Information Fusion 13 (2012) 296–303

Journal homepage: www.elsevier.com/locate/inffus

Privacy-preserving identity-based broadcast encryption

Junbeom Hur a, Chanil Park b, Seong Oun Hwang c,*

a School of Computer Science and Engineering, Chung-Ang University, 84 Heukseokro, Dongjak-gu, Seoul 156-756, Korea
b Department of Computer Science, Korea Advanced Institute of Science and Technology, 373-1, Guseong-dong, Yuseong-gu, Daejeon 305-701, Republic of Korea
c Department of Computer and Information Communication Engineering, Hongik University, 300 Shinan-ri, Jochiwon-up, Yeongi-gun, Chungnam 339-701, Republic of Korea


Article history: Received 23 April 2010; Received in revised form 8 November 2010; Accepted 11 March 2011; Available online 21 March 2011

Keywords: Privacy; Broadcast encryption; Identity-based encryption; Hidden receiver

1566-2535/$ - see front matter © 2011 Elsevier B.V. All rights reserved. doi:10.1016/j.inffus.2011.03.003

* Corresponding author. Tel.: +1 217 819 8591; fax: +1 217 265 6758.
E-mail addresses: [email protected] (J. Hur), [email protected] (C. Park), [email protected] (S.O. Hwang).

Broadcast encryption enables a broadcaster to encrypt messages and transmit them to some subset S of authorized users. In identity-based broadcast encryption schemes, a broadcasting sender typically encrypts a message by combining the public identities of the receivers in S with the system parameters. However, previous identity-based broadcast encryption schemes have not been concerned with preserving the privacy of receivers. Consequently, in those schemes all of the identities of the broadcast receivers in S are exposed to the public, which leaves user privacy open to attack in many practical applications. We propose a novel privacy-preserving identity-based broadcast encryption scheme secure against an active attacker. The proposed scheme protects the privacy of the receivers of broadcast messages by hiding the identities of the receivers in S. Additionally, it achieves lower storage and computation costs for encrypting and decrypting the broadcast message than the previous identity-based broadcast encryption schemes that do not provide user privacy.

© 2011 Elsevier B.V. All rights reserved.

1. Introduction

The ubiquity of wireless communications facilitates the development of many group-oriented applications such as pay-per-view systems and video conferences. They take advantage of the broadcast characteristic of wireless communication to accelerate information exchange among a large number of users and to improve energy efficiency. In content distribution systems, it is often important to make certain data available to only a selected set of users. In commercial content distribution, for example, a company may wish its digital media to be available only to paying customers. Thus, most group-oriented applications require access control mechanisms to prevent unauthorized access to the group communication and to protect application data.

Access control is generally achieved by encrypting the group communication using a secret key that is shared by the privileged users. Broadcast encryption (BE) is the problem of sending an encrypted message to a collection of users such that only a dynamically changing privileged subset of users can decrypt it [1]. In secure content distribution, BE is known as an efficient algorithm to realize a secure multicast among the authorized set of users [1]. BE is an information fusion technique that exploits unique (public or secret) information of the users in a receiver set and constructs an encrypted broadcast message for them. In BE schemes, a broadcaster encrypts messages for any subset S of users of its choice who are entitled to the broadcast service. Then, any user in S can decrypt the transmissions using his or her private key. A BE scheme is said to be fully collusion resistant when, even if all users that are not in S collude, they can by no means infer information about the broadcast message [10]. In the academic and industrial fields, the study of broadcast encryption has become more important with increasing concerns about conditional access systems for secure multicasting over an insecure channel, such as the Internet or digital multimedia broadcasting (DMB).

Besides the significance of access control, it is often also important to protect the identities of the users who are able to access protected contents. Students would likely wish to keep their identities private in an email that an instructor sends to all of the students who failed a class. Commercial sites often do not want to disclose the identities of customers because competitors might use this information for targeted advertising. Military authorities must not reveal the identities of the intended receivers of a command to enemies, in order to avoid adaptive attacks on the command message at the network physical layer, for example through a jamming attack. It is not difficult to find such practical scenarios where user privacy is needed as an important requirement in addition to the access control mechanism.

1.1. Related work

The concept of broadcast encryption was first introduced by Fiat and Naor [1]. They suggested a method to securely broadcast key information such that only a privileged set of users can decrypt the information, while a coalition of up to k other users cannot obtain any information. Based on this study, several extended methods were proposed in [2–4].

Since then, many multi-receiver identity-based key encapsulation mechanisms (mID-KEM) [5,6] have been proposed in the identity-based setting [7]; this primitive was later called identity-based broadcast encryption in [10]. A KEM is a variation of the hybrid encryption paradigm in which the broadcast ciphertext encrypts only a symmetric key, which is then used to encrypt the broadcast contents. However, the ciphertext size grows with the number of receivers in [5,6]. Chatterjee and Sarkar [8] achieved a controllable tradeoff between the ciphertext size and the private key size; thus, [8] introduced the first mID-KEM scheme to achieve sub-linear ciphertext size. After that, [9] proposed a generic construction that achieves ciphertexts of constant size, but private keys of size O(N^2), where N is the maximum number of users in the system.

Recently, Delerablee [10] proposed the first identity-based broadcast encryption (IBBE) scheme with constant size ciphertexts and private keys. This construction is also a key encapsulation mechanism, so long messages can be encrypted under a short symmetric key, and the symmetric key is encrypted using the IBBE scheme. In this scheme, ciphertexts and private keys are of constant size, and the public key is of size linear in the maximum size of a set of receivers. The scheme achieves IND-sID-CPA (indistinguishability under selective-ID chosen plaintext attack) security in the random oracle model, which is extended to IND-ID-CCA2 (indistinguishability under adaptive-ID chosen ciphertext attack) security in [11]. In [11], the public key and ciphertext sizes are constant; however, the private key size is linear in the total number of receivers.

1.2. Motivation

The previous IBBE schemes have drawbacks in two aspects: privacy and efficiency.

While the previous schemes have focused on protecting the broadcast contents from unauthorized users and on reducing the ciphertext length or the private key size, they have not been concerned with protecting the identities of the users allowed to access the contents. Who can access the contents, however, is often more sensitive than the contents themselves. Suppose a university provides a document to students with low average grades. To maintain the privacy of the students, the set of authorized users should be kept private, not only from outsiders, but from the students in the group as well. In BE schemes, the broadcast message is typically encrypted by combining system parameters and the public keys of the receivers. Especially in the previous IBBE schemes, the identities of the receivers are used as the public keys with which a sender encrypts and the set of receivers decrypt the broadcast content. Thus, a broadcaster exposes all of the identities of the receivers to the public by attaching them to the header of a broadcast message [5,6,8–11]. This violates the privacy of the receivers in many practical scenarios.

When it comes to efficiency, the previous IBBE schemes are mainly designed to reduce the ciphertext size. However, this results in high computational or storage overhead for each user. They require each user either to compute time-consuming pairing or modular exponentiation operations in proportion to the number of receivers [10], or to store secret keys whose size is linear in the number of all users in the system [9,11]. This could be a significant impediment to the applicability of IBBE systems in practice, especially in large-scale systems consisting of resource-constrained devices.

Boyen and Waters [12] proposed an identity-based encryption (IBE) scheme that features fully anonymous ciphertexts and hierarchical key delegation, which is called anonymous IBE. Even though their scheme also focuses on enabling recipient privacy, it lacks efficiency in terms of scalability in the broadcasting environment. Specifically, in their scheme the system secret key is a tuple of five numbers, and the user's secret key is also a tuple of five elements of the pairing group. The ciphertext consists of six components of the pairing group for a one-to-one communication. When the anonymous IBE scheme performs multiple encryptions for many recipients in a broadcast encryption system, it would also suffer from the same efficiency problem.

Therefore, our goals in this study are to provide (1) recipient privacy: an encrypted broadcast message should hide who can access its contents, even from the other members of the set of authorized receivers, and (2) efficiency: low computational and storage overhead that is independent of the number of users in the receiver set.

1.3. Our contribution

On the basis of the above motivations, we propose a privacy-preserving IBBE scheme. In the proposed scheme, a broadcast message hides who can access the contents by using a key-private public key system as a component in building the IBBE system. A public-key encryption system is key-private if ciphertexts do not leak any information about the public keys for which they were encrypted [14]. Thus, in the proposed scheme, which users are authorized to access which content is not divulged, even to other authorized users.

In addition, the efficiency of the algorithm is enhanced with regard to computational and storage overhead by using a one-way anonymous identity-based key agreement protocol [13]. In the proposed scheme, the system public and secret keys are of constant size. The proposed scheme requires each user to store an O(1) private key and to compute a constant number of pairing and modular exponentiation operations, fewer than in the previous IBBE schemes. We differ from the previous works in that we focus on maintaining the privacy of users, and do not attempt to achieve ciphertext overhead that is sub-linear in the number of users. Even though the authors of the previous schemes claimed that the ciphertext size is constant [10,11], they ignored the cost of sending the identities of the users, a communication overhead which is linear in the number of users or receivers, as we demonstrate later. Thus, strictly speaking, no IBBE scheme so far has achieved constant size ciphertexts.

The remainder of the paper is organized as follows. We describe preliminaries on bilinear pairings and the one-way anonymous key agreement protocol in Section 2, and define the formal model of privacy-preserving IBBE and its security in Section 3. In Section 4, we present our privacy-preserving IBBE scheme. In Section 5, we analyze the efficiency and security of the proposed scheme. In Section 6, we examine broadcast encryption systems in practice and their vulnerability with respect to recipient privacy. Finally, we conclude in Section 7.

2. Preliminaries

We briefly review bilinear pairings and the one-way anonymous key agreement protocol in this section.

2.1. Bilinear pairings

Let $\mathbb{G}_1$, $\mathbb{G}_2$, and $\mathbb{G}_T$ be three cyclic groups of prime order $p$. A bilinear map $e$ is a map $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$ with the following properties.

1. Bilinearity: For all $g_1 \in \mathbb{G}_1$, $g_2 \in \mathbb{G}_2$, and $a, b \in \mathbb{Z}_p^*$, $e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}$.

2. Non-degeneracy: $e(g_1, g_2) \neq 1$.

3. Computability: There is an efficient algorithm to compute $e(g_1, g_2)$ for any $g_1 \in \mathbb{G}_1$ and $g_2 \in \mathbb{G}_2$.

Like many pairing-based cryptographic protocols, our protocol uses a special form of bilinear map called a symmetric pairing, where $\mathbb{G}_1 = \mathbb{G}_2$. In the rest of the paper, all bilinear pairings are symmetric, and we denote $\mathbb{G}_1 = \mathbb{G}_2$ by $\mathbb{G}$.

The Weil pairing [7] or the Tate pairing [15] on elliptic curves can be used as an efficiently computable non-degenerate bilinear map. There are efficient and practical ways to find such maps; see for example [16–18].

2.2. Bilinear Diffie–Hellman assumption

Using the above notation, the Bilinear Diffie–Hellman (BDH) problem is to compute $e(g, g)^{abc} \in \mathbb{G}_T$ given a generator $g$ of $\mathbb{G}$ and elements $g^a, g^b, g^c$ for $a, b, c \in \mathbb{Z}_p^*$. An equivalent formulation of the BDH problem is to compute $e(A, B)^c$ given a generator $g$ of $\mathbb{G}$ and elements $A$, $B$ and $g^c$ in $\mathbb{G}$.

An algorithm $\mathcal{A}$ has advantage $\epsilon(\kappa)$ in solving the BDH problem for a bilinear map group $\langle p, \mathbb{G}, \mathbb{G}_T, e \rangle$, where $\kappa$ is the security parameter (the bit length of $p$), if $\Pr[\mathcal{A}(k, \mathbb{G}, \mathbb{G}_T, A, B, g^c) = e(A, B)^c] \geq \epsilon(\kappa)$. If for every polynomial-time algorithm (in the security parameter $\kappa$) that solves the BDH problem on $\langle p, \mathbb{G}, \mathbb{G}_T, e \rangle$ the advantage $\epsilon(\kappa)$ is a negligible function, then $\langle p, \mathbb{G}, \mathbb{G}_T, e \rangle$ is said to satisfy the BDH assumption.

2.3. Anonymous key agreement

In the Boneh–Franklin identity-based encryption setup [7], a trusted key authority called the private key generator (PKG) generates a private key $d_i$ for a user with identity $ID_i$ using a master secret $s$. A user with identity $ID_i$ receives the private key $d_i = H(ID_i)^s \in \mathbb{G}$, where $H : \{0,1\}^* \to \mathbb{G}$ is a cryptographic hash function.

On the basis of this setup, Kate et al. [13] proposed a one-way anonymous key agreement scheme by replacing the identity hashes with pseudonyms generated by users. One-way anonymous key agreement guarantees anonymity for just one of the participants; the other participant acts as a non-anonymous service provider, and the anonymous participant needs to confirm the service provider's identity. In this setting, the two participants can agree on a session key in a non-interactive manner.

Suppose Alice and Bob are clients of the same key authority. Alice has identity $ID_A$ and private key $d_A = Q_A^s = H(ID_A)^s$. Alice wishes to remain anonymous to Bob, whose identity is $ID_B$. Then, the key agreement protocol proceeds as follows.

1. Alice computes $Q_B = H(ID_B)$. She chooses a random integer $r_A \in \mathbb{Z}_p^*$, generates the corresponding pseudonym $P_A = Q_A^{r_A}$, and computes the session key $K_{A,B} = e(d_A, Q_B)^{r_A} = e(Q_A, Q_B)^{s r_A}$. She sends her pseudonym $P_A$ to Bob.

2. Bob computes the session key $K_{A,B} = e(P_A, d_B) = e(Q_A, Q_B)^{s r_A}$ using his private key $d_B$.

Kate et al. proved that this protocol is secure in the random oracle model, assuming the BDH problem in $\langle p, \mathbb{G}, \mathbb{G}_T, e \rangle$ is hard, in terms of unconditional anonymity, session key secrecy, and no impersonation. The proof can be found in [13].

¹ Roughly speaking, the target public key ID should be decided by the adversary in advance, before the challenger runs the setup algorithm. The restriction is that the extraction query on ID is prohibited.

3. Definitions

In this section, we propose a formal definition of privacy-preserving IBBE together with its security notions.

3.1. Privacy-preserving identity-based broadcast encryption

Like the previous IBBE schemes [10,11], the privacy-preserving IBBE scheme also involves a PKG. The PKG grants new members the capability of decrypting messages by providing each member with identity $ID_i$ a decryption key $sk_{ID_i}$. $sk_{ID_i}$ is generated using a master secret key, MSK. The broadcaster encrypts messages and transmits them to the group of users via the broadcast channel. In a privacy-preserving IBBE scheme, the broadcaster does not hold any private information, and encryption is performed with the help of a public key, PK, and the identities of the receivers. In contrast to the previous IBBE schemes [10,11], however, the broadcast message constructed in the privacy-preserving IBBE scheme does not include the identities of the set of receivers. Thus, a privacy-preserving IBBE scheme encrypts a message to several recipients while hiding the identities of the recipients, even from each other.

More formally, a privacy-preserving IBBE scheme is a tuple of four algorithms Setup, Extract, Encrypt, Decrypt, described as follows.

Setup($\kappa$). Takes as input the security parameter $\kappa$, and outputs a master secret key MSK and a master public key PK. The PKG is given MSK, and PK is made public.

Extract(MSK, $ID_i$). Takes as input the master secret key MSK and a user identity $ID_i$, and generates a user private key $sk_{ID_i}$.

Encrypt(S, PK). Takes as input the public key PK and a set of identities of receivers $S = \{ID_1, \ldots, ID_n\}$, and outputs a pair (Hdr, K). $K \in \mathbb{G}_T$ is a message encrypting key. When a message M is to be broadcast to the users in S, the broadcaster generates (Hdr, K) ← Encrypt(S, PK), computes the encryption $C_M$ of M under the symmetric key K, and broadcasts CT = (Hdr, $C_M$). We will refer to Hdr as the header and to $C_M$ as the broadcast body. In the previous IBBE schemes without any privacy concern, the broadcast message is of the form (Hdr, S, $C_M$), which exposes the list of receivers S to the public [10,11].

Decrypt($ID_i$, $sk_{ID_i}$, Hdr). Takes as input an identity $ID_i$, the corresponding private key $sk_{ID_i}$, and the header Hdr. If Hdr is derived from S and $ID_i \in S$, the algorithm outputs the message encryption key K, which is then used to decrypt the broadcast body $C_M$ and recover M.

The definition above departs from the standard definition of broadcast encryption in that the standard definition explicitly provides S, the set of recipients, to the Decrypt algorithm. Here we omit this parameter in order to capture systems that hide S. There is no loss of generality, however, as S can be included implicitly in the broadcast ciphertext Hdr directly.

3.2. Security model for privacy-preserving IBBE

A general way to formalize notions of security for cryptographic schemes is to combine the various security goals (such as indistinguishability) with possible attack models (such as CPA and CCA). In IBBE, the adversaries are granted access to the key extraction oracle, which answers with the private key of any queried public identity (adaptive chosen identity attack) or of a selectively queried identity (selective chosen identity attack).

We define the chosen ciphertext security model for a privacy-preserving IBBE scheme using a game between a challenger and a static adversary [10]. The security is defined under the selective-ID security notions by refining the definitions in [19,21], where the adversary must choose the set of identities he wants to attack at the beginning of the game¹. The security notions are "Indistinguishability of encryptions under selective multi-ID, chosen ciphertext/plaintext attack" (IND-sMID-CCA/CPA) and "Anonymous indistinguishability of encryptions under selective multi-ID, chosen ciphertext/plaintext attack" (ANON-sMID-CCA/CPA).

3.2.1. Confidentiality

Confidentiality means that no useful information about a plaintext message can be gleaned from the corresponding ciphertext. It is defined using the following game between an adversary and a challenger.

Init. The adversary begins by choosing a set $S^* \subseteq \{ID_1, \ldots, ID_n\}$ of receivers to attack.

Setup. The challenger runs the Setup algorithm and gives the public parameter PK to the adversary.

Phase 1. The adversary adaptively issues queries $q_1, \ldots, q_m$, where each of them is one of the following queries.

• Extraction query: The challenger runs Extract on $ID_i \notin S^*$ and forwards the resulting private key to the adversary.

• Hash query: The challenger performs a hash operation on some input information about $ID_i \notin S^*$, and forwards the result to the adversary².

• Decryption query: The challenger runs Decrypt on $\langle ID_j, S', \mathrm{Hdr} \rangle$ for $S' \subseteq S^*$ and $ID_j \in S'$, and forwards the result to the adversary.

Challenge. The challenger runs Encrypt to obtain $\langle \mathrm{Hdr}^*, K \rangle$. He picks a random $b \in \{0,1\}$. Then, he sets $K_b = K$, picks a random $K_{1-b}$, and gives $\langle \mathrm{Hdr}^*, K_0, K_1 \rangle$ to the adversary.

Phase 2. The adversary issues additional queries $q_{m+1}, \ldots, q_s$ as in Phase 1, with the restriction that $\mathrm{Hdr} \neq \mathrm{Hdr}^*$ in the decryption queries.

Guess. The adversary outputs a guess $b' \in \{0,1\}$ of $b$, and wins the game if $b = b'$.

We denote by $q_s$ the total number of queries and by $q_D$ the total number of decryption queries. In the above game, the advantage of an adversary $\mathcal{A}$ is defined as $\mathrm{Adv}^{\mathrm{ind\text{-}smid\text{-}cca}}_{\mathcal{A}}(\kappa, q_s, q_D) = \left|\Pr[b' = b] - 1/2\right|$.

Definition 1. Let $q_s$ be the total number of queries and $q_D$ be the total number of decryption queries. A scheme is said to be $(t, \epsilon, \kappa, q_s, q_D)$-IND-sMID-CCA secure if there is no $t$-polynomial time bounded adversary who has $\mathrm{Adv}^{\mathrm{ind\text{-}smid\text{-}cca}}_{\mathcal{A}}(\kappa, q_s, q_D) \geq \epsilon$ for a non-negligible probability $\epsilon$ in the above game.

We also define chosen plaintext security for an IBBE scheme by preventing the attacker from issuing decryption queries.

Definition 2. We say that a scheme is $(t, \epsilon, \kappa, q_s)$-IND-sMID-CPA secure if it is $(t, \epsilon, \kappa, q_s, 0)$-IND-sMID-CCA secure.

3.2.2. Receiver anonymity

This game ensures that the adversary cannot distinguish a ciphertext intended for one recipient set from a ciphertext intended for another recipient set. More precisely, receiver anonymity is defined using the following game between an adversary and a challenger.

Setup. The challenger runs the Setup algorithm and gives the public parameter PK to the adversary.

Phase 1. The adversary begins by choosing target identity sets $S_0, S_1 \subseteq \{ID_1, \ldots, ID_n\}$ such that $|S_0| = |S_1|$. Upon receiving the sets, the challenger randomly chooses $b \in \{0,1\}$. The adversary adaptively issues queries $q_1, \ldots, q_m$, where each of them is one of the following queries.

• Extraction query: Upon receiving a private key extraction query, denoted by $ID_j$, the challenger runs Extract on $ID_j$ for $ID_j \in S_0 \cap S_1$, and forwards the resulting private key to the adversary.

• Decryption query: Upon receiving a decryption query, denoted by $(CT^*, ID_i)$ for some $ID_i \in S_0 \cup S_1$, the challenger generates a private key associated with $ID_i$, denoted by $sk_{ID_i}$. The challenger runs Decrypt on $\langle ID_i, sk_{ID_i}, CT^* \rangle$ and forwards the result to the adversary.

Challenge. The adversary outputs a target plaintext K. The challenger creates a target ciphertext CT on $(K, S_b)$, and then returns the result to the adversary.

Phase 2. The adversary issues additional queries $q_{m+1}, \ldots, q_s$ as in Phase 1, with the restriction that $CT^* \neq CT$.

Guess. The adversary outputs a guess $b' \in \{0,1\}$ of $b$, and wins the game if $b = b'$.

² Hash query simulates the one-way anonymous key agreement protocol which will be used in the proposed construction in Section 4.

In the above game, the advantage of an adversary $\mathcal{A}$ is defined as $\mathrm{Adv}^{\mathrm{anon\text{-}smid\text{-}cca}}_{\mathcal{A}}(\kappa, q_s, q_D) = \left|\Pr[b' = b] - 1/2\right|$.

Definition 3. Let $q_s$ be the total number of queries and $q_D$ be the total number of decryption queries. A scheme is said to be $(t, \epsilon, \kappa, q_s, q_D)$-ANON-sMID-CCA secure if there is no $t$-polynomial time bounded adversary who has $\mathrm{Adv}^{\mathrm{anon\text{-}smid\text{-}cca}}_{\mathcal{A}}(\kappa, q_s, q_D) \geq \epsilon$ for a non-negligible probability $\epsilon$ in the above game.

Definition 4. We say that a scheme is $(t, \epsilon, \kappa, q_s)$-ANON-sMID-CPA secure if it is $(t, \epsilon, \kappa, q_s, 0)$-ANON-sMID-CCA secure.

4. Privacy-preserving identity-based broadcast encryption

In this section, we present a construction for privacy-preserving IBBE that achieves receiver privacy. The proposed scheme adopts a hybrid encryption mechanism. Specifically, the construction is realized by combining the one-way anonymous key agreement with symmetric key encryption to encrypt a message encrypting key K.

4.1. Construction

– Setup($\kappa$). Given the security parameter $\kappa$, a bilinear map group system $\mathcal{B} = (p, \mathbb{G}, \mathbb{G}_T, e(\cdot, \cdot))$ is constructed such that $|p| = \kappa$. Also, a generator $g \in \mathbb{G}$ and a secret value $x \in \mathbb{Z}_p^*$ are randomly selected. Two cryptographic hash functions $H_1 : \{0,1\}^* \to \mathbb{G}$ and $H_2 : \mathbb{G}_T \to \mathbb{Z}_p^*$ are chosen. The system public parameters are $(g, \mathcal{B}, H_1, H_2)$. The master secret key is MSK = $x$, and the master public key is PK = $g^x$.

– Extract(MSK, $ID_i$). Given MSK and the identity $ID_i$, outputs $sk_{ID_i} = H_1(ID_i)^x = Q_i^x$.

– Encrypt(S, PK). Suppose that $S = \{ID_1, \ldots, ID_n\}$. Then, given PK = $g^x$, the broadcaster runs Encrypt as follows.

Pre-computation (1–2):

1. $\forall ID_i \in S$, computes $Q_i = H_1(ID_i)$.

2. Selects a random $r \in \mathbb{Z}_p^*$; and, $\forall ID_i \in S$, computes $s_i = H_2(e(Q_i^r, g^x))$.

Computation at each session (3–5):

3. Selects a random $k \in \mathbb{Z}_p^*$, and computes a message encrypting key $K = e(g, g)^k$.

4. Selects a random $\alpha \in \mathbb{Z}_p^*$.

5. Computes Hdr = $(C_1, C_2, C_3)$ where
$$C_1 = g^r, \qquad C_2 = (g^\alpha)^k, \qquad C_3 = \left\{ c_i = \left(g^{1 - \frac{1}{\alpha}}\right)^{\frac{1}{s_i}} \right\}_{ID_i \in S}.$$

Finally, Encrypt returns (Hdr, K). K is used to encrypt a broadcast message M and generate $C_M$. Then, the broadcaster broadcasts the ciphertext CT = (Hdr, $C_M$).

Table 1. Efficiency comparison among IBBE schemes.

                  Delerablee [10]       Ren et al. [11]                 Proposed
Public key        (n + 3)S_1 + S_T      7S_1 + S_p                      S_1
Secret key        S_1 + S_p             S_p                             S_p
Storage           S_1                   (n + 2)S_1                      S_1
Communication     2S_1 + nS_ID          2S_1 + 3S_T + S_p + nS_ID       ≤ (n + 2)S_1
Privacy           No                    No                              Yes

A session is defined as the time instant when a broadcaster encrypts and sends a broadcast message. It is important to note that steps 1–2 can be pre-computed once and for all, while steps 3–5 should be performed at each session when a broadcaster wants to broadcast a message. On any membership change in S, a broadcaster may recompute steps 3–5 with new $k'$ and $\alpha'$ for backward and forward secrecy of the broadcast message [20]. In case of no membership change in S, $C_3$ could be reused or published as a public parameter of the broadcaster, which reduces the communication cost by reducing the ciphertext size.

– Decrypt($ID_i$, $sk_{ID_i}$, Hdr). In order to retrieve the message encryption key K encapsulated in the header Hdr, a user with $ID_i$ and the corresponding private key $sk_{ID_i}$ runs Decrypt as follows:

1. Computes si ¼ H2ðeðskIDi; C1ÞÞ ¼ H2ðeðQ x

i ;C1ÞÞ.2. Retrieves ci from C3, and computes

eðC�12 ; csi

i Þ � eðg;C2Þ ¼ e ðgaÞk� ��1

; g1�1a

� �1si

� �si� �

� eðg; ðgaÞkÞ

¼ eðg; gÞ�kða�1Þ � eðg; gÞka ¼ K:

Footnote 3: As we discussed in Section 4.2, there is a tradeoff between communication overhead and computation overhead. Thus, at most n hash values would be added to the communication cost if the system wants to reduce the decryption cost.

Step 1 is the one-way anonymous key agreement procedure, which enables the broadcaster and the receiver with $ID_i$ to establish and share a secret key $s_i$. Because the key agreement protocol guarantees unconditional anonymity, key secrecy (for $s_i$, here), and no impersonation [13], the decryption procedure guarantees that only a user in $S$ can decrypt and retrieve $K$ successfully. We will prove the security later. In addition, step 1 needs to be performed only once and for all for the same broadcaster.

4.2. Discussion

The disadvantage of Decrypt is that decryption time may be linear in the number of receivers, because the decryption algorithm must try decrypting the ciphertext until it retrieves $c_i$ and decrypts successfully (in step 2). To decrypt a ciphertext in the privacy-preserving IBBE scheme above, a recipient must attempt n/2 trial decryptions on average, where n is the number of recipients. The previous non-private schemes improve performance by revealing the identities of the recipients [5,6,8–11]. We can also improve performance by labeling each $c_i$ in $C_3$ with recipient identities, directing the attention of decryptors to the appropriate components. However, these labels reveal the identities of the recipients.

This problem of retrieving the corresponding $c_i$ from $C_3$ by a user with $ID_i$ could be solved efficiently by labeling each $c_i$ with the shared secret information $s_i$, as in [19], which does not require any trial decryptions. Let $c_i$ in Encrypt be

$$c_i = H_3(s_i) \,\|\, \big(g^{1-\frac{1}{a}}\big)^{\frac{1}{s_i}},$$

where $H_3 : \mathbb{Z}_p^* \to \{0,1\}^*$. Then, the Decrypt algorithm requires each decryptor with $ID_i$ to calculate $H_3(s_i)$ and then use the result to locate the ciphertext component $c_i$ for him. Users need to perform only one hash operation to retrieve the component regardless of the number of recipients, which eliminates any unnecessary trial decryptions.
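As an added worked example (not code from the paper or its authors), the following Python models the Setup/Extract/Encrypt/Decrypt algorithms of Section 4.1 together with both header layouts discussed in Section 4.2: the unlabelled header, where a receiver performs trial decryptions until one succeeds, and the $H_3$-labelled header, where one hash locates $c_i$. The bilinear group is a deliberately insecure stand-in: elements of $\mathbb{G}$ and $\mathbb{G}_T$ are kept as their discrete logarithms modulo a constructed prime, so $e(g^u, g^v)$ is simply $u \cdot v \bmod p$ and the public key literally equals $x$. The symmetric encryption of the body $C_M$ (a hash-based one-time pad with an HMAC tag), the key derivation and the e-mail identities are likewise constructed here; the paper fixes none of them. What the model does show faithfully is the algebra of the scheme, that the header carries no identities, and that a non-member's key agreement yields a wrong $s_i$ and therefore no $K$.

```python
# Added example (not from the paper): toy model of the Section 4 construction.
# INSECURE BY DESIGN: elements of G and G_T are represented by their discrete logs
# (exponents modulo P, additive notation), so the pairing is multiplication modulo P
# and PK literally equals the master secret x. It only checks the algebra of
# Setup/Extract/Encrypt/Decrypt and the unlabelled vs. H3-labelled header (Section 4.2).
import hashlib, hmac, secrets

P = 2**127 - 1  # constructed toy group order; real schemes use pairing-friendly curves

def _hash_int(tag: bytes, data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(tag + data).digest(), "big")

def H1(identity: str) -> int:       # H1: {0,1}* -> G, returned as log_g(Q_i)
    return _hash_int(b"H1", identity.encode()) % (P - 1) + 1

def H2(t: int) -> int:              # H2: G_T -> Z_p^*, input is the log of e(g,g)^t
    return _hash_int(b"H2", t.to_bytes(16, "big")) % (P - 1) + 1

def H3(s: int) -> bytes:            # H3: Z_p^* -> {0,1}*, the label hash of Section 4.2
    return hashlib.sha256(b"H3" + s.to_bytes(16, "big")).digest()[:16]

def pair(u: int, v: int) -> int:    # e(g^u, g^v) = e(g,g)^(u*v): multiply the logs
    return u * v % P

def rand_zp() -> int:               # uniform element of Z_p^*
    return secrets.randbelow(P - 1) + 1

def setup():
    """Setup: MSK = x, PK = g^x (its log x in this toy, hence insecure)."""
    x = rand_zp()
    return x, x

def extract(msk: int, identity: str) -> int:
    """Extract: sk_ID = H1(ID)^x = Q_i^x."""
    return H1(identity) * msk % P

def encrypt(receivers, pk: int, labelled: bool = True):
    """Encrypt(S, PK) -> (Hdr, K). Steps 1-2 are the reusable pre-computation."""
    r = rand_zp()
    s = {rid: H2(pair(H1(rid) * r % P, pk)) for rid in receivers}  # s_i = H2(e(Q_i^r, g^x))
    k, a = rand_zp(), rand_zp()                   # fresh per session (steps 3-4)
    K = pair(k, 1)                                # K = e(g,g)^k
    C1, C2 = r, a * k % P                         # C1 = g^r, C2 = (g^a)^k
    base = (1 - pow(a, -1, P)) % P                # g^(1-1/a)
    C3 = []
    for rid in receivers:
        c_i = base * pow(s[rid], -1, P) % P       # c_i = (g^(1-1/a))^(1/s_i)
        C3.append((H3(s[rid]) if labelled else None, c_i))   # no identity in Hdr
    secrets.SystemRandom().shuffle(C3)            # position must not leak the order of S
    return (C1, C2, C3), K

def _session_keys(K: int):
    """Constructed hash-based KDF: keystream key and MAC key from K."""
    d = hashlib.sha256(b"KEM" + K.to_bytes(16, "big")).digest()
    return d[:16], d[16:]

def _keystream(ek: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(ek + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]

def ae_encrypt(K: int, message: bytes) -> bytes:
    """Toy authenticated encryption of the body C_M under a fresh per-session K."""
    ek, mk = _session_keys(K)
    ct = bytes(m ^ z for m, z in zip(message, _keystream(ek, len(message))))
    return ct + hmac.new(mk, ct, "sha256").digest()

def ae_decrypt(K: int, body: bytes):
    """Message, or None when the tag fails (a wrong trial key in Decrypt)."""
    ek, mk = _session_keys(K)
    ct, tag = body[:-32], body[-32:]
    if not hmac.compare_digest(hmac.new(mk, ct, "sha256").digest(), tag):
        return None
    return bytes(c ^ z for c, z in zip(ct, _keystream(ek, len(ct))))

def decrypt(sk: int, hdr, body: bytes):
    """Decrypt(ID_i, sk_ID, Hdr) -> (K, message), or None for a non-receiver."""
    C1, C2, C3 = hdr
    s_i = H2(pair(sk, C1))      # step 1: s_i = H2(e(sk_ID, C1)) = H2(e(Q_i^r, g^x))
    my_label = H3(s_i)
    for label, c_i in C3:
        if label is not None and label != my_label:
            continue            # labelled header (Section 4.2): one hash lookup
        # step 2: e(C2^-1, c_i^s_i) * e(g, C2) = e(g,g)^(-k(a-1)) * e(g,g)^(ka) = K
        K = (pair(-C2 % P, c_i * s_i % P) + pair(1, C2)) % P
        msg = ae_decrypt(K, body)   # unlabelled header: trial decryption until success
        if msg is not None:
            return K, msg
    return None

def run_session(labelled: bool = True):
    """Broadcast to three constructed identities; check the members and an outsider."""
    msk, pk = setup()
    members = ["alice@example.org", "bob@example.org", "carol@example.org"]
    hdr, K = encrypt(members, pk, labelled)
    body = ae_encrypt(K, b"pay-per-view session key material")
    got = {rid: decrypt(extract(msk, rid), hdr, body) for rid in members}
    outsider = decrypt(extract(msk, "mallory@example.org"), hdr, body)
    return {"members_ok": all(v == (K, b"pay-per-view session key material") for v in got.values()),
            "outsider_blocked": outsider is None}
```

Running `run_session(False)` exercises the trial-decryption path: every wrong $c_i$ produces a wrong $K$ whose authentication tag fails, which is exactly the n/2 average cost the discussion above describes, while `run_session(True)` reaches the right component with a single $H_3$ comparison. In both modes the header is a shuffled list of group elements with no recipient identifier, which is the privacy property the construction is after.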

5. Analysis

In this section, the efficiency of the proposed scheme is analyzed and compared to the previous IBBE schemes in terms of the communication, computation, and storage overheads. Then, the security proof of the proposed scheme is given.

5.1. Efficiency

In the proposed scheme and [11], a symmetric bilinear map is used as a primitive function to perform the pairing operation ($e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$). However, [10] makes use of an asymmetric bilinear map $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$ where $\mathbb{G}_1 \ne \mathbb{G}_2$. In terms of the computation cost, we will assume that operations in $\mathbb{G}_1$ and $\mathbb{G}_2$ require the same computational effort as in $\mathbb{G}$. We also assume that the bit lengths of an element in $\mathbb{G}_1$ and $\mathbb{G}_2$ are the same as that in $\mathbb{G}$.

The efficiency comparison results among IBBE schemes are summarized in Table 1. The notations used in the table are described as follows:

n: the number of receivers in S

Sp: bit size of an element in $\mathbb{Z}_p^*$

S1: bit size of an element in $\mathbb{G}_1$, $\mathbb{G}_2$, and $\mathbb{G}$

ST: bit size of an element in $\mathbb{G}_T$

SID: bit size of an identity of a user

In Table 1, public key and secret key represent the sizes of the public and secret keys of a system, respectively. Storage represents the size of the private keys of a user. Communication represents the size of the messages in bits that a broadcaster or a sender broadcasts. (We will use 'sender' and 'broadcaster' interchangeably henceforth.) It includes the header and the set of receivers, S, but not the broadcast body $C_M$. Privacy represents whether each scheme supports user privacy or not.

As shown in Table 1, the proposed scheme requires the least amount of system public/secret keys and private keys for a user. The analyzed communication cost of the proposed scheme in Table 1 is an upper bound of the cost. Even though the proposed scheme requires n + 2 elements in $\mathbb{G}$ to be broadcast (see footnote 3), it does not need to broadcast the n identities of receivers as in the previous schemes, while guaranteeing user privacy. In fact, SID is likely to have various sizes. For example, the email address, which is one of the most widely used identities in the real world, could be tens of bytes. According to the statistical analysis in [23], the email address may require more than 50 bytes for a single user. This is not a negligible amount of size at all in practical applications. Assuming that SID is almost the same as S1 (SID ≈ S1), the upper bound of the proposed scheme is almost the same as [10] in terms of the communication cost. If the set of receivers remains the same as the set of receivers in the previous session instance, the broadcaster does not need to compute and broadcast $C_3$ in $Hdr$ again, since the $C_3$ broadcast at the prior session could be reused at the current session. This enhances the efficiency of the proposed scheme in terms of the communication cost as well as the computation cost. Thus, the lower bound of the communication cost in our scheme would be 2S1 bits to be broadcast in the best case.

Table 2. Comparison of computation cost.

| Operation        | Time (ms) | Delerablee [10] Sender | Delerablee [10] Receiver | Ren et al. [11] Sender | Ren et al. [11] Receiver | Proposed Sender | Proposed Receiver |
|------------------|-----------|------------------------|--------------------------|------------------------|--------------------------|-----------------|-------------------|
| Pairing          | 2.9       | –                      | 2                        | 3                      | 3                        | (n)ᵃ            | 3                 |
| Exp. in G        | 1.0       | 2n + 2                 | 2n − 1                   | 2n + 1                 | n                        | ≤ n + 2         | 1                 |
| Exp. in GT       | 0.2       | 1                      | 2                        | 4                      | 8                        | 1               | –                 |
| Computation (ms) |           | 2n + 2.2               | 2n + 5.2                 | 2n + 10.5              | n + 10.3                 | ≤ n + 2.2       | 9.7               |

ᵃ Pre-computation.

Next, we analyze and measure the computation cost for encrypting (by a sender) and decrypting (by a receiver) a broadcast message. We used a Type A curve (in the pairing-based cryptography (PBC) library [24]) providing groups in which a bilinear map $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ is defined. Although such curves provide good computational efficiency (especially for pairing computation), the same does not hold from the point of view of the space required to represent group elements. Indeed, each element of $\mathbb{G}$ needs 512 bits at an 80-bit security level and 1536 bits when 128 bits of security are chosen.

Table 2 shows the analysis results. For each operation, we include a benchmark timing. Each cryptographic operation was implemented using the PBC library ver. 0.4.18 [24] on a 3.0 GHz processor PC. The public key parameters were selected to provide an 80-bit security level. The computational cost is analyzed in terms of the pairing and exponentiation operations in $\mathbb{G}$ and $\mathbb{G}_T$. The comparatively negligible hash operations are ignored in the time result.

We can see that the total computation time to decrypt a broadcast message by a receiver is constant in the proposed scheme, while it is linear in the number of receivers in the previous schemes. Even if the proposed scheme requires a sender to perform n pairing operations to encrypt a broadcast message, they can be pre-computed during idle time before the time instance of sending a message. In addition, it is important to note that they can be computed once and for all for the same recipients. Thus, during the session in which a broadcaster encrypts a broadcast message, it is required to perform only n + 2 exponentiations in $\mathbb{G}$ and 1 exponentiation in $\mathbb{G}_T$. This is the least amount of computation cost compared to the previous schemes. Even better, the n + 2 exponentiations in $\mathbb{G}$ could also be reduced to 2 exponentiation operations in case the set of receivers in the current session remains the same as in the previous one.

5.2. Security

In this section, we prove both the confidentiality and the receiver privacy of the proposed scheme. The following proofs show that the proposed scheme has semantic security and receiver anonymity against a static adversary as long as the BDH assumption holds. The security is proven through the game between the attacker $\mathcal{A}$ and the challenger $\mathcal{B}$.

5.2.1. Confidentiality

Theorem 1. Let $\kappa$ be a security parameter. Suppose there exists a polynomial time adversary $\mathcal{A}$ who has advantage $\varepsilon(\kappa)$ against the proposed scheme. Suppose $\mathcal{A}$ makes at most $q_E$ private key extraction queries, and $q_{H_2}$ hash queries to $H_2$. Then there exists an algorithm $\mathcal{B}$ which solves the BDH problem with advantage

$$Adv^{\mathrm{ind\text{-}smid\text{-}cpa}}_{\mathcal{B}}(\kappa) \ge \frac{\varepsilon(\kappa)}{q_{H_2}}.$$

Proof. Let $(g, g^a, g^b, g^c) \in \mathbb{G}$ be a random and uniformly distributed instance of the BDH problem, which algorithm $\mathcal{B}$ receives as input. To find the solution $e(g,g)^{abc}$, $\mathcal{B}$ simulates the challenger for $\mathcal{A}$ as follows:

– Init. $\mathcal{B}$ runs $\mathcal{A}$ and receives a target set $S^* = \{ID_1, \ldots, ID_n\}$ which $\mathcal{A}$ wants to attack.

– Setup. $\mathcal{B}$ sets $PK = g^c$ as a public key and gives $\mathcal{A}$ the system parameters $\langle p, \mathbb{G}, \mathbb{G}_T, e(\cdot,\cdot), g, PK, H_1, H_2 \rangle$ where $H_1, H_2$ are random oracles controlled by $\mathcal{B}$.

• $H_1$-query: $\mathcal{A}$ can query the random oracle $H_1$ at any time. To respond to the queries, $\mathcal{B}$ maintains an initially empty list $H_1^{list}$ of quadruples $(ID_i, h_i, Q_i, sk_{ID_i})$. When $\mathcal{A}$ queries for the hash value of some $ID_i$, $\mathcal{B}$ responds as follows:

1. If $H_1^{list}$ contains a tuple for $ID_i$, $\mathcal{B}$ responds with $Q_i \in \mathbb{G}$.

2. Otherwise, $\mathcal{B}$ checks whether $ID_i \in S^*$ or not, and answers the hash query on the identity $ID_i$ as follows:

– If $ID_i \notin S^*$, then $\mathcal{B}$ chooses a random $h_i$ and sets $Q_i = g^{h_i}$.

– Else if $ID_i \in S^*$, then $\mathcal{B}$ chooses a random $h_i$ and sets $Q_i = (g^b)^{h_i}$.

$\mathcal{B}$ adds the tuple $(ID_i, h_i, Q_i, *)$ to the list $H_1^{list}$ and responds with $Q_i$.

– Phase 1. $\mathcal{A}$ can query the random oracle $H_2$. It can also send private key extraction queries.

• Extraction query: $\mathcal{A}$ can ask extraction queries for identity strings. For an input string $ID_i$ for private key extraction, $\mathcal{B}$ responds as follows:

1. If $\mathcal{A}$ has already issued an extraction query on $ID_i$, $\mathcal{B}$ responds with the corresponding $sk_{ID_i}$ in $H_1^{list}$.

2. Else, if $\mathcal{A}$ has already issued a hash query for $H_1$ on $ID_i$, $\mathcal{B}$ uses the corresponding $h_i$ to compute a private key as follows:

– If $ID_i \notin S^*$ then $\mathcal{B}$ computes $sk_{ID_i} = (g^c)^{h_i} = Q_i^c$. $\mathcal{B}$ adds the private key $sk_{ID_i}$ to the corresponding tuple on the list $H_1^{list}$, as $\langle ID_i, h_i, Q_i, sk_{ID_i} \rangle$, and responds with $sk_{ID_i}$.

– If $ID_i \in S^*$ then $\mathcal{B}$ reports abort.

• $H_2$-queries: $\mathcal{A}$ can query the oracle $H_2$ at any time. To respond to the queries, $\mathcal{B}$ maintains an initially empty list $H_2^{list} = \langle ID_i, Y_i, s_i \rangle$. When $\mathcal{A}$ queries for the hash value of some $Y_i$, which is the pre-image of $s_i$, $\mathcal{B}$ responds as follows:

1. If a query $Y_i$ already exists in $H_2^{list}$, then $\mathcal{B}$ responds with $s_i$ as the hash value.

2. Otherwise, $\mathcal{B}$ chooses a random value $s_i \in \mathbb{Z}_p^*$ and adds the tuple $\langle ID_i, Y_i, s_i \rangle$ to $H_2^{list}$. Then, $\mathcal{B}$ responds by sending $s_i$ as the hash result of $Y_i$, i.e., $H_2(Y_i) = s_i$.





– Challenge. After completing Phase 1, $\mathcal{B}$ chooses $r, k, a$ randomly. $\mathcal{B}$ also chooses random $s_1^*, \ldots, s_n^* \in \mathbb{Z}_p^*$ and defines the ciphertext as follows:

1. $\mathcal{B}$ computes a secret key $K = e(g,g)^k$.

2. $\mathcal{B}$ also computes a ciphertext

$$Hdr^* = \Big\langle C_1 = g^{ar},\ C_2 = g^{ak},\ C_3 = \Big\{\big(g^{1-\frac{1}{a}}\big)^{\frac{1}{s_i^*}}\Big\}_{ID_i \in S^*} \Big\rangle.$$

3. $\mathcal{B}$ selects $b \in \{0,1\}$ randomly. It sets $K_b = K$, and assigns a random value to $K_{1-b}$. Then, $\mathcal{B}$ gives $(Hdr^*, K_0, K_1)$ as a challenge to $\mathcal{A}$.

– Phase 2. $\mathcal{A}$ adaptively asks for private key extraction and hash queries, and $\mathcal{B}$ responds as in Phase 1.

– Guess. Finally, $\mathcal{A}$ outputs a guess $b' \in \{0,1\}$. At this point, $\mathcal{B}$ picks a random tuple $\langle ID_j, Y_j, s_j \rangle$ from the list $H_2^{list}$ and computes

$$T_j = Y_j^{\frac{1}{r \cdot h_j}}$$

with the corresponding values $h_j$ and $r$. Then $\mathcal{B}$ outputs $T_j$ as the solution to the given instance of the BDH problem.

In the above game, $\mathcal{B}$ is simulating the real attack environment. $\mathcal{A}$ does not distinguish the simulation from the real environment. In the real system, $\mathcal{A}$ should correctly guess $Y_j = e(Q_j^x, C_1)$ to retrieve the key $s_j$, because $s_j$ is computed only through the hash function $H_2$. Hence, $\mathcal{A}$ will also query the exact $Y_j$ in the simulation with probability $\varepsilon(\kappa)$. Then, at the end of the simulation, $Y_j$ will appear in some tuple in $H_2^{list}$ with probability $\varepsilon(\kappa)$. Therefore, $\mathcal{B}$ can produce the correct answer $T_j$ with probability at least $\varepsilon(\kappa)/q_{H_2}$. □

5.2.2. Receiver anonymity

To the best of our knowledge, a security proof in the ANON-sMID-CPA/CCA model has not been achieved for the previous IBBE schemes [19,22], and it still remains an open problem in the anonymous IBBE literature. Therefore, we instead prove the receiver anonymity of the proposed scheme in a somewhat restricted security model like that in [22], that is, the selective identity model (see footnote 4) rather than the selective multi-identity model.

Because the proposed scheme achieves the broadcast encryption by encrypting a secret component $g^{1-1/a}$ under each symmetric key $s_i$ agreed with each receiver $ID_i$ and concatenating them (that is, $c_i = (g^{1-1/a})^{1/s_i}$ in $Hdr$), it is evident that receiver anonymity depends on whether the adversary can distinguish $s_A$ from $s_B$ for $ID_A \ne ID_B$.

Now we prove that it is impossible for an adversary $\mathcal{A}$ to learn the identity of a receiver in a protocol run. For a receiver with $ID_A$, because $\mathbb{G}$ and $\mathbb{G}_T$ are cyclic groups of prime order and $Q_A = H_1(ID_A)$ is a generator, exponentiating by the random $r$ blinds the underlying identity from the adversary $\mathcal{A}$. To formalize our proof, we consider the following game between an adversary $\mathcal{A}$ and a challenger $\mathcal{B}$.

– Setup. The adversary $\mathcal{A}$ publishes the system parameters: cyclic multiplicative groups $\mathbb{G}$ and $\mathbb{G}_T$ of prime order $p$ (whose bit length is $\kappa$), and hash functions $H_1 : \{0,1\}^* \to \mathbb{G}$ and $H_2 : \mathbb{G}_T \to \mathbb{Z}_p^*$.

– Challenge. $\mathcal{A}$ chooses two identity strings $ID_A$ and $ID_B$, and sends them to the challenger. The challenger computes $Q_A = H_1(ID_A)$, $Q_B = H_1(ID_B)$. He then uniformly at random chooses $r \in \mathbb{Z}_p^*$ and $b \in \{0,1\}$. Then,

1. If $b = 0$, computes $s = H_2(e(Q_A^r, g^x))$, or

2. If $b = 1$, computes $s = H_2(e(Q_B^r, g^x))$,

and sends $s$ to $\mathcal{A}$.

Footnote 4: It ensures that the adversary cannot distinguish a ciphertext intended for one recipient from a ciphertext intended for another recipient.

– Guess. $\mathcal{A}$ wins the game if he can guess the correct value of $b$ with probability $1/2 + \varepsilon(\kappa)$ for a non-negligible function $\varepsilon$.

As $\mathbb{G}$ is a cyclic prime order group, both $Q_A$ and $Q_B$ are generators of $\mathbb{G}$. For the uniform random element $r \in \mathbb{Z}_p^*$, the established secret value $s$, equal to $H_2(e(Q_A^r, g^x))$ or $H_2(e(Q_B^r, g^x))$, is also a uniform and random element of $\mathbb{Z}_p^*$. Therefore, an attacker cannot determine which of the two ways the challenger generated $s$ and consequently cannot guess the value of $b$ with probability greater than 1/2 to win this game. The inability of the attacker to win this game for system parameters of its choosing, even with unbounded computation power, proves the receiver anonymity.

6. Case study of broadcast encryption systems

In this section, we discuss the user privacy problem in broadcast encryption systems that are used in practice. We study the widely used Microsoft Outlook and the Windows encrypted file system.

6.1. Outlook

When a user sends an encrypted email message to multiple receivers through Microsoft Outlook, it makes copies of the single original ciphertext and sends them to each recipient. Then, the ciphertext components are labeled with the issuer and serial number of each recipient's public key certificate. Many certificate authorities such as VeriSign provide a free directory service, which translates certificate serial numbers into the certificates themselves [25]. This reveals the identities of all receivers, and compromises the privacy of blind-carbon-copy (BCC) recipients. Worse, if a self-signed certificate is used by a BCC recipient, Outlook includes the plain name and email address of the recipient in the ciphertext, which is sent to all receivers.

Some S/MIME clients avoid this by separately encrypting messages for each recipient. This prevents legitimate recipients from learning the identities or the number of other message receivers. However, sending separate encryptions is likely to decrease the efficiency of the mail server and uses more bandwidth.

6.2. Windows EFS

An encrypted file system (EFS) is also a variation of broadcast encryption. The encrypted file can be viewed as the broadcast message and the users who can access the file as the broadcast receivers. The EFS on Microsoft Windows was introduced in version 3.0 of NTFS [26]; it is a file system filter that provides file-system-level encryption. The underlying broadcast encryption scheme used in the Windows EFS is also vulnerable to privacy attacks. A file in EFS is encrypted under a symmetric key, which in turn is encrypted under the public keys of the users who are authorized to read the file. These encrypted symmetric keys are stored in the file header and are usually accessible only to the operating system kernel. An adversary who has physical access to the storage can learn the list of users authorized to read a file by examining the labels of the ciphertext components, for example by duplicating a file server's hard drive or stealing a backup copy of the file system.

7. Conclusion

In many content broadcasting applications, it is important to protect both the content and the identities of the users allowed to access the content. Many of the previous identity-based broadcast encryption schemes fail to protect the privacy of receivers. User privacy is compromised because the underlying encryption schemes disclose the identities of a ciphertext's recipients.



The proposed mechanism, a privacy-preserving identity-based broadcast encryption scheme, enables the efficient encryption of broadcast messages to multiple recipients without revealing the identities of the message recipients, even to other recipients. The proposed scheme achieves decryption in a constant number of cryptographic operations. It also reduces the sizes of the system public/secret keys and the private keys of a user to constant size, which is less than those of the previous schemes that do not provide user privacy. Thus, it could be applicable to a broadcasting environment consisting of users with resource-limited devices.

One disadvantage of the proposed scheme is that the ciphertext size is linear in the number of receivers, like the previous IBBE schemes. It is a challenging issue to achieve both constant ciphertext size and constant computational operations or private key size in an IBBE scheme while guaranteeing recipient privacy. To the best of our knowledge, there have been no IBBE schemes able to satisfy these goals at the same time. Thus, constructing a privacy-preserving IBBE scheme that achieves these aims simultaneously would be one of the open and challenging future works.

Acknowledgement

This work was supported by the Agency for Defense Development under contract UD090059ED and the National Research Foundation of Korea Grant funded by the Korean Government (2009-0066003).

References

[1] A. Fiat, M. Naor, Broadcast encryption, in: Proc. CRYPTO 1993, LNCS 773, 1993, pp. 480–491.

[2] C. Blundo, Luiz A. Frota Mattos, D.R. Stinson, Generalized Beimel–Chor schemes for broadcast encryption and interactive key distribution, Theoretical Computer Science 200 (1998) 313–334.

[3] D.R. Stinson, T.V. Trung, Some new results on key distribution patterns and broadcast encryption, Designs, Codes and Cryptography 14 (1998) 261–279.

[4] M. Abdalla, Y. Shavitt, A. Wool, Key management for restricted multicast using broadcast encryption, IEEE/ACM Transactions on Networking 8 (2000) 443–454.

[5] J. Baek, R. Safavi-Naini, W. Susilo, Efficient multi-receiver identity-based encryption and its application to broadcast encryption, in: Proc. PKC 2005, LNCS 3386, 2005, pp. 23–26.

[6] M. Barbosa, P. Farshim, Efficient identity-based key encapsulation to multiple parties, in: Proc. IMA Int. Conf., LNCS 3796, 2005, pp. 428–441.

[7] D. Boneh, M.K. Franklin, Identity-based encryption from the Weil pairing, in: Proc. CRYPTO 2001, LNCS 2139, 2001, pp. 213–229.

[8] S. Chatterjee, P. Sarkar, Multi-receiver identity-based key encapsulation with shortened ciphertext, in: Proc. INDOCRYPT 2006, LNCS 4329, 2006, pp. 394–408.

[9] M. Abdalla, E. Kiltz, G. Neven, Generalized key delegation for hierarchical identity-based encryption, in: Proc. ESORICS 2005, LNCS 4734, 2005, pp. 139–154.

[10] C. Delerablee, Identity-based broadcast encryption with constant size ciphertexts and private keys, in: Proc. ASIACRYPT 2007, LNCS 4833, 2007, pp. 200–215.

[11] Y. Ren, D. Gu, Fully CCA2 secure identity-based broadcast encryption without random oracles, Information Processing Letters 109 (2009) 527–533.

[12] X. Boyen, B. Waters, Anonymous identity-based encryption (without random oracles), in: Proc. CRYPTO 2006, LNCS 4117, 2006, pp. 290–307.

[13] A. Kate, G. Zaverucha, I. Goldberg, Pairing-based onion routing, in: Proc. Privacy Enhancing Technologies Symposium 2007, LNCS 4776, 2007, pp. 95–112.

[14] M. Bellare, A. Boldyreva, A. Desai, D. Pointcheval, Key-privacy in public-key encryption, in: Proc. ASIACRYPT 2001, LNCS 2238, 2001, pp. 566–582.

[15] S.D. Galbraith, K. Harrison, D. Soldera, Implementing the Tate pairing, in: Proc. 5th International Symposium on Algorithmic Number Theory, LNCS 2369, 2002, pp. 324–337.

[16] V.S. Miller, The Weil pairing and its efficient calculation, Journal of Cryptology 17 (2004) 235–261.

[17] Y.J. Choie, E. Lee, Implementation of Tate pairing on hyperelliptic curves of genus 2, in: Proc. ICISC 2003, LNCS 2971, 2004, pp. 97–111.

[18] J. Hwu, R. Chen, Y. Lin, An efficient identity-based cryptosystem for end-to-end mobile security, IEEE Transactions on Wireless Communications 5 (2006) 2586–2593.

[19] A. Barth, D. Boneh, B. Waters, Privacy in encrypted content distribution using private broadcast encryption, in: Proc. Financial Cryptography, 2006.

[20] S. Rafaeli, D. Hutchison, A survey of key management for secure group communication, ACM Computing Surveys 35 (2003) 309–329.

[21] D. Boneh, C. Gentry, Collusion resistant broadcast encryption with short ciphertexts and private keys, in: Proc. CRYPTO 2005, LNCS 3621, 2005, pp. 258–275.

[22] C. Fan, L. Huang, P. Ho, Anonymous multi-receiver identity-based encryption, IEEE Transactions on Computers 59 (2010) 1239–124.

[23] What's the average length of an email address? <http://janusz.slota.name/blog/2009/05/email-length/> (accessed 13.10.10).

[24] The Pairing-Based Cryptography Library. <http://crypto.stanford.edu/pbc/> (accessed 10.03.10).

[25] Search for Digital IDs (VeriSign). <https://digitalid.verisign.com/services/client/index.html> (accessed 1.04.10).

[26] File Encryption (Windows), Microsoft, <http://msdn.microsoft.com/en-us/library/aa364223%28VS.85%29.aspx> (accessed 1.04.10).