#### Abstract

Multireceiver identity-based encryption is a cryptographic primitive, which allows a sender to encrypt a message for multiple receivers efficiently and securely. In some applications, the receivers may not want their identities to be revealed. Motivated by this issue, in 2010, Fan et al. first proposed the concept of anonymous multireceiver identity-based encryption (AMRIBE). Since then, lots of literature studies in this field have been proposed. After surveying the existing works, however, we found that most of them fail to achieve provable anonymity with tight reduction. A security proof with tight reduction means better quality of security and better efficiency of implementation. In this paper, we focus on solving the open problem in this field that is to achieve the ANON-IND-CCA security with tight reduction by giving an AMRIBE scheme. The proposed scheme is proven to be IND-MID-CCA and ANON-MID-CCA secure with tight reduction under a variant of the DBDH assumption. To the best of our knowledge, this is the first scheme proven with tight reducible full CCA security in the standard model.

#### 1. Introduction

Identity-based encryption (IBE) is a large class of public key encryption in modern cryptography. The concept of IBE was first proposed by Shamir [1] in 1984, and the first practical construction was independently proposed by Boneh and Franklin [2] and Cocks [3] in 2001. In an IBE scheme, a user can use any string as her/his public key, such as national identifier number and e-mail address.

It is a natural question to ask how to design a multireceiver IBE to encrypt a message with better efficiency compared with individually encrypting to each user in terms of either computation cost or communication cost. Such a cryptographic primitive is popular in advanced applications such as video conferencing, pay-per-view TV [4–8], and distance education. The notion of multireceiver identity-based encryption (MRIBE) was first considered by Beak et al. [9] in 2005. In an MRIBE scheme, the input of the encryption algorithm is a set of identities rather than a single identity. A user who is selected in the set is able to decrypt the ciphertext. MRIBE then drew the attention of the research community, and lots of results [10, 11] have been proposed.

Another notion similar to MRIBE is identity-based broadcast encryption (IBBE) [12–14]. An IBBE scheme is usually designed in the sense of key encapsulation mechanism (KEM), where the encryption algorithm takes as input only a set of identities and outputs a header and an encryption key. To encrypt a message, one then uses the encryption key with a data encryption mechanism (DEM), such as DES and AES. A user whose identity is selected in the set can use her/his private key together with the header to recover the encryption key. On the other hand, an encryption scheme can be regarded as a key encapsulation mechanism by simply setting a ciphertext as the header and the corresponding plaintext as the encryption key. In this paper, we will treat MRIBE and IBBE as the identical notion.

In some situations, such as ordering sensitive TV programs, the customers may expect that their identities are not revealed. In consideration of privacy-preserving, Fan et al. [15] first introduced the concept of anonymous multireceiver ID-based encryption (AMRIBE) in 2010. Anonymity is defined as that no one should know the identities of the receivers except the encryptor. They also proposed a multireceiver ID-based encryption scheme using Lagrange interpolating polynomials. Unfortunately, their scheme was pointed out to be flawed by Chien [16] in 2012. In Fan et al. scheme, anyone given a ciphertext is able to reveal the receivers. Chien further indicated that the security model defined in [15] does not cover all of the multireceiver scenarios. He also proposed an improved AMRIBE scheme in [16]. Since then, many results of AMRIBE have been proposed [17–25].

After examining these AMRIBE schemes, we found that there is no AMRIBE scheme achieving full-ID security with tight reduction against chosen-ciphertext attacks. Filling the gap is significant for the researches of AMRIBE in terms of both theoretical and practical aspects.

Most of the existing AMRIBEs are only proven to be secure in the weaker “selective-ID” model, where the attacker must commit a target receiver set that it will attack at the beginning of the security game. The selective-ID model might not be appropriate for the attack model in a realistic environment, since the attackers should be able to adaptively choose their target after learning some information of the system. This characteristic is captured by another stronger model called “full-ID” model, where the attacker chooses the target at the challenge phase rather than at the beginning. In [26, 27], Boneh and Boyen show that a selective-ID secure IBE can also be proven to be full-ID secure. Roughly speaking, a challenger can make a guess on which identity, said , will be targeted at the challenge phase before it starts the simulation. If the adversary makes a query with or does not activate the challenge phase with , then the simulation is aborted. However, the proof strategy makes the reduction “lossy,” i.e., the reduction is not tight. Let be the number of allowed identities, then the reduction will lose a factor of . That is, if the adversary wins the security game with advantage , then the challenger only guarantees to solve the underlying hard problem with advantage (actually the analysis should take the running times into consideration. Here, we simply assume that the running times of the adversary and the challenger are asymptotically equivalent). More details can be referred to [26, 28].

