Anonymous Multi-Receiver Identity-Based Authenticated Encryption with CCA Security

In a multi-receiver encryption system, a sender chooses a set of authorized receivers and sends them a message securely and efficiently, as the message is well encrypted and only one ciphertext corresponding to the message is generated no matter how many receivers the sender has chosen. It can be applied to video conferencing systems, pay-per-view channels, remote education, and so forth. Due to privacy considerations, an authorized receiver may not expect that his identity is revealed. In 2010, anonymous multi-receiver identity-based (ID-based) encryption was first discussed, and furthermore, many works on the topic have been presented so far. Unfortunately, we find that all of those schemes fail to prove the chosen ciphertext attacks (CCA) security in either confidentiality or anonymity. In this manuscript, we propose the first anonymous multi-receiver ID-based authenticated encryption scheme with CCA security in both confidentiality and anonymity. In the proposed scheme, the identity of the sender of a ciphertext can be authenticated by the receivers after a successful decryption. In addition, the proposed scheme also is the first CCA-secure one against insider attacks. Moreover, only one pairing computation is required in decryption.


Introduction
Multi-receiver encryption makes it possible for a sender to compute and transmit only one ciphertext corresponding to a message for multiple receivers. It greatly decreases communication cost, so that it is popular among some advanced services, such as video conferencing, pay-per-view TV [1-3] and remote education. In order to prevent unauthorized access, messages are encrypted, and the encryption keys change every session. When a new member joins the communication group, the system will assign a long-term key to him, and the key will be revoked once the member leaves the group. The system must deal with key management effectively. Another important issue in such services is the authentication of the sender, which can guarantee the source and legality of the digital products. Many researchers focused on this topic and have proposed interesting results [4-6].
In 2001, Boneh and Franklin [7] first proposed an ID-based encryption scheme from the Weil pairing. In 2005, Du et al. [6] presented an ID-based broadcast encryption scheme for key distribution. They used matrix operations for encryption and decryption. In 2005, Wang and Wu [5] proposed an ID-based multicast encryption scheme, which has a key generation center and a group center. No users need any computation during the rekeying process. However, the sender must be the group center. In the same year, Baek et al. [4] proposed a multi-receiver ID-based encryption scheme along with a formal definition and security model for this kind of scheme. They proved the security in the selective ID model using random oracles [8]. Their second scheme was employed in the REACT technique proposed by Okamoto and Pointcheval [9].
In some situations, such as ordering sensitive TV programs, the customers may expect that their identities are not revealed. In consideration of protecting users' privacy, Fan et al. [10] first introduced the concept of anonymous multi-receiver ID-based encryption (AMRIBE) in 2010. They also proposed a multi-receiver ID-based encryption scheme using Lagrange interpolating polynomials in order to achieve anonymity for every receiver such that nobody knows who the receivers are except the sender. However, Chien [11] pointed out that Fan et al.'s scheme does not preserve anonymity. An attacker can identify the identity of a receiver. Chien indicated that the security model defined in [10] does not cover all of the multi-receiver environments. Additionally, he also proposed an improved AMRIBE scheme.
Recently, many results of AMRIBE have been proposed. After examining these results, however, we find that none of them satisfies the CCA (chosen ciphertext attacks) security in both confidentiality and anonymity. A major reason is that they are vulnerable to the insider attacks in anonymity, that is, a selected receiver, called an insider, can derive the identities of the other receivers selected by the sender in those schemes.
Therefore, in view of the aforementioned reasons, we propose a novel type of multi-receiver encryption called anonymous multi-receiver identity-based authenticated encryption (AMRIBAE). A concrete encryption scheme has also been proposed, which achieves the CCA security in both confidentiality and anonymity, such that it is immune to not only outsider (i.e., unselected receiver) but also insider attacks. Let t be the number of the selected receivers of a ciphertext. In our scheme, even if the unselected receivers collude with any (t − 1) selected receivers, the anonymity of the non-colluding selected receiver is still preserved. Furthermore, we also prove that the proposed scheme achieves sender authentication, i.e., the identity of the sender of a ciphertext can be confirmed by the selected receivers. In addition, we provide complete proofs with problem reduction to formally demonstrate the CCA security. Furthermore, our scheme is decryption efficient due to only one pairing computation.

Anonymous Multi-Receiver ID-Based Encryption vs. Anonymous Dynamic Broadcast ID-Based Encryption
In [32], Delerablée et al. introduced the concept of dynamic broadcast encryption. In a dynamic broadcast encryption system, a sender can arbitrarily select some or all of the users who have enrolled in the system as the receivers of a ciphertext that he or she is about to generate, and it is unnecessary for the system to re-compute the private keys of the enrolled users whenever a new user joins the system. A multi-receiver encryption system can also achieve this; however, a non-dynamic broadcast encryption system cannot. In a non-dynamic system, all of the enrolled users should be the receivers of every ciphertext in the system, that is the receiver set contains all enrolled users, and it is always fixed for every ciphertext. In addition, the receiver set should be determined before private key generation, which will imply that the private keys of all enrolled users must be re-computed whenever a new user joins the non-dynamic system. Although a non-dynamic broadcast encryption scheme [33-35] might not be as flexible as a dynamic one, those schemes usually provide shorter ciphertext or constant-size ciphertext. Besides, in an ID-based encryption system, the identities of the users also act as their public keys, which will largely simplify the management of the public keys as compared to a non-ID-based one, such as [36]. This research will aim at anonymous multi-receiver ID-based encryption, which can be regarded as anonymous dynamic broadcast ID-based encryption. In this manuscript, we will discuss dynamic and ID-based schemes [10,11,14,16,18-21,23,25-29,31] and compare them to our work.

Related Works
In order to protect users' privacy, Fan et al. [10] first introduced anonymous multi-receiver identity-based encryption (AMRIBE) in 2010. Their scheme was constructed by using Lagrange interpolating polynomials. However, it cannot achieve anonymity against outside and inside attackers. The cryptanalysis on Fan et al.'s scheme [10] has been presented in [11,13,25].
In 2012, Wang et al. proposed an AMRIBE scheme [25] by improving Fan et al.'s scheme. Unfortunately, their scheme did not achieve anonymity against inside attackers. The cryptanalysis on Wang et al.'s scheme [25] has been shown in [17,29]. In the same year, Tseng et al. proposed an AMRIBE scheme and claimed that their scheme is CCA secure in both confidentiality and anonymity [21,22]. However, we found that they demonstrated the security without considering all possible attackers. In the proof of the security, they assume that the attacker must compute the symmetric encryption/decryption key corresponding to the challenge ciphertext before it wins the CCA game. That is to say, the proof does not cover the type of attackers that win the CCA game, but have not computed the key of the challenge ciphertext. The details are shown in the Appendix.
In 2013, Zhang and Takagi proposed two AMRIBE schemes [31]. They designed a deployment in an e-mail delivery system and provided some experimental results. However, their first scheme cannot achieve anonymity against inside attackers [28], and they did not provide any security proof for their second scheme. Besides, Zhang and Mao proposed an improved AMRIBE scheme [28] based on Zhang et al.'s scheme [31] in 2013. They claimed that their scheme has the CCA security. However, we have found some mistakes in their security proofs due to the inconsistency between a hash function and the hash oracle corresponding to the function, where the details are shown in the Appendix.
In 2014, there were three AMRIBE schemes [23,26,27] proposed by Tseng et al., Wang and Zhang et al., respectively. Nevertheless, we have found some mistakes in their security proof, and the details are shown in the Appendix.
The other works [11,12,14,16,18-20,29] either have the CPA (chosen plaintext attacks) security only or have not provided the proof for the security. The security of all of the above schemes has been summarized in Section 6 Table 3.

Preliminaries
In this section, we define anonymous multi-receiver ID-based authenticated encryption and review some hard problems and assumptions. In addition, we propose a modified decisional bilinear Diffie-Hellman (DBDH) assumption, called the M-DBDH assumption, and prove that the assumption holds if the 1-weak decisional bilinear Diffie-Hellman inversion (1-wDBDHI) problem is hard.
Definition 1. An anonymous multi-receiver identity-based authenticated encryption (AMRIBAE) scheme consists of the following algorithms:
- Setup is an algorithm that takes as input a security parameter $l$. It returns a master secret key msk and system parameters params.
- KeyExtract is an algorithm that takes as input params, msk and a user's identity $ID_i \in \{0, 1\}^*$ and then returns the secret key $d_i$ of the user.
- Encrypt is an algorithm that takes as input params, a message $M$, the identity $ID_s$ of the sender, the private key $d_s$ of the sender and an identity set $\{ID_1, ID_2, \ldots, ID_t\}$ and returns a ciphertext $C$. We write $C = \text{Encrypt}(\text{params}, ID_s, ID_1, ID_2, \ldots, ID_t, M, d_s)$.
- Decrypt is an algorithm that takes as input params, a ciphertext $C$ and the secret key $d_i$ of user $ID_i$ and returns a message $M$. We write $M = \text{Decrypt}(\text{params}, C, d_i)$.
Let $G_1$ and $G_2$ be two cyclic groups of prime order $q$, $P$ be a generator of $G_1$ and $e: G_1 \times G_1 \to G_2$ be a bilinear mapping.
Definition 4 (The DBDH Assumption [7]). Define that an algorithm A with output $\beta \in \{0, 1\}$ has advantage in solving the DBDH problem if: P r[A(P, aP, bP, cP, e(P, P where $a, b, c \in_R Z_q^*$ and Z ∈ R {e(P, P ) abc , Y ∈ R G 2 e(P, P ) abc }. We say that the DBDH assumption holds if no polynomial-time algorithm has a non-negligible advantage in solving the DBDH problem.
Define that an algorithm A with output $\beta \in \{0, 1\}$ has advantage in solving the l-wDBDHI problem if: P r[A(P, ⇀ Y , cP, e(P, P
We say that the l-wDBDHI assumption holds if there exists no polynomial-time adversary that has a non-negligible advantage in solving the l-wDBDHI problem.
Proof. If there exists a polynomial-time algorithm A with non-negligible advantage in solving the M-DBDH problem, then we can construct a polynomial-time algorithm B with non-negligible advantage in solving the 1-wDBDHI problem as follows. Given a 1-wDBDHI instance $(P, bP, cP, Z)$, B forms an M-DBDH instance via the following operations:
1. Randomly choose $a \in Z_q^*$, and compute $aP$.
2. Compute $Z_1 = e(bP, cP)^a$.
3. Set the M-DBDH instance as $(P, aP, bP, cP, Z, Z_1)$, and input it into A.
Let $\beta$ be the output of A. B will confirm that $Z = e(P, P)^{b^2 c}$ by outputting one as the answer of the 1-wDBDHI instance if $\beta = 1$; otherwise, B will output zero. Since:
It turns out that the polynomial-time algorithm B has a non-negligible advantage 2 in solving the 1-wDBDHI problem.

Definition 9 (The M-DBDH Assumption).
We say that the M-DBDH assumption holds if no polynomial-time algorithm has non-negligible advantage in solving the M-DBDH problem.
By Theorem 8, the M-DBDH assumption holds.

Our Scheme
In this section, we will present an anonymous multi-receiver identity-based authenticated encryption scheme with provable CCA security in both confidentiality and anonymity against not only outsider, but also insider attacks. Our scheme can be viewed as a key encapsulation mechanism. The notations used in the proposed scheme are defined in Table 1.

Notation: Meaning
$G_1$: a cyclic additive group of prime order $q$
$G_2$: a cyclic multiplicative group of prime order $q$
$e$: a bilinear mapping; the key generation center

The proposed scheme is described as follows.

• Setup
The key generation center (KGC) performs the following operations:
1. Choose an integer $\alpha \in Z_q^*$ randomly as the master secret key, and set $P_{pub} = \alpha P$.
2. Choose three cryptographic one-way hash functions,
3. Compute $\Omega = e(P, P)$.
4. Publish the system parameters params $= \{G_1, G_2, e, q, P, P_{pub}, H, H_1, H_2, \Omega\}$ and keep the master key $\alpha$ secret.
• KeyExtract
When user $i$ joins the system, KGC will compute $Q_i = H(ID_i)$ and the private key $d_i = \alpha Q_i$ of the user, and then, KGC will send $d_i$ to user $i$ in a secure manner.
• Encrypt
A sender, say $ID_s$, produces the ciphertext of a message by performing the following steps:
1. Choose a message $M \in G_2$, and select a set of $t$ receivers $\{ID_1, \cdots, ID_t\}$.
If the receiver wants to authenticate the identity of the sender, he can check whether $e(U, H(ID_s)) = e(V, P)$.
The proposed scheme also is illustrated in Figure 1, and the correctness is demonstrated as follows.
Thus, the selected receiver $ID_i$ can successfully recover the message by computing
After successfully recovering the message, we have $e(V, d_i) = e(rH(ID'_s), \alpha Q_i) = e(rQ_i, \alpha Q_s) = e(rQ_i, d_s)$ for some identity $ID'_s$, which convinces the receiver that the ciphertext is encrypted with the private key of $ID'_s$. Additionally, the equation $e(U, H(ID_s)) = e(V, P)$ can guarantee that $V = rQ_s = rH(ID_s)$, which means $ID'_s = ID_s$. This feature makes it possible for the receivers to authenticate the sender of the ciphertext they received. Besides, according to [38], in an anonymous multi-receiver encryption scheme, the length of a ciphertext will at least linearly grow with the number of the receivers. Thus, the ciphertext length of our scheme might be optimal in the aspect of [38].
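The two pairing identities used in the correctness argument above can be checked in a toy model; this is an added example, not code from the paper. Every group element is stored as its discrete logarithm modulo a prime, so the code shows only the algebra and offers no security. The identities, the modulus, the constructed secrets and the string output of H1 are assumptions, and the remaining ciphertext components (c_0, ..., c_{t-1}, W) are left out because their construction is not given on this page.

```python
import hashlib

# Toy model (constructed for illustration, NO security): each group element
# is represented by its discrete logarithm modulo the group order, so
#   xP in G1         -> x
#   e(xP, yP) in G2  -> x*y mod ORDER  (the exponent of Omega = e(P, P))
ORDER = 2**127 - 1   # prime group order q (assumed value, Mersenne prime)
GEN = 1              # the generator P of G1


def pairing(x, y):
    """e(xP, yP) = Omega^(xy), stored as the exponent xy mod q."""
    return (x * y) % ORDER


def g2_pow(z, k):
    """Exponentiation in G2: (Omega^z)^k = Omega^(zk)."""
    return (z * k) % ORDER


def H(identity):
    """Hash an identity to a nonzero G1 element Q_i = H(ID_i)."""
    digest = hashlib.sha256(b"H|" + identity.encode()).digest()
    return int.from_bytes(digest, "big") % (ORDER - 1) + 1


def H1(z):
    """Hash a G2 element to v_i (hex string output is an assumption)."""
    return hashlib.sha256(b"H1|" + z.to_bytes(16, "big")).hexdigest()


def key_extract(alpha, identity):
    """KGC: d_i = alpha * Q_i."""
    return (alpha * H(identity)) % ORDER


def sender_values(r, sender_id, d_s, receivers):
    """Sender: U = rP, V = rQ_s and v_i = H1(e(Q_i, d_s)^r) per receiver."""
    U = (r * GEN) % ORDER
    V = (r * H(sender_id)) % ORDER
    v = [H1(g2_pow(pairing(H(rid), d_s), r)) for rid in receivers]
    return U, V, v


def receiver_value(V, d_i):
    """Receiver: v_i = H1(e(V, d_i)), a single pairing."""
    return H1(pairing(V, d_i))


def sender_check(U, V, claimed_sender):
    """Accept the claimed sender only if e(U, H(ID_s)) = e(V, P)."""
    return pairing(U, H(claimed_sender)) == pairing(V, GEN)


def demo():
    alpha = 0x1234567890ABCDEF   # constructed master secret
    r = 0x0FEDCBA987654321       # constructed per-message randomness
    receivers = ["bob@example.org", "carol@example.org"]
    d_alice = key_extract(alpha, "alice@example.org")
    U, V, v = sender_values(r, "alice@example.org", d_alice, receivers)
    d_bob = key_extract(alpha, "bob@example.org")
    d_dave = key_extract(alpha, "dave@example.org")  # not a selected receiver
    return {
        # e(V, d_bob) = e(rQ_s, alpha*Q_bob) = e(Q_bob, d_s)^r
        "bob_recovers": receiver_value(V, d_bob) == v[0],
        "dave_recovers": receiver_value(V, d_dave) in v,
        "alice_accepted": sender_check(U, V, "alice@example.org"),
        # a ciphertext labelled with another identity fails the check
        "mallory_label_rejected": not sender_check(U, V, "mallory@example.org"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
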

Security Models and Proofs
In this section, we will define the security models and the security notions for anonymous multi-receiver identity-based authenticated encryption. The security notions are the "indistinguishability of encryptions under selective multi-ID, chosen-ciphertext attacks" (IND-sMID-CCA) and the "anonymous indistinguishability of encryptions under selective multi-ID, chosen-ciphertext attacks" (Anon-sMID-CCA). We then will prove that our proposed scheme is provably CCA secure in confidentiality and anonymity against insider and outsider attacks.
Definition 10 (The IND-sMID-CCA Game). Let A be a polynomial-time attacker. A interacts with a simulator S in the following game.
Initialization. A chooses a set of identities $ID^* = \{ID_1^*, ID_2^*, \ldots, ID_t^*\}$ and sends $ID^*$ to S.
Setup. S runs the Setup algorithm to generate params and msk. S then sends params to A.
Phase 1. A issues the following queries.
- Hash query: S operates hash functions on the inputs given by A and returns the hashed values.
- KeyExtract ($ID_i$): A sends an identity $ID_i$ to S and S returns the private key of $ID_i$ where KeyExtract ($ID_j$) cannot be queried if and a message $M$ to S. S returns a ciphertext $C$ to A.
- Decrypt ($C$, $ID_i$): A sends an identity $ID_i$ and a ciphertext $C$ to S, and S returns the message $M$.
Challenge. A submits a sender's identity $ID_s$ and $(M_0, M_1)$ to S, with restrictions that $M_0, M_1$ are two distinct messages of the same length, $ID_s \notin ID^*$, and KeyExtract ($ID_s$) has not been queried before. S then randomly chooses $\beta \in \{0, 1\}$ and generates $C^* = \text{Encrypt}(ID_s, ID_1^*, \ldots, ID_t^*, M_\beta)$. Finally, S sends $C^*$ to A.
Phase 2. A issues the queries defined in Phase 1, excluding the Decrypt queries with $C = C^*$ and $ID_i \in ID^*$ and the query KeyExtract ($ID_s$).
Guess. Finally, A outputs $\beta' \in \{0, 1\}$ and wins the game if $\beta' = \beta$.
The advantage of A winning the game is defined as:
An anonymous multi-receiver identity-based authenticated encryption scheme is said to be IND-sMID-CCA secure if there exists no polynomial-time attacker that can win the IND-sMID-CCA game with non-negligible advantage. The model of this game is shown in Figure 2.
The advantage of A winning the game is defined as:
An anonymous multi-receiver identity-based authenticated encryption scheme is said to be Anon-sMID-CCA secure if there exists no polynomial-time attacker that can win the Anon-sMID-CCA game with non-negligible advantage. The model of this game is shown in Figure 3.
Note that there is a restriction that KeyExtract ($ID_s$) cannot be queried in both the IND-sMID-CCA game and the Anon-sMID-CCA game. This is to model that the adversary cannot collude with the sender, since the confidentiality and the anonymity will be meaningless when the collusion happens.
The advantage of A winning the game is defined as:
An anonymous multi-receiver identity-based authenticated encryption scheme is said to satisfy sender authentication if there exists no polynomial-time attacker that can win the sender authentication game with non-negligible advantage. The model of this game is shown in Figure 4.
Proof. The basic concept of the proof is a proof by contradiction. Assume that the proposed scheme is not IND-sMID-CCA secure, i.e., there exists a polynomial-time adversary A that wins the IND-sMID-CCA game with non-negligible advantage. Then, we will construct a polynomial-time algorithm S that has non-negligible advantage in solving the M-DBDH problem.

The DBDH problem
First, S is given $\langle q, G_1, G_2, e, P, aP, bP, cP, e(P, P)^{b^2 c}, Z \rangle$, which is an instance of the M-DBDH problem. S simulates the game for A as follows:
Initialization. A outputs a target identity set $ID^* = \{ID_1^*, \cdots, ID_t^*\}$.
Setup. S sets $P_{pub} = cP$, computes $\Omega = e(P, P)$ and outputs $\{G_1, G_2, e, q, P, P_{pub}, H, H_1, H_2, \Omega\}$ as the public parameters where $H$, $H_1$ and $H_2$ are three random oracles controlled by S.
Phase 1. S maintains H-list, $H_1$-list and $H_2$-list to store the results of querying $H$, $H_1$ and $H_2$, respectively. In this phase, A can issue the following queries:
- H-query: This oracle takes an identity $ID_j \in \{0, 1\}^*$ as input. If there exists a record $(ID_j, Q_j, q_j)$ in H-list, return $Q_j$. Otherwise, do the following:
  1. Randomly select $q_j \in Z_q^*$.
  2. If $ID_j \in ID^*$, compute $Q_j = q_j(bP)$; else $Q_j = q_j P$.
  3. Return $Q_j$, and add $(ID_j, Q_j, q_j)$ into H-list.
- $H_1$-query: This oracle takes $X_j$ as input, where $X_j \in G_2$. If there exists a record $(X_j, v_j)$ in $H_1$-list, return $v_j$. Otherwise, do the following:
- $H_2$-query: This oracle takes $M_j \in G_2$ and an integer $k_j \in Z_q^*$ as input. If there exists a record $(M_j, k_j, r_j, U_j)$ in $H_2$-list, return $r_j$. Otherwise, do the following:
  1. Randomly choose $r_j \in Z_q^*$, and compute $U_j = r_j P$.
  2. Add $(M_j, k_j, r_j, U_j)$ to $H_2$-list.
  3. Return $r_j$.
- KeyExtract: This oracle takes an identity $ID_j$ as input. Call $H(ID_j)$ and retrieve $q_j$ from H-list. Then, S does the following:
  - If $ID_j \in ID^*$, return "reject".
  - Otherwise, compute $d_j = q_j(cP)$ and return $d_j$.
- Encrypt: This oracle takes $u + 1$ identities $(ID_s, ID_1, \ldots, ID_u)$ and a message $M$ as input. Upon receiving an Encrypt query, S does the following:
  1. Choose $k, r \in Z_q^*$ at random, and set , where $d_i$ is the private key of the receiver
- Decrypt: This oracle takes an identity $ID_j$ and a ciphertext $C$ as input. Upon receiving a Decrypt query, denoted by Decrypt$(C, ID_j)$ where $C = (c_0, \ldots, c_{u-1}, U, V, W, ID_s)$, S does the following:
  1. Search $H_2$-list to get $(M_i, k_i, r_i, U_i)$ with $U_i = U$. If not found, return "reject".
  2. Search H-list to get $(ID_s, Q_s, q_s)$ with $e(U, Q_s) = e(P, V)$. If not found, return "reject".
  3. This step can be separated into three cases:
Challenge. A sends $(M_0, M_1)$ and a sender's identity $ID_s$ to S, with restrictions that $M_0, M_1$ are two distinct messages with the same length, $ID_s \notin ID^*$, and KeyExtract ($ID_s$) has never been queried. S performs the following operations:
1. Choose $\beta \in \{0, 1\}$ randomly.
2. For $i = 1$ to $t$, call $H(ID_i^*)$, and retrieve $q_i^*$ from H-list.
3. Call $H(ID_s)$, and retrieve $q_s$ from H-list.
4. Choose $k \in Z_q^*$, and set $U^* = aP$ and $V^* = q_s(aP)$.
5. For $i = 1$ to $t$, compute $v_i = H_1(Z^{q_i^* q_s})$.
If $Z = e(P, P)^{abc}$, then $Z^{q_i^* q_s} = e(P, P)^{abc q_i^* q_s} = e(q_i^*(bP), q_s(cP))^a = e(Q_i^*, d_s)^a$ for $i = 1$ to $t$. Therefore, $C^*$ is a correct ciphertext. Otherwise, $Z$ is an element randomly chosen in $G_2$. As the construction above, S correctly simulates the IND-sMID-CCA game. If A wins the IND-sMID-CCA game with non-negligible advantage, at least , P r[β ′ = β] − 1 2 ≥ under a correct simulation of the game, i.e., P r where Ω is a correct AMRIBAE scheme. Thus, we have that: P r[S(P, aP, bP, cP, e(P, P ) b 2 c , e(P, P ) abc ) = 1] P r[S(P, aP, bP, cP, e(P, P
9. Set the ciphertext $C^* = (c_0, c_1, \ldots, c_{t-1}, U^*, V^*, W^*, ID_s)$ and send $C^*$ to A.
If $Z = e(P, P)^{abc}$, then $Z^{q_\beta^* q_s} = e(P, P)^{abc q_\beta^* q_s} = e(q_\beta^*(bP), q_s(cP))^a = e(Q_\beta^*, d_s)^a$ for $\beta \in \{0, 1\}$. Therefore, $C^*$ is a correct ciphertext. Otherwise, $Z$ is an element randomly chosen in $G_2$. As the construction above, S correctly simulates the Anon-sMID-CCA game. If A wins the game with non-negligible advantage at least , P r[β ′ = β] − 1 2 ≥ under a correct simulation of the game, i.e., P r where Ω is a correct AMRIBAE scheme. Thus, we have that: P r[S(P, aP, bP, cP, e(P, P ) b 2 c , e(P, P ) abc ) = 1 − P r[S(P, aP, bP, cP, e(P, P
Therefore, S solves the M-DBDH problem with non-negligible advantage 4 within polynomial time.
Theorem 14 guarantees the CCA security of anonymity against both the outside attackers (unselected receivers) and the inside attackers (selected receivers) in the proposed scheme. In other words, even if an adversary compromises with any $t - 1$ receivers, the anonymity of the remaining receiver is still preserved in the proposed scheme. In this proof, we do not cover the following extreme case. Assume that the total number of users in the system is $N$. The extreme case occurs when a user (sender) encrypts a message for other $N - 2$ selected users (receivers), so that there would be only one unselected user, and this unselected user can no doubt figure out the identities of the $N - 2$ receivers.
Proof. Assume that there exists a polynomial-time adversary A that wins the sender authentication game with non-negligible advantage. Then, we will construct a polynomial-time algorithm S that has non-negligible advantage in solving the DBDH problem. First, S is given $\langle q, G_1, G_2, e, P, aP, bP, cP, Z \rangle$, which is an instance of the DBDH problem. S simulates the game for A as follows:
Initialization. A outputs an identity set $ID^* = \{ID_s^*, ID_R^*\}$.
Setup. S sets $P_{pub} = cP$, computes $\Omega = e(P, P)$ and outputs $\{G_1, G_2, e, q, P, P_{pub}, H, H_1, H_2, \Omega\}$ as the public parameters, where $H$, $H_1$ and $H_2$ are three random oracles controlled by S.
Phase 1. S maintains H-list, $H_1$-list and $H_2$-list to store the results of querying $H$, $H_1$ and $H_2$, respectively. In this phase, A can issue the following queries:
- H-query: This oracle takes an identity $ID_j \in \{0, 1\}^*$ as input. If there exists a record $(ID_j, Q_j, q_j)$ in H-list, return $Q_j$. Otherwise, do the following:
  1. Randomly select $q_j \in Z_q^*$.
  2. If $ID_j = ID_s^*$, compute $Q_j = q_j(aP)$; else if $ID_j = ID_R^*$, compute $Q_j = q_j(bP)$; else $Q_j = q_j P$.
  3. Return $Q_j$ and add $(ID_j, Q_j, q_j)$ into H-list.
- The simulation of $H_1$-query and $H_2$-query are the same as those in the proof of Theorem 13.
- KeyExtract: This oracle takes an identity $ID_j$ as input. Call $H(ID_j)$, and retrieve $q_j$ from H-list. Then, S does the following:
  - If $ID_j \in ID^*$, return "reject".
  - Otherwise, compute $d_j = q_j(cP)$, and return $d_j$.
- Encrypt: This oracle takes $u + 1$ identities $(ID_s, ID_1, \ldots, ID_u)$ and a message $M$ as input. Upon receiving an Encrypt query, S does the following:
  1. Choose $k, r \in Z_q^*$ at random, and set $H_2(M, k) = r$.
  2. For $i = 1$ to $u$,
- Decrypt: This oracle takes an identity $ID_j$ and a ciphertext $C$ as input. Upon receiving a Decrypt query, denoted by Decrypt $(C, ID_j)$, where $C = (c_0, \ldots, c_{u-1}, U, V, W, ID_s)$, S does the following:
  1. Search $H_2$-list to get $(M_i, k_i, r_i, U_i)$ with $U_i = U$. If not found, return "reject".
  2. Search H-list to get $(ID_s, Q_s, q_s)$ with $e(U, Q_s) = e(P, V)$. If not found, return "reject".
  3. This step can be separated into three cases:
  5. Check whether $k_i = k$ and $M_i = W \cdot \Omega^k$ or not. If not, return "reject". Otherwise, return $M_i$.
s ) and $H(ID_R^*)$ to retrieve $q_s^*$ and $q_R^*$ from H-list.
S outputs 1 if A wins the game.Otherwise, S outputs 0. Assume A wins the game with a non-negligible advantage at least under a correct simulation.To analyze the advantage of solving the DBDH problem, we define the following events.
$E_1$: The game has been correctly simulated.
$E_2$: A wins the game.
Then, we have that: $\Pr[S(P, aP, bP, cP, e(P, P)^{abc}) = 1]$
Therefore, S solves the DBDH problem with non-negligible advantage 2 within polynomial time.
Theorem 15 guarantees that the proposed scheme satisfies sender authentication.In other words, even if an adversary compromises with any t − 1 receivers, the adversary cannot impersonate a sender to send a valid ciphertext.
The security comparison is shown in Table 3. The schemes of [11,29] and the second scheme of [31] lack the proofs for confidentiality and anonymity. The scheme [19] did not provide the proof for anonymity, but it is CPA secure in confidentiality. The schemes [14,16,18] and [20] are CPA secure in both confidentiality and anonymity, where the proof of [20] is under a standard model. The scheme [10] is CCA secure in confidentiality, but it does not provide anonymity, which has been indicated in [11,13,25]. The scheme of [25] and the first scheme of [31] are CCA secure in confidentiality and anonymity against outsider attacks; however, the authors of [17,29] and [28], respectively, have shown that they do not provide anonymity against insider attacks. In addition, we demonstrate that there exist some problems in the proofs of the schemes [21-23,26-28], where the details are shown in the Appendix. Our scheme is the first one that can achieve the CCA security under the random oracle model against outside attackers and inside attackers simultaneously. The confidentiality and anonymity of our scheme have been formally proven in Section 5.
• $T_p$: the cost of a pairing operation;
• $T_h$: the cost of a hash operation;
• $T_m$: the cost of a modular multiplication in $Z_q^*$;
• $T_e$: the cost of a modular exponentiation in $Z_q^*$;
• $T_s$: the cost of a scalar multiplication in an additive group or an exponentiation in a multiplicative group;
• $T_a$: the cost of an addition in an additive group or a multiplication in a multiplicative group;
• $T_{poly}$: the cost of constructing a polynomial;
• $T_{CRT}$: the cost of applying the Chinese remainder theorem;
• $t$: the number of receivers;
• ID : the bit length of an identity;
• $q$: a large prime;
• $u$: the bit length of an element in an additive group;
• $v$: the bit length of an element in a multiplicative group;
• $w$: the bit length of a symmetric encryption key.

[23] In their proofs, the authors have not considered the attackers who can win the game without getting the key. As a result, their proof does not cover all possible attackers. The comment is similar to that of [21].

A.1.3. Comment on Zhang et al.'s Scheme [27]
In their proofs, the authors have not considered the attackers who can win the game without getting the key. As a result, their proof does not cover all possible attackers. The comment is similar to that of [21].

A.1.4. Comment on Zhang et al.'s Scheme [28]
In 2013, Zhang and Mao proposed an AMRIBE scheme as follows. The details of the scheme and the proofs can be referred to [28].

Comments
In the proof of confidentiality, the $H_1$ oracle is queried by the adversary with two input elements of $G_1$. Additionally, the two elements must be recorded in order to simulate the decryption oracle. However, the hash function $H_1$ has only one input element of $G_2$ in the proposed scheme. Therefore, they cannot simulate the decryption oracle successfully, and thus, the proof is incorrect. The same mistake also exists in the proof of anonymity.

A.1.5. Comment on Wang's Scheme [26]
In 2014, Wang proposed an AMRIBE scheme as follows. The detailed description of the scheme can be referred to [26].

The Simulation of the CCA Game for Confidentiality
We only show the Decrypt oracle here.
Decrypt: C is given the ciphertext-receiver pair (C, ID j ) where C = (R 1 i , . . ., R t i , U 1 i , U 2 i , V i ). If ID j does not belong to the challenge identity set S a , C gets d i and decrypts C. If ID ∈ S a , C looks for the table T H 3 . If there exists the records ( * , R 1 i , . . ., R t i , U 1 i , U 2 i , l * ), * , l * are default. If * = σ j , C checks whether H(σ j )P ?= U 2 i . If it holds, go to the next step. Otherwise, C checks the next record until it holds. Suppose that the satisfied record is * = σ * and the corresponding hash value is l * . C computes M * = D l * (V i ). If there exists the record (M * , σ, U 1 i , U 2 i , z * ), where z * is default, C returns M * . Otherwise, fail.

Comments
An adversary can make the Decrypt oracle perform decryption incorrectly as follows.
Forgery. A outputs a ciphertext $C^*$ with restrictions that the sender is $ID_s^*$ and $ID_R^*$ is one of the receivers, and $C^*$ was not outputted by querying the Encrypt oracle. A wins the game if $C^*$ is a valid ciphertext.

Theorem 15 (Sender authentication). The proposed AMRIBAE scheme satisfies sender authentication in the random oracle model if the DBDH assumption holds.
where $d_s$ is the private key of the sender $ID_s$; if $ID_s \in ID^*$ and $ID_i \notin ID^*$, compute $v_i = H_1(e(d_i, Q_s)^r)$, where $d_i$ is the private key of the receiver $ID_i$