INTERNATIONAL JOURNAL OF COMMUNICATION SYSTEMS
Int. J. Commun. Syst. 2014; 27:1034–1050
Published online 29 June 2012 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/dac.2395
Privacy-preserving multireceiver ID-based encryption with provable security

Yuh-Min Tseng1,*,†, Yi-Hung Huang2 and Hui-Ju Chang2

1 Department of Mathematics, National Changhua University of Education, Jin-De Campus, Chang-Hua 500, Taiwan, R.O.C.
2 Department of Mathematics Education, National Taichung University of Education, Taichung 403, Taiwan, R.O.C.
SUMMARY

Multireceiver identity (ID)-based encryption and ID-based broadcast encryption allow a sender to use the public identities of multiple receivers to encrypt messages so that only the selected receivers, or a privileged set of users, can decrypt them. They can be used for many practical applications such as digital content distribution, pay-per-view and multicast communication. To protect the privacy of receivers, or to provide receiver anonymity, several privacy-preserving (or anonymous) multireceiver ID-based encryption and ID-based broadcast encryption schemes were recently proposed, in which receiver anonymity means that nobody (including any selected receiver), except the sender, knows who the other selected receivers are. However, security incompleteness or flaws were found in these schemes. In this paper, we propose a new privacy-preserving multireceiver ID-based encryption scheme with provable security. We formally prove that the proposed scheme is semantically secure with respect to both confidentiality and receiver anonymity. Compared with the previously proposed anonymous multireceiver ID-based encryption and ID-based broadcast encryption schemes, the proposed scheme has better performance and more robust security. Copyright © 2012 John Wiley & Sons, Ltd.

Received 14 February 2012; Revised 29 May 2012; Accepted 30 May 2012

KEY WORDS: privacy; anonymity; ID-based; multireceiver encryption; provable security
1. INTRODUCTION

With the rapid growth of communication and distributed environments, many applications such as digital content distribution, pay-per-view and multicast communication require a cryptographic mechanism that allows a sender to encrypt messages for a set of receivers so that only the privileged receivers in the set can decrypt them. The concrete cryptographic mechanism may be broadcast encryption [1–4] or multireceiver public key encryption [5–7], either of which can prevent unauthorized access and protect application data. Both kinds of encryption scheme also aim at better performance than multiple single-receiver encryptions. If some authorized receiver is removed from the set, the system should revoke its capability for future decryption. Because the set of authorized receivers can change dynamically over time, these schemes have to address the key management problem to prevent unauthorized access.

The concept of broadcast encryption was first introduced by Fiat and Naor [1] in 1993. A broadcast encryption scheme consists of a broadcast center (or data provider) and a set of users (or subscribers) holding private keys. The broadcast center encrypts a message (or digital content) using a random symmetric encryption key and then embeds the symmetric encryption key into ciphertexts (also called header information). Any authorized receiver may use his/her own private key to compute the symmetric encryption key and then decrypt the message. The study of broadcast encryption has received much attention from researchers, and many broadcast encryption schemes [2–4] have been proposed. To date, the best known broadcast encryption scheme is that of Boneh et al. [4], which achieves sublinear-size ciphertexts and public keys, or constant-size ciphertexts and linear-size public keys.

In 2000, Bellare et al. [5] first formalized the notion of semantic security for multireceiver public key encryption. To improve computational efficiency and network bandwidth, Kurosawa [6] adopted a 'randomness reuse' technique to construct a multireceiver public key encryption scheme based on the ElGamal public key encryption scheme [8]. Bellare et al. [7] further presented a general test for examining whether a given public key encryption scheme permits secure randomness reuse when constructing the corresponding multireceiver public key encryption scheme.

Broadcast encryption schemes can be implemented under either a secret key setting or a public key setting. However, broadcast encryption schemes in the secret key setting are inherently not scalable, because the number of shared keys that any sender needs to hold grows linearly with the number of potential receivers. By contrast, both broadcast encryption schemes in the public key setting and multireceiver public key encryption schemes generally provide better scalability. In addition, anyone in a multireceiver public key encryption scheme is able to act as a sender, and the sender may freely choose its receivers. Hence, a multireceiver public key encryption scheme can be transformed into a natural broadcast encryption scheme.

*Correspondence to: Yuh-Min Tseng, Department of Mathematics, National Changhua University of Education, Jin-De Campus, Chang-Hua 500, Taiwan, R.O.C.
† E-mail: ymtseng@cc.ncue.edu.tw
Certainly, a public key infrastructure must be established for the public key setting, in which certificates create the mapping between users' identities and their associated public keys to ensure the validity of the latter. In 1984, the concept of the identity (ID)-based setting was first introduced by Shamir [9]; it uses a user's identity (e.g., name, e-mail address, or social security number) as the user's public key, which eliminates the need for certificates and simplifies key management. When an ID-based public key setting is incorporated into broadcast encryption and multireceiver encryption, the resulting schemes are referred to as ID-based broadcast encryption (IBBE) and multireceiver ID-based encryption (MIBE), respectively.

Besides encryption efficiency, protecting the privacy of receivers is also an important issue [10–13]. In many situations, an authorized receiver does not want to reveal its identity to the other receivers, only to the sender (or broadcast center). One example is a pay-per-view system in which a subscriber wants to hide his/her personal viewing selections with regard to sensitive content. Another interesting application is that many commercial sites hope to protect the identities of their customers against competitors who would like to learn their potential customers for targeted advertising. Recently, the study of privacy-preserving (or anonymous) MIBE and IBBE schemes has received much attention from cryptographic researchers. In this paper, we focus on the design of a privacy-preserving MIBE scheme with high performance and robust security.

1.1. Related work

In 2001, Boneh and Franklin [14, 15] followed Shamir's idea to construct the first practical ID-based encryption (IBE) scheme from the Weil pairing. Subsequently, a large number of papers have been published in various areas of ID-based cryptography [16–24].
Consider a situation where Boneh and Franklin's IBE scheme [14, 15] is used for multiple receivers: when a sender would like to encrypt a message for t receivers, the sender must encrypt the message t times using Boneh and Franklin's IBE scheme. As a result, t expensive pairing operations are required for the repeated encryptions. Afterward, many IBBE [25–30] and MIBE [31–33] schemes have been proposed to improve the performance of encryption for multiple receivers. In 2005, Wang and Wu [25] proposed an IBBE scheme in which only one dedicated group center is allowed to broadcast messages. Later on, Lee et al. [26] and Yang et al. [27] independently proposed several IBBE schemes. However, their schemes did not address the member joining and leaving problem, so these schemes were not scalable. In 2007, Delerablée [28] proposed an efficient IBBE scheme with constant-size ciphertexts and private keys, but its public key size grows linearly with the maximum size of a privileged subset of receivers. Delerablée's scheme achieves only selective-ID chosen plaintext (CPA) security. In 2009, Ren and Gu [29] tried to extend Delerablée's scheme to a new IBBE scheme secure against adaptive-ID chosen ciphertext attacks (CCA). Note that a CCA-secure encryption scheme provides more robust security than a CPA-secure encryption scheme [14, 15]. Unfortunately, Ren and Gu's scheme has been shown to be insecure [30]. In 2005, Baek et al. [31] proposed an efficient MIBE scheme providing selective-ID CPA security. By using the REACT transformation method proposed by Okamoto and Pointcheval [34], they also presented a second MIBE scheme, which is secure against selective-ID CCA attacks. In addition, they discussed how the proposed MIBE schemes lead to the associated IBBE schemes. Their MIBE schemes have a ciphertext size linear in the number of selected receivers. In 2006, Chatterjee and Sarkar [32] proposed an efficient MIBE scheme with sublinear ciphertext size, but it increases the private key size of each user because of a tradeoff between ciphertext size and private key size. Unfortunately, Park et al. [33] showed that Chatterjee and Sarkar's MIBE scheme does not provide confidentiality. Nevertheless, none of the MIBE or IBBE schemes mentioned above provides receiver anonymity or addresses the privacy-protection problem. Receiver anonymity (or privacy protection) means that each user can examine whether he/she is one of the selected receivers, but nobody (except the sender) knows who the other selected receivers are. In 2010, Fan et al. [11] proposed an anonymous MIBE scheme to provide receiver anonymity. They claimed that their scheme achieves anonymity of any selected receiver against the other selected receivers. Unfortunately, Chien [12] demonstrated that any selected receiver can extract the identities of the other selected receivers. Meanwhile, Chien also presented an improvement on Fan et al.'s anonymous MIBE scheme, but gave only heuristic arguments for its security. Very recently, Hur et al. [13] proposed a privacy-preserving IBBE scheme, but their scheme provides only selective-ID CPA security, and each receiver requires three expensive pairing operations to decrypt messages.
1.2. Contribution

Because the security notions of receiver anonymity defined by Fan et al. [11] cannot capture the semantics of a multireceiver setting [12], it is not surprising that Fan et al.'s scheme did not achieve its claimed anonymity. In [11], Fan et al. presented the security notions (i.e., confidentiality and receiver anonymity) of an anonymous MIBE scheme. For confidentiality, they followed definitions similar to those in [31], namely 'indistinguishability of encryptions against selective multi-ID chosen plaintext attack' (IND-sMID-CPA) and 'indistinguishability of encryptions against selective multi-ID chosen ciphertext attack' (IND-sMID-CCA). For receiver anonymity, they defined 'anonymous indistinguishability of encryptions under selective-ID chosen plaintext attacks' (ANON-IND-sID-CPA) and 'anonymous indistinguishability of encryptions under selective-ID chosen ciphertext attacks' (ANON-IND-sID-CCA). Although Chien [12] found flaws in the ANON-IND-sID-CPA and ANON-IND-sID-CCA games of [11], he did not give new formal definitions for receiver anonymity. In this article, we redefine the security notions of a privacy-preserving MIBE scheme, including the ANON-IND-sID-CPA and ANON-IND-sID-CCA attacks. We then propose a new privacy-preserving MIBE scheme secure against the IND-sMID-CCA and ANON-IND-sID-CCA attacks under the Gap Bilinear Diffie–Hellman (Gap-BDH) assumption [31, 35]. In the random oracle model [36, 37], we formally prove that the proposed scheme is semantically secure under the redefined security notions. Comparisons are made to demonstrate that the proposed scheme has better performance and more robust security than the previously proposed privacy-preserving (or anonymous) MIBE schemes [11, 12] and IBBE scheme [13].
1.3. Organization

The rest of the paper is organized as follows. Preliminaries are given in Section 2. We formally define the framework and security notions of a privacy-preserving MIBE scheme in Section 3. Then a concrete privacy-preserving MIBE scheme is presented in Section 4. We analyze the security of the proposed scheme in Section 5. Section 6 gives comparisons and discussions. Section 7 draws the conclusions.

2. PRELIMINARIES

In this section, we briefly review the properties of bilinear pairings and several relevant security assumptions on which our proposed scheme is based.

2.1. Bilinear pairings

Let $G_1$ be an additive cyclic group of large prime order $q$ and $G_2$ be a multiplicative cyclic group of the same order $q$. In particular, $G_1$ is a subgroup of the group of points on an elliptic curve over a finite field and $G_2$ is a subgroup of the multiplicative group of a finite field. Let $P$ be a generator of $G_1$. A bilinear pairing is a map $\hat{e}: G_1 \times G_1 \to G_2$ that satisfies the following properties:
(1) Bilinear: $\hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$ for all $P, Q \in G_1$ and $a, b \in Z_q$.
(2) Nondegenerate: there exist $P, Q \in G_1$ such that $\hat{e}(P, Q) \neq 1$.
(3) Computable: for $P, Q \in G_1$, there exists an efficient algorithm to compute $\hat{e}(P, Q)$.
A bilinear map that satisfies the above three properties is called an admissible bilinear map. Such nondegenerate admissible bilinear maps can be obtained from the Weil, Tate or Ate pairings over supersingular elliptic curves or abelian varieties [14, 15, 21]. Some results on the relationship between security levels and the speed of pairing computations on microprocessors were presented in [38, 39].

2.2. Security problems and assumptions

Here, we present several mathematical hard problems and define the security assumptions on which our proposed scheme is based.

Bilinear Diffie–Hellman (BDH) problem [14]: Given $P, aP, bP, cP \in G_1$ for unknown $a, b, c \in Z_q$, compute $\hat{e}(P, P)^{abc} \in G_2$.

Decision Bilinear Diffie–Hellman (DBDH) problem [40]: Given $P, aP, bP, cP \in G_1$ for unknown $a, b, c \in Z_q$, and $R \in G_2$, decide whether $\hat{e}(P, P)^{abc} = R$.

Gap-BDH problem [31, 35]: Given $P, aP, bP, cP \in G_1$ for unknown $a, b, c \in Z_q$, compute $\hat{e}(P, P)^{abc} \in G_2$ with the help of the DBDH oracle.

Definition 1 (BDH assumption) [14]. Given $P, aP, bP, cP \in G_1$ for unknown $a, b, c \in Z_q$, there exists no probabilistic polynomial-time (PPT) adversary A with non-negligible advantage $\varepsilon$ within running time $\tau$ that can compute $\hat{e}(P, P)^{abc} \in G_2$. The advantage of the adversary A is defined as
$$\mathrm{Adv}^{BDH}(A) = \Pr\left[A(P, aP, bP, cP) = \hat{e}(P, P)^{abc}\right] > \varepsilon,$$
where the probability is over the random choices consumed by the adversary A. We say that the $(\varepsilon, \tau)$-BDH assumption holds if there exists no PPT adversary A with non-negligible advantage $\varepsilon$ within running time $\tau$ in solving the BDH problem.

Definition 2 (DBDH assumption) [40]. Given $P, aP, bP, cP \in G_1$ for unknown $a, b, c \in Z_q$, and $R \in G_2$, there exists no PPT adversary A with non-negligible advantage $\varepsilon$ within running time $\tau$ that can decide whether $\hat{e}(P, P)^{abc} = R$ or not. The advantage of the adversary A is defined as
$$\mathrm{Adv}^{DBDH}(A) = \left|\Pr\left[A(P, aP, bP, cP, \hat{e}(P, P)^{abc}) = 1\right] - \Pr\left[A(P, aP, bP, cP, R) = 1\right]\right| > \varepsilon,$$
where the probability is over the random choices consumed by the adversary A. We say that the $(\varepsilon, \tau)$-DBDH assumption holds if there exists no PPT adversary A with non-negligible advantage $\varepsilon$ within running time $\tau$ in solving the DBDH problem.

Definition 3 (Gap-BDH assumption) [31, 35]. Given $P, aP, bP, cP \in G_1$ for unknown $a, b, c \in Z_q$, there exists no PPT adversary A with non-negligible advantage $\varepsilon$ within running time $\tau$ that can compute $\hat{e}(P, P)^{abc} \in G_2$ with the help of the DBDH oracle. The DBDH oracle, given $(P, aP, bP, cP, R)$, outputs 1 if $\hat{e}(P, P)^{abc} = R$ and 0 otherwise. The advantage of the adversary A is defined as
$$\mathrm{Adv}^{Gap\text{-}BDH}(A) = \Pr\left[A(P, aP, bP, cP) = \hat{e}(P, P)^{abc}\right] > \varepsilon,$$
where the probability is over the random choices consumed by the adversary A. We say that the $(\varepsilon, q_g, \tau)$-Gap-BDH assumption holds if there exists no PPT adversary A with non-negligible advantage $\varepsilon$ within running time $\tau$ that makes $q_g$ DBDH-oracle queries in solving the Gap-BDH problem.

3. FRAMEWORK AND SECURITY NOTIONS

In a privacy-preserving (or anonymous) MIBE scheme, any sender can encrypt a message for multiple receivers (identities). Everyone can obtain the ciphertext, but only the selected receivers may decrypt it, and no selected receiver can learn the identities of the other selected receivers. Without loss of generality, a sender would like to send a message $m$ to $t$ receivers with identities $ID_i$, $1 \le i \le t$, which results in a ciphertext. Upon receiving the ciphertext, these selected receivers can recover the message $m$ while receiver anonymity is preserved. In the following, we formally present the framework and security notions of a privacy-preserving MIBE scheme.

3.1. Framework

Here, we define the formal framework of a privacy-preserving MIBE scheme. Note that the framework is the same as that of a general MIBE scheme.
Definition 4. A privacy-preserving (or anonymous) MIBE is a 4-tuple of polynomial-time algorithms (G, KE, ME, DE), denoted by $\Pi$:
- System setup algorithm G is a probabilistic algorithm that takes as input a security parameter $l$. It returns a system secret key $s$ and public parameters Parms. The public parameters Parms are made public and are implicit inputs to all the following algorithms.
- Key extract algorithm KE is a deterministic algorithm that takes as input the system secret key $s$ and a user's identity $ID \in \{0, 1\}^*$, and returns the user's secret key $D_{ID}$.
- Multi-encryption algorithm ME takes as input a message $m$ and multiple identities $(ID_1, ID_2, \ldots, ID_t)$. The sender runs the algorithm to generate a ciphertext $C$. We write $C = \mathrm{ME}(\mathrm{Parms}, (ID_1, ID_2, \ldots, ID_t), m)$.
- Decryption algorithm DE is a deterministic algorithm that takes as input one selected receiver's secret key $D_{ID_i}$ and a ciphertext $C$. It outputs a decryption value $D$, which is either a plaintext $m$ or the message 'reject'. We denote $D = \mathrm{DE}(\mathrm{Parms}, D_{ID_i}, C)$.

3.2. Security notions

In the following, we define the security notions of a privacy-preserving MIBE scheme, which include confidentiality and receiver anonymity. For confidentiality, we follow definitions similar to those of multireceiver ID-based encryption in [31], namely IND-sMID-CPA and IND-sMID-CCA. By redefining the security definitions of receiver anonymity in [11], the security notions also include ANON-IND-sID-CPA and ANON-IND-sID-CCA. A CCA-secure encryption scheme provides more robust security than a CPA-secure encryption scheme [14, 15]; that is, a CCA-secure encryption scheme is certainly a CPA-secure encryption scheme. Note that here we consider the 'selective identity attack' [11, 31, 40], in which an attacker must output the target identities in advance, before the system setup phase; this is slightly weaker than the adaptive identity model proposed in [14, 15].

Definition 5 (IND-sMID-CCA). A privacy-preserving MIBE $\Pi$ is said to be IND-sMID-CCA secure if no PPT adversary A has a non-negligible advantage in the following IND-sMID-CCA game played between a challenger B and the adversary A.
- Phase 1. The adversary A outputs target multiple identities $(ID_1, ID_2, \ldots, ID_t)$, where $t$ is a positive integer.
- Setup. The challenger B runs the system setup algorithm G to produce a system secret key $s$ and public parameters Parms. Then the challenger B gives Parms to A and keeps the system secret key $s$ to itself.
- Phase 2. The adversary A may make a number of different queries to the challenger B in an adaptive manner as follows:
Key extract query. Upon receiving this query with a user identity $ID_j$, the challenger B runs the key extract algorithm KE to return the user's secret key $D_{ID_j}$ to A. The restriction here is that $ID_j \neq ID_i$ for $i = 1, 2, \ldots, t$.
Decryption query. The adversary A issues decryption queries for target identities, denoted by $(C, ID_i)$ for some $i \in \{1, 2, \ldots, t\}$. Upon receiving the decryption query, the challenger B runs the key extract algorithm KE to obtain the secret key $D_{ID_i}$. The challenger B returns $D = \mathrm{DE}(\mathrm{Parms}, D_{ID_i}, C)$ to A.
- Challenge. The adversary A outputs a target plaintext pair $(m_0, m_1)$. Upon receiving $(m_0, m_1)$, the challenger B randomly chooses $\beta \in \{0, 1\}$ and generates a target ciphertext $C^* = \mathrm{ME}(\mathrm{Parms}, (ID_1, ID_2, \ldots, ID_t), m_\beta)$.
The challenger B then returns $C^*$ to the adversary A.
- Phase 3. The adversary A may make a number of key extract queries and decryption queries as in Phase 2. The restriction here is that the adversary A is not allowed to issue the target ciphertext $C^*$ as a decryption query.
- Guess. The adversary A outputs its guess $\beta' \in \{0, 1\}$ and wins the IND-sMID-CCA game if $\beta = \beta'$.
The advantage of the adversary A is defined as the probability that A wins. Such an adversary A is referred to as an IND-sMID-CCA adversary. The advantage of the IND-sMID-CCA adversary A is defined as
$$\mathrm{Adv}^{IND\text{-}sMID\text{-}CCA}_{\Pi}(A) = \left|\Pr[\beta = \beta'] - \tfrac{1}{2}\right|.$$
A privacy-preserving MIBE $\Pi$ is said to be $(\varepsilon, \tau)$-IND-sMID-CCA secure if no PPT adversary A has a non-negligible advantage $\varepsilon$ within running time $\tau$. In the IND-sMID-CPA game, the adversary A is not allowed to issue the decryption queries of Phases 2 and 3 of the IND-sMID-CCA game above. It is obvious that an encryption scheme with IND-sMID-CCA security is stronger than one with IND-sMID-CPA security: if a privacy-preserving MIBE scheme offers CCA security, it must satisfy CPA security.

Definition 6 (IND-sMID-CPA). A privacy-preserving MIBE $\Pi$ is said to be IND-sMID-CPA secure if no PPT adversary A has a non-negligible advantage in the IND-sMID-CPA game played between a challenger B and the adversary A.

In the following, we redefine the security notions of receiver anonymity, namely the ANON-IND-sID-CPA and ANON-IND-sID-CCA security games of [11], so that they take the multireceiver setting into consideration.
Definition 7 (ANON-IND-sID-CCA). A privacy-preserving MIBE $\Pi$ is said to be ANON-IND-sID-CCA secure if no PPT adversary A has a non-negligible advantage in the following ANON-IND-sID-CCA game played between a challenger B and the adversary A.
- Phase 1. The adversary A outputs a target identity pair $(ID_1, ID_2)$. Upon receiving the target identity pair $(ID_1, ID_2)$, the challenger B randomly chooses $\beta \in \{1, 2\}$.
- Setup. The challenger B runs the system setup algorithm G to produce a system secret key $s$ and public parameters Parms. Then the challenger B gives Parms to A and keeps the system secret key $s$ to itself.
- Phase 2. The adversary A may make a number of different queries to the challenger B in an adaptive manner as follows:
Key extract query. Upon receiving this query with a user's identity $ID_j$, the challenger B runs the key extract algorithm KE to return the secret key $D_{ID_j}$ to A. The restriction here is that $ID_j \neq ID_i$ for $i = 1, 2$.
Decryption query. The adversary A issues decryption queries for target identities, denoted by $(C, ID_i)$ for some $i \in \{1, 2\}$. Upon receiving the decryption query, the challenger B first runs the key extract algorithm KE to obtain the secret key $D_{ID_i}$. The challenger B returns $D = \mathrm{DE}(\mathrm{Parms}, D_{ID_i}, C)$ to A.
- Challenge. The adversary A outputs a target plaintext $m$ and a set of identities $\{ID_3, \ldots, ID_t\}$, where $t \ge 3$. The challenger B generates a target ciphertext $C^* = \mathrm{ME}(\mathrm{Parms}, (ID_\beta, ID_3, \ldots, ID_t), m)$. The challenger B then returns $C^*$ to the adversary A.
- Phase 3. The adversary A may make a number of key extract queries and decryption queries as in Phase 2. The restriction here is that the adversary A is not allowed to issue the target ciphertext $C^*$ as a decryption query.
- Guess. The adversary A outputs its guess $\beta' \in \{1, 2\}$ and wins the ANON-IND-sID-CCA game if $\beta = \beta'$.
The advantage of the adversary A is defined as the probability that A wins. Such an adversary A is referred to as an ANON-IND-sID-CCA adversary.
The advantage of the ANON-IND-sID-CCA adversary A is defined as
$$\mathrm{Adv}^{ANON\text{-}IND\text{-}sID\text{-}CCA}_{\Pi}(A) = \left|\Pr[\beta = \beta'] - \tfrac{1}{2}\right|.$$
A privacy-preserving MIBE $\Pi$ is said to be $(\varepsilon, \tau)$-ANON-IND-sID-CCA secure if no PPT adversary A has a non-negligible advantage $\varepsilon$ within running time $\tau$. In the ANON-IND-sID-CPA security game, the adversary A is not allowed to issue the decryption queries of Phases 2 and 3 of the ANON-IND-sID-CCA game above. It is also obvious that an encryption scheme with ANON-IND-sID-CCA security is stronger than one with ANON-IND-sID-CPA security: if a privacy-preserving MIBE scheme offers ANON-IND-sID-CCA security, it must satisfy ANON-IND-sID-CPA security.

Definition 8 (ANON-IND-sID-CPA). A privacy-preserving MIBE $\Pi$ is said to be ANON-IND-sID-CPA secure if no PPT adversary A has a non-negligible advantage in the ANON-IND-sID-CPA game played between a challenger B and the adversary A.

4. CONCRETE SCHEME

Our privacy-preserving MIBE scheme consists of the 4-tuple of polynomial-time algorithms (G, KE, ME, DE), namely the system setup, key extract, multi-encryption and decryption algorithms. We describe them in detail as follows:
- System setup: Given a security parameter $l$, a trusted private key generator (PKG) generates two groups $G_1$ and $G_2$ of prime order $q > 2^l$, an admissible bilinear map $\hat{e}: G_1 \times G_1 \to G_2$ and a generator $P$ of $G_1$. The PKG randomly chooses a system secret key $s \in Z_q$ and computes $P_{pub} = sP \in G_1$ as the system public key. The PKG picks four hash functions $H_0: \{0,1\}^* \to G_1$, $H_1: G_2 \to Z_q$, $H_2: Z_q \to \{0,1\}^w$ and $H_3: \{0,1\}^* \times \{0,1\}^w \times Z_q \times \cdots \times Z_q \times G_1 \times \{0,1\}^w \times \{0,1\}^* \to Z_q$, for some positive integer $w$. Secure symmetric encryption and decryption functions are denoted by $E_{sk}(\cdot)$ and $D_{sk}(\cdot)$, respectively, where $sk$ is the symmetric key [41]. The public parameters and functions are $\mathrm{Params} = \{G_1, G_2, \hat{e}, P, P_{pub}, H_0, H_1, H_2, H_3, E, D\}$.
- Key extract: For a given user's identity $ID \in \{0,1\}^*$, the PKG computes $Q_{ID} = H_0(ID)$ and the associated secret key $D_{ID} = sQ_{ID} \in G_1$. Then $D_{ID}$ is transmitted to the user via a secure channel.
- Multi-encryption: A sender would like to send a message $m$ to multiple identities $(ID_1, ID_2, \ldots, ID_t)$. The sender performs the following tasks:
(1) Choose a random $r \in Z_q$ and compute $U = rP$ and $T = rP_{pub}$.
(2) Compute $Q_{ID_i} = H_0(ID_i)$ and $v_i = H_1(\hat{e}(Q_{ID_i}, T))$ for $i = 1, \ldots, t$.
(3) Choose a random $k \in Z_q$ and construct a polynomial $f(x)$ of degree $t$ as
$$f(x) = \prod_{i=1}^{t}(x - v_i) + k \pmod q = c_0 + c_1 x + \cdots + c_{t-1} x^{t-1} + x^t,$$
where $c_i \in Z_q$.
(4) Set the ciphertext to be $C = \langle (c_0, c_1, \ldots, c_{t-1}), U, V, \sigma \rangle$, that is,
$$C = \langle (c_0, c_1, \ldots, c_{t-1}),\ rP,\ E_{H_2(k)}(m),\ H_3(m, k, c_0, c_1, \ldots, c_{t-1}, U, V) \rangle.$$
- Decryption: Upon receiving $C = \langle (c_0, c_1, \ldots, c_{t-1}), U, V, \sigma \rangle$, a selected receiver with identity $ID_j$ ($j \le t$) can use his/her secret key $D_{ID_j}$ to perform the following tasks:
(1) Compute $v_j = H_1(\hat{e}(D_{ID_j}, U))$.
(2) Set the polynomial $f(x)$ of degree $t$ as $f(x) = c_0 + c_1 x + \cdots + c_{t-1} x^{t-1} + x^t$ and compute $k = f(v_j)$ [42].
(3) Compute $m = D_{H_2(k)}(V)$ and $\sigma' = H_3(m, k, c_0, c_1, \ldots, c_{t-1}, U, V)$.
(4) Test whether $\sigma' = \sigma$. If it holds, accept the message $m$; otherwise output 'reject'.

In the following, we show the correctness of decryption for a selected receiver with secret key $D_{ID_j}$ ($j \le t$). Because
$$H_1(\hat{e}(D_{ID_j}, U)) = H_1(\hat{e}(sQ_{ID_j}, rP)) = H_1(\hat{e}(Q_{ID_j}, rP_{pub})) = H_1(\hat{e}(Q_{ID_j}, T)) = v_j,$$
we have
$$k = f(v_j) = c_0 + c_1 v_j + \cdots + c_{t-1} v_j^{t-1} + v_j^t = \prod_{i=1}^{t}(v_j - v_i) + k \pmod q,$$
since the factor with $i = j$ vanishes. Thus, we have $m = D_{H_2(k)}(V)$.

5. SECURITY ANALYSIS

Here, we show that the proposed privacy-preserving MIBE scheme is provably secure against the IND-sMID-CCA and ANON-IND-sID-CCA attacks defined in Section 3.2. In the IND-sMID-CPA security game, the adversary cannot issue the decryption queries of Phases 2 and 3 of the IND-sMID-CCA game. Because an encryption scheme with CCA security is stronger than one with CPA security, the proposed scheme is also secure against the IND-sMID-CPA and ANON-IND-sID-CPA attacks once it has been shown to be secure against the IND-sMID-CCA and ANON-IND-sID-CCA attacks.
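The concrete scheme of Section 4, run end to end in Python as an added example (not the authors' code): setup, key extract, multi-encryption with the polynomial $f(x) = \prod(x - v_i) + k$, and decryption with the $H_3$ check. It assumes a deliberately insecure stand-in pairing ($G_1 = Z_q$ written additively with $P = 1$, $G_2$ the order-$q$ subgroup of $Z_p^*$, $\hat{e}(A, B) = g^{AB} \bmod p$), SHA-256-based $H_0$ to $H_3$, and a SHA-256 keystream XOR standing in for $E_{sk}/D_{sk}$; the stand-in satisfies the three pairing properties of Section 2.1 but gives no security, because discrete logarithms in $Z_q$ are trivial.

```python
import hashlib
import secrets

# Toy pairing parameters (constructed; NOT secure). p = 1000000007 is prime and
# q = (p - 1) / 2 = 500000003, so g = 5^2 mod p generates the order-q subgroup
# of Z_p^*.  G1 is Z_q written additively with generator P = 1.
P_MOD = 1000000007
Q = 500000003
G2_GEN = pow(5, 2, P_MOD)
P = 1

def pair(A, B):
    """Stand-in for the admissible bilinear map e^(A, B) = g^(A*B) mod p."""
    return pow(G2_GEN, (A * B) % Q, P_MOD)

def _h(tag, *parts):
    h = hashlib.sha256(tag)
    for part in parts:                       # length-prefix every field
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

def _enc(x):
    return x.to_bytes(8, "big")

def H0(ID):      # {0,1}^* -> G1, a non-zero element of Z_q
    return int.from_bytes(_h(b"H0", ID), "big") % (Q - 1) + 1

def H1(X):       # G2 -> Z_q
    return int.from_bytes(_h(b"H1", _enc(X)), "big") % Q

def H2(k):       # Z_q -> {0,1}^w with w = 256: the symmetric key sk
    return _h(b"H2", _enc(k))

def H3(m, k, c, U, V):   # (m, k, c_0..c_{t-1}, U, V) -> Z_q: the tag sigma
    return int.from_bytes(_h(b"H3", m, _enc(k), *map(_enc, c), _enc(U), V), "big") % Q

def sym(sk, data):
    """E_sk / D_sk stand-in: XOR with a SHA-256 counter keystream (self-inverse)."""
    out = bytearray()
    for blk in range(0, len(data), 32):
        ks = hashlib.sha256(sk + blk.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[blk:blk + 32], ks))
    return bytes(out)

def build_poly(vs, k):
    """f(x) = prod_i (x - v_i) + k mod q as [c_0, ..., c_{t-1}]; the leading
    coefficient c_t = 1 is implicit, as in the paper's ciphertext."""
    coeffs = [1]                                   # the constant polynomial 1
    for v in vs:                                   # multiply by (x - v)
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i] = (nxt[i] - c * v) % Q
            nxt[i + 1] = (nxt[i + 1] + c) % Q
        coeffs = nxt
    coeffs[0] = (coeffs[0] + k) % Q
    return coeffs[:-1]

def eval_poly(c, x):
    """Horner evaluation of c_0 + c_1 x + ... + c_{t-1} x^{t-1} + x^t mod q."""
    acc = 1                                        # implicit c_t = 1
    for coef in reversed(c):
        acc = (acc * x + coef) % Q
    return acc

def setup():
    s = secrets.randbelow(Q - 1) + 1               # system secret key s
    return s, (s * P) % Q                          # (s, P_pub = sP)

def key_extract(s, ID):
    return (s * H0(ID)) % Q                        # D_ID = s * Q_ID

def multi_encrypt(ppub, ids, m):
    r = secrets.randbelow(Q - 1) + 1
    U, T = (r * P) % Q, (r * ppub) % Q
    vs = [H1(pair(H0(ID), T)) for ID in ids]       # v_i = H1(e^(Q_IDi, T))
    k = secrets.randbelow(Q)
    c = build_poly(vs, k)
    V = sym(H2(k), m)
    return (c, U, V, H3(m, k, c, U, V))            # <(c_0..c_{t-1}), U, V, sigma>

def decrypt(d_id, C):
    """Returns the plaintext, or None for the paper's 'reject'."""
    c, U, V, sigma = C
    v = H1(pair(d_id, U))                          # v_j = H1(e^(D_IDj, U))
    k = eval_poly(c, v)                            # k = f(v_j) for a selected receiver
    m = sym(H2(k), V)
    return m if H3(m, k, c, U, V) == sigma else None

def bilinear_check(a, b, A, B):
    """Property (1) of Section 2.1 for the stand-in map."""
    return pair((a * A) % Q, (b * B) % Q) == pow(pair(A, B), (a * b) % Q, P_MOD)

if __name__ == "__main__":
    s, ppub = setup()
    ids = [b"alice@example.org", b"bob@example.org", b"carol@example.org"]  # constructed
    C = multi_encrypt(ppub, ids, b"pay-per-view session key")
    print([decrypt(key_extract(s, ID), C) for ID in ids])        # three copies of m
    print(decrypt(key_extract(s, b"mallory@example.org"), C))    # None: not a receiver
```

The ciphertext carries only the coefficients $c_0, \ldots, c_{t-1}$ and never the receivers' identities, which is where receiver anonymity comes from; an unselected identity evaluates $f$ away from its roots, derives a wrong $k$ and fails the $H_3$ check.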
5.1. Confidentiality

We now prove that the proposed scheme is IND-sMID-CCA secure in the random oracle model [36, 37] under the hardness of the Gap-BDH problem [31, 35] defined in Section 2.2 and the semantic security of the symmetric encryption scheme [41].

Theorem 1. In the random oracle model and under the semantic security of the symmetric encryption scheme, assume that an IND-sMID-CCA adversary A has a non-negligible advantage $\varepsilon$ against the proposed scheme within running time $\tau$, asking $q_i$ queries to the random oracles $H_i$ ($i = 0, 1, 2, 3$), $q_e$ queries to the key extract oracle and $q_d$ queries to the decryption oracle. Then the Gap-BDH problem can be solved with non-negligible advantage
$$\varepsilon' \ge \varepsilon - \frac{q_d}{q}$$
within running time $\tau' \le \tau + (q_0 + q_e)\,O(\tau_1) + (t q_1 + q_1 q_d)\,O(1)$, where $\tau_1$ is the time to perform a scalar multiplication in $G_1$, $t$ is the number of multiple identities and $q_g \ge t q_1 + q_1 q_d$ is the number of queries to the DBDH oracle.

Proof. Suppose that an algorithm B receives a random instance $(P, aP, bP, cP)$ of the Gap-BDH problem, in which $P, aP, bP, cP \in G_1$ for unknown $a, b, c \in Z_q$. Meanwhile, algorithm B may make at most $q_g$ queries to the DBDH oracle of the Gap-BDH problem. The task of algorithm B is to compute $\hat{e}(P, P)^{abc}$ by interacting with the adversary A in the IND-sMID-CCA game presented in Definition 5. B plays the challenger in the IND-sMID-CCA game and executes and answers each phase of the game as follows:
- Phase 1. Assume that the adversary A outputs target multiple identities $(ID_1, ID_2, \ldots, ID_t)$, where $t$ is a positive integer.
- Setup. The challenger B sets $Q = aP$ and $P_{pub} = bP$. Then B selects secure symmetric encryption and decryption functions denoted by $E_{sk}(\cdot)$ and $D_{sk}(\cdot)$, where $sk$ is a symmetric key [39]. The challenger B gives $\mathrm{Params} = \{G_1, G_2, \hat{e}, P, P_{pub}, H_0, H_1, H_2, H_3, E, D\}$ to the adversary A. Here the hash functions $H_i$ ($i = 0, 1, 2, 3$) are random oracles controlled by the challenger B. For the adversary A's hash queries, the challenger B uses lists $L_i$ ($i = 0, 1, 2, 3$) to record the results of the hash functions $H_i$ ($i = 0, 1, 2, 3$), respectively.
H0 query. Upon receiving this query with $ID_j$, the challenger B first scans the list $L_0$ to check whether this input was already defined in $L_0$. If it was, the previously defined value is returned to A. Otherwise, B performs the following tasks:
(1) Select a random value $u_j \in Z_q$.
(2) If $ID_j = ID_i$ for some $i \in \{1, \ldots, t\}$, compute $Q_{ID_j} = u_j Q \in G_1$; otherwise, compute $Q_{ID_j} = u_j P \in G_1$.
(3) Insert the tuple $(ID_j, u_j, Q_{ID_j})$ into the list $L_0$.
Then the challenger B returns $Q_{ID_j}$ to A.
H1 query. Upon receiving this query with $X_j \in G_2$ for some $j \in [1, q_1]$, the challenger B first scans the list $L_1$ to check whether the input was already defined in $L_1$. If it was, the previously defined value is returned to A. Otherwise, B checks the tuple $(P, Q_{ID_i}, P_{pub}, cP, X_j)$ using the DBDH oracle for $i = 1, 2, \ldots, t$, where $Q_{ID_i} = u_i Q \in G_1$ is obtained by issuing an $H_0$ query. If the oracle returns 1 for some $i$, the challenger B outputs $(X_j)^{u_i^{-1}}$ and terminates the game, because B has obtained the value $\hat{e}(P, P)^{abc}$. Otherwise, B selects a value $x_j \in Z_q$ and inserts the tuple $(X_j, x_j)$ into the list $L_1$. Then B returns $x_j$ to the adversary A.
$H_2$ query. When an element $k_j \in Z_q$ is submitted to the $H_2$ oracle for some $j \in [1, q_2]$, $B$ first scans $L_2$ to check whether the input was already defined. If it was, the previously defined value is returned to $A$. Otherwise, $B$ randomly picks a bit string $w_j \in \{0, 1\}^w$, inserts the tuple $(k_j, w_j)$ into $L_2$ and returns $w_j$ to $A$.

$H_3$ query. When a tuple $\langle m_j, k_j, c_{j,0}, c_{j,1}, \ldots, c_{j,t-1}, U_j, V_j \rangle$ is submitted to the $H_3$ oracle for some $j \in [1, q_3]$, $B$ scans $L_3$ to check whether the tuple was already defined. If it was, the previously defined value is returned to $A$. Otherwise, $B$ selects a random value $\sigma_j \in Z_q$, inserts the tuple $\langle m_j, k_j, c_{j,0}, c_{j,1}, \ldots, c_{j,t-1}, U_j, V_j, \sigma_j \rangle$ into $L_3$ and returns $\sigma_j$ to $A$.

- Phase 2. In this phase, the adversary $A$ adaptively makes a number of key extract and decryption queries to the challenger $B$ as follows.

Key extract query. Upon receiving this query with $ID_j \ne ID_i$ for all $i \in \{1, 2, \ldots, t\}$, $B$ first scans $L_0$ to check whether the tuple $(ID_j, u_j, Q_{ID_j})$ was already defined. If it was, $B$ computes $D_{ID_j} = u_j P_{pub}$. Otherwise, $B$ randomly selects a value $u_j \in Z_q$, computes $Q_{ID_j} = u_j P$ and $D_{ID_j} = u_j P_{pub}$, and inserts the tuple $(ID_j, u_j, Q_{ID_j})$ into $L_0$. Finally, $B$ returns $D_{ID_j}$ to $A$.

Decryption query. The adversary $A$ issues decryption queries for the target identities, denoted by $(C_j, ID_i)$ for some $i \in \{1, 2, \ldots, t\}$, where $C_j = \langle (c_{j,0}, c_{j,1}, \ldots, c_{j,t-1}), U_j, V_j, \sigma_j \rangle$. Note that the return values of the hash functions used here are obtained from the hash queries above. Upon receiving the decryption query, $B$ performs the following tasks:
(1) Use $\langle (c_{j,0}, c_{j,1}, \ldots, c_{j,t-1}), U_j, V_j, \sigma_j \rangle$ to scan the list $L_3$. If no matching entry is found, $B$ returns 'failure' and halts. Otherwise, $B$ obtains $(m_j, k_j)$ from $L_3$.
(2) Set the polynomial $f(x)$ of degree $t$ as $f(x) = c_{j,0} + c_{j,1} x + \cdots + c_{j,t-1} x^{t-1} + x^t$.
(3) Use $ID_i$ to pick the tuple $(ID_i, u_i, Q_{ID_i})$ from $L_0$ to get $u_i$ and $Q_{ID_i}$.
(4) For $l = 1, \ldots, q_1$, do the following: (i) pick the tuple $(X_l, x_l)$ from $L_1$; (ii) check whether the BDDH oracle accepts $(P, Q_{ID_i}, P_{pub}, U_j, X_l)$.
(5) If the check holds for some $l$, compute $k_l = f(x_l)$ and $m_l = D_{H_2(k_l)}(V_j)$.
(6) Test whether $m_l = m_j$. If it holds, return $m_j$ to $A$. Otherwise, return 'failure' and halt; this case means that $A$ did not follow the proposed scheme to generate a valid ciphertext.

- Challenge. The adversary $A$ outputs a target plaintext pair $(m_0, m_1)$. Upon receiving $(m_0, m_1)$, $B$ randomly chooses $\beta \in \{0, 1\}$ and performs the following tasks. Note that the return values of the hash functions used here are obtained from the hash queries above.
(1) Set $U = cP$.
(2) Choose random $z_i \in Z_q$ for $i = 1, \ldots, t$ (these random roots take the place of $v_i = H_1(\hat{e}(U, D_{ID_i}))$, which $B$ cannot compute for the target identities).
(3) Choose a random $k \in Z_q$ and construct the polynomial $f(x)$ of degree $t$ as
$$f(x) = \prod_{i=1}^{t} (x - z_i) + k \pmod q = c_0 + c_1 x + \cdots + c_{t-1} x^{t-1} + x^t, \quad c_i \in Z_q.$$
(4) Return the ciphertext $C^* = \langle (c_0, c_1, \ldots, c_{t-1}), U, V, \sigma \rangle = \langle (c_0, c_1, \ldots, c_{t-1}), cP, E_{H_2(k)}(m_\beta), H_3(m_\beta, k, c_0, c_1, \ldots, c_{t-1}, U, V) \rangle$.

- Phase 3. The adversary $A$ makes a number of key extract queries and decryption queries as in Phase 2. The restriction here is that $A$ is not allowed to issue the target ciphertext $C^*$ as a decryption query.

- Guess. The adversary $A$ outputs its guess $\beta' \in \{0, 1\}$ and wins the game if $\beta' = \beta$.
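The polynomial key hiding and the $H_3$ validity check that the challenge and the decryption-query simulation above manipulate, written out as an added example (this is not code from the paper). It implements only the $Z_q$ layer of the ciphertext $\langle (c_0, \ldots, c_{t-1}), U, V, \sigma \rangle$: the pairing is not implemented, so each receiver's value $v_i = H_1(\hat{e}(U, D_{ID_i}))$ is derived from a constructed byte string standing in for the $G_2$ element. The prime $q$, the SHA-256/SHAKE-256 instantiations of $H_1$, $H_2$, $H_3$ and of $E_{sk}/D_{sk}$, and all sample inputs are assumptions of the example.

```python
"""Added example: polynomial key hiding f(x) = prod (x - v_i) + k and the
H3 check of the MIBE ciphertext. Pairing layer not implemented (assumption:
v_i values are supplied as inputs derived from constructed byte strings)."""
import hashlib
import secrets

Q = (1 << 127) - 1  # assumed prime group order q (a Mersenne prime; any prime works)


def H1(g2_element: bytes) -> int:
    """H1: G2 -> Z_q, modelled as SHA-256 of the encoded G2 element reduced mod q."""
    return int.from_bytes(hashlib.sha256(b"H1|" + g2_element).digest(), "big") % Q


def H2(k: int) -> bytes:
    """H2: Z_q -> {0,1}^w symmetric key (w = 256 here)."""
    return hashlib.sha256(b"H2|" + k.to_bytes(16, "big")).digest()


def H3(m: bytes, k: int, coeffs: list, U: bytes, V: bytes) -> int:
    """H3(m, k, c_0, ..., c_{t-1}, U, V) -> Z_q; fields are length-prefixed."""
    h = hashlib.sha256(b"H3|")
    parts = [m, k.to_bytes(16, "big"), *[c.to_bytes(16, "big") for c in coeffs], U, V]
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % Q


def sym_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for E_sk / D_sk: a SHAKE-256 keystream XORed onto the data.
    k (hence the key) is fresh per ciphertext, so the keystream is never reused."""
    keystream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def poly_from_roots(roots: list, k: int) -> list:
    """f(x) = prod_i (x - v_i) + k mod q, returned as [c_0, ..., c_{t-1}];
    the leading coefficient of x^t is 1 and is not transmitted."""
    coeffs = [1]                      # the constant polynomial 1
    for v in roots:                   # multiply the running product by (x - v)
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i + 1] = (nxt[i + 1] + c) % Q     # c * x
            nxt[i] = (nxt[i] - c * v) % Q         # c * (-v)
        coeffs = nxt
    coeffs[0] = (coeffs[0] + k) % Q   # add the hidden session key k
    return coeffs[:-1]                # drop the implicit leading 1


def eval_poly(coeffs: list, x: int) -> int:
    """Horner evaluation of c_0 + c_1 x + ... + c_{t-1} x^{t-1} + x^t mod q."""
    acc = 1
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def encrypt(shared_values: list, U: bytes, m: bytes):
    """Sender side: hide a fresh k so that f(v_i) = k for every selected
    receiver, encrypt m under H2(k) and bind everything with H3."""
    k = secrets.randbelow(Q)
    coeffs = poly_from_roots(shared_values, k)
    V = sym_xor(H2(k), m)
    sigma = H3(m, k, coeffs, U, V)
    return (coeffs, U, V, sigma)


def decrypt(ciphertext, v: int):
    """Receiver side with its own v = H1(e(U, D_ID)): recover k = f(v), decrypt,
    and reject unless the H3 tag verifies (the validity check of the scheme)."""
    coeffs, U, V, sigma = ciphertext
    k = eval_poly(coeffs, v)
    m = sym_xor(H2(k), V)
    if H3(m, k, coeffs, U, V) != sigma:
        return None                   # invalid ciphertext, or v is not a selected receiver's value
    return m


def demo() -> bool:
    """Constructed sample run: four selected receivers, one outsider, one tampered ciphertext."""
    receivers = [H1(b"constructed-pairing-value-" + bytes([i])) for i in range(4)]
    outsider = H1(b"constructed-pairing-value-outsider")
    m = b"constructed sample content key"
    ct = encrypt(receivers, b"constructed-U", m)
    all_receivers_decrypt = all(decrypt(ct, v) == m for v in receivers)
    outsider_rejected = decrypt(ct, outsider) is None
    coeffs, U, V, sigma = ct
    tampered = ([(coeffs[0] + 1) % Q] + coeffs[1:], U, V, sigma)
    tamper_rejected = decrypt(tampered, receivers[0]) is None
    return all_receivers_decrypt and outsider_rejected and tamper_rejected and len(coeffs) == len(receivers)


if __name__ == "__main__":
    print("demo ok:", demo())
```

Every selected receiver evaluates $f$ at its own root and obtains the same $k$; an identity outside the set evaluates $f$ at a non-root, obtains an unrelated value and is rejected by the $H_3$ comparison, which is the same test the simulator performs in step (6) of the decryption query. The ciphertext carries $t$ elements of $Z_q$ plus $U$ and $\sigma$, matching the transmission size $(t+1)|q| + |G_1|$ claimed for the scheme.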
As shown in the simulation above, the challenger $B$ simulates the hash functions $H_i$ ($i = 0, 1, 2, 3$) as random oracles. Meanwhile, the secret key $D_{ID_j}$ associated with each $ID_j \ne ID_i$ created in the key extract query is distributed identically to the key in the real attack environment, because $D_{ID_j} = u_j P_{pub} = u_j sP = s\,u_j P = s\,H_0(ID_j)$. Thus, $B$ perfectly simulates the key extract query in Phases 2 and 3.

In the following, we assess the challenger $B$'s advantage. When handling a decryption query, if $\langle (c_{j,0}, c_{j,1}, \ldots, c_{j,t-1}), U_j, V_j, \sigma_j \rangle$ cannot be found in $L_3$, $B$ returns 'failure' and halts; this happens only if $A$ guessed a correct output value of the hash function $H_3$ without querying it. With $q_d$ queries to the decryption oracle, the failure probability of $B$ is therefore at most $q_d/q$. If the adversary $A$ wins the IND-sMID-CCA game with a non-negligible advantage, then with non-negligible probability $B$ has received an $H_1$ query with some $X_j$ as input for which one of the BDDH oracle queries $(P, Q_{ID_i}, P_{pub}, cP, X_j)$, $i = 1, \ldots, t$, returns 1. As in the $H_1$ query, $B$ then obtains $X_j^{1/u_i} = \hat{e}(P, P)^{abc}$, where $(ID_i, u_i, Q_{ID_i})$ is taken from $L_0$. Hence, if the IND-sMID-CCA adversary $A$ has a non-negligible advantage $\varepsilon$ against the proposed scheme, the Gap-BDH problem can be solved with a non-negligible advantage $\varepsilon' \ge \varepsilon - q_d/q$. Finally, for answering the queries in the simulation above, the required computation time is $\tau' \le \tau + (q_0 + q_e)\,O(\tau_1) + (t\,q_1 + q_1 q_d)\,O(1)$, where $\tau_1$ is the time to perform a scalar multiplication in $G_1$, $t$ is the number of target identities and $q_g \ge t\,q_1 + q_1 q_d$ is the maximum number of queries to the BDDH oracle.

5.2. Receiver anonymity

Under the hardness of the Gap-BDH problem [31, 35] and the semantic security of the symmetric encryption scheme [41], we prove that the proposed scheme is ANON-IND-sID-CCA secure in the random oracle model [36, 37].

Theorem 2. In the random oracle model and under the semantic security of the symmetric encryption scheme, assume that an ANON-IND-sID-CCA adversary $A$ has a non-negligible advantage $\varepsilon$ against the proposed scheme within running time $\tau$, asking $q_i$ queries to the random oracles $H_i$ ($i = 0, 1, 2, 3$), $q_e$ queries to the key extract oracle and $q_d$ queries to the decryption oracle. Then the Gap-BDH problem can be solved with a non-negligible advantage
$$\varepsilon' \ge \varepsilon - \frac{q_d}{q}$$
within running time $\tau' \le \tau + (q_0 + q_e)\,O(\tau_1) + (2 q_1 + q_1 q_d)\,O(1)$, where $\tau_1$ is the time to perform a scalar multiplication in $G_1$ and $q_g \ge 2 q_1 + q_1 q_d$ is the number of queries to the BDDH oracle.

Proof. Suppose that an algorithm $B$ receives a random instance $(P, aP, bP, cP)$ of the Gap-BDH problem, in which $P, aP, bP, cP \in G_1$ for unknown $a, b, c \in Z_q$. Meanwhile, $B$ may make at most $q_g$ queries to the BDDH oracle of the Gap-BDH problem. The task of $B$ is to compute $\hat{e}(P, P)^{abc}$ by interacting with the adversary $A$ in the ANON-IND-sID-CCA game presented in Definition 7. $B$ plays the challenger in the ANON-IND-sID-CCA game and executes and answers each phase of the game as follows.

- Phase 1. The adversary $A$ outputs a target identity pair $(ID_1, ID_2)$. Upon receiving the target identity pair, the challenger $B$ randomly chooses $\beta \in \{1, 2\}$.
- Setup. The challenger $B$ sets $Q = aP$ and $P_{pub} = bP$. Then $B$ selects secure symmetric encryption and decryption functions $E_{sk}(\cdot)$ and $D_{sk}(\cdot)$, where $sk$ is a symmetric key [41], and gives $Params = \{G_1, G_2, \hat{e}, P, P_{pub}, H_0, H_1, H_2, H_3, E, D\}$ to $A$. The hash functions $H_i$ ($i = 0, 1, 2, 3$) are random oracles controlled by $B$; to answer $A$'s hash queries, $B$ again uses lists $L_i$ ($i = 0, 1, 2, 3$) to record the results of $H_i$, respectively.

$H_0$ query. Upon receiving this query with $ID_j$, $B$ first scans $L_0$ to check whether the input was already defined. If it was, the previously defined value is returned to $A$. Otherwise, $B$ performs the following tasks: (1) select a random value $u_j \in Z_q$; (2) if $ID_j = ID_i$ for some $i \in \{1, 2\}$, compute $Q_{ID_j} = u_j Q \in G_1$, otherwise compute $Q_{ID_j} = u_j P \in G_1$; (3) insert the tuple $(ID_j, u_j, Q_{ID_j})$ into $L_0$. Then $B$ returns $Q_{ID_j}$ to $A$.

$H_1$ query. Upon receiving this query with $X_j \in G_2$ for some $j \in [1, q_1]$, $B$ first scans $L_1$ to check whether the input was already defined. If it was, the previously defined value is returned to $A$. Otherwise, $B$ checks, for $i = 1, 2$, whether the BDDH oracle accepts $(P, Q_{ID_i}, P_{pub}, cP, X_j)$, where $Q_{ID_i} = u_i Q \in G_1$ is obtained by issuing an $H_0$ query. If it does for some $i$, $B$ returns $X_j^{1/u_i}$ and terminates the game, because $B$ has obtained $X_j^{1/u_i} = \hat{e}(P, P)^{abc}$. Otherwise, $B$ selects a random value $x_j \in Z_q$, inserts the tuple $(X_j, x_j)$ into $L_1$ and returns $x_j$ to $A$.

$H_2$ query. When an element $k_j \in Z_q$ is submitted to the $H_2$ oracle for some $j \in [1, q_2]$, $B$ first scans $L_2$ to check whether the input was already defined. If it was, the previously defined value is returned to $A$. Otherwise, $B$ randomly picks a bit string $w_j \in \{0, 1\}^w$, inserts the tuple $(k_j, w_j)$ into $L_2$ and returns $w_j$ to $A$.

$H_3$ query. When a tuple $\langle m_j, k_j, c_{j,0}, c_{j,1}, \ldots, c_{j,t-1}, U_j, V_j \rangle$ is submitted to the $H_3$ oracle for some $j \in [1, q_3]$, $B$ scans $L_3$ to check whether the tuple was already defined. If it was, the previously defined value is returned to $A$. Otherwise, $B$ selects a random value $\sigma_j \in Z_q$, inserts the tuple $\langle m_j, k_j, c_{j,0}, c_{j,1}, \ldots, c_{j,t-1}, U_j, V_j, \sigma_j \rangle$ into $L_3$ and returns $\sigma_j$ to $A$.

- Phase 2. In this phase, the adversary $A$ adaptively makes a number of key extract and decryption queries to the challenger $B$ as follows.

Key extract query. Upon receiving the query with $ID_j \ne ID_i$ for $i \in \{1, 2\}$, $B$ first scans $L_0$ to check whether the tuple $(ID_j, u_j, Q_{ID_j})$ was already defined. If it was, $B$ computes $D_{ID_j} = u_j P_{pub}$. Otherwise, $B$ randomly selects a value $u_j \in Z_q$, computes $Q_{ID_j} = u_j P$ and $D_{ID_j} = u_j P_{pub}$, and inserts the tuple $(ID_j, u_j, Q_{ID_j})$ into $L_0$. Finally, $B$ returns $D_{ID_j}$ to $A$.

Decryption query. The adversary $A$ issues decryption queries for the target identities, denoted by $(C_j, ID_i)$ for some $i \in \{1, 2\}$, where $C_j = \langle (c_{j,0}, c_{j,1}, \ldots, c_{j,t-1}), U_j, V_j, \sigma_j \rangle$. Note that the return values of the hash functions used here are obtained from the hash queries above. Upon receiving the decryption query, $B$ performs the following tasks:
(1) Use $\langle (c_{j,0}, c_{j,1}, \ldots, c_{j,t-1}), U_j, V_j, \sigma_j \rangle$ to scan the list $L_3$. If no matching entry is found, $B$ returns 'failure' and halts. Otherwise, $B$ obtains $(m_j, k_j)$ from $L_3$.
(2) Set the polynomial $f(x)$ of degree $t$ as $f(x) = c_{j,0} + c_{j,1} x + \cdots + c_{j,t-1} x^{t-1} + x^t$.
(3) Use $ID_i$ to pick the tuple $(ID_i, u_i, Q_{ID_i})$ from $L_0$ to get $u_i$ and $Q_{ID_i}$.
(4) For $l = 1, \ldots, q_1$, do the following: (i) pick the tuple $(X_l, x_l)$ from $L_1$; (ii) check whether the BDDH oracle accepts $(P, Q_{ID_i}, P_{pub}, U_j, X_l)$.
(5) If the check holds for some $l$, compute $k_l = f(x_l)$ and $m_l = D_{H_2(k_l)}(V_j)$.
(6) Test whether $m_l = m_j$. If it holds, return $m_j$ to $A$. Otherwise, return 'failure' and halt; this case means that $A$ did not follow the proposed scheme to generate a valid ciphertext.
- Challenge. Without loss of generality, the adversary $A$ outputs a target plaintext $m$ and a set of identities $\{ID_3, \ldots, ID_t\}$, where $t \ge 3$. Note that the return values of the hash functions used here are obtained from the hash queries above. The challenger $B$ performs the following tasks:
(1) Set $U = cP$.
(2) For $i = 3, \ldots, t$, get $u_i$ from the tuple $(ID_i, u_i, Q_{ID_i})$ in $L_0$ and compute $v_i = H_1(\hat{e}(U, u_i P_{pub}))$ (since $ID_i \notin \{ID_1, ID_2\}$, $Q_{ID_i} = u_i P$ and hence $D_{ID_i} = u_i P_{pub}$).
(3) Choose a random $z \in Z_q$; it plays the role of $v_\beta = H_1(\hat{e}(U, D_{ID_\beta}))$, which $B$ cannot compute.
(4) Choose a random $k \in Z_q$ and construct the polynomial $f(x)$ of degree $t - 1$ as
$$f(x) = (x - z) \prod_{i=3}^{t} (x - v_i) + k \pmod q = c_0 + c_1 x + \cdots + c_{t-2} x^{t-2} + x^{t-1}, \quad c_i \in Z_q.$$
(5) Return the ciphertext $C^* = \langle (c_0, c_1, \ldots, c_{t-2}), U, V, \sigma \rangle = \langle (c_0, c_1, \ldots, c_{t-2}), cP, E_{H_2(k)}(m), H_3(m, k, c_0, c_1, \ldots, c_{t-2}, U, V) \rangle$.

- Phase 3. The adversary $A$ makes a number of key extract queries and decryption queries as in Phase 2. The restriction here is that $A$ is not allowed to issue the target ciphertext $C^*$ as a decryption query.

- Guess. The adversary $A$ outputs its guess $\beta' \in \{1, 2\}$ and wins the game if $\beta' = \beta$.

From the simulation above, the challenger $B$ simulates the hash functions $H_i$ ($i = 0, 1, 2, 3$) and the key extract query exactly as in Theorem 1. In the following, we assess $B$'s advantage. When handling a decryption query, if $\langle (c_{j,0}, c_{j,1}, \ldots, c_{j,t-1}), U_j, V_j, \sigma_j \rangle$ cannot be found in $L_3$, $B$ returns 'failure' and halts; this happens only if $A$ guessed a correct output value of the hash function $H_3$ without querying it. With $q_d$ queries to the decryption oracle, the failure probability of $B$ is therefore at most $q_d/q$. If the adversary $A$ wins the ANON-IND-sID-CCA game with a non-negligible advantage, then with non-negligible probability $B$ has received an $H_1$ query with some $X_j$ as input for which one of the BDDH oracle queries $(P, Q_{ID_i}, P_{pub}, cP, X_j)$, $i = 1, 2$, returns 1. As in the $H_1$ query, $B$ then obtains $X_j^{1/u_i} = \hat{e}(P, P)^{abc}$, where $(ID_i, u_i, Q_{ID_i})$ is taken from $L_0$. Hence, if the ANON-IND-sID-CCA adversary $A$ has a non-negligible advantage $\varepsilon$ against the proposed scheme, the Gap-BDH problem can be solved with a non-negligible advantage $\varepsilon' \ge \varepsilon - q_d/q$. Finally, for answering the queries in the simulation above, the required computation time is $\tau' \le \tau + (q_0 + q_e)\,O(\tau_1) + (2 q_1 + q_1 q_d)\,O(1)$, where $\tau_1$ is the time to perform a scalar multiplication in $G_1$ and $q_g \ge 2 q_1 + q_1 q_d$ is the number of queries to the BDDH oracle.
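The two identities that the challenge above relies on, written out in the scheme's own symbols as an added derivation (not part of the original proof). With $P_{pub} = bP$, $U = cP$ and $Q_{ID_i} = u_i P$ for a non-target identity, bilinearity gives

$$v_i = H_1\big(\hat{e}(Q_{ID_i}, P_{pub})^{c}\big) = H_1\big(\hat{e}(u_i P, bP)^{c}\big) = H_1\big(\hat{e}(P, P)^{u_i b c}\big) = H_1\big(\hat{e}(cP, u_i\,bP)\big) = H_1\big(\hat{e}(U, u_i P_{pub})\big),$$

which $B$ can evaluate from $u_i$, $bP$ and $cP$ alone; this is step (2). For a target identity $Q_{ID_\beta} = u_\beta Q = u_\beta aP$ the corresponding value is

$$v_\beta = H_1\big(\hat{e}(u_\beta aP, bP)^{c}\big) = H_1\big(\hat{e}(P, P)^{u_\beta abc}\big),$$

whose argument $B$ cannot compute without $\hat{e}(P, P)^{abc}$; hence the random root $z$ in step (3), and hence an $H_1$ query on $X = \hat{e}(P, P)^{u_\beta abc}$ hands $B$ the Gap-BDH solution $X^{1/u_\beta}$. Finally, for any selected receiver $i \in \{3, \ldots, t\}$,

$$f(v_i) = (v_i - z) \prod_{l=3}^{t} (v_i - v_l) + k = k \pmod q,$$

because the factor with $l = i$ vanishes, so every selected receiver recovers the same $k$, while a value $v$ that is not a root yields $f(v) = k + (v - z)\prod_{l=3}^{t}(v - v_l) \ne k$ unless $v$ collides with one of the $t - 1$ roots, an event of probability at most $(t-1)/q$ for an $H_1$ output.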
6. PERFORMANCE COMPARISONS AND DISCUSSIONS

In this section, we compare our scheme with the previously proposed anonymous MIBE schemes [11, 12] and the privacy-preserving IBBE scheme [13]. Performance simulation results [43–45] have demonstrated that bilinear pairing, scalar multiplication in $G_1$, exponentiation in $G_2$ and map-to-point hash function operations are more time-consuming than the other operations. Because the plaintext message (or digital content) is encrypted/decrypted with the secure symmetric encryption/decryption functions and all the mentioned schemes require the same processes, we omit the computational cost and transmission size of the employed symmetric encryption/decryption functions. For convenience, the following notations are used to analyse the computational cost and transmission size.

$T_{Ge}$: the time of executing a bilinear pairing operation $\hat{e}: G_1 \times G_1 \to G_2$.
$T_{Gmul}$: the time of executing a scalar multiplication in $G_1$ or an exponentiation in $G_2$.
$T_{GH}$: the time of executing the map-to-point hash function $H_0(\cdot)$.
$|u|$: the bit length of a data element $u$.
$t$: the number of receivers.
$w$: the bit length of a symmetric encryption/decryption key.

Table I. Comparisons between our scheme and the previously proposed schemes.

Fan et al. [11]: computational cost for encryption $T_{Ge} + (t^2 + t + 3)\,T_{Gmul} + t\,T_{GH}$; computational cost for decryption (each receiver) $2\,T_{Ge} + (t - 1)\,T_{Gmul}$; transmission size $(t + 2)|G_1| + w$; receiver anonymity: No; provable security: Broken.
Chien [12]: computational cost for encryption $t\,T_{Ge} + (t + 2)\,T_{Gmul} + t\,T_{GH}$; computational cost for decryption (each receiver) $T_{Ge} + t\,T_{Gmul}$; transmission size $(t + 2)|G_1| + w$; receiver anonymity: Yes; provable security: Heuristic.
Hur et al. [13]: computational cost for encryption $(t + 1)\,T_{Ge} + (t + 3)\,T_{Gmul} + t\,T_{GH}$; computational cost for decryption (each receiver) $3\,T_{Ge} + T_{Gmul}$; transmission size $(t + 2)|G_1|$; receiver anonymity: Yes; provable security: Only CPA.
Our scheme: computational cost for encryption $t\,T_{Ge} + 2\,T_{Gmul} + t\,T_{GH}$; computational cost for decryption (each receiver) $T_{Ge}$; transmission size $(t + 1)|q| + |G_1|$; receiver anonymity: Yes; provable security: CPA and CCA.
Table I lists the comparisons among the schemes of Fan et al. [11], Chien [12], Hur et al. [13] and the proposed privacy-preserving MIBE scheme in terms of the computational cost of encryption/decryption, transmission size, anonymity property and security properties. For the encryption/decryption processes, our scheme outperforms the previously proposed schemes [11–13]. For communication efficiency, the transmission size of our scheme is also smaller than that of the previously proposed schemes because $|q| < |G_1|$. In addition, Chien [12] has shown that the scheme of Fan et al. is unable to offer receiver anonymity. In Chien's scheme, only heuristic arguments were given for the security analysis. The scheme of Hur et al. [13] was shown to be secure only against IND-sMID-CPA and ANON-IND-sID-CPA attacks. As shown in Section 5, our privacy-preserving MIBE scheme is secure against IND-sMID-CCA and ANON-IND-sID-CCA attacks, for confidentiality and receiver anonymity, respectively. Because our scheme offers CCA-level security, it also provides CPA-level security, as mentioned in Section 3.2. Thus, we say that the proposed privacy-preserving MIBE scheme offers robust security.

We note that all existing privacy-preserving (or anonymous) IBBE or MIBE schemes were constructed in the random oracle model [36, 37]. Although constructions in the random oracle model offer better performance, the resulting schemes can be insecure when the random oracles are instantiated with concrete hash functions [46]. To date, no privacy-preserving IBBE or MIBE scheme without random oracles has been proposed, and constructing a provably secure privacy-preserving IBBE or MIBE scheme in the standard model (without random oracles) is an interesting open problem. In addition, to the best of our knowledge, no existing privacy-preserving MIBE or IBBE scheme, with or without random oracles, is secure in the adaptive-ID model. We leave this as another interesting open problem.
7. CONCLUSIONS

In this article, we redefined the security notions of receiver anonymity for a privacy-preserving MIBE scheme so that they model the attacker's abilities in a real attack environment. We proposed a new privacy-preserving MIBE scheme with better performance and robust security. In the random oracle model, we have shown that the proposed scheme is semantically secure against IND-sMID-CCA and ANON-IND-sID-CCA attacks under the Gap-BDH assumption. Furthermore, performance comparisons were given to demonstrate that the proposed scheme outperforms the previously proposed anonymous MIBE and IBBE schemes in terms of the computational cost of encryption/decryption and the transmission size. Meanwhile, the proposed scheme is provably secure and offers CCA-level security.
ACKNOWLEDGEMENTS
The authors would like to thank the anonymous referees for their valuable comments and constructive suggestions. This research was partially supported by National Science Council, Taiwan, R.O.C., under contract no. NSC100-2221-E-018-027.
REFERENCES

1. Fiat A, Naor M. Broadcast encryption. In Proceedings of Crypto'93, LNCS 773, Santa Barbara, CA, USA, August 22–26, 1993; 480–491.
2. Naor D, Naor M, Lotspiech J. Revocation and tracing schemes for stateless receivers. In Proceedings of Crypto'01, LNCS 2139, Santa Barbara, CA, USA, August 19–23, 2001; 41–62.
3. Dodis Y, Fazio N. Public key broadcast encryption for stateless receivers. In Proceedings of DRM 2002, LNCS 2696, Washington, DC, USA, November 18, 2002; 61–80.
4. Boneh D, Gentry C, Waters B. Collusion resistant broadcast encryption with short ciphertexts and private keys. In Proceedings of Crypto'05, LNCS 3621, Santa Barbara, CA, USA, August 14–18, 2005; 258–275.
5. Bellare M, Boldyreva A, Micali S. Public-key encryption in a multi-user setting: security proofs and improvements. In Proceedings of Eurocrypt'00, LNCS 1807, Bruges, Belgium, May 14–18, 2000; 259–274.
6. Kurosawa K. Multi-recipient public-key encryption with shortened ciphertext. In Proceedings of PKC 2002, LNCS 2274, Paris, France, February 12–14, 2002; 48–63.
7. Bellare M, Boldyreva A, Pointcheval D. Multi-recipient encryption schemes: security notions and randomness re-use. In Proceedings of PKC 2003, LNCS 2567, Miami, FL, USA, January 6–8, 2003; 85–99.
8. ElGamal T. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory 1985; 31(4):469–472.
9. Shamir A. Identity-based cryptosystems and signature schemes. In Proceedings of Crypto'84, LNCS 196, Santa Barbara, CA, USA, August 19–22, 1984; 47–53.
10. Boyen X, Waters B. Anonymous hierarchical identity-based encryption (without random oracles). In Proceedings of Crypto'06, LNCS 4117, Santa Barbara, CA, USA, August 20–24, 2006; 290–307.
11. Fan CI, Huang LY, Ho PH. Anonymous multireceiver identity-based encryption. IEEE Transactions on Computers 2010; 59(9):1239–1249.
12. Chien HY. Improved anonymous multi-receiver identity-based encryption. The Computer Journal 2012; 55(4):439–446.
13. Hur J, Park C, Hwang SO. Privacy-preserving identity-based broadcast encryption. Information Fusion 2012; 13(4):296–303.
14. Boneh D, Franklin M. Identity-based encryption from the Weil pairing. In Proceedings of Crypto'01, LNCS 2139, Santa Barbara, CA, USA, August 19–23, 2001; 213–229.
15. Boneh D, Franklin M. Identity-based encryption from the Weil pairing. SIAM Journal on Computing 2003; 32(3):586–615.
16. Zhong S, Chen T. An efficient identity-based protocol for private matching. International Journal of Communication Systems 2011; 24(4):543–552.
17. Han K, Yeun CY, Shon T, Park J, Kim K. A scalable and efficient key escrow model for lawful interception of IDBC-based secure communication. International Journal of Communication Systems 2011; 24(4):461–472.
18. Tseng YM, Wu TY, Wu JD. An efficient and provably secure ID-based signature scheme with batch verifications. International Journal of Innovative Computing, Information and Control 2009; 5(11):3911–3922.
19. Chuang YH, Tseng YM. Towards generalized ID-based user authentication for mobile multi-server environment. International Journal of Communication Systems 2012; 25(4):447–460.
20. He D, Chen J, Hu J. A pairing-free certificateless authenticated key agreement protocol. International Journal of Communication Systems 2012; 25(2):221–230.
21. Chen L, Cheng Z, Smart NP. Identity-based key agreement protocols from pairings. International Journal of Information Security 2007; 6(4):213–241.
22. Wu TY, Tseng YM. An efficient user authentication and key exchange protocol for mobile client-server environment. Computer Networks 2010; 54(9):1520–1530.
23. Tsai JL, Wu TC, Tsai KY. New dynamic ID authentication scheme using smart cards. International Journal of Communication Systems 2010; 23(12):1449–1462.
24. Wu TY, Tseng YM, Yu CW. A secure ID-based authenticated group key exchange protocol resistant to insider attacks. Journal of Information Science and Engineering 2011; 27(3):915–932.
25. Wang L, Wu CK. Efficient identity-based multicast scheme from bilinear pairing. IEE Proceedings - Communications 2005; 152(6):877–882.
26. Lee JW, Hwang YH, Lee PJ. Efficient public key broadcast encryption using identifier of receivers. In Proceedings of ISPEC 2006, LNCS 3903, Hangzhou, China, April 11–14, 2006; 153–164.
27. Yang C, Cheng X, Ma W, Wang X. A new ID-based broadcast encryption scheme. In Proceedings of Autonomic and Trusted Computing 2006, LNCS 4158, Wuhan, China, September 3–6, 2006; 487–492.
28. Delerablée C. Identity-based broadcast encryption with constant size ciphertexts and private keys. In Proceedings of ASIACRYPT 2007, LNCS 4833, Kuching, Malaysia, December 2–6, 2007; 200–215.
29. Ren Y, Gu D. Fully CCA2 secure identity-based broadcast encryption without random oracles. Information Processing Letters 2009; 109(11):527–533.
30. Wang XA, Weng J, Yang X, Yang Y. Cryptanalysis of an identity based broadcast encryption scheme without random oracles. Information Processing Letters 2011; 111(10):461–464.
31. Baek J, Safavi-Naini R, Susilo W. Efficient multi-receiver identity-based encryption and its application to broadcast encryption. In Proceedings of PKC 2005, LNCS 3386, Les Diablerets, Switzerland, January 23–26, 2005; 380–397.
32. Chatterjee S, Sarkar P. Multi-receiver identity-based key encapsulation with shortened ciphertext. In Proceedings of INDOCRYPT 2006, LNCS 4329, Kolkata, India, December 11–13, 2006; 394–408.
33. Park JH, Kim KT, Lee DH. Cryptanalysis and improvement of a multi-receiver identity-based key encapsulation at INDOCRYPT'06. In Proceedings of ASIACCS '08, Tokyo, Japan, March 18–20, 2008; 373–380.
34. Okamoto T, Pointcheval D. REACT: rapid enhanced-security asymmetric cryptosystem transform. In Proceedings of CT-RSA 2001, LNCS 2020, San Francisco, CA, USA, April 8–12, 2001; 159–174.
35. Okamoto T, Pointcheval D. The gap-problems: a new class of problems for the security of cryptographic schemes. In Proceedings of PKC 2001, LNCS 1992, Cheju Island, Korea, February 13–15, 2001; 104–118.
36. Bellare M, Rogaway P. Random oracles are practical: a paradigm for designing efficient protocols. In Proceedings of CCS'93, Fairfax, VA, USA, November 3–5, 1993; 62–73.
37. Canetti R, Goldreich O, Halevi S. The random oracle methodology, revisited. Journal of the ACM 2004; 51(4):557–594.
38. Galbraith S, Paterson K, Smart NP. Pairings for cryptographers. Discrete Applied Mathematics 2008; 156(16):3113–3121.
39. Wu TY, Tseng YM. An ID-based mutual authentication and key exchange protocol for low-power mobile devices. The Computer Journal 2010; 53(7):1062–1070.
40. Canetti R, Halevi S, Katz J. A forward-secure public-key encryption scheme. In Proceedings of Eurocrypt 2003, LNCS 2656, Warsaw, Poland, May 4–8, 2003; 255–271.
41. Fujisaki E, Okamoto T. Secure integration of asymmetric and symmetric encryption schemes. In Proceedings of Crypto'99, LNCS 1666, Santa Barbara, CA, USA, August 15–19, 1999; 537–554.
42. Knuth D. The Art of Computer Programming, Volume 2: Seminumerical Algorithms (3rd edn). Addison-Wesley: Boston, 1997.
43. Scott M. Computing the Tate pairing. In Proceedings of CT-RSA 2005, LNCS 3376, San Francisco, CA, USA, February 14–18, 2005; 293–304.
44. Scott M, Costigan N, Abdulwahab W. Implementing cryptographic pairings on smartcards. Cryptology ePrint Archive, Report 2006/144, 2006.
45. Cao X, Zeng X, Kou W, Hu L. Identity-based anonymous remote authentication for value-added services in mobile networks. IEEE Transactions on Vehicular Technology 2009; 58(7):3508–3517.
46. Bellare M, Boldyreva A, Palacio A. An uninstantiable random oracle model scheme for a hybrid encryption problem. In Proceedings of Eurocrypt'04, LNCS 3027, Interlaken, Switzerland, May 2–6, 2004; 171–188.
AUTHORS’ BIOGRAPHIES
Yuh-Min Tseng is currently a professor at the Department of Mathematics, National Changhua University of Education, Taiwan. He has published over a hundred scientific journal and conference papers on cryptography and network security topics. In 2006, his paper obtained the Wilkes Award from The British Computer Society. He also serves as an editor of several international journals, including Computer Standards & Interfaces, International Journal of Advancements in Computing Technology, International Journal of Security and Its Applications, Wireless Engineering and Technology, and ISRN Communications and Networking. His research interests include cryptography, information security, network security management, computer networks and mobile communications.
Yi-Hung Huang received the BS, MS, and Ph.D. degrees from the Department of Applied Mathematics, National Chung-Hsing University, Taiwan, in 1986, 1990, and 1999, respectively. He is currently an associate professor at the Department of Mathematics Education, National Taichung University of Education, Taiwan. His research interests include computer network, routing protocol and mobile communications.
Hui-Ju Chang received the BS degree from the Department of Mathematics and Information Education, National Taipei University of Education, Taiwan, in 2002. She is pursuing her MS degree from the Department of Mathematics Education, National Taichung University of Education, Taiwan. Her research interests include applied cryptography, computer network and network security management.