## Figures

## Abstract

Most of the existing multi-recipient signcryption schemes do not take the anonymity of recipients into consideration because the list of the identities of all recipients must be included in the ciphertext as a necessary element for decryption. Although the signer’s anonymity has been taken into account in several alternative schemes, these schemes often suffer from the *cross-comparison attack* and *joint conspiracy attack*. That is to say, there are few schemes that can achieve complete anonymity for both the signer and the recipient. However, in many practical applications, such as network conference, both the signer’s and the recipient’s anonymity should be considered carefully. Motivated by these concerns, we propose a novel multi-recipient signcryption scheme with complete anonymity. The new scheme can achieve both the signer’s and the recipient’s anonymity at the same time. Each recipient can easily judge whether the received ciphertext is from an authorized source, but cannot determine the real identity of the sender, and at the same time, each participant can easily check decryption permission, but cannot determine the identity of any other recipient. The scheme also provides a public verification method which enables anyone to publicly verify the validity of the ciphertext. Analyses show that the proposed scheme is more efficient in terms of computation complexity and ciphertext length and possesses more advantages than existing schemes, which makes it suitable for practical applications. The proposed scheme could be used for network conferences, paid-TV or DVD broadcasting applications to solve the secure communication problem without violating the privacy of each participant.

Key words: Multi-recipient signcryption; Signcryption; Complete Anonymity; Public verification.

**Citation: **Pang L, Li H, Gao L, Wang Y (2013) Completely Anonymous Multi-Recipient Signcryption Scheme with Public Verification. PLoS ONE 8(5):
e63562.
https://doi.org/10.1371/journal.pone.0063562

**Editor: **Francesco Pappalardo, University of Catania, Italy

**Received: **October 18, 2012; **Accepted: **April 3, 2013; **Published: ** May 10, 2013

**Copyright: ** © 2013 Pang et al. This is an open-access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.

**Funding: **National Natural Science Foundation of China under grant numbers 61103178, 61103199 and 60803151; the Research Fund for the Doctoral Program of Higher Education of China under grant number 20096102120045; Basic Science Research Fund in Xidian University under grant number K5051310006. The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.

**Competing interests: ** The authors have declared that no competing interests exist.

## Introduction

With development of network technology and its applications, a lot of group-oriented network services such as network multicasting or broadcasting have been proposed. Usually, in these services, a message sender is required to securely send the same messages to a group of recipients, such that only a certain number of recipients can read the messages while unauthorized recipients can extract nothing useful from these messages [1]. Therefore, the concept of multi-recipient encryption was put forward [2]–[6], and it has been considered as one of most promising solutions to solve the security problem of securing multicasting or broadcasting. Later, combining the concept of multi-recipient encryption with the idea of Zheng’s signcryption [7], Duan *et al.* [8] proposed the first multi-recipient signcryption scheme. In their scheme, to achieve the goal of sending the same message to all authorized recipients confidentially, the sender only needs to execute one signcryption operation, and at the same time, each recipient can verify the validity of messages. Since then, many excellent multi-recipient signcryption schemes [9]–[11] were proposed, which take more security properties into consideration than Duan *et al*.’s scheme. In general, multi-recipient signcryption can be used in many important applications, such as paid-TV or DVD broadcasting systems [10], where only authorized or paying users should be able to access such services.

Nevertheless, today, more and more people are concerned regarding personal privacy, thus participant anonymity should be taken into account when designing multi-recipient signcryption [12]. For example, in paid-TV and DVD broadcasting application systems, service providers do not want others to obtain the real identities from the ciphertext messages. Therefore, multi-recipient signcryption with the sender (or called the signer) anonymity had been introduced. In literature, there have been several multi-recipient signcryption schemes [13]–[17] which try to assure anonymity of the sender. The concept of anonymous signature was firstly proposed by Rivest *et al*. [18]. In 2005, Huang *et al*. [19] proposed the first anonymous signcryption scheme, which used an ID-based ring signature to assure anonymity of the signer. However, their scheme is only a single-recipient scheme. Later, based on similar thoughts, Lal *et al*. [13] extended this method for multi-recipient environments. Furthermore, a multi-recipient scheme with anonymity of the sender [14]–[17] was proposed. Although these schemes [13]–[17] provide solutions for assuring signer anonymity, there are still some unsolved issues. For example, they suffer from two new attacks known as the *cross-comparison attack* [20] and the *joint conspiracy attack* [21]. Based on the ring signature, schemes [13]–[17] construct a list which includes the real signer and several valid participants which are chosen randomly by the signer hiding the real signer in this list. Although this perfectly works to some extent, an attacker can obtain a number of different ciphertexts from the same message source by closely monitoring network traffic, thus by comparing the signers’ identities from different lists an attacker can narrow down the scope of the target signer. Using this scheme, an attacker can directly obtain the identity of the real signer. Even if the attacker does not directly obtain the real signer’s identity, he/she has narrowed down the scope of the attacker’s guess. In addition, it is still possible for such an attacker to retrieve a list which includes the real signer. Then, he/she can cooperate with some participants in the list to narrow down the scope and guess the real signer with a larger probability. In addition, the list of chosen participants can increase the length of the ciphertext quite significantly, potentially reducing the transmission efficiency. More important, the identities of all the authorized recipients are usually included in the ciphertext of these anonymous schemes in plaintext [13]–[19], which is not always wanted.

