DOI QR코드

DOI QR Code

Public key broadcast encryption scheme using new converting method

  • Published : 2008.12.31

Abstract

Broadcast encryption is a cryptographical primitive which is designed for a content provider to distribute contents to only privileged qualifying users through an insecure channel. Anyone who knows public keys can distribute contents by means of public key broadcast encryption whose technique can also be applicable to many other applications. In order to design public key broadcast encryption scheme, it should devise some methods that convert a broadcast encryption scheme based on symmetric key cryptosystem to a public key broadcast encryption. Up to this point, broadcast encryption scheme on trial for converting from symmetric key setting to asymmetric public key setting has been attempted by employing the Hierarchical Identity Based Encryption (HIBE) technique. However, this converting method is not optimal because some of the properties of HIBE are not quite fitting for public key broadcast schemes. In this paper, we proposed new converting method and an efficient public key broadcast encryption scheme Pub-PI which is obtained by adapting the new converting method to the PI scheme [10]. The transmission overhead of the Pub-PI is approximately 3r, where r is the number of revoked users. The storage size of Pub-PI is O($c^2$), where c is a system parameter of PI and the computation cost is 2 pairing computations.

Keywords

Ⅰ. Introduction

Broadcast Encryption was designed for a content center to distribute some contents to only privileged users through an insecure channel. Even though, anyone can get encrypted contents, privileged users can only decrypt and obtain original contents. Moreover, in a broadcast encryption, it is assumed that set of privileged users changes drastically. Nowadays, there are many applications such as distribution of digital contents through the internet, satellite TV, pay-TV, contents protection of CD or DVD and so on.

In general, most of broadcast encryption systems is assumed to be stateless receiver. It means that each user's secret key should not be updated by the center at the initial stage. This assuption makes sense because each user is not always on-line and users' keys might be stored in the temper-resistant device. A session is defined as a time interval during which 샤uly one message or digital contents is transmitted. Regardless either revecati쟈戏 or not, each user's state should not be changeable during one session. In each session, digital contents are encrypted by a session key, SK. Thus broadcast encryption can execute in a efficient way so that the center sends safely the session key SK to only non-revoked users.

A broadcast encryption system is summarized as follows: In order to distribute a content M, the center first encrypts M using the session key SK and then broadcasts the encrypted message together with header, which consists of encrypted session keys and some information so that only non~revoked users can decrypt and get SK. Every non-revoked user decrypts SK from the beader of the transmitted message using its own secret key and then recovers M using SK, whereas any revoked user cannot obtain SK. In particular, broadcast encryption systems should be secure against collusion attack, that is, even when revoked users collude they can not obtain SK、When any possible collusion occurs in t revoked users, it is impossible to know SK. This is called /-resilient. A broadcast encryption system should satisfy r-resilient where r is the number of all revoked users in each session.

Discuss on the efficiency of broadcast encryption systems, the following three factors are considered, the transmission overhead, the storage size and the computation cost. These factors are closely related to the length of the header, the size of a user's secret keys and the computing time to decrypt SK from the given header, respectively. Especially, it is most important to minimize the transmission overhead as large as possible for maintaining proper computation cost and storage size.

In 1991, Berkovits [1] introduced the first broadcast encryption scheme. Since then, broadcast encryption schemes have been proposed. At the beginning stage, various broadcast encryption schemes were suggested, but tree based schemes became the main stream in broadcast encryption after Naor et al. [11] proposed the Complete Subtree(CS) method and the Subset Difference(SD) method based on tree structure in 2001. The Layered Subset Difference(LSD) method is a improved version of the SD method suggested by Halevy and Shamir [8] in 2002. In 2005 Jho et al. [10] introduced new approach, that is, Punctured Interval(PI) method based on linear structure which is very efficient broadcast encryption scheme reducing the transmission overhead remarkably. These CS, SD, LSD and PI are similar groups of subset cover system. In subset cover system, the center in advance defines subsets and its corresponding subset keys. Users are assigned some user keys from the center so that only users contained in a subset are able to compute the subset key corresponding to the subset. Then in each session the center divides the set of non-revoked users into several subsets and encrypts the session key by subset keys corresponding to each subset. Because each non-revoked user belongs to at least one subset, he/she can decrypt the message using the corresponding subset key.

