Proceedings of the first International Conference on Pairing-based Cryptography (Pairing 2007)

(2 – 3 july 2007, Tokyo, Japan)

T. Takagi, t. Okamoto, E. Okamoto and T. Okamoto Eds. Springer-Verlag, LNCS 4575, pages 39–59.

Fully Collusion Secure Dynamic Broadcast

Encryption with Constant-Size Ciphertexts
or Decryption Keys

Cécile Delerablée1,3 , Pascal Paillier2 , and David Pointcheval3

1
France Telecom Division R&D, cecile.delerablee@orange-ftgroup.com
2
Gemalto Security Labs, pascal.paillier@gemalto.com
3
ENS-CNRS, david.pointcheval@ens.fr

Abstract. This paper puts forward new efficient constructions for public-key broadcast
encryption that simultaneously enjoy the following properties: receivers are stateless;
encryption is collusion-secure for arbitrarily large collusions of users and security is tight
in the standard model; new users can join dynamically i.e. without modification of user
decryption keys nor ciphertext size and little or no alteration of the encryption key.
We also show how to permanently revoke any subgroup of users. Most importantly, our
constructions achieve the optimal bound of O(1)-size either for ciphertexts or decryp-
tion keys, where the hidden constant relates to a couple of elements of a pairing-friendly
group. Our broadcast-KEM trapdoor technique, which has independent interest, also
provides a dynamic broadcast encryption system improving all previous efficiency mea-
sures (for both execution time and sizes) in the private-key setting.

1 Introduction
Broadcast Encryption. The concept of stateless broadcast encryption was intro-
duced by Fiat and Naor in [5]. In this paradigm, a broadcaster encrypts messages
and transmits these to a group of users U who are listening to a broadcast chan-
nel and use their private keys to decrypt transmissions. The broadcaster may
exclude any subset of users R ⊆ U from being able to decrypt the contents
of the broadcast thanks to a one-time exclusion or revocation mechanism. The
subset of revoked users R is chosen at encryption time and may change from
one encryption to the next. A broadcast encryption scheme is said to be (t, n)-
collusion secure if for any r-subset R ⊆ U with r ≤ t and |U| = n, users in R
can by no means infer information about the broadcast message. It is said to
be fully collusion secure when it is (n, n)-collusion secure. There are mainly two
categories of broadcast encryption systems:

r ≪ n : meaning that we broadcast to all but a small set of revoked users. A

number of systems [14, 9, 8] have been suggested that achieve at best O(r)-
size ciphertexts and O(log n) private key size. This paper specifically focuses
on this case and puts forward constructions which improve these bounds in
the public-key setting and even reach their information-theoretic values in
the private-key setting.
n − r ≪ n : we broadcast only to a few users in the group. The best known
systems
√ are the scheme of Boneh, Gentry and Waters [3] which achieves
O( n)-size ciphertexts and private keys, and the trivial scheme where users
hold independent keys pairs and the message is sequentially encrypted under
the n − r public keys of non-revoked users. This trivial scheme achieves

c Springer-Verlag 2007.

2

O(n − r)-size ciphertexts

√ and O(1) private keys and is more efficient than
[3] when n − r < O( n).

Although previous works often use as an efficiency measure the size of public
and private keys, we choose to rigorously separate encryption from decryption
key material by taking into account all elements required to perform encryption
or decryption. We will denote by λc the size of the broadcast ciphertext, λdk
the (maximal) size of a user decryption key (which may then contain private
and public parts) and λek the size of the encryption key (which may be public
or private). τek and τdk denote the execution time of encryption and decryption
respectively.

Related work in the r ≪ n case. Naor et al. [14] suggested two fully collusion se-
cure broadcast systems: NNL1 (based on the Complete-Subtree method) which
achieves λc = O(r log n/r) and λdk = O(log n) and NNL2 (Subtree-Difference
method) where λc = O(r) and λdk = O(log2 n). Originally the (private) encryp-
tion key has size linear in n, but by using a PRF to generate user decryption keys,
the size of the encryption key can be reduced to O(1) in both NNL1 and NNL2 .
Note however that these two systems do not support public-key encryption.
Dodis and Fazio [4] later refined NNL2 into a public key broadcast encryption
scheme with O(1)-size encryption key. We also mention the work of Dodis and
Fazio [4] which by using parallelized schemes lead to a broadcast system that
has essentially the same characteristics as those of NNL2 .

Related work in the n − r ≪ n case. The so-called trivial broadcast system

consists in multiple encryptions of the message under individual and unrelated
public keys. It is easily seen that this gives a public-key broadcast encryption
scheme with λc = O(n − r), λdk = O(1) and λek = O(n). Recently, Boneh,
Gentry and Waters [3] proposed a very efficient public-key broadcast encryption
system (called BGW1 hereafter) where both ciphertexts and private keys are of
constant size while the public key has size O(n). However, in order to decrypt
ciphertexts, users need to store this public key in addition to their O(1)-size
private keys. Thus each user has to store an actual decryption key of size λdk =
O(n). The same authors suggested a second system (BGW2 ) that achieves a
trade-off
√ between the key and ciphertext sizes and gives λc = λdk = λek =
O( n). Overall, BGW2 provides √ the best
√ broadcast system known so far for
general r’s i.e. when r ∈ [O( n), n − O( n)].
All the above systems make use of the hybrid (KEM-DEM) encryption pa-
radigm where the broadcast ciphertext only encrypts a symmetric key used to
encrypt the broadcast contents. We mention that a number of other systems
rely on an asymmetric encryption of the whole broadcast data. The encryption
rate may asymptotically tend to one in these schemes, thereby reaching trans-
mission sizes similar to hybrid encryption. However, asymmetrically encrypting
the whole contents is often unrealistic in practice for performance reasons.

Dynamic broadcast encryption. A basic property very much desired in broad-

cast encryption (and other group-based protocols) is that the group should be
 3

dynamic in the sense that the group manager can invite new members to join or
permanently revoke undesired members in a very efficient way. Although long-
term revocation necessarily implies a modification of the keys, there is no such
theoretical requirement when a new member joins the group. In this respect, we
say that a broadcast system is dynamic when
i) the system setup as well as the ciphertext size are fully independent from the
expected number of users or an upper bound thereof,
ii) a new user can join anytime without implying a modification of preexisting
user decryption keys,
iii) the encryption key is unchanged in the private-key setting or incrementally
updated in the public-key setting, meaning that this operation must be of
complexity at most O(1).
Hence, by definition, dynamic systems support arbitrarily many users. In [3]
as well as in NNL1 and NNL2 , either a large upper bound on the number of
possible users is chosen at initialization time or the decryption keys have to be
recomputed when a user joins the group, resulting in that those systems are not
dynamic. Similarly, the trivial broadcast system is not dynamic since the cipher-
text must include one additional element per new user, irremediably altering its
size. As discussed in [14, p. 56], the property of being dynamic is incompati-
ble with forward-secrecy because new group members can actually decrypt all
previously encrypted messages. This feature may however be desirable; a newly
manufactured DVD player is expected to play any properly encrypted DVD is-
sued in the past. Achieving forward-secrecy requires the long-term revocation
and a re-keying of user decryption keys.

