Combinatorial Subset Difference—IoT-Friendly Subset Representation and Broadcast Encryption

In the Internet of Things (IoT) systems, it is often required to deliver a secure message to a group of devices. The public key broadcast encryption is an efficient primitive to handle IoT broadcasts, by allowing a user (or a device) to broadcast encrypted messages to a group of legitimate devices. This paper proposes an IoT-friendly subset representation called Combinatorial Subset Difference (CSD), which generalizes the existing subset difference (SD) method by allowing wildcards (*) in any position of the bitstring. Based on the CSD representation, we first propose an algorithm to construct the CSD subset, and a CSD-based public key broadcast encryption scheme. By providing the most general subset representation, the proposed CSD-based construction achieves a minimal header size among the existing broadcast encryption. The experimental result shows that our CSD saves the header size by 17% on average and more than 1000 times when assuming a specific IoT example of IP address with 20 wildcards and 220 total users, compared to the SD-based broadcast encryption. We prove the semantic security of CSD-based broadcast encryption under the standard l-BDHE assumption, and extend the construction to a chosen-ciphertext-attack (CCA)-secure version.


Introduction
In the recent applications, the Internet of Things (IoT) systems are more likely to involve multicast of privacy-sensitive information; for example, an IoT sensor network in the smart city involves personal whereabouts transmitted to multiple devices, and an IoT medical system requires sensitive health information to be delivered to the authorized devices. In these IoT secure communications, cryptographic primitives can provide useful functionalities and efficiencies. Especially, advanced encryption protocols like attribute-based encryption or broadcast encryption can handle simultaneous multicast efficiently; attribute-based encryption is often applied to the IoT devices [1,2], and broadcast encryption, which is a specific and efficient version of the attribute-based encryption, is also considered [3] for secure firmware updates in IoT.
Until now, existing cryptographic applications in IoT systems such as those in References [1][2][3][4] assumed device ID as an intrinsic identity string. However, in a network environment in which the IoT device is identified by an IP address, it is useful to use IP address as an ID. Moreover, an arbitrary network group can be effectively represented by IP address including wildcard (*), and if a part of IP is connected to attributes, a device group specified by a set of attributes can also be effectively expressed. This flexible representation denoted by IP characteristics or attributes covers any specific group even without knowing every individual ID predefined. This paper focuses on the efficient and scalable public key broadcast encryption scheme that transmits a message securely to any group of legitimate receiver represented as an flexible IP address in the IoT environment.
Broadcast Encryption. The public key broadcast encryption is an effective cryptosystem for a secure group communication which allows a user (or a device) to broadcast secure messages so that only privileged users (or devices) can decrypt them. To minimize the broadcasting payload, the design of broadcast encryption adopts the hybrid encryption; an original message is often encrypted with a simple symmetric key encryption (e.g., advanced encryption standard (AES)), and the applied symmetric key becomes an official message for public key broadcast encryption. The encrypted key is called a header, which is often regarded as an official ciphertext in the broadcast encryption literature. For the transmission, the privileged users are organized within multiple subsets according to the subset representation. Then the broadcast encryption algorithm is repeatedly applied to each subset; the headers are collected into a vector so that the receiver can find and decrypt the header for his own subset. The symmetric key encryption of the original message is broadcast to the entire users, but only privileged users can decrypt the symmetric key from the header and obtain the message.
Subset Representation. In the broadcast encryption, a subset representation is an important factor which strictly determines the number of subsets. The number of subsets decides the total header size since each subset requires an individual header. Therefore, it is recommended to maintain the subset representation as general as possible so that the representation can cover as many as privileged users, which can decrease the number of subsets. In the broadcast encryption, the subset representation is considered separately: the construction assumes there already exists pre-defined subsets covering the given privileged users.
Existing Methods. The well-known subset representations are complete subtree (CS), subset difference (SD), and interval. They are all based on the binary tree structure, where the users are denoted as leaf nodes of a binary tree. Figure 1 visualizes each representation with an example where green nodes are privileged and red nodes are revoked.
The CS representation covers the privileged users by denoting the parent node; each parent node itself is a subset which includes the descendant leaf nodes. For the example in Figure 1, node 9 covers users 17 and 18, and node 19 covers only user 19. The CS representation requires 8 subsets to cover the privileged users in Figure 1. The SD representation extends the CS by enhancing expressiveness; its covers users by denoting the difference of two subtrees as (c, d) where c is a covered set and d is a revoked set. For the example in Figure 1, a subset (5,20) which subtracts subtree 20 from subtree 5 covers users 17, 18, and 19. Since it generalizes the CS representation by adding a revoked set expression, the SD representation requires 4 subsets to cover the privileged users which is less than the CS representation.
The interval representation covers users within an interval, by denoting the left and right edge of the interval. For the example in Figure 1, a subset (17∼19) includes users 17, 18, and 19. The interval representation requires 4 subsets to cover the privileged users, which is comparable to the SD representation.
Limitations. The main restriction of the existing methods is that they are all limited to the hierarchical tree structure. When expressing the node with a binary label instead of a number, tree-based representations cannot effectively handle non-hierarchical combinations required to represent flexible IP addresses we consider. That is, as in Figure 1, each node can be expressed with a bitstring label which consists of {0, 1, * }, by considering the left branch as 0, right branch as 1, and both as wildcard ( * ) starting from the root. For instance, node 8 can be expressed as a label 011, and a label 01 * can include nodes 7 (010) and 8 (011). In this case, the limitation is that each bit is determined from the root to the leaf node following the tree hierarchy; the wildcard cannot exist before 0 or 1 since the parent should be determined before the child nodes. For example, a label * 00 is not expressible since the wildcard stands before 0, which makes it as a non-existent node in a binary tree.
A main concern is that this limitation prevents the broadcast encryption from being efficiently applied to the IoT systems. Consider the secure group communication of IoT systems where a device is identified by its IP address combined with attributes which is not restricted to the hierarchy. In other words, the wildcard occurs in any position to express a specific group representation (e.g., 0 * * * . * * 1. * * * .001). However, since existing representation methods limit the position of wildcards as we described above, they cannot cover the general and flexible IP addresses within a single subset, which leads to a large number of subsets.
Combinatorial Subset Difference. To overcome the hierarchical limitations, we propose a new IoT-friendly subset representation called combinatorial subset difference (CSD), which extends the SD representation by allowing any combinatorial labels, that is, allowing wildcards in any position. Specifically, the CSD expresses a subset similar to SD as (c, d), but where c is a covered label and d is a revoked label that can allow wildcards in any bits. Our CSD is the most general representation among the existing methods, indicating that any subset expressed in the existing representation can be transformed to the CSD subset. Therefore, the CSD can achieve minimal number of subsets in any cases. To cover the privileged users in the example of Figure 1 (by expressing each user as a label), the CSD requires only a single subset (0 * * * * , 0 * * 11) while SD and interval representations require 4 different subsets.
To adopt the CSD representation in practical broadcast encryption, it is required to construct an algorithm that can output appropriate CSD subsets from the given input of privileged users. Thus, we propose a heuristic algorithm which generates CSD subsets from the list of users. We first construct an SD algorithm that can output SD subsets from the input of privileged users, then extend the algorithm to cover the general CSD cases. The proposed CSD algorithm generates r subsets for the worst case while the SD generates 2r − 1 for the worst case, where r is the number of revoked users. For any cases, the algorithm guarantees that the number of CSD subsets are always no more than the SD subsets.

