Abstract: A broadcast encryption scheme allows a user to encrypt a message to N recipients with a ciphertext whose size scales sublinearly with N. While broadcast encryption enables succinct encrypted broadcasts, it also introduces a strong trust assumption and a single point of failure; namely, there is a central authority who generates the decryption keys for all users in the system. Distributed broadcast encryption offers an appealing alternative where there is a one-time (trusted) setup process that generates a set of public parameters. Thereafter, users can independently generate their own public keys and post them to a public-key directory. Moreover, anyone can broadcast an encrypted message to any subset of user public keys with a ciphertext whose size scales sublinearly with the size of the broadcast set. Unlike traditional broadcast encryption, there are no long-term secrets in distributed broadcast encryption and users can join the system at any time (by posting their public key to the public-key directory).
Previously, distributed broadcast encryption schemes were known from standard pairing-based assumptions or from powerful tools like indistinguishability obfuscation or witness encryption. In this talk, I will show how to construct distributed broadcast encryption scheme from the (falsifiable) \ell-succinct LWE assumption introduced by Wee (CRYPTO 2024). Previously, the only lattice-based candidate for distributed broadcast encryption goes through general-purpose witness encryption, which in turn is only known from the private-coin evasive LWE assumption, a strong and non-falsifiable lattice assumption. Along the way, I'll also describe a more direct construction of broadcast encryption from \ell-succinct LWE that does not need any homomorphic evaluation machinery.
Joint work with Jeffrey Champion (www.cs.utexas....)
Part of CMU Workshop on Cryptography 2024 (sites.google.c...)
17 сен 2024
