1 Introduction

(Anonymous) Broadcast encryption Broadcast Encryption (BE) [11] enables a sender to encrypt a message while designating a set of recipients, so that only the designated recipients can decrypt. In more detail, in a BE system the sender encrypts a message \({\textsf{m}}\) to a subset \({\mathcal {S}}\), called the privileged set, chosen from N recipients. Any recipient in the privileged set \({\mathcal {S}}\) can decrypt the corresponding ciphertext \(\textsf {ct}_{{{\mathcal {S}}}}\), but recipients outside \({\mathcal {S}}\) cannot. Thanks to this functionality, BE has several applications, such as pay-TV services and access control in encrypted file systems. The de-facto standard security notion of BE is collusion resistance: even if all recipients outside \({\mathcal {S}}\) collude, they cannot obtain any information about the encrypted message. To date, many collusion-resistant BE schemes have been proposed (e.g., [1, 2, 5, 6, 15, 16, 38, 40]).

These schemes guarantee the confidentiality of the message, but the privileged set itself is transmitted in the clear with the ciphertext, since it is needed for decryption, whereas the confidentiality of the recipients authorized to access the message is an important security requirement in practice. For example, a pay-TV service sometimes requires the privacy of its users as well as the confidentiality of its contents. To address this requirement, several works [3, 20, 24, 25] have proposed BE schemes with anonymity, which ensures that no information on the designated recipients in \({\mathcal {S}}\) is leaked by the ciphertext \(\textsf {ct}_{{{\mathcal {S}}}}\). Two main notions of anonymity were introduced, called anonymity and full anonymity, by Barth et al. [3] and by Kiayias and Samari [20], respectively. Anonymity guarantees that no information on the set of designated recipients is leaked by ciphertexts except for its size, while full anonymity guarantees that ciphertexts do not even leak the size of the set. Fazio et al. [10] also introduced a weaker notion, called outsider anonymity, in which recipients in the privileged set are not considered malicious; the previous work in [10, 27] presents Anonymous BE schemes with compact ciphertexts under this notion. That notion may be insufficient for some BE applications, however, since an adversary inside the privileged set can learn information on the other designated recipients. Throughout this paper, we do not deal with outsider anonymity, and we refer to BE with anonymity and with full anonymity as ANO-BE and Full-ANO-BE, respectively. We also refer to ANO-BE and Full-ANO-BE collectively as Anonymous BE.

There is a MAC analogue of Anonymous BE, Anonymous Broadcast Authentication (ABA) [37]. ABA enables a sender to choose an arbitrary subset of receivers so that only the designated receivers can check the validity of a message and its authenticator. Moreover, ABA achieves anonymity: the authenticator reveals no information on which receivers are designated. ABA is expected to be a core cryptographic primitive for remote-control systems over IoT networks [37]. In such a system, a systems manager can choose an arbitrary command and have only the designated IoT devices execute it; for example, the manager can remotely and securely halt IoT devices infected with malware. Anonymity of ABA then guarantees that authenticators reveal nothing about which devices are designated, which is itself sensitive information (see [37] for details). In this work we also analyze the authenticator size required for ABA, though we mainly focus on Anonymous BE.

Ciphertext size of anonymous BE The previous work [3, 20, 24, 25] has presented several Anonymous BE schemes whose ciphertext size grows linearly with the number of designated recipients or with the number of all recipients. Specifically, the ciphertext sizes of the ANO-BE schemes are \(O\left( |{\mathcal {S}}|\cdot \kappa \right) \) and those of the Full-ANO-BE schemes are \(O\left( N\cdot \kappa \right) \), where \(|{\mathcal {S}}|\) and N are the numbers of designated recipients and of all recipients in the system, respectively, and \(\kappa \) is the security parameter. These constructions therefore establish upper bounds on the ciphertext size of Anonymous BE.

On the other hand, Kiayias and Samari [20] investigated lower bounds on the ciphertext size of Anonymous BE (i.e., ANO-BE and Full-ANO-BE). In particular, they showed that the ciphertext size must be \(\Omega \left( |{\mathcal {S}}|\cdot \kappa \right) \) for ANO-BE and \(\Omega \left( N\cdot \kappa \right) \) for Full-ANO-BE, for a limited class of (Anonymous) BE schemes, and listed several BE schemes in [3, 25, 30] that belong to the class.

Previous work and its issue We emphasize that Kiayias and Samari implicitly assumed a special property for BE schemes in their main theorem [20, Theorem 1]. More precisely, they indeed proved “if a BE scheme is anonymous and has the special property, then the lower bound holds.” However, it is hard to check whether the existing Anonymous BEs in the limited class (e.g., [3, 20, 25]) meet the property (see Sect. 1.2 for details), and it is not clearly shown that their lower bound on the ciphertext-sizes is asymptotically tight.

1.1 Our contributions

Asymptotically tight lower bounds In this paper, assuming only properties that most existing (Anonymous) BE schemes have, we show that the asymptotic lower bounds on the ciphertext size of ANO-BE and Full-ANO-BE are \(\Omega \left( |{\mathcal {S}}|\cdot \kappa \right) \) and \(\Omega \left( N\cdot \kappa \right) \), respectively. Our lower bounds are asymptotically tight, since they apply to the existing Anonymous BE schemes, whose ciphertext sizes match them, while Kiayias and Samari's bounds do not apply to these schemes. Our results also show that existing non-Anonymous BE schemes cannot be modified to meet anonymity unless their ciphertext size meets our lower bound, since the properties we assume also hold for existing (even non-Anonymous) BE schemes.

We derive the lower bounds by extending Kiayias and Samari's approach [20]: they considered Atomic BE (AtBE), in which each ciphertext and each decryption key is explicitly divided into multiple sub-elements, called atomic ciphertexts and atomic decryption keys, respectively; AtBE covers several BE schemes in [3, 25, 30]. Instead of deriving lower bounds on the ciphertext size directly, they showed lower bounds on the number of atomic ciphertexts in anonymous AtBE schemes. In the proof, however, they implicitly assumed a special property of AtBE schemes which is hard to verify for the existing schemes.

To provide the lower bounds without the special property, we modify Kiayias and Samari's strategy as follows. First, we extract several properties of existing BE schemes that suffice to derive a lower bound without the special property. To formalize these properties, we also modify Kiayias and Samari's AtBE, for which [20] gave only an informal syntax. Note that our AtBE covers a broad range of (both Anonymous and non-Anonymous) BE schemes [1,2,3, 6, 15, 16, 24, 25, 30, 38]. We then provide lower bounds on the number of atomic ciphertexts in our AtBE with anonymity.

We summarize the differences between Kiayias and Samari’s analysis and ours below.

  • We assume several properties that most of the existing BE schemes have. To formally describe them, we give a formal syntax of AtBE, whereas Kiayias and Samari considered an informal one.

  • Our lower bounds hold for most of the previous Anonymous BEs (i.e., the BE schemes in [3, 24, 25]), since we only assume properties common to them. On the other hand, it is unclear whether the special property implicitly assumed in [20] holds for these BE schemes.

Note that our syntax of AtBE and properties cannot be trivially obtained from Kiayias and Samari’s results.

We also present lower bounds on the authenticator size required for ABA by taking an approach similar to that for ANO-BE. Our lower bounds on the authenticator size are \(\Omega \left( |{\mathcal {S}}|\cdot \kappa \right) \) and \(\Omega \left( N\cdot \kappa \right) \) for broadcast authentication with anonymity (ANO-BA) and with full anonymity (Full-ANO-BA), respectively. These are asymptotically tight, as there exist concrete ABA schemes in [37] that meet our lower bounds on the authenticator size. There are several broadcast authentication protocols [7, 32, 33], including TESLA [34], with constant-size authenticators. We cannot give a fair efficiency comparison between them and ABA, since these protocols aim to broadcast information to all receivers and do not allow the sender to choose an arbitrary subset of receivers. Nevertheless, as for Anonymous BE, our results indicate that the anonymity notions require authenticator overheads that grow with the number of designated recipients or of all recipients.

(Non-asymptotically) tight upper bounds and lower bounds In this work, we further aim to derive (non-asymptotically) tight upper and lower bounds for Anonymous BE. First, we show that the ciphertext sizes of ANO-BE and Full-ANO-BE are upper bounded by \(|{\mathcal {S}}|\cdot \kappa +o(|{\mathcal {S}}|\cdot \kappa )\) and \(N\cdot \kappa +o(N\cdot \kappa )\), respectively. Throughout this paper, we call a scheme optimal if the coefficient of the dominant term in its ciphertext size is one. Li and Gong [24] proposed an optimal ANO-BE scheme whose ciphertext size is \((|{\mathcal {S}}|+6)\cdot \kappa \). On the other hand, no optimal Full-ANO-BE scheme exists so far. The only explicitly described Full-ANO-BE scheme is that of Libert et al. [25], whose ciphertext size is \(N\cdot |\textsf {pke}.\textsf {ct}| + |\sigma |\), where \(|\textsf {pke}.\textsf {ct}|\) and \(|\sigma |\) denote the sizes of a PKE ciphertext and of a signature, respectively. Since, to the best of our knowledge, the ciphertext size of any IND-CCA secure PKE scheme must be at least \(2\cdot \kappa \), the most efficient Full-ANO-BE scheme in terms of ciphertext size has ciphertexts of size \(2N\cdot \kappa + |\sigma |\). In this paper, we propose a Full-ANO-BE scheme whose ciphertext size is \((N+6)\cdot \kappa \), based on Li and Gong's ANO-BE scheme [24]. From our Full-ANO-BE scheme and the ANO-BE scheme in [24], it follows that the ciphertext sizes of ANO-BE and Full-ANO-BE are upper bounded by \(|{\mathcal {S}}|\cdot \kappa +o(|{\mathcal {S}}|\cdot \kappa )\) and \(N\cdot \kappa +o(N\cdot \kappa )\), respectively. A comparison of ciphertext sizes is given in Table 1.

We also show that the ciphertext sizes of ANO-BE and Full-ANO-BE are lower bounded by \(|{\mathcal {S}}|\cdot \kappa +o(|{\mathcal {S}}|\cdot \kappa )\) and \(N\cdot \kappa +o(N\cdot \kappa )\), respectively. In computationally secure cryptographic constructions, especially algebraic ones, the coefficient of the dominant term in the ciphertext size is greater than or equal to 1, since the size of each component is measured in group elements, each of which takes at least \(\kappa \) bits (see, for example, [39]). Therefore, the coefficient of the dominant term in our asymptotic lower bounds can also be taken to be 1 or higher. Combining this observation with the asymptotic lower bounds above, we obtain the lower bounds \(|{\mathcal {S}}|\cdot \kappa +o(|{\mathcal {S}}|\cdot \kappa )\) and \(N\cdot \kappa +o(N\cdot \kappa )\) for ANO-BE and Full-ANO-BE, respectively, which match the upper bounds.

In addition, we apply a similar discussion to anonymous broadcast authentication (ABA). We propose optimal constructions of ABA with anonymity and with full anonymity, respectively; Table 2 compares the authenticator sizes. Finally, by the same analysis as for ANO-BE, we show that the authenticator sizes of ABA with anonymity and with full anonymity are both lower and upper bounded by \(|{\mathcal {S}}|\cdot \kappa +o(|{\mathcal {S}}|\cdot \kappa )\) and \(N\cdot \kappa +o(N\cdot \kappa )\), respectively.

Table 1 A comparison of the ciphertext-size between (Full-)ANO-BE schemes
Table 2 A comparison of the authenticator size between ABA schemes

Differences from the conference paper [22] This paper is an extended version of the conference paper [22]. First, since the proof of Lemma 1 in the conference version [22] has a fatal flaw, we revisit the way the lower bounds are proved. Specifically, we restate the lemma (see Lemma 2 in Sect. 4) in a computational-security sense, i.e., no probabilistic polynomial-time adversary can find secret keys that fulfil a certain condition, whereas the lemma in [22] dealt with adversaries with unbounded computational power. Second, we additionally show (non-asymptotically) tight lower and upper bounds, whereas the conference version [22] covers only asymptotically tight lower bounds.

1.2 Technical overview

Kiayias and Samari’s approach [20] Kiayias and Samari provided a lower bound on the number of sub-elements in a BE ciphertext, not on the bit length of the ciphertext. To make the sub-elements easier to handle, they introduced AtBE, in which ciphertexts and decryption keys are composed of atomic ciphertexts and atomic decryption keys. In more detail, a ciphertext \(\textsf {ct}_{{{\mathcal {S}}}}\) consists of \(\rho \) atomic ciphertexts \(\textsf {ct}_{{{\mathcal {S}}}}^{{({1})}}, \ldots , \textsf {ct}_{{{\mathcal {S}}}}^{{({\rho })}}\), and the decryption key of a recipient \(\textsf {id}\) consists of \(\tau \) atomic decryption keys \(\textsf {sk}_{{\textsf {id}}}^{\left( {1}\right) }, \ldots , \textsf {sk}_{{\textsf {id}}}^{\left( {\tau }\right) }\). If the recipient \(\textsf {id}\) is included in \({\mathcal {S}}\), there exists at least one pair of an atomic ciphertext \(\textsf {ct}_{{{\mathcal {S}}}}^{{({\theta })}}\) and an atomic decryption key \(\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) }\) that produces the message \({\textsf{m}}\) (i.e., \(\textsf {ct}_{{{\mathcal {S}}}}^{{({\theta })}}\) can be decrypted with \(\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) }\)).

They then analyzed a lower bound on the number of atomic ciphertexts in any anonymous AtBE scheme. More specifically, they showed in [20, Theorem 2] that “for any AtBE scheme, if there exists a set \({\mathcal {S}}\) such that the number of atomic ciphertexts in \(\textsf {ct}_{{{\mathcal {S}}}}\) is smaller than \(|{\mathcal {S}}|\), then there is a successful adversary against anonymity of the AtBE scheme.” However, the following property was implicitly assumed of AtBE in their proof:

Assumption 1

For all messages \({\textsf{m}}\), all privileged sets \({\mathcal {S}}\subseteq {\mathcal {I}}{\mathcal {D}}\), let \(\{\textsf {ct}_{{{\mathcal {S}}}}^{{({\theta })}}\}_{\theta \in [\rho ]} = \textsf {ct}_{{{\mathcal {S}}}} \leftarrow \textsf {Enc}(\textsf {pk},{\textsf{m}},{\mathcal {S}})\), where \({\mathcal {I}}{\mathcal {D}}\) is the set of all recipients. For all \(\textsf {id}, \textsf {id}'\in {\mathcal {S}}\), if they can decrypt the same atomic ciphertext \(\textsf {ct}_{{{\mathcal {S}}}}^{{({\theta })}}\) contained in \(\textsf {ct}_{{{\mathcal {S}}}}\), then atomic decryption keys \(\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) }\) and \(\textsf {sk}_{{\textsf {id}'}}^{\left( {\gamma '}\right) }\) used for the decryption are identical.

Namely, they actually proved the statement “for any AtBE scheme, if Assumption 1 holds (i.e., the AtBE scheme has the above property) and there exists a set \({\mathcal {S}}\) such that the number of atomic ciphertexts in \(\textsf {ct}_{{{\mathcal {S}}}}\) is less than \(|{\mathcal {S}}|\), then there is an adversary that breaks (full) anonymity of the AtBE scheme.” However, it is difficult to check whether the above property holds for Anonymous BE schemes: in every existing Anonymous BE [3, 20, 24, 25], the situation that “two recipients \(\textsf {id}, \textsf {id}' \in {\mathcal {S}}\) decrypt the same atomic ciphertext \(\textsf {ct}_{{{\mathcal {S}}}}^{{({\theta })}}\) contained in \(\textsf {ct}_{{{\mathcal {S}}}}\)” never occurs. The contrapositive of their theorem is “for any AtBE scheme, if it satisfies (full) anonymity, then Assumption 1 does not hold, or the number of atomic ciphertexts in \(\textsf {ct}_{{{\mathcal {S}}}}\) is at least \(|{\mathcal {S}}|\) for every privileged set \({\mathcal {S}}\).” In other words, the lower bound follows only if an AtBE scheme satisfies anonymity and Assumption 1 holds. For this reason, their proof is insufficient to show that their lower bound is asymptotically tight, since it is unclear whether Assumption 1 holds for existing (Anonymous) BE schemes. Note that the special property cannot be removed from their proof trivially, since their attacker relies on it to break (full) anonymity of the AtBE scheme.

Our approach We avoid the problem by refining Kiayias and Samari’s analysis. We consider other properties common to existing (Anonymous) BE schemes and derive a lower bound from them instead of from the special property. To do so, we give a new formal definition of AtBE in which these properties can be stated formally, whereas Kiayias and Samari presented AtBE only informally. Our AtBE allows the public key \(\textsf {pk}\) to be divided into several sub-elements, called atomic public keys \(\textsf {pk}^{\left( {1}\right) }, \ldots , \textsf {pk}^{\left( {\Delta }\right) }\), in the same way as ciphertexts and decryption keys. It has \(\textsf {Enc}\) and \(\textsf {Dec}\) algorithms as in BE, together with \(\textsf {Enc}\text {-}\textsf {at}\) and \(\textsf {Dec}\text {-}\textsf {at}\) algorithms that represent the encryption and decryption procedures for each atomic ciphertext inside \(\textsf {Enc}\) and \(\textsf {Dec}\), respectively. In \(\textsf {Enc}\text {-}\textsf {at}\), multiple atomic public keys \(\{\textsf {pk}^{\left( {\delta }\right) }\}_{\delta \in \Delta '}\), where \(\Delta ' \subseteq [\Delta ]\), are used to generate an atomic ciphertext \(\textsf {ct}_{{\mathcal {S}}, \textsf {id}}\) corresponding to a recipient \(\textsf {id}\) in \({\mathcal {S}}\). In \(\textsf {Dec}\text {-}\textsf {at}\), an atomic ciphertext \(\textsf {ct}_{{\mathcal {S}}, \textsf {id}}\) is decrypted using multiple atomic decryption keys \(\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) }\}_{\gamma \in \Gamma _{\textsf {id}}'}\). Note that almost all (even non-Anonymous) BE schemes [1,2,3, 5, 6, 15, 16, 20, 24, 25, 30, 38] indeed contain such algorithms inside \(\textsf {Enc}\) and \(\textsf {Dec}\). We then formalize the following four properties of our AtBE:

  1. When a ciphertext has an intended recipient set \({\mathcal {S}}\), then any recipient in \({\mathcal {S}}\) can obtain the underlying message by decrypting at least one of the corresponding atomic ciphertexts.

  2. A triplet of a recipient, recipient set, and message \((\textsf {id},{\mathcal {S}},{\textsf{m}})\) uniquely determines the minimum subset of atomic public keys required to generate an atomic ciphertext \(\textsf {ct}_{{\mathcal {S}}, \textsf {id}}\).

  3. A pair of a recipient and recipient set \((\textsf {id},{\mathcal {S}})\) uniquely determines the minimum subset of atomic decryption keys required to decrypt a (correctly-generated) atomic ciphertext \(\textsf {ct}_{{\mathcal {S}}, \textsf {id}}\).

  4. If two atomic ciphertexts \(\textsf {ct}_{{\mathcal {S}}, \textsf {id}}, \textsf {ct}_{{\mathcal {S}}, \textsf {id}'}\) are identical, then the two corresponding minimum subsets of atomic public keys generating \(\textsf {ct}_{{\mathcal {S}}, \textsf {id}}\) and \(\textsf {ct}_{{\mathcal {S}}, \textsf {id}'}\) are also identical.

In Sect. 3.2, we show that most existing BE schemes satisfy the above four properties.

Next, we explain how to obtain a lower bound on the ciphertext size of Anonymous BE from those properties. In our approach, we derive a necessary condition for AtBE schemes with the properties to meet (full) anonymity, whereas Kiayias and Samari directly prove the contrapositive of “if an AtBE scheme is (fully) anonymous, then the lower bound holds”. Roughly speaking, we show the following necessary condition:

Lemma 2

(Informal, see Sect. 4) Suppose an AtBE scheme satisfies the four properties, and fix an arbitrary recipient set \({\mathcal {S}}\) and an arbitrary ciphertext \(\textsf {ct}_{{{\mathcal {S}}}}\). Then, although some atomic decryption keys may be shared among recipients in \({\mathcal {S}}\), the minimum subsets of atomic decryption keys used to decrypt \({\textsf {ct} }_{{\mathcal {S}}}\) are pairwise different for the designated recipients.

We then prove that “for any AtBE scheme, if the lower bound does not hold, then the necessary condition does not hold either (i.e., the AtBE scheme does not meet anonymity)”. See Theorem 1 in Sect. 4 for the formal statement. Here, instead of Assumption 1, we assume the following property, which most Anonymous BEs [3, 24, 25] have, to prove Theorem 1:

Assumption 2

For any \({\mathcal {S}}\subset {\mathcal {I}}{\mathcal {D}}\), any \(\textsf {id}\in {\mathcal {S}}\), and any \({\textsf{m}}\), let \(\textsf {pk}'\) be a subset of atomic public keys that produces \(\textsf {ct}_{{\mathcal {S}}, \textsf {id}}\leftarrow \textsf {Enc}\text {-}\textsf {at}(\textsf {pk}',{\mathcal {S}},{\textsf{m}},\textsf {id})\). Then, \(\textsf {pk}'\) uniquely determines a minimum subset of atomic decryption keys required to decrypt \(\textsf {ct}_{{\mathcal {S}}, \textsf {id}}\).

Note that, unlike Assumption 1, one can easily check that Assumption 2 holds for all existing Anonymous BEs [3, 24, 25]. We treat the above property as an assumption rather than as a property, since it does not hold for most existing non-Anonymous BE schemes. Finally, we prove that for any AtBE scheme that satisfies the four properties and Assumption 2, if there exists a set \({\mathcal {S}}\) such that the number of atomic ciphertexts in \(\textsf {ct}_{{{\mathcal {S}}}}\) is smaller than \(|{\mathcal {S}}|\), then this contradicts the necessary condition (Lemma 3 in Sect. 4).
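The AtBE syntax (\(\textsf {Enc}\text {-}\textsf {at}\), \(\textsf {Dec}\text {-}\textsf {at}\), atomic decryption keys), property 1, the condition of Lemma 2 on the atomic decryption keys, and the gap between anonymity and full anonymity can all be seen on the simplest instantiation: the trivial symmetric-key (Full-)ANO-BE in which the sender shares one key with each recipient. The following Python is an added example, not code from the paper or from any of the cited schemes. The SKE it builds (an HMAC-SHA256 keystream plus an HMAC tag over the ciphertext) is a hypothetical construction chosen only because decryption under a wrong key returns \(\perp \), i.e. it is key-binding in the sense of Sect. 2.3; the recipient identifiers and messages are constructed inputs.

```python
"""Toy atomic broadcast encryption (AtBE) built from a key-binding SKE.

Added example, not code from the paper: it instantiates the trivial
symmetric-key (Full-)ANO-BE in which the sender shares one key K_id with
every recipient id, the atomic ciphertext ct_{S,id} is an SKE ciphertext
of the message under K_id, and a recipient finds its own atom by trial
decryption.  The SKE (HMAC-SHA256 keystream plus an HMAC tag) is a
hypothetical construction chosen only because a wrong key makes D return
None, the paper's "bot", so it is key-binding in the sense of Sect. 2.3;
it is not a recommended cipher.
"""
import hashlib
import hmac
import random
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, truncated to n bytes."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def ske_enc(key: bytes, msg: bytes) -> bytes:
    """E_K(m) = nonce || (m XOR keystream) || HMAC_K(nonce || body)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))
    tag = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def ske_dec(key: bytes, ct: bytes):
    """D_K(c): the message, or None (bot) when the tag does not verify under K."""
    if len(ct) < NONCE_LEN + TAG_LEN:
        return None
    nonce, body, tag = ct[:NONCE_LEN], ct[NONCE_LEN:-TAG_LEN], ct[-TAG_LEN:]
    expected = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # key-binding: any key other than K is rejected (except with negligible probability)
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


class AtomicBE:
    """Atomic (Full-)ANO-BE: sk_id is a single atomic key K_id, ct_S is a list of atoms."""

    def __init__(self, recipient_ids):
        self.ids = list(recipient_ids)  # the recipient set ID, N = len(self.ids)
        self.keys = {rid: secrets.token_bytes(32) for rid in self.ids}

    def enc_at(self, rid: str, msg: bytes) -> bytes:
        """Enc-at: the atomic ciphertext ct_{S,id} for recipient rid (independent of S here)."""
        return ske_enc(self.keys[rid], msg)

    def enc(self, priv_set, msg: bytes, full_anonymity: bool = False):
        """Enc: |S| real atoms; with full anonymity, pad to N atoms with dummies under fresh keys."""
        atoms = [self.enc_at(rid, msg) for rid in priv_set]
        if full_anonymity:
            for _ in range(len(self.ids) - len(atoms)):
                atoms.append(ske_enc(secrets.token_bytes(32), secrets.token_bytes(len(msg))))
        random.shuffle(atoms)  # an atom's position must not reveal its recipient
        return atoms

    def dec_at(self, rid: str, atom: bytes):
        """Dec-at: try one atom with rid's (only) atomic decryption key."""
        return ske_dec(self.keys[rid], atom)

    def dec(self, rid: str, ct):
        """Dec: by property 1, a designated recipient decrypts at least one atom."""
        for atom in ct:
            msg = self.dec_at(rid, atom)
            if msg is not None:
                return msg
        return None


def decrypting_atoms(be: AtomicBE, priv_set, ct):
    """For each id in S, the indices of the atoms id can decrypt.  Lemma 2's necessary
    condition is that these sets differ across designated recipients; by the pigeonhole
    principle that forces at least |S| atoms, which is the |S|*kappa lower bound."""
    return {rid: frozenset(i for i, atom in enumerate(ct) if be.dec_at(rid, atom) is not None)
            for rid in priv_set}


def size_leaks(be: AtomicBE, s0, s1, full_anonymity: bool) -> bool:
    """Anonymity-game adversary that only counts atoms.  It distinguishes ct_{S0} from
    ct_{S1} whenever |S0| != |S1| without padding (anonymity allows leaking |S|) and never
    with padding to N atoms (full anonymity hides |S|)."""
    msg = b"halt"
    return len(be.enc(s0, msg, full_anonymity)) != len(be.enc(s1, msg, full_anonymity))
```

The unpadded ciphertext has exactly \(|{\mathcal {S}}|\) atoms and the padded one exactly N, which is where the \(|{\mathcal {S}}|\cdot \kappa \) and \(N\cdot \kappa \) terms of the bounds come from; the dummy atoms are encrypted under keys nobody holds, so no recipient can tell a dummy from another recipient's atom, and key-binding is what makes trial decryption safe, since a recipient never accepts an atom that was not produced under its own key.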

2 Preliminaries

2.1 Notations

For every natural number \(n\in {\mathbb {N}}\), \(\{{1,\ldots ,n}\}\) is denoted by [n]. For a finite set \({\mathcal {X}}\), we denote by \(|{\mathcal {X}}|\) the cardinality of \({\mathcal {X}}\). For finite sets \({\mathcal {X}},{\mathcal {Y}}\), let \({\mathcal {X}}\bigtriangleup {\mathcal {Y}}:= ({\mathcal {X}} {\setminus } {\mathcal {Y}})\cup ({\mathcal {Y}} {\setminus } {\mathcal {X}})\) be their symmetric difference. For any finite set \({\mathcal {X}}\) and any natural number \(N \in {\mathbb {N}}\), let \(2^{{\mathcal {X}}}_{\le N}:= \{{{\mathcal {Y}} \subset {\mathcal {X}} \mid |{\mathcal {Y}}| \le N}\}\) be the family of subsets of \({\mathcal {X}}\) of cardinality at most N (i.e., a part of the power set of \({\mathcal {X}}\)). For any algorithm \(\textsf {A}\), \(\textsf {out} \leftarrow \textsf {A}(\textsf {in})\) means that \(\textsf {A}\) takes \(\textsf {in}\) as input and outputs \(\textsf {out}\). For any set \({\mathcal {X}}\), \(x {\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathcal {X}}\) means that x is chosen uniformly at random from \({\mathcal {X}}\). For any distribution \({\mathcal {D}}\), \(d {\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathcal {D}}\) means that d is sampled according to \({\mathcal {D}}\). Throughout the paper, we denote the security parameter by \(\kappa \) and consider probabilistic polynomial-time (PPT) algorithms. For any \(x \in \{ 0,1 \}^*\), let |x| be the bit length of x. We say a positive-valued function \(\textsf{negl}({\cdot })\) is negligible if for any polynomial \(\textsf{poly}({\cdot })\) there exists a constant \(\kappa _0\) such that \(\textsf{negl}({\kappa })<1/\textsf{poly}({\kappa })\) for all \(\kappa \ge \kappa _0\).

2.2 Prime order bilinear groups and cryptographic assumption

Prime-order group A group generator \(\textsf {GGen}\) is a PPT algorithm which takes security parameter \(1^\kappa \) as input and outputs a description \({\mathcal {G}}:= (\textsf {p}, {\mathbb {G}}, \textsf {g})\). Here \({\mathbb {G}}\) is a finite cyclic group of prime order \(\textsf {p}\) and \(\textsf {g}\) is a random generator of \({\mathbb {G}}\). For \(a \in {\mathbb {Z}}_p\) and a matrix \(\textbf{A}= (a_{ij}) \in {\mathbb {Z}}_p^{m \times n}\), we define the implicit representation [9] as \(\left[ {a}\right] := \textsf {g}^a \in {\mathbb {G}}\) and \(\left[ {\textbf{A}}\right] = (\textsf {g}^{a_{ij}}) \in {\mathbb {G}}^{m\times n}\).

Prime-order bilinear groups A group generator \(\textsf {PGGen}\) is a PPT algorithm which takes the security parameter \(1^\kappa \) as input and outputs a description \({\mathcal{P}\mathcal{G}}:= (\textsf {p}, {\mathbb {G}}_1, {\mathbb {G}}_2, {\mathbb {G}}_T, \textsf {e}, \textsf {g}_1, \textsf {g}_2)\) of bilinear groups. Here \({\mathbb {G}}_1, {\mathbb {G}}_2, {\mathbb {G}}_T\) are finite cyclic groups of prime order \(\textsf {p}\) and \(\textsf {e}: {\mathbb {G}}_1 \times {\mathbb {G}}_2 \rightarrow {\mathbb {G}}_T\) is a non-degenerate, efficiently computable bilinear map. \(\textsf {g}_1 \in {\mathbb {G}}_1\) and \(\textsf {g}_2 \in {\mathbb {G}}_2\) are random generators of \({\mathbb {G}}_1\) and \({\mathbb {G}}_2\), and \(\textsf {g}_T:= \textsf {e}(\textsf {g}_1, \textsf {g}_2)\) is then a generator of \({\mathbb {G}}_T\). The bilinear map \(\textsf {e}\) is called symmetric if \({\mathbb {G}}_1 = {\mathbb {G}}_2\) and asymmetric if \({\mathbb {G}}_1 \ne {\mathbb {G}}_2\). In the symmetric case, we write the description as \({\mathcal{P}\mathcal{G}}:= (\textsf {p}, {\mathbb {G}}, {\mathbb {G}}_T, \textsf {e}, \textsf {g})\), where \(\textsf {e}: {\mathbb {G}}\times {\mathbb {G}}\rightarrow {\mathbb {G}}_T\). In this paper, unless otherwise noted, we consider the asymmetric case \({\mathbb {G}}_1 \ne {\mathbb {G}}_2\). For \(a \in {\mathbb {Z}}_p\), we define the implicit representation [9] as \(\left[ {a}\right] _s:= \textsf {g}^a_s \in {\mathbb {G}}_s\), where \(s \in \{1, 2, T\}\), and extend it entry-wise to matrices. We let \(\textsf {e}(\left[ {\textbf{A}}\right] _1, \left[ {\textbf{B}}\right] _2):= \left[ {\textbf{A}\textbf{B}}\right] _T\) for matrices \(\textbf{A}\) and \(\textbf{B}\) whenever the product is well-defined.

Cryptographic assumptions For any \(k \in {\mathbb {N}}\), we call \({\mathcal {D}}_k\) a matrix distribution if it outputs full-rank matrices in \({\mathbb {Z}}_p^{(k+1) \times k}\) in polynomial time. We assume that for all \(\textbf{A}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathcal {D}}_k\), the first k rows of \(\textbf{A}\) form an invertible matrix.

We will use the \({\mathcal {D}}_k\)-Matrix Diffie–Hellman (\({\mathcal {D}}_k\)-MDDH) assumption [9] and the \({\mathcal {D}}_k\)-Kernel Matrix Diffie–Hellman (\({\mathcal {D}}_k\)-KerMDH) assumption [29] to construct our Full-ANO-BE scheme. As discussed in [9] and [29], these assumptions are standard and widely used to construct PKE [13, 14, 18, 26] and IBE [4, 17, 19, 23]. They are also used in [24] in the context of Anonymous Broadcast Encryption.

Assumption 1 (\({\mathcal {D}}_k\)-MDDH) [9] We say that the \({\mathcal {D}}_k\)-Matrix Diffie–Hellman assumption holds relative to \(\textsf {GGen}\) if, for any PPT algorithm \(\textsf{A}\), the following advantage function is negligible in \(\kappa \):

$$\begin{aligned} \textsf{Adv}^{\textsf {mddh}}_{\textsf{A}, {\mathbb {G}}}(1^{\kappa }) := \left| \Pr \left[ {\textsf{A}({\mathcal {G}}, \left[ {\textbf{A}}\right] , \left[ {\textbf{A}\textbf{s}}\right] ) = 1}\right] - \Pr \left[ {\textsf{A}({\mathcal {G}}, \left[ {\textbf{A}}\right] , \left[ {\textbf{u}}\right] ) = 1}\right] \right| , \end{aligned}$$

where \({\mathcal {G}} {\mathop {\leftarrow }\limits ^{\textsf {U}}}\textsf {GGen}(1^\kappa ), \textbf{A}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathcal {D}}_k, \textbf{s}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathbb {Z}}_p^k\), and \(\textbf{u}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathbb {Z}}_p^{k+1}\).

Assumption 2 (\({\mathcal {D}}_k\)-KerMDH) [29] Let \(s \in \{1, 2\}\). We say that the \({\mathcal {D}}_k\)-Kernel Matrix Diffie–Hellman assumption holds relative to \(\textsf {PGGen}\) if, for any PPT algorithm \(\textsf{A}\), the following advantage function is negligible in \(\kappa \):

$$\begin{aligned} \textsf{Adv}^{\textsf {kddh}}_{\textsf{A}, {\mathbb {G}}_s}(1^{\kappa }) := \Pr \left[ { \textbf{A}^{\top }\textbf{a}^{\perp } = \textbf{0} \wedge \textbf{a}^{\perp } \ne \textbf{0} \bigg | \left[ {\textbf{a}^{\perp } }\right] _{3-s} \leftarrow \textsf{A}({\mathcal{P}\mathcal{G}}, \left[ {\textbf{A}}\right] _s)}\right] , \end{aligned}$$

where \({\mathcal{P}\mathcal{G}} {\mathop {\leftarrow }\limits ^{\textsf {U}}}\textsf {PGGen}(1^\kappa ), \textbf{A}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathcal {D}}_k\).
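A worked instantiation for \(k = 1\), added here to connect the matrix notation with familiar assumptions; it is not part of the paper’s own text and takes \({\mathcal {D}}_1\) to be the linear distribution of [9], which outputs \(\textbf{A}= (a, 1)^{\top }\) for \(a {\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathbb {Z}}_p^{*}\), so that the first row of \(\textbf{A}\) is invertible as required above. For \(\textbf{s}= s \in {\mathbb {Z}}_p\),

$$\begin{aligned} \left[ {\textbf{A}}\right] = \begin{pmatrix} \textsf {g}^{a} \\ \textsf {g}\end{pmatrix}, \qquad \left[ {\textbf{A}\textbf{s}}\right] = \begin{pmatrix} \left[ {as}\right] \\ \left[ {s}\right] \end{pmatrix} = \begin{pmatrix} (\textsf {g}^{a})^{s} \\ \textsf {g}^{s} \end{pmatrix}, \qquad \text {and in general } \left[ {\textbf{A}\textbf{s}}\right] _i = \prod _{j \in [k]} \left[ {a_{ij}}\right] ^{s_j}, \end{aligned}$$

so \(\left[ {\textbf{A}\textbf{s}}\right] \) is computable from \(\left[ {\textbf{A}}\right] \) and the exponent vector \(\textbf{s}\) without knowing \(\textbf{A}\) itself; this is what lets a public key contain \(\left[ {\textbf{A}}\right] \) while the encryptor samples \(\textbf{s}\). The \({\mathcal {D}}_1\)-MDDH distinguisher therefore receives either \((\textsf {g}, \textsf {g}^{a}, \textsf {g}^{as}, \textsf {g}^{s})\) or \((\textsf {g}, \textsf {g}^{a}, \textsf {g}^{u_1}, \textsf {g}^{u_2})\), i.e. for this distribution \({\mathcal {D}}_1\)-MDDH is exactly the DDH assumption in \({\mathbb {G}}\), and the same distribution with general k gives the k-Lin assumption [9].

For \({\mathcal {D}}_1\)-KerMDH, writing \(\textbf{a}^{\perp } = (x, y)^{\top }\), the kernel condition reads

$$\begin{aligned} \textbf{A}^{\top }\textbf{a}^{\perp } = a x + y = 0 \quad \Longleftrightarrow \quad \textbf{a}^{\perp } = x\cdot (1, -a)^{\top }, \qquad x \ne 0, \end{aligned}$$

so from \(\left[ {a}\right] _1\) the adversary has to output \(\left[ {x}\right] _2\) and \(\left[ {-ax}\right] _2\) in the other source group. The challenger verifies a win with the pairing alone, without any secret:

$$\begin{aligned} \textsf {e}(\left[ {a}\right] _1, \left[ {x}\right] _2)\cdot \textsf {e}(\left[ {1}\right] _1, \left[ {-ax}\right] _2) = \left[ {ax - ax}\right] _T = \left[ {0}\right] _T , \end{aligned}$$

which is why the KerMDH advantage above is the plain probability of a publicly checkable event rather than a distinguishing advantage.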

2.3 Cryptographic primitives

Symmetric key encryption A symmetric key encryption (SKE) scheme with a key space \({\mathcal {K}}\) consists of two algorithms \(\Pi ^{{\textsf {SKE}}}=({\textsf {E},\textsf {D}})\):

  • \(\textsf {c}\leftarrow \textsf {E}_\textsf {K}({\textsf{m}})\): the encryption algorithm generates a ciphertext \(\textsf {c}\) of the message \({\textsf{m}}\in {\mathcal {M}}\) under the secret key \(\textsf {K}\in {\mathcal {K}}\), where \({\mathcal {M}}\) is the message space.

  • \({\textsf{m}}\leftarrow \textsf {D}_\textsf {K}(\textsf {c})\): the decryption algorithm decrypts the ciphertext \(\textsf {c}\) using \(\textsf {K}\), and returns \({\textsf{m}}\in {\mathcal {M}}\cup \{\perp \}\).

Correctness For all \(\textsf {K}\in {\mathcal {K}}\) and all messages \({\textsf{m}}\in {\mathcal {M}}\), we have \(\textsf {D}_\textsf {K}(\textsf {E}_\textsf {K}({\textsf{m}})) = {\textsf{m}}\) with overwhelming probability.

Definition 1

(Semantic Security) An SKE scheme is semantically secure if, for all PPT adversaries \(\textsf{A}\), the following advantage function is negligible in \(\kappa \):

$$\begin{aligned} \textsf{Adv}_{\textsf{A}}^{\textsf {{se}}}(\kappa ) :=\left| \Pr \left[ b'=b\left| \begin{array}{l} ({\textsf{m}}_0, {\textsf{m}}_1) \leftarrow \textsf{A}(1^\kappa , {\mathcal {K}}), \\ \textsf {K}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathcal {K}}, b {\mathop {\leftarrow }\limits ^{\textsf {U}}}\{0, 1\}, \\ \textsf {c}^* \leftarrow \textsf {E}_\textsf {K}({\textsf{m}}_b), \\ b' \leftarrow \textsf{A}(1^\kappa , {\mathcal {K}}, \textsf {c}^*) \end{array}\right. \right] -\frac{1}{2}\right| . \end{aligned}$$

Furthermore, we require the symmetric encryption to be key-binding [12]. Namely, for any message \({\textsf{m}}\) and any secret key \(\textsf {K}\in {\mathcal {K}}\), there exists no key \(\textsf {K}' \in {\mathcal {K}}\) such that \(\textsf {K}' \ne \textsf {K}\) and \(\textsf {D}_{\textsf {K}'}( \textsf {E}_\textsf {K}({\textsf{m}}) ) \ne \perp \); that is, a ciphertext decrypts to something other than \(\perp \) only under the key it was produced with.

Collision-resistant hash function Let \({\mathcal {H}}\) be a family of hash functions \({\textsf{H}}: {\mathcal {X}} \rightarrow {\mathcal {Y}}\), where \({\mathcal {X}}:= {\mathcal {X}}_{\kappa }\) and \({\mathcal {Y}}:= {\mathcal {Y}}_{\kappa }\) are finite sets. \({\mathcal {H}}\) is said to be collision-resistant if, for all PPT algorithms \(\textsf{A}\), the following advantage function is negligible in \(\kappa \):

$$\begin{aligned} \textsf{Adv}^{\textsf {hash}}_{\textsf{A}} (\kappa ) := \Pr \left[ {{\textsf{H}}(x) ={\textsf{H}}(y) \wedge \; x \ne y \;\bigg |\; {\textsf{H}}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathcal {H}}, (x, y) \leftarrow \textsf{A}(1^\kappa , {\textsf{H}})}\right] . \end{aligned}$$

Message authentication code A message authentication code (MAC) scheme consists of three algorithms \(\Pi ^{{\textsf {MAC}}}= ({\textsf {MAC}.\textsf {Gen}, \textsf {MAC}.\textsf {Auth},\textsf {MAC}.\textsf {Vrfy}})\):

  • \(\textsf {K}\leftarrow \textsf {MAC}.\textsf {Gen}(1^{\kappa })\): the key generation algorithm takes the security parameter \(1^{\kappa }\) as input and outputs a symmetric key \(\textsf {K}\).

  • \(\tau \leftarrow \textsf {MAC}.\textsf {Auth}(\textsf {K}, {\textsf{m}})\): the authentication algorithm takes \(\textsf {K}\) and a message \({\textsf{m}}\in {\mathcal {M}}\) as inputs, and outputs an authentication tag \(\tau \in {\mathcal {T}}\). Here, \({\mathcal {M}}\) is a message space and \({\mathcal {T}}\) is a tag space.

  • \(\top /\perp \leftarrow \textsf {MAC}.\textsf {Vrfy}(\textsf {K}, \tau , {\textsf{m}})\): the verification algorithm takes \(\textsf {K}, \tau \) and \({\textsf{m}}\) as inputs, and outputs \(\top \) (accept) or \(\perp \) (reject).

Correctness For all \(\kappa \in {\mathbb {N}}\), all \(\textsf {K}\leftarrow \textsf {MAC}.\textsf {Gen}(1^{\kappa })\) and all messages \({\textsf{m}}\in {\mathcal {M}}\), we have \(\textsf {MAC}.\textsf {Vrfy}(\textsf {K}, \textsf {MAC}.\textsf {Auth}(\textsf {K}, {\textsf{m}}), {\textsf{m}}) \rightarrow \top \) with overwhelming probability.

We define unforgeability against chosen message attack (UF-CMA) in a multi-key setting [28]. Let \(\textsf{A}\) be any PPT adversary against UF-CMA security. We consider an experiment \(\textsf{Exp}^{\textsf {UF}\text {-}\textsf {CMA}}_{\Pi ^{{\textsf {MAC}}},\textsf{A}}(\kappa )\) between a challenger \(\textsf{C}\) and \(\textsf{A}\) as follows.

\(\underline{\textsf{Exp}^{\textsf {UF}\text {-}\textsf {CMA}}_{\Pi ^{{\textsf {MAC}}},\textsf{A}}(\kappa )}\)

\(\textsf{C}\) runs \(\textsf {MAC}.\textsf {Gen}(1^{\kappa })\) to get \((\textsf {K}_1, \ldots , \textsf {K}_{\ell (\kappa )})\). Let \(\widetilde{{\mathcal {M}}}, {\mathcal {I}}\) be empty sets and \(\textsf {flag}\) be a flag initialized as 1. Here, \(\widetilde{{\mathcal {M}}}\) is the set of (index, message) pairs used for authentication queries, and \({\mathcal {I}}\) is the set of indexes used for key derivation queries. \(\textsf{A}\) may adaptively issue an authentication query \((\textsf {id}, {\textsf{m}}) \in [\ell (\kappa )] \times {\mathcal {M}}\) to the Authentication Oracle \(\textsf {Auth}\); \(\textsf {Auth}\) returns \(\tau \leftarrow \textsf {MAC}.\textsf {Auth}(\textsf {K}_\textsf {id}, {\textsf{m}})\) and adds \((\textsf {id}, {\textsf{m}})\) to \(\widetilde{{\mathcal {M}}}\). Also, \(\textsf{A}\) may adaptively issue a key derivation query \(\textsf {id}\in [\ell (\kappa )]\) to the Key Derivation Oracle \(\textsf {Corr}\); \(\textsf {Corr}\) returns \(\textsf {K}_\textsf {id}\) and adds \(\textsf {id}\) to \({\mathcal {I}}\). Finally, \(\textsf{A}\) issues a verification query \(({\textsf{m}}^*, \tau ^*, \textsf {id}^*)\) to the Verification Oracle \(\textsf {Vrfy}\). At this point, if \(\textsf {id}^* \in {\mathcal {I}}\) or \((\textsf {id}^*, {\textsf{m}}^*) \in \widetilde{{\mathcal {M}}}\) or \(\bot \leftarrow \textsf {MAC}.\textsf {Vrfy}(\textsf {K}_{\textsf {id}^*}, \tau ^*, {\textsf{m}}^*)\) holds, then \(\textsf{C}\) sets \(\textsf {flag}:=0\). For simplicity, \(\textsf{A}\) is restricted to issuing this query only once. At some point (right after the verification query without loss of generality), \(\textsf{A}\) terminates the experiment, and \(\textsf{C}\) sets \(\textsf {flag}\) as the output of \(\textsf{Exp}^{\textsf {UF}\text {-}\textsf {CMA}}_{\Pi ^{{\textsf {MAC}}},\textsf{A}}(\kappa )\).

Definition 2

(UF-CMA) We say \(\Pi ^{{\textsf {MAC}}}\) is UF-CMA secure if for any PPT adversary \(\textsf{A}\), for all sufficiently-large \(\kappa \in {\mathbb {N}}\), it holds that \(\textsf{Adv}^{\textsf {UF}\text {-}\textsf {CMA}}_{\Pi ^{{\textsf {MAC}}},\textsf{A}}(\kappa ) < \textsf{negl}({\kappa })\), where \(\textsf{Adv}^{\textsf {UF}\text {-}\textsf {CMA}}_{\Pi ^{{\textsf {MAC}}},\textsf{A}}(\kappa ):= \Pr \left[ \textsf{Exp}^{\textsf {UF}\text {-}\textsf {CMA}}_{\Pi ^{{\textsf {MAC}}}, \textsf{A}}( \kappa ) \rightarrow 1\right] \).
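As an added illustration (not part of the paper), the multi-key experiment \(\textsf{Exp}^{\textsf {UF}\text {-}\textsf {CMA}}_{\Pi ^{{\textsf {MAC}}},\textsf{A}}(\kappa )\) written as a small Python harness with \(\Pi ^{{\textsf {MAC}}}\) instantiated by HMAC-SHA256; the four adversaries are constructed to show which of the three conditions forces \(\textsf {flag}:=0\), and all names below are this example's own.

```python
# Added example: the multi-key UF-CMA experiment with HMAC-SHA256 as the MAC.
# Oracle and set names follow the experiment (Auth, Corr, Vrfy; M~, I, flag).
import hashlib
import hmac
import secrets


def mac_gen() -> bytes:
    return secrets.token_bytes(32)


def mac_auth(K: bytes, m: bytes) -> bytes:
    return hmac.new(K, m, hashlib.sha256).digest()


def mac_vrfy(K: bytes, tau: bytes, m: bytes) -> bool:
    return hmac.compare_digest(tau, mac_auth(K, m))


class ExpUFCMA:
    """Challenger C holding ell keys K_1..K_ell (0-based indexes here)."""

    def __init__(self, ell: int):
        self.keys = [mac_gen() for _ in range(ell)]
        self.M_tilde = set()    # (id, m) pairs answered by the Auth oracle
        self.I = set()          # ids whose key was handed out by Corr
        self.flag = 1
        self.verified = False

    def Auth(self, uid: int, m: bytes) -> bytes:
        self.M_tilde.add((uid, m))
        return mac_auth(self.keys[uid], m)

    def Corr(self, uid: int) -> bytes:
        self.I.add(uid)
        return self.keys[uid]

    def Vrfy(self, m: bytes, tau: bytes, uid: int) -> int:
        """The single verification query; returns the experiment's output flag."""
        assert not self.verified, "only one verification query is allowed"
        self.verified = True
        if (uid in self.I or (uid, m) in self.M_tilde
                or not mac_vrfy(self.keys[uid], tau, m)):
            self.flag = 0
        return self.flag


def run(adversary, ell: int = 3) -> int:
    """Runs one adversary against a fresh challenger and returns flag."""
    exp = ExpUFCMA(ell)
    m, tau, uid = adversary(exp)
    return exp.Vrfy(m, tau, uid)


# Constructed adversaries; each returns its attempt (m*, tau*, id*).
def replay_adv(exp):
    # Replays an Auth answer: excluded because (id*, m*) is in M~.
    tau = exp.Auth(0, b"transfer 10")
    return b"transfer 10", tau, 0


def corrupted_key_adv(exp):
    # Tags with a key obtained from Corr: excluded because id* is in I.
    K = exp.Corr(1)
    return b"transfer 10", mac_auth(K, b"transfer 10"), 1


def cross_key_adv(exp):
    # Presents a key-0 tag under key 2: a fresh (id*, m*), but MAC.Vrfy rejects,
    # which is exactly what the multi-key setting is meant to capture.
    tau = exp.Auth(0, b"transfer 10")
    return b"transfer 10", tau, 2


def blind_guess_adv(exp):
    # Uncorrupted key and unqueried message, random tag: rejected w.o.p.
    return b"transfer 10", secrets.token_bytes(32), 2
```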

2.4 Core Lemma

We will use the core lemma [21], which was originally used to prove adaptive soundness of quasi-adaptive non-interactive zero-knowledge (QANIZK) proofs, to prove security of our Full-ANO-BE scheme in Sect. 5. We review a slightly simplified version of the core lemma below since it is sufficient for our purpose.

Lemma 1

(Core lemma [21]) Let \(k \in {\mathbb {N}}\). For any \(\textbf{A}, \textbf{B}\in {\mathbb {Z}}_p^{(k+1) \times k}\) and any (possibly unbounded) adversary \(\textsf{A}\), we have

$$\begin{aligned} \Pr \left[ \begin{array}{l} \textbf{u}\not \in \textrm{span}(\textbf{A}) \wedge \alpha \ne \alpha ^*\\ \wedge \, {\varvec{\pi }}^{\top } = \textbf{u}^{\top }(\textbf{X}+ \alpha \cdot \textbf{Y}) \end{array} \bigg |\begin{array}{l} \textbf{X}, \textbf{Y}{\mathop {\leftarrow }\limits ^{\textsf {U} }} {\mathbb {Z}}_p^{(k+1) \times (k+1)} \\ (\textbf{u}, \alpha , {\varvec{\pi }}) \leftarrow \textsf{A} ^{\textsf {O}(\cdot )} (\textbf{A}^{\top }\textbf{X}, \textbf{A}^{\top }\textbf{Y}, \textbf{X}\textbf{B}, \textbf{Y}\textbf{B}) \end{array}\right] \le \frac{1}{\textsf {p} }, \end{aligned}$$

where \((\textbf{u}, \alpha , \varvec{\pi }) \in {\mathbb {Z}}_p^{k+1} \times {\mathbb {Z}}_p\times {\mathbb {Z}}_p^{k}\), the span \(\textrm{span}(\textbf{A})\) of a matrix \(\textbf{A}= (\textbf{a}_1, \dots , \textbf{a}_{k})\) means the span of the vectors \(\textbf{a}_1, \dots , \textbf{a}_{k}\), and \(\textsf{A} \) can issue \(\alpha ^* \in {\mathbb {Z}}_p\) to the oracle \(\textsf {O} \), which returns \(\textbf{X}+ \alpha ^* \cdot \textbf{Y}\), only once.

2.5 Broadcast encryption

We define Broadcast Encryption (BE) and its security notions based on [25, 37]. In this paper, we assume that the maximum number of recipients N in BE is determined at the time of setup and an arbitrary set of recipients can be specified at the time of encryption.

Syntax A BE scheme \(\Pi ^{\textsf {BE}}\) consists of four algorithms \(({\textsf {Setup}, \textsf {Join}, \textsf {Enc}, \textsf {Dec}})\).

  1.

    \((\textsf {mk}, \textsf {pk}) \leftarrow \textsf {Setup}(1^{\kappa },N)\): a probabilistic algorithm for setup. It takes a security parameter \(1^{\kappa }\) and the maximum number of recipients \(N\in {\mathbb {N}}\) as input, and outputs a master secret key \(\textsf {mk}\) and a public key \(\textsf {pk}\).

  2.

    \(\textsf {sk}_{{\textsf {id}}} \leftarrow \textsf {Join}(\textsf {mk}, \textsf {id})\): a decryption key generation algorithm. It takes \(\textsf {mk}\) and an identifier \(\textsf {id}\in {\mathcal {I}}{\mathcal {D}}\), as input, and outputs a decryption key \(\textsf {sk}_{{\textsf {id}}}\) for \(\textsf {id}\). Here, \({\mathcal {I}}{\mathcal {D}}\) is a set of all possible identifiers, and \(|{\mathcal {I}}{\mathcal {D}}|:= \textsf{poly}({\kappa })\) for some polynomial \(\textsf{poly}({\cdot })\).

  3.

    \(\textsf {ct}_{{{\mathcal {S}}}} \leftarrow \textsf {Enc}(\textsf {pk}, {\textsf{m}},{\mathcal {S}}; {\textsf{r}})\): an encryption algorithm. It takes \(\textsf {pk}\), a message \({\textsf{m}}\in {\mathcal {M}}\), randomness \({\textsf{r}}\in {\mathcal {R}}\), and a privileged set \({\mathcal {S}}\subseteq {\mathcal {I}}{\mathcal {D}}\) as input, and outputs a ciphertext \(\textsf {ct}_{{{\mathcal {S}}}} \in {\mathcal {C}}{\mathcal {T}}\), where \({\mathcal {M}}\) is a message space, \({\mathcal {C}}{\mathcal {T}}\) is a ciphertext space and \({\mathcal {R}}\) is a randomness space. It is also possible to omit \({\textsf{r}}\) from the input.

  4.

    \({\textsf{m}}\leftarrow \textsf {Dec}(\textsf {sk}_{{\textsf {id}}},\textsf {ct}_{{{\mathcal {S}}}})\): a decryption algorithm. It takes \(\textsf {sk}_{{\textsf {id}}}\) and \(\textsf {ct}_{{{\mathcal {S}}}}\) as inputs, and outputs \({\textsf{m}}\in {\mathcal {M}}\cup \{\bot \}\).

To describe properties of the existing Anonymous BE schemes, we regard \(\textsf {Join}\) as a deterministic algorithm in this paper.Footnote 6

Correctness For all \(\kappa , N \in {\mathbb {N}}\), all \((\textsf {mk}, \textsf {pk}) \leftarrow \textsf {Setup}(1^{\kappa }, N)\), all \({\textsf{m}}\in {\mathcal {M}}\), all \({\textsf{r}}\in {\mathcal {R}}\), all \({\mathcal {S}}\subseteq {\mathcal {I}}{\mathcal {D}}\) such that \(|{\mathcal {S}}| \le N\), and all \(\textsf {id}\in {\mathcal {S}}\), we have \({\textsf{m}}\leftarrow \textsf {Dec}(\textsf {Join}(\textsf {mk}, \textsf {id}), \textsf {Enc}(\textsf {pk}, {\textsf{m}},{\mathcal {S}}; {\textsf{r}}))\) with overwhelming probability.

Chosen ciphertext security and anonymity We define anonymity and indistinguishability against chosen ciphertext attack for BE. We consider two anonymity notions, Full-ANO-IND-CCA [20, 37] and ANO-IND-CCA [24, 25] security. Let \(\textsf{A}\) be any PPT adversary against Full-ANO-IND-CCA security. Following [20, 24, 25, 37], we consider an experiment \(\textsf{Exp}^{{\textsf {Full}\text {-}\mathsf ANO}\text {-}\textsf {IND}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {BE}},\textsf{A}}(\kappa , N)\) between a challenger \(\textsf{C}\) and \(\textsf{A}\) as follows.

\(\underline{\textsf{Exp}^{{\textsf {Full}\text {-}\mathsf ANO}\text {-}\textsf {IND}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {BE}},\textsf{A}}(\kappa ,N)}\)

\(\textsf{C}\) runs \(\textsf {Setup}(1^{\kappa },N)\) to get \((\textsf {mk}, \textsf {pk})\) and randomly chooses \(b\in \{ 0,1 \}\). Let \({\mathcal {D}}, {\mathcal {C}}{\mathcal {D}}\) be empty sets. Here, \({\mathcal {D}}\) is the set of recipients currently participating in the protocol, and \({\mathcal {C}}{\mathcal {D}}\) is the set of identifiers of recipients whose decryption keys \(\textsf{A}\) has obtained. \(\textsf{A}\) may adaptively issue the following queries to \(\textsf{C}\).

  • Key-generation Query: Upon a query \(\textsf {id}\in {\mathcal {I}}{\mathcal {D}}\) from \(\textsf{A}\), \(\textsf{C}\) adds \(\textsf {id}\) to \({\mathcal {D}}\) and generates \(\textsf {sk}_{{\textsf {id}}} \leftarrow \textsf {Join}(\textsf {mk},\textsf {id})\). Note that \(\textsf{A}\) obtains nothing, and that \(\textsf{A}\) is allowed to make this query at most N times.

  • Corruption Query: Upon a query \(\textsf {id}\in {\mathcal {D}}\) from \(\textsf{A}\), \(\textsf{C}\) adds \(\textsf {id}\) to \({\mathcal {C}}{\mathcal {D}}\), and returns \(\textsf {sk}_{{\textsf {id}}}\) to \(\textsf{A}\).

  • Challenge Query: Upon a query \(({\textsf{m}}_0,{\textsf{m}}_1,{\mathcal {S}}_0, {\mathcal {S}}_1)\in {\mathcal {M}}^2 \times \left( 2^{{\mathcal {D}}}_{\le N}\right) ^2\) from \(\textsf{A}\), \(\textsf{C}\) runs \(\textsf {ct}_{{{\mathcal {S}}}}^* \leftarrow \textsf {Enc}(\textsf {pk}, {\textsf{m}}_b,{\mathcal {S}}_b)\) and returns \(\textsf {ct}_{{{\mathcal {S}}}}^*\) to \(\textsf{A}\). \(\textsf{A}\) is allowed to make this query only once.

  • Decryption Query: Upon a query \((\textsf {id}, \textsf {ct}_{{{\mathcal {S}}}}) \in {\mathcal {D}}\times {\mathcal {C}}{\mathcal {T}}\) from \(\textsf{A}\), \(\textsf{C}\) returns \({\textsf{m}}\leftarrow \textsf {Dec}(\textsf {sk}_{{\textsf {id}}},\textsf {ct}_{{{\mathcal {S}}}})\) to \(\textsf{A}\). If the challenge ciphertext \(\textsf {ct}_{{{\mathcal {S}}}}^*\) is queried, then \(\textsf{C}\) returns \(\perp \).

At some point, \(\textsf{A}\) outputs \(b'\). If all of the following conditions hold, \(\textsf{C}\) sets 1 as the output of \(\textsf{Exp}^{{\textsf {Full}\text {-}\mathsf ANO}\text {-}\textsf {IND}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {BE}},\textsf{A}}(\kappa , N)\):

  • \(b' = b\)

  • \(|{\textsf{m}}_0| = |{\textsf{m}}_1|\)

  • \(({\mathcal {S}}_0 \bigtriangleup {\mathcal {S}}_1) \cap {\mathcal {C}}{\mathcal {D}}= \emptyset \)

  • If \(({\mathcal {S}}_0 \bigtriangleup {\mathcal {S}}_1) \cap {\mathcal {C}}{\mathcal {D}}\ne \emptyset \), then \({\textsf{m}}_0 = {\textsf{m}}_1\)

Otherwise, \(\textsf{C}\) sets 0. Then \(\textsf{C}\) terminates the experiment.

We can also define ANO-IND-CCA with an experiment \(\textsf{Exp}^{\textsf {ANO}\text {-}\textsf {IND}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {BE}},\textsf{A}}(\kappa ,N)\) which is the same as \(\textsf{Exp}^{{\textsf {Full}\text {-}\mathsf ANO}\text {-}\textsf {IND}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {BE}},\textsf{A}}(\kappa ,N)\) except for the following additional condition of the restriction for challenge query: \(|{\mathcal {S}}_0| = |{\mathcal {S}}_1|\).

Definition 3

((Full-)ANO-IND-CCA) We say \(\Pi ^{\textsf {BE}}\) is X-CCA secure (X \(\in \) {Full-ANO-IND, ANO-IND}) if for any PPT adversary \(\textsf{A}\), for all sufficiently-large \(\kappa \in {\mathbb {N}}\) and all \(N \in {\mathbb {N}}\), it holds that \(\textsf{Adv}^{X}_{{\Pi ^{\textsf {BE}},\textsf{A}}}(\kappa , N) < \textsf{negl}({\kappa })\), where \(\textsf{Adv}^{X}_{{\Pi ^{\textsf {BE}},\textsf{A}}}(\kappa , N):=\left| \Pr \left[ \textsf{Exp}^{X}_{{\Pi ^{\textsf {BE}},\textsf{A}}} (\kappa , N) \rightarrow 1\right] - \frac{1}{2}\right| \).

The third and fourth conditions are intended to prevent the trivial attack when a decryption key of a user \(\textsf {id}\in {\mathcal {S}}_0 \bigtriangleup {\mathcal {S}}_1\) is corrupted.

We also define IND-CCA with an experiment \(\textsf{Exp}^{\textsf {IND}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {BE}},\textsf{A}}(\kappa ,N)\) which is the same as \(\textsf{Exp}^{\textsf {ANO}\text {-}\textsf {IND}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {BE}},\textsf{A}}(\kappa ,N)\), except for the following additional condition of the restriction for challenge query: \({\mathcal {S}}_0 = {\mathcal {S}}_1\).

Definition 4

(IND-CCA) We say \(\Pi ^{\textsf {BE}}\) is IND-CCA secure if for any PPT adversary \(\textsf{A}\), for all sufficiently-large \(\kappa \in {\mathbb {N}}\) and all \(N \in {\mathbb {N}}\), it holds that \(\textsf{Adv}^{\textsf {IND}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {BE}},\textsf{A}}(\kappa , N) <\textsf{negl}({\kappa })\), where \(\textsf{Adv}^{\textsf {IND}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {BE}},\textsf{A}}(\kappa , N):=\left| \Pr \left[ \textsf{Exp}^{\textsf {IND}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {BE}},\textsf{A}}(\kappa , N) \rightarrow 1\right] -\frac{1}{2}\right| \).

Also, (Full-)ANO-CCA can be defined with experiments \(\textsf{Exp}^{\textsf {ANO}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {BE}},\textsf{A}}(\kappa ,N)\) and \(\textsf{Exp}^{\textsf {Full}\text {-}\textsf {ANO}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {BE}},\textsf{A}}(\kappa ,N)\), which are the same as \(\textsf{Exp}^{\textsf {ANO}\text {-}\textsf {IND}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {BE}},\textsf{A}}(\kappa ,N)\) and \(\textsf{Exp}^{{\textsf {Full}\text {-}\mathsf ANO}\text {-}\textsf {IND}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {BE}},\textsf{A}}(\kappa ,N)\), respectively, except for the following additional condition of the restriction for the challenge query: \({\textsf{m}}_0 = {\textsf{m}}_1\).

Definition 5

((Full-)ANO-CCA) We say \(\Pi ^{\textsf {BE}}\) is X-CCA secure (X \(\in \) {Full-ANO, ANO}) if for any PPT adversary \(\textsf{A}\), for all sufficiently-large \(\kappa \in {\mathbb {N}}\) and all \(N \in {\mathbb {N}}\), it holds that \(\textsf{Adv}^{X}_{{\Pi ^{\textsf {BE}},\textsf{A}}}(\kappa , N) < \textsf{negl}({\kappa })\), where \(\textsf{Adv}^{X}_{{\Pi ^{\textsf {BE}},\textsf{A}}}(\kappa , N):=\left| \Pr \left[ \textsf{Exp}^{X}_{{\Pi ^{\textsf {BE}},\textsf{A}}} (\kappa , N) \rightarrow 1\right] - \frac{1}{2}\right| \).

2.6 Anonymous broadcast authentication

We define Anonymous Broadcast Authentication (ABA) and its security notions based on [37].

Syntax An Anonymous Broadcast Authentication scheme \(\Pi ^{\textsf {ABA}}\) consists of four algorithms \(({\textsf {Setup}, \textsf {Join}, \textsf {Auth}, \textsf {Vrfy}})\).

  1.

    \(\textsf {ak}\leftarrow \textsf {Setup}(1^{\kappa },N)\): a probabilistic algorithm for setup. It takes a security parameter \(1^{\kappa }\) and the maximum number of recipients \(N\in {\mathbb {N}}\) as input, and outputs an authentication key \(\textsf {ak}\).

  2.

    \(\textsf {vk}_{{\textsf {id}}} \leftarrow \textsf {Join}(\textsf {ak}, \textsf {id})\): a verification key generation algorithm. It takes \(\textsf {ak}\) and an identifier \(\textsf {id}\in {\mathcal {I}}{\mathcal {D}}\) as input, and outputs a verification key \(\textsf {vk}_{{\textsf {id}}}\) for \(\textsf {id}\). Here, \({\mathcal {I}}{\mathcal {D}}\) is a set of all possible identifiers, and \(|{\mathcal {I}}{\mathcal {D}}|:= \textsf{poly}({\kappa })\) for some polynomial \(\textsf{poly}({\cdot })\).

  3.

    \(\textsf {cmd}_{{{\mathcal {S}}}} \leftarrow \textsf {Auth}(\textsf {ak}, {\textsf{m}}, {\mathcal {S}}; {\textsf{r}})\): an authentication algorithm. It takes \(\textsf {ak}\), a message \({\textsf{m}}\in {\mathcal {M}}\), randomness \({\textsf{r}}\in {\mathcal {R}}\), and a privileged set \({\mathcal {S}}\subseteq {\mathcal {I}}{\mathcal {D}}\) as input, and outputs a ciphertext \(\textsf {cmd}_{{{\mathcal {S}}}}\), where \({\mathcal {M}}\) is a message space and \({\mathcal {R}}\) is a randomness space. It is also possible to omit \({\textsf{r}}\) from the input.

  4.

    \({\textsf{m}}/ \bot \leftarrow \textsf {Vrfy}(\textsf {vk}_{{\textsf {id}}},\textsf {cmd}_{{{\mathcal {S}}}})\): a verification algorithm. It takes \(\textsf {vk}_{{\textsf {id}}}\) and \(\textsf {cmd}_{{{\mathcal {S}}}}\) as inputs, and outputs \({\textsf{m}}\in {\mathcal {M}}\) (accept) or \(\bot \) (reject).

To describe properties of the existing ABA scheme, we regard \(\textsf {Join}\) as a deterministic algorithm in this paper.

Correctness For all \(\kappa , N \in {\mathbb {N}}\), all \(\textsf {ak}\leftarrow \textsf {Setup}(1^{\kappa },N)\), all \({\textsf{m}}\in {\mathcal {M}}\), all \({\textsf{r}}\in {\mathcal {R}}\), and all \({\mathcal {S}}\subseteq {\mathcal {I}}{\mathcal {D}}\) such that \(|{\mathcal {S}}| \le N\), if \(\textsf {id}\in {\mathcal {S}}\), then \({\textsf{m}}\leftarrow \textsf {Vrfy}(\textsf {Join}(\textsf {ak}, \textsf {id}), \textsf {Auth}(\textsf {ak}, {\textsf{m}},{\mathcal {S}}))\) holds with overwhelming probability. Otherwise, \(\bot \leftarrow \textsf {Vrfy}(\textsf {Join}(\textsf {ak}, \textsf {id}), \textsf {Auth}(\textsf {ak}, {\textsf{m}},{\mathcal {S}}))\) holds with overwhelming probability.

Unforgeability We define unforgeability against chosen message attack (UF-CMA) for ABA. Let \(\textsf{A}\) be any PPT adversary against UF-CMA security. We consider an experiment \(\textsf{Exp}^{\textsf {UF}\text {-}\textsf {CMA}}_{\Pi ^{\textsf {ABA}},\textsf{A}}(\kappa , N)\) between a challenger \(\textsf{C}\) and \(\textsf{A}\).

\(\underline{\textsf{Exp}^{\textsf {UF}\text {-}\textsf {CMA}}_{\Pi ^{\textsf {ABA}},\textsf{A}}(\kappa ,N)}\)

\(\textsf{C}\) runs \(\textsf {Setup}(1^{\kappa },N)\) to get \(\textsf {ak}\). Let \({\mathcal {D}}, {\mathcal {C}}{\mathcal {D}}, {\mathcal {M}}_{{\textsc {a}}}, {\mathcal {M}}_{{\textsc {v}}}\) be empty sets and \(\textsf {flag}\) be a flag initialized as 0. Here, \({\mathcal {D}}\) is the set of recipients currently participating in the protocol, and \({\mathcal {C}}{\mathcal {D}}\) is the set of identifiers of recipients whose verification keys \(\textsf{A}\) has obtained. We denote by \({\mathcal {M}}_{{\textsc {a}}}\) and \({\mathcal {M}}_{{\textsc {v}}}\) the sets of messages used for authentication queries and verification queries, respectively. \(\textsf{A}\) may adaptively issue the following queries to \(\textsf{C}\).

  • Key-generation Query: Upon a query \(\textsf {id}\in {\mathcal {I}}{\mathcal {D}}\) from \(\textsf{A}\), \(\textsf{C}\) adds \(\textsf {id}\) to \({\mathcal {D}}\) and generates \(\textsf {vk}_{{\textsf {id}}} \leftarrow \textsf {Join}(\textsf {ak},\textsf {id})\). Note that \(\textsf{A}\) obtains nothing, and that \(\textsf{A}\) is allowed to make this query at most N times.

  • Corruption Query: Upon a query \(\textsf {id}\in {\mathcal {D}}\) from \(\textsf{A}\), \(\textsf{C}\) adds \(\textsf {id}\) to \({\mathcal {C}}{\mathcal {D}}\), and returns \(\textsf {vk}_{{\textsf {id}}}\) to \(\textsf{A}\).

  • Authentication Query: Upon a query \(({\textsf{m}}, {\mathcal {S}}) \in {\mathcal {M}}\times 2^{{\mathcal {D}}}_{\le N}\) from \(\textsf{A}\), \(\textsf{C}\) adds \({\textsf{m}}\) to \({\mathcal {M}}_{{\textsc {a}}}\), and returns \(\textsf {cmd}_{{{\mathcal {S}}}} \leftarrow \textsf {Auth}(\textsf {ak}, {\textsf{m}}, {\mathcal {S}})\) to \(\textsf{A}\) if \({\textsf{m}}\) is not used for a verification query (\({\textsf{m}}\not \in {\mathcal {M}}_{{\textsc {v}}}\)).

  • Verification Query: Upon a query \(({\textsf{m}}, {\mathcal {S}}, \textsf {cmd}_{{{\mathcal {S}}}}) \in {\mathcal {M}}\times 2^{{\mathcal {D}}}_{\le N} \times {\mathcal {T}}\) from \(\textsf{A}\), \(\textsf{C}\) runs \(\textsf {Vrfy}(\textsf {vk}_{{\textsf {id}}},\textsf {cmd}_{{{\mathcal {S}}}})\) and returns its output to \(\textsf{A}\). \(\textsf{C}\) adds \({\textsf{m}}\) to \({\mathcal {M}}_{{\textsc {v}}}\). If there exists at least one user \(\textsf {id}\in {\mathcal {S}}\) such that all of the following conditions hold, then \(\textsf{C}\) sets \(\textsf {flag}:= 1\):

    • \(\textsf {Vrfy}(\textsf {vk}_{{\textsf {id}}},\textsf {cmd}_{{{\mathcal {S}}}}) = {\textsf{m}},\)

    • \(\textsf {id}\not \in {\mathcal {C}}{\mathcal {D}},\)

    • \({\textsf{m}}\not \in {\mathcal {M}}_{{\textsc {a}}}.\)

    \(\textsf{A}\) is allowed to make this query only once.

At some point (right after some verification query without loss of generality), \(\textsf{A}\) terminates the experiment, and \(\textsf{C}\) sets \(\textsf {flag}\) as the output of \(\textsf{Exp}^{\textsf {UF}\text {-}\textsf {CMA}}_{\Pi ^{\textsf {ABA}},\textsf{A}}(\kappa , N)\).

Definition 6

(Unforgeability) We say \(\Pi ^{\textsf {ABA}}\) is UF-CMA secure if for any PPT adversary \(\textsf{A}\), for all sufficiently-large \(\kappa \in {\mathbb {N}}\) and all \(N \in {\mathbb {N}}\), it holds that \(\textsf{Adv}^{\textsf {UF}\text {-}\textsf {CMA}}_{\Pi ^{\textsf {ABA}},\textsf{A}}(\kappa , N) <\textsf{negl}({\kappa })\), where \(\textsf{Adv}^{\textsf {UF}\text {-}\textsf {CMA}}_{\Pi ^{\textsf {ABA}},\textsf{A}}(\kappa , N):= \Pr \left[ \textsf{Exp}^{\textsf {UF}\text {-}\textsf {CMA}}_{\Pi ^{\textsf {ABA}}, \textsf{A}}( \kappa , N) \rightarrow 1\right] \).

Anonymity We define two kinds of anonymity for ABA, full anonymity (Full-ANO-CMA) and anonymity (ANO-CMA). In this paper, we denote ABA with anonymity and ABA with full anonymity as ANO-BA and Full-ANO-BA, respectively. Let \(\textsf{A}\) be any PPT adversary against Full-ANO-CMA security. We consider an experiment \(\textsf{Exp}^{\textsf {Full}\text {-}\textsf {ANO}\text {-}\textsf {CMA}}_{\Pi ^{\textsf {ABA}},\textsf{A}}(\kappa , N)\) between a challenger \(\textsf{C}\) and \(\textsf{A}\).

\(\underline{\textsf{Exp}^{\textsf {Full}\text {-}\textsf {ANO}\text {-}\textsf {CMA}}_{\Pi ^{\textsf {ABA}},\textsf{A}}(\kappa ,N)}\)

\(\textsf{C}\) runs \(\textsf {Setup}(1^{\kappa },N)\) to get \(\textsf {ak}\) and randomly chooses \(b\in \{ 0,1 \}\). Let \({\mathcal {D}}, {\mathcal {C}}{\mathcal {D}}, {\mathcal {M}}_{{\textsc {a}}}\) be empty sets. Here, \({\mathcal {D}}\) is the set of recipients currently participating in the protocol, \({\mathcal {C}}{\mathcal {D}}\) is the set of identifiers of recipients whose verification keys \(\textsf{A}\) has obtained, and \({\mathcal {M}}_{{\textsc {a}}}\) is the set of messages used for authentication queries. \(\textsf{A}\) may adaptively issue the following queries to \(\textsf{C}\).

  • Key-generation Query: Upon a query \(\textsf {id}\in {\mathcal {I}}{\mathcal {D}}\) from \(\textsf{A}\), \(\textsf{C}\) adds \(\textsf {id}\) to \({\mathcal {D}}\) and generates \(\textsf {vk}_{{\textsf {id}}} \leftarrow \textsf {Join}(\textsf {ak},\textsf {id})\). Note that \(\textsf{A}\) obtains nothing, and that \(\textsf{A}\) is allowed to make this query at most N times.

  • Corruption Query: Upon a query \(\textsf {id}\in {\mathcal {D}}\) from \(\textsf{A}\), \(\textsf{C}\) adds \(\textsf {id}\) to \({\mathcal {C}}{\mathcal {D}}\), and returns \(\textsf {vk}_{{\textsf {id}}}\) to \(\textsf{A}\).

  • Authentication Query: Upon a query \(({\textsf{m}}, {\mathcal {S}}) \in {\mathcal {M}}\times 2^{{\mathcal {D}}}_{\le N}\) from \(\textsf{A}\), \(\textsf{C}\) adds \({\textsf{m}}\) to \({\mathcal {M}}_{{\textsc {a}}}\), and returns \(\textsf {cmd}_{{{\mathcal {S}}}} \leftarrow \textsf {Auth}(\textsf {ak}, {\textsf{m}}, {\mathcal {S}})\) to \(\textsf{A}\).

  • Challenge Query: Upon a query \(({\textsf{m}},{\mathcal {S}}_0,{\mathcal {S}}_1)\in {\mathcal {M}}\times \left( 2^{{\mathcal {D}}}_{\le N}\right) ^2\) from \(\textsf{A}\), \(\textsf{C}\) runs \(\textsf {cmd}_{{{\mathcal {S}}_b}} \leftarrow \textsf {Auth}(\textsf {ak}, {\textsf{m}},{\mathcal {S}}_b)\) and returns \(\textsf {cmd}_{{{\mathcal {S}}_b}}\) to \(\textsf{A}\). \(\textsf{A}\) is allowed to make this query only once under the restriction that \(({\mathcal {S}}_0 \bigtriangleup {\mathcal {S}}_1) \cap {\mathcal {C}}{\mathcal {D}}= \emptyset , {\textsf{m}}\not \in {\mathcal {M}}_{{\textsc {a}}}\).

At some point, \(\textsf{A}\) outputs \(b'\). If \(b'=b\), \(\textsf{C}\) sets 1 as the output of \(\textsf{Exp}^{\textsf {Full}\text {-}\textsf {ANO}\text {-}\textsf {CMA}}_{\Pi ^{\textsf {ABA}},\textsf{A}}(\kappa ,N)\). Otherwise, \(\textsf{C}\) sets 0. Then \(\textsf{C}\) terminates the experiment.

We can also define ANO-CMA with an experiment \(\textsf{Exp}^{\textsf {ANO}\text {-}\textsf {CMA}}_{\Pi ^{\textsf {ABA}},\textsf{A}}(\kappa ,N)\) which is the same as \(\textsf{Exp}^{\textsf {Full}\text {-}\textsf {ANO}\text {-}\textsf {CMA}}_{\Pi ^{\textsf {ABA}},\textsf{A}}(\kappa ,N)\) except for the following additional condition of the restriction for challenge query: \(|{\mathcal {S}}_0| = |{\mathcal {S}}_1|\).

Definition 7

(Anonymity) We say \(\Pi ^{\textsf {ABA}}\) is X secure (X \(\in \) {Full-ANO-CMA, ANO-CMA}) if for any PPT adversary \(\textsf{A}\), for all sufficiently-large \(\kappa \in {\mathbb {N}}\) and all \(N \in {\mathbb {N}}\), it holds that \(\textsf{Adv}^{X}_{{\Pi ^{\textsf {ABA}},\textsf{A}}}(\kappa , N) < \textsf{negl}({\kappa })\), where \(\textsf{Adv}^{X}_{{\Pi ^{\textsf {ABA}},\textsf{A}}}(\kappa , N):=\left| \Pr \left[ \textsf{Exp}^{X}_{{\Pi ^{\textsf {ABA}},\textsf{A}}} (\kappa ,N) \rightarrow 1\right] - \frac{1}{2}\right| \).

3 Atomic broadcast encryption

In this section, we give a formal syntax of Atomic Broadcast Encryption (AtBE) to formally describe properties satisfied by existing BE schemes. These properties are used to formalize properties of existing Anonymous BE schemes and derive lower bounds. We further provide security definitions for AtBE.

3.1 Syntax of AtBE

Our AtBE aims to describe the encryption and decryption performed for each recipient in a designated set inside the \(\textsf {Enc}\) and \(\textsf {Dec}\) algorithms of BE. Towards that aim, ciphertexts, decryption keys, and public keys are divided into multiple sub-elements. An AtBE scheme \(\Pi ^{\textsf {At}\text {-}\textsf {BE}}\) consists of six algorithms \(({\textsf {Setup}\text {-}\textsf {at}, \textsf {Join}\text {-}\textsf {at}, \textsf {Enc}, \textsf {Enc}\text {-}\textsf {at}, \textsf {Dec}, \textsf {Dec}\text {-}\textsf {at}})\), where \(\textsf {Enc}\) and \(\textsf {Dec}\) are the same as those of BE.

  1.

    \((\textsf {mk}, \{\textsf {pk}^{\left( {\delta }\right) } \}_{\delta \in \Delta }) \leftarrow \textsf {Setup}\text {-}\textsf {at}(1^{\kappa },N)\): a probabilistic algorithm for setup. It takes a security parameter \(1^{\kappa }\) and the maximum number of recipients \(N\in {\mathbb {N}}\) as input, and outputs a master secret key \(\textsf {mk}\) and a public key \(\textsf {pk}\) consisting of \(|\Delta |\) atomic public keys \(\{\textsf {pk}^{\left( {\delta }\right) } \}_{\delta \in \Delta }\).

  2.

    \(\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}} \leftarrow \textsf {Join}\text {-}\textsf {at}(\textsf {mk}, \textsf {id})\): a decryption key generation algorithm. It takes \(\textsf {mk}\) and an identifier \(\textsf {id}\in {\mathcal {I}}{\mathcal {D}}\), as input, and outputs a decryption key \(\textsf {sk}_{{\textsf {id}}}\) for \(\textsf {id}\) consisting of \(|\Gamma _{\textsf {id}}|\) atomic decryption keys \(\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}}\).

  3.

    \(\textsf {ct}_{{\mathcal {S}}, \textsf {id}}\leftarrow \textsf {Enc}\text {-}\textsf {at}(\{\textsf {pk}^{\left( {\delta }\right) } \}_{\delta \in \Delta '}, {\mathcal {S}}, {\textsf{m}}, \textsf {id}; {\textsf{r}})\): an atomic encryption algorithm. It takes a subset of the atomic public key \(\{\textsf {pk}^{\left( {\delta }\right) } \}_{\delta \in \Delta '}\), a privileged set \({\mathcal {S}}\subseteq {\mathcal {I}}{\mathcal {D}}\), a message \({\textsf{m}}\in {\mathcal {M}}\), an identifier \(\textsf {id}\in {\mathcal {I}}{\mathcal {D}}\), and randomness \({\textsf{r}}\) as input, and outputs an atomic ciphertext \(\textsf {ct}_{{\mathcal {S}}, \textsf {id}}\), where \(\Delta ' \subseteq \Delta \).

  4.

    \({\textsf{m}}\leftarrow \textsf {Dec}\text {-}\textsf {at}(\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}'}, \textsf {ct}_{{\mathcal {S}}, \textsf {id}})\): an atomic decryption algorithm. It takes a subset of atomic decryption keys \(\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}'}\), and \(\textsf {ct}_{{\mathcal {S}}, \textsf {id}}\) as input, and outputs a message \({\textsf{m}}\in {\mathcal {M}}\cup \{\bot \}\), where \(\Gamma _{\textsf {id}}' \subseteq \Gamma _{\textsf {id}}\).

\(\textsf {Setup}\text {-}\textsf {at}\) and \(\textsf {Join}\text {-}\textsf {at}\) are essentially equivalent to \(\textsf {Setup}\) and \(\textsf {Join}\) in BE, respectively, except that public and decryption keys are explicitly divided into multiple sub-elements. As in the case of \(\textsf {Join}\) in BE, we regard \(\textsf {Join}\text {-}\textsf {at}\) as a deterministic algorithm. On the other hand, \(\textsf {Enc}\) and \(\textsf {Dec}\) include \(\textsf {Enc}\text {-}\textsf {at}\) and \(\textsf {Dec}\text {-}\textsf {at}\) as sub-algorithms, respectively, though they might contain procedures other than these sub-algorithms. Therefore, AtBE includes both \((\textsf {Enc},\textsf {Dec})\) and \((\textsf {Enc}\text {-}\textsf {at},\textsf {Dec}\text {-}\textsf {at})\).

We require a natural property for AtBE that an atomic ciphertext \(\textsf {ct}_{{\mathcal {S}}, \textsf {id}}\) contained in ciphertext \(\textsf {ct}_{{{\mathcal {S}}}}\) will be correctly decrypted by a decryption key \(\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}}\) of a recipient \(\textsf {id}\in {\mathcal {S}}\) as follows:

Atomic correctness Fix any \(\kappa , N \in {\mathbb {N}}\), any \((\textsf {mk}, \{\textsf {pk}^{\left( {\delta }\right) } \}_{\delta \in \Delta }) \leftarrow \textsf {Setup}\text {-}\textsf {at}(1^{\kappa },N)\), any \({\mathcal {S}}\subseteq {\mathcal {I}}{\mathcal {D}}\) such that \(|{\mathcal {S}}| \le N\), any \({\textsf{m}}\in {\mathcal {M}}\), any \(\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}} \leftarrow \textsf {Join}\text {-}\textsf {at}(\textsf {mk}, \textsf {id})\), any \({\textsf{r}}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathcal {R}}\). Let \(\textsf {ct}_{{{\mathcal {S}}}} \leftarrow \textsf {Enc}(\{\textsf {pk}^{\left( {\delta }\right) } \}_{\delta \in \Delta }, {\textsf{m}}, {\mathcal {S}};{\textsf{r}})\). Then, there exists some \(\Delta ' \subseteq \Delta \) for every \(\textsf {id}\in {\mathcal {S}}\), such that \(\textsf {ct}_{{\mathcal {S}}, \textsf {id}}\leftarrow \textsf {Enc}\text {-}\textsf {at}(\{\textsf {pk}^{\left( {\delta }\right) } \}_{\delta \in \Delta '}, \textsf {id}, {\textsf{m}}, {\mathcal {S}};{\textsf{r}})\) and \(\textsf {ct}_{{\mathcal {S}}, \textsf {id}}\in \textsf {ct}_{{{\mathcal {S}}}}\). Moreover, the following conditions hold with overwhelming probability:

  • \(\textsf {Dec}(\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}}, \textsf {ct}_{{{\mathcal {S}}}}) \rightarrow {\textsf{m}}\).

  • \(\textsf {Dec}\text {-}\textsf {at}( \{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma '_{\textsf {id}}}, \textsf {ct}_{{\mathcal {S}}, \textsf {id}}) \rightarrow {\textsf{m}}\) for some \(\Gamma _{\textsf {id}}' \subseteq \Gamma _{\textsf {id}}\).

Namely, the above guarantees that (1) a BE ciphertext for \({\mathcal {S}}\) contains AtBE ciphertexts for all \(\textsf {id}\in {\mathcal {S}}\); (2) the BE ciphertext can be correctly decrypted by the \(\textsf {Dec}\), which implies Correctness of BE; and (3) every AtBE ciphertext can be correctly decrypted by the \(\textsf {Dec}\text {-}\textsf {at}\). Therefore, Atomic Correctness of AtBE includes Correctness of BE. Thus, a BE scheme is called an AtBE scheme if the \(\textsf {Enc}\) and \(\textsf {Dec}\) include the \(\textsf {Enc}\text {-}\textsf {at}\) and \(\textsf {Dec}\text {-}\textsf {at}\) (satisfying the above Atomic Correctness), respectively.

3.2 Properties in existing BE schemes

As described in Sect. 1.2, Kiayias and Samari [20] assumed a special property for Anonymous BE schemes in their analysis, and it is difficult to check whether the property holds for existing Anonymous BE schemes. Therefore, our goal is to replace that property with a natural one for which it can be checked whether it holds for existing Anonymous BE schemes. To achieve this, in this section we describe four properties that hold in most existing (i.e., both non-Anonymous and Anonymous) BE schemes. In particular, we show that they hold for the pairing-based BE scheme of Boneh et al. [5]. The four properties are described as follows:

Property 1

When a ciphertext has intended recipient set \({\mathcal {S}}\), then any recipient in \({\mathcal {S}}\) can obtain the underlying message by decrypting at least one of the corresponding atomic ciphertexts. More formally, ciphertext \(\textsf {ct}_{{{\mathcal {S}}}}\) output from the \(\textsf {Enc}\) algorithm consists of the atomic ciphertexts \(\textsf {ct}_{{\mathcal {S}}, \textsf {id}}\) obtained by the \(\textsf {Enc}\text {-}\textsf {at}\) algorithm, and other elements.Footnote 7 In other words, let the set of atomic ciphertexts contained in \(\textsf {ct}_{{{\mathcal {S}}}}\) be \(\{\textsf {ct}_{{\mathcal {S}}, \textsf {id}}\}_{\textsf {id}\in {\mathcal {S}}}\), and let the union of \(\{\textsf {ct}_{{\mathcal {S}}, \textsf {id}}\}_{\textsf {id}\in {\mathcal {S}}}\) and the other elements contained in \(\textsf {ct}_{{{\mathcal {S}}}}\) be \(\{\textsf {ct}_{{{\mathcal {S}}}}^{{({\theta })}}\}_{\theta \in [\beta _{{{\mathcal {S}}}}]}\); then it holds that \(\{\textsf {ct}_{{\mathcal {S}}, \textsf {id}}\}_{\textsf {id}\in {\mathcal {S}}} \subseteq \{\textsf {ct}_{{{\mathcal {S}}}}^{{({\theta })}}\}_{\theta \in [\beta _{{{\mathcal {S}}}}]} \subseteq \textsf {ct}_{{{\mathcal {S}}}}\). Here, the randomness \({\textsf{r}}\) input to \(\textsf {Enc}\text {-}\textsf {at}\) is the same when generating each atomic ciphertext in \(\{\textsf {ct}_{{\mathcal {S}}, \textsf {id}}\}_{\textsf {id}\in {\mathcal {S}}}\). Also, inside the \(\textsf {Dec}\) algorithm, the \(\textsf {Dec}\text {-}\textsf {at}\) algorithm takes an atomic ciphertext and a set of atomic decryption keys as input, and outputs a message. If \(\textsf {ct}_{{{\mathcal {S}}}}\) is a valid ciphertext, then there is an atomic ciphertext \(\textsf {ct}_{{{\mathcal {S}}}}^{{({\theta })}}\) in \(\textsf {ct}_{{{\mathcal {S}}}}\) that can be decrypted using a subset of the atomic decryption keys of a recipient \(\textsf {id}\) in \({\mathcal {S}}\).
Formally, we require the following property for AtBE \(\Pi ^{\textsf {At}\text {-}\textsf {BE}}\):

For all \(\kappa ,N \in {\mathbb {N}}\), all \((\textsf {mk}, \{\textsf {pk}^{\left( {\delta }\right) } \}_{\delta \in \Delta }) \leftarrow \textsf {Setup}\text {-}\textsf {at}(1^{\kappa },N)\), all \({\textsf{m}}\in {\mathcal {M}}\), all \({\mathcal {S}}\subseteq {\mathcal {I}}{\mathcal {D}}\) such that \(|{\mathcal {S}}| \le N\), all \(\textsf {id}\in {\mathcal {I}}{\mathcal {D}}\), all \(\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}} \leftarrow \textsf {Join}\text {-}\textsf {at}(\textsf {mk}, \textsf {id})\), all \({\textsf{r}}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathcal {R}}\), all \(\{\textsf {ct}_{{{\mathcal {S}}}}^{{({\theta })}}\}_{\theta \in [\beta _{{{\mathcal {S}}}}]} \subseteq \textsf {ct}_{{{\mathcal {S}}}} \leftarrow \textsf {Enc}(\{\textsf {pk}^{\left( {\delta }\right) } \}_{\delta \in \Delta }, {\textsf{m}}, {\mathcal {S}};{\textsf{r}})\), if \(\textsf {id}\in {\mathcal {S}}\), then for some \(\Gamma _{\textsf {id}}' \subseteq \Gamma _{\textsf {id}}\), there exists \(\theta \in [\beta _{{{\mathcal {S}}}}]\) such that \({\textsf{m}}\leftarrow \textsf {Dec}\text {-}\textsf {at}(\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma '_{\textsf {id}}}, \textsf {ct}_{{{\mathcal {S}}}}^{{({\theta })}})\) with overwhelming probability. If \(\textsf {id}\notin {\mathcal {S}}\), then for all \(\Gamma _{\textsf {id}}' \subseteq \Gamma _{\textsf {id}}\), there is no \(\theta \in [\beta _{{{\mathcal {S}}}}]\) such that \({\textsf{m}}\leftarrow \textsf {Dec}\text {-}\textsf {at}(\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma '_{\textsf {id}}}, \textsf {ct}_{{{\mathcal {S}}}}^{{({\theta })}})\) with overwhelming probability.

Property 2

A triplet of recipient, recipient set, and message \((\textsf {id},{\mathcal {S}},{\textsf{m}})\) uniquely determines the minimum subset of atomic public keys required to generate an atomic ciphertext \(\textsf {ct}_{{\mathcal {S}}, \textsf {id}}\). More formally, when generating \(\textsf {ct}_{{\mathcal {S}}, \textsf {id}}\) such that \({\textsf{m}}\leftarrow \textsf {Dec}\text {-}\textsf {at}(\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}'}, \textsf {ct}_{{\mathcal {S}}, \textsf {id}})\) for some \(\gamma \in \Gamma _{\textsf {id}}'\), let \(\Delta ^*_{\textsf {id}, {\mathcal {S}}, {\textsf{m}}}\) be the minimum subset of atomic public keys required as input to \(\textsf {Enc}\text {-}\textsf {at}\). In this case, for any \({\mathcal {S}}\subset {\mathcal {I}}{\mathcal {D}}\), any \(\textsf {id}\in {\mathcal {S}}\), and any \({\textsf{m}}\in {\mathcal {M}}\), \(\Delta ^*_{\textsf {id}, {\mathcal {S}}, {\textsf{m}}}\) is uniquely determined by the triplet \((\textsf {id}, {\mathcal {S}}, {\textsf{m}})\) input to \(\textsf {Enc}\text {-}\textsf {at}\).

Property 3

A pair of recipient and recipient set \((\textsf {id},{\mathcal {S}})\) uniquely determines the minimum subset of atomic decryption keys required to decrypt a (correctly-generated) atomic ciphertext \(\textsf {ct}_{{\mathcal {S}}, \textsf {id}}\). More formally, when \({\textsf{m}}\leftarrow \textsf {Dec}\text {-}\textsf {at}(\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}'}, \textsf {ct}_{{\mathcal {S}}, \textsf {id}})\) holds, let \(\Gamma _{\textsf {id}, {\mathcal {S}}}^*\) be the minimum subset of atomic decryption keys required as input to the \(\textsf {Dec}\text {-}\textsf {at}\). In this case, for any \({\mathcal {S}}\subset {\mathcal {I}}{\mathcal {D}}\) and any \(\textsf {id}\in {\mathcal {S}}\), \(\Gamma _{\textsf {id}, {\mathcal {S}}}^*\) is uniquely determined by the pair \((\textsf {id}, {\mathcal {S}})\) input to the \(\textsf {Enc}\text {-}\textsf {at}\) when generating \(\textsf {ct}_{{\mathcal {S}}, \textsf {id}}\).

Property 4

If two atomic ciphertexts \(\textsf {ct}_{{\mathcal {S}}, \textsf {id}}, \textsf {ct}_{{\mathcal {S}}, \textsf {id}'}\) are identical, then the two corresponding minimum subsets of atomic public keys generating \(\textsf {ct}_{{\mathcal {S}}, \textsf {id}}\) and \(\textsf {ct}_{{\mathcal {S}}, \textsf {id}'}\) are also identical. More formally, for all \((\textsf {mk}, \{\textsf {pk}^{\left( {\delta }\right) } \}_{\delta \in \Delta }) \leftarrow \textsf {Setup}(1^{\kappa },N), \textsf {id}, \textsf {id}' \in {\mathcal {I}}{\mathcal {D}}\), all \({\mathcal {S}}\subset {\mathcal {I}}{\mathcal {D}}\) such that \(\{\textsf {id}, \textsf {id}'\} \subseteq {\mathcal {S}}\), all \({\textsf{m}}\in {\mathcal {M}}, {\textsf{r}}\in {\mathcal {R}}\), all \(\textsf {ct}_{{\mathcal {S}}, \textsf {id}}\leftarrow \textsf {Enc}\text {-}\textsf {at}(\{\textsf {pk}^{\left( {\delta }\right) } \}_{\delta \in \Delta ^*_{\textsf {id}, {\mathcal {S}}, {\textsf{m}}}}, \textsf {id}, {\textsf{m}}, {\mathcal {S}}; {\textsf{r}}), \textsf {ct}_{{\mathcal {S}}, \textsf {id}'}\leftarrow \textsf {Enc}\text {-}\textsf {at}(\{\textsf {pk}^{\left( {\delta '}\right) } \}_{\delta ' \in \Delta ^*_{\textsf {id}', {\mathcal {S}}, {\textsf{m}}}}, \textsf {id}', {\textsf{m}}, {\mathcal {S}}; {\textsf{r}})\), if \(\textsf {ct}_{{\mathcal {S}}, \textsf {id}}= \textsf {ct}_{{\mathcal {S}}, \textsf {id}'}\) holds, then we have \(\{\textsf {pk}^{\left( {\delta }\right) } \}_{\delta \in \Delta ^*_{\textsf {id}, {\mathcal {S}}, {\textsf{m}}}} = \{\textsf {pk}^{\left( {\delta '}\right) } \}_{\delta ' \in \Delta ^*_{\textsf {id}', {\mathcal {S}}, {\textsf{m}}}}\) with overwhelming probability.

We show in Appendix A that the BE scheme in [5] meets Properties 1, 2, 3 and 4. In addition, we can similarly show that the existing (both non-Anonymous and Anonymous) BE schemes [1, 2, 3, 6, 15, 16, 24, 25, 30, 38] satisfy Properties 1, 2, 3 and 4 as well; thus it is reasonable to assume Properties 1, 2, 3 and 4 in this paper.

3.3 Security definitions for AtBE

We define chosen ciphertext security and anonymity for AtBE in the same way as in BE. In the following, we give definitions of anonymity and indistinguishability against chosen ciphertext attacks for AtBE ((Full-)ANOat-IND-CCA), IND-CCA (INDat-CCA) and (full) anonymity ((Full-)ANOat-CCA).

Security games for AtBE are the same as those for BE except that an attacker obtains explicitly-divided public keys, decryption keys, and a challenge ciphertext. Essentially, there is no difference between the security games for BE and those for AtBE in the information the attacker obtains. Therefore, we consider (Full-)ANOat-IND-CCA, INDat-CCA and (Full-)ANOat-CCA defined below to be security notions equivalent to (Full-)ANO-IND-CCA, IND-CCA and (Full-)ANO-CCA, respectively.

Chosen ciphertext security and anonymity for AtBE Let \(\textsf{A}\) be any PPT adversary against Full-ANOat-IND-CCA security. We define Full-ANOat-IND-CCA with an experiment \(\textsf{Exp}^{{\textsf {Full}\text {-}\mathsf ANOat}\text {-}\textsf {IND}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {At}\text {-}\textsf {BE}},\textsf{A}}\) which is the same as \(\textsf{Exp}^{{\textsf {Full}\text {-}\mathsf ANO}\text {-}\textsf {IND}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {BE}},\textsf{A}}\) except for the following changes to the key-generation query and the corruption query:

  • Key-generation Query: Upon a query \(\textsf {id}\in {\mathcal {I}}{\mathcal {D}}\) from \(\textsf{A}\), \(\textsf{C}\) adds \(\textsf {id}\) to \({\mathcal {D}}\) and generates \(\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}} \leftarrow \textsf {Join}\text {-}\textsf {at}(\textsf {mk}, \textsf {id})\), not \(\textsf {sk}_{{\textsf {id}}} \leftarrow \textsf {Join}(\textsf {mk},\textsf {id})\).

  • Corruption Query: Upon a query \(\textsf {id}\in {\mathcal {D}}\) from \(\textsf{A}\), \(\textsf{C}\) adds \(\textsf {id}\) to \({\mathcal {C}}{\mathcal {D}}\), and returns \(\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}}\) to \(\textsf{A}\), not \(\textsf {sk}_{{\textsf {id}}}\).

We can also define ANOat-IND-CCA with an experiment \(\textsf{Exp}^{\textsf {ANOat}\text {-}\textsf {IND}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {At}\text {-}\textsf {BE}},\textsf{A}}(\kappa ,N)\) which is the same as \(\textsf{Exp}^{{\textsf {Full}\text {-}\mathsf ANOat}\text {-}\textsf {IND}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {At}\text {-}\textsf {BE}},\textsf{A}}(\kappa ,N)\) except for the following additional condition of the restriction for challenge query: \(|{\mathcal {S}}_0| = |{\mathcal {S}}_1|\).

Definition 8

((Full-)ANOat-IND-CCA) We say \(\Pi ^{\textsf {At}\text {-}\textsf {BE}}\) is X-CCA secure (X \(\in \) {Full-ANOat-IND, ANOat-IND}) if for any PPT adversary \(\textsf{A}\), for all sufficiently-large \(\kappa \in {\mathbb {N}}\) and all \(N \in {\mathbb {N}}\), it holds that \(\textsf{Adv}^{X}_{{\Pi ^{\textsf {At}\text {-}\textsf {BE}},\textsf{A}}}(\kappa , N) < \textsf{negl}({\kappa })\), where \(\textsf{Adv}^{X}_{{\Pi ^{\textsf {At}\text {-}\textsf {BE}},\textsf{A}}}(\kappa , N):= \left| \Pr \left[ \textsf{Exp}^{X}_{{\Pi ^{\textsf {At}\text {-}\textsf {BE}},\textsf{A}}}(\kappa , N) \rightarrow 1\right] - \frac{1}{2}\right| \).

We also define INDat-CCA with an experiment \(\textsf{Exp}^{\textsf {INDat}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {At}\text {-}\textsf {BE}},\textsf{A}}(\kappa ,N)\) which is the same as \(\textsf{Exp}^{{\textsf {Full}\text {-}\mathsf ANOat}\text {-}\textsf {IND}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {At}\text {-}\textsf {BE}},\textsf{A}}(\kappa ,N)\), except for the following additional condition of the restriction for challenge query: \({\mathcal {S}}_0 = {\mathcal {S}}_1\).

Definition 9

(INDat-CCA) We say \(\Pi ^{\textsf {At}\text {-}\textsf {BE}}\) is INDat-CCA secure if for any PPT adversary \(\textsf{A}\), for all sufficiently-large \(\kappa \in {\mathbb {N}}\) and all \(N \in {\mathbb {N}}\), it holds that \(\textsf{Adv}^{\textsf {INDat}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {At}\text {-}\textsf {BE}},\textsf{A}}(\kappa , N) < \textsf{negl}({\kappa })\), where \(\textsf{Adv}^{\textsf {INDat}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {At}\text {-}\textsf {BE}},\textsf{A}}(\kappa , N):=\left| \Pr \left[ \textsf{Exp}^{\textsf {INDat}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {At}\text {-}\textsf {BE}},\textsf{A}}(\kappa , N) \rightarrow 1\right] -\frac{1}{2}\right| \).

Also, (Full-)ANOat-CCA can be defined with experiments \(\textsf{Exp}^{ \textsf {Full}\text {-}\textsf {ANOat}\text {-}\textsf {CCA} }_{\Pi ^{\textsf {At}\text {-}\textsf {BE}},\textsf{A}}(\kappa ,N)\) and \(\textsf{Exp}^{\textsf {ANOat}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {At}\text {-}\textsf {BE}},\textsf{A}}(\kappa ,N)\) which are the same as \(\textsf{Exp}^{{\textsf {Full}\text {-}\mathsf ANOat}\text {-}\textsf {IND}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {At}\text {-}\textsf {BE}},\textsf{A}}(\kappa ,N)\) and \(\textsf{Exp}^{\textsf {ANOat}\text {-}\textsf {IND}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {At}\text {-}\textsf {BE}},\textsf{A}}(\kappa ,N)\) respectively, except for the following additional condition of the restriction for challenge query: \({\textsf{m}}_0 = {\textsf{m}}_1\).

Definition 10

((Full-)ANOat-CCA) We say \(\Pi ^{\textsf {At}\text {-}\textsf {BE}}\) is X-CCA secure (X \(\in \) {Full-ANOat, ANOat}) if for any PPT adversary \(\textsf{A}\), for all sufficiently-large \(\kappa \in {\mathbb {N}}\) and all \(N \in {\mathbb {N}}\), it holds that \(\textsf{Adv}^{X}_{{\Pi ^{\textsf {At}\text {-}\textsf {BE}},\textsf{A}}}(\kappa , N) < \textsf{negl}({\kappa })\), where \(\textsf{Adv}^{X}_{{\Pi ^{\textsf {At}\text {-}\textsf {BE}},\textsf{A}}}(\kappa , N):=\left| \Pr \left[ \textsf{Exp}^{X}_{{\Pi ^{\textsf {At}\text {-}\textsf {BE}},\textsf{A}}} (\kappa , N) \rightarrow 1\right] - \frac{1}{2}\right| \).

4 Asymptotic lower bounds in ANO-BE

We derive lower bounds for AtBE schemes with ANOat-CCA security and Full-ANOat-CCA security. First, we define a property assumed for AtBE schemes and show that it holds for the ANO-BE scheme of Libert et al. [25]. Then, we derive lower bounds for ANO-BE and Full-ANO-BE under the property described in Sect. 4.1. In the following analysis, we assume that an AtBE scheme satisfies INDat-CCA security, even where this is not explicitly stated.

4.1 A property of ANO-BE and Full-ANO-BE

In order to derive lower bounds for ANO-BE and Full-ANO-BE, we assume a property that “a minimum subset of atomic decryption keys used to decrypt ciphertexts is uniquely determined by a subset of public keys used to generate the ciphertext.” Specifically, we consider the following property for both ANO-BE and Full-ANO-BE (see Sect. 1.2 for the intuitive definition):

Assumption 2 When \((\textsf {mk}, \{\textsf {pk}^{\left( {\delta }\right) } \}_{\delta \in \Delta }) \leftarrow \textsf {Setup}(1^{\kappa },N)\) is generated, we denote by \(\mathcal{P}\mathcal{K}^*\) the set of all atomic public keys, namely \(\mathcal{P}\mathcal{K}^*:= \{\textsf {pk}^{\left( {\delta }\right) } \}_{\delta \in \Delta }\). When \(\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}} \leftarrow \textsf {Join}\text {-}\textsf {at}(\textsf {mk}, \textsf {id})\) is generated, \(\mathcal{S}\mathcal{K}^*\) denotes the family of the minimum subsets of atomic decryption keys to be input to the \(\textsf {Dec}\text {-}\textsf {at}\), namely \(\mathcal{S}\mathcal{K}^*:= \{\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) }\}_{\gamma \in \Gamma _{\textsf {id}, {\mathcal {S}}}^*}\}_{\textsf {id}\in {\mathcal {I}}{\mathcal {D}}, {\mathcal {S}}\subseteq {\mathcal {I}}{\mathcal {D}}}\). Here, we note that \(\mathcal{S}\mathcal{K}^*\) is uniquely determined, since \(\textsf {Join}\text {-}\textsf {at}\) is a deterministic algorithm. Then, for all \(\textsf {id}\in {\mathcal {I}}{\mathcal {D}}\), all \({\mathcal {S}}\subseteq {\mathcal {I}}{\mathcal {D}}\), all \({\textsf{m}}\in {\mathcal {M}}\), all \({\textsf{r}}\in {\mathcal {R}}\), all \(\textsf {pk}' \in 2^{\mathcal{P}\mathcal{K}^*}\), and all \(\textsf {ct}_{{\mathcal {S}}, \textsf {id}}\leftarrow \textsf {Enc}\text {-}\textsf {at}(\textsf {pk}', \textsf {id}, {\textsf{m}}, {\mathcal {S}}; {\textsf{r}})\), the set of atomic decryption keys \(\textsf {sk}_{{}}' \in \mathcal{S}\mathcal{K}^*\cup \{\bot \}\) such that \({\textsf{m}}\leftarrow \textsf {Dec}\text {-}\textsf {at}(\textsf {sk}_{{}}', \textsf {ct}_{{\mathcal {S}}, \textsf {id}})\) is uniquely determined by the set of atomic public keys \(\textsf {pk}'\).

ANO-BE schemes satisfying the above property include Libert et al.’s scheme [25], which is a generic construction using a public key encryption scheme \(\textsf {PKE}\) and a one-time signature scheme \(\textsf {OTS}\). We show that the scheme in [25] meets the property in Appendix A.

In addition, we can similarly show that all of the existing ANO-BE and Full-ANO-BE schemes in [3, 20, 24, 25] satisfy Assumption 2.

4.2 Lower bounds in ANOat-CCA secure AtBE

First, we show two lemmas, Lemmas 2 and 3, for an ANOat-CCA secure AtBE with Properties 1, 2, 3 and 4 described in Sect. 3.2. In Lemma 2, we show that “if an AtBE is ANOat-CCA secure, then for ciphertexts with sets \({\mathcal {S}}_0, {\mathcal {S}}_1\) of equal size, the sets of atomic decryption keys used by a recipient \(\textsf {id}\) for each decryption are identical with overwhelming probability.” Then, in Lemma 3, we show that “if an AtBE is ANOat-CCA secure, then for any set \({\mathcal {S}}\) with more than two elements, recipients \(\textsf {id}, \textsf {id}' \in {\mathcal {S}}\) must not share a set of atomic decryption keys used to decrypt \(\textsf {ct}_{{{\mathcal {S}}}}\) with overwhelming probability.”

Then, for an ANOat-CCA secure AtBE with the property described in Assumption 2, we derive a lower bound on ciphertext size in Theorem 1.

For convenience, for any \({\mathcal {S}}_0,{\mathcal {S}}_1\subseteq {\mathcal {I}}{\mathcal {D}}\), we call \(({\mathcal {S}}_0, {\mathcal {S}}_1)\) challengeable sets if they can be used for a challenge query in the ANOat-CCA game \(\textsf{Exp}^{\textsf {ANOat}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {At}\text {-}\textsf {BE}},\textsf{A}}\).

Lemma 2

If AtBE \(\Pi ^{\textsf {At} \text {-}{} \textsf {BE} }\) is ANOat-CCA secure, no PPT adversary \(\textsf{A} \) in the ANOat-CCA game can find \(\textsf {id} \in {\mathcal {I}}{\mathcal {D}}\) and challengeable sets \(({\mathcal {S}}_0, {\mathcal {S}}_1)\in \left( 2^{{\mathcal {D}}}_{\le N}\right) ^2\) such that \(\textsf {id} \in {\mathcal {S}}_0 \cap {\mathcal {S}}_1\), \(|{\mathcal {S}}_0|=|{\mathcal {S}}_1|\), and \(\{\textsf {sk} _{\textsf {id} }^{\left( \gamma \right) }\}_{\gamma \in \Gamma ^*_{\textsf {id} , {\mathcal {S}}_0}} \ne \{\textsf {sk} _{\textsf {id} }^{\left( \gamma \right) }\}_{\gamma \in \Gamma ^*_{\textsf {id} , {\mathcal {S}}_1}}\) with non-negligible probability.

Proof

We show this lemma by contraposition. Suppose that there exists a PPT adversary \(\textsf{A}\) that can find \((\textsf {id}, {\mathcal {S}}_0, {\mathcal {S}}_1)\) in the ANOat-CCA game such that \(({\mathcal {S}}_0, {\mathcal {S}}_1)\) are challengeable sets and it holds that \(\textsf {id}\in {\mathcal {S}}_0 \cap {\mathcal {S}}_1\), \(|{\mathcal {S}}_0|=|{\mathcal {S}}_1|\), and \(\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}, {\mathcal {S}}_0}} \ne \{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}, {\mathcal {S}}_1}}\) with non-negligible probability. Note that by Property 3, \(\Gamma ^*_{\textsf {id}, {\mathcal {S}}_0}\) and \(\Gamma ^*_{\textsf {id}, {\mathcal {S}}_1}\) are uniquely determined. Then, \(\textsf{A}\) can break ANOat-CCA security as follows. During the ANOat-CCA game, \(\textsf{A}\) can find \((\textsf {id}^*, {\mathcal {S}}_0, {\mathcal {S}}_1)\) such that \(\{\textsf {sk}_{{\textsf {id}^*}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}^*, {\mathcal {S}}_0}} \ne \{\textsf {sk}_{{\textsf {id}^*}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}^*, {\mathcal {S}}_1}}\). \(\textsf{A}\) then issues key-generation queries for every \(\textsf {id}\in {\mathcal {S}}_0 \cup {\mathcal {S}}_1\) and a corruption query for \(\textsf {id}^*\) (if \(\textsf{A}\) has not already issued them), and obtains a decryption key \(\{\textsf {sk}_{{\textsf {id}^*}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}^*}}\). \(\textsf{A}\) then issues a challenge query \(({\textsf{m}}, {\mathcal {S}}_0, {\mathcal {S}}_1)\) to obtain \(\{\textsf {ct}_{{{\mathcal {S}}_b}}^{{({\theta })}}\}_{\theta \in [\beta _{{{\mathcal {S}}_b}}]} \subseteq \textsf {ct}_{{{\mathcal {S}}_b}}\). Note that \(\textsf{A}\) can get the decryption key for \(\textsf {id}^*\) since \(\textsf {id}^* \in {\mathcal {S}}_0 \cap {\mathcal {S}}_1\) and \(({\mathcal {S}}_0, {\mathcal {S}}_1)\) can be used for the challenge query. Finally, \(\textsf{A}\) outputs \(b'=0\) if there exists \(\theta \in [\beta _{{{\mathcal {S}}_b}}]\) such that \({\textsf{m}}\leftarrow \textsf {Dec}\text {-}\textsf {at}(\{\textsf {sk}_{{\textsf {id}^*}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}^*, {\mathcal {S}}_0}}, \textsf {ct}_{{{\mathcal {S}}_b}}^{{({\theta })}})\), and \(b'=1\) otherwise. In this case, \(\textsf{A}\) can output \(b'\) such that \(b=b'\) with non-negligible probability. \(\square \)

Lemma 3

If AtBE \(\Pi ^{\textsf {At} \text {-}{} \textsf {BE} }\) is ANOat-CCA secure, no PPT adversary \(\textsf{A} \) in the ANOat-CCA game can find \((\textsf {id} , \textsf {id} ', {\mathcal {S}}) \in {\mathcal {I}}{\mathcal {D}}^2 \times 2^{{\mathcal {D}}}_{\le N}\) such that \(\textsf {id} , \textsf {id} ' \in {\mathcal {S}}\) and \(\{\textsf {sk} _{\textsf {id} }^{\left( \gamma \right) }\}_{\gamma \in \Gamma ^*_{\textsf {id}, {\mathcal {S}}}} = \{\textsf {sk} _{\textsf {id} '}^{\left( \gamma '\right) }\}_{\gamma ' \in \Gamma ^*_{\textsf {id} ', {\mathcal {S}}}}\) with non-negligible probability.

Proof

Assume, on the contrary, that there exists a PPT adversary \(\textsf{A}\) that can find \((\textsf {id},\textsf {id}',{\mathcal {S}})\) such that \(\textsf {id},\textsf {id}'\in {\mathcal {S}}\) and \(\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}, {\mathcal {S}}}} =\{\textsf {sk}_{{\textsf {id}'}}^{\left( {\gamma '}\right) } \}_{\gamma ' \in \Gamma ^*_{\textsf {id}', {\mathcal {S}}}}\) with non-negligible probability. Note that by Property 3, \(\Gamma ^*_{\textsf {id}, {\mathcal {S}}}\) and \(\Gamma ^*_{\textsf {id}', {\mathcal {S}}}\) are uniquely determined. We now show that this contradicts Property 1 of AtBE in Sect. 3.2 for any \({\mathcal {S}}'\) such that \(\textsf {id}\in {\mathcal {S}}'\), \(\textsf {id}' \notin {\mathcal {S}}'\), and \(|{\mathcal {S}}|=|{\mathcal {S}}'|\). Suppose that \(\textsf{A}\) has obtained the atomic decryption keys \(\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}}\) and \(\{\textsf {sk}_{{\textsf {id}'}}^{\left( {\gamma '}\right) } \}_{\gamma ' \in \Gamma _{\textsf {id}'}}\) through key-generation queries and corruption queries. Since \(\textsf {id}\in {\mathcal {S}}'\), we have \({\textsf{m}}\leftarrow \textsf {Dec}\text {-}\textsf {at}(\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}, {\mathcal {S}}'}}, \textsf {ct}_{{\mathcal {S}}', \textsf {id}})\). From Lemma 2, we have \(\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}, {\mathcal {S}}'}} =\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}, {\mathcal {S}}}}\) with overwhelming probability.Footnote 8

Hence, we have \({\textsf{m}}\leftarrow \textsf {Dec}\text {-}\textsf {at}( \{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}, {\mathcal {S}}}}, \textsf {ct}_{{\mathcal {S}}', \textsf {id}})\). Here, since \(\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}, {\mathcal {S}}}} =\{\textsf {sk}_{{\textsf {id}'}}^{\left( {\gamma '}\right) } \}_{\gamma ' \in \Gamma ^*_{\textsf {id}', {\mathcal {S}}}}\) from the assumption, we have \({\textsf{m}}\leftarrow \textsf {Dec}\text {-}\textsf {at}(\{\textsf {sk}_{{\textsf {id}'}}^{\left( {\gamma '}\right) } \}_{\gamma ' \in \Gamma ^*_{\textsf {id}', {\mathcal {S}}}}, \textsf {ct}_{{\mathcal {S}}', \textsf {id}})\). However, since \(\textsf {id}' \not \in {\mathcal {S}}'\) holds, the above contradicts Property 1. \(\square \)

In the following, we derive a lower bound on ciphertext size in ANOat-CCA secure AtBE with the property described in Assumption 2. Specifically, we show the following statement: if there exists a set \({\mathcal {S}}\) such that the number of atomic ciphertexts \(\textsf {ct}_{{{\mathcal {S}}}}^{{({\theta })}}\) contained in \(\textsf {ct}_{{{\mathcal {S}}}}\) is less than \(|{\mathcal {S}}|\) with non-negligible probability, then a contradiction with Lemma 3 occurs.

Theorem 1

If AtBE \(\Pi ^{\textsf {At} \text {-}{} \textsf {BE} }\) is ANOat-CCA secure and has the property in Assumption 2, the size of ciphertexts for any recipient set \({\mathcal {S}}\in 2^{{\mathcal {I}}{\mathcal {D}}}_{\le N}\) and any message \({\textsf{m}} \in {\mathcal {M}}\) is \(\Omega (|{\mathcal {S}}| \cdot k)\) with overwhelming probability, where \(k = \underset{{\mathcal {S}}\subseteq {\mathcal {I}}{\mathcal {D}}, \theta \in [\beta _{{{\mathcal {S}}}}]}{\min } |\textsf {ct} _{{\mathcal {S}}}^{{(\theta )}}|\) and the probability is taken over the internal randomness of the \(\textsf {Setup}\text {-}\textsf {at} \), \(\textsf {Enc} \), and \(\textsf {Enc}\text {-}\textsf {at} \). In other words, if AtBE \(\Pi ^{\textsf {At} \text {-}{} \textsf {BE} }\) is ANOat-CCA secure and has the property in Assumption 2, for any recipient set \({\mathcal {S}}\in 2^{{\mathcal {I}}{\mathcal {D}}}_{\le N}\) and any message \({\textsf{m}} \in {\mathcal {M}}\), the \(\textsf {Enc} \) outputs a ciphertext of size \(\Omega (|{\mathcal {S}}| \cdot k)\) with overwhelming probability.

Proof

Suppose that for some set of recipients \({\mathcal {S}}^* \in 2^{{\mathcal {I}}{\mathcal {D}}}_{\le N}\) and message \({\textsf{m}}^* \in {\mathcal {M}}\), with non-negligible probability the \(\textsf {Enc}\) outputs \(\textsf {ct}_{{{\mathcal {S}}^*}} = \{\textsf {ct}_{{{\mathcal {S}}^*}}^{{({\theta })}}\}_{\theta \in [\beta _{{{\mathcal {S}}^*}}]} \leftarrow \textsf {Enc}(\{\textsf {pk}^{\left( {\delta }\right) } \}_{\delta \in \Delta }, {\textsf{m}}^*, {\mathcal {S}}^*;{\textsf{r}}^*)\) with \(\beta _{{{\mathcal {S}}^*}} < |{\mathcal {S}}^*|\). Let \(\textsf{A}\) be any fixed PPT adversary against the ANOat-CCA game. Then, \(\textsf{A}\) can identify such \(({\mathcal {S}}^*, {\textsf{m}}^*)\) with non-negligible probability since \(\textsf{A}\) knows the concrete procedure of the \(\textsf {Enc}\) (which should be public due to Kerckhoffs’ principle).Footnote 9 We then show that \(\textsf{A}\) can find \((\textsf {id},\textsf {id}',{\mathcal {S}}^*)\) that contradicts Lemma 3. Now, since \(\beta _{{{\mathcal {S}}^*}} \ge 1\), we have \(|{\mathcal {S}}^*| \ge 2\). Since \(\beta _{{{\mathcal {S}}^*}} < |{\mathcal {S}}^*|\), among the atomic ciphertexts \(\{\textsf {ct}_{{{\mathcal {S}}^*}}^{{({\theta })}}\}_{\theta \in [\beta _{{{\mathcal {S}}^*}}]}\) there exists at least one atomic ciphertext \(\textsf {ct}_{{{\mathcal {S}}^*}}^{{({\theta ^*})}}\) that can be decrypted by two recipients \(\textsf {id}, \textsf {id}' \in {\mathcal {S}}^*\). That is, for such \(\textsf {id}, \textsf {id}' \in {\mathcal {S}}^*\), it holds that \(\textsf {ct}_{{{\mathcal {S}}^*}}^{{({\theta ^*})}} = \textsf {ct}_{{\mathcal {S}}, \textsf {id}}= \textsf {ct}_{{\mathcal {S}}, \textsf {id}'}\), where \(\textsf {ct}_{{\mathcal {S}}, \textsf {id}}, \textsf {ct}_{{\mathcal {S}}, \textsf {id}'}\) are generated by

$$\begin{aligned}&\textsf {ct}_{{\mathcal {S}}, \textsf {id}}\leftarrow \textsf {Enc}\text {-}\textsf {at}(\{\textsf {pk}^{\left( {\delta }\right) } \}_{\delta \in \Delta ^*_{\textsf {id}, {\mathcal {S}}^*, {\textsf{m}}^*}}, \textsf {id}, {\textsf{m}}^*, {\mathcal {S}}^*; {\textsf{r}}^*), \\&\textsf {ct}_{{\mathcal {S}}, \textsf {id}'}\leftarrow \textsf {Enc}\text {-}\textsf {at}(\{\textsf {pk}^{\left( {\delta }\right) } \}_{\delta \in \Delta ^*_{\textsf {id}', {\mathcal {S}}^*, {\textsf{m}}^*}}, \textsf {id}', {\textsf{m}}^*, {\mathcal {S}}^*; {\textsf{r}}^*), \end{aligned}$$

where \({\textsf{r}}^*\) is the same randomness as in the \(\textsf {Enc}\) above. Note that by Property 2, \(\Delta ^*_{\textsf {id}, {\mathcal {S}}^*, {\textsf{m}}^*}\) and \(\Delta ^*_{\textsf {id}', {\mathcal {S}}^*, {\textsf{m}}^*}\) are uniquely determined, and by Property 4, it holds that \(\{\textsf {pk}^{\left( {\delta }\right) } \}_{\delta \in \Delta ^*_{\textsf {id}, {\mathcal {S}}^*, {\textsf{m}}^*}} = \{\textsf {pk}^{\left( {\delta }\right) } \}_{\delta \in \Delta ^*_{\textsf {id}', {\mathcal {S}}^*, {\textsf{m}}^*}}\). In addition, by Atomic Correctness and Property 1, we have

$$\begin{aligned}&{\textsf{m}}^* \leftarrow \textsf {Dec}\text {-}\textsf {at}(\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}, {\mathcal {S}}^*}}, \textsf {ct}_{{{\mathcal {S}}^*}}^{{({\theta ^*})}}), \\&{\textsf{m}}^* \leftarrow \textsf {Dec}\text {-}\textsf {at}(\{\textsf {sk}_{{\textsf {id}'}}^{\left( {\gamma '}\right) } \}_{\gamma ' \in \Gamma ^*_{\textsf {id}', {\mathcal {S}}^*}}, \textsf {ct}_{{{\mathcal {S}}^*}}^{{({\theta ^*})}}). \end{aligned}$$

Note that by Property 3, \(\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}, {\mathcal {S}}^*}}\) and \(\{\textsf {sk}_{{\textsf {id}'}}^{\left( {\gamma '}\right) } \}_{\gamma ' \in \Gamma ^*_{\textsf {id}', {\mathcal {S}}^*}}\) are uniquely determined. From Assumption 2, \(\{\textsf {pk}^{\left( {\delta }\right) } \}_{\delta \in \Delta ^*_{\textsf {id}, {\mathcal {S}}^*, {\textsf{m}}^*}}\) and \(\{\textsf {pk}^{\left( {\delta }\right) } \}_{\delta \in \Delta ^*_{\textsf {id}', {\mathcal {S}}^*, {\textsf{m}}^*}}\) uniquely determine \(\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}, {\mathcal {S}}^*}}\) and \(\{\textsf {sk}_{{\textsf {id}'}}^{\left( {\gamma '}\right) } \}_{\gamma ' \in \Gamma ^*_{\textsf {id}', {\mathcal {S}}^*}}\) such that

$$\begin{aligned}&{\textsf{m}}^* \leftarrow \textsf {Dec}\text {-}\textsf {at}(\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}, {\mathcal {S}}^*}}, \textsf {Enc}\text {-}\textsf {at}(\{\textsf {pk}^{\left( {\delta }\right) } \}_{\delta \in \Delta ^*_{\textsf {id}, {\mathcal {S}}^*, {\textsf{m}}^*}}, \textsf {id}, {\textsf{m}}^*, {\mathcal {S}}^*; {\textsf{r}}^*)), \\&{\textsf{m}}^* \leftarrow \textsf {Dec}\text {-}\textsf {at}(\{\textsf {sk}_{{\textsf {id}'}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}', {\mathcal {S}}^*}}, \textsf {Enc}\text {-}\textsf {at}(\{\textsf {pk}^{\left( {\delta }\right) } \}_{\delta \in \Delta ^*_{\textsf {id}', {\mathcal {S}}^*, {\textsf{m}}^*}}, \textsf {id}', {\textsf{m}}^*, {\mathcal {S}}^*; {\textsf{r}}^*)), \end{aligned}$$

respectively. As mentioned above, it holds \(\{\textsf {pk}^{\left( {\delta }\right) } \}_{\delta \in \Delta ^*_{\textsf {id}, {\mathcal {S}}^*, {\textsf{m}}^*}} = \{\textsf {pk}^{\left( {\delta }\right) } \}_{\delta \in \Delta ^*_{\textsf {id}', {\mathcal {S}}^*, {\textsf{m}}^*}}\). Therefore, despite ANOat-CCA security of \(\Pi ^{\textsf {At}\text {-}\textsf {BE}}\), \(\textsf{A}\) can obtain \(\{\textsf {sk}_{{\textsf {id}}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}, {\mathcal {S}}^*}} = \{\textsf {sk}_{{\textsf {id}'}}^{\left( {\gamma '}\right) } \}_{\gamma ' \in \Gamma ^*_{\textsf {id}', {\mathcal {S}}^*}}\), which contradicts Lemma 3. \(\square \)

4.3 Lower bounds in Full-ANOat-CCA secure AtBE

We derive a lower bound on ciphertext size in Theorem 2 for Full-ANOat-CCA secure AtBE with the property described in Assumption 2, using Theorem 1.

Theorem 2

If AtBE \(\Pi ^{\textsf {At} \text {-}{} \textsf {BE} }\) is Full-ANOat-CCA secure and has the property in Assumption 2, the size of ciphertexts for any recipient set \({\mathcal {S}}\in 2^{{\mathcal {I}}{\mathcal {D}}}_{\le N}\) and any message \({\textsf{m}} \in {\mathcal {M}}\) is \(\Omega (N \cdot k)\) with overwhelming probability, where \(k = \underset{{\mathcal {S}}\subseteq {\mathcal {I}}{\mathcal {D}}, \theta \in [\beta _{{{\mathcal {S}}}}]}{\min } |\textsf {ct} _{{\mathcal {S}}}^{{(\theta )}}|\) and the probability is taken over the internal randomness of the \(\textsf {Setup}\text {-}\textsf {at} \), \(\textsf {Enc} \), and \(\textsf {Enc}\text {-}\textsf {at} \). In other words, if AtBE \(\Pi ^{\textsf {At} \text {-}{} \textsf {BE} }\) is Full-ANOat-CCA secure and has the property in Assumption 2, for any recipient set \({\mathcal {S}}\in 2^{{\mathcal {I}}{\mathcal {D}}}_{\le N}\) and any message \({\textsf{m}} \in {\mathcal {M}}\), the \(\textsf {Enc} \) outputs a ciphertext of size \(\Omega (N \cdot k)\) with overwhelming probability.

Proof

Since Full-ANOat-CCA security implies ANOat-CCA security, Theorem 1 already gives a ciphertext size of \(\Omega (|{\mathcal {S}}| \cdot \kappa )\) with overwhelming probability for any \({\mathcal {S}}\in 2^{{\mathcal {I}}{\mathcal {D}}}_{\le N}\). Now, we assume that for some set of recipients \({\mathcal {S}}^* \in 2^{{\mathcal {I}}{\mathcal {D}}}_{\le N}\) and message \({\textsf{m}}^* \in {\mathcal {M}}\), \(\textsf {Enc}\) outputs \(\textsf {ct}_{{{\mathcal {S}}^*}} = \{\textsf {ct}_{{{\mathcal {S}}^*}}^{{({\theta })}}\}_{\theta \in [\beta _{{{\mathcal {S}}^*}}]} \leftarrow \textsf {Enc}(\{\textsf {pk}^{\left( {\delta }\right) } \}_{\delta \in \Delta }, {\textsf{m}}^*, {\mathcal {S}}^*;{\textsf{r}}^*)\) such that \(|{\mathcal {S}}^*|\le \beta _{{{\mathcal {S}}^*}} < N\) with non-negligible probability. Let \(\textsf{A}\) be any fixed PPT adversary against the Full-ANOat-CCA game. Then, \(\textsf{A}\) can identify such \(({\mathcal {S}}^*, {\textsf{m}}^*)\) with non-negligible probability since \(\textsf{A}\) knows the concrete procedure of \(\textsf {Enc}\) (which must be public by Kerckhoffs' principle). \(\textsf{A}\) then issues a challenge query \(({\textsf{m}}^*, {\mathcal {S}}^*, {\mathcal {S}})\), where \({\mathcal {S}}= [N]\) and \({\mathcal {S}}^*\) is any set in \(2^{{\mathcal {I}}{\mathcal {D}}}_{\le N}\setminus \{[N]\}\). Since \(|{\mathcal {S}}^*| \le \beta _{{{\mathcal {S}}^*}} < N\) by assumption, the number of atomic ciphertexts in the challenge reveals which set was used, so \(\textsf{A}\) trivially breaks Full-ANOat-CCA security, which contradicts the premise. Thus, the size of ciphertexts for any \({\mathcal {S}}\in 2^{{\mathcal {I}}{\mathcal {D}}}_{\le N}\) must be at least that of ciphertexts for [N], i.e., \(\Omega (N \cdot \kappa )\). \(\square \)

5 Non-asymptotic bounds and optimal constructions of ANO-BE

We show (non-asymptotic) upper bounds and lower bounds on the ciphertext size in ANO-BE. Li and Gong [24] proposed an ANO-BE scheme whose ciphertext size is \((|{\mathcal {S}}|+6)\cdot \kappa \), which is optimal in the sense that the scheme attains the lower bound on the ciphertext size (i.e., Theorem 1) non-asymptotically (see Theorem 5). On the other hand, no optimal Full-ANO-BE scheme exists to date. To show a non-asymptotic upper bound on the ciphertext size in Full-ANO-BE, we propose an optimal Full-ANO-BE scheme.

Our scheme is achieved by modifying the encryption algorithm \(\textsf {Enc}\) and the decryption algorithm \(\textsf {Dec}\) in Li and Gong [24]’s ANO-BE.

  • \(\textsf {Setup}(1^{\kappa },N)\): Run \(\textsf {PGGen}(1^\kappa )\) to get \({\mathcal{P}\mathcal{G}}:= (\textsf {p}, {\mathbb {G}}_1, {\mathbb {G}}_2, {\mathbb {G}}_T, \textsf {e}, \textsf {g}_1, \textsf {g}_2)\). Let \(\textbf{A}, \textbf{B}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathcal {D}}_k\) and \(\textbf{X}, \textbf{Y}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathbb {Z}}_p^{(k+1) \times (k+1)}\). For all \(\textsf {id}\in [N]\), sample \(\textbf{k}_\textsf {id}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathbb {Z}}_p^{(k+1)}\).

    Select a key-binding secure symmetric encryption scheme \(\Pi ^{{\textsf {SKE}}}=(\textsf {E}, \textsf {D})\) with the key space \({\mathcal {K}}:= {\mathbb {G}}_1\). Sample a collision-resilient hash function \({\textsf{H}}: \{0, 1\}^* \rightarrow {\mathbb {Z}}_p\) from \({\mathcal {H}}\) uniformly at random. The public key \(\textsf {pk}\) is

    $$\begin{aligned} \left( {\mathcal{P}\mathcal{G}}, (\textsf {E}, \textsf {D}), {\textsf{H}}; \begin{array}{ll} \left[ {\textbf{A}^{\top }}\right] _1, \left\{ \left[ {\textbf{A}^{\top } \textbf{k}_\textsf {id}}\right] _1 \right\} ^{N}_{\textsf {id}= 1}, \left[ {\textbf{B}}\right] _2, \\ \left[ {\textbf{A}^{\top }\textbf{Y}}\right] _1, \left[ {\textbf{A}^{\top }\textbf{X}}\right] _1,\left[ {\textbf{X}\textbf{B}}\right] _2, \left[ {\textbf{Y}\textbf{B}}\right] _2 \end{array}\right) , \end{aligned}$$

    and the master secret key is \(\left\{ {\textbf{k}_\textsf {id}} \right\} ^{N}_{\textsf {id}= 1}\).

  • \(\textsf {Join}(\textsf {mk}, \textsf {id})\): Output the secret key \(\textsf {sk}_{{\textsf {id}}}:= \textbf{k}_\textsf {id}\).

  • \(\textsf {Enc}(\textsf {pk}, {\textsf{m}},{\mathcal {S}})\): Let n be the number of recipients currently participating in the system, and suppose that \(\textsf {sk}_{{\textsf {id}_1}}, \ldots , \textsf {sk}_{{\textsf {id}_n}}\) have been generated by the \(\textsf {Join}\) so far. Sample \(\textbf{r}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathbb {Z}}_p^k\), and compute \(\left[ {\textbf{u}^{\top }}\right] := \left[ {\textbf{r}^\top \textbf{A}^\top }\right] \). Select a session key \(\textsf {K}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathbb {G}}_1\) and compute \(\textsf {c}_0:= \textsf {E}_\textsf {K}({\textsf{m}})\). Compute the following for all \(\textsf {id}\in [N]\):

    $$\begin{aligned} \left\{ \begin{array}{ll} \textsf {c}_\textsf {id}:= \left[ {\textbf{r}^\top \textbf{A}^\top \textbf{k}_\textsf {id}}\right] _1 \cdot \textsf {K}, \text {if } \textsf {id}\in {\mathcal {S}}, \\ \textsf {c}_\textsf {id}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathbb {G}}_1, \text {if } \textsf {id}\not \in {\mathcal {S}}. \end{array}\right. \end{aligned}$$
    (1)

    Choose a random permutation \(\sigma \) from \(\{\sigma _i:[N] \rightarrow [N]\}_{i \in \{0,1\}^{\kappa }}\) and compute \(\left[ {{\varvec{\pi }}}\right] _1:= \left[ {\textbf{r}^\top \textbf{A}^\top (\textbf{X}+ \alpha \cdot \textbf{Y})}\right] _1\) where \(\alpha := {\textsf{H}}(\left[ {\textbf{u}^{\top }}\right] , \textsf {c}_0, \textsf {c}_{\sigma (1) }, \ldots , \textsf {c}_{\sigma (N) })\). The ciphertext is

    $$\begin{aligned} \textsf {ct}_{{{\mathcal {S}}}} := (\left[ {\textbf{u}^{\top }}\right] , \textsf {c}_0, \textsf {c}_{\sigma (1) }, \ldots , \textsf {c}_{\sigma (N) }, \left[ {{\varvec{\pi }}}\right] _1). \end{aligned}$$

    Here, in the scheme of [24], only \(\textsf {c}_\textsf {id}\) for \(\textsf {id}\in {\mathcal {S}}\) is computed in Eq. (1), and the following ciphertext is output:

    $$\begin{aligned} \textsf {ct}_{{{\mathcal {S}}}} := (\left[ {\textbf{u}^{\top }}\right] , \textsf {c}_0, \textsf {c}_{\sigma (1) }, \ldots , \textsf {c}_{\sigma (|{\mathcal {S}}|) }, \left[ {{\varvec{\pi }}}\right] _1). \end{aligned}$$

  • \(\textsf {Dec}(\textsf {sk}_{{\textsf {id}}},\textsf {ct}_{{{\mathcal {S}}}})\): Parse \(\textsf {sk}_{{\textsf {id}}} = \textbf{k}_\textsf {id}\) and \(\textsf {ct}_{{{\mathcal {S}}}} = (\left[ {\textbf{u}^{\top }}\right] , \textsf {c}_0, \textsf {c}_1, \ldots , \textsf {c}_{N}, \left[ {{\varvec{\pi }}}\right] _1)\). Compute \(\alpha :={\textsf{H}}(\left[ {\textbf{u}^{\top }}\right] , \textsf {c}_0, \textsf {c}_1, \ldots , \textsf {c}_{N})\) and check

    $$\begin{aligned} e(\left[ {{\varvec{\pi }}}\right] _1, \left[ {\textbf{B}}\right] _2) = e(\left[ {\textbf{u}^{\top }}\right] _1, \left[ { (\textbf{X}+ \alpha \cdot \textbf{Y}) \textbf{B}}\right] _2). \end{aligned}$$
    (2)

    If the above equation does not hold, return \(\perp \); otherwise, perform the following two steps starting from \(j:= 1\).

    • Compute \(\textsf {K}':= \textsf {c}_j / \left[ {\textbf{u}^{\top } \textbf{k}_\textsf {id}}\right] _1\) and \({\textsf{m}}':= \textsf {D}_{\textsf {K}'}(\textsf {c}_0)\). If \({\textsf{m}}' \ne \perp \), return \({\textsf{m}}'\) and halt; otherwise, go to the second step.

    • If \(j = N\), return \(\perp \) and halt; otherwise, do the first step with \(j:= j + 1\).

    Here, in the scheme of [24], parse \(\textsf {ct}_{{{\mathcal {S}}}} = (\left[ {\textbf{u}^{\top }}\right] , \textsf {c}_0, \textsf {c}_1, \ldots , \textsf {c}_{|{\mathcal {S}}|}, \left[ {{\varvec{\pi }}}\right] _1)\), compute \(\alpha := {\textsf{H}}(\left[ {\textbf{u}^{\top }}\right] , \textsf {c}_0, \textsf {c}_1, \ldots , \textsf {c}_{|{\mathcal {S}}|})\), and check whether Eq. (2) holds. The second step above then reads as follows:

    • If \(j = |{\mathcal {S}}|\), return \(\perp \) and halt; otherwise, do the first step with \(j:= j + 1\).

We show the correctness of the above Full-ANO-BE scheme. Suppose that \(\textsf {ct}_{{{\mathcal {S}}}} = (\left[ {\textbf{u}^{\top }}\right] , \textsf {c}_0, \textsf {c}_1, \ldots , \textsf {c}_{N}, \left[ {{\varvec{\pi }}}\right] _1), \textsf {sk}_{{\textsf {id}}} = \textbf{k}_\textsf {id}(\textsf {id}\in {\mathcal {S}})\) are correctly generated. Then the following equation holds:

$$\begin{aligned} e(\left[ {{\varvec{\pi }}}\right] _1, \left[ {\textbf{B}}\right] _2) = e(\left[ {\textbf{u}^{\top }}\right] _1, \left[ { (\textbf{X}+ \alpha \cdot \textbf{Y}) \textbf{B}}\right] _2), \end{aligned}$$

where \(\alpha := {\textsf{H}}(\left[ {\textbf{u}^{\top }}\right] , \textsf {c}_0, \textsf {c}_1, \ldots , \textsf {c}_{N})\). Given \(\textsf {c}_j:= \left[ {\textbf{r}^\top \textbf{A}^\top \textbf{k}_\textsf {id}}\right] _1 \cdot \textsf {K}\), we have \(\textsf {K}= \textsf {c}_j / \left[ {\textbf{u}^{\top } \textbf{k}_\textsf {id}}\right] _1\), and \(\textsf {Dec}\) returns \({\textsf{m}}\) by the correctness of the symmetric encryption scheme \(\Pi ^{{\textsf {SKE}}}=(\textsf {E}, \textsf {D})\). Given \(\textsf {c}_{j}:= \left[ {\textbf{r}^\top \textbf{A}^\top \textbf{k}_{\textsf {id}}}\right] _1 \cdot \textsf {K}\), we have \(\textsf {K}\ne \textsf {c}_j / \left[ {\textbf{u}^{\top } \textbf{k}_{\textsf {id}'} }\right] _1\) for some \(\textsf {id}' \not \in {\mathcal {S}}\) with overwhelming probability, and \(\textsf {Dec}\) returns \(\bot \) for that slot by the key-binding property of \(\Pi ^{{\textsf {SKE}}}=(\textsf {E}, \textsf {D})\).

Theorem 3

The construction described above is Full-ANO-IND-CCA secure assuming that: (1) \({\mathcal {H}}\) is collision-resistant; (2) the \({\mathcal {D}}_k\)-MDDH assumption holds in \({\mathbb {G}}_1\); (3) the \({\mathcal {D}}_k\)-KerMDH assumption holds in \({\mathbb {G}}_2\); (4) \(\Pi ^{\textsf {SKE} }\) is semantically secure and key-binding.

Our security proof is the same as that of Li and Gong [24]’s ANO-BE except that we added \(\textsf {c}_\textsf {id}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathbb {G}}_1 \; (\text {if } \textsf {id}\not \in {\mathcal {S}})\) to their scheme. We prove Full-ANO-IND-CCA security by defining the following games:

\(\textsf {Game}_{\textsf {Real}}\): This is the same as the Full-ANO-IND-CCA game.

\(\textsf {Game}_0\): This is the same as \(\textsf {Game}_{\textsf {Real}}\) except that the challenger samples \(\textbf{u}^* {\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathbb {Z}}_p^{(k+1)}\) and generates the challenge ciphertext \(\textsf {ct}_{{{\mathcal {S}}}}^*:= (\left[ {{\textbf{u}^*}^{\top }}\right] , \textsf {c}^*_0, \textsf {c}^*_{\sigma (1) }, \ldots , \textsf {c}^*_{\sigma (|{\mathcal {S}}|) }, \left[ {{\varvec{\pi }}}\right] ^*_1)\) using \(\textbf{u}^*\).

\(\textsf {Game}_1\): This is the same as \(\textsf {Game}_0\) except for the following modification: Let \((\textsf {id}, \textsf {ct}_{{{\mathcal {S}}}} = (\left[ {\textbf{u}^{\top }}\right] , \textsf {c}_0, \textsf {c}_1, \ldots , \textsf {c}_{N}, \left[ {{\varvec{\pi }}}\right] _1) )\) be a decryption query, and write \(\overline{\textsf {ct}_{{{\mathcal {S}}}}} = (\left[ {\textbf{u}^{\top }}\right] , \textsf {c}_0, \textsf {c}_1, \ldots , \textsf {c}_{N})\). The Decryption Oracle computes \(\alpha = {\textsf{H}}(\overline{\textsf {ct}_{{{\mathcal {S}}}}})\) and returns \(\perp \) if one of the following conditions holds:

$$\begin{aligned} \begin{array}{ll} (1) \; \textsf {ct}_{{{\mathcal {S}}}} = \textsf {ct}_{{{\mathcal {S}}}}^*, \\ (2) \; e(\left[ {{\varvec{\pi }}}\right] _1, \left[ {\textbf{B}}\right] _2) \ne e(\left[ {\textbf{u}^{\top }}\right] _1, \left[ { (\textbf{X}+ \alpha \cdot \textbf{Y}) \textbf{B}}\right] _2), \\ (3) \; \overline{\textsf {ct}_{{{\mathcal {S}}}}} \ne \overline{\textsf {ct}_{{{\mathcal {S}}}}^*} \;\text {and}\; \alpha =\alpha ^*, \end{array} \end{aligned}$$

where \(\alpha ^* = {\textsf{H}}(\overline{\textsf {ct}_{{{\mathcal {S}}}}^*})\).

\(\textsf {Game}_2\): This is the same as \(\textsf {Game}_1\) except that the condition (2) is replaced by the following one:

$$\begin{aligned} (2') \; \left[ {{\varvec{\pi }}}\right] _1 \ne \left[ { \textbf{u}^{\top } (\textbf{X}+ \alpha \cdot \textbf{Y})}\right] _1. \end{aligned}$$

\(\textsf {Game}_{2, j} \; (1 \le j \le q_D)\): This is the same as \(\textsf {Game}_2\) except for the following modification: Let \(q_D\) be the maximum number of decryption queries to the Decryption Oracle. For the first j queries, the Decryption Oracle returns \(\perp \) if (1) or (3) or

$$\begin{aligned} (2'') \; \textbf{u}\not \in \textrm{span}(\textbf{A}) \;||\; \left[ {{\varvec{\pi }}}\right] _1 \ne \left[ { \textbf{u}^{\top }(\textbf{X}+ \alpha \cdot \textbf{Y})}\right] _1 \end{aligned}$$

holds instead of \((2')\). Here, “||” denotes the OR operation that ignores the second operand if the first one is satisfied. For the remaining queries, the Decryption Oracle returns \(\perp \) if (1) or (3) or \((2')\) holds, as in \(\textsf {Game}_2\).

Let \(S_{\textsf {Real}}\), \(S_i \; (0 \le i \le 2)\), and \(S_{2, j} \;(0 \le j \le q_D)\) be the probabilities that the event \(b' = b\) occurs in \(\textsf {Game}_{\textsf {Real}}, \textsf {Game}_i\), and \(\textsf {Game}_{2, j}\) respectively. We have

$$\begin{aligned} \textsf{Adv}^{\textsf {Full}\text {-}\textsf {ANO}\text {-}\textsf {IND}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {BE}},\textsf{A}}(\kappa , N)&\le \left| S_{\textsf {Real}} -S_0\right| + \left| S_0 - S_1\right| + \left| S_1 - S_2\right| \\&\quad + \sum _{j=1}^{q_D}\left| S_{2, j-1} - S_{2, j}\right| +\left| S_{2, q_D} - \frac{1}{2}\right| . \end{aligned}$$

The rest of the proof follows from the following lemmas.

Lemma 4

\(\left| S_{\textsf {Real} } - S_0\right| \le \textsf{Adv} ^{\textsf {mddh} }_{\textsf{B} , {\mathbb {G}}_1}(\kappa )\).

Proof

At the beginning, a PPT adversary \(\textsf{B}\) receives an instance \((\left[ {\textbf{A}}\right] _1, T)\) of the MDDH problem. Then, \(\textsf{B}\) randomly selects \(\textbf{B}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathcal {D}}_k\) and \(\textbf{X}, \textbf{Y}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathbb {Z}}_p^{(k+1) \times (k+1)}\). For all \(\textsf {id}\in [N]\), \(\textsf{B}\) samples \(\textbf{k}_\textsf {id}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathbb {Z}}_p^{(k+1)}\). \(\textsf{B}\) selects a key-binding secure symmetric encryption scheme \(\Pi ^{{\textsf {SKE}}}=(\textsf {E}, \textsf {D})\) with the key space \({\mathcal {K}}:= {\mathbb {G}}_1\) and a collision-resilient hash function \({\textsf{H}}: \{0, 1\}^* \rightarrow {\mathbb {Z}}_p\). \(\textsf{B}\) sends the following master public key:

$$\begin{aligned} \textsf {pk}:= \left( {\mathcal{P}\mathcal{G}}, (\textsf {E}, \textsf {D}), {\textsf{H}}; \begin{array}{ll} \left[ {\textbf{A}^{\top }}\right] _1, \left\{ \left[ {\textbf{A}^{\top } \textbf{k}_\textsf {id}}\right] _1 \right\} ^{N}_{\textsf {id}= 1}, \left[ {\textbf{B}}\right] _2, \\ \left[ {\textbf{A}^{\top }\textbf{Y}}\right] _1, \left[ {\textbf{A}^{\top }\textbf{X}}\right] _1,\left[ {\textbf{X}\textbf{B}}\right] _2, \left[ {\textbf{Y}\textbf{B}}\right] _2 \end{array}\right) . \end{aligned}$$

Note that \(\textsf{B}\) knows the master secret key \(\textsf {mk}:= \left\{ {\textbf{k}_\textsf {id}} \right\} ^{N}_{\textsf {id}= 1}\).

Key-generation Oracle and Corruption Oracle. \(\textsf{B}\) can simulate the oracles since it knows the master secret key.

Decryption Oracle. \(\textsf{B}\) can simulate the oracle for the same reason as Key-generation and Corruption Oracle.

Challenge. \(\textsf{B}\) receives \(({\textsf{m}}_0,{\textsf{m}}_1,{\mathcal {S}}_0,{\mathcal {S}}_1)\) from \(\textsf{A}\). \(\textsf{B}\) randomly chooses \(d {\mathop {\leftarrow }\limits ^{\textsf {U}}}\{0, 1\}\), selects a session key \(\textsf {K}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathbb {G}}_1\), and computes \(\textsf {c}_0:= \textsf {E}_\textsf {K}({\textsf{m}}_d)\). \(\textsf{B}\) sets \(\left[ {{\textbf{u}^*}^{\top }}\right] := T\) and computes the following for all \(\textsf {id}\in [N]\):

$$\begin{aligned} \left\{ \begin{array}{ll} \textsf {c}_\textsf {id}:= \left[ {{\textbf{u}^*}^{\top } \textbf{k}_\textsf {id}}\right] _1 \cdot \textsf {K}, \text {if } \textsf {id}\in {\mathcal {S}}_d, \\ \textsf {c}_\textsf {id}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathbb {G}}_1, \text {if } \textsf {id}\not \in {\mathcal {S}}_d. \end{array}\right. \end{aligned}$$

Then \(\textsf{B}\) chooses a random permutation \(\sigma \) from \(\{\sigma _i:[N] \rightarrow [N]\}_{i \in \{0,1\}^{\kappa }}\) and computes \(\left[ {{\varvec{\pi }}}\right] _1:= \left[ {{\textbf{u}^*}^{\top }(\textbf{X}+ \alpha \cdot \textbf{Y})}\right] _1\) where \(\alpha := {\textsf{H}}(\left[ {{\textbf{u}^*}^{\top }}\right] _1, \textsf {c}_0, \textsf {c}_{\sigma (1) }, \ldots , \textsf {c}_{\sigma (N) })\). \(\textsf{B}\) sends the following ciphertext:

$$\begin{aligned} \textsf {ct}_{{{\mathcal {S}}}} := (\left[ {{\textbf{u}^*}^{\top }}\right] _1, \textsf {c}_0, \textsf {c}_{\sigma (1)}, \ldots , \textsf {c}_{\sigma (N) }, \left[ {{\varvec{\pi }}}\right] _1). \end{aligned}$$

If \(b=0\), then \(\textbf{u}^* {\mathop {\leftarrow }\limits ^{\textsf {U}}}\textrm{span}(\textbf{A})\). If \(b=1\), then \(\textbf{u}^* {\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathbb {Z}}_p^{k+1}\). After receiving the guess \(d'\) from \(\textsf{A}\), \(\textsf{B}\) sends \(b' = 1\) to the challenger of the \({\mathcal {D}}_k\)-MDDH problem if \(d' = d\). Otherwise, \(\textsf{B}\) sends \(b' = 0\) to the challenger. \(\square \)

Lemma 5

\(\left| S_0 - S_1\right| \le \textsf{Adv} ^{\textsf {hash} }_{\textsf{B} }(\kappa ).\) (From Difference Lemma [36])

Proof

By the collision-resilience of \({\mathcal {H}}\), \(\textsf {Game}_1\) is indistinguishable from \(\textsf {Game}_0\). When \(\textsf{A}\) issues a decryption query \((\textsf {id}, \textsf {ct}_{{{\mathcal {S}}}} = (\left[ {\textbf{u}^{\top }}\right] , \textsf {c}_0, \textsf {c}_1, \ldots , \textsf {c}_{N}, \left[ {{\varvec{\pi }}}\right] _1) )\) such that \(\overline{\textsf {ct}_{{{\mathcal {S}}}}} = (\left[ {\textbf{u}^{\top }}\right] , \textsf {c}_0, \textsf {c}_1, \ldots , \textsf {c}_{N})\) is not identical to \(\overline{\textsf {ct}_{{{\mathcal {S}}}}^*}\), \(\textsf{B}\) checks whether condition (3) holds. If it does not hold, then \(\textsf{B}\) simulates the Decryption Oracle by returning \(\perp \). Otherwise, \(\textsf{B}\) can break the collision-resilience of \({\mathcal {H}}\), since \(\overline{\textsf {ct}_{{{\mathcal {S}}}}} \ne \overline{\textsf {ct}_{{{\mathcal {S}}}}^*}\) with \({\textsf{H}}(\overline{\textsf {ct}_{{{\mathcal {S}}}}}) = {\textsf{H}}(\overline{\textsf {ct}_{{{\mathcal {S}}}}^*})\) is a collision. \(\square \)

Lemma 6

\(\left| S_1 - S_2\right| \le \textsf{Adv} ^{\textsf {kmdh} }_{\textsf{B} , {\mathbb {G}}_2}(\kappa ).\) (From Difference Lemma [36])

Proof

\(\textsf {Game}_2\) is the same as \(\textsf {Game}_1\) unless \(\textsf{A}\) sends a decryption query that passes condition (2) but is rejected by condition \((2')\). If such a query is issued, we can construct a PPT adversary \(\textsf{B}\) solving the KMDH problem. At the beginning, \(\textsf{B}\) receives an instance \((\left[ {\textbf{B}}\right] _2)\) of the KMDH problem. Then, \(\textsf{B}\) randomly selects \(\textbf{A}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathcal {D}}_k\) and \(\textbf{X}, \textbf{Y}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathbb {Z}}_p^{(k+1) \times (k+1)}\). For all \(\textsf {id}\in [N]\), \(\textsf{B}\) samples \(\textbf{k}_\textsf {id}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathbb {Z}}_p^{(k+1)}\). \(\textsf{B}\) selects a key-binding secure symmetric encryption scheme \(\Pi ^{{\textsf {SKE}}}=(\textsf {E}, \textsf {D})\) with the key space \({\mathcal {K}}:= {\mathbb {G}}_1\) and a collision-resilient hash function \({\textsf{H}}: \{0, 1\}^* \rightarrow {\mathbb {Z}}_p\). \(\textsf{B}\) sends the following master public key:

$$\begin{aligned} \textsf {pk}:= \left( {\mathcal{P}\mathcal{G}}, (\textsf {E}, \textsf {D}), {\textsf{H}}; \begin{array}{ll} \left[ {\textbf{A}^{\top }}\right] _1, \left\{ \left[ {\textbf{A}^{\top } \textbf{k}_\textsf {id}}\right] _1 \right\} ^{N}_{\textsf {id}= 1}, \left[ {\textbf{B}}\right] _2, \\ \left[ {\textbf{A}^{\top }\textbf{Y}}\right] _1, \left[ {\textbf{A}^{\top } \textbf{X}}\right] _1,\left[ {\textbf{X}\textbf{B}}\right] _2, \left[ {\textbf{Y}\textbf{B}}\right] _2 \end{array}\right) . \end{aligned}$$

Note that \(\textsf{B}\) knows the master secret key \(\textsf {mk}:= \left\{ {\textbf{k}_\textsf {id}} \right\} ^{N}_{\textsf {id}= 1}\).

Key-generation Oracle and Corruption Oracle. \(\textsf{B}\) can simulate the oracles since it knows the master secret key.

Challenge. \(\textsf{B}\) simulates the challenge in the same way as in \(\textsf {Game}_0\).

Decryption Oracle. \(\textsf{B}\) can simulate the oracle for the same reason as the Key-generation and Corruption Oracles. Upon a decryption query \((\textsf {id}, \textsf {ct}_{{{\mathcal {S}}}} = (\left[ {\textbf{u}^{\top }}\right] , \textsf {c}_0, \textsf {c}_1, \ldots , \textsf {c}_{N}, \left[ {{\varvec{\pi }}}\right] _1) )\), \(\textsf{B}\) checks whether conditions \((2)\) and \((2')\) hold. If condition (2) does not hold but \((2')\) does, \(\textsf{B}\) outputs

$$\begin{aligned} \left[ {\textbf{t}^{\top } := {\varvec{\pi }} - \textbf{u}^{\top }(\textbf{X}+ \alpha \cdot \textbf{Y})}\right] _1 . \end{aligned}$$

Here, \(\left[ {\textbf{t}^{\top }}\right] _1\) is a solution to the \({\mathcal {D}}_k\)-KMDH problem since \(\textbf{t}^{\top } \ne \textbf{0}\) from \((2')\) and \(\textbf{t}^{\top } \in \textbf{Ker}(\textbf{B})\) from (2). \(\square \)

Lemma 7

\(\left| S_{2, j-1} - S_{2, j}\right| \le \frac{1}{p}.\) (From Difference Lemma [36])

Proof

\(\textsf {Game}_{2, j-1}\) is the same as \(\textsf {Game}_{2, j}\) unless \(\textsf{A}\) sends a j-th decryption query that passes condition \((2')\) but is rejected by condition \((2'')\). That is, unless the j-th decryption query satisfies \(\textbf{u}\not \in \textrm{span}(\textbf{A})\) and survives \((1), (2'), (3)\), there is no difference between the two games. First, we suppose that \(\alpha \ne \alpha ^*\) holds for such a query. Then, the decryption query \((\textsf {id}, \textsf {ct}_{{{\mathcal {S}}}} = (\left[ {\textbf{u}^{\top }}\right] , \textsf {c}_0, \textsf {c}_1, \ldots , \textsf {c}_{N}, \left[ {{\varvec{\pi }}}\right] _1) )\) must satisfy \(\alpha \ne \alpha ^*\), \(\textbf{u}\not \in \textrm{span}(\textbf{A})\) and \(\left[ {{\varvec{\pi }}}\right] _1 = \left[ { \textbf{u}^{\top }(\textbf{X}+ \alpha \cdot \textbf{Y})}\right] _1\), but this happens with probability at most \(\frac{1}{p}\) by the core lemma (Lemma 1 of [21]). Note that \(\textsf{A}\) never obtains more information than \(\textbf{A}^{\top }\textbf{X}, \textbf{A}^{\top }\textbf{Y}\) through the first j decryption queries thanks to the condition \(\textbf{u}^* \not \in \textrm{span}(\textbf{A})\).

Next, we show that the above query must satisfy \(\alpha \ne \alpha ^*\). If a decryption query survives condition (3), then \(\overline{\textsf {ct}_{{{\mathcal {S}}}}} = \overline{\textsf {ct}_{{{\mathcal {S}}}}^*}\) or \(\alpha \ne \alpha ^*\) holds. Therefore, we need to show that \(\overline{\textsf {ct}_{{{\mathcal {S}}}}} \ne \overline{\textsf {ct}_{{{\mathcal {S}}}}^*}\) holds for any decryption query that survives conditions \((1), (2''), (3)\) with \(\textbf{u}\not \in \textrm{span}(\textbf{A})\). Suppose \(\overline{\textsf {ct}_{{{\mathcal {S}}}}} = \overline{\textsf {ct}_{{{\mathcal {S}}}}^*}\). If \({\varvec{\pi }} = {\varvec{\pi }}^*\), then the query is rejected by condition (1), and if \({\varvec{\pi }} \ne {\varvec{\pi }}^*\), then the query is rejected by condition \((2')\). Thus, since a decryption query with \(\overline{\textsf {ct}_{{{\mathcal {S}}}}} = \overline{\textsf {ct}_{{{\mathcal {S}}}}^*}\) cannot survive the conditions, \(\alpha \ne \alpha ^*\) holds. \(\square \)

Lemma 8

\( \left| S_{2, q_D} - \frac{1}{2}\right| \le 2 \cdot \textsf{Adv} ^{\textsf {se} }_{\textsf{B} }(\kappa ).\)

We prove Lemma 8 by considering two cases.

\(\textsf {Case (a)}\): In this case, we define the following additional games.

\(\textsf {Game}_3\): This is the same as \(\textsf {Game}_{2, q_D}\) except that the challenger samples \(\textsf {c}_\textsf {id}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathbb {G}}_1\) for all \(\textsf {id}\in {\mathcal {S}}_b\) in the challenge ciphertext.

\(\textsf {Game}_4\): This is the same as \(\textsf {Game}_3\) except that the challenger computes \(\textsf {c}_0 = \textsf {E}_\textsf {K}(0^{\kappa })\) in the challenge ciphertext.

Lemma 9

\(S_{2, q_D} = S_{3}.\)

Proof

We claim that \(\textsf {Game}_{2, q_D}\) is statistically indistinguishable from \(\textsf {Game}_3\). In \(\textsf {Game}_{2, q_D}\), \(\textsf{A}\) learns information on \(\textbf{k}_\textsf {id}\;(\textsf {id}\in {\mathcal {S}}_b)\) only from \(\textsf {pk}\), since the Decryption Oracle returns \(\perp \) for \(\textsf{A}\)’s queries with \(\textbf{u}\not \in \textrm{span}(\textbf{A})\), and \(\textbf{u}^* \not \in \textrm{span}(\textbf{A})\) holds with overwhelming probability. Then, \(\left[ {{\textbf{u}^*}^{\top } \textbf{k}_\textsf {id}}\right] _1 (\textsf {id}\in {\mathcal {S}}_b)\) is uniformly distributed over \({\mathbb {G}}_1\), because for any \(\textbf{u}^*\) outside the span of \(\textbf{A}\), \({\textbf{u}^*}^{\top } \textbf{k}_\textsf {id}\) is uniformly random given \({\textbf{A}}^{\top } \textbf{k}_\textsf {id}\) where \(\textbf{k}_\textsf {id}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathbb {Z}}_p^{(k+1)}\). \(\square \)

Lemma 10

\(|S_3 - S_4| \le 2\cdot \textsf{Adv} ^{\textsf {se} }_{\textsf{B} }(\kappa ).\)

Proof

\(\textsf {Game}_4\) is indistinguishable from \(\textsf {Game}_3\) due to the semantic security of (\(\textsf {E}, \textsf {D}\)). Finally, we have \(S_4 = \frac{1}{2}\) since the challenge ciphertext has no information about b. \(\square \)

\(\textsf {Case (b)}\): We define the following game.

\(\textsf {Game}_3'\): This is the same as \(\textsf {Game}_{2, q_D}\) except that the challenger samples \(\textsf {c}_\textsf {id}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathbb {G}}_1\) for all \(\textsf {id}\in {\mathcal {S}}_b {\setminus } {\mathcal {S}}_{1-b}\).

Lemma 11

\(S_{2, q_D} = S_{3'}.\)

Proof

We claim that \(\textsf {Game}_{2, q_D}\) is statistically indistinguishable from \(\textsf {Game}_3'\). This follows from the same argument as in \(\textsf {Case (a)}\), namely that all \(\left[ {{\textbf{u}^*}^{\top } \textbf{k}_\textsf {id}}\right] _1 (\textsf {id}\in {\mathcal {S}}_b {\setminus } {\mathcal {S}}_{1-b})\) in \(\overline{\textsf {ct}_{{{\mathcal {S}}}}^*}\) are uniformly distributed over \({\mathbb {G}}_1\) conditioned on \(\textsf {pk}\), the Key-Generation Oracle and the Decryption Oracle. Although \(\textsf {c}_\textsf {id}\; (\textsf {id}\in {\mathcal {S}}_b \cap {\mathcal {S}}_{1-b})\) are not changed, no information about b is leaked from the challenge ciphertext since \({\textsf{m}}_0 = {\textsf{m}}_1\) must hold in this case. We then have \(S_{3'} = \frac{1}{2}\). \(\square \)

Proof of Lemma 8

Let \(S_a\) and \(S_b\) be the probabilities that \(\textsf{A}\) outputs \(({\mathcal {S}}_0, {\mathcal {S}}_1)\) in \(\textsf {Case (a)}\) and \(\textsf {Case (b)}\), respectively. Then, we have

$$\begin{aligned} S_{2, q_D}&= S_{3}\cdot S_a + S_{3'}\cdot S_b \\&\le |S_{3} - S_{4}| \cdot S_a + S_{4} \cdot S_a + S_{3'}\cdot S_b \\&\le 2 \cdot \textsf{Adv}^{\textsf {se}}_{\textsf{B}}(\kappa ) + \frac{1}{2} \end{aligned}$$

where \(S_a+ S_b = 1\). \(\square \)

Proof of Theorem 3

From Lemmas 4 to 8, we have

$$\begin{aligned} \textsf{Adv}^{\textsf {Full}\text {-}\textsf {ANO}\text {-}\textsf {IND}\text {-}\textsf {CCA}}_{\Pi ^{\textsf {BE}},\textsf{A}}(\kappa , N)&\le \textsf{Adv}^{\textsf {mddh}}_{\textsf{B}, {\mathbb {G}}_1}(\kappa ) + \textsf{Adv}^{\textsf {hash}}_{\textsf{B}}(\kappa ) +\textsf{Adv}^{\textsf {kmdh}}_{\textsf{B}, {\mathbb {G}}_2}(\kappa ) \\&\quad + q_D \cdot \frac{1}{p} + 2 \cdot \textsf{Adv}^{\textsf {se}}_{\textsf{B}}(\kappa ). \end{aligned}$$

\(\square \)

Here, the above construction has a ciphertext whose size is \((N+6)\cdot \kappa \) where \(k=1\). Therefore, from Li and Gong’s ANO-BE [24] and our Full-ANO-BE scheme, we obtain upper bounds on the ciphertext size in (Full-)ANO-BE.

From these upper bounds and the asymptotic lower bounds in Sect. 4, we show tight lower bounds on the ciphertext-size in (Full)-ANO-BE.

Theorem 4

If BE \(\Pi ^{\textsf {BE} }\) with properties shown in Sects. 3.2 and 4.1 is Full-ANOat-CCA secure, a non-asymptotic lower bound on the ciphertext-size with any recipient set \({\mathcal {S}}\subseteq {\mathcal {I}}{\mathcal {D}}\) is \(N\cdot \kappa +o(N\cdot \kappa )\), and our Full-ANO-BE scheme attains the lower bound tightly, which is optimal.

Theorem 5

If BE \(\Pi ^{\textsf {BE} }\) with properties shown in Sects. 3.2 and 4.1 is ANOat-CCA secure, a non-asymptotic lower bound on the ciphertext-size with any recipient set \({\mathcal {S}}\subseteq {\mathcal {I}}{\mathcal {D}}\) is \(|{\mathcal {S}}|\cdot \kappa +o(|{\mathcal {S}}|\cdot \kappa )\), and the ANO-BE scheme in [24] attains the lower bound tightly, which is optimal.

6 Atomic broadcast authentication

In this section, we give a syntax of Atomic Broadcast Authentication (AtBA) in order to formally describe the properties satisfied by the existing ABA scheme and to derive lower bounds. We further provide security definitions for ABA schemes covered by AtBA.

6.1 Syntax of AtBA

Our AtBA describes the authentication and verification for each recipient in a designated set that are performed inside the \(\textsf {Auth}\) and \(\textsf {Vrfy}\) algorithms of ABA. We define a model for Atomic BA \(\Pi ^{\textsf {At}\text {-}\textsf {BA}}=({\textsf {Setup}\text {-}\textsf {at}, \textsf {Join}\text {-}\textsf {at}, \textsf {Auth}, \textsf {Auth}\text {-}\textsf {at}, \textsf {Vrfy}, \textsf {Vrfy}\text {-}\textsf {at}})\) as follows, where \(\textsf {Auth}\) and \(\textsf {Vrfy}\) are the same as those of ABA.

  1. \(\{\textsf {ak}^{\left( {\delta }\right) } \}_{\delta \in \Delta } \leftarrow \textsf {Setup}\text {-}\textsf {at}(1^{\kappa },N)\): a probabilistic setup algorithm. It takes a security parameter \(1^{\kappa }\) and the maximum number of recipients \(N\in {\mathbb {N}}\) as input, and outputs an authentication key \(\textsf {ak}\) consisting of \(|\Delta |\) atomic authentication keys \(\{\textsf {ak}^{\left( {\delta }\right) } \}_{\delta \in \Delta }\).

  2. \(\{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}} \leftarrow \textsf {Join}\text {-}\textsf {at}(\{\textsf {ak}^{\left( {\delta }\right) } \}_{\delta \in \Delta },\textsf {id})\): a verification key generation algorithm. It takes \(\{\textsf {ak}^{\left( {\delta }\right) } \}_{\delta \in \Delta }\) and an identifier \(\textsf {id}\in {\mathcal {I}}{\mathcal {D}}\) as input, and outputs a verification key \(\textsf {vk}_{{\textsf {id}}}\) for \(\textsf {id}\) consisting of \(|\Gamma _{\textsf {id}}|\) atomic verification keys \(\{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}}\).

  3. \(\textsf {cmd}_{{\mathcal {S}}, \textsf {id}}\leftarrow \textsf {Auth}\text {-}\textsf {at}(\{\textsf {ak}^{\left( {\delta }\right) } \}_{\delta \in \Delta '}, {\mathcal {S}}, {\textsf{m}}, \textsf {id}; {\textsf{r}})\): an atomic authentication algorithm. It takes a subset of atomic authentication keys \(\{\textsf {ak}^{\left( {\delta }\right) } \}_{\delta \in \Delta '}\) with \(\Delta ' \subseteq \Delta \), a privileged set \({\mathcal {S}}\subseteq {\mathcal {I}}{\mathcal {D}}\), a message \({\textsf{m}}\in {\mathcal {M}}\), an identifier \(\textsf {id}\in {\mathcal {I}}{\mathcal {D}}\) and randomness \({\textsf{r}}\in {\mathcal {R}}\) as input, and outputs an atomic authenticator \(\textsf {cmd}_{{\mathcal {S}}, \textsf {id}}\).

  4. \({\textsf{m}}/ \bot \leftarrow \textsf {Vrfy}\text {-}\textsf {at}(\{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}'}, \textsf {cmd}_{{\mathcal {S}}, \textsf {id}})\): an atomic verification algorithm. It takes a subset of atomic verification keys \(\{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}'}\) with \(\Gamma _{\textsf {id}}' \subseteq \Gamma _{\textsf {id}}\) and an atomic authenticator \(\textsf {cmd}_{{\mathcal {S}}, \textsf {id}}\) as input, and outputs a message \({\textsf{m}}\) (accept) or \(\bot \) (reject).

The \(\textsf {Setup}\text {-}\textsf {at}\) and \(\textsf {Join}\text {-}\textsf {at}\) are essentially equivalent to the \(\textsf {Setup}\) and \(\textsf {Join}\) in ABA, respectively, except for the difference that authentication and verification keys are explicitly divided into multiple sub-elements. As in the case of the \(\textsf {Join}\) in BE, we regard \(\textsf {Join}\text {-}\textsf {at}\) as a deterministic algorithm. On the other hand, \(\textsf {Auth}\) and \(\textsf {Vrfy}\) include \(\textsf {Auth}\text {-}\textsf {at}\) and \(\textsf {Vrfy}\text {-}\textsf {at}\) as sub-algorithms, respectively, though they may contain procedures other than these sub-algorithms. Therefore, AtBA includes both \((\textsf {Auth},\textsf {Vrfy})\) and \((\textsf {Auth}\text {-}\textsf {at},\textsf {Vrfy}\text {-}\textsf {at})\).

We require a natural property for AtBA that an atomic authenticator \(\textsf {cmd}_{{\mathcal {S}}, \textsf {id}}\) contained in authenticator \(\textsf {cmd}_{{{\mathcal {S}}}}\) will be correctly verified by a verification key \(\{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}}\) of a recipient \(\textsf {id}\in {\mathcal {S}}\) as follows:

Atomic correctness Fix any \(\kappa , N \in {\mathbb {N}}\), any \(\{\textsf {ak}^{\left( {\delta }\right) } \}_{\delta \in \Delta } \leftarrow \textsf {Setup}\text {-}\textsf {at}(1^{\kappa },N)\), any \({\mathcal {S}}\subseteq {\mathcal {I}}{\mathcal {D}}\) such that \(|{\mathcal {S}}| \le N\), any \({\textsf{m}}\in {\mathcal {M}}\), any \(\{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}} \leftarrow \textsf {Join}\text {-}\textsf {at}(\{\textsf {ak}^{\left( {\delta }\right) } \}_{\delta \in \Delta },\textsf {id})\), any \({\textsf{r}}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathcal {R}}\). Let \(\textsf {cmd}_{{{\mathcal {S}}}} \leftarrow \textsf {Auth}(\{\textsf {ak}^{\left( {\delta }\right) } \}_{\delta \in \Delta }, {\textsf{m}}, {\mathcal {S}}; {\textsf{r}})\). Then, there exists some \(\Delta ' \subseteq \Delta \) for every \(\textsf {id}\in {\mathcal {S}}\), such that \(\textsf {cmd}_{{\mathcal {S}}, \textsf {id}}\leftarrow \textsf {Auth}\text {-}\textsf {at}(\{\textsf {ak}^{\left( {\delta }\right) } \}_{\delta \in \Delta '}, {\mathcal {S}}, {\textsf{m}}, \textsf {id}; {\textsf{r}})\) and \(\textsf {cmd}_{{\mathcal {S}}, \textsf {id}}\in \textsf {cmd}_{{{\mathcal {S}}}}\). Moreover, the following conditions hold with overwhelming probability:

  • \(\textsf {Vrfy}(\{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}},\textsf {cmd}_{{{\mathcal {S}}}}) \rightarrow {\textsf{m}}\).

  • \(\textsf {Vrfy}\text {-}\textsf {at}(\{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}'}, \textsf {cmd}_{{\mathcal {S}}, \textsf {id}}) \rightarrow {\textsf{m}}\) for some \(\Gamma _{\textsf {id}}' \subseteq \Gamma _{\textsf {id}}\).

Namely, the above guarantees that (1) an ABA authenticator for \({\mathcal {S}}\) contains AtBA authenticators for all \(\textsf {id}\in {\mathcal {S}}\); (2) the ABA authenticator is correctly verified by \(\textsf {Vrfy}\), which implies Correctness of ABA; and (3) every AtBA authenticator is correctly verified by \(\textsf {Vrfy}\text {-}\textsf {at}\). Therefore, Atomic Correctness of AtBA includes Correctness of ABA. Thus, an ABA scheme is called an AtBA scheme if its \(\textsf {Auth}\) and \(\textsf {Vrfy}\) include \(\textsf {Auth}\text {-}\textsf {at}\) and \(\textsf {Vrfy}\text {-}\textsf {at}\) satisfying the above Atomic Correctness, respectively.

6.2 Security definitions for AtBA

We define anonymity for AtBA in the same way as for BE. In the following, we give definitions of full anonymity (Full-ANOat-CMA) and anonymity (ANOat-CMA). The security games for AtBA are the same as those for ABA except that the verification keys an attacker obtains and the challenge authenticator are explicitly divided into multiple sub-elements. Essentially, there is no difference in the information the attacker obtains between the security games for ABA and those for AtBA. Therefore, we regard (Full-)ANOat-CMA defined below as security notions equivalent to (full) anonymity.

Let \(\textsf{A}\) be any PPT adversary against Full-ANOat-CMA security. We consider an experiment \(\textsf{Exp}^{\textsf {Full}\text {-}\textsf {ANOat}\text {-}\textsf {CMA}}_{\Pi ^{\textsf {At}\text {-}\textsf {BA}},\textsf{A}}(\kappa , N)\) between a challenger \(\textsf{C}\) and \(\textsf{A}\), defined as the experiment \(\textsf{Exp}^{\textsf {Full}\text {-}\textsf {ANO}\text {-}\textsf {CMA}}_{\Pi ^{\textsf {ABA}},\textsf{A}}\) with the following changes to the Key-generation Query and the Corruption Query.

  • Key-generation Query: Upon a query \(\textsf {id}\in {\mathcal {I}}{\mathcal {D}}\) from \(\textsf{A}\), \(\textsf{C}\) adds \(\textsf {id}\) to \({\mathcal {D}}\) and generates \(\{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}} \leftarrow \textsf {Join}\text {-}\textsf {at}(\textsf {ak}, \textsf {id})\), not \(\textsf {vk}_{{\textsf {id}}} \leftarrow \textsf {Join}(\textsf {ak},\textsf {id})\).

  • Corruption Query: Upon a query \(\textsf {id}\in {\mathcal {D}}\) from \(\textsf{A}\), \(\textsf{C}\) adds \(\textsf {id}\) to \({\mathcal {C}}{\mathcal {D}}\), and returns \(\{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}}\) to \(\textsf{A}\), not \(\textsf {vk}_{{\textsf {id}}}\).

We also define ANOat-CMA with an experiment \(\textsf{Exp}^{\textsf {ANOat}\text {-}\textsf {CMA}}_{\Pi ^{\textsf {At}\text {-}\textsf {BA}},\textsf{A}}(\kappa ,N)\) which is the same as \(\textsf{Exp}^{\textsf {Full}\text {-}\textsf {ANOat}\text {-}\textsf {CMA}}_{\Pi ^{\textsf {At}\text {-}\textsf {BA}},\textsf{A}}(\kappa , N)\) except for the following additional condition of the restriction for challenge query: \(|{\mathcal {S}}_0| = |{\mathcal {S}}_1|\).

Definition 11

((Full-)ANOat-CMA) We say that \(\Pi ^{\textsf {At}\text {-}\textsf {BA}}\) is X secure (X \(\in \{\)Full-ANOat-CMA, ANOat-CMA\(\}\)) if for any PPT adversary \(\textsf{A}\), for all sufficiently large \(\kappa \in {\mathbb {N}}\) and all \(N \in {\mathbb {N}}\), it holds that \(\textsf{Adv}^{X}_{{\Pi ^{\textsf {At}\text {-}\textsf {BA}},\textsf{A}}}(\kappa , N) < \textsf{negl}({\kappa })\), where \(\textsf{Adv}^{X}_{{\Pi ^{\textsf {At}\text {-}\textsf {BA}},\textsf{A}}}(\kappa , N):= \left| \Pr \left[ \textsf{Exp}^{X}_{{\Pi ^{\textsf {At}\text {-}\textsf {BA}},\textsf{A}}}(\kappa ,N) \rightarrow 1\right] -\frac{1}{2}\right| \).

6.3 Properties in an existing ABA scheme

In this section, we describe four properties that hold for an existing ABA scheme. The four properties are as follows.

Property 5

Authenticator \(\textsf {cmd}_{{{\mathcal {S}}}}\) output from the \(\textsf {Auth}\) algorithm consists of atomic authenticators \(\textsf {cmd}_{{\mathcal {S}}, \textsf {id}}\) obtained by the \(\textsf {Auth}\text {-}\textsf {at}\) algorithm, and other elements. In other words, let a set of atomic authenticators contained in \(\textsf {cmd}_{{{\mathcal {S}}}}\) be \(\{\textsf {cmd}_{{\mathcal {S}}, \textsf {id}}\}_{\textsf {id}\in {\mathcal {S}}}\), and let the union of \(\{\textsf {cmd}_{{\mathcal {S}}, \textsf {id}}\}_{\textsf {id}\in {\mathcal {S}}}\) and some elements contained in \(\textsf {cmd}_{{{\mathcal {S}}}}\) be \(\{\textsf {cmd}_{{{\mathcal {S}}}}^{{({\theta })}}\}_{\theta \in [\beta _{{{\mathcal {S}}}}]}\), it holds that \(\{\textsf {cmd}_{{\mathcal {S}}, \textsf {id}}\}_{\textsf {id}\in {\mathcal {S}}} \subseteq \{\textsf {cmd}_{{{\mathcal {S}}}}^{{({\theta })}}\}_{\theta \in [\beta _{{{\mathcal {S}}}}]} \subseteq \textsf {cmd}_{{{\mathcal {S}}}}\). Here, the randomness \({\textsf{r}}\) input to the \(\textsf {Auth}\text {-}\textsf {at}\) is the same when generating \(\{\textsf {cmd}_{{\mathcal {S}}, \textsf {id}}\}_{\textsf {id}\in {\mathcal {S}}}\) respectively. Also, inside the \(\textsf {Vrfy}\) algorithm, the \(\textsf {Vrfy}\text {-}\textsf {at}\) algorithm takes an atomic authenticator and a set of atomic verification keys as input, and outputs a message. If \(\textsf {cmd}_{{{\mathcal {S}}}}\) is a valid authenticator, then there is an atomic authenticator \(\textsf {cmd}_{{{\mathcal {S}}}}^{{({\theta })}}\) in \(\textsf {cmd}_{{{\mathcal {S}}}}\) that can be verified using a subset of atomic verification keys of a recipient \(\textsf {id}\) in \({\mathcal {S}}\). Formally, we require the following property for AtBA \(\Pi ^{\textsf {At}\text {-}\textsf {BA}}\):

For all \(\kappa ,N \in {\mathbb {N}}\), all \(\textsf {ak}\leftarrow \textsf {Setup}(1^{\kappa },N)\), all \({\textsf{m}}\in {\mathcal {M}}\), all \({\mathcal {S}}\subseteq {\mathcal {I}}{\mathcal {D}}\) such that \(|{\mathcal {S}}| \le N\), all \(\textsf {id}\in {\mathcal {I}}{\mathcal {D}}\), all \(\{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}} \leftarrow \textsf {Join}\text {-}\textsf {at}(\textsf {ak}, \textsf {id})\), all \({\textsf{r}}{\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathcal {R}}\), all \(\{\textsf {cmd}_{{{\mathcal {S}}}}^{{({\theta })}}\}_{\theta \in [\beta _{{{\mathcal {S}}}}]} \subseteq \textsf {cmd}_{{{\mathcal {S}}}}\leftarrow \textsf {Auth}(\textsf {ak}, {\textsf{m}}, {\mathcal {S}}; {\textsf{r}})\), if \(\textsf {id}\in {\mathcal {S}}\), then for some \(\Gamma _{\textsf {id}}' \subseteq \Gamma _{\textsf {id}}\), there exists \(\theta \in [\beta _{{{\mathcal {S}}}}]\) such that \({\textsf{m}}\leftarrow \textsf {Vrfy}\text {-}\textsf {at}(\{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma '_{\textsf {id}}}, \textsf {cmd}_{{{\mathcal {S}}}}^{{({\theta })}})\). If \(\textsf {id}\notin {\mathcal {S}}\), then for all \(\Gamma _{\textsf {id}}' \subseteq \Gamma _{\textsf {id}}\), there is no \(\theta \in [\beta _{{{\mathcal {S}}}}]\) such that \({\textsf{m}}\leftarrow \textsf {Vrfy}\text {-}\textsf {at}(\{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma '_{\textsf {id}}}, \textsf {cmd}_{{{\mathcal {S}}}}^{{({\theta })}})\).

Property 6

When generating \(\textsf {cmd}_{{\mathcal {S}}, \textsf {id}}\) such that \({\textsf{m}}\leftarrow \textsf {Vrfy}\text {-}\textsf {at}( \{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}'}, \textsf {cmd}_{{\mathcal {S}}, \textsf {id}})\) for some \(\Gamma _{\textsf {id}}' \subseteq \Gamma _{\textsf {id}}\), let \(\Delta ^*_{\textsf {id}, {\mathcal {S}}, {\textsf{m}}}\) be a minimum subset of atomic authentication keys required as input to \(\textsf {Auth}\text {-}\textsf {at}\). Then \(\Delta ^*_{\textsf {id}, {\mathcal {S}}, {\textsf{m}}}\) is uniquely determined by the triple \((\textsf {id}, {\mathcal {S}}, {\textsf{m}})\) of the recipient’s identifier, the privileged set and the message input to \(\textsf {Auth}\text {-}\textsf {at}\).

Property 7

When \({\textsf{m}}\leftarrow \textsf {Vrfy}\text {-}\textsf {at}(\{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}'}, \textsf {cmd}_{{\mathcal {S}}, \textsf {id}})\) holds, let \(\Gamma _{\textsf {id}, {\mathcal {S}}}^*\) be a minimum subset of atomic verification keys required as input to \(\textsf {Vrfy}\text {-}\textsf {at}\). Then \(\Gamma _{\textsf {id}, {\mathcal {S}}}^*\) is uniquely determined by the pair \((\textsf {id}, {\mathcal {S}})\) of the recipient’s identifier and the privileged set input to \(\textsf {Auth}\text {-}\textsf {at}\) when generating \(\textsf {cmd}_{{\mathcal {S}}, \textsf {id}}\).

Property 8

For all \(\{\textsf {ak}^{\left( {\delta }\right) } \}_{\delta \in \Delta } \leftarrow \textsf {Setup}\text {-}\textsf {at}(1^{\kappa },N)\), all \(\textsf {id}, \textsf {id}' \in {\mathcal {I}}{\mathcal {D}}\), all \({\mathcal {S}}\) such that \(\{\textsf {id}, \textsf {id}'\} \subseteq {\mathcal {S}}\), all \({\textsf{m}}\in {\mathcal {M}}\), all \({\textsf{r}}\in {\mathcal {R}}\), all \(\textsf {cmd}_{{\mathcal {S}}, \textsf {id}}\leftarrow \textsf {Auth}\text {-}\textsf {at}(\{\textsf {ak}^{\left( {\delta }\right) } \}_{\delta \in \Delta ^*_{\textsf {id}, {\mathcal {S}}, {\textsf{m}}}}, \textsf {id}, {\textsf{m}}, {\mathcal {S}}; {\textsf{r}})\) and \(\textsf {cmd}_{{\mathcal {S}}, \textsf {id}'}\leftarrow \textsf {Auth}\text {-}\textsf {at}(\{\textsf {ak}^{\left( {\delta '}\right) } \}_{\delta ' \in \Delta ^*_{\textsf {id}', {\mathcal {S}}, {\textsf{m}}}},\textsf {id}',{\textsf{m}}, {\mathcal {S}};{\textsf{r}})\), if \(\textsf {cmd}_{{\mathcal {S}}, \textsf {id}}= \textsf {cmd}_{{\mathcal {S}}, \textsf {id}'}\) holds, then we have \(\{\textsf {ak}^{\left( {\delta }\right) } \}_{\delta \in \Delta ^*_{\textsf {id}, {\mathcal {S}}, {\textsf{m}}}} = \{\textsf {ak}^{\left( {\delta '}\right) } \}_{\delta ' \in \Delta ^*_{\textsf {id}', {\mathcal {S}}, {\textsf{m}}}}\) with overwhelming probability.

Here, we can see that the existing ABA scheme [37] satisfies the above properties in the same way as in Sect. 3.2.
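As an added worked example (Python written for this page, not code from the paper or from the ABA scheme of [37]), the following toy realizes the AtBA syntax of Sect. 6.1 and Properties 5 to 8 of Sect. 6.3 with an HMAC-SHA256 tag as the atomic authenticator, and it includes the checks a reader would want to run: Atomic Correctness, both directions of Property 5, and a search for atoms accepted by two or more recipients, which is the witness the proof of Theorem 6 below extracts. Everything beyond the text is an assumption of the example: identifiers are \(\{0, \dots , N-1\}\), each recipient holds a single atomic key so that \(\Delta ^*_{\textsf {id}, {\mathcal {S}}, {\textsf{m}}} = \Gamma ^*_{\textsf {id}, {\mathcal {S}}} = \{\textsf {id}\}\), the message and a nonce (the published part of \({\textsf{r}}\)) are carried once as the “other elements” of \(\textsf {cmd}_{{{\mathcal {S}}}}\) and passed to \(\textsf {Vrfy}\text {-}\textsf {at}\) explicitly, and the full-anonymity variant pads the atom list with dummy tags up to \(N\). The scheme makes no security claim beyond what the MAC provides.

```python
"""Toy atomic broadcast authentication (AtBA) with HMAC-SHA256 as the atom.

Added illustration only: not the paper's scheme and not Watanabe et al.'s
construction; no security claim beyond what the MAC provides.  Assumptions
not in the text: ID = {0, ..., N-1}; each recipient holds one atomic key, so
Delta*_{id,S,m} = Gamma*_{id,S} = {id}; the message m and a nonce (published
part of r) travel once as the "other elements" of cmd_S and are passed to
Vrfy-at explicitly; the Full-ANO variant pads with dummy tags up to N.
"""
import hashlib
import hmac
import random
import secrets

KAPPA = 32  # bytes: an atomic key and an atomic authenticator are kappa = 256 bits


def setup_at(n):
    """Setup-at(1^kappa, N): one atomic authentication key ak^(delta), Delta = [N]."""
    return {delta: secrets.token_bytes(KAPPA) for delta in range(n)}


def join_at(ak, ident):
    """Join-at(ak, id), deterministic: Gamma_id = {id}; in the symmetric setting
    the atomic verification key equals the atomic authentication key."""
    return {ident: ak[ident]}


def auth_at(ak_sub, s, m, ident, nonce):
    """Auth-at({ak^(delta)}_{delta in Delta'}, S, m, id; r): an HMAC over nonce||m.
    Delta' must contain Delta*_{id,S,m} = {id}.  The tag does not depend on S,
    so an atom on its own carries no information about the privileged set."""
    return hmac.new(ak_sub[ident], nonce + m, hashlib.sha256).digest()


def vrfy_at(vk_sub, nonce, m, tag):
    """Vrfy-at({vk_id^(gamma)}_{gamma in Gamma'}, cmd_{S,id}): m on success, None (bot) otherwise."""
    for key in vk_sub.values():
        if hmac.compare_digest(hmac.new(key, nonce + m, hashlib.sha256).digest(), tag):
            return m
    return None


def auth(ak, m, s, full_anon=False):
    """Auth(ak, m, S; r): one atom per id in S, secretly shuffled.  Atoms carry no
    id label, which is why Vrfy has to scan theta in [beta_S].  With
    full_anon=True, dummy atoms pad the list to N so that beta_S hides |S|."""
    if len(s) > len(ak):
        raise ValueError("|S| exceeds N")
    nonce = secrets.token_bytes(16)  # published part of r; the permutation stays secret
    atoms = [auth_at({i: ak[i]}, s, m, i, nonce) for i in s]
    if full_anon:
        atoms += [secrets.token_bytes(KAPPA) for _ in range(len(ak) - len(s))]
    random.SystemRandom().shuffle(atoms)
    return {"nonce": nonce, "m": m, "atoms": atoms}


def vrfy(vk, cmd):
    """Vrfy(vk_id, cmd_S): accept iff some atom cmd_S^(theta) verifies under vk_id."""
    for tag in cmd["atoms"]:
        if vrfy_at(vk, cmd["nonce"], cmd["m"], tag) is not None:
            return cmd["m"]
    return None


def authenticator_size(cmd):
    """Total atom size in bytes: |S|*kappa for the ANO variant, N*kappa for Full-ANO."""
    return sum(len(tag) for tag in cmd["atoms"])


def atomic_correctness_holds(ak, cmd, s):
    """Atomic Correctness: cmd_{S,id} recomputed with the same r lies in cmd_S and
    verifies under vk_id, for every id in S."""
    for i in s:
        atom = auth_at({i: ak[i]}, s, cmd["m"], i, cmd["nonce"])
        if atom not in cmd["atoms"]:
            return False
        if vrfy_at(join_at(ak, i), cmd["nonce"], cmd["m"], atom) != cmd["m"]:
            return False
    return True


def property5_holds(ak, cmd, s):
    """Property 5: some atom of cmd_S verifies under vk_id if and only if id in S."""
    return all((vrfy(join_at(ak, i), cmd) == cmd["m"]) == (i in s) for i in range(len(ak)))


def shared_atoms(ak, cmd):
    """Atoms accepted by two or more recipients: the witness the proof of Theorem 6
    extracts whenever beta_S < |S|.  Empty here, since every recipient has its
    own key and the scheme spends one atom per member of S."""
    shared = []
    for tag in cmd["atoms"]:
        acceptors = [i for i in range(len(ak))
                     if vrfy_at(join_at(ak, i), cmd["nonce"], cmd["m"], tag) is not None]
        if len(acceptors) >= 2:
            shared.append(tag)
    return shared


if __name__ == "__main__":
    ak, S, msg = setup_at(8), {1, 4, 6}, b"rotate the session key"  # constructed input
    cmd, full = auth(ak, msg, S), auth(ak, msg, S, full_anon=True)
    print("ANO atoms/bytes:", len(cmd["atoms"]), authenticator_size(cmd),
          "| Full-ANO atoms/bytes:", len(full["atoms"]), authenticator_size(full),
          "| correct:", atomic_correctness_holds(ak, cmd, S), "| prop5:", property5_holds(ak, cmd, S))
```

Running the script shows one atom of \(\kappa \) bytes per member of \({\mathcal {S}}\) for the ANO variant (total \(|{\mathcal {S}}|\cdot \kappa \)) and \(N\) atoms for the Full-ANO variant (total \(N\cdot \kappa \)), which is the shape of the \(|{\mathcal {S}}|\cdot \kappa \) and \(N\cdot \kappa \) bounds discussed in this paper. The secret shuffle is what forces \(\textsf {Vrfy}\) to scan \(\theta \in [\beta _{{{\mathcal {S}}}}]\), and a scheme that spent fewer than \(|{\mathcal {S}}|\) atoms would necessarily make `shared_atoms` non-empty, which is exactly the situation Lemma 13 rules out.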

7 Asymptotic lower bounds in anonymous broadcast authentication

In order to derive lower bounds for ANO-BA and Full-ANO-BA, we assume a property that “a minimum subset of atomic verification keys used to verify authenticators is uniquely determined by a subset of authentication keys used to generate the authenticator.” Specifically, we consider the following property for ANO-BA and Full-ANO-BA:

Assumption 3 When \(\{\textsf {ak}^{\left( {\delta }\right) } \}_{\delta \in \Delta } \leftarrow \textsf {Setup}(1^{\kappa },N)\) is generated, let \({\mathcal {A}}{\mathcal {K}}^*\) denote the set of all atomic authentication keys, namely \({\mathcal {A}}{\mathcal {K}}^*:= \{\textsf {ak}^{\left( {\delta }\right) } \}_{\delta \in \Delta }\). And, when \(\{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}} \leftarrow \textsf {Join}\text {-}\textsf {at}(\textsf {ak}, \textsf {id})\) is generated, let \({\mathcal {V}}{\mathcal {K}}^*\) denote the family of the minimum subsets of atomic verification keys input to \(\textsf {Vrfy}\text {-}\textsf {at}\), namely \({\mathcal {V}}{\mathcal {K}}^*:= \{\{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) }\}_{\gamma \in \Gamma _{\textsf {id}, {\mathcal {S}}}^*}\}_{\textsf {id}\in {\mathcal {I}}{\mathcal {D}}, {\mathcal {S}}\subseteq {\mathcal {I}}{\mathcal {D}}}\). Here, we note that \({\mathcal {V}}{\mathcal {K}}^*\) is uniquely determined, since \(\textsf {Join}\text {-}\textsf {at}\) is a deterministic algorithm. Then, for all \(\textsf {id}\in {\mathcal {I}}{\mathcal {D}}\), all \({\mathcal {S}}\subseteq {\mathcal {I}}{\mathcal {D}}\), all \({\textsf{m}}\in {\mathcal {M}}\), all \({\textsf{r}}\in {\mathcal {R}}\), all \(\textsf {ak}' \in 2^{{\mathcal {A}}{\mathcal {K}}^*}\), and all \(\textsf {cmd}_{{\mathcal {S}}, \textsf {id}}\leftarrow \textsf {Auth}\text {-}\textsf {at}(\textsf {ak}', \textsf {id}, {\textsf{m}}, {\mathcal {S}}; {\textsf{r}})\), the set of atomic verification keys \(\textsf {vk}_{{}}' \in {\mathcal {V}}{\mathcal {K}}^*\cup \{\bot \}\) such that \({\textsf{m}}\leftarrow \textsf {Vrfy}\text {-}\textsf {at}(\textsf {vk}_{{}}', \textsf {cmd}_{{\mathcal {S}}, \textsf {id}})\) is uniquely determined by the set of atomic authentication keys \(\textsf {ak}'\).

The above property holds for Watanabe et al.’s ANO-BA and Full-ANO-BA schemes [37], which are generic constructions using a message authentication code and a pseudorandom function. Since it can be shown that they satisfy the above property in the same way as the ANO-BE scheme of Libert et al. [25], we omit a detailed discussion here.

7.1 Lower bounds in ANOat-CMA secure AtBA

First, we show two lemmas, Lemmas 12 and 13, for ANOat-CMA secure AtBA with Properties 5, 6, 7 and 8 described in Sect. 6.3. In Lemma 12, we show that “if an AtBA is ANOat-CMA secure, then for authenticators with sets \({\mathcal {S}}_0, {\mathcal {S}}_1\) of equal size, the sets of atomic verification keys used by a recipient \(\textsf {id}\) for each verification are equal with overwhelming probability.” Then, in Lemma 13, we show that “if an AtBA is ANOat-CMA secure, then for any set \({\mathcal {S}}\) with at least two elements, distinct recipients \(\textsf {id}, \textsf {id}' \in {\mathcal {S}}\) must not share the set of atomic verification keys used to verify \(\textsf {cmd}_{{{\mathcal {S}}}}\), with overwhelming probability.”

Then, for ANOat-CMA secure AtBA with the property described in Assumption 3, we will derive a lower bound on authenticator-size by Theorem 6.

For convenience, for any \({\mathcal {S}}_0,{\mathcal {S}}_1\subseteq {\mathcal {I}}{\mathcal {D}}\), we call \(({\mathcal {S}}_0, {\mathcal {S}}_1)\) challengeable sets if it can be used for a challenge query in the ANOat-CMA game \(\textsf{Exp}^{\textsf {ANOat}\text {-}\textsf {CMA}}_{\Pi ^{\textsf {At}\text {-}\textsf {BA}},\textsf{A}}\).

Lemma 12

If AtBA \(\Pi ^{\textsf {At} \text {-}{} \textsf {BA} }\) is ANOat-CMA secure, no PPT adversary \(\textsf{A} \) in the ANOat-CMA game can find \(\textsf {id} \in {\mathcal {I}}{\mathcal {D}}\) and challengeable sets \(({\mathcal {S}}_0, {\mathcal {S}}_1)\in \left( 2^{{\mathcal {D}}}_{\le N}\right) ^2\) such that \(\textsf {id} \in {\mathcal {S}}_0 \cap {\mathcal {S}}_1\), \(|{\mathcal {S}}_0|=|{\mathcal {S}}_1|\), and \(\{\textsf {vk} _{\textsf {id} }^{\left( \gamma \right) }\}_{\gamma \in \Gamma ^*_{\textsf {id} , {\mathcal {S}}_0}} \ne \{\textsf {vk} _{\textsf {id} }^{\left( \gamma \right) }\}_{\gamma \in \Gamma ^*_{\textsf {id} , {\mathcal {S}}_1}}\) with non-negligible probability.

Proof

We show this lemma by contraposition. Suppose that there exists a PPT adversary \(\textsf{A}\) that can find \((\textsf {id}, {\mathcal {S}}_0, {\mathcal {S}}_1)\) in the ANOat-CMA game such that \(({\mathcal {S}}_0, {\mathcal {S}}_1)\) are challengeable sets and it holds that \(\textsf {id}\in {\mathcal {S}}_0 \cap {\mathcal {S}}_1\), \(|{\mathcal {S}}_0|=|{\mathcal {S}}_1|\), and \(\{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}, {\mathcal {S}}_0}} \ne \{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}, {\mathcal {S}}_1}}\) with non-negligible probability. Note that by Property 7, \(\Gamma ^*_{\textsf {id}, {\mathcal {S}}_0}\) and \(\Gamma ^*_{\textsf {id}, {\mathcal {S}}_1}\) are uniquely determined. Then, \(\textsf{A}\) can break ANOat-CMA security as follows. During the ANOat-CMA game, \(\textsf{A}\) finds \((\textsf {id}^*, {\mathcal {S}}_0, {\mathcal {S}}_1)\) such that \(\{\textsf {vk}_{\textsf {id}^*}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}^*, {\mathcal {S}}_0}} \ne \{\textsf {vk}_{\textsf {id}^*}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}^*, {\mathcal {S}}_1}}\). \(\textsf{A}\) then issues key-generation queries for every \(\textsf {id}\in {\mathcal {S}}_0 \cup {\mathcal {S}}_1\) and a corruption query for \(\textsf {id}^*\) (if \(\textsf{A}\) has not done so yet), and obtains the verification key \(\{\textsf {vk}_{\textsf {id}^*}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}^*}}\). \(\textsf{A}\) then issues a challenge query \(({\textsf{m}}, {\mathcal {S}}_0, {\mathcal {S}}_1)\) to obtain \(\{\textsf {cmd}_{{{\mathcal {S}}_b}}^{{({\theta })}}\}_{\theta \in [\beta _{{{\mathcal {S}}_b}}]} \subseteq \textsf {cmd}_{{{\mathcal {S}}_b}}\). 
Note that \(\textsf{A}\) is allowed to obtain the verification key for \(\textsf {id}^*\) since \(\textsf {id}^* \in {\mathcal {S}}_0 \cap {\mathcal {S}}_1\) and \(({\mathcal {S}}_0, {\mathcal {S}}_1)\) can be used for the challenge query. Finally, \(\textsf{A}\) outputs \(b'=0\) if there exists \(\theta \in [\beta _{{{\mathcal {S}}_b}}]\) such that \({\textsf{m}}\leftarrow \textsf {Vrfy}\text {-}\textsf {at}(\{\textsf {vk}_{\textsf {id}^*}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}^*, {\mathcal {S}}_0}}, \textsf {cmd}_{{{\mathcal {S}}_b}}^{{({\theta })}})\), and \(b'=1\) otherwise. In this case, \(\textsf{A}\) outputs \(b'\) with \(b'=b\) with probability non-negligibly greater than \(1/2\), i.e., with non-negligible advantage. \(\square \)

Lemma 13

If AtBA \(\Pi ^{\textsf {At} \text {-}{} \textsf {BA} }\) is ANOat-CMA secure, no PPT adversary \(\textsf{A} \) in the ANOat-CMA game can find \((\textsf {id} , \textsf {id} ', {\mathcal {S}}) \in {\mathcal {I}}{\mathcal {D}}^2 \times 2^{{\mathcal {D}}}_{\le N}\) such that \(\textsf {id} , \textsf {id} ' \in {\mathcal {S}}\), \(\textsf {id} \ne \textsf {id} '\), and \(\{\textsf {vk} _{\textsf {id} }^{\left( \gamma \right) }\}_{\gamma \in \Gamma ^*_{\textsf {id} , {\mathcal {S}}}} = \{\textsf {vk} _{\textsf {id}' }^{\left( \gamma '\right) }\}_{\gamma ' \in \Gamma ^*_{\textsf {id} ', {\mathcal {S}}}}\) with non-negligible probability.

Proof

Assume on the contrary that there exists a PPT adversary \(\textsf{A}\) that can find \((\textsf {id},\textsf {id}',{\mathcal {S}})\) such that \(\textsf {id},\textsf {id}'\in {\mathcal {S}}\), \(\textsf {id}\ne \textsf {id}'\), and \(\{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}, {\mathcal {S}}}} = \{\textsf {vk}_{\textsf {id}'}^{\left( {\gamma '}\right) } \}_{\gamma ' \in \Gamma ^*_{\textsf {id}', {\mathcal {S}}}}\) with non-negligible probability. Note that by Property 7, \(\Gamma ^*_{\textsf {id}, {\mathcal {S}}}\) and \(\Gamma ^*_{\textsf {id}', {\mathcal {S}}}\) are uniquely determined. Then, we show that this contradicts Property 5 of AtBA (Sect. 6.3) for any \({\mathcal {S}}'\) such that \(\textsf {id}\in {\mathcal {S}}'\), \(\textsf {id}' \notin {\mathcal {S}}'\), and \(|{\mathcal {S}}|=|{\mathcal {S}}'|\). Suppose that \(\textsf{A}\) has obtained the atomic verification keys \(\{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma _{\textsf {id}}}\) and \(\{\textsf {vk}_{\textsf {id}'}^{\left( {\gamma '}\right) } \}_{\gamma ' \in \Gamma _{\textsf {id}'}}\) by key-generation queries and corruption queries. Since \(\textsf {id}\in {\mathcal {S}}'\), we have \({\textsf{m}}\leftarrow \textsf {Vrfy}\text {-}\textsf {at}(\{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}, {\mathcal {S}}'}}, \textsf {cmd}_{{\mathcal {S}}', \textsf {id}})\). From Lemma 12, we have \(\{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}, {\mathcal {S}}'}} = \{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}, {\mathcal {S}}}}\) with overwhelming probability, as discussed in Lemma 3. Hence, we have \({\textsf{m}}\leftarrow \textsf {Vrfy}\text {-}\textsf {at}( \{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}, {\mathcal {S}}}}, \textsf {cmd}_{{\mathcal {S}}', \textsf {id}})\). 
Here, since \(\{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}, {\mathcal {S}}}} = \{\textsf {vk}_{\textsf {id}'}^{\left( {\gamma '}\right) } \}_{\gamma ' \in \Gamma ^*_{\textsf {id}', {\mathcal {S}}}}\) from the assumption, we have \({\textsf{m}}\leftarrow \textsf {Vrfy}\text {-}\textsf {at}(\{\textsf {vk}_{\textsf {id}'}^{\left( {\gamma '}\right) } \}_{\gamma ' \in \Gamma ^*_{\textsf {id}', {\mathcal {S}}}}, \textsf {cmd}_{{\mathcal {S}}', \textsf {id}})\). However, since \(\textsf {id}' \not \in {\mathcal {S}}'\) holds, the above contradicts Property 5. \(\square \)

In the following, we derive a lower bound on the authenticator-size in ANOat-CMA secure AtBA with the property described in Assumption 3. Specifically, we show the following statement: if there exists a set \({\mathcal {S}}\) such that the number of atomic authenticators \(\textsf {cmd}_{{\mathcal {S}}, \textsf {id}}\) contained in \(\textsf {cmd}_{{{\mathcal {S}}}}\) is less than \(|{\mathcal {S}}|\) with non-negligible probability, then this contradicts Lemma 13.

Theorem 6

If AtBA \(\Pi ^{\textsf {At} \text {-}{} \textsf {BA} }\) with the property shown in Assumption 3 is ANOat-CMA secure, the size of authenticators for any recipient set \({\mathcal {S}}\in 2^{{\mathcal {I}}{\mathcal {D}}}_{\le N}\) and any message \({\textsf{m}} \in {\mathcal {M}}\) is \(\Omega (|{\mathcal {S}}| \cdot k)\) with overwhelming probability, where \(k = \underset{{\mathcal {S}}\subseteq {\mathcal {I}}{\mathcal {D}}, \theta \in [\beta _{{{\mathcal {S}}}}]}{\min } |\textsf {cmd} _{{\mathcal {S}}}^{{(\theta )}}|\) and the probability is taken over the internal randomness of \(\textsf {Setup}\text {-}\textsf {at} \), \(\textsf {Auth} \), and \(\textsf {Auth}\text {-}\textsf {at} \). In other words, if AtBA \(\Pi ^{\textsf {At} \text {-}{} \textsf {BA} }\) is ANOat-CMA secure and has the property in Assumption 3, then for any recipient set \({\mathcal {S}}\in 2^{{\mathcal {I}}{\mathcal {D}}}_{\le N}\) and any message \({\textsf{m}} \in {\mathcal {M}}\), \(\textsf {Auth} \) outputs an authenticator of size \(\Omega (|{\mathcal {S}}| \cdot k)\) with overwhelming probability.

Proof

For some set of recipients \({\mathcal {S}}^* \in 2^{{\mathcal {I}}{\mathcal {D}}}_{\le N}\) and message \({\textsf{m}}^* \in {\mathcal {M}}\), assume that with non-negligible probability \(\textsf {Auth}\) outputs \(\textsf {cmd}_{{{\mathcal {S}}^*}} = \{\textsf {cmd}_{{{\mathcal {S}}^*}}^{{({\theta })}}\}_{\theta \in [\beta _{{{\mathcal {S}}^*}}]} \leftarrow \textsf {Auth}(\{\textsf {ak}^{\left( {\delta }\right) } \}_{\delta \in \Delta }, {\textsf{m}}^*, {\mathcal {S}}^*;{\textsf{r}}^*)\) with \(\beta _{{{\mathcal {S}}^*}} < |{\mathcal {S}}^*|\). Let \(\textsf{A}\) be any fixed PPT adversary against the ANOat-CMA game. Then, as discussed in Theorem 1, \(\textsf{A}\) can identify such \(({\mathcal {S}}^*, {\textsf{m}}^*)\) with non-negligible probability since \(\textsf{A}\) knows the concrete procedure of \(\textsf {Auth}\) (which is public by Kerckhoffs’ principle). We then show that \(\textsf{A}\) can find \((\textsf {id},\textsf {id}',{\mathcal {S}}^*)\) that contradicts Lemma 13. Since \(\beta _{{{\mathcal {S}}^*}} \ge 1\) and \(\beta _{{{\mathcal {S}}^*}} < |{\mathcal {S}}^*|\), we have \(|{\mathcal {S}}^*| \ge 2\). Moreover, by Atomic Correctness each \(\textsf {id}\in {\mathcal {S}}^*\) has its atomic authenticator \(\textsf {cmd}_{{\mathcal {S}}^*, \textsf {id}}\) among \(\{\textsf {cmd}_{{{\mathcal {S}}^*}}^{{({\theta })}}\}_{\theta \in [\beta _{{{\mathcal {S}}^*}}]}\), so from \(\beta _{{{\mathcal {S}}^*}} < |{\mathcal {S}}^*|\) and the pigeonhole principle there exists at least one atomic authenticator \(\textsf {cmd}_{{{\mathcal {S}}^*}}^{{({\theta ^*})}}\) that can be verified by two distinct recipients \(\textsf {id}, \textsf {id}' \in {\mathcal {S}}^*\). That is, for such \(\textsf {id}, \textsf {id}' \in {\mathcal {S}}^*\), it holds that \(\textsf {cmd}_{{{\mathcal {S}}^*}}^{{({\theta ^*})}} = \textsf {cmd}_{{\mathcal {S}}^*, \textsf {id}}= \textsf {cmd}_{{\mathcal {S}}^*, \textsf {id}'}\), where \(\textsf {cmd}_{{\mathcal {S}}^*, \textsf {id}}, \textsf {cmd}_{{\mathcal {S}}^*, \textsf {id}'}\) are generated by

$$\begin{aligned}&\textsf {cmd}_{{\mathcal {S}}^*, \textsf {id}}\leftarrow \textsf {Auth}\text {-}\textsf {at}(\{\textsf {ak}^{\left( {\delta }\right) } \}_{\delta \in \Delta ^*_{\textsf {id}, {\mathcal {S}}^*, {\textsf{m}}^*}}, \textsf {id}, {\textsf{m}}^*, {\mathcal {S}}^*; {\textsf{r}}^*), \\&\textsf {cmd}_{{\mathcal {S}}^*, \textsf {id}'}\leftarrow \textsf {Auth}\text {-}\textsf {at}(\{\textsf {ak}^{\left( {\delta }\right) } \}_{\delta \in \Delta ^*_{\textsf {id}', {\mathcal {S}}^*, {\textsf{m}}^*}}, \textsf {id}', {\textsf{m}}^*, {\mathcal {S}}^*; {\textsf{r}}^*), \end{aligned}$$

where \({\textsf{r}}^*\) is the same randomness in \(\textsf {Auth}\) above. Note that by Property 6, \(\Delta ^*_{\textsf {id}, {\mathcal {S}}^*, {\textsf{m}}^*}\) and \(\Delta ^*_{\textsf {id}', {\mathcal {S}}^*, {\textsf{m}}^*}\) are uniquely determined, and by Property 8, it holds \(\{\textsf {ak}^{\left( {\delta }\right) } \}_{\delta \in \Delta ^*_{\textsf {id}, {\mathcal {S}}^*, {\textsf{m}}^*}} = \{\textsf {ak}^{\left( {\delta }\right) } \}_{\delta \in \Delta ^*_{\textsf {id}', {\mathcal {S}}^*, {\textsf{m}}^*}}\). In addition, by Atomic Correctness and Property 5, we have

$$\begin{aligned}&{\textsf{m}}^* \leftarrow \textsf {Vrfy}\text {-}\textsf {at}(\{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}, {\mathcal {S}}^*}}, \textsf {cmd}_{{{\mathcal {S}}^*}}^{{({\theta ^*})}}), \\&{\textsf{m}}^* \leftarrow \textsf {Vrfy}\text {-}\textsf {at}(\{\textsf {vk}_{\textsf {id}'}^{\left( {\gamma '}\right) } \}_{\gamma ' \in \Gamma ^*_{\textsf {id}', {\mathcal {S}}^*}}, \textsf {cmd}_{{{\mathcal {S}}^*}}^{{({\theta ^*})}}). \end{aligned}$$

Note that by Property 7, \(\{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}, {\mathcal {S}}^*}}\) and \(\{\textsf {vk}_{\textsf {id}'}^{\left( {\gamma '}\right) } \}_{\gamma ' \in \Gamma ^*_{\textsf {id}', {\mathcal {S}}^*}}\) are uniquely determined. From Assumption 3, \(\{\textsf {ak}^{\left( {\delta }\right) } \}_{\delta \in \Delta ^*_{\textsf {id}, {\mathcal {S}}^*, {\textsf{m}}^*}}\) and \(\{\textsf {ak}^{\left( {\delta }\right) } \}_{\delta \in \Delta ^*_{\textsf {id}', {\mathcal {S}}^*, {\textsf{m}}^*}}\) uniquely determine \(\{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}, {\mathcal {S}}^*}}\) and \(\{\textsf {vk}_{\textsf {id}'}^{\left( {\gamma '}\right) } \}_{\gamma ' \in \Gamma ^*_{\textsf {id}', {\mathcal {S}}^*}}\), respectively, such that

$$\begin{aligned}&{\textsf{m}}^* \leftarrow \textsf {Vrfy}\text {-}\textsf {at}(\{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}, {\mathcal {S}}^*}}, \textsf {Auth}\text {-}\textsf {at}(\{\textsf {ak}^{\left( {\delta }\right) } \}_{\delta \in \Delta ^*_{\textsf {id}, {\mathcal {S}}^*, {\textsf{m}}^*}}, \textsf {id}, {\textsf{m}}^*, {\mathcal {S}}^*; {\textsf{r}}^*)), \\&{\textsf{m}}^* \leftarrow \textsf {Vrfy}\text {-}\textsf {at}(\{\textsf {vk}_{\textsf {id}'}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}', {\mathcal {S}}^*}}, \textsf {Auth}\text {-}\textsf {at}(\{\textsf {ak}^{\left( {\delta }\right) } \}_{\delta \in \Delta ^*_{\textsf {id}', {\mathcal {S}}^*, {\textsf{m}}^*}}, \textsf {id}', {\textsf{m}}^*, {\mathcal {S}}^*; {\textsf{r}}^*)), \end{aligned}$$

respectively. As mentioned above, it holds \(\{\textsf {ak}^{\left( {\delta }\right) } \}_{\delta \in \Delta ^*_{\textsf {id}, {\mathcal {S}}^*, {\textsf{m}}^*}} = \{\textsf {ak}^{\left( {\delta }\right) } \}_{\delta \in \Delta ^*_{\textsf {id}', {\mathcal {S}}^*, {\textsf{m}}^*}}\). Therefore, despite ANOat-CMA security of \(\Pi ^{\textsf {At}\text {-}\textsf {BA}}\), \(\textsf{A}\) can obtain \(\{\textsf {vk}_{\textsf {id}}^{\left( {\gamma }\right) } \}_{\gamma \in \Gamma ^*_{\textsf {id}, {\mathcal {S}}^*}} = \{\textsf {vk}_{\textsf {id}'}^{\left( {\gamma '}\right) } \}_{\gamma ' \in \Gamma ^*_{\textsf {id}', {\mathcal {S}}^*}}\), which contradicts Lemma 13. \(\square \)

7.2 Lower bounds in Full-ANOat-CMA secure AtBA

We derive a lower bound on authenticator size in Theorem 7 for Full-ANOat-CMA secure AtBA with the property described in Assumption 3, using Theorem 6.

Theorem 7

If AtBA \(\Pi ^{\textsf {At} \text {-}{} \textsf {BA} }\) with the property shown in Assumption 3 is Full-ANOat-CMA secure, the size of authenticators for any recipient set \({\mathcal {S}}\in 2^{{\mathcal {I}}{\mathcal {D}}}_{\le N}\) and any message \({\textsf{m}} \in {\mathcal {M}}\) is \(\Omega (N \cdot k)\) with overwhelming probability, where \(k = \underset{{\mathcal {S}}\subseteq {\mathcal {I}}{\mathcal {D}}, \theta \in [\beta _{{{\mathcal {S}}}}]}{\min } |\textsf {cmd} _{{\mathcal {S}}}^{{(\theta )}}|\) and the probability is taken over the internal randomness of \(\textsf {Setup}\text {-}\textsf {at} \), \(\textsf {Auth} \), and \(\textsf {Auth}\text {-}\textsf {at} \). In other words, if AtBA \(\Pi ^{\textsf {At} \text {-}{} \textsf {BA} }\) is Full-ANOat-CMA secure and has the property in Assumption 3, then for any recipient set \({\mathcal {S}}\in 2^{{\mathcal {I}}{\mathcal {D}}}_{\le N}\) and any message \({\textsf{m}} \in {\mathcal {M}}\), \(\textsf {Auth} \) outputs an authenticator of size \(\Omega (N \cdot k)\) with overwhelming probability.

Proof

Since Full-ANOat-CMA security implies ANOat-CMA security, for any \({\mathcal {S}}\in 2^{{\mathcal {I}}{\mathcal {D}}}_{\le N}\) we have at least \(\Omega (|{\mathcal {S}}| \cdot \kappa )\) with overwhelming probability from Theorem 6. Now, we assume that for some set of recipients \({\mathcal {S}}^* \in 2^{{\mathcal {I}}{\mathcal {D}}}_{\le N}\) and message \({\textsf{m}}^* \in {\mathcal {M}}\), \(\textsf {Auth}\) outputs \(\textsf {cmd}_{{{\mathcal {S}}^*}} =\{\textsf {cmd}_{{{\mathcal {S}}^*}}^{{({\theta })}}\}_{\theta \in [\beta _{{{\mathcal {S}}^*}}]} \leftarrow \textsf {Auth}(\{\textsf {ak}^{\left( {\delta }\right) } \}_{\delta \in \Delta }, {\textsf{m}}^*, {\mathcal {S}}^*;{\textsf{r}}^*)\) such that \(|{\mathcal {S}}^*|\le \beta _{{{\mathcal {S}}^*}} < N\), with non-negligible probability. Let \(\textsf{A}\) be any fixed PPT adversary against the Full-ANOat-CMA game. Then, \(\textsf{A}\) can identify such \(({\mathcal {S}}^*, {\textsf{m}}^*)\) with non-negligible probability since \(\textsf{A}\) knows the concrete procedure of \(\textsf {Auth}\) (which is public by Kerckhoffs’ principle). \(\textsf{A}\) then issues a challenge query \(({\textsf{m}}^*, {\mathcal {S}}^*, {\mathcal {S}})\), where \({\mathcal {S}}= [N]\) and \({\mathcal {S}}^*\) is any set in \(2^{{\mathcal {I}}{\mathcal {D}}}_{\le N}\) other than [N]. Here, from the assumption that \(|{\mathcal {S}}^*| \le \beta _{{{\mathcal {S}}^*}} < N\), \(\textsf{A}\) can trivially break Full-ANOat-CMA security, which contradicts the premise. Thus, the size of authenticators for any \({\mathcal {S}}\in 2^{{\mathcal {I}}{\mathcal {D}}}_{\le N}\) must be at least that of authenticators for [N], i.e., \(\Omega (N \cdot \kappa )\). \(\square \)

8 Non-asymptotic bounds and optimal constructions of ABA

We show (non-asymptotic) upper and lower bounds on the authenticator size in ABA. Specifically, we propose optimal constructions of ABA with anonymity and with full anonymity, respectively, to show non-asymptotic upper bounds on the authenticator size.

Our UF-CMA secure and Full-ANO-CMA secure ABA is as follows.

  • \(\textsf {Setup}(1^{\kappa },N)\): For all \(\textsf {id}\in [N]\), run \(\textsf {K}_\textsf {id}\leftarrow \textsf {MAC}.\textsf {Gen}(1^{\kappa })\) to get \(\{\textsf {K}_\textsf {id}\}_{\textsf {id}\in [N]}\). Output the authentication key \(\textsf {ak}:= \{\textsf {K}_\textsf {id}\}_{\textsf {id}\in [N]}\).

  • \(\textsf {Join}(\textsf {mk}, \textsf {id})\): Output the verification key \(\textsf {vk}_{{\textsf {id}}}:= \textsf {K}_\textsf {id}\).

  • \(\textsf {Auth}(\textsf {ak}, {\textsf{m}}, {\mathcal {S}})\): Let n be the number of recipients currently participating in the system, and suppose that \(\textsf {vk}_{{\textsf {id}_1}}, \ldots , \textsf {vk}_{{\textsf {id}_n}}\) have been generated by \(\textsf {Join}\) so far. Let \(\textsf {ak}= \{\textsf {K}_\textsf {id}\}_{\textsf {id}\in [N]}\), choose \(x {\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathcal {R}}\), and compute the following for all \(\textsf {id}\in [N]\):

    $$\begin{aligned} \left\{ \begin{array}{ll} \tau _{\textsf {id}} \leftarrow \textsf {MAC}.\textsf {Auth}(\textsf {K}_\textsf {id}, {\textsf{m}}|| x), \;\text {if } \textsf {id}\in {\mathcal {S}}, \\ \tau _{\textsf {id}} \leftarrow \textsf {MAC}.\textsf {Auth}(\textsf {K}_\textsf {id}, 0^{\kappa }|| x), \;\text {if } \textsf {id}\not \in {\mathcal {S}}. \end{array}\right. \end{aligned}$$

    Here, \({\mathcal {R}}\) is a randomness space. Choose a random permutation \(\sigma \) from \(\{\sigma _i:[N] \rightarrow [N]\}_{i \in \{0,1\}^{\kappa }}\); the authenticator is

    $$\begin{aligned} \textsf {cmd}_{{{\mathcal {S}}}} := ({\textsf{m}}, x, \tau _{\sigma (1) }, \ldots , \tau _{\sigma (N)}). \end{aligned}$$
  • \(\textsf {Vrfy}(\textsf {vk}_{{\textsf {id}}},\textsf {cmd}_{{{\mathcal {S}}}})\): Let \(\textsf {vk}_{{\textsf {id}}} = \textsf {K}_\textsf {id}, \textsf {cmd}_{{{\mathcal {S}}}} = ({\textsf{m}}, x, \tau _1, \ldots , \tau _N)\). Do the following two steps from \(j:= 1\).

    • Run \(\textsf {MAC}.\textsf {Vrfy}(\textsf {K}_\textsf {id}, \tau _j, {\textsf{m}}|| x)\) and if its output is \(\top \), return \({\textsf{m}}\) and halt; otherwise, go to the second step.

    • If \(j = N\), return \(\perp \) and halt; otherwise, do the first step with \(j:= j + 1\).

A proof of UF-CMA security for the above construction is intuitively almost identical to evaluating the probability that an adversary forges a MAC in a multi-key setting. However, due to the existence of the Key Derivation Oracle, we cannot simply apply the standard hybrid argument over the number of recipients assuming pseudo-randomness of \(\Pi ^{{\textsf {MAC}}}\) (when the hybrid argument can be applied, i.e., when there is no Key Derivation Oracle, we can prove UF-CMA security assuming pseudo-randomness of \(\Pi ^{{\textsf {MAC}}}\) in a single-key setting). Although it is not impossible to prove the security with the Key Derivation Oracle in the standard model assuming pseudo-randomness of \(\Pi ^{{\textsf {MAC}}}\) in a multi-key setting, the resulting reduction is known to be very inefficient [28]. A simple proof is possible in the non-standard model where \(\textsf {MAC}.\textsf {Auth}\) is regarded as a public random function (Random Oracle). Therefore, in this paper, we give a proof under the assumption that \(\textsf {MAC}.\textsf {Auth}\) is a public random function.

Theorem 8

Assume that \(\textsf {MAC}.\textsf {Auth} \) is a public random function. If \(\Pi ^{\textsf {MAC} }\) is UF-CMA secure, the above construction is UF-CMA secure and Full-ANO-CMA secure.

The UF-CMA security can be proved by the H-coefficient technique [31], which is a standard framework for analyzing the security of symmetric-key cryptographic modes (see [8] for example; note, however, that [8] does not deal with a multi-key setting or a decision game, because it proves a security notion that combines PRF and UF-CMA security). In the proof, \(\sigma \) in the authenticator \(\textsf {cmd}_{{{\mathcal {S}}}}\) is omitted because it does not contribute to UF-CMA security (it only contributes to Full-ANO-CMA security).

First, we consider \(\textsf {MAC}.\textsf {Auth}\) as a public random function (Random Oracle) and introduce the so-called Primitive Oracle \(\textsf {Prim}\), which returns \(\textsf {MAC}.\textsf {Auth}(\tilde{\textsf {K}}, \tilde{{\textsf{m}}})\) on input \((\tilde{\textsf {K}}, \tilde{{\textsf{m}}}) \in {\mathcal {K}}\times {\mathcal {M}}\). Then, we express the advantage of an adversary against UF-CMA security by that of a distinguisher \(\textsf{D}\) trying to distinguish the real world \(({\textsf {Auth}_o,\textsf {Vrfy}_o,\textsf {Corr},\textsf {Prim}})\) from the ideal world \(({\textsf {Auth}_o,\textsf {Rej},\textsf {Corr},\textsf {Prim}})\). The \(\textsf {Auth}_o\) oracle receives a query \(({\textsf{m}}, {\mathcal {S}})\) and returns \(\textsf {Auth}(\textsf {ak}, {\textsf{m}}, {\mathcal {S}})\) as described in Sect. 2.6. \(\textsf {Vrfy}_o\) receives \((\textsf {id},\textsf {cmd}_{{{\mathcal {S}}}})\) and returns \(\textsf {Vrfy}(\textsf {vk}_{{\textsf {id}}},\textsf {cmd}_{{{\mathcal {S}}}})\). The \(\textsf {Rej}\) oracle returns \(\bot \) on a verification query \((\textsf {id}, \textsf {cmd}_{{{\mathcal {S}}}}=({\textsf{m}}, x, \tau _{\sigma (1) }, \ldots , \tau _{\sigma (N)}))\) unless \(\textsf {K}_\textsf {id}\) has already been exposed by \(\textsf {Corr}\) or \(\textsf {MAC}.\textsf {Auth}( \textsf {K}_\textsf {id},{\textsf{m}}|| x)\) appears in an output of the \(\textsf {Auth}_o\) oracle for a query involving the recipient \(\textsf {id}\); otherwise it returns the correct value using \(\textsf {K}_\textsf {id}\) and the query history of the \(\textsf {Auth}_o\) oracle. Let us assume that the number of queries to \(\textsf {Auth}_o\) is \(q_a\) and the number of queries to \(\textsf {Prim}\) is \(q_p\) (queries to \(\textsf {Corr}\) do not specifically contribute to the success probability). Let

$$\begin{aligned} \phi _{\textsf {Prim}} = ((\tilde{\textsf {K}}_1, \tilde{{\textsf{m}}}_1, \tilde{\tau }_1), \ldots , (\tilde{\textsf {K}}_{q_p}, \tilde{{\textsf{m}}}_{q_p}, \tilde{\tau }_{q_p})) \end{aligned}$$

be the list of queries to \(\textsf {Prim}\) and corresponding answers. Let also

$$\begin{aligned} \phi _{\textsf {Auth}} = (({\textsf{m}}_1, x_1, \tau _1), \ldots , ({\textsf{m}}_{q_a}, x_{q_a}, \tau _{q_a})) \end{aligned}$$

be the list of queries to \(\textsf {Auth}\) and corresponding answers.

We let

$$\begin{aligned} \phi _{\textsf {Vrfy}} = ({\textsf{m}}^*, \tau ^*, b^*), \end{aligned}$$

denote a query to \(\textsf {Vrfy}\), where \(b^*\in \{\top ,\bot \}\). The tuple \(\phi = (\phi _{\textsf {Prim}}, \phi _{\textsf {Auth}}, \phi _{\textsf {Vrfy}}, \{\textsf {K}_\textsf {id}\}_{\textsf {id}\in {\mathcal {A}}})\) forms the transcript of the attack, where \({\mathcal {A}}\) is the set of all identities involved in the game, namely those queried to \(\textsf {Corr}\) and those included in the queries to \(\textsf {Auth}_o\) and \(\textsf {Vrfy}_o\). We assume that the subset of these keys not queried to \(\textsf {Corr}\) is attached to the transcript after the adversary has made all queries (so that the adversary cannot use them to make further queries, which would trivially break any scheme); this is a common technique to simplify the proof. Also, we assume that all the keys are distributed uniformly in both worlds; that is, the keys queried only to \(\textsf {Rej}\) (and never to other oracles) in the ideal world are dummy keys. We say that a transcript \(\phi \) is attainable if the probability of getting this transcript in the ideal world is non-zero. We denote by \(\Phi \) the set of attainable transcripts. We also let \(X_{\textsf {Real}}, X_{\textsf {Ideal}}\) denote the transcript random variables induced by the real world and the ideal world, respectively. Here, we say that an attainable transcript is bad if one of the following conditions holds:

  1. There exist two distinct recipients \(\textsf {id}, \textsf {id}'\) such that \(\textsf {K}_{\textsf {id}} = \textsf {K}_{\textsf {id}'}\).

  2. There exists a symmetric key \(\tilde{\textsf {K}}\) in a query \((\tilde{\textsf {K}}, \tilde{{\textsf{m}}})\) to \(\textsf {Prim}\) and a verification key \(\textsf {K}_{\textsf {id}}\) such that \(\tilde{\textsf {K}} = \textsf {K}_{\textsf {id}}\).

  3. A non-trivial forgery exists, i.e., \(\phi _{\textsf {Vrfy}} = ({\textsf{m}}^*, \tau ^*, b^*)\) with \(b^*=\top \).

We denote by \(\Phi _{bad}\) and \(\Phi _{good}\) the sets of bad transcripts and good transcripts, respectively.

Then, we will upper bound the advantage of the distinguisher by the H-coefficients technique:

Lemma 14

([31]) Let \(\Phi = \Phi _{good} \cup \Phi _{bad}\) be a set of attainable transcripts. If there exists \(\epsilon \) such that for any \(\phi \in \Phi _{good}\), we have

$$\begin{aligned} \frac{\Pr [X_{\textsf {Real} } = \phi ]}{\Pr [X_{\textsf {Ideal} } = \phi ]} \ge 1 - \epsilon , \end{aligned}$$

and that there exists \(\epsilon '\) such that \(\Pr [X_{\textsf {Ideal} } \in \Phi _{bad}] \le \epsilon '\), the advantage of a distinguisher \(\textsf{D} \) then is upper bounded as \(\textsf{Adv} (\textsf{D} ) \le \epsilon + \epsilon '\).

We now show an upper bound on the probability of getting a bad transcript in the ideal world.

Lemma 15

Let \(t\le N\) be the number of recipients appearing in a query to \(\textsf {Auth} \) or \(\textsf {Vrfy} \). For any integer \(q_p\),

$$\begin{aligned} \Pr [X_{\textsf {Ideal} } \in \Phi _{bad}] \le \frac{(2t^2+ t\cdot q_p)}{|{\mathcal {K}}|}. \end{aligned}$$

Proof

First, we consider condition 1. For verification keys \(\textsf {K}_\textsf {id}, \textsf {K}_{\textsf {id}'}\), there are \(\left( {\begin{array}{c}t\\ 2\end{array}}\right) \) possible choices for \(\textsf {id}, \textsf {id}'\), and each pair collides with probability \(1/|{\mathcal {K}}|\). Then, by a union bound, the probability that an attainable transcript satisfies the condition is at most \(\left( {\begin{array}{c}t\\ 2\end{array}}\right) /|{\mathcal {K}}|\).

Next, we consider condition 2. For each query to \(\textsf {Prim}\), the distinguisher selects a symmetric key \(\tilde{\textsf {K}}\) such that \(\tilde{\textsf {K}} = \textsf {K}_\textsf {id}\) for some \(\textsf {id}\) with probability \(\frac{t}{|{\mathcal {K}}|}\). Thus, we can upper bound the probability that condition 2 is satisfied by \(\frac{t\cdot q_p}{|{\mathcal {K}}|}\). Condition 3 trivially never holds in the ideal world. From the above we have

$$\begin{aligned} \Pr [X_{\textsf {Ideal}} \in \Phi _{bad}]&\le \frac{\left( {\begin{array}{c}t\\ 2\end{array}}\right) + t\cdot q_p}{|{\mathcal {K}}|} \\&\le \frac{(2t^2+ t\cdot q_p)}{|{\mathcal {K}}|}. \end{aligned}$$

\(\square \)

Lemma 16

For any good transcript \(\phi \),

$$\begin{aligned} \frac{\Pr [X_{\textsf {Real} } = \phi ]}{\Pr [X_{\textsf {Ideal} } = \phi ]} \ge 1 - \frac{N}{|{\mathcal {T}}|}, \end{aligned}$$

where \(|{\mathcal {S}}| \le N\).

Proof

Let \(\phi = (\phi _{\textsf {Prim}}, \phi _{\textsf {Auth}}, \phi _{\textsf {Vrfy}}, \{\textsf {K}_\textsf {id}\}_{\textsf {id}\in {\mathcal {A}}})\) be a good transcript. When \(\phi \) is good, the keys involved in the game have no non-trivial collisions, hence the outputs of the \(\textsf {Prim}\) oracle are independent of the other oracle responses except for the trivial ones (those queried to both \(\textsf {Prim}\) and \(\textsf {Corr}\)). Moreover, all the responses from \(\textsf {Auth}_o\) are perfectly random except for the trivial overlap of queried \(\textsf {id}\)s. This immediately implies that the probability ratio equals the ratio of the probabilities that \(\textsf {Vrfy}_o\) returns \(\bot \) (i.e., \(b^*=\bot \)), since the other variables in the transcript have identical distributions in both worlds. In the ideal world, the probability of \(b^*=\bot \) is one by definition. In the real world, the random oracle returns a completely random output for any distinct input, and the set of keys involved in the verification query must contain a key distinct from all others by the definition of the bad events and the game definition (that key serves as the distinct input to the random oracle); hence the query is accepted (\(b^*=\top \)) only if the adversary guesses a true tag value, which happens with probability at most \(|{\mathcal {S}}|/|{\mathcal {T}}|\) when the verification query uses the id set \({\mathcal {S}}\), so \(b^*=\bot \) has probability at least \(1 - |{\mathcal {S}}|/|{\mathcal {T}}|\). Therefore, we have

$$\begin{aligned} \frac{\Pr [X_{\textsf {Real}} = \phi ]}{\Pr [X_{\textsf {Ideal}} = \phi ]} =\frac{\Pr _{\textsf {Real}}[b^*= \bot ]}{\Pr _{\textsf {Ideal}}[b^*= \bot ]} \ge 1 - \frac{|{\mathcal {S}}|}{|{\mathcal {T}}|}, \end{aligned}$$

which proves Lemma 16. \(\square \)

Proof of Theorem 8

For the UF-CMA security, by combining Lemmas 14, 15, and 16 we have

$$\begin{aligned} \textsf{Adv}^{\textsf {UF}\text {-}\textsf {CMA}}_{\Pi ^{{\textsf {MAC}}},\textsf{A}}(\kappa ) \le \frac{(2t^2+ t\cdot q_p)}{|{\mathcal {K}}|} +\frac{1}{|{\mathcal {T}}|}, \end{aligned}$$

which concludes the proof.

Next, we consider the Full-ANO-CMA security. Under the assumption that \(\textsf {MAC}.\textsf {Auth}\) is a public random function, when neither kind of key collision occurs (i.e., neither condition 1 nor condition 2 holds), the Full-ANO-CMA security follows, since the tags of the recipients in the symmetric difference \({\mathcal {S}}_0\bigtriangleup {\mathcal {S}}_1\) of a challenge query are completely unpredictable and the permutation \(\sigma \) is chosen uniformly at random for each challenge query. \(\square \)

In addition, we can construct ABA that is UF-CMA secure and ANO-CMA secure by modifying the \(\textsf {Auth}\) and \(\textsf {Vrfy}\) algorithms in the above construction as follows:

  • \(\textsf {Auth}(\textsf {ak}, {\textsf{m}}, {\mathcal {S}})\): Let n be the number of recipients currently participating in the system, and suppose that \(\textsf {vk}_{{\textsf {id}_1}}, \ldots , \textsf {vk}_{{\textsf {id}_n}}\) have been generated by \(\textsf {Join}\) so far. Let \(\textsf {ak}= \{\textsf {K}_\textsf {id}\}_{\textsf {id}\in [N]}\), choose \(x {\mathop {\leftarrow }\limits ^{\textsf {U}}}{\mathcal {R}}\), and compute \(\tau _{\textsf {id}} \leftarrow \textsf {MAC}.\textsf {Auth}(\textsf {K}_\textsf {id}, {\textsf{m}}|| x)\) for all \(\textsf {id}\in {\mathcal {S}}\). Writing \({\mathcal {S}} = \{\textsf {id}_1, \ldots , \textsf {id}_{|{\mathcal {S}}|}\}\) and \(\tau _i := \tau _{\textsf {id}_i}\), choose a random permutation \(\sigma \) from \(\{\sigma _i:[|{\mathcal {S}}|] \rightarrow [|{\mathcal {S}}|]\}_{i \in \{0,1\}^{\kappa }}\); the authenticator is

    $$\begin{aligned} \textsf {cmd}_{{{\mathcal {S}}}} := ({\textsf{m}}, x, \tau _{\sigma (1) }, \ldots , \tau _{\sigma (|{\mathcal {S}}|)}). \end{aligned}$$
  • \(\textsf {Vrfy}(\textsf {vk}_{{\textsf {id}}},\textsf {cmd}_{{{\mathcal {S}}}})\): Let \(\textsf {vk}_{{\textsf {id}}} = \textsf {K}_\textsf {id}, \textsf {cmd}_{{{\mathcal {S}}}} = ({\textsf{m}}, x, \tau _1, \ldots , \tau _{|{\mathcal {S}}|})\). Do the following two steps from \(j:= 1\).

    • Run \(\textsf {MAC}.\textsf {Vrfy}(\textsf {K}_\textsf {id}, \tau _j, {\textsf{m}}|| x)\) and if its output is \(\top \), return \({\textsf{m}}\) and halt; otherwise, go to the second step.

    • If \(j = |{\mathcal {S}}|\), return \(\perp \) and halt; otherwise, do the first step with \(j:= j + 1\).

Theorem 9

Assume that \(\textsf {MAC}.\textsf {Auth} \) is a public random function. If \(\Pi ^{\textsf {MAC} }\) is UF-CMA secure, the above construction is UF-CMA secure and ANO-CMA secure.

Proof

As in Theorem 8, we can prove that the above scheme meets UF-CMA security. Also, ANO-CMA security can be shown in a similar way to Theorem 8. Note that leaking the number of designated recipients \(|{\mathcal {S}}|\) does not affect ANO-CMA security, thanks to the condition \(|{\mathcal {S}}_0| =|{\mathcal {S}}_1|\) in \(\textsf{Exp}^{\textsf {ANO}\text {-}\textsf {CMA}}_{\Pi ^{\textsf {ABA}},\textsf{A}}(\kappa ,N)\). \(\square \)

Here, by the same discussion as in Sect. 5, from the above constructions and the asymptotic lower bounds in Sect. 7, we show lower bounds on the authenticator-size in (Full)-ANO-BA.

Theorem 10

If ABA \(\Pi ^{\textsf {ABA} }\) with properties shown in Sects. 6.3 and 7 is Full-ANOat-CMA secure, a non-asymptotic lower bound on the authenticator-size with any recipient set \({\mathcal {S}}\subseteq {\mathcal {I}}{\mathcal {D}}\) is \(N\cdot \kappa +o(N\cdot \kappa )\), and our Full-ANO-BA scheme attains the lower bound tightly, which is optimal.

Theorem 11

If ABA \(\Pi ^{\textsf {ABA} }\) with properties shown in Sects. 6.3 and 7 is ANOat-CMA secure, a non-asymptotic lower bound on the authenticator-size with any recipient set \({\mathcal {S}}\subseteq {\mathcal {I}}{\mathcal {D}}\) is \(|{\mathcal {S}}|\cdot \kappa +o(|{\mathcal {S}}|\cdot \kappa )\), and our ANO-BA scheme attains the lower bound tightly, which is optimal.

9 Conclusion

We analyzed an efficiency limit of anonymous Broadcast Encryption (BE), a cryptosystem realizing basic access control. Specifically, we derived an asymptotic lower bound on the ciphertext size in BE with anonymity (Anonymous BE), assuming only properties that most existing (Full-)ANO-BE schemes satisfy. Our lower bounds can be applied to the existing (Full-)ANO-BE schemes, whereas those of Kiayias and Samari [20] are hard to apply. As a result, we showed that the existing ANO-BE schemes achieve the optimal ciphertext size. We further showed that our analysis can be extended to the authentication setting. Specifically, we first derived asymptotic lower bounds on the authenticator size required for anonymous broadcast authentication (ABA).

Furthermore, we extended the above result to derive non-asymptotic lower bounds on the ciphertext size in (Full-)ANO-BE, by proposing an optimal construction based on Li and Gong’s ANO-BE scheme [24]. In addition, we applied the same analysis to ABA, and proposed an optimal construction of ABA to show non-asymptotic lower bounds on the authenticator size in ABA.