Ternary subset difference revocation in public key framework supporting outsider anonymity

Abstract

Broadcast encryption (BE) is a cryptographic primitive which sends encrypted message to the users securely. The BE scheme proposed by Naor, Naor, and Lotspiech (NNL) in 2001 is a popular BE scheme which uses a binary tree. The advanced access content system standard suggested to use it for digital right management in Blue-ray and DVD-discs. This paper puts forward an efficient broadcast encryption in public key setting employing ternary tree subset difference method for revocation. Our approach utilizes composite order bilinear group setting to achieve the tree based construction in public key setting. Our second construction is an extension of our first construction and provides outsider-anonymity by disabling the revoked users from getting any information of message and concealing the set of subscribed users from the revoked users. The construction of Fazio and Perera is the closest one to that of our second scheme (as both of these construction are in public key setting and provides outsider-anonymity). We have reduced the ciphertext size from \(r\log N/r\) to min\(\{N/3,N-r,2r-1\}.\) Thus reduces the communication bandwidth. We have also reduced the public key size. Our constructions enjoy the revocation property. Both of our constructions achieve selective semantic security in the standard model under reasonable assumptions and new users can join without updating the pre-existing setup.

Appendix

Derive The Derive algorithm works as follows:

Remark

\({\widetilde{sk}}_{u,v_i^{(l_i)},v_j^{(l_j)}}^{(d)}\) can be used to decrypt the ciphertext. Re-randomization is used to re-randomize the secret key obtained in delegation procedure. Note that, the delegation procedure does not need MK and consequently can be run by any entity, who knows the upper level secret key \(sk_{u,v_i^{(l_i)},v_{j-1}^{(l_{j-1})}}\) to derive secret key \(\{sk_{u,v_i^{(l_i)},J}|J=v_{j}^{(l_{j_1})},v_{j}^{(l_{j_2})}, v_{j}^{(l_{j_1})}+v_{j}^{(l_{j_2})}\}\). If we don’t use re-randomization procedure then every secret key \(\{sk_{u,v_i^{(l_i)},J}|J=v_{j}^{(l_{j_1})},v_{j}^{(l_{j_2})}, v_{j}^{(l_{j_1})}+v_{j}^{(l_{j_2})}\}\) generated from \(sk_{u,v_i^{(l_i)},v_{j-1}^{(l_{j-1})}}\), will have same randomization exponents \(r_1,r_2\). Dividing first component of \(sk_{u,v_i^{(l_i)},v_{j}^{(l_{j_1})}+v_{j}^{(l_{j_2})}}^{(d)}\) by that of \(sk_{u,v_i^{(l_i)},v_{j}^{(l_{j_2})}}^{(d)}\), we obtain \({\Big (h_j^{I_j^{(l_j)}}\Big )}^{r_1}\). Dividing first component of \(sk_{u,v_i^{(l_i)},v_{j}^{(l_{j_1})}}^{(d)}\) by \({\Big (h_j^{I_j^{(l_j)}}\Big )}^{r_1}\), we can get first component of \(sk_{u,v_i^{(l_i)},v_{j-1}^{(l_{j-1})}}^{(d)}\). If the hanging nodes are already revoked users and now u revoke, then \(sk_{u,v_i^{(l_i)},v_{j-1}^{(l_{j-1})}}^{(d)}\) will decrypt the ciphertext (following Decrypt algorithm). Thus a revoked user is still able to recover the message. Re-randomization procedure solves the problem.

Correctness of re-randomization algorithm In Delegation procedure, we generate

$$\begin{aligned} {\widetilde{sk}}_{u,v_i^{(l_i)},v_j^{(l_j)}}^{(d)}= & {} \left( \zeta _0,\zeta _1,\zeta _2, \eta _{j+1}, \eta _{j+2}, \ldots , \eta _{L}\right) \\= & {} \Big (a_0 {(b_j)}^{I_j^{(l_j)}},a_1,a_2,b_{j+1},\ldots ,b_{L}\Big )\\= & {} \Big (w.(v\displaystyle \prod _ {k=i}^{j} h_k^{I_k^{(l_k)}})^{r_1} f^{r_2},g^{r_1},g^{r_2},h_{j+1}^{r_1},\ldots ,h_L^{r_1}\Big ). \\ {\widetilde{sk}}_{u,v_i^{(l_i)},v_j^{(l_j)}}^{(r)}= & {} \Big ( (\theta _0^{(x)}, \theta _1^{(x)}, \theta _2^{(x)}, \phi _{j+1}^{(x)}, \phi _{j+2}^{(x)}, \ldots , \phi _{L}^{(x)})_{x=1,2}\Big )\\= & {} \Big (\big (\alpha _0^{(x)}({\beta _j^{(x)}})^{I_j^{(l_j)}}, \alpha _1^{(x)}, \alpha _2^{(x)}, \beta _{j+1}^{(x)},\ldots ,\beta _L^{(x)}\big )_{x=1,2}\Big )\\= & {} \Big (\big ( (v\displaystyle \prod _ {k=i}^{j}h_k^{I_k^{(l_k)}})^{s_1^{(x)}}f^{s_2^{(x)}},g^{{s_1}^{(x)}},g^{{s_2}^{(x)}},h_{j+1}^{{s_1}^{(x)}},\ldots ,h_L^{{s_1}^{(x)}}\big )_{x=1,2}\Big ). \end{aligned}$$