These broadcast encryption schemes using subset cover method are basically based on symmetric key cryptosystem. In these schemes, only the trusted third party, typically the center, can encrypt and broadcast contents to users because the center only knows all subset keys. If anyone desires to distribute some contents, the individual need to know all subset keys. Hence in the case that the center and content provider are not same, either the content provider gives the full contents to the center or the center gives all secret subset keys to the provider. It is one of the biggest problems of symmetric key broadcast encryption. On the other side, broadcast encryptions based on public key cryptosystem enable anyone to broadcast some contents to specific users. Recently, as applications of broadcast encryption are complicated, public key broadcast encryptions become more important.

In order to design public key broadcast encryption scheme, it needs to consider methods that convert a broadcast encryption scheme based on symmetric key cryptosystem to a public key broadcast encryption. The simplest way is to convert each subset keys into a pair of public and secret keys. But this conversion process has a serious shortcoming because the size of public keys might be very long. Naor et al. [11] already mentioned about this problem and suggested to use of Identity-Based CryptographyQBE) in order to solve the problem. Since in the CS method each subset keys is chosen independently, IBE can be applied to the CS method. However, IBE is not adequate for the SD/LSD methods because each user should store a too many secret keys. In 2002 Dodis and Fazio proposed a method to overcome this shortcoming, which utilizes the notion of Hierarchical Identity-Based Encyption(iA\QE) in order to reform SD/LSD to the public key setting [5].

Our Main Result: According to the method of Dodis and Fazio, HIBE is directly applicable to the SD/LSD methods. So the transmission overhead of public key SD/LSD schemes are about k times bigger than the original SD/LSD, where k denotes the length of encryption of a HIBE scheme. On the other hand, k represents the depth in the hierarchy in HIBE of Gentry and Silverberg [7]. This method can also be applied to another subset cover system PI in order to meet the requirement toward the public key PI scheme. However this combination leaves much room for improvement since some properties of HIBE are not necessary for public key broadcast schemes.

We propose an efficient public key broadcast encryption scheme Pub-PI which is the extension to the public key setting of PI scheme in the symmetric key setting. This Pub-PI scheme increases the efficiency by removing unnecessary properties of HIBE when HIBE is used in broadcast encryption schemes. The transmission overhead of the Pub-PI is smaller than that of the public key PI obtained by the method of Dodis and Fazio as well as the previous public key SD/LSD. In fact, the transmission overhead of the Pub-PI is approximately 3r, where r is the number of revoked users. The storage size of Pub-PI is O(c2), where c is a system parameter of PI and the computation cost is 2 pairing computations. This result is obtained by using only basic c-intervals in PI scheme. Actu사ly, the method to design Pub-PI can be applied to any punctured intervals. Using punctured intervals, public key PI schemes with the reduced transmission overhead are realized at the cost of the storage size. That is, there is a trade-off between the transmission overhead and the storage size in our public key PI, such as in the original PI.

Ⅱ. Preliminaries

1. Hierarchical ID-based encryption

Hierarchical Identity Based Encryption(HIBE) is an extension of Identity Based Encryption(IBE). IBE is a public key cryptosystem used for identification of users in cooperation with public keys. Consequently, the authentication of public keys is not required and the size of public keys for each user can be reduced. In HIBE each user is included in a hierarchical tree structure and receives hierarchical identity which contains the information about his/her position in the hierarchical structure. Users at a level in the hierarchy can decrypt the message which is encrypted using hierarchical identities of users under the same level. Usually, HIBE has the root PKG as well as many additional lower-level PKGs to execute some load of root PKG. The root PKG generates only private keys of users in the next level; and other private keys are generated by lower-level PKGs. In fact, private keys of users are generated by their parent. So HIBE consists of the following five polynomial-time algorithms, (Root Setup, Lower-level Setup, Extract, Encrypt, Decrypt)

. Root Setup is a probabilistic algorithm which initialize the global parameters of the system by the Root PKG. Given a security parameter 1" , Root Setup generates system parameters params and a secret key master-key. Then, the PKG publishes params as the global public key and keeps masterkey secret.

. Lower-level Setup is a probabilistic algorithm executed by Lower-level PKGs to generate some secret information which may be used by Extract. Given an hierarchical identity HID = (IDe , IDt), (t > 0) and the corresponding secret key, then Lowerlevel Setup generates secret information, which is called Lower-level Secret.

