Anonymous Multireceiver Identity-Based Encryption

Anonymous MultireceiverIdentity-Based Encryption

Chun-I Fan, Ling-Ying Huang, and Pei-Hsiu Ho

Abstract—Recently, many multireceiver identity-based encryption schemes have been proposed in the literature. However, none can

protect the privacy of message receivers among these schemes. In this paper, we present an anonymous multireceiver identity-based

encryption scheme where we adopt Lagrange interpolating polynomial mechanisms to cope with the above problem. Our scheme

makes it impossible for an attacker or any other message receiver to derive the identity of a message receiver such that the privacy of

every receiver can be guaranteed. Furthermore, the proposed scheme is quite receiver efficient since each of the receivers merely

needs to perform twice of pairing computation to decrypt the received ciphertext. We prove that our scheme is secure against adaptive

chosen plaintext attacks and adaptive chosen ciphertext attacks. Finally, we also formally show that every receiver in the proposed

scheme is anonymous to any other receiver.

Index Terms—Anonymity, multireceiver encryption, pairings, identity-based encryption.

Ç

1 INTRODUCTION

IN secure multireceiver communications, to prevent un-authorized accesses, messages are usually encrypted and

the encryption keys had better be changed for differentsessions. Whenever a new member joins a communicationgroup, the system assigns a key to the member for futuredecryption operations. If some member quits the group, thesystem should revoke her/his decryption key and disable thedecryption. The system must deal with the problem of keymanagement effectively such that the entire communicationprotocol is efficient. Recently, many researchers focused onthis topic and proposed many interesting protocols.

In 2001, Boneh and Franklin [4] proposed an identity-based encryption scheme with Weil pairing. In 2003, theypresented a fully functional identity-based encryptionscheme (BF-IBE) [4] with a technique which was proposedby Fujisaki and Okamoto [9] for improvement. Theirscheme only uses the identity (ID) of a receiver as her/hispublic key. A sender can encrypt a message and sends theciphertext to the receiver. Every user can select her/his IDfreely, where some meaningful or easily-memorized stringsare usually selected as IDs. Moreover, the problem of theauthentication for public keys can also be solved if we takeIDs to form the public keys. Thus, there are lots ofresearches [1], [7], [8], [19], [22] related to identity-basedpublic-key cryptosystems in recent years.

Du et al. [8] presented an identity-based broadcastencryption scheme for key distribution in 2005. Theyimproved BF-IBE by matrix operations for encryption and

decryption. In 2006, Lee et al. [13] proposed three public-keybroadcast encryptions with bilinear mapping. In the sameyear, Yang et al. [22] improved identity-based public keyencryption with bilinear mapping to be identity-basedbroadcast encryption. Nevertheless, there are some problemsabout key change and no scalability in joining new members.In 2005, Wang and Wu [19] proposed an identity-basedmulticast encryption scheme which has a key generationcenter and a group center. All users do not need anycomputation during the rekeying process. However, thesender must be the group center. Besides, the problems of keyupdating were discussed frequently, but no efficient solutionhas been proposed. Hence, we hope to solve the problems ofkey renewal and make anyone be able to act as a sender.

In a multireceiver encryption environment, a sender canrandomly choose receivers. Every multireceiver encryptionscheme can be transformed into a broadcast encryptionscheme or a multicast encryption scheme. Beak et al. [1]proposed a multireceiver identity-based key encryptionalong with a formal definition and security model for thekind of schemes. They proved the security in the selective-IDmodel using the random oracle technique [2]. Their secondscheme was employed in the REACT scheme proposed byOkamoto and Pointcheval [17]. In 2006, Lu and Hu [14]presented a multirecipient public key encryption withpairing. Their scheme can be applied to broadcast sensitiveinformation in an unsafe distributed environment. Chatterjeeand Sarkar [7] proposed the first protocol to achievesublinear ciphertext sizes in multireceiver identity-basedencryption setting.

All of the multireceiver identity-based encryptionschemes proposed in the literature [1], [7], [14] cannotprotect the privacy of receivers or do not contain anydiscussion on this issue. Nevertheless, more and more usersgradually pay attention to their privacy such that the issue ofprivacy protection is urgently desired to be addressed inmost cryptographic protocols, including multireceiver iden-tity-based encryption schemes. Although [1], [7], may be able

IEEE TRANSACTIONS ON COMPUTERS, VOL. 59, NO. 9, SEPTEMBER 2010 1239

. The authors are with the Department of Computer Science andEngineering, National Sun Yat-sen University, Kaohsiung 804, Taiwan,ROC. E-mail: [email protected],{eegeegfish, peyhsiu}@gmail.com.

Manuscript received 7 Mar. 2008; revised 18 Dec. 2008; accepted 23 Nov.2009; published online 14 Jan. 2010.Recommended for acceptance by H. Shen.For information on obtaining reprints of this article, please send e-mail to:[email protected], and reference IEEECS Log Number TC-2008-03-0104.Digital Object Identifier no. 10.1109/TC.2010.23.

0018-9340/10/$26.00 � 2010 IEEE Published by the IEEE Computer Society

to achieve receiver anonymity, which still needs to beformally proved, by covering the information about theidentities of the selected receivers in a ciphertext, it isinefficient since each receiver has to perform much computa-tion to decrypt the ciphertext. In this paper, we propose aprovably secure and efficient multireceiver identity-basedencryption scheme which can achieve the anonymity forevery receiver against any other receiver. Everyone canreceive a ciphertext broadcasted by a sender, but only thereceivers selected by the sender can decipher the ciphertextsuccessfully. Besides, one can examine whether herself/himself is a selected receiver or not. Nobody, except thesender, knows who the other receivers are. Lagrangeinterpolating polynomial theorem [11] has been widely usedin threshold schemes and traitor tracing, but the theorem israrely applied to encryption/decryption. In this paper, wepresent how to design an efficient anonymous multireceiveridentity-based encryption scheme based on Lagrange inter-polating polynomial theorem.

A traditional encryption protocol is that a sender encryptsand sends a message to a receiver by using the receiver’spublic key or a secret key shared between them. In this way,the sender generates an individual ciphertext for a receiver.Thus, for n receivers, where n is a positive integer, the sendermust produce n different ciphertexts for the same message.In a multireceiver encryption scheme, such as the schemes of[1], [7], [8], [13], [14], [19], [22], a sender only needs togenerate one ciphertext of a message for n receivers. Hence, itcan largely reduce the sender’s computation and commu-nication cost, but the receivers’ identities are known toeveryone. Our scheme makes it possible for a sender toproduce only one ciphertext of a message for n receiverswhere nobody, except the sender, knows any of the receivers’identities. Not only does the proposed scheme reduce thesender’s computation and communication cost but it protectsthe privacy of the receivers as well.