Our contributions. Introducing a new multi-receiver encryption trapdoor based

on bilinear maps, we suggest broadcast encryption systems which improve the
points discussed above. First, in all our schemes, either the broadcast cipher-
text or the decryption key dki containing all the information required by the
receiver to decrypt is of constant size. Second, the group manager can dynam-
ically include new members while preserving previously computed information:
in particular, user decryption keys need not be recomputed, the morphology and
size of ciphertexts are unchanged and the group encryption key ek requires min-
imal or no modification. Thirdly, our constructions provably resist full collusions
relative to a bilinear map related computational problem denoted (t, n)-GDDHE.
Our security reductions are tight and do not rely on random oracles. We also
show that (t, n)-GDDHE has generic security. Finally, we introduce the most
efficient private-key broadcast encryption scheme known so far which features
constant-size encryption and decryption keys and information-theoretically min-
imal ciphertext size.
For the sake of completeness, Figure 1 compares our schemes with the previ-
ous proposals in terms of ciphertext and key sizes. We consider the private-key
broadcast encryption schemes NNL1 and NNL2 proposed by Naor et al. [14]
(where the group encryption key ek remains private) as well as the public-key
broadcast encryption schemes BGW1 and BGW2 proposed by Boneh et al. [3]. We
4

denote by BGW’1 a slightly modified version of BGW1 where the public param-
eters needed by the decryption procedure are included in the ciphertext rather
than in the decryption key. BGW1 and BGW’1 are described in more detail in
Appendix A.

Schemes Key/Ciphertext Sizes Time Complexity Dynamic?

Public-key λek λdk λc τek τdk

Trivial O(n) O(1) O(n − r) O(n − r) O(1) no
BGW1 O(n) O(n) O(1) O(n − r) O(n − r) no
BGW’1 O(n) O(1) O(n − r) O(n − r) O(n − r) no
√ √ √ √ √
BGW2 O( n) O( n) O( n) O( n) O( n) no
Construction 1 O(n) O(1) O(r) O(r 2 ) O(r) yes
Construction 2 O(n) O(n) O(1) O(r 2 ) O(r 2 ) no

Private-key λek λdk λc τek τdk

n n
NNL1 O(1) O(log n) O(r log r ) O(r log r ) O(log log n) no
NNL2 O(1) O(log2 n) O(r) O(r) O(log n) no
Construction 3 O(1) O(1) O(r) O(r) O(r) yes

Fig. 1. Comparing the efficiency of fully collusion secure broadcast encryption schemes

Remark 1. It is a common practice in broadcast systems (and other group-

oriented protocols as well) to ignore the part of the broadcast ciphertext that
identifies the target subset of users (our R, or the subset S of effective receivers
in [3]). What is called ciphertext size usually refers to the size of the header
alone, not the size of the full header. As discussed in [14], transmitting the r-
subset R ⊆ {1, . . . , n} requires an extra O(r log n/r) bits. We note however that
transmitting R is actually not necessary in Constructions 1 and 3.

Roadmap. Section 2 provides a number of definitional facts about bilinear maps

and the General Diffie-Hellman Exponent assumption. We define dynamic broad-
cast encryption schemes and related security notions in Section 3. We describe
our main construction in Section 4 and prove its security in Section 5. We suggest
a number of related variants and discuss these in Section 6. We finally conclude
on a number of open issues.

2 Preliminaries
2.1 Bilinear Maps

We briefly review the necessary facts about bilinear maps. Let G1 , G2 and GT
be three cyclic groups of prime order p. The group laws in G1 and G2 are noted
additively using elliptic curve conventions, whereas the inner law of GT is noted
multiplicatively. A bilinear map e (·, ·) is a map G1 × G2 → GT such that for
any G ∈ G1 , H ∈ G2 and a, b ∈ Zp ,

e ([a] G, [b] H) = e (G, H)ab

 5

and e (G, H) 6= 1 unless G = 1 or H = 1. A bilinear map group system S is a

tuple
S = (p, G1 , G2 , GT , e (·, ·))
composed of the objects as described above. S may also include group generators
in its description. We impose all group operations as well as the bilinear map
e (·, ·) to be efficiently computable i.e. in time poly(|p|). We know three categories
of bilinear map group systems that are of interest in cryptography:

– the symmetric case G1 = G2 and by extension the one where an efficient

and efficiently invertible isomorphism ψ : G2 → G1 is known [10, 11, 2],
– the asymmetric case where an efficient isomorphism ψ : G2 → G1 is known
but no efficient algorithm is known to invert ψ or more generally to isomor-
phically map G1 onto G2 [12, 13],
– the dissociate case where no efficient isomorphism G2 → G1 or G1 → G2 is
known.

As seen later, we make use of an arbitrary bilinear map group system in

our constructions. In particular, we do not need G1 and G2 to be distinct nor
equal. Neither do we require the existence1 of an efficient isomorphism going
either way between G1 and G2 . Practical implementations may therefore rely on
any category of bilinear maps and select an S that optimizes the size of group
elements or the performance of group operations.

2.2 The General Diffie-Hellman Exponent Assumption

We make use of a nice generalization of the Diffie-Hellman Exponent assump-

tion due to Boneh, Boyen and Goh [1]. The framework suggested in [1] applies
to symmetric and asymmetric bilinear map group systems but can easily be
extended to the dissociate case, adopting the notations of [1]. We give here a
rough overview in the symmetric case. Let then S = (p, G1 , G2 , GT , e (·, ·)) be
a bilinear map group system such that G1 = G2 = G. Let G0 ∈ G be a gen-
erator of G, and set g = e (G0 , G0 ) ∈ GT . Let s, m be positive integers and
P, Q ∈ Fp [X1 , . . . , Xm ]s be two s-tuples of m-variate polynomials over Fp . We
write P = (p1 , p2 , . . . , ps ) and Q = (q1 , q2 , . . . , qs ) and impose that p1 = q1 = 1.
For any function h : Fp → Ω and vector (x1 , . . . , xm ) ∈ Fm p , h(P (x1 , . . . , xm ))
stands for (h(p1 (x1 , . . . , xm )), . . . , h(ps (x1 , . . . , xm ))) ∈ Ω s . We use a similar no-
tation for the s-tuple Q. Let F ∈ Fp [X1 , . . . , Xm ]. It is said that F depends on
(P, Q), which we denote by F ∈ hP, Qi, when there exists a linear decomposition
X X
F = ai,j pi pj + bi qi ,
1≤i,j≤s 1≤i≤s

with coefficients ai,j , bi ∈ Zp . Let P, Q be as above and F ∈ Fp [X1 , . . . , Xm ]. The

(P, Q, F )-General Diffie-Hellman Exponent problems are defined as follows.
1
A one-way isomorphism is often necessary to prove the security of pairing-based systems.
6

Definition 2 ((P, Q, F )-GDHE). Given the vector

H(x1 , . . . , xm ) = [P (x1 , . . . , xm )] G0 , g Q(x1,...,xm ) ∈ Gs × GsT ,

compute g F (x1,...,xm ) .

