Adaptively Secure Broadcast Encryption with Dealership

Abstract

In this paper, we put forward first adaptively chosen plaintext attack (CPA) secure broadcast encryption with dealership (BED) scheme in standard model. We achieve adaptive security in the standard model under reasonable assumption in contrast to semi-static security of Gritti et al. and selective security in random oracle model by Acharya et al. Our scheme also achieves privacy in form of hiding the group of subscribed users from broadcaster and supports maximum number of accountability under reasonable assumptions. Unlike the scheme of Gritti et al., our scheme does not need to rely on users’ response to detect the dishonest dealer like recently proposed scheme of Acharya et al.

A General Decisional Diffie-Hellman Exponent Problem [3]

We give an overview of General Decisional Diffie-Hellman Exponent problem in symmetric case. Let \(\mathbb {S}=(p,\mathbb {G},\mathbb {G}_1,e)\) is a bilinear group system. Let g be generator of group \(\mathbb {G}\) and set \(g_1=e(g,g)\). Let \(P,Q\in \mathbb {F}_p[X_1,\ldots ,X_n]^s\) be two s tuple of n variate polynomials over \(\mathbb {F}_p\). We write \(P=(p_1,\ldots ,p_s),Q=(q_1,\ldots ,q_s)\) and impose that \(p_1=1,q_1=1\). For a set \(\varOmega \), a function \(h:\mathbb {F}_p\rightarrow \varOmega \) and a vector \((x_1,\ldots ,x_n)\in {\mathbb { F}_p}^n\) we write,

$$h(P(x_1,\ldots ,x_n))=(h(p_1(x_1,\ldots ,x_n)),\ldots ,h(p_s(x_1,\ldots ,x_n)))\in \varOmega ^s.$$

We use similar notation for the s-tuple Q. A polynomial \(f\in \mathbb {F}_p[X_1,\ldots ,X_n]\) depends on P, Q if there exists \(a_{i,j},b_i(1\le i\le s)\in \mathbb { Z}_p\) such that

$$\begin{aligned} f=\sum _{1\le i,j\le s} a_{i,j}p_ip_j+\sum _{1\le i,j\le s} b_i q_i. \end{aligned}$$

Otherwise, f is independent of P, Q. The (P, Q, f)-General Decisional Diffie-Hellman Exponent ((P, Q, f)-GDDHE) problem is defined as follows:

Definition 8

((P, Q, f)-GDDHE:) Given \(H(x_1,\ldots ,x_n)=(g^{P(x_1,\ldots ,x_n)}, g_1^{Q(x_1,\ldots ,x_n)})\) and \(T \in \mathbb {G}_1\), decide whether \(T=g_1^{f(x_1,\ldots ,x_n)}\).

Boneh et al. [3] have proved that (P, Q, f)-GDDHE is intractable, if f does not depend on P, Q.

Hardness of l -wDABDHE assumption: Let us consider \(h=g^{\beta }\). If we formulate l-wDABDHE problem as the (P, Q, f)-GDDHE problem then

$$\begin{aligned} P=(1,\alpha ,\alpha ^2,\ldots , \alpha ^l,\beta , \beta \alpha ^{l+2},\ldots ,\beta \alpha ^{2l}) \end{aligned}$$

$$\begin{aligned} Q=(1) \end{aligned}$$

$$\begin{aligned} f=(\beta \alpha ^{l+1}) \end{aligned}$$

Following the technique of [8], it is easy to show that f does not depend on P, Q. So, cryptographic hardness of l-wDABDHE assumption follows.