Cryptography Reference
In-Depth Information
1. Key-Storage: This refers to the size of the information required for each
receiver to store so that the decryption operation is enabled.
2. Decryption Overhead: This refers to the computation time required by a
receiver in order to perform the recovery of the plaintext.
3. Encryption Overhead: This refers to the computation time the sender is
supposed to invest in order to parse the given revocation instruction and
sample the ciphertext that disables all users that are meant to be excluded
from the transmission and produce the ciphertext.
4. Transmission Overhead. This refers to the actual length of the ciphertexts
(or the maximum such length if it varies).
The above parameters will have a functional dependency in the number of
users n, as well as on possibly other parameters such as the number of users
that the revocation information instructs to be excluded.
Adversarial Model.
The goal of an adversary in the broadcast encryption setting is to circumvent
the revocation capability of the sender. In a setting where the hybrid encryp-
tion approach is employed, the content distribution operates at two levels:
first, a one-time content key k is selected and encrypted with the broadcast
encryption mechanism. Second, the actual message will be encrypted with
the key k and will be broadcasted alongside the encrypted key. It follows that
a minimum requirement would be that the scheme
BE
should be su
ciently
secure to carry a cryptographic key k. As an encryption mechanism this is
known in the context of public key cryptography as a “Key Encapsulation
Mechanism”. The security model we present in this section will take this for-
malization approach, i.e., it will focus on the type of security that needs to
be satisfied by a broadcast encryption scheme in order to be used as a key
encapsulation mechanism. We note that for simplicity we adopt the syntax of
an encryption scheme, i.e., the message is given as an input to the encryption
algorithm, while the security property will capture the case where the mes-
sage is uniformly random as in key encapsulation. Later on in the chapter,
the plaintext m in the definition of broadcast encryption schemes will be used
to mean the one-time content key k unless otherwise noted.
The adversarial scenario that we envision for broadcast encryption is as
follows. The adversary is capable of corrupting a set of users so that the
adversary has access to the key material of the users in the corrupted set
T. Subsequently, the adversary, given a pair (c,m), tries to distinguish if the
pair is an actual plaintext ciphertext pair where m is sampled uniformly at
random, i.e., the adversary attempts to see whether c is an encryption of m
or m has been sampled in a manner independent of c. If indeed the adversary
has no means of distinguishing a valid encryption key pair from an invalid
one, then the encryption mechanism would be su
ciently strong to be used
for the distribution of cryptographic keys.