. Extract is a (possibly) probabilistic algorithm used by Lower-level PKGs to derive private keys of their children. In other words, the Lower-level PKG with HID = (IDb ... , IDt) generates the private key corresponding to any of his children by using HID = (ID】, ..., IDt, IDt+i), params, Lower-level Secret and returns the private key corresponding to HID = (ID】, ..., IDt, IDt+i).

. Encrypt is a probabilistic algorithm which sends a message M securely to the user with hierarchical identifier HID and all his/her ancestor. Encrypt takes input params, HID and M and generates a ciphertext C.

. Decrypt is a deterministic algorithm used to recover the message M from a ciphertext C. Decrypt takes input params, HID, C and the private key d corresponding to HID and recovers M.

We present two HIBE algorithms proposed by Gentry and Silverberg [7] in 2002 and by Boneh, Boyen and Goh [2] in 2005.

HIBE - Gentry and Silverberg

. Root Setup: Given a security parameter F, Root Setup generates two cyclic groups Gt, G2 of a large prime order q and defines a bilinear map 2: G] x —> G2. Namely, for any P, Q u G】and a, bf, e(aP, bQ) = e(bP, aQ) = e(P, &ab ■ For randomly chosen W G】of order q and s。U Z" output params = (GHG2, e, R, 0, %), master key = Here Qo = and : {* 0, 1} — Gj and H2 ' G2^- {0, 1}" are cryptographic hash functions, modeled as random oracles (i.e., they output a truly random string on every input), and n is the length of the message encrypted.

. Lower-level Setup: Each user at level t > 1 picks a random local secret st U and keeps it secret. Recall that the root has secret 50.

. Extract: Assume that every user (IDb , IDt) at level t > 0 has a secret point S{ W Gend t-\ 'translation points' 2i, ... , 2m U G1 (notice, is in the public key) and we assume that So given to the root is the identity of G1. Recursively, to assign the secret key to its child (IDi, ... , IDt+i), the parent (IDb ... , IDt) computes Pt+\ = 2/i(IDi, ... , ID, +i) U , picks a random sr rLq, sets the child's secret point St+i = St + stPi+i, the child's final translation point Qt = sR” and sends to the child the values 5什], Qt together with its own /-I translation points ... , 2m-Unwrapping the notation, the child's secret key is (Sl+l.XU Qi …, 0 = sR)).

. Encrypt: To encrypt a message M {0, l}rt for (IDb ..., IDZ) using the public value Qo, compute Pi = H(IDi, ... , ID, ) U (% for all 1《i V t, choose a random r S Z% , set g =仓(Q0, rPe) u G2 and return C ^[rPQ, M® H2(g), rP2, ..., rPt]. Since the user(IDb ..., ID, ) is unable to decrypt the message using its 'translated' secret point additional values rP2, rPt should be given to the ciphertext. Combining them with secret translation points Q], 2m> the message Mis recovered by the following decrypt process.

. Decrypt: To decrypt C = [Uo, V, U2, …, 0] using £ and 2i, sQtf0 = e(UG, Sefj= e(Qi.uUe for 2 < z <Z and output (£.%.../)). To see the correctness of the decryption, notice that: fo = e(U0, S, )=街% £吊_£) = I[沧%s, _£) , 늬 i=l

HIBE - Boneh, Boyen and Goh

. Root Setup: Given a security parameter 1" and a system parameter I (this indicates the maximum depth of HIBE), Root Setup generates two cyclic groups (%, G2 of a large prime order q and defines a bilinear map 8:G]XG]—)G? . For randomly chosen 户 u G〔 of order q and s w , outputs params = (G, , G2Je, P, R, 3, 户3, ... , 0), master key = sP2. Here R = sP and P2, R, Qi, …, 0 are randomly chosen elements in .

. Lower-level Setup and Extract: To generate a private key 刁心 for an identity ID = (/b 4) u (Z*of depth kJ, using the master secret, pick a. random r Z? and output J|D = (sP2 + r (I\Q\ + ... + 40 + R), 次 r0+i, …, 尸0) W G]2"어 . Note that d\° becomes shorter as the depth of ID increases. The private key for ID can be generated incrementally, given a private key for the parent identity ID的=(7b h-i) e (Z;)히, as required. Indeed, let 曷匸)妇= (討2 + 时 (A2i + + 412^-1), 衬P, r'Qk, …, 저Q) = (이), ai, bk, be) be the private key for 1以」. To generate d心 pick a random t u and output 血= (佝 + % + t (I\Q\ + ... + L0 + P3), + tP, 缶十 1 + tQz, +, 0). This private key is a properly distributed private key for ID = (/b ..企 for 尸="+ Ff

.Encrypt: To encrypt a message M u G2 under the public key ID = (, , ..., 7Q e (Z * )\ pick a random. number u u and output C = ( e(Pb P2)v、M, vP, v(Zi0 + -+I«Qk + P3)) w G2 X G《.

