1. Introduction

The concept of broadcast encryption, introduced by Berkovits, allows a sender to efficiently broadcast encrypted messages to selected recipients while preventing others from decrypt them [1]. Traditionally, RSA encryption, a public-key cryptosystem proposed by Rivest, Shamir, and Adleman in 1977, is designed for one-to-one communication [2]. However, with the rapid growth of networks, most applications now operate in one-to-many communication scenarios, making traditional RSA cryptosystems less suitable. Consequently, research on multi-user cryptosystems leveraging broadcast encryption.has expanded. Sigurd proposed a collusion-resistant scheme based on hidden RSA subgroups, while Baee et al. introduced a broadcast authentication scheme to enhance vehicle-to-vehicle (V2V) communication security improvement [3-4]. Balakrishna conducted a systematic review on broadcast encryption and Srivastava et al. proposed a multivariate polynomial-based identity-based broadcast encryption (MulIB-BE) scheme [5-6]. Further, Rabaninejad et al. developed an attribute-based anonymous broadcast encryption scheme (Improved-YRL), Dupin et al. introduced a symmetric cryptography-based broadcast encryption model, and Lin Guoqing et al. proposed a key management protocol suitable for RSA broadcast encryption [7-9]. Li Xiaofeng et al. designsed a multi-user RSA encryption scheme for targeted receivers [10]. Collectively, these contributions have significantly advanced broadcast encryption technology, particularly in improving the efficiency, security, and practicality. Based on the research of Lin Guoqing and Li Xiaofeng, this paper proposes a new multi-privilege RSA broadcast encryption scheme, which implements the division of multiple privilege levels.

2. Related works

This section introduces the key generation algorithm for generating multiple private keys from a single public key and reviews Lin’s 2004 RSA-based broadcast encryption protocol. It also defines the public key modulus \( {N_{i}} \) and the secret key \( {S_{i}} \) generation algorithm used for privilege level division, forming the theoretical foundation of this paper.

Key generation algorithm: Assume that a broadcast center intends to broadcast messages to \( n \) users. The broadcast center selects a public key \( e \) and generates a private key \( {d_{i}} \) for each user \( {u_{i}} \) . For each user \( {u_{i}} \) , different moduli \( {n_{i}} \) are selected for key generation, generating a different private key \( {d_{i}} \) . This can be viewed as a function \( {d_{i}}=f({n_{i}}) \) where the input is the modulus \( {n_{i}} \) and the output is the private key \( {d_{i}} \) , with \( {n_{i}}={p_{i}}*{q_{i}} \) , and \( φ({n_{i}})=({p_{i}}-1)*({q_{i}}-1) \) , ensuring that \( gcd{(φ({n_{i}}),e)}=1 \) , and thus \( e{d_{i}}≡1 mod φ({n_{i}}) \) . For example, with \( e=7 \) , let \( {n_{1}}=7×11=77 \) , so \( φ({n_{1}})=60 \) , and \( 7{d_{1}}≡1 mod 60 \) , yielding \( {d_{1}}=43 \) , Similarly, let \( {n_{2}}=2*11=22 \) , so \( φ({n_{2}})=10 \) , and \( 7{d_{2}}≡1 mod 10 \) , yielding \( {d_{2}}=3 \) . This proves that for each user \( {u_{i}} \) , a different private key \( {d_{i}} \) corresponding to \( {u_{i}} \) can be generated. This key generation algorithm improves the computational efficiency of the key management center and reduces storage requirements.

In Lin Guoqing and Li Xiaofeng’s research on RSA broadcast encryption schemes, both adopted similar key generation algorithms. However, in their schemes, the public key modulus \( N \) is defined as \( N={n_{1}}*{n_{2}}*…*{n_{i}} \) , and encryption is performed using \( N \) as the modulus. Since \( N \) is a multiple of each \( {n_{i}} \) , any user \( {u_{i}} \) can use their corresponding private key \( {d_{i}} \) to decrypt all broadcast messages. The proof of this point is as follows:

