In [2], Fazio and Perera also present a variant of the scheme with even shorter ciphertexts (linear in the number of revoked users), at a price on the other parameters, most notably user storage and decryption complexity.

Anonymous Broadcast Encryption

Conventional encryption provides the means for secret transmission of data in point-to-point communication. The setting of broadcast encryption, instead, consists of a sender, an insecure unidirectional broadcast channel, and a universe of receivers. When the sender wants to transmit some digital content, it specifies the set of authorized receivers and creates an encrypted version of the content. A secure broadcast encryption scheme enables legitimate receivers to recover the original content, while ensuring that excluded users just obtain meaningless data, even in the face of collusions.

One implicit requirement of the standard setting of broadcast encryption is that, whenever the digital content is encrypted and sent in broadcast, information about the set of authorized receivers is necessary to decrypt it correctly. Therefore, the set of authorized receivers is transmitted as part of the ciphertext. This in particular implies that an eavesdropper, even if unable to recover the message, can still easily discover the identities of the actual receivers of the content.

An interesting variant of the broadcast encryption setting was proposed by Barth, Boneh and Waters in 2006. Therein, the authors introduce the notion of private broadcast encryption scheme, explicitly aiming at protecting the identities of the receivers. As a proof-of-concept, they also suggest both generic and number-theoretic public-key constructions that do not leak any information about the list of authorized receivers, and are secure in the standard model and in the random oracle model, respectively. The proposed schemes, however, have communication complexity linear in the number of recipients.
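The cost described above can be seen in a small sketch, added here as an illustration and not taken from Barth, Boneh and Waters or from Fazio and Perera: the header names no receiver, each user trial-decrypts every slot, and the header grows by one slot per recipient. It assumes a textbook ElGamal key wrap over one shared group with constructed, insecure parameters, and it makes no attempt at chosen-ciphertext security; all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Constructed demo parameters: a 127-bit prime is far too small for real use.
P = 2**127 - 1
G = 3

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def _kdf(shared, label):
    return hashlib.sha256(label + shared.to_bytes(16, "big")).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _tag(shared, c1, wrap):
    data = c1.to_bytes(16, "big") + wrap
    return hmac.new(_kdf(shared, b"mac"), data, hashlib.sha256).digest()

def encrypt(recipient_pks, message):
    """Return (slots, body). No recipient identity or key appears in the output."""
    k = secrets.token_bytes(32)                  # fresh session key
    slots = []
    for pk in recipient_pks:                     # one slot per recipient: linear size
        r = secrets.randbelow(P - 2) + 1
        c1, shared = pow(G, r, P), pow(pk, r, P)
        wrap = _xor(k, _kdf(shared, b"enc"))
        slots.append((c1, wrap, _tag(shared, c1, wrap)))
    secrets.SystemRandom().shuffle(slots)        # slot order must not mirror the list
    body = _xor(message, hashlib.shake_256(k).digest(len(message)))
    return slots, body

def decrypt(sk, ciphertext):
    """Trial-decrypt every slot; return the message, or None for an excluded user."""
    slots, body = ciphertext
    for c1, wrap, tag in slots:
        shared = pow(c1, sk, P)
        if hmac.compare_digest(tag, _tag(shared, c1, wrap)):
            k = _xor(wrap, _kdf(shared, b"enc"))
            return _xor(body, hashlib.shake_256(k).digest(len(body)))
    return None
```

A conventional broadcast header would carry the recipient list in the clear next to the wrapped keys; here an eavesdropper sees only the number of slots.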

In [1], Fazio and Perera propose the first broadcast encryption scheme with sublinear ciphertexts to achieve meaningful guarantees of receiver anonymity. In particular, [1] puts forth the notion of outsider-anonymous broadcast encryption (oABE), a class of schemes that enjoy a degree of anonymity lying between the lack of protection characteristic of traditional broadcast encryption schemes on one end, and full anonymity on the other end. More specifically, in the oABE setting, recipient identities are hidden from users not authorized to receive the message, but individual recipients might be able to learn who else is getting the same message. The work of [1] contains a generic oABE construction based on any anonymous identity-based encryption scheme (AIBE). Additionally, by adapting the techniques of Barth et al., Fazio and Perera obtain an efficient construction with enhanced decryption, where for a given oABE ciphertext, the decryption algorithm executes a single (AIBE) decryption operation.

The results in [1] have applications to the secure distribution of tactical data in military missions with ad-hoc team formation, which are discussed in [3].


[1]
Outsider-Anonymous Broadcast Encryption with Sublinear Ciphertexts,
N. Fazio and I.M. Perera
Public Key Cryptography – PKC 2012, LNCS 7293, pp. 225-242, Springer, 2012

[2]
Outsider-Anonymous Broadcast Encryption with Sublinear Ciphertexts,
N. Fazio and I.M. Perera
Journal version of [1]. In submission to the Journal of Cryptology, 2012

[3]
Protecting Receivers Identities in Secure Data Distribution,
N. Fazio and I.M. Perera
The Annual Conference of International Technology Alliance (ACITA ’12), 2012


This research is supported in part by the National Science Foundation under CAREER award #1253927 and grant CNS #1117675 and by the U.S. Army Research Laboratory and the U.K. Ministry of Defence and was accomplished under Agreement Number W911NF-06-3-0001. This project was also partially sponsored by PSC-CUNY awards 63356-00 41 and 64578-00 42 of the Professional Staff Congress and the City University of New York.