In re-randomization procedure we set,

$$\begin{aligned} sk_{u,v_i^{(l_i)},v_j^{(l_j)}}^{(d)}= & {} \Big (\zeta _0 {(\theta _0^{(1)})}^{\gamma _1} ({\theta _0 ^{(2)}})^{\delta _1}, \zeta _1 ({\theta _1^{(1)}})^{\gamma _1} ({\theta _1 ^{(2)}})^{\delta _1}, \zeta _2 ({\theta _2^{(1)}})^{\gamma _1} ({\theta _2 ^{(2)}})^{\delta _1},\\&\eta _{j+1}({\phi _{j+1}^{(1)}})^{ \gamma _1}({\phi _{j+1}^{(2)}})^{ \delta _1}, \ldots , \eta _{L}({\phi _{L}^{(1)}})^{ \gamma _1}({\phi _{L}^{(2)}})^{ \delta _1}\Big )\\= & {} \Big (w.(v\displaystyle \prod _ {k=i}^{j} h_k^{I_k^{(l_k)}})^{\widetilde{r_1}} f^{\widetilde{r_2}},g^{\widetilde{r_1}}, g^{\widetilde{r_2}},h_{j+1}^{\widetilde{r_1}},\ldots ,h_L^{\widetilde{r_1}}\Big ), \end{aligned}$$

where \(\widetilde{r_1}= r_1+s_1^{(1)}{\gamma }_ 1+ s_1^{(2)} {\delta }_1\) and \(\widetilde{r_2}= r_2+s_2^{(1)}{\gamma }_ 1+ s_2^{(2)} {\delta }_1.\)

$$\begin{aligned} sk_{u,v_i^{(l_i)},v_j^{(l_j)}}^{(r)}= & {} \Big (\big (({\theta _0^{(1)}})^{\gamma _x}({\theta _0 ^{(2)}})^{\delta _x} ,({\theta _1^{(1)}}) ^{\gamma _x}( {\theta _1 ^{(2)}})^{\delta _x},({\theta _2^{(1)}})^{\gamma _x}( {\theta _2 ^{(2)}})^{\delta _x},\\&({\phi _{j+1}^{(1)}})^{ \gamma _x}({\phi _{j+1}^{(2)}})^{ \delta _x},\ldots ,({\phi _{L}^{(1)}})^{ \gamma _x}({\phi _{L}^{(2)}})^{ \delta _x}\big )_{x=2,3}\Big ).\\= & {} \Big (\big ((v\displaystyle \prod _ {k=i}^{j}h_k^{I_k^{(l_k)}})^{\widetilde{s}_1^{(x)}}f^{\widetilde{s}_2^{(x)}},g^{\widetilde{s}_1^{(x)}}, g^{\widetilde{s}_2^{(x)}},h_{j+1}^{\widetilde{s}_1^{(x)}},\ldots ,h_L^{\widetilde{s}_1^{(x)}}\big )_{x=1,2}\Big ), \end{aligned}$$

where \(\widetilde{s}_1^{(1)}= s_1^{(1)}{\gamma }_ 2+ s_1^{(2)} {\delta }_2,\widetilde{s}_1^{(2)}=s_1^{(1)}{\gamma }_ 3+ s_1^{(2)} {\delta }_3 , \widetilde{s}_2^{(1)}=s_2^{(1)}{\gamma }_ 2+ s_2^{(2)} {\delta }_2, \widetilde{s}_2^{(2)}=s_2^{(1)}{\gamma }_ 3+ s_2^{(2)} {\delta }_3.\)