A lossy reduction is not merely a theoretic problem; it also relates to the efficiency and efficacy of the entire system. We give a simple example for the (informal) analysis as follows. If we want to build an IBE system based on the DBDH assumption with 80-bit security level, and assume , then we need to adopt a DBDH-hard group whose order is due to the lossiness. This will make the entire system inefficient since we need a longer bit representation for the group of larger order [29]. Therefore, achieving tight reduction is a significant goal for an encryption scheme, since it affects both security and efficiency. The tight reduction allows one to construct an encryption scheme with the same security level as the underlying hard assumption. We refer the readers to [30] for more detailed examples.

The consequence of a lossy reduction will be much more worse when it comes to more complex primitives, such as AMRIBE. In the security game of AMRIBE, an adversary activates the challenge phase with receivers, where can be any positive number smaller than the number of the total possible identities. Assume that we set an identity to be an -bits string, then a challenger needs to guess the target receiver set from different combinations. This makes the scheme impractical, since either the bit length of the representation for the underlying group will be exponentially large, or the reduction will be successful only with negligible advantage in the security proof.

##### 1.1. Contributions

For both practical and theoretical reasons mentioned above, in this paper, we propose the first AMRIBE scheme achieving full-ID security in confidentiality and anonymity with tight reduction. It is worth noting that the security of our scheme is proven in the standard model, i.e., without random oracles. The random oracle model [31] is a heuristic and idealized model used to help people to prove the security of cryptographic primitives. In the security proofs, one usually models a cryptographic hash function as a random oracle. However, there are schemes proven secure in the random oracle models while being insecure when implementing the random oracle with any hash function in the real world [32, 33]. To the best of our knowledge, our scheme is the first and only one to achieve IND-MID-CCA/ANON-MID-CCA security (the abbreviation of “Indistinguishability under full-multi-ID chosen-ciphertext attacks” and “Anonymity under full-multi-ID chosen-ciphertext attacks”) with tight reduction in the standard model. Besides, compared with other existing schemes, the encryption cost is low. Therefore, our scheme fits the scenario that a sender needs frequently to send messages for large amount of users, such as e-mail systems with receiver anonymity.

##### 1.2. Organization

The remainder of this paper is organized as follows. Section 2 presents some preliminaries, specifically our security notions and the complexity assumptions that will be used in the security proofs. In Section 3, we introduce our AMRIBE scheme. Section 4 provides security proofs for the confidentiality and anonymity of our proposed scheme. Next, we show the comparison between our scheme and the existing works in properties and performances in Section 5. Finally, Section 6 concludes our work and provides future research directions.

#### 2. Preliminaries

##### 2.1. Notations

In this paper, we use multiplicative group representation. For where , we mean the successive integer set from to , i.e., . Furthermore, for an integer , denotes the integer set . For a set , by “” we mean “choose uniformly from ”. For an algorithm , by “,” we denote “ is the output of ”. For a bit-string , we denote the -th bit of as .

##### 2.2. Bilinear Mapping

*Definition 1. *Let , and be three multiplicative cyclic groups of prime order . A bilinear map (pairing) satisfies the following properties in which is a generator of , respectively.(i)Bilinearity: .(ii)Nondegeneracy: if , the identity element of , then either is the identity of or is the identity of .(iii)Computability: there exists an efficient algorithm to compute the function .

In this paper, we use type 3 pairings [34, 35], where and no efficient computable isomorphisms between are known.

##### 2.3. Complexity Assumptions

The security of the proposed scheme is based on a variant of the decisional bilinear Diffie–Hellman (DBDH) problem, called DBDH-3 problem [36–39]. Let , and be three multiplicative cyclic groups of prime order , where is a generator of , respectively. Let be a type 3 pairing.

*Definition 2. *(a variant of DBDH problem in type 3 pairing groups—DBDH-3). Given , where decide whether or a random element in .

We say that an algorithm that outputs a bit has the advantage in solving the DBDH-3 problem if

*Definition 3. *(the DBDH-3 assumption). We say that the -DBDH-3 assumption holds if no -time algorithm has advantage at least in solving the DBDH-3 problem. We occasionally drop for simplicity.

