In the last session of the first day at PKC there were two talks dealing with anonymity in broadcast encryption. The aim of broadcast encryption (BE) is to efficiently send a message to a large set of receivers from some universe; application-wise it is epitomised by Pay TV. The notion was introduced by Fiat and Naor in 1993, and since then, security notions have evolved, now considering adaptive adversaries and collusion-resistance.
While the focus of recent research has been on minimizing the ciphertext length, one aspect of security seems to have been overlooked: in the common model of BE, the decryption algorithm requires, besides a user's secret key, knowledge of the set of recipients. Applied to Pay TV, this means a subscriber must know who else subscribed to the programme.
This arguably represents a severe breach of users' privacy, and the paper by Libert, Paterson and Quaglia, presented by Elizabeth, addresses this issue. They define the notion of anonymous BE, which guarantees that a ciphertext not only hides the encrypted message, but also the set of users it is broadcast to. Their first, straightforward instantiation leads to ciphertexts whose length is linear in the size of the universe. They then improve on this presenting a scheme whose ciphertext size only depends on the number of recipients. As previous schemes also require the recipient set to be transmitted, this means that, asymptotically, anonymity essentially comes for free.
The second talk was on outsider anonymity in BE, introduced by Fazio and Perera, which only guarantees that the ciphertext hides the set of users to non-receivers. So, in the application to Pay TV, in order to find out who is receiving a programme, it would suffice to subscribe to it too. Relaxing the security notion, they manage to improve on efficiency by giving a scheme with sub-linear ciphertext length.