Next Article in Journal
Age Estimation-Based Soft Biometrics Considering Optical Blurring Based on Symmetrical Sub-Blocks for MLBP
Previous Article in Journal
Q-Conditional Symmetries and Exact Solutions of Nonlinear Reaction–Diffusion Systems
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Anonymous Multi-Receiver Identity-Based Authenticated Encryption with CCA Security

Department of Computer Science and Engineering, National Sun Yat-sen University, No. 70, Lienhai Road, Kaohsiung 804, Taiwan
*
Author to whom correspondence should be addressed.
Symmetry 2015, 7(4), 1856-1881; https://doi.org/10.3390/sym7041856
Submission received: 12 September 2015 / Revised: 30 September 2015 / Accepted: 8 October 2015 / Published: 16 October 2015

Abstract

:
In a multi-receiver encryption system, a sender chooses a set of authorized receivers and sends them a message securely and efficiently, as the message is well encrypted and only one ciphertext corresponding to the message is generated no matter how many receivers the sender has chosen. It can be applied to video conferencing systems, pay-per-view channels, remote education, and so forth. Due to privacy considerations, an authorized receiver may not expect that his identity is revealed. In 2010, anonymous multi-receiver identity-based (ID-based) encryption was first discussed, and furthermore, many works on the topic have been presented so far. Unfortunately, we find that all of those schemes fail to prove the chosen ciphertext attacks (CCA) security in either confidentiality or anonymity. In this manuscript, we propose the first anonymous multi-receiver ID-based authenticated encryption scheme with CCA security in both confidentiality and anonymity. In the proposed scheme, the identity of the sender of a ciphertext can be authenticated by the receivers after a successful decryption. In addition, the proposed scheme also is the first CCA-secure one against insider attacks. Moreover, only one pairing computation is required in decryption.

Graphical Abstract

1. Introduction

Multi-receiver encryption makes it possible for a sender to compute and transmit only one ciphertext corresponding to a message for multiple receivers. It greatly decreases communication cost, so that it is popular among some advanced services, such as video conferencing, pay-per-view TV [1,2,3] and remote education. In order to prevent unauthorized access, messages are encrypted, and the encryption keys change every session. When a new member joins the communication group, the system will assign a long-term key to him, and the key will be revoked once the member leaves the group. The system must deal with key management effectively. Another important issue in such services is the authentication of the sender, which can guarantee the source and legality of the digital products. Many researchers focused on this topic and have proposed interesting results [4,5,6].
In 2001, Boneh and Franklin [7] first proposed an ID-based encryption scheme from the Weil pairing. In 2005, Du et al. [6] presented an ID-based broadcast encryption scheme for key distribution. They used matrix operations for encryption and decryption. In 2005, Wang and Wu [5] proposed an ID-based multicast encryption scheme, which has a key generation center and a group center. No users need any computation during the rekeying process. However, the sender must be the group center. In the same year, Baek et al. [4] proposed a multi-receiver ID-based encryption scheme along with a formal definition and security model for this kind of scheme. They proved the security in the selective ID model using random oracles [8]. Their second scheme was employed in the REACT technique proposed by Okamoto and Pointcheval [9].
In some situations, such as ordering sensitive TV programs, the customers may expect that their identities are not revealed. In consideration of protecting users’ privacy, Fan et al. [10] first introduced the concept of anonymous mutli-receiver ID-based encryption (AMRIBE) in 2010. They also proposed a multi-receiver ID-based encryption scheme using Lagrange interpolating polynomials in order to achieve anonymity for every receiver such that nobody knows who the receivers are except the sender. However, Chien [11] pointed out that Fan et al.’s scheme does not hold the anonymity. An attacker can identify the identity of a receiver. Chien indicated that the security model defined in [10] does not cover all of the multi-receiver environments. Additionally, he also proposed an improved AMRIBE scheme.
Recently, many results of AMRIBE have been proposed [11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31]. After examining these results, however, we find that none of them satisfies the CCA (chosen ciphertext attacks) security in both confidentiality and anonymity. A major reason is that they are vulnerable to the insider attacks in anonymity, that is a selected receiver, called an insider, can derive the identities of the other receivers selected by the sender in those schemes.
Therefore, in view of the aforementioned reasons, we propose a novel type of multi-receiver encryption called anonymous multi-receiver identity-based authenticated encryption (AMRIBAE). A concrete encryption scheme has also been proposed, which achieves the CCA security in both confidentiality and anonymity, such that it is immune to not only outsider (i.e., unselected receiver) but insider attacks, as well. Let t be the number of the selected receivers of a ciphertext. In our scheme, even if the unselected receivers collude with any ( t - 1 ) selected receivers, the anonymity of the non-colluding selected receiver is still preserved. Furthermore, we also prove that the proposed scheme achieves sender authentication, i.e., the identity of the sender of a ciphertext can be confirmed by the selected receivers. In addition, we provide complete proofs with problem reduction to formally demonstrate the CCA security. Furthermore, our scheme is decryption efficient due to only one pairing computation.

Anonymous Multi-Receiver ID-Based Encryption vs. Anonymous Dynamic Broadcast ID-Based Encryption

In [32], Delerablée et al. introduced the concept of dynamic broadcast encryption. In a dynamic broadcast encryption system, a sender can arbitrarily select some or all of the users who have enrolled in the system as the receivers of a ciphertext that he or she is about to generate, and it is unnecessary for the system to re-compute the private keys of the enrolled users whenever a new user joins the system. A multi-receiver encryption system can also achieve this; however, a non-dynamic broadcast encryption system cannot. In a non-dynamic system, all of the enrolled users should be the receivers of every ciphertext in the system, that is the receiver set contains all enrolled users, and it is always fixed for every ciphertext. In addition, the receiver set should be determined before private key generation, which will imply that the private keys of all enrolled users must be re-computed whenever a new user joins the non-dynamic system. Although a non-dynamic broadcast encryption scheme [33,34,35] might not be as flexible as a dynamic one, those schemes usually provide shorter ciphertext or constant-size ciphertext. Besides, in an ID-based encryption system, the identities of the users also act as their public keys, which will largely simplify the management of the public keys as compared to a non-ID-based one, such as [36].
This research will aim at anonymous multi-receiver ID-based encryption, which can be regarded as anonymous dynamic broadcast ID-based encryption. In this manuscript, we will discuss dynamic and ID-based schemes [10,11,14,16,18,19,20,21,23,25,26,27,28,29,31] and compare them to our work.

2. Related Works

In order to protect users’ privacy, Fan et al. [10] first introduced anonymous multi-receiver identity-based encryption (AMRIBE) in 2010. Their scheme was constructed by using Lagrange interpolating polynomials. However, it cannot achieve anonymity against outside and inside attackers. The cryptanalysis on Fan et al.’s scheme [10] has been presented in [11,13,25].
In 2012, Wang et al. proposed an AMRIBE scheme [25] by improving Fan et al.’s scheme. Unfortunately, their scheme did not achieve anonymity against inside attackers. The cryptanalysis on Wang et al.’s scheme [25] has been shown in [17,29]. In the same year, Tseng et al. proposed an AMRIBE scheme and claimed that their scheme is CCA secure in both confidentiality and anonymity [21,22]. However, we found that they demonstrated the security without considering all possible attackers. In the proof of the security, they assume that the attacker must compute the symmetric encryption/decryption key corresponding to the challenge ciphertext before it wins the CCA game. That is to say, the proof does not cover the type of attackers that win the CCA game, but have not computed the key of the challenge ciphertext. The details are shown in the Appendix.
In 2013, Zhang and Takagi proposed two AMRIBE schemes [31]. They designed a deployment in an e-mail delivery system and provided some experimental results. However, their first scheme cannot achieve anonymity against inside attackers [28], and they did not provide any security proof for their second scheme. Besides, Zhang and Mao proposed an improved AMRIBE scheme [28] based on Zhang et al.’s scheme [31] in 2013. They claimed that their scheme has the CCA security. However, we have found some mistakes in their security proofs due to the inconsistency between a hash function and the hash oracle corresponding to the function, where the details are shown in the Appendix.
In 2014, there were three AMRIBE schemes [23,26,27] proposed by Tseng et al., Wang and Zhang et al., respectively. Nevertheless, we have found some mistakes in their security proof, and the details are shown in the Appendix.
The other works [11,12,14,16,18,19,20,29] either have the CPA (chosen plaintext attacks) security only or have not provided the proof for the security. The security of all of the above schemes has been summarized in Section 6 Table 3.