Generally speaking, anonymity of participants includes both the sender’s and the recipient’s anonymity. Besides the anonymity of the sender, the anonymity of the recipient is often equally important so that designers of multi-recipient signcryption schemes should pay attention. For example, in paid-TV and DVD broadcasting application systems, no user should accept that his/her subscription of these services is publicly viewable to others especially when the service is quite sensitive. However, unfortunately, almost none of the existing schemes take the anonymity of recipients into consideration because the identity of each recipient must be included in the ciphertext as a necessary element for decryption. The list of the authorized recipients’ identities in the ciphertext is used to show who are the authorized recipients and how each authorized recipient gets his/her person-specific data for encryption from the ciphertext during the decryption process. Thus, schemes [9]–[11] directly expose the recipient’s identity and therefore violate their privacy. Also, the fact that different recipients have different person-specific data for decryption can lead to decryption unfairness. This means that if some recipient’s person-specific data are damaged due to communication errors, he/she cannot decrypt the ciphertext but the others can still decrypt the ciphertext correctly [12]. Therefore, it is urgent and challenging for researchers to solve the recipient anonymity issue of multi-recipient signcryption.

Following the arguments above, it is known that almost none of the existing multi-recipient signcryption schemes take the full anonymity of recipients and senders into account. Although there are several schemes that provide a solution for anonymity of the signer, they are not perfect, that is, they suffer from the *cross-comparison attack* and the *joint conspiracy attack*. Therefore, existing schemes cannot deal with the anonymity of the sender or the recipient properly. Furthermore, these schemes are not suitable for applications that need complete anonymity for the sender and the recipient. For example, in a network conference application, every conference participant often wants to be kept anonymous when he/she is taking part in the conference discussion. Furthermore, if a participant (i.e. sender) wants to publish criticism or objections, he/she hopes that others (i.e. recipients) do not know his/her identity. At the same time, the recipient cannot want the other recipients to reveal that he/she is an authorized recipient. In fact, today, anonymity is one of the most important prerequisites for people to talk freely and make objective decisions.

Motivated by the above, this paper proposes a completely anonymous multi-recipient signcryption scheme which meets: (1) The identity of the sender is kept secret; (2) The identities of all the recipients are kept secret; (3) Each recipient can easily judge whether the received message is from an authorized source, but he/she cannot determine the real identity of the sender; (4) Each recipient can easily judge whether he/she is an authorized recipient, but he/she cannot determine the identity of any other authorized recipient; (5) The validity of ciphertext can be verified publicly. Speaking of practical applications, the proposed scheme can be in principle used for network conference, paid-TV or DVD broadcasting application systems to assure secure communication among authorized participants, while at the same time, providing complete anonymity for all participants.

To facilitate the description of our scheme, notations used throughout the document are summarized in Table 1.

## Preliminaries

### Complexity Assumptions

The security of the proposed scheme is based on the following problems and security assumptions.

Let *G*_{1} and *G*_{2} be two cyclic groups of prime order *q* and let *P* be a generator of *G*_{1}. Let *e*: *G*_{1}×*G*_{1}→*G*_{2} be a bilinear mapping. The DBDH, CDH and DBDH-M problems can thus be defined as:

**Decisional Bilinear Diffie-Hellman (DBDH) Problem:**Given , for and unknown , determine whether holds.**Definition 1:***The advantage of any probabilistic polynomial time (PPT) algorithm*B*in solving the DBDH Problem is defined as:***DBDH assumption**: For any PPT algorithm*B*, is negligible.**Computational Diffie-Hellman (CDH) Problem**: Given , for some , compute*abP*.**Definition***2:**The advantage of any PPT algorithm*B*in solving the CDH Problem is defined as:***CDH assumption**: For any PPT algorithm*B*, is negligible.**Modified Decisional Bilinear Diffie-Hellman (DBDH-M) Problem:**Given , for and unknown , determine whether holds.**Definition 3:***The advantage of any PPT algorithm*B*in solving the*DBDH-M Problem*is defined as:***DBDH-M assumption**: For any PPT algorithm*B*, is negligible.

### Algorithm Model

Our identity(ID)-based multi-recipient signcryption scheme with complete anonymity consists of four algorithms, namely: Setup, Extract, Anony-signcrypt and De-signcrypt, shown as follows:

#### Setup.

Private Key Generator (PKG) runs this algorithm to generate a master key *s* and public parameters *params*. Note that the public parameters are publicly known while the master key must be kept secret.

#### Extract.

This algorithm is run by PKG to extract the private key of the user. With a user’s identity ID, PKG’s master key *s* and the public parameter *params* as input, it outputs the private key *D* associated with ID, namely *D* = Extract(ID, *s*, *params*). The private key *D* must be kept secret.

#### Anony-signcrypt.

This algorithm is run by the signer ID* _{S}*. With PKG’s public parameter

*params*, a plaintext message

*M*, a list of recipients’ identity

*L*= {ID

_{1},ID

_{2},…,ID

*} as input, the signer ID*

_{n}*runs this algorithm to generate a ciphertext*

_{S}*C*associated with

*M*, namely

*C*= Anony-signcrypt (

*params*,

*M*,

*L*,

*D*), which satisfies

_{S}*LC*and ID

*.*

_{S}C#### De-signcrypt.

With the ciphertext *C*, PKG’s public parameter *params*, the recipient’s identity ID* _{i}*() and its private key

*D*as input, the recipient can run this algorithm to decrypt the ciphertext. The recipient can first judge whether he/she is an authorized recipient. If not, he/she outputs an error message and exits the algorithm. Otherwise, he/she continues to carry out the decryption process and outputs the plaintext

_{i}*M*associated with

*C*, namely

*M*= De-signcrypt (

*C*,

*params*,

*D*).

