Threshold Public-Key Encryption with Adaptive Security and Short Ciphertexts

Threshold public-key encryption (TPKE) allows a set of users to decrypt a ciphertext if a given threshold of authorized users cooperate. Existing TPKE schemes suffer from either long ciphertexts with size linear in the number of authorized users or can only achieve non-adaptive security. A non-adaptive attacker is assumed to disclose her target attacking set of users even before the system parameters are published. The notion of non-adaptive security is too weak to capture the capacity of the attackers in the real world. In this paper, we bridge these gaps by proposing an efficient TPKE scheme with constant-size ciphertexts and adaptive security. Security is proven under the decision Bilinear Diffie-Hellman Exponentiation (BDHE) assumption in the standard model. This implies that our proposal preserves security even if the attacker adaptively corrupts all the users outside the authorized set and some users in the authorized set, provided that the number of corrupted users in the authorized set is less than a threshold. We also propose an efficient tradeoff between the key size and the ciphertext size, which gives the first TPKE scheme with adaptive security and sublinear-size public key, decryption keys and ciphertext.