Efficient Anonymous Broadcast Encryption with Adaptive Security

Abstract

Broadcast encryption is an efficient way to distribute confidential information to a set of receivers using broadcast channel. It allows the broadcaster to dynamically choose the receiver set during each encryption. However, most broadcast encryption schemes in the literature haven't taken into consideration the receiver's privacy protection, and the scanty privacy preserving solutions are often less efficient, which are not suitable for practical scenarios. In this paper, we propose an efficient dynamic anonymous broadcast encryption scheme that has the shortest ciphertext length. The scheme is constructed over the composite order bilinear groups, and adopts the Lagrange interpolation polynomial to hide the receivers' identities, which yields efficient decryption algorithm. Security proofs show that, the proposed scheme is both secure and anonymous under the threat of adaptive adversaries in standard model.

1. Introduction

Broadcast encryption (BE) [1] is a cryptographic primitive that allows a broadcaster to encrypt a message for a dynamic set of users and use a broadcast channel to distribute the ciphertext. Only the users within the set can use their private key to decrypt the message, users outside the set can obtain no confidential information about the encryption, even if all of these users collude. The receiver set is dynamic, i.e., it is selected by the broadcaster at the time of encryption, not at the time of system initialization. This means the broadcaster can select an arbitrary set of users to receive the message during each encryption. This features gives broadcast encryption great flexibility compares to those pre-shared group key communication schemes. Broadcast encryption has many practical applications [21-23], such as the access control in encrypted file systems, digital right management systems for satellite TV and DVD content protection, and secure group communications.

There are two kinds of broadcast encryption, the symmetric key based [1-5] and the public key based [6-9]. In a symmetric key based broadcast encryption system, only the trusted authority that generates all private keys can act as the broadcaster; ordinary users can only receive and decrypt messages, but cannot send messages. However, in a public key based system, anyone who knows the public key can broadcast messages to the receiver set he selects.

Identity-based broadcast encryption (IBBE) [10-12] is a special kind of public key broadcast encryption that it combines identity-based encryption (IBE) with broadcast encryption. In an identity-based broadcast encryption system, the encryption and the decryption are based on receivers’ identities, in which the users in a normal broadcast encryption are usually indexed sequentially from 1 to n. Therefore, the most important difference between broadcast encryption and identity-based broadcast encryption is the number of users in the system. In a normal broadcast encryption system, the size n of the user’s universal set should be determined during the system initialization. When adding a new user, the system’s public key should be updated to include the new user’s information. However, the identity-based broadcast encryption doesn’t need to determine the size of user set, so it can support exponentially many users since users’ identities are merely bit strings of arbitrary length.

The prior works on broadcast encryption have mainly focused on enhancing the system’s efficiency and security properties. Comparatively little attention has been paid to user’s privacy protection. In a standard broadcast encryption system, the receiver set is usually transmitted along with the ciphertext. User can not only examine whether he belongs to the set, but also learn other users’ identities that belong to the same set. For example, in the scheme of Boneh et al. [7], even the one that outside the system can learn the target set, because the decryption algorithm needs the information of the whole set as input to decrypt messages. This is inapplicable for those privacy-sensitive scenarios, since the identities of the users that in the receiver set are often as sensitive as the encrypted content itself.

In a privacy preserving broadcast encryption, user should only able to examine whether himself is in the set, but cannot find any other users’ identities. The first work that considers the privacy problem in broadcast encryption is done by Barth et al. [13]. They introduced the notion of private broadcast encryption scheme, explicitly aimed to protect the identities of the receivers. Barth et al.’s work has subsequently attracted researchers’ attentions to construct more privacy-preserving broadcast encryption schemes [14-16]. However, all existing schemes, no matter identity-based or not, are inefficient in decrypting ciphertexts. In their schemes, the techniques they adopted to hide the receiver’s identity into the ciphertext require the decryption algorithm to try to find the right part in the ciphertext to decrypt the message. That is, they need multiple times decryption attempts to compute the right output. In addition, the security models of the previous solutions, especially the identity-based ones, are all against selective adversaries, which still have room for further improvement.

In this paper, we construct a novel dynamic anonymous identity-based broadcast encryption scheme. In the scheme, everyone can receive the broadcasted ciphertext, but only the receivers selected by the broadcaster can successfully decrypt the message. Besides, one can examine whether himself is in the receiver set, but no one except the broadcaster knows who the other receivers are. Different from those previous constructions, we use Lagrange interpolation polynomial to hide the receivers’ identities. Lagrange interpolation theorem can not only be used in secret sharing and traitor tracing, but also very suitable for identity hiding and restoring, which can be used to construct efficient decryption algorithm. Since the scheme is identity-based, it allows user identity to be arbitrary length bit-string, and supports dynamic joining after the initialization. The scheme is built over the composite order bilinear groups, and is secure and anonymous against adaptive adversaries under the composite decisional Bilinear Diffie- Hellman assumption and the subgroup decision assumption. The main contributions of this paper are:

1. We proposed an efficient dynamic anonymous broadcast encryption scheme. Compared to those existing constructions, the proposed scheme adopts the Lagrange interpolation polynomial to hide the receivers’ identities, which result in a more efficient decryption algorithm.

