Anonymous multireceiver encryption scheme can not only protect the privacy of the receiver but also ensure the security of message. However, the computational cost of this scheme is very large. It is not suitable for the sender which has limited resources, such as mobile devices and sensor nodes. In this work, an anonymous multireceiver online/offline identity-based encryption is proposed based on offline/online and identity-based encryption (IBE). In identity-based encryption scheme, the sender can encrypt the message using the unique information of the user (such as identity number or e-mail address) as its public key. The receiver obtains the private key from a central authority. For mobile device with limited resource, the online/offline encryption scheme can reduce the computational cost. Compared to the previous anonymous multireceiver schemes, the proposed scheme can efficiently encrypt message with offline/online method and ensure the anonymity of receivers. The analysis results also show that our scheme is efficient in terms of computational cost by comparing to the previous works.

1. Introduction

Multireceiver communication [1] is a crucial way to send and receive message. It can effectively solve the problem of key management and data sending. Multireceiver encryption also is converted to broadcast encryption [2] in certain extent. In multireceiver encryption strategy, the sender/encryptor can select any receiver. In broadcast encryption scheme, the sender/encryptor sends message to a group of users; only the legal uses can decrypt the ciphertext. This scheme is widely used in pay-TV applications, the distribution of copyright materials, etc.

In [3], the authors use the idea of identity-based encryption (IBE for short) for reference. The identity information of the receiver is converted to a public key. The receiver’s private key which is distributed by a Key Generator Center (KGC) is connected with the identity information. The receiver can use the private key to decrypt the ciphertext. In [4], Lu and Hu addressed a pairing based multireceiver encryption scheme which can broadcast sensitive information in a complex environment, but it did not protect the privacy of the users. That is to say, this scheme cannot reach the anonymity of the users. A secure and efficient anonymous multireceiver IBE scheme was proposed in [5]. Based on [5], an anonymous multireceiver IBE scheme was improved by Wang et al. [6]. The proposed method cannot truly attain the anonymity of the receiver's information, and the receiver's privacy was not protected. In [5, 6], a legal receiver can easily verify whether a specific user is one of the legal receiver or not using only two bilinear pairing computational costs. Li et al. [7] analyzed the security vulnerabilities that exist in [6], but they did not give specific solutions. In order to deal with the privacy of the legal receivers, a really anonymous multireceiver IBE scheme was proposed in [8]. In the proposed scheme, all users can receive the broadcast ciphertext of the sender/encryptor, but only the receiver which was selected by the sender/encryptor can decrypt the ciphertext information. No one except the sender knows who the receiver is. The key issue of this scheme is how to design encryption scheme by using Lagrange interpolation function. Chien [9] proposed an improved scheme which can achieve the receiver’s anonymity and enhance the security of the message. However, in encryption phase, this scheme requires a number of bilinear pairing operations which is proportional to the number of receivers. He et al. [10] addressed an efficient certificateless anonymous multireceiver encryption scheme according to elliptic curve cryptography for devices with limited resources. The anonymous multirecipient IBE scheme can be used in pay per-view TV channel and sensitive program order. The receiver does not want any other receivers to know his or her identity information.

In IBE, the computational cost of multiplication and exponentiation operations in groups is larger. It takes much more time and battery power to execute exponential operations for the receiver with limited energy such as mobile phones or mobile devices. In IBE, data encryption needs bilinear pairing operation which can increase the runtime of encryption because the computational cost of bilinear pairing operation is very large. It is difficult to complete the encryption task in a short time for lightweight devices such as wireless sensor nodes or smart cards. Moreover, the anonymous multireceiver IBE takes more time compared to standard IBE.

