I have a group of subscribers who are subscribed to a message broker in an IoT setting, let's say to the topic 'sensor/temperature'. Now, I want to create a public/private key pair in such a way that only the subscribers are capable of generating the pair, while the broker remains unaware of it. The publisher will encrypt the message using the public key, broadcast the encrypted message with the assistance of the broker, and only the subscribers will possess the ability to decrypt the message.
I have explored group signatures but determined that they may not be suitable for this scenario, particularly considering the need for revocation. When a user is revoked, both the private and public keys should be refreshed, rendering the revoked user unable to decrypt subsequent messages.
I thought of using a set-membership zero-knowledge proof with an ephemeral public key, but that requires the subscriber to interact directly with the publisher, and the decoupling ensured by the publish/subscribe model is no longer there. Also, it will be very inefficient, since every time a subscriber is revoked the remaining subscribers will have to give a proof of membership again, and the publisher will have to encrypt the message for every single subscriber using their ephemeral public keys.
I have also looked into MPC and joint computation as potential solutions. However, I am still working on obtaining a clear understanding of this concept. If you have any insights or suggestions regarding suitable paradigms or approaches for achieving this goal, I would greatly appreciate your input.