#### Abstract

In an identity-based broadcast encryption (IBBE) scheme, the ciphertext is usually appended with a set of user identities to specify intended recipients. However, as IBBE is adopted across many industries, the demand for anonymity in specific scenarios such as military applications is urgent and can no longer be ignored. At the same time, optimizing computation and communication is an unavoidable challenge in IBBE scheme construction, especially in large-scale resource-limited wireless networks such as the Internet of Things (IoT), where the cost of computation and communication should be reduced as much as possible since other functions including connectivity and privacy should be given the top priority. Thus, we present an IBBE scheme from lattices, in which we employ the Chinese remainder theorem and lattice basis delegation in fixed dimensions to obtain several desirable characteristics, such as constant-size public parameters, private key, and ciphertext. In addition, our encryption and decryption algorithms are more efficient than broadcast encryption (BE) schemes based on number-theoretic problems. Notably, our scheme simultaneously achieves confidentiality and outsider anonymity against the chosen-plaintext attack under the hardness of the learning with errors (LWE) problem.

#### 1. Introduction

IoT is a network of interconnected things/devices, in which sensors, software, network connections, and necessary electronic devices are integrated to collect and exchange information and respond to real-time data requests. IoT allows data accumulation from and exchange between the physical world and computer systems through existing network infrastructures. With these connected tiny and smart devices, one’s life can be of higher quality, safer, smarter, more convenient, more comfortable, and better informed than ever before. Security is one of the main concerns raised by cybersecurity experts. They believe that even end device connectivity and information sharing can be exploited to have a negative impact on a person’s safety and well-being. Besides being hacked to compromise online data and privacy, an IoT device can also become the entry point for invading the entire network [1, 2].

A remote terminal unit (RTU) [1] is an electronic device installed at a remote site (generally, few people supervise the distant site). It is used to monitor and control sensors and equipment remotely and is widely adopted in supervisory control and data acquisition (SCADA) systems. An RTU usually converts the measured state or signal into a data format that can be sent on the communication medium by using the Modbus protocol. It can also receive commands sent by the central monitor computer to execute functional control of the equipment. As the Modbus protocol does not apply any data encryption mechanism, the data flow between the monitor center and the RTU is in plaintext. As a consequence, the data transmitted in the open network may be eavesdropped on or tampered with. What is worse, data tampering may cause disorder in the automated production process or even serious accidents involving equipment damage. To keep data transmission confidential, cryptographic modules can be embedded in data collection equipment such as RTU/DTU and effectively help prevent data theft and command tampering [2]. Once the confidentiality concern is addressed, such devices can be safely applied to industrial control industries such as oil and gas exploitation, environmental monitoring, power transmission and transformation, oil and gas pipeline networks, and hydrological monitoring.

Fiat and Naor [3] first introduced broadcast encryption, which allows a sender to send an encrypted message to a large number of receivers via public channels such that only authorized users can obtain the message, as shown in Figure 1. Compared with public key encryption for a single recipient, BE significantly saves computing and communication costs. Therefore, BE has been applied in numerous settings, such as key distribution [4], encrypted file sharing [5], satellite TV subscription [6], digital rights management [7], and social network services [8]. Take a pay service as an example. As shown in Figure 2, nonpaying users cannot enjoy the service or can enjoy only limited service, while paying users can enjoy the entire, high-quality service. There are a large number of related works that can be classified as conventional BE [6, 9–13] since they are based on number-theoretic problems, such as big integer factoring and the discrete logarithm problem, and they rarely meet the requirements of industrial applications.

With the advent of quantum cryptography, the security of conventional BE schemes is heavily threatened. In FOCS′94, Shor [14] proposed a quantum algorithm to solve the problem of discrete logarithm and factorization in polynomial time. Thereafter, it becomes one of the most urgent topics to design BE schemes against quantum attacks.

Lattice cryptography can resist quantum-computing attacks [15] and has multiple advantages over the conventional cryptography. Firstly, lattice is a vector space composed of linearly independent vectors in , which only request lightweight operations such as modular addition and matrix multiplication. Thus, it is suitable for devices with limited computational ability such as smart cards. Secondly, lattice cryptography enjoys pretty strong security guaranteed by the worst-case hardness assumptions [16, 17], such as shortest vector problem (SVP) [18] and closest vector problem (CVP) [18]. Thirdly, lattice cryptography can be adopted to comparable extensive industries as its conventional cryptography was, given almost all conventional public key encryption (PKE) schemes based on big integer factoring or discrete logarithm problems can also be realized in lattice cryptography.

A desirable BE scheme on lattices should keep not only confidentiality but also anonymity, as anonymity is an extremely favourable characteristic for diverse BE systems [19]. To distinguish authorized receivers from the unauthorized, a BE ciphertext usually includes the intended recipients’ identities. This means users’ identity information is revealed. Specifically, such identity exposure is expected to be avoided when users’ identities are sensitive. For instance, in the military field, the set of broadcast receiver identities undoubtedly implies specific military objectives or personnel. Meanwhile, to support a large number of receivers in a BE system, the public key of every receiver can be conveniently chosen as a meaningful string, which is their unique identification, such as a passport number or an e-mail address. This is exactly the motivation for proposing an IBBE system that is capable of supporting an exponential user scale.

##### 1.1. Our Results

Each BE system involves multiple recipients. Thus, it is intricate to construct a BE scheme in a lattice context. Our main contributions include the construction of an anonymous IBBE from the lattice and the security reduction to the LWE problem. Our design is inspired by the lattice-based BE scheme of Wang et al. [20], which depends on the Chinese remainder theorem to achieve the dynamic anonymity. In this work, we rely on the Chinese remainder theorem to construct an IBBE scheme, and the core idea is as follows.

The Chinese remainder theorem offers one-dimensional linear congruence equation that has and only has one solution . In order to construct a BE scheme on lattices, we combine the Chinese remainder theorem with the LWE hardness assumption.

(i) Firstly, we extend the Chinese remainder theorem to a matrix form, such as and are extended to matrices and with dimension , respectively. Thus, the system of linear congruence equations has the similar solution; that is, , where is close to uniform distribution [20] if is a random matrix over .

(ii) Then, choose a random vector , which is to blind . Blind results are used to encapsulate symmetric keys , e.g., , where and are receiver ’s public keys and is an error vector. Since the key encapsulation is constructed by the Chinese remainder theorem, its distribution is indistinguishable from the uniform distribution [20].

(iii) Thirdly, when authorized receiver decrypts the ciphertext, he does not need to know the other users’ identities. He firstly computes *C _{2}* mod *q _{i}*, where *q _{i}* is his public key, and then is transformed to a LWE instance vector related to his public key , i.e., . Now, authorized receiver uses his private key to decrypt to obtain the symmetric key and then gets the broadcast message.

(iv) To obtain an IBBE scheme, we need to connect users’ public keys and to identity . Firstly, we use an encoding function to map identities to matrices , i.e., [21], and a division intractable hash function to map identities to integer . Note that integer is a prime with an overwhelming probability [22] so that user ’s public key and user ’s public key are ensured mutually prime.

(v) Lattice basis delegation mechanisms were proposed by Cash et al. [23] and Agrawal et al. [21]. Given a matrix and a lattice basis of , a matrix from and a random basis for can be generated. However, in [21, 23], the dimension of matrix is larger than the dimension of the given matrix . So, the ciphertext and private key sizes of their HIBE schemes increase as the hierarchy deepens. Thus, in terms of private key generation of our scheme, we employ lattice basis delegation with constant dimension technology [21] to generate the user private key, where and has the same dimension as . Thence, the private key size of our scheme is constant, and the size of the ciphertext has nothing to do with the number of recipients.

##### 1.2. Related Work

Identity-based encryption (IBE) [24] is a special kind of BE. There is one receiver set specifying intended receivers, and in an IBE scheme, the user public key can be any string as long as the string can be a uniquely identified user, such as a passport number and e-mail address. In 2008, Craig et al. [25] proposed the technology of lattice-based one-way trapdoor function and constructed an IBE scheme whose security is based on the LWE problem [26] in the random oracle model. In their scheme, trapdoor sampling algorithm [27] is used for generating the master public key and master secret key. Then, the preimage sampler [25] takes the master secret key as the input to generate the user’s secret key. Finally, both the master public key and the user’s identity are used to generate two separate pseudorandom LWE instances as the ciphertexts.

Hierarchical identity-based encryption (HIBE) [28, 29] is also a special kind of BE. Users in the broadcast set have a hierarchical structure, and the lower-level users’ keys are generated by the higher-level users. In 2010, Cash et al. [23, 30] proposed a new concept of cryptography, called bonsai tree, and constructed an HIBE scheme based on the LWE problem by utilizing the lattice basis delegation technique, which allows one to use a short basis of a certain integer lattice to generate a short random basis for a new lattice derived from . However, in their HIBE scheme, the dimension of the child lattice is greater than that of the parent lattice for the reason that, as the hierarchical structure increases, the private key and ciphertext also become longer. Shweta Agrawal and Boyen [31] proposed a lattice basis delegation technique which does not increase the dimension of the lattices involved and presented two HIBE schemes with shorter ciphertext and private keys with and without the random oracle based on the LWE problem, respectively.

Attribute-based encryption (ABE) [32] and BE are both one kind of one-to-many encryption. In the ABE system, the private key and the ciphertext are related to the attributes; when the attributes owned by the user match the ciphertext attributes, the user can obtain the ciphertext. Boyen [33] proposed an efficient ABE scheme and proved its security in the selective sense from LWE hardness assumption in the standard model. Nevertheless, BE needs to specify which users are authorized receivers.

Fiat and Naor first introduced BE [3]. In 2005, Boneh et al. [11] proposed the first fully collusion-resistant BE scheme with static security, and both the size of ciphertexts and private keys are constant, but the size of the public key is proportional to the number of receivers. In 2009, Craig and Waters [13] proposed a BE scheme with adaptive security in the random oracle model. In 2007, Delerablée [34] proposed the first IBBE scheme, which obtains adaptive chosen-ciphertext attack (CCA) security in the random oracle model and has constant-size ciphertexts and private keys. In 2009, Craig and Waters [13] presented the first IBBE scheme that is adaptively chosen-plaintext secure in the standard model. In 2014, Boneh et al. [35] proposed the first IBBE scheme that is selectively CCA-secure from multilinear maps and has constant-size ciphertexts. In 2015, Jongkil Kim et al. [36] proposed an IBBE scheme, which is adaptively CCA-secure in the standard model, but uses dual encryption technique. In 2016, Dan and Zhandry [37] proposed a BE scheme, which obtains adaptive security by using indistinguishability obfuscation technique and has short ciphertexts, secret keys, and public keys.

Anonymity is a good security property; however, the aforementioned schemes cannot obtain it because the recipients’ identities are broadcast with the ciphertext. Thus, the identities’ information is exposed. In 2006, Adam et al. [12] presented two fully anonymous BE constructions; both of them obtain CCA security. The first one is a generic construction, and the decryption cost has a linear relationship with the number of receivers. The second is a specific construction, requiring a certain number of decryption operations, and the security proof relies on a random oracle model. In 2012, Libert et al. [19] proposed some fully anonymous BE schemes with adaptive CCA security in the standard model; at the same time, the formal security definition of the anonymous BE scheme is given. In 2012, two anonymous BE schemes with outsider anonymity were proposed by Fazio and Milinda Perera [38], and the two BE schemes have sublinear-size ciphertexts. In 2016, two anonymous BE schemes were proposed by He et al. [39]; the first one is the general scheme [39], and the second one is the specific scheme [39]. Both of these schemes are proven to be adaptive CCA-secure. However, none of the aforementioned traditional BE/IBBE schemes can resist quantum attacks.

In 2010, Wang and Bi [40] proposed a secure lattice-based IBBE scheme using the basis delegation technique [23], and their scheme can be easily extended to a hierarchical IBBE. However, their lattice basis delegation technique increases the dimension of users’ identity matrix. In 2013, Georgescu [41] used a tag-based hint system which is secure based on ring-LWE hardness and an IND-CCA-secure public key encryption scheme from LWE to construct a CCA-secure lattice-based anonymous BE scheme. In 2015, Wang et al. [20] used the Chinese remainder theorem to construct a dynamical and outsider-anonymous BE scheme over the lattice, which is proven semantic secure in the standard model under the hardness of the LWE problem. In 2020, Brakerski and Vaikuntanathan [42] proposed a lattice-based BE scheme where the size of the key and ciphertext has a logarithmic correlation with the number of users. However, their BE construction is based on a heuristic that allows to “invert” the key succinctness of the BGG + KP-ABE scheme [43] and does not have a security reduction for this heuristic; its security is an open problem. In 2020, Agrawal and Yamada [44] improved Boneh et al.’s [35] BE scheme which used multilinear maps by using LWE and bilinear mapping, and the parameters of the improved solution were also very small. Thus, in this paper, we construct an anonymous IBBE scheme on the lattice. We make a detailed function comparison between our scheme and other schemes in Table 1.

#### 2. Preliminaries

Let us briefly introduce some of the symbols and definitions used throughout the paper.

##### 2.1. Collision Intractability [22]

is a family of hash functions. If it is difficult to find two inputs that hash to the same output, is collision intractable. Formally, for every probability polynomial-time (PPT) adversary , there is a negligible function negl() such that

##### 2.2. Division Intractability [22]

is a hashing family; if it is division intractable, it is hard to find distinct inputs such that divides . Formally, for every PPT adversary , there is a negligible function negl() such that

It is not difficult to see that a hash family that is division intractable must also be collision intractable, but the reverse is not true. Such a function is easy to obtain by setting (or only the lowest bit of ) to be one.

##### 2.3. Lattice and Lattice Problems

###### 2.3.1. Lattice [45]

Lattice is generated by a set of linearly independent vectors such that

###### 2.3.2. -ary Lattices [45]

are some integers, is a parity check matrix, and -ary lattices are defined as

In fact, all vectors in lattice are orthogonal modulo to the matrix row vector.

###### 2.3.3. Gaussian over Lattices [45]

Gaussian function is defined as for any and dimension . The discrete Gaussian distribution over the coset , , whose probability is proportional to , and probability is zero elsewhere.

###### 2.3.4. LWE Problem [26, 45]

Let , , the error distribution be over , and be distributed according to . Given , the decision variant LWE problem is to distinguish from uniform distribution.

###### 2.3.5. Gaussian Error Distributions [26]

The standard error distribution is the Gaussian distribution on , and the deviation is . According to the distribution , the error vector can be effectively sampled, as shown in the following:

(i) Sample comes from the Gaussian distribution on 

(ii) Let where is used to represent the integer closest to 

(iii) Let be the error vector in the LWE problem instance

###### 2.3.6. Trapdoor Sampling Algorithm [21]

Let be odd and . There exists a PPT algorithm (*TrapGen*) , and it outputs a matrix A and a full rank set , where ’s distribution is statistically close to a uniform distribution, is a lattice basis of , which satisfies , and with almost negligible probability.

The trapdoor can be utilized to solve the LWE problem; that is, given where is any “short enough” vector, it can be used to recover as follows [25]:

(i) Calculate and . Now, since both and contain small entries, each entry of the vector is less than , so .

(ii) LWE secret can be recovered via .

###### 2.3.7. Algorithm Basis Delegation [21]

The basis delegation algorithm *BasisDel* will not increase the dimension of the basic matrix [21]. On inputting a rank matrix in , a -invertible matrix in sampled from , a basis of , and the parameter , output a basis of , where in .

###### 2.3.8. Algorithm Sample *R* [21]

Our security proof uses algorithm sample *R*. The sample matrix in comes from a distribution that is statistically close to [21]. On the canonical basis of the lattice , run for . If is invertible, then output ; otherwise, run the sample Gaussian algorithm repeatedly.

Algorithm sample *R* with basis is used in our security proof, which gives a random rank matrix in and generates a “low-norm” matrix from and the short base of as follows.

###### 2.3.9. Algorithm Sample *R* with Basis [21]

are the columns of the matrix .

(i) Run TrapGen(*q*, *n*) to generate a matrix with random rank , as well as lattice base , where

(ii) For , do

    (1) Sample *r _{i}* by running SamplePre, and we have , , where is sampled from a distribution statistically close to 

    (2) Repeat Step (1) until is linearly independent of 

(iii) Let be the matrix with columns . Then, has rank . Output and .

###### 2.3.10. Chinese Remainder Theorem [46]

If and are integers, , and are arbitrary integers, a system of linear congruence equations has only one solution: where , , and for .

We can also extend the Chinese remainder theorem to a matrix form, such as and are extended to matrices and with dimension , respectively; the system of linear congruence has the same solution; that is, where is close to uniform distribution [20].

#### 3. Identity-Based Broadcast Encryption

*Definition 1.* An IBBE scheme consists of four algorithms (, , , ) [19, 34] as follows:

(i) Setup: intake a security parameter , and output the public parameters and a master secret key 

(ii) Extract: intake a master secret key and an identity , and output a private key for identity 

(iii) Enc: intake the public parameters , a receiver set , and a message , and output a ciphertext 

(iv) Dec: intake a private key and a ciphertext , and output either a message or an error symbol 

The correctness property requires that, for all , if (, ) , , ), and , , ), then , with overwhelming probability.

In the above definition, the set is not required as an input to the decryption algorithm, which keeps the anonymity of an IBBE system.

We now present the security requirements for an IBBE scheme to be outsider anonymous against the chosen-plaintext attack (CPA). In an outsider-anonymous IBBE scheme, when the adversary receives a ciphertext of which he is not a legal recipient, he will be unable to learn anything about the identities of the legal recipients, but for those ciphertexts for which the adversary is in the authorized set of recipients, he might also learn the identities of some other legal recipients. First, we define the CPA of an outsider-anonymous IBBE scheme as a game, which we term oAIBBE-IND-CPA, played between a probabilistic polynomial-time (PPT) adversary and a challenger . Meanwhile, we present a selective indistinguishable chosen-plaintext security game (sIND-CPA), where selective security is a weaker notion which forces the adversary to announce ahead of time the identities it will target.

*Definition 2.* The oAIBBE-sIND-CPA game defined for an oAIBBE scheme = (Setup, Extract, Enc, Dec), a PPT adversary , and a challenger is as follows:

(i) Init: adversary outputs two receiver subsets and that he wants to attack; it is required that in order to avoid trivial attacks

(ii) Setup: challenger first runs Setup to generate the public parameters and a master secret key , then gives to adversary , and keeps to itself

(iii) Phase 1: adversary adaptively issues the private key for identity query, and challenger runs Extract and returns to adversary 

(iv) Challenge: adversary selects two equal-length messages and sends to challenger , and challenger flips a random coin and returns the challenge ciphertext Encrypt to adversary 

(v) Phase 2: adversary continues to adaptively issue queries as in Phase 1

(vi) Guess: adversary outputs a guess

*Definition 3.* Define adversary ’s advantage in the above oAIBBE-sIND-CPA game as . We say that an IBBE scheme is oAIBBE-sIND-CPA secure if for any PPT adversary , the advantage is negligible in the above oAIBBE-sIND-CPA game.

#### 4. Construction

Our lattice-based IBBE scheme is designed by translating the lattice-based BE scheme of Wang et al. [20] into an identity-based environment. The private key generation depends on the lattice basis delegation without increasing the dimension [21].

(i) Setup: intake a secure parameter , set to be odd and , and let be a division intractability hash function and be a hash function. Invoke trapdoor sampling algorithm *TrapGen* to generate a uniformly random matrix with a basis satisfying such that . Output public parameters and a master key .

(ii) Extract: intake public parameters , a master key , and an identity , and compute and . Evaluate to obtain a short random basis for . Output identity ’s private key .

(iii) Encrypt: intake public parameters , a broadcast set , and message , and compute = for . Moreover, to ensure the correctness of decryption, we need . According to the Chinese remainder theorem, it needs to compute and , where . Calculate for , choose random vector and and a symmetric key , and compute the ciphertext as follows:

(iv) Decrypt: user with identity in the broadcast set uses his private key to decrypt ciphertext as follows:

#### 5. Analysis of the Proposed Anonymous IBBE Construction

##### 5.1. Parameters and Correctness

Given the security parameter , the analysis of parameters and correctness for our scheme is as follows.

(i) To ensure that *TrapGen* can operate, the following requirements should be met: and [21].

(ii) To guarantee the decryption of the ciphertext, the error term should be less than , and let be set as [23, 47]

(iii) Parameters should always satisfy and .

To ensure that decryption works, we first note that is designed according to the Chinese remainder theorem, and recall that and ; then, and for . Hence, it would be valid.

By the properties of basis delegation, , where ; therefore,

Finally, we know ,

##### 5.2. Security

Theorem 1. *The above scheme is oAIBBE-sIND-CPA secure if the LWE problem is hard and is simulated as a random oracle.*

*Proof.* Suppose there exists a PPT adversary that is able to distinguish the above scheme’s ciphertext from random elements with advantage . Then, there is a challenger with advantage at least that distinguishes between the two distributions

(i) Init: adversary outputs two different subsets and that he wants to distinguish. Challenger samples random matrices by running (described in Section 3.1), where all are invertible mod *q*.

(ii) Setup: challenger chooses two collision-intractable hash functions and . is a division intractability hash function, and is simulated as a random oracle. Let be the number of queries made by . Let the master public key be , and the master secret key is unknown to . The system parameters are given to .

(iii) Phase 1: adversary adaptively issues queries as follows:

(iv) Random oracle hash queries: may adaptively query the random oracle on any identity of its choice at any time. answers the query as follows.

If , define , return to adversary , and save the tuple in a list .

If , sample a random matrix , where is invertible mod , compute , and then run sample *R* with basis (described in Section 3.1) to obtain a random matrix and a short basis for Save the tuple in a list for future use, and return to adversary .

(i) Secret key queries: makes interactive key extraction queries on arbitrary identity . answers a query on as follows: If , aborts and fails. If , retrieves the saved tuple from the hash oracle query list ; else, it runs the random oracle hash query on . Let and be a short basis for , and return to adversary . Notice that is exactly the encryption matrix for , and therefore, is a trapdoor for .

Challenge: adversary chooses two equal-length messages and sends to challenger . Challenger chooses at random a symmetric key and a random bit ; challenger computes , where and , and then returns the challenge ciphertext to adversary .

(ii) Phase 2: adversary adaptively issues queries as Phase 1.

(iii) Guess: adversary outputs a guess bit , and wins the game if .

(iv) Analysis: in the following, we analyse the correctness of the challenge ciphertext.

(v) On the one hand, if is a uniformly random matrix, then the challenge ciphertext is also uniformly random, regardless of the choice of . Hence, in this case, outputs 1 with probability at most .

(vi) On the other hand, if , then the challenge ciphertext is is uniformly distributed (since and 2 are relatively prime). This is identical to the output distribution of the real ciphertext.

Hence, if adversary succeeds in guessing the right and with probability , then challenger will correctly guess the nature of the LWE oracle with probability at least . This concludes the proof of the security reduction.

*Remark.* The above scheme cannot achieve anonymity against an insider attacker. Because any authorized receiver can obtain the private information *s, e*, and *K*, he/she uses *s, e*, and *K* to decrypt *C _{2}*. The decryption process is similar to the Trapdoor Sampling Algorithm of Section 2.1. Therefore, in order to determine whether or not is an authorized receiver, adversary only needs to calculate whether and are equal. If yes, is an authorized receiver; otherwise, is not an authorized receiver.
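The following Python sketch is an added example, not code from the paper. It illustrates the Chinese remainder theorem packing of Section 2.3.10 as used in the construction, together with the insider check described in the Remark above. The identity-to-modulus hash, the identity-to-matrix map, the toy dimensions, and the per-recipient form c_i = A_i^T s + e + K·⌊q_i/2⌋ mod q_i are assumptions made for illustration; the short-basis private key produced by *BasisDel* is not modelled, so key recovery is shown only for a party that already knows s.

```python
import hashlib
import random
from math import prod

N, M, BITS = 4, 8, 24  # toy sizes (assumption): far too small to be secure


def _h(label, ident, ctr):
    data = b"|".join([label, ident.encode(), str(ctr).encode()])
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def _is_prime(x):
    if x < 2 or x % 2 == 0:
        return x == 2
    return all(x % d for d in range(3, int(x ** 0.5) + 1, 2))


def id_to_modulus(ident):
    """Hypothetical stand-in for the division-intractable hash: an odd
    BITS-bit value derived from the identity, stepped up to the next prime."""
    x = (_h(b"mod", ident, 0) % (1 << BITS)) | (1 << (BITS - 1)) | 1
    while not _is_prime(x):
        x += 2
    return x


def _a_t_s(ident, q, s):
    """A_i^T s mod q_i, with a toy hash-derived N x M matrix A_i (assumption)."""
    A = [[_h(b"mat", ident, r * M + c) % q for c in range(M)] for r in range(N)]
    return [sum(A[r][c] * s[r] for r in range(N)) % q for c in range(M)]


def encapsulate(ident, s, e, key_bits):
    """Per-recipient LWE-style vector (assumed form, see lead-in)."""
    q = id_to_modulus(ident)
    u = _a_t_s(ident, q, s)
    return [(u[c] + e[c] + key_bits[c] * (q // 2)) % q for c in range(M)]


def crt_combine(moduli, vectors):
    """Componentwise CRT: the unique C mod prod(moduli) with C mod q_i = vectors[i]."""
    Q = prod(moduli)
    C = [0] * M
    for q, v in zip(moduli, vectors):
        Qi = Q // q
        try:
            inv = pow(Qi, -1, q)  # fails if q shares a factor with another modulus
        except ValueError:
            raise ValueError("moduli must be pairwise coprime") from None
        C = [(C[c] + v[c] * Qi * inv) % Q for c in range(M)]
    return C


def broadcast(recipients, rng):
    """Return the packed vector C and the sender's secrets (s, e, K)."""
    s = [rng.randrange(1 << (BITS - 1)) for _ in range(N)]
    e = [rng.randint(-2, 2) for _ in range(M)]  # small error terms
    K = [rng.randrange(2) for _ in range(M)]    # symmetric key bits
    moduli = [id_to_modulus(i) for i in recipients]
    C = crt_combine(moduli, [encapsulate(i, s, e, K) for i in recipients])
    return C, (s, e, K)


def receiver_view(C, ident):
    """What a receiver computes first: C mod q_i. No other identity is needed."""
    q = id_to_modulus(ident)
    return [x % q for x in C]


def recover_key_given_s(c_i, ident, s):
    """Round away the error once s is known (the trapdoor step is not modelled)."""
    q = id_to_modulus(ident)
    u = _a_t_s(ident, q, s)
    return [1 if q // 4 < (c_i[c] - u[c]) % q < 3 * q // 4 else 0 for c in range(M)]


def insider_membership_test(C, secrets, candidate):
    """The Remark's check: with s, e, K in hand, recompute the candidate's
    vector and compare it with C mod q_candidate."""
    s, e, K = secrets
    return receiver_view(C, candidate) == encapsulate(candidate, s, e, K)


if __name__ == "__main__":
    members = ["alice@example.org", "bob@example.org"]  # constructed identities
    C, secrets = broadcast(members, random.Random(7))
    for who in members + ["mallory@example.org"]:
        print(who, insider_membership_test(C, secrets, who))
```

The packed vector carries no identity list, which is the outsider-anonymity property; the membership test succeeds only for a party holding s, e, and K, which is the limitation the Remark states.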

#### 6. Conclusions

We propose a lattice-based anonymous IBBE scheme employing the Chinese remainder theorem and lattice basis delegation in fixed dimensions. Our scheme achieves chosen-plaintext security in the random oracle model and has multiple attractive properties, such as constant-size private/public key and ciphertext and constant encryption/decryption overhead.

#### Data Availability

All the data included in this study are available upon request by contact with the corresponding author.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.

#### Acknowledgments

This work was partially supported by the National Science Foundation of China (NSFC) (Grant nos. 61902067 and 62102166), Foundation for Young Innovative Talents in Ordinary Universities of Guangdong (2018KQNCX255), Opening Project of Guangdong Province Key Laboratory of Information Security Technology (Grant no. 2020B1212060078), Dongguan Science and Technology of Social Development Program (2020507140146), Dongguan University of Technology (2021KTSCX134), Key-Area Research and Development Program of Guangdong Province (Grant no. 2020B0101360001), Guangdong Basic and Applied Basic Research Foundation (Grant no. 2020A1515111175), and Guangdong Natural Science Key Field Project (2019KZDZX1008).