. Decrypt: Consider an identity ID = (4, , If). To decrypt a given ciphertext C = (48Q using the private key 如=(S Z知 1, - bg), output A-e (句, Q / e(B, a0) = M. Indeed, for a valid ciphertext, we have

#

2. Punctured interval (PI) scheme

The punctured interval scheme is a broadcast encryption scheme using the subset cover method. Main difference between the PI and other broadcast encryptions using subset cover method is that the PI uses linear structure (i.e. all users are located on a straight line) unlike CS, SD, LSD using tree structure. In PI scheme, subset covering nonrevoked users is the p-punctured c-interval which is a set of at most c consecutive users containing at most p revoked users, where p > 0 and c 그。. The first user and the last user of one punctured interval must be nonrevoked users. The p-punctured c-interval starting from % and ending at Uj with q revoked users ux is denoted by P.处 * . Each p-punctured c-interval has one interval key (in fact, Ki j.x x is the interval key corresponding to p .), and every user in the punctured interval can obtain the corresponding interval key using his/her own user key. User keys are generated and distributed by the following method:

Key Generation and Distribution

Let ht: (0, 1}s t{0, 1}‘ be one-way permutations for /=0, l, ... where I denotes the length of encryption key. In order to assign one key to each ^-punctured c-interval, we should randomly choose N keys Ki」, K#, Knn to the corresponding users «i, uN. From each K*, the center constructs the one-way key chains under the following rule: For any possible p-punctured c-interval P starting from

. The one-way key chain consists only of the keys of all non-revoked users in P. There are no keys of the revoked users in the key chain.

. For any non-revoked user Uk u P, if the next user “奸] e P is also non-revoked then just apply h0 to the key of Uk to obtain the key of 姓h.

. If the next t users are revoked and the user uet+i w P is non-revoked then apply ht to the key of Uk to obtain the key of 以左+什 1, where 1 < z < /?.

The center assigns these keys to users so that the user uk receives Kk, k and all possible k.x x's, where z <xi < x2< ...<xt<k with 0 <p and 2 ek-i+1 £=c

Encryption

For each session, the center divides L into disjoint ppunctured c-intervals P、Pm e S[p-C), whose union covers all the non~revoked users, under the rule described above. Let P p be one of The , …, Xg last key K . of the key chain corresponding to P is called the interval key of P. Let's denote the interval key of Pp by K* for each ■" = I, 2, m, just for a matter of convenience. Then the center broadcasts:

<祕>两珈2, ..., 砂>”;E*, (SK), .誘(SK), ..., %(SK};琮(M)) where infou is information of P* the starting point ui , the end poin훌 u. and 财 revoked 맀sers.

Decryption

Receiving the encrypted message, each non-revoked user uk first locates the punctured interval that he/she belongs using the infers. L야 the punctured interval be P- .r , where i <j and k 手心, xa. Then uk can find K as follows:

. Find t for whichxt<k<x/+i, where 0 < t < q. Here, t = 0 and t = q mean that there is no wev양ked user before and after uk, respectively.

. Choose Kik.x 我 from the assigned user keys..

. Starting from Kikx x , apply one-way permutation h-s under the rule described in Key Generation until the second subscript reaches toy.

. The resulting key is then K.,.

With the above process, uk decrypts EK (SK)

and Es&M) to obtain the session key SK and the message M, respectively, in order.

Ⅲ. Our Scheme(Pub-PI)

For simplicity of explanation, we will discuss only basic cintervals (which is a set of at most c consecutive users containing no revoked user) and denote the c-interval starting from and ending uj by Rj.