3. Preliminaries

In this section, we define anonymous multi-receiver ID-based authenticated encryption and review some hard problems and assumptions. In addition, we propose a modified decisional bilinear Diffie–Hellman (DBDH) assumption, called the M-DBDH assumption, and prove that the assumption holds if the 1-weak decisional bilinear Diffie–Hellman inversion (1-wDBDHI) problem is hard.
Definition 1. An anonymous multi-receiver identity-based authenticated encryption (AMRIBAE) scheme consists of the following algorithms:
-
Setup is an algorithm that takes as input a security parameter l. It returns a master secret key m s k and system parameters p a r a m s .
-
KeyExtract is an algorithm that takes as input p a r a m s , m s k and a user’s identity I D i { 0 , 1 } * and then returns the secret key d i of the user.
-
Encrypt is an algorithm that takes as input p a r a m s , a message M, the identity I D s of the sender, the private key d s of the sender and an identity set { I D 1 , I D 2 , , I D t } and returns a ciphertext C. We write C = E n c r y p t ( p a r a m s , I D s , I D 1 , I D 2 , , I D t , M , d s ) .
-
Decrypt is an algorithm that takes as input p a r a m s , a ciphertext C and the secret key d i of user I D i and returns a message M. We write M = D e c r y p t ( p a r a m s , C , d i ) .
Let G 1 and G 2 be two cyclic groups of prime order q, P be a generator of G 1 and e : G 1 × G 1 G 2 be a bilinear mapping.
Definition 2 (The Bilinear Diffie–Hellman (BDH) Problem). Given ( P , a P , b P , c P ) for some random a , b , c Z q * , compute e ( P , P ) a b c .
Definition 3 (The Decisional Bilinear Diffie–Hellman (DBDH) Problem). Given ( P , a P , b P , c P , Z ) for some random a , b , c Z q * and Z R { e ( P , P ) a b c , Y R G 2 e ( P , P ) a b c } , decide if Z = e ( P , P ) a b c .
Definition 4 (The DBDH Assumption [7]). Define that an algorithm A with output β { 0 , 1 } has advantage ϵ in solving the DBDH problem if:
P r [ A ( P , a P , b P , c P , e ( P , P ) a b c ) = 1 ] - P r [ A ( P , a P , b P , c P , Z ) = 1 ] ϵ
where a , b , c R Z q * and Z R { e ( P , P ) a b c , Y R G 2 e ( P , P ) a b c } . We say that the DBDH assumption holds if no polynomial-time algorithm has a non-negligible advantage in solving the DBDH problem.
Definition 5 (The l-Weak Decisional Bilinear Diffie–Hellman Inversion (l-wDBDHI) Problem [37]).
Given ( P , Y , c P , Z ) , where Z R { e ( P , P ) b l + 1 c , Y R G 2 e ( P , P ) a b c } and Y = ( b P , b 2 P , , b l P ) , decide if Z = e ( P , P ) b l + 1 c .
Definition 6 (The l-Weak Decisional Bilinear Diffie–Hellman Inversion (l-wDBDHI) Assumption [37]).
Define that an algorithm A with output β { 0 , 1 } has advantage ϵ in solving the l-wDBDHI problem if:
P r [ A ( P , Y , c P , e ( P , P ) b l + 1 c ) = 1 ] - P r [ A ( P , Y , c P , Z ) = 1 ] ϵ .
We say that the l-wDBDHI assumption holds if there exists no polynomial-time adversary that has a non-negligible advantage in solving the l-wDBDHI problem.
Definition 7 (The Modified Decisional Bilinear Diffie–Hellman (M-DBDH) Problem). Given ( P , a P , b P , c P , e ( P , P ) b 2 c , Z ) for some random a , b , c Z q * and Z R { e ( P , P ) a b c , Y R G 2 e ( P , P ) a b c } , decide if Z = e ( P , P ) a b c . Define that an algorithm A with output β { 0 , 1 } has advantage ϵ in solving the M-DBDH problem if:
P r [ A ( P , a P , b P , c P , e ( P , P ) b 2 c , e ( P , P ) a b c ) = 1 ] - P r [ A ( P , a P , b P , c P , e ( P , P ) b 2 c , Z ) = 1 ] ϵ
where a , b , c R Z q * and Z R { e ( P , P ) a b c , Y R G 2 e ( P , P ) a b c } .
Theorem 8. No polynomial-time algorithm has a non-negligible advantage in solving the M-DBDH problem if the 1-wDBDHI assumption holds.
Proof. If there exists a polynomial-time algorithm A with non-negligible advantage ϵ in solving the M-DBDH problem, then we can construct a polynomial-time algorithm B with non-negligible advantage in solving the 1-wDBDHI problem as follows. Given a 1-wDBDHI instance ( P , b P , c P , Z ) , B forms an M-DBDH instance via the following operations:
  • Randomly choose a Z q * , and compute a P .
  • Compute Z 1 = e ( b P , c P ) a .
  • Set the M-DBDH instance as ( P , a P , b P , c P , Z , Z 1 ) , and input it into A .
Let β be the output of A . B will confirm that Z = e ( P , P ) b 2 c by outputting one as the answer of the 1-wDBDHI instance if β = 1 ; otherwise, B will output zero.
Since:
P r [ A ( P , a P , b P , c P , e ( P , P ) b 2 c , e ( P , P ) a b c ) = 1 ] - P r [ A ( P , a P , b P , c P , e ( P , P ) b 2 c , W ) = 1 ] ϵ
where W R { e ( P , P ) a b c , X R G 2 e ( P , P ) a b c } ,
| P r [ A ( P , a P , b P , c P , e ( P , P ) b 2 c , e ( P , P ) a b c ) = 1 ] - 1 2 |
P r [ A ( P , a P , b P , c P , e ( P , P ) b 2 c , e ( P , P ) a b c ) = 1 ] - P r [ A ( P , a P , b P , c P , e ( P , P ) b 2 c , W ) = 1 ] ϵ .
Let T R { e ( P , P ) b 2 c , X R G 2 e ( P , P ) a b c } . Thus, we have that:
| P r [ B ( P , b P , c P , e ( P , P ) b 2 c ) = 1 ] - P r [ B ( P , b P , c P , T ) = 1 ] |
= P r [ A ( P , a P , b P , c P , e ( P , P ) b 2 c , e ( P , P ) a b c ) = 1 ]
- ( 1 2 P r [ B ( P , b P , c P , e ( P , P ) b 2 c ) = 1 ]
+ 1 2 P r [ B ( P , b P , c P , X ) = 1 ] )
= | 1 2 P r [ A ( P , a P , b P , c P , e ( P , P ) b 2 c , e ( P , P ) a b c ) = 1 ] - 1 4 | ϵ 2 .
It turns out that the polynomial-time algorithm B has a non-negligible advantage ϵ 2 in solving the 1-wDBDH problem. ☐
Definition 9 (The M-DBDH Assumption). We say that the M-DBDH assumption holds if no polynomial-time algorithm has non-negligible advantage in solving the M-DBDH problem.
By Theorem 8, the M-DBDH assumption holds.

