A Novel Multi-Receiver Signcryption Scheme with Complete Anonymity

Anonymity, which is more and more important to multi-receiver schemes, has been taken into consideration by many researchers recently. To protect the receiver anonymity, in 2010, the first multi-receiver scheme based on the Lagrange interpolating polynomial was proposed. To ensure the sender’s anonymity, the concept of the ring signature was proposed in 2005, but afterwards, this scheme was proven to has some weakness and at the same time, a completely anonymous multi-receiver signcryption scheme is proposed. In this completely anonymous scheme, the sender anonymity is achieved by improving the ring signature, and the receiver anonymity is achieved by also using the Lagrange interpolating polynomial. Unfortunately, the Lagrange interpolation method was proven a failure to protect the anonymity of receivers, because each authorized receiver could judge whether anyone else is authorized or not. Therefore, the completely anonymous multi-receiver signcryption mentioned above can only protect the sender anonymity. In this paper, we propose a new completely anonymous multi-receiver signcryption scheme with a new polynomial technology used to replace the Lagrange interpolating polynomial, which can mix the identity information of receivers to save it as a ciphertext element and prevent the authorized receivers from verifying others. With the receiver anonymity, the proposed scheme also owns the anonymity of the sender at the same time. Meanwhile, the decryption fairness and public verification are also provided.


Research backgroud
In 2000, Bellare et al. [1] firstly proposed the concept of multi-receiver public key encryption. In their scheme, to acquire the ciphertext which each authorized receiver can decrypt with his private key, the sender needed to repeatedly use the public key of each receiver to perform the public key encryption for the same plaintext. Although this scheme meets the requirement of the multi-receiver encryption, it is inadaptable to large-scale broadcast encryption, because its encryption computation complexity and ciphertext length are directly related to the number of the receivers. To overcome this weakness, Kurosawa [2] adopted a "randomness reuse" technique to propose a multi-receiver encryption scheme, in which the computational efficiency was improved. Later, Bellare et al. [3] further improved its performance. But these two schemes only concern how to improve the efficiency of multiple encryptions rather than how to reduce the number of encryptions.
Even so, these early multi-receiver schemes pointed out a new direction in the field of the information security: multi-receiver encryption, in which the sender only needs one encryption operation to send the same message for n receivers, and every authorized receiver can independently use his private key to decrypt the ciphertext, which significantly increases the efficiency comparing the early schemes [1][2][3]. In 2005, by introducing the idea of identity based encryption into the multi-receiver encryption, Baek et al. [4] proposed an efficient multi-receiver ID-based scheme, in which the sender only needed to encrypt the same message once and sent it to n selected receivers. This scheme required a linear ciphertext size in proportion to the number of the selected receivers. In 2006, Chatterjee and Sarkar [5] proposed an efficient multi-receiver ID-based scheme with sublinear ciphertext size. Later on, there appeared many great schemes [6][7][8] contributing to the ID-based multi-receiver encryption.
With the development of encryption, more and more researchers find that receivers need to verify the source of the message in practical applications. There are some signcryption schemes [9][10][11][12] have been proposed to advance the signcryption research. For the multireceiver cryptography, multi-receiver signcryption gradually becomes the research focus. In 2006, the first ID-based multi-receiver signcryption scheme was presented by Duan et al. [13], which introduced the concept of Zheng's signcryption [14] into multi-receiver encryption. In Duan et al.'s scheme, the sender can sign and encrypt the plaintext in only one operation as well as each authorized receiver can independently decrypt the ciphertext and verify the message source. Later on, many excellent multi-receiver signcryption schemes [15][16][17][18][19][20][21] have been proposed by researchers. However, all these early schemes did not care the privacy of participants, because the sender and receiver list, a part of the ciphertext, are required to participate in the de-signcryption process.
Recently, with the maturity of the ID-based multi-receiver signcryption, researchers have paid more attention to the anonymity of participants. Generally speaking, the anonymity includes two parts, the receiver anonymity and the sender anonymity. In 2010, Fan et al. [22] pointed out the importance of the receiver anonymity in ID-based multi-receiver setting and proposed a multi-receiver anonymous encryption scheme to protect anonymity of receivers with the Lagrange interpolation polynomial. In their scheme, the Lagrange interpolation polynomial is used to mix and hide the identities of the receivers to avoid exposing their information, and that seems perfect to protect the receiver anonymity. Then, several multi-receiver signcryption schemes [23][24][25] based on the Lagrange interpolation polynomial were proposed.
For the sender anonymity, in 2009, Lal et al. [26] adopted Huang et al.'s [27] concept of ring signature to present a multi-receiver signcryption scheme with sender anonymity. Later, based on the ring signature, several multi-receiver signcryption schemes [28][29][30] were proposed to protect the anonymity of the sender. However, in 2013, Pang et al. [31] pointed that these schemes whose sender anonymity is based on the ring signature shall suffer from the cross-comparison attack and the joint conspiracy attack. That is to say, the scope of the real sender could be narrowed down gradually with the increase of communication. Even, the identity of real sender could be uniquely determined. In order to solve this problem, Pang et al. improved the ring signature with a randomized method, which uses the public key of the sender multiplied by a random value to hide the identity of the sender. By this means, any receiver can only judge whether the ciphertext is from a reliable sender or not, rather than actually getting the real identity of the sender. Besides, the receiver anonymity with the Lagrange interpolation polynomial was provided in Pang et al.'s scheme [31]. So, it is a completely anonymous multi-receiver signcryption scheme.
Unfortunately, in 2012, Wang et al. [32] and Zhang et al. [33] respectively found that Fan et al.'s scheme fails to protect the receiver anonymity, because any authorized receiver can judge whether the others are authorized or not. This means that the authorized receivers may be attacked by other authorized receivers. Meanwhile, Wang et al. also made an improvement on Fan et al.'s scheme. However, in 2014, Li et al. [34] analyzed Wang et al.'s scheme and found that the Lagrange interpolation polynomial is still used to mix and hide the identities of the receivers, which is not able to really protect the receiver anonymity either. Because of the problem of Lagrange interpolation polynomial construction, any authorized receiver can judge whether other receivers is the authorized or not. Through analyses above, Pang et al.'s [31] completely anonymous multi-receiver signcryption scheme cannot realize the receiver anonymity. Then, it remains an open problem how to design a new multi-receiver signcryption scheme which can achieve the receiver anonymity and the sender anonymity at the same time.

