## Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys (2005)

Citations: | 121 - 13 self |

### BibTeX

@INPROCEEDINGS{Boneh05collusionresistant,

author = {Dan Boneh and Craig Gentry and Brent Waters},

title = {Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys},

booktitle = {},

year = {2005},

pages = {258--275},

publisher = {Springer-Verlag}

}

### Abstract

We describe two new public key broadcast encryption systems for stateless receivers. Both systems are fully secure against any number of colluders. In our first construction both ciphertexts and private keys are of constant size (only two group elements), for any subset of receivers.

### Citations

1123 | Identity-based encryption from the Weil pairing - Boneh, Franklin |

430 | Secure group communications using key graphs
- Wong, Gouda, et al.
- 1998
Citation Context ...is proportional to $2^{\lceil \log_2 r \rceil} = O(r)$. This simple extension to the Naor and Pinkas system gives a broadcast system with similar parameters as the latest NNL derivative. Wallner et al. [WHA97] and Wong [WGL98] independently discovered the logical-tree-hierarchy scheme (LKH) for group multicast. Using these methods receivers must maintain state and remain connected to receive key-updates. The parameters of ... |

261 | A one round protocol for tripartite Diffie-Hellman - Joux |

250 | Broadcast encryption
- Fiat, Naor
- 1994
Citation Context ...m for n users where both ciphertexts and public keys are of size $O(\sqrt{n})$ for any subset of receivers. We discuss several applications of these systems. 1 Introduction In a broadcast encryption scheme [FN93] a broadcaster encrypts a message for some subset S of users who are listening on a broadcast channel. Any user in S can use his private key to decrypt the broadcast. However, even if all users outsid... |

245 | Key management for multicast: Issues and architectures
- Wallner, Harder, et al.
- 1998
Citation Context ... ciphertext size is proportional to $2^{\lceil \log_2 r \rceil} = O(r)$. This simple extension to the Naor and Pinkas system gives a broadcast system with similar parameters as the latest NNL derivative. Wallner et al. [WHA97] and Wong [WGL98] independently discovered the logical-key-hierarchy scheme (LKH) for multicast group key management. Using these methods receivers maintain state and remain connected to receive key-u... |

221 | Lower Bounds for Discrete Logarithms and Related Problems
- Shoup
- 1997
Citation Context ...HE assumption is a natural extension of the bilinear-DHI assumption previously used in [BB04, DY05]. Furthermore, Boneh et al. [BBG05] show that the ℓ-BDHE assumption holds in generic bilinear groups [Sho97]. 3 Construction We are now ready to present our broadcast encryption system. We first present a special case system where ciphertexts and private keys are always constant size, but the public key gro... |

201 | Chosen-ciphertext security from identity-based encryption
- Canetti, Halevi, et al.
Citation Context ...cast Encryption We show how to extend the system of Section 3.1 to obtain chosen ciphertext security. The basic idea is to compose the system with the IBE system of [BB04] and then apply the ideas of [CHK04]. The resulting system is chosen ciphertext secure without using random oracles. We will need a signature scheme (SigKeyGen, Sign, Verify). We will also need a collision resistant hash function that m... |

197 | Multicast security: a taxonomy and some efficient constructions - Canetti, Garay, et al. - 1999 |

177 | Key establishment in large dynamic groups using one-way function trees - McGrew, Sherman - 2003 |

174 | Revocation and tracing schemes for stateless receivers
- Naor, Naor, et al.
Citation Context ...or [FN93] were the first to formally explore broadcast encryption. They presented a solution which was secure against a collusion of t users and has ciphertext size of $O(t \log^2 t \log n)$. Naor et al. [NNL01] presented a fully collusion secure broadcast encryption system that is efficient for broadcasting to all, but a small set of revoked users. Their scheme is useful for content protection where broadca... |

164 | Hierarchical identity based encryption with con
- Boneh, Boyen, et al.
Citation Context ... assumption called the bilinear Diffie-Hellman Exponent assumption (BDHE). This assumption was recently used to construct a hierarchical identity based encryption system with constant size ciphertext [BBG05]. Let G be a bilinear group of prime order p. The ℓ-BDHE problem in G is stated as follows: given a vector of 2ℓ + 1 elements $h,\ g,\ g^{\alpha},\ g^{(\alpha^2)},\ \ldots,\ g^{(\alpha^{\ell})},\ g^{(\alpha^{\ell+2})},\ \ldots,\ g^{(\alpha^{2\ell})}$ ... |

