Identity-Based Broadcast Encryption with

Constant Size Ciphertexts and Private Keys

Cécile Delerablée1,2
1
Orange Labs - Caen, France
2
ENS - Paris, France
cecile.delerablee@orange-ftgroup.com

Abstract. This paper describes the first identity-based broadcast en-

cryption scheme (IBBE) with constant size ciphertexts and private keys.
In our scheme, the public key is of size linear in the maximal size m of
the set of receivers, which is smaller than the number of possible users
(identities) in the system. Compared with a recent broadcast encryption
system introduced by Boneh, Gentry and Waters (BGW), our system
has comparable properties, but with a better efficiency: the public key
is shorter than in BGW. Moreover, the total number of possible users in
the system does not have to be fixed in the setup.

1 Introduction
Broadcast Encryption. The concept of Broadcast Encryption (BE) was intro-
duced by Fiat and Naor in [16]. In BE schemes, a broadcaster encrypts messages
and transmits them to a group of users who are listening to a broadcast chan-
nel and use their private keys to decrypt transmissions. At encryption time, the
broadcaster can choose the set S of identities that will be able to decrypt mes-
sages. A BE scheme is said to be fully collusion resistant when, even if all users
that are not in S collude, they can by no means infer information about the
broadcast message.
Many BE systems have been proposed [23, 20, 19, 10, 15]. The best known fully
collusion systems
√ are the schemes of Boneh, Gentry and Waters [10] which
achieve O( n)-size ciphertexts and public key, or constant size ciphertexts,
O(n)-size public key and constant size private keys in a construction that we
denote by BGW1 in the following. A lot of systems make use of the hybrid
(KEM-DEM) encryption paradigm where the broadcast ciphertext only encrypts
a symmetric key used to encrypt the broadcast contents. We will adopt this
methodology in the following.

Dynamic Broadcast Encryption. The concept of Dynamic Broadcast Encryption

(DBE) was introduced by Delerablée, Paillier and Pointcheval in [15]. A DBE
scheme is a BE in which the total number of users is not fixed in the setup, with
the property that any new user can decrypt all previously distributed messages.
Thus a DBE scheme is suitable for some applications, like DVD encryption.
Nevertheless, some applications like Video on Demand (VOD) need forward
secrecy. This paper address this problem, in the identity-based setting.
ID-based Encryption. In 1984, Shamir [24] asked for a public key encryption
scheme in which the public key can be an arbitrary string.
Since the problem was posed in 1984, there have been several proposals for
Identity-Based Encryption (IBE) schemes. However, we can considerer that the
first practical IBE scheme was introduced by Boneh and Franklin in 2001 [9].
Since 2001, several schemes have been introduced [14, 26, 12, 8, 7, 6, 17]. Concern-
ing the security, there are mainly two definitions:

1. Full security, which means that the attacker can choose adaptively the iden-
tity he wants to attack (after having seen the parameters);
2. Selective-ID security, which means that the attacker must choose the iden-
tity he wants to attack at the beginning, before seeing the parameters. The
Selective-ID security is thus weaker than full security.

Since the scheme in [9] is proved secure in the random oracle model, several
papers have proposed systems secure without random oracles. In [6], one of
the systems has short parameters and tight security reduction, in the standard
model (proved secure against selective-ID adversaries). In [17], Gentry proposed
the first IBE system that is fully secure without random oracles, has short public
parameters and has a tight security reduction.

