Augmented Broadcaster Identity-based Broadcast Encryption

Transcription

1 Augmented Broadcaster Identty-based Broadcast Encrypton Janhong Zhang Yuwe Xu Zhpeng Chen Insttuton of Image Processng and Pattern Recognton North Chna Unversty of Technology Bejng Chna Journal of Dgtal Informaton Management ABSTRACT: Identty-based Broadcast Encrypton (IBBE has the nherent key escrow problem that Prvate Key Generator (PKG can fully determne the user s prvate key whch s an obstacle of the applcaton of IBBE The exstng approaches to solvng key escrow problem need the user to submt dentty to multple PKGs or nteractons between PKG and the user n the prvate key extracton phase For Pont-to-Multpont Identty-based Broadcast Encrypton (PMIBBE that the computng capabltes of recever are lmted these approaches are mpractcable We propose a new approach what we call Augmented Broadcaster Identty-based Broadcast Encrypton (AB- IBBE It requres nether multple PKGs nor calculaton of recever n the prvate key extracton phase We construct a unversal scheme to realze AB-IBBE such that any IND--CPA secure IBBE scheme can be extended to an IND--CPA secure AB-IBBE scheme Categores and Subject Descrptors: E3 [DATA ENCRYPTION]; Data Encrypton Standard: C1 [Network Archtecture and Desgn] Wreless Communcaton D46 [Securty and Protecton] Cryptographc Controls General Terms: Broadcastng Encrypton Keywords: Key Escrow Identty-based Broadcast Encrypton Receved: 4 February 013 Revsed March 013 Accepted 7 March Introducton Broadcast Encrypton (BE s a cryptographc systems when a broadcaster sends messages through broadcast channel enables the broadcaster to encrypt messages for a set of authorzed recevers and only authorzed recevers can recover plantexts Broadcast encrypton can be dvded nto two knds of com-muncaton modes dependng on the dfference of computng power between the broadcaster and the recever One s Multpont-to-Multpont Broadcast Encrypton (MMBE n whch the broadcaster and the recever have smlar calculaton abltes The other s Pontto-Multpont Broadcast Encrypton (PMBE such as satellte broadcasts cable TV subscrptons dgtal rghts management systems etc In PMBE the computng power of the broadcaster and the recever are unbalanced The broadcaster has powerful computng resources; however the computng capabltes of the recever are lmted Identty-based Broadcast Encrypton (IBBE s the combnaton of BE and Identty-based Encrypton (IBE The recever s publc key n an IBBE scheme can be arbtrary strng (E-mal address moble number etc It makes that IBBE do not need complex certfcate management lke tradtonal Publc Key Infrastructure (PKI As n IBE IBBE has the nherent key escrow problem that Prvate Key Generator (PKG can fully determne the user s prvate keys The user must completely trust PKG whereas PKG could engage n malcous actvtes ncludng ndeed decrypt any cphertext for any user and re-dstrbute user s prvate keys for any dentty whch slows down the applcaton of IBBE To overcome key escrow problem of IBBE a natural way s to adopt the correspondng approaches of IBE Up to now four approaches can be used to mtgate key escrow Journal of Dgtal Informaton Management Volume 11 Number 3 June 013 7

2 problem n IBE One approach s Dstrbuted PKG strategy Usng technques of threshold cryptography the master key s dstrbuted among multple PKGs Nevertheless ths approach ncreases nfrastructure spendng and communcaton overhead The second approach s Selfcertfed Cryptography (SCC In SCC each user s publc key s derved from the sgnature of the user s secret key wth dentty and sgned by authorty s secret key The user needs to choose a secret key and use t to sgn The thrd approach s Certfcateless Publc Key Cryptography (CL-PKC In CL-PKC the user s prvate keys consst of two parts whch are generated by PKG and the user ndependently And the user must generate and publsh the partal publc key whch corresponds to the partal prvate key The fourth approach s