A Generic Approach to Adaptively-Secure Broadcast Encryption in the Plain Model

Yao-Ching Hsieh, Brent Waters, and David J. Wu

Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT), 2025

Abstract

Broadcast encryption allows a user to encrypt a message to \( N \) recipients with a ciphertext whose size scales sublinearly with \( N \). The natural security notion for broadcast encryption is adaptive security which allows an adversary to choose the set of recipients after seeing the public parameters. Achieving adaptive security in broadcast encryption is challenging, and in the plain model, the primary technique is the celebrated dual-systems approach, which can be implemented over groups with bilinear maps. Unfortunately, it has been challenging to replicate the dual-systems approach in other settings (e.g., with lattices or witness encryption). Moreover, even if we focus on pairing-based constructions, the dual-systems framework critically relies on decisional (and source-group) assumptions. We do not have constructions of adaptively-secure broadcast encryption from search (or target-group) assumptions in the plain model.

Gentry and Waters (EUROCRYPT 2009) described a compiler that takes any semi-statically-secure broadcast encryption scheme and transforms it into an adaptively-secure scheme in the random oracle model. While semi-static security is easier to achieve and constructions are known from witness encryption as well as search (and target-group) assumptions on pairing groups, the transformed scheme relies on random oracles. In this work, we show that using publicly-sampleable projective PRGs, we can achieve adaptive security in the plain model. We then show how to build publicly-sampleable projective PRGs from many standard number-theoretic assumptions (e.g., CDH, LWE, RSA).

Our compiler yields the first adaptively-secure broadcast encryption scheme from search assumptions as well as the first such scheme from witness encryption in the plain model. We also obtain the first adaptively-secure pairing-based scheme in the plain model with \( O_\lambda(N) \)-size public keys and \( O_\lambda(1) \)-size ciphertexts (where \( O_\lambda(\cdot) \) suppresses polynomial factors in the security parameter \( \lambda \)). Previous adaptively-secure pairing-based schemes in the plain model with \( O_\lambda(1) \)-size ciphertexts required \( O_\lambda(N^2) \)-size public keys.

BibTeX
@inproceedings{HWW25,
  author    = {Yao-Ching Hsieh and Brent Waters and David J. Wu},
  title     = {A Generic Approach to Adaptively-Secure Broadcast Encryption in the Plain Model},
  booktitle = {{EUROCRYPT}},
  year      = {2025}
}