CSD-based broadcast encryption.
Designing the broadcast encryption is independent of the subset representation; since we proposed a new subset representation, it is also required to design a new broadcast encryption that can adopt the input of CSD subsets. In this paper, we propose a new CSD-based public key broadcast encryption that has a minimal total header size among the existing broadcast encryption due to the minimal number of subsets. The minimal header size indicates minimal transmission cost, which can be suitable for the IoT system applications. Moreover, our CSD-based broadcast encryption improves the encryption time and decryption time while maintaining the order of key sizes. Table 1 shows the comparison between the CSD and the existing public key broadcast encryption schemes. The public key SD is from the specifically measured by applying the public key lifting transformation [5], which combines the hierarchical identity-based encryption (HIBE) [6] to the symmetric key SD-based broadcast encryption [7,8] from the advanced access content system (AACS) DVD standard [9]. The interval refers to the Lin's construction [10], which is based on a new interval representation from binary trees. The revocable SD refers to Lee and Park's construction [11], which is based on the same SD representation, but improves the order of key sizes and enhances identity revocation algorithm. The elements in revocable SD is within a composite order group, where the element size is 8 times larger than the normal prime order group for the security; the size of composite order group elements are denoted as ×8. The header size refers to the total header size in the worst case, which is the product of the number of group elements per subset and the number of subsets. Among the state-of-the-art public key broadcast encryption, our CSD achieves a minimal header size of 2r, due to the minimal number of subsets. The CSD also improves the encryption time and decryption time, compared to the other constructions. Nevertheless, the CSD still maintains the public key size within O(log n) and the secret key size within O(log 2 n), which is comparable to the existing public key broadcast encryption. To verify the theoretical improvements, we implemented the CSD, SD, and interval broadcast encryption on the Intel Edison embedded systems: the experimental results show that our CSD reduces the header size by 1,000 times on average when applied to the IP address examples, with also improving both encryption and decryption time, compared to the existing methods.
The security of our CSD-based public key broadcast encryption is proven under the standard bilinear diffie-hellman exponent (l − BDHE) assumption; we first prove the semantic security (CPA-secure) of our original construction, and then extend the construction to a CCA-secure version.

Contributions.
We now summarize the contribution of our paper, in the sense of practicality and theoretical advances.
• CSD subset representation: we propose a new IoT-friendly subset representation called combinatorial subset difference (CSD), the most general representation that achieves minimal number of subsets among the existing methods. • CSD covering algorithm: we construct a subset generation algorithm for the proposed CSD representation, which can output CSD subsets from the given input of privileged users. • CSD-based broadcast encryption: we propose a new public key broadcast encryption based on the CSD representation, which achieves a minimal header size due to the minimal number of subsets, suitable for the secure group communication in IoT systems. It also improves encryption and decryption time compared to the existing public key broadcast encryption. • Security proof: we provide a formal security proof for the semantic security of our construction under the l − BDHE assumption, in the standard model. • CCA-secure extension: we also propose an extended CCA-secure version of our CSD-based public key broadcast encryption, along with a formal proof for the CCA security. • Implementation: we implemented our construction on the actual IoT device to verify the performance, and provide experimental results showing comparison between the CSD and the existing broadcast encryption schemes.
This paper is organized as follows. Section 2 states related works. Section 3 describes the subset construction algorithm. Section 4 organizes preliminaries for broadcast encryption systems. We present our broadcast encryption scheme in Section 5, and prove the security for security analysis in Section 6. Then we extend it to a CCA-secure broadcast encryption scheme in Section 7, and prove the security in Section 8. Section 9 shows experimental results. Section 10 makes conclusion.

