- H. Kobayashi, Y. Watanabe, and J. Shikata
- IMACC 2021
- LNCS 13129
Broadcast Encryption (BE) is a cryptosystem that allows a sender to specify recipients so that only the specified recipients can perform decryption. Anonymity, which is one of additional but important security requirements of BE, guarantees that no information of the designated recipients is leaked from ciphertexts, and several BE schemes with anonymity (ANO-BE) have been proposed so far. Kiayias and Samari (IH 2013) analyzed a lower bound on the ciphertext size required for ANO-BE. In their analysis, they derived the lower bound under the assumption that ANO-BE schemes meets a special property. However, it is unclear whether the special property holds for existing ANO-BE schemes. In other words, their analysis is insufficient to show that the existing ANO-BE schemes achieve the optimal ciphertext size. In this paper, we derive a lower bound on the ciphertext size in ANO-BE, assuming only properties that most existing ANO-BE schemes satisfy. In our analysis, we newly define several properties abstracted from existing (even non-anonymous) BE schemes and carefully analyze them to replace the Kiayias—Samari assumption with ours. As a result, we show that the existing ANO-BE schemes achieve the optimal ciphertext size. We further show that our analysis can be extended to the authentication setting. Specifically, we first derive a lower bound on the authenticator sizes required for anonymous broadcast authentication.