Collusion-resistant Broadcast Encryption based on Hidden RSA Subgroups
Sigurd Eskeland
Norwegian Computing Center, Postboks 114 Blindern, 0314 Oslo, Norway
Keywords: Broadcast Encryption, Public Key Cryptography, RSA Subgroups.
Abstract: Public key broadcast encryption enables computations of ciphertexts, in which a single ciphertext is encrypted with regard to a set of recipients, and only the intended recipients can decrypt that ciphertext independently of each other and without interactions. A significant shortcoming of existing broadcast encryption schemes is long decryption keys comprising the public keys of the pertaining recipients. Decryption therefore necessitates access to public keys, which requires key management and impacts computational and transmission overhead, accessibility, and storage. Moreover, a user description list referencing the pertaining recipients and their public keys must be appended to each ciphertext, which leads to the privacy implication of disclosing user/content relations. Curiously, virtually all broadcast encryption schemes are based on bilinear pairings. In this paper, we propose a collusion-resistant broadcast encryption scheme that is the first broadcast encryption scheme based on the factorization problem and hidden RSA subgroups. A novel feature is that the decryption key consists of a single element only, which leads to significantly reduced key management, improved computational efficiency, and elimination of the mentioned privacy issue.
1 INTRODUCTION
Broadcast encryption is a category of cryptographic systems that allows a sender to compute ciphertexts that can only be decrypted by an arbitrary subset of recipients $T \subseteq U$ specified by the sender. Broadcast encryption is characterized by having no synchronism and no two-way interactions between the sender and the recipients, nor among the recipients. The main goal of broadcast encryption is to minimize the transmission overhead, computation cost, storage size, and key management. All key establishment communication in broadcast encryption is unidirectional from the sender to the recipients, and there are no interactions between the sender and the groups of recipients, nor among the recipients.
Stateful broadcast encryption schemes maintain a state according to group membership, in which the broadcast key must be updated by the event of a change in group membership to maintain forward and backward secrecy. To meet efficiency goals, the general idea is to update only those key elements that are affected by a user change. An inherent disadvantage of statefulness is that if a user misses an update message, he or she will be left out from subsequent sessions.
Author ORCID (footnote a): https://orcid.org/0000-0003-0045-3387
In stateless broadcast encryption, decryptions are conducted independently of previous sessions as there is no updating of key material due to changes of group memberships. In existing stateless broadcast encryption schemes, the decryption algorithm requires application of the private key $x_i$ of user $P_i$ of the target subset $T \subseteq U$, the public key $y_j$ of each of the other users $P_j$ in $T$, and some system parameters $B$:
$$\mathrm{Dec}(x_i, \{y_j \mid P_j \in T \setminus \{P_i\}\}, B)$$
Thus, the decryption key is $(x_i, \{y_j \mid P_j \in T \setminus \{P_i\}\})$, whose number of elements equals the size of $T$. For efficiency reasons, most broadcast encryption schemes assume the "revoked" complementary subset $R = U \setminus T$ instead of $T$, since this set is presumed to be smaller than $T$. In any regard, this brings about the following issues:
1. All relevant public keys must be accessible, since decryption is only possible with a complete decryption key. This may be inconvenient and impractical in some settings.
2. The decryption key size is linear to the size of $T$. This increases the storage and computational overhead accordingly.
3. The encryption header must contain a user description list that references each user in $T$ (and their public keys). This increases the transmission overhead accordingly.
4. The user description list leads to a potential privacy issue.
Eskeland, S. Collusion-resistant Broadcast Encryption based on Hidden RSA Subgroups. DOI: 10.5220/0011140000003283. In Proceedings of the 19th International Conference on Security and Cryptography (SECRYPT 2022), pages 291-298. ISBN: 978-989-758-590-6; ISSN: 2184-7711. Copyright © 2022 by SCITEPRESS Science and Technology Publications, Lda. All rights reserved.
To illustrate the last point, suppose a secure TV broadcasting scenario where each customer has access to a certain channel using his private key. The problem is that in order to decrypt, the customers would have to know who else has paid for the specific subscription, which conflicts with the privacy of the individual subscribers. This privacy issue is addressed by anonymous broadcast encryption, whose goal is that no identifying information is "leaked" about the privileged set $T$ (Libert et al., 2012). However, these schemes are still inflicted with the same efficiency issues, and in some cases with long ciphertexts whose number of elements is linear to $T$ (He et al., 2016).
Cryptographic Primitives. Broadcast encryption is predominantly based on bilinear pairings and elliptic curve cryptography. However, pairing-based cryptography (PBC) has some disadvantages that are often overlooked. Cao and Liu (2015) note that bilinear pairings require working parameters in the order of 1024 bits to offer 80 bits security, in contrast to pure elliptic curve-based cryptographic schemes, where such parameters are typically 160 bits. They point out that there are very few industrial products being integrated with pairing-based cryptosystems, for reasons such that "pairing computation is hard to understand for most engineers" and "heavy group operation of PBC really lowers the advantages that gained from smaller key size".
