fully cca2 secure identity based broadcast encryption without random oracles



Information Processing Letters 109 (2009) 527–533


Fully CCA2 secure identity based broadcast encryption without random oracles

Yanli Ren *, Dawu Gu

Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200240, China

Article info

Article history: Received 16 September 2008; received in revised form 24 January 2009; accepted 27 January 2009; available online 29 January 2009. Communicated by M. Yamashita.

Keywords: Cryptography; Identity based; Broadcast encryption; IND-ID-CCA2 secure; Without random oracles

Abstract

In broadcast encryption schemes, a broadcaster encrypts messages and transmits them to some subset $S$ of users who are listening to a broadcast channel. Any user in $S$ can use his private key to decrypt the broadcast. An identity based cryptosystem is a public key cryptosystem where the public key can be represented as an arbitrary string. In this paper, we propose the first identity based broadcast encryption (IBBE) scheme that is IND-ID-CCA2 secure without random oracles. The public key and ciphertext are constant size, and the private key size is linear in the total number of receivers. To the best of our knowledge, it is the first IBBE scheme that is fully CCA2 secure without random oracles. Moreover, our IBBE scheme is collusion resistant for arbitrarily large collusions of users.

© 2009 Elsevier B.V. All rights reserved.

1. Introduction

The concept of Broadcast Encryption (BE) was introduced by Fiat and Naor in [1]. In a BE scheme, a broadcaster encrypts a message for a subset $S$ of users who are listening to a broadcast channel. Any user in $S$ can use his private key to decrypt the broadcast. The broadcaster can encrypt to any subset $S$ of his choice. A BE scheme is said to be fully collusion resistant when, even if all users that are not in $S$ collude, they can by no means infer information about the broadcast message.

Many BE systems have been proposed [8,13–15]. The best known fully collusion resistant systems are the schemes of Boneh, Gentry and Waters [8], which achieve $O(\sqrt{n})$-size ciphertexts and public key in one construction, or constant size ciphertexts, $O(n)$-size public key and constant size private keys in another. A lot of systems make use of the hybrid encryption paradigm, where the broadcast ciphertext only encrypts a symmetric key that is used to encrypt the broadcast contents. We will adopt this methodology in our scheme. Moreover, all public key BE systems are only secure against static adversaries, which means that the attacker must choose the set he wants to attack before seeing the public parameters. Though any non-adaptive scheme that is $(t, \varepsilon, n)$ secure is also $(t, \varepsilon/2^n, n)$ secure against adaptive adversaries, this reduction is only meaningful for small values of $n$ in practice, where $n$ is the number of all receivers. The concept of Dynamic Broadcast Encryption (DBE) was introduced by Delerablee, Paillier and Pointcheval in [6]. A DBE scheme is a BE in which the total number of users is not fixed in the setup, with the property that any new user can decrypt all previously distributed messages. Thus a DBE scheme is suitable for some applications, like DVD encryption.

* Corresponding author. E-mail address: [email protected] (Y. Ren, D. Gu).

0020-0190/$ – see front matter © 2009 Elsevier B.V. All rights reserved. doi:10.1016/j.ipl.2009.01.017

Shamir proposed the notion of IBE [2] in 1984 as a way to simplify public key and certificate management. Many ID-based schemes have been proposed after that, but practical ID-based encryption schemes were not found until the work of Boneh and Franklin [9] in 2001. Their IBE scheme was based on groups with efficiently computable bilinear maps, but it is only provably secure in the random oracle model. It has been shown that when random oracles are instantiated with concrete hash functions, the resulting scheme may not be secure [16]. Since 2001, several schemes have been introduced [3,4,7,10–12,17]. Almost all of the IBE systems since Boneh–Franklin suffer from long parameters and lossy reductions. Given this state of affairs, several papers [3,8,11] have encouraged work on the open problem of tight security; Waters [3] posed the open problem regarding compact public parameters. In [10], one of the systems has short parameters and a tight security reduction in the standard model, but it is only proved secure against selective-ID adversaries. So Gentry [7] proposed an IBE scheme that is fully secure in the standard model with short public parameters and a tight security reduction, where the ciphertext does not leak the identity of the recipient.

In 2007, Delerablee proposed the first identity based broadcast encryption (IBBE) scheme with constant size ciphertexts and private keys [5]. The construction is a Key Encapsulation Mechanism (KEM), so long messages can be encrypted under a short symmetric key. In this scheme, ciphertexts and private keys are of constant size, and the public key is of size linear in the maximal size of the set of receivers. Moreover, the Private Key Generator (PKG) can dynamically add new members without altering previously distributed information. The scheme achieves IND-sID-CPA security in the random oracle model. The author noted that the scheme can achieve CCA security by making one of the identities in the broadcast set derive from a verification key of a strong signature scheme, and also suggested that one way to remove the random oracle model could be to randomize the private key extraction. An open problem posed there is to construct an IBBE scheme that achieves full security. Until now, there is no IBBE scheme that is fully secure without random oracles with short public key, private keys and ciphertexts.

Our contributions. In this paper, we solve the open problem of [5] and propose an IBBE scheme that is IND-ID-CCA2 secure without random oracles, with constant size public key and ciphertexts. The private key size depends on the total number of users. To the best of our knowledge, this is the first IBBE scheme that is fully secure without random oracles. Moreover, our IBBE scheme is collusion resistant for arbitrarily large collusions of users.

2. Definitions

2.1. Bilinear map

Let $p$ be a large prime number, let $G_1, G_2$ be two groups of order $p$, and let $g$ be a generator of $G_1$. $e : G_1 \times G_1 \to G_2$ is a bilinear map, which satisfies the following properties [3]:

(1) Bilinearity: for all $u, v \in G_1$ and $a, b \in \mathbb{Z}$, $e(u^a, v^b) = e(u, v)^{ab}$.

(2) Non-degeneracy: $e(g, g) \neq 1$.

