Public Key Broadcast Encryption Scheme Research Articles

Combinatorial Subset Difference-IoT-Friendly Subset Representation and Broadcast Encryption.

In the Internet of Things (IoT) systems, it is often required to deliver a secure message to a group of devices. The public key broadcast encryption is an efficient primitive to handle IoT broadcasts, by allowing a user (or a device) to broadcast encrypted messages to a group of legitimate devices. This paper proposes an IoT-friendly subset representation called Combinatorial Subset Difference (CSD), which generalizes the existing subset difference (SD) method by allowing wildcards (*) in any position of the bitstring. Based on the CSD representation, we first propose an algorithm to construct the CSD subset, and a CSD-based public key broadcast encryption scheme. By providing the most general subset representation, the proposed CSD-based construction achieves a minimal header size among the existing broadcast encryption. The experimental result shows that our CSD saves the header size by 17% on average and more than 1000 times when assuming a specific IoT example of IP address with 20 wildcards and total users, compared to the SD-based broadcast encryption. We prove the semantic security of CSD-based broadcast encryption under the standard l-BDHE assumption, and extend the construction to a chosen-ciphertext-attack (CCA)-secure version.

Adaptively secure certificate-based broadcast encryption and its application to cloud storage service

The existing public key broadcast encryption schemes are mainly constructed in identity-based cryptosystem, which bears the inherent problems of key escrow and key distribution. The certificate-based encryption mechanism can effectively address the problems in identity-based cryptosystem. Meanwhile, it simplifies the certificate revocation issue for traditional public key cryptosystem. Inspired by the idea of certificate-based encryption, we put forward the new primitive certificate-based broadcast encryption as well as its formal definition and security model. In virtue of prime order bilinear groups, we present an instantiation scheme of certificate-based broadcast encryption. To our best knowledge, the proposed scheme is the first adaptively secure scheme for certificate-based broadcast encryption in the standard model against chosen-ciphertext attack. Compared with the previous work, our scheme has advantages in the respects of computation cost as well as security properties. Furthermore, we present an application scenario of the proposed scheme for data access control in cloud storage service.

Adaptively secure efficient broadcast encryption with constant-size secret key and ciphertext

In those broadcast application scenarios with a great quantity of receivers, e.g., the data access control system in cloud storage service, the single sender is apt to become the efficiency bottleneck of the system, because the computation and storage overhead of the sender will grow rapidly with the amount of qualified receivers. In order to overcome this problem, we first introduce the novel conception of complete binary identity tree which is adopted to manage the qualified receivers. Then we design the prune-merge algorithm to further optimize the structure of the tree and cut down the amount of receivers. The algorithm effectively reduces the computation and storage cost of the trusted authority in the system. Subsequently, in virtue of composite-order bilinear groups, we bring forward an efficient public key broadcast encryption scheme combined its application to the system of data access control in cloud storage service. Compared with the existing schemes, the lengths of system public parameters, secret key and ciphertext in our scheme are all constant. In addition, the number of secret keys in our scheme increases logarithmically with the maximum amount of receivers, while the numbers of secret keys in the existing schemes increase linearly with the maximum amount of receivers. Furthermore, the proposed scheme is proved to guarantee adaptive security under general subgroup decision assumption in the standard model. The performance analysis manifests that our scheme is feasible for those broadcast applications with fixed senders.

New Constructions of Revocable Identity-Based Encryption From Multilinear Maps

A revocable identity-based encryption (RIBE) provides an efficient revocation method in IBE that a trusted authority periodically broadcasts an update key for nonrevoked users and a user can decrypt a ciphertext if he is not revoked in the update key. Boldyreva, Goyal, and Kumar (CCS 2008) defined RIBE and proposed an RIBE scheme that uses a tree-based revocation encryption scheme to revoke users’ private keys. In this paper, we devise a new technique for RIBE and propose RIBE schemes with a constant number of private key elements. We achieve the following results. We first devise a new technique for RIBE that combines a hierarchical IBE (HIBE) scheme and a public-key broadcast encryption (PKBE) scheme using multilinear maps. In contrast to the previous technique for RIBE, our technique uses a PKBE scheme in bilinear maps for revocation to achieve short private keys and update keys. Following our new technique for RIBE, we propose an RIBE scheme in three-leveled multilinear maps that combines the HIBE scheme of Boneh and Boyen (EUROCRYPT 2004) and the PKBE scheme of Boneh, Gentry, and Waters (CRYPTO 2005). The private key and update key of our scheme possess a constant number of group elements. Next, we propose another RIBE scheme with reduced public parameters and short keys by combining the HIBE scheme of Boneh and Boyen and the PKBE scheme of Boneh, Waters, and Zhandry (CRYPTO 2014), which uses multilinear maps. Compared with our first RIBE scheme, our second RIBE scheme requires high-leveled multilinear maps.

