Security and Communication Networks

Volume 2017 (2017), Article ID 1404279, 16 pages

https://doi.org/10.1155/2017/1404279

## Adaptive Security of Broadcast Encryption, Revisited

Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China

Correspondence should be addressed to Puwen Wei; pwei@sdu.edu.cn and Mingqiang Wang; wangmingqiang@sdu.edu.cn

Received 21 February 2017; Accepted 27 April 2017; Published 3 July 2017

Academic Editor: Paolo D’Arco

Copyright © 2017 Bingxin Zhu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

We provide a strong security notion for broadcast encryption, called adaptive security in the multichallenge setting (MA-security), where the adversary can adaptively access the key generation oracle and the encryption oracle many times (multichallenge). In particular, the adversary can adaptively query for challenge ciphertexts on different target user sets, which generalizes attacks against broadcast encryption in the real-world setting. Our general result shows that the reduction of the adaptively secure broadcast encryption will lose a factor of in the MA setting, where is the maximum number of encryption queries. In order to construct tighter MA-secure broadcast encryptions, we investigate Gentry and Waters’ transformation and show that their transformation can preserve MA-security at the price of reduction loss on the advantage of the underlying symmetric key encryption. Furthermore, we remove the -type assumption in Gentry and Waters’ semistatically secure broadcast encryption by using Hofheinz-Koch-Striecks techniques. The resulting scheme instantiated in a composite order group is MA-secure with constant-size ciphertext header.

#### 1. Introduction

Broadcast encryptions (BE), introduced by Fiat and Naor [1], allow a sender to broadcast encrypted messages in such a way that only a specified group of users can decrypt the messages. Such schemes are useful in many applications, for example, pay-TV systems, internet multicasting of video and music, DVD content protection, file system access control, and wireless sensor networks [2]. One basic security requirement for broadcast encryption is full collusion resistance, which means that even a coalition of all users outside of the target user set learns nothing about the target plaintext. Naor et al. [3] proposed a fully collusion secure broadcast encryption scheme with the private key overhead , where is the total number of users. Subsequent works [4, 5] reduced the private key size to . However, the ciphertext size of collusion resistant schemes, for example, [3–6], usually grows linearly with either the number of receivers or the number of revoked users. Boneh et al. [7] constructed a fully collusion secure broadcast encryption system with low ciphertext overhead and short secret keys. But the security of their scheme was proven in a static model, where the adversary needs to choose the target user set before seeing the system parameter. To capture more powerful attacks, Gentry and Waters [8] provided a stronger security model, called adaptive security, where the adversary can compromise users’ keys and choose the target user set adaptively. They showed a generic method to construct an adaptively secure broadcast encryption scheme by transforming a semistatically secure broadcast encryption scheme, while the underlying semistatically secure scheme in [8] is based on a -type assumption, which is considered to be too strong. By introducing the dual system, Waters [9] presented a broadcast encryption scheme with ciphertext overhead of constant size, and the resulting scheme can be proven adaptively secure under a static assumption (non--type assumption). Then, Boneh, Waters, and Zhandry [10] made use of multilinear maps to construct a broadcast encryption where ciphertext overhead, private key size, and public key size are all poly-logarithmic in . Other works [11–15] focus on the improvements of broadcast encryptions with special functionalities, for example, identity-based BE, anonymous BE, and traitor-tracing BE. Recently, Wee [16] presented the first broadcast encryption scheme with constant-size ciphertext overhead, constant-size user secret keys, and linear-size public parameters under static assumptions, while the resulting scheme is proven secure under the static security model.