Definition 3 ((P, Q, F )-GDDHE). Given H(x1 , . . . , xm ) ∈ Gs × GsT as above

and T ∈ GT , decide whether T = g F (x1,...,xm) .

We refer to [1] for a proof that (P, Q, F )-GDHE and (P, Q, F )-GDDHE have
generic security when F 6∈ hP, Qi. We prove that our constructions are fully
collusion secure based on the assumption that (P, Q, F )-GDDHE is intractable
for some well-defined P, Q, F with F 6∈ hP, Qi and for polynomial parameters
s, m = poly(λ) where λ is a security parameter.

3 Dynamic Public-Key Broadcast Encryption

We give a formal definition of a dynamic broadcast encryption scheme and dis-
cuss security notions that are associated to the concept. We basically refine the
definition of [3] by including a join procedure.

3.1 Definition
A dynamic broadcast encryption scheme involves two authorities: a group man-
ager and a broadcaster. The group manager grants new members access to the
group2 by providing to each new member a public label labi and a decryption key
dki . The generation of (labi , dki ) is performed using a secret manager key mk. The
broadcaster encrypts messages and transmits these to the whole group of users
through the broadcast channel. In a public-key broadcast encryption scheme,
the broadcaster does not hold any private information and encryption is per-
formed with the help of a public group encryption key ek containing, possibly
among other things, all user labels. When the broadcaster encrypts a message,
some group members can be revoked temporarily from decrypting the broadcast
content thanks to a one-time revocation mechanism. Following the KEM-DEM
methodology, broadcast encryption is viewed as the combination of a specific
key encapsulation mechanism (a Broadcast-KEM) with a symmetric encryption
(DEM) that shall remain implicit throughout the paper. More formally, a dy-
namic public-key broadcast encryption scheme DBE with security parameter
λ is a tuple of probabilistic algorithms DBE = (Setup, Join, Encrypt, Decrypt)
described as follows:

Setup(λ). Takes as input the security parameter λ and outputs a manager key
mk and an initial group encryption key ek. The group manager is given mk,
and ek is made public.

2
Note that given our definition of dynamic broadcast encryption, the group manager cannot revoke
users permanently since keys cannot be changed. See Section 6 for more detail.
 7

Join(mk, i). Takes as input the manager key mk and a user counter i. Join gen-
erates a user label labi and a user decryption key dki . The user label labi is
added to the group encryption key ek := ek ∪ {labi } and the user decryption
key dki is sent to the i-th user securely.
We denote by n the total number of users (evolving over time) and by
U = {1, . . . , n} the set of all users.
Encrypt(ek, R). Takes as input the group encryption key ek and a set of revoked
users R ⊆ U and outputs a random pair (hdr, K).
When a message M ∈ {0, 1}∗ is to be broadcast to users in U \ R, the
broadcaster generates (hdr, K) ← Encrypt(ek, R), computes the encryption
CM of M under the symmetric key K and broadcasts (hdr, R, CM ). We will
refer to hdr as the header or broadcast ciphertext, (hdr, R) as the full header,
K as the message encryption key and CM as the broadcast body.
Decrypt(dki , R, hdr). Takes as input a header hdr, a subset R ⊆ U and a user de-
cryption key dki . If i ∈ U \ R, the algorithm outputs the message encryption
key K which is then used to decrypt the broadcast body CM and recover
M.

3.2 Security Notions for Dynamic Public-Key Broadcast Encryption

Semantic Security against Static Adversaries. The standard security notion for
broadcast encryption schemes is semantic security against static colluders. Since
we consider dynamic public-key broadcast encryption, we extend the security
definition to one that is a bit more general than in [3]. More specifically, we allow
the adversary to see the group encryption key before choosing the corrupted
users:
1. The challenger first runs Setup(λ) to generate a manager key mk and an
initial group encryption key ek. The adversary A is given ek.
2. A runs exactly n times the Join procedure, but before each invocation A
specifies whether the corresponding new group member is honest or cor-
rupted. Following the i-th call to Join, a user label labi is created and added
to ek and therefore given to the adversary. If user i is corrupted, A receives
in addition the decryption key dki . The user counter i is then incremented
and so forth. Eventually, A ends up with the decryption keys of all corrupted
users C ⊆ U, that is {dki }i∈C . Let t = |C|.
3. The challenger runs algorithm Encrypt with R = C i.e. by revoking all cor-
rupted users to randomly generate (hdr, K) ← Encrypt(ek, C). The challenger
randomly selects b ← {0, 1}, sets Kb = K and sets K1−b to a random value
in the appropriate range. The tuple (hdr, K0 , K1 ) is returned to A.
4. A eventually outputs a guess b′ ∈ {0, 1}.
The adversary wins the above game when b′ = b. Viewing t, n as attack param-
eters, we denote by Advind
DBE (t, n, A) the advantage of A in winning the game:

Advind ′ ′ ′
DBE (t, n, A) = |2 × Pr[b = b] − 1| = |Pr[b = 1|b = 1] − Pr[b = 1|b = 0]|
8

where the probability is taken over the random coins of A, the challenger and
all probabilistic algorithms run by the challenger.

Definition 4 ((t, n)-Collusion Resistance). Let

Advind ind
DBE (t, n) = max Adv DBE (t, n, A)
A

where the maximum is taken over all probabilistic algorithms A running in time
poly(λ). A dynamic public-key broadcast encryption scheme DBE is said to be
semantically secure against (t, n)-colluders if Advind
DBE (t, n) = negl(λ).

Definition 5 (Full Collusion Resistance). Note that for any integers t1 , t2

such that 0 ≤ t1 ≤ t2 ≤ n one has Advind ind
DBE (t1 , n) ≤ AdvDBE (t2 , n). DBE is said
ind
to be semantically secure against full collusions if AdvDBE (n, n) = negl(λ) for
n = poly(λ).

Chosen-ciphertext security. Given a chosen-plaintext secure Broadcast-KEM,

one can realize CCA secure public-key broadcast encryption using generic secu-
rity enhancers such as Fujisaki-Okamoto [7, 6] or REACT [15]. Applying the
Fujisaki-Okamoto transform guarantees CCA security in the random oracle
model assuming the one-wayness of the Broadcast-KEM. REACT gives the same
guarantee (and a performance gain at decryption time) assuming one-wayness
under plaintext-checking attacks. We therefore do not consider CCA security in
our constructions, given that it can be realized at negligible cost3 .