##### 2.4. Anonymous Multireceiver Identity-Based Encryption

An AMRIBE scheme consists of the following algorithms:(i): this algorithm takes as input a security parameter and outputs the master secret key and the system parameter . Note that all algorithms except Setup will implicitly take param as one of the inputs, and thus, we will omit the term param for simplicity.(ii): this algorithm takes as inputs the master secret key and an identity and then outputs the private key for user .(iii): this algorithm takes as inputs an identity set for any positive and a message and then outputs a ciphertext .(iv): this algorithm takes as inputs a ciphertext and a private key for and then outputs a message or a dedicated error symbol .

*Correctness*. For all :(i)If , then (ii)If , then

###### 2.4.1. Confidentiality

Next, we will give the security definition for confidentiality. Consider the following game played between a challenger and an adversary . The security game consists of four phases as follows: Setup: generates the system parameter and sends it to . Phase 1: is allowed to make queries from the following oracles: : makes a query with an identity , and returns the private key to : makes a query with a ciphertext and an identity , and returns the result of Challenge: the adversary submits two messages with the same length and a target identity set for any positive integer , with the restriction that all identities in should not be submitted to oracle in Phase 1. then randomly chooses and generates . Finally, is returned to . Phase 2: is allowed to make queries as in Phase 1, except for queries with and queries with . Guess: finally, outputs a bit and wins the game if .

One can observe that the above game is modelled for the security notion IND-MID-CCA. The security games for IND-sMID-CCA and IND-MID-CPA can be obtained by forcing to commit before Setup and disallowing to query oracle, respectively. The advantage of winning the game is defined as

We say that an AMRIBE scheme is -IND-MID-CCA secure if all -time adversaries have at most advantage in winning the above IND-MID-CCA game.

###### 2.4.2. Anonymity

Next, we define the anonymity for an AMRIBE. Consider the following game played between a challenger and an adversary . The security game consists of four phases as follows: Setup: generates the system parameter and sends it to . Phase 1: is allowed to make queries from the following oracles: : makes a query with an identity , and returns the private key to : makes a query with a ciphertext and an identity , and returns the result of Challenge: the adversary submits a message , a target identity set , and an identity set for any positive integer , with the restriction that all identities in should not be submitted to oracle in Phase 1. then randomly chooses , sets , and generates . Finally, is returned to . Phase 2: is allowed to make queries as in Phase 1, except for queries with and queries with . Guess: finally, outputs a bit and wins the game if .

The above game is modelled for the security notion ANON-MID-CCA (the security games for ANON-sMID-CCA and ANON-MID-CPA can be obtained by forcing to commit ID^{∗} before Setup and disallowing to query Decrypt oracle, respectively). The advantage of winning the game is defined as follows:

We say that an AMRIBE scheme is -ANON-MID-CCA secure if all -time adversaries have at most advantage in winning the above ANON-MID-CCA game.

*Remark 1. *Note that this definition is actually modelled against insider adversaries, since is allowed to query the private key for , and the encrypted message is chosen by .

*Remark 2. *The ANON-MID-CCA game defined above is slightly different from some existing works, such as [19, 20, 22]. In their definition, submits two different identity sets , where , with the restriction that all have not been queried to oracle. In our model, one can image that and , and thus, , where is minimal. Actually, our model may be a stronger model since we allow an adversary to query as much private keys as possible, as long as the trivial way to win the game is prevented from the adversary.

##### 2.5. Tight Security Reduction

In this section, we introduce the notion of tight security reduction. To prove the security of a cryptographic primitive, we usually construct a reduction between the security of the primitive and a well-studied hard assumption. That is, if there is an algorithm breaks the security of the primitive, then there exists an algorithm that makes black-box use of to solve the hard problem. Assume that the algorithm breaks the primitive with advantage in time , and the algorithm breaks the assumption with advantage in time . In a conventional sense [40], a reduction is said to be tight if and . Another weaker notion of tight reduction is defined in [30, 41]. The quality of a reduction can also be measured by the ratio between and . Let

In the above equation, “” is the “loss” for the reduction. A reduction is efficient if the loss is polynomially bounded. If is constant, then the reduction is said to be weakly tight. From this definition, we can see why an efficient (or ideally, tight) reduction is important. We briefly explain the reason. Assume that , then we have

If is exponentially large, then may be negligible; even if the adversary’s advantage is nonnegligible, we cannot base the security of our protocol on the underlying complexity assumptions.

#### 3. Anonymous Multireceiver Identity-Based Encryption with Tight Reduction

In this section, we demonstrate a novel AMRIBE scheme with tight reduction. The proposed AMRIBE scheme is, to the best of our knowledge, the first such scheme with full security under tight reduction in the standard model.