Secure Multicast
Secure multicast is a traditional encryption model for multi-user infrastructure, which considers an environment that encrypts messages to multiple users simultaneously. Most of the secure multicast protocols work with a central manager responsible for the broadcast, and focuses on improving the efficiency of key distribution and transmission.
Among the secure multicast research, Chu et al. [12] proposed a notable end-to-end protocol which can secure both message and the copyright of the content. Their work support the dynamic group, which can let users join/leave or expel users during the system running. However, the security of their protocol relies on informal analysis against few attacks, and the fundamental technique remains on multiple encryption which let the encryption required for the number of total users in the group.
For the efficiency, Kumar et al. [13] proposed a protocol based on the centralized key distribution. By providing more efficient key distribution from the hierarchical tree structure, their protocol could achieve more flexible group control and efficient computation. Still, the total communication relies on the individual transmissions, which leads to a considerably large transmission load.
Recently, Wang et al. [14] implemented the concept of secure multicast on the IoT environment, by proposing an end-to-end key agreement protocol for the IoT devices. It focuses on the authentication of devices when interacting with the user's server, where the user can open a secure channel if the key is once agreed. For the security, their protocol deploy fuzzy extractor, which can use user's biometric information such as fingerprints as a secret key.

Broadcast Encryption
The broadcast encryption is a traditional cryptosystem where one can encrypt a message to the group of multiple users. In the broadcast encryption, the encryption can be handled for each group rather than individuals; it is an efficient primitive to be deployed on the secure multicast.
There are many constructions for the broadcast encryption, with different functionalities and improvements [5,6,8,[15][16][17][18][19][20][21][22][23][24][25][26][27][28][29]. In the cryptographic literature, the broadcast encryption is categorized by two different criteria: symmetric/public key, and stateful/stateless. Symmetric vs. Public. Similar to the categorization of standard encryption systems, the broadcast encryption can be either be based on the symmetric key settings or the public key (or asymmetric) settings. If the broadcast encryption is based on the symmetric key [25,29], only a user with the key can encrypt the message, that is, only the central authority can broadcast messages to other users. On the other hand, if the broadcast encryption is based on the public key [8,10,23], anyone can broadcast messages to other users.
Stateful vs. Stateless. The stateful broadcast encryption and stateless broadcast encryption is determined by the key update. In the stateful broadcast encryption [28], the secret key of users can be updated time to time, in order to help the revocation (proper broadcast). However, in the stateless broadcast encryption [8,25,26], the system allows the key exchange for only once in the initial setup. Stateful broadcast encryption can be easier to design with the help of key updates, but it also involves a price of simultaneous key managements. On the other hand, in the stateless broadcast encryption, the system can change revocation without any key management after the initialization.
In many interactive IoT systems, it is often required to allow each device to broadcast messages rather than restricting the broadcast to the central manager, which requires public key broadcast encryption. Also, stateless broadcast encryption is more appropriate than the stateful settings for the IoT systems, since small and numerous IoT devices are not suitable for frequent updates and managements. In these sense, the proposed broadcast encryption for combinatorial subset difference is a stateless public key broadcast encryption, which satisfies the IoT requirements.

Proposed Subset Construction Algorithm
Despite the efficiency of the combinatorial subset difference (CSD) representation, it is a remaining work to construct a concrete algorithm which returns CSD subsets from a list of privileged/revoked users. In this section, we propose a heuristic algorithm for the CSD subset construction. The proposed algorithm does not assure the optimal minimization of the subsets. However, it guarantees the number of subsets in CSD is no more than the existing subset difference (SD) algorithm [8]. For the worst case, it generates no more than r subsets while the existing SD algorithm generates 2r − 1 subsets.
Since CSD is the generalization of SD, we first explain the how the SD algorithm minimizes the number of subsets. Then we show how to extend it to the CSD algorithm, by focusing on the difference between the SD and the CSD.
In the SD (and CSD) representation, a subset is represented as S = (c, d), where c is a covered set (nodes to include), and d is a revoked set (nodes to exclude). For instance, in a tree structure, a subset S includes all descendants of the node c, except all descendants of the node d.
In the SD algorithm, an internal node c can be categorized as one of the following three types, as illustrated in Figure 2, depending on its children nodes. The definition of node types. Node O is a legitimate node and node X is a revoked node.

•
Type : There is no revoked descendant of c.

•
Type ⊥ : Node c is excluded by its parent, because either it is already covered by another subset or its all descendants are revoked.

•
Type S : Node c becomes a subset (c, d), where all descendants of d are either revoked or already covered by other subsets.
The node type is determined by the types of its children. Therefore, the internal node type is determined from bottom to top, recursively. As in Figure 3, combining two internal nodes identifies the type (Figure 2) of their parent.  Figure 3 are valid. However, as in Figure 4, the CSD is different from SD in case when two S nodes are combined; the SD let the parent of two S be a type ⊥, while CSD let it be another S. In the SD, a set can be fixed only if its descendants are all or ⊥. Therefore, two S nodes cannot be merged into a single set; the parent node becomes ⊥ since two S type nodes are determined as individual subsets in SD. However, in CSD, the parent node becomes another S by merging two S nodes, without generating two subsets.  Figure 5 shows an example where SD and CSD outputs different results, where users (nodes) 1 and 3 are revoked among 8 total users. When representing the revoked nodes in a binary format, 001 and 011 are revoked. The parent nodes are denoted as * . For instance, 00 * is a parent node of 000 and 001, and 01 * is a parent node of 010 and 011. The type of node 000 is since nothing is revoked, and the type of node 001 is ⊥ since it is revoked. The type of node 00 * is S, since its children 000 is included while its other children 001 is excluded, and it requires a subset (00 * , 001) to be covered. Similarly, the type of node 01 * is S. In case of the SD algorithm, the node 0 * * with type S children cannot be an inclusion label since both of its children are labeled as two different subsets ((00 * , 001) and (01 * , 011)) which cannot be merged. Thus, 0 * * should be excluded which determines its type as ⊥. Then the type of the root note is S since its left child is ⊥ and its right child is . As a result, three subsets are generated as ( * * * , 0 * * ), (00 * , 001), and (01 * , 011). On the other hand, in the CSD algorithm, node 0 * * is treated specially, different from the SD. Although the type of its children are both S, it is not necessary to exclude the node; if the node can be merged with a sibling node of type , it is possible to represent the node without generating a new subset. In Figure 5, the node 0 * * has two subsets (00 * , 000) and (01 * , 010), and it has a sibling node 1 * * of type . When merging subsets (00 * , 000) and (01 * , 010) with (1 * * , ⊥), it generates ( * 0 * , 000) and ( * 1 * , 010) where * 0 * and * 1 * can include all eight users while 000 and 010 can exclude 000 and 010 since the CSD allows * in the middle of the representation regardless of the tree hierarchy. As a result, the CSD generates two subsets as ( * 0 * , 001) and ( * 1 * , 011), which does not generates subsets more than the number of revoked users. Table 2 describes node type resolution in SD and CSD, where T 0 is the type of left child and T 1 is the type of right child. The subset generation indicates whether a new subset generation is required for the resolved node type; a new subset should be generated when one child is included while the other child is excluded. The only difference between SD and CSD occurs when the type of both children are S: the node is merged into type ⊥ in SD while it is merged into another S type in CSD. Table 2. Type solution in SD and CSD algorithms.

