
Broadcast Encryption

From the document Learning about Identity-Based Encryption (pages 158-161)

Broadly speaking, the idea of broadcast encryption is to perform a single encryption of a message that can be decrypted by a number of recipients. The main issue is that any particular message may only be intended for a subset of the possible set of recipients. These recipients are called privileged (with respect to this message) while others are called revoked. Two crucial parameters are of interest. The first is the size of the broadcast and the second is the size of the key material that individual recipients need to store. Broadcast encryption has different applications which include pay TV systems, DVD content protection and access control in encrypted file systems.

The formal notion of broadcast encryption was introduced by Fiat and Naor [80].

This was mainly in the setting of symmetric key encryption. Public key broadcast encryption schemes were considered later [78]. The security model for public key broadcast encryption is an extension of the security model for usual PKE schemes.

Differences arise due to the fact that a usual PKE scheme has a single recipient whereas a broadcast scheme has multiple recipients. For example, in a decryption query, the adversary specifies a recipient. Somewhat more importantly, for generation of the challenge ciphertext, the adversary specifies a target set of recipients.

From the point of view of obtaining a security reduction, a crucial issue is the manner in which the adversary is allowed to choose the target set of recipients.

In the adaptive model, the adversary can choose this set after making decryption queries, while in the non-adaptive model, the adversary has to specify the target set at the outset of the security game. Correspondingly, it is much more difficult to obtain a scheme which can be proved secure in the adaptive model.

The above description should make the connection to identity-based techniques clear. The basic similarity is that both IBE and broadcast encryption deal with a number of recipients where each recipient has a private key which is unknown to the other recipients. Further, the adaptive and non-adaptive security models are roughly analogous to the adaptive-identity and selective-identity attacks in the IBE security model.

The connection becomes clearer when we consider the selective-identity security model for HIBE schemes. The adversary has to specify the target identity at the beginning of the security game. For an HIBE scheme, an identity is a tuple where each prefix of the tuple represents an individual possessing a private key. So, one may consider such an identity as specifying a possible set of recipients. From this, it is quite natural to try to obtain a broadcast encryption scheme secure against non-adaptive attacks from an HIBE scheme which is secure against selective-identity attacks.

An HIBE scheme, on the other hand, has an additional structure in the form of the requirement of being able to support key delegation over levels. In other words, an identity tuple possessing a private key should be able to generate keys for identities for which it is a proper prefix. Such a requirement is not present in a broadcast encryption scheme. Moreover, the security model for the non-adaptive setting does not provide the adversary with a key-extraction oracle. Instead, the adversary is provided with the private keys of the revoked users immediately after the system is set up. To a certain extent, this makes the task of private key generation in a broadcast encryption scheme somewhat simpler than that of an HIBE scheme.

We have talked about broadcast encryption schemes secure against non-adaptive adversaries. By a similar reasoning, an HIBE which is secure against adaptive-identity attacks provides an idea of constructing a broadcast encryption scheme which is secure against adaptive adversaries. It is only recently that a somewhat satisfactory solution for adaptive-identity secure HIBE has been found [170]. As a natural extension, this has led to the construction of a broadcast encryption scheme which is secure against adaptive identities [170].

In a broadcast encryption scheme a broadcast message is typically of the form $(S, \mathrm{Hdr}, C_M)$, where $S$ is the set of privileged recipients, $\mathrm{Hdr}$ is an encapsulation of a key $K$ which is used to encrypt a message $M$ through a symmetric encryption scheme to obtain the ciphertext $C_M$. Each user $u_i \in S$ uses her private key to decapsulate the key $K$ from the $\mathrm{Hdr}$ and then uses $K$ to decrypt the broadcast message.

