选择密文安全的基于身份的广播加密方案

We propose an Identity-Based Broadcast Encryption scheme with semantic security against adaptively chosen ciphertext attacks. Compared with the IBBE scheme proposed by Delerablée which is only chosen plaintext secure, the cost of our chosen ciphertext secure scheme is only an extra regular hash. This scheme improves the Boyen-Mei-Waters approach from CPA-secure (l+1)-Hierarchical Identity Based Encryption ((l+1)-HIBE) to CCA2-secure l-HIBE, our approach only adds an on-the-fly dummy identity, instead of a hierarchy of identities, in the broadcast identity set. When performing encryption, the encryption algorithm computes the hash value of the ciphertext components that are independent of the broadcast identity set. It treats the hashed result as the on-the-fly dummy identity and adds it into the broadcast set. When performing decryption, the decryption algorithm re-computes the hash result, and verifies the validity of the ciphertext by leveraging the built-in verification mechanism, thus achieving chosen ciphertext security. We formally prove the CCA security of the new scheme under the general decision Diffie-Hellman exponent assumption in the random oracle model. Our construction is compact and efficient, and therefore is suitable to be applied in practice.