2. We defined a more rigorous security model to characterize the security threats, and gave the formal mathematical proofs under standard model to claim that our scheme is both secure and anonymous against the adaptive chosen ciphertext attack.

The remainder of this paper is arranged as follows. Section 2 lists a few works in the literature that relate to our topic; section 3 introduces some preliminaries about the backgrounds and complexity assumptions; section 4 gives the formal definitions of the system; section 5 gives the construction of the proposed scheme; the formal security proofs and performance evaluations are given in section 6, and the whole paper is concluded in section 7.

 

2. Related Work

The first work that formally explores the broadcast encryption was done by Fiat el al. [1]. The solution they proposed is secure against a collusion of at most t users and has ciphertext size of O(t log2 t log n), where n is the total number of users. After that, several full collusion resistant broadcast encryption schemes [2,3,6] have been proposed to achieve shorter ciphertext and private keys.

In CRYPTO 2005, Boneh et al. [7] proposed a fully collusion resistant broadcast encryption with constant size ciphertexts and private keys. Their construction is based on the symmetric bilinear maps and the bilinear Diffie-Hellman exponent (BDHE) assumption, and is secure against chosen plaintext attacks (CPA). They also adopted the strongly existentially unforgeable signature scheme to construct a chosen ciphertext attack (CCA) secure scheme. However, both schemes are selectively secure. The work done by Gentry et al. [17] is the first that achieves adaptive CPA security. They proposed two broadcast encryption schemes and two identity-based broadcast encryption schemes; each has constant ciphertext size in random oracle model. Phan et al. [9] modified the first scheme in [7] and proposed a selectively CCA secure scheme with constant size ciphertexts and private keys. They then managed to prove that their scheme is adaptively CCA secure under generalized versions of the BDHE assumption and the knowledge-of-exponent assumption (KEA).

Identity-based broadcast encryption was first studied by Delerablée [10]. They proposed a selectively CPA secure identity-based scheme which has constant size ciphertexts and private keys. Since their solution is identity-based, it can support dynamic user joining without updating the previous keys. Boneh et al. [11] brought the concept of hierarchical IBE (HIBE) and built a broadcast HIBE scheme in standard model. Zhang et al. [12] presented an IBBE scheme using dual encryption technique that achieves adaptive security in standard model using static assumptions.

The above researches on broadcast encryption haven’t taken into consideration the user’s privacy since the decryptions often need the receiver set as the explicit input. The concept of private broadcast encryption was introduced by Barth et al. in [13]. They built two public key based constructions that do not leak any information about the receiver set. Fazio et al. [14] proposed a broadcast encryption scheme with sublinear ciphertext size that achieves receiver anonymity. The receiver’s identity in their scheme is anonymous to the outsider, but not to the ones that in the same receiver set. Libert et al. [15] claimed that the anonymity notion in [14] is weak and is not suit for real-world applications. They gave a formal security definition for anonymous broadcast encryption (ANOBE), which allows the adversary to make adaptive corruptions. The solution they proposed is based on the Kurosawa-Desmedt hybrid encryption scheme [18]. However, this solution uses multiple copies of symmetric ciphertexts as the broadcast body to achieve anonymity. Fan et al. [19] proposed an anonymous multi-receiver identity-based encryption scheme that adopts Lagrange interpolating polynomial mechanism to hide user’s identity. The scheme is only selectively secure in the random oracle model. Hur et al. [16] constructed a privacy-preserving identity-based broadcast encryption scheme, where the ciphertext size is linear in the number of receivers. The scheme is also selectively secure, and needs multiple times decryption attempts to decrypt the ciphertext.

 

3. Preliminaries

We begin by briefly introducing the basic idea of public key broadcast encryption systems. Then we state some preliminaries needed for our construction.

3.1 Public Key Broadcast Encryption System

A public key broadcast encryption system [7] can be seen as a key encapsulation mechanism. It is made up of the following three algorithms.

• Setup(n). A probabilistic algorithm that takes as input the total number of users n, outputs n private keys d1,...,dn and a public key PK.

• Encrypt(PK,S). A probabilistic algorithm that takes as input the public key PK and a subset S ∈ {1,...,n}, outputs a pair (Hdr,K). The Hdr is called the header, and the K is a temporary session key that is for encrypting the message M using standard symmetric encryption. Let CM be the ciphertext of M, then the broadcast consists of (S,Hdr,CM). The pair (S,Hdr) is usually called the full header, and CM is usually called the broadcast body.