Beyond static adversaries. We comment that the above definition captures ad-
versaries that are less static than in previous schemes because the adversary
may choose C somewhat adaptively while seeing how the group encryption key
ek evolves while new users join the system. Up to our knowledge, no public-
key broadcast encryption scheme is known to resist fully adaptive adversaries
(i.e. where the adversary determines C after seing all the public information) in
the standard model4 . As commented in [3], any static adversary that has success
probability ε in the (t, n)-collusion security game leads to an adaptive adversary
with success probability ε·2−n . However, in practice this reduction is only mean-
ingful for small values of n and building systems resisting fully adaptive colluders
is still an open problem in the field.

4 Public-Key DBE with Constant-Size Decryption Keys

4.1 A New Multi-Receiver Encryption Trapdoor
We describe a public-key encryption scheme with multiple receivers featuring
O(1)-size ciphertexts, decryption keys and encryption key. This system, which
we call Construction 0, does not support user revocation and therefore is not
3
In the RO model. However combining the Broadcast-KEM with ID-based encryption as in [3] may
allow to avoid random oracles when such a combination is possible.
4
This is known to be achievable in the random oracle and generic group models.
 9

a broadcast encryption system. We describe Construction 0 to show the basic

trapdoor mechanism which we generalize later to achieve broadcast encryption.
Let S = (p, G1 , G2 , GT , e (·, ·)) be a bilinear map group system with two
randomly selected generators G ∈ G1 and H ∈ G2 . Assume one publishes ek =
(H, W, V ) where W = [γ] G for some γ ← Zp and V = e (G, H) and keeps
mk = (G, γ) secret. Now given mk = (G, γ) and a user counter i, we generate
a unique decryption key by randomly selecting a fresh xi ← Zp and defining
dki = (xi , Ai , Bi ) where
   
xi 1
Ai = G, Bi = H.
γ + xi γ + xi
To generate a random encryption key K given ek = (H, W, V ), the broadcaster
randomly picks k ← Z⋆p , computes

C1 = [k] W , C2 = [k] H , K =Vk

and broadcasts hdr = (C1 , C2 ). To recover K from hdr with dki , the i-th user
computes
k·γ k·xi
e (C1 , Bi ) · e (Ai , C2 ) = e (G, H) γ+xi · e (G, H) γ+xi = V k = K .
It turns out that this encryption scheme achieves chosen-plaintext security under
the co-DDH assumption. Namely, given H, [a] H ∈ G2 and v, t ∈ GT , it must be
hard to decide whether t = v a . Construction 0 may have applications on its own
in contexts where user revocation is not required.

4.2 Achieving User Revocation: A Full Construction

We now proceed to describe our main dynamic public-key broadcast encryption
scheme which we refer to as Construction 1 throughout the paper. Our scheme
allows decoders to store constant-size decryption keys i.e. λdk = O(1) and fea-
tures O(r) ciphertext size where r is the number
√ of revoked users. This is of
particular interest when r is small (i.e. r < n).
Setup(λ). Given the security parameter λ, a bilinear map group system S =
(p, G1 , G2 , GT , e (·, ·)) is constructed such that |p| = λ. Also, two generators
G ∈ G1 and H ∈ G2 are randomly selected as well as a secret value γ ←
Z⋆p . The manager key is defined as mk = (S, G, H, γ). The initial group
encryption key is ek = (S, H, W, V ) where W = [γ] G and V = e (G, H).
Join(mk, i). Given mk = (S, G, H, γ) and the user counter i, Join randomly se-
lects a fresh xi ← Z⋆p (thus xi 6= xj for j < i) and sets dki = (S, xi , Ai , Bi )
and labi = (xi , Vi, Bi ) where
   
xi 1 1
Ai = G, Bi = H and Vi = V γ+xi .
γ + xi γ + xi
dki is securely given to user i and labi is appended to the group encryption
key ek.
10

Encrypt(ek, R). Assume for notational simplicity that R = {1, . . . , r}. Given
ek = (S, H, W, V, (x1 , V1 , B1 ), . . . , (xn , Vn , Bn )), the broadcaster computes

 
1
P1 = H,
γ + x1
 
1
P2 = H,
(γ + x1 )(γ + x2 )
..
.  
1
Pr = H.
(γ + x1 ) . . . (γ + xr )
We describe below a quadratic time algorithm Aggregate which Encrypt may
use to compute
        
1 1
Pr = Aggregate G2 , x1 , H , . . . , xr , H .
γ + x1 γ + xr

By running the Aggregate algorithm on (x1 , B1 ), . . . , (xr , Br ) and storing the

intermediate variables Pj = Pj−1,j , Encrypt also computes Pj for j < r. The
Aggregate algorithm given on Fig. 2 precisely goes through the successive
evaluations of P1 , . . . , Pr and these can be stored at no extra cost. The
broadcaster then picks k ← Z⋆p at random and sets
 
k
C1 = [k] W , C2 = H = [k] Pr .
(γ + x1 ) . . . (γ + xr )
The same Aggregate algorithm can also be applied to compute
1 1
    1

K ′ = V (γ+x1 )...(γ+xr ) = Aggregate GT , x1 , V γ+x1 , . . . , xr , V γ+xr ,

wherefrom K = K ′ k is obtained. These two computations are performed in

time O(r 2 ), see below. Encrypt then defines

hdr = (C1 , C2 , (x1 , P1 ), . . . , (xr , Pr ))

and outputs (hdr, K). The ciphertext thus contains r elements of Zp , r + 1

elements of G2 and one element of G1 .
Decrypt(dki , R, hdr). In order to retrieve the message encryption key K en-
capsulated in the header hdr, the i-th user uses {(xj , Pj )}rj=1 ⊆ hdr and
dki = (S, xi , Ai , Bi ) to compute

K = e (C1 , Bi,R ) · e (Ai , C2 )

where
" # " #
1 1
Bi,R = Qr Bi = H.
(γ + xi ) rj=1 (γ + xj )
Q
j=1 (γ + xj )
 11

Here Bi,R is computed in time O(r) (instead of O(r 2 )) given (xi , Bi) ⊆ dki
and {(xj , Pj )}rj=1 ⊆ hdr by using the Aggregate′ algorithm given later on in
the paper. This requires xi 6= xj i.e. i 6∈ R, otherwise Aggregate′ faces a
division by zero and returns an error.
Finally note that when R = ∅, Construction 1 boils down to Construction 0
except for the encryption key ek = (S, H, W, V ) ∪ {(xi , Vi, Bi )}ni=1 which, in
Construction 0, does not include user labels.

