Next Article in Journal
Sustainable Renewable Energy Source Selection Using a Machine Learning-Integrated Elliptic Intuitionistic Fuzzy Muirhead Mean Framework
Previous Article in Journal
A Branch-And-Price Approach to the Platform Supply Vessel Routing and Scheduling Problem with Uncertain Demand
Previous Article in Special Issue
Constraint-Efficient Comparators via Weighted Accumulation
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Traceable and Revocable Broadcast Encryption Scheme for Preventing Malicious Encryptors

1
School of Computer, Xijing University, Xi’an 710123, China
2
School of Cyberspace Security, Xi’an University of Posts and Telecommunications, Xi’an 710121, China
*
Author to whom correspondence should be addressed.
Mathematics 2026, 14(10), 1632; https://doi.org/10.3390/math14101632
Submission received: 15 March 2026 / Revised: 20 April 2026 / Accepted: 6 May 2026 / Published: 11 May 2026
(This article belongs to the Special Issue Applied Cryptography and Information Security with Application)

Abstract

Under the paradigm of the Internet of Things (IoT), the processing of large-scale data not only imposes higher demands on data-sharing efficiency but also increases the risk of user privacy leakage. To address these challenges, this paper proposes a blockchain-assisted traceable and revocable broadcast encryption scheme for preventing malicious encryptors (BATR). To resist trapdoor attacks by malicious encryptors, the scheme utilizes the uniform distribution property of hash function outputs to generate the random numbers required for the encryption algorithm. To block malicious users from leaking private keys, which attackers could exploit to construct piracy decoders with decryption capabilities, the scheme enhances the traditional broadcast encryption system by incorporating public tracing and revocation mechanisms. The scheme employs personalized transmission technology, allowing data owners to share public data with a set of authorized users while also sharing personalized data with specific authorized users. Additionally, users communicate using pseudonyms to ensure that their real identities are not accessible to third parties, thereby meeting privacy protection requirements. With the assistance of blockchain, trusted authorities and users can invoke smart contract interfaces to trigger blockchain peer nodes to execute smart contracts, thereby acquiring or updating identity authentication information stored on the blockchain to achieve secure authentication. This paper provides an analysis of the correctness and security of BATR, demonstrating that BATR satisfies chosen-ciphertext security under the Random Oracle Model. We also present performance evaluations and describe the experimental setup used to obtain operation-time baselines. Finally, this paper conducts a performance analysis of the BATR scheme, which exhibits high computational efficiency and compact communication bandwidth, resulting in significant performance improvements.

1. Introduction

In recent years, broadcast encryption (BE) [1] has seen extensive adoption across diverse domains including IoT, electronic healthcare and satellite radio communications. Broadcast encryption enables a broadcaster to securely encode messages and distribute the ciphertext to a group of authorized users. However, in some practical BE application scenarios, broadcasting not only requires sending common broadcast information but also needs to deliver personalized messages to individual users. To address this issue, Ohtake [2] first proposed the concept of personalized transmission, known as Data Outsourcing with Simultaneous Individual Transmission (DOSIT). Each authorized user can utilize their private key to access both publicly shared data and personalized content.
However, some authorized users may exhibit malicious behavior. Malicious users might leak private keys to attackers for illicit gains, enabling the latter to forge decryption-capable pirate decoder by using these private keys. Traitor tracing is designed to prevent such scenarios [3]. Upon detecting pirated decryption devices, the mechanism interacts with it to ultimately trace the malicious users involved in constructing the pirate decoder. Additionally, when the access rights of malicious users are revoked, regenerating ciphertext and keys requires substantial computational resources. Therefore, it is also essential to develop efficient revocation mechanisms.
If we regard the traitor tracing system as the protocol jointly operated through the data provider, the encryptor, the decryptor, the tracer, and the pirate decoder, then we must also evaluate the threat of trapdoor attacks embedded by malicious encryptors [4]. Since the encryptor is not always aligned with the digital content provider, we should consider the existence of this attack model in the real application of broadcast encryption. On the one hand, paying authorized subscribers can normally decrypt ciphertext using their private keys; on the other hand, the encryptor may leak trapdoors to attackers, who can then use simple attacks to obtain the plaintext underlying the broadcast ciphertext.
If the encryptor exhibits malicious behavior, traditional traitor tracing systems may fail to function properly in such scenarios. This is because the pirate box constructed by the attacker is not composed of private keys from authorized users but rather of trapdoors embedded by the malicious encryptor. In this case, the set of malicious users output by the traditional traitor tracing system would be empty, leading to tracing failure. Therefore, designing an efficient traitor tracing system to prevent malicious encryptors holds significant theoretical importance and practical application value.
In 2008, the emergence of blockchain-based digital currency, also known as Bitcoin, made the application of blockchain technology to IoT feasible. As a decentralized ledger, blockchain features distribution, traceability and tamper-resistance. Nodes jointly preserve the ledger through consensus protocols to guarantee data integrity [5]. As a result, blockchain surpasses commonly used cloud and database systems in aspects such as resistance to tampering, privacy preservation, and identity authentication [6]. Secondly, the full-node synchronization and real-time updating of transaction information in the blockchain ensure information transparency. The transparency and traceability inherent in blockchain allows transaction records to be viewed in real time. Multiple blockchain peer nodes can jointly manage the blockchain, ensuring that all users must register on the blockchain, thereby providing a unified identity authentication service. Operations related to user identity verification are written into smart contracts. Meanwhile, users and trusted institutions can invoke corresponding smart contract interfaces (APIs) to retrieve or update information stored on the blockchain, achieving secure authentication.
Unlike traditional centralized databases or cloud storage systems that rely on a single trusted administrator and thus suffer from a single point of failure, the blockchain in BATR serves as a decentralized and tamper-resistant Authentication Information Ledger (AIL). This design is particularly important under our threat model, because malicious entities may attempt to covertly modify or delete authentication, tracing, or revocation records. By leveraging multi-node consensus and ledger immutability, blockchain ensures that these records remain publicly verifiable and non-forgeable, which cannot be guaranteed by conventional centralized platforms.

1.1. Contributions

This paper introduces a blockchain-assisted traceable and revocable broadcast encryption scheme for preventing malicious encryptors (BATR). The main contributions of this paper are as follows:
(1)
BATR ensures resistance against malicious encryptors attacks and supports personalized message transmission, while user keys are jointly generated by users and a trusted authority, thereby avoiding key escrow issues and certificate management problems. Additionally, users communicate using pseudonyms to ensure that their real identities are not accessible to third parties, meeting the requirements for privacy protection.
(2)
With the assistance of blockchain, the scheme supports a dual tracing mechanism. When a data breach occurs, access records stored on the blockchain can be used to identify malicious users. In cases where user private keys are compromised, the tracking algorithm can be used to interact with the pirate decoder to get the malicious user information. Without compromising the decryption functionality of other legitimate users, BATR supports the dynamic revocation of malicious users’ access rights through de-anonymization.
(3)
The trusted authority and users can invoke smart contract interfaces to trigger blockchain peer nodes to execute smart contracts, enabling the retrieval or updating of identity authentication information stored on the blockchain, thereby achieving secure authentication.
(4)
BATR has a fixed decryption cost and storage overhead. Additionally, the scheme features compact communication bandwidth and high computing efficiency.

