1 Introduction

This era is period of communication technology and internet. Everyone is now dependent on these technologies to accomplish their various day-to-day tasks like personal, official, financial etc. Increasing demand and daily use of these techniques requires security measures in tight and vigilant mode because it brings security breach issues by leakage of private information. To eliminate such risks, various cryptographic techniques were studied in past years. Broadcast encryption schemes were studied a lot in early years. Broadcast encryption scheme allows a user to broadcast the information in a secret manner to set of authorized users so that encrypted message may be only received by authorized uses. Fiat and Naor [1] was the first who established the concept of collusion-resistant broadcast encryption. Boneh et al. [2] constructed a collusion-resistant broadcast encryption scheme having short cipher texts and private keys. Broadcast encryption scheme with constant size ciphertexts or decryption keys which is fully collusion secure was proposed by Delerablée et al. [3]. Boneh et al. presented a Traitor-Tracing scheme with Short Ciphertexts and Private Keys which was fully Collusion Resistant. Their scheme [4] enhances the security features of public-key Broadcast Encryption schemes.

ID based encryption scheme was established by Shamir [5] in which public key of each user is an arbitrary string. However, Boneh and Franklin [6] proposed the first IBE scheme using Weil pairing. The first completely secure Identity Based Encryption in random oracle model was proposed by Gentry [7].

An Identity based broadcast encryption scheme is the well-accepted primitive which has been studied in early years. Sakai and Furukawa [8] and Delereblee [9] explored the IBE scheme with constant size cipher texts and private keys. The later scheme was based on Key Encapsulation Mechanism (KEM) for encryption of large messages using a short symmetric key and was more efficient. Lately, using an O(log n)-way multi-linear map for n users, Boneh et al. [10] proposed an IBBE scheme. Li and Yanli, constructed an efficient IBBE scheme without random oracle model. The scheme relies on the asymmetric decisional bilinear Diffie-Hellman Exponent (DBDHE) assumption [11]. Kim et al. [12] constructed an ID based Broadcast Encryption system for stateless receivers with constant size ciphertext in the standard model which is fully collusion-resistant and an adaptively secure. In addition, the size of the private keys and public key of the system both are linear in respect of the maximum number of receivers.

Wu et al. [13] proposed the primitive of Contributory Broadcast Encryption (CBE) scheme in which a common public encryption key is shared among group of users while each user owns a distinct decryption key. The building block of this CBE scheme was Aggregatable Broadcast Encryption (ABE) which was originally based on Aggregatable Signature based broadcast offered in [14]. Up to that time, aggregatability was mostly taken in consideration under the signature setting [15] and subjected to trim down the storage overhead and the signature verification time for huge numbers of signatures to be stored and verified.

The shortcoming of CBE scheme is that it doesn’t support the system where users changes dynamically. In recent years many IBBE schemes were studied but a little attention was paid to recruit new system users in IBBE scheme. Li et al. [16] proposed an IBBE scheme with constant cipher text using KEM without multilinear maps to recruit new users. Their scheme was combination of IBE scheme and ABE scheme and was secure for open networks. Our scheme also support the system where users dynamically changes and have lower set up cost while maintaining security in open networks. Its more efficient than IBBE scheme in [16].

In this paper firstly we will discuss preliminaries which are the basis of our scheme. Then in next section, we will explain our proposed scheme. This section will include all the steps involved in this scheme. The next section will cover the scheme analysis of our scheme which includes cost analysis, performance analysis, security analysis and storage analysis of our scheme. This section also contains a table which flaunts our scheme performance over other existing scheme in terms of cost of transmission and computation for system setup, transmission cost and computation cost to add new user. In last, we will conclude our results under the title “Conclusion”.

2 Preliminaries

2.1 Bilinear Maps

Let G be an additive cyclic group of order p and G′ be a multiplicative cyclic group of same order p, where p is a prime number. A bilinear mapping e:G × G → G′ holds the following properties:

  • Bilinearity: ∀u,v∈G, ∀a,b∈ Z, e(ua,vb) = e(u,v)ab

  • Non-degeneracy: \(\exists\) generator g \(\in\) G where (g, g) ≠ 1.

  • Computability: ∀u,v∈G, e(u,v) can be computed effectively.

