Privacy-Preserving Multi-Receiver Certificateless Broadcast Encryption Scheme with De-Duplication

Abstract

Nowadays, the widely deployed and high performance Internet of Things (IoT) facilitates the communication between its terminal nodes. To enhance data sharing among terminal devices and ensure the recipients’ privacy protection, a few anonymous multi-recipient broadcast encryption (AMBE) proposals are recently given. Nevertheless, the majority of these AMBE proposals are only proven be securely against adaptively chosen plain-text attack (CPA) or selectively chosen ciphertext attack (CCA). Furthermore, all AMBE proposals are subjected to key escrow issue due to inherent characteristics of the ID-based public cryptography (ID-PKC), and cannot furnish secure de-duplication detection. However, for cloud storage, it is very important for expurgating duplicate copies of the identical message since de-duplication can save the bandwidth of network and storage space. To address the above problems, in the work, we present a privacy-preserving multi-receiver certificateless broadcast encryption scheme with de-duplication (PMCBED) in the cloud-computing setting based on certificateless cryptography and anonymous broadcast encryption. In comparison with the prior AMBE proposals, our scheme has the following three characteristics. First, it can fulfill semantic security notions of data-confidentiality and receiver identity anonymity, whereas the existing proposals only accomplish them by formalizing the weaker security models. Second, it achieves duplication detection of the ciphertext for the identical message encrypted with our broadcast encryption. Finally, it also avoids the key escrow problem of the AMBE schemes.

1. Introduction

With development of various Internet of Things (IoT) applications, the communication amongst smart IoT devices has become more and more frequent and convenient. As an important one-to-many communication model, broadcast encryption (BE, for short), which was first formally proposed by Amos Fiat and Moni Naor [1], allows for the broadcaster to deliver the encrypted data to the authorized subset S of the receivers that are monitoring the broadcast channel. In addition, only the receivers that belong to the subset S can recover the message by their private key, while the other receivers outside of S can obtain no information about the delivered data. In general, broadcast encryption is capable of saving more computational complexity and communication overhead than traditional encryption in the peer-to-peer model. Therefore, it has very important applications in communications field [2,3] and IoT [4], etc.

However, IoT devices have some non-negligible vulnerabilities during data sharing and anonymity protection [5,6,7]. At the same time, anonymity is also an important security property in BE schemes, which indicates that any receiver is unable to gain any information of the other receivers’ identity from the ciphertexts. Let us consider an example: a user wants to share some sensitive files with its friends in the cloud; for individual privacy, the user does not want its friends to learn about the others’ identity because they might be the opponent. This problem is very similar to blind carbon copy (BCC) in the email system. To solve this problem, many cryptographers have given many solutions, for instance, Bellare et al.’s public key encryption with key-privacy [8], ciphertext-policy attribute-based encryption with hidden-policy [9], anonymous identity-based encryption [10], anonymous broadcast encryption [11,12,13], and anonymous Certificate-Based Encryption [14,15], where anonymous broadcast encryption is the most efficient method in the multi-user setting. In the cloud environment, anonymity is more important due to its openness. Thus, many applications in keyword search and data retrieval [16,17,18] have considered how to achieve strong anonymity in their schemes. The existing anonymous broadcast encryption schemes are classified into two types, one type is based on public key certificate, and the other type is based on ID-based cryptography. Attribute-based encryption provides scalable encryption while supporting anonymity for users in the same group, that is, with the same attributes [19,20]. They have also been applied widely in cloud computing to support access control for data sharing [21]. However, because of the open problem of revocation in attribute-based encryption, it still suffers from the user revocation in practical application [22,23,24]. Some of the corresponding data could easily be recovered from IoT devices by using forensic techniques [25,26]. Fortunately, Antonis Michalas et al. recently proposed two hybrid encryption schemes [27,28] which can solve the open problem of revocation in attribute-based encryption.

Although cloud storage servers have abundant storage space, the identical data’s different encryption can result in multi-replica; this not only wastes space, but also brings a heavy burden on data maintenance. To save the storage space across multiple users in the cloud storage service, de-duplication is an important candidate technique. However, not all of the public encryption schemes can directly support the de-duplication of the ciphertext since random numbers are introduced in the encrypting process. The convergent encryption and the related security definition have been formalized for addressing the de-duplication of ciphertext [29]. Because random numbers are introduced in the encryption algorithm, it is very difficult that the existing anonymous multi-receiver ID-based broadcast encryption schemes (AMIBE) directly support the de-duplication of ciphertext. To overcome the above de-duplication problem, in this work, we propose a secure Privacy-preserving Multi-receiver Certificateless Broadcast Encryption Scheme with De-duplication. Our construction is characterised as follows: firstly, it is the first anonymous certificateless broadcast encryption scheme with de-duplication; secondly, it is capable of simultaneously achieving confidentiality and anonymity of the receivers’ identities under adaptive CCA security. Thirdly, the key escrow problem does not exist.

2. Related Works

In 2006, Barth et al. presented the first public key cryptography-based anonymous BE scheme with chosen-ciphertext security [11]. However, the complexity of decryption linearly grows with the size of the set of the receivers. In 2012, Libert et al. put forth a fully anonymous BE scheme with adaptive chosen-ciphertext security with the random oracle model [30]. Subsequently, Fazio et al. proposed two sublinear ciphertext-size anonymous broadcast encryption schemes in [31] which are proven to be securely against adaptive CPA and adaptive CCA in the standard security model, respectively. In 2007, Delerablee constructed a constant-size ciphertext BE scheme [32]; however, the receivers’ public keys need to be attached in the ciphertext. Until now, the PKC-based anonymous broadcast encryption scheme can achieve constant ciphertext and resist adaptive chosen-ciphertext attack (CCA) in the standard-security model.

ID-based BE (IBBE) is an extension of broadcast encryption in the ID-PKC system [33] in which the user’s public key is replaced with the user’s identity. It simplifies public key management and eliminates the public key certificate. To furnish anonymity protection of the receiver’s identity, the first anonymous multi-receiver identity-based broadcast encryption (AMIBE) scheme [12] was introduced. Nevertheless, their scheme was shown to be insecure by Wang et al. [34] and Chien [35] since it can not achieve anonymity protection of the receiver’s identity, whereafter, Wang et al. also presented a modified proposal to fulfill the anonymity of the receiver’s identity in [34]. Very regretfully, Wang et al.’s modified proposal was pointed to be insecure by Zhang et al. in [36]. In 2018, Tseng et al. presented an improved vision of Fan et al.’s AMIBE by revising receiver anonymity’s security definition in [37] and their scheme was shown to be secure in the random oracle model. In Asia-CCS16, based on the multilinear map, Xu et al. gave an AMIBE scheme which is against anonymity attacks and chosen-plaintext attacks in the standard model [38,39]. However, all multilinear map candidates are broken [40]; thus, their proposal is infeasible in reality. Recently, He et al. proposed an ID-based anonymous BE scheme that can concurrently achieve data indistinguishability and anonymity of the receiver identities under the adaptively chosen ciphertext attacks [41].

ID-based cryptographic protocols cut out complex maintenance of certificates; however, an inherent problem called “key escrow” exists. This problem can make the PKG be able to execute any cryptographic operation in the name of users since it knows all users’ private keys. Thus, the problem might result in potential security threats for the ID-based crypto-system. To avoid the key escrow problem, Al-Riyami and Paterson gave a variant of ID-based PKC: certificateless cryptography in [42]. Not only do the advantages of ID-based cryptography remain, but they also prevent the key escrow problem of ID-based PKC. In 2004, Yum et al. presented a general construction construction of certificateless encryption (CLE) [43]. Unfortunately, Yum et al.’s scheme was shown to be insecure by Libert et al. in [44] since it does not satisfy CCA security of CLE. In addition, therewith, Libert et al. put forward a novel construction of CLE achieving CCA security.

Recently, lIslam et al. put forward a pairing-free anonymous multi-receiver certificateless encryption scheme (AMCLE, for short) by combining AMIBE with CLE in [45]. Their scheme can achieve receivers’ anonymity and the ciphertext length is linear with the number of the authorized receivers. When more than one person sends the same data, it will bring a heavy burden to the receivers for data storage. Thus, de-duplication is a wise choice to address the growing demand for storage.

