具有较短密文的可验证的安全匿名多接收者身份加密。.pdf

发布时间：2022-05-29 发布人：admin 分类：说明书资料大小：0.17M 资料格式：pdf 举报版权申诉

weixin_38693476-15955819-16359647241057115694.pdf-第1页.png

第1页 / 共6页

weixin_38693476-15955819-16359647241057115694.pdf-第2页.png

第2页 / 共6页

weixin_38693476-15955819-16359647241057115694.pdf-第3页.png

第3页 / 共6页

weixin_38693476-15955819-16359647241057115694.pdf-第4页.png

第4页 / 共6页

weixin_38693476-15955819-16359647241057115694.pdf-第5页.png

第5页 / 共6页

weixin_38693476-15955819-16359647241057115694.pdf-第6页.png

第6页 / 共6页

文本预览

2014 IEEE 12th International Conference on Dependable, Autonomic and Secure Computing Provably Secure Anonymous Multi-Receiver Identity-Based Encryption with Shorter Ciphertext School of Information Engineering, Dalian Ocean University, Dalian, China Huaqun Wang wanghuaqun@aliyun.com Abstract—Anonymous multi-receiver identity-based encryp- tion (ID-MRE) can protect the receiver identity besides message conﬁdentiality. It can be applied in many ﬁelds, such as VoIP (Voice over Internet Protocol) and pay-TV systems. Based on the bilinear pairings, this paper proposes an anonymous ID-MRE scheme. The proposed scheme satisﬁes the indis- tinguishability of encryptions under selective multi-identity, adaptive chosen ciphertext attacks (IND-sMID- CCA2). On the other hand, it also satisﬁes the anonymous indistinguishability of encryptions under selective multi-identity, adaptive chosen ciphertext attacks (ANON-sMID-CCA2). The security analysis and performance analysis show that our scheme is provably secure and efﬁcient. Keywords-anonymity; multi-receiver; identity-based encryp- tion; provable security; I. INTRODUCTION Public key encryption scheme must satisfy two basic security requirements: security and efﬁciency. The standard security notion for a encryption scheme is indistinguisha- bility against adaptive chosen ciphertext attacks, i.e., IND- CCA2 for short. With respect to efﬁciency, there are two main aspects to consider: computational efﬁciency and com- munication efﬁciency. As a special public key encryption system, multi-receiver encryption can broadcasts a message with a high-level of computational efﬁciency while retaining security. This encryption system can be used in the real world where there are many users, each with a public key. The service provider sends them the encrypted data. Although multi-receiver encryption can solve some problems in the real world, it cannot protect the privacy of receivers. On the other hand, it is very important to protect receiver privacy in some ﬁelds, such as VoIP, pay-TV, et al. Thus, anonymous ID-MRE attracted attentions of some experts from different ﬁelds. It is meaningful to design the anony- mous ID-MRE security model and the concrete anonymous ID-MRE scheme. A. Motivation In the pay-TV or streaming audio/video services, the service provider will encrypt the audio/video and sends the ciphertext to all the receivers who have ordered the program. Upon receiving the ciphertext, the receiver decrypts the ciphertext by using his/her personal private key. When the client orders the sensitive program, he/she usually expects to hide his/her identity even to other receivers. Thus, it is important and necessary to study anonymous multi-receiver encryption scheme. B. Related works The concept of multi-receiver public key encryption was independently formalized by Bellare et al. [1] and Baudron, et al. [2]. It can be used in many ﬁelds, for example, underwater sensor networks [3], large-scale RFID system- s [4], etc. After that, many multi-receiver identity-based encryption schemes are designed [5], [6]. These schemes do not protect receivers privacy. Until 2012, Fan et al. presented an anonymous multi-receiver identity-based en- cryption scheme by taking use of Lagrange interpolating polynomial mechanisms [7]. It’s regretful that their scheme does not satisfy the property of anonymity [8], [9]. After that, Hur et al. proposed a novel privacy-preserving identity- based broadcast encryption scheme by taking use of key encapsulation mechanism [10]. In some situations, such as ordering sensitive TV programmes, a receiver or customer usually expects that any other receiver or customer does not know her/his ID when ordering the TV programmes. Anonymous multi-receiver IBE has a lot of applications. It is necessary to study this type of cryptographic system. In an identity-based public key cryptography system, every user has his/her own identity (ID). These ID may be some meaningful or easily memorized strings. ID-based cryptography has attracted a lot of researchers and has gained some results [11], [12], [13], [14]. Since elliptic curve public key cryptography is more secure than RSA based on the same security level, this cryptography system develops faster. After bilinear pairings were proposed, they are used to design public key cryptographic schemes [15], [16], [17], [18]. Bilinear pairings can also be used to study anonymous ID-MRE cryptographic system. C. Our contributions In this paper, we propose a provably secure anonymous multi-receiver identity-based encryption scheme. The secu- rity analysis and performance analysis show that our scheme is provably secure and highly efﬁcient. 978-1-4799-5079-9/14 $31.00 © 2014 IEEE DOI 10.1109/DASC.2014.24 85