2.2 Assumption for Computation

The basis of computational assumption of our scheme is Decision n-Bilinear Deffie-Hellman Exponent (n-BDHE) problem. For a given gi = \(g^{{\alpha_{i} }}\)\(\in\) G1 for \(1 \le i,i \ne n + 1 \le 2n\) where \(\alpha \in Z_{q}\) is unknown and G1 and \(G_{2}\) are same as discussed above; to choose if Z = \(e(g,h)^{n + 1} \in G_{2}\) where Z is not known and chosen randomly from G2. The assumption of Decision n-BDHE holds the belief that it is not possible to solve the Decision n-BDHE problem using any algorithm within polynomial-time.

3 Our Proposal

3.1 SD Para Gen (λ,n)

It takes security parameter λ and total no. of system users n as input, the PKG chooses two cyclic multiplicative group U and V with large prime of order p where a is generator of U. There is also an efficient bilinear map e:UXU \(\to\) V. The PKG arbitrarily chooses master secret key \(MSK = s' \in Zp*\) and computes \(a_{0} = a^{s'} \in U\). Then PKG chooses hash function \(H:\left\{ {0,1} \right\}* \to U\) and a symmetric-key encryption scheme \(\varepsilon k(.)/Dk(.)\) where K is session key for encryption of the sending message. Now Private Key Generator (PKG) holds master secret key s’ and publish the following tuple of parameters:

$$\varPi = \left\{ {p,U,V,e,a,a_{0} ,H,\mathop \varepsilon \nolimits_{k} (.)/\mathop D\nolimits_{k} (.)} \right\}$$

SD extract (s’, IDi): On using input s’ and user Ni’s identity \(\mathop {ID}\nolimits_{i} \in \left\{ {0,1} \right\}*\), it computes \(\mathop {id}\nolimits_{i} = H(\mathop {ID}\nolimits_{i} )\) and \(\mathop k\nolimits_{i} = id_{i}^{s'}\), where \(\mathop k\nolimits_{i}\) is Ni’s private key.

3.2 SD Setup (s’, \(\varPi\), N)

On using input s’, the system users \(N = \left\{ {N_{1} ,N_{2} \ldots N_{n} } \right\}\), the PKG computes the following actions:

  1. 1)

    Setting up of public broadcast encryption: For \(0 \le i \le n\), randomly chooses \(\mathop A\nolimits_{i} \in U/\left\{ i \right\}\), \(r_{i} \in Z_{p}^{*} s.t.\) if \(m_{1} \ne m_{2}\) then \(A_{{m_{1} }} \ne A_{{m_{2} }}\) and \(r_{{m_{1} }} \ne r_{{m_{2} }}\) and computes \(R_{i} = a^{{ - r_{i} }} ,B_{i} = e(A_{i} ,a).\) It publishes the public broadcast encryption key as \(K_{pub} = ((R_{0} ,B_{0} ) \ldots (R_{n} ,B_{n} ))\) and keep \(K_{\sec } = ((r_{0} ,A_{0} ) \ldots (r_{n} ,A_{n} ))\) secret.

  2. 2)

    Generating the decryption key of users: For \(0 \le i \le n\), it computes decryption key for user Ni as di = \((\psi_{0,i} ,\psi_{1,i} \ldots \psi_{n,i} )\) where \(\psi_{k,i} = null\) under the following restrictions:

  3. a.

    K = 2 and i = 1

  4. b.

    K = i where \(1 \le i \le n\)

  5. c.

    K = 2i & k = [(n + 2) − ((2i + n)mod(n + 1))] where \(2 \le i \le \left\lceil {n/2} \right\rceil\)

  6. d.

    K = 2(n − i) & k = 2imod(n + 1) where \(\left\lceil {n/2} \right\rceil < i \le n\)

Here, \(\left\lceil x \right\rceil\) denotes least integer not less than x.

3.3 SD Encrypt (\(\varPi ,S,K_{pub} ,m\))

Message M can be broadcasted by any sender who knows the public broadcast encryption key \(K_{pub}\) to the receiver set S by following actions:

  1. 1.

    Set \(\overline{S}\) = {0….n}\S and choose q randomly from Zp to get the session key \(\xi = (\varPi_{{i \in \overline{S} }} B_{i} )^{q}\) p

  2. 2.