. Root Setup: Given a security parameter F, Root Setup generates two cyclic groups Gt, G2 ofa large prime order q and defines a bilinear map 仓:G] x G] T G2 . Namely, for any P, Q Gr and a, b w Z詩(aP, bQ) = e (bP, aQ) = e (P, Q)ab. Assume that be a randomly chosen generator of G]. Place N users on a straight line L and index those users by integers in [1, N] so that the numbering has increasing order. For example, the left most user is indexed by 1 and the right most user is indexed by N. And the unique identity ID; is given to each, user For randomly chosen s0e Z?, Qq is defined by

The 이丄tput of Root Setup is paramo - (GpG2, e, Ao, go, L H2, L, c), m처st创” k승y 瞄 50- Here 1% : * (0, 1} — Gj and //2 : G2 {* 0, 1} are cryptographic hash functions, where n is the length of the encrypted message and c is a system parameter. In fact, c is a constant which represents the maximum length of key chains.

.K으y Generation: For each f(l 三 i V N), the key chain starting at /-th user with length c is generated by the following method: The first key in the key chain, that is, the key corresponding to P髭 is a pair (Kq = 5o R&i + s内G Qh =跖亀), where R耳=R(l。)and % w Z is randomly chosen. The next key is (Kg =+ 踞+i&汁 1, Qi, i+i ~ 汁i&), for Rj+i =上&(1[為 IDei) and randomly chosen 災心 w . Generally, the /-th key in the key chain is (K誓=$疽如 + 如 0丿=%R)), where R毎=HfiD, , and % e is randomly chosen. At last, each user ur receives all possible keys (Ks 0我)for i <t <k V".

.Encrypt: For each session, the sender divides L into disjoint e-intervals Pm, whose union covers all the non-revoked users. The broadcasting header corresponding to % -户”(1 瓦μM m) is: HDRA [SK 甫払(幻), "如%R”], where gll= e(Qiit, =e(K0, Rs j )弓皿 for randomly chosen rp.

.Decrypt: Note that every user contained in knows (Kj, 0j). With the encrypted message 터DR, 产 [SKEDHzeach user in Rj can decrypt the session key SK as follows: SK, 或 안)HJg/ = V①日2(仓(仏, 、;)/仓(Q, j, %)).

Remark that

#

Encryption

For each session, the center divides L into disjoint ppunctured c-intervals Pm e %;0, whose union covers all the non-revoked users, under the rule described above. Let P = p.j x x be one of P]s (“=1, …而).The last key Ki 八 x of the key chain corresponding to P is called the interval key of P. Let's denote the interval key of Pp by for each 〃 = 1, 2, m, just for a matter of convenience. Then the center broadcasts:

烦foiM。”..., 的。, , , ., 电(SK), EK1 (SK), (SK); Esk (M)) where infbp is information of the starting point ui , the end point Uj and qp revoked users.

Decryption

Receiving the encrypted message, each non-revoked user Uk first locates the punctured interv시 that he/she belongs using the infers. Let the punctured interval be P . , where i 勻 and k xq. Then uk can find Kirx x as follows:

Find t for which xt<k< x(+1, where Q < t < q. Here, t =0 and t = q mean that there is no revoked user before and after uk, respectively.

.Choose Kik.xe x from the assigned user keys..

Starting from K.. , apply one-way pennutation h/s under the rule described in Key Generation until the second subscript reaches to j.

.The resulting key is then K ...

With the above process, uk decrypts EK (SK) and Esk[M) to obtain the session key SK and the message M, respectively, in order.

Ⅲ. Our Scheme(Pub-PI)

For simplicity of explanation, we will discuss only basic cintervals (which is a set of at most c consecutive users containing no revoked user) and denote the c-interval starting from 既 and ending Uj by Pe.

. Root Setup: Given a security parameter F, Root Setup generates two cyclic groups Gt, G2 of a large prime order q and defines a bilinear map 仓:G] x G] —> G? . Namely, for any F, Q u G】and a, ft e Z, , e (aP, bQ) = e (bP, aQ) = e (P, Q)ab. Assume that R° be a randomly chosen generator of G[. Place N users on a straight line L and index those users by integers in [leV] so that the numbering has increasing order. For example, the left most user is indexed by 1 and the right most user is indexed by N. And the unique identity ID, is given to each user ub For randomly chosen s0 e , Qo is defined by 如R0. The output of Root Setup is params = (Gl, G2, e, Ro, Qo, 負, H2, L, c), master k으y = Here Hx : * {0, 1} — G1 and Z/2 : G2 {0, l}fl are cryptographic hash functions, where n is the length of the encrypted message and c is a system parameter. In fact, c is a constant which represents the maximum length of key chains.