1.2. Related Works

The framework for broadcast encryption was initially formulated by Fiat and Naor [1] in 1994, aiming to address secure communication issues in multi-user environments. Boneh et al. [7] firstly utilized bilinear maps to propose a black-box traitor tracing scheme resistant to full collusion attacks, which can withstand collusion attacks from all unauthorized users. In recent years, anonymous broadcast encryption systems have garnered significant attention. Barth et al. [8] proposed for the first time a selective secure anonymous broadcast encryption scheme whose computing cost and communication bandwidth are linearly related to the number of system users. Additionally, they provided a generic construction achieving chosen-ciphertext security and receiver anonymity. Fazio and Perera [9] introduced the Outsider Anonymous Broadcast Encryption (OAnoBE) concept within the BE revocation framework, ensuring security under a non-standard Random Oracle Model (ROM). Outsider anonymity refers to the inability of external observers to determine the set of users included as recipients of the ciphertext, even if multiple unauthorized users collude. Lai et al. [10] employed revocation techniques to design a revocable anonymous identity-based broadcast encryption scheme, but its decryption cost grew with the number of users.
Integrating personalized transmission technology, Mandal et al. [11] constructed an outsider anonymous DOSIT scheme. This scheme features constant decryption costs, but the size of user private keys scales linearly with the total number of users, making it unsuitable for storage on resource-constrained smart devices. Yao et al. [12] proposed a fully anonymous blockchain-assisted privacy-preserving transaction scheme, achieving anonymity even among authorized users. Additionally, this scheme improved upon traditional DOSIT frameworks, addressing the key escrow issue.
Chor [3] first introduced the concept of traitor tracing at Crypto94, aiming to assist content publishers in identifying piracy. Kiayias et al. [13] integrated the traitor tracing mechanism into broadcast encryption systems, enabling efficient tracing of malicious users. Libert et al. [14] proposed a traitor tracing scheme supporting anonymity, which achieves efficient tracing while protecting user privacy; however, this scheme does not consider the revocation mechanism for malicious users’ permissions. Mandal et al. [15] introduced a fully anonymous tracing and revocation scheme that satisfies adaptive chosen-ciphertext security, but its decryption cost grows with the number of receivers.
Nevertheless, none of the aforementioned traitor tracing schemes can resist trapdoor attacks embedded by malicious encryptors. The concept of malicious encryptors embedding trapdoor attacks was first introduced by Wang and Pan et al. [4] in 2023, where attackers can use simple attacks to obtain the plaintext underlying the broadcast ciphertext. Under such attacks, traditional traitor tracing systems output an empty set of malicious users, leading to tracing failure. By improving the traitor tracing scheme in [7], their work constructed a traitor tracing scheme resistant to malicious encryptor attacks, but this scheme does not consider the anonymity of authorized users. In 2024, Liu and Pan et al. [16] proposed a traceable and revocable broadcast encryption scheme by considering the existence of malicious encryptors and incorporating personalized transmission technology. This scheme uses pseudonym technology to protect the real identities of authorized users and satisfies chosen-plaintext security. In the same year, Liu and Hu et al. [17] employed puncturing techniques to implement the revocation of malicious users’ permissions, but this scheme has high computing cost and communication overhead. In 2025, Liu and Hu et al. [18] introduced an anonymous traitor tracing scheme based on puncturable encryption, assisted by blockchain and the Interplanetary File System (IPFS). This scheme addresses data storage issues by combining blockchain with IPFS, achieving storage scalability. However, both decryption overhead and private key size grow with the number of receivers.

1.3. Organization

Section 2 introduces the fundamental knowledge of mathematics and cryptography. Section 4 details BATR’s system architecture and security model. Section 4 elaborates its concrete implementation structure. Section 5 provides proofs of the correctness and security. Section 6 presents the performance evaluation. To conclude, we provide an overview of our work.

2. Preliminary Backgrounds

2.1. Notations

Table 1 presents the notations and their corresponding meanings utilized in this paper.

2.2. Bilinear Pairings

Given two multiplicative cyclic groups G and G T of order p, where g is the generator of G. If the following properties are satisfied, then e : G × G G T is called a bilinear map.
1.
Bilinearity: x , y G , a , b Z p , e x a , y b = e x , y a b ;
2.
Non-degeneracy: e ( x , y ) is the generator of G T and e ( g , g ) 1 ;
3.
Computability: The function e can be evaluated efficiently.

2.3. Cryptographic Hash Function

Hash functions [19] have the following attributes:
1.
Unipolarity: Given a hash value y, the probability of finding an input x such that H x = y is negligible;
2.
Weak collision resistance: Given a hash value H ( x 1 ) , the probability of finding an input x 2 and x 2 x 1 such that H ( x 2 ) = H ( x 1 ) is negligible;
3.
Strong collision resistance: The probability of finding two different inputs x 1 and x 2 such that H ( x 1 ) = H ( x 2 ) is negligible.

2.4. Zero-Knowledge Protocol

In Zero-Knowledge Proof (ZKP) protocols [20], the prover P can demonstrate to the verifier V a statement’s validity without revealing any information beyond its truth. Assuming Z K { ( d 1 , d 2 ) : A = e ( g , h ) d 2 e ( d 1 , h ) = A 1 · B } is a ZKP protocol, the public input for this statement is ( P G , g , h , h , A , B ) , and d 1 and d 2 satisfy the equations A = e ( g , h ) d 2 and e ( d 1 , h ) = A 1 .
In this paper, a Zero-Knowledge Proof of Knowledge (ZK-PoK) for discrete logarithms is used, wherein the prover P can demonstrate to the verifier V the possession of a specific group element’s discrete logarithm without disclosing any additional information. The efficient ZK-PoK protocol is presented in Figure 1 [21], where P possesses ( g , x , R ) and aims to demonstrate to V, who holds ( g , R ) , that R = g x belongs to the multiplicative group G generated by g.

2.5. Complexity Assumption

The security of our scheme relies on the truncated decisional q-augmented bilinear Diffie–Hellman exponent assumption (q-ABDHE) [22]. Let G and G T be multiplicative cyclic groups of prime order p, g and g are two different generators of G. A bilinear map e : G × G G T is established. Randomly select α Z p , then publish the vector P g , α , g = ( g , g α , g α 2 , , g α q , g , g α q + 2 ) G q + 3 and an element T G T .
Given a probabilistic polynomial-time algorithm that accepts the public parameter vector P g , α , g = ( g , g α , g α 2 , , g α q , g , g α q + 2 ) G q + 3 and the element T G T , it determines whether T = e ( g , g ) α q + 1  or T is a uniformly random element Z in G T . The success probability in solving the qq-ABDHE challenge is defined in Equation (1)
A d v q - A B D H E ( λ ) = P r [ B ( P g , α , g , e ( g , g α ) ) α q + 1 ] = 1 P r [ B ( P g , α , g , T ) = 1 ] ε
Definition 1.
The truncated decisional q-ABDHE assumption holds if no PPT algorithm can solve the problem defined in Equation (1) with non-negligible advantage.

2.6. Tardos Codes

The tracing mechanism of BATR is based on the Tardos fingerprint code framework [23]. This framework consists of two core algorithms, which are described in detail as follows:
1.
( Γ , W a t M T K ) C o d e G e n 1 η , N : Input a safety parameter η and an integer N = p o l y ( η ) , the algorithm selects an error tolerance ε ( 0 , 1 ) and a maximum collusion threshold L = p o l y ( η ) N to set k = log ( 1 ε ) and the code word length l = 100 L 2 k . It uniformly and randomly selects r i from t , π 2 t with 0 < t < π 4 and sin 2 t = t . A matrix C N × l is generated, where any elements c j i and c j i with j j exhibit significant positive correlations, and the elements in the matrix tend to 1 when X i surpasses a predefined threshold. The code book Γ = w j j = 1 N is constructed, where w j 0 , 1 l represents the j-th row of code matrix C N × l . The watermarking master tracing key is W a t M T K = ( Z , X i i = 1 l ) .
2.
( T ) I d e n t i f y ( W a t M T K , w ) : Input the master tracing key W a t M T K = ( Z , X i i = 1 l and a pirated code word w of length l. Let S = w j j = 1 L ( Γ ) denote the set of colluders, and F ( S ) represents the feasible set of S containing w. The condition satisfied by F ( S ) is as follows: for w j i = b 0 , 1 , it holds that w i = b , where 1 i l , and w j i and w i denote the i-th bit of w j S and w 0 , 1 l respectively. The algorithm retrieves X i i = 1 l from the master tracing key to generate a matrix M N × l ,where the random variables m j i are independent with an expected value of 0 and a variance of 1, as defined in Equation (2).
m j i = 1 X i X i , if w j [ i ] = 1 X i 1 X i , if w j [ i ] = 0
Additionally, the algorithm extracts Z from WatMTK and evaluates whether the score computed via Equation (2) satisfies the threshold inequality i = 1 l w i · m j i > Z holds. If the inequality is satisfied, the code word w j S is considered to have participated in the creation of the pirated code word w F ( S ) . The algorithm ultimately outputs the set of colluders T.