• Decrypt(PK, S, i, di, Hdr). A deterministic algorithm that takes as input the public key PK, a target set S ∈ {1,...,n}, a user index i ∈ {1,...,n}, the private key di of user i, and a header Hdr. If i ∈ S, then the algorithm outputs the session key K. User i can use this K to decrypt CM and recover the message M.

This public key broadcast encryption system is correct if for all subsets S ⊆ {1,...,n} and all i ∈ S,

3.2 Composite Order Bilinear Groups

The definition of composite order bilinear groups was first introduced in [20]. Given the security parameter k, an algorithm G generates a tuple (p, q, G, GT, e), where p and q are distinct primes, G and GT are cyclic groups of order n = pq, and e : G × G → GT is a bilinear map such that:

1. (Bilinearity) e(ga, hb) = e(g, h)ab for all g,h ∈ G, a, B ∈ Zn.

2. (Non-degeneracy) ∃g ∈ G such that e(g, g) ≠ 1 and is a generator in GT.

3. (Computability) The group operations in G, GT as well as the map e : G × G → GT can be computed in polynomial time with respect to k.

Let Gp and Gq be the subgroups of order p and q respectively, g be a generator of group G, and gp, gq be the generators of Gp and Gq respectively. Then for any hp ∈ Gp and hq ∈ Gq, e(hp ,hq) is the identity element in GT :

since the order of group GT is n.

3.2.1 The Subgroup Decision Assumption

The subgroup decision problem is defined as follows. Given (n, G, GT, e) and an element x ∈ G, determine whether the order of x is p or otherwise. In other words, without knowing the factorization of the group order n, decide if an element is in a subgroup of G.

An algorithm’s advantage in solving the subgroup decision problem can be defined as the probability Pr[solved] - 1/2. The subgroup decision assumption (SDA) holds if for any probabilistic polynomial time (PPT) algorithm A, the advantage in solving the subgroup decision problem in (n, G, GT, e) is at most negligible.

3.2.2 The Composite Decisional Bilinear Diffie-Hellman Assumption

The composite Decisional Bilinear Diffie-Hellman (DBDH) problem is defined as follows. Given (p, q, G, GT, e) and where gp, gq are random generators of Gp, Gq respectively, α,β,γ are randomly selected from Zn, T ∈ GT. Determine whether the element T equals e(gp, gp)αβγ, or is a random element in GT.

An algorithm’s advantage in solving the composite DBDH problem can be defined as the probability Pr[solved] - 1/2. The composite DBDH assumption holds if for any PPT algorithm A, the advantage in solving the composite DBDH problem in (p, q, G, GT, e) is at most negligible.

3.3 Lagrange Interpolating Polynomial

The Lagrange interpolation method can give a polynomial function that exactly through a number of known points in the two-dimensional plane.

Given n distinct points (x1, y1),..., (xn, yn). Let the n monic polynomials of degree (n - 1) be denoted by

such that

Then the interpolation polynomial can be given by

since

 

4. Definitions

We formally define the proposed scheme’s system model and security models in this section. There are three types of entities in our system: the private key generator (PKG), the broadcaster and the receiver. The following explains the roles of these entities.

1. PKG. The private key generator is a trusted entity in the system that is responsible for system initialization and private key generating. It generates system’s master key and public key, and responds to the joining request to generate private key for each user. We assume the private keys are transferred in secure channel. The PKG doesn’t participate in the encryption and decryption, i.e. it could be offline if there are currently no new users to join.

2. Broadcaster. A broadcaster is a user who sends message. In a public key broadcast encryption system, any user can be the broadcaster and send messages to others. During each broadcast, the broadcaster needs to explicitly specify the receiver set, and then encrypts the message for the set and sends it.

3. Receiver. A receiver is a user who belongs to a target set in a broadcast. He can decrypt the ciphertext using his private key. In the meantime, he is not able to discover who else is in this set.

The broadcaster and the receiver are actually the same kind of users. We divide users into these two types mainly based on their behaviors in a broadcast. A user can be one message’s broadcaster and at the same time be some other message’s receiver.

4.1 System Model

The formal system model of our scheme is defined as follows.

Definition 1. A dynamic anonymous broadcast encryption is a tuple of four polynomial-time algorithms ANOBE = (Setup, Join, Encrypt, Decrypt) such that:

(MSK, PK) ← Setup(1k) : is a probabilistic algorithm run by the PKG that takes as input a security parameter k, outputs a master key MSK and a public key PK.

ski ← Join(MSK, IDi) : is a probabilistic algorithm run by the PKG that takes as input the master key MSK and a user’s identity IDi, outputs a private key ski for this identity.

(Hdr, K) ← Encrypt(PK, S) : is a probabilistic algorithm run by the broadcaster that takes as input the public key PK and a set of user’s id S = {..., IDi,... }, outputs a header Hdr and a session key K.

