Cryptography Reference
In-Depth Information
An easy way to satisfy the property of key indistinguishability is to have
all keys of subsets selected randomly and independently from each other as is
done in the broadcast encryption scheme BE basic . Indeed, we have the following
proposition.
Proposition 2.7. The basic broadcast encryption scheme BE basic (refer to
Figure 2.2 and comments below) satisfies the key indistinguishability property
with distinguishing probability 0.
Proof. It is easy to see that the choice k j 0 by the KeyGen algorithm is iden-
tically distributed to the random selection of k 1 from K. Based on this it is
easy to derive that the scheme BE basic
satisfies key indistinguishability.
We, now, come to the point we can state the security theorem for the
template broadcast encryption as defined in Figure 2.2 . The requirements for
security are the key-indistinguishability property and the use of an encryption
that is suitable for key encapsulation.
Theorem 2.8. Consider a broadcast encryption scheme BE that fits the tem-
plate of Figure 2.2 over an (n,r,t)-exclusive set system Φ and satisfies (1) the
key indistinguishability property with distinguishing probability ε 1 , (2) its un-
derlying encryption scheme ( E , D ) is ε 2 -insecure in the sense of Definition 2.5 .
Then, the broadcast encryption scheme BE is ε-insecure in the sense of Defi-
nition 2.2 where ε ≤ 2t·|Φ|· (2ε 1 + ε 2 ).
Proof. We will prove the above argument by structuring the proof as a se-
quence of indistinguishable games all operating over the same underlying prob-
ability space. Starting from the actual attack scenario, we consider a sequence
of hypothetical games. In each game, the adversary's view is obtained in dif-
ferent ways, but the probability of success will be related in a predictable
fashion. Let us start writing the original game Exp 0 = Exp re A (n) explicitly
in Figure 2.5 :
Experiment Exp 1 . This experiment, for v = 0,...,t, is identical to Exp 0 ,
with two slight modifications. The first modification is in the encryption on
line 5. The experiment of type v, Exp 1 , is one where the encryption is com-
puted so that the first v subset keys are over a random plaintext while the
remaining subsets encode the correct message. More specifically, the 5th line
in the experiment would look as follows :
c = hj 1 ,..., j s ,E k j 1 (R 1 ),...,E k j v (R v ),E k j v+1 (m 1 ),...,E k j s (m 1 )i
where R i is a random string of the same length as the message m 1 for
i = 1,...,v. Note that if v > s all plaintexts are selected independently at
random.
The second modification of the experiment Exp 1 is the choice of a uni-
formly random variable w ∈{1,...,|Φ|}. Consider an enumeration for the key
encodings, i.e. J = {j[1],..., j[|Φ|]}. The experiment Exp v is modified in the
 
Search WWH ::




Custom Search