BESTIE: Broadcast Encryption Scheme for Tiny IoT Equipment

: In public key broadcast encryption, anyone can securely transmit a message to a group of receivers such that privileged users can decrypt it. The three important parameters of the broadcast encryption scheme are the length of the ciphertext, the size of private/public key, and the performance of encryption/decryption. It is suggested to decrease them as much as possible; however, it turns out that decreasing one increases the other in most schemes. This paper proposes a new broadcast encryption scheme for tiny Internet of Things (IoT) equipment (BESTIE), minimizing the private key size in each user. In the proposed scheme, the private key size is O ( log n ) , the public key size is O ( log n ) , the encryption time per subset is O ( log n ) , the decryption time is O ( log n ) , and the ciphertext text size is O ( r ) , where n denotes the maximum number of users, and r indicates the number of revoked users. The proposed scheme is the ﬁrst subset difference-based broadcast encryption scheme to reduce the private key size O ( log n ) without sacriﬁcing the other parameters. We prove that our proposed scheme is secure under q -Simpliﬁed Multi-Exponent Bilinear Difﬁe-Hellman ( q -SMEBDH) in the standard model.


Introduction
In a modern Internet of Things (IoT) infrastructure, the number of total devices tend to increase on a large scale, while the size of individual equipment become smaller. When dealing with secure communications for a massive number of resource-constrained devices, it is important not only to support flexible access control but also to minimize transmission costs and device computation/storage overhead. Broadcast encryption is the fundamental cryptographic primitive to uphold secure communication to any group of privileged devices.

Broadcast Encryption
In the Broadcast encryption (BE) scheme, anyone can securely transmit a message to a group of receivers such that privileged users can decrypt it. In BE protocol, the transmission consists of (S, Hdr, CT sk ): the S is a group (subset) of users, Hdr is a header which contains the encryption of session key sk, and CT sk is the ciphertext of message encrypted with the key sk. When receiving the following transmission, a user first extracts (or decrypts) the session key sk from Hdr; then, he/she uses the following symmetric key sk for the decryption of CT sk . If the user is not covered in S, this indicates that the user is revoked and should not be able to extract the key from Hdr. Moreover, the system should guarantee that, even if all the revoked users collude, it should be impossible to learn any information about the sk in the Hdr. The header is considered a real ciphertext in a BE field of research, since it holds the security of transmissions. Similar to SD, the CSD also represents a subset with a subtraction of two sets, but each subset is no longer a subtree; it is a label of binary bits which is a generalized expansion of the subset difference. In the example of Figure 1c, the CSD subset ( * * , * 1) can cover the privileged users 00, 10. Note that the representation * 1 is impossible to visualize in the tree figure, since the tree is bound to the hierarchy. The CSD has removed the limitation of hierarchy that lies in the subset difference, and it can cover both the SD and the interval representation with a bit label. It is the most generalized form of subset construction that can cover all existing representations. The CSD cuts the header size down to 2r, even in the worst case, and shows that it can always cover users with less (or at least the same) subsets than SD representations.
The public key broadcast encryption scheme for the CSD representation [3] has shown that BE can be applied efficiently to the secure multicast in IoT systems. Since the CSD can represent the generalized binary bits, it can cover the bit string of IP addresses for devices in an IoT system network. The experiments in Reference [3] show that the CSD scheme is practical and appropriate for IoT multicasts within a large scale of devices.

BE for Tiny Equipment
While the number of IoT equipment increases, the size of the equipment itself decreases. In current IoT infrastructures, devices are likely to have no more than a few kilobytes of secure on-chip storage. Note that the key should not be stored in the off-chip flash storage (which could be larger), since they are exposed to the public and commonly extractable [7]. In this setting, the keys of BE should be short enough to be stored in the small-sized memory of tiny IoT equipment. To justify the usage of BE in various IoT systems with tiny devices, we list some specific application examples: • Secure multicast: The research of Reference [3] already justified the usage of BE for secure multicast.
To be more specific, an IoT system manager may want to broadcast and distribute secure messages to the devices by using the subset difference of IPv6 address bit string. Current IoT equipment commonly utilize chips that have 4 KB to 128 KB of non-volatile memory (EEPROM or on-chip flash). Some devices tend to use trusted platform module (TPM) chips that can store and manage keys securely, and the TPM key storage also has a size of no more than 16 KB. (ATmega 128 microprocessor has 128 KB flash and 4 KB EEPROM, and Atmel TPM series provide 16 KB of non-volatile key storage [8]). • Engine control unit (ECU) firmware management: The engine control unit (ECU) of a vehicle is known to have a key storage for its code and data encryption. In time-to-time firmware updates, the system needs to set privileged devices either to guarantee customized firmwares for different vehicles or to revoke the disclosed keys that are often used by other vendors. BE can provide an appropriate environment for the large scale of ECU firmware encryption management. The non-volatile on-chip memory of the ECU usually has a size of no more than 12 KB.
Unfortunately, none of the existing BE schemes are capable of satisfying the requirement of small sized keys in a setting with a massive number of devices. There were some noticeable works that focus on the key size of BE, like Reference [6]. In Reference [6], the authors proposed a scheme that reduces the private key (SK) size from O(log 3 n) to O(log 2 n), compared to the original SD-based schemes [4]. Interval scheme [2] also shows a same order of O(log 2 n) for the SK size, while maintaining the same transmission complexity as [4,6]. The size complexity O(log 2 n), however, is not small enough to be practically applied for tiny IoT devices. In the secure multicast example, the current IPv6 standard considers 2 128 users. Therefore, in the secure multicast for random devices, the system should provide a full spectrum of representations for the 128-bit address combinations. The ECU firmware case is also similar; the vehicle ECU has its own ID which usually consists of distinct 32 to 128 bits [9]. This leads the private key to grow larger than 40 KB for 32 bits or 640 KB for 128 bits, which cannot be stored in the small on-chip storage of 12 KB in ECU. In fact, it is an open problem to reduce the private key size to O(log n) in the SD-based BE approach. This should be achieved with a reasonable cost; Goodrich [10] proposed a symmetric BE with the SK size of O(log n), but the computation cost is O(n) which is beyond practical (see Table 1 for details).