D. Organization The rest of the paper is organized as follows. Section II introduces preliminaries and Section III gives our proposed anonymous ID-MRE scheme. In Section IV, we give formal security proof and efﬁciency analysis on our scheme. Finally, Section V gives the conclusions. II. PRELIMINARIES Anonymous ID-MRE system model and security model are given in this section. At the same time, bilinear pairings and some corresponding difﬁcult problems are also depicted as follows. A. System model and security model In anonymous ID-MRE protocol, there must exist three different entities: KGC (key generation center), Sender and Decrypter. We start with the precise deﬁnition of anonymous ID-MRE scheme, then we give the corresponding security model. Deﬁnition 1 (Anonymous ID-MRE): An anonymous multi-receiver identity-based encryption (anonymous ID- MRE) scheme is a collection of four polynomial time algorithms: Setup, Extract, Encrypt, and Decrypt. 1) Setup: KGC generates the master key s and the other public parameters which include the corresponding master public key Ppub and we denote the public parameter set as params. The parameter set params are publicly known and s is kept secret. 2) Extract: When KGC receives a private key query from a client IDi, KGC runs this algorithm to generate the private key di, i.e., di = Extract(params, s, IDi). Finally, KGC sends di to the client IDi. 3) Encrypt: The encrypter chooses multiple identities S = (ID1, · · · , IDt) of the receivers. Input the system public parameters params and a plaintext message M, the encrypter runs this algorithm to gen- erate the ciphertext C = Encrypt(params, S, M ). 4) Decrypt: When the decrypter IDi receives a cipher- text C, it decrypts C by using the public parameters params and its private key di. Finally, it gets the plaintext M = Decrypt(params, C, di). A secure anonymous ID-MRE scheme must satisfy the two properties: ANON-sMID-CCA2 and IND-sMID-CCA2. ANON-sMID-CCA2 is the abbreviation of selective identity receiver anonymity under the condition of adaptive chosen ciphertext attack. Deﬁnition 2 (ANON-sMID-CCA2): Let A be a polynomial-time adversary and C be a challenger. Let be an anonymous ID-MRE scheme. A interacts with C in the following game: 1) Setup: C runs (params, mpk, msk) ← KeyGen(1ˆk), sends (params, mpk) to the adversary A and keeps conﬁdential the master secret key msk. A outputs the target identity set S = {ID0, ID1}. 2) First-Phase Queries: A adaptively makes a number of different queries to C. Each query can be one of the following. • Extract can adversary queries. The the private key of ask any identity ID. for the private key skID by running C gets Extract(params, mpk, msk, ID) and forwards it to the adversary. Denote the extracted identity set by S1. The restriction is S S1 = φ. • Hash queries. The adversary makes Hash func- tion queries adaptively. C responds the Hash val- ues to the adversary. • Decrypt queries. The adversary makes decrypt queries adaptively. For a query (C ∗, IDi) queried by the adversary, C returns the plaintext M. 3) Challenge: These queries may be asked adaptively, that is, each query may depend on the answers obtained to the previous queries. A set {IDi1, · · · , IDir} and message M. Upon receiving {IDi1, · · · , IDir} and M, C randomly chooses {0, 1} and creates a target ciphertext β ∈R C ∗ = Encrypt(params, IDi1, · · · , IDir, IDβ, M ). Then C returns C ∗ to A. identity outputs the 4) Second-Phase Queries: A issues Extract queries, Hash queries and Decrypt queries similar to First- Phase Queries. In Extract queries, denote the extracted identity set by S2, the restriction is S S2) = φ. In Decrypt queries, the restriction is C = C ∗. (S1 Guess: Finally, A outputs its guess β ∈ {0, 1} and wins the game if β = β. Such an adversary A is referred to an ANON-sMID- CCA2 adversary. We deﬁne A’s guessing advantage as the following: 1 2 | AN ON −sM ID−CCA2 Adv (A) = |P r[β = β] − The scheme is said to be (τ, )-ANON-sMID-CCA2 secure if for any ANON-sMID-CCA2 adversary A, with- in polynomial running time τ, A’s guessing advantage Adv (A) is less than . AN ON −sM ID−CCA2 Deﬁnition 3 (IND-sMID-CCA2): Let a polynomial-time adversary and C be a Challenger. Let be an anonymous ID-MRE scheme. A interacts with C be A in the following game: 1) Setup: C runs (params, mpk, msk) ← KeyGen(1ˆk), sends (params, mpk) to the adversary and keeps conﬁ- dential the master secret key msk. A outputs the target multiple identity set S = {ID1, · · · , IDt} where t is a positive integer. 2) First-Phase Queries: The adversary adaptively makes a number of different queries to C. Each query can be one of the following. 86

