Broadcast Encryption with Guessing Secrecy

Abstract

Perfect secrecy, which is a fundamental security notion introduced by Shannon, guarantees that no information on plaintexts is leaked from corresponding ciphertexts in the information-theoretic sense. Although it captures the strongest security, it is well-known that the secret-key size must be equal or larger than the plaintext-size to achieve perfect secrecy. Furthermore, probability distribution on secret keys must be uniform. Alimomeni and Safavi-Naini (ICITS 2012) proposed a new security notion, called guessing secrecy, to relax the above two restrictions, and showed that unlike perfect secrecy, even non-uniform keys can be used for providing guessing secrecy. Iwamoto and Shikata (ISIT 2015) showed secure concrete constructions of a symmetric-key encryption scheme with non-uniform keys in the guessing secrecy framework. In this work, we extend their results to the broadcast encryption setting. We first define guessing secrecy of broadcast encryption, and show relationships among several guessing-secrecy notions and perfect secrecy. We derive lower bounds on secret keys, and show the Fiat-Naor one-bit construction with non-uniform keys is also secure in the sense of guessing secrecy.

Appendices

Appendix

A Lower Bounds for Perfectly Secure BE Schemes

Previous works [3, 16, 24] derived lower bounds on sizes of ciphertexts and secret keys required for perfectly secure BE schemes in various contexts. We here describe the bounds from [24] since it explicitly showed the lower bound on the encryption-key size.

Proposition 3

([24]). Let \(\varPi \) be an \((\le n,\le \omega )\)-\(\mathsf{PS}\) secure BE scheme. Then, it holds that for any \(\mathcal {P}\subset \mathcal {R}\),

$$\begin{aligned} H(C_\mathcal {P}) \ge H(M). \end{aligned}$$

Moreover, if \(H(C_{\mathcal {P}})=H(M)\) for any \(\mathcal {P}\subset \mathcal {R}\), it then holds that

$$\begin{aligned}&H(EK) \ge \sum _{j=0}^{\omega }\left( {\begin{array}{c}n\\ j\end{array}}\right) H(M), \\&H(DK_i) \ge \sum _{j=0}^{\omega }\left( {\begin{array}{c}n-1\\ j\end{array}}\right) H(M) \text { for every } i\in [n]. \end{aligned}$$

B The Fiat-Naor Construction with Various Biased Randomness

We consider a more complicated situation than the construction in Sect. 5. Suppose that \(\mathcal {M}=\mathcal {C}=\{0,1\}\), and \(P_M(0)=q\). We assume biased random sources \(R_{\mathcal {W}}\) which take values in \(\{0,1\}\) for any \(\mathcal {W}\in \mathscr {W}(\omega )\). We also assume \(P_{R_{\mathcal {W}}}(0)=p_{\mathcal {W}}\) for all \(\mathcal {W}\in \mathscr {W}(\mathcal {P},\omega )\).

We assume a biased random source \(R_{\mathcal {W}}\) which takes values in \(\{0,1\}\) such that \(P_{R_{\mathcal {W}}}(0)=p\) for any \(\mathcal {W}\in \mathscr {W}(\omega )\). Without loss of generality, we assume \(1/2 \le q <1\) and \(1/2 \le p_{\mathcal {W}} < 1\) for any \(\mathcal {W}\in \mathscr {W}(\mathcal {P},\omega )\).

Note that the construction is the same as the previous one (i.e., the modified Fiat-Naor construction). We then have the following theorem.

Theorem 4

A BE scheme \(\varPi \) given by the modified Fiat-Naor construction is \((\le n,\le \omega )\)-\(\mathsf{A}\text {-}\mathsf{GS}\) secure and achieves the shortest ciphertexts and keys if and only if \(\max \{p_{\mathcal {W}}\}_{\mathcal {W}\in \mathscr {W}(\mathcal {P},\omega )} \le q\).

Proof (Sketch)

As in the proof of Theorem 2, we fix some \(\mathcal {P}\subset \mathcal {R}\) such that \(|\mathcal {P}|=n-\omega \) and \(\mathcal {W}=\mathcal {R}\setminus \mathcal {P}\).