4.3 Aggregation of 1-degree terms: Aggregate

The key encapsulation mechanism of Section 4.2 requires the computation of
 
1 1
Pr = H ∈ G2 and K ′ = e (G, H) (γ+x1 )...(γ+xr ) ∈ GT
(γ + x1 ) . . . (γ + xr )
given {labj = (xj , Bj , Vj )}rj=1 where the xj ’s are pairwise distinct. We proceed
to describe how Aggregate(G2 , · · · ) allows to compute Pr from the xj ’s and the
Bj ’s. The same algorithm applies over GT as well to compute K ′ from the xj ’s
and the Vj ’s. h i
1
Description. Given x1 , . . . , xr and Bj = γ+x j
H for 1 ≤ j ≤ r, let us define
for any (j, ℓ) such that 1 ≤ j < ℓ ≤ r,
" # " #
1 1 1
Pj,ℓ = Qj Bℓ = · Qj H.
κ=1 (γ + xκ )
(γ + xℓ ) κ=1 (γ + xκ )

The Aggregate algorithm consists in computing sequentially Pj,ℓ for j = 1, . . . , r−

1 and ℓ = j + 1, . . . , r using the induction
 
1
Pj,ℓ = (Pj−1,j − Pj−1,ℓ ) (1)
xℓ − xj
and posing P0,ℓ = Bℓ for ℓ = 1, . . . , r. The algorithm finally outputs Pr = Pr−1,r .
Aggregate is displayed in more detail on Fig. 2. It is easily shown that Equ. 1 is
sound. Note however that computing Pj,ℓ by Equ. 1 assumes xj 6= xℓ . If xj = xℓ
for some j < ℓ then Pj−1,j = Pj−1,ℓ and Pj,ℓ , which then contains a (γ + xj )2
factor, cannot be computed (this is computationally infeasible without γ). In
this case, we force Aggregate to abort and return an error symbol.
Complexity. One sees that the computation of a term of the form
" #
1
Q H
j∈R (γ + xj )

for any subset R ⊆ {1, . . . , n} from the 1-degree terms [1/(γ + xj )] H where
j ∈ R is quadratic in the cardinality of R. More precisely, generalizing to G ∈
{G2 , GT }:
r(r − 1)
Time [Aggregate(G, r terms)] ≃ · (τp + τG ) ,
2
where τp is the execution time of a subtraction and an inversion modulo p = |G|
and τG the total time of a division and an exponentiation in G.
12

4.4 Aggregation of terms of increasing degree: Aggregate′

Description. The Aggregate algorithm can be accelerated if one is given Pj =
Pj−1,j for j = 1, . . . , r instead of Bj . It is easily seen that Equ. 1 provides a way
to compute P1 , . . . , Pr from B1 , . . . , Br (and vice versa) in quadratic time. So
knowing eitherh vector i is quadratic-time equivalent. However, given P1 , . . . , Pr
1
and (xi , Bi = γ+x i
H), Equ. 1 is reformulated as
" #   " # !
1 1 1
Qj H= Pj − Qj−1 H
(γ + xi ) κ=1 (γ + xκ )
xi − xj (γ + xi ) κ=1 (γ + xκ )

for any j = 1, . . . , r. Note that the left-hand term gives Bi,R when j = r. This
leads us to the iterative computation of Bi,R as depicted on Fig. 2.
Complexity. It is easily seen that Time [Aggregate′ (G, r terms)] ≃ r · (τp + τG ).

Aggregate Aggregate′
Input: two r-arrays x = [x1 , . . . , xr ] Input: xi , Bi , x = [x1 , . . . , xr ]
and P = [B1 , . . . , Br ] and P = [P1 , . . . , Pr ]
Output: Pr as defined above or ⊥ Output: Bi,R as defined above or ⊥

1. for j = 1 to r − 1 1. set temp = Bi

(a) for ℓ = j + 1 to r 2. for j = 1 to r
i. if x[j]h= x[ℓ] output
i ⊥ (a) if xi = x[j] houtput i⊥
1 1
ii. P [ℓ] = x[ℓ]−x[j]
(P [j] − P [ℓ]) (b) set temp = xi −x[j]
(P [j] − temp)
2. output P [r] 3. output temp

Fig. 2. The Aggregate and Aggregate′ algorithms

5 Security Analysis
5.1 Security Reduction to (t, n)-GDHE
We prove the semantic security of our system by reformulating the security
game in terms of sequences of polynomials and relying on the GDHE/GDDHE
framework of [1]. We start by defining the following intermediate computational
problem.
Definition 6 ((t, n)-GDHE). Let S = (p, G1 , G2 , GT , e (·, ·)) be a bilinear map
group system and let f and g be the two random univariate polynomials
t
Y t
X n
Y n−t
X
i
f (X) = (X + xi ) = µi X , g(X) = (X + xi ) = νi X i ,
i=1 i=0 i=t+1 i=0

where all the xi ’s are random and pairwise distinct elements of Z⋆p . Let G0 be
a generator of G1 and H0 a generator of G2 . Solving the (t, n)-GDHE problem
 13

consists, given

G0 , [γ] G0 , . . . , [γ t−1 ] G0 , [γ · f (γ)] G0 , [k · γ · f (γ)] G0 ,

H0 , [γ] H0 , . . . , [γ n ] H0 , [k · g(γ)] H0 ,
2
e (G0 , H0 )f (γ)·g(γ) ,

in computing e (G0 , H0 )k·f (γ)·g(γ) .

As usual, we denote by Succgdhe (t, n, A) the success probability of a random-

ized algorithm A solving (t, n)-GDHE. Similarly to the above, one defines the de-
cisional version of (t, n)-GDHE, which we call (t, n)-GDDHE. In the (t, n)-GDDHE
game, an additional input T ∈ GT is provided and solving (t, n)-GDDHE consists
in deciding whether T = e (G0 , H0 )k·f (γ)·g(γ) . We then denote by Advgddhe (t, n, A)
the advantage of an algorithm A in distinguishing the two distributions and
set Advgddhe (t, n) = maxA Advgddhe (t, n, A) over poly(|p|)-time A’s. The following
statement is a corollary of Theorem 9 that can be found in Section 5.2.

Corollary 7 (Generic security of (t, n)-GDDHE). For any probabilistic al-

gorithm A that totalizes at most q queries to the oracles performing group oper-
ations in (G1 , G2 , GT ) and evaluations of the bilinear map e (·, ·),

(q + 2(n + t + 4) + 2)2 · (t + n)
Advgddhe (t, n, A) ≤ .
2p

Let DBE denote our construction (Construction 1) as per Section 4. We

state:

Theorem 8. For any n, t such that 0 ≤ t ≤ n, one has Advind

DBE (t, n) ≤ 2 ·
Advgddhe (t, n).