• Extract can adversary queries. The the private key of ask any identity ID. for the private key skID by running C gets Extract(params, mpk, msk, ID) and forwards it to the adversary. Denote the extracted identity set by S1. The constraint is S S1 = φ. • Hash queries. The adversary makes Hash func- tion queries adaptively. C responds the Hash val- ues to the adversary. • Decrypt queries. The adversary makes decrypt queries adaptively. For a query (C ∗, IDi) queried by the adversary, C returns the plaintext M. These queries may be asked adaptively, that is, each query may depend on the answers obtained to the previous queries. 3) Challenge: A outputs a target plaintext pair (M0, M1). Upon receiving (M0, M1), C randomly chooses β ∈R {0, 1} and creates a target ciphertext C ∗ = Encrypt(params, ID1, · · · , IDt, Mβ). Then C re- turns C ∗ to A. 4) Second-Phase Queries: A issues Extract queries, Hash queries and Decrypt queries similar to First- Phase Queries. In Extract queries, denote the extracted identity set by S2, the restriction is S S2) = φ. In Decrypt queries, the restriction is C = C ∗. (S1 Guess: Finally, A outputs its guess β ∈ {0, 1} and wins the game if β = β. Such an adversary A is referred to an IND-sMID-CCA2 adversary. We deﬁne A’s guessing advantage as the follow- ing: 1 2 | IN D−sM ID−CCA2 Adv (A) = |P r[β = β] − The scheme is said to be (τ, )-IND-sMID-CCA2 se- cure if for any IND-sMID- CCA2 adversary A, with- in polynomial running time τ, A’s guessing advantage Adv (A) is less than . IN D−sM ID−CCA2 Thus, we present the three deﬁnitions which characterize the concept of anonymous ID-MRE, ANON-sMID-CCA2 and IND-sMID-CCA2. B. Bilinear Pairings and Difﬁcult Problems The pairing-based cryptographic scheme can offer lower transmission cost compared with the RSA-based schemes due to the smaller security parameter ˆk . We brieﬂy introduce the bilinear pairings as follows. Let G1 and G2 be two cyclic groups with the same prime order q, i.e., |G1| = |G2| = q. G1 is an additive group and G2 is a multiplicative group. Let P be a generator of G1. Let e : G1 × G1 → G2 be a bilinear map which satisﬁes the following properties: 1) Bilinearity: ∀Q, R, S ∈ G1 and a, b ∈ Z ∗ q , e(aR, bQ) = e(R, Q)ab 87 2) Non-degeneracy: ∃Q, R ∈ G1 such that e(Q, R) = 1G2. 3) Computability: ∀Q, R ∈ G1, algorithm to calculate e(Q, R). there is an efﬁcient Such a bilinear map e can be constructed by the modiﬁed Weil [19] or Tate pairings [20] on elliptic curves. Then, we give the difﬁcult problems on G1 and G2 as follows [18]. Computational BDH. We say that an algorithm A has = in solving the computational the advantage AdvCBDH BDH problem in (G1, G2) if A P r[A(P, aP, bP, cP ) = e(P, P )abc] ≥ where the probability is over the random choice of exponents a, b, c in Zq, the random choice of generator P of G1, and the random bits used by A. Decisional BDH. We say that an algorithm A has the = in solving the decisional BDH advantage AdvDBDH problem (DBDHP) in (G1, G2) if A |P r[A(P, aP, bP, cP, e(P, P )abc ) = 0]− A(P, aP, bP, cP, T ) = 0]| ≥ where the probability is over the random choice of generator P of G1, the random choice of exponents a, b, c in Zq, the random choice T ∈R G2 and the random bits used by A. Deﬁnition 4: We say that the (t, )-Computational BDH assumption holds in (G1, G2) if no t-time algorithm has advantage at least in solving Computational BDH problem in (G1, G2). Deﬁnition 5: We say that the (t, )-Decisional BDH as- sumption holds in (G1, G2) if no t-time algorithm has advantage at least in solving Decisional BDH problem in (G1, G2). III. OUR PROPOSED ANONYMOUS ID-MRE SCHEME Our proposed CCA2-secure anonymous multi-receiver identity-based encryption scheme consists of four algorithm- s: Setup, Extract, Encrypt and Decrypt. Setup: The system initializes the global parameters as follows. 1) Pick up an integer s ∈R Z ∗ 2) Choose ﬁve cryptographic hash functions q and set Ppub = sP . H : {0, 1}∗ → Z ∗ q H1 : {0, 1}∗ → G∗ 1 H2 : G2 → {0, 1}ω, H3 : {0, 1}z × {0, 1}ω∗ × G2 H4 : {0, 1}∗ × {0, 1}z × G2 1 → {0, 1}ω 1 → {0, 1}ω−z where ω, z are integers satisfying that H4 is collision- resilient and ˆk ≤ z ≤ ω. The symmetric encryption algorithm and decryption algorithm using a key k are denoted as Ek() and Dk(), respectively. 3) Publish the system parameters params = {G1, G2, q, e, n, P, Ppub, H, H1, H2, H3, H4}