(3) Computability: there exists an efficient algorithm to compute $e(u, v)$ for all $u, v \in G_1$.

2.2. Complexity assumption

The security of our scheme is based on a complexity assumption that we call the decisional truncated bilinear Diffie–Hellman exponent assumption (TBDHE). It is also called the wBDHI* assumption in [12].

First, we recall the decisional version of the $q$-BDHE problem [12], which is as follows: given a vector of $2q + 2$ elements

$$(g', g, g^{\alpha}, g^{\alpha^2}, \ldots, g^{\alpha^q}, g^{\alpha^{q+2}}, \ldots, g^{\alpha^{2q}}, Z) \in G_1^{2q+1} \times G_2,$$

decide whether $Z = e(g', g)^{\alpha^{q+1}}$. Since the tuple does not contain the term $g^{\alpha^{q+1}}$, the bilinear map does not seem to help decide whether $Z = e(g', g)^{\alpha^{q+1}}$.

Instead, we can use a truncated version of the $q$-BDHE problem, in which the terms $(g^{\alpha^{q+2}}, \ldots, g^{\alpha^{2q}})$ are omitted from the input vector. We call it the $q$-TBDHE problem for convenience. Obviously, any algorithm that solves the $q$-TBDHE problem also solves the $q$-BDHE problem (it simply ignores the extra input terms), whereas the converse need not hold. So we can say that the TBDHE problem is at least as difficult as the BDHE problem.

An algorithm $\mathcal{A}$ that outputs $w \in \{0, 1\}$ has advantage $\varepsilon$ in solving the decision $q$-TBDHE problem if

$$\Big| \Pr\big[\mathcal{A}(g', g, g^{\alpha}, \ldots, g^{\alpha^q}, e(g', g)^{\alpha^{q+1}}) = 0\big] - \Pr\big[\mathcal{A}(g', g, g^{\alpha}, \ldots, g^{\alpha^q}, Z) = 0\big] \Big| \ge \varepsilon,$$

where the probability is over the random choice of generators $g, g' \in G_1$, of $\alpha \in \mathbb{Z}_p^*$, of $Z \in G_2$, and the random bits consumed by $\mathcal{A}$. We refer to the distribution on the left as $P_{\mathrm{TBDHE}}$ and the distribution on the right as $R_{\mathrm{TBDHE}}$.

We say that the decision $(t, \varepsilon, q)$-TBDHE assumption holds in $G_1, G_2$ if no $t$-time algorithm has advantage at least $\varepsilon$ in solving the decision $q$-TBDHE problem in $G_1, G_2$.

2.3. Syntax

An identity based broadcast encryption (IBBE) scheme is a tuple of algorithms described as follows:

Setup($n$). Takes as input the number of receivers $n$ and outputs a master secret key MSK and a public key PK. The PKG is given MSK, and PK is made public.

Key generation(MSK, $ID_i$). Takes as input the master secret key MSK and a user identity $ID_i$, where $i \in \{1, \ldots, n\}$. The PKG generates a private key $d_{ID_i}$ for the user with identity $ID_i$.

Encrypt($S$, PK). Takes as input the public key PK and a set $S \subseteq \{1, \ldots, n\}$ and outputs a pair $(\mathrm{Hdr}, K)$, where $\mathrm{Hdr}$ is called the header and $K \in G_2$ is a message encrypting key. We will often refer to $\mathrm{Hdr}$ as the broadcast ciphertext. Let $M$ be a message to be broadcast to the set $S$ and let $C_M$ be the encryption of $M$ under the symmetric key $K$. The broadcast to users in $S$ consists of $(S, \mathrm{Hdr}, C_M)$. The pair $(S, \mathrm{Hdr})$ is often called the full header and $C_M$ is often called the broadcast body.

Decrypt($S$, $ID_i$, $d_{ID_i}$, $\mathrm{Hdr}$, PK). Takes as input a subset $S \subseteq \{1, \ldots, n\}$, an identity $ID_i$ and the corresponding private key $d_{ID_i}$, a header $\mathrm{Hdr}$, and the public key PK. If $ID_i \in S$, the algorithm outputs the message key $K \in G_2$. The key $K$ can be used to decrypt the broadcast body $C_M$ and obtain the message body $M$.


2.4. Security model

IND-ID-CCA2. We define IND-ID-CCA2 security of an IBBE system. Security is defined using the following game between an adversary $\mathcal{A}$ and a challenger $\mathcal{B}$.

Setup. The challenger runs the Setup($n$) algorithm to obtain a public key PK and gives $\mathcal{A}$ the public key PK.

Phase 1. The adversary $\mathcal{A}$ adaptively issues queries.

Key generation query ($ID_i$): The challenger runs the Key generation algorithm on $ID_i$ and forwards the resulting private key to the adversary.

Decryption query, which consists of a triple $(ID_i, S, \mathrm{Hdr})$: The challenger responds with Decrypt($S$, $ID_i$, $d_{ID_i}$, $\mathrm{Hdr}$, PK).

Challenge. $\mathcal{A}$ sends $(S^*, K_0, K_1)$ to $\mathcal{B}$, where $S^* \subseteq \{1, \ldots, n\}$ and the private keys of the identities in $S^*$ have never been queried in Phase 1.

The challenger randomly chooses $w \in \{0, 1\}$ and runs algorithm Encrypt to obtain $(\mathrm{Hdr}^*, K_w)$. It then gives $\mathrm{Hdr}^*$ to adversary $\mathcal{A}$.

Phase 2. $\mathcal{A}$ issues additional queries as follows:

Key generation query ($ID_i$), where $ID_i \notin S^*$.

Decryption query $(ID_i, S^*, \mathrm{Hdr})$ with $\mathrm{Hdr} \neq \mathrm{Hdr}^*$, for any identity $ID_i$ of $S^*$.

In both cases, $\mathcal{B}$ responds as in Phase 1. These queries may be adaptive.

Guess. Finally, the adversary outputs a guess $w' \in \{0, 1\}$ and wins if $w = w'$.