To reconcile de-duplication, Douceur et al. presented a method convergent encryption (CE) [46], which is a deterministic symmetric encryption with secret key $H(m)$. If two users Alice and Bob encrypt the same plaintext m, they can obtain the same ciphertext $C=E_{H(m)}(m)$. Its attractive merit makes it be applied in some commercial system. However, it lacks the detailed security analysis and it is not explicit what its basic security goal precisely is. To solve de-duplication of the identical message which is encrypted under the different secret keys, Bellare et al. put forth a novel notion Message-Locked Encryption (MLE) [47]. However, MLE is only capable of providing security of unpredictable data. Recently, Bellare et al. proposed an Interactive message-locked encryption and secure de-duplication [48] which can solve the correlated message’s security problem. Until now, numerous secure de-duplication schemes have been presented for settling data de-duplication in cloud [49,50,51].

3. Preliminaries

3.1. Bilinear Groups

Throughout the paper, we only consider a Type 2 pairing since our scheme is based on such construction. In the following, we review some concepts of such bilinear group pair.

• ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ denote two additional groups of the same prime p; ${\mathbb{G}}_T$ denotes a multiplicative group. In addition, it is deemed to be hard for solving the discrete logarithm problem in group ${\mathbb{G}}_i,i\in \{1,2,T\}$.
• $P_i$ denotes the generator of group ${\mathbb{G}}_i$, for $i\in \{1,2\}$.
• Let $\phi :{\mathbb{G}}_2\to {\mathbb{G}}_1$ be a computable isomorphism map which satisfies $\phi (P_2)=P_1$; and
• Let $\widehat{e}:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_T$ denote a computable bilinear map, which meets the following criteria:
  • Bilinearity: For arbitrary $a,b\in Z_p$ and all $Q\in {\mathbb{G}}_1$, $F\in {\mathbb{G}}_2$, we have $\widehat{e}(aQ,bF)=\widehat{e}{(Q,F)}^{ab}$;
  • Non-degeneracy: $\widehat{e}(P_1,P_2)\ne 1$.

3.2. Security Assumptions

In this subsection, we give several security assumptions [33,52] which are the security foundation to construct the proposed scheme.

$\mathbf{\epsilon }$-BDH-2 problem [33] in$({\mathbb{G}}_1,{\mathbb{G}}_2)$. Given group elements $a_1{P}_2,b_1{P}_2\in {\mathbb{G}}_2$ and $c_1{P}_1\in {\mathbb{G}}_1$, where $P_2\in {\mathbb{G}}_2$, $P_1\in {\mathbb{G}}_1$, and $a_1,b_1,c_1\in Z_p^{*}$; if there exists a PPT-algorithm $\mathcal{A}$ which takes $(P_1,P_2,a_1{P}_2,b_1{P}_2,c_1{P}_1)$ as inputs and outputs, the Type 2 pairing $X=e{(P_1,P_2)}^{a_1{b}_1{c}_1}\in {\mathbb{G}}_T$. $\mathcal{A}$’s advantage is defined as

$$\epsilon =Pr[e{(P_1,P_2)}^{a_1{b}_1{c}_1}\leftarrow A(P_1,P_2,a{P}_2,b{P}_2,c_1{P}_1)].$$

We think that $\epsilon$-bilinear Diffie–Hellman problem in ${\mathbb{G}}_2$ and ${\mathbb{G}}_1$ holds against $\mathcal{A}$ if the algorithm $\mathcal{A}$ is not capable of obtaining $\widehat{e}{(P_1,P_2)}^{a_1{b}_1{c}_1}$ with a non-negligible probability greater than $\epsilon$.

$\mathbf{\epsilon }$-BDDH-2 problem in $({\mathbb{G}}_{\mathbf{1}},{\mathbb{G}}_{\mathbf{2}})$ [33]. It is hard to distinguish the distributions $D_1=(P_1,P_2,a_1{P}_1,b_1{P}_1,c_1{P}_2,e{(P_1,P_2)}^{a_1{b}_1{c}_1})$ and $D_2=(P_1,P_2,a_1{P}_1,b_1{P}_1,c_1{P}_2,Z)$, where $Z\in {\mathbb{G}}_T$ and $a_1,b_1,c_1{\in }_R{Z}_p$. In general, $D_1$ is denoted as the BDDH tuple, and $D_2$ is called “random tuple”. For a PPT algorithm $\mathcal{B}$, $\mathcal{B}$’s advantage of breaking the BDDH-2 problem in $({\mathbb{G}}_2,{\mathbb{G}}_1)$ is defined as

$$\begin{array}{c}\epsilon =|Pr[B(P_1,P_2,a_1{P}_1,b_1{P}_1,c_1{P}_2,e{(P_1,P_2)}^{a_1{b}_1{c}_1})=1]\hfill \\ -Pr[B(P_1,P_2,a_1{P}_1,b_1{P}_1,c_1{P}_2,Z)=1]|.\hfill \end{array}$$

We think that $\epsilon$-decisional Bilinear Diffie–Hellman problem in $({\mathbb{G}}_2,{\mathbb{G}}_1)$ holds against $\mathcal{B}$ if the algorithm $\mathcal{B}$ is capable of distinguishing the difference of the above two distributions in a non-negligible probability $\epsilon >1/2$.

The Computational Diffie–Hellman problem (CDH) in ${\mathbb{G}}_1$. Let $(P_1,a_1{P}_1,b_1{P}_1)\in {\mathbb{G}}_1^3$ be a random 3-tuple where $a_1,b_1\in Z_p$; there does not exist an efficient algorithm $\mathcal{A}$ that can calculate $ab{P}_1$. A’s advantage of breaking the Computational Diffie–Hellman problem in ${\mathbb{G}}_1$ is defined as

$$\epsilon =Pr[A(P_1,a{P}_1,b{P}_2)=ab{P}_1].$$

We think that the CDH problem holds against $\mathcal{A}$ if the algorithm $\mathcal{A}$ is capable of outputting $a_1{b}_1{P}_1$ in a non-negligible probability $\epsilon$.

The Decisional Diffie–Hellman problem (DDH) in ${\mathbb{G}}_1$. Given a 4-tuple $(P_1,a_1{P}_1,b_1{P}_1,W)\in {\mathbb{G}}_1$ where $a_1,b_1\in Z_p$ and $W\in {\mathbb{G}}_1$, there does not exist an efficient algorithm $\mathcal{A}$ that determines $a_1{b}_1{P}_1=W$. A’s advantage of breaking the Decisional Diffie–Hellman problem in ${\mathbb{G}}_1$ is defined as

$$\begin{array}{ccc}\hfill \epsilon & =& |Pr[A(P_1,a_1{P}_1,b_1{P}_1,a_1{b}_1{P}_1)=1]-\hfill \\ & & Pr[A(P_1,a_1{P}_1,b_1{P}_1,W)=1]|.\hfill \end{array}$$

We think that the DDH problem holds against $\mathcal{A}$ if the algorithm $\mathcal{A}$ is capable of distinguishing the difference of $a_1{b}_1{P}_1$ and W in a non-negligible probability $\epsilon >1/2$.

4. Basic System Model and Security Model

4.1. System Model

According to the definitions of certificateless encryption and broadcast encryption, we give the basic system model of privacy-preserving multireceiver certificateless broadcast encryption with de-duplication (PMCBED) schemes. The PMCBED scheme mainly borrows the idea in [12,37,38] to achieve privacy protection of receiver identities in the certificateless broadcast encryption scheme and offer the ciphertext de-duplication function. Its framework is showed in Figure 1. It includes four entities: key generation center (KGC), the receivers, the broadcaster and the de-duplicator. Their detailed roles are shown as follows:

• KGC: it is a trustworthy entity that is responsible for producing a partial private key of the receiver.
• the Broadcaster: It is a sender of the message. It first selects a subset of the receivers and calculates the ciphertext of the transmitted message. Afterwards, it sends these ciphertexts to the de-duplicator.
• The de-duplicator: It is an honest-but-curious entity. It can be acted on by the cloud server. Its goal is to check whether the received ciphertext has its replica existing in the cloud.
• The Receiver: It is the receiver of the ciphertext, its goal is to decrypt the ciphertext. If and only if it is an authenticated receiver, then it can decrypt the ciphertext.