K ← Decrypt(IDi, ski, Hdr) : is a deterministic algorithm run by the receiver that takes as input a user identity IDi, a private key ski corresponds to this identity, and a header Hdr, outputs a session key K.

At the beginning, the PKG runs the Setup algorithm to generate the master key and the public key. Then for each new user, the PKG runs the Join algorithm to generate a private key for this user according to his identity. This step can be seen as the user’s registration. New user can join at any time, as long as the PKG is online.

Given a message M to be sent, the broadcaster first chooses a receiver set1, and then runs the Encrypt algorithm to output a header Hdr and a session key K. He then uses symmetric encryption to encrypt the message M using the session key K to obtain the ciphertext CM. The final broadcast content is (Hdr, CM).

After receiving (Hdr, CM), a user can run Decrypt algorithm to try to decrypt the header. If he is the receiver, the algorithm can output the right session key; otherwise, the algorithm outputs some other value that cannot be used to decrypt the CM. We observe that the decryption algorithm no longer requires the set S as input.

The dynamic anonymous broadcast encryption is correct if for all sets S and all IDi ∈ S,

4.2 Security Model

Intuitively, a secure anonymous broadcast encryption scheme should meet the following properties.

1. The scheme should be fully collusion resistant. Given a broadcast content, only the users in the receiver set can decrypt the message. Anyone that outside the set cannot recover anything from the ciphertext, even all these users collude.

2. The receivers’ identities should be fully anonymous. Given a broadcast content, anyone should only be able to determine if he is the receiver, but cannot discover any other user’s identity in the receiver set.

We define the chosen-ciphertext attack model for an anonymous broadcast encryption system using attack games between a challenger C and an adversary A. Both challenger and adversary are probabilistic processes that communicate with each other. Compares to the chosen-plaintext attack model, the chosen-ciphertext attack means in a game, the adversary can make additional decryption queries before or after the challenge phase. Our security model is based on those in [15,16]. We refined them by splitting the definition in [15] into two parts (the ciphertext confidentiality and the receiver anonymity), and allow the adversary in the definition in [16] to be adaptive to characterize the security threats more precisely. The adaptive means the adversary could choose the set of identities he wants to attack after the first query phase of the game, which gives the adversary more ability to attack than those selective ones.

In our model, the security goal is ciphertext indistinguishability, i.e., in a game, the adversary is unable to efficiently distinguish the real ciphertext from a random value, therefore cannot win the game with non-negligible advantage.

Based on these notions, we define the scheme’s ciphertext confidentiality, which indicates that an adversary should not able to distinguish a real ciphertext from a random value, even with the ability to query all other users’ private keys. We use the following definition to describe the scheme’s indistinguishability of encryptions under the adaptive chosen-ciphertext attack (IND-ADA-CCA1), where the IND is short for indistinguishability, ADA is short for adaptive, and CCA1 means the first type chosen-ciphertext attack, which the adversary may make decryption queries before the challenge phase.

Definition 2. Given the dynamic ANOBE scheme described in Definition 1, describe A as an adaptive adversary, C as a challenger. Consider the following game:

Setup. The challenger C runs Setup (1k) to generate master key MSK and pubic key PK, and gives the PK to the adversary A.

Phase 1. A can issue at most polynomial times queries to the follow oracles combined in any sequences he chooses:

Challenge. A chooses a set S* of identities that he hasn’t queried the private keys before in phase 1. C runs Encrypt(PK, S*) to encrypt the set S* and obtain a pair (Hdr*, K*). C then chooses a random value b ∈ {0,1}, and set Kb = K*, K1-b = K', where K' is a random element in GT. C then gives (Hdr*, K0, K1) to A.

Phase 2. A issues additional polynomial times joining queries as in phase 1, with the restriction that he cannot issue queries for IDi ∈ S*.

Guess. The adversary A outputs its guess b' for b and wins the game if b' = b.

Define A’s advantage as then the dynamic ANOBE scheme is IND-ADA-CCA1 secure if all probabilistic polynomial time adversaries A have at most negligible advantage in the above game.

We also define the scheme’s receiver anonymity, which requires that, given a ciphertext and two receiver sets, an adversary should not able to distinguish which set is used for the encryption. The following definition describes the scheme’s anonymous indistinguishability of encryptions under the adaptive chosen ciphertext attack (ANON-ADA-CCA1), where ANON stands for the anonymous.

Definition 3. Given the dynamic ANOBE scheme described in Definition 1, describe A as an adaptive adversary, C as a challenger. Consider the following game:

Setup. The challenger C runs Setup(1k) to generate master key MSK and pubic key PK, and gives the PK to the adversary A.