Using our scheme in pay-TV or streaming audio/videoservices, a service provider only generates one ciphertext fora TV program and sends the ciphertext to all of the receiverswho have ordered the program. Each receiver takes her/hispersonal private key to decrypt the ciphertext. In somesituations, such as ordering sensitive TV programs, areceiver or customer usually expects that any other receiveror customer does not know her/his identity when orderingthe TV programs. Our scheme can cope with the aboveproblem to provide anonymity such that none, except theservice provider, can derive the receivers’ identities. Inaddition, for sensitive video sharing, by using our scheme, asender chooses a set of receivers and produces oneciphertext of a video, and then the sender broadcasts theciphertext under the privacy protection for the receivers.Everyone gets the ciphertext, but only the receivers thesender chose are able to decrypt the ciphertext where eachreceiver does not know who the other receivers are.

The rest of this paper is organized as follows: In Sections 2and 3, we introduce some preliminaries about mathematicalbackgrounds and security definitions. In Section 4, wepresent and analyze the proposed scheme. The security ofour scheme is formally proved in Section 5. We evaluate theperformance of the proposed scheme in Section 6. In Section 7,we compare our scheme with the others in performance andother aspects. Finally, we give a concluding remark of thispaper in Section 8.

2 PRELIMINARIES

In this section, we review the polynomial interpolationmethod, the characteristics of bilinear groups, and somerelated hard problems.

2.1 Polynomial Interpolation

Lagrange Interpolating Polynomial Theorem. Let

Xti¼1

FiðxÞ ¼Xt�1

i¼0

aixi

be a polynomial of degree t� 1 � 0 that passes through thet points ðx1; y1Þ; ðx2; y2Þ; . . . ; ðxt; ytÞ where for each i,

FiðxÞ ¼ yiY

1�j 6¼i�t

x� xjxi � xj

¼yi; if x ¼ xi:0; if x 2 fx1; . . . ; xtg � fxig:

�

2.2 Bilinear Groups

Let GG1 and GG2 be two cyclic groups of prime order q and letP

be a generator of GG1. A bilinear mapping e : GG1 �GG1 ! GG2

has the following properties:

1. Bilinearity: eðaP; bQÞ ¼ eðP;QÞab, 8P , Q 2 GG1 and a,b 2 ZZq.

2. Nondegeneracy: There exist P , Q 2 GG1 such thateðP;QÞ 6¼ 1.

3. Computability: There exists an efficient algorithm tocompute eðP;QÞ for any P , Q 2 GG1.

The above properties also imply:

eðP þQ;RÞ ¼ eðP;RÞ � eðQ;RÞ; 8P;Q;R 2 GG1:

eðP;QþRÞ ¼ eðP;QÞ � eðP;RÞ; 8P;Q;R 2 GG1:

2.3 Hard Problems

Let GG1 and GG2 be two cyclic groups of the same order q. Lete : GG1 �GG1 ! GG2 be a bilinear mapping and let P be agenerator of GG1.

The Computational Diffie-Hellman (CDH) Problem.

Given <P; aP ; bP> for some a, b 2 ZZ�q , compute abP .

The Bilinear Diffie-Hellman (BDH) Problem. Given <P;

aP ; bP ; cP> for some a, b, c 2 ZZ�q , compute eðP; P Þabc 2 GG2.

The Co-Bilinear Diffie-Hellman (Co-BDH) Problem [23].

Given <P; aP; bP ;Q> for some a; b 2 ZZ�q and Q 2R GG1,compute eðP;QÞab.

The Co-Decisional Bilinear Diffie-Hellman (Co-DBDH)

Problem [20]. Given <P; aP ; bP;Q;Z> for some a; b 2 ZZ�q ,Q 2R GG1 and Z 2R GG2, decide if Z ¼ eðP;QÞab.

The Modified Decisional Bilinear Diffie-Hellman

(DBDH-M) Problem [6]. Given <P; aP ; bP ;U> for somea; b 2 ZZ�q and U 2R GG1, decide if U ¼ ab2P .

Definition 1 (The Co-DBDH Assumption). We define thatan algorithm B with an output � 2 f0; 1g has advantage " insolving the Co-DBDH problem if

jPr½BðP; aP; bP ;Q; eðP;QÞabÞ ¼ 1�� Pr½BðP; aP ; bP ;Q;ZÞ ¼ 1�j � "

1240 IEEE TRANSACTIONS ON COMPUTERS, VOL. 59, NO. 9, SEPTEMBER 2010

where the probability is over the random choice of a; b 2 ZZ�qand the random choice of Q 2 GG1 and Z 2 GG2. We say thatthe ð�; "Þ-Co-DBDH assumption holds if no polynomial-timealgorithm has advantage " within running time � in solvingthe Co-DBDH problem.

Definition 2 (The DBDH-M Assumption). We define that analgorithm B with an output � 2 f0; 1g has advantage " insolving the DBDH-M problem if

jPr½BðP; aP ; bP ; ab2P Þ ¼ 1�� Pr½BðP; aP; bP ;UÞ ¼ 1�j � "

where the probability is over the random choice of a; b 2 ZZ�q andthe random choice of U 2 GG1. We say that the ð�; "Þ-DBDH-Massumption holds if no polynomial-time algorithm has advan-tage "within running time � in solving the DBDH-M problem.

3 SECURITY DEFINITIONS

According to [1], [3], [5], [7], [10], we present a general modeland security notions for anonymous multireceiver IBE(Identity-Based Encryption) schemes. The security notionsare “Indistinguishability of encryptions under selectivemulti-ID, chosen plaintext attacks” (IND-sMID-CPA) [1],“Indistinguishability of encryptions under selective multi-ID, chosen ciphertext attacks” (IND-sMID-CCA) [1], “Anon-ymous indistinguishability of encryptions under selective-ID, chosen plaintext attacks” (ANON-sID-CPA) [3], and“Anonymous indistinguishability of encryptions underselective-ID, chosen ciphertext attacks” (ANON-sID-CCA)[3]. They are described as follows:

Definition 3 (Multireceiver IBE). A general multireceiver IBEscheme contains a set of four algorithms: Setup, Extract,Encrypt, and Decrypt.

. Setup: The Private Key Generator (PKG) runs thisalgorithm to generate a master key s and PKG’s publicparameters params which include a description of thegroups GG1, GG2, and the mapping e. Note that thePKG’s public parameters params are publicly knownwhile the master key s is kept secret.

. Extract: This is a private key extraction algorithm.Providing an identity IDi received from a user, thePKG’s master key s, and public parameters params asinputs, the PKG runs this algorithm to generate aprivate key di associated with IDi. We also denotedi ¼ Extractðparams; s; IDiÞ. The identity IDi isused as a public key while di is the correspondingprivate key.

. Encrypt: Providing multiple identities ðID1; . . . ;IDtÞ of the receivers, the PKG’s public parametersparams, and a plaintext message M as inputs, thesender runs this algorithm to generate a ciphertext Cwhich is an encryption of M. We denote C ¼Encryptðparams; ID1; . . . ; IDt;MÞ.

. Decrypt: Providing a ciphertext C, the PKG’s publicparameters params, an identity IDi, and the privatekey di as inputs, the receiver with identity IDi runsthis algorithm to obtain a decryption result D, which iseither a certain plaintext message or not. We denoteD ¼ Decryptðparams; C; IDi; diÞ.