We call an adversary $\mathcal{A}$ in the above game an IND-ID-CCA2 adversary. The advantage of $\mathcal{A}$ is defined as $|\Pr[w' = w] - \tfrac{1}{2}|$.

Definition. An IBBE system is $(t, \varepsilon, q_k, q_d)$ IND-ID-CCA2 secure if all $t$-time IND-ID-CCA2 adversaries making at most $q_k$ key generation queries and at most $q_d$ decryption queries have advantage at most $\varepsilon$ in winning the above game.

3. Our IBBE scheme

3.1. Set up

Let $G_1, G_2$ be defined as above, and let $g$ be a generator of $G_1$. Set $g_1 = g^{\alpha}$, where $\alpha \in \mathbb{Z}_p^*$ is a random number. $e : G_1 \times G_1 \to G_2$ is a bilinear map, and $h : \mathbb{Z}_p^* \times \{1, 2, \ldots, n\} \to \mathbb{Z}_p^*$ and $H : G_1^2 \times G_2^t \to \mathbb{Z}_p^*$ are collision-resistant hash functions, where $t \in \mathbb{Z}_p^*$. The PKG randomly chooses $g_2, g_3, h_i \in G_1$ ($i = 0, 1, 2$) and $f(x) = ax + b$, where $a, b \in \mathbb{Z}_p^*$. If $g_2 = g_3^{-a}$ or $h_0 = g_3^{-b}$, choose another $f(x)$. The public parameters are $(g, g_1, g_2, g_3, h_0, h_1, h_2, f(x), h, H)$, and $\alpha$ is the private key of the PKG.

3.2. Key generation

For a user $U$ with identity $ID_i \in \mathbb{Z}_p^*$, the PKG randomly chooses $r_i, r'_i \in \mathbb{Z}_p^*$ and computes

$$d_i = \big(h_0\, g_2^{r'_i}\, g_3^{f(r'_i)}\big)^{\alpha} \big(h_2^{h(ID_i, i)} h_1^{ID_i}\big)^{r_i}, \qquad d_{-1} = r'_i,$$

$$d_0 = g^{r_i}, \qquad d_j = \big(h_2^{h(ID_j, j)} h_1^{ID_j}\big)^{r_i} \quad (j \in \{1, \ldots, n\},\ j \neq i),$$

so the private key of $U$ is $d = (d_{-1}, d_0, d_1, \ldots, d_n)$. If $h_0\, g_2^{r'_i}\, g_3^{f(r'_i)} = 1$, randomly choose $r'_i$ again.

3.3. Encrypt

To broadcast a message to a set $S \subseteq \{1, \ldots, n\}$, randomly choose $s \in \mathbb{Z}_p^*$, $K \in G_2$, and compute

$$c_1 = \prod_{i \in S} \big(h_2^{h(ID_i, i)} h_1^{ID_i}\big)^{s}, \qquad c_2 = g^{s}, \qquad c_3 = e(g_1, g_2)^{s},$$

$$c_4 = e(g_1, g_3)^{s}, \qquad c_5 = K \cdot e(g_1, h_0)^{s + \gamma},$$

$$\beta = H\big(c_1, c_2, c_3, c_4, c_5,\ K \cdot e(g_1, h_0)^{s}\big), \qquad \text{where } \gamma = H\big(c_1, c_2, c_3, c_4,\ e(g_1, h_0)^{s}\big).$$

Then the ciphertext is $(\mathrm{Hdr}, S)$, where $\mathrm{Hdr} = (c_1, c_2, c_3, c_4, c_5, \beta)$. Then $K$ is used to encrypt the message.

3.4. Decrypt

The receiver in $S$ with identity $ID_i$ computes

$$\frac{e\big(c_2,\ d_i \cdot \prod_{j \in S,\, j \neq i} d_j\big)}{c_3^{d_{-1}} \cdot c_4^{f(d_{-1})} \cdot e(c_1, d_0)} = e(g_1, h_0)^{s}, \qquad c_5 / e(g_1, h_0)^{\gamma} = R,$$

where $\gamma = H(c_1, c_2, c_3, c_4, e(g_1, h_0)^{s})$.

Then he computes $\beta' = H(c_1, c_2, c_3, c_4, c_5, R)$ and verifies whether $\beta' = \beta$. If the equation holds, he outputs $R / e(g_1, h_0)^{s} = K$. Otherwise, the receiver returns an error message.

4. Analysis of the IBBE scheme

4.1. Correctness

$$\frac{e\big(c_2,\ d_i \cdot \prod_{j \in S,\, j \neq i} d_j\big)}{c_3^{d_{-1}} \cdot c_4^{f(d_{-1})} \cdot e(c_1, d_0)} = \frac{e\Big(g^{s},\ \big(h_0\, g_2^{r'_i}\, g_3^{f(r'_i)}\big)^{\alpha} \prod_{j \in S}\big(h_2^{h(ID_j, j)} h_1^{ID_j}\big)^{r_i}\Big)}{c_3^{r'_i} \cdot c_4^{f(r'_i)} \cdot e\Big(\prod_{j \in S}\big(h_2^{h(ID_j, j)} h_1^{ID_j}\big)^{s},\ g^{r_i}\Big)}$$

$$= \frac{e\Big(g^{s},\ \big(h_0\, g_2^{r'_i}\, g_3^{f(r'_i)}\big)^{\alpha}\Big)}{e(g_1, g_2)^{s r'_i} \cdot e(g_1, g_3)^{s f(r'_i)}} = e(g_1, h_0)^{s},$$

$$\gamma = H\big(c_1, c_2, c_3, c_4, e(g_1, h_0)^{s}\big), \qquad c_5 / e(g_1, h_0)^{\gamma} = K \cdot e(g_1, h_0)^{s} = R,$$

$$\beta' = H(c_1, c_2, c_3, c_4, c_5, R) = \beta, \qquad R / e(g_1, h_0)^{s} = K.$$


4.2. Indistinguishability of the ciphertext

Theorem 1. Assume that the $(t', \varepsilon', q)$-TBDHE assumption holds in $G_1, G_2$. Then the IBBE scheme is $(t, \varepsilon, q_k, q_d)$ IND-ID-CCA2 secure for $t = t' - O(t_{\mathrm{exp}} \cdot qn) - O(t_{\mathrm{pair}} \cdot q)$, $\varepsilon = \varepsilon' + 1/(p - 1)$, $q_k + q_d \le q - 1$, where $t_{\mathrm{exp}}, t_{\mathrm{pair}}$ are the average times required for an exponentiation and a pairing in $G_1, G_2$, respectively.

