International Association for Cryptologic Research

International Association
for Cryptologic Research


Group Encryption: Full Dynamicity, Message Filtering and Code-Based Instantiation

Khoa Nguyen
Reihaneh Safavi-Naini
Willy Susilo
Huaxiong Wang
Yanhong Xu
Neng Zeng
DOI: 10.1007/978-3-030-75248-4_24
Search ePrint
Search Google
Presentation: Slides
Abstract: Group encryption (\textsf{GE}), introduced by Kiayias, Tsiounis and Yung (Asiacrypt'07), is the encryption analogue of group signatures. It allows to send verifiably encrypted messages satisfying certain requirements to certified members of a group, while keeping the anonymity of the receivers. Similar to the tracing mechanism in group signatures, the receiver of any ciphertext can be identified by an opening authority - should the needs arise. The primitive of \textsf{GE} is motivated by a number of interesting privacy-preserving applications, including the filtering of encrypted emails sent to certified members of an organization. This paper aims to improve the state-of-affairs of \textsf{GE} systems. Our first contribution is the formalization of fully dynamic group encryption (\textsf{FDGE}) - a \textsf{GE} system simultaneously supporting dynamic user enrolments and user revocations. The latter functionality for \textsf{GE} has not been considered so far. As a second contribution, we realize the message filtering feature for \textsf{GE} based on a list of $t$-bit keywords and $2$ commonly used policies: ``permissive'' - accept the message if it contains at least one of the keywords as a substring; ``prohibitive'' - accept the message if all of its $t$-bit substrings are at Hamming distance at least $d$ from all keywords, for $d \geq 1$. This feature so far has not been substantially addressed in existing instantiations of \textsf{GE} based on DCR, DDH, pairing-based and lattice-based assumptions. Our third contribution is the first instantiation of GE under code-based assumptions. The scheme is more efficient than the lattice-based construction of Libert et al. (Asiacrypt'16) - which, prior to our work, is the only known instantiation of \textsf{GE} under post-quantum assumptions. Our scheme supports the $2$ suggested policies for message filtering, and in the random oracle model, it satisfies the stringent security notions for \textsf{FDGE} that we put forward.
Video from PKC 2021
  title={Group Encryption: Full Dynamicity, Message Filtering and Code-Based Instantiation},
  booktitle={Public-Key Cryptography - PKC 2021},
  author={Khoa Nguyen and Reihaneh Safavi-Naini and Willy Susilo and Huaxiong Wang and Yanhong Xu and Neng Zeng},