4. Our Scheme

In this section, we will present an anonymous multi-receiver identity-based authenticated encryption scheme with provable CCA security in both confidentiality and anonymity against not only outsider, but also insider attacks. Our scheme can be viewed as a key encapsulation mechanism. The notations used in the proposed scheme are defined in Table 1.
Table 1. The notations.
Table 1. The notations.
NotationMeaning
G 1 a cyclic additive group of prime order q
G 2 a cyclic multiplicative group of prime order q
ea bilinear mapping; e : G 1 × G 1 G 2
Pa generator of G 1
KGCthe key generation center
P p u b the public key of KGC
Ma message
I D i the identity of user i
Q i the hashed value of I D i
d i the private key of I D i
The proposed scheme is described as follows.
  • Setup
    The key generation center (KGC) performs the following operations:
    • Choose an integer α Z q * randomly as the master secret key, and set P p u b = α P .
    • Choose three cryptographic one-way hash functions, H : { 0 , 1 } * G 1 , H 1 : G 2 Z q * , and H 2 : { 0 , 1 } * × Z q * Z q * .
    • Compute Ω = e ( P , P ) .
    • Publish the system parameters p a r a m s = { G 1 , G 2 , e , q , P , P p u b , H , H 1 , H 2 , Ω } and keep the master key α secret.
  • KeyExtract
    When user i joins the system, KGC will compute Q i = H ( I D i ) and the private key d i = α Q i of the user, and then, KGC will send d i to user i in a secure manner.
  • Encrypt
    A sender, say I D s , produces the ciphertext of a message by performing the following steps:
    • Choose a message M G 2 , and select a set of t receivers { I D 1 , , I D t } .
    • Choose k Z q * at random, and compute r = H 2 ( M , k ) .
    • For i = 1 to t, compute Q i = H ( I D i ) and v i = H 1 ( e ( r Q i , d s ) ) .
    • Compute f ( x ) = k - i = 1 t ( x - v i ) = i = 0 t - 1 c i x i + x t mod q .
    • Compute U = r P , V = r Q s and W = M · Ω - k .
    • Set the ciphertext C = ( c 0 , c 1 , , c t - 1 , U , V , W , I D s ) .
  • Decrypt
    After receiving the ciphertext C = ( c 0 , c 1 , , c t - 1 , U , V , W , I D s ) , a selected receiver, say I D i , can decrypt C as follows.
    • Compute v i = H 1 ( e ( V , d i ) ) .
    • Compute k = f ( v i ) = j = 0 t - 1 c j ( v i ) j + ( v i ) t mod q .
    • Compute M = W · Ω k .
    • Accept M if U = H 2 ( M , k ) P . If the receiver wants to authenticate the identity of the sender, he can check whether e ( U , H ( I D s ) ) = e ( V , P ) .
The proposed scheme also is illustrated in Figure 1, and the correctness is demonstrated as follows.
v i = H 1 ( e ( V , d i ) ) = H 1 ( e ( r Q s , α Q i ) ) = H 1 ( e ( r Q i , α Q s ) ) = H 1 ( e ( r Q i , d s ) ) = v i
and
k = f ( v i ) = f ( v i ) = k .
Thus, the selected receiver I D i can successfully recover the message by computing M = W · Ω k = W · Ω k = M , so that U = H 2 ( M , k ) P = H 2 ( M , k ) P .
After successfully recovering the message, we have e ( V , d i ) = ( r H ( I D s ) , α Q i ) = e ( r Q i , α Q s ) = e ( r Q i , d s ) for some identity I D s , which convinces the receiver that the ciphertext is encrypted with the private key of I D s . Additionally, the equation e ( U , H ( I D s ) ) = e ( V , P ) can guarantee that V = r Q s = r H ( I D s ) , which means I D s = I D s . This feature makes it possible for the receivers to authenticate the sender of the ciphertext they received. Besides, according to [38], in an anonymous multi-receiver encryption scheme, the length of a ciphertext will at least linearly grow with the number of the receivers. Thus, the ciphertext length of our scheme might be optimal in the aspect of [38].
Figure 1. The proposed anonymous multi-receiver identity-based authenticated encryption (AMRIBAE) scheme.
Figure 1. The proposed anonymous multi-receiver identity-based authenticated encryption (AMRIBAE) scheme.
Symmetry 07 01856 g001