3. System and Security Models

3.1. System Model

As Figure 2 shows, the BATR scheme comprises multiple entities: trusted authority, authorized users, broadcasters, the tracer, blockchain, and smart contracts.
1.
Blockchain Nodes: Within blockchain systems, peer nodes are classified into two types: endorsing nodes (ENs) and ordering nodes (ONs). Endorsing nodes are primarily responsible for maintaining a complete copy of the distributed ledger and executing smart contracts. Specifically, ENs perform the following key functions: first, ENs validate the integrity of new blocks before they are appended to the blockchain; second, ENs receive transaction proposals from users and TA, execute the corresponding smart contract interfaces, and return the authenticated proposal responses to the requesters. Ordering nodes are responsible for transaction ordering and the generation of new blocks. Their main functions include collecting all validated transactions from ENs, ordering the transactions according to a predefined consensus algorithm, and packaging the ordered transactions into new blocks. This process ensures the eventual consistency of the blockchain network, meaning that all ENs maintain synchronized and consistent copies of the blockchain.
2.
Smart Contracts: The Authentication Information Ledger (AIL) is utilized to implement authentication services, storing and managing relevant data such as the pseudonyms, T I D i , p k i , and public key expiration times of legitimate users u i . The smart contract system includes four core API interfaces: saveInfo, deleteInfo, updateInfo, and queryInfo. saveInfo is exclusively accessible to TA and is used to write new identity authentication information into the AIL; deleteInfo is invoked by TA when a user is detected as disconnected or identified as a malicious node, removing the corresponding record from the AIL; updateInfo is called by TA to update public information such as user public keys, with all pseudonyms requiring periodic updates to ensure the timeliness of key information; queryInfo is open to all users, supporting queries for other users’ public keys and pseudonyms. Among these, saveInfo, deleteInfo, and updateInfo are only accessible to TA, and any invocation requests from ordinary users are automatically rejected by the smart contract. The execution of these APIs triggers state changes in the AIL, and the results are broadcast to all valid users through an event mechanism, ensuring global consistency of the system state. As a query interface, queryInfo returns results only to the requester, implementing fine-grained access control. In BATR, blockchain is not used merely as a generic storage platform. It serves as the infrastructure for maintaining the Authentication Information Ledger (AIL), which stores pseudonyms, public keys, registration information, key-update events, and revocation records. This design is necessary in our threat model. If such records were maintained by a traditional centralized database or cloud server, the system would have to rely on a fully trusted administrator, and a compromised or colluding server could secretly modify, delete, or selectively hide critical records. By contrast, blockchain provides decentralization, tamper resistance, traceability, and consensus-based consistency, thereby ensuring that authentication-related records remain auditable, verifiable, and non-forgeable.
3.
Trusted Authority (TA): Responsible for system setup, generating system public parameters, and completing user registration. Upon successful registration, TA invokes the corresponding smart contract APIs to upload user information to the AIL. When a user is disconnected or detected for malicious behavior, TA calls the API to remove the corresponding record.
4.
Authorized Users: After the user sends a registration request to TA, TA generates a pseudonym, public key, and partial private key. After obtaining the partial private key, the user completes subsequent private key generation process. Authorized users can decrypt broadcast ciphertexts by leveraging their assigned private keys, thereby obtaining the public broadcast message and the corresponding personalized message. This entity is untrusted and may leak the private key to attackers, who could then construct a decryption-capable pirated decoder.
5.
Broadcasters: Used to generate and store broadcast ciphertexts for data owners, supporting personalized transmission. The tracing algorithm in BATR is of the public tracing type, so broadcasters can assume the role of the tracer.
6.
Tracer (TT): If there is a data breach, TT can detect suspicious users by analyzing data access records within blockchain based systems, identify their pseudonyms, and send them to TA; when a pirated box is detected, TT executes the tracing algorithm to interact with the pirated decoder, trace malicious users, and submit malicious users to TA, which then revokes their decryption permissions.

3.2. Working Flow

As Figure 3, the process by which TA invokes the API to complete the update of AIL records is as follows. Firstly, TA requests to call the updateInfo through the smart contract and sends a transaction request to its nearby endorsing nodes. Secondly, these endorsing nodes verify whether the requester has the authority to modify user information. If authorized, the endorsing nodes execute the smart contract to generate a processing result, which is then returned via the API interface. Thirdly, once the TA collects a sufficient number of responses, it forwards the authenticated transaction proposals to the ordering nodes for validity verification. After completing the verification, the ordering nodes package the legitimate transactions into a new block and broadcast it to all endorsing nodes. Each endorsing node performs integrity verification on the received block. If the verification is successful, the block is added to the blockchain, and the AIL state is updated according to the transaction types within the block. Finally, these changes are disseminated to all valid users to ensure that they update their cached authentication information.

3.3. Formal Definition

As shown in Figure 4, BATR incorporates six algorithms: Setup, KeyGen, Enc, Dec, T r a c e D and Re v o k e D .
1.
m p k , m s k S e t u p λ : TA executes this algorithm with a security parameter λ to generate the system master public key m p k and the system master private key m s k .
2.
s k i , p k i K e y G e n m p k , m s k , I D i : TA inputs m p k , m s k and the identity information I D i of the user u i , generating a public key p k i and partial private key s k i for I D i . Then u i generates a complete and valid private key s k i based on s k i .
3.
C T E n c ( m p k , S , m ) : The broadcaster injects m p k , the set of authorized users S = P I D 1 , P I D 2 , , P I D n and the broadcast message m 0 , 1 l , generating the corresponding broadcast ciphertext C T = ( H d r , c 2 )
4.
( m , K i ) D e c ( m p k , s k i , p k i , C T ) : User u i inputs the broadcast ciphertext C T , m p k , s k i and p k i . If this user is authorized, this decryption algorithm returns the corresponding public encrypted data m and personalized key K i ; otherwise, it outputs ⊥.
5.
S T T r a c e D ( m p k , S ) : This is a public tracing algorithm. Any tracing entity equipped with the system public key m p k and oracle access to the pirate decoder can execute the tracing procedure and output the set of malicious users involved in constructing the pirate decoder.
6.
Re v o k e D ( m p k ) : TA executes the revocation algorithm to disable access for malicious users, and then the broadcaster completes the ciphertext update.

3.4. Security Models

  • Game 1. The game involves two participants: the adversary A and the challenger C.
  • Initialization Phase. The setup algorithm is executed by C to produce m p k and m s k , and then sends m p k to A.
  • Phase 1. A adaptively sends three types of queries to C. To process these requests, C sustains an initially empty list L = { ( I D i , p k i , s k i ) } .
1.
Public Key Query. The adversary A sends user identity information I D i to initiate a query. If L contains the corresponding ( I D i , p k i , s k i ) , C directly returns p k i to A. If not, C executes the key generation algorithm to get the public–private key pair ( p k i , s k i ) , returns p k i to A, and then adds the record ( I D i , p k i , s k i ) to L. We assume that for any I D i , A must trigger a public key retrieval before initiating any other queries.
2.
Private Key Query. The adversary A sends user identity information I D i to initiate a query. C looks up the corresponding record in L and then returns s k i to A.
3.
Decryption Query. The adversary A sends ciphertext C T and I D i to initiate a query. First, C looks up the corresponding record in L. Then C executes the decryption algorithm to get the decryption result and returns it to A.
  • Challenge. When Phase 1 is confirmed to be complete, the adversary A submits a set S * and two equal-length messages ( m 0 , m 1 ) to C. In Phase 1, A initiates no private key query for any user in S * . Then C randomly chooses b { 0 , 1 } and executes the encryption algorithm to get challenge ciphertext. Finally, C transmits C T * to the adversary A.
  • Phase 2. Similar to Phase 1, A initiates adaptive queries. A is forbidden to initiate private key queries or decryption queries for any user in S * .
  • Guess. The adversary A outputs a guess b for b. A wins this game if b = b . The advantage of A in winning this security game is defined in Equation (3), where b is the hidden challenge bit chosen by the challenger and b is the adversary’s output guess.
    A d v B A T R I N D - C C A ( λ ) = Pr [ b = b ] 1 2 .
Definition 2.
If for any PPT adversary A conducting at most q p u b public key queries, q p r i private key queries, and q d e c decryption queries, the advantage of winning this game, then BATR is said to satisfy IND-CCA security.

