An Identity-Based (IDB) Broadcast Encryption Scheme with Personalized Messages (BEPM)

A broadcast encryption scheme with personalized messages (BEPM) is a scheme in which a broadcaster transmits not only encrypted broadcast messages to a subset of recipients but also an encrypted personalized message to each user individually. Several broadcast encryption (BE) schemes allow a broadcaster to encrypt a message for a subset S of recipients using public keys, so that any user in S can decrypt the message with his/her private key. However, these BE schemes cannot transmit encrypted personalized messages to each user individually in an efficient way. In this paper, we propose a broadcast encryption scheme that also transmits personalized messages. The scheme is based on multilinear maps, which keep the ciphertext size and each user's private key size constant, and it achieves static security. More practically, the scheme can be applied efficiently and safely to the Conditional Access System (CAS) of pay television (pay-TV).


Introduction
The concept of broadcast encryption (BE) was first formally defined by Fiat and Naor in 1994 [1]; it is a mode of public-key encryption addressed to multiple recipients. In BE schemes, a broadcaster encrypts broadcast messages and transmits them to a set S of users who are listening on a broadcast channel. Each user in S uses his/her private key to decrypt the broadcast messages at the same time. Broadcast encryption has wide applications such as digital rights management, pay TV, satellite radio communication, video conferencing and wireless sensor networks [2].
In general broadcast encryption schemes, a broadcaster first chooses the set S of users who will be able to decrypt the broadcast messages (the authorized set) and encrypts a secret broadcast key K into a header, which forms one part of the ciphertext. It then uses K to encrypt the broadcast messages with a symmetric cipher, which forms the other part of the ciphertext. Any user listening on the broadcast channel can receive the two-part ciphertext, but only a user in S can use his/her private key to decrypt it and obtain the broadcast messages. A broadcast encryption scheme is said to be fully collusion resistant [3] when, even if all users not in S collude, they can by no means infer any information about the broadcast message. To avoid certificate management, Shamir first presented the concept of identity-based cryptosystems in [4]. An identity-based encryption (IBE) scheme lets users' public keys be derived from their own identities, such as e-mail addresses, telephone numbers or other arbitrary strings. Besides, IBE reduces initialization, computational overhead and communication, simplifies key management and eliminates the need for a private key database.
Pay television (pay-TV) broadcasting relies on a Conditional Access System (CAS) in which a broadcaster encrypts two kinds of messages for each user: Entitlement Control Messages (ECM) and Entitlement Management Messages (EMM). An ECM carries information common to all users, and its transmission resembles general broadcast encryption using the users' public keys. An EMM carries contract information for a particular user, and each user's private key is used to encrypt it with a symmetric cipher. So the broadcaster must manage all of the users' public keys as well as their private keys. Hence, the key management cost of the broadcaster is larger than in general broadcast encryption schemes because of the extra management of all users' private keys. The management cost of the broadcaster must be reduced in one respect: low overhead and efficient transmission of ECM and EMM. In [5] Aggelos pointed out that the efficiency of a broadcast encryption scheme is determined by four parameters: key storage, decryption overhead, encryption overhead and transmission overhead. The ciphertext overhead of a broadcast scheme is defined in [6] as the number of bits in the ciphertext beyond what is needed for the description of the recipient set and the symmetric encryption of the plaintext payload. Thus a BEPM scheme is more efficient when the ciphertext overhead is shorter and the private key management cost is lower, and it has low overhead when the ciphertext overhead depends at most logarithmically on the number of broadcast users.
Several broadcast encryption schemes [6][7][8][9] have been proposed, and they all provide the transmission of broadcast messages like ECM. In particular, in 2005 Boneh, Gentry and Waters [7] introduced an identity-based broadcast encryption scheme, BGW, which is collusion resistant and has constant-length ciphertexts and private keys. In 2012, Yanli Ren [10] constructed a dynamic identity-based broadcast encryption scheme with a tight security reduction without random oracles. In 2003, multilinear maps were first defined by Silverberg and Boneh in [11], who showed three properties of multilinear maps that are useful for constructing multiparty key exchange and broadcast encryption schemes. In [6], Boneh et al. used multilinear maps to construct three low-overhead BE schemes with shorter public keys than any previous BE scheme. In [12], Boneh first used indistinguishability obfuscation (iO) to construct a distributed BE scheme in which the ciphertext size is independent of the number of recipients. The schemes above provide secure communication between a broadcaster and a group of users, and the broadcaster encrypts content like ECM simply by using the public keys of the broadcaster and the recipients. The key management cost of these schemes is very small because public keys are openly available. However, these schemes cannot be used by the broadcaster to transmit, at the same time, personalized messages such as EMM that differ from user to user.
In 2002, Kurosawa [13] defined a multi-recipient encryption scheme as a particular public key encryption scheme that can efficiently transmit personalized messages to each user. In 2009, Harunaga [14] constructed a multi-recipient public key encryption scheme that sends personalized messages to each user individually. However, in these schemes it is inefficient for a sender to transmit broadcast messages (identical personalized messages) to every user separately. Until now, there has been only one scheme, constructed by Ohtake [15], in which a broadcaster can encrypt not only broadcast messages but also personalized messages for recipients. But its public key consists of $3n + 2$ elements of the group $G_1$ ($G_1$ is a group of prime order $p$ and $n$ is the total number of recipients), and it is based on a Public Key Infrastructure (PKI) rather than being identity-based. Hence, our goal here is to construct a low-overhead, identity-based BEPM that can be used efficiently in CAS, using multilinear maps.

Our Contributions
In this paper, we describe an identity-based BEPM scheme that uses the asymmetric multilinear maps constructed by Boneh in [6] and extends their BE scheme. Our scheme reduces the ciphertext length compared with general multi-recipient encryption schemes and the public key size compared with other BEPM schemes. Compared with the existing scheme, our scheme reduces the management cost of public keys and private keys. In addition, the public key size in our scheme is shorter than in the other existing schemes [6,15], while each user's private key and the ciphertext remain of constant size. Besides, we prove that our scheme is statically secure under the decisional n-Hybrid Diffie-Hellman Exponent (n-HDHE) assumption and that it can be applied efficiently to CAS. Our scheme is fully collusion-resistant against any number of colluders.

Organization
The rest of our paper is organized as follows: we will recall some related definitions in section 2. We show the detailed construction of our identity-based BEPM scheme in section 3. We will analyze the security of our scheme and give the comparison between our scheme and the other schemes in section 4. Finally, we will apply our scheme to CAS in section 5.

Asymmetric Multilinear Maps
We use the asymmetric multilinear maps constructed in [6]. Write $g_i^a$ for a level-$i$ encoding of $a$; the map $e$ combines a level-$i$ encoding and a level-$j$ encoding into a level-$(i+j)$ encoding. Groups are indexed by integer vectors rather than by integers. The algorithms are as follows:

Setup($\tilde n$). Take a positive integer vector $\tilde n$ and set up an $\tilde n$-linear map. Let $p$ be a large prime. The algorithm outputs a description of groups $G_{\tilde v}$ of prime order $p$ for every non-negative integer vector $\tilde v \le \tilde n$, together with a description of generators $g_{\tilde v} \in G_{\tilde v}$. Let $G_{\tilde e_i}$ be the $i$th source group, where $\tilde e_i = (0, \ldots, 1, \ldots, 0)$ is the standard basis vector with $n$ 0s and a 1 in the $i$th place. $G_{\tilde n}$ is the target group and the remaining $G_{\tilde v}$ are intermediate groups. This gives the following map operation: given two elements $h \in G_{\tilde v_2}$ and $g \in G_{\tilde v_1}$ with $\tilde v_1 + \tilde v_2 \le \tilde n$, it outputs an element of $G_{\tilde v_1 + \tilde v_2}$, denoted $e_{\tilde v_1, \tilde v_2}(g, h)$. We omit the subscript and write $e_2$ for the pairing of two group elements, and generalize it to multiple inputs as $e(h^{(1)}, h^{(2)}, \ldots, h^{(k)}) = e(h^{(1)}, e(h^{(2)}, \ldots, h^{(k)}))$; accordingly $e_n$ denotes the operation on $n$ elements.
The asymmetric multilinear maps can satisfy three properties introduced in [11]: multilinearity, non-degeneracy and computability.

Hardness Assumption
We recall the definition of the decisional n-Hybrid Diffie-Hellman Exponent assumption. Let $\tilde n$ be the all-ones vector of length $n+1$, let $\tilde e_i$ be the length-$(n+1)$ vector with $n$ 0s and a 1 in the $i$th place, and let the multilinear map $e$ have source group $G_{\tilde n}$ and target group $G_{2\tilde n}$. Choose a random $\alpha \in \mathbb{Z}_p$, where $p$ is a large prime. Let $X_i = g_{\tilde e_i}^{\alpha^{2^i}}$ $(i = 0, \ldots, n-1)$ and $X_n = g_{\tilde e_n}^{\alpha^{2^n+1}}$. Then choose a random $t \in \mathbb{Z}_p$ and let $V = g_{\tilde n}^t$. The decisional n-Hybrid Diffie-Hellman Exponent problem is: given $\{X_i\}$ $(i = 0, \ldots, n-1)$, $V$ and $K$, decide whether $K = g_{2\tilde n}^{t\alpha^{2^n}}$ or $K = K^*$ for a random element $K^*$ of the group $G_{2\tilde n}$.

Definition 1. We say the decisional n-Hybrid Diffie-Hellman Exponent assumption is hard if, for any polynomial $n$, every probabilistic polynomial time (PPT) algorithm $\mathcal{A}$ has negligible advantage in distinguishing $K = g_{2\tilde n}^{t\alpha^{2^n}}$ from $K = K^*$.

Broadcast Encryption with Personalized Messages
We first introduce the definition and the security model of identity-based BEPM. An identity-based BEPM scheme consists of the following four algorithms:

Setup($\mathcal{ID}$). Set up an identity space $\mathcal{ID}$ for the BEPM scheme. It outputs the public parameters params and the master secret key msk.

Extract(msk, u). Take the master secret key msk and a user $u \in \mathcal{ID}$, and output a private key $sk_u$ for the user with identity $u$.

Enc(params, S). Take the public parameters params and a polynomial-sized set $S \subseteq \mathcal{ID}$ of authorized recipients, and produce a pair (Hdr, K) and a list of personalized keys $K_u$ for the users $u \in \mathcal{ID}$. Hdr guarantees the confidentiality of $K$, the symmetric key used to encrypt the broadcast messages into $c$, while $K_u$ is the personalized symmetric key of the user with identity $u$, used to encrypt his/her personalized message into $c_u$. The algorithm finally outputs (Hdr, $c$, $c_u$ ($u \in S$)) as the ciphertext.

Dec(params, u, $sk_u$, Hdr, S). The decryption algorithm takes Hdr and the private key $sk_u$ of the user with identity $u \in \mathcal{ID}$, and outputs the key pair $(K, K_u)$ for that user. If $u \notin S$, it outputs $\perp$. Otherwise, the user decrypts Hdr with $sk_u$ to obtain $K$ and $K_u$, and finally decrypts $c$ and $c_u$ respectively.
For security there are two main notions: static security under a chosen plaintext attack (CPA) and adaptive security under an adaptive chosen ciphertext attack (CCA2). We define CPA security by the following game:

Setup. The challenger $\mathcal{C}$ runs Setup($\mathcal{ID}$) to get (params, msk) and gives params to $\mathcal{A}$.

Private Key Queries. $\mathcal{A}$ adaptively makes private key queries for users with identities $u \in \mathcal{ID}$. The challenger $\mathcal{C}$ runs Extract(params, msk) to get the private key $sk_u$ and gives $sk_u$ to $\mathcal{A}$.

Challenge. $\mathcal{A}$ submits a set $S^* \subseteq \mathcal{ID}$ with $u \notin S^*$ for every $u$ requested in a private key query. The challenger obtains $(Hdr^*, K_0^*, \{K_u^*\}_{u \in S^*})$ from Enc(params, $S^*$). If $b = 0$, the challenger gives $(Hdr^*, K_0^*)$ to $\mathcal{A}$; if $b = 1$, it gives a random key $K_1^*$ to $\mathcal{A}$ instead. Likewise, the challenger selects $\{b_u\}_{u \in S^*}$; if $b_u = 0$ it gives $K_u^*$ to $\mathcal{A}$, and if $b_u = 1$ it gives a random key $K_u^{*\prime}$ instead.

More Private Key Queries. $\mathcal{A}$ adaptively makes private key queries for users with identities $u \notin S^*$. The challenger $\mathcal{C}$ runs Extract(params, msk) to get $sk_u$ and gives it to $\mathcal{A}$.

Guess. $\mathcal{A}$ outputs a guess $b'$ for the random bit $b$ and a list of guesses $\{b'_u\}_{u \in S^*}$ for $\{b_u\}_{u \in S^*}$. $|S^*|$ is the number of elements in the set $S^*$.
The advantage $\mathrm{Adv}$ of $\mathcal{A}$ is then:

In CAS, a security module (smart card) is inserted into each user's terminal and issued to each user individually. Since a personalized message can only be decrypted inside a security module, nobody can obtain a personalized message in plaintext in CAS. Hence, we concentrate on the notion of CPA security as defined below.

Definition 2. A BEPM scheme is said to be statically secure under a chosen plaintext attack if, for any polynomial time adversary $\mathcal{A}$ that cannot make decryption queries and must fix the challenge set $S$ before Setup, the advantage $\mathrm{Adv}$ is negligible.

Our Construction
In this section, we give our construction for an identity-based BEPM scheme based on multilinear maps in details.
First let $N = 2^n - 1$ ($n$ an integer) and let $\tilde n = (1, \ldots, 1)$ be the vector of $n+1$ ones. Use an asymmetric multilinear map in which $G_{\tilde n}$ is the source group and $G_{2\tilde n}$ is the target group of prime order $p$, so that $e_2$ maps any two elements of $G_{\tilde n}$ to an element of $G_{2\tilde n}$. With this setting, the asymmetric multilinear maps have the following properties:

1. For the standard basis vectors $\tilde e_i$, the map $e_{n+1}$ into the group $G_{\tilde n}$ satisfies $e_{n+1}(g_{\tilde e_0}, \ldots, g_{\tilde e_n}) = g_{\tilde n}$.

2. For any two elements $g_{\tilde n}^a$ and $g_{\tilde n}^b$ ($a, b$ integers) of the group $G_{\tilde n}$, the map $e_2$ into the group $G_{2\tilde n}$ satisfies $e_2(g_{\tilde n}^a, g_{\tilde n}^b) = g_{2\tilde n}^{ab}$.

Setup(n). $n$ is the length of users' identities. The identity space is $\mathcal{ID} = \{0,1\}^n$ except $0^n$.

Enc(params). Fix an authorized set $S$ of recipients. Randomly choose $t \in \mathbb{Z}_p$, and for any $u \in \mathcal{ID}$ let $u_i$ denote the $i$th bit of the binary representation of $u$. Then compute as follows:

where $u_i \in \{0, 1\}$, $X_i^0 g_{\tilde e_i}^1 = g_{\tilde e_i}$ and $X_i^1 g_{\tilde e_i}^0 = X_i$. It finally outputs $(K, Hdr, \{K_u\}_{u \in \mathcal{ID}})$.

Dec(params, S, Hdr). The user with identity $u$ decrypts as follows: if $u \notin S$, output $\perp$. Otherwise let Hdr $= (h_0, h_1)$; the receiver with identity $u$ and private key $sk_u$ computes
$$K = \frac{e_2(Z_u, h_1)}{e_2\big(sk_u \cdot \prod_{j \in S,\, j \neq u} Z_{2^n - j + u},\; h_0\big)}$$
and the personalized key for user $u$ is $K_u = e_2(h_0, sk_{u2})$.
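As an added worked derivation (not part of the paper's text), the following shows why the bitwise choice $X_i^{u_i} g_{\tilde e_i}^{1-u_i}$ produces an encoding of $\alpha^u$. The assumption, inferred from the definitions above rather than stated on the page, is that the element computed in Enc is the $(n+1)$-fold map of these $n$ factors together with $g_{\tilde e_n}$. With $X_i = g_{\tilde e_i}^{\alpha^{2^i}}$, each factor is

$$X_i^{u_i}\, g_{\tilde e_i}^{1-u_i} = \begin{cases} g_{\tilde e_i}^{\alpha^{2^i}} & u_i = 1 \\ g_{\tilde e_i} & u_i = 0 \end{cases} \;=\; g_{\tilde e_i}^{\alpha^{u_i 2^i}},$$

so by multilinearity the exponents multiply:

$$e_{n+1}\big(X_0^{u_0} g_{\tilde e_0}^{1-u_0}, \ldots, X_{n-1}^{u_{n-1}} g_{\tilde e_{n-1}}^{1-u_{n-1}}, g_{\tilde e_n}\big) = g_{\tilde n}^{\prod_{i=0}^{n-1} \alpha^{u_i 2^i}} = g_{\tilde n}^{\alpha^{\sum_{i=0}^{n-1} u_i 2^i}} = g_{\tilde n}^{\alpha^{u}},$$

where $u = \sum_{i=0}^{n-1} u_i 2^i$ ranges over $1, \ldots, 2^n - 1 = N$ because $\mathcal{ID}$ excludes $0^n$. For $n = 3$ and $u = 5 = 101_2$ the arguments are $(X_0, g_{\tilde e_1}, X_2, g_{\tilde e_3})$ and the exponent is $\alpha^{1} \cdot \alpha^{0} \cdot \alpha^{4} = \alpha^{5}$. Property 2 then gives $e_2(g_{\tilde n}^{\alpha^u}, g_{\tilde n}^{\alpha^v}) = g_{2\tilde n}^{\alpha^{u+v}}$, so pairing two such encodings adds their indices; this is how index sums of the form $2^n - j + u$ arise in Dec.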

Security Analysis
In this section, we prove the security of our BEPM scheme and show the comparison between our scheme and the other schemes.
Security
First, we give the security proof of our BEPM scheme.

Theorem 1. Let $e_{n+1}$ and $e_2$ be asymmetric multilinear maps for the vector $\tilde n$, the vectors $\tilde e_i$ $(i = 0, \ldots, n)$, and the groups $G_{\tilde n}$ and $G_{2\tilde n}$, and assume that the decisional n-Hybrid Diffie-Hellman Exponent assumption is hard for the multilinear map $e_{n+1}$. Then our identity-based BEPM scheme is statically secure.

Proof. Assume there is an adversary $\mathcal{A}$ with some advantage in breaking the BEPM scheme; we build an algorithm $\mathcal{B}$ that solves the decisional n-Hybrid Diffie-Hellman Exponent problem. $\mathcal{A}$ and $\mathcal{B}$ interact as follows:

Setup. $\mathcal{B}$ constructs a multilinear map $e$ as in section 2.1 for the vector $\tilde n$, the vectors $\tilde e_i$ $(i = 0, \ldots, n)$ and the groups $G_{\tilde n}$ and $G_{2\tilde n}$, chooses random $\alpha \in \mathbb{Z}_p$ and $t \in \mathbb{Z}_p$, and computes the public parameters
$$X_i = g_{\tilde e_i}^{\alpha^{2^i}}\ (i = 0, \ldots, n-1),\quad X_n = g_{\tilde e_n}^{\alpha^{2^n+1}},\quad U = g_{\tilde n}^{t},$$
$$W = e_2\big(e_{n+1}(g_{\tilde e_0}, \ldots, g_{\tilde e_{n-2}}, X_{n-1}, g_{\tilde e_n}),\ e_{n+1}(g_{\tilde e_0}, \ldots, g_{\tilde e_{n-2}}, X_{n-1}, g_{\tilde e_n})\big).$$
The adversary $\mathcal{A}$ submits the challenge set $S$ of users' identities, a subset of $\mathcal{ID}$. $\mathcal{B}$ randomly chooses $r \in \mathbb{Z}_p$ and computes $e_{n+1}(\ldots, g_{\tilde e_n}) = g_{\tilde n}^{\alpha^u}$. Hence $\gamma = r - \sum_{u \in S} \alpha^{2^n - u}$, and $\gamma$ is also uniform. Finally $\mathcal{B}$ gives the adversary $\mathcal{A}$ the tuple $(V, W, \{X_i\}_{i = 0, \ldots, n})$.

Private Key Queries. The adversary $\mathcal{A}$ makes private key queries for identities $u \notin S$. $\mathcal{B}$ responds as follows: it first randomly chooses $b'_1, \ldots, b'_n, y_1, \ldots, y_n \in \mathbb{Z}_p$ and computes $\ldots\, g_{\tilde n}^{y_i}$ for the user with identity $u$ in the challenge set $S$. Finally $\mathcal{B}$ sends all private keys $sk_u$ ($u \notin S$) to $\mathcal{A}$.

Challenge. $\mathcal{A}$ requests the challenge and $\mathcal{B}$ computes Hdr $= (U, U^r)$. $\mathcal{B}$ randomly chooses $b \in \{0, 1\}$. If $b = 0$, $\mathcal{B}$ computes $K = W^t$; if $b = 1$, $\mathcal{B}$ randomly chooses a key $K \in G_{2\tilde n}$. Likewise, $\mathcal{B}$ randomly chooses $b_u$ for each user with identity $u \in S$. If $b_u = 0$, $\mathcal{B}$ computes $K_u = e_2(U, g_{\tilde n})^{b_i \gamma} \cdot e_2(U, V)^{y_i}$; if $b_u = 1$, $\mathcal{B}$ randomly chooses a personalized key $K_u \in G_{2\tilde n}$.

Finally $\mathcal{B}$ gives $\mathcal{A}$ the challenge response $(Hdr, K, \{K_u\}_{u \in S})$. Apparently the response $(Hdr, K, \{K_u\}_{u \in S})$ is valid, so $\mathcal{B}$ simulates the real BEPM scheme for $\mathcal{A}$ perfectly.

Guess. $\mathcal{A}$ guesses $b'$ for $b$ and $\{b'_u\}_{u \in S}$ for $\{b_u\}_{u \in S}$. When $\{b'_u\}_{u \in S} = \{b_u\}_{u \in S}$ and $b' = b$, the adversary $\mathcal{A}$ wins the game. Let "$\mathcal{A}$ win" denote the event that the adversary guesses the right values for $b$ and $\{b_u\}_{u \in S}$, and "$\mathcal{B}$ win" the event that the algorithm $\mathcal{B}$ solves the decisional n-HDHE problem; $|S|$ is the number of elements in the set $S$. If $K$ and $\{K_u\}_{u \in S}$ are the right values, the probability of the event "$\mathcal{B}$ win" is:

If $K$ and $\{K_u\}_{u \in S}$ are random values chosen from $G_{2\tilde n}$, the adversary $\mathcal{A}$ has no advantage in guessing $b$ and $\{b_u\}_{u \in S}$, so the probability of the event "$\mathcal{B}$ win" is:

Altogether, the advantage of $\mathcal{B}$ in solving the decisional n-HDHE problem is:

However, the decisional n-HDHE assumption is hard, so the advantage of $\mathcal{B}$ is negligible. Hence, the advantage of the adversary $\mathcal{A}$ in breaking the BEPM scheme is negligible.

Collusion Resistance
In our security analysis, the adversary can obtain the private key of any user with identity $u \notin S$, yet it still cannot recover the plaintext protected by $Hdr^*$. Thus any number of colluders cannot obtain the right messages, because none of them holds a valid private key.

Comparison
In this section, we compare our scheme with Ohtake's scheme [15] and with the basic extension of Boneh's scheme [6]. In Table 1, the integer $n$ denotes the number of users in the BEPM scheme. We claim that sending personalized messages in [6] is inefficient, since the header becomes $(g_{\tilde n}^t,\ (V \cdot \prod_{u \in S} Z_{2^n - u})^t,\ \{g_{\tilde n}^{b_u}\}_{u \in S})$ and the ciphertext consists of $|S| + 2$ elements of the group $G_{2\tilde n}$ ($|S|$ is the number of elements in the set $S$). Ohtake's scheme extends the BGW scheme [7] by increasing the public key size from $2n + 1$ to $3n + 2$ elements of the group $G_1$ ($G_1$ is a group of prime order $p$). Compared with Ohtake's scheme, ours is identity-based and has a shorter public key of $\log n$ elements of the group $G_{\tilde n}$, and it removes the element $V_2$ that Ohtake's scheme uses to encrypt personalized messages. Moreover, our scheme uses multilinear maps and keeps the ciphertext overhead and each user's private key short. Hence, our scheme is more efficient than these two schemes.

Application
Our BEPM scheme supports personalized services in broadcast encryption with the following functions: first, it sends a broadcast message under the key $K$; next, it sends a personalized message to each user $u \in S$ under the personalized key $K_u$; in addition, its key management has low cost.

As an important component of Digital TV Broadcasting (DVB), the CAS is a necessary and central condition for realizing the pay-TV service. The CAS determines whether a digital receiver may deliver specific broadcast programs to a user's terminal, ensuring that only paying users get the selected TV programs. It is a necessary part of the digital television business and essential to its development. Fig 1 shows the work procedure of CAS. The service provider supplies the ECM and EMM, together with the streams of the corresponding programs from different CAS, to the multiplexed transmission channel, and the decoder receives the detected ECM and EMM as the CAS requires. The ECM is the authorization control information, a special form of electronic key signal and addressing channel information; it is encrypted at the sending end and transmitted together with the signal, and at the receiving end it is used to control the descrambler. The EMM is the authorization management information, which an authorized user needs to descramble a service; it is also encrypted at the sending end and transmitted together with the signal, and at the receiving end it is used to open or close a single decoder or a group of descramblers. A broadcaster uses a scrambling key $K_1$ to encrypt content such as the date, the Media Access Control (MAC) address and the program types. Then the broadcaster uses another key $K_2$ to encrypt the scrambling key and the content information as the ECM and transmits it to all users. Finally, the broadcaster uses a key $K_3$ that is specific to each user to encrypt the key $K_2$ and some contract information such as the expiry date as the EMM, and sends it to all users. Hence, the content can only be descrambled by a user who holds $K_3$, which means the user is a valid subscriber to the program. Note (to Table 1): the public key size and ciphertext length are given as numbers of group elements.

So the CAS is a natural setting for transmitting a broadcast message and personalized messages to each user with our BEPM scheme. In the CAS the broadcaster must manage every user's key $K_3$, whereas our scheme does not require the broadcaster to manage all users' private keys. We can apply our BEPM scheme to CAS as Fig 2 shows. A broadcaster first computes the header, the broadcast key $K$ and the personalized key $K_u$ for every user $u \in S$. Then it uses $K$ to encrypt the broadcast program content as a ciphertext $c$ and broadcasts it, and it also uses $K_u$ to encrypt the personalized message of each user $u \in S$ as $c_u$ and broadcasts it. A valid subscriber $u \in S$ receives $c$ and $c_u$ and uses $K$ and $K_u$ respectively to decrypt them, obtaining the program content and the personalized message, such as contract information.
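As an added example, not the paper's code, the following Python models the BEPM interface (Setup, Extract, Enc, Dec) and its CAS use described above. It replaces the multilinear-map construction with a symmetric stand-in: the broadcaster holds msk, and the header carries one wrapped entry per authorized identity, so unlike the paper's scheme the header grows with $|S|$. What it does preserve is the separation the definitions require: a user in $S$ recovers exactly $(K, K_u)$, a user outside $S$ gets $\perp$ (None), and one user's personalized key does not open another user's $c_v$. The identities, the program and contract messages, and the HMAC-SHA256 counter-mode cipher are all constructed for the demo and are not part of the paper.

```python
"""Toy model of the BEPM interface and a CAS-style round. Symmetric stand-in
for the paper's multilinear-map construction (demo only, not production code)."""
import hashlib
import hmac
import os

TAG_LEN = 32  # bytes of HMAC-SHA256 tag appended to every ciphertext


def _keystream(key: bytes, label: bytes, n: int) -> bytes:
    # Constructed keystream: HMAC-SHA256 in counter mode (demo only, not a
    # replacement for a real AEAD such as AES-GCM).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def sym_enc(key: bytes, label: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC under `key`; `label` binds the ciphertext to its role."""
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, b"enc|" + label, len(msg))))
    tag = hmac.new(key, b"mac|" + label + ct, hashlib.sha256).digest()
    return ct + tag


def sym_dec(key: bytes, label: bytes, blob: bytes):
    """Return the plaintext, or None when the tag does not verify (wrong key or label)."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"mac|" + label + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, b"enc|" + label, len(ct))))


# ---- BEPM interface: Setup, Extract, Enc, Dec -------------------------------
def setup():
    """Identity space: UTF-8 strings. Returns (params, msk); msk is a random 256-bit key."""
    params = {"id_space": "utf-8 strings", "key_len": 32}
    return params, os.urandom(32)


def extract(msk: bytes, u: str) -> bytes:
    """Private key sk_u of identity u, derived from msk by the key authority."""
    return hmac.new(msk, b"sk|" + u.encode(), hashlib.sha256).digest()


def enc(params, msk: bytes, S):
    """Produce (Hdr, K, {K_u}): K is the broadcast key, K_u the personalized key of u.
    In this stand-in the broadcaster needs msk; the paper's Enc uses only params."""
    n = params["key_len"]
    K = os.urandom(n)
    Ku = {u: os.urandom(n) for u in S}
    # Hdr wraps K || K_u under sk_u for every u in S: one entry per authorized
    # identity, whereas the paper's construction has a constant-size Hdr.
    Hdr = {u: sym_enc(extract(msk, u), b"hdr|" + u.encode(), K + Ku[u]) for u in S}
    return Hdr, K, Ku


def dec(params, u: str, sk_u: bytes, Hdr, S):
    """Return (K, K_u) for u in S holding a valid sk_u, else None (the paper's ⊥)."""
    if u not in S or u not in Hdr:
        return None
    pt = sym_dec(sk_u, b"hdr|" + u.encode(), Hdr[u])
    if pt is None:
        return None
    n = params["key_len"]
    return pt[:n], pt[n:]


# ---- CAS-style round: K protects the program (ECM role), K_u the contract (EMM role)
PROGRAM = b"constructed program content"  # constructed sample payload
CONTRACTS = {"alice": b"alice: expires 2030-01", "bob": b"bob: expires 2029-06"}


def cas_round(S=("alice", "bob"), outsider="carol"):
    """Broadcaster encrypts c under K and each c_u under K_u; subscribers decrypt."""
    params, msk = setup()
    Hdr, K, Ku = enc(params, msk, S)
    c = sym_enc(K, b"program", PROGRAM)
    c_u = {u: sym_enc(Ku[u], b"contract|" + u.encode(), CONTRACTS[u]) for u in S}

    def receive(u):
        # Each terminal holds its own extracted sk_u and sees the whole broadcast.
        keys = dec(params, u, extract(msk, u), Hdr, S)
        if keys is None:
            return None, None
        K_rx, Ku_rx = keys
        return sym_dec(K_rx, b"program", c), sym_dec(Ku_rx, b"contract|" + u.encode(), c_u[u])

    alice_program, alice_contract = receive("alice")
    # alice's personalized key must not open bob's contract message
    cross_user = sym_dec(Ku["alice"], b"contract|bob", c_u["bob"])
    return {
        "alice_program": alice_program,
        "alice_contract": alice_contract,
        "outsider": receive(outsider),
        "cross_user": cross_user,
    }
```

Running `cas_round()` shows the three outcomes the definitions call for: the subscriber recovers both the program and her own contract, the outsider gets `(None, None)` because Dec returns $\perp$ for $u \notin S$, and the cross-user attempt fails on tag verification. The labels (`hdr|u`, `program`, `contract|u`) bind each ciphertext to its role and identity so that a key for one role cannot be replayed against another.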

Results
In this paper, we construct an efficient BEPM scheme using multilinear maps. Our scheme has the following advantages: first, its public key size is shorter than in any other existing scheme, and the length of the ciphertext is constant, as is the length of every user's private key. Second, compared with general BE schemes, the broadcaster can not only send broadcast messages to all recipients but also send a personalized message to any specified user. Third, our BEPM scheme is statically secure and collusion resistant against any number of colluders. Last, our scheme can be applied efficiently to CAS, which is the core of the popular pay-TV.