Proof. Assume $\mathcal{A}$ is an IND-ID-CCA2 adversary as described above. We construct an algorithm $\mathcal{B}$ that solves the $q$-TBDHE problem as follows. At the outset of the game, $\mathcal{B}$ is given a vector $(g', g, g^{\alpha}, \ldots, g^{\alpha^q}, Z) \in G_1^{q+2} \times G_2$ and must decide whether $Z = e(g', g)^{\alpha^{q+1}}$.

Set up. $\mathcal{B}$ randomly chooses $f_1(x), f_2(x), f_3(x) \in \mathbb{Z}_p^*[x]$ of degree $q$, where $f_1(x) = \sum_{k=0}^{q} a_k x^k$, $f_2(x) = \sum_{k=0}^{q} b_k x^k$, $f_3(x) = \sum_{k=0}^{q} c_k x^k$. Let

$$g_1 = g^{\alpha}, \quad h_0 = g^{f_1(\alpha)}, \quad g_2 = g^{f_2(\alpha)}, \quad g_3 = g^{f_3(\alpha)}, \quad f(x) = -\frac{b_q}{c_q}\, x - \frac{a_q}{c_q}, \quad h_1 = g^{u_1}, \quad h_2 = g^{u_2},$$

where $u_1, u_2 \in \mathbb{Z}_p^*$ are random numbers (all of $h_0, g_2, g_3$ can be computed from $g, g^{\alpha}, \ldots, g^{\alpha^q}$ without knowing $\alpha$). If $g_2 = g_3^{b_q/c_q}$ or $h_0 = g_3^{a_q/c_q}$, randomly choose $f_1(x), f_2(x), f_3(x)$ again. Then $\mathcal{B}$ sends the public parameters $(g, g_1, g_2, g_3, h_0, h_1, h_2, f(x))$ to $\mathcal{A}$. Observe that from the viewpoint of the adversary, the distribution of these public parameters is identical to the real construction, since $f_1(x), f_2(x), f_3(x), u_1, u_2$ are randomly chosen.

Phase 1. The adversary A adaptively issues queries.

Key generation query. $\mathcal{A}$ sends identity $ID_i$ to $\mathcal{B}$. If $ID_i = \alpha$, $\mathcal{B}$ uses $\alpha$ to solve the $q$-TBDHE problem immediately. Otherwise, $\mathcal{B}$ randomly chooses $r_i, r'_i \in \mathbb{Z}_p^*$ and computes

$$d_i = \Big(g^{\sum_{k=0}^{q-1} (a_k + r'_i b_k + f(r'_i)\, c_k)\,\alpha^{k+1}}\Big) \cdot \big(h_2^{h(ID_i, i)} h_1^{ID_i}\big)^{r_i},$$

$$d_{-1} = r'_i, \qquad d_0 = g^{r_i}, \qquad d_j = \big(h_2^{h(ID_j, j)} h_1^{ID_j}\big)^{r_i} \quad (j \in \{1, \ldots, n\},\ j \neq i).$$

So $d_{ID_i} = (d_{-1}, d_0, d_1, \ldots, d_n)$. If $h_0\, g_2^{r'_i}\, g_3^{f(r'_i)} = 1$, randomly choose $r'_i$ again. Note that the exponent of the first factor of $d_i$ only involves $\alpha, \ldots, \alpha^q$, so $\mathcal{B}$ can compute it from its input. It is a valid private key, because

$$f(r'_i) = -\frac{b_q}{c_q}\, r'_i - \frac{a_q}{c_q}, \qquad a_q + r'_i b_q + f(r'_i)\, c_q = 0,$$

$$g^{\sum_{k=0}^{q-1} (a_k + r'_i b_k + f(r'_i)\, c_k)\,\alpha^{k+1}} = g^{\sum_{k=0}^{q} (a_k + r'_i b_k + f(r'_i)\, c_k)\,\alpha^{k+1}} = \big(g^{f_1(\alpha)} \cdot g^{r'_i f_2(\alpha)} \cdot g^{f(r'_i) f_3(\alpha)}\big)^{\alpha} = \big(h_0\, g_2^{d_{-1}}\, g_3^{f(d_{-1})}\big)^{\alpha},$$

$$d_i = \big(h_0\, g_2^{d_{-1}}\, g_3^{f(d_{-1})}\big)^{\alpha} \cdot \big(h_2^{h(ID_i, i)} h_1^{ID_i}\big)^{r_i}.$$

Therefore, $d_{ID_i}$ is randomly distributed because of the randomness of $r_i, r'_i$.

Decryption query. $\mathcal{A}$ sends $(ID_i, S, \mathrm{Hdr})$ to $\mathcal{B}$. If $i \in S$, $\mathcal{B}$ first executes the key generation query for identity $ID_i$ as above, then verifies and decrypts $\mathrm{Hdr}$ with the private key of identity $ID_i$ according to the Decrypt algorithm. Otherwise, $\mathcal{B}$ returns an error message.

Challenge. $\mathcal{A}$ sends $(S^*, K_0, K_1)$ to $\mathcal{B}$, where $S^* \subseteq \{1, \ldots, n\}$ and the private keys of the identities in $S^*$ have never been queried in Phase 1.