It is worth noting that although adaptive security defined in [8] seems strong enough to capture the security of broadcast encryptions, attacks in the real world are more complex; for example, the adversary may adaptively get multiple challenge ciphertexts instead of only one. Such attacks are described in the so-called multiuser, multichallenge setting. Bellare et al. [17] initiated the study of formal security in the multiuser setting, which shows that one-user, one-ciphertext security implies security in the multiuser, multichallenge setting. But the reduction loss of the proof is , where and denote the number of users and the number of challenge ciphertexts per user, respectively. However, a large reduction loss usually implies large cryptographic parameters, which leads to low efficiency in practice. A recent breakthrough was made by Hofheinz and Jager [18], who provided the first IND-CCA secure PKE in the multiuser/multichallenge setting whose security tightly relates to the decision linear assumption. Here, tight security means that the security loss is a constant. Hofheinz, Koch, and Striecks [19] extended Chen and Wee’s proof technique [20] to the multiuser/multichallenge setting and provided an almost tightly secure identity-based encryption (IBE) in the same setting, where the security loss only relies on the security parameter instead of the number of queries or instances of the scheme. Hence, an extension of broadcast encryptions in the multiuser/multichallenge setting is natural. However, the problem of constructing tightly secure broadcast encryptions in the multiuser/multichallenge setting is more subtle.

*Our Contribution*. We define a stronger notion for broadcast encryption, called adaptive security in the multichallenge setting (MA-security), where the adversary can not only adaptively access the key generation oracle and the encryption oracle many times (multichallenge) but also adaptively query for the challenge ciphertexts on different target user sets instead of only one target set as in previous security models. Since each target user set is actually the combination of different users chosen by the adversary adaptively, it is more challenging for the reduction algorithm to prepare the parameters of broadcast encryptions than those of ordinary PKE or IBE.

Our general result shows that the reduction of the adaptively secure broadcast encryption will lose a factor of in the MA setting, where is the maximum number of encryption queries. To achieve tighter MA-security, we investigate the following two methods. The first method is from Gentry and Waters’ transformation [8] mentioned above. By exploring the random self-reducibility of the BDHE assumption, we show that their transformation still holds in terms of MA-security, but at the cost of reduction loss on the advantage of the underlying symmetric key encryption. We emphasize that the resulting broadcast encryption scheme’s security depends on both the BDHE assumption and the security of the symmetric key encryption. The reduction loss on the underlying symmetric key encryption is , while the reduction on BDHE is tight due to the random self-reducibility of the BDHE assumption, which is not implied by the general result of [17]. To remove the BDHE assumption, our second method applies the Hofheinz-Koch-Striecks techniques [19] to Gentry-Waters’ semistatically secure broadcast encryption. The resulting scheme is essentially the Hofheinz-Koch-Striecks IBE scheme instantiated in a composite order group, while the user’s decryption key of broadcast encryption is expressed in a different way from that of [19]. Both methods can turn Gentry-Waters’ semistatically secure broadcast encryption into an MA-secure one with constant-size ciphertext header.

Note that the public key size of both schemes is linear in the number of users. An interesting problem is how to reduce the public key size of an MA-secure broadcast encryption under standard assumptions while preserving constant ciphertext header size.

#### 2. Preliminaries

*Notations*. Let , where . For a finite set , we denote by the fact that is picked uniformly at random from . can be denoted as a binary string; that is, , where for . We write vectors in bold font; for example, for a vector of length . denotes the statistical distance of and , where and are random variables. We say and are -close if .

##### 2.1. Bilinear Map

Let and be two groups of prime order , and let be a generator of . is a bilinear map with the following properties.

(1) Bilinearity: for all and , .

(2) Nondegeneracy: .

(3) Computability: there exists an efficient algorithm to compute , for any .

##### 2.2. Assumptions

*Decisional BDHE Problem* [8]. Let be the description of the group parameter which is the output of group generator , where is the security parameter. Choose and given elements where , if and if . The problem is to guess .

The decisional BDHE assumption states that for any PPT adversary which takes as inputs the description of and the above elements and outputs , the advantage is negligible in .

##### 2.3. Broadcast Encryption Systems

A broadcast encryption system consists of four randomized algorithms described below.

. Take as input the number of users and the maximal size of a broadcast recipient group and output a public/secret key pair . (The security parameter is taken as part of the input implicitly.)

. Take as input a user index and the secret key and output a private key .

. Take a user set and the public key as input. It outputs a pair , where is the header and is the message encryption key from a key space .

. Take as input a user set , a user index , and the corresponding private key for user , a header , and the public key . If , then the algorithm outputs the message encryption key .

#### 3. Adaptive Security in the Multichallenge Setting (MA-Security)

In this section, we define the adaptive security of broadcast encryption in the multichallenge setting. Let be a broadcast encryption scheme. The experiment for is described in Table 1.