
Reducing the Size of the Ciphertext with Randomness Re-Use


Our main focus so far has been to show that ANOBE is achievable. Indeed we have proved that we can obtain it starting from public-key, identity-based and attribute-based encryption. Our next step is to look at how to improve on the efficiency of certain constructions, striving towards more practical ANOBE schemes.

To this end, we investigate the technique of randomness re-use, a rigorous and formal study of which can be found in [9] (followed by [5]). The usefulness of this technique appears obvious in the context of multi-recipient encryption, where the same “base” encryption scheme is used to send messages to multiple receivers. Re-using randomness has several practical implications: first of all, randomness is not cheap, and therefore generating less of it already represents a performance improvement. Secondly, it implies a saving in computational costs, since some components will be re-used in the encryption process. Finally, it allows for smaller bandwidth consumption.

While the efficiency benefits of applying this technique have always been clear, the impact of randomness re-use on the security of the scheme has required some attention. In particular, the authors of [9] provide a condition under which randomness re-use is secure in the setting of public-key encryption. Namely, if the base scheme satisfies a certain property (called reproducibility) then sharing the randomness across ciphertext components can be done without altering the security of the scheme. Informally, a scheme is reproducible if there exists a polynomial-time algorithm that on input the public parameters, a public key $pk$, a ciphertext $C$, encryption of a message $M$ under $pk$ using randomness $r$, a public/secret key-pair $(pk', sk')$ and a message $M'$, returns $C'$, the encryption of $M'$ under $pk'$ using the same randomness $r$. We recall the formal definition from [9].

Let $\Pi = (\mathsf{PKE.PG}, \mathsf{PKE.KeyGen}, \mathsf{PKE.Enc}, \mathsf{PKE.Dec})$ be a PKE scheme. Let $\mathsf{MsgSp}$ and $\mathsf{RSp}$ be the message and randomness space of $\Pi$, respectively. Let $R$ be an algorithm that takes as input the public parameters, a public key, a ciphertext generated under such public key, a random message and a key-pair, and outputs a ciphertext. Consider the following experiment.

$$
\begin{array}{l}
\mathbf{Exp}^{\mathrm{Rep}}_{\Pi,R}(1^\lambda) \\
\quad pars \leftarrow \mathsf{PKE.PG}(1^\lambda) \\
\quad (pk, sk) \leftarrow \mathsf{PKE.KeyGen}(pars) \\
\quad M \leftarrow \mathsf{MsgSp};\ r \leftarrow \mathsf{RSp} \\
\quad C = \mathsf{PKE.Enc}(pars, M, pk; r) \\
\quad (pk', sk') \leftarrow \mathsf{PKE.KeyGen}(pars) \\
\quad M' \leftarrow \mathsf{MsgSp} \\
\quad \text{return } 1 \text{ if } \mathsf{PKE.Enc}(pars, M', pk'; r) = R(pars, pk, C, M', pk', sk') \text{ and } 0 \text{ otherwise.}
\end{array}
$$

Definition 4.13 (Reproducibility) $\Pi$ is reproducible if for any $\lambda$ there is a p.t. algorithm $R$ such that the experiment $\mathbf{Exp}^{\mathrm{Rep}}_{\Pi,R}(1^\lambda)$ outputs 1 with probability 1.

Informally, the main reproducibility theorem [9, Theorem 1] implies that if a PKE scheme is reproducible and IND-CCA secure, then the corresponding randomness re-using, multi-recipient PKE scheme is also IND-CCA secure.

Now, a crucial observation is that effectively some of our constructions for ANOBE (we will focus on the one in Section 4.3.2) originate from a base encryption scheme which is used repeatedly to encrypt the same message to multiple receivers.

The relation between multi-recipient and broadcast encryption was briefly discussed in [9]: a multi-recipient encryption scheme can indeed be transformed into a BE scheme by encrypting the same message to each user in the target set, by broadcasting the whole vector of ciphertext components, and by specifying a decryption procedure that will allow each legitimate user to decrypt. Therefore it seems natural to consider randomness re-use as an efficiency-enhancing technique in the context of anonymous broadcast encryption.

It turns out that, in order to do so in a provably secure way, we have to introduce a new notion of reproducibility, called key-less reproducibility, better suited for a setting where anonymity is needed. In a nutshell, key-less reproducibility differs from reproducibility in that the reproduction algorithm no longer requires as input $pk$, the public key under which $C$ was created. We formalize this as follows.

Let $\Pi = (\mathsf{PKE.PG}, \mathsf{PKE.KeyGen}, \mathsf{PKE.Enc}, \mathsf{PKE.Dec})$ be a PKE scheme. Let $\mathsf{MsgSp}$ and $\mathsf{RSp}$ be the message and randomness space of $\Pi$, respectively. Let $R$ be an algorithm that takes as input public parameters, a ciphertext, a random message and a key-pair, and outputs a ciphertext. Consider the experiment:

$$
\begin{array}{l}
\mathbf{Exp}^{\mathrm{KLRep}}_{\Pi,R}(1^\lambda) \\
\quad pars \leftarrow \mathsf{PKE.PG}(1^\lambda) \\
\quad (pk, sk) \leftarrow \mathsf{PKE.KeyGen}(pars) \\
\quad M \leftarrow \mathsf{MsgSp};\ r \leftarrow \mathsf{RSp} \\
\quad C = \mathsf{PKE.Enc}(pars, M, pk; r) \\
\quad (pk', sk') \leftarrow \mathsf{PKE.KeyGen}(pars) \\
\quad M' \leftarrow \mathsf{MsgSp} \\
\quad \text{return } 1 \text{ if } \mathsf{PKE.Enc}(pars, M', pk'; r) = R(pars, C, M', pk', sk') \text{ and } 0 \text{ otherwise.}
\end{array}
$$

Definition 4.14 (Key-less reproducibility) $\Pi$ is key-less reproducible if for any $\lambda$ there is a p.t. algorithm $R$ such that the experiment $\mathbf{Exp}^{\mathrm{KLRep}}_{\Pi,R}(1^\lambda)$ outputs 1 with probability 1.

We note that we can recover the original reproducibility notion simply by including a description of $pk$ in the ciphertext $C$.

We now apply the technique of randomness re-use to obtain more efficient instantiations for ANOBE. Let us reconsider the generic construction presented in Section 4.3.2.

Let $\Pi = (\mathsf{PKE.PG}, \mathsf{PKE.KeyGen}, \mathsf{PKE.Enc}, \mathsf{PKE.Dec})$ be a key-less reproducible PKE scheme, and let $\Sigma = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Ver})$ be a signature scheme. We call $\mathsf{ANOBE}^{rr}_{\Pi,\Sigma}$ the scheme constructed from $\Pi$ and $\Sigma$ as follows.

$\mathsf{BE.PG}$, $\mathsf{BE.KeyGen}$, $\mathsf{BE.Dec}$ are as in Section 4.3.2.

$\mathsf{BE.Enc}(\mathsf{BE\text{-}MPK}, M, S)$: to encrypt $M$ for a receiver set $S = \{i_1, \ldots, i_\ell\} \subseteq \{1, \ldots, n\}$ of size $\ell = |S|$, generate a signature key-pair $(sigk, vk) \leftarrow \mathsf{Gen}(1^\lambda)$. Choose $r \leftarrow \mathsf{RSp}$, where $\mathsf{RSp}$ is the randomness space of $\Pi$. Then, for each $j = 1$ to $\ell$, compute $C_j = \mathsf{PKE.Enc}(pars, M \| vk, pk_{i_j}; r)$. The final BE ciphertext consists of

$$C = (vk, C_{\tau(1)}, \ldots, C_{\tau(\ell)}, \sigma), \quad \text{where } \sigma = \mathsf{Sign}(sigk, (C_{\tau(1)}, \ldots, C_{\tau(\ell)}))$$

and $\tau : \{1, \ldots, \ell\} \to \{1, \ldots, \ell\}$ is a random permutation.

Theorem 4.15 Let $\Pi$ be an IND-IK-CCA secure, weakly robust and key-less reproducible PKE scheme. Let $\Sigma$ be a strongly unforgeable one-time signature scheme. Then $\mathsf{ANOBE}^{rr}_{\Pi,\Sigma}$ is adaptively ANO-IND-CCA secure.

Proof. The proof follows precisely the proof of Theorem 4.5 up until the BE challenge ciphertext is generated. The modifications are in the following steps and apply to both Lemma 4.6 and Lemma 4.7.

1. For $j = 1$ to $k-1$, $B$ sets $C_j = R(pars, C^\star, M_1 \| vk^\star, pk_{\rho_j}, sk_{\rho_j})$.

2. For $j = k+1$ to $\ell$, $B$ computes $C_j = R(pars, C^\star, M_0 \| vk^\star, pk_{\theta_j}, sk_{\theta_j})$.

We observe that B knows all the necessary secret keys since it generated them on its own at the beginning of the simulation. The proof then continues as in Theorem 4.5.

We note that there is no further loss in the security reduction since the key-less reproducibility property of $\Pi$ implies that $\mathsf{PKE.Enc}(pars, M', pk'; r) = R(pars, \mathsf{PKE.Enc}(pars, M, pk; r), M', pk', sk')$ with probability 1.

We have shown that the key-less reproducibility of a PKE scheme guarantees that randomness can be re-used securely. We can exploit this property to compress the ANOBE ciphertexts and, depending on the concrete instantiation, significantly increase the efficiency of the scheme. More precisely, given an $\mathsf{ANOBE}^{rr}_{\Pi,\Sigma}$ ciphertext $C = (vk, C_{\tau(1)}, \ldots, C_{\tau(\ell)}, \sigma)$, let $ccc$ denote the common ciphertext components that may arise in $C_{\tau(1)}, \ldots, C_{\tau(\ell)}$ from sharing randomness across PKE components, i.e.,

$$C_{\tau(1)} = (ccc, \tilde{c}_{\tau(1)}), \ \ldots, \ C_{\tau(\ell)} = (ccc, \tilde{c}_{\tau(\ell)}).$$

The compressed ANOBE ciphertext will be $\tilde{C} = (vk, ccc, \tilde{c}_{\tau(1)}, \ldots, \tilde{c}_{\tau(\ell)}, \sigma)$. Upon receipt, the user simply reconstitutes the original ciphertext $C$ and runs $\mathsf{BE.Dec}$ as usual. In Section 4.7 we will discuss briefly a possible instantiation of these ideas.
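As an added illustration (not code from the thesis or from any instantiation it discusses), the following Python models the key-less reproducibility experiment and the $ccc$ compression above on toy ElGamal: the reproduction algorithm $R$ only needs the first component $g^r$ of $C$, never $pk$ or $r$, and $g^r$ is exactly the component that becomes $ccc$. ElGamal is used here purely for the mechanics; it is not IND-IK-CCA secure or weakly robust, so it does not meet the hypotheses of Theorem 4.15, and the parameters, key names and the omission of the $vk$/signature layer are assumptions of this example.

```python
import secrets

# Toy ElGamal parameters, constructed for illustration only (not a secure
# instantiation: tiny group, not prime order, IND-CPA at best).
P = 2**127 - 1   # prime modulus
G = 3            # generator in Z_P^*

def pke_keygen():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk                        # (pk, sk), pk = g^sk

def pke_enc(m, pk, r):
    # ElGamal with explicit randomness r: C = (g^r, m * pk^r)
    return (pow(G, r, P), m * pow(pk, r, P) % P)

def pke_dec(c, sk):
    c1, c2 = c
    return c2 * pow(c1, P - 1 - sk, P) % P           # c2 * c1^(-sk)

def reproduce(c, m_new, pk_new, sk_new):
    # Key-less reproduction R(pars, C, M', pk', sk'): pk' ^ r = (g^r)^sk',
    # so neither the original pk nor r is needed, only c1 = g^r from C.
    c1, _ = c
    return (c1, m_new * pow(c1, sk_new, P) % P)

def klrep_experiment():
    # One run of ExpKLRep: 1 iff R reproduces PKE.Enc(M', pk'; r) exactly.
    pk, sk = pke_keygen()
    m, r = secrets.randbelow(P - 1) + 1, secrets.randbelow(P - 2) + 1
    c = pke_enc(m, pk, r)
    pk2, sk2 = pke_keygen()
    m2 = secrets.randbelow(P - 1) + 1
    return 1 if pke_enc(m2, pk2, r) == reproduce(c, m2, pk2, sk2) else 0

def broadcast_compressed(m, pks):
    # Re-use one r for every recipient, then factor out ccc = g^r so the
    # broadcast carries l + 1 group elements instead of 2l.
    r = secrets.randbelow(P - 2) + 1
    comps = [pke_enc(m, pk, r) for pk in pks]
    ccc = comps[0][0]
    assert all(c1 == ccc for c1, _ in comps)         # common component
    tails = [c2 for _, c2 in comps]
    secrets.SystemRandom().shuffle(tails)            # the permutation tau
    return ccc, tails

def decrypt_compressed(compressed, sk):
    # Reconstitute each full component (ccc, c~_j) and decrypt it. Without
    # weak robustness (or the M||vk tag of the real scheme) a recipient cannot
    # tell which component is theirs, so all l candidates are returned.
    ccc, tails = compressed
    return [pke_dec((ccc, t), sk) for t in tails]
```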