
Page 1: [IEEE 2008 9th International Conference for Young Computer Scientists (ICYCS) - Hunan, China (2008.11.18-2008.11.21)] 2008 The 9th International Conference for Young Computer Scientists

An Identity-based Broadcast Encryption Protocol for Ad Hoc Networks

Leyou Zhang
Department of Mathematical Science, Xidian University
Xi'an, Shaanxi Province 710071, China
[email protected]

Yupu Hu
Key Laboratory of Computer Networks and Information Security, Ministry of Education, Xidian University
Xi'an, Shaanxi Province 710071, China
[email protected]

Ningbo Mu
Key Laboratory of Computer Networks and Information Security, Ministry of Education, Xidian University
Xi'an, Shaanxi Province 710071, China
[email protected]

Abstract

An identity-based broadcast encryption protocol for ad hoc networks is proposed. Whenever a new mobile ad hoc network is formed, the proposed protocol only requires each group member to broadcast his/her identity to construct the group key, which avoids the large number of message exchanges between group members required by previously proposed group key management protocols. Hence it is highly efficient in terms of member removal when constructing a new network. In addition, our protocol is also efficient in computation, since encryption and decryption only require two bilinear pairing computations. Furthermore, we show that the new protocol is provably secure in the standard model.

Keywords: Group key generation protocol, identity-based encryption, broadcast encryption, provably secure, standard model

1. Introduction

In wireless ad hoc networks [1], the nodes act as mobile IP routers and carry out basic functions like packet forwarding, routing and network management. Whenever a mobile ad hoc network is constructed in an open network environment, all devices can learn the broadcast communication, so security is crucial in this environment. Therefore a secure protocol is required to protect the content of the communication so that only members of the ad hoc group can obtain the information. Many protocols have been proposed [2-5]. However, these protocols have been shown to be inefficient, which makes them completely impractical in real-life practice.

Recently, Ching Y. [6] proposed an efficient communication protocol for identity-based mobile ad hoc networks. It incorporates the cryptosystem of [7], with a bilinear map and pairing computation, to replace the contributory setup of a group key seen in other literature, so that the group members do not perform any message exchanges during the generation of a group key. However, its security relies on random oracles. It has been shown that when the random oracles are instantiated with concrete hash functions, the resulting scheme may not be secure [8, 9]. This motivates us to construct a scheme that has the same desirable features as the scheme in [6] but does not rely on random oracles. In this paper, we propose a new construction. In our construction, each node is conceived as a broadcaster. The broadcaster selects the valid receiver(s) by himself and encrypts the message (or the symmetric key used to encrypt the broadcast contents). Like the protocol described in [6], our new protocol avoids key-setup message exchanges between the group members: it only requires each group member to broadcast one message to set up the group key. In addition, we show that only group members can decrypt the ciphertext or the encrypted symmetric key. Furthermore, we show that the security of the proposed scheme does not rely on random oracles.

The 9th International Conference for Young Computer Scientists

978-0-7695-3398-8/08 $25.00 © 2008 IEEE

DOI 10.1109/ICYCS.2008.194

1619

The rest of the paper is organized as follows: Section 2 provides a number of definitional facts about bilinear maps, the decisional bilinear Diffie-Hellman assumption, identity-based broadcast encryption schemes and related security notions. We describe our main constructions in Section 3 and discuss their security in Section 4. We finally conclude in Section 5.

2. Preliminaries

2.1. Bilinear map and pairing

Let $G$ and $G_1$ be two (multiplicative) cyclic groups of prime order $p$, and let $g$ be a generator of $G$. A bilinear map is a map $e: G \times G \to G_1$ with the following properties:

(i) Bilinearity: for all $a, b \in \mathbb{Z}_p$ and $g_1, g_2 \in G$, we have $e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}$;

(ii) Non-degeneracy: $e(g_1, g_2) \neq 1$;

(iii) Computability: there is an efficient algorithm to compute the bilinear pairing $e(u, v)$ for all $u, v \in G$.

2.2. Decisional bilinear Diffie-Hellman assumption

Definition 1 (Decisional bilinear Diffie-Hellman (BDH) problem): The challenger chooses $a, b, c \in \mathbb{Z}_p$ at random and then flips a fair binary coin $b \in \{0, 1\}$. If $b = 1$ it outputs the tuple $(g, A = g^a, B = g^b, C = g^c, T = e(g, g)^{abc})$. Otherwise, $b = 0$, and the challenger outputs the tuple $(g, A = g^a, B = g^b, C = g^c, T)$ where $T$ is a random element of $G_1$. The adversary must then output a guess $b'$ of $b$. An algorithm $\mathcal{B}$ that outputs $b \in \{0, 1\}$ has advantage $\varepsilon$ in solving the decision BDH problem in $G$ if

$$\big|\Pr[\mathcal{B}(g, A = g^a, B = g^b, C = g^c, T = e(g, g)^{abc}) = 0] - \Pr[\mathcal{B}(g, A = g^a, B = g^b, C = g^c, T) = 0]\big| \geq \varepsilon.$$

Definition 2: The $(t, \varepsilon)$-decisional BDH assumption holds if no $t$-time adversary has a non-negligible advantage $\varepsilon$ in solving the above game.

2.3. Identity-based broadcast encryption

Identity-based encryption (IBE) is a new public key cryptosystem. It allows a party to encrypt a message using the recipient's identity as a public key. The facility to use identities as public keys avoids distributing public key certificates, so it can simplify many applications of public key encryption (PKE), and it is currently an active research area. The first efficient security model for IBE was presented by Boneh and Franklin [7]. Since then, many schemes have been proposed [10-12].

Identity-based broadcast encryption (IBBE) [13] is a generalization of IBE. In IBE schemes, one public key can be used to encrypt a message to any possible identity. In an IBBE scheme, one public key can be used to encrypt a message to any possible group $S$ of identities. An identity-based broadcast encryption scheme (IBBE) with security parameter and maximal size $m$ of the target set consists of four algorithms Setup, Extract, Encrypt, Decrypt, specified as follows.

Setup: Take as input the security parameter and the maximal size $m$ of the set of receivers for encryption, and output a master secret key and a public key. The master secret key is sent to the PKG, and the public key is made public.

Extract: Take as input the master secret key and a user identity $ID$. Extract generates a user private key $d_{ID}$.

Encrypt: Take as input the public key and a set of included identities $S = \{ID_1, \cdots, ID_s\}$ with $s \leq m$, and output a pair $(Hdr, K)$, where $Hdr$ is called the header and $K$ is a key for the symmetric encryption scheme. When a message $M$ is broadcast to the users in $S$, the broadcaster generates $(Hdr, K)$, computes the encryption $C_M$ of $M$ under the symmetric key $K$ and broadcasts $(Hdr, S, C_M)$.

Decrypt: Take as input a subset $S = \{ID_1, \cdots, ID_s\}$ with $s \leq m$, an identity $ID_i$ and the corresponding private key $d_{ID_i}$, a header $Hdr$ and the public key. If $ID_i \in S$, the algorithm outputs the message encryption key $K$, which is then used to decrypt the broadcast body $C_M$ and recover $M$.

2.4. Security model for IBBE

We give the IND-sID-CCA security of an IBBE system. The security model is defined by the following game played between an adversary $\mathcal{A}$ and a challenger. Both the adversary and the challenger are given as input $m$, the maximal size of a set of receivers $S$.

Init: The adversary $\mathcal{A}$ first outputs a set $S^* = \{ID_1^*, \cdots, ID_s^*\}$ of identities that he wants to attack (with $s \leq m$).

Setup: The challenger runs Setup to obtain a public key $PK$ and gives $\mathcal{A}$ the public key $PK$.

Query phase 1: The adversary $\mathcal{A}$ adaptively issues queries $q_1, \cdots, q_{s_0}$, where $q_i$ is one of the following:

- Extraction query $(ID_i)$ with the constraint that $ID_i \notin S^*$: the challenger runs Extract on $ID_i$ and sends the resulting private key to the adversary.

- Decryption query for a triple $(ID_i, S, Hdr)$ with $S \subseteq S^*$ and $ID_i \in S$: the challenger responds with Decrypt$(S, ID_i, Hdr, PK)$.

Challenge: When $\mathcal{A}$ decides that phase 1 is over, the challenger runs the Encrypt algorithm to obtain $(Hdr^*, K) = \text{Encrypt}(S^*, PK)$. The challenger then randomly selects $b \in \{0, 1\}$, sets $K_b = K$, and sets $K_{1-b}$ to a random value in $\mathcal{K}$. The challenger returns $(Hdr^*, K_0, K_1)$ to $\mathcal{A}$.

Query phase 2: The adversary continues to issue queries $q_{s_0+1}, \cdots, q_s$, where $q_i$ is one of the following:

- Extraction query $(ID_i)$, as in phase 1.

- Decryption query, as in phase 1, but with the constraint that $Hdr \neq Hdr^*$. The challenger responds as in phase 1.

Guess: Finally, the adversary $\mathcal{A}$ outputs a guess $b' \in \{0, 1\}$ and wins the game if $b = b'$.

We say that if the above indistinguishability game allows no decryption oracle queries, then the IBBE scheme is only chosen-plaintext (IND-ID-CPA) secure. There are many methods to convert an IND-ID-CPA scheme to an IND-sID-CCA scheme. Therefore, we only focus on constructing the IND-ID-CPA scheme in this paper.

3. New protocol for mobile ad hoc networks

3.1. Constructions

In this section, based on the scheme of [10] and Mu's scheme [14], we propose an IND-ID-CPA secure broadcast encryption protocol for mobile ad hoc networks.

Let $S = (ID_1, ID_2, \cdots, ID_m)$ denote the identities of the group members and suppose each member has obtained the public parameters $(g, g_0, g_1, g_2, h, F)$ with $g_1 = g^{\alpha}$ and $g_0 = g^r$ from the PKG, where $g$ and $g_2$ are generators of $G$ and $\alpha$ and $r$ are selected randomly from $\mathbb{Z}_p^*$. Note that $F$ is a collision-resistant hash function ($F: G_1 \to \mathbb{Z}_p^*$). In addition, the private key of each member obtained from the PKG is

$$d_{ID_i} = g_2^{\alpha}\,(g_1^{ID_i} h)^r.$$

These procedures can be done at any time before the mobile ad hoc network is formed.

Suppose that a subset of the members, $\bar{S} \subseteq S$, want to form a mobile ad hoc network. Then our broadcast encryption protocol is constructed as follows.

Setup: Given the parameters described above, each member of $\bar{S}$ can complete the following computations. The member first selects a random $t \in \mathbb{Z}_p$ and computes $T_1 = g^t$, $T_2 = g_2^t$. Without loss of generality, we write the set as $S = (ID_1, \cdots, ID_s)$ with $s \leq m$ from now on. Then he or she computes

$$x_i = F\big(e((g_1^{ID_i} h)^t, g_0)\big), \quad i = 1, \cdots, s.$$

Using these $x_i$, the member constructs

$$f(x) = \prod_{i=1}^{s} (x - x_i) = \sum_{i=0}^{s} a_i x^i,$$

where $a_i$ denotes the coefficient of $x^i$ and $x \in \mathbb{Z}_p$. Then he or she computes $(h_0, \cdots, h_s)$ as

$$h_0 = g^{a_0},\ h_1 = g^{a_1},\ \cdots,\ h_s = g^{a_s}.$$

Hence, each member of $S$ has an encryption key tuple $(h_0, \cdots, h_s, T_1, T_2)$. This tuple is not changed until a member leaves $S$ or new members join $S$.

Encrypt: Let $K$ denote a session key. A broadcaster in $S$ performs the following: select a random $k \in \mathbb{Z}_p$ and compute

$$C_0 = K h_0^k,\ C_1 = h_1^k,\ \cdots,\ C_s = h_s^k.$$

Finally, the broadcaster outputs the ciphertext $Hdr = (C_0, C_1, \cdots, C_s)$ and broadcasts it to the other members.

Decrypt: In order to retrieve the message encryption key $K$ encapsulated in the header $Hdr$, the user with identity $ID_i \in S$ and the corresponding private key

$$d_{ID_i} = g_2^{\alpha}\,(g_1^{ID_i} h)^r$$

computes

$$x_i = F\left(\frac{e(d_{ID_i}, T_1)}{e(g_1, T_2)}\right)$$

and

$$K = C_0 \prod_{j=1}^{s} C_j^{\,x_i^j}.$$

3.2. Correctness

Assume that $Hdr$ is well-formed for $S$. Then one obtains

$$\begin{aligned}
F\big(e(d_{ID_i}, T_1)/e(g_1, T_2)\big)
&= F\big(e(g_2^{\alpha}(g_1^{ID_i} h)^r, g^t)/e(g_1, g_2^t)\big) \\
&= F\big(e((g_1^{ID_i} h)^r, g^t)\,e(g_2^{\alpha}, g^t)/e(g_1, g_2^t)\big) \\
&= F\big(e((g_1^{ID_i} h)^r, g^t)\,e(g_2^t, g_1)/e(g_1, g_2^t)\big) \\
&= F\big(e((g_1^{ID_i} h)^r, g^t)\big) \\
&= F\big(e((g_1^{ID_i} h)^t, g_0)\big) \\
&= x_i
\end{aligned}$$

and

$$\begin{aligned}
C_0 \prod_{j=1}^{s} C_j^{\,x_i^j}
&= K g^{k a_0} \prod_{j=1}^{s} g^{k a_j x_i^j} \\
&= K g^{k \sum_{j=0}^{s} a_j x_i^j} \\
&= K \big(g^{f(x_i)}\big)^k \\
&= K.
\end{aligned}$$

Note that $f(x_i) = 0$, so $g^{f(x_i)} = 1$.

3.3. Efficiency

A mobile ad hoc network is dynamic, and hence the members of $S$ change whenever the network changes. Our new protocol only needs to add or exclude that member's ID during execution of Setup to obtain a new encryption key tuple, which is more efficient than the previous protocols. In addition, our protocol is efficient in computation: encryption and decryption only require two bilinear pairing computations.
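The following Python program is an added example, not code from the paper: it runs the Setup, Encrypt and Decrypt steps of Section 3.1 end to end, checks the correctness argument of Section 3.2, and re-runs Setup after a member is removed as Section 3.3 describes. To stay self-contained it replaces the pairing groups with a toy model: elements of $G$ and $G_1$ are integers mod a constructed prime written additively (so $g$ is 1, $g^a$ is $a$, a product of group elements is a sum, exponentiation is multiplication), and $e(x, y) = x \cdot y \bmod p$, which is bilinear and non-degenerate but offers no hardness at all. $F$ is modelled with SHA-256, and the identities and key values are constructed.

```python
"""Toy model of the Section 3 protocol (added example, not the paper's code).

Elements of G and G1 are written additively as integers mod P: the generator g
is 1, "g^a" is a, a product of group elements is a sum, raising to a power is
multiplication, and the pairing is e(x, y) = x*y mod P. That map is bilinear and
non-degenerate, but it has no cryptographic hardness: the DBDH problem is
trivial here, so this only checks the algebra of Sections 3.1-3.3.
"""
import hashlib
import secrets

P = 2**127 - 1  # constructed stand-in for the prime group order p


def pairing(x, y):
    """Toy symmetric bilinear map e: G x G -> G1."""
    return (x * y) % P


def F(z):
    """Hash F: G1 -> Z_p^* (modelled with SHA-256, forced non-zero)."""
    digest = hashlib.sha256(z.to_bytes(16, "big")).digest()
    return int.from_bytes(digest, "big") % P or 1


def rand_exp():
    """Uniform non-zero exponent in Z_p^*."""
    return secrets.randbelow(P - 1) + 1


def pkg_setup():
    """PKG: public parameters (g, g0, g1, g2, h) and master secret (alpha, r)."""
    alpha, r, g2, h = rand_exp(), rand_exp(), rand_exp(), secrets.randbelow(P)
    params = {"g": 1, "g0": r, "g1": alpha, "g2": g2, "h": h}  # g0 = g^r, g1 = g^alpha
    return params, (alpha, r)


def extract(params, msk, ID):
    """Private key d_ID = g2^alpha * (g1^ID h)^r."""
    alpha, r = msk
    return (alpha * params["g2"] + r * (ID * params["g1"] + params["h"])) % P


def poly_from_roots(roots):
    """Coefficients a_0..a_s of f(x) = prod_i (x - x_i) over Z_p, lowest degree first."""
    coeffs = [1]
    for root in roots:
        nxt = [0] * (len(coeffs) + 1)
        for i, a in enumerate(coeffs):
            nxt[i + 1] = (nxt[i + 1] + a) % P      # a * x^(i+1)
            nxt[i] = (nxt[i] - a * root) % P       # -x_i * a * x^i
        coeffs = nxt
    return coeffs


def member_setup(params, S):
    """Setup run by a member for the identity list S: returns (h_0..h_s, T1, T2)."""
    t = rand_exp()
    T1, T2 = t * params["g"] % P, t * params["g2"] % P
    # x_i = F(e((g1^ID_i h)^t, g0)) for every identity in S
    xs = [F(pairing(t * (ID * params["g1"] + params["h"]) % P, params["g0"])) for ID in S]
    hs = [a * params["g"] % P for a in poly_from_roots(xs)]  # h_i = g^{a_i}
    return hs, T1, T2


def encrypt(hs, K):
    """Hdr = (C0, C1..Cs) with C0 = K h_0^k and C_j = h_j^k."""
    k = rand_exp()
    return [(K + k * hs[0]) % P] + [k * hj % P for hj in hs[1:]]


def decrypt(params, d_ID, T1, T2, hdr):
    """K = C0 * prod_{j>=1} C_j^{x^j}, with x = F(e(d_ID, T1) / e(g1, T2))."""
    x = F((pairing(d_ID, T1) - pairing(params["g1"], T2)) % P)
    K, xpow = hdr[0], 1
    for Cj in hdr[1:]:
        xpow = xpow * x % P
        K = (K + Cj * xpow) % P
    return K


def demo():
    """Constructed run: three members, one outsider, then one member removed."""
    params, msk = pkg_setup()
    ids = {"alice": 11, "bob": 22, "carol": 33, "mallory": 44}  # constructed identities
    keys = {name: extract(params, msk, ID) for name, ID in ids.items()}
    S = [ids["alice"], ids["bob"], ids["carol"]]
    hs, T1, T2 = member_setup(params, S)
    K = secrets.randbelow(P)                      # session key, an element of G
    hdr = encrypt(hs, K)
    members_ok = all(decrypt(params, keys[n], T1, T2, hdr) == K for n in ("alice", "bob", "carol"))
    outsider_ok = decrypt(params, keys["mallory"], T1, T2, hdr) == K
    # Member removal (Section 3.3): only Setup is re-run, over S without carol.
    hs2, T1b, T2b = member_setup(params, S[:2])
    hdr2 = encrypt(hs2, K)
    alice_after = decrypt(params, keys["alice"], T1b, T2b, hdr2) == K
    carol_after = decrypt(params, keys["carol"], T1b, T2b, hdr2) == K
    return members_ok, outsider_ok, alice_after, carol_after


if __name__ == "__main__":
    print(demo())  # expected (True, False, True, False)
```

The outsider fails only because its $x$ is not a root of $f$, so the exponent $k\,f(x)$ does not vanish; in the toy group that exponent is directly readable, which is exactly why the model demonstrates correctness and the membership mechanism but says nothing about the DBDH-based security argument of Section 4.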

4. Security Analysis

In this section, we prove the IND-ID-CPA security of our scheme under the decision BDH assumption.

Theorem 1: Suppose that the $(t, \varepsilon)$ decision BDH assumption holds. Then our new protocol is $(t', \varepsilon)$-IND-ID-CPA secure with $t' = t - O(q_e \tau + q_e \rho)$, where $\rho$ and $\tau$ denote the time for a multiplication and an exponentiation respectively.

Proof: Suppose that there exists an adversary $\mathcal{A}$ that breaks our scheme. We construct a simulator $\mathcal{B}$ to solve the decision BDH problem. Our approach is based on that of the scheme in [10].

$\mathcal{B}$ is given a tuple $(g, g^a, g^b, g^c, T)$, where $T$ is either equal to $e(g, g)^{abc}$ or to some random element of $G_1$. To use $\mathcal{A}$ to solve the decision BDH problem, $\mathcal{B}$ must be able to simulate a challenger for $\mathcal{A}$. Therefore, $\mathcal{B}$ first sets $g_1 = g^a$, $g_2 = g^b$, $g_3 = g^c$. Such a simulation can then be constructed as follows.

Initialization: The adversary $\mathcal{A}$ first outputs a set of identities $S^* = (ID_1^*, \cdots, ID_s^*)$ with $s \leq m$ that he wants to attack.

Setup: To generate the system parameters, $\mathcal{B}$ first picks $\nu \in \mathbb{Z}_p$ at random and selects an identity $ID_j^* \in S^*$. Then he constructs a function $g(x)$ as

$$g(x) = \begin{cases} x - ID_j^* & x \notin S^* \\ x - \gamma & x \in S^* \end{cases},$$

where $\gamma \notin S^*$. Furthermore he sets

$$h = \begin{cases} g_1^{-ID_j^*} g^{\nu} & x \notin S^* \\ g_1^{-\gamma} g^{\nu} & x \in S^* \end{cases}.$$

Note that this assignment means that the master secret will be $g_2^a = g^{ab}$, which is unknown to $\mathcal{B}$. Finally, $\mathcal{B}$ sets

$$g_0 = g_2^{-1/g(x)} g^r = \begin{cases} g_2^{-1/(x - ID_j^*)} g^r & x \notin S^* \\ g_2^{-1/(x - \gamma)} g^r & x \in S^* \end{cases},$$

where $r$ is selected randomly in $\mathbb{Z}_p$, and gives $\mathcal{A}$ the public parameters $(g, g_0, g_1, g_2, h, F)$.

Phase 1: $\mathcal{A}$ adaptively issues Extract queries $q_1, \cdots, q_t$. Each query $q_i$ is handled as follows. Suppose that $q_i$ is a query for an identity $ID_i \notin S^*$, which means $g(ID_i) \neq 0$. Then $\mathcal{B}$ computes the private key for $ID_i$ as

$$d_{ID_i} = g_2^{-\nu/g(ID_i)}\,(g_1^{ID_i} h)^r.$$

This yields a valid private key for $ID_i$. In fact,

$$\begin{aligned}
g_2^{-\nu/g(ID_i)}\,(g_1^{ID_i} h)^r
&= g_2^{-\nu/(ID_i - ID_j^*)}\,(g_1^{ID_i - ID_j^*} g^{\nu})^r \\
&= g_2^{a}\,(g_1^{ID_i - ID_j^*} g^{\nu})^{\,r - b/(ID_i - ID_j^*)} \\
&= g_2^{a}\,(g_1^{ID_i} h)^{\,r - b/(ID_i - ID_j^*)} \\
&= g_2^{a}\,(g_1^{ID_i} h)^{r'},
\end{aligned}$$

where $r' = r - b/(ID_i - ID_j^*)$. Hence $d_{ID_i}$ is a valid response to $\mathcal{A}$.

Challenge: $\mathcal{B}$ first sets $T_1 = g_3 = g^c$ and runs Setup to compute

$$d_{ID_i^*} = g_2^{-\nu/g(ID_i^*)}\,(g_1^{ID_i^*} h)^r$$

and

$$x_i = F\big(e(d_{ID_i^*}, T_1)/T\big).$$

Suppose that $\mathcal{B}$ is given a valid BDH tuple, which means $T = e(g, g)^{abc}$. Then

$$\begin{aligned}
x_i &= F\big(e(d_{ID_i^*}, T_1)/T\big) \\
&= F\big(e(g_2^{-\nu/g(ID_i^*)}(g_1^{ID_i^*} h)^r, T_1)/T\big) \\
&= F\big(e(g_2^{-\nu/(ID_i^* - \gamma)}(g_1^{ID_i^* - \gamma} g^{\nu})^r, T_1)/T\big) \\
&= F\big(e(g_2^{a}(g_1^{ID_i^*} h)^{r'}, g^c)/e(g, g)^{abc}\big) \\
&= F\big(e(g_2^{a}, g^c)\,e((g_1^{ID_i^*} h)^{r'}, g^c)/e(g, g)^{abc}\big) \\
&= F\big(e(g_2^{a}, g^c)\,e((g_1^{ID_i^*} h)^{r'}, g^c)/e(g^a, g^b)^c\big) \\
&= F\big(e(g_2, g^{ac})\,e((g_1^{ID_i^*} h)^{r'}, g^c)/e(g^a, g^b)^c\big) \\
&= F\big(e((g_1^{ID_i^*} h)^{r'}, g^c)\big) \\
&= F\big(e((g_1^{ID_i^*} h)^{c}, g_0)\big),
\end{aligned}$$

where $r' = r - b/(ID_i^* - \gamma)$. So these yield valid encryption keys for $S^*$. Then $\mathcal{B}$ randomly selects $b \in \{0, 1\}$ and sets $K_b = K$. Using these $x_i$, $\mathcal{B}$ runs the Encrypt algorithm to obtain $Hdr^*$. Hence $Hdr^*$ is a valid simulation. If $T$ is a random element of $G_1$, then $\mathcal{B}$ sets $K_{1-b}$ to a random value. Finally, $\mathcal{B}$ returns $(Hdr^*, K_0, K_1)$ to $\mathcal{A}$.

Phase 2: The adversary continues to issue queries $q_{t+1}, \cdots, q_e$, where $q_i$ is an Extract query for $ID_i$ as in phase 1, with the constraint that $ID_i \notin S^*$.

Guess: Finally, $\mathcal{A}$ outputs a guess $b' \in \{0, 1\}$, and wins the game if $b' = b$.

If $\mathcal{A}$ wins the game, it means that $\mathcal{B}$ knows whether $T = e(g, g)^{abc}$ or a random element of $G_1$. This shows that $\mathcal{B}$ successfully solves the decision BDH problem. When $T$ is random in $G_1$,

$$\Pr[\mathcal{B}(g, g^a, g^b, g^c, T) = 0] = \frac{1}{2}.$$

Otherwise $T = e(g, g)^{abc}$, $\mathcal{B}$ replies with a valid challenge $Hdr^*$, and then

$$\big|\Pr[b = b'] - 1/2\big| \geq \varepsilon.$$

Therefore, $\mathcal{B}$ has

$$\big|\Pr[\mathcal{B}(g, A = g^a, B = g^b, C = g^c, T = e(g, g)^{abc}) = 0] - \Pr[\mathcal{B}(g, A = g^a, B = g^b, C = g^c, T) = 0]\big| \geq \varepsilon.$$

The time complexity of the algorithm $\mathcal{B}$ is dominated by the exponentiations and multiplications performed in the extract queries. Since there are $O(1)$ multiplications and $O(1)$ exponentiations in each extraction, the time complexity of $\mathcal{B}$ is

$$t = t' + O(q_e(\tau + \rho)).$$

5. Conclusions

We presented a new broadcast encryption protocol for mobile ad hoc networks. Our scheme is computationally efficient. Whenever a new mobile ad hoc network is constructed, our new protocol only needs to add or exclude that member's ID during execution of Setup to obtain a new encryption key tuple, which is more efficient than the previous protocols. In addition, our new protocol is constructed in the standard model. Furthermore, under the DBDH assumption, the proposed protocol is provably secure without relying on random oracles.

Our new scheme achieves only selective-ID security. This motivates an interesting open problem: to construct a scheme which achieves stronger security.

Acknowledgements: This work is supported in part by the Nature Science Foundation of China under grant 60673072 and the National Basic Research Program of China (973) under grant 2007CB311201.

References

[1] M. Frodigh et al. Wireless ad hoc networking: The art of networking without a network. Ericsson Review, 4: 248-263, 2000.

[2] E. R. Anton and O. C. M. B. Duarte. Group key establishment in wireless ad hoc networks. Proc. Workshop en Qualidade de Servico e Mobilidade: 1-8, 2002.

[3] N. Asokan and P. Ginzboorg. Key-agreement in ad hoc networks. Comput. Commun., 23(17): 1627-1637, 2000.

[4] D. Boneh and A. Silverberg. Applications of multilinear forms to cryptography. Cryptol. ePrint Arch., Rep. 2002/080.

[5] H. K. Lee, H. S. Lee, and Y. R. Lee. Multi-party authenticated key agreement protocols from multilinear forms. Cryptol. ePrint Arch., Rep. 2002/166.

[6] Yu Ng Ching, Y. Mu, and W. Susilo. An identity-based broadcast encryption scheme for mobile ad hoc networks. J. Communications and Information Technology, 1: 24-29, 2006.

[7] D. Boneh and M. Franklin. Identity Based Encryption from the Weil Pairing. CRYPTO, LNCS 2139: 213-229, 2001.

[8] R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology. In STOC: 209-218, 1998.

[9] M. Bellare, A. Boldyreva, and A. Palacio. An uninstantiable random-oracle-model scheme for a hybrid-encryption problem. In Cachin and Camenisch: 171-188, 2004.

[10] D. Boneh and X. Boyen. Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles. EUROCRYPT, LNCS 3027: 223-238, 2004.

[11] D. Boneh, X. Boyen, and E. Goh. Hierarchical ID-based encryption with constant ciphertext. EUROCRYPT, LNCS 3494: 440-456, 2005.

[12] B. Waters. Efficient Identity-based Encryption without Random Oracles. EUROCRYPT, LNCS 3494: 114-127, 2005.

[13] C. Delerablee. ID-based broadcast encryption with constant ciphertext and private keys. ASIACRYPT, LNCS 4833: 200-215, 2007.

[14] Y. Mu, V. Varadharajan, and K. Q. Nguyen. Delegated decryption. Proc. Cryptography and Coding, LNCS 1746: 258-269, 1999.