Adaptive Chosen-Ciphertext Security of Distributed Broadcast Encryption

TL;DR

This paper introduces an efficient distributed broadcast encryption scheme that achieves adaptive chosen-ciphertext security, improving security guarantees and efficiency over previous schemes that only offered CPA security.

Contribution

It presents the first adaptive CCA secure distributed broadcast encryption scheme with constant ciphertext and private key sizes, and linear public key size, using bilinear groups.

Findings

Proposed a semi-static CCA secure DBE scheme under the $q$-Type assumption.

Converted the semi-static scheme into an adaptive CCA secure scheme using a generic transformation.

Scheme achieves constant ciphertext and private key sizes, with efficient public key verification.

Abstract

Distributed broadcast encryption (DBE) is a specific kind of broadcast encryption (BE) where users independently generate their own public and private keys, and a sender can efficiently create a ciphertext for a subset of users by using the public keys of the subset users. Previously proposed DBE schemes have been proven in the adaptive chosen-plaintext attack (CPA) security model and have the disadvantage of requiring linear number of pairing operations when verifying the public key of a user. In this paper, we propose an efficient DBE scheme in bilinear groups and prove adaptive chosen-ciphertext attack (CCA) security for the first time. To do this, we first propose a semi-static CCA secure DBE scheme and prove the security under the $q$-Type assumption. Then, by modifying the generic transformation of Gentry and Waters that converts a semi-static CPA secure DBE scheme into an adaptive CPA secure DBE scheme to be applied to CCA secure DBE schemes, we propose an adaptive CCA secure DBE scheme and prove its adaptive CCA security. Our proposed DBE scheme is efficient because it requires constant size ciphertexts, constant size private keys, and linear size public keys, and the public key verification requires only a constant number of pairing operations and efficient group membership checks.