For both SD and CSD, the examples in
Algorithm 1 shows how to build subsets in both SD and CSD methods. The only difference appears at line 27: the CSD proceeds an additional line 27 while the SD does not. Consequently, as shown in Table 2, line 29 (resolveType(T 0 , T 1 )) returns different values. S 0 = {r|r ∈ revSet, bit(r, i + 1) = 0} 12: 26: // Only used for CSD 27: Unresolved ← U 0 ∪ U 1 28: end if 29: return resolveType(T 0 , T 1 ) 30: end function 31 In the algorithm, the subset construction starts with an ID set of revoked users as an input. Function sd reads each ID of revoked users from the most significant bit (MSB) to the least significant bit (LSB), where i denotes the current index. When i reaches the LSB, the user is determined as either revoked or legitimate. Therefore, it returns ⊥ or as in lines from 2 to 7. Even if i does not reach LSB, it returns if there is no revoked user. In line 11 through 12, the revoked users are divided into two sets, depending on the next bit of user's ID, and the function sd is called recursively for each set denoting tree traverse in lines 13 through 14. If the types of each children is ⊥ and , a new subset should be created as described in lines 16  where pre f ix k is a k-th bit of pre f ix. When the type of a child is S and the other one is , each inclusion label in the unresolved subset is updated to include the type child, as in lines 22 and 24. In the CSD, the unresolved subsets for type S children are preserved as unresolved, since inclusion labels in unresolved subsets will be updated in case they include a type node as in line 27.

Theorem 1.
For the combinatorial subset difference (CSD) representation, Algorithm 1 generates at most r subsets for r revoked users.
Proof. As illustrated in Table 2, a subset is generated when a child node has a ⊥ type. The resolved type becomes ⊥, at least only if a child node is ⊥. A leaf node (user) has type ⊥ only if it is revoked. If there are r revoked nodes, there are at most r leaf nodes with type ⊥. Hence, the number of generated subsets is no more than r.
Unlike CSD, the number of subsets in the SD can exceed r, since a node can still be type ⊥ even if both children have type S.
For the worst case comparison, it is straightforward to deduce that the number of subsets in CSD does not exceed the number of subsets in SD. For the subset generation, a subset is created when a child is ⊥ and the other child is , both in SD and CSD algorithm. Also in both algorithms, a node can be type when its children are both , while it should be ⊥ when one child is ⊥ and the other child is ⊥ or S. However, in SD, a node becomes ⊥ when its children are both S, which may require an additional subset. Therefore, the number of subsets in CSD algorithm is no more than that of SD algorithm.

Public Key Broadcast Encryption
We follow the standard definition of public key broadcast encryption from Reference [23]. In the broadcast encryption, it is often combined with the symmetric key encryption, where the encryption encapsulates the session key instead of arbitrary messages, and the encryption is performed for each subset S. Formally, a public key broadcast encryption Π contains three functions as below: : the setup algorithm initializes the system by setting up public parameters, and generating private keys for stateless devices. From user ID length l and session key length m, the setup returns a public key PK and 2 l secret keys {SK ID } ID∈{0,1} l . • (S, Hdr, C M ) = (Hdr, K) ←Encrypt(PK, S): the encrypt algorithm is performed for each subset S. It first outputs a header Hdr and a message encryption key K ∈ K from the input of subset S ⊆ {0, 1} l and a public key PK. Then, for the message M to be broadcast to a set S, let C M be an encryption of M under the session key K. The transmission for the users in S is selected as (S, Hdr, C M ), where Hdr is called broadcast ciphertext and C M is called broadcast body. • K ∈ K ←Decrypt(S, ID, SK ID , Hdr): the decrypt algorithm is performed by the individual privileged user. From the input of subset S ⊆ {0, 1} l , user ID ID ∈ {0, 1} l , secret key SK ID , and a header Hdr, if ID ∈ S (that is privileged) then it produces the message encryption key K ∈ K. Then the key K is utilized to decrypt the C M to retrieve plaintext M.
The encryption system must let every user in S obtain message M correctly. In other words, for all For the security definition of the broadcast encryption, we describe the selective security for chosen plaintext attacks (IND-sID-CPA-security) and chosen ciphertext attacks (IND-sID-CCA-security) as in Reference [23]. Then we separate the security notions for single-set security and multi-set security, depending on the number of representations of the challenged sets. Finally we show that the single-set security implies the multi-set security.