Assume a broadcast system has two users \( {u_{1}} \) and \( {u_{2}} \) . The broadcast center needs to send two messages: \( {M_{1}} \) (the message intended for user \( {u_{1}} \) ) and \( {M_{2}} \) (the message intended for user \( {u_{2}} \) ). The public key is \( e \) , and \( N= {n_{1}}*{n_{2}} \) , where \( {n_{1}}={p_{1}}*{q_{1}} \) , and \( {n_{2}}={p_{2}}*{q_{2}} \) . During decryption, user \( {u_{1}} \) uses their private key \( ({d_{1}},{n_{1}}) \) to decrypt message \( {M_{1}} \) , where:

\( {M_{1}}=C_{1}^{{d_{1}}} mod {n_{1}}=(M_{1}^{e{d_{1}}} mod N) mod {n_{1}} \)

Since \( N= {n_{1}}*{n_{2}} \) , \( N \) is a multiple of \( {n_{1}} \) , thus:

\( {M_{1}}=(M_{1}^{e{d_{1}}} mod N) mod {n_{1}}=M_{1}^{e{d_{1}}} mod {n_{1}} \)

However, if user \( {u_{2}} \) , acting as an attacker, attempts to decrypt both messages, they will derive:

\( {M_{1}}=(M_{1}^{e{d_{2}}} mod N) mod {n_{2}}=M_{1}^{e{d_{2}}} mod {n_{2}} \)

By Euler's theorem, since \( gcd{({M_{1}},{n_{1}})}=1 \) and \( gcd{({M_{2}},{n_{2}})}=1 \) , it follows that:

\( M_{1}^{φ({n_{1}})}≡1 mod {n_{1}} \) , \( M_{1}^{φ({n_{2}})}≡1 mod {n_{2}} \)

Thus:

\( M_{1}^{e{d_{1}}} ≡M_{1}^{kφ({n_{1}})+1}≡M[{M^{φ({n_{1}})}}{]^{k}} mod {n_{1}}≡M[1{]^{k}} mod {n_{1}}≡M mod {n_{1}}=M \)

Similarly:

\( M_{1}^{e{d_{2}}}≡ M mod {n_{2}}=M \)

Therefore, user \( {u_{2}} \) , using their private key \( ({d_{2}}, {n_{2}}) \) , can also decrypt message \( {M_{1}} \) , which is unreasonable for a broadcast system with privilege division.

It is worth noting that Lin's scheme proposed a key management protocol that divides plaintext into groups and encrypts them using a randomly generated secret key \( S \) , which is then broadcasted after RSA encryption. However, their scheme did not explicitly define how the random secret key \( S \) is generated. Moreover, to prevent users from decrypting others' messages, \( m \) different secret keys \( {S_{i}} \) should be used to encrypt each of the \( m \) messages, and the secret key \( {S_{i}} \) used for encrypting each plaintext \( {M_{i}} \) must differ.

2.1. Public key modulus \( {N_{i}} \) and secret key \( S \) definition for privilege division

To avoid a scenario where one user can decrypt messages intended for other users, this paper builds upon Lin's scheme and proposes an RSA encryption scheme suitable for a multi-privilege broadcast system. This scheme redefines the public key modulus \( {N_{i}} \) and the secret key \( S \) generation suitable for a privilege division system.

2.1.1. Definition of public key modulus \( {N_{i}} \) ​. To distinguish between users' privilege levels, assume a broadcast center needs to broadcast \( m \) messages. It should generate \( m \) different \( {N_{i}} \) . The user with the highest privilege level should be able to decrypt all messages, and the private key distributed to this user by the key management center is denoted as \( ({d_{m}},{n_{m}}) \) . Each \( {N_{i}} \) should be a multiple of \( {n_{m}} \) to ensure that this user can decrypt all messages. Therefore, the formula for the public key modulus \( {N_{i}} \) is:

\( {N_{i}}={r_{i}}*\prod _{i=1}^{m}{n_{i}} \)

\( {N_{1}}={r_{1}}*{n_{1}}*{n_{2}}…*{n_{m}} \)

\( {N_{2}}={r_{2}}*{n_{2}}*…*{n_{m}} \)

…

\( {N_{m}}={r_{m}}*{n_{m}} \)

where \( {r_{i}} \) is a confusion factor. During encryption, the secret key \( {S_{i}} \) is encrypted using \( {N_{i}} \) . For user \( {u_{1}} \) , if they attempt to use their private key \( {d_{1}} \) to decrypt any message other than \( {M_{1}} \) , they will fail because \( {N_{i}}(2≤i≤m) \) is not a multiple of \( {n_{1}} \) , preventing the correct decryption of the secret key \( {K_{i}} \) . This will be proven in Section 4.

