CryptoDB
A Generic Approach to Adaptively-Secure Broadcast Encryption in the Plain Model
Authors: Yao-Ching Hsieh, Brent Waters, David J. Wu

Conference: EUROCRYPT 2025

Abstract: Broadcast encryption allows a user to encrypt a message to N recipients with a ciphertext whose size scales sublinearly with N. The natural security notion for broadcast encryption is adaptive security, which allows an adversary to choose the set of recipients after seeing the public parameters. Achieving adaptive security in broadcast encryption is challenging, and in the plain model, the primary technique is the celebrated dual-systems approach, which can be implemented over groups with bilinear maps. Unfortunately, it has been challenging to replicate the dual-systems approach in other settings (e.g., with lattices or witness encryption). Moreover, even if we focus on pairing-based constructions, the dual-systems framework relies critically on decisional (and source-group) assumptions. We do not have constructions of adaptively-secure broadcast encryption from search (or target-group) assumptions in the plain model. Gentry and Waters (EUROCRYPT 2009) described a compiler that takes any semi-statically-secure broadcast encryption scheme and transforms it into an adaptively-secure scheme in the random oracle model. While semi-static security is easier to achieve and constructions are known from witness encryption as well as search (and target-group) assumptions on pairing groups, the transformed scheme relies on random oracles. In this work, we show that using publicly-sampleable projective PRGs, we can achieve adaptive security in the plain model. We then show how to build publicly-sampleable projective PRGs from many standard number-theoretic assumptions (e.g., CDH, LWE, RSA). Our compiler yields the first adaptively-secure broadcast encryption schemes from search assumptions as well as the first adaptively-secure scheme from witness encryption (which can in turn be based on evasive LWE) in the plain model. We also obtain the first adaptively-secure pairing-based scheme with linear-size public keys and constant-size ciphertexts. Previous adaptively-secure pairing-based schemes with constant-size ciphertexts had quadratic-size public keys.
BibTeX
@inproceedings{eurocrypt-2025-35079,
  title={A Generic Approach to Adaptively-Secure Broadcast Encryption in the Plain Model},
  publisher={Springer-Verlag},
  author={Yao-Ching Hsieh and Brent Waters and David J. Wu},
  year=2025
}