Tomoyuki Asano

A Revocation Scheme with Minimal Storage at Receivers

A revocation or a broadcast encryption technology allows a sender to transmit information securely over a broadcast channel to a select group of receivers excluding some revoked receivers. In this paper we propose two efficient revocation methods which are suitable for stateless receivers. The proposed methods use an a-ary key tree structure and require at most r (log (N/r) / log a + 1) ciphertexts broadcast. Our Method 1 requires only one key to be stored and O (2a log5 N / log a) computational overhead at a receiver, whereas Method 2 requires log N / log a keys and O (2a) computational overhead, where N and r respectively denote the total number of receivers and the number of revoked receivers. Our methods are very efficient with respect to the number of keys each receiver stores, especially Method 1 minimizes it.

Reducing Storage at Receivers in SD and LSD Broadcast Encryption Schemes

A broadcast encryption scheme allows a sender to send information securely to a group of receivers while excluding other designated receivers over a broadcast channel. The most efficient methods currently proposed are the Subset Difference (SD) method and the Layered Subset Difference (LSD) method. In these methods, each receiver must store O(log 2N) and O(log 1 + e N) labels, respectively, where N is the total number of receivers and e is an arbitrary number satisfying e > 0 . In this paper we apply the Master Key technique to the SD and LSD methods in order to reduce the number of labels a receiver stores by log N in exchange for an increase in the computational overhead. In order to reduce a receiver’s memory requirements in another modification, we apply a version of the Complete Subtree method using trapdoor one-way permutations to the SD and LSD methods.

Secure and Insecure Modifications of the Subset Difference Broadcast Encryption Scheme

In ACISP 2003, Hwang et al. proposed a broadcast encryption scheme, which is a modification of the Subset Difference (SD) method. In this paper we present how their scheme can be broached in a way a collusion of two receivers can obtain other receivers’ keys which are not given to any of the colluding receivers. We also propose a new method using trapdoor one-way permutations to reduce the storage overhead in the SD and Layered SD methods. This new method eliminates log N labels from receivers’ storage, where N is the total number of receivers. The method requires few public values and little computational overhead.

Multi-recipient Public-Key Encryption from Simulators in Security Proofs

In PKC 2003, Bellare, Boldyreva, and Staddon proposed the reproducibility test. The test determines whether a single-recipient public-key encryption scheme is adapted to transform into an efficient multi-recipient public-key encryption scheme. In this paper, we propose a new approach to design an efficient multi-recipient single-message public-key encryption scheme. We focus on a certain simulator which appears in the security proof of an ordinary (single-recipient) public-key encryption scheme. By considering the behavior of the simulator, we construct two efficient multi-recipient single-message public-key encryption schemes. These schemes show that there exist schemes which can be transformed into efficient multi-recipient schemes, even they do not pass the reproducibility test.

A tree based one-key broadcast encryption scheme with low computational overhead

In this paper, we propose a new broadcast encryption method which is a modification of the Complete Subtree method and it reduces the number of keys a receiver stores to one. There have been proposed some methods which minimize the number of keys for a receiver to one. The most efficient one among them uses RSA cryptosystem in order to reduce the number of keys, while the proposed method is based on Rabin cryptosystem. The computational overhead at receivers in our method is around 1 / log2e compared with the most efficient method proposed previously, where e is a public exponent of RSA. We examine this result by experiments. Therefore, the proposed method is the most efficient among tree based one-key methods with respect to the computational overhead at receivers. This reduction in the computational overhead is achieved in exchange for an increase in the size of nonsecret memory by [ log N * few (e. g. eight)] bits, where N is the total number of receivers. The security of the proposed method is equivalent to Rabin cryptosystem in the sense of key-intractability in the random oracle model.

A Lightweight Tree Based One-Key Broadcast Encryption Scheme

Broadcast encryption technology enables a sender to send information securely to a group of receivers excluding specified receivers over a broadcast channel. In this paper, we propose a new key-tree structure based on Rabin cryptosystem, and an access control scheme using the structure. We show the security of the access control scheme and construct a new broadcast encryption scheme based on it. The proposed broadcast encryption scheme is a modification of the complete subtree method and it reduces the number of keys a receiver stores to one. There have been proposed some modifications of the complete subtree method which minimize the number of keys for a receiver to one, and the most efficient one among them with respect to the computational overhead at receivers is based on RSA cryptosystem. The computational overhead at receivers in our scheme is around log2e times smaller than the most efficient previously proposed one, where e is a public exponent of RSA, and the proposed scheme is the most efficient among tree based one-key schemes. This property is examined by experimental results. Our scheme achieves this reduction in the computational overhead in exchange for an increase in the size of nonsecret memory by [log n * few (e.g. eight)] bits, where n is the total number of receivers.