Our contribution
Aiming at the problem discussed above, in this paper, we try to find a new construction method to design a completely anonymous multi-receiver signcryption scheme cannot realize the receiver anonymity and the sender anonymity at the same time. In order to achieve the receiver anonymity, we find a new polynomial that could be used to replace the Lagrange interpolation polynomial. With the new polynomial, we can mix the identity information of receivers to save it as ciphertext element and prevent the authorized receivers from verifying the others. That is to say, attackers not only outside the system but also inside the system can be prevented in our new scheme, which can actually realize the receiver anonymity. To protect the sender anonymity, the randomized method was also used in our scheme. Hence, our scheme simultaneously has the sender anonymity and receiver anonymity, and eliminates the anonymity problem existing in the previous scheme.

Paper organization
The rest of the paper is designed as follows. Preliminaries are given in Section 2, and Section 3 presents our new scheme. Then, we prove the security of the proposed scheme in Section 4. Section 5 gives the efficiency and performance analysis. Finally, Section 6 draws the conclusions.

Preliminaries
In this section, we will briefly review the bilinear pairings, related problems and security assumptions on which our improved scheme is based.

Bilinear pairings
Let G 1 be a cyclic additive group of large prime order q, and G 2 be a cyclic multiplicative group of the same order q. Let P be a generator of G 1 . A bilinear pairing is a map e: G 1 × G 1 ! G 2 and satisfies the following properties: 1. Bilinear: e(aP, bQ) = e(P, Q) ab for all P, Q 2 G 1 and a; b 2 Z Ã q .
3. Computable: For all P, Q 2 G 1 , there exists an efficient algorithm to compute e(P, Q).
A bilinear pairing map which satisfies the above three properties is called an admissible bilinear map.