Phase 1. A can issue at most polynomial times queries to the follow oracles combined in any sequences he chooses:

Challenge. A chooses two distinct receiver sets S0 and S1 such that |S0| = S1, with the requirement that he hasn’t queried the private keys for any IDi ∈ S0△S1 = (S0 \ S0) ∪ (S0 \ S0) before. C chooses a random value b ∈ {0,1}, and runs Encrypt(PK, Sb) to encrypt the set Sb and obtain a pair (Hdrb, Kb). C then gives (Hdrb, Kb) to A.

Phase 2. A issues additional polynomial times joining queries as in phase 1, with the restriction that he cannot issue queries for IDi ∈S0△S1.

Guess. The adversary A outputs its guess b' for b and wins the game if b' = b.

Define A’s advantage as then the dynamic ANOBE scheme is ANON-ADA-CCA1 secure if all probabilistic polynomial time adversaries A have at most negligible advantage in the above game.

 

5. The Construction of Dynamic Anonymous Broadcast Encryption

In this section, we present the construction for the anonymous broadcast encryption that achieves receiver privacy. In the construction, we adopt the Lagrange interpolation polynomial mechanism to form the broadcast header. It allows the legitimate receivers to recover their own polynomial values, and then compute the session key using their private keys. The polynomial curve’s smooth nature determines that, once an interpolation polynomial has been formed, the points that generate this polynomial can be hidden naturally.

5.1 Main Idea

The main idea of the construction works as follows. In the system, each user in the receiver set is associated with a point (x, y) . The x coordinate is user’s ID, which is an l -length bit string; the y coordinate is an element in the group that related to the user’s ID (obviously, this is not the usually point in the two-dimensional plane, since the x coordinate is a large number, and the y coordinate is a group element). The y coordinate is not a fixed value; it changes each time in the encryption due to the randomly chosen exponent and factor.

Let (x1,...,xn) be the identities in the receiver set. During an encryption, the broadcaster first selects a random exponent and computes the session key together with each receiver’s y coordinate, and then uses the points ((x1, y1),...,(xn, yn)) to form a polynomial using Lagrange interpolation:

The main purpose is to hide these y values into the polynomial, because only these values can be used for decryption. If one substitute an ID xi ∈ (x1,...,xn) into F(x), he can get the corresponding yi ∈ F(xi). If xi ∉ (x1,...,xn), since the coefficients of the polynomial are all discrete elements in the group, the value F(xi) is unpredictable. This also means, given the F(x), no one can discover the points ((x1, y1),...,(xn, yn)) that form the polynomial. The polynomial F(x) is the main component of the broadcast header.

For each user, there is a corresponding relationship among the y value, the private key and the session key. The session key can be extracted through these values.

The receiver’s identity is confidential to other users. For example, a malicious user may try the polynomial F(x) with other user’s ID. In this case, he may obtain the right y value, but cannot recover the session key, because he doesn’t possess the corresponding private key. Therefore, he cannot distinguish whether the y value he outputs is right, i.e. he cannot determine whether the user he selects is a receiver.

5.2 Explicit Construction

The whole system works upon the composite order bilinear groups, which allow the random pairing factor to be eliminated if the pairing’s inputs are from both subgroups.

The explicit construction is given as follows. For notation convenience, we use both multiplication and addition to represent the group operations. The addition is used to express the polynomial, since the coefficients of the interpolation polynomial are all group elements.

• (MSK,PK)←Setup(1k) :

Let H :{0,1}* → {0,1}l be a hash function that maps user’s identity to an l -length bit string, where l is a polynomially bounded value. We’ll use the hash value ID ∈ {0,1}l to represent user’s identity in the following content.

Choose two large primes p and q with respect to the security parameter k, and generate bilinear pairing parameters (n, G, GT, e) where n = pq is the order of group G and GT. Let Gp and Gq be the subgroups of order p and q respectively, and gp, gq be the generators of Gp and Gq respectively.

Randomly choose Randomly choose R ∈ Gq, and Compute and for 0 ≤ i ≤ l, compute Qi = ui · Ri. Let Q = (Q0, (Q1,..., Ql). Compute and e(g1, g2).

Output the master key public key PK = (gq,Q, Q, e(g1, g2)).

• ski ← Join (MSK, IDi) :

Parse user’s identity IDi as (IDi,1,..., IDi,l), where each IDi,j ∈{0,1}. Randomly choose r ∈ Zn, and compute the private key

• (Hdr, K) ← Encrypt(PK, S) :

Given the public key PK = (gq, Q, Q, e(g1, g2)) and a receiver set S = (ID1,..., ID|S|), proceed as follows.

1. Let xi = IDi for i = 1, 2, ...,|S|, form the polynomial

such that fi (xi) = 1 and fi(xi) = 0.