Multi-receiver ID-based Key Encapsulation (mID-KEM). A multi-receiver key

encapsulation scheme (mKEM) is an efficient key encapsulation mechanism for
multiple parties. This notion was introduced in [25]. Note that this notion is
different from multi-recipient public key encryption [4, 5, 22], where the sender
wants to send one (different) message to each receiver.
Later, in [2] and [3], the notion of mKEM was extended to multi-receiver identity-
based key encapsulation (mID-KEM), i.e. mKEM in the identity-based setting.
In [2] and [3], the ciphertext size grows with the number of receivers. In [13],
Chatterjee and Sarkar achieved a controllable trade-off between the ciphertext
size and the private key size: ciphertexts are of size |S|/N , and private keys are of
size N where S is the set of receivers and N a parameter of the protocol (which
also represents, in the security reduction, the maximum number of identities
that the adversary is allowed to target). Thus they introduced the first mID-
KEM protocols to achieve sub-linear ciphertext sizes. Very recently, Abdalla et
al. proposed in [1] a generic construction that achieves ciphertexts of constant
size, but private keys of size O(nmax 2 ).
In the following, we do not employ the term “mID-KEM” anymore, but we talk
about “identity-based broadcast encryption” (IBBE), to emphasize that this
notion is close to broadcast encryption and ID-based encryption. We consider
IBBE as a natural generalization of IBE. Indeed, in IBE schemes, one public key
can be used to encrypt a message to any possible identity. In an IBBE scheme,
one public key can be used to encrypt a message to any possible group of s
identities. Consequently, if we set s = 1, the resulting IBBE scheme is an IBE
scheme. The trivial solution to construct an IBBE scheme would be to use an IBE
scheme to encrypt the message once for each identity. The resulting ciphertext
would be of size linear in s. We also see IBBE as a way to make broadcast
encryption more practical.
Motivations. We focus on schemes with ciphertexts of constant size. In BGW1 ,
as we said before, the public key is linear in the total number of decryption keys
that can be distributed. Moreover, this number is fixed in the setup. Thus one
of our motivations is to introduce a system in which the number of possible
decryption keys is not fixed in the setup, and thus does not have any impact on
the size of the public key. In [13] and [1], the trade-off between the ciphertext
size and the private key size implies that if we want to have short ciphertexts,
the private keys cannot be of constant size. Thus we would like to have both
ciphertexts and private keys of constant size (as in BGW1 ). Note that in some
systems like the HIBE scheme in [8], the size of the public key can be reduced
by using a hash function, viewed as a random oracle in the security proof, but
this is not the case in BGW1 , because all the elements of the public depend on
a single value.
Our contributions. In this paper, we propose the first identity-based broad-
cast encryption scheme with constant size ciphertexts and private keys. Our
construction is a Key Encapsulation Mechanism (KEM), thus long messages can
be encrypted under a short symmetric key. In our solution, ciphertexts and pri-
vate keys are of constant size, and the public key is linear in the maximal value of
s. Moreover, in our scheme, the Private Key Generator (PKG) can dynamically
add new members without altering previously distributed information (as in IBE
schemes). We also note that there is no hierarchy between identities, contrary
to HIBE (Hierarchical IBE [21, 18, 8] ). No organization of the users is needed
to have short ciphertexts. Note that the public key is linear in the maximal size
of S, and not in the number of decryption keys that can be distributed, which
is the number of possible identities. The following framework is an example to
show the benefits of our solution: The PKG can send short term decryption
keys. Then sending a new decryption key could be conditional (each month, if
the user pays his bill for example), without affecting the performances of the
system. Indeed, there is no need to revoke previous keys, because the encryption
takes into account the set of users who can decrypt. We can compare our scheme
with BGW1 in such a situation: if we consider that the number of users who
can decrypt is s, and that each user receives a new key at the end of each time
period, then the size of the public key in BGW1 would be λPK = s · t with t the
number of time periods for example. In our scheme, we have λPK = s. Thus one
can note that BGW1 is not really suited to such an situation (the public key
would grow linearly with the number of time periods). In other words, in BGW1 ,
the public key is linear in the number of private keys that can be distributed,
whereas in our construction, the public key is linear in the maximal number of
receivers of a ciphertext, which is independent of the number of private keys that
can be distributed. Indeed, in our case, the number of possible private keys is the
number of possible identities. Note that if there are n receivers and it happens
that n > m, we can just concatenate several encryptions together and get n/m
size ciphertexts (as in [13]), still with constant size private keys. Moreover, in
our construction, ciphertext size is deterministic whereas [13] makes probabilistic
efficiency claims.

2 Preliminaries
We propose a formal definition of an identity-based broadcast encryption scheme
and security notions that we associate to it. We basically include an Extract
procedure in the definition of Broadcast Encryption given in [10]. Our formal
model can also be viewed as a generalization of classical IBE systems. Concerning
the security, we follow the definition of the classical security notions for BE
(security against static adversaries) [10], which is close to the notion of selective-
ID security, used in [6, 11].

2.1 Identity-Based Broadcast Encryption (IBBE)

An IBBE scheme involves an authority: the Private Key Generator (PKG). The
PKG grants new members capability of decrypting messages by providing each
new member (with identity IDi ) a decryption key skIDi . The generation of skIDi
is performed using a master secret key MSK. The broadcaster encrypts mes-
sages and transmits these to the group of users via the broadcast channel. In
a (public-key) IBBE encryption scheme, the broadcaster does not hold any pri-
vate information and encryption is performed with the help of a public key PK
and identities of the receivers. Following the KEM-DEM methodology, broad-
cast encryption is viewed as the combination of a specific key encapsulation
mechanism (a Broadcast-KEM) with a symmetric encryption (DEM) that shall
remain implicit throughout the paper. More formally, an identity-based broad-
cast encryption scheme IBBE with security parameter λ and maximal size m of
the target set, is a tuple of algorithms IBBE = (Setup, Extract, Encrypt, Decrypt)
described as follows:
Setup(λ, m). Takes as input the security parameter λ and m the maximal size
of the set of receivers for one encryption, and outputs a master secret key
MSK and a public key PK. The PKG is given MSK, and PK is made public.
Extract(MSK, IDi ). Takes as input the master secret key MSK and a user identity
IDi . Extract generates a user private key skIDi .
Encrypt(S, PK). Takes as input the public key PK and a set of included identities
S = {ID1 , . . . , IDs } with s ≤ m, and outputs a pair (Hdr, K), where Hdr is
called the header and K ∈ K and K is the set of keys for the symmetric
encryption scheme.
When a message M ∈ {0, 1}∗ is to be broadcast to users in S, the broadcaster
generates (Hdr, K) ← Encrypt(S, PK), computes the encryption CM of M
under the symmetric key K ∈ K and broadcasts (Hdr, S, CM ). We will refer
to Hdr as the header or broadcast ciphertext, (Hdr, S) as the full header, K
as the message encryption key and CM as the broadcast body.
Decrypt(S, ID, skID , Hdr, PK). Takes as input a subset S = {ID1 , . . . , IDs } (with
s ≤ m), an identity ID and the corresponding private key skID , a header
Hdr, and the public key PK. If ID ∈ S, the algorithm outputs the message
encryption key K which is then used to decrypt the broadcast body CM and
recover M .

Remark. This model defines, when m = 1, an IBE system.

