ContributoryBroadcastEncryptionwithEfficientEncryptionandShortCiphertexts资源-CSDN文库

30 浏览量 2021-02-21 18:24:47 上传评论收藏 424KB PDF 举报

标题所表达的知识点为：一种具有高效加密和短密文的协作广播加密（Contributory Broadcast Encryption, ConBE）。这种加密方式允许发送者通过一个公共的广播加密方案向服务的任意子集发送信息，并且在不依赖完全可信的分发者的情况下，每个组成员都会拥有一个解密密钥。在描述中，提及了传统的广播加密（BE）和组密钥协商（GKA）协议，并提出了一种新的混合原语ConBE，旨在结合这两种方案的优势，既能实现发送者选择接收者子集进行解密，又能保证安全性。从文章提供的摘录中可以得知，ConBE是一种新的加密模型，它允许组成员通过协商形成一个公共的加密密钥，同时每个成员保留自己的私密解密密钥。这种模型不同于传统的BE，后者需要一个可信的第三方来分发解密密钥；ConBE也不同于GKA，后者只允许组内的成员对加密消息进行解密，而不能排除特定成员。ConBE的模型优势在于，发送者可以限制密文只被他选择的成员子集解密。在研究论文中，作者提出了一个具有短密文特性的ConBE方案，并在标准模型下证明了其完全抗合谋攻击（collusion-resistant）的特性，这是基于决策性n-双线性Diffie-Hellman指数假设（decisional n-Bilinear Diffie-Hellman Exponentiation, BDHE）。此外，作者还提出了一个可聚合的BE方案，这说明了聚合能力（aggregatability）是构建高级协议的一个有用特性。下面，我们深入探讨以上提及的关键概念和知识点： 1. 广播加密（Broadcast Encryption，BE）：这是公钥加密的一种形式，它允许发送者向一组用户的任意子集安全地广播信息。传统的BE方案中，为了确保安全性，通常需要一个完全可信的第三方机构来分发解密密钥。BE的关键挑战是如何在不增加密钥分发负担的同时，允许灵活选择消息接收者。 2. 组密钥协商（Group Key Agreement, GKA）：GKA协议使得一群成员可以通过开放网络协商出一个共享的加密密钥。通过这种协议，只有组成员才能解密被共享加密密钥加密的密文。GKA的一个主要问题是，发送者不能指定排除某个特定的成员来解密信息。 3. 协作广播加密（Contributory Broadcast Encryption, ConBE）：ConBE是BE和GKA的结合体，它既具有BE发送者选择接收者子集的能力，又继承了GKA的组成员密钥协商机制。在ConBE中，每个成员都参与公共加密密钥的生成，并拥有自己的私密解密密钥。发送者可以使用公共加密密钥来加密信息，并限制只有特定的成员子集可以解密。 4. 完全抗合谋攻击（Fully collusion-resistant）：在密码学中，抗合谋攻击是指加密方案对多个用户共谋攻击的能力。完全抗合谋攻击意味着即使所有非目标用户联合起来，也无法解密他们没有权限的信息。 5. 决策性n-Bilinear Diffie-Hellman Exponentiation（BDHE）假设：这是一个数学难题假设，它是在密码学安全性证明中经常使用的一个基础。在标准模型下基于BDHE假设证明安全性，意味着即使攻击者拥有强大的计算能力，也无法破解系统。 6. 可聚合性（Aggregatability）：这指的是某些加密方案可以将多个密文合并为一个较短的单一密文，同时保持加密信息的安全性。这种性质可以用来构建更高效的加密协议，因为它减少了必要的密文大小。这项研究的重点在于提供了一种新的加密方案，能够在保证安全性和效率的同时，满足即时通讯、协作计算、移动自组织网络和社交网络等现代通信技术平台上的需求。这篇论文对于理解如何构建在实际应用中既高效又安全的加密解决方案具有重要的意义。