Problems and security assumptions
Here, we give mathematical hard problems and define the security assumptions on which our scheme is based.
(1) CDH (Computational Diffie-Hellman) problem: Given (P, aP, bP) 2 G 1 for some a; b 2 Z Ã q , to compute abP. Definition 1: The advantage of any PPT algorithm A in solving the Computational Diffie-Hellman (CDH) problem is defined as:
Suppose that there is a polynomial-time attacker named A and an anonymous ID-based multi-receiver signcryption algorithm named P. A plays a game with a Challenger B as follows: Setup: Challenger B performs this algorithm to generate master key s and public parameters params. Then B shall send the params to A but keep s secret. After receiving the parameter, A outputs target multiple identities L Ã ¼ fID Ã 1 ; ID Ã 2 ; Á Á Á ; ID Ã n g. Phase 1: Challenger B shall answer a number of different queries from adversary A in an adaptive manner as follows: Key extract query: Queried about an identity ID that A pretends to be, B shall run the Key extract algorithm to get D = Extract(parems, s, ID).
Anony-signcrypt query: Adversary A runs the Anony-signcrypt algorithm to get the ciphertext C = Anony − signcrypt(parems, M, L, D S ), where M is the target plaintext chosen by adversary A, L = {ID 1 , ID 2 , Á Á Á, ID n } is the set of the receiver identity, ID S is the identity chosen by B and D S is the corresponding private key.
De-signcrypt query: Adversary A shall send B(C, ID j ) where C is the ciphertext produced by adversary A, ID j is the identity chosen by B and ID j 2 L Ã . L Ã ¼ fID Ã 1 ; ID Ã 2 ; Á Á Á ; ID Ã n g is the target multiple identities chosen by A. Then B shall perform the De-signcryption algorithm to get the plaintext M ¼ De À signcryptðC Ã ; params; D Ã i Þ. If M is valid, B returns it to A. Otherwise, returns "failure".
Challenge: Adversary A shall first choose target plaintext pair(M 0 , M 1 ) and pretend a sender ID S . When receiving the target plaintext and the private key D S , the challenger B randomly chooses β 2 {0, 1} and signcrypts the message M β to generate the ciphertext C Ã = Anony − signcrypt(params, M β , L Ã , D S ). Then, the challenger B returns C Ã to A.
A's guessing advantage is defined as follows: The scheme P is said to be (t, ε)-IND-sMIBSC-CCA secure, if for any IND-sMIBSC-CCA attacker A, its guessing advantage is less than ε within polynomial running time t.
Suppose that there is a forger named F and an anonymous ID-based multi-receiver signcryption algorithm named P. F plays a game with a challenger B as follows: Setup: Challenger B performs this algorithm to generate master key s and public parameters params. Then B shall send the params to A but keep s secret. After receiving the parameter, F outputs target multiple identities The forger F may make some queries to the challenger B as phase 1 in Definition 4. Forgery: Forger F shall output a ciphertext C Ã and a set of identities If C Ã can be decrypted correctly by every receiver ID Ã i where i 2 {1, 2, Á Á Á, n} in the set L Ã , then verify the source of the sender, C Ã is valid and F wins the game.
But the forger F cannot perform Key extract query to ID Ã i and C Ã cannot generated by Anony-signcrypt algorithm here.
The scheme P is said to be (t, ε)-SUF-MIBSC-CMA secure, if for any SUF-MIBSC-CMA forger F, its guessing advantage is less than ε within polynomial running time t.
Suppose that there is a polynomial-time attacker named A and an anonymous ID-based multi-receiver signcryption algorithm named P. In order to get the identity of anonymous receivers, A plays a game with a challenger B as follows: Setup: Challenger B performs this algorithm to generate master key s and public parameters params. Then B shall send the params to A but keep s secret. After receiving the parameter, A choses target identities ðID Ã 1 ; ID Ã 2 Þ. Phase 1: Challenger B shall answer the Key extract query and De-signcryption query from adversary A as follows: Key extract query: Queried about an identity ID j that A pretends to be, where ID j 6 ¼ ðID Ã 1 ; ID Ã 2 Þ, B shall run the Extract algorithm to get D j = Extract(parems, s, ID j ).