Definition 4 (IND-sMID-CPA). Let A be a polynomial-timeattacker. Let

Qbe a general multireceiver IBE scheme. A

interacts with a Challenger in the following game:

. Setup: The Challenger runs the Setup algorithm. Itgives the attacker A the resulting public parametersparams. It keeps the master key secret.

. Phase 1: A outputs target multiple identitiesðID1; . . . ; IDtÞ where t is a positive integer.

. Phase 2: A issues private key extraction queries. Uponreceiving a private key extraction query, denoted byIDj, the Challenger runs the private key extractionalgorithm to get dj ¼ Extractðparams; s; IDjÞ. Theonly constraint is that IDj 6¼ IDi for i ¼ 1; . . . ; t.

. Challenge:A outputs a target plaintext pair ðM0;M1Þ.Upon receiving ðM0;M1Þ, the Challenger randomlychooses � 2 f0; 1g and creates a target ciphertextC ¼ Encryptðparams; ID1; . . . ; IDt;M�Þ. Then theChallenger returns C to A.

. Phase 3: A issues private key extraction queries asthose in Phase 2.

. Guess: Finally, A outputs its guess �0 2 f0; 1g andwins the game if �0 ¼ �.

Such an attacker A is referred to as an IND-sMID-CPA

attacker. As we did above, we defineA’s guessing advantage

AdvIND-sMID-CPAQ ðAÞ ¼ jPr½� ¼ �0� � 1

2j:

The schemeQ

is said to be ð�; "Þ-IND-sMID-CPA secure if

for any IND-sMID-CPA attacker A, within polynomial

running time � , the guessing advantage AdvIND-sMID-CPAQ ðAÞis less than ".

Definition 5 (IND-sMID-CCA). Let A be a polynomial-time

attacker. LetQ

be a general multireceiver IBE scheme. Ainteracts with a Challenger in the following game:


. Phase 1: A outputs target multiple identitiesðID1; . . . ; IDtÞ where t is a positive integer.

. Phase 2: A issues private key extraction queries. Uponreceiving a private key extraction query, denoted byIDj, the Challenger runs the private key extractionalgorithm to get dj ¼ Extractðparams; s; IDjÞ. Theonly constraint is that IDj 6¼ IDi for i ¼ 1; . . . ; t.

. Phase 3: A issues decryption queries for targetidentities. Upon receiving a decryption query,denoted by ðC�; IDiÞ for some i 2 f1; . . . ; tg, theChallenger generates a private key associated withIDi, which is denoted by di. The Challenger returnsD ¼ Decryptðparams;C�; IDi; diÞ to A.

. Challenge: A outputs a target plaintext pair ðM0;M1Þ. Upon receiving ðM0;M1Þ, the Challenger ran-domly chooses � 2 f0; 1g and creates a target cipher-t e x t C ¼ Encryptðparams; ID1; . . . ; IDt;M�Þ.Then the Challenger returns C to A.

. Phase 4: A issues private key extraction queries asthose in Phase 2 and decryption queries for targetidentities as those in Phase 3 where a restriction hereis that C� 6¼ C.

FAN ET AL.: ANONYMOUS MULTIRECEIVER IDENTITY-BASED ENCRYPTION 1241


Such an attacker A is referred to as an IND-sMID-CCAattacker. As we did above, we defineA’s guessing advantage

AdvIND-sMID-CCAQ ðAÞ ¼ jPr½� ¼ �0� � 1

2j:

The schemeQ

is said to be ð�; "Þ-IND-sMID-CCA secure iffor any IND-sMID-CCA attacker A, within polynomialrunning time � , the guessing advantage

AdvIND-sMID-CCAQ ðAÞ

is less than ".

Definition 6 (ANON-sID-CPA). Let A be a polynomial-timeattacker. Let

Qbe a general multireceiver IBE scheme. A

interacts with a Challenger in the following game:


. Phase 1: A outputs a target identity pair ðID1; ID2Þ.Upon receiving ðID1; ID2Þ, the Challenger randomlychooses � 2 f1; 2g.

. Phase 2:A issues private key extraction queries. Uponreceiving a private key extraction query, denoted byIDj, the Challenger runs the private key extractionalgorithm to get dj ¼ Extractðparams; s; IDjÞ. Theonly constraint is that IDj 6¼ IDi for i ¼ 1; 2.

. Challenge: A outputs a target plaintext M. TheChallenger creates a target ciphertext C ¼ Encryptðparams; ID�;MÞ and then returns C to A.

. Phase 3: A issues private key extraction queries asthose in Phase 2.


Such an attacker A is referred to as an ANON-sID-CPAattacker. As we did above, we defineA’s guessing advantage

AdvANON-sID-CPAQ ðAÞ ¼ jPr½� ¼ �0� � 1

2j:

The schemeQ

is said to be ð�; "Þ-ANON-sID-CPA secure iffor any ANON-sID-CPA attacker A, within polynomialrunning time � , the guessing advantage

AdvANON-sID-CPAQ ðAÞ

is less than ".

Definition 7 (ANON-sID-CCA). Let A be a polynomial-time

attacker. LetQ

be a general multireceiver IBE scheme. Ainteracts with a Challenger in the following game:


. Phase 1: A outputs a target identity pair ðID1; ID2Þ.Upon receiving ðID1; ID2Þ, the Challenger randomlychooses � 2 f1; 2g.

. Phase 2:A issues private key extraction queries. Uponreceiving a private key extraction query, denoted by

IDj, the Challenger runs the private key extractionalgorithm to get dj ¼ Extractðparams; s; IDjÞ. Theonly constraint is that IDj 6¼ IDi for i ¼ 1; 2.

. Phase 3: A issues decryption queries for targetidentities. Upon receiving a decryption query,denoted by ðC�; IDiÞ for some i 2 f1; 2g, theChallenger generates a private key associated withIDi, which is denoted by di. The Challenger returnsD ¼ Decryptðparams;C�; IDi; diÞ to A.

. Challenge: A outputs a target plaintext M. TheChallenger creates a target ciphertext C ¼Encryptðparams; ID�;MÞ and then returns C to A.

. Phase 4: A issues private key extraction queries asthose in Phase 2 and decryption queries for targetidentities as those in Phase 3 where a restriction hereis that C� 6¼ C.

. Guess: Finally, A outputs its guesses �0 2 f1; 2g andwins the game if �0 ¼ �.

Such an attacker A is referred to as an ANON-sID-CCAattacker. As we did above, we defineA’s guessing advantage

AdvANON-sID-CCAQ ðAÞ ¼ jPr½� ¼ �0� � 1

2j:

The schemeQ

is said to be ð�; "Þ-ANON-sID-CCA secure iffor any ANON-sID-CCA attacker A, within polynomialrunning time � , the guessing advantage

AdvANON-sID-CCAQ ðAÞ

is less than ".

4 OUR PROPOSAL

In this section, based on BF-IBE scheme [4], we present ananonymous multireceiver identity-based encryption scheme.Our scheme adopts bilinear pairings on elliptic curves. LetGG1 be an additive group and GG2 be a multiplicative groupwhere both of them are cyclic and each of them is with primeorder q. Let P be a randomly chosen generator of GG1 and e bea bilinear mapping such that e : GG1 �GG1 ! GG2.