Accountable Authorty Identty-based Encrypton (A-IBE In the prvate key generaton phase of an A-IBE scheme the user must select a random number gve to PKG a proof of knowledge of random number and compute ts prvate key If usng Dstrbuted PKG strategy the user has to submt dentty to multple PKGs whch s a heavy burden n practce Apparently SCC and CL-PKC are not pure Identty-based En-crypton whch are cryptographc systems between tradtonal publc cryptographc system and Identty-based Encrypton What s more n SCC CL- PKC and A-IBE prvate key of the user s produced by nteracton between PKG and user The nteracton not only ncreases communcaton overhead but also brngs the user s calculaton However n Pont-to-Multpont Identty-based Broadcast Encrypton (PMIBBE the computng capablty of the recever s lmted Hence for recevers of PMIBBE the above four approaches are mpractcable In ths paper we propose a practcal approach to solvng key escrow problem of PMIBBE 11 Related Work Broadcast Encrypton (BE was ntroduced by Fat and Naor [1] Several graceful BE schemes [-6] have been ntroduced Identty-based Broadcast Encrypton (IBBE was ntroduced by Delerablée [7] n 007 Delerablée s scheme acheves IND-s-CPA securty and the cphertext length and prvate key sze are constant Recently IBBE attracts more and more attenton [8-10] The evaluaton standard of an IBBE scheme ncludes four mportant parameters key sze cphertext length the user s calculaton and securty Dstrbuted PKG strategy was ntroduced by Boneh and Frankln [11] Self-certfed Cryptography (SCC was ntroduced by Grault [1] Al-Ryam and Paterson [13] ntroduced Certfcateless Publc Key Cryptography (CL- PKC Subsequently several CL-PKC schemes [14-16] have been proposed In 007 Goyal [17] formalzed the noton of Accountable Authorty Identty-based Encrypton (A-IBE and present two schemes In the prvate key generaton phase the nteracton betweens the user and PKG s executed by usng Zero-knowledge Proof of Knowledge of Dscrete Log n the frst scheme and 1-out- Oblvous Transfer n the second scheme In 009 Lbert and Vergnaud [18] mproved Goyal s frst proposal In 010 Xu et al [19] mproved Goyal s second scheme through 1-out-n Oblvous Transfer In 008 Guo and Zhang [0] ntroduced an accountable authorty IBBE scheme whch was a combnaton of Goyal s [17] frst scheme and Delerablée s [7] IBBE scheme In 009 Lbert and Vergnaud [18] used ther mprovement of Goyal s frst proposal to reform Boneh and Hamburg s IBBE scheme In 01 Zhao and Zhang [1] ntroduced an IBBE scheme that can reduce trust of PKG whch stll needs nteracton between PKG and the recever The nteracton s executed by Zero-knowledge Proof and blnd-sgnng method These schemes are not sutable for PMIBBE because the lmted compute capacty of the recever 1 Our Contrbutons We propose a new approach to solvng key escrow problem for Pont-to-Multpont Identty-based Broadcast Encrypton (PMIBBE what we call Augmented Broadcaster Identty-based Broadcast Encrypton (AB- IBBE In consderaton of unbalanced computng power between the broadcaster and the recever n PMIBBE We enhance the broadcaster s functons Let the recever s prvate key consst of two parts one part s produced by PKG and the other part s produced by the broadcaster Compared wth the exstng approaches our approach can make t requre nether submttng dentty to multple PKGs nor nteractons between PKG and the recever and the recever does not need any calculatng operaton n the prvate key extracton phase In the practcal engneerng applcaton compared wth securty traceablty s often trval Hence we do not dscuss traceablty n ths paper We formalze the defnton of Augmented Broadcaster Identty-based Broadcast Encrypton (AB-IBBE whch ncludes a regstraton process when a recever wants to obtan a broadcaster s servce We present the securty notons for AB-IBBE The securty game conssts of the DshonestPKG game and the IND--CPA game We construct a unversal scheme for realzng AB-IBBE such that any IND--CPA secure IBBE scheme can be extended to an IND--CPA secure AB-IBBE scheme The constructon of our unversal scheme s based on Dual System Encrypton [] whch s a new methodology for provng securty of encrypton systems In ths paper we use a new technque of realzng dual system encrypton that was ntroduced by Lewko and Waters [3] where complexty assumptons are three statc hardness assumptons (e they do not depend on the number of queres made by an attacker 8 Journal of Dgtal Informaton Management Volume 11 Number 3 June 013

