Journal of Information Security and Applications 51 (2020) 102436
Secure and efficient public key multi-channel broadcast encryption schemes
Kamalesh Acharya
School of Computer Sciences, NISER Bhubaneswar, HBNI, Khurda 752050, India
Keywords: Multi-channel broadcast encryption; Selective security; Adaptive security; Dynamic property

Abstract
In the modern era of digital technology, sending different messages to different groups of users is essential in many real-life applications, like TV broadcast, radio broadcast etc. Multi-channel broadcast encryption (MCBE) is a mechanism which sends different messages to different groups of users efficiently. We have proposed two multi-channel broadcast encryption schemes in the public key setting. Our first construction is selectively secure against chosen-plaintext attack, whereas the second one achieves adaptive security, which is the strongest security model in the broadcast setting. Besides, our second construction is dynamic, whereas none of the existing MCBE constructions supports the dynamic property. Moreover, our second MCBE construction is the first inclusive-exclusive MCBE construction, where the broadcaster can reduce the encryption and decryption cost by choosing the smaller of the set of subscribers and the set of revoked users in the encryption and decryption phase respectively.
© 2019 Elsevier Ltd. All rights reserved.
1. Introduction

Broadcast encryption (BE) is a cryptographic technique that sends an encrypted message in such a way that users who have not subscribed cannot recover the message communicated between a broadcaster and subscribers. Due to its numerous applications like pay-TV, internet broadcast, digital rights management etc., different variants of broadcast encryption schemes [4,5,7,8,10,11,13–17,22,24] are available. Usual broadcast encryption sends one message to a group of users; to send different messages to different groups of users, it needs to employ the same or different broadcast encryption schemes repeatedly, which increases the communication bandwidth and computation costs. Multi-channel broadcast encryption (Fig. 1) solves the problem by sending different messages to different groups of users.

BE can be classified into the public key and private (or symmetric) key settings. In symmetric broadcast encryption, the broadcaster and the private key generator (PKG) are the same. Thus the workload of the broadcaster increases, which is not desirable in cryptographic applications. On the other hand, in public key BE, the PKG and the broadcaster are different and the workload of the broadcaster reduces. Furthermore, the setup of a BE cannot be used by another BE scheme as it needs some secure information (like the master key) in the encryption phase.
https://doi.org/10.1016/j.jisa.2019.102436
Broadcast encryption (BE) schemes are divided into static and dynamic, depending on whether the system users must be fixed in the Setup phase. Most broadcast encryption schemes fix the system users in the Setup phase. Dynamic broadcast encryption does not fix the system users in the Setup phase and supports joining of users in the system. It generates public parameters and secret keys on requirement. Thus, it manages storage size efficiently. Dynamic BE is desirable as the group manager can let new users join efficiently.

Depending on the size of the subscribed and revoked (complement of the set of subscribers) user sets, BE schemes are classified into two categories to reduce the computation cost. Some schemes use the subscribed user set as an input in the encryption phase and others use the revoked user set as an input to reduce the computation cost. Both mechanisms are important for large scale IT systems. For example, in Facebook or WhatsApp, we send some messages to a small set of users and some messages to almost all the users. Thus both should be used efficiently. “Inclusive-Exclusive BE” solves the issue by choosing the smaller of the set of subscribers and the set of revoked users.

Security of broadcast encryption is measured by playing a game between an adversary and a challenger and is classified into three categories: selective, semi-static and adaptive. In selective security, the adversary fixes the target set at the beginning of the game. Thus the adversary is less powerful. In semi-static security, the adversary takes an initial set at the beginning of the game but decides a subset of the initial set as the target set in the challenge phase. The security level of semi-static security lies between the selective and adaptive security models. Adaptive security (also called “full security”), introduced by Gentry et al. [15], is the strongest security model. Here, the adversary decides the target set (that it wants to attack) in the challenge phase only. Thus the adversary is more powerful.

Fig. 1. Multi-Channel Broadcast Encryption.

Consider the following applications where MCBE is useful:
1. During the war, the defense minister wants to send different messages to different groups of soldiers on an urgent basis. The ciphertext header and computation cost will be large if different headers are used for different groups. An MCBE scheme can handle this situation more efficiently.
2. In a factory, the owner needs to send different messages to different groups of workers regularly. An MCBE will be helpful to do this efficiently.
3. Suppose the sports channel ESPN wants to broadcast different national sports of different countries simultaneously. Use of parallel BE will increase storage size, communication bandwidth and computation cost. An MCBE can solve the problem efficiently.

Related work: Broadcast encryption was introduced by Fiat and Naor [14]. After that, different variants of BE have been proposed. Depending on the size of the subscribed and revoked user sets, BE can be divided into subscription based broadcast encryption (e.g. [5]) and revocation based broadcast encryption (e.g. [17]). Depending on the application, BE can be classified into Identity based BE (e.g. [9,25]), Distributed BE (e.g. [26]), Hierarchical BE (e.g. [19]), Anonymous BE (e.g. [18]), Traitor Tracing (e.g. [6,8]), Multi-channel BE (e.g. [3]), Broadcast encryption with personalised messages (e.g. [2,21]) and Broadcast Encryption with dealership (e.g. [1,16]). The first MCBE scheme was proposed by Phan et al. [24] in the symmetric key setting. It uses the scheme of Boneh et al. [5] and generates a header of constant size from which each user can recover the corresponding group key.
The scheme achieves selective security under the $\nu$-Decisional Bilinear Diffie-Hellman Exponent ($\nu$-DBDHE) assumption and has constant secret key and header size and linear public parameter size. Zhao et al. [27] reduced the parameter size by reducing some exponentiations. It has parameter sizes and security similar to Phan et al. [24]. Acharya et al. [3] proposed two constructions in the public key setting. Their first construction achieves semi-static security under the Decisional Bilinear Diffie-Hellman Exponent Sum (DBDHE-sum) assumption and their second construction achieves selective security under the modified square Decisional Diffie-Hellman Exponent (m-Sq-DDHE) assumption, but it needs huge computation cost to achieve outsider-anonymity.

Our contribution: We have designed two multi-channel broadcast encryption schemes in the public key setup. We list our contributions below.
1. Our first construction uses the broadcast encryption of Boneh et al. [5]. The existing constructions of Phan et al. [24], Zhao et al. [27] and Acharya et al. [3] use an extra component in the public parameter to set the group key. Both Phan et al. [24] and Zhao et al. [27] use the broadcast encryption of Boneh et al. [5] and an extra public parameter to construct MCBE schemes in the symmetric key setting. Our first construction using Boneh et al. [5] is in the public key setting and does not use an extra public key component to generate group keys. The scheme achieves selective security in the standard model under the $\nu$-Decisional Bilinear Diffie-Hellman Exponent assumption.
2. The second MCBE construction uses the BE scheme of Phan et al. [23] and achieves the following properties:
(a) It is the first adaptively secure MCBE scheme, whereas [24,27] are selectively secure and [3] is semi-statically secure. Adaptive security is the strongest security model in the broadcast setting.
(b) In addition, it is the first inclusive-exclusive MCBE scheme, in which the broadcaster can choose either the set of subscribed or the set of revoked users (depending on size) at the time of encryption without using two different setups. Hence it reduces the computation cost.
(c) Moreover, it is dynamic in the sense that: (i) the size of the public parameter in setup is independent of the total number of users that can be accommodated in the system; (ii) the addition of a new user does not require updating the existing secret keys; (iii) the ciphertext header does not depend on the number of users in the system. The key extraction algorithm helps new users join the system. No existing multi-channel broadcast encryption scheme supports the dynamic property.
3. Both of our constructions are in the public key setting, similar to Acharya et al. [3]. The other existing MCBE schemes of Phan et al. [24] and Zhao et al. [27] are in the symmetric key setting.
4. Our constructions support the collision resistance property as in the existing schemes. Moreover, the schemes support the revocation property. If a user is revoked, it will not be able to recover the intended message.

Paper organization: In Section 1, we have given the introduction and related work. Section 2 gives the necessary background. In Section 3, we have given our constructions and their security analysis. Section 4 contains the comparison results. We have concluded in Section 5.

2. Background

Notation: Throughout the paper, we will follow the notations of Table 1.

2.1. Multi-channel broadcast encryption

We start with a description of a formal model for an MCBE scheme and the associated algorithms.
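Table 1. Notations.

| Symbol | Meaning |
|---|---|
| $\perp$ | null string |
| $y \in_R S$ | variable $y$ is taken from set $S$ following a uniform distribution |
| $[m]$ | $\{1, \ldots, m\}$ |
| $[m, n]$ | integers from $m$ to $n$ |
| $q$ | prime number |
| $\lvert q \rvert$ | bit size of $q$ |
| $\kappa$ | security parameter ($= \lvert q \rvert$) |
| $\eta$ | number of users in each group |
| $\mu$ | number of groups |
| $\nu$ | total number of users ($= \mu\eta$) |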
Syntax of MCBE: A multi-channel broadcast encryption scheme MCBE = (Setup, KeyExt, Enc, Dec) works as follows.

Setup$(\nu, \kappa) \to (params, mkey)$: The probabilistic algorithm Setup for the private key generator (PKG) creates the public parameter params and a master key mkey. It makes params public and sends mkey to PKG. Here $Gr_1, \ldots, Gr_\mu$ are $\mu$ disjoint sets having $\eta$ elements each and $\nu = \mu\eta$.

KeyExt$(params, mkey, i) \to (skey_i)$: Taking as input params, mkey and a subscribed user $i$, a probabilistic algorithm KeyExt for PKG produces a secret key $skey_i$ of user $i$. The secret key $skey_i$ is given to user $i$ securely.

Enc$(S_1, \ldots, S_\mu, params) \to (CHdr, \{Gkey_i\}_{i=1}^{\mu})$: Using params and the groups of subscribed users $S_1, \ldots, S_\mu$, with each $S_i \subseteq Gr_i$, a probabilistic algorithm Enc for the broadcaster yields a ciphertext header CHdr and a group key $Gkey_i$ for each group $S_i$. It makes the header CHdr public and hands over $\{Gkey_i\}_{i=1}^{\mu}$ to the broadcaster. The group key $Gkey_i$ is useful to encrypt message $msg_i$ using a symmetric encryption scheme. Note that some $S_i$ may be the null set ($\phi$). If $S_i = \phi$ then the broadcaster sets $Gkey_i = \perp$.

Dec$(params, skey_i, CHdr, \{S_i\}_{i=1}^{\mu}) \to (Gkey_u)$: A deterministic algorithm Dec for a subscribed user $i \in S_u$ recovers the corresponding group key $Gkey_u$ using $skey_i$, params, CHdr and the subscribed user sets $S_1, \ldots, S_\mu$.

Correctness: We mention that MCBE is correct if for any subscribed user $i \in S_u$

$$\mathrm{Dec}\big(params, \mathrm{KeyExt}(params, mkey, i), CHdr, \{S_i\}_{i=1}^{\mu}\big) = Gkey_u.$$

Here Setup$(\nu, \kappa) \to (params, mkey)$, Enc$(S_1, S_2, \ldots, S_\mu, params) \to (CHdr, \{Gkey_i\}_{i=1}^{\mu})$.

2.2. Security model

Following Acharya et al. [3], we will explain the security of MCBE in a key indistinguishability game played between a challenger C and an adversary A. Let us assume that both the adversary and the challenger know the groups $\{Gr_i\}_{i=1}^{\mu}$, each having $\eta$ elements. Let $\nu = \eta\mu$.

• Selective IND-CPA Security:

Initialization: The adversary sends recipient sets $S_1, \ldots, S_\mu$ with $S_i \subseteq Gr_i$ and an index $k \le \mu$ to the challenger. Note that some $S_i$ may be $\phi$.
Setup: The challenger generates (params, mkey) by running Setup$(\nu, \kappa)$. It sends params to the adversary and keeps mkey secure to itself.
Query 1: Taking the key generation queries for user $i \in S_\gamma$ from the adversary, the challenger generates the secret key $skey_i$ by executing KeyExt$(params, mkey, i)$ and sends it to the adversary.
Challenge: In this phase, the challenger generates $(CHdr, \{Gkey_i\}_{i=1}^{\mu})$ by running Encrypt$(S_1, \ldots, S_\mu, params)$ and chooses a bit $\delta \in_R \{0, 1\}$. If $\delta = 0$, the challenger sends $(CHdr, \{Gkey_i\}_{i=1}^{\mu})$ to the adversary, where $Gkey_i$ is the session key for $S_i$. Otherwise, the challenger replaces $Gkey_k$, $1 \le k \le \mu$, for the group $S_k$ by a random group element and provides $(CHdr, \{Gkey_i\}_{i=1}^{\mu})$ to the adversary.
Query 2: This is identical to Phase 1.
Guess: The adversary outputs a guess $\delta' \in \{0, 1\}$ of $\delta$ and wins if $\delta' = \delta$.

In this game, adversary A's advantage is defined as

$$Adv^{SCPA}_{A,MCBE} = |2\,\mathrm{Prob}(\delta' = \delta) - 1|.$$

Definition 2.1. We say that MCBE scheme is $(t, \tilde{q}, )$-selective IND-CPA (indistinguishable against chosen plaintext attack) secure if for every $t$-probabilistic polynomial time algorithm (algorithm with running time at most $t$) creating at most $\tilde{q}$ key generation queries $Adv^{SCPA}_{A,MCBE}$ is bounded by .

• Adaptive IND-CPA Security: In adaptive security, there is no Initialization phase and Query 1 does not have any restriction on key extraction queries. The adaptive security game is defined as follows:

Setup: This is similar to the selective IND-CPA game.
Query 1: Taking the key generation queries for user $i$ from the adversary, the challenger generates the secret key $skey_i$ by executing KeyExt$(params, mkey, i)$ and sends it to the adversary.
Challenge: This phase is identical to that of the selective IND-CPA game.
Query 2: This is identical to Phase 1.
Guess: The adversary outputs a guess $\delta' \in \{0, 1\}$ of $\delta$ and wins if $\delta' = \delta$.

In this game, adversary A's advantage is defined as

$$Adv^{ACPA}_{A,MCBE} = |2\,\mathrm{Prob}(\delta' = \delta) - 1|.$$

Definition 2.2. We say that MCBE scheme is $(t, \tilde{q}, )$-adaptive IND-CPA secure if for every $t$-probabilistic polynomial time (PPT) algorithm creating at most $\tilde{q}$ key generation queries $Adv^{ACPA}_{A,MCBE}$ is bounded by .

2.3. Bilinear pairing

Definition 2.3. Let $G_1$ and $G_2$ be two elliptic curve groups of prime order $q$ and $g_1$ be a generator of $G_1$. A bilinear pairing $e : G_1 \times G_1 \to G_2$ has the following properties:
1. $e(g_1^{x}, g_1^{y}) = e(g_1, g_1)^{xy}$, $\forall\, x, y \in Z_q$.
2. If $g_1$ is a generator of $G_1$ then $e(g_1, g_1)$ is a generator of $G_2$.
The tuple $\mathbb{S} = (q, G_1, G_2, e)$ is called a bilinear group system. Here $G_1$ is the source group and $G_2$ is the target group.

2.4. Complexity assumptions

• $l$-Decisional Bilinear Diffie-Hellman Exponent ($l$-DBDHE) Assumption: [12]

Given input $D = (\mathbb{S}, g_1, \{g_1^{\alpha^{u}}\}_{u \in [1,2l] \setminus \{l+1\}})$, $T$, where $\alpha \in_R Z_q$, $T$ is either $g_1^{\alpha^{l+1}}$ or a random element $X \in G_1$. The $l$-DBDHE problem decides whether $T = g_1^{\alpha^{l+1}}$ or not.

Definition 2.4. We say that the $l$-DBDHE problem is $(t, )$ secure if for every $t$-probabilistic polynomial time adversary A, $Adv^{l\text{-}DBDHE}_{A} = |\mathrm{Prob}[A(D, T = g_1^{\alpha^{l+1}}) = 0] - \mathrm{Prob}[A(D, T = X) = 0]|$ is bounded by .

This is the source group variant of [5]. Obviously, if one can decide whether $T = g_1^{\alpha^{l+1}}$ or not in $D, T$, then one can decide whether $T_1 = e(g_1, h_1)^{\alpha^{l+1}}$ or not in instance $D, T_1$. Thus hardness of this source group variant follows.

• Modified Decisional Bilinear Diffie-Hellman Exponent (mDBDHE) Assumption: [2]

Let $O^{y,z}_{g_1,e}$ be an oracle which takes input $(y, z)$ and outputs $w$ such that $e(y, z) = e(g_1, w)$. Let $C, S \subseteq [l]$, $C \cap S = \phi$, and let $y, z$ take the following inputs:
1. $y = g_1^{\alpha^{i}}$ or $g_1^{\beta_i}$ for $i \in C$ and $z = v$.
2. $y = v \prod_{j \in S} g_1^{\alpha^{\nu+1-j}}$ or $g_1^{\beta_j}$ for $j \in S$ and $z = h_1$.

Given input $D = (\mathbb{S}, h_1, g_1, \{g_1^{\alpha^{u}}\}_{u \in [1,2l] \setminus \{l+1\}}, v, \{g_1^{\beta_u}\}_{u \in [l]}, O^{x,y}_{g_1,e})$, $T$, where $h_1, v \in_R G_1$, $\alpha, \{\beta_u\}_{u \in [l]} \in_R Z_q$, $T$ is either $e(g_1, h_1)^{\alpha^{l+1}}$ or a random element $X \in G_2$. The mDBDHE problem decides whether $T = e(g_1, h_1)^{\alpha^{l+1}}$ or not.

Definition 2.5. We say that the mDBDHE problem is $(t, )$ secure if for every $t$-probabilistic polynomial time adversary A, $Adv^{mDBDHE}_{A} = |\mathrm{Prob}[A(D, T = e(g_1, h_1)^{\alpha^{l+1}}) = 0] - \mathrm{Prob}[A(D, T = X) = 0]|$ is bounded by .
3. Construction

3.1. MCBE-I: MCBE with selective security

Our selective secure multi-channel broadcast encryption scheme MCBE-I works as follows:

Setup$(\nu, \kappa) \to (params, mkey)$: Let $\{Gr_x\}_{x=1}^{\mu}$ be $\mu$ groups of users each having $\eta$ members and $\nu = \eta\mu$ be the number of users that can be supported by the system. Let $\mathbb{S} = (q, G_1, G_2, e(\cdot,\cdot))$ be a bilinear group system with prime order $q$. This algorithm for the private key generator PKG picks $\alpha, \gamma \in_R Z_q$ and sets master key $mkey = (\alpha, \gamma)$ and public parameter $params = (\mathbb{S}, v = g_1^{\gamma}, \{g_1^{\alpha^{i}}\}_{i \in [1,2\nu] \setminus \{\nu+1\}})$. It sends mkey to the PKG securely and makes params public.

KeyExt$(params, mkey, i) \to (skey_i)$: The algorithm KeyExt for PKG takes $\gamma \in_R Z_q$ and computes the secret key of user $i \in Gr_u$ as $skey_i$, where

$$skey_i = (skey_{i1}, skey_{i2}) = \Big( (g_1^{\alpha^{i}})^{\gamma},\ \big(g_1^{\sum_{j \in Gr_u, j \neq i} \alpha^{j}}\big)^{\gamma} \Big).$$

The secret key $skey_i$ is given to user $i$ securely.

Enc$(S_1, S_2, \ldots, S_\mu, params) \to (CHdr, \{Gkey_i\}_{i=1}^{\mu})$: Let $S_x \subset Gr_x$, $x \in [\mu]$, be the groups of subscribed users and $S = \bigcup_{x=1}^{\mu} S_x$. The algorithm Enc for the broadcaster works as follows.
1. Takes an integer $s \in_R Z_q$.
2. Extracts $g_1^{\alpha}$, $v$, $\{g_1^{\alpha^{\nu+1-j}}\}_{j \in S}$ from params, and computes $ct_1, ct_2$ as

$$ct_1 = \Big( v \prod_{j \in S} g_1^{\alpha^{\nu+1-j}} \Big)^{s} = g_1^{s(\gamma + \sum_{j \in S} \alpha^{\nu+1-j})}, \qquad ct_2 = g_1^{s}.$$

3. Using $g_1^{\alpha}$, $g_1^{\alpha^{\nu}}$, $v$ available from params, it sets group keys $\{Gkey_u\}_{u \in [\mu]}$ as

$$Gkey_u = e\big(g_1^{\sum_{j \in Gr_u} \alpha^{j}}, v^{s}\big)\, e\big(g_1^{\alpha}, g_1^{\alpha^{\nu}}\big)^{s} = e\big(g_1^{\sum_{j \in Gr_u} \alpha^{j}}, v\big)^{s}\, e\big(g_1^{\alpha}, g_1^{\alpha^{\nu}}\big)^{s} = e\big(g_1^{\sum_{j \in Gr_u} \alpha^{j}}, v\big)^{s}\, e\big(g_1^{\alpha^{\nu+1}}, g_1\big)^{s}.$$

It publishes CHdr $= (ct_1, ct_2)$ and hands over the group keys $\{Gkey_u\}_{u \in [\mu]}$ to the broadcaster. To reduce the computation cost, the broadcaster can compute $e(g_1^{\alpha}, g_1^{\alpha^{\nu}})^{s}$ one time only and reuse it in every group key computation.

Dec$(params, skey_i, CHdr, \{S_i\}_{i=1}^{\mu}) \to (Gkey_u)$: A deterministic algorithm Dec for a subscribed user $i \in S_u$ recovers the corresponding group key $Gkey_u$ using $skey_i$, params, CHdr and the subscribed user sets $S_1, S_2, \ldots, S_\mu$ as follows.
1. Computes

$$e\big(g_1^{\alpha^{\nu+1}}, g_1\big)^{s} = \frac{e\big(g_1^{\alpha^{i}}, ct_1\big)}{e\big(skey_{i1} \cdot \prod_{j \in S, j \neq i} g_1^{\alpha^{\nu+1-j+i}},\ ct_2\big)}.$$

2. Recovers $Gkey_u$ as

$$Gkey_u = e(skey_{i1} \cdot skey_{i2}, ct_2)\, e\big(g_1^{\alpha^{\nu+1}}, g_1\big)^{s}.$$

Correctness: The correctness follows as

$$\frac{e\big(g_1^{\alpha^{i}}, ct_1\big)}{e\big(skey_{i1} \cdot \prod_{j \in S, j \neq i} g_1^{\alpha^{\nu+1-j+i}},\ ct_2\big)} = \frac{e(g_1, g_1)^{s\alpha^{i}(\gamma + \sum_{j \in S} \alpha^{\nu+1-j})}}{e(g_1, g_1)^{s(\alpha^{i}\gamma + \sum_{j \in S, j \neq i} \alpha^{\nu+1-j+i})}} = e(g_1, g_1)^{s\alpha^{\nu+1}} = e\big(g_1^{\alpha^{\nu+1}}, g_1\big)^{s},$$

$$Gkey_u = e(skey_{i1} \cdot skey_{i2}, ct_2)\, e\big(g_1^{\alpha^{\nu+1}}, g_1\big)^{s} = e\big(g_1^{\sum_{j \in Gr_u} \alpha^{j}\gamma}, g_1^{s}\big)\, e\big(g_1^{\alpha^{\nu+1}}, g_1\big)^{s} = e\big(g_1^{\sum_{j \in Gr_u} \alpha^{j}}, v\big)^{s}\, e\big(g_1^{\alpha^{\nu+1}}, g_1\big)^{s}.$$

Performance analysis:
1. Storage: params size is $(2\nu)|G_1|$, $skey_i$ size is $2|G_1|$, where $|G_1|$ = bit size of an element in $G_1$.
2. Communication: Header size $= 2|G_1|$.
3. Computation: The setup phase requires $2\nu$ exponentiations in $G_1$ to compute params; secret key generation needs 2 exponentiations in $G_1$. The encryption phase requires 4 exponentiations in $G_1$ and $\mu+1$ pairings. The decryption phase requires 3 pairings.

Theorem 1. Our MCBE-I achieves selective IND-CPA security under the $\nu$-DBDHE assumption following the security model of Section 2.2.

Proof. We will prove this theorem following the security game of Section 2.2, played between an adversary A and a challenger C. Let the adversary and the challenger have the input of a $\nu$-DBDHE instance $D, T$, where $D = (\mathbb{S}, g_1, \{g_1^{\alpha^{i}}\}_{i \in [1,\nu] \cup [\nu+2, 2\nu]})$, $\alpha \in Z_q$, $\mathbb{S}$ is a bilinear group system of prime order $q$, $g_1$ is a generator of group $G_1$, and $T$ is either $g_1^{\alpha^{\nu+1}}$ or a random element of $G_1$. The challenger tries to solve the instance $D, T$ by playing the following game with the adversary.

Initialization: The adversary selects $S_i \subset Gr_i$, $i \in [\mu]$, and sends $\{S_i\}_{i=1}^{\mu}$ and an index $k$ to the challenger.

Setup: Using $D, T$, the challenger selects $r \in_R Z_q$ and sets $v = g_1^{r} / \prod_{j \in S_k} g_1^{\alpha^{\nu+1-j}}$. It sets public parameter $params = (\mathbb{S}, v, \{g_1^{\alpha^{i}}\}_{i \in [1,2\nu] \setminus \{\nu+1\}})$. Now

$$v = \frac{g_1^{r}}{\prod_{j \in S_k} g_1^{\alpha^{\nu+1-j}}} = g_1^{(r - \sum_{j \in S_k} \alpha^{\nu+1-j})} = g_1^{\gamma} \text{ (say)}.$$

This implicitly sets $mkey = (\alpha, \gamma = r - \sum_{j \in S_k} \alpha^{\nu+1-j})$. It keeps mkey secure and sends params to the adversary.

Query 1: Receiving key generation queries for $i \in Gr_u$, $i \notin S_k$, the challenger computes

$$skey_{i1} = \frac{g_1^{r\alpha^{i}}}{\prod_{j \in S_k} g_1^{\alpha^{\nu+1-j+i}}}, \qquad skey_{i2} = \prod_{j \in Gr_u, j \neq i} skey_{j1}.$$

It returns $skey_i = (skey_{i1}, skey_{i2})$ to the adversary. Note that

$$skey_{i1} = \frac{g_1^{r\alpha^{i}}}{\prod_{j \in S_k} g_1^{\alpha^{\nu+1-j+i}}} = g_1^{(r\alpha^{i} - \sum_{j \in S_k} \alpha^{\nu+1-j+i})} = g_1^{\alpha^{i}(r - \sum_{j \in S_k} \alpha^{\nu+1-j})} = g_1^{\gamma\alpha^{i}} = (g_1^{\alpha^{i}})^{\gamma},$$

$$skey_{i2} = \prod_{j \in Gr_u, j \neq i} skey_{j1} = \big(g_1^{\sum_{j \in Gr_u, j \neq i} \alpha^{j}}\big)^{\gamma}.$$

Challenge: In this phase, the challenger does the following:
1. Selects $s \in_R Z_q$ and sets $ct_2 = g_1^{s} = h_1$ (say).
2. Computes $ct_1 = h_1^{r} \prod_{l=1, l \neq k}^{\mu} \big( \prod_{j \in S_l} g_1^{\alpha^{\nu+1-j}} \big)^{s}$.
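3. For each $i \in Gr_u$, $u \in [1, \mu]$, $u \neq k$, it computes

$$Gkey_u = e(skey_{i1} \cdot skey_{i2}, ct_2)\, e\big(g_1^{\alpha}, g_1^{\alpha^{\nu}}\big)^{s} = e(skey_{i1} \cdot skey_{i2}, ct_2)\, e\big(g_1^{\alpha^{\nu+1}}, g_1\big)^{s}.$$

4. For each $i \in Gr_k$, it computes

$$skey_{i1} = \frac{g_1^{r\alpha^{i}}}{T \prod_{j \in S_k, j \neq i} g_1^{\alpha^{\nu+1-j+i}}}, \qquad skey_{i2} = \prod_{j \in Gr_k, j \neq i} skey_{j1}$$

and sets

$$Gkey_k = e(skey_{i1} \cdot skey_{i2}, ct_2)\, e\big(g_1^{\alpha}, g_1^{\alpha^{\nu}}\big)^{s} = e(skey_{i1} \cdot skey_{i2}, ct_2)\, e\big(g_1^{\alpha^{\nu+1}}, g_1\big)^{s}.$$

5. Sets ciphertext header CHdr $= (ct_1, ct_2)$.
6. Takes $\delta \in_R \{0, 1\}$. If $\delta = 0$, it gives $(CHdr, \{Gkey_u\}_{u \in [\mu]})$; else if $\delta = 1$, it replaces $Gkey_k$ by a random element and returns $(CHdr, \{Gkey_u\}_{u \in [\mu]})$ to the adversary.

Note that

$$\begin{aligned}
ct_1 &= h_1^{r} \prod_{l=1, l \neq k}^{\mu} \Big( \prod_{j \in S_l} g_1^{\alpha^{\nu+1-j}} \Big)^{s} = g_1^{sr} \prod_{l=1, l \neq k}^{\mu} \prod_{j \in S_l} g_1^{s\alpha^{\nu+1-j}} \\
&= \Big( \frac{g_1^{r}}{\prod_{j \in S_k} g_1^{\alpha^{\nu+1-j}}} \Big)^{s} \prod_{l=1}^{\mu} \prod_{j \in S_l} g_1^{s\alpha^{\nu+1-j}} = g_1^{\gamma s} \prod_{l=1}^{\mu} \prod_{j \in S_l} g_1^{s\alpha^{\nu+1-j}} \\
&= g_1^{s(\gamma + \sum_{l=1}^{\mu} \sum_{j \in S_l} \alpha^{\nu+1-j})} = g_1^{s(\gamma + \sum_{j \in S} \alpha^{\nu+1-j})}.
\end{aligned}$$

[Here $S = \bigcup_{l=1}^{\mu} S_l$.]

If $T = g_1^{\alpha^{\nu+1}}$ then

$$skey_{i1} = \frac{g_1^{r\alpha^{i}}}{T \prod_{j \in S_k, j \neq i} g_1^{\alpha^{\nu+1-j+i}}} = g_1^{(r\alpha^{i} - \sum_{j \in S_k} \alpha^{\nu+1-j+i})} = g_1^{\alpha^{i}(r - \sum_{j \in S_k} \alpha^{\nu+1-j})} = g_1^{\gamma\alpha^{i}} = (g_1^{\alpha^{i}})^{\gamma},$$

$$skey_{i2} = \prod_{j \in Gr_u, j \neq i} skey_{j1} = \big(g_1^{\sum_{j \in Gr_u, j \neq i} \alpha^{j}}\big)^{\gamma}.$$

Thus $skey_{i1}$ is identical to the original. Hence $Gkey_k$ is identical to the original one. Thus $ct_1$, $Gkey_k$ are identical to the original construction.

Query 2: This is identical to Query 1.

Guess: In this phase, the adversary A outputs a guess $\delta' \in \{0, 1\}$ of $\delta$. If $\delta' = \delta$, the challenger C outputs 0 to indicate that $T = g_1^{\alpha^{\nu+1}}$; otherwise, it outputs 1 to believe that $T \in_R G_1$.

We define $T = g_1^{\alpha^{\nu+1}}$ as the true event and $T \in_R G_1$ as the random event. Therefore

$$\begin{aligned}
Adv^{\nu\text{-}DBDHE}_{C} &= |\mathrm{Prob}[\delta' = \delta \mid real] - \mathrm{Prob}[\delta' = \delta \mid random]| \\
&= \Big| \mathrm{Prob}[\delta' = \delta \mid true] - \tfrac{1}{2} \Big| \\
&= \Big| \tfrac{1}{2}\big( \mathrm{Prob}[\delta' = 1 \mid \delta = 1 \wedge true] + \mathrm{Prob}[\delta' = 0 \mid \delta = 0 \wedge true] \big) - \tfrac{1}{2} \Big| \\
&= \Big| \tfrac{1}{2} \mathrm{Prob}[\delta' = 1 \mid \delta = 1 \wedge true] - \tfrac{1}{2} \mathrm{Prob}[\delta' = 1 \mid \delta = 0 \wedge true] \Big| \\
&= \tfrac{1}{2} |\mathrm{Prob}[\delta' = 1 \mid \delta = 1 \wedge true] - \mathrm{Prob}[\delta' = 1 \mid \delta = 0 \wedge true]| \\
&= \tfrac{1}{2} |2\,\mathrm{Prob}[\delta' = \delta] - 1| = \tfrac{1}{2} Adv^{SCPA}_{A,MCBE\text{-}I}.
\end{aligned}$$

Hence, the challenger C's advantage of solving the $\nu$-DBDHE problem implies the adversary A's advantage of winning the game. Thus the scheme is secure under the hardness of the $\nu$-DBDHE problem.

3.2. MCBE-II: MCBE with adaptive security

Our adaptively secure multi-channel broadcast encryption scheme MCBE-II is a dynamic MCBE supporting the Inclusive-Exclusive property and works as follows:

Setup$(\nu, \kappa) \to (params, mkey)$: Let $\{Gr_x\}_{x=1}^{\mu}$ be $\mu$ groups of users each having $\eta$ members and $\nu - 1$ (where $\nu = \eta\mu$) be the number of users that can be supported by the system. Let $\mathbb{S} = (q, G_1, G_2, e(\cdot,\cdot))$ be a bilinear group system. This algorithm for the private key generator PKG picks $\alpha, \gamma \in_R Z_q$ and sets master key $mkey = (\alpha, \gamma)$ and public parameter

$$params = \Big(\mathbb{S}, g_1, v = g_1^{\gamma}, \pi_0 = g_1^{\frac{\alpha(\alpha^{\nu} - 1)}{\alpha - 1}}\Big).$$

It sends mkey to the PKG securely and makes params public.

KeyExt$(params, mkey, i) \to (skey_i)$: The algorithm KeyExt for PKG computes $g_1^{\alpha^{j}}$, $j \in \{i, i+1, \nu+1-i, \nu+1+i\}$, for user $i \in Gr_u$. It takes $\beta_j \in_R Z_q$, $j \in [\mu]$, and sets

$$pkey_i = \big(\pi_i = \pi_0^{\alpha^{i}} / g_1^{\alpha^{\nu+1}},\ g_1^{\beta_u},\ g_1^{\alpha^{j}},\ j \in \{i, i+1, \nu+1-i, \nu+1+i\}\big)$$

and the secret key of user $i$ as $skey_i$, where

$$skey_i = (skey_{i1}, skey_{i2}) = \big( (g_1^{\alpha^{i}})^{\gamma},\ (g_1^{\beta_u})^{\gamma} \big).$$

The public parameter params is updated by appending $pkey_i$. The secret key $skey_i$ is given to user $i$ securely.

Enc$(S_1, S_2, \ldots, S_\mu, params) \to (CHdr, \{Gkey_i\}_{i=1}^{\mu})$: Let $S_x \subset Gr_x$, $x \in [\mu]$, be the groups of subscribed users and $S = \bigcup_{x=1}^{\mu} S_x$. The algorithm Enc for the broadcaster works as follows.
1. Takes an integer $s \in_R Z_q$.
2. Extracts $g_1^{\alpha}$, $v$, $\{g_1^{\alpha^{\nu+1-j}}\}_{j \in S}$ from params, and computes $ct_1, ct_2$ or $\widetilde{ct}_1, ct_2$ as

$$ct_1 = \Big( v \prod_{j \in S} g_1^{\alpha^{\nu+1-j}} \Big)^{s} = g_1^{s(\gamma + \sum_{j \in S} \alpha^{\nu+1-j})}, \qquad \widetilde{ct}_1 = \Big( v\, \pi_0 \Big/ \prod_{j \in R} g_1^{\alpha^{\nu+1-j}} \Big)^{s}, \qquad ct_2 = g_1^{s}.$$

Here $R$ is the complement of $S$ in $U = \bigcup_{i=1}^{\mu} Gr_i$. Notice that $\prod_{i=1}^{\nu} g_1^{\alpha^{i}} = g_1^{\frac{\alpha(\alpha^{\nu} - 1)}{\alpha - 1}} = \pi_0$. Thus $\pi_0 / \prod_{j \in R} g_1^{\alpha^{\nu+1-j}} = \prod_{j \in S} g_1^{\alpha^{\nu+1-j}}$.

3. Using $g_1^{\alpha}$, $g_1^{\alpha^{\nu}}$, $v$, $\{g_1^{\beta_u}\}_{u \in [\mu]}$ available from params, it sets group keys $\{Gkey_u\}_{u \in [\mu]}$ as

$$Gkey_u = e\big(g_1^{\beta_u}, v^{s}\big)\, e\big(g_1^{\alpha}, g_1^{\alpha^{\nu}}\big)^{s} = e\big(g_1^{\beta_u}, v\big)^{s}\, e\big(g_1^{\alpha}, g_1^{\alpha^{\nu}}\big)^{s} = e\big(g_1^{\beta_u}, v\big)^{s}\, e\big(g_1^{\alpha^{\nu+1}}, g_1\big)^{s}.$$

It publishes ciphertext header CHdr $= (ct_1, ct_2)$ or $(\widetilde{ct}_1, ct_2)$ and hands over the group keys $\{Gkey_u\}_{u \in [\mu]}$ to the broadcaster. To reduce the computation cost, the broadcaster can compute $e(g_1^{\alpha}, g_1^{\alpha^{\nu}})^{s}$ one time only and reuse it in every group key computation. Note that the broadcaster generates $ct_1$ or $\widetilde{ct}_1$ depending on the size of the subscribed and revoked user sets to reduce the encryption cost.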
Dec$(params, skey_i, CHdr, \{S_i\}_{i=1}^{\mu}) \to (Gkey_u)$: A deterministic algorithm Dec for a subscribed user $i \in S_u$ recovers the corresponding group key $Gkey_u$ using $skey_i$, params, CHdr and the subscribed user sets $S_1, S_2, \ldots, S_\mu$ as follows.
1. Computes $e(g_1^{\alpha^{\nu+1}}, g_1)^{s}$ as

$$e\big(g_1^{\alpha^{\nu+1}}, g_1\big)^{s} = \frac{e\big(g_1^{\alpha^{i}}, ct_1\big)}{e\big(skey_{i1} \cdot \prod_{j \in S, j \neq i} g_1^{\alpha^{\nu+1-j+i}},\ ct_2\big)} \quad \text{or} \quad e\big(g_1^{\alpha^{\nu+1}}, g_1\big)^{s} = \frac{e\big(g_1^{\alpha^{i}}, \widetilde{ct}_1\big)}{e\big(skey_{i1} \cdot \pi_i \big/ \prod_{j \in R} g_1^{\alpha^{\nu+1-j+i}},\ ct_2\big)}.$$

2. Sets $Gkey_u$ as

$$Gkey_u = e(skey_{i2}, ct_2)\, e\big(g_1^{\alpha}, g_1^{\alpha^{\nu}}\big)^{s} = e\big(g_1^{\beta_u\gamma}, g_1^{s}\big)\, e\big(g_1^{\alpha^{\nu+1}}, g_1\big)^{s} = e\big(g_1^{\beta_u}, g_1^{\gamma s}\big)\, e\big(g_1^{\alpha^{\nu+1}}, g_1\big)^{s} = e\big(g_1^{\beta_u}, v\big)^{s}\, e\big(g_1^{\alpha^{\nu+1}}, g_1\big)^{s}.$$

Observe that

$$\Big( \prod_{j \in S, j \neq i} g_1^{\alpha^{\nu+1-j}} \Big)^{\alpha^{i}} = \frac{1}{g_1^{\alpha^{\nu+1}}} \Big( \frac{\pi_0}{\prod_{j \in R} g_1^{\alpha^{\nu+1-j}}} \Big)^{\alpha^{i}} = \frac{\pi_i}{\prod_{j \in R} g_1^{\alpha^{\nu+1-j+i}}} = \prod_{j \in S, j \neq i} g_1^{\alpha^{\nu+1-j+i}}.$$

The correctness of MCBE-II is similar to that of MCBE-I.

Performance analysis:
1. Storage: params size is $(3\nu + \mu + 3)|G_1|$, $skey_i$ size is $2|G_1|$. $|G_1|$ is the bit size of an element in $G_1$.
2. Communication: Header size $= 2|G_1|$.
3. Computation: The setup phase requires $3\nu + \mu + 2$ exponentiations in $G_1$ to compute params; secret key generation needs 2 exponentiations in $G_1$. The encryption phase requires 4 exponentiations in $G_1$ and $\mu+1$ pairings. The decryption phase requires 3 pairings.

Note 1. Our scheme is dynamic as it does not generate $pkey_i$ for each user at the beginning. Instead, it generates $pkey_i$ on requirement and adds it to params. Thus it manages the storage size. Also note that this construction supports the inclusive-exclusive property, as the broadcaster can choose the subscribed or the revoked user set at the time of encryption. Thus it can reduce the computation cost.

Theorem 2. The scheme MCBE-II achieves adaptive IND-CPA security under the hardness of the mDBDHE problem.

Proof. We will prove this theorem following the security game of Section 2.2, played between an adversary A and a challenger C. Let the adversary and the challenger have the input of an mDBDHE instance $D, T$, where $D = (\mathbb{S}, h_1, g_1, \{g_1^{\alpha^{i}}\}_{i \in [1,\nu] \cup [\nu+2, 2\nu]}, v, \{g_1^{\beta_u}\}_{u \in [\mu]}, O^{y,z}_{g_1,e})$, $\alpha, \{\beta_u\}_{u \in [\mu]} \in Z_q$, $\mu \le \nu$, $\mathbb{S}$ is a bilinear group system of prime order $q$, $v, h_1 \in_R G_1$, $g_1$ is a generator of group $G_1$, $T$ is either $e(g_1, h_1)^{\alpha^{\nu+1}}$ or random, and $O^{y,z}_{g_1,e}$ takes input $(y, z)$ and produces $w$ such that $e(y, z) = e(g_1, w)$. Here $y, z$ take values as follows:
1. $y = g_1^{\alpha^{j}}$ or $g_1^{\beta_j}$ for $j \in C$ and $z = v$.
2. $y = v \prod_{j \in S} g_1^{\alpha^{\nu+1-j}}$ or $g_1^{\beta_j}$ for $j \in S$ and $z = h_1$.

Also assume that both the broadcaster and the challenger know the $\mu$ groups of users $\{Gr_x\}_{x=1}^{\mu}$, each having $\eta$ members. Let $\nu = \eta\mu$. The challenger tries to solve the instance $D, T$ by playing the following game with the adversary:

Setup: Employing $D, T$, the challenger computes public parameter $params = (\mathbb{S}, g_1, v = g_1^{\gamma}, \pi_0 = g_1^{\frac{\alpha(\alpha^{\nu} - 1)}{\alpha - 1}})$ and gives it to the adversary. Let $v = g_1^{\gamma}$ for some unknown $\gamma \in Z_q$. It implicitly sets master key $mkey = (\alpha, \gamma)$.

Query 1: Receiving the key generation query from user $i \in Gr_u$, the challenger selects $\beta_u \in_R Z_q$ and sets $pkey_i = (\pi_i = \pi_0^{\alpha^{i}} / g_1^{\alpha^{\nu+1}},\ g_1^{\beta_u},\ g_1^{\alpha^{j}},\ j \in \{i, i+1, \nu+1-i, \nu+1+i\})$ using $D, T$ and makes it public. It stores $i$ in a list of corrupted users $C$, generates $skey_{i1}, skey_{i2}$ by running the oracles $O^{g_1^{\alpha^{i}}, v}_{g_1,e}$, $O^{g_1^{\beta_u}, v}_{g_1,e}$ and returns $skey_i = (skey_{i1}, skey_{i2})$ to the adversary.

As $e(g_1^{\alpha^{i}}, v = g_1^{\gamma}) = e(g_1, skey_{i1}) \Rightarrow skey_{i1} = g_1^{\alpha^{i}\gamma}$ and $e(g_1^{\beta_u}, v = g_1^{\gamma}) = e(g_1, skey_{i2}) \Rightarrow skey_{i2} = g_1^{\gamma\beta_u}$, the values of $skey_{i1}, skey_{i2}$ generated by the challenger are similar to the real scheme.

Challenge: Selecting $S \subseteq U$ $(= \bigcup_{i=1}^{\mu} Gr_i)$ with $S \cap C = \phi$, the adversary sends $S$ to the challenger. The challenger does the following steps:
1. It sets $ct_2 = h_1$, where $h_1$ is taken from the given instance $D, T$. Let $h_1 = g_1^{s}$ for unknown $s \in Z_q$.
2. It calculates $y_1 = v \prod_{j \in S} g_1^{\alpha^{\nu+1-j}}$ (or $y_2 = v\pi_0 / \prod_{j \in R} g_1^{\alpha^{\nu+1-j}}$) and runs $O^{y_1, ct_1}_{g_1,e}$ (or $O^{y_2, ct_1}_{g_1,e}$) to get $ct_1$ (or $\widetilde{ct}_1$). Here $R$ is the complement of $S$ in $U$. Notice that $e(y_1 = v \prod_{j \in S} g_1^{\alpha^{\nu+1-j}}, h_1 = g_1^{s}) = e(g_1, ct_1) \Rightarrow ct_1 = (v \prod_{j \in S} g_1^{\alpha^{\nu+1-j}})^{s}$. Thus $ct_1$ has a distribution similar to the original scheme. Note that the $y_1, y_2$ values are the same but calculated differently.
3. For each $i \in Gr_u$, the challenger does the following:
(a) Runs $O^{g_1^{\beta_u}, h_1}_{g_1,e}$ to get $x = g_1^{s\beta_u}$. Observe that $e(g_1^{\beta_u}, h_1 = g_1^{s}) = e(g_1, x) \Rightarrow x = g_1^{s\beta_u}$.
(b) Computes $Gkey_u, Rkey_u \in G_2$ as $Gkey_u = e(g_1^{s\beta_u}, v)\,T$, $Rkey_u = e(g_1^{s\beta_u}, v)\,R$, where $R \in_R G_2$ and $T$ is extracted from the given instance $D, T$.
4. It sets ciphertext header CHdr $= (ct_1, ct_2)$ or $(\widetilde{ct}_1, ct_2)$.
5. The challenger takes $\delta \in_R \{0, 1\}$. If $\delta = 0$, it gives $(CHdr, \{Gkey_u\}_{u \in [\mu]})$; else if $\delta = 1$, it returns $(CHdr, \{Rkey_u\}_{u \in [\mu]})$ to the adversary.

Note that if $T = e(g_1, h_1)^{\alpha^{\nu+1}}$ then $Gkey_u$ has a distribution similar to the original, as

$$Gkey_u = e\big(g_1^{s\beta_u}, v\big)\,T = e\big(g_1^{s\beta_u}, g_1^{\gamma}\big)\,T = e\big(g_1^{\gamma\beta_u}, g_1^{s}\big)\, e(g_1, h_1)^{\alpha^{\nu+1}} = e(skey_{i2}, ct_2)\, e\big(g_1^{\alpha^{\nu+1}}, g_1^{s}\big).$$

Query 2: This is identical to Query 1 except that the adversary is restricted to query for user $i \notin S$.

Guess: In this phase, the adversary A outputs a guess $\delta' \in \{0, 1\}$ of $\delta$. If $\delta' = \delta$, the challenger C outputs 0 to indicate that $T = e(g_1, h_1)^{\alpha^{\nu+1}}$; otherwise, it outputs 1 to believe that $T \in_R G_2$.

We define $T = e(g_1, h_1)^{\alpha^{\nu+1}}$ as the true event and $T \in_R G_2$ as the random event. Therefore

$$\begin{aligned}
Adv^{mDBDHE}_{C} &= |\mathrm{Prob}[\delta' = \delta \mid true] - \mathrm{Prob}[\delta' = \delta \mid random]| \\
&= \Big| \mathrm{Prob}[\delta' = \delta \mid true] - \tfrac{1}{2} \Big| \\
&= \Big| \tfrac{1}{2}\big( \mathrm{Prob}[\delta' = 1 \mid \delta = 1 \wedge true] + \mathrm{Prob}[\delta' = 0 \mid \delta = 0 \wedge true] \big) - \tfrac{1}{2} \Big| \\
&= \Big| \tfrac{1}{2} \mathrm{Prob}[\delta' = 1 \mid \delta = 1 \wedge true] - \tfrac{1}{2} \mathrm{Prob}[\delta' = 1 \mid \delta = 0 \wedge true] \Big| \\
&= \tfrac{1}{2} |\mathrm{Prob}[\delta' = 1 \mid \delta = 1 \wedge true] - \mathrm{Prob}[\delta' = 1 \mid \delta = 0 \wedge true]| \\
&= \tfrac{1}{2} |2\,\mathrm{Prob}[\delta' = \delta] - 1| = \tfrac{1}{2} Adv^{ACPA}_{A,MCBE\text{-}II}.
\end{aligned}$$

Hence, the challenger C's advantage of solving the mDBDHE problem implies the adversary A's advantage of winning the game. Thus the scheme is secure under the hardness of the mDBDHE problem.
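The decryption equations of MCBE-I (Section 3.1) and the equality of the inclusive and exclusive headers of MCBE-II (Section 3.2) can be checked mechanically. The following is an added example, not code from the paper: it is a toy model that stores a group element g1^a as the exponent a mod q and a pairing as a product of exponents, so it exposes all discrete logarithms and has no security; it only verifies the algebra. The class and method names, the prime, the seed and the sample user sets are assumptions made for the illustration, and all powers g1^(alpha^i) with i different from nu+1 are taken to be public as in MCBE-I.

```python
import random

Q = 2**127 - 1  # prime order q of the toy group (constructed parameter)

def pair(a, b):
    """e(g1^a, g1^b) = e(g1, g1)^(ab), stored as the exponent ab mod q."""
    return a * b % Q

class ToyMCBE:
    """Exponent-only model: the integer a stands for g1^a. No security."""

    def __init__(self, mu, eta, seed=1):
        self.rng = random.Random(seed)          # fixed seed: reproducible sample values
        self.mu, self.eta, self.nu = mu, eta, mu * eta
        self.alpha = self.rng.randrange(2, Q)   # mkey = (alpha, gamma)
        self.gamma = self.rng.randrange(1, Q)
        self.v = self.gamma                     # v = g1^gamma
        # g1^(alpha^i) for i in [1, 2nu] \ {nu+1}; index nu+1 is never published
        self.pw = {i: pow(self.alpha, i, Q)
                   for i in range(1, 2 * self.nu + 1) if i != self.nu + 1}
        # MCBE-II: pi_0 = g1^(alpha (alpha^nu - 1) / (alpha - 1))
        self.pi0 = (self.alpha * (pow(self.alpha, self.nu, Q) - 1)
                    * pow(self.alpha - 1, -1, Q)) % Q

    def group(self, u):                         # Gr_u = {(u-1)eta + 1, ..., u*eta}
        return range((u - 1) * self.eta + 1, u * self.eta + 1)

    def group_of(self, i):
        return (i - 1) // self.eta + 1

    def key_ext(self, i):
        """skey_i = ((g1^(alpha^i))^gamma, (g1^(sum_{j in Gr_u, j != i} alpha^j))^gamma)."""
        rest = sum(self.pw[j] for j in self.group(self.group_of(i)) if j != i)
        return self.pw[i] * self.gamma % Q, rest * self.gamma % Q

    def pi(self, i):
        """MCBE-II pkey part pi_i = pi_0^(alpha^i) / g1^(alpha^(nu+1)), made by the PKG."""
        return (self.pi0 * pow(self.alpha, i, Q) - pow(self.alpha, self.nu + 1, Q)) % Q

    def enc(self, S, exclusive=False, s=None):
        """Return (CHdr, {u: Gkey_u}); S is the union of the subscribed sets S_u."""
        s = self.rng.randrange(1, Q) if s is None else s
        if exclusive:                           # v * pi_0 / prod_{j in R} g1^(alpha^(nu+1-j))
            R = set(range(1, self.nu + 1)) - set(S)
            base = self.v + self.pi0 - sum(self.pw[self.nu + 1 - j] for j in R)
        else:                                   # v * prod_{j in S} g1^(alpha^(nu+1-j))
            base = self.v + sum(self.pw[self.nu + 1 - j] for j in S)
        hdr = (s * base % Q, s)                 # (ct1, ct2)
        k = s * pair(self.pw[1], self.pw[self.nu]) % Q  # e(g1^alpha, g1^(alpha^nu))^s, once
        gkeys = {}
        for u in range(1, self.mu + 1):
            if not any(j in S for j in self.group(u)):
                gkeys[u] = None                 # S_u empty: Gkey_u is the null string
                continue
            gkeys[u] = (s * pair(sum(self.pw[j] for j in self.group(u)), self.v) + k) % Q
        return hdr, gkeys

    def dec(self, i, skey, hdr, S, exclusive=False):
        """Apply the Dec equations for user i to CHdr and the public subscriber set."""
        (ct1, ct2), (sk1, sk2) = hdr, skey
        if exclusive:                           # pi_i / prod_{j in R} g1^(alpha^(nu+1-j+i))
            R = set(range(1, self.nu + 1)) - set(S)
            prod = self.pi(i) - sum(self.pw[self.nu + 1 - j + i] for j in R)
        else:                                   # prod_{j in S, j != i} g1^(alpha^(nu+1-j+i))
            prod = sum(self.pw[self.nu + 1 - j + i] for j in S if j != i)
        k = (pair(self.pw[i], ct1) - pair(sk1 + prod, ct2)) % Q  # e(g1^(alpha^(nu+1)), g1)^s
        return (pair(sk1 + sk2, ct2) + k) % Q


if __name__ == "__main__":
    m = ToyMCBE(mu=3, eta=4)                    # constructed example: 12 users, 3 channels
    S = {1, 2, 6, 7, 8}                         # channel 3 has no subscribers
    hdr, gkeys = m.enc(S)
    print([m.dec(i, m.key_ext(i), hdr, S) == gkeys[m.group_of(i)] for i in sorted(S)])
    print(m.dec(3, m.key_ext(3), hdr, S) == gkeys[1])   # user 3 is not in S
```

For a user outside S the quotient in step 1 of Dec collapses to the identity, so the recovered value differs from the real group key by the factor e(g1^(alpha^(nu+1)), g1)^s; the lookup table also shows that no step ever needs the unpublished power g1^(alpha^(nu+1)).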
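Table 2. Comparative summaries of storage, communication bandwidth and security of MCBE schemes.

| Scheme | $\lvert params \rvert$ | $\lvert skey_i \rvert$ | $\lvert CHdr \rvert$ | Public | Dynamic | Inc-Exc | SM | Assumption |
|---|---|---|---|---|---|---|---|---|
| [24] | $(3\nu-1)\lvert G_1 \rvert$ | $1\lvert G_1 \rvert$ | $2\lvert G_1 \rvert$ | No | No | No | Selective | $\nu$-DBDHE |
| [27] | $(2\nu+\mu-1)\lvert G_1 \rvert$ | $1\lvert G_1 \rvert$ | $2\lvert G_1 \rvert$ | No | No | No | Selective | $\nu$-DBDHE |
| [3], first construction | $(3\nu+\mu+3)\lvert G_1 \rvert$ | $1\lvert G_1 \rvert$ | $2\lvert G_1 \rvert$ | Yes | No | No | Semi-static | DBDHE-sum |
| [3], second construction | $(\nu+2)\lvert G_1 \rvert$ | $\zeta\lvert G_1 \rvert$ | $1\lvert G_1 \rvert + \tau \cdot l$ | Yes | No | No | Selective | m-sq-DDHE |
| MCBE-I | $(2\nu)\lvert G_1 \rvert$ | $2\lvert G_1 \rvert$ | $2\lvert G_1 \rvert$ | Yes | No | No | Selective | $\nu$-DBDHE |
| MCBE-II | $(3\nu+\mu+3)\lvert G_1 \rvert$ | $2\lvert G_1 \rvert$ | $2\lvert G_1 \rvert$ | Yes | Yes | Yes | Adaptive | mDBDHE |

$\lvert params \rvert$ = public parameter size, $\lvert skey_i \rvert$ = secret key size for user $i$, $\lvert CHdr \rvert$ = ciphertext header size, Inc-Exc = Inclusive-Exclusive, SM = security model, $\nu$ = total number of users, $\lvert G_1 \rvert$ = bit size of an element of $G_1$, $\eta$ = number of users in each group ($= 2^{\zeta}$ for some integer $\zeta$), $\nu = \eta\mu$, $\mu$ = number of groups, $l$ = cover size, $\tau$ = size of check bits.

Table 3. Comparison of computation cost for MCBE schemes.

| Scheme | params: # exp | $skey_i$: # exp | Enc: # exp | Enc: # pair | Dec: # exp | Dec: # pair |
|---|---|---|---|---|---|---|
| [24] | $3\nu-1$ in $G_1$ | 1 in $G_1$ | $\mu+1$ in $G_1$, $\mu$ in $G_2$ | $\mu$ | 0 | $1+\mu$ |
| [27] | $2\nu+\mu-1$ in $G_1$ | 1 in $G_1$ | $\mu+1$ in $G_1$, $\mu$ in $G_2$ | $\mu$ | 0 | $1+\mu$ |
| [3], first construction | $3\nu+\mu+2$ in $G_1$ | 1 in $G_1$ | $\nu+\mu+1$ in $G_1$ | 1 | $\nu-1$ in $G_1$ | 2 |
| [3], second construction | $\nu$ in $G_1$ | $\zeta$ in $G_1$ | $l^{2}+l+1$ in $G_1$ | $l$ | 0 | at most $\zeta$ |
| MCBE-I | $2\nu$ in $G_1$ | 2 in $G_1$ | 4 in $G_1$ | $\mu+1$ | 0 | 3 |
| MCBE-II | $3\nu+\mu+2$ in $G_1$ | 2 in $G_1$ | 4 in $G_1$ | $\mu+1$ | 0 | 3 |

params = public parameter, $skey_i$ = secret key of user $i$, Enc = encryption, Dec = decryption, $\nu$ = total number of users, # exp = number of exponentiations, # pair = number of pairings, $\mu$ = number of groups, $\eta = 2^{\zeta}$, $\nu = \eta\mu$, $\eta$ = number of users in each group, $l$ = cover size.

Table 4. Setup and key generation, encryption and decryption time (in seconds) for 1024 users.
Scheme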
Setup and Keygeneneration time
Encryption time
Decryption time
Total no of users
No of subscribers
0.031674 0.034925 0.032442 0.034287
0.013456 0.018722 0.012336 0.014849
1024 1024 1024 1024
256 768 256 768
1.212584 1.193916 1.477429 7.045376 0.021285 0.024280 0.016117 0.016245
1.195437 1.193697 0.003801 0.003896 0.003257 0.006051 0.003390 0.003306
1024 1024 1024 1024 1024 1024 1024 1024
256 768 256 768 256 768 256 768
Private (or Symmetric) Key MCBE [24] [27]
4.381076 4.368832 3.305982 3.278138
Public Key MCBE [3] [3] MCBE-I MCBE-II
4.476871 4.44557 9.881243 9.811708 4.371545 4.423490 4.405963 4.384295
4. Comparison
We have compared our MCBE-I and MCBE-II with existing schemes in Tables 2 and 3. We point out the main findings below:
• The public parameter (params) size of our schemes is linear in the number of users that can be accommodated in the system and thus comparable with existing schemes.
• Our MCBE-I and MCBE-II have constant secret key size, as in [24,27] and the first construction of [3], whereas the second construction of [3] has secret key size log η, where η is the number of users in each group. Similar to [24,27], header size is constant for all our constructions, whereas header size for the second construction of [3] is O(l), where l is the cover size.
• The number of exponentiations in public parameter (params) generation for MCBE-I and MCBE-II is linear in ν, as in existing works. Our constructions need a constant number of exponentiations in secret key generation, whereas the second construction of [3] needs log ν exponentiations. Both of our constructions need 4 exponentiations and μ+1 pairings in the encryption phase, and decryption needs 3 pairings.
• As for online computation, all the other schemes require more exponentiations for encryption, and the second construction of [3] needs more pairings in decryption.
• Schemes MCBE-I and MCBE-II are in the public key setting, as in [3], whereas [24,27] are in the private key setting. Our second scheme, MCBE-II, is dynamic, achieves the inclusive-exclusive property and is secure in the adaptive security model. All of these properties are achieved for the first time in the MCBE framework.
4.1. Implementation and evaluation
We have implemented the MCBE schemes on a desktop with the following specification: Dell with Intel(R) Core(TM) i7-7700, 3.60GHz processor, 8GB memory, and Ubuntu 18.04 operating system, with the assistance of the Pairing-Based Cryptography (PBC) library (version 0.5.12) [20]. The PBC library is a C library which is built above the GNU Math Precision library. We use the elliptic curve group on the supersingular curve y^2 = x^3 + x and the type A pairing [20]. We have implemented each MCBE construction using the total number of users as 1024 (16 groups each having 64 users) and subscribed users as 256 (= one-fourth of the total number of users) and 768 (= three-fourths of the total number of users) respectively, and listed the computation time in Table 4. Our MCBE-II is "inclusive-exclusive" and has similar encryption and decryption cost in both cases (i.e. for 256 and 768 subscribers), as in the second case the number of revoked users (= 1024 − 768 = 256) is smaller and equals the number of subscribed users (= 256) in the first case, and this scheme runs encryption and decryption using the set of revoked users. Table 5 contains the computation cost for 2048 users (16 groups each having 128 users).

Table 5. Setup and key generation, encryption and decryption time (in seconds) for 2048 users.

Scheme        Setup and key generation time   Encryption time   Decryption time   Total no of users   No of subscribers
Private (or Symmetric) Key MCBE
[24]          8.732631                        0.033596          0.016155          2048                512
[24]          8.657272                        0.038682          0.027137          2048                1536
[27]          6.535383                        0.033701          0.013755          2048                512
[27]          6.514055                        0.039438          0.018890          2048                1536
Public Key MCBE
[3] (first)   9.092217                        2.581625          2.561573          2048                512
[3] (first)   8.815979                        2.529902          2.546232          2048                1536
[3] (second)  21.790827                       2.877689          0.004388          2048                512
[3] (second)  21.743959                       13.80912          0.004503          2048                1536
MCBE-I        8.722445                        0.028325          0.005024          2048                512
MCBE-I        8.655142                        0.033935          0.009863          2048                1536
MCBE-II       8.724829                        0.017440          0.004716          2048                512
MCBE-II       8.756536                        0.017562          0.004523          2048                1536

We will first compare our MCBE-I and MCBE-II with existing public key MCBE schemes. Both of our constructions are efficient compared to the first construction of Acharya et al. [3]. Observe that the first construction of Acharya et al. [3] needs more encryption and decryption time as it needs lots of exponentiations. The second construction of [3] needs more computation in the encryption phase due to the requirement of O(l) exponentiations for each cover, where l is the cover size, and it also requires more computation in Setup and Key generation as for each user it needs log η sub keys. Here η gives the number of users in each group. Although decryption is a little more efficient in the second construction of [3], it has huge encryption cost and it also needs much more computation time in Setup and Key generation. Also note that the online computation (encryption and decryption) cost for both our constructions is better than that of existing private (or symmetric) key MCBE schemes ([24,27]).

Remark 1. In the second construction of [3], users lie at the leaf nodes of a complete tree. Therefore the total number of users should be a power of 2. For this reason, we have taken the number of users as a power of 2.

5. Conclusion
We have proposed two MCBE schemes in the public key setting. We have provided detailed security proofs for both of our constructions.
The first construction does not include an extra public parameter to set the group key and achieves selective security against chosen plaintext attack. Our second construction is dynamic, supports the inclusive-exclusive property and acquires adaptive security. None of the existing MCBE schemes supports any of these properties.

Funding
Supported by institute post-doctoral fellowship (file no. NISER/FA/SCOMSPDF105/2018-19/209) of National Institute of Science Education and Research Bhubaneswar, HBNI, India.
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

CRediT authorship contribution statement
Kamalesh Acharya: Conceptualization, Methodology, Software, Writing - original draft, Writing - review & editing.

References
[1] Acharya K, Dutta R. Adaptively secure broadcast encryption with dealership. In: Hong S, Park JH, editors. Proceedings of the Information Security and Cryptology ICISC 2016. Springer International Publishing; 2017. p. 161–77. Cham.
[2] Acharya K, Dutta R. Provable secure constructions for broadcast encryption with personalized messages. In: Okamoto T, Yu Y, Au MH, Li Y, editors. Proceedings of the Provable Security. Springer International Publishing; 2017. p. 329–48. Cham.
[3] Acharya K, Dutta R. Constructions of secure multi-channel broadcast encryption schemes in public key framework. In: Camenisch J, Papadimitratos P, editors. Proceedings of the CANS 2018. Lecture Notes in Computer Science, vol. 11124. Springer; 2018. p. 495–515.
[4] Barth A, Boneh D, Waters B. Privacy in encrypted content distribution using private broadcast encryption. In: Crescenzo GD, Rubin A, editors. Proceedings of the Financial Cryptography and Data Security. Lecture Notes in Computer Science, vol. 4107. Springer Berlin Heidelberg; 2006. p. 52–64.
[5] Boneh D, Gentry C, Waters B. Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Proceedings of the 25th Annual International Conference on Advances in Cryptology, CRYPTO'05. Berlin, Heidelberg: Springer-Verlag; 2005. p. 258–75.
[6] Boneh D, Gentry C, Waters B. A fully collusion resistant broadcast, trace, and revoke system. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS '06. New York, NY, USA: ACM; 2006. p. 211–20.
[7] Boneh D, Waters B, Zhandry M. Low overhead broadcast encryption from multilinear maps. In: Garay J, Gennaro R, editors. Proceedings of the Advances in Cryptology - CRYPTO 2014. Lecture Notes in Computer Science, vol. 8616. Springer Berlin Heidelberg; 2014. p. 206–23.
[8] Chor B, Fiat A, Naor M. Tracing traitors. In: Proceedings of the 14th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO '94. Springer-Verlag; 1994. p. 257–70. London, UK.
[9] Delerablée C. Identity-based broadcast encryption with constant size ciphertexts and private keys. In: Proceedings of the Advances in Cryptology 13th International Conference on Theory and Application of Cryptology and Information Security, ASIACRYPT'07. Berlin, Heidelberg: Springer-Verlag; 2007. p. 200–15.
[10] Delerablée C, Paillier P, Pointcheval D. Fully collusion secure dynamic broadcast encryption with constant-size ciphertexts or decryption keys. In: Takagi T, Okamoto T, Okamoto E, Okamoto T, editors. Proceedings of the Pairing. Lecture Notes in Computer Science, vol. 4575. Springer; 2007. p. 39–59.
[11] Dodis Y, Fazio N. Public key broadcast encryption for stateless receivers. In: Feigenbaum J, editor. Proceedings of the Digital Rights Management. Lecture Notes in Computer Science, 2696. Springer Berlin Heidelberg; 2003. p. 61–80.
[12] ECRYPT II: Final Report on Main Computational Assumptions in Cryptography. http://www.ecrypt.eu.org/ecrypt2/documents/D.MAYA.6.pdf.
[13] Fazio N, Perera I. Outsider-anonymous broadcast encryption with sublinear ciphertexts. In: Fischlin M, Buchmann J, Manulis M, editors. Proceedings of the Public Key Cryptography - PKC 2012. Lecture Notes in Computer Science, 7293. Springer Berlin Heidelberg; 2012. p. 225–42.
[14] Fiat A, Naor M. Broadcast encryption. In: Proceedings of the 13th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO '93. New York, USA: Springer-Verlag; 1994. p. 480–91.
[15] Gentry C, Waters B. Adaptive security in broadcast encryption systems (with short ciphertexts). In: Proceedings of the Advances in Cryptology - EUROCRYPT 2009, 5479. Springer Berlin Heidelberg; 2009. p. 171–88.
[16] Gritti C, Susilo W, Plantard T, Liang K, Wong D. Broadcast encryption with dealership. Int. J. Inf. Secur. 2015:1–13.
[17] Lewko A, Sahai A, Waters B. Revocation systems with very small private keys. In: Proceedings of the IEEE Symposium on Security and Privacy (SP); 2010. p. 273–85.
[18] Libert B, Paterson K, Quaglia E. Anonymous broadcast encryption: Adaptive security and efficient constructions in the standard model. In: Fischlin M, Buchmann J, Manulis M, editors. Proceedings of the Public Key Cryptography PKC 2012. Lecture Notes in Computer Science, vol. 7293. Heidelberg: Springer Berlin; 2012. p. 206–24.
[19] Liu W, Liu J, Wu Q, Qin B. Hierarchical identity-based broadcast encryption. In: Susilo W, Mu Y, editors. Proceedings of the Information Security and Privacy. Lecture Notes in Computer Science, vol. 8544. Springer International Publishing; 2014. p. 242–57.
[20] Lynn B., et al. The pairing-based cryptography library. 2006. Internet: crypto.stanford.edu/pbc/ [Mar. 27, 2013].
[21] Ohtake G, Hanaoka G, Ogawa K. Efficient broadcast encryption with personalized messages. In: Heng SH, Kurosawa K, editors. Provable Security. Berlin, Heidelberg: Springer Berlin Heidelberg; 2010. p. 214–28.
[22] Naor D, Naor M, Lotspiech J. Revocation and tracing schemes for stateless receivers. In: Proceedings of the CRYPTO. Lecture Notes in Computer Science, 5479. Heidelberg: Springer; 2001. p. 41–62.
[23] Phan DH, Pointcheval D, Shahandashti SF, Strefler M. Adaptive CCA broadcast encryption with constant-size secret keys and ciphertexts. Int. J. Inf. Secur. 2013:251–65.
[24] Phan DH, Pointcheval D, Trinh VC. Multi-channel broadcast encryption. In: Chen K, Xie Q, Qiu W, Li N, Tzeng WG, editors. Proceedings of the ASIACCS. ACM Press; 2013. p. 277–86.
[25] Wang XA, Weng J, Yang X, Yang Y. Cryptanalysis of an identity based broadcast encryption scheme without random oracles. Inf Process Lett. 2011;111(10):461–4.
[26] Wu Q, Qin B, Zhang L, Domingo-Ferrer J. Fully distributed broadcast encryption. In: Boyen X, Chen X, editors. Proceedings of the Provable Security. Lecture Notes in Computer Science, vol. 6980. Springer Berlin Heidelberg; 2011. p. 102–19.
[27] Zhao XW, Li H. Improvement on a multi-channel broadcast encryption scheme. Appl. Mech. Mater. 2013;427–429:2163–9.