De-signcrypt query: Adversary
Then B shall perform the De-signcryption algorithm to get the plaintext Challenge: Adversary A shall first choose target plaintext M Ã and the identities fID Ã 3 ; ID Ã 4 ; Á Á Á ; ID Ã n g, where n ! 3. Then B shall execute the signcryption algorithm to generate the ciphertext Phase 2: A shall query challenge B like Phase 1 without querying for C Ã in De-signcrypt query the information of ðID Ã 1 ; ID Ã 2 Þ in the Key extract query. Guess: A guesses β 0 2 {1, 2} and outputs it.
A's guessing advantage is defined as follows: The scheme P is said to be ANON-IND-sMID-CCA secure, if for any ANON-IND-sMID-CCA attacker A, its guessing advantage is less than ε within polynomial running time t.

The proposed scheme
In this section, we will present our scheme, which includes four algorithms: Setup, Key extract, Anony-signcrypt, and De-signcrypt algorithms. Detailed description is as follows:

Setup algorithm
Here, PKG shall execute the following process: 1. PKG chooses a prime order q(q ! 2 l , l is a long integer), and then chooses G 1 (an additive group) and G 2 (a multiplicative group) with the same order q. Then it randomly picks a generator P of G 1 , and constructs a bilinear mapping e: G 1 × G 1 ! G 2 . PKG keeps the master key s secret, which is picked up from Z Ã q . Select some integer w. Set P pub = sP 2 G 1 as the system public key. The symmetric encryption and decryption are denoted as E k () and D k () where k is the key.

Key extract algorithm
PKG shall execute this algorithm to generate ID i 's private key with s, params and an identity ID i 2 {0, 1} Ã . Then, PKG shall also return ID i 's private key. That means ID i has registered himself at PKG:

Anony-signcrypt algorithm
This algorithm is executed by the sender. Obtaining his private key D S and params, the sender ID S shall choose n receivers with identities ID 1 , ID 2 , Á Á Á, ID n and encrypt the plaintext M to generate the ciphertext C: 1. The sender firstly pick up two random integers g; a 2 Z Ã q and a bit string δ 2 {0, 1} w , and then compute Y = rQ S , U = rP, X = αY and J = rP pub , where Q S is the public key of ID S .

The sender computes
3. The sender chooses a random p 2 Z Ã q and constructs a polynomial f(x) with degree n as follows: 5. Generate the ciphertext: C = hY, U, Z, V, W, a 0 , a 1 , Á Á Á, a n−1 i.

De-signcrypt algorithm
This algorithm is executed by the receiver. With params, C = hY, U, Z, V, W, a 0 , a 1 , Á Á Á, a n−1 i, the receiver's identity ID i and his private key D i as input, the receiver ID i has the ability to decrypt C as follows: 1. Compute h = H 5 (X, U, Z, V, a 0 , a 1 , Á Á Á, a n−1 ).

Public verification:
The one who has not registered shall execute this step. The participant who has registered shall jump to the judgment algorithm without the verification. If the equation e(W, P) = e(X + hY, P pub ) holds, that is to say, the ciphertext is valid. Otherwise, the ciphertext has been damaged or it is invalid.
3. Judgment: The registered participants shall execute this step before the decryption process. If the equation e(W, Q i ) = e(X + hY, D i ) holds, ID i is one of the receivers chosen by the sender and the ciphertext is valid. Otherwise, the receiver shall quit the decryption process.
Every receiver who gets the ciphertext can verify the validity of the message by the public verification or judge if he is authorized by the judgment algorithm. Then, if necessary, he can decrypt the ciphertext.

Correctness analysis
Here, we show the correctness of the proposed scheme by stating Theorems 1-3.