2.2 Security Notions for IBBE

The standard notion for BE schemes is Chosen Ciphertext Security against Static
Adversaries. For IBE, one standard notion is selective-ID security (weaker than
full security), where the adversary must choose at the beginning of the game the
set of identities he wants to attack.

Remark. Note that for m = 1 the following security model fits with IND-sID-
CCA security for IBE schemes, that is used in [6] for example.

IND-sID-CCA Security. We define IND-sID-CCA security of an IBBE system.

Security is defined using the following game between an adversary A and a
challenger. We basically refine the definition of [10], by adding extraction queries.
Both the adversary and the challenger are given as input m, the maximal size
of a set of receivers S.
Init: The adversary A first outputs a set S ∗ = {ID∗1 , . . . , ID∗s } of identities that
he wants to attack (with s ≤ m).
Setup: The challenger runs Setup(λ, m) to obtain a public key PK. He gives A
the public key PK.
Query phase 1: The adversary A adaptively issues queries q1 , . . . , qs0 , where
qi is one of the following:
• Extraction query (IDi ) with the constraint that IDi ∈ / S ∗ : The challenger
runs Extract on IDi and forwards the resulting private key to the adver-
sary.
• Decryption query, which consists of a triple (IDi , S, Hdr) with S ⊆ S ∗ and
IDi ∈ S. The challenger responds with Decrypt(S, IDi , skIDi , Hdr, PK).
Challenge: When A decides that phase 1 is over, the challenger runs Encrypt
algorithm to obtain (Hdr∗ , K) = Encrypt(S ∗ , PK) where K ∈ K. The chal-
lenger then randomly selects b ← {0, 1}, sets Kb = K, and sets K1−b to a
random value in K. The challenger returns (Hdr∗ , K0 , K1 ) to A.
Query phase 2: The adversary continues to issue queries qs0 +1 , . . . , qs where
qi is one of the following:
• Extraction query (IDi ), as in phase 1.
• Decryption query, as in phase 1, but with the constraint that Hdr 6= Hdr∗ .
The challenger responds as in phase 1.
Guess: Finally, the adversary A outputs a guess b0 ∈ {0, 1} and wins the game
if b = b0 .
 We denote by qD the total number of Decryption queries and by t the total
number of extraction queries that can be issued by the adversary during the
game. Viewing t, m, qD as attack parameters, we denote by Advind
IBBE (t, m, qD , A)
the advantage of A in winning the game:
0 0 0
Advind
IBBE (t, m, qD , A) = |2 × Pr[b = b] − 1| = |Pr[b = 1|b = 1] − Pr[b = 1|b = 0]|

where the probability is taken over the random coins of A, the challenger and
all probabilistic algorithms run by the challenger.

Definition 1. Let Advind ind

IBBE (t, m, qD ) = maxA AdvIBBE (t, m, qD , A) where the
maximum is taken over all probabilistic algorithms A running in time poly(λ).
An identity-based broadcast encryption scheme IBBE is said to be (t, m, qD )-
IND-sID-CCA secure if AdvindIBBE (t, m, qD ) = negl(λ).

IND-sID-CPA . Analogously to [10], we define semantic security for an IBBE

scheme by preventing the attacker from issuing decryption queries.

Definition 2. We say that an identity-based broadcast encryption system is

(t, m)-IND-sID-CPA secure if it is (t, m, 0)-IND-sID-CCA secure.

Remark. In [10], the choice of S ∗ implies a choice of corrupted users, because

the total number of users is fixed in the setup. In the model we described before,
the corrupted users are not chosen at the beginning but adaptively. We describe
below a modification of our model which does not allow adaptive corruptions,
as in [10].

Definition 3. (t, m, qD )-IND-na-sID-CCA security (non adaptive sID): at ini-

tialization time, the attacker outputs a set S ∗ = {ID∗1 , . . . , ID∗s } of identities that
he wants to attack, and a set C = {ID ¯1 , . . . , ID
¯ t } of identities that he wants to
corrupt (i.e. to obtain the corresponding private key). Thus the attacker issues t
extraction queries only at the beginning of the game.

Definition 4. We say that an identity-based broadcast encryption system is

(t, m)-IND-na-sID-CPA secure if it is (t, m, 0)-IND-na-sID-CCA secure.

Full collusion resistance. In an IBBE system, the number of possible users (iden-
tities) does not have to be fixed at the beginning, thus we cannot really talk about
full collusion resistance. If the number n of possible users was fixed, as in [10] for
example, our construction would be fully collusion resistant.

2.3 Bilinear Maps

We briefly review the necessary facts about bilinear maps. Let G1 , G2 and GT be
three cyclic groups of prime order p. A bilinear map e (·, ·) is a map G1 ×G2 → GT
such that for any generators g1 ∈ G1 , g2 ∈ G2 and a, b ∈ Zp ,

ab
• e g1 a , g2 b = e (g1 , g2 ) (Bilinearity)
 • e (g1 , g2 ) 6= 1 (Non-degeneracy).
A bilinear map group system B is a tuple B = (p, G1 , G2 , GT , e (·, ·)), composed
of objects as described above. B may also include group generators in its de-
scription. We impose all group operations as well as the bilinear map e (·, ·) to
be efficiently computable, i.e. in time poly(|p|).
As seen later, we make use of an arbitrary bilinear map group system in our
constructions. In particular, we do not need G1 and G2 to be distinct or equal.
Neither do we require the existence of an efficient isomorphism going either way
between G1 and G2 , as it is the case for some pairing-based systems.