One challenge in the anonymous multireceiver IBE is that the added functionality may increase the computation cost compared to standard public key cryptography. Online/offline technology can effectively reduce encryption time. The first online/offline IBE scheme was proposed by Guo et al. [11]. The scheme divided the encryption process into two stages: online stage and offline stage. In offline stage, the complex operation is preprocessed. In online encryption stage, the sender performs simple operations and generates the ciphertext. The online phase would be very fast. Moreover, it requires little computational cost in this phase. The online/offline encryption strategy is more suitable for lightweight equipment such as wireless sensor nodes or smart cards [12, 13]. Online/offline identity-based encryption scheme has attracted extensive attention, and series of research results have emerged [1416]. Recently online/offline technology is also used in attribute-based encryption [17, 18]. However, previous literatures did not apply the online/offline scheme to the anonymous multireceiver IBE.

In this article, we concentrate on multireceiver IBE scheme that takes into consideration online/offline encryption. The offline information cannot be reused in previous work. In our proposed scheme, a few operations can be done in offline phase. The offline ciphertext which is computed in offline phase can be reused for the same receiver sets. This method can reduce the computation cost for the senders when they encrypt the message to the same receive sets.

Our motivating application for the work in this way is mobile device with limited resources. The preparation computation can be done while the mobile device is plugged into a power supply, and then when it is on the move without plugging, it performs the encryption operations with little computational cost.

The structure of this work is organized as follows. Section 2 reviews the cryptographic backgrounds and Section 3 describes an anonymous multireceiver online/offline identity-based encryption. The security proof and performance analysis are given in Section 4. Finally, Section 5 is the conclusions of this work.

2. Preliminary

Some fundamental backgrounds related to this work are given in this section.

2.1. Lagrange Interpolation Theorem

Fitting the curve through these points can be expressed as follows [6]:where for each is mapped by identity information of the receiver.

2.2. Bilinear Maps

Let and be two multiplicative cyclic groups with the same prime order . Let be a generator of . Let be a bilinear map which has the following properties [19]:(1)Bilinearity: and ,  (2)Nondegeneracy: , such that . 1 denotes the identity element of .(3)Computability: ; there is an efficient polynomial algorithm to calculate

According to the bilinearity, the bilinear mapping has the following specific property:

2.3. Hard Problems

The following security assumptions are used in many encryption schemes. We will use them to deal with some problems in our scheme. In our paper, denotes the generator of .(1)Computational Diffie-Hellman problem: given for any , compute (2)Bilinear Diffie-Hellman (BDH) problem: given for some compute .(3)Cobilinear Diffie-Hellman (Co-BDH) problem [6]: given for any and , compute .(4)Codecision bilinear Diffie-Hellman (Co-DBDH) problem [6]: given for any , and , decide whether .(5)Codecision bilinear Diffie-Hellman (Co-DBDH) assumption [5]: an algorithm with an output has advantage in solving the Co-DBDH problem if (6)Given two groups and of the same prime order , , , a generator of , and a bilinear map -bilinear Diffie-Hellman inversion (-BDHI) problem is to compute .(7)Given two groups and of the same prime order , , , , a generator of , and a bilinear map the modified bilinear inverse Diffie-Hellman (mBIDH) problem is to compute .

2.4. Security Definition

According to the works [3, 5, 6], a general model and security formalization problem is given. Security formalization problem is indistinguishability encryptions of chosen ciphertext attacks, under selective multi-ID (IND-CCA-sMID for short) [5, 6]. The notion of IND-CCA-sMID is given as follows.