In our scheme, a sender chooses t receivers and preparest points ðx1; y1Þ, ðx2; y2Þ; . . . ; ðxt; ytÞ for them. For everyreceiver i, the sender sets xi as the root of FiðxÞ ¼ yi wherethe receiver’s identity, IDi, is mapped into xi in ZZ�q , andthen computes yi ¼ yQi as the personal private key of thereceiver where y is randomly chosen in ZZ�q and IDi is alsomapped into Qi in GG�1. GG�1 denotes the set GG1=fOOg, and OOis the identity element in the additive group GG1.

The polynomial

fiðxÞ ¼ FiðxÞ=yi ¼Y

1�j 6¼i�t

x� xjxi � xj

¼1; if x ¼ xi0; if x 2 fx1; . . . ; xtg � fxig

�

is used for achieving receiver anonymity. In the Encryptphase of our scheme, the sender computes a parameterRi foreach receiver i by using the above polynomial. The sendertakes all Ri’s and the other parameters to form a ciphertextencrypted by a secret key � and then broadcasts it. To decryptthe ciphertext, receiver i takes all Ri’s and her/his xi to


reconstruct � ¼ FiðxiÞ, which is yi. Then, the receiver

computes the secret key � via her/his private key and �.

Finally, the receiver can decrypt the ciphertext by using �.

4.1 The Proposed Scheme

Setup: The algorithm works as follows:

1. Pick an integer s 2 ZZ�q and an element P1 2 GG1 atrandom.

2. Set Ppub ¼ sP .3. Choose five cryptographic one-way hash functions

H : f0; 1g� ! ZZ�q ; H1 : f0; 1g� ! GG�1;

H2 : GG2 ! f0; 1gw;H3 : f0; 1gw � f0; 1g� ! ZZ�q ;

H4 : f0; 1gw ! f0; 1gw

for some positive integer w. The symmetric encryp-

tion and decryption functions with a key k are

represented by Ek and Dk, respectively.4. Publish the system parameters params ¼ <q;GG1;

GG2; e; n; P ; P1; Ppub;H;H1; H2; H3; H4> and keep themaster key s secret.

Extract: Input params, s, and an identity IDi 2 f0; 1g�

for i 2 ½1; n�. The algorithm performs the following tasks:

1. Compute Qi ¼ H1ðIDiÞ 2 GG�1.2. Set the private key di ¼ sðP1 þQiÞ.Encrypt: Input params, a plaintext message M, and select

t, 1 � t � n, identities ðID1; . . . ; IDtÞ of the receivers whom

the sender wants to send the ciphertext of M to. The

algorithm performs the following tasks:

1. Pick a string � 2 f0; 1gw at random and set r ¼H3ð�;MÞ.

2. Pick an integer � 2 ZZ�q at random and set y ¼ ��1rmod q.

3. For i ¼ 1; . . . ; t, compute xi ¼ HðIDiÞ and Qi ¼H1ðIDiÞ.

4. For i ¼ 1; . . . ; t, compute

fiðxÞ ¼Y

1�j6¼i�t

x� xjxi � xj

¼ ai;1 þ ai;2xþ � � � þ ai;txt�1

where ai;1; . . . ; ai;t 2 ZZq.5. For i ¼ 1; . . . ; t, compute

Ri ¼Xtj¼1

aj;iyQj ¼Xtj¼1

bjQj

where bj ¼ aj;iy 2 ZZq.6. Set the ciphertext C ¼ <R1; . . . ; Rt; rP ; �Ppub; �

H2ðeðPpub; P1ÞrÞ; EH4ð�ÞðMÞ>.

Decrypt: Input the ciphertext C ¼ <R1; . . . ; Rt; U1; U2; V ;

W>, params, an identity IDi, and the private key di of the

receiver with identity IDi. To decrypt C, the algorithm

performs the following tasks:

1. Compute xi ¼ HðIDiÞ.2. Set � ¼ R1 þ xiR2 þ � � � þ ðxit�1 mod qÞRt.3. Compute

�0 ¼ V H2eðU1; diÞeðU2; �Þ

� �:

4. Compute M 0 ¼ DH4ð�0ÞðWÞ.5. Set r0 ¼ H3ð�0;M 0Þ. Test whether U1 ¼ r0P or not. If

true, accept the plaintext message M 0, i.e., M 0 ¼M;otherwise, reject the ciphertext.

A PKG is established to run Setup. When a user givesher/his identity to the PKG, the PKG inputs its publicsystem parameters, the master key, and the user’s identityto Extract and returns a private key to the user. Users whohave obtained their private keys from the PKG are calledmembers. A user who sends out a message is said to be asender. A sender can input the PKG’s system parameters,the identities of selected members, and a plaintext messageto Encrypt to get a ciphertext and then broadcasts it. Themembers the sender designated are called the receivers.When receiving a ciphertext, every member can input thePKG’s system parameters, the ciphertext, her/his identity,and her/his own private key to Decrypt. If the member isa receiver, then Decrypt returns the plaintext message; elseit returns “reject”. The proposed scheme is also illustratedin Fig. 1.

4.2 Correctness

The decryption of our scheme is justified by the following:For each i with 1 � i � t, we have that


Fig. 1. The proposed anonymous multireceiver identity-based encryptionscheme.

� ¼ R1 þ xiR2 þ � � � þ xi�1i Ri þ � � � þ xt�1

i Rt

¼ ða1;1yQ1 þ � � � þ at;1yQtÞþ ðxia1;2yQ1 þ � � � þ xiat;2yQtÞ þ � � �þ ðxi�1

i a1;iyQ1 þ � � � þ xi�1i at;iyQtÞ þ � � �

þ ðxt�1i a1;tyQ1 þ � � � þ xt�1

i at;tyQtÞ¼ ða1;1 þ a1;2xi þ � � � þ a1;tx

t�1i ÞyQ1

þ ða2;1 þ a2;2xi þ � � � þ a2;txt�1i ÞyQ2 þ � � �

þ ðai;1 þ ai;2xi þ � � � þ ai;txt�1i ÞyQi þ � � �

þ ðat;1 þ at;2xi þ � � � þ at;txt�1i ÞyQt

¼ yQiðby Lagrange interplating polynomial theoremÞ

eðU1; diÞeðU2; �Þ

¼ eðrP ; sðQi þ P1ÞÞeð�Ppub; yQiÞ

¼ eðrP ; sQiÞeðrP ; sP1ÞeðPpub; QiÞ�y

¼ eðPpub; QiÞreðPpub; P1Þr

eðPpub; QiÞr¼ eðPpub; P1Þr:

Thus,

�0 ¼ V H2eðU1; diÞeðU2; �Þ

� �¼ V H2ðeðPpub; P1ÞrÞ ¼ � and

M 0 ¼ DH4ð�0ÞðWÞ ¼ DH4ð�ÞðEH4ð�ÞðMÞÞ ¼M:

4.3 Discussions

The proposed scheme is based on some hard problems suchthat it satisfies forward security, backward security, andanonymity. The details are described as follows:

Forward secrecy [16]. The members who have quit thegroup should not be able to know the later session keys. Inour scheme, the session key � is randomly chosen in everysession. If the members of the group are different frombefore, the sender will compute fiðxÞ0s again such that themembers who have quit the group cannot obtain any usefulinformation to compute new session keys.