Here we describe only one broadcast encryption scheme. This is the first broadcast encryption scheme which exploits the above mentioned connection to HIBE schemes. As described in Chapter 5, Boneh, Boyen and Goh had obtained an interesting construction of a selective-identity secure HIBE scheme possessing a constant size ciphertext. Following the above intuition, this can be modified (albeit in a non-trivial way) to obtain a broadcast encryption scheme. Boneh, Gentry and Waters [42] proposed such a construction. The crucial aspect of this scheme is that the constant size ciphertext for the HIBE scheme translates into a constant size Hdr for the broadcast encryption. A drawback is that the size of the public parameters is linear in the number of recipients. Since this number can be large, this may significantly affect practical implementation. To alleviate this problem, the paper [42] provides a mechanism for obtaining a controllable trade-off between the size of the public parameters and the size of the ciphertext. Below we describe the basic scheme from [42].

Set-Up. The description is in terms of a symmetric pairing $e : G \times G \to G_T$ with $G = \langle P \rangle$. To set up the scheme, choose a uniform random $\alpha \in \mathbb{Z}_p$ and compute $P_i = \alpha^i P$ for $i = 1, \ldots, 2n$, where $n$ is the maximum number of recipients the system can support. Further, choose a random $\gamma \in \mathbb{Z}_p$ and set $Q = \gamma P$. The public key is the tuple

$$(P, P_1, \ldots, P_n, P_{n+2}, \ldots, P_{2n}, Q).$$

Note that the element $P_{n+1}$ is not part of the public key. The private key for user $i \in \{1, \ldots, n\}$ is set to be $d_i = \gamma P_i$ and so $d_i = \alpha^i Q$.

Encrypt. Given a set S of privileged users, the header is generated as follows.

Choose a random $t$ in $\mathbb{Z}_p$ and set the secret key to be $K = e(P_{n+1}, P)^t = e(P_n, P_1)^t$. The header $\mathrm{Hdr}$ is defined to be

$$\left(tP,\; t\Bigl(Q + \sum_{j \in S} P_{n+1-j}\Bigr)\right).$$

Decrypt. Suppose $u_i$ is a user and belongs to a set $S$ of users for which the broadcast has been created. Let $d_i$ be the private key of user $u_i$. Let $\mathrm{Hdr} = (C_0, C_1)$. Then, the secret key $K$ is reconstructed in the following manner.

$$\frac{e(P_i, C_1)}{e\Bigl(d_i + \sum_{j \in S,\, j \neq i} P_{n+1-j+i},\; C_0\Bigr)}.$$

The correctness of decryption can be seen from the following computation.

$$
\begin{aligned}
&\frac{e(P_i, C_1)}{e\Bigl(d_i + \sum_{j \in S,\, j \neq i} P_{n+1-j+i},\; C_0\Bigr)} \\
&= \frac{e\bigl(\alpha^i P,\; t(Q + \sum_{j \in S} P_{n+1-j})\bigr)}{e\bigl(\alpha^i Q + \sum_{j \in S,\, j \neq i} P_{n+1-j+i},\; tP\bigr)} \\
&= \frac{e\bigl(\alpha^i P,\; tP_{n+1-i}\bigr)\, e\bigl(\alpha^i P,\; t(Q + \sum_{j \in S,\, j \neq i} P_{n+1-j})\bigr)}{e\bigl(\alpha^i (Q + \sum_{j \in S,\, j \neq i} P_{n+1-j}),\; tP\bigr)} \\
&= \frac{e(P, tP_{n+1})\, e\bigl(\alpha^i P,\; t(Q + \sum_{j \in S,\, j \neq i} P_{n+1-j})\bigr)}{e\bigl(t(Q + \sum_{j \in S,\, j \neq i} P_{n+1-j}),\; \alpha^i P\bigr)} \\
&= e(P, P_{n+1})^t \\
&= K.
\end{aligned}
$$

In the above scheme, a private key is only one group element and the ciphertext consists of two group elements. Since $e(P_{n+1}, P)$ can be precomputed, encryption requires no pairings. The drawback is that the size of the public parameters is almost twice the number of possible recipients. The system is able to broadcast to any subset of users and is fully collusion resistant against a non-adaptive adversary who is not allowed to make any decryption query. By composing this protocol with the Boneh-Boyen IBE (somewhat akin to what is done in Section 7.5 of Chapter 7) and applying the generic transformation discussed in Chapter 6 it is possible to obtain a CCA-secure scheme.