4. Proposed BATR Construction

4.1. System Setup

Input the security parameter λ ; TA gets a bilinear group p , G , G T , e , randomly selects a generator g G and elements α Z p * , h 1 , h 2 G . TA calculates g T = e g , g and g 1 = g α . Then TA selects these hash functions H 1 : 0 , 1 l Z p * , H 2 : 0 , 1 l × G T Z p * , H 3 : G × G T Z p * , H 4 : G T 0 , 1 w , H 5 : G T 0 , 1 l , H 6 : G 0 , 1 l and H 7 : 0 , 1 l × G G T , where w denotes a positive integer. The system public parameter is m p k = p , G , G T , e , g , g 1 , g T , h 1 , h 2 , H i i = 1 7 , and the master private key is m s k = α .

4.2. KeyGen

Each user is required to register with TA to obtain their pseudonym and private key. TA is responsible for storing the authentication information on the blockchain. Taking user u i as an example:
(1)
u i sends a registration request I D i , where I D i represents the real identity information of user u i .
(2)
Upon receiving the registration request, TA first verifies the validity of I D i . If the identity verification fails, the request is terminated. Otherwise, u i randomly selects c 1 , c 2 Z p * , computes R 1 = g c 1 , R 2 = g c 2 , R 3 = g 1 c 1 , and sends R 1 and R 2 to TA through a Zero-Knowledge Proof process as shown in Figure 1. If the proof fails, the request is terminated.
(3)
Otherwise, TA computes the pseudonym P I D i = I D i H 6 T I D i α and β = H 1 ( P I D i ) , where T I D i = R 1 · R 2 . TA computes the partial private key s k i = ( d 1 , d 2 ) = ( ( h 1 · g c 1 ) 1 / ( α β ) , ( h 2 · g c 2 ) 1 / ( α β ) ) , and sets p k i 1 = R 3 = g 1 c 1 , p k i 2 = R 1 1 = g c 1 , p k i 3 = R 2 1 = g c 2 , p k i 4 = p k i 1 · p k i 2 β = ( g 1 · g β ) c 1 , p k i 5 = e ( g , h 1 · p k i 2 ) = e ( g , h 1 · g c 1 ) , p k i 6 = e ( g , h 2 · p k i 3 ) = e ( g , h 2 · g c 2 ) . TA sends the obtained partial private key s k i and public key p k i = ( p k i 1 , p k i 2 , p k i 3 , p k i 4 , p k i 5 , p k i 6 , P I D i ) as a response to user u i . Simultaneously, TA invokes saveInfo to upload u i ’s authentication information to AIL, which records the legitimate user’s pseudonym P I D i , T I D i , p k i , and the public key expiration time.
(4)
User u i obtains the corresponding public key p k i and private key s k i = s k i 1 , s k i 2 , s k i 3 , s k i 4 = c 1 , c 2 , d 1 , d 2 .

4.3. Broadcast Encryption

The broadcast inputs m p k , the set of authorized users S = P I D 1 , P I D 2 , , P I D n where n N and the broadcast message m 0 , 1 l to carry out the following content.
(1)
It randomly selects s G , and the broadcast calculates the session key K = H 7 ( m , s ) . It employs a hash function to calculate r = H 2 ( M , K ) required for encryption, and computes c 01 = g r , c 02 = g 1 r , c 03 = g T r and c 2 = m H 5 ( K ) .
(2)
For each i 1 , , n , the broadcast computes ϕ 1 = p k i 4 r , ϕ 2 = c 03 and γ = H 3 ( ϕ 1 , ϕ 2 ) . For user u i , the personalized key is K i = p k i 5 r · γ · p k i 6 r .
(3)
Finally, the broadcaster computes c 1 i = ( c 1 i _ 1 , c 1 i _ 2 ) = ( H 4 ( K i ) , K · K i ) . The broadcast ciphertext header is H d r = ( c 01 , c 02 , c 03 , c 1 i i = 1 n ) , and the broadcast ciphertext is C T = ( H d r , c 2 ) .
If secure hash functions do not participate in producing the random number r required for encryption, a malicious encryptor could embed a trapdoor in the random number. For example, a malicious encryptor could use ϖ as the random number in all encryption operations. The attacker could use the trapdoor ϖ to compute ϕ 1 = p k j 4 ϖ , obtaining K j = e ( g , p k j 5 ) γ · p k j 6 ϖ and K = c 1 j _ 2 / K j where γ = H 3 ( ϕ 1 , c 03 ) , and then m = c 2 H 5 ( K ) .

4.4. Broadcast Decryption

User u i decrypts the broadcast ciphertext C T = ( H d r , c 2 ) using the private key s k i . If P I D i is not in the set of authorized users, the decryption algorithm outputs ⊥. Otherwise, the following steps are executed.
(1)
User u i computes ϕ 1 = ( c 02 ) s k i 1 · ( c 01 ) β · s k i 1 , γ = H 3 ( ϕ 1 , ϕ 2 ) and β = H 1 ( P I D i ) . Let ϕ 2 = c 03 ; the user computes K i = e ( ϕ 1 , s k i 3 γ · s k i 4 ) 1 / s k i 1 · ( ϕ 2 ) 2 ( γ · s k i 1 + s k i 2 ) .
(2)
User u i computes c 1 i _ 1 = H 4 ( K i ) , locates the corresponding c 1 i in C T , then calculates K = c 1 i _ 2 / K i and m = c 2 H 5 ( K ) .
(3)
User u i computes r = H 2 ( m , K ) . If c 03 = g T r holds, this algorithm returns the public message m and the personalized key K i for user u i . Otherwise, it outputs ⊥.

4.5. Public Tracing of Data Leakage and Pirate Decoders

We emphasize that BATR handles two different adversarial behaviors. First, trapdoor attacks introduced by malicious encryptors are prevented by construction, because the encryption randomness is generated as r = H 2 ( m , K ) , rather than being arbitrarily selected by the encryptor. Hence, the scheme neutralizes malicious encryptor trapdoors at the ciphertext-generation stage. Second, colluding malicious users who leak private keys are identified through the Tardos-code-based public tracing procedure. The maximum number of colluding users that can be reliably identified is determined by the collusion threshold L in the Tardos framework.
The tracing in this scheme can be divided into two cases. The first case is data leakage, where the broadcaster searches for suspicious users through data access records on the blockchain, identifies the pseudonyms P I D i of the suspicious users, and sends them to TA. The second type is private key leakage, where malicious users leak their private keys to attackers, who then construct a pirated decoder with decryption capabilities. The broadcaster assumes the role of the tracer.
(1)
Execute T C . C o d e G e n 1 η , N algorithm to get the code book Γ = w i i = 1 N and W a t M T K = ( Z , X i i = 1 k ) where k is the code length. Each user u i where i N corresponds to a code word w i Γ , and the set of authorized users S corresponds to the code word set S ¯ = w i : i I S Γ . Simultaneously, initialize the pirated code as w = 0 k .
(2)
For each j 1 , 2 , · · · , k , repeat the following steps.
Step 1: Randomly select a broadcast message m * 0 , 1 l , execute the encryption algorithm, and generate the corresponding tracing ciphertext c [ j ] * E n c ( m p k , S , m * ) .
Step 2: For each position j { 1 , 2 , , l } , the tracer repeatedly interacts with the pirate decoder on independently generated tracing ciphertexts and estimates the success probability p j that the decoder outputs the correct decryption result. If the empirical estimate satisfies p j 1 2 , the tracer sets w [ j ] = 1 ; otherwise, it keeps w [ j ] = 0 . We stress that this step is probabilistic rather than deterministic: the pirate code word is reconstructed from repeated sampling, and the final identification guarantee follows from the soundness of the Tardos-code tracing framework.
(3)
The tracer executes I d e n t i f y ( W a t M T K , w ) algorithm to obtain the result set T ¯ ( S ¯ ) . Finally, the tracing algorithm outputs the set of colluders S T = P I D t : w t T ¯ ( S ) , where the users in S T are the malicious users involved in constructing the pirated decoder D.
The tracing procedure in BATR is public: it only relies on the public parameter m p k , the codebook, and interactions with the pirate decoder. Hence, the broadcaster or another designated auditor can act as the tracer. By contrast, revocation is not public. Only TA has the privilege to invoke the smart-contract management interfaces and complete the de-anonymization and revocation steps.