5. Security Models and Proofs

In this section, we will define the security models and the security notions for anonymous multi-receiver identity-based authenticated encryption. The security notions are the “indistinguishability of encryptions under selective multi-ID, chosen-ciphertext attacks” (IND-sMID-CCA) and the “anonymous indistinguishability of encryptions under selective multi-ID, chosen-ciphertext attacks” (Anon-sMID-CCA). We then will prove that our proposed scheme is provably CCA secure in confidentiality and anonymity against insider and outsider attacks.
Definition 10 (The IND-sMID-CCA Game). Let A be a polynomial-time attacker. A interacts with a simulator S in the following game.
Initialization. A chooses a set of identities I D * = { I D 1 * , I D 2 * , , I D t * } and sends I D * to S .
Setup. S runs the Setup algorithm to generate p a r a m s and m s k . S then sends p a r a m s to A .
Phase 1. A issues the following queries.
-
Hash query: S operates hash functions on the inputs given by A and returns the hashed values.
-
KeyExtract ( I D i ): A sends an identity I D i to S and S returns the private key of I D i where KeyExtract ( I D j ) cannot be queried if I D j I D * .
-
Encrypt ( I D s , I D 1 , , I D u , M ): A sends a sender’s identity I D s , a receiver set { I D 1 , , I D u } and a message M to S . S returns a ciphertext C to A .
-
Decrypt ( C , I D i ): A sends an identity I D i and a ciphertext C to S , and S returns the message M.
Challenge. A submits a sender’s identity I D s and ( M 0 , M 1 ) to S , with restrictions that M 0 , M 1 are two distinct messages of the same length, I D s I D * , and KeyExtract ( I D s ) has not been queried before. S then randomly chooses β { 0 , 1 } and generates C * = Encrypt ( I D s , I D 1 * , , I D t * , M β ) . Finally, S sends C * to A .
Phase 2. A issues the queries defined in Phase 1, excluding the Decrypt queries with C = C * and I D i I D * and the query KeyExtract ( I D s ).
Guess. Finally, A outputs β { 0 , 1 } and wins the game if β = β .
The advantage of A winning the game is defined as:
Adv I N D - s M I D - C C A ( A ) = | P r [ β = β ] - 1 2 | .
An anonymous multi-receiver identity-based authenticated encryption scheme is said to be IND-sMID-CCA secure if there exists no polynomial-time attacker that can win the IND-sMID-CCA game with non-negligible advantage. The model of this game is shown in Figure 2.
Figure 2. The indistinguishability of encryptions under selective multi-ID, chosen-ciphertext attacks (IND-sMID-CCA) game.
Figure 2. The indistinguishability of encryptions under selective multi-ID, chosen-ciphertext attacks (IND-sMID-CCA) game.
Symmetry 07 01856 g002
Definition 11 (The Anon-sMID-CCA Game). Let A be a polynomial-time attacker. A interacts with a simulator S in the following game.
Initialization. A chooses two identities { I D 0 * , I D 1 * } and sends them to S .
Setup. S runs the Setup algorithm to generate p a r a m s and m s k . S then sends p a r a m s to A .
Phase 1. A issues the following queries.
-
Hash query: S operates hash functions on the inputs given by A and returns the hashed values.
-
KeyExtract ( I D i ): A sends an identity I D i to S , and S returns the private key of I D i where neither KeyExtract ( I D 0 * ) nor KeyExtract ( I D 1 * ) can be queried.
-
Encrypt ( I D s , I D 1 , , I D u , M ): A sends a sender’s identity I D s , a receiver set { I D 1 , , I D u } and a message M to S . S returns a ciphertext C to A .
-
Decrypt ( C , I D i ): A sends an identity I D i and a ciphertext C to S , and S returns the message M.
Challenge. A submits a sender’s identity I D s , a message M and a set of identities { I D 2 , I D 3 , , I D t } to S with restrictions that I D s { I D 0 * , I D 1 * } and KeyExtract ( I D s ) has not been queried before. S then randomly chooses β { 0 , 1 } and generates C * = Encrypt ( I D s , I D β * , I D 2 , , I D t , M ) . Finally, S sends C * to A .
Phase 2. A issues the queries defined in Phase 1, excluding Decrypt ( C * , I D 0 * ), Decrypt ( C * , I D 1 * ) and KeyExtract ( I D s ).
Guess. Finally, A outputs β { 0 , 1 } and wins the game if β = β .
The advantage of A winning the game is defined as:
Adv A n o n - s M I D - C C A ( A ) = | P r [ β = β ] - 1 2 | .
An anonymous multi-receiver identity-based authenticated encryption scheme is said to be Anon-sMID-CCA secure if there exists no polynomial-time attacker that can win the Anon-sMID-CCA game with non-negligible advantage. The model of this game is shown in Figure 3.
Note that there is a restriction that KeyExtract ( I D s ) cannot be queried in both the IND-sMID-CCA game and the ANON-sMID-CCA game. This is to model that the adversary cannot collude with the sender, since the confidentiality and the anonymity will be meaningless when the collusion happens.
Figure 3. The anonymous (Anon)-sMID-CCA game.
Figure 3. The anonymous (Anon)-sMID-CCA game.
Symmetry 07 01856 g003
Definition 12 (The Sender Authentication Game). Let A be a polynomial-time attacker. A interacts with a simulator S in the following game.
Initialization. A chooses two identities { I D s * , I D R * } and sends them to S .
Setup. S runs the Setup algorithm to generate p a r a m s and m s k . S then sends p a r a m s to A .
Phase 1. A issues the following queries.
-
Hash query: S operates hash functions on the inputs given by A and returns the hashed values.
-
KeyExtract ( I D i ): A sends an identity I D i to S and S returns the private key of I D i where neither KeyExtract ( I D s * ) nor KeyExtract ( I D R * ) can be queried.
-
Encrypt ( I D s , I D 1 , , I D u , M ): A sends a sender’s identity I D s , a receiver set { I D 1 , , I D u } and a message M to S . S returns a ciphertext C to A .
-
Decrypt ( C , I D i ): A sends an identity I D i and a ciphertext C to S , and S returns the message M.
Forgery. A outputs a ciphertext C * with restrictions that the sender is I D s * and I D R * is one of the receivers, and C * was not outputted by querying the Encrypt oracle. A wins the game if C * is a valid ciphertext.
The advantage of A winning the game is defined as:
Adv S A ( A ) = P r [ D e c r y p t ( C , I D R * ) ] .
An anonymous multi-receiver identity-based authenticated encryption scheme is said to satisfy sender authentication if there exists no polynomial-time attacker that can win the sender authentication game with non-negligible advantage. The model of this game is shown in Figure 4.
Figure 4. The sender authentication game.
Figure 4. The sender authentication game.
Symmetry 07 01856 g004
Theorem 13. (Confidentiality) The proposed AMRIBAE scheme is IND-sMID-CCA secure in the random oracle model if the M-DBDH assumption holds.
Proof. The basic concept of the proof is a proof by contradiction. Assume that the proposed scheme is not IND-sMID-CCA secure, i.e., there exists a polynomial-time adversary A that wins the IND-sMID-CCA game with non-negligible advantage. Then, we will construct a polynomial-time algorithm S that has non-negligible advantage in solving the M-DBDH problem.
First, S is given < q , G 1 , G 2 , e , P , a P , b P , c P , e ( P , P ) b 2 c , Z > , which is an instance of the M-DBDH problem. S simulates the game for A as follows:
Initialization. A outputs a target identity set I D * = { I D 1 * , , I D t * } .
Setup. S sets P p u b = c P , computes Ω = e ( P , P ) and outputs { G 1 , G 2 , e , q , P , P p u b , H , H 1 , H 2 , Ω } as the public parameters where H , H 1 and H 2 are three random oracles controlled by S .
Phase 1. S maintains H-list, H 1 -list and H 2 -list to store the results of querying H , H 1 and H 2 , respectively. In this phase, A can issue the following queries:
-
H-query:
This oracle takes an identity I D j { 0 , 1 } * as input. If there exists a record ( I D j , Q j , q j ) in H-list, return Q j . Otherwise, do the following:
  • Randomly select q j Z q * .
  • If I D j I D * , compute Q j = q j ( b P ) ; else Q j = q j P .
  • Return Q j , and add ( I D j , Q j , q j ) into H-list.
-
H 1 -query:
This oracle takes X j as input, where X j G 2 . If there exists a record ( X j , v j ) in H 1 -list, return v j . Otherwise, do the following:
  • Randomly choose v j Z q * .
  • Add ( X j , v j ) to H 1 -list.
  • Return v j .
-
H 2 -query:
This oracle takes M j G 2 and an integer k j Z q * as input. If there exists a record ( M j , k j , r j , U j ) in H 2 -list, return r j . Otherwise, do the following:
  • Randomly choose r j Z q * , and compute U j = r j P .
  • Add ( M j , k j , r j , U j ) to H 2 -list.
  • Return r j .
-
KeyExtract:
This oracle takes an identity I D j as input. Call H ( I D j ) and retrieve q j from H-list. Then, S does the following:
-
If I D j I D * , return “reject”.
-
Otherwise, compute d j = q j ( c P ) and return d j .
-
Encrypt:
This oracle takes u + 1 identities ( I D s , I D 1 , , I D u ) and a message M as input. Upon receiving an Encryptquery, S does the following:
  • Choose k , r Z q * at random, and set H 2 ( M , k ) = r .
  • For i = 1 to u,
    -
    if I D s I D * , compute v i = H 1 ( e ( Q i , d s ) r ) , where d s is the private key of the sender I D s ;
    -
    if I D s I D * and I D i I D * , compute v i = H 1 ( e ( d i , Q s ) r ) , where d i is the private key of the receiver I D i ;
    -
    if I D s , I D i I D * , compute v i = H 1 ( ( e ( P , P ) b 2 c ) r q s q i ) .
  • Compute f ( x ) = k - i = 1 u ( x - v i ) = i = 0 u - 1 c i x i + x u mod q .
  • Compute U = r P , V = r Q s , and W = M · e ( P , P ) - k .
  • Set the ciphertext C = ( c 0 , c 1 , , c u - 1 , U , V , W , I D s ) , and return C.
-
Decrypt:
This oracle takes an identity I D j and a ciphertext C as input. Upon receiving a Decryptquery, denoted by Decrypt ( C , I D j ) where C = ( c 0 , , c u - 1 , U , V , W , I D s ) , S does the following:
  • Search H 2 -list to get ( M i , k i , r i , U i ) with U i = U . If not found, return “reject”.
  • Search H-list to get ( I D s , Q s , q s ) with e ( U , Q s ) = e ( P , V ) . If not found, return “reject”.
  • This step can be separated into three cases:
    -
    if I D s I D * , compute v j = H 1 ( e ( Q j , d s ) r i ) ;
    -
    if I D s I D * and I D j I D * , compute v j = H 1 ( e ( d j , Q s ) r i ) ;
    -
    if I D s , I D j I D * , compute v j = H 1 ( ( e ( P , P ) b 2 c ) r i q s q j ) .
  • Compute k = c 0 + c 1 v j + + c u - 1 v j u - 1 + v j u mod q .
  • Check whether k i = k and M i = W · Ω k or not. If not, return “reject”. Otherwise, return M i .
Challenge. A sends ( M 0 , M 1 ) and a sender’s identity I D s to S , with restrictions that M 0 , M 1 are two distinct messages with the same length, I D s I D * , and KeyExtract ( I D s ) has never been queried. S performs the following operations:
  • Choose β { 0 , 1 } randomly.
  • For i = 1 to t, call H ( I D i * ) , and retrieve q i * from H-list.
  • Call H ( I D s ) , and retrieve q s from H-list.
  • Choose k Z q * , and set U * = a P and V * = q s ( a P ) .