Hajny et al. (2018) note that there are very few libraries available supporting pairing-based cryptography, and that papers addressing implementation aspects of pairing-based cryptography are very rare.
In addition to bilinear mappings, lattices have been proposed as a cryptographic primitive for broadcast encryption (Wang and Bi, 2010; Georgescu, 2013). However, these schemes produce non-constant size ciphertexts and may not be practical. It is thus of great interest to explore the applicability of alternative cryptographic primitives for broadcast encryption, in particular well-known number-theoretic primitives. However, number-theoretic primitives such as discrete logarithms and RSA assumptions have so far been considered inapplicable to broadcast encryption.
Contributions. In this paper, we propose a fully collusion-resistant public key broadcast encryption scheme with the following novel features:
- Decryption requires a single private key element only. This eliminates the necessity for key management and availability of other users' public keys.
- Decryption requires just a single modular exponentiation.
- There is no explicit need for a user description list, and thus an implicit feature is user anonymity.
This is an improvement compared to other broadcast encryption schemes, in which the decryption key is linear to the size of the target group $T$ (or the revoked group $R$). Another novel and attractive feature is that it is based on the factorization problem and hidden RSA subgroups. To the best of our knowledge, our construction is the first collusion-resistant broadcast encryption scheme that is based on this security assumption.
The broadcast encryption header consists of a single element whose size is linear to the maximum number of recipients $N$. For example, the header size is 3072 bits for $N = 11$ at 128 bits security level, which for comparison is equal to the RSA ciphertext size of the same security level, and therefore a significant improvement considering the factorization assumption.
2 RELATED WORK
Earlier approaches to stateless broadcast encryption assume tree-based structures. This includes the "subset-cover" framework proposed by Naor et al. (2001) utilizing symmetric user keys, in which keys of user subsets are derived from a virtual tree structure. Building on Naor et al. (2001), Dodis and Fazio (2003) proposed a public key broadcast encryption (PKBE) scheme.
Boneh et al. (2005) proposed a stateless and fully collusion resistant PKBE scheme that was the first of many subsequent PKBE schemes to rely on bilinear pairings, in which computations are in cyclic groups of fixed order that determines the ciphertext (header) size. The authors proposed a "basic" scheme $\mathrm{BGW}_1$ having a decryption key size linear to the number of recipients $N$ and constant-size ciphertext of two elements, and a generalized variant $\mathrm{BGW}_2$ consisting of parallel instances of $\mathrm{BGW}_1$ achieving a tradeoff of $O(\sqrt{N})$ decryption key size and $O(\sqrt{N})$ ciphertext size. Identity-based variants of $\mathrm{BGW}_1$, having user identities as public keys, were proposed by Delerablée (2007) and Sakai and Furukawa (2007) with the same performance properties as $\mathrm{BGW}_1$, except shorter public key length due to the identity orientation. Delerablée et al. (2007) proposed a dynamic PKBE scheme that allows joining of new users without updating the group keys. The first adaptively secure PKBE scheme was proposed by Gentry and Waters (2009), and later schemes are found in (Malek and Miri, 2012; Zhang et al., 2012; Phan et al., 2013; Kim et al., 2015; Lee and Lee, 2015). Some other PKBE schemes are found in (Park et al., 2008; Dubois et al., 2013; Kim et al., 2013).
All the stateless broadcast encryption schemes are based on bilinear pairings. In addition to bilinear pairings, lattices are another cryptographic primitive that has been proposed for realizing PKBE (Wang and Bi, 2010; Georgescu, 2013).
As a sidenote, multi-receiver encryption (MRE) is different from broadcast encryption, in that the sender encrypts $N$ individual plaintexts, one for each recipient, resulting in $N$ ciphertexts. MRE is probabilistic and its motivation is computational efficiency by reusing the same element of randomness for all ciphertexts (Bellare et al., 2007) instead of generating unique random integers for each ciphertext.
3 PRELIMINARIES
The proposed scheme assumes cyclic subgroups, which are realized by the following parameters.
Let $n = pq$ be the product of two large secret primes
$$p = 2p_0 \prod_{j=1}^{N/2} p_j \, r_p + 1 \quad (1a)$$
and
$$q = 2q_0 \prod_{j=N/2+1}^{N} p_j \, r_q + 1 \quad (1b)$$
where $N$ is the number of recipients, $\mathcal{P} = \{p_0, q_0, p_j \mid 1 \le j \le N\}$ are distinct large secret primes of approximately the same size, and $(r_p, r_q)$ are optional arbitrary integers. The security level $\lambda$ is determined by $\lambda = \|p_0\| = \|q_0\| = \|p_j\|$.