4.6. Revocation and De-Anonymization

When users lose connection or their public key expires, TA can call deleteInfo to remove the corresponding authentication tuple from AIL. Furthermore, upon detecting malicious behavior, the tracer submits the information of malicious users, and TA uses deleteInfo to delete the corresponding records from AIL. TA then de-anonymizes the malicious user by computing I D i = P I D i H 6 ( T I D α ) and holds them accountable. Changes to AIL are propagated to all legitimate users by the blockchain peer nodes, ensuring that legitimate users can promptly delete the corresponding authentication information stored in their ledgers. Simultaneously, the broadcast only needs to remove the malicious user’s corresponding c 1 i to complete the ciphertext update.

5. Correctness and Security Analysis

5.1. Correctness of Decryption

In this subsection, we prove the correctness of BATR, namely, that any authorized user holding a valid secret key can recover the same personalized key K i and the same broadcast session key K embedded by the encryptor, and therefore correctly obtain the broadcast message m. The proof shows that the values reconstructed in the decryption phase are algebraically identical to those generated in the encryption phase.
During the decryption phase, the authorized user u i first reconstructs the intermediate value ϕ 1 according to Equation (4):
ϕ 1 = ( c 02 ) s k i 1 · ( c 01 ) β · s k i 1 = ( g 1 r ) c 1 · ( g r ) β · c 1 = ( g 1 · g β ) c 1 · r = p k i 4 r = ϕ 1
Since ϕ 2 = c 03 = g T r = ϕ 2 , it follows that γ = H 3 ( ϕ 1 , ϕ 2 ) = γ .
Subsequently, user u i calculates the personalized session key K i through the algebraic derivation shown in Equation (5):
K i = e ( ϕ 1 , s k i 3 γ · s k i 4 ) 1 / s k i 1 · ( ϕ 2 ) 2 ( γ s k i 1 + s k i 2 ) = e ( p k i 4 r ( h 1 g c 1 ) γ α β ( h 2 g c 2 ) 1 α β ) 1 c 1 e ( g , g ) 2 r ( γ c 1 + c 2 ) = e ( g α g β ) r c 1 , ( h 1 g c 1 ) γ ( h 2 g c 2 ) 1 c 1 ( α β ) e ( g , g ) 2 r ( γ c 1 + c 2 ) = e ( g r , ( h 1 g c 1 ) γ ( h 2 g c 2 ) ) e ( g , g ) 2 r ( γ c 1 + c 2 ) = e ( g , h 1 ) r γ e ( g , g ) r c 1 γ e ( g , h 2 ) r e ( g , g ) r c 2 e ( g , g ) 2 r ( γ c 1 + c 2 ) = e ( g , h 1 ) r γ e ( g , g ) r c 1 γ e ( g , h 2 ) r e ( g , g ) r c 2 = e ( g , ( h 1 g c 1 ) r γ ) e ( g , ( h 2 g c 2 ) r ) = p k 5 i r γ p k 6 i r = K i
Finally, user u i computes the session key K = c 1 i _ 2 / K i = ( K · K i ) / K i = K , and gets the broadcast message m = c 2 H 5 ( K ) = ( m H 5 ( K ) ) H 5 ( K ) = m .

5.2. IND-CCA Security Under the q-ABDHE Assumption

Theorem 1.
Suppose there exists a PPT adversary A that can break the security of BATR with advantage ε by making at most q p r i private key and q d e c decryption queries where q = q S + q D + 1 . Then a simulator B can solve the Decisional q-ABDHE hard problem with equivalent advantage.
Proof. 
B is given a random instance ( p , G , G T , e , g , g α , g α 2 , . . . , g α q , g , g α q + 2 , T ) of the Decisional q-ABDHE hard problem. The purpose of B is to determine whether the equation T = e ( g , g ) α q + 1 is true. □
Initialization Phase. B executes S e t u p λ algorithm to generate ( p , G , G T , e , g ) . It randomly selects an element α Z p * , and then computes g T = e ( g , g ) and g 1 = g α . The simulator B randomly selects two q-degree polynomials f 1 ( x ) , f 2 ( x ) Z p [ x ] , and computes h 1 = g f 1 ( x ) and h 2 = g f 2 ( x ) . B employs these hash functions H 1 : 0 , 1 l Z p * , H 2 : 0 , 1 l × G T Z p * , H 3 : G × G T Z p * , H 4 : G T 0 , 1 w , H 5 : G T 0 , 1 l , H 6 : G 0 , 1 l and H 7 : 0 , 1 l × G G T , where w represents a positive integer parameter. The system public parameter is m p k = p , G , G T , e , g , g 1 , g T , h 1 , h 2 , H i i = 1 7 , l , w and the master private key is m s k = α . B transmits m p k to A.
Phase 1. A adaptively sends three types of queries to B. To process these requests, B sustains an initially empty list L = { ( I D i , p k i , s k i ) } .
(1)
Public Key Query. A sends user identity information I D i to initiate a query. B defines two ( q 1 ) -degree polynomial functions F i 1 ( x ) = ( f 1 ( x ) f 1 ( β ) ) / ( x β ) and F i 2 ( x ) = ( f 2 ( x ) f 2 ( β ) ) / ( x β ) . Then B computes the private key s k i = s k i 1 , s k i 2 , s k i 3 , s k i 4 = ( f 1 ( β ) , g F i 1 ( α ) , f 2 ( β ) , g F i 2 ( α ) ) for user I D i based on ( g , g α , g α 2 , , g α q ) . Since
g F i 1 ( α ) = g ( f 1 ( α ) f 1 ( β ) ) / ( α β ) = ( g f 1 ( α ) · g f 1 ( β ) ) 1 / ( α β ) = ( h 1 · g f 1 ( β ) ) 1 / ( α β ) ,
g F i 2 ( α ) = g ( f 2 ( α ) f 2 ( β ) ) / ( α β ) = ( g f 2 ( α ) · g f 2 ( β ) ) 1 / ( α β ) = ( h 2 · g f 2 ( β ) ) 1 / ( α β ) ,
s k i is a valid private key for I D i . The simulator B computes the public key elements p k i 1 = g 1 f 1 ( β ) , p k i 2 = g f 1 ( β ) , p k i 3 = g f 2 ( β ) , p k i 4 = p k i 1 · p k i 2 β = ( g 1 · g β ) f 1 ( β ) , p k i 5 = e ( g , h 1 · p k i 2 ) = e ( g , h 1 · g f 1 ( β ) ) , p k i 6 = e ( g , h 2 · p k i 3 ) = e ( g , h 2 · g f 2 ( β ) ) . The public key is p k i = ( p k i 1 , p k i 2 , p k i 3 , p k i 4 , p k i 5 , p k i 6 , P I D i ) . Finally, B adds ( I D i , p k i , s k i ) to L and returns p k i to A. For all I D i , A must initiate a public key query before initiating the following two types of queries.
(2)
Private Key Query. The adversary A sends I D i to initiate a private key query. B looks up the corresponding record ( I D i , p k i , s k i ) in L and returns the private key s k i corresponding to I D i .
(3)
Decryption Query. A sends ciphertext C T and I D i to initiate a decryption query. Assume the broadcast ciphertext is C T = ( H d r , c 2 ) , where H d r = ( c 01 , c 02 , c 03 , c 1 i i = 1 n ) . First, B looks up the corresponding record ( I D i , p k i , s k i ) in L. Second, B executes the D e c ( m p k , s k i , p k i , C T ) algorithm, computing ϕ 1 = ( c 02 ) s k i 1 · ( c 01 ) β · s k i 1 , γ = H 3 ( ϕ 1 , ϕ 2 ) and K i = e ( ϕ 1 , s k i 3 γ · s k i 4 ) 1 / s k i 1 · ( ϕ 2 ) 2 ( γ · s k i 1 + s k i 2 ) where β = H 1 ( P I D i ) and ϕ 2 = c 03 . By computing c 1 i _ 1 = H 4 ( K i ) , B locates the corresponding c 1 i in C T . Then B calculates K = c 1 i _ 2 / K i and m = c 2 H 5 ( K ) . Finally, the algorithm computes r = H 2 ( m , K ) . If c 03 = g T r holds, it outputs the public message m and the personalized key K i for user I D i ; if not, it outputs ⊥. Finally, B transmits the result to A.
Challenge. When Phase 1 is confirmed to be complete, A sends a set S * and two equal-length messages ( m 0 , m 1 ) to B. In Phase 1, A initiates no private key query for any user in S * . B randomly chooses b { 0 , 1 } and computes the challenge ciphertext C T * as follows:
Firstly, for all users in S * , B specifies the polynomial expression F i ( x ) = ( x q + 2 β i q + 2 ) / ( x β i ) = t = 0 q + 1 W i t · x t , where W i t is the t-th coefficient of the expansion of F i ( x ) . Based on ( g , g α , g α 2 , , g α q , g , g α q + 2 , T ) , B computes ϕ 1 = ( g α q + 2 · g β i q + 2 ) s k i 1 , ϕ 2 = T W i q + 1 · e ( t = 0 q ( g α t ) W i t , g ) and γ = H 3 ( ϕ 1 , ϕ 2 ) . Then, B computes the personalized private key K i = e ( ϕ 1 , s k i 3 γ · s k i 4 ) 1 / s k i 1 · ( ϕ 2 ) 2 ( γ · s k i 1 + s k i 2 ) .
Next, B randomly selects an element s G , computes the session key K = H 7 ( m , s ) and generates the partial ciphertext c 1 i * = ( c 1 i _ 1 * , c 1 i _ 2 * ) = ( H 4 ( K i ) , K · K i ) . Thus B gets H d r * = ( c 0 * , c 11 * , c 12 * , , c 1 n * ) where c 0 * = ϕ 2 . B randomly chooses b { 0 , 1 } and calculates C 2 * = m b H 5 ( K ) . The challenge ciphertext is C T * = ( H d r * , C 2 * ) .
Finally, B transmits C T * to the adversary A.
Phase 2. Similar to Phase 1, A initiates these queries. A is forbidden to initiate private key queries or decryption queries for any users in S * .
Guess. A outputs a guess b for b. If b = b , then B outputs 1, which means T = e ( g , g ) α q + 1 . If b b , then B outputs 0, which means T e ( g , g ) α q + 1 .
The advantage of B is analyzed as follows:
-
If T = e ( g , g ) α q + 1 , then r i = log g g · F i ( α ) , and the following components defined in Equations (6) and (7) are correctly formed:
ϕ 1 = g α q + 2 · g β i q + 2 s k i 1 = g s k i 1 · log g g · α q + 2 β i q + 2 = g s k i 1 · r i α β i = p k 4 r i
ϕ 2 = T W i q + 1 · e t = 0 q g α t W i t , g = e ( g , g ) α q + 1 W i q + 1 · e t = 0 q g α t W i t , g = e ( g , g ) log g g · t = 0 q + 1 a t · W t = g T r i
As a result, the challenge ciphertext generated based on Equations (6) and (7) is indistinguishable from a real ciphertext.
When T = e ( g , g ) α q + 1 , ϕ 1 and ϕ 2 are valid values. Therefore, the broadcast ciphertext C T * generated based on ϕ 1 and ϕ 2 is also valid. At this point, the success probability of A guessing b is Pr [ b = b ] 1 / 2 ε .
-
If T e ( g , g ) α q + 1 , then T is a random element in G T , so ϕ 1 and ϕ 2 are invalid values. Therefore, the broadcast ciphertext C T * generated based on ϕ 1 and ϕ 2 is also invalid. At this point, the success probability of A guessing b is Pr [ b = b ] = 1 / 2 .
Therefore, the advantage of B in solving the Decisional q-ABDHE hard problem is
| Pr [ B ( g , g α , g α 2 , , g α q , g , g α q + 2 , e ( g , g ) α q + 1 ) = 1 ] Pr [ B ( g , g α , g α 2 , , g α q , g , g α q + 2 , T ) = 1 ] | ( 1 / 2 ± ε ) 1 / 2 = ε .