2.4 The General Diffie-Hellman Exponent Assumption

As in [15], we make use of the generalization of the Diffie-Hellman exponent as-
sumption due to Boneh, Boyen and Goh [8]. They introduced a class of assump-
tions which includes a lot of assumptions that appeared with new pairing-based
schemes. It includes for example DDH (in GT ), BDH, q−BDHI, and q−BDHE
assumptions.
We give an overview in the symmetric case. Let then B = (p, G1 , G2 , GT , e (·, ·))
be a bilinear map group system such that G1 = G2 = G. Let g0 ∈ G be a
generator of G, and set g = e (g0 , g0 ) ∈ GT . Let s, n be positive integers and
P, Q ∈ Fp [X1 , . . . , Xn ]s be two s-tuples of n-variate polynomials over Fp . Thus,
P and Q are just two lists containing s multivariate polynomials each. We write
P = (p1 , p2 , . . . , ps ) and Q = (q1 , q2 , . . . , qs ) and impose that p1 = q1 = 1. For
any function h : Fp → Ω and vector (x1 , . . . , xn ) ∈ Fnp , h(P (x1 , . . . , xn )) stands
for (h(p1 (x1 , . . . , xn )), . . . , h(ps (x1 , . . . , xn ))) ∈ Ω s . We use a similar notation
for the s-tuple Q. Let f ∈ Fp [X1 , . . . , Xn ]. It is said that f depends on (P, Q),
which we denote by f ∈ hP, Qi, when there exists a linear decomposition
X X
f= ai,j · pi · pj + bi · q i , ai,j , bi ∈ Zp .
1≤i,j≤s 1≤i≤s

Let P, Q be as above and f ∈ Fp [X1 , . . . , Xn ]. The (P, Q, f )-General Diffie-

Hellman Exponent problems are defined as follows.

Definition 5 ((P, Q, f )-GDHE). Given the tuple

 
H(x1 , . . . , xn ) = g0 P (x1 ,...,xn ) , g Q(x1 ,...,xn ) ∈ Gs × GsT ,

compute g f (x1 ,...,xn ) .

Definition 6 ((P, Q, f )-GDDHE). Given H(x1 , . . . , xn ) ∈ Gs × GsT as above

and T ∈ GT , decide whether T = g f (x1 ,...,xn ) .

We refer to [8] for a proof that (P, Q, f )-GDHE and (P, Q, f )-GDDHE have
generic security when f 6∈ hP, Qi. We will prove our constructions are secure
based on the assumption that (P, Q, f )-GDDHE is intractable for any f 6∈ hP, Qi
and polynomial parameters s, n = poly(λ). We just have to determine P , Q and
f , such that we can perform our simulation, and then proving the condition
on the polynomials will prove the intractability of our problem (because as seen
before, the (P, Q, f )-GDDHE problem is hard for any choice of P , Q and f which
satisfy the aforementioned condition).

3 Our Construction

3.1 Description

In this section, we present our new IBBE, with constant size ciphertexts and
private keys.

Setup(λ, m). Given the security parameter λ and an integer m, a bilinear map
group system B = (p, G1 , G2 , GT , e (·, ·)) is constructed such that |p| = λ.
Also, two generators g ∈ G1 and h ∈ G2 are randomly selected as well as a
secret value γ ∈ Z?p . Choose a cryptographic hash function H : {0, 1}? → Z?p .
The security analysis will view H as a random oracle. B and H constitute
system public parameters. The master secret
key is defined as MSK = (g, γ).
m
The public key is PK = w, v, h, hγ , . . . , hγ where w = g γ , and v = e (g, h).

Extract(MSK, ID). Given MSK = (g, γ) and the identity ID, it outputs
1
skID = g γ+H(ID)

Encrypt(S, PK). Assume for notational simplicity that S = {IDj }sj=1 , with s ≤
m

m. Given PK = w, v, h, hγ , . . . , hγ , the broadcaster randomly picks k ←
Z?p and computes Hdr = (C1 , C2 ) and K where
Qs
C1 = w−k , C2 = hk· i=1 (γ+H(IDi )) , K = vk .

Encrypt outputs (Hdr, K). (Then K is used to encrypt the message)

Decrypt(S, IDi , skIDi , Hdr, PK). In order to retrieve the message encryption key
K encapsulated in the header Hdr = (C1 , C2 ), user with identity IDi and the
1
corresponding private key skIDi = g γ+H(IDi ) (with IDi ∈ S) computes
    Qs 1
H(IDj )
K = e C1 , hpi,S (γ) · e (skIDi , C2 ) j=1,j6=i

with  
s s
1  Y Y
pi,S (γ) = · (γ + H(IDj )) − H(IDj )
γ
j=1,j6=i j=1,j6=i
Correctness: Assuming C is well-formed for S:
 
K 0 := e C1 , hpi,S (γ) · e (skIDi , C2 )
   1 Qs 
= e g −k.γ , hpi,S (γ) · e g γ+H(IDi ) , hk· j=1 (γ+H(IDj ))
−k·( sj=1,j6=i (γ+H(IDj ))− sj=1,j6=i H(IDj ))
Q Q Qs
k· j=1,j6=i (γ+H(IDj ))
= e (g, h) · e (g, h)
Qs
k H(IDj )
= e (g, h) j=1,j6=i
Qs
H(IDj )
= K j=1,j6=i

1
0 Qs H(IDj )
Thus K j=1,j6=i = K.