Definition 1 ((IND-CCA-sMID) [5, 6]). Let be a polynomial-time algorithm attacker. Symbol denotes a general multireceiver IBE scheme. Attacker interacts with the challenger in the following steps.
Setup. The challenger executes the setup algorithm. Attacker attains the resulting public parameters from challenger. The attacker does not know any information about private key. The challenger keeps the master key secret.
Phase 1. outputs multiple targets identities where denotes a positive integer.
Phase 2. publishes private key extraction queries. When a private key extraction query with identity is received, the challenger obtains private key by running the private key extraction algorithm. The only constraint is that for
Phase 3. publishes decryption queries for target identity information. When a decryption query denoted by for some is received, the challenger creates a private key which is denoted by associated with identity information The challenger returns the information to .
Challenge. outputs a target plaintext message pair ; the challenger randomly selects and creates a target ciphertext information Ciphertext is given to by the challenger.
Phase 4. publishes the private key extraction queries and decryption queries for target identities, and query methods are the same as in phase 2 and phase 3, respectively. Restrictive condition is that
Guess. To the end, outputs the result of conjecture We can say that wins the game if . conjecture advantage is defined as follows:Our scheme is said to be -IND-CCA-sMID secure if the conjecture advantage of any attacker with polynomial running time is less than .

breaks IND-CCA-sMID of with if and only if the conjecture advantage of the attack is not less than with the running time . and denote the number of private of key extraction queries and decryption queries, respectively. Scheme is said to be - IND-CCA-sMID secure if there is no polynomial-time algorithm attacker with that can break IND-CCA-sMID of scheme .

3. The Proposed Encryption Scheme

In this section, we introduce a novel anonymous multireceiver IBE on the basis of offline/online encryption. Our scheme ensures both the confidentiality of the information and the anonymity of the receiver. The process of our encryption scheme is given in Figure 1. As shown in Figure 1, the system framework comprises three types of participants: Sender, Receiver, and KGC.

Sender. The sender encrypts the information and sends the ciphertext message to the designed receivers.

Receiver. The receiver can decrypt the ciphertext message according to the private key.

KGC. It is responsible for the generation of receivers’ private keys.

In this section, an anonymous multireceiver online/offline IBE is proposed according to literature [6, 20]. Our encryption scheme usually consists of six algorithms as follows: Setup, Key extract, Offline encryption, Online encryption, and Decryption. In the following, we will describe the processes of our encryption scheme in detail.

Setup Phase. The algorithm works in setup phase as follows:(1)Pick a random value (2)Compute .(3)Select six one-way hash functions.

,  ,  ,  , ,  , ,  ,   The symbols , and are some positive integers. They denote the length of binary data.(4)Issue the public parameters and make the private key secret.

Private Key Extract Phase. Input public parameters and the identity information of the receiver, and the PKC executes the algorithm as follows:(1)Compute .(2)Compute the secret key for the identity of the receiver as

Offline Encryption Phase. In this phase, the sender computes the following steps:(1)Randomly choose and compute ;(2)For , randomly choose , and computer .(3)Pick a random ; compute .(4)For , randomly choose ; compute .(5)For , compute(6)For , compute

Online Encryption Phase(1)According to the identity information, compute each potential receiver’s and .For to , compute and .(2) can be calculated, respectively, as follows:For to , compute

Inputting message and selecting identities of the receivers, the sender performs the following steps.

Compute , where denotes the symmetric encryption function.

For to , computeThe result ciphertext is .

Decryption. Given ciphertext information , the legal receiver uses the private key to perform the tasks as follows:(1)Compute .(2)Compute .(3)Compute .(4)Compute and separate to obtain .(5)Compute , where denotes the symmetric decryption function. Test whether or not. Decrypted message is message if equality holds.

4. Security and Performance Analysis

In Section 4, we first give the correctness analysis of our scheme, and then we compare security and computational cost with the previous literatures [5, 6, 8, 9].

4.1. Security Analysis

In Section 4.1, the correctness and security of our encryption scheme are analyzed.

4.1.1. Correctness

For each authorized receiver, it can decrypt the ciphertext by the following way. First, it can compute and then recover the message in the following way:

For each authorized receiver with identity , the receiver can compute and structure function . It can obtain using Lagrange interpolating polynomial theorem.The receiver can obtainThus, the authorized receiver can perform the following steps:(1).(2)Separate to obtain .(3)Finally, the authorized receiver decrypts the ciphertext .

4.1.2. The Confidentiality of Message

In order to decrypt the ciphertext information, the decryptor should know the symmetric secret key .