Security Definition
We define the single-set security by the selective game between the challenger C and the adversary A. Both C and A knows the ID length l and the session key length m as a default inputs. The security game proceed as follows: Init: A begins by selecting a set S * to claim the users which it intends to attack. Setup: C runs Setup(l, m) to get a public key PK and secret keys SK 0 l , · · · , SK 1 l , and gives A the PK and all secret keys SK ID for ID / ∈ S * . Query phase1: (optional for CCA) A can adaptively issue decryption queries q 1 , . . . , q m ; each query consists of (ID, S, Hdr) for S ⊆ S * and ID ∈ S. C replies the query by Decrypt(S, ID, SK ID , Hdr). Challenge: C runs Encrypt(S * , PK) to get (Hdr * , K) for K ∈ K. Then, C flips a coin b ∈ {0, 1}. If b = 1, C sets K * = K, otherwise C chooses a random R ∈ K and sets K * = R to respond (Hdr * , K * ) back to A. Query phase2: (optional for CCA) A can continue asking decryption queries q m+1 , . . . , q q D ; each query consists of (ID, S, Hdr) for S ⊆ S * and ID ∈ S, but the only constraint is Hdr = Hdr * . C replies the query same as in phase 1.
Let AdvSSBr A,Π (l, m) be the advantage of A to win the game above.

Definition 1.
A public key broadcast encryption Π for a single-set is (t, , l, m)-CPA secure (or (t, , l, m, q D )-CCA secure), if for every t-time adversary A (for CCA: which makes at most q D decryption queries) we have |AdvSSBr A,Π (l, m) − 1/2| < .
A multi-set security is also defined by the selective game between the Ch and A, similar to the single-set security game above, but the only difference is that the challenged set is represented by multiple subsets.
Init: A begins by selecting a set S * = (S * 1 , · · · , S * w ) to claim users which it intends to attack. Setup: C runs Setup(l, m) to get a public key PK and secret keys SK 0 l , · · · , SK 1 l , and gives A the PK and all secret keys SK ID for ID / ∈ S * . Query phase1: (optional for CCA) A can adaptively issue decryption queries q 1 , . . . , q d ; each query consists of (ID, S, Hdr) where S ⊆ S * i for all i and ID ∈ S. C replies the query by Decrypt(S, ID, SK ID , Hdr). Challenge: C runs Encrypt(S * i , PK) for i = 1, · · · , w to get (Hdr * i , K i ) for K ∈ K. Then, C flips a coin b ∈ {0, 1}. If b = 1, C sets K * = (K 1 , · · · , K w ), otherwise C chooses randoms R i ∈ K for i = 1, · · · , w and sets K * = (R 1 , · · · , R w ) to respond (Hdr * , K * ) back to A . Query phase2: (optional for CCA) A can continues asking decryption queries q q d +1 , . . . , q q D ; each query consists of (ID, S, Hdr) with S ⊆ S * i for all i and ID ∈ S, but the only constraint is Hdr = Hdr * . C replies the query same as in phase 1.
Let AdvMSBr A ,Π (l, m) be the advantage of A to win the above game.

Definition 2.
A public key broadcast encryption Π for multi-set is (t, , l, m)-CPA secure (or (t, , l, m, q D )-CCA secure), if for every t-time adversary A (for CCA: which makes at most q D decryption queries) we have |AdvMSBr A ,Π (l, m) − 1/2| < .
Finally, we show the single-set security implies the multi-set security.
Theorem 2. Suppose a single-set public key broadcast encryption Π is (t, , l, m, q D )-CCA secure. Then a multi-set public key broadcast encryption Π is (t, , l, m, q D )-CCA secure for arbitrary < * w, where w is the number of subsets [30].
Proof. For the proof sketch, the basic idea is to convert the challenge key in the multi-set scheme from a real key set K * to a random key set K * by using hybrid games which change each key in the single-set scheme from a real key to a random key. If the adversary cannot distinguish the changes of each key in the single-set scheme, then it also cannot distinguish the changes of challenge key in the multi-set scheme since the number of hybrid games is within polynomial. Suppose that a challenge set is given as S * = (S 1 , S 2 , · · · , S w ) for polynomial w and the corresponding key set is described as K * = (K 1 , · · · , K w ) s.t. K i is the key for S i . The hybrid games G 0 , · · · , G h , · · · , G w for the proof are defined as follows: Game G 0 In this game, all keys K j are real key from an encryption on the set S j . That is, the challenge key K * is a set of real keys. Game G h This game is almost identical to the game G h−1 except the key K h since K h in this game is a random key. Specifically, in this game, the key K j for j ≤ h is a random key and the key K j for h < j is a real key. Game G w In this game, all keys K j are random keys. That is, the challenge key K * is a set of random keys K * .

Let S G h
A be the event that A outputs 1 in G h . A distinguishes G h−1 from G h by the advantage of the single-set security. Thus, we have that Finally, we obtain the inequality relation as follows: The above game can be transformed to define semantic security for a public key broadcast encryption system if the attacker is not allowed to issue decryption queries.

Definition 3.
A public key broadcast encryption system is (t, , l, m) semantically secure if it is (t, , l, m, 0)-CCA secure.
For the scheme construction, we first provide a semantically-secure scheme, and then extend it to gain CCA security.

Bilinear Groups and Pairings
In References [31,32], the bilinear maps and bilinear map groups are defined as follows:

•
There exists two multiplicative groups G and G 1 , which are cyclic groups of prime order p.

