## CryptoDB

### Paper: Group Encryption: Full Dynamicity, Message Filtering and Code-Based Instantiation

Authors: Khoa Nguyen Reihaneh Safavi-Naini Willy Susilo Huaxiong Wang Yanhong Xu Neng Zeng Search ePrint Search Google Slides Group encryption (\textsf{GE}), introduced by Kiayias, Tsiounis and Yung (Asiacrypt'07), is the encryption analogue of group signatures. It allows to send verifiably encrypted messages satisfying certain requirements to certified members of a group, while keeping the anonymity of the receivers. Similar to the tracing mechanism in group signatures, the receiver of any ciphertext can be identified by an opening authority - should the needs arise. The primitive of \textsf{GE} is motivated by a number of interesting privacy-preserving applications, including the filtering of encrypted emails sent to certified members of an organization. This paper aims to improve the state-of-affairs of \textsf{GE} systems. Our first contribution is the formalization of fully dynamic group encryption (\textsf{FDGE}) - a \textsf{GE} system simultaneously supporting dynamic user enrolments and user revocations. The latter functionality for \textsf{GE} has not been considered so far. As a second contribution, we realize the message filtering feature for \textsf{GE} based on a list of $t$-bit keywords and $2$ commonly used policies: permissive'' - accept the message if it contains at least one of the keywords as a substring; prohibitive'' - accept the message if all of its $t$-bit substrings are at Hamming distance at least $d$ from all keywords, for $d \geq 1$. This feature so far has not been substantially addressed in existing instantiations of \textsf{GE} based on DCR, DDH, pairing-based and lattice-based assumptions. Our third contribution is the first instantiation of GE under code-based assumptions. The scheme is more efficient than the lattice-based construction of Libert et al. (Asiacrypt'16) - which, prior to our work, is the only known instantiation of \textsf{GE} under post-quantum assumptions. Our scheme supports the $2$ suggested policies for message filtering, and in the random oracle model, it satisfies the stringent security notions for \textsf{FDGE} that we put forward.
##### BibTeX
@article{pkc-2021-31008,
title={Group Encryption: Full Dynamicity, Message Filtering and Code-Based Instantiation},
booktitle={Public-Key Cryptography - PKC 2021},
publisher={Springer},
author={Khoa Nguyen and Reihaneh Safavi-Naini and Willy Susilo and Huaxiong Wang and Yanhong Xu and Neng Zeng},
year=2021
}