Hindawi Mathematical Problems in Engineering Volume 2018, Article ID 1486437, 13 pages https://doi.org/10.1155/2018/1486437
Research Article Efficient Certificateless Anonymous Multi-Receiver Encryption Scheme without Bilinear Parings Ronghai Gao ,1 Jiwen Zeng ,1 and Lunzhi Deng 1
2
School of Mathematical Sciences, Xiamen University, Xiamen 361005, China School of Mathematical Sciences, Guizhou Normal University, Guiyang 550001, China
2
Correspondence should be addressed to Ronghai Gao;
[email protected]

Received 9 May 2018; Accepted 11 July 2018; Published 24 July 2018

Academic Editor: Giuseppe D'Aniello

Copyright © 2018 Ronghai Gao et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

With the growing development of Internet technology and the popularization of mobile devices, we can easily access the Internet anytime and anywhere. This has brought great convenience to our lives, but it also brings more challenges than traditional wired communication, such as confidentiality and privacy. In order to improve security and privacy protection in mobile networks, numerous multi-receiver identity-based encryption schemes have been proposed using bilinear pairing and a probabilistic hash-to-point (HTP) function. To address the private key escrow problem of multi-receiver encryption schemes based on ID-PKC, some certificateless anonymous multi-receiver encryption (CLAMRE) schemes have recently been introduced. However, previous CLAMRE schemes are not suitable for mobile devices, because the use of bilinear pairing and the probabilistic hash-to-point (HTP) function results in expensive operation costs in encryption or decryption. In this paper, we propose an efficient CLAMRE scheme using elliptic curve cryptography (ECC) without bilinear pairing and HTP hash function. Since our scheme does not use bilinear pairing and HTP operations during the encryption and decryption process, the proposed CLAMRE scheme has much less computation cost than the latest CLAMRE schemes. Performance analysis shows that the runtime of our scheme is much less when the sender generates the ciphertext, compared with existing schemes. Security analysis shows that the proposed CLAMRE scheme provides confidentiality of the message and receiver anonymity under the random oracle model with the difficulty of the decision Diffie-Hellman problem and against the adversaries defined in the CL-PKC system.
1. Introduction

With the rapid development of Internet technology and wireless communications and the popularity of mobile devices, we can access the Internet freely anytime and anywhere using mobile devices. Internet services bring great convenience to our lives, but we have to face the security problems caused by the openness of the wireless network. How to protect the security and privacy of wireless communications on mobile devices has been extensively considered by scholars. To achieve this goal, many encryption schemes (Fu Z et al. [1, 2]; Xia Z et al. [3]; Huang X et al. [4]), authentication schemes (Guo P et al. [5]; Shen J et al. [6]; Huang X et al. [4, 7]), and signature schemes (Ren Y et al. [8]; Wang J et al. [9]; Lee C C et al. [10]) have been proposed in recent years.

The multi-receiver encryption (MRE) or broadcast encryption (BEN) scheme is an important cryptographic primitive, in which a sender produces an identical ciphertext $CT$ by enciphering message $M$ and then sends $CT$ to a group $S$ of selected receivers. Anyone in the group $S$ can decrypt the received ciphertext using his/her private key, and any user outside the privileged set $S$ should not be able to recover the message. The application of multi-receiver confidential communication is very extensive, for example pay TV, video on demand, software protection, distribution of copyrighted material, and online gaming. When encrypted information is transmitted over a public channel, the confidentiality of the information and the anonymity of the receiver are greatly challenged. Confidentiality means that only an authorized receiver can correctly decrypt ciphertext $CT$ and recover message $M$. Identity protection, on the other hand, means that no receiver of the group can identify the other receivers. An MRE scheme is suitable for protecting the users' security and privacy. Therefore, it is necessary to consider how to design efficient and secure broadcast encryption and multi-receiver encryption schemes.

In order to meet the security requirements of practical applications, many MRE schemes (Kurosawa K [11]; Bellare M et al. [12]; Dodis Y et al. [13]; Kurosawa K [14]; Bellare M [15]) were proposed using the public key infrastructure (PKI). In the multi-receiver encryption schemes [11–15], the management, distribution, and revocation of public key certificates require huge storage space and high computing cost. To solve this problem, Baek et al. [16] constructed an efficient multi-receiver identity-based encryption (ID-based MRE) scheme in which only one bilinear pairing is required to encrypt a single message for $n$ receivers. In 2006, Chatterjee S et al. [17] proposed a multi-receiver identity-based key encapsulation mechanism with security in the full model and sublinear size ciphertext. In this scheme, a controllable trade-off is achieved between the ciphertext size and the private key size. However, Park et al. gave a way to attack the scheme of Chatterjee S [17] and proved that it is not secure. In 2006, another IBBE scheme was designed by Yang et al. [18] using elliptic curve bilinear pairing. However, they did not consider the joining and departure of receivers in the design process, so the scheme was not suitable for a dynamic set. In the schemes [16–18], the application scenario is a single-domain environment; that is, the $n$ receivers come from the same management domain. In realistic applications, however, the $n$ receivers will usually come from different management domains, and they need one bilinear pairing computation for one message, so these schemes become inefficient. In 2014, Wang H et al. [19] proposed an efficient multiple-domain multi-receiver identity-based encryption scheme that requires only one pairing computation to encrypt a single message for $n$ receivers from different administrative domains.

However, the above ID-based MRE schemes [16–19] do not consider receiver anonymity. To preserve the privacy of receivers, in 2010, Fan et al. [20] presented a new ID-based MRE scheme and claimed that it can protect receiver anonymity; the scheme is highly efficient for each receiver as it requires only two pairing operations. In 2012, Chien [21] found that the scheme of Fan et al. [20] failed to protect receiver anonymity and proposed an improved scheme that was claimed to enhance security and protect the anonymity of recipients. Unfortunately, Wang [22] pointed out that Chien's scheme does not satisfy the indistinguishability of encryption under selective multi-identity, chosen ciphertext attacks. In 2015, Zhang [23] proposed the most efficient anonymous MRIBE scheme in terms of computational cost and communication overhead, compared with the schemes of [20–22].

Although the above ID-based MRE schemes have many advantages, all of them face the problem of private key escrow: the key generator center (KGC) calculates the private key of every user from the user identity and the master private key of the KGC, so the KGC retains all users' private keys, and a user's privacy is easily leaked if the KGC is not fully trusted. In order to address this security weakness, in 2003, Al-Riyami et al. [24] introduced the concept of certificateless cryptography (CLC). In CLC, the user's private key contains two parts: the KGC generates a partial private key and the user generates a secret value. Based on Al-Riyami et al.'s work, many certificateless signature (encryption) schemes [25–29] have been proposed. In the existing research literature, the certificateless multi-receiver encryption (CLMRE) scheme has not received much attention. Islam et al. [27] presented the concept of certificateless anonymous multi-receiver encryption (CLAMRE) and proposed the first CLAMRE scheme using elliptic curve cryptography (ECC). Hung et al. [28] pointed out that the scheme of [27] is inefficient and not suitable for mobile devices, because the cost of the encryption calculation is the square of the number of recipients, and proposed a new CLAMRE scheme using bilinear pairing. However, Hung et al.'s CLAMRE scheme is still not suitable for mobile devices because it uses bilinear pairing: in encryption, the number of bilinear pairing operations the sender must perform grows linearly with the number of receivers.

Our Contribution. In this paper, we propose an efficient CLAMRE scheme using elliptic curve cryptography (ECC) without bilinear pairing and HTP hash function. Since our scheme does not use bilinear pairing and HTP operations during the encryption process, the proposed CLAMRE scheme has much less computation cost than the latest CLAMRE schemes; the runtime of our scheme is much less in both encryption and decryption, compared with the existing schemes [28, 29]. Our scheme provides confidentiality of the message and anonymity of the receiver under the random oracle model with the difficulty of the computational Diffie-Hellman problem and against the adversaries defined in the CL-PKC system.

Organization. The rest of the paper is organized as follows. Mathematical preliminaries are introduced in Section 2. The formal definition of our CLAMRE scheme is presented in Section 3. Our CLAMRE scheme is proposed in Section 4. In Section 5, we give some security analysis of our CLAMRE scheme. Some performance analysis of our CLAMRE scheme is given in Section 6. At last, some conclusions of the paper are presented.
2. Mathematical Preliminaries

Here, we introduce the basic theory of elliptic curves and some related intractable problems.

2.1. Elliptic Curve. Suppose that $F_p$ is a finite field determined by a prime number $p$. The elliptic curve $E(F_p)$ over $F_p$ is the set of solutions $(x, y) \in F_p \times F_p$ to the congruence $y^2 \equiv x^3 + ax + b \pmod{p}$, where $a, b \in F_p$ are constants such that $4a^3 + 27b^2 \neq 0 \pmod{p}$, together with a special point $O$ called the point at infinity or zero point.

The addition operation "+" on $E$ is defined as follows (where all arithmetic operations are performed in $F_p$). The point at infinity, $O$, is the identity element, so $P + O = O + P = P$ for arbitrary $P \in E$. Suppose $P, Q \in E$. If $P \neq Q$ and the reflection of the point $P$ with respect to the $x$-axis is not the point $Q$, let $l$ be the line through $P$ and $Q$; otherwise, if $P = Q$, we define $l$ to be the tangent line through the point $P$. We denote by $R'$ the third point in which $l$ intersects $E$; if we reflect $R'$ in the $x$-axis, we get a point which we call $R$. We define $P + Q = R$. If the reflection of the point $P$ with respect to the $x$-axis is the point $Q$, let $Q = -P$; we define $P + Q = P + (-P) = P - P = O$. The scalar point multiplication on the elliptic curve $E$ is defined as $tP = P + P + \cdots + P$ ($t$ times). A point $P$ has order $n$ if $n$ is the smallest positive integer such that $nP = O$. So $(E, +)$ is an abelian group.

2.2. Computational Problems and Some Assumptions. Here, we introduce the definitions of the negligible function, the decision Diffie-Hellman problem, and the discrete logarithm (DL) problem, and give the corresponding assumptions.

Negligible Function. We call a function $\epsilon(k)$ negligible if, for every $c > 0$, there exists $k_0$ such that $\epsilon(k) \leq 1/k^c$ for every $k \geq k_0$.

Discrete Logarithm (DL) Problem. Given a random instance $(P, xP)$, where $P \in E$ and $x \in Z_q^*$, computation of $x$ is computationally hard for a polynomial time-bounded algorithm. The probability that a polynomial time-bounded algorithm $\mathcal{A}$ can solve the DL problem is defined as $Adv^{DL}_{\mathcal{A}}(k) = \Pr[\mathcal{A}(P, xP) = x : P \in E; x \in Z_q]$.

Discrete Logarithm (DL) Assumption. For any probabilistic polynomial time-bounded algorithm $\mathcal{A}$, $Adv^{DL}_{\mathcal{A}}(k)$ is negligible if $Adv^{DL}_{\mathcal{A}}(k) \leq \epsilon$, for a negligible function $\epsilon$.

Decision Diffie-Hellman (DDH) Problem. Suppose that $P$ is a point with order $q$ on $E$, and $A = aP$, $B = bP$, $Z$ are random points on $\langle P \rangle$, where $a, b \in Z_q^*$. Determining whether $Z = abP$ holds is hard for a polynomial time-bounded algorithm. The probability that a polynomial time-bounded algorithm $\mathcal{A}$ can solve the DDH problem is defined as $Adv^{DDH}_{\mathcal{A}}(k) = |\Pr[\mathcal{A}(P, aP, bP, Z) \mid Z = abP] - 1/2|$.

Decision Diffie-Hellman Assumption. For any probabilistic polynomial time-bounded algorithm $\mathcal{A}$, $Adv^{DDH}_{\mathcal{A}}(k)$ is negligible if $Adv^{DDH}_{\mathcal{A}}(k) \leq \epsilon$, for a negligible function $\epsilon$.
3. Formal Definition of the CLAMRE Scheme

The CLAMRE scheme includes three categories of participants: the sender of information, the private key generation center, and the group of selected receivers. We denote by $S = \{\mathcal{R}_1, \mathcal{R}_2, \cdots, \mathcal{R}_n\}$ the group of $n$ receivers selected by the sender; $ID = \{ID_1, ID_2, \cdots, ID_n\}$ are their identities, $PK = \{pk_1, pk_2, \cdots, pk_n\}$ are their public keys, and $sk_1, sk_2, \cdots, sk_n$ are their full private keys. In a CLAMRE scheme, the sender generates ciphertext $CT$ for message $M$ using the public keys $\{pk_1, pk_2, \cdots, pk_n\}$ and identities $\{ID_1, ID_2, \cdots, ID_n\}$ of the receivers $\{\mathcal{R}_1, \mathcal{R}_2, \cdots, \mathcal{R}_n\}$. Ciphertext $CT$ is conveyed to the receivers through the public channel. Every receiver $\mathcal{R}_i$ in group $S$ can correctly decrypt ciphertext $CT$ by using private key $sk_i$ for $i \in \{1, 2, \cdots, n\}$, and any two receivers $\mathcal{R}_i, \mathcal{R}_j$ ($i \neq j$) in the selected receiver group $S$ do not disclose their identities to each other. Figure 1 illustrates the process of a CLAMRE scheme.

Figure 1: Process of a CLAMRE scheme. (The sender applies multi-encryption to the plaintext using $PK = \{pk_1, \ldots, pk_n\}$ and $ID = \{ID_1, \ldots, ID_n\}$; the ciphertext is delivered to Receiver 1, Receiver 2, ..., Receiver n-1, Receiver n.)

In the following, we give the definition of the CLAMRE scheme. In general, a certificateless anonymous multi-receiver encryption scheme consists of a tuple of algorithms (Setup, Partial-Private-Key-Extract, Set-Secret-Value, Set-Private-Key, Set-Public-Key, Multi-Encryption, Multi-Decryption).

(i) Setup: taking a security parameter $k$ as input, the semitrusted private key generation center (KGC) executes this algorithm to generate the system's public parameters $\Omega$ and the KGC's master public/private key pair $(mpk, msk)$. $\Omega$ and $mpk$ are published, and the master private key $msk$ is kept by the KGC.

(ii) Partial-Private-Key-Extract: this algorithm is executed by the KGC. According to the identity $ID_i$ of receiver $\mathcal{R}_i$, the KGC computes the corresponding partial private key $s_{ID_i}$ using the master private key and delivers it to receiver $\mathcal{R}_i$ via a secure channel.

(iii) Set-Secret-Value: this algorithm is executed by the receiver with identity $ID_i$ himself/herself to generate his/her secret value $t_i$.

(iv) Set-Private-Key: this algorithm is executed by receiver $\mathcal{R}_i$ with identity $ID_i$. It takes $(\Omega, s_{ID_i}, t_i)$ as input and returns the full private key $sk_i$ to $\mathcal{R}_i$ as output.

(v) Set-Public-Key: this algorithm is executed by receiver $\mathcal{R}_i$ himself/herself to generate his/her public key $pk_i$ according to his/her secret value $t_i$.

(vi) Multi-Encryption: this is a PPT algorithm. The sender executes this algorithm to generate a ciphertext for message $M$ using the identities and full public keys of the selected receivers.

(vii) Multi-Decryption: a selected receiver runs this algorithm to decrypt the received ciphertext using the receiver's full private key.
4. Description of the Proposed CLAMRE Scheme

In this section, we introduce our certificateless anonymous multi-receiver encryption (CLAMRE) scheme using elliptic curve cryptography (ECC) without bilinear pairings. The proposed scheme has three kinds of participants: a sender $\mathcal{S}$, a set $S$ consisting of $n$ selected receivers $\mathcal{R}_1, \mathcal{R}_2, \cdots, \mathcal{R}_n$, and a KGC. The sender generates ciphertext $CT$ by encrypting message $M$ only for the selected receivers $\mathcal{R}_1, \mathcal{R}_2, \cdots, \mathcal{R}_n$; then the sender delivers the ciphertext $CT$ to the receivers. Every receiver $\mathcal{R}_i$ in $S$ can correctly decrypt the received ciphertext $CT$ by using his/her full private key $sk_i$ for $i \in \{1, 2, \cdots, n\}$, and any two receivers $\mathcal{R}_i, \mathcal{R}_j$ ($i \neq j$) in the selected receiver set $S$ do not disclose their identities to each other. The KGC generates the system's parameters and the identity-based partial private keys of all the receivers $\mathcal{R}_i$ for $i \in \{1, 2, \cdots, n\}$. The proposed scheme includes the following seven algorithms (Setup, Partial-Private-Key-Extract, Set-Secret-Value, Set-Private-Key, Set-Public-Key, Multi-Encryption, Multi-Decryption).

(i) Setup: With the given security parameter $k$, this algorithm is executed by the KGC to generate the system's parameters. The KGC performs the following steps.
(1) Choose two $k$-bit prime integers $p, q$, two $k$-bit integers $l_1, l_2$, and an elliptic curve $E$ defined on $F_p$. Let $G$ be the additive group on the elliptic curve $E$, and let $G_q$ be the subgroup of $G$ with prime order $q$.
(2) Select randomly a generator $P \in G_q$.
(3) Randomly choose $x \in_R Z_q^*$ as the master key and compute $P_{pub} = x \cdot P$.
(4) Select four secure one-way hash functions $H_i : \{0, 1\}^* \rightarrow Z_q^*$ ($i = 1, 2, 3$); $H_4 : \{0, 1\}^* \rightarrow \{0, 1\}^{l_1 + l_2}$.
(5) Publish the system's parameters $\Omega = \{p, q, l_1, l_2, E, G, G_q, P, P_{pub}, H_1, H_2, H_3, H_4\}$ and the message space $\mathcal{M} = \{0, 1\}^{l_1}$.

(ii) Set-Secret-Value: A receiver $\mathcal{R}_i$ with $ID_i$ randomly selects $t_i \in Z_q^*$ as his or her secret value and computes $PK_{ID_i} = t_i \cdot P$ as the corresponding public key, and $\mathcal{R}_i$ sends $(PK_{ID_i}, ID_i)$ to the KGC.

(iii) Partial-Private-Key-Extract: According to the identity $ID_i$ of receiver $\mathcal{R}_i$, the KGC performs the following steps:
(1) Randomly choose $r_i \in_R Z_q^*$ and compute $R_{ID_i} = r_i \cdot P$.
(2) Calculate $h_{ID_i} = H_1(R_{ID_i}, PK_{ID_i}, ID_i)$ and $s_{ID_i} = r_i + h_{ID_i} x \bmod q$.
(3) The tuple $(R_{ID_i}, s_{ID_i})$ is delivered to receiver $\mathcal{R}_i$ over an authenticated secure channel. Here, $s_{ID_i}$ is receiver $\mathcal{R}_i$'s partial private key.
The partial private key $s_{ID_i}$ is valid if and only if the equation $s_{ID_i} P = R_{ID_i} + H_1(R_{ID_i}, PK_{ID_i}, ID_i) P_{pub}$ holds, since we have

$$R_{ID_i} + H_1(R_{ID_i}, PK_{ID_i}, ID_i) P_{pub} = r_i P + h_{ID_i} P_{pub} = r_i P + h_{ID_i} x P = (r_i + h_{ID_i} x) P = s_{ID_i} P. \quad (1)$$

(iv) Set-Private-Key: Receiver $\mathcal{R}_i$ secretly keeps $sk_i = (s_{ID_i}, t_i)$ as his or her full private key.

(v) Set-Public-Key: Receiver $\mathcal{R}_i$ keeps $pk_i = (R_{ID_i}, PK_{ID_i})$ as the full public key.

(vi) Multi-Encryption: This algorithm is executed by the sender $\mathcal{S}$ to generate a ciphertext for a given message $M$ and $n$ selected receivers $\mathcal{R}_1, \mathcal{R}_2, \cdots, \mathcal{R}_n$ with identities $ID_1, ID_2, \cdots, ID_n$, respectively. The following steps are performed in this algorithm.
(1) Choose randomly $\sigma \in \{0, 1\}^{l_2}$ for the given message $M \in \mathcal{M}$. Calculate $s = H_2(\sigma, M)$ and $U = sP$.
(2) Compute $K_i = s \cdot (R_{ID_i} + h_{ID_i} P_{pub} + PK_{ID_i})$ and $T_i = H_3(K_i, ID_i, pk_i)$, where $i = 1, 2, \cdots, n$.
(3) Randomly select $\theta \in_R Z_q^*$ and compute a polynomial $f(x)$ with degree $n$ as follows:

$$f(x) = \prod_{i=1}^{n} (x - T_i) + \theta \pmod{q} = x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0, \quad (2)$$

where $a_i \in Z_q^*$ ($i = 0, 1, \ldots, n - 1$).
(4) Compute $C = H_4(\theta, U) \oplus (M \| \sigma)$.
(5) Generate the ciphertext $CT = (U, C, a)$, where $a$ denotes the coefficients of $f(x)$.

(vii) Multi-Decryption: This algorithm is executed by a selected receiver $\mathcal{R}_i$ to extract the plaintext from the received ciphertext $CT = (U, C, a)$. $\mathcal{R}_i$ performs the following steps:
(1) Compute $K_i = (s_{ID_i} + t_i) U$ and $T_i = H_3(K_i, ID_i, pk_i)$, $i \in \{1, 2, \cdots, n\}$.
(2) Calculate $f(x) = x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0$ and $\theta = f(T_i)$.
(3) Compute $M \| \sigma = H_4(\theta, U) \oplus C$.
(4) Verify whether $U = H_2(\sigma, M) P$ holds. If not, $\mathcal{R}_i$ stops the process; otherwise, $\mathcal{R}_i$ outputs the plaintext $M$.
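The seven algorithms of this section, from Setup to Multi-Decryption, as an added Python example that is not the authors' implementation; it runs the flow for three receivers and one outsider. Assumptions of this example: the secp256k1 curve as the prime-order group, SHA-256 and SHAKE-256 standing in for H1 to H4, 16-byte message and random-string lengths, and its own variable names and hash argument order (`sigma`, `theta`, `T`, `K`).

```python
# Added example, not the authors' code: the pairing-free CLAMRE flow on secp256k1.
# Assumed here: curve, SHA-256/SHAKE-256 as H1..H4, byte lengths, variable names.
import hashlib, secrets

p = 2**256 - 2**32 - 977  # secp256k1 field prime
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
L1 = L2 = 16  # lengths of message and random string, in bytes

def add(A, B):  # affine addition on y^2 = x^3 + 7; None is the point at infinity
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, A):  # double-and-add; not constant time, illustration only
    acc = None
    while k:
        if k & 1:
            acc = add(acc, A)
        A, k = add(A, A), k >> 1
    return acc

def _enc(v):  # canonical bytes for points, integers, strings
    if isinstance(v, tuple):
        return v[0].to_bytes(32, "big") + v[1].to_bytes(32, "big")
    if isinstance(v, int):
        return v.to_bytes(32, "big")
    return v.encode() if isinstance(v, str) else v

def Hq(tag, *parts):  # H1, H2, H3: domain-separated hash into Z_q^*
    data = b"".join(len(_enc(v)).to_bytes(2, "big") + _enc(v) for v in parts)
    return int.from_bytes(hashlib.sha256(tag + data).digest(), "big") % (q - 1) + 1

def H4(theta, U):  # H4: hash to l1 + l2 bytes
    return hashlib.shake_256(b"H4" + _enc(theta) + _enc(U)).digest(L1 + L2)

def rand_zq():
    return secrets.randbelow(q - 1) + 1

def setup():  # KGC: master key x and P_pub = x*P
    x = rand_zq()
    return x, mul(x, P)

def set_secret_value():  # receiver: t_i and PK_ID = t_i*P
    t = rand_zq()
    return t, mul(t, P)

def partial_private_key(x, ID, PK):  # KGC: R_ID = r*P, s_ID = r + h*x mod q
    r = rand_zq()
    R = mul(r, P)
    return R, (r + Hq(b"H1", R, PK, ID) * x) % q

def partial_key_valid(P_pub, ID, PK, R, s_id):  # equation (1): s_ID*P == R_ID + h*P_pub
    return mul(s_id, P) == add(R, mul(Hq(b"H1", R, PK, ID), P_pub))

def multi_encrypt(P_pub, receivers, M):  # receivers: list of (ID, R_ID, PK_ID)
    assert len(M) == L1
    sigma = secrets.token_bytes(L2)
    s = Hq(b"H2", sigma, M)
    U = mul(s, P)
    coeffs = [1]  # low-to-high coefficients of prod (x - T_i)
    for ID, R, PK in receivers:
        K = mul(s, add(add(R, mul(Hq(b"H1", R, PK, ID), P_pub)), PK))
        T = Hq(b"H3", K, ID, R, PK)
        coeffs = [(a - T * b) % q for a, b in zip([0] + coeffs, coeffs + [0])]
    theta = rand_zq()
    coeffs[0] = (coeffs[0] + theta) % q  # f(x) = prod (x - T_i) + theta
    C = bytes(a ^ b for a, b in zip(H4(theta, U), M + sigma))
    return U, C, coeffs[:-1]  # leading coefficient 1 is implicit

def multi_decrypt(ID, R, PK, s_id, t, ct):
    U, C, a = ct
    K = mul((s_id + t) % q, U)
    T = Hq(b"H3", K, ID, R, PK)
    theta = (pow(T, len(a), q) + sum(c * pow(T, j, q) for j, c in enumerate(a))) % q
    pt = bytes(x ^ y for x, y in zip(H4(theta, U), C))
    M, sigma = pt[:L1], pt[L1:]
    # Accept only if U = H2(sigma, M)*P; a non-receiver fails this check.
    return M if mul(Hq(b"H2", sigma, M), P) == U else None

def demo():  # three receivers plus one outsider, all identities constructed
    x, P_pub = setup()
    users = {}
    for ID in ("alice", "bob", "carol", "mallory"):
        t, PK = set_secret_value()
        R, s_id = partial_private_key(x, ID, PK)
        users[ID] = (R, PK, s_id, t)
    group = [(ID, *users[ID][:2]) for ID in ("alice", "bob", "carol")]
    ct = multi_encrypt(P_pub, group, b"sixteen byte msg")
    return {ID: multi_decrypt(ID, *users[ID], ct) for ID in users}, ct
```

The ciphertext carries one polynomial coefficient per receiver, so its length grows linearly with the group and shows the group size to an observer, while the identities themselves never appear in it.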
5. Security Analysis of the Proposed CLAMRE Scheme

5.1. Security Model. In order to prove the security of the CLAMRE scheme, we take into account the malicious-but-passive KGC. The robust security model for CLAMRE schemes was proposed by Hung et al. [28]. Two kinds of adversaries are defined as follows.

Type I adversary $\mathcal{A}_1$: $\mathcal{A}_1$ is a malicious outside adversary who can replace a user's public key with a value chosen by himself/herself. However, $\mathcal{A}_1$ cannot access the master private key of the KGC.

Type II adversary $\mathcal{A}_2$: $\mathcal{A}_2$ behaves as an honest-but-curious KGC who owns the master key. However, $\mathcal{A}_2$ is not allowed to replace the public key of any user.

The security of a CLAMRE scheme is defined as a game played between an adversary $\mathcal{A} \in \{\mathcal{A}_1, \mathcal{A}_2\}$ and a challenger $\mathcal{C}$. During the game, $\mathcal{A}$ can make the following queries to $\mathcal{C}$.

Create-User query: $\mathcal{C}$ generates the private key and public key for the user $U_i$. $\mathcal{C}$ sends the user $U_i$'s public key to $\mathcal{A}$.
Public-Key-Retrieve query: $\mathcal{C}$ returns the matching user $U_i$'s public key to $\mathcal{A}$.
Public-Key-Replace query: $\mathcal{C}$ replaces the associated user's public key with a new public key chosen by the adversary himself/herself.
Partial-Private-Key-Extract query: $\mathcal{C}$ sends the user's partial private key to $\mathcal{A}$.
Secret-Value-Extract query: $\mathcal{C}$ sends the user's secret value to $\mathcal{A}$.
Decryption query: $\mathcal{C}$ decrypts the received ciphertext and sends the plaintext to $\mathcal{A}$.

We define the confidentiality of a CLAMRE scheme as the indistinguishability against selective multi-identity chosen ciphertext attack (IND-sMID-CCA). The IND-sMID-CCA game is defined as follows.

Game I. This game is to prove the confidentiality of the CLAMRE scheme.

Phase 1. In this phase, adversary $\mathcal{A}$ selects $n$ target users with identities $ID_{R_1}, ID_{R_2}, \cdots, ID_{R_n}$ and delivers them to $\mathcal{C}$. $\mathcal{C}$ performs setup to generate the system parameters and master key.

Phase 2. $\mathcal{A}$ can adaptively make the aforementioned oracle queries but is not allowed to make a Partial-Private-Extract/Public-Key-Replace query with $ID \in \{ID_{R_1}, ID_{R_2}, \cdots, ID_{R_n}\}$ if he/she is $\mathcal{A}_1$/$\mathcal{A}_2$.

Challenge. $\mathcal{A}$ chooses two plaintexts $\{M_0, M_1\}$ with the same length and delivers $\{M_0, M_1\}$ to $\mathcal{C}$. $\mathcal{C}$ randomly selects $\beta \in \{0, 1\}$ and uses $\{ID_{R_1}, ID_{R_2}, \cdots, ID_{R_n}\}$ and the corresponding public keys to encrypt the message $M_\beta$, generating the ciphertext $C^*_\beta$. Then $\mathcal{C}$ sends $C^*_\beta$ to $\mathcal{A}$.

Phase 3. In this phase, $\mathcal{A}$ can make the same queries as he/she does in Phase 2, except that he/she cannot make a Decryption query with $C^*_\beta$ and $\{ID_{R_1}, ID_{R_2}, \cdots, ID_{R_n}\}$.

Guess. Finally, $\mathcal{A}$ outputs $\beta' \in \{0, 1\}$, that is, his/her guess of the value of $\beta$. We say that $\mathcal{A}$ wins the game if $\beta' = \beta$. The advantage of $\mathcal{A}$ against the CLAMRE scheme is defined by $Adv^{IND\text{-}sMID\text{-}CCA}_{CLAMRE}(\mathcal{A}) = |\Pr[\beta' = \beta] - 1/2|$.

Definition 1. We say a CLAMRE scheme is IND-sMID-CCA secure if $Adv^{IND\text{-}sMID\text{-}CCA}_{CLAMRE}(\mathcal{A})$ is negligible for any polynomial-time-bounded adversary $\mathcal{A}$.

The receiver anonymity of a CLAMRE scheme is defined by the anonymous indistinguishability against selective identity chosen ciphertext attack (ANON-IND-sID-CCA). The ANON-IND-sID-CCA game is defined as follows.

Game II. This game is to prove the anonymity of the CLAMRE scheme.

Phase 1. In this phase, $\mathcal{A}$ selects two target users with identities $\{ID_0, ID_1\}$ and sends them to $\mathcal{C}$. Then $\mathcal{C}$ runs setup to generate the system parameters and the master key.

Phase 2. In this phase, $\mathcal{A}$ can adaptively make the aforementioned oracle queries. However, he/she cannot make a Create-User, Secret-Value-Extract/Public-Key-Replace query with $ID \in \{ID_{R_1}, ID_{R_2}, \cdots, ID_{R_n}\}$ if he/she is $\mathcal{A}_1$/$\mathcal{A}_2$.

Challenge. $\mathcal{A}$ picks a message $M$ together with identities $ID_{R'_2}, \cdots, ID_{R'_n}$ and sends them to $\mathcal{C}$; $\mathcal{C}$ randomly selects $\beta \in \{0, 1\}$ and uses $\{ID_\beta, ID_{R'_2}, \cdots, ID_{R'_n}\}$ and the corresponding public keys to generate a ciphertext $C^*_\beta$ of the message $M_\beta$. Then $\mathcal{C}$ delivers $C^*_\beta$ to $\mathcal{A}$.

Phase 3. In this phase, $\mathcal{A}$ can make the same queries as he/she does in Phase 2, except that he/she cannot make a Decryption query with $C^*_\beta$ and $\{ID_\beta, ID_{R'_2}, \cdots, ID_{R'_n}\}$.

Guess. Finally, $\mathcal{A}$ returns $\beta' \in \{0, 1\}$ as his/her guess of the value of $\beta$. We say that $\mathcal{A}$ wins the game if $\beta' = \beta$. The advantage of $\mathcal{A}$ against the game is defined by $Adv^{ANON\text{-}IND\text{-}sID\text{-}CCA}_{CLAMRE}(\mathcal{A}) = |\Pr[\beta' = \beta] - 1/2|$.

Definition 2. We say a CLAMRE scheme is ANON-IND-sID-CCA secure if $Adv^{ANON\text{-}IND\text{-}sID\text{-}CCA}_{CLAMRE}(\mathcal{A})$ is negligible for any polynomial-time-bounded adversary $\mathcal{A}$.

5.2. Security Theorems. In this subsection, we analyze in detail the security of the proposed CLAMRE scheme. The analysis shows that the proposed CLAMRE scheme is IND-sMID-CCA secure and ANON-IND-sID-CCA secure against the two types of adversaries $\mathcal{A}_1$, $\mathcal{A}_2$.

Theorem 3. The proposed CLAMRE scheme correctly generates the ciphertext $CT = (U, C, a)$, where $a = (a_1, a_2, \cdots, a_{n-1})$, and receiver $\mathcal{R}_i$ ($1 \leq i \leq n$) decrypts it appropriately.

Proof. Due to the fact that $(t_i + s_{ID_i}) U = (t_i + r_i + h_{ID_i} x) s P = s (t_i P + r_i P + h_{ID_i} P_{pub}) = s (PK_{ID_i} + R_{ID_i} + h_{ID_i} P_{pub}) = K_i$, receiver $\mathcal{R}_i$ computes the following: $T_i = H_3(K_i, ID_i, pk_i)$ and $\theta = f(T_i)$; $M \| \sigma = H_4(\theta, U) \oplus C$; and $U = H_2(\sigma, M) P$ holds. So the proposed CLAMRE scheme is correct and consistent.

Theorem 4. In the random oracle model, our CLAMRE scheme satisfies IND-sMID-CCA security against the adversary $\mathcal{A}_1$ under the hardness assumption of the DDH problem.
Proof. Suppose that $\mathcal{A}_1$ is a polynomial time-bounded adversary that has the ability to break the security of the proposed CLAMRE scheme. Then we can construct a probabilistic polynomial time-bounded challenger $\mathcal{C}$ that solves the DDH problem by interacting with the adversary $\mathcal{A}_1$; that is, given an instance $(P, aP, bP, Z)$ of the DDH problem, challenger $\mathcal{C}$ is able to determine whether $Z = ab \cdot P$ holds. Challenger $\mathcal{C}$ maintains the following initially empty lists in order to achieve consistency between the queries made by the adversary $\mathcal{A}_1$.

Phase 1. In this phase, $\mathcal{A}_1$ selects $n$ target identities; we denote these identities as $ID_1, \cdots, ID_n$. $\mathcal{C}$ sets $P_{pub} \leftarrow x \cdot P$ and executes the setup algorithm to generate the other parameters. Then $\mathcal{C}$ delivers $\{p, q, l_1, l_2, E, G, G_q, P, P_{pub}, H_1, H_2, H_3, H_4\}$ to $\mathcal{A}_1$. To simulate the random oracles, $\mathcal{C}$ maintains four lists $L^{list}_{H_i}$, where $L^{list}_{H_i}$ is initialized empty ($i = 1, 2, 3, 4$). The four random oracles answer $\mathcal{A}_1$'s queries as follows.

(i) $H_1(ID_i, PK_{ID_i}, R_{ID_i})$: $\mathcal{C}$ checks if $(ID_i, PK_{ID_i}, R_{ID_i}, h_{ID_i})$ exists in $L^{list}_{H_1}$. If so, $\mathcal{C}$ sends $h_{ID_i}$ to $\mathcal{A}_1$. Otherwise, $\mathcal{C}$ randomly chooses a value $h_{ID_i} \in Z_q^*$, inserts $(ID_i, PK_{ID_i}, R_{ID_i}, h_{ID_i})$ into $L^{list}_{H_1}$, and sends $h_{ID_i}$.

(ii) $H_2(\sigma, M)$: $\mathcal{C}$ checks if $(\sigma, M, s)$ exists in $L^{list}_{H_2}$. If so, $\mathcal{C}$ returns $s$ to $\mathcal{A}_1$. Otherwise, $\mathcal{C}$ randomly chooses a value $s \in Z_q^*$, inserts $(\sigma, M, s)$ into $L^{list}_{H_2}$, and returns $s$.

(iii) $H_3(K_i, ID_i, pk_i)$: $\mathcal{C}$ checks if $(K_i, ID_i, pk_i, T_i)$ exists in $L^{list}_{H_3}$. If so, $\mathcal{C}$ returns $T_i$ to $\mathcal{A}_1$. Otherwise, $\mathcal{C}$ randomly chooses a value $T_i \in Z_q^*$, inserts $(K_i, ID_i, pk_i, T_i)$ into $L^{list}_{H_3}$, and returns $T_i$.

(iv) $H_4(\theta, U)$: $\mathcal{C}$ checks if $(\theta, U, \omega)$ exists in $L^{list}_{H_4}$. If so, $\mathcal{C}$ returns $\omega$ to $\mathcal{A}_1$. Otherwise, $\mathcal{C}$ randomly selects an element $\omega \in \{0, 1\}^{l_1 + l_2}$, inserts $(\theta, U, \omega)$ into $L^{list}_{H_4}$, and returns $\omega$.

Phase 2. $\mathcal{A}_1$ can adaptively make queries to $\mathcal{C}$. $\mathcal{C}$ maintains a list $L^{list}_R$, which is initialized empty. Challenger $\mathcal{C}$ responds to the queries made by adversary $\mathcal{A}_1$ as follows.

(i) Create-User($ID_{R_i}$) query: $\mathcal{C}$ checks if $(ID_{R_i}, r_i, s_{ID_i}, t_i, R_{ID_i}, PK_{ID_i})$ exists in $L^{list}_R$. If so, $\mathcal{C}$ returns $(R_{ID_i}, PK_{ID_i})$ to $\mathcal{A}_1$. Otherwise, $\mathcal{C}$ executes the following processes.

(ii) If $ID_{R_i} \in \{ID_1, \cdots, ID_n\}$ holds, without loss of generality we suppose $ID_{R_i} = ID_i$. $\mathcal{C}$ randomly picks $r_i, t_i \in Z_q^*$, computes $PK_{ID_i} = t_i P$, $R_{ID_i} = r_i aP$, $h_{ID_i} = H_1(ID_i, PK_{ID_i}, R_{ID_i})$, and sets $s_{ID_i} \leftarrow \perp$. $\mathcal{C}$ inserts $(ID_i, PK_{ID_i}, R_{ID_i}, h_{ID_i})$ and $(ID_i, r_i, s_{ID_i}, t_i, R_{ID_i}, PK_{ID_i})$ into $L^{list}_{H_1}$ and $L^{list}_R$, respectively. At last, $\mathcal{C}$ returns $(R_{ID_i}, PK_{ID_i})$ to $\mathcal{A}_1$.

(iii) Otherwise, $ID_{R_i} \notin \{ID_1, \cdots, ID_n\}$; $\mathcal{C}$ randomly picks $t_i, s_{ID_i}, h_{ID_i} \in Z_q^*$ and computes $R_{ID_i} = s_{ID_i} P - h_{ID_i} P_{pub}$, $PK_{ID_i} = t_i P$. $\mathcal{C}$ inserts $(ID_i, PK_{ID_i}, R_{ID_i}, h_{ID_i})$ and $(ID_i, r_i, s_{ID_i}, t_i, R_{ID_i}, PK_{ID_i})$ into $L^{list}_{H_1}$ and $L^{list}_R$, respectively. At last, $\mathcal{C}$ returns $(R_{ID_i}, PK_{ID_i})$ to $\mathcal{A}_1$.

(iv) Public-Key-Retrieve($ID_{R_i}$): $\mathcal{C}$ checks if $(ID_{R_i}, s_{ID_i}, t_i, R_{ID_i}, PK_{ID_i})$ exists in $L^{list}_R$. If not, $\mathcal{C}$ makes the Create-User query with $ID_i$ first. Then, $\mathcal{C}$ returns $(R_{ID_i}, PK_{ID_i})$ to $\mathcal{A}_1$.

(v) Public-Key-Replace($ID_{R_i}, R'_{ID_i}, PK'_{ID_i}$): $\mathcal{C}$ checks if $(ID_{R_i}, s_{ID_i}, t_i, R_{ID_i}, PK_{ID_i})$ exists in $L^{list}_R$. If not, $\mathcal{C}$ makes the Create-User query with $ID_i$ first. Then, $\mathcal{C}$ replaces $(R_{ID_i}, PK_{ID_i})$ with $(ID_i, R'_{ID_i}, PK'_{ID_i})$.

(vi) Partial-Private-Key-Extract($ID_{R_i}$): $\mathcal{C}$ checks if $(ID_{R_i}, s_{ID_i}, t_i, R_{ID_i}, PK_{ID_i})$ exists in $L^{list}_R$. If not, $\mathcal{C}$ makes the Create-User query with $ID_{R_i}$ first. Then, $\mathcal{C}$ returns $s_{ID_i}$ to $\mathcal{A}_1$.

(vii) Secret-Value-Extract($ID_{R_i}$): $\mathcal{C}$ checks if $(ID_{R_i}, s_{ID_i}, t_i, R_{ID_i}, PK_{ID_i})$ exists in $L^{list}_R$
. If not, C makes the Create-User query with πΌπ·π
π first. Then, C returns π‘π to A1 . β (viii) π·ππππ¦ππ‘πππ(πΌπ·π
π , ππ ): C checks if πΌπ·Rπ {πΌπ·1 , β
β
β
, πΌπ·π } holds, where ππ = (ππ , πΆπ , ππ ). If not, C looks up πΏπππ π‘ π
for (πΌπ·π
π , π πΌπ·π , π‘π , π
πΌπ·π , ππΎπΌπ·π ) and uses (π πΌπ·π , π‘π ) to decrypt the ciphertext. Otherwise πΌπ·Rπ β {πΌπ·1 , β
β
β
, πΌπ·π }, C responds according to the following steps. (ix) C looks up πΏπππ π‘ π»4 for (ππ , ππ , ππ ). If not, C outputs failure and stops. (x) C searches the tuple (ππ , ππ , π π ) from πΏπππ π‘ π»2 and checks if ππ = π π π holds. If so, C keeps (ππ , ππ ); if not, C outputs failure and stops. (xi) C checks if πΆπ = ππ β (ππ β ππ ) holds. If not, C outputs failure and stops. Otherwise return ππ to A1 Challenge. After making the above queries, A1 picks two messages π0 and π1 with length π2 and sends them to challenger C, C chooses π β {0, 1} at random and performs the following steps.
(i) C sets πβ βσ³¨ π β
π. (ii) Let ππ = (ππΌπ·π π₯ + π‘π )πβ + ππ π, and compute ππ = π»3 (ππ , πΌπ·π , πππ ), π = 1, 2, β
β
β
, π (iii) C chooses π β ππβ at random and computes a polynomial π(π₯) with degree π as follows: π
π (π₯) = β (π₯ β ππ ) + π (modπ) π=1
β = π₯π + ππβ1 π₯πβ1 + β
β
β
+ π1β π₯ + π0β ,
(3)
where ππ β ππβ (π = 0, 1, . . . , π β 1) (iv) C chooses πβ β {0, 1}π1 +12 and πβ β {0, 1}π2 at random and computes πΆβ = πβ β (ππ β πβ ). Final, C sends the ciphertext πβ = (πβ , πΆβ , πβ ). Phase 3 In this phase, A1 can make the same queries in Phase 2 except that it cannot make decryption queries with πΌπ·β β {πΌπ·1 , πΌπ·2 , β
β
β
, πΌπ·π } and πβ . Guess A1 outputs πσΈ β {0, 1} as his/her guess value about π. If π = πσΈ , then C outputs 1; otherwise,C outputs 0. A1 wins the game if and only if π = πσΈ holds. Based on the above oracle queries, the simulation of C is perfect. Next, we consider the probability that challenger C fails in Game I. Combined with the previous description, we know that C fails in π·ππππ¦ππ‘πππ query if (ππ , ππ ) is not in πΏπππ π‘ π»4 . The probability that A1 can correctly guess the output of π»4 : {0, 1}β σ³¨β {0, 1}π1 +π2 is 1/2π1 +π2 . Therefore, the probability of C failure in game I is less than ππ /2π1 +π2 , where ππ denote the decryption query times in the game. If π = πππ holds, then πβ is valid ciphertext. Thus, A1 is able to distinguish π with nonnegligible advantage π. ππ [π = 1 | π = πππ] = ππ [π = πσΈ | π = πππ] =
1 + π. 2
(4)
If π =ΜΈ πππ, then the ciphertext distribution is random and uniform when π = 0 or π = 1, so A1 cannot distinguish π with any advantage. 1 ππ [π = 1 | π =ΜΈ πππ] = ππ [π = πσΈ | π =ΜΈ πππ] = . 2
(5)
Therefore, if A1 can break the IND-sMID-CCA security of the proposed CLAMRE scheme with nonnegligible advantage π, then challenger C can solve the DDH problem with a nonnegligible advantage π β ππ /2π1 +π2 , because the DDH problem is difficult. Therefore, the proposed CLAMRE scheme is IND-sMID-CCA secure against A1 . Theorem 5. Our CLAMRE scheme is IND-sMID-CCA secure against type II adversary A2 under random oracle model with the difficulties of computational Diffie-Hellman problem. Proof. A2 is the polynomial time-bounded adversary, if A2 has the ability to break the security of the proposed CLAMRE
scheme. Then we can construct a probabilistic polynomial time-bounded challenger C to solve the DDH problem by interacting with the adversary A2 ; that is, for given an instance (π, ππ, ππ, π) of the DDH problem, challenger C is able to determine if π = ππ β
π holds. Challenger C maintains the following initial-empty lists in order to achieve the consistency between queries made by adversary A2 . Phase 1 In this phase, A2 selects π target identities; we denote these identities as πΌπ·1 , β
β
β
, πΌπ·π . C picks π₯ β ππβ at random as system private key and computes corresponding public key πππ’π = π₯ β
π. C performs πππ‘π’π algorithm to construct other parameters. At last, C delivers {π, π, π1 , π2 , πΈ, πΊ, πΊπ , π, πππ’π , π»1 , π»2 , π»3 , π»4 } to A2 and master private key π₯ to A2 . To achieve the random πππ π‘ oracles, C maintains four lists πΏπππ π‘ π»π , where initial πΏ π»π is empty (π = 1, 2, 3, 4). The four random oracles make the following answer for A2 π queries. (i) π»1 (πΌπ·π , ππΎπΌπ·π , π
πΌπ·π ): C checks if (πΌπ·π , ππΎπΌπ·π , π
πΌπ·π , ππΌπ·π ) exists in πΏπππ π‘ π»1 . If so, C returns ππΌπ·π to A2 . Otherwise, C randomly selects an element ππΌπ·π β ππβ , inserts (πΌπ·π , ππΎπΌπ·π ,
π
πΌπ·π , ππΌπ·π ) into πΏπππ π‘ π»1 , and returns ππΌπ·π . (ii) π»2 (π, π): C checks if (π, π, π ) exists in πΏπππ π‘ π»1 . If so, C returns π to A2 . Otherwise, C randomly selects an element π β ππβ , inserts (π, π, π ) into πΏπππ π‘ π»2 , and returns π . (iii) π»3 (ππ , πΌπ·π , πππ ): C checks if (ππ , πΌπ·π , πππ , ππ ) exists in πΏπππ π‘ π»3 . If so, C returns ππ to A2 . Otherwise, C randomly selects an element ππ β ππβ , inserts (ππ , πΌπ·π , πππ , ππ ) into πΏπππ π‘ π»3 , and returns ππ . (iv) π»4 (π, π): C checks if (π, π, π) exists in πΏπππ π‘ π»4 . If so, C returns π to A2 . Otherwise, C randomly selects an element π β {0, 1}π1 +π2 , inserts (π, π, π) into πΏπππ π‘ π»4 , and returns π. Phase 2 In this phase, A2 can adaptively make a lot of queries to C. C maintains a list πΏπππ π‘ π
, which is initialized empty. These queries are responded as follows. (i) πΆππππ‘π β ππ ππ(πΌπ·Rπ ) query: C checks if (πΌπ·Rπ , ππ , π πΌπ·π , π‘π , π
πΌπ·π , ππΎπΌπ·π ) exists in πΏπππ π‘ π
. If so, C returns (π
πΌπ·π , ππΎπΌπ·π ) to A2 . Otherwise, C performs the following steps. (ii) If πΌπ·Rπ β {πΌπ·1 , β
β
β
, πΌπ·π } holds, without losing generality, we suppose πΌπ·Rπ = πΌπ·π , C randomly chooses ππ , π‘π β ππβ and calculates ππΎπΌπ·π = π‘π β
ππ, π
πΌπ·π = ππ π, ππΌπ·π = π»1 (ππΎπΌπ·π , π
π , πΌπ·π ), π πΌπ·π = ππ + ππΌπ·π π₯ mod π. C inserts (πΌπ·π , ππΎπΌπ·π , π
πΌπ·π , and πΏπππ π‘ ππΌπ·π ) and (πΌπ·π , ππ , π πΌπ·π , π‘π , π
πΌπ·π , ππΎπΌπ·π ) into πΏπππ π‘ 1 π
, respectively. At last, C returns (π
πΌπ·π , ππΎπΌπ·π ) to A2 . (iii) Otherwise πΌπ·Rπ β {πΌπ·1 , β
β
β
, πΌπ·π }; C randomly picks π‘π , ππ , ππΌπ·π β ππβ and computes π
πΌπ·π = ππ π, π πΌπ·π = ππ + ππΌπ·π π mod π, ππΎπΌπ·π = π‘π β
π. C inserts (πΌπ·π , ππΎπΌπ·π , π
πΌπ·π , ππΌπ·π ) and (πΌπ·π , ππ , πππ π‘ π πΌπ·π , π‘π , π
πΌπ·π , ππΎπΌπ·π ) into πΏπππ π‘ 1 and πΏ π
, respectively. At last, C returns (π
πΌπ·π , ππΎπΌπ·π ) to A2 . (iv) ππ’ππππ β πΎππ¦-Retrieve(πΌπ·π
π ): C checks if (πΌπ·π
π , π πΌπ·π , π‘π , π
πΌπ·π , ππΎπΌπ·π ) exists in πΏπππ π‘ π
. If not, C makes the Create-User query with πΌπ·π first. Then, C returns π
πΌπ·π , ππΎπΌπ·π to A2 . (v) ππππ‘πππ β πππVππ‘π β πΎππ¦ β πΈπ₯π‘ππππ‘(πΌπ·π
π ): C checks if (πΌπ·π
π , π πΌπ·π , π‘π , π
πΌπ·π , ππΎπΌπ·π ) exists in πΏπππ π‘ π
. If not, C makes the
Create-User query with πΌπ·π
π first. Then, C returns π πΌπ·π to A2 . (vi) ππππππ‘ β ππππ’π β πΈπ₯π‘ππππ‘(πΌπ·π
π ): C checks if (πΌπ·π
π , π πΌπ·π , π‘π , π
πΌπ·π , ππΎπΌπ·π ) exists in πΏ π
. If not, C makes the Create-User query with πΌπ·π
π first. Then, C returns π‘π to A1 . (vii) π·ππππ¦ππ‘πππ(πΌπ·π
π , ππ ): C checks if πΌπ·Rπ β {πΌπ·1 , β
β
β
, πΌπ·π } holds, where ππ = (ππ , πΆπ , ππ ), ππ = (ππ0 , ππ1 , β
β
β
, ππ(πβ1) ). If not, C looks up πΏπππ π‘ π
for (πΌπ·π
π , π πΌπ·π , π‘π , π
πΌπ·π , ππΎπΌπ·π ) and uses (π πΌπ·π , π‘π ) to decrypt the ciphertext. Otherwise πΌπ·Rπ β {πΌπ·1 , β
β
β
, πΌπ·π }, C responds according to the following steps. (viii) C looks up πΏπππ π‘ 4 for (ππ , ππ , ππ ). If not, C outputs failure and stops. (ix) C searches the tuple (ππ , ππ , π π ) from πΏπππ π‘ π»2 and checks if ππ = π π π holds. If so, C keeps (ππ , ππ ); if not, C outputs failure and stops. (x) C checks if πΆπ = ππ β (ππ β ππ ) holds. If not, C outputs failure and stops. Otherwise, return ππ to A2 Challenge After making the above queries, A2 picks two messages π0 and π1 with length π2 and sends them to challenger C; C chooses π β {0, 1} at random and implements the following process. (i) C sets πβ βσ³¨ π β
π. (ii) Let ππ = (ππΌπ·π π₯ + ππ )πβ + π‘π β
π, and compute ππ = π»3 (ππ , πΌπ·π , πππ ).π = 1, 2, β
β
β
, π (iii) C chooses π β ππβ at random and computes a polynomial π(π₯) with degree π as follows: π
π (π₯) = β (π₯ β ππ ) + π (modπ) π=1 π
β π₯πβ1 + β
β
β
+ π1β π₯ + π0β , = π₯ + ππβ1
(6)
where ππ β ππβ (π = 0, 1, . . . , π β 1)
(iv) C chooses πβ β {0, 1}π1 +12 and πβ β {0, 1}π2 at random and computes πΆβ = πβ β (ππ β πβ ). Final, C sends the ciphertext πβ = (πβ , πΆβ , πβ ). Phase 3 In this phase, A2 can make the same queries in Phase 2 except that he cannot make decryption queries with πΌπ·β β {πΌπ·1 , πΌπ·2 , β
β
β
, πΌπ·π } and πβ . Guess A2 outputs πσΈ β {0, 1} as his/her guess value about π. If π = πσΈ , then C outputs 1; otherwise, C outputs 0. A2 wins the game if and only if π = πσΈ holds. According to the above oracle queries, we know that the simulation of C is perfect. Now, we analyze the probability that C fails in Game I. Based on the above description, we know that C fails in decryption query if (ππ , ππ ) is not in πΏπππ π‘ 4 . The probability that A2 can correctly guess the output of π»4 : {0, 1}β σ³¨β {0, 1}π1 +π2 is 1/2π1 +π2 . Therefore, the probability that C fails in the game is less than ππ /2π1 +π2 , where ππ denotes the decryption queries involved in the game. If π = πππ holds, then πβ is valid ciphertext. Thus, A1 is able to distinguish π with nonnegligible advantage π. ππ [π = 1 | π = πππ] = ππ [π = πσΈ | π = πππ]
=
1 + π. 2 (7)
If π =ΜΈ πππ, then the ciphertext distribution is random and uniform when π = 0πππ = 1. So A2 cannot distinguish π with any advantage. 1 ππ [π = 1 | π =ΜΈ πππ] = ππ [π = πσΈ | π =ΜΈ πππ] = . 2
(8)
Therefore, if A2 can break the IND-sMID-CCA security of the proposed CLAMRE scheme with nonnegligible advantage π, then challenger C can solve the DDH problem with a nonnegligible advantage π β ππ /2π1 +π2 . If A2 can break the IND-sMID-CCA security of the proposed CLAMRE scheme with nonnegligible advantage π, then we know C can solve the CDH problem with a nonnegligible advantage π β ππ /2π1 +π2 . Due to the fact that the CDH problem is hard, we know that the proposed CLAMRE scheme is IND-sMID-CCA secure against adversary A2 . Theorem 6. In the random oracle model, our proposed CLAMRE scheme is ANON-IND-sID-CCA secure against adversary A1 with the difficulty assumption of DDH problem. Proof. Assume that the adversary A1 can breach our CLAMRE scheme, then we will be able to design a challenger C for solving an instance of DDH problem; that is, for given an instance (π, π β
π, π β
π, π) of DDH problem, challenger C can determine if π = πππ holds by interacting with adversary πππ π‘ A1 . Similar to Theorem 4, let lists πΏπππ π‘ π»π (π = 1, 2, 3, 4) and πΏ π
be maintained by challenger C. Phase 1. Assume that adversary A1 selects two target users with identities πΌπ·0 , πΌπ·1 . Challenger C randomly selects π β {0, 1}. C sets πππ’π βσ³¨ π₯ β
π, and implements πππ‘π’π algorithm to construct other parameters. At last, C delivers {π, π, π1 , π2 , πΈ, πΊ, πΊπ , π, πππ’π , π»1 , π»2 , π»3 , π»4 } to A1 . Challenger C returns answers to the adversary A1's queries in the following ways. Hash queries to π»π (π = 1, 2, 3, 4): these queries are the same as those performed in Theorem 4. Phase 2. Now, challenger C will respond to the queries made by the adversary A1 in the following ways. (i) πΆππππ‘π β ππ ππ(πΌπ·Rπ ) query: C checks if (πΌπ·Rπ , ππ , π πΌπ·π , π‘π , π
πΌπ·π , ππΎπΌπ·π ) exists in πΏπππ π‘ π
. If so, C returns (π
πΌπ·π , ππΎπΌπ·π ) to A1 . Otherwise, C executes the following processes. (ii) If πΌπ·Rπ = πΌπ·π for π β {0, 1} holds, C randomly chooses ππ , π‘π β ππβ , computes ππΎπΌπ·π = π‘π β
π, π
πΌπ·π = ππ β
ππ, ππΌπ·π = π»1 (πΌπ·π , ππΎπΌπ·π , π
πΌπ·π ), and sets π πΌπ·π βσ³¨β₯. C inserts
(πΌπ·π , π
πΌπ·π , ππΌπ·π ) and (πΌπ·π , ππ , π πΌπ·π , π‘π , π
πΌπ·π , ππΎπΌπ·π ) into πΏπππ π‘ π»1 and , respectively. At last, C returns (π
, ππΎ ) to A πΏπππ π‘ πΌπ·π πΌπ·π 1. π
(iii) Otherwise πΌπ·Rπ β {πΌπ·0 , πΌπ·1 }; C randomly picks π‘π , π πΌπ·π , ππΌπ·π β ππβ and computes π
πΌπ·π = π πΌπ·π π β ππΌπ·π πππ’π , ππΎπΌπ·π = π‘π π. C inserts (πΌπ·π , π
πΌπ·π , ππΌπ·π ) and (πΌπ·π , ππ , π πΌπ·π , π‘π , πππ π‘ π
πΌπ·π , ππΎπΌπ·π ) into πΏπππ π‘ 1 and πΏ π
, respectively. At last, C returns (π
πΌπ·π , ππΎπΌπ·π ) to A1 . (iv) ππ’ππππ β πΎππ¦-Retrieve(πΌπ·π
π ): C checks if (πΌπ·π
π , π πΌπ·π , π‘π , π
πΌπ·π , ππΎπΌπ·π ) exists in πΏπππ π‘ π
. If not, C makes the Create-User query with πΌπ·π first. Then, C returns (π
πΌπ·π , ππΎπΌπ·π ) to A1 . σΈ σΈ , ππΎπΌπ· ): C checks (v) ππ’ππππ β πππ¦ β π
ππππππ(πΌπ·π
π , π
πΌπ· π π πππ π‘ if (πΌπ·π
π , π πΌπ·π , π‘π , π
πΌπ·π , ππΎπΌπ·π ) exists in πΏ π
. If not, C makes the Create-User query with πΌπ·π first. Then, C replaces σΈ σΈ , ππΎπΌπ· ). (π
πΌπ·π , ππΎπΌπ·π ) with (πΌπ·π , π
πΌπ· π π (vi) ππππ‘πππ β πππVππ‘π β πΎππ¦ β πΈπ₯π‘ππππ‘(πΌπ·π
π ): C checks if (πΌπ·π
π , π πΌπ·π , π‘π , π
πΌπ·π , ππΎπΌπ·π ) exists in πΏπππ π‘ π
. If not, C makes the Create-User query with πΌπ·π
π first. Then, C returns π πΌπ·π to A1 . (vii) ππππππ‘ β ππππ’π β πΈπ₯π‘ππππ‘(πΌπ·π
π ): C checks if (πΌπ·π
π , π πΌπ·π , π‘π , π
πΌπ·π , ππΎπΌπ·π ) exists in πΏπππ π‘ π
. If not, C makes the Create-User query with πΌπ·π
π first. Then, C returns π‘π to A1 . (viii) π·ππππ¦ππ‘πππ(πΌπ·π
π , ππ ): C checks if πΌπ·Rπ β {πΌπ·0 , πΌπ·1 } holds, where ππ = (ππ , πΆπ , ππ ). If not, C looks up πΏπππ π‘ π
for (πΌπ·π
π , π πΌπ·π , π‘π , π
πΌπ·π , ππΎπΌπ·π ) and uses full private key (π πΌπ·π , π‘π ) to decrypt the ciphertext. Otherwise πΌπ·Rπ β {πΌπ·0 , πΌπ·1 }, C responds as follows. (ix) C looks up πΏπππ π‘ π»4 for (ππ , ππ , ππ ). If not, C outputs failure and stops. (x) C searches the tuple (ππ , ππ , π π ) from πΏπππ π‘ π»2 and checks if ππ = π π π holds. If so, C keeps (ππ , ππ ); if not, C outputs failure and stops. (xi) C checks if πΆπ = ππ β (ππ β ππ ) holds. If not, C outputs failure and stops. Otherwise return ππ to A1 Challenge. After making the above queries, A1 picks plaintext π together with identities {πΌπ·2 , β
β
β
, πΌπ·π } on which he wants to be challenged. C chooses π β {0, 1} at random and implements the following process. After making the above queries, A1 picks plaintext π together with identities {πΌπ·2 , β
β
β
, πΌπ·π } on which he wants to be challenged. C chooses π β {0, 1} at random and implements the following process. (i) C sets πβ βσ³¨ π β
π. (ii) Let ππ = (ππΌπ·π π₯ + π‘π )πβ + ππ π, and compute ππ = π»3 (ππ , πΌπ·π , πππ ), π = 1, 2, β
β
β
, π. (iii) C chooses π β ππβ at random and computes a polynomial π(π₯) with degree π as follows: π
π (π₯) = β (π₯ β ππ ) + π (modπ) π=1
β = π₯π + ππβ1 π₯πβ1 + β
β
β
+ π1β π₯ + π0β ,
(9)
where ππ β ππβ (π = 0, 1, β
β
β
, π β 1) (iv) C chooses πβ β {0, 1}π1 +12 and πβ β {0, 1}π2 at random and computes πΆβ = πβ β (ππ β πβ ).
Final, C sends the ciphertext πβ = (πβ , πΆβ , πβ ).
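The Challenge step above hides a random value behind a monic polynomial whose degree equals the number of receivers, so that only holders of a matching per-receiver hash value can recover it. The following added example (not code from the paper) shows that construction in isolation; the names f, v_i and k, the SHA-256-based hashes, the tag check and the modulus are assumptions of this example, and the elliptic-curve step that gives each receiver its value is replaced by constructed byte strings.

```python
import hashlib
import hmac
import secrets

# Constructed modulus: the prime 2**127 - 1 stands in for the scheme's prime group order.
P = 2**127 - 1
TAG_LEN = 16


def h_to_int(*parts: bytes) -> int:
    """Hash length-prefixed byte strings into Z_P (assumed stand-in for a hash onto Z_p*)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % P


def build_polynomial(values, k):
    """Coefficients [a_0..a_{n-1}] of the monic f(x) = prod(x - v_i) + k mod P."""
    coeffs = [1]  # lowest degree first
    for v in values:
        nxt = [0] * (len(coeffs) + 1)
        for j, c in enumerate(coeffs):  # multiply the running product by (x - v)
            nxt[j] = (nxt[j] - v * c) % P
            nxt[j + 1] = (nxt[j + 1] + c) % P
        coeffs = nxt
    coeffs[0] = (coeffs[0] + k) % P
    return coeffs[:-1]  # the leading coefficient 1 is implied


def evaluate(coeffs, x):
    """Horner evaluation of x^n + a_{n-1} x^{n-1} + ... + a_0 mod P."""
    acc = 1
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def _pad(k: int, length: int) -> bytes:
    """Expand k into a mask of the requested length (counter-mode SHA-256)."""
    seed = k.to_bytes(16, "big")
    blocks = (hashlib.sha256(b"pad" + seed + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def _tag(k: int, message: bytes) -> bytes:
    """Redundancy that lets a receiver detect that it recovered the wrong k."""
    key = k.to_bytes(16, "big")
    return hmac.new(key, b"tag" + message, hashlib.sha256).digest()[:TAG_LEN]


def encrypt(message: bytes, receiver_values, k=None):
    """Hide a fresh k behind the receivers' values and mask message||tag with it."""
    k = k if k is not None else secrets.randbelow(P - 1) + 1
    body = message + _tag(k, message)
    masked = bytes(a ^ b for a, b in zip(body, _pad(k, len(body))))
    return build_polynomial(receiver_values, k), masked


def decrypt(coeffs, masked: bytes, my_value: int):
    """Evaluate f at my own value; a non-receiver gets a wrong k and the tag check fails."""
    k = evaluate(coeffs, my_value)
    body = bytes(a ^ b for a, b in zip(masked, _pad(k, len(masked))))
    message, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    return message if hmac.compare_digest(tag, _tag(k, message)) else None


# Constructed sample data: (identity, per-receiver secret) pairs. In the scheme the
# secret would come from the elliptic-curve computation shared by sender and receiver.
RECEIVERS = [(b"alice@example.org", b"secret-A"), (b"bob@example.org", b"secret-B"),
             (b"carol@example.org", b"secret-C")]
OUTSIDER = (b"mallory@example.org", b"secret-M")


def demo():
    values = [h_to_int(secret, ident) for ident, secret in RECEIVERS]
    coeffs, masked = encrypt(b"rotate keys at 02:00 UTC", values)
    results = [decrypt(coeffs, masked, v) for v in values]
    outsider = decrypt(coeffs, masked, h_to_int(OUTSIDER[1], OUTSIDER[0]))
    return coeffs, results, outsider


if __name__ == "__main__":
    coeffs, results, outsider = demo()
    print(len(coeffs), "coefficients;", results, "; outsider:", outsider)
```

The published coefficients are symmetric in the receivers' values, so the ciphertext carries no per-receiver slot or ordering; only the number of receivers is visible from the degree.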
Phase 3. In this phase, A1 can make the same queries in Phase 2 except that he cannot make decryption queries with πΌπ·β β {πΌπ·π , πΌπ·2 , ⋅⋅⋅ , πΌπ·π } and πβ .
Guess. A1 outputs πσΈ β {0, 1} as his/her guess value about π. If π = πσΈ , then C outputs 1; otherwise, C outputs 0. A1 wins the game if and only if π = πσΈ holds.
Based on the above oracle queries, the simulation of C is perfect. Next, we consider the probability that challenger C fails in Game I. Combined with the previous description, we know that C fails in the Decryption query if (ππ , ππ ) is not in πΏπππ π‘ π»4 . The probability that A1 can correctly guess the output of π»4 : {0, 1}β → {0, 1}π1 +π2 is 1/2π1 +π2 . Therefore, the probability of C failure in Game I is less than ππ /2π1 +π2 , where ππ denotes the decryption query times in the game. If π = πππ holds, then πβ is valid ciphertext. Thus, A1 is able to distinguish π with nonnegligible advantage π.
ππ [π = 1 | π = πππ] = ππ [π = πσΈ | π = πππ] = 1/2 + π. (10)
If π ≠ πππ, then the ciphertext distribution is random and uniform when π = 0 or π = 1, so A1 cannot distinguish π with any advantage.
ππ [π = 1 | π ≠ πππ] = ππ [π = πσΈ | π ≠ πππ] = 1/2. (11)
Therefore, if A1 can break the ANON-IND-sMID-CCA security of the proposed CLAMRE scheme with nonnegligible advantage π, then challenger C can solve the DDH problem with a nonnegligible advantage π β ππ /2π1 +π2 . Because the DDH problem is difficult, the proposed CLAMRE scheme is ANON-IND-sMID-CCA secure against A1 .
Theorem 7. In the random oracle model, our proposed CLAMRE scheme is ANON-IND-sID-CCA secure against the adversary A2 with the hardness assumption of CDH problem.
Proof. The proof of this theorem is similar to that of Theorem 5. To save space, we will not give the details here.
6. Performance Analysis
In this section, we mainly analyzed computational cost of the proposed CLAMRE scheme. The proposed CLAMRE scheme is compared with Hung et al.'s CLAMRE scheme (Hung et al. 2015) and He et al.'s CLAMRE scheme (He et al. 2017) to calculate cost.
Table 1: Runtime of related operations.

| Operation | Runtime (milliseconds) |
|---|---|
| Bilinear pairing | 32.713 |
| Hash-to-point | 33.582 |
| Scalar multiplication in G1 | 13.405 |
| Addition in G1 | 0.056 |
| Exponentiation in G2 | 2.249 |
| Multiplication in G2 | 0.008 |
| Scalar multiplication in the group πΊΜ on the nonsingular elliptic curve | 3.335 |
| Addition in the group πΊΜ on the nonsingular elliptic curve | 0.014 |
| General hash | 0.006 |
| Symmetric cryptography operation | 0.001 |
Let πΊ1 be an additive group defined on a supersingular elliptic curve over a prime field πΉπ with the prime order π, and the lengths of π and π are 512 bits and 160 bits, respectively. The Tate bilinear pairing πΜ : πΊ1 × πΊ1 → πΊ2 , in order to achieve the same security. For the CLAMRE scheme based on the elliptic curve cryptography, we also think about an additive group πΊΜ defined on a nonsingular elliptic curve over a prime field πΉπ with the prime order π; lengths of π and π are 160 bits. For convenience, the concept of runtime for some cryptographic operations is defined as follows.
(i) πππ is the runtime required for computing a bilinear pairing.
(ii) ππ»ππ is the runtime required for finishing a hash-to-point operation.
(iii) ππ πβπΊ1 is the runtime required for computing a scalar multiplication in πΊ1 .
(iv) ππππβπΊ1 is the runtime required for computing an addition in πΊ1 .
(v) πππ’πβπΊ2 is the runtime required for computing a multiplication in πΊ2 .
(vi) πππ₯πβπΊ2 is the runtime required for executing an exponentiation operation in πΊ2 .
(vii) ππ πβπΊΜ is the runtime required for computing a scalar multiplication in πΊΜ.
(viii) ππππβπΊΜ is the runtime required for computing an addition in πΊΜ.
(ix) ππβ is the runtime required for executing a general hash operation.
(x) ππ π is the runtime required for executing a symmetric cryptography operation.
He et al. [30] have implemented related operations on a mobile phone (Samsung Galaxy S5 with a Quad-core 2.45G processor, 2G bytes memory, and the Google Android 4.4.2 operating system) using a famous cryptographic library (MIRACL). The implementation results are shown in Table 1. We denote by π the number of the receivers.
In order to encrypt a given message π, in Hung et al.'s CLAMRE scheme, the sender needs to perform 2π scalar multiplication operations in πΊ1 , π bilinear pairing operations, π exponentiation operations in πΊ2 , π hash-to-point operations, 3π + 2 general hash operations, and one symmetric cryptography operation. Therefore, in Hung et al.'s CLAMRE scheme, the runtime of the sender is π × πππ + π × πβπ‘π + 2π × ππ πβπΊ1 + π × πππ₯πβπΊ2 + (3π + 2) × ππβ + ππ π = π × 32.713 + π × 33.582 + 2π × 13.405 + π × 2.249 + (3π + 2) × 0.006 + 0.001 = (95.372 × π + 0.013) ms. For decrypting the received ciphertext, the receiver needs to perform the following operations: one scalar multiplication in πΊ1 , one bilinear pairing, five general hash operations, and one symmetric cryptography operation. Therefore, the runtime of the receiver in Hung et al.'s CLAMRE scheme is πππ + ππ πβπΊ1 + 5 × ππβ + ππ π = 32.713 + 13.405 + 5 × 0.006 + 0.001 = 46.149 ms.
In He et al.'s [29] scheme, to encrypt a given message π, the sender needs to perform the following operations: π times addition in πΊΜ, 3π + 1 times scalar multiplication in πΊΜ, 4π + 2 times general hash, one symmetric encryption operation, and π times exclusive or operation (here, exclusive or operation is approximately equal to symmetric encryption operation). Therefore, the runtime of encryption is (3π + 1) × ππ πβπΊΜ + π × ππππβπΊΜ + (4π + 2) × ππβ + (π + 1)ππ π = (3π + 1) × 3.335 + π × 0.014 + (4π + 2) × 0.006 + (π + 1) × 0.001 = (10.044 × π + 3.348) ms. In order to get plaintext from the received ciphertext, the receiver needs to finish seven general hash operations, two scalar multiplication operations in πΊΜ, one symmetric encryption operation, and one exclusive or operation. Therefore, the runtime of the receiver in our scheme is 2 × ππ πβπΊΜ + 7 × ππβ + 2ππ π = 6.714 ms.
In the proposed CLAMRE scheme, to encrypt a given message π, the sender needs to perform the following operations: 2π times addition in πΊΜ, 2π + 1 times scalar multiplication in πΊΜ, π + 2 times general hash, and one exclusive or operation. Therefore, in our CLAMRE scheme, the runtime of the sender is (2π + 1) × ππ πβπΊΜ + 2π × ππππβπΊΜ + (π + 2) × ππβ + ππ π = (2π + 1) × 3.335 + 2π × 0.014 + (π + 2) × 0.006 + 0.001 = (6.704 × π + 3.348) ms. In order to get plaintext from the received ciphertext, the receiver needs to finish three general hash operations, two scalar multiplication operations in πΊΜ, and one exclusive or operation. Therefore, the runtime of the receiver in our scheme is 2 × ππ πβπΊΜ + 3 × ππβ + ππ π = 6.689 ms.
We list the runtime of encryption and decryption in Hung et al.'s scheme, He et al.'s scheme, and our scheme in Table 2. For a more intuitive understanding, we also present the runtime of multiencryption algorithms in Figure 2. According to comparisons in Table 2 and Figure 2, we can conclude that the proposed CLAMRE scheme has much less runtime in both encryption and decryption than the recent scheme. Therefore, our proposed CLAMRE scheme has better performance.
Table 2: Comparison of runtime (milliseconds).

| Scheme | Encryption | Decryption |
|---|---|---|
| Hung's scheme | 95.372 × π + 0.013 | 46.149 |
| He's scheme | 10.044 × π + 3.348 | 6.714 |
| Our scheme | 6.704 × π + 3.348 | 6.689 |

Figure 2: Runtime comparison of multiencryption (milliseconds). [Plot of the runtime of multi-encryption (milliseconds) against the number of receivers for Hung et al.'s scheme, He et al.'s scheme, and our scheme.]
7. Conclusion
In order to keep up with the rapid development of mobile Internet, in this study, we proposed an efficient CLAMRE scheme using the elliptic curve cryptography. By comparing with recent literature, it shows that our scheme has better performance. We also demonstrate that the proposed CLAMRE scheme provides message confidentiality and protects the privacy of receiver under the random oracle model with the difficulties of decision Diffie-Hellman problem and against the adversaries defined in CL-PKC system. In summary, our CL-MRE scheme has the following merits: (1) in encryption and decryption process, not using bilinear pairing and probabilistic HTP hash function; (2) achieving confidentiality of message and protecting the privacy of receiver; (3) resisting all known security attacks; (4) low computation and communication costs; (5) avoidance of private key escrow problem and public key certificate management; (6) provable security against IND-sMID-CCA and ANON-IND-sID-CCA under the random oracle.
Data Availability
The data used in our manuscript was the runtime of some cryptographic operations. He et al. have implemented the runtime of the relevant operations on a mobile phone (Samsung Galaxy S5 with a Quad-core 2.45G processor, 2G bytes memory, and the Google Android 4.4.2 operating system) using a famous cryptographic library (MIRACL) in literature [30]. The data (the runtime of some cryptographic operations) used to support the findings of this study is derived from literature [29, 30].
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.
Acknowledgments This research is supported by the National Natural Science Foundation of China under Grant no. 61562012; the Innovation Group Major Research Projects of Department of Education of Guizhou Province under Grant no. KY[2016]026.
References
[1] Z. Fu, K. Ren, J. Shu, X. Sun, and F. Huang, “Enabling personalized search over encrypted outsourced data with efficiency improvement,” IEEE Transactions on Parallel and Distributed Systems, vol. 27, no. 9, pp. 2546–2559, 2016.
[2] Z. Fu, X. Sun, Q. Liu, L. Zhou, and J. Shu, “Achieving efficient cloud search services: multi-keyword ranked search over encrypted cloud data supporting parallel computing,” IEICE Transactions on Communications, vol. E98B, no. 1, pp. 190–200, 2015.
[3] Z. Xia, X. Wang, X. Sun, Q. Liu, and Q. Wang, “A secure and dynamic multi-keyword ranked search scheme over encrypted cloud data,” IEEE Transactions on Parallel and Distributed Systems, vol. 27, no. 2, pp. 340–352, 2016.
[4] X. Huang, Y. Xiang, E. Bertino, J. Zhou, and L. Xu, “Robust multi-factor authentication for fragile communications,” IEEE Transactions on Dependable and Secure Computing, vol. 11, no. 6, pp. 568–581, 2014.
[5] P. Guo, J. Wang, B. Li, and S. Lee, “A variable threshold-value authentication architecture for wireless mesh networks,” Journal of Internet Technology, vol. 15, no. 6, pp. 929–935, 2014.
[6] J. Shen, H. Tan, J. Wang, J. Wang, and S. Lee, “A novel routing protocol providing good transmission reliability in underwater sensor networks,” Journal of Internet Technology, vol. 16, no. 1, pp. 171–178, 2015.
[7] X. Huang, Y. Xiang, A. Chonka, J. Zhou, and R. H. Deng, “A generic framework for three-factor authentication: Preserving security and privacy in distributed systems,” IEEE Transactions on Parallel and Distributed Systems, vol. 22, no. 8, pp. 1390–1397, 2011.
[8] Y. Ren, J. Shen, J. Wang, J. Han, and S. Lee, “Mutual verifiable provable data auditing in public cloud storage,” Journal of Internet Technology, vol. 16, no. 2, pp. 317–323, 2015.
[9] J. Wang, X. Chen, X. Huang, I. You, and Y. Xiang, “Verifiable auditing for outsourced database in cloud computing,” Institute of Electrical and Electronics Engineers. Transactions on Computers, vol. 64, no. 11, pp. 3293–3303, 2015.
[10] C.-C. Lee, Y.-M. Lai, C.-L. Chen, and L. A. Chen, “A novel designated verifier signature scheme based on bilinear pairing,” Information Technology and Control, vol. 42, no. 3, pp. 247–252, 2013.
[11] K. Kurosawa, “Multi-recipient Public-Key Encryption with Shortened Ciphertext,” in Public Key Cryptography, vol. 2274 of Lecture Notes in Computer Science, pp. 48–63, Springer, Berlin, Germany, 2002.
[12] M. Bellare, A. Boldyreva, and S. Micali, “Public-key encryption in a multi-user setting: security proofs and improvements,” in Advances in Cryptology (EUROCRYPT 2000), B. Preneel, Ed., vol. 1807 of Lecture Notes in Computer Science, pp. 259–274, Springer, Berlin, Germany, 2000.
[13] Y. Dodis and N. Fazio, “Public key broadcast encryption for stateless receivers,” in Security and Privacy in Digital Rights Management, ACM CCS-9 Workshop, J. Feigenbaum, Ed., vol. 2696 of Lecture Notes in Computer Science, pp. 61–80, Springer, Berlin, Germany, 2003.
[14] K. Kurosawa, “Multi-recipient Public-Key Encryption with Shortened Ciphertext,” in Public Key Cryptography, vol. 2274 of Lecture Notes in Computer Science, pp. 48–63, Springer Berlin Heidelberg, Berlin, Germany, 2002.
[15] M. Bellare, A. Boldyreva, and D. Pointcheval, “Multirecipient encryption schemes: security notions and randomness re-use,” in Proceedings of the Advances in Cryptology (PKC 03), LNCS 2567, pp. 85–99, Miami, Florida, USA, 2003.
[16] J. Baek, R. Safavi-Naini, and W. Susilo, “Efficient multi-receiver identity-based encryption and its application to broadcast encryption,” in Public Key Cryptography - PKC 2005, vol. 3386 of Lecture Notes in Computer Science, pp. 380–397, Springer, Berlin, Germany, 2005.
[17] S. Chatterjee and P. Sarkar, “Multi-receiver identity-based key encapsulation with shortened ciphertext,” in Progress in Cryptology - INDOCRYPT 2006, vol. 4329 of Lecture Notes in Computer Science, pp. 394–408, Springer, Berlin, Germany, 2006.
[18] J. H. Park and D. H. Lee, “Security analysis of a multireceiver identity-based key encapsulation mechanism,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E92-A, no. 1, pp. 329–331, 2009.
[19] H. Wang, P. Zeng, and K.-K. R. Choo, “MDMR-IBE: Efficient multiple domain multi-receiver identity-based encryption,” Security and Communication Networks, vol. 7, no. 11, pp. 1641–1651, 2014.
[20] C. Fan I, L. Huang Y, and H. Ho P, “Anonymous multireceiver identity-based encryption,” IEEE Transactions on Computers, vol. 59, no. 9, pp. 1239–1249, 2010.
[21] H.-Y. Chien, “Improved anonymous multi-receiver identity-based encryption,” The Computer Journal, vol. 55, no. 4, pp. 439–446, 2012.
[22] H. Wang, “Insecurity of improved anonymous multi-receiver identity-based encryption,” The Computer Journal, vol. 57, no. 4, pp. 636–638, 2014.
[23] J. Zhang and J. Mao, “An improved anonymous multi-receiver identity-based encryption scheme,” International Journal of Communication Systems, vol. 28, no. 4, pp. 645–658, 2015.
[24] S. S. Al-Riyami and K. G. Paterson, “Certificateless public key cryptography,” in Advances in Cryptology-ASIACRYPT, vol. 2894 of Lecture Notes in Computer Science, pp. 452–473, Springer, 2003.
[25] Y. Chen, W. Xu, and H. Xiong, “Strongly secure certificateless key-insulated signature secure in the standard model,” Annals of Telecommunications-Annales des Télécommunications, vol. 70, no. 9-10, pp. 395–405, 2015.
[26] H. Du and Q. Wen, “Certificateless proxy multi-signature,” Information Sciences, vol. 276, pp. 21–30, 2014.
[27] S. H. Islam, M. K. Khan, and A. M. Al-Khouri, “Anonymous and provably secure certificateless multireceiver encryption without bilinear pairing,” Security and Communication Networks, vol. 8, no. 13, pp. 2214–2231, 2015.
[28] Y. Hung, S. Huang, Y. Tseng, and T. Tsai, “Efficient Anonymous Multireceiver Certificateless Encryption,” IEEE Systems Journal, vol. 11, no. 4, pp. 2602–2613, 2017.
[29] D. He, H. Wang, L. Wang, J. Shen, and X. Yang, “Efficient certificateless anonymous multi-receiver encryption scheme for mobile devices,” Soft Computing, vol. 21, no. 22, pp. 6801–6810, 2017.
[30] D. He, S. Zeadally, N. Kumar, and W. Wu, “Efficient and Anonymous Mobile User Authentication Protocol Using Self-Certified Public Key Cryptography for Multi-Server Architectures,” IEEE Transactions on Information Forensics and Security, vol. 11, no. 9, pp. 2052–2064, 2016.