Research Article  Open Access
Bingxin Zhu, Puwen Wei, Mingqiang Wang, "Adaptive Security of Broadcast Encryption, Revisited", Security and Communication Networks, vol. 2017, Article ID 1404279, 16 pages, 2017. https://doi.org/10.1155/2017/1404279
Adaptive Security of Broadcast Encryption, Revisited
Abstract
We provide a strong security notion for broadcast encryption, called adaptive security in the multichallenge setting (MAsecurity), where the adversary can adaptively have access to the key generation oracle and the encryption oracle many times (multichallenge). The adversary specially can query for the challenge ciphertexts on different target user sets adaptively, which generalizes the attacks against broadcast encryptions in the real world setting. Our general result shows that the reduction of the adaptive secure broadcast encryption will lose a factor of in the MA setting, where is the maximum number of encryption queries. In order to construct tighter MAsecure broadcast encryptions, we investigate Gentry and Water’s transformation and show that their transformation can preserve MAsecurity at the price of reduction loss on the advantage of the underlying symmetric key encryption. Furthermore, we remove the type assumption in Gentry and Water’s semistatically secure broadcast encryption by using HofheinzKochStriecks techniques. The resulting scheme instantiated in a composite order group is MAsecure with constantsize ciphertext header.
1. Introduction
Broadcast encryptions (BE), introduced by Fiat and Naor [1], allow a sender to broadcast encrypted messages in such a way that only a specified group of users can decrypt the messages. Such schemes are useful in many applications, for example, payTV systems, internet multicasting of video and music, DVD content protection, file system access control, and wireless sensor networks [2]. One basic security requirement for broadcast encryption is the fully collusion resistance, which means that even a coalition of all users outside of target user set learns nothing about the target plaintext. Naor et al. [3] proposed a fully collusion secure broadcast encryption scheme with the private key overhead , where is the total number of users. Subsequent works [4, 5] reduced the private key size to . However, the ciphertexts size of collusion resistant schemes, for example, [3–6], usually grows linearly with either the number of receivers or the number of revoked users. Boneh et al. [7] constructed a fully collusion secure broadcast encryption systems with low ciphertext overhead and short secret keys. But the security of their scheme was proven in a static model, where the adversary needs to choose the target user set before seeing the system parameter. To capture more powerful attacks, Gentry and Waters [8] provided a stronger security model, called adaptive security, where the adversary can compromise users’ keys and choose the target user set adaptively. They showed a generic method to construct adaptively secure broadcast encryption scheme by transforming semistatically secure broadcast encryption scheme, while the underlying semistatically secure scheme in [8] is based on a type assumption, which is considered to be too strong. By introducing the dual system, Waters [9] presented a broadcast encryption scheme with ciphertext overhead of constant size, and the resulting scheme can be proven adaptively secure under static assumption (nontype assumption). Then, Boneh, Waters, and Zhandry [10] made use of multilinear maps to construct a broadcast encryption where ciphertext overhead, private key size, and public key size are all polylogarithmic in . Other works [11–15] focus on the improvements of broadcast encryptions with special functionalities, for example, identitybased BE, anonymous BE, and traitortracing BE. Recently, Wee [16] presented the first broadcast encryption scheme with constantsize ciphertext overhead, constantsize user secret keys, and linearsize public parameters under static assumptions, while the resulting scheme is proven secure under static security model.
It is worth noting that although adaptive security defined in [8] seems strong enough to capture the security of broadcast encryptions, attacks in the real world are more complex, for example, the adversary may adaptively get multiple challenge ciphertexts instead of only one. Such attacks are described in the socalled multiuser, multichallenge setting. Bellare et al. [17] initiated the study of the formal security in the multiuser setting, which shows that oneuser, oneciphertext security implies security in the multiuser, multichallenge setting. But the reduction loss of the proof is , where and denote the number of users and the number of challenge ciphertexts per user, respectively. However, large reduction loss usually implies large cryptographic parameters, which leads to low efficiency in practice. Recent breakthrough was made by Hofheinz and Jager [18], which provided the first INDCCA secure PKE in the multiuser/multichallenge setting and the security tightly relates to the decision linear assumption. Here, tight security means that the security loss is a constant. Hofheinz, Koch, and Striecks [19] extended Chen and Wee’s proof technique [20] to the multiuser/multichallenge setting and provided an almost tightly secure identitybased encryption (IBE) in the same setting, where the security loss only relies on the security parameter instead of the number of queries or instances of the scheme. Hence, an extension of broadcast encryptions in the multiuser/multichallenge setting is natural. However, the problem of constructing tightly secure broadcast encryptions in the multiuser/multichallenge setting is more subtle.