资源推荐

资源详情

资源评论

Contributory Broadcast Encryption with Efﬁcient

Encryption and Short Ciphertexts

Qianhong Wu, Member, IEEE, Bo Qin, Lei Zhang, Member, IEEE,

Josep Domingo-Ferrer, Fellow, IEEE, Oriol Farr



as, and Jes



us A. Manj



Abstract—Broadcast encryption (BE) schemes allow a sender to securely broadcast to any subset of members but require a trusted

party to distribute decryption keys. Group key agreement (GKA) protocols enable a group of members to negotiate a common

encryption key via open networks so that only the group members can decrypt the ciphertexts encrypted under the shared encryption

key, but a sender cannot exclude any particular member from decrypting the ciphertexts. In this paper, we bridge these two notions with

a hybrid primitive referred to as contributory broadcast encryption (ConBE). In this new primitive, a group of members negotiate a

common public encryption key while each member holds a decryption key. A sender seeing the public group encryption key can limit

the decryption to a subset of members of his choice. Following this model, we propose a ConBE scheme with short ciphertexts. The

scheme is proven to be fully collusion-resistant under the decision n-Bilinear Difﬁe-Hellman Exponentiation (BDHE) assumption in the

standard model. Of independent interest, we present a new BE scheme that is aggregatable. The aggregatability property is shown to

be useful to construct advanced protocols.

Index Terms—Broadcast encryption, group key agreement, contributory broadcast encryption, provable security

1INTRODUCTION

ITH the fast advance and pervasive deployment of

communication technologies, there is an increasing

demand of versatile cryptographic primitives to protect

group communications and computation platforms. These

new platforms include instant-messaging tools, colla-

borative computing, mobile ad hoc networks and social

networks. These new applications call for cryptographic

primitives allowing a sender to securely encrypt to any sub-

set of the users of the services without relying on a fully

trusted dealer. Broadcast encryption (BE) [1] is a well-stud-

ied primitive intended for secure group-oriented communi-

cations. It allows a sender to securely broadcast to any

subset of the group members. Nevertheless, a BE system

heavily relies on a fully trusted key server who generates

secret decryption keys for the members and can read all the

communications to any members.

Group key agreement (GKA) is another well-understood

cryptographic primitive to secure group-oriented communi-

cations. A conventional GKA [2] allows a group of members

to establish a common secret key via open networks. How-

ever, whenever a sender wants to send a message to a

group, he must ﬁrst join the group and run a GKA protocol

to share a secret key with the intended members. More

recently, and to overcome this limitation, Wu et al. intro-

duced asymmetric GKA [3], in which only a common group

public key is negotiated and each group member holds a

different decryption key. However, neither conventional

symmetric GKA nor the newly introduced asymmetric

GKA allow the sender to unilaterally exclude any particular

member from reading the plaintext.

Hence, it is essential

to ﬁnd more ﬂexible cryptographic primitives allowing

dynamic broadcasts without a fully trusted dealer.

1.1 Our Contributions

We present the Contributory Broadcast Encryption

(ConBE) primitive, whic h is a hybrid of GKA and BE.

Compared to its preliminary Asiacrypt 2011 v ersion [5],

this full paper provides c omplete security proofs, illus-

trates the necessity of the aggregatability of the underly-

ing BE building block and shows the practicality of our

ConBE scheme with experiments.Speciﬁcally,ourmain

contributions are as follows.

First, we model the ConBE primitive and formalize its

security deﬁnitions. ConBE incorporates the underlying

ideas of GKA and BE. A group of members interact via

 Q. Wu is with the School of Electronics and Information Engineering,

Beihang University, and the State Key Laboratory of Integrated Services

Networks, Xidian University and State Key Laboratory of Information

Security, Institute of Information Engineering, Chinese Academy of Scien-

ces, Beijing 100093, China. E-mail: qianhong.wu@buaa.edu.cn.

 B. Qin is with the Key Laboratory of Data Engineering and Knowledge

Engineering (Renmin University of China) Ministry of Education, School

of Information, Renmin University of China, ZhongGuanCun Street No.