2.1.2. Secret key \( {K_{i}} \) generation. The secret key \( {K_{i}} \) ​ is used for symmetric encryption of plaintext messages. To ensure that users with different privilege levels can decrypt different messages, \( m \) secret keys \( {K_{i}} \) are generated for \( m \) plaintext messages \( {M_{i}} \) . The key management center selects \( m \) large numbers \( {t_{i}} \) as modulus confusion factors, which should be slightly smaller than the corresponding \( {M_{i}} \) . The secret key \( {K_{i}} \) is then generated by performing a modulus operation on \( {M_{i}} \) :

\( {K_{i}}={M_{i}} mod {t_{i}} \)

3. RSA broadcast encryption

The scheme proposed consists of three stages: in the stage of system initializagtion, the key management center generates the public key \( (e,{N_{i}}) \) and private keys \( {d_{i}} \) for each level \( L=i,0≤i≤m \) . The private keys are distributed to users based on their assigned privilege levels \( L=i \) , where \( 0≤i≤m \) . Each user receives the corresponding private key \( {d_{i}} \) according to their privilege level. Second, in the encryption stage, the broadcast center generates a secret key \( {K_{i}} \) for each plaintext message \( {M_{i}} \) , where \( 0≤i≤m \) . The secret key \( {K_{i}} \) is used to symmetrically encrypt the plaintext message \( {M_{i}} \) , producing the information ciphertext \( {C_{i}} \) . The secret key \( {K_{i}} \) is then encrypted using the RSA algorithm, resulting in the secret key ciphertext \( {S_{i}} \) . Both the secret key ciphertext \( {S_{i}} \) and the information ciphertext \( {C_{i}} \) are broadcasted. Last, when users receive the broadcast message, they use their private key \( {d_{i}} \) to decrypt the corresponding secret key \( {K_{i}} \) . Once the secret key \( {K_{i}} \) is obtained, it is used to decrypt the information ciphertext \( {C_{i}} \) to retrieve the original plaintext message \( {M_{i}} \) .

3.1. System initialization

Assume the broadcast center needs to broadcast \( m \) plaintext messages \( \lbrace {M_{1}},{M_{2}},…,{M_{m}}\rbrace \) , The key management center divides the users into \( m+1 \) privilege levels \( L=\lbrace 0,1,2,…,m\rbrace \) . Users are assigned a privilege level upon registration. The lowest privilege level is \( L=0 \) , representing unauthorized (or illegal) users who do not receive private keys and thus cannot decrypt any messages. The highest privilege level is \( L=m \) , where users can decrypt all messages. The relationship between privilege levels required to decrypt messages is as follows:

\( {M_{m}} \gt {M_{m-1}} \gt … \gt {M_{2}} \gt {M_{1}} \)

Before transmission, the key management center generates \( m \) public keys and \( m \) private keys. First, it selects \( 2m \) distinct large prime numbers \( {p_{1}},{q_{1}},{p_{2}},{q_{2}},…,{p_{m-1}},{q_{m-1}},{p_{m}},{q_{m}} \) . The decryption modulus is \( {n_{i}}={p_{i}}*{q_{i}} \) , and the Euler's totient function is \( φ({n_{i}})={(p_{i}}-1)*({q_{i}}-1) \) . A public exponent \( e \) is selected such that \( e \) is a positive integer smaller than and coprime with each \( φ({n_{i}}) \) . Next, \( m \) large primes \( {r_{i}} \) ​are chosen as confusion factors, ensuring that \( {r_{i}}≠e≠{p_{1}}…{p_{m}}≠{q_{1}}…{q_{m}} \) . The public key modulus \( {N_{i}} \) is calculated as:

\( {N_{i}}={r_{i}}*\prod _{i=1}^{m}{n_{i}} \) (1)

The broadcast center uses \( (e,{N_{i}}) \) as the public key and generates \( m \) private keys \( {d_{i}} \) , where \( {d_{i}} \) satisfies the congruence:

\( {e^{{d_{i}}}}≡1 mod φ({n_{i}}) \) (2)

The resulting private key set \( \lbrace {d_{1}},{d_{2}},…{d_{m}}\rbrace \) is distributed to users based on their privilege levels. Users with privilege level \( L=i,where(0≤i≤m) \) can decrypt the set of ciphertexts is:

\( {Q_{i}}(L)=\begin{cases} \begin{array}{c} ∅,L=0 \\ \lbrace {M_{i}}\rbrace :1≤i≤m,L \gt 0 \end{array} \end{cases} \) (3)

according to the following decryption expectations:

L=0: Users do not receive private keys and thus cannot decrypt any messages.

L=1: Users receive \( ({d_{1}},{n_{1}}) \) and can decrypt \( \lbrace {M_{1}}\rbrace \)

L=2: Users receive \( ({d_{2}},{n_{2}}) \) and can decrypt \( \lbrace {M_{1}},{M_{2}}\rbrace \)

…

L=m: Users receive \( ({d_{m}},{n_{m}}) \) and can decrypt \( \lbrace {M_{1}},{M_{2}},…,{M_{m}}\rbrace \)

3.2. Encryption

A large confusion modulus \( t \) is selected, and the broadcast center performs a modulus operation on each plaintext \( {M_{i}} \) to generate the secret key \( {K_{i}} \) , then RSA-encrypted to produce \( m \) secret key ciphertexts \( {S_{i}} \) ​:

\( {K_{i}}={M_{i}} mod t \) (4)

\( {S_{i}}=K_{i}^{e} mod {N_{i}} \) (5)

For each plaintext \( {M_{i}} \) , DES encryption is performed using \( {K_{i}} \) as the key, resulting in \( m \) information ciphertexts \( {C_{i}} \) :

\( {C_{i}}=E({K_{i}},{M_{i}}) \) (6)

The broadcast center then broadcasts the set \( (e,\lbrace {N_{1}}…{N_{m}}\rbrace ,\lbrace {S_{1}}…{S_{m}}\rbrace ,\lbrace {C_{1}}…{C_{m}}\rbrace ) \) to all users.

3.3. Decryption

Each user receives the broadcast message and uses their private key \( ({d_{i}},{n_{i}}) \) to decrypt the broadcast message and obtain the secret key set \( \lbrace {K_{1}},…,{K_{i}}\rbrace ,where(1≤i≤m) \) . The user then uses the secret keys to decrypt the ciphertext set \( \lbrace {C_{1}}…{C_{m}}\rbrace \) to retrieve the corresponding plaintext messages:

\( {K_{i}}=S_{i}^{{d_{i}}} mod {n_{i}} \) (7)

\( {M_{i}}=D({K_{i}},{C_{i}}) \) (8)

4. Feasibility proof

By selecting \( e \) , \( p \) , and \( q \) , the private key \( (d,n) \) and public key \( (e,N) \) can be obtained using formulas (1) and (2). Let the plaintext be \( M \) . By applying formula (4), the secret key \( K \) is derived. If \( N \) is a multiple of \( n \) , then applying formula (7) will yield the correct \( K \) . If \( N \) is not a multiple of \( n \) , the correct \( K \) will not be obtained. The proof is as follows:

\( S={K^{e}} mod N \)

\( K={S^{d}} mod n=({K^{ed}} mod N) mod n \)

Since the private key is generated such that \( ed≡1 mod φ(n) \) , it follows that:

\( {K^{ed}}={K^{φ(n)+1}} \)

Thus:

\( K=({K^{φ(n)+1}} mod N) mod n=({K^{φ(n)+1}}-αN) mod n=(K-αN) mod n \)

For the proof of \( ({K^{φ(n)+1}}-αN) mod n=(K-αN) mod n \) , consider the following two cases:

When \( K \) is coprime with \( n \) :