Our Contribution. We define a stronger notion for broadcast encryption, called the adaptive security in the multichallenge setting (MAsecurity), where the adversary can not only adaptively have access to the key generation oracle and the encryption oracle many times (multichallenge) but also adaptively query for the challenge ciphertexts on different target user sets instead of only one target set as in previous security model. Since each target user set is actually the combination of different users chosen by the adversary adaptively, it is more challenging for the reduction algorithm to prepare the parameters of broadcast encryptions than that of ordinary PKE or IBE.
Our general result shows that the reduction of the adaptive secure broadcast encryption will lose a factor of in the MA setting, where is the maximum number of encryption queries. To achieve tighter MAsecurity, we investigate the following two methods. The first method is from Gentry and Waters transformation [8] mentioned above. By exploring the random selfreducibility of BDHE assumption, we show that their transformation still holds in terms of MAsecurity, but at the cost of reduction loss on the advantage of underlying symmetric key encryption. We emphasize that the resulting broadcast encryption scheme’s security depends on both the BDHE assumption and the security of the symmetric key encryption. The reduction loss on the underlying symmetric key encryption is , while the reduction on BDHE is tight due to the random selfreducibility of BDHE assumption, which is not implied by the general result of [17]. To remove the BDHE assumption, our second method applies the HofheinzKochStriecks techniques [19] to GentryWaters’ semistatic secure broadcast encryption. The resulting scheme is essentially the HofheinzKochStriecks IBE scheme instantiated in a composite order group, while the user’s decryption key of broadcast encryption is expressed in a different way from that of [19]. Both methods can turn GentryWaters’ semistatically secure broadcast encryption into a MAsecure one with constantsize ciphertext header.
Note that the public key size of both schemes is linear with the number of users. An interesting problem is how to reduce the public key size of a MAsecure broadcast encryption under standard assumptions while preserving constant ciphertext header size.
2. Preliminaries
Notations. Let , where . For a finite set , we denote by the fact that is picked uniformly at random from . can be denoted as a binary string; that is, , where for . We write vectors in bold font; for example, for a vector of length . denotes the statistical distance of and , where and are random variables. We say and are close if .
2.1. Bilinear Map
Let and be two groups of prime order , and let be a generator of . is a bilinear map with the following properties.(1)Bilinearity: for all and , .(2)Nondegeneracy: .(3)Computability: there exists an efficient algorithm to compute , for any .
2.2. Assumptions
Decisional BDHE Problem [8]. Let be the description of the group parameter which is the output of group generator , where is the security parameter. Choose and given elementswhere , if and if . The problem is to guess .
The decisional BDHE assumption states that for any PPT adversary which takes as inputs the description of and the above elements and outputs , the advantageis negligible in .
2.3. Broadcast Encryption Systems
A broadcast encryption system consists of four randomized algorithms described below.
. Take as input the number of users and the maximal size of a broadcast recipient group and output a public/secret key pair . (The security parameter is taken as parts of the input implicitly.)
. Take as input a user index and the secret key and output a private key .
. Take a user set and the public key as input. It outputs a pair , where is the header and is the message encryption key from a key space .
. Take as input a user set , a user index , and the corresponding private key for user , a header , and the public key . If , then the algorithm outputs the message encryption key .
3. Adaptive Security in the Multichallenge Setting (MASecurity)
In this section, we define the adaptive security of broadcast encryption in the multichallenge setting. Let be a broadcast encryption scheme. The experiment for is described in Table 1.