BESTIE with Short-Key
In this paper, we propose BESTIE, a new broadcast encryption scheme which has a short key size for tiny IoT equipment. The proposed BESTIE has a key size of O(log n), which exceeds the current boundary of the key size O(log 2 n) among the existing subset difference-based broadcast encryptions.
By applying BESTIE in the 128-bit ID systems, we can obtain a 7 KB private key (SK), which can be easily stored in the secure on-chip memory of tiny IoT equipment. Moreover, the BESTIE does not sacrifice any other factor, such as execution (encryption/decryption) times or header sizes.
One-way func. One-way func. The main idea to reduce the key size in the proposed scheme is to share the same random value for every key, while different random values are applied for each key in the existing subset difference-based approaches. In the original CSD scheme [3], as well as most subset difference-based schemes, O(l) size key is required for each bit in the ID, i.e., given a private key SK = (SK ID 1 , · · · , SK ID l ), each element SK ID i contains a primary key and O(l) size auxiliary key for the other bit positions to build a decryption key, where l denotes the bit-length or log n (for total n users). In the existing schemes, each auxiliary key should contain an independent random value; otherwise, a combination of keys may generate an unauthorized decryption key. The proposed BESTIE devises a novel and secure way to reuse the O(l) auxiliary key for all primary keys. As a result, the BESTIE requires O(log n) size key. The detailed construction is available in Section 4.

ROM
Another interesting feature is that, unlike most existing schemes, BESTIE does not demand a public key (PK) for the decryption. Other schemes, such as SD [6] or interval schemes [2], reconstruct the corresponding decryption key from the PK, as well as the SK in the decryption phase, and thus need to maintain the PK in the device storage or receive the PK from the communication. On the other hand, since the decryption in BESTIE relies on the computation with the secret key SK only, there is no need to store the PK in the device. This indicates that BESTIE has an advantage in the PK storage and/or PK transmission overhead.

Contributions
We formally summarize the contributions of our BESTIE as follows: 1.
Theoretical advance: The proposed BESTIE resolves a challenging problem to reduce the private key size to O(log n) in the SD-based BE approach, without sacrificing any other efficiency. Moreover, BESTIE is compatible with even CSD, which is more expressive, and is thus more compact than SD.

2.
Practicality: The BESTIE is applicable to large scale IoT systems (2 128 devices) with a reasonable performance; it requires only 7 KB private key size while the private key size is more than 600 KB in the other existing SD-based approaches. 3. Section 2 organizes related works. Section 3 describes a required background and definitions. We present the construction and the security proof of our proposed BESTIE in Section 4 and extend it to the CCA-secure scheme in Section 5. Section 6 analyzes experimental results. In Section 7, we draw a conclusion.

Related Work
The broadcast encryption (BE) is a traditional cryptographic method, and there have been a variety of researches with different features [1,4,5,[10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25]. Known also as a revocation schemes, BE can provide efficient revocation of individual users, while letting the privileged users remain available to decrypt the broadcasted transmission. The listed categories below are the various viewpoints in BE, and every existing BE scheme has its own feature due to the different purposes.
• Stateful vs. stateless: There are two types of BE schemes, which are stateful schemes [24,26,27] and stateless schemes [1,10,22]. In the stateful BE scheme, the key exchange occurs more than once. On the other hand, the stateless BE scheme allows the key exchange only once in the initial setup. Stateful schemes can be useful in a setting that can allow users to interact after the initial setup. However, in real practice, such as Pay-TV systems or IoT networks, once the devices are deployed, it becomes a big burden to update all keys synchronously. • Symmetric vs. asymmetric: The BE can be also categorized as a symmetric BE [10,25] and asymmetric BE. In the symmetric BE, only a trusted user who has a symmetric key can encrypt and broadcast the message to the receivers. An asymmetric BE, known as a public key broadcast encryption (PKBE), enables any user to broadcast the encrypted information.
It is clear that a stateful BE scheme and a symmetric BE scheme have more limitations in terms of its usage; this paper proposes a stateless public key (asymmetric) BE scheme. For a more practical use, most optimizations of BE schemes are focused on reducing header or key sizes.
• lHeader size: The main objective of the BE research was to reduce the header size, which decides the transmission overhead. Since the header size relies on the number of subsets, there were many works that proposed subset construction/representation methods [2,10,11,22]. The most common representations were the complete subtree (CS) [11], the subset difference (SD) [11], and the interval encryption [2]. The CS method covers users with root nodes of subtrees. The SD method covers users with a subtraction of two subtrees. The interval encryption covers users with ranges of privileged users. Recently, the work of Reference [3] proposed a combinatorial subset difference (CSD), which covers users with a subtraction of two non-hierarchical bit-labels. The SD scheme has a header size of 4r, the interval scheme has a header size of 3r, and the CSD scheme has a header size of 2r, each for the worst cases when r is the number of revoked users. • Key size: Some works have focused on reducing the PK/SK size of BE, although there usually is a trade-off between the size and the encryption/decryption time. The work of Reference [6] has succeeded on reducing the SK size to the order of O(log 2 n) in the subset difference. The interval scheme also obtained an order of O(log 2 n) for the SK size. Until now, even a symmetric key BE (which is limited, but more generally efficient) has a boundary of O(log 2 n) for the size of SK.

