Practical Broadcast Encryption from Graph-Theoretic Techniques and Subset-Incremental-Chain Structure

We present generic frameworks for constructing efficient broadcast encryption schemes in the subset-cover paradigm, introduced by Naor et al., based on various key derivation techniques. Our frameworks characterize any instantiation completely by its underlying graph decompositions, which are purely combinatorial in nature. This abstracts away the security of each instantiated scheme, which is guaranteed by the generic security proof of the framework, and thus gives flexibility in designing schemes. Behind these, we present new techniques based on (trapdoor) RSA accumulators, utilized to obtain practical performance. We then give some efficient instantiations from the frameworks via a new structure called the subset-incremental chain. Our first construction improves the currently best schemes, including the one proposed by Goodrich et al., by some factors without any further assumptions (only pseudo-random generators are used). The second instantiation, which is the most efficient, is based on RSA and directly improves the first scheme. Its ciphertext length is O(r), the key size is O(1), and its computational cost is O(n^{1/k} log^2 n) for any (arbitrarily large) constant k, where r and n are the number of revoked users and the number of all users respectively. To the best of our knowledge, this is the first explicit collusion-secure scheme in the literature that achieves both ciphertext size and key size independent of n simultaneously while keeping all other costs efficient, in particular sub-linear in n. The third scheme improves Gentry and Ramzan's scheme, which itself is more efficient than the above schemes in the aspect of asymptotic computational cost.
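The subset-cover paradigm and the RSA-accumulator-style key derivation the abstract refers to, as an added toy illustration (this is not the paper's construction and contains no code from it): users are the leaves of a binary tree, every tree node is a subset with a public prime, the Complete-Subtree method of Naor et al. picks the cover for a revoked set, and one Akl-Taylor style master key per user, K_u = g^{product of the primes of the subsets not containing u} mod N, lets the user derive the key of any subset containing it by a single exponentiation, while obtaining the key of a subset it is outside of would amount to taking a p_S-th root modulo N. The modulus, generator, prime assignment and XOR-with-SHA-256 masking of the session key are all toy choices made for this example.

```python
"""Toy subset-cover broadcast encryption (Complete-Subtree cover of
Naor et al.) with Akl-Taylor style RSA master-key derivation.
Added illustration only: this is NOT the paper's scheme, and the toy
modulus offers no security."""
import hashlib
import os
from math import prod

N_USERS = 8      # users sit at leaves 8..15 of a heap-indexed binary tree
ROOT = 1         # node v has children 2v and 2v+1; node v = subset of leaves below it


def first_primes(count):
    """First `count` primes; one public prime per tree node (subset)."""
    out, c = [], 2
    while len(out) < count:
        if all(c % p for p in out):
            out.append(c)
        c += 1
    return out


def ancestors(leaf):
    """All subsets (tree nodes) that contain this leaf, the leaf included."""
    v = leaf
    while v >= ROOT:
        yield v
        v //= 2


def leaves_under(node, n_users=N_USERS):
    lo = hi = node
    while lo < n_users:
        lo, hi = 2 * lo, 2 * hi + 1
    return range(lo, hi + 1)


def complete_subtree_cover(node, revoked, n_users=N_USERS):
    """Maximal subtrees containing no revoked leaf: the Complete-Subtree cover."""
    if not any(leaf in revoked for leaf in leaves_under(node, n_users)):
        return [node]
    if node >= n_users:          # revoked leaf: nothing to cover here
        return []
    return (complete_subtree_cover(2 * node, revoked, n_users)
            + complete_subtree_cover(2 * node + 1, revoked, n_users))


class Center:
    def __init__(self, n_users=N_USERS):
        # Toy RSA modulus with published factors (a real center keeps p, q as its trapdoor).
        p, q = 1000000007, 998244353
        self.N, self.g = p * q, 3
        nodes = range(ROOT, 2 * n_users)
        self.primes = dict(zip(nodes, first_primes(len(nodes))))   # public

    def public(self):
        return self.N, self.primes

    def subset_key(self, S):
        # K_S = g^{product of all node primes except p_S}
        return pow(self.g, prod(p for T, p in self.primes.items() if T != S), self.N)

    def user_key(self, leaf):
        # K_u = g^{product of primes of subsets NOT containing u}: the only secret a user stores
        outside = set(self.primes) - set(ancestors(leaf))
        return pow(self.g, prod(self.primes[T] for T in outside), self.N)


def derive_subset_key(leaf, user_key, S, public):
    """K_S = K_u^{product of primes of the other subsets containing u}; valid only when u is in S."""
    N, primes = public
    mine = set(ancestors(leaf))
    if S not in mine:
        raise ValueError("user is not in subset S; deriving K_S would need a p_S-th root mod N")
    return pow(user_key, prod(primes[T] for T in mine if T != S), N)


def _mask(key_int, nonce):
    """Toy KDF: SHA-256 of the subset key and a per-broadcast nonce."""
    return hashlib.sha256(key_int.to_bytes((key_int.bit_length() + 7) // 8, "big") + nonce).digest()


def encrypt(center, revoked, session_key, nonce=None):
    """Header = one masked copy of the session key per cover subset; its length is |cover|."""
    nonce = os.urandom(16) if nonce is None else nonce
    cover = complete_subtree_cover(ROOT, set(revoked))
    header = [(S, bytes(a ^ b for a, b in zip(session_key, _mask(center.subset_key(S), nonce))))
              for S in cover]
    return nonce, header


def decrypt(leaf, user_key, public, nonce, header):
    """Find the cover subset containing u, derive its key, unmask; None if u is revoked."""
    mine = set(ancestors(leaf))
    for S, ct in header:
        if S in mine:
            K_S = derive_subset_key(leaf, user_key, S, public)
            return bytes(a ^ b for a, b in zip(ct, _mask(K_S, nonce)))
    return None


if __name__ == "__main__":
    center = Center()
    sk = os.urandom(32)
    nonce, header = encrypt(center, {9, 13}, sk)          # revoke two of eight users
    print("cover subsets:", [S for S, _ in header])        # four subsets for r = 2
    print("user 8 recovers key:", decrypt(8, center.user_key(8), center.public(), nonce, header) == sk)
    print("revoked user 9 gets:", decrypt(9, center.user_key(9), center.public(), nonce, header))
```

The trade-off this toy makes visible is the one the abstract is about: the user key is already O(1) (one group element, the primes being public), but the Complete-Subtree header is O(r log(n/r)) subsets and the center's exponents are products of all 2n-1 node primes. The abstract's second instantiation targets an O(r) header with sub-linear computational cost at the same O(1) key size, which this toy does not achieve.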

[1] Reinhard Diestel, et al. Graph Theory, 1997.

[2] Michael T. Goodrich, et al. Efficient Tree-Based Revocation in Groups of Low-State Devices, 2004, CRYPTO.

[3] Kazukuni Kobara, et al. Sequential Key Derivation Patterns for Broadcast Encryption and Key Predistribution Schemes, 2003, ASIACRYPT.

[4] Hideki Imai, et al. Graph-Decomposition-Based Frameworks for Subset-Cover Broadcast Encryption and Efficient Instantiations, 2005, ASIACRYPT.

[5] Stafford E. Tavares, et al. Flexible Access Control with Master Keys, 1989, CRYPTO.

[6] Miodrag J. Mihaljevic. Key Management Schemes for Stateless Receivers Based on Time Varying Heterogeneous Logical Key Hierarchy, 2003, ASIACRYPT.

[7] Z. Star. An asymptotic formula in the theory of compositions, 1975.

[8] Dong Hoon Lee, et al. Generic Transformation for Scalable Broadcast Encryption Schemes, 2005, CRYPTO.

[9] Adi Shamir, et al. The LSD Broadcast Encryption Scheme, 2002, CRYPTO.

[10] Tomoyuki Asano. A Revocation Scheme with Minimal Storage at Receivers, 2002, ASIACRYPT.

[11] Brent Waters, et al. Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys, 2005, CRYPTO.

[12] Jonathan Katz, et al. Chosen-Ciphertext Security of Multiple Encryption, 2005, TCC.

[13] Dong Hoon Lee, et al. One-Way Chain Based Broadcast Encryption Schemes, 2005, EUROCRYPT.

[14] Moni Naor, et al. Revocation and Tracing Schemes for Stateless Receivers, 2001, CRYPTO.

[15] Josh Benaloh, et al. One-Way Accumulators: A Decentralized Alternative to Digital Signatures (Extended Abstract), 1994, EUROCRYPT.

[16] Selim G. Akl, et al. Cryptographic solution to a problem of access control in a hierarchy, 1983, TOCS.

[17] Amos Fiat, et al. Broadcast Encryption, 1993, CRYPTO.

[18] Dan Boneh, et al. Applications of Multilinear Forms to Cryptography, 2002, IACR Cryptol. ePrint Arch.

[19] Kazukuni Kobara, et al. Broadcast encryption with short keys and transmissions, 2003, DRM '03.

[20] Victor Shoup, et al. Sequences of games: a tool for taming complexity in security proofs, 2004, IACR Cryptol. ePrint Arch.

[21] Pil Joong Lee, et al. Efficient Broadcast Encryption Scheme with Log-Key Storage, 2006, Financial Cryptography.

[22] Peng Ning, et al. Storage-Efficient Stateless Group Key Revocation, 2004, ISC.

[23] Craig Gentry, et al. RSA Accumulator Based Broadcast Encryption, 2004, ISC.

[24] Jessica Staddon, et al. Combinatorial Bounds for Broadcast Encryption, 1998, EUROCRYPT.

[25] Hideki Imai, et al. Subset Incremental Chain Based Broadcast Encryption with Shorter Ciphertext, 2005.