59, Haidian District, Beijing, China. E-mail: bo.qin@ruc.edu.cn.

 L. Zhang is with the Shanghai Key Laboratory of Trustworthy Computing,

Software Engineering Institute, East China Normal University, Shanghai,

China. E-mail: leizhang@sei.ecnu.edu.cn.

 J. Domingo-Ferrer, O. Farr



as, and J. A. Manj



on are with the Universitat

Rovira i Virgili, Department of Computer Engineering and Mathematics,

UNESCO Chair in Data Privacy, Tarragona, Catalonia.

E-mail: {josep.domingo, oriol.farras, jesus.manjon}@urv.cat.

Manuscript received 3 Sept. 2013; revised 15 Feb. 2015; accepted 8 Mar. 2015.

Date of publication 2 Apr. 2015; date of current version 15 Jan. 2016.

Recommended for acceptance by J.L. Beuchat.

For information on obtaining reprints of this article, please send e-mail to:

reprints@ieee.org, and reference the Digital Object Identiﬁer below.

Digital Object Identiﬁer no. 10.1109/TC.2015.2419662

1. Dynamic symmetric GKA equipped with a leave sub-protocol

allows the members to exclude some members from decrypting cipher-

texts. In this case, if the sender (who is also a group member) wants to

exclude some other members, he/she has to seek the agreement of the

remaining members to run the leave sub-protocol. The sender cannot

exclude any member unilaterally.

466 IEEE TRANSACTIONS ON COMPUTERS, VOL. 65, NO. 2, FEBRUARY 2016

0018-9340 ß 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.

See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

open networks to negotiate a public encryption key while

each member holds a different secret decryption key. Using

the public encryption key, anyone can encrypt any message

to any subset of the group members and only the intended

receivers can decrypt. Unlike GKA, ConBE allows the

sender to exclude some members from reading the cipher-

texts. Compared to BE, ConBE does not need a fully trusted

third party to set up the system. We formalize collusion

resistance by deﬁning an attacker who can fully control all

the members outside the intended receivers but cannot

extract useful information from the ciphertext.

Second, we present the notion of aggregatable broadcast

encryption (AggBE). Coarsely speaking, a BE scheme is

aggregatable if its secure instances can be aggregated into a

new secure instance of the BE scheme. Speciﬁcally, only the

aggregated decryption keys of the same user are valid

decryption keys corresponding to the aggregated public keys

of the underlying BE instances. We observe that the aggregat-

ability of AggBE schemes is necessary in the construction of

our ConBE scheme and the BE schemes in the literature are

not aggregatable. We construct a concrete AggBE scheme

tightly proven to be fully collusion-resistant under the deci-

sion BDHE assumption. The proposed AggBE scheme offers

efﬁcient encryption/decryption and short ciphertexts.

Finally, we construct an efﬁcient ConBE scheme with our

AggBE scheme as a building block. The ConBE construction

is proven to be semi-adaptively secure under the decision

BDHE assumption in the standard model. Only one round

is required to establish the public group encryption key and

set up the ConBE system. After the system set-up, the stor-

age cost of both the sender and the group members is OðnÞ,

where n is the number of group members participating in

the set-up stage. However, the online complexity (which

dominates the practicality of a ConBE scheme) is very low.

We also illustrate a trade-off between the set-up complexity

and the online performance. After a trade-off, the variant

has Oðn

2=3

Þ complexity in communication, computation and

storage. This is comparable to up-to-date regular BE

schemes which have Oðn

1=2

Þ complexity in the same perfor-

mance metrics, but our scheme does not require a trusted

key dealer. We conduct a series of experiments and the

experimental results validate the practicality of our scheme.