_{i}### Message Confidentiality

The security model of ciphertext indistinguishability under chosen ciphertext attack was first proposed by Canetti *et al*. [20]. Later, Duan *et al*. [8] extended this security model for the multi-recipient environments, called as indistinguishability of ciphertexts under selective multi-ID, chosen ciphertext attack (IND-sMIBSC-CCA) shown as Definition 4.

#### Definition 4.

IND-sMIBSC-CCA: Let A be a polynomial-time attacker and be an ID-based multi-recipient scheme. Consider that A interacts with a Challenger B in the following game:

#### Setup.

Challenger B runs this algorithm to generate master key *s* and public parameters params, sends params to A, and keeps the master key *s* secret. Upon receiving public parameters, A outputs n target identities

#### Phase 1.

A performs a number of queries to B:

Extraction query: Upon receiving private key extraction query about an identity ID, , B runs the Extract algorithm to get D = Extract(ID, *s*, params).

Anony-signcrypt*ion* query: A chooses a target plaintext M, a list of recipients’ identity information *L = {ID _{1},ID_{2},…,ID_{n}}* and gives them to B. B randomly chooses an identity

*ID*, computes the private key

_{S}*D*, and generates the ciphertext C = Anony-signcrypt (params,M,L,

_{S}*D*) and returns it to A.

_{S}De-signcrypt*ion* query: *A generates the list of target identities* and a ciphertext C. B randomly chooses an identity and computes its private key D_{j}. *I*f C is a valid ciphertext, B decrypts it to obtain the corresponding plaintext M = De-signcrypt (C, params, D_{j}) and returns it to A; otherwise, B outputs an error message .

#### Challenge.

A outputs a target plaintext pair (M_{0}, M_{1}) and an arbitrary identity *ID _{S}* with its private key

*D*. Upon receiving (M

_{S}_{0}, M

_{1}) and

*D*, B picks

_{S}*up a random bit*and creates a target ciphertext , and then returns C

^{*}to A.

#### Phase 2.

A performs a number of queries like Phase 1. Note that A cannot query the identity information in L^{*} in the Extraction query, and cannot query C^{*} in the De-signcryption query.

#### Guess.

Finally, A outputs its guess . If , he wins this game.

An attacker *A* mentioned above is referred to as an IND-sMIBSC-CCA attacker. We define *A*’s guessing advantage as follows:(1)

The scheme is said to be -IND-sMIBSC-CCA secure, if for any IND-sMIBSC-CCA attacker *A*, its guessing advantage is less than within polynomial running time *t*.

### Unforgeability

This security model has been proposed by Duan *et al*. [8] and is called strong existential unforgeability under selective multi-ID, chosen message attack (SUF-MIBSC-CMA) shown as Definition 5.

#### Definition 5.

SUF-sMIBSC-CMA: Suppose F is a forger, and let be an ID-based multi-recipient scheme. Consider that F interacts with a Challenger B in the following game:

#### Setup.

B runs this algorithm to generate a master key *s* and a public parameter params. B gives the params to F and keeps *s* secretly. Upon receiving this parameter, F outputs n target identities

#### Forgery.

F finally outputs a new ciphertext message C^{*}, a list of recipient identities *L = {ID _{1},ID_{2},…,ID_{n}}*. If C

^{*}is the ciphertext of the message M generated by and can be decrypted by any of recipients in

*L*, C

^{*}is a valid ciphertext and F wins this game. The restriction here is that F cannot ask for private key extraction on , and C

^{*}cannot be produced by the Anony-signcrypt algorithm.

The scheme is said to be -SUF-sMIBSC-CMA secure, if for any SUF-sMIBSC-CMA attacker *F*, its guessing advantage is less than within polynomial running time *t*.

### Recipient Anonymity

This security model has been proposed by Fan *et al*. [5] and is called anonymous indistinguishability of encryptions under selective ID, chosen ciphertext attack (ANON-sID-CCA) and shown as Definition 6.

#### Definition 6.

ANON-sID-CCA: Let A be a polynomial-time attacker. Let be an ID-based multi-recipient scheme. Consider that A interacts with a Challenger B in the following game:

#### Setup.

Challenger B runs the Setup algorithm to generate the master key s and public parameters params. Then, B sends params to A and keeps s secret.

#### Phase 1.

A outputs a target identity pair (ID_{1}^{*}, ID_{2}^{*}). Upon receiving (ID_{1}^{*}, ID_{2}^{*}), the Challenger B randomly chooses

#### Phase 2.

A issues private key extraction queries. Upon receiving a private key extraction query, denoted by ID_{j}, Challenger B runs the private key extraction algorithm to get D_{j} = Extract(ID_{j}, s, params). The constraint here is that

#### Phase 3.

A issues de-signcryption queries for the target identities. Upon receiving a de-signcryption query about (C^{*}, ID_{i}^{*}), i = 1,2, Challenger B returns M^{*} = De-signcrypt (C^{*},params,D_{i}^{*}) to A, where D_{i}^{*}is the private key of ID_{i}^{*}.

#### Challenge.

A outputs a target plaintext M to B. Then, Challenger B creates a related ciphertext and returns it to A.

#### Phase 4.

A issues private key extraction queries as those in Phase 2 and de-signcryption queries for target identities as those in Phase 3. The restriction here is that

#### Guess.

Finally, A outputs its guess If A wins the game.

