
Mathematical and Computer Modelling 55 (2012) 113–122


Authenticated public key broadcast encryption scheme secure against insiders’ attack

Chanil Park a,1, Junbeom Hur b,∗, Seongoun Hwang c, Hyunsoo Yoon a

a Department of Computer Science, Korea Advanced Institute of Science and Technology, 373-1, Yuseong-Gu, Guseong-Dong, Daejeon, 305-701, Republic of Korea
b School of Computer Science and Engineering, Chung-Ang University, Korea
c Department of Computer & Information Communication Engineering, Hongik University, Jochiwon-EUP, Yeongi-Gun, Chungcheongnam-Do, 339-701, Republic of Korea

Article info

Article history: Received 19 September 2010; received in revised form 6 January 2011; accepted 30 January 2011.

Keywords: Broadcast encryption; Sender authentication; Insiders’ attack; Collusion attack; Identity-based encryption

Abstract

Broadcast encryption schemes have been studied for the past decades. Recently, insiders’ attacks on broadcast encryption schemes have attracted attention among researchers, and several broadcast encryption schemes with sender authentication have been proposed. However, since the broadcast message size in the previous schemes grows linearly with the number of target members, those schemes are not suitable for groups with many members. In this paper, we propose a new authenticated public key broadcast encryption scheme called the ω-APKBE scheme. The proposed ω-APKBE scheme provides the sender authentication property with a constant-size broadcast message that does not depend on the number of target members. Hence, the proposed scheme is better suited to dynamic groups with many members than the previous schemes.

© 2011 Elsevier Ltd. All rights reserved.

1. Introduction

As Internet technologies develop day by day, the demand for multimedia content distribution and group communication keeps increasing. In this environment, it has become an important issue for content providers or group managers to distribute contents or group messages to authorized members securely. Broadcast encryption provides an efficient solution for distributing them to an authorized group S with many members. In broadcast encryption, the content provider or group manager generates broadcast messages or contents in the form $\langle Hdr, E_K(M)\rangle$, where K is a secret session key used to encrypt the contents or messages M via a symmetric encryption scheme E(·), and Hdr is a header that carries the information needed to recover the secret session key K. Hence, only the authorized members in the group S can retrieve the correct session key K from Hdr using their private keys, while those outside S obtain no information about the session key.

There have been a number of broadcast encryption schemes during the past decade [1–9]. Reducing the size of the broadcast header, managing join/leave of group members, and minimizing the private keys of broadcast senders and receivers are well-known issues in broadcast encryption. However, since a broadcast system consists of multiple broadcast senders, which is very common in the real world, it is very important for receivers to authenticate the correct broadcast senders. This issue becomes even more important when we consider malicious insiders’ attacks. Here, a malicious insider means a legitimate member who belongs to the group S but impersonates the broadcast senders and mounts attacks such as sending garbage messages or session keys to the group members. In fact, the sender authentication issue in broadcast encryption seems very trivial because it may be solved by just adding a signature scheme. But just adding a signature usually increases the size of the broadcast messages, which is undesirable from the efficiency viewpoint in the broadcast encryption setting.

∗ Corresponding author. Tel.: +1 217 819 8591; fax: +1 217 819 8591.
E-mail addresses: [email protected] (C. Park), [email protected], [email protected] (J. Hur), [email protected] (S. Hwang), [email protected] (H. Yoon).
1 Tel.: +82 42 355 7729.

0895-7177/$ – see front matter © 2011 Elsevier Ltd. All rights reserved. doi:10.1016/j.mcm.2011.01.056

To address this kind of insiders’ attack, broadcast encryption schemes with sender authentication have been proposed [10–12]. Mu et al. proposed the IBABE protocol [10]. They claimed that their scheme provides sender authentication and formally proved it. However, in 2008, Selvi et al. [11] demonstrated that the IBABE scheme is vulnerable to the insider attack. They also proposed a new identity-based broadcast signcryption scheme which is secure against the insider attack. Selvi et al.’s scheme sends broadcast messages to the group of receivers chosen by a broadcast sender. But since the length of the broadcast messages depends on the number of receivers chosen by the broadcast sender, the scheme does not scale to broadcast systems with many receivers.

In this paper, we propose a new public key broadcast encryption scheme which is secure against the insiders’ attack and is also efficient in the size of the broadcast message. The proposed scheme uses a secret polynomial f(x) to obtain a constant-size broadcast message. It is known that the polynomial method is vulnerable to a collusion attack by revoked members. But in 2008, Liu et al. proposed a technique which is secure against full collusion of revoked users [13]. In this paper, we adopt Liu et al.’s technique to construct an efficient broadcast encryption scheme. The proposed scheme also supports the sender authentication property, so legitimate receivers can authenticate the message of the broadcast sender using the public key of the sender.

The paper is organized as follows: In Section 2, we briefly introduce related work. In Section 3, we describe a definition of public key broadcast encryption and its related complexity assumptions. We present our scheme in Section 4 and analyze the security of the scheme in Section 5. Finally, we show an application of the proposed scheme and conclude this paper in Sections 6 and 7, respectively.

2. Related work

Fiat et al. first proposed the concept of broadcast encryption [5]. Since then, there have been a number of protocols in the literature [8,7,13–16]. Broadcast encryption schemes vary from a fixed number of group members to a dynamic number of group members, and from symmetric key based to asymmetric key based. In particular, protocols based on polynomial interpolation provide an efficient way to handle a group with dynamic membership [14–16]. They can revoke up to t users and resist collusion of size t.

Yoo et al. [17] updated Naor et al.’s scheme [8]. They partitioned the users into m subgroups and interpolated multiple polynomials. When r users are revoked among n users, their method requires O(log(n/m)) user keys and O(αr + m) transmission overhead in the worst case, where α is a predetermined constant satisfying 1 ≤ α ≤ 2. Boneh and Gentry [2] proposed a public key broadcast encryption scheme for stateless receivers. The security of their scheme is based on the hardness of the ℓ-BDHE problem. They also achieved a collusion-resistant broadcast system for N users with $\sqrt{N}$ header size and $\sqrt{N}$ public keys, respectively. Liu and Wen-Guey [13] proposed a public key broadcast encryption scheme which uses polynomial interpolation. They used a bilinear map to achieve collusion resistance for N users. They proposed two schemes. One is the basic BE-PI scheme with both public and private keys of size O(log N). The other is the PK-SD-PI scheme with O(r) header size, O(1) public key, and $O(\log^2 N)$ private keys per user.

Mu et al. [10] proposed an authenticated broadcast encryption scheme. They presented a way to authenticate a broadcast message using the ID of the broadcast sender. However, since the message size in the scheme depends on the number of authorized users, it is not suitable for a broadcast system with many authorized members. Selvi et al. [11] showed that in Mu et al.’s scheme a legal user can impersonate the broadcast sender without the broadcast sender’s secret. Selvi et al. also proposed a new authenticated broadcast encryption scheme [11]. However, Selvi et al. used the same polynomial method built from the secret values of the receivers. Hence, their scheme is not efficient for a broadcast system with many authorized receivers.

3. Preliminaries

In this section, we define some concepts. We first formally define a public key broadcast encryption and then state some complexity assumptions.

3.1. Broadcast encryption

A dynamic public key broadcast encryption scheme consists of four polynomial time algorithms (Setup, Registration, Encryption, Decryption) [2,4].

• Setup ($\mathrm{Setup}(\kappa)$): It takes as input a security parameter κ and outputs a public key PK and a secret key SK.
• Registration ($\mathrm{Reg}(id)$): It generates a secret private key for a member. It takes as input id and outputs a private key $SK_{id}$.
• Encryption ($\mathrm{Enc}(PK, S)$): It takes as input a set S of legitimate users and a public key PK. It outputs a pair ⟨Hdr, GK⟩, where GK is an encryption key chosen from a finite key space $\mathcal{K}$ and Hdr is a set of information which is used by members to retrieve the key GK. Let M be a message to be broadcast and C be the message encrypted with the key GK. The broadcast message consists of ⟨Hdr, C⟩. The set Hdr is called the broadcast header and C the broadcast body.

• Decryption ($\mathrm{Dec}(S, U_u, SK_u, Hdr, PK)$): It takes as input Hdr, a secret private key $SK_u$ of member $U_u$, and the public key PK. If $U_u$ is in the set S, $U_u$ can retrieve the key GK from Hdr, otherwise not. Then, $U_u$ can obtain the message M by decrypting C with GK.

The broadcast encryption scheme is said to be correct when for all subsets $S \subseteq \{1, \ldots, n\}$ and users $i \in S$, if $(PK, SK_1, \ldots, SK_n) \leftarrow \mathrm{Setup}(\kappa)$ and $(Hdr, GK) \leftarrow \mathrm{Enc}(PK, S)$ then $\mathrm{Dec}(i, SK_i, Hdr, PK) = GK$.

We define security against adaptive chosen ciphertext attack in broadcast encryption by static adversaries. The security is defined by a game between an adversary A and a challenger C, as in [2].

• Init: A begins by choosing a set $S^* \subseteq \{1, \ldots, n\}$ of receivers to attack.
• Setup: C runs Setup(κ) to generate a public key PK and private keys $SK_1, \ldots, SK_n$. C gives A the public key PK and the private keys $SK_i$ for $i \notin S^*$.
• Query phase 1: A issues decryption queries $q_1, \ldots, q_m$, where each decryption query consists of $\langle U_k, S, Hdr\rangle$ for $S \subseteq S^*$ and $U_k \in S$. C responds with $\mathrm{Decryption}(S, U_k, SK_k, Hdr, PK)$.
• Challenge: C runs the Encryption algorithm to obtain $\langle Hdr^*, GK\rangle$. C picks a random $b \in \{0, 1\}$. It sets $GK_b = GK$ and picks a random $GK_{1-b}$. It then gives $\langle Hdr^*, GK_0, GK_1\rangle$ to the adversary A.
• Query phase 2: A issues additional decryption queries $q_{m+1}, \ldots, q_D$, where each decryption query consists of $\langle U_k, S, Hdr\rangle$ for $S \subseteq S^*$, $U_k \in S$, and $Hdr \ne Hdr^*$. C responds as in phase 1.
• Guess: A outputs its guess $b' \in \{0, 1\}$ and wins the game if $b = b'$.

In the above game, the advantage of the adversary A is defined as $\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{A}(\kappa) = |\Pr[b' = b] - 1/2|$. A broadcast encryption scheme is said to be secure against chosen ciphertext attack if no polynomial time bounded adversary has non-negligible advantage in the above game.

Definition 1. A public key broadcast encryption $\Pi = \langle \mathrm{Setup}, \mathrm{Reg}, \mathrm{Enc}, \mathrm{Dec}\rangle$ is $(t, \epsilon, \kappa, q_D)$-IND-CCA secure if for every t-time adversary A that makes at most $q_D$ decryption queries, we have $\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{A,\Pi}(\kappa) < \epsilon$.

We show that the proposed scheme has IND-CCA security via the Fujisaki–Okamoto transformation [18,19]. For this proof, we first show that the proposed scheme has one-way security against chosen plaintext attacks (OW-CPA security). We define security against one-way chosen plaintext attack on a broadcast encryption as follows [13,20].

• Init: Adversary A chooses a target set $S \subseteq \{1, \ldots, n\}$ of users to attack.
• Setup: The challenger C runs Setup(κ) to generate a public key PK and private keys $SK_1, \ldots, SK_n$. The challenger C gives the adversary A the public key PK and the private keys $SK_i$ for $i \notin S$.
• Challenge: The challenger C runs the Encryption algorithm and outputs ⟨Hdr, m⟩, where m is randomly chosen. The challenger C gives Hdr to the adversary A.
• Guess: The adversary A outputs a guess m′.

We define the adversary A’s success probability as $\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{A}(\kappa) = \Pr[m' = m]$.

Definition 2. A public key broadcast encryption $\Pi = \langle \mathrm{Setup}, \mathrm{Reg}, \mathrm{Enc}, \mathrm{Dec}\rangle$ is $(t, \epsilon, \kappa)$-OW-CPA secure if for every t-time adversary A, we have $\mathrm{Adv}^{\mathrm{ow\text{-}cpa}}_{A,\Pi}(\kappa) < \epsilon$.

3.2. Discrete logarithm problem (DLP)

Let G be a group of prime order q and P be a generator of G. Then the DLP is as follows: given (P, aP) for random $a \in \mathbb{Z}_q^*$, find a. We say that an algorithm A has (t, ϵ)-advantage in solving the DLP in G if, for a t polynomial time algorithm A,

$$\Pr[A(P, aP) = a] \ge \epsilon.$$

3.3. Bilinear map and bilinear Diffie–Hellman problem

We briefly describe the bilinear map and the bilinear Diffie–Hellman problem in the groups. We follow the notation in [2,21].

Bilinear map: Let G and $G_1$ be two groups of order q, where q is a large prime. The bilinear map $e : G \times G \to G_1$ between the two groups has the following properties:

1. Bilinear: For all $a, b \in \mathbb{Z}_q$ and $P, Q \in G$, we have $e(aP, bQ) = e(P, Q)^{ab}$.
2. Non-degeneracy: If P is a generator of G, then e(P, P) is a generator of $G_1$.
3. Computable: There is an efficient algorithm to compute e(P, Q) for any $P, Q \in G$.

A group G is said to be a bilinear group if the group action in G can be computed efficiently and there exist a group $G_1$ and an efficiently computable bilinear map $e : G \times G \to G_1$ [21].

Bilinear Diffie–Hellman Problem (BDHP): Let G and $G_1$ be two groups with prime order q. Let $e : G \times G \to G_1$ be a bilinear map and P be a generator of G. Then the BDHP is as follows: given ⟨P, aP, bP, cP⟩ for random $a, b, c \in \mathbb{Z}_q^*$, compute $e(P, P)^{abc}$. We say that an algorithm A has (t, ϵ)-advantage in solving the BDHP in $(G, G_1, e)$ if, for a t polynomial time algorithm A,

$$\Pr[A(P, aP, bP, cP) = e(P, P)^{abc}] \ge \epsilon.$$

4. Authenticated public key broadcast encryption

In this section, we describe an authenticated public key broadcast encryption scheme. The proposed scheme is secure against insiders’ attack and supports an ω-session stateless property; hence we call it ω-APKBE for short. Here, the ω-session stateless property means that legitimate receivers can retrieve the secret session key GK from the current broadcast message even if they missed the broadcast messages of up to ω previous sessions. In the construction, the proposed scheme combines a sender authentication property with Liu et al.’s technique [13] to counter insiders’ attack. Therefore, only the authorized group manager (GM) can send broadcast messages, and a malicious insider cannot impersonate the group manager. The proposed scheme also reduces the size of the users’ private keys and achieves a constant-size broadcast message. Before describing the proposed scheme, we first define some notation.

4.1. Notations

Let $G_m$ be the communication group established by GM in the mth session, $GK_m$ be the session group key chosen by GM, and $SK_{i,m}$ be the private key of user $U_i$ in the mth session. When a user $U_i$ joins the group in the mth session ($U_i \in G_m$), he receives a private key $SK_{i,m}$ from GM. In any mth session, a user $U_v \in G_m$ can determine the session group key $GK_m$ and obtain the private key $SK_{v,m+1}$ for the (m+1)th session from the broadcast message $B_m$ and the private key $SK_{v,m}$. We denote the set of users who left the group in the mth session by $Rev_m$ and the set of users who joined the group in the mth session by $Join_m$. Hence, $G_m = (G_{m-1} \cup Join_m) \setminus Rev_m$. We assume that once a user is revoked he stays revoked.

4.2. Protocol description

We now present the ω-APKBE scheme. The ω-APKBE scheme consists of four algorithms: Setup, Registration, Encryption, and Decryption. The construction is as follows.

Let κ be a security parameter and $G, G_1$ be two groups of order q for a large prime q, where G is an additive group and $G_1$ is a multiplicative group. Let $e : G \times G \to G_1$ be an admissible bilinear map and $E_K(\cdot)$ be a strong symmetric encryption with symmetric key K. Let $sid_m$ denote the session index of the mth session. Let $H_1 : \{0,1\}^* \to G$, $H_2 : \{0,1\}^* \to \mathbb{Z}_q^*$, $H_3 : \{0,1\}^* \to \{0,1\}^\kappa$, and $H_4 : \{0,1\}^\kappa \to \{0,1\}^\kappa$ be strong one-way hash functions.

Setup: For an input κ, GM performs the following steps.

• Let P be a generator of G and t, ω be two integers.
• Choose a random value $\rho \in \mathbb{Z}_q^*$ and set ρP. The value ρ is the master secret key of GM.
• Choose a t-degree polynomial $f_1(x) = \sum_{j=0}^{t} a_j x^j$ for $a_j \in \mathbb{Z}_q$ and set $Q_1 = f_1(0)P$.
• The public key of the group manager is

$$PK = \{P, \rho P, G, G_1, H_1, H_2, H_3, H_4, E_K(\cdot)\}.$$

• To update the parameters for the (m+1)th session, GM chooses a random integer $z_m \in \mathbb{Z}_q^*$ and computes:

$$f_{m+1}(x) = f_m(x) + z_m \pmod q, \quad (1)$$

$$Q_{m+1} = f_{m+1}(0)P. \quad (2)$$

Registration: In the mth session, when a new user subscribes to the group $G_m$, GM performs the following steps.

• Assign the new member an identity $u \in \mathbb{Z}_q^*$ which has never been used.
• Assign a private key $SK_{u,m}$ for the mth session to the member $U_u$,

$$SK_{u,m} = \{\alpha_u P,\ \alpha_u f_m(u)P,\ (\alpha_u + \rho)Q_m\},$$

where $\alpha_u$ is a random integer from $\mathbb{Z}_q^*$.

Encryption: In the mth session, GM performs the following steps to distribute a session group key.

• Let $R_m$ ($|R_m| \le t$) be the set of users revoked during the ω+1 sessions in and before the mth session. If the number of revoked users is less than t, then GM adds $t - |R_m|$ dummy users $U_{d_1}, U_{d_2}, \ldots, U_{d_{t-|R_m|}}$ to the set $R_m$.
• Choose a session group key $GK_m$, an update value $z_m$, and ω+1 random values $T_{m,0}, T_{m,1}, \ldots, T_{m,\omega}$. GM sets

$$\beta_{m,i} = H_2\Big(T_{m,i} \,\|\, GK_m \,\|\, \sum_{j=m-i}^{m} z_j\Big) \quad \text{for } 0 \le i \le \omega.$$

• Choose random values $\sigma_{m,0}, \ldots, \sigma_{m,\omega} \in \mathbb{Z}_q^*$ and then compute $k_{m,i}, \delta_{m,i}, C_{m,i}, \lambda_{m,i}$ ($0 \le i \le \omega$), respectively:

$$k_{m,i} = e(P, \sigma_{m,i} H_1(sid_m)), \quad (3)$$

$$\delta_{m,i} = e(\rho P, \beta_{m,i} Q_{m-i}), \quad (4)$$

$$C_{m,i} = T_{m,i} \oplus H_3(\delta_{m,i} \,\|\, k_{m,i}), \quad (5)$$

$$\lambda_{m,i} = (\sigma_{m,i} - \rho H_2(C_{m,i})) H_1(sid_m). \quad (6)$$

• GM broadcasts $B_m = sid_m \,\|\, \Gamma^{asym}_{pk} \,\|\, \Gamma^{sym}$ as the header message, where, for $0 \le i \le \omega$,

$$\Gamma^{asym}_{pk} = \{\beta_{m,i}P,\ \lambda_{m,i},\ C_{m,i},\ \{(r, \beta_{m,i} f_{m-i}(r)P)\}_{r \in R_m}\},$$

$$\Gamma^{sym} = E_{H_4(T_{m,i})}\Big(GK_m,\ \sum_{j=m-i}^{m} z_j\Big).$$

Decryption: A privileged user $U_u$ in the mth session obtains the session group key $GK_m$ from $B_m$ by performing the following steps.

• Check the last updated private key $SK_{u,v}$, $v = m - \ell$ for some $0 \le \ell \le \omega$.
• Compute $e(\beta_{m,\ell}P, \alpha_u f_v(u)P) = e(P,P)^{\beta_{m,\ell}\alpha_u f_v(u)}$.
• Compute $e(\alpha_u P, \beta_{m,\ell} f_v(r)P) = e(P,P)^{\alpha_u \beta_{m,\ell} f_v(r)}$ for $r \in R_m$.
• Compute

$$e(P,P)^{\alpha_u \beta_{m,\ell} f_v(0)} = \prod_{j \in R_m \cup \{U_u\}} e(P,P)^{\alpha_u \beta_{m,\ell} f_v(j)\psi_j}, \quad (7)$$

where $\psi_j = \prod_{j' \in R_m \cup \{U_u\},\ j' \ne j} \frac{j'}{j' - j}$.

• Compute $\delta_{m,\ell}$:

$$\delta_{m,\ell} = \frac{e(\beta_{m,\ell}P, (\alpha_u + \rho)Q_v)}{e(P,P)^{\alpha_u \beta_{m,\ell} f_v(0)}} = \frac{e(\beta_{m,\ell}P, \alpha_u f_v(0)P) \cdot e(\beta_{m,\ell}P, \rho f_v(0)P)}{e(P,P)^{\alpha_u \beta_{m,\ell} f_v(0)}} = e(\beta_{m,\ell}P, \rho f_v(0)P) = e(\rho P, \beta_{m,\ell} Q_v). \quad (8)$$

• Get $S_m = H_1(sid_m)$ and compute

$$k_{m,\ell} = e(P, \lambda_{m,\ell}) \cdot e(\rho P, H_2(C_{m,\ell}) S_m) = e(P, (\sigma_{m,\ell} - \rho H_2(C_{m,\ell})) S_m) \cdot e(P, \rho H_2(C_{m,\ell}) S_m) = e(P, \sigma_{m,\ell} S_m). \quad (9)$$

• Get the value $T_{m,\ell}$ by computing $C_{m,\ell} \oplus H_3(\delta_{m,\ell} \,\|\, k_{m,\ell})$.
• Get the session group key $GK_m$ and the update value $\sum_{j=v}^{m} z_j$ by decrypting $E_{H_4(T_{m,\ell})}(GK_m, \sum_{j=v}^{m} z_j)$ with $T_{m,\ell}$.
• Compute $\beta'_{m,\ell} = H_2(T_{m,\ell} \,\|\, GK_m \,\|\, \sum_{j=v}^{m} z_j)$ and check $\beta_{m,\ell}P = \beta'_{m,\ell}P$. If not, reject the broadcast message; otherwise, accept the session group key $GK_m$ and the update value $\sum_{j=v}^{m} z_j$.
• Finally, update the private key $SK_{u,v}$ to $SK_{u,m+1}$ by computing:

$$\alpha_u f_{m+1}(u)P = \alpha_u\Big(\sum_{j=v}^{m} z_j + f_v(u)\Big)P = \Big(\sum_{j=v}^{m} z_j\Big)\alpha_u P + \alpha_u f_v(u)P, \quad (10)$$

$$(\alpha_u + \rho)Q_{m+1} = \alpha_u f_{m+1}(0)P + \rho f_{m+1}(0)P = \alpha_u\Big(f_v(0) + \sum_{j=v}^{m} z_j\Big)P + \rho\Big(f_v(0) + \sum_{j=v}^{m} z_j\Big)P = \Big(\sum_{j=v}^{m} z_j\Big)\cdot(\alpha_u P + \rho P) + \alpha_u f_v(0)P + \rho f_v(0)P = \Big(\sum_{j=v}^{m} z_j\Big)\cdot(\alpha_u P + \rho P) + (\alpha_u + \rho)Q_v. \quad (11)$$
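To make the revocation and key-update arithmetic of the Encryption and Decryption steps concrete, the following is an added Python example (not from the paper) that models only the exponent layer: the t-degree polynomial, the revocation set $R_m$ padded with dummy users, the Lagrange combination of Eq. (7), the ω-session stateless use of an older key, and the share update of Eq. (10). It assumes a constructed toy prime q and leaves out the pairing, the master secret ρ and the $H_2$ binding check, so it shows why a revoked user cannot interpolate $f_v(0)$ rather than the sender authentication itself.

```python
"""Exponent-level model of the polynomial layer of the omega-APKBE scheme.
Added illustration, not the paper's code. Group elements (alpha_u P, f_v(r)P)
and pairing values e(P,P)^{...} are not modelled: every step works on the
exponents in Z_q, which is the arithmetic a receiver performs when it raises
the pairing values of Eq. (7) to the Lagrange coefficients psi_j and
multiplies them. Q is a constructed toy prime; the paper uses 160-bit order.
"""
import random

Q = 2_147_483_647  # constructed modulus: 2^31 - 1, prime


def poly_eval(coeffs, x):
    """f(x) = sum_j a_j x^j over Z_q (Horner's rule)."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % Q
    return acc


def lagrange_at_zero(points):
    """sum_j f(j)*psi_j with psi_j = prod_{j' != j} j'/(j'-j), as in Eq. (7).
    Exact only with deg f + 1 distinct points: a revoked user, whose own point
    is already in R_m, holds only t points of a degree-t polynomial."""
    total = 0
    for j, fj in points:
        psi = 1
        for jp, _ in points:
            if jp != j:
                psi = psi * jp * pow(jp - j, -1, Q) % Q
        total = (total + fj * psi) % Q
    return total


class GroupManager:
    """Keeps the secret t-degree polynomial f_m and rolls it per session (Eq. 1)."""

    def __init__(self, t, omega, seed=0):
        self.t, self.omega, self.rng = t, omega, random.Random(seed)
        self.m = 1                                   # current session index
        self.polys = {1: [self.rng.randrange(1, Q) for _ in range(t + 1)]}
        self.z, self.rev = {}, {}                    # z_m and Rev_m per session

    def register(self, u):
        """Registration: share (m, u, f_m(u)), standing for alpha_u f_m(u)P."""
        return (self.m, u, poly_eval(self.polys[self.m], u))

    def revocation_set(self):
        """R_m = Rev_m U ... U Rev_{m-omega}, padded with dummy ids to exactly t."""
        R = set()
        for s in range(max(1, self.m - self.omega), self.m + 1):
            R |= self.rev.get(s, set())
        if len(R) > self.t:
            raise ValueError("more than t revocations within omega+1 sessions")
        while len(R) < self.t:                       # dummy users U_{d_1}, ...
            R.add(self.rng.randrange(1 << 20, Q))
        return sorted(R)

    def broadcast(self, revoke=()):
        """Encryption: for each v = m-i, 0 <= i <= omega, publish (r, f_v(r)) for
        r in R_m and the update sum z_v + ... + z_m; then advance to session m+1."""
        m = self.m
        self.rev[m] = set(revoke)
        R = self.revocation_set()
        self.z[m] = self.rng.randrange(1, Q)
        points, zsum = {}, {}
        for v in range(max(1, m - self.omega), m + 1):
            points[v] = [(r, poly_eval(self.polys[v], r)) for r in R]
            zsum[v] = sum(self.z[j] for j in range(v, m + 1)) % Q
        nxt = list(self.polys[m])
        nxt[0] = (nxt[0] + self.z[m]) % Q           # f_{m+1}(x) = f_m(x) + z_m
        self.polys[m + 1] = nxt
        self.m = m + 1
        return {"m": m, "points": points, "zsum": zsum}


def recover(share, hdr):
    """Decryption, Eqs. (7) and (10): combine the user's own point with the t
    published points of its key's session v, then roll the share forward to
    f_{m+1}(u) = f_v(u) + sum_{j=v}^{m} z_j. Returns (f_v(0) as seen, new share)."""
    v, u, fu = share
    if v not in hdr["points"]:
        raise ValueError("key older than omega sessions; cannot decrypt")
    pts = dict(hdr["points"][v])
    pts[u] = fu                                      # adds no new point if u is revoked
    new_share = (hdr["m"] + 1, u, (fu + hdr["zsum"][v]) % Q)
    return lagrange_at_zero(list(pts.items())), new_share


def demo():
    """Constructed run: t = 3, omega = 1, users 5..8, user 6 revoked in session 1."""
    gm = GroupManager(t=3, omega=1, seed=7)
    sh = {u: gm.register(u) for u in (5, 6, 7, 8)}
    h1 = gm.broadcast(revoke=[6])
    got5, sh[5] = recover(sh[5], h1)                 # legitimate user, current key
    got6, _ = recover(sh[6], h1)                     # revoked user, same header
    h2 = gm.broadcast()
    got5b, _ = recover(sh[5], h2)                    # rolled-forward key, session 2
    got7, _ = recover(sh[7], h2)                     # missed session 1, stale key
    return {
        "legit": got5 == gm.polys[1][0],
        "revoked": got6 == gm.polys[1][0],
        "key_update": sh[5][2] == poly_eval(gm.polys[2], 5) and got5b == gm.polys[2][0],
        "stateless": got7 == gm.polys[1][0],
    }
```

`demo()` returns `{"legit": True, "revoked": False, "key_update": True, "stateless": True}`: the revoked user's t points determine only a degree-(t−1) interpolant, whose value at 0 differs from $f_v(0)$ by $-a_t\prod_j j \ne 0$, and a key older than ω sessions has no published points to combine with.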

Table 1. Comparison among public key broadcast encryption schemes.

Scheme              Header                   Public key   Private key
BGW-I [2]           O(1)                     O(N)         O(1)
BGW-II [2]          O(√N)                    O(√N)        O(1)
BE-PI [13]          O(r + 2)                 O(1)         O(log N)
Selvi et al. [11]   O(S + 2)                 O(1)         O(1)
ω-APKBE             O((ω + 1) · (t + 4))     O(1)         O(1)

N, r, and S are the number of total users, revoked users, and receivers, respectively; ω is the stateless duration, and t is the threshold.

[Fig. 1. Communication overhead. (a) Communication overhead upon changing the revoked users. (b) Communication overhead upon changing the receivers.]

4.3. Efficiency

The proposed ω-APKBE scheme uses secret t-degree polynomials $f_m(x)$ which are updated at every session. Hence, the session information of the ω+1 sessions in and before the current session must be broadcast for the ω-session stateless property. But the proposed scheme has a constant-size broadcast message O((ω+1)·(t+4)) since ω and t are fixed in the setup stage. Therefore, the proposed scheme is independent of the number of revoked users. We compare the proposed scheme with the previous ones in Table 1.

The proposed scheme also has flexibility in user revocation. In previous schemes based on a secret polynomial [8,13,17], when users join the group, they receive private keys for all future sessions from the group manager. Therefore, in order to revoke users forever, the group manager must accumulate the identities of all users revoked in and before the current session. That is, the revocation set $R_m$ in the mth session is the union of all previous subsets, i.e., $R_m = Rev_1 \cup \cdots \cup Rev_m$. In the proposed scheme, however, the group manager only accumulates the identities of users revoked during the ω+1 sessions in and before the current session. Because the secret polynomial $f_m(x)$ changes at every session, private keys older than ω sessions are unusable in the current session. Hence, the revocation set $R_m$ in the mth session is the union of the ω previous sessions and the current session, i.e., $R_m = Rev_m \cup Rev_{m-1} \cup \cdots \cup Rev_{m-\omega}$. Therefore, the proposed scheme is more efficient than the previous schemes for groups with dynamic membership changes.

In the decryption algorithm, users use the public key ρP of the group manager to compute $k_{m,\ell}$ and authenticate the broadcast messages by verifying $\beta'_{m,\ell}P = \beta_{m,\ell}P$, where $\beta'_{m,\ell} = H_2(T_{m,\ell} \,\|\, GK_m \,\|\, \sum_{j=v}^{m} z_j)$. Hence, users can verify that the broadcast message originated from the correct group manager. For inside attackers to forge a broadcast message, they would need the secret key ρ, which is the group manager’s master secret key. But since only the authorized group manager knows the secret key ρ, the attackers cannot produce any valid broadcast message.

We compare the communication overhead of several schemes in Table 1. In order to properly estimate the cost of the schemes, we used the pairing implementation results available in the PBC library [22]. We set the simulation parameters as follows: an elliptic curve E over a finite field $\mathbb{F}_p$ with embedding degree k = 2, where the prime is $p \approx 2^{512}$, a group G of 160-bit size, and a group $G_1$ of 1024-bit size. In the simulation, we considered only the size of the ciphertext attached to the header of the broadcast message, since the ciphertext size is the main factor of the communication overhead in broadcast encryption. In order to simplify the environment across the schemes, we assume that the number of revoked users is the total number of users revoked in all sessions, and that the remaining users are the receivers of the broadcast messages. In Fig. 1, we can see that BGW-II [2] performs well in general. However, BGW-II does not provide the sender authentication property. We can also see in Fig. 1 that the proposed ω-APKBE scheme has a constant size regardless of the numbers of revoked users and receivers. Even though Selvi et al.’s scheme [11] supports the sender authentication property, our scheme has a smaller ciphertext size than Selvi et al.’s scheme in terms of both the revoked users and the receivers. In particular, the communication overhead of Selvi et al.’s scheme grows with the number of receivers (see Fig. 1(b)). As for the BE-PI scheme [13], our scheme adopts the basic concept of collusion resistance from the BE-PI scheme. However, the communication overhead of the BE-PI scheme grows with the number of revoked users, whereas the proposed scheme remains constant (see Fig. 1(a)). Hence, our scheme has less communication overhead than the BE-PI scheme in environments with many revoked users.


5. Security analysis

In this section, we show that the proposed ω-APKBE scheme is IND-CCA secure in the random oracle model. The proposed scheme has the hybrid encryption form $\Gamma^{hy}_{pk} = \Gamma^{asym}_{pk} \,\|\, \Gamma^{sym}$ as in [18], where $\Gamma^{asym}_{pk}$ is a public key broadcast encryption form and $\Gamma^{sym}$ is a symmetric encryption form. Hence, we first show that the scheme $\Gamma^{asym}_{pk}$ has OW-CPA security and then transform it to have IND-CCA security through the Fujisaki–Okamoto transformation [18] under the assumption that $E_K(\cdot)$ is FG-secure. As indicated in [18], the transformation applies to a public key encryption scheme, while the proposed scheme is a public key broadcast encryption scheme. However, a public key broadcast encryption scheme can be seen as a special form of public key encryption with public key pk = (PK, S) and multiple private keys $SK_u$, $u \in S$, if the authorized set S is fixed [13]. Now, we show that $\Gamma^{asym}_{pk}$ is OW-CPA secure.

Theorem 1. Let G be a bilinear group with prime order q. The proposed $\Gamma^{asym}_{pk}$ is $(t - t', \epsilon)$-OW-CPA secure assuming the $(t, \epsilon)$-BDHP assumption holds in G. Here, t′ is some polynomially bounded time.

Proof. Suppose there is an adversary A who can break the system $\Gamma^{asym}_{pk}$ with probability ϵ. We build an algorithm B that has advantage ϵ in solving the BDHP. We assume that B is allowed to control the external network for the mth session. Let $R_m = \{U_1, U_2, \ldots, U_t\}$ be the set of revoked users and the target attack set be $S = U \setminus R_m$, where U is the set of users in the system $\Gamma^{asym}_{pk}$. Actually, the target set S is chosen by the adversary A in the initialization stage. Algorithm B takes as input the BDH challenge (P, aP, bP, cP), where $a, b, c \in \mathbb{Z}_q^*$ are random values and P is a generator of the group G. Algorithm B sets up the system $\Gamma^{asym}_{pk}$, in particular for the mth session, as follows:

• Init: Algorithm B runs A and receives the set S on which A wants to be challenged.
• Setup: To generate a public key PK and the private keys $SK_i$ for $i \notin S$, algorithm B chooses random values $\theta, \mu_1, \ldots, \mu_t, \nu_1, \ldots, \nu_t, z_1, \ldots, z_\omega$ from $\mathbb{Z}_q^*$ and sets $\rho P = aP$. The public key PK is

$$\{P, \rho P, G, G_1, H_1, H_2, H_3, E(\cdot)\}.$$

Next, algorithm B computes the following parameters implicitly.
– Set $f_m(u) = \nu_u$ for $U_u \in R_m$ and compute $f_m(0)P = \theta P + bP = (\theta + b)P$.
– Compute, for $1 \le \ell \le \omega$,
  ∗ $f_{m-\ell}(u) = f_m(u) - \sum_{i=1}^{\ell} z_i = \nu_u - \sum_{i=1}^{\ell} z_i$,
  ∗ $f_{m-\ell}(0)P = f_m(0)P - \big(\sum_{i=1}^{\ell} z_i\big)P = \big(\theta + b - \sum_{i=1}^{\ell} z_i\big)P$.
– Set $Q_{m-\ell} = f_{m-\ell}(0)P$ for $0 \le \ell \le \omega$.
Algorithm B computes ω+1 private keys per revoked user $U_u$ as follows.
– Compute $\alpha_u P = \mu_u P - aP = (\mu_u - a)P$.
– Compute, for $0 \le \ell \le \omega$,

$$(\alpha_u + \rho)Q_{m-\ell} = \alpha_u Q_{m-\ell} + \rho Q_{m-\ell} = (\mu_u - a)\Big(\theta + b - \sum_{i=1}^{\ell} z_i\Big)P + a\Big(\theta + b - \sum_{i=1}^{\ell} z_i\Big)P = \mu_u\Big(\theta + b - \sum_{i=1}^{\ell} z_i\Big)P = \mu_u\theta P + \mu_u bP - \mu_u\Big(\sum_{i=1}^{\ell} z_i\Big)P. \quad (12)$$

– The set of private keys for $U_u \in R_m$ is as follows, for $0 \le \ell \le \omega$: $SK_{u,m-\ell} = \{\alpha_u P,\ \alpha_u f_{m-\ell}(u)P,\ (\alpha_u + \rho)Q_{m-\ell}\}$.

• Challenge: B sets $sid_m$ as the session index and chooses $\tau_0, \ldots, \tau_\omega$ from $\mathbb{Z}_q^*$. It computes $\beta_{m,\ell}P = cP - \tau_\ell P = (c - \tau_\ell)P$ for $0 \le \ell \le \omega$ and computes $\beta_{m,\ell} f_{m-\ell}(u)P = f_{m-\ell}(u)(c - \tau_\ell)P$ for $U_u \in R_m$, $0 \le \ell \le \omega$. Finally, algorithm B chooses $\omega + 1$ random values $\xi_\ell, \zeta_\ell$, $0 \le \ell \le \omega$, instead of $\lambda_{m,\ell}, C_{m,\ell}$. B gives the message $sid_m \| \Gamma^{asym}_{pk}$ to $A_1$,

$$\Gamma^{asym}_{pk} = \{\beta_{m,\ell}P,\ \xi_\ell,\ \zeta_\ell,\ \{(u, \beta_{m,\ell} f_{m-\ell}(u)P)\}_{u \in R_m}\}_{0 \le \ell \le \omega}.$$

• Guess: Adversary A outputs a guessed $\delta_{m,\ell}$ for some $\ell$.

Algorithm B can solve the BDHP using $\delta_{m,\ell}$ as follows.

$$\begin{aligned}
&\delta_{m,\ell} \cdot e(aP, \beta_{m,\ell}P)^{-(\theta - \sum_{i=1}^{\ell} z_i)} \cdot e(aP, bP)^{\tau_\ell} \\
&= e(\rho P, \beta_{m,\ell} Q_{m-\ell}) \cdot e(aP, \beta_{m,\ell}P)^{-(\theta - \sum_{i=1}^{\ell} z_i)} \cdot e(aP, bP)^{\tau_\ell} \\
&= e(P, P)^{abc - ab\tau_\ell + a(c - \tau_\ell)(\theta - \sum_{i=1}^{\ell} z_i) - a(c - \tau_\ell)(\theta - \sum_{i=1}^{\ell} z_i) + ab\tau_\ell} \\
&= e(P, P)^{abc}. \qquad (13)
\end{aligned}$$


Since $\nu_u, z_i$ are randomly selected from $\mathbb{Z}_q^*$, the polynomials $f_{m-\ell}(u)$ are random values over $\mathbb{Z}_q^*$. Hence, $f_{m-\ell}(u)P$ is uniformly distributed over G. $\beta_{m,\ell}P$ is uniformly random over G since it is set from the given cP and random $\tau_\ell$. Since $T_{m,0}, \ldots, T_{m,\omega}$ in the protocol are randomly chosen values, $C_{m,\ell}$ and $\lambda_{m,\ell}$ are uniformly distributed over G. Hence, we can set those values as random values $\xi_\ell, \zeta_\ell$. Therefore, the message $\Gamma^{asym}_{pk}$ built by B is indistinguishable from original broadcast messages. Assume that the adversary A can compute $\delta_{m,\ell}$ for some $\ell$ ($0 \le \ell \le \omega$) with advantage $\epsilon$. Then the algorithm B has advantage at least $\epsilon$ in solving the BDHP in G. Let $t'$ be the time to set up the system $\Gamma^{asym}_{pk}$ for the reduction and compute Eq. (13). Then the time $t'$ is polynomially bounded and the attack on the system $\Gamma^{asym}_{pk}$ takes $t - t'$ time. □

Next, we prove that the ω-APKBE scheme has IND-CCA security. Before proving the IND-CCA security, we need to check that $\Gamma^{asym}_{pk}$ has the γ-uniformity property [18]. For a given fixed authorized target set S, we can view $\Gamma^{asym}_{pk}$ as a public key encryption scheme with public key $pk = (PK, S)$ and private key $sk = SK_u$ for user $U_u \in S$. Since the given values $T_\ell$ ($0 \le \ell \le \omega$) are random, we know that for random $y_\ell \in \{0,1\}^*$ ($0 \le \ell \le \omega$), $\Pr[\Gamma^{asym}_{pk} = y] \le 2^{-(\omega+1)\kappa}$, where $y = y_0 \| \cdots \| y_\omega$ and κ is the given security parameter.

Theorem 2. Assume that the BDHP is $(t_1, \epsilon_1)$-hard and the symmetric encryption $E_K(\cdot)$ is $(t_2, \epsilon_2)$-FG-secure. Let $q_{h_2}, q_{h_4}, q_D$ be the number of queries to $H_2$, $H_4$, and the decryption oracle, respectively. Let $\ell_1, \ell_2$ be the size of plaintext in $\Gamma^{asym}_{pk}$, $\Gamma^{sym}$, respectively. Then the ω-APKBE scheme is $(t, q_{h_2}, q_{h_4}, q_D, \epsilon)$-secure in the sense of IND-CCA in the random oracle model, where

$$t = \min(t_1 - t', t_2) - O\big((q_{h_2} + q_{h_4}) \cdot (\ell_1 + \ell_2)\big),$$

$$\epsilon = \big(2(q_{h_2} + q_{h_4})\epsilon_1 + (\omega + 1)\epsilon_2 + 1\big) \cdot \big(1 - 2\epsilon_1 - 2(\omega + 1)\epsilon_2 - 2^{-(\omega+1)\kappa} - 2^{\ell_2}\big)^{-q_D} - 1,$$

and $t'$ is some polynomially bounded time.

Proof. From Theorem 1, we know that the system $\Gamma^{asym}_{pk}$ is $(t_1 - t', \epsilon_1)$-OW-CPA secure. We also see that $\Gamma^{asym}_{pk}$ is $2^{-(\omega+1)\kappa}$-uniform. For the system $\Gamma^{sym}$, it is easy to see that $\Gamma^{sym}$ is $(t_2, (\omega + 1)\epsilon_2)$-FG-secure because $\Gamma^{sym}$ consists of $\omega + 1$ symmetric encryptions $E_k(\cdot)$. Hence, Theorem 2 holds through the Fujisaki–Okamoto transformation [18]. Here, $t'$ is the time to set up the system $\Gamma^{asym}_{pk}$ for the reduction and compute Eq. (13). □

We showed in Theorem 2 that the proposed scheme has IND-CCA security against outside attackers. However, in broadcast encryption, malicious insiders are more dangerous than outside attackers. Here, we show that the proposed ω-APKBE scheme is also secure against inside attackers.

Theorem 3. If there exists an inside attacker A who holds a private key $SK_A$ and can output the broadcaster's secret key ρ through the given ω-APKBE scheme with probability $\epsilon$, then we can use this attacker to solve the DLP with the same probability $\epsilon$ in the random oracle model.

Proof. Assume that an adversary A can break the given ω-APKBE scheme with probability $\epsilon$. Then we can build an algorithm B which can break the DLP. The algorithm B simulates the random oracle $O_{H_1}$ for the one-way hash function $H_1$. The oracle returns random values. Therefore, to maintain consistency, B maintains a list $L_1 = \langle in^1_i, out^1_i \rangle$. We assume that B can control the given ω-APKBE scheme. Let $R_m = \{U_1, U_2, \ldots, U_t\}$ be the set of revoked users. The algorithm B takes as input the DLP challenge $(P, aP)$, where $a \in \mathbb{Z}_q^*$ is random and P is a generator of group G. The algorithm B sets up the ω-APKBE scheme Γ as follows.

Algorithm B chooses a random $b \in \mathbb{Z}_q^*$ and sets $\rho P = b^{-1}aP$. Then it builds the system Γ with the same parameters as in Section 4.2. The public key is

$$PK = \{P, \rho P, G, G_1, O_{H_1}, H_2, H_3, H_4, E(\cdot)\}.$$

In the m-th session, algorithm B makes a broadcast header. B chooses a session group key $GK_m$, an update value $z_m$, and $\omega + 1$ random values $T_{m,0}, T_{m,1}, \ldots, T_{m,\omega}$. Then B computes $\beta_{m,i} = H_2\big(T_{m,i} \| GK_m \| \sum_{j=m-i}^{m} z_j\big)$ for $0 \le i \le \omega$.

For the oracle $O_{H_1}(sid_m)$, B checks if there exists a tuple $(sid_m, h_m)$ in $L_1$. If such a tuple exists, B returns $h_m$. Otherwise, B chooses a random $\mu \in \mathbb{Z}_q^*$, sets $h_m = (b + \mu)P$, adds the tuple $(sid_m, h_m)$ to $L_1$ and returns $h_m$.

Algorithm B chooses random values $\sigma_{m,0}, \ldots, \sigma_{m,\omega}$ from $\mathbb{Z}_q^*$ and computes $k_{m,i}, \delta_{m,i}, C_{m,i}, \lambda_{m,i}$ ($0 \le i \le \omega$), respectively, as

$$k_{m,i} = e(P, \sigma_{m,i} H_1(sid_m)), \qquad (14)$$

$$\delta_{m,i} = e(\rho P, \beta_{m,i} Q_{m-i}), \qquad (15)$$

$$C_{m,i} = T_{m,i} \oplus H_3(\delta_{m,i} \| k_{m,i}), \qquad (16)$$

$$\lambda_{m,i} = \sigma_{m,i}(b + \mu)P - H_2(C_{m,i})(1 + b^{-1}\mu)aP. \qquad (17)$$

Finally, algorithm B gives $sid_m \| \Gamma^{asym}_{pk} \| \Gamma^{sym}$ to A,

$$\Gamma^{asym}_{pk} = \{\beta_{m,i}P,\ \lambda_{m,i},\ C_{m,i},\ \{(r, \beta_{m,i} f_{m-i}(r)P)\}_{r \in R_m}\}_{0 \le i \le \omega},$$

$$\Gamma^{sym} = \Big\{E_{H_4(T_{m,i})}\Big(GK_m,\ \sum_{j=m-i}^{m} z_j\Big)\Big\}_{0 \le i \le \omega}.$$


Since $\sigma_{m,i}$ and µ are random values, $C_{m,i}$ and $\lambda_{m,i}$ are uniformly distributed over G. Therefore, the broadcast header message generated by B is indistinguishable to the group members. Given the broadcast header message, adversary A can decrypt it with his private key $SK_A$ and return the secret key ρ of the broadcaster. Since the adversary A can return the secret key ρ with probability $\epsilon$, B can solve the DLP with the same probability $\epsilon$ as follows:

$$b \cdot \rho = b \cdot b^{-1}a = a. \qquad □$$
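As an added check that is not part of the paper, the following Python script replays the simulator's arithmetic from the proof of Theorem 1 (Eqs. (12) and (13)) and the final extraction step of Theorem 3 at the exponent level: each group element $xP$ is represented by its scalar $x$ modulo a constructed prime Q, and each pairing value $e(xP, yP)$ by the exponent $xy$. The prime Q, the sampled scalars and the function names are assumptions made for this check only.

```python
"""Exponent-level check of the simulator algebra in the proofs of Theorems 1 and 3
(added example, not the paper's code). A group element xP is modelled by the scalar
x mod Q and a pairing value e(xP, yP) = e(P, P)^{xy} by the exponent xy mod Q, so
multiplying pairing values adds exponents. Q and all sampled values are constructed."""
import secrets

Q = (1 << 61) - 1  # a prime standing in for the group order q (constructed choice)

def private_key_entry(a, b, theta, zs, mu_u):
    """Eq. (12): B knows mu_u, theta, the z_i and bP but neither a nor b, yet must
    output (alpha_u + rho) Q_{m-l}. Returns (direct value, what B can compute)."""
    sz = sum(zs) % Q                      # sum_{i=1}^{l} z_i
    f0 = (theta + b - sz) % Q             # f_{m-l}(0), so Q_{m-l} = f0 * P
    alpha_u, rho = (mu_u - a) % Q, a      # alpha_u P = mu_u P - aP, rho P = aP
    direct = (alpha_u + rho) * f0 % Q
    simulated = (mu_u * theta + mu_u * b - mu_u * sz) % Q  # from theta P, bP, z_i P
    return direct, simulated

def solve_bdh_from_delta(a, b, c, theta, zs, tau):
    """Eq. (13): given delta_{m,l} = e(rho P, beta_{m,l} Q_{m-l}) from the adversary,
    B multiplies in two pairings it can compute itself. Returns the exponent of the
    result, which must equal a*b*c, i.e. the BDH solution e(P, P)^{abc}."""
    sz = sum(zs) % Q
    f0 = (theta + b - sz) % Q
    beta = (c - tau) % Q                  # beta_{m,l} P = cP - tau P
    delta = a * beta * f0 % Q             # exponent of e(aP, beta Q_{m-l})
    # delta * e(aP, beta P)^{-(theta - sz)} * e(aP, bP)^{tau}
    return (delta - a * beta * (theta - sz) + a * b * tau) % Q

def extract_dlog(a, b):
    """Theorem 3: B set rho P = b^{-1} aP; if the insider returns rho, b*rho = a."""
    rho = pow(b, -1, Q) * a % Q           # the value the insider hands back
    return b * rho % Q

def random_instance(l=3):
    """Constructed BDH/DLP instance together with the simulator's random choices."""
    def r():
        return secrets.randbelow(Q - 1) + 1  # uniform in Z_q^*
    return dict(a=r(), b=r(), c=r(), theta=r(), zs=[r() for _ in range(l)],
                tau=r(), mu_u=r())

if __name__ == "__main__":
    i = random_instance()
    d, s = private_key_entry(i["a"], i["b"], i["theta"], i["zs"], i["mu_u"])
    bdh = solve_bdh_from_delta(i["a"], i["b"], i["c"], i["theta"], i["zs"], i["tau"])
    assert d == s and bdh == i["a"] * i["b"] * i["c"] % Q
    assert extract_dlog(i["a"], i["b"]) == i["a"]
    print("simulator algebra of Eqs. (12), (13) and Theorem 3 checks out")
```

The check only validates the algebraic identities the reductions rely on; it says nothing about the hardness of BDHP or DLP in a real pairing group.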

6. Application

The proposed ω-APKBE scheme can be used for several applications. In particular, the Pay-TV broadcasting system is one of the interesting applications. The Pay-TV system broadcasts encrypted contents so that only subscribers can watch the multimedia contents, while nonsubscribers cannot watch the contents even though they can receive them. For secure contents broadcasting, a contents provider and subscribers should share a secret key which is used for decrypting the encrypted contents. The contents provider can use the ω-APKBE scheme to share the secret key. The provider can broadcast the ω-APKBE message, which contains the secret key, through the information channel or the header of the encrypted multimedia contents.

For ω-APKBE message distribution in the Pay-TV system, we can approximate the communication cost and the computation cost. Suppose we set up the broadcast encryption system per Pay-TV channel. Then each channel can be identified by its public key. We assume that the average number of subscribers is n = 100,000 per channel and the maximum number of revoked members per session is 500, which is 0.5% of the subscribers in each channel. We set the session time in ω-APKBE to 24 h. That is, a session changes every day and the content provider updates a channel's secret key every day. We set ω = 10 for stateless receivers and the degree of the secret polynomials t = 5000 in the ω-APKBE scheme. We construct the ω-APKBE scheme over a 512 bit finite field. Then the size of the broadcast message becomes approximately 3200 kB, which is not so costly in the current Pay-TV broadcasting system or in wireless communication. In terms of computation cost, the most computationally intensive operation in the proposed scheme is the calculation of a pairing function. The approximate computation time of a pairing function is 41 ms on a Pentium III computer [23]. In the proposed scheme, subscribers need at least 5000 bilinear pairing operations. Hence, the estimated computation cost for bilinear pairings is 205 s (=3.4 min). Hence, when the contents provider distributes a new secret key, the subscribers can retrieve the new secret key for seamless communication by running the ω-APKBE scheme during advertising time or sleeping time.

7. Conclusion

It is obvious that broadcast encryption is one of the important technologies in broadcast communication. Broadcast encryption schemes should provide broadcast senders and receivers with confidentiality and authentication. In this paper, we proposed an efficient authenticated broadcast encryption scheme called ω-APKBE. The proposed scheme offers both the confidentiality and the authentication properties through sender authentication and secure encryption. In particular, the proposed scheme is secure against the insiders' attack. The proposed scheme has a constant size broadcast message $O((\omega + 1)(t + 4))$, which is independent of the number of revoked members. We showed that the proposed scheme is IND-CCA secure through the Fujisaki–Okamoto transformation. Hence, the proposed scheme is adaptable for dynamic groups in terms of broadcast message size and user revocation strategy.

Acknowledgement

This work was supported by the Agency for Defense Development under contract UD090059ED.

References

[1] C. Blundo, P. D'Arco, A. De Santis, M. Listo, Design of self-healing key distribution schemes, Designs, Codes and Cryptography 32 (2004) 15–44.
[2] D. Boneh, C. Gentry, Collusion resistant broadcast encryption with short ciphertexts and private keys, in: Advances in Cryptology-CRYPTO 2005, LNCS, vol. 3621, Springer-Verlag, 2005, pp. 258–275.
[3] C. Blundo, P. D'Arco, A. De Santis, Definitions and bounds for self-healing key distribution schemes, in: Automata, Languages and Programming: 31st International Colloquium (ICALP 2004), LNCS, vol. 3142, Springer-Verlag, 2004, pp. 234–245.
[4] Y. Dodis, N. Fazio, Public key broadcast encryption for stateless receivers, in: DRM Workshop 2002, LNCS, vol. 2696, Springer-Verlag, 2002, pp. 61–80.
[5] A. Fiat, M. Naor, Broadcast encryption, in: Advances in Cryptology-CRYPTO 1993, LNCS, vol. 773, Springer-Verlag, 1994, pp. 480–491.
[6] D. Halevy, A. Shamir, The LSD broadcast encryption scheme, in: Advances in Cryptology-CRYPTO 2002, LNCS, vol. 2442, Springer-Verlag, 2002, pp. 47–60.
[7] M.J. Mihaljevic, M.P.C. Fossorier, H. Imai, A novel broadcast encryption based on time-bound cryptographic keys, in: DRMTICS 2005, pp. 258–276.
[8] M. Naor, B. Pinkas, Efficient trace and revoke schemes, in: FC 2000, LNCS, vol. 1962, Springer-Verlag, 2001, pp. 1–20.
[9] D. Naor, M. Naor, J. Lotspiech, Revocation and tracing schemes for stateless receivers, in: Advances in Cryptology-CRYPTO 2001, LNCS, vol. 2139, Springer-Verlag, 2001, pp. 41–62.
[10] Y. Mu, W. Susilo, Y. Lin, C. Ruan, Identity-based authenticated broadcast encryption and distributed authenticated encryption, in: Proc. of Ninth Asian Computing Science Conference (ASIAN 2004), LNCS, vol. 3321, Springer-Verlag, 2004, pp. 169–181.


[11] S.S.D. Selvi, S.S. Vivek, R. Gopalakrishnan, N.N. Karuturi, C.P. Rangan, Provably secure ID-based broadcast signcryption (IBBSC) scheme, Cryptology ePrint Archive, Report 2008/225, 2008, http://eprint.iacr.org.
[12] C.H. Tan, J.C.M. Teo, J. Amundsen, Authenticated broadcast encryption scheme, in: 21st International Conference on Advanced Information Networking and Applications Workshops, AINAW'07, 2007, pp. 512–518.
[13] Y. Liu, W.-G. Tzeng, Public key broadcast encryption with low number of keys and constant decryption time, in: The 11th International Workshop on Practice and Theory in Public Key Cryptography, LNCS, vol. 4939, 2008, pp. 380–396.
[14] D. Liu, P. Ning, K. Sun, Efficient self-healing group key distribution with revocation capability, in: Proceedings of the 10th ACM Conference on Computer and Communications Security, October 27–31, 2003.
[15] S. More, M. Malkin, J. Staddon, D. Balfanz, Sliding-window self-healing key distribution, in: ACM Workshop on Survivable and Self-Regenerative Systems, 2003.
[16] J. Staddon, S. Miner, M. Franklin, D. Balfanz, M. Malkin, D. Dean, Self-healing key distribution with revocation, in: Proceedings of IEEE Symposium on Security and Privacy, 2002, pp. 241–257.
[17] E.S. Yoo, N.S. Jho, J.H. Cheon, M.H. Kim, Efficient broadcast encryption using multiple interpolation methods, in: ICISC 2004, LNCS, vol. 3506, Springer-Verlag, 2005, pp. 87–103.
[18] E. Fujisaki, T. Okamoto, Secure integration of asymmetric and symmetric encryption schemes, in: Advances in Cryptology-CRYPTO 1999, LNCS, vol. 1666, Springer-Verlag, 1999, pp. 537–554.
[19] P. Yang, T. Kitagawa, G. Hanaoka, R. Zhang, K. Matsuura, H. Imai, Applying Fujisaki–Okamoto to identity-based encryption, in: AAECC 2006, pp. 183–192.
[20] J. Birkett, A.W. Dent, Relations among notions of plaintext awareness, in: The 11th International Workshop on Practice and Theory in Public Key Cryptography, LNCS, vol. 4939, Springer-Verlag, 2008, pp. 47–64.
[21] D. Boneh, M. Franklin, Identity-based encryption from the Weil pairing, SIAM Journal on Computing 32 (3) (2003) 586–615.
[22] The Pairing-Based Cryptography Library, http://crypto.stanford.edu/pbc/.
[23] G.M. Bertoni, L. Chen, P. Fragneto, K.A. Harrison, G. Pelosi, Computing Tate pairing on smartcards, 2005, http://www.st.com/stonline/products/families/smartcard/ches2005v4.pdf.