This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TC.2015.2419662, IEEE Transactions on Computers
IEEE TRANSACTIONS ON COMPUTERS, VOL. XXX, NO. XXX, XXX 2015

Contributory Broadcast Encryption with Efficient Encryption and Short Ciphertexts

Qianhong Wu, Member, IEEE, Bo Qin, Lei Zhang, Member, IEEE, Josep Domingo-Ferrer, Fellow, IEEE, Oriol Farràs, and Jesus A. Manjon

Abstract—Traditional broadcast encryption (BE) schemes allow a sender to securely broadcast to any subset of members but require a trusted party to distribute decryption keys. Group key agreement (GKA) protocols enable a group of members to negotiate a common encryption key via open networks so that only the group members can decrypt the ciphertexts encrypted under the shared encryption key, but a sender cannot exclude any particular member from decrypting the ciphertexts. In this paper, we bridge these two notions with a hybrid primitive referred to as contributory broadcast encryption (ConBE). In this new primitive, a group of members negotiate a common public encryption key while each member holds a decryption key. A sender seeing the public group encryption key can limit the decryption to a subset of members of his choice. Following this model, we propose a ConBE scheme with short ciphertexts. The scheme is proven to be fully collusion-resistant under the decision n-Bilinear Diffie-Hellman Exponentiation (BDHE) assumption in the standard model. Of independent interest, we present a new BE scheme that is aggregatable. The aggregatability property is shown to be useful to construct advanced protocols.

Index Terms—Broadcast encryption, group key agreement, contributory broadcast encryption, provable security.

I. INTRODUCTION

With the fast advance and pervasive deployment of communication technologies, there is an increasing demand for versatile cryptographic primitives to protect group communications and computation platforms. These new platforms include instant-messaging tools, collaborative computing, mobile ad hoc networks and social networks. These new applications call for cryptographic primitives allowing a sender to securely encrypt to any subset of the users of the services without relying on a fully trusted dealer. Broadcast encryption (BE) [1] is a well-studied primitive intended for secure group-oriented communications. It allows a sender to securely broadcast to any subset of the group members. Nevertheless, a BE system heavily relies on a fully trusted key server who generates secret decryption keys for the members and can read all the communications to any members.

Group key agreement (GKA) is another well-understood cryptographic primitive to secure group-oriented communications. A conventional GKA [2] allows a group of members to establish a common secret key via open networks. However, whenever a sender wants to send a message to a group, he must first join the group and run a GKA protocol to share a secret key with the intended members. More recently, and to overcome this limitation, Wu et al. introduced asymmetric GKA [3], in which only a common group public key is negotiated and each group member holds a different decryption key. However, neither conventional symmetric GKA nor the newly introduced asymmetric GKA allow the sender to unilaterally exclude any particular member from reading the plaintext¹. Hence, it is essential to find more flexible cryptographic primitives allowing dynamic broadcasts without a fully trusted dealer.

A. Our Contributions

We present the Contributory Broadcast Encryption (ConBE) primitive, which is a hybrid of GKA and BE. Compared to its preliminary Asiacrypt 2011 version [5], this full paper provides complete security proofs, illustrates the necessity of the aggregatability of the underlying BE building block and shows the practicality of our ConBE scheme with experiments. Specifically, our main contributions are as follows.

First, we model the ConBE primitive and formalize its security definitions. ConBE incorporates the underlying ideas of GKA and BE. A group of members interact via open networks to negotiate a public encryption key while each member holds a different secret decryption key. Using the public encryption key, anyone can encrypt any message to any subset of the group members and only the intended receivers can decrypt. Unlike GKA, ConBE allows the sender to exclude some members from reading the ciphertexts. Compared to BE, ConBE does not need a fully trusted third party to set up the system. We formalize collusion resistance by defining an attacker who can fully control all the members outside the intended receivers but cannot extract useful information from the ciphertext.

¹ Dynamic symmetric GKA equipped with a leave sub-protocol allows the members to exclude some members from decrypting ciphertexts. In this case, if the sender (who is also a group member) wants to exclude some other members, he/she has to seek the agreement of the remaining members to run the leave sub-protocol. The sender cannot exclude any member unilaterally.

Q. Wu is with the School of Electronics and Information Engineering, Beihang University, and The State Key Laboratory of Integrated Services Networks, Xidian University and State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China (e-mail: qianhong.wu@buaa.edu.cn).
B. Qin is with Key Laboratory of Data Engineering and Knowledge Engineering (Renmin University of China) Ministry of Education, School of Information, Renmin University of China, ZhongGuanCun Street No. 59, Haidian District, Beijing, China (e-mail: bo.qin@ruc.edu.cn).
L. Zhang is with Shanghai Key Laboratory of Trustworthy Computing, Software Engineering Institute, East China Normal University, Shanghai, China (e-mail: leizhang@sei.ecnu.edu.cn).
J. Domingo-Ferrer, O. Farràs and J. A. Manjon are with Universitat Rovira i Virgili, Department of Computer Engineering and Mathematics, UNESCO Chair in Data Privacy, Tarragona, Catalonia (e-mail: {josep.domingo, oriol.farras, jesus.manjon}@urv.cat).

0018-9340 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Second, we present the notion of aggregatable broadcast encryption (AggBE). Coarsely speaking, a BE scheme is aggregatable if its secure instances can be aggregated into a new secure instance of the BE scheme. Specifically, only the aggregated decryption keys of the same user are valid decryption keys corresponding to the aggregated public keys of the underlying BE instances. We observe that the aggregatability of AggBE schemes is necessary in the construction of our ConBE scheme and that the BE schemes in the literature are not aggregatable. We construct a concrete AggBE scheme tightly proven to be fully collusion-resistant under the decision BDHE assumption. The proposed AggBE scheme offers efficient encryption/decryption and short ciphertexts.

Finally, we construct an efficient ConBE scheme with our AggBE scheme as a building block. The ConBE construction is proven to be semi-adaptively secure under the decision BDHE assumption in the standard model. Only one round is required to establish the public group encryption key and set up the ConBE system. After the system set-up, the storage cost of both the sender and the group members is $O(n)$, where $n$ is the number of group members participating in the set-up stage. However, the online complexity (which dominates the practicality of a ConBE scheme) is very low. We also illustrate a trade-off between the set-up complexity and the online performance. After a trade-off, the variant has $O(n^{2/3})$ complexity in communication, computation and storage. This is comparable to up-to-date regular BE schemes which have $O(n^{1/2})$ complexity in the same performance metrics, but our scheme does not require a trusted key dealer. We conduct a series of experiments and the experimental results validate the practicality of our scheme.

B. Potential Applications

A potential application of our ConBE is to secure data exchanged among friends via social networks. Since the Prism scandal [4], people are increasingly concerned about the protection of their personal data shared with their friends over social networks. Our ConBE can provide a feasible solution to this problem. Indeed, Phan et al. [6] underlined the applications of our ConBE [5] to social networks. In this scenario, if a group of users want to share their data without letting the social network operator know it, they can use our ConBE scheme. Since the setup procedure of our ConBE only requires one round of communication, each member of the group just needs to broadcast one message to the other intended members in a send-and-leave way, without the synchronization requirement. After receiving the messages from the other members, all the members share the encryption key that allows any user to selectively share his/her data with any subgroup of the members. Furthermore, it also allows sensitive data to be shared among different groups. Other applications may include instant messaging among family members, secure scientific research tasks jointly conducted by scientists from different places, and disaster rescue using a mobile ad hoc network. A common feature of these scenarios is that a group of users would like to exchange sensitive data but a fully trusted third party is unavailable. Our ConBE provides an efficient solution to these applications.

C. Related Work

A number of works have addressed key agreement protocols for multiple parties. The schemes due to Ingemarsson et al. [2] and Steiner et al. [7] are designed for $n$ parties and require $O(n)$ rounds. Tree key structures have been further proposed, reducing the number of rounds to $O(\log n)$ [8], [9], [10]. Multi-round GKA protocols pose a synchronism requirement: in order to complete the protocol, all the group members have to stay online simultaneously. How to optimize the round complexity of GKA protocols has been studied in several works (e.g., [11], [12], [13]). In [14], Tzeng presented a constant-round GKA protocol that can identify cheaters. Subsequently, Yi [15] constructed a fault-tolerant protocol in an identity-based setting. Burmester and Desmedt [16] proposed a two-round GKA protocol for $n$ parties. The Joux protocol [17] is one-round and only applicable to three parties. The work of Boneh and Silverberg [18] shows a one-round $(n+1)$-party GKA protocol with $n$-linear pairings.

Dynamic GKA protocols provide extra mechanisms to handle member changes. Bresson et al. [19], [20] extended the protocol in [21] to dynamic GKA protocols that allow members to leave and join the group. The number of rounds in the set-up/join algorithms of Bresson et al.'s protocols [19], [20] is linear in the group size, but the number of rounds in the leave algorithm is constant. The theoretical analysis in [22] shows that for any tree-based group key agreement scheme, the lower bound of the worst-case cost is $O(\log n)$ rounds of interaction for a member to join or leave. Without relying on a tree-based structure, Kim et al. [23] proposed a two-round dynamic GKA protocol. Recently, Abdalla et al. [24] presented a two-round dynamic GKA protocol in which only one round is required to cope with the change of members if they are in the initial group. Jarecki et al. [25] presented a robust two-round GKA protocol in which a session key can be established even if some participants fail during the execution of the protocol. Observing that existing GKA protocols cannot handle sender/member changes efficiently, Wu et al. presented a group key management protocol [26] in which a change of the sender or monotone exclusion of group members does not require extra communication, and changes of other members require one extra round.

BE is another well-established cryptographic primitive developed for secure group communications. As the core of BE is to generate and distribute the key materials to the participants, BE schemes are also referred to as key distribution schemes in some scenarios. While digital rights management motivated most previous BE schemes [27], [28], recent efforts [29], [30], [31], [32], [33], [34], [35] are devoted to modifying BE or key distribution technologies in view of securing emerging information systems such as sensor networks, mobile ad hoc networks, vehicular networks, etc.

BE schemes in the literature can be classified into two categories, i.e., symmetric-key BE [1] and public-key BE [36]. In the symmetric-key setting, only the trusted center generates all the secret keys and broadcasts messages to users. Hence, only the key generation center can be the broadcaster or the sender. Similarly to the GKA setting, tree-based key
structures were independently proposed to improve efficiency in symmetric-key BE systems [37], [38], and further improved in [39] with $O(\log n)$ keys. Cheon et al. [40] presented an efficient symmetric BE scheme allowing new members to join the protocol anytime. Harn and Lin [41] proposed a group key transfer protocol. Their protocol is based on secret sharing and is considerably efficient, although it cannot revoke (compromised) users.

In the public-key BE setting, the trusted center also generates a public key for all the users so that anyone can play the role of a broadcaster or sender. Naor and Pinkas presented in [36] the first public-key BE scheme in which up to a threshold of users can be revoked. Subsequently, [42] presented a fully collusion-resistant public-key BE scheme exploiting new bilinear pairing technologies in which the key size, the ciphertext size, and the computation costs are $O(\sqrt{n})$. The scheme in [43] slightly reduces the size of the key and the ciphertexts, although it still has sub-linear complexity. The schemes presented in [44] strengthen the security concept of public-key BE schemes. As to performance, the sub-linear barrier $O(\sqrt{n})$ has not yet been broken. In [45], Lewko et al. proposed two elegant schemes with constant public and secret keys, although their ciphertext size is linear in the number of revoked users, which is $O(n)$ in the worst case.

D. Paper Organization

The rest of this paper is organized as follows. In Section II, we model ConBE and define its security. In Section III, we present a collusion-resistant regular public-key BE scheme with aggregatability. Efficient ConBE schemes are realized in Section IV. We analyze the performance of our scheme in Section V and provide detailed proofs for the security results in Section VI. Finally, Section VII concludes the paper.

II. MODELING CONTRIBUTORY BROADCAST ENCRYPTION

We begin by formalizing the ConBE notion bridging the GKA and BE primitives. In ConBE, a group of members first jointly establish a public encryption key; then a sender can freely select which subset of the group members can decrypt the ciphertext. Since the negotiated public key is usually employed to transmit session keys, we define a ConBE scheme as a key encapsulation mechanism (KEM).

A. Syntax

We first define the algorithms that compose a ConBE scheme. Let $N$ denote the security parameter. Suppose that a group of members $\{U_1, \ldots, U_n\}$ want to jointly establish a ConBE system, where $n$ is a positive integer and each member $U_i$ is indexed by $i$ for $1 \le i \le n$. To focus on ConBE, we assume that the communications between members are authenticated. However, we do not assume any confidential channel during the execution of the protocol. Formally, a ConBE scheme (ParaGen, CBSetup, CBEncrypt, CBDecrypt) consists of the following four polynomial-time algorithms.

• ParaGen($1^\lambda$). This algorithm is used to generate global parameters. It takes as input a security parameter $\lambda$ and it outputs the system parameters, including the group size $n$.

• CBSetup($U_1(x_1), \ldots, U_n(x_n)$). This interactive algorithm is jointly run by members $U_1, \ldots, U_n$ to set up a BE scheme. Each member $U_i$ takes private input $x_i$ (and her/his random coins representing the member's random inner state information). The communications between members go through authenticated and public channels. The algorithm will either abort or successfully terminate. If it terminates successfully, each user $U_i$ outputs a decryption key $dk_i$ securely kept by the user and a common group encryption key $gek$ shared by all the group members. The group encryption key $gek$ is publicly accessible. If the algorithm aborts, it outputs NULL. Here, we leave the input system parameters implicit. We denote this procedure by $(U_1(dk_1), \ldots, U_n(dk_n); gek) \leftarrow \mathrm{CBSetup}(U_1(x_1), \ldots, U_n(x_n))$.

• CBEncrypt($S, gek$). This group encryption algorithm is run by a sender who is assumed to know the public group encryption key. The sender may or may not be a group member. The algorithm takes as inputs a receiver set $S \subseteq \{1, \ldots, n\}$ and the public group encryption key $gek$, and it outputs a pair $(c, \xi)$, where $c$ is the ciphertext and $\xi$ is the secret session key in a key space $\mathcal{K}$. Then $(c, S)$ is sent to the receivers.

• CBDecrypt($S, j, dk_j, c$). This decryption algorithm is run by each intended receiver $j \in S$. It takes as inputs the receiver set $S$, the index $j$, the receiver's decryption key $dk_j$, and a ciphertext $c$, and it outputs the secret session key $\xi$.

A ConBE scheme is correct if the members in the receiver set can always correctly decrypt when the members and the sender follow the scheme honestly. Formally, it is defined as follows.

Definition 1 (Correctness). A ConBE scheme is said to be correct if for any parameter $N$ and any element $\xi$ in the session key space, $(U_1(dk_1), \ldots, U_n(dk_n); gek) \leftarrow \mathrm{CBSetup}(U_1(x_1), \ldots, U_n(x_n))$, and $(c, \xi) \leftarrow \mathrm{CBEncrypt}(S, gek)$, it holds that $\mathrm{CBDecrypt}(S, j, dk_j, c) = \xi$ for any $j \in S$.

A trivial ConBE scheme can be constructed by concurrently encrypting to each member with her/his public key in a traditional public-key cryptosystem. Unfortunately, the trivial solution incurs a heavy encryption cost and produces ciphertexts whose size grows linearly with the number of receivers. Another option would be a BE scheme in which the public key is obtained by means of a multiparty computation protocol, but it would require extra communication and point-to-point confidential channels between the users. The challenge is to design ConBE schemes with efficient encryption and short ciphertexts.

B. Security Definitions

We next define the security of a ConBE scheme. Several methods have been proposed to transform public key encryption (PKE) with security against chosen-plaintext attacks (CPA) into encryption against adaptively chosen-ciphertext attacks (CCA2) in the standard model. In [48], Canetti et al. suggested a conversion from CPA-secure IBE to CCA2-secure PKE using a one-time signature. In [49], Matsuda and Hanaoka proposed to obtain a CCA2-secure PKE from any CPA-secure PKE with a universal computational extractor. In
[50], Liu et al. obtained a CCA2-secure ABE from a CPA-secure ABE without extra cryptographic primitives, but with an additional on-the-fly dummy attribute. We note that these methods are applicable to our ConBE setting with/without modification (e.g., by adding an on-the-fly dummy receiver). The cost depends on the method, i.e., a universal computational extractor, a one-time signature or a dummy user. Hence, it is sufficient to only define the CPA security of a ConBE scheme. However, noting that ConBE is designed for distributed applications where the users are likely to be corrupted, we include full collusion resistance into our security definition.

The fully collusion-resistant security of a ConBE scheme is defined by the following security game between a challenger $\mathcal{CH}$ and an attacker $\mathcal{A}$.

• Initialization. The challenger $\mathcal{CH}$ runs ParaGen with a security parameter $\lambda$ and obtains the system parameters. The system parameters are given to the attacker $\mathcal{A}$.

• Queries. Attacker $\mathcal{A}$ can make the following queries to challenger $\mathcal{CH}$.

– Execute. $\mathcal{A}$ uses the identities of $n$ members $U_1, \ldots, U_n$ to query $\mathcal{CH}$. The challenger runs $\mathrm{CBSetup}(U_1(x_1), \ldots, U_n(x_n))$ on behalf of the $n$ members, and responds with the group encryption key $gek$ and the transcripts of CBSetup to $\mathcal{A}$.

– Corrupt. $\mathcal{A}$ sends $i$ to the Corrupt oracle maintained by $\mathcal{CH}$, where $i \in \{1, \ldots, n\}$. The challenger $\mathcal{CH}$ returns the private input and inner random coins of $U_i$ during the execution of CBSetup.

– Reveal. $\mathcal{A}$ sends $i$ to the Reveal oracle maintained by $\mathcal{CH}$, where $i \in \{1, \ldots, n\}$. The challenger $\mathcal{CH}$ responds with $dk_i$, which is the decryption key of $U_i$ after execution of CBSetup.

• Challenge. At any point, attacker $\mathcal{A}$ can choose a target set $S^* \subseteq \{1, \ldots, n\}$ to attack, with the constraint that the indices in $S^*$ have never been queried to the Corrupt oracle or the Reveal oracle. Upon receiving $S^*$, the challenger $\mathcal{CH}$ randomly selects $\beta \in \{0, 1\}$ and responds with a challenge ciphertext $c^*$, where $c^*$ is obtained from $(c^*, \xi^*) \leftarrow \mathrm{CBEncrypt}(S^*, gek)$ if $\beta = 1$, or $c^*$ is randomly sampled from the image space of CBEncrypt if $\beta = 0$.

• Output. Finally, $\mathcal{A}$ outputs a bit $\beta'$, its guess of $\beta$. The adversary wins if $\beta' = \beta$.

We define $\mathcal{A}$'s advantage $\mathrm{Adv}^{\mathrm{security\text{-}fc}}_{\mathrm{ConBE},\mathcal{A}}$ in winning the above fully collusion-resistant security game as
$$\mathrm{Adv}^{\mathrm{security\text{-}fc}}_{\mathrm{ConBE},\mathcal{A}} = \left|\Pr[\beta = \beta'] - 1/2\right|.$$

Definition 2. An $n$-party ConBE scheme has adaptive $(\tau, n, \varepsilon)$-security against a full-collusion attack if no adversary $\mathcal{A}$ running in time at most $\tau$ can obtain an advantage $\mathrm{Adv}^{\mathrm{security\text{-}fc}}_{\mathrm{ConBE},\mathcal{A}}$ of at least $\varepsilon$ in the above security game. An $n$-party ConBE scheme has semi-adaptive $(\tau, n, \varepsilon)$-security against a full-collusion attack if, for any attacker $\mathcal{A}'$ running in time $\tau$, $\mathcal{A}'$'s advantage $\mathrm{Adv}^{\mathrm{security\text{-}fc}}_{\mathrm{ConBE},\mathcal{A}'}$ is less than $\varepsilon$ in the above security game, with the extra constraints that $\mathcal{A}'$ (1) must commit to a set of indices $C \subseteq \{1, \ldots, n\}$ before the Queries stage, (2) can only query Corrupt and Reveal with $i \notin C$ and (3) can only choose $S^* \subseteq C$ to query $\mathcal{CH}$ in the Challenge stage.

The Corrupt oracle is used to model an attacker who compromises some members during the set-up stage to establish the group encryption key. The Reveal oracle is used to capture the decryption key leakage after the ConBE system has been established. This difference can be used to differentiate the security against attacks during the set-up stage from the security against attacks after a ConBE system is deployed.

We assume that the communication channels between members are authenticated during the CBSetup stage to establish the group encryption key. This is to allow each user to validate that the received protocol transcripts are from authentic members. The most usual way to establish authenticated channels is through a public-key infrastructure (PKI): each user registers a public key with a certification authority CA and uses the corresponding private key to sign any message she generates during the CBSetup stage. Hence, the authenticity of the CBSetup transcript from a user can be verified by all other users. Note that after this stage has been completed and the group encryption key $gek$ has been agreed upon, messages encrypted under this group key cannot be understood by the CA, because the latter does not know the corresponding decryption keys. For instance, in a social network application, the social network operator can serve as the CA and certify the users' public keys used to authenticate communication. In this way, the operator is only partially trusted and cannot decrypt the encrypted messages subsequently shared among the users under $gek$.

III. AN AGGREGATABLE BE SCHEME

In this section, we propose an efficient AggBE scheme that is essential to construct ConBE schemes.

A. Definitions of AggBE

A BE scheme [42], [1], [44] consists of the following probabilistic algorithms.

• BSetup($1^\lambda$). Take as input a security parameter $\lambda$. Output the maximal size $n$ of a group of broadcast receivers, and a BE public/secret key pair $(PK, SK)$.

• BKeyGen($i, SK$). Take as input an index $i \in \{1, \ldots, n\}$ and the secret key $SK$. Output a private key $d_i$ for user $i$.

• BEncryption($S, PK$). Take as input a receiver set $S \subseteq \{1, \ldots, n\}$ and the public key $PK$. If $|S| > n$, abort the protocol. Else if $|S| \le n$, output a pair $(c, \xi)$ where $c$ is called the ciphertext and $\xi \in \mathcal{K}$ is the message encryption key.

• BDecryption($S, i, d_i, c, PK$). This algorithm allows each receiver to extract the message encryption key from the ciphertext. Take as input the receiver set $S$, the index $i \in \{1, \ldots, n\}$, the receiver's secret key $d_i$, the ciphertext $c$ and the public key $PK$. If $|S| \le n$ and $i \in S$, output the message encryption key $\xi$.

The security for BE is defined by an experiment between an attacker $\mathcal{A}$ and a challenger $\mathcal{CH}$. $\mathcal{A}$ is given the dealer's public key including the system parameters. $\mathcal{A}$ can adaptively query the decryption key of any user. At some point, the attacker specifies a challenge set $S^*$. The constraint is that, for any $i \in S^*$, the decryption key of user $i$ has never been queried. The challenger sets $(c^*, \xi_0^*) \leftarrow \mathrm{BEncryption}(S^*, PK)$ and $\xi_1^* \leftarrow$
K. It sets b {0, 1} and gives (c , b ) to A. Finally, A aggregated public key P K = P K1 ~ ~ P Kn . A wins


outputs a guess bit b0 {0, 1} for b and wins the game if if A outputs a correct guess bit. Denote As advantage by
b = b0 . The adversary As advantage in the game above is AdvA = | Pr[win] 12 |.
BE
defined as AdvA,n,N (1 ) = | Pr[b = b0 ] 21 |. A BE scheme is said to be (, , n)-aggregatable if no -
time algorithm A has advantage AdvA in the above
Definition 3 (Adaptive security). We say that a BE scheme
aggregatability game.
has adaptive security if, for any polynomial-time algorithm

A, its advantage AdvBE
A,n,N (1 ) is negligible in .
B. An AggBE Scheme
In [44], a slightly weaker notion of semi-adaptive security
Let PairGen be an algorithm that, on input a security
is defined. In this case, the attacker must commit to a set of
parameter 1 , outputs a tuple = (p, G, GT , e), where G
indices C at the beginning of the above game. The attacker
and GT have the same prime order p, and e : G G GT is
is allowed to query the decryption key of any user not in
an efficient non-degenerate bilinear map such that e(g, g) 6= 1
C, and can choose any S C for a challenge ciphertext.
for any generator g of G, and for all u, v Zp , it hold-
Gentry and Waters also illustrate a generic transformation
s that e(g u , g v ) = e(g, g)uv . Let = (p, G, GT , e)
[44] to convert any semi-adaptively secure BE scheme into
PairGen(1 ), g be a generator of G. Let hj G be
an adaptively secure one.
randomly chosen for j = 1, , n. The system parameters
Before formalizing aggregatability, we define a weaker
are = (, g, h1 , , hn ). Assume n users in the system.
key homomorphic property for BE schemes. The key ho-
Our AggBE scheme extends the aggregatable signature-based
momorphic property was first defined in the static broadcast
broadcast [3] with user revocation and is constructed as
encryption scenario by Wu et al. [3]. Recently, Boneh et al. ex-
follows.
tended this concept to the attribute-based encryption scenario
 BSetup(1 ): The dealer randomly chooses Xi G, ri Zp
[46]. For our dynamic BE scenario, the key homomorphism
and computes Ri = g ri , Ai = e(Xi , g). The BE public key
states that, by combining the decryption keys associated with
is P K = ((R0 , A0 ), , (Rn , An )) and the BE secret key is
the same index of different BE instances, one can obtain a
sk = ((r0 , X0 ), , (rn , Xn )).
functional decryption key associated with the same index of
 BKeyGen(j, SK): For j = 1, , n, the private key of the
the combined BE instances.
user j is dj = (0,j , , j1,j , j+1,j , , n,j ):
Definition 4 (Key homomorphism). A BE scheme is said
i,j = Xi hrj i .
to be key homomorphic if for any two public/secret key
pairs (P K1 , SK1 ), (P K2 , SK2 ) BSetup(1 ), any index  BEncryption(S, P K): Set S = {0, 1, , n}\S. Randomly
i S {1, , n}, any d1,i =BKeyGen(i, SK1 ) and pick t in Zp and compute c = (c1 , c2 ) :
d2,i =BKeyGen(i, SK2 ), it holds that BDecryption(S, i, Y
$d_{1,i} \odot d_{2,i}, c, PK_1 \circledast PK_2) = \kappa$ for any KEM ciphertext $(c, \kappa) \leftarrow \mathrm{BEncryption}(S, PK_1 \circledast PK_2)$, where $\circledast$ and $\odot$ are two efficient operations in the public key space and the decryption key space, respectively.

The key homomorphic property just indicates that the combined decryption key works for the combined BE instance. It does not exclude the possibility that valid decryption keys for the combined BE instance might be obtained in other ways; in contrast, aggregatability excludes this possibility. A BE scheme is aggregatable if $n$ instances of the BE scheme can be aggregated into a new BE instance secure against an attacker accessing some decryption keys of each instance, provided that the $i$-th decryption key corresponding to the $i$-th instance is unknown to the attacker for $i = 1, \ldots, n$. Formally, this property is defined as follows.

Definition 5 (Aggregatability). Consider the following game between an adversary $\mathcal{A}$ and a challenger $\mathcal{CH}$:
• Setup: $\mathcal{A}$ initializes the game with an integer $n$. $\mathcal{CH}$ replies with $(\pi, PK_1, \ldots, PK_n)$, that is, the system parameters and the $n$ independent public keys of the BE scheme.
• Corruption: For $1 \le i, j \le n$, where $i \ne j$, the adversary $\mathcal{A}$ is allowed to know the decryption keys $dk_{j,i}$ corresponding to index $j$ with respect to the public key $PK_i$.
• Challenge: $\mathcal{CH}$ and $\mathcal{A}$ run a standard Ind-CPA (indistinguishability under chosen-plaintext attack) game under the

$$c_1 = g^t, \quad c_2 = \Big(\prod_{i \in \bar S} R_i\Big)^t.$$
Set the session key $\kappa = (\prod_{i \in \bar S} A_i)^t$. Output $(c, \kappa)$ and send $(S, c)$ to receivers.
• BDecryption$(S, j, d_j, c, PK)$: If $j \in S$, the receiver $j$ extracts $\kappa$ from $c$ with private key $d_j$ by computing
$$e\Big(\prod_{i \in \bar S} \sigma_{i,j}, c_1\Big)\, e(h_j, c_2) = \kappa.$$

The correctness of the BE scheme above follows from direct verification of the following equalities:
$$e\Big(\prod_{i \in \bar S} \sigma_{i,j}, c_1\Big)\, e(h_j, c_2) = e\Big(\prod_{i \in \bar S} X_i h_j^{-r_i}, g^t\Big)\, e\Big(h_j, \prod_{i \in \bar S} g^{r_i t}\Big) = e\Big(\prod_{i \in \bar S} X_i, g\Big)^t = \Big(\prod_{i \in \bar S} A_i\Big)^t = \kappa.$$

The security of our BE scheme relies on the well-established decision $n$-BDHE assumption [47].

Definition 6 (Decision $n$-BDHE Assumption). Let $G$ be a bilinear group of prime order $p$ as defined above, $g$ a generator of $G$, and $h = g^t$ for some unknown $t \in \mathbb{Z}_p$. Denote $\vec{y}_{g,\alpha,n} = (g_1, \ldots, g_n, g_{n+2}, \ldots, g_{2n}) \in G^{2n-1}$, where $g_i = g^{\alpha^i}$ for
some unknown $\alpha \in \mathbb{Z}_p$. We say that an algorithm $\mathcal{B}$ that outputs $b \in \{0, 1\}$ has advantage $\epsilon$ in solving the decision $n$-BDHE assumption if
$$\big|\Pr[\mathcal{B}(g, h, \vec{y}_{g,\alpha,n}, e(g_{n+1}, h)) = 0] - \Pr[\mathcal{B}(g, h, \vec{y}_{g,\alpha,n}, Z) = 0]\big| \ge \epsilon,$$
where the probability is over the random choice of $g$ in $G$, the random choice of $t, \alpha \in \mathbb{Z}_p$, the random choice of $Z \in G_T$, and the random bits consumed by $\mathcal{B}$. We say that the decision $(\tau, \epsilon, n)$-BDHE assumption holds in $G$ if no $\tau$-time algorithm has advantage at least $\epsilon$ in solving the decision $n$-BDHE assumption.

According to the BE security definition in [44], our scheme is fully collusion-resistant under the decision $n$-BDHE assumption. The proof is given in Section VI-A. One can further apply the generic Gentry-Waters transformation [44] to convert our semi-adaptive BE scheme into an adaptively secure one.

Theorem 1. The proposed BE scheme for dynamic groups has full collusion resistance against semi-adaptive attacks in the standard model if the decision $n$-BDHE assumption holds. More formally, if there exists a semi-adaptive attacker $\mathcal{A}$ breaking our scheme with advantage $\epsilon$ in time $\tau$, then there exists an algorithm $\mathcal{B}$ breaking the $n$-BDHE assumption with advantage $\epsilon$ in time $\tau' = \tau + O(n^2)\tau_{Exp}$, where $\tau_{Exp}$ is the time to compute an exponentiation in $G$ or $G_T$.

One may observe that our BE scheme is key-homomorphic. Consider the system parameters defined as above. Let $PK_1 = ((R_{0,1}, A_{0,1}), \ldots, (R_{n,1}, A_{n,1}))$ and $PK_2 = ((R_{0,2}, A_{0,2}), \ldots, (R_{n,2}, A_{n,2}))$ be the respective public keys of two random instances of the above BE scheme, and for $j = 1, \ldots, n$, let $d_{j,1} = (\sigma_{0,j,1}, \ldots, \sigma_{j-1,j,1}, \sigma_{j+1,j,1}, \ldots, \sigma_{n,j,1}) \in G^n$ and $d_{j,2} = (\sigma_{0,j,2}, \ldots, \sigma_{j-1,j,2}, \sigma_{j+1,j,2}, \ldots, \sigma_{n,j,2}) \in G^n$ be the respective decryption keys corresponding to index $j$ under $PK_1$ and $PK_2$. Define $PK = PK_1 \circledast PK_2 = ((R_{0,1}R_{0,2}, A_{0,1}A_{0,2}), \ldots, (R_{n,1}R_{n,2}, A_{n,1}A_{n,2}))$ and $dk_j = d_{j,1} \odot d_{j,2} = (\sigma_{0,j,1}\sigma_{0,j,2}, \ldots, \sigma_{j-1,j,1}\sigma_{j-1,j,2}, \sigma_{j+1,j,1}\sigma_{j+1,j,2}, \ldots, \sigma_{n,j,1}\sigma_{n,j,2})$. Then $PK$ is the public key of a new instance of the above BE scheme and $dk_j$ is the new decryption key corresponding to the index $j$. This fact can be directly verified. Indeed, the following theorem shows that our BE scheme enjoys the stronger notion of aggregatability.

Theorem 2. If there exists an attacker $\mathcal{A}$ who wins the aggregatability game with advantage $\epsilon$ in time $\tau$, then there exists an algorithm $\mathcal{B}$ breaking the $n$-BDHE assumption with advantage $\epsilon$ in time $\tau' = \tau + O(n^3)\tau_{Exp}$.

For the proof of the previous theorem, we refer to Theorem 3, where we prove a stronger property in the sense that the attacker is additionally allowed to know the internal randomness used to compute $dk_{j,i}$ corresponding to some $PK_i$ for $1 \le i, j \le n$ where $i \ne j$.

IV. PROPOSED CONBE SCHEME

In this section, we propose a ConBE based on the above aggregatable BE scheme. The basic construction has short ciphertexts and long protocol transcripts. Then we show an efficient trade-off between ciphertexts and protocol transcripts.

A. High-Level Description

Our basic idea is to introduce the revocation mechanism of a regular BE scheme into the asymmetric GKA scheme [3]. To this end, each member acts as the dealer of the aggregatable BE scheme above. The $k$-th user publishes $PK_k$ and $d_{j,k}$, where $d_{j,k}$ is the decryption key of $PK_k$ corresponding to the index $j \in \{1, \ldots, n\} \setminus \{k\}$. Then the negotiated public key is $PK = PK_1 \circledast \cdots \circledast PK_n$. Each member $j$ can compute the decryption key $dk_j = dk_{j,j} \odot \bigodot_{k=1, k \ne j}^{n} dk_{j,k}$. Observe that $dk_{j,j}$ has never been published. Due to the key homomorphism of the BE scheme above, $dk_j$ is a valid decryption key corresponding to $PK$. Hence, anyone knowing $PK$ can encrypt to any subset of the members and the intended receivers can decrypt. To guarantee the security of the resulting ConBE scheme, we also need to show that only the intended receivers can decrypt. This is ensured by the aggregatability of the underlying BE scheme.

B. The Proposal

Based on our aggregatable BE scheme, we implement a ConBE scheme with short ciphertexts. Assume that the group size is at most $n$. Let $(p, G, G_T, e) \leftarrow \mathrm{PairGen}(1^\lambda)$, and $g, h_1, \ldots, h_n$ be independent generators of $G$. The system parameters are $\pi = ((p, G, G_T, e), n, g, h_1, \ldots, h_n)$.

• Setup. The set-up of a ConBE system consists of the following three procedures:
– Group Key Agreement. For $1 \le k \le n$, member $k$ does the following:
  · Randomly choose $X_{i,k} \in G$, $r_{i,k} \in \mathbb{Z}_p$;
  · Compute $R_{i,k} = g^{r_{i,k}}$, $A_{i,k} = e(X_{i,k}, g)$;
  · Set $PK_k = ((R_{0,k}, A_{0,k}), \ldots, (R_{n,k}, A_{n,k}))$;
  · For $j = 1, \ldots, n$, $j \ne k$, compute $\sigma_{i,j,k} = X_{i,k} h_j^{-r_{i,k}}$ for $i = 0, \ldots, n$, with $i \ne j$;
  · Set $d_{j,k} = (\sigma_{0,j,k}, \ldots, \sigma_{j-1,j,k}, \sigma_{j+1,j,k}, \ldots, \sigma_{n,j,k})$;
  · Publish $(PK_k, d_{1,k}, \ldots, d_{k-1,k}, d_{k+1,k}, \ldots, d_{n,k})$;
  · Compute $d_{k,k}$ accordingly and keep it secret.
– Group Encryption Key Derivation. The group encryption key is
$$PK = PK_1 \circledast \cdots \circledast PK_n = ((R_0, A_0), \ldots, (R_n, A_n))$$
where $R_i = \prod_{k=1}^{n} R_{i,k}$, $A_i = \prod_{k=1}^{n} A_{i,k}$ for $i = 0, \ldots, n$. The group encryption key $PK$ is publicly computable.
– Member Decryption Key Derivation. For $0 \le i \le n$, $1 \le j \le n$ and $i \ne j$, member $j$ can compute her decryption key
$$d_j = (\sigma_{0,j}, \ldots, \sigma_{j-1,j}, \sigma_{j+1,j}, \ldots, \sigma_{n,j})$$
where
$$\sigma_{i,j} = \sigma_{i,j,j} \prod_{k=1, k \ne j}^{n} \sigma_{i,j,k} = \prod_{k=1}^{n} \sigma_{i,j,k} = \prod_{k=1}^{n} X_{i,k} h_j^{-r_{i,k}}.$$
• CBEncrypt. Assume that a sender (not necessarily a group member) wants to send to receivers in $S \subseteq \{1, \ldots, n\}$ a
session key $\kappa$. Set $\bar S = \{0, 1, \ldots, n\} \setminus S$. Randomly pick $t$ in $\mathbb{Z}_p$ and compute the ciphertext $c = (c_1, c_2)$ where
$$c_1 = g^t, \quad c_2 = \Big(\prod_{i \in \bar S} R_i\Big)^t.$$
Output $(c, \kappa)$ where $\kappa = (\prod_{i \in \bar S} A_i)^t$. Send $(S, c)$ to the receivers.
• CBDecrypt. If $j \in S$, receiver $j$ can extract $\kappa$ from the ciphertext $c$ with decryption key $d_j$ by computing
$$e\Big(\prod_{i \in \bar S} \sigma_{i,j}, c_1\Big)\, e(h_j, c_2) = \kappa.$$

The correctness of the scheme directly follows from the fact that the underlying BE scheme is correct and key-homomorphic. As to security, we have the following theorem, whose proof is given in Section VI-B.

Theorem 3. The proposed ConBE scheme has fully collusion-resistant security against semi-adaptive attacks in the standard model if the decision $n$-BDHE assumption holds. More formally, if there exists a semi-adaptive attacker $\mathcal{A}$ breaking our scheme with advantage $\epsilon$ in time $\tau$, then there exists an algorithm $\mathcal{B}$ breaking the $n$-BDHE assumption with advantage $\epsilon$ in time $\tau' = \tau + O(n^3)\tau_{Exp}$.

C. Insecure Analog of ConBE Using Gentry-Waters BE

The above BE scheme bears some similarities to the Gentry-Waters BE scheme [44]. However, our BE scheme is aggregatable while the Gentry-Waters BE scheme is not. In this section, with the Gentry-Waters BE scheme as an example, we show that an analog of our ConBE scheme is insecure due to the lack of aggregatability of the Gentry-Waters BE scheme.

1) Review of the Gentry-Waters BE Scheme: Gentry and Waters presented a semi-adaptively secure BE scheme [44]. Let $h_1, \ldots, h_n$ and $g$ be independent generators of a group $G$ equipped with a bilinear map $e$. Assume that the order of $G$ is a prime $p$. The Gentry-Waters BE scheme is as follows.
• BSetup$(n, n)$: Randomly select $x$ in $\mathbb{Z}_p$ and compute $g^x$, $e(g,g)^x$. The BE public key is $PK = e(g,g)^x$ and the BE secret key is $SK = g^x$.
• BKeyGen$(i, SK)$: Run $r_i \leftarrow \mathbb{Z}_p$ and output user $i$'s secret decryption key $s_i = (s_{i,0}, \ldots, s_{i,n})$ where
$$s_{i,0} = g^{-r_i},\ s_{i,1} = h_1^{r_i},\ \ldots,\ s_{i,i-1} = h_{i-1}^{r_i},\ s_{i,i} = g^x h_i^{r_i},\ s_{i,i+1} = h_{i+1}^{r_i},\ \ldots,\ s_{i,n} = h_n^{r_i}.$$
• BEnc$(S, PK)$: Randomly pick $t$ in $\mathbb{Z}_p$ and compute $c = (c_1, c_2)$ where
$$c_1 = g^t, \quad c_2 = \Big(\prod_{j \in S} h_j\Big)^t.$$
Set $\kappa = e(g,g)^{xt}$ and output $(c, \kappa)$. Send $(S, c)$ to the receivers.
• BDec$(S, i, s_i, c, PK)$: If $i \in S$, the receiver $i$ extracts $\kappa$ from $c$ with private key $s_i$ by computing
$$e\Big(s_{i,i} \prod_{j \in S \setminus \{i\}} s_{i,j}, c_1\Big)\, e(s_{i,0}, c_2) = e\Big(\prod_{j \in S} s_{i,j}, c_1\Big)\, e(s_{i,0}, c_2) = e\Big(g^x \prod_{j \in S} h_j^{r_i}, g^t\Big)\, e\Big(g^{-r_i}, \big(\prod_{j \in S} h_j\big)^t\Big) = e(g,g)^{xt} = \kappa.$$

We define $\odot$, $\circledast$, $\otimes$ as $s^1_i \odot s^2_i = (s^1_{i,0} s^2_{i,0}, \ldots, s^1_{i,n} s^2_{i,n})$, $PK_1 \circledast PK_2 = PK_1 \cdot PK_2$, $k_1 \otimes k_2 = k_1 \cdot k_2$, respectively. Then it is easy to verify that the Gentry-Waters BE scheme is key-homomorphic.

2) Analog of Our ConBE Using the Gentry-Waters BE Scheme: Following the same paradigm, it is easy to give an analog of our ConBE scheme by using the Gentry-Waters BE scheme. Assume the same system parameters as above. The analog of the ConBE can work as follows.
• CBSetup. This algorithm consists of the following procedures.
– Group Key Agreement. For $1 \le k \le n$, user $k$ randomly chooses $x_k \in \mathbb{Z}_p$ and computes $PK_k = e(g,g)^{x_k}$ and
$$d_{i,k} = (s_{i,0,k}, s_{i,1,k}, \ldots, s_{i,k-1,k}, s_{i,k,k}, s_{i,k+1,k}, \ldots, s_{i,n,k}), \quad (1)$$
where
$$s_{i,0,k} = g^{-r_{i,k}},\ s_{i,1,k} = h_1^{r_{i,k}},\ \ldots,\ s_{i,k-1,k} = h_{k-1}^{r_{i,k}},\ s_{i,k,k} = g^{x_k} h_k^{r_{i,k}},\ s_{i,k+1,k} = h_{k+1}^{r_{i,k}},\ \ldots,\ s_{i,n,k} = h_n^{r_{i,k}}$$
for randomly chosen $r_{i,k}$ from $\mathbb{Z}_p$. User $k$'s private key is $d_{k,k}$. User $k$ publicly broadcasts
$$\langle PK_k, d_{1,k}, \ldots, d_{k-1,k}, d_{k+1,k}, \ldots, d_{n,k} \rangle. \quad (2)$$
– Group Encryption Key Derivation. Anyone can compute the group encryption key:
$$K = PK_1 \cdots PK_n = e(g,g)^{x_1 + \cdots + x_n} = e(g,g)^x,$$
where we define $x = x_1 + \cdots + x_n$.
– Member Decryption Key Derivation. For $i = 1, \ldots, n$, user $i$ can compute her decryption key
$$d_i = (s_{i,0}, s_{i,1}, \ldots, s_{i,i-1}, s_{i,i}, s_{i,i+1}, \ldots, s_{i,n}),$$
where
$$s_{i,0} = \prod_{k=1}^{n} s_{i,0,k},\ \ldots,\ s_{i,n} = \prod_{k=1}^{n} s_{i,n,k}.$$
Define $r_i = r_{i,1} + \cdots + r_{i,n}$ for $1 \le i \le n$. Then we have that
$$s_{i,0} = g^{-r_i},\ s_{i,1} = h_1^{r_i},\ \ldots,\ s_{i,i-1} = h_{i-1}^{r_i},\ s_{i,i} = g^x h_i^{r_i},\ s_{i,i+1} = h_{i+1}^{r_i},\ \ldots,\ s_{i,n} = h_n^{r_i}.$$
• CBEncrypt. Decide the receiver set $S \subseteq \{1, \ldots, n\}$. Invoke the underlying Gentry-Waters encryption algorithm to compute the ciphertext $c = (c_1, c_2)$:
$$c_1 = g^t, \quad c_2 = \Big(\prod_{j \in S} h_j\Big)^t$$
where $t$ is randomly chosen from $\mathbb{Z}_p$. Set
$$\kappa = K^t = e(g,g)^{t(x_1 + \cdots + x_n)} = e(g,g)^{tx}$$
and send $(S, c)$ to the receivers.
• CBDecrypt. If $i \in S$, the user $i$ can extract $\kappa$ from $c$ with her decryption key $d_i$ by computing
$$e\Big(s_{i,i} \prod_{j \in S \setminus \{i\}} s_{i,j}, c_1\Big)\, e(s_{i,0}, c_2) = e\Big(\prod_{j \in S} s_{i,j}, c_1\Big)\, e(s_{i,0}, c_2) = e\Big(g^x \prod_{j \in S} h_j^{r_i}, g^t\Big)\, e\Big(g^{-r_i}, \big(\prod_{j \in S} h_j\big)^t\Big) = e(g,g)^{xt} = \kappa.$$

3) Attack on the Analog: In the sequel we show that the above Gentry-Waters BE-based ConBE scheme is insecure. An explicit attack is presented to allow an attacker to decrypt any ciphertext encrypted to any subset of the group members. The attacker only needs to see the public key of the users and the ciphertext, both of which are transmitted over public channels. The attack proceeds as follows.

Seeing the public protocol transcripts (Formula (2)) $\langle PK_k, d_{1,k}, \ldots, d_{k-1,k}, d_{k+1,k}, \ldots, d_{n,k} \rangle$ from users $k = 1, \ldots, n$, the attacker can know (from Formula (1)):
$$s_{i,0,k} = g^{-r_{i,k}},\ s_{i,1,k} = h_1^{r_{i,k}},\ \ldots,\ s_{i,k-1,k} = h_{k-1}^{r_{i,k}},\ s_{i,k,k} = g^{x_k} h_k^{r_{i,k}},\ s_{i,k+1,k} = h_{k+1}^{r_{i,k}},\ \ldots,\ s_{i,n,k} = h_n^{r_{i,k}}$$
for $i = 1, \ldots, n$, $i \ne k$. The attacker also knows the ciphertext $(c_1, c_2) = (g^t, (\prod_{j \in S} h_j)^t)$. For each $k = 1, \ldots, n$, the attacker can compute
$$\kappa_k = e\Big(\prod_{j \in S} s_{i,j,k}, c_1\Big)\, e(s_{i,0,k}, c_2) = e\Big(g^{x_k} \big(\prod_{j \in S} h_j\big)^{r_{i,k}}, g^t\Big)\, e\Big(g^{-r_{i,k}}, \big(\prod_{j \in S} h_j\big)^t\Big) = e(g,g)^{x_k t}.$$
Then the attacker can decrypt the ciphertext by computing
$$\prod_{k=1}^{n} \kappa_k = \prod_{k=1}^{n} e(g,g)^{x_k t} = e(g,g)^{(x_1 + \cdots + x_n)t} = \kappa.$$
The attacker obtains the secret session key if he knows the public transcripts of the CBSetup sub-protocol and the ciphertext. Hence, the construction based on the Gentry-Waters BE scheme is insecure.

We observe that the above attack roots in a specific property (which we call shadow property) of the Gentry-Waters BE scheme. Suppose that there are two instances sharing the system parameters of the Gentry-Waters BE scheme. Their public keys are $PK = e(g,g)^x$ and $PK' = e(g,g)^{x'}$, respectively. Assume that a user indexed by $i$ in the first instance has secret decryption key $s_i$ computed from secret value $r_i$ and the master secret key $x$ corresponding to $PK = e(g,g)^x$, and a user also indexed by $i$ (the users identified by the same index in two BE instances can be different or not) in another instance has secret decryption key $s'_i$ computed from secret value $r'_i$ and the master secret key $x'$ corresponding to $PK' = e(g,g)^{x'}$, as defined in the Gentry-Waters BE scheme. Let $(c_1, c_2) = (g^t, (\prod_{j \in S} h_j)^t)$ be the ciphertext sent to a receiver group $S$ in the first instance. Then any receiver in $S$ in the first instance can decrypt the session key $e(g,g)^{xt}$. However, a user with the same index in $S$ in the second instance can extract a value $e(g,g)^{x't}$ which has a meaningful relationship with the decrypted value $e(g,g)^{xt}$ by the intended receivers. Hence, the value $e(g,g)^{x't}$ extracted by the attackers can be viewed as a shadow of the original value $e(g,g)^{xt}$.

The above shadow property of the Gentry-Waters BE scheme does not affect the security of their proposal as a regular BE scheme. However, this property may prevent the Gentry-Waters BE scheme from being used as a building block for certain advanced protocols.

V. PERFORMANCE ANALYSIS

A. Theoretical Analysis

We first examine the online complexity that is critical for the practicality of a ConBE scheme. When evaluating the performance, we use the widely adopted metrics [42], [43], [44] for regular BE schemes. In these metrics, the costs of simple operations (e.g., read the indices of receivers and perform some simple quantifications of group elements associated to these indices) and communication (e.g., the binary representation of the receivers set) are not taken into consideration. After the CBSetup procedure, a sender needs to retrieve and store the group public key $PK$ consisting of $n$ elements in $G$ and $n$ elements in $G_T$. Moreover, for encryption, the sender needs only two exponentiations and the ciphertext merely contains two elements in $G$. This is about $n$ times more efficient than the trivial solution. At the receiver's side, in addition to the description of the bilinear pair which may be shared by many other security applications, a receiver needs to store $n$ elements in $G$ for decryption. For decryption, a receiver needs to compute two single-base bilinear pairings (or one double-base bilinear pairing). The online costs on the sides of both the sender and the receivers are really low.

We next discuss the complexity of the CBSetup procedure to set up a ConBE system. The overhead incurred by this procedure is $O(n^2)$. This procedure needs to be run only once and this can be done offline before the online transmission of secret session keys. For instance, in the social networks example, a number of friends exchange their CBSetup transcripts and establish a ConBE system to secure their subsequent sharing of private pictures/videos. Since ConBE allows revoking members, the members do not need to reassemble for a new run of the CBSetup procedure until some new friends join. From our personal experience, the group lifetime usually lasts from weeks to months. These observations imply that our protocol is practical in the real world.

Furthermore, if the initial group is too large, an efficient trade-off can be employed [42] to balance the online and offline costs. Suppose that $n$ is a cube, i.e., $n = n_1^3$, and the initial group has $n$ members. We divide the full group into $n_1^2$ subgroups, each of which has $n_1$ members. By applying our basic ConBE to each subgroup, we obtain a ConBE scheme with $O(n_1^2)$-size transcripts per member during the offline stage of group key establishment; a sender needs to do $O(n_1^2)$ encryption operations of the basic ConBE scheme, which produces $O(n_1^2)$-size ciphertexts. Consequently, we obtain a semi-adaptive ConBE scheme with $O(n^{2/3})$ complexity. This is comparable to up-to-date public-key BE systems whose complexity is $O(n^{1/2})$.
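The ConBE scheme of Section IV-B and the shadow-property attack on its Gentry-Waters analog of Section IV-C, run through end to end in a toy bilinear group, as an added example; this is not code from the paper or its authors. The "pairing" is a constructed stand-in: elements of $G$ and $G_T$ are integers modulo a small prime, the group law (written multiplicatively in the paper) is addition, exponentiation is multiplication and $e(g^a, g^b) = ab$. The map is bilinear, so every identity in the two sections can be checked on it, but it has no hardness whatsoever, so the block verifies the algebra (members decrypt, a revoked member's key lacks the component it would need, and in the analog the public transcripts alone yield the session key) and says nothing about security. The analog's key layout follows the Gentry-Waters BKeyGen reviewed in Section IV-C.1 (the $g^{x_k}$ factor sits at position $i$ of $d_{i,k}$); the requirement $|S| \ge 2$ in the attack routine and the receiver set $\{1, 3\}$ are choices of this example, not statements from the paper.

```python
"""ConBE (Section IV-B) and the Gentry-Waters analog with its shadow-property attack
(Section IV-C) in a constructed toy 'bilinear group': elements of G and G_T are
integers mod Q, the group law (multiplicative in the paper) is addition mod Q,
exponentiation is multiplication, and e(g^a, g^b) = a*b mod Q.  Bilinear, so the
paper's identities can be checked; no hardness at all, so it checks algebra only."""
import random

Q = 1_000_003   # constructed toy prime, not a parameter from the paper
G1 = 1          # the generator g; g^a is represented by a

def gmul(a, b): return (a + b) % Q        # product in G or G_T
def gpow(a, t): return (a * t) % Q        # a^t, t may be negative
def pair(a, b): return (a * b) % Q        # e(g^a, g^b) = e(g, g)^{ab}, e(g, g) = 1
def prod(elems): return sum(elems) % Q    # the paper's big-Pi over group elements

# ---- ConBE of Section IV-B ---------------------------------------------------
def conbe_setup(n, h, rng):
    """Group Key Agreement plus both key derivations; returns PK and every d_j."""
    pk, sigma = {}, {}          # PK_k, and sigma[(i,j,k)] = X_{i,k} * h_j^{-r_{i,k}}
    for k in range(1, n + 1):
        X = [rng.randrange(Q) for _ in range(n + 1)]   # X_{i,k} in G
        r = [rng.randrange(Q) for _ in range(n + 1)]   # r_{i,k} in Z_p
        pk[k] = [(gpow(G1, r[i]), pair(X[i], G1)) for i in range(n + 1)]  # (R_{i,k}, A_{i,k})
        for j in range(1, n + 1):                      # d_{j,k} is published for j != k,
            for i in range(n + 1):                     # d_{k,k} stays with member k
                if i != j:
                    sigma[(i, j, k)] = gmul(X[i], gpow(h[j], -r[i]))
    # Group Encryption Key Derivation: R_i = prod_k R_{i,k}, A_i = prod_k A_{i,k}
    PK = [(prod(pk[k][i][0] for k in pk), prod(pk[k][i][1] for k in pk)) for i in range(n + 1)]
    # Member Decryption Key Derivation: sigma_{i,j} = prod_k sigma_{i,j,k} for i != j
    dk = {j: {i: prod(sigma[(i, j, k)] for k in range(1, n + 1)) for i in range(n + 1) if i != j}
          for j in range(1, n + 1)}
    return PK, dk

def cb_encrypt(S, PK, n, rng):
    """c = (g^t, (prod_{i in S-bar} R_i)^t), kappa = (prod_{i in S-bar} A_i)^t."""
    sbar = [i for i in range(n + 1) if i not in S]
    t = rng.randrange(1, Q)
    return (gpow(G1, t), gpow(prod(PK[i][0] for i in sbar), t)), gpow(prod(PK[i][1] for i in sbar), t)

def cb_decrypt(S, j, dj, c, h, n):
    """Receiver j in S computes e(prod_{i in S-bar} sigma_{i,j}, c1) e(h_j, c2)."""
    if j not in S:
        return None             # j in S-bar would need sigma_{j,j}, which d_j does not contain
    sbar = [i for i in range(n + 1) if i not in S]
    return gmul(pair(prod(dj[i] for i in sbar), c[0]), pair(h[j], c[1]))

# ---- Gentry-Waters analog of Section IV-C --------------------------------------
def gw_analog_setup(n, h, rng):
    """CBSetup of the analog: public transcripts <PK_k, d_{i,k} (i != k)>, K and each d_i."""
    transcript, d = {}, {}
    for k in range(1, n + 1):
        x = rng.randrange(Q)                       # x_k
        for i in range(1, n + 1):
            r = rng.randrange(Q)                   # r_{i,k}
            s = [gpow(G1, -r)] + [gpow(h[j], r) for j in range(1, n + 1)]  # s_{i,0,k}, s_{i,j,k}
            s[i] = gmul(gpow(G1, x), s[i])         # s_{i,i,k} = g^{x_k} h_i^{r_{i,k}} as in GW BKeyGen
            d[(i, k)] = s
        transcript[k] = (gpow(pair(G1, G1), x), {i: d[(i, k)] for i in range(1, n + 1) if i != k})
    K = prod(t[0] for t in transcript.values())    # e(g,g)^{x_1 + ... + x_n}
    dk = {i: [prod(d[(i, k)][j] for k in range(1, n + 1)) for j in range(n + 1)] for i in range(1, n + 1)}
    return transcript, K, dk

def gw_encrypt(S, K, h, rng):
    t = rng.randrange(1, Q)
    return (gpow(G1, t), gpow(prod(h[j] for j in S), t)), gpow(K, t)

def gw_decrypt(S, i, di, c):
    return gmul(pair(prod(di[j] for j in S), c[0]), pair(di[0], c[1]))

def gw_shadow_attack(S, transcript, c):
    """Section IV-C.3: every kappa_k = e(g,g)^{x_k t} follows from a published d_{i,k}
    with i in S, i != k (so |S| >= 2 here, an observation about this construction)."""
    shadows = []
    for k, (_, published) in transcript.items():
        s = published[next(i for i in S if i != k)]
        shadows.append(gmul(pair(prod(s[j] for j in S), c[0]), pair(s[0], c[1])))
    return prod(shadows)

def demo(n=4, seed=7):
    rng = random.Random(seed)
    h = [None] + [rng.randrange(1, Q) for _ in range(n)]   # independent generators h_1..h_n
    S = {1, 3}                                             # constructed receiver set
    PK, dk = conbe_setup(n, h, rng)
    c, kappa = cb_encrypt(S, PK, n, rng)
    tr, K, gdk = gw_analog_setup(n, h, rng)
    gc, gkappa = gw_encrypt(S, K, h, rng)
    return {"conbe_member_ok": cb_decrypt(S, 1, dk[1], c, h, n) == kappa,
            "conbe_revoked_lacks_sigma_jj": 2 not in dk[2],
            "gw_member_ok": gw_decrypt(S, 1, gdk[1], gc) == gkappa,
            "gw_outsider_recovers_kappa": gw_shadow_attack(S, tr, gc) == gkappa}
```

Running `demo()` returns four booleans, all true: the ConBE receiver in $S$ recovers $\kappa$, the decryption key of member 2 (outside $S$) has no $\sigma_{2,2}$ component, and in the analog both the legitimate receiver and the transcript-only computation of Section IV-C.3 arrive at the same $\kappa$. The additive stand-in group is deliberate: with a real pairing library the same functions would carry over by swapping the four one-line primitives, while the toy keeps the check offline and makes the cancellation in each identity visible as integer arithmetic.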
[Fig. 1: three panels plotting execution time against the group size $n$ (0 to 150) at the AES-80 and AES-128 levels. Left: GK Agreement, execution time (s). Centre: GEKD and MDKD, execution time (s). Right: CBEncrypt and CBDecrypt, execution time (ms).]
Fig. 1. Execution time of Group Key Agreement, Group Encryption Key Derivation, Member Decryption Key Derivation, CBEncrypt, and CBDecrypt for AES-80 and AES-128 levels.
B. Experimental Analysis

In this section we present experimental results on our ConBE scheme. The experiments were run on a PC with Intel Core i7-2600 CPU at 3.4GHz, using the C programming language. The cryptographic operations were implemented using the Pairing-Based Cryptography library^2. Following the NIST-2012 key size recommendation^3, we realized our protocol for a moderate AES-80 level and a more usual AES-128 level, corresponding to the security level of an ideal symmetric cipher with 80-bit and 128-bit secret keys, respectively. We used Type A pairings constructed on the curve $y^2 = x^3 + x$ with embedding degree 2. Accordingly, in the first case for AES-80 level, $G$ has 512-bit elements of a 160-bit prime order and $G_T$ has 1024-bit/128-byte elements; and in the second case for AES-128 level, $G$ has 1536-bit elements of a 256-bit prime order and $G_T$ has 3072-bit/386-byte elements, respectively.

We performed experiments on the offline procedures including Group Key Agreement, Group Encryption Key Derivation and Member Decryption Key Derivation, and the online procedures including CBEncrypt and CBDecrypt for different group sizes $n = 6, 30, 60, 90, 120, 150, 180$. The values for CBEncrypt and CBDecrypt consider the worst case, i.e., $|S| = 1$. Also, we did not optimize the underlying pairing-related parameters or operations, e.g., by choosing a large prime characteristic of the base field and the prime order $p$ with most bits 0 (or 1), and by accelerating multi-base exponentiations/multi-base pairings [51]. Hence, the practical performance of our protocol can be better than the illustrated experimental results.

In Figure 1, the security level of our protocol is measured by the secret key size of AES (assumed to be an ideal symmetric cipher), i.e., AES with a truncated 80-bit key and AES with a standard 128-bit key. The leftmost graph in the figure illustrates the group key agreement time for different group sizes and different security levels. The execution time grows almost quadratically with the group size, and also grows with the security level. This is consistent with our theoretical analysis, because the pairings and the exponentiations dominate the computation costs. To achieve a moderate 128-bit security, the execution time is about 3 minutes for a group of 180 users. This is realistic as the GKA procedure only needs to be run once and then one can broadcast to any subset of the users, without re-running the protocol or any extra revocation sub-protocol.

The central graph in Figure 1 shows the time to extract the group encryption key and the decryption key for different group sizes and different security levels. Similarly to the group key agreement time, the key extraction time also grows with the security level and the group size. However, even in the worst case, only about 3 seconds are required, which is affordable in practice.

The rightmost graph in Figure 1 illustrates the online session key encryption/decryption time. It can be seen that the time is almost constant for different group sizes, which is consistent with the theoretical analysis. Both the session key encryption and decryption take less than 10ms for an 80-bit security level, and less than 80ms for a 128-bit security level. After the system is set up, the session key transmission is really efficient, which is user-friendly and definitely makes our ConBE scheme practical.

We also performed experiments on the cost tradeoff between set-up and online encryption. For $n = 180$ and AES-128 level, the execution times for Group Key Agreement, Group Encryption Key Derivation, Member Decryption Key Derivation, CBEncrypt and CBDecrypt are 101s, 2.20s, 1.86s, 55.3ms, and 57.6ms, respectively. However, using the trade-off described in the previous section, specifically taking subgroups of 6 users, the times become 410ms, 2.05ms, 1.63ms, 1.33s, and 57.6ms. The set-up efficiency was significantly improved, at the cost of a 1.33s encryption time, to be compared to a 55.3ms encryption time without tradeoff.

VI. SECURITY PROOFS

A. Proof of Theorem 1

Proof: A semi-adaptive attacker must commit to a set of the group members at the beginning of the game. She is allowed to corrupt all the users outside the committed set. Finally, she can choose any subset of the committed set as a target set to attack and try to get useful information sent to the target group. Suppose that $\mathcal{A}$ is a semi-adaptive $\tau$-time adversary breaking our BE scheme with advantage $\epsilon$ for a system parameterized with a given $n$. We build an algorithm $\mathcal{B}$ with advantage $\epsilon$ in solving the decision $n$-BDHE problem in time $\tau'$.

^2 Version 0.5.12, available at http://crypto.stanford.edu/pbc.
^3 http://www.keylength.com/en/4/.
$\mathcal{A}$ commits to a set $C \subseteq \{1, \ldots, n\}$ to $\mathcal{B}$. $\mathcal{B}$ queries the decision $n$-BDHE challenger and obtains a random decision $n$-BDHE challenge $(g, g^t, \vec{y}_{g,\alpha,n}, Z)$, where $\vec{y}_{g,\alpha,n} = (g_1, \ldots, g_n, g_{n+2}, \ldots, g_{2n}) = (g^{\alpha}, \ldots, g^{\alpha^n}, g^{\alpha^{n+2}}, \ldots, g^{\alpha^{2n}})$ and $Z$ is either $e(g_{n+1}, g^t)$ or a random element of $G_T$. $\mathcal{B}$ proceeds as follows.

Preparation for simulation. For $j = 1, \ldots, n$, $\mathcal{B}$ randomly selects $v_j \in \mathbb{Z}_p$ and computes $h_j = g_j g^{v_j}$. Denote $\bar C = \{1, \ldots, n\} \setminus C$. For $i = 0, 1, \ldots, n$, randomly select $a_i, r_i \in \mathbb{Z}_p$. For $j \in \bar C$, compute
$$R_0 = g^{r_0} \Big(\prod_{k \in \bar C} g_{n+1-k}\Big), \quad A_0 = e(g,g)^{a_0 + \alpha^{n+1}}, \quad \sigma_{0,j} = g^{a_0} g_j^{-r_0} \Big(\prod_{k \in \bar C, k \ne j} g_{n+1-k+j}^{-1}\Big) R_0^{-v_j}. \quad (3)$$
For $i \in \bar C$ and $j \ne i$, compute
$$R_i = g^{r_i} g_{n+1-i}^{-1}, \quad A_i = e(g,g)^{a_i}, \quad \sigma_{i,j} = g^{a_i} g_j^{-r_i} g_{n+1-i+j} R_i^{-v_j}. \quad (4)$$
For $i \in C$ and $j \in \{1, \ldots, n\}$, compute
$$R_i = g^{r_i}, \quad A_i = e(g,g)^{a_i}, \quad \sigma_{i,j} = g^{a_i} h_j^{-r_i}. \quad (5)$$
Then $\mathcal{B}$ can answer all the queries from $\mathcal{A}$.

Query public key. $\mathcal{A}$ can query the BE public key as well as the system parameters $\pi = ((p, G, G_T, e), g, h_1, \ldots, h_n)$ and the maximum group size $n$. From the decision $n$-BDHE challenge, the simulation of $\pi$ is straightforward. $\mathcal{B}$ needs to generate a BE public key $PK = (pk_0, pk_1, \ldots, pk_n)$, where $pk_i$ is the public key of the underlying aggregatable signature-based broadcast [3]. $\mathcal{B}$ sets $pk_i = (R_i, A_i)$ and forwards them to $\mathcal{A}$. Note that $r_i$ and $a_i$ are uniformly distributed in $\mathbb{Z}_p$, so the simulated public keys have an identical distribution as in the real world, and the simulation is perfect.

Query decryption key. $\mathcal{A}$ can query the decryption key of any user $j \in \bar C = \{1, \ldots, n\} \setminus C$. $\mathcal{B}$ returns $(\sigma_{0,j}, \ldots, \sigma_{j-1,j}, \sigma_{j+1,j}, \ldots, \sigma_{n,j})$. Now we show that the simulated decryption keys are well formed and perfect.

For the case that $i = 0$ and $j \in \bar C$, from Equation (3), the following equations hold.
$$e(\sigma_{0,j}, g)\, e(h_j, R_0) = e\Big(g^{a_0} g_j^{-r_0} \Big(\prod_{k \in \bar C, k \ne j} g_{n+1-k+j}^{-1}\Big) R_0^{-v_j}, g\Big)\, e(g_j g^{v_j}, R_0)$$
$$= e\Big(g^{a_0} g_j^{-r_0} \Big(\prod_{k \in \bar C, k \ne j} g_{n+1-k+j}^{-1}\Big), g\Big)\, e\Big(g_j, g^{r_0} \prod_{k \in \bar C} g_{n+1-k}\Big)$$
$$= e\Big(g^{a_0} \prod_{k \in \bar C, k \ne j} g_{n+1-k+j}^{-1}, g\Big)\, e\Big(g, \prod_{k \in \bar C} g_{n+1-k+j}\Big) = e(g^{a_0}, g)\, e(g, g_{n+1}) = e(g,g)^{a_0 + \alpha^{n+1}} = A_0. \quad (6)$$

For the case $i \in \bar C$ and $j \ne i$, from Equation (4), the following equations hold.
$$e(\sigma_{i,j}, g)\, e(h_j, R_i) = e(g^{a_i} g_j^{-r_i} g_{n+1-i+j} R_i^{-v_j}, g)\, e(g_j g^{v_j}, R_i) = e(g^{a_i} g_j^{-r_i} g_{n+1-i+j}, g)\, e(g_j, R_i)$$
$$= e(g^{a_i} g_j^{-r_i} g_{n+1-i+j}, g)\, e(g_j, g^{r_i} g_{n+1-i}^{-1}) = e(g^{a_i} g_{n+1-i+j}, g)\, e(g_j, g_{n+1-i}^{-1}) = e(g^{a_i} g_{n+1-i+j}, g)\, e(g, g_{n+1-i+j}^{-1}) = e(g,g)^{a_i} = A_i. \quad (7)$$

For the case that $i \in C$ and $j \in \{1, \ldots, n\}$, from Equation (5), the following equation holds.
$$e(\sigma_{i,j}, g)\, e(h_j, R_i) = e(g^{a_i} h_j^{-r_i}, g)\, e(h_j, g^{r_i}) = e(g,g)^{a_i} = A_i. \quad (8)$$

Hence, for $j \in \bar C$, $i = 0, \ldots, n$ and $i \ne j$, we have that
$$e(\sigma_{i,j}, g)\, e(h_j, R_i) = A_i. \quad (9)$$
Since $g$ is a generator of $G$, there exist $X_i \in G$ and $\rho_i \in \mathbb{Z}_p$ satisfying $e(X_i, g) = A_i$ and $R_i = g^{\rho_i}$. The above Equation (9) further implies that $\sigma_{i,j} = X_i h_j^{-\rho_i}$. Therefore, for user $j \in \bar C = \{1, \ldots, n\} \setminus C$, her decryption key $(\sigma_{0,j}, \ldots, \sigma_{j-1,j}, \sigma_{j+1,j}, \ldots, \sigma_{n,j})$ is well formed. The simulation of decryption keys for users outside $C$ is perfect.

Query challenge ciphertext. At some point, the attacker $\mathcal{A}$ submits a target set $S^* \subseteq C \subseteq \{1, \ldots, n\}$ for a challenge ciphertext sent to $S^*$. Since $S^* \subseteq C$, we have that $\bar S^* = \{0, 1, \ldots, n\} \setminus S^* \supseteq \{0, 1, \ldots, n\} \setminus C = \bar C \cup \{0\}$. Notice that $\mathcal{B}$ knows $Z$ and $g^t$ from the decision $n$-BDHE challenger, and the values of $r_i, a_i \in \mathbb{Z}_p$ which are chosen during the preparation for the simulation for $i = 1, \ldots, n$. Hence $\mathcal{B}$ can compute
$$c_1^* = g^t, \quad c_2^* = (g^t)^{\sum_{i \in \bar S^*} r_i}, \quad \kappa^* = Z\, e(g^t, g)^{\sum_{i \in \bar S^*} a_i}. \quad (10)$$
The algorithm $\mathcal{B}$ sets $c^* = (c_1^*, c_2^*)$ and challenges $\mathcal{A}$ with $(c^*, \kappa^*)$. In the following we show that $(c^*, \kappa^*)$ is well formed. Define $\bar S_0 = \bar S^* \setminus \{\bar C \cup \{0\}\}$. Then $\bar S_0 \subseteq C$ and $\bar S^* = \bar C \cup \{0\} \cup \bar S_0$. From Equations (3, 4, 5), the following equations hold:
$$\Big(\prod_{i \in \bar S^*} R_i\Big)^t = \Big(\prod_{i \in \bar C \cup \{0\} \cup \bar S_0} R_i\Big)^t = \Big(R_0 \prod_{i \in \bar C} R_i \prod_{i \in \bar S_0} R_i\Big)^t = \Big(g^{r_0} \Big(\prod_{k \in \bar C} g_{n+1-k}\Big) \prod_{i \in \bar C} g^{r_i} g_{n+1-i}^{-1} \prod_{i \in \bar S_0} g^{r_i}\Big)^t$$
$$= \Big(g^{r_0} \prod_{i \in \bar C} g^{r_i} \prod_{i \in \bar S_0} g^{r_i}\Big)^t = \big(g^{\sum_{i \in \bar S^*} r_i}\big)^t = (g^t)^{\sum_{i \in \bar S^*} r_i} = c_2^*; \quad (11)$$
$$\Big(\prod_{i \in \bar S^*} A_i\Big)^t = e(g,g)^{t\alpha^{n+1}}\, e(g,g)^{t \sum_{i \in \bar S^*} a_i}. \quad (12)$$
Hence, $(c_1^*, c_2^*)$ is a well-formed ciphertext of the session key $\kappa^*$ if $Z = e(g,g)^{t\alpha^{n+1}}$. Else if $Z$ is chosen at random
from $G_T$, $(c_1^*, c_2^*)$ is also well formed but independent of $\kappa^*$. Therefore, $\mathcal{B}$ can answer the decision $n$-BDHE challenge that $Z = e(g,g)^{t\alpha^{n+1}}$ if and only if $\mathcal{A}$ answers that $c^*$ is a ciphertext of $\kappa^*$. Algorithm $\mathcal{B}$ has the same success probability as $\mathcal{A}$ to break the above BE scheme.

Time complexity: $\mathcal{B}$'s overhead is dominated by computing $h_j$ and $(\sigma_{i,j}, R_i, A_i)$ for $j \ne i$. Computing $h_j$ requires $O(n)$ exponentiations in $G$. Computing $\sigma_{i,j}$ requires $O(n^2)$ exponentiations in $G$. Computing $R_i$ requires $O(n)$ exponentiations in $G$. $\mathcal{B}$ can compute $A_i$ by $O(n)$ exponentiations in $G_T$. Let $\tau_{Exp}$ denote the time to compute one exponentiation in $G$ or $G_T$. The time complexity of $\mathcal{B}$ is $\tau' = \tau + O(n^2)\tau_{Exp}$.

B. Proof of Theorem 3

Proof: Suppose that $\mathcal{A}$ is a semi-adaptive $\tau$-time adversary breaking our ConBE scheme with advantage $\epsilon$ for a system parameterized with $n$. We build an algorithm $\mathcal{B}$ with advantage $\epsilon$ in solving the decision $n$-BDHE problem in time $\tau'$.

$\mathcal{A}$ commits to a set $C \subseteq \{1, \ldots, n\}$ to $\mathcal{B}$. $\mathcal{B}$ queries the decision $n$-BDHE challenger and obtains a random decision $n$-BDHE challenge $(g, g^t, \vec{y}_{g,\alpha,n}, Z)$, where
$$\vec{y}_{g,\alpha,n} = (g_1, \ldots, g_n, g_{n+2}, \ldots, g_{2n}) = (g^{\alpha}, \ldots, g^{\alpha^n}, g^{\alpha^{n+2}}, \ldots, g^{\alpha^{2n}})$$
and $Z$ is either $e(g_{n+1}, g^t)$ or a random element of $G_T$. Denote $\bar C = \{1, \ldots, n\} \setminus C$. $\mathcal{B}$ proceeds as follows.

Preparation for simulation. For the sake of clarity, we let $\mathcal{B}$ first prepare all the answers to the various possible queries that the attacker $\mathcal{A}$ may make. Assuming the same parameter setting as in the proof of Theorem 1, $\mathcal{B}$ prepares the answers as follows. For $j = 1, \ldots, n$, compute $h_j = g_j g^{v_j}$ where $v_j$ is chosen at random in $\mathbb{Z}_p$.

Case 0: $k \in \bar C$. In this case, $\mathcal{B}$ does as in the real scheme. $\mathcal{B}$ randomly selects $a_{i,k}, \rho_{i,k} \in \mathbb{Z}_p$ and computes
$$R_{i,k} = g^{\rho_{i,k}}, \quad A_{i,k} = e(g,g)^{a_{i,k}}, \quad \sigma_{i,j,k} = g^{a_{i,k}} h_j^{-\rho_{i,k}}.$$
In this case, we have that
$$e(\sigma_{i,j,k}, g)\, e(h_j, R_{i,k}) = e(g,g)^{a_{i,k}} = A_{i,k}. \quad (13)$$

Case 1: $k \in C$.

Case 1.1: $i = 0$. $\mathcal{B}$ randomly selects $k^* \in C$ and sets $C_{k^*} = \{1, \ldots, n\} \setminus \{k^*\}$.

Case 1.1.1: $k = k^*$. Randomly select $a_{0,k}, \rho_{0,k} \in \mathbb{Z}_p$ and compute
$$R_{0,k} = g^{\rho_{0,k}} \Big(\prod_{\ell \in C_{k^*}} g_{n+1-\ell}\Big), \quad A_{0,k} = e(g,g)^{a_{0,k}}\, e(g,g)^{\alpha^{n+1}},$$
$$\sigma_{0,j,k} = g^{a_{0,k}} g_j^{-\rho_{0,k}} \Big(\prod_{\ell \in C_{k^*}, \ell \ne j} g_{n+1-\ell+j}^{-1}\Big) R_{0,k}^{-v_j}, \quad j \ne k^*.$$
In this case, one can verify that for $j \ne k^* \in C$
$$e(\sigma_{0,j,k}, g)\, e(h_j, R_{0,k}) = e(g,g)^{a_{0,k}}\, e(g,g)^{\alpha^{n+1}} = A_{0,k}. \quad (14)$$

Case 1.1.2: $k \ne k^*$ and $k \in C$. Randomly select $a_{0,k}, \rho_{0,k} \in \mathbb{Z}_p$ and compute
$$R_{0,k} = g^{\rho_{0,k}} g_{n+1-k}^{-1}, \quad A_{0,k} = e(g,g)^{a_{0,k}}, \quad \sigma_{0,j,k} = g^{a_{0,k}} g_j^{-\rho_{0,k}} \big(g_{n+1-k+j}\big) R_{0,k}^{-v_j}, \quad j \ne k.$$
In this case, one can verify that for $j \ne k$, $k \ne k^* \in C$
$$e(\sigma_{0,j,k}, g)\, e(h_j, R_{0,k}) = e(g,g)^{a_{0,k}} = A_{0,k}. \quad (15)$$

Case 1.2: $i = 1, \ldots, n$.

Case 1.2.1: $i \in \bar C$ and $k = k^*$. Randomly select $a_{i,k}, \rho_{i,k} \in \mathbb{Z}_p$ and compute
$$R_{i,k} = g^{\rho_{i,k}} g_{n+1-i}^{-1}, \quad A_{i,k} = e(g,g)^{a_{i,k}}, \quad \sigma_{i,j,k} = g^{a_{i,k}} g_j^{-\rho_{i,k}} g_{n+1-i+j} R_{i,k}^{-v_j}, \quad j \ne i.$$
In this case, one can verify that
$$e(\sigma_{i,j,k}, g)\, e(h_j, R_{i,k}) = e(g,g)^{a_{i,k}} = A_{i,k}, \quad j \ne i. \quad (16)$$

Case 1.2.2: $i \in C$ or $k \ne k^*$. Randomly select $a_{i,k}, \rho_{i,k} \in \mathbb{Z}_p$ and compute
$$R_{i,k} = g^{\rho_{i,k}}, \quad A_{i,k} = e(g,g)^{a_{i,k}}, \quad \sigma_{i,j,k} = g^{a_{i,k}} h_j^{-\rho_{i,k}}.$$
In this case, one can verify that
$$e(\sigma_{i,j,k}, g)\, e(h_j, R_{i,k}) = e(g,g)^{a_{i,k}} = A_{i,k}, \quad j \ne i. \quad (17)$$

By summarizing Equations (13, 14, 15, 16, 17), we have the following equations:
$$e(\sigma_{i,j,k}, g)\, e(h_j, R_{i,k}) = e(g,g)^{a_{i,k}} = A_{i,k}, \quad k \in \bar C; \quad (18)$$
$$e(\sigma_{0,j,k^*}, g)\, e(h_j, R_{0,k^*}) = e(g,g)^{a_{0,k^*}}\, e(g,g)^{\alpha^{n+1}} = A_{0,k^*}, \quad j \ne k^* \in C; \quad (19)$$
$$e(\sigma_{i,j,k}, g)\, e(h_j, R_{i,k}) = e(g,g)^{a_{i,k}} = A_{i,k}, \quad j \ne k,\ k \in C,\ k \ne k^*,\ j \ne i. \quad (20)$$
After the preparation above, $\mathcal{B}$ can answer all the queries from $\mathcal{A}$.

Query transcript. $\mathcal{A}$ can query the system parameters and the transcripts from all the group members participating in the CBSetup sub-protocol. The system parameters except $h_j$ can be trivially simulated from the decision $n$-BDHE challenge. As in the preparation for simulation, $h_j = g_j g^{v_j}$ for a randomly chosen value $v_j \in \mathbb{Z}_p$. Hence, all the system parameters are correctly simulated. Upon receiving the query for the transcripts from the members, $\mathcal{B}$ responds with
$$M = \{(\sigma_{i,j,k}, R_{i,k}, A_{i,k}) \mid 0 \le i \le n,\ 1 \le j \le n,\ 1 \le k \le n,\ j \ne i,\ j \ne k\}.$$
Due to Equations (18, 19, 20), one can see that the transcripts in $M$ are well formed. Furthermore, since $\rho_{i,k}$ and $a_{i,k}$ are uniformly distributed in $\mathbb{Z}_p$, the simulated transcripts have an identical distribution as in the real world and the simulation is perfect.

Query secret inputs and internal states. $\mathcal{A}$ can query the secret inputs and internal states of members in $\{1, \ldots, n\} \setminus$
0018-9340 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/TC.2015.2419662, IEEE Transactions on Computers
IEEE TRANSACTIONS ON COMPUTERS, VOL. XXX, NO. XXX, XXX 2015 12
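The following Python model is an added check of the algebra in Cases 0 and 1.1.1 above; it is not part of the paper and does not implement the ConBE scheme itself. Each group element $g^x$ is represented by its exponent $x$ modulo an assumed prime $P$, so the pairing $e(g^x, g^y) = e(g,g)^{xy}$ becomes a product of exponents, and the simulator is handed only the powers $\alpha^i$ that a decision $n$-BDHE instance exposes ($i \in \{1,\dots,n\} \cup \{n+2,\dots,2n\}$). It checks Equation (13) for a Case 0 tuple and Equation (14) for every $\sigma_{0,j,k^*}$ of Case 1.1.1, and shows that for $j = k^*$ the same construction falls short of $A_{0,k^*}$ by exactly $e(g,g)^{\alpha^{n+1}}$, the one power $\mathcal{B}$ does not have, which is why the transcript set $M$ excludes $j = k$. The group size $n$, the choice of $k^*$ and the prime $P$ are assumptions of the model.

```python
"""Exponent-level model of the Theorem 2 simulator, Cases 0 and 1.1.1.

Each element g^x of G is stored as x mod P, so e(g^x, g^y) = e(g,g)^{xy}
is the product x*y mod P.  gpow holds alpha^i only for the indices a
decision n-BDHE instance exposes; alpha^{n+1} is deliberately absent.
Added model, not the paper's code; P and all parameters are assumptions.
"""
import secrets

P = (1 << 127) - 1  # assumed prime group order for the model


def bdhe_instance(n, p=P):
    """Return (alpha, t, gpow).  alpha and t stay hidden from the simulator;
    gpow maps i -> alpha^i mod p for i in 1..n and n+2..2n (never n+1)."""
    alpha = secrets.randbelow(p - 2) + 2
    t = secrets.randbelow(p - 2) + 2
    gpow = {i: pow(alpha, i, p) for i in range(1, 2 * n + 1) if i != n + 1}
    return alpha, t, gpow


def pairing_check(sigma, h_j, R, A, p=P):
    """Equations (13)/(14) in exponents: e(sigma, g) e(h_j, R) == A.
    Returns A - (sigma + h_j*R) mod p, i.e. 0 exactly when the tuple verifies."""
    return (A - (sigma + h_j * R)) % p


def case0(h_j, p=P):
    """Real scheme (Case 0): R = g^r, A = e(g,g)^a, sigma = g^a h_j^{-r}."""
    a, r = secrets.randbelow(p), secrets.randbelow(p)
    return {"R": r, "A": a, "sigma": (a - h_j * r) % p}


def case111(n, k_star, j, v_j, gpow, a, r, p=P):
    """Simulated (R_{0,k*}, A_{0,k*}, sigma_{0,j,k*}) of Case 1.1.1 with
    h_j = g_j g^{v_j}.  Only gpow[] is dereferenced: alpha^{n+1} enters A
    solely through e(g_1, g_n), and every g_{n+1-l+j} with l != j exists."""
    c_kstar = [l for l in range(1, n + 1) if l != k_star]
    R = (r + sum(gpow[n + 1 - l] for l in c_kstar)) % p
    A = (a + gpow[1] * gpow[n]) % p                  # e(g,g)^a * e(g_1, g_n)
    cross = sum(gpow[n + 1 - l + j] for l in c_kstar if l != j)
    sigma = (a - gpow[j] * r - cross - v_j * R) % p  # g^a g_j^{-r} (prod)^{-1} R^{-v_j}
    return {"R": R, "A": A, "sigma": sigma}


def case111_shortfalls(n, k_star, gpow, p=P):
    """Build sigma_{0,j,k*} for every j in 1..n with fresh a_{0,k*}, r_{0,k*}
    and v_j, and return {j: shortfall}.  The shortfall is 0 for j != k*
    (Equation 14) and equals alpha^{n+1} for j = k*: the missing e(g_{n+1}, g)
    term that the simulator cannot supply, so M must exclude j = k."""
    a, r = secrets.randbelow(p), secrets.randbelow(p)
    out = {}
    for j in range(1, n + 1):
        v_j = secrets.randbelow(p)
        h_j = (gpow[j] + v_j) % p                   # h_j = g_j g^{v_j}
        tup = case111(n, k_star, j, v_j, gpow, a, r, p)
        out[j] = pairing_check(tup["sigma"], h_j, tup["R"], tup["A"], p)
    return out


if __name__ == "__main__":
    n, k_star = 5, 2                                 # assumed toy parameters
    alpha, _t, gpow = bdhe_instance(n)
    real = case0(h_j=7)
    print("Case 0, Eq. (13) holds:",
          pairing_check(real["sigma"], 7, real["R"], real["A"]) == 0)
    for j, s in case111_shortfalls(n, k_star, gpow).items():
        status = "well formed" if s == 0 else "short by alpha^(n+1)"
        print(f"sigma_(0,{j},{k_star}): {status}",
              "" if s == 0 else s == pow(alpha, n + 1, P))
```

Running the script prints one line per $j$; only $j = k^*$ fails, and the printed shortfall equals $\alpha^{n+1}$, matching the argument that the simulator would need $g_{n+1}$ to close that gap.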

Query decryption keys. Note that in our ConBE one can always compute the decryption key of a member if one knows the member's secret inputs and internal states during the CBSetup stage. Hence, the challenger $\mathcal{B}$ can handle these queries as those for secret inputs and internal states.

Query challenge ciphertext. In the test stage, the attacker $\mathcal{A}$ submits a target set $S^* \subseteq C \subseteq \{1, \dots, n\}$ for a challenge ciphertext sent to $S^*$. Similarly to the proof of Theorem 1, since $S^* \subseteq C$, it follows that
$$\bar{S} = \{0, 1, \dots, n\} \setminus S^* \supseteq \{0, 1, \dots, n\} \setminus C = \bar{C} \cup \{0\}.$$
Then $S_0 = \bar{S} \setminus (\bar{C} \cup \{0\}) \subseteq C$. Hence, $\bar{S} = \bar{C} \cup \{0\} \cup S_0$. Define
$$r = \sum_{i \in \bar{S}} \sum_{k=1}^{n} r_{i,k} \qquad \text{and} \qquad a = \sum_{i \in \bar{S}} \sum_{k=1}^{n} a_{i,k},$$
which are known to $\mathcal{B}$ because $r_{i,k}$ and $a_{i,k}$ are chosen by $\mathcal{B}$. Since $\mathcal{B}$ also knows $Z$ and $g^t$ from the decision $n$-BDHE challenger, $\mathcal{B}$ can compute the challenge ciphertext as follows:
$$c_1 = g^t, \qquad c_2 = (g^t)^r, \qquad \xi = Z\, e(g,g)^{at}.$$
Then $\mathcal{B}$ sets $c^* = (c_1, c_2)$ and sends $(c^*, \xi)$. In the following, we show that $(c^*, \xi)$ is well formed.

From Case 1.1, we have that
$$\prod_{k=1}^{n} R_{0,k} = \Big( g^{r_{0,k^*}} \prod_{\ell \in C_{k^*}} g_{n+1-\ell} \Big) \prod_{k=1,\, k \neq k^*}^{n} R_{0,k}$$
$$= \Big( g^{r_{0,k^*}} \prod_{\ell \in C_{k^*}} g_{n+1-\ell} \Big) \Big( \prod_{k \in C,\, k \neq k^*} g_{n+1-k}^{-1} \Big)\, g^{\sum_{k=1,\, k \neq k^*}^{n} r_{0,k}}$$
$$= \Big( \prod_{\ell \in C_{k^*}} g_{n+1-\ell} \prod_{k \in C,\, k \neq k^*} g_{n+1-k}^{-1} \Big)\, g^{\sum_{k=1}^{n} r_{0,k}}.$$
From Case 1.2.1 and Case 1.2.2, we have that
$$\prod_{i \in \bar{C}} \prod_{k=1}^{n} R_{i,k} = \prod_{i \in \bar{C}} g_{n+1-i}^{-1}\, g^{\sum_{i \in \bar{C}} \sum_{k=1}^{n} r_{i,k}}, \qquad \prod_{i \in S_0} \prod_{k=1}^{n} R_{i,k} = g^{\sum_{i \in S_0} \sum_{k=1}^{n} r_{i,k}}.$$
Note that $C_{k^*} = \bar{C} \cup (C \setminus \{k^*\})$ and $\bar{S} = \bar{C} \cup \{0\} \cup S_0$, so the factors $g_{n+1-i}$ with $i \in \bar{C}$ left over from the first product cancel against the second. We have that
$$\prod_{k=1}^{n} R_{0,k} \prod_{i \in \bar{C}} \prod_{k=1}^{n} R_{i,k} \prod_{i \in S_0} \prod_{k=1}^{n} R_{i,k} = g^{\sum_{i \in \bar{S}} \sum_{k=1}^{n} r_{i,k}} = g^{r}.$$
Hence the following equalities hold:
$$\Big( \prod_{i \in \bar{S}} R_i \Big)^t = \Big( \prod_{i \in \bar{S}} \prod_{k=1}^{n} R_{i,k} \Big)^t = \Big( \prod_{k=1}^{n} R_{0,k} \prod_{i \in \bar{C}} \prod_{k=1}^{n} R_{i,k} \prod_{i \in S_0} \prod_{k=1}^{n} R_{i,k} \Big)^t = (g^r)^t = (g^t)^r = c_2.$$
So far, we obtain that $c_1 = g^t$ and $c_2 = (\prod_{i \in \bar{S}} R_i)^t$. Hence, $(c_1, c_2)$ is well formed and the simulation of the challenge ciphertext is perfect.

Success probability. At some point, $\mathcal{A}$ answers whether $(c_1, c_2)$ is a valid ciphertext for $\xi$ or $\xi$ is independent of $(c_1, c_2)$. From Equations (18, 19, 20), we have that
$$\Big( \prod_{i \in \bar{S}} A_i \Big)^t = \Big( \prod_{i \in \bar{S}} \prod_{k=1}^{n} A_{i,k} \Big)^t = \Big( e(g,g)^{\alpha^{n+1} + \sum_{i \in \bar{S}} \sum_{k=1}^{n} a_{i,k}} \Big)^t = e(g,g)^{\alpha^{n+1} t + a t}.$$
Note that $\xi = Z\, e(g,g)^{at}$. Hence, $(c_1, c_2)$ is a valid ciphertext for the session key $\xi$ if and only if $Z = e(g,g)^{\alpha^{n+1} t}$. Then $\mathcal{B}$ answers the decision $n$-BDHE challenger with $Z = e(g,g)^{\alpha^{n+1} t}$ if and only if $\mathcal{A}$ answers that $c^*$ is a valid ciphertext for $\xi$. Clearly, $\mathcal{B}$ has the same success probability as $\mathcal{A}$ has in breaking the above ConBE scheme.

Time complexity. $\mathcal{B}$'s overhead is dominated by computing $(\sigma_{i,j,k}, R_{i,k}, A_{i,k})$ for $j \neq i$, $j \neq k$. Computing the $\sigma_{i,j,k}$ requires $O(n^3)$ exponentiations, computing the $R_{i,k}$ requires $O(n^2)$ exponentiations, and computing the $A_{i,k}$ needs $O(n^2)$ exponentiations. Hence the time for $\mathcal{B}$ to solve the decision $n$-BDHE problem is the running time of $\mathcal{A}$ plus $O(n^3)$ exponentiations.

VII. CONCLUSIONS

In this paper, we formalized the ConBE primitive. In ConBE, anyone can send secret messages to any subset of the group members, and the system does not require a trusted key server. Neither a change of sender nor the dynamic choice of the intended receivers requires extra rounds to negotiate group encryption/decryption keys. Following the ConBE model, we instantiated an efficient ConBE scheme that is secure in the standard model. As a versatile cryptographic primitive, our novel ConBE notion opens a new avenue to establish secure broadcast channels and can be expected to secure numerous emerging distributed computation applications.

ACKNOWLEDGMENTS AND DISCLAIMER

The authors are supported by the Chinese National Key Basic Research Program (973 program) through project 2012CB315905, the Natural Science Foundation of China through projects 61370190, 61173154, 61472429, 61402029, 61272501, 61202465, 61321064 and 61003214, the Beijing Natural Science Foundation through project 4132056, the Fundamental Research Funds for the Central Universities, the Research Funds (No. 14XNLF02) of Renmin University of China, the Open Research Fund of Beijing Key Laboratory of Trusted Computing, the European Union through projects FP7 DwB, FP7 Inter-Trust and H2020 CLARUS, the Spanish Government through projects TSI-020302-2010-153 and TIN2011-27076-C03-01, the Catalan Government under grant 2014 SGR 537, the Templeton World Charity Foundation under grant no. TWCF0095, the Shanghai NSF under grant 12ZR1443500, the Shanghai Chen Guang Program (12CG24) and the Science and Technology Commission of Shanghai Municipality under grant 13JC1403500. The fourth author is partially supported as an ICREA-Acadèmia researcher by the Catalan Government and by a Google Faculty Research Award. The URV authors are with the UNESCO Chair in Data Privacy, but this paper does not necessarily reflect the position of UNESCO nor does it commit that organization.

Qianhong Wu received his Ph.D. in Cryptography from Xidian University in 2004. Since then, he has been with Wollongong University (Australia) as an associate research fellow, with Wuhan University (China) as an associate professor, with Universitat Rovira i Virgili (Catalonia) as a research director and now with Beihang University (China) as a full professor. His research interests include cryptography, information security and privacy, and ad hoc network security. He has been a holder/co-holder of 7 China/Australia/Spain funded projects. He has authored 7 patents and over 100 publications. He has served in the program committee of several international conferences in information security and privacy. He is a member of IACR, ACM and IEEE.

Bo Qin received her Ph.D. degree in Cryptography from Xidian University in 2008 in China. Since then, she has been with Xi'an University of Technology (China) as a lecturer, with Universitat Rovira i Virgili (Catalonia) as a postdoctoral researcher, and now with Renmin University of China as a lecturer. Her research interests include pairing-based cryptography, data security and privacy, and VANET security. She has been a holder/co-holder of 6 China/Spain funded projects. She has authored over 60 publications and served in the program committee of several international conferences in information security.

Lei Zhang received his Ph.D. degree in computer engineering from Universitat Rovira i Virgili, Tarragona, Spain, in 2010. He is an Associate Research Fellow with the Software Engineering Institute, East China Normal University, Shanghai, China. Before this, he had been a Postdoctoral Researcher with Universitat Rovira i Virgili. His fields of activity are information security, cryptography, data privacy, and network security. He has been a holder/co-holder of 5 China/Spain funded projects. He has authored over 50 publications. He has served in the program committee of several international conferences in information security and privacy. He is a member of IEEE.

Josep Domingo-Ferrer is a Full Professor of Computer Science and an ICREA-Acadèmia Researcher at Universitat Rovira i Virgili, Tarragona, Catalonia, where he holds the UNESCO Chair in Data Privacy. His research interests are in data privacy and data security. He received his M.Sc. and Ph.D. degrees in Computer Science from the Autonomous University of Barcelona in 1988 and 1991, respectively. He also holds an M.Sc. in Mathematics. He has won several research and technology transfer awards, including the IEEE Fellow Grade, a Google Faculty Research Award, the Government of Catalonia's Narcís Monturiol Medal to the scientific merit and twice the ICREA Acadèmia Prize. He has authored 5 patents and over 340 publications. He has been the co-ordinator of projects funded by the European Union and the Spanish government, among which the CONSOLIDER ARES project on security and privacy, one of Spain's 34 strongest research teams. He has been the PI of US-funded research contracts. He has held visiting appointments at Princeton, Leuven and Rome. He is a co-Editor-in-Chief of Transactions on Data Privacy.

Oriol Farràs is a Juan de la Cierva postdoctoral researcher at the UNESCO Chair in Data Privacy and the CRISES Research Group in the Department of Computer Engineering and Maths at Universitat Rovira i Virgili, Tarragona, Catalonia. He received his M.Sc. degree in Mathematics and his M.Sc. degree in Telecommunication Engineering from Universitat Politècnica de Catalunya in 2004 and 2005, respectively. He received his Ph.D. degree in Mathematics from Universitat Politècnica de Catalunya in 2010. He has been a postdoctoral fellow in the Department of Computer Science at Ben Gurion University of the Negev, Israel, and a Director of Research at Universitat Rovira i Virgili. His research interests include cryptography, secret sharing, and information theory.

Jesus A. Manjon is a computer engineer with the UNESCO Chair in Data Privacy and the CRISES Research Group at the Department of Computer Engineering and Maths at Universitat Rovira i Virgili, Tarragona, Catalonia. He got his B.Sc. in Computer Engineering in 2004 and his M.Sc. in Computer Security in 2008. He has participated in several Spanish-funded projects and he is a co-author of several research publications on security and privacy.