An attacker *A* mentioned above is referred to as an ANON-sID-CCA attacker. We define *A*’s guessing advantage as follows:(2)

The scheme is said to be -ANON-sID-CCA secure, if for any ANON-sID-CCA attacker *A*, its guessing advantage is less than within polynomial running time *t*.

## Methods

The proposed scheme is composed of the following four algorithms. And at the same time, we shall take the network conference application as an example to show how to use our scheme.

### Setup Algorithm

PKG performs the following process:

- Let
*G*_{1}be an additive group and*G*_{2}be a multiplicative group with the same prime order*q*, (*k*is a long integer). Let*P*be a generator of*G*_{1}. Choose a bilinear mapping*e*:*G*_{1}×*G*_{1}→*G*_{2}. - Define four one-way hash functions:
*H*_{1}:{0,1}^{*}→*G*_{1};*H*_{2}:*G*_{2}→{0,1}^{|M|};*H*_{3}:{0,1}^{*}→*Z*_{q}^{*};*H*_{4}:{0,1}^{|M|}×*G*_{1}×…×*G*_{1}→*Z*_{q}^{*}, where |*M*| is the length of the plaintext message. - Choose a random number as the master key, and set as the system’s public key. Publish the system parameter
*params =*<*G*_{1},*G*_{2},*q*,*e*,*P*,*P*,_{pub}*H*_{1},*H*_{2},*H*_{3},*H*_{4}> and keep the master key*s*secret.

Practically speaking, PKG is acted by some authority. For example, in a network conference application, the organizer of a conference should deal with the PKG, which is responsible for developing the system parameters as the steps mentioned above.

### Extract Algorithm

With *params*, *s*, and an identity as input, PKG performs this algorithm to generate the private key of the identity ID:

- Compute ID’s public key
*Q*_{ID}=*H*_{1}(ID). - Compute ID’s private key
*D*_{ID}=*sH*_{1}(ID) =*sQ*_{ID}.

Each participant, the sender or the recipient, should register himself/herself at PKG and obtain his/her private key from PKG by this algorithm. For example, in a network conference application, if someone wants to attend a conference and talk with other participants, he/she must firstly send his/her ID information to the organizer PKG to get his/her own private key computed by PKG.

### Anony-signcrypt Algorithm

With *params*, a plaintext *M* and his/her private key *D _{S}* as input, the signer ID

*chooses a list of recipients’ identity*

_{S}*L*= {ID

_{1},ID

_{2},…,ID

*} and performs this algorithm to generate the ciphertext*

_{n}*C*of the plaintext

*M*:

- Randomly choose two secret integers and a secret element and then compute , , , and , where
*Q*is the public key of ID_{S}._{S} - For
*i*= 1,2,…,*n*, compute*x*(ID_{i}= H_{3}_{i}) and , where Q_{i}is the public key of ID_{i}. - For
*i*= 1,2, …,*n*, compute , where . - For
*i*= 1, 2, …,*n*, compute and then let*T*= {*T*}._{1},T_{2},…,T_{n} - Compute , and then compute , where D
_{S}is the private key of ID_{S}. - Generate the ciphertext: .

After obtaining the private key, each participant can securely and anonymously send messages to other participants that he/she selects. For example, in a network conference application, any participant can freely select some participants as expected recipients to receive his/her messages. What he/she needs to do is to encrypt the messages by this algorithm and then broadcast the ciphertext.

### De-signcrypt Algorithm

The algorithm is carried out by the recipient. With , *params*, the recipient’s identity ID* _{i}* and his/her private key

*D*as input, the recipient ID

_{i}*decrypts*

_{i}*C*as follows:

#### Public verification.

The one, who has not registered himself/herself with PKG to get his/her private key, can use the following steps to check the integrity or validity of the ciphertext. The registered participant can skip this process and directly jump to the following judgement algorithm:

- Compute .
- Verify whether the equation
*e*(*W*,*P*) =*e*(*X*+*hY*,*P*) holds. If yes, the ciphertext is valid. Otherwise, the ciphertext is invalid or has been damaged during transmission._{pub}

#### Judgement.

The one, who has registered himself/herself with PKG to get his/her private key, can use the following steps to check whether the ciphertext is valid and whether he/she is an authorized recipient before the following encryption process:

- Compute .
- Check whether the equation
*e*(*W*,*Q*) =_{i}*e*(*X*+*hY*,*D*) holds. If yes, it means that ID_{i}is one of the recipients designated by the signer and the ciphertext is valid. Otherwise, the recipient quits the decryption process._{i}

#### De-signcryption.

The authorized user can recover the plaintext by the following steps:

- Compute
*x*=_{i}*H*_{4}(ID) and then compute ._{i} - Compute and then get the plaintext as .

The one who receives the broadcasting ciphertext can verify the validity of the message and judge whether he/she is authorized by the public verification or judgement algorithm. If necessary, he/she can use the de-signcrypt algorithm to decrypt the ciphertext. In a network conference application, due to the nature of the broadcast communication, anyone, authorized recipients or unauthorized ones, can easily receive the ciphertext and check the validity of the message and the authorization of the decryption. But, only the authorized recipients can decrypt it correctly.

