Identity-Based Broadcast Encryption with Constant Size Ciphertexts and Private Keys

Orange Labs - Caen, France; ENS - Paris, France

Abstract. This paper describes the first identity-based broadcast encryption scheme (IBBE) with constant size ciphertexts and private keys. In our scheme, the public key is of size linear in the maximal size m of the set of receivers, which is smaller than the number of possible users (identities) in the system. Compared with a recent broadcast encryption system introduced by Boneh, Gentry and Waters (BGW), our system has comparable properties, but with a better efficiency: the public key is shorter than in BGW. Moreover, the total number of possible users in the system does not have to be fixed in the setup.

1 Introduction

Broadcast Encryption. The concept of Broadcast Encryption (BE) was introduced by Fiat and Naor in [16]. In BE schemes, a broadcaster encrypts messages and transmits them to a group of users who are listening to a broadcast channel and use their private keys to decrypt transmissions. At encryption time, the broadcaster can choose the set S of identities that will be able to decrypt messages. A BE scheme is said to be fully collusion resistant when, even if all users that are not in S collude, they can by no means infer information about the broadcast message. Many BE systems have been proposed [23,20,19,10,15]. The best known fully collusion-resistant systems are the schemes of Boneh, Gentry and Waters [10], which achieve $O(\sqrt{n})$-size ciphertexts and public key, or constant size ciphertexts, $O(n)$-size public key and constant size private keys in a construction that we denote by BGW1 in the following. A lot of systems make use of the hybrid (KEM-DEM) encryption paradigm, where the broadcast ciphertext only encrypts a symmetric key used to encrypt the broadcast contents. We will adopt this methodology in the following.

Dynamic Broadcast Encryption. The concept of Dynamic Broadcast Encryption (DBE) was introduced by Delerablée, Paillier and Pointcheval in [15]. A DBE scheme is a BE in which the total number of users is not fixed in the setup, with the property that any new user can decrypt all previously distributed messages. Thus a DBE scheme is suitable for some applications, like DVD encryption. Nevertheless, some applications like Video on Demand (VOD) need forward secrecy. This paper addresses this problem, in the identity-based setting.

K. Kurosawa (Ed.): ASIACRYPT 2007, LNCS 4833, pp. 200–215, 2007. © International Association for Cryptology Research 2007

ID-based Encryption. In 1984, Shamir [24] asked for a public key encryption scheme in which the public key can be an arbitrary string. Since the problem was posed in 1984, there have been several proposals for Identity-Based Encryption (IBE) schemes. However, we can consider that the first practical IBE scheme was introduced by Boneh and Franklin in 2001 [9]. Since 2001, several schemes have been introduced [14,26,12,8,7,6,17]. Concerning security, there are mainly two definitions:

1. Full security, which m