Let $g = \alpha^2 \bmod n$, where $\alpha$ is a generator (i.e., primitive element) for a cyclic group in $\mathbb{Z}_p^*$ and in $\mathbb{Z}_q^*$.
Let $g_i$, $1 \le i \le N$, denote a generator for the subgroup $G_i$ of order $p_0 q_0 p_i$, where
$$g_i = g^{\bar{p}_i} \bmod n \quad \text{and} \quad \bar{p}_i = \prod_{j=1,\, j \ne i}^{N} p_j \quad (2)$$
The order of $G_i$ is hidden, since $\mathcal{P}$ are secret.
Select a large random secret integer $\gamma$, whose bit-size is at least that of $n$.
Next we present the relevant computational hardness assumptions.
3.1 Security Assumptions
Background on Subgroups of Hidden Orders. For efficiency purposes for public key signature, commitment, and encryption cryptosystems, Groth (2005) proposed using small subgroups in $\mathbb{Z}_n^*$ of secret orders. For this purpose, Groth proposed a pertaining decisional RSA subgroup security assumption, whose hardness is the difficulty to determine if an element pertains to a subgroup $G < \mathbb{Z}_n^*$ or to $\mathbb{Z}_n^*$. A similar decisional RSA subgroup assumption is formulated by Bourse et al. (2020). These assumptions are similar to high-residuosity assumptions, such as (Naccache and Stern, 1998), and the composite residuosity assumption of the Paillier cryptosystem (Paillier, 1999).
Secret subgroups can for instance be useful and convenient when designing cryptosystems and cryptographic protocols that are using secret encryption factors (or blinding factors), since knowing the subgroup order (represented by the private key) allows elimination of those encryption factors. This is seen in the mentioned Paillier cryptosystem, in which using the private key $\lambda$ as an exponent to the ciphertext eliminates the encryption factor $r^n$, because its subgroup order is $\lambda$, i.e., $(r^n)^{\lambda} \bmod n^2 = 1$. In our cryptosystem, subgroups of hidden orders are used for preventing disclosure of the secret integer $\gamma$, as discussed below.
Congruences. Consider the modular residue
$$\gamma_i = \gamma \bmod p_0 q_0 \bar{p}_i \quad (3)$$
which in the proposed scheme is the private key for user $P_i$. The prime $p_k$ divides $\bar{p}_i$ if $i \ne k$, in agreement with Eq. (2). This implies the congruence $\gamma_i \bmod p_k \equiv \gamma_j \bmod p_k$ for any two residues $\gamma_i$ and $\gamma_j$, $i \ne j$. In general, this is
$$\gamma \equiv \gamma_i \equiv \gamma_j \pmod{p_k}$$
for $1 \le i, j, k \le N$, $i \ne j \ne k$. Taking a generator $g_i$ and the composite modulus $n$ into consideration, the mentioned congruences agree with
$$g_k^{\gamma} \equiv g_k^{\gamma_i} \pmod{n} \quad (4)$$
where $g_k$ generates a cyclic subgroup $G_k$. The congruence holds since the order of $G_k$ is $p_0 q_0 p_k$, which divides the modulus $p_0 q_0 \bar{p}_i$ of $\gamma_i$ for $i \ne k$.
In agreement with Eq. (3), the secret integer $\gamma$ is congruent to each residue $\gamma_j$, $1 \le j \le N$:
$$\gamma \equiv \gamma_1 \pmod{p_0 q_0 \bar{p}_1}, \quad \ldots, \quad \gamma \equiv \gamma_N \pmod{p_0 q_0 \bar{p}_N}$$
In the proposed scheme $\gamma$ is a secret integer. This means that for any two residues $\gamma_i = \gamma \bmod p_0 q_0 \bar{p}_i$ and $\gamma_j = \gamma \bmod p_0 q_0 \bar{p}_j$, $\gamma$ can be disclosed in agreement with the Chinese remainder theorem:
$$\gamma \equiv \begin{cases} \gamma_i \pmod{p_0 q_0 \bar{p}_i} \\ \gamma_j \pmod{p_i} \end{cases} \quad (5)$$
if and only if $(p_0, q_0, \bar{p}_i, p_i)$ are known. For this reason, to prevent disclosure of $\gamma$, we use subgroups of hidden order, in which all primes in $\mathcal{P}$ are kept secret. Due to the secrecy of these primes, it is not possible to restore $\gamma$. This ensures collusion resistance, which prevents any subset of colluding users $R$ from establishing $\gamma$.