Theorem 3:
The decryption of the proposed scheme is correct. Proof: The decryption of the proposed scheme is correct because of the following:

Security analysis
Here, we shall prove that the proposed multi-receiver signcryption scheme is secure against the IND-sMIBSC-CCA, SUF-MIBSC-CMA and ANON-IND-sMID-CCA attacks defined in Section 2.3, which respectively shows the confidentiality, unforgeability, and anonymity.
Theorem 4: If an IND-sMIBSC-CCA attacker A has a non-negligible advantage ε to win the game defined in Definition 4 within running time t, then the DBDH problem can be solved by the challenger B in running time t 0 t with a non-negligible advantage ε 0 ! ε − nq d /2 k , where attacker A asks q e queries to the Key extract query, q s queries to the Anony-signcrypt query, and q d queries to the De-signcrypt query.
q at random and puts the tuple hX j , U j , Z j , V j , a j 0 , a j 1 , Á Á Á, a j n−1 , h j i into the list L 5 . Then, B returns h j .
Key extract query: A chooses an identity ID j 6 ¼ ID Ã i where i 2 {1, 2} and sends it to challenger B, then B scans the list L 1 to find if there is the tuple (ID j , l j , Q j ) in L 1 . If it was, B shall calculate D j = l j P pub (= l j bP = bQ j ). Otherwise, the challenger B selects a l j 2 Z Ã q at random, and calculates Q j = l j P as well as Dj = l j P pub . At the same time, the challenger B puts a tuple (ID j , l j , Q j ) into the list L 1 . Finally, B sends D j back to the attacker A.

Compute
is the public key of the receiver.
3. Choose p 2 Z Ã q at random and structure a polynomial f(x) with degree n as follows: 4. Compute V = δ L H 3 (p), Z = E H 4 (δ) (M) and h = H 5 (X, U, Z, V, a 0 , a 1 , Á Á Á, a n−1 ), and then compute W = (α + h)l S P pub . 5. Generate the ciphertext: C = hY, U, X, Z, V, W, a 0 , a 1 , Á Á Á, a n−1 i. De-signcrypt query: The attacker A queries B and send BðC j ; ID Ã i Þ where i 2 {1, 2} and C j = hY j , U j , X j , Z j , V j , W j , a j 0 , a j 1 , Á Á Á, a j n−1 i When receiving the decryption query, B executes the following steps: 1. Check the list L 5 to find the tuple hX j , U j , Z j , V j , a j 0 , a j 1 , Á Á Á, a j n−1 . If it was found, B can get (Z j , V j ) from L 5 . Otherwise, B returns "failure".
3. Searching the tuple (ID j , l j , Q j ) in the list L 1 .
b. Examine whether (P, Q i , P pub , U j , X j ) uses the DBDH oracle by verifying the equation e (P, P) l j bγ = X j .
c. If the step above is true, calculate

