Abstract

A broadcast encryption scheme enables a sender to distribute confidential content to a chosen set of intended recipients. It has been applied in cloud computing, TV broadcasts, and many other scenarios. Inner product broadcast encryption combines the merits of broadcast encryption and inner product encryption. However, it is crucial to reduce the computation cost of an inner product broadcast encryption scheme and to take the recipient’s privacy into consideration. To address these problems, this paper focuses on constructing a secure and practical inner product broadcast encryption scheme. First, we build an anonymous certificate-based inner product broadcast encryption scheme and give its concrete construction and security analysis. Second, compared with the existing inner product broadcast encryption schemes, the proposed scheme has the advantage of anonymity. Security proofs show that the proposed scheme achieves confidentiality and anonymity against adaptive chosen-ciphertext attacks. Finally, we implement the proposed anonymous inner product broadcast encryption scheme and evaluate its performance. Test results show that the proposed scheme supports faster decryption and has higher efficiency.

1. Introduction

Broadcast encryption is an efficient way to enable secure group-oriented communication: confidential information is distributed over an open channel to a set of intended recipients selected by the sender. In a broadcast encryption scheme, the sender sends a ciphertext containing secret messages, and the ciphertext is readable only by privileged users. Broadcast encryption has been applied to various scenarios such as GPS, TV broadcasts, and radio broadcasts, and it may potentially be applied to the blockchain to perform one-to-many information exchange in some scenarios.

There are two types of broadcast encryption schemes in the literature: symmetric key broadcast encryption [1] and public key broadcast encryption [2]. In symmetric key broadcast encryption, a trusted center generates the private keys of all users and also broadcasts the messages to the intended recipients. Symmetric key broadcast encryption is therefore infeasible for most broadcast scenarios, because the trusted center is a single point of failure. In contrast, any user can be a sender in a public key broadcast encryption scheme, which overcomes the single-point-of-failure shortcoming of the symmetric key scheme. However, public key broadcast encryption schemes have certificate management problems.

Functional encryption (FE) [3] differs from traditional encryption. In traditional encryption, only the owners of legitimate keys are able to learn the whole underlying data by decrypting the ciphertext, while others obtain nothing. Functional encryption can control the amount of information in the ciphertext that is revealed to recipients. In particular, functional encryption for inner products (IPFE) enables a recipient holding the private key related to the vector to decrypt a ciphertext related to the vector and obtain only the inner product and nothing else. Inner product encryption is simple, but it provides a powerful function. IPFE has been suggested for application in many scenarios such as delegation of sensitive computation and biometric authentication [4–6]. In some application scenarios, besides the privacy of the encrypted messages, it is also significant to consider the privacy of the function being computed. Function hiding is an essential property of functional encryption: the secret key also hides the function , and no one can learn any unnecessary information about [7].

In recent years, the notion of inner product broadcast encryption has been proposed [8]. One might think of a trivial solution that first encrypts the message under the inner product encryption and then encrypts the resulting ciphertext with a broadcast encryption. However, this trivial solution has a security threat: if a recipient exposes the result it obtains from decrypting the broadcast encryption, whether on purpose or not, all users in the inner product encryption system would be able to calculate their inner product values with their private keys. Broadcast encryption for inner products avoids this threat. It combines the merits of broadcast encryption and inner product encryption. In an inner product broadcast encryption scheme, a recipient can only obtain the inner product associated with the encrypted message by providing its secret key during decryption, and the sender determines who can obtain the corresponding inner product value.

With the rapid development of information technology and the continuous emergence of new techniques such as the Internet of Things (IoT) and blockchain, broadcast encryption has been applied to these new scenarios to provide data security and to guarantee user privacy. In smart communities, it has been used by the information management center to send encrypted information to some units and individuals, which guarantees the secure transmission of information within the community [9]. In the blockchain, it has been applied to achieve group communication and to protect the privacy of transaction data in the system [10]. Inner product broadcast encryption can both determine who is able to obtain the plaintext and give further protection to the plaintext. We pay attention to the personal skill evaluation system introduced and described in [8]. For instance, a student’s grades of mathematics 90, communication 80, and programming 60 are represented by the private vector . If a company wants to know whether the student is suitable for an occupation, it can evaluate the student by computing the weighted average of the scores , where represents the weights assigned to each of the above scores.

1.1. Motivation

Broadcast encryption for the inner product has huge application potential. Some research works have been undertaken to provide inner product broadcast encryption schemes, but the present schemes also have some shortcomings. First, to the best of our knowledge, the existing schemes do not take the recipient’s identity privacy into consideration. Second, the existing scheme achieves only selective CPA security. Third, the heavy decryption cost and large public parameter size of the present schemes reduce the efficiency of applications in which the recipients’ computing ability is limited, and their authors do not implement the proposed schemes for performance evaluation. Finally, the existing scheme is constructed in the identity-based cryptosystem and thus has the key escrow problem: the key generation center is able to decrypt all encrypted messages in the system, unlike in certificate-based schemes [11]. Certificate-based broadcast encryption has attracted more and more attention [12, 13]. Its decentralized nature makes it more suitable for application in the blockchain, so we build our scheme in the certificate-based cryptosystem. The motivation of this paper is to build a more feasible inner product broadcast encryption scheme with the anonymity property. This new construction is also more suitable for scenarios in which the broadcast plaintext needs further protection. The goals of our scheme can be summarized as follows:
(i) In terms of security, we aim to provide adaptive CCA security in the random oracle model.
(ii) In terms of recipient privacy, we aim to provide anonymity: an encrypted broadcast message should hide who can access its contents, and even users in the intended recipient set are not able to recognize the other users’ identities.
(iii) In terms of efficiency, we aim for lower computational overhead in the proposed scheme.

1.2. Contribution

To summarize, we make the following contributions in this paper:
(i) We design an efficient certificate-based inner product broadcast encryption (CBBE-IP) with the anonymity property. Compared with the existing construction, the proposed anonymous scheme takes the recipient’s identity privacy into consideration. In the proposed scheme, a user cannot obtain the other recipients’ identities, not even from within the set of authorized recipients. It achieves stronger privacy protection.
(ii) We give formal proofs under the random oracle model that our construction is confidential and anonymous. It is secure under the adaptive chosen-ciphertext attack.
(iii) We give a theoretical analysis of our proposed scheme’s efficiency. We also implement both our scheme and the IBBE-IP scheme in Python and evaluate their performance. Experimental and theoretical analysis results show that the proposed scheme has higher efficiency, which enables faster decryption. In addition, our scheme has no restriction that the recipient number has to be less than the vector length .

1.3. Related Work

In recent years, great efforts have been devoted to constructing inner product encryption and broadcast encryption.

As for inner product encryption, Boneh et al. [3] undertook the formal study of functional encryption and gave precise definitions of the concept and of its security. Abdalla et al. [4] showed how to efficiently construct functional encryption for the inner product under standard assumptions. Chotard et al. [14] introduced a primitive called decentralized multiclient functional encryption (DMCFE), which combines techniques from private stream aggregation (PSA) and functional encryption for the inner product. The scheme can be applied in situations where multiple parties noninteractively share and update data.

Considering function privacy, the notion of predicate privacy was first proposed by Shen et al. [15]. Since then, function-hiding inner product encryption has been deeply researched in numerous papers. Bishop et al. [7] gave a construction of secret-key function-hiding inner product encryption under the symmetric external Diffie–Hellman (SXDH) assumption in a quite weak and unrealistic security model. Datta et al. [16] proposed a simple and efficient private key IPE that achieves the strongest indistinguishability-based notion under the SXDH assumption. Benhamouda et al. [17] proposed a generic construction of IND-CCA inner-product functional encryption from projective hash functions with homomorphic properties. Zhang et al. [18] proposed a generic construction of functional encryption for inner products that is IND-CCA secure. Abdalla et al. [19] proposed a surprisingly simple and efficient methodology to convert single-input IPE schemes into multi-input functional encryption (MIFE) schemes with the same functionality. Datta et al. [20] developed two nongeneric and practically efficient private key inner product MIFE schemes that were the first to simultaneously achieve message and function privacy. Wang et al. [21] proposed two adaptively CCA-secure functional encryption schemes, in the PKE and SKE settings, respectively. Kim et al. [5] focused on the practical applications of the above schemes; they proposed a fully secure, function-hiding inner product encryption scheme with obviously shorter secret keys and ciphertexts compared with the existing schemes.

As for broadcast encryption, Fiat and Naor [1] gave the primitive formal definition of broadcast encryption which was a kind of symmetric key broadcast encryption. Naor and Pinkas [2] proposed the first public key broadcast encryption. Gay et al. [22] constructed a new scheme which was the first public key broadcast encryption scheme with constant size of the ciphertext and secret keys.

There have been considerable efforts devoted to building broadcast encryption with various functions, such as identity-based broadcast encryption (IBBE), attribute-based broadcast encryption (ABBE), and certificate-based broadcast encryption (CBBE). Delerablée [23] gave the first scheme with constant-size private keys and ciphertexts; it is an identity-based broadcast encryption scheme with selective CPA security. Jiang et al. [24] proposed a keyword search identity-based broadcast encryption secure against insider attacks for cloud database systems. Lubicz and Sirvent [25] put forward the concept of attribute-based broadcast encryption by describing the group of privileged users through attributes, which allows one to select or revoke users. Xiong et al. [26] proposed a ciphertext-policy attribute-based encryption (CP-ABE) that, for the first time, realized partial policy hiding, direct revocation, and secure delegation simultaneously in edge computing. There have also been many more recent studies considering ABBE in many fields [27, 28]. Barth et al. [29] took user anonymity into consideration in broadcast encryption and put forward the concept of privacy in broadcast encryption schemes; their scheme does not reveal the intended recipients’ identities. Sur et al. [30] constructed the first certificate-based multireceiver encryption, without formal security definitions and proofs. Then, Fan et al. [12] proposed an anonymous CBBE which defined the security models and offered formal proofs for all properties including anonymity; however, it only achieves CPA security and has an expensive decryption cost. Zhu et al. [31] proposed adaptive security in the multichallenge setting with a constant-size ciphertext header, which is a strong security notion for broadcast encryption. Li et al. [32] put forward an anonymous CBBE scheme with constant decryption cost and adaptive CCA security. The CBBE construction avoids the key escrow problem of identity-based broadcast encryption. Deng [9] constructed an anonymous certificateless multireceiver encryption scheme for smart community management systems.

Jin and Yu-pu [33] proposed the notion of broadcast encryption for inner product predicate encryption under the standard model in 2012; in that scheme, the intended recipients output the plaintext via decryption. Then, Lai et al. [8] constructed the first broadcast encryption for inner product scheme (IBBE-IP) under the random oracle model in 2018. It combines the IBBE scheme [23] and the inner product encryption (IPE) scheme [4], outputs the real value of the inner product to the user via decryption, and is a special functional encryption with potential practical applications. However, neither the existing inner product broadcast encryption scheme nor the inner product predicate broadcast encryption scheme takes the users’ identity privacy into consideration. In this paper, we explore how to construct a more efficient and secure inner product broadcast encryption scheme in order to extend its application scenarios.

1.4. Organization

We first recall some necessary preliminaries in Section 2, and then in Section 3, we describe the formal definitions and security model of our broadcast encryption scheme. In Section 4, we give the concrete construction of our scheme. We give the detailed security proof in Section 5. We then implement our broadcast encryption scheme and analyze its performance in Section 6. Conclusions are drawn in Section 7 where we also suggest further work.

2. Preliminaries

2.1. Notations

Notations in this paper are presented in Table 1.

Suppose that the sender distributes secret messages to a certain set of recipients. Let denote the number of intended recipients in set , and let vector length denote the length of vectors and .

2.2. Bilinear Groups

Let and be two cyclic groups with prime order . is the generator of group , and . The symmetric bilinear group has the following properties:
(1) The map is bilinear: for all and , we have that .
(2) The map is nondegenerate: .
(3) There exists an efficient algorithm to compute for any .

We also briefly review the definition of vectors of group elements [34]. Let be a cyclic group of prime order , be an element of group , and vector , where is a natural number. Let denote the vector of group elements . For any scalar and , let

2.3. Security Assumption

Definition 1. (discrete logarithm (DL) problem). Given , the DL problem in is to find (if it exists) such that . The advantage of any probabilistic polynomial-time (PPT) algorithm in solving the DL problem in is defined as . The DL assumption is that, for any PPT algorithm is negligible.

Definition 2. (computational bilinear Diffie–Hellman (CBDH) problem). Given for unknown , the CBDH problem in is to compute . The advantage of any probabilistic polynomial-time (PPT) algorithm in solving the CBDH problem in is defined as . The CBDH assumption is that, for any PPT algorithm is negligible.

2.4. IND-CCA Security of Inner Product Encryption

We review the IND-CCA security of inner product encryption [18]. Security against chosen-ciphertext attacks is defined via a game played by an adversary and a challenger . An inner product encryption scheme is indistinguishable under adaptive chosen-ciphertext attacks if is negligible for every adversary winning Game 1 in polynomial time. The advantage of winning Game 1 is . Game 1 is described as follows:
(1) The challenger runs the Setup to generate public parameters and master secret key . Then, it sends to the adversary .
(2) The adversary adaptively queries the key generation oracle for the functional secret key , with the restriction that can only query secret keys for which , where and are the target plaintexts. can also ask to decrypt a ciphertext to obtain via the decryption oracle.
(3) The adversary outputs two target plaintexts and .
(4) The challenger randomly selects a bit and generates a target ciphertext . Then, passes to the adversary .
(5) The adversary can continue to query the key generation oracle with the same restriction as before. can also query the decryption oracle, with the restriction that cannot query the target ciphertext .
(6) The adversary outputs a bit , and wins if .

2.5. Certificate-Based Broadcast Encryption

The certificate-based broadcast encryption scheme [12, 32] contains the following algorithms:
(i) Setup : it inputs the security parameter and outputs the public parameters and the master secret key .
(ii) KeyGen : it inputs the public parameters and identity information . This algorithm outputs a key pair .
(iii) Certify : it inputs the public parameters , master secret key , identity information , and public key . The algorithm outputs a certificate .
(iv) Encrypt : it inputs the public parameters , an intended recipient set , a public key , and a message . The algorithm outputs a ciphertext .
(v) Decrypt : it inputs the public parameters , a secret key , a ciphertext , identity information , and a certificate . A user in the intended recipient set outputs the message .

2.6. Inner Product Encryption

We briefly recall the definition of the secret-key inner product encryption scheme [5]:
(i) Setup : it inputs a security parameter and a set . Setup outputs the public parameters and the master secret key .
(ii) KeyGen : it inputs the master secret key and a vector . KeyGen outputs the functional secret key .
(iii) Encrypt : it inputs the secret key , a vector , and . Encrypt outputs a ciphertext .
(iv) Decrypt : it inputs the public parameters , a secret key , and a ciphertext . Decrypt outputs a message or .

As we can see from the above definition of the inner product encryption scheme, secret keys are associated with the vector , and the encrypted message is associated with the vector . Given a secret key for and the ciphertext for , the recipient obtains the inner product value via decryption. Note that the inner product encryption used in our scheme is different from the inner product predicate encryption scheme proposed by Okamoto and Takashima [35]. In an inner product predicate encryption scheme, a message is encrypted with a tag , and the decryption key is associated with the vector . The recipient can recover the message only if .

3. Formal Definition and Security Model

3.1. Formal Definition

The system model of our proposed scheme is shown in Figure 1. The formal definition of our scheme is as follows:
(i) Setup : it inputs a security parameter and the vector length . This algorithm outputs public parameters and master secret key . The certificate authority (CA) runs this algorithm. It publishes and keeps .
(ii) KeyGen : it inputs public parameters , a vector , and an identity . is kept secret and is not allowed to be known by others. It outputs secret keys in addition to public keys . This algorithm is executed by users.
(iii) CertGen : it inputs public parameters , a master secret key , a user’s identity , and public keys and . It outputs certificate . This algorithm is executed by the CA. Users obtain their certificates from the CA. The certificate is anonymous in the sense that no one except the CA is able to obtain the user identity from its certificate. The certificate plays the role of a portion of the user’s keys. Though the CA generates the certificate for each user, it is not able to decrypt the ciphertext.
(iv) Encrypt : it inputs public parameters , a vector as the plaintext, the intended recipient set , and public keys and . It outputs ciphertext . This algorithm is executed by the sender.
(v) Decrypt : it inputs public parameters , a ciphertext , a user identity , a certificate , and secret keys and . If is an intended recipient, it obtains the inner product value corresponding to the related message. Otherwise, it outputs .

3.2. Security Model

The security of our proposed scheme requires confidentiality and anonymity. Confidentiality means that, for an encrypted message associated with , only the intended recipients in can obtain by decrypting with their secret keys associated with . We define the confidentiality of our proposed scheme via IND-CBIP-CCA Game 1 and IND-CBIP-CCA Game 2. Anonymity means that no user, not even a user in , is able to recognize who the intended recipients are. In our scheme, the vector is kept secret by its user and cannot be learned by others, although it may be related to the user’s identity information; we therefore do not consider it in the anonymity games. In contrast, the user identifier is public, so we do consider the user identifier in the anonymity games. We define the anonymity of our proposed scheme via ANO-CBIP-CCA Game 1 and ANO-CBIP-CCA Game 2.

The security model of our proposed scheme involves two adversaries, and . is an uncertified user with no access to the master key. It can replace any user’s public key and query any user’s secret key. can also query any user’s certificate except the target user’s certificate, and it can make decryption queries on any broadcast ciphertext except the target broadcast ciphertext. is a malicious certifier that holds the master key and can therefore generate any user’s certificate. is not able to replace any user’s public key, but it can query any user’s secret key except the target user’s, and it can also make decryption queries on any broadcast ciphertext except the target broadcast ciphertext.

IND-CBIP-CCA Game 1 is played by a challenger and an adversary .

Setup: runs the Setup algorithm, gives the generated public parameters to , and keeps the generated master secret key to itself.

Phase 1: adaptively launches the following queries to . maintains a list in order to answer the queries. We denote public key and secret key . If , has not been replaced by , while means that has replaced . is empty when it is initialized.
(i) Public keys’ query: on inputting , retrieves . If there is an item related to in , returns the corresponding to . Otherwise, runs and generates and for . It adds the new item to and returns to .
(ii) Public keys’ replacing query: on inputting and a public key randomly chosen by , updates the item related to in .
(iii) Secret keys’ query: on inputting , searches the item related to in . If , returns . Otherwise, it returns to .
(iv) Certificate query: on inputting , searches the item in . Then, it executes and returns the generated to .
(v) Decrypt query: on inputting and ciphertext , searches the item in . If , has replaced , and it must provide the corresponding of . executes and generates of . Then, executes to decrypt . It sends the decryption result to .

Challenge: sends a challenge recipient set , two distinct messages and , and then . It sends to with the constraint that, in Phase 1, neither queried of in nor replaced of for in . selects a bit at random. Then, it executes and returns the generated challenge ciphertext to .

Phase 2: issues a set of queries adaptively as in Phase 1. However, it is forbidden to query of in or the decryption of in .

Guess: outputs a guess . It wins the game if . We define ’s advantage in winning IND-CBIP-CCA Game 1 against the scheme as .

Definition 3. We say that our proposed scheme is IND-CBIP-CCA secure if is satisfied for any PPT adversary .

IND-CBIP-CCA Game 2 is played by a challenger and an adversary .

Setup: runs the Setup algorithm and gives the generated public parameters and the generated master secret key to .

Phase 1: adaptively launches the following queries to . maintains a list for answering the queries. We denote and . is empty when it is initialized.
(i) Public keys’ query: on inputting , retrieves . If there is an item related to in , returns the corresponding to . Otherwise, it runs and generates and for . Then, it adds the new item to and returns to .
(ii) Secret keys’ query: on inputting , searches the item related to in and returns to .
(iii) Decrypt query: on inputting and ciphertext , searches the item in , executes , and generates of . Then, executes to decrypt . It sends the decryption result to .

Challenge: sends a challenge recipient set , two distinct messages and , and then . It sends to with the constraint that has not queried of in in Phase 1. selects a bit at random. Then, it executes and returns the generated challenge ciphertext to .

Phase 2: issues a set of queries adaptively as in Phase 1. However, it is forbidden to query of in or the decryption of in .

Guess: outputs a guess . It wins the game if . We define ’s advantage in winning IND-CBIP-CCA Game 2 against the scheme as .

Definition 4. We say that our proposed scheme is IND-CBIP-CCA secure if is satisfied for any PPT adversary .

ANO-CBIP-CCA Game 1 is played by a challenger and an adversary .

Setup: runs the Setup algorithm, gives the generated public parameters to , and keeps the generated master secret key to itself.

Phase 1: adaptively launches the following queries to . maintains a list in order to answer the queries. We denote public key and secret key . If , has not been replaced by , while means that has replaced . is empty when it is initialized.
(i) Public keys’ query: on inputting , retrieves . If there is an item related to in , returns the corresponding public key to . Otherwise, runs and generates and for . It adds the new item to and returns to .
(ii) Public keys’ replacing query: on inputting and a public key randomly chosen by , updates the item related to in .
(iii) Secret keys’ query: on inputting , searches the item related to in . If , returns . Otherwise, it returns to .
(iv) Certificate query: on inputting , searches the item in . Then, it executes and returns the generated certificate to .
(v) Decrypt query: on inputting and ciphertext , searches the item in . If , has replaced , and it must provide the corresponding of to . executes and generates of . Then, it runs to decrypt and sends the decryption result to .

Challenge: sends a challenge recipient set , two user identities , and a message to , with the constraint that, in Phase 1, neither queried of in nor replaced of in . selects a bit at random and sets . Then, it executes and returns the generated challenge ciphertext to .

Phase 2: issues a set of queries adaptively as in Phase 1, with the constraint that it is not able to query of in or the decryption of in .

Guess: outputs a guess . It wins the game if . We define ’s advantage in winning ANO-CBIP-CCA Game 1 against the scheme as .

Definition 5. We say that our proposed scheme is ANO-CBIP-CCA secure if is satisfied for any PPT adversary .

ANO-CBIP-CCA Game 2 is played by a challenger and an adversary .

Setup: runs the Setup algorithm and gives the generated public parameters and the generated master secret key to .

Phase 1: adaptively launches the following queries to . maintains a list for answering the queries. We denote and . is empty when it is initialized.
(i) Public keys’ query: on inputting , retrieves . If there is an item related to in , returns the corresponding to . Otherwise, runs and generates and for . It adds the new item to and returns to .
(ii) Secret keys’ query: on inputting , searches the item related to in and returns to .
(iii) Decrypt query: on inputting and ciphertext , searches the item in . It executes and generates for . Then, executes to decrypt . It sends the decryption result to .

Challenge: sends a challenge recipient set , two user identities , and a message to , with the constraint that has not queried of in in Phase 1. selects a bit at random and sets . Then, it executes and returns the generated challenge ciphertext to .

Phase 2: issues a set of queries adaptively as in Phase 1, with the constraint that it is not able to query of in or the decryption of in .

Guess: outputs a guess . It wins the game if . We define ’s advantage in winning ANO-CBIP-CCA Game 2 against the scheme as .

Definition 6. We say that our proposed scheme is ANO-CBIP-CCA secure if is satisfied for any PPT adversary .

4. Our Certificate-Based Inner Product Broadcast Encryption Scheme

In this section, we present the concrete construction of our proposed scheme as follows.

Setup : taking the security parameter and the vector length as the input, the CA performs the following tasks:
(1) Generate symmetric cyclic bilinear groups and with order . The large prime is bits long. is a generator of group , is a bilinear map, and .
(2) Choose randomly. Calculate .
(3) Select four cryptographic hash functions of the forms , , , and .
(4) Keep secret and publish the public parameters .

KeyGen : taking the public parameters , a vector , and an identity as the input, the user randomly chooses . It has . It generates secret keys and public keys by the following steps:
(1) Calculate and as secret keys.
(2) Compute and as public keys.

CertGen : taking public parameters , a master secret key MSK, a user’s identity , and public keys and as the input, the CA computes and . The user checks whether its Certi is valid: if e(g, Certi) = e(g1, Qi), Certi is valid.

Encrypt : taking the public parameters , a vector , the intended recipient set , and public keys and as the input, the sender executes the algorithm to output a ciphertext . We suppose S = {ID1, ID2,..., IDn}.

First, the sender computes Qi = H1 (IDi, K1i, K2i) and Ri = H2 (IDi, K1i, K2i, ) for every intended recipient .

Next, the sender chooses and at random. It selects at random and computes .

Then, the sender computes ciphertext as shown in equations:

Decrypt : taking the public parameters , a ciphertext , a user’s identity , a certificate , and secret keys and as the input, the user performs the following steps.

First, the user calculates

Next, the user computes . If the user is not an intended recipient, it is not able to find the same value in and is not able to determine the corresponding and of . Then, it outputs . Otherwise, the user utilizes to locate its associated by relationships among , , and in .

Then, the user computes and .

Then, the user calculates as the following:

Finally, if , the user calculates which satisfies . Let be a polynomial-sized subset of . If there exists , the algorithm outputs . Otherwise, it outputs .

Correctness: our proposed scheme is said to satisfy the correctness condition if the following equation holds:

Meanwhile, it requires the plaintext vectors to satisfy , for polynomially sized .

For any and , we have

If , the decryption algorithm outputs inner product value by the baby-step giant-step algorithm. It is efficient since .
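The last step of Decrypt recovers the inner product from a target-group element by baby-step giant-step, which is practical only because the inner product is restricted to a polynomially sized range. The following is an added example, not the paper's code: it uses a multiplicative group modulo a prime as a stand-in for the pairing target group (an assumption; the algorithm is group-agnostic), searches a signed window [-bound, bound] rather than only non-negative values, and returns None in place of the paper's ⊥ when no candidate matches.

```python
# Added example (not from the paper): baby-step giant-step recovery of a
# small inner product value, standing in for the final step of Decrypt.
# Assumption: a multiplicative group modulo a prime replaces the pairing
# target group G_T; only group multiplication and inversion are used.
from math import isqrt
from typing import List, Optional

# Constructed toy parameters (not from the paper). 5 generates a subgroup
# of Z_P^* whose order is far larger than any search window used here.
P = 1_000_000_007
G = 5


def bsgs_small_exponent(g: int, target: int, p: int,
                        lo: int, hi: int) -> Optional[int]:
    """Return x in [lo, hi] with g^x = target (mod p), or None if absent.

    Cost is O(sqrt(hi - lo)) group operations and O(sqrt(hi - lo)) memory,
    which is why a polynomially sized range makes this step efficient.
    """
    if lo > hi:
        return None
    n = hi - lo + 1                 # size of the search window
    m = isqrt(n) + 1                # baby-step count; m * m > n
    # Shift the target so that we look for y = x - lo in [0, n).
    shifted = target * pow(g, -lo, p) % p
    # Baby steps: table of g^j for j in [0, m).
    baby = {}
    cur = 1
    for j in range(m):
        baby.setdefault(cur, j)
        cur = cur * g % p
    # Giant steps: multiply by g^{-m} until a baby-step value is hit.
    step = pow(g, -m, p)
    gamma = shifted
    for i in range(m):
        j = baby.get(gamma)
        if j is not None:
            y = i * m + j
            if y < n:
                return lo + y
        gamma = gamma * step % p
    return None


def inner_product(x: List[int], y: List[int]) -> int:
    """Plain integer inner product of two equal-length vectors."""
    if len(x) != len(y):
        raise ValueError("vector lengths differ")
    return sum(a * b for a, b in zip(x, y))


def encode_inner_product(x: List[int], y: List[int],
                         g: int = G, p: int = P) -> int:
    """Stand-in for the group element g_T^{<x, y>} that Decrypt ends up with."""
    return pow(g, inner_product(x, y), p)


def recover_inner_product(element: int, bound: int,
                          g: int = G, p: int = P) -> Optional[int]:
    """Final Decrypt step: output <x, y> if it lies in [-bound, bound], else None."""
    return bsgs_small_exponent(g, element, p, -bound, bound)


if __name__ == "__main__":
    x = [3, -1, 4, 1, 5]
    y = [2, 7, -1, 8, 0]
    elem = encode_inner_product(x, y)
    print(recover_inner_product(elem, 1000))   # 3
    print(recover_inner_product(elem, 2))      # None: 3 is outside [-2, 2]
```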

5. Security Analysis

Now, we prove the confidentiality and anonymity of our scheme through the security models defined in Section 3. Our proof strategy draws inspiration from the CBBE scheme [32]. First, the confidentiality of our scheme will be proved through IND-CBIP-CCA Game 1 and IND-CBIP-CCA Game 2 defined in Section 3.

Theorem 1. Suppose that hash functions are random oracles and is able to launch queries to , queries to , and queries to , respectively. It has advantage over our proposed scheme in IND-CBIP-CCA Game 1. Then, there exists an algorithm to solve the CBDH problem with the advantage at least .

Proof. Suppose that there exists an adversary that can break the proposed scheme in IND-CBIP-CCA Game 1 with advantage . We build an algorithm to solve the CBDH problem by running . Given as the input a problem instance , needs to simulate a challenger and all oracles. It works as follows.
Setup: executes the algorithm and outputs . We note that is the generator of , and . Then, computes and picks index at random. controls random oracles . It also publishes system public parameters and keeps master secret key .
query: makes the query adaptively. responds to ’s query on as shown below. maintains the list . If the query appears on in an item , it returns corresponding to . Otherwise, if the query is on , sets , returns to , and adds to . Note that . Otherwise, does the following things:
(1) Select at random. Let and .
(2) Add the tuple to and respond with to .
query: makes the query adaptively. makes a response to ’s query on as shown below. maintains the list . If the query appears on in an item , it returns corresponding to . Else, picks at random and calculates , and then adds to and responds to with .
query: makes the query adaptively. responds to ’s query on as shown below. maintains the list . If the query appears on in an item , returns corresponding to . Otherwise, picks at random, adds to , and responds to with .
query: makes the query adaptively. responds to ’s query on as shown below. maintains the list . If the query appears on in an item , returns corresponding to . Otherwise, picks at random, adds to , and returns to .
query: makes the query adaptively. responds to ’s query on as shown below. If the query is already on in an item , returns corresponding to . Otherwise, randomly picks and , and then it computes and as secret keys. It computes and as public keys, and then it adds to and responds to with .
query: makes the query adaptively. On receiving the query on , retrieves items related to in and updates the item to .
query: makes the query adaptively. On receiving the query on , searches the entry of . If , returns to . Otherwise, aborts.
query: makes the query adaptively. On receiving the query on , if , aborts. Otherwise, searches the item of and responds to with .
query: makes the query adaptively by submitting and to . We note that and . responds to the query from on as shown in the following:
(1) searches item of list . If the user of is not an intended recipient, it rejects the query.
(2) If is in the intended recipient set and , searches the list to find the entry that satisfies and . If there is no item that satisfies the condition, discards and aborts. Else, responds to with .
(3) If is not in the intended recipient set and , should give corresponding to of . Then, checks whether and hold. If not, aborts. Otherwise, searches to find the entry that satisfies and . If there is no item that satisfies the condition, rejects the query. Otherwise, it returns to the adversary .
(4) Otherwise, obtains and which are related to , and then executes and responds to with the result.
Phase 1: during this phase, issues the above queries launched by adaptively. For responding to the queries, maintains a list , which is initially empty. represents that has not been replaced by . Otherwise, means that has made replacement of .
Challenge: submits the intended recipient set , two distinct messages and , and then . It sends to the challenger , with the requirement that, in Phase 1, it neither obtained certificates of users in nor made replacement of for in . Then, randomly selects a value . If is not in , aborts. Else, sets and chooses , , , and at random. Then, the challenge broadcast ciphertext is returned to .
Phase 2: issues a series of queries adaptively. However, it cannot issue queries for certificates or decryption of in .
Guess: outputs a guess for . It wins the game if . For , the description of is shown as follows. To produce the result, should calculate and correctly. chooses an item from at random and searches from the item . To solve the CBDH problem, computes as the solution.
If and , then and . can extract the solution .
Analysis: then, we analyze the probability that the given CBDH problem can be solved by the challenger .
If does not abort during the game, then ’s view is identical to its view in the real scheme. Furthermore, we have . The game may be aborted before it finishes. Let Abort denote the event that the game is aborted before it finishes. Event Abort occurs in any of the following cases. is not in during the Challenge phase. We have . aborts in the period that is given to . We have . issues query on . We have . issues query on , and has made replacement of for . If occurs, then also occurs. So, .
Let Oca denote . So, we have and . By the definition of the probability for in IND-CBIP-CCA Game 1, we have . So, we have . Finally, selects the correct item from with probability . Consequently, ’s advantage is at least as required.

Theorem 2. Suppose that hash functions are random oracles and is able to launch queries to , queries to , queries to , and to functions , respectively. It has advantage over our proposed scheme in IND-CBIP-CCA Game 2. Then, there exists an algorithm to solve the CBDH problem with the advantage at least .

Proof. Suppose that there exists an adversary that can break the proposed scheme in IND-CBIP-CCA Game 2 with advantage . We build an algorithm to solve the CBDH problem by running . Given as the input a problem instance , needs to simulate a challenger and all oracles. It works as follows.
Setup: executes the algorithm and outputs . We note that is the generator of and . Then, computes and picks index at random. controls random oracles . It also publishes system public parameters and gives master secret key to . Random oracles are controlled by .
query: makes the query adaptively. makes a response to ’s query on as shown below. It maintains the list . If the query appears on in an item , it returns corresponding to . Else, chooses at random. Then, it adds to and responds with to .
query: makes the query adaptively. makes a response to ’s query on as shown below. maintains the list . If the query appears on in an item , it returns corresponding to . Else, if , it sets , returns to , and adds to . Note that . Otherwise, randomly selects . It adds to the list and responds with to .
query: makes the query adaptively. responds to ’s query on as shown below. maintains the list . If the query appears on in an item , returns corresponding to . Otherwise, picks at random, adds to , and responds to with .
query: makes the query adaptively. makes a response to ’s query on as shown below. has the list . If the query appears on in an item , returns corresponding to . Otherwise, picks at random, adds to , and returns to .
query: makes the query adaptively. makes a response to ’s query on as shown below. If the query appears on in an item , returns related to . Otherwise, if the query is on , randomly selects . Then, it returns and to and adds to , while . The secret key is unknown to . Else, randomly picks and , and then computes and as secret keys. It computes and as public keys, and then it adds to and returns to .
query: makes the query adaptively. On receiving the query on , if , aborts. Otherwise, searches the entry of in and returns to .
query: makes the query adaptively by submitting and to . We note that and . makes a response to the query from on as shown in the following:
(1) searches item of list . If the user of is not an intended recipient, it rejects the query.
(2) If is in the intended recipient set, searches to find the entry that satisfies and . If there is no item that satisfies the condition, rejects the query. Otherwise, it returns to the adversary .
(3) Otherwise, obtains and which are related to , and then executes and responds to with the result.
Phase 1: during this phase, issues the above queries launched by adaptively. For responding to the queries, maintains a list , which is initially empty.
Challenge: when decides that Phase 1 is over, it submits the intended recipient set , two distinct messages and , and then . It sends to the challenger , with the requirement that, in Phase 1, it has not obtained of in . Then, selects a random value . If is not in , aborts. Else, it sets and chooses , , , and at random. Then, the challenge broadcast ciphertext is returned to the adversary .
Phase 2: issues a set of queries adaptively. However, it cannot issue queries for of in or decryption of in .
Guess: outputs a guess for . It wins the game if . For , the description of is shown as follows. To produce the result, should calculate and correctly. chooses an item from at random and searches from the item . To solve the CBDH problem, computes as the solution.
If and , then and . can extract the solution .
Analysis: then, we analyze the probability that the given CBDH problem can be solved by the challenger .
If does not abort during the game, then ’s view is identical to its view in the real scheme. Furthermore, we have . The game may be aborted before it finishes. Let Abort denote the event that the game is aborted before it finishes. Event Abort occurs in any of the following cases. The adversary queries the oracle on the user . We have . aborts in the period that is given to . We have . is not in during the Challenge phase. We have . So, we have that .
Let Oca denote . So, we have and . By the definition of the advantage for in IND-CBIP-CCA Game 2, we have . So, we have . Finally, selects the correct item from with probability . Consequently, ’s advantage is at least as required.

Next, the anonymity of our scheme will be proved through ANO-CBIP-CCA Game 1 and ANO-CBIP-CCA Game 2 defined in Section 3.

Theorem 3. Suppose that hash functions are random oracles and is able to launch queries to and queries to functions , respectively. It has advantage over our proposed scheme in ANO-CBIP-CCA Game 1. Then, there exists an algorithm to solve the CBDH problem with the advantage at least .

Proof. Suppose that there exists an adversary that can break the proposed scheme in ANO-CBIP-CCA Game 1 with advantage . We build an algorithm to solve the CBDH problem by running . Given as the input a problem instance , needs to simulate a challenger and all oracles. It works as follows.
Setup: executes the algorithm and outputs . We note that is the generator of and . Then, computes and picks index at random. controls random oracles . It also publishes system public parameters and keeps master secret key .
query: makes the query adaptively. responds to ’s query on as shown below. maintains the list . If the query appears on in an item , it returns corresponding to . Otherwise, if the query is on , sets , returns to , and adds to . Note that . Otherwise, does the following things:
(1) Select at random. Let and .
(2) Add the tuple to and respond with to .
query: makes the query adaptively. makes a response to ’s query on as shown below. maintains the list . If the query appears on in an item , it returns corresponding to . Else, picks at random and calculates , and then adds to and responds to with .
query: makes the query adaptively. responds to ’s query on as shown below. maintains the list . If the query appears on in an item , returns corresponding to . Otherwise, picks at random, adds to , and responds to with .
query: makes the query adaptively. responds to ’s query on as shown below. maintains the list . If the query appears on in an item , returns corresponding to . Otherwise, picks at random, adds to , and returns to .
query: makes the query adaptively. responds to ’s query on as shown below. If the query is already on in an item , returns corresponding to . Otherwise, randomly picks and , and then it computes and as secret keys. It computes and as public keys, and then it adds to and responds to with .
query: makes the query adaptively. On receiving the query on , retrieves items related to in and updates the item to .
query: makes the query adaptively. On receiving the query on , searches the entry of . If , returns to . Otherwise, aborts.
query: makes the query adaptively. On receiving the query on , if , aborts. Otherwise, searches the item of and responds to with .
query: makes the query adaptively by submitting and to . We note that and . responds to the query from on as shown in the following:
(1) searches item of list . If the user of is not an intended recipient, it rejects the query.
(2) If is in the intended recipient set and , searches list to find the entry that satisfies and . If there is no item that satisfies the condition, discards and aborts. Else, responds to with .
(3) If is not in the intended recipient set and , should give corresponding to of . Then, checks whether and hold. If not, aborts. Otherwise, searches to find the entry that satisfies and . If there is no item that satisfies the condition, rejects the query. Otherwise, it returns to the adversary .
(4) Otherwise, obtains and which are related to , and then executes and responds to with the result.
Phase 1: during this phase, issues the above queries launched by adaptively. For responding to the queries, maintains a list , which is initially empty. represents that has not been replaced by . Otherwise, means that has made replacement of .
Challenge: submits the intended recipient set , message , and two user identities to the challenger , with the requirement that, in Phase 1, it neither obtained certificates of users in nor made replacement of for in . Then, randomly selects a value and sets . If is not in , aborts. Else, sets and chooses , , , and at random. Then, the challenge broadcast ciphertext is returned to .
Phase 2: issues a series of queries adaptively. However, it cannot issue queries for certificates or decryption of in .
Guess: outputs a guess for . It wins the game if . For , the description of is shown as follows. To produce the result, should calculate and correctly. chooses an item from at random and searches from the item . To solve the CBDH problem, computes as the solution.
If and , then and . can extract the solution .
Analysis: then, we analyze the probability that the given CBDH problem can be solved by the challenger .
If does not abort during the game, then ’s view is identical to its view in the real scheme. Furthermore, we have . The game may be aborted before it finishes. Let Abort denote the event that the game is aborted before it finishes. Event Abort occurs in any of the following cases. is not in during the Challenge phase. We have . aborts in the period that is given to . We have . issues query on . We have . issues query on , and has made replacement of Ki for IDi. If occurs, then also occurs. So, .
Let Oca denote . So, we have and . By the definition of the probability for in ANO-CBIP-CCA Game 1, we have . So, we have . Finally, selects the correct item from with probability . Consequently, ’s advantage is at least as required.

Theorem 4. Suppose that hash functions are random oracles and is able to launch queries to , queries to , queries to , and to functions , respectively. It has advantage ε over our proposed scheme in ANO-CBIP-CCA Game 2. Then, there exists a PPT algorithm to solve the CBDH problem with the advantage at least .

Proof. Suppose that there exists an adversary that can break the proposed scheme in ANO-CBIP-CCA Game 2 with advantage . We build an algorithm to solve the CBDH problem by running . Given as the input a problem instance , needs to simulate a challenger and all oracles. It works as follows.
Setup: executes the algorithm and outputs . We note that is the generator of and . Then, computes and picks index at random. controls random oracles . It also publishes system public parameters and gives master secret key to . Random oracles are controlled by .
query: makes the query adaptively. makes a response to ’s query on as shown below. It maintains the list . If the query appears on in an item , it returns corresponding to . Else, chooses at random. Then, it adds to and responds with to .
query: makes the query adaptively. makes a response to ’s query on as shown below. maintains the list . If the query appears on in an item , it returns corresponding to . Else, if , it sets , returns to , and adds to . Note that . Otherwise, randomly selects . It adds to the list and responds with to .
query: makes the query adaptively. responds to ’s query on as shown below. maintains the list . If the query appears on in an item , returns corresponding to . Otherwise, picks at random, adds to LH3 and responds to with .
query: makes the query adaptively. makes a response to ’s query on as shown below. has the list . If the query appears on in an item , returns corresponding to . Otherwise, picks at random, adds to , and returns to .
query: makes the query adaptively. makes a response to ’s query on as shown below. If the query appears on in an item , returns related to . Otherwise, if the query is on , randomly selects . Then, it returns and to and adds to while . The secret key is unknown to . Else, randomly picks and , and then computes and as secret keys. It computes and as public keys, and then it adds to and returns to .
query: makes the query adaptively. On receiving the query on , if , aborts. Otherwise, searches the entry of in and returns to .
query: makes the query adaptively by submitting and to . We note that and . makes a response to the query from on as shown in the following:
(1) searches item of list . If the user of is not an intended recipient, it rejects the query.
(2) If is in the intended recipient set, searches to find the entry that satisfies and . If there is no item that satisfies the condition, rejects the query. Otherwise, it returns to the adversary .
(3) Otherwise, obtains and which are related to , and then executes and responds to with the result.
Phase 1: during this phase, issues the above queries launched by adaptively. For responding to the queries, maintains a list , which is initially empty.
Challenge: when decides that Phase 1 is over, it submits the intended recipient set , two distinct messages and , and then . It sends to the challenger , with the requirement that, in Phase 1, it has not obtained of in . Then, selects a random value . If is not in , aborts. Else, it sets and chooses , , and at random. Then, the challenge broadcast ciphertext is returned to the adversary .
Phase 2: issues a set of queries adaptively. However, it cannot issue queries for of in or decryption of in .
Guess: outputs a guess for . It wins the game if . For , the description of is shown as follows. To produce the result, should calculate and correctly. chooses an item from at random and searches from the item . To solve the CBDH problem, computes as the solution.
If and , then and . can extract the solution .
Analysis: then, we analyze the probability that the given CBDH problem can be solved by the challenger .
If does not abort during the game, then ’s view is identical to its view in the real scheme. Furthermore, we have . The game may be aborted before it finishes. Let Abort denote the event that the game is aborted before it finishes. Event Abort occurs in any of the following cases. The adversary queries the oracle on the user . We have . aborts in the period that is given to . We have . is not in during the Challenge phase. We have . So, we have that .
Let Oca denote . So, we have and . By the definition of the advantage for in ANO-CBIP-CCA Game 2, we have . So, we have . Finally, selects the correct item from with probability . Consequently, ’s advantage is at least as required.

6. Implementation and Evaluation

6.1. Theoretical Analysis

In Table 2, we give analytical measurements for public parameters’ size, user secret keys’ size, ciphertext size, encryption cost, and decryption cost of the IBBE-IP scheme [8] and the proposed scheme.

Table 2 shows that our scheme has a significant advantage over the IBBE-IP scheme on decryption cost. The decryption cost of our scheme is which is constant, while the decryption cost of the IBBE-IP scheme is which grows multiplicatively in and d. Our scheme also optimizes the public parameters’ size for the reason that our public parameters’ size is constant, while the IBBE-IP scheme is linear with n.

As for the ciphertext size, the ciphertext size of our scheme is linear with the number of recipients n, while the ciphertext size of the IBBE-IP scheme is linear with the vector length d. However, there is a restriction in IBBE-IP that the recipient number has to be less than vector length (n < d). So, the increasing recipient number will lead to the growth of vector length, and the ciphertext size is also increasing as a result.

It is obvious that our scheme achieves better performance than the existing scheme in the aspects of public parameters’ size and decryption time according to the analytical measurements.

6.2. Experimental Implementation

To evaluate the performance of the proposed scheme in practice, we give a reference implementation of our scheme and the IBBE-IP scheme in the Python language. We use the Charm library [36] to implement the pairing group operations and the Flint library [37] for the finite field arithmetic in Zq. Our experiments are performed on a Linux desktop with 8 GB of RAM and an 8-core Intel Core i7-8550U 2.00 GHz processor in order to validate the above theoretical analysis. In our implementation, we use the SS512 curve in the Charm library. We report the average result over ten runs.

Figure 2(a) shows that the encryption and key generation time of our scheme increase with the growing vector length for a fixed number of recipients, while the decryption time remains constant. Figure 2(b) shows that encryption time is linear in the number of recipients in our scheme, while decryption time remains constant regardless of the number of recipients. Figure 3(a) shows that the ciphertext size of our scheme remains constant with the growing vector length for a fixed number of recipients. Figure 3(b) shows that the ciphertext size is linear in the number of recipients for a fixed vector length in our scheme.

In Table 3, we give more detailed computation times and ciphertext sizes of our scheme as the vector length and the intended recipient number change. In order to achieve higher efficiency, we have precomputed and have stored them in lists. We see that the ciphertext size rises from 1.0 KB to 5.8 KB when the recipient number grows from 3 to 19. Key generation time and encryption time grow from 3.3 ms to 48.2 ms and from 50.9 ms to 696.8 ms, respectively, as the recipient number and vector length grow. Decryption time is approximately 3.9 ms.

Figure 4(a) shows the ciphertext size difference between our scheme and the IBBE-IP scheme. The ciphertext size of the IBBE-IP scheme is linear in the vector length, with the restriction that the number of recipients is less than the vector length , while our scheme has no such restriction. In particular, as Figure 4(a) shows, as the recipient number n grows, the vector length d has to grow, so the ciphertext size of the IBBE-IP scheme also increases. As Table 3 also shows, the ciphertext size of our scheme is independent of the vector length. CT is linear in the number of recipients in our scheme because our scheme enables different intended users in S to obtain their corresponding inner products via the decryption of CT, which achieves stronger plaintext protection. It avoids a security threat that exists in the trivial solution in which the sender first encrypts a message under an inner product encryption and then encrypts that ciphertext with a broadcast encryption. The threat is that, once the decryption result of the broadcast encryption is made public, all users in the inner product encryption system obtain the inner product ciphertext and are able to calculate their own inner product values. Our scheme avoids this threat: if some users maliciously expose the decryption result of the broadcast encryption, others are still not able to obtain their corresponding inner products from it. This gives further protection to the plaintext.

Figure 4(b) shows our scheme’s significant advantage in decryption cost. In our implementation, the decryption time of IBBE-IP does not include the Pollard kangaroo algorithm runtime, while our scheme’s decryption time includes the baby-step giant-step algorithm runtime. Besides, the number of recipients needs to be less than the vector length (n < d) in IBBE-IP, so we let d = n + 1 in the measurement of decryption time. As Figure 4(b) shows, the decryption time of IBBE-IP is linear in the recipient number and the vector length, while the decryption time of our scheme is constant: about 4.0 ms, independent of the vector length and the recipient number.

According to the above analytical measurements and experimental evaluation, our scheme is efficient because of its constant decryption cost. In addition, unlike our scheme, the IBBE-IP scheme has the restriction that the number of recipients is less than the vector length [8]. Therefore, our scheme is applicable to scenarios in which a number of recipients with limited computation capacity need to obtain inner product values through decryption regularly.

7. Conclusion and Future Work

In this paper, motivated by the limitations in efficiency and recipient privacy of the existing broadcast encryption for inner product scheme, we propose a certificate-based inner product broadcast encryption scheme with anonymity. A concrete construction and formal security definitions are given. We show that our scheme is adaptively secure under the IND-CCA security model, whereas the previous inner product broadcast encryption scheme is analyzed under the IND-CPA security model. In addition, the identity of a user is anonymous to others in our scheme. Furthermore, analytical and experimental results show that our scheme enables faster decryption. Because of these properties, our scheme may have significant value in practical applications such as enabling secure group communication in a consortium blockchain. However, the size of the ciphertext is linear in the number of recipients, and how to further reduce the ciphertext size remains a challenging problem.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This paper was supported by the National Natural Science Foundation of China (Grant no. U1736114) and National Key R&D Program of China (Grant no. 2020YFB2103802).