(2026-05) Adaptively-Secure Flexible and Identity-Based Broadcast Encryption from Decomposed LWE
2026-05-02
Broadcast encryption (BE) allows a sender to succinctly encrypt a message to any dynamically chosen subset of recipients. The gold-standard for BE is optimal succinctness (parameters independent of the number of users) and adaptive security, and attaining both from falsifiable post-quantum assumptions has been a central open problem. Recently, Goyal and Yadugiri (GY) gave the first adaptively-secure and optimally-succinct slotted distributed BE under a falsifiable lattice assumption, but their techniques inherently require an a-priori bound on the number of users and a slotted user structure. Two highly-sought-after generalizations thus remained open: flexible BE (FBE), where users asynchronously sample and register their own keys; and identity-based BE (IBBE), where a trusted authority issues keys for identities drawn from a super-polynomially large space.
In this work, we present the first adaptively-secure FBE and IBBE schemes with all parameter sizes independent of the number of users, both under the same falsifiable lattice assumption (decomposed LWE) and in the same model (Random Oracle Model) as the prior state-of-the-art for slotted distributed BE. Our FBE additionally enjoys a transparent setup, in line with the trustless ethos motivating distributed and flexible BE. At the technical heart of our results, we extend the equivocal encryption framework of GY to capture unbounded and dynamic broadcast systems, and introduce Equivocal Matrix Commitments---a strengthening of matrix commitments that supports adaptive equivocation of the committed matrix. We expect this new abstraction to find broader applications in designing adaptively-secure trustless lattice-based encryption.