Secure and Efficient Construction of Broadcast Encryption with Dealership

Abstract

Broadcast encryption with dealership (BED) has been proposed to achieve more innovative and scalable business models for broadcast services. It has an extensive application future. However, designing secure BED is a challenging task. The only known BED construction so far is by Gritti et al. We aim to raise the profile of BED primitives which has not received much attention despite of its importance. This paper presents a selectively chosen plaintext attack (CPA) secure BED scheme supporting maximum number of accountability and privacy (hides the group of users from broadcaster). Our scheme is a key encapsulation mechanism and practically more efficient. It reduces the parameter sizes and computation cost compared to Gritti et al. More interestingly, the broadcaster does not need to rely on users to detect the dishonest dealer. We provide concrete security analysis of our design under reasonable assumptions.

A The BED Construction of [10]

The portions in the following scheme of [10] framed by boxes indicates those terms which were added or modified in transition from the syntax of KEMD as described in Sect. 2.1 to the syntax of BED of [10].

• (\(\textsf {PP}, \textsf {MK}\))\(\leftarrow \) Setup(\(N,\lambda \)): The PKGC chooses a bilinear group system \(\mathbb {S}=(p,\mathbb {G},\) \(\mathbb {G}_1,e)\), where \(\mathbb {G },\mathbb {G}_1\) are groups of prime order p and \(e:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_1\) is a bilinear mapping. Let g be a generator of \(\mathbb {G}\) and \(h\in _R \mathbb {G}\). It selects \(\alpha , \beta ,\gamma \in _R \mathbb {Z}_p\), computes \(u_i=h^{\gamma \alpha ^i},v_i=h^{\gamma \beta \alpha ^i}\) for \(i\in [0,N]\) and sets public parameter \({\textsf {PP}}\) and master key \({\textsf {MK}}\) as

  $$ {\textsf {MK}}=(\alpha , \beta ,\gamma ), {\textsf {PP}}=(\mathbb {S},g,h,e(g^{\gamma }, g),\{u_i\}_{i=0}^{N},\{v_i\}_{i=0}^{N}). $$

• \(({sk_i,\boxed {{\textsf {PK}}_i}})\) \(\leftarrow \) KeyGen(\({\textsf {PP}},{\textsf {MK}},i\)): The PKGC takes \(s_i\in _R \mathbb {{Z}}_p\), \(f_i\in _R \mathbb {G}\) for \(i\in [1,N]\) and generates a secret key for user i as \(sk_i=(d_{i,0},\ldots ,d_{i,N}),\) where \(d_{i,0}=g^{-s_i}, d_{i,i}=g^{\gamma }f_i^{s_i},d_{i,j}=f_j^{s_i}\) for \(i \ne j\). The PKGC additionally generates the public key for user i as \({\textsf {PK}}_i=(x_i+\alpha ,f_i)\) where \(x_i\in _R \mathbb {Z}_p\). It makes \({\textsf {PK}}_i\) public and sends \(sk_i\) to user i securely through a secure communication channel.

• (P(G), k)\(\leftarrow \) GroupGen(\({\textsf {PP}},\boxed {\{{\textsf {PK}}_i\}_{i=1}^{N}}, G\)): A dealer selects a group G of \(k'(\le k)\) users and generates a group token P(G) as

  $$\begin{aligned} P(G)&=(w_1,w_2,w_3,w_4,w_5,w_6)\\&=(u_0^{t_1\prod \limits _{i\in G} (x_i+\alpha )},v_0^{t_1\prod \limits _{i\in G} (x_i+\alpha )},v_{N-k}^{t_1\prod \limits _{i\in G} (x_i+\alpha )},\prod \limits _{i\in G}f_i^{t_2},g^{t_2},e(g^{\gamma }, g)^{t_2}) \end{aligned}$$

  where \(t_1,t_2\in _R \mathbb {Z}_p\), \(u_i, v_i\) are extracted from \(\mathsf {PP}\), \(x_i+\alpha \), \(f_i\) are extracted from \({\textsf {PK}}_i\) for \(i\in [N]\). The dealer sends G to each subscribed user through a secure communication channel.

• (0\(\vee \)1)\(\leftarrow \) KEMD.Verify(\({{P(G)}},{\textsf {PP}},k\)): The broadcaster implicitly verifies that the size of G does not exceed k by checking the pairing \(e(w_2,u_N)=e(w_3,u_k).\) If the verification succeeds, the broadcaster outputs 1 and proceeds; otherwise it outputs 0 and aborts.

• \((\boxed {C})\) \(\leftarrow \) Encrypt(\({{P(G)}},{\textsf {PP}},\boxed {{M}}\)): The broadcaster verifies that \(w_2=w_1^\beta \) by checking \(e(w_1,v_0)=e(w_2,u_0).\) If the verification succeeds the broadcaster generates a ciphertext C using \(P(G)=(w_1,w_2,w_3,w_4,w_5,w_6)\), PP and a message \(M\in \mathbb {G}_1\) as \(C=(C_1,C_2,C_3)=(w_5^r,w_4^r,Mw_6^r)=(g^{rt_2},\prod \limits _{i\in G}f_i^{rt_2},M.e(g^{\gamma }, g)^{rt_2})\) where \(r \in _R \mathbb {Z}_p\).

• \((\boxed {M})\) \(\leftarrow \) Decrypt(\({\textsf { PP}},sk_i,\boxed {C},G\)): User i checks the cardinality of G which he receives from the dealer. If it is greater than k, then user i informs this to the broadcaster. User i retrieves M by coupling \(C=(C_1,C_2,C_3)\) with \(d_{i,j}\)’s extracted from \(sk_i\) as follows:

  $$\begin{aligned} X&=e(d_{i,i}\prod \limits _{j\in G,j\ne i} d_{i,j},C_1) e(d_{i,0},C_2)\\&=e(g^{\gamma }\prod \limits _{j\in G}f_j^{s_i},g^{rt_2})e(g^{-s_i},\prod \limits _{j\in G}f_j^{rt_2})=e(g^{\gamma }, g^{{rt_2}})\\ X&^{-1} C_3=e(g^{\gamma }, g^{{rt_2}})^{-1}M e(g^{\gamma }, g^{{rt_2}})=M. \end{aligned}$$