146 | Tracing traitors
- Chor, Fiat, et al.
- 1994
Citation Context ... secure is also $(t, \epsilon/2^n, n)$ secure against adaptive adversaries. However, in practice this reduction is only meaningful for small values of n. Another problem is to build a tracing traitors system [CFN94] with the same parameters as our system. Ideally, one could combine the two systems to obtain an efficient trace-and-revoke system. Finally, it is interesting to explore alternative systems with simil... |

121 | Plutus — scalable secure file sharing on untrusted storage - Kallahalla, Riedel, et al. - 2008 |

90 | Sirius: Securing remote untrusted storage
- Goh, Shacham, et al.
- 2003
Citation Context ... header. If n users have access to the file, EFS encrypts $K_F$ under the public keys of all n users and places the resulting n ciphertexts in the file header. Related designs can be found in the SiRiUS [GSMB03] and Plutus [KRS+03] file systems. Abstractly, access control in an encrypted file system can be viewed as a broadcast encryption problem. The file system is the broadcast channel and the key $K_F$ is ... |

90 | The LSD broadcast encryption scheme - Halevy, Shamir |

77 | Improved efficiency for CCA-secure cryptosystems built using identity-based encryption
- Boneh, Katz
Citation Context ...mplying that the system is chosen-ciphertext secure in the standard model. We also note that instead of the signature-based method of [CHK04] we could have used the more efficient MAC-based method of [BK04]. We chose to present the construction using the signature method to simplify the proof. The MAC-based method would also work. 6 Conclusions and Open Problems We presented the first fully collusion re... |

67 | Efficient communication-storage tradeoffs for multicast encryption - Canetti, Malkin, et al. - 1999 |

65 | Separating decision Diffie-Hellman from Diffie-Hellman in cryptographic groups - Joux, Nguyen |

59 | Combinatorial properties and constructions of traceability schemes and frameproof codes - Stinson, Wei - 1998 |

52 | Efficient trace and revoke schemes
- Naor, Pinkas
- 2000
Citation Context ...s and Fazio [DF02] extend the NNL (subtree difference) method into a public key broadcast system for a small size public key. Other broadcast encryption methods for large sets include Naor and Pinkas [NP00] and Dodis and Fazio [DF03]. For some fixed t these systems can revoke any r < t users where ciphertexts are always of size O(t) and private keys are constant size. By running log n of these systems i... |

51 | Applications of Multilinear Forms to Cryptography, 2002. Available from http://eprint.iacr.org
- Boneh, Silverberg
Citation Context ...ion relies on computational assumptions. Several other works [Sti97, ST98, SW98, GSY99, GSW00] explore broadcast encryption and tracing from an information theoretic perspective. Boneh and Silverberg [BS03] show that n-linear maps give the ultimate fully collusion secure scheme with constant public key, private key, and ciphertext size. However, there are currently no known implementations of cryptograp... |

51 | A verifiable random function with short proofs and keys - Dodis, Yampolskiy - 2005 |

50 | On Some Methods for Unconditionally Secure Key Distribution and Broadcast Encryption. Designs, Codes and Cryptography - Stinson - 1997 |

42 | Long-lived broadcast encryption - Garay, Staddon, et al. |

39 | Public Key Broadcast Encryption for Stateless Receivers
- Dodis, Fazio
- 2002
Citation Context ...an be used to encrypt to n−r users with a header size of O(r) elements and private keys of size $O(\log^2 n)$. Further improvements [HS02, GST04] reduce the private key size to O(log n). Dodis and Fazio [DF02] extend the NNL (subtree difference) method into a public key broadcast system for a small size public key. Other broadcast encryption methods for large sets include Naor and Pinkas [NP00] and Dodis a... |

