Paper 2025/342

Traceable Threshold Encryption without Trusted Dealer

Jan Bormet, TU Darmstadt
Jonas Hofmann, TU Darmstadt
Hussien Othman, TU Darmstadt
Abstract

The fundamental assumption in $t$-out-of-$n$ threshold encryption is that the adversary can only corrupt less than $t$ parties. Unfortunately, it may be unfounded in practical scenarios where shareholders could be incentivized to collude. Boneh, Partap, and Rotem (Crypto'24) recently addressed the setting where $t$ or more shareholders work together to decrypt illegally. Inspired by the well-established notion of traitor tracing in broadcast encryption, they added a traceability mechanism that guarantees identifying at least one of the colluders. They provide several constructions that enable traceability, all of which require a trusted dealer to distribute the secret shares. While the trusted dealer can be replaced with a DKG for conventional threshold encryption, it is unclear how to do so without compromising traceability. As thresholdizing is meant to mitigate a single point of failure, a natural question that remains is: Can we construct an efficient traceable threshold encryption scheme that does not rely on a trusted party to distribute the secret shares? In this paper, we achieve two dealerless traceable threshold encryption constructions with different merits by extending the PLBE primitive of Boneh et al. (Eurocrypt'06) and combining it with the silent setup threshold encryption construction of Garg et al. (Crypto'24). Our first construction achieves an amortized ciphertext of size $O(1)$ (for $O(n)$ ciphertexts). Our second construction achieves constant ciphertext size even in the worst case but requires a less efficient preprocessing phase as a tradeoff. Both our constructions enjoy a constant secret key size and do not require any interaction between the parties. An additional restriction in the constructions of Boneh et al. is that they can only guarantee to find at least one colluder, leaving techniques to identify more traitors as an open problem. In this paper, we take a first step towards solving this question by formalizing a technique and applying it to our first construction. Namely, our first construction enables tracing $t$ traitors.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
traceabilitythreshold encryption
Contact author(s)
jan bormet @ tu-darmstadt de
jonas hofmann1 @ tu-darmstadt de
hussien othman @ gmail com
History
2025-02-25: approved
2025-02-24: received
See all versions
Short URL
https://ia.cr/2025/342
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2025/342,
      author = {Jan Bormet and Jonas Hofmann and Hussien Othman},
      title = {Traceable Threshold Encryption without Trusted Dealer},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/342},
      year = {2025},
      url = {https://eprint.iacr.org/2025/342}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.