For a PMCBED scheme, it has eight algorithms: System-setup, Extract partial-private key, Set secret-value, Set-public-key, Set-private-key, Encryption, Decryption and Equality-test. For each algorithm, its detailed definition is given as follows:

• System-setup $(1^{\lambda })$. $\lambda$ is a security parameter, and this algorithm is run by a Key Generation Center (KGC) which takes as input $\lambda$, return the public parameters $PP$ and the master secret key $msk$ of KGC. The public parameters $PP$ should be published publicly.
• Extract partial-private key $(msk,ID)$. In general, this algorithm is run by KGC. It takes as inputs public parameters $PP$, master key $msk$ and a receiver’s identity $ID$, and outputs the partial-private key $d_{ID}$ of the receiver.
• Set secret-value $(ID)$. The algorithm is run by the receiver. It takes as inputs public parameters $PP$ and the identity $ID$ of the receiver, and returns $x_{ID}$ as the receiver’s secret value.
• Set private-key $(x_{ID},d_{ID})$: This algorithm is run by the receiver, it takes as inputs the partial-private key $d_{ID}$ and secret-value $x_{ID}$ of the receiver, and outputs private key $S{K}_{ID}=(d_{ID},x_{ID})$ of the receiver.
• Set public-key $(ID)$: The algorithm is used to produce the public key of the receiver. It takes as inputs secret value $x_{ID}$ of the receiver and public parameters $PP$, and outputs the corresponding public key $Y_{ID}$.
• Encrypt $(m,(I{D}_1,Y_{ID1}),\dots ,(I{D}_t,Y_{IDt}))$. The broadcaster runs this algorithm by inputting a plaintext m, public parameters $PP$, a set $S=(I{D}_1,Y_{ID1}),\dots ,(I{D}_t,Y_{IDt})$ of receivers’ identities/public keys, and outputs a ciphertext $C=Encrypt(m,params,S)$.
• Decrypt $(C)$: The algorithm is run by the receiver. It takes as inputs a ciphertext C, public parameters $PP$ and the private key $S{K}_{ID}$ of the receiver, returns a recovered message m or a symbol ⊥ that indicates decryption error.
• Equality-test $(s{k}_{TTP},CT,C{T}^{\prime })$: It is a deterministic algorithm, run by a de-duplicator which is an honest-but-curious entity, it takes public parameter $PP$, the de-duplicator’s secret key $s{k}_{TTP}$ and two ciphertexts $CT$ and $C{T}^{\prime }$ as inputs, and returns 1 if $CT$ and $C{T}^{\prime }$ are from the identical plaintext, otherwise, returns 0.

4.2. Security Models

For a secure public key encryption scheme, it should ensure the confidentiality of the encrypted message, this property is referred to as ciphertext-indistinguishability which can be defined in two security models of chosen-plaintext-attack (CPA) and chosen-ciphertext-attack (CCA) [53]. However, for IND-CPA and IND-CCA, indistinguishability does not hold in a secure de-duplication public key encryption in that it is easily breached by an IND-CPA adversary or an IND-CCA adversary in the game [53]. In the Challenge phase of the IND-CPA/CCA security game, the adversary is allowed to select two plaintexts $m{t}_0$ and $m{t}_1$, and then a challenge $C^{*}$ for a plaintext $m{t}_b$ with $b\in \{0,1\}$ is returned. By invoking the Equality-test algorithm, the adversary is able to output the corresponding b by computing a ciphertext $\widehat{C}$ for plaintext $m{t}_b$ and checking whether $\widehat{C}$ matches the challenge ciphertext $C^{*}$. The reason to produce such problem is that, given two ciphertexts, any one can run an Equality-test algorithm to check their matching-ability.

To provide IND-CCA security in the public key encryption with de-duplication, a trusted-third party (TTP) is introduced to execute an Equality-test algorithm by inputting its private key. Meanwhile, the adversary is not allowed to have access to TTP in the security game. Thus, the Equality-test query is not involved in the following security games. In the context of the rest of this paper, we let the de-duplicator act as the TTP.

Inspired by security models of certificateless encryption (CLE) and anonymous BE, the security model of our PMCBED schemes defines two security notations "confidentiality" and " anonymity of the receivers’ identities". For confidentiality, it indicates that an adversary is not capable of obtaining any information of the encrypted message from ciphertext. For anonymity of the receivers’ identities, it indicates that an adversary is not capable of obtaining any identity information of the other receivers from ciphertext.

In the following, we first define the IND-CCA security game for PMCBED. Let $Ad{v}_I,Ad{v}_{II}$ be Type I and Type II probabilistic polynomial time (PPT) adversaries, respectively. In the following, $Ad{v}_I/Ad{v}_{II}$ will make an interactive game with the challenger C.

Definition 1.

A PMCBED scheme is defined to be secure against adaptive-chosen-ciphertext attack (“IND-CCA security”) if there does not exist a Type I/II of adversaries having a non-ignorable superiority in the following game:

• Setup: Let λ be a security parameter, C be a Challenger. C invokes a $Setup(1^{\lambda })$ algorithm to return public parameters $PP$ and master secret key $msk$; afterwards, C transmits $PP$ to $Adv$. If $Adv$ is the Type II adversary $Ad{v}_{II}$, then $msk$ is also sent to $Adv$. Otherwise, $msk$ is secretly kept by the Challenger and then sends system public parameters $PP$ to adversary $Adv$ who also receives the master secret key $msk$ if it is of Type II. Otherwise, the master secret key $msk$ is kept secret.
• Phase 1: In this phase, $Adv$ can adaptively make a series of queries:

  −

  Public key query oracle: Upon receiving public key query of the receiver $ID$, if it is the first query of the receiver, then C invokes Set public-key algorithm to produce public key $P{K}_{ID}$ and return $P{K}_{ID}$ to $Adv$. Otherwise, it returns the matching public key in the list.

  −

  Extract partial-private key oracle: On receiving a partial private key query of the receiver $ID$, C inputs $msk$ to invoke the Extract partial-private key algorithm and return $d_{ID}$ if $Adv$ is the Type I $Ad{v}_I$; otherwise, the oracle is not required if A is of Type II.

  −

  Extract secret-key oracle: Upon receiving the secret key query of the receiver $ID$ from the adversary $Adv$, C invokes the Set secret-value algorithm to produce secret value $x_{ID}$ and return it to $Adv$.

  −

  Decrypt oracle: On receiving the decrypting query of $(CT,ID)$ from $Adv$, C invokes the Set secret-value algorithm and Extract partial-private key algorithm to obtain private key $S{K}_{ID}$ of the receiver $ID$; then, it runs a Decryption $(CT,S{K}_{ID})$ algorithm to recover the corresponding plaintext.

  Note that when $Adv$ is the Type I $Ad{v}_I$, it also needs to query Public-key-replace oracle in which the receiver’s public key $Y_{ID}$ is replaced with a new public key $Y_{ID}^{\prime }$ when inputting a receiver’s identity $ID$ and its corresponding public key $Y_{ID}$.
• Challenge: The adversary $Adv$ submits two distinct equivalent-length messages $m_0$ and $m_1$ as well as a set of the receivers’ identities/public-keys $S^{*}=(I{D}_1/Y_1,\dots ,I{D}_k/Y_k)$. It is required that $Adv$ cannot query Extract partial-private-key oracle with the identity $I{D}_i\in S^{*}$. The challenger C randomly samples a bit $b\in \{0,1\}$ to compute the challenge ciphertext $C^{*}=Encrypt(m_b,PP,S^{*})$ and returns it to adversary A.
• Phase 2: Adversary $Adv$ can continue to adaptively issue a new sequence of queries as in Phase 1. In addition, $(I{D}^{*}/Y^{*},C^{*})$ is not permitted to issue Decryption query, where $I{D}^{*}/Y^{*}\in S^{*}$.
  Meanwhile, in a Type I attack, $Adv$ is not allowed to issue Extract partial-private-key query and Public-key-replace query on identity $I{D}^{*}$, where $I{D}^{*}\in S^{*}$.
• Guess: At last, a guess bit $b^{\prime }\in \{0,1\}$ is returned by the adversary $Adv$. $Adv$ wins this game if $b^{\prime }=b$.