•
Let g be a generator of the group G.
For two groups G and G 1 as above, the bilinear map is defined as a map e : G × G → G 1 , which satisfies the following properties: • The map is bilinear: for all u, v ∈ G and a, b ∈ Z, e(u a , v b ) = e(u, v) ab • The map is non-degenerate: e(g, g) = 1.
G is a bilinear group if the operation in G is efficient and there is a group G 1 with an efficiently computable bilinear map e : G × G → G 1 .

Computational Complexity Assumptions
The security of our scheme is based on the bilinear Diffie-Hellman Exponent (BDHE) assumption which is commonly used as in References [6,23]. It is a natural extension of bilinear Diffie-Hellman Inversion (BDHI) assumption.
The t and are often omitted, and referred as (decisional) l-BDHE in G.

CSD-based Broadcast Encryption
In this section, we present our public key broadcast encryption based on the combinatorial subset difference (CSD) representation. The CSD-based broadcast encryption accepts an input of CSD subset S; as standard broadcast encryption, it runs the broadcast encryption algorithm for each subset S. We first show the formal construction in Section 5.1, along with appropriate examples to aid the comprehension. Then we provide the formal proof for the collusion-resistant semantic security in Section 6.
A master secret key is set as master − key = g α 2 . For an identity ID = b 1 · · · b l , the setup algorithm generates a secret key SK ID from the master secret key. It selects random r 1 , . . . , r l ∈ Z p and set SK ID = (SK ID,1 , . . . , SK ID,l ) as whereb i represents a bit NOT of b i , that is, 1 − b i .
For each subset S = (c, d), let c = c 1 · · · c l and d 1 · · · d l . To generate the header Hdr and encryption key K, the encrypt algorithm selects a random s ∈ Z p and set Hdr and K as Hdr ← (g s , (h 1,c 1 · · · h l,c l k 1,d 1 · · · k l,d l g 3 ) s ) K ← e(g 1 , g 2 ) s where Hdr ∈ G 2 and K ∈ G 1 , h i, * = h i,0 h i,1 , and k i, * = 1.

Example 2.
For subset ( * * 0 * , 0 * 01), Decrypt(S, ID, SK ID , Hdr): Consider an identity ID = b 1 · · · b l and a subset S = (c, d). Let j be an index where the bit in b and d is different, that is, such that b j = 1 and d j = 0, or b j = 0 and d j = 1. For example, if d = 0 * 01 and ID = 0000, then j = 4 since b 4 = 0 and d 4 = 1.
Notice that the encrypt algorithm is applied for each subset S. In other words, the number of Hdr is equal to the number of subsets. When the user receives a message, he chooses Hdr for the set where he belongs and call Decrypt for that specific Hdr.

CPA-Security Analysis
In this section, we formally prove the semantic security (IND-CPA-security) of our CSD-based broadcast encryption in Section 5 under the decisional l-BDHE assumption without the random oracle model. Theorem 3. Let G be a bilinear group of prime order p. Suppose the (decision) (t, , 4l)-BDHE assumption holds in G. Then our l-level CSD public key broadcast encryption system is (t , , l, m) semantically secure for arbitrary l, and t < t − O(el 2 2 l ), where e is the maximum time for an exponentiation in G.
Proof. Suppose that the adversary A has advantage in attacking the l-level CSD-based public key broadcast encryption. Using A, we build an algorithm B which solves the (decisional) 4l-BDHE problem in G.
For generators h, g ∈ G and α ∈ Z * p , let y i = g α i ∈ G. As a beginning of the game, B starts a game with the 4l-BDHE problem, to get a random tuple (h, g, y 1 , . . . , y 4l , y 4l+2 , . . . , y 8l , T) which is either sampled from P BDHE (where T = e(h, g) (α 4l+1 ) ) or from R BDHE (where T is uniform and independent in G 1 ). The goal of B's is to output 1 if the tuple is sampled from P BDHE , or output 0 otherwise. B proceeds by interacting with A in a following selective subset game: Init: The game begins with A first outputting a subset S * = (c * , d * ) that it intends to attack where c * , d * ∈ {0, 1, * } l .
Case 1: If ID c * there exists k ∈ {1, . . . , l} such that b k = c * k , b k = * , and c * k = * . We set k to be the smallest of such index. To generate the secret key SK ID,j , B first picks randomr 1 , . . . ,r l in Z p . We pose r j = α (3−b k )l+k +r j for j = 1, . . . , l. Next, B generates the secret key SK ID = (SK ID,1 , . . . , SK ID,l ) where which is a properly distributed secret key for the identity ID = b 1 . . . b l . B can compute all elements for the secret key, given the values at its disposal, considering the fact that y α j i = y i+j for any i, j. Note If b j = * and an equation includesb j then two equations are created by replacingb j by 0 and 1. To generate the second component of the secret key, first observe that Let Z r j denote the product of y except the last one.
+b k )l + 1 = 3l + 1 or 5l + 1, and Z is computable, B is able to compute all the terms in Z r j . Next, when observing the last term, y −r j (1+b k )l−k+1 is: Hence, the first component in the secret key is equal to: Notice that the unknown term y 4l+1 cancels out, which indicates that B can compute the first secret key component. The first component, g r j , is y (3−b k )l+k g˜r j which can be computed by B. In a similar manner, the remaining elements h r j 1,b 1 , · · · , h r j l,b l , k r j 1,0 , k r j 1,1 , · · · , k r j j−1,0 , k r j j−1,1 k r j j,b j , k r j j+1,0 , k r j j+1,1 , · · · , k r j l,0 , k r j l,1 can be computed by B since they do not involve a y 4l+1 term such that h