and keep the master key s secret. IV. SECURITY ANALYSIS AND EFFICIENCY ANALYSIS Extract. Input the system parameters params and an entity identity IDi ∈ {0, 1}∗ for i ∈ [1, n], the system returns the entity’s private key di = sQi, where Qi = H1(IDi). Encrypt. The sender chooses the receivers set (ID 1, i, · · · , ID t) from the whole client set (ID1, · · · , · · · , ID IDi, · · · , IDn). The sender performs the following proce- dures. 1) Pick an integer r ∈R Z ∗ q and a random string σ ∈R {0, 1}z, and set U1 = rP, U2 = H(σ)P . 2) For i = 1, · · · , t, compute Ri = σ||H4(M, σ, U1, U2) V = EH3(σ,R1,··· ,Rt,U1,U2)(M ) H2(e(Ppub, Q i)r) where Q i = H1(ID i). 3) Prepare the ciphertext C and broadcast it where C = (R1, · · · , Rt, U1, U2, V ) Decrypt. Input C, params and one private key d i , an i decrypts the ciphertext authorized receiver with identity ID C as follows. 1) For j = 1, · · · , t, compute Rj Then, it assigns its ﬁrst z bits to σ bits to h∗ 4. H2(e(U1, d i)) . j and the last ω − z ?= H(σ 2) Verify whether U2 j )P holds or not. If there ¨k that satisﬁes the equation for some ¨k, 1 ≤ i is not exists a σ ¨k ≤ t, then go to the next step; otherwise, ID an authorized receiver. 3) Derive M = DH3(σ 4) Verify whether h∗ 4 ,R1,··· ,Rt,U1,U2)(V ). ?= H4(M , σ ¨k ¨k, U1, U2) holds or i accepts the message M ; not. If so, the receiver ID otherwise, he rejects the ciphertext. Correctness of the proposed scheme can be proved as follows. Proof: Without an authorized let IDi be ciphertext C = (R1, · · · , Rt, U1, U2, V ), where 1 ≤ i ≤ t. We can get generality, in the loss of receiver = σ holds Since h∗ because of the collision-resilient hash function H4. Thus, we can get ¨k, U1, U2) holds, then σ ¨k M = DH3(σ ,R1,··· ,Rt,U1,U2)(V ) = DH3(σ,R1,··· ,Rt,U1,U2)(V ) = M ¨k i)) = σ||H4(M, σ, U1, U2) H2(e(U1, d Ri H2(e(U1, d i)) = σ||H4(M, σ, U1, U2) H2(e(U1, d i)) = σ||H4(M, σ, U1, U2) 4 = H4(M , σ H2(e(Ppub, Q i)r) H2(e(rP, sQ i)) A. Security analysis We now prove that our anonymous ID-MRE scheme is ANON-sMID-CCA2 secure and IND-sMID-CCA2 secure under the DBDH assumption. 