3 Prelmnares 1 Composte Order Blnear Groups Boneh et al [4] frst ntroduced composte order blnear groups Subsequently [3] used them Here we only brefly revew the defnton and necessary propertes Take the nput as a securty parameter λ group generator G outputs a descrpton of blnear group system G = (N = p 1 G G T e(-- where p 1 are three dstnct prmes G and G T are cyclc groups wth G = G T = N e: G G G T s a blnear map such that: 1 (Blnearty For arbtrary g h G a b then e(g a h b = e(g h ab (Non-degeneracy g G such that e(g g = N 3 (Computablty There s a polynomal tme algorthm to compute group operaton n G G T and map e Let G p denote the subgroups of G where G p = p = 1 p 3 Let g denote a generator of G Then g 1 p g 1 and p g are generators of G p G and G p 1 respectvely h 1 G p h 1 G p h j j α 1 α such that e (h 1 h = e p α p (g g = (g 1 g 3 α 1 α α p 1 1 = 1 Then for h and h j j wth ( j e (h h j s an dentty element n G T That s to say G G G have orthogonalty property Three Statc Hardness Assumpton These statc hardness assumptons were used and proved n [3] They are statc means that they do not depend on the number of queres made by an attacker Assumpton 1 (Subgroup decson problem for 3 prmes Gven blnear map system G = (N = p 1 G G T e ( Randomly select g T 1 p T and set D = (G g It s hard to dstngush T 1 from T The advantage of algorthm B n breakng Assumpton 1 s defned as Adv 1 = Pr [B (D T 1 = 1] B (D T = 1 Defnton 1 Assumpton 1 holds f Adv 1 s neglgble n polynomal tme Assumpton Gven a blnear map system G = (N = p 1 G G T e(randomly select g X 1 X Y T 1 G T 1 p and set D = (G g X 1 X Y It s p 1 hard to dstngush T 1 from T 1 The advantage of algorthm B n breakng Assumpton s defned as Adv = Pr [B(D T 1 = 1] B(D T = 1 Defnton Assumpton holds f Adv s neglgble n polynomal tme Assumpton 3 Gven a blnear map system G = (N = p 1 G G T e(--randomly select αs Z N g X Y Z G p T 1 = e(g g αs T G T and set D = (G g g α X 3 g s Y Z It remans hard to dstngush T 1 from T The advantage of algorthm B n breakng Assumpton 3 s defned as Adv 3 = Pr [B(D T 1 = 1] B(D T = 1 Defnton 3 Assumpton 3 holds f Adv 3 s neglgble n polynomal tme 3 The Defnton of AB-IBBE An Augmented Broadcaster Identty-based Broadcast Encrypton (AB-IBBE scheme conssts of four components Setup Ths s a probablstc algorthm Take the nput as the securty parameter λ and m the maxmal sze of the authorzed recevers set It outputs a master secret key MSK-P and a publc key PK-P Extract Ths algorthm s a probablstc algorthm conssts of two sub-algorthms that are executed by PKG and a broadcaster respectvely Extract-P Takes as nput the master secret key MSK-P and a recever s dentty S It outputs the recever s partal key sk P Extract-B The recever wth dentty regsters to a broadcaster The broadcaster outputs the recever s partal prvate key sk B In the end the recever obtans ntegrated prvate key sk = {sk P sk B} Note that the broadcaster may not publsh the partal publc key whch corresponds to the partal prvate key sk B Encrypt Ths s a probablstc algorthm consst of two steps 1 Takes as nput the publc key PK-P and an authorzed recevers set S = { 1 s } where s m t outputs (Hdr K Takes as nput authorzed recevers set S and (Hdr K t outputs (Hdr K where Hdr s an encrypton of Hdr Then K s used to be encrypton key of a symmetrc encrypton algorthm Decrypt Ths s a determnstc algorthm consst of two steps 1 Takes as nput sk B authorzed recevers set S and Hdr t outputs Hdr f S Journal of Dgtal Informaton Management Volume 11 Number 3 June 013 9