Efficiency Our construction achieves O(1)-size ciphertexts, O(m)-size public

keys and constant size private keys. Note that public key is linear in the maximal
size of S, and not in the number of decryption keys that can be distributed. If
we would like to fix the total number n of users, and set m = n, then we would
reduce the public key size by a factor of two from BGW. Note also that as we
said before, the broadcaster has to send the set S of identities that are included
in the ciphertext. This set is needed to decrypt, as in previous schemes, thus it
is counted in the full header, but not in the header.

3.2 Security Analysis

We prove the IND-sID-CPA security of our system by using the GDDHE frame-
work of [8]. We start by defining the following intermediate decisional problem.

Definition 7 ((f, g, F )-GDDHE). Let B = (p, G1 , G2 , GT , e (·, ·)) be a bilinear

map group system and let f and g be two coprime polynomials with pairwise
distinct roots, of respective orders t and n. Let g0 be a generator of G1 and h0 a
generator of G2 . Solving the (f, g, F )-GDDHE problem consists, given
t−1
g0 , g0 γ , . . . , g0 γ , g0 γ·f (γ) , g0 k·γ·f (γ) ,
2n
h0 , h 0 γ , . . . , h 0 γ , h0 k·g(γ) ,

k·f (γ)
and T ∈ GT , in deciding whether T is equal to e (g0 , h0 ) or to some random
element of GT .

We denote by Advgddhe (f, g, F, A) the advantage of an algorithm A in distinguish-

ing the two distributions and set Advgddhe (f, g, F ) = maxA Advgddhe (f, g, F, A)
over poly(|p|)-time A’s.
The following statement is a corollary of Theorem 2 which can be found in
Appendix A. This corollary concerns the case where the polynomials are of the
form described above (see the reformulation of the problem in Appendix A).
Corollary 1 (Generic security of (f, g, F )-GDDHE). For any probabilistic
algorithm A that totalizes of at most q queries to the oracles performing the
group operations in G1 , G2 , GT and the bilinear map e (·, ·),

(q + 2(n + t + 4) + 2)2 · d
Advgddhe (f, g, F, A) ≤
2p

with d = 2 · max(n, t + 1).

IND-sID-CPA Security. Let IBBE denote our construction as per Section 3. We

state:

Theorem 1. For any n, t, we have Advind

IBBE (t, n) ≤ 2 · Adv
gddhe
(f, g, F ).

The rest of this section is dedicated to proving Theorem 1. To establish the

semantic security of IBBE against static adversaries, we assume to be given
an adversary A breaking it under a (t, n)-collusion and we build a reduction
algorithm R that distinguishes the two distributions of the (f, g, F )-GDDHE
problem.
Both the adversary and the challenger are given as input n, the maximal size
of a set of included users S, and t the total number of extraction queries and
random oracle queries that can be issued by the adversary.
Algorithm R is given as input a group system B = (p, G1 , G2 , GT , e (·, ·)), and
a (f, g, F )-GDDHE instance in B (as described in Definition 7). We thus have f
and g two coprime polynomials with pairwise distinct roots, of respective orders
t and n, and R is given
t−1
g0 , g0 γ , . . . , g0 γ , g0 γ·f (γ) , g0 k·γ·f (γ) ,
γ γ 2n
h0 , h 0 , . . . , h 0 , h0 k·g(γ) ,

k·f (γ)
as well as T ∈ GT which is either equal to e (g0 , h0 ) or to some random
element of GT .
For simplicity, we state that f and g are unitary polynomials, but this is not a
mandatory requirement.

Notations.
Qt Qt+n
• f (X) = i=1 (X + xi ), g(X) = i=t+1 (X + xi )
f (x)
• fi (x) = x+xi for i ∈ [1, t], which is a polynomial of degree t − 1
g(x)
• gi (x) = x+xi for i ∈ [t + 1, t + n], which is a polynomial of degree n − 1

Init: The adversary A outputs a set S ∗ = {ID∗1 , . . . , ID∗s∗ } of identities that he

wants to attack (with s∗ ≤ n).
Setup: To generate the system parameters, R formally sets g = g0 f (γ) (i.e. with-
out computing it) and sets
Qt+n
(γ+xi )
h = h0 i=t+s∗ +1 , w = g0 γ·f (γ) = g γ ,
Qt+n
f (γ)· i=t+s∗ +1
(γ+xi )
v = e (g0 , h0 ) = e (g, h) .
n

