Abstract

With the growing development of Internet technology and the popularization of mobile devices, we can easily access the Internet anytime and anywhere using mobile devices. This has brought great convenience to our lives, but it has also brought more challenges than traditional wired communication, such as confidentiality and privacy. In order to improve security and privacy protection in mobile networks, numerous multi-receiver identity-based encryption schemes have been proposed using bilinear pairing and the probabilistic hash-to-point (HTP) function. To address the problem of private key escrow in multi-receiver encryption schemes based on ID-PKC, some certificateless anonymous multi-receiver encryption (CLAMRE) schemes have recently been introduced. However, previous CLAMRE schemes using bilinear pairing are not suitable for mobile devices, because the use of bilinear pairing and the probabilistic hash-to-point (HTP) function results in expensive operation costs in encryption or decryption. In this paper, we propose an efficient CLAMRE scheme using elliptic curve cryptography (ECC) without bilinear pairing and the HTP hash function. Since our scheme does not use bilinear pairing or HTP operations during the encryption and decryption process, the proposed CLAMRE scheme has much lower computation cost than the latest CLAMRE schemes. Performance analysis shows that the runtime of our scheme is much lower when the sender generates ciphertext, compared with existing schemes. Security analysis shows that the proposed CLAMRE scheme provides confidentiality of the message and receiver anonymity under the random oracle model, based on the difficulty of the decision Diffie-Hellman problem, against the adversaries defined in the CL-PKC system.

1. Introduction

With the rapid development of Internet technology and wireless communications and the popularity of mobile devices, we can access the Internet freely anytime and anywhere using mobile devices. Internet services bring great convenience to our lives, but we have to face the security problems caused by the openness of the wireless network. How to protect the security and privacy of wireless communications using mobile devices has been extensively considered by scholars. In order to achieve this goal, many encryption schemes (Fu Z et al. [1, 2]; Xia Z et al. [3]; Huang X et al. [4]), authentication schemes (Guo P et al. [5]; Shen J et al. [6]; Huang X et al. [4, 7]), and signature schemes (Ren Y et al. [8]; Wang J et al. [9]; Lee C C et al. [10]) have been proposed in recent years.

The multi-receiver encryption (MRE) or broadcast encryption (BEN) scheme is an important cryptographic primitive, in which a sender produces a single ciphertext by enciphering a message and then sends it to a group of selected receivers. Anyone in the group can decrypt the received ciphertext using his/her private key, and any user outside the privileged set S should not be able to recover the message. In fact, multi-receiver confidential communication has very extensive applications, such as pay TV, video on demand, software protection, distribution of copyrighted material, and online gaming. When encrypted information is transmitted over a public channel, the confidentiality of the information and the anonymity of the receiver are greatly challenged. Confidentiality means that only an authorized receiver can decrypt the ciphertext and recover the message correctly. Identity protection, on the other hand, means that no receiver in the group can identify the other receivers. An MRE scheme is suitable for protecting the users' security and privacy. Therefore, it is necessary to consider how to design efficient and secure broadcast encryption and multi-receiver encryption schemes. In order to meet the security requirements of practical applications, many MRE schemes (Kurosawa K [11]; Bellare M et al. [12]; Dodis Y et al. [13]; Kurosawa K [14]; Bellare M [15]) were proposed using the public key infrastructure (PKI).

In multi-receiver encryption schemes [11–15], the management, distribution, and revocation of public key certificates require huge storage space and high computing cost. To solve this problem, Beak et al. [16] constructed an efficient multi-receiver identity-based encryption (ID-based MRE) scheme; only one bilinear pair is required to encrypt a single message for receivers. In 2006, Chatterjee S et al. [17] proposed a multi-receiver identity-based key encapsulation mechanism with security in the full model and sublinear size ciphertext. In this scheme, a controllable trade-off is achieved between the ciphertext size and the private size. However, Park et al. gave a way to attack the scheme of Chatterjee S [17] and proved that it is not secure. In 2006, another IBBE scheme was designed by Yang et al. [18] using elliptic curve bilinear pairing. However, they did not consider the joining and departure of recipients in the design process, so the scheme was not suitable for a dynamic set. In schemes [16–18], the application scenario is a single domain environment; that is, receivers come from the same management domain. However, in realistic applications, usually receivers will come from different management domains and they need once the bilinear pairing computation for one message, so their scheme becomes inefficient. In 2014, Wang H et al. [19] proposed an efficient multiple domain multi-receiver identity-based encryption scheme that only requires one pairing computation to encrypt a single message for receivers from different administrative domains.

However, the above ID-based MRE schemes [16–19] do not consider receiver anonymity. To preserve the privacy of receivers, in 2010, Fan et al. [20] presented a new ID-based MRE scheme and claimed that it can protect receiver anonymity; the scheme is highly efficient for each receiver as it requires only two pairing operations. In 2012, Chien [21] found that the scheme of Fan et al. [20] failed to protect receiver anonymity and proposed an improved scheme which proves that the scheme enhances security and protects the anonymity of recipients. Unfortunately, Wang [22] pointed out that Chien's scheme does not satisfy the indiscernibility of encryption under selective multi-identity, chosen ciphertext attacks. In 2015, Zhang [23] proposed the most efficient anonymous MRIBE scheme in terms of computational cost and communication overhead, compared with the schemes of [20–22].

Although the above ID-based MRE schemes have many advantages, all of them face the problem of private key escrow: the key generator center (KGC) calculates the private key of every user from the user identity and the master private key of the KGC, so the KGC retains all users' private keys, and the users' privacy is easily leaked if the KGC is not fully trusted. In order to address this security weakness, in 2003, Al-Riyami et al. [24] introduced the concept of certificateless cryptography (CLC). In the CLC, the user's private key contains two parts: the KGC and the user generate a partial private key and a secret value, respectively. Based on Al-Riyami et al.'s work, most certificateless signature (encryption) schemes [25–29] are proposed. In the existing research literature, the certificateless multi-receiver encryption (CLMRE) scheme did not get much attention; Islam et al. [27] presented the concept of certificateless anonymous multi-receiver encryption (CLAMRE) and proposed the first CLAMRE scheme using elliptic curve cryptography (ECC). Hung et al. [28] pointed out that the scheme of [27] is less efficient and is not suitable for a mobile device environment, because the cost of the encryption calculation is the square of the number of recipients, and proposed a new CLAMRE scheme using bilinear pairing. However, Hung et al.'s CLAMRE scheme still does not suit mobile devices because it uses bilinear pairing. In encryption, the number of bilinear pairing operations the sender needs to perform grows linearly with the number of receivers.

Our Contribution. In this paper, we propose an efficient CLAMRE scheme using elliptic curve cryptography (ECC) without bilinear pairing and the HTP hash function. Since our scheme does not use bilinear pairing or HTP operations during the encryption process, the proposed CLAMRE scheme has much lower computation cost than the latest CLAMRE schemes; the runtime of our scheme is much lower in both encryption and decryption, compared with the existing schemes [28, 29]. Our scheme provides confidentiality of the message and anonymity of the receiver under the random oracle model, based on the difficulty of the computational Diffie-Hellman problem, against the adversaries defined in the CL-PKC system.

Organization. The rest of the paper is organized as follows. Mathematical preliminaries are introduced in Section 2. Formal definition of our CLAMRE scheme is presented in Section 3. Our CLAMRE scheme is proposed in Section 4. In Section 5, we give some security analysis of our CLAMRE scheme. Some performance analysis of our CLAMRE scheme is given in Section 6. At last, some conclusions of the paper are presented.

2. Mathematical Preliminaries

Here, we introduce the basic theory of elliptic curves and some existing intractable problems.

2.1. Elliptic Curve

Suppose that is a finite field determined by a prime number . The elliptic curve over is the set of solutions to the congruence , where are constants such that , together with a special point called the point at infinity or zero point.

The addition operation “+” on is defined as follows (where all arithmetic operations are performed in ): the point at infinity, , will be the identity element, so for arbitrary .

Suppose , if and reflection of the point with respect to the -axis is not the point ; let be the line through and ; otherwise ; we define to be the tangent line through the point . We denote as the third point in which intersects ; if we reflect in the -axis, then we get a point which we call . We define the following: . If reflection of the point with respect to the -axis is point , let ; we define the following: . The scalar point multiplication of the elliptic curve is defined as ( times). Point has order if is the smallest positive integer such that . So is an abelian group.

2.2. Computational Problems and Some Assumptions

Here, we mainly introduce the definitions of negligible function, decision Diffie-Hellman problem, and discrete logarithm (DL) problem, and assumptions are given.

Negligible Function. We call function negligible if, for every , there exists such that for every .

Discrete Logarithm (DL) Problem. Given a random instance , where , and , computation of is computationally hard by a polynomial time-bounded algorithm. The probability that a polynomial time-bounded algorithm can solve the DL problem is defined as .

Discrete Logarithm (DL) Assumption. For any probabilistic polynomial time-bounded algorithm , is negligible if , for negligible function .

Decision Diffie-Hellman (DDH) Problem. Suppose that is point with order on , and are random points on , where . Determining if holds is hard by a polynomial time-bounded algorithm. The probability that a polynomial time-bounded algorithm can solve the DDH problem is defined as

Decision Diffie-Hellman Assumption. For any probabilistic polynomial time-bounded algorithm , is negligible if , for negligible function .

3. Formal Definition of the CLAMRE Scheme

The CLAMRE scheme includes three categories of participants, that is, the sender of information, the private key generation center, and the group of selective receivers, respectively.

We denote as group of receivers selected by sender, are their group identities, are group public key, and are the full private key. In CLAMRE scheme, sender generates ciphertext for message using public key and identities of receivers . Ciphertext is conveyed to the receiver through the public channel. Every receiver in group can correctly decrypt ciphertext by using private key for . And arbitrary two receivers in selected receiver group do not disclose the identity with each other. Figure 1 demonstrates intuitively the process of CLAMRE scheme. In the following, we depict the definition of the CLAMRE scheme.

In general, a certificateless anonymous multi-receiver encryption scheme consists of a tuple
(i): selecting a security parameter as input, the semitrusted private key generation center (KGC) executes this algorithm to generate the system's public parameters and the KGC's master public/private key pair . are published, and the master private is kept by KGC.
(ii): this algorithm is executed by KGC, according to the identity of receiver ; the PKG computes the corresponding partial private key using the master private key and delivers it to receiver via a secure channel.
(iii): this algorithm is executed by receiver with identity himself/herself to generate his/her secret value .
(iv): this algorithm is executed by receiver with identity . It takes () as input and returns the full private key to as output.
(v): this algorithm is executed by receiver himself/herself to generate his/her public key according to his/her secret value .
(vi): this is a PPT algorithm. Sender executes this algorithm to generate a ciphertext for message by identities and full public of selected receivers.
(vii): a selected receiver runs this algorithm to decrypt the received ciphertext using the receiver's full private key.

4. Description of the Proposed CLAMRE Scheme

In this section, we introduce our certificateless anonymous multi-receiver encryption (CLAMRE) scheme using elliptic curve cryptography (ECC) without bilinear pairings. The proposed scheme has three kinds of participants, i.e., a sender , set consisting of selected receivers , and a KGC. Sender generates ciphertext by encrypting message only for selected receivers ; then sender delivers the ciphertext to the receivers. Every receiver in can correctly decrypt the received ciphertext by using his/her full private key for . And arbitrary two receivers in selective receiver set do not disclose the identity with each other. The PKG generates the systems parameter and identity-based partial private keys of all the receivers for . The proposed scheme includes the following seven algorithms , , , ,
(i): With the given security parameter , this algorithm is executed by KGC to generate the system's parameters. The following steps are carried out by KGC in this algorithm.
(1) Choose two -bits prime integers , two -bits integers , and an elliptic curve defined on . Let be additive group on elliptic curve , and be subgroup of with prime order .
(2) Select randomly a generator .
(3) Randomly choose as the master key and .
(4) Select four secure one-way hash functions (; .
(5) Publish system's parameters and message space .
(ii): A receiver with randomly selects as his or her secret value and computes as the corresponding public key, and sends to KGC.
(iii): According to the identity of receiver , the KGC performs the following steps:
(1) Randomly choose and compute .
(2) Calculate and mod
(3) The tuple is delivered to receiver by authenticated secure channel.
Here, is receiver 's partial private key. The partial private key is valid if the equation holds, and vice versa.
Since we have
(iv): Receiver secretly keeps as his or her full private key.
(v): Receiver keeps as full public key.
(vi): This algorithm is executed by sender to generate a ciphertext for given message and selected receivers with identity respectively. The following steps will be performed in this algorithm.
(1) Choose randomly and given message . Calculate and .
(2) Compute and , where .
(3) Randomly select and compute a polynomial with degree as follows:
(4) Compute
(5) Generate ciphertext .
(vii): This algorithm is executed by selected receiver to extract plaintext from the received ciphertext . performs following steps:
(1) Compute and .
(2) Calculate and
(3) Compute
(4) Verify if holds. If not, stops the process; otherwise, output the plaintext .
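Added example (Python, not the paper's own code): the group law of Section 2.1 implemented on secp256k1, then used to show how a single polynomial with one root per receiver can deliver a session value to every selected receiver without listing any identity in the ciphertext. The scheme's formulas are missing from this text, so the form f(x) = ∏(x − v_i) + θ mod N, the derivation of v_i from a Diffie-Hellman point, the single-scalar receiver key, the check tag, and all function names are assumptions chosen for illustration, not the paper's construction.

```python
import hashlib
import secrets

# secp256k1 domain parameters (public standard values): y^2 = x^3 + A*x + B over F_P.
P = 2**256 - 2**32 - 977
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # prime order of G
INF = None  # point at infinity, the identity element


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Chord-and-tangent addition as described in Section 2.1."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p2 is the reflection of p1 in the x-axis
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P  # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """k*pt = pt + ... + pt (k times), by double-and-add. Not constant time."""
    acc, k = INF, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def h(tag, *parts):
    """Domain-separated SHA-256 into Z_N; stands in for the scheme's hash functions."""
    data = "|".join([tag] + [repr(p) for p in parts]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def keygen():
    """Assumed simplification: one scalar per receiver instead of the two-part key."""
    sk = secrets.randbelow(N - 1) + 1
    return sk, mul(sk, G)


def poly_with_roots(roots, theta):
    """Coefficients, lowest degree first, of prod(x - v_i) + theta over Z_N."""
    coeffs = [1]
    for v in roots:
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):  # multiply the running product by (x - v)
            nxt[i] = (nxt[i] - v * c) % N
            nxt[i + 1] = (nxt[i + 1] + c) % N
        coeffs = nxt
    coeffs[0] = (coeffs[0] + theta) % N
    return coeffs


def evaluate(coeffs, x):
    acc = 0
    for c in reversed(coeffs):  # Horner's rule
        acc = (acc * x + c) % N
    return acc


def seal_header(receivers, theta):
    """Sender side. receivers is a list of (identity, public_key) pairs."""
    r = secrets.randbelow(N - 1) + 1
    R = mul(r, G)
    roots = [h("v", ident, mul(r, pk)) for ident, pk in receivers]
    # The coefficients are symmetric in the roots, so the receiver order does not
    # affect the ciphertext, and no identity is listed in it.
    return R, poly_with_roots(roots, theta), h("chk", theta, R)


def open_header(ident, sk, R, coeffs, tag):
    """Receiver side: recompute the own root, evaluate, then verify before use."""
    theta = evaluate(coeffs, h("v", ident, mul(sk, R)))
    return theta if h("chk", theta, R) == tag else None


if __name__ == "__main__":
    # Constructed sample: three selected receivers and one outsider.
    keys = {name: keygen() for name in ("alice", "bob", "carol", "mallory")}
    theta = h("session", "constructed sample")
    chosen = [(n, keys[n][1]) for n in ("alice", "bob", "carol")]
    R, coeffs, tag = seal_header(chosen, theta)
    for name, (sk, _) in keys.items():
        print(name, open_header(name, sk, R, coeffs, tag) == theta)
```

The ciphertext header grows by one coefficient per receiver, and the sender performs one scalar multiplication per receiver with no pairing or hash-to-point operation.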

5. Security Analysis of the Proposed CLAMRE Scheme

5.1. Security Model

In order to prove the security of the CLAMRE scheme, we take into account the malicious-but-passive KGC. The robust security model was proposed by Hung et al. [28] for the CLAMRE scheme. Two kinds of adversaries are defined as follows.

Type I adversary: is a malicious outside adversary who can replace the user's public key with a value chosen by himself/herself. However, cannot access the master private key of KGC.

Type II adversary: behaves as an honest-but-curious KGC who owns the master key. However, he/she is not allowed to replace the public key of any user.

Define the security of a CLAMRE scheme as a game played between an adversary and a challenger . During the game, can make the following queries to .

query: generates private key and public key for the user . sends the user ’s public key to .

query: returns the matching user's public key to .

query: replaces the associated user's public key with new public key chosen by himself/herself.

query: sends the user's partial private key to .

query: sends the user's secret value to .

query: decrypts the received ciphertext and sends plaintext to .

We define the confidentiality of a CLAMRE scheme as the indistinguishability against selective multi-identity chosen ciphertext attack (IND-sMID-CCA). The IND-sMID-CCA game is defined as follows.

Game I. This game is to prove the confidentiality of the CLAMRE scheme.

Phase 1. In this phase, adversary selects target users with identities and delivers them to . performs setup to generate system parameters and master key.

Phase 2. could adaptively make the aforementioned oracle query but does not allow him/her to make query with if he/she is .

Challenge. chooses two plaintexts with the same length, then delivers to . randomly selects and uses and the corresponding public key to encrypt the message for generation the ciphertext . Then sends to .

Phase 3. In this phase, can make the same queries as he/she does in Phase 2 except that he/she cannot make query with and .

Guess. Finally, outputs , that is, his/her guess value about . We say that wins the game if . The advantage is that against the CLAMRE scheme is defined by .

Definition 1. We say a CLAMRE scheme is IND-sMID-CCA secure if is negligible for any polynomial-time-bounded adversary .

The receiver anonymity of a CLAMRE scheme is defined by the anonymous indistinguishability against selective identity chosen ciphertext attack (ANON-IND-sID-CCA). The ANON-IND-sID-CCA game is defined as follows.

Game II. This game is to prove the anonymity of the CLAMRE scheme

Phase 1. In this phase, selects two target users with identities and sends them to . Then runs setup to generate system parameters and the master key.

Phase 2. In this phase, could adaptively make the aforementioned the oracle query. However he/she cannot make query with if he/she is .

Challenge. picks message together with identities and sends them to ; randomly selects and uses and the corresponding public keys to generate a ciphertext of a message . Then delivers to .

Phase 3. In this phase, can make the same queries as he/she does in Phase 2 except that he/she cannot make query with and .

Guess. Finally, returns as his/her guess value about . We say that wins the game if . The advantage is that against the game is defined by .

Definition 2. We say a CLAMRE scheme is ANON-IND-sID-CCA secure if is negligible for any polynomial-time-bounded adversary .

5.2. Security Theorems

In this subsection, we will analyze in detail security of the proposed CLAMRE scheme. Through the analysis, it is shown that the proposed CLAMRE scheme is IND-sMID-CCA secure and ANON-IND-sID-CCA secure against two types of adversaries .

Theorem 3. The proposed CLAMRE scheme correctly generates the ciphertext , where and receiver decrypts it appropriately.

Proof. Due to the fact that = = = , receiver computes the following: and ., and is true.
So the proposed CLAMRE scheme is correct and consistent.

Theorem 4. In the random oracle model, our CLAMRE scheme satisfies the IND-sMID-CCA against the adversary with the hardness assumption of DDH problem.

Proof. is the polynomial time-bounded adversary, if has the ability to break the security of the proposed CLAMRE scheme. Then we can construct a probabilistic polynomial time-bounded challenger to solve the DDH problem by interacting with the adversary ; that is, given an instance of the DDH problem, challenger is able to determine if holds. Challenger maintains the following initial-empty lists in order to achieve the consistency between queries made by the adversary :
Phase 1
In this phase, selects target identities; we denote these identities as .
sets , and executes setup algorithm to generate other parameters. Then delivers to . To achieve the random oracles, maintains four lists , where is initialized empty . The four random oracles make the following answer for s queries.
(i) checks if exists in . If so, sends to . Otherwise, randomly chooses value , inserts into , and sends .
(ii) : checks if exists in . If so, returns to . Otherwise, randomly chooses value , inserts into , and returns .
(iii) : checks if exists in . If so, returns to . Otherwise, randomly chooses value , inserts into , and returns .
(iv) : checks if exists in . If so, returns to . Otherwise, randomly selects an element , inserts into , and returns .
Phase 2
can adaptively make queries to maintains a list , which is initialized empty. Challenger responded to these queries made by adversary as follows.
(i) query: checks if exists in . If so, returns to . Otherwise, executes the following processes.
(ii) If holds, without losing generality, we suppose , randomly picks , computes , and sets . inserts and into and , respectively. At last, returns to .
(iii) Otherwise ; randomly picks and computes . inserts and into and , respectively. At last, returns to .
(iv) -Retrieve: checks if exists in . If not, makes the Create-User query with first. Then, returns to .
(v) : checks if exists in . If not, makes the Create-User query with first. Then, replaces with
(vi) : checks if exists in . If not, makes the Create-User query with first. Then, returns to .
(vii) : checks if exists in . If not, makes the Create-User query with first. Then, returns to .
(viii) : checks if holds, where . If not, looks up for and uses to decrypt the ciphertext. Otherwise responds according to the following steps.
(ix) looks up for . If not, outputs failure and stops.
(x) searches the tuple from and checks if holds. If so, keeps ; if not, outputs failure and stops.
(xi) checks if holds. If not, outputs failure and stops. Otherwise return to
Challenge.   After making the above queries, picks two messages and with length and sends them to challenger chooses at random and performs the following steps.
(i) sets .
(ii) Let , and compute
(iii) chooses at random and computes a polynomial with degree as follows:
(iv) chooses and at random and computes .
Finally, sends the ciphertext .
Phase 3
In this phase, can make the same queries in Phase 2 except that it cannot make decryption queries with and .
Guess
outputs as his/her guess value about . If , then outputs 1; otherwise, outputs 0. wins the game if and only if holds.
Based on the above oracle queries, the simulation of is perfect. Next, we consider the probability that challenger fails in Game I. Combined with the previous description, we know that fails in query if is not in . The probability that can correctly guess the output of is . Therefore, the probability of failure in game I is less than , where denote the decryption query times in the game.
If holds, then is valid ciphertext. Thus, is able to distinguish with nonnegligible advantage . If , then the ciphertext distribution is random and uniform when or , so cannot distinguish with any advantage.
Therefore, if can break the IND-sMID-CCA security of the proposed CLAMRE scheme with nonnegligible advantage , then challenger can solve the DDH problem with a nonnegligible advantage , because the DDH problem is difficult. Therefore, the proposed CLAMRE scheme is IND-sMID-CCA secure against .

Theorem 5. Our CLAMRE scheme is IND-sMID-CCA secure against type II adversary under random oracle model with the difficulties of computational Diffie-Hellman problem.

Proof. is the polynomial time-bounded adversary, if has the ability to break the security of the proposed CLAMRE scheme. Then we can construct a probabilistic polynomial time-bounded challenger to solve the DDH problem by interacting with the adversary ; that is, for given an instance of the DDH problem, challenger is able to determine if holds. Challenger maintains the following initial-empty lists in order to achieve the consistency between queries made by adversary .
Phase 1
In this phase, selects target identities; we denote these identities as .
picks at random as system private key and computes corresponding public key . performs algorithm to construct other parameters. At last, delivers to and master private key to . To achieve the random oracles, maintains four lists , where initial is empty . The four random oracles make the following answer for queries.
(i) : checks if exists in . If so, returns to . Otherwise, randomly selects an element , inserts into , and returns .
(ii) : checks if exists in . If so, returns to . Otherwise, randomly selects an element , inserts into , and returns .
(iii) : checks if exists in . If so, returns to . Otherwise, randomly selects an element , inserts into , and returns .
(iv) : checks if exists in . If so, returns to . Otherwise, randomly selects an element , inserts into , and returns .
Phase 2
In this phase, can adaptively make a lot of queries to . maintains a list , which is initialized empty. These queries are responded as follows.
(i) query: checks if exists in . If so, returns to . Otherwise, performs the following steps.
(ii) If holds, without losing generality, we suppose randomly chooses and calculates mod . inserts and into and , respectively. At last, returns to .
(iii) Otherwise ; randomly picks and computes mod , . inserts and into and , respectively. At last, returns to .
(iv) -Retrieve: checks if exists in . If not, makes the Create-User query with first. Then, returns to .
(v) : checks if exists in . If not, makes the Create-User query with first. Then, returns to .
(vi) : checks if exists in . If not, makes the Create-User query with first. Then, returns to .
(vii) : checks if holds, where . If not, looks up for and uses to decrypt the ciphertext. Otherwise responds according to the following steps.
(viii) looks up for . If not, outputs failure and stops.
(ix) searches the tuple from and checks if holds. If so, keeps ; if not, outputs failure and stops.
(x) checks if holds. If not, outputs failure and stops. Otherwise, return to
Challenge
After making the above queries, picks two messages and with length and sends them to challenger ; chooses at random and implements the following process.
(i) sets .
(ii) Let , and compute
(iii) chooses at random and computes a polynomial with degree as follows:
(iv) chooses and at random and computes .
Finally, sends the ciphertext .
Phase 3
In this phase, can make the same queries in Phase 2 except that he cannot make decryption queries with and .
Guess
outputs as his/her guess value about . If , then outputs 1; otherwise, outputs 0. wins the game if and only if holds.
According to the above oracle queries, we know that the simulation of is perfect. Now, we analyze the probability that fails in Game I. Based on the above description, we know that fails in decryption query if is not in . The probability that can correctly guess the output of is . Therefore, the probability that fails in the game is less than , where denotes the decryption queries involved in the game.
If holds, then is valid ciphertext. Thus, is able to distinguish with nonnegligible advantage . If , then the ciphertext distribution is random and uniform when . So cannot distinguish with any advantage.
Therefore, if can break the IND-sMID-CCA security of the proposed CLAMRE scheme with nonnegligible advantage , then challenger can solve the DDH problem with a nonnegligible advantage . If can break the IND-sMID-CCA security of the proposed CLAMRE scheme with nonnegligible advantage , then we know can solve the CDH problem with a nonnegligible advantage . Due to the fact that the CDH problem is hard, we know that the proposed CLAMRE scheme is IND-sMID-CCA secure against adversary .

Theorem 6. In the random oracle model, our proposed CLAMRE scheme is ANON-IND-sID-CCA secure against adversary with the difficulty assumption of DDH problem.

Proof. Assume that the adversary can breach our CLAMRE scheme; then we will be able to design a challenger for solving an instance of the DDH problem. That is, given an instance of the DDH problem, challenger can determine if holds by interacting with adversary . Similar to Theorem 4, let lists and be maintained by challenger .

Phase 1. Assume that adversary selects two target users with identities . Challenger randomly selects

sets , and implements algorithm to construct other parameters. At last, delivers to . Challenger returns answers to the adversary's queries in the following ways.

Hash queries to : these queries are the same as those performed in Theorem 4.

Phase 2. Now, challenger will respond to the queries made by the adversary in the following ways.

(i) query: checks if exists in . If so, returns to . Otherwise, executes the following processes.

(ii) If for holds, randomly chooses , computes , and sets . inserts and into and , respectively. At last, returns to .

(iii) Otherwise ; randomly picks and computes . inserts and into and , respectively. At last, returns to .

(iv) -Retrieve: checks if exists in . If not, makes the Create-User query with first. Then, returns to .

(v) : checks if exists in . If not, makes the Create-User query with first. Then, replaces with .

(vi) : checks if exists in . If not, makes the Create-User query with first. Then, returns to .

(vii) : checks if exists in . If not, makes the Create-User query with first. Then, returns to .

(viii) : checks if holds, where . If not, looks up for and uses full private key to decrypt the ciphertext. Otherwise , responds as follows.

(ix) looks up for . If not, outputs failure and stops.

(x) searches the tuple from and checks if holds. If so, keeps ; if not, outputs failure and stops.

(xi) checks if holds. If not, outputs failure and stops. Otherwise return to

Challenge. After making the above queries, picks plaintext together with identities on which he wants to be challenged. chooses at random and implements the following process.

(i) sets .

(ii) Let , and compute .

(iii) chooses at random and computes a polynomial with degree as follows:

(iv) chooses and at random and computes .

Finally, sends the ciphertext .

Phase 3. In this phase, can make the same queries in Phase 2 except that he cannot make decryption queries with and .

Guess. outputs as his/her guess value about . If , then outputs 1; otherwise, outputs 0. wins the game if and only if holds.

Based on the above oracle queries, the simulation of is perfect. Next, we consider the probability that challenger fails in Game I. Combined with the previous description, we know that fails in query if is not in . The probability that can correctly guess the output of is . Therefore, the probability of failure in Game I is less than , where denotes the decryption query times in the game.

If holds, then is valid ciphertext. Thus, is able to distinguish with nonnegligible advantage .

If , then the ciphertext distribution is random and uniform when or , so cannot distinguish with any advantage.

Therefore, if can break the ANON-IND-sMID-CCA security of the proposed CLAMRE scheme with nonnegligible advantage , then challenger can solve the DDH problem with a nonnegligible advantage . Because the DDH problem is difficult, the proposed CLAMRE scheme is ANON-IND-sMID-CCA secure against .

Theorem 7. In the random oracle model, our proposed CLAMRE scheme is ANON-IND-sID-CCA secure against the adversary with the hardness assumption of CDH problem.

Proof. The proof of this theorem is similar to that of Theorem 5. To save space, we will not give the details here.

6. Performance Analysis

In this section, we analyze the computational cost of the proposed CLAMRE scheme and compare it with that of Hung et al.'s CLAMRE scheme (Hung et al. 2015) and He et al.'s CLAMRE scheme (He et al. 2017).

Let be an additive group defined on a supersingular elliptic curve over a prime field with the prime order , and the lengths of and are 512 bits and 160 bits, respectively. The Tate bilinear pairing , in order to achieve the same security. For the CLAMRE scheme based on elliptic curve cryptography, we also consider an additive group defined on a nonsingular elliptic curve over a prime field with the prime order ; the lengths of and are 160 bits. For convenience, the runtimes of some cryptographic operations are defined as follows.

(i) is the runtime required for computing a bilinear pairing.

(ii) is the runtime required for finishing a hash-to-point operation.

(iii) is the runtime required for computing a scalar multiplication in .

(iv) is the runtime required for computing an addition in .

(v) is the runtime required for computing a multiplication in .

(vi) is the runtime required for executing an exponentiation operation in .

(vii) is the runtime required for computing a scalar multiplication in .

(viii) is the runtime required for computing an addition in .

(ix) is the runtime required for executing a general hash operation.

(x) is the runtime required for executing a symmetric cryptography operation.

He et al. [30] have implemented the related operations on a mobile phone (Samsung Galaxy S5 with a Quad-core 2.45G processor, 2G bytes memory, and the Google Android 4.4.2 operating system) using a famous cryptographic library (MIRACL). The implementation results are shown in Table 1.

We denote the number of the receivers. In order to encrypt a given message , in Hung et al.'s CLAMRE scheme, the sender needs to perform scalar multiplication operations in , bilinear pairing operations, exponentiation operations in , hash-to-point operations, general hash operations, and one symmetric cryptography operation. Therefore, in Hung et al.'s CLAMRE scheme, the runtime of the sender is ms. To decrypt the received ciphertext, the receiver needs to perform the following operations: one scalar multiplication in , one bilinear pairing, five general hash operations, and one symmetric cryptography operation. Therefore, the runtime of the receiver in Hung et al.'s CLAMRE scheme is ms.

In He et al.’s [29] scheme, to encrypt a given message , the sender needs to perform the following operations: times addition in , times scalar multiplication in , times general hash, and one symmetric encryption operation and times exclusive-or operation (here, an exclusive-or operation is approximately equal to a symmetric encryption operation). Therefore, the runtime of encryption is ms. In order to get the plaintext from the received ciphertext, the receiver needs to finish seven general hash operations, two scalar multiplication operations in , one symmetric encryption operation, and one exclusive-or operation. Therefore, the runtime of the receiver in our scheme is ms.

In the proposed CLAMRE scheme, to encrypt a given message , the sender needs to perform the following operations: times addition in , times scalar multiplication in , times general hash, and one exclusive-or operation. Therefore, in our CLAMRE scheme, the runtime of the sender is ms. In order to get the plaintext from the received ciphertext, the receiver needs to finish three general hash operations, two scalar multiplication operations in , and one exclusive-or operation. Therefore, the runtime of the receiver in our scheme is ms.

We list the runtime of encryption and decryption in Hung et al.’s scheme, He et al.’s scheme, and our scheme in Table 2. For a more intuitive understanding, we also present the runtime of multiencryption algorithms in Figure 2. According to the comparisons in Table 2 and Figure 2, we can conclude that the proposed CLAMRE scheme has much less runtime in both encryption and decryption than the recent schemes. Therefore, our proposed CLAMRE scheme has better performance.

7. Conclusion

In order to keep up with the rapid development of mobile Internet, in this study, we proposed an efficient CLAMRE scheme using elliptic curve cryptography. A comparison with recent literature shows that our scheme has better performance. We also demonstrate that the proposed CLAMRE scheme provides message confidentiality and protects the privacy of the receiver under the random oracle model with the difficulties of the decision Diffie-Hellman problem and against the adversaries defined in the CL-PKC system.

In summary, our CLAMRE scheme has the following merits: (1) no use of bilinear pairing or the probabilistic HTP hash function in the encryption and decryption process; (2) confidentiality of the message and protection of the privacy of the receiver; (3) resistance to all known security attacks; (4) low computation and communication costs; (5) avoidance of the private key escrow problem and public key certificate management; (6) provable security against IND-sMID-CCA and ANON-IND-sID-CCA under the random oracle.

Data Availability

The data used in our manuscript was the runtime of some cryptographic operations. He et al. have implemented the relevant operations on a mobile phone (Samsung Galaxy S5 with a Quad-core 2.45G processor, 2G bytes memory, and the Google Android 4.4.2 operating system) using a famous cryptographic library (MIRACL) in literature [30]. The data (the runtime of some cryptographic operations) used to support the findings of this study is derived from literature [29, 30].

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This research is supported by the National Natural Science Foundation of China under Grant no. 61562012; the Innovation Group Major Research Projects of Department of Education of Guizhou Province under Grant no. KY2016]026.