Broadcast Encryption - Encryption for Digital Content

Cryptography Reference

In-Depth Information

2.2.1 Security

In this section we will focus on proving the security of the template construc-

tion of broadcast encryption based on exclusive set systems. We will follow

the security modeling as expressed by Definition 2.2 . The overall security of

the scheme is based on the security of the underlying encryption scheme E k , D k

as indexed by a key k as well as the properties of the key assignment, i.e., the

way that the keys of user u are sampled by the KeyGen algorithm.

Key Encapsulation Mechanisms.

We require the broadcast encryption scheme to be capable of transmitting

a cryptographic key. We will ask that this same requirement should also be

satisfied by the underlying cryptographic primitive ( E , D ), i.e., a cryptographic

key should be encapsulated safely by the underlying encryption primitive.

We formalize the security requirement as the following game: for a random

choice of the key k, the adversary A can adaptively choose plaintexts and

see how E k encrypts them; similarly, is capable of observing the output of

decryption procedure D k . The adversary is challenged with a pair (c,m) for

which it holds that either c ← E k (m) or c ← E k (m 0 ) where m,m 0 are selected

randomly from the message space. The goal of the adversary is to distinguish

between the two cases. This models a CCA1 type of encryption security, or

what is known as a security against lunch-time attacks.

Experiment Exp kem

A

Select k at random.

aux ←A E k (), D k () ()

m 0 ,m 1 ←M; b ←{0,1}; c = E k (m 1 )

b 0 ←A E k () (aux,c,m b )

return 1 if and only if b = b 0 ;

Fig. 2.3. The security game of CCA1 secure key encapsulation for an encryption

scheme.

Definition 2.5. We say the symmetric encryption scheme ( E , D ) is ε-insecure

if it holds that for any probabilistic polynomial-time A

Adv ke A = |Prob[Exp ke A = 1] − 1

2 |≤ ε

Observe that the above requirement is weaker that one would typically

expect from an encryption scheme that may be desired to protect the plaintext

even if it is arbitrarily distributed. We note though that the key encapsulation

security requirement will still force the encryption function to be probabilistic:

indeed, in the deterministic case, the adversary can easily break security by

Search WWH ::

Custom Search

Home