Test whether the equation e(W j , P)
. If it holds, then return M j to A.
6. Otherwise, B sends "failure" to A, which means that there is not a valid ciphertext generated following the proposed scheme.
Challenge: A outputs a target plaintext pair (M 0 , M 1 ) and a private key D S . Upon receiving (M 0 , M 1 ) and D S , the challenger B randomly chooses β 2 {0, 1} and signcrypts the message M β . B finally creates a target ciphertext C Ã = hY, U, X, Z, V, a 0 , a 1 , Á Á Á, a n−1 i, where Y = γl S P, U = γP, X = αY, Z = E H 4 (δ) (M), V = δ L H 3 (p) and W = (α + h)l S P pub , then returns C Ã to A. Phase 2: A shall query challenge B like Phase 1. Note that A cannot query the information of ðID Ã 1 ; ID Ã 2 ; Á Á Á ; ID Ã n Þ in the Key extract query and C Ã in De-signcrypt query. Guess: The attacker A gives its guess β 0 2 {0, 1}. If β 0 = β, B wins the game because the equation C = e(P pub , P 1 ) α = e(P, P) abc holds. Otherwise, B outputs "failure".
According the above discussion, we can get the advantage of B as following equation. For q d times De-signcrypt query, the probability for B to reject the valid plaintext is less than nq d /2 k . So, if A wins the game, B's advantage is ε 0 ¼ jPr½AðaP; bP; cP; wÞ ¼ 1 À Pr½AðaP; bP; cP; eðP; PÞ abc Þ ¼ 1j Theorem 5: If a SUF-sMIBSC-CMA forger F has a non-negligible advantage ε to win the game defined in Definition 5 within time t, then the challenger B can solve the CDH problem with an advantage ε 0 ! ε − q s /2 k in running time t 0 t, where the forger F can ask at most q e Key extract queries, q s Anony-signcrypt queries and q d De-signcrypt queries. (q H 1 , q H 2 , q H 3 , q H 4 , q H 5 ) denote the number of queries to the hash functions H 1 , H 2 , H 3 , H 4 , H 5 , respectively.
Proof: An instance (P, aP, bP) of the CDH problem is given to simulate the game defined in Definition 5, and F denotes the forger, B denotes challenger. Suppose that F has a non-negligible advantage ε to break the SUF-sMIBSC-CMA model, and B solves the instance of CDH problem by interacting with F. There are five oracles H 1 , H 2 , H 3 , H 4 and H 5 to simulate the system for B. F can queries PPT times to the oracles. B executes and answers each phase of this game as follows: Setup: The challenger B sets P pub = bP and sends hG 1 , G 2 , q, e, P, P pub , H 1 , H 2 , H 3 , H 4 , H 5 , E k , D k i to F as the public parameters. When receiving the parameter, F outputs target multiple identities ðID Ã 1 ; ID Ã 2 ; Á Á Á ; ID Ã n Þ. Attack: F does several queries to B. These queries are the same as those in Phase 1 of Theorem 4.
Here, we consider the advantage of F's success. For q s queries to the Anony-signcrypt queries, the probability for B to answer a failure Anony-signcrypt query is less than q s /2 k . So, if the forger F wins the game, B's advantage is ε 0 ! ε − q s /2 k . Theorem 6: If an ANON-IND-sMID-CCA attacker A has a non-negligible advantage ε to win the game defined in Definition 6 within running time t, then the Gap-BDH problem can be solved by the challenger B with a non-negligible advantage  1. If ID j 6 ¼ ID Ã i ; i 2 f1; 2; Á Á Á ; ng, calculate Q j = l j P; otherwise, calculate Q j = l j Q, where l j is an integer.
2. Put it into H 1 -list when no (ID j , l j , Q j ) exists in H 1 -list.

B returns Q j .
H 2 -query: The challenger B examines if (P, Q i , P pub , cP, X j ) uses the DBDH oracle for i 2 [1, q H 2 ] when he is queried with X j 2 G 2 for some j = [1, q H 2 ]. If it exists, B shall terminate the game for e(P, P) abc equals ðX j Þ l À 1 i . Otherwise, B picks a value x j 2 Z Ã q at random and puts a tuple (X j , x j ) into the list L 2 . Then, the challenger B returns x j to the adversary A. H 3 -query: As an integer p j is sent to the H 3 oracle where j 2 [1, q H 3 ], B shall pick a string w j 2 {0, 1} w at random and puts the tuple (p j , w j ) into the list L 3 . Then, the string w j is returned to A by the challenger B.
H 4 -query: When querying for the string δ j 2 {0, 1} w where j 2 [1, q H 4 ], B shall pick a string z j 2 {0, 1} |M| at random and puts the tuple (δ j , z j ) into the list L 4 . Then, the challenger B returns the bit string z j to the attacker A.
H 5 -query: Receiving the tuple hX j , U j , Z j , V j , a j 0 , a j 1 , Á Á Á, a j n−1 i where j 2 [1, q H 5 ], B picks a value h j 2 Z Ã q at random and puts the tuple hX j , U j , Z j , V j , a j 0 , a j 1 , Á Á Á, a j n−1 , h j i into the list L 5 . Then, B returns h j .

