Outsider-Anonymous Broadcast Encryption with Sublinear Ciphertexts
Lecture Notes in Computer Science
In the standard setting of broadcast encryption, information about the receivers is transmitted as part of the ciphertext. In several broadcast scenarios, however, the identities of the users authorized to access the content are often as sensitive as the content itself. In this paper, we propose the first broadcast encryption scheme with sublinear ciphertexts to attain meaningful guarantees of receiver anonymity. We formalize the notion of outsider-anonymous broadcast encryption (oABE), and
... ribe generic constructions in the standard model that achieve outsider-anonymity under adaptive corruptions in the chosen-plaintext and chosen-ciphertext settings. We also describe two constructions with enhanced decryption, one under the gap Diffie-Hellman assumption, in the random oracle model, and the other under the decisional Diffie-Hellman assumption, in the standard model.

... media, to managing digital subscriptions to satellite TV, to controlling access in encrypted file systems. Thanks to its versatility, broadcast encryption has received a lot of attention from the crypto research community in recent years (see e.g., [9, 11, 16-19, 21, 23, 24, 28]). The quest, however, has been for ever more efficient solutions in terms of broadcast communication, key storage and encryption/decryption running time. Little attention, instead, has been devoted to the exploration of refined security models that accurately account for the requirements inherent in multi-recipient communication. More specifically, the focus has been on providing assurance for sender-oriented properties, while overlooking the security and privacy concerns of the receivers.

One problem with the above (informal) definition of broadcast encryption is the implicit requirement that, whenever the digital content is encrypted and sent in broadcast, information about the set of authorized receivers is necessary to decrypt it correctly. Therefore, the set of authorized receivers is transmitted as part of the ciphertext. This in particular implies that an eavesdropper, even if unable to recover the message, can still easily discover the identities of the actual receivers of the content. A way to address the privacy implications that result from specifying explicitly the set of authorized receivers in the broadcast is to use ephemeral IDs and to keep secret the table that associates such IDs with the actual receivers.
This simple solution, however, would at best result in a pseudonym system, in which it is still possible to link pseudonyms across transmissions and determine whether the same entity is an authorized receiver for two different broadcasts.

Anonymous Broadcast Encryption. An interesting variant of the broadcast encryption setting was proposed by Barth et al. in . Therein, the authors introduce the notion of private broadcast encryption scheme, explicitly aiming to protect the identities of the receivers. As a proof-of-concept, they also suggest both generic and number-theoretic public-key constructions that do not leak any information about the list of authorized receivers, and are secure in the standard model and in the random oracle model, respectively. The proposed schemes, however, have communication complexity linear in the number of recipients. In , Libert et al. recently suggested proof techniques to argue the security of (a variant of) the number-theoretic construction of without reliance on random oracles, thus attaining anonymous broadcast encryption with efficient decryption in the standard model. Still, ciphertexts in the resulting construction have length linear in the number of recipients. Krzywiecki et al. presented a private public-key broadcast encryption scheme with communication complexity proportional to the number of revoked users . The security analysis of the proposed solution is rather informal, however, so the security guarantees are at best heuristic. In , Yu et al. presented the first secret-key multicast scheme with membership anonymity and communication complexity independent of the number of receivers. The proposed scheme hides not only the identities of the receivers, but also the number of users allowed to receive the content. A shortcoming is that only a single user can be revoked for each broadcast. A promising research line toward practical receiver-anonymous broadcast encryption has recently been started by Jarecki and Liu .
The authors propose the first construction of an efficient unlinkable secret handshake scheme, which is an authenticated key exchange protocol providing affiliation/policy hiding (i.e., the transmission hides the affiliation and the identities of all parties) and unlinkability (i.e., it is impossible to link any two instances of the secret handshake protocol). The proposed construction can be seen as a stateful version of a public-key broadcast encryption scheme, with the additional property of protecting the receivers' identities. Statefulness, however, implies that the key used to encrypt the broadcasts changes for each transmission, and receivers need to keep track of the changes to be able to recover the content. An interesting trait of the construction of is that it trades some degree of anonymity for better efficiency: while the receivers' identities are hidden from outsiders, the scheme still allows authorized users to learn information about other members of the receiver set.

Our Contributions. In this paper we propose the first broadcast encryption scheme with sublinear ciphertexts to achieve meaningful guarantees of receiver anonymity. In particular, we formalize the notion of outsider-anonymous broadcast encryption (oABE), and describe a generic construction based on any anonymous identity-based encryption (AIBE) scheme. Compared with the work of , our construction has the advantage of being stateless and having constant master public key size. Additionally, by adapting the techniques of , we also obtain an efficient construction with enhanced decryption, where for a given oABE ciphertext the decryption algorithm executes a single AIBE decryption operation. As outlined in Table 1, by relaxing the anonymity guarantees we achieve sublinear ciphertext size in our constructions.

Organization. Sect. 2 provides a brief review of the Subset Cover Framework and of anonymous identity-based encryption [2, 22].
The setting of outsider-anonymous broadcast encryption is introduced in Sect. 3. In Sect. 4 we first present generic constructions in the standard model that achieve outsider-anonymity under adaptive corruptions in the chosen-plaintext (Sect. 4.1) and chosen-ciphertext (Sect. 4.2) settings. Next, we describe a CCA-secure construction with enhanced decryption under the gap Diffie-Hellman assumption in the random oracle model (Sect. 4.3), and also extend it to the standard model (Sect. 4.4) using the twin-DH-based techniques of . In Sect. 4.5 we also present a variant of the scheme of Sect. 4.4 with even shorter ciphertexts, at a cost in the other parameters, most notably user storage and decryption complexity. Finally, we outline an optimization for the private-key setting to accommodate storage-constrained systems and attain constant key storage at the Center, while maintaining efficient decryption and logarithmic storage at the receivers (Sect. 4.6).