SD-Based BE
Among the existing BE schemes, our main focus is on the SD-based methods (e.g., SD, interval, CSD), which achieves the header size of O(r). In methods that do not use SD, the header size is impractical since it depends on the number of total users n instead of the number of revocation r. ). However, in general practice, the revocation tends to remain small while the total user grows large in various applications: the number of revocation r is much smaller than the √ n. Table 1 shows the order of costs in SD-based BE schemes that achieve the header (CT) size of O(r), where n is the number of total users, and r is the number of revoked users. NNL'01 [11] is the original SD scheme which is a symmetric key BE. DF'02 [4] proposed a transformation technique that converts a symmetric key BE to public key BE by utilizing hierarchical identity-based encryption (HIBE); the shown results are obtained by applying the BBG-HIBE [20] scheme to the NNL'01. (DF'02 [4] states O(1) PK size and O(log 2 n) SK size, but it refers to the HIBE keys; remind that the BBG-HIBE key has O(log n) elements). Lin '10 [2] refers to the interval encryption, which is similar to the SD in a way that the users are represented in a binary tree; the secret key size is O(log 2 n). LKLP'14 [6] proposes a more efficient SD scheme with utilizing the random oracle, which also achieves the secret key size of O(log 2 n). GST'04 [10] is a symmetric key BE which focuses on the O(log n) SK size. However, it sacrifices the decryption time to O(n), or increase CT size and encryption time by a given constant k to mitigate the decryption time. Compared with all existing SD-based BE schemes, BESTIE is the first approach to obtain a O(log n) SK size while providing overall decent performance. Moreover, since BESTIE does not sacrifice any other factors, it retains a small CT size, a small PK size, and fast encryption/decryption performance.

Attribute-Based Encryption
From a high-level perspective, BE can be considered as a special case of attribute-based encryption (ABE) [28][29][30][31]; if we let each bitwise ID be an attribute and define subset inclusion as an access policy of ciphertext-policy ABE (CP-ABE), it can provide the same functionality of BE. However, as most general cases are not as efficient as special cases, ABE cannot achieve time and size costs comparable to BE. For instance, in the CP-ABE with constant-size ciphertext [31], the key size grows linear to the number of attributes. Since the access policy requires a bitwise representation of the ID and subsets, the key size roughly grows to O(2 n ), which is beyond practical.

Preliminaries
In this section, we provide backgrounds and preliminary definitions. Section 3.1 describes the basic definition of public key broadcast encryption (PKBE). Section 3.2 defines the formal security model for our proposed system. Section 3.3 gives a remark for the mathematical background about bilinear maps and pairings in elliptic curve groups. In Section 3.4, we describe the cryptographic assumption which our system is based on. Section 3.5 gives a summary for the combinatorial subset difference, which is a subset cover method our system adopts.

Public Key Broadcast Encryption
In a public key broadcast encryption (PKBE) system, the original message m is commonly encrypted to C K , which is often called the broadcast body, with a simple symmetric key algorithm (e.g., AES block cipher). Then, the symmetric key M is encrypted with the PKBE encryption, so that the legitimate receivers can obtain the symmetric key M and use it for the symmetric decryption of C K to obtain m. In the following decryption of BE systems, the symmetric key M is considered as a message; the symmetric key encryption/decryption process (i.e., m, C K ) is common and often omitted in BE schemes.
The PKBE encryption is required for each subset, and the header (or the broadcast ciphertext) Hdr for each subset is collected into a where w is the number of total subsets. A legitimate user decrypts the message by looking for the Hdr S i corresponding to the subset S i where it belongs to, obtaining M from Hdr S i with the PKBE decryption, and finally decrypting the message m from the broadcast body C K . Formally, a PKBE system Π consists of four algorithms: Setup(l, λ) takes user's ID bit-length l and session key length λ as inputs. It outputs public parameters PK and a master key MK. KeyGen(ID, MK, PK) takes user's l-bit ID, master key MK, and public key PK as inputs. It outputs a private key set SK ID .
Encrypt(S, PK, M) takes a subset S, and a public key PK and a message M as inputs. It outputs a broadcast ciphertext Hdr S for the subset S. Decrypt(S, ID, SK ID , Hdr S ) takes a subset S, a user id ID ∈ {0, 1} l , private key SK ID for user ID, and a header Hdr S as inputs. If ID ∈ S, then it outputs message M.
The system is correct if every user in S can get the message M. Namely, for all S and all ID ∈ S, if (PK, MK) ← Setup(l, λ), SK ID ← KeyGen(ID, MK, PK), and Hdr S ← Encrypt (S, PK, M) then Decrypt (S, ID, SK ID , Hdr S ) extracts M.