4 Takes as nput PK-P sk B S and Hdr t outputs K Then K s used to recover cphertexts 4 The Securty Notons for AB-IBBE To defne securty for an Augmented Broadcaster Identtybased Broadcast Encrypton (AB-IBBE system we frst defne the DshonestPKG game and the IND--CPA game The DshonestPKG game Setup The adversary runs Setup algorthm to obtan MSK- P PK-P and sends PK-P to the challenger Query phase 1 The adversary adaptvely ssues queres q 1 q q t In each query q the adversary selects recevers set S adaptvely where S m and S The challenger runs n Extract-B algorthm and sends sk B to the adversary Challenge When the adversary decdes that phase 1 s over t chooses two messages Hdr 0 Hdr 1 and a challenger dentty set S * where S * m and has no revealed dentty n query phase 1 The challenger chooses random η {0 1} runs the frst step of Encrypt algorthm to obtan Hdr * and sends Hdr * to A Query phase The adversary adaptvely ssues queres q t + 1 q t + 1 q π These queres are the same as query phase 1 wth constrant S Guess The adversary outputs a guess η {0 1} and wns the game f η =η The advantage of the adversary A s defned as: Adv DPKG (t π m A = Pr [η = η] 1 In the DshonestPKG game PKG acts as an adversary that makes an effort to recover the key K Owng to PKG t can output the recever s partal key sk P so that PKG can decrypt Hdr optonally To Lmt PKG to recover K we must lmt PKG to obtan Hdr The IND--CPA game Setup The challenger runs Setup algorthm to obtan MSK- P PK and sends PK to the adversary Query phase 1 The adversary adaptvely ssues queres q 1 q q t In each query q the adversary selects users set S adaptvely where S m and S The challenger runs Extract algorthm and sends sk to the adversary Challenge When the adversary decdes that phase 1 s over the challenger runs Encrypt algorthm to obtan (Hdr * K and chooses random b {01} Let K b = K and K 1- b s arbtrary element n keyspace The challenger sends (Hdr * K 0 K 1 to the adversary Query phase The adversary adaptvely ssues queres q t + 1 q t + 1 q π These queres are the same as query phase 1 wth constrant S Guess The adversary outputs a guess η {0 1} and wns the game f η = η The advantage of the adversary A s defned as: Adv IIC (t π m A = Pr [η =η] 1 Defnton 4 An Augmented Broadcaster Identty-based Broadcast Encrypton (AB-IBBE scheme s IND--CPA secure f both Adv DPKG (t π m A and Adv IIC (t π m A are neglgble n polynomal tme 3Our Unversal AB-IBBE Scheme 31 Our Constructon In ths secton we gve a unversal constructon for realzng Augmented Broadcaster Identty-based Broadcast Encrypton (AB-IBBE Usng our unversal AB-IBBE scheme any IND--CPA secure IBBE scheme can be converted nto an AB-IBBE scheme Let I be an IND-- CPA secure IBBE scheme The symbol wth suffx I stand for the content of I such as MSK-I stands for the master secret key of I Setup It s the same as the Setup algorthm of I In the end t outputs a master secret key MSK P = MSK I and a publc key PK P = PK I Extract Ths algorthm s a probablstc algorthm conssts of two sub-algorthms that are executed by PKG and a broadcaster respectvely Extract-P It s the same as the Extract algorthm of I It outputs the recever s partal key sk P = sk I Extract-P A recever wth dentty regsters to a broadcaster Let S = { 1 s } where s m S s the set of the regstered recevers denttes and S The broadcaster constructs one blnear map system G = (N = p 1 G G T e ( where p 1 are three dstnct prmes Let G p denote the subgroup of G where G p = p and = 1 3 Randomly chooses g h u 1 u m α r 1 and R R It outputs 3 j {d 0 d 1 d } = { e( g r R g α (h s sk r R } B = In the end the recever obtans ntegrated prvate key sk = {sk P sk B} Encrypt Ths s a probablstc algorthm consst of two steps 1 It s the same as the Encrypt algorthm of I It outputs (Hdr K = (Hdr I K I 30 Journal of Dgtal Informaton Management Volume 11 Number 3 June 013

