Some Bounds and a Construction for Secure Broadcast Encryption Kaoru Kurosawa 1 , Takuya Yoshida 1 , Yvo Desmedt 2,3 ⋆ , and Mike Burmester 3 1 Dept. of EE, Tokyo Institute of Technology 2–12–1 O-okayama, Meguro-ku, Tokyo 152-8552, Japan {kurosawa,takuya}@ss.titech.ac.jp 2 Center for Cryptography, Computer and Network Security, and Department of EE & CS, University of Wisconsin – Milwaukee P.O. Box 784, WI 53201-0784, U.S.A. desmedt@cs.uwm.edu 3 Information Security Group, Royal Holloway – University of London Egham, Surrey TW20 OEX, U.K. m.burmester@rhbnc.ac.uk Abstract. We first present two tight lower bounds on the size of the secret keys of each user in an unconditionally secure one-time use broad- cast encryption scheme (OTBES). Then we show how to construct a com- putationally secure multiple-use broadcast encryption scheme (MBES) from a key predistribution scheme (KPS) by using the ElGamal cryp- tosystem. We prove that our MBES is secure against chosen (message, privileged subset of users) attacks if the ElGamal cryptosystem is secure and if the original KPS is simulatable. This is the first MBES whose security is proved formally. 1 Introduction Secure broadcast encryption is one of the central problems in communication and network security. In this paper we link One-Time use Broadcast Encryption Schemes (OTBESs) [5,7,6] with Key Predistribution Schemes (KPS)[10]. Both schemes are closely related but they have a different structure. In a KPS, a Trusted Authority (TA) distributes secret information to a set of users such that, each member of a privileged subset P of users can compute a specified key k P , but no coalition F (forbidden subset) is able to recover any information on the key k P that it is not supposed to know. In a OTBES, the TA distributes secret information to a set of users and then broadcasts a ciphertext b P over a network. The secret information is such that each member of a particular subset P of users can decrypt b P , but no coalition F (forbidden subset) is able to recover any information on the plaintext m P of b P that it is not supposed to know. A natural way to construct an OTBES from a KPS is to use a key k P of the KPS to encrypt the message m P , that is b P = k P + m P . (1) ⋆ A part of this research has been supported by NSF Grant NCR-9508528. K. Ohta and D. Pei (Eds.): ASIACRYPT’98, LNCS 1514, pp. 420–433, 1998. c  Springer-Verlag Berlin Heidelberg 1998