
Adaptively Secure Anonymous Identity-based Broadcast Encryption for Data Access Control in Cloud Storage Service

  • Chen, Liqing (College of Computer and Information, Hohai University) ;
  • Li, Jiguo (College of Computer and Information, Hohai University) ;
  • Zhang, Yichen (College of Computer and Information, Hohai University)
  • Received : 2018.03.07
  • Accepted : 2018.10.25
  • Published : 2019.03.31

Abstract

Cloud computing is now a widespread and economical option when data owners need to outsource or share their data. Designing a secure and efficient data access control mechanism is one of the most challenging issues in cloud storage service. Anonymous broadcast encryption is a promising solution because of its advantages in computation cost and communication overhead. We put forward an efficient anonymous identity-based broadcast encryption construction together with its application to the data access control mechanism in cloud storage service. The lengths of the public parameters, user private key and ciphertext in the proposed scheme are all constant. Compared with the existing schemes, our construction is more efficient in terms of encryption and decryption computation cost. Furthermore, the proposed scheme is proved to achieve adaptive security against chosen-ciphertext attack adversaries in the standard model. Therefore, the proposed scheme is feasible for data access control systems in cloud storage service.

1. Introduction

Cloud computing has come into widespread adoption nowadays. Compared with traditional computing models, cloud computing has significant advantages in agility, scalability, flexibility, cost saving and energy efficiency [1,2]. Up to the present, cloud storage service is the most extensively used application of cloud computing. A data owner can store massive amounts of data in the cloud to save the cost of local data management. In order to protect the data and prevent it from being compromised by the cloud service provider, the data is usually encrypted by the data owner before being uploaded to the cloud service provider. However, this makes data sharing between the data owner and other designated users inconvenient. Therefore, how to design a data access control mechanism that is both secure and efficient is one of the most challenging issues in cloud storage service [3-16] and social networks [17,18].

The primitive of broadcast encryption (BE) first appeared in the literature [19], and it has become a promising mechanism for data access control that can be deployed in cloud storage service. In short, BE is an efficient cryptographic primitive that allows a broadcaster to deliver one or more messages to a group of target receivers, specified as a set, over an insecure channel. By means of BE, a broadcaster can encrypt messages for multiple receivers within a dynamic set S, and any receiver within S can decrypt the ciphertexts using his/her secret key, whereas no user outside S can decrypt them. Because of its advantages in communication overhead and computation cost, BE has received considerable research and practical interest. Over the past decades, there has been a surge in BE application scenarios including video conferencing, digital rights protection, distance learning, pay cable, online databases, wireless sensor networks, etc.

 Two categories of BE are mainly investigated in previous studies, i.e., symmetric key BE [20] as well as public key BE (PKBE) [21]. In symmetric key BE, only the trusted authority is permitted to issue a broadcast process. Note that the trusted authority is also in charge of the distribution of users’ private keys. In PKBE, any user who obtains the public parameters is permitted to send messages to a group of intended receivers. Obviously, PKBE would be more flexible for BE applications. Therefore, when speaking of BE, it generally refers to PKBE.

Shamir [22] first raised the concept of identity-based cryptosystems (IBC) at Crypto 1984. However, the first identity-based encryption (IBE) construction was not put forward until 2001 [23]. Subsequently, many IBE schemes were proposed [24,25]. Leveraging the idea of IBE, Delerablée [26] introduced identity-based broadcast encryption (IBBE), which can be regarded as a special type of PKBE. Specifically, in IBBE, a user's public key can be any unique identity of the user, e.g. an identity card number, a cell-phone number, etc.

In most BE application scenarios, anonymity is a paramount security requirement, which means that the identities of the target receivers cannot be revealed to receivers in the same group or to unintended users outside the target group. Specifically, to achieve privacy preservation, the intended receivers' identities also need to be protected in the broadcast process. In pay cable, for example, subscribers who are watching sensitive or adult programs certainly do not wish to reveal their identities. More concretely, they may want their identities to remain anonymous not only to users outside the program channel but even to users who subscribe to the same program channel. Another example is that commercial websites or brokerage companies usually do not wish to reveal their customers' identities when pushing information via broadcast; otherwise, competitors may take advantage of the revealed identities for precision advertising or for attracting customers. However, in general PKBE/IBBE schemes [26-31], the set of intended receivers' identities is usually included as a default part of the broadcast ciphertext. Then, in the decryption phase, each user first checks whether he/she is authorized to decrypt according to the target receiver set, so the user naturally obtains the identities of the other target receivers in the same set. Meanwhile, as the ciphertext is transmitted over a public channel, the intended receivers' identities are easily intercepted. Hence, it is imperative that the receivers' identities be kept anonymous in order to protect the receivers' privacy.

Consequently, PKBE (IBBE) schemes with anonymity or privacy preservation were proposed. To be specific, in privacy-preserving or anonymous PKBE, a user can only check whether he/she is an intended receiver; during the whole broadcast process, the user obtains no information about the identities of the other intended receivers. Unlike general PKBE, in anonymous PKBE the broadcast ciphertext does not carry the target receiver set, and the target receiver set is not an input to the decryption algorithm. In fact, over the past decade, many studies have concentrated on constructing anonymous PKBE schemes that are both secure and efficient.

1.1 Related Work

Barth et al. [32] first considered the privacy preservation requirement in BE and proposed two concrete PKBE schemes with sublinear ciphertext length. To protect the receivers' identities, they introduced private broadcast encryption. The two PKBE schemes they presented guarantee the anonymity of the target receivers in the broadcast process. Thereafter, an extensive body of literature on privacy-preserving or anonymous PKBE has emerged. A receiver-anonymous BE scheme with sublinear ciphertext length was proposed in the literature [33]. However, that scheme only achieved anonymity against outside users, not against the intended receivers within the same set. In the literature [34], Libert et al. argued that the anonymity property given in [33] cannot satisfy the requirements of real-world applications. Considering the case where an adversary may corrupt users adaptively, they gave a formal security definition for anonymous broadcast encryption. Their scheme was not efficient, because multiple ciphertext components were used as the broadcast body to achieve anonymity. The anonymous IBBE scheme proposed by Hur et al. [35] achieved static security. In the decryption phase of their scheme, an intended receiver may need several attempts before decrypting successfully. In the literature [36], a privacy-preserving IBBE scheme was put forward which achieved adaptive security without random oracles. The anonymous IBBE scheme proposed in the literature [37] was constructed over asymmetric bilinear groups. Xie and Ren [38] proposed an IBBE scheme which only achieved anonymity against outsiders; their scheme resists chosen-plaintext attack (CPA) adversaries. To hide the identities of the intended receivers, the privacy-preserving PKBE scheme put forward in the literature [39] adopted Lagrange interpolation polynomials. That scheme did not achieve security against adaptive chosen-ciphertext attack (CCA2) adversaries; more precisely, in the second phase of the security game defined in [39], the adversary is forbidden to issue decryption queries. He et al. [40] proposed an anonymous IBBE construction with CCA2 security. However, the security model defined in their paper was weak. In the same year, He et al. [41] provided a generic method for constructing anonymous IBBE schemes from anonymous identity-based encryption (IBE). As with the scheme in [40], the security of the generic construction was also proved under the foregoing weak security model. The security of the two privacy-preserving IBBE constructions given in the literature [42] was proved in the random oracle model and in the standard model, respectively; both schemes achieved CPA security. Lai et al. [43] proposed an anonymous IBBE construction with revocation; its decryption cost grows linearly with the number of revoked users, and the scheme achieved CPA security. Recently, Li et al. [44] put forward a privacy-preserving certificate-based BE construction. Their scheme is efficient owing to its constant decryption cost. Furthermore, it achieves anonymity and confidentiality against CCA2 adversaries simultaneously under a standard assumption.

For most of the existing anonymous or privacy-preserving PKBE/IBBE schemes, the lengths of the user private key, the public parameters and the ciphertext grow linearly either with the maximum number of intended receivers in the system or with the number of current intended receivers. Besides, in some existing schemes, the number of private keys held by each user is also linear in the maximum number of intended receivers.

1.2 Motivation

As mentioned previously, cloud computing is now a widespread and economical solution when data owners need to outsource or share their data. With the aid of cloud storage service, data owners can conveniently upload their data to the cloud or distribute their data to designated authorized users. Benefiting from the advantages of IBC, anonymous IBBE is an efficient option for designing a data access control mechanism in cloud storage service.

Fig. 1 illustrates the system framework of data access control adopting anonymous IBBE in cloud storage service. Four entities are involved in the system framework: the data owner (DO), data users (DUs), the cloud storage server (CSS) and the private key generator (PKG). The data owner encrypts his/her data with a session key and then stores the resulting ciphertext on the cloud storage server. By means of anonymous IBBE, the data owner broadcasts the session key to a target set of data users. More specifically, the data users register with the private key generator using their identities and request access authorization. The private key generator generates private keys for all data users on the basis of their identities and publishes the system public parameters to the data owner and the data users. The data owner then takes the authorized data users as the receivers in a target set and encrypts the session key with anonymous IBBE. The target data users decrypt the broadcast ciphertext with their own secret keys and obtain the session key. Finally, these target data users can access the encrypted data and decrypt it with the session key. It is worth noting that, in this procedure, a target data user is unable to obtain the identities of the other target data users; in other words, the anonymity of the target data users is guaranteed.

Fig. 1. System framework of data access control adopting anonymous IBBE in cloud storage service

However, with respect to the lengths of the system public parameters, user private key and ciphertext, the existing anonymous PKBE/IBBE schemes are infeasible for building a data access control mechanism in cloud storage service. Besides, to achieve anonymity, most previous schemes hide the receivers' identities inside the ciphertext. This technique leads to a high decryption cost, because each target receiver needs to find the right part of the whole ciphertext when decrypting; in other words, a target receiver may need multiple decryption attempts to locate his/her own part of the ciphertext and output the proper broadcast message. Furthermore, it is extremely challenging to achieve CCA2 security for anonymous IBBE schemes. Therefore, our motivation is to design an efficient CCA2-secure anonymous IBBE scheme that is better suited to constructing a data access control mechanism in cloud storage service.

1.3 Our Contribution

With the aid of composite order bilinear groups [45], we put forward an efficient anonymous IBBE scheme that is feasible for implementing a data access control mechanism in cloud storage service. By means of the conversion technique of [46,47], the proposed scheme achieves CCA2 security under the general subgroup decision assumption in the standard model. In terms of efficiency, compared with existing anonymous PKBE/IBBE schemes, the lengths of the public parameters, user private key and ciphertext in the proposed scheme are all constant. Further, our scheme has the advantage of low encryption and decryption cost.

The remainder of this paper is structured as follows. Section 2 first reviews the preliminaries on composite order bilinear groups and the general subgroup decision assumption, and then gives the formal definition and security model for anonymous IBBE. Section 3 presents our scheme together with its application to constructing a data access control mechanism in cloud storage service, and analyzes the scheme's correctness. Section 4 discusses the scheme's security. Subsequently, the scheme's security is converted from CPA to CCA2 in Section 5. Section 6 analyzes our scheme's performance and Section 7 concludes this paper.

2. Preliminaries

2.1 Composite Order Bilinear Groups

Composite order bilinear groups first appeared in the literature [45]. Given the security parameter \(\lambda\) as input, the group generation algorithm generates composite order bilinear groups \((p, \mathbb{G}, \mathbb{G}_T, e)\). Specifically, \(p\) denotes the product of three distinct large primes \(p_1\), \(p_2\) and \(p_3\), namely \(p = p_1 p_2 p_3\). The two multiplicative cyclic groups \(\mathbb{G}\) and \(\mathbb{G}_T\) have the same order \(p\). \(e: \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T\) denotes a bilinear map, while \(g\) denotes a generator of \(\mathbb{G}\). A bilinear map \(e\) should satisfy the following three properties:

(1) Bilinearity: \(e(u^a, v^b) = e(u^b, v^a) = e(u, v)^{ab}\), where \(u, v \in \mathbb{G}\) and \(a, b \in \mathbb{Z}_p^*\).

(2) Non-degeneracy: \(e(g, g) \neq 1\).

(3) Computability: \(e(u, v)\) can be computed efficiently for all \(u, v \in \mathbb{G}\).

Orthogonality. Besides the above properties, the three subgroups \(\mathbb{G}_{p_1}\), \(\mathbb{G}_{p_2}\) and \(\mathbb{G}_{p_3}\) of the group \(\mathbb{G}\), which have order \(p_1\), \(p_2\) and \(p_3\) respectively, satisfy the additional property called orthogonality: \(\forall u_i \in \mathbb{G}_{p_i}\), \(\forall v_j \in \mathbb{G}_{p_j}\), \(e(u_i, v_j) = 1\) whenever \(i \neq j\). Note that this property is crucial for constructing our proposed scheme and proving its security.

2.2 General Subgroup Decision Assumption

The security of our scheme relies on the general subgroup decision (GSD) assumption [48], which consists of three static hardness assumptions. These assumptions rest on the intractability of the large integer factorization problem: for a group order \(p\) as defined above, it is difficult to find its nontrivial factors. As previously mentioned, on input the security parameter \(\lambda\), the group generation algorithm generates composite order bilinear groups \((p = p_1 p_2 p_3, \mathbb{G}, \mathbb{G}_T, e)\). Hereinafter, we use \(\mathbb{G}_{p_i p_j}\) to denote the subgroup of order \(p_i p_j\).

Assumption 1. Let \(g\) be a randomly selected generator of the subgroup \(\mathbb{G}_{p_1}\), \(X_3\) a randomly chosen element of the subgroup \(\mathbb{G}_{p_3}\), \(T_0\) a randomly selected element of the subgroup \(\mathbb{G}_{p_1 p_2}\), and \(T_1\) a randomly selected element of the subgroup \(\mathbb{G}_{p_1}\). Given the tuple \(D = (p, \mathbb{G}, \mathbb{G}_T, e, g, X_3)\), it is difficult to distinguish \(T_0\) from \(T_1\). An algorithm \(\mathcal{B}\)'s advantage is defined as follows:

\(\mathrm{Adv1}_{\mathcal{B}}(\lambda)=\left| \Pr\left[\mathcal{B}(D, T_{0})=1\right]-\Pr\left[\mathcal{B}(D, T_{1})=1\right]\right|\).

Definition 1. If for every probabilistic polynomial-time (PPT) algorithm \(\mathcal{B}\), \(\mathrm{Adv1}_{\mathcal{B}}(\lambda)\) is negligible, then Assumption 1 holds.

Assumption 2. Let \(g\) be a randomly chosen generator of the subgroup \(\mathbb{G}_{p_1}\), \(X_1\) a randomly chosen element of the subgroup \(\mathbb{G}_{p_1}\), \(X_2, Y_2\) two randomly chosen elements of the subgroup \(\mathbb{G}_{p_2}\), \(X_3, Y_3\) two randomly chosen elements of the subgroup \(\mathbb{G}_{p_3}\), \(T_0\) a randomly selected element of the group \(\mathbb{G}\), and \(T_1\) a randomly selected element of the subgroup \(\mathbb{G}_{p_1 p_3}\). Given the tuple \(D = (p, \mathbb{G}, \mathbb{G}_T, e, g, X_1 X_2, X_3, Y_2 Y_3)\), it is difficult to distinguish \(T_0\) from \(T_1\). An algorithm \(\mathcal{B}\)'s advantage is defined as follows:

\(\mathrm{Adv2}_{\mathcal{B}}(\lambda)=\left| \Pr\left[\mathcal{B}(D, T_{0})=1\right]-\Pr\left[\mathcal{B}(D, T_{1})=1\right]\right|\).

Definition 2. If for every PPT algorithm \(\mathcal{B}\), \(\mathrm{Adv2}_{\mathcal{B}}(\lambda)\) is negligible, then Assumption 2 holds.

Assumption 3. Let \(g\) be a randomly chosen generator of the subgroup \(\mathbb{G}_{p_1}\), \(X_2, Y_2, Z_2\) three randomly chosen elements of the subgroup \(\mathbb{G}_{p_2}\), \(X_3\) a randomly chosen element of the subgroup \(\mathbb{G}_{p_3}\), \(\alpha, s\) two randomly chosen elements of \(\mathbb{Z}_p^*\), \(T_0 = e(g, g)^{\alpha s}\), and \(T_1\) a randomly selected element of the group \(\mathbb{G}_T\). Given the tuple \(D = (p, \mathbb{G}, \mathbb{G}_T, e, g, X_3)\), it is difficult to distinguish \(T_0\) from \(T_1\). An algorithm \(\mathcal{B}\)'s advantage is defined as follows:

\(\mathrm{Adv3}_{\mathcal{B}}(\lambda)=\left| \Pr\left[\mathcal{B}(D, T_{0})=1\right]-\Pr\left[\mathcal{B}(D, T_{1})=1\right]\right|\).

Definition 3. If for every PPT algorithm \(\mathcal{B}\), \(\mathrm{Adv3}_{\mathcal{B}}(\lambda)\) is negligible, then Assumption 3 holds.

2.3 Formal Definition

Let \(N\) be the maximum size of the target receiver set. An anonymous IBBE scheme consists of the following four algorithms.

Setup(\(1^\lambda\)). On input the security parameter \(\lambda\), the algorithm generates the public parameters \(params\) and the system master key \(MK\). The system master key \(MK\) is held secretly by the PKG, while the system public parameters \(params\) are publicly released.

KeyGen(\(params, MK, ID_i\)). On input \(params\), \(MK\) and a user identity \(ID_i\), where \(i \in [1, N]\), the PKG outputs the private key \(SK_i\) of user \(ID_i\).

Encrypt(\(params, S, M\)). On input \(params\) and an intended receiver set \(S \subseteq \{ID_1, ID_2, \ldots, ID_N\}\), the algorithm produces \((Hdr, K)\), in which \(Hdr\) is usually called the broadcast header and \(K\) is a session key for a symmetric encryption algorithm. To broadcast a message \(M\) to the receivers in the set \(S\), the broadcaster first generates \((Hdr, K)\), then computes the ciphertext \(C_M\) of \(M\) under \(K\), and finally outputs the pair \((Hdr, C_M)\). \(C_M\) is usually called the broadcast body. The algorithm outputs the final broadcast ciphertext \(CT = (Hdr, C_M)\). It is worth noting that, unlike the final broadcast ciphertext in general IBBE, the set of intended receivers is not included as a default part.

Decrypt(\(params, CT, ID_i, SK_i\)). The input of this algorithm consists of \(params\), a ciphertext \(CT\), a user's identity \(ID_i\) and secret key \(SK_i\). The algorithm outputs the session key \(K\) if the user \(ID_i\) is an intended receiver; the message \(M\) can then be recovered by decrypting the broadcast body \(C_M\) with the session key \(K\). Otherwise, the algorithm outputs \(\bot\).

Correctness. For arbitrary \((params, MK) \leftarrow \mathrm{Setup}(1^\lambda)\), \(SK_i \leftarrow \mathrm{KeyGen}(params, MK, ID_i)\) with \(i \in [1, N]\), \(S \subseteq \{ID_1, ID_2, \ldots, ID_N\}\) and \(CT \leftarrow \mathrm{Encrypt}(params, S, M)\): if \(ID_i \in S\), then \(\mathrm{Decrypt}(params, CT, ID_i, SK_i) = M\); otherwise, \(\mathrm{Decrypt}(params, CT, ID_i, SK_i) = \bot\).

2.4 Security Model

The security model of anonymous IBBE against CCA2 adversaries (ANON-CCA2) is defined by a game played between a challenger and an adversary \(\mathcal{A}\). Both the challenger and the adversary \(\mathcal{A}\) are given the maximum size \(N\) of the target receiver set and the security parameter \(\lambda\).

Setup. The challenger runs the Setup(\(1^\lambda\)) algorithm described above to obtain \(params\) and \(MK\). It then keeps \(MK\) secret and sends \(params\) to \(\mathcal{A}\).

Phase 1. \(\mathcal{A}\) adaptively issues the following two types of queries during this phase.

(1) Key generation query for user \(ID_i\). The challenger runs the KeyGen algorithm to obtain the private key of user \(ID_i\) and returns it to \(\mathcal{A}\).

(2) Decryption query for a tuple \((CT, ID_i)\), where \(ID_i \in S\) and \(S \subset \{ID_1, ID_2, \ldots, ID_N\}\). The challenger runs the Decrypt algorithm and returns the result to \(\mathcal{A}\).

Challenge. Once \(\mathcal{A}\) decides that Phase 1 is finished, it submits two equal-size receiver sets \((S_0^*, S_1^*)\) (with \(S_0^*, S_1^* \subset \{ID_1, ID_2, \ldots, ID_N\}\) and \(|S_0^*| = |S_1^*|\)) and two equal-length broadcast messages \((M_0, M_1)\) for the challenge. The restriction is that, in Phase 1, no user \(ID_i \in S_0^* \,\Delta\, S_1^* = (S_0^* \setminus S_1^*) \cup (S_1^* \setminus S_0^*)\) has had its secret key queried. The challenger tosses a random coin \(b \in \{0, 1\}\) and encrypts \(M_b\) to \(S_b^*\). Finally, \(\mathcal{A}\) receives the challenge ciphertext \(CT^* = \mathrm{Encrypt}(params, S_b^*, M_b)\) from the challenger.

Phase 2. As in Phase 1, \(\mathcal{A}\) continues to adaptively issue the following two types of queries.

(1) Key generation query for user \(ID_i\). As in Phase 1, the challenger answers the query, with the constraint that \(ID_i \notin S_0^* \,\Delta\, S_1^*\).

(2) Decryption query for a tuple \((CT, ID_i)\) with \(ID_i \in S\) and \(S \subset \{ID_1, ID_2, \ldots, ID_N\}\). As in Phase 1, the challenger answers the query, with the constraints that \(CT \neq CT^*\) and \(ID_i \notin S_0^* \,\Delta\, S_1^*\).

Guess. Finally, \(\mathcal{A}\) outputs a guess \(b' \in \{0, 1\}\). If \(b' = b\), \(\mathcal{A}\) wins the game.

The advantage of \(\mathcal{A}\) in winning the above game is defined as:

\(\mathrm{Adv}_{\mathcal{A}}^{\mathrm{ANON\text{-}CCA2}}(\lambda)=\left|\Pr\left[b^{\prime}=b\right]-\frac{1}{2}\right|\).

Definition 4. Suppose the number of key generation queries is \(q_K\) and the number of decryption queries is \(q_D\). An anonymous IBBE scheme achieves \((q_K, q_D, \varepsilon)\)-ANON-CCA2 security if, for every PPT adversary \(\mathcal{A}\), the advantage of \(\mathcal{A}\) is negligible, that is, \(\mathrm{Adv}_{\mathcal{A}}^{\mathrm{ANON\text{-}CCA2}}(\lambda) < \varepsilon\).

If no decryption query is permitted in the above game, then the anonymous IBBE scheme only achieves CPA security (ANON-CPA). ANON-CPA security for anonymous IBBE is defined analogously as follows.

Definition 5. Suppose the number of key generation queries is \(q_K\). An anonymous IBBE scheme achieves \((q_K, \varepsilon)\)-ANON-CPA security if, for every PPT adversary \(\mathcal{A}\), the advantage of \(\mathcal{A}\) is negligible, that is, \(\mathrm{Adv}_{\mathcal{A}}^{\mathrm{ANON\text{-}CPA}}(\lambda) < \varepsilon\).

It is extremely challenging to achieve CCA2 security directly in an anonymous IBBE scheme. Fortunately, Canetti et al. [46,47] proposed an approach to convert a scheme's security from CPA to CCA2. Therefore, our strategy is to first construct a CPA-secure anonymous IBBE scheme, and then raise the scheme's security level from CPA to CCA2 using this conversion approach.

3. Proposed Scheme and Its Application

 We describe our scheme combined with its application to the data access control mechanism in cloud storage service. As illustrated in Fig. 1, four entities are involved in the system framework, namely data owner (DO), data users (DUs), cloud storage server (CSS) and private key generator (PKG). The access control procedure includes the following three steps.

Step 1. The DO applies a symmetric encryption algorithm (e.g. the Advanced Encryption Standard) to encrypt his/her data with a randomly generated session key and stores the encrypted data on the CSS. Let SE denote the symmetric encryption scheme, which consists of two algorithms, SE.Enc and SE.Dec. Let \(K\) denote the session key and \(F\) the data to be encrypted. The final encrypted data stored on the CSS is \(F' = \mathrm{SE.Enc}(F, K)\).

Step 2. The DO uses the anonymous IBBE scheme to send the session key \(K\) to the authorized set of DUs. Given the maximum number of intended receivers \(N\) and the security parameter \(\lambda\), the four algorithms of our scheme are described as follows.

Setup. First, the PKG runs the group generation algorithm on input \(1^\lambda\) to produce composite order bilinear groups \((p, \mathbb{G}, \mathbb{G}_T, e)\). Specifically, as mentioned previously, \(p\) is the product of three distinct large primes \(p_1\), \(p_2\) and \(p_3\), i.e., \(p = p_1 p_2 p_3\); \(\mathbb{G}\) and \(\mathbb{G}_T\) are two multiplicative cyclic groups of the same order \(p\), and \(e: \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T\) is a bilinear map. Then the PKG randomly selects \(g \in \mathbb{G}_{p_1}\) as a generator of the subgroup \(\mathbb{G}_{p_1}\). Besides, the PKG randomly chooses \(h \in \mathbb{G}_{p_1}\) and \(\alpha \in \mathbb{Z}_p^*\). Next, the PKG computes \(v = e(g, g)^{\alpha}\). Let \(H_1: \{0,1\}^* \to \mathbb{G}_{p_1}\) denote a collision-resistant cryptographic hash function. Finally, the system public parameters are \(params = \{p, \mathbb{G}, \mathbb{G}_T, e, g, h, v, H_1\}\) and the system master key is \(MK = \alpha\).

KeyGen. Suppose the target set of DUs is \(S = \{ID_{s_1}, ID_{s_2}, \ldots, ID_{s_n}\}\), \(n \le N\). The PKG computes \(u_{s_i} = H_1(ID_{s_i})\) for all \(i \in [1, n]\). For a target DU \(ID_{s_i} \in S\), \(i \in [1, n]\), the PKG randomly selects \(r_{s_i} \in \mathbb{Z}_p^*\) and \(R_{s_i,0}, R'_{s_i,0}, \{R_{s_i,t_j}\} \in \mathbb{G}_{p_3}\) for \(t_j = s_1, \ldots, s_{i-1}, s_{i+1}, \ldots, s_n\). Then the PKG computes the secret key \(SK_{s_i}\) as follows:

\(SK_{s_{i}}=\left(SK_{s_i, 0}, SK_{s_i, 1}, SK_{s_i, 2}\right)=\left(g^{\alpha}\left(h u_{s_{i}}^{ID_{s_i}}\right)^{r_{s_i}} R_{s_{i}, 0},\; g^{r_{s_i}} R'_{s_i, 0},\; \prod_{j=1, t_j \neq s_i}^{n}\left(u_{t_{j}}^{ID_{t_j}}\right)^{r_{s_i}} R_{s_i, t_j}\right)\)

Encrypt. Given \(params\), the intended set of DUs \(S = \{ID_{s_1}, ID_{s_2}, \ldots, ID_{s_n}\}\) and the session key \(K\), the broadcaster computes \(u_{s_i} = H_1(ID_{s_i})\) for all \(i \in [1, n]\), and randomly selects \(t \in \mathbb{Z}_p^*\) and \(h_1, h_2 \in \mathbb{G}_{p_2}\). Then it computes the ciphertext as below:

\(C T=\left(C_{0}, C_{1}, C_{2}\right)=\left(\left(h \prod_{i=1}^{n} u_{s_{i}}^{I D_{s_i}}\right)^{t} h_{1}, g^{t} h_{2}, v^{t} K\right)\).

The header is \(Hdr = (C_0, C_1)\) and the broadcast body is \(C_M = C_2\). Note that \(v\) is part of the system public parameters and \(u_{s_i}^{ID_{s_i}}\) can be pre-computed.

Decrypt. Given \(params\) and \(CT = (C_0, C_1, C_2)\), an intended data user \(ID_{s_i}\) decrypts with \(SK_{s_i}\) to obtain \(K\) as below:

\(K=C_{2} \cdot \frac{e\left(S K_{s_{i}, 1}, C_{0}\right)}{e\left(S K_{s_{i}, 0} S K_{s_{i}, 2}, C_{1}\right)}\).

Step 3. The target DU accesses the encrypted data \(F'\) stored on the CSS and decrypts it with the session key \(K\). Finally, the target DU obtains the original data \(F = \mathrm{SE.Dec}(F', K)\).

Correctness. We are mainly concerned with the correctness of our anonymous IBBE construction. For a target data user in the set \(S\), all the random elements chosen from the subgroups \(\mathbb{G}_{p_2}\) and \(\mathbb{G}_{p_3}\) are eliminated by the pairing operation according to the orthogonality property. As long as the ciphertext \(CT = (C_0, C_1, C_2)\) is well-formed, the following equation holds.

\(\begin{aligned}
& \frac{e\left(SK_{s_{i}, 1}, C_{0}\right)}{e\left(SK_{s_{i}, 0} SK_{s_{i}, 2}, C_{1}\right)} \\
&=\frac{e\left(g^{r_{s_{i}}} R'_{s_{i}, 0},\left(h \prod_{i=1}^{n} u_{s_{i}}^{ID_{s_{i}}}\right)^{t} h_{1}\right)}{e\left(\left(g^{\alpha}\left(h u_{s_{i}}^{ID_{s_{i}}}\right)^{r_{s_{i}}} R_{s_{i}, 0}\right)\left(\prod_{j=1, t_{j} \neq s_{i}}^{n}\left(u_{t_{j}}^{ID_{t_{j}}}\right)^{r_{s_{i}}} R_{s_{i}, t_{j}}\right), g^{t} h_{2}\right)} \\
&=\frac{e\left(g^{r_{s_i}} R'_{s_i, 0},\left(h \prod_{i=1}^{n} u_{s_{i}}^{ID_{s_i}}\right)^{t} h_{1}\right)}{e\left(\left(g^{\alpha}\left(h u_{s_{i}}^{ID_{s_i}}\right)^{r_{s_i}} R_{s_{i}, 0}\right)\left(\prod_{j=1, t_{j} \neq s_{i}}^{n}\left(u_{t_{j}}^{ID_{t_j}}\right)^{r_{s_{i}}}\right)\left(\prod_{j=1, t_{j} \neq s_{i}}^{n} R_{s_i, t_j}\right), g^{t} h_{2}\right)}\\
&=\frac{e\left(g^{r_{s_i}},\left(h \prod_{i=1}^{n} u_{s_{i}}^{ID_{s_i}}\right)^{t} h_{1}\right) e\left(R'_{s_i, 0},\left(h \prod_{i=1}^{n} u_{s_{i}}^{ID_{s_i}}\right)^{t} h_{1}\right)}{e\left(\left(g^{\alpha} R_{s_{i}, 0}\right)\left(h \prod_{j=1}^{n} u_{t_{j}}^{ID_{t_j}}\right)^{r_{s_i}}\left(\prod_{j=1, t_j \neq s_{i}}^{n} R_{s_{i}, t_{j}}\right), g^{t} h_{2}\right)}\\
&=\frac{e\left(g^{r_{s_i}},\left(h \prod_{i=1}^{n} u_{s_{i}}^{ID_{s_i}}\right)^{t}\right) e\left(g^{r_{s_i}}, h_{1}\right) e\left(R'_{s_i, 0},\left(h \prod_{i=1}^{n} u_{s_{i}}^{ID_{s_i}}\right)^{t}\right) e\left(R'_{s_i, 0}, h_{1}\right)}{e\left(g^{\alpha}, g^{t} h_{2}\right) e\left(R_{s_{i}, 0}, g^{t} h_{2}\right) e\left(\left(h \prod_{j=1}^{n} u_{t_{j}}^{ID_{t_j}}\right)^{r_{s_i}}, g^{t} h_{2}\right) e\left(\prod_{j=1, t_{j} \neq s_{i}}^{n} R_{s_{i}, t_j}, g^{t} h_{2}\right)}\\
&=\frac{e\left(g^{r_{s_i}},\left(h \prod_{i=1}^{n} u_{s_{i}}^{ID_{s_i}}\right)^{t}\right) e\left(g^{r_{s_i}}, h_{1}\right) e\left(R'_{s_{i}, 0},\left(h \prod_{i=1}^{n} u_{s_{i}}^{ID_{s_i}}\right)^{t}\right) e\left(R'_{s_{i}, 0}, h_{1}\right)}{e\left(g^{\alpha}, g^{t}\right) e\left(g^{\alpha}, h_{2}\right) e\left(R_{s_{i}, 0}, g^{t}\right) e\left(R_{s_{i}, 0}, h_{2}\right)}\\
&\quad \cdot \frac{1}{e\left(\left(h \prod_{j=1}^{n} u_{t_{j}}^{ID_{t_j}}\right)^{r_{s_i}}, g^{t}\right) e\left(\left(h \prod_{j=1}^{n} u_{t_{j}}^{ID_{t_j}}\right)^{r_{s_i}}, h_{2}\right) e\left(\prod_{j=1, t_j\neq s_{i}}^{n} R_{s_{i}, t_j}, g^{t}\right) e\left(\prod_{j=1, t_j\neq s_{i}}^{n} R_{s_{i}, t_j}, h_{2}\right)}\\
&=\frac{1}{e\left(g^{\alpha}, g^{t}\right)}\\
&=\frac{1}{v^{t}}
\end{aligned}\)

 According to the orthogonality property, the following terms in the above expansion could be eliminated.

\(\begin{array}{c} e\left(g^{r_{s_i}}, h_{1}\right)=1,\quad e\left(R'_{s_i, 0},\left(h \prod_{i=1}^{n} u_{s_{i}}^{ID_{s_i}}\right)^{t}\right)=1,\quad e\left(R'_{s_{i}, 0}, h_{1}\right)=1 \\ e\left(g^{\alpha}, h_{2}\right)=1,\quad e\left(R_{s_{i}, 0}, g^{t}\right)=1,\quad e\left(R_{s_{i}, 0}, h_{2}\right)=1 \\ e\left(\left(h \prod_{j=1}^{n} u_{t_{j}}^{ID_{t_j}}\right)^{r_{s_i}}, h_{2}\right)=1,\quad e\left(\prod_{j=1, t_j\neq s_{i}}^{n} R_{s_i, t_j}, g^{t}\right)=1,\quad e\left(\prod_{j=1, t_j\neq s_{i}}^{n} R_{s_i, t_j}, h_{2}\right)=1 \end{array}\)

 Then the session key K in the ciphertext could be decrypted as follows:

\(K=C_{2} \cdot \frac{e\left(SK_{s_i, 1}, C_{0}\right)}{e\left(SK_{s_i, 0} SK_{s_i, 2}, C_{1}\right)}=C_{2} \cdot \frac{1}{v^{t}}=v^{t} K \cdot \frac{1}{v^{t}}=K\).
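To make the correctness argument above concrete, the following added Python model executes the four algorithms of Section 3 (Setup, KeyGen, Encrypt, Decrypt) and the cancellation in the derivation. It is not the authors' code and is not a secure instantiation: as a modelling assumption it replaces the composite order pairing group by a transparent stand-in in which the group of order \(p = p_1 p_2 p_3\) is \(\mathbb{Z}_p\) written additively, "\(g^a\)" is \(a \cdot g \bmod p\), the pairing is \(e(u, v) = u \cdot v \bmod p\), and the subgroup of order \(p_i\) is the set of multiples of \(p / p_i\), so orthogonality \(e(u_i, v_j) = 1\) for \(i \neq j\) becomes \(u \cdot v \equiv 0 \pmod p\). The toy primes 11, 13, 17, the identity-to-exponent encoding and the hash \(H_1\) are constructed stand-ins. Because discrete logarithms are trivial in this model, it checks only the algebra (orthogonality, correctness for a target DU, and failure for a key issued for a different receiver set), not confidentiality or anonymity.

```python
import hashlib
import math
import random

# Toy parameters (constructed): three distinct small primes, so p = p1 p2 p3.
P1, P2, P3 = 11, 13, 17
N = P1 * P2 * P3                                   # the group order p of the paper
# The subgroup of order p_i is generated by the cofactor N / p_i.
COF_P1, COF_P2, COF_P3 = P2 * P3, P1 * P3, P1 * P2

RNG = random.Random(2019)   # deterministic toy randomness; enough for checking algebra


def pair(u, v):
    """Toy bilinear map e: G x G -> G_T with G = G_T = Z_N (additive): e(u, v) = u*v mod N."""
    return (u * v) % N


def rand_in(cofactor):
    """Random element of the subgroup G_{p_i}, given its cofactor N / p_i."""
    return (RNG.randrange(N) * cofactor) % N


def rand_unit():
    """Random exponent from Z_p^* (coprime to N), as r_{s_i} and t are in the paper."""
    while True:
        x = RNG.randrange(1, N)
        if math.gcd(x, N) == 1:
            return x


def _digest(tag, ident):
    return int.from_bytes(hashlib.sha256(tag + ident.encode()).digest(), "big")


def id_exp(ident):
    """Toy integer encoding of an identity string: the exponent in u_{s_i}^{ID_{s_i}}."""
    return 1 + _digest(b"ID|", ident) % (P1 - 1)


def orthogonality_holds():
    """e(u, v) = 1 (here 0) across distinct subgroups, and e(g, g) != 1 (here != 0)."""
    cofs = (COF_P1, COF_P2, COF_P3)
    cross = [pair(a, b) for a in cofs for b in cofs if a != b]
    return all(x == 0 for x in cross) and pair(COF_P1, COF_P1) != 0


def setup():
    """Setup: params = (p, G, G_T, e, g, h, v, H1), MK = alpha."""
    g = COF_P1                                     # generator of G_{p1}
    h = rand_in(COF_P1)                            # h in G_{p1}
    alpha = rand_unit()                            # alpha in Z_p^*
    v = (alpha * pair(g, g)) % N                   # v = e(g, g)^alpha

    def H1(ident):                                 # toy H1: {0,1}^* -> G_{p1}
        return ((1 + _digest(b"H1|", ident) % (P1 - 1)) * g) % N

    return {"g": g, "h": h, "v": v, "H1": H1}, alpha


def keygen(params, mk, S, ident):
    """KeyGen for data user `ident` in target set S; the R terms are G_{p3} blinding."""
    if ident not in S:
        raise ValueError("the PKG only issues keys to members of the target set")
    g, h, H1 = params["g"], params["h"], params["H1"]
    r = rand_unit()                                # r_{s_i}
    u_self = (id_exp(ident) * H1(ident)) % N       # u_{s_i}^{ID_{s_i}}
    sk0 = (mk * g + r * (h + u_self) + rand_in(COF_P3)) % N   # g^a (h u^ID)^r R_{s_i,0}
    sk1 = (r * g + rand_in(COF_P3)) % N                       # g^r R'_{s_i,0}
    sk2 = 0                                                   # prod over t_j != s_i
    for other in S:
        if other != ident:
            sk2 = (sk2 + r * id_exp(other) * H1(other) + rand_in(COF_P3)) % N
    return sk0, sk1, sk2


def encrypt(params, S, K):
    """Encrypt the session key K (an element of G_T, here an integer mod N) to the set S."""
    g, h, v, H1 = params["g"], params["h"], params["v"], params["H1"]
    t = rand_unit()
    agg = h                                        # h * prod_i u_{s_i}^{ID_{s_i}}
    for ident in S:
        agg = (agg + id_exp(ident) * H1(ident)) % N
    c0 = (t * agg + rand_in(COF_P2)) % N           # (...)^t h1, h1 in G_{p2}
    c1 = (t * g + rand_in(COF_P2)) % N             # g^t h2,   h2 in G_{p2}
    c2 = (t * v + K) % N                           # v^t K
    return c0, c1, c2


def decrypt(ct, sk):
    """Decrypt: K = C2 * e(SK1, C0) / e(SK0 * SK2, C1), written additively in G_T."""
    c0, c1, c2 = ct
    sk0, sk1, sk2 = sk
    return (c2 + pair(sk1, c0) - pair((sk0 + sk2) % N, c1)) % N


if __name__ == "__main__":
    params, mk = setup()
    S = ["alice", "bob", "carol"]
    ct = encrypt(params, S, 1234)
    print([decrypt(ct, keygen(params, mk, S, who)) for who in S])
```

In the model, every blinding term lands in a different subgroup from the element it is paired with, so the products that the paper lists as equal to 1 are exactly the products that reduce to 0 modulo \(N\); what survives is \(t \cdot v\), which `decrypt` subtracts from \(C_2\). A key issued for a different receiver set leaves an extra multiple of \(e(g, g)\) in the result, so the recovered value is not \(K\).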

Remark 1. Non-linkability (or unlinkability) is an important security property when discussing anonymity [49]. In anonymous IBBE, non-linkability means that, for both unauthorized users outside the target receiver set and the target DUs themselves, 1) none of them can ascribe a broadcast ciphertext to a particular data user, and 2) none of them can link two different broadcast ciphertexts to the same data user. Our scheme provides non-linkability with respect to both unauthorized users outside the target receiver set and the target DUs. Firstly, the identities of the target DUs are never transmitted in plaintext form: they are always embedded in the broadcast ciphertext combined with a fresh nonce. Hence, an unauthorized user outside the target receiver set can neither associate a broadcast ciphertext with a particular data user nor ascribe two broadcast ciphertexts to the same data user. Secondly, a target data user can only decrypt the broadcast ciphertext successfully and thereby learn that he/she is in the intended receiver set. Since, as mentioned previously, the identities of the target DUs are hidden in the broadcast ciphertext, a target data user cannot associate a broadcast ciphertext with any data user other than himself/herself. Furthermore, because the identities of the target DUs are always encrypted with a fresh nonce and session key in each broadcast, a target data user cannot ascribe two broadcast ciphertexts to the same data user other than himself/herself.

 Remark 2. For the data access control mechanism in cloud storage service based on the proposed anonymous IBBE scheme, anonymity mainly means that a target data user is unable to obtain the identities of the other target DUs who are accessing the same cloud storage service. Specifically, anonymity is guaranteed by the orthogonality of the bilinear map over composite order bilinear groups in the secret key generation and encryption phases. In the decryption phase, a data user can only ascertain whether he/she is in the intended set of DUs by decrypting the ciphertext: if he/she decrypts successfully and obtains the session key, he/she is a target data user; otherwise he/she is not. In either case, he/she never learns the identities of the other target DUs. Collusion resistance is another important security property to consider when designing anonymous IBBE schemes, and the proposed scheme achieves it as well. As mentioned previously, a data user can only test whether he/she is a target receiver from the decryption result, and never learns the identities of the other target receivers. In fact, even if a group of data users who have confirmed after decryption that they are all target receivers collude, they still cannot ascertain whether they constitute the complete set of target receivers; in other words, they cannot figure out the identities of the other data users in the complete target receiver set, because the identities of the complete set of target receivers are hidden in the first part of the ciphertext, \(C_0\). Moreover, extracting the identities of the other target receivers hidden in \(C_0\) is a computationally hard problem for a group of colluding data users. Therefore, the anonymity of our scheme is also guaranteed under collusion attacks.

 Remark 3. When DUs leave the system, the revoked DUs are simply excluded from the target set of DUs in the encryption phase; immediately updating the secret keys of the current DUs is not necessary. Specifically, the update can be postponed until a new data user joins. When a new data user joins, the PKG regenerates the secret keys of all current DUs in the secret key generation phase and bears the main computation overhead of this process. It is worth mentioning that our scheme assumes the trusted PKG has powerful computing ability and sufficient storage space, so the computation cost of lightweight DUs, whose computation ability is usually limited, is reduced significantly. However, in the extreme case where the number of secret key update operations is on the same order as the number of broadcast operations, the PKG responsible for distributing secret keys to the current DUs may become the bottleneck of the system, because in our scheme the computation cost of generating a data user's private key grows with the number of current data users. Therefore, improving the secret key generation algorithm and reducing the computation cost of the PKG is a necessary but challenging direction for our future work: the cost of generating a data user's secret key should be independent of the number of current data users, and ideally constant. In terms of communication overhead, when a data user leaves the system there is, as mentioned previously, no need to update the secret keys of the current DUs immediately, so no extra communication overhead arises. For the join scenario, assume that the number of current DUs including the new data user is \(n\). Then the communication overhead when a new data user joins consists of \(n\) unicasts, in which the length of each unicast message equals the length of a data user's secret key.

4. Security Analysis

 We prove that our scheme achieves adaptive CPA security with respect to both confidentiality and anonymity without random oracles. Confidentiality means that the broadcast message (for our scheme, the session key chosen by the broadcaster) is protected; more specifically, the ciphertext of the broadcast message cannot be decrypted by unauthorized users outside the target receiver set. Anonymity means that the identities of the target receivers are protected; more specifically, they cannot be revealed either by users in the same intended receiver set or by users outside it.

 The security of our scheme is proved using the dual system encryption methodology [50]. Before presenting the proof, we first define semi-functional secret keys and ciphertexts, which are used only in the security proof and do not exist in the real system. Let \(g_2\) be a generator of the subgroup \(\mathbb{G}_{p_2}\). Then the semi-functional secret key and ciphertext are defined as follows.

 Semi-functional key. For a user \(ID_{s_i} \in S\), \(i \in [1, n]\), let \((SK_{s_i,0}, SK_{s_i,1}, SK_{s_i,2})\) be a normal secret key generated by the KeyGen algorithm. We randomly choose \(\gamma_0, \gamma_0', \{\gamma_{t_j}\} \in \mathbb{Z}_p^*\) for \(t_j = s_1, \ldots, s_{i-1}, s_{i+1}, \ldots, s_n\). Then the semi-functional private key used in the proof is defined as \(\widetilde{SK}_{s_i,0} = SK_{s_i,0}\, g_2^{\gamma_0}\), \(\widetilde{SK}_{s_i,1} = SK_{s_i,1}\, g_2^{\gamma_0'}\), \(\widetilde{SK}_{s_i,2} = SK_{s_i,2} \prod_{j=1, t_j \neq s_i}^{n} g_2^{\gamma_{t_j}}\).

 Semi-functional ciphertext. Let \((C_0, C_1, C_2)\) denote a normal ciphertext generated by the Encrypt algorithm. We randomly choose two elements \(\lambda_1, \lambda_2 \in \mathbb{Z}_p^*\). Then the semi-functional ciphertext used in the proof is defined as follows:

\(\tilde{C}_{0}=C_{0}\, g_{2}^{\lambda_{1} \lambda_{2}}, \quad \tilde{C}_{1}=C_{1}\, g_{2}^{\lambda_{2}}, \quad \tilde{C}_{2}=C_{2}\).

 Next, we prove that no PPT adversary can distinguish the following security games with non-negligible advantage under the GSD assumption.

 \(\mathrm{Game}^{\mathrm{ANON\text{-}IBBE}}_{\mathrm{Real}}\). This is the real game, following the adaptive security model for anonymous IBBE. All private keys and the challenge ciphertext are normal.

 \(\mathrm{Game}^{\mathrm{ANON\text{-}IBBE}}_{k}\). Assume that in Phase 1 and Phase 2 together the adversary launches at most \(q\) key generation queries. Then in \(\mathrm{Game}^{\mathrm{ANON\text{-}IBBE}}_{k}\) (\(0 \le k \le q\)), the challenge ciphertext is semi-functional, the first \(k\) secret keys are semi-functional, and the remaining \(q-k\) secret keys are normal.

 In particular, in \(\mathrm{Game}^{\mathrm{ANON\text{-}IBBE}}_{0}\) only the challenge ciphertext is semi-functional, while in \(\mathrm{Game}^{\mathrm{ANON\text{-}IBBE}}_{q}\) all private keys and the challenge ciphertext are semi-functional.

 \(\mathrm{Game}^{\mathrm{ANON\text{-}IBBE}}_{\mathrm{Final}}\). In this game, all private keys are semi-functional, and the challenge ciphertext is also semi-functional, but it is an encryption of a randomly chosen element of \(\mathbb{G}_T\) rather than of the message submitted by the adversary.

 Denote by \(\mathrm{Adv}^{\mathcal{A}}_{\mathrm{Game}}\) the advantage of the PPT adversary \(\mathcal{A}\) in a given game. We now show through a series of lemmas that the above games are indistinguishable to any PPT adversary.

 Lemma 1. Assume there exists a PPT adversary \(\mathcal{A}\) with \(\mathrm{Adv}^{\mathcal{A}}_{\mathrm{Game}^{\mathrm{ANON\text{-}IBBE}}_{\mathrm{Real}}} - \mathrm{Adv}^{\mathcal{A}}_{\mathrm{Game}^{\mathrm{ANON\text{-}IBBE}}_{0}} = \varepsilon\). Then we can build a PPT algorithm \(\mathcal{B}\) that breaks Assumption 1 with advantage \(\varepsilon\).

 Proof. As mentioned before, \(\mathbb{G}\) and \(\mathbb{G}_T\) are two multiplicative cyclic groups of the same order \(p = p_1 p_2 p_3\), where \(p_1\), \(p_2\) and \(p_3\) are three distinct large primes, and \(e: \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T\) is a bilinear map. In addition, \(g \in \mathbb{G}_{p_1}\), \(L_1, L_2 \in \mathbb{G}_{p_2}\) and \(X_3 \in \mathbb{G}_{p_3}\). The algorithm \(\mathcal{B}\) is given the instance tuple \((g, L_1, L_2, X_3, T)\) and simulates either \(\mathrm{Game}_{\mathrm{Real}}\) or \(\mathrm{Game}_0\) with the adversary \(\mathcal{A}\). The interaction between \(\mathcal{B}\) and \(\mathcal{A}\) proceeds as follows.

 Setup. \(\mathcal{B}\) selects two random elements \(a, b \in \mathbb{Z}_p^*\). Let \(h = g^b\) and \(v = e(g, g)^a\). The cryptographic hash function \(H_2: \{0,1\}^* \to \mathbb{Z}_p^*\) is collision-resistant. Then \(\mathcal{B}\) publishes the public parameters \(params = \{p, \mathbb{G}, \mathbb{G}_T, e, g, h, v, H_2\}\).

 Phase 1. Suppose the receiver set is \(S = \{ID_{s_1}, ID_{s_2}, \ldots, ID_{s_n}\}\). \(\mathcal{A}\) launches a key generation query for a user \(ID_{s_i} \in S\). \(\mathcal{B}\) first computes \(u_{s_i} = g^{H_2(ID_{s_i})}\) for \(i \in [1, n]\), and randomly chooses \(r, w_0, w_0', \{w_{t_j}\} \in \mathbb{Z}_p^*\) for \(t_j = s_1, \ldots, s_{i-1}, s_{i+1}, \ldots, s_n\). Then the algorithm \(\mathcal{B}\) answers the adversary \(\mathcal{A}\) with the following secret key:

\(SK_{s_i}=\left(S K_{s_i, 0}, S K_{s_i, 1}, S K_{s_i, 2}\right)=\left(g^{a}\left(h u_{s_i}^{I D_{s_i}}\right)^{r} X_{3}^{w_{0}}, g^{r} X_{3}^{w'_{0}}, \prod_{j=1, t_j\neq s_{i}}^{n} u_{t_{j}}^{r{ID}_{t_j}} X_{3}^{w_{t_j}}\right)\).

 The above well-formed secret key looks like a normal secret key generated by KeyGen algorithm. Therefore, it is a proper simulation for the secret key.

 Challenge. \(\mathcal{A}\) presents two messages \((M_0, M_1)\) of equal length, together with two equal-size receiver sets \(S_0^* = \{ID^*_{s_{01}}, ID^*_{s_{02}}, \ldots, ID^*_{s_{0n}}\}\) and \(S_1^* = \{ID^*_{s_{11}}, ID^*_{s_{12}}, \ldots, ID^*_{s_{1n}}\}\), to the algorithm \(\mathcal{B}\) for challenging. The restriction is that, in Phase 1, no user \(ID_{s_i} \in S_0^* \,\Delta\, S_1^* = (S_0^* \setminus S_1^*) \cup (S_1^* \setminus S_0^*)\) has been queried for its secret key. The algorithm \(\mathcal{B}\) chooses \(\sigma \in \{0,1\}\), computes \(a_{s_{\sigma i}} = H_2(ID^*_{s_{\sigma i}})\) for \(i \in [1, n]\), and sets up the challenge ciphertext \(CT^* = (C_0, C_1, C_2) = \left(T^{\,b+\sum_{i=1}^{n} a_{s_{\sigma i}} ID^*_{s_{\sigma i}}} L_1,\; T L_2,\; e(T, g)^{a} M_\sigma\right)\).

 Phase 2. As in Phase 1, \(\mathcal{A}\) continues to issue key generation queries for any user \(ID_{s_i}\), subject to the constraint \(ID_{s_i} \notin S_0^* \,\Delta\, S_1^*\).

 Guess. \(\mathcal{A}\) finally outputs a guess \(b' \in \{0,1\}\). If \(b' = b\), \(\mathcal{A}\) wins the game.

 Observing the structure of \(CT\), it is easy to see that if \(T \in \mathbb{G}_{p_1}\), \(CT\) is a normal ciphertext, so \(\mathcal{B}\) simulates \(\mathrm{Game}_{\mathrm{Real}}\) properly. If, on the other hand, \(T \in \mathbb{G}_{p_1 p_2}\), \(CT\) is a semi-functional ciphertext, so \(\mathcal{B}\) simulates \(\mathrm{Game}_0\) properly. Therefore, \(\mathcal{B}\) can use \(\mathcal{A}\)'s guess to break Assumption 1 with advantage \(\varepsilon\).
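 To see concretely why the Lemma 1 challenge ciphertext is normal or semi-functional depending on \(T\), the following derivation (added here as a worked check; it is not part of the paper's proof) expands the three components using the page's own definitions \(h = g^b\) and \(u_{s} = g^{H_2(ID_{s})}\), so that \(u_{s_{\sigma i}} = g^{a_{s_{\sigma i}}}\). Writing an element of \(\mathbb{G}_{p_1 p_2}\) as \(T = g^{t} g_2^{\lambda_2}\) with \(t, \lambda_2 \in \mathbb{Z}_p\) is an assumed notation (the case \(T \in \mathbb{G}_{p_1}\) is \(\lambda_2 = 0\)):

\(\begin{array}{l} C_{0}=T^{\,b+\sum_{i=1}^{n} a_{s_{\sigma i}} ID^*_{s_{\sigma i}}} L_{1}=\Big(g^{b}\prod_{i=1}^{n} g^{a_{s_{\sigma i}} ID^*_{s_{\sigma i}}}\Big)^{t} g_{2}^{\lambda_{2}\left(b+\sum_{i=1}^{n} a_{s_{\sigma i}} ID^*_{s_{\sigma i}}\right)} L_{1}=\Big(h\prod_{i=1}^{n} u_{s_{\sigma i}}^{ID^*_{s_{\sigma i}}}\Big)^{t} g_{2}^{\lambda_{1}\lambda_{2}} L_{1}, \quad \lambda_{1}=b+\sum_{i=1}^{n} a_{s_{\sigma i}} ID^*_{s_{\sigma i}}, \\ C_{1}=T L_{2}=g^{t} g_{2}^{\lambda_{2}} L_{2}, \\ C_{2}=e(T, g)^{a} M_{\sigma}=e\left(g^{t} g_{2}^{\lambda_{2}}, g\right)^{a} M_{\sigma}=e(g, g)^{a t} M_{\sigma}=v^{t} M_{\sigma}. \end{array}\)

 The last step uses \(e(g_2, g) = 1\), the orthogonality of \(\mathbb{G}_{p_2}\) and \(\mathbb{G}_{p_1}\). With \(\lambda_2 = 0\) the three components are exactly a normal ciphertext with encryption randomness \(t\); with \(\lambda_2 \neq 0\) the extra factors \(g_2^{\lambda_1\lambda_2}\) in \(C_0\) and \(g_2^{\lambda_2}\) in \(C_1\), with \(C_2\) unchanged, are precisely the semi-functional form \((\tilde{C}_0, \tilde{C}_1, \tilde{C}_2)\) defined above.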

 Lemma 2. Assume there exists a PPT adversary \(\mathcal{A}\) which launches at most \(q\) key generation queries and achieves \(\mathrm{Adv}^{\mathcal{A}}_{\mathrm{Game}^{\mathrm{ANON\text{-}IBBE}}_{k-1}} - \mathrm{Adv}^{\mathcal{A}}_{\mathrm{Game}^{\mathrm{ANON\text{-}IBBE}}_{k}} = \varepsilon\), \(k \in [1, q]\). Then we can build a PPT algorithm \(\mathcal{B}\) that breaks Assumption 2 with advantage \(\varepsilon\).

 Proof. As mentioned before, \(\mathbb{G}\) and \(\mathbb{G}_T\) are two multiplicative cyclic groups of the same order \(p = p_1 p_2 p_3\), where \(p_1\), \(p_2\) and \(p_3\) are three distinct large primes, and \(e: \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T\) is a bilinear map. In addition, \(g, X_1 \in \mathbb{G}_{p_1}\); \(X_2, Y_2, L_1, L_2 \in \mathbb{G}_{p_2}\); \(X_3, Y_3 \in \mathbb{G}_{p_3}\). The algorithm \(\mathcal{B}\) is given the instance tuple \((g, X_1 X_2, X_3, Y_2 Y_3, L_1, L_2, T)\) and simulates either \(\mathrm{Game}_{k-1}\) or \(\mathrm{Game}_k\) with the adversary \(\mathcal{A}\). The interaction between the algorithm \(\mathcal{B}\) and the adversary \(\mathcal{A}\) proceeds as follows.

 Setup. The algorithm \(\mathcal{B}\) selects two random elements \(a, b \in \mathbb{Z}_p^*\). Let \(h = g^b\) and \(v = e(g, g)^a\). The cryptographic hash function \(H_2: \{0,1\}^* \to \mathbb{Z}_p^*\) is collision-resistant. Then \(\mathcal{B}\) publishes the public parameters \(params = \{p, \mathbb{G}, \mathbb{G}_T, e, g, h, v, H_2\}\).

 Phase 1. Suppose the receiver set is \(S = \{ID_{s_1}, ID_{s_2}, \ldots, ID_{s_n}\}\). The adversary \(\mathcal{A}\) launches a key generation query for a user \(ID_{s_i} \in S\). According to the relationship between \(s_i\) and \(k\), the algorithm \(\mathcal{B}\) answers the adversary \(\mathcal{A}\) in one of the following three cases.

 Case 1: \(s_i < k\). The algorithm \(\mathcal{B}\) first computes \(u_{s_i} = g^{H_2(ID_{s_i})}\) for \(i \in [1, n]\), and randomly selects \(r, w_0, w_0', \{w_{t_j}\} \in \mathbb{Z}_p^*\) for \(t_j = s_1, \ldots, s_{i-1}, s_{i+1}, \ldots, s_n\). Then it sets user \(ID_{s_i}\)'s secret key as follows:

\(SK_{s_i}=\left(SK_{s_i,0}, SK_{s_i,1}, SK_{s_i,2}\right)=\left(g^{a}\left(h u_{s_i}^{ID_{s_i}}\right)^{r}\left(Y_2 Y_3\right)^{w_{0}},\; g^{r}\left(Y_2 Y_3\right)^{w'_{0}},\; \prod_{j=1, t_j\neq s_{i}}^{n} u_{t_{j}}^{r\,ID_{t_j}}\left(Y_2 Y_3\right)^{w_{t_j}}\right)\).

 The above well-formed secret key looks like a normal secret key generated by KeyGen algorithm. Therefore, it is a proper simulation for the secret key.

 Case 2: \(s_i = k\). The algorithm \(\mathcal{B}\) first randomly selects \(w_0, \{w_{t_j}\} \in \mathbb{Z}_p^*\) for \(t_j = s_1, \ldots, s_{i-1}, s_{i+1}, \ldots, s_n\). It then computes \(a_k = H_2(ID_k)\) and \(a_{t_j} = H_2(ID_{t_j})\) for \(t_j = s_1, \ldots, s_{i-1}, s_{i+1}, \ldots, s_n\), and sets user \(ID_{s_i}\)'s secret key as follows:

\(S K_{s_{i}}=\left(S K_{s_{i}, 0}, S K_{s_{i}, 1}, S K_{s_{i}, 2}\right)=\left(g^{a} T^{b+a_{k} ID_{k}} X_{3}^{w_{0}},\; T,\; \prod_{j=1, t_{j}\neq s_{i}}^{n} T^{a_{t_j} ID_{t_j}} X_{3}^{w_{t_j}}\right)\).

 Observing the structure of \(SK_{s_i}\), it is easy to see that if \(T \in \mathbb{G}_{p_1 p_3}\), \(SK_{s_i}\) is a normal private key for the user \(ID_{s_i}\), while if \(T \in \mathbb{G}\), \(SK_{s_i}\) is a semi-functional private key for the user \(ID_{s_i}\).

 Case 3: \(s_i > k\). The algorithm \(\mathcal{B}\) runs the KeyGen algorithm to generate a normal private key for the user \(ID_{s_i}\).

 Challenge. \(\mathcal{A}\) presents two messages \((M_0, M_1)\) of equal length, together with two equal-size receiver sets \(S_0^* = \{ID^*_{s_{01}}, ID^*_{s_{02}}, \ldots, ID^*_{s_{0n}}\}\) and \(S_1^* = \{ID^*_{s_{11}}, ID^*_{s_{12}}, \ldots, ID^*_{s_{1n}}\}\), to the algorithm \(\mathcal{B}\) for challenging. The restriction is that, in Phase 1, no user \(ID_{s_i} \in S_0^* \,\Delta\, S_1^* = (S_0^* \setminus S_1^*) \cup (S_1^* \setminus S_0^*)\) has been queried for its secret key. The algorithm \(\mathcal{B}\) chooses \(\sigma \in \{0,1\}\), computes \(a_{s_{\sigma i}} = H_2(ID^*_{s_{\sigma i}})\) for \(i \in [1, n]\), and sets up the challenge ciphertext \(CT^* = (C_0, C_1, C_2) = \left((X_1 X_2)^{\,b+\sum_{i=1}^{n} a_{s_{\sigma i}} ID^*_{s_{\sigma i}}} L_1,\; X_1 X_2 L_2,\; e(X_1 X_2, g)^{a} M_\sigma\right)\).

 Phase 2. As in Phase 1, \(\mathcal{A}\) continues to launch key generation queries for any user \(ID_{s_i}\), subject to the constraint \(ID_{s_i} \notin S_0^* \,\Delta\, S_1^*\).

 Guess. \(\mathcal{A}\) finally outputs a guess \(b' \in \{0,1\}\). If \(b' = b\), \(\mathcal{A}\) wins the game.

 We can easily see that if \(T \in \mathbb{G}_{p_1 p_3}\), \(\mathcal{B}\) simulates \(\mathrm{Game}_{k-1}\) properly, while if \(T \in \mathbb{G}\), \(\mathcal{B}\) simulates \(\mathrm{Game}_k\) properly. Therefore, \(\mathcal{B}\) can use \(\mathcal{A}\)'s guess to break Assumption 2 with advantage \(\varepsilon\). □

 Lemma 3. Assume there exists a PPT adversary \(\mathcal{A}\) with \(\mathrm{Adv}^{\mathcal{A}}_{\mathrm{Game}^{\mathrm{ANON\text{-}IBBE}}_{q}} - \mathrm{Adv}^{\mathcal{A}}_{\mathrm{Game}^{\mathrm{ANON\text{-}IBBE}}_{\mathrm{Final}}} = \varepsilon\). Then a PPT algorithm \(\mathcal{B}\) can be built that breaks Assumption 3 with advantage \(\varepsilon\).

 Proof. As mentioned before, \(\mathbb{G}\) and \(\mathbb{G}_T\) are two multiplicative cyclic groups of the same order \(p = p_1 p_2 p_3\), where \(p_1\), \(p_2\) and \(p_3\) are three distinct large primes, and \(e: \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T\) is a bilinear map. In addition, \(g \in \mathbb{G}_{p_1}\); \(X_2, Y_2, Z_2, L_1, L_2 \in \mathbb{G}_{p_2}\); \(X_3 \in \mathbb{G}_{p_3}\); \(a, s \in \mathbb{Z}_p^*\). The algorithm \(\mathcal{B}\) is given the instance tuple \((g, g^{a} X_2, X_3, g^{s} Y_2, Z_2, L_1, L_2, T)\) and simulates either \(\mathrm{Game}_q\) or \(\mathrm{Game}_{\mathrm{Final}}\) with the adversary \(\mathcal{A}\). The interaction between the algorithm \(\mathcal{B}\) and the adversary \(\mathcal{A}\) proceeds as follows.

 Setup. The algorithm \(\mathcal{B}\) selects a random element \(b \in \mathbb{Z}_p^*\). Let \(h = g^b\) and \(v = e(g, g^{a} X_2)\). The cryptographic hash function \(H_2: \{0,1\}^* \to \mathbb{Z}_p^*\) is collision-resistant. Then \(\mathcal{B}\) publishes the public parameters \(params = \{p, \mathbb{G}, \mathbb{G}_T, e, g, h, v, H_2\}\).

 Phase 1. Suppose the receiver set is \(S = \{ID_{s_1}, ID_{s_2}, \ldots, ID_{s_n}\}\). The adversary \(\mathcal{A}\) issues a key generation query for a user \(ID_{s_i} \in S\). The algorithm \(\mathcal{B}\) first computes \(u_{s_i} = g^{H_2(ID_{s_i})}\) for \(i \in [1, n]\), and randomly chooses \(r, w_0, w_0', \{w_{t_j}\}, y_0, y_0', \{y_{t_j}\} \in \mathbb{Z}_p^*\) for \(t_j = s_1, \ldots, s_{i-1}, s_{i+1}, \ldots, s_n\). Then the algorithm \(\mathcal{B}\) answers the adversary \(\mathcal{A}\) with the secret key

\(SK_{s_i}=\left(SK_{s_i,0}, SK_{s_i,1}, SK_{s_i,2}\right)=\left(g^{a} X_2 Z_2^{y_0}\left(h u_{s_i}^{ID_{s_i}}\right)^{r} X_{3}^{w_{0}},\; g^{r} Z_2^{y'_0} X_{3}^{w'_{0}},\; \prod_{j=1, t_j\neq s_{i}}^{n} u_{t_{j}}^{r\,ID_{t_j}} Z_2^{y_{t_j}} X_{3}^{w_{t_j}}\right)\).

 The above well-formed secret key looks like a normal secret key generated by KeyGen algorithm. Therefore, it is a proper simulation for the secret key.

 Challenge. \(\mathcal{A}\) presents two messages \((M_0, M_1)\) of equal length, together with two equal-size receiver sets \(S_0^* = \{ID^*_{s_{01}}, ID^*_{s_{02}}, \ldots, ID^*_{s_{0n}}\}\) and \(S_1^* = \{ID^*_{s_{11}}, ID^*_{s_{12}}, \ldots, ID^*_{s_{1n}}\}\), to \(\mathcal{B}\) for challenging. The restriction is that, in Phase 1, no user \(ID_{s_i} \in S_0^* \,\Delta\, S_1^* = (S_0^* \setminus S_1^*) \cup (S_1^* \setminus S_0^*)\) has been queried for its secret key. The algorithm \(\mathcal{B}\) chooses \(\sigma \in \{0,1\}\), computes \(a_{s_{\sigma i}} = H_2(ID^*_{s_{\sigma i}})\) for \(i \in [1, n]\), and sets up the final challenge ciphertext as follows:

\(C T=\left(C_{0}, C_{1}, C_{2}\right)=\left(\left(g^{s} Y_{2}\right)^{b+\sum_{i=1}^{n} a_{s _{\sigma i}}{I D^*_{s _{\sigma i}}}} L_{1}, g^{s} Y_{2} L_{2}, T M_{\sigma}\right)\).

 Phase 2. As in Phase 1, \(\mathcal{A}\) continues to launch key generation queries for any user \(ID_{s_i}\), subject to the constraint \(ID_{s_i} \notin S_0^* \,\Delta\, S_1^*\).

 Guess. \(\mathcal{A}\) finally outputs a guess \(b' \in \{0,1\}\). If \(b' = b\), \(\mathcal{A}\) wins the game.

 Observing the structure of \(CT\), it is easy to see that if \(T = e(g, g)^{as}\), \(CT\) is a proper semi-functional ciphertext, so the algorithm \(\mathcal{B}\) simulates \(\mathrm{Game}_q\) properly. If instead \(T\) is a randomly chosen element of \(\mathbb{G}_T\), then \(CT\) is a proper semi-functional ciphertext of a random element, so \(\mathcal{B}\) simulates \(\mathrm{Game}_{\mathrm{Final}}\) properly. Therefore, \(\mathcal{B}\) can use \(\mathcal{A}\)'s guess to break Assumption 3 with advantage \(\varepsilon\).
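 As a worked check of the Lemma 3 simulation (added here; not part of the paper's proof), the challenge ciphertext can be expanded with the page's definitions \(h = g^b\), \(u_{s_{\sigma i}} = g^{a_{s_{\sigma i}}}\) and \(v = e(g, g^{a} X_2)\). Writing \(Y_2 = g_2^{\lambda_2}\) for some \(\lambda_2 \in \mathbb{Z}_p\) is an assumed notation for an element of \(\mathbb{G}_{p_2}\):

\(\begin{array}{l} C_{0}=\left(g^{s} Y_{2}\right)^{\,b+\sum_{i=1}^{n} a_{s_{\sigma i}} ID^*_{s_{\sigma i}}} L_{1}=\Big(h\prod_{i=1}^{n} u_{s_{\sigma i}}^{ID^*_{s_{\sigma i}}}\Big)^{s} g_{2}^{\lambda_{1}\lambda_{2}} L_{1}, \quad \lambda_{1}=b+\sum_{i=1}^{n} a_{s_{\sigma i}} ID^*_{s_{\sigma i}}, \\ C_{1}=g^{s} Y_{2} L_{2}=g^{s} g_{2}^{\lambda_{2}} L_{2}, \\ v^{s}=e\left(g, g^{a} X_{2}\right)^{s}=e(g, g)^{a s}, \end{array}\)

 where the last line uses \(e(g, X_2) = 1\). Hence \(C_0\) and \(C_1\) have exactly the semi-functional form with encryption randomness \(s\). If \(T = e(g,g)^{as}\), then \(C_2 = T M_\sigma = v^{s} M_\sigma\) and \(CT\) is the semi-functional encryption of \(M_\sigma\), as in \(\mathrm{Game}_q\); if \(T\) is uniform in \(\mathbb{G}_T\), then \(C_2 = T M_\sigma\) is uniform and independent of \(M_\sigma\), which is exactly the encryption of a random element in \(\mathrm{Game}_{\mathrm{Final}}\).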

 Theorem 1. Let \(\mathbb{G}\) be a group with composite order \(p\) on which an efficient bilinear map exists. If Assumption 1, Assumption 2 and Assumption 3 all hold in \(\mathbb{G}\), the proposed anonymous IBBE scheme is ANON-CPA secure.

 Proof. If Assumption 1, Assumption 2 and Assumption 3 all hold in \(\mathbb{G}\), then by Lemma 1, Lemma 2 and Lemma 3 an adversary's advantage in the real game is negligible. Therefore, the proposed anonymous IBBE scheme is ANON-CPA secure.

 Remark 4. It’s worth noting that, on the basis of the security model for anonymous IBBE presented in Section 2.4, the security requirement of confidentiality and anonymity is combined in one game by submitting two equal-size receiver sets and two equal-length broadcast messages for challenging at the same time. Therefore, the above security

5. Conversion from CPA to CCA2

 In this section, we promote our scheme’s security from CPA to CCA2 by using the conversion approach in [46,47]. For simplicity, we only give the construction sketch for the new scheme. The algorithms of Setup , KeyGen , Encrypt as well as Decrypt have been described previously (cf. Section 2.3).

 Let Sig = (Gen, Sign, Verify) denote a one-time signature scheme with strong unforgeability, which means it is impossible for an adversary to fabricate a new and valid signature on the message which is signed previously. The construction process is as below.

 Step 1. The PKG runs the algorithm \(\mathrm{Setup}(1^\lambda)\) to produce the system master key \(MK\) and the public parameters \(params\).

 Step 2. The PKG runs the algorithm \(\mathrm{KeyGen}(params, MK, ID_i)\) to produce the private key \(SK_i\) for the user \(ID_i\).

 Step 3. Given the message \(M\) and the receiver set \(S\), the broadcaster first executes \(\mathrm{Gen}(1^\lambda)\) to obtain \(vk\) and \(sk\), the keys used for verification and signing, respectively. \(vk\) is regarded as a dummy receiver in \(S\); let \(S' = S \cup \{vk\}\). The broadcaster then runs the algorithm \(\mathrm{Encrypt}(params, S', M)\) to obtain the ciphertext \(CT'\), and executes \(\mathrm{Sign}_{sk}(CT')\) to obtain the signature \(\phi\). The final output ciphertext is \(CT = (vk, CT', \phi)\).

 Step 4. To decrypt \(CT\), the user \(ID_i\) first tests whether \(\mathrm{Verify}_{vk}(CT', \phi) \overset{?}{=} 1\) holds. If it does not hold, the user outputs \(\bot\) directly. Otherwise, the user \(ID_i\) executes the algorithm \(\mathrm{Decrypt}(params, CT', ID_i, SK_i)\) to recover the message \(M\).

 The reader may refer to [46] for the proof of correctness and effectiveness of the above conversion. With the conversion, the security level of our scheme is enhanced from CPA to CCA2.
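 The four steps above, as an added runnable example (this is not the paper's code, and it does not implement the pairing-based IBBE): a fresh one-time verification key \(vk\) is appended to the receiver set as a dummy receiver, the inner ciphertext \(CT'\) is signed under \(sk\), and the receiver runs \(\mathrm{Verify}_{vk}\) before \(\mathrm{Decrypt}\). The inner broadcast scheme is a constructed stand-in that models only the Setup/KeyGen/Encrypt/Decrypt interface: a symmetric key wrap whose broadcaster holds the derivation secret, so the public-key property of the real scheme is deliberately not modelled, and receiver slots are tagged rather than labelled with identities. The one-time signature is a Lamport scheme over SHA-256, which is strongly unforgeable for a single signed message. The function names `cca2_encrypt`, `cca2_decrypt`, `inner_encrypt`, `inner_decrypt`, `serialize_inner` and the `ots_*` helpers are this example's own.

```python
# Added example: CPA-to-CCA2 wrapper of Section 5 over a constructed stand-in
# broadcast scheme. Uses only the Python standard library.
import hashlib
import hmac
import os


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---- One-time signature Sig = (Gen, Sign, Verify): Lamport over SHA-256 ----
def ots_gen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]  # preimage pairs
    vk = [(_h(x0), _h(x1)) for x0, x1 in sk]                      # their hashes
    return vk, sk


def _msg_bits(msg: bytes):
    d = _h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def ots_sign(sk, msg: bytes):
    # reveal one preimage per digest bit; sk must never sign a second message
    return [sk[i][bit] for i, bit in enumerate(_msg_bits(msg))]


def ots_verify(vk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(_h(sig[i]) == vk[i][bit] for i, bit in enumerate(_msg_bits(msg)))


def vk_to_bytes(vk) -> bytes:
    return b"".join(h0 + h1 for h0, h1 in vk)


# ---- Constructed stand-in for the CPA-secure (anonymous) broadcast scheme ----
def setup():
    mk = os.urandom(32)
    return {"mk": mk}, mk   # params carries mk only because of the symmetric stand-in


def keygen(params, mk, identity: bytes) -> bytes:
    return hmac.new(mk, b"key|" + identity, hashlib.sha256).digest()


def _keystream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += _h(key + ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:n]


def inner_encrypt(params, receivers, msg: bytes) -> dict:
    nonce, session = os.urandom(16), os.urandom(32)
    bound = _h(b"|".join(sorted(receivers)))   # binds the whole set S' (vk included)
    slots = []
    for rid in receivers:
        kw = hmac.new(keygen(params, params["mk"], rid), b"wrap|" + nonce + bound,
                      hashlib.sha256).digest()
        tag = hmac.new(kw, b"tag", hashlib.sha256).digest()[:16]
        slots.append((tag, _xor(session, kw)))
    slots.sort()                               # slot order independent of identity order
    return {"nonce": nonce, "bound": bound, "slots": slots,
            "body": _xor(msg, _keystream(session, len(msg)))}


def inner_decrypt(params, ct: dict, identity: bytes, sk: bytes):
    kw = hmac.new(sk, b"wrap|" + ct["nonce"] + ct["bound"], hashlib.sha256).digest()
    tag = hmac.new(kw, b"tag", hashlib.sha256).digest()[:16]
    for t, wrapped in ct["slots"]:
        if hmac.compare_digest(t, tag):        # this receiver's slot
            session = _xor(wrapped, kw)
            return _xor(ct["body"], _keystream(session, len(ct["body"])))
    return None                                # identity is not in S'


def serialize_inner(ct: dict) -> bytes:
    # canonical encoding of CT' that the one-time signature covers
    return ct["nonce"] + ct["bound"] + b"".join(t + w for t, w in ct["slots"]) + ct["body"]


# ---- Section 5 wrapper: CT = (vk, CT', phi) -------------------------------
def cca2_encrypt(params, receivers, msg: bytes):
    vk, sk_sig = ots_gen()                          # Step 3: Gen(1^lambda)
    vk_id = b"vk|" + vk_to_bytes(vk)                # vk acts as a dummy receiver identity
    ct_inner = inner_encrypt(params, list(receivers) + [vk_id], msg)  # S' = S U {vk}
    phi = ots_sign(sk_sig, serialize_inner(ct_inner))                 # Sign_sk(CT')
    return vk, ct_inner, phi


def cca2_decrypt(params, ct, identity: bytes, sk: bytes):
    vk, ct_inner, phi = ct
    if not ots_verify(vk, serialize_inner(ct_inner), phi):   # Step 4: Verify_vk first
        return None                                           # output bottom
    return inner_decrypt(params, ct_inner, identity, sk)
```

 Without the signature check, flipping a byte of the inner body still decrypts to a related message, which is the malleability the wrapper removes; with it, any modification of \(CT'\) makes \(\mathrm{Verify}_{vk}\) fail and the receiver outputs \(\bot\) before touching its secret key. Binding the receiver set digest (including the dummy receiver \(vk\)) into the key wrap mirrors the role of \(vk \in S'\) in the paper's construction.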

6. Performance Analysis

 Table 1 and Table 2 compare the efficiency of our scheme with existing representative (anonymous) PKBE/IBBE schemes. As defined above, \(N\) is the maximum size of the intended receiver set and \(n\) is the size of the current intended receiver set, \(n \le N\). The PKBE/IBBE schemes in [26,28-30,35] adopt prime order bilinear groups. For prime order bilinear groups, P1 denotes a bilinear pairing operation, E1 and M1 denote exponentiation and multiplication in \(\mathbb{G}\), and E2 and M2 denote exponentiation and multiplication in \(\mathbb{G}_T\). Similarly, for composite order bilinear groups, P2 denotes a bilinear pairing operation, E3 and M3 denote exponentiation and multiplication in \(\mathbb{G}\), and E4 and M4 denote exponentiation and multiplication in \(\mathbb{G}_T\). Note that, for ease of description, in composite order bilinear groups we do not distinguish between operations in the group \(\mathbb{G}\) and in the subgroups \(\mathbb{G}_{p_1}\), \(\mathbb{G}_{p_2}\) and \(\mathbb{G}_{p_3}\); operations in \(\mathbb{G}\) stand in for operations in \(\mathbb{G}_{p_1}\), \(\mathbb{G}_{p_2}\) and \(\mathbb{G}_{p_3}\). Prime+Bilinear and Composite+Bilinear denote prime order and composite order bilinear maps, respectively.

Table 1. Efficiency comparison between our and other (anonymous) PKBE/IBBE schemes (I)

Table 2. Efficiency comparison between our and other (anonymous) PKBE/IBBE schemes (II)

 Table 1 shows that, the sizes of public parameters, user secret key as well as ciphertext in our scheme and the scheme in [30] are all constant. However, the scheme in [30] did not consider the anonymity of target receivers. Table 2 shows that, the scheme in [26], the second scheme in [28] and our scheme all need only one decryption attempt, support arbitrary broadcaster as well as dynamic membership, and are identity-based. However, neither the scheme in [26] nor the second scheme in [28] achieved anonymity.

 Furthermore, we implement our scheme and three other existing anonymous PKBE/IBBE schemes [35,36,39] using the well-known PBC (Pairing-Based Cryptography) Library (version 0.5.14). For simplicity, the exponentiation, multiplication and bilinear pairing operations in the encryption and decryption phases are emphasized. We choose type-A and type-A1 as the elliptic curve parameters for prime order and composite order bilinear groups, respectively. The group orders are all 160-bit. As for the experiment environment, the host configuration includes a 2.3 GHz Intel i7 CPU, 8 GB RAM and 64-bit Windows 10, while the virtual machine (VMware 10.0.1) is configured with a single CPU, 4 GB RAM and Ubuntukylin-15.10-desktop-i386.

 Fig. 2 and Fig. 3 illustrate the efficiency comparison between our scheme and the three other anonymous PKBE/IBBE schemes. It is easy to see that our scheme has the lowest encryption and decryption times. In fact, even with anonymity added, our scheme still has lower encryption and decryption costs than general PKBE/IBBE schemes such as the scheme in [31], which was also constructed from composite order bilinear groups (cf. Table 1). Therefore, the proposed scheme is feasible for constructing a data access control mechanism in cloud storage service. The security of our scheme and of existing (anonymous) PKBE/IBBE schemes is compared in Table 3. The related hardness assumptions are explained as follows.

Fig. 2. Encryption time comparison between our and other three anonymous PKBE/IBBE schemes

Fig. 3. Decryption time comparison between our and other three anonymous PKBE/IBBE schemes

 GDDHE: general decisional Diffie-Hellman exponent. q-BDHE: decision q-bilinear Diffie-Hellman exponent. q-TBDHE: decisional truncated q-bilinear Diffie-Hellman exponent. q-ABDHE: truncated decisional q-augmented bilinear Diffie-Hellman exponent. GSD: general subgroup decision. BDH: bilinear Diffie-Hellman. SDA: subgroup decisional assumption. Composite DBDH: composite decisional bilinear Diffie-Hellman

Table 3. Security comparison between our and other (anonymous) PKBE/IBBE schemes

 As shown in Table 3, only our scheme achieves CCA2 security as well as anonymity in the standard model simultaneously. Furthermore, the security of our scheme is built on GSD assumption, which is static and simple.

7. Conclusion

 We bring forward an efficient anonymous IBBE scheme with CCA2 security. Compared with previous anonymous PKBE/IBBE schemes, our scheme is more feasible for constructing a data access control mechanism in cloud storage service, as the lengths of the public parameters, user private key and ciphertext are all constant. In terms of computation cost, our scheme also has an advantage. Furthermore, the security of our scheme is proved in the standard model based on the general subgroup decision assumption.

 Generally, compared with the more commonly used prime order bilinear groups, the computation efficiency of composite order bilinear groups is not satisfactory. Besides, the CCA2 security in our scheme is not obtained directly. Therefore, it is challenging for us in the future to design more efficient anonymous IBBE schemes in virtue of prime order bilinear groups, which can achieve CCA2 security directly. Besides, the construction of anonymous IBBE schemes with leakage resilience [51,52] is another interesting issue.

 

References

  1. B. Hayes, "Cloud computing," Communications of the ACM, vol. 51, no. 7, pp. 9-11, 2008. https://doi.org/10.1145/1342327.1342330
  2. J. Li, H. Yan and Y. Zhang, "Certificateless public integrity checking of group shared data on cloud storage," IEEE Transactions on Services Computing, 2018.
  3. H. Yan, J. Li, J. Han and Y. Zhang, "A novel efficient remote data possession checking protocol in cloud storage," IEEE Transactions on Information Forensics and Security, vol. 12, no. 1, pp. 78-88, 2017. https://doi.org/10.1109/TIFS.2016.2601070
  4. J. Li, X. Lin, Y. Zhang and J. Han, "KSF-OABE: outsourced attribute-based encryption with keyword search function for cloud storage," IEEE Transactions on Services Computing, vol. 10, no. 5, pp. 715-725, 2017. https://doi.org/10.1109/TSC.2016.2542813
  5. J. Li, W. Yao, Y. Zhang, H. Qian and J. Han, "Flexible and fine-grained attribute-based data storage in cloud computing," IEEE Transactions on Services Computing, vol. 10, no. 5, pp. 785-796, 2017. https://doi.org/10.1109/TSC.2016.2520932
  6. Y. Lu and J. Li, "A pairing-free certificate-based proxy re-encryption scheme for secure data sharing in public clouds," Future Generation Computer Systems, vol. 62, pp. 140-147, 2016. https://doi.org/10.1016/j.future.2015.11.012
  7. J. Li, W. Yao, J. Han, Y. Zhang and J. Shen, "User collusion avoidance CP-ABE with efficient attribute revocation for cloud storage," IEEE Systems Journal, vol. 12, no. 2, pp. 1767-1777, 2018. https://doi.org/10.1109/JSYST.2017.2667679
  8. C. Zuo, J. Shao, J.K. Liu, G. Wei and Y. Ling, "Fine-grained two-factor protection mechanism for data sharing in cloud storage," IEEE Transactions on Information Forensics and Security, vol. 13, no. 1, pp. 186-196, 2018. https://doi.org/10.1109/TIFS.2017.2746000
  9. C. Zuo, J. Shao, G. Wei, M. Xie and M. Ji, "CCA-secure ABE with outsourced decryption for fog computing," Future Generation Computer Systems, vol. 78, pp. 730-738, 2018. https://doi.org/10.1016/j.future.2016.10.028
  10. J. Li, Y. Wang, Y. Zhang and J. Han, "Full verifiability for outsourced decryption in attribute based encryption," IEEE Transactions on Services Computing, 2018, DOI: 10.1109/TSC.2017.2710190.
  11. H. Qian, J. Li, Y. Zhang and J. Han, "Privacy preserving personal health record using multi-authority attribute-based encryption with revocation," International Journal of Information Security, vol. 14, no. 6, pp. 487-497, 2015. https://doi.org/10.1007/s10207-014-0270-9
  12. J. Li, Y. Shi and Y. Zhang, "Searchable ciphertext-policy attribute-based encryption with revocation in cloud storage," International Journal of Communication Systems, vol. 30, no. 1, pp. e2942, 2017. https://doi.org/10.1002/dac.2942
  13. J. Ning, X. Dong, Z. Cao, L. Wei and X. Lin, "White-box traceable ciphertext-policy attribute-based encryption supporting flexible attributes," IEEE Transactions on Information Forensics and Security, vol. 10, no. 6, pp. 1274-1288, 2015. https://doi.org/10.1109/TIFS.2015.2405905
  14. J. Ning, Z. Cao, X. Dong, H. Ma, L. Wei and K. Liang, "Auditable σ-times outsourced attribute-based encryption for access control in cloud computing," IEEE Transactions on Information Forensics and Security, vol. 13, no. 1, pp. 94-105, 2018. https://doi.org/10.1109/TIFS.2017.2738601
  15. J. Li, Q. Yu and Y. Zhang, "Hierarchical attribute based encryption with continuous leakage-resilience," Information Sciences, vol. 484, pp. 113-134, 2019. https://doi.org/10.1016/j.ins.2019.01.052
  16. J. Li, Q. Yu and Y. Zhang, "Key-policy attribute-based encryption against continual auxiliary input leakage," Information Sciences, vol. 470, pp. 175-188, 2019. https://doi.org/10.1016/j.ins.2018.07.077
  17. H. Li, Q. Chen, H. Zhu, D. Ma, H. Wen and X. (Sherman) Shen, "Privacy leakage via de-anonymization and aggregation in heterogeneous social networks," IEEE Transactions on Dependable and Secure Computing, 2017.
  18. H. Li, H. Zhu, S. Du, X. Liang and X. (Sherman) Shen, "Privacy leakage of location sharing in mobile social networks: attacks and defense," IEEE Transactions on Dependable and Secure Computing, 2016, DOI: 10.1109/TDSC.2016.2604383.
  19. A. Fiat and M. Naor, "Broadcast encryption," in CRYPTO 1993, LNCS 773, pp. 480-491, 1994.
  20. D. Naor, M. Naor and J. Lotspiech, "Revocation and tracing schemes for stateless receivers," in CRYPTO 2001, LNCS 2139, pp. 41-62, 2001.