Abstract
Perfect secrecy, a fundamental security notion introduced by Shannon, guarantees that ciphertexts leak no information about the corresponding plaintexts in the information-theoretic sense. Although it captures the strongest security, it is well known that the secret-key size must be at least as large as the plaintext size to achieve perfect secrecy, and that the probability distribution on secret keys must be uniform. Alimomeni and Safavi-Naini (ICITS 2012) proposed a new security notion, called guessing secrecy, to relax these two restrictions, and showed that, unlike perfect secrecy, guessing secrecy can be provided even with non-uniform keys. Iwamoto and Shikata (ISIT 2015) gave secure concrete constructions of symmetric-key encryption with non-uniform keys in the guessing-secrecy framework. In this work, we extend their results to the broadcast encryption setting. We first define guessing secrecy for broadcast encryption and show relationships among several guessing-secrecy notions and perfect secrecy. We derive lower bounds on secret-key sizes, and show that the Fiat-Naor one-bit construction with non-uniform keys is also secure in the sense of guessing secrecy.
Notes
1. For simplicity, we assume that all entities share the information on \(\mathcal {P}\) of \(c_\mathcal {P}\), e.g., by a publicly accessible authenticated bulletin board, and therefore we omit a description of \(\mathcal {P}\) from \(c_\mathcal {P}\).
2. For the lower bounds required for perfectly secure BE schemes, see Appendix A.
3. Information-theoretically secure schemes that attain all lower bounds on secret keys with equality are often said to be optimal. However, in this paper we do not use that terminology, to avoid confusion, since we already use it for \(\mathsf{O}\text {-}\mathsf{GS}\).
4. \(c_{\mathcal {P}}:=m \oplus r_{\{3,4\}} \oplus r_{\emptyset } \oplus r_{3} \oplus r_{4}\) in the original Fiat-Naor construction.
5.
References
Alimomeni, M., Safavi-Naini, R.: Guessing Secrecy. In: Smith, A. (ed.) ICITS 2012. LNCS, vol. 7412, pp. 1–13. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32284-6_1
Berkovits, S.: How to broadcast a secret. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 535–541. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_50
Blundo, C., Cresti, A.: Space requirements for broadcast encryption. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 287–298. Springer, Heidelberg (1995). https://doi.org/10.1007/BFb0053444
Blundo, C., Mattos, L.A.F., Stinson, D.R.: Trade-offs between communication and storage in unconditionally secure schemes for broadcast encryption and interactive key distribution. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 387–400. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_29
Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 258–275. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_16
Chen, H., Ling, S., Padró, C., Wang, H., Xing, C.: Key predistribution schemes and one-time broadcast encryption schemes from algebraic geometry codes. In: Parker, M.G. (ed.) IMACC 2009. LNCS, vol. 5921, pp. 263–277. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10868-6_16
Cover, T.M., Thomas, J.A.: Elements of Information Theory, 2nd edn. Wiley-Interscience (2006)
Csiszár, I., Koerner, J.: Information Theory: Coding Theorems for Discrete Memoryless Systems, 2nd edn. Cambridge University Press, Cambridge (2011)
Dodis, Y., Fazio, N.: Public key broadcast encryption for stateless receivers. In: Feigenbaum, J. (ed.) DRM 2002. LNCS, vol. 2696, pp. 61–80. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-44993-5_5
Dodis, Y., Smith, A.: Entropic security and the encryption of high entropy messages. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 556–577. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30576-7_30
Fiat, A., Naor, M.: Broadcast encryption. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 480–491. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_40
Garay, J.A., Staddon, J., Wool, A.: Long-lived broadcast encryption. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 333–352. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_21
Gentry, C., Waters, B.: Adaptive security in broadcast encryption systems (with short ciphertexts). In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 171–188. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_10
Iwamoto, M., Shikata, J.: Constructions of symmetric-key encryption with guessing secrecy. In: IEEE International Symposium on Information Theory 2015, pp. 725–729, June 2015
Iwamoto, M., Shikata, J.: Information theoretic security for encryption based on conditional Rényi entropies. In: Padró, C. (ed.) ICITS 2013. LNCS, vol. 8317, pp. 103–121. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-04268-8_7
Kurosawa, K., Yoshida, T., Desmedt, Y., Burmester, M.: Some bounds and a construction for secure broadcast encryption. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 420–433. Springer, Heidelberg (1998). https://doi.org/10.1007/3-540-49649-1_33
Luby, M., Staddon, J.: Combinatorial bounds for broadcast encryption. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 512–526. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054150
Naor, D., Naor, M., Lotspiech, J.: Revocation and tracing schemes for stateless receivers. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 41–62. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_3
Padró, C., Gracia, I., Martín, S.: Improving the trade-off between storage and communication in broadcast encryption schemes. Discrete Appl. Math. 143(1–3), 213–220 (2004)
Padró, C., Gracia, I., Martín, S., Morillo, P.: Linear broadcast encryption schemes. Discrete Appl. Math. 128(1), 223–238 (2003)
Phan, D.H., Pointcheval, D., Strefler, M.: Security notions for broadcast encryption. In: Lopez, J., Tsudik, G. (eds.) ACNS 2011. LNCS, vol. 6715, pp. 377–394. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21554-4_22
Russell, A., Wang, H.: How to fool an unbounded adversary with a short key. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 133–148. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_9
Shannon, C.E.: Communication theory of secrecy systems. Bell Syst. Tech. J. 28, 656–715 (1949)
Watanabe, Y., Hanaoka, G., Shikata, J.: Unconditionally secure revocable storage: tight bounds, optimal construction, and robustness. In: Nascimento, A.C.A., Barreto, P. (eds.) ICITS 2016. LNCS, vol. 10015, pp. 213–237. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-49175-2_11
Watanabe, Y., Shikata, J.: Unconditionally secure broadcast encryption schemes with trade-offs between communication and storage. IEICE Trans. 99–A(6), 1097–1106 (2016)
Yamamoto, H.: Rate-distortion theory for the Shannon cipher system. IEEE Trans. Inf. Theory 43(3), 827–835 (1997)
Acknowledgments
We would like to thank the anonymous reviewers for their fruitful comments. We would also like to thank Junji Shikata for his feedback. The author is supported by a JSPS Research Fellowship for Young Scientists. This work was supported by Grant-in-Aid for JSPS Fellows Grant Numbers JP16J10532 and JP17H01752.
Appendix
A Lower Bounds for Perfectly Secure BE Schemes
Previous works [3, 16, 24] derived lower bounds on the sizes of ciphertexts and secret keys required for perfectly secure BE schemes in various settings. Here we describe the bounds from [24], since that work explicitly shows the lower bound on the encryption-key size.
Proposition 3
([24]). Let \(\varPi \) be an \((\le n,\le \omega )\)-\(\mathsf{PS}\) secure BE scheme. Then, it holds that for any \(\mathcal {P}\subset \mathcal {R}\),
Moreover, if \(H(C_{\mathcal {P}})=H(M)\) for any \(\mathcal {P}\subset \mathcal {R}\), it then holds that
B The Fiat-Naor Construction with Various Biased Randomness
We consider a more general situation than the construction in Sect. 5. Suppose that \(\mathcal {M}=\mathcal {C}=\{0,1\}\) and \(P_M(0)=q\). We assume biased random sources \(R_{\mathcal {W}}\) taking values in \(\{0,1\}\) for any \(\mathcal {W}\in \mathscr {W}(\omega )\), with \(P_{R_{\mathcal {W}}}(0)=p_{\mathcal {W}}\) for all \(\mathcal {W}\in \mathscr {W}(\mathcal {P},\omega )\); that is, each source may have its own bias. Without loss of generality, we assume \(1/2 \le q <1\) and \(1/2 \le p_{\mathcal {W}} < 1\) for any \(\mathcal {W}\in \mathscr {W}(\mathcal {P},\omega )\).
Note that the construction is the same as the previous one (i.e., the modified Fiat-Naor construction). We then have the following theorem.
Theorem 4
A BE scheme \(\varPi \) given by the modified Fiat-Naor construction is \((\le n,\le \omega )\)-\(\mathsf{A}\text {-}\mathsf{GS}\) secure and achieves the shortest ciphertexts and keys if and only if \(\max \{p_{\mathcal {W}}\}_{\mathcal {W}\in \mathscr {W}(\mathcal {P},\omega )} \le q\).
Proof (Sketch)
As in the proof of Theorem 2, we fix some \(\mathcal {P}\subset \mathcal {R}\) such that \(|\mathcal {P}|=n-\omega \) and \(\mathcal {W}=\mathcal {R}\setminus \mathcal {P}\).
Then, we have
where \(\mathscr {W}^{(\mathcal {W})}\), \(r_{\mathscr {W}^{(\mathcal {W})}}\), and \(R_{\mathscr {W}^{(\mathcal {W})}}\) are the same as those in Theorem 2, and Eq. (14) follows because \(r_{\mathscr {W}^{(\mathcal {W})}}\) is independent of \((m,r_{\mathcal {W}})\). Since it holds that
we have \(\mathsf{A}\text {-}\mathsf{GS}(\varPi ,\mathcal {P},\mathcal {W}) = p_{\mathcal {W}}q + \max \{p_{\mathcal {W}}(1-q), (1-p_{\mathcal {W}})q \}\). If \(p_{\mathcal {W}} \le q\), then we have \(\mathsf{A}\text {-}\mathsf{GS}(\varPi ,\mathcal {P},\mathcal {W}) = q = \max _{m\in \mathcal {M}}P_M(m)\). Otherwise, we have \(\mathsf{A}\text {-}\mathsf{GS}(\varPi ,\mathcal {P},\mathcal {W}) = p_{\mathcal {W}} > q = \max _{m\in \mathcal {M}}P_M(m)\).
Therefore, \(\mathsf{A}\text {-}\mathsf{GS}(\varPi )=\max _{m\in \mathcal {M}}P_M(m)\) holds if \(\max \{p_{\mathcal {W}}\}_{\mathcal {W}\in \mathscr {W}(\mathcal {P},\omega )} \le q\).    \(\square \)
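As an added worked check (not part of the paper), the following Python brute-forces \(\mathsf{A}\text {-}\mathsf{GS}(\varPi ,\mathcal {P},\mathcal {W})\) for the one-bit Fiat-Naor construction of note 4 with \(n=4\), \(\omega =2\), \(\mathcal {P}=\{1,2\}\), \(\mathcal {W}=\{3,4\}\), enumerating the coalition's full view (ciphertext plus every key it holds), and compares the result with the closed form in the proof sketch of Theorem 4. The key indexing, the `bias` map and the constructed bias values are my own assumptions; only \(p_{\mathcal {W}}\) should affect the result, which is why the other keys are given a bias far from it.

```python
from fractions import Fraction
from itertools import combinations, product

def fiat_naor_subsets(users, omega):
    """Key indices of the one-bit Fiat-Naor scheme (note 4): every X subset of R
    with |X| <= omega. User i holds r_X exactly when i is not in X."""
    return [frozenset(c) for k in range(omega + 1) for c in combinations(users, k)]

def guessing_prob(users, omega, receivers, bias):
    """Brute-force A-GS(Pi, P, W) for W = R \\ P: sum, over every view the coalition
    can observe, of the probability of the most likely plaintext given that view.
    bias[X] = P[R_X = 0] for each key index X; bias["m"] = P[M = 0] = q."""
    subsets = fiat_naor_subsets(users, omega)
    W = frozenset(users) - frozenset(receivers)
    masks = [X for X in subsets if X <= W]       # keys XORed into c_P, as in note 4
    known = [X for X in subsets if not W <= X]   # some colluder i in W lies outside X
    joint = {}                                   # view -> {m: P[M = m, view]}
    for m, *key_bits in product((0, 1), repeat=1 + len(subsets)):
        r = dict(zip(subsets, key_bits))
        pr = bias["m"] if m == 0 else 1 - bias["m"]
        for X in subsets:                        # keys are independent of each other and of m
            pr *= bias[X] if r[X] == 0 else 1 - bias[X]
        c = m
        for X in masks:
            c ^= r[X]
        view = (c, tuple(r[X] for X in known))
        joint.setdefault(view, {0: Fraction(0), 1: Fraction(0)})[m] += pr
    return sum(max(probs.values()) for probs in joint.values())

def closed_form(q, p_w):
    """Expression derived in the proof sketch of Theorem 4."""
    q, p_w = Fraction(q), Fraction(p_w)
    return p_w * q + max(p_w * (1 - q), (1 - p_w) * q)

def example(p_w, q="3/5"):
    """n = 4, omega = 2, P = {1, 2}, W = {3, 4}. All biases are constructed values:
    every key other than r_W is given bias 9/10 to show it does not matter."""
    users, omega, receivers = (1, 2, 3, 4), 2, (1, 2)
    bias = {X: Fraction(9, 10) for X in fiat_naor_subsets(users, omega)}
    bias[frozenset({3, 4})] = Fraction(p_w)     # p_W, the only bias that matters
    bias["m"] = Fraction(q)
    return guessing_prob(users, omega, receivers, bias)

if __name__ == "__main__":
    for p_w in ("1/2", "3/5", "7/10"):
        # p_W <= q gives A-GS = q (secure); p_W > q gives A-GS = p_W > q
        print(p_w, example(p_w), closed_form("3/5", p_w))
```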
© 2017 Springer International Publishing AG
Cite this paper
Watanabe, Y. (2017). Broadcast Encryption with Guessing Secrecy. In: Shikata, J. (ed.) Information Theoretic Security. ICITS 2017. Lecture Notes in Computer Science, vol. 10681. Springer, Cham. https://doi.org/10.1007/978-3-319-72089-0_3
DOI: https://doi.org/10.1007/978-3-319-72089-0_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-72088-3
Online ISBN: 978-3-319-72089-0