Lower Bounds for Private Broadcast Encryption

Broadcast encryption is a type of encryption where the sender can choose a subset from a set of designated receivers on the fly and enable them to decrypt a ciphertext while simultaneously preventing any other party from doing so. The notion of private broadcast encryption extends the primitive to a setting where one wishes to thwart an attacker that additionally attempts to extract information about what is the set of enabled users (rather than the contents of the ciphertext). In this work we provide the first lower bounds for the ciphertext size of private broadcast encryption. We first formulate various notions of privacy for broadcast encryption, (priv-eq, priv-st and priv-full) and classify them in terms of strength. We then show that any private broadcast encryption scheme in the sense of priv-eq (our weakest notion) that satisfies a simple structural condition we formalize and refer to as "atomic" is restricted to have ciphertexts of size Ω(s·k) where s is the cardinality of the set of the enabled users and k is the security parameter. We then present an atomic private broadcast encryption scheme with ciphertext size Θ(s·k) hence matching our lower bound that relies on key privacy of the underlying encryption. Our results translate to the setting priv-full privacy for a ciphertext size of Θ(n ·k) where n is the total number of users while relying only on KEM security. We finally consider arbitrary private broadcast encryption schemes and we show that in the priv-full privacy setting a lower-bound of Ω(n+k) for every ciphertext is imposed. This highlights the costs of privacy in the setting of broadcast encryption where much shorter ciphertexts have been previously attained with various constructions in the non-privacy setting.

[1]  Douglas R. Stinson,et al.  Advances in Cryptology — CRYPTO’ 93 , 2001, Lecture Notes in Computer Science.

[2]  A. Maximov,et al.  Fast computation of large distributions and its cryptographic applications , 2005 .

[3]  Marc Fischlin,et al.  Public Key Cryptography – PKC 2012 , 2012, Lecture Notes in Computer Science.

[4]  Tal Rabin Advances in Cryptology - CRYPTO 2010, 30th Annual Cryptology Conference, Santa Barbara, CA, USA, August 15-19, 2010. Proceedings , 2010, CRYPTO.

[5]  Financial Cryptography , 1997, Lecture Notes in Computer Science.

[6]  Brent Waters,et al.  Privacy in Encrypted Content Distribution Using Private Broadcast Encryption , 2006, Financial Cryptography.

[7]  Moti Yung,et al.  Advances in Cryptology — CRYPTO 2002 , 2002, Lecture Notes in Computer Science.

[8]  Marc Fischlin,et al.  Public Key Cryptography - PKC 2012 - 15th International Conference on Practice and Theory in Public Key Cryptography , 2012 .

[9]  Nelly Fazio,et al.  Outsider-Anonymous Broadcast Encryption with Sublinear Ciphertexts , 2012, Public Key Cryptography.

[10]  Michael T. Goodrich,et al.  Efficient Tree-Based Revocation in Groups of Low-State Devices , 2004, CRYPTO.

[11]  Moni Naor,et al.  Revocation and Tracing Schemes for Stateless Receivers , 2001, CRYPTO.

[12]  Peng Ning,et al.  Storage-Efficient Stateless Group Key Revocation , 2004, ISC.

[13]  Cécile Delerablée,et al.  Identity-Based Broadcast Encryption with Constant Size Ciphertexts and Private Keys , 2007, ASIACRYPT.

[14]  Madhur Tulsiani,et al.  Time Space Tradeoffs for Attacks against One-Way Functions and PRGs , 2010, CRYPTO.

[15]  Aggelos Kiayias,et al.  Self Protecting Pirates and Black-Box Traitor Tracing , 2001, CRYPTO.

[16]  Matthew Franklin,et al.  Advances in Cryptology – CRYPTO 2004 , 2004, Lecture Notes in Computer Science.

[17]  Kaoru Kurosawa,et al.  Advances in Cryptology - ASIACRYPT 2007, 13th International Conference on the Theory and Application of Cryptology and Information Security, Kuching, Malaysia, December 2-6, 2007, Proceedings , 2007, International Conference on the Theory and Application of Cryptology and Information Security.

[18]  Victor Shoup,et al.  A Proposal for an ISO Standard for Public Key Encryption , 2001, IACR Cryptol. ePrint Arch..

[19]  Brent Waters,et al.  Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys , 2005, CRYPTO.

[20]  Victor Shoup Advances in Cryptology - CRYPTO 2005: 25th Annual International Cryptology Conference, Santa Barbara, California, USA, August 14-18, 2005, Proceedings , 2005, CRYPTO.

[21]  Amos Fiat,et al.  Broadcast Encryption , 1993, CRYPTO.

[22]  Yevgeniy Dodis,et al.  Public Key Broadcast Encryption for Stateless Receivers , 2002, Digital Rights Management Workshop.

[23]  Marc Fischlin,et al.  Public key cryptography -- PKC 2012 : 15th International Conference on Practice and Theory in Public Key Cryptography, Darmstadt, Germany, May 21-23 2012 : proceedings , 2012 .

[24]  Kenneth G. Paterson,et al.  Anonymous Broadcast Encryption: Adaptive Security and Efficient Constructions in the Standard Model , 2012, Public Key Cryptography.

[25]  Hideki Imai,et al.  Graph-Decomposition-Based Frameworks for Subset-Cover Broadcast Encryption and Efficient Instantiations , 2005, ASIACRYPT.

[26]  Adi Shamir,et al.  The LSD Broadcast Encryption Scheme , 2002, CRYPTO.

[27]  Joseph Bonneau,et al.  What's in a Name? , 2020, Financial Cryptography.