##### 3.1. The Proposed AMRIBE with Tight Reduction

Let , and be three cyclic multiplicative groups with prime order and be the generators of , respectively. In this scheme, we adopt type 3 pairing, i.e., . The proposed scheme consists of the following algorithms:

: taking as input a security parameter , KGC performs as follows:(1)Choose .(2)Choose two cryptographic hash functions and , where is a positive integer.(3)Compute .(4)For , choose and compute .(5)Choose , and compute .(6)Publish the system parameter

and keep secret the master secret key .

: taking as input the master secret key and an identity , KGC computes the private key for as follows. For convenience, given an identity , where the corresponding hash value is , we define a function .(1)Choose (2)Compute (3)Set the private key

: taking as input an identity set for a positive integer and a message , the sender performs as follows. For convenience, given an identity , where the corresponding hash value is , we define a function .(1)Choose .(2)For , compute .(3)Compute for , and .(4)Compute , and .(5)The ciphertext is .

: taking as input a ciphertext and a private key , a user performs as follows. For , compute and . Then the user computes and checks whether . If the equality holds, then output . If the equality does not hold for all , then output .

*Correctness*. Assume that (say ) and . Note that since the discrete logarithms of both sides are equal. We haveand thus

Besides, the integrity of the ciphertext and the message can be verified by whether .

*Remark 3. *In the computations of (), it seems that lots of scalar operations for () must be performed. However, we can construct an index set , where before computing (). We then compute (). Therefore, we can compute () using only at most cheap group operations.

#### 4. Security Proofs

Theorem 1. *The proposed AMRIBE scheme is -IND-MID-CCA secure in the standard model if the -DBDH-3 assumption holds, where and ( is the maximum number of queries and is the time required for a pairing).*

*Proof. *Given , the challenger simulates the following game for the adversary :

Setup: performs as follows:(1)Choose two cryptographic hash functions and , where is the length of an identity.(2)Set .(3)For , choose and compute .(4)Choose , and compute .(5)Set the master secret key .(6)Send the system parameterPhase 1: in this phase, is allowed to make queries from and oracles. Since knows the master secret key , it can easily answer and queries as the same way as the proposed scheme.

Challenge: sends and a set of receivers for a positive integer to , where are two distinct messages with the same length, and has not been queried in Phase 1 for . Then performs as follows:(1)Choose compute (2)Compute (3)Set (4)For , let , compute (5)Compute , and (6)Output the challenge ciphertext Phase 2: makes the same queries as Phase 1. However, is unable to query and for .

Guess: finally, outputs a bit and wins the game if . Then, outputs 1 if wins the game; otherwise, outputs 0.

Perfect simulation: since has full control on the master secret key , oracle and oracle can be simulated perfectly. As for the challenge ciphertext , we implicitly set . If , then we have that(i)(ii)(iii)(iv)For (v)Therefore, the challenge ciphertext is well formed. If is a random element in , then the distribution of is independent from ’s view, and thus, the advantage will be 0.

Probability analysis: we then analyse the advantage that breaks the DBDH-3 assumption. If , we have . If is a random element in , we have . Therefore, we haveTime complexity: let be the maximum numbers of the queries. Since in each query, needs to perform at most pairings, where is the size of the receiver set, we have that , where is the time required for a paring.

Tightness analysis: according to the definition given in Section 2.5, a reduction is said to be tight if and . From the above analysis, we have that and . Since the DBDH-3 problem is an assume-to-be-hard problem, we have , where is the security parameter and is an exponential function in . On the other hand, and , where and are polynomials of . Therefore, we know that .

One may wonder that, since the reduction algorithm is able to generate a private key for any ID and accept any IDs for the challenge ciphertext, whether it is possible that the reduction algorithm generates a private key for and decrypt to check if . Note that our proof strategy is slightly similar to that of [28]. The challenge ciphertext is structured such that, if we decrypt with the private key for , the decryption procedure will succeed no matter the value of is. In the decryption algorithm, we recover the message . In the reduction algorithm, we can see that both are valid no matter the value of is. Thus, if we compute , then we will have . It leads that

Theorem 2. *The proposed AMRIBE scheme is -ANON-MID-CCA secure in the standard model if the -DBDH-3 assumption holds, where and ( is the maximum number of queries and is the time required for a pairing).*

*Proof. *Given , the challenger simulates the following game for the adversary :

Setup: performs as follows.(1)Choose two cryptographic hash functions and , where is a positive integer.(2)Set .(3)For , choose and compute .(4)Choose , and compute .(5)Set the master secret key .(6)Send the system parameterPhase 1: in this phase, is allowed to make queries from and oracles. Since knows the master secret key , it can easily answer and queries as the same way as the proposed scheme.