Proof. The rest of this section is dedicated to proving Theorem 8. To establish

the semantic security of DBE against static adversaries, we assume to be given
an adversary A breaking DBE under a (t, n)-collusion and we build a reduction
algorithm B that distinguishes the two distributions of the GDDHE decision
problem.

Generation of system parameters and initial ek. The reduction algorithm B is

given as input a group system SQ= (p, G1 , G2 , GT , e (·, ·)) and a (t, n)-GDDHE
i=t Qi=n−t
instance in S. Let then f (X) = i=1 (X + xi ) and g(X) = i=1 (X + x′i ) be
two random polynomials of respective degree t and n − t with non-zero pairwise
distinct roots. B is also given a generator G0 (resp. H0 ) of G1 (resp. G2 ) and

G0 , [γ] G0 , . . . , [γ t−1 ] G0 [γ · f (γ)] G0 [k · γ · f (γ)] G0

H0 , [γ] H0 , . . . , [γ n ] H0 [k · g(γ)] H0
2
e (G0 , H0 )f (γ)·g(γ) ,

as well as T ∈ GT which is either equal to e (G0 , H0 )k·f (γ)·g(γ) or to some random

element of GT . B formally sets G = [f (γ)] G0 (i.e. without computing it) and
14

computes
H = [f (γ) · g(γ)] H0 (from H0 , [γ] H0 , . . . , [γ n ] H0 )
W = [γ] G = [γ · f (γ)] G0 (given as input)
f 2 (γ)·g(γ)
V = e (G0 , H0 ) = e (G, H) (given as input)
B then defines the group encryption key as ek = (H, W, V ). Note that B can
by no means compute the value of G. B then runs A on the system parameters
(S, H) and ek.

Generation of corrupted keys. The adversary A chooses a t-subset C ⊆ {1, . . . , n}

that indicates which users are corrupted: the users whose index lies in C are
corrupted, whereas the users with index in C¯ = {1, . . . , n} \ C are honest. To
generate the keys of the corrupted users, we define fi (X) = f (X)/(X + xi ) for
i ∈ [1, t], which are polynomials of degree t − 1, and then set
   
xi 1
Ai = [xi · fi (γ)] G0 = G, Bi = [fi (γ) · g(γ)] H0 = H
γ + xi γ + xi
and
1 1
Vi = e (G0 , H0 )fi (γ)·f (γ)·g(γ) = e ([f (γ)] G0 , [f (γ) · g(γ)] H0 ) γ+xi = e (G, H) γ+xi .
To generate the labels of honest users, we define gi (X) = g(X)/(X + x′i ) for
i ∈ [1, n − t] and
 
1 2
′
Bi = [f (γ) · gi (γ)] H0 = ′
H, Vi′ = e (G0 , H0 )f (γ)·gi (γ) .
γ + xi
Note that the total number of users is n. Since the polynomials fi g and f gi are
of degree n−1, Bi and Bi′ can be computed easily. Vi can also be computed given
[γ j ] G0 for j ∈ [0, t − 1] and [γ j ] H0 for j ∈ [0, n] since these allow to compute
k
e (G0 , H0 )γ for k ∈ [0, n + t − 1] and since polynomials fi f g and f 2 gi are of
degree n + t − 1. The user labels and keys ((xi , Ai , Bi ), (xi , Vi , Bi )) for i ∈ [1, t] as
well as the user labels (x′i , Bi′ , Vi′ ) for i ∈ [1, n−t] are then given to the adversary
A.

Challenge broadcast ciphertext. B now builds a header hdr = (C1 , C2 , {xi , Bi }ti=1 )
decryptable by the honest users i.e. where the users C ⊆ U are revoked. Given
the GDDHE instance, B computes
C1 = [k · γ · f (γ)] G0 = [k] W ,
   
k k
C2 = [k · g(γ)] H0 = H= H.
f (γ) (γ + x1 ) . . . (γ + xt )
Doing so, B implicitly defines the message encryption key K as
k k·f 2 (γ)·g(γ)
K = e (G, H) (γ+x1 )...(γ+xt ) = e (G0 , H0 ) f (γ) = e (G0 , H0 )k·f (γ)·g(γ) .
B now selects a random bit b ← {0, 1}, sets Kb = T and sets K1−b to a random
element of GT . B sends the tuple (hdr, K0 , K1 ) to A.
 15

Final outcome. A outputs a bit b′ ∈ {0, 1}. B then outputs real if b′ = b or

random otherwise. One has
Advgddhe (t, n, B) = Pr[b′ = b|real] − Pr[b′ = b|random]
1
= × (Pr[b′ = 1|b = 1 ∧ real] − Pr[b′ = 1|b = 0 ∧ real])
2
1
− × (Pr[b′ = 1|b = 1 ∧ random] + Pr[b′ = 1|b = 0 ∧ random]) .
2
Now in the random case, the distribution of b is independent from the adversary’s
view wherefrom
Pr[b′ = 1|b = 1 ∧ random] = Pr[b′ = 1|b = 0 ∧ random] .
In the real case however, the distributions of all variables defined by B per-
fectly comply with the semantic security game since all simulations are perfect.
Therefore
Advind ′ ′
DBE (A) = Pr[b = 1|b = 1 ∧ real] − Pr[b = 1|b = 0 ∧ real] .

Summing up, we get that Advgddhe (t, n, B) = Advind

DBE (t, n, A)/2. It is obvious
that B runs in time similar to the one of A. ⊓
⊔

5.2 Proving the Intractability of (t, n)-GDHE

In this section, we prove the intractability of distinguishing the two distributions
involved in the (t, n)-GDDHE problem cf. Corollary 7. We first review known
results on the General Diffie-Hellman Exponent problem from [1]. Sticking to
the most general security result, we assume a bilinear map system of the most
favorable type for the adversary i.e. G1 = G2 = G or there is an efficient
isomorphism going both ways between G1 and G2 .
Theorem 9 ([1]). Let P, Q ∈ Fp [X1 , . . . , Xm ] be two s-tuples of m-variate poly-
nomials over Fp and let F ∈ Fp [X1 , . . . , Xm ]. Let dP (resp. dQ , dF ) denote the
maximal degree of elements of P (resp. of Q, F ) and pose d = max(2dP , dQ , dF ).
If F 6∈ hP, Qi then for any generic-model adversary A totalizing at most q queries
to the oracles (group operations in G, GT and evaluations of e) which is given
H(x1 , . . . , xm ) as input and tries to distinguish g F (x1 ,...,xm ) from a random value
in GT , one has
(q + 2s + 2)2 · d
Adv(A) ≤ .
2p
Proof (of Corollary 7). In order to conclude with Corollary 7, we need to prove
that the (t, n)-GDHE problem lies in the scope of Theorem 9. As already said,
we consider the weakest case G1 = G2 = G and thus pose H0 = [α] G0 . In the
(t, n)-GDHE problem, if one replaces γ by x, k by y and α by z, we see that our
problem is reformulated as (P, Q, F )-GDHE where
1, x, x2 , . . . , xt−1 , x · f (x), y · x · f (x)
 