Then, we have

$$\begin{aligned}&\mathsf{A}\text {-}\mathsf{GS}(\varPi ,\mathcal {P},\mathcal {W}) \nonumber \\&\quad =\sum _{dk_\mathcal {W}\in \mathcal {DK}_\mathcal {W}} \sum _{c_{\mathcal {P}}\in \mathcal {C}_{\mathcal {P}}} \max _{m\in \mathcal {M}} P_{MC_{\mathcal {P}}DK_{\mathcal {W}}}(m, c_{\mathcal {P}}, dk_{\mathcal {W}}) \nonumber \\&\quad =\sum _{r_{\mathscr {W}^{(\mathcal {W})}}\in \{0,1\}^{|\mathscr {W}^{(\mathcal {W})}|}} \left( \max _{m\in \mathcal {M}} P_{MC_{\mathcal {P}}R_{\mathscr {W}^{(\mathcal {W})}}}(m, 0, r_{\mathscr {W}^{(\mathcal {W})}}) \right. \nonumber \\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad \qquad \left. + \max _{m\in \mathcal {M}} P_{MC_{\mathcal {P}}R_{\mathscr {W}^{(\mathcal {W})}}}(m, 1, r_{\mathscr {W}^{(\mathcal {W})}}) \right) \nonumber \\&\quad =\sum _{r_{\mathscr {W}^{(\mathcal {W})}}\in \{0,1\}^{|\mathscr {W}^{(\mathcal {W})}|}} P_{R_{\mathscr {W}^{(\mathcal {W})}}}(r_{\mathscr {W}^{(\mathcal {W})}}) \nonumber \\&\qquad \qquad \qquad \qquad \qquad \qquad \left( \max _{m\in \mathcal {M}} P_{MC_{\mathcal {P}}}(m, 0) + \max _{m\in \mathcal {M}} P_{MC_{\mathcal {P}}}(m, 1) \right) \\&\quad =\max _{m\in \mathcal {M}} P_{MC_{\mathcal {P}}}(m, 0) + \max _{m\in \mathcal {M}} P_{MC_{\mathcal {P}}}(m, 1), \nonumber \end{aligned}$$

(14)

where \(\mathscr {W}^{(\mathcal {W})}\), \(r_{\mathscr {W}^{(\mathcal {W})}}\), and \(R_{\mathscr {W}^{(\mathcal {W})}}\) are the same as those in Theorem 2, and Eq. (14) follows from \(r_{\mathscr {W}^{(\mathcal {W})}}\) is independent of \((m,r_{\mathcal {W}})\). Since it holds

$$\begin{aligned}&P_{MC_{\mathcal {P}}}(0,0)=p_{\mathcal {W}}q, \ \&P_{MC_{\mathcal {P}}}(1,0)=p_{\mathcal {W}}(1-q),\\&P_{MC_{\mathcal {P}}}(0,1)=(1-p_{\mathcal {W}})q, \ \&P_{MC_{\mathcal {P}}}(1,1)=(1-p_{\mathcal {W}})(1-q), \end{aligned}$$

we have \(\mathsf{A}\text {-}\mathsf{GS}(\varPi ,\mathcal {P},\mathcal {W}) = p_{\mathcal {W}}q + \max \{p_{\mathcal {W}}(1-q), (1-p_{\mathcal {W}})q \}\). If \(p_{\mathcal {W}} \le q\), then we have \(\mathsf{A}\text {-}\mathsf{GS}(\varPi ,\mathcal {P},\mathcal {W}) = q = \max _{m\in \mathcal {M}}P_M(m)\). Otherwise, we have \(\mathsf{A}\text {-}\mathsf{GS}(\varPi ,\mathcal {P},\mathcal {W}) = p_{\mathcal {W}} > q = \max _{m\in \mathcal {M}}P_M(m)\).

Therefore, it holds \(\mathsf{A}\text {-}\mathsf{GS}(\varPi )=\max _{m\in \mathcal {M}}P_M(m)\) if \(\max \{p_{\mathcal {W}}\}_{\mathcal {W}\in \mathscr {W}(\mathcal {P},\omega )} \le q\).    \(\square \)