2ω )) and τ = T + (qH1 Theorem 1: Our proposed anonymous ID-MRE scheme is (τ, qH , qH1 , qH2 , qH3 , qH4 , qe, qd, )-ANON-sMID-CCA2 secure under the (T, )-DBDHP assumption, where ≥ (1 − (1 − 1 2ω−z )(1 − 1 + qe + qd)τ1 + + qe + qd)O(1). (t + 1)τ2 + (qH + qH1 (qH , qH1 , qH2 , qH3 , qH4 , qe, qd denote the number of queries to the hash functions H, H1, H2, H3, H4, Extract queries, Decryption queries. τ1 and τ2 denote the computing time for the scalar multiplica- tion in G1 and a pairing e, respectively.) + qH3 + qH4 + qH2 AN ON −sM ID−CCA2 Proof: Let the ANON-sMID-CCA2 adversary A have (A) ≥ within the the advantage Adv running time τ where is the our anonymous ID-MRE scheme. Suppose that A makes at most qe Extract queries, at most qd Decrypt queries, and at most qH , qH1 , qH2 , qH3 , qH4 queries to the hash functions H, H1, H2, H3, H4, respective- ly. Let the tables TH, TH1, TH2, TH3, and TH4 store the results of querying H, H1, H2, H3, and H4, respectively. Let the challenger be C. Algorithm C works by interacting with A in the following game : Setup: C is given as input a tuple (P, P1, P2, P3, T ) that is either sampled from PBDH (where T = e(g, g)abc) or from RBDH (where T is uniform and independent in G2), where P1 = aP, P2 = bP, P3 = cP and a, b, c are unknown. C sets Ppub = P1 as the system public key. The corresponding system master key is unknown. A selects two challenged identities IDd1 and IDd2. We denote the identity set as Sa = {IDd1, IDd2}. First-Phase Queries H query: C is given the input σj ∈ {0, 1}z. C looks for the table TH for the record (σj, ∗). If there exists such a record, C retrieves the record (σj, sj) and returns sj to A as the response. Otherwise, C chooses sj ∈R Z ∗ q and sets H(σj) = sj. At the same time, C adds the record (σj , sj) into the table TH and returns sj to A as the response. H1 query: C is given the input IDi. C looks for the table TH1 for the record (∗, IDi, ∗). If there exists such a record, C retrieves the record (ci, IDi, ri) and returns riP to A if ci = 0 or returns riP3 to A if ci = 1 as the response. Otherwise, if IDi ∈ Sa, C denotes ci = 0 and chooses ri ∈R q . C sets H1(IDi) = riP and returns riP as the response. Z ∗ If IDi ∈ Sa, C denotes ci = 1 and chooses ri ∈R Z ∗ q . C sets H1(IDi) = riP3 and returns riP3 as the response. C adds the record (ci, IDi, ri) into the table TH1. H2 query: C is given the input ei ∈ G2. C looks for the table TH2 for the record (ei, ∗). If there exists such a record, C retrieves the record (ei, ti) and returns ti to A as the response. Otherwise, C chooses ti ∈R {0, 1}ω and sets 88