Security Model
In this section, we describe a selective semantic security (IND-sID-CPA) and a selective CCA-security (IND-sID-CCA) for broadcast encryption as in Reference [3,5]. Depending on whether the number of challenged sets is represented as a single subset or as multiple subsets, we separate security notions as a single-set security and a multi-set security. Consequently, the single-set security implies a multi-set security as shown in Reference [3].
The single-set security is defined as a following game between an adversary A and a challenger C. Both C and A are given l and λ, the user ID length and the key length, respectively, as inputs. Note that the collusion resistance is straightforward, since the secret keys for all users (except the selected target) are distributed before the challenge.
Init: Algorithm A outputs a set S * of users to attack. Setup: The challenger C performs Setup(l, λ) to obtain a public key PK and a master key MK. KeyGen: The challenger C runs KeyGen(ID, MK, PK) to obtain private keys SK 0 l , · · · , SK 1 l . C then provides A with the public key PK and all private keys SK ID for ID / ∈ S * . Phase 1: (optional for CCA) Attacker A adaptively issues decryption queries q 1 , · · · , q d where a decryption query consists of the triple (S, ID, Hdr S ) with S ⊆ S * and ID ∈ S. C responds with Decrypt(S, ID, SK ID , Hdr S ). Challenge: For the challenge, algorithm A outputs two messages M 0 and M 1 . C picks ξ ∈ {0, 1}, encrypts the message M ξ by running Encrypt(S * , PK, M ξ ) to obtain Hdr * S , and gives Hdr * S to the attacker A. Phase 2: (optional for CCA) Attacker A continues to adaptively issue decryption queries q d+1 , . . . , q D where a decryption query consists of (S, ID, Hdr S ) with S ⊆ S * and ID ∈ S. The only constraint is that Hdr S = Hdr * S . C responds as in query phase 1. Guess: Attacker A produces its guess ξ ∈ {0, 1} for ξ and wins the game if ξ = ξ .
Let AdvSSBr A,Π (l, λ) be the advantage that A wins the above game.
The multi-set security game is defined similar to the single-set security game, except the challenged set is given as multiple subsets.
Init: Algorithm A outputs a set S * = {S * 1 , · · · , S * w } of users to attack. Setup: The challenger C executes Setup(l, λ) to obtain a public key PK and a master key MK. KeyGen: The challenger C runs KeyGen(ID, MK, PK) to obtain private keys SK 0 l , · · · , SK 1 l . C gives A all private keys SK ID for ID / ∈ S * i where i = 1, · · · , w. Phase 1: (optional for CCA) Attacker A adaptively issues decryption queries q 1 , · · · , q d where a decryption query consists of the triple (S, ID, Hdr S ) with S ⊆ S * and ID ∈ S. C responds with Decrypt(S, ID, SK ID , Hdr S ).
Challenge: For the challenge, algorithm A outputs two messages M 0 and M 1 . C picks ξ ∈ {0, 1}, encrypts the message M ξ by running Encrypt(S * i , PK, M ξ ) to obtain Hdr * S i for i = 1, · · · , w, and gives all Hdr * S i to the attacker A. Phase 2: (optional for CCA) Attacker A continues to adaptively issue decryption queries q d+1 , . . . , q D where a decryption query consists of (S, ID, Hdr S ) with S ⊆ S * and ID ∈ S. The only constraint is that Hdr S i = Hdr * S i . C responds as in query phase 1. Guess: Attacker A provides its guess ξ ∈ {0, 1} for ξ and wins the game if ξ = ξ .
Let AdvMSBr A,Π (l, λ) be the advantage that A wins the above game.
In Reference [3], it is shown that the single-set security implies the multi-set security.

Theorem 1 ([3]). Suppose the public key broadcast encryption
where w is the number of subsets.

1.
G 1 , G 2 and G T are (multiplicative) cyclic groups of prime order p.
e : G 1 × G 2 → G T denotes a bilinear map.
Let G 1 , G 2 , and G T be groups as above. A bilinear map is a map e : G 1 × G 2 → G T with satisfying the following properties:

1.
Bilinear: for all u ∈ G 1 , v ∈ G 2 and a, b ∈ Z p , we have e(u a , v b ) = e(u, v) ab 2.
We say that G 1 and G 2 are bilinear groups if the group action in G 1 and G 2 can be computed efficiently and there exist a group G T and an efficiently computable bilinear map e : G 1 × G 2 → G T as above.

Computational Complexity Assumptions
The security of our system is based on a complexity assumption called q-simplified multi exponent bilinear Diffie-Hellman (q-SMEBDH) assumption. The q-SMEBDH assumption was originally introduced in Reference [6], but without formal analysis on the hardness of the assumption. In this paper, we formally show that the q-SMEBDH is a weaker assumption than the q-bilinear Diffie-Hellman exponent known as q-BDHE, by reducing q-SMEBDH to the q-BDHE. Assumption 1. (q-Simplified Multi-Exponent Bilinear Diffie-Hellman, q-SMEBDH). Let (p, G 1 , G 2 , G T , e) describe the bilinear group of prime order p with the security parameter λ. Let g 1 and g 2 be generators of G 1 and G 2 , respectively. The q-SMEBDH assumption is that, if the challenge tuples P = ((p, G 1 , G 2 , G T , e), } 1≤i,j,i =j,≤q ) and T are given, no PPT algorithm B can distinguish T = T 0 = e(g 1 , g 2 ) bc from T = T 1 = e(g 1 , g 2 ) d with more than a negligible advantage. The advantage of B is defined as Adv where the probability is taken over the random choice of a 1 , . . . , a l , b, c, d ∈ Z p .

