Completely Anonymous Multi-Recipient Signcryption Scheme with Public Verification

Most of the existing multi-recipient signcryption schemes do not take the anonymity of recipients into consideration because the list of the identities of all recipients must be included in the ciphertext as a necessary element for decryption. Although the signer’s anonymity has been taken into account in several alternative schemes, these schemes often suffer from the cross-comparison attack and joint conspiracy attack. That is to say, there are few schemes that can achieve complete anonymity for both the signer and the recipient. However, in many practical applications, such as network conference, both the signer’s and the recipient’s anonymity should be considered carefully. Motivated by these concerns, we propose a novel multi-recipient signcryption scheme with complete anonymity. The new scheme can achieve both the signer’s and the recipient’s anonymity at the same time. Each recipient can easily judge whether the received ciphertext is from an authorized source, but cannot determine the real identity of the sender, and at the same time, each participant can easily check decryption permission, but cannot determine the identity of any other recipient. The scheme also provides a public verification method which enables anyone to publicly verify the validity of the ciphertext. Analyses show that the proposed scheme is more efficient in terms of computation complexity and ciphertext length and possesses more advantages than existing schemes, which makes it suitable for practical applications. The proposed scheme could be used for network conferences, paid-TV or DVD broadcasting applications to solve the secure communication problem without violating the privacy of each participant.

Key words: Multi-recipient signcryption; Signcryption; Complete Anonymity; Public verification.


Introduction
With the development of network technology and its applications, a lot of group-oriented network services such as network multicasting or broadcasting have been proposed. Usually, in these services, a message sender is required to securely send the same messages to a group of recipients, such that only a certain number of recipients can read the messages while unauthorized recipients can extract nothing useful from these messages [1]. Therefore, the concept of multi-recipient encryption was put forward [2][3][4][5][6], and it has been considered one of the most promising solutions to the problem of securing multicasting or broadcasting. Later, combining the concept of multi-recipient encryption with the idea of Zheng's signcryption [7], Duan et al. [8] proposed the first multi-recipient signcryption scheme. In their scheme, to achieve the goal of sending the same message to all authorized recipients confidentially, the sender only needs to execute one signcryption operation, and at the same time, each recipient can verify the validity of messages. Since then, many excellent multi-recipient signcryption schemes [9][10][11] have been proposed, which take more security properties into consideration than Duan et al.'s scheme. In general, multi-recipient signcryption can be used in many important applications, such as paid-TV or DVD broadcasting systems [10], where only authorized or paying users should be able to access such services.
Nevertheless, today, more and more people are concerned about personal privacy, thus participant anonymity should be taken into account when designing multi-recipient signcryption [12]. For example, in paid-TV and DVD broadcasting application systems, service providers do not want others to obtain the real identities from the ciphertext messages. Therefore, multi-recipient signcryption with anonymity of the sender (also called the signer) has been introduced. In the literature, there have been several multi-recipient signcryption schemes [13][14][15][16][17] which try to assure anonymity of the sender. The concept of anonymous signature was first proposed by Rivest et al. [18]. In 2005, Huang et al. [19] proposed the first anonymous signcryption scheme, which used an ID-based ring signature to assure anonymity of the signer. However, their scheme is only a single-recipient scheme. Later, based on similar thoughts, Lal et al. [13] extended this method for multi-recipient environments. Furthermore, a multi-recipient scheme with anonymity of the sender [14][15][16][17] was proposed. Although these schemes [13][14][15][16][17] provide solutions for assuring signer anonymity, there are still some unsolved issues. For example, they suffer from two new attacks known as the cross-comparison attack [20] and the joint conspiracy attack [21]. Based on the ring signature, schemes [13][14][15][16][17] construct a list which includes the real signer and several valid participants chosen randomly by the signer, hiding the real signer in this list. Although this works to some extent, an attacker can obtain a number of different ciphertexts from the same message source by closely monitoring network traffic, and thus, by comparing the signers' identities from different lists, an attacker can narrow down the scope of the target signer. Using this approach, an attacker can directly obtain the identity of the real signer.
Even if the attacker does not directly obtain the real signer's identity, he/she has narrowed down the scope of the guess. In addition, it is still possible for such an attacker to retrieve a list which includes the real signer. Then, he/she can cooperate with some participants in the list to narrow down the scope and guess the real signer with a larger probability. In addition, the list of chosen participants can increase the length of the ciphertext quite significantly, potentially reducing the transmission efficiency. More importantly, the identities of all the authorized recipients are usually included in the ciphertext of these anonymous schemes in plaintext [13][14][15][16][17][18][19], which is not always wanted.
Generally speaking, anonymity of participants includes both the sender's and the recipient's anonymity. Besides the anonymity of the sender, the anonymity of the recipient is often equally important, so designers of multi-recipient signcryption schemes should pay attention to it. For example, in paid-TV and DVD broadcasting application systems, no user should accept that his/her subscription of these services is publicly viewable to others, especially when the service is quite sensitive. However, unfortunately, almost none of the existing schemes take the anonymity of recipients into consideration because the identity of each recipient must be included in the ciphertext as a necessary element for decryption. The list of the authorized recipients' identities in the ciphertext is used to show who are the authorized recipients and how each authorized recipient gets his/her person-specific data for encryption from the ciphertext during the decryption process. Thus, schemes [9][10][11] directly expose the recipient's identity and therefore violate their privacy. Also, the fact that different recipients have different person-specific data for decryption can lead to decryption unfairness. This means that if some recipient's person-specific data are damaged due to communication errors, he/she cannot decrypt the ciphertext but the others can still decrypt the ciphertext correctly [12]. Therefore, it is urgent and challenging for researchers to solve the recipient anonymity issue of multi-recipient signcryption.
Following the arguments above, it is known that almost none of the existing multi-recipient signcryption schemes take the full anonymity of recipients and senders into account. Although there are several schemes that provide a solution for anonymity of the signer, they are not perfect, that is, they suffer from the cross-comparison attack and the joint conspiracy attack. Therefore, existing schemes cannot deal with the anonymity of the sender or the recipient properly. Furthermore, these schemes are not suitable for applications that need complete anonymity for the sender and the recipient. For example, in a network conference application, every conference participant often wants to be kept anonymous when he/she is taking part in the conference discussion. Furthermore, if a participant (i.e. sender) wants to publish criticism or objections, he/she hopes that others (i.e. recipients) do not know his/her identity. At the same time, the recipient does not want the other recipients to reveal that he/she is an authorized recipient. In fact, today, anonymity is one of the most important prerequisites for people to talk freely and make objective decisions.
Motivated by the above, this paper proposes a completely anonymous multi-recipient signcryption scheme which meets: (1) The identity of the sender is kept secret; (2) The identities of all the recipients are kept secret; (3) Each recipient can easily judge whether the received message is from an authorized source, but he/she cannot determine the real identity of the sender; (4) Each recipient can easily judge whether he/she is an authorized recipient, but he/she cannot determine the identity of any other authorized recipient; (5) The validity of ciphertext can be verified publicly. Speaking of practical applications, the proposed scheme can be in principle used for network conference, paid-TV or DVD broadcasting application systems to assure secure communication among authorized participants, while at the same time, providing complete anonymity for all participants.
To facilitate the description of our scheme, notations used throughout the document are summarized in Table 1.

Complexity Assumptions
The security of the proposed scheme is based on the following problems and security assumptions.
Let $G_1$ and $G_2$ be two cyclic groups of prime order q and let P be a generator of $G_1$. Let $e: G_1 \times G_1 \rightarrow G_2$ be a bilinear mapping. The DBDH, CDH and DBDH-M problems can thus be defined as:

Algorithm Model
Our identity(ID)-based multi-recipient signcryption scheme with complete anonymity consists of four algorithms, namely: Setup, Extract, Anony-signcrypt and De-signcrypt, shown as follows:
Setup. Private Key Generator (PKG) runs this algorithm to generate a master key s and public parameters params. Note that the public parameters are publicly known while the master key must be kept secret.
Extract. This algorithm is run by PKG to extract the private key of the user. With a user's identity ID, PKG's master key s and the public parameter params as input, it outputs the private key D associated with ID, namely D = Extract(ID, s, params). The private key D must be kept secret.
Anony-signcrypt. This algorithm is run by the signer $ID_S$. With PKG's public parameter params, a plaintext message M, a list of recipients' identity $L = \{ID_1, ID_2, \ldots, ID_n\}$ as input, the signer $ID_S$ runs this algorithm to generate a ciphertext C associated with M, namely $C = \text{Anony-signcrypt}(params, M, L, D_S)$, which satisfies $L \notin C$ and $ID_S \notin C$.
De-signcrypt. With the ciphertext C, PKG's public parameter params, the recipient's identity $ID_i$ ($i \in \{1,2,\ldots,n\}$) and its private key $D_i$ as input, the recipient can run this algorithm to decrypt the ciphertext. The recipient can first judge whether he/she is an authorized recipient. If not, he/she outputs an error message $\perp$ and exits the algorithm. Otherwise, he/she continues to carry out the decryption process and outputs the plaintext M associated with C, namely $M = \text{De-signcrypt}(C, params, D_i)$.

Message Confidentiality
The security model of ciphertext indistinguishability under chosen ciphertext attack was first proposed by Canetti et al. [20]. Later, Duan et al.
Definition 4. IND-sMIBSC-CCA: Let A be a polynomial-time attacker and P be an ID-based multi-recipient scheme. Consider that A interacts with a Challenger B in the following game:
Setup. Challenger B runs this algorithm to generate master key s and public parameters params, sends params to A, and keeps the master key s secret. Upon receiving public parameters, A outputs n target identities $L^* = \{ID_1^*, ID_2^*, \ldots, ID_n^*\}$.
Phase 1. A performs a number of queries to B:
Extraction query: Upon receiving private key extraction query about an identity ID, $ID \neq ID_i^*$, $i = 1,2,\ldots,n$, B runs the Extract algorithm to get D = Extract(ID, s, params).
Anony-signcryption query: A chooses a target plaintext M, a list of recipients' identity information $L = \{ID_1, ID_2, \ldots, ID_n\}$ and gives them to B. B randomly chooses an identity $ID_S$, computes the private key $D_S$, and generates the ciphertext $C = \text{Anony-signcrypt}(params, M, L, D_S)$ and returns it to A.
De-signcryption query: A generates the list of target identities $L^* = \{ID_1^*, ID_2^*, \ldots, ID_n^*\}$ and a ciphertext C. B randomly chooses an identity $ID_j \in L$ and computes its private key $D_j$. If C is a valid ciphertext, B decrypts it to obtain the corresponding plaintext $M = \text{De-signcrypt}(C, params, D_j)$ and returns it to A; otherwise, B outputs an error message $\perp$.
Challenge. A outputs a target plaintext pair $(M_0, M_1)$ and an arbitrary identity $ID_S$ with its private key $D_S$. Upon receiving $(M_0, M_1)$ and $D_S$, B picks up a random bit $b \in \{0,1\}$ and creates a target ciphertext $C^* = \text{Anony-signcrypt}(params, M_b, L^*, D_S)$, and then returns $C^*$ to A.
Phase 2. A performs a number of queries like Phase 1. Note that A cannot query the identity information in $L^*$ in the Extraction query, and cannot query $C^*$ in the De-signcryption query.
Guess. Finally, A outputs its guess $b' \in \{0,1\}$. If $b' = b$, he wins this game.
An attacker A mentioned above is referred to as an IND-sMIBSC-CCA attacker. We define A's guessing advantage as follows: The scheme P is said to be (t,e)-IND-sMIBSC-CCA secure, if for any IND-sMIBSC-CCA attacker A, its guessing advantage is less than e within polynomial running time t.

Unforgeability
This security model has been proposed by Duan et al. [8] and is called strong existential unforgeability under selective multi-ID, chosen message attack (SUF-MIBSC-CMA) shown as Definition 5.
Definition 5. SUF-sMIBSC-CMA: Suppose F is a forger, and let P be an ID-based multi-recipient scheme. Consider that F interacts with a Challenger B in the following game:
Setup. B runs this algorithm to generate a master key s and a public parameter params. B gives the params to F and keeps s secret. Upon receiving this parameter, F outputs n target identities $L^* = \{ID_1^*, ID_2^*, \ldots, ID_n^*\}$.
Attack. F performs a number of queries to B as described in Definition 4.
Forgery. F finally outputs a new ciphertext message $C^*$, a list of recipient identities $L = \{ID_1, ID_2, \ldots, ID_n\}$. If $C^*$ is the ciphertext of the message M generated by $ID_i^*$, $i \in \{1,2,\ldots,n\}$, and can be decrypted by any of the recipients in L, $C^*$ is a valid ciphertext and F wins this game. The restriction here is that F cannot ask for private key extraction on $ID_i^*$, and $C^*$ cannot be produced by the Anony-signcrypt algorithm.
The scheme P is said to be (t,e)-SUF-sMIBSC-CMA secure, if for any SUF-sMIBSC-CMA attacker F, its guessing advantage is less than e within polynomial running time t.

Recipient Anonymity
This security model has been proposed by Fan et al. [5] and is called anonymous indistinguishability of encryptions under selective ID, chosen ciphertext attack (ANON-sID-CCA) and shown as Definition 6.
Definition 6. ANON-sID-CCA: Let A be a polynomial-time attacker. Let P be an ID-based multi-recipient scheme. Consider that A interacts with a Challenger B in the following game:
Setup. Challenger B runs the Setup algorithm to generate the master key s and public parameters params. Then, B sends params to A and keeps s secret.
Phase 2. A issues private key extraction queries. Upon receiving a private key extraction query, denoted by $ID_j$, Challenger B runs the private key extraction algorithm to get $D_j = \text{Extract}(ID_j, s, params)$. The constraint here is that
Phase 4. A issues private key extraction queries as those in Phase 2 and de-signcryption queries for target identities as those in Phase 3. The restriction here is that $C \neq C^*$.
Guess. Finally, A outputs its guess $b' \in \{1,2\}$. If $b = b'$, A wins the game.
An attacker A mentioned above is referred to as an ANON-sID-CCA attacker. We define A's guessing advantage as follows: The scheme P is said to be (t,e)-ANON-sID-CCA secure, if for any ANON-sID-CCA attacker A, its guessing advantage is less than e within polynomial running time t.

Methods
The proposed scheme is composed of the following four algorithms. Along the way, we take the network conference application as an example to show how to use our scheme.

Setup Algorithm
PKG performs the following process:
(1) Let $G_1$ be an additive group and $G_2$ be a multiplicative group with the same prime order q ($q \geq 2^k$, where k is a long integer). Let P be a generator of $G_1$. Choose a bilinear mapping e:
(2) Define four one-way hash functions: where |M| is the length of the plaintext message.
(3) Choose a random number $s \in Z_q^*$ as the master key, and set $P_{pub} = sP \in G_1$ as the system's public key. Publish the system parameter $params = \langle G_1, G_2, q, e, P, P_{pub}, H_1, H_2, H_3, H_4 \rangle$ and keep the master key s secret.
Practically speaking, the role of PKG is played by some authority. For example, in a network conference application, the organizer of a conference should operate the PKG, which is responsible for generating the system parameters following the steps mentioned above.

Extract Algorithm
With params, s, and an identity $ID \in \{0,1\}^*$ as input, PKG performs this algorithm to generate the private key of the identity ID:
(1) Compute ID's public key $Q_{ID} = H_1(ID)$.
Each participant, the sender or the recipient, should register himself/herself at PKG and obtain his/her private key from PKG by this algorithm. For example, in a network conference application, if someone wants to attend a conference and talk with other participants, he/she must firstly send his/her ID information to the organizer PKG to get his/her own private key computed by PKG.

Anony-signcrypt Algorithm
With params, a plaintext M and his/her private key $D_S$ as input, the signer $ID_S$ chooses a list of recipients' identity $L = \{ID_1, ID_2, \ldots, ID_n\}$ and performs this algorithm to generate the ciphertext C of the plaintext M:
(1) Randomly choose two secret integers $r, a \in Z_q^*$ and a secret element $P_1 \in G_1$, and then compute $Y = rQ_S$, $U = aP$, $X = aY$, $v = e(P_{pub}, P_1)^a$ and $s = H_2(v) + M$, where $Q_S$ is the public key of $ID_S$.
(2) For $i = 1,2,\ldots,n$, compute $x_i = H_3(ID_i)$ and $y_i = a(P_1 + Q_i)$, where $Q_i$ is the public key of $ID_i$.
After obtaining the private key, each participant can securely and anonymously send messages to other participants that he/she selects. For example, in a network conference application, any participant can freely select some participants as expected recipients to receive his/her messages. What he/she needs to do is to encrypt the messages by this algorithm and then broadcast the ciphertext.

De-signcrypt Algorithm
The algorithm is carried out by the recipient. With $C = \langle Y, X, U, s, W, T \rangle$, params, the recipient's identity $ID_i$ and his/her private key $D_i$ as input, the recipient $ID_i$ decrypts C as follows:
Public verification. The one, who has not registered himself/herself with PKG to get his/her private key, can use the following steps to check the integrity or validity of the ciphertext. The registered participant can skip this process and directly jump to the following judgement algorithm:
(1) Compute $h = H_4(s, X, U, T)$.
(2) Verify whether the equation $e(W, P) = e(X + hY, P_{pub})$ holds. If yes, the ciphertext is valid. Otherwise, the ciphertext is invalid or has been damaged during transmission.
Judgement. The one, who has registered himself/herself with PKG to get his/her private key, can use the following steps to check whether the ciphertext is valid and whether he/she is an authorized recipient before the following encryption process:
(1) Compute $h = H_4(s, X, U, T)$.
(2) Check whether the equation $e(W, Q_i) = e(X + hY, D_i)$ holds. If yes, it means that $ID_i$ is one of the recipients designated by the signer and the ciphertext is valid. Otherwise, the recipient quits the decryption process.
De-signcryption. The authorized user can recover the plaintext by the following steps:
(1) Compute $x_i = H_4(ID_i)$ and then compute $g_i = T_1 + x_i T_2 + \cdots + (x_i^{n-1} \bmod q) T_n$.
The one who receives the broadcasting ciphertext can verify the validity of the message and judge whether he/she is authorized by the public verification or judgement algorithm. If necessary, he/she can use the de-signcrypt algorithm to decrypt the ciphertext. In a network conference application, due to the nature of the broadcast communication, anyone, authorized recipients or unauthorized ones, can easily receive the ciphertext and check the validity of the message and the authorization of the decryption. But only the authorized recipients can decrypt it correctly.
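The recipient-side evaluation $T_1 + x_i T_2 + \cdots + x_i^{n-1} T_n$ and the Lagrange mixing of recipient identities can be traced in a small sketch. This is an added example, not code from the paper. It assumes that integers modulo a prime stand in for elements of $G_1$ (no pairing and no security), that SHA-256 stands in for $H_1$ and $H_3$, and that the coefficients $T_1, \ldots, T_n$ are obtained by interpolating through the points $(x_i, y_i)$; all function names are hypothetical.

```python
import hashlib
import secrets

Q = 2**127 - 1  # prime; toy stand-in for the group order q (assumption)


def h(tag: bytes, identity: str) -> int:
    """SHA-256 stand-in for H_1 / H_3: identity -> scalar in [1, Q-1]."""
    digest = hashlib.sha256(tag + b"|" + identity.encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


def y_value(identity: str, a: int, p1: int) -> int:
    """y_i = a(P_1 + Q_i) with Q_i = H_1(ID_i); group elements are toy scalars."""
    return a * (p1 + h(b"H1", identity)) % Q


def times_x_minus(poly, root):
    """Multiply a polynomial (low-order coefficient first) by (x - root) mod Q."""
    out = [0] * (len(poly) + 1)
    for k, c in enumerate(poly):
        out[k] = (out[k] - root * c) % Q
        out[k + 1] = (out[k + 1] + c) % Q
    return out


def interpolate(xs, ys):
    """Coefficients T_1..T_n of the unique degree < n polynomial F with F(x_i) = y_i."""
    n = len(xs)
    if len(set(xs)) != n:
        raise ValueError("identity hashes collide; interpolation is undefined")
    coeffs = [0] * n
    for i in range(n):
        basis, denom = [1], 1
        for j in range(n):
            if j != i:
                basis = times_x_minus(basis, xs[j])    # numerator of Lagrange basis i
                denom = denom * (xs[i] - xs[j]) % Q    # its value at x_i
        scale = ys[i] * pow(denom, -1, Q) % Q
        for k in range(n):
            coeffs[k] = (coeffs[k] + scale * basis[k]) % Q
    return coeffs


def recipient_coefficients(ids, a, p1):
    """Sender side: mix every recipient's (x_i, y_i) into T; no identity is stored."""
    xs = [h(b"H3", i) for i in ids]  # x_i = H_3(ID_i), as in Anony-signcrypt step (2)
    ys = [y_value(i, a, p1) for i in ids]
    return interpolate(xs, ys)


def recover(coeffs, identity):
    """Recipient side: T_1 + x T_2 + ... + x^(n-1) T_n via Horner's rule."""
    x = h(b"H3", identity)
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


if __name__ == "__main__":
    # Constructed sample identities and fresh random sender secrets.
    ids = ["alice@conf.example", "bob@conf.example", "carol@conf.example"]
    a = secrets.randbelow(Q - 1) + 1
    p1 = secrets.randbelow(Q - 1) + 1
    T = recipient_coefficients(ids, a, p1)
    for who in ids + ["mallory@conf.example"]:
        print(who, "recovers own y:", recover(T, who) == y_value(who, a, p1))
    damaged = T[:-1] + [(T[-1] + 1) % Q]  # one coefficient corrupted in transit
    print("any recipient still succeeds after damage:",
          any(recover(damaged, i) == y_value(i, a, p1) for i in ids))
```

Only the n coefficients travel with the ciphertext, so no identity list is needed to locate per-recipient data. Damaging any single coefficient spoils recovery for every recipient at once, which is the decryption fairness property.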

Results and Discussion
Correctness Analyses
In our scheme, although the identity of the real signer is not included in the ciphertext, his/her private key is definitely necessary in the signcryption process, which ensures that only legal participants who have registered themselves with PKG can generate a valid ciphertext. That is to say, through this algorithm, anyone can check whether a ciphertext is generated by an authorized participant, but he/she cannot determine the real identity of the signer.
Similarly, because the private key of the real signer is necessary in the signcryption process, this algorithm can also be used to check the validity of ciphertext. At the same time, this algorithm can help a participant, who has registered himself/herself with PKG, to judge whether he/she is an authorized recipient, because the private key of the recipient is also necessary in the judgement.
Theorem 3. The decryption algorithm in the De-signcrypt algorithm is correct.

Security Analyses
We shall give a security proof of the proposed scheme on confidentiality, unforgeability and anonymity under the random oracle model.
Theorem 4. In the IND-sMIBSC-CCA security model, if an adversary A has an advantage e against the game defined in Definition 4 within running time t (where A makes at most $q_e$ private key extraction queries, $q_s$ anony-signcryption queries, $q_d$ de-signcryption queries and $q_{H_1}, q_{H_2}, q_{H_3}, q_{H_4}$ queries to the hash functions $H_1$, $H_2$, $H_3$ and $H_4$, respectively), then there is an algorithm B that solves the DBDH problem in time $t' \leq t$ with an advantage $e' \geq e - nq_d/2^k$.
Proof. The challenger B is challenged with an instance (P, aP, bP, cP) of the DBDH problem. Assume that there is an adversary A who is capable of breaking the IND-sMIBSC-CCA security with a non-negligible advantage e. B makes use of A to solve the DBDH instance. B simulates the system with various oracles $H_1$, $H_2$, $H_3$ and $H_4$ and allows A to make a polynomially bounded number of queries, adaptive to these oracles. The game between A and B is demonstrated below:
Setup. B sets $P_1 = cP$, $P_{pub} = bP$, and gives $\langle G_1, G_2, q, e, P, P_{pub}, H_1, H_2, H_3, H_4 \rangle$ to the attacker A as the public parameters. Upon receiving the system parameters, A outputs n target identities $(ID_1^*, ID_2^*, \ldots, ID_n^*)$.
(1) Choose an integer $l_j \in Z_q^*$ at random;
(2) If $ID_j \neq ID_i^*$, $i \in \{1,2,\ldots,n\}$, compute $Q_j = l_j P$; otherwise, compute $Q_j = l_j P - P_1$;
(3) Put $(ID_j, l_j, Q_j)$ into $H_1$-list;
(4) Return $Q_j$.
Extraction query. Upon receiving private key extraction query on identity $ID_j$ ($ID_j \neq ID_i^*$, $i = 1,2,\ldots,n$), B searches for $(ID_j, l_j, Q_j)$ in $H_1$-list. B recovers triple $(ID_j, l_j, Q_j)$ in $H_1$-query and computes his private key $D = l_j P_{pub} = l_j bP$, and returns it to A. If $ID_j = ID_i^*$, B aborts and outputs ''failure''.
Anony-signcryption query. Upon receiving A's anony-signcryption query $(M, ID_S, L)$, B checks if $ID_S \neq ID_i^*$ ($i = 1,2,\ldots,n$). If $ID_S \neq ID_i^*$ ($i = 1,2,\ldots,n$), B shall get the private key of $ID_S$ through the Extraction query. After that, B can run the Anony-signcryption query to generate the ciphertext M. An alternative to this is:
(1) B randomly chooses two secret integers $r, a \in Z_q^*$, and then computes $Y = r l_s P$, $X = aY$, $U = aP$, $v = e(P_{pub}, P_1)^a$ and $s = H_2(v) + M$.
(2) For $i = 1, 2, \ldots, n$, compute $x_i = H_3(ID_i)$ and $y_i = a(P_1 + Q_i)$, where $Q_i$ is the public key of $ID_i$.
De-signcryption query. On receiving the De-signcryption query of the ciphertext C together with an identity $ID_j$, B proceeds as follows:
(1) If $ID_j = ID_i^*$, B shall return that the ciphertext C is invalid because B does not know the private key of ID. If all the above verifications are true, then B outputs the message M'. Otherwise, the ciphertext is invalid, and B outputs $\perp$.
Challenge. A outputs a target plaintext pair $(M_0, M_1)$ and a private key $D_S$. Upon receiving $(M_0, M_1)$ and $D_S$, B picks up a random bit $b \in \{0,1\}$ and signcrypts the message $M_b$. Firstly, B searches $H_1$-list to get $l_i^*$ related to $ID_i^*$, $i \in \{1,2,\ldots,n\}$, and their public key $Q_i = l_i^* P - P_1$, then computes $y_i^* = a(P_1 + Q_i) = a(P_1 + l_i^* P - P_1) = a l_i^* P$ to get $T_i^*$, $i \in \{1,2,\ldots,n\}$. B finally creates the target ciphertext $C^* = \langle Y, X, U, s, W, T^* \rangle$ where $X = a l_S P$, $U = aP$, $W = (a + h) l_S bP$ and $P_1 = cP$, and then returns $C^*$ to A.
Phase 2. A performs a number of queries as in Phase 1. Note that A cannot query the identity information of $(ID_1^*, ID_2^*, \ldots, ID_n^*)$ in extraction query, and cannot query $C^*$ in de-signcryption query.
Guess. Finally, A outputs its guess $b' \in \{0,1\}$. If $b' = b$, B wins this game and outputs 1 as the answer of the DBDH problem because $Y = e(P_{pub}, P_1)^a = e(bP, cP)^a = e(P, P)^{abc}$. Otherwise, B outputs 0.
From the above discussion, we shall analyze the advantages of B in the following. For $q_d$ de-signcryption queries, the probability to reject a valid ciphertext is not greater than $nq_d/2^k$. If A wins the IND-sMIBSC-CCA game, the advantage of B is
Theorem 5. In the SUF-sMIBSC-CMA security model, if there is an adversary F who can win the game in the time t with a non-negligible advantage e as described in Definition 5, there will exist an algorithm B which can solve the CDH problem in the time $t' \leq t$ with an advantage $e' \geq e - q_s/2^k$, where F can ask at most $q_e$ extraction queries, $q_s$ anony-signcryption queries and $q_{H_1}, q_{H_2}, q_{H_3}, q_{H_4}$ queries to $H_1$, $H_2$, $H_3$, $H_4$, respectively.
Proof. The challenger B is given (P, aP, bP) as an instance of the CDH problem. Assume that there is an adversary F who has a non-negligible advantage e in breaking the SUF-sMIBSC-CMA security. Then, B uses F to solve the CDH problem. Firstly, B simulates the system with the various oracles $H_1$, $H_2$, $H_3$ and $H_4$, and then allows F to adaptively ask a polynomially bounded number of queries to these oracles. The game between B and F is demonstrated below:
Setup. B sets $P_{pub} = bP$, and gives $\langle G_1, G_2, q, e, P, P_{pub}, H_1, H_2, H_3, H_4 \rangle$ to the attacker F as the public parameters. Upon receiving the system parameters, F outputs n target identities $L^* = \{ID_1^*, ID_2^*, \ldots, ID_n^*\}$.
Attack. F adaptively performs a polynomially bounded number of queries to the various oracles in this phase, which are similar to those in Theorem 4.
We consider the advantage of F's success here. As in the anony-signcryption query, the probability for B to answer a failure signcryption query is not greater than $q_s/2^k$, and then the advantage is $e' \geq e - q_s/2^k$.
Theorem 6. In the ANON-sID-CCA security model, if an adversary A has advantage e against the game defined in Definition 6 within running time t (where A makes at most $q_e$ private key extraction queries, $q_s$ anony-signcryption queries, $q_d$ de-signcryption queries and $q_{H_1}, q_{H_2}, q_{H_3}, q_{H_4}$ queries to the hash functions $H_1$, $H_2$, $H_3$ and $H_4$, respectively), then there is an algorithm B that solves the DBDH-M problem with an advantage $e' \geq e$.
Proof. The challenger B is challenged with an instance (P, aP, bP, C) of the DBDH-M problem. Assume that there is an adversary A who is capable of breaking the ANON-sID-CCA security with a non-negligible advantage e. B makes use of A to solve the DBDH-M instance. B simulates the system with hash functions $H_1$, $H_2$, $H_3$ and $H_4$, and allows A to make a polynomially bounded number of queries. The game between B and A is demonstrated below:
Phase 1. Suppose that A outputs a target identity pair $(ID_1^*, ID_2^*)$.
Setup. B sets the public key $P_{pub} = c_1 bP$ and lets $P_1 = aP$, where $c_1, c_2 \in Z_q^*$, and aP and bP are given from the instance of the DBDH-M problem. Here, B does not know a and b. A performs a polynomially bounded number of queries to $H_1$, $H_2$, $H_3$ and $H_4$, which are similar to those in Theorem 4.
Phase 2. Upon receiving the private key extraction query of an identity $ID_j$ such that $ID_j \neq ID_i^*$, for $i \in \{1,2\}$, according to $Q_j = l_j P = aP$, B computes $D_j = l_j P_{pub}$.

Challenge.
A outputs a target plaintext M. Upon receiving M, B does the following steps:
(1) Compute $U = abP - c_1 P$.
(3) Create a target ciphertext $C = \langle Y, X, U, s, W, T_1 \rangle$ and return it to A.

Phase 4.
A issues private key extraction queries as those in Phase 2 and decryption queries for target identities as those in Phase 3, where a restriction here is that $C \neq C^*$.
Guess.

Efficiency Analysis
We compare our scheme with existing signcryption schemes [9,10,11,12,13,15,17,19] in terms of calculation costs and communication traffic (ciphertext length). In order to facilitate the description, we define the symbols shown in Table 2. First, we talk about the signcryption process. In the proposed scheme, the operations for Lagrange interpolation can also be pre-processed, so these operations can be excluded when considering computational complexity. In order to signcrypt a message M, our scheme needs 1 bilinear operation, 2 addition operations in $G_1$, 6 scalar multiplications in $G_1$, 1 exponentiation in $G_2$ and 2 hash operations. The length of the ciphertext is $(n+4)|G_1| + |M|$. The specific comparison results are shown in Table 3, from which one can see that our scheme performs much better than most of the existing schemes in terms of number of parameters, computation complexity and the ciphertext length.
Regarding the de-signcryption in our scheme, some calculations of the de-signcryption algorithm are used to judge the validity of ciphertext and the authorization of the recipient, which is important for broadcast-based communications to avoid receiving unwanted information (e.g. SPAM). Note that although the schemes [9,10,11,13,15] directly provide the recipients' true identities in the ciphertext, in fact the recipient cannot absolutely ensure whether he/she is authorized before checking the validity of the ciphertext. The number of pairing operations ($T_p$, the most time-consuming operation in the existing schemes and our scheme) in our decryption algorithm is smaller than those of the existing schemes, which makes our scheme more attractive in terms of computation performance. Table 4 shows a comparison between the proposed scheme and the existing ones [9,10,11,12,13,15,17,19].

Discussion of Merit and Demerit
Compared to existing schemes, our scheme has some advantages. To achieve the signer's anonymity, the identity of the signer is no longer included in the ciphertext, although the private key of the signer is necessary for signcryption. The recipients can therefore only judge if the ciphertext received is from a trusted signer, but they cannot determine the real identity of the signer. To achieve the recipient's anonymity, the ID information of all authorized recipients is mixed by the Lagrange interpolation polynomial during the signcryption process, which prevents the recipient's ID from being exposed. This method also ensures that only the recipient, who has got the entire ciphertext, can decrypt the ciphertext, thus achieving the decryption fairness. The IDbased cryptography enables one user to confidentially send messages to other users, despite of whether the latter is a registered user, and the public verification property of our scheme enables unregistered users to judge the validity of the received ciphertext before having to register himself/herself with PKG. The merit/demerit comparison between the existing schemes and our scheme is summarized in Table 5.
From Table 5, we can see: (1) The schemes [12,13,15,17,19] have taken the anonymity of the sender into account. However, they are all prone to the cross-comparison attack and joint conspiracy attack. In these schemes, in order to protect the privacy of the sender, the sender randomly chooses some legitimate participants to hide his/her true identity, but in practice this does not protect against the two attacks mentioned above. (2) The schemes [9,10,11] cannot assure the anonymity of the sender because the identity of the sender is directly given in the ciphertext. (3) The schemes [9,10,11,13,15,17,19] cannot assure the anonymity of the recipient. In these schemes, the ciphertext includes two parts: a recipient identity list and each recipient's specific data. The recipient identity list is required so that an authorized recipient is able to find the specific data he/she needs to decrypt the ciphertext. Because the recipient identity list is given in plaintext, the ID information of each recipient is exposed, and thus the anonymity of recipients is not assured. This structure has the advantage that, as long as an authorized recipient receives his/her specific data correctly, he/she can decrypt the ciphertext to retrieve the corresponding message even if other recipients' specific data are invalidated during transmission. While this seems to be an advantage at first sight, it also creates a problem regarding decryption fairness: decryption unfairness allows the sender to actively cheat some recipients simply by sending incorrect recipient-specific data. (4) In all the existing schemes, public verification is not considered because the identity of the sender or the recipient must be given in the ciphertext in plaintext form, so there is no requirement for public verification. But in a completely anonymous scheme, public verification is a necessity for recipients so that receiving or operating on unwanted messages is prevented.
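The recipient-hiding idea discussed above (recipient IDs mixed through a Lagrange interpolation polynomial instead of a plaintext identity list, with decryption requiring the entire ciphertext), shown as an added toy example that is not the paper's signcryption algorithm. The field modulus `Q`, all function names, and the per-recipient `secret` standing in for a value only that recipient can derive are assumptions made for illustration.

```python
import hashlib

Q = 2**127 - 1  # prime field modulus, chosen for this toy (assumption)

def h(label, text):
    """Hash a labelled string into Z_Q."""
    return int.from_bytes(hashlib.sha256(f"{label}|{text}".encode()).digest(), "big") % Q

def mul_linear(poly, root):
    """Multiply poly (low-order coefficient first) by (x - root) mod Q."""
    out = [0] * (len(poly) + 1)
    for i, c in enumerate(poly):
        out[i] = (out[i] - root * c) % Q
        out[i + 1] = (out[i + 1] + c) % Q
    return out

def interpolate(points):
    """Coefficients of the Lagrange polynomial through all (x, y) points."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                basis = mul_linear(basis, xj)
                denom = denom * (xi - xj) % Q
        scale = yi * pow(denom, -1, Q) % Q
        for k, c in enumerate(basis):
            coeffs[k] = (coeffs[k] + scale * c) % Q
    return coeffs

def evaluate(coeffs, x):
    """Horner evaluation mod Q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc

def seal(key, recipients):
    """recipients maps ID -> secret; output holds coefficients only, no ID list."""
    return interpolate([(h("id", rid), (key + h("mask", sec)) % Q)
                        for rid, sec in recipients.items()])

def unseal(coeffs, rid, secret):
    """Evaluate at H(ID) and strip the mask; yields the key only if authorized."""
    return (evaluate(coeffs, h("id", rid)) - h("mask", secret)) % Q

if __name__ == "__main__":
    group = {"alice@conf.example": "sa", "bob@conf.example": "sb", "carol@conf.example": "sc"}  # constructed
    ct = seal(424242, group)
    print([unseal(ct, r, s) == 424242 for r, s in group.items()])   # authorized
    print(unseal(ct, "mallory@conf.example", "sm") == 424242)       # outsider
    print(unseal(ct[:-1], "alice@conf.example", "sa") == 424242)    # truncated ciphertext
```

Every coefficient depends on every recipient's point, so a ciphertext with any coefficient missing or altered fails for all recipients alike, in contrast to the identity-list layout where each recipient's data can be invalidated independently.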
To summarize, the ciphertext in our scheme no longer contains the real identity information of any participant, thus our scheme provides anonymity of the sender and the recipients at the same time, and efficiently protects the privacy of all involved participants. Even more important, this scheme possesses fair decryption and public verification properties. Furthermore, our scheme is easy to implement in existing applications. Here, we also take a network conference application as an example. In such a case, a message sender needs only to transform the plaintext message into a ciphertext message using our encryption algorithm and then broadcast it through the broadcast communication channel, while a message recipient simply needs to decrypt the ciphertext using our decryption algorithm. Our scheme requires only extra encryption or decryption operations for each participant and leaves the original implementation untouched, which makes it easy to implement. While our scheme has the advantages mentioned above, it also has some disadvantages, namely in its deployment, which increases implementation costs. For example, establishing and maintaining a PKG is likely to be costly, which may affect routine application of our scheme to some extent.

Conclusions
Due to the nature of broadcasting communications, the anonymity of both the sender and the recipient is of utmost importance in multi-recipient signcryption. However, almost none of the existing multi-recipient signcryption schemes take the anonymity of recipients into account. Although there are several schemes that provide a solution to the anonymity of the signer, they have known limitations. Owing to practical application requirements, completely anonymous multi-recipient signcryption is becoming more and more important. Aiming at the participants' anonymity, a completely anonymous multi-recipient signcryption scheme is proposed in this paper. The new scheme ensures anonymity of all participants, the sender and all recipients. Furthermore, each recipient can easily judge whether the received message is from an authorized source, but he/she cannot determine the true identity of the sender. Each recipient can easily judge whether he/she is an authorized recipient, but he/she cannot determine the identity of any other authorized recipient. At the same time, the validity of the ciphertext can be verified publicly. The confidentiality, unforgeability and anonymity of our scheme are formally proven in the random oracle model. Compared to existing schemes, our scheme is more efficient in computation and ciphertext length, and possesses more merits, which makes our scheme suitable for practical applications. Our scheme is important in group-oriented network applications, such as the network conference, paid-TV or DVD broadcasting. The proposed scheme solves the secure communication problem among authorized participants, while at the same time, it provides complete anonymity for all involved participants.