1.2 Potential Applications

A potential application of our ConBE is to secure data

exchanged among friends via social networks. Since the

Prism scandal [4], people are increasingly concerned about

the protection of their personal data shared with their friends

over social networks. Our ConBE can provide a feasible solu-

tion to this problem. Indeed, Phan et al. [6] underlined the

applications of our ConBE [5] to social networks. In this sce-

nario, if a group of users want to share their data without let-

ting the social network operator know it, they can use our

ConBE scheme. Since the setup procedure of our ConBE only

requires one round of communication, each member of the

group just needs to broadcast one message to other intended

members in a send-and-leave way, without the synchroniza-

tion requirement. After receiving the messages from the

other members, all the members share the encryption key

that allows any user to selectively share his/her data to any

subgroup of the members. Furthermore, it also allows

sensitive data to be shared among different groups. Other

applications may include instant messaging among family

members, secure scientiﬁc research tasks jointly conducted

by scientists from different places, and disaster rescue using

a mobile ad hoc network. A common feature of these scenar-

ios is that a group of users would like to exchange sensitive

data but a fully trusted third party is unavailable. Our ConBE

provides an efﬁcient solution to these applications.

1.3 Related Work

A number of works have addressed key agreement proto-

cols for multiple parties. The schemes due to Ingemarsson

et al. [2] and Steiner et al. [7] are designed for n parties and

require OðnÞ rounds. Tree key structures have been further

proposed, reducing the number of rounds to Oðlog nÞ [8],

[9], [10]. Multi-round GKA protocols pose a synchronism

requirement: in order to complete the protocol, all the group

members have to stay online simultaneously. How to opti-

mize the round complexity of GKA protocols has been stud-

ied in several works (e.g., [11], [12], [13]). In [14], Tzeng

presented a constant-round GKA protocol that can identify

cheaters. Subsequently, Yi [15] constructed a fault-tolerant

protocol in an identity-based setting. Burmester and Des-

medt [16] proposed a two-round n-party GKA protocol for

n parties. The Joux protocol [17] is one-round and only

applicable to three parties. The work of Boneh and Silver-

berg [18] shows a one-round ðn þ 1Þ-party GKA protocol

with n-linear pairings.

Dynamic GKA protocols provide extra mechanisms to

handle member changes. Bresson et al. [19], [20] extended

the protocol in [21] to dynamic GKA protocols that allow

members to leave and join the group. The number of rounds

in the set-up=join algorithms of the Bresson et al.’s protocols

[19], [20] is linear with the group size, but the number of

rounds in the leave algorithm is constant. The theoretical

analysis in [22] shows that for any tree-based group key

agreement scheme, the lower bound of the worst-case cost

is Oðlog nÞ rounds of interaction for a member to join or

leave. Without relying on a tree-based structure, Kim et al.

[23] proposed a two-round dynamic GKA protocol.

Recently, Abdalla et al. [24] presented a two-round dynamic

GKA protocol in which only one round is required to cope

with the change of members if they are in the initial group.

Jarecki et al. [25] presented a robust two-round GKA proto-

col in which a session key can be established even if some

participants fail during the execution of the protocol.

Observing that existing GKA protocols cannot handle

sender/member changes efﬁciently, Wu et al. presented a

group key management protocol [26] in which a change of

the sender or monotone exclusion of group members does

not require extra communication, and changes of other

members require one extra round.

BE is another well-established cryptographic primitive

developed for secure group communications. As the core of

BE is to generate and distribute the key materials to the par-

ticipants, BE schemes are also referred to as key distribution

schemes in some scenarios. While digital rights manage-

ment motivated most previous BE schemes [27], [28], recent

efforts [29], [30], [31], [32], [33], [34], [35] are devoted to

modifying BE or key distribution technologies in view of

WU ET AL.: CONTRIBUTORY BROADCAST ENCRYPTION WITH EFFICIENT ENCRYPTION AND SHORT CIPHERTEXTS 467

securing emerging information systems such as sensor net-

works, mobile ad hoc networks, vehicular networks, etc.

