Adaptively secure identity-based broadcast encryption with a constant-sized ciphertext


University of Wollongong, Research Online. Faculty of Engineering and Information Sciences - Papers: Part A. Faculty of Engineering and Information Sciences, 2015.

Adaptively secure identity-based broadcast encryption with a constant-sized ciphertext

Jongkil Kim, University of Wollongong, jk057@uowmail.edu.au
Willy Susilo, University of Wollongong, wsusilo@uow.edu.au
Man Ho Au, Hong Kong Polytechnic University, aau@uow.edu.au
Jennifer Seberry, University of Wollongong, jennie@uow.edu.au

Publication Details: Kim, J., Susilo, W., Au, M. H. & Seberry, J. (2015). Adaptively secure identity-based broadcast encryption with a constant-sized ciphertext. Transactions on Information Forensics and Security, 10 (3).

Research Online is the open access institutional repository for the University of Wollongong. For further information contact the UOW Library: research-pubs@uow.edu.au

Disciplines: Engineering; Science and Technology Studies.

TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY

Adaptively Secure Identity-Based Broadcast Encryption With a Constant-Sized Ciphertext

Jongkil Kim, Willy Susilo, Senior Member, Man Ho Au, Member, and Jennifer Seberry, Senior Member

Abstract. In this paper we present an adaptively secure identity-based broadcast encryption system featuring constant-sized ciphertext in the standard model. The sizes of the public key and of the private keys of our system are both linear in the maximum number of receivers. In addition, our system is fully collusion-resistant and has stateless receivers. Compared with the state of the art, our scheme is well optimized for broadcast encryption: the computational complexity of decryption depends only on the number of receivers, not on the maximum number of receivers of the system. Technically, we employ the dual system encryption technique, and our proposal offers adaptive security under the general subgroup decisional assumption. Our scheme demonstrates that the adaptive security of schemes utilizing a composite order group can be proven under the general subgroup decisional assumption, while many existing systems working in a composite order group are secure under multiple subgroup decision assumptions. We note that this finding is of independent interest and may be useful in other scenarios.

Index Terms: Cryptography, public key, broadcast encryption, identity-based broadcast encryption.

I. INTRODUCTION

Broadcast encryption (BE) [] is a cryptographic primitive in which multiple receivers share encrypted data with a sender. In BE, a sender chooses the set of receivers adaptively and encrypts secret data for them. The encrypted data can only be decrypted by recipients included in the set of receivers. BE has many practical applications, such as secure databases and Digital Rights Management (DRM) systems, including DVD and Pay TV solutions. The security of BE is defined by the security model it follows.
A BE scheme is adaptively secure [] if it allows the adversary to declare the set that he/she wants to attack after seeing the public parameters and after compromising private keys, under the restriction that the adversary cannot possess any decryption key of the users in the target set. Selective security [], by comparison, requires the adversary to decide the target set before the system parameters are chosen. Selective security is a weaker notion, but it is relatively easier to achieve. Broadcast encryption was extended to identity-based broadcast encryption (IBBE) [4], [5], in which each receiver is identified by his/her unique identity, as in identity-based encryption (IBE) [6]. As identities are arbitrary bit-strings, an IBBE should support exponentially many users as potential receivers. This implies that for an IBBE to be practical, the sizes of parameters such as the public parameters, private keys and ciphertexts must not be related to the total number of users in the system. IBBE is often simplified to mID-KEM (multiple identity-based key encryption scheme) [7], [8], which is the cryptographic primitive combining identity-based encryption and mKEM (multiple-receiver key encapsulation mechanism).

Manuscript received July 4, 2014; revised October 8, 2014; accepted December 2014. Date of publication January 2015. The associate editor coordinating the review of this manuscript and approving it for publication was Prof. Shouhuai Xu. (Corresponding author: Willy Susilo.) J. Kim, W. Susilo and J. Seberry are with the Centre for Computer and Information Security Research, School of Computer Science and Software Engineering, University of Wollongong, Wollongong, NSW 2522, Australia (e-mail: jk057@uowmail.edu.au; wsusilo@uow.edu.au; jennie@uow.edu.au). M. H. Au is with the Department of Computing, Hong Kong Polytechnic University, Hong Kong (e-mail: csallen@comp.polyu.edu.hk). Digital Object Identifier 10.1109/TIFS
In mID-KEM [9] and mKEM, multiple parties share a secret key for their future secure communications, which are then protected by symmetric cryptographic algorithms. A trivial solution to broadcast is to encrypt the same message under each receiver's public key. However, this trivial solution has a ciphertext size linear in the number of receivers. Thus, the goal of broadcast encryption is to reduce this size. Although there are several realizations of broadcast encryption that allow polynomially many users in the system while reducing the size of the ciphertext, achieving an IBBE scheme with efficiently sized parameters remains a difficult problem, because it has to support exponentially many users in the system using the limited entropy provided by the public parameters. An IBBE should satisfy several important properties. First, an IBBE scheme should be fully collusion resistant [0], []. This property requires that even if all the users collude, they should not be able to learn anything about the message if none of the colluding users is included in the set of receivers for the broadcast. The stateless receivers property [] is also important for the efficiency of the system. If an IBBE scheme does not have stateless receivers, it must distribute private keys again whenever there is a change in the set of receivers. In this paper we introduce an adaptively secure IBBE scheme achieving a constant-sized ciphertext in the standard model.

TABLE I: Comparison between previous IBBE schemes and ours. (Table body not reproduced in this transcription.)

Our scheme allows exponentially many users in the system, but the maximum number of recipients in a broadcast is fixed at system setup. Our scheme is also fully collusion resistant and features stateless receivers. In order to prove the adaptive security of our scheme, we use dual system encryption [], [5]. Our IBBE scheme achieves a constant-sized ciphertext assuming only the General Subgroup Decision (GSD) Assumption [6], which is static and simple.

II. PRELIMINARIES

Several existing broadcast encryption schemes [], [], [7], [8] achieve constant-sized ciphertext. While they are secure in the standard model, these schemes support only polynomially many users, because they have parameters such as public keys or private keys which increase linearly with the total number of users in the system. In these systems the users are normally labelled from 1 to n. Gentry and Waters [] suggested the first adaptively secure identity-based scheme having sub-linear sized ciphertext. First, they introduced an IBBE scheme in which a linear-sized Tag is included in the ciphertext to allow exponentially many users in the system. Subsequently, they suggested a way to achieve sub-linear sized ciphertext by reusing the Tag of the original scheme and increasing the size of the other ciphertext components from constant to sub-linear. Lewko, Sahai and Waters [9] introduced a revocation scheme based on a revocation system [], [0], which achieves broadcast encryption not by including users but by revoking users. The size of the parameters does not depend on the total number of users in the system. However, the size of the ciphertext increases linearly with the number of revoked users in their scheme. In addition, while its parameters do not depend on the total number of users in the system, adaptive security has only been proved when a polynomial number of users is allowed.
The system can only be proven selectively secure if exponentially many users are to be supported. Similarly, an adaptively secure Key-Policy Attribute-Based Encryption (KP-ABE) scheme featuring constant-sized ciphertext and supporting exponentially many attributes was introduced by Attrapadung []. As broadcast encryption is a special case of KP-ABE in which the policy consists only of OR-gates, their scheme is also relevant to our discussion. We analyze this scheme when it works as a broadcast encryption scheme and find that our scheme is more efficient: the size of the ciphertext and the number of pairing computations for decryption in our scheme are two thirds of theirs. Also, the security of their scheme depends on q-type assumptions, while our scheme depends on simple assumptions. There are three IBBE systems using multilinear maps []. Due to the properties of multilinear maps, they can be very efficient. However, although the number of group elements in a ciphertext is constant, the size of the group elements is O(log N). Also, the security of these systems depends on q-type assumptions, which is undesirable. Attrapadung and Libert [] introduced the first IBBE scheme having a constant-sized ciphertext, as an application of Inner Product Encryption (IPE). Since broadcast encryption can be interpreted as a special case having only OR-gates between recipients, broadcast encryption can also be achieved by IPE. Their scheme is constructed in a prime order group and has a constant-sized ciphertext, although the sizes of a private key and of the public parameters of their scheme increase linearly with the maximum number of receivers in the system. To achieve this, they used dual system encryption. Their scheme depends on standard assumptions (the hardness of the Decision Linear Problem (DLIN) and of the Decision Bilinear Diffie-Hellman Problem (DBDH)). However, their scheme is designed for IPE and is not well adapted to an IBBE system.
Some important features are missing from their construction for this reason. The security of their system fails if only one receiver is included in a ciphertext, because their n-wise independence argument does not hold. Also, their computational complexity can be reduced when IPE is used to construct IBBE. They also achieved an adaptively secure broadcast encryption scheme by applying dual system encryption to [4]. However, this scheme requires a subgroup decisional assumption which cannot be reduced to the General Subgroup Decision (GSD) Assumption. We compare our scheme with the existing schemes; the result is summarized in Table I. We note that we also use IPE for IBBE, as in []. Nevertheless, we optimize the IPE scheme to support IBBE. Hence, in addition to a constant-sized ciphertext, the computational complexity of our scheme depends only on the number of receivers of a broadcast. Also, we observe that there exists a possible failure in the security if only one receiver is included in an encryption, and we provide a practical solution for this. Furthermore, the security of our system depends only on the GSD assumption. As a result, our adaptively secure IBBE features low-cost decryption by achieving a constant-sized ciphertext and low computational complexity for the decryption process. More importantly, our decryption algorithm depends only on the number of receivers of the ciphertext instead of the maximum number of receivers, which is part of the system parameters. This offers a big advantage in comparison to the other schemes.

A. Our Technique

The traditional way to prove the security of broadcast encryption is to use q-type assumptions and to partition the key space by the set of identities of receivers and the others [], []. Dual system encryption [], introduced by Waters, gives a breakthrough in security proof methodology by introducing the concept of semi-functional keys and ciphertexts, which are only used in the security proof. However, proving the invariance between a semi-functional key and a normal key is still challenging, because the simulator can detect this correlation by generating a semi-functional ciphertext, which can be decrypted only by a normal key, to distinguish whether the key is semi-functional or normal. Dual system encryption is used widely to prove the security of protocols including BE [], [9], [5], [6]. Lewko and Waters [4] suggested a way to solve this problem. In their suggestion, when the algorithm generates a semi-functional ciphertext, the ciphertext is correlated with the semi-functional keys. This means that if a valid semi-functional key is used to decrypt a semi-functional ciphertext, the semi-functional key does not hinder decryption and works like a normal key; but this correlation between the semi-functional key and the ciphertext is hidden from the adversary, who cannot query a valid key for the challenge ciphertext.
Although nominal semi-functionality is very helpful for proving security, hiding the correlation is not trivial if the system has to support exponentially many users with limited entropy. Lewko and Waters [7] introduced a technique to overcome the shortage of randomness. To amplify the entropy, they localize semi-functional spaces by introducing an ephemeral semi-functional space, which is only used to prove the key invariance between a normal key and a semi-functional key. The random values hiding the correlation between the key and the ciphertext are used only in the ephemeral semi-functional space. The semi-functional spaces then share only random values which do not interfere with hiding this correlation in the ephemeral semi-functional space. We prove the security of our scheme similarly to [7]. However, we prove the adaptive security of our system using the General Subgroup Decision (GSD) Assumption [6] only. Specifically, when [7] proved the semi-functional invariance of their scheme, they used an assumption which cannot be reduced to GSD. In contrast, we prove semi-functional invariance without this assumption. Hence, the security of our scheme relies on fewer assumptions than the Lewko and Waters scheme [7]. Our IBBE scheme achieves adaptive security by combining dual system encryption [] with an n-wise pairwise independence argument []. However, the n-wise independence argument does not hold if only one receiver is included in the system. Hence, we first restrict our scheme so that the number of receivers is larger than 1. Then we provide a practical way to overcome this restriction. The computational complexity of the decryption algorithm of our scheme depends only on the number of receivers.

B. Broadcast Encryption Systems

Our broadcast encryption scheme consists of four algorithms, namely setup (Setup), private key generation (KeyGen), encryption (Enc) and decryption (Dec), as defined below.
Setup($\lambda$, n, l) takes as input the number of receivers (n) and the maximal size of a broadcast recipient group ($l \le n$). It outputs a public/master secret key pair (PK, MSK).

KeyGen(i, MSK) takes as input an index $i \in \{1, \ldots, n\}$ and the secret key MSK. It outputs a private key $d_i$.

Enc(S, M, PK) takes as input a subset $S \subseteq \{1, \ldots, n\}$, a message M and a public key PK. If $|S| \le l$, it outputs a ciphertext CT.

Dec(S, i, $d_i$, CT, PK) takes as input a subset $S \subseteq \{1, \ldots, n\}$, an index $i \in \{1, \ldots, n\}$, a private key $d_i$ for i, a ciphertext CT and the public key PK. If $|S| \le l$ and $i \in S$, then the algorithm outputs the message M.

Correctness: the following property must be satisfied. For $S \subseteq \{1, \ldots, n\}$ where $|S| \le l \le n$, let $(PK, MSK) \leftarrow$ Setup($\lambda$, n, l), $d_i \leftarrow$ KeyGen(i, MSK) for $i \in [1, n]$ and $CT \leftarrow$ Enc(S, M, PK). Then, if $i \in S$, Dec(S, i, $d_i$, CT, PK) = M. It should be noted that the definition of BE above is general enough to describe IBBE.

C. Security Definition

We define the adaptive security model of IBBE. This basically follows the adaptive security model of []; the only difference is that we adapt it to an ordinary IBBE scheme, while the adaptive security model of [] is for a key encapsulation scheme. Both the adversary and the challenger are given as input l and n, i.e., the maximal size of a set of receivers S and the maximum number of users in the system, respectively.

Setup: The challenger runs Setup($\lambda$, n, l) to obtain a public key PK. It gives A the public key PK.

Phase I: The adversary A adaptively issues private key queries for identities $i \in \{1, \ldots, n\}$.

Challenge: When Phase I is over, the attacker declares two equal-length messages $M_0$ and $M_1$ and a challenge set S, where $S \subseteq \{1, \ldots, n\}$ and the identities in S have never been queried in Phase I. If $|S|$ is larger than l, the challenger outputs $\bot$. Otherwise, the challenger randomly selects $b \in \{0, 1\}$ and runs the encryption algorithm to obtain $CT =$ Enc(S, $M_b$, PK). The challenger returns CT to A.

Phase II: The adversary A adaptively issues private key queries as in Phase I, with the added restriction that the identities satisfy $i \notin S$.

Guess: Finally, the adversary A outputs a guess $b' \in \{0, 1\}$ and wins the game if $b' = b$. We define the advantage of an adversary A in attacking the identity-based broadcast encryption system IBBE with inputs $(n, l, \lambda)$ as
$$\mathrm{Adv}^{IBBE}_{A,n,l}(\lambda) := \left|\Pr[b = b'] - 1/2\right|.$$
We say that an identity-based broadcast encryption system IBBE is adaptively secure if $\mathrm{Adv}^{IBBE}_{A,n,l}(\lambda) = \epsilon$ is negligible for all PPT algorithms A.

D. Composite Order Bilinear Groups

We briefly describe the important properties of composite order bilinear groups, which were introduced in [8]. Let $\mathcal{G}$ be a group generation algorithm taking a security parameter $\lambda$ as input and outputting a description of a bilinear group G. For our purposes, $\mathcal{G}$ outputs $(p_1, p_2, p_3, G, G_T, e)$, where $p_1, p_2, p_3$ are distinct primes, G and $G_T$ are cyclic groups of order $N = p_1 p_2 p_3$, and $e: G \times G \to G_T$ is a map such that:

1. (Bilinear) $\forall g, h \in G$, $\forall a, b \in \mathbb{Z}_N$: $e(g^a, h^b) = e(g, h)^{ab}$.
2. (Non-degenerate) $\exists g \in G$ such that $e(g, g)$ has order N in $G_T$.

We assume that the group operations in G and in $G_T$, as well as the bilinear map e, are computable in polynomial time with respect to $\lambda$, and that the group descriptions of G and $G_T$ include generators of the respective cyclic groups. We let $G_{p_1}$, $G_{p_2}$ and $G_{p_3}$ denote the subgroups of order $p_1$, $p_2$ and $p_3$ in G, respectively. We note that when $h_i \in G_{p_i}$ and $h_j \in G_{p_j}$ for $i \neq j$, $e(h_i, h_j)$ is the identity element in $G_T$ (i.e., $e(h_1, h_2) = 1$). This orthogonality property of $G_{p_1}, G_{p_2}, G_{p_3}$ will be used to implement semi-functionality in our constructions.

E. Complexity Assumption

Our scheme is adaptively secure under the General Subgroup Decision (GSD) assumption [6]. To avoid duplicate statements in the security proof and to show clearly which GSD instances are used, we include Assumptions 1, 2 and 3, which are special cases of GSD.
General Subgroup Decision (GSD) Assumption [6]: Let $\mathcal{G}(1^\lambda)$ be a group generator and $Z_0, Z_1, Z_2, \ldots, Z_k$ be a collection of non-empty subsets of $\{1, 2, 3\}$, where each $Z_i$ for $i \ge 2$ satisfies either (1) or (2) below:
$$Z_0 \cap Z_i = \emptyset \ \text{and}\ Z_1 \cap Z_i = \emptyset \quad (1)$$
$$Z_0 \cap Z_i \neq \emptyset \ \text{and}\ Z_1 \cap Z_i \neq \emptyset \quad (2)$$
Then we define the following distribution:
$$\mathbb{G} = (N = p_1 p_2 p_3, G, G_T, e) \leftarrow \mathcal{G}(1^\lambda),\quad g_{Z_2} \leftarrow G_{Z_2}, \ldots, g_{Z_k} \leftarrow G_{Z_k},$$
$$D = (\mathbb{G}, g_{Z_2}, \ldots, g_{Z_k}),\quad T_0 \leftarrow G_{Z_0},\quad T_1 \leftarrow G_{Z_1}.$$
With the fixed collection of sets $Z_0, \ldots, Z_k$, we define the advantage of an algorithm A in breaking this assumption to be
$$\mathrm{Adv}^{GSD}_{\mathcal{G},A}(\lambda) := \left|\Pr[A(D, T_0) = 1] - \Pr[A(D, T_1) = 1]\right|.$$
We define three assumptions as special cases of the GSD assumption. For each assumption, given a group generator $\mathcal{G}(1^\lambda)$, we define the following distribution: $\mathbb{G} = (N = p_1 p_2 p_3, G, G_T, e) \leftarrow \mathcal{G}(1^\lambda)$.

Assumption 1 (a special case of the GSD assumption with $Z_0 = \{1, 2\}$, $Z_1 = \{1\}$):
$$g \leftarrow G_{p_1},\quad D = (\mathbb{G}, g),\quad T_1 \leftarrow G_{p_1 p_2},\quad T_2 \leftarrow G_{p_1}.$$

Assumption 2 (a special case of the GSD assumption with $Z_0 = \{1\}$, $Z_1 = \{1, 2\}$):
$$g, X_1 \leftarrow G_{p_1},\quad g_3 \leftarrow G_{p_3},\quad X_2 \leftarrow G_{p_2},\quad D = (\mathbb{G}, g, g_3, X_1 X_2),\quad T_1 \leftarrow G_{p_1},\quad T_2 \leftarrow G_{p_1 p_2}.$$

Assumption 3 (a special case of the GSD assumption with $Z_0 = \{1, 3\}$, $Z_1 = \{1, 2, 3\}$):
$$g, X_1 \leftarrow G_{p_1},\quad X_2, Y_2 \leftarrow G_{p_2},\quad g_3, Y_3 \leftarrow G_{p_3},\quad D = (\mathbb{G}, g, g_3, X_1 X_2, Y_2 Y_3),\quad T_1 \leftarrow G_{p_1 p_3},\quad T_2 \leftarrow G.$$

In some lemmas the roles of $p_2$ and $p_3$ in Assumption 2 are reversed.

III. OUR IBBE CONSTRUCTION

A. Construction

Let i be an identity of a user in the system and S be a set of identities of recipients for a broadcast. Also, we define the maximum number of receivers l. We restrict the number of receivers to be greater than 1.

Setup($\lambda$, l, n): The setup algorithm takes n, l and the security parameter $\lambda$ as input. It chooses a bilinear group G of order $N = p_1 p_2 p_3$, where $p_1$, $p_2$ and $p_3$ are distinct primes. Then the algorithm generates $g, u, w, v, h \in G_{p_1}$, where $G_{p_i}$ is the subgroup of G of order $p_i$, and also randomly generates the master secret key $MSK = \{\delta, \ldots\}$ in $\mathbb{Z}_N$. It outputs
$$PK = \big(g, u, w, v^{\alpha_j}, e(g, h)^{\delta} : j \in [0, l]\big).$$

KeyGen(MSK, PK, i): Generate $y_i, r_i \in \mathbb{Z}_N$ randomly for identity i, and set $X := (x_l, \ldots, x_1, x_0) = (i^l, \ldots, i^1, i^0)$. Using MSK and PK, it sets
$$d_i := \big(K_0, K_1, K_2, K_j : j \in [l]\big) = \Big(g^{\delta} w^{y_i},\ h^{y_i},\ v^{y_i} u^{r_i},\ h^{(-\alpha_0 x_j / x_0 + \alpha_j) r_i} : j \in [l]\Big).$$
It should be noted that $x_0$ is fixed as $i^0 = 1$.
However, we leave it in the definition to clarify the correctness.

Enc(PK, M, S): First, the encryption algorithm parses S as $\{i_1, \ldots, i_k\}$ and sets $Z = (z_l, \ldots, z_0)$, where $z_j$ is the coefficient of $z^j$ in $\prod_{j=1}^{k} (z - i_j)$. With randomly generated $s, t \in \mathbb{Z}_N$, it sets
$$CT := (C, C_0, C_1, C_2, C_3) = \Big(M\, e(g, h)^{\delta s},\ h^s,\ w^s v^{\langle \alpha, Z\rangle t},\ h^{\langle \alpha, Z\rangle t},\ u^t\Big),$$
where $\alpha = (\alpha_l, \ldots, \alpha_0)$.

TABLE II: The recommended size of the parameters for primes [9]. (Table body not reproduced in this transcription.)

Decrypt(S, i, $d_i$, CT, PK): Suppose $i \in S$. The decryption algorithm calculates Z and outputs
$$D = \frac{e(K_0, C_0)\, e(K_2, C_2)}{e(K_1, C_1)\, e\big((K_1)^{z_1} \cdots (K_k)^{z_k}, C_3\big)} = e(g, h)^{\delta s},$$
and then outputs the message $M = C / D$.

Correctness: D can be computed as follows.
$$E = \frac{e(K_0, C_0)\, e(K_2, C_2)}{e(K_1, C_1)} = \frac{e(g^{\delta} w^{y_i}, h^s)\, e(v^{y_i} u^{r_i}, h^{\langle \alpha, Z\rangle t})}{e(h^{y_i}, w^s v^{\langle \alpha, Z\rangle t})} = \frac{e(g,h)^{s\delta}\, e(h,w)^{s y_i}\, e(h,v)^{\langle \alpha, Z\rangle t y_i}\, e(h,u)^{t r_i \langle \alpha, Z\rangle}}{e(h,w)^{s y_i}\, e(h,v)^{\langle \alpha, Z\rangle t y_i}} = e(g,h)^{s\delta}\, e(h,u)^{t r_i \langle \alpha, Z\rangle}$$
$$F = e\big((K_1)^{z_1} \cdots (K_k)^{z_k}, C_3\big) = e\Big(\prod_{j=1}^{k} \big(h^{z_j(-\alpha_0 x_j / x_0 + \alpha_j)}\big)^{r_i}, u^t\Big) = e\Big(h^{(-\alpha_0 (\sum_{j=1}^{k} z_j x_j)/x_0 + \sum_{j=1}^{k} z_j \alpha_j)\, r_i}, u^t\Big) = e\Big(h^{(\alpha_0 z_0 + \sum_{j=1}^{k} \alpha_j z_j)\, r_i}, u^t\Big) = e(h,u)^{t r_i \langle \alpha, Z\rangle}$$
As i is a root of $\prod_{j=1}^{k}(z - i_j)$, $\langle X, Z\rangle = \sum_{j=0}^{k} x_j z_j = 0$; this also implies that $\sum_{j=1}^{k} x_j z_j = -z_0 x_0$. Therefore $D = E/F = e(g,h)^{s\delta}$.

We restricted our scheme to have $|S| \ge 2$. However, this can be accommodated by reserving one identity when the system is set up and including this identity whenever the encrypting party wants to share a secret with only one user. It should be noted that the private key for this reserved identity must not be given to any user.

B. Choice of Parameters

The size of the parameters is determined by the security level which a broadcast system aims to achieve. In our construction N is the product of three primes. The factors of N must not be revealed to attackers. We recommend the size of N based on the result of Guillevic [9] in Table II, for security levels equivalent to those of AES. The sizes are calculated based on the Number Field Sieve attack and the Elliptic Curve Method attack [0]. The minimum size of the parameters is calculated based on cost (time) equivalence, while the maximum size is computed based on computational equivalence [0].

IV. SECURITY ANALYSIS

In order to prove the security of our scheme, dual system encryption is used. The security is proved through the invariance of a sequence of security games.

A. Security Properties for the Dual System Encryption IBBE

Before we present the security proof of our construction, we define semi-functional keys and a semi-functional ciphertext, which are not used in the real system but are necessary in the proof. In the definitions, $g_2$ and $g_3$ denote generators of $G_{p_2}$ and $G_{p_3}$, respectively. In order to create semi-functional keys we first generate $\psi, \sigma \in \mathbb{Z}_N$. These parameters are shared by all semi-functional keys regardless of the identity i.

Semi-Functional Key: Let $(K_0, K_1, K_2, K_j : j \in [l])$ be a normal key generated by the key generation algorithm. Then we randomly select $\tilde{y}_i \in \mathbb{Z}_N$ for the identity i and define a semi-functional key as
$$K_0' = K_0 (g_2 g_3)^{\psi \tilde{y}_i},\quad K_1' = K_1 (g_2 g_3)^{\sigma \tilde{y}_i},\quad K_2' = K_2 (g_2 g_3)^{\tilde{y}_i},\quad K_j' = K_j : j \in [l].$$

Semi-Functional Ciphertext: Let $(C, C_0, C_1, C_2, C_3)$ be a properly distributed normal ciphertext. Then, with randomly generated $a, b \in \mathbb{Z}_N$, a semi-functional ciphertext is defined as
$$C' = C,\quad C_0' = C_0\, g_2^{a},\quad C_1' = C_1\, g_2^{b},\quad C_2' = C_2,\quad C_3' = C_3.$$

Semi-functional keys are only able to decrypt a normal ciphertext and not a semi-functional ciphertext, whereas normal keys can decrypt both a normal and a semi-functional ciphertext. We now prove that no PPT algorithm distinguishes the following security games with non-negligible advantage.

$\mathrm{Game}_{Real}^{IBBE}$: This is the real game following the adaptive security model of IBBE. All private keys and the challenge ciphertext are normal.

$\mathrm{Game}_{k}^{IBBE}$: This is identical to $\mathrm{Game}_{Real}^{IBBE}$ except for the types of the private keys and of the ciphertext. In this game the first k keys are semi-functional keys, the rest of the keys are normal keys, and the challenge ciphertext is semi-functional.

$\mathrm{Game}_{Final_1}^{IBBE}$: This is identical to $\mathrm{Game}_{q}^{IBBE}$, where q is the total number of key queries, except for the private keys.
In this game, random elements from $G_{p_3}$ are added to the $K_2, K_3, \ldots, K_l$ components of all semi-functional keys.

$\mathrm{Game}_{Final_2}^{IBBE}$: This is identical to $\mathrm{Game}_{Final_1}^{IBBE}$ except for the challenge ciphertext. In this game the challenge ciphertext is similar to the semi-functional ciphertext, but all components except C have additional random elements from $G_{p_3}$.

$\mathrm{Game}_{Final_3}^{IBBE}$: This is identical to $\mathrm{Game}_{Final_2}^{IBBE}$ except for the challenge ciphertext. In this game the first component C of the challenge ciphertext is replaced by a random element of $G_T$.

Theorem 1: Our IBBE system is adaptively secure under the General Subgroup Decision Assumption.

Proof: This is proved by Lemmas 1 to 7.

Lemma 1 (Semi-Functional Ciphertext Invariance): Suppose there exists a polynomial time algorithm A such that $\mathrm{Game}_{Real}^{IBBE}\mathrm{Adv}_A - \mathrm{Game}_{0}^{IBBE}\mathrm{Adv}_A = \epsilon$. Then we can construct a polynomial time algorithm B with advantage $\epsilon$ in breaking Assumption 1.

Proof: B is given g, T. It will simulate $\mathrm{Game}_{Real}^{IBBE}$ or $\mathrm{Game}_{0}^{IBBE}$ with A. It chooses random exponents $y_u, y_w, y_v, y_h, \alpha_0, \ldots, \alpha_l, \delta \in \mathbb{Z}_N$, keeps the given g as g, and sets $u = g^{y_u}$, $w = g^{y_w}$, $v = g^{y_v}$, $h = g^{y_h}$. It publishes the public parameters $PK = (g, u, w, v^{\alpha_j}, e(g, h)^{\delta} : j \in [0, l])$. B also generates normal keys by the key generation algorithm, because it knows both PK and MSK. In the challenge, A sends B two messages $M_0, M_1$ and the set of receivers S. To make the challenge ciphertext, B calculates $Z = (z_l, \ldots, z_0)$, where $z_j$ is the coefficient of $z^j$ in $\prod_{j=1}^{k}(z - i_j)$, and implicitly sets $g^s$ to be the $G_{p_1}$ part of T (this means that T is the product of $g^s \in G_{p_1}$ and possibly an element of $G_{p_2}$). B also generates $t \in \mathbb{Z}_N$ randomly. It chooses $f \in \{0, 1\}$ by flipping a coin and sets
$$C = M_f\, e(g^{\delta}, T^{y_h}),\quad C_0 = T^{y_h},\quad C_1 = T^{y_w} g^{y_v \langle \alpha, Z\rangle t},\quad C_2 = g^{y_h \langle \alpha, Z\rangle t},\quad C_3 = g^{y_u t}.$$
If $T \in G_{p_1}$, this is a properly distributed normal ciphertext and B properly simulates $\mathrm{Game}_{Real}^{IBBE}$. If $T \in G_{p_1 p_2}$, then we have a semi-functional ciphertext with $a = y_h s'$ and $b = y_w s'$, where we denote the $G_{p_2}$ part of T by $g_2^{s'}$ (i.e., $T = g^s g_2^{s'}$). Since the values of $y_h$ and $y_w$ modulo $p_2$ are uncorrelated with their values modulo $p_1$, reusing the values from $G_{p_1}$ does not correlate the ciphertext with the normal keys. So this is a properly distributed semi-functional ciphertext and B properly simulates $\mathrm{Game}_{0}^{IBBE}$.

Lemma 2 (Semi-Functional Security): Suppose there exists a polynomial time algorithm A such that $\mathrm{Game}_{q}^{IBBE}\mathrm{Adv}_A - \mathrm{Game}_{Final_3}^{IBBE}\mathrm{Adv}_A = \epsilon$. Then we can construct a polynomial time algorithm B with advantage $\epsilon$ in breaking Assumption 2 or Assumption 3.

Proof: This is proved by Lemmas 2.1 to 2.3.

Lemma 2.1: Suppose there exists a polynomial time algorithm A such that $\mathrm{Game}_{q}^{IBBE}\mathrm{Adv}_A - \mathrm{Game}_{Final_1}^{IBBE}\mathrm{Adv}_A = \epsilon$.
Then we can construct a polynomial time algorithm B with advantage $\epsilon$ in breaking Assumption 2.

Proof: B is given g, g, X X, T. It will simulate $\mathrm{Game}_{q}^{IBBE}$ or $\mathrm{Game}_{Final_1}^{IBBE}$ with A. It chooses random exponents $y_g, y_u, y_w, y_v, \alpha_0, \ldots, \alpha_l, \delta \in \mathbb{Z}_N$ and sets g = g^{y_g}, u = g^{y_u}, w = g^{y_w}, v = g^{y_v}, h = g. It publishes the public parameters PK = (g, u, w, h, v^{α_j}, e(g, h)^δ : j ∈ [0, l]). When A makes a ciphertext query by sending two messages $M_0, M_1$ and the set of receivers S, B responds to A by choosing random t, s, a, b ∈ Z_N. Then it randomly selects f ∈ {0, 1} and returns C = M_f e(g, h)^{δs}, C_0 = h^s g^a, C_1 = w^s g^b v^{⟨α, Z⟩ t}, C_2 = h^{⟨α, Z⟩ t}, C_3 = u^t. When A makes private key queries for some identity i, B chooses random y_i, r_i ∈ Z_N and returns {(X X g)^{y_w y_i}, (X X g)^{y_i}, (X X g)^{y_v y_i} T^{y_u r_i}, T^{r_i(−α_0 x_j / x_0 + α_j)} : j ∈ [l]}. We let g^{y_x} g^{y_x} denote X X. Then y_i equals y_x y_i modulo p, and ỹ_i equals y_i modulo p and y_x y_i modulo p. Also, r_i equals t r_i modulo p if we write the G_p part of T as g^t. It also implicitly sets ψ = y_w and σ = y_v modulo p, p. If T ∈ G_p, this has simulated $\mathrm{Game}_{q}^{IBBE}$ properly. If T ∈ G_pp, because y_u and α_j modulo p do not appear anywhere else, the random elements of G_p added to K_2 and K_j of each key are randomized by r_i. Hence this has properly simulated $\mathrm{Game}_{Final_1}^{IBBE}$.

Lemma 2.2: Suppose there exists a polynomial time algorithm A such that $\mathrm{Game}_{Final_1}^{IBBE}\mathrm{Adv}_A - \mathrm{Game}_{Final_2}^{IBBE}\mathrm{Adv}_A = \epsilon$. Then we can construct a polynomial time algorithm B with advantage $\epsilon$ in breaking Assumption 2.

Proof: B is given g, g, X X, T. It will simulate $\mathrm{Game}_{Final_1}^{IBBE}$ or $\mathrm{Game}_{Final_2}^{IBBE}$ with A. It chooses random exponents $y_g, y_u, y_w, y_v, \alpha_0, \ldots, \alpha_l, \delta, \psi, \sigma \in \mathbb{Z}_N$ and sets g = g^{y_g}, u = g^{y_u}, w = g^{y_w}, v = g^{y_v}, h = g.
It publishes the public parameters PK = (g, u, w, h, v^{α_j}, e(g, h)^δ). When A makes private key queries for some identity i, B chooses random y_i, r_i, γ_0, ..., γ_l ∈ Z_N and returns K_0 = (X X)^{y_w y_i} g^{ψ y_i}, K_1 = (X X g)^{y_i}, K_2 = (X X)^{y_v y_i} g^{σ y_i} u^{r_i} (g)^{r_i γ_0}, K_j = h^{r_i(−α_0 x_j / x_0 + α_j)} (g)^{r_i γ_j} : j ∈ [l]. We let g^{y_x} g^{y_x} denote X X. Then y_i equals y_x y_i modulo p, and ỹ_i equals y_x y_i modulo p and y_i modulo p. So these are properly distributed semi-functional keys. When A makes a ciphertext query by sending $M_0, M_1$ and the set of receivers S, B responds to A by choosing random t, t', t'' ∈ Z_N. Then it randomly selects f ∈ {0, 1} and returns C = M_f e(g, T)^δ, C_0 = T g^a, C_1 = T^{y_w} g^b T^{y_v ⟨α, Z⟩ t'} v^{⟨α, Z⟩ t}, C_2 = T^{⟨α, Z⟩ t'} h^{⟨α, Z⟩ t}, C_3 = T^{y_u t'} g^{y_u t}. We denote the G_p part of T as g^τ. This implicitly sets s = τ and t = t + τ t' modulo p. If T ∈ G_p, B has properly simulated $\mathrm{Game}_{Final_1}^{IBBE}$. If T ∈ G_pp, we must argue that the G_p terms attached to the ciphertext are uniformly random in order to claim that B properly simulates $\mathrm{Game}_{Final_2}^{IBBE}$. Let us denote the G_p parts of the ciphertext by g^{t_0}, g^{t_1}, g^{t_2} and g^{t_3}. If we also denote the G_p part of T as g^{τ'}, then t_0 = τ', t_1 = τ'(y_w + y_v ⟨α, Z⟩ t'), t_2 = τ'(⟨α, Z⟩ t') and t_3 = τ'(y_u t') modulo p. Because α_j, y_w, y_v, y_u do not appear in any other G_p parts of this simulation, the G_p parts of the challenge ciphertext are randomly distributed. Hence it has simulated $\mathrm{Game}_{Final_2}^{IBBE}$.

KIM et al.: ADAPTIVELY SECURE IDENTITY-BASED BROADCAST ENCRYPTION

Lemma .: Suppose there exists a polynomial time algorithm A such that GameFinal IBBE Adv A GameFinal IBBE Adv A = ɛ. Then we can construct a polynomial time algorithm B with advantage ɛ in breaking Assumption .

Proof: B is given g g X X Y Y T. It will simulate GameFinal IBBE or GameFinal IBBE using A. It chooses random exponents y g y u y w y v α 0...α l Z N and sets g = g y g u = g y u w = gy w v = g y v and h = g. It publishes the public parameters: PK = (g uwhv α j e(t y g g )).

When A makes private key queries for some identity i, B chooses a random y i r i γ 0...γ l Z N and returns K 0 = T (y w+y g ) w y i (Y Y ) (y w+y g )y i K = Th y i (Y Y ) y i K = T y v v y i (Y Y ) y v y i u r i g r i γ 0 K j = h r i ( α 0 x j /x 0 +α j ) g r i γ j : j [l]. If we write Y Y and the G p p part of T as g y y g y y and g δgδ respectively, this implicitly sets y i = δ + y i modulo p. Also ỹ i equals y y y i +δ modulo p. ψ = y w + y g modulo p and p, and σ = y v modulo p and p. If T G p p, ỹ i equals y y y i modulo p. If T G, ỹ i equals y y y i + δ modulo p if we write the G p part of T as g δ.

When A makes a ciphertext query by sending M 0 M and the set of receivers S, B responds to A by choosing random a b s t Z N and returning C = e(t y g X X ) s C 0 = (X X ) s (Y Y ) a C = (X X ) y ws (Y Y ) b v α Z t C = h α Z t g t C = u t g t. The random values are properly added into the G p p part of the ciphertext because of a b t t. If T G p p, this properly simulated GameFinal IBBE. If T G, e(g g ) δ y x s is additionally added to C of the ciphertext. It should be noted that the value of s modulo p appears in C 0 and C in the ciphertext, but its value is not revealed because of a and b modulo p. Hence e(g g ) δ y x s is uniformly random to A, and this has well simulated GameFinal IBBE.

B. Semi-Functional Key Invariance

It is quite challenging to prove that there is no polynomial time algorithm B to distinguish between Gamek IBBE and Gamek IBBE with non-negligible advantage, because there is no restriction on B. Hence it can generate a semi-functional ciphertext to test whether the kth key is semi-functional or normal by decrypting the semi-functional ciphertext using the kth key. In order to avoid this potential paradox, we designed oracles which output the challenge ciphertext and the private key unless the identities of the keys requested do not belong to the set of the recipients' identities of the challenge ciphertext. However, constructing these oracles and proving the invariance between them is still challenging when we work with exponentially many users, because we often have to amplify the randomness of the system with the limited entropy of public keys. Hence we additionally defined an ephemeral key and ciphertext, which are similar to the ephemeral semi-functional key and ciphertext introduced in [7]. In this setting an ephemeral key decrypts both a normal and a semi-functional ciphertext, but an ephemeral challenge ciphertext is decrypted only by a normal key.

Ephemeral key: Let K 0 K K and K j be a normal key generated by using the key generation algorithm. With random γ 0 γ...γ l ZN, K 0 = K 0 K = K K = K (g g ) γ 0 K j = K j (g g ) γ j : j [l].

Ephemeral ciphertext: Let C C 0 C C and C be a properly distributed normal ciphertext. Then with random a bα 0...α k t t ZN, it outputs C = C C 0 = C 0 ga C = C gb gσ α Z t C = C Z t g α C = C gt where α = (α 0..α k ). It should be noted that an ephemeral ciphertext has the parameter σ shared with the semi-functional key.

1) Sequence of Games: In order to prove the invariance between Gamek IBBE and Gamek IBBE, we additionally define security games having an ephemeral key and/or an ephemeral ciphertext and the added restriction in modulo p.
Gamek IBBE: This game is identical to Gamek IBBE except for the added restriction that the identity of the (k-) th key cannot be equal to any of the identities of the challenge ciphertext modulo p.

Gamek EK: In this game the ciphertext is semi-functional and the k th key is ephemeral. The additional restriction on the identities modulo p is retained in this game.

Gamek EC: In this game both the ciphertext and the k th key are ephemeral. The additional restriction on the identities modulo p is retained in this game.

Gamek IBBE: This game is identical to Gamek IBBE except for the additional restriction on the identities modulo p.

First we will prove that Gamek IBBE Gamek IBBE. Then the steps Gamek IBBE Gamek EK, Gamek EK Gamek EC, Gamek EC Gamek IBBE and Gamek IBBE Gamek IBBE will follow.

Lemma : Suppose there exists a polynomial time algorithm A such that Gamek IBBE Adv A Gamek IBBE Adv A = ɛ. Then we can construct a polynomial time algorithm B with advantage ɛ in breaking Assumption or Assumption .

Proof: We suppose there exists a PPT attacker A that distinguishes between Gamek IBBE and Gamek IBBE with non-negligible advantage. Because A has non-negligible advantage, it produces two values I I Z N which satisfy I = I modulo N but I = I modulo p with non-negligible probability while it is simulating Gamek IBBE. We set A as the g.c.d. of I I and N, and B as N/A. Then p is divisible by A and B =. There are two possible cases: 1) p is divisible by B, and 2) A = p p, B = p. The rest of the proof can be described in the same manner as [4] and [7]. The case can be used to break Assumption and the case can be used to break Assumption .
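The factoring step of this proof, carried through as an added worked derivation (it is not part of the original paper): it assumes the group order N = p_1 p_2 p_3 and writes the subgroup of the restriction as p_2, since the subscripts are lost in this transcription.

Suppose A outputs $I, I' \in \mathbb{Z}_N$ with $I \equiv I' \pmod{p_2}$ but $I \not\equiv I' \pmod{N}$. Put
\[
A = \gcd(I - I',\, N), \qquad B = N / A .
\]
Since $p_2 \mid (I - I')$ and $p_2 \mid N$, we get $p_2 \mid A$; since $N \nmid (I - I')$, $A \neq N$ and therefore $B > 1$. Hence
\[
(A, B) \in \{(p_2,\; p_1 p_3),\ (p_1 p_2,\; p_3),\ (p_2 p_3,\; p_1)\}.
\]
In the second and third cases $B$ is a single prime and $A$ is the product of the other two primes; in the first case $A = p_2$ and $B = p_1 p_3$. In every case the reduction has learned a non-trivial factorisation $N = A \cdot B$, and in a cyclic group of order $N$ a challenge element $T$ satisfies
\[
T^{A} = 1 \iff \operatorname{ord}(T) \mid A \iff T \in G_{A},
\]
so knowing $(A, B)$ decides any subgroup decision challenge of the form "$T \in G_{A}$ versus $T \in G$" directly.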

TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY

TABLE III: THE SUMMARY OF ORACLES

TABLE IV: THE SUMMARY OF HOPS

2) Oracle Lemmas: The invariance between Gamek IBBE and Gamek IBBE will be proved by using the oracle lemmas. In the following proofs B uses oracles to simulate the security games with A, but it cannot distinguish which oracle it is working with. We define four oracles (O 0 O O O ). Each oracle can respond to an initial query, a challenge key query and a challenge ciphertext query. We summarize the relation between the oracles and the security games in Table III. In order to respond to an initial query, the oracles randomly select g uwvh G p and α 0...α l s aψỹ y σ Z N and return the group elements: {g uwhv α j h s g a w y (g g ) ψ ỹ h y (g g )ỹv y (g g ) σ ỹ : j [0l]. The responses that each oracle outputs as a challenge key and a challenge ciphertext have different distributions according to the type of oracle. They are distributed as follows:

Oracle O 0 : If the oracle receives a challenge key query for an identity i Z N, it returns the group elements which are identical to a normal key. Upon receiving a challenge ciphertext query for a set of recipients S {...n, it calculates Z for S and selects randomly b t Z N, then returns the group elements {w s g b v α Z t h α Z t u t.

Oracle O : If the oracle receives a challenge key query for an identity i Z N, it selects randomly y r γ 0...γ l Z N, then returns the group elements {w y h y v y u r (g g ) γ 0 h ( α 0x j /x 0 +α j )r (g g ) γ j : j [l]. The challenge ciphertext response is identical to O 0.

Oracle O : If the oracle receives a challenge ciphertext query for a set of recipients S {...n, it calculates Z for S and selects randomly b tα 0...α l t t ZN, then returns the group elements {w s g b v α Z t g σ α Z t h α Z t g α Z t u t g t. It responds to a challenge key query in the same way as O.
Oracle O : If the oracle receives a challenge key query for an identity i Z N, it selects randomly y ỹ r ZN, then returns the group elements {w y (g g ) ψ ỹ h y (g g )ỹ v y (g g ) σ ỹ u r h ( α 0x j /x 0 +α j )r : j [l]. The challenge ciphertext response is identical to O 0.

The invariances of (O 0 O O O ) are proved by several lemmas with additionally defined sub-oracles. For an overview of the proving sequences we add Table IV.

Lemma 4: Suppose there exists a polynomial time algorithm A such that O 0 Adv A O Adv A = ɛ. Then we can construct a polynomial time algorithm B with advantage ɛ in breaking Assumption or Assumption .

Proof: This is proved by Lemma 4.1 and Lemma 4.2 with an additional oracle O 0..

Oracle O 0. : If the oracle receives a challenge key query for an identity i Z N, it selects randomly y r γ 0...γ l Z N, then returns the group elements {w y h y v y u r g γ 0 h( α 0x j /x 0 +α j )r g γ j : j [l]. It responds to an initial query and a challenge ciphertext query in the same way as O 0.

Lemma 4.1: Suppose there exists a polynomial time algorithm A such that O 0 Adv A O 0. Adv A = ɛ. Then we can construct a polynomial time algorithm B with advantage ɛ in breaking Assumption .

Proof: B is given g g X X T. It will simulate O 0 or O 0. using A. It chooses random exponents y g y u y w y v α 0...α l s a ỹ Z N and sets g = g y g u = gy u w = g y w v = g y v h = g. It sends the group elements to A: (g uwhv α j h s g a (X X ) y w g y w ỹ (X X )gỹ (X X ) y v g y v ỹ : j [0l]). If we write X X as g y x g y x, this implicitly sets y equal to y x modulo p and ỹ equal to y x modulo p. Also ψ equals y w and σ equals y v modulo p and p. Because the values of y w and y v modulo p do not correlate with their values modulo p and p, this is properly distributed. When A makes a ciphertext-type query for the set of receivers S, B chooses a random b t Z N and returns the group elements {w s g b v α Z t h α Z t u t.
identity i, A chooses a random y Z N and returns {w y h y v y T y u T α 0x j /x 0 +α j : j [l]. This implicitly sets g r to be the G p part of T. If T G p, then this matches the distribution of O 0. If T G p p, then this matches the distribution of O 0.. Also this implicitly sets α j = α j, γ 0 = r y u and γ j = r ( α 0 x j /x 0 +α j ) modulo p when we write the G p part of T as g r. γ 0 contains y u modulo p, which does not appear anywhere else. Also, for all j [l], γ j contains α j modulo p, which also does not appear anywhere else. Because y u modulo p and α j modulo p are not correlated with their values modulo p, this challenge ciphertext is randomly distributed.

Lemma 4.2: Suppose there exists a polynomial time algorithm A such that O 0. Adv A O Adv A = ɛ. Then we can construct a polynomial time algorithm B with advantage ɛ in breaking Assumption .

Proof: B is given g g X X Y Y T. It will simulate O 0. or O using A. It chooses random exponents y g y u y w y v α 0...α l ψy ỹσ Z N and sets g = g y g u = g y u w = gy w v = g y v and h = g. It sends the group elements to A: (g uwhv α j X X w y (Y Y ) ψ ỹ h y (Y Y )ỹv y (Y Y ) σ ỹ : j [l]). This implicitly sets a = y x modulo p when we write X X = g sgy x. When A makes a ciphertext-type query for the set of receivers S, B responds to A by choosing a random t Z N and returning {(X X ) y w v α Z t h α Z t u t. This implies b = y w y x modulo p. a and b are uniformly distributed because y w modulo p does not appear anywhere else.

identity i, A chooses a random y Z N and returns {w y h y v y T y u T α 0x j /x 0 +α j : j [l]. The G part of the challenge ciphertext is properly distributed if we write g r as the G part of T. If we write the G p part of T as g r, this implicitly sets γ 0 = r y u modulo p and γ j = r ( α 0 x j /x 0 + α j ) modulo p. Because y u and α j modulo p do not appear anywhere else, the G p parts of this challenge ciphertext are randomly distributed. Hence if T G p p, then this matches the distribution of O 0..
If T G, then this matches the distribution of O because y u and α j modulo p do not appear anywhere else and do not correlate with their values modulo p and p; this is the properly distributed challenge ciphertext.

Lemma 5: Suppose there exists a polynomial time algorithm A such that O Adv A O Adv A = ɛ. Then we can break Assumption or Assumption .

Proof: This is proved by Lemma 5.1, Lemma 5.2 and Lemma 5.3 with additional oracles O. and O..

Oracle O. : If the oracle receives a challenge ciphertext query for a set of recipients S {...n, it selects randomly b tα 0...α l t t ZN, then returns the group elements {w s g b v α Z t g σ α Z t h α Z t g α Z t u t g t. It responds to an initial query and a challenge ciphertext query in the same way as O.

Oracle O. : If the oracle receives a challenge ciphertext query for an identity i Z N, it selects randomly b tα 0...α l t t ZN, then returns the group elements {w s g b v α Z t (g g ) σ α Z t h α Z t (g g ) α Z t u t (g g ) t. It responds to an initial query and a challenge ciphertext query in the same way as O..

Lemma 5.1: Suppose there exists a polynomial time algorithm A such that O Adv A O. Adv A = ɛ. Then we can break Assumption .

Proof: B is given g g X X T. It will simulate O or O. with A. It chooses random exponents y g y w y v y h σ α 0...α l s a ỹ Z N and sets g = g y g u = g y u w = gy w v = g y v h = g. It sends the group elements to A: (g uwhv α j h s g a (X X ) y w g y w ỹ (X X )gỹ (X X ) y v g σ ỹ : j [0l]). We let X X denote g y x g y x. Then this implicitly sets y equal to y x modulo p. Also ψ equals y w, and σ equals σ modulo p and y v modulo p.

identity i, A chooses a random y r γ 0...γ l Z N and returns {w y h y v y (X X ) r y u g γ 0 (X X ) r ( α 0 x j /x 0 +α j ) g γ j : j [l]. This implies that γ 0 = r y u y x modulo p and γ j = r ( α 0 x j /x 0 + α j )y x modulo p. When A makes a ciphertext-type query for the set of receivers S, B responds to A by returning {w s g b T y v α Z T α Z T y u.
This implicitly sets g t to be the G p part of T. If T G p, then this matches the distribution of O because y u α j of the G p part of the challenge key do not appear anywhere else. However, if T G p p, α j modulo p for j [0l] also appears in the challenge ciphertext. We must argue that α 0 x j /x 0 +α j modulo p for j [l] are uniformly random even if α Z modulo p for j [0l] is given: Let α j = α j modulo p for all j [0l]. Then we rewrite the relations between γ j, α j and α Z as follows.

x /x 0 α 0 γ x /x 0 α γ = x k /x 0 α k. γ z 0 z z z k α k k α Z

Because α j modulo p is uniformly random and does not correlate with its values modulo p by CRT, γ j for all j [l] and α Z are k-wise independent for k >. This implies that γ...γ k and α Z are uniformly distributed. It should be noted that if k =, γ is equal to α Z because z 0 equals x /x 0 and z =. Also we stress that γ k+...γ l given to the adversary share the α 0, but the value of α 0 is not revealed because for all j [k+l] γ j has α j, which does not appear anywhere else.

Lemma 5.2: Suppose there exists a polynomial time algorithm A such that O. Adv A O. Adv A = ɛ. Then we can break Assumption .

Proof: B is given g g X X Y Y T. It will simulate O. or O. with A. It chooses random exponents y g y u y w y v α 0...α l ψy ỹσ Z N and sets g = g y g u = gy u w = g y w v = g y v and h = g. It sends the group elements to A: (g uwhv α j (X X ) w y (Y Y ) ψ ỹ h y (Y Y )ỹv y (Y Y ) y v ỹ : j [0l]). This implicitly sets a = y x modulo p if we write X = g sgy x.

identity i, A chooses a random y r γ 0...γ l Z N and returns {w y h y v y u r (Y Y ) γ 0 h r ( α 0 x j /x 0 +α j ) (Y Y ) γ j : j [l]. When A makes a ciphertext-type query for the set of receivers S, B responds to A by returning {(X X ) y w T y v α Z T α Z T y u. This implies b = y w y x. a and b modulo p are uniformly distributed because y w modulo p does not appear anywhere else. If T G, then this matches the distribution of O.. If we write (g g ) t to be the G p p part of T, then this implies that t = t, t = t y u and α j = α j modulo p and p for j [0l]. Because α j, y u modulo p and p do not appear anywhere else, these are properly distributed. Similarly, if T G p p, then this matches the distribution of O..

Lemma 5.3: Suppose there exists a polynomial time algorithm A such that O. Adv A O Adv A = ɛ. Then we can break Assumption .

Proof: B is given g g X X T. It will simulate O. or O with A. It chooses random exponents y g y w y v α 0...α l s a y Z N and sets g = g y g u = g w = g y w v = g y v h = g. Then the responses to the initial and challenge-key queries can be generated in the same way as in Lemma 5..
When A makes a ciphertext-type query for the set of receivers S, B randomly selects s bα 0...α l t t and responds to A by returning {w s g b T y v α Z g σ α Z t T α Z g α Z t Tg t. This is possible because g was given. If we denote g t to be the G p part of T, the G p part of the challenge ciphertext is properly distributed. If T G p, then this matches the distribution of O. If T G p p, this matches the distribution of O. for the same reasons as for Lemma 5..

Lemma 6: Suppose there exists a polynomial time algorithm A such that O Adv A O Adv A = ɛ. Then we can construct a polynomial time algorithm B with advantage ɛ in breaking Assumption or Assumption .

Proof: This is proved by Lemmas 6.1 to 6.9 with additional oracles O., O., O., O.4, O.5, O.6, O.7 and O.8.

Oracle O. : If the oracle receives a challenge key query for an identity i Z N, it selects randomly y ỹ r γ 0... γ l Z N, then returns the group elements {w y g ψ ỹ y h gỹ vy u r (g g ) γ 0g σ ỹ h r ( α 0 x j /x 0 +α j ) (g g ) γ j : j [l]. It responds to an initial query and a challenge ciphertext query in the same way as O.

Oracle O. : The response for an initial query is identical to that of O. except that h s (g g ) a replaces h s g a. If the oracle receives a challenge ciphertext query for a set of recipients S {...n, it selects randomly bα 0...α l t t t t t 4 t 5 ZN, then returns the group elements {w s g b v α Z t g σ α Z t g t h α Z t g α Z t g t 4 u t g t g t 5. It responds to a challenge ciphertext query in the same way as O..

Oracle O. : If the oracle receives a challenge key query for identity i Z N, it selects randomly y ỹ r γ 0... γ l Z N, then returns the group elements {w y (g g ) ψ ỹ h y (g g )ỹ v y u r (g g ) γ 0 +σ ỹ h r ( α 0 x j /x 0 +α j ) (g g ) γ j : j [l]. It responds to an initial query and a challenge ciphertext query in the same way as O..

Oracle O.4 : The response for an initial query is identical to that of O..
If the oracle receives a challenge ciphertext query for a set of recipients S {...n, it selects randomly s bα 0...α l t t t ZN, then returns the group elements {w s g b v α Z t g σ α Z t h α Z t g α Z t u t g t. It responds to a challenge ciphertext query in the same way as O..

Oracle O.5 : If the oracle receives a challenge ciphertext query for a set of recipients S {...n, it selects randomly s bα 0...α l t t t t t 4 ZN, then returns the group elements {w s g b v α Z t g σ α Z t g σ t h α Z t g α Z t g t u t g t g t 4. It responds to an initial query and a challenge ciphertext query in the same way as O.4.

Oracle O.6 : If the oracle receives a challenge ciphertext query for a set of recipients S {...n, it selects randomly s b t t t 4 ZN, then returns the group elements {w s g b v α Z t g σ t h α Z t g t u t g t 4. It responds to an initial query and a challenge ciphertext query in the same way as O.5.

Oracle O.7 : If the oracle receives a challenge ciphertext query for a set of recipients S {...n, it selects randomly s b t Z N, then returns the group elements {w s g b v α Z t h α Z t u t. It responds to an initial query and a challenge ciphertext query in the same way as O.6.

Oracle O.8 : If the oracle receives a challenge key query for an identity i Z N, it selects randomly y ỹ r γ γ ZN, then returns the group elements {w y (g g ) ψ ỹ h y (g g )ỹ v y u r (g g ) σ ỹ g γ 0 h r ( α 0 x j /x 0 +α j ) g γ j : j [l]. It responds to an initial query and a challenge ciphertext query in the same way as O.7.

Lemma 6.1: Suppose there exists a polynomial time algorithm A such that O Adv A O. Adv A = ɛ. Then we can construct a polynomial time algorithm B with advantage ɛ in breaking Assumption .

Proof: B is given g g X X T. It will simulate O or O. with A. It chooses random exponents y g y u y w y v α 0...α l s a ỹ Z N and sets g = g y g u = g y u w = gy w v = g y v and h = g. It sends the group elements to A: (g uwhv α j h s g a (X X ) y w g y w ỹ (X X )gỹ (X X ) y v g y v ỹ : j [l]). This implicitly sets g y = X modulo p. Also ψ equals y w and σ equals y v modulo p p. When A makes a ciphertext-type query for the set of receivers S, B responds to A by choosing random b tα 0...α l t t Z N and returning {w s g b v α Z t g y v α Z t h α Z t g α Z t u t g t where α = (α 0...α l ).

identity i, A chooses a random γ Z N and returns {T y w T T y v (X X g γ )y u (X X g γ ) α 0x j /x 0 +α j : j [l ]. If we denote X X = g y x g y x, this implicitly sets r = y x modulo p.
We note γ 0 = γ y u modulo p and γ 0 = y x y u modulo p; also γ j = γ( α 0 x j /x 0 + α j ) modulo p and γ j = y x ( α 0 x j /x 0 + α j ) modulo p. Let T G p and g y be the G p part of T; then this matches the distribution of O. If T G p p and (g g ) y is the G p p part of T, then this matches the distribution of O. because y u and α 0...α l modulo p do not appear anywhere else.

Lemma 6.2: Suppose there exists a polynomial time algorithm A such that O. Adv A O. Adv A = ɛ. Then we can construct a polynomial time algorithm B with advantage ɛ in breaking Assumption .

Proof: In this lemma the G p and G p parts of Assumption are reversed. B is given g g X X Y Y T. It will simulate O. or O. with A. It chooses random exponents y g y u y w y v α 0...α l yσ Z N and sets g = g y g u = gy u w = g y w v = g y v h = g. It sends the group elements to A: (g uwhv α j Tw y (Y Y ) y w h y (Y Y ) v y (Y Y ) σ : j [l]). This is properly distributed if we denote the G p part of T by g s. Also this sets ψ = y w modulo p p. If T G p p, this is a properly distributed set of group elements of O.. If T G, this is a properly distributed set of group elements of O..

identity i, A chooses a random r γ 0...γ l Z N and it returns {(X X ) y w (X X ) (X X ) y v u r (Y Y ) γ 0 h r ( α 0 x j /x 0 +α j ) (Y Y ) γ j : j [l]. This is a properly distributed challenge key. It should be noted that y v modulo p was used but not revealed, because there is a random parameter γ 0 modulo p which does not appear in any other component. When A makes a ciphertext-type query for the set of receivers S, B responds to A by choosing random t t t Z N and returns {T y w T y v α Z t v α Z t g σ α Z t T α Z t h α Z t g α Z t T y ut g y ut g t. We denote the G p p part of T as g τ gτ. This implicitly sets s = τ and t = t + τt modulo p. Also the G parts of the challenge ciphertext are distributed as g bgσ α Z t g α Z t g t where b = τ (y w + y v α Z t σ α Z t ), t = τ t + t, t = y u τ t + t. b is not correlated with t and t because y v modulo p appears only here.
Also, due to t and t, t and t do not correlate. Therefore the G terms here are properly distributed. If T G p p, this B has properly simulated O.. If T G, we must argue that the G terms attached to the ciphertext are uniformly random in order to claim that B properly simulates O.. Let us denote by G the part of the ciphertext g t g t 4 and g t 5. If we also denote the G part of T as g τ, then t = τ (y w +y v α Z t ), t 4 = τ ( α Z t ) and t 5 = τ (y u t ) modulo p. Neither t nor t 4 correlates with t 5 because of α Z, which is randomly distributed as α Z modulo p does not appear anywhere. Also t and t 4 do not correlate with each other because y v does not reveal its value, although it appears within the challenge key. So the G parts of the challenge ciphertext are properly distributed.

Lemma 6.3: Suppose there exists a polynomial time algorithm A such that O. Adv A O. Adv A = ɛ. Then we can break Assumption .

Proof: B is given g g X X Y Y T. It will simulate O. or O. with A. It chooses random exponents y g y u y w y v α 0...α l s a y Z N and sets g = g y g u = g y u w = gy w v = g y v and h = g. It sends the group elements to A: (g uwhv α j h s (Y Y ) a w y (Y Y ) y w h y (Y Y ) v y (Y Y ) y v : j [0l]). This implicitly sets ψ = y w and σ = y v modulo p and p. When A makes a ciphertext-type query for the set of receivers S, B responds to A by choosing random b t t 4 t 5 Z N and returns {w s (Y Y ) b (X X ) y v α Z t (X X ) α Z t g t 4 (X X ) y ut g y ut 5. Then the G part of the challenge ciphertext is properly distributed and t = t y x. We write X = g y x. Also the G part of the challenge ciphertext, t = t modulo p and t = y u t modulo p, is properly distributed. Moreover, if we denote Y Y a g y y g y y, b modulo p equals b y y. The G part is also properly distributed with random values t = b y y modulo p, t 4 and t 5.

identity i, A chooses a random r γ 0...γ l Z N and returns {T y w T T y v u r (Y Y ) γ 0 h r ( a 0 x j /x 0 +a j ) (Y Y ) γ j : j [l]. If T G p p, the challenge key-type response is identically distributed to a response from O.. If T G, then the challenge key-type response is identically distributed to a response from O..

Lemma 6.4: Suppose there exists a polynomial time algorithm A such that O. Adv A O.4 Adv A = ɛ. Then we can construct a polynomial time algorithm B with advantage ɛ in breaking Assumption .

Proof: In this lemma the G p and G p parts of Assumption are reversed. B is given g g X X Y Y T. It will simulate O. or O.4 with A. It chooses random exponents y g y u y w y v α 0...α l ψy σ Z N and sets g = g y g u = gy u w = g y w v = g y v h = g. Then the initial response and normal keys can be generated in the same way as in Lemma 6..
identity i, A chooses a random r γ 0...γ l Z N and returns {(X X g ) y w (X X g ) (X X g ) y v u r (Y Y ) γ 0 h r ( a 0 x j /x 0 +a j ) (Y Y ) γ j : j [l]. This is a properly distributed challenge key. It should be noted that y v modulo p and p was used but not revealed, because there is a random parameter r modulo p and p which does not appear anywhere else. When A makes a ciphertext-type query for the set of receivers S, B responds to A by choosing random t t t Z N and returning {T y w T y v α Z t v α Z t g σ α Z t T α Z t h α Z t g α Z t T y ut g y ut g t. Identically to Lemma 6., if T G p p, this properly simulates O.4. Also, if T G, the G p part of the challenge ciphertext is distributed randomly and this properly simulates O..

Lemma 6.5: Suppose there exists a polynomial time algorithm A such that O.4 Adv A O.5 Adv A = ɛ. Then we can construct a polynomial time algorithm B with advantage ɛ in breaking Assumption .

Proof: B is given g g X X T. It will simulate O.4 or O.5 using A. It chooses random exponents y g y u y w y v α 0...α l s a ỹ Z N and sets g = g y g u = g y u w = gy w v = g y v and h = g. It sends the following group elements to A: (g uwhv α j h s g a (X X ) y w g y w ỹ (X X )gỹ (X X ) y v g y v ỹ : j [l]). This implicitly sets g y = X modulo p and gỹ modulo p. Also ψ = y w and σ = y v modulo p and p.

identity i, A chooses a random y r γ 0...γ l Z N and returns {(X X g ) y w y (X X g ) y (X X g ) y v y (X X ) r y u g γ 0 (X X ) r ( α 0 x j /x 0 +α j ) g γ j : j [l]. Let us write X X as g y x g y x; this implicitly sets y = y x y and r = y x r modulo p. ỹ equals y modulo p and y x y modulo p. Also ψ = y w modulo p and p, and σ = y v modulo p and p. γ 0 equals γ 0 modulo p and y x r y u modulo p. For j [l], γ j equals γ j modulo p and y x r ( α 0 x j /x 0 + α j ) modulo p. When A makes a ciphertext-type query for the set of receivers S, B responds to A by choosing random b tα 0...α l t t Z N and returning {w s g b T y v α Z g y v α Z t T α Z g α Z t T y u g t where α = (α 0...α l ).
If T G p and g t is the G p part of T, then this matches the distribution of O.4. If T G p p and g t gt is the G p p part of T, this implicitly sets t = α Z t modulo p and t 4 = y u t modulo p. This matches the distribution of O.5 because the G p part in the challenge ciphertext is k-wise independent as in Lemma 5..

Lemma 6.6: Suppose there exists a polynomial time algorithm A such that O.5 Adv A O.6 Adv A = ɛ. Then we can break Assumption .

Proof: B is given g g X X Y Y T. It will simulate O.5 or O.6 with A. It chooses random exponents y g y u y w y v α 0...α l ψy Z N and sets g = g y g u = gy u w = g y w v = g y v h = g. It sends to A the group elements: (g uwhv α j X X w y (Y Y ) ψ h y (Y Y ) v y (Y Y ) y v : j [l]). This is properly distributed if we set X X = g sga. Moreover this implies that σ = y v modulo p and p.

identity i, A chooses a random y r γ 0...γ l Z N and returns {w y (Y Y ) ψy h y (Y Y ) y v y u r (Y Y ) γ 0 +y v y h r ( α 0 x j /x 0 +α j ) (Y Y ) γ j : j [l]. When A makes a ciphertext-type query for the set of receivers S, B responds to A returning {(X X ) y w T y v α Z T α Z T y u. Because y w and y v modulo p do not appear anywhere else, g b = gay w is randomly distributed. If T G p p, α Z modulo p appears to be uniformly random to the adversary since α j and y u modulo p do not appear anywhere else. Hence this matches the distribution of O.6. If T G, this implies that α j = α j modulo p, t = t and t = y u t, where we denote the G part of T as g t. It should be noted that y u modulo p does not appear anywhere else. So t is also uniformly random to the adversary. Therefore this matches the distribution of O.5.

Lemma 6.7: Suppose there exists a polynomial time algorithm A such that O.6 Adv A O.7 Adv A = ɛ. Then we can break Assumption .

Proof: B is given g g X X T. It will simulate O.6 or O.7 with A. It chooses random exponents y g y w y v α 0...α l s a ỹ Z N and sets g = g y g u = g w = g y w v = g y v h = g. It sends to A the group elements: (g uwhv α j h s g a (X X ) y w g y w ỹ (X X ) y h gỹ (X X ) y v g y v ỹ : j [l]). This is properly distributed. Also ψ = y w and σ = y v modulo p p.

identity i, A chooses a random y r γ 0...γ l Z N and returns {(X X g ) y w y (X X g ) y (X X g ) y v y (X X ) y ur g γ 0 (X X ) r ( α 0 x j /x 0 +α j ) g γ j : j [l ]. When A makes a ciphertext-type query for the set of receivers S, B randomly chooses b t t and responds to A by returning {w s g b T y v α Z T α Z T y u. This implicitly sets g t to be the G p part of T. If T G p, then this matches the distribution of O.7. If T G p p, for the same reasons as Lemma 6.5 this matches the distribution of O.6.
Lemma 6.8: Suppose there exists a polynomial time algorithm A such that O.7 Adv A O.8 Adv A = ɛ. Then we can break Assumption .

Proof: B is given g g X X Y Y T. It will simulate O.7 or O.8 with A. It chooses random exponents y g y u y w y v α 0...α l s a yψσ Z N and sets g = g y g u = gy u w = gy w v = g y v h = g. It sends to A the group elements: (g uwhv α j X X w y (Y Y ) ψy h y (Y Y ) y v y (Y Y ) σ y : j [0l]). When A makes a ciphertext-type query for the set of receivers S, B responds to A by choosing random t Z N and returning {(X X ) y w g y v α Z t g α Z t g y ut. Then the G p part of the challenge ciphertext is properly distributed if we denote X X = g sgy x. Also the G p part of the challenge ciphertext has b = y x y w modulo p. This is a properly distributed ciphertext because y x modulo p does not appear anywhere else.

identity i, A chooses a random y r Z N and returns {w y (Y Y ) ψy h y (Y Y ) y v y (Y Y ) σ y T y u T ( a 0x j /x 0 +a j ) : j [l]. The G p part of the challenge key is properly distributed if we implicitly set the G p part of T as g r. Moreover, if we write Y Y as gfrft y y g y y, ỹ is equal to y y y modulo p and y y y modulo p. If T G p p, the challenge key-type response is identically distributed to a response from O.8 because α j and y u modulo p do not appear anywhere else. If T G, then the challenge key-type response is identically distributed to a response from O.7 because α j and y u modulo p and p do not appear anywhere else.

Lemma 6.9: Suppose there exists a polynomial time algorithm A such that O.8 Adv A O Adv A = ɛ. Then we can break Assumption .

Proof: B is given g g X X T. It will simulate O.8 or O with A. It chooses random exponents y g y u y w y v α 0...α l s a y Z N and sets g = g y g u = gy u w = g y w v = g y v h = g. It sends to A the group elements: (g uwhv α j h s g a (X X ) y w g y w y (X X )g y (X X ) y v g y v y : j [l]). This is properly distributed and implies that ψ = y w and σ = y v modulo p p.
When A makes a ciphertext-type query for the set of receivers S, B responds to A by choosing random t t t Z N and returns {w s g b v α Z t h α Z t u t.

identity i, A chooses a random ỹ Z N and returns {(X X gỹ )y w (X X gỹ ) (X X gỹ )y v T y ur T r ( a 0 x j /x 0 +a j ) : j [l]. This implicitly sets g r to be the G p part of T. If T G p p, the G p part of the challenge key is properly distributed because y u and a j modulo p do not appear anywhere else. Hence this matches the distribution of O.8. If T G p, then this matches the distribution of O.

Lemma 7: Suppose there exists a polynomial time algorithm A such that Gamek IBBE Adv A Gamek IBBE Adv A = ɛ. Then we can construct a polynomial time algorithm B with advantage ɛ in breaking Assumption or Assumption .

Proof: We assume there exists a PPT attacker A who distinguishes between Gamek IBBE and Gamek IBBE with non-negligible advantage. This means that A can distinguish at least one of the following pairs of games, namely Gamek IBBE and Gamek EK, Gamek EK and Gamek EC, and Gamek EC and Gamek IBBE, with non-negligible advantage. If this adversary exists, this can be used to create a PPT algorithm B distinguishing one of the following pairs of oracles, namely O 0 and O, O and O, and O and O, with non-negligible advantage. However, this violates one of Lemmas 4, 5 and 6.

Assume that B interacts with one of O 0 O O and O. Each oracle outputs as an initial response the group elements {g uwhv α j h s g a w y (g g ) ψ ỹ h y (g g )ỹv y (g g ) σ ỹ : j [0l]. B randomly chooses δ Z N and gives to A the public parameters PK ={N G g uwv α j e(g h) δ : j [0l]. To create the first k semi-functional keys, B generates K 0 K K and K j using the key generation algorithm. Then it randomly chooses δ y i Z N and, by using the semi-functional elements in the initial response, constructs semi-functional keys as: K 0 = gδ K 0 (w y (g g ) ψ ỹ ) y i K = K (h y (g g ) ψ ỹ ) y i K = K (v y (g g ) σ ỹ ) y i K j = K j : j [l]. This implicitly sets y i = yy i + y i modulo p and y = yy i modulo p p when we let y i be a randomization parameter shared in the first three components of the normal key for identity i. For responding with normal keys (> k), B generates normal keys by the key generation algorithm. This is possible because B knows MSK ={δ. It forwards a normal key to A.
If A requests the kth key for some identity i, B makes a challenge key-type query to the oracle with i. Then the oracle returns the group elements {T 0 T T T j : j [l]}. B constructs the challenge key for A as: K 0 = g δ T 0 K = T K = T K j = T j : j [l]. If the oracle which B interacts with is O 0, this challenge key is a properly distributed normal key. If the oracle is O, this key is a properly distributed ephemeral key. If the oracle is O, this key is again a properly distributed ephemeral key. If B is interacting with O, this key is a properly distributed semi-functional key. When A requests the challenge ciphertext with the set of receivers S for messages M 0, M, B forwards this query to the oracle and receives the group elements (T, T, T). Then B chooses f ∈ {0, 1} and constructs the ciphertext as: C = M f e(g δ h s g a ) C 0 = h s g a C = T C = T C = T and returns it to A. If B is interacting with O 0, O or O, then the challenge ciphertext is a properly distributed semi-functional ciphertext. Otherwise, if the oracle which B interacts with is O, then the challenge ciphertext is a properly distributed ephemeral ciphertext. Thus, if B interacts with O 0, O, O and O, then it has properly simulated Gamek IBBE, Gamek EK, Gamek EC and Gamek IBBE, respectively. Hence, if A distinguishes at least one of the pairs of games with non-negligible advantage, B can use this to distinguish the corresponding pair of oracles with non-negligible advantage. This violates one of Lemmas 4, 5 and 6.

V. CONCLUSION

In this paper we introduced an adaptively secure identity-based broadcast encryption scheme featuring constant size ciphertexts. The public parameters and private keys in our scheme grow linearly with the maximum number of receivers, not with the total number of users. Also, the computational complexity of the decryption process of our scheme depends only on the number of receivers.
Finally, we showed that our scheme is adaptively secure in the standard model under the general subgroup decisional assumption, instead of multiple subgroup decision assumptions, through the use of the dual system encryption technique.

Jongkil Kim is currently pursuing the Ph.D. degree with the School of Computer Science and Software Engineering, University of Wollongong, Wollongong, NSW, Australia. He is a member of the Centre for Computer and Information Security Research. His main research interest is in functional encryption, including broadcast encryption.

Willy Susilo (SM 0) received the Ph.D. degree in computer science from the University of Wollongong, Wollongong, NSW, Australia. He is currently a Professor with the School of Computer Science and Software Engineering and the Director of the Centre for Computer and Information Security Research, University of Wollongong. He has received the prestigious Australian Research Council Future Fellowship. His main research interests include cryptography and information security. He has authored numerous publications in the area of digital signature schemes and encryption schemes.

Man Ho Au (M ) is currently an Assistant Professor with the Department of Computing, Hong Kong Polytechnic University, Hong Kong. His research interests include information security and privacy. He has authored over 60 refereed journal and conference papers, including two papers in the ACM Conference on Computer and Communications Security that were named as the Runners-up for the PET Award 009: Outstanding Research in Privacy Enhancing Technologies.

Jennifer Seberry (SM 97) received the Ph.D. degree in computation mathematics from La Trobe University, Melbourne, VIC, Australia, in 97. She is currently a Professor with the School of Computer Science and Software Engineering and the Founding Director of the Centre for Computer Security Research, University of Wollongong, Wollongong, NSW, Australia. She has published extensively in Discrete Mathematics and is world renowned for her discoveries on Hadamard matrices, orthogonal designs and statistical design. Because of her outstanding contribution to cryptologic research, she has been a Fellow of the International Association for Cryptologic Research since 0.


Attribute-Based Encryption Schemes with Constant-Size Ciphertexts Attribute-Based Encryption Schemes with Constant-Size Ciphertexts Nuttapong Attrapadung 1, Javier Herranz 2, Fabien Laguillaume 3, Benoît Libert 4, Elie de Panafieu 5, and Carla Ràfols 2 1 Research Center

More information

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30 CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).

More information

Foundations of Cryptography

Foundations of Cryptography - 111 - Foundations of Cryptography Notes of lecture No. 10B & 11 (given on June 11 & 18, 1989) taken by Sergio Rajsbaum Summary In this lecture we define unforgeable digital signatures and present such

More information

Lecture 10 - MAC s continued, hash & MAC

Lecture 10 - MAC s continued, hash & MAC Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy

More information

Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles

Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles Man Ho Au 1, Joseph K. Liu 2, Tsz Hon Yuen 3, and Duncan S. Wong 4 1 Centre for Information Security Research

More information

Lecture Notes 20: Zero-Knowledge Proofs

Lecture Notes 20: Zero-Knowledge Proofs CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties

More information

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4) Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message

More information

Secure Certificateless Public Key Encryption without Redundancy

Secure Certificateless Public Key Encryption without Redundancy Secure Certificateless Public Key Encryption without Redundancy Yinxia Sun and Futai Zhang School of Mathematics and Computer Science Nanjing Normal University, Nanjing 210097, P.R.China Abstract. Certificateless

More information

15 Public-Key Encryption

15 Public-Key Encryption 15 Public-Key Encryption So far, the encryption schemes that we ve seen are symmetric-key schemes. The same key is used to encrypt and decrypt. In this chapter we introduce public-key (sometimes called

More information

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4) Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message

More information

New Lower Bounds on Predicate Entropy for Function Private Public-Key Predicate Encryption

New Lower Bounds on Predicate Entropy for Function Private Public-Key Predicate Encryption New Lower Bounds on Predicate Entropy for Function Private Public-Key Predicate Encryption Sikhar Patranabis and Debdeep Mukhopadhyay Department of Computer Science and Engineering Indian Institute of

More information

Identity-based encryption

Identity-based encryption Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages

More information

Generic Constructions for Chosen-Ciphertext Secure Attribute Based Encryption

Generic Constructions for Chosen-Ciphertext Secure Attribute Based Encryption Generic Constructions for Chosen-Ciphertext Secure Attribute Based Encryption Shota Yamada 1, Nuttapong Attrapadung 2, Goichiro Hanaoka 2 and Noboru Kunihiro 1 1 The University of Tokyo. {yamada@it., kunihiro@}

More information

Post-quantum security models for authenticated encryption

Post-quantum security models for authenticated encryption Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that

More information

On Two Round Rerunnable MPC Protocols

On Two Round Rerunnable MPC Protocols On Two Round Rerunnable MPC Protocols Paul Laird Dublin Institute of Technology, Dublin, Ireland email: {paul.laird}@dit.ie Abstract. Two-rounds are minimal for all MPC protocols in the absence of a trusted

More information

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator

More information

On the (Im)possibility of Projecting Property in Prime-Order Setting

On the (Im)possibility of Projecting Property in Prime-Order Setting On the (Im)possibility of Projecting Property in Prime-Order Setting Jae Hong Seo Department of Mathematics, Myongji University, Yongin, Republic of Korea jaehongseo@mju.ac.r Abstract. Projecting bilinear

More information

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Intro to Public Key Cryptography Diffie & Hellman Key Exchange Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation

More information

Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme

Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme Kwangsu Lee Dong Hoon Lee Abstract Identity-based signature (IBS) is a specific type of public-key signature (PKS) where any

More information

Searchable encryption & Anonymous encryption

Searchable encryption & Anonymous encryption Searchable encryption & Anonymous encryption Michel Abdalla ENS & CNS February 17, 2014 MPI - Course 2-12-1 Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, 2014 1 /

More information

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Solutions for week 1, Cryptography Course - TDA 352/DIT 250 Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.

More information

Katz, Lindell Introduction to Modern Cryptrography

Katz, Lindell Introduction to Modern Cryptrography Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key

More information

Available online at J. Math. Comput. Sci. 6 (2016), No. 3, ISSN:

Available online at  J. Math. Comput. Sci. 6 (2016), No. 3, ISSN: Available online at http://scik.org J. Math. Comput. Sci. 6 (2016), No. 3, 281-289 ISSN: 1927-5307 AN ID-BASED KEY-EXPOSURE FREE CHAMELEON HASHING UNDER SCHNORR SIGNATURE TEJESHWARI THAKUR, BIRENDRA KUMAR

More information

ECS 189A Final Cryptography Spring 2011

ECS 189A Final Cryptography Spring 2011 ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I

More information

CTR mode of operation

CTR mode of operation CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext

More information

Adaptively Secure Puncturable Pseudorandom Functions in the Standard Model

Adaptively Secure Puncturable Pseudorandom Functions in the Standard Model Adaptively Secure Puncturable Pseudorandom Functions in the Standard Model Susan Hohenberger Johns Hopkins University susan@cs.hu.edu Brent Waters University of Texas at Austin bwaters@cs.utexas.edu November

More information

Lattice Cryptography

Lattice Cryptography CSE 06A: Lattice Algorithms and Applications Winter 01 Instructor: Daniele Micciancio Lattice Cryptography UCSD CSE Many problems on point lattices are computationally hard. One of the most important hard

More information

Adaptively Simulation-Secure Attribute-Hiding Predicate Encryption

Adaptively Simulation-Secure Attribute-Hiding Predicate Encryption Adaptively Simulation-Secure Attribute-Hiding Predicate Encryption by Pratish Datta 1 joint work with Tatsuaki Okamoto 1 and Katsuyuki Takashima 2 1 NTT Secure Platform Laboratories 3-9-11 Midori-cho,

More information

El Gamal A DDH based encryption scheme. Table of contents

El Gamal A DDH based encryption scheme. Table of contents El Gamal A DDH based encryption scheme Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction El Gamal Practical Issues The El Gamal encryption

More information

COS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7

COS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7 COS 597C: Recent Developments in Program Obfuscation Lecture 7 10/06/16 Lecturer: Mark Zhandry Princeton University Scribe: Jordan Tran Notes for Lecture 7 1 Introduction In this lecture, we show how to

More information

Solutions to homework 2

Solutions to homework 2 ICS 180: Introduction to Cryptography 4/22/2004 Solutions to homework 2 1 Security Definitions [10+20 points] Definition of some security property often goes like this: We call some communication scheme

More information

A survey on quantum-secure cryptographic systems

A survey on quantum-secure cryptographic systems A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum

More information

Expressive Key-Policy Attribute-Based Encryption with Constant-Size Ciphertexts

Expressive Key-Policy Attribute-Based Encryption with Constant-Size Ciphertexts Expressive Key-Policy Attribute-Based Encryption with Constant-Size Ciphertexts Nuttapong Attrapadung 1, Benoît Libert 2, and Elie de Panafieu 3 1 esearch Center for Information Security, AIST Japan) n.attrapadung@aist.go.jp

More information

Boneh-Franklin Identity Based Encryption Revisited

Boneh-Franklin Identity Based Encryption Revisited Boneh-Franklin Identity Based Encryption Revisited David Galindo Institute for Computing and Information Sciences Radboud University Nijmegen P.O.Box 9010 6500 GL, Nijmegen, The Netherlands. d.galindo@cs.ru.nl

More information

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019 Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.

More information

Adaptively Secure Puncturable Pseudorandom Functions in the Standard Model

Adaptively Secure Puncturable Pseudorandom Functions in the Standard Model Adaptively Secure Puncturable Pseudorandom Functions in the Standard Model Susan Hohenberger 1, Venkata Koppula 2, and Brent Waters 2 1 Johns Hopkins University, Baltimore, USA susan@cs.jhu.edu 2 University

More information

Unbounded Inner Product Functional Encryption from Bilinear Maps

Unbounded Inner Product Functional Encryption from Bilinear Maps nbounded Inner Product Functional Encryption from Bilinear Maps Junichi Tomida and Katsuyuki Takashima 2 NTT tomida.junichi@lab.ntt.co.jp 2 Mitubishi Electric Takashima.Katsuyuki@aj.MitsubishiElectric.co.jp

More information

Constrained Pseudorandom Functions and Their Applications

Constrained Pseudorandom Functions and Their Applications Constrained Pseudorandom Functions and Their Applications Dan Boneh dabo@cs.stanford.edu Brent Waters bwaters@cs.utexas.edu September 9, 2013 Abstract We put forward a new notion of pseudorandom functions

More information