Definition 2.

A PMCBED scheme is defined as ANO-CCA security if there does not exist a Type I or II of adversary $Adv$ which has a non-ignorable superiority in the following games:

• Setup and Phase 1: In the two phases, they are the same as those in the above IND-CCA Game.
• Challenge: In this phase, $Adv$ produces two challenge sets ${\widehat{S}}_0$ and ${\widehat{S}}_1$, where $|{\widehat{S}}_1|=|{\widehat{S}}_0|$. In addition, it then submits a message $m^{*}$ and $({\widehat{S}}_0,{\widehat{S}}_1)$ to C. In addition, the constraint conditions are as follows: (1) $Adv$ is not permitted to issue Extract partial-private-key queries on $I{D}^{*}$ when $Adv$ is the Type I adversary $Ad{v}_I$,(2) a $Adv$ is not permitted to issue Extract secret-key queries on $I{D}^{*}$ when $Adv$ is the Type II adversary $Ad{v}_{II}$, where $I{D}^{*}\in {\widehat{S}}_1\oplus {\widehat{S}}_0$ and ${\widehat{S}}_1\oplus {\widehat{S}}_0={\widehat{S}}_1\cup {\widehat{S}}_0-{\widehat{S}}_0\cap {\widehat{S}}_1$. Then, C uniformly samples a bit $\alpha \in \{0,1\}$ to calculate the ciphertext $C^{*}=Encrypt(PP,{\widehat{S}}_{\alpha },m^{*})$ and returns it to $Adv$.
• Phase 2. In this phase, $Adv$ adaptively issues a new series of queries as in Phase 1 with the following constraint conditions :(1) $Adv$ is not permitted to issue Extract partial-private-key queries on $I{D}^{*}$, (2) Public-key-replace queries on $I{D}^{*}$ are not allowed when $Adv$ is the Type I adversary $Ad{v}_I$, (3) Extract secret-key queries on $I{D}^{*}$ are not allowed when $Adv$ is the Type II adversary $Ad{v}_{II}$, and (4) $Adv$ is not allowed to issue Decryption Query on $(I{D}^{*}/Y^{*};C^{*})$, where $I{D}^{*}\in {\widehat{S}}_1\oplus {\widehat{S}}_0$.
• Guess: At last, a guess bit ${\alpha }^{\prime }\in \{0,1\}$ is outputted by $Adv$. $Adv$ wins this game if $\alpha ={\alpha }^{\prime }$.

5. Our Scheme

Setup: Let $\lambda$ be a security parameter, Setup $(\lambda )$ algorithm takes as input $\lambda$, and outputs a bilinear map $e:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_T$, where ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ are two groups satisfying ${\mathbb{G}}_1=<P_1>$ and ${\mathbb{G}}_2=<P_2>$. In addition, they has the same order p. Note that $P_1=\phi (P_2)$ and $\phi :{\mathbb{G}}_2\to {\mathbb{G}}_1$ is an isomorphism. Let $H:{\{0,1\}}^{*}\to {\mathbb{G}}_1$,$H_1:{\mathbb{G}}_T\leftarrow {\mathbb{G}}_1$, $H_3:{\mathbb{G}}_T\leftarrow Z_p$ be three cryptographical hash function. $H_2()$ and $f()$ are two one-way functions. $H_0$ is a random generator of group ${\mathbb{G}}_2$. For the KGC, it picks a number $s\in Z_p$ at random to calculate its public key $P{K}_{pub}=s{P}_2$. Let $TPK=x_T{P}_1$ denote the public key of de-duplicator, $x_T\in Z_p$ be its private key. $(E(·),D(·))$ denotes the encryption/decryption algorithm of AES. Finally, the public parameters are $Param=$ $(P_1,P_2,{\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,p,\phi ,TPK,P{K}_{pub},e,$ $H(),H_1,H_2,H_3,$ $f,$ $H_0,(E,D)).$ $msk=s$ acts as a master secret key and is kept secretly.

Extract partial-private key: First, in all, a receiver submits its identity $ID$ to the KGC; then, the KGC utilizes its master secret key $msk$ to produce partial-private key $d_{ID}$ of the receiver, where $d_{ID}=sH(ID)$.

Set secret value: For a receiver with identifier $I{D}_i$, it uniformly samples a number $x{k}_i\in Z_p$ and returns $x{k}_i$ to act as its secret value.

Set private-key: For a receiver with identifier $I{D}_i$, let $d_{I{D}_i}$ be its partial-private key, and $x{k}_i$ be its secret value. Its private key $S{K}_{I{D}_i}$ is set to be $S{K}_{I{D}_i}=(x{k}_i,d_{I{D}_i})$.

Set public-key: In this algorithm, a receiver with identifier $I{D}_i$ takes an input secret value $x{k}_i$, and outputs its public key $Y_i=x{k}_i{P}_1$.

Encrypt: Given a transmitted message M and a group of the receivers with public keys and identifiers ${\{I{D}_i,Y_i\}}_{i=1,2,\dots ,n}$, a broadcaster computes as follows:

• For $i=1$ to n, it calculates $x_i=H_2(I{D}_i)$, and then it produces the polynomial

  $$C_i(x)=\prod _{j=1,j\ne i}^n\frac{x-x_j}{x_i-x_j}=\sum _{j=0}^{n-1}{b}_{i,j}{x}^{j}modp.$$

  Obviously, we find $C_i(x_i)=1$ and $C_i(x_j)=0$ for $i\ne j$.
• It randomly chooses $k\in Z_p$ to compute $C_1=k{P}_2.$
• Then, it selects $Q\in {\mathbb{G}}_T$ and $\tau \in Z_p$ to compute $K=H_3(Q)$ and $C_3=E(K,M||\tau )$.
• Next, choose a random number $r_1\in Z_p$, and then for $j\in \{1,2,\dots ,n\}$, it calculates

  $$R_j=H_1(e(H(I{D}_j),k·P{K}_{pub}))+r_1{Y}_j.$$
• In addition, it computes $C_2=e{(P_1,r_1{P}_2)}^k·Q$.
• In addition, for each $t\in \{1,2,\dots ,n\}$, it computes

  $$Q_t=\sum _{j=1}^n{b}_{j,t-1}{R}_j.$$
• Compute $C_0=(f(M)+f(\tau ))·TPK$ and $C_{-1}=e{(P_1,P_2)}^{f(\tau )}$.
• Finally, the resultant ciphertext is as below:

  $$CT=(C_{-1},C_0,C_1,C_2,C_3,Q_1,\dots ,Q_n).$$

Decrypt: For a given broadcast-ciphertext $CT=(C_{-1},C_0,C_1,C_2,C_3,Q_1,\dots ,Q_n)$, an authorized receiver with identity $I{D}_i$ inputs public parameters $Param$, system public key $P{K}_{pub}$ and its private key $S{K}_{I{D}_i}$ to decrypt broadcast–ciphertext $CT$ by the following steps:

• First, it computes $x_i=H(I{D}_i)$.
• Then, it calculates

  $${\widehat{R}}_i=Q_1+\sum _{j=2}^n(x_i^{j-1}{Q}_j).$$
• It computes $W=x{k}_i^{-1}·({\widehat{R}}_i-H_1(e(sH(I{D}_i),C_1)))$;
• In addition, it obtains the decryption key $K^{\prime }=H_1(C_2/$ $e(W,$ $C_2$ $))$.
• Finally, it obtains the plaintext $M=D(K^{\prime },C_3)$ and checks $C_0\stackrel{?}{=}(f(M)+f(\tau ))TPK$. If it holds, output TRUE.

Equality-test: Given two ciphertexts $CT$ and $C{T}^{\prime }$, where $C{T}^{\prime }=(C_{-1}^{\prime },C_0^{\prime },C_1^{\prime },C_2^{\prime },C_3^{\prime },Q_1^{\prime },\dots ,Q_n^{\prime })$ and $CT=(C_{-1},C_0,C_1,C_2,C_3,Q_1,\dots ,Q_n)$, the de-duplicator makes use of its private key $x_T$ to execute as follows:

$$\begin{array}{ccc}\hfill e{(C_0-C_0^{\prime },P_2)}^{x_T^{-1}}& \stackrel{?}{=}& C_{-1}/C_{-1}^{\prime }.\hfill \end{array}$$

(1)

Finally, it returns 1 if the above-mentioned Equation (1) holds; otherwise, output ⊥.