  • For i = 1 to t, compute v i = H 1 ( Z q i * q s ) .
  • Compute f ( x ) = k - i = 1 t ( x - v i ) = i = 0 t - 1 c i x i + x t mod q and W * = M β · Ω - k .
  • Set the ciphertext C * = ( c 0 , c 1 , , c t - 1 , U * , V * , W * , I D s ) , and send C * to A .
Phase 2. A makes queries as those in Phase 1. However, if A issues a Decrypt query with input C = C * and I D i I D * or the query KeyExtract ( I D s ), S will return “reject”.
Guess. Finally, A outputs β { 0 , 1 } . If β = β , then S outputs one. Otherwise, S randomly chooses β ¯ { 0 , 1 } and outputs β ¯ .
If Z = e ( P , P ) a b c , then Z q i * q s = e ( P , P ) a b c q i * q s = e ( q i * ( b P ) , q s ( c P ) ) a = e ( Q i * , d s ) a for i = 1 to t. Therefore, C * is a correct ciphertext. Otherwise, Z is an element randomly chosen in G 2 . As the construction above, S correctly simulates the IND-sMID-CCA game. If A wins the IND-sMID-CCA game with non-negligible advantage, at least ϵ, * P r [ β = β ] - 1 2 ϵ under a correct simulation of the game, i.e., | P r [ A ( Ω ) = β = β ] - 1 2 ϵ , where Ω is a correct AMRIBAE scheme. Thus, we have that:
| P r [ S ( P , a P , b P , c P , e ( P , P ) b 2 c , e ( P , P ) a b c ) = 1 ]
= P r [ A ( Ω ) = β ] + 1 2 ( 1 - P r [ A ( Ω ) = β ] )
= 1 2 P r [ A ( Ω ) = β ] + 1 2
and
P r [ S ( P , a P , b P , c P , e ( P , P ) b 2 c , Z ) = 1 ]
= 1 2 P r [ S ( P , a P , b P , c P , e ( P , P ) b 2 c , e ( P , P ) a b c ) = 1 ]
+ 1 2 P r [ S ( P , a P , b P , c P , e ( P , P ) b 2 c , X R G 2 e ( P , P ) a b c ) = 1 ]
= 1 2 ( 1 2 P r [ A ( Ω ) = β ] + 1 2 ) + 1 2 ( 1 2 + 1 2 · 1 2 )
= 1 4 P r [ A ( Ω ) = β ] + 5 8 .
We can obtain:
P r [ S ( P , a P , b P , c P , e ( P , P ) b 2 c , e ( P , P ) a b c ) = 1 ] - P r [ S ( P , a P , b P , c P , e ( P , P ) b 2 c , Z ) = 1 ]
= | 1 4 P r [ A ( Ω ) = β ] - 1 8 = 1 4 | P r [ A ( Ω ) = β ] - 1 2 | ϵ 4 .
Therefore, S solves the M-DBDH problem with non-negligible advantage ϵ 4 within polynomial time. ☐
Theorem 13 ensures the CCA security of confidentiality against the outside attackers (unselected receivers). In confidentiality, no inside attackers exist (selected receivers), because every selected receiver can decrypt the ciphertext.
Theorem 14. (Anonymity) The proposed AMRIBAE scheme is Anon-sMID-CCA secure in the random oracle model if the M-DBDH assumption holds.
Proof. Assume that the proposed scheme is not Anon-sMID-CCA secure, that is there exists a polynomial-time adversary A that wins the Anon-sMID-CCA game with non-negligible advantage. We will construct a polynomial-time algorithm S that has non-negligible advantage in solving the M-DBDH problem.
First, S is given < q , G 1 , G 2 , e , P , a P , b P , c P , e ( P , P ) b 2 c , Z > , which is an instance of the M-DBDH problem. S simulates the game for A as follows:
Initialization. A outputs a target identity set I D * = { I D 0 * , I D 1 * } .
Setup. S sets P p u b = c P , computes Ω = e ( P , P ) and outputs { G 1 , G 2 , e , q , P , P p u b , H , H 1 , H 2 , Ω } as the public parameters, where H , H 1 and H 2 are three random oracles controlled by S .
Phase 1. S maintains H-list, H 1 -list and H 2 -list to store the results of querying H , H 1 and H 2 , respectively. In this phase, A can issue the H, H 1 , H 2 , KeyExtract, Encrypt and Decrypt queries. The simulations are the same as those in the proof of Theorem 13.
Challenge. A sends a message M, t - 1 receivers’ identities { I D 2 , I D 3 , , I D t } and a sender’s identity I D s to S with restrictions that I D s I D * and KeyExtract ( I D s ) has never been queried. S does the following:
  • Choose β { 0 , 1 } randomly.
  • For i = 2 to t, call H ( I D i ) , and retrieve q i from H-list.
  • Call H ( I D β * ) , and retrieve q β * from H-list.
  • Call H ( I D s ) , and retrieve q s from H-list.
  • Choose k Z q * , and set U * = a P and V * = q s ( a P ) .
  • For i = 2 to t, compute v i = H 1 ( e ( q i U * , q s ( c P ) ) ) .
  • Compute v β = H 1 ( Z q β * q s ) .
  • Compute f ( x ) = k - ( x - v β ) i = 2 t ( x - v i ) = i = 0 t - 1 c i x i + x t mod q and W * = M · Ω - k .
  • Set the ciphertext C * = ( c 0 , c 1 , , c t - 1 , U * , V * , W * , I D s ) and send C * to A .
Phase 2. A makes queries as those in Phase 1. However, if A issues a Decrypt query with input C = C * and I D i I D * or KeyExtract ( I D s ), S will return “reject”.
Guess. Finally, A outputs β { 0 , 1 } . If β = β , then S outputs one. Otherwise, S randomly chooses β ¯ { 0 , 1 } and outputs β ¯ .
If Z = e ( P , P ) a b c , then Z q β * q s = e ( P , P ) a b c q β * q s = e ( q β * ( b P ) , q s ( c P ) ) a = e ( Q β * , d s ) a for β { 0 , 1 } . Therefore, C * is a correct ciphertext. Otherwise, Z is an element randomly chosen in G 2 . As the construction above, S correctly simulates the Anon-sMID-CCA game. If A wins the game with non-negligible advantage at least ϵ, * P r [ β = β ] - 1 2 ϵ under a correct simulation of the game, i.e., * P r [ A ( Ω ) = β = β ] - 1 2 ϵ , where Ω is a correct AMRIBAE scheme. Thus, we have that:
P r [ S ( P , a P , b P , c P , e ( P , P ) b 2 c , e ( P , P ) a b c ) = 1 - P r [ S ( P , a P , b P , c P , e ( P , P ) b 2 c , Z ) = 1 ]
= | ( 1 2 P r [ A ( Ω ) = β ] + 1 2 ) - ( 1 4 P r [ A ( Ω ) = β ] + 5 8 ) |
= | 1 4 P r [ A ( Ω ) = β ] - 1 8 | = 1 4 | P r [ A ( Ω ) = β ] - 1 2 | ϵ 4 .
Therefore, S solves the M-DBDH problem with non-negligible advantage ϵ 4 within polynomial time. ☐
Theorem 14 guarantees the CCA security of anonymity against both the outside attackers (unselected receivers) and the inside attackers (selected receivers) in the proposed scheme. In other words, even if an adversary compromises with any t - 1 receivers, the anonymity of the remaining receiver is still preserved in the proposed scheme. In this proof, we do not cover the following extreme case. Assume that the total number of users in the system is N. The extreme case occurs when a user (sender) encrypts a message for other N - 2 selected users (receivers), so that there would be only one unselected user, and this unselected user can no doubt figure out the identities of the N - 2 receivers.
Theorem 15. (Sender authentication) The proposed AMRIBAE scheme satisfies sender authentication in the random oracle model if the DBDH assumption holds.
Proof. Assume that there exists a polynomial-time adversary A that wins the sender authentication game with non-negligible advantage. Then, we will construct a polynomial-time algorithm S that has non-negligible advantage in solving the DBDH problem.
First, S is given < q , G 1 , G 2 , e , P , a P , b P , c P , Z > , which is an instance of the DBDH problem. S simulates the game for A as follows:
Initialization. A outputs an identity set I D * = { I D s * , I D R * } .
Setup. S sets P p u b = c P , computes Ω = e ( P , P ) and outputs { G 1 , G 2 , e , q , P , P p u b , H , H 1 , H 2 , Ω } as the public parameters, where H , H 1 and H 2 are three random oracles controlled by S .
Phase 1. S maintains H-list, H 1 -list and H 2 -list to store the results of querying H , H 1 and H 2 , respectively. In this phase, A can issue the following queries:
-
H-query:
This oracle takes an identity I D j { 0 , 1 } * as input. If there exists a record ( I D j , Q j , q j ) in H-list, return Q j . Otherwise, do the following:
  • Randomly select q j Z q * .
  • If I D j = I D s * , compute Q j = q j ( a P ) ; else if I D j = I D R * , compute Q j = q j ( b P ) ; else Q j = q j P .
  • Return Q j and add ( I D j , Q j , q j ) into H-list.
-
The simulation of H 1 -query and H 2 -query are the same as those in the proof of Theorem 13.
-
KeyExtract:
This oracle takes an identity I D j as input. Call H ( I D j ) , and retrieve q j from H-list. Then, S does the following:
-
If I D j I D * , return “reject”.
-
Otherwise, compute d j = q j ( c P ) , and return d j .
-
Encrypt:
This oracle takes u + 1 identities ( I D s , I D 1 , , I D u ) and a message M as input. Upon receiving an Encrypt query, S does the following:
  • Choose k , r Z q * at random, and set H 2 ( M , k ) = r .
  • For i = 1 to u,
    -
    if I D s I D * , compute v i = H 1 ( e ( Q i , d s ) r ) , where d s is the private key of the sender I D s ;
    -
    if I D s I D * and I D i I D * , compute v i = H 1 ( e ( d i , Q s ) r ) , where d i is the private key of the receiver I D i ;
    -
    if I D s , I D i I D * , compute v i = H 1 ( Z r q s q i ) .
  • Compute f ( x ) = k - i = 1 u ( x - v i ) = i = 0 u - 1 c i x i + x u mod q .
  • Compute U = r P , V = r Q s and W = M · Ω - k .
  • Set the ciphertext C = ( c 0 , c 1 , , c u - 1 , U , V , W , I D s ) , and return C.
-
Decrypt:
This oracle takes an identity I D j and a ciphertext C as input. Upon receiving a Decrypt query, denoted by Decrypt ( C , I D j ) , where C = ( c 0 , , c u - 1 , U , V , W , I D s ) , S does the following:
  • Search H 2 -list to get ( M i , k i , r i , U i ) with U i = U . If not found, return “reject”.
  • Search H-list to get ( I D s , Q s , q s ) with e ( U , Q s ) = e ( P , V ) . If not found, return “reject”.
  • This step can be separated into three cases:
    -
    if I D s I D * , compute v j = H 1 ( e ( Q j , d s ) r i ) ;
    -
    if I D s I D * and I D j I D * , compute v j = H 1 ( e ( d j , Q s ) r i ) ;
    -
    if I D s , I D j I D * , compute v j = H 1 ( Z r i q s q j ) .
  • Compute k = c 0 + c 1 v j + + c u - 1 v j u - 1 + v j u mod q .
  • Check whether k i = k and M i = W · Ω k or not. If not, return “reject”. Otherwise, return M i .
Forgery. Finally, A outputs C * = ( c 0 , c 1 , , c t - 1 , U * , V * , W * , I D s * ) , where C * was not outputted by querying the Encrypt oracle. Then, S performs the following.
  • Search H 2 -list to get ( M i , k i , r i , U i ) with U i = U * .
  • Call H ( I D s * ) and H ( I D R * ) to retrieve q s * and q R * from H-list.
  • Compute v = H 1 ( Z q s * q R * r i ) .
  • Compute k = c 0 + c 1 v + + c t - 1 v t - 1 + v t mod q .
  • Check whether k i = k and M i = W · Ω k or not. If it is, A wins the game.
S outputs 1 if A wins the game. Otherwise, S outputs 0. Assume A wins the game with a non-negligible advantage at least ϵ under a correct simulation. To analyze the advantage of solving the DBDH problem, we define the following events.
  • E 1 : The game has been correctly simulated.
  • E 2 : A wins the game.
Then, we have that:
P r [ S ( P , a P , b P , c P , e ( P , P ) a b c ) = 1 ]
= P r [ E 1 E 2 ] = P r [ E 1 ] P r [ E 2 | E 1 ]
1 · ϵ = ϵ
and
P r [ S ( P , a P , b P , c P , e ( P , P ) a b c ) = 1 ] - P r [ S ( P , a P , b P , c P , Z ) = 1 ]
= | 1 2 P r [ S ( P , a P , b P , c P , e ( P , P ) a b c ) = 1 ] | 1 2 ϵ .
Therefore, S solves the DBDH problem with non-negligible advantage ϵ 2 within polynomial time. ☐
Theorem 15 guarantees that the proposed scheme satisfies sender authentication. In other words, even if an adversary compromises with any t - 1 receivers, the adversary cannot impersonate a sender to send a valid ciphertext.