BE schemes in the literature can be classiﬁed into two cat-

egories, i.e., symmetric-key BE [1] and public-key BE [36]. In

the symmetric-key setting, only the trusted center generates

all the secret keys and broadcasts messages to users. Hence,

only the key generation center can be the broadcaster or the

sender. Similarly to the GKA setting, tree-based key struc-

tures were independently proposed to improve efﬁciency in

symmetric-key BE systems [37], [38], and further improved

in [39] with Oðlog nÞ keys. Cheon et al. [40] presented an

efﬁcient symmetric BE scheme allowing new members to

join the protocol anytime. Harn and Lin [41] proposed a

group key transfer protocol. Their protocol is based on

secret sharing and is considerably efﬁcient, albeit it cannot

revoke (compromised) users.

In the public-key BE setting, the trusted center also gen-

erates a public key for all the users so that any one can play

the role of a broadcaster or sender. Naor and Pinkas pre-

sented in [36] the ﬁrst public-key BE scheme in which up to

a threshold of users can be revoked. Subsequently, [42] pre-

sented a fully collusion-resistant public-key BE scheme

exploiting new bilinear pairing technologies in which the

key size, the ciphertext size, and the computation costs

are Oð

ﬃﬃﬃ

Þ. The scheme in [43] slightly reduces the size of

the key and the ciphertexts, although it still has sub-linear

complexity. The schemes presented in [44] strengthen the

security concept of public-key BE schemes. As to perfor-

mance, the sub-linear barrier Oð

ﬃﬃﬃ

Þ has not yet been bro-

ken. In [45], Lewko et al. proposed two elegant schemes

with constant public and secret keys, although their cipher-

text size is linear with the number of the revoked users,

which is OðnÞ in the worst case.

1.4 Paper Organization

The rest of this paper is organized as follows. In Section 2,

we model ConBE and deﬁne its security. In Section 3, we

present a collusion-resistant regular public-key BE scheme

with aggregatability. Efﬁcient ConBE schemes are realized

in Section 4. We analyze the performance of our scheme in

Section 5 and provide detailed proofs for the security results

in Section 6. Finally, Section 7 concludes the paper.

2MODELING CONTRIBUTORY BROADCAST

ENCRYPTION

We begin by formalizing the ConBE notion bridging the

GKA and BE primitives. In ConBE, a group of members ﬁrst

jointly establish a public encryption key; then a sender can

freely select which subset of the group members can

decrypt the ciphertext. Since the negotiated public key is

usually employed to transmit session keys, we deﬁne a

ConBE scheme as a key encapsulation mechanism (KEM).

2.1 Syntax

We ﬁrst deﬁne the algorithms that compose a ConBE

scheme. Let  2 N denote the security parameter. Suppose

that a group of members fU

; ...; U

g want to jointly estab-

lish a ConBE system, where n is a positive integer and each

member U

is indexed by i for 1  i  n. To focus on ConBE,

we assume that the communications between members are

authenticated. However, we do not assume any conﬁdential

channel during the execution of the protocol. Formally, a

ConBE scheme ðParaGen; CBSetup; CBEncrypt; CBDecryptÞ

consists of the following four polynomial-time algorithms.

^ ParaGen(1



). This algorithm is used to generate global

parameters. It takes as input a security parameter  and it

outputs the system parameters, including the group size n.

^ CBSetup(U

ðx

Þ; ...; U

ðx

Þ). This interactive algorithm

is jointly run by members U

, ..., U

to set up a BE scheme.

Each member U

takes private input x

(and her/his random

coins representing the member’s random inner state infor-

mation). The communications between members go

through authenticated and public channels. The algorithm

will either abort or successfully terminate. If it terminates

successfully, each user U

outputs a decryption key dk

securely kept by the user and a common group encryption

key gek shared by all the group members. The group

encryption gek is publicly accessible. If the algorithm aborts,

it outputs NULL. Here, we leave the input system parame-

ters implicit. We denote this procedure by ðU

ðdk

Þ; ...;

ðdk

Þ; gekÞ CBSetupðU

ðx

Þ, ..., U

ðx

ÞÞ.