Discussion

For the above construction, we can know that, if the receiver’s identity $ID$ is involved in the set of the designated receivers, then this receiver can decrypt the corresponding ciphertext $CT$ since, when this receiver’s identifier satisfies $I{D}_i\in S$, where $S=\{I{D}_1/P{K}_1,\dots ,I{D}_n/P{K}_n\}$, let $x_i=H(I{D}_{t_i}),$ we have $C_j(x_i)=0$ for $j\ne i$ and

$$\begin{array}{ccc}\hfill {\widehat{R}}_i& =& Q_1+x_i{Q}_2+x_i^2{Q}_3+\dots +x_i^{n-1}{Q}_n\hfill \\ & =& (b_{1,0}{R}_1+b_{2,0}{R}_2+\dots +b_{n,0}{R}_n)+\hfill \\ & & x_i(b_{1,1}{R}_1+b_{2,1}{R}_2+\dots +b_{n,1}{R}_n)+\dots +\hfill \\ & & x_i^n(b_{1,n-1}{R}_1+b_{2,n-1}{R}_2+\dots +b_{n,n-1}{Q}_n)\hfill \\ & =& (b_{1,0}+b_{1,1}{x}_i+\dots +b_{1,n-1}{x}_i^{n-1})R_1+\hfill \\ & & (b_{2,0}+b_{2,1}{x}_i+\dots +b_{2,n-1}{x}_i^{n-1})R_2+\hfill \\ & & \dots +(b_{n,0}+b_{n,1}{x}_i+\dots +b_{n,n-1}{x}_i^{n-1})R_n\hfill \\ & & =C_i(x_i)R_i=R_i.\hfill \end{array}$$

Thus, the receiver with identifier $I{D}_i$ is capable of obtaining $r_1{P}_1$ by utilizing its partial-private key $d_{I{D}_i}$, namely,

$$r_1{P}_1={\widehat{R}}_i-H_1(e(d_{I{D}_i},C_1)).$$

It means that the receiver with identifier $I{D}_i$ is able to decrypt the message by the key $K=H_1(C_2/e(r_1{P}_1,C_1))$.

6. Security Analysis

In the following theorems, we will show that our aforementioned construction can achieve two security properties: anonymity of the receiver’s identity and confidentiality.

Theorem 1.

Let $H,H_1$ and $H_2$ denote random oracles. If the BDH-2 problem and the DDH problem in $({\mathbb{G}}_1,{\mathbb{G}}_2)$ are hard, then our proposed construction can be proven to be secure against the IND-PMCBED-CCA attack of the Type I adversary.

Proof. 

Suppose there exists a Type I of adversary $A_I$ in an IND-PMCBED-CCA game. If it can break our construction in a non-negligible probability $ϵ$, then we are capable of building an algorithm B which solves the BDH-2 problem and the DDH problem in $({\mathbb{G}}_1,{\mathbb{G}}_2$). □

Let $(P_2,a{P}_2,b{P}_2,c{P}_1)$ be a random instance of the BDH-2 problem, where $a,b$ and c are unknown random numbers from $Z_p$; the target is to compute $e{(P_1,P_2)}^{abc}$. In addition, let $(P_1,{\beta }_1{P}_1,{\beta }_2{P}_1,V)$ be a random instance of the DDH problem, its target is to determine $V\stackrel{?}{=}{\beta }_1{\beta }_2{P}_1$. Therefore, B simulates the following security game with the adversary $A_I$.

Setup. Let $PP=\{P_1,P_2,{\mathbb{G}}_1,{\mathbb{G}}_2,e,p,H,H_1,H_2,H_3,(E,D)\}$ be system parameters; they are built by B. In addition, B sets $PK=a{P}_1=\phi (a{P}_2)$ and $TPK={\beta }_1{P}_1$. Then, B sends public parameters $PP$ to the adversary $A_I$. In the following proof, $H_2$ acts as a one-way function. $H,H_1$ and $H_3$ are random oracles.

Phase 1. In this phase, ${\mathcal{A}}_I$ is capable of adaptively issuing a series of queries.

• H-Hash Query: When receiving the H-hash query on $I{D}_i$ from ${\mathcal{A}}_I$, B answers as below. If a record $I{D}_i$ have appeared in a tuple $(I{D}_i,Q_i,{\eta }_i,q_i)$ in the H-list which is originally empty, it sends back $Q_i$; otherwise, it generates ${\eta }_i\in \{0,1\}$, and randomly chooses $q_i\in Z_p$. If ${\eta }_i=0$, it sets $Q_i=q_i{P}_1$, else it sets $Q_i=q_{i}b{P}_1=q_i·\phi (b{P}_2)$ and adds $(I{D}_i,Q_i,{\eta }_i,q_i)$ in the H-list. It returns $Q_i$ to $A_I$
• $H_1$-Query: On input, an identity $X_i$, if $(X_i,T_i)$ exists in the $H_1$-list, then it returns $T_i$ to $A_I$; otherwise, it picks $T_i\in {\mathbb{G}}_1$ to return $A_I$ and adds $(I{D}_i,T_i)$ into the $H_1$-list. Note that $H_1$-list is originally empty.
• $H_3$-Query: On input, $D_i$, if $(D_i,k_i)$ is in the $H_3$-list which being originally empty, it sends back $k_i$ to $A_I$; otherwise, it picks $k_i\in Z_p$ to return $A_I$ and adds $(D_i,k_i)$ into the $H_3$-list.
• Public-key query: When $A_I$ makes a public key query with $I{D}_i$, if the 3-tuple $(I{D}_i,Y_i,x{k}_i)$ appears in the PK-list which is initially empty. $Y_i$ is returned to $A_I$; otherwise, B picks $x{k}_i\in Z_p$ to set $Y_i=x{k}_i{P}_1$, and adds $(I{D}_i,Y_i,x{k}_i)$ in the PK-list. Finally, it returns $Y_i$ to $A_I$.
• Extract partial-private key Query: Upon receiving a Partial-private key query of the identity $I{D}_i$, if the record $(I{D}_i,Q_i,{\eta }_i,q_i)$ had appeared in the H-list and ${\eta }_i=0$, then B computes $d_{I{D}_i}=q_i·a{P}_1=q_i·\phi (a{P}_2)$. Otherwise, abort it and output ⊥.
• Extract secret-value Query: When $A_i$ issues a query on an identity $I{D}_i$, if 3-tuple $(I{D}_i,Y_i,$ $x{k}_i)$ exists on the PK-list, then $x{k}_i$ is returned to $A_I$, otherwise, B randomly selects $x{k}_i\in Z_p$ to compute $Y_i=x{k}_i{P}_1$ and adds $(I{D}_i,Y_i,x{k}_i)$ in the PK-list.
• Public-key-replace Query: When $A_I$ makes a public key replace query with $(I{D}_i,Y_i^{\prime })$, the corresponding tuple $(I{D}_i,Y_i,x{k}_i)$ is replaced into a new tuple $(I{D}_i,Y_i^{\prime },\perp )$ in the PK-list.
• Decryption Queries: On input, a ciphertext $CT$ and an identity $I{D}_i$, where $CT=(C_1,C_2,C_3,Q_1^{\prime },\dots ,Q_n^{\prime })$, B first issues a H-query with $I{D}_i$ to obtain the tuple $(I{D}_i,Q_i,{\eta }_i,q_i)$, if ${\eta }_i=0$, it sets $d_{I{D}_i}=q_i·P_1$ and make a Extract-secret-value query with $I{D}_i$, if $x{k}_i\ne \perp$ is returned, B can make use of $(d_{I{D}_i},x{k}_i)$ to decrypt $CT$ and respond the Decryption Query. Otherwise, B does the following steps:
  • For $j=1$ to $q_{H_3}${
    it retrieves $k_i$ from $H_3$-list and decrypts $CT$ to recover $M||\tau =D(k_i,CT)$ with $k_i$ to parse it into M and $\tau$ which can recover $\tau TPK$. (Note that we assume that the $H_3$-query had been made before the adversary issues the decryption-query with $CT$).
    if $C_0=f(M)·TPK+f(\tau )TPK$
    break;
    }
  • If $j\le q_{H_3}$, B sends back M to $A_I$. Otherwise, it aborts it.