6. Performance Evaluation

6.1. Functionality

Table 2 presents a comparative analysis of the security attributes between BATR and existing schemes. During the communication process, user I D i employs a pseudonym P I D i for communication, which effectively safeguards user privacy. Only TA can compute the real identity of the user from the pseudonym information. Therefore, this scheme ensures the anonymity of user identities. Secondly, the BATR scheme supports personalized transmission, and this feature not implemented in schemes [10,15,18]. Additionally, the BATR scheme incorporates a dual-tracking method, effectively preventing data leakage and user private key compromise. In contrast, the schemes [10,11] lack tracking capabilities, while the schemes [15,16] do not account for tracking in the event of data leakage. Our scheme achieves the revocation of malicious users. Finally, BATR relies on the property that the output of the hash function is uniformly distributed to resist the malicious encryptor’s embedded trapdoor attack. However, schemes [10,11,15] are not resistant to such attacks. Although the scheme [16] can resist trapdoor attacks by malicious encryptors, the user’s private key in [16] is computed solely by KGC, thus failing to address the key escrow issue.

6.2. Efficiency Analysis

To ensure reproducibility, the operation times reported in Table 3 were obtained from a proof-of-concept implementation written in the C programming language by using the native API of the Pairing-Based Cryptography (PBC) library version 0.5.14 [24]. The experiments were conducted on a laptop equipped with an Intel(R) Core(TM) i7-8550U CPU @ 2.00 GHz, 8 GB RAM, and a 64-bit Windows 11 operating system.
The implementation uses a Type-A symmetric pairing in PBC, instantiated over a supersingular elliptic curve of the form y 2 = x 3 + x defined over a finite field F p . The base-field size is 512 bits and the prime-order subgroup size is 160 bits. Under this parameterization, the element sizes used in the analytical communication/storage comparison are approximately | G | = | G 1 | = | G 2 | = 160 bits and | G T | = 1024 bits.
For each primitive operation listed in Table 3, we first executed 100 warm-up runs to reduce the influence of initialization and cache effects. After that, the same operation was executed 1000 times in one batch, and the average runtime per operation in that batch was recorded. This batch measurement procedure was repeated independently 30 times. The final value reported in Table 3 is the arithmetic mean of the 30 batch averages.
The timings in Table 3 are used as primitive-operation baselines. The computational-cost expressions in Table 4 are obtained by counting the dominant cryptographic operations in the corresponding encryption and decryption algorithms and then substituting the average per-operation runtimes from Table 3. The communication and storage expressions in Table 5 are derived analytically by counting the number of transmitted or stored group elements and multiplying them by the corresponding element sizes.

6.2.1. Computation Cost

In the performance analysis below, we use n = | S | to denote the number of authorized users in the broadcast set. This notation is introduced to avoid confusion with the symbol L used earlier in the Tardos-code framework to denote the collusion threshold.
In this paper, the computational-cost expressions in Table 4 are analytically derived by counting the dominant cryptographic operations appearing in the encryption and decryption algorithms of each scheme, including hash evaluations, bilinear pairings, exponentiations in G / G 1 , and exponentiations in G T . Lightweight operations are disregarded, with focus solely placed on several complex algebraic computations. The execution times for these critical operations are presented in Table 3. Our analysis focuses on computational costs across encryption and decryption phases. Table 4 presents a cost comparison between BATR and other schemes. As illustrated in Figure 4, the encryption costs for both BATR and existing schemes increase with the number of users. However, compared to scheme [18], BATR exhibits a slower rate of increase and lower encryption costs. Nevertheless, since the BATR scheme requires the transmission of personalized data for authorized users, its encryption costs are higher than those of the other three referenced schemes. Meanwhile, the decryption costs for the BATR scheme and schemes [11,16] remain constant, not affected by user quantity. In contrast, the decryption costs for schemes [10,18] increase with the number of users. Therefore, compared to existing schemes, BATR demonstrates superior encryption and decryption algorithms.
Figure 5, Figure 6 and Figure 7 are generated from the analytical expressions in Table 4 and Table 5 under the parameter setting specified in Section 6.2. Therefore, these figures should be interpreted as comparative performance trends rather than raw benchmark measurements.
For BATR, the encryption algorithm performs three constant hash evaluations, namely H 7 ( m , s ) , H 2 ( m , K ) , and H 5 ( K ) , two exponentiations in G for c 01 = g r and c 02 = g 1 r , and one exponentiation in G T for c 03 = g T r . In addition, for each authorized user, encryption requires one exponentiation in G to compute ϕ 1 = p k i 4 r , one hash evaluation H 3 ( ϕ 1 , ϕ 2 ) , two exponentiations in G T to compute p k i 5 r γ and p k i 6 r , and one hash evaluation H 4 ( K i ) . Therefore, the total encryption cost is ( 2 n + 3 ) H + ( n + 2 ) E + ( 2 n + 1 ) S .
For decryption, BATR requires one evaluation of H 1 ( P I D i ) , two exponentiations in G to reconstruct ϕ 1 , one evaluation of H 3 , one pairing operation, one additional exponentiation in G, two exponentiations in G T , and three further hash evaluations H 4 , H 5 , and H 2 . Hence, the total decryption cost is 5 H + P + 3 E + 2 S .