$\mathcal{B}$ randomly chooses $w \in \{0, 1\}$ and computes

$$c_1^* = (g')^{\sum_{i \in S^*} u_2\, h(ID_i, i) + u_1\, ID_i}, \qquad c_2^* = g',$$

$$c_3^* = Z^{b_q} \cdot e(g', g)^{\sum_{k=0}^{q-1} b_k \alpha^{k+1}}, \qquad c_4^* = Z^{c_q} \cdot e(g', g)^{\sum_{k=0}^{q-1} c_k \alpha^{k+1}},$$

$$c_5^* = K_w \cdot \frac{e\big(c_2^*,\ d_i^* \cdot \prod_{j \in S^*,\, j \neq i} d_j^*\big)}{(c_4^*)^{f(d_{-1}^*)} \cdot (c_3^*)^{d_{-1}^*} \cdot e(d_0^*, c_1^*)} \cdot e(g_1, h_0)^{\gamma^*},$$

$$\beta^* = H\big(c_1^*, c_2^*, c_3^*, c_4^*, c_5^*,\ c_5^* / e(g_1, h_0)^{\gamma^*}\big),$$

where

$$\gamma^* = H\Big(c_1^*, c_2^*, c_3^*, c_4^*,\ \frac{e\big(c_2^*,\ d_i^* \cdot \prod_{j \in S^*,\, j \neq i} d_j^*\big)}{(c_4^*)^{f(d_{-1}^*)} \cdot (c_3^*)^{d_{-1}^*} \cdot e(d_0^*, c_1^*)}\Big),$$

and $d^*_{ID_i} = (d_{-1}^*, d_0^*, \ldots, d_n^*)$ is a private key of an identity $ID_i^*$ in $S^*$, generated by $\mathcal{B}$ as in the key generation query. For any private key of $ID_i^*$,

$$\frac{e\big(c_2^*,\ d_i^* \cdot \prod_{j \in S^*,\, j \neq i} d_j^*\big)}{(c_4^*)^{f(d_{-1}^*)} \cdot (c_3^*)^{d_{-1}^*} \cdot e(d_0^*, c_1^*)} = Z^{a_q} \cdot e(g', g)^{\sum_{k=0}^{q-1} a_k \alpha^{k+1}}.$$

Therefore, $\mathcal{B}$ cannot decide whether $Z = e(g', g)^{\alpha^{q+1}}$ even if he can generate multiple random decryption keys for $ID_i^*$. Then $\mathcal{B}$ sends $(\mathrm{Hdr}^*, S^*)$ to $\mathcal{A}$, where $\mathrm{Hdr}^* = (c_1^*, c_2^*, c_3^*, c_4^*, c_5^*, \beta^*)$.

Let $s^* = \log_g g'$. If $Z = e(g', g)^{\alpha^{q+1}}$, then

$$c_1^* = (g')^{\sum_{i \in S^*} u_2\, h(ID_i, i) + u_1\, ID_i} = \prod_{i \in S^*} \big(h_2^{h(ID_i, i)} h_1^{ID_i}\big)^{s^*},$$

$$c_3^* = Z^{b_q} \cdot e(g', g)^{\sum_{k=0}^{q-1} b_k \alpha^{k+1}} = e\big(g', g^{f_2(\alpha)}\big)^{\alpha} = e(g_1, g_2)^{s^*},$$

$$c_4^* = Z^{c_q} \cdot e(g', g)^{\sum_{k=0}^{q-1} c_k \alpha^{k+1}} = e\big(g', g^{f_3(\alpha)}\big)^{\alpha} = e(g_1, g_3)^{s^*},$$

$$c_2^* = g' = g^{s^*},$$

$$\frac{e\big(c_2^*,\ d_i^* \cdot \prod_{j \in S^*,\, j \neq i} d_j^*\big)}{(c_4^*)^{f(d_{-1}^*)} \cdot (c_3^*)^{d_{-1}^*} \cdot e(d_0^*, c_1^*)} = e(g_1, h_0)^{s^*},$$

$$c_5^* = K_w \cdot e(g_1, h_0)^{s^* + \gamma^*}, \qquad \beta^* = H\big(c_1^*, c_2^*, c_3^*, c_4^*, c_5^*,\ K_w \cdot e(g_1, h_0)^{s^*}\big),$$

where $\gamma^* = H(c_1^*, c_2^*, c_3^*, c_4^*, e(g_1, h_0)^{s^*})$.

Therefore, $(\mathrm{Hdr}^*, S^*)$ is a valid ciphertext for $K_w$ under the randomness $s^*$. Since $\log_g g'$ is uniformly random, $s^*$ is uniformly random, and so $\mathrm{Hdr}^*$ is a valid, appropriately-distributed challenge to $\mathcal{A}$.


Phase 2. $\mathcal{A}$ issues additional queries as in Phase 1:

Key generation query ($ID_i$), where $ID_i \notin S^*$.

Decryption query $(ID_i, S^*, \mathrm{Hdr})$ with $\mathrm{Hdr} \neq \mathrm{Hdr}^*$, for any identity $ID_i$ of $S^*$.

In both cases, $\mathcal{B}$ responds as in Phase 1. These queries may be adaptive.

Guess. $\mathcal{A}$ submits a guess $w' \in \{0, 1\}$. If $w' = w$, $\mathcal{B}$ outputs 0 (indicating that $Z = e(g', g)^{\alpha^{q+1}}$); otherwise, it outputs 1.

Probability analysis

Lemma 1. When $Z$ is sampled according to $P_{\mathrm{TBDHE}}$, the joint distribution of $\mathcal{A}$'s view and the bit $w$ is indistinguishable from that in the actual construction, except with probability $1/(p - 1)$.

