Anonymous Broadcast Encryption
One implicit requirement of the standard setting of broadcast encryption is that, whenever the digital content is encrypted and sent in broadcast, information about the set of authorized receivers is necessary to decrypt it correctly. Therefore, the set of authorized receivers is transmitted as part of the ciphertext. This in particular implies that an eavesdropper, even if unable to recover the message, can still easily discover the identities of the actual receivers of the content.
An interesting variant of the broadcast encryption setting was proposed by Barth, Boneh and Waters in 2006. Therein, the authors introduce the notion of private broadcast encryption scheme, explicitly aiming at protecting the identities of the receivers. As a proof-of-concept, they also suggest both generic and number-theoretic public-key constructions that do not leak any information about the list of authorized receivers, and are secure in the standard model and in the random oracle model, respectively. The proposed schemes, however, have communication complexity linear in the number of recipients.
In , Fazio and Perera propose the first broadcast encryption scheme with sublinear ciphertexts to achieve meaningful guarantees of receiver anonymity. In particular,  puts forth the notion of outsider-anonymous broadcast encryption (oABE), a class of schemes that enjoy a degree of anonymity lying between the lack of protection characteristic of traditional broadcast encryption schemes on one end, and full anonymity on the other end. More specifically, in the oABE setting, recipient identities are hidden from users not authorized to receive the message, but individual recipients might be able to learn who else is getting the same message. The work of  contains a generic oABE construction based on any anonymous identity-based encryption scheme (AIBE). Additionally, by adapting the techniques of Barth et al., Fazio and Perera obtain an efficient construction with enhanced decryption, where for a given oABE ciphertext, the decryption algorithm executes a single (AIBE) decryption operation.
In , Fazio and Perera also present a variant of the scheme with even shorter ciphertexts (linear in the number of revoked users), at a price on the other parameters, most notably user storage and decryption complexity.
The results in  have applications to the secure distribution of tactical data in military missions with ad-hoc team formation, which are discussed in .
 N. Fazio and I.M. Perera.Outsider-Anonymous Broadcast Encryption with Sublinear Ciphertexts. In the 15th IACR International Conference on Practice and Theory of Public-Key Cryptography (PKC '12), pp. 225--242, LNCS 7293, Springer 2012.
 N. Fazio and I.M. Perera.Outsider-Anonymous Broadcast Encryption with Sublinear Ciphertexts. Journal version of . In submission to the Journal of Cryptology, 2012.
 N. Fazio and I.M. Perera.Protecting Receivers Identities in Secure Data Distribution. To appear in the Annual Conference of International Technology Alliance (ACITA '12).
This research is supported in part by the National Science Foundation under Grant CNS #1117675 and by the U.S. Army Research Laboratory and the U.K. Ministry of Defence and was accomplished under Agreement Number W911NF-06-3-0001. This project was also partially sponsored by PSC-CUNY Awards 63356-00 41 and 64578-00 42, jointly funded by The Professional Staff Congress and The City University of New York.