A Novel Multi-Receiver Signcryption Scheme with Complete Anonymity

  • Liaojun Pang,

    ljpang@mail.xidian.edu.cn (LP); lihuixian@nwpu.edu.cn (HL)

    Affiliations State Key Lab. of Integrated Services Networks, School of Life Science and Technology, Xidian Univ., Xi’an, 710071, Shaanxi, China, Dept. of Comput. Sci., Wayne State University, Detroit, MI 48202, United States of America

  • Xuxia Yan,

    Affiliation State Key Lab. of Integrated Services Networks, School of Life Science and Technology, Xidian Univ., Xi’an, 710071, Shaanxi, China

  • Huiyang Zhao,

    Affiliation State Key Lab. of Integrated Services Networks, School of Life Science and Technology, Xidian Univ., Xi’an, 710071, Shaanxi, China

  • Yufei Hu,

    Affiliation State Key Lab. of Integrated Services Networks, School of Life Science and Technology, Xidian Univ., Xi’an, 710071, Shaanxi, China

  • Huixian Li


    Affiliation School of Computer Science and Engineering, Northwestern Polytechnical Univ., Xi’an, 710072, Shaanxi, China

PLOS
Abstract

Anonymity has become increasingly important to multi-receiver schemes and has recently attracted the attention of many researchers. To protect receiver anonymity, the first multi-receiver scheme based on the Lagrange interpolating polynomial was proposed in 2010. To protect sender anonymity, the concept of the ring signature was introduced in 2005, but this scheme was later shown to have weaknesses, and at the same time a completely anonymous multi-receiver signcryption scheme was proposed. In that completely anonymous scheme, sender anonymity is achieved by improving the ring signature, and receiver anonymity is again achieved with the Lagrange interpolating polynomial. Unfortunately, the Lagrange interpolation method was shown to fail at protecting receiver anonymity, because each authorized receiver can decide whether any other party is authorized. Therefore, the completely anonymous multi-receiver signcryption scheme mentioned above protects only sender anonymity. In this paper, we propose a new completely anonymous multi-receiver signcryption scheme in which a new polynomial technique replaces the Lagrange interpolating polynomial: it mixes the identity information of the receivers into a single ciphertext element and prevents authorized receivers from testing whether others are authorized. Together with receiver anonymity, the proposed scheme also provides sender anonymity. Decryption fairness and public verifiability are provided as well.

Introduction

Research background

In 2000, Bellare et al. [1] first proposed the concept of multi-receiver public key encryption. In their scheme, to obtain a ciphertext that each authorized receiver can decrypt with his own private key, the sender repeatedly encrypts the same plaintext under the public key of each receiver. Although this meets the requirement of multi-receiver encryption, it is unsuited to large-scale broadcast encryption, because both the encryption cost and the ciphertext length grow linearly with the number of receivers. To overcome this weakness, Kurosawa [2] adopted a “randomness reuse” technique to build a multi-receiver encryption scheme with better computational efficiency, and Bellare et al. [3] later improved its performance further. But these two schemes only address how to make multiple encryptions more efficient, not how to reduce the number of encryptions.

Even so, these early schemes pointed out a new direction in information security: multi-receiver encryption, in which the sender needs only one encryption operation to send the same message to n receivers, and every authorized receiver can independently decrypt the ciphertext with his private key, which significantly improves on the early schemes [1–3]. In 2005, by introducing identity-based encryption into the multi-receiver setting, Baek et al. [4] proposed an efficient multi-receiver ID-based scheme in which the sender encrypts the same message once and sends it to n selected receivers. Its ciphertext size is linear in the number of selected receivers. In 2006, Chatterjee and Sarkar [5] proposed an efficient multi-receiver ID-based scheme with sublinear ciphertext size. Many further schemes [6–8] have since contributed to ID-based multi-receiver encryption.

With the development of encryption, more and more researchers have found that in practical applications receivers also need to verify the source of a message, and a number of signcryption schemes [9–12] have been proposed to advance this line of research. For multi-receiver cryptography, multi-receiver signcryption has gradually become the research focus. In 2006, the first ID-based multi-receiver signcryption scheme was presented by Duan et al. [13], which brought Zheng’s signcryption [14] into multi-receiver encryption. In Duan et al.’s scheme, the sender signs and encrypts the plaintext in a single operation, and each authorized receiver can independently decrypt the ciphertext and verify the source of the message. Many further multi-receiver signcryption schemes [15–21] have since been proposed. However, none of these early schemes considered the privacy of the participants, because the sender identity and the receiver list are part of the ciphertext and are required by the de-signcryption process.

Recently, with the maturity of ID-based multi-receiver signcryption, researchers have paid more attention to the anonymity of the participants. Generally speaking, anonymity has two parts, receiver anonymity and sender anonymity. In 2010, Fan et al. [22] pointed out the importance of receiver anonymity in the ID-based multi-receiver setting and proposed an anonymous multi-receiver encryption scheme that protects the receivers with the Lagrange interpolation polynomial. In their scheme, the Lagrange interpolation polynomial is used to mix and hide the identities of the receivers so that no identity information is exposed, which seemed a perfect way to protect receiver anonymity. Several multi-receiver signcryption schemes [23–25] based on the Lagrange interpolation polynomial followed.

For sender anonymity, in 2009, Lal et al. [26] adopted Huang et al.’s [27] concept of the ring signature to present a multi-receiver signcryption scheme with sender anonymity. Later, several multi-receiver signcryption schemes [28–30] based on the ring signature were proposed to protect the anonymity of the sender. However, in 2013, Pang et al. [31] pointed out that schemes whose sender anonymity rests on the ring signature are subject to the cross-comparison attack and the joint conspiracy attack. That is, the set of candidate senders can be narrowed down as the number of observed communications grows, until the real sender may even be uniquely determined. To solve this problem, Pang et al. improved the ring signature with a randomization method, which multiplies the sender’s public key by a random value to hide the sender’s identity. By this means, a receiver can only judge whether the ciphertext comes from a legitimate sender, not recover the sender’s real identity. In addition, receiver anonymity based on the Lagrange interpolation polynomial is provided in Pang et al.’s scheme [31], so it is a completely anonymous multi-receiver signcryption scheme.

Unfortunately, in 2012, Wang et al. [32] and Zhang et al. [33] independently found that Fan et al.’s scheme fails to protect receiver anonymity, because any authorized receiver can decide whether another party is authorized. This means that authorized receivers may be attacked by other authorized receivers. Wang et al. also proposed an improvement of Fan et al.’s scheme. However, in 2014, Li et al. [34] analyzed Wang et al.’s scheme and found that, because it still uses the Lagrange interpolation polynomial to mix and hide the identities of the receivers, it cannot really protect receiver anonymity either: the structure of the Lagrange interpolation polynomial lets any authorized receiver decide whether another party is an authorized receiver. It follows from these analyses that Pang et al.’s [31] completely anonymous multi-receiver signcryption scheme does not achieve receiver anonymity. How to design a multi-receiver signcryption scheme that achieves receiver anonymity and sender anonymity at the same time therefore remains an open problem.

Our contribution

Aiming at the problem discussed above, in this paper we propose a new construction for a completely anonymous multi-receiver signcryption scheme that achieves receiver anonymity and sender anonymity at the same time. To achieve receiver anonymity, we use a new polynomial in place of the Lagrange interpolation polynomial. With this polynomial, the identity information of the receivers is mixed into a single ciphertext element, and authorized receivers are prevented from testing whether others are authorized. That is, attackers both outside and inside the system are resisted, so receiver anonymity is actually achieved. To protect sender anonymity, the randomization method of [31] is also used. Hence, our scheme has both sender anonymity and receiver anonymity and eliminates the anonymity problem of the previous scheme.

Paper organization

The rest of the paper is organized as follows. Preliminaries are given in Section 2, and Section 3 presents our new scheme. Then, we prove the security of the proposed scheme in Section 4. Section 5 gives the efficiency and performance analysis. Finally, Section 6 draws the conclusions.

Preliminaries

In this section, we will briefly review the bilinear pairings, related problems and security assumptions on which our improved scheme is based.

Bilinear pairings

Let G1 be a cyclic additive group of large prime order q, and G2 a cyclic multiplicative group of the same order q. Let P be a generator of G1. A bilinear pairing is a map e: G1 × G1 → G2 that satisfies the following properties:

  1. Bilinear: e(aP, bQ) = e(P, Q)^{ab} for all P, Q ∈ G1 and all scalars a, b.
  2. Nondegenerate: There exist P, Q ∈ G1 such that e(P, Q) ≠ 1.
  3. Computable: For all P, Q ∈ G1, there exists an efficient algorithm to compute e(P, Q).

A bilinear pairing map which satisfies the above three properties is called an admissible bilinear map.

Problems and security assumptions

Here, we give mathematical hard problems and define the security assumptions on which our scheme is based.

(1) CDH (Computational Diffie-Hellman) problem: Given (P, aP, bP) ∈ G1 for unknown a, b, compute abP.

Definition 1: The advantage of any PPT algorithm A in solving the Computational Diffie-Hellman (CDH) problem is defined as: (1)

CDH assumption: For any PPT algorithm A, the advantage defined in (1) is negligible.

(2) DBDH (Decision Bilinear Diffie-Hellman) problem: Given (P, aP, bP, cP) ∈ G1 for unknown a, b, c, and R ∈ G2, decide whether e(P, P)^{abc} = R.

Definition 2: The advantage of any PPT algorithm A in solving the DBDH (Decision Bilinear Diffie-Hellman) problem is defined as: (2)

DBDH assumption: For any PPT algorithm A, the advantage defined in (2) is negligible.

(3) Gap-BDH (Gap Bilinear Diffie-Hellman) problem: Given (P, aP, bP, cP) ∈ G1 for unknown a, b, c, compute e(P, P)^{abc} ∈ G2 with the help of a DBDH (Decision Bilinear Diffie-Hellman) oracle.

Definition 3: The advantage of any PPT algorithm A in solving the Gap-BDH (Gap Bilinear Diffie-Hellman) problem is defined as: (3)

Gap-BDH assumption: For any PPT algorithm A, the advantage defined in (3) is negligible.

Security models

We shall give the security models for confidentiality, unforgeability and anonymity in Definitions 4-6, respectively.

Definition 4: IND-sMIBSC-CCA (indistinguishability of ciphertexts under selective multi-ID, chosen ciphertext attack) [13].

Suppose that there is a polynomial-time attacker named A and an anonymous ID-based multi-receiver signcryption algorithm named Π. A plays a game with a Challenger B as follows:

Setup: Challenger B performs this algorithm to generate master key s and public parameters params. Then B shall send the params to A but keep s secret. After receiving the parameter, A outputs target multiple identities .

Phase 1: Challenger B shall answer a number of different queries from adversary A in an adaptive manner as follows:

Key extract query: When queried with an identity ID that A pretends to be, B runs the Key extract algorithm to obtain D = Extract(params, s, ID) and returns it.

Anony-signcrypt query: B runs the Anony-signcrypt algorithm to produce the ciphertext C = Anonysigncrypt(params, M, L, DS), where M is the plaintext chosen by A, L = {ID1, ID2, ⋯, IDn} is the set of receiver identities, IDS is the sender identity chosen by B and DS is the corresponding private key.

De-signcrypt query: A sends (C, IDj) to B, where C is a ciphertext produced by A and IDj ∈ L* is an identity chosen by B from the target set L* output by A. B then runs the De-signcrypt algorithm to obtain the plaintext. If the result is valid, B returns it to A; otherwise, B returns “failure”.

Challenge: A chooses a target plaintext pair (M0, M1) and a sender identity IDS. On receiving the pair and the private key DS, B picks β ∈ {0, 1} at random and signcrypts Mβ to obtain the ciphertext C* = Anonysigncrypt(params, Mβ, L*, DS). B then returns C* to A.

Phase 2: A queries B as in Phase 1, except that A may not make a Key extract query for any identity in L* or a De-signcrypt query on C*.

Guess: A outputs a guess β′ ∈ {0, 1}. If β = β′, A wins the IND-sMIBSC-CCA game; otherwise, A loses.

A’s guessing advantage is defined as follows:

The scheme Π is said to be (t, ε)-IND-sMIBSC-CCA secure, if for any IND-sMIBSC-CCA attacker A, its guessing advantage is less than ε within polynomial running time t.

Definition 5: SUF-MIBSC-CMA (strong existential unforgeability under selective multi-ID, chosen message attack) [13].

Suppose that there is a forger named F and an anonymous ID-based multi-receiver signcryption algorithm named Π. F plays a game with a challenger B as follows:

Setup: Challenger B runs this algorithm to generate the master key s and the public parameters params. B then sends params to F but keeps s secret. After receiving the parameters, F outputs the target multiple identities.

Attack: The forger F may make queries to the challenger B as in Phase 1 of Definition 4.

Forgery: F outputs a ciphertext C* and a set of identities L*. If C* can be correctly de-signcrypted by every receiver IDi, i ∈ {1, 2, ⋯, n}, in the set L*, and the source of the message verifies, then C* is valid and F wins the game.

F may not make a Key extract query for any identity in L*, and C* must not have been produced by an Anony-signcrypt query.

The scheme Π is said to be (t, ε)-SUF-MIBSC-CMA secure if, for any SUF-MIBSC-CMA forger F, its success probability is less than ε within polynomial running time t.

Definition 6: ANON-IND-sMID-CCA (anonymous indistinguishability of signcryption under selective multi-ID, chosen ciphertext attack) [25].

Suppose that there is a polynomial-time attacker named A and an anonymous ID-based multi-receiver signcryption algorithm named Π. In order to get the identity of anonymous receivers, A plays a game with a challenger B as follows:

Setup: Challenger B performs this algorithm to generate master key s and public parameters params. Then B shall send the params to A but keep s secret. After receiving the parameter, A choses target identities .

Phase 1: Challenger B shall answer the Key extract query and De-signcryption query from adversary A as follows:

Key extract query: When queried with an identity IDj that A pretends to be, which must not be one of the target identities, B runs the Extract algorithm to obtain Dj = Extract(params, s, IDj).

De-signcrypt query: A sends a ciphertext together with one of the target identities (i ∈ {1, 2}) to B. B then runs the De-signcrypt algorithm to obtain the plaintext. If the result is valid, B returns it to A; otherwise, B returns “failure”.

Challenge: A first chooses a target plaintext M* and the receiver identities, with n ≥ 3. B then runs the signcryption algorithm to generate the ciphertext C* and returns C* to A.

Phase 2: A queries B as in Phase 1, except that A may not make a De-signcrypt query on C* or a Key extract query on the target identities.

Guess: A guesses β′ ∈ {1, 2} and outputs it. If β = β′, A wins the ANON-IND-sMID-CCA game.

A’s guessing advantage is defined as follows:

The scheme Π is said to be ANON-IND-sMID-CCA secure, if for any ANON-IND-sMID-CCA attacker A, its guessing advantage is less than ε within polynomial running time t.

The proposed scheme

In this section, we will present our scheme, which includes four algorithms: Setup, Key extract, Anony-signcrypt, and De-signcrypt algorithms. Detailed description is as follows:

Setup algorithm

Here, PKG shall execute the following process:

  1. PKG chooses a prime order q (q ≥ 2^l, where l is the security parameter), and then chooses an additive group G1 and a multiplicative group G2 of the same order q. It picks a random generator P of G1 and a bilinear map e: G1 × G1 → G2. PKG picks the master key s at random and keeps it secret. It selects an integer w and sets Ppub = sP ∈ G1 as the system public key. The symmetric encryption and decryption algorithms under key k are denoted Ek() and Dk().
  2. PKG constructs five cryptographic hash functions: H1: {0, 1}* → G1; H2; H3; H4: {0, 1}^w → {0, 1}^{|M|}; H5.
  3. PKG publishes the system parameters params = {q, G1, G2, e, P, Ppub, H1, H2, H3, H4, H5, Ek(), Dk()}.

Key extract algorithm

PKG runs this algorithm with s, params and an identity IDi ∈ {0, 1}* to generate IDi’s private key, which it returns to IDi. IDi is then registered at PKG:

  1. Compute IDi’s public key Qi = H1(IDi).
  2. Compute IDi’s private key Di = sH1(IDi) = sQi.

Anony-signcrypt algorithm

This algorithm is executed by the sender. With his private key DS and params, the sender IDS chooses n receivers with identities ID1, ID2, ⋯, IDn and signcrypts the plaintext M to generate the ciphertext C:

  1. The sender first picks two random integers r and α and a bit string δ ∈ {0, 1}^w, and then computes Y = rQS, U = rP, X = αY and J = rPpub, where QS = H1(IDS) is the public key of IDS.
  2. For each receiver, the sender computes υi = H2(e(Qi, J)), where Qi = H1(IDi), i = 1, 2, ⋯, n.
  3. The sender chooses a random p and constructs a polynomial f(x) of degree n with coefficients a0, a1, ⋯, an−1 as follows:
  4. Compute V = δ ⊕ H3(p), Z = EH4(δ)(M) and h = H5(X, U, Z, V, a0, a1, ⋯, an−1), and then compute W = (α + h)⋅rDS, where DS is the private key of IDS.
  5. Generate the ciphertext: C = 〈Y, U, X, Z, V, W, a0, a1, ⋯, an−1〉.

De-signcrypt algorithm

This algorithm is executed by a receiver. With params, C = 〈Y, U, X, Z, V, W, a0, a1, ⋯, an−1〉, the receiver’s identity IDi and his private key Di as input, the receiver IDi processes C as follows:

  1. Compute h = H5(X, U, Z, V, a0, a1, ⋯, an−1).
  2. Public verification: a party who has not registered with PKG executes this step; a registered participant skips it and goes to the judgment step.
    If e(W, P) = e(X + hY, Ppub) holds, the ciphertext is valid. Otherwise, the ciphertext has been tampered with or is invalid.
  3. Judgment: a registered participant executes this step before decrypting.
    If e(W, Qi) = e(X + hY, Di) holds, IDi is one of the receivers chosen by the sender and the ciphertext is valid. Otherwise, the receiver abandons the decryption process.
  4. Compute υi = H2(e(Di, U)) and p = f(υi).
  5. Compute δ = V ⊕ H3(p) and K = H4(δ).
  6. Decryption: M′ = DK(Z).

Every receiver who gets the ciphertext can verify the validity of the message by the public verification or judge if he is authorized by the judgment algorithm. Then, if necessary, he can decrypt the ciphertext.
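Steps 2 to 5 of Anony-signcrypt and steps 4 to 6 of De-signcrypt are the receiver-hiding part of the scheme. The following Python is an added example written for this page, not code from the paper or its authors. It models only the arithmetic in Z_q: the pairing value e(Qi, J) = e(Di, U) that the sender and receiver i share is replaced by a byte string that stands for it (an assumption, since no pairing library is in the standard library), H2 and H3 are SHA-256 based stand-ins, and q is taken to be the Mersenne prime 2^127 − 1. It also assumes that the polynomial of step 3 is f(x) = ∏(x − υi) + p, which is the monic form a0 + a1x + ⋯ + an−1x^{n−1} + x^n used in the proof of Theorem 4 and gives p = f(υi) for exactly the receivers whose υi the sender mixed in. The symmetric encryption of M under H4(δ) is left out; the example stops at recovering δ.

```python
import hashlib
import secrets

# Group order q. Assumption: the pairing groups G1, G2 of the paper are not
# modelled here, only the polynomial arithmetic over Z_q, so any large prime
# will do; 2^127 - 1 is a Mersenne prime.
Q = (1 << 127) - 1
W_BYTES = 32  # length of the bit string delta, i.e. w = 256 bits


def h2(shared: bytes) -> int:
    """Stand-in for upsilon_i = H2(e(Q_i, J)) reduced into Z_q.

    Assumption: the pairing value e(Q_i, J) = e(D_i, U), which only the
    sender and receiver i can derive, is represented by `shared`.
    """
    return int.from_bytes(hashlib.sha256(b"H2" + shared).digest(), "big") % Q


def h3(p: int) -> bytes:
    """Stand-in for H3: Z_q -> {0,1}^w, the mask applied to delta."""
    return hashlib.sha256(b"H3" + p.to_bytes(16, "big")).digest()[:W_BYTES]


def poly_mul(a: list[int], b: list[int]) -> list[int]:
    """Product of two polynomials (coefficient lists, lowest degree first) mod Q."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % Q
    return out


def hide(tags: list[int], p: int) -> list[int]:
    """Coefficients a0..a_{n-1} of the monic degree-n polynomial
        f(x) = prod_i (x - upsilon_i) + p     (assumed form, see lead-in)
    so that f(upsilon_i) = p for every tag that was mixed in.
    The leading coefficient is 1 and, as in the ciphertext, is not transmitted."""
    f = [1]
    for t in tags:
        f = poly_mul(f, [(-t) % Q, 1])  # multiply by (x - upsilon_i)
    f[0] = (f[0] + p) % Q               # shift the constant term by p
    return f[:-1]


def evaluate(coeffs: list[int], x: int) -> int:
    """f(x) = a0 + a1 x + ... + a_{n-1} x^{n-1} + x^n by Horner's rule mod Q."""
    acc = 1  # implicit leading coefficient
    for a in reversed(coeffs):
        acc = (acc * x + a) % Q
    return acc


def signcrypt_hide(shared_secrets: list[bytes], delta: bytes):
    """Sender side of steps 2-4 (receiver-hiding part only):
    derive the tags, pick p, build f, and mask delta as V = delta XOR H3(p)."""
    tags = [h2(s) for s in shared_secrets]
    p = secrets.randbelow(Q)
    coeffs = hide(tags, p)
    v = bytes(x ^ y for x, y in zip(delta, h3(p)))
    return coeffs, v


def designcrypt_recover(coeffs: list[int], v: bytes, shared: bytes) -> bytes:
    """Receiver side of steps 4-5: p = f(upsilon_i), delta = V XOR H3(p).
    A party whose tag was not mixed in gets a different p and hence garbage."""
    p = evaluate(coeffs, h2(shared))
    return bytes(x ^ y for x, y in zip(v, h3(p)))


def demo(n: int = 4) -> bool:
    """Constructed run: all n receivers recover delta, an outsider does not."""
    shared = [secrets.token_bytes(32) for _ in range(n)]  # constructed sample
    delta = secrets.token_bytes(W_BYTES)
    coeffs, v = signcrypt_hide(shared, delta)
    ok = all(designcrypt_recover(coeffs, v, s) == delta for s in shared)
    outsider = designcrypt_recover(coeffs, v, b"not a receiver")
    return len(coeffs) == n and ok and outsider != delta


if __name__ == "__main__":
    print("all receivers recover delta, outsider does not:", demo())
```

Every authorized receiver evaluates the same f at its own υi and obtains the same p, which is the decryption fairness property. Note where the receiver anonymity actually rests: the published coefficients determine f(x) − p completely, so what keeps an authorized receiver from testing another identity IDj is not the polynomial itself but that υj = H2(e(Qj, J)) cannot be computed for a candidate IDj without Dj or the sender’s r, which is the Gap-BDH assumption behind Theorem 6.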

Correctness and security analysis

Correctness analysis

Here, we show the correctness of the proposed scheme by stating Theorems 1-3.

Theorem 1: The public verification of the proposed scheme is correct.

Proof: Whether the equation e(W, P) = e(X + hY, Ppub) holds is used to perform the public verification because of the following:

Theorem 2: The judgement of the proposed scheme is correct.

Proof: Whether the equation e(W, Qi) = e(X + hY, Di) holds is used to perform the judgement because of the following:

Theorem 3: The decryption of the proposed scheme is correct.

Proof: The decryption of the proposed scheme is correct because of the following:
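The equations of the proofs of Theorems 1, 2 and 3 did not survive extraction. The following derivation is added here for the reader and is not the paper’s own text; it uses only the definitions from the Anony-signcrypt and De-signcrypt algorithms (Y = rQS, X = αY, U = rP, J = rPpub, DS = sQS, Di = sQi, Ppub = sP) and, for Theorem 3, the assumption that the sender’s polynomial is f(x) = ∏_{j=1}^{n}(x − υj) + p, the monic degree-n form a0 + a1x + ⋯ + an−1x^{n−1} + x^n used in the proof of Theorem 4.

```latex
\begin{align*}
% Theorem 1: public verification, using W = (\alpha+h) r D_S and D_S = s Q_S
e(W, P) &= e\big((\alpha + h)\, r s Q_S,\; P\big)
        = e\big((\alpha + h)\, r Q_S,\; sP\big)
        = e(\alpha Y + hY,\; P_{pub}) = e(X + hY,\; P_{pub}). \\[4pt]
% Theorem 2: judgment by a registered identity ID_i with D_i = s Q_i
e(W, Q_i) &= e\big((\alpha + h)\, r s Q_S,\; Q_i\big)
          = e\big((\alpha + h)\, r Q_S,\; s Q_i\big)
          = e(X + hY,\; D_i). \\[4pt]
% Theorem 3: decryption by an authorized receiver ID_i
e(D_i, U) &= e(sQ_i, rP) = e(Q_i, rsP) = e(Q_i, J),
  \qquad\text{hence } H_2(e(D_i, U)) = \upsilon_i, \\
f(\upsilon_i) &= \prod_{j=1}^{n} (\upsilon_i - \upsilon_j) + p = p,
  \qquad \delta = V \oplus H_3(p),
  \qquad M' = D_{H_4(\delta)}\big(E_{H_4(\delta)}(M)\big) = M.
\end{align*}
```

The Theorem 2 identity uses only Di = sQi and therefore holds for every identity registered at PKG, not only for the n receivers the sender chose; what distinguishes an authorized receiver is that f(υi) = p in Theorem 3 holds only for a υi the sender mixed into f.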

Security analysis

Here, we shall prove that the proposed multi-receiver signcryption scheme is secure against the IND-sMIBSC-CCA, SUF-MIBSC-CMA and ANON-IND-sMID-CCA attacks defined in Section 2.3, which respectively shows the confidentiality, unforgeability, and anonymity.

Theorem 4: If an IND-sMIBSC-CCA attacker A has a non-negligible advantage ε of winning the game of Definition 4 within running time t, then the challenger B can solve the DBDH problem in running time t′ ≤ t with non-negligible advantage ε′ ≥ ε − nq_d/2^k, where A makes q_e Key extract queries, q_s Anony-signcrypt queries and q_d De-signcrypt queries, and (qH1, qH2, qH3, qH4, qH5) denote the numbers of queries to the hash functions H1, H2, H3, H4, H5, respectively.

Proof: An instance (P, aP, bP, cP) of the DBDH problem is given; A denotes the attacker and B the challenger, who simulates the game of Definition 4. Suppose that A has a non-negligible advantage ε against the IND-sMIBSC-CCA model; B solves the DBDH instance by interacting with A. B controls the five random oracles H1, H2, H3, H4 and H5, to which A may make a polynomial number of queries. B runs and answers each phase of the IND-sMIBSC-CCA game as follows:

Setup: The challenger B sets Q = aP and Ppub = bP. Then, B sends 〈G1, G2, q, e, P, Ppub, H1, H2, H3, H4, H5, Ek, Dk〉 to A as the public parameters. When receiving the parameter, A outputs target multiple identities .

Phase 1: A proposes queries as follows to B.

Assume that the hash functions Hi(i = 1, 2, 3, 4, 5) are random oracles controlled by the challenger B. For the attacker A’s hash queries, the challenger B uses list Li(i = 1, 2, 3, 4, 5) to record the results of hash functions Hi(i = 1, 2, 3, 4, 5), respectively.

H1-query:

  1. If IDj is not one of the target identities, compute Qj = lj P; otherwise, compute Qj = lj Q, where lj is a random integer.
  2. Put it into H1-list when no (IDj, lj, Qj) exists in H1-list.
  3. B returns Qj.

H2-query: When queried with Xj ∈ G2 for some j ∈ [1, qH2], B checks with the DBDH oracle whether (P, Qi, Ppub, cP, Xj) is a valid DBDH tuple for some i ∈ [1, qH2]. If it is, B terminates the game, since e(P, P)^{abc} can then be derived from Xj. Otherwise, B picks a value xj at random, puts the tuple (Xj, xj) into the list L2 and returns xj to A.

H3-query: As an integer pj is sent to the H3 oracle where j ∈ [1, qH3], B shall pick a string wj ∈ {0, 1}w at random and puts the tuple (pj, wj) into the list L3. Then, the string wj is returned to A by the challenger B.

H4-query: When querying for the string δj ∈ {0, 1}w where j ∈ [1, qH4], B shall pick a string zj ∈ {0, 1}|M| at random and puts the tuple (δj, zj) into the list L4. Then, the challenger B returns the bit string zj to the attacker A.

H5-query: Receiving the tuple 〈Xj, Uj, Zj, Vj, aj0, aj1, ⋯, ajn−1〉 where j ∈ [1, qH5], B picks a value hj in at random and puts the tuple 〈Xj, Uj, Zj, Vj, aj0, aj1, ⋯, ajn−1, hj〉 into the list L5. Then, B returns hj.

Key extract query: A chooses an identity where i ∈ {1, 2} and sends it to challenger B, then B scans the list L1 to find if there is the tuple (IDj, lj, Qj) in L1. If it was, B shall calculate Dj = lj Ppub(= lj bP = bQj). Otherwise, the challenger B selects a at random, and calculates Qj = lj P as well as Dj = lj Ppub. At the same time, the challenger B puts a tuple (IDj, lj, Qj) into the list L1. Finally, B sends Dj back to the attacker A.

Anony-signcrypt query: When receiving an anonymous signcryption query (M, IDS, L) from A, B checks whether IDS is one of the target identities. If not, B obtains the private key of IDS through the Key extract query and answers with the ciphertext C produced by the Anony-signcrypt algorithm. Otherwise, B performs the following tasks:

  1. Select γ, α and δ ∈ {0, 1}^w at random, then compute Y = γlS P, U = γP, X = αY, J = γPpub.
  2. Compute υi = H2(e(Qi, J)), where Qi = H1(IDi) is the public key of receiver IDi.
  3. Choose p at random and construct a polynomial f(x) of degree n as follows:
  4. Compute V = δ ⊕ H3(p), Z = EH4(δ)(M) and h = H5(X, U, Z, V, a0, a1, ⋯, an−1), and then compute W = (α + h)lS Ppub.
  5. Generate the ciphertext: C = 〈Y, U, X, Z, V, W, a0, a1, ⋯, an−1〉.

De-signcrypt query: The attacker A queries B and send where i ∈ {1, 2} and Cj = 〈Yj, Uj, Xj, Zj, Vj, Wj, aj0, aj1, ⋯, ajn−1〉 When receiving the decryption query, B executes the following steps:

  1. Check the list L5 for the tuple 〈Xj, Uj, Zj, Vj, aj0, aj1, ⋯, ajn−1〉. If it is found, B obtains (Zj, Vj) from L5. Otherwise, B returns “failure”.
  2. Construct the polynomial f(x) = aj0 + aj1 x + ⋯+ajn−1 xn−1+xn.
  3. Searching the tuple (IDj, lj, Qj) in the list L1.
  4. For l = 1, 2, ⋯, qH2, perform as follows:
    1. Search the tuple (Xl, xl) from the list L2.
    2. Examine whether (P, Qi, Ppub, Uj, Xj) uses the DBDH oracle by verifying the equation e(P, P)lj = Xj.
    3. If the step above is true, calculate pl = f(xl), , and .
  5. Test whether the equation e(Wj, P) = e(Xj + hj Yj, Ppub) or the equation e(Wj, Qi) = e(Xj + hj Yj, Di) holds where hj = H5(Xj, Uj, Zj, Vj, aj0, aj1, ⋯, ajn−1). If it holds, then return Mj to A.
  6. Otherwise, B sends “failure” to A, which means that there is not a valid ciphertext generated following the proposed scheme.

Challenge: A outputs a target plaintext pair (M0, M1) and a sender private key DS. Upon receiving them, B picks β ∈ {0, 1} at random and signcrypts Mβ, producing the target ciphertext C* = 〈Y, U, X, Z, V, W, a0, a1, ⋯, an−1〉, where Y = γlS P, U = γP, X = αY, Z = EH4(δ)(Mβ), V = δ ⊕ H3(p) and W = (α + h)lS Ppub, and returns C* to A.

Phase 2: A shall query challenge B like Phase 1. Note that A cannot query the information of in the Key extract query and C* in De-signcrypt query.

Guess: The attacker A gives its guess β′ ∈ {0, 1}. If β′ = β, B wins the game because the equation Ψ = e(Ppub, P1)α = e(P, P)abc holds. Otherwise, B outputs “failure”.

From the above discussion we obtain the advantage of B as follows. Over the q_d De-signcrypt queries, the probability that B rejects a valid ciphertext is less than nq_d/2^k. So, if A wins the game, B’s advantage is

Theorem 5: If a SUF-sMIBSC-CMA forger F has a non-negligible advantage ε of winning the game of Definition 5 within time t, then the challenger B can solve the CDH problem with advantage ε′ ≥ ε − q_s/2^k in running time t′ ≤ t, where F makes at most q_e Key extract queries, q_s Anony-signcrypt queries and q_d De-signcrypt queries, and (qH1, qH2, qH3, qH4, qH5) denote the numbers of queries to the hash functions H1, H2, H3, H4, H5, respectively.

Proof: An instance (P, aP, bP) of the CDH problem is given; F denotes the forger and B the challenger, who simulates the game of Definition 5. Suppose that F has a non-negligible advantage ε against the SUF-sMIBSC-CMA model; B solves the CDH instance by interacting with F. B controls the five random oracles H1, H2, H3, H4 and H5, to which F may make a polynomial number of queries. B runs and answers each phase of this game as follows:

Setup: The challenger B sets Ppub = bP and sends 〈G1, G2, q, e, P, Ppub, H1, H2, H3, H4, H5, Ek, Dk〉 to F as the public parameters. When receiving the parameter, F outputs target multiple identities .

Attack: F does several queries to B. These queries are the same as those in Phase 1 of Theorem 4.

Forgery: F outputs a new ciphertext C = 〈Y, U, X, Z, V, W, a0, a1, ⋯, an−1〉. If the forgery succeeds, the verification equation holds. Define , then compute . The solution of the CDH instance then follows as abP = W*(α + h)^{−1}.

Now consider the probability that F succeeds. Over the q_s Anony-signcrypt queries, the probability that B fails to answer a query is less than q_s/2^k. So, if F wins the game, B’s advantage is ε′ ≥ ε − q_s/2^k.

Theorem 6: If an ANON-IND-sMID-CCA attacker A has a non-negligible advantage ε of winning the game of Definition 6 within running time t, then the challenger B can solve the Gap-BDH problem with non-negligible advantage ε′ ≥ (ε − q_d/2^l)/(n·qH2), where (q_e, q_d, qH1, qH2, qH3, qH4, qH5) denote the numbers of Key extract queries, De-signcrypt queries and queries to the hash functions H1, H2, H3, H4, H5, respectively. B’s running time is t′ ≈ t + (q_e + qH1)O(t1) + (qH2 + qH5)O(t2) + q_dO(t1 + t2) + (qH3 + qH4)O(1), where t1 is the time of a scalar multiplication in G1 and t2 the time of a pairing evaluation.

Proof: B receives an instance (P, aP, bP, cP) of the Gap-BDH problem, where a, b, c are unknown, and must compute e(P, P)^{abc} by playing the game of Definition 6 with A, who makes at most q_g queries. B answers each phase of the ANON-IND-sMID-CCA game as follows:

Suppose that A outputs the target identities after receiving the params. When obtaining the identities , B selects S = (IDβ1, IDβ2, ⋯, IDβ1) at random where S ⊂ (ID1, ID2, ⋯, IDn).

Setup: The challenger B sets Q = aP, Ppub = bP and sends the params ≡ {q, G1, G2, e, P, Ppub, H1, H2, H3, H4, H5, Ek(), Dk()} to the attacker A. When receiving this query with IDj, B answers these queries:

H1-query:

  1. If , calculate Qj = lj P; otherwise, calculate Qj = lj Q, where lj is an integer.
  2. Put it into H1-list when no (IDj, lj, Qj) exists in H1-list.
  3. B returns Qj.

H2-query: The challenger B examines if (P, Qi, Ppub, cP, Xj) uses the DBDH oracle for i ∈ [1, qH2] when he is queried with XjG2 for some j = [1, qH2]. If it exists, B shall terminate the game for e(P, P)abc equals . Otherwise, B picks a value at random and puts a tuple (Xj, xj) into the list L2. Then, the challenger B returns xj to the adversary A.

H3-query: As an integer pj is sent to the H3 oracle where j ∈ [1, qH3], B shall pick a string wj ∈ {0, 1}w at random and puts the tuple (pj, wj) into the list L3. Then, the string wj is returned to A by the challenger B.

H4-query: When querying for the string δj ∈ {0, 1}w where j ∈ [1, qH4], B shall pick a string zj ∈ {0, 1}|M| at random and puts the tuple (δj, zj) into the list L4. Then, the challenger B returns the bit string zj to the attacker A.

H5-query: Receiving the tuple 〈Xj, Uj, Zj, Vj, aj0, aj1, ⋯, ajn−1〉 where j ∈ [1, qH5], B picks a value at random and puts the tuple 〈Xj, Uj, Zj, Vj, aj0, aj1, ⋯, ajn−1, hj〉 into the list L5. Then, B returns hj.

Phase 1: Challenger B shall answer the Key extract query and De-signcrypt query from attacker A as follows:

Key extract query: A chooses an identity where i ∈ {1, 2} and sends it to the challenger B. Then B scans the list L1 to find whether the tuple (IDj, lj, Qj) is in L1. If it is, B calculates Dj = lj Ppub (= lj bP = bQj). Otherwise, the challenger B selects a at random, and calculates Qj = lj P as well as Dj = lj Ppub. At the same time, the challenger B puts the tuple (IDj, lj, Qj) into the list L1. Finally, B sends Dj back to the attacker A.

De-signcrypt query: The attacker A queries B and sends where i ∈ {1, 2, ⋯, n} and Cj = 〈Yj, Uj, Xj, Zj, Vj, Wj, aj0, aj1, ⋯, ajn−1〉. When receiving the decryption query, B executes the following steps:

  1. Check the list L5 for the tuple 〈Xj, Uj, Zj, Vj, aj0, aj1, ⋯, ajn−1〉. If it is found, B can get (Zj, Vj) from L5. Otherwise, B returns “failure”.
  2. Construct the polynomial f(x) = aj0 + aj1 x + ⋯ + ajn−1 xn−1 + xn.
  3. Search for the tuple (IDj, lj, Qj) in the list L1.
  4. For l = 1, 2, ⋯, qH2, perform the following:
    1. Search for the tuple (Xl, xl) in the list L2.
    2. Examine, with the DBDH oracle, whether (P, Qi, Ppub, Uj, Xj) is a valid DBDH tuple by verifying the equation e(P, P)lj = Xj.
    3. If the check above succeeds, calculate pl = f(xl), , and .
  5. Test whether the equation e(Wj, P) = e(Xj + hj Yj, Ppub) or the equation e(Wj, Qi) = e(Xj + hj Yj, Di) holds, where hj = H5(Xj, Uj, Zj, Vj, aj0, aj1, ⋯, ajn−1). If it holds, return Mj to A.
  6. Otherwise, B sends “failure” to A, which means that the ciphertext is not a valid one generated by the proposed scheme.

Challenge: A sends the plaintext M to B. Then B executes the following steps:

  1. Select δ ∈ {0, 1}w at random.
  2. Set U = γP = cP.
  3. For i = 1, 2, ⋯, n, B checks the tuples (IDj, lj, Qj) in the list L1 and computes υi = H2(e(Di, U)).
  4. Choose at random and construct a polynomial f(x) as follows:
  5. B returns the ciphertext C* to A.

Phase 2: A queries the challenger B as in Phase 1, except that it may not query the identities in S to the Key extract oracle or C* to the De-signcrypt oracle.

Guess: The attacker A outputs its guess β′ ∈ {1, 2, ⋯, n}. At the same time, the challenger B picks a tuple (Xj, xj) at random from the list L2 where jβ′, and chooses the tuple (IDj, lj, Qj) from the list L1. Finally, B outputs as the solution to the given instance of the Gap-BDH problem.

Here, we discuss the advantage of the challenger B. To answer a De-signcrypt query, the challenger B checks 〈Xj, Uj, Zj, Vj, aj0, aj1, ⋯, ajn−1〉 in L5, and sends back “failure” if it is not found. That is to say, the attacker A may have guessed the right value of the H5 hash function without querying the oracle. In this case, B fails with probability at most qd/q over the qd queries to the De-signcrypt oracle. In the Guess phase, the challenger B outputs the right answer e(P, P)abc with probability at least 2/nqH2, where qH2 is the number of H2 hash oracle queries and n is the number of identities. Hence, the Gap-BDH problem can be solved with a non-negligible advantage ε′ ≥ (ε − qd/2l)/nqH2, where ε is the non-negligible advantage of the attacker A. The required computation time is t′ ≈ t + (qε + qH1)O(t1) + (qH2 + qH5)O(t2) + qdO(t1 + t2) + (qH3 + qH4)O(1) for answering the queries in the simulation game above.
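As an added example that is not the paper's own code, the polynomial step used in the Challenge phase (step 4) and the De-signcrypt query (steps 2 and 4) above, written in Python over a constructed prime modulus: the sender builds the monic f(x) = aj0 + aj1 x + ⋯ + ajn−1 xn−1 + xn whose n lower coefficients travel in the ciphertext, and each authorized receiver evaluates f at its own υi. This page does not show how the coefficients are derived from the υi, so the block assumes the root-product form f(x) = ∏(x − υi) + p with a random secret p; the modulus, the stand-in for H2 and all sample values are constructed.

```python
# Added example (not the paper's code). Over Z_q with a constructed prime q,
# build the monic polynomial f(x) = a_0 + a_1 x + ... + a_{n-1} x^{n-1} + x^n
# whose n lower coefficients are carried in the ciphertext, and evaluate it.
# ASSUMPTION: the page does not show how the a_i are derived from the
# receivers' values υ_i; this block uses f(x) = prod(x - υ_i) + p, so every
# authorized receiver recovers the same secret p, while an unauthorized point
# yields an unrelated value. All sample values below are constructed.
import hashlib
import secrets

Q = 2**127 - 1  # constructed prime modulus standing in for the group order q


def poly_mul(a, b, q=Q):
    """Multiply two polynomials (coefficient lists, lowest degree first) mod q."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % q
    return out


def build_polynomial(upsilons, p, q=Q):
    """Return [a_0, ..., a_{n-1}] of f(x) = prod(x - υ_i) + p (assumed form); x^n is implicit."""
    coeffs = [1]
    for u in upsilons:
        coeffs = poly_mul(coeffs, [(-u) % q, 1], q)  # multiply by (x - υ_i)
    coeffs[0] = (coeffs[0] + p) % q
    assert coeffs[-1] == 1  # monic, as in the scheme's f(x)
    return coeffs[:-1]


def evaluate(a, x, q=Q):
    """Evaluate a_0 + a_1 x + ... + a_{n-1} x^{n-1} + x^n at x by Horner's rule."""
    acc = 1  # the implicit leading coefficient of x^n
    for c in reversed(a):
        acc = (acc * x + c) % q
    return acc


def h2(pairing_value: bytes, q=Q):
    """Stand-in for H2 (constructed, not the paper's H2): bytes -> Z_q."""
    return int.from_bytes(hashlib.sha256(pairing_value).digest(), "big") % q


def demo(n=4):
    """Sender side: υ_i = H2(e(D_i, U)) for n receivers, with the pairing
    values mocked by constructed byte strings; receiver side: f(υ_i)."""
    ups = [h2(b"constructed-pairing-value-%d" % i) for i in range(n)]
    p = secrets.randbelow(Q)  # the secret every authorized receiver recovers
    a = build_polynomial(ups, p)
    recovered = [evaluate(a, u) for u in ups]  # each authorized receiver
    outsider = evaluate(a, h2(b"constructed-pairing-value-outsider"))
    return p, a, recovered, outsider
```

The coefficients alone do not reveal which υi were used, and a receiver can evaluate f only at points it can compute, which is the property the scheme relies on for the receiver anonymity.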

Functional comparison and efficiency analysis

In this section, we compare the functionality and efficiency of our scheme with those of the existing schemes.

Functional comparison

In terms of functionality, we compare our scheme with some existing schemes with respect to the sender anonymity, receiver anonymity, decryption fairness and public verification, respectively. The comparison is shown in Table 1.

As is shown in Table 1, the schemes [15, 17, 20] cannot protect the sender anonymity. Though the schemes [26–29] can ensure the sender anonymity to some degree, they could suffer from the cross-comparison attack and the joint conspiracy attack because they use the ring signature.

Table 1 shows that the schemes [15, 17, 20, 26–29, 31] cannot achieve the receiver anonymity. In the schemes [15, 17, 20, 26–29], the receivers’ identities are stored in the ciphertext in plaintext form, which leaks the receivers’ privacy. The scheme [31] also cannot realize the receiver anonymity because it uses the Lagrange interpolation polynomial, with which each authorized receiver can judge whether anyone else is authorized or not. Meanwhile, the schemes [15, 17, 20, 26–29] do not provide the decryption fairness and public verification properties.

As Table 1 shows, our proposed scheme provides all four functions: the sender anonymity, receiver anonymity, decryption fairness and public verification. A randomized method is used in our scheme, which multiplies the public key of the sender by a random value to hide the identity of the sender and to avoid the cross-comparison attack and the joint conspiracy attack. To address the weakness of the receiver anonymity in the Lagrange interpolation polynomial, we adopt the new polynomial method, which solves the problem that an authorized receiver can judge the identities of other receivers. So, our scheme simultaneously owns the sender anonymity and the receiver anonymity, which achieves the complete anonymity. In addition, the decryption fairness and public verification properties are also guaranteed in our scheme.

Efficiency analysis

For the efficiency, we compare our scheme with several existing schemes in terms of computation complexity and ciphertext length from two aspects: signcryption and de-signcryption. The comparison is shown in Tables 2 and 3, respectively, where E stands for the bilinear pairing operation, A for the addition operation in G1, Mu for the scalar multiplication in G1, Ex for the exponentiation in G2, H for the hash operation in the encryption step, S for symmetric encryption and Param for the number of parameters in the ciphertext. In our scheme, the polynomial operations can be pre-processed, so they are excluded when considering computational complexity.

As shown in Table 2, our proposed scheme uses one bilinear pairing operation E. Though the bilinear pairing operation has a high cost, our scheme keeps it within acceptable limits compared with the others. The hash operation, which costs less than the other operations, is also within acceptable limits. The symmetric encryption algorithm S used in our scheme can be chosen according to the practical application, so its communication cost is easy to control. Meanwhile, our scheme has an obvious improvement in the addition A, scalar multiplication, exponentiation and the number of ciphertext parameters. It can be seen that our scheme is more efficient in signcryption.

On the other hand, in the de-signcryption process, three algorithms generally affect the efficiency: public verification, authorization judgment and decryption. We compare the proposed scheme with the existing schemes on these three algorithms, respectively.

As shown in Table 3, our scheme and the scheme [31] have obviously higher efficiency in public verification and authorization judgment than the other schemes [15, 17, 20, 26–29], where N/A indicates that the scheme only considers the single-receiver environment, in which the ciphertext is transferred via a unicast channel. In this case, it is unnecessary to judge whether the receiver is authorized or not. Meanwhile, our scheme has higher efficiency than the others in decryption.

From the above analysis, though our scheme brings no obvious improvement in efficiency in general, it owns the complete anonymity covering both the sender and the receiver anonymity, which we consider an excellent contribution. In our scheme, any receiver can only judge whether the ciphertext is from a reliable sender or not, rather than obtaining the real identity of the sender. Attackers both outside and inside the system can be prevented in our new scheme.

Besides the above theoretical analysis of efficiency, we also give some experimental results to compare our scheme with the existing ones more intuitively. Like the works [35–37], we pay attention only to the time-consuming operations and overlook the ones that do not consume much time. We define the notations in Table 4, and borrow the experimental testing results from [35–37].

Then, with the results in Table 4, the efficiency comparison of our scheme with the existing ones is shown in Tables 5 and 6.

Tables 5 and 6 also show the relatively high efficiency of our scheme compared with the existing schemes that have the same functions.

Conclusion

A novel multi-receiver signcryption scheme with complete anonymity is proposed in this paper. By using a new polynomial technology, our scheme actually achieves the receiver anonymity. Attackers both outside and inside the system can be prevented in our new scheme. Meanwhile, in the process of signcryption, the sender uses the randomized method to hide its public key, which ensures the sender anonymity. So, our scheme simultaneously owns the sender anonymity and the receiver anonymity, which achieves the complete anonymity. In addition, the decryption fairness and public verification properties are guaranteed in our scheme. This new scheme can be better applied to secure broadcast, network meetings, pay-TV and data sharing on the cloud.

Author Contributions

  1. Conceptualization: LP HL.
  2. Data curation: XY.
  3. Formal analysis: LP XY HZ YH HL.
  4. Funding acquisition: LP HL.
  5. Investigation: XY HZ YH.
  6. Methodology: LP XY YH HL.
  7. Project administration: LP.
  8. Resources: LP.
  9. Software: XY.
  10. Supervision: LP.
  11. Validation: LP XY HL.
  12. Visualization: YH.
  13. Writing – original draft: LP XY YH.
  14. Writing – review & editing: LP XY YH.

References

  1. Bellare M, Boldyreva A, Micali S. Public-key encryption in a multi-user setting: security proofs and improvements [C]. Eurocrypt 2000, Springer-Verlag, LNCS 1807, pp. 259–274.
  2. Kurosawa K. Multi-recipient public-key encryption with shortened ciphertext [C]. PKC 2002, Springer-Verlag, LNCS 2274, pp. 48–63.
  3. Bellare M, Boldyreva A, Staddon J. Multi-recipient encryption schemes: security notions and randomness re-use [C]. PKC 2003, Springer-Verlag, LNCS 2567, pp. 85–99.
  4. Baek J, Safavi-Naini R, Susilo W. Efficient multi-receiver identity-based encryption and its application to broadcast encryption [C]. PKC 2005, Springer-Verlag, LNCS 3386, pp. 380–397.
  5. Chatterjee S, Sarkar P. Multi-receiver identity-based key encapsulation with shortened ciphertext. In Proceedings of INDOCRYPT 2006, LNCS 4329, pp. 394–408.
  6. Ming Y, Shen X. Multi-receiver Identity-Based Key Encapsulation in the Standard Model [C]. Information Science and Management Engineering (ISME), 2010 International Conference of. IEEE, pp. 382–385.
  7. Park JH, Kim KT, Lee DH. Cryptanalysis and improvement of a multi-receiver identity-based key encapsulation at INDOCRYPT’06. In Proceedings of ASIACCS’08, 2008, pp. 373–380.
  8. Qin L, Cao Z, Dong X. Multi-receiver identity-based encryption in multiple PKG environment [C]. 2008 IEEE Global Telecommunications Conference. 2008.
  9. Li F, Khan M, Alghathbar K, Takagi T. Identity-based online/offline signcryption for low power devices. Journal of Network and Computer Applications, 2012, 35(1): 340–347.
  10. Li F, Fahad M, Khan M, Takagi T. Lattice-based Signcryption. Concurrency and Computation: Practice and Experience, 2013, 25(14): 2112–2122.
  11. Li F, Khan M. A Biometric Identity-based Signcryption Scheme. Future Generation Computer Systems, 2012, 28(1): 306–310.
  12. Li F, Khan M. A Survey of Identity-Based Signcryption. IETE Technical Review, 2011, 28(3): 265–272.
  13. Duan S, Cao Z. Efficient and provably secure multi-receiver identity-based signcryption [C]. ACISP 2006, Springer-Verlag, LNCS 4058, pp. 195–206.
  14. Zheng Y. Digital signcryption or how to achieve cost (signature & encryption) ≪ cost (signature) + cost (encryption) [C]. In Advances in Cryptology-CRYPTO’97, 1997, Springer-Verlag, LNCS 1294, pp. 165–179.
  15. Yu Y, Yang B, Huang X, et al. Efficient identity-based signcryption scheme for multiple receivers [C]. ATC 2007, Springer-Verlag, LNCS 4610, pp. 13–21.
  16. Yang X, Li M, Wei L, et al. New ECDSA-verifiable multi-receiver generalization signcryption [C]. High Performance Computing and Communications, 2008. HPCC’08. 10th IEEE International Conference on. IEEE, pp. 1042–1047.
  17. Elkamchouchi H, Abouelseoud Y. MIDSCYK: an efficient provably secure multi-recipient identity-based signcryption scheme [J]. ICNM 2009, pp. 70–75.
  18. Li F, Xiong H, Nie X. A new multi-receiver ID-based signcryption scheme for group communications [C]. Communications, Circuits and Systems, 2009. ICCCAS 2009. International Conference on. IEEE, 2009: 296–300.
  19. Li F, Hu Y, Liu Sh. Efficient and provably secure multi-recipient signcryption from bilinear pairings [J]. Wuhan University Journal of Natural Sciences, 2007, 12(1): 17–20.
  20. Selvi S, Vivek S, Srinivasan R. An efficient identity-based signcryption scheme for multiple receivers [C]. PKC IWSEC 2009, Springer-Verlag, LNCS 5824, pp. 71–88.
  21. Li Z, Xu X, Li C. Multi-recipient signcryption algorithm for communication of mobile Ad Hoc networks [C]. NCIS 2012, Springer-Verlag, pp. 388–394.
  22. Fan C, Huang L, Ho P. Anonymous multi-receiver identity-based encryption [J]. IEEE Transactions on Computers, 2010, 59(9): 1239–1249.
  23. Pang L, Li H, Wang Y. nMIBAS: A novel multi-receiver ID-based anonymous signcryption with decryption fairness [J]. Computing and Informatics, 2013, 32(3): 441–460.
  24. Khullar S, Richhariya Vivek, Richhariya Vineet. An efficient identity based multi-receiver signcryption scheme using ECC [J]. IJACT 2013, 2(4): 189–193.
  25. Pang L, Gao L, Li H, et al. Anonymous multi-receiver ID-based signcryption scheme [J]. IET Information Security, 2015, 9(3): 194–201.
  26. Lal S, Kushwah P. Anonymous ID based signcryption scheme for multiple receivers [J]. IACR Cryptology ePrint Archive, 2009, pp. 345–354.
  27. Huang X, Susilo W, Mu Y, et al. Identity based ring signcryption scheme: cryptographic primitive for preserving privacy and authenticity in the ubiquitous world [J]. AINA 2005, pp. 649–654.
  28. Zhang J, Gao S, Chen H, et al. A novel ID-based anonymous signcryption scheme [C]. Proceedings of the Advances in Data and Web Management Joint International Conferences. Suzhou, China, 2009, pp. 604–610.
  29. Zhang B, Xu Q. An ID-based anonymous signcryption scheme for multiple receivers secure in the standard model [C]. AST/UCMA/ISA/ACN. Springer-Verlag, LNCS 6059. 2010, pp. 15–27.
  30. Qin H, Dai Y, Wang Z. Identity-based multi-receiver threshold signcryption scheme [J]. Security and Communication Networks, 2011, 4(11): 1331–1337.
  31. Pang L, Li H, Gao L, Wang Y. Completely anonymous multi-recipient signcryption scheme with public verification [J]. PLoS ONE, 2013, 8(5): e63562. pmid:23675490
  32. Wang H, Zhang Y, Xiong H, et al. Cryptanalysis and improvements of an anonymous multi-receiver identity-based encryption scheme [J]. IET Information Security, 2012, 6(1): 20–27.
  33. Zhang J, Xu Y. Comment on anonymous multi-receiver Identity-based encryption scheme [J]. INCoS 2012, pp. 473–476.
  34. Li H, Pang L. Cryptanalysis and improvements of an anonymous multi-receiver identity-based encryption scheme [J]. IET Information Security, 2014, 8(1): 8–11.
  35. Islam S, Biswas G. Provably secure and pairing-free certificateless digital signature scheme using elliptic curve cryptography [J]. International Journal of Computer Mathematics, 2013, 90(11): 2244–2258.
  36. Islam S, Biswas G. A pairing-free identity-based authenticated group key agreement protocol for imbalanced mobile networks [J]. Annals of télécommunications-annales des telecommunications, 2012, 67(11-12): 547–558.
  37. Cao X, Kou W, Du X. A pairing-free identity-based authenticated key agreement protocol with minimal message exchanges [J]. Information Sciences, 2010, 180(15): 2895–2903.