Backward secrecy [16]. New members should not be ableto know the session keys generated before they join thegroup. The discussions of this case are similar to those offorward secrecy.

Receiver anonymity. Everyone can receive transmittedmessages because they are broadcasted. Only the designatedreceivers can decrypt them successfully. Every receiverknows whether herself/himself is one of the designatedreceivers, but she/he cannot determine the others.

5 SECURITY PROOFS

We now prove that our scheme is IND-sMID-CPA secure,IND-sMID-CCA secure, ANON-sID-CPA secure, andANON-sID-CCA secure under the Co-DBDH assumptionand the DBDH-M assumption.

5.1 Confidentiality

Semantic security is a necessary security requirement foridentity-based encryptions. It means that no usefulinformation about a plaintext message can be gleanedfrom the corresponding ciphertext.

Theorem 1. The proposed multireceiver IBE scheme is

ð�; qH; qH1; qH2

; qH3; qH4

; q1; q2; "Þ-IND-sMID-CCA secure

under the ð� 0; "0Þ-Co-DBDH assumption, where "0 � " and

� 0 � þ ðqH1þ qH3

þ q1ÞOð�1Þ þ q2Oð�1 þ �2Þ þ ðqH þqH2þ qH4

ÞOð1Þ. (q1; q2; qH; qH1; qH2

; qH3, and qH4

denote the

number of private key extraction queries, decryption queries,

and queries to the hash functions H;H1; H2; H3; H4, respec-

tively. �1 and �2 denote the computing time for a multiplication

in GG1 and a pairing e, respectively.)

Proof. Assume that an IND-sMID-CCA attacker A hasadvantage

AdvIND-sMID-CCAQ ðAÞ � "

within running time � whereQ

is the proposedscheme. Suppose that A makes at most q1 private keyextraction queries, at most q2 decryption queries, andat most qH; qH1

; qH2; qH3

; qH4queries to the hash func-

tions H;H1; H2; H3; H4, respectively. We will showhow an algorithm B can solve the Co-DBDH problemwith advantage "0 within running time � 0, where"0 � " and � 0 � þ ðqH1

þ qH3þ q1ÞOð�1Þ þq2Oð�1 þ �2Þ þ

ðqH þ qH2þ qH4

ÞOð1Þ, by utilizing A.First, B is given <q;GG1;GG2; e; P ; aP ; bP ;Q;Z> as an

instance of the Co-DBDH problem. B can simulate theChallenger to execute each phase of the IND-sMID-CCAgame (Definition 5) for A as follows:

Phase 1: Suppose that A outputs target multipleidentities ðID1; . . . ; IDtÞ where t is a positive integer.

Setup: B sets P1 ¼ Q and Ppub ¼ bP , and gives theattacker A <q;GG1;GG2; e; n; P ; P1; Ppub;H;H1; H2; H3; H4>as the public parameters of the proposed scheme whereH;H1; H2; H3, and H4 are random oracles controlled by Bas follows:

Let HList, H1List, H2List, H3List, and H4List beused for storing the results of querying H, H1, H2, H3,and H4, respectively.H-query. Input an identity IDj to H where j 2 ½1; n�: If

there exists ðIDj; xjÞ in HList, return xj. Otherwise, dothe following:

1. Pick an integer xj 2 ZZ�q at random.2. Put ðIDj; xjÞ in HList.3. Return xj.

H1-query. Input an identity IDj to H1 where j 2 ½1; n�:If there exists ðIDj; lj; QjÞ in H1List, return Qj. Other-wise, do the following:

1. Pick an integer lj 2 ZZ�q at random.2. If IDj ¼ IDi for some i 2 f1; . . . ; tg, then compute

Qj ¼ ljP ; else compute Qj ¼ ljP � P1.3. Put ðIDj; lj; QjÞ in H1List.4. Return Qj.

H2-query. Input an element Zj in GG2 to H2 wherej 2 ½1; qH2

�: If there exists ðZj; �jÞ in H2List, return �j.Otherwise, do the following:

1. Pick a string �j 2 f0; 1gw at random.2. Put ðZj; �jÞ in H2List.3. Return �j.

H3-query. Input a pair ð�j;MjÞ to H3 wherej 2 ½1; qH3

�: If there exists ð�j;Mj; �j;�jÞ in H3List, return�j. Otherwise, do the following:


1. Pick an integer �j 2 ZZ�q at random and compute�j ¼ �jP .

2. Put ð�j;Mj; �j;�jÞ in H3List.3. Return �j.

H4-query. Input a string �j to H4 where j 2 ½1; qH4�: If

there exists ð�j; jÞ in H4List, return j. Otherwise, dothe following:

1. Pick a string j 2 f0; 1gw at random.2. Put ð�j; jÞ in H4List.3. Return j.

Phase 2: A issues private key extraction queries. Uponreceiving a private key extraction query, denoted by IDj

with IDj 6¼ IDi for i 2 f1; . . . ; tg, B does the following:

1. If there exists ðIDj; lj; QjÞ in H1List, then compute

dj ¼ ljPpubð¼ ljbP ¼ bljP ¼ bðljP � P1 þ P1Þ¼ bðQj þ P1ÞÞ;

else randomly choose lj 2 ZZ�q , compute dj ¼ ljPpub,Qj ¼ ljP � P1, and put ðIDj; lj; QjÞ in H1List.

2. Return dj to A.

Phase 3: A issues decryption queries for targetidentities. Upon receiving a decryption query, denotedby ðC�; IDiÞ where i 2 f1; . . . ; tg and C� ¼ <R1; . . . ; Rt;U1; U2; V ;W>, B does the following:

1. Search H3List to get ðMj; �jÞ when �j ¼ U1. If notfound, return “reject” to A.

2. Compute xi ¼ HðIDiÞ.3. Compute � ¼ R1 þ xiR2 þ � � � þ ðxit�1 mod qÞRt.4. Compute

�0 ¼ V H2

eðPpub; �jP1ÞeðU1; liPpubÞeðU2; �Þ

� �;

where

eðPpub; �jP1ÞeðU1; liPpubÞ ¼ eðbP ; �jP1ÞeðU1; libP Þ¼ eð�jP ; bP1ÞeðU1; bliP Þ ¼ eðU1; bðP1 þQiÞÞ¼ eðU1; diÞ:

5. Test whether Mj ¼ DH4ð�0ÞðWÞ or not. If not,return “reject” to A; else return Mj to A.

Challenge: A outputs a target plaintext pair ðM0;M1Þ.Upon receiving ðM0;M1Þ, B does the following:

1. Randomly choose � 2 f0; 1g.2. For i ¼ 1; . . . ; t, search H1List to get li that

corresponds to IDi.3. Pick an integer � 2 ZZ�q and a string � 2 f0; 1gw

at random.4. Set U1 ¼ aP ¼ rP and K ¼ Z.5. For i ¼ 1; . . . ; t, compute

fiðxÞ ¼Y

1�j6¼i�t

x� xjxi � xj

¼ ai;1 þ ai;2xþ � � � þ ai;txt�1

where ai;1; . . . ; ai;t 2 ZZq.6. For i ¼ 1; . . . ; t, compute

Ri ¼Xtj¼1

aj;i��1ljU1

�¼Xtj¼1

aj;i��1rljP ¼

Xtj¼1

aj;iyQj

¼Xtj¼1

bjQj

�:

7. Create a target ciphertext C ¼ <R1; . . . ; Rt, U1,�Ppub, �H2ðKÞ, EH4ð�ÞðM�Þ>.

8. Return C to A.

Phase 4: A issues private key extraction queries asthose in Phase 2 and decryption queries for targetidentities as those in Phase 3 where a restriction here isthat C� 6¼ C.

