Fully Distributed Broadcast Encryption

Broadcast encryption schemes rely on a centralized authority to generate decryption keys for each user. We observe that, when a broadcast encryption scheme is deployed for secret escrows, a dishonest dealer can read the escrowed secrets without leaving any witnesses. We present a new broadcast encryption paradigm, referred to as fully distributed broadcast encryption (FDBE), that does not suffer from this vulnerability. In the new paradigm there are multiple dealers, and any user can join the system by contacting at least a threshold number of them; secrets can then be encrypted to any subset of users so that only the intended receivers can decrypt, while an attacker learns nothing about the encrypted message even if the attacker controls all the users outside the receiver set and corrupts some dealers, provided that the number of corrupted dealers is below the threshold. We realize the first fully distributed broadcast encryption scheme, proven secure under the decision Bilinear Diffie-Hellman Exponentiation assumption in the standard model. A variant is also shown to achieve sub-linear complexity in public key, decryption key and ciphertext size, comparable to up-to-date regular broadcast encryption schemes that offer neither robustness nor strong security against misbehaving dealers.
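The threshold property the abstract relies on (a user obtains a usable key only by contacting at least t dealers, and any coalition of fewer than t dealers learns nothing about it) can be illustrated with Shamir secret sharing over a prime field. The following is an added example written for this page; it is not the paper's pairing-based FDBE construction and does not model the BDHE-based encryption at all. The field modulus, dealer count and the `deal_shares` / `join_system` / `share_consistent_with` names are constructed for the illustration.

```python
"""Threshold key issuance across multiple dealers, illustrated with Shamir
secret sharing over a prime field (added illustration, not the paper's
pairing-based scheme). Dealer i holds the point (i, f(i)) of a random
polynomial f of degree t-1 with f(0) = user key; any t points recover the
key, while t-1 points are consistent with every possible key."""

import secrets

# Constructed prime field modulus (Mersenne prime 2^127 - 1). A real
# deployment would use the group order of the pairing-based scheme.
P = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate sum(coeffs[i] * x^i) mod P with Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def _lagrange_eval(points, x):
    """Evaluate at x the unique polynomial of degree < len(points) that
    passes through every (xi, yi) in `points` (a dict xi -> yi)."""
    total = 0
    for xi, yi in points.items():
        num, den = 1, 1
        for xj in points:
            if xj != xi:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def deal_shares(user_key, threshold, num_dealers):
    """Split `user_key` among num_dealers dealers; any `threshold` suffice.

    Returns {dealer_index: share}. The constant term of the random
    polynomial is the key; the remaining t-1 coefficients are uniform.
    """
    if not 1 <= threshold <= num_dealers:
        raise ValueError("threshold must be in [1, num_dealers]")
    coeffs = [user_key % P] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return {i: _eval_poly(coeffs, i) for i in range(1, num_dealers + 1)}


def join_system(shares_from_dealers, threshold):
    """A user contacts some dealers and tries to derive their key.

    Returns the key if at least `threshold` dealers responded; with fewer
    responses there is no unique interpolant, so the user gets None.
    """
    if len(shares_from_dealers) < threshold:
        return None
    return _lagrange_eval(shares_from_dealers, 0)


def share_consistent_with(partial_shares, candidate_key, threshold, missing_x):
    """What dealer `missing_x` WOULD hold if the key were `candidate_key`.

    Given exactly t-1 shares, every candidate key fixes a distinct valid
    degree-(t-1) polynomial through those shares, so a coalition of t-1
    dealers cannot rule any key out. Used here to demonstrate that fact.
    """
    if len(partial_shares) != threshold - 1:
        raise ValueError("need exactly threshold-1 shares")
    pts = dict(partial_shares)
    pts[0] = candidate_key % P
    return _lagrange_eval(pts, missing_x)


if __name__ == "__main__":
    # Constructed demo: 5 dealers, threshold 3.
    key = secrets.randbelow(P)
    shares = deal_shares(key, threshold=3, num_dealers=5)
    print("3 dealers   ->", join_system({i: shares[i] for i in (1, 3, 5)}, 3) == key)
    print("2 dealers   ->", join_system({i: shares[i] for i in (1, 2)}, 3))
    partial = {i: shares[i] for i in (1, 2)}
    print("real key fits ->", share_consistent_with(partial, key, 3, 5) == shares[5])
    print("fake key fits ->", share_consistent_with(partial, key + 1, 3, 5) != shares[5])
```

The last two checks are the point a defender cares about: two corrupted dealers hold shares that are equally consistent with the real key and with any other key, so corruption below the threshold yields no information, which is the property the abstract requires of its dealers.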