    It gives the ciphertext C = (C1, C2, C3) as output where C1 = \(a^{q}\),C2 = \((\varPi_{{i \in \overline{S} }} R_{i} )^{q}\)), C3 = \(\varepsilon_{\xi } (M)\)

  3. 3.

    Finally broadcast (S,C) to receivers.

3.4 SD Decrypt (\(\varPi ,S,N_{i} ,d_{i} ,K_{i} ,C\))

Take \(i \in S\). For decryption of the cipher text C with the use of decryption key di and private key Ki, user Ni can proceed as given below:

  • Computation of session key: \(\xi = e(\varPi_{{i \in \overline{R} }} \psi_{j,i} ,c_{1} ) \cdot e(k_{i} ,c_{2} )\)

  • Decryption using session key: i.e. M = \(D_{\xi } (c_{3} )\)

The correctness of the IBBE-scheme can be confirmed as-

$$\begin{array}{*{20}l} { = e(\varPi_{{j \in \bar{s}}} \psi_{j,i} ,c_{1} ) \cdot e(k_{i} ,c_{2} )} \hfill \\ { = e(\varPi_{{j \in \bar{s}}} \psi_{j,i} ,a^{q} ) \cdot e(k_{i} ,(\varPi_{{i \in \bar{s}}} R_{i} )^{q} )} \hfill \\ { = e(\varPi_{{j \in \bar{s}}} A_{j} H(ID_{i} )^{{r_{j} .s'}} ,a^{q} ) \cdot e(H(ID_{i} )^{s'} ,(\varPi_{{i \in \bar{s}}} a^{{ - r_{i} }} )^{q} )} \hfill \\ { = e(\varPi_{{j \in \bar{s}}} A_{j} ,a^{q} ) \cdot e(\varPi_{{j \in \bar{s}}} H(ID_{i} )^{{r_{j} \cdot s'}} ,a^{q} )e(H(ID_{i} )^{s'} ,(\varPi_{{i \in \bar{s}}} a^{{ - r_{i} }} )^{q} )} \hfill \\ { = e(\varPi_{{j \in \bar{s}}} A_{j} ,a^{q} ) \cdot e(H(ID_{i} )^{{s'\varSigma_{{j \in \bar{s}}} r_{j} }} ,a^{q} )e(H(ID_{i} )^{s'} ,a^{{q[\varSigma_{{i \in \bar{s}}} ( - r_{i} )]}} )} \hfill \\ { = e(\varPi_{{j \in \bar{s}}} A_{j} ,a^{q} ) \cdot e(H(ID_{i} ,a)^{{s'q\varSigma_{{j \in \bar{s}}} r_{j} }} )e(H(ID_{i} ,a)^{{s'q\varSigma_{{i \in \bar{s}}} ( - r_{i} )}} )} \hfill \\ { = e(\varPi_{{j \in \bar{s}}} A_{j} ,a^{q} )} \hfill \\ { = \varPi_{{j \in \bar{s}}} e(A_{j} ,a)^{q} = (\varPi_{{i \in \bar{S}}} B_{i} )^{q} = \xi } \hfill \\ {{\text{Therefore}},\,D_{\xi } (C_{\xi } ) = D_{\xi } (\varepsilon_{\xi } (M)) = M} \hfill \\ \end{array}$$

4 Scheme Analysis

4.1 Cost Analysis

The transmission cost and computation cost for the proposed scheme is \(O((n - 1)^{2} )\) which is \(O(n^{2} )\) for the already mentioned IBBE Scheme.

This can be easily seen with the help of Table 1. All the system users in the proposed scheme can be accessed information delivered by the PKG. In Table 1, note that 1 \(\le\) i \(\le\)\(\left\lceil {n/2} \right\rceil\),\(\left\lceil {n/2} \right\rceil\) < j \(\le\) n and “a” represents the value \([n + 2 - ((2i + n)\bmod (n + 1))]\).The symbol “\(\Downarrow\)” shows that the values below it constitute the key above it.