Guess: Finally, A outputs its guess �0 2 f0; 1g. If�0 ¼ �, then B outputs 1. Otherwise, B outputs 0.

IfK ¼ eðP;QÞab, then �H2ðKÞ ¼ �H2ðeðbP ;QÞaÞ ¼�H2ðeðPpub; P1ÞrÞ. Hence, C is a valid ciphertext.

Otherwise, K is a randomly chosen element of GG2. As

the construction above, B successfully simulates the

random oracles {H;H1; H2; H3; H4}, the private keyextraction, and the decryption oracles in Phase 2, Phase 3,

and Phase 4. Hence, we get Pr½BðP; aP ; bP ;Q; eðP;QÞabÞ ¼1� ¼ Pr½�0 ¼ �� w h e r e jPr½�0 ¼ �� 1

2 j � ", a n d

Pr½BðP; aP ; bP ;Q;ZÞ ¼ 1� ¼ Pr½�0 ¼ �� ¼ 12 when Z is

randomly chosen from GG2. Therefore, we have

jPr½BðP; aP ; bP ;Q; eðP;QÞabÞ ¼ 1�

� Pr½BðP; aP; bP ;Q;ZÞ ¼ 1�j � 1

2� "

� �� 1

2

�� ¼ ":

Thus , "0 � " and � 0 � þ ðqH1þ qH3

þ q1ÞOð�1Þ þq2Oð�1 þ �2Þ þ ðqH þ qH2

þ qH4ÞOð1Þ, where �1 and �2

denote the computing time for a multiplication in GG1

and a pairing e, respectively. tuTheorem 2. The proposed multireceiver IBE scheme is ð�; qH;qH1

; qH2; qH3

; qH4; q1; "Þ-IND-sMID-CPA secure under the

ð� 0; "0Þ-Co-DBDH assumption, where "0 � " and � 0 � þðqH1þ qH3

þ q1ÞOð�1Þ þ ðqH þ qH2þ qH4

ÞOð1Þ.Proof. Since the ð�; qH; qH1

; qH2; qH3

; qH4; q1; "Þ-IND-sMID-

CPA security is a special case of the ð�; qH; qH1; qH2

,qH3

; qH4; q1; q2; "Þ-IND-sMID-CCA security with q2 ¼ 0,

Theorem 2 holds. tu

5.2 Receiver Anonymity

Receiver anonymity means that every user only knowswhether she/he is one of the exact receivers of a ciphertext,while she/he cannot determine whether any other user isan exact receiver or not.

Theorem 3. The proposed multireceiver IBE scheme is ð�; qH;qH1

; qH2; qH3

; qH4; q1; q2; "Þ-ANON-sID-CCA secure under the

ð� 0; "0Þ-DBDH-M assumption, where "0 � " and


þ q1ÞOð�1Þ þ q2Oð�1 þ �2Þþ ðqH þ qH2

þ qH4ÞOð1Þ:

Proof. Assume that an ANON-sID-CCA attacker A has

advantage AdvANON-sID-CCAQ ðAÞ � "within running time �


whereQ

is the proposed scheme. Suppose that Amakes

at most q1 private key extraction queries, at most q2

decryption queries, and at most qH , qH1, qH2

, qH3, qH4

queries to the hash functions H, H1, H2, H3, H4,

respectively. We can show how an algorithm B can solve

the DBDH-M problem with advantage "0 within running

time � 0, where "0 � " and � 0 � þ ðqH1þ qH3

þ q1ÞOð�1Þ þq2Oð�1 þ �2Þ þ ðqH þ qH2

þ qH4ÞOð1Þ, by utilizing A.

First, B is given <q;GG1; P ; aP ; bP ;U> as an instance of

the DBDH-M problem. B can simulate the Challenger to

execute each phase of the ANON-sID-CCA game

(Definition 7) for A as follows:

Phase 1: Suppose that A outputs a target identity pair

ðID1; ID2Þ.Setup: B randomly chooses � 2 f1; 2g and !1; !2 2 ZZ�q .

B sets Ppub ¼ !1bP and P1 ¼ !2P , and gives the

attacker A <q;GG1;GG2; e; n; P ; P1; Ppub;H;H1; H2; H3; H4>

as the public parameters of the proposed scheme where

H, H1, H2, H3, and H4 are random oracles controlled by

B as follows:

H1-query. Input an identity IDj to H1 where j 2 ½1; n�:If there exists ðIDj; lj; QjÞ in H1List, return Qj. Other-

wise, do the following:

1. Pick an integer lj 2 ZZ�q at random.2. If IDj ¼ ID�, then Qj ¼ aP ; else if IDj 6¼ IDi for

each i 2 f1; 2g, then compute Qj ¼ ljP � P1; else

compute Qj ¼ ljP .3. Put ðIDj; lj; QjÞ in H1List.4. Return Qj.

The other parts are the same as those in the proof ofTheorem 1.

Phase 2: Upon receiving a private key extractionquery IDj with IDj 6¼ IDi for each i 2 f1; 2g, B performs

the same operations as those in the proof of Theorem 1.

Phase 3: Upon receiving a decryption query ðC�; IDiÞwhere i 2 f1; 2g and C� ¼ <R1; U1; U2; V ;W>, B per-

forms the following:

1. Search H3List to get ðMj; �jÞ when �j ¼ U1. If notfound, return “reject” to A.

2. Compute � ¼ R1.3. Compute

�0 ¼ V H2eð�jbP ; !1ðP1 þQiÞÞ

eðU2; �Þ

� �:

4. Test whether Mj ¼ DH4ð�0ÞðWÞ or not. If not,

return “reject” to A; else return Mj to A.

Challenge: A outputs a target plaintext M. Uponreceiving M, B does the following:

1. Pick a string � 2 f0; 1gw at random.2. Set U1 ¼ bP ¼ rP , U2 ¼ !1P , and R1 ¼ U.3. Compute K ¼ eðU1; PpubÞ!2 .4. Create a target ciphertext C ¼ <R1; U1; U2; �

H2ðKÞ; EH4ð�ÞðMÞ>.5. Return C to A.

Phase 4:A issues private key extraction queries as thosein Phase 2 and decryption queries for target identities asthose in Phase 3 where C� 6¼ C is a restriction here.

