Document Type

Journal Article


Anonymity is one of the main concerns in group-oriented cryptography. However, most efforts, for instance, group signatures and ring signatures, are only made to provide anonymity on the sender’s side. There are merely few works done to ensure anonymity in a cryptographic sense on the recipient’s side in group-oriented communications. This paper formalizes the notion of group decryption (GD). It can be viewed as an analog of group signatures in the context of public key encryptions. In this notion, a sender can encrypt a committed message intended to any member of a group, managed by a group manager, while the recipient of the ciphertext remains anonymous. The sender can convince a verifier about this fact without leaking the plaintext or the identity of the recipient. If required, the group manager can verifiably open the identity of the recipient. We propose an efficient GD scheme that is proven secure in the random oracle model. The overhead in both computation and communication is independent of the group size. A full ciphertext is about 0.2K bytes in a typical implementation and the scheme is practical.