Key Generation: For each < i < N), the key chain starting at z-th user with length c is generated by the following method: The first key in the key chain, that is, the key corresponding to P* is a pair (Ke = s0 + 阳丿加, =, , 宙0), where R毎=Hi(ID, ) and % e 7% is randomly chosen. The next key is (岛扣=sqRe + 阳+i&汁 1, 0汁 1 =昂, 讦囱), for 曲+1 = Hi(l以, ID/+I) and randomly chosen *计]e 气.Generally, the j'-th key in the key chain is g = + 防%, Qij = W?o), where 璃=Hi(IDb IDy) and 电 e rLq is randomly chosen. At last, each user ut receives all possible keys (K* for i <t <k <i+c.

Encrypt: For each session, the sender divides L into disjoint c-intervals P、Pm, whose union covers all the non-revoked users. The broadcasting header corresponding to Pp = P/7(l M 〃?) is: 니DR" = [SKeHegererej], where g广仓(* 0, 成, 》 =for randomly chosen rp.

Decrypt: Note that every user contained in Pijf knows (Kj, Qij)- With the encrypted message 니DR"= [*HSgK)">, rW = each user in Pjj can decrypt the session key SK as follows: SK =E Hg) =E H国AS 顷

Remark that

#

for small r and TOe.puncture<J}二 3r/2 as r grows. The storage size becomes SSe.punctured} = 0(c) and the computation cost is still 2 pairing computations.

2. Comparison

Previous work [이 Dodis and Fazio first proposed 나le method to extend a broadcast encryption system with related key structure such as the SD/LSD to a public key broadcast encryption in 2002. The efficiency of public key extension using their method is directly affected by the efficiency of HIBE since the method is the simple combination of BE and HIBE.

So in the case to use HIBE of Gentry and Silverberg in order to obtain the public key SD, the transmission overhead , the storage size and computation cost are (2r-l)log N, O(\oeN) and 2 pairing computations, respectively. It is because that the ciphertext for one subset among 2r-l subsets in SD has at most log N length and the number of secret keys stored by each user is log N times of number of user keys in SD. The pubic key size is 0(1). In the case to use HIBE of Boneh et al., the transmission overhead is 3(2r-l). The storage size and the computation cost is same to the above case. However the public key size increases to O(log N).

In HIBE, each user in has different secret keys from other users and users with different keys can decrypt the same ciphertext. But this property of HIBE is not a requirement of broadcast encryption. Because of this point, our extension method uses the modified HIBE removing this property to improve the efficiency of resulting public key BE system. As a result, the transmission overhead, the storage size, the computation cost and the public key size of Pub-PI are 3.(尸 +「(”-2尸)/曰), c(c+l), 2 pairing computations and 0(1), respectively.

Public Key Extension of PI by 티 Since PI scheme is much better than SD scheme in transmission overhead, we can easily guess that if the method in [5] can be applied to PI, the public key PI using [5] might have more efficient transmission overhead than the known public key SD. But so far there is no result applied the method to PI. In this subsection we explain public key extensions of PI using the method of Dodis and Fazio. In fact, these public key PI scheme don't have better efficiency than Pub-PI.

First we can define the hierarchical identifier HID assigning to each basic c~interval PQ as follows: HID(Rj)=(l0, ID», where IDf is the identity of z-th user. In initialization step, the center runs the Setup algorithm of a HIBE and publishes param. Then it makes public keys and corresponding secret keys for each interval % and sends the secret keys to each user in secure channel.

The key relative to a given interval % is extracted using the following method:

#

For i < t j, each key K* generated by above method is assigned to user ut as the secret key of ut. Note that ut already known also knows the next user's key Kj+i, but cannot obtain other keys K渾0+2 M k < j). Although ut cannot know the encrypted key used in order to transmit a message to users in 尸诺, he/she can decrypt the message by HIBE's property. The following two concrete instantiations are obtained by HIBE schemes of [2] and [7],

PI using HIBE of Gentry and Silverberg [7]: In HIBE of Gentry and Silverberg, each user ut in level t keeps (什 1) secret keys and the ciphertext for ut has the length t+2. When this HIBE is applied to the PI using c-interval, the number of secret keys of each user is maximum c times of the number of user keys in the PI, since for each chain in the PI all users located in the chain should store maximum c secret keys. Hence the storage size is O(c2). And the length of the ciphertext for one interval is at most c+2 because a message is encrypted by the secret key of last user in the c-interval. So total transmission overhead is about c(尸+「(7V-2r)/c] ) because the number of intervals is 尸 +「(TV — 2r) / c~|. The computation cost is at most c pairing computations because the decryption process for each user is exactly same to the decryption in HIBE. The public key size is still 0(1) as the HIBE.