33 | Moni Naor. Tracing traitors
- Chor, Fiat
- 1994
Citation Context ... secure is also $(t, \epsilon/2^n, n)$ secure against adaptive adversaries. However, in practice this reduction is only meaningful for small values of n. Another problem is to build a tracing traitors system [CFN94] with the same parameters as our system. Ideally, one could combine the two systems to obtain an efficient trace-and-revoke system. Finally, it is interesting to explore alternate systems with similar... |

33 | Efficient tree-based revocation in groups of low-state devices
- Goodrich, Sun, et al.
- 2004
Citation Context ...eys are constant size. By running log n of these systems in parallel, where the revocation bound of the i’th system is $t_i = 2^i$, one obtains a broadcast encryption system with the same parameters as [GST04]. Private key size is O(log n) and, when revoking r users, ciphertext size is proportional to $2^{\lceil \log_2 r \rceil} = O(r)$. This simple extension to the Naor and Pinkas system gives a broadcast system with simi... |

32 | Efficient methods for integrating traceability and broadcast encryption - Gafni, Staddon, et al. - 1999 |

28 | Efficient selective-ID identity based encryption without random oracles
- Boneh, Boyen
Citation Context ...). 5 Chosen Ciphertext Secure Broadcast Encryption We show how to extend the system of Section 3.1 to obtain chosen ciphertext security. The basic idea is to compose the system with the IBE system of [BB04] and then apply the ideas of [CHK04]. The resulting system is chosen ciphertext secure without using random oracles. We will need a signature scheme (SigKeyGen, Sign, Verify). We will also need a coll... |

28 | Itkis, Daniele Micciancio, Moni Naor, and Benny Pinkas. Multicast Security: A taxonomy and Efficient Constructions. INFOCOM - Canetti, Garay, et al. - 1999 |

25 | Trung, “Some new results on key distribution patterns and broadcast encryption - Stinson, van - 1998 |

21 | An introduction to threshold cryptography - Gemmel - 1997 |

16 | W.G.: A public-key traitor tracing scheme with an optimal transmission rate - Chen, Tzeng |

11 | Public key broadcast encryption secure against adaptive chosen ciphertext attack
- Dodis, Fazio
- 2003
Citation Context ...he NNL (subtree difference) method into a public key broadcast system for a small size public key. Other broadcast encryption methods for large sets include Naor and Pinkas [NP00] and Dodis and Fazio [DF03]. For some fixed t these systems can revoke any r < t users where ciphertexts are always of size O(t) and private keys are constant size. By running log n of these systems in parallel, where the revoc... |

5 | Efficient broadcast encryption using multiple interpolation methods
- Yoo, Jho, et al.
- 2004
Citation Context ... < t users where ciphertexts are always of size O(t) and private keys are constant size. By running log n of these systems in parallel, where the revocation bound of the i’th system is $t_i = 2^i$ (as in [YJCK04]), one obtains a broadcast encryption system with the same parameters as [GST04]. Private key size is O(log n) and, when revoking r users, ciphertext size is proportional to $2^{\lceil \log_2 r \rceil} = O(r)$. This sim... |

4 | A quick key distribution scheme with entity revocation - Anzai, Matsuzaki, et al. - 1999 |

1 | Key management for multicast: Issues and architectures. IETF draft wallner-key
- Wallner, Harder, et al.
- 1997
Citation Context ...ciphertext size is proportional to $2^{\lceil \log_2 r \rceil} = O(r)$. This simple extension to the Naor and Pinkas system gives a broadcast system with similar parameters as the latest NNL derivative. Wallner et al. [WHA97] and Wong [WGL98] independently discovered the logical-tree-hierarchy scheme (LKH) for group multicast. Using these methods receivers must maintain state and remain connected to receive key-updates. Th... |

1 | Combinatorial properties and constructions - Stinson, Wei |

1 | of traceability schemes and frameproof codes
- Tzeng, Tzeng
- 1998
Citation Context ...is proportional to $2^{\lceil \log_2 r \rceil} = O(r)$. This simple extension to the Naor and Pinkas system gives a broadcast system with similar parameters as the latest NNL derivative. Wallner et al. [WHA97] and Wong [WGL98] independently discovered the logical-key-hierarchy scheme (LKH) for multicast group key management. Using these methods receivers maintain state and remain connected to receive key-update messages. T... |