Proof. When $\mathcal{B}$'s input is sampled from $P_{\mathrm{TBDHE}}$, $\mathcal{B}$'s simulation appears perfect to $\mathcal{A}$ if $\mathcal{A}$ makes only key generation queries. $\mathcal{B}$'s simulation still appears perfect if $\mathcal{A}$ makes decryption queries only on identities for which it queries the private key, since $\mathcal{B}$'s responses give $\mathcal{A}$ no additional information. Furthermore, querying well-formed ciphertexts to the decryption oracle does not help $\mathcal{A}$ distinguish between the simulation and the actual construction, since, by the correctness of the Decrypt algorithm, well-formed ciphertexts will be accepted in either case. Finally, querying a non-well-formed ciphertext for $ID_i$ in $S$ does not help $\mathcal{A}$ distinguish, since this ciphertext will fail the "decrypt" check under every valid private key of $ID_i$ in $S$. Thus, the lemma follows from the following two claims.

Claim 1. Assuming the adversary does not find a collision in $h$, $H$, the decryption oracle, in the simulation and in the actual construction, rejects all invalid ciphertexts under identities not queried by $\mathcal{A}$.

Proof. Let $\log(\cdot)$ and $\log'(\cdot)$ denote the logarithms to the bases $g$ and $e(g, g)$, respectively, and let an invalid ciphertext $\mathrm{Hdr} = (c_1, c_2, c_3, c_4, c_5, \beta)$ associated with a set $S$ be of the form

$$c_1 = \prod_{i \in S} \big(h_2^{h(ID_i, i)} h_1^{ID_i}\big)^{s_1}, \quad c_2 = g^{s_2}, \quad c_3 = e(g_1, g_2)^{s_3}, \quad c_4 = e(g_1, g_3)^{s_4}, \quad c_5 = K \cdot e(g_1, h_0)^{s_5 + \gamma}, \quad \beta,$$

where $\gamma = H(c_1, c_2, c_3, c_4, e(g_1, h_0)^{s_5})$ and $s_1, s_2, s_3, s_4, s_5$ are not all equal (otherwise the ciphertext would be valid). Therefore,

$$\log c_1 = s_1 \sum_{i \in S} \log\big(h_2^{h(ID_i, i)} h_1^{ID_i}\big), \qquad \log c_2 = s_2, \qquad \log' c_3 = s_3 \cdot \alpha \cdot \log g_2,$$

$$\log' c_4 = s_4 \cdot \alpha \cdot \log g_3, \qquad \log'(c_5 / K) = (s_5 + \gamma) \cdot \alpha \cdot \log h_0.$$

According to the decryption process, a ciphertext $\mathrm{Hdr}$ can be accepted if

$$\frac{e\big(c_2,\ d_i \cdot \prod_{j \in S,\, j \neq i} d_j\big)}{c_4^{f(d_{-1})} \cdot c_3^{d_{-1}} \cdot e(c_1, d_0)} = e(g_1, h_0)^{s_5}, \qquad c_5 / e(g_1, h_0)^{\gamma} = R,$$

$$\beta = H(c_1, c_2, c_3, c_4, c_5, R), \qquad R / e(g_1, h_0)^{s_5} = K, \tag{1}$$

where $d_{ID_i} = (d_{-1}, d_0, d_1, \ldots, d_n)$ is a private key of $ID_i$ in $S$. And according to (1),

$$\frac{e\big(c_2,\ d_i \cdot \prod_{j \in S,\, j \neq i} d_j\big)}{c_4^{f(d_{-1})} \cdot c_3^{d_{-1}} \cdot e(c_1, d_0)} = \frac{e\Big(c_2,\ \big(h_0\, g_2^{r'_i}\, g_3^{f(r'_i)}\big)^{\alpha} \prod_{j \in S}\big(h_2^{h(ID_j, j)} h_1^{ID_j}\big)^{r_i}\Big)}{c_3^{r'_i} \cdot c_4^{f(r'_i)} \cdot e(c_1, g^{r_i})} = e(g_1, h_0)^{s_5}.$$

Since $\mathcal{A}$ has not queried the decryption key associated with the identity $ID_i$, and $r_i$ is randomly chosen from $\mathbb{Z}_p^*$, we know that

$$e(g_1, h_0)^{s_5}\, c_4^{f(r'_i)}\, c_3^{r'_i} = e\Big(c_2,\ \big(h_0\, g_2^{r'_i}\, g_3^{f(r'_i)}\big)^{\alpha}\Big), \tag{2}$$

$$e\Big(c_2,\ \prod_{i \in S} h_2^{h(ID_i, i)} h_1^{ID_i}\Big) = e(c_1, g). \tag{3}$$

From (3), we know $s_1 = s_2$. Since $r'_i$ is randomly chosen from $\mathbb{Z}_p^*$ and $f(r'_i) = -\frac{b_q}{c_q}\, r'_i - \frac{a_q}{c_q}$, according to (2),

$$e(g_1, h_0)^{s_5}\, c_4^{-a_q/c_q} = e\Big(c_2,\ \big(h_0\, g_3^{-a_q/c_q}\big)^{\alpha}\Big), \qquad c_3\, c_4^{-b_q/c_q} = e\Big(c_2,\ \big(g_2\, g_3^{-b_q/c_q}\big)^{\alpha}\Big). \tag{4}$$

From (4),

$$(s_5 - s_2) \log h_0 - \frac{a_q}{c_q} \log g_3\, (s_4 - s_2) = 0, \qquad (s_3 - s_2) \log g_2 - \frac{b_q}{c_q} \log g_3\, (s_4 - s_2) = 0. \tag{5}$$

Since $\log h_0 = f_1(\alpha)$, $\log g_2 = f_2(\alpha)$, $\log g_3 = f_3(\alpha)$, and $f_1(x), f_2(x), f_3(x)$ are randomly chosen, $\log h_0, \log g_2, \log g_3$ are uniformly random. And because $h_0 \neq g_3^{a_q/c_q}$ and $g_2 \neq g_3^{b_q/c_q}$, we know $s_2 = s_3 = s_4 = s_5$ from (5).