Lemma 1.
If there is an adversary A which solves a q-SMEBDH problem with advantage in time τ, then there is an adversary which solves a q-BDHE problem with advantage in time τ + q 2 .
Proof. We will reduce a q-BDHE problem to a q-SMEBDH problem. Assume that Note that, since i = j, q + 1 + j − i = q + 1 and 2 ≤ q + 1 + j − i ≤ 2q. Let g c 1 = h 1 and g c 2 = h 2 . If, for a given q-SMEBDH, there is an adversary A which decides whether T = e(g b 1 , g c 2 ) with advantage, then using A, we can decide whether T = e(g 1 , h 2 ) α q+1 with advantage since e(g 1 , h 2 ) α q+1 = e(g 1 , g c 2 ) b .

Combinatorial Subset Difference
The subset cover representation method of our system is based on the combinatorial subset difference (CSD) proposed in Reference [3]. The CSD uses a more general, thus, more compact representation method which is extended from the subset difference (SD). The subset difference is the most common representation method in the broadcast encryption (BE) in literature, which denotes a subset with a difference of two subtrees. To be more specific, the SD method constructs a binary tree by mapping the users to the leaf nodes, and represents the subset of privileged users by subtracting the two complete subtrees denoted as the root node of each subtree (i.e., (CL, RL), where CL is a covered set, and RL is a revoked set).
CSD [3] is a more universal type of representation method that consists of a subtraction of two non-hierarchical labels. It is similar to the SD method, but CL and RL are no longer subtrees; labels are bit-strings which consist of {0, 1, * }, where a wildcard * includes both 0 and 1. CSD is a more generalized expression compared to the SD and includes all possible SD combinations. The number of subsets in CSD is always smaller than that of SD, or at least the same. The header sizes in CSD are 2r in the worst case, while they are 4r in the SD in the worst case (r = the number of revoked users).
A secure and efficient BE construction compatible with CSD is more challenging than a construction based on SD. Since the key structure is not bound to the tree structure anymore, there are more representation cases that a privileged user has to decrypt using its key. Thus, the BE scheme with CSD may cause key size growth to cover additional cases and is even harder to reduce the key size. In this paper, we propose the first BE scheme, which minimizes the key size to be logarithmic and is compatible with even CSD, as well as SD.

Proposed Broadcast Encryption Scheme
In this section, we propose BESTIE, a broadcast encryption scheme applicable to tiny IoT equipment and prove its security. In Section 4.1, we describe our intuitions of how to compress the key size. We construct our proposed BE scheme in Section 4.2, analyze the complexity in Section 4.3, and prove its security in Section 4.4.

Main Idea
Before the formal description, we informally elaborate a sketch of the idea that lies behind the BESTIE. The main contribution of the BESTIE is to compress the private key size from O(log 2 n) to O(log n).
As mentioned in Section 1, most subset difference-based schemes require O(l) size key for each bit in the ID. i.e., given a private key SK = (SK ID 1 , · · · , SK ID l ), each element SK ID i contains a primary key, and O(l) size auxiliary key. In the existing schemes, each auxiliary key should contain an independent random value; otherwise, a combination of keys may generate an unauthorized decryption key.
In Reference [3], the CSD subset is represented as (CL, RL) where CL is a covered set and RL is a revoked set and a user with an ID should be able to construct its decryption key only if it belongs to the covered set but NOT to the revoked set, i.e., ID ∈ CL and ID ∈ ¬ RL. The combination of key elements derives a decryption key. However, the combination should be performed in a restricted way to prevent from generating any unauthorized decryption key. To ensure that the combination generates only legitimate keys, the scheme has the auxiliary keys with different random exponents r i for each primary key. The resulting SK for the user with ID = ID 1 · · · ID l in the CSD is summarized as follows.
where sets {g α (. . . k i,ID i ) r i } and {k r i j,0 , k r i j,1 |j = i, j ∈ [1, l]} include a primary key and auxiliary keys, respectively.
Thus, the key size becomes O(log 2 n), since i ∈ [1, l]. (i.e., O(log n) per combination × log n combinations). Existing subset difference-based BE schemes [2,6] have the similar approach. Hence, the known lower key size bound has been O(log 2 n).
In our approach, we detach k i,ID i from the primary key g α (. . . k i,ID i ) r i of SK ID i in Equation (1) by splitting the master key α into a pair (α − α w , α w ), and apply the same random r to the auxiliary keys as follows: Now, the key is divided into two parts such that a decryption key can be constructed only if both conditions ID ∈ CL and ID ∈ ¬ RL are satisfied. Note that, if at least a single bit in ID is different from RL (i.e., ID / ∈ RL), then g α w and g α−α w can be combined, outputting the decryption key g α . The full construction is more complex, and we describe it in the next section.