On the Necessity of $(p_0, q_0)$. The composite modulus $n$ can be factorized more efficiently by utilizing the smaller search space of the subgroup $G_i < \mathbb{Z}_n^*$ provided by $g_i$ than by factoring methods such as general number field sieves. This situation was also pointed out by Damgård et al. (2008). The secret primes $(p_0, q_0)$, cf. Eq. (1), are necessary to prevent factorization of $n$ in conjunction with $g_i$.
According to Fermat's little theorem, $g^{p-1} = kp + 1$, where $g, k > 0$ and $p$ is a prime. Thus, $g^{x(p-1)} = (kp + 1)^x = k'p + 1$, where $x, k' > 0$. Recall that $g_i$ generates a subgroup of order $p_0 q_0 p_i$. According to the composition of $p$, cf. Eq. (1), $\{q_0, p_i \mid N/2 + 1 \le i \le N\}$ do not divide $p - 1$. In agreement with Fermat's theorem then
$$g_i^{p_0 p_i} = \alpha^{2 p_0 p_i \bar{p}_i} = k''p + 1 \quad \text{for } N/2 + 1 \le i \le N$$
where $(g_i, \bar{p}_i, p)$ are defined in Eqs. (1, 2). This means that $p$ can be found by an exhaustive search w.r.t. the unknown integer $p_0$, where $p' = \gcd\big((g_i^{x} \bmod n) - 1,\, n\big)$. If $x = p_0$ then $p' = p$. The security strength $\lambda$ w.r.t. this attack is therefore equivalent to $\lambda = \|p_0\| = \|q_0\|$.
The DDH Assumption. In addition to the factorization problem, the security also relies on the decisional Diffie-Hellman assumption. Let $g$ be a generator for a sufficiently large subgroup $G$ of order $q$. Let $(a, b, c)$ be randomly selected large integers in $[1, \ldots, q]$. Given the triplet $(g, g^a, g^b, z_b)$, where $b$ is a uniform random bit. Let $z_b = g^{ab}$ and $z_{1-b} = g^c$. The probability that $b$ is correctly determined is at least $\frac{1}{2} + \varepsilon$ for some value $\varepsilon$. If $g^{ab}$ and $g^c$ are indistinguishable, so that $b$ cannot be determined w.r.t. $z_b = g^{ab}$, then $\varepsilon$ is negligible, meaning that the DDH assumption holds.
3.2 Broadcast Encryption Algorithms
A trusted authority is necessary for setting up an instance of the proposed scheme by computing long-term user keys. Let $U = \{P_1, \ldots, P_N\}$ denote a set of $N$ users. The scheme proposed consists of the following algorithms:
Setup. The algorithm $(pk, sk) \leftarrow \mathrm{Setup}(N, \lambda)$ inputs a security parameter $\lambda$ and the number of users $N$, and outputs $pk = (\{g_i, y_i \mid 0 \le i \le N\}, n)$ and $sk = \{\gamma_i \mid 1 \le i \le N\}$.
Encryption. For any subset $T \subseteq U$, where $R = U \setminus T$ is the corresponding set of excluded (or revoked) users, the encryption algorithm $(k_T, z) \leftarrow \mathrm{Enc}(\{g_j, y_j \mid P_j \in R\}, n)$ takes the public keys of the revoked users as input, and outputs a broadcast key $k_T$ and an encryption header $z$.
Decryption. The decryption algorithm $k'_T \leftarrow \mathrm{Dec}(\gamma_i, z, n)$ takes the private key $\gamma_i$ (of which $P_i \in T$) and the encryption header $z$ as input, and outputs the broadcast key $k'_T$.
The correctness property is met if for any subset $T \subseteq U$ the broadcast keys $(k_T, z) \leftarrow \mathrm{Enc}(\{g_j, y_j \mid P_j \in R\}, n)$ and $k'_T \leftarrow \mathrm{Dec}(\gamma_i, z, n)$ match, i.e., $k_T = k'_T$.
3.3 Security Model
The security of the proposed scheme can be defined using a game between an adversary $\mathcal{A}$ and a challenger $\mathcal{C}$. The adversary defines an arbitrary set of compromised users $S'$ in which the adversary is permitted to obtain the private keys. This is consistent with a revoked set of colluding users $R = U \setminus T$.
Setup. The challenger computes $(pk, sk) \leftarrow \mathrm{Setup}(N, \lambda)$ and obtains $N$ user keys. It then submits $PK$ to the adversary $\mathcal{A}$.
Key Query. The adversary queries the private keys for a subset $S' \subseteq S$, where $S = \{1, \ldots, N\}$. The challenger submits $\{\gamma_i \mid i \in S'\}$ to $\mathcal{A}$.