H2(ei) = ti. C returns ti to A as the response. C adds the record (ei, ti) into the table TH2. H3 query: C is given the input (σi, R1i, · · · , Rli, U1i, for for the the table TH3 U2i). C looks record (σi, R1i, · · · , Rli, U1i, U2i, ∗). If there exists such a record, C retrieves the record (σi, R1i, · · · , Rli, U1i, U2i, li) and to A as the response. Otherwise, C chooses returns li li ∈R {0, 1}ω and sets H3(σi, R1i, · · · , Rli, U1i, U2i) = li. to A as the response. C adds the record C returns li (σi, R1i, · · · , Rli, U1i, U2i, li) into the table TH3. H4: C is given the input (Mi, σi, U1i, U2i). C looks for the table TH4 for the record (Mi, σi, U1i, U2i, ∗). If there exists such a record, C retrieves the record (Mi, σi, U1i, U2i, zi) and returns zi to A as the response. Otherwise, C chooses zi ∈R {0, 1}ω−z and sets H4(Mi, σi, U1i, U2i) = zi. to A as the response. C adds the record C returns zi (Mi, σi, U1i, U2i, zi) into the table TH4. Extract: C is given the input IDi ∈ Sa. C queries H1 oracle for IDi and gets the αi. Then, C compute di = αiP1 as the response. Since di = αiP1 = αiaP = aH(IDi) di is the secret key of the user IDi. When IDi ∈ Sa, C fails. In this phase, A can adaptively query the challenger C to extract the users’ secret keys. Decrypt: C is given the ciphertext-receiver pair (C, IDj ) where C = (R1i, · · · , Rti, U1i, U2i). If IDj ∈ Sa, C can get di and decrypt C to get the plaintext M. If IDj ∈ Sa, C looks for the table TH3. If there exist the records (∗, R1i, · · · , Rti, U1i, U2i, l∗), where ∗, l∗ are default. If ∗ = ?= U2i holds or not. If it σj, C checks whether H(σj)P holds, go to the next step. Otherwise, C checks the next record until it holds. Suppose the satisﬁed record is ∗ = σ∗ and the corresponding hash value is ˆl∗. Taking use of ˆl∗ to decrypt V and get M ∗ = Dˆl∗ (V ). Then C looks for the table TH4. If there exists the record (M ∗, σ, U1i, U2i, z∗), where z∗ is default, C returns M ∗ as the palintext. Otherwise, fail. According to the process of encryption, the probability of failure is at most 1 − (1 − 1 The Challenge sends {IDj1 , IDj2 , · · · , IDjt , M } and Sa to the challenger. C chooses β ∈R {d1, d2}. Suppose that the multi-receiver identity set is S = {IDj1 , IDj2 , · · · , IDjt , IDβ}. By using the phase Extract, C can get all the secret keys }. We denote of the identities {IDj1 , IDj2 , · · · , IDjt }. these corresponding secret keys as {dj1 , dj2 , · · · , djt C queries H1 and gets the record (cβ, IDβ, rβ), where