Guess: Finally, A outputs its guess �0 2 f1; 2g. If�0 ¼ �, then B outputs 1. Otherwise, B outputs 0. IfR1 ¼ ab2P , then

K ¼ eðU1; PpubÞ!2 ¼ eðbP ; !1bP Þ!2 ¼ eðbP ; !1!2bP

þ !1abP � !1abP Þ

¼ eðbP ; !1bðaP þ !2P þ aP � aP ÞÞeð!1P; ab2P Þ

¼ eðbP ; !1bðQ� þ P1ÞÞeð!1P;R1Þ

¼ eðU1; d�ÞeðU2; �Þ

:

Thus,

�H2ðKÞ ¼ �H2eðU1; d�ÞeðU2; �Þ

� �:

Hence, C is a valid ciphertext. Otherwise, R1 is a

randomly chosen element of GG1. As the construction

above, B successfully simulates the random oracles

{H;H1; H2; H3; H4}, the private key extraction, and the

decryption oracles in Phase 2, Phase 3, and Phase 4. Hence,

we get

Pr½BðP; aP ; bP ; ab2P Þ ¼ 1� ¼ Pr½�0 ¼ ��

where

Pr½�0 ¼ �� 1

2

�� ";

and Pr½BðP; aP ; bP;UÞ ¼ 1� ¼ Pr½�0 ¼ �� ¼ 12 when U is

randomly chosen from GG1. Therefore, we have

jPr½BðP; aP ; bP ; ab2P Þ ¼ 1� � Pr½BðP; aP; bP ;UÞ ¼ 1�j

� 1

2� "

� �� 1

2

�� ¼ ":

Thus, "0 � " and


þ q1ÞOð�1Þ þ q2Oð�1 þ �2Þþ ðqH þ qH2

þ qH4ÞOð1Þ;

where �1 and �2 denote the computing time for a

multiplication in GG1 and a pairing e, respectively. tu

Theorem 4. The proposed multireceiver IBE scheme is

ð�; qH; qH1; qH2

; qH3; qH4

; q1; "Þ-ANON-sID-CPA secure under

the ð� 0; "0Þ-DBDH-M assumption, where "0 � " and � 0 � þðqH1þ qH3

þ q1ÞOð�1Þ þ ðqH þ qH2þ qH4

ÞOð1Þ.Proof. Since the ð�; qH; qH1

; qH2; qH3

; qH4; q1; "Þ-ANON-sID-

CPA security is a special case of the ð�; qH; qH1; qH2

,

qH3; qH4

; q1; q2; "Þ-ANON-sID-CCA security with q2 ¼ 0,

Theorem 4 holds. tu



TABLE 1Performance Comparisons among [1], [7], [8], [13], [14], [19], [22] and Our Scheme

6 PERFORMANCE EVALUATION

As to the computation cost for the sender, some steps inEncrypt, shown below, can be precomputed by the sender aslong as the receivers have been selected:

1. Pick an integer � 2 ZZ�q at random.2. For i ¼ 1; . . . ; t, compute xi ¼ HðIDiÞ and Qi ¼

H1ðIDiÞ.3. For i ¼ 1; . . . ; t, compute

fiðxÞ ¼Y

1�j6¼i�t

x� xjxi � xj

¼ ai;1 þ ai;2xþ � � � þ ai;txt�1:

4. For i ¼ 1; . . . ; t, compute Yi ¼Pt

j¼1 bjQj, where bj ¼aj;i�

�1 mod q.5. Keep ðfYi; 8i ¼ 1; . . . ; tg; �Þ.If the sender wants to encrypt a message M, then

1. Pick a string � 2 f0; 1gw at random and setr ¼ H3ð�;MÞ.

2. For i ¼ 1; . . . ; t, compute Ri ¼ rYi.3. Set the ciphertext C ¼ <R1; . . . ; Rt; rP ; �Ppub; �

H2ðeðPpub; P1ÞrÞ; EH4ð�ÞðMÞ>.

Therefore, the computation cost for the sender can bereduced to one pairing, one exponentiation computation inGG2, ðtþ 2Þ multiplications in GG1, and a symmetric encryp-tion. In [7], the PKG computes each user’s personal privatekey by using polynomial interpolation in theKey Generation(Extract) phase, and in the Encapsulation (Encrypt) phase, asender computes the message encryption/decryption keyvia polynomial interpolation, too. In our scheme, when asender wants to send a message to a set of receivers, she/hecomputes the message encryption/decryption key and hidestheir identities by using polynomial interpolation in theEncrypt phase only. Thus, each user in [7] stores more secretparameters than ours, but the computation cost of ourscheme is higher than that of [7]. Considering precomputa-tion in both [7] and ours, by the method shown in Section 6,

the computation cost of our scheme for encryption is less thanthat of [7] and each user’s secret parameters of our scheme arestill fewer than those of [7], too.

The performance comparsions among [1], [7], [8], [13],[14], [19], [22] and our scheme are summarized in Table 1.

7 COMPARISONS AND REMARKS

Finally, we compare our scheme with the other encryptionschemes proposed in the literature [1], [7], [8], [13], [14],[19], [22]. The comparisons are summarized in Table 2.

The scheme [1] may be able to achieve receiveranonymity if a ciphertext is not accompanied with a labelthat contains information about how the byte-order of theciphertext is associated with each selected receiver. Byusing this way, each selected receiver must decrypt eachpart of the ciphertext until she/he can decrypt theciphertext successfully. Thus, every selected receiver hasto compute ðtþ 1Þ, in average, bilinear pairings for thedecryption, and every nonselected receiver must perform2t bilinear pairing computations to ensure that she/he is nota selected receiver of the ciphertext, where t is the numberof the selected receivers of the ciphertext. By applying theabove way to [7], the scheme may also be able to satisfyreceiver anonymity with the same decryption cost as theabove. Note that the security of receiver anonymity in thetwo solutions derived from [1], [7] still needs to be provedformally. In our proposed scheme, it only requires twobilinear pairing computations for each selected or non-selected receiver to perform the decryption. The decryptioncost is much lower than that of the solutions derived from[1], [7]. This is because that our scheme is tailored forreceiver anonymity. Furthermore, the security of receiveranonymity has been formally proved in Theorems 3 and 4.

8 CONCLUSIONS

In this paper, we have proposed an efficient and secureanonymous multireceiver identity-based encryption scheme.


TABLE 2Properties Comparisons

The scheme makes it impossible for an attacker or any otherreceiver to derive the identity of a message receiver such thatthe privacy of every receiver can be guaranteed. Our schemeis much more efficient for receivers than two straightforwardsolutions. Furthermore, we have also formally demonstratedthat the proposed scheme can meet the indistinguishability ofencryptions under the selective multi-ID, chosen plaintextattacks (IND-sMID-CPA), the indistinguishability of encryp-tions under the selective multi-ID, chosen ciphertext attacks(IND-sMID-CCA), the anonymous indistinguishability ofencryptions under selective-ID, chosen plaintext attacks(ANON-sID-CPA), and the anonymous indistinguishabilityof encryptions under selective-ID, chosen ciphertext attacks(ANON-sID-CCA).

