Identity-Based Broadcast Encryption with Efficient Revocation

Abstract

Identity-based broadcast encryption (IBBE) is an effective method to protect the data security and privacy in multi-receiver scenarios, which can make broadcast encryption more practical. This paper further expands the study of scalable revocation methodology in the setting of IBBE, where a key authority releases a key update material periodically in such a way that only non-revoked users can update their decryption keys. Following the binary tree data structure approach, a concrete instantiation of revocable IBBE scheme is proposed using asymmetric pairings of prime order bilinear groups. Moreover, this scheme can withstand decryption key exposure, which is proven to be semi-adaptively secure under chosen plaintext attacks in the standard model by reduction to static complexity assumptions. In particular, the proposed scheme is very efficient both in terms of computation costs and communication bandwidth, as the ciphertext size is constant, regardless of the number of recipients. To demonstrate the practicality, it is further implemented in Charm, a framework for rapid prototyping of cryptographic primitives.

A Proof of Lemma 3 in Sect. 3.2

Proof

Given a PPT adversary \(\mathcal {A}\) achieving a non-negligible difference \(\varepsilon \) in advantage between \({\text {Gam}}{{\text {e}}_q}\) and \({\text {Gam}}{{\text {e}}_{{\text {Final}}}}\), we will create a PPT algorithm \({\mathcal {C}}\) to break the ADDH1 assumption. Let \(({g_1},g_1^\mu ,g_1^{{\alpha _2}},g_1^{\beta \alpha },{g_2},g_2^\alpha ,g_2^{\beta \alpha },g_2^{\beta {\alpha _2}},g_2^{1/\beta },Z = g_1^{\mu {\alpha _2} + \eta })\) be the instance of ADDH1 problem in \(\mathcal {G}\) that \({\mathcal {C}}\) has to solve, i.e., to decide whether \(\eta = 0\) or a random value in \(\mathbb {Z}_p^*\). Note that in \({\text {Gam}}{{\text {e}}_q}\), all the user keys returned to \(\mathcal {A}\) are semi-functional and so is the challenge header and session key. \({\mathcal {C}}\) will simulate either \({\text {Gam}}{{\text {e}}_q}\) or \({\text {Gam}}{{\text {e}}_{{\text {Final}}}}\) with \({\mathcal {A}}\), depending on the value of \(\eta \).

Setup: At the beginning, \({\mathcal {C}}\) chooses random exponents \({\mathbf {u}_1} = ({u_{1,0}}, \cdots ,{u_{1,m}})\), \({\mathbf {u}_2} = ({u_{2,0}}, \cdots ,{u_{2,m}}),{w_1},{w_2}\xleftarrow {R}{\mathbb {Z}_p}\) and \(b \xleftarrow {R}\mathbb {Z}_p^*\), and sets the public parameters PP :

$$\begin{aligned}&{g_1}: = {g_1},g_1^b,{\mathbf {U}_1} := g_1^{{{\mathbf {u}}_1} + b{{\mathbf {u}}_2}},{W_1} := g_1^{{w_1} + b{w_2}},{g_T} := e({g_1},g_2^\alpha ), \\&{g_2}: = {g_2},g_2^{{{\mathbf {u}}_1}},g_2^{{{\mathbf {u}}_2}},g_2^{{w_1}},g_2^{{w_2}},g_1^{\beta \alpha },g_2^{\beta {\alpha _1}} := g_2^{\beta \alpha }/{(g_2^{\beta {\alpha _2}})^b},g_2^{\beta {\alpha _2}},g_2^{1/\beta }. \end{aligned}$$

Note that this implicitly sets \({\alpha _1} := \alpha - b{\alpha _2}\), and the secret exponents \(({\alpha _1},{\alpha _2})\) in MSK are not available to \({\mathcal {C}}\).