2. Randomly choose t ∈ Zn, v ∈ Gq, (v1,...,v|S|) ∈ Gq, compute K = e(g1, g2)t, C = v·Qt.

3. For i = 1, 2,...,|S|, compute

4. For i = 1, 2,...,|S|, compute

5. Let Hdr = (T1,...,T|S|, C), and output (Hdr, K).

• K←Decrypt(IDi, ski, Hdr) :

Given IDi, ski = (di,1, di,2) and Hdr = (T1,...,T|S|, C), decrypt the header in the following steps:

1. Let xi = IDi, compute

2. Compute

3. Output K as the session key.

Correctness: The correctness of this scheme is shown as follows.

According to equation (1), for any element hp ∈ Gp and hq ∈ Gp, there always has e(hp, hq) = 1. Thus, in the decryption algorithm,

The tuple (T1,...,T|S|) in the Hdr can be seen as the coefficients of the Lagrange interpolation polynomial F(x), where

such that F(xi) = δi = yi.

5.3 Discussion

A user may not discover whether he is the receiver if only based on the decryption algorithm itself. This is because even a user get a wrong he may continue proceed the algorithm to output a session key K'. At this point, he still couldn’t distinguish whether it’s valid or not. One solution in practical is to encrypt the message together with its checksum to form the broadcast body. The user could try to decrypt the broadcast body using K', and then verify the validity of the decrypted message. If the message is valid, then K' is the right session key, which means this user is the receiver.

The encryption algorithm is a probabilistic algorithm due to the choice of the random elements vi from Gq and exponent t from Zn. This means in the encryption algorithm, one single input may produce a plurality of different valid outputs. Consider the following scenario: given a broadcast header Hdr, the adversary multiplies each component in Hdr with a random element in Gq, and outputs the new Hdr'. According to the decryption algorithm and equation (1), the Gq components in Hdr will be eliminated eventually. This means the Hdr' he outputs is also a valid header, and can be decrypted to recover the same session key. It is the main reason that the security model of our scheme is only CCA1 secure, since the adversary A can easily win the game every time if he can make the Decryption queries in phase 2.

 

6. Analysis

The security proof of the proposed scheme is given in this section. At the same time, the performance and functionality of the proposed scheme are analyzed and compared to the previous anonymous broadcast encryption schemes.

6.1 Security

We prove our scheme’s security in the following subsection. The security is proven through games between a challenger C and an adversary A. The proofs show that our proposed scheme has both ciphertext confidentiality and receiver anonymity against adaptive adversaries under the composite DBDH assumption and the SDA assumption.

6.1.1 Ciphertext Confidentiality

Theorem 1. If the composite DBDH assumption holds, then the proposed dynamic ANOBE scheme is IND-ADA-CCA1 secure.

Proof. The IND-ADA-CCA1 security means that all adversaries have at most negligible advantage in winning the game in Definition 2. We now illustrate that, if there exists a PPT adversary A that can win the game with non-negligible advantage ε, then there exists a PPT challenger C that breaks the composite DBDH assumption with non-negligible advantage. That is, not strictly speaking, the challenger can utilize the adversary’s ability to solve the DBDH problem.

Given the parameters (p, q, G, GT, e) and an DBDH instance the challenger C interacts with the adversary A according to the game in Definition 2, and finally outputs a guess σ, where σ = 1 means T = e(gp, gp)αβγ, σ= 0 means T is a random element. Suppose A can issue up to μ times joining queries and μ' times decryption queries. Let l be the length of user’s identities in bitstrings. The challenger C interacts with A in the following way.

Setup. First, C randomly chooses k ∈ {0,...,l}, and let m = 4μ. It then chooses a vector (v0, v1, ..., vl) ∈ {0,..., m-1}l+1 and a vector uniformly at random. These values are all kept internal to the challenger.

For user’s identity IDi = (IDi,1,..., IDi,l), defines three assistant functions

C then let For 1 ≤ i ≤ l, computes Let U = (u0, u1,..., ul). Then, C randomly chooses R ∈ Gq, and It computes Q = gp·R, and for 0 ≤ i ≤ l, computes Qi = ui·Ri. Let Q = (Q0, Q1,..., Ql). It then computes e(g1, g2). The public key PK = (gq, Q, Q, e(g1, g2)). C gives the public parameter (n, G, GT, e) and PK to the adversary A. From the perspective of A, the distribution of the public parameters is identical to the real construction.

Phase 1. In this phase, A can issue two types queries to C. For the joining queries, C responds in the following way.

Suppose the adversary A issues a query for identity IDi. If K(IDi) = 0, the challenger C aborts the game and outputs a random guess σ. Otherwise, C chooses a random r ∈ Zn, and constructs the private key

This is a valid private key from the perspective of A, because if we let

we have

and This private key is computable if L(IDi) ≠ 0 , which can be implied by K(IDi) ≠ 0 for easy analysis.

For each decryption query (Hdri, Si), C generates the private key for an identity in Si, then runs the decryption algorithm to get the session key Ki and returns it to A.

Challenge. A chooses a set S* of identities that he hasn’t queried the private keys before. C encrypts the set S* in the following way.