P=
z, z · x, . . . , z · xn , y · z · g(x)
Q = (1, z · f (x)2 g(x))
F = y · z · f (x)g(x),
16

and thus m = 3 and s = t + n + 4. We have to show that F is independent

of (P, Q) i.e. that no coefficients {ai,j }si,j=1 and {b1 , b2 } exist such that F =
Ps P2
i,j=1 ai,j pi pj + k=1 bk qk where the polynomials pi and qk are the one listed
in P and Q above. By making all possible products of two polynomials from P
which are multiples of y · z, we want to prove that no linear combination among
the polynomials from the list R below leads to F :
z · y · xn+1 · f (x), . . . , z · y · x2 · f (x), z · y · x · f (x),
 

R =  z · y · xt−1 · g(x), . . . , z · y · x · g(x), z · y · g(x),  .

z · y · x · f (x)g(x)

Note that the last polynomial can be written as z · y · x · f (x)g(x) = i=n−t

P
i=0 νi ·
i+1
z · y · x · f (x), and thus as a linear combination of the polynomials from the
first line. Moreover, z · y · xn+1 · f (x) is the unique polynomial of degree t + n + 1
in x and such a monomial does not appear in F . Similarly, z · y · xn · f (x), . . . ,
z · y · xn−t+1 · f (x) cannot appear in the combination. We therefore simplify the
task to refuting a linear combination of elements of the list R′ below which leads
to f (x)g(x):
x · f (x), . . . , x2 · f (x), x · f (x),
 n−t 
′
R = .
xt−1 · g(x), . . . , x · g(x), g(x)
Any such linear combination can be written as
f (x)g(x) = A(x) · f (x) + B(x) · g(x)

where A and B are polynomials such that A(0) = 0, deg A = n − t and deg B =
t − 1. Since f and g are coprime by assumption, we must have f | B. Since
deg f =Qt and deg B = t − 1 this implies B = 0. Hence A = g resulting in that
n−t ′
g(0) = i=1 xi = 0 which contradicts x′i 6= 0 for i ∈ [1, n − t]. ⊓
⊔

6 Related Constructions
From a design perspective, our main construction is fairly simple and can there-
fore be refined in many ways. We now present a few broadcast encryption systems
derived from Construction 1. Although we do not provide proof details here, it
can be shown that all constructions inherit full collusion resistance under the
GDDHE assumption from Construction 1.

6.1 Public-Key Broadcast Encryption with Constant-Size

Ciphertexts (Construction 2)
We suggest a simple variant of the previous construction that reaches optimally
short ciphertexts i.e. λc = O(1). The basic observation is that the fraction of the
ciphertext containing {(xj , Pj )}rj=1 can be computed from R and {(xj , Bj )}rj=1
which is a subset of the public encryption key. Therefore Pj for j ∈ R can be
removed completely from hdr if the complete set {(x1 , B1 ), . . . , (xn , Bn )} is made
available at decryption time. Construction 2 therefore redefines
hdr = (C1 , C2 ) where C1 = [k] W , C2 = [k] H ,
 17

and
dki = (S, (xi , Ai , Bi ), (x1 , B1 ), . . . , (xn , Bn )) .
As a result, the new system enjoys constant-size ciphertexts at the expanse of
linear-size user decryption keys. Decryption can be performed as

K = e (C1 , Bi,R) · e (Ai , C2 )

where Bi,R is computed in time O(r 2 ) using the Aggregate algorithm with the
list {(xj , Bj )}j∈R ⊆ dki and (xi , Bi ) ⊆ dki as inputs. Note here that the presence
of R in the full broadcast ciphertext is mandatory to allow proper decryption5 .
We also note that the dynamic aspect is lost when doing these changes since
all users have to update their decryption key whenever a new member joins the
group. It is worthwhile noting that the characteristics of this construction are
exactly those of BGW1 . Our scheme is slightly less efficient since decryption keys
are bigger than those of in BGW1 by the inclusion of n extra integers modulo p.

6.2 Private-Key DBE with Constant-Size Decryption & Encryption

Keys (Construction 3)
In this scheme, the broadcaster and the group manager are the same entity. All
algorithms are unchanged except for the join procedure which now exclusively
employs the encryption key ek, mk being obsolete. The random selection of
xi , i = 1, . . . , n is now replaced by a pseudo-random generation. More precisely,
we modify Construction 1 as follows:

1. Setup(λ) generates S, randomly selects a hash function H : {0, 1}∗ →

7 Z⋆p
and outputs ek = (S, G, H, γ, W, V, H),
2. Join(ek, i) sets xi = H(i), computes Ai and Bi as in Construction 1 and
outputs the user decryption key dki = (S, xi , Ai , Bi ),
3. Encrypt(ek, R) picks a random k ← Z⋆p and computes on the spot

1 1 1
, , ..., ,
γ + x1 (γ + x1 )(γ + x2 ) (γ + x1 ) . . . (γ + xr )

k
, kγ
(γ + x1 ) . . . (γ + xr )
over Z⋆p , thereby allowing to compute P1 , . . . , Pr , C2 , C1 , K directly by expo-
nentiating H, V or W in their respective groups,
4. decryption is identical to the one of Construction 1.

The main difference with Construction 1 is that the broadcaster needs no

linear-size group encryption key nor user labels: these are recovered whenever
necessary using G, H, γ and the user counter i. Therefore λek = O(1) and both
encryption and decryption stages process in time O(r). Note that all efficiency
measures do not depend on the number of users n.
5
Including R in the full header was unnecessary in Construction 1, see Remark 1.
18

6.3 Realizing Long-term Revocation

To revoke user i, the group manager broadcasts (xi , Bi , Vi) and resets H := Bi
and V := Vi . A non revoked user j 6= i can update his label as
     x 1
1 1 1
γ+xi Vi j −xi
Bj := Bj = (Bi − Bj ) Vj := Vj = .
γ + xi xj − xi Vj

Therefore the broadcaster does not have to repeat (xi , Bi , Vi ) in future encryp-
tions. In virtue of the full collusion resistance of Construction 1, long-term re-
vocations can be shown to be forward-secure.

7 Conclusion
We introduced new alternatives to design public and private key fully collusion
secure broadcast encryption. Our designs support the inclusion of new users at
minimal cost and achieve the best known security level relative to a generically
secure computational problem via tight reductions in the standard model. We
leave as an open problem to realize dynamic public-key broadcast encryption
with an encryption key substantially shorter that O(n). Resisting fully adap-
tive adversaries would also be a significant improvement. Finally, we expect our
trapdoor mechanism to find other cryptographic applications in the future.