Key Extraction: When the adversary \(\mathcal {A}\) requests a secret key extract query for an identity \(ID \in {\mathbb {Z}_p}\), \({\mathcal {C}}\) creates a semi-functional key. It does this by choosing random exponents \(r,\gamma ',kta{g_1}, \cdots ,kta{g_m}\xleftarrow {R}{\mathbb {Z}_p}\), which implicitly sets \(\gamma : = \gamma ' + b{\alpha _2}\). The semi-functional key elements are computed as:

\({K_1} = g_2^{{\alpha _1}} {(g_2^{{w_1}})^r} g_2^\gamma = g_2^\alpha {(g_2^{{w_1}})^r} g_2^{\gamma '},{K_2} = g_2^{{\alpha _2}}{(g_2^{{w_2}})^r}/g_2^{\gamma {b^{ - 1}}}= {(g_2^{{w_2}})^r}/g_2^{\gamma '{b^{ - 1}}},\) \({K_3} = g_2^r\).

For \(i=1,2,...,m\):

\( {K_{4,i}} = {({(g_2^{{w_1}})^{kta{g_i}}} \cdot g_2^{{u_{1,i}}}/{(g_2^{{u_{1,0}}})^{{{(ID)}^i}}})^r}\), \({K_{5,i}} = {({(g_2^{{w_2}})^{kta{g_i}}} \cdot g_2^{{u_{2,i}}}/{(g_2^{{u_{2,0}}})^{{{(ID)}^i}}})^r}.\)

This is a properly distributed semi-functional key, which can be easily verified.

Challenge: Once the public parameters PP and the keys for all key extraction queries are given, \({\mathcal {A}}\) provides a challenge privileged set \(S^ * = \{ I{D_1},I{D_2},...,I{D_n}\} \). \({\mathcal {C}}\) first computes the vector \(\mathbf {y} = ({y_0},{y_1}, \cdots ,{y_m})\) according to \(S^ *\) as the coefficient from \({P_{S^ *}}[Z] = \prod \nolimits _{I{D_j} \in {S^ *}} {(Z - I{D_j})}\). It then picks randomly \(s,ctag \in {\mathbb {Z}_p}\), and computes the challenge header \(Hdr=({C_1},{C_2},{C_3},ctag)\) as follows:

\({C_1} = g_1^s \cdot g_1^\mu ,{C_2} = g_1^{sb},{C_3} = {(W_1^{ctag} \cdot \prod \nolimits _{i = 0}^n {{{(g_1^{{u_i}})}^{{y_i}}}} )^s} \cdot g_1^{\mu (\langle \mathbf {y},{{\mathbf {u}}_1}\rangle + ctag \cdot {w_1})})\). In addition, the challenge session key K is set to be: \(K = {g_T}^s \cdot e(g_1^\mu ,g_2^\alpha )/e(Z,g_2^b)\).

One can verify that the challenge header \(Hdr=({C_1},{C_2},{C_3},ctag)\) has proper semi-functional forms. Furthermore, if \(Z = g_1^{\mu {\alpha _2} }\) (i.e., \(\eta =0\)), then K is a properly distributed semi-functional session key. In this case, \({\mathcal {C}}\) has properly simulated \(\text {Game}_{q}\). If \(\eta \) is a random value in \(\mathbb {Z}_p^*\), which means \(Z = g_1^{\mu {\alpha _2} + \eta }\) is a random element in \(G_1\), then K is uniformly distributed and is independent of all other components. In this case, \({\mathcal {C}}\) has properly simulated \(\text {Game}_{\text {Final}}\).

Guess: Eventually, the adversary \({\mathcal {A}}\) will output a guess \(\beta '\) of \(\beta \). The challenger \({\mathcal {C}}\) then outputs 0 to guess that \(Z = g_1^{\mu {\alpha _2} }\) if \(\beta ' = \beta \); otherwise, it outputs 1 to indicate that \(Z = g_1^{\mu {\alpha _2} + \eta }\) is a random element of \(G_1\). Also, \({\mathcal {C}}\) simulates \(\text {Game}_{q}\) if \(\eta =0\) and \(\text {Game}_{\text {Final}}\) if \(\eta \in {}_R\mathbb {Z}_p^{*}\). Therefore, \({\mathcal {C}}\) can use \({\mathcal {A}}\)’s output to distinguish \(Z = g_1^{\mu {\alpha _2} }\) from random with the same advantage that \({\mathcal {A}}\) has in distinguishing \(\text {Game}_{q}\) from \(\text {Game}_{\text {Final}}\).

This completes the proof of Lemma 3.    \(\square \)