Adaptively secure broadcast encryption under standard assumptions with better efficiency

In this study, the authors present an efficient public-key broadcast encryption (PKBE) scheme with sub-linear size of public keys, private keys and ciphertexts and prove its adaptive security under standard assumptions. Compared with the currently best scheme of Garg et al. (CCS 2010) that provides adaptive security under standard assumptions and sub-linear size of various parameters, the ciphertext size of the author's scheme is 94% shorter and the encryption algorithm of their scheme is also 2.8 times faster than the scheme of Garg et al. To achieve their scheme, they adapt the dual system encryption technique of Waters. However, there is a challenging problem to use this technique for the construction of PKBE with sub-linear size of ciphertexts such as a tag compression problem. To overcome this problem, they first devise a novel tag update technique for broadcast encryption. Using this technique, they build an efficient PKBE scheme in symmetric bilinear groups, and prove its adaptive security under standard assumptions.

Adaptively Anonymous Public-Key Broadcast Encryption Scheme without Random Oracle

Anonymous is one of the most important security properties for kinds of Internet applications. In this paper, we consider the privacy-preserving problem in the context of public key broadcast encryption. We provide a new security definition for anonymous public key broadcast encryption, and construct a new scheme. To achieve anonymous, we blind the ciphertexts using the random factors. Moreover, we use a pair of orthogonal bases to construct secret key and ciphertexts for proper decryption. Our anonymous publickey broadcast encryption scheme can be proven in the adaptive model without random oracle. The key technique used to obtain our result is an elaborate combination of the dual system encryption proposed by Waters and a new approach on bilinear pairings using the notion of dual pairing vector spaces (DPVS) proposed by Okamoto and Takasima.

Adaptive CCA broadcast encryption with constant-size secret keys and ciphertexts

We consider designing public-key broadcast encryption schemes with constant-size secret keys and ciphertexts, achieving chosen-ciphertext security. We first argue that known CPA-to-CCA transforms currently do not yield such schemes. We then propose a scheme, modifying a previous selective CPA secure proposal by Boneh, Gentry, and Waters. Our scheme has constant-size secret keys and ciphertexts, and we prove that it is selective chosen-ciphertext secure based on standard assumptions. Our scheme has ciphertexts that are shorter than those of the previous CCA secure proposals. Then, we propose a second scheme that provides the functionality of both broadcast encryption and revocation schemes simultaneously using the same set of parameters. Finally, we show that it is possible to prove our first scheme adaptive chosen-ciphertext secure under reasonable extensions of the bilinear Diffie–Hellman exponent and the knowledge-of-exponent assumptions. We prove both of these extended assumptions in the generic group model. Hence, our scheme becomes the first to achieve constant-size secret keys and ciphertexts (both asymptotically optimal) and adaptive chosen-ciphertext security at the same time.

Transmission-Efficient Broadcast Encryption Scheme with Personalized Messages

Broadcast encryption scheme with personalized messages (BEPM) is a new primitive that allows a broadcaster to encrypt both a common message and individual messages. BEPM is necessary in applications where individual messages include information related to user's privacy. Recently, Fujii et al. suggested a BEPM that is extended from a public key broadcast encryption (PKBE) scheme by Boneh, Gentry, and Waters. In this paper, we point out that 1) Conditional Access System using Fujii et al.'s BEPM should be revised in a way that decryption algorithm takes as input public key as well, and 2) performance analysis of Fujii et al.'s BEPM should be done depending on whether the public key is transmitted along with ciphertext or stored into user's device. Finally, we propose a new BEPM that is transmission-efficient, while preserving O(1) user storage cost. Our construction is based on a PKBE scheme suggested by Park, Kim, Sung, and Lee, which is also considered as being one of the best PKBE schemes.

CP2: Cryptographic privacy protection framework for online social networks

In Online Social Networks (OSNs), users interact with each other by sharing their personal information. One of the concerns in OSNs is how user privacy is protected since the OSN providers have full control over users’ data. The OSN providers typically store users’ information permanently; the privacy controls embedded in OSNs offer few options to users for customizing and managing the dissipation of their data over the network. In this paper, we propose an efficient privacy protection framework for OSNs that can be used to protect the privacy of users’ data and their online social relationships from third parties. The recommended framework shifts the control over data sharing back to the users by providing them with flexible and dynamic access policies. We employ a public-key broadcast encryption scheme as the cryptographic tool for managing information sharing with a subset of a user’s friends. The privacy and complexity evaluations show the superiority of our approach over previous.

