International Association for Cryptologic Research
A group encryption scheme allows anyone to form a ciphertext for a given group member while keeping the receiver's identity private. At the same time, the encryptor is capable of proving that some (anonymous) group member is able to decrypt the ciphertext and, optionally, that the corresponding plaintext satisfies some a priori relation (to prevent sending bogus messages). Finally, in case of a dispute, the identity of the intended receiver can be recovered by a designated authority. In this paper, the authors abstract a generic approach to construct group encryption schemes. They also introduce several new implementation tricks. As a result, they obtain group encryption schemes that significantly improve the state of the art. Both interactive and non-interactive constructions are considered.