PI using HIBE of Boneh et(2/. [2]: In HIBE of Boneh et al., each user in level t stores £ -t+2 secret keys where 0 is maximum depth in the HIBE. And the ciphertext contains 3 elements and decryption takes 2 pairings computations regardless of level. So in public key PI using this HIBE, the storage size is <9(c2) and the transmission overhead is 3( r +「(N-2尸)/c] ) and the computation cost is 2 pairing computations. However, the public key size increases to O(r).

Ⅴ. Conclusion

In order to design public key broadcast encryption schemes, it should consider methods that convert broadcast encryption scheme based on the symmetric key cryptosystem to the public key system. Until now, several trials extending of symmetric key setting broadcast encryption to public key setting were executed by directly applying HIBE to broadcast encryption system. However, this extension may be the best way, since some properties of HIBE are not proper to public key broadcast schemes. In this paper, we proposed an efficient public key broadcast encryption scheme Pub-PI which is obtained by adapting the concept of HIBE, but removing unnecessary properties of HIBE we can reduce the transmission overhead further. The transmission overhead of the Pub-PI is smaller than that of the public key PI obtained by the method of Dodis and Fazio as well as the public key SD/LSD scheme. In fact, the transmission overhead of the Pub-PI is approximately 3尸, where r is the number of revoked users. The storage size of Pub-PI is (9(c2), where c is a system parameter of PI and the computation cost is 2 pairing computations. This result is obtained using only basic c-intervals in PI scheme. Actually, the method for designing Pub-PI can be applied to any punctured intervals. Using punctured intervals, public key PI scheme with the reduced transmission overhead will be realized at the cost of the storage size.

References

  1. Berkovits, S.: 'How to broadcast a secret', In Advances in Cryptology - Eurocrypt'91, LNCS vol. 547, 1991, pp. 536-541
  2. Boneh, D., Boyen, X., and Goh, E.: 'Hierarchical identity based encryption with constant size ciphertext' , In Advances in Cryptology - Eurocrypt'05, LNCS vol. 3494, 2005, pp. 440-456
  3. Boneh, D., and Franklin, M.: 'Identity-based encryption from the Weil pairing', In Advances in Cryptology -Crypto'0I, LNCS vol. 2139, 2001, pp. 213-229
  4. Boneh, D., Gentry, C., and Waters, B.: 'Collusion resistant broadcast encryption with short ciphertexts and private keys'. In Advances in Cryptology - Crypto'05, LNCS vol. 3621,2005, pp. 258-275
  5. Dodis, Y., and Fazio, N.: 'Public key broadcast encryption for stateless receivers' . Proc. of the Digital Right Management Workshop'02, LNCS vol. 2696, 2002, pp. 61-80
  6. Fiat, A., and Naor, M.: 'Broadcast encryption', In Advances in Cryptology - Crypto'93, LNCS vol. 773, 1993, pp. 480-491
  7. Gentry, C., and Silverberg, A.: 'Hierarchical ID-based cryptography', In Advances in Cryptology - Asiacrypt'02, LNCS vol. 2501, 2002, pp. 548-566
  8. Halevi, D., and Shamir, A.: 'The LSD broadcast encryption scheme', In Advances in Cryptology - Crypto'02, LNCS vol. 2442, 2002, pp. 47-60
  9. Jho, N.-S., Cheon, J.H., Kim, M.-H., and Yoo, E.S.: 'Broadcast encryption $\pi$', http://eprint.iacr.org/2005/073, 2005
  10. Jho, N.-S., Hwang, J.Y., Cheon, J.H., Kim, M.-H., Lee, D.H., and Yoo., E.S.: 'One-way chain based broadcast encryption schemes', In Advances in Cryptology- Eurocrypt'05, LNCS vol. 3494, 2005, pp. 559-574
  11. Naor, D., Naor, M., and Lotspiech, J.: 'Revocation and tracing schemes for stateless receivers', In Advances in Cryptology - Crypto'0I, LNCS vol. 2139, 2001, pp. 41-62
  12. Naor, M., and Pinkas, B.: 'Efficient trace and revoke schemes', Proc. of Financial cryptography'00, LNCS vol. 1962,2000,pp.1-20