6.2.2. Communication Cost

A comparison of communication costs between existing schemes and the BATR scheme is presented in Table 5. As depicted in Figure 5, the ciphertext size for BATR and existing schemes increases with the number of users. Additionally, the communication overhead of BATR is nearly identical to that of schemes [11,16]. However, compared to scheme [18], BATR exhibits a slower rate of increase in ciphertext size and lower communication costs.
Figure 5, Figure 6 and Figure 7 are plotted from the analytical expressions in Table 4 and Table 5 by substituting the primitive-operation baselines reported in Table 3. Therefore, these figures should be interpreted as analytical comparison trends rather than raw one-shot benchmark measurements.
The communication-cost expressions in Table 5 are also analytically derived. They are obtained by counting the number of transmitted or stored group elements in the ciphertext, public parameters, and private keys, and then multiplying by the corresponding element sizes.

6.2.3. Storage Cost

Table 5 presents a performance comparison between existing schemes and BATR in terms of storage costs. As illustrated in Figure 6, the size of the public parameter in BATR remains constant with a space complexity of O ( 1 ) . Conversely, the size of the system public parameter for other schemes grows with the number of users, leading to a significant increase in storage overhead on the user side. Further analysis of Figure 7 reveals that both BATR and scheme [16] achieve optimization in user private key length, with the private key size fixed at two group elements and a space complexity of O ( 1 ) . On the other hand, the user private key size in schemes [11,18] grows proportionally to the number of users, resulting in a space complexity of O ( n ) . BATR’s constant-level storage complexity makes it particularly suitable for resource-constrained lightweight application environments, such as IoT terminal devices or mobile computing platforms.
The communication-cost expressions in Table 5 are obtained by counting the number of group elements appearing in the ciphertext header and message component. For BATR, the ciphertext consists of two elements in G, namely c 01 and c 02 , together with one element in G T , namely c 03 , and n personalized components c 1 i , each contributing one element in G T . Therefore, the ciphertext communication cost is 2 | G | + ( n + 1 ) | G T | . The storage expressions are derived in the same way by counting the number of public-parameter and private-key elements stored by the scheme.

7. Conclusions

This paper proposes a blockchain-assisted traceable and revocable broadcast encryption scheme for preventing malicious encryptors (BATR). This scheme leverages uniform distribution property of hash function outputs to resist attacks by malicious encryptors and supports personalized transmission. With the support of blockchain technology, TA and users can dynamically acquire or update identity authentication information stored on the blockchain by invoking APIs, thereby achieving secure authentication. Additionally, in the event of a data breach, malicious users can be accurately identified and located by analyzing data access records stored on the blockchain. If malicious users are found to have leaked their private key, the scheme can effectively trace the malicious users through an interaction between the tracing algorithm and the piracy decoder. Furthermore, the BATR scheme supports the dynamic revocation of access permissions for malicious users, achieved by invoking APIs combined with de-anonymization techniques. Finally, BATR satisfies chosen-ciphertext security. Compared to existing schemes, this scheme exhibits significant performance advantages.

Author Contributions

Conceptualization, L.Y.; writing—original draft, H.P.; data curation, J.S.; investigation, M.C.; supervision and methodology, S.L. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

