AI Summary
Existing distributed broadcast encryption (DBE) schemes have only been proven secure against adaptive chosen-plaintext attacks (CPA), not adaptive chosen-ciphertext attacks (CCA), and verifying a user's public key costs a number of pairing operations linear in the number of users. This paper proposes the first DBE scheme with a proof of adaptive CCA security. In the construction, each user generates their own key pair and a sender encrypts to any chosen subset of users using only those users' public keys. The proof proceeds in two steps: a semi-static CCA security model is defined and a scheme is proven secure in it under a q-type assumption in bilinear groups; then the Gentry-Waters generic transformation from semi-static CPA security to adaptive CPA security is adapted so that it carries over CCA security, yielding an adaptively CCA-secure DBE scheme. Public-key verification takes a constant number of pairings plus group membership checks; ciphertexts and private keys are constant size, while the public key is linear in the number of users. Relative to prior CPA-secure DBE schemes, the result is both a stronger security guarantee and cheaper public-key verification.
Abstract
Distributed broadcast encryption (DBE) is a variant of broadcast encryption (BE) in which users independently generate their own public and private keys, and a sender can efficiently create a ciphertext for a subset of users using only the public keys of the users in that subset. Previously proposed DBE schemes have been proven secure only in the adaptive chosen-plaintext attack (CPA) model and have the drawback that verifying a user's public key requires a linear number of pairing operations. In this paper, we propose an efficient DBE scheme in bilinear groups and prove adaptive chosen-ciphertext attack (CCA) security for the first time. To do this, we first propose a semi-static CCA-secure DBE scheme and prove its security under a $q$-type assumption. Then, by modifying the generic transformation of Gentry and Waters, which converts a semi-static CPA-secure DBE scheme into an adaptive CPA-secure one, so that it applies to CCA-secure DBE schemes, we obtain an adaptive CCA-secure DBE scheme and prove its adaptive CCA security. Our proposed DBE scheme is efficient: ciphertexts and private keys are of constant size, public keys are of linear size, and public-key verification requires only a constant number of pairing operations together with efficient group membership checks.