Phase 1:
Challenger B shall answer the Key extract query and De-signcrypt query from attacker A as follows: Key extract query: A chooses an identity ID j 6 ¼ ID Ã i where i 2 {1, 2} and sends it to challenger B, then B scans the list L 1 to find if there is the tuple (ID j , l j , Q j ) in L 1 . If it was, B shall calculate D j = l j P pub (= l j bP = bQ j ). Otherwise, the challenger B selects a l j 2 Z Ã q at random, and calculates Q j = l j P as well as D j = l j P pub . At the same time, the challenger B puts a tuple (ID j , l j , Q j ) into the list L 1 . Finally, B sends D j back to the attacker A.
De-signcrypt query: The attacker A queries B and send BðC j ; ID Ã i Þ where i 2 {1, 2, Á Á Á, n} and C j = hY j , U j , X j , Z j , V j , W j , a j 0 , a j 1 , Á Á Á, a j n−1 i When receiving the decryption query, B executes the following steps: 1. Check the list L 5 to find the tuple hX j , U j , Z j , V j , a j 0 , a j 1 , Á Á Á, a j n−1 i. If it was found, B can get (Z j , V j ) from L 5 . Otherwise, B returns "failure".
3. Searching the tuple (ID j , l j , Q j ) in the list L 1 .
b. Examine whether (P, Q i , P pub , U j , X j ) uses the DBDH oracle by verifying the equation e (P, P) l j bγ = X j .
c. If the step above is true, calculate 5. Test whether the equation e(W j , P) = e(X j + h j Y j , P pub ) or the equation e(W j , Q i ) = e(X j + h j Y j , D i ) holds where h j = H 5 (X j , U j , Z j , V j , a j 0 , a j 1 , Á Á Á, a j n−1 ). If it holds, then return M j to A.
6. Otherwise, B sends "failure" to A, which means that there is not a valid ciphertext generated following the proposed scheme.
Challenge: A sends the plaintext M to B. Then B executes the following steps: 1. Select δ 2 {0, 1} w at random.
4. Choose p 2 Z Ã q at random and structure a polynomial f(x) as follows: 5. B returns the ciphertext C Ã to A.
Phase2: A shall query challenge B like Phase 1 without querying the information of S in the Key extract query and C Ã in De-signcrypt query.

Guess:
The attacker A gives its guess β 0 2 {1, 2, Á Á Á, n}. At the same time, the challenger B picks a tuple (X j , x j ) at random from the list L 2 where j 2 β 0 , and chooses the tuple (ID j , l j , Q j ) from the list L 1 . Finally, B outputs ðX j Þ l À 1 2 as the solution to the given instance of the Gap-BDH problem.
Here, we shall discuss the advantage of challenger B. For answering the De-signcrypt query, the challenger B shall check hX j , U j , Z j , V j , a j 0 , a j 1 , Á Á Á, a j n−1 i in L 5 , and send back "failure" if it is not found. That is to say, the right value of H 5 hash function can be guessed by the attacker A. In this case, B may fail at the most probability of q d /q with q d queries to the De-signcrypt oracle. In phase Guess, the challenger B shall output the right answer e(P, P) abc at the least probability of 2/nq H 2 , where q H 2 is the time of the H 2 hash oracle query, and n is the number of multiple identities. Hence, the Gap-BDH problem can be solved with a non-negligible advantage ε 0 ! (ε − q d /2 l )/nq H 2 , where ε is the non-negligible advantage of attacker A. And the required computation time is , for answering queries in the simulation game above.

Functional comparison and efficiency analysis
In this section, we will evaluate the functional and efficiency comparison of our scheme with the existing schemes.

Functional comparison
In terms of the funcation, we compare our scheme with some existing schemes in the sender anonymity, receiver anonymity, decryption fairness and public verification, respectively. The comparison is shown in Table 1.
As is shown in Table 1, the schemes [15,17,20] cannot protect the sender anonymity. Though the schemes [26][27][28][29] can ensure the sender anonymity to some degree, they could suffer from the cross-comparison attack and the joint conspiracy attack for the use of ring signature. Table 1 shows that the schemes [15,17,20,[26][27][28][29]31] cannot reach the receiver anonymity. For the schemes [15,17,20,[26][27][28][29], the receivers' identities are stored in the ciphertext in the form of plaintext, which can lead to the leakage of receivers' privacy. The scheme [31] also cannot realize the receiver anonymity for the use of the Lagrange interpolation polynomial, each authorized receiver can judge whether anyone else is authorized or not. Meanwhile, the schemes [15,17,20,[26][27][28][29] cannot realize the fair decryption and public verification properties.
As Table 1 shows, our proposed scheme owns these four functions of the sender anonymity, receiver anonymity, decryption fairness, and public verification. The randomized method were used in our scheme, which uses the public key of the sender multiplied by a random value to hide the identity of the sender and avoid the cross-comparison attack and the joint conspiracy attack. In terms of the weakness of the receiver anonymity existed in Lagrange interpolation polynomial, we adopt the new polynomial method which can solve the problem that the authorized receiver can judge the identity of other receivers. So, our scheme simultaneously owns the sender anonymity and the receiver anonymity, which achieves the complete anonymity. In addition, the decryption fairness and public verification properties are also guaranteed in our scheme.

