Lower Bounds for Private Broadcast Encryption
نویسندگان
چکیده
Broadcast encryption is a type of encryption where the sender can choose a subset from a set of designated receivers on the fly and enable them to decrypt a ciphertext while simultaneously preventing any other party from doing so. The notion of private broadcast encryption extends the primitive to a setting where one wishes to thwart an attacker that additionally attempts to extract information about what is the set of enabled users (rather than the contents of the ciphertext). In this work we provide the first lower bounds for the ciphertext size of private broadcast encryption. We first formulate various notions of privacy for broadcast encryption, (priv-eq, priv-st and priv-full) and classify them in terms of strength. We then show that any private broadcast encryption scheme in the sense of priv-eq (our weakest notion) that satisfies a simple structural condition we formalize and refer to as “atomic” is restricted to have ciphertexts of size Ω(s ·k) where s is the cardinality of the set of the enabled users and k is the security parameter. We then present an atomic private broadcast encryption scheme with ciphertext size Θ(s · k) hence matching our lower bound that relies on key privacy of the underlying encryption. Our results translate to the setting priv-full privacy for a ciphertext size of Θ(n · k) where n is the total number of users while relying only on KEM security. We finally consider arbitrary private broadcast encryption schemes and we show that in the priv-full privacy setting a lower-bound of Ω(n+k) for every ciphertext is imposed. This highlights the costs of privacy in the setting of broadcast encryption where much shorter ciphertexts have been previously attained with various constructions in the non-privacy setting.
منابع مشابه
Combinatorial Bounds for Broadcast Encryption
A broadcast encryption system allows a center to communicate securely over a broadcast channel with selected sets of users. Each time the set of privileged users changes, the center enacts a protocol to establish a new broadcast key that only the privileged users can obtain, and subsequent transmissions by the center are encrypted using the new broadcast key. We study the inherent trade-off bet...
متن کاملUnconditionally Secure Revocable Storage: Tight Bounds, Optimal Construction, and Robustness
Data stored in cloud storage sometimes requires long-term security due to its sensitivity (e.g.,genome data), and therefore, it also requires flexible access control for handling entities who canuse the data. Broadcast encryption can partially provide such flexibility by specifying privilegedreceivers so that only they can decrypt a ciphertext. However, once privileged receivers...
متن کاملGirth, minimum degree, independence, and broadcast independence
An independent broadcast on a connected graph $G$is a function $f:V(G)to mathbb{N}_0$such that, for every vertex $x$ of $G$, the value $f(x)$ is at most the eccentricity of $x$ in $G$,and $f(x)>0$ implies that $f(y)=0$ for every vertex $y$ of $G$ within distance at most $f(x)$ from $x$.The broadcast independence number $alpha_b(G)$ of $G$is the largest weight $sumlimits_{xin V(G)}f(x)$of an ind...
متن کاملSome Bounds and a Construction for Secure Broadcast Encryption
We rst present two tight lower bounds on the size of the secret keys of each user in an unconditionally secure one-time use broadcast encryption scheme (OTBES). Then we show how to construct a computa-tionally secure multiple-use broadcast encryption scheme (MBES) from a key predistribution scheme (KPS) by using the ElGamal cryptosystem. We prove that our MBES is secure against chosen (message,...
متن کاملLower Bounds for Subset Cover Based Broadcast Encryption
In this paper, we prove lower bounds for a large class of Subset Cover schemes (including all existing schemes based on pseudorandom sequence generators). In particular, we show that – For small r, bandwidth is Ω(r) – For some r, bandwidth is Ω(n/ log(s)) – For large r, bandwidth is n− r where n is the number of users, r is the number of revoked users, and s is the space required per user. Thes...
متن کامل