Case 2:
If ID d * , to generate the secret key SK ID,j for identity ID = b 1 . . . b l , B first selects a randomr 1 , · · · ,r l in Z p . We pose r j = α (1−b j )l+j +r j for j = 1, · · · , l. Next, B generates the secret key SK ID = (SK ID,1 , · · · , SK ID,l ) The secret key parameters are computed similarly. To generate the second component of the secret key, first observe that Let Z r j denote the product of y except the last one. That is B can compute all the terms in Z r j given the values at its disposal since j,0 = d * j,1 = 0, and each case that b j = 0 or b j = 1 is considered. Next observe that the last term, namely y −r j (3+b j )l−j+1 , is: Therefore, the first component in the secret key is equal to: Notice that the unknown y 4l+1 cancels out, which indicates that B can compute the first secret key component. The first component, g r j , is y (1−b j )l+j g˜r j which can be computed by B. In a similar manner, Thus, B can derive a valid secret key for ID since (4 + t −b j )l − i + j + 1 = (4 + t −b j )l + 1 when i = j and (4 − t +b j )l − i + j + 1 = 3l + 1 or 5l + 1 due to t = b j when i = j. Therefore, B can derive a valid secret key for ID. Finally, B gives A public key PK = (g, g 1 , g 2 , g 3 , h 1,0 , h 1,1 , · · · , h l,0 , h l,1 , k 1,0 , k 1,1 , · · · , k l,0 , k l,1 ) and SK ID such that ID c * or ID d * .
All the values are within an independent and uniform distribution from G, as required. The master key for the corresponding system is supposed to be g α 2 = g α(α 4l +γ) = y 4l+1 y γ 1 , which is not known to B since B does not know y 4l+1 .
For the challenge, B generates Hdr * as (h, ). It sets K * = T · e(y 1 , h γ ) and gives (Hdr * , K * ) to A, as a challenge. If T = e(g, h) 4l+1 (i.e., the input to B is from the 4l-BDHE) then the challenge (Hdr * , K * ) is valid from A's view as in the real attacking game. This can be seen by writing h = g c for some (unknown) c ∈ Z p as follows: and e(g, h) (α 4l+1 ) · e(y 1 , h γ ) = (e(y 1 , y 4l ) · e(y 1 , g γ )) c = e(y 1 , y 4l g γ ) c = e(g 1 , g 2 ) c .
Thus, by definition, Hdr * is a valid encryption of e(y 4l+1 , g) c . Also, observe that e(y 4l+1 , g) c = e(g, h) 4l+1 = T = K b , which confirms that (Hdr, K * ) is a valid challenge to the A. On the other hand, if T is random in G (i.e., the input to B is a random tuple), then K * is just a random independent key of K from A's view.

Guess:
Finally, A outputs a guess b ∈ {0, 1}. Algorithm B concludes its own game by outputting the b . If b = 1 then B outputs 1 meaning T = e(g, h) (α 4l+1 ) . Otherwise, it outputs 0 meaning T is random in G T .
as required, which completes the proof of the theorem.

CCA-secure Broadcast Encryption
In this section, we extend our proposed CPA-secure combinatorial subset difference public key broadcast encryption scheme to obtain CCA-security by using similar technique from Reference [33] which transforms a CPA-secure identity-based encryption to the CCA-secure encryption. However, to apply the similar technique, it is required to allow wildcards ( * ) in the ID (as well as the subset) since the technique is based on the identity-based encryption. Therefore, we first construct a general ID construction, which is a generalized version of our CSD-based broadcast encryption which allows wildcards in the user ID in Section 7.1. Then, based on the general ID construction, we build a CCA-secure CSD-based public key broadcast encryption in Section 7.2. Finally, we provide a formal proof for the CCA-security in Section 8.