Construction
In this section, we describe the formal construction of the proposed BESTIE, which is a public key broadcast encryption scheme. As defined in Section 3.1, the public key broadcast encryption can allow any user (or device) to broadcast messages. When the system begins, each user is grouped into a specific subset. To broadcast the message, the broadcaster needs to run encryption for each subset to obtain subset header. Figure 2 visualizes the overall workflow of the public key broadcast encryption. The manager runs the setup to initiate the system, publishes the public key PK, and keeps the master secret key MK. Then, by using MK, the manager runs key generation for each device and provides corresponding secret keys SK ID . When a device wants to broadcast a message, it runs encryption for each subset to obtain corresponding header, and gathers all headers to broadcast the vector of headers. When a device receives the headers, it searches the header for its own subset, and runs decryption with the header and its own secret key to obtain the message. In the following construction, we denote ID i , CL i , and RL i the ith bit of a bit-string ID, CL, and RL, respectively. In addition, we denote H Setup(l, λ): This algorithm first generates the bilinear groups G 1 , G 2 of prime order p of bit size θ(λ). It selects random elements g 1 ∈ G 1 and g 2 ∈ G 2 . It selects a random exponent α ∈ Z p . It chooses O(l) random group elements h 0 , h 1,0 , h 1,1 , . . . , h l,0 , h l,1 , k 0 , k 1,0 , k 1,1 , . . . , k l,0 , k l,1 ∈ G 1 . It outputs a master key MK = g α 1 and a public key as PK =((p, G 1 , G 2 , G T , e), g, h 0 , h 1,0 , h 1,1 , . . . , h l,0 , h l,1 , k 0 , k 1,0 , k 1,1 , . . . , k l,0 , k l,1 , Ω = e(g 1 , g 2 ) α ).
KeyGen(ID, MK, PK): This algorithm takes as input ID = ID 1 . . . ID l , the master key MK, and the public key PK. It chooses random exponents α w and r ∈ Z p and outputs a private key SK ID as SK ID = (x 0 , x 1 , . . . , x l , y 0 , y 1 · · · , y 2l , z) = (g α−α w . . RL l ) as input labels, the public key PK, and a message M ∈ G T as inputs. It selects a random exponent t ∈ Z p and outputs a ciphertext by implicitly including S = (CL, RL) as Decrypt(S, ID, SK ID , Hdr S ): This algorithm takes a subset S = (CL, RL), a user's ID, a private key SK ID , and a ciphertext Hdr S for S as inputs. Let P = {i|ID i = RL i ∧ RL i = * } and Q = {i|ID i = RL i ∧ RL i = * }. Let d denote the number of bits, which, in ID, are different from RL or d = |P|.
Then, it computes and outputs a message as The correctness is verified by the following equation.

Complexity Analysis
In this section, we analyze the complexity of the key sizes and the execution time of the proposed public key broadcast encryption scheme. The main complexity relies on the parameter l, which is the number of bits for total users n (or log n).
For the key sizes, the public key size requires four fixed elements g, h 0 , k 0 , Ω and l elements h i,0 , h i,1 , k i,0 , k i,1 , which is total 2l + 4 elements where the default element size is 20 bytes. The secret key requires total 2l + 3 elements where the default element size is 20 bytes, which reduces the order to O(l) or O(log n). The header size for a single subset requires four fixed elements, which is constant-size.
For the execution time, the encryption time for a single subset requires four elliptic curve computations, which is almost negligible as O(1). Since the number of subsets depend on the subset representation, the complexity is determined by the number of subsets in the CSD, which is O(r). The decryption time requires O(l) computations, which is O(log n) for n total users.

Security Proof
Theorem 2. Let G 1 and G 2 be bilinear groups of prime order p. Suppose the (decision) (t, , 4q)-SMEBDH assumption holds in G 1 × G 2 . Then, the proposed public key broadcast encryption system is (t , , q, λ) semantically secure for arbitrary q, and t < t + O(eq 2 ), where e is the maximum time for an exponentiation in G 1 and G 2 .
Proof. Suppose A has advantage in attacking the proposed public key broadcast encryption system. Using A, we construct an algorithm B that solves the (decision) 4q-SMEBDH problem.
For generators g 1 ∈ G 1 and g 2 ∈ G 2 , and b ∈ Z p , algorithm B is given as input random tuples and T that is either sampled from P SMEBDH (where T = e(g 1 , g 2 ) bc ) or from R SMEBDH (where T is uniform and independent in G T ). Algorithm B's goal is to output 1 when the input tuple T is sampled from P SMEBDH and 0 otherwise. Note that we let l = q in this proof. Algorithm B interacts with A in a selective subset game as follows: Init: The game begins with A outputting a subset S * = (CL * , RL * ) to attack where CL * , RL * ∈ {0, 1, * } l .
Setup: To generate the public key, algorithm B chooses random exponents γ 1 , γ 2 , v 1 , · · · v 4l ∈ Z p , and sets h i,j = g To generate a private key SK ID for user ID ∈ {0, 1} l , algorithm B considers the following three cases.
(i) ID ∈ CL * : Algorithm B chooses random exponents r and α w ∈ Z p and sets r = Algorithm B computes x 0 as follows: Algorithm B computes x i , y 0 , y i , and z as follows: (ii) ID ∈ CL * and ID ∈ RL * : Algorithm B selects random exponents r and u ∈ Z p and sets r = ∑ l j=1 −b a 2l+2j−1+ID j + r . It sets Algorithm B can compute g v i r , since g v i r Algorithm B computes x 0 as follows: Algorithm B computes x i , y 0 , y i , and z as follows: (iii) ID ∈ CL * and ID ∈ RL * : Algorithm B does not require the SK ID , since ID ∈ S * .
Challenge: Algorithm A submits challenge labels (CL , RL ) and two messages M * 0 , M * 1 . If (CL = CL * ) ∨ (RL = RL * ), then Algorithm B aborts the simulation since it failed to guess the challenge labels. Otherwise, B flips a random coin ξ ∈ {0, 1} internally. B implicitly sets t = c and creates a challenge ciphertext as Guess: Finally, A outputs a guess ξ ∈ {0, 1}. Algorithm B concludes its own game by producing a guess as follows. If ξ = ξ then B outputs 1 meaning T = e(g 1 , g 2 ) bc . Otherwise, it outputs 0 meaning that T is random in G T .
To complete the proof, we show that public keys, private keys, and the challenge ciphertext are correctly distributed. The public keys are correctly distributed since new random elements v i are chosen from Z p . The private keys are correctly distributed as shown in the query phase. The challenge ciphertext is correctly distributed since it satisfies the following equation: When the input tuple is sampled from P SMEBDH (where T = e(g 1 , g 2 ) bc ), then A's view is identical to its view in a real attack game, and, therefore, A satisfies |Pr[ξ = ξ ] − 1/2| ≥ . When the input tuple is sampled from R SMEBDH (where T is uniform in G T ), then Pr[ξ = ξ ] = 1/2. Therefore, with g 1 uniform in G 1 , g 2 uniform in G 2 , b and c uniform in Z p , and T uniform in G T , we have that |Pr[B(P, e(g 1 , g 2 ) bc ) = 0] − Pr[B(P, T) = 0]| ≥ |(1/2 + ) − 1/2| = as required, which completes the proof of the theorem.