Therefore, $s_1 = s_2 = s_3 = s_4 = s_5$. A ciphertext can be accepted only if it is valid. The decryption oracle, in the simulation and in the actual construction, rejects all invalid ciphertexts under identities not queried by $\mathcal{A}$. $\square$

Claim 2. If the decryption oracle rejects all invalid ciphertexts, then $\mathcal{A}$ has advantage $1/(p - 1)$ in guessing the bit $w$.

When $Z$ is sampled from $P_{\mathrm{TBDHE}}$, the challenge ciphertext $\mathrm{Hdr}^*$ is a valid ciphertext under the randomness $s^*$.

First, we show the adversary cannot obtain a valid ciphertext $\mathrm{Hdr} = (c_1, c_2, c_3, c_4, c_5, \beta)$ for $K_w$ associated with a set $S$ from $\mathrm{Hdr}^*$, where

$$c_1 = \prod_{i \in S} \big(h_2^{h(ID_i, i)} h_1^{ID_i}\big)^{s'}, \quad c_2 = g^{s'}, \quad c_3 = e(g_1, g_2)^{s'}, \quad c_4 = e(g_1, g_3)^{s'}, \quad c_5 = K_w \cdot e(g_1, h_0)^{s' + \gamma}, \quad \beta,$$

and $\gamma = H(c_1, c_2, c_3, c_4, e(g_1, h_0)^{s'})$.

There are three cases to consider:

(1) $s' = s^*$, $S = S^*$: $\mathrm{Hdr} = \mathrm{Hdr}^*$, and the ciphertext will certainly be rejected.

(2) $s' = s^*$, $S \neq S^*$: $(c_2, c_3, c_4) = (c_2^*, c_3^*, c_4^*)$ and

$$c_1 = c_1^* \cdot \prod_{i \in S^* \setminus S} \big(h_2^{h(ID_i, i)} h_1^{ID_i}\big)^{-s^*} \cdot \prod_{i \in S \setminus S^*} \big(h_2^{h(ID_i, i)} h_1^{ID_i}\big)^{s^*}.$$

Since $s^* = \log_g g'$ is uniformly random, the adversary cannot compute a valid $c_1$ from $c^*$.

(3) $s' \neq s^*$: $(c_1, c_2, c_3, c_4, \gamma) \neq (c_1^*, c_2^*, c_3^*, c_4^*, \gamma^*)$ and

$$c_5 = c_5^* \cdot e(g_1, h_0)^{s' + \gamma - s^* - \gamma^*}.$$

Since $s^* = \log_g g'$ is uniformly random, $\gamma^*$ is uniformly random, and the adversary cannot compute a valid $c_5$ from $c^*$.

Therefore, the adversary cannot obtain a valid ciphertext $\mathrm{Hdr}$ for $K_w$ associated with a set $S$ from $\mathrm{Hdr}^*$.

Finally, we know

$$c_5^* = K_w \cdot \frac{e\big(c_2^*,\ d_i^* \cdot \prod_{j \in S^*,\, j \neq i} d_j^*\big)}{(c_4^*)^{f(d_{-1}^*)} \cdot (c_3^*)^{d_{-1}^*} \cdot e(d_0^*, c_1^*)} \cdot e(g_1, h_0)^{\gamma^*} = K_w \cdot e(g_1, h_0)^{s^* + \gamma^*},$$

where $\gamma^* = H(c_1^*, c_2^*, c_3^*, c_4^*, e(g_1, h_0)^{s^*})$.

Since $s^* = \log_g g'$ is uniformly random, $\gamma^*$ is uniformly random, and $s^* + \gamma^* = 0$ with probability $1/(p - 1)$, so $c_5^* / K_w$ is uniformly random for the adversary except with probability $1/(p - 1)$. So $\mathcal{A}$ can guess $w' = w$ with probability $\frac{1}{2} + \frac{1}{p - 1}$.

Lemma 2. When $Z$ is sampled according to $R_{\mathrm{TBDHE}}$, the joint distribution of $\mathcal{A}$'s view and the bit $w$ is indistinguishable from that in the actual construction.

Proof. The lemma follows from Claim 1 and the following claim. $\square$

Claim 3. If the decryption oracle rejects all invalid ciphertexts, then $\mathcal{A}$ has no advantage in guessing the bit $w$.

When $Z$ is sampled from $R_{\mathrm{TBDHE}}$, we know that $s_3, s_4 \neq s^*$. As above, the adversary cannot obtain a valid ciphertext $\mathrm{Hdr}$ for $K_w$ associated with a set $S$ from $\mathrm{Hdr}^*$. And

$$c_5^* = K_w \cdot \frac{e\big(c_2^*,\ d_i^* \cdot \prod_{j \in S^*,\, j \neq i} d_j^*\big)}{(c_4^*)^{f(d_{-1}^*)} \cdot (c_3^*)^{d_{-1}^*} \cdot e(d_0^*, c_1^*)} \cdot e(g_1, h_0)^{\gamma^*} = K_w \cdot e\big(g_1^{s^*},\ h_0\, g^{-a_q \alpha^q}\big) \cdot Z^{a_q} \cdot e(g_1, h_0)^{\gamma^*},$$

where $\gamma^* = H\big(c_1^*, c_2^*, c_3^*, c_4^*,\ e(g_1^{s^*}, h_0\, g^{-a_q \alpha^q}) \cdot Z^{a_q}\big)$.

Since $s^*, a_q, Z$ are uniformly random, $\gamma^*$ is uniformly random, and $c_5^* / K_w$ is random for the adversary. So $\mathcal{A}$ can only guess $w' = w$ with probability $1/2$ and has no advantage in guessing the bit $w$.

