An Anonymous Multireceiver with Online/Offline Identity-Based Encryption

An anonymous multireceiver encryption scheme can not only protect the privacy of the receiver but also ensure the security of the message. However, the computational cost of this scheme is very large. It is not suitable for a sender which has limited resources, such as mobile devices and sensor nodes. In this work, an anonymous multireceiver online/offline identity-based encryption is proposed based on offline/online and identity-based encryption (IBE). In an identity-based encryption scheme, the sender can encrypt the message using the unique information of the user (such as identity number or e-mail address) as its public key. The receiver obtains the private key from a central authority. For mobile devices with limited resources, the online/offline encryption scheme can reduce the computational cost. Compared to the previous anonymous multireceiver schemes, the proposed scheme can efficiently encrypt messages with the offline/online method and ensure the anonymity of receivers. The analysis results also show that our scheme is efficient in terms of computational cost compared to the previous works.


Introduction
Multireceiver communication [1] is a crucial way to send and receive messages. It can effectively solve the problem of key management and data sending. Multireceiver encryption is also converted to broadcast encryption [2] to a certain extent. In a multireceiver encryption strategy, the sender/encryptor can select any receiver. In a broadcast encryption scheme, the sender/encryptor sends a message to a group of users; only the legal users can decrypt the ciphertext. This scheme is widely used in pay-TV applications, the distribution of copyright materials, etc.
In [3], the authors use the idea of identity-based encryption (IBE for short) for reference. The identity information of the receiver is converted to a public key. The receiver's private key, which is distributed by a Key Generator Center (KGC), is connected with the identity information. The receiver can use the private key to decrypt the ciphertext. In [4], Lu and Hu addressed a pairing-based multireceiver encryption scheme which can broadcast sensitive information in a complex environment, but it did not protect the privacy of the users. That is to say, this scheme cannot reach the anonymity of the users. A secure and efficient anonymous multireceiver IBE scheme was proposed in [5]. Based on [5], an anonymous multireceiver IBE scheme was improved by Wang et al. [6]. The proposed method cannot truly attain the anonymity of the receiver's information, and the receiver's privacy was not protected. In [5,6], a legal receiver can easily verify whether a specific user is one of the legal receivers or not at the cost of only two bilinear pairing computations. Li et al. [7] analyzed the security vulnerabilities that exist in [6], but they did not give specific solutions. In order to deal with the privacy of the legal receivers, a really anonymous multireceiver IBE scheme was proposed in [8]. In the proposed scheme, all users can receive the broadcast ciphertext of the sender/encryptor, but only the receiver which was selected by the sender/encryptor can decrypt the ciphertext information. No one except the sender knows who the receiver is. The key issue of this scheme is how to design the encryption scheme by using the Lagrange interpolation function.

Wireless Communications and Mobile Computing
Chien [9] proposed an improved scheme which can achieve the receiver's anonymity and enhance the security of the message. However, in the encryption phase, this scheme requires a number of bilinear pairing operations which is proportional to the number of receivers. He et al. [10] addressed an efficient certificateless anonymous multireceiver encryption scheme according to elliptic curve cryptography for devices with limited resources. The anonymous multirecipient IBE scheme can be used in pay-per-view TV channels and sensitive program orders. The receiver does not want any other receivers to know his or her identity information.
In IBE, the computational cost of multiplication and exponentiation operations in groups is larger. It takes much more time and battery power to execute exponential operations for a receiver with limited energy such as mobile phones or mobile devices. In IBE, data encryption needs a bilinear pairing operation, which can increase the runtime of encryption because the computational cost of the bilinear pairing operation is very large. It is difficult to complete the encryption task in a short time for lightweight devices such as wireless sensor nodes or smart cards. Moreover, the anonymous multireceiver IBE takes more time compared to standard IBE.
One challenge in the anonymous multireceiver IBE is that the added functionality may increase the computation cost compared to standard public key cryptography. Online/offline technology can effectively reduce encryption time. The first online/offline IBE scheme was proposed by Guo et al. [11]. The scheme divided the encryption process into two stages: an online stage and an offline stage. In the offline stage, the complex operation is preprocessed. In the online encryption stage, the sender performs simple operations and generates the ciphertext. The online phase would be very fast. Moreover, it requires little computational cost in this phase. The online/offline encryption strategy is more suitable for lightweight equipment such as wireless sensor nodes or smart cards [12,13]. Online/offline identity-based encryption has attracted extensive attention, and a series of research results have emerged [14][15][16]. Recently online/offline technology has also been used in attribute-based encryption [17,18]. However, the previous literature did not apply the online/offline scheme to the anonymous multireceiver IBE.
In this article, we concentrate on a multireceiver IBE scheme that takes into consideration online/offline encryption. The offline information cannot be reused in previous work. In our proposed scheme, a few operations can be done in the offline phase. The offline ciphertext which is computed in the offline phase can be reused for the same receiver sets. This method can reduce the computation cost for the senders when they encrypt messages to the same receiver sets.
Our motivating application for this work is mobile devices with limited resources. The preparation computation can be done while the mobile device is plugged into a power supply, and then when it is on the move without being plugged in, it performs the encryption operations with little computational cost.
The structure of this work is organized as follows. Section 2 reviews the cryptographic background and Section 3 describes an anonymous multireceiver online/offline identity-based encryption. The security proof and performance analysis are given in Section 4. Finally, Section 5 gives the conclusions of this work.
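An added illustration (not the paper's construction or code) of the Lagrange-interpolation selector idea that the introduction attributes to [8], showing why work done once for a fixed receiver set can be reused across messages. Assumptions: scalars in a prime field stand in for the pairing-group elements, the per-receiver values are constructed sample numbers, and `point`, `offline`, `online` and `receive` are hypothetical names; which steps the paper itself places offline is not recoverable from this page.

```python
import hashlib

P = 2**127 - 1  # prime field modulus; stands in for the group order (assumption)

def point(identity):
    """Hash an identity to a nonzero field element (toy stand-in for a hash H(ID))."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % P or 1

def times_x_minus(poly, root):
    """Multiply poly (coefficients low-order first) by (x - root) mod P."""
    out = [0] * (len(poly) + 1)
    for k, c in enumerate(poly):
        out[k] = (out[k] - root * c) % P
        out[k + 1] = (out[k + 1] + c) % P
    return out

def offline(identities):
    """Message-independent step: basis f_i with f_i(x_i) = 1 and f_i(x_j) = 0."""
    xs = [point(i) for i in identities]
    if len(set(xs)) != len(xs):
        raise ValueError("receiver points must be distinct")
    basis = []
    for i, xi in enumerate(xs):
        num, den = [1], 1
        for j, xj in enumerate(xs):
            if j != i:
                num = times_x_minus(num, xj)
                den = den * (xi - xj) % P
        inv = pow(den, -1, P)  # one modular inversion per receiver
        basis.append([c * inv % P for c in num])
    return basis

def online(basis, values):
    """Per-message step: coefficients of F(x) = sum_i values[i] * f_i(x)."""
    if len(values) != len(basis):
        raise ValueError("one value per receiver is required")
    coeffs = [0] * len(basis)
    for f, v in zip(basis, values):
        for k, c in enumerate(f):
            coeffs[k] = (coeffs[k] + v * c) % P
    return coeffs

def receive(coeffs, identity):
    """Evaluate F at the receiver's own point (Horner's rule); no ID list is needed."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * point(identity) + c) % P
    return acc
```

Calling `offline` once and `online` once per message reproduces the reuse described above: each listed receiver recovers only its own value from the published coefficients, which carry no list of identities.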

Preliminary
Some fundamental backgrounds related to this work are given in this section.
According to the bilinearity, the bilinear mapping  has the following specific property:

Hard Problems.
The following security assumptions are used in many encryption schemes. We will use them to deal with some problems in our scheme. In our paper,  denotes the generator of  1 . (

Security Definition.
According to the works [3,5,6], a general model and security formalization problem is given. Security formalization problem is indistinguishability encryptions of chosen ciphertext attacks, under selective multi-ID (IND-CCA-sMID for short) [5,6]. The notion of IND-CCA-sMID is given as follows.
Setup. The challenger executes the setup algorithm. Attacker  attains the resulting public parameters from challenger. The attacker does not know any information about private key. The challenger keeps the master key secret. Guess. To the end,  outputs the result of conjecture   ∈ {0, 1}. We can say that  wins the game if   = .   conjecture advantage is defined as follows: Our scheme ∏ is said to be (, )-IND-CCA-sMID secure if the conjecture advantage Adv

The Proposed Encryption Scheme
In this section, we introduce a novel anonymous multireceiver IBE on the basis of offline/online encryption. Our scheme ensures both the confidentiality of the information and the anonymity of the receiver. The process of our encryption scheme is given in Figure 1. As shown in Figure 1, the system framework comprises three types of participants: Sender, Receiver, and KGC.
Sender. The sender encrypts the information and sends the ciphertext message to the designated receivers.
Receiver. The receiver can decrypt the ciphertext message according to the private key.
KGC. It is responsible for the generation of receivers' private keys.
In this section, an anonymous multireceiver online/offline IBE is proposed according to literature [6,20]. Our encryption scheme usually consists of six algorithms as follows: Setup, Key extract, Offline encryption, Online encryption, and Decryption. In the following, we will describe the processes of our encryption scheme in detail.
Setup Phase. The algorithm works in setup phase as follows: (1) Pick a random value  ∈ Z *  ,   1 ∈  1 .
(3) Select six one-way hash functions. Private Key Extract Phase. Input public parameters and the identity information   of the receiver, and the PKC executes the algorithm as follows: (1) Compute   =  1 (  ).

Online Encryption Phase
(1) According to the identity information, compute each potential receiver's   and   .
(2)   (x) can be calculated, respectively, as follows: For  = 1 to , compute Inputting message  and selecting  identities of the receivers, the sender performs the following steps. Compute , where (⋅) denotes the symmetric encryption function.
Decryption. Given ciphertext information C, the legal receiver uses the private key to perform the tasks as follows: (1) Compute   = (  ). ( ( , where (⋅) denotes the symmetric decryption function. Test whether

Security and Performance Analysis
In Section 4, we first give the correctness analysis of our scheme, and then we compare security and computational cost with the previous literatures [5,6,8,9].

Security Analysis.
In Section 4.1, the correctness and security of our encryption scheme are analyzed.
That is to say,  is a valid ciphertext message. Otherwise,  is a randomized element of  2 and  is invalid. According to the above constructions, B simulates the random oracles hash function {,  )) = ( 1 (  ),   )  holds, the receiver with identity   also is an authorized receiver. Random number  can be recovered by symmetric key and message . Unfortunately, their encryption scheme cannot protect the privacy of the receiver. That is to say, it did not satisfy the anonymity of the receiver. In our proposed scheme, the above problems are solved. Only the authorized receiver can decrypt ciphertext information. Each receiver does not know whether others are authorized receivers or not. Thus, the privacy of the user can be protected.

Theorem 3. Our scheme satisfies the anonymity of receiver if the Co-DBDH problem is hard.
In this work, we do not give the proof of Theorem 3; see literature [9] and literature [8] for details.

Theorem 4. In the random oracle model, our scheme is IND-CCA2 secure under the q-BDHI and mBIDH assumptions.
This proof is similar to the proof of literature [21,22]. Please refer to literature [21,22] for details.

Performance Analysis.
In this section, the computational consumption of our scheme is given. In order to analyze the computational performance, some notations of the symbols are summarized in Table 1.
The implementation environment is a mobile phone (Samsung Galaxy S5 with a Quad-core 2.45G processor, 2G bytes memory, and the Google Android 4.4.2 operating system) [10]. The implementation runtime results of the main operations are listed in Table 2 [10,23]. The efficiency comparison is summarized in Tables 3 and 4. The computational cost in our scheme is compared to literature [5,6,8,9]. In addition, the mentioned five schemes contain encryption and decryption computational cost. From Table 5, we can see that the ciphertext length of our scheme is nearly identical to that of the other schemes in [5,6,8,9]. As shown in Table 6, our offline/online encryption scheme is the same as literature [8,9], and their encryption schemes are anonymous. However, literature [8] and literature [9] do not use the offline/online encryption scheme.
From Tables 3 and 4, we can see that our scheme needs one bilinear pairing operation and three bilinear pairing operations in the encryption phase and decryption phase. The number of bilinear pairing operations increases linearly with the number of recipients in the encryption and decryption phases in literature [9]. The bilinear pairing operation requires a lot of computation. It is not suitable for mobile devices with limited energy. From Table 6, we know that only our scheme uses offline/online encryption.
In order to give an intuitive understanding, Figures 2 and 3 also describe the computational cost of the encryption and decryption schemes, respectively. Symbol  denotes the number of authorized receivers in Figures 2 and 3. According to Tables 2 and 3, we can easily compute the runtime of the encryption and decryption schemes in the different literatures [5,6,8,9]. The computational cost of encryption and decryption is summarized in Figures 2 and 3, respectively. From Figure 2, we can see that the computational cost in [9] is the least, and our proposed scheme consumes little computation time in encryption. Literature [9] does not use offline/online encryption, and the computational cost in our proposed scheme contains the runtime of offline encryption and online encryption. When receivers decrypt the ciphertext, our scheme consumes the minimum computation time. As legal receiver  increases, the computational cost increases gradually in Figures 2 and 3.

Conclusion
Finally, conclusion and future work are summarized. An anonymous multireceiver online/offline identity-based encryption was proposed in our work. We developed an efficient offline/online encryption scheme which can ensure the anonymity of the receiver. Our scheme divided encryption into two phases: offline and online. A sender can do a lot of preparatory calculations on offline phases, and a receiver can encrypt the message with little computational cost on online phases. The computational cost of the receivers was improved in the proposed scheme. The analysis results demonstrated that our scheme is secure and efficient, and it is suitable for mobile devices. The preparation computation can be done while mobile device is plugged into a power supply. When it is on the move without plugging, it performs the encryption operations with little computational cost.
An interesting future work is that we will pay more attention to anonymous attribute-based encryption using offline/online scheme for mobile devices.

Figure 1: The process of our encryption scheme.

( 8 )
Return  to attacker . Phase 4.  publishes private key extraction and decryption queries, and they are the same as phases 2 and 3. The constraint condition of decryption queries is that  * ̸ = . Guess. To the end,  outputs the guessing result   ∈ {0, 1}. If   =  then B outputs 1; else it outputs 0. If I = (, )  then

Figure 2: Computational cost of different scheme in encryption.

Figure 3: Computational cost of different scheme in decryption.
Phase 1.  outputs multiple target identities ( 1 , . . .,   ) where  denotes a positive integer. Phase 2.  publishes private key extraction queries. When a private key extraction query with identity   is received, the challenger obtains private key   = (, ,   ) by running the private key extraction algorithm. The only constraint is that   ̸ =   for  = 1, . . ., . Phase 3.  publishes decryption queries for target identity information. When a decryption query denoted by ( * ,   ) for some  ∈ {1, 2, . .., } is received, the challenger creates a private key which is denoted by   associated with identity information   . The challenger returns the information  = (,  * ,   ,   ) to . Challenge. outputs a target plaintext message pair ( 0 ,  1 ); the challenger randomly selects  ∈ {0, 1} and creates a target ciphertext information  = (,  1 , . . .,   ,   ). Ciphertext  is given to  by the challenger. Phase 4.  publishes the private key extraction queries and decryption queries for target identities, and query methods are the same as in phase 2 and phase 3, respectively. Restrictive condition is that  * ̸ = .
−− ∏ () of any attacker  with polynomial running time  is less than . breaks IND-CCA-sMID of ∏ with (,  1 ,  2 , ) if and only if the conjecture advantage of the attack  is not less than  with the running time . 1 and  2 denote the number of private key extraction queries and decryption queries, respectively. Scheme ∏ is said to be (,  1 ,  2 , )-IND-CCA-sMID secure if there is no polynomial-time algorithm attacker  with (,  1 ,  2 , ) that can break IND-CCA-sMID of scheme ∏.

Table 2: Computational cost of main operations.