Challenge. The challenger invokes $(k_{S'}, z) \leftarrow \mathrm{Enc}(g_j, y_j \mid j \in S', n)$. The challenger randomly picks a bit $b \in \{0, 1\}$, sets $k_b = k_{S'}$, and randomly sets $k_{1-b}$ in the space of possible session keys. It then submits the triplet $(z, k_0, k_1)$ to the adversary.
Output. The adversary outputs a bit $b'$. The adversary succeeds if $b = b'$.
The game can be conducted for any subset $S' \subseteq S$. Let $\Pr(b' = b) - \frac{1}{2}$ be the probability that the adversary correctly outputs $b = b'$ after the game. We say that the broadcast encryption scheme is key indistinguishable if $|\Pr(b' = b) - \frac{1}{2}| \le \varepsilon$, where $\varepsilon$ is negligible due to the difficulty of correctly distinguishing keys.
4 PUBLIC KEY BROADCAST ENCRYPTION
A trusted authority (TA) is necessary for setting up system parameters and long-term user keys.
Setup. The TA conducts the following tasks to set up an instance of the system.
1. Compute $n = pq$, where $p$ and $q$ are two large random secret primes selected in agreement with Eq. (1).
2. Select a large random secret integer $\gamma$ whose size is larger than $n$.
3. The private keys for $P_i \in U$ are computed as $\gamma_i = \gamma \bmod p_0 q_0 \bar{p}_i$, where $\bar{p}_i = \prod_{j=1,\, j \ne i}^{N} p_j$.
4. Let $g$ be a generator of the multiplicative groups modulo $p$ and $q$. The corresponding public keys are computed as
$$g_i = g^{\bar{p}_i} \bmod n, \quad y_i = g_i^{\gamma} \bmod n, \quad 0 \le i \le N$$
Each user $P_i \in U$ is assigned the key tuple $(\gamma_i, g_i, y_i)$. Note that $(g_0, y_0)$ are generic and to be applied for the case $R = \emptyset$.
Encryption. Select a set of recipients $T \subseteq U$ that is the target for a secure broadcast, in which $R = U \setminus T$ denotes a set of so-called revoked users. Generate a random secret integer $r \in \mathbb{Z}_n$, and compute the encryption key
$$k_T = \prod_{j \in R} y_j^{\,r} \bmod n$$
and the encryption header
$$z = \prod_{j \in R} g_j^{\,r} \bmod n$$
If $R = \emptyset$ then $k_T = k_U = y_0^{\,r}$ and $z = g_0^{\,r}$. Then the plaintext is encrypted using $k_T$.
Decryption. At the receipt of $z$, each user $P_i \in T$ is able to restore $k_T$ by the modular exponentiation
$$k_T = z^{\gamma_i} \bmod n$$
Note that there is only one public key element and one private key element (for each user), and the header is a single element only.
4.1 Correctness
The following shows that the output of the decryption algorithm (Eq. (6a)) is consistent with the output of the encryption algorithm (Eq. (6d)):
$$k_{T,i} \equiv z^{\gamma_i} \equiv \Big(\prod_{k \in R} g_k\Big)^{r\gamma_i} \pmod{n} \quad (6a)$$
$$\equiv \prod_{k \in R} g^{\,r \bar{p}_k (\gamma \bmod p_0 q_0 p_k)} \pmod{n} \quad (6b)$$
$$\equiv \prod_{k \in R} g_k^{\,r\gamma} \pmod{n} \quad (6c)$$
$$\equiv \prod_{k \in R} y_k^{\,r} \pmod{n} = k_T \quad (6d)$$
for $\gamma_i$, $i \notin R$, in agreement with Eq. (4). The congruence holds since the order of the subgroup $G_k$ generated by $g_k$ is $p_0 q_0 p_k$, and $p_0 q_0 p_k$ divides the modulus $p_0 q_0 \bar{p}_i$ of $\gamma_i$, if $i \ne k$. Therefore, two users $P_i, P_j \in T$, holding two distinct private keys $(\gamma_i, \gamma_j)$, will compute the same key $k_T$.
