# Anonymous Multi-Receiver Identity-Based Authenticated Encryption with CCA Security


## Abstract


## 1. Introduction

#### Anonymous Multi-Receiver ID-Based Encryption vs. Anonymous Dynamic Broadcast ID-Based Encryption

## 2. Related Works

## 3. Preliminaries

**Definition 1.** An anonymous multi-receiver identity-based authenticated encryption (AMRIBAE) scheme consists of the following algorithms:

- Setup is an algorithm that takes as input a security parameter $l$. It returns a master secret key $msk$ and system parameters $params$.
- KeyExtract is an algorithm that takes as input $params$, $msk$ and a user’s identity $I{D}_{i}\in {\{0,1\}}^{*}$ and then returns the secret key ${d}_{i}$ of the user.
- Encrypt is an algorithm that takes as input $params$, a message $M$, the identity $I{D}_{s}$ of the sender, the private key ${d}_{s}$ of the sender and an identity set $\{I{D}_{1},I{D}_{2},\cdots ,I{D}_{t}\}$ and returns a ciphertext $C$. We write $C=Encrypt(params,I{D}_{s},I{D}_{1},I{D}_{2},\cdots ,I{D}_{t},M,{d}_{s})$.
- Decrypt is an algorithm that takes as input $params$, a ciphertext $C$ and the secret key ${d}_{i}$ of user $I{D}_{i}$ and returns a message $M$. We write $M=Decrypt(params,C,{d}_{i})$.

**Definition 2** (The Bilinear Diffie–Hellman (BDH) Problem). Given $(P,aP,bP,cP)$ for some random $a,b,c\in {\mathbb{Z}}_{q}^{*}$, compute $e{(P,P)}^{abc}$.

**Definition 3** (The Decisional Bilinear Diffie–Hellman (DBDH) Problem). Given $(P,aP,bP,cP,Z)$ for some random $a,b,c\in {\mathbb{Z}}_{q}^{*}$ and $Z{\in}_{R}\{e{(P,P)}^{abc},Y{\in}_{R}{G}_{2}e{(P,P)}^{abc}\}$, decide if $Z=e{(P,P)}^{abc}$.

**Definition 4** (The DBDH Assumption [7]). Define that an algorithm $\mathcal{A}$ with output $\beta \in \{0,1\}$ has advantage $\epsilon$ in solving the DBDH problem if:

**Definition 7** (The Modified Decisional Bilinear Diffie–Hellman (M-DBDH) Problem). Given $(P,aP,bP,cP,e{(P,P)}^{{b}^{2}c},Z)$ for some random $a,b,c\in {\mathbb{Z}}_{q}^{*}$ and $Z{\in}_{R}\{e{(P,P)}^{abc},Y{\in}_{R}{G}_{2}e{(P,P)}^{abc}\}$, decide if $Z=e{(P,P)}^{abc}$. Define that an algorithm $\mathcal{A}$ with output $\beta \in \{0,1\}$ has advantage $\epsilon$ in solving the M-DBDH problem if:

**Theorem 8.** No polynomial-time algorithm has a non-negligible advantage in solving the M-DBDH problem if the 1-wDBDHI assumption holds.

**Proof.** If there exists a polynomial-time algorithm $\mathcal{A}$ with non-negligible advantage $\epsilon$ in solving the M-DBDH problem, then we can construct a polynomial-time algorithm $\mathcal{B}$ with non-negligible advantage in solving the 1-wDBDHI problem as follows. Given a 1-wDBDHI instance $(P,bP,cP,Z)$, $\mathcal{B}$ forms an M-DBDH instance via the following operations:

- Randomly choose $a\in {Z}_{q}^{*}$, and compute $aP$.
- Compute ${Z}_{1}=e{(bP,cP)}^{a}$.
- Set the M-DBDH instance as $(P,aP,bP,cP,Z,{Z}_{1})$, and input it into $\mathcal{A}$.

**Definition 9** (The M-DBDH Assumption). We say that the M-DBDH assumption holds if no polynomial-time algorithm has non-negligible advantage in solving the M-DBDH problem.

## 4. Our Scheme

Notation | Meaning |
---|---|
${G}_{1}$ | a cyclic additive group of prime order $q$ |
${G}_{2}$ | a cyclic multiplicative group of prime order $q$ |
$e$ | a bilinear mapping; $e:{G}_{1}\times {G}_{1}\to {G}_{2}$ |
$P$ | a generator of ${G}_{1}$ |
KGC | the key generation center |
${P}_{pub}$ | the public key of KGC |
$M$ | a message |
$I{D}_{i}$ | the identity of user $i$ |
${Q}_{i}$ | the hashed value of $I{D}_{i}$ |
${d}_{i}$ | the private key of $I{D}_{i}$ |

**Setup** The key generation center (KGC) performs the following operations:

- Choose an integer $\alpha \in {\mathbb{Z}}_{q}^{*}$ randomly as the master secret key, and set ${P}_{pub}=\alpha P$.
- Choose three cryptographic one-way hash functions, $H:{\{0,1\}}^{*}\to {G}_{1}$, ${H}_{1}:{G}_{2}\to {\mathbb{Z}}_{q}^{*}$, and ${H}_{2}:{\{0,1\}}^{*}\times {\mathbb{Z}}_{q}^{*}\to {\mathbb{Z}}_{q}^{*}$.
- Compute $\Omega =e(P,P)$.
- Publish the system parameters $params=\{{G}_{1},{G}_{2},e,q,P,{P}_{pub},H,{H}_{1},{H}_{2},\Omega \}$ and keep the master key $\alpha$ secret.

**KeyExtract** When user $i$ joins the system, KGC will compute ${Q}_{i}=H\left(I{D}_{i}\right)$ and the private key ${d}_{i}=\alpha {Q}_{i}$ of the user, and then, KGC will send ${d}_{i}$ to user $i$ in a secure manner.

**Encrypt** A sender, say $I{D}_{s}$, produces the ciphertext of a message by performing the following steps:

- Choose a message $M\in {G}_{2}$, and select a set of $t$ receivers $\{I{D}_{1},\cdots ,I{D}_{t}\}$.
- Choose $k\in {\mathbb{Z}}_{q}^{*}$ at random, and compute $r={H}_{2}(M,k)$.
- For $i=1$ to $t$, compute ${Q}_{i}=H\left(I{D}_{i}\right)$ and ${v}_{i}={H}_{1}\left(e(r{Q}_{i},{d}_{s})\right)$.
- Compute $f\left(x\right)=k-\prod _{i=1}^{t}(x-{v}_{i})=\sum _{i=0}^{t-1}{c}_{i}{x}^{i}+{x}^{t} \bmod q$.
- Compute $U=rP,V=r{Q}_{s}$ and $W=M\cdot {\Omega}^{-k}$.
- Set the ciphertext $C=({c}_{0},{c}_{1},\cdots ,{c}_{t-1},U,V,W,I{D}_{s})$.

**Decrypt** After receiving the ciphertext $C=({c}_{0},{c}_{1},\cdots ,{c}_{t-1},U,V,W,I{D}_{s})$, a selected receiver, say $I{D}_{i}$, can decrypt $C$ as follows.

- Compute ${v}_{i}^{\prime}={H}_{1}\left(e(V,{d}_{i})\right)$.
- Compute ${k}^{\prime}=f\left({v}_{i}^{\prime}\right)=\sum _{j=0}^{t-1}{c}_{j}{\left({v}_{i}^{\prime}\right)}^{j}+{\left({v}_{i}^{\prime}\right)}^{t} \bmod q$.
- Compute ${M}^{\prime}=W\cdot {\Omega}^{{k}^{\prime}}$.
- Accept ${M}^{\prime}$ if $U={H}_{2}({M}^{\prime},{k}^{\prime})P$. If the receiver wants to authenticate the identity of the sender, he can check whether $e(U,H\left(I{D}_{s}\right))=e(V,P)$.

**Figure 1.** The proposed anonymous multi-receiver identity-based authenticated encryption (AMRIBAE) scheme.
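The following Python walk-through is an added example, not code from the paper: it runs Setup, KeyExtract, Encrypt and Decrypt from Figure 1 end to end in a toy bilinear group (an assumption of this example: $G_1$ elements are stored as their discrete logarithms, so it checks the algebra and provides no security). It builds the polynomial in the monic form $\prod (x-v_i)+k$, which is the form that agrees with the coefficients $c_0,\cdots,c_{t-1}$ plus $x^t$ evaluated in Decrypt; all function and variable names are chosen here.

```python
import hashlib
import secrets

def is_prime(n):
    """Deterministic Miller-Rabin for n < 3.3e24 (first 12 primes as bases)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

# Toy bilinear group (assumption of this example, NOT secure): the G1 element xP
# is stored as x mod q, G2 is the order-q subgroup of Z_p^*, e(xP, yP) = g^(xy).
q = next(c for c in range(2**61 + 1, 2**62, 2) if is_prime(c) and is_prime(2 * c + 1))
p, g, P = 2 * q + 1, 4, 1

def e(X, Y):
    """Bilinear map G1 x G1 -> G2 in the toy representation."""
    return pow(g, X * Y % q, p)

OMEGA = e(P, P)

def _to_zq(tag, *parts):
    """Hash arbitrary inputs into Z_q^* (domain-separated by tag)."""
    data = tag + b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (q - 1) + 1

def H(identity):
    return _to_zq(b"H:", identity) * P % q      # Q_i = H(ID_i) in G1

def H1(x):
    return _to_zq(b"H1:", x)                    # G2 -> Z_q^*

def H2(M, k):
    return _to_zq(b"H2:", M, k)                 # (M, k) -> Z_q^*

def setup():
    alpha = secrets.randbelow(q - 1) + 1        # master secret key
    return alpha, alpha * P % q                 # (msk, P_pub)

def key_extract(alpha, identity):
    return alpha * H(identity) % q              # d_i = alpha * Q_i

def encrypt(id_s, d_s, receivers, M):
    k = secrets.randbelow(q - 1) + 1
    r = H2(M, k)
    coeffs = [1]                                # monic polynomial, lowest degree first
    for rid in receivers:
        v = H1(e(r * H(rid) % q, d_s))          # v_i = H1(e(r Q_i, d_s))
        shifted = [0] + coeffs                  # x * f(x)
        scaled = [(-v * c) % q for c in coeffs] + [0]   # -v_i * f(x)
        coeffs = [(a + b) % q for a, b in zip(shifted, scaled)]
    coeffs[0] = (coeffs[0] + k) % q             # f(x) = prod(x - v_i) + k
    U, V = r * P % q, r * H(id_s) % q
    W = M * pow(OMEGA, q - k, p) % p            # W = M * Omega^(-k)
    return coeffs[:-1], U, V, W, id_s           # receiver identities never appear in C

def decrypt(C, d_i):
    """Return (M, sender_ok) for an intended receiver, None otherwise."""
    c, U, V, W, id_s = C
    v = H1(e(V, d_i))                           # e(V, d_i) = e(r Q_i, d_s)
    k = 0
    for coef in reversed(c + [1]):              # Horner evaluation of f(v)
        k = (k * v + coef) % q
    M = W * pow(OMEGA, k, p) % p
    if U != H2(M, k) * P % q:                   # validity check U = H2(M', k') P
        return None
    return M, e(U, H(id_s)) == e(V, P)          # sender check from Decrypt
```

A non-receiver evaluates the polynomial at a value that is not one of its roots, recovers a wrong $k^{\prime}$, and is rejected by the $U={H}_{2}({M}^{\prime},{k}^{\prime})P$ check.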

## 5. Security Models and Proofs

**Definition 10** (The IND-sMID-CCA Game). Let $\mathcal{A}$ be a polynomial-time attacker. $\mathcal{A}$ interacts with a simulator $\mathcal{S}$ in the following game.

- Hash query: $\mathcal{S}$ operates hash functions on the inputs given by $\mathcal{A}$ and returns the hashed values.
- KeyExtract ($I{D}_{i}$): $\mathcal{A}$ sends an identity $I{D}_{i}$ to $\mathcal{S}$ and $\mathcal{S}$ returns the private key of $I{D}_{i}$ where KeyExtract ($I{D}_{j}$) cannot be queried if $I{D}_{j}\in I{D}^{*}$.
- Encrypt ($I{D}_{s},I{D}_{1},\cdots ,I{D}_{u},M$): $\mathcal{A}$ sends a sender’s identity $I{D}_{s}$, a receiver set $\{I{D}_{1},\cdots ,I{D}_{u}\}$ and a message $M$ to $\mathcal{S}$. $\mathcal{S}$ returns a ciphertext $C$ to $\mathcal{A}$.
- Decrypt ($C,I{D}_{i}$): $\mathcal{A}$ sends an identity $I{D}_{i}$ and a ciphertext $C$ to $\mathcal{S}$, and $\mathcal{S}$ returns the message $M$.

**Figure 2.** The indistinguishability of encryptions under selective multi-ID, chosen-ciphertext attacks (IND-sMID-CCA) game.

**Definition 11** (The Anon-sMID-CCA Game). Let $\mathcal{A}$ be a polynomial-time attacker. $\mathcal{A}$ interacts with a simulator $\mathcal{S}$ in the following game.

- Hash query: $\mathcal{S}$ operates hash functions on the inputs given by $\mathcal{A}$ and returns the hashed values.
- KeyExtract ($I{D}_{i}$): $\mathcal{A}$ sends an identity $I{D}_{i}$ to $\mathcal{S}$, and $\mathcal{S}$ returns the private key of $I{D}_{i}$ where neither KeyExtract ($I{D}_{0}^{*}$) nor KeyExtract ($I{D}_{1}^{*}$) can be queried.
- Encrypt ($I{D}_{s},I{D}_{1},\cdots ,I{D}_{u},M$): $\mathcal{A}$ sends a sender’s identity $I{D}_{s}$, a receiver set $\{I{D}_{1},\cdots ,I{D}_{u}\}$ and a message $M$ to $\mathcal{S}$. $\mathcal{S}$ returns a ciphertext $C$ to $\mathcal{A}$.
- Decrypt ($C,I{D}_{i}$): $\mathcal{A}$ sends an identity $I{D}_{i}$ and a ciphertext $C$ to $\mathcal{S}$, and $\mathcal{S}$ returns the message $M$.

**Definition 12** (The Sender Authentication Game). Let $\mathcal{A}$ be a polynomial-time attacker. $\mathcal{A}$ interacts with a simulator $\mathcal{S}$ in the following game.

- Hash query: $\mathcal{S}$ operates hash functions on the inputs given by $\mathcal{A}$ and returns the hashed values.
- KeyExtract ($I{D}_{i}$): $\mathcal{A}$ sends an identity $I{D}_{i}$ to $\mathcal{S}$ and $\mathcal{S}$ returns the private key of $I{D}_{i}$ where neither KeyExtract ($I{D}_{s}^{*}$) nor KeyExtract ($I{D}_{R}^{*}$) can be queried.
- Encrypt ($I{D}_{s},I{D}_{1},\cdots ,I{D}_{u},M$): $\mathcal{A}$ sends a sender’s identity $I{D}_{s}$, a receiver set $\{I{D}_{1},\cdots ,I{D}_{u}\}$ and a message $M$ to $\mathcal{S}$. $\mathcal{S}$ returns a ciphertext $C$ to $\mathcal{A}$.
- Decrypt ($C,I{D}_{i}$): $\mathcal{A}$ sends an identity $I{D}_{i}$ and a ciphertext $C$ to $\mathcal{S}$, and $\mathcal{S}$ returns the message $M$.

**Theorem 13.** (Confidentiality) The proposed AMRIBAE scheme is IND-sMID-CCA secure in the random oracle model if the M-DBDH assumption holds.

**Proof.** The basic concept of the proof is a proof by contradiction. Assume that the proposed scheme is not IND-sMID-CCA secure, i.e., there exists a polynomial-time adversary $\mathcal{A}$ that wins the IND-sMID-CCA game with non-negligible advantage. Then, we will construct a polynomial-time algorithm $\mathcal{S}$ that has non-negligible advantage in solving the M-DBDH problem.

- H-query: This oracle takes an identity $I{D}_{j}\in {\{0,1\}}^{*}$ as input. If there exists a record $(I{D}_{j},{Q}_{j},{q}_{j})$ in H-list, return ${Q}_{j}$. Otherwise, do the following:
  - Randomly select ${q}_{j}\in {\mathbb{Z}}_{q}^{*}$.
  - If $I{D}_{j}\in I{D}^{*}$, compute ${Q}_{j}={q}_{j}\left(bP\right)$; else ${Q}_{j}={q}_{j}P$.
  - Return ${Q}_{j}$, and add $(I{D}_{j},{Q}_{j},{q}_{j})$ into H-list.
- ${H}_{1}$-query: This oracle takes ${X}_{j}$ as input, where ${X}_{j}\in {G}_{2}$. If there exists a record $({X}_{j},{v}_{j})$ in ${H}_{1}$-list, return ${v}_{j}$. Otherwise, do the following:
  - Randomly choose ${v}_{j}\in {\mathbb{Z}}_{q}^{*}$.
  - Add $({X}_{j},{v}_{j})$ to ${H}_{1}$-list.
  - Return ${v}_{j}$.
- ${H}_{2}$-query: This oracle takes ${M}_{j}\in {G}_{2}$ and an integer ${k}_{j}\in {\mathbb{Z}}_{q}^{*}$ as input. If there exists a record $({M}_{j},{k}_{j},{r}_{j},{U}_{j})$ in ${H}_{2}$-list, return ${r}_{j}$. Otherwise, do the following:
  - Randomly choose ${r}_{j}\in {\mathbb{Z}}_{q}^{*}$, and compute ${U}_{j}={r}_{j}P$.
  - Add $({M}_{j},{k}_{j},{r}_{j},{U}_{j})$ to ${H}_{2}$-list.
  - Return ${r}_{j}$.
- KeyExtract: This oracle takes an identity $I{D}_{j}$ as input. Call $H\left(I{D}_{j}\right)$ and retrieve ${q}_{j}$ from H-list. Then, $\mathcal{S}$ does the following:
  - If $I{D}_{j}\in I{D}^{*}$, return “reject”.
  - Otherwise, compute ${d}_{j}={q}_{j}\left(cP\right)$ and return ${d}_{j}$.
- Encrypt: This oracle takes $u+1$ identities $(I{D}_{s},I{D}_{1},\cdots ,I{D}_{u})$ and a message $M$ as input. Upon receiving an Encrypt query, $\mathcal{S}$ does the following:
  - Choose $k,r\in {\mathbb{Z}}_{q}^{*}$ at random, and set ${H}_{2}(M,k)=r$.
  - For $i=1$ to $u$,
    - if $I{D}_{s}I{D}^{*}$, compute ${v}_{i}={H}_{1}\left(e{({Q}_{i},{d}_{s})}^{r}\right)$, where ${d}_{s}$ is the private key of the sender $I{D}_{s}$;
    - if $I{D}_{s}\in I{D}^{*}$ and $I{D}_{i}I{D}^{*}$, compute ${v}_{i}={H}_{1}\left(e{({d}_{i},{Q}_{s})}^{r}\right)$, where ${d}_{i}$ is the private key of the receiver $I{D}_{i}$;
    - if $I{D}_{s},I{D}_{i}\in I{D}^{*}$, compute ${v}_{i}={H}_{1}\left({\left(e{(P,P)}^{{b}^{2}c}\right)}^{r{q}_{s}{q}_{i}}\right)$.
  - Compute $f\left(x\right)=k-\prod _{i=1}^{u}(x-{v}_{i})=\sum _{i=0}^{u-1}{c}_{i}{x}^{i}+{x}^{u} \bmod q$.
  - Compute $U=rP,V=r{Q}_{s},$ and $W=M\cdot e{(P,P)}^{-k}$.
  - Set the ciphertext $C=({c}_{0},{c}_{1},\cdots ,{c}_{u-1},U,V,W,I{D}_{s})$, and return $C$.
- Decrypt: This oracle takes an identity $I{D}_{j}$ and a ciphertext $C$ as input. Upon receiving a Decrypt query, denoted by Decrypt $(C,I{D}_{j})$ where $C=({c}_{0},\cdots ,{c}_{u-1},U,V,W,I{D}_{s})$, $\mathcal{S}$ does the following:
  - Search ${H}_{2}$-list to get $({M}_{i},{k}_{i},{r}_{i},{U}_{i})$ with ${U}_{i}=U$. If not found, return “reject”.
  - Search H-list to get $(I{D}_{s},{Q}_{s},{q}_{s})$ with $e(U,{Q}_{s})=e(P,V)$. If not found, return “reject”.
  - This step can be separated into three cases:
    - if $I{D}_{s}I{D}^{*}$, compute ${v}_{j}={H}_{1}\left(e{({Q}_{j},{d}_{s})}^{{r}_{i}}\right)$;
    - if $I{D}_{s}\in I{D}^{*}$ and $I{D}_{j}I{D}^{*}$, compute ${v}_{j}={H}_{1}\left(e{({d}_{j},{Q}_{s})}^{{r}_{i}}\right)$;
    - if $I{D}_{s},I{D}_{j}\in I{D}^{*}$, compute ${v}_{j}={H}_{1}\left({\left(e{(P,P)}^{{b}^{2}c}\right)}^{{r}_{i}{q}_{s}{q}_{j}}\right)$.
  - Compute $k={c}_{0}+{c}_{1}{v}_{j}+\cdots +{c}_{u-1}{v}_{j}^{u-1}+{v}_{j}^{u} \bmod q$.
  - Check whether ${k}_{i}=k$ and ${M}_{i}=W\cdot {\Omega}^{k}$ or not. If not, return “reject”. Otherwise, return ${M}_{i}$.

- Choose $\beta \in \{0,1\}$ randomly.
- For $i=1$ to t, call $H\left(I{D}_{i}^{*}\right)$, and retrieve ${q}_{i}^{*}$ from H-list.
- Call $H\left(I{D}_{s}\right)$, and retrieve ${q}_{s}$ from H-list.
- Choose $k\in {\mathbb{Z}}_{q}^{*}$, and set ${U}^{*}=aP$ and ${V}^{*}={q}_{s}\left(aP\right)$.
- For $i=1$ to t, compute ${v}_{i}={H}_{1}\left({Z}^{{q}_{i}^{*}{q}_{s}}\right)$.
- Compute $f\left(x\right)=k-\prod _{i=1}^{t}(x-{v}_{i})=\sum _{i=0}^{t-1}{c}_{i}{x}^{i}+{x}^{t} \bmod q$ and ${W}^{*}={M}_{\beta}\cdot {\Omega}^{-k}$.
- Set the ciphertext ${C}^{*}=({c}_{0},{c}_{1},\cdots ,{c}_{t-1},{U}^{*},{V}^{*},{W}^{*},I{D}_{s})$, and send ${C}^{*}$ to $\mathcal{A}$.

**Theorem 14.** (Anonymity) The proposed AMRIBAE scheme is Anon-sMID-CCA secure in the random oracle model if the M-DBDH assumption holds.

**Proof.** Assume that the proposed scheme is not Anon-sMID-CCA secure, that is, there exists a polynomial-time adversary $\mathcal{A}$ that wins the Anon-sMID-CCA game with non-negligible advantage. We will construct a polynomial-time algorithm $\mathcal{S}$ that has non-negligible advantage in solving the M-DBDH problem.

- Choose $\beta \in \{0,1\}$ randomly.
- For $i=2$ to t, call $H\left(I{D}_{i}\right)$, and retrieve ${q}_{i}$ from H-list.
- Call $H\left(I{D}_{\beta}^{*}\right)$, and retrieve ${q}_{\beta}^{*}$ from H-list.
- Call $H\left(I{D}_{s}\right)$, and retrieve ${q}_{s}$ from H-list.
- Choose $k\in {\mathbb{Z}}_{q}^{*}$, and set ${U}^{*}=aP$ and ${V}^{*}={q}_{s}\left(aP\right)$.
- For $i=2$ to t, compute ${v}_{i}={H}_{1}\left(e({q}_{i}{U}^{*},{q}_{s}\left(cP\right))\right)$.
- Compute ${v}_{\beta}={H}_{1}\left({Z}^{{q}_{\beta}^{*}{q}_{s}}\right)$.
- Compute $f\left(x\right)=k-(x-{v}_{\beta})\prod _{i=2}^{t}(x-{v}_{i})=\sum _{i=0}^{t-1}{c}_{i}{x}^{i}+{x}^{t} \bmod q$ and ${W}^{*}=M\cdot {\Omega}^{-k}$.
- Set the ciphertext ${C}^{*}=({c}_{0},{c}_{1},\cdots ,{c}_{t-1},{U}^{*},{V}^{*},{W}^{*},I{D}_{s})$ and send ${C}^{*}$ to $\mathcal{A}$.

**Theorem 15.** (Sender authentication) The proposed AMRIBAE scheme satisfies sender authentication in the random oracle model if the DBDH assumption holds.

**Proof.** Assume that there exists a polynomial-time adversary $\mathcal{A}$ that wins the sender authentication game with non-negligible advantage. Then, we will construct a polynomial-time algorithm $\mathcal{S}$ that has non-negligible advantage in solving the DBDH problem.

- H-query: This oracle takes an identity $I{D}_{j}\in {\{0,1\}}^{*}$ as input. If there exists a record $(I{D}_{j},{Q}_{j},{q}_{j})$ in H-list, return ${Q}_{j}$. Otherwise, do the following:
  - Randomly select ${q}_{j}\in {\mathbb{Z}}_{q}^{*}$.
  - If $I{D}_{j}=I{D}_{s}^{*}$, compute ${Q}_{j}={q}_{j}\left(aP\right)$; else if $I{D}_{j}=I{D}_{R}^{*}$, compute ${Q}_{j}={q}_{j}\left(bP\right)$; else ${Q}_{j}={q}_{j}P$.
  - Return ${Q}_{j}$ and add $(I{D}_{j},{Q}_{j},{q}_{j})$ into H-list.
- The simulations of the ${H}_{1}$-query and the ${H}_{2}$-query are the same as those in the proof of Theorem 13.
- KeyExtract: This oracle takes an identity $I{D}_{j}$ as input. Call $H\left(I{D}_{j}\right)$, and retrieve ${q}_{j}$ from H-list. Then, $\mathcal{S}$ does the following:
  - If $I{D}_{j}\in I{D}^{*}$, return “reject”.
  - Otherwise, compute ${d}_{j}={q}_{j}\left(cP\right)$, and return ${d}_{j}$.
- Encrypt: This oracle takes $u+1$ identities $(I{D}_{s},I{D}_{1},\cdots ,I{D}_{u})$ and a message $M$ as input. Upon receiving an Encrypt query, $\mathcal{S}$ does the following:
  - Choose $k,r\in {\mathbb{Z}}_{q}^{*}$ at random, and set ${H}_{2}(M,k)=r$.
  - For $i=1$ to $u$,
    - if $I{D}_{s}\in I{D}^{*}$, compute ${v}_{i}={H}_{1}\left(e{({Q}_{i},{d}_{s})}^{r}\right)$, where ${d}_{s}$ is the private key of the sender $I{D}_{s}$;
    - if $I{D}_{s}\in I{D}^{*}$ and $I{D}_{i}\in I{D}^{*}$, compute ${v}_{i}={H}_{1}\left(e{({d}_{i},{Q}_{s})}^{r}\right)$, where ${d}_{i}$ is the private key of the receiver $I{D}_{i}$;
    - if $I{D}_{s},I{D}_{i}\in I{D}^{*}$, compute ${v}_{i}={H}_{1}\left({Z}^{r{q}_{s}{q}_{i}}\right)$.
  - Compute $f\left(x\right)=k-\prod _{i=1}^{u}(x-{v}_{i})=\sum _{i=0}^{u-1}{c}_{i}{x}^{i}+{x}^{u} \bmod q$.
  - Compute $U=rP,V=r{Q}_{s}$ and $W=M\cdot {\Omega}^{-k}$.
  - Set the ciphertext $C=({c}_{0},{c}_{1},\cdots ,{c}_{u-1},U,V,W,I{D}_{s})$, and return $C$.
- Decrypt: This oracle takes an identity $I{D}_{j}$ and a ciphertext $C$ as input. Upon receiving a Decrypt query, denoted by Decrypt $(C,I{D}_{j})$, where $C=({c}_{0},\cdots ,{c}_{u-1},U,V,W,I{D}_{s})$, $\mathcal{S}$ does the following:
  - Search ${H}_{2}$-list to get $({M}_{i},{k}_{i},{r}_{i},{U}_{i})$ with ${U}_{i}=U$. If not found, return “reject”.
  - Search H-list to get $(I{D}_{s},{Q}_{s},{q}_{s})$ with $e(U,{Q}_{s})=e(P,V)$. If not found, return “reject”.
  - This step can be separated into three cases:
    - if $I{D}_{s}\in I{D}^{*}$, compute ${v}_{j}={H}_{1}\left(e{({Q}_{j},{d}_{s})}^{{r}_{i}}\right)$;
    - if $I{D}_{s}\in I{D}^{*}$ and $I{D}_{j}\in I{D}^{*}$, compute ${v}_{j}={H}_{1}\left(e{({d}_{j},{Q}_{s})}^{{r}_{i}}\right)$;
    - if $I{D}_{s},I{D}_{j}\in I{D}^{*}$, compute ${v}_{j}={H}_{1}\left({Z}^{{r}_{i}{q}_{s}{q}_{j}}\right)$.
  - Compute $k={c}_{0}+{c}_{1}{v}_{j}+\cdots +{c}_{u-1}{v}_{j}^{u-1}+{v}_{j}^{u} \bmod q$.
  - Check whether ${k}_{i}=k$ and ${M}_{i}=W\cdot {\Omega}^{k}$ or not. If not, return “reject”. Otherwise, return ${M}_{i}$.

- Search ${H}_{2}$-list to get $({M}_{i},{k}_{i},{r}_{i},{U}_{i})$ with ${U}_{i}={U}^{*}$.
- Call $H\left(I{D}_{s}^{*}\right)$ and $H\left(I{D}_{R}^{*}\right)$ to retrieve ${q}_{s}^{*}$ and ${q}_{R}^{*}$ from H-list.
- Compute $v={H}_{1}\left({Z}^{{q}_{s}^{*}{q}_{R}^{*}{r}_{i}}\right)$.
- Compute $k={c}_{0}+{c}_{1}v+\cdots +{c}_{t-1}{v}^{t-1}+{v}^{t} \bmod q$.
- Check whether ${k}_{i}=k$ and ${M}_{i}=W\cdot {\Omega}^{k}$ or not. If it is, $\mathcal{A}$ wins the game.

- ${E}_{1}$: The game has been correctly simulated.
- ${E}_{2}$: $\mathcal{A}$ wins the game.

## 6. Comparisons

Scheme | Encryption Cost | Decryption Cost | Ciphertext Length |
---|---|---|---|
[10] | $(2t+3)T_h+2tT_m+(t^2+2)T_s+(t^2-t)T_a+tT_{poly}+T_p+T_e$ $\approx (29t^2+48t+1567)T_m+tT_{poly}$ | $4T_h+(t+2)T_s+tT_a+2T_p$ $\approx (29t+2550)T_m$ | $(t+2)u+w$ |
[11] | $(2t+1)T_h+(t+1)T_s+tT_p$ $\approx (1275t+52)T_m$ | $tT_h+tT_s+tT_p$ $\approx 1252tT_m$ | $(t+2)u+w$ |
[25] | $(2t+3)T_h+2tT_m+(2t^2+t+1)T_s+2(t^2-t)T_a+tT_{poly}+T_p+tT_e$ $\approx (58t^2+317t+1298)T_m+tT_{poly}$ | $4T_h+(2t+2)T_s+2tT_a+2T_p$ $\approx (58t+2550)T_m$ | $(2t+2)u+w$ |
[21] | $(t+1)T_h+2T_s+tT_p+T_{poly}$ $\approx (1223t+1223)T_m+T_{poly}$ | $T_h+tT_m+T_p$ $\approx (t+1223)T_m$ | $t\lvert q\rvert+u+w$ |
[18] | $(t+2)T_s+(t+1)T_p+T_{CRT}$ $\approx (1229t+1258)T_m+T_{CRT}$ | $T_p$ $\approx 1200T_m$ | $t\lvert q\rvert+2u+w$ |
[16] | $tT_h+(t+1)T_e+(2t+5)T_s+(t+1)T_e$ $\approx (1251t+1585)T_m$ | $T_h+T_e+t(2T_p+T_e+T_s)$ $\approx (2669t+1223)T_m$ | $(t+2)u+w$ |
[29] | $(2t+4)T_h+2tT_m+(t^2+t+1)T_s+2(t^2-t)T_a+tT_{poly}+T_p+tT_e$ $\approx (29t^2+317t+1233)T_m+tT_{poly}$ | $4T_h+(t+1)T_s+tT_a+2tT_p$ $\approx (2429t+121)T_m$ | $(2t+2)u+w$ |
[31]-Scheme 1 | $(t+1)T_h+2tT_e+2T_s+tT_a+2tT_p$ $\approx (1703t+1281)T_m$ | $(t+1)T_h+T_s+T_a+2T_p$ $\approx (23t+2452)T_m$ | $(t+2)u+w$ |
[31]-Scheme 2 | $(t+1)T_h+2tT_e+2T_s+tT_a+2tT_p$ $\approx (1703t+1281)T_m$ | $(t+1)T_h+T_s+T_a+2T_p$ $\approx (23t+2452)T_m$ | $(t+2)u+w$ |
[14] | $(2t+1)T_h+(3t+2)T_s+T_e+nT_a$ $\approx (133t+1281)T_m$ | $t(T_p+T_a+T_h)$ $\approx 1223tT_m$ | $(t+1)v+w$ |
[19] | $tT_h+t^2T_m+(t+4)T_s+(t+1)T_e+T_{poly}$ $\approx (t^2+1252t+1316)T_m$ | $T_h+T_{poly}+2T_a+(t+1)T_s+4T_p$ $\approx (29t+4852)T_m+T_{poly}$ | $(t+3)u+v$ |
[28] | $(2t+1)T_h+(t+1)T_m+tT_e+(2t+2)T_s$ $\approx (1305t+82)T_m$ | $(t+1)T_h+(t+1)T_p+tT_s$ $\approx (1252t+1223)T_m$ | $(t+2)u+w$ |
[20] | $tT_h+(t+1)T_m+(t^2+1)T_s+(t^2-t)\lvert ID\rvert T_a+T_e+tT_{poly}$ $\approx (29t^2+24t+270)T_m+tT_{poly}$ | $T_h+T_m+T_e+tT_a+tT_s+2T_p$ $\approx (29t+2664)T_m$ | $(t+1)u+v$ |
[23] | $(3t+1)T_h+2T_s+tT_p$ $\approx (1269t+81)T_m$ | $2T_h+T_e$ $\approx 1246T_m$ | $(t+1)u+\lvert q\rvert+w$ |
[27] | $(2t+2)T_h+4T_s+tT_p+T_{poly}$ $\approx (1246t+162)T_m+T_{poly}$ | $3T_h+tT_m+3T_p+T_s+T_a$ $\approx (t+3698)T_m$ | $t\lvert q\rvert+3u+\lvert ID\rvert$ |
[26] | $(t+2)T_h+(t+2)T_s+tT_p$ $\approx (1252t+104)T_m$ | $4T_h+tT_s+T_e$ $\approx (29t+1292)T_m$ | $(t+2)u+w$ |
Ours | $(2t+1)T_h+4T_s+tT_p+T_{poly}$ $\approx (1246t+139)T_m+T_{poly}$ | $2T_h+tT_m+T_p+T_s$ $\approx (t+1275)T_m$ | $t\lvert q\rvert+2u+v$ |

- $T_p$: the cost of a pairing operation;
- $T_h$: the cost of a hash operation;
- $T_m$: the cost of a modular multiplication in ${\mathbb{Z}}_{q}^{*}$;
- $T_e$: the cost of a modular exponentiation in ${\mathbb{Z}}_{q}^{*}$;
- $T_s$: the cost of a scalar multiplication in an additive group or an exponentiation in a multiplicative group;
- $T_a$: the cost of an addition in an additive group or a multiplication in a multiplicative group;
- $T_{poly}$: the cost of constructing a polynomial;
- $T_{CRT}$: the cost of applying the Chinese remainder theorem;
- $t$: the number of receivers;
- $\lvert ID\rvert$: the bit length of an identity;
- $q$: a large prime;
- $u$: the bit length of an element in an additive group;
- $v$: the bit length of an element in a multiplicative group;
- $w$: the bit length of a symmetric encryption key.

Scheme | Confidentiality | Anonymity (Outsider) | Anonymity (Insider) | Security Model | Sender Authentication |
---|---|---|---|---|---|
[10] | CCA | △ | △ | ROM | No |
[11] | – | – | – | – | No |
[25] | CCA | CCA | △ | ROM | No |
[21,22] | △ | △ | △ | ROM | No |
[18] | CPA | CPA | CPA | ROM | No |
[29] | – | – | – | – | No |
[16] | CPA | CPA | CPA | ROM | No |
[31]-Scheme 1 | CCA | CCA | △ | ROM | No |
[31]-Scheme 2 | – | – | – | – | No |
[14] | CPA | CPA | CPA | ROM | No |
[19] | CPA | – | – | ROM | No |
[28] | △ | △ | △ | ROM | No |
[20] | CPA | CPA | CPA | STD | No |
[23] | △ | △ | △ | ROM | No |
[27] | △ | △ | △ | ROM | Yes |
[26] | – | △ | △ | ROM | No |
Ours | CCA | CCA | CCA | ROM | Yes |

## 7. Conclusions

## Acknowledgments

## Author Contributions

## Conflicts of Interest

## Appendix

#### A.1. Cryptanalysis to Other AMRIBEs

Notation | Meaning |
---|---|
${G}_{1}$ | a cyclic group of prime order $q$ |
${G}_{2}$ | a cyclic group of prime order $q$ |
$e$ | a bilinear mapping; $e:{G}_{1}\times {G}_{1}\to {G}_{2}$ |
$P$ | a generator of ${G}_{1}$ |
KGC | the key generation center |
${P}_{pub}$ | the public key of KGC |
$M$ | the message that the sender wants to send |
$({E}_{k},{D}_{k})$ | a secure symmetric encryption scheme with secret key $k$ |
${Q}_{i}$ | the hash value of $I{D}_{i}$ |

#### A.1.1. Comment on Tseng et al.’s Scheme [21,22]

#### Comments

#### A.1.2. Comment on Tseng et al.’s Scheme [23]

#### A.1.3. Comment on Zhang et al.’s Scheme [27]

#### A.1.4. Comment on Zhang et al.’s Scheme [28]

#### Comments

#### A.1.5. Comment on Wang’s Scheme [26]

#### The Simulation of the CCA Game for Confidentiality

#### Comments

- Choose a receiver set $\{I{D}_{{d}_{1}},I{D}_{2},\cdots ,I{D}_{t}\}$, where $I{D}_{{d}_{1}}$ is the target identity.
- Choose $\sigma ,r$ to compute ${R}_{{d}_{1}},{R}_{2},\cdots ,{R}_{t}$ and ${U}_{1}$ as that in the $Encrypt$ algorithm of their scheme.
- Choose ${\sigma}^{\prime},M$, and compute ${U}_{2}=H\left({\sigma}^{\prime}\right)P$, $l={H}_{3}({\sigma}^{\prime},{R}_{{d}_{1}},{R}_{2},\cdots ,{R}_{t},{U}_{1},{U}_{2})$.
- Query ${H}_{4}(M,{\sigma}^{\prime},{U}_{1},{U}_{2})$.
- Set $V={E}_{l}\left(M\right)$ and $C=({R}_{{d}_{1}},{R}_{2},\cdots ,{R}_{t},{U}_{1},{U}_{2},V)$.

## References

1. Arul, T.; Shoufan, A. Consumer Opinions on Short-Interval Charging for Pay-TV over IPTV. In Proceedings of the 26th International Conference on Advanced Information Networking and Applications Workshops (WAINA), Fukuoka, Japan, 26–29 March 2012; pp. 147–153.
2. Msgna, M.G.; Markantonakis, K.; Mayes, K.; Akram, R.N. Subscriber Centric Conditional Access System for Pay-TV Systems. In Proceedings of the 2013 IEEE 10th International Conference on e-Business Engineering (ICEBE), Coventry, UK, 11–13 September 2013; pp. 450–455.
3. Liu, Y.; Duan, J.; Tang, Q.; Zhang, Y. A Simple and Efficient Re-Scrambling Scheme for DTV Programs. IEEE Trans. Multimed. **2014**, 16, 137–146.
4. Baek, J.; Safavi-Naini, R.; Susilo, W. Efficient Multi-Receiver Identity-Based Encryption and Its Application to Broadcast Encryption. In Proceedings of the 8th International Conference on Theory and Practice in Public Key Cryptography, Les Diablerets, Switzerland, 23–26 January 2005; pp. 380–397.
5. Wang, L.; Wu, C.K. Efficient identity-based multicast scheme from bilinear pairing. IEEE Proc. Commun. **2005**, 152, 877–882.
6. Du, X.; Wang, Y.; Ge, J.; Wang, Y. An ID-based broadcast encryption scheme for key distribution. IEEE Trans. Broadcast. **2015**, 51, 264–266.
7. Boneh, D.; Franklin, M. Identity-based encryption from the weil pairing. In Proceedings of the 21st Annual International Cryptology Conference, Santa Barbara, CA, USA, 19–23 August 2001; pp. 213–229.
8. Bellare, M.; Rogaway, P. Random Oracles Are Practical: A Paradigm for Designing Efficient Protocols. In Proceedings of the 1st ACM Conference on Compute and Communications Security, Fairfax, VA, USA, 3–5 November 1993; pp. 62–73.
9. Okamoto, T.; Pointcheval, D. REACT: Rapid Enhenced-Security Asymmetric Cryptosystem Transform. In Topics in Cryptology CT-RSA 2001; Springer-Verlag Berling Heiderlberg: New York, NY, USA, 2001; pp. 159–175.
10. Fan, C.I.; Huang, L.Y.; Ho, P.H. Anonymous Multireciever identity-based encryption. IEEE Trans. Comput. **2010**, 59, 1239–1249.
11. Chien, H.Y. Improved anonymous multi-receiver identity-based encryption. Comput. J. **2012**, 55, 439–446.
12. Chen, Z.; Li, S.; Wang, C.; Shen, Y. Two constructions of multireceiver encryption supporting constant keys, short ciphertexts, and identity privacy. Int. J. Netw. Secur. **2012**, 14, 270–279.
13. Chen, Z.; Li, S.; Wang, C.; Zhang, M. Comments on FHH anonymous multireceiver encryption. Int. J. Netw. Secur. **2014**, 16, 285–288.
14. Cui, H.; Mu, Y.; Guo, F. Server-aided identity-based anonymous broadcast encryption. Int. J. Netw. Secur. **2013**, 8, 29–39.
15. Harn, L.; Chang, C.C.; Wu, H.L. An anonymous multi-receiver encryption based on RSA. Int. J. Netw. Secur. **2013**, 15, 307–312.
16. Hur, J.; Park, C.; Hwang, S.O. Privacy-preserving identity-based broadcast encryption. Inf. Fusion **2012**, 13, 296–303.
17. Li, H.; Pang, L. Cryptanalysis of Wang et al’s improved anonymous multi-receiver identity-based encryption scheme. IET Inf. Secur. **2013**, 8, 8–11.
18. Muthulakshmi, A.; Anitha, R.; Rohini, S.; Princy, K. Identity Based Privacy Preserving Dynamic Broadcast Encryption for multi-privileged group. In Recent Trends in Computer Networks and Distributed Systems Security; Spring: Berlin Heidelberg, Germany, 2012; Volume 335, pp. 272–282.
19. Pang, L.; Guo, L.; Pei, Q.; Gui, J.; Wang, Y. A new ID-based multi-recipient public-key Encryption Scheme. Chin. J. Electron. **2013**, 22, 89–92.
20. Ren, Y.; Niu, Z.; Zhang, X. Fully anonymous identity-based broadcast encryption without random oracles. Int. J. Netw. Secur. **2014**, 16, 256–264.
21. Tseng, Y.M.; Huang, Y.H.; Chang, H.J. Privacy-preserving multireceiver ID-based encryption with provable security. Int. J. Commun. Syst. **2014**, 27, 1034–1050.
22. Tseng, Y.M.; Huang, Y.H.; Chang, H.J. CCA-Secure Anonymous Multi-Receiver ID-Based Encryption. In 26th International Conference on Advanced Information Networking and Applications Workshops, Fukuoka, Japan, 26–29 March 2012; pp. 177–182.
23. Tseng, Y.M.; Tsai, T.T.; Huang, S.S.; Chien, H.Y. Efficient anonymous multi-receiver ID-based encryption with constant decryption cost. In Proceedings of the 2014 International Conference on Information Science, Electronics and Electrical Engineering (ISEEE), Sapporo, Japan, 26–28 April 2014; pp. 131–137.
24. Wang, H. Insecurity of “Improved Anonymous Multi-Receiver Identity-Based Encryption”. Comput. J. **2013**.
25. Wang, H.; Zhang, Y.; Xiong, H.; Qing, B. Crytanalysis and improvements of an anonymous multi-receiver identity-based encryption scheme. IET Inf. Secur. **2012**, 6, 20–27.
26. Wang, H. Provably Secure Anonymous Multi-receiver Identity-Based Encryption with Shorter Ciphertext. In Proceedings of the 2014 IEEE 12th International Conference on Dependable, Autonomic and Secure Computing (DASC), Dalian, China, 24–27 August 2014; pp. 85–90.
27. Zhang, B.; Sun, T.; Yu, D. ID-Based Anonymous Multi-Receiver Key Encapsulation Mechanism with Sender Authentication. In Algorithm and Architectures for Parallel Processing; Lecture Notes in Computer Science; Springer-Verlag Berlin Heidelberg: New York, NY, USA, 2014; Volume 8631, pp. 645–658.
28. Zhang, J.; Mao, J. An improved anonymous multi-receiver identity-based encryption Scheme. Int. J. Commun. Syst. **2015**, 28, 645–658.
29. Zhang, J.; Xu, Y. Comment on Anonymous Multi-Receiver Identity-Based Encryption Scheme. In Proceedings of the 4th International Conference on Intelligent Networking and Collaborative Systems, Barcelona, Spain, 19–21 September 2012; pp. 473–476.
30. Zhang, J.; Xu, Y.; Zou, J. Comment on Wang et al.’s anonymous multi-receiver ID-based encryption scheme and its improved schemes. Int. J. Intell. Inf. Database Syst. **2013**, 7, 400–413.
31. Zhang, M.; Takagi, T. Efficient constructions of anonymous multireceiver encryption protocol and their deployment in group E-Mail systems with privacy preservation. IEEE Syst. J. **2013**, 7, 410–419.
32. Delerablée, C.; Paillier, P.; Pointcheval, D. Fully Collusion Secure Dynamic Broadcast Encryption with Constant-Size or Decryption Keys. In Pairing-Based Cryptography—Pairing 2007; Takagi, T., Ed.; Springer: Berlin, Germany, 2007; Volume 4575, pp. 39–59.
33. Delerablée, C. Identity-Based Broadcast Encryption with Constant Size Ciphertexts and Private Keys. In Advances in Cryptology-EUROCRYPT 2007; Springer: Berlin Heidelberg, Germany, 2007; pp. 200–215.
34. Nelly, F.; Perera, I.M. Outsider-Anonymous Broadcast Encryption with Sublinear Ciphertexts. In Proceedings of the 15th International Conference on Practice and Theory in Public Key Cryptography, Darmstadt, Germany, 21–23 May 2012; pp. 225–242.
35. Zhang, L.; Wu, Q.; Mu, Y. Anonymous Identity-Based Broadcast Encryption with Adaptive Security. In Proceedings of the 5th International Symposium, CSS 2013, Zhangjiajie, Hunan, China, 13–15 November 2013; pp. 258–271.
36. Libert, B.; Paterson, K.G.; Quaglia, E.A. Anonymous Broadcast Encryption: Adaptive Security and Efficient Construction in the Standard Model. In Proceedings of the 15th International Conference on Practice and Theory in Public Key Cryptography, Darmstadt, Germany, 21–23 May 2012; pp. 225–242.
37. Boneh, D.; Boyen, X.; Goh, E.J. Hierarchical Identity Based Encryption with Constant Size Ciphertext. In Advances in Cryptology-EUROCRYPT 2005; Springer: Berlin Heidelberg, Germany, 2005; pp. 440–456.
38. Kiayias, A.; Samari, K. Lower Bound for Private Broadcast Encryption. In Information Hiding; Springer: Berlin/Heidelberg, Germany, 2013; pp. 176–190.
39. Neal, K.; Alfred, M.; Vanstone, S. The state of elliptic curve cryptography. Des. Codes Cryptogr. **2000**, 19, 173–193.
40. Menezes, A.J.; Vanstone, S.A.; van Oorschot, P.C. Handbook of Applied Cryptography; CRC Press, Inc.: Boca Raton, FL, USA, 2001.
41. Scott, M. Implementing Cryptographic Pairings. In Proceedings of the Pairing-Based Cryptography, Tokyo, Japan, 2–4 July 2007; pp. 177–196.
42. Zhang, Y.; Liu, W.; Lou, W.; Fang, Y. Securing mobile Ad Hoc networks with certificateless public keys. IEEE Trans. Depend. Secur. Comput. **2006**, 3, 386–399.

© 2015 by the authors; licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Fan, C.-I.; Tseng, Y.-F.
Anonymous Multi-Receiver Identity-Based Authenticated Encryption with CCA Security. *Symmetry* **2015**, *7*, 1856-1881.
https://doi.org/10.3390/sym7041856