During the experiment, the adversary takes and the description of including as inputs and can have access to the following two kinds of oracles.(i) is the secret key generation oracle which takes a user index as input and outputs . Note that cannot make as the key generation query if , where has been queried to the encryption oracle. Suppose the adversary can make key generation queries at most.(ii) is the encryption oracle which takes as input and outputs the challenge ciphertext , where , . The restriction on encryption query is that can not include any user index which has been queried to . Suppose that the adversary can only query encryption oracle at most times.
A broadcast encryption scheme is adaptively secure in the multichallenge setting (MAsecure) if, for any PPT adversary , the advantage is negligible in .
Remark 1. The main difference between our MAsecurity and the adaptive security defined in [8] is the encryption queries. In MAsecurity experiment, the adversary can not only adaptively have access to the encryption oracle many times but also query for the challenge ciphertexts on different target user sets, while the adversary can make only one encryption query for one target user set in adaptive security experiment [8], where the related advantage of is denoted as .
To investigate Gentry and Waters transformation in the multichallenge setting, we also need to extend semistatic security defined in [8] to the multichallenge setting, which is called semistatic security in the multichallenge setting (MSsecurity). The MSsecurity is defined in a similar way as that of MAsecurity, where the adversary also takes and the description of including as inputs and can have access to and as defined in MAsecurity. But additional restrictions in MSsecurity are that has to choose a target user set at the beginning of the experiment and encryption queries are such that . Details of MS experiment are shown in Table 2

A broadcast encryption scheme is semistatically secure in the multichallenge setting (MSsecure) if, for any PPT adversary , the advantage is negligible in .
4. MASecure Broadcast Encryption
First we give a general result on the reduction loss of an adaptive secure broadcast encryption in the MA setting. Then, to derive a tighter reduction, we show how to extend GentryWaters transformation to the multichallenge setting and construct a concrete MAsecure broadcast encryption based on BDHE assumption.
4.1. General Construction
Theorem 2. For any PPT adversary which can make at most key generation queries and encryption queries with running time , there exists an algorithm with about the same running time as , such that
Proof. The proof proceeds via the following games.(i): is the real MA experiment except the following differences. When the adversary adaptively makes encryption query for set , the challenger responds with , where .(ii): is identical to except that the challenger replies the encryption queries with for , where and denotes the key space. Now we construct a series of subgames for to prove the indistinguishability between and . (i). is the same as except that the challenger chooses to construct challenge for the first encryption query .(ii). is the same as except that the challenger chooses to construct challenge for the th encryption query , where . Let denote the event that the adversary outputs 1 in . Note that and are identical to and , respectively. Thus,Next, we show that is negligible, for . That is, if there exists a PPT adversary which can distinguish the adjacent games for some , we can construct a PPT algorithm which can break the adaptive security of the underlying scheme.
Claim For any PPT adversary which can make at most key generation queries and encryption queries with running time , there exists algorithm with about the same running time as , such thatProof. simulates the experiment as follows. (i)The challenger runs and sends to which will send to .(ii) adaptively makes key generation queries for user index .(iii) sends user index to the challenger which runs and sends back the secret key for user . Then sends to .(iv) adaptively makes encryption queries for , where denotes the th query.(a)If , runs and chooses and sends to .(b)If , runs and sends to .(c)If , sends to the challenger which then chooses and sends back where . Next sends to .(v) outputs . If , outputs 1, otherwise, 0. Observe that if , ’s view is identical to that of . Otherwise ’s view is identical to that of . ThusHence we havewhich completes the proof of Theorem 2.
4.2. MSSecure Broadcast Encryption Based on BDHE Assumption
To reduce the reduction loss, we investigate GentryWaters broadcast encryption [8] in the MA setting. First we briefly recall the semistatically secure broadcast encryption scheme in [8]. Let be a PPT algorithm which takes as input the security parameter and the number of users and generates the description of group parameter , where denotes the group of prime order and is the bilinear map.