Efficiency analysis
For the efficiency, we compare our scheme with several existing schemes in terms of computation complexity and ciphertext length from two aspects: signcryption and de-signcryption. The comparison is shown in Tables 2 and 3 respectively, where E stands for bilinear pairing operation, A stands for the addition operation in G 1 , Mu stands for the scalar multiplication in G 1 , Ex stands for the exponentiation in G 2 , H stands for hash operation in the encryption step, S stands for symmetric encryption and Param stands for the number of parameters in the ciphertext. In our scheme, the operation of the polynomial can be pre-processed, so these operations are excluded when considering computational complexity.
As is shown in Table 2, we can see that our proposed scheme used one bilinear pairing operation E. Though the bilinear pairing operation has high cost, our scheme controls it within acceptable limits by comparing with others. In terms of hash operation, because of lower cost than other operation, it is within acceptable limits. Encryption algorithm S is used in our scheme, which can be chosen according to practical applications. So, it is easy to reasonably control its communication cost. Meanwhile, our scheme has obvious improvement in operation A, scalar multiplication, exponentiation and ciphertext operation. It can be seen that our scheme has better efficiency in signcryption. On the other hand, in the de-signcryption process, there are generally three algorithms affecting the efficiency: public verification, judgment, and decryption. We will compare the proposed scheme with the existing schemes about these three algorithms, respectively.
As shown in Table 3, our scheme and sheme [31] have obviously higer efficiency in public verification and authorization judgement comparing with the other schemes [15,17,20,[26][27][28][29], where N/A indicates that the scheme only considered the single receiver environment, which is tansfered via unicast channel. In this case, it is unnecessary to judge whether the receiver is authorized or not. Meanwhile, our scheme has higher efficiency than others in decryption.
From the above analysis, though our scheme has unobvious improvement on the efficiency in general, it owns the complete anonymity containing the sender and receiver anonymity, which is an excellent contribution we think. In our scheme, any receiver can only judge whether the ciphertext is from a reliable sender or not, rather than actually getting the real identity of the sender. Attackers not only outside the system but also inside the system can be prevented in our new scheme.
Besides the above theoretical analysis on efficiency, we shall also give some experiment results to compare our scheme with the existing ones more intuitively. Like the work [35][36][37], we shall also pay attention to those time-consuming operations and overlook the other ones that do not consume much time. We define the following notations in Table 4, and borrow the experiment testing results from [35][36][37].
Then, with the results in Table 4, the efficiency comparison of our scheme with the existing ones can be shown by Tables 5 and 6. Tables 5 and 6 also show the relative high efficiency of our scheme when compared with the exiting schemes with the same functions.

Conclusion
A novel multi-receiver signcryption scheme with complete anonymity is proposed in this paper. By using a new polynomial technology, our scheme actually achieves the receiver anonymity. Attackers not only outside the system but also inside the system can be prevented in our new scheme. Meanwhile, in the process of signcryption, the sender used the randomized method to hide its public key, which ensures the sender anonymity. So, our scheme simultaneously owns the sender anonymity and the receiver anonymity, which achieves the complete anonymity. In addition, the decryption fairness and public verification properties are guaranteed in our scheme. This new scheme can be applied better to secure broadcast, network meeting, paying-TV and data sharing on the cloud.

Author Contributions
Conceptualization: LP HL.