Example. Let $N = 3$ and $n = (2p_0 p_1 + 1)(2q_0 p_2 p_3 + 1)$. Then $\gamma_1 = \gamma \bmod p_0 q_0 p_2 p_3$ and $\gamma_2 = \gamma \bmod p_0 q_0 p_1 p_3$. Let $P_3 \in R$ be a revoked user realized by means of $g_3$ in the encryption step. The following expressions are in $\mathbb{Z}_n$, and show that
$$g_3^{\gamma_1} = g^{\bar{p}_3 \gamma_1} = g^{p_1 p_2 \gamma_1} = g^{p_1 p_2 (\gamma \bmod p_0 q_0 p_2 p_3)} \equiv g^{p_1 p_2 \gamma \bmod p_0 q_0 p_1 p_2 p_3} \equiv g^{\bar{p}_3 \gamma}$$
and
$$g_3^{\gamma_2} = g^{\bar{p}_3 \gamma_2} = g^{p_1 p_2 \gamma_2} = g^{p_1 p_2 (\gamma \bmod p_0 q_0 p_1 p_3)} \equiv g^{p_1 p_2 \gamma \bmod p_0 q_0 p_1 p_2 p_3} \equiv g^{\bar{p}_3 \gamma}$$
are hence equivalent. However, $g_3^{\gamma_3}$ results in the incongruency
$$g_3^{\gamma_3} = g^{p_1 p_2 \gamma_3} = g^{p_1 p_2 (\gamma \bmod p_0 q_0 p_1 p_2)} \not\equiv g^{\bar{p}_3 \gamma}$$
This prevents $P_3 \in R$ from computing the broadcast key.
4.2 Parameter Sizes
In agreement with the discussion in Section 3.1, we suggest that $\lambda = \|p_0\| = \|q_0\|$. We also suggest that $\lambda = \|p_j\|$, $1 \le j \le N$, to ensure a sufficiently large distribution of the private keys $\gamma_j$, $1 \le j \le N$. Table 1 shows the sizes of the modulus primes $\|p\| = \|q\|$ and $n$ as a function of $\lambda$ and $N$. This is in agreement with the recommendations of NIST (Barker, 2016), which suggest that the RSA modulus should be 1024 bits for 80 bits security level, 2048 bits for 112 bits security level, and 3072 bits for 128 bits security. Note that for $(\lambda = 128, N = 10)$, $n$ should be increased to 3072 bits to meet the current recommendations for $\lambda = 128$.
Consideration has to be taken when selecting an RSA modulus whose prime factors have an unusual composition. For example, the attack of Coron et al. (2011) has a computational time and space complexity of $O(\sqrt{p_0})$, which gives the bound $\|p_0\| = \|q_0\| \ge 2\lambda$. However, this attack imposes a vast space complexity for moderate security levels. For $\lambda = 100$ bits, the memory requirements amount to $\|n\| \times 1{,}125{,}899$ GB, which is insurmountable for any practical realizations of the attack.
Table 1: Parameters.
λ   | N  | ||p|| = ||q|| | ||n||
80  | 10 | 880           | 1760
80  | 20 | 1688          | 2260
112 | 10 | 1232          | 2464
112 | 20 | 2352          | 4704
128 | 10 | 1408          | 2816
128 | 20 | 2688          | 5376
5 SECURITY ANALYSIS
In this section, we provide a security proof in the standard model.
Theorem 1. The proposed scheme is secure assuming that $\lambda$ is sufficiently large.
Proof. The proof models interaction between an adversary $\mathcal{A}$ and a challenger $\mathcal{C}$, and proves collusion resistance concerning revoked users $R = U \setminus T$.
Setup. A challenger $\mathcal{C}$ sets up an instance of the cryptosystem, and computes the public keys $PK = (\{g_i, y_i \mid 0 \le i \le N\}, n)$ and private keys $\{\gamma_i \mid 0 \le i \le N\}$ by invoking $\mathrm{Setup}(N, \lambda)$. Since the random values $(\gamma, \mathcal{P})$ are chosen uniformly, the keys have a distribution identical to that of an actual construction. $\mathcal{C}$ submits $PK$ to $\mathcal{A}$.
Key Query. $\mathcal{A}$ queries private user keys for a subset $S' \subseteq \{1, \ldots, N\}$. $\mathcal{C}$ submits $\{\gamma_i \mid i \in S'\}$ to $\mathcal{A}$.
Challenge. Let $\hat{g} = \prod_{j \in S'} g_j$. The challenger invokes $(k_{S'}, z) \leftarrow \mathrm{Enc}(g_j, y_j \mid j \in S', n)$, where $k_{S'} = \hat{g}^{\gamma r}$ and $z = \hat{g}^{r}$.
The challenger randomly picks a bit $b \in \{0, 1\}$, and sets $k_b = k_{S'}$ and $k_{1-b} = \hat{g}^{c}$, where $c$ is a large secret integer. It then submits the triplet $(z, k_0, k_1)$ to the adversary. This agrees with the DDH challenge
$$(\hat{g},\ \hat{g}^{\gamma},\ \hat{g}^{r},\ \hat{g}^{\gamma r},\ \hat{g}^{c})$$
where $\hat{g}^{\gamma} = \prod_{j \in S'} y_j$, and $\hat{g}^{\gamma r}$ is a valid encryption key and $\hat{g}^{r}$ is a valid header.