Challenge: sends , , and a set of identities for a positive integer to , where has not been queried in Phase 1 for . Then performs as follows:(1)Choose compute (2)Compute (3)Set (4)For , let , compute (5)Compute , where (6)Output the challenge ciphertext Phase 2: makes the same queries as Phase 1. However, is unable to query and for .

Guess: finally outputs a bit and wins the game if . Then outputs 1 if wins the game; otherwise outputs 0.

Perfect simulation: since has full control on the master secret key , oracle and oracle can be simulated perfectly. As for the challenge ciphertext , we implicitly set . If , then we have that(i)(ii)(iii)(iv)For (v)Therefore, the challenge ciphertext is well formed. If is a random element in , then the distribution of is independent from ’s view, and thus, the advantage will be 0.

Probability analysis: we then analyse the advantage that breaks the DBDH-3 assumption. If , we have . If is a random element in , we have . Therefore, we haveTime complexity: let be the maximum numbers of the queries. Since in each query, needs to perform at most pairings, where is the size of the receiver set, we have that , where is the time required for a paring.

Tightness analysis: according to the definition given in Section 2.5, a reduction is said to be tight if and . From the above analysis, we have that and . Since the DBDH-3 problem is an assume-to-be-hard problem, we have , where is the security parameter and is an exponential function in . On the other hand, and , where and are polynomials of . Therefore, we know that .

#### 5. Comparisons

In this section, we give comparisons of our schemes with the existing schemes in both properties and efficiency. The notations used in this section are shown in Table 1, and the comparisons for the properties and performances between our scheme and the existing works are shown in Tables 2 and 3, respectively. For convenience, we set the following scenario to quantize the efficiency. When a sender wants to share a file with receivers, she/he first encrypts a symmetric key using the algorithm of an AMRIBE scheme and then encrypts the file with this symmetric key. The “Encryption cost” means the computation cost to generate the ciphertext for the symmetric key, and the “Ciphertext Length” is the bit length of the ciphertext for the symmetric key. When a receiver wants to recover the shared file, she/he first recovers the symmetric key using the algorithm of the AMRIBE scheme and then recovers the shared file. The “Decryption Cost” in the following tables means the computation cost to recover the symmetric key. In the comparison of computation cost, we mainly consider the costs of some heavy operations, such as scalar operation in and pairing, and omit some lightweight operations, such as hash function and symmetric encryption. The reason is that the former is much more costly than the latter. To better evaluate the efficiency, we may assume that the number of receivers for a ciphertext to be and an identity is a string with bits. From [42], we have that and bits in prime order groups of 128-bit security level. Besides, we consider the implementation of a Map-To-Point function given in [2] as the Map-To-Point function used in these papers, and we have . Some of the existing schemes use a symmetric encryption function to encrypt the message. For convenience, we assume that the message length and the symmetric key length are 256 bits. Also we assume that the lengths of the outputs of hash functions and symmetric encryption function in these schemes are 256 bits.

Here, we compare the proposed AMRIBE schemes with the existing AMRIBE schemes [15, 18, 43–50], whose CCA security has been claimed by their authors. The results are shown in Tables 2 and 3. The computation costs for decryption shown in Table 3 are evaluated in the worst case. That is, a receiver must try all ciphertext components for successful decryption if necessary.

From Table 2, one can observe that our scheme is the first one achieving full security against chosen-ciphertext attacks with tight reduction in the standard model. As we mentioned in the Introduction, those properties are significant in both theoretic and practical points of view. Besides, from Table 3, we can see that, compared with other existing schemes, the encryption cost is low. Therefore, our scheme fits the scenario that a sender needs frequently to send messages for large amount of users, such as e-mail systems with receiver anonymity. However, the efficiency of the proposed scheme can be further improved in decryption cost, i.e., the decryption is almost the slowest among the existing schemes. Another disadvantage is that ours can only be implemented in groups supporting type 3 pairings, which is an additional requirement compared to other schemes.

The symbol “” in Table 2 means that the scheme is claimed to achieve CCA security, but some problem is found. All the cryptanalysis for these schemes can be found in [17, 49, 51, 52], except for [18, 19]. We will give the cryptanalysis for [18, 19] in Section 5.1.

