International Association
for Cryptologic Research

To date, Anamorphic Cryptography [EC22] has been developed to support adding a hidden messages within a ciphertext of an allowed cryptosystem on a channel from the sender to the receiver, even hidden from a strong adversary that possesses the receiver's key and/or determined the sent primary message. We expand this one-to-one encrypted anamorphic communication to one-to-many anamorphism, naturally assuming communication over a broadcast channel. What we show is that using a previously designed public key system, two things can happen: First, the receiver of an added hidden message may be a party different from the actual receiver (i.e., a shadow party) who has initially collaborated with the sender. Secondly, and perhaps more surprisingly, the receiving party need not be a singleton, and can be a number of different shadow (i.e., anonymous) groups, each receiving a different message anamorphically, where all these messages are extracted from a single receiver ciphertext. The idea of having multiple hidden channels to different shadow groups is highly handy if, for example, the anamorphic messages are warnings with operational instructions, sent to the groups and will be received by a group even if the adversary is able to temporarily cut off all but one members of a channel. More specifically, we achieve the following: - First we motivate and formalize the notion of Public-Key Encryption with an Anamorphic Broadcast Mode. - We then present, as an initial result of an independent interest, the first lattice-based construction of Anonymous Multi-Channel Broadcast Encryption. It is important to note here that all Multi-Channel Broadcast schemes to date are in the pairing-based setting (and are, thus, insecure against quantum adversaries). - Finally, we show how to transform a strong form of anonymity (where the ciphertext also hides the number of channels) into a system with anamorphism in the multi-channel broadcast setting for the well-known Dual Regev Public-Key Encryption scheme. Specifically, we show that, given the public key $\pk$ for the Dual Regev encryption scheme, and a sequence of $\ell$ messages for the $\ell$ channels of broadcast scheme, it is possible to create a ciphertext that will carry the $\ell$ messages and is also a legitimate ciphertext for $\pk$.