From , we can know that the only way to obtain the symmetric secret key is to calculate . If decryptor is not an authorized receiver, he/she would deal with the Co-BDH problem to compute . In order to make our paper rigorous and complete, Theorem 2 is given in detail according to the proving process of papers [5, 6].

Theorem 2. Our proposed scheme is - IND-CCA-sMID secure under the -codecision bilinear Diffie-Hellman assumption, where and . , and denote the number of queries of hash functions ,, and

Proof. Assume that is a attacker that can break our scheme . The challenger can resolve the Co-DBDH problem with advantage in runtime time by using . According to the Co-DBDH assumption, the confidentiality of the proposed scheme can be guaranteed.
Assume that is given the tuple as an instance of the Co-DBDH problem. simulates the challenging environment in IND-CCA-sMID game for as follows.
Phase 1. Assume that output is the target identity information where is a positive integer.
Setup. sets and . gives the public parameters to the attacker where and is a positive integer and denotes the number of all users. Let store the results of querying hash functions , respectively.
-Query. Input identity information to . checks If there exists in return Otherwise, do the following steps:(1)Pick a randomly integer (2)Put to (3)Return -Query. Input identity information to . checks the If there exists in return Otherwise, do the following steps:(1)Pick a randomly integer (2)If compute else compute (3)Put to (4)Return -Query. Input to . checks the If there exists in , return Otherwise, do the following steps:(1)Pick a randomly string (2)Put to and return -Query. Input to . checks If there exists in return . Otherwise, do the following steps:(1)Pick a randomly string (2)Put to and return -Query. Input to . checks . If there exists in where ,  ,   return . Otherwise, do the following steps:(1)Pick a randomly sting and compute (2)Put to and return -Query. Input to . checks . If there exists in return Otherwise, do the following steps:(1)Pick a randomly string (2)Put to and return Phase 2. issues private key extraction queries for where . does the following steps:(1)If there exists in , then compute ; otherwise, pick a randomly integer and compute , (2)Put to and return to .Phase 3. issues decryption query for identity information where and . does the following steps:(1)Search to obtain when If not found, return “reject” to (2)Compute (3)Compute (4)Computewhere(5)Set and separate from (6)Test whether or not. If not, return “reject” to ; else return to Challenge. outputs a plaintext information pair When receiving , does the following steps:(1)Randomly pick (2)For search to obtain according to .(3)Set and .(4)For computewhere .(5)Pick a randomly integer . For compute(6)Compute .(7)Set , where and create a target ciphertext information , where (8)Return to attacker Phase 4. publishes private key extraction and decryption queries, and they are the same as phases 2 and 3. The constraint condition of decryption queries is that
Guess. To the end, outputs the guessing result If then outputs 1; else it outputs 0. If thenThat is to say, is a valid ciphertext message. Otherwise, is a randomized element of and is invalid. According to the above constructions, simulates the random oracles hash function , the private key extraction, and the decryption queries in phases 2, 3, and 4 successfully. So, we havewhere , and , is a random element in Hence, we obtainThus, and . , and denote the number of queries to hash function, , and

4.1.3. The Anonymity of Receivers

Fan et al.’s encryption strategy [5] cannot satisfy the anonymity of multireceiver. Every legal receiver can easily verify whether anyone is a legal receiver or not. A legal receiver with identity can compute, where denotes the identity information of the receiver. If equation holds, the receiver with identity is an authorized receiver. In order to achieve multireceiver anonymously, Wang et al. [6] improved the multireceiver anonymous encryption scheme. For a ciphertext, are fixed 9 in their scheme. The authorized receiver with identity information can obtain value from decryption process, although the numerical value of symbol is randomly generated in encryption stage. If the equation holds, the receiver with identity also is an authorized receiver. Random number can be recovered by symmetric key and message . Unfortunately, their encryption scheme cannot protect the privacy of the receiver. That is to say, it did not satisfy the anonymity of the receiver.

