Multi-recipient and threshold encryption based on hidden multipliers

Abstract

Let $S$ be a pool of $s$ parties and Alice be the dealer. In this paper, we propose a scheme that allows the dealer to encrypt messages in such a way that only one authorized coalition of parties (which the dealer chooses depending on the message) can decrypt. At the setup stage, each of the parties involved in the process receives an individual key from the dealer. To decrypt information, an authorized coalition of parties must work together to use their keys. Based on this scheme, we propose a threshold encryption scheme. For a given message $f$ the dealer can choose any threshold $m = m(f).$ More precisely, any set of parties of size at least $m$ can evaluate $f$; any set of size less than $m$ cannot do this. Similarly, the distribution of keys among the included parties can be done in such a way that authorized coalitions of parties will be given the opportunity to put a collective digital signature on any documents. This primitive can be generalized to the dynamic setting, where any user can dynamically join the pool $S$. In this case the new user receives a key from the dealer. Also any user can leave the pool $S$. In both cases, already distributed keys of other users do not change. The main feature of the proposed schemes is that for a given $s$ the keys are distributed once and can be used multiple times. The proposed scheme is based on the idea of hidden multipliers in encryption. As a platform, one can use both multiplicative groups of finite fields and groups of invertible elements of commutative rings, in particular, multiplicative groups of residue rings. We propose two versions of this scheme.