^ CBEncryptðS; gekÞ. This group encryption algorithm is

run by a sender who is assumed to know the public group

encryption key. The sender may or may not be a group

member. The algorithm takes as inputs a receiver set

S f1; ...;ng and the public group encryption key gek, and

it outputs a pair ðc; Þ, where c is the ciphertext and  is the

secret session key in a key space K. Then ðc; SÞ is sent to the

receivers.

^ CBDecrypt(S;j;dk

;c). This decryption algorithm is run

by each intended receiver j 2 S. It takes as inputs the

receiver set S, index j, the receiver’s decryption key dk

, and

a ciphertext c, and it outputs the secret session key .

A ConBE scheme is correct if the members in the receiver

set can always correctly decrypt when the members and the

sender follow the scheme honestly. Formally, it is deﬁned

as follows.

Deﬁnition 1 (Correctness). A ConBE scheme is said to be cor-

rect if for any parameter  2 N and any element  in the ses-

sion key space, ðU

ðdk

Þ; ...; U

ðdk

Þ; gekÞ CBSetup

ðU

ðx

Þ; ...; U

ðx

ÞÞ, and ðc, Þ CBEncrypt ðS, gekÞ,it

holds that CBDecryptðS, j, dk

, cÞ =  for any j 2 S.

A trivial ConBE scheme can be constructed by concur-

rently encrypting to each member with her/his public key

in a traditional public-key cryptosystem. Unfortunately, the

trivial solution incurs a heavy encryption cost and produces

ciphertexts whose size grows linearly with the number of

receivers. Another option would be a BE scheme in which

the public key is obtained by means of a multiparty compu-

tation protocol, but it would require extra communication

and point-to-point conﬁdential channels between the users.

The challenge is to design ConBE schemes with efﬁcient

encryption and short ciphertexts.

2.2 Security Deﬁnitions

We next deﬁne the security of a ConBE scheme. Several meth-

ods have been proposed to transform public key encryption

(PKE) with security against chosen-plaintext attacks (CPA)

into encryption against adaptively chosen-ciphertext attacks

468 IEEE TRANSACTIONS ON COMPUTERS, VOL. 65, NO. 2, FEBRUARY 2016

剩余13页未读，继续阅读

评论收藏

内容反馈

weixin_38707192

粉丝: 3
资源: 921

Contributory Broadcast Encryption with Efficient Encryption and ...

最新资源

Contributory Broadcast Encryption with Efficient Encryption and ...

Ciphertext-Policy Hierarchical Attribute-Based Encryption with Short Ciphertexts

Efficient and adaptively secure broadcast encryption systems

Encryption加密

broadcast功能大集合

Broadcast广播的使用

Struts2上传所需jar包

struts1.3.9.zip

英语万能句型模板

用--保险基本原则试题(含答案).doc

高中英语一轮复习精品学案：M3Unit2 Language.docx

基于CORDIC的反正弦和反余弦计算的FPGA实现

BA无标度网络中的SIR模型

使用3DCNN和卷积LSTM进行手势识别学习时空特征

基于三次贝塞尔曲线的类汽车曲率连续路径平滑

基于机器学习的设备剩余寿命预测方法综述

基于维纳过程的退化模型，具有递归过滤算法，可用于估计剩余使用寿命

基于FPGA的奇异值和特征值分解的快速实现。

基于BP神经网络的人口预测

磁悬浮系统自适应模糊PID控制器的设计

无人机协同目标的多无人机协同搜索方法

两轮平衡车的建模与控制研究

基于改进遗传算法的六自由度机器人时间最优轨迹规划

一种基于深度学习的机械臂抓取方法

基于深度神经网络的交通流量预测

一种去除ECG中基线漂移和工频干扰的高效滤波方法

适用于1-8GHz宽带应用的原始Vivaldi天线

最新资源

高中英语一轮复习精品学案：M3Unit2　Language.docx