Tight lower bounds and optimal constructions of anonymous broadcast encryption and authentication

Broadcast Encryption (BE) is public-key encryption allowing a sender to encrypt a message by specifying recipients, so that only the specified recipients can decrypt the message. In several BE applications, the privacy of the recipients allowed to access the message is often as important as the confidentiality of the message, so anonymity is introduced as an additional but important security requirement for BE. Kiayias and Samari (IH 2013) presented an asymptotic lower bound on the ciphertext sizes in BE schemes satisfying anonymity (ANO-BE for short). More precisely, their lower bound is derived under the assumption that ANO-BE schemes have a special property. However, this is insufficient to show that their lower bound is asymptotically tight, since it is unclear whether existing ANO-BE schemes meet the special property. In this work, we derive asymptotically tight lower bounds on the ciphertext size in ANO-BE by assuming only properties that most existing ANO-BE schemes satisfy. With a similar technique, we first derive asymptotically tight lower bounds on the authenticator sizes in Anonymous Broadcast Authentication (ABA). Furthermore, we extend the above result and present (non-asymptotically) tight lower and upper bounds on the ciphertext sizes in ANO-BE. We show that a variant of the ANO-BE scheme proposed by Li and Gong (ACNS 2018) is optimal. We also provide tight bounds on the authenticator sizes in ABA via the same approach as for ANO-BE, and propose an optimal construction for ABA.

cute it. For example, the systems manager can bring IoT devices infected with malware to a halt remotely and securely. Moreover, the anonymity of ABA guarantees that authenticators do not reveal any information on which devices are designated, which is sensitive information (see [37] for details). In this work, we also give an analysis of the authenticator sizes required for ABA, though we mainly focus on Anonymous BE.

Ciphertext size of anonymous BE
Previous work [3,20,24,25] has presented several Anonymous BE schemes whose ciphertext size grows linearly with the number of designated recipients or with the number of all recipients. Specifically, the ciphertext sizes of the ANO-BE schemes are O(|S| · κ) and those of the Full-ANO-BE schemes are O(N · κ), where |S| and N are the numbers of designated recipients and of all recipients in the system, respectively, and κ is a security parameter. Therefore, these constructions establish upper bounds on the ciphertext-sizes of Anonymous BEs.
On the other hand, Kiayias and Samari [20] investigated lower bounds on the ciphertext-sizes of Anonymous BEs (i.e., ANO-BE and Full-ANO-BE). In particular, they showed that the ciphertext-sizes are required to be (|S| · κ) for ANO-BE and (N · κ) for Full-ANO-BE, for a limited class of (Anonymous) BE, and listed several BE schemes in [3,25,30] that belong to the class.

Previous work and its issue
We emphasize that Kiayias and Samari implicitly assumed a special property of BE schemes in their main theorem [20, Theorem 1]. More precisely, what they proved is "if a BE scheme is anonymous and has the special property, then the lower bound holds." However, it is hard to check whether the existing Anonymous BEs in the limited class (e.g., [3,20,25]) meet the property (see Sect. 1.2 for details), so it is not clearly shown that their lower bound on the ciphertext-sizes is asymptotically tight.

Our contributions
Asymptotically tight lower bounds
In this paper, assuming only properties that most existing (Anonymous) BE schemes have, we show that asymptotic lower bounds on the ciphertext size for ANO-BE and Full-ANO-BE are (|S| · κ) and (N · κ), respectively. Our lower bounds are asymptotically tight since they are applicable to the existing Anonymous BE schemes, while Kiayias and Samari's are not. Our results also show that it is impossible to modify existing non-Anonymous BE schemes to meet anonymity unless their ciphertext size meets our lower bound, since the properties we assume also apply to existing (even non-Anonymous) BE schemes.
We derive the lower bounds by extending Kiayias and Samari's approach [20]: they considered Atomic BE (AtBE), which allows each ciphertext and decryption key to be explicitly divided into multiple sub-elements, called atomic ciphertexts and atomic decryption keys, respectively; AtBE covers several BE schemes in [3,25,30]. They then showed lower bounds on the number of atomic ciphertexts in anonymous AtBE schemes instead of deriving lower bounds on the ciphertext-sizes directly. However, in the proof, they implicitly assumed a special property of AtBE schemes which is hard to apply to the existing schemes.
To provide the lower bounds without the special property, we modify Kiayias and Samari's strategy as follows. First, we extract several properties of existing BE schemes with which a lower bound can be derived without the special property. Also, to formalize these properties, we modify Kiayias and Samari's AtBE, which was given only an informal syntax in [20]. Note that our AtBE covers a broad range of (both Anonymous and non-Anonymous) BE schemes [1-3, 6, 15, 16, 24, 25, 30, 38]. We then provide lower bounds on the number of atomic ciphertexts in our AtBE with anonymity.
We summarize the differences between Kiayias and Samari's analysis and ours below.
• We assume several properties that most of the existing BE schemes have. To describe them formally, we give a formal syntax of AtBE, whereas Kiayias and Samari considered an informal one.
• Our lower bounds hold for most of the previous Anonymous BEs (i.e., the BE schemes in [3,24,25]), since we only assume properties common to them. On the other hand, it is unclear whether the special property implicitly assumed in [20] holds for these BE schemes.
Note that our syntax of AtBE and properties cannot be trivially obtained from Kiayias and Samari's results.
We also present lower bounds on the authenticator size required for ABA by taking a similar approach to the one for ANO-BE. Our lower bounds on the authenticator size are (|S| · κ) and (N · κ) for BA with anonymity (ANO-BA) and with full anonymity (Full-ANO-BA), respectively. These are asymptotically tight, as there exist concrete ABA schemes proposed in [37] that meet our lower bounds on the authenticator size. There are several broadcast authentication protocols [7,32,33], including TESLA [34], with constant-sized authenticators. We cannot give a fair efficiency comparison between them and ABA, since the existing protocols aim to broadcast information to all receivers and do not allow a sender to choose an arbitrary subset of receivers. Nevertheless, as in Anonymous BE, our results seem to show that anonymity notions require large authenticator overheads depending on the number of designated or all recipients.

(Non-asymptotically) tight upper bounds and lower bounds
In this work, we further aim to derive (non-asymptotically) tight upper bounds and lower bounds in Anonymous BE. First, we show that upper bounds on the ciphertext-size for ANO-BE and Full-ANO-BE are |S| · κ + o(|S| · κ) and N · κ + o(N · κ), respectively. Throughout this paper, we call a scheme optimal if the coefficient of the dominant term in the ciphertext-size is one. Li and Gong [24] proposed an optimal ANO-BE scheme whose ciphertext-size is (|S| + 6) · κ. On the other hand, no optimal Full-ANO-BE scheme exists. The only explicitly described Full-ANO-BE scheme is Libert et al.'s [25], and its ciphertexts have size N · |pke.ct| + |σ|. Since, to the best of our knowledge, any ciphertext in IND-CCA secure PKE must have size at least 2 · κ, the most efficient Full-ANO-BE scheme in terms of ciphertext-size has ciphertexts of size 2N · κ + |σ|. In this paper, we propose a Full-ANO-BE scheme whose ciphertext-size is (N + 6) · κ, based on Li and Gong's ANO-BE scheme [24].
From our Full-ANO-BE scheme and the ANO-BE scheme in [24], we obtain that the ciphertext-sizes in ANO-BE and Full-ANO-BE are upper bounded by |S| · κ + o(|S| · κ) and N · κ + o(N · κ), respectively. A comparison of the ciphertext-size is given in Table 1.
We also show that lower bounds on the ciphertext-size for ANO-BE and Full-ANO-BE are |S| · κ + o(|S| · κ) and N · κ + o(N · κ), respectively. In computationally secure cryptographic constructions, especially algebraic ones, the coefficient of the dominant term in the ciphertext-size is greater than or equal to 1, since each parameter depends on the number of group elements (see, for example, [39]). Therefore, the coefficient of the dominant term in our asymptotic lower bounds can also be regarded as 1 or higher. Then, from the above upper bounds and the asymptotic lower bounds, we also show that the ciphertext-sizes for ANO-BE and Full-ANO-BE are lower bounded by |S| · κ + o(|S| · κ) and N · κ + o(N · κ), respectively.
In addition, we apply a similar discussion to anonymous broadcast authentication (ABA). In this paper, we propose optimal constructions of ABA with anonymity and with full anonymity, respectively. Table 2 shows a comparison of the authenticator size. Finally, via the same analysis as for ANO-BE, we show that the lower bounds and upper bounds on the authenticator size for ABA satisfying anonymity and full anonymity are |S| · κ + o(|S| · κ) and N · κ + o(N · κ), respectively.

Table 1 A comparison of the ciphertext-size between (Full-)ANO-BE schemes

  Scheme | |ct_S|                    | Security
  [24]   | (|S| + 6) · κ             | Anonymity
  [25]   | N · |pke.ct| + |ots.sig|  | Full-anonymity
  Ours   | (N + 6) · κ               | Full-anonymity

Let |S| and N be the size of a recipient set S and the number of all users in the system, respectively. |pke.ct| and |ots.sig| denote the ciphertext-size of an IND-CCA secure PKE and the signature-size of an sUF-CMA secure one-time signature, respectively. Note that Libert et al.'s scheme [25, Sect. 3.1] meets Full-Anonymity, though the original paper [25] only mentioned that it satisfies Anonymity.

Table 2 A comparison of the authenticator size between ABA schemes

  Scheme | |cmd_S|         | Security
  [37]   | (2|S| + 2) · κ  | Anonymity
  Ours   | (|S| + 2) · κ   | Anonymity
  [37]   | (2N + 2) · κ    | Full-anonymity
  Ours   | (N + 2) · κ     | Full-anonymity

Let |S| and N be the size of a recipient set S and the number of all users in the system, respectively.

Differences from the conference paper [22]
This paper is an extended version of the conference version [22]. First, since the proof of Lemma 1 in the conference version [22] has a fatal flaw, we revisit the way the lower bounds are proved. Specifically, we restate the lemma (see Lemma 2 in Sect. 4) in a computational-security sense, i.e., no probabilistic polynomial-time adversary can find secret keys that fulfil a certain condition, while the lemma in [22] deals with adversaries with unbounded computational power.
Second, we additionally show (non-asymptotically) tight lower bounds and upper bounds, while the conference version [22] covers only asymptotically tight lower bounds.

Technical overview
Kiayias and Samari's approach [20]
Kiayias and Samari provided a lower bound on the number of sub-elements in a BE ciphertext, not on the bit length of the ciphertexts. To make it easier to deal with the sub-elements, they introduced AtBE, where ciphertexts and decryption keys are composed of atomic ciphertexts and atomic decryption keys. In more detail, a ciphertext ct_S consists of ρ atomic ciphertexts ct_S^(1), . . . , ct_S^(ρ), and a decryption key for a recipient id consists of τ atomic decryption keys sk_id^(1), . . . , sk_id^(τ). If the recipient id is included in S, there exists at least one pair of an atomic ciphertext ct_S^(θ) and an atomic decryption key sk_id^(γ) that produces the message m (i.e., ct_S^(θ) can be decrypted with sk_id^(γ)). They then analyzed a lower bound on the number of atomic ciphertexts in any anonymous AtBE scheme. More specifically, they showed in [20, Theorem 2] that "for any AtBE scheme, if there exists a set S such that the number of atomic ciphertexts in ct_S is smaller than |S|, then there is a successful adversary against anonymity for the AtBE scheme." However, the following property was implicitly assumed for AtBE in their proof. Namely, what they indeed proved is "for any AtBE scheme, if Assumption 1 holds (i.e., the AtBE scheme has the above property) and there exists a set S such that the number of atomic ciphertexts in ct_S is less than |S|, then there is an adversary which can break (full) anonymity for the AtBE scheme." However, it is difficult to check whether the above property holds for the Anonymous BE schemes: in any existing Anonymous BE [3,20,24,25], a situation where "two recipients id, id′ ∈ S decrypt the same atomic ciphertext ct_S^(θ) contained in ct_S" never occurs. Here, the contraposition of their theorem is "for any AtBE scheme, if it satisfies (full) anonymity, then Assumption 1 does not hold, or the number of atomic ciphertexts in ct_S is greater than or equal to |S| for every privileged set S."
In other words, the lower bound holds only if an AtBE scheme satisfies anonymity and Assumption 1 holds. For this reason, their proof is insufficient to show that their lower bound is asymptotically tight, since it is unclear whether Assumption 1 holds for existing (Anonymous) BE schemes. Note that the special property may not be removed from their proof trivially, since it is what enables their attacker to break (full) anonymity for the AtBE scheme.

Our approach
We avoid the problem by developing Kiayias and Samari's analysis further. We consider other properties common to existing (Anonymous) BE schemes and derive a lower bound from them instead of the special property. To do so, we newly give a formal definition of AtBE so that these properties can be described formally, while Kiayias and Samari only presented AtBE informally. Our AtBE allows a public key pk to be divided into several sub-elements, called atomic public keys pk^(1), . . . , pk^( ), as well as a ciphertext and a secret key. It also has Enc and Dec, which are the same as those of BE, and Enc-at and Dec-at algorithms that represent the encryption and decryption procedures for each atomic ciphertext inside the Enc and Dec algorithms of BE, respectively. In Enc-at, multiple atomic public keys {pk^(δ)}_{δ∈ } are used to generate an atomic ciphertext ct_{S,id} corresponding to a recipient id in S, where ⊆ . In Dec-at, an atomic ciphertext ct_{S,id} is decrypted using multiple atomic decryption keys {sk
Note that almost all (even non-Anonymous) BE schemes [1-3, 5, 6, 15, 16, 20, 24, 25, 30, 38] indeed have these algorithms inside Enc and Dec. We then formalize the following four properties of our AtBE:
1. When a ciphertext has an intended recipient set S, any recipient in S can obtain the underlying message by decrypting at least one of the corresponding atomic ciphertexts.
2. A triplet of a recipient, a recipient set, and a message (id, S, m) uniquely determines the minimum subset of atomic public keys required to generate an atomic ciphertext ct_{S,id}.
3. A pair of a recipient and a recipient set (id, S) uniquely determines the minimum subset of atomic decryption keys required to decrypt a (correctly generated) atomic ciphertext ct_{S,id}.
4. If two atomic ciphertexts ct_{S,id} and ct_{S,id′} are identical, then the two corresponding minimum subsets of atomic public keys generating ct_{S,id} and ct_{S,id′} are also identical.
In Sect. 3.2, we show that most existing BE schemes satisfy the above four properties. Next, we explain how to derive a lower bound on ciphertext-sizes in Anonymous BE with those properties. In our approach, we derive a necessary condition for AtBE schemes with the properties to meet (full) anonymity, while Kiayias and Samari directly prove the contraposition of "if an AtBE scheme is (fully) anonymous, then the lower bound holds". Roughly speaking, we show the following necessary condition:
Lemma 2 (Informal, see Sect. 4) Suppose an AtBE scheme satisfies the four properties, and fix an arbitrary recipient set S and an arbitrary ciphertext ct_S. Then, though some atomic decryption keys might overlap among the recipients in S, the minimum subsets of atomic decryption keys used to decrypt ct_S are different for all designated recipients.
We then prove that "for any AtBE scheme, if the lower bound does not hold, then the necessary condition does not hold either (i.e., the AtBE does not meet anonymity)". See Theorem 1 in Sect. 4 for the formal statement. Here, instead of Assumption 1, we assume the following property, which most Anonymous BEs [3,24,25] have, to prove Theorem 1:
Assumption 2 For any S ⊂ ID, any id ∈ S, and any m, let pk be a subset of atomic public keys that produces ct_{S,id} ← Enc-at(pk, S, m, id). Then, pk uniquely determines the minimum subset of atomic decryption keys required to decrypt ct_{S,id}.
Note that, unlike Assumption 1, one can easily check that Assumption 2 holds for all existing Anonymous BEs [3,24,25]. Also, we treat the above property as an assumption since it does not hold for most existing non-Anonymous BE schemes. Finally, we prove that for any AtBE scheme that satisfies the four properties and Assumption 2, if there exists a set S such that the number of atomic ciphertexts in ct_S is smaller than |S|, then this contradicts the necessary condition (Lemma 3 in Sect. 4).

Notations
For every natural number n ∈ N, {1, . . . , n} is denoted by [n]. For a finite set X, we denote by |X| the cardinality of X. For finite sets X, Y, let X Y be the symmetric difference X Y := (X \ Y) ∪ (Y \ X). For any finite set X and any natural number N ∈ N, let 2^X_{≤N} := {Y ⊂ X | |Y| ≤ N} be the family of subsets of X whose cardinality is at most N (i.e., a part of the power set of X). For any algorithm A, out ← A(in) means that A takes in as input and outputs out. For any set X, if we write x ←U X, x is chosen uniformly at random from X. For any distribution D, if we write d ←U D, d is chosen uniformly at random from D, which is uniform over some set. Throughout the paper, we denote the security parameter by κ and consider probabilistic polynomial-time (PPT) algorithms. For any element x ∈ {0, 1}*, let |x| be the number of bits of x. We say a positive-valued function negl(·) is negligible if for any polynomial poly(·) there exists some constant κ_0 such that negl(κ) < 1/poly(κ) for all κ ≥ κ_0.

Prime order bilinear groups and cryptographic assumption
Prime-order group
A group generator GGen is a PPT algorithm which takes a security parameter 1^κ as input and outputs a description G := (p, G, g). Here G is a finite cyclic group of prime order p and g is a random generator of G. For a ∈ Z_p and a matrix A = (a_ij) ∈ Z_p^{m×n}, we define the implicit representation [9] as [a] := g^a ∈ G and [A] := (g^{a_ij}) ∈ G^{m×n}.

Prime-order bilinear groups
A group generator PGGen is a PPT algorithm which takes a security parameter 1^κ as input and outputs a description PG := (p, G_1, G_2, G_T, e, g_1, g_2) of bilinear groups. Here G_1, G_2, G_T are finite cyclic groups of prime order p and e : G_1 × G_2 → G_T is a (non-degenerate, efficiently computable) bilinear map. g_1 ∈ G_1 and g_2 ∈ G_2 are random generators of G_1 and G_2, and g_T := e(g_1, g_2) is a generator of the group G_T. The bilinear map e is called symmetric in the case G_1 = G_2, and asymmetric in the case G_1 ≠ G_2. In the symmetric case, we let the description be PG := (p, G, G_T, e, g), where e : G × G → G_T. In this paper, unless otherwise noted, we consider the case G_1 = G_2. For a ∈ Z_p, we define the implicit representation [9] as [a]_s := g_s^a ∈ G_s, where s ∈ {1, 2, T}. We let e([A]_1, [B]_2) := [AB]_T for matrices A and B when the multiplication is well-defined.

Cryptographic assumptions
For any k ∈ N, we call D_k a matrix distribution if it outputs full-rank matrices in Z_p^{(k+1)×k} in polynomial time. We assume that for all A ←U D_k, the first k rows of A form an invertible matrix.
We will use the D_k-Matrix Diffie-Hellman (D_k-MDDH) assumption [9] and the D_k-Kernel Matrix Diffie-Hellman (D_k-KerMDH) assumption [29] to construct our Full-ANO-BE scheme. As discussed in [9] and [29], these assumptions are known to be standard and reasonable, and are widely used to construct PKE [13,14,18,26] and IBE [4,17,19,23]. They are also used in [24] in the context of Anonymous Broadcast Encryption.
Assumption 1 (D_k-MDDH) [9] We say that the D_k-Matrix Diffie-Hellman assumption holds relative to GGen if, for any PPT algorithm A, the following advantage function is negligible in κ.
Adv mddh
[29] Let s ∈ {1, 2}. We say that the D_k-Kernel Matrix Diffie-Hellman assumption holds relative to PGGen if, for any PPT algorithm A, the following advantage function is negligible in κ.

Cryptographic primitives
Symmetric key encryption
A symmetric key encryption (SKE) scheme with a key space K consists of two algorithms SKE = (E, D):
• c ← E_K(m): the encryption algorithm generates a ciphertext c of the message m under the secret key K ∈ K. Here, K is the secret key space.
Correctness For all K ∈ K and all messages m, we have D_K(E_K(m)) = m with overwhelming probability.
Definition 1 (Semantic Security) An SKE scheme is semantically secure if, for every PPT adversary A, the following advantage function is negligible in κ.

Adv se
Furthermore, we require the symmetric encryption to be key-binding [12]. Namely, for any message m and any secret key K ∈ K, there exists no key K′ ∈ K such that K′ ≠ K and D_{K′}(E_K(m)) ≠ ⊥.

Collision-resistant hash function
Let H be a family of hash functions H : X → Y. Here, X := X_κ and Y := Y_κ are finite sets. H is said to be collision-resistant if, for every PPT algorithm A, the following advantage function is negligible in κ.

Message authentication code
Correctness For all κ ∈ N, all K ← MAC.Gen(1^κ) and all messages m ∈ M, we have MAC.Vrfy(K, MAC.Auth(K, m)) → with overwhelming probability.
We define unforgeability against chosen message attack (UF-CMA) in a multi-key setting [28]. Let A be any PPT adversary against UF-CMA security. We consider an experiment Exp^UF-CMA_{MAC,A}(κ) between a challenger C and A as follows.
Exp^UF-CMA_{MAC,A}(κ): C runs MAC.Gen(1^κ) to get (K_1, . . . , K_(κ)). Let M, I be empty sets and flag be a flag, initialized as 1. M denotes the set of authentication queries (id, m) made so far, and I the set of indexes used for key derivation queries.
• Authentication Query: A may adaptively issue a query (id, m) ∈ (κ) × M to the Authentication Oracle Auth; Auth returns τ ← MAC.Auth(K_id, m) and adds (id, m) to M.
• Key Derivation Query: A may adaptively issue a query id ∈ (κ) to the Key Derivation Oracle Corr; Corr returns K_id and adds id to I.
• Verification Query: Finally, A issues a verification query (m*, τ*, id*) to the Verification Oracle Vrfy. At this point, if id* ∈ I or (id*, m*) ∈ M or ⊥ ← MAC.Vrfy(K_id*, τ*, m*) holds, then C sets flag := 0. For simplicity, A is restricted to issue this query only once.
At some point (right after the verification query, without loss of generality), A terminates the experiment, and C sets flag as the output of Exp^UF-CMA_{MAC,A}(κ).
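To see why key-binding matters in the anonymous setting, here is an added Python example, constructed for this page and not code from the paper or from [12]. The recipient of an anonymous ciphertext is not told which atomic ciphertext is addressed to it, so it has to recognise its own component by trial decryption; a key-binding SKE makes that trial unambiguous because decryption under any K′ ≠ K returns ⊥. The example builds an encrypt-then-MAC SKE from HMAC-SHA256 (key-binding up to a negligible tag-collision probability), contrasts it with the same keystream cipher without the tag (not key-binding), and runs trial decryption over a bundle of atomic ciphertexts. The names E, D, E_plain, D_plain, trial_decrypt, demo and gen_key, and the 16-byte nonce and 32-byte key and tag sizes, are assumptions of the example.

```python
import hashlib
import hmac
import os
from typing import List, Optional

NONCE_BYTES = 16
TAG_BYTES = 32          # HMAC-SHA256 output; plays the role of the κ-bit tag (example value)


def gen_key() -> bytes:
    """Sample a key uniformly from the key space K = {0,1}^256 (constructed parameter)."""
    return os.urandom(32)


def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separate the keystream key and the tag key derived from one SKE key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF keystream (example construction).
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def E(key: bytes, m: bytes) -> bytes:
    """Key-binding SKE: nonce || (m XOR keystream) || HMAC tag over (nonce, c).
    Only the key that produced the tag verifies it, so D under any K' != K returns None (⊥)."""
    nonce = os.urandom(NONCE_BYTES)
    c = _xor(m, _keystream(_subkey(key, b"enc"), nonce, len(m)))
    tag = hmac.new(_subkey(key, b"mac"), nonce + c, hashlib.sha256).digest()
    return nonce + c + tag


def D(key: bytes, ct: bytes) -> Optional[bytes]:
    if len(ct) < NONCE_BYTES + TAG_BYTES:
        return None
    nonce, c, tag = ct[:NONCE_BYTES], ct[NONCE_BYTES:-TAG_BYTES], ct[-TAG_BYTES:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + c, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                       # ⊥: wrong key (or tampered ciphertext)
    return _xor(c, _keystream(_subkey(key, b"enc"), nonce, len(c)))


def E_plain(key: bytes, m: bytes) -> bytes:
    """The same keystream cipher without the tag: NOT key-binding."""
    nonce = os.urandom(NONCE_BYTES)
    return nonce + _xor(m, _keystream(_subkey(key, b"enc"), nonce, len(m)))


def D_plain(key: bytes, ct: bytes) -> bytes:
    # Never returns ⊥: a wrong key silently yields a wrong plaintext.
    nonce, c = ct[:NONCE_BYTES], ct[NONCE_BYTES:]
    return _xor(c, _keystream(_subkey(key, b"enc"), nonce, len(c)))


def trial_decrypt(key: bytes, atomic_cts: List[bytes]) -> Optional[bytes]:
    """Recipient-side routine for an anonymous ciphertext: the recipient is not told
    which atomic ciphertext is addressed to it, so it tries each one and keeps the
    first that decrypts. Key-binding makes this outcome unambiguous."""
    for ct in atomic_cts:
        m = D(key, ct)
        if m is not None:
            return m
    return None


def demo() -> dict:
    """Constructed check: two recipients with one atomic ciphertext each, plus an outsider."""
    k1, k2, k_other = gen_key(), gen_key(), gen_key()
    bundle = [E(k1, b"msg-for-recipient-1"), E(k2, b"msg-for-recipient-2")]
    plain_ct = E_plain(k1, b"msg-for-recipient-1")
    return {
        "recipient_1": trial_decrypt(k1, bundle),
        "recipient_2": trial_decrypt(k2, bundle),
        "outsider": trial_decrypt(k_other, bundle),          # ⊥ for every component
        "wrong_key_rejected": D(k2, bundle[0]) is None,
        # without key-binding a wrong key yields garbage instead of ⊥, so a recipient
        # cannot tell which atomic ciphertext was meant for it
        "plain_wrong_key_is_garbage": D_plain(k2, plain_ct) not in (None, b"msg-for-recipient-1"),
    }
```

The contrast in demo is the point: with E/D, a recipient's key either opens exactly its own atomic ciphertext or rejects everything, which is the behaviour an anonymous ciphertext needs when it carries no index telling a recipient where its component is; with E_plain/D_plain every key "decrypts" every component, so the recipient could not identify its own.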

Core Lemma
We will use the core lemma [21], which was originally used to prove adaptive soundness of quasi-adaptive non-interactive zero-knowledge (QANIZK) proofs, to prove security of our Full-ANO-BE scheme in Sect. 5. We review a slightly simplified version of the core lemma below since it is sufficient for our purpose.
Lemma 1 (Core lemma [21]) Let k ∈ N. For any A, B ∈ Z_p^{(k+1)×k} and any (possibly unbounded) adversary A, we have . . . , a_k) means the span of the vectors a_1, . . . , a_k, and A can issue α* ∈ Z_p to the oracle O, which returns X + α* · Y, only once.

Broadcast encryption
We define Broadcast Encryption (BE) and its security notions based on [25,37]. In this paper, we assume that the maximum number of recipients N in BE is determined at the time of setup and that an arbitrary set of recipients can be specified at the time of encryption.
Syntax A BE scheme BE consists of four algorithms (Setup, Join, Enc, Dec).
1. (mk, pk) ← Setup(1^κ, N): a probabilistic setup algorithm. It takes a security parameter 1^κ and the maximum number of recipients N ∈ N as input, and outputs a master secret key mk and a public key pk.
2. sk_id ← Join(mk, id): a decryption key generation algorithm. It takes mk and an identifier id ∈ ID as input, and outputs a decryption key sk_id for id. Here, ID is the set of all possible identifiers, and |ID| := poly(κ) for some polynomial poly(·).
3. ct_S ← Enc(pk, m, S; r): an encryption algorithm. It takes pk, a message m ∈ M, randomness r ∈ R, and a privileged set S ⊆ ID as input, and outputs a ciphertext ct_S ∈ CT, where M is the message space, CT is the ciphertext space and R is the randomness space. It is also possible to omit r from the input.
4. m ← Dec(sk_id, ct_S): a decryption algorithm. It takes sk_id and ct_S as input, and outputs m ∈ M ∪ {⊥}.
To describe properties of the existing Anonymous BE schemes, we regard Join as a deterministic algorithm in this paper. (This does not affect our analysis, since we can convert any probabilistic Join algorithm into a deterministic one by using a pseudo-random function.)
Correctness For all κ, N ∈ N, all (mk, pk) ← Setup(1^κ, N), all m ∈ M, all r ∈ R, all S ⊆ ID such that |S| ≤ N, and all id ∈ S, we have m ← Dec(Join(mk, id), Enc(pk, m, S; r)) with overwhelming probability.
(κ, N) between a challenger C and A as follows.
and randomly chooses b ∈ {0, 1}. Let D, CD be empty sets. D denotes the set of recipients currently participating in the protocol, and CD the set of identifiers of recipients from which A obtained its decryption key. A may adaptively issue the following queries to C.
• Key-generation Query: Upon a query id ∈ ID from A, C adds id to D and generates sk_id ← Join(mk, id). Note that A obtains nothing, and that A is allowed to make this query at most N times.
• Corruption Query: Upon a query id ∈ D from A, C adds id to CD and returns sk_id to A.
and returns ct_S to A. A is allowed to make this query only once.
The third and fourth conditions are intended to prevent the trivial attack when the decryption key of a user id ∈ S_0 S_1 is corrupted. We also define IND-CCA with an experiment Exp^IND-CCA_{BE,A}(κ, N), which is the same as N), except for the following additional condition in the restriction for the challenge query: S_0 = S_1.
Also, (Full-)ANO-CCA can be defined with experiments Exp^ANO-CCA_{BE,A}(κ, N) and
Definition 5 ((Full-)ANO-CCA) We say BE is X-CCA secure (X ∈ {Full-ANO, ANO}) if for any PPT adversary A, for all sufficiently large κ ∈ N and all N ∈ N, it holds that

Anonymous broadcast authentication
We define Anonymous Broadcast Authentication (ABA) and its security notions based on [37].
Syntax An Anonymous Broadcast Authentication scheme ABA consists of four algorithms (Setup, Join, Auth, Vrfy).
1. ak ← Setup(1^κ, N): a probabilistic setup algorithm. It takes a security parameter 1^κ and the maximum number of recipients N ∈ N as input, and outputs an authentication key ak.
2. vk_id ← Join(ak, id): a verification key generation algorithm. It takes ak and an identifier id ∈ ID as input, and outputs a verification key vk_id for id. Here, ID is the set of all possible identifiers, and |ID| := poly(κ) for some polynomial poly(·).
3. cmd_S ← Auth(ak, m, S; r): an authentication algorithm. It takes ak, a message m ∈ M, randomness r ∈ R, and a privileged set S ⊆ ID as input, and outputs an authenticator cmd_S, where M is the message space and R is the randomness space. It is also possible to omit r from the input.
4. m/⊥ ← Vrfy(vk_id, cmd_S): a verification algorithm. It takes vk_id and cmd_S as input, and outputs m ∈ M (accept) or ⊥ (reject).
To describe properties of the existing ABA scheme, we regard Join as a deterministic algorithm in this paper.
, Auth(ak, m, S)) holds with overwhelming probability. Otherwise, ⊥ ← Vrfy(Join(ak, id), Auth(ak, m, S)) holds with overwhelming probability.
Unforgeability We define unforgeability against chosen message attack (UF-CMA) for ABA. Let A be any PPT adversary against UF-CMA security. We consider an experiment Exp^UF-CMA_{ABA,A}(κ, N) between a challenger C and A.
Exp^UF-CMA_{ABA,A}(κ, N): C runs Setup(1^κ, N) to get ak. Let D, CD, M_a, M_v be empty sets and flag be a flag, initialized as 0. D denotes the set of recipients currently participating in the protocol, and CD the set of identifiers of recipients from which A obtained its verification key. M_a and M_v denote the sets of messages used for authentication queries and verification queries, respectively. A may adaptively issue the following queries to C.
• Key-generation Query: Upon a query id ∈ ID from A, C adds id to D and generates vk_id ← Join(ak, id). Note that A obtains nothing, and that A is allowed to make this query at most N times.
• Corruption Query: Upon a query id ∈ D from A, C adds id to CD and returns vk_id to A.
• Authentication Query: Upon a query (m, S) ∈ M × 2^D_{≤N} from A, C adds m to M_a, and returns cmd_S ← Auth(ak, m, S) to A if m has not been used for a verification query (m ∉ M_v).
• Verification Query: Upon a query (m, S, cmd_S) ∈ M × 2^D_{≤N} × T from A, C runs Vrfy(vk_id, cmd_S) and returns its output to A. C adds m to M_v. If there exists at least one user id ∈ S such that all of the following conditions hold, then C sets flag := 1: A is allowed to make this query only once.
At some point (right after the verification query, without loss of generality), A terminates the experiment, and C sets flag as the output of Exp^UF-CMA_{ABA,A}(κ).
Definition 6 (Unforgeability) We say ABA is UF-CMA secure if for any PPT adversary A, for all sufficiently large κ ∈ N and all N ∈ N, it holds that Adv UF-
Anonymity We define two kinds of anonymity for ABA: full anonymity (Full-ANO-CMA) and anonymity (ANO-CMA). In this paper, we denote ABA with anonymity and ABA with full anonymity by ANO-BA and Full-ANO-BA, respectively. Let A be any PPT adversary against Full-ANO-CMA security. We consider an experiment Exp Full-ANO-CMA to get ak and randomly chooses b ∈ {0, 1}. Let D, CD, M_a be empty sets. D denotes the set of recipients currently participating in the protocol, and CD the set of identifiers of recipients from which A obtained its verification key. M_a denotes the set of messages used for authentication queries. A may adaptively issue the following queries to C.
• Key-generation Query: Upon a query id ∈ ID from A, C adds id to D and generates vk_id ← Join(ak, id). Note that A obtains nothing, and that A is allowed to make this query at most N times.
• Corruption Query: Upon a query id ∈ D from A, C adds id to CD and returns vk_id to A.
• Authentication Query: Upon a query (m, S) ∈ M × 2^D_{≤N} from A, C adds m to M_a, and returns cmd_S ← Auth(ak, m, S) to A.
• Challenge Query: Upon a query (m, A is allowed to make this query only once under the restriction that At some point, A outputs b′. If b′ = b, C sets 1 as the output of Exp^Full-ANO-CMA_{ABA,A}(κ, N); otherwise, C sets 0. C terminates the experiment.
We can also define ANO-CMA with an experiment Exp^ANO-CMA_{ABA,A}(κ, N), which is the same as Exp^Full-ANO-CMA_{ABA,A}(κ, N) except for the following additional condition in the restriction for the challenge query: |S_0| = |S_1|.
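To make the ABA syntax and the two anonymity notions concrete, here is an added Python example; it is neither the paper's construction nor the scheme of [37]. It instantiates (Setup, Join, Auth, Vrfy) with HMAC-SHA256: one atomic authenticator (tag) per designated recipient in ANO-BA mode, or a fixed list of N tags padded with random dummies in Full-ANO-BA mode, with verification by trial over the tag list. The constants KAPPA_BYTES and NONCE_BYTES, the full_anonymity flag, the string identifiers, and the size and challenge_lengths helpers are assumptions of the example.

```python
import hashlib
import hmac
import os
import random
from typing import Dict, List, Optional, Set, Tuple

KAPPA_BYTES = 32     # one atomic authenticator is an HMAC-SHA256 tag, i.e. κ = 256 bits (example value)
NONCE_BYTES = 16

Cmd = Tuple[bytes, bytes, List[bytes]]   # cmd_S = (m, nonce, list of tags)


def Setup(N: int) -> Dict:
    """ak := (master key, maximum number of recipients N fixed at setup)."""
    return {"k": os.urandom(KAPPA_BYTES), "N": N}


def Join(ak: Dict, id_: str) -> bytes:
    """Deterministic Join, as the paper assumes: vk_id is a PRF of id under the master key."""
    return hmac.new(ak["k"], b"join|" + id_.encode(), hashlib.sha256).digest()


def _tag(vk: bytes, nonce: bytes, m: bytes) -> bytes:
    return hmac.new(vk, nonce + m, hashlib.sha256).digest()


def Auth(ak: Dict, m: bytes, S: Set[str], full_anonymity: bool = False) -> Cmd:
    """Authenticate m for the privileged set S.
    ANO-BA mode:      one tag per id in S                 -> |cmd_S| = |S|·κ + |m| + |nonce|
    Full-ANO-BA mode: pad with N-|S| random dummy tags    -> |cmd_S| = N·κ + |m| + |nonce|
    The tag list is shuffled so that its order reveals nothing about S."""
    if len(S) > ak["N"]:
        raise ValueError("|S| must not exceed N")
    nonce = os.urandom(NONCE_BYTES)
    tags = [_tag(Join(ak, id_), nonce, m) for id_ in sorted(S)]
    if full_anonymity:
        tags += [os.urandom(KAPPA_BYTES) for _ in range(ak["N"] - len(S))]
    random.SystemRandom().shuffle(tags)
    return (m, nonce, tags)


def Vrfy(vk: bytes, cmd: Cmd) -> Optional[bytes]:
    """Recipient id recomputes its own tag and accepts m iff that tag is present.
    A recipient outside S, or a modified m, yields ⊥ (represented as None)."""
    m, nonce, tags = cmd
    mine = _tag(vk, nonce, m)
    return m if any(hmac.compare_digest(mine, t) for t in tags) else None


def size(cmd: Cmd) -> int:
    """|cmd_S| in bytes."""
    m, nonce, tags = cmd
    return len(m) + len(nonce) + sum(len(t) for t in tags)


def challenge_lengths(ak: Dict, m: bytes, S0: Set[str], S1: Set[str],
                      full_anonymity: bool) -> Tuple[int, int]:
    """Lengths of cmd_{S_0} and cmd_{S_1}: the one thing an adversary in the (Full-)ANO-CMA
    challenge can always read off. In ANO-BA mode they differ whenever |S_0| != |S_1|,
    which is why the ANO-CMA experiment restricts the challenge to |S_0| = |S_1|."""
    return size(Auth(ak, m, S0, full_anonymity)), size(Auth(ak, m, S1, full_anonymity))


if __name__ == "__main__":
    ak = Setup(N=4)
    for mode in (False, True):
        cmd = Auth(ak, b"halt", {"dev-1", "dev-2"}, full_anonymity=mode)
        print("full_anonymity=%s |cmd_S|=%d bytes, tags=%d" % (mode, size(cmd), len(cmd[2])))
```

The size function makes the two bounds visible in bytes: the tag list contributes |S|·κ (ANO-BA) or N·κ (Full-ANO-BA) with coefficient 1, and the message and nonce are a constant overhead, mirroring the shape of the entries in Table 2 without being any of those schemes. challenge_lengths shows that in ANO-BA mode the length alone already separates recipient sets of different size, which is exactly the leakage the ANO-CMA restriction |S_0| = |S_1| sets aside, while in Full-ANO-BA mode the length is independent of S.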

Atomic broadcast encryption
In this section, we give a formal syntax of Atomic Broadcast Encryption (AtBE) to formally describe properties satisfied by existing BE schemes. These properties are used to formalize properties of existing Anonymous BE schemes and derive lower bounds. We further provide security definitions for AtBE.

Syntax of AtBE
Our AtBE aims to describe encryption and decryption for each recipient in a designated set performed inside the Enc and Dec algorithms of BE. Towards that aim, ciphertexts, decryption keys, and public keys are divided into multiple sub-elements. An AtBE scheme At-BE consists of six algorithms (Setup-at, Join-at, Enc, Enc-at, Dec, Dec-at), where the Enc and Dec are the same as ones of BE. N ): a probabilistic algorithm for setup. It takes a security parameter 1 κ and the maximum number of receivers N ∈ N as input, and outputs a master secret key mk and a public key pk consisting of | | atomic public keys id } γ ∈ id ← Join-at(mk, id): a decryption key generation algorithm. It takes mk and an identifier id ∈ ID, as input, and outputs a decryption key sk id for id consisting of : an atomic encryption algorithm. It takes a subset of the atomic public key {pk (δ) } δ∈ , a privileged set S ⊆ ID, a message m ∈ M, an identifier id ∈ ID, and randomness r as input, and outputs an atomic ciphertext , ct S,id ): an atomic decryption algorithm. It takes a subset of The Setup-at and Join-at are essentially equivalent to the Setup and Join in BE respectively, except for differences that public and decryption keys are explicitly divided into multiple sub-elements. As in the case of the Join in BE, we regard the Join-at as being a deterministic algorithm. On the other hand, the Enc and Dec include the Enc-at and Dec-at as sub-algorithms, respectively, though they might contain procedures other than the subalgorithms. Therefore, AtBE includes both (Enc, Dec) and (Enc-at, Dec-at).
We require a natural property for AtBE: an atomic ciphertext ct_{S,id} contained in a ciphertext ct_S will be correctly decrypted by a decryption key {sk Let ct_S ← Enc({pk^(δ)}_{δ∈ }, m, S; r). Then, for every id ∈ S there exists some ⊆ such that ct_{S,id} ← Enc-at({pk^(δ)}_{δ∈ }, id, m, S; r) and ct_{S,id} ∈ ct_S. Moreover, the following conditions hold with overwhelming probability: Namely, the above guarantees that (1) a BE ciphertext for S contains AtBE ciphertexts for all id ∈ S; (2) the BE ciphertext can be correctly decrypted by Dec, which implies Correctness of BE; and (3) every AtBE ciphertext can be correctly decrypted by Dec-at. Therefore, Atomic Correctness of AtBE includes Correctness of BE. Thus, we say that a BE scheme is an AtBE scheme if Enc and Dec include Enc-at and Dec-at (satisfying the above Atomic Correctness), respectively.

Properties in existing BE schemes
As described in Sect. 1.2, Kiayias and Samari [20] assumed a special property for Anonymous BE schemes in their analysis, and it is difficult to check whether that property holds for existing Anonymous BE schemes. Therefore, our goal is to replace that property with a natural one for which it can be checked whether it holds for existing Anonymous BE schemes. In order to achieve this, in this section we describe four properties that hold in most existing (i.e., both non-Anonymous and Anonymous) BE schemes. In particular, we show that they hold for the pairing-based BE scheme of Boneh et al. [5]. The four properties are described as follows:

Property 1
When a ciphertext has intended recipient set S, any recipient in S can obtain the underlying message by decrypting at least one of the corresponding atomic ciphertexts. More formally, the ciphertext ct_S output by the Enc algorithm consists of the atomic ciphertexts ct_{S,id} obtained by the Enc-at algorithm, and other elements. 7 In other words, let the set of atomic ciphertexts contained in ct_S be {ct_{S,id}}_{id∈S}, and let the union of {ct_{S,id}}_{id∈S} and the other elements contained in ct_S be {ct Here, the randomness r input to Enc-at is the same when generating each atomic ciphertext in {ct_{S,id}}_{id∈S}. Also, inside the Dec algorithm, the Dec-at algorithm takes an atomic ciphertext and a set of atomic decryption keys as input, and outputs a message. If ct_S is a valid ciphertext, then there is an atomic ciphertext ct^(θ)_S in ct_S that can be decrypted using a subset of the atomic decryption keys of a recipient id in S. Formally, we require the following property for AtBE At-BE:

Property 2
A triplet of recipient, recipient set, and message (id, S, m) uniquely determines the minimum subset of atomic public keys required to generate an atomic ciphertext ct_{S,id}. More formally, when generating ct_{S,id} such that m ← Dec-at({sk id,S,m be the minimum subset of atomic public keys required as input to Enc-at. In this case, for any S ⊂ ID, any id ∈ S, and any m ∈ M, *_{id,S,m} is uniquely determined by the triplet (id, S, m) input to Enc-at.

Property 3
A pair of recipient and recipient set (id, S) uniquely determines the minimum subset of atomic decryption keys required to decrypt a (correctly generated) atomic ciphertext ct_{S,id}. More formally, when m ← Dec-at({sk , ct_{S,id}) holds, let *_{id,S} be the minimum subset of atomic decryption keys required as input to Dec-at. In this case, for any S ⊂ ID and any id ∈ S, *_{id,S} is uniquely determined by the pair (id, S) input to Enc-at when generating ct_{S,id}.

Property 4
If two atomic ciphertexts ct_{S,id} and ct_{S,id'} are identical, then the two corresponding minimum subsets of atomic public keys used to generate ct_{S,id} and ct_{S,id'} are also identical. More formally, for all (mk, with overwhelming probability. We show in Appendix A that the BE scheme in [5] meets Properties 1, 2, 3 and 4. In addition, we can similarly show that the existing (both non-Anonymous and Anonymous) BE schemes [1-3, 6, 15, 16, 24, 25, 30, 38] satisfy Properties 1, 2, 3 and 4 as well; thus it is reasonable to assume Properties 1, 2, 3 and 4 in this paper.

Security definitions for AtBE
We define chosen-ciphertext security and anonymity for AtBE in the same way as for BE. The security games for AtBE are the same as those for BE except that an attacker obtains explicitly divided public keys, decryption keys, and a challenge ciphertext. Essentially, there is no difference in the information the attacker obtains between the security games for BE and those for AtBE. Therefore, except for the following changes to the key-generation query and the corruption query: • Key-generation Query: Upon a query id ∈ ID from A, C adds id to D and generates {sk , not sk_id ← Join(mk, id). • Corruption Query: Upon a query id ∈ D from A, C adds id to CD, and returns {sk

Definition 10 ((Full-)ANOat-CCA) We say At-BE is X-CCA secure (X ∈ {Full-ANOat, ANOat}) if for any PPT adversary A, for all sufficiently large κ ∈ N and all N ∈ N, it holds that Adv

Asymptotic lower bounds in ANO-BE
We derive lower bounds for AtBE schemes with ANOat-CCA security and with Full-ANOat-CCA security. First, we define a property assumed for AtBE schemes and show that it holds for the ANO-BE scheme of Libert et al. [25]. Then, we derive lower bounds for ANO-BE and Full-ANO-BE with the property described in Sect. 4.1. In the following analysis, we assume that an AtBE scheme satisfies INDat-CCA security, although this is not explicitly stated.

A property of ANO-BE and Full-ANO-BE
In order to derive lower bounds for ANO-BE and Full-ANO-BE, we assume the property that "a minimum subset of atomic decryption keys used to decrypt ciphertexts is uniquely determined by the subset of public keys used to generate the ciphertext." Specifically, we consider the following property for both ANO-BE and Full-ANO-BE (see Sect. 1.2 for the intuitive definition): N) is generated, we denote by PK* the set of all atomic public keys, namely PK* := {pk^(δ)}_{δ∈ }. And, when {sk^(γ)_id}_{γ∈ id} ← Join-at(mk, id) is generated, SK* denotes the family of the minimum subsets of atomic decryption keys to be input to Dec-at, namely SK* := {{sk id,S}}_{id∈ID,S⊆ID}. Here, we note that SK* is uniquely determined, since Join-at is a deterministic algorithm. Then, for all id ∈ ID, all S ⊆ ID, all m ∈ M, all r ∈ R, all pk' ∈ 2^{PK*}, and all ct_{S,id} ← Enc-at(pk', id, m, S; r), the set of atomic decryption keys sk' ∈ SK* ∪ {⊥} such that m ← Dec-at(sk', ct_{S,id}) is uniquely determined by the set of atomic public keys pk'. ANO-BE schemes satisfying the above property include Libert et al.'s scheme [25], which is a generic construction using a public-key encryption scheme PKE and a one-time signature OTS. We show that the scheme in [25] meets the property in Appendix A.
In addition, we can similarly show that all of the existing ANO-BE and Full-ANO-BE schemes in [3,20,24,25] satisfy Assumption 2.

Lower bounds in ANOat-CCA secure AtBE
First, we show two lemmas, Lemmas 2 and 3, for an ANOat-CCA secure AtBE with Properties 1, 2, 3 and 4 described in Sect. 3.2. In Lemma 2, we show that "if an AtBE is ANOat-CCA secure, then for ciphertexts with sets S_0, S_1 of equal size, the sets of atomic decryption keys used by a recipient id for each decryption are identical with overwhelming probability." Then, in Lemma 3, we show that "if an AtBE is ANOat-CCA secure, then for any set S with more than two elements, recipients id, id' ∈ S must not share a set of atomic decryption keys used to decrypt ct_S with overwhelming probability." Then, for an ANOat-CCA secure AtBE with the property described in Assumption 2, we derive a lower bound on the ciphertext size in Theorem 1.
For convenience, for any S_0, S_1 ⊆ ID, we call (S_0, S_1) challengeable sets if they can be used for a challenge query in the ANOat-CCA game Exp^{ANOat-CCA}_{At-BE,A}.

Lemma 2 If AtBE At-BE is ANOat-CCA secure, no PPT adversary A in the ANOat-CCA game can find id ∈ ID and challengeable sets with non-negligible probability.
Proof We show this lemma by contraposition. Suppose that there exists a PPT adversary A that can find (id, S_0, S_1) in the ANOat-CCA game such that (S_0, S_1) are challengeable sets and it holds that id ∈ S_0 ∩ S_1, |S_0| = |S_1|, and {sk with non-negligible probability. Note that by Property 3, *_{id,S_0} and *_{id,S_1} are uniquely determined. Then, A can break ANOat-CCA security as follows. During the ANOat-CCA game, A can A then issues key-generation queries for every id ∈ S_0 ∪ S_1 and a corruption query for id* (if A has not done so yet), and obtains a decryption key {sk Note that A can get the decryption key for id* since id* ∈ S_0 ∩ S_1 and (S_0, S_1) can be used for the challenge query. Finally, , and b' = 1 otherwise. In this case, A can output b' such that b' = b with non-negligible probability.

Lemma 3 If AtBE At-BE is ANOat-CCA secure, no PPT adversary A in the ANOat-CCA game with non-negligible probability.
Proof Assume on the contrary that there exists a PPT adversary A that can find (id, id', S) such that id, id' ∈ S and {sk with non-negligible probability. Note that by Property 3, *_{id,S} and *_{id',S} are uniquely determined. Then, we show that this contradicts Property 1 of AtBE in Sect. 3.2 for any S' such that id ∈ S', id' ∉ S', and |S| = |S'|.
Suppose that A has the atomic decryption keys {sk obtained by key-generation queries and corruption queries. Since id ∈ S', we have m ← Dec-at({sk , ct_{S',id}). However, since id' ∉ S' holds, the above contradicts Property 1.
In the following, we derive a lower bound on the ciphertext size in ANOat-CCA secure AtBE with the property described in Assumption 2. Specifically, we show the following statement: when there exists a set S such that the number of atomic ciphertexts ct_{S,id} contained in ct_S is less than |S| with non-negligible probability, a contradiction with Lemma 3 occurs.

Theorem 1 If AtBE

Proof For some set of recipients S* ∈ 2^{ID}_{≤N} and message m* ∈ M, we assume that with non-negligible probability, Enc outputs ct_{S*} = {ct and β_{S*} < |S*|. Let A be any fixed PPT adversary against the ANOat-CCA game. Then, A can identify such (S*, m*) with non-negligible probability since A knows the concrete procedure of Enc (which should be public due to Kerckhoffs' principle). 9 We then show that A can find (id, id', S*) that contradicts Lemma 3. Now, from β_{S*} ≥ 1, we consider that |S*| ≥ 2 holds. From β_{S*} < |S*|, for the set of atomic ciphertexts {ct^(θ)_{S*}}_{θ∈[β_{S*}]}, there exists at least one atomic ciphertext ct^(θ*)_{S*} that can be decrypted by two recipients id, id' ∈ S*. That is, for id, id' ∈ S*, it holds that ct where r* is the same randomness as in Enc above. Note that by Property 2, *_{id,S*,m*} and *_{id',S*,m*} are uniquely determined, and by Property 4, it holds that {pk^(δ)}_{δ∈*_{id,S*,m*}} = {pk^(δ)}_{δ∈*_{id',S*,m*}}. In addition, by Atomic Correctness and Property 1, we have Note that by Property 3, {sk^(γ)_id}_{γ∈*_{id,S*}} and {sk respectively. As mentioned above, it holds that {pk^(δ)}_{δ∈*_{id,S*,m*}} = {pk^(δ)}_{δ∈*_{id',S*,m*}}. Therefore, despite the ANOat-CCA security of At-BE, A can obtain {sk id',S*, which contradicts Lemma 3.

9 From the description of Enc, A can extract the conditions for obtaining ct_{S*} = {ct^(θ)_{S*}}_{θ∈[β_{S*}]} such that β_{S*} < |S*| with non-negligible probability (even if β_{S*} is determined randomly), since Enc is a PPT algorithm. Note that A does not need to know the concrete randomness r* used to compute ct_{S*}, though A seems to need to know how the randomness is used in Enc.

Lower bounds in Full-ANOat-CCA secure AtBE
We derive a lower bound on the ciphertext size in Theorem 2 for Full-ANOat-CCA secure AtBE with the property described in Assumption 2, using Theorem 1.
Proof Since Full-ANOat-CCA security implies ANOat-CCA security, for any S ∈ 2^{ID}_{≤N} we have at least (|S| · κ) with overwhelming probability from Theorem 1. Now, we assume that for some set of recipients S* ∈ 2^{ID}_{≤N} and message m* ∈ M, Enc outputs Here, from the assumption that |S*| ≤ β_{S*} < N, A can trivially break Full-ANOat-CCA, but this contradicts the premise. Thus, the size of ciphertexts for any S ∈ 2^{ID}_{≤N} must be at least equal to that of ciphertexts for [N], i.e., (N · κ).

Non-asymptotic bounds and optimal constructions of ANO-BE
We show (non-asymptotic) upper and lower bounds on the ciphertext size in ANO-BE. Li and Gong [24] proposed an ANO-BE scheme whose ciphertext size is (|S|+6)·κ, which is indeed optimal in the sense that the scheme attains the lower bound on the ciphertext size (i.e., Theorem 1) non-asymptotically (see Theorem 5). On the other hand, there exists no optimal Full-ANO-BE scheme. To show a non-asymptotic upper bound on the ciphertext size in Full-ANO-BE, we propose an optimal Full-ANO-BE scheme.
Our scheme is obtained by modifying the encryption algorithm Enc and the decryption algorithm Dec of Li and Gong's ANO-BE [24].
Select a key-binding secure symmetric encryption scheme SKE = (E, D) with key space K := G_1. Sample a collision-resistant hash function H : {0, 1}* → Z_p from H uniformly at random. The public key pk consists of PG, (E, D), H; and the master secret key is {k_id}^N_{id=1}. • Join(mk, id): Output the secret key sk_id := k_id.
• Enc(pk, m, S): Let n be the number of recipients currently participating in the system, and suppose that sk_{id_1}, ..., sk_{id_n} have been generated by Join so far. Sample r ←_U Z^k_p and compute u := r A. Select a session key K ←_U G_1 and compute c_0 := E_K(m). Compute the following for all id ∈ [N]: Here, in the scheme of [24], only c_id (id ∈ S) is computed in Eq. (1), and the following ciphertext is output.
-If j = |S|, return ⊥ and halt; otherwise, do the first step with j := j + 1.
We show the correctness of the above Full-ANO-BE scheme. Suppose that ct_S = (u, c_0, c_1, ..., c_N, [π]_1) and sk_id = k_id (id ∈ S) are correctly generated. Then the following equation holds: where α := H(u, c_0, c_1, ..., c_N). Given c_j := r A k_{id_1} · K, we have K = c_j / u^{k_{id_1}}, and Dec will return m by the correctness of the symmetric encryption scheme SKE = (E, D). Given c_j := r A k_{id_1} · K, we have K = c_j / u^{k_{id_1}} for some id ∉ S with overwhelming probability, and Dec will return ⊥ by the key-binding property of SKE = (E, D).

Theorem 3 The construction described above is Full-ANO-IND-CCA secure assuming that: (1) H is collision-resistant; (2) the D_k-MDDH assumption holds in G_1; (3) the D_k-KerMDH assumption holds in G_2; (4) SKE is semantically secure and key-binding.
Our security proof is the same as that of Li and Gong's ANO-BE [24] except that we added c_id ←_U G_1 (if id ∉ S) to their scheme. We prove Full-ANO-IND-CCA security by defining the following games: Game_Real: This is the same as the Full-ANO-IND-CCA game.
Game_{2,j}: This is the same as Game_2 except for the following modification. Let q_D be the maximum number of decryption queries to the Decryption Oracle. For the first j queries, the Decryption Oracle returns ⊥ if (1) or (3) or 1 holds instead of (2 ). Here, "||" denotes the OR operation which ignores the second operand if the first one is satisfied. For the remaining queries, the Decryption Oracle returns ⊥ if (1) or (3) or (2 ) holds, as in Game_2. Let S_Real, S_i (0 ≤ i ≤ 2), and S_{2,j} (0 ≤ j ≤ q_D) be the probabilities that the event b' = b occurs in Game_Real, Game_i, and Game_{2,j}, respectively. We have The rest of the proof follows from the lemmas below.

Lemma 4 |S
Note that B knows the master secret key mk := {k_id}^N_{id=1}. Then Note that B knows the master secret key mk := {k_id}^N_{id=1}. Key-generation Oracle and Corruption Oracle. B can simulate these oracles since it knows the master secret key. Challenge. B simulates the challenge in the same way as in Game_0. Decryption Oracle. B can simulate the oracle for the same reason as for the Key-generation and Corruption Oracles. Upon a decryption query (id, ct_S = (u, c_0, c_1, ..., c_N, [π]_1)), B checks whether the conditions (2) and (2 ) hold. If condition (2) does not hold but (2 ) does, B outputs t := π − u(X + α · Y) 1.
Here, t 1 is a solution to the D_k-KerMDH problem since t ≠ 0 from (2 ) and t ∈ Ker(B) from (2).
Proof Game_{2,j−1} is the same as Game_{2,j} unless A sends a j-th decryption query which is rejected by condition (2 ) but passes condition (2 ). That is, if the event that the j-th decryption query satisfies u ∉ span(A) and survives (1), (2 ), (3) does not occur, there is no difference between the two games. First, we suppose that α = α* holds for such a query. Then, the decryption query (id, ct_S = (u, c_0, c_1, ..., c_N, [π]_1)) must satisfy α = α*, u ∉ span(A) and [π]_1 = u(X + α · Y)B 1, but this happens with probability at most 1/p by the core lemma (Lemma 1 of [21]). Note that A never obtains more information than A X, A Y from the first j decryption queries, thanks to the condition u* ∉ span(A). Next, we show that the above query must satisfy α = α*. Here, if a decryption query survives condition (3), then ct_S = ct_{S*} 1 or α = α* holds. Therefore, we need to show that ct_S = ct_{S*} 1 holds for a decryption query which survives conditions (1), (2 ), (3) with u ∉ span(A). Suppose ct_S = ct_{S*} 1. We can see that if π = π*, then the query is rejected by condition (1), and if π ≠ π*, then the query is rejected by condition (2 ). Thus, since a decryption query with ct_S = ct_{S*} 1 cannot survive the conditions, α = α* holds.
We prove Lemma 8 by considering two cases. Case (a): CD ∩ (S_0 ∩ S_1) = ∅. In this case, we define the following additional games.
Game_3: This is the same as Game_{2,q_D} except that the challenger samples c_id ←_U G_1 for all id ∈ S_b in the challenge ciphertext. Game_4: This is the same as Game_3 except that the challenger computes c_0 = E_K(0^κ) in the challenge ciphertext.
Proof We claim that Game_{2,q_D} is statistically indistinguishable from Game_3. In Game_{2,q_D}, A learns information on k_id (id ∈ S_b) only from pk, since the Decryption Oracle returns ⊥ for A's queries such that u ∉ span(A), and u* ∉ span(A) holds with overwhelming probability.
is uniformly distributed over G_1 from the fact that for any u* outside the span of A, u* k_id is uniformly random given Proof Game_4 is indistinguishable from Game_3 due to the semantic security of (E, D). Finally, we have S_4 = 1/2 since the challenge ciphertext has no information about b. Case (b): CD ∩ (S_0 ∩ S_1) ≠ ∅. We define the following game.
Game_3: This is the same as Game_{2,q_D} except that the challenger samples c_id Proof We claim that Game_{2,q_D} is statistically indistinguishable from Game_3. This follows from the same argument as in Case (a), that is, the fact that all u* k_id S are uniformly distributed over G_1 conditioned on pk, the Key-Generation Oracle and the Decryption Oracle. Although c_id (id ∈ S_b ∩ S_{1−b}) are not changed, no information about b is leaked from the challenge ciphertext since m_0 = m_1 must hold in this case. We then have S_3 = 1/2.

Proof of Lemma 8
Let S_a and S_b be the probabilities that A outputs (S_0, S_1) in Case (a) and Case (b), respectively. Then, we have

Proof of Theorem 3 From Lemmas 4-8 we have
Here, the above construction has a ciphertext whose size is (N + 6) · κ where k = 1. 10 Therefore, from Li and Gong's ANO-BE [24] and our Full-ANO-BE scheme, we obtain upper bounds on the ciphertext size in (Full-)ANO-BE. From these upper bounds and the asymptotic lower bounds in Sect. 4, we show tight lower bounds on the ciphertext size in (Full-)ANO-BE. (N · κ), and our Full-ANO-BE scheme attains the lower bound tightly, which is optimal. · κ), and the ANO-BE scheme in [24] attains the lower bound tightly, which is optimal.

Atomic broadcast authentication
In this section, we give a syntax of Atomic Broadcast Authentication (AtBA) to formally describe properties satisfied by the existing ABA scheme and derive lower bounds. We further provide security definitions for ABA covered by AtBA.

Syntax of AtBA
Our AtBA describes the authentication and verification performed for each recipient in a designated set inside the Auth and Vrfy algorithms of ABA. We define a model of Atomic BA At-BA = (Setup-at, Join-at, Auth, Auth-at, Vrfy, Vrfy-at) as follows, where Auth and Vrfy are the same as those of ABA. -at(1^κ, N): a probabilistic algorithm for setup. It takes a security parameter 1^κ and the maximum number of receivers N ∈ N as input, and outputs an authentication key ak consisting of | | atomic authentication keys : a verification key generation algorithm. It takes {ak^(δ)}_{δ∈ } and an identifier id ∈ ID as input, and outputs a verification key vk_id for id consisting of | id| atomic verification keys {vk 3. cmd_{S,id} ← Auth-at({ak^(δ)}_{δ∈ }, S, m, id; r): an atomic authentication algorithm. It takes {ak^(δ)}_{δ∈ }, a message m ∈ M, a privileged set S ⊆ ID, an identifier id ∈ ID and randomness r ∈ R as input, and outputs an atomic authenticator cmd_{S,id}, where ⊆ . 4. m/⊥ ← Vrfy-at({vk id}_{γ∈ id}, and cmd_{S,id} as input, and outputs a message m (accept) or ⊥ (reject), where id ⊆ id.
The Setup-at and Join-at are essentially equivalent to Setup and Join in ABA, respectively, except that authentication and verification keys are explicitly divided into multiple sub-elements. As in the case of Join in BE, we regard Join-at as a deterministic algorithm. On the other hand, Auth and Vrfy include Auth-at and Vrfy-at as sub-algorithms, respectively, though they might contain procedures other than these sub-algorithms. Therefore, AtBA includes both (Auth, Vrfy) and (Auth-at, Vrfy-at).
We require a natural property for AtBA: an atomic authenticator cmd_{S,id} contained in an authenticator cmd_S will be correctly verified by a verification key {vk^(γ)_id}_{γ∈ id} of a recipient id ∈ S, as follows: Atomic correctness Fix any κ, N ∈ N, any {ak^(δ)}_{δ∈ } ← Setup-at(1^κ, N), any S ⊆ ID such that |S| ≤ N, any m ∈ M, any {vk Let cmd_S ← Auth({ak^(δ)}_{δ∈ }, m, S; r). Then, for every id ∈ S there exists some ⊆ such that cmd_{S,id} ← Auth-at({ak^(δ)}_{δ∈ }, S, m, id; r) and cmd_{S,id} ∈ cmd_S. Moreover, the following conditions hold with overwhelming probability: Namely, the above guarantees that (1) an ABA authenticator for S contains AtBA authenticators for all id ∈ S; (2) the ABA authenticator can be correctly verified by Vrfy, which implies Correctness of ABA; and (3) every AtBA authenticator can be correctly verified by Vrfy-at. Therefore, Atomic Correctness of AtBA includes Correctness of ABA. Thus, we say that an ABA scheme is an AtBA scheme if Auth and Vrfy include Auth-at and Vrfy-at (satisfying the above Atomic Correctness), respectively.

Security definitions for AtBA
We define anonymity for AtBA in the same way as for BE. In the following, we give definitions of full anonymity (Full-ANOat-CMA) and anonymity (ANOat-CMA). The security games for AtBA are the same as those for ABA except that an attacker obtains verification keys and a challenge authenticator that are explicitly divided into multiple sub-elements. Essentially, there is no difference in the information the attacker obtains between the security games for BA and those for AtBA. Therefore, we consider (Full-)ANOat-CMA defined below to be security notions equivalent to (full) anonymity.
Let A be any PPT adversary against Full-ANOat-CMA security. We consider an experiment Exp^{Full • Key-generation Query: Upon a query id ∈ ID from A, C adds id to D and generates {vk id}_{γ∈ id} ← Join-at(ak, id), not vk_id ← Join(ak, id). • Corruption Query: Upon a query id ∈ D from A, C adds id to CD, and returns {vk We also define ANOat-CMA with an experiment Exp^{ANOat-CMA}_{At-BA,A}(κ, N), which is the same as Exp^{Full-ANOat-CMA}_{At-BA,A}(κ, N) except for the following additional restriction on the challenge query: |S_0| = |S_1|.
Definition 11 ((Full-)ANOat-CMA) We say At-BA is X secure (X ∈ {Full-ANOat-CMA, ANOat-CMA}) if for any PPT adversary A, for all sufficiently large κ ∈ N and all

Properties in an existing ABA scheme
In this section, we describe four properties that hold for an existing ABA scheme. The four properties are as follows.

Property 5
Authenticator cmd_S output by the Auth algorithm consists of atomic authenticators cmd_{S,id} obtained by the Auth-at algorithm, and other elements. In other words, let the set of atomic authenticators contained in cmd_S be {cmd_{S,id}}_{id∈S}, and let the union of {cmd_{S,id}}_{id∈S} and some other elements contained in cmd_S be {cmd Here, the randomness r input to Auth-at is the same when generating each element of {cmd_{S,id}}_{id∈S}. Also, inside the Vrfy algorithm, the Vrfy-at algorithm takes an atomic authenticator and a set of atomic verification keys as input, and outputs a message. If cmd_S is a valid authenticator, then there is an atomic authenticator cmd^(θ)_S in cmd_S that can be verified using a subset of the atomic verification keys of a recipient id in S. Formally, we require the following property for AtBA At-BA: For all κ, N ∈ N, all ak ← Setup(1^κ, N), all m ∈ M, all S ⊆ ID such that |S| ≤ N, such that m ← Vrfy-at({vk

Property 6
When generating cmd_{S,id} such that m ← Vrfy-at({vk id}_{γ∈ id}, cmd_{S,id}) for some γ ∈ id, let *_{id,S,m} be a minimum subset of atomic authentication keys required as input to Auth-at. In this case, *_{id,S,m} is uniquely determined by the triplet of the recipient's identifier, the set, and the message (id, S, m) input to Auth-at.

Property 7
When m ← Vrfy-at({vk , cmd_{S,id}) holds, let *_{id,S} be a minimum subset of atomic verification keys required as input to Vrfy-at. In this case, *_{id,S} is uniquely determined by the pair of the recipient's identifier and the set (id, S) input to Auth-at when generating cmd_{S,id}.

Property 8
, id', m, S; r), if cmd_{S,id} = cmd_{S,id'} holds, then we have with overwhelming probability.
Here, we can see that the existing ABA scheme [37] satisfies the above properties in the same way as in Sect. 3.2.

Asymptotic lower bounds in anonymous broadcast authentication
In order to derive lower bounds for ANO-BA and Full-ANO-BA, we assume the property that "a minimum subset of atomic verification keys used to verify authenticators is uniquely determined by the subset of authentication keys used to generate the authenticator." Specifically, we consider the following property for ANO-BA and Full-ANO-BA: N) is generated, we denote by AK* the set of all authentication keys, namely AK* := {ak^(δ)}_{δ∈ }. And, when {vk id}_{γ∈ id} ← Join-at(ak, id) is generated, VK* denotes the family of the minimum subsets of atomic verification keys to be input to Vrfy-at, namely VK* := {{vk id,S}}_{id∈ID,S⊆ID}. Here, we note that VK* is uniquely determined, since Join-at is a deterministic algorithm. Then, for all id ∈ ID, all S ⊆ ID, all m ∈ M, all r ∈ R, all ak' ∈ 2^{AK*}, and all cmd_{S,id} ← Auth-at(ak', id, m, S; r), the set of atomic verification keys vk' ∈ VK* ∪ {⊥} such that m ← Vrfy-at(vk', cmd_{S,id}) is uniquely determined by the set of atomic authentication keys ak'. The above property holds for Watanabe et al.'s ANO-BA and Full-ANO-BA schemes [37], which are generic constructions using a message authentication code and a pseudo-random function. Since it can be shown that they satisfy the above property in the same way as the ANO-BE scheme of Libert et al. [25], we omit the details here.

Lower bounds in ANOat-CMA secure AtBA
First, we show two lemmas, Lemmas 12 and 13, for an ANOat-CMA secure AtBA with Properties 5, 6, 7 and 8 described in Sect. 6.3. In Lemma 12, we show that "if an AtBA is ANOat-CMA secure, then for authenticators with sets S_0, S_1 of equal size, the sets of atomic verification keys used by a recipient id for each verification are equal with overwhelming probability." Then, in Lemma 13, we show that "if an AtBA is ANOat-CMA secure, then for any set S with more than two elements, recipients id, id' ∈ S must not share a set of atomic verification keys used to verify cmd_S with overwhelming probability." Then, for an ANOat-CMA secure AtBA with the property described in Assumption 3, we derive a lower bound on the authenticator size in Theorem 6.
For convenience, for any S_0, S_1 ⊆ ID, we call (S_0, S_1) challengeable sets if they can be used for a challenge query in the ANOat-CMA game Exp^{ANOat-CMA}_{At-BA,A}.

Lemma 12
If AtBA At-BA is ANOat-CMA secure, no PPT adversary A in the ANOat-CMA game can find id ∈ ID and challengeable sets (S_0, S_1) ∈ (2^D_{≤N})^2 such that id ∈ S_0 ∩ S_1, with non-negligible probability.
Proof We show this lemma by contraposition. Suppose that there exists a PPT adversary A that can find (id, S_0, S_1) in the ANOat-CMA game such that (S_0, S_1) are challengeable sets and it holds that id ∈ S_0 ∩ S_1, |S_0| = |S_1|, and {vk with non-negligible probability. Note that by Property 3, *_{id,S_0} and *_{id,S_1} are uniquely determined. Then, A can break ANOat-CMA security as follows. During the ANOat-CMA game, A can A then issues key-generation queries for every id ∈ S_0 ∪ S_1 and a corruption query for id* (if A has not done so yet), and obtains a verification key {vk Note that A can get the verification key for id* since id* ∈ S_0 ∩ S_1 and (S_0, S_1) can be used for the challenge query. Finally, with non-negligible probability.

Proof Assume on the contrary that there exists a PPT adversary A that can find (id, id', S) such that id, id' ∈ S and {vk with non-negligible probability. Note that by Property 7, *_{id,S} and *_{id',S} are uniquely determined. Then, we show that this contradicts Property 5 of AtBA in Sect. 6.3 for any S' such that id ∈ S', id' ∉ S', and |S| = |S'|. Suppose that A has the atomic verification keys {vk id}_{γ∈ id} and {vk^(γ)_{id'}}_{γ∈ id'} obtained by key-generation queries and corruption queries. Since id ∈ S', we have m ← Vrfy-at({vk id,S with overwhelming probability, as discussed in Lemma 3. Hence, we have m ← Vrfy-at({vk , cmd_{S',id}). However, since id' ∉ S' holds, the above contradicts Property 5.
In the following, we derive a lower bound on the authenticator size in ANOat-CMA secure AtBA with the property described in Assumption 3. Specifically, we show the following statement: when there exists a set S such that the number of atomic authenticators cmd_{S,id} contained in cmd_S is less than |S| with non-negligible probability, a contradiction with Lemma 13 occurs.

Theorem 6 If AtBA
At-BA is ANOat-CMA secure and has the property in Assumption 3, for any recipient set S ∈ 2^{ID}_{≤N} and any message m ∈ M, Auth outputs an authenticator of size (|S| · κ) with overwhelming probability.
Proof For some set of recipients S* ∈ 2^{ID}_{≤N} and message m* ∈ M, we assume that with non-negligible probability, Auth outputs cmd_{S*} = {cmd m*, S*; r*) and β_{S*} < |S*|. Let A be any fixed PPT adversary against the ANOat-CMA game. Then, as discussed in Theorem 1, A can identify such (S*, m*) with non-negligible probability since A knows the concrete procedure of Auth (which should be public due to Kerckhoffs' principle). We then show that A can find (id, id', S*) that contradicts Lemma 13. Now, from β_{S*} ≥ 1, we consider that |S*| ≥ 2 holds. From β_{S*} < |S*|, for the set of atomic authenticators {cmd^(θ)_{S*}}_{θ∈[β_{S*}]}, there exists at least one atomic authenticator cmd^(θ*)_{S*} that can be verified by two recipients id, id' ∈ S*. That is, for id, id' ∈ S*, it holds that cmd where r* is the same randomness as in Auth above. Note that by Property 6, * Note that by Property 7, {vk^(γ)_id}_{γ∈*_{id,S*}} and {vk respectively. As mentioned above, it holds that {ak^(δ)}_{δ∈*_{id,S*,m*}} = {ak^(δ)}_{δ∈*_{id',S*,m*}}. Therefore, despite the ANOat-CMA security of At-BA, A can obtain {vk id',S*, which contradicts Lemma 13.

Lower bounds in Full-ANOat-CMA secure AtBA
We derive a lower bound on the authenticator size in Theorem 7 for Full-ANOat-CMA secure AtBA with the property described in Assumption 3, using Theorem 6.
Proof Since Full-ANOat-CMA security implies ANOat-CMA security, for any S ∈ 2^{ID}_{≤N} we have at least (|S| · κ) with overwhelming probability from Theorem 6. Now, we assume that for some set of recipients S* ∈ 2^{ID}_{≤N} and message m* ∈ M, Auth outputs with non-negligible probability. Let A be any fixed PPT adversary against the Full-ANOat-CMA game. Then, A can identify such (S*, m*) with non-negligible probability since A knows the concrete procedure of Auth (which should be public due to Kerckhoffs' principle). A then issues a challenge query (m*, S*, S), where S = [N] and S* is any set Here, from the assumption that |S*| ≤ β_{S*} < N, A can trivially break Full-ANOat-CMA, but this contradicts the premise. Thus, the size of authenticators for any S ∈ 2^{ID}_{≤N} must be at least equal to that of authenticators for [N], i.e., (N · κ).

Non-asymptotic bounds and optimal constructions of ABA
We show (non-asymptotic) upper and lower bounds on the authenticator size in ABA. Specifically, we propose optimal constructions of ABA with anonymity and with full anonymity, respectively, to show non-asymptotic upper bounds on the authenticator size.
Our UF-CMA secure and Full-ANO-CMA secure ABA is as follows.
- Run MAC.Vrfy($K_{id}$, $\tau_j$, $m \| x$) and if its output is accept, return $m$ and halt; otherwise, go to the second step.
- If $j = N$, return $\perp$ and halt; otherwise, repeat the first step with $j := j + 1$.
A proof of UF-CMA security of the above construction is intuitively almost identical to evaluating the probability that an adversary forges a MAC in a multi-key setting. However, due to the existence of the Key Derivation Oracle, we cannot simply apply the standard hybrid argument over the number of recipients assuming pseudo-randomness of the MAC (when the hybrid argument can be applied, i.e., when there is no Key Derivation Oracle, we can prove UF-CMA security assuming pseudo-randomness of the MAC in a single-key setting). Although it is possible to prove the security with the Key Derivation Oracle in the standard model assuming pseudo-randomness of the MAC in a multi-key setting, the reduction is known to be very inefficient [28]. A simple proof is possible in the non-standard model where MAC.Auth is regarded as a public random function (Random Oracle). Therefore, in this paper, we give a proof under the assumption that MAC.Auth is a public random function.
Theorem 8 Assume that MAC.Auth is a public random function. If MAC is UF-CMA secure, the above construction is UF-CMA secure and Full-ANO-CMA secure.
The UF-CMA security can be proved by the H-coefficient technique [31], which is a standard framework for analyzing the security of symmetric-key cryptographic modes (see [8] for example; however, [8] does not deal with a multi-key setting or a decision game, because it proves a security notion that combines PRF and UF-CMA security). In the proof, $\sigma$ in the authenticator $cmd_S$ is omitted because it does not contribute to UF-CMA security (it only contributes to Full-ANO-CMA security).
First, we regard MAC.Auth as a public random function (Random Oracle) and introduce the so-called Primitive Oracle Prim, which returns MAC.Auth($K$, $m$) on input $(K, m) \in \mathcal{K} \times \mathcal{M}$. Then, we express the advantage of an adversary against UF-CMA security by that of a distinguisher $D$ trying to distinguish the real world (Auth$_o$, Vrfy$_o$, Corr, Prim) from an ideal world (Auth$_o$, Rej, Corr, Prim). The Auth$_o$ oracle receives a query $(m, S)$ and returns Auth($ak$, $m$, $S$) as described in Sect. 2.6. Vrfy$_o$ receives $(id, cmd_S)$ and returns Vrfy($vk_{id}$, $cmd_S$). The Rej oracle returns $\perp$ upon a verification query $(id, cmd_S = (m, x, \tau_{\sigma(1)}, \ldots, \tau_{\sigma(N)}))$ unless $K_{id}$ has already been exposed by Corr, or MAC.Auth($K_{id}$, $m \| x$) is included in an output of the Auth$_o$ oracle as the response for recipient $id$; otherwise, it returns the correct value using $K_{id}$ and the query history of the Auth$_o$ oracle. Let the number of queries to Auth$_o$ be $q_a$ and the number of queries to Prim be $q_p$ (queries to Corr do not specifically contribute to the success probability). Let $\phi_{Prim} = ((K_1, m_1, \tau_1), \ldots, (K_{q_p}, m_{q_p}, \tau_{q_p}))$ be the list of queries to Prim and the corresponding answers. Let also $\phi_{Auth} = ((m_1, x_1, \tau_1), \ldots, (m_{q_a}, x_{q_a}, \tau_{q_a}))$ be the list of queries to Auth and the corresponding answers.
We let forms the transcript of the attack, where $A$ is the set of all identities involved in the game, namely those queried to Corr and those included in the queries to Auth$_o$ and Vrfy$_o$. We assume that the keys of those identities not queried to Corr are attached to the transcript after the adversary has made all its queries (so that the adversary cannot use them to make further queries, which would trivially break any scheme); this is a common technique to simplify the proof. Also, we assume that all the keys are distributed uniformly in both worlds; that is, the keys queried to Rej (and never queried to other oracles) in the ideal world are dummy keys. We say that a transcript $\phi$ is attainable if the probability of obtaining this transcript in the ideal world is non-zero. We denote as the set of attainable transcripts. We also let $X_{Real}$, $X_{Ideal}$ denote the transcript random variable induced by the real world and the ideal world, respectively. Here, we say that an attainable transcript is bad if one of the following conditions holds:
1. There exist two distinct recipients $id, id'$ such that $K_{id} = K_{id'}$.
We denote by bad and good the set of bad transcripts and the set of good transcripts, respectively.
Then, we upper bound the advantage of the distinguisher by the H-coefficient technique: and that there exists such that $\Pr[X_{Ideal} \in \text{bad}] \le$ , the advantage of the distinguisher $D$ is then upper bounded as $\mathrm{Adv}(D) \le$ + .
We now show an upper bound on the probability of obtaining a bad transcript in the ideal world.

Lemma 15
Let $t \le N$ be the number of recipients appearing in a query to Auth or Vrfy. For any integers $q_p$,
Proof First, we consider condition 1. For verification keys $K_{id}, K_{id'}$, there are $\binom{t}{2}$ possible choices of $id, id'$. Then, the probability that the attainable transcript satisfies the condition is $\binom{t}{2}/|\mathcal{K}|$.
Next, we consider condition 2. For each query to Prim, the distinguisher selects a symmetric key $\tilde{K}$ such that $\tilde{K} = K_{id}$ for some $id$ with probability $t/|\mathcal{K}|$. Thus, we can upper bound the probability that condition 2 is satisfied by $t \cdot q_p/|\mathcal{K}|$. Condition 3 trivially never holds in the ideal world. From the above we have
be a good transcript. When $\phi$ is good, the keys involved in the game have no non-trivial collisions, hence the outputs of the Prim oracle are independent of the other oracle responses except for the trivial ones (those queried to both Prim and Corr). Moreover, all the responses from Auth$_o$ are perfectly random except for the trivial overlap of queried ids. This immediately implies that the probability ratio equals the probability ratio for the event that Vrfy$_o$ returns $\perp$ (i.e., $b^* = \perp$), since the other variables in the transcript have identical distributions in both worlds. In the ideal world, the probability of $b^* = \perp$ is one by definition. In the real world, because the random oracle returns a completely random output for any distinct input, and the set of keys involved in the verification query must contain a distinct one by the definition of the bad events and the game definition (which serves as the distinct input to the random oracle), the probability of $b^* \ne \perp$ is identical to that of randomly guessing the true tag values. Hence it is at most $|S|/|\mathcal{T}|$ when the verification query uses the id set $S$. Therefore, we have which proves Lemma 16.

Proof of Theorem 8
For the UF-CMA security, by combining Lemmas 14, 15, and 16 we have which concludes the proof. Next, we consider the Full-ANO-CMA security. Under the assumption that MAC.Auth is a public random function, when neither of the two kinds of key collisions occurs (i.e., neither condition 1 nor condition 2 holds), the Full-ANO-CMA security can be proven, since the set of recipients included in the symmetric difference $(S_0 \triangle S_1)$ of a challenge query is completely unpredictable and the permutation $\sigma$ is chosen uniformly at random for each challenge query.
In addition, we can construct an ABA scheme that is UF-CMA secure and ANO-CMA secure by modifying the Auth and Vrfy algorithms in the above construction as follows:
• Vrfy($vk_{id}$, $cmd_S$): Let $vk_{id} = K_{id}$ and $cmd_S = (m, x, \tau_1, \ldots, \tau_{|S|})$. Do the following two steps from $j := 1$.
- Run MAC.Vrfy($K_{id}$, $\tau_j$, $m \| x$) and if its output is accept, return $m$ and halt; otherwise, go to the second step.
- If $j = |S|$, return $\perp$ and halt; otherwise, repeat the first step with $j := j + 1$.
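As an added illustration (not code from the paper), the following Python instantiates both constructions with HMAC-SHA256 as the MAC: `auth` builds $cmd_S = (m, x, \tau_{\sigma(1)}, \ldots, \tau_{\sigma(N)})$ for the Full-ANO-CMA variant and $(m, x, \tau_1, \ldots, \tau_{|S|})$ for the ANO-CMA variant above, and `vrfy` runs the two-step loop of Vrfy. It assumes that, in the Full-ANO-CMA variant, the slots of non-designated recipients hold uniformly random dummy tags, and that the ANO-CMA variant also shuffles its tags; neither detail is stated on this page.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # tag space T: HMAC-SHA256 output (assumed instantiation of MAC)


def mac_auth(key: bytes, m: bytes, x: bytes) -> bytes:
    """MAC.Auth(K_id, m||x); x is the fresh per-authenticator randomness."""
    return hmac.new(key, m + x, hashlib.sha256).digest()


def keygen(n: int) -> dict:
    """ak = {K_1, ..., K_N}; recipient id's verification key is vk_id = K_id."""
    return {i: secrets.token_bytes(32) for i in range(1, n + 1)}


def auth(ak: dict, m: bytes, S: set, full_anon: bool = True) -> tuple:
    """Build cmd_S.  full_anon=True: N tags in random order sigma, designated ids
    get real tags, the others random dummies (assumption), hiding S and |S|.
    full_anon=False: only the |S| real tags, so |S| is visible but S is not."""
    assert S <= set(ak), "S must be a subset of [N]"
    x = secrets.token_bytes(16)
    tags = [mac_auth(ak[i], m, x) for i in S]
    if full_anon:
        tags += [secrets.token_bytes(TAG_LEN) for _ in range(len(ak) - len(S))]
    secrets.SystemRandom().shuffle(tags)  # permutation sigma (assumed for ANO too)
    return (m, x, tuple(tags))


def vrfy(vk: bytes, cmd: tuple):
    """Vrfy(vk_id, cmd_S): test tau_1, tau_2, ... in turn; return m on the first
    accept, or None (the paper's bottom) once all tags are exhausted."""
    m, x, tags = cmd
    expected = mac_auth(vk, m, x)
    for tau in tags:
        if hmac.compare_digest(expected, tau):
            return m
    return None


def authenticator_len(cmd: tuple) -> int:
    """Bytes spent on tags: N*TAG_LEN (Full-ANO) versus |S|*TAG_LEN (ANO)."""
    return len(cmd[2]) * TAG_LEN


if __name__ == "__main__":
    ak = keygen(8)  # constructed sample: 8 devices
    full = auth(ak, b"halt", {2, 5, 7})
    partial = auth(ak, b"halt", {2, 5, 7}, full_anon=False)
    print("Full-ANO tag bytes:", authenticator_len(full), "ANO:", authenticator_len(partial))
    print("device 5 accepts:", vrfy(ak[5], full) == b"halt", "device 3:", vrfy(ak[3], full))
```

The two `authenticator_len` values are the $N \cdot \kappa$ versus $|S| \cdot \kappa$ gap that Theorems 10 and 11 below show to be tight.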

Theorem 9
Assume that MAC.Auth is a public random function. If MAC is UF-CMA secure, the above construction is UF-CMA secure and ANO-CMA secure.
Proof As in Theorem 8, we can prove that the above scheme meets UF-CMA security. Also, ANO-CMA security can be shown in a similar way to Theorem 8. Note that leakage of the number of designated recipients $|S|$ does not affect ANO-CMA security, thanks to the condition $|S_0| = |S_1|$ in $\mathrm{Exp}^{ANO\text{-}CMA}_{ABA,\mathcal{A}}(\kappa, N)$.
Here, by the same discussion as in Sect. 5, from the above constructions and the asymptotic lower bounds in Sect. 7, we show lower bounds on the authenticator size in (Full-)ANO-BA.
Theorem 10 If an ABA scheme with the properties shown in Sects. 6.3 and 7 is Full-ANOat-CMA secure, a non-asymptotic lower bound on the authenticator size for any recipient set $S \subseteq ID$ is $N \cdot \kappa + o(N \cdot \kappa)$, and our Full-ANO-BA scheme attains this lower bound tightly, i.e., it is optimal.
Theorem 11 If an ABA scheme with the properties shown in Sects. 6.3 and 7 is ANOat-CMA secure, a non-asymptotic lower bound on the authenticator size for any recipient set $S \subseteq ID$ is $|S| \cdot \kappa + o(|S| \cdot \kappa)$, and our ANO-BA scheme attains this lower bound tightly, i.e., it is optimal.

Conclusion
We analyzed the efficiency limit of anonymous Broadcast Encryption (BE), a cryptosystem realizing basic access control. Specifically, we derived asymptotic lower bounds on the ciphertext size in BE with anonymity (Anonymous BE), assuming only properties that most existing (Full-)ANO-BE schemes satisfy. Our lower bounds can be applied to the existing (Full-)ANO-BE schemes, whereas those of Kiayias and Samari [20] are hard to apply. As a result, we showed that the existing ANO-BE schemes achieve the optimal ciphertext size. We further showed that our analysis can be extended to the authentication setting. Specifically, we first derived asymptotic lower bounds on the authenticator size required for anonymous broadcast authentication (ABA). Furthermore, we extended the above result to derive non-asymptotic lower bounds on the ciphertext size in (Full-)ANO-BE, by proposing an optimal construction based on Li and Gong's ANO-BE scheme [24]. In addition, we applied the same analysis to ABA and proposed an optimal construction of ABA to show non-asymptotic lower bounds on the authenticator size in ABA.

Appendix A
In this section, we show that the BE scheme in [5] meets the properties defined in Sect. 3.2. We review Boneh et al.'s scheme.
BGW05 [5]
• Setup($1^\kappa$, $N$): for $id \in \{1, 2, \ldots, N, N+2, \ldots, 2N\}$, compute $g_{id} = g^{\alpha^{id}}$. The public key is $pk := (g, g_1, \ldots, g_N, g_{N+2}, \ldots, g_{2N}, v)$ and the master secret key is $s$.
• Join($mk$, $id$): Output the secret key $sk_{id} := (d_{id} = g_{id}^s, pk)$.
• Enc($pk$, $m$, $S$): Sample $r \xleftarrow{U} \mathbb{Z}_p$ and set $K = e(g_{N+1}, g)^r$. Next, compute $ct_S := (g^r, (v \cdot \prod_{j \in S} g_{N+1-j})^r, K \cdot m, S)$ and output $ct_S$.
• Dec($sk_{id}$, $ct_S$): Let $sk_{id} = (d_{id} = g_{id}^s, pk)$ and $ct_S = (C_0, C_1, C_2, S)$. Then output
We show the correctness of the above scheme. We use the fact that $g_i^{(\alpha^j)} = g_{i+j}$ for any $i, j$. Suppose that $ct_S = (g^r, (v \cdot \prod_{j \in S} g_{N+1-j})^r, K \cdot m, S)$ is correctly generated. Then the following equation holds:
Here, we can see that the above scheme meets the properties. First, its public key, the private key of a recipient $id \in [N]$, and a ciphertext for $S$ can be described in AtBE's notation as follows: $\{pk^{(\delta)}\}_{\delta} := \{g, g_1, \ldots, g_N, g_{N+2}, \ldots, g_{2N}, v\}$, $\{sk$ According to an atomic ciphertext, the following equations hold: where Dec-at corresponds to the Dec algorithm of the BGW05 scheme. Hence, Property 1 is satisfied. According to a public key, a minimum subset of atomic public keys used to generate $ct_{S,id}$ is uniquely determined as $\{pk^{(\delta)}\}_{\delta \in *_{id,S,m}} := \{g, \{g_{N+1-j}\}_{j \in S}, v\}$. Therefore, Property 2 is met.
According to a decryption key, a minimum subset of atomic decryption keys used to decrypt $ct_{S,id}$ is uniquely determined as $\{sk$ with overwhelming probability. Therefore, Property 4 is also satisfied.
We also show that the ANO-BE scheme in [25] has the property in Assumption 2 defined in Sect. 4.1. We review Libert et al.'s Full-ANO-BE scheme [25].