5 Takes as nput authorzed recevers set S and (Hdr K t outputs (Hdr K where Hdr = (C 0 C 1 C = (e ( g g αs s Hdr (h k g k j Then K s used to be encrypton key of a symmetrc encrypton algorthm Decrypt Ths s a determnstc algorthm consst of two steps 1 Takes as nput sk B authorzed recevers set S and e(d 1 C 1 C 0 Hdr t computes Hdr = e(d C It s the same as the Decrypt algorthm of I and outputs K Then K s used to recover cphertexts Effcency In our constructon the sze of sk B s O (1 Compared wth Hdr Hdr only ncreases two group elements In addton the broadcaster does not need publsh the partal publc key whch corresponds to the partal prvate key sk B 3 Correctness Analyss Due to the orthogonalty property of group G p 1 and G s such that e(r k = 1 e (R g k j (h = 1 Hence e g r s k R h j e (g g αk Hdr e(d 1 C 1 C 0 e(d C = e g α s r h j R g k e g r s h = k s j e R h e (g α g k e h e (g g αk Hdr = e (g α g k = Hdr r s j g k k j e (g g αk Hdr e (R g k 33 Securty Analyss Securty analyss conssts of three theorems The proof of Theorem 1 s based on dual system encrypton and through three lemmas In dual system encrypton [1 ] the reducton s through a sequence of games These games are progressvely lberalzed lmts n the end reduced to mpossble Both prvate keys and cphertexts have two types whch are normal and sem-functonal Semfunctonal prvate keys and sem-functonal cphertexts are only used n proof Normal secret keys can decrypt normal and sem-functonal cphertexts Sem-functonal secret keys can decrypt normal cphertexts However sem-functonal secret keys can not decrypt semfunctonal cphertexts Frst choose a generator g of G p and defne semfunctonal keys and sem-functonal cphertexts n the followng manner Sem-functonal keys Choose random β β for Transform normal key sk B = {d 0 d 1 d } nto semfunctonal key sk B = {d 0 d 1 d β }= {d 0 d 1 g β d g β } Sem-functonal cphertexts Choose random γ γ for Transform normal cphertext Hdr = (C 0 C 1 C nto sem-functonal cphertext Hdr = (C 0 C 1 C = γ (C 0 C 1 g γ γ C g The proof of the securty wll use a sequence of games Let π denotes the number of key queres and 0 k π We defne these games as: Game Real : The real IND--CPA secure DshonestPKG game Game k : The game s the same as Game Real except that: (1 the challenge cphertext s sem-functonal ( The frst k keys are sem-functonal and the rest of keys are normal In Game 0 the challenge cphertext s semfunctonal and all keys are normal Both the challenge cphertext and keys of Game π are sem-functonal Game fnal : The game s the same as Game π except that the challenge cphertext s a sem-functonal encrypton on a random element of G T Lemma 1 Suppose there exsts an algorthm A such that Adv Game = ε Then there exsts an algorthm Adv Game Real 0 B wth advantage ε n breakng Assumpton 1 Proof B frst receves g and T 1 3 Setup It selects α a 1 a m b randomly and sets PK = (g h = g b u 1 = g a 1 u m = g a m v = e (g g α Query phase 1 A adaptvely ssues queres q 1 q q t In each query q A adaptvely selects users set S where S m S and makes a key query for B selects r t w randomly sets sk B = {d 0 d 1 d }= ( e ( g r X t 3 g α S j r w (h X 3 Journal of Dgtal Informaton Management Volume 11 Number 3 June

6 Challenge A chooses two messages Hdr 0 Hdr 1 and a challenger dentty set S * wth no revealed dentty n query phase 1 where S * m B chooses random η {0 1} and sets S * Σ a * + b Hdr * = {C 0 C 1 C }= Hdr η e (T g α j j T T Query phase A adaptvely ssues queres q t+1 q t+ q π These queres are the same as query phase 1 wth constrant S * Guess A outputs a guess η {0 1}and wns the game f η = η If T Hdr * s a normal cphertext and f T p Hdr * s a sem-functonal cphertext Therefore B 1 canuse the outputs of A to dstngush T 1 from T wth advantage ε Lemma Suppose there exsts an algorthm A such that Adv Game = ε where 1 k π Then there Adv Game k 1 1 k exsts an algorthm B wth advantage ε n breakng Assumpton Proof