According to Euler's theorem, if \( gcd{(α,n)}=1 \) , then \( {α^{φ(n)}}≡1 mod n \) . Thus:

\( {K^{φ(n)}}≡1 mod n \)

Therefore:

\( ({K^{φ(n)+1}}-αN) mod n=(K[{K^{φ(n)}}] - αN) mod n=(K-αN) mod n \)

When \( K \) is not coprime with \( n \) :

Assume \( K=c*p \) , and \( M \lt n \) . Since \( K \lt n \) , \( K \) cannot be a multiple of both \( p \) and \( q \) , implying that \( K \) must be coprime with \( q \) . By Euler's theorem, \( {K^{φ(q)}}≡1 mod q \) ,hence:

\( {[{K^{φ(p)}}]^{φ(q)}}≡1 mod q \)

This implies:

\( {K^{φ(n)}}≡1 mod q \)

Therefore:

\( {K^{φ(n)}}=1+b*q \)

Consequently:

\( {K^{φ(n)+1}} mod n=K+K*b*q mod n=K+cpbq mod n=K+cbn mod n=K \)

Thus, it follows that:

\( ({K^{φ(n)+1}}-αN) mod n=(K-αN) mod n \)

When \( N \) is a multiple of \( n \) , \( αN mod n=0 \) . Since \( K \lt n \) , it follows that \( K mod n=K \) . Therefore:

\( (K-αN) mod n=K-0=K \)

Using \( M=D(K,C) \) , the correct plaintext can be decrypted. When \( N \) is not a multiple of \( n \) \( (K-αN) mod n=K-(αN mod n) \) , and the correct \( K \) cannot be obtained, aligning with the expected decryption.

5. Security analysis

If an attacker (an unauthorized user) attempts to access all broadcast messages directed to \( m \) users, they must break either the RSA encryption or symmetric encryption. Since each broadcast round varies in message and key sets, private and secret keys also differ per round. Therefore, even if an attacker obtains keys from one round, they are invalid for previous and the subsequent rounds, ensuring both forward and backward security. If an attacker intercepts the secret key ciphertext \( {S_{i}} \) and the information ciphertext \( {C_{i}} \) they must attack the RSA encryption, that is, obtain the secret key KKK of the user with the highest privilege. Since the secret key \( K \) is encrypted using the RSA algorithm, its security is based on the difficulty of factoring large integers, consistent with the security of the standard RSA algorithm. If the attacker intercepts only the information ciphertext \( {C_{i}} \) , they must conduct an attack on DES encryption \( m \) times. Because each plaintext \( {M_{i}} \) is encrypted with a different secret key \( {S_{i}} \) , the attacker cannot ascertain the privilege level of the user and thus cannot determine the set of secret keys accessible to the user. In this scenario, the user remains anonymous to the attacker. Even if one secret key is cracked, the attacker cannot identify the corresponding user.

6. Conclusion

This paper presents an RSA broadcast encryption scheme suitable for a privilege division system. By differentiating user privilege levels, high-privilege users can decrypt more information, while low-privilege users can decrypt less, improving applicability and usability. By constructing different public key moduli \( {N_{i}} \) , the scheme implements user privilege division and provides a relatively secure RSA encryption scheme for network applications with a privilege hierarchy or for paid content access scenarios, thus expanding the use cases for RSA encryption and increasing its security and practicality. In this scheme, users do not need to possess multiple private keys; a single private key enables users to decrypt one or multiple plaintext messages. Additionally, unauthorized low-privilege users cannot correctly decrypt the secret keys of other users. During any given round of broadcasting, as users dynamically join or leave, the remaining users do not need to update their keys. Although the scheme proposes a multi-privilege public key broadcast encryption system for paid content access, limitations still exist in scenarios involving privilege division. For instance, if a user \( {u_{x}} \) only needs to obtain the \( x \) -th message, this scheme currently allows the user to access the message set \( \lbrace {M_{1}},{M_{2}},…,{M_{x}}\rbrace \) . To address such cases, further optimization of this scheme can be considered, such as enabling users to hold multiple private keys to satisfy specific user message retrieval needs, thereby providing broader applications for public key cryptography and the development of broadcast encryption technologies.