## Results and Discussion

### Correctness Analyses

#### Proof.

(3)In our scheme, although the identity of the real signer is not included in the ciphertext, his/her private key is definitely necessary in the signcryption process, which ensures that only legal participants who have registered himself/herself with PKG can generate a valid ciphertext. That is to say, through this algorithm, anyone can check whether a ciphertext is generated by an authorized participant, but he/she cannot determine the real identity of the signer.

#### Proof.

For each authorized ID* _{i}* where , we have

(4)Similarly, because the private key of the real signer is necessary in the signcryption process, this algorithm can also be used to check the validity of ciphertext. At the same time, this algorithm can help a participant, who has registered himself/herself with PKG, to judge whether himself/herself is an authorized recipient, because the private key of the recipient is also necessary in the judgement.

### Security Analyses

We shall give security proof of the proposed scheme on confidentiality, unforgeability and anonymity under the random oracle model.

#### Theorem 4.

*In the* IND-sMIBSC-CCA *security model, if an adversary A has an advantage* *against the game defined in Definition 4 within running time t (where* A mak*es* at most q_{e} private key extraction queries, q_{s} *anony-signcryption queries, q _{d}* de

*-sign*cryption queries and queries to the Hash functions H

_{1}, H

_{2}, H

_{3}and H

_{4},

*respectively), then there is a algorithm*B

*in solving the DBDH problem in the time*

*with an advantage*.

#### Proof.

The challenger *B* is challenged with an instance of the DBDH problem. Assume that there is an adversary *A* who is capable of breaking the IND-sMIBSC-CCA security with a non-negligible advantage . *B* makes use of *A* to solve the DBDH instance. *B* simulates the system with various oracles *H*_{1}, *H*_{2}, *H*_{3} and *H*_{4} and allows *A* to make polynomially bounded number of queries, adaptive to these oracles. The game between *A* and *B* is demonstrated below:

#### Setup.

*B* sets *P*_{1} = *cP*, *P _{pub} = bP*, and gives <

*G*

_{1},

*G*

_{2},

*q*,

*e*,

*P*,

*P*,

_{pub}*H*

_{1},

*H*

_{2},

*H*

_{3},

*H*

_{4}> to the attacker

*A*as the public parameters. Upon receiving the system parameters,

*A*outputs

*n*target identities .

#### Phase 1.

*A* performs a number of queries to *B*:

Let *H*_{1}, *H*_{2}, *H*_{3} and *H*_{4} be random oracles controlled by *B* as follows. The results of querying *H*_{1}, *H*_{2}, *H*_{3} and *H*_{4} are stored in *H*_{1}-list, *H*_{2}-list, *H*_{3}-list and *H*_{4}-list, respectively.

*H*_{1}-query.

Input an identity to *H*_{1}. If there exists (ID* _{j}*,

*l*,

_{j}*Q*) in

_{j}*H*

_{1}-list,

*B*returns

*Q*; othzerwise, does as follows:

_{j}- Choose an integer at random;
- If , compute
*Q*=_{j}*l*; otherwise, compute_{j}P*Q*=_{j}*l*-_{j}P*P*_{1}; - Put (ID
,_{j}*l*,_{j}*Q*) into_{j}*H*_{1}-list; - Return
*Q*._{j}

*H*_{i}-query.

_{i}

: To answer these inquiries, *B* searches the corresponding list *H _{i}*-

*list*(

*i*= 2,3,4). If the corresponding answer has existed already,

*B*returns the answer to

*A*. Otherwise,

*B*randomly chooses an element in proper scope as the result and returns it to

*A*, and at the same time,

*B*adds the inquiry and the result into the corresponding list.

#### Extraction query.

Upon receiving private key extraction query on identity ID* _{j}* ,

*B*searches for (ID

*,*

_{j}*l*,

_{j}*Q*) in

_{j}*H*

_{1}-list.

*B*recovers triple (ID

*,*

_{j}*l*,

_{j}*Q*) in

_{j}*H*

_{1}-query and computes his private key

*D*=

*l*=

_{j}P_{pub}*l*, and returns it to

_{j}bP*A*. If ,

*B*aborts and outputs “failure”.

#### Anony-signcryption query.

Upon receiving *A*’s anony-signcryption query (*M*, ID* _{S}*,

*L*),

*B*checks if . If ,

*B*shall get the private key of ID

*through the Extraction query. After that,*

_{S}*B*can run the Anony-signcryption query to generate the ciphertext

*M*. An alternative to this is:

*B*randomly chooses two secret integers , and then computes*Y*=*rl*, , , and ._{s}P- For
*i*= 1, 2, …,*n*, compute*x*=_{i}*H*_{3}(ID) and , where_{i}*Q*is the public key of ID_{i}_{i.} - For
*i*= 1,2,…,*n*, compute: , where . - For
*i*= 1,2,…,*n*, compute and then let*T*= {*T*_{1},*T*_{2},…,*T*}._{n} *B*randomly chooses an integer , where is set as the output for the random oracle query (This is possible because the random oracles are manipulated by*B*). Then,*B*computes .*B*gets the ciphertext and returns it to*A*.

#### De-signcryption query.

On receiving the De-signcryption query of the ciphertext *C* together with an identity ID* _{j}*,

*B*proceeds as follows:

- If ,
*B*shall return that the ciphertext*C*is invalid because*B*does not know the private key of ID. - If ,
*B*computes , and verifies whether the equation*e*(*W*,*P*) =*e*(*X*+*hY*,*P*) holds. If it does not hold, the ciphertext is not valid and then_{pub}*B*outputs . If it holds,*B*does the following steps:- Find the secret key
*D*corresponding to ID from the*H*_{1}-list. - Compute according to
*T*. - Compute and then get the plaintext as .

