1,140 research outputs found

    Contributions to Identity-Based Broadcast Encryption and Its Anonymity

    Broadcast encryption was introduced to improve the efficiency of encryption when a message should be sent to or shared with a group of users. Only the legitimate users chosen in the encryption phase are able to retrieve the message. The primary challenge in constructing a broadcast encryption scheme is to achieve collusion resistance such that the unchosen users learn nothing about the content of the encrypted message even if they collude

    Realizing Flexible Broadcast Encryption: How to Broadcast to a Public-Key Directory

    Suppose a user wants to broadcast an encrypted message to K recipients. With public-key encryption, the sender would construct K different ciphertexts, one for each recipient. The size of the broadcasted message then scales linearly with K. A natural question is whether the sender can encrypt the message with a ciphertext whose size scales sublinearly with the number of recipients. Broadcast encryption offers one solution to this problem, but at the cost of introducing a central trusted party who issues keys to different users (and correspondingly, has the ability to decrypt all ciphertexts). Recently, several works have introduced notions like distributed broadcast encryption and flexible broadcast encryption, which combine the decentralized, trustless model of traditional public-key encryption with the efficiency guarantees of broadcast encryption. In the specific case of a flexible broadcast encryption scheme, users generate their own public/private keys and can then post their public key in any public-key directory. Subsequently, a user can encrypt to an arbitrary set of user public keys with a ciphertext whose size scales polylogarithmically with the number of public keys in the broadcast set. A distributed broadcast encryption scheme is a more restrictive primitive where each public key is also associated with an index, and one can only encrypt to a set of public keys corresponding to different indices. In this work, we introduce a generic compiler that takes any distributed broadcast encryption scheme and produces a flexible broadcast encryption scheme. Moreover, whereas existing concretely-efficient constructions of distributed broadcast encryption have public keys whose size scales with the maximum number of users in the system, our resulting flexible broadcast encryption scheme has the appealing property that the size of each public key scales with the size of the maximum broadcast set. 
We provide an implementation of the flexible broadcast encryption scheme obtained by applying our compiler to the distributed broadcast encryption scheme of Kolonelos, Malavolta, and Wee (ASIACRYPT 2023). With our scheme, a sender can encrypt a 128-bit symmetric key to a set of over 1000 recipients (from a directory with a million users) with a 2 KB ciphertext. This is 16× smaller than separately encrypting to each user using standard ElGamal encryption. The cost is that the user public keys in flexible broadcast encryption are much larger (50 KB) compared to standard ElGamal public keys (32 bytes). Compared to the similarly-instantiated distributed broadcast encryption scheme, we achieve a 32× reduction in the user's public key size (50 KB vs. 1.6 MB) without changing the ciphertext size. Thus, flexible broadcast encryption provides an efficient way to encrypt messages to large groups of users at the cost of larger individual public keys (relative to vanilla public-key encryption)

    Short message multichannel broadcast encryption

    The current use of short messages in wireless networks is growing rapidly. Messaging applications in mobile terminals with wireless coverage are very common in shopping, educational and transport centers, i.e. in centers of massive influx of people. This requires improving its efficiency, without losing security in such a hostile environment. In this paper, we propose an improvement in the use of the medium through a new multichannel broadcast encryption paradigm. Firstly, we rigorously demonstrate the security of our model that is characterized by two main issues: short messages and maintaining privacy in a shared frame. The improvements are obtained by reducing the transmitted overheads, saving bandwidth and airtime. To implement them, we improve the efficiency of communications, reducing the security headers to a single one, which will be shared by all receivers, while the payload is multiplexed via the Chinese Remainder Theorem. In this way we reduce the packet length (fewer headers) and set the ratio of the encrypted text/plaintext equal to one, if we do not take into account padding and security headers. Although the model can be used by all types of networks, both wired and wireless, the improvement is more noticeable in the latter type. To make it remarkable, we quantify what this gain will consist of

    Lattice-Inspired Broadcast Encryption and Succinct Ciphertext-Policy ABE

    Broadcast encryption remains one of the few remaining central cryptographic primitives that are not yet known to be achievable under a standard cryptographic assumption (excluding obfuscation-based constructions, see below). Furthermore, prior to this work, there were no known direct candidates for post-quantum-secure broadcast encryption. We propose a candidate ciphertext-policy attribute-based encryption (CP-ABE) scheme for circuits, where the ciphertext size depends only on the depth of the policy circuit (and not its size). This, in particular, gives us a Broadcast Encryption (BE) scheme where the size of the keys and ciphertexts have a poly-logarithmic dependence on the number of users. This goal was previously only known to be achievable assuming ideal multilinear maps (Boneh, Waters and Zhandry, Crypto 2014) or indistinguishability obfuscation (Boneh and Zhandry, Crypto 2014) and in a concurrent work from generic bilinear groups and the learning with errors (LWE) assumption (Agrawal and Yamada, Eurocrypt 2020). Our construction relies on techniques from lattice-based (and in particular LWE-based) cryptography. We analyze some attempts at cryptanalysis, but we are unable to provide a security proof

    Efficient identity-based broadcast encryption without random oracles.

    We propose a new efficient identity-based broadcast encryption scheme without random oracles and prove that it achieves selective identity, chosen plaintext security. Our scheme is constructed based on the bilinear Diffie-Hellman inversion assumption and it is a good, efficient hybrid encryption scheme, which achieves O(1)-size ciphertexts, public parameters and constant size private keys. In our scheme, neither ciphertexts nor public parameters have any relation with the number of receivers; moreover, both the encryption and decryption only require one pairing computation. Compared with other identity-based broadcast encryption schemes, our scheme has comparable properties, but with a better efficiency