R then defines the public key as PK = w, v, h, hγ , . . . , hγ . Note that R
can by no means compute the value of g. R runs A on the system parameters
(B, H) and PK, with H a random oracle controlled by R described below.
Hash Queries: At any time the adversary A can query the random oracle
on any identity IDi (at most t − qE times, with qE the number of extrac-
tion queries). To respond to these queries, R maintains a list LH of tuples
(IDi , xi , skIDi ) that contains at the beginning:
t t+s∗
{(∗, xi , ∗)}i=1 , {(IDi , xi , ∗)}i=t+1
(we choose to note “∗” an empty entry in LH ). When the adversary issues
a hash query on identity IDi ,
1. If IDi already appears in the list LH , R responds with the corresponding
xi .
2. Otherwise, R sets H(IDi ) = xi , and completes the list with (IDi , xi , ∗).
Query phase 1: The adversary A adaptively issues queries q1 , . . . , qm , where
/ S ∗ and
qi is an Extraction query (IDi ): The challenger runs Extract on IDi ∈
forwards the resulting private key to the adversary. To generate the keys,
• if A has already issued an extraction query on IDi , R responds with the
corresponding skIDi in the list LH .
• else, if A has already issued a hash query on IDi , then R uses the corre-
sponding xi to compute
1
skIDi = g0 fi (γ) = g γ+H(IDi )
One can verify that skIDi is a valid private key. R then completes the list
LH with skIDi for IDi .
1. Otherwise, R sets H(IDi ) = xi , computes the corresponding skIDi exactly
as above, and completes the list LH for IDi .
Challenge: When A decides that phase 1 is over, algorithm R computes Encrypt
to obtain (Hdr∗ , K) = Encrypt(S ∗ , PK)
Qt+n  
C1 = g0 −k·γ·f (γ) , C2 = h0 k·g(γ) , K = T i=t+s∗ +1 xi ·e g0 k·γ·f (γ) , h0 q(γ)
Q 
t+n Qt+n
with q(γ) = γ1 · ∗
i=t+s +1 (γ + xi ) − ∗
i=t+s +1 x i .
One can verify that:
Qt+n Qt+s∗ Qt+s∗ ∗
C1 = w−k , C2 = h0 k· i=t+s∗ +1
(γ+xi )· i=t+1 (γ+xi ) = hk· i=t+1 (γ+H(IDi )) .
k·f (γ)
Note that if T = e (g0 , h0 ) , then K = v k .
The challenger then randomly selects b ← {0, 1}, sets Kb = K, and sets
K1−b to a random value in K. The challenger returns (Hdr∗ , K0 , K1 ) to A.
Query phase 2: The adversary continues to issue queries qm+1 , . . . , qE where
/ S ∗ (identical
qi is an extraction query (IDi ) with the constraint that IDi ∈
to phase 1).
Guess: Finally, the adversary A outputs a guess b0 ∈ {0, 1} and wins the game
if b = b0 .

One has

Advgddhe (f, g, F, R) = Pr[b0 = b| real] − Pr[b0 = b| rand]

1
= × (Pr[b0 = 1|b = 1 ∧ real] − Pr[b0 = 1|b = 0 ∧ real])
2
1
− × (Pr[b0 = 1|b = 1 ∧ rand] + Pr[b0 = 1|b = 0 ∧ rand]) .
2
Now in the random case, the distribution of b is independent from the adversary’s
view wherefrom

Pr[b0 = 1|b = 1 ∧ rand] = Pr[b0 = 1|b = 0 ∧ rand] .

In the real case however, the distributions of all variables defined by R per-
fectly comply with the semantic security game since all simulations are perfect.
Therefore
0 0
Advind
IBBE (t, n, A) = Pr[b = 1|b = 1 ∧ real] − Pr[b = 1|b = 0 ∧ real] .

Putting it altogether, we get that Advgddhe (f, g, F, R) = 1

2 · Advind
IBBE (t, n, A).

Remark. Note that if the attacker makes less key derivation queries than random
oracle queries, we generate keys that we never give out, but this is not a problem.

About chosen-ciphertext attacks. The Cannetti, Halevi, and Katz [12] result
applies here. Just making one of the identities that we broadcast to derive from
a verification key of a strong signature scheme. Then it can be used to sign the
ciphertext.

Removing the Random Oracle Model. One way to remove the random
oracle model could be to randomize the private key extraction as follows: For
1 1
an identity IDi , skIDi = g γ+IDi could be replaced by Ai = g γ+IDi +ri .α , with α an
element of MSK and ri chosen by the PKG. Note that this randomization has
already been employed in [6].
Note also that we could easily obtain IND-na-sID-CPA without random oracles
by using an assumption which is not fully non-interactive. Indeed, during the
setup, if the algorithm is given a (f, g, F )-GDDHE instance, with g that corre-
sponds to the target set and f to the corrupted set (chosen by the attacker at
initialization), then the rest of the proof can be done without any oracle.
4 Conclusion

We introduced the first identity-based broadcast encryption (IBBE) scheme with

constant size ciphertexts and private keys. One interesting open problem would
be to construct an IBBE system with constant size ciphertexts and private keys
that is secure under a more standard assumption, or which achieves a stronger
security notion, equivalent to full security in IBE schemes.

Acknowledgements

The author would like to thank David Pointcheval, Pascal Paillier and Brent
Waters for helpful discussions, and anonymous referees for helpful comments.