CCA-Secure Broadcast Encryption
In this section, we extend our proposed BESTIE to the chosen-cipertext-secure broadcast encryption, similar to Reference [3,37] by attaching an unforgeable one-time signature scheme to the semantically secure PKBE scheme. To utilize the CCA extension in Reference [3,37], we require our broadcast encryption to support general IDs such that wildcards ( * ) can be used in IDs for key generation. Thus, we first describe a general ID scheme as a building block. Then, we represent a CCA-secure scheme with a complexity analysis and security proof.
KeyGen(ID, MK, PK): Private key generation is similar to the main scheme, except for the wildcards (*). We set h i, * = 1 and populate h r i,0 and h r i,1 for h r i, * . Similarly, the interpretation of k i, * covers both k i,0 and k i,1 . Therefore, if ID i = * , SK ID includes both g 1 α w k r i,0 and g 1 α w k r i,1 , as well as h r i,0 and h r i,1 . The key generation is summarized as follows: Encrypt(S, PK, M): The encryption is equivalent to the main scheme in Section 4.2.
Decrypt(S, ID, SK ID , Hdr S ): Similar to the decryption in Section 4.2, for Then, let d = |P| + |P * | + |Q * |, where |P| denotes the number of bits which in ID are different from RL, and |P * | + |Q * | indicates the number of * in ID.
We extend our semantically secure broadcast encryption scheme using a similar technique presented in Reference [3,37] to attain the chosen ciphertext security. We can construct an l-level public key broadcast encryption system Π = (Setup, KeyGen, Encrypt, Decrypt) secure against chosen-ciphertext attacks using the (l + z)-level Π = (Setup , KeyGen , Encrypt , Decrypt ) semantically secure broadcast encryption scheme with a strong one-time signature scheme (SigKeyGen, Sign, Veri f y) with verification keys which are mapped to {0, 1} z . The main idea is that ID = (b 1 , · · · , b l ) ∈ {1, 0, * } l in Π is transformed to ID = ID|| * z = (b 1 , · · · , b l , * , · · · , * ) ∈ {1, 0, * } l+z in Π . Therefore, the secret key SK ID for ID in Π becomes the secret key SK ID in Π . When encrypting a message M for the ID in Π, the sender constructs a z-bit verification key V sig = (e 1 , · · · , e z ) ∈ {0, 1} z and then encrypts M to the ID = ID||V sig using Π .
For more detail, l-level Π is built using (l + z)-level Π and a one-time signature scheme as the following: Setup(l, λ): Let 2 l be the maximum number of users and lambda be the session key length. Assume that the signature verification key space is {0, 1} z .
Perform a semantically secure broadcast encryption scheme Π to generate the public key PK and master secret key MK, and output PK and MK.
KeyGen(ID, MK, PK): To generate a private key SK ID for an identity ID = b 1 . . . b l utilizing the master secret key, encode ID to ID = ID|| * * · · · * z . The key generation algorithm in KeyGen of Π generates the secret key SK ID .
Encrypt(S, PK, M): Perform SigKeyGen(1 z ) algorithm to get a signature signing key K sig and a verification key V sig . Assume that V sig = e 1 . . . e z . For a given S = (CL||V sig , RL||V sig ), run Encrypt to obtain header Hdr S and sign the header as and output the tuple Hdr as (Hdr S , σ, V sig ).
Correctness can be shown with a similar computation to the one in Section 4. It is noted that the user key size is enlarged from O(l) to O(l + z), and the header size increases by the size of a signature and a verification key.

Complexity Analysis
In this section, we analyze the complexity of the key sizes and the execution time of the proposed public key broadcast encryption scheme. The general complexity is increased from l to l + z where z is a bit-length of the one-time signature verification key, since the CCA-secure extension requires z additional depth from the original scheme.
For the key sizes, the public key size requires 2(l + z) + 4 elements, and the secret key size requires 2(l + z) + 3 elements. The header size is 5 fixed elements, since the CCA-secure header requires one-time signature in addition to the original header.
The encryption additionally requires one-time signature singing time and the decryption additionally requires one-time signature verifying time. However, one-time signature processing time is very fast and negligible: the execution times remain almost the same as the original CPA-secure scheme.