- Find the secret key

If all the above verifications are true, then *B* outputs the message . Otherwise, the ciphertext is invalid, and *B* outputs .

#### Challenge.

*A* outputs a target plaintext pair (*M*_{0}, *M*_{1}) and a private key *D _{S}*. Upon receiving (

*M*

_{0},

*M*

_{1}) and

*D*,

_{S}*B*picks up a random bit and signcrypts the message . Firstly,

*B*searches

*H*

_{1}-list to get related to and their public key , then computes to get .

*B*finally creates the target ciphertext where , , and , and then returns

*C*

^{*}to

*A*.

#### Phase 2.

*A* performs a number of queries as Phase 1. Note that *A* cannot query the identity information of in extraction query, and cannot query *C*^{*} in de-signcryption query.

#### Guess.

Finally, *A* outputs its guess . If , *B* wins this game and outputs 1 as the answer of DBDH problem because . Otherwise, *B* outputs 0.

From the above discussion, we shall analyze the advantages of *B* in the following. For *q _{d}* de-signcryption queries, the probability to reject a valid ciphertext is not greater than . If

*A*wins the IND-sMIBSC-CCA game, the advantage of

*B*is

#### Theorem 5.

*In the* SUF-sMIBSC-CMA *security model,* if there is an adversary F who can win the game in the time t with a non-negligible advantage as described in the definition 5, there will exist an algorithm B which can solve the CDH problem in the time with an advantage , where F can ask at most q_{e} extraction queries, q_{s} anony-signcryption queries and queries to H_{1}, H_{2}, H_{3}, H_{4}, respectively.

#### Proof.

The challenge *B* is given (*P*,*aP*,*bP*) as an instance of the CDH problem. Assume that there is an adversary *F* who has a non-negligible advantage in breaking the SUF-sMIBSC-CMA security. Then, *B* uses *F* to solve the CDH problem. Firstly, *B* simulates the system with the various oracles *H*_{1}, *H*_{2}, *H*_{3} and *H*_{4}, and then allows *F* to adaptively ask polynomially bounded number of queries to these oracles. The game between *B* and *F* is demonstrated below:

#### Setup.

*B* sets *P _{pub} = bP*, and gives <

*G*

_{1},

*G*

_{2},

*q*,

*e*,

*P*,

*P*,

_{pub}*H*

_{1},

*H*

_{2},

*H*

_{3},

*H*

_{4}> to the attacker

*F*as the public parameters. Upon receiving the system parameters,

*F*outputs

*n*target identities .

#### Attack.

*F* adaptively performs polynomially bounded number of queries to the various oracles in this phase, which are similar to those in Theorem 4.

#### Forgery.

*F* generates a target ciphertext . If the forgery is successful, the equation holds. Define *Q _{S}^{*}* =

*l*=

_{S}^{*}P*aP*, and then we have . Now, it will be very easy to extract the CDH problem’s solution .

We consider the advantage of *F*’s success here. As in the anony-signcryption query, the probability for *B* to answer a failure signcryption query is not greater than *q _{s}*/2

*, and then the advantage is .*

^{k}#### Theorem 6.

*In the* ANON-sID-CCA *security model, if an adversary A has advantage* *against the game defined in Definition 6 within running time t (where* A mak*es* at most q_{e} private key extraction queries, q_{s} *anony-signcryption queries,* q_{d} de*-sign*cryption queries and queries to the Hash functions H_{1},H_{2},H_{3} and H_{4}, *respectively), then there is an algorithm* B *in solving the DBDH-M problem with an advantage .*

#### Proof.

The challenger *B* is challenged with an instance of the DBDH-M problem. Assume that there is an adversary *A* who is capable of breaking the ANON-sID-CCA security with a non-negligible advantage . *B* makes use of *A* to solve the DBDH-M instance. *B* simulates the system with hash functions *H*_{1}, *H*_{2}, *H*_{3} and *H*_{4}, and allows *A* to make polynomially bounded number of queries. The game between *B* and *A* is demonstrated below:

#### Setup.

*B* sets the public key and lets , where , and *aP* and *bP* are given from the instance of the DBDH-M problem. Here, *B* does not know *a* and *b*. *A* performs polynomially bounded number of queries to *H*_{1}, *H*_{2}, *H*_{3} and *H*_{4}, which are similar to those in Theorem 4.

#### Phase 2.

Upon receiving the private key extraction query of an identity ID* _{j}* such that , for , according to

*Q*=

_{j}*l*=

_{j}P*aP*,

*B*computes

*D*=

_{j}*l*.

_{j}P_{pub}#### Phase 3.

Upon receiving a decryption query about (*C*^{*}, ID_{i}^{*}) *i* = 1,2 and . Challenger *B* performs the following steps:

- Compute .
- Compute .
- Judge whether holds. If not, return “reject” to
*A*, otherwise return to*A*.

#### Challenge.

*A* outputs a target plaintext *M*. Upon receiving *M*, *B* does the following steps:

- Compute .
- Compute .
- Create a target ciphertext and return it to
*A*.