cβ = 1. C chooses a random string σ ∈R {0, 1}z and sets U1 = P2, U2 = H(σ)P . For i = j1, j2, · · · , jt, compute 2ω−z )(1 − 1 adversary 2ω ). A Ri = σ||H4(M, σ, U1, U2) Rβ = σ||H4(M, σ, U1, U2) V = EH3(σ,R1,··· ,Rt,Rβ ,U1,U2)(M ) H2(e(U1, di)) H2(T rβ ) Table I EFFICIENCY COMPARISONS FHH [7] 1Cpair 2Cpair Chien [8] tCpair 1Cpair Ours tCpair 1Cpair Yes Yes (2t + 2)|G1| +ω+CE (t + 2)|G1|+ω +CE+1Z ∗ q (t + 2)|G1| +ω+CE No No Yes No Sender Receiver Comm. Anon Ind Finally, C sends the ciphertext C = (R1, · · · , Rt, Rβ, U1, U2, V ) to the adversary A. Second-Phase Queries The queries and responses of H, H1, H2, H3, H4, Extract and Decrypt are the same as in the ﬁrst phase query. Finally, the adversary A outputs β. If β = β, A wins. Otherwise, A fails. If T = e(P, P )abc, then T rβ = e(bP, acP )rβ = e(U1, aH1(IDβ)) = e(U1, dβ) Hence, C is a valid ciphertext. Otherwise, T is a randomly- chosen element of G2. Thus, C successfully simulates the random oracles {H, H1, H2, H3, H4}, the secret key extrac- tion, and the decryption oracles. Hence, we get P r[A(P, aP, bP, cP, e(P, P )abc) = 1] = P r[β = β] Since A can attack the anonymity with the probability within the time T , the challenger C can break the decisional BDH problem with the probability ≥ (1 − (1 − 1 2ω−z )(1 − 2ω )) within the time τ = T + (qH1 1 + qe + qd)τ1 + (t + + qe + qd)O(1). 1)τ2 + (qH + qH1 + qH4 + qH3 + qH2 Based on the difﬁculty assumption of decisional BDH problem, our anonymous ID-MRE scheme satisﬁes the prop- erty of ANON-sMID-CCA2. Theorem 2: Our proposed anonymous ID-MRE scheme (τ, qH , qH1 , qH2 , qH3 , qH4 , qe, qd, )-IND-sMID-CCA2 is (T, )-DBDHP assumption, where the secure ≥ (1 − (1 − 1 2ω−z )(1 − 1 + qe + +qe+qd)O(1). qd)τ1+(t+1)τ2+(qH +qH1 (qH , qH1 , qH2 , qH3 , qH4 , qe, qd denote the number of queries to the hash functions H, H1, H2, H3, H4, Extract queries, Decryption queries. τ1 and τ2 denote the computing time for a scalar multiplication in G1 and a pairing e, respectively.) 2ω )) and τ = T + (qH1 +qH2 under +qH3 +qH4 Due to the page limits, we omit the detailed proof. B. Efﬁciency analysis Compared with many previous anonymous multi-receiver identity-based encryption schemes, our proposed anonymous ID-MRE scheme has several advantages, e.g., anonymity, se- mantic security, and efﬁciency. Suppose there are t receivers in the comparison. We list them in Table I. Table I lists the comparisons among FHH [7], Chien [8] and ours. Sender denotes Computational cost in the process 89