In our proposed scheme, the above problems are solved. Only the authorized receiver can decrypt ciphertext information. Each receiver does not know whether others are authorized receivers or not. Thus, the privacy of the user can be protected.

Theorem 3. Our scheme satisfies the anonymity of receiver if the Co-DBDH problem is hard.

In this work, we do not give the proofs of Theorem 3. We can refer to literature [9] and literature [8] for details.

Theorem 4. In the random oracle model, our scheme is IND-CCA2 secure under the q-BDHI and mBIDH assumptions.

This proof is similar to the proof of literature [21, 22]. Please refer to literature [21, 22] for details.

4.2. Performance Analysis

In this section, the computational consumption of our scheme is given. In order to analyze the computational performance, some notations of the symbols are summarized in Table 1.

The implementation environment is on a mobile phone (Samsung Galaxy S5 with a Quad-core 2.45G processor, 2G bytes memory, and the Google Android 4.4.2 operating system) [10]. The implementation runtime results of main operations are listed in Table 2 [10, 23]. The efficiency comparison is summarized in Tables 3 and 4. The computational cost in our scheme is compared to literature [5, 6, 8, 9]. In addition, the mentioned five schemes contain encryption and decryption computational cost. From Table 5, we can see that our scheme is nearly identical to the ciphertext length of other schemes in [5, 6, 8, 9]. As shown from Table 6, our offline/online encryption scheme is the same as literature [8, 9], and encryption schemes of them are anonymous. However, literature [8] and literature [9] do not use the offline/online encryption scheme.

From Tables 3 and 4, we can see that our scheme needs one bilinear pairing operation and three bilinear pairing operations in encryption phase and decryption phase. The number of bilinear pairing operation increases linearly with the number of recipients in encryption and decryption phase in literature [9]. Bilinear pairing operation requires a lot of calculation consumption. It is not suitable for mobile devices with limited energy. From Table 6, we know that only our scheme uses offline/online encryption.

In order to give an intuitive knowledge, Figures 2 and 3 also describe the computational cost in encryption and decryption schemes, respectively. Symbol denotes the number of authorized receivers in Figures 2 and 3. According to Tables 2 and 3, we can easily compute the runtime of encryption and decryption scheme at different literatures [5, 6, 8, 9]. The computational cost on encryption and decryption is summarized in Figures 2 and 3, respectively. From Figure 2, we can see that the computational cost in [9] is the least, and our proposed scheme consumes little computation time in encryption. Literature [9] does not use offline/online encryption, and computational cost in our proposed scheme contains runtime of offline encryption and online encryption. When receivers decrypt the ciphertext, our scheme consumes the minimum computation time. As legal receiver increases, the computational cost increases gradually in Figures 2 and 3.

5. Conclusion

Finally, conclusion and future work are summarized. An anonymous multireceiver online/offline identity-based encryption was proposed in our work. We developed an efficient offline/online encryption scheme which can ensure the anonymity of the receiver. Our scheme divided encryption into two phases: offline and online. A sender can do a lot of preparatory calculations on offline phases, and a receiver can encrypt the message with little computational cost on online phases. The computational cost of the receivers was improved in the proposed scheme. The analysis results demonstrated that our scheme is secure and efficient, and it is suitable for mobile devices. The preparation computation can be done while mobile device is plugged into a power supply. When it is on the move without plugging, it performs the encryption operations with little computational cost.

An interesting future work is that we will pay more attention to anonymous attribute-based encryption using offline/online scheme for mobile devices.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare no conflicts of Interest.


The work is supported by the Supporting Fund for Teachers’ Research of Jining Medical University (no. JY2017KJ053), Qing Lan Project of Jiangsu Province, 1311 Talent Plan Foundation of Nanjing University of Posts and Telecommunications, and Doctoral Research Fund of Jining Medical University.