### Efficiency Analysis

We compare our scheme with existing signcryption schemes [9], [10], [11], [12], [13], [15], [17], [19] in terms of calculation costs and communication traffic (ciphertext length). In order to facilitate the description, we define the following symbols shown in Table 2:

First, we talk about the signcryption process. In the proposed scheme, the operation about Lagrange interpolation can also be pre-processed, so these operations can be excluded when considering computational complexity. In order to signcrypt a message *M*, our scheme needs 1 bilinear operation, 2 addition operations in *G*_{1}, 6 scalar multiplications in *G*_{1}, 1 exponentiation in *G*_{2} and 2 hash operations. The length of the ciphertext is (*n*+4)|*G*_{1}|+|*M*|. The specific comparison results are shown in Table 3, from which one can see that our scheme performs much better than most of the existing schemes in terms of number of parameters, computation complexity and the ciphertext length.

Regarding the de-signcryption in our scheme, some calculations of the de-signcryption algorithm are used to judge the validity of ciphertext and the authorization of the recipient, which is important for broadcast-based communications to avoid receiving unwanted information (e.g. SPAM). Note that although the schemes [9], [10], [11], [13], [15] directly provide the recipients’ true identities in the ciphertext, in fact the recipient cannot absolutely ensure whether he/she is authorized before checking the validity of the ciphertext. The number of pair operations (*T _{p}*, the most time-consuming operation in the existing schemes and our scheme) in our decryption algorithm is smaller than those of the existing schemes, which makes our scheme more attractive in terms of computation performance. Table 4 shows a comparison between the proposed scheme and the existing ones [9], [10], [11], [12], [13], [15], [17], [19].

### Discussion of Merit and Demerit

Compared to existing schemes, our scheme has some advantages. To achieve the signer’s anonymity, the identity of the signer is no longer included in the ciphertext, although the private key of the signer is necessary for signcryption. The recipients can therefore only judge if the ciphertext received is from a trusted signer, but they cannot determine the real identity of the signer. To achieve the recipient’s anonymity, the ID information of all authorized recipients is mixed by the Lagrange interpolation polynomial during the signcryption process, which prevents the recipient’s ID from being exposed. This method also ensures that only the recipient, who has got the entire ciphertext, can decrypt the ciphertext, thus achieving the decryption fairness. The ID-based cryptography enables one user to confidentially send messages to other users, despite of whether the latter is a registered user, and the public verification property of our scheme enables unregistered users to judge the validity of the received ciphertext before having to register himself/herself with PKG. The merit/demerit comparison between the existing schemes and our scheme is summarized in Table 5.

From Table 5, we can see: (1) The schemes [12], [13], [15], [17], [19] have taken anonymity of the sender into account. However, they are all prone to the *cross-comparison attack* and *joint conspiracy attack*. In these schemes, in order to protect the privacy of the sender, the sender randomly chooses some legitimate participants to hide the true identity. But in practice, these schemes are vulnerable to the *cross-comparison attack* and *joint conspiracy attack* mentioned above. (2) The schemes [9], [10], [11] cannot assure the anonymity of the sender because the identity of the sender is directly given in the ciphertext. (3) The schemes [9], [10], [11], [13], [15], [17], [19] cannot assure the anonymity of the recipient. In these schemes, the ciphertext includes two parts: a recipient identity list and each recipient’s specific data. A recipient identity list is required so that an authorized recipient is able to find his/her specific data required for decryption of the ciphertext. Because the recipient identity list is given in plaintext, the ID information of each recipient is exposed, and thus the anonymity of recipients is not assured. This has the advantage that, as long as an authorized recipient receives his/her specific data correctly, he/she can decrypt the ciphertext to retrieve the corresponding message even if other recipients’ specific data are invalidated during transmission. While this seems to represent an advantage on the first sight, it also represents a problem regarding decryption fairness. Decryption unfairness can cause the sender to cheat some recipients actively by just sending incorrect recipient-specific data. (4) In all the existing schemes, public verification is not considered because the identity of the sender or the recipient must be given in the ciphertext in plaintext form, thus there are no requirements for public verification. But in a completely anonymous scheme, public verification is a necessity for recipients so that receiving or operating on unwanted messages is prevented.

To summarize, the ciphertext in our scheme no longer contains the real identity information of all participants, thus our scheme meets anonymity of the sender and recipients at the same time, and efficiently protects the privacy of all involved participants. Even more important, this scheme possesses fair decryption and public verification properties. Furthermore, our scheme is easy to implement in exsiting applications. Here, we also take a network conference application as an example. In such a case, a message sender needs only to transform the plaintext message to a ciphertext message using our encryption algorithm and then broadcasts it through the broadcast communication channel, while a message recipient simply needs to decrypt the ciphertext using our decryption algorithm. Our scheme requires only extra encryption or decryption operations for each participant and leaves the original implementation untouched, which in fact should represent an easy implementation of our scheme. While our scheme has the advantages mentioned above, it also has some disadvantages, namely its application, which increases the costs for the implementation. For example, it probably takes a great deal to establish PKG and maintain it, which may affect routine application of our scheme to some extent.

### Conclusions

Due to the nature of broadcasting communications, the anonymity of both the sender and the recipient is of upmost importance in multi-recipient signcryption. However, almost none of the existing multi-recipient signcryption schemes take the anonymity of recipients into account. Although there are several schemes that provide a solution to the anonymity of the signer, they have known limitations. Owing to practical application requirements, a completely anonymous multi-recipient signcryption becomes more and more important. Aiming at the participants’ anonymity, a completely anonymous multi-recipient signcryption is proposed in this paper. The new scheme ensures anonymity of all participants, the sender and all recipients. Furthermore, each recipient can easily judge whether the received message is from an authorized source, but he/she cannot determine the true identity of the sender. Each recipient can easily judge whether he/she is an authorized recipient, but he/she cannot determine the identity of any other authorized recipient. At the same time, the validity of the ciphertext can be verified publicly. The confidentiality, unforgeablity and anonymity of our scheme are formally proven using the random oracles model. Compared to existing schemes, our scheme is more efficient in computation and ciphertext length, and possesses more merits, which makes our scheme suitable for practical applications. Our scheme is important in group-oriented network applications, such as the network conference, paid-TV or DVD broadcasting. The proposed scheme solves the secure communication problem among authorized participants, while at the same time, it provides complete anonymity for all involved participants.

