Ad-Hoc Threshold Broadcast Encryption with Shorter Ciphertexts

In a threshold broadcast encryption scheme, a sender chooses (ad-hoc) a set of n receivers and a threshold t, and then encrypts a message by using the public keys of all the receivers, in such a way that the original plaintext can be recovered only if at least t receivers cooperate. This kind of scheme has many applications in mobile ad-hoc networks, characterized by their lack of infrastructure as well as for the high dynamism of their nodes. Threshold broadcast encryption schemes are much more appropriate for mobile ad-hoc scenarios than standard threshold public key encryption schemes, where the set of receivers and the threshold for decryption must be known in advance (and remain the same for the rest of the protocol). Previously proposed threshold broadcast encryption schemes have ciphertexts which contain at least n group elements. In this paper, we propose a new scheme where the ciphertexts contain essentially n − t group elements. The construction uses secret sharing techniques and the ElGamal public key cryptosystem as basic tools. We formally prove the security of the scheme, by reduction to the security of ElGamal cryptosystem.