[7] Fan C., Huang L., Ho P. (2010) Anonymous multi-receiver IEEE Transactions on Computers, identity-based encryption. 59(9), pp. 1239-1249. [8] Chien H. (2012) Improved anonymous multi-receiver identity- based encryption. The Computer Journal. 55(4), pp.439-446. [9] Wang H., Zhang Y., Xiong H., Qin B. (2012) Cryptanalysis and improvements of an anonymous multi-receiver identity-based encryption scheme. IET Inf. Secur.. 6(1), pp. 20-27. [10] Hur J., Park C., Hwang S. identity-based broadcast doi:10.1016/j.inffus.2011.03.003. encryption. (2012) Privacy-preserving Informat Fusion, [11] Shamir A. (1984) Identity-based cryptosystems and signature schemes. Proc. CRYPTO 84. Santa Barbara, California, USA. Lecture Notes in Computer Science 196, pp. 47-53. Springer. [12] Boneh D., and Franklin M. (2003) Identity-based encryption from the weil pairing. SIAM J. Comput.. 32(3), pp. 586-615. [13] Boyen X., and Waters B. (2006) Anonymous hierarchical identity-based encryption (without random oracles). Proc. CRYPTO 2006. Santa Barbara, California, USA. Lecture Notes in Computer Science 4117, pp. 290-307. Springer. [14] Abdalla M., Kiltz E., and Neven G. (2008) Generalised key IET Inf. delegation for hierarchical identity-based encryption. Secur.. 2(3), pp. 67-78. [15] Boneh D., and Hamburg M. (2008) Generalized identity based and broadcast encryption schemes. Asiacrypt 2008. Melbourne, Australia. Lecture Notes in Computer Science 5350, pp. 455-470. Springer. [16] Boneh D., Boyen X., and Halevi S., Chosen ciphertext secure public key threshold encryption without random oracles. RSA- CT’06. San Jose, CA, USA. Lecture Notes in Computer Science 3860, pp. 226-243. Springer. [17] Boneh D., and Boyen X. (2008) Short signatures without random oracles. Journal of Cryptology. 21(2), pp. 149-177. [18] Boneh D., and Boyen X. (2004) Efﬁcient selective-id secure i- dentity based encryption without random oracles. EUROCRYP- T 2004. Interlaken, Switzerland. Lecture Notes in Computer Science 3027, pp.223-238. Springer. [19] Boneh D., and Franklin M. (2001) Identity-based encryption from the weil pairing. Advances in Cryptology-CRYPTO 2001. Santa Barbara, California, USA. Lecture Notes in Computer Science 2139, pp. 213-229. Springer. [20] Miyaji A., Nakabayashi M., and Takano S., (2001) New explicit conditions of elliptic curve traces for FR-reduction. IEICE Transactions Fundamentals, 5, pp. 1234-1243. of encryption. Receiver denotes Computational cost in the process of decryption. Comm. denotes Communication cost. Anon denotes ANON-sMID-CCA2. Ind denotes IND-sMID- CCA2. Cpair denotes Computation cost of pairings. |G1| denotes “the bit length of a point on G1”. CE denotes “the bit length of a cipher by the symmetric encryption E”. From the comparisons, we know that FHH [7], Chien [8] do not satisfy IND-sMID-CCA2 (i.e., Ind) although they claimed their schemes are secure. At the same time, FHH [7] can not also satisfy ANON-sMID-CCA2 (i.e., Anon). Our scheme is provably secure in the random oracle model. From the performance comparison, our scheme is also efﬁcient. V. CONCLUSIONS In this paper, by taking use of the bilinear pairings, we propose a provably secure anonymous multi-receiver identity-based encryption scheme with shorter ciphertext. Our scheme is provably secure and efﬁcient in the random oracle model. ACKNOWLEDGMENT The author sincerely thanks the Editor for allocating qual- iﬁed and valu- able referees. The author sincerely thanks the anonymous referees for their very valuable comments. This work was partly supported by the Nation- al Natural Science Foundation of China (No. 61272522), by the Natural Science Foundation of Liaoning Province (No. 2014020147), and by the Open Project of Shanghai Key Laboratory of Trustwor- thy Computing (No. 07dz22304201306). REFERENCES [1] Bellare M., Boldyreva A., and Micali S. (2000) Public-key encryption in a multi-user setting: security proofs and improve- ments. Advances in Cryptology-EUROCRYPT2000, Bruges (Brugge), Belgium. Lecture Notes in Computer Science 1807, pp. 259-274. Springer. [2] Baudron O., Pointcheval D., and Stern J. (2000) Extended notions of security for multicast public key cryptosystems. ICALP 2000. Geneva, Switzerland. Lecture Notes in Computer Science 1853, pp. 499-511. Springer. [3] Xu J., Li K., and Min G.(2012) Reliable and energy-efﬁcient multipath communications in underwater sensor networks. IEEE Trans. Parallel Distrib. Syst.. 23(7), pp.1326-1335. [4] Liu X., Li K., Min G., Lin K., Xiao B., Shen Y., and Qu W.(2013) Efﬁcient unknown tag identiﬁcation protocols in large-scale rﬁd systems, IEEE Trans. Parallel Distrib. Syst.. Accepted, to appear. [5] Chatterjee S., and Sarkar P. , Multi-receiver identity-based Progress in key encapsulation with shortened ciphertext. Cryptology-INDOCRYPT 2006. Kolkata, India. Lecture Notes in Computer Science 4329, pp. 394-408. Springer. [6] Lu L., and Hu L. (2006) Pairing-based multi-recipient public key encryption. Proceedings of the 2006 International Con- ference on Security & Management. Las Vegas, Nevada, USA. pp. 159-165. 2006. CSREA. 90

分享到：

赞收藏

资料库

具有较短密文的可验证的安全匿名多接收者身份加密。.pdf

相关推荐

开发技术

热门标签

最新资料