6. Comparisons

In this section, we compare the proposed scheme to [10,11,14,16,18,19,20,21,23,25,26,27,28,29] and [31] in performance and security. According to [39,40,41] and [42], we can obtain that T p 5 T e , T s 29 T m , T e 240 T m , T h 23 T m and T a 0 . 12 T m , shown in Table 2, which summarizes the comparison in the computation cost of encryption/decryption and the ciphertext length for multiple receivers. Especially, our scheme is efficient in decryption.
The security comparison is shown in Table 3. The schemes of [11,29] and the second scheme of [31] lack the proofs for confidentiality and anonymity. The scheme [19] did not provide the proof for anonymity, but it is CPA secure in confidentiality. The schemes [14,16,18] and [20] are CPA secure in both confidentiality and anonymity, where the proof of [20] is under a standard model. The scheme [10] is CCA secure in confidentiality, but it is not with anonymity, which has been indicated in [11,13,25]. The scheme of [25] and the first scheme of [31] are CCA secure in confidentiality and anonymity against outsider attacks; however, the authors of [17,29] and [28], respectively, have shown that they are not with anonymity against insider attacks. In addition, we demonstrate that there exist some problems in the proofs of the schemes [21,22,23,26,27,28], where the details are shown in the Appendix. Our scheme is the first one that can achieve the CCA security under the random oracle model against outside attackers and inside attackers simultaneously. The confidentiality and anonymity of our scheme have been formally proven in Section 5.
Table 2. Performance comparison.
Table 2. Performance comparison.
Encryption CostDecryption CostCiphertext Length
[10] ( 2 t + 3 ) T h + 2 t T m + ( t 2 + 2 ) T s 4 T h + ( t + 2 ) T s
+ ( t 2 - t ) T a + t T p o l y + T p + T e + t T a + 2 T p ( t + 2 ) u + w
( 29 t 2 + 48 t + 1567 ) T m + t T p o l y ( 29 t + 2550 ) T m
[11] ( 2 t + 1 ) T h + ( t + 1 ) T s + t T p t T h + t T s + t T p ( t + 2 ) u + w
( 1275 t + 52 ) T m 1252 t T m
[25] ( 2 t + 3 ) T h + 2 t T m + ( 2 t 2 + t + 1 ) T s 4 T h + ( 2 t + 2 ) T s
+ 2 ( t 2 - t ) T a + t T p o l y + T p + t T e + 2 t T a + 2 T p ( 2 t + 2 ) u + w
( 58 t 2 + 317 t + 1298 ) T m + t T p o l y ( 58 t + 2550 ) T m
[21] ( t + 1 ) T h + 2 T s + t T p + T p o l y T h + t T m + T p t | q | + u + w
( 1223 t + 1223 ) T m + T p o l y ( t + 1223 ) T m
[18] ( t + 2 ) T s + ( t + 1 ) T p + T C R T T p t | q | + 2 u + w
( 1229 t + 1258 ) T m + T C R T 1200 T m
[16] t T h + ( t + 1 ) T e + ( 2 t + 5 ) T s + ( t + 1 ) T e T h + T e + t ( 2 T p + T e + T s ) ( t + 2 ) u + w
( 1251 t + 1585 ) T m ( 2669 t + 1223 ) T m
[29] ( 2 t + 4 ) T h + 2 t T m + ( t 2 + t + 1 ) T s 4 T h + ( t + 1 ) T s
+ 2 ( t 2 - t ) T a + t T p o l y + T p + t T e + t T a + 2 t T p ( 2 t + 2 ) u + w
( 29 t 2 + 317 t + 1233 ) T m + t T p o l y ( 2429 t + 121 ) T m
[31]-Scheme 1 ( t + 1 ) T h + 2 t T e + 2 T s ( t + 1 ) T h + T s
+ t T a + 2 t T p + T a + 2 T p ( t + 2 ) u + w
( 1703 t + 1281 ) T m ( 23 t + 2452 ) T m
[31]-Scheme 2 ( t + 1 ) T h + 2 t T e + 2 T s ( t + 1 ) T h + T s
+ t T a + 2 t T p + T a + 2 T p ( t + 2 ) u + w
( 1703 t + 1281 ) T m ( 23 t + 2452 ) T m
[14] ( 2 t + 1 ) T h + ( 3 t + 2 ) T s
+ T e + n T a t ( T p + T a + T h ) ( t + 1 ) v + w
( 133 t + 1281 ) T m 1223 t T m
[19] t T h + t 2 T m + ( t + 4 ) T s T h + T p o l y
+ ( t + 1 ) T e + T p o l y + 2 T a + ( t + 1 ) T s + 4 T p ( t + 3 ) u + v
( t 2 + 1252 t + 1316 ) T m ( 29 t + 4852 ) T m + T p o l y
[28] ( 2 t + 1 ) T h + ( t + 1 ) T m
+ t T e + ( 2 t + 2 ) T s ( t + 1 ) T h + ( t + 1 ) T p + t T s ( t + 2 ) u + w
( 1305 t + 82 ) T m ( 1252 t + 1223 ) T m
[20] t T h + ( t + 1 ) T m + ( t 2 + 1 ) T s T h + T m + T e
+ ( t 2 - t ) | I D | T a + T e + t T p o l y + t T a + t T s + 2 T p ( t + 1 ) u + v
( 29 t 2 + 24 t + 270 ) T m + t T p o l y ( 29 t + 2664 ) T m
[23] ( 3 t + 1 ) T h + 2 T s + t T p 2 T h + T e ( t + 1 ) u + | q | + w
( 1269 t + 81 ) T m 1246 T m
[27] ( 2 t + 2 ) T h + 4 T s + t T p + T p o l y 3 T h + t T m + 3 T p + T s + T a t | q | + 3 u + | I D |
( 1246 t + 162 ) T m + T p o l y ( t + 3698 ) T m
[26] ( t + 2 ) T h + ( t + 2 ) T s + t T p 4 T h + t T s + T e ( t + 2 ) u + w
( 1252 t + 104 ) T m ( 29 t + 1292 ) T m
Ours ( 2 t + 1 ) T h + 4 T s + t T p + T p o l y 2 T h + t T m + T p + T s t | q | + 2 u + v
( 1246 t + 139 ) T m + T p o l y ( t + 1275 ) T m
Tp: the cost of a pairing operation; •Th: the cost of a hash operation; •Tm: the cost of a modular multiplication in Z q * ; •Te: the cost of a modular exponentiation in Z q * ; •Ts: the cost of a scalar multiplication in an additive group or an exponentiation in a multiplicative group; •Ta: the cost of an addition in an additive group or a multiplication in a multiplicative group; •Tpoly: the cost of constructing a polynomial; •TCRT: the cost of applying the Chinese remainder theorem; •t: the number of receivers; •|ID|: the bit length of an identity; •q: a large prime; •u: the bit length of an element in an additive group; •v: the bit length of an element in a multiplicative group; •w: the bit length of a symmetric encryption key.
Table 3. Properties comparison. CPA, chosen plaintext attack.
Table 3. Properties comparison. CPA, chosen plaintext attack.
ConfidentialityAnonymitySecurityModelSender Authentication
OutsiderInsider
[10]CCAROMNo
[11]No
[25]CCACCAROMNo
[21,22]ROMNo
[18]CPACPACPAROMNo
[29]No
[16]CPACPACPAROMNo
[31]-Scheme 1CCACCAROMNo
[31]-Scheme 2No
[14]CPACPACPAROMNo
[19]CPAROMNo
[28]ROMNo
[20]CPACPACPASTDNo
[23]ROMNo
[27]ROMYes
[26]ROMNo
OursCCACCACCAROMYes
△: the authors claimed that their scheme is CCA secure, but it has some security flaws or there exist some problems in the security proofs.