. , , where are generators of and . Set Output .
. Choose and output user ’s private key
. Choose and compute . Set Output .
. If , parse as and as and output
Theorem 3. For any PPT adversary which can make at most key generation queries, encryption queries with running time , there exists an algorithm with about the same running time as , such that
The proof is similar to that of [8] except that we have to deal with multiple challenges in the simulation. Furthermore, to derive a tighter reduction, we need the following lemma which makes use of the random selfreducibility of BDHE.
Lemma 4. There exists an efficient algorithm that takes as input for and generates many tuples of the form where and .
Proof. Compute and , where . Let mod . We implicitly setHence, we have If , namely, , then . If , namely, , then . Since are uniformly distributed, we have uniformly distributed over .
Next, more details of the concrete proof of Theorem 3 can be found in Appendix A.
4.3. Transforming MSSecurity to MASecurity
In this section, we show that GentryWaters transformation still holds in the multichallenge setting, but at the cost of reduction loss in the advantage of underlying symmetric encryption scheme. First, we briefly recall GentryWaters transformation [8]. Let , be a MSsecure broadcast system and be a symmetric encryption scheme with key space .
. Run . Let and denotes th bit of . Let and . Output .
. Run . Set . Output private key .
. Generate random bits: and . SetOutput .
. Parse as and as . Set and as above. RunOutput .
Theorem 5. For any PPT adversary which can make at most key generation queries and encryption queries with running time , there exist algorithms , and , each with about the same running time as , such that
Notice that denotes the advantage of , , which is defined by the following onetime symmetric key INDCPA experiment described in Table 3.

During the experiment, takes the security parameter and the description of as input and can make only one encryption query to encryption oracle . More precisely, chooses a pair of plaintexts of the same length as the query and returns as the challenge ciphertext.
We say the symmetric key encryption scheme is onetime CPAsecure if, for any PPT adversary , the advantage is negligible in , where the probability is taken over the random coins used in the experiment, as well as the random coins used by .
Proof of Sketch. The main idea of the proof is similar to that of [8] except that we need to deal with multiple challenges, which incurs a reduction loss in the advantage of symmetric key encryption scheme. More precisely, we need to prove the indistinguishability of the following games.(i) is identical to .(ii) is the same as except that for each encryption query the challenger chooses to construct , where .(iii) is the same as except that for each encryption query the challenger chooses to construct , where .(iv) is the same as except that the challenger chooses to construct .(v) is the same as except that the challenger chooses to construct . The indistinguishability among , , and relies on the MSsecurity of . By using hybrid arguments, we show the indistinguishability between and ( and ), which relies on the onetime CPA security of the underlying symmetric key encryption. It is easy to check that the adversary has no advantage in . More details are shown in Appendix B.
5. Remove Type Assumption
In this section, we show how to remove the type assumption of the MSsecure GentryWaters scheme in Section 4 by using HofheinzKochStriecks techniques [19], where the original GentryWaters scheme is lifted to composite order groups.
Let be a compositeorder group generator which generates group parameters , , where is a nondegenerate bilinear map and are cyclic groups of order and is the product of different primes , and , and let be the generator of group and , for , be the random generators of subgroups of orders , respectively.
Let be a family of universal hash functions with the property that for any nontrivial subgroup and for and , we have . In addition, the resulting scheme relies on the following assumptions [19].
Dual System Assumption 1 (DS1). For any PPT adversary , the advantage function is negligible in , where
Dual System Assumption 2 (DS2). For any PPT adversary , the advantage functionis negligible in , where
Dual System Assumption 3 (DS3). For any PPT adversary , the advantage function
is negligible in , where
Dual System Bilinear DDH Assumption (DSBDDH). For any PPT adversary , the advantage functionis negligible in , where
5.1. Construction
. Generate and compute . Set , generate , and compute . Set Output .
. Take an index and the master key as input. Set , generate , and compute and output a user secret keyNote that is not used in .
. Take a set as well as a master public key as input. We denote as a binary string; that is, , where and