Security Proof
Theorem 3. Let G be a bilinear group of prime order p. For any integer l, the public key broadcast encryption system Π is (t, 1 + 2 , l, λ, D) CCA-secure if the public key broadcast encryption system Π is (t , 1 , l + z, λ, 0) semantically secure in G and the signature scheme is (t , 2 , z, 1) strongly existentially unforgeable. Moreover,

3.
Otherwise, B decrypts the header using the second type of secret keys.
Challenge: When A outputs M 0 and M 1 for the challenge, B bypasses them to C and gets the challenge Hdr * S . To generate a challenge for A, B calculates Hdr * as the following: B replies with Hdr * to A.
It is required to compute the probability of B aborting the simulation as a result of a forge to conclude the proof of Theorem 3. We argue that Pr[forge] < 2 . Otherwise one can utilize A to forge signatures with a probability of at least 2 . Shortly, we can build another simulator that knows the private key, but receives K * sig as a challenge in an existential forgery game. In the above experiment, A aborts by submitting a query that includes an existential forgery under K * sig on some ciphertexts. Our simulator can use this forgery to win the existential forgery game. During the game the adversary makes only one chosen message query to generate the signature for the challenge ciphertext. Hence, Pr[forge] < 2 . It now follows that B's advantage is at least 1 , as required.

Experiment
In this section, we show and compare the implementation results by constructing the BESTIE protocol on the real IoT system, which can let many useful IoT applications, such as secure multicast, be available. We present the experimental results in terms of three main factors-the ciphertext header size, the execution time, and the key size-in the proposed scheme (BESTIE) and existing PKBE schemes. We programmed and tested the BESTIE and other schemes on the Intel Edison board environment with a 32-bit 500 Mhz processor, which is commonly utilized as a small IoT device. We performed real encryption protocols based on ublinux 3.10.17 system and pairing-based cryptography (PBC) library (element type set as type F, or f param , which is size-friendly), from setup to encryption/decryption, and measured the time and size of parameter results.
The number of subsets define the ciphertext header sizes in broadcast encryptions. Figures 3 and  4 compares the number of subsets in the BESTIE, CSD [3], SD [4], and interval schemes [2]. Note that the header sizes are equivalent in BESTIE and CSD since they share the same CSD representation method. In Figure 3, the y axis represents the number of subsets as varying the number of randomly chosen revoked users (x axis) varies. The number of total users is 2 128 . The result shows that the number of subsets is strictly linear to the number of revoked users. In Figure 4, instead of a random revocation, we vary the number of randomly chosen secure multicast subsets. Secure multicast subsets are non-hierarchical subsets that include wildcards ( * ) in the middle of covering labels (e.g., 1 * * 01 − 10 * * 1). BESTIE,CSD-15, SD-15, and Interval-15 indicate 2 15 total users. BESTIE, CSD-20, SD-20, and Interval-20 indicate 2 20 total users. Since the CSD representation supports a non-hierarchical representation ( * can be placed anywhere), it can cover the non-hierarchical example within a single CSD subset; the number of subsets in BESTIE and CSD is identical to the number of non-hierarchical groups. However, the number of subsets in the SD and interval schemes is large since they only support hierarchical representations.     Figure 5 represents the encryption time in the BESTIE, CSD, and interval schemes by measuring the time of encrypting a fixed message with using each protocol. The y-axis represents the encryption time measured in seconds, and the x-axis represents the bit-length of users. The SD scheme follows the encryption of Reference [20], thus it requires point exponentiation for the increasing bit-length. In the figure, the encryption time in SD increases dramatically when the bit-length gets longer. The results show that, other than the SD scheme, the encryption time remains similar, and BESTIE shows the best encryption performance among the BE schemes.  Figure 6 represents the decryption time in the BESTIE, CSD, and interval schemes, by measuring the time of decrypting a fixed message with using each protocol. Since the decryption is generally performed in a slow IoT (or embedded) system, the decryption performance should be improved. Since the decryption algorithm mostly performs multiplication of secret keys with constant number of pairings and exponentiations in BESTIE and CSD, the decryption time does not increase as the number of users increases. On the other hand, since the interval scheme performs key derivation using a public parameter for decryption, the decryption time is proportional to the depth of users. Hence, BESTIE and CSD are IoT-friendly PKBE schemes in decryption.  Table 2 shows the public key and secret key size in the bestie, CSD, SD, and interval schemes. When the number of users is 2 128 , BESTIE requires 7.56 KB of SK storage, while CSD, SD, and interval schemes require 960 KB, 40,960 KB, and 640 KB, respectively. Overall, the encryption and decryption performance results show that the BESTIE achieves the fastest encryption and decryption time both less than 200 ms; it indicates that the performance overhead is not an issue in the IoT implementation. The main issue is the secret key size: The key storage sizes in most resource-constrained devices are less than 8 KB. The key size results show that the BESTIE achieves the smallest key size due to the smaller order of O(log n), which is the only available result for the restricted key storages in IoT devices.

Conclusions
This paper proposes a broadcast encryption scheme for tiny IoT equipment (BESTIE) that reduces the key size suitable for a large scale IoT systems. The proposed BESTIE is a public key broadcast encryption scheme for the combinatorial subset difference (CSD) representation. BESTIE has the most efficient ciphertext header size, which is 2r in the worst case, where r is the number of revoked users. Most importantly, BESTIE is the first scheme to reduce a key size to O(log n) from O(log 2 n), which was the minimal key size in existing subset difference-based approaches, without sacrificing any other factor.