Tight lower bounds and optimal constructions of anonymous broadcast encryption and authentication

Abstract

Broadcast Encryption (BE) is public-key encryption allowing a sender to encrypt a message by specifing recipients, and only the specified recipients can decrypt the message. In several BE applications, since the privacy of recipients allowed to access the message is often as important as the confidentiality of the message, anonymity is introduced as an additional but important security requirement for BE. Kiayias and Samari (IH 2013) presented an asymptotic lower bound on the ciphertext sizes in BE schemes satisfying anonymity (ANO-BE for short). More precisely, their lower bound is derived under the assumption that ANO-BE schemes have a special property. However, it is insufficient to show their lower bound is asymptotically tight since it is unclear whether existing ANO-BE schemes meet the special property. In this work, we derive asymptotically tight lower bounds on the ciphertext size in ANO-BE by assuming only properties that most existing ANO-BE schemes satisfy. With a similar technique, we first derive asymptoticallyqueryPlease provide MSC codes. For more details, please visit http://www.ams.org/msc/. tight lower bounds on the authenticator sizes in Anonymous Broadcast Authentication (ABA). Furthermore, we extend the above result and present (non-asymptotically) tight lower and upper bounds on thequeryPlease check and confirm the Running title. ciphertext sizes in ANO-BE. We show that a variant of ANO-BE scheme proposed by Li and Gong (ACNS 2018) is optimal. We also provide tight bounds on the authenticator sizes in ABA via the same approach as ANO-BE, and propose an optimal construction for ABA.