B frst receves g X 1 X Y T where g X 1 X Y It works as follows: Setup It selects α a1a m b randomly and sets PK = (g h = g b u 1 = g a 1 u m = g a m v = e (g g α Query phase 1 A adaptvely ssues queres q 1 q q t In each query q A adaptvely selects users set S where S m S and makes a key query for A selects random r t w 1 For < k B sets sk B = {d 0 d 1 d }= ( e ( g r (Y t g α (h u j r j (Y For = k B sets S* Σ sk B = {d 0 d 1 d }= ( e ( T g α a + b j j * Τ X w 3 S 3 For > k B sets sk B = {d 0 d 1 d }= ( e ( g r t X 3 g α S j r w (h X 3 Challenge A chooses two messages Hdr 0 Hdr 1 and a challenger dentty set S * wth no revealed dentty n query phase 1 where S * m B chooses η {0 1} randomly and sets Hdr * = {C 0 C 1 C }= Hdr η e (X 1 X g α S* Σ (X 1 X a * + b j j w X 1 X Query phase A adaptvely ssues queres q t+1 q t+ q π These queres are the same as query phase 1 wth constrant S * Guess A outputs a guessη {0 1} and wns the game f η = η If T p the above procedure s Game k 1 and f 1 T G the above procedure s Game k Therefore B can use the outputs of A to dstngush T 1 from T wth advantage ε Lemma 3 Suppose there exsts an algorthm A such that Adv Game Adv Game = ε Then there exsts an algorthm B π fnal wth advantage ε n breakng Assumpton 3 Proof B frst receves g g α X g s Y Z T where g G p X Y Z a s Setup It selects a 1 a m b randomly and sets PK = (g h = g b u 1 = g a 1 u m = g a m v = e (g X g α Game 1 3 Query phase 1 A adaptvely ssues queres q 1 q q t In each query q A adaptvely selects users set S where S m S and makes a key query for B selects c r t w randomly and sets sk B = {d 0 d 1 d }= ( e ( g r z Z t X 3 g α X k 1 (h S j r c Z w Y 3 Challenge A chooses two messages Hdr 0 Hdr 1 and a challenger dentty set S * wth no revealed dentty n query phase 1 where S * m B chooses η {0 1}randomly and sets S* Σ a + b j j Hdr * = {C g s Y 0 C 1 C }= M η T (g s Y Query phase A adaptvely ssues queres q t+1 q t+ q π These queres are same as query phase 1 wth constrant S * Guess A outputs a guessη {0 1} and wns the game f η = η If T = e (g g αs then Hdr * s a sem-functonal cphertext of Hdr η If T s a random element of G T then Hdr * s a semfunctonal cphertext of random message Therefore B can use the outputs of A to dstngush T 1 from T wth advantage ε Theorem 1 If Assumpton 1 and 3 are rght then Adv DPKG (t π m A s neglgble n polynomal tme Proof: Accordng to Lemma 1-3 f assumpton 1 and 3 3 Journal of Dgtal Informaton Management Volume 11 Number 3 June 013

7 hold then Game Real and Game fnal are ndstngushable The adversary s advantage n Game Real s neglgble Hence Adv DPKG (t π m A s neglgble n polynomal tme Theorem If I s IND--CPA secure then Adv (t π m A s neglgble n polynomal tme Proof: We use proof by contradcton to prove ths theorem Suppose there exsts polynomal tme algorthm A whch can wn the IND--CPA game for AB-IBBE wth advantage ε Then we can use A to construct a polynomal tme algorthm B wth advantage ε such that B can wn the IND--CPA game for I Ths contradcts that I s IND- -CPA secure Therefore Adv (t π m A s neglgble n polynomal tme Theorem 3 Our Augmented Broadcaster Identty-based Broadcast Encrypton (AB-IBBE scheme s IND--CPA secure Proof Accordng to Theorem 1 Theorem and Defnton 4 Theorem 3 s obvous 4 Conclusons In order to solve key escrow problem for Pont-to-Multpont Identty-based Broadcast Encrypton (PMIBBE we propose Augmented Broadcaster Identty-based Broadcast Encrypton (AB-IBBE and construct a unversal scheme for realzng AB-IBBE In the prvate key extracton phase t requres nether submttng dentty to multple PKGs nor nteracton between PKG and the recever and the recever does not need any calculatng operaton Desgnng a scheme that the recever can jon and leave dynamcally or acheves IND--CCA securty s an open problem 5 Acknowledgements Ths work was supported by Bejng Natural Scence Foundaton (No: 4104 and the Nova Programma (No: 007B-001 References [1] Fat A Naor M (1994 