Challenge. In this phase [13], $A_I$ submits two equivalent-size plaintext $M_0$ and $M_1$, as well as a challenge set of identities/public-keys $S^{*}=(I{D}_1/Y_1,I{D}_2/Y_2,\dots ,I{D}_l/$$P{K}_l)$ with the restriction conditions which $A_I$ have not issued partial-private-key Oracle with $I{D}_i\in S^{*}$ in phase 1 and each ${\eta }_i=1$ in the tuple $(I{D}_i,Q_i,{\eta }_i,q_i)$ of $H_1$-list, where $Y_i$ is a public key which corresponds to the identity $I{D}_i$.

Then, B computes as follows:

• iIt sets $C_1^{*}=c{P}_2$.
• For $j=1$ to l, it computes $x_j^{*}=H_2(I{D}_j)$.
• Next, for $j=1$ to l, it constructs the polynomial

  $$f_j(x)=\prod _{i=1,j\ne i}^l\frac{x-x_i^{*}}{x_j^{*}-x_i^{*}}=\sum _{i=0}^l{a}_{ji}{x}^i.$$
• B randomly chooses $r_1\in Z_p$.
• For $j=1$ to l, it randomly chooses $T_i\in {\mathbb{G}}_1$ to compute $R_j=T_j+r_1{Y}_j$.
• For $j=1,2,\dots ,l$, B computes $Q_j={\sum }_{i=0}^l{a}_{i,j-1}{R}_i$
• B randomly chooses $Q\in {\mathbb{G}}_T$ and $\tau \in {\{0,1\}}^t$ to compute $C_2^{*}=e{(P_1,C_1^{*})}^{r_1}·Q$ and $C_3^{*}=E(K,M_{\beta }||\tau )$, where $K=H_3(Q)$, $\beta \in \{0,1\}$.
• It computes $C_0^{*}=f(M_{\beta })TPK+V$ and $C_{-1}^{*}=e({\alpha }_2{P}_1,P_2)$. Note that in fact $(TPK={\alpha }_1{P}_1,P_1,V,{\alpha }_2{P}_1)$ is also an instance of DDH problem when $(P_1,{\alpha }_1{P}_1,{\alpha }_{2}P,V)$ is an instance of DDH problem, since $P_1={\alpha }_1^{-1}·TPK,V={\alpha }_2·TPK$ and ${\alpha }_2{P}_1={\alpha }_1^{-1}{\alpha }_2·TPK$.
• The resultant ciphertext $C{T}^{*}=(C_{-1}^{*},C_0^{*},C_1^{*},C_2^{*},$ $C_3^{*},Q_1,\dots ,Q_l)$ is returned to $A_I$.

Phase 2.$A_I$ can adaptively make a new series of queries as in Phase 1 with the constraints:

• $C{T}^{*}$ can not be made into Decryption queries.
• All $I{D}_i\in S^{*}$ is not allowed to issue Extract partial-private-key queries.

Guess. Eventually, $A_I$ outputs its guess ${\beta }^{\prime }\in \{0,1\}$.

When $V={\beta }_1{\beta }_2{P}_1$, the challenge ciphertext $C{T}^{*}$ is a valid one. For the perspective of $A_I$, the challenger’s simulation is indistinguishable from the real game. When V is a random element of ${\mathbb{G}}_1$, the challenge ciphertext has the same distribution as the real ciphertext. Furthermore, we assume that $A_I$ must have previously issued $H_1$ query with $X_i=e{(H(I{D}_i),PK)}^c$ Because $C_1^{*}=c{P}_1$, $H(I{D}_i)=q_{i}b{P}_1$ and $PK=a{P}_1$, it means that B can compute $e{(P_1,P_2)}^{abc}={(X_i)}^{q_i^{-1}}$.

Therefore, it is impossible to have an IND-PMCBED-CCA adversary $A_I$ which breaks our PMCBED scheme. □

Theorem 2.

Under the DDH problem in ${\mathbb{G}}_1$, our proposed PMCBED scheme is provably secure against the IND-PMCBED-CCA attack of Type II adversary $A_{II}$.

Proof. 

Assume that there is a Type II of adversary $A_{II}$ in the IND-PMCBED-CCA game. If it breaks our construction, then we are capable of constructing an algorithm B to solve the DDH problem. Let $(P_1,a{P}_1,b{P}_1,Z)$ be an instance of DDH problem in group ${\mathbb{G}}_1$, where $a,b\in Z_p$ are unknown, its goal is to determine $Z=ab{P}_1$. □

Setup. Algorithm B randomly chooses $\alpha \in Z_p$ to compute $PK=\alpha P_1$ and let $TPK=a{P}_1$. Let $PP$ be public parameters, where $PP=(P_1,PK,TPK,e,{\mathbb{G}}_1,{\mathbb{G}}_2,P_2,H,H_1,H_2,H_3,E,D,f)$. Then, it delivers $PP$ and $\alpha$ to the adversary $A_{II}$. $H,H_1,H_3$ are three random oracles which are controlled by B.

Phase 1.$A_{II}$ can adaptively issue a series of queries.

H-Hash Queries. Upon receiving a receiver’s identifier $I{D}_j$, B first checks that $(I{D}_j,Q_j)$ has appeared in the H-list which is initially empty; if it is, then $Q_j$ is returned. Otherwise, B picks $q_j\in Z_p$ at random to calculate $Q_j=q_j{P}_1$ and adds $(I{D}_j,Q_j,q_j)$ in the $H_1$-list. Finally, $Q_j$ is returned.

${\mathbf{H}}_{\mathbf{1}}$-Hash Queries. It is the same as that of Theorem 1.

${\mathbf{H}}_{\mathbf{3}}$-Hash Queries. It is the same as that of Theorem 1.

Public-Key Queries. Upon receiving an identity $I{D}_i$, if the 3-tuple $(I{D}_i,Y_i,x{k}_i)$ has existed in the PK-list that was originally empty, then $Y_i$ is returned. Otherwise, it produces ${\eta }_i\in \{0,1\}$ and randomly chooses $a_i\in Z_p$. If ${\eta }_i=0$, it sets $Y_i=a_i{P}_1$, else it sets $Q_i=a_{i}b{P}_1$ and adds $(I{D}_i,Y_i,{\eta }_i,a_i)$ in the $PK$-list. It returns $Y_i$ to $A_{II}$.

Decryption Query. Upon receiving $(CT,I{D}_i)$, if $I{D}_i$ had existed in the PK-list and the corresponding ${\eta }_i=0$ holds, then B decrypts the ciphertext $CT$ by $(\alpha ·H(I{D}_i),a_i)$ and returns the decrypted message M to the adversary $A_{II}$. Otherwise, B does the following steps:

• For $j=1$ to $q_{H_3}${
  it retrieves $k_i$ from $H_3$-list and decrypts $CT$ to recover $M=D(k_i,CT)$ with $k_i$;
  if $C_0=f(M)·TPK+f(\tau )TPK$
  break;
  }
• If $j\le q_{H_3}$, B sends back M to $A_{II}$. If not, it aborts it.

Challenge Phase. Let $S^{*}=(I{D}_1/Y_1,I{D}_2/Y_2,\dots ,I{D}_l$/$Y_l)$. In this phase, the adversary $A_{II}$ outputs two equivalent length messages $M_0$ and $M_1$, and a set of identites/public-keys $S^{*}$ with the restriction conditions with each ${\eta }_i$ in the tuple $(I{D}_i,Y_i,{\eta }_i,a_i),$ where $I{D}_i\in S^{*}$ satisfies ${\eta }_i=1$.