Although the authors of [53] have claimed that their scheme achieves IND-CCA security, they did not prove the anonymity. Therefore, their work is not included in Tables 2 and 3.

Note that we do not list the schemes of [54, 55] in our comparison table because their schemes do not meet the basic requirement of identity-based encryption. In [54], Chen et al. proposed two schemes, and in both of their schemes, KeyGen algorithm needs a receiver set as one of the inputs. However, it is impossible for a user to know the receiver set which will be decided in the future. There are two possibilities: one is that the KGC must be online to generate private keys when a user needs to decrypt and the other is that all the ciphertext must be encrypted for a fixed group. Both assumptions are not practical and against the basic requirements of IBE. The problems of schemes in [55] are the same as that of [54].

Some of the existing schemes [25, 56] are claimed to be CCA secure; however, they actually achieve only CPA security. The reason is that, in their proofs, the partitioning paradigm is used. That is, all the identities will be separated into two disjoint groups, say group A and group B. The challenger can only generate private keys for IDs of group A, while generate challenge ciphertexts for IDs of group B. When an adversary queries private keys with IDs of group B or challenge ciphertexts with IDs of group A, the challenger aborts the simulation. Therefore, if an adversary is only allowed to make decryption queries with IDs of group A, then that is actually equivalent to CPA security only.

##### 5.1. Anonymity Analysis on He et al.’s AMRIBE Scheme

In 2016, He et al. proposed generic construction of AMRIBE [18], which is the preliminary version of [19]. The generic constructions given in the two papers are the same. Due to the page limitation, we give only a high-level overview on the cryptanalysis of He et al.’s AMRIBE scheme. We refer the readers to [18, 19] for more details. The idea of our cryptanalysis is similar to that in [49], where Zhang et al. presented an algorithm for an insider adversary to break the anonymity of the scheme of Zhang and Takagi [50].

In He et al.’s scheme, the component associated with the encrypted message in a ciphertext is with the form . The message is encrypted in with the encryption algorithm of an IND-CPA secure IBE scheme, i.e., , and is used for a selected receiver to confirm whether herself is one of the receivers. However, in order to prove the IND-MID-CCA security, the scheme is designed such that , which means an insider adversary is able to recover after successful decryption. Therefore, given an identity , an insider adversary can easily check whether is also one of the receivers by checking if there exists , such that .

#### 6. Conclusion

Multireceiver identity-based encryption is a one-to-many encryption mechanism which encrypts a message to multiple receivers at the same time efficiently and securely. Such encryption is useful in many applications, e.g., pay-per-view TV, video conferencing, and distance education. Under certain circumstances, users may wish to protect their identities from revealing. To deal with this issue, Fan et al. first proposed the notion of anonymous multireceiver identity-based encryption and gave a concrete AMRIBE scheme. Since then, lots of research studies on these topics have been proposed.

In this paper, we give a novel fully secure AMRIBE scheme. To the best of our knowledge, it is the first and only scheme that achieves the IND-MID-CCA and the ANON-MID-CCA security in the standard model with tight reduction. Moreover, compared with other existing schemes, the encryption cost is low. Therefore, our scheme fits the scenario that a sender needs frequently to send messages for large amount of users, such as e-mail systems with receiver anonymity. There are still some improvements that can be made to our schemes in the future. For instance, the efficiency of the proposed AMRIBE with tight reduction may be further improved, especially in the decryption cost. Besides, due to the thread of the supreme computing power of quantum computers, the researches of postquantum cryptographic primitives are becoming significant. Lots of postquantum ID-based schemes [57–59] are proposed in the literature as well. Hence, another direction for our future research could be figuring out an AMRIBE scheme achieving tight security and CCA security in postquantum setting.

#### Data Availability

No data were used to support this study.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.

#### Acknowledgments

This work was partially supported by the Ministry of Science and Technology of Taiwan under grants MOST 110-2218-E-110-007-MBK, MOST 109-2221-E-110-044-MY2, MOST 110-2923-E-110-001-MY3, MOST 108-2218-E-004-002-MY2, MOST 109-2221-E-004-011-MY3, and MOST 109-3111-8-004-001. It also was financially supported by the Information Security Research Center at National Sun Yat-sen University in Taiwan and the Intelligent Electronic Commerce Research Center from The Featured Areas Research Center Program within the framework of the Higher Education Sprout Project by the Ministry of Education (MOE) in Taiwan.