An ID-Based Broadcast Encryption Scheme for Key Distribution

1
An ID-Based Broadcast Encryption Scheme for Key
Distribution
  • Author: Xinjun Du, Ying Wang, Jianhua Ge, and Yumin Wang
  • Source: IEEE TRANSACTIONS ON BROADCASTING, Volume 51, Issue 2, June 2005
  • Reporter: Peng-Yuan Chen
  • Date: 2006.12.27

2
Outline
  • Introduction
  • Preliminaries
      - Bilinear Pairings
      - ID-Based Public Key Infrastructure
      - Boneh-Franklin Encryption Scheme
  • Proposed Scheme
      - ID-BASED BROADCAST ENCRYPTION SCHEME
  • Analysis
  • Conclusion

3
Introduction
  • ID-based cryptography
  • The public key can be an arbitrary string.
  • It simplifies the management of public certificates by using the identity of the receiver as the public key.
  • Many ID-based cryptographic schemes have been proposed using bilinear pairings.
  • This scheme is a variation of the Boneh-Franklin identity-based encryption scheme.

4
Bilinear Pairings
  • Let $G_1$ and $G_2$ be two cyclic groups of order $q$ for some large prime $q$. $G_1$ is a cyclic additive group and $G_2$ is a cyclic multiplicative group.
  • Let $e: G_1 \times G_1 \to G_2$ be a pairing which satisfies the following conditions:
  • Bilinear: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G_1$ and all $a, b \in Z_q$.
  • Non-degenerate: there exist $P \in G_1$ and $Q \in G_1$ such that $e(P, Q) \neq 1$.
  • Computability: there is an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$.

5
ID-Based Public Key Infrastructure
  • The KGC (trusted Key Generation Center) generates two groups $G_1$, $G_2$ and a bilinear pairing $e: G_1 \times G_1 \to G_2$. It chooses an arbitrary generator $P \in G_1$ and defines two cryptographic hash functions $H_1: \{0,1\}^* \to G_1$ and $H_2: G_2 \to \{0,1\}^*$.
  • Set Up
  • The KGC chooses a random number $s \in Z_q^*$ and sets $P_{pub} = sP$. Then the KGC publishes the system parameters params = $\{G_1, G_2, q, P, P_{pub}, H_1, H_2\}$ and keeps $s$ as the master key.
  • Private Key Extraction
  • A user submits his identity information ID to the KGC. The KGC computes the user's public key as $Q_{ID} = H_1(ID)$ and returns his private key $S_{ID} = sQ_{ID}$.

6
Boneh-Franklin Encryption Scheme
  • The scheme allows the holder of the private key $S_{ID}$ to decrypt a message sent to her under the public key $Q_{ID}$.
  • Let $m$ denote the message to be encrypted.
  • Encryption: Compute $U = rP$ where $r \in_R Z_q^*$. Then compute $V = m \oplus H_2(e(P_{pub}, rQ_{ID}))$. Output the ciphertext $(U, V)$.
  • Decryption: $V \oplus H_2(e(U, S_{ID})) = V \oplus H_2(e(rP, sQ_{ID})) = V \oplus H_2(e(sP, rQ_{ID})) = V \oplus H_2(e(P_{pub}, rQ_{ID})) = m$

7
ID-BASED BROADCAST ENCRYPTION SCHEME
  • This scheme is proposed for key distribution; the subsequent broadcasts can be encrypted by a conventional symmetric cryptosystem, such as DES, with the distributed keys.
  • Users: $U = \{ID_i \mid i = 1, 2, \ldots, n\}$, where $ID_i$ is the unique identifier. Each user has a public/private key pair $(Q_i, S_i)$. Let $k$ denote the session key to be encrypted and broadcast to the set of users.

8
Encryption(1/2)
  • The center computes

  • The center also forms $n-1$ auxiliary keys $Q_{V_i}$, $2 \le i \le n$, from $(Q_1, Q_2, \ldots, Q_n)$, which means $Q_{V_2} = Q_1 + Q_2$, $Q_{V_3} = Q_1 + Q_3$, ..., $Q_{V_n} = Q_1 + Q_n$.

9
Encryption(2/2)
  • The cryptogram is then formed by computing, for some random $r \in Z_q^*$: $U_1 = rP$; $U_i = rQ_{V_i}$, $2 \le i \le n$; $V = k \oplus H_2(e(P_{pub}, rQ_{V_1}))$.
  • The center outputs the ciphertext $(U_i, 1 \le i \le n, V)$ and broadcasts it to the set of users $U$.

10
Decryption(1/3)
  • Without loss of generality, we assume the recipient is $ID_i$. The recipient $ID_i$ sets a vector $a_1 = (0, \ldots, 0, 1, 0, \ldots, 0)$ in which only the $i$-th element is 1. Then $A$ is an $n \times n$ matrix
  • The recipient $ID_i$ can easily solve the following system of equations: $(x_1, x_2, \ldots, x_n) \times A = (1, 1, \ldots, 1)$

11
Decryption(2/3)
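  • With $(x_1, x_2, \ldots, x_n)$, we can get
  • To decrypt the ciphertext, the recipient $ID_i$ needs to compute $e(P_{pub}, rQ_{V_1}) = e(P_{pub}, r(x_1 Q_i + x_2 Q_{V_2} + \cdots + x_n Q_{V_n})) = e(P_{pub}, r x_1 Q_i) \cdot e(P_{pub}, r(x_2 Q_{V_2} + \cdots + x_n Q_{V_n})) = e(rP, x_1 s Q_i) \cdot e(P_{pub}, x_2 r Q_{V_2} + \cdots + x_n r Q_{V_n}) = e(U_1, x_1 S_i) \cdot e(P_{pub}, x_2 U_2 + \cdots + x_n U_n)$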

12
Decryption(3/3)
  • Then, the recipient can compute
  • For group membership operations, the center only
    needs to execute one broadcast encryption
    protocol again to distribute a new random session
    key to the resulting set of users.
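
The full key-distribution round from the Encryption and Decryption slides, as an added example that is not code from the paper or the presentation. It runs over a toy, insecure stand-in for the pairing (a $G_1$ element $aP$ is stored as the scalar $a$, and $e(aP, bP) = g^{ab} \bmod p$) and assumes $Q_{V_1} = Q_1 + \cdots + Q_n$, which is what the decryption identity implies; all function names and parameters are illustrative.

```python
import hashlib, secrets

# Toy (INSECURE) pairing model, constructed for this example: a G1 element aP is
# stored as the scalar a mod q (so P = 1), and e(aP, bP) = g^(ab) mod p.
q, p, g = 1019, 2039, 4          # p = 2q + 1; g generates the order-q subgroup
P = 1

def e(a, b): return pow(g, a * b % q, p)
def H1(ident): return int.from_bytes(hashlib.sha256(ident.encode()).digest(), "big") % q
def H2(t, n): return hashlib.sha256(str(t).encode()).digest()[:n]   # n <= 32 bytes
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def setup():
    s = secrets.randbelow(q - 1) + 1          # master key s
    return s, s * P % q                       # (s, P_pub = sP)

def extract(s, ident):                        # S_ID = s * Q_ID
    return s * H1(ident) % q

def encrypt(p_pub, ids, k):
    Q = [H1(i) for i in ids]
    # Assumption: Q_V1 = Q_1 + ... + Q_n; auxiliary keys Q_Vi = Q_1 + Q_i
    qv = [sum(Q) % q] + [(Q[0] + Qi) % q for Qi in Q[1:]]
    r = secrets.randbelow(q - 1) + 1
    U = [r * P % q] + [r * v % q for v in qv[1:]]           # U_1 = rP, U_i = rQ_Vi
    return U, xor(k, H2(e(p_pub, r * qv[0] % q), len(k)))   # V = k xor H2(...)

def solve(i, n):
    """Solve (x_1..x_n) * A = (1..1) mod q; row 1 of A is e_i (0-based i), row j is e_1 + e_j."""
    A = [[int(c == i) for c in range(n)]] + \
        [[int(c in (0, j)) for c in range(n)] for j in range(1, n)]
    M = [[A[r][c] for r in range(n)] + [1] for c in range(n)]   # A^T | 1
    for c in range(n):                                          # Gauss-Jordan mod q
        piv = next(r for r in range(c, n) if M[r][c])
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], -1, q)
        M[c] = [v * inv % q for v in M[c]]
        for r in range(n):
            if r != c and M[r][c]:
                f = M[r][c]
                M[r] = [(a - f * b) % q for a, b in zip(M[r], M[c])]
    return [row[n] for row in M]

def decrypt(p_pub, i, n, s_i, U, V):
    x = solve(i, n)
    tail = sum(xj * Uj for xj, Uj in zip(x[1:], U[1:])) % q     # x_2U_2+...+x_nU_n
    t = e(U[0], x[0] * s_i % q) * e(p_pub, tail) % p            # = e(P_pub, rQ_V1)
    return xor(V, H2(t, len(V)))
```

Each recipient passes its own 0-based position in the user list as `i`, together with its private key, and gets back the session key `k`.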

13
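[Diagram labels: Broadcast center, Users, session. The broadcast center sends $(U_i, 1 \le i \le n, V)$ to the users. Each user solves $(x_1, x_2, \ldots, x_n) \times A = (1, 1, \ldots, 1)$ and computes $e(U_1, x_1 S_i) \cdot e(P_{pub}, x_2 U_2 + \cdots + x_n U_n) = e(rP, x_1 s Q_i) \cdot e(P_{pub}, x_2 r Q_{V_2} + \cdots + x_n r Q_{V_n}) = e(P_{pub}, r x_1 Q_i) \cdot e(P_{pub}, r(x_2 Q_{V_2} + \cdots + x_n Q_{V_n})) = e(P_{pub}, r(x_1 Q_i + x_2 Q_{V_2} + \cdots + x_n Q_{V_n})) = e(P_{pub}, rQ_{V_1})$]
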
14
Analysis
  • Computation cost of the encryption by the center:
  • $2n-2$ additions in the group $G_1$.
  • $n+1$ scalar multiplications in the group $G_1$.
  • One pairing computation.
  • One hashing computation.
  • One XOR operation.
  • Computation cost of the decryption per user:
  • Solving a set of linear equations with $n$ variables.
  • $n-1$ additions in the group $G_1$.
  • $n$ scalar multiplications in the group $G_1$.
  • Two pairing computations.
  • One hashing computation.
  • One XOR operation.

15
Conclusion
  • In this paper an ID-based broadcast encryption
    scheme is proposed for key distribution, by which
    a center can distribute session keys to a certain
    set of users.
  • The scheme does not require a secure channel
    between each user and the center and only needs
    one round broadcast.
  • The complex re-keying protocols for changes of
    the set of users are also not necessary.
  • Then a conventional private-key cryptosystem, such as DES, can be used to encrypt the subsequent broadcast with the distributed key.