Security and Communication Networks


Research Article | Open Access

Volume 2021 |Article ID 5519721 | https://doi.org/10.1155/2021/5519721

Yi-Fan Tseng, Chun-I Fan, "Anonymous Multireceiver Identity-Based Encryption against Chosen-Ciphertext Attacks with Tight Reduction in the Standard Model", Security and Communication Networks, vol. 2021, Article ID 5519721, 11 pages, 2021. https://doi.org/10.1155/2021/5519721

Anonymous Multireceiver Identity-Based Encryption against Chosen-Ciphertext Attacks with Tight Reduction in the Standard Model

Academic Editor: Stelvio Cimato
Received: 17 Feb 2021
Revised: 06 Apr 2021
Accepted: 24 May 2021
Published: 15 Jun 2021

Abstract

Multireceiver identity-based encryption is a cryptographic primitive that allows a sender to encrypt a message for multiple receivers efficiently and securely. In some applications, the receivers may not want their identities to be revealed. Motivated by this issue, in 2010, Fan et al. first proposed the concept of anonymous multireceiver identity-based encryption (AMRIBE). Since then, many studies in this field have been published. After surveying the existing works, however, we found that most of them fail to achieve provable anonymity with tight reduction. A security proof with tight reduction means better quality of security and better efficiency of implementation. In this paper, we focus on solving the open problem in this field, namely achieving ANON-IND-CCA security with tight reduction, by giving an AMRIBE scheme. The proposed scheme is proven to be IND-MID-CCA and ANON-MID-CCA secure with tight reduction under a variant of the DBDH assumption. To the best of our knowledge, this is the first scheme proven to have tightly reducible full CCA security in the standard model.

1. Introduction

Identity-based encryption (IBE) is a large class of public key encryption in modern cryptography. The concept of IBE was first proposed by Shamir [1] in 1984, and the first practical constructions were independently proposed by Boneh and Franklin [2] and Cocks [3] in 2001. In an IBE scheme, a user can use any string as her/his public key, such as a national identification number or an e-mail address.

A natural question is how to design a multireceiver IBE that encrypts a message for many users more efficiently, in computation or communication cost, than encrypting it individually for each user. Such a cryptographic primitive is popular in advanced applications such as video conferencing, pay-per-view TV [4–8], and distance education. The notion of multireceiver identity-based encryption (MRIBE) was first considered by Baek et al. [9] in 2005. In an MRIBE scheme, the input of the encryption algorithm is a set of identities rather than a single identity. A user who is selected in the set is able to decrypt the ciphertext. MRIBE then drew the attention of the research community, and many results [10, 11] have been proposed.

Another notion similar to MRIBE is identity-based broadcast encryption (IBBE) [12–14]. An IBBE scheme is usually designed in the sense of a key encapsulation mechanism (KEM), where the encryption algorithm takes as input only a set of identities and outputs a header and an encryption key. To encrypt a message, one then uses the encryption key with a data encryption mechanism (DEM), such as DES or AES. A user whose identity is selected in the set can use her/his private key together with the header to recover the encryption key. On the other hand, an encryption scheme can be regarded as a key encapsulation mechanism by simply setting a ciphertext as the header and the corresponding plaintext as the encryption key. In this paper, we will treat MRIBE and IBBE as the identical notion.

In some situations, such as ordering sensitive TV programs, the customers may expect that their identities are not revealed. In consideration of privacy preservation, Fan et al. [15] first introduced the concept of anonymous multireceiver ID-based encryption (AMRIBE) in 2010. Anonymity means that no one except the encryptor should learn the identities of the receivers. They also proposed a multireceiver ID-based encryption scheme using Lagrange interpolating polynomials. Unfortunately, their scheme was shown to be flawed by Chien [16] in 2012: in Fan et al.'s scheme, anyone given a ciphertext is able to reveal the receivers. Chien further indicated that the security model defined in [15] does not cover all of the multireceiver scenarios. He also proposed an improved AMRIBE scheme in [16]. Since then, many results on AMRIBE have been proposed [17–25].

After examining these AMRIBE schemes, we found that no AMRIBE scheme achieves full-ID security with tight reduction against chosen-ciphertext attacks. Filling this gap is significant for research on AMRIBE in both theoretical and practical respects.

Most of the existing AMRIBEs are only proven secure in the weaker “selective-ID” model, where the attacker must commit to the target receiver set it will attack at the beginning of the security game. The selective-ID model might not be appropriate for the attack model in a realistic environment, since attackers should be able to adaptively choose their target after learning some information about the system. This characteristic is captured by another, stronger model called the “full-ID” model, where the attacker chooses the target at the challenge phase rather than at the beginning. In [26, 27], Boneh and Boyen show that a selective-ID secure IBE can also be proven to be full-ID secure. Roughly speaking, a challenger can make a guess on which identity, say , will be targeted at the challenge phase before it starts the simulation. If the adversary makes a query with or does not activate the challenge phase with , then the simulation is aborted. However, this proof strategy makes the reduction “lossy,” i.e., the reduction is not tight. Let be the number of allowed identities; then the reduction loses a factor of . That is, if the adversary wins the security game with advantage , then the challenger is only guaranteed to solve the underlying hard problem with advantage (actually the analysis should take the running times into consideration; here, we simply assume that the running times of the adversary and the challenger are asymptotically equivalent). We refer the reader to [26, 28] for more details.

A lossy reduction is not merely a theoretical problem; it also affects the efficiency and efficacy of the entire system. We give a simple example as an (informal) analysis. If we want to build an IBE system based on the DBDH assumption with an 80-bit security level, and assume , then we need to adopt a DBDH-hard group whose order is due to the lossiness. This makes the entire system inefficient, since a group of larger order needs a longer bit representation [29]. Therefore, achieving tight reduction is a significant goal for an encryption scheme, since it affects both security and efficiency. A tight reduction allows one to construct an encryption scheme with the same security level as the underlying hard assumption. We refer the reader to [30] for more detailed examples.

The consequence of a lossy reduction is much worse when it comes to more complex primitives, such as AMRIBE. In the security game of AMRIBE, an adversary activates the challenge phase with receivers, where can be any positive number smaller than the total number of possible identities. Assume that an identity is an -bit string; then a challenger needs to guess the target receiver set from different combinations. This makes the scheme impractical, since either the bit length of the representation of the underlying group will be exponentially large, or the reduction in the security proof will succeed only with negligible advantage.

1.1. Contributions

For both the practical and theoretical reasons mentioned above, in this paper, we propose the first AMRIBE scheme achieving full-ID security in confidentiality and anonymity with tight reduction. It is worth noting that the security of our scheme is proven in the standard model, i.e., without random oracles. The random oracle model [31] is a heuristic and idealized model used to help prove the security of cryptographic primitives. In such security proofs, one usually models a cryptographic hash function as a random oracle. However, there are schemes proven secure in the random oracle model that are insecure when the random oracle is instantiated with any real-world hash function [32, 33]. To the best of our knowledge, our scheme is the first and only one to achieve IND-MID-CCA/ANON-MID-CCA security (the abbreviations of “Indistinguishability under full-multi-ID chosen-ciphertext attacks” and “Anonymity under full-multi-ID chosen-ciphertext attacks”) with tight reduction in the standard model. Besides, compared with other existing schemes, the encryption cost is low. Therefore, our scheme fits scenarios in which a sender needs to frequently send messages to a large number of users, such as e-mail systems with receiver anonymity.

1.2. Organization

The remainder of this paper is organized as follows. Section 2 presents some preliminaries, specifically our security notions and the complexity assumptions that will be used in the security proofs. In Section 3, we introduce our AMRIBE scheme. Section 4 provides security proofs for the confidentiality and anonymity of our proposed scheme. Next, we show the comparison between our scheme and the existing works in properties and performances in Section 5. Finally, Section 6 concludes our work and provides future research directions.

2. Preliminaries

2.1. Notations

In this paper, we use multiplicative group representation. For where , we mean the successive integer set from to , i.e., . Furthermore, for an integer , denotes the integer set . For a set , by “” we mean “choose uniformly from ”. For an algorithm , by “,” we denote “ is the output of ”. For a bit-string , we denote the -th bit of as .

2.2. Bilinear Mapping

Definition 1. Let , and be three multiplicative cyclic groups of prime order . A bilinear map (pairing) satisfies the following properties, in which is a generator of , respectively.
(i) Bilinearity: .
(ii) Nondegeneracy: if , the identity element of , then either is the identity of or is the identity of .
(iii) Computability: there exists an efficient algorithm to compute the function .

In this paper, we use type 3 pairings [34, 35], where and no efficient computable isomorphisms between are known.

2.3. Complexity Assumptions

The security of the proposed scheme is based on a variant of the decisional bilinear Diffie–Hellman (DBDH) problem, called the DBDH-3 problem [36–39]. Let , and be three multiplicative cyclic groups of prime order , where is a generator of , respectively. Let be a type 3 pairing.

Definition 2. (a variant of DBDH problem in type 3 pairing groups—DBDH-3). Given , where decide whether or a random element in .

We say that an algorithm that outputs a bit has the advantage in solving the DBDH-3 problem if

Definition 3. (the DBDH-3 assumption). We say that the -DBDH-3 assumption holds if no -time algorithm has advantage at least in solving the DBDH-3 problem. We occasionally drop for simplicity.

2.4. Anonymous Multireceiver Identity-Based Encryption

An AMRIBE scheme consists of the following algorithms:
(i) : this algorithm takes as input a security parameter and outputs the master secret key and the system parameter . Note that all algorithms except Setup implicitly take param as one of their inputs, so we omit param for simplicity.
(ii) : this algorithm takes as inputs the master secret key and an identity and then outputs the private key for user .
(iii) : this algorithm takes as inputs an identity set for any positive and a message and then outputs a ciphertext .
(iv) : this algorithm takes as inputs a ciphertext and a private key for and then outputs a message or a dedicated error symbol .

Correctness. For all :
(i) If , then 
(ii) If , then 

2.4.1. Confidentiality

Next, we give the security definition for confidentiality. Consider the following game played between a challenger and an adversary . The security game consists of four phases as follows:
Setup: generates the system parameter and sends it to .
Phase 1: is allowed to make queries to the following oracles:
: makes a query with an identity , and returns the private key to .
: makes a query with a ciphertext and an identity , and returns the result of .
Challenge: the adversary submits two messages with the same length and a target identity set for any positive integer , with the restriction that no identity in has been submitted to the oracle in Phase 1. then randomly chooses and generates . Finally, is returned to .
Phase 2: is allowed to make queries as in Phase 1, except for queries with and queries with .
Guess: finally, outputs a bit and wins the game if .

One can observe that the above game is modelled for the security notion IND-MID-CCA. The security games for IND-sMID-CCA and IND-MID-CPA can be obtained by forcing to commit before Setup and disallowing to query oracle, respectively. The advantage of winning the game is defined as

We say that an AMRIBE scheme is -IND-MID-CCA secure if all -time adversaries have at most advantage in winning the above IND-MID-CCA game.
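The IND-MID-CCA game above, written out as an added Python harness (this is example code for this page, not the paper's scheme or proof). The challenger enforces the two restrictions of the definition: no private key for any identity in the target set (Phase 1 keys are checked at Challenge, Phase 2 requests are refused), and no decryption of the challenge ciphertext under a target identity in Phase 2, while keys for non-target identities stay available, as Remark 1's insider model requires. The scheme plugged in is a constructed HMAC-based stand-in whose only purpose is to make the game run offline; identities and messages are constructed sample values.

```python
import hashlib
import hmac
import secrets


class DisallowedQuery(Exception):
    """Raised when the adversary makes a query the game forbids."""


class ToyMRIBE:
    """Constructed stand-in for a multireceiver scheme (NOT the paper's pairing-based
    construction): per-identity keys come from the master secret via HMAC, and each
    receiver gets the message masked with a key-dependent pad plus an HMAC tag."""

    def setup(self) -> None:
        self.msk = secrets.token_bytes(32)

    def extract(self, ident: str) -> bytes:
        return hmac.new(self.msk, ident.encode(), hashlib.sha256).digest()

    def encrypt(self, ids, msg: bytes):
        assert len(msg) <= 32, "toy pad is a single SHA-256 output"
        nonce = secrets.token_bytes(16)
        comps = []
        for ident in ids:
            sk = self.extract(ident)
            pad = hashlib.sha256(sk + nonce).digest()[: len(msg)]
            c = bytes(a ^ b for a, b in zip(pad, msg))
            comps.append((c, hmac.new(sk, nonce + c, hashlib.sha256).digest()))
        return (nonce, comps)

    def decrypt(self, ct, sk: bytes):
        # Like the paper's Decrypt: try each component, accept the first whose
        # check passes, otherwise return the error symbol (None here).
        nonce, comps = ct
        for c, tag in comps:
            if hmac.compare_digest(tag, hmac.new(sk, nonce + c, hashlib.sha256).digest()):
                pad = hashlib.sha256(sk + nonce).digest()[: len(c)]
                return bytes(a ^ b for a, b in zip(pad, c))
        return None


class INDMIDCCAChallenger:
    """Challenger for the IND-MID-CCA game of Section 2.4.1."""

    def __init__(self, scheme):
        self.scheme = scheme
        self.scheme.setup()          # Setup: msk stays with the challenger
        self.extracted = set()       # identities extracted in Phase 1
        self.target = None           # None until the Challenge phase
        self.challenge_ct = None
        self.b = None

    def extract_oracle(self, ident: str) -> bytes:
        if self.target is not None and ident in self.target:
            raise DisallowedQuery(f"Phase 2: private key for target identity {ident}")
        self.extracted.add(ident)
        return self.scheme.extract(ident)

    def decrypt_oracle(self, ct, ident: str):
        if self.target is not None and ident in self.target and ct == self.challenge_ct:
            raise DisallowedQuery("Phase 2: challenge ciphertext under a target identity")
        return self.scheme.decrypt(ct, self.scheme.extract(ident))

    def challenge(self, m0: bytes, m1: bytes, target_ids):
        if len(m0) != len(m1):
            raise ValueError("challenge messages must have the same length")
        if self.extracted & set(target_ids):
            raise DisallowedQuery("a target identity was extracted in Phase 1")
        self.target = set(target_ids)
        self.b = secrets.randbelow(2)
        self.challenge_ct = self.scheme.encrypt(list(target_ids), (m0, m1)[self.b])
        return self.challenge_ct

    def guess(self, b_prime: int) -> bool:
        return b_prime == self.b


def toy_roundtrip() -> bool:
    """Sanity check of the stand-in scheme: receivers decrypt, others get None."""
    s = ToyMRIBE()
    s.setup()
    ct = s.encrypt(["a", "b"], b"secret")
    return s.decrypt(ct, s.extract("b")) == b"secret" and s.decrypt(ct, s.extract("c")) is None


def demo_game() -> dict:
    """One run of the game with constructed identities; records what the challenger allows."""
    ch = INDMIDCCAChallenger(ToyMRIBE())
    out = {}
    ch.extract_oracle("carol@example")                       # Phase 1, non-target
    m0, m1 = b"order: channel 7", b"order: channel 9"
    ct = ch.challenge(m0, m1, ["alice@example", "bob@example"])
    out["outsider_decrypt_is_none"] = ch.decrypt_oracle(ct, "carol@example") is None
    out["nontarget_extract_ok"] = len(ch.extract_oracle("dave@example")) == 32  # Remark 1
    try:
        ch.extract_oracle("alice@example")
        out["target_extract_rejected"] = False
    except DisallowedQuery:
        out["target_extract_rejected"] = True
    try:
        ch.decrypt_oracle(ct, "bob@example")
        out["challenge_decrypt_rejected"] = False
    except DisallowedQuery:
        out["challenge_decrypt_rejected"] = True
    # CCA: a modified ciphertext may be queried under a target identity. The toy tags
    # each component separately, so altering alice's component leaves bob's valid and
    # the oracle returns the challenge message: this is why a CCA-secure scheme must
    # bind the whole ciphertext, as the integrity check in the paper's Decrypt does.
    nonce, comps = ct
    (c0, t0), rest = comps[0], comps[1:]
    tampered = (nonce, [(bytes([c0[0] ^ 1]) + c0[1:], t0)] + rest)
    out["toy_is_malleable"] = ch.decrypt_oracle(tampered, "bob@example") in (m0, m1)
    return out
```

Running `demo_game()` shows every refused query raising `DisallowedQuery` and the last entry `True`, which is the toy's failure, not a property of the game: the harness is what stays fixed while schemes are swapped in.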

2.4.2. Anonymity

Next, we define anonymity for an AMRIBE. Consider the following game played between a challenger and an adversary . The security game consists of four phases as follows:
Setup: generates the system parameter and sends it to .
Phase 1: is allowed to make queries to the following oracles:
: makes a query with an identity , and returns the private key to .
: makes a query with a ciphertext and an identity , and returns the result of .
Challenge: the adversary submits a message , a target identity set , and an identity set for any positive integer , with the restriction that no identity in has been submitted to the oracle in Phase 1. then randomly chooses , sets , and generates . Finally, is returned to .
Phase 2: is allowed to make queries as in Phase 1, except for queries with and queries with .
Guess: finally, outputs a bit and wins the game if .

The above game is modelled for the security notion ANON-MID-CCA (the security games for ANON-sMID-CCA and ANON-MID-CPA can be obtained by forcing to commit ID before Setup and disallowing to query Decrypt oracle, respectively). The advantage of winning the game is defined as follows:

We say that an AMRIBE scheme is -ANON-MID-CCA secure if all -time adversaries have at most advantage in winning the above ANON-MID-CCA game.

Remark 1. Note that this definition is actually modelled against insider adversaries, since is allowed to query the private key for , and the encrypted message is chosen by .

Remark 2. The ANON-MID-CCA game defined above is slightly different from that of some existing works, such as [19, 20, 22]. In their definition, submits two different identity sets , where , with the restriction that none of have been queried to the oracle. In our model, one can imagine that and , and thus, , where is minimal. Our model may actually be a stronger model, since we allow an adversary to query as many private keys as possible, as long as the trivial way of winning the game is excluded.

2.5. Tight Security Reduction

In this section, we introduce the notion of tight security reduction. To prove the security of a cryptographic primitive, we usually construct a reduction between the security of the primitive and a well-studied hard assumption. That is, if there is an algorithm that breaks the security of the primitive, then there exists an algorithm that makes black-box use of to solve the hard problem. Assume that the algorithm breaks the primitive with advantage in time , and the algorithm breaks the assumption with advantage in time . In the conventional sense [40], a reduction is said to be tight if and . A weaker notion of tight reduction is defined in [30, 41]: the quality of a reduction can also be measured by the ratio between and . Let

In the above equation, “” is the “loss” for the reduction. A reduction is efficient if the loss is polynomially bounded. If is constant, then the reduction is said to be weakly tight. From this definition, we can see why an efficient (or ideally, tight) reduction is important. We briefly explain the reason. Assume that , then we have

If is exponentially large, then may be negligible even when the adversary’s advantage is nonnegligible, so we cannot base the security of our protocol on the underlying complexity assumption.
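The loss accounting of Section 2.5 and of the introduction, carried through as an added Python example (not code from the paper). It computes the loss of the guess-the-target strategy for a single identity, the combinatorial loss of guessing a whole receiver set, the assumption strength needed to keep a target security level after that loss, and the work-factor ratio between reduction and adversary. The ratio `(time_b / eps_b) / (time_a / eps_a)` is the conventional form of the loss and is an assumption of this example, since the page's own formula is not shown; all numeric inputs are constructed.

```python
import math


def single_receiver_loss_bits(id_bits: int) -> int:
    """log2 of the loss for the Boneh-Boyen guessing strategy: the challenger
    guesses one identity out of 2^id_bits, so advantage eps becomes eps / 2^id_bits."""
    return id_bits


def multi_receiver_loss_bits(id_bits: int, receivers: int) -> int:
    """log2 (rounded down) of the loss when the challenger must guess the whole
    target set: C(2^id_bits, receivers) equally likely sets, computed exactly."""
    combinations = math.comb(1 << id_bits, receivers)
    return combinations.bit_length() - 1


def required_assumption_bits(target_bits: int, loss_bits: int) -> int:
    """Security level the hard assumption must give so that, after losing a factor
    of 2^loss_bits in the reduction, the scheme still has target_bits of security."""
    return target_bits + loss_bits


def reduction_loss(eps_a: float, time_a: float, eps_b: float, time_b: float) -> float:
    """Work-factor ratio between the reduction B and the adversary A (assumed form of
    the loss L): 1.0 means B has A's advantage in A's time, i.e. a tight reduction.
    A constant ratio is 'weakly tight'; a polynomially bounded one is 'efficient'."""
    return (time_b / eps_b) / (time_a / eps_a)


def summary(target_bits: int, id_bits: int, receivers: int) -> dict:
    """Assumption strength needed under the two guessing strategies versus a tight proof."""
    return {
        "tight": required_assumption_bits(target_bits, 0),
        "guess_one_id": required_assumption_bits(target_bits, single_receiver_loss_bits(id_bits)),
        "guess_receiver_set": required_assumption_bits(
            target_bits, multi_receiver_loss_bits(id_bits, receivers)
        ),
    }


if __name__ == "__main__":
    # Constructed scenario: 80-bit target, 128-bit identities, 10 receivers per ciphertext.
    for k, v in summary(80, 128, 10).items():
        print(f"{k}: assumption must provide {v} bits")
    # Constructed advantages: a tight reduction versus one that divides eps by 1024.
    print("tight loss:", reduction_loss(0.5, 10, 0.5, 10))
    print("lossy loss:", reduction_loss(0.5, 10, 0.5 / 1024, 10))
```

The third figure in `summary` is the point of Section 1: with 128-bit identities and only ten receivers, guessing the receiver set costs over a thousand bits of assumption strength, which no practical group provides, whereas the tight case needs exactly the target level.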

3. Anonymous Multireceiver Identity-Based Encryption with Tight Reduction

In this section, we demonstrate a novel AMRIBE scheme with tight reduction. The proposed AMRIBE scheme is, to the best of our knowledge, the first such scheme with full security under tight reduction in the standard model.

3.1. The Proposed AMRIBE with Tight Reduction

Let , and be three cyclic multiplicative groups with prime order and be the generators of , respectively. In this scheme, we adopt type 3 pairing, i.e., . The proposed scheme consists of the following algorithms:

: taking as input a security parameter , KGC performs as follows:
(1) Choose .
(2) Choose two cryptographic hash functions and , where is a positive integer.
(3) Compute .
(4) For , choose and compute .
(5) Choose , and compute .
(6) Publish the system parameter

and keep secret the master secret key .

: taking as input the master secret key and an identity , KGC computes the private key for as follows. For convenience, given an identity whose corresponding hash value is , we define a function .
(1) Choose 
(2) Compute 
(3) Set the private key 

: taking as input an identity set for a positive integer and a message , the sender performs as follows. For convenience, given an identity whose corresponding hash value is , we define a function .
(1) Choose .
(2) For , compute .
(3) Compute for , and .
(4) Compute , and .
(5) The ciphertext is .

: taking as input a ciphertext and a private key , a user performs as follows. For , compute and . Then the user computes and checks whether . If the equality holds, then output . If the equality does not hold for any , then output .

Correctness. Assume that (say ) and . Note that since the discrete logarithms of both sides are equal. We have
and thus

Besides, the integrity of the ciphertext and the message can be verified by whether .

Remark 3. In the computation of (), it seems that many scalar operations for () must be performed. However, we can construct an index set , where , before computing (). We then compute (). Therefore, we can compute () using at most cheap group operations.

4. Security Proofs

Theorem 1. The proposed AMRIBE scheme is -IND-MID-CCA secure in the standard model if the -DBDH-3 assumption holds, where and ( is the maximum number of queries and is the time required for a pairing).

Proof. Given , the challenger simulates the following game for the adversary :
Setup: performs as follows:
(1) Choose two cryptographic hash functions and , where is the length of an identity.
(2) Set .
(3) For , choose and compute .
(4) Choose , and compute .
(5) Set the master secret key .
(6) Send the system parameter
Phase 1: in this phase, is allowed to make queries to the and oracles. Since knows the master secret key , it can answer and queries in the same way as the proposed scheme.
Challenge: sends and a set of receivers for a positive integer to , where are two distinct messages with the same length, and has not been queried in Phase 1 for . Then performs as follows:
(1) Choose , compute 
(2) Compute 
(3) Set 
(4) For , let , compute 
(5) Compute , and 
(6) Output the challenge ciphertext 
Phase 2: makes the same queries as in Phase 1. However, is unable to query and for .
Guess: finally, outputs a bit and wins the game if . Then, outputs 1 if wins the game; otherwise, outputs 0.
Perfect simulation: since has full control of the master secret key , the oracle and the oracle can be simulated perfectly. As for the challenge ciphertext , we implicitly set . If , then we have that
(i) 
(ii) 
(iii) 
(iv) For 
(v) 
Therefore, the challenge ciphertext is well formed. If is a random element in , then the distribution of is independent of ’s view, and thus the advantage will be 0.
Probability analysis: we then analyse the advantage with which breaks the DBDH-3 assumption. If , we have . If is a random element in , we have . Therefore, we have
Time complexity: let be the maximum number of queries. Since in each query needs to perform at most pairings, where is the size of the receiver set, we have that , where is the time required for a pairing.
Tightness analysis: according to the definition given in Section 2.5, a reduction is said to be tight if and . From the above analysis, we have that and . Since the DBDH-3 problem is assumed to be hard, we have , where is the security parameter and is an exponential function in . On the other hand, and , where and are polynomials in . Therefore, we know that .

One may wonder whether, since the reduction algorithm is able to generate a private key for any ID and accepts any IDs for the challenge ciphertext, the reduction algorithm could generate a private key for and decrypt to check whether . Note that our proof strategy is similar to that of [28]. The challenge ciphertext is structured such that, if we decrypt it with the private key for , the decryption procedure succeeds no matter what the value of is. In the decryption algorithm, we recover the message . In the reduction algorithm, we can see that both are valid no matter what the value of is. Thus, if we compute , then we will have . This leads to

Theorem 2. The proposed AMRIBE scheme is -ANON-MID-CCA secure in the standard model if the -DBDH-3 assumption holds, where and ( is the maximum number of queries and is the time required for a pairing).

Proof. Given , the challenger simulates the following game for the adversary :
Setup: performs as follows.
(1) Choose two cryptographic hash functions and , where is a positive integer.
(2) Set .
(3) For , choose and compute .
(4) Choose , and compute .
(5) Set the master secret key .
(6) Send the system parameter
Phase 1: in this phase, is allowed to make queries to the and oracles. Since knows the master secret key , it can answer and queries in the same way as the proposed scheme.
Challenge: sends , , and a set of identities for a positive integer to , where has not been queried in Phase 1 for . Then performs as follows:
(1) Choose , compute 
(2) Compute 
(3) Set 
(4) For , let , compute 
(5) Compute , where 
(6) Output the challenge ciphertext 
Phase 2: makes the same queries as in Phase 1. However, is unable to query and for .
Guess: finally, outputs a bit and wins the game if . Then outputs 1 if wins the game; otherwise outputs 0.
Perfect simulation: since has full control of the master secret key , the oracle and the oracle can be simulated perfectly. As for the challenge ciphertext , we implicitly set . If , then we have that
(i) 
(ii) 
(iii) 
(iv) For 
(v) 
Therefore, the challenge ciphertext is well formed. If is a random element in , then the distribution of is independent of ’s view, and thus the advantage will be 0.
Probability analysis: we then analyse the advantage with which breaks the DBDH-3 assumption. If , we have . If is a random element in , we have . Therefore, we have
Time complexity: let be the maximum number of queries. Since in each query needs to perform at most pairings, where is the size of the receiver set, we have that , where is the time required for a pairing.
Tightness analysis: according to the definition given in Section 2.5, a reduction is said to be tight if and . From the above analysis, we have that and . Since the DBDH-3 problem is assumed to be hard, we have , where is the security parameter and is an exponential function in . On the other hand, and , where and are polynomials in . Therefore, we know that .

5. Comparisons

In this section, we compare our scheme with the existing schemes in both properties and efficiency. The notations used in this section are shown in Table 1, and the comparisons of properties and performance between our scheme and the existing works are shown in Tables 2 and 3, respectively. For convenience, we set the following scenario to quantify the efficiency. When a sender wants to share a file with receivers, she/he first encrypts a symmetric key using the algorithm of an AMRIBE scheme and then encrypts the file with this symmetric key. The “Encryption cost” is the computation cost of generating the ciphertext for the symmetric key, and the “Ciphertext Length” is the bit length of the ciphertext for the symmetric key. When a receiver wants to recover the shared file, she/he first recovers the symmetric key using the algorithm of the AMRIBE scheme and then recovers the shared file. The “Decryption Cost” in the following tables is the computation cost of recovering the symmetric key. In the comparison of computation cost, we mainly consider the costs of the heavy operations, such as scalar operations in and pairings, and omit lightweight operations, such as hash functions and symmetric encryption, since the former are much more costly than the latter. To better evaluate the efficiency, we assume that the number of receivers for a ciphertext is and that an identity is a string of bits. From [42], we have that and bits in prime order groups at the 128-bit security level. Besides, we take the implementation of the Map-To-Point function given in [2] as the Map-To-Point function used in these papers, and we have . Some of the existing schemes use a symmetric encryption function to encrypt the message. For convenience, we assume that the message length and the symmetric key length are 256 bits. We also assume that the lengths of the outputs of the hash functions and symmetric encryption functions in these schemes are 256 bits.


Table 1: Notations.
The cost of a scalar operation in
The cost of a scalar operation in
The cost of a pairing operation
The cost of a Map-To-Point function
bits: The length of a symmetric key/symmetric ciphertext
bits: The length of the output of a hash function
bits: The length of an element in
bits: The length of an element in
bits: The length of an element in
bits: The length of an identity
ROM/STD: The random oracle model/the standard model
Ful/Sel: The full-ID model/The selective-ID model
Ours: The proposed AMRIBE


Table 2: Comparison of properties.
Scheme | Confidentiality | Anonymity (Outsider) | Anonymity (Insider) | Security Model | Tightness | Ful/Sel
[15] | CCA | ROM | Yes | Sel
[18] | CCA | CCA | ROM | Yes | Ful
[43] | ROM | No | Sel
[44] | ROM | Yes | Sel
[45] | ROM | Yes | Sel
[46] | ROM | No | Sel
[47] | CCA | CCA | ROM | Yes | Sel
[48] | ROM | Yes | Sel
[49] | ROM | No | Ful
[50] | CCA | CCA | ROM | No | Sel
[17] | CCA | CCA | CCA | ROM | Yes | Sel
Ours | CCA | CCA | CCA | STD | Yes | Ful


Table 3: Comparison of performance.
Scheme | Ciphertext length | Encryption cost | Decryption cost
[15] | bits | ms | ms
[18] | bits | ms | ms
[43] | bits | ms | ms
[44] | bits | ms | ms
[45] | bits