Cryptography Reference
In-Depth Information
Combinatorial broadcast encryption template.
• KeyGen. Given 1
n
it chooses an (n,r,t)-exclusive set system Φ = {S
j
}
j∈J
. The
algorithm then generates a collection of keys {k
j
}
j∈J
⊆ K. For any u ∈ [n],
define J
u
:= {j | u ∈ S
j
} and K
u
= {k
j
| j ∈J
u
}. Set ek = hΦ,{k
j
}
j∈J
i and set
sk
u
= (J
u
,K
u
) for any u ∈ [n].
The language L consists of the descriptions of those elements of 2
Φ
such that
P = {S
j
1
,...,S
j
s
}∈L if and only if s ≤ t and the set R = [n] \∪
i=1
S
j
i
satisfies
|R|≤ r; in such case we say that P encodes R.
• Encrypt. Given P ∈ L and a message m, say P = {S
j
1
,...,S
j
s
} where j
i
∈ J
for i ∈{1,...,s}. Then the set of keys {k
j
| j ∈J and S
j
∈P} is selected from
{k
j
}
j∈J
. By employing the encryption scheme (
E
,
D
) the ciphertext is computed
as follows:
c ←hj
1
,..., j
s
,
E
k
j
1
(m),...,
E
k
j
s
(m)i
• Decrypt. Given the key-pair sk
u
= (J
u
,K
u
) for some u ∈ [n] and a ciphertext of
the form
c = hj
1
,..., j
s
,c
1
,...,c
s
i
it first searches for an encoding j
i
that satisfies j
i
∈J
u
and then returns
D
k
j
i
(c
i
).
If no such encoding is found it returns ⊥.
Fig. 2.2. The construction template for broadcast encryption using an exclusive
set system.
on in this chapter there are substantial advantages to be gained by exploiting
the particular structure of the exclusive set system and packing the infor-
mation in the sets (J
u
,K
u
) in a more compact form than simply listing all
their elements. In this way we will derive much more e
cient schemes com-
pared to
BE
basic
. This gain will come at the expense of introducing additional
cryptographic assumptions in the security argumentation.
The three procedures in the template broadcast encryption scheme
BE
play
the following role in an actual system instantiation. The KeyGen procedure
produces a set system Φ which corresponds to the set of keys in the system and
the collection of sets I
u
which determines the key assignment for each user u.
The procedure Encrypt, given the revocation instructions and a message m
to be distributed, produces the ciphertext by choosing the corresponding keys
from the set of possible keys. This is done by computing the encryption of the
plaintext m under the key assigned to the subset S for all subsets that are
specified in the revocation instruction. The Decrypt procedure will decrypt
the content transmission by using the set of user keys in a straightforward
manner : it will parse the transmitted ciphertext sequence for a ciphertext
block that it can decrypt and then it will apply the correponding key to it to
recover m.