References

1. Michel Abdalla, Eike Kiltz, and Gregory Neven. Generalized key delegation for
hierarchical identity-based encryption. In ESORICS 2007, volume 4734 of LNCS,
pages 139–154. Springer-Verlag, Berlin, Germany, 2005.
2. Joonsang Baek, Reihaneh Safavi-Naini, and Willy Susilo. Efficient multi-receiver
identity-based encryption and its application to broadcast encryption. In Serge
Vaudenay, editor, PKC 2005, volume 3386 of LNCS, pages 380–397, Les Diablerets,
Switzerland, January 23–26, 2005. Springer-Verlag, Berlin, Germany.
3. Manuel Barbosa and P. Farshim. Efficient identity-based key encapsulation to
multiple parties. In Nigel P. Smart, editor, IMA Int. Conf., volume 3796 of Lecture
Notes in Computer Science, pages 428–441. Springer, 2005.
4. Mihir Bellare, Alexandra Boldyreva, and Silvio Micali. Public-key encryption in
a multi-user setting: Security proofs and improvements. In Bart Preneel, edi-
tor, EUROCRYPT 2000, volume 1807 of LNCS, pages 259–274, Bruges, Belgium,
May 14–18, 2000. Springer-Verlag, Berlin, Germany.
5. Mihir Bellare, Alexandra Boldyreva, and Jessica Staddon. Randomness re-use in
multi-recipient encryption schemeas. In Yvo Desmedt, editor, PKC 2003, volume
2567 of LNCS, pages 85–99, Miami, USA, January 6–8, 2003. Springer-Verlag,
Berlin, Germany.
6. Dan Boneh and Xavier Boyen. Efficient selective-ID secure identity based encryp-
tion without random oracles. In Christian Cachin and Jan Camenisch, editors,
EUROCRYPT 2004, volume 3027 of LNCS, pages 223–238, Interlaken, Switzer-
land, May 2–6, 2004. Springer-Verlag, Berlin, Germany.
7. Dan Boneh and Xavier Boyen. Secure identity based encryption without random
oracles. In Matthew Franklin, editor, CRYPTO 2004, volume 3152 of LNCS, pages
443–459, Santa Barbara, CA, USA, August 15–19, 2004. Springer-Verlag, Berlin,
Germany.
8. Dan Boneh, Xavier Boyen, and Eu-Jin Goh. Hierarchical identity based encryption
with constant size ciphertext. In Ronald Cramer, editor, EUROCRYPT 2005, vol-
ume 3494 of LNCS, pages 440–456, Aarhus, Denmark, May 22–26, 2005. Springer-
Verlag, Berlin, Germany. Extended version available at http://eprint.iacr.org/
2005/015.
 9. Dan Boneh and Matthew K. Franklin. Identity-based encryption from the Weil
pairing. In Joe Kilian, editor, CRYPTO 2001, volume 2139 of LNCS, pages 213–
229, Santa Barbara, CA, USA, August 19–23, 2001. Springer-Verlag, Berlin, Ger-
many.
10. Dan Boneh, Craig Gentry, and Brent Waters. Collusion resistant broadcast
encryption with short ciphertexts and private keys. In Victor Shoup, editor,
CRYPTO 2005, volume 3621 of LNCS, pages 258–275, Santa Barbara, CA, USA,
August 14–18, 2005. Springer-Verlag, Berlin, Germany.
11. Ran Canetti, Shai Halevi, and Jonathan Katz. A forward-secure public-key en-
cryption scheme. In Eli Biham, editor, EUROCRYPT 2003, volume 2656 of LNCS,
pages 255–271, Warsaw, Poland, May 4–8, 2003. Springer-Verlag, Berlin, Germany.
12. Ran Canetti, Shai Halevi, and Jonathan Katz. Chosen-ciphertext security from
identity-based encryption. In Christian Cachin and Jan Camenisch, editors, EU-
ROCRYPT 2004, volume 3027 of LNCS, pages 207–222, Interlaken, Switzerland,
May 2–6, 2004. Springer-Verlag, Berlin, Germany.
13. Sanjit Chatterjee and Palash Sarkar. Multi-receiver identity-based key encap-
sulation with shortened ciphertext. In Rana Barua and Tanja Lange, editors,
INDOCRYPT 2006, volume 4329 of Lecture Notes in Computer Science, pages
394–408. Springer, 2006.
14. Clifford Cocks. An identity based encryption scheme based on quadratic residues.
In Bahram Honary, editor, Cryptography and Coding, 8th IMA International Con-
ference, volume 2260 of LNCS, pages 360–363, Cirencester, UK, December 17–19,
2001. Springer-Verlag, Berlin, Germany.
15. Cécile Delerablée, Pascal Paillier, and David Pointcheval. Fully collusion secure
dynamic broadcast encryption with constant-size ciphertexts or decryption keys.
In T. Takagi et al., editor, PAIRING 2007, volume 4575 of LNCS, pages 39–59.
Springer-Verlag, Berlin, Germany, 2007.
16. Amos Fiat and Moni Naor. Broadcast encryption. In Douglas R. Stinson, editor,
CRYPTO’93, volume 773 of LNCS, pages 480–491, Santa Barbara, CA, USA,
August 22–26, 1994. Springer-Verlag, Berlin, Germany.
17. Craig Gentry. Practical identity-based encryption without random oracles. In Serge
Vaudenay, editor, EUROCRYPT 2006, volume 4004 of LNCS, pages 445–464, St.
Petersburg, Russia, May 28 – June 1, 2006. Springer-Verlag, Berlin, Germany.
18. Craig Gentry and Alice Silverberg. Hierarchical ID-based cryptography. In Yuliang
Zheng, editor, ASIACRYPT 2002, volume 2501 of LNCS, pages 548–566, Queen-
stown, New Zealand, December 1–5, 2002. Springer-Verlag, Berlin, Germany.
19. Michael T. Goodrich, Jonathan Z. Sun, and Roberto Tamassia. Efficient tree-
based revocation in groups of low-state devices. In Matthew Franklin, editor,
CRYPTO 2004, volume 3152 of LNCS, pages 511–527, Santa Barbara, CA, USA,
August 15–19, 2004. Springer-Verlag, Berlin, Germany.
20. Dani Halevy and Adi Shamir. The LSD broadcast encryption scheme. In Moti
Yung, editor, CRYPTO 2002, volume 2442 of LNCS, pages 47–60, Santa Barbara,
CA, USA, August 18–22, 2002. Springer-Verlag, Berlin, Germany.
21. Jeremy Horwitz and Ben Lynn. Toward hierarchical identity-based encryption.
In Lars R. Knudsen, editor, EUROCRYPT 2002, volume 2332 of LNCS, pages
466–481, Amsterdam, The Netherlands, April 28 – May 2, 2002. Springer-Verlag,
Berlin, Germany.
22. Kaoru Kurosawa. Multi-recipient public-key encryption with shortened cipher-
text. In David Naccache and Pascal Paillier, editors, PKC 2002, volume 2274 of
LNCS, pages 48–63, Paris, France, February 12–14, 2002. Springer-Verlag, Berlin,
Germany.
23. Dalit Naor, Moni Naor, and Jeffery Lotspiech. Revocation and tracing schemes
for stateless receivers. In Joe Kilian, editor, CRYPTO 2001, volume 2139 of
LNCS, pages 41–62, Santa Barbara, CA, USA, August 19–23, 2001. Springer-
Verlag, Berlin, Germany.
24. Adi Shamir. Identity-based cryptosystems and signature schemes. In G. R. Blakley
and David Chaum, editors, CRYPTO’84, volume 196 of LNCS, pages 47–53, Santa
Barbara, CA, USA, August 19–23, 1985. Springer-Verlag, Berlin, Germany.
25. Nigel P. Smart. Efficient key encapsulation to multiple parties. In Carlo Blundo
and Stelvio Cimato, editors, SCN 04, volume 3352 of LNCS, pages 208–219, Amalfi,
Italy, September 8–10, 2004. Springer-Verlag, Berlin, Germany.
26. Brent R. Waters. Efficient identity-based encryption without random oracles. In
Ronald Cramer, editor, EUROCRYPT 2005, volume 3494 of LNCS, pages 114–127,
Aarhus, Denmark, May 22–26, 2005. Springer-Verlag, Berlin, Germany.