ACKNOWLEDGMENTS

The authors would like to thank the anonymousreviewers for their valuable comments on their paper. Apartial result of this work has been presented at NationalInformation Security Conference, Taiwan, ROC, 2007 andwon the Best Student Paper Award. This work wassupported in part by the National Science Council of theROC (Taiwan) under grants NSC98-2219-E-110-001 andNSC96-2221-E-110-071-MY3.

REFERENCES

[1] J. Baek, R. Safavi-Naini, and W. Susilo, “Efficient Multi-ReceiverIdentity-Based Encryption and Its Application to BroadcastEncryption,” Public Key Cryptography—PKC 2005, pp. 380-397,Springer, 2005.

[2] M. Bellare and P. Rogaway, “Random Oracles are Practical: AParadigm for Designing Efficient Protocols,” Proc. ACM CCCS ’93,pp. 62-73, 1993.

[3] J. Bethencourt, H. Chan, A. Perrig, E. Shi, and D. Song,“Anonymous Multi-Attribute Encryption with Range Query andConditional Decryption,” technical report, Carnegie Mellon Univ.,CMU-CS-06-135, 2006.

[4] D. Boneh and M. Franklin, “Identity-Based Encryption from theWeil Pairing,” SIAM J. Computing, vol. 32, no. 3, pp. 586-615, 2003.

[5] X. Boyen and B. Waters, “Anonymous Hierarchical Identity-BasedEncryption (without Random Oracles),” Advances in Cryptology—-CRYPTO 2006, Springer, Cryptology ePrint Archive, Report 2006/085, http://eprint.iacr.org/2006/085.pdf, 2006.

[6] H. Chabanne, D.H. Phan, and D. Pointcheval, “Public Trace-ability in Traitor Tracing Schemes,” Advances in Cryptology—EUROCRYPT 2005, pp. 542-558, Springer, 2005.

[7] S. Chatterjee and P. Sarkar, “Multi-Receiver Identity-Based KeyEncapsulation with Shortened Ciphertext,” Progress in Cryptology—INDOCRYPT 2006, pp. 394-408, Springer , 2006.

[8] X. Du, Y. Wang, J. Ge, and Y. Wang, “An ID-Based BroadcastEncryption Scheme for Key Distribution,” IEEE Trans. Broad-casting, vol. 51, no. 2, pp. 264-266, June 2005.

[9] E. Fujisaki and T. Okamoto, “Secure Integration of Asymmetric andSymmetric Encryption Schemes,” Proc. Advances in Cryptology—-CRYPTO ’99, pp. 537-554, 1999.

[10] C. Gentry, “Practical Identity-Based Encryption without RandomOracles,” Advances in Cryptology—EUROCRYPT 2006, pp. 445-464,Springer, 2006.

[11] F.B. Hildebrand, Introduction to Numerical Analysis, second ed.Dover, 1974.

[12] L. Hu, D.G. Feng, and T.H. Wen, “Fast Multiplication on a Familyof Koblitz Elliptic Curves,” J. Software, vol. 14, no. 11, pp. 1907-1910, 2003.

[13] J.W. Lee, Y.H. Hwang, and P.J. Lee, “Efficient Pubic Key BroadcastEncryption Using Identifier of Receivers,” Information SecurityPractice and Experience, pp. 153-164, Springer, 2006.

[14] L. Lu and L. Hu, “Pairing-Based Multi-Recipient Public KeyEncryption,” Proc. 2006 Int’l Conf. Security Management, pp. 159-165, 2006.

[15] V.S. Miller, “The Weil Pairing, and Its Efficient Calculation,” J.Cryptology, vol. 17, pp. 235-261, 2004.

[16] R. Molva and A. Pannetrat, “Network Security in the MulticastFramework,” Advanced Lectures in Networking, pp. 59-82, Springer,2002.

[17] T. Okamoto and D. Pointcheval, “REACT: Rapid Enhanced-Security Asymmetric Cryptosystem Transform,” Topics in Cryptol-ogy CT-RSA 2001, pp. 159-174, Springer-Verlag, 2001.

[18] M. Scott, N. Costigan, and W. Abdulwahab, “ImplementingCryptographic Pairings on Smartcards,” Cryptology ePrintArchive, Report 2006/144, http://eprint.iacr.org/2006/144.pdf,2006.

[19] L. Wang and C.-K. Wu, “Efficient Identity-Based MulticastScheme from Bilinear Pairing,” IEE Proc. Comm., vol. 152, no. 6,pp. 877-882, 2005.

[20] V.K. Wei, T.H. Yuen, and F. Zhang, “Group Signature whereGroup Manager Members Open Authority are Identity-Based,”Information Security and Privacy, pp. 468-480, Springer, 2005.

[21] E.D. Win, S. Mister, B. Prennel, and M. Wiener, “On thePerformance of Signature Based on Elliptic Curves,” AlgorithmicNumber Theory, pp. 252-266, Springer, 1998.

[22] C. Yang, X. Cheng, W. Ma, and X. Wang, “A New ID-BasedBraodcast Encryption Scheme,” Autonomic and Trusted Computing2006, pp. 487-492, Springer-Verlag, 2006.

[23] T.H. Yuen and V.K. Wei, “Fast and Proven Secure Blind Identity-Based Signcryption from Pairings,” Topics in Cryptology CT-RSA2005, pp. 305-322, Springer, 2005.

Chun-I Fan received the MS degree in com-puter science and information engineering fromNational Chiao Tung University, Taiwan, in1993, and the PhD degree in electrical en-gineering at National Taiwan University in 1998.From 1999 to 2003, he was an associateresearcher and project leader of Telecommuni-cation Laboratories, Chunghwa Telecom Co.,Ltd, Taiwan. In 2003, he joined the faculty ofthe department of computer science and

engineering, National Sun Yat-sen University, Kaohsiung, Taiwan,and is a full professor now. He won the Dragon Thesis Award fromAcer Foundation and Best Thesis Award from Institute of Information &Computing Machinery in 1999, Best Student Paper Awards in NationalConference on Information Security 1998 and 2007. He also was theeditor-in-chief of Information Security Newsletter, Chinese Cryptologyand Information Security Association. He was a program co-chair ofACM International Workshop on Cross Layer Design 2008, aninternational advisor of the International Congress on PervasiveComputing and Management 2008, and program committeeman ofseveral international conferences. His current research interestsinclude information security, cryptographic protocols, wireless security,and electronic commerce, and he has published over 80 papers injournals, books, and conference proceedings. He is a member of theIEEE and the IEEE Computer Society.

Ling-Ying Huang received the BS degree inapplied mathematics from Fu Jen CatholicUniversity, Taipei, Taiwan, and the MS degreein computer science and engineering at NationalSun Yat-sen University, Kaohsiung, Taiwan. Hercurrent research interests include cryptography,identity authentication, and information security.

Pei-Hsiu Ho received the MS degree in informa-tion management from Southern Taiwan Uni-versity of Technology in 2003. She is nowworking toward the PhD degree in computerscience and engineering at National Sun Yat-senUniversity. From 2003 to 2005, she was asoftware engineer in Asia Pacific Telecom Co.,Ltd, Taiwan. Her current research interestsinclude information security and cryptographicprotocols about electronic cash and digitalsignatures.


Documents

Anonymous Multireceiver Identity-Based Encryption