Table 1. Comparison to the IBBE scheme of [5].

| Scheme | Security model | Random oracles | Public key size | Private key size | Ciphertext size |
|--------|----------------|----------------|-----------------|------------------|-----------------|
| CD [5] | IND-sID-CPA    | yes            | O(m)            | O(1)             | O(1)            |
| Ours   | IND-ID-CCA2    | no             | O(1)            | O(n)             | O(1)            |

Time complexity. In the simulation, $\mathcal{B}$'s overhead is dominated by computing private keys and decrypting ciphertexts in response to $\mathcal{A}$'s queries. Each key generation computation requires $O(n)$ exponentiations in $G_1$, and each decryption computation requires $O(n)$ exponentiations and $O(1)$ pairings in $G_1, G_2$. Since $\mathcal{A}$ makes at most $q - 1$ such queries, $t' = t + O(t_{\mathrm{exp}} \cdot qn) + O(t_{\mathrm{pair}} \cdot q)$.

In the reduction, $\mathcal{B}$'s success probability and time complexity are the same as $\mathcal{A}$'s, except for additive factors depending on $p$ and $q$, respectively. So one could say that our IBBE system has a tight security reduction without random oracles.

4.3. Efficiency

In Table 1, we compare the efficiency of the known IBBE schemes.

In this table, $m$ represents the maximal size of the set of receivers for one encryption and $n$ is the total number of receivers. "sID" and "ID" denote the "selective-ID" and "adaptive-ID" models, respectively.

From Table 1, we conclude that our IBBE scheme is IND-ID-CCA2 secure without random oracles, and that it has constant size public key and ciphertext, though the private key size depends on the total number of receivers.

5. Conclusions

In this paper, we construct an IBBE scheme with constant size public key and ciphertext. It achieves IND-ID-CCA2 security without random oracles. The private key size depends on the total number of receivers. Our IBBE scheme is based on the $q$-TBDHE assumption; one interesting open problem is to construct a dynamic IBBE scheme that is fully secure without random oracles, based on a more natural assumption.

Acknowledgements

We would like to thank the anonymous referees for their helpful comments and suggestions. The work described in this paper was supported by the 863 Hi-tech Research and Development Program of China (2006AA01Z405), and also funded by the Research Fund for the Doctoral Program of Higher Education of China (200802480019).

References

[1] A. Fiat, M. Naor, Broadcast encryption, in: Advances in Cryptology—CRYPTO'93, LNCS, vol. 773, Springer-Verlag, 1994, pp. 480–491.

[2] A. Shamir, Identity-based cryptosystems and signature schemes, in: Advances in Cryptology—CRYPTO'84, LNCS, vol. 196, Springer-Verlag, 1985, pp. 47–53.

[3] B. Waters, Efficient identity-based encryption without random oracles, in: Advances in Cryptology—EUROCRYPT'05, LNCS, vol. 3494, Springer-Verlag, 2005, pp. 114–127.

[4] C. Cocks, An identity based encryption scheme based on quadratic residues, in: Proceedings of Cryptography and Coding, LNCS, vol. 2260, Springer-Verlag, 2001, pp. 360–363.

[5] C. Delerablee, Identity-based broadcast encryption with constant size ciphertexts and private keys, in: Advances in Cryptology—ASIACRYPT'07, LNCS, vol. 4833, Springer-Verlag, 2007, pp. 200–215.

[6] C. Delerablee, P. Paillier, D. Pointcheval, Fully collusion secure dynamic broadcast encryption with constant-size ciphertexts or decryption keys, in: Proceedings of Pairing-Based Cryptography—PAIRING'07, LNCS, vol. 4575, Springer-Verlag, 2007, pp. 39–59.

[7] C. Gentry, Practical identity-based encryption without random oracles, in: Advances in Cryptology—EUROCRYPT'06, LNCS, vol. 4004, Springer-Verlag, 2006, pp. 445–464.

[8] D. Boneh, C. Gentry, B. Waters, Collusion resistant broadcast encryption with short ciphertexts and private keys, in: Advances in Cryptology—CRYPTO'05, LNCS, vol. 3621, Springer-Verlag, 2005, pp. 258–275.

[9] D. Boneh, M. Franklin, Identity-based encryption from the Weil pairing, in: Advances in Cryptology—CRYPTO'01, LNCS, vol. 2139, Springer-Verlag, 2001, pp. 213–229.

[10] D. Boneh, X. Boyen, Efficient selective-ID secure identity based encryption without random oracles, in: Advances in Cryptology—EUROCRYPT'04, LNCS, vol. 3027, Springer-Verlag, 2004, pp. 223–238.

[11] D. Boneh, X. Boyen, Secure identity based encryption without random oracles, in: Advances in Cryptology—CRYPTO'04, LNCS, vol. 3152, Springer-Verlag, 2004, pp. 443–459.

[12] D. Boneh, X. Boyen, E.J. Goh, Hierarchical identity based encryption with constant size ciphertext, in: Advances in Cryptology—EUROCRYPT'05, LNCS, vol. 3494, Springer-Verlag, 2005, pp. 440–456.

[13] D. Halevy, A. Shamir, The LSD broadcast encryption scheme, in: Advances in Cryptology—CRYPTO'02, LNCS, vol. 2442, Springer-Verlag, 2002, pp. 47–60.

[14] D. Naor, M. Naor, J. Lotspiech, Revocation and tracing schemes for stateless receivers, in: Advances in Cryptology—CRYPTO'01, LNCS, vol. 2139, Springer-Verlag, 2001, pp. 41–62.

[15] M.T. Goodrich, J.Z. Sun, R. Tamassia, Efficient tree-based revocation in groups of low-state devices, in: Advances in Cryptology—CRYPTO'04, LNCS, vol. 3152, Springer-Verlag, 2004, pp. 511–527.

[16] R. Canetti, O. Goldreich, S. Halevi, The random oracle methodology, revisited (preliminary version), in: Proceedings of the 30th Annual ACM Symposium on Theory of Computing—STOC'98, 1998, pp. 131–140.

[17] R. Canetti, S. Halevi, J. Katz, Chosen-ciphertext security from identity-based encryption, in: Advances in Cryptology—EUROCRYPT'04, LNCS, vol. 3027, Springer-Verlag, 2004, pp. 207–222.