Broadcast Encrypton In: Proceedngs of Advances n Cryptology- Crypto 93 LNCS 773 p Berln: Sprnger-Verlag [] Naor D Naor M Lotspech J (001 Revocaton and Tracng Schemes for Stateless Recevers In: Proceedngs of Crypto 01 LNCS p 41-6 Berln: Sprnger-Verlag [3] Dan H Ad S (00 The lsd broadcast encrypton scheme In: Proceedngs of Advances n Cryptology- Crypto 0 LNCS 44 p Berln: Sprnger-Verlag [4] Goodrch M T Sun J Z Tamassa R (004 Effcent tree-based revocaton n groups of low-state devces In: Proceedngs of Advances n Cryptology-Crypto 04 LNCS 315 p Berln: Sprnger-Verlag [5] Boneh D Gentry C Waters B (005 Colluson resstant broadcast encrypton wth short cphertexts and prvate keys In: Proceedngs of Advances n Cryptology- CRYPTO 05 LNCS Berln: Sprnger- Verlag [6] Phan D H Pontcheval D Shahandasht S F Streer M (005 Adaptve CCA Broadcast Encrypton wth Constant-Sze Secret Keys and Cphertexts In: Proceedngs of Advances n ACISP LNCS Berln: Sprnger-Verlag [7] Delerablée C (007 Identty-Based Broadcast Encrypton wth Constant Sze Cphertexts and Prvate Keys In: Proceedngs of Advances n Cryptology- ASIACRYPT 07 LNCS Berln: Sprnger-Verlag [8] Boneh D Hamburg M (008 Generalzed Identtybased and Broadcast Encrypton Schemes In: Proceedngs of Advances n Asacrypt 08 LNCS 5350 p Berln: Sprnger-Verlag [9] Gentry C Waters B (009 Adaptve securty n broadcast encrypton systems In: Proceedngs of Advances n EURO-CRYPT 09 LNCS 5479 p Berln: Sprnger-Verlag [10] Gentry C Waters B (009 Adaptve Securty n Broadcast Encrypton Systems In: Proceedngs of Advances n Cryptology-Eurocrypt 09 LNCS 5479 p Berln: Sprnger-Verlag [11] Boneh D Frankln M (001 Identty-Based Encrypton from the Wel Parng In: Proceedngs of Advances n Cryptology-Crypto 01 LNCS Berln: Sprnger-Verlag [1] Grault M Self-certfed publc keys In: Proceedngs of Advances n Cryptolog -Eurocrypt 91 LNCS 547 p Berln: Sprnger-Verlag [13] Al-ryam S Paterson K (003 Certfcateless Publc Key Cryptosystems In: Proceedngs of Advances n Cryptology-Asacrypto LNCS 33 p Berln: Sprnger-Verlag [14] Yum D Lee P (004 Generc Constructon of Certfcateless Encrypton In: Computatonal Scence and ts Applcaton-ICCSA LNCS 3043 p [15] Lbert B Qusquater J (006 On Constructng Certgcateless Cryptosystems from Identty Based Encrypton In: Proceedngs of the 9 th nternatonal conference on Theory and Practce of Publc-Key Cryptography LNCS 3958 p Berln: Sprnger- Verlag Journal of Dgtal Informaton Management Volume 11 Number 3 June

8 [16] Lu J Au M Suslo W (007 Self-generatedcertfcate publc key cryptography and certfcateless sgnature/encrypton scheme n the standard model In: ASIACCS [17] Goyal V (007 Reducng Trust n the PKG n Identty-Based Cryptosystems In: Proceedngs of Advances n Cryptology-Crypto LNCS 46 p Berln: Sprnger-Verlag [18] Lbert B Vergnaud D (009 Towards black-box accountable authorty IBE wth short cphertexts and prvate keys In: Proceedngs of Advances n PKC 09 LNCS Berln: Sprnger-Verlag [19] Xu P Cu G H Fu C et al (010 A more effcent accountable authorty IBE scheme under the DL assumpton Sc chna nf Sc 53: [0] Guo S Zhang C (008 Identty-based broadcast encrypton scheme wth untrusted pkg In: ICYCS p IEEE Computer Socety [1] Zhao X W Zhang F G (01 Fully CCA secure dentty-based broadcast encrypton wth black-box accountable authorty The Journal of Systems and Software [] Waters B (009 Dual System Encrypton: Realzng Fully Secure IBE and HIBE under Smple Assumptons In: Proceedngs of Advances n Cryptology-Crypto 09 LNCS 5677 p Berln: Sprnger-Verlag (The full paper appeared Cryptology eprnt Archve Report 009/ 385 [3] Lewko A Waters B (010 New Technques for Dual System Encrypton and Fully Secure HIBE wth Short CphertextsIn: Proceedngs of the 7 th Theory of Cryptography Conference LNCS 5978 p Berln: Sprnger-Verlag [4] Boneh D Goh E Nssm K Evaluatng -DNF Formulas on Cphertexts In: Theory of Cryptography LNCS Berln: Sprnger-Verlag 34 Journal of Dgtal Informaton Management Volume 11 Number 3 June 013