Suppose there are $n$ users each with public/private key pair $(pk_i,sk_i)$ $i=1,\cdots,n$. Is there any scheme that I can encrypt $m$ using the set of public keys $(pk_1,\cdots,pk_n)$, and can decrypt it using any $sk_i$? That is $C=Enc_{(pk_1,\cdots,pk_n)}(m)$ and $m=Dec_{any\ sk_i}(C)$.
This is meaningful when these $n$ users are just a small portion of a group of $N$ users. A bit like "ring encryption" (opposite to ring signature). Thank you!
This is in no way practical, but it's relatively easy to describe a scheme.
If the public key contains (or allow easy derivation of) a unique prime (just has to be unique among the recipients - If every recipient knows the public key of any other recipient, and public keys can be ordered, we can use the first $n$ primes.), say $r_i$, you can use: $$ C=\prod_{i=1}^n r_i^{\operatorname{enc}_{pk_i}(m)} $$ (where $\operatorname{enc}$ is the function for encrypting to one recipient).
Then for decryption you "just" need to determine factor $C$ and determine the highest power of $r_i$ that divides it, and put the exponent into the function for decryption to one recipient.
I haven't tried to prove that it isn't easier to break this than to break than to break the scheme it's based on. I can't see why it would be though, and given how impractical this is, I don't think it matters much.
This is doable under RSA.
For clarity, I'm going to rename the number of users to be $u$ and the total number of users to $U$, since mod $n$ is important in RSA.
I'm going to use the following notations for RSA:
A message M is transformed via padding to an integer $m$.
Under standard RSA the message would be encrypted as $m^e$ mod $n$. The recipient would then decrypt by performing $(m^e)^d$ mod $n$. $e$ and $n$ make up the public key. $d$ is the private key.
We're going to establish some minimal value, $n_{\min}$ (which is sufficiently large). All the users will have the exact same value for $e$. Each will then generate their own $n_i \geq n_{\min}$ so that $e$ is "legal" for it (i.e., if $n_i=p_iq_i$, then $e < \lambda(n_i)=lcm(p_i-1,q_i-1)$ and $e$ is co-prime to $\lambda(n_i)$). Each will have their own private key $d_i$.
In order to send a message $M$ it is padded to an integer $0 \leq m < n_{\min}$. Let $N = \prod n_i$ (it's actually sufficient to take $N$ as the lcm of all the $n_i$ for the users receiving the message, but of course the sender doesn't know the factors of the $n_i$). Then the encrypted message is $m^e$ mod $N$.
Let the encrypted message be $x$. Then, there exists some $c$ such that $m^e = cN + x$. Therefore $m^e$ mod $n_i$ is $x$ for all $i$. Thus, $(m^e)^{d_i}$ mod $n_i$ is $m$ for all $i$.
Threats to validity: if $N$ is so large that w.h.p $m^e < N$, then any other user could decrypt the message, since $m^e$ would be plaintext. To avoid this, the padding scheme should ensure that $m$ is sufficiently large. Similarly we may need $e$ to be sufficiently large to support groups of up to $R$ users. For simplicity, if we assume that $n$ is of length $b$-bits, then we need that $e\log m >> Rb$. While HÃ¥stad's broadcast attack shouldn't be relevant, one can take $e > R$ in any case to be on the safe side.
While some messages may be encrypted to short lengths, the output is likely to be about as large as $\log N$ which would be $ub$ - where $b$ is the bit-size for the $n$'s (e.g. let $n_\min=2^b$ and let all the $n_i$'s be $b$ bits long). It's an open and interesting question if we could somehow transform the output so that it's on the order of $b$ bits (after all, the number of messages we have is $n_\min$). For example, if we could compactly encode an additional multiplier $c$ such that $cm^e$ is small, and that we could easily divide out $c$.
I think the most straight forward and obvious solution is using the standard practices of Public-key cryptography and encrypting the same key with all the public keys that you want to grant access to.
And encrypt m with that key.
Say $k$ is your key to encrypt the message $m$. Store such an array: $\{E_k(m), (pk_1,E_{pk_1}(k)), (pk_2,E_{pk_2}(k)), ... \}$
And any interested party, owning a private key key for any $pk_i$ can decrypt the respective tuple and get $k$ and decrypt the ciphertext stored at position $0$