General ID Construction
In this section, we extend the proposed broadcast encryption scheme to a generalized ID version, which allows * in each ID (as well as subsets). This general ID scheme is a basic building block for building a CCA-secure broadcast encryption in Section 7.
For labels x and y, we define x y to indicate that x is covered by y, and x y to denote that x is not covered by y. For instance, 0 * 00 0 * * 0 and 0 * 00 1 * * 0. Definition 5. x is covered by y, or x y iff ∀i, x i = y i or y i = * for x = x 1 . . . x l and y = y 1 . . . y l . Definition 6. x is not covered by y, or x y iff ∀a x, ∃i, a i = y i , x i = * , and y i = * .
else if b i = * then i-th secret key duplicated into two elements as follows:  Decrypt(S,ID,SK ID ,Hdr): Consider an identity ID = b 1 . . . b l ∈ {0, 1, * } l and a subset S = (c, d). If ID c and ID d then ID can decrypt the message. Let j be an index such that b j = * and d j = * , b j = 0 and d j = 1, or b j = 1 and d j = 0. If b j = * then the decryption is equivalent to equation 4. Assume that b j = * . From SK ID,j , we use SK ID,j,d j as secret key. To regenerate decrypt key K using the given header Hdr = (A 0 , A 1 ) and the secret key SK ID,j,d j , compute and output e(A 0 , B) e(a 0 , A 1 ) = K.
Thus, the secret key SK ID for ID in Π is the secret key SK ID in Π . Recall that SK ID|| * z can generate secret keys of all descendants of node ID|| * z , that is, SK ID||0 z , · · · , SK ID||1 z . When encrypting a key K ∈ K to ID in Π, the sender generates a z-bit verification key V sig = (e 1 , · · · , e z ) ∈ {0, 1} z and then encrypts K to the ID = ID||V sig using Π .
In more details, l-level Π is constructed using (l + z)-level Π and an one-time signature scheme as follows: Setup(l, m): Let 2 l be the maximum number of users and {0, 1} m be the message space. Assume the signature verification key space as {0, 1} z . To obtain the public key and master secret key, run semantically secure broadcast encryption Π . subset representation and CSD-based broadcast encryption, and also implemented the subset difference (SD) [7,8] and interval [10] representation along with its broadcast encryption on the Intel Edison IoT device with a 500 Mhz 32 bit Atom processor. Specifically, the SD-based broadcast encryption is implemented as a public key broadcast encryption by applying the public key lifting transformation [5], which combines the hierarchical identity-based encryption (HIBE) [6] to the original symmetric Naor SD construction [7,8] from the advanced access content system (AACS) DVD standard [9]. For the comparison, we first show the number of subsets generated from each algorithm to confirm the efficiency of CSD subset representation. We also verify that the CSD-based broadcast encryption achieves the minimal header size, due to the least number of subsets. Then for the broadcast encryption, we observe the practicality of our CSD-based broadcast encryption by comparing the key size and the performance (i.e., encryption time and decryption time) to the other constructions.
Subset Representation. The proposed CSD subset representation is the most general representation among the existing subset representations. Therefore, it can cover more users within a subset, which decreases the number of total subsets. When considering the IoT application, the improvement is more emphasized; the non-hierarchical IP address generates numerous subsets in the existing hierarchy-based representations (e.g., SD or interval), while the CSD can cover the non-hierarchical IP address in a single representation. For example, for a binary IP address 0 * * . * * 1. * * * .001, existing representation methods end up generating many subsets, while the CSD can efficiently cover it with a single subset. Figure 6 shows the subset generations in the IP address application: Figure 6a presents the number of subsets when randomly increasing the number of wildcards in a single binary IP address, and Figure 6b presents the number of subsets when increasing the random IP addresses. The suffix of representations denotes a total bit of a user: for example, SD − 10 indicates an SD representation for 10-bit users, or 2 10 total users. In both (a) and (b), the CSD representation can cover an IP address with a single subset regardless of the total users. When observing (a), the number of subsets in SD and interval representation when the IP address includes more wildcards or the total users increase, while the CSD can cover the address within a single subset in any case. When assuming a binary IP address with 20 wildcards in 2 20 total users, the CSD can remain a single subset while the SD requires more than 1000 subsets; the CSD can save the header size 1000 times compared to the current standard SD representation. In (b), the SD and interval representation generates more subsets for more IP addresses or more total users, while the number of CSD subsets are same as the number of IP addresses. Header Size. Since the CSD representation generates minimal subsets, the CSD-based broadcast encryption achieves minimal (total) header sizes when applied to the broadcast encryption. We verify the result by implementing and running the broadcast encryption constructions on the IoT machine, and measuring the size of the total header output size. Figure 7 compares the header size of each broadcast encryption, by randomly revoking the users: by varying the total users to (a) 2 10 , (b) 2 15 , and (c) 2 20 . The header size is measured by the number of group elements, where a single group element is a 20-bytes object from the pairing-based cryptography (PBC) library. In all cases, the CSD-based broadcast encryption outputs the smallest headers, compared to the SD-based and interval-based broadcast encryption. Key Size. The CSD-based broadcast encryption is also efficient in terms of key sizes; it maintains a public key and secret key size comparable to the standard broadcast encryption such as SD-based and interval-based broadcast encryption. Table 3 shows the public key (PK) size and secret key (SK) size of the CSD-based, SD-based, and interval-based broadcast encryption. The public key size in CSD-based broadcast encryption is proportional to the user depth n, within the same order of O(log n) as the SD-based and interval-based construction. The secret key size is similar to the interval-based construction, within the same order of O(log 2 n) for user depth n. Performance. For the performance of encryption and decryption, the CSD-based broadcast encryption improves the encryption and decryption time compared to the SD-based and interval-based broadcast encryption. The main factor is that our CSD-based construction does not involve any public parameter related computation, while the other constructions require additional delegation from the public parameters which is proportional to the user depth. Table 4 shows the encryption time and decryption time of the CSD-based, SD-based, and interval-based broadcast encryption, by varying the user depth from 10-bits to 20-bits (total users of 2 10 , 2 15 , 2 20 ). Our CSD-based broadcast encryption maintains almost the same performance for all cases, while the other constructions suffer from the increase of encryption and decryption time proportional to the user depth. Open Source. The experiment resources are publicly available at GitHub as an open source (https://github.com/snp-lab/CSD), for the open science and reproducible research. The resources consist of subset construction algorithm for each combinatorial subset difference (CSD), subset difference (SD), and interval, and broadcast encryption implementation for CSD-based, SD-based, and interval-based scheme.

Conclusions
We propose the combinatorial subset difference (CSD), which is a new subset representation for the broadcast encryption. The CSD representation is the most general representation compared to state-of-the-arts such as subset difference (SD) or interval representations. Due to the general coverage, the CSD representation generates minimal subsets which lead to the minimal header size when applied to the broadcast encryption. The CSD representation is the only representation to cover the non-hierarchical IP addresses, making it as a suitable choice for IoT network multicast. We design and implement the algorithm for CSD subset generation, and verify the practicality of our CSD in the IoT systems.
We also propose the CSD-based public key broadcast encryption, which can be efficiently applied to the IP multicast in IoT systems. The CSD-based broadcast encryption achieves minimal (total) header size due to the minimal subsets of the CSD representation, and it also improves the encryption time and decryption time compared to the existing broadcast encryption. Our experimental results verify that the CSD-based broadcast encryption reduces the header size 31% for the worst cases, improves encryption time by 6 times, and improves decryption time by 10 times compared to the SD-based broadcast encryption. For the security, we prove the collusion-resistance and semantic security of the CSD-based construction under the standard l-BDHE assumption, and extend the construction to the CCA-secure broadcast encryption.

Conflicts of Interest:
The authors declare no conflict of interest.