7. Conclusions

In consideration of privacy preservation, Fan et al. first introduced the concept of anonymous multi-receiver identity-based encryption in 2010. Many works on the topic have been proposed recently. It is an interesting topic and worthy of study in both practical and theoretical aspects, because customers always pay much attention to their privacy in modern societies.
However, there is no anonymous multi-receiver identity-based encryption scheme proposed in the literature that possesses complete CCA security. In order to cope with the problem, we have proposed a new anonymous multi-receiver identity-based encryption scheme, which is provably CCA secure in both confidentiality and anonymity against not only outside attackers, but also inside attackers. Furthermore, the proposed scheme has also achieved sender authentication. All of the properties of our scheme are guaranteed based on the DBDH assumption and the M-DBDH assumption, whose hardness has been proven in this paper.

Acknowledgments

This work was partially supported by the Ministry of Science and Technology of the Taiwan under grants MOST 104-2221-E-110-043 and “Aim for the Top University Plan” of the National Sun Yat-sen University and Ministry of Education, Taiwan.

Author Contributions

The authors contributed equally to this work.

Conflicts of Interest

The authors declare no conflict of interest.

Appendix

A.1. Cryptanalysis to Other AMRIBEs

The notations used in this section are shown in Table 4.
Table 4. The notations.
Table 4. The notations.
NotationMeaning
G 1 a cyclic groups of prime order q
G 2 a cyclic groups of prime order q
ea bilinear mapping; e : G 1 × G 1 G 2
Pa generator of G 1
KGCthe key generation center
P p u b the public key of KGC
Mthe message that the sender wants to send
( E k , D k ) a secure symmetric encryption scheme with secret key k
Q i the hash value of I D i

A.1.1. Comment on Tseng et al.’S Scheme [21,22]

In 2012, Tseng et al. proposed an AMRIBE scheme with provable security, which is briefly described and discussed as follows. The detailed description of the scheme and the proofs can be referred to [21].

Comments

The simulation will be terminated when the challenger B receives a five-tuple ( P , Q I D i , P p u b , c P , X j ) from the adversary A and e ( Q I D i , c P p u b ) = X j is true. If so, B will solve the gap-BDH problem by outputting ( X j ) u i - 1 , which equals e ( P , P ) a b c . Since U = c P in the challenge phase, if A can compute X j , it implies that he or she is capable of computing v i = H 1 ( X j ) and getting the symmetric encryption/decryption key k = f ( v i ) corresponding to the challenge ciphertext, and thus, he or she will be able to win the CCA game. However, the proof only aims at the attackers who are capable of getting the key, k, before winning the CCA game. The authors have not considered the attackers who can win the game without getting the key. As a result, their proof does not cover all possible attackers. Besides, the same problem exists in the proof for anonymity, too. Similar situations happen in the schemes of [23,27].

A.1.2. Comment on Tseng et al.’s Scheme [23]

In their proofs, the authors have not considered the attackers who can win the game without getting the key. As a result, their proof does not cover all possible attackers. The comment is similar to that of [21].

A.1.3. Comment on Zhang et al.’s Scheme [27]

In their proofs, the authors have not considered the attackers who can win the game without getting the key. As a result, their proof does not cover all possible attackers. The comment is similar to that of [21].

A.1.4. Comment on Zhang et al.’s Scheme [28]

In 2013, Zhang and Mao proposed an AMRIBE scheme as follows. The details of the scheme and the proofs can be referred to [28].

Comments

In the proof of confidentiality, the H 1 oracle is queried by the adversary with two input elements of G 1 . Additionally, the two elements must be recorded in order to simulate the decryption oracle. However, the hash function H 1 has only one input element of G 2 in the proposed scheme. Therefore, they cannot simulate the decryption oracle successfully, and thus, the proof is incorrect. The same mistake also exists in the proof of anonymity.

A.1.5. Comment on Wang’s Scheme [26]

In 2014, Wang proposed an AMRIBE scheme as follows. The detailed description of the scheme can be referred to [26].

The Simulation of the CCA Game for Confidentiality

We only show the D e c r y p t oracle here.
D e c r y p t : C is given the ciphertext-receiver pair ( C , I D j ) where C = ( R 1 i , , R t i , U 1 i , U 2 i , V i ) . If I D j does not belong to the challenge identity set S a , C gets d i and decrypts C. If I D S a , C looks for the table T H 3 . If there exists the records ( * , R 1 i , , R t i , U 1 i , U 2 i , l * ) , * , l * are default. If * = σ j , C checks whether H ( σ j ) P = ? U 2 i . If it holds, go to the next step. Otherwise, C checks the next record until it holds. Suppose that the satisfied record is * = σ * and the corresponding hash value is l * . C computes M * = D l * ( V i ) . If there exists the record ( M * , σ , U 1 i , U 2 i , z * ) , where z * is default, C returns M * . Otherwise, fail.

Comments

An adversary can make the D e c r y p t oracle perform decryption incorrectly as follows.
  • Choose a receiver set { I D d 1 , I D 2 , , I D t } , where I D d 1 is the target identity.
  • Choose σ , r to compute R d 1 , R 2 , , R t and U 1 as that in the E n c r y p t algorithm of their scheme.
  • Choose σ , M , and compute U 2 = H ( σ ) P , l = H 3 ( σ , R d 1 , R 2 , , R t , U 1 , U 2 ) .
  • Query H 4 ( M , σ , U 1 , U 2 ) .
  • Set V = E l ( M ) and C = ( R d 1 , R 2 , , R t , U 1 , U 2 , V ) .
The ciphertext C is invalid since σ used to compute R i and σ used to compute l and U 2 are not identical, so that the authorized receivers I D 2 , , I D t cannot decrypt C. However, if the adversary queries Decrypt ( C , I D d 1 ) , the simulator will successfully perform the Decrypt oracle and return M.