References
1. Dan Boneh, Xavier Boyen, and Eu-Jin Goh. Hierarchical identity based encryption with constant
size ciphertext. In Ronald Cramer, editor, EUROCRYPT 2005, volume 3494 of LNCS, pages 440–
456, Aarhus, Denmark, May 22–26, 2005. Springer-Verlag, Berlin, Germany. Extended version
available at http://eprint.iacr.org/2005/015.
2. Dan Boneh and Matthew K. Franklin. Identity-based encryption from the Weil pairing. In Joe
Kilian, editor, CRYPTO 2001, volume 2139 of LNCS, pages 213–229, Santa Barbara, CA, USA,
August 19–23, 2001. Springer-Verlag, Berlin, Germany.
3. Dan Boneh, Craig Gentry, and Brent Waters. Collusion resistant broadcast encryption with short
ciphertexts and private keys. In Victor Shoup, editor, CRYPTO 2005, volume 3621 of LNCS,
pages 258–275, Santa Barbara, CA, USA, August 14–18, 2005. Springer-Verlag, Berlin, Germany.
4. Yevgeniy Dodis and Nelly Fazio. Public key trace and revoke scheme secure against adaptive
chosen ciphertext attack. In Yvo Desmedt, editor, PKC 2003, volume 2567 of LNCS, pages
100–115, Miami, USA, January 6–8, 2003. Springer-Verlag, Berlin, Germany.
5. Amos Fiat and Moni Naor. Broadcast encryption. In Douglas R. Stinson, editor, CRYPTO’93,
volume 773 of LNCS, pages 480–491, Santa Barbara, CA, USA, August 22–26, 1994. Springer-
Verlag, Berlin, Germany.
6. Eiichiro Fujisaki and Tatsuaki Okamoto. How to enhance the security of public-key encryption
at minimum cost. In Hideki Imai and Yuliang Zheng, editors, PKC’99, volume 1560 of LNCS,
pages 53–68, Kamakura, Japan, March 1–3, 1999. Springer-Verlag, Berlin, Germany.
7. Eiichiro Fujisaki and Tatsuaki Okamoto. Secure integration of asymmetric and symmetric encryp-
tion schemes. In Michael J. Wiener, editor, CRYPTO’99, volume 1666 of LNCS, pages 537–554,
Santa Barbara, CA, USA, August 15–19, 1999. Springer-Verlag, Berlin, Germany.
8. Michael T. Goodrich, Jonathan Z. Sun, and Roberto Tamassia. Efficient tree-based revocation in
groups of low-state devices. In Matthew Franklin, editor, CRYPTO 2004, volume 3152 of LNCS,
pages 511–527, Santa Barbara, CA, USA, August 15–19, 2004. Springer-Verlag, Berlin, Germany.
9. Dani Halevy and Adi Shamir. The LSD broadcast encryption scheme. In Moti Yung, editor,
CRYPTO 2002, volume 2442 of LNCS, pages 47–60, Santa Barbara, CA, USA, August 18–22,
2002. Springer-Verlag, Berlin, Germany.
 19

10. Antoine Joux. A one round protocol for tripartite Diffie-Hellman. In ANTS, pages 385–394, 2000.
11. Antoine Joux and Kim Nguyen. Separating decision Diffie-Hellman from computational diffie-
hellman in cryptographic groups. Journal of Cryptology, 16(4):239–247, 2003.
12. Atsuko Miyaji, Masaki Nakabayashi, and Shunzo Takano. Characterization of elliptic curve traces
under fr-reduction. In ICISC, pages 90–108, 2000.
13. Atsuko Miyaji, Masaki Nakabayashi, and Shunzo Takano. New explicit conditions of elliptic curve
traces for fr-reduction. IEICE Transactions on Fundamentals, E84-A(5):1234–1243, 2001.
14. Dalit Naor, Moni Naor, and Jeffery Lotspiech. Revocation and tracing schemes for stateless
receivers. In Joe Kilian, editor, CRYPTO 2001, volume 2139 of LNCS, pages 41–62, Santa
Barbara, CA, USA, August 19–23, 2001. Springer-Verlag, Berlin, Germany.
15. Tatsuaki Okamoto and David Pointcheval. REACT: Rapid Enhanced-security Asymmetric Cryp-
tosystem Transform. In David Naccache, editor, CT-RSA 2001, volume 2020 of LNCS, pages
159–175, San Francisco, CA, USA, April 8–12, 2001. Springer-Verlag, Berlin, Germany.

A BGW1 and BGW’1

We briefly describe the system BGW1 put forward by Boneh et al. [3]. As BGW1
is not dynamic, the Setup algorithm takes as input the number n of users in
addition to the security parameter λ, and is in charge of computing the user
decryption keys since there is no Join algorithm.

Setup(λ, n). Given the security parameter λ, a symmetric bilinear map group
system
S = (p, G, GT , e (·, ·))
is constructed such that |p| = λ. The algorithm first picks a generator G ∈ G
and a random α ∈ Zp . It computes Gi = [αi ] G ∈ G for i = 1, . . . , n, n +
2, . . . , 2n. Next, it picks a random γ ← Zp and sets W = [γ] G ∈ G. The
encryption key is

ek = (S, G, G1 , . . . , Gn , Gn+2 , . . . , G2n , W ) ∈ G2n+1 .

The decryption key of user i ∈ {1, . . . , n} is set as dki = [γ] Gi ∈ G. The algo-
rithm outputs the encryption key ek and the n decryption keys dk1 , . . . , dkn .
Encrypt(ek, S). Given the encryption key ek and a subset S ⊆ {1, . . . , n} of
users, the broadcaster randomly picks k ← Z⋆p , sets K = e (Gn+1 , G)k =
e (Gn , G1 )k ∈ GT and computes
!!
X
hdr = [k] G, [k] W + Gn+1−j ∈ G2
j∈S

and outputs (hdr, K).

Decrypt(dki , ek, S, hdr). In order to retrieve the message encryption key K en-
capsulated in the header hdr = (C1 , C2 ), the i-th user computes
X
K = e (Gi , C2 ) / e (dki + Pi , C1 ) where Pi = Gn+1−j+i .
j∈S,j6=i
20

We define BGW’1 as a modification of BGW1 where the decryption algorithm

does not take ek as input parameter anymore but directly includes {Pi }i∈S in
the header hdr instead. This change excepted, the encryption and decryption
algorithms are unchanged. The motivation for considering BGW’1 is that the
decryption key material at the user side does not include the encryption key ek,
resulting in that λdk = O(1) instead of λdk = O(n) in BGW1 . This comes at the
cost of a ciphertext size in O(n − r) instead of O(1) in BGW1 .