Table 1 Information published by the PKG
Full size table

In Table 1, the value of each \(\mathop \psi \nolimits_{k,i}\) is null for:

  1. (i)

    \(k = i;1 \le i \le n\)

  2. (ii)

    \(k = 2\& i = 1\)

  3. (iii)

    \(k = 2i\& k = [(n + 2) - ((2i + n)\bmod (n + 1))];2 \le i \le \left\lceil {n/2} \right\rceil\)

  4. (iv)

    \(k = 2(n - i)\&\quad k = 2i\bmod (n + 1);\left\lceil {n/2} \right\rceil < i \le n\)

Otherwise,\(\mathop \psi \nolimits_{k,i} = A_{k} H(ID_{i} )^{{r_{k} s'}} ;0 \le k \le n,1 \le i \le n\), where s′ denotes master secret key which is known to PKG only.

As for the transmission cost and computation cost, in the algorithm SD Setup(), the PKG computes all the values mentioned in Table 1. This Table 1 represents a matrix of order (n + 1, n) i.e. each column has n + 1 rows. In each column (except the first one) PKG have to compute n-2 value (i.e. 2nd onwards each column has 3 null values) and column first has only 2 null values (i.e. PKG have to compute n-1 values for the first column) whatever be the value of n. Hence the total no. of values which must be computed by PKG is (n − 1)\(^{2}\).We can attain lesser costs by employing some other trades-off.

Our scheme also renders advantage over performance for newcomers. Just as the IBBE scheme, PKG only wants to compute as well as publish the rows corresponding to \((R_{n + 1} ,B_{n + 1} )\) and the columns corresponding to \(d_{n + 1}\), where \(R_{n + 1}\) = \(a^{{ - r_{n + 1} }}\),\(B_{n + 1}\) = \(e(A_{n + 1} ,a)\). However, transmission cost as well as computation cost for employing a fresh user is O(n − 2), which serves O(n) in favour of the IBBE scheme.

4.2 Security Analysis

Since our scheme IBBE-SDK is an optimization (up to some extent) of IBBE scheme which is based on the ABE scheme. Therefore it has same security features as the ABE scheme, which relies on the Decision n-BDHE assumption.

4.3 Storage Analysis

In Table 1, \(K_{pub}\) consists of (n + 1) pairs and each pair has one element in \(U\) and another in \(V\). To encrypt messages, a sender needs to store the column of \(K_{pub}\) and therefore the storage required for \(K_{pub}\) is \((n + 1) \cdot (l_{U} + l_{V} )\), where \(l_{U,} l_{V}\) denote the bit-length of element in \(U\) and \(V\) respectively. On the other hand, a receiver needs to hold (n + 1) components in \(U\) for decryption key in addition of one component in \(U\) for her/his private key.

4.4 Performance Analysis

For encryption of a message, user has to compute one symmetric encryption operation and two exponentiations in \(U\).Therefore with the difference of only two elements in \(U\), the final cipher-text almost depends on the cipher-text given by symmetric encryption scheme. For decryption, the computation cost is one symmetric decryption and about two bilinear pairing operations. Therefore, the online cost for our proposed scheme is also lower in comparison of the IBBE scheme [16].

5 Result

Table 2 shows the comparison among our scheme, the IBBE scheme [16] and the ABE scheme. To make clear the comparison among the schemes, values given in Table 2 are in form of their overall magnitude not as per their definite values.

Table 2 Achievement of our scheme over the existing schemes
Full size table

Table 2 shows that our proposed scheme has equivalent performance as the IBBE scheme [16]. However the length of decryption keys in our SD-IBBE scheme is smaller than the length in IBBE scheme (as it consists n-2 tuples on an average, whereas in earlier IBBE scheme it consist n tuples) which will in turn affect storage, transmission and computation costs. Thus, (from Table 2) we can easily conclude that our proposed scheme covers a great lead over the IBBE scheme.

6 Conclusion

Our scheme is extension of IBBE scheme [16] in an efficient way which supports security for open networks using computation cost of O(n) for addition of new user. Our scheme has lesser length for decryption key i.e. n-2 tuples as compared to earlier IBBE scheme which is of n tuples. However, Our scheme’s performance is comparatively effective if we go through the computation cost of a fresh user which is O(n-2), in addition of transmission cost and storage cost without any compromise with security concerns taken in IBBE scheme [16]. Our scheme serves lower cost for addition of new user when compared with other IBBE schemes.