References

  1. Arul, T.; Shoufan, A. Consumer Opinions on Short-Interval Charging for Pay-TV over IPTV. In Proceedings of the 26th International Conference on Advanced Information Networking and Applications Workshops (WAINA), Fukuoka, Japan, 26–29 March 2012; pp. 147–153.
  2. Msgna, M.G.; Markantonakis, K.; Mayes, K.; Akram, R.N. Subscriber Centric Conditional Access System for Pay-TV Systems. In Proceedings of the 2013 IEEE 10th International Conference on e-Business Engineering (ICEBE), Coventry, UK, 11–13 September 2013; pp. 450–455.
  3. Liu, Y.; Duan, J.; Tang, Q.; Zhang, Y. A Simple and Efficient Re-Scrambling Scheme for DTV Programs. IEEE Trans. Multimed. 2014, 16, 137–146. [Google Scholar] [CrossRef]
  4. Baek, J.; Safavi-Naini, R.; Susilo, W. Efficient Multi-Receiver Identity-Based Encryption and Its Application to Broadcast Encryption. In Proceedings of the 8th International Conference on Theory and Practice in Public Key Cryptography, Les Diablerets, Switzerland, 23–26 January 2005; pp. 380–397.
  5. Wang, L.; Wu, C.K. Efficient identity-based multicast scheme from bilinear pairing. IEEE Proc. Commun. 2005, 152, 877–882. [Google Scholar] [CrossRef]
  6. Du, X.; Wang, Y.; Ge, J.; Wang, Y. An ID-based broadcast encryption scheme for key distribution. IEEE Trans. Broadcast. 2015, 51, 264–266. [Google Scholar] [CrossRef]
  7. Boneh, D.; Franklin, M. Identity-based encryption from the weil pairing. In Proceedings of the 21st Annual International Cryptology Conference, Santa Barbara, CA, USA, 19–23 August 2001; pp. 213–229.
  8. Bellare, M.; Rogaway, P. Random Oracles Are Practical: A Paradigm for Designing Efficient Protocols. In Proceedings of the 1st ACM Conference on Compute and Communications Security, Fairfax, VA, USA, 3–5 November 1993; pp. 62–73.
  9. Okamoto, T.; Pointcheval, D. REACT: Rapid Enhenced-Security Asymmetric Cryptosystem Transform. In Topics in Cryptology CT-RSA 2001; Springer-Verlag Berling Heiderlberg: New York, NY, USA, 2001; pp. 159–175. [Google Scholar]
  10. Fan, C.I.; Huang, L.Y.; Ho, P.H. Anonymous Multireciever identity-based encryption. IEEE Trans. Comput. 2010, 59, 1239–1249. [Google Scholar] [CrossRef]
  11. Chien, H.Y. Improved anonymous multi-receiver identity-based encryption. Comput. J. 2012, 55, 439–446. [Google Scholar] [CrossRef]
  12. Chen, Z.; Li, S.; Wang, C.; Shen, Y. Two constructions of multireceiver encryption supporting constant keys, short ciphertexts, and identity privacy. Int. J. Netw. Secur. 2012, 14, 270–279. [Google Scholar]
  13. Chen, Z.; Li, S.; Wang, C.; Zhang, M. Comments on FHH anonymous multireceiver encryption. Int. J. Netw. Secur. 2014, 16, 285–288. [Google Scholar]
  14. Cui, H.; Mu, Y.; Guo, F. Server-aided identity-based anonymous broadcast encryption. Int. J. Netw. Secur. 2013, 8, 29–39. [Google Scholar] [CrossRef]
  15. Harn, L.; Chang, C.C.; Wu, H.L. An anonymous multi-receiver encryption based on RSA. Int. J. Netw. Secur. 2013, 15, 307–312. [Google Scholar]
  16. Hur, J.; Park, C.; Hwang, S.O. Privacy-preserving identity-based broadcast encryption. Inf. Fusion 2012, 13, 296–303. [Google Scholar] [CrossRef]
  17. Li, H.; Pang, L. Cryptanalysis of Wang et al’s improved anonymous multi-receiver identity-based encryption scheme. IET Inf. Secur. 2013, 8, 8–11. [Google Scholar] [CrossRef]
  18. Muthulakshmi, A.; Anitha, R.; Rohini, S.; Princy, K. Identity Based Privacy Preserving Dynamic Broadcast Encryption for multi-privileged group. In Recent Trends in Computer Networks and Distributed Systems Security; Spring: Berlin Heidelberg, Germany, 2012; Volume 335, pp. 272–282. [Google Scholar]
  19. Pang, L.; Guo, L.; Pei, Q.; Gui, J.; Wang, Y. A new ID-based multi-recipient public-key Encryption Scheme. Chin. J. Electron. 2013, 22, 89–92. [Google Scholar]
  20. Ren, Y.; Niu, Z.; Zhang, X. Fully anonymous identity-based broadcast encryption without random oracles. Int. J. Netw. Secur. 2014, 16, 256–264. [Google Scholar]
  21. Tseng, Y.M.; Huang, Y.H.; Chang, H.J. Privacy-preserving multireceiver ID-based encryption with provable security. Int. J. Commun. Syst. 2014, 27, 1034–1050. [Google Scholar] [CrossRef]
  22. Tseng, Y.M.; Huang, Y.H.; Chang, H.J. CCA-Secure Anonymous Multi-Receiver ID-Based Encryption. In 26th International Conference on Advanced Information Networking and Applications Workshops, Fukuoka, Japan, 26–29 March 2012; pp. 177–182.
  23. Tseng, Y.M.; Tsai, T.T.; Huang, S.S.; Chien, H.Y. Efficient anonymous multi-receiver ID-based encryption with constant decryption cost. In Proceedings of the 2014 International Conference on Information Science, Electronics and Electrical Engineering (ISEEE), Sapporo, Japan, 26–28 April 2014; pp. 131–137.
  24. Wang, H. Insecurity of “Improved Anonymous Multi-Receiver Identity-Based Encryption”. Comput. J. 2013. [Google Scholar] [CrossRef]
  25. Wang, H.; Zhang, Y.; Xiong, H.; Qing, B. Crytanalysis and improvements of an anonymous multi-receiver identity-based encryption scheme. IET Inf. Secur. 2012, 6, 20–27. [Google Scholar] [CrossRef]
  26. Wang, H. Provably Secure Anonymous Multi-receiver Identity-Based Encryption with Shorter Ciphertext. In Proceedings of the 2014 IEEE 12th International Conference on Dependable, Autonomic and Secure Computing (DASC), Dalian, China, 24–27 August 2014; pp. 85–90.
  27. Zhang, B.; Sun, T.; Yu, D. ID-Based Anonymous Multi-Receiver Key Encapsulation Mechanism with Sender Authentication. In Algorithm and Architectures for Parallel Processing; Lecture Notes in Computer Science; Springer-Verlag Berlin Heidelberg: New York, NY, USA, 2014; Volume 8631, pp. 645–658. [Google Scholar]
  28. Zhang, J.; Mao, J. An improved anonymous multi-receiver identity-based encryption Scheme. Int. J. Commun. Syst. 2015, 28, 645–658. [Google Scholar] [CrossRef]
  29. Zhang, J.; Xu, Y. Comment on Anonymous Multi-Receiver Identity-Based Encryption Scheme. In Proceedings of the 4th International Conference on Intelligent Networking and Collaborative Systems, Barcelona, Spain, 19–21 September 2012; pp. 473–476.
  30. Zhang, J.; Xu, Y.; Zou, J. Comment on Wang et al.’s anonymous multi-receiver ID-based encryption scheme and its improved schemes. Int. J. Intell. Inf. Database Syst. 2013, 7, 400–413. [Google Scholar] [CrossRef]
  31. Zhang, M.; Takagi, T. Efficient constructions of anonymous multireceiver encryption protocol and their deployment in group E-Mail systems with privacy preservation. IEEE Syst. J. 2013, 7, 410–419. [Google Scholar] [CrossRef]
  32. Delerablée, C.; Paillier, P.; Pointcheval, D. Fully Collusion Secure Dynamic Broadcast Encryption with Constant-Size or Decryption Keys. In Pairing-Based Cryptography—Pairing 2007; Takagi, T., Ed.; Springer: Berlin, Germany, 2007; Volume 4575, pp. 39–59. [Google Scholar]
  33. Delerablée, C. Identity-Based Broadcast Encryption with Constant Size Ciphertexts and Private Keys. In Advances in Cryptology-EUROCRYPT 2007; Springer: Berlin Heidelberg, Germany, 2007; pp. 200–215. [Google Scholar]
  34. Nelly, F.; Perera, I.M. Outsider-Anonymous Broadcast Encryption with Sublinear Ciphertexts. In Proceedings of the 15th International Conference on Practice and Theory in Public Key Cryptography, Darmstadt, Germany, 21–23 May 2012; pp. 225–242.
  35. Zhang, L.; Wu, Q.; Mu, Y. Anonymous Identity-Based Broadcast Encryption with Adaptive Security. In Proceedings of the 5th International Symposium, CSS 2013, Zhangjiajie, Hunan, China, 13–15 November 2013; pp. 258–271.
  36. Libert, B.; Paterson, K.G.; Quaglia, E.A. Anonymous Broadcast Encryption: Adaptive Security and Efficient Construction in the Standard Model. In Proceedings of the 15th International Conference on Practice and Theory in Public Key Cryptography, Darmstadt, Germany, 21–23 May 2012; pp. 225–242.
  37. Boneh, D.; Boyen, X.; Goh, E.J. Hierarchical Identity Based Encryption with Constant Size Ciphertext. In Advances in Cryptology-EUROCRYPT 2005; Springer: Berlin Heidelberg, Germany, 2005; pp. 440–456. [Google Scholar]
  38. Kiayias, A.; Samari, K. Lower Bound for Private Broadcast Encryption. In Information Hiding; Springer: Berlin/Heidelberg, Germany, 2013; pp. 176–190. [Google Scholar]
  39. Neal, K.; Alfred, M.; Vanstone, S. The state of elliptic curve cryptography. Des. Codes Cryptogr. 2000, 19, 173–193. [Google Scholar]
  40. Menezes, A.J.; Vanstone, S.A.; van Oorschot, P.C. Handbook of Applied Cryptography; CRC Press, Inc.: Boca Raton, FL, USA, 2001. [Google Scholar]
  41. Scott, M. Implementing Cryptographic Pairings. In Proceedings of the Pairing-Based Cryptography, Tokyo, Japan, 2–4 July 2007; pp. 177–196.
  42. Zhang, Y.; Liu, W.; Lou, W.; Fang, Y. Securing mobile Ad Hoc networks with certificateless public keys. IEEE Trans. Depend. Secur. Comput. 2006, 3, 386–399. [Google Scholar] [CrossRef]

Share and Cite

MDPI and ACS Style

Fan, C.-I.; Tseng, Y.-F. Anonymous Multi-Receiver Identity-Based Authenticated Encryption with CCA Security. Symmetry 2015, 7, 1856-1881. https://doi.org/10.3390/sym7041856

AMA Style

Fan C-I, Tseng Y-F. Anonymous Multi-Receiver Identity-Based Authenticated Encryption with CCA Security. Symmetry. 2015; 7(4):1856-1881. https://doi.org/10.3390/sym7041856

Chicago/Turabian Style

Fan, Chun-I, and Yi-Fan Tseng. 2015. "Anonymous Multi-Receiver Identity-Based Authenticated Encryption with CCA Security" Symmetry 7, no. 4: 1856-1881. https://doi.org/10.3390/sym7041856

Article Metrics

Back to TopTop