Efficient provably-secure hierarchical key assignment schemes

A hierarchical key assignment scheme is a method to assign some private information and encryption keys to a set of classes in a partially ordered hierarchy, in such a way that the private information of a higher class can be used to derive the keys of all classes lower down in the hierarchy. In this paper we design and analyze hierarchical key assignment schemes which are provably secure and support dynamic updates to the hierarchy with local changes to the public information and without requiring any private information to be re-distributed. – We first consider the problem of constructing a hierarchical key assignment scheme by using as a building block a symmetric encryption scheme. We propose a new construction which is provably secure with respect to key indistinguishability, requires a single computational assumption, and improves on previous proposals. – Then, we show how to construct a hierarchical key assignment scheme by using as a building block a public-key broadcast encryption scheme. In particular, one of our constructions provides constant private information and public information linear in the number of classes in the hierarchy.

무인증서 공개키 암호에 기반한 다중수신자 암호 기법 및 응용

본 논문에서는 신원기반 다중수신자 암호 기법의 장점인 묵시적 인증을 제공하는 동시에 키 위탁문제를 해결하기 위한 무인증서 공개키 암호 기술 기반의 새로운 다중수신자 암호 기법을 소개한다. 제안 기법은 다중수신자에 대한 메시지 암호화 단계에서 겹선형 페어링 연산을 제거하였을 뿐만 아니라 복호화 단계에서 단 한 번의 겹선형 페어링 연산만을 요구하는 매우 효율적인 다중수신자 암호 기법이다. 또한, 본 논문에서는 제안 기법을 이용하여 스테이트리스 수신자 환경을 위한 서브셋-커버 프레임워크 기반의 새로운 공개키 브로드캐스트 암호 기법을 제시한다. In this paper we introduce the notion of multi-receiver certificateless encryption that avoids the inherent key escrow problem of multi-receiver identity-based encryption, and also present a highly efficient multi-receiver certificateless encryption scheme which eliminates pairing computation to encrypt a message for multiple receivers, Moreover, the proposed scheme only needs one pairing computation to decrypt the ciphertext. Finally, we discuss how to properly transform our scheme into a new public key broadcast encryption scheme for stateless receivers based on the subset-cover framework, which enjoys the advantages of certificateless cryptography.

Authenticated public key broadcast encryption scheme secure against insiders’ attack

Broadcast encryption schemes have been studied in the past decades. Recently, insiders’ attack on the broadcast encryption scheme has been attracted attention among researchers. So, several broadcast encryption schemes with sender authentication have been proposed. However, since broadcast message size in previous schemes increases linearly at the number of target members, the previous schemes are not suitable for the group with large members. In this paper, we propose a new authenticated public key broadcast encryption scheme called ω -APKBE scheme. The proposed ω -APKBE scheme provides sender authentication property with a constant size broadcast message which is nonlinear on the number of target members. Hence, the proposed scheme is more compatible to the dynamic group with large members than the previous schemes.

Secure multicast scheme based on public key broadcast encryption

The difficulty of utilizing public key broadcast encryption in secure multicast is keep balance between implementation cost and security. Taking identity to differentiate each receiver,and using a group of identities instead of group public key in general public key broadcast encryption schemes,the length of system public key parameters was shorten. The procedures of secure multicast communications utilizing the new scheme show that the new scheme is efficient in decreasing the cost of computation and communication,and reaches the semantic security that can fight against chosen ciphertext attack.

Public Key Broadcast Encryption Schemes With Shorter Transmissions

Broadcast encryption allows a sender to securely distribute messages to a dynamically changing set of users over an insecure channel. In a public key broadcast encryption (PKBE) scheme, this encryption is performed in the public key setting, where the public key is stored in a user's device, or directly transmitted to the receivers along with ciphertexts. In this paper, we propose two PKBE schemes for stateless receivers which are transmission-efficient. A distinctive feature in our first construction is that, different than existing schemes in the literature, only a fraction of the public key related to the set of intended receivers is required in the decryption process. This feature results in the first PKBE scheme with O(r) transmission cost and O(1) user storage cost for r revoked users. Our second construction is a generalized version of the first one providing a tradeoff between ciphertext size and public key size. With appropriate parametrization, we obtain a PKBE scheme with (Oradicn) transmission cost and O(1) user storage cost for any large set of n users. The transmission cost of our second scheme is at least 30\% less than that of the recent result of Boneh et al.'s PKBE scheme, which is considered as being the current state-of-the-art. By combining the two proposed schemes, we suggest a PKBE scheme that achieves further shortened transmissions, while still maintaining O(1) user storage cost. The proposed schemes are secure against any number of colluders and do not require costly re-keying procedures followed by revocation of users.

