SCIENCE CHINA Information Sciences, Volume 61, Issue 11: 118101(2018) https://doi.org/10.1007/s11432-017-9287-6

Dual-mode broadcast encryption

  • Received Jun 25, 2017
  • Accepted Oct 27, 2017
  • Published May 21, 2018


In this paper, our objective is to explore approaches to secure group-oriented communication that support designation and revocation mechanisms simultaneously. To this end, we present a new Revocation-Based Broadcast Encryption (RBBE) scheme, which is built on the broadcast encryption scheme with a designation mechanism proposed by Dan Boneh et al. in 2005. Moreover, we combine the two above-mentioned schemes into a new cryptosystem, called Dual-Mode Broadcast Encryption (DMBE). Based on this work, we reach the following conclusions. First, we use the DMBE scheme as an example to show that it is feasible to construct a broadcast encryption scheme that supports designation and revocation mechanisms simultaneously. Moreover, the dual-mode cryptosystem is more efficient than a single-mode one in terms of computational cost, and the performance is improved to at most $O(\lceil \frac{N}{2} \rceil)$, where $N$ is the total number of users in the system. Finally, we give a complete proof that both the RBBE scheme and the DMBE scheme are semantically secure against chosen plaintext attack with full collusion under the decisional bilinear Diffie-Hellman exponent assumption.


This work was supported by National Natural Science Foundation of China (Grant No. 61472032), NSFC-Genertec Joint Fund for Basic Research (Grant No. U1636104), and Joint Research Fund for Overseas Chinese Scholars and Scholars in Hong Kong and Macao (Grant No. 61628201).


[1] Fiat A, Naor M. Broadcast encryption. In: Proceedings of the 13th Annual International Cryptology Conference, Santa Barbara, 1993. 480--491.

[2] Boneh D, Gentry C, Waters B. Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Proceedings of the 25th Annual International Cryptology Conference, Santa Barbara, 2005. 258--275.

[3] Gentry C, Waters B. Adaptive security in broadcast encryption systems (with short ciphertexts). In: Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques, Cologne, 2009. 171--188.

[4] Naor M, Pinkas B. Efficient trace and revoke schemes. In: Proceedings of the 4th International Conference on Financial Cryptography, Anguilla, 2000. 1--20.

[5] Delerablée C, Paillier P, Pointcheval D. Fully collusion secure dynamic broadcast encryption with constant-size ciphertexts or decryption keys. In: Proceedings of the 1st International Conference on Pairing-Based Cryptography, Tokyo, 2007. 39--59.

[6] Lai J C, Mu Y, Guo F C, et al. Anonymous identity-based broadcast encryption with revocation for file sharing. In: Proceedings of the 21st Australasian Conference on Information Security and Privacy, Melbourne, 2016. 223--239.

| | Computational complexity | Communication/storage complexity |
|---|---|---|
| Setup | $(2n) \cdot E(\mathbb{G}) + 1 \cdot M(\mathbb{G})$ | $(2n+1) \cdot l_{\mathbb{G}}$ (PK), $2 \cdot l_{\mathbb{Z}_p^*} + 1 \cdot l_{\mathbb{G}}$ (MK) |
| KeyGen | $\lvert U \rvert \cdot (3 \cdot E(\mathbb{G}) + 1 \cdot M(\mathbb{G}) + 1 \cdot D(\mathbb{G}))$ (for $\lvert U \rvert$ users) | $\lvert U \rvert \cdot l_{\mathbb{G}}$ (${\rm sk}_i$, for $\lvert U \rvert$ users) |
| Encrypt | $2 \cdot E(\mathbb{G}) + 1 \cdot E(\mathbb{G}_T) + (\lvert R \rvert - 1) \cdot M(\mathbb{G}) + 1 \cdot D(\mathbb{G}) + 1 \cdot B$ | $2 \cdot l_{\mathbb{G}}$ ($C_R$) |
| Decrypt | $(\lvert R \rvert - 1) \cdot M(\mathbb{G}) + 1 \cdot D(\mathbb{G}) + 2 \cdot B + 1 \cdot D(\mathbb{G}_T)$ | $1 \cdot l_{\mathbb{G}_T}$ (ek) |

a) $E(\cdot)$, $M(\cdot)$ and $D(\cdot)$ denote the exponentiation, multiplication and division operations in a cyclic group, respectively. $B$ denotes the bilinear pairing $e: \mathbb{G} \times \mathbb{G} \rightarrow \mathbb{G}_T$. $\lvert U \rvert$ and $\lvert R \rvert$ denote the number of users in the sets $U$ and $R$, respectively. $l_{\mathbb{Z}_p^*}$, $l_{\mathbb{G}}$ and $l_{\mathbb{G}_T}$ denote the length of elements in $\mathbb{Z}_p^*$, $\mathbb{G}$ and $\mathbb{G}_T$, respectively.
