Adaptive CCA broadcast encryption with constant-size secret keys and ciphertexts
- PDF / 291,421 Bytes
- 15 Pages / 595.276 x 790.866 pts Page_size
- 70 Downloads / 174 Views
REGULAR CONTRIBUTION
Adaptive CCA broadcast encryption with constant-size secret keys and ciphertexts Duong-Hieu Phan · David Pointcheval · Siamak F. Shahandashti · Mario Strefler
Published online: 12 February 2013 © Springer-Verlag Berlin Heidelberg 2013
Abstract We consider designing public-key broadcast encryption schemes with constant-size secret keys and ciphertexts, achieving chosen-ciphertext security. We first argue that known CPA-to-CCA transforms currently do not yield such schemes. We then propose a scheme, modifying a previous selective CPA secure proposal by Boneh, Gentry, and Waters. Our scheme has constant-size secret keys and ciphertexts, and we prove that it is selective chosen-ciphertext secure based on standard assumptions. Our scheme has ciphertexts that are shorter than those of the previous CCA secure proposals. Then, we propose a second scheme that provides the functionality of both broadcast encryption and revocation schemes simultaneously using the same set of parameters. Finally, we show that it is possible to prove our first scheme adaptive chosen-ciphertext secure under reasonable extensions of the bilinear Diffie–Hellman exponent and the knowledge-of-exponent assumptions. We prove both This is the full version of a paper by the same title appearing in the proceedings of ACISP 2012 [35]. D.-H. Phan · D. Pointcheval · S. F. Shahandashti (B) · M. Strefler École Normale Supérieure, 45 rue d’Ulm, 75005 Paris, France e-mail: [email protected] D.-H. Phan e-mail: [email protected] D. Pointcheval e-mail: [email protected] M. Strefler e-mail: [email protected] D.-H. Phan · S. F. Shahandashti Université de Paris 8, Paris, France D.-H. Phan · D. Pointcheval · S. F. Shahandashti · M. Strefler CNRS, Paris, France D.-H. Phan · D. Pointcheval · M. Strefler INRIA, Paris, France
of these extended assumptions in the generic group model. Hence, our scheme becomes the first to achieve constant-size secret keys and ciphertexts (both asymptotically optimal) and adaptive chosen-ciphertext security at the same time. Keywords Public-key cryptography · Broadcast encryption · Adaptive CCA security · Revocation scheme · GBDHE assumption · Knowledge-of-exponent assumption
1 Introduction A broadcast encryption is a cryptographic scheme that enables encryption of broadcast content such that only a set of target users, selected at the time of encryption, can decrypt the content. Apparent applications include group communication, pay TV, content protection, file system access control, and geolocation. A crucial aspect of any cryptographic scheme, which arguably decides its fate of being used in practice, is its efficiency. Since one of the most prominent applications of broadcast encryption is real-time broadcasting, ciphertext size is at the heart of efficiency measures for such schemes, and constructions with constant-size ciphertexts are desirable. Indeed, if one allows the ciphertext size to grow linearly with the number of target users, construction of secure broadcast encryption becomes trivial. Other important
Data Loading...