The original contributions presented in this study are included in the article. Further inquiries can be directed to the corresponding author.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Fiat, A.; Naor, M. Broadcast encryption. In Proceedings of the Advances in Cryptology—CRYPTO’93: 13th Annual International Cryptology Conference, Santa Barbara, CA, USA, 22–26 August 1993; Proceedings 13; Springer: Berlin/Heidelberg, Germany, 1994; pp. 480–491. [Google Scholar]
  2. Ohtake, G.; Hanaoka, G.; Ogawa, K. Efficient broadcast encryption with personalized messages. In Proceedings of the Provable Security: 4th International Conference, ProvSec 2010, Malacca, Malaysia, 13–15 October 2010; Proceedings 4; Springer: Berlin/Heidelberg, Germany, 2010; pp. 214–228. [Google Scholar]
  3. Chor, B. Tracing traitors. In Advances in Cryptology, Proceedings of the Crypto’94; Springer: Berlin/Heidelberg, Germany, 1994; pp. 480–491. [Google Scholar]
  4. Wang, X.A.; Pan, L.; Liu, H.; Yang, X. Traitor tracing revisited: New attackers, stronger security model and new construction. Cryptol. ePrint Arch. 2023. [Google Scholar]
  5. Berdik, D.; Otoum, S.; Schmidt, N.; Porter, D.; Jararweh, Y. A survey on blockchain for information systems management and security. Inf. Process. Manag. 2021, 58, 102397. [Google Scholar] [CrossRef]
  6. Cheng, L.; Liu, J.; Xu, G.; Zhang, Z.; Wang, H.; Dai, H.N.; Wu, Y.; Wang, W. SCTSC: A semicentralized traffic signal control mode with attribute-based blockchain in IoVs. IEEE Trans. Comput. Soc. Syst. 2019, 6, 1373–1385. [Google Scholar] [CrossRef]
  7. Boneh, D.; Sahai, A.; Waters, B. Fully collusion resistant traitor tracing with short ciphertexts and private keys. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques; Springer: Berlin/Heidelberg, Germany, 2006; pp. 573–592. [Google Scholar]
  8. Barth, A.; Boneh, D.; Waters, B. Privacy in encrypted content distribution using private broadcast encryption. In Proceedings of the International Conference on Financial Cryptography and Data Security; Springer: Berlin/Heidelberg, Germany, 2006; pp. 52–64. [Google Scholar]
  9. Fazio, N.; Perera, I.M. Outsider-anonymous broadcast encryption with sublinear ciphertexts. In Proceedings of the Public Key Cryptography–PKC 2012: 15th International Conference on Practice and Theory in Public Key Cryptography, Darmstadt, Germany, 21–23 May 2012; Proceedings 15; Springer: Berlin/Heidelberg, Germany, 2012; pp. 225–242. [Google Scholar]
  10. Lai, J.; Mu, Y.; Guo, F.; Susilo, W.; Chen, R. Anonymous identity-based broadcast encryption with revocation for file sharing. In Proceedings of the Information Security and Privacy: 21st Australasian Conference, ACISP 2016, Melbourne, VIC, Australia, 4–6 July 2016; Proceedings, Part II 21; Springer: Cham, Switzerland, 2016; pp. 223–239. [Google Scholar]
  11. Mandal, M.; Dutta, R. Identity-based outsider anonymous cloud data outsourcing with simultaneous individual transmission for IoT environment. J. Inf. Secur. Appl. 2021, 60, 102870. [Google Scholar] [CrossRef]
  12. Yao, S.; Zhang, D. BPRT: A blockchain-based privacy-preserving transaction scheme based on an efficient broadcast encryption with personalized messages. Trans. Emerg. Telecommun. Technol. 2023, 34, e4675. [Google Scholar] [CrossRef]
  13. Kiayias, A.; Pehlivanoglu, S. Pirate evolution: How to make the most of your traitor keys. In Proceedings of the Annual International Cryptology Conference; Springer: Berlin/Heidelberg, Germany, 2007; pp. 448–465. [Google Scholar]
  14. Libert, B.; Paterson, K.G.; Quaglia, E.A. Anonymous broadcast encryption: Adaptive security and efficient constructions in the standard model. In Proceedings of the Public Key Cryptography–PKC 2012: 15th International Conference on Practice and Theory in Public Key Cryptography, Darmstadt, Germany, 21–23 May 2012; Proceedings 15; Springer: Berlin/Heidelberg, Germany, 2012; pp. 206–224. [Google Scholar]
  15. Mandal, M.; Sarkar, R.; Hur, J.; Nuida, K. Efficient fully anonymous public-key trace and revoke with adaptive IND-cca security. In Proceedings of the Information Security Practice and Experience: 16th International Conference, ISPEC 2021, Nanjing, China, 17–19 December 2021; Proceedings 16; Springer: Cham, Switzerland, 2021; pp. 168–189. [Google Scholar]
  16. Liu, S.; Pan, H.; Wang, X.A.; Zhao, S.; Li, Q. A traceable and revocable broadcast encryption scheme for preventing malicious encryptors in Medical IoT. J. Syst. Archit. 2024, 149, 103100. [Google Scholar] [CrossRef]
  17. Liu, S.; Hu, Y.; Wang, X.A.; Liu, X.; Yin, Y.; Wang, T. Puncturable-based broadcast encryption with tracking for preventing malicious encryptors in cloud file sharing. J. Inf. Secur. Appl. 2024, 84, 103803. [Google Scholar] [CrossRef]
  18. Liu, Y.; Hu, Y.; Lv, X.; Zhou, S.; Li, J.; Liu, S. A blockchain and IPFS-Aided anonymous traitor tracing scheme based on puncturable encryption in Industrial Internet of Things. Comput. Electr. Eng. 2025, 122, 109896. [Google Scholar] [CrossRef]
  19. Coron, J.S.; Dodis, Y.; Malinaud, C.; Puniya, P. Merkle-Damgård revisited: How to construct a hash function. In Proceedings of the Annual International Cryptology Conference; Springer: Berlin/Heidelberg, Germany, 2005; pp. 430–448. [Google Scholar]
  20. Goldreich, O.; Micali, S.; Wigderson, A. Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. J. ACM 1991, 38, 690–728. [Google Scholar] [CrossRef]
  21. Camenisch, J. Group Signature Schemes and Payment Systems Based on the Discrete Logarithm Problem. Ph.D. Thesis, ETH Zurich, Zurich, Switzerland, 1998. [Google Scholar]
  22. Gentry, C. Practical identity-based encryption without random oracles. In Proceedings of the Advances in Cryptology-EUROCRYPT 2006: 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, St. Petersburg, Russia, 28 May–1 June 2006; Proceedings 25; Springer: Berlin/Heidelberg, Germany, 2006; pp. 445–464. [Google Scholar]
  23. Tardos, G. Optimal probabilistic fingerprint codes. J. ACM 2008, 55, 1–24. [Google Scholar] [CrossRef]
  24. Lynn, B. On the Implementation of Pairing-Based Cryptosystems. Ph.D. Thesis, Stanford University, Stanford, CA, USA, 2007. [Google Scholar]
Figure 1. ZK-PoK of R.
Figure 1. ZK-PoK of R.
Mathematics 14 01632 g001
Figure 2. The system model of BATR.
Figure 2. The system model of BATR.
Mathematics 14 01632 g002
Figure 3. Working flow of the BATR.
Figure 3. Working flow of the BATR.
Mathematics 14 01632 g003
Figure 4. Formal definition of BATR.
Figure 4. Formal definition of BATR.
Mathematics 14 01632 g004
Figure 5. Comparison of Analytically Derived Computational Cost vs. Authorized User Count [10,11,16,18].
Figure 5. Comparison of Analytically Derived Computational Cost vs. Authorized User Count [10,11,16,18].
Mathematics 14 01632 g005
Figure 6. Comparison of Analytically Derived Computational Overhead vs. Authorized User Count [11,16,18].
Figure 6. Comparison of Analytically Derived Computational Overhead vs. Authorized User Count [11,16,18].
Mathematics 14 01632 g006
Figure 7. Comparison of storage overhead for public parameters and user secret keys [11,16,18].
Figure 7. Comparison of storage overhead for public parameters and user secret keys [11,16,18].
Mathematics 14 01632 g007
Table 1. Notations.
Table 1. Notations.
       Notations       Meaning
λ , η Security parameter
NTotal number of receivers
m p k System public key
m s k System secret key
I D i User identity
p k i I D i ’s public key
s k i I D i ’s private key
P I D i I D i ’s pseudonym
{ H i } i = 1 7 Hash functions
SA set of receive users
mCommon message
lThe bit length of message
KPublic Session Key
K i Personalized Session Key
T A Trusted Authority
T T Tracing entity
E N Endorsing Node
C T Broadcast ciphertext
S T A set of traitors
O N Ordering Node
A I L Authentication Information Ledger
TID i Tracing identity tag of user u i
H d r ciphertext header
D O S I T Data Outsourcing with Simultaneous Individual Transmission
Table 2. Security functions analysis and comparison.
Table 2. Security functions analysis and comparison.
SchemesAnonymityDOSITTraceabilityRevocationResist Trapdoors
 [10]YesNoNoYesNo
[11]YesYesNoNoNo
[15]YesNoYesYesNo
[16]YesYesYesYesYes
[18]YesNoYesYesYes
BATRYesYesYesYesYes
Table 3. Various operations and operation times.
Table 3. Various operations and operation times.
NotationsDescriptionTime (ms)
HHash operation 13.581
PBilinear operation G T 11.479
EExponential operation in G/ G 1 5.914
SExponential operation in G T 1.341
Table 4. Comparison of computation cost.
Table 4. Comparison of computation cost.
SchemesEncDec
 [10] 3 H + 2 P + 2 n E + 2 S      2 H + 2 P + ( 2 n 1 ) E     
[11] P + ( n + 3 ) E + 3 S 2 P
[16]     H + ( n + 1 ) P + ( n + 1 ) E + ( n + 3 ) S      3 P
[18] P + 8 n E + n S 7 n E
BATR ( 2 n + 3 ) H + ( n + 2 ) E + ( 2 n + 1 ) S 5 H + P + 3 E + 2 S
Table 5. Comparison of communication and storage.
Table 5. Comparison of communication and storage.
SchemesCommunication CTStorage mpkStorage SK
 [11] 2 | G | + ( n + 1 ) | G T |      ( 2 n + 5 ) | G | + | G T |      ( n + 2 ) | G |
[16] 3 | G | + ( n + 1 ) | G T | 3 n | G | + | G T | 2 | G |
[18]     8 n | G | + ( n + 1 ) | G T |      ( 3 n + 3 ) | G | + n | G T | ( n + 4 ) | G |
BATR 2 | G | + ( n + 1 ) | G T | 4 | G | + | G T | 2 | G |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Yan, L.; Pan, H.; Sun, J.; Cui, M.; Liu, S. Traceable and Revocable Broadcast Encryption Scheme for Preventing Malicious Encryptors. Mathematics 2026, 14, 1632. https://doi.org/10.3390/math14101632

AMA Style

Yan L, Pan H, Sun J, Cui M, Liu S. Traceable and Revocable Broadcast Encryption Scheme for Preventing Malicious Encryptors. Mathematics. 2026; 14(10):1632. https://doi.org/10.3390/math14101632

Chicago/Turabian Style

Yan, Lu, Hailun Pan, Jing Sun, Mengyuan Cui, and Shuanggen Liu. 2026. "Traceable and Revocable Broadcast Encryption Scheme for Preventing Malicious Encryptors" Mathematics 14, no. 10: 1632. https://doi.org/10.3390/math14101632

APA Style

Yan, L., Pan, H., Sun, J., Cui, M., & Liu, S. (2026). Traceable and Revocable Broadcast Encryption Scheme for Preventing Malicious Encryptors. Mathematics, 14(10), 1632. https://doi.org/10.3390/math14101632

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop