
1 Introduction

Broadcast encryption schemes [FN94] allow a sender to encrypt messages to a set \(\varGamma \subseteq [n]\) of authorized users such that any user in the set \(\varGamma \) can decrypt, and no (possibly colluding) set of unauthorized users can learn anything about the plaintext. Two key measures of efficiency for broadcast encryption are the size of the secret keys and the ciphertext overhead (beyond the description of the recipient set and the symmetric encryption of the message). The early constructions of broadcast encryption schemes achieve ciphertext overhead that grows with the number of either authorized or excluded users [NNL01, HS02, DF02, GST04].

The BGW Cryptosystem. Ideally, we would like a broadcast encryption scheme where the size of secret keys and ciphertext overhead is independent of the number of users. This was first achieved in the breakthrough work of Boneh, Gentry and Waters [BGW05], which presented a broadcast encryption scheme in bilinear groups where both the secret keys and the ciphertext overhead consist of a constant number of group elements. In their scheme, the decryption algorithm needs to know the public key, whose size is linear in the number of users.

The BGW cryptosystem has two main limitations, which are the focus of several follow-up works as well as of the present one:

  • First, the BGW scheme achieves selective security, where an adversary must declare a target set of unauthorized users with which it will attack the scheme before even seeing the system parameters. This restriction does not capture the power of many kinds of attackers (for instance: an attacker might choose to corrupt a user after seeing the public parameters, or in response to seeing secret keys for already corrupted parties), so in practice, we would prefer to have schemes that satisfy the more general and stronger notion of adaptive security, which does not place such restrictions on the adversary.

  • Next, the BGW scheme relies on parameterized assumptions. Parameterized assumptions (a.k.a. q-type assumptions), while in some cases allowing for improvements over the state of the art, are not particularly well understood. The assumptions are often closely tailored to the schemes that use them; for example, the size of the assumption often scales with the number of oracle queries that can be made in the security reduction. Furthermore, q-type assumptions become stronger as q grows: the time needed to recover the discrete logarithm, and hence break the assumption, decreases as q grows [Che06]. As a result, it is desirable to design systems that can be proven secure under static assumptions, like the decisional k-Linear assumption (k-\(\mathsf {Lin}\)) in prime-order bilinear groups.

These limitations were addressed individually: adaptive security by [GW09], and static assumptions by [Wee16, CMM16a] (the latter in composite-order groups). However, improving [BGW05] to achieve security that is both adaptive and based on a static assumption has remained out of reach.

1.1 Our Results

In this paper we present the first broadcast encryption scheme with constant key and ciphertext overhead size that simultaneously overcomes both of the limitations above. Namely, we achieve adaptive security under a static assumption (k-\(\mathsf {Lin}\)) in prime-order bilinear groups. Our improvements come at the cost of a larger public key that is quadratic instead of linear in the total number of users. We stress that prior to this work, it was not known how to achieve broadcast encryption with any size public parameters, constant-sized keys and ciphertext overhead, and even just selective security under a static assumption in prime-order groups.

As with the BGW cryptosystem and the follow-up works in [Wee16, CMM16a], the decryption algorithm in our scheme needs to know the public key in addition to the secret key. Considering the complications that come with managing user secret keys, which have to be distributed individually and stored securely, we achieve a desirable public/private key size tradeoff that makes sense particularly in applications where decryptors have access to large shared public storage.

We give an additional broadcast encryption scheme with constant key and ciphertext overhead size which is adaptively secure in the multi-challenge setting under static assumptions with a tight security reduction (where the security loss is independent of the number of challenge ciphertexts). Tight security reductions, which have been studied previously in the context of encryption [BBM00, HJ12] and signatures [Cor00], are desirable when fixing concrete security parameters, since the security loss directly impacts the size of scheme elements. In the context of advanced encryption schemes, tight constructions were only known for identity-based encryption [CW13]. In this work, we give the first tightly secure broadcast encryption scheme. Note that while our security loss is independent of the number of challenge ciphertexts, it remains proportional to n, the number of users in the system. In this work, we view n as being not too large, since our public key contains \(O(n^2)\) group elements, which would be impractical for very large n anyway. Thus, a security loss of a small constant times n is much more desirable than one proportional to the number of challenge ciphertexts, which could be much larger for widely deployed systems.

Fig. 1. [figure not reproduced] Comparison amongst broadcast encryption schemes in the standard model, where n denotes the number of users, \(|\mathsf {ct}|\), \(|\mathsf {sk}|\) and \(|\mathsf {pk}|\) respectively denote the ciphertext, secret key and public key size (i.e., the number of group elements or exponents of group elements). The last column refers to whether or not the decryption algorithm \(\mathsf {Dec}\) requires the public key \(\mathsf {pk}\) as input.

1.2 Related Work

Previous broadcast encryption schemes for n users that are secure in the standard model either carry the baggage of an \((n/t, t)\)-tradeoff in key/ciphertext size, use a non-static assumption (i.e., a q-type assumption), or are only secure in the weaker, selective security setting (see Fig. 1). In fact, all known broadcast encryption schemes that are adaptively secure under a static assumption and that use the Dual System Encryption methodology [Att14, Wee14, CGW15, AC16, LL15] fall in the scope of the \((n/t, t)\) lower bound on the (ciphertext overhead, secret key) size proved in [GKW15]. We note that we are able to bypass this lower bound by using the modified definition of broadcast encryption proposed by [BGW05], where decryption is allowed to take the public parameters as input in addition to the secret key, as explained above.

Short keys and ciphertext overhead have been accomplished in other schemes by moving outside the standard model: [GW09] gives a construction (different from the one depicted in Fig. 1 which uses q-type assumptions) with adaptive security and constant key and ciphertext overhead size, but in the random oracle model; [BWZ14] achieves adaptive security with polylogarithmic (in the number of users) size public parameters, keys, and ciphertext overhead, but is only proven secure in the multilinear generic group model; and [BZ14] achieves adaptive security with linear size public parameters, constant size keys and ciphertext overhead, but relies on strong assumptions, namely, indistinguishability obfuscation [BGI+01]. Lastly, we note that while our constructions harness the power of computational assumptions to achieve their efficiency, the problem of broadcast encryption has been studied in the information-theoretic realm as well [Sv98, SSW00, GSW00, GSY99].

1.3 Our Techniques

We give a construction in the composite-order setting which is secure under standard static decision assumptions to illustrate the main techniques, as well as a construction using prime-order bilinear groups which is secure under k-\(\mathsf {Lin}\).

Dual System Proof Methodology. We employ the dual system proof methodology [Wat09] to achieve the adaptive security of our schemes. A dual system encryption scheme is constructed so that an adversary cannot distinguish the distribution of normal keys (or ciphertexts) from special “semi-functional” keys (or ciphertexts). Semi-functional keys are capable of decrypting normal ciphertexts, but semi-functional keys cannot decrypt a semi-functional ciphertext. A typical dual system proof consists of a hybrid where the first step is constructing the challenge ciphertext as a semi-functional ciphertext. The hybrid then runs over each key requested by the adversary, replacing each requested key with a semi-functional key. At the end, only semi-functional keys are given to an adversary whose job is to break the security of a semi-functional ciphertext. Due to the way semi-functional ciphertexts and secret keys are constructed, it is typically easy to argue the game’s security at this point (semi-functional secret keys cannot be used to decrypt any semi-functional ciphertexts, including the semi-functional challenge ciphertext).

Overview of the Construction. Our constructions can be understood by starting with the Boneh-Gentry-Waters construction for broadcast encryption [BGW05], which is selectively-secure under a (non-static) q-type assumption. BGW’s public parameters look like:

$$\begin{aligned} \mathsf {pk}:= (g^\gamma , g^\alpha , g^{\alpha ^2},\ldots ,g^{\alpha ^n}, \; h^\alpha , h^{\alpha ^2},\ldots ,h^{\alpha ^n}, \; h^{\alpha ^{n+2}},\ldots ,h^{\alpha ^{2n}},\;\; e(g,h)^{\alpha ^{n+1}}) \end{aligned}$$

where \(\gamma , \alpha \) are random exponents in \(\mathbb {Z}_p\), \(g, h\) respectively generate prime-order groups \(G, H\) with \(|G|=|H| = p\), and \(e: G \times H \rightarrow G_T\) is the pairing.

The ciphertext for a subset \(\varGamma \subseteq [n]\) and the key for a user \(i \in [n]\) are given by:

$$\begin{aligned} \mathsf {ct}_\varGamma := (g^s, \;\; g^{(\gamma + \sum _{j \in \varGamma } \alpha ^j)s}, \;\; e(g,h)^{s\alpha ^{n+1}} \cdot M), \;\;\; \mathsf {sk}_i := h^{\alpha ^{n-i+1}\gamma } \end{aligned}$$

Decryption works as follows. Note that the message M in a ciphertext is hidden by the encapsulation key \(e(g,h)^{s \alpha ^{n+1}}\). First, an authorized user with index i pairs \(h^{\alpha ^{n-i+1}}\) from the public parameters with \(g^{(\gamma + \sum _{j \in \varGamma } \alpha ^j)s}\) from the ciphertext. This yields the encapsulation key multiplied by the product of the cross terms \(e(g,h)^{s\alpha ^{n+1-i+j}}\) for \(j \in \varGamma \), \(j \ne i\), and by \(e(g,h)^{s\alpha ^{n-i+1}\gamma }\). The cross terms can be removed by pairing \(g^s\) from the ciphertext with the appropriate elements \(h^{\alpha ^{n+1-i+j}}\) of \(\mathsf {pk}\) (note that \(n+1-i+j \ne n+1\) precisely because \(j \ne i\), so all of these elements are public), and the last term can only be removed by pairing \(g^{s}\) with the (authorized) user’s secret key \(\mathsf {sk}_i\). The encapsulation key can therefore be computed and used to recover the message M.
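The index bookkeeping in this decryption is easy to get wrong, so here is an added worked check (my code, not code from the paper) that runs the BGW decryption equation at the exponent level: every group element is represented by its discrete logarithm modulo a constructed toy prime, so the pairing becomes multiplication of exponents and division in \(G_T\) becomes subtraction. This verifies the algebra only and is in no sense a secure instantiation. The function names, the dictionary layout of \(\mathsf {pk}\) and the choice of prime are my own assumptions; the scheme itself is the one displayed above.

```python
# Exponent-level simulation of the BGW broadcast encryption scheme.
# g^a is stored as a, h^b as b, e(g,h)^c as c (all mod P), so that
# e(g^a, h^b) = e(g,h)^{ab} is just a*b mod P and division in G_T is subtraction.
# Added example: checks the decryption algebra, provides no security.
import secrets

P = 2**127 - 1  # constructed toy prime standing in for the group order p


def rand_exp(p=P):
    return secrets.randbelow(p - 1) + 1


def bgw_setup(n, p=P):
    alpha, gamma = rand_exp(p), rand_exp(p)
    pk = {
        "g_gamma": gamma,                                                  # g^gamma
        "g_alpha": {j: pow(alpha, j, p) for j in range(1, n + 1)},         # g^{alpha^j}
        # h^{alpha^j} for j in [1, 2n] \ {n+1}: the "hole" at n+1 is deliberate,
        # e(g,h)^{alpha^{n+1}} is only published in G_T.
        "h_alpha": {j: pow(alpha, j, p) for j in range(1, 2 * n + 1) if j != n + 1},
        "gt_alpha_n1": pow(alpha, n + 1, p),                               # e(g,h)^{alpha^{n+1}}
    }
    return pk, (alpha, gamma)


def bgw_keygen(msk, i, n, p=P):
    alpha, gamma = msk
    return pow(alpha, n - i + 1, p) * gamma % p                           # sk_i = h^{alpha^{n-i+1} gamma}


def bgw_encaps(pk, gamma_set, p=P):
    """Returns ct_Gamma (without the message part) and the encapsulation key."""
    s = rand_exp(p)
    c0 = s                                                                 # g^s
    c1 = (pk["g_gamma"] + sum(pk["g_alpha"][j] for j in gamma_set)) * s % p  # g^{(gamma + sum alpha^j) s}
    key = pk["gt_alpha_n1"] * s % p                                        # e(g,h)^{s alpha^{n+1}}
    return (c0, c1), key


def bgw_decaps(pk, sk_i, i, gamma_set, ct, n, p=P):
    c0, c1 = ct
    # e(C1, h^{alpha^{n-i+1}}) = K * e(g,h)^{s alpha^{n-i+1} gamma} * prod_{j in Gamma, j != i} e(g,h)^{s alpha^{n+1-i+j}}
    acc = c1 * pk["h_alpha"][n - i + 1] % p
    # strip the gamma term with the secret key: divide by e(g^s, sk_i)
    acc = (acc - c0 * sk_i) % p
    # strip the cross terms with public h^{alpha^{n+1-i+j}}; index n+1 is never needed since j != i
    for j in gamma_set:
        if j != i:
            acc = (acc - c0 * pk["h_alpha"][n + 1 - i + j]) % p
    return acc


if __name__ == "__main__":
    n, recipients = 4, {1, 3}
    pk, msk = bgw_setup(n)
    ct, key = bgw_encaps(pk, recipients)
    print("user 3 (authorized) recovers key:", bgw_decaps(pk, bgw_keygen(msk, 3, n), 3, recipients, ct, n) == key)
    print("user 2 (unauthorized) recovers key:", bgw_decaps(pk, bgw_keygen(msk, 2, n), 2, recipients, ct, n) == key)
```

An unauthorized user owns a valid \(\mathsf {sk}_i\) and can compute every cross term, but since \(i \notin \varGamma \) there is no \(j = i\) term in the sum and the computation collapses to \(e(g,h)^0\) rather than the key; the simulation shows exactly that.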

The q-type assumption underlying BGW’s security is enabled by the powers of \(\alpha \). These powers prevent a straightforward dual-system proof of adaptive security from static assumptions. To obtain a construction based on static assumptions, we need to remove the powers of \(\alpha \) in the scheme. Towards this goal, consider the substitutions:

$$\begin{aligned} g^{\alpha ^j} \mapsto g^{w_j}, \qquad h^{\alpha ^{n-j+1}} \mapsto h^{r_j},\qquad j \in [n] \end{aligned}$$

where \(w_1,\ldots ,w_n,r_1,\ldots ,r_n\) are chosen uniformly at random. Correctness of the BGW scheme relies on the fact that

$$\begin{aligned} \{ e(g^{\alpha ^j s}, h^{\alpha ^{n-i+1}}) \}_{i,j \in [n], j \ne i} \end{aligned}$$

lies in a set of linear size, namely

$$\begin{aligned} \{e(g^s,h^\alpha ),\ldots ,e(g^s,h^{\alpha ^n}),\; e(g^s,h^{\alpha ^{n+2}}),\ldots ,e(g^s,h^{\alpha ^{2n}}) \}. \end{aligned}$$

With our substitutions, the corresponding collection lies in a set

$$\begin{aligned} \{ e(g^s,h^{w_j r_{i}}) \}_{i,j \in [n], j \ne i} \end{aligned}$$

of size \(O(n^2)\), hence the corresponding blow-up in the size of the public key, which now additionally needs to contain \(\{h^{w_j r_{i}}\}_{i,j \in [n], i \ne j}\).

Finally, replacing the prime-order pairing group by a composite-order asymmetric bilinear group \((G, H, G_T)\) where \(|G|=|H| = N = p q\), so as to use a subgroup membership assumption instead of the q-DBDH assumption used in BGW, and replacing \(g \mapsto g_p\), \(h \mapsto h_p\), where \(g_p,h_p\) respectively generate the prime-order subgroups \(G_p, H_p\) of \(G, H\), we obtain our composite-order scheme.

Alternative Viewpoint. As seen above, we can view our construction as a modification of the broadcast encryption scheme from [BGW05] where we improve the secret key/public key size trade-off. An alternative way to view our construction is to start from the broadcast encryption scheme of Waters [Wat09], which can be proven adaptively secure from static assumptions (using the dual system proof methodology) and features constant size ciphertext overhead, but linear size secret keys. We describe the construction using composite-order asymmetric bilinear groups for simplicity:

$$\begin{aligned} \mathsf {pk}:=&\big (\{ g_p^{w_j}\}_{j \in [n]},\;\; e(g_p,h_p)^\alpha \big ) \\ \mathsf {ct}_\varGamma :=&\big ( g_p^s,\;\; g_p^{s(u+\sum _{j \notin \varGamma }w_j)}, \;\; e(g_p,h_p)^{s \alpha }\cdot M \big ) \\ \mathsf {sk}_i :=&\big ( h_p^{r_i}, \;\; \{ h_p^{w_j r_i} \}_{j \in [n], \atop j \ne i}, \;\; h_p^{\alpha + u r_i}\big ) \end{aligned}$$

where \(s,u,\alpha ,w_j,r_i\) for \(i,j \in [n]\) are random exponents in \(\mathbb {Z}_N\), \(g_p,h_p\) respectively generate the prime-order subgroups \(G_p, H_p\) of \(G, H\), where \(|G|=|H| = N = p q\), and \(e: G \times H \rightarrow G_T\).

Decryption works as follows. Note that a message M in a ciphertext is again hidden by an encapsulation key \(e(g_p,h_p)^{s \alpha }\). To get the encapsulation key \(e(g_p,h_p)^{s \alpha }\), decryption pairs \(g_p^s\) with \(h_p^{\alpha + u r_i}\). To get rid of the extra term \(e(g_p,h_p)^{s u r_i}\), it pairs \(g_p^{s(u + \sum _{j \notin \varGamma }w_j)}\) from the ciphertext together with \(h_p^{r_i}\). Doing so, decryption also gets many cross terms of the form \(e(g_p,h_p)^{s \sum _{j \notin \varGamma } w_j r_i}\) which can be stripped away, pairing \(g_p^s\) with the appropriate \(h_p^{w_j r_i}\) from the secret key. Note that these secret key elements are all available only when \(i \in \varGamma \) and the key is therefore authorized.

To improve this construction’s linear-sized secret keys to constant-size, we pre-compute the values \(\{h_p^{r_i},h_p^{w_j r_i}\}_{j \in [n], j\ne i}\) and include them in the public parameters instead of the secret key. Therefore, the secret key is reduced to the part that contains the encapsulation key \(\alpha \). Note that this crucially takes advantage of our modified model of broadcast encryption where decryption is allowed to use elements from the public key as well as the secret key.
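To make the pre-computation concrete, here is an added exponent-level simulation (my code, not the paper's Sect. 3 scheme verbatim) of the construction just described, with \(\{h_p^{r_i},h_p^{w_j r_i}\}_{j \ne i}\) moved into \(\mathsf {pk}\) and \(\mathsf {sk}_i\) reduced to the single element \(h_p^{\alpha + u r_i}\). As in the BGW check above, group elements are stored as their discrete logarithms modulo a constructed toy prime and the pairing is multiplication of exponents; the composite-order subgroup structure plays no role in correctness, so one prime suffices. Two assumptions of mine: I also place \(g_p^u\) in the public key, since \(\mathsf {Enc}\) needs it to form \(g_p^{s(u+\sum _{j \notin \varGamma }w_j)}\), and all function names and the dictionary layout are invented for the example.

```python
# Exponent-level simulation of the broadcast encryption scheme with
# pre-computed h^{r_i}, h^{w_j r_i} in the public key (added example, no security).
# g^a -> a, h^b -> b, e(g,h)^c -> c mod P; pairing = multiplication, division = subtraction.
import secrets

P = 2**127 - 1  # constructed toy prime standing in for the subgroup order


def rand_exp(p=P):
    return secrets.randbelow(p - 1) + 1


def be_setup(n, p=P):
    alpha, u = rand_exp(p), rand_exp(p)
    w = {j: rand_exp(p) for j in range(1, n + 1)}
    r = {i: rand_exp(p) for i in range(1, n + 1)}
    pk = {
        "g_w": dict(w),                  # g^{w_j}
        "g_u": u,                        # g^u  (assumption: needed by Enc, see lead-in)
        "gt_alpha": alpha,               # e(g,h)^alpha
        "h_r": dict(r),                  # h^{r_i}, now public
        # h^{w_j r_i} for j != i, now public: n(n-1) elements, the quadratic part of pk.
        # h^{w_i r_i} is never published; that is what makes user i unable to decrypt when i not in Gamma.
        "h_wr": {(i, j): w[j] * r[i] % p for i in r for j in w if j != i},
    }
    msk = {"alpha": alpha, "u": u, "r": r}
    return pk, msk


def be_keygen(msk, i, p=P):
    return (msk["alpha"] + msk["u"] * msk["r"][i]) % p          # sk_i = h^{alpha + u r_i}: one element


def be_encaps(pk, gamma_set, n, p=P):
    s = rand_exp(p)
    excluded = [j for j in range(1, n + 1) if j not in gamma_set]
    c0 = s                                                       # g^s
    c1 = s * (pk["g_u"] + sum(pk["g_w"][j] for j in excluded)) % p  # g^{s(u + sum_{j notin Gamma} w_j)}
    return (c0, c1), pk["gt_alpha"] * s % p                      # encapsulation key e(g,h)^{s alpha}


def be_decaps(pk, sk_i, i, gamma_set, ct, n, p=P):
    """Returns the encapsulation key, or None if a required pk element does not exist."""
    c0, c1 = ct
    acc = c0 * sk_i % p                       # e(g^s, h^{alpha + u r_i})           -> s alpha + s u r_i
    acc = (acc - c1 * pk["h_r"][i]) % p       # / e(C1, h^{r_i})                     -> s alpha - s sum_{j notin Gamma} w_j r_i
    for j in range(1, n + 1):
        if j in gamma_set:
            continue
        cross = pk["h_wr"].get((i, j))        # * e(g^s, h^{w_j r_i}) strips each cross term
        if cross is None:                     # only happens for j == i, i.e. when i is not in Gamma
            return None
        acc = (acc + c0 * cross) % p
    return acc


if __name__ == "__main__":
    n, recipients = 5, {2, 4, 5}
    pk, msk = be_setup(n)
    ct, key = be_encaps(pk, recipients, n)
    print("pk holds", len(pk["h_wr"]), "elements h^{w_j r_i}; BGW needed 2n - 1 =", 2 * n - 1)
    print("user 4 (authorized):", be_decaps(pk, be_keygen(msk, 4), 4, recipients, ct, n) == key)
    print("user 1 (unauthorized):", be_decaps(pk, be_keygen(msk, 1), 1, recipients, ct, n))
```

Running it for a few values of n makes the tradeoff of Sect. 1.1 visible: the secret key is one element, the ciphertext overhead is two, and the public key grows as \(n(n-1)\) elements \(h_p^{w_j r_i}\) on top of the linear part.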

Indeed, the main technical challenge in proving our schemes secure is to carry out the dual-system proof when the values \(\{h_p^{r_i},h_p^{w_j r_i}\}_{j \in [n], j\ne i}\) are public for every \(i\in [n]\), and only a single group element remains private. This is in contrast to the security proof of previous dual system schemes, such as [Wat09], where the values \(h_p^{r_i}, \{h_p^{w_j r_i}\}_{j \in [n], j\ne i}\) are known to the adversary only for queried keys \(\mathsf {sk}_i\). We solve this by carefully switching the \(h_p^{r_i}, \{h_p^{w_j r_i}\}_{j \in [n], j\ne i}\) for each \(i \in [n]\) one by one to semi-functional, thereby changing the distribution of the public parameters over the hybrid through the keys. Similar techniques are also found in the selectively secure broadcast encryption schemes of [Wee16, CMM16a], which removed the use of q-type assumptions in [BGW05] using the Déjà Q paradigm introduced by [CM14].

Prime-Order Groups. The scheme we just described in two ways is based on composite-order asymmetric bilinear groups. We give the scheme in detail in Sect. 3 and its proof in [GKW18, Sect. 3]. For efficiency reasons [Gui13], schemes based on prime-order groups are preferable in practice. As such, we additionally provide a translation of our composite-order scheme to the prime-order setting in Sect. 4.

Our construction uses a proof paradigm that can be seen as an optimization of known composite-to-prime-order translation frameworks, such as [Fre10, OT08, OT09, Lew12, CGW15, Att15, AC16]. Roughly speaking, in these frameworks, a random group element \(g_p^s\) of a composite-order bilinear group G is emulated by a vector of group elements \([\mathbf {A}\mathbf {s}]_1\), where \(\mathbf {s}\in \mathbb {Z}_p^k\), \(\mathbf {A}\in \mathbb {Z}_p^{(k+1) \times k}\) is a k-\(\mathsf {Lin}\) matrix, and we use the bracket notation \([a]_i\) to denote the element \(g_i^{a}\) for \(i \in \{1,2,T\}\) (for a prime-order bilinear group \(G_1 \times G_2 \rightarrow G_T\)). Here, k depends on the k-\(\mathsf {Lin}\) assumption used; e.g., \(k = 1\) corresponds to the Symmetric External Diffie-Hellman Assumption, or SXDH. The decision assumption used to argue that \(g_p^s \approx g_p^s g_q^s\) in composite-order groups is replaced by the k-\(\mathsf {Lin}\) assumption: \([\mathbf {A}\mathbf {s}]_1 \approx [\mathbf {u}]_1\), where \(\mathbf {A}\in \mathbb {Z}_p^{(k+1) \times k}\) is a k-\(\mathsf {Lin}\) matrix and \(\mathbf {u}\) is a uniformly random vector over \(\mathbb {Z}_p^{k+1}\). Finally, each group element \(g^{w_i}\) of the public parameters is mapped to a \((k+1) \times (k+1)\) matrix of group elements.

Our constructions employ an optimization that uses public parameter matrices of size only \((k+1) \times k\), thereby reducing the public parameters and the ciphertext size by a factor of \(k+1\) (see Fig. 2). This is done by replacing the information-theoretic argument at the heart of the dual system encryption methodology (used to switch secret keys to semi-functional secret keys) with a computational argument. Similar techniques are used in [CW14, BKP14, AC16].

Fig. 2. [figure not reproduced] \(\mathbf {A},\mathbf {B}\in \mathbb {Z}_p^{(k+1) \times k}\) are k-\(\mathsf {Lin}\) matrices, \(\overline{\mathbf {B}} \in \mathbb {Z}_p^{k \times k}\) denotes the k upper rows of \(\mathbf {B}\).

Tight Security Proof in the Multi-challenge Setting. The security definition of public key encryption schemes typically involves a game where there is only one challenge ciphertext, since this implies security of the scheme when multiple challenge ciphertexts are allowed to be requested via a standard hybrid argument. However, using such an argument incurs a security loss that is proportional to the number of challenge ciphertexts. This can be problematic since real-life attacks might be performed on many challenge ciphertexts. In particular, for widely deployed schemes, the number of challenge ciphertexts can be as large as \(2^{20}\), or even \(2^{30}\). A standard hybrid over the ciphertexts in the latter case results in an increase in the size of the security parameter by 30 compared to the setting where the adversary receives only one challenge ciphertext. For elliptic curve groups eligible to instantiate our scheme in which the SXDH assumption is believed to hold, such an increase would translate to a \(2 \cdot 30 = 60\) bit increase in the size of each group element description. Thus, a tight security reduction allows for shorter group element descriptions and increased efficiency. Finally, note that the number of challenge ciphertexts can be unknown during the setup phase, which means that a conservative estimate could assume it to be high during security parameter calculation, thereby resulting in needlessly large group elements used in the scheme. Tight security reductions avoid this problem by allowing the security parameter to be set in a way that is independent of the number of challenge ciphertexts.

To obtain a tightly secure construction, we slightly modify the prime-order scheme mentioned above, so as to allow a different proof strategy. The modification does not incur any increase in the ciphertext size for the most efficient version of the scheme: when \(k=1\) and security holds under 1-\(\mathsf {Lin}\), a.k.a. the SXDH assumption. In general, the ciphertext size in the tightly secure scheme increases by \(k-1\) group elements when security is based on k-\(\mathsf {Lin}\). In the tight-security proof, we simultaneously switch all of the challenge ciphertexts to semi-functional mode using the random self-reducibility of the k-\(\mathsf {Lin}\) assumption. Then, the high-level proof structure is similar to that of the previous scheme: we perform a hybrid argument that switches each secret key one by one to a semi-functional version (note that the number of secret keys is upper bounded by n, so this hybrid argument only incurs a security loss that is proportional to n, the number of users). To switch the key \(\mathsf {sk}_\ell \) to semi-functional mode, we use entropy from the component \([\mathbf {W}_0 \mathbf {r}_\ell ]_2\) in the key \(\mathsf {sk}_\ell \) to obtain a new random semi-functional component (the component \(\gamma _\ell \mathbf {a}^{\bot }\)). Doing so requires an analysis of the entropy of \(\mathbf {W}_0\) leaked by the public key and the challenge ciphertext(s). When there is only one challenge ciphertext for some set of users \(\varGamma \), the (non-tight) proof crucially relies on the fact that \(\ell \notin \varGamma \), which the security game guarantees because the adversary queried \(\mathsf {sk}_\ell \). For the tight reduction there are many challenge sets \(\varGamma _i\), so one might expect more information about \(\mathbf {W}_0\) to leak. In fact, this is not the case: the challenge ciphertexts for all sets \(\varGamma _i\) queried to \(\mathsf {EncO}\) do not leak more information about \(\mathbf {W}_0\) than a single ciphertext for the set \(\bigcup _{i} \varGamma _i\), which would itself be an allowed challenge query given the same set of user keys. This allows us to reduce to the argument for the single-ciphertext case.

1.4 Discussion

Prior to this work, it was not clear what the bottleneck was in improving a broadcast encryption scheme with constant-size secret keys and ciphertext overhead based on q-type assumptions to one based only on static assumptions. More specifically, one might ask: “What exactly is the use of q-type assumptions in [BGW05] buying us?” Our work clarifies that the main bottleneck is to get to linear-size public keys (and not constant-size secret keys or ciphertext overhead). Indeed, as noted earlier, if we replace the \(r_i, w_i\) in the composite-order scheme of Sect. 3 with powers of \(\alpha \) (\(w_i = \alpha ^{i}, r_i = \alpha ^{n-i+1}\), as in the substitution of Sect. 1.3), we can compress the public parameters to linear size, and essentially recover the construction of [BGW05]. That is, the role of the q-type assumption is to compress a quadratic number of terms to a linear number. This is very different from the use of q-type assumptions in the HIBE of [BBG05], for example, which were replaced with static assumptions by [LW10] without a loss in asymptotic parameters.

2 Preliminaries

2.1 Notation

We denote by the fact that x is picked uniformly at random from a finite set X. By “PPT", we denote a probabilistic polynomial-time algorithm.

2.2 Bilinear Groups

We instantiate both broadcast encryption schemes using asymmetric bilinear groups. Let \(\mathcal {G}\) be a probabilistic polynomial time (PPT) algorithm that on input a security parameter \(1^\lambda \) returns an asymmetric bilinear group description \(\mathbb {G} := (N, G_1, G_2, G_T, e)\), where \(G_1\), \(G_2\) and \(G_T\) are cyclic groups of order N, and \(e : G_1 \times G_2 \rightarrow G_T\) is a non-degenerate bilinear map. We require that the group operations in \(G_1\), \(G_2\) and \(G_T\) as well as the bilinear map e are computable in deterministic polynomial time.

Composite-Order Groups. For the composite-order construction in Sect. 3, we consider groups of order \(N = pq\), where p, q are distinct primes of \(\varTheta (\lambda )\) bits, and \(G_1 = G, G_2 = H\) are asymmetric groups. In this setting, we can write \(G = G_p G_q\) and \(H = H_p H_q\), where \(G_p, G_q, H_p, H_q\) are subgroups of the subscripted order. In addition, we use \(G_{s}^*, H_{s}^*\) to denote \(G_{s}\setminus \{1\}, H_{s}\setminus \{1\}\), where \(s \in \{p,q\}\). We will often write \(g_p, g_q, h_p, h_q\) to denote random generators of the subgroups \(G_{p}, G_{q}, H_p, H_q\).

Prime-Order Groups. For the prime-order construction in Sect. 4, we consider groups of order \(N = p\) for some prime p of \(\varTheta (\lambda )\) bits, where \(G_1\) and \(G_2\) are possibly different groups (type 1, 2 or 3 pairing). We write \(g_1\), \(g_2\) to denote random generators of \(G_1\) and \(G_2\) respectively, and \(g_T := e(g_1, g_2)\), which is a generator of \(G_T\). We use the implicit representation of group elements: for \(a \in \mathbb {Z}_p\), define \([a]_s = a g_s \in G_s\) as the implicit representation of a in \(G_s\), for \(s \in \{1,2,T\}\). Given \([a]_1\) and \([b]_2\), one can efficiently compute \([ab]_T\) using the pairing e. For two matrices \(\mathbf {A}\in \mathbb {Z}_p^{\ell \times m}\), \(\mathbf {B}\in \mathbb {Z}_p^{m \times n}\), define \(e([\mathbf {A}]_1, [\mathbf {B}]_2 ) := [\mathbf {A}\mathbf {B}]_T \in G_T^{\ell \times n}\).

2.3 Static Composite-Order Assumptions

The security of the composite-order scheme in Sect. 3 is proven under three static assumptions in composite-order asymmetric bilinear groups. We define the advantage functions referred to in the assumptions in Fig. 3.

Fig. 3. [figure not reproduced] Advantage functions.

Definition 1

(Composite-Order Static Decision Assumptions ). We say that the Static Decision Assumptions hold relative to \(\mathcal {G}\) if for all PPT adversaries \(\mathcal {A}\), the advantages \(\mathrm {Adv}^{SD1}_{\mathcal {G}, \mathcal {A} }(\lambda )\), \(\mathrm {Adv}^{SD2}_{\mathcal {G}, \mathcal {A} }(\lambda )\), and \(\mathrm {Adv}^{SD3}_{\mathcal {G}, \mathcal {A} }(\lambda )\) are negligible functions in \(\lambda \).

2.4 Matrix Diffie-Hellman Assumptions

The security of the prime-order scheme in Sect. 4 is proven under the Matrix Decision Diffie-Hellman (\(\mathsf {MDDH}\)) Assumption [EHK+13], whose definition we recall here.

Definition 2

(Matrix Distribution ). Let \(k,\ell \in \mathbb {N}\), with \(\ell > k\). We call \(\mathcal {D}_{\ell ,k}\) a matrix distribution if it outputs matrices in \(\mathbb {Z}_p^{\ell \times k}\) of full rank k in polynomial time. We write \(\mathcal {D}_k := \mathcal {D}_{k+1,k}\).

Without loss of generality, we assume that the first k rows of \(\mathbf {A}\) form an invertible matrix. The \(\mathcal {D}_{\ell ,k}\)-Matrix Diffie-Hellman problem in \(G_s\) for \(s \in \{1,2,T\}\) is to distinguish the two distributions \(([\mathbf {A}]_s, [\mathbf {A}\mathbf {w}]_s)\) and \(([\mathbf {A}]_s,[\mathbf {u}]_s)\), where \(\mathbf {A}\leftarrow \mathcal {D}_{\ell ,k}\), \(\mathbf {w}\leftarrow \mathbb {Z}_p^{k}\) and \(\mathbf {u}\leftarrow \mathbb {Z}_p^{\ell }\) are sampled uniformly at random.

Definition 3

(\(\mathcal {D}_{\ell ,k}\)-Matrix Diffie-Hellman Assumption \(\mathcal {D}_{\ell ,k}\)-\(\mathsf {MDDH}\) ). Let \(\mathcal {D}_{\ell ,k}\) be a matrix distribution. We say that the \(\mathcal {D}_{\ell ,k}\)-Matrix Diffie-Hellman (\(\mathcal {D}_{\ell ,k}\)-\(\mathsf {MDDH}\)) Assumption holds relative to \(\mathcal {G}\) in \(G_s\) for \(s \in \{1,2,T\}\) if for all PPT adversaries \(\mathcal {A}\),

$$\begin{aligned} \mathrm {Adv}^{\mathsf {MDDH}}_{\mathcal {G},\mathcal {D}_{\ell ,k},\mathcal {A}}(\lambda ) :=| \Pr [\mathcal {A}(\mathbb {G},[\mathbf {A}]_s, [\mathbf {A}\mathbf {w}]_s)=1]-\Pr [\mathcal {A}(\mathbb {G},[\mathbf {A}]_s, [\mathbf {u}]_s) =1] |= \mathsf {negl}(\lambda ), \end{aligned}$$

where the probability is taken over \(\mathbf {A}\leftarrow \mathcal {D}_{\ell ,k}\), \(\mathbf {w}\leftarrow \mathbb {Z}_p^{k}\), \(\mathbf {u}\leftarrow \mathbb {Z}_p^{\ell }\).

For each \(k \ge 1\), [EHK+13] specifies distributions \(\mathcal {L}_k\), \(\mathcal {SC}_k\), \(\mathcal {C}_k\) (and others) over \(\mathbb {Z}_p^{(k+1)\times k}\) such that the corresponding \(\mathcal {D}_k\)-\(\mathsf {MDDH}\) assumptions are generically secure in bilinear groups and form a hierarchy of increasingly weaker assumptions. \(\mathcal {L}_k\)-\(\mathsf {MDDH}\) is the well known k-Linear Assumption k-\(\mathsf {Lin}\) with 1-\(\mathsf {Lin}\) = \(\mathsf {DDH}\).

Definition 4

(Uniform distribution ). Let \(\ell ,k\in \mathbb {N}\), with \(\ell > k\). We denote by \(\mathcal {U}_{\ell ,k}\) the uniform distribution over all full-rank \(\ell \times k\) matrices over \(\mathbb {Z}_p\). Let \(\mathcal {U}_k:=\mathcal {U}_{k+1,k}\).

Among all possible matrix distributions \(\mathcal {D}_{\ell ,k}\), the uniform matrix distribution \(\mathcal {U}_{k}\) is the hardest possible instance, so in particular \(k\text{- }\mathsf {Lin}\Rightarrow \mathcal {U}_k\text{- }\mathsf {MDDH}\).

Lemma 1

(\(\mathcal {D}_{\ell ,k}\text{- }\mathsf {MDDH}\Rightarrow \mathcal {U}_{k}\text{- }\mathsf {MDDH}\), [EHK+13]). Let \(\mathcal {D}_{\ell ,k}\) be a matrix distribution. For any PPT adversary \(\mathcal {A}\), there exists an adversary \(\mathcal {B}\) such that \(\mathbf {T}(\mathcal {B}) \approx \mathbf {T}(\mathcal {A})\) and \(\mathrm {Adv}^{\mathsf {MDDH}}_{\mathcal {G},\mathcal {D}_{\ell ,k},\mathcal {A}}(\lambda ) =\mathrm {Adv}^{\mathsf {MDDH}}_{\mathcal {G},\mathcal {U}_{k},\mathcal {B}}(\lambda ) \).

Let \(Q \ge 1\). For \(\mathbf {W}\leftarrow \mathbb {Z}_p^{k \times Q}\) and \(\mathbf {U}\leftarrow \mathbb {Z}_p^{\ell \times Q}\) sampled uniformly at random, we consider the Q-fold \(\mathcal {D}_{\ell ,k}\)-\(\mathsf {MDDH}\) Assumption in \(G_s\) for \(s \in \{1,2,T\}\), which consists of distinguishing the distributions \(([\mathbf {A}]_s, [\mathbf {A}\mathbf {W}]_s)\) and \(([\mathbf {A}]_s, [\mathbf {U}]_s)\). That is, a challenge for the Q-fold \(\mathcal {D}_{\ell ,k}\)-\(\mathsf {MDDH}\) Assumption consists of Q independent challenges of the \(\mathcal {D}_{\ell ,k}\)-\(\mathsf {MDDH}\) Assumption (with the same \(\mathbf {A}\) but different randomness \(\mathbf {w}\)). In [EHK+13] it is shown that the two problems are equivalent, where (for \(Q \ge \ell -k\)) the reduction loses a factor \(\ell -k\).

Lemma 2

(Random self-reducibility of \(\mathcal {D}_{\ell ,k}\)-\(\mathsf {MDDH}\), [EHK+13]). Let \(\ell ,k,Q \in \mathbb {N}\) with \(\ell >k\). For any PPT adversary \(\mathcal {A}\), there exists an adversary \(\mathcal {B}\) such that \(\mathbf {T}(\mathcal {B}) \approx \mathbf {T}(\mathcal {A}) + Q\cdot \mathsf {poly}(\lambda )\) with \(\mathsf {poly}(\lambda )\) independent of \(\mathbf {T}(\mathcal {A})\), and

$$\begin{aligned} \mathrm {Adv}^{Q \text{- } \mathsf {MDDH}}_{\mathcal {G},\mathcal {D}_{\ell ,k},\mathcal {A}}(\lambda ) \le (\ell -k)\cdot \mathrm {Adv}^{\mathsf {MDDH}}_{\mathcal {G},\mathcal {D}_{\ell ,k},\mathcal {B}}(\lambda ) + \frac{1}{p-1} \end{aligned}$$

where \(\mathrm {Adv}^{Q \text{- } \mathsf {MDDH}}_{\mathcal {G},\mathcal {D}_{\ell ,k},\mathcal {A}}(\lambda ) := | \Pr [\mathcal {A}(\mathbb {G},[\mathbf {A}]_s, [\mathbf {A}\mathbf {W}]_s)=1]-\Pr [\mathcal {A}(\mathbb {G},[\mathbf {A}]_s, [\mathbf {U}]_s) =1] |\) and the probability is over \(\mathbf {A}\leftarrow \mathcal {D}_{\ell ,k}\), \(\mathbf {W}\leftarrow \mathbb {Z}_p^{k \times Q}\), \(\mathbf {U}\leftarrow \mathbb {Z}_p^{\ell \times Q}\).
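The random self-reduction behind Lemma 2 is also what the tight proof of Sect. 1.3 uses to switch all challenge ciphertexts at once, so it is worth seeing in code. The following is an added example (my code, not from [EHK+13] or this paper) that works directly with exponents over \(\mathbb {Z}_p\) for a constructed toy prime: it samples \(\mathbf {A}\) from the \(\mathcal {L}_k\) distribution (the k-\(\mathsf {Lin}\) matrix with \(a_1,\ldots ,a_k\) on the diagonal and a row of ones), and from a single challenge \((\mathbf {A}, \mathbf {z})\) with \(\ell = k+1\) derives Q challenges \(\mathbf {z}_i = \mathbf {A}\mathbf {r}_i + t_i \mathbf {z}\). Since only linear operations on \(\mathbf {z}\) are used, a reduction holding \([\mathbf {z}]_s\) can do the same in the group with known scalars. The function names and the rank-based span test are my own.

```python
# Random self-reducibility of D_k-MDDH for l = k+1 (added example, exponent-level).
# If z = A w then z_i = A (r_i + t_i w) is a fresh "real" sample; if z is uniform
# (hence outside span(A) except with probability 1/p) then (A r_i, t_i z) is uniform
# over Z_p^{k+1}, so the z_i are independent uniform vectors.
import secrets

P = 2**61 - 1  # constructed toy prime standing in for the group order p


def rand_exp(p=P):
    return secrets.randbelow(p)


def sample_lin_matrix(k, p=P):
    """A from the L_k distribution: diag(a_1..a_k) stacked on a row of ones, (k+1) x k, rank k."""
    a = [secrets.randbelow(p - 1) + 1 for _ in range(k)]
    rows = [[a[i] if i == j else 0 for j in range(k)] for i in range(k)]
    rows.append([1] * k)
    return rows


def matvec(A, w, p=P):
    return [sum(A[i][j] * w[j] for j in range(len(w))) % p for i in range(len(A))]


def rank_mod_p(M, p=P):
    """Rank over Z_p by Gaussian elimination on a copy of M (a list of rows)."""
    M = [row[:] for row in M]
    rank = 0
    for c in range(len(M[0])):
        pivot = next((r for r in range(rank, len(M)) if M[r][c] % p), None)
        if pivot is None:
            continue
        M[rank], M[pivot] = M[pivot], M[rank]
        inv = pow(M[rank][c], p - 2, p)
        M[rank] = [x * inv % p for x in M[rank]]
        for r in range(len(M)):
            if r != rank and M[r][c] % p:
                f = M[r][c]
                M[r] = [(x - f * y) % p for x, y in zip(M[r], M[rank])]
        rank += 1
    return rank


def in_span(A, z, p=P):
    """z lies in the column span of A iff adjoining z as a column does not raise the rank."""
    aug = [row + [zi] for row, zi in zip(A, z)]
    return rank_mod_p(aug, p) == rank_mod_p(A, p)


def mddh_challenge(k, real, p=P):
    """One D_k-MDDH challenge (A, z): z = A w if real, otherwise z uniform in Z_p^{k+1}."""
    A = sample_lin_matrix(k, p)
    if real:
        w = [rand_exp(p) for _ in range(k)]
        return A, matvec(A, w, p)
    return A, [rand_exp(p) for _ in range(k + 1)]


def self_reduce(A, z, Q, p=P):
    """Q challenges z_i = A r_i + t_i z with fresh r_i in Z_p^k, t_i in Z_p (same A)."""
    k = len(A[0])
    out = []
    for _ in range(Q):
        r = [rand_exp(p) for _ in range(k)]
        t = rand_exp(p)
        Ar = matvec(A, r, p)
        out.append([(x + t * y) % p for x, y in zip(Ar, z)])
    return out


if __name__ == "__main__":
    for real in (True, False):
        A, z = mddh_challenge(2, real)
        derived = self_reduce(A, z, 8)
        print("real" if real else "random", "input ->",
              sum(in_span(A, zi) for zi in derived), "of", len(derived), "derived samples lie in span(A)")
```

For \(\ell > k+1\) a single \(\mathbf {z}\) outside \(\mathrm {span}(\mathbf {A})\) no longer spans the whole complement, which is where the factor \(\ell -k\) in Lemma 2 comes from; the additive \(1/(p-1)\) term is the event, visible in the comment above, that a uniform \(\mathbf {z}\) happens to fall inside \(\mathrm {span}(\mathbf {A})\).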

2.5 Broadcast Encryption

A broadcast encryption scheme consists of three randomized algorithms \((\mathsf {Setup}, \mathsf {Enc}, \mathsf {Dec})\), along with a fourth deterministic procedure: \(\mathsf {KeyGen}\).

  • \(\mathsf {Setup}(1^{\lambda }, 1^{n}) \rightarrow (\mathsf {pk}, \mathsf {msk})\). The setup algorithm gets as input the security parameter \(1^\lambda \) and the number of users \(1^n\). It outputs the public parameters \(\mathsf {pk}\) and master secret key \(\mathsf {msk}\).

  • \(\mathsf {KeyGen}(\mathsf {msk}, i) \rightarrow \mathsf {sk}_i\). The key generation algorithm gets as input the master secret key \(\mathsf {msk}\) and an index \(i \in [n]\). It (deterministically) outputs the secret key for user i: \(\mathsf {sk}_i\).

  • \(\mathsf {Enc}(\mathsf {pk}, \varGamma , M) \rightarrow \mathsf {ct}_\varGamma \). The encryption algorithm gets as input \(\mathsf {pk}\), a subset \(\varGamma \subseteq [n]\), and a message M. It outputs a ciphertext \(\mathsf {ct}_{\varGamma }\). Here, \(\varGamma \) is public given \(\mathsf {ct}_\varGamma \).

  • \(\mathsf {Dec}(\mathsf {pk}, \mathsf {sk}_i, \mathsf {ct}_\varGamma ) \rightarrow M\). The decryption algorithm gets as input \(\mathsf {pk}, \mathsf {sk}_i\), and \(\mathsf {ct}_{\varGamma }\). It outputs a message M.

Correctness.

We require that for all \(\varGamma \subseteq [n]\), messages M, and \(i \in [n]\) for which \(i \in \varGamma \),

$$\begin{aligned} \Pr [\mathsf {ct}_\varGamma \leftarrow \mathsf {Enc}(\mathsf {pk}, \varGamma , M), \mathsf {sk}_i \leftarrow \mathsf {KeyGen}(\mathsf {msk}, i); \mathsf {Dec}(\mathsf {pk}, \mathsf {sk}_i, \mathsf {ct}_\varGamma ) = M] = 1 \end{aligned}$$

where the probability is taken over \((\mathsf {pk}, \mathsf {msk}) \leftarrow \mathsf {Setup}(1^{\lambda }, 1^{n})\) and the coins of \(\mathsf {Enc}\).

Fig. 4. \(\mathsf {BE}_\mathsf {composite}\), an adaptively secure broadcast encryption scheme based on composite-order bilinear groups.

Security.

For an adversary \(\mathcal {A}\), we define the advantage function

$$\begin{aligned} \mathrm {Adv}_{\mathcal {A}}^{\mathsf {BE}}(\lambda ):=\left| \Pr _{(b, \mathsf {pk}, \mathsf {msk}) \leftarrow \mathsf {SetupO}}\left[ \begin{array}{l} b'=b \end{array} \; \left| \; b' \leftarrow \mathcal {A}^{\mathsf {KeyGenO}(\cdot ),\mathsf {EncO}(\cdot ,\cdot )}(1^\lambda ) \right. \right] - 1/2 \right| \end{aligned}$$

where:

  • \(\mathsf {SetupO}\) samples and , and returns \(\mathsf {pk}\). \(\mathsf {SetupO}\) is called once at the beginning of the game.

  • \(\mathsf {KeyGenO}(i\in [n])\) returns \(\mathsf {KeyGen}(\mathsf {msk},i)\).

  • If \(M_0\) and \(M_1\) are two messages of equal length, and \(\varGamma \subset [n]\), \(\mathsf {EncO}(\varGamma ,M_0,M_1)\) returns \(\mathsf {Enc}(\mathsf {pk},\varGamma ,M_b)\).

with the restriction that all queries \(i\in [n]\) that \(\mathcal {A}\) makes to \(\mathsf {KeyGenO}(\cdot )\) and all queries \(\varGamma \subset [n]\) that it makes to \(\mathsf {EncO}\) satisfy \(i \notin \varGamma \) (that is, \(\mathsf {sk}_i\) does not decrypt \(\mathsf {ct}_{\varGamma }\)).

Note that this definition allows the adversary to query \(\mathsf {EncO}\) multiple times. We call this the multi-challenge setting and say that a broadcast encryption scheme is adaptively secure in the multi-challenge setting if for all PPT adversaries \(\mathcal {A}\), \(\mathrm {Adv}_{\mathcal {A}}^{\mathsf {BE}}(\lambda )\) is a negligible function in \(\lambda \).

If we only consider adversaries that query \(\mathsf {EncO}\) once, we have the standard notion of adaptive security. Namely, we say that a broadcast encryption scheme is adaptively secure if for all PPT adversaries \(\mathcal {A}\) that issue only one query to \(\mathsf {EncO}\), \(\mathrm {Adv}_{\mathcal {A}}^{\mathsf {BE}}(\lambda )\) is a negligible function in \(\lambda \).
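The syntax of Sect. 2.5 and the adaptive multi-challenge game, as an added example that is not part of the paper and is not \(\mathsf {BE}_\mathsf {composite}\) or \(\mathsf {BE}_\mathsf {prime}\): the instantiation below is the trivial baseline the introduction contrasts with BGW-style schemes, a hashed-Diffie-Hellman wrapping of the message once per authorized user, so the ciphertext overhead grows linearly with \(|\varGamma |\) and \(\mathsf {pk}\) is linear in n. The group (a 61-bit prime modulus, generator 5) and the 32-byte SHA-256 pad are constructed toy choices. The \(\mathsf {AdaptiveGame}\) class plays the challenger: it samples b in \(\mathsf {SetupO}\), answers \(\mathsf {KeyGenO}\) and \(\mathsf {EncO}\), and enforces the restriction \(i \notin \varGamma \) in both query orders (a key query for a user who is already in some challenge set, and a challenge set containing an already corrupted user), which is the adaptivity the definition grants the adversary.

```python
import hashlib
import hmac
import secrets

# Constructed toy group: NOT a secure parameter choice, only enough to run the syntax.
P = (1 << 61) - 1
G = 5
MSG_LEN = 32  # messages of at most 32 bytes are wrapped with one SHA-256 pad


def _exponent(msk: bytes, i: int) -> int:
    # Deterministic derivation of user i's secret exponent x_i from msk.
    tag = hmac.new(msk, i.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(tag, "big") % (P - 1)


def Setup(n: int):
    """Setup(1^lambda, 1^n) -> (pk, msk); lambda is fixed by the toy group, so only n is taken."""
    msk = secrets.token_bytes(32)
    pk = {"n": n, "users": [pow(G, _exponent(msk, i), P) for i in range(n)]}
    return pk, msk


def KeyGen(msk: bytes, i: int):
    """KeyGen(msk, i) -> sk_i. Deterministic: the same (msk, i) always yields the same key."""
    return (i, _exponent(msk, i))


def _wrap(shared: int, data: bytes) -> bytes:
    # XOR with a pad derived from the shared DH value; applying it twice undoes it.
    pad = hashlib.sha256(shared.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data.ljust(MSG_LEN, b"\0"), pad))


def Enc(pk, gamma, M: bytes):
    """Enc(pk, Gamma, M) -> ct_Gamma. Gamma travels in the clear inside the ciphertext."""
    gamma = frozenset(gamma)
    if len(M) > MSG_LEN or not gamma <= set(range(pk["n"])):
        raise ValueError("bad recipient set or message length")
    r = 1 + secrets.randbelow(P - 2)
    c0 = pow(G, r, P)
    wraps = {i: _wrap(pow(pk["users"][i], r, P), M) for i in gamma}
    return {"gamma": gamma, "c0": c0, "wraps": wraps, "len": len(M)}


def Dec(pk, sk_i, ct):
    """Dec(pk, sk_i, ct_Gamma) -> M, or None when user i is not in Gamma."""
    i, x = sk_i
    if i not in ct["gamma"]:
        return None
    return _wrap(pow(ct["c0"], x, P), ct["wraps"][i])[: ct["len"]]


def correctness_holds(n: int, gamma, M: bytes) -> bool:
    """The correctness requirement: every i in Gamma recovers M; others are not in Gamma."""
    pk, msk = Setup(n)
    ct = Enc(pk, gamma, M)
    return all(Dec(pk, KeyGen(msk, i), ct) == M for i in gamma) and all(
        Dec(pk, KeyGen(msk, i), ct) is None for i in set(range(n)) - set(gamma)
    )


def admissible(corrupted, challenged, i=None, gamma=None) -> bool:
    """The game restriction: no KeyGenO index may lie in any EncO set, whatever the order."""
    if i is not None and any(i in g for g in challenged):
        return False
    if gamma is not None and set(corrupted) & set(gamma):
        return False
    return True


class AdaptiveGame:
    """Challenger for the adaptive security game; multiple EncO queries are allowed."""

    def __init__(self, n: int):
        self.n, self.b = n, None
        self.corrupted, self.challenged = set(), []
        self.pk = self.msk = None

    def SetupO(self):
        self.b = secrets.randbelow(2)
        self.pk, self.msk = Setup(self.n)
        return self.pk

    def KeyGenO(self, i: int):
        if not admissible(self.corrupted, self.challenged, i=i):
            raise PermissionError(f"user {i} already lies in a challenge set")
        self.corrupted.add(i)
        return KeyGen(self.msk, i)

    def EncO(self, gamma, M0: bytes, M1: bytes):
        if len(M0) != len(M1):
            raise ValueError("challenge messages must have equal length")
        if not admissible(self.corrupted, self.challenged, gamma=gamma):
            raise PermissionError("a corrupted user lies in Gamma")
        self.challenged.append(frozenset(gamma))
        return Enc(self.pk, gamma, (M0, M1)[self.b])

    def guess(self, b_prime: int) -> bool:
        return b_prime == self.b
```

Restricting an adversary to a single `EncO` call gives the standard adaptive notion; leaving the number of calls open gives the multi-challenge notion, and the challenger's bookkeeping is identical in both cases.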

Fig. 5. \(\mathsf {BE}_\mathsf {prime}\), an adaptively secure broadcast encryption scheme based on prime-order bilinear groups.

Note that a scheme being adaptively secure implies that it is also adaptively secure in the multi-challenge setting via a hybrid argument over the challenge ciphertexts. However, this incurs a security loss proportional to the number of challenge ciphertexts. In Sect. 5, we present a scheme with a tight reduction in the multi-challenge security proof that avoids this loss.

3 Composite-Order Construction

Figure 4 shows our composite order construction. The security proof is given in the full version of this paper [GKW18, Sect. 4].

4 Prime Order Construction

Our prime-order construction is detailed in Fig. 5. The security proof is given in the full version of this paper [GKW18, Sect. 6].

5 Tightly Secure, Prime Order Construction

We give the description of our construction and its security proof in the full version of this paper [GKW18, Sects. 7 and 8].