## Acknowledgments

The authors would like to thank the anonymous reviewers of this paper for his/her objective comments and helpful suggestions while at the same time helping us to improve the English spelling and grammar throughout the manuscript.

## Author Contributions

Proved the security of the scheme: LP HL LG. Conceived and designed the experiments: LP HL. Analyzed the data: LP HL LG YW. Wrote the paper: LP HL LG YW.

## References

- 1. Pang LJ, Li HX, Pei QQ (2012) Improved multicast key management of Chinese wireless local area network security standard. IET Communications 6: 1126–1130 .
- 2. Pang L, Li H, Jiao L, Wang Y (2009) Design and analysis of a provable secure multi-recipient public key encryption scheme. Journal of Software 20: 2739–2745 .
- 3.
Malone-Lee J (2002) Identity based signcryption. Cryptology ePrint Archive. Report 2002/098. Available: http://eprint.iacr.org/2002/098.pdf.
- 4.
Baek J, Safavi-Naini R, Susilo W (2005) Efficient multi-receiver identity-based encryption and its application to broadcast encryption. Proc. the 8th International Workshop on Theory and Practice in Public Key Cryptography. Les Diablerets, Switzerland: 380–397. .
- 5. Fan C, Huang L, Ho P (2010) Anonymous multireceiver identity-based encryption. IEEE Transactions on Computers 59: 1239–1249 .
- 6. Wang X, Wang A, Wang L (2009) Efficient ID-based secure encryption scheme for anonymous receivers. Academy Publisher 4: 1239–1249 .
- 7.
Zhang B, Xu Q (2010) An ID-based anonymous signcryption scheme for multiple receivers secure in the standard model. Proc. the Advances in Computer Science and Information Technology Japan: 15–27.
- 8.
Duan S, Cao Z (2006) Efficient and provably secure multi receiver identity based signcryption. Proc. the Information Security and Privacy 11th Australasian Conference. Melbourne, Australia: 195–206. .
- 9.
Yu Y, Yang B, Huang X, Zhang M (2007) Efficient identity-based signcryption scheme for multiple receivers. Proc. the Autonomic and Trusted Computing 4th International Conference. Hong Kong, China: 13–21. doi:10.1007/978-3-540-73547-2_4.
- 10.
Sharmila S, Sree S, Srinivasan R, Pandu C (2009) An efficient identity-based signcryption scheme for multiple receivers. Proc. the Advances in Information and Computer Security 4th International Workshop on Security. Toyama, Japan: 71–88. .
- 11.
Elkamchouchi H, Abouelseoud Y (2009) MIDSCYK: An efficient provably secure multirecipient identity-based signcryption scheme. Proc. the International Conference on Networking and Media Convergence. Cairo, Egypt: 70–75. .
- 12. Pang L, Cui J, Li H, Pei Q, Jiang Z, et al. (2011) A new multi-receiver ID-based anonymous signcryption. Chinese journal of computer 34: 2104–2113 .
- 13.
Lal S, Kushwah P (2009) Anonymous ID based signcryption scheme for multiple receivers. Cryptology ePrint Archive. Available: http://eprint.iacr.org/2009/345.pdf.
- 14. Qin H, Dai Y, Wang Z (2011) Identity-based multi-receiver threshold signcryption scheme. Security and Communication Networks 4: 1331–1337 .
- 15.
Zhang B, Xu Q (2010) An ID-based anonymous signcryption scheme for multiple receivers secure in the standard model. Proc. of the AST/UCMA/ISA/CAN conferences. Miyazaki, Japan: 15–27. .
- 16.
Zheng Y (1997) Digital signcryption or how to achieve cost (signature & encryption)<<cost (signature)+cost (encryption) Proc. the 17th Annual International Cryptology Conference on Advances in Cryptology. London, UK: 165–179. .
- 17.
Zhang J, Gao S, Chen H, Geng Q (2009) A novel ID-based anonymous signcryption scheme. Proc. the Advances in Data and Web Management Joint International Conferences. Suzhou, China: 604–610. doi:.
- 18.
Rivest R, Shamir A, Tauman Y (2001) How to leak a secret: Theory and applications of ring signatures. Proc. the 7th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology. London, UK: 552–565. .
- 19.
Huang X, Susilo W, Mu Y, Zhang F (2005) Identity based ring signcryption scheme: Cryptographic primitive for preserving privacy and authenticity in the ubiquitous world. Proc. the 19th International Conference on Advanced Information Networking and Applications. Taipei, Taiwan: 649–654. .
- 20.
Gafurov D, Snekkenes E, Buvarp T (2006) Robustness of biometric gait authentication against impersonation attack. Proc. The OTM Workshops. Montpellier, France: 479–488. .
- 21. Xie Q, Yu X (2005) A new (t, n) threshold signature scheme withstanding the conspiracy attack. Wuhan University Journal of Natural Sciences 10: 107–110 .