전방향 안전성을 보장하는 공개키 브로드캐스트 암호 기법

본 논문에서는 전방향 안전성(forward-secrecy)을 보장하는 공개키 브로드캐스트 암호 기법을 제안한다. 공개키 브로드캐스트 암호는 공개키를 이용하여 구성원 누구나 메시지를 전송할 수 있고, 탈퇴자 그룹을 효율적으로 배제(revocation)할 수 있는 기법이다. 여기에 전방향 안전성을 보장하려는데, 전방향 안전성은 사용자의 비밀키가 노출되더라도 그 노출된 시점 이전의 암호문을 쉽게 복호화 할 수 없도록 하는 것이다. 이러한 기능이 없다면 권한 없는 수신자가 과거의 방송을 수집하고 이후 정당한 비밀키를 받아서 과거의 방송을 복호화할 수 있는 문제가 발생한다. 전방향 안전성은 특히 유료 방송 등의 환경에서 요구된다. 본 논문에서 제안되는 기법은 2005년 Boneh-Boyen-Goh가 제시한 계층구조의 신원 기반 암호기법을 변형하여 설계된다. 먼저 BBG기법을 사용하여 새로운 공개키 브로드캐스트 암호기법을 설계하고, 다시 BBG 기법에서 사용된 하위레벨 비밀키 생성 알고리즘을 사용하여 전방향 안전성을 부여한다. 제안되는 기법은 타원곡선 위의 페어링(pairing)을 이용하여 설계되며, 전체 사용자 n에 대하여 <TEX>$O(\sqrt{n})$</TEX> 사이즈의 통신량과 비밀키 저장량을 가진다. 특히 비밀키 저장량은 탈퇴자 수가 증가할수록 줄어드는 장점을 가진다. 통신량이 중요한 환경에서는 이전에 제시된 기법보다 본 논문에서 제안된 기법을 사용하는 것이 더 바람직한데, 이는 통신량은 동일하지만 비밀키 저장량이 더 적기 때문이다. 제안된 기법은 Bilinear Diffie-Hellman Exponent 가정 하에서 선택 암호문 공격에 안전하도록 설계되며, 그 증명은 랜덤 오라클을 사용하지 않는다. Public Key Broadcast Encryption (PKBE) allows a sender to distribute a message to a changing set of users over an insecure channel. PKBE schemes should be able to dynamically exclude (i.e., revoke) a certain subset of users from decrypting a ciphertext, so that only remaining users can decrypt the ciphertext. Another important requirement is for the scheme to be forward-secrecy. A forward-secure PKBE (fs-PKBE) enables each user to update his private key periodically. This updated private key prevents an adversary from obtain the private key for certain past period, which property is particularly needed for pay-TV systems. In this paper, we present a fs-PKBE scheme where both ciphertexts and private keys are of <TEX>$O(\sqrt{n})$</TEX> size. Our PKBE construction is based on Boneh-Boyen-Goh's hierarchical identity-based encryption scheme. To provide the forward-secrecy with our PKBE scheme, we again use the delegation mechanism for lower level identities, introduced in the BBG scheme. We prove chosen ciphertext security of the proposed scheme under the Bilinear Diffie-Hellman Exponent assumption without random oracles.

A Fully Public Key Tracing and Revocation Scheme Provably Secure Against Adaptive Adversary

A broadcast encryption allows the sender to securely distribute content to a dynamically changing group of users over a broadcast channel. A public key tracing and revocation scheme can combine the public key encryption with the traitor tracing algorithm. This paper proposes a fully public key tracing and revocation scheme. The salient feature of the scheme is that the secret keys of the users are chosen by the users themselves, while in the previous public key broadcast encryption schemes, the broadcaster publishes the encryption key and distributes the individual secret keys to the users. The scheme deals with the setting of stateless receivers. When the traitors are found, the sender can revoke them without involvement of the remaindering receivers. The encryption algorithm in the scheme is semantically secure against adaptive chosen cipher-text attacks based on the DDH assumption.