Output. The challenge corresponds with two cases:
Case 1. The computational problem of $\mathcal{A}$ is to determine if $k_{S'}$ is $k_0$ or $k_1$ with more than $\frac{1}{2} + \varepsilon$ probability, where $\varepsilon$ is a negligible probability. If the adversary succeeds at this, it is equivalent to that the adversary can solve the DDH problem in polynomial time. If the subgroup is sufficiently large, this is known to be a computationally intractable problem.
Case 2. Since $\gamma$ is secret and not known by the adversary, the only way for him to compute $\gamma$ is from the private keys/residues $(\gamma_i, \gamma_j \mid i, j \in S')$ according to
$$\gamma \equiv \begin{cases} \gamma_i \pmod{p_0 q_0 \bar{p}_i} \\ \gamma_j \pmod{p_i} \end{cases}$$
in agreement with Eq. (5) and the Chinese remainder theorem. This requires $(p_0, q_0, \bar{p}_i, p_i)$, which are secret and unknown to the adversary, so the adversary would have to find the exact subgroup orders and/or decompose the secret primes $(p, q)$, which means that the adversary would be able to solve the factorization problem. Assuming that $\lambda$ and $n$ are sufficiently large, this is known to be a computationally intractable problem. The adversary outputs a bit $b'$, where the probability that $b = b'$ is $\frac{1}{2} + \varepsilon$. Thus, the proposed scheme is secure assuming that $\lambda$ is sufficiently large.
6 CONCLUSION
Virtually all existing stateless broadcast encryption schemes are based on bilinear pairings, with a couple of exceptions that are based on lattices. However, such schemes have in common some shortcomings, such as long decryption keys comprising the public keys of the pertaining recipients. Decryption therefore necessitates access to public keys, which requires key management and impacts computational and transmission overhead, accessibility, and storage.
In this paper, we have proposed a novel broadcast encryption scheme that is based on the factorization problem and hidden RSA subgroups. It has some unique features. The encryption header is relatively short, and the decryption key consists of only one key element, which is the private user key only. This eliminates the need for recipients to access public keys of other recipients and thus key management. An implication is anonymity, in which there is no longer any need that a user description list referencing the pertaining recipients and their public keys is attached to the ciphertexts. Future work based on the proposed approach includes anonymous attribute-based broadcast encryption.
ACKNOWLEDGEMENTS
Parts of this research have been supported by the NORCICS project, RCN grant number 310105.
REFERENCES
Barker, E. (2016). NIST Special Publication 800-57. Recommendation for key management. Technical report, National Institute of Standards and Technology. Part 1: General (Revision 4).
Bellare, M., Boldyreva, A., Kurosawa, K., and Staddon, J. (2007). Multi-recipient encryption schemes: Efficient constructions and their security.
Boneh, D., Gentry, C., and Waters, B. (2005). Collusion resistant broadcast encryption with short ciphertexts and private keys. In Proceedings of the 25th Annual International Conference on Advances in Cryptology, CRYPTO'05, pages 258–275, Berlin, Heidelberg. Springer-Verlag.
Bourse, F., Sanders, O., and Traoré, J. (2020). Improved secure integer comparison via homomorphic encryption. In Topics in Cryptology - CT-RSA 2020: The Cryptographers' Track at the RSA Conference 2020, San Francisco, CA, USA, February 24–28, 2020, Proceedings, pages 391–416, Berlin, Heidelberg. Springer-Verlag.
Cao, Z. and Liu, L. (2015). On the disadvantages of pairing-based cryptography. IACR Cryptology ePrint Archive, 2015:84.
Coron, J.-S., Joux, A., Mandal, A., Naccache, D., and Tibouchi, M. (2011). Cryptanalysis of the RSA subgroup assumption from TCC 2005. In Catalano, D., Fazio, N., Gennaro, R., and Nicolosi, A., editors, Public Key Cryptography - PKC 2011, pages 147–155, Berlin, Heidelberg. Springer Berlin Heidelberg.
Damgård, I., Geisler, M., and Krøigaard, M. (2008). A correction to "Efficient and secure comparison for on-line auctions". IACR Cryptology ePrint Archive, 2008:321.
Delerablée, C. (2007). Identity-based broadcast encryption with constant size ciphertexts and private keys. In Proceedings of the Advances in Cryptology 13th International Conference on Theory and Application of Cryptology and Information Security, ASIACRYPT'07, pages 200–215, Berlin, Heidelberg. Springer-Verlag.
Delerablée, C., Paillier, P., and Pointcheval, D. (2007). Fully collusion secure dynamic broadcast encryption with constant-size ciphertexts or decryption keys. In Proceedings of the First International Conference on Pairing-Based Cryptography, Pairing'07, pages 39–59, Berlin, Heidelberg. Springer-Verlag.
