## Cryptology ePrint Archive: Report 2016/953

Collusion-Resistant Broadcast Encryption with Tight Reductions and Beyond

Linfeng Zhou

Abstract: The issue of tight security for identity-based encryption schemes ($\mathsf{IBE}$) in bilinear groups has been widely investigated and a lot of optimal properties have been achieved. Recently, a tightly secure IBE scheme in bilinear groups under the multi-challenge setting has been achieved by Chen et al. (to appear in PKC 2017), and their scheme even achieves constant-size public parameters and is adaptively secure. However, we note that the issue of tight security for broadcast encryption schemes ($\mathsf{BE}$) in bilinear groups has received less attention so far. In fact, current broadcast encryption systems in bilinear groups are either not tightly secure or based on non-static assumptions.

In this work we mainly focus on the issue of tight security for standard broadcast encryption schemes. (We use the syntax of broadcast encryption schemes under the key-encapsulation setting in this work; it can easily be transformed into one under the standard setting.) We construct the *first* tightly secure broadcast encryption scheme from static assumptions (i.e., decisional subgroup assumptions) in the selective security model by utilizing improved techniques derived from the Déjà Q framework (Eurocrypt 2014, TCC-A 2016). The proof of our construction leads to only $O(\log n)$ or $O(\log \lambda)$ security loss, where $n$ is the number of users in the system and $\lambda$ is the security parameter.

Following this result, we present a tightly secure non-zero inner product encryption scheme ($\mathsf{NIPE}$) from decisional subgroup assumptions in the selective security model. This NIPE scheme has the same parameter sizes as our BE scheme and there is only $O(\log n)$ or $O(\log \lambda)$ security loss as well, where $n$ is the dimension of the inner product space and $\lambda$ is the security parameter.

Finally, we further present a tightly secure functional commitment scheme ($\mathsf{FC}$) for linear functions, which was introduced by Libert et al. (ICALP 16). In contrast with their scheme, which also suffers $O(n)$ security loss during the reduction, there is only $O(\log n)$ or $O(\log \lambda)$ security loss in our FC scheme.

Category / Keywords: Broadcast Encryption, Non-zero Inner Product Encryption, Functional Commitment for Linear Functions, Tight Security

Date: received 3 Oct 2016, last revised 15 Feb 2017

Contact author: daniel linfeng zhou at gmail com


Note: Fix typos

Short URL: ia.cr/2016/953
