
In identity-based broadcast encryption, suppose the broadcast ciphertext $(r_1,r_2,\dots,r_i,U,W,V)$ is sent to the receiver. It does not describe which user corresponds to which ciphertext part. User $i$ should decrypt using the corresponding $r_i$ value. How do the users know about that?

In some cases, they use some function $f(x)=k-\prod_{i=1}^{t} (x-v_{i})$ to get $k$ by replacing $v_{i}^{'}$ in place of $x$.

In a real implementation, how do we define such a function for unknown $x$ for $n$ receivers?

Example paper: Anonymous Multi-Receiver Identity-Based Authenticated Encryption with CCA Security (PDF) by Fan et al.

Mike Edward Moras
myat

1 Answer

> User $i$ should decrypt using the corresponding $r_i$ value. How do the users know about that?

From my understanding, a sender $S$ computes a polynomial $f(x)=\sum_{i\in\{0,...,t\}}c_ix^i$ which evaluates to $k$ if the value of $x$ corresponds to the "share" of any of the designated users $ID_1,...,ID_t$ --- a share of a user $i$ as computed by $S$ is $v_i:=H_1(e(rQ_i,d_S))$, where $r=H_2(M,k)$. A receiver $i$, once it sees the polynomial, evaluates it on his share $v_i'=H_1(e(V,d_i))$ and if $v_i=v_i'$ it gets back the key $k=f(v_i')$ (i.e., correctness). So, there is no correspondence between the users and the values of $c_i$s.

> In a real implementation, how do we define such a function for unknown $x$ for $n$ receivers?

As done in the paper, one just sends the coefficients of the function $f(x)$.

P.S. I hope I am not missing something.

ckamath
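The polynomial step discussed above, as an added example (not code from the paper, the question or the answer): the sender expands $f(x)=k-\prod_{i=1}^{t}(x-v_i)$ into coefficients $c_0,\dots,c_t$ and each receiver evaluates it at its own share. Assumptions: the prime modulus `P` and the random stand-in shares replace the scheme's field and the pairing-derived values $H_1(e(rQ_i,d_S))$; all function names are hypothetical.

```python
import secrets

# Assumption: a Mersenne prime standing in for the scheme's field modulus.
P = 2**127 - 1

def poly_mul_linear(coeffs, root):
    """Multiply a polynomial (coefficients low-order first) by (x - root) mod P."""
    out = [0] * (len(coeffs) + 1)
    for i, c in enumerate(coeffs):
        out[i] = (out[i] - root * c) % P
        out[i + 1] = (out[i + 1] + c) % P
    return out

def sender_coefficients(k, shares):
    """Sender side: return c_0..c_t of f(x) = k - prod(x - v_i) mod P."""
    prod = [1]
    for v in shares:
        prod = poly_mul_linear(prod, v)
    coeffs = [(-c) % P for c in prod]
    coeffs[0] = (coeffs[0] + k) % P
    return coeffs

def receiver_eval(coeffs, v):
    """Receiver side: Horner evaluation of f at the recomputed share v'."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * v + c) % P
    return acc

def demo():
    k = secrets.randbelow(P)
    # Constructed stand-ins for v_i = H_1(e(rQ_i, d_S)); no pairing is computed here.
    shares = [secrets.randbelow(P) for _ in range(3)]
    coeffs = sender_coefficients(k, shares)
    # Reordering the receiver list yields the same coefficients, so the
    # broadcast carries no per-user slot that a receiver has to locate.
    assert sender_coefficients(k, shares[::-1]) == coeffs
    return k, [receiver_eval(coeffs, v) for v in shares]

if __name__ == "__main__":
    key, recovered = demo()
    print(all(r == key for r in recovered))
```

A value that is not one of the shares evaluates to $k$ minus a nonzero product, so it does not return $k$.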