Paper 2022/256

Multi-Designated Receiver Signed Public Key Encryption

Ueli Maurer, ETH Zurich
Christopher Portmann, Concordium
Guilherme Rito, ETH Zurich

This paper introduces a new type of public-key encryption scheme, called Multi-Designated Receiver Signed Public Key Encryption (MDRS-PKE), which allows a sender to select a set of designated receivers and both encrypt and sign a message that only these receivers will be able to read and authenticate (confidentiality and authenticity). An MDRS-PKE scheme provides several additional security properties which allow for a fundamentally new type of communication not considered before. Namely, it satisfies consistency---a dishonest sender cannot make different receivers receive different messages---off-the-record---a dishonest receiver cannot convince a third party of what message was sent (e.g., by selling their secret key), because dishonest receivers have the ability to forge signatures---and anonymity---parties that are not in the set of designated receivers cannot identify who the sender and designated receivers are. We give a construction of an MDRS-PKE scheme from standard assumptions. At the core of our construction lies yet another new type of public-key encryption scheme, which is of independent interest: Public Key Encryption for Broadcast (PKEBC) which provides all the security guarantees of MDRS-PKE schemes, except authenticity. We note that MDRS-PKE schemes give strictly more guarantees than Multi-Designated Verifier Signatures (MDVS) schemes with privacy of identities. This in particular means that our MDRS-PKE construction yields the first MDVS scheme with privacy of identities from standard assumptions. The only prior construction of such schemes was based on Verifiable Functional Encryption for general circuits (Damgård et al., TCC '20).

Note: Changes: - Rewrote: Proof that ElGamal PKE scheme is tightly secure under DDH. - The proof in the previous version was wrong. - Modified the proof of Theorem 2, establishing the Robustness of the PKEBC scheme construction: added a game-hop where the public keys of all parties are assumed to be distinct. - The previous proof implicitly assumed that all parties have distinct PKEBC public keys, and did not prove this. - Corrected a few other minor typos. The claims of the paper remain unaffected by these changes.

Available format(s)
Public-key cryptography
Publication info
A major revision of an IACR publication in EUROCRYPT 2022
ConsistencyOff-The-RecordEncryption SchemesDesignated ReceiverSignatures
Contact author(s)
maurer @ inf ethz ch
chportma @ gmail com
guilherme teixeira rito @ gmail com
2023-03-13: revised
2022-03-02: received
See all versions
Short URL
Creative Commons Attribution


      author = {Ueli Maurer and Christopher Portmann and Guilherme Rito},
      title = {Multi-Designated Receiver Signed Public Key Encryption},
      howpublished = {Cryptology ePrint Archive, Paper 2022/256},
      year = {2022},
      doi = {10.1007/978-3-031-07085-3_22},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.