Then, B is computed as below:

• It uniformly samples $k\in Z_p$ to compute $C_1^{*}=k{P}_2$ and $C_0^{*}=f(M_{\beta })TPK+Z$ as well as $C_{-1}^{*}=e(b{P}_1,P_2)$. Note that we have the relation $(D_0=a{P}_1,D_1=P_1=D_0^{a^{-1}},D_2=Z=D_0^b,D_4=b{P}_1=D_0^{a^{-1}b})$ which is the instance of the CDH problem if $Z=ab{P}_1$.
• For $j=1$ to l, it calculates $x_i^{*}=H_2(I{D}_i)$;
• Then, for $j=1$ to l, it builds the polynomial

  $$f_j(x)=\prod _{j\ne i}^l\frac{x-x_i^{*}}{x_j^{*}-x_i^{*}}=\sum _{i=0}^l{a}_{ji}{x}^i.$$
• For $j=1$ to l, B computes

  $$R_j=H_1(e(\alpha ·H(I{D}_i),C_1^{*}))+a_i·Z.$$

  Note that $r_1$ in the original encryption is set as $r_1=a$ but is unknown.
• For $i\in \{1,2\dots ,l\}$, it calculates

  $$Q_i=\sum _{j=1}^l{a}_{j,i-1}{R}_j.$$
• It randomly selects $Q\in {\mathbb{G}}_T$ to compute $K=H_3(Q)$ and $C_3^{*}=E(K,M_{\beta }||x_Z)$, $x_Z$ denotes the x-coordination of point Z.
• It computes $C_2^{*}=e{(a{P}_1,P_2)}^k·Q$.
• The ciphertext is $C{T}^{*}=(C_{-1}^{*},C_0^{*},C_1^{*},$ $C_2^{*},$ $C_3^{*},$ $Q_1,$ $\dots ,Q_l).$

Phase 2.$A_{II}$ may issue a new series of queries which is the same as what it did in Phase 1 with the restriction that $C{T}^{*}$ is not made in the Decryption query.

Guess. Finally, $A_{II}$ gives its guess ${\beta }^{\prime }$. If $\beta ={\beta }^{\prime }$, $A_{II}$ wins this game with non-ignorable advantage $\epsilon$. When $Z=ab{P}_1$, the ciphertext $C{T}^{*}=(C_0^{*},C_1^{*},C_2^{*},C_3^{*},Q_1,\dots ,Q_l)$ is a valid one since

$$\begin{array}{ccc}\hfill R_j& =& H_1(e(\alpha ·H(I{D}_i),C_1^{*}))+a_i·Z\hfill \\ & =& H_1(e(\alpha ·H(I{D}_i),C_1^{*}))+a(a_i·b)P_1\hfill \\ & =& H_1(e(\alpha ·H(I{D}_i),C_1^{*}))+a·Y_i,\hfill \\ \hfill C_2^{*}& =& e{(a{P}_1,P_2)}^k·Q=e{(P_1,a{P}_2)}^k·Q,\hfill \\ \hfill C_0^{*}& =& f(M_{\beta })TPK+ab{P}_1=f(M_{\beta })TPK+bTPK,\hfill \\ \hfill C_{-1}^{*}& =& e{(P_1,P_2)}^b=e{(P_1,P_2)}^{\tau }.\hfill \end{array}$$

This means that $r_1=a$ and $\tau =b$ in the encryption. Thus, if $A_{II}$ breaks our scheme, then B is able to solve the DDH problem. □

Theorem 3.

Let hash functions $H,H_1,H_3$ be random oracles. If the decisional bilinear Diffie–Hellman problem (DBDH) is hard, then our construction is able to be proved to be secure against the Type I adversary in the ANON-ID-CCA attack game.

Proof. 

Let $A_I$ be an ANON-ID-CCA adversary. If it breaks the proposed AMCLE scheme in a non-ignorable advantage, then we are capable of building a new algorithm B to solve the DBDH problem. □

Setup. Firstly, let $PK=a{P}_1$ act as a master public key, and B builds the following parameters $PP=({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,H,H_1,$ $H_2,H_3,e,p,f,E,D)$, and delivers $PP$ to the adversary $A_I$. $H,H_1,H_3$ are three hash functions that act as random oracles.

Phase 1.$A_I$ is capable of adaptively making a sequence of security queries which are the same as those in Theorem 1.

Challenge. After terminating Phase 1, $A_I$ submits a challenge message M and two disparate sets of identities/public-keys $S_0^{*}=(I{D}_0^{*}/Y_0^{*},I{D}_2/Y_2,$ $\dots ,$ $I{D}_l$/$Y_l)$ and $S_1^{*}=(I{D}_1^{*}/Y_1^{*},I{D}_2/$ $Y_2,$ $\dots ,$ $I{D}_l$/$Y_l)$ with the constraint in which $A_I$ can not issue Extract Partial-private-key queries with $I{D}_i$ for $I{D}_i\in \{S_0^{*},S_1^{*}\}$. B randomly selects $\beta \in \{0,1\}$ to compute as follows:

• It sets $C_1^{*}=c{P}_2$.
• B retrieves $(I{D}_{\beta }^{*},Q_{\beta }^{*},{\eta }_{\beta }^{*},q_{\beta }^{*})$ by issuing a H-query on $I{D}_{\beta }^{*}$, if ${\eta }_{\beta }^{*}=0$ holds, then it aborts it and outputs ⊥; if ${\eta }_{\beta }^{*}=1$, then let $Q_{\beta }^{*}=q_{\beta }^{*}·b{P}_1$ and $X_{\beta }^{*}=Z^{q_{\beta }^{*}}$. Next, it issues $H_2$-queries with $X_{\beta }^{*}$ to obtain $T_{\beta }^{*}$.
• Compute $x_{\beta }^{*}=H_2(I{D}_{\beta }^{*})$, and for $j=2$ to l, it computes $x_i^{*}=H_2(I{D}_i)$.
• Next, for $j\in \{2,3,\dots ,l\}$, it constructs the polynomial

  $$f_j(x)=\prod _{i\ne j,i=1}^l\frac{1}{x_j^{*}-x_i^{*}}·(x-x_i^{*})=\sum _{i=0}^l{a}_{ji}{x}^i.$$
• B randomly chooses $r_1\in Z_p$ and for $j\in \{2,3,\dots ,l\}$, it randomly chooses $T_i\in {\mathbb{G}}_1$ to compute $R_j=T_j+r_1{Y}_j$; and then it computes $R_{\beta }=T_{\beta }+r_1{Y}_{\beta }^{*}$.
• For $j\in \{\beta ,2,3,\dots ,l\}$, B computes $Q_j={\sum }_{i=0}^l{a}_{i,j-1}{R}_i.$
• B randomly chooses $Q\in {\mathbb{G}}_T$ and $\tau \in Z_p$ to compute $C_2^{*}=e{(P_1,C_1^{*})}^{r_1}$ and $C_3^{*}=E(K,M_{\beta }||x_{\tau })$, where $K=H_3(Q)$ and $x_{\tau }$ is the x-coordination of point $\tau ·TPK$.
• B computes $C_0^{*}=(f(M_{\beta })+\tau )TPK$ and $C_{-1}^{*}=e{(P_1,P_2)}^{\tau }$.
• The ciphertext is $C{T}^{*}=(C_{-1}^{*},C_0^{*},C_1^{*},$ $C_2^{*},$ $C_3^{*},$ $Q_1,$ $\dots ,Q_l)$ to the adversary $A_I$.

Phase 2.$A_I$ sequentially issues a new series of queries with the following restrictions:

• $A_I$ can not issue Extract Partial-Private-Key Queries with $ID$, where $ID\in \{I{D}_0^{*},I{D}_1^{*}\}$.
• $A_I$ can not issue Public-Key Replace with $ID$, where $ID\in \{I{D}_0^{*},I{D}_1^{*}\}$.
• $A_I$ can not issue Decryption Queries with $(ID,C{T}^{*})$, where $ID\in \{I{D}_0^{*},I{D}_1^{*}\}$.

Guess. Finally, $A_I$ outputs its guess ${\beta }^{\prime }$. B outputs 1 when $\beta ={\beta }^{\prime }$, it means that $Z=e{(P_1,P_2)}^{abc}$; if $\beta \ne {\beta }^{\prime }$, outputs 0, it means $Z\ne e{(P_1,P_2)}^{abc}$.

