1. Introduction
With the rapid growth of the world population, a series of problems have appeared in urban governance. The government must provide some public services to enhance the quality of life of citizens. A practical and safe monitoring network must be established to secure sensitive information, such as water, electricity, and transportation. Traditional techniques and management methods struggle to address these problems effectively. Therefore, utilizing emerging information and communication technologies is essential to address the management of urbanization. In this context, some outstanding scholars have proposed the concept of smart cities [1,2]. For example, Zhang et al. [3] introduced the deficiencies in applying the internet of things (IoT) to smart homes, smart communities, smart grids, and public infrastructure scenarios. Ejaz et al. [4] used two practical examples to summarize the current energy management problems of IoT universities in smart cities. Specifically, the scheme in [4] considers how to effectively reduce energy consumption in the smart home, smart education, smart health, intelligent traffic systems (ITS) and smart industry application fields.
Smart grid is one of the application areas of smart cities, and it is a favorable trend for the development of power grid technology. At present, traditional power grids must rely on smart technology to achieve security information defense capabilities and self-healing capabilities to realize the development and transmission of clean energy while resisting natural disasters and external interference. What is more, smart technology can reduce costs and is cost-effective [5]. However, conventional research has shown that information cannot be transmitted effectively due to the backwardness of many devices and technical deficiencies [6,7].
A possible scheme requires the smart power control center to encrypt and broadcast the ciphertext to the user for transmitting user electricity information efficiently and securely. Broadcast encryption technology allows broadcast servers to share messages with a group of receivers. However, many existing broadcast encryption schemes still have problems and challenges with smart grid data transmission. For instance, they are unable to achieve receiver anonymity. Furthermore, if receivers leave the power system or are malicious users, we must guarantee that direct revocation is implemented under data access control to adapt to the characteristics of the smart grid for transmitting lightweight files in the Internet of Things environment. Therefore, we also consider how to revoke the receivers of the specified set from the ciphertext generated. Our scheme’s main contributions are summarized as follows:
• We propose an efficient and privacy-preserving broadcast encryption scheme. Broadcast encryption is employed to guarantee transmission efficiency among broadcasters and users; Lagrange interpolation technology realizes the properties of receiver anonymity.
• The proposed scheme model combines smart grid application scenarios in smart cities for power data sharing. From the perspective of smart city users, leaving the system will cause information updates and other issues. We use the direct revocation method, which allows the user’s access privileges to be dynamically adjusted.
• We reduced expensive bilinear pairing operations to achieve more lightweight broadcasts and provided a comprehensive security proof and performance analysis of our scheme. The results showed that the efficiency and security of our scheme surpass that of existing schemes, and it is more suitable for practical applications.
In the following two sections, we will briefly review related works and the preliminaries, respectively. The proposed scheme and security proof are respectively presented in sections 4 and 5. In section 6, we present the performance evaluation. The paper is summarized in the last section.
2. Related works
At present, the emergence of sensor technology has a tremendous impact on the conventional grid, which collects detailed power information through sensor devices. Fortunately, sensor networks also provide technical support for power grid state analysis, making the traditional power grid smart. To ensure the security and privacy of information, Saleem et al. [8] discussed power energy waste and data transmission security, and integrated internet of things devices to achieve the generation, distribution, transmission, and use of power data.
However, electricity consumption data may be tampered with or illegally accessed during transmission, which brings huge security risks to the smart grid environment. Only if the ciphertext and user identity satisfy the privacy-preserving properties can the corresponding power information be safely transmitted. Therefore, smart grid access control schemes are emerging one after another nowadays. Fiat et al. [9] proposed the broadcast encryption technology in 1993, which allows the central broadcasting station to broadcast the ciphertext to any set of receivers while minimizing the transmission associated with key management. Privacy is a crucial issue in the broadcast environment. To satisfy the security and anonymity requirements of the broadcaster and receiver’s communication, the schemes in [10, 11, 12] use broadcast encryption technology to protect the privacy and confidentiality of information in a multi-receiver environment. However, the aforesaid schemes cannot adjust the access privileges of malicious and revoked receivers. Significantly, the scheme in [10] introduced Lagrange interpolation and embedded user identity in the ciphertext to realize receiver anonymity.
Direct revocation is an essential technique for standard broadcast encryption schemes. It is used to adjust authorization between multiple receivers such that only receivers within a receiver set specified by the smart power control center can decrypt the ciphertext. A number of works with direct revocation have been proposed in this area. For instance, Jia et al. [13] applied the constant-size ciphertext and private key property of revocation to a broadcast encryption scheme. To improve efficiency, Zhu et al. [14] constructed a mechanism to support designation and revocation and introduced dual-modes. In [15], Li et al. present a new broadcast encryption scheme for prime-order bilinear groups which achieves revocation. However, these works are not aimed at solving receiver anonymity.
To the best of our knowledge, Lai et al. [16, 17, 18, 19] proposed broadcast encryption based on anonymous identities in 2016 and 2017, allowing the data owner to effectively broadcast ciphertext to multiple receivers. These schemes support the direct revocation of the user’s identity, focusing on data access control, where the data owner sends ciphertexts to authorize users to realize the sharing of ciphertexts. These three schemes achieve identity anonymity between receivers, but a large amount of transmission and computation results in low computation efficiency. Nonetheless, in 2019, Wang et al. [20] presented an IBDE broadcast scheme and devised a secure economic data sharing protocol. The scheme is semi-adaptively semantically secure, but it does not guarantee the construction of public-key broadcast encryption by Guo et al. [21]. Constructing public-key broadcast encryption could not realize privacy-preserving and authorization revocation.
3. Preliminaries
In this section, we give the smart grid solution and security goals. Table 1 provides the descriptions of the key symbols used in the proposed scheme.
Table 1. Notations and Descriptions
3.1 Smart grid solution
We consider the smart grid solution, as shown in Fig. 1. Following the smart grid solution in the IoT environment, the primary technologies for each layer are as follows:
perception layer. The perception layer is at the bottom. It mainly includes smart meters, RFID readers, sensors, monitors, M2M and other smart devices for sensing and identifying objects. It collects power consumption data of the users in the system.
Fig. 1. Example application domains in a smart city
network layer. The middle layer uses wired and wireless networks as the nerve center. This layer, called the network layer, realizes the broadcast communication transmission of events on the Internet. It mainly uses WLAN, 3G/4G network, LMDS and other internet technologies to achieve interconnection communication between the smart power control center and users.
platform layer. The middle platform layer has an aggregation switch that inherits user information gathered by the perception layer and supports the IoT infrastructure. In the integrated operating environment of the IoT, the aggregation switch can not only store, calculate, and distribute user data but also manage the user registration privileges in the system.
application layer. The top-layer in the entire architecture of information processing is the application layer. The smart power control center at the application layer can perform internal power dispatch, comprehensive evaluation, and regular maintenance of internal service equipment. For external services, whether government agencies, residential areas, schools, industrial areas or other users, it can provide a smart, accurate and secure power supply.
In many smart grid scenes, each smart meter in the perception layer is equipped with implanted sensor chips. The smart power control center could do real-time remote monitoring of the user’s power conditions by collecting the power data (i.e., power consumption, power use time and instantaneous peak power) through wireless sensor nodes.
The information gathered by the Internet is aggregated to the sink node in the platform layer directly. Then, the control devices distribute, store, and compute the power information in the integrated operating environment, respectively. Finally, the encapsulated information is applied to internal services for users to access.
3.2 Security Notions
Based on the scheme in [22], our scheme defines four security models, respectively: identity-based chosen plaintext attack (IND-ID-CPA) security, anonymous identity-based chosen plaintext attack (ANON-ID-CPA) security, revocable identity-based chosen plaintext attack (IND-rID-CPA) security, and revocable anonymous identity-based chosen plaintext attack (selective ANON-rID-CPA) security. The four security goals are defined by probabilistic polynomial-time games between adversary A and challenger C.
Game 1. IND-ID-CPA security.
This game, under the IND-ID-CPA security model, is played between adversary A and challenger C. The security model is defined as follows:
Setup: Challenger C establishes the algorithm, inputs the security parameter λ , outputs mpk , and keeps msk .
Phase 1: Adversary A can issue private key queries. When receiving private key queries about the identity set \(ID_i\), the challenger C generates \(d_{ID_i}\) and returns it.
Challenge: Once adversary A decides that Phase 1 is over, and without having issued a private key query for any \(ID_i \in S^*\), it outputs two messages of different lengths, \(M_0\) and \(M_1\), and the challenge set \(S^* = (ID_1, ID_2, \ldots, ID_n)\). Challenger C picks a bit \(b \in \{0,1\}\) and outputs the challenge ciphertext CT∗ for \(M_b\) under S∗.
Phase 2: Subject to the above Challenge, A issues more private key queries.
Guess: Adversary A outputs b′ ∈ {0,1} and wins the game if \(b = b'\). We call such an adversary an IND-ID-CPA adversary; it wins the game with advantage \(\mathrm{Adv}_{\text{IND-ID-CPA}}^{A}(\lambda) = \left|\Pr[b = b'] - \frac{1}{2}\right|\).
Definition 1. If the IND-ID-CPA adversary’s advantage \(\mathrm{Adv}_{\text{IND-ID-CPA}}^{A,M}(\lambda)\) in Game 1 is negligible in any polynomial time, the proposed ID-based broadcast encryption scheme for cloud network integration is IND-ID-CPA secure.
Game 2. ANON-ID-CPA security.
The working principle of this security model is as follows: Setup, Phase 1, and Phase 2 are the same as in Game 1.
Challenge: Adversary A generates M∗ and two different sets \(S_0 = \{ID_{0,1}, ID_{0,2}, \ldots, ID_{0,n}\}\) and \(S_1 = \{ID_{1,1}, ID_{1,2}, \ldots, ID_{1,n}\}\) for any \(ID_i \in S_0 \vee S_1 = (S_0 \backslash S_1) \cup (S_1 \backslash S_0)\). Challenger C outputs CT∗ for M∗ under \(S_b\).
Guess: Adversary A outputs b′ ∈ {0,1} and wins the game if \(b = b'\). We call such an adversary an ANON-rID-CPA adversary; it wins the game with advantage \(\mathrm{Adv}_{\text{ANON-ID-CPA}}^{A,M}(\lambda) = \left|\Pr[b = b'] - \frac{1}{2}\right|\).
Definition 2. If the ANON-ID-CPA adversary’s advantage \(\mathrm{Adv}_{\text{ANON-ID-CPA}}^{A}(\lambda)\) in Game 2 is negligible in any polynomial time, the proposed ID-based broadcast encryption scheme for cloud network integration is ANON-ID-CPA secure.
Game 3. IND-rID-CPA security.
The IND-rID-CPA security model is defined as follows: Setup, Phase 1, and Phase 2 are the same as in Game 1.
Challenge: Without the restriction of issuing private key queries, adversary A generates \(R^* = \{ID_{l_1}, ID_{l_2}, \ldots, ID_{l_t}\}\) for any \(ID_i \in S^* \backslash R^*\). Challenger C executes the Encrypt and Revoke algorithms and generates CT∗ for message \(M_b\) under S∗ and R∗.
Guess: Adversary A outputs b′ ∈ {0,1} and wins the game if b = b′. We call such an adversary an IND-rID-CPA adversary; it wins the game with advantage \(\mathrm{Adv}_{\text{IND-rID-CPA}}^{A,M}(\lambda) = \left|\Pr[b = b'] - \frac{1}{2}\right|\).
Definition 3. If the IND-rID-CPA adversary’s advantage \(\mathrm{Adv}_{\text{IND-rID-CPA}}^{A,M}(\lambda)\) in Game 3 is negligible in any polynomial time, the proposed ID-based broadcast encryption scheme for cloud network integration is IND-rID-CPA secure.
Game 4. Selective ANON-rID-CPA security.
Given two revocation sets of different lengths, Setup and Phase 1 are the same as in Game 1.
Init: Adversary A outputs \(R_0 = \{ID_{0,1}, ID_{0,2}, \ldots, ID_{0,t}\}\) and \(R_1 = \{ID_{1,1}, ID_{1,2}, \ldots, ID_{1,t}\}\).
Challenge: A outputs M∗ and broadcasts set \(S^* = (ID_1, ID_2, \ldots, ID_n)\). Challenger C outputs CT∗ for M∗ under S∗ and \(R_b\).
Phase 2: Adversary A initiates more private key queries to \(I D_{i} \notin R_{0} \vee R_{1}\) .
Guess: Adversary A outputs b′ ∈ {0,1} and wins the game if b = b′. We call such an adversary an ANON-rID-CPA adversary; it wins the game with advantage \(\mathrm{Adv}_{\text{ANON-rID-CPA}}^{A,M}(\lambda) = \left|\Pr[b = b'] - \frac{1}{2}\right|\).
Definition 4. If the ANON-rID-CPA adversary’s advantage \(\mathrm{Adv}_{\text{ANON-rID-CPA}}^{A}(\lambda)\) in Game 3 is negligible in any polynomial time, the proposed ID-based broadcast encryption scheme for cloud network integration is selective ANON-rID-CPA secure.
4. System construction
In this section, we introduce the application scenarios and basic construction of our scheme. The purpose of our scheme is to achieve the security of data transmission between smart grid and residential users in the cloud-network integration environment.
4.1 Basic construction of the scheme
The smart grid is a typical application scenario for broadcast encryption schemes in smart cities. In the smart grid, the data in transit (that is, between smart devices and the smart power control center) is encrypted to ensure the users’ privacy.
As shown in Fig. 2, our scheme is suitable for one-to-many ciphertext broadcast scenarios. The cloud-network model mainly includes five entities: private key generator (PKG), smart power control center, cloud server, smart device (smart meter), and data user. We assume the PKG is fully trusted and the cloud server is semi-trusted, which signifies that the cloud server follows the scheme, but is curious about the ciphertext. The PKG generates private keys for the smart power control center and receivers. Then, the smart power control center encrypts messages and transmits the original ciphertext to the cloud server. The cloud server transmits the ciphertext to the power plant and performs power transmission and computation through the network. Finally, it distributes the power ciphertext to users in residential areas. In the entire power transmission process, however, the user who can receive the key has the privileges to use the smart power service and access the ciphertext. The scheme includes the following five algorithms:
Setup(\(1^{\lambda}\)) → (mpk, msk) : It is executed by the PKG, which inputs the security parameter λ :
• The PKG randomly selects a bilinear group BG = (G, GT, e, p), with generator P ∈ G . Then, it chooses a random integer s ∈ Zp , and computes public key Ppub = sP;
• It picks four collision-resistant hash functions:
\(H: \{0,1\}^* \rightarrow Z_p\), \(H_1: \{0,1\}^* \rightarrow G\), \(H_2: G_T \times \{0,1\}^* \rightarrow G\) and \(H_3: G_T \times \{0,1\}^* \rightarrow G\);
• Finally, the PKG outputs mpk = (BG, P, Ppub, H, H1, H2, H3) and msk = s .
Fig. 2. A typical application scenario in smart grid
Keygen(mpk, msk, ID) → dID : On receiving (mpk, msk) and user identity ID ∈ {0,1}∗ , the PKG executes the algorithm to compute \(d_{ID} = sH_1(ID)\) for the user.
Encrypt(mpk, M, S) → CT : The broadcaster, also known as the smart power control center, inputs mpk , receiver set \(S = (ID_1, ID_2, \ldots, ID_n)\) and the message M ∈ G to be shared with the users. It executes the following steps to generate the broadcast ciphertext CT . The encryption phase model is shown in Fig. 3.
Fig. 3. Data encrypt
• It first extracts the function H from the mpk , computes \(x_i = H(ID_i)\) for \(i = 1, 2, \ldots, n\) and constructs a polynomial function \(f_i(x) = \sum_{j=0}^{n-1} a_{i,j} x^j \bmod p\);
• It then randomly chooses two secret integers r1 ∈ Zp and k1 ∈ G to compute
\(A_i = k_1 + H_3\left(e\left(H_1(ID_i), P_{pub}\right)^{r_1}, ID_i\right)\) for \(i \in [1, n]\); we have \(f_i(x_i) = 1\) and \(f_i(x_j) = 0\) for \(i \neq j\);
• It computes C0 = k1 + M, C1 = r1P and \(u_i = \sum_{j=1}^{n} a_{j,i-1} A_j\), \(i = 1, 2, \ldots, n\);
• It then sets \(Hdr = \left(\{u_i : 1 \leq i \leq n\}, C_1\right)\) as broadcast-header;
• It generates the broadcast body ciphertext \(C_M = \left(C_0, A_i : 1 \leq i \leq n\right)\);
• Finally, it broadcasts \(CT = (Hdr, C_M)\) to the cloud server to be stored in the smart meter.
Revoke(mpk, R, CT) → CT′ : Takes the mpk , the revocation identity set R and the broadcast ciphertext \(CT = (Hdr, C_M)\) as input. The received original ciphertext CT is re-encrypted according to the identity of the revoked user to obtain the revoked ciphertext CT′ . In this process, the cloud server performs the algorithm and uses Lagrange interpolation to hide the receiver’s identity, but it cannot obtain any user identity or sensitive information from the ciphertext.
• If revocation identity set R = ∅ , then the cloud server sets CT′ = CT. Otherwise, it randomly selects an integer k2 ∈ G to compute \(C_0' = k_2 + C_0\) and \(x_i = H(ID_i)\) for \(ID_i \in R\). It then constructs the polynomial function \(g(x) = \prod_{i=1}^{t}(x - x_i) = \sum_{i=1}^{t} b_i x^{i-1} \bmod p\);
• For any \(i = 1, 2, \ldots, n\), it computes \(T_i = g(x_i)^{-1} b_i k_2\), with \(b_i = 0\) for \(i = t+1, t+2, \ldots, n-1\);
• It sets Hdr = ({Ti : 1 ≤ i ≤ n}) as broadcast-header after revocation;
• It then generates the broadcast body ciphertext \(C_{M}^{\prime}=\left(R, C_{0}^{\prime}\right)\);
• Finally, it broadcasts the ciphertext \(C T^{\prime}=\left(H d r, C_{M}^{\prime}\right)\) to the user and stores it in the smart meter.
Decrypt(mpk, CT′, IDi, dID) → M : Taking the mpk , the ciphertext after revocation CT′ , the receiver’s identity \(ID_i\) , and privacy key dID as input, the user executes the decryption algorithm to obtain the plaintext M . The revocation phase and the decryption phase model are shown in Fig. 4.
Fig. 4. ID revoke and Data decrypt
• It extracts the function H from the mpk , computes \(x_i = H(ID_i)\), \(i = 1, 2, \ldots, n\);
• It parses out \(u = u_1 + x_i u_2 + x_i^2 u_3 + \cdots + x_i^{n-1} u_n\) from \(\{u_i : 1 \leq i \leq n\}\);
• It then obtains \(k_1' = u - H_3\left(e\left(C_1, d_{ID_i}\right), ID_i\right)\) and \(k_2' = T_1 + x_i T_2 + x_i^2 T_3 + \cdots + x_i^{t-1} T_t\);
• Finally, it recovers message \(M = C_0' - k_1' - k_2'\). If the identity satisfies IDi ∈ S and IDi ∉ R , where \(k_1' = k_1, k_2' = k_2\) , the ciphertext is decrypted to obtain the correct plaintext.
In the definition of an encryption algorithm, the size of the revocation number t < n depends on the real situation of the application. If t = 0 , the data owner does not allow the server to revoke any user's identity. t = n indicates that the data owner allows the server to revoke any identity status in the set.
Correctness: We give the correctness of our proposed scheme as follows:
For each IDi ∈ S , after obtaining xi by using its private key, we compute
\(\begin{aligned} u &= u_1 + x_i u_2 + x_i^2 u_3 + \cdots + x_i^{n-1} u_n \\ &= \left(a_{1,0} + a_{1,1} x_i + a_{1,2} x_i^2 + \cdots + a_{1,n-1} x_i^{n-1}\right) A_1 \\ &\quad + \left(a_{2,0} + a_{2,1} x_i + a_{2,2} x_i^2 + \cdots + a_{2,n-1} x_i^{n-1}\right) A_2 + \cdots \\ &\quad + \left(a_{n,0} + a_{n,1} x_i + a_{n,2} x_i^2 + \cdots + a_{n,n-1} x_i^{n-1}\right) A_n \\ &= f_1(x_i) A_1 + f_2(x_i) A_2 + \cdots + f_n(x_i) A_n = A_i \end{aligned}\)
Then, we compute \(k_{1}^{\prime}\) as
\(k_1' = u - H_3\left(e\left(C_1, d_{ID_i}\right), ID_i\right) = k_1 + H_3\left(e\left(sH_1(ID_i), P\right)^{r_1}, ID_i\right) - H_3\left(e\left(P, sH_1(ID_i)\right)^{r_1}, ID_i\right) = k_1.\)
For any IDi ∈ S and IDi ∉ R , g(xi) ≠ 0 and we obtain \(k_{2}^{\prime}\) as
\(k_2' = T_1 + x_i T_2 + x_i^2 T_3 + \cdots + x_i^{t-1} T_t = g(x_i)^{-1} k_2\, g(x_i) = k_2\)
After recovering \(k_{1}^{\prime}\) and \(k_{2}^{\prime}\) , we obtain the message as
\(C_{0}^{\prime}-k_{1}^{\prime}-k_{2}^{\prime}=k_{2}^{\prime}+C_{0}-k_{1}^{\prime}-k_{2}^{\prime}=k_{1}+M-k_{1}^{\prime}=M\)
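The header construction and the first correctness step above, as an added example that is not code from the paper: it builds the Lagrange coefficients \(a_{i,j}\), forms \(u_i = \sum_j a_{j,i-1} A_j\), lets a receiver evaluate \(u\) at \(x_i\) to recover \(k_1\), and checks that \(g\) vanishes exactly on revoked identities. Assumptions: the group G is replaced by the integers modulo the prime \(2^{127}-1\), and the pairing-derived mask \(H_3(e(\cdot,\cdot), ID_i)\) is replaced by an HMAC under a constructed master secret that the toy sender also holds; all function names and identities are hypothetical.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1  # prime modulus; toy stand-in for the group order p (assumption)

def to_zp(tag: bytes, *parts: bytes) -> int:
    """Domain-separated SHA-256 reduced into Z_p."""
    return int.from_bytes(hashlib.sha256(tag + b"|" + b"|".join(parts)).digest(), "big") % P

def H(identity: str) -> int:
    """x_i = H(ID_i)."""
    return to_zp(b"H", identity.encode())

def keygen(msk: bytes, identity: str) -> bytes:
    """Stand-in for d_ID = s*H_1(ID): an HMAC under a constructed master secret."""
    return hmac.new(msk, identity.encode(), hashlib.sha256).digest()

def mask(d_id: bytes, nonce: bytes, identity: str) -> int:
    """Stand-in for H_3(e(C_1, d_ID), ID_i); nonce plays the role of C_1 = r_1*P."""
    shared = hmac.new(d_id, nonce, hashlib.sha256).digest()
    return to_zp(b"H3", shared, identity.encode())

def mul_linear(coeffs, root):
    """Multiply a polynomial (coefficients low to high) by (x - root) mod P."""
    out = [0] * (len(coeffs) + 1)
    for k, c in enumerate(coeffs):
        out[k] = (out[k] - root * c) % P
        out[k + 1] = (out[k + 1] + c) % P
    return out

def poly_eval(coeffs, x):
    """Horner evaluation mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def lagrange_basis(xs):
    """Coefficients a[i][j] of f_i with f_i(x_i) = 1 and f_i(x_j) = 0 for j != i."""
    if len(set(xs)) != len(xs):
        raise ValueError("two identities hash to the same x; interpolation is undefined")
    basis = []
    for i, xi in enumerate(xs):
        num, denom = [1], 1
        for j, xj in enumerate(xs):
            if j != i:
                num = mul_linear(num, xj)
                denom = denom * (xi - xj) % P
        inv = pow(denom, -1, P)
        basis.append([c * inv % P for c in num])
    return basis

def encrypt_header(receivers, msk, k1):
    """Return (nonce, u) where u[i-1] = sum_j a[j][i-1] * A_j, as in Encrypt."""
    nonce = secrets.token_bytes(16)
    xs = [H(r) for r in receivers]
    A = [(k1 + mask(keygen(msk, r), nonce, r)) % P for r in receivers]
    a = lagrange_basis(xs)
    n = len(receivers)
    u = [sum(a[j][i] * A[j] for j in range(n)) % P for i in range(n)]
    return nonce, u

def recover_k1(identity, d_id, nonce, u):
    """Decrypt side: u(x_i) = A_i, then strip the receiver's own mask."""
    return (poly_eval(u, H(identity)) - mask(d_id, nonce, identity)) % P

def revocation_poly(revoked):
    """g(x) = prod (x - H(ID)) over the revoked set R."""
    g = [1]
    for r in revoked:
        g = mul_linear(g, H(r))
    return g

if __name__ == "__main__":
    msk = b"constructed-master-secret"            # constructed sample value
    S = ["meter-001", "meter-002", "meter-003"]   # constructed identities
    k1 = secrets.randbelow(P)
    nonce, u = encrypt_header(S, msk, k1)
    for ident in S + ["meter-999"]:
        ok = recover_k1(ident, keygen(msk, ident), nonce, u) == k1
        print(ident, "recovers k1" if ok else "gets an unrelated value")
    g = revocation_poly(["meter-002"])
    print([poly_eval(g, H(i)) != 0 for i in S])
```

The header carries only the n mixed coefficients, so it lists no identity; the example does not model the \(T_i\) values or the pairing.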
5. Security proof
In this section, we give the security proof of the proposed scheme.
Definition 5. BDH [23]. Let G and GT be multiplicative cyclic groups of prime order p, let P be a generator of G, and let e: G × G → GT be the bilinear map. Given (P, aP, bP, cP) for unknown a, b, c ∈ Zp , the problem is to compute \(e(P,P)^{abc} \in G_T\). Adversary A has advantage ε in solving the BDH problem if \(\Pr\left[A(P, aP, bP, cP) = e(P,P)^{abc}\right] \geq \varepsilon\).
Theorem 1. Define functions H and H3 . If the BDH assumption holds and A attacks our scheme with advantage ε , the algorithm B solves the BDH problem with advantage \(\varepsilon' \geq \varepsilon \cdot \left(e \cdot n \cdot q_E \cdot q_{H_3}\right)^{-1}\), where n is the number of broadcast identities, qE is the number of queries to the private key and \(q_{H_3}\) is the number of queries to the hash function H3 .
Proof. If there is an IND-ID-CPA adversary, it will attack our scheme with non-negligible advantage ε . Algorithm B is defined to solve the BDH problem with advantage ε′ . B inputs a random instance of the BDH problem (P, aP, bP, cP) and computes \(e(P,P)^{abc}\). In Game 1, the interaction between simulator B and adversary A is as follows:
Setup: Simulator B sets Ppub = aP and mpk = (P, Ppub, H1, H2) . The response of B to the identity IDi query is as follows:
H-query: Creates L and initializes it to be null. If the identity IDi queried in (IDi, ci, ti, li) already appears in L , it returns H(IDi) = hi ; otherwise, B randomly chooses a \(t_i \in Z_p^*\) and uses Pr[ci = 0] = δ to choose ci ∈ {0,1} . If ci = 0 , B computes hi = ti bP ; otherwise, it computes hi = ti P , adds (IDi, ci, ti, hi) to L , and uses \(h_i\) to respond to adversary A .
H3-query: The response of simulator B to the (Yi, IDi) query is as follows: It creates L3(Yi, IDi, γi) and initializes it to null. If the (Yi, IDi) queried in (Yi, IDi, γi) appears in L3 , it returns H3(Yi, IDi) = γi , adds (Yi, IDi, γi) to L3 , and uses γi to respond to adversary A .
Phase 1: Simulator B obtains the corresponding ci and ti from L . If ci and ti do not exist, it executes H -query to obtain the corresponding ci and ti . If ci = 0 , B terminates the operation, otherwise, it computes \(d_{I D_{i}}=s H_{1}\left(I D_{i}\right)=a t_{i} P=t_{i} P_{p u b}\).
Challenge: Once adversary A decides that Phase 1 is over, it outputs messages Μ0 and Μ1 of different lengths and broadcasts identity set \(S^* = (ID_1, ID_2, \ldots, ID_n)\). Simulator B performs the following steps:
• It randomly selects ID0 ∈ S* , \(B_{i}^{*} \in G\) and \(C_{0}{ }^{*} \in G\);
• It computes \(C_{1}^{*}=r_{1}^{*} P, r_{1}^{*} \in Z_{p}\);
• It obtains the value of H(IDi) from L , and computes
\(A_{i}^{*}=k_{1}+H_{3}\left(e\left(H_{1}\left(I D_{i}\right), P_{p u b}\right)^{r_{1}{ }^{*}}, I D_{i}\right) \text { and } x_{i}^{*}=H\left(I D_{i}\right) ;\)
• It then creates the polynomial function \(f_i(x) = \sum_{j=0}^{n-1} a_{i,j} x^j\), computes \(u_i^* = \sum_{j=1}^{n} a_{j,i-1} A_j^*\) and defines the challenge ciphertext \(CT^* = \left(C_0^*, C_1^*, r_1^*, u_i^*, i = 0, 1, \ldots, n\right)\).
Phase 2: Adversary A cannot query the private key of IDi , IDi ∈ S∗ . The response of B is the same as that of Phase 1.
Guess: Simulator B simulates the real attack environment of adversary A . If \(c_j = 0\), \(H(ID_j) = t_j bP\) and \(d_{ID_j} = t_j abP\), it checks \(e\left(d_{ID_j}, C_1^*\right) = e(P,P)^{t_j a b r_1^*}\), and the simulator randomly selects \((Y_j, ID_j, \gamma_j)\) from \(L_3\), parses the corresponding \(t_j\) from L and outputs \(Y_j^{t_j^{-1}}\). It then defines \(W_i = \left(e\left(H(ID_i), P_{pub}\right)^{r_1}, ID_i\right)\). Simulator B randomly selects \(H_3(W_i)\) and \(u_i \notin W\), and computes \(A_i^* = u + H_3(W_i)\). In accordance with this assumption, adversary A must query H3 on at least one Wi . We define four events as follows:
E1 : Cannot terminate private key query;
E2 : At least one of the identities challenging the H value contains BDH problem;
E3 : Adversary A chooses ci = 0 to distinguish the challenge information;
E4 : Simulator B accurately selects the solution from L3 .
Only when all events occur at the same time can simulator B successfully solve the BDH problem. We then analyze the probability of each event. Simulator B will not terminate as long as ci = 1 for each private key query. Therefore, \(\Pr[E_1] = \Pr[c_i = 1] = (1-\delta)^{q_E}\), where \(i = 1, 2, \ldots, q_E\).
For event 2, Pr[E2] = δ . The probabilities of ci = 0 and ci = 1 are unknown to adversary A , because ci is a secret value selected by the simulator B . Therefore, \(\Pr[E_3] = \frac{1}{n}\Pr[c_i = 0] + \frac{1}{n}\Pr[c_i = 1] = \frac{1}{n}\). However, the simulator B knows that the solution to the BDH problem is in L3 , and therefore obtains the probability \(\Pr[E_4] \geq \left(q_{H_3}\right)^{-1}\). We can obtain \(\varepsilon' \geq \Pr[E_1 \wedge E_2 \wedge E_3 \wedge E_4] \cdot \varepsilon \geq (1-\delta)^{q_E} \cdot \delta \cdot \varepsilon \cdot \left(n \cdot q_{H_3}\right)^{-1}\). The function \((1-\delta)^{q_E} \cdot \delta\) is largest at \(\delta_{opt} = (q_E + 1)^{-1}\). Based on \(\delta_{opt}\), \(\varepsilon' \geq \varepsilon \cdot \left(e \cdot n \cdot q_E \cdot q_{H_3}\right)^{-1}\).
Theorem 2. Three hash functions H , H2 and H3 are defined. If an ANON-ID-CPA adversary attacks our scheme with advantage ε , simulator B solves the BDH problem with the advantage of \(\varepsilon' \geq \varepsilon \cdot \left(e \cdot n \cdot \left(q_E \cdot q_{H_2} + q_E \cdot q_{H_3}\right)\right)^{-1}\).
Proof. Compute \(e(P,P)^{abc}\) in Game 2. H-query, H3-query, and Phase 1 are the same as in Theorem 1.
Setup: Simulator B creates mpk = (P, Ppub, H1).
H2 -query: B 's response to the query of (Xi, IDi) is as follows:
L2(Xi, IDi, λi) is initialized to be null. Simulator B checks L2 . If (Xi, IDi) ∈ L2 , it returns H2(Xi, IDi) = λi . If not, B picks a λi ∈ G and sets H2(Xi, IDi) = λi . Then, it adds (Xi, IDi, λi) to L1 and responds with λi .
Challenge: Adversary A outputs M∗ , broadcasts identity sets \(S_0 = (ID_{0,1}, ID_{0,2}, \ldots, ID_{0,n})\) and \(S_1 = (ID_{1,1}, ID_{1,2}, \ldots, ID_{1,n})\) without issuing private key queries to any \(ID_i \in S_0 \vee S_1\) in Phase 1. Simulator B executes the following steps:
• It computes \(C_{0}^{*}=k_{1}^{*}+M^{*}\) and \(C_{1}^{*}=r_{1}^{*} P, B_{0}^{*} \in G, r_{1}^{*} \in Z_{p}, k_{1}^{*} \in G\) and \(I D_{i} \in S_{0} \vee S_{1}\) ;
• If IDi does not exist in L , it executes H oracle, B obtains the values of H(IDi) from L , computes \(x_{i}^{*}=H\left(I D_{i}\right)\) and creates the polynomial function \(f_{i}(x)=\sum_{j=0}^{n} a_{i, j} x^{j}\) ;
• It randomly selects \(A_i^* \in G\) for each \(ID_i \in S_b \backslash S_{1-b}\). Simulator B obtains ci and ti from L for each \(ID_i \in S_0 \mid S_1\). If ci = 0 , it computes \(X_i = e(aP, cP)^{r_1^* t_i}\). If c1 = 1 and \((X_i, ID_i) \in L_2\) , it obtains λi and sets \(A_i^* = \lambda_i\); otherwise, it randomly selects \(A_i^* \in G\) and adds a new tuple \((X_i, ID_i, A_i^*)\) to L2 ;
• It computes \(Y_{i}=e(a P, c P)^{t_{i}}\) . If \(\left(Y_{i}, I D_{i}\right) \in L_{3}\) , it obtains the γi and sets \(\omega_{i}^{*}=\gamma_{i}\) , otherwise, it picks \(\omega_{i}^{*} \in G\) and adds a new \(\left(Y_{i}, I D_{i}, \omega_{i}^{*}\right)\) to L3 and compute \(A_{i}^{*}=k_{1}^{*}+\omega_{i}^{*}\) ;
• It then computes \(u_{i}^{*}=\sum_{j=1}^{n} a_{j, i-1} A_{j}^{*}\) , and the ciphertext after revocation is defined as \(C T^{*}=\left(C_{0}{ }^{*}, C_{1}{ }^{*}, r_{1}{ }^{*}, u_{i}{ }^{*}, i=[0, n]\right) \text { for } i=[0, n]\).
Phase 2: Adversary A issues private key queries but cannot issue the private key on \(I D_{i} \in S_{0} \vee S_{1}\) .
Guess: Simulator B ignores the adversary's guess and randomly selects (Xi, IDi, λi) from L2 or randomly chooses (Yi, IDi, γi) from L3 . If adversary A chooses L2 , it outputs \(X_j^{\left(r_2^* t_j\right)^{-1}}\) as the solution to the BDH instance, but it outputs \(Y_j^{t_j^{-1}}\) if it selects L3 as analyzed by Theorem 1, exiting \(\varepsilon \cdot \left(e \cdot n \cdot q_E \cdot \left(q_{H_2} + q_{H_3}\right)\right)^{-1}\).
Theorem 3. Defines functions H and H2 . If there is an IND-rID-CPA adversary A that can attack our scheme with advantage ε , the algorithm B solves the BDH problem with the advantage of \(\varepsilon^{\prime} \geq \varepsilon \cdot\left(e \cdot n \cdot q_{E} \cdot q_{H_{2}}\right)^{-1}\).
Proof. We compute \(e(P,P)^{abc}\) in Game 3. H-query and Phase 1 are the same as in Theorem 1, and H2-query is the same as in Theorem 2.
Setup: Simulator B defines mpk = (P, Ppub, H1, H3).
Challenge: If adversary A did not initiate private key query to any IDi ∈ S* \ Q*, it outputs \(S^* = (ID_1, ID_2, \ldots, ID_n)\), non-null revocation set \(R^* = (ID_{l_1}, ID_{l_2}, \ldots, ID_{l_t})\) and two messages Μ0 and Μ1 of different lengths. Simulator B performs the following operations:
• It computes \(C_0'^* = C_0^* + k_2^* = k_1^* + M_b + k_2^*\), \(C_1^* = r_1^* P\), \(ID_0 \notin S^* \cup R^*\), \(A_0^*, k_1^*, k_2^* \in G\) and \(r_1^* \in Z_p\);
• It parses (ci, ti, hi) from L for IDi ∈ S* | R* . If ci = 0 , algorithm terminates, otherwise, it computes \(X_{i}=e(a P, c P)^{t_{i}}\) . If \(\left(X_{i}, I D_{i}\right) \in L_{2}\), it returns λi , otherwise, it randomly selects λi ∈G . It defines \(A_{i}^{*}=\lambda_{i}\) and a new tuple (Xi, IDi, λi) is added to L2 . IDi ∈ S* \ R* will exist for every i . It then randomly selects \(A_{i}^{*} \in G\);
• It computes \(x_{i}^{*}=H_{1}\left(I D_{i}\right) \quad, \quad f_{i}(x)=\sum_{j=0}^{n} a_{i, j} x^{j} \quad, \quad A_{i}^{*}=k_{1}^{*}+H_{3}\left(e\left(H_{1}\left(I D_{i}\right), P_{p u b}\right)^{r_{1}^{*}}, I D_{i}\right)\) and \(u_{i}^{*}=\sum_{j=1}^{n} a_{j, i-1} A_{j}\) . If there is IDi ∈ R∗ for each i , it computes \(x_{i}^{*}=H_{1}\left(I D_{i}\right)\) and creates the polynomial function \(g(x)=\prod_{i=1}^{t}\left(x-x_{i}^{*}\right)=\sum_{i=1}^{t} b_{i} x^{i-1} \bmod p\) ;
• It computes \(T_{i}^{*}=g\left(x_{i}\right)^{-1} b_{i} k_{2}^{*}\) for i = 0,1,2,L,t. It then defines the ciphertext after revocation as \(C T^{\prime *}=\left(R, C_{0}^{\prime *}, C_{1}^{*},\left[u_{i}^{*}, T_{i}^{*}\right]_{i=1}^{n}\right)\)
Phase 2: Adversary A cannot query the private key on \(I D_{i} \in S^{*} \backslash R^{*}\).
Guess: Simulator B neglects the adversary's guess and randomly selects \(\left(X_{i}, I D_{i}, \lambda_{i}\right)\) from list \(L_{2}\), obtains \(t_{j}\) from \(L\), and outputs \(X_{j}^{t_{j}^{-1}}\). Adversary A cannot distinguish between information in the security reduction. Therefore, once A outputs a terminator with a probability greater than \(\frac{1}{2}\), and supposing we only consider the case that A chooses \(I D_{i}\) (\(H\left(I D_{i}\right)=t_{i} b P\)), then, just as in Theorem 1, we have \(\varepsilon^{\prime} \geq \varepsilon \cdot\left(e \cdot n \cdot q_{E} \cdot q_{H_{2}}\right)^{-1}\).
Theorem 4. Define two functions \(H\) and \(H_{1}\). If a selective ANON-rID-CPA adversary A can attack our scheme with advantage \(\varepsilon\), B can solve the BDH problem with advantage \(\varepsilon^{\prime} \geq \varepsilon \cdot\left(t \cdot q_{H_{1}}\right)^{-1}\), where \(t\) is the number of revoked identities.
Proof. We compute \(e(P, P)^{a b c}\) in Game 4. The interactive working process between simulator B and adversary A is as follows:
Init: A generates revoke sets \(R_{0}=\left(I D_{0,1}, I D_{0,2}, \ldots, I D_{0, t}\right)\) and \(R_{1}=\left(I D_{1,1}, I D_{1,2}, \ldots, I D_{1, t}\right)\).
Setup: B defines \(m p k=\left(P, P_{p u b}, H_{2}, H_{3}\right)\), randomly selects \(b \in\{0,1\}\) and \(I D^{*} \in R_{b} \backslash R_{1-b}\).
H-query: Adversary A issues an H-query. Simulator B creates the list \(L\left(I D_{i}, k_{i}, h_{i}\right)\), which is initialized to be null, and responds to the \(I D_{i}\) query as follows:
If \(I D_{i} \in L\left(I D_{i}, k_{i}, h_{i}\right)\), A returns \(H\left(I D_{i}\right)=h_{i}\); otherwise, it randomly selects \(k_{i} \in Z_{p}\). Simulator B sets \(h_{i}=k_{i} b P\) when \(I D_{i}=I D^{*}\).
\(H_{1}\)-query: Adversary A issues an \(H_{1}\)-query. Simulator B creates the list \(L_{1}\left(T_{i}, I D_{i}, \eta_{i}\right)\), which is initialized to be null, and responds to the query of \(\left(T_{i}, I D_{i}\right)\) as follows:
If \(\left(T_{i}, I D_{i}\right) \in L_{1}\), B returns \(H_{1}\left(T_{i}, I D_{i}\right)=\eta_{i}\); otherwise, it selects \(\eta_{i} \in G_{1}\), sets \(H_{1}\left(T_{i}, I D_{i}\right)=\eta_{i}\), and adds \(\left(T_{i}, I D_{i}, \eta_{i}\right)\) to list \(L_{1}\).
Phase 1: Adversary A issues a private key query to \(I D_{i} \notin R_{0} \vee R_{1}\). The simulator obtains \(k_{i}\) from \(L\) and computes \(d_{I D_{i}}=s H_{1}\left(I D_{i}\right)=a k_{i} P=k_{i} P_{p u b}\).
Challenge: Adversary A outputs \(M^{*}\) and \(S^{*}=\left(I D_{1}, I D_{2}, \ldots, I D_{n}\right)\). Simulator B executes the following steps:
• It selects \(I D_{0} \notin S^{*} \cup R_{0} \cup R_{1}\), \(k_{1}^{*} \in G\), \(k_{2}^{*} \in G\), and computes \(C_{0}^{*}=k_{1}^{*}+k_{2}^{*}+M_{b}\) and \(C_{1}^{*}=c^{*} P\);
• If there is \(I D_{i}=I D^{*}\) for each \(I D_{i} \in S^{*}\) and \(I D_{0}\), it picks \(x^{*} \in Z_{p}\), sets \(x_{i}^{*}=x^{*}\), obtains \(\left(k_{i}, h_{i}\right)\) from \(L\), and computes \(T_{i}=e(a P, c P)^{k_{i}}\). If \(\left(T_{i}, I D_{i}\right) \in L_{1}\), it returns \(\eta_{i}\); otherwise, it randomly selects \(\eta_{i}\), sets \(x_{i}^{*}=\eta_{i}\), and adds it to \(L_{1}\);
• It computes \(f_{i}(x)=\sum_{j=0}^{n} a_{i, j} x^{j}\) and \(A_{i}^{*}=k_{1}^{*}+H_{3}\left(e\left(H_{1}\left(I D_{i}\right), P_{p u b}\right)^{r_{1}^{*}}, I D_{i}\right)\), where \(i=0,1, \ldots, n\), and also computes \(u_{i}^{*}=\sum_{j=1}^{n} a_{j, i-1} A_{j}^{*}\);
• For every \(i\) there is \(I D_{i} \in R_{0} \mid R_{1}\). It obtains \(\left(k_{i}, h_{i}\right)\) from \(L\), and computes \(T_{i}=e(a P, c P)^{k_{i}}\). It then sets \(x_{i}^{*}=\eta_{i}\) and adds \(\left(T_{i}, I D_{i}, \eta_{i}\right)\) to \(L_{1}\). It randomly selects \(x_{i}^{*} \in Z_{p}\) for \(I D^{*} \in R_{b} \backslash R_{1-b}\) and computes \(g(x)=\prod_{i=1}^{t}\left(x-x_{i}^{*}\right)=\sum_{i=1}^{t} b_{i} x^{i-1} \bmod p\);
• It computes \(T_{i}^{*}=g\left(x_{i}\right)^{-1} b_{i} k_{2}^{*}\) for any \(i=0,1,2, \ldots, t\) and defines the ciphertext after revocation as \(C T^{\prime *}=\left(R, C_{0}^{\prime *}, C_{1}^{*},\left[u_{i}^{*}, T_{i}^{*}\right]_{i=1}^{n}\right)\).
Phase 2: Adversary A issues a private key query on \(I D_{i} \notin R_{0} \vee R_{1}\). The responses of the simulator are the same as in Phase 1.
Guess: If adversary A chooses \(I D^{*}\) to distinguish the revocation set, B can successfully solve the BDH problem by computing \(\left(T^{*}\right)^{\frac{1}{k^{*}}}\). It is not difficult to compute within the scope of Theorem 4. Finally, the probability of choosing \(I D^{*}\) to break the proposed scheme is \((t-k)^{-1} \geq t^{-1}\) (\(k=\left|R_{0} \mid R_{1}\right|\)), and we have \(\varepsilon^{\prime} \geq \varepsilon \cdot\left(t q_{H_{1}}\right)^{-1}\).
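The revocation polynomial \(g(x)\) built in the Challenge steps of Theorems 3 and 4 can be explored with the following added example, which is not code from the paper. It expands \(g(x)=\prod_{i}(x-x_{i}^{*}) \bmod p\) into coefficients and shows that \(g(x)^{-1}\) exists only at points that are not revoked identities; the modulus, the SHA-256 stand-in for \(H_{1}\) and the meter identities are assumptions constructed for illustration.

```python
import hashlib

# Constructed modulus (assumption): the Mersenne prime 2^127 - 1 stands in for p.
P = 2**127 - 1


def h1(identity):
    """Stand-in for H_1 (assumption): map an identity string to x in Z_p."""
    digest = hashlib.sha256(identity.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % P


def revocation_poly(revoked):
    """Coefficients of g(x) = prod_i (x - x_i) mod p, lowest degree first.

    For t revoked identities the expansion has t + 1 coefficients and is monic.
    """
    coeffs = [1]
    for identity in revoked:
        root = h1(identity)
        nxt = [0] * (len(coeffs) + 1)
        for j, c in enumerate(coeffs):
            nxt[j] = (nxt[j] - root * c) % P   # term from (-x_i) * c * x^j
            nxt[j + 1] = (nxt[j + 1] + c) % P  # term from x * c * x^j
        coeffs = nxt
    return coeffs


def evaluate(coeffs, x):
    """Horner evaluation of the polynomial at x, modulo p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def inverse_of_g(coeffs, identity):
    """Return g(x)^{-1} mod p for x = H_1(identity), or None if g(x) = 0."""
    gx = evaluate(coeffs, h1(identity))
    return None if gx == 0 else pow(gx, -1, P)


# Constructed identities for the demonstration.
REVOKED = ["meter-017", "meter-042", "meter-113"]
ACTIVE = ["meter-001", "meter-250"]

if __name__ == "__main__":
    b = revocation_poly(REVOKED)
    for ident in REVOKED + ACTIVE:
        status = "revoked, no inverse" if inverse_of_g(b, ident) is None else "inverse exists"
        print(ident, "->", status)
```

Because \(p\) is prime, \(g(x)=0\) exactly at the revoked points, so the factor \(g(x)^{-1}\) is defined for every other identity.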
6. Performance evaluation
6.1 Comparison of functions
We analyzed the functional differences between our scheme and the other six broadcast encryption schemes. From Table 2, the schemes in [10, 12, 15] are consistent with the schemes in this paper, all of which are identity-based broadcast encryption. Combined with the changes in user privileges in smart cities, the user revocation property is used to adjust authorization identities dynamically. The schemes in [14, 15, 16] achieve the user revocation property. The schemes in [10, 11, 16] achieve receiver anonymity. The proposed scheme has certain advantages in functions when compared with the broadcast encryption schemes in Table 2.
Table 2. Functional comparison
6.2 Theoretical analysis
The computation overhead of our scheme is compared with those of schemes [17], [18] and [19], as shown in Table 3. The comparison between our scheme and other schemes in terms of storage costs is shown in Table 4.
Table 3. Computation overhead comparison
Table 4. Storage overhead comparison
1) Computation overhead comparison
In Table 3, \(T_{p}\) indicates the time of a bilinear pairing operation, \(T_{e}\) the time of an exponential operation, \(T_{m}\) the time of a multiplication operation, \(T_{h}\) the time of a hash operation, and \(T_{Inv}\) the time of a multiplicative inverse operation. The ordering of the operation times of standard cryptographic algorithms is \(T_{p}>T_{e}>T_{m}>T_{h}>T_{Inv}\), so the pairing operation \(T_{p}\) takes longer than the other cryptographic operations. \(n\) indicates the number of user identities in the system. From Table 3, the computation overheads of the four schemes grow with the number of user identities, but our scheme is the most efficient, with computation overheads \(2 T_{h}+T_{p}+(n+1) T_{m}+T_{e}\), \(T_{m}+T_{Inv}\) and \(T_{h}+T_{p}\) respectively.
2) Storage overhead comparison
In Table 4, we use \(|G_{1}|\), \(|G_{T}|\) and \(|Z_{p}|\) to represent the lengths of elements in \(G_{1}\), \(G_{T}\) and \(Z_{p}\) respectively. In terms of storage overhead, our scheme (\(|G_{1}|+|G_{T}|+|Z_{p}|\)) is the smallest when the three functions of our scheme are compared with those of the other schemes in Table 4. In the Encrypt phase, the storage overhead of the scheme in [18] is greater than that of our scheme. The storage overheads of the two other schemes are mostly the same but still larger than that of our scheme.
6.3 Numerical experiment
The accuracy and efficiency of the runtime depend on the CPU. We implemented the numerical simulation experiment using a pairing-based cryptographic library under the Linux operating system. Programming was based on the C language, running on a PC with a 2.60 GHz CPU and 8 GB of RAM.
We analyzed the computation cost of the schemes in [17], [18], [19] and the proposed scheme in terms of Encrypt, Revoke, and Decrypt algorithms. The users’ access privileges of the other three schemes and our scheme will change. Therefore, we set the number of user identities as a variable which takes 10, 20, 30, 40, 50, and 60. In this paper, we used an average of 60 running results as the experimental results. The experimental results are shown in Fig. 5.
Fig. 5. (a). Comparisons of time in Encrypt phase; (b). Comparisons of time in Revoke phase; (c). Comparisons of time in Decrypt phase.
When there are \(n\) identities for a single identity requesting a service from the smart grid, the total computation overhead in the Encrypt phase is \(2 T_{h}+T_{p}+(n+1) T_{m}+T_{e}\). It can be seen from Fig. 5(a) that our scheme is more efficient than other schemes and has practical application significance.
In Fig. 5(b), the computation costs increase with the number of user identities, and the growth of the scheme in [19] is particularly notable. When the number of user identities is 60, the running time of the scheme in [19] reaches 129.5 ms. As shown in Fig. 5(b), the computation time of the proposed scheme is less than that of the other schemes.
As shown in Fig. 5(c), we compare the computation costs of the decryption algorithm. Obviously, the decryption time of the other schemes increases with the number of users’ identities. However, the time of our scheme is still a relatively small value because we only used some lightweight operations in