For any C aborts the game and outputs a random guess σ. Otherwise, C encrypts it as follows.

1. Let xi = IDi for i = 1,2,...,|S*|, forms the polynomial

such that fi(xi) = 1 and fj(xj) = 0.

2. Randomly chooses v ∈ Gq, (v1,...,v|S*|) ∈ Gq. Let

3. For i = 1,2,...,|S*|, computes

4. For i = 1,2,...,|S*|, computes

5. Let Hdr* = (T1,...,T|S*|, C), and (Hdr*, K*).

If T = e(gp, gp)αβγ, this is a valid ciphertext, since K* = T = e(gp, gp)αβγ = e(g1, g2)γ, and

If the decryption oracle in phase 1 has answered the value K* to A, C aborts the game and outputs a random guess σ. This is because answered the value K* means A has queried (Hdr*, S*) or other valid forms in phase 1. A can easily win the game in this case.

Otherwise, A cannot get any useful information from the decryption oracle. In this case, the challenger C selects a random element K' ∈ GT and a random bit b ∈ {0,1}, sets Kb ∈ K', K1-b = K', and gives (Hdr*, K0, K1) to A.

Phase 2. A issues additional joining queries as in phase 1, with the restriction that he cannot issue queries for IDi ∈ S*.

Guess. A outputs a guess b' for b.

If b' = b, C outputs the guess σ = 1, which means T = e(gp, gp)αβγ. If b' ≠ b, C outputs the guess σ = 0, which means T is a random element in GT.

Analysis. We now analyze the probability that the given DBDH problem can be solved by the challenger.

The game may be aborted before it finishes. If the aborting happens, C has only 1/2 probability to solve the problem. Moreover, if the given T is a random value in GT, the adversary A has no advantage in winning the game, so C also has only 1/2 probability to solve the problem, no matter the game is aborted or not. Therefore the probability

If T = e(gp, gp)αβγ, the probability

where ε is A’s advantage in winning the game.

We now discuss the probability that the game aborts when T = e(gp, gp)αβγ. The abort may happen in three cases. 1) In the joining query, game aborts when K(IDi) = 0. 2) In the challenge phase, game aborts when there exists an IDi such that 3) In the challenge phase, game aborts if the K* equals some former value that the decryption oracle has answered in phase 1.

The first two cases are independent from each other since the identities in the joining query are all different from the identities in the challenge set. So we have

and

The probability of the third case is also independent from the first two cases since the K in the encryption algorithm is only affected by the random exponent t selected from Zn. For a single encryption, the probability that K equals K* is 1/p. Thus we have

Then

Since μ and μ' are polynomially bounded, and l, | S* | are reasonably small values, the probability is non-negligible. Therefore the probability

This indicates that, if ε is non-negligible, the challenger C ’s advantage in solving the composite DBDH problem is also non-negligible. So we have the conclusion that if the composite DBDH assumption holds, then no PPT adversary can win the game with non-negligible advantage. □

6.1.2 Receiver Anonymity

Theorem 2. If the SDA assumption holds, then the proposed dynamic ANOBE scheme is ANON-ADA-CCA1 secure.

Proof. We prove this theorem by describing a sequence of games 0,1,2,⋯ such that Game 0 is the original game in Definition 3, and the last game is the target game that the adversary’s winning probability is equal to 1/2. The transitions between each Game i and Game i + 1 are negligible to all PPT adversaries. Since the number of games is a constant, we can have the conclusion that the adversary’s winning probability in the original game is negligibly close to 1 2. Suppose A can issue up to μ times joining queries and μ' times decryption queries. We define these games as follows.

Game 0. In this game, the challenger C interacts with the adversary A using real algorithms. C first runs Setup(1k) to generate master key MSK and pubic key PK, and gives PK to A. In phase 1, A issues queries to the two oracles. For A’s each query, C runs the corresponding algorithm and sends the result to A. In the challenge phase, C receives A’s sets S0 and S1, chooses a random value b ∈ {0,1}, and encrypts the set Sb to get (Hdrb, Kb). C gives the challenge pair (Hdrb, Kb) to A. In phase 2, C continues responding A’s queries for IDi ∉ S0△S1 by running the algorithm Join(MSK, IDi) . At last, A outputs a bit b' and wins the game if b' = b.

We define S0 be the event that A wins the game in Game 0.

Game 1. We now make one small change to the above Game 0. We define the Game 1 to be the game that the decryption oracle has never answered the Kb in phase 1.

Let S1 be the event that A wins the game in Game 1.

Define F to be the event that C has answered the Kb in phase 1. If F occurs, A may have some advantages to win the game. If F does not occur, A cannot get any useful information from the decryption oracle, at the same time the Game 0 and Game 1 proceed identically, with the same output. That is, we can say that

From the analysis in Theorem 1, we know that for a single encryption, the probability that K equals Kb is 1/p. Since A can issue up to μ' times decryption queries, it is clear that

which is negligible.