Analysis: In the above game, the simulation is indistinguishable from the scheme. If $Z=e{(P_1,P_2)}^{abc}$, then we let $k^{*}=c$. All this time, $C{T}^{*}$ has the same distribution as the ciphertext in the real game; If Z is a random element in ${\mathbb{G}}_T$, then the ciphtertext has the uniform distribution in the ciphertext space since $C_3^{*}=E(K,x_{\tau }||M_{\beta })$, where $K=H_3(Q)$ is a random element. Thus, in the adversary $A_I$’s view, $M_{\beta }$ is independent, and it cannot provide any information to $A_I$. □

Theorem 4.

Let hash functions $H,H_1$ and $H_3$ be a random oracle. If the DDH assumption in groups $({\mathbb{G}}_1,{\mathbb{G}}_2)$ is difficult, then our construction is proven to be secure against the Type II of adversary $A_{II}$ in the ANON-ID-CCA attack game.

Proof. 

Let $A_{II}$ be an adversary. If it breaks our construction, then we are capable of constructing a novel algorithm B which solves the DDH problem. Let $(P_1,a{P}_1,b{P}_1,Z)$ be a random instance of DDH problem in groups $({\mathbb{G}}_1,{\mathbb{G}}_2)$, where $a,b\in Z_p$ are unknown, its goal is to determine $Z=ab{P}_1$. □

Setup. Algorithm B randomly chooses $\alpha \in Z_p$ to set $PK=\alpha P_1$. Let $PP=(P_1,P_2,e,p,PK,f,{\mathbb{G}}_1,{\mathbb{G}}_2,H,H_1,H_2,H_3,(E,D))$ denote public parameters that are built by B. Then, it delivers $PP$ and $\alpha$ to the adversary $A_{II}$. Here $H,H_1,H_3$ are three random oracles that are controlled by B.

Phase 1.$A_{II}$ is capable of issuing a series of the same queries as those of Theorem 2.

Challenge.$A_{II}$ outputs a challenge plaintext $M^{*}$ and two different sets $S_0^{*}$ and $S_1^{*}$ of identities/public-keys, where $S_0^{*}=(I{D}_0^{*}/Y_0^{*},I{D}_2/Y_2,$$\dots ,$$I{D}_l$/$Y_l)$ and $S_1^{*}=(I{D}_1^{*}/$ $Y_1^{*},$ $I{D}_2/$$Y_2,$ $\dots ,$ $I{D}_l$/$Y_l)$. In addition, the following constraints need to be satisfied: $A_{II}$ cannot issue Extract partial-private-key queries on $I{D}_i$ in Phase 1, where $I{D}_i\in \{I{D}_0^{*},I{D}_1^{*}\}$. In addition, then B randomly selects $\beta \in \{0,1\}$ to compute as below:

• First, it makes a Public-key Query on $I{D}_{\beta }^{*}$ to obtain $(I{D}_{\beta }^{*},Y_{\beta }^{*},{\eta }_{\beta }^{*},a_{\beta }^{*})$. If ${\eta }_{\beta }^{*}=0$, output ⊥ and abort it. If ${\eta }_{\beta }^{*}=1$, it means that $Y_{\beta }^{*}=a_{\beta }^{*}·b{P}_1$.
• For $j\in \{\eta ,2,3,\dots ,l\}$, it calculates $x_i^{*}=H_2(I{D}_i)$;
• Then, for $j\in \{\beta ,2,3,\dots ,l\}$, it builds the polynomial

  $$f_j(x)=\prod _{i\ne i}^l\frac{x-x_i^{*}}{x_j^{*}-x_i^{*}}=\sum _{i=0}^l{a}_{ji}{x}^i.$$
• For $j\in \{\beta ,2,3,\dots ,l\}$, B issues Public-key Queries with $I{D}_j$ to obtain $(I{D}_j,Y_j,{\eta }_j,a_j)$. If ${\eta }_{\beta }^{*}=0$, B computes

  $$R_j=H_1(e(\alpha ·H(I{D}_j),C_1^{*}))+a_j·a{P}_1.$$

  If ${\eta }_{\beta }^{*}=1$, it computes $R_j=H_1(e(\alpha ·H(I{D}_j),C_1^{*}))+a_j·Z.$
• For $j\in \{\beta ,2,3,\dots ,l\}$, it computes $Q_i={\sum }_{j=1}^l{a}_{j,i-1}{R}_j.$
• It randomly selects $Q\in {\mathbb{G}}_T$ and $\tau \in Z_p$ to compute $K=H_3(Q)$ and $C_3^{*}=E(K,x_{\tau }||M_{\beta })$.
• It randomly chooses $k\in Z_p$ to compute $C_1^{*}=k{P}_2$ and $C_0^{*}=f(M_{\beta })+\tau ·TPK$ as well as $C_{-1}^{*}=e{(P_1,P_2)}^{\tau }$.
• It computes $C_2^{*}=e{(a{P}_1,P_2)}^k·Q$.
• The resultant ciphertext is $C{T}^{*}=(C_{-1}^{*},C_0^{*},$ $C_1^{*},$ $C_2^{*},$ $C_3^{*},$ $Q_1,$ $\dots ,$ $Q_l).$

Phase 2.$A_{II}$ can still adaptively issue the queries with the following constraints.

• $A_{II}$ is not capable of issuing Public-key Query with $ID$, where $ID\in \{I{D}_0^{*},I{D}_1^{*}\}$.
• $A_{II}$ is not capable of issuing Decryption Query with $(C{T}^{*},ID)$, where $ID\in \{I{D}_0^{*},I{D}_1^{*}\}$.

Guess. Finally, $A_{II}$ returns its guess bit ${\beta }^{\prime }$. B outputs 1 if $\beta ={\beta }^{\prime }$; it means that $Z=ab{P}_1$; otherwise, outputs 0 meaning $Z\ne ab{P}_1$.

Analysis: In the above game, the simulation is indistinguishable from the scheme. When $Z=ab{P}_1$, assume $r_1=a$. The challenge ciphertext has the same distribution as that in the real game, in addition to when Z is a random element of ${\mathbb{G}}_1$, $C_2^{*}$ and $C_3^{*}$ in the ciphtertext has the form $C_2^{*}=e{(a{P}_1,P_2)}^k·Q$ and $C_3^{*}=E(K,x_{\tau }||M_{\beta })$, where $K=H_3(Q)$ and Q are uniform and random. Thus, from the adversary $A_{II}$’s view, $M_{\beta }$ is independent; it provides no information to $A_{II}$. □

7. Performance Analysis

To evaluate the efficiency of the proposed scheme, we give the corresponding computational cost of the main algorithm by comparing with the Hung et al. scheme [37] and Islam et al. scheme [45]. For convenience, we define the following notations. Let $T_p,T_m,T_e$ and $T_h$ denote the time of executing a pairing operation, a scalar multiplication operation and an exponentiation operation as well as a map-to-point hash function, respectively. The computation cost of the main algorithms for the three schemes are shown in

Table 1. Comparison of computation costs in the three schemes.

	Islam et al. Scheme [45]	Hung et al. Scheme [37]	Our Scheme
Computational cost of encryption for n receivers	$(2n+1)T_p+(n^2+n)T_m$	$n{T}_p+n{T}_e+(n+1)T_m+n{T}_h$	$(n+1)T_p+(n+2)T_m+2T_e+n{T}_h$
Complexity of encryption	$O(n^2)$	$O(n)$	$O(n^2)$
Computational cost of decryption for each receiver	$T_m+n{T}_h$	$T_p+1T_M$	$3T_p+(n+3)T_M+T_e$
Complexity of decryption	$O(n)$	$O(1)$	$O(n)$
De-duplication	No	No	Yes
Security	selective-CCA security	selective-CCA security	CCA-security

.

From Table 1, we find that our proposed scheme has more computational costs than the other two schemes. However, our proposed scheme has better security and functionality.

8. Conclusions

The users are increasingly concerned about anonymity. To protect the identity anonymity of the receiver, we construct a privacy-preserving Multi-receiver Certificateless Broadcast Encryption Scheme with De-duplication scheme in this work. It can not only simultaneously achieve confidentiality and the receiver’s identity anonymity, but also achieve duplicate detection to determine whether two different ciphertexts are from the identical message. Thus, our proposal can efficiently reduce the cloud server’s storage burden. It is very significant for cloud storage. Nevertheless, the ciphertext size is linear to the number of the receivers. A very important challenge will be how to construct a PMCBED scheme with constant-size ciphertext.