Dodis, Y. and Fazio, N. (2003). Public key broadcast encryption for stateless receivers. In Feigenbaum, J., editor, Digital Rights Management, pages 61–80, Berlin, Heidelberg. Springer Berlin Heidelberg.
Dubois, R., Guillevic, A., and Breton, M. S. L. (2013). Improved broadcast encryption scheme with constant-size ciphertext. In Proceedings of the 5th International Conference on Pairing-Based Cryptography, Pairing'12, pages 196–202, Berlin, Heidelberg. Springer-Verlag.
Gentry, C. and Waters, B. (2009). Adaptive security in broadcast encryption systems (with short ciphertexts). In Proceedings of the 28th Annual International Conference on Advances in Cryptology: The Theory and Applications of Cryptographic Techniques, EUROCRYPT '09, pages 171–188, Berlin, Heidelberg.
Georgescu, A. (2013). Anonymous lattice-based broadcast encryption. In Proceedings of ICT-EurAsia, March 25-29, 2013, pages 353–362, Berlin, Heidelberg. Springer.
Groth, J. (2005). Cryptography in subgroups of $\mathbb{Z}_n^*$. In Kilian, J., editor, Theory of Cryptography, pages 50–65, Berlin, Heidelberg. Springer.
Hajny, J., Dzurenda, P., Ricci, S., Malina, L., and Vrba, K. (2018). Performance analysis of pairing-based elliptic curve cryptography on constrained devices. In 2018 10th International Congress on Ultra Modern Telecommunications and Control Systems and Workshops (ICUMT), pages 1–5.
He, K., Weng, J., Liu, J.-N., Liu, J. K., Liu, W., and Deng, R. H. (2016). Anonymous identity-based broadcast encryption with chosen-ciphertext security. In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, ASIA CCS '16, pages 247–255, New York, NY, USA. ACM.
Kim, J., Susilo, W., Au, M. H., and Seberry, J. (2013). Efficient semi-static secure broadcast encryption scheme. In Pairing-Based Cryptography - Pairing 2013 - 6th International Conference, Beijing, China, November 22-24, 2013, Revised Selected Papers, pages 62–76.
Kim, J., Susilo, W., Au, M. H., and Seberry, J. (2015). Adaptively secure identity-based broadcast encryption with a constant-sized ciphertext. IEEE Transactions on Information Forensics and Security, 10(3):679–693.
Lee, K. and Lee, D. H. (2015). Adaptively secure broadcast encryption under standard assumptions with better efficiency. IET Information Security, 9:149–157(8).
Libert, B., Paterson, K. G., and Quaglia, E. A. (2012). Anonymous broadcast encryption: Adaptive security and efficient constructions in the standard model. In Fischlin, M., Buchmann, J., and Manulis, M., editors, Public Key Cryptography - PKC 2012, pages 206–224, Berlin, Heidelberg. Springer Berlin Heidelberg.
Malek, B. and Miri, A. (2012). Adaptively secure broadcast encryption with short ciphertexts. International Journal of Network Security, 14(2):71–79.
Naccache, D. and Stern, J. (1998). A new public key cryptosystem based on higher residues. In Proceedings of the 5th ACM Conference on Computer and Communications Security, CCS '98, pages 59–66, New York, NY, USA. Association for Computing Machinery.
Naor, D., Naor, M., and Lotspiech, J. B. (2001). Revocation and tracing schemes for stateless receivers. In Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, CRYPTO '01, pages 41–62, London, UK. Springer-Verlag.
Paillier, P. (1999). Public-key cryptosystems based on composite degree residuosity classes. In Advances in Cryptology - EUROCRYPT '99, International Conference on the Theory and Application of Cryptographic Techniques, Prague, Czech Republic, May 2-6, 1999, Proceedings, pages 223–238.
Park, J. H., Kim, H. J., Sung, M. H., and Lee, D. H. (2008). Public key broadcast encryption schemes with shorter transmissions. IEEE Transactions on Broadcasting, 54(3):401–411.
Phan, D.-H., Pointcheval, D., Shahandashti, S. F., and Strefler, M. (2013). Adaptive CCA broadcast encryption with constant-size secret keys and ciphertexts. International Journal of Information Security, 12(4):251–265.
Sakai, R. and Furukawa, J. (2007). Identity-based broadcast encryption. IACR Cryptology ePrint Archive, 2007:217.
Wang, J. and Bi, J. (2010). Lattice-based identity-based broadcast encryption scheme. IACR Cryptology ePrint Archive, 2010:288.
Zhang, L., Hu, Y., and Wu, Q. (2012). Adaptively secure identity-based broadcast encryption with constant size private keys and ciphertexts from the subgroups. Mathematical and Computer Modelling, 55(1):12–18. Advanced Theory and Practice for Cryptography and Future Security.