Game 2. In this game, we make changes to the way that the set Sb is encrypted in the challenge phase. Let (ID1,..., IDm) ∈ Sb be the elements that aren’t exist in both S0 and S1, i.e., (ID1,..., IDm) = Sb \ (S0 ∩ S1), which 1 ≤ m ≤ |Sb|. For notation convenience, we use{ID1,...,IDm,IDm+1,...,ID|Sb|} to represent the set Sb. In the challenge phase, we add one judgment to the encryption step 3: for i = 1,2,...,|Sb|, if 1 ≤ i ≤ m, the yi is computed in the following way:

otherwise, yi is computed in the normal way.

Let S2 be the event that A wins the game in Game 2. We now claim that A can only distinguish Game 1 from Game 2 with negligible probability.

The ciphertext (Hdrb, Kb) in Game 2 is valid since the modified y1,..., ym are valid forms of the original ones. Given the (Hdrb, Kb), A may substitute an identity IDi he chooses into the interpolation polynomial to get a yi. If IDi ∈ S0 ∩ S1, the yi he gets is the same in both Game 1 and Game 2. If IDi ∈ {ID1,..., IDm}, the yi he gets in Game 2 is the modified one in Gp, and in Game 1 is the original one in group G. If A chooses IDi ∉ S0 ∩ S1 and from the set other than Sb, the yi he gets in the both games are some random-like elements in group G. According to the SDA assumption, A cannot distinguish whether a given element is in group G or in the subgroup Gp. Therefore for each yi ∈ {y1,..., ym}, the difference between Game 1 and Game 2 is at most negligible. Let ε1 be A’s advantage in the SDA assumption, which is negligible, then we have

which is also negligible.

Game 3. We continue making changes to y1,..., ym. In this game’s challenge phase, C assigns m random elements from Gp for y1,..., ym in encryption step 3. Other steps remain unchanged.

Let S3 be the event that A wins the game in Game 3.

The private values (u0, u1,..., ul) are uniformly distributed in group Gp, which are unknown to A. In the two different games, unless the random exponents t in encryption step 2 are the same value, it is hard for A to distinguish the yi in Game 2 from the random yi in game 3. Thus in A’s view, the yi in Game 2 and the yi in Game 3 are indistinguishable. We then have

In Game 3, If A tries IDi ∉ S0∩S1 into the polynomial, no matter IDi is from Sb or not, he’ll get a random element. Moreover, since A cannot issue joining queries for IDi ∈ S0△S1, he cannot distinguish whether the chosen IDi is in Sb by trying to decrypt yi. That is, the ciphertext C outputs contains no extra information about the identities IDi ∈ S0△S1. Then

Finally we have the conclusion that

which is also negligible. □

6.2 Comparison

The scheme’s performance and functionality are analyzed in this subsection, in contrast to previous anonymous broadcast encryption schemes.

We compared our scheme with the schemes in [13-16] in the following aspects: system’s public key length, user’s private key length, ciphertext length and decryption attempts. In the meantime, the functionality features of our scheme are also compared with those previous schemes. The arbitrary sender feature allows any user in the system to broadcast messages, not just the trusted party. The dynamic joining feature allows the user to join the system freely, without the need to update the public key. The identity-based feature means the scheme is based on IBE, in which the user’s identity in the system could be an arbitrary bit string. The indistinguishability level and the security model (random oracle model / standard model) of these schemes are also compared. Table 1 shows the comparison results among our scheme and schemes in [13-16].

Table 1.Comparison with previous anonymous broadcast encryption schemes

As is shown in Table 1, among the previous anonymous broadcast encryption schemes, our proposed scheme only needs single decryption attempt, while the decryption algorithms in [13-16] need to continually try to find the right part in the ciphertext to decrypt the message. Meanwhile, we trade the public key and private key length for the ciphertext length to obtain the least ciphertext length. In comparison with previous schemes, our scheme achieves all these functionalities, and is CCA1 secure against adaptive adversaries in standard model.

 

7. Conclusion

The anonymous broadcast encryption is an important variant of the broadcast encryption schemes. It can effectively protect the receiver’s privacy during the broadcast, which makes it very suitable for those privacy sensitive scenarios.

Compares with the previous schemes, the proposed ANOBE scheme improves the efficiency of the decryption. It needs only one decryption attempt to successfully decrypt the ciphertext. Besides, the ciphertext size in this scheme is the least among those existing schemes. However, despite the least ciphertext size, it is linear in the number of receivers. How to further reduce the ciphertext size is still a challenging problem.

In the future, we will investigate the feasibility of designing schemes with more efficient algorithms to meet practical needs. Moreover, we will give consideration to the security model to achieve the CCA2 security to enhance the scheme’s security features.