Recipient Revocable Broadcast Encryption with Dealership

Abstract

The broadcast encryption with dealership (BED) scheme allows a dealer, instead of a broadcaster, to manage a recipient. Unlike prior broadcast encryption schemes, BED reduces the burden placed on the broadcaster to manage recipient, which makes it suitable for a broadcasting service targeting a large number of recipients. Subscribing and unsubscribing from the broadcast service occur frequently at the request of the user, however, early versions of BED schemes do not support recipient revocation. In this paper, we propose a recipient revocable broadcast encryption with dealership and show that it is secure in the adaptive security model without random oracles.

This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIT) (No. 2015-0-00320, A study of a public-key authentication framework for internet entities with hierarchical identities).

A Security Proof

1.1 A.1 Proof of Theorem 1

Proof

Let a PPT adversary \(\mathcal {A}\) breaks the privacy of our RR-BED scheme. The security game between the challenger \(\mathcal {C}\) and the adversary \(\mathcal {A}\) is executed as follows:

• Setup : The challenger \(\mathcal {C}\) randomly chooses \(\alpha ,\beta \in \mathbb {Z}_p\) and \(h\in \mathbb {G}\) and generates \(\textsf {PP} = \big (\mathbb {B}, h, h^{\alpha }, \cdots , h^{\alpha ^{N}}, g, g^{\alpha }, \cdots , g^{\alpha ^N}, g^{\alpha \beta }, \cdots , g^{\alpha ^{N+1}\beta }, \varOmega =e(g,g), \varOmega _1=e(g,h)\big )\) and \(\textsf {MK}=(\alpha ,\beta )\). It keeps MK secret and gives PP to \(\mathcal {A}\).

• Challenge : \(\mathcal {A}\) selects two user groups \(G_0,G_1\) of the same size and submits to \(\mathcal {C}\). \(\mathcal {C}\) picks \(b\in \{0,1\}\) and runs RR-BED.GroupGen(\(G_{b}, v, k,\) PP) to obtain a group token.

  $$\begin{aligned} P(G_b)&= (w_1,w_2,w_3,\hat{w}_1,\cdots ,\hat{w}_{k+1},w_M) \\&= (g^{\alpha \beta F(\alpha )r},\varOmega ^{-r}, g^{-\alpha r},g^{-\alpha ^{i}r},\cdots ,g^{-\alpha ^{k+1}r},\varOmega _1^r). \end{aligned}$$

  where \(v\ge |G_b|\), k is a maximum revocation number, and \(F(x)=\prod _{i\in G_b}^{|G_b|}(x+ID_i)\). \(\mathcal {C}\) gives \(P(G_b)\) to \(\mathcal {A}\).

• Guess : \(\mathcal A\) outputs a guess \(b'\in \{0,1\}\). If \(b=b'\), \(\mathcal A\) wins.

\(\mathcal {A}\) must guess the group information from the group token. The group information is contained in \(F(\alpha )\) of \(w_1\) and \(w_2\). But \(F(\alpha )\) is hidden by a random integer r. If \(\mathcal {A}\) can predict r from \(g^{\alpha }\) and \(\hat{w}_1=g^{-\alpha r}\), then \(\mathcal {A}\) can generate \(P(G_0)\), and \(P(G_1)\), and compare them with \(P(G_b)\) because \(G_0,G_1\) are selected by \(\mathcal {A}\). But predicting r from \(g^{\alpha }\) and \(\hat{w}_1=g^{-\alpha r}\) is same as solving the DL problem. Therefore the group privacy is guaranteed if the DL assumption holds.\(\square \)

1.2 A.2 Proof of Theorem 2

Proof

Let a PPT adversary \(\mathcal {A}\) breaks the maximum number of accountability of our RR-BED scheme. The security game between a challenger \(\mathcal {C}\) and the adversary \(\mathcal {A}\) is executed as follows:

• Setup : The challenger \(\mathcal {C}\) randomly chooses \(\alpha ,\beta \in \mathbb {Z}_p\) and \(h\in \mathbb {G}\). It generates \(\textsf {PP} = \big (\mathbb {B}, h, h^{\alpha }, \cdots , h^{\alpha ^{N}}, g, g^{\alpha }, \cdots , g^{\alpha ^N}, g^{\alpha \beta }, \cdots , g^{\alpha ^{N+1}\beta }, \varOmega =e(g,g),\varOmega _1=e(g,h)\big )\) and \(\textsf {MK}=(\alpha ,\beta )\). It keeps MK and gives PP to \(\mathcal {A}\).

• Challenge : \(\mathcal {C}\) chooses a threshold value \(v\le N\) and sends the value to \(\mathcal {A}\).

• Guess : \(\mathcal A\) chooses \(G^*\), where \(|G^*| = v' > v\), and generates a group token

  $$\begin{aligned} P(G^*)&= (w_1,w_2,w_3,\hat{w}_1,\cdots ,\hat{w}_{k+1},w_M) \\&= (g^{\alpha \beta F(\alpha )r},\varOmega ^{-r}, g^{-\alpha r},g^{-\alpha ^{i}r},\cdots ,g^{-\alpha ^{k+1}r},\varOmega _1^r). \end{aligned}$$

  where k is a maximum revocation number and \(F(x)=\prod _{i\in G^*}^{|G^*|}(x+ID_i)\). \(\mathcal A\) sends \((P(G^*),G^*)\) to \(\mathcal C\). If RR-BED.Verify(\(P(G^*),v\), PP) = 1, then \(\mathcal A\) wins.

RR-BED.Verify(\(P(G^*),v,\textsf {PP}\)) = 1 indicates that \(\mathcal A\) can generate a valid group token. So \(\mathcal A\) can computes \(g^{\alpha ^{N+2}}, \cdots , g^{\alpha ^{N+v'-v+1}}\) and the \(v'(>v)\) degree polynomial \(F(x)=\prod _{i\in G^*}^{|G^*|}(x+ID_i)\). Hence, breaking the maximum number of accountability is the same as solving the \((N+i)-\) DHE(\(2\le i\le v-v'+1 \)) problem.    \(\square \)