A Intractability of (f, g, F )-GDDHE

In this section, we prove the intractability of distinguishing the two distributions
involved in the (f, g, F )-GDDHE problem (cf. Corollary 1, section 3.2). We first
review some results on the General Diffie-Hellman Exponent Problem, from [8].
In order to be the most general, we assume the easiest case for the adversary:
when G1 = G2 , or at least that an isomorphism that can be easily computed in
either one or both ways is available.

Theorem 2 ([8]). Let P, Q ∈ Fp [X1 , . . . , Xm ] be two s-tuples of m-variate poly-

nomials over Fp and let F ∈ Fp [X1 , . . . , Xm ]. Let dP (resp. dQ , dF ) denote the
maximal degree of elements of P (resp. of Q, F ) and pose d = max(2dP , dQ , dF ).
If F ∈
/ hP, Qi then for any generic-model adversary A totalizing at most q queries
to the oracles (group operations in G, GT and evaluations of e) which is given
H(x1 , . . . , xm ) as input and tries to distinguish g F (x1 ,...,xm ) from a random value
in GT , one has
(q + 2s + 2)2 · d
Adv(A) ≤ .
2p
Proof (of Corollary 1). In order to conclude with Corollary 1, we need to prove
that the (f, g, F )-GDDHE problem lies in the scope of Theorem 2. As already
said, we consider the weakest case G1 = G2 = G and thus pose h0 = g0 β . Our
problem can be reformulated as (P, Q, F )-GDHE where

1, γ, γ 2 , . . . , γ t−1 ,
 
γ · f (γ), k · γ · f (γ)
P =
β, β · γ, β · γ 2 , . . . , β · γ 2n , k · β · g(γ)
Q=1
F = k · β · f (γ),

and thus m = 3 and s = t + n + 4. We have to show that F is indepen-

dent of (P, Q), i.e. that no coefficients {ai,j }si,j=1 and b1 exist such that F =
Ps P2
i,j=1 ai,j pi pj + k=1 b1 q1 where the polynomials pi and q1 are the one listed
in P and Q above. By making all possible products of two polynomials from P
which are multiples of k · β, we want to prove that no linear combination among
the polynomials from the list R below leads to F :

k · β · γ · f (γ), k · β · γ 2 · f (γ), . . . , k · β · γ n+1 · f (γ),

 

R =  k · β · g(γ), k · β · γ · g(γ), . . . , k · β · γ t−1 · g(γ)  .

k · β · γ · f (γ)g(γ)
Pi=n
Note that the last polynomial can be written as k · β · γ · f (γ)g(γ) = i=0 νi ·
k·β ·γ i+1 ·f (γ), and thus as a linear combination of the polynomials from the first
line. We therefore simplify the task to refuting a linear combination of elements
of the list R0 below which leads to f (γ):

γ · f (γ), γ 2 · f (γ), . . . , γ n+1 · f (γ),

 
0
R = .
g(γ), γ · g(γ), . . . , γ t−1 · g(γ)
Any such linear combination can be written as

f (γ) = A(γ) · f (γ) + B(γ) · g(γ)

where A and B are polynomials such that A(0) = 0, deg A ≤ n + 1 and deg B ≤
t − 1. Since f and g are coprime by assumption, we must have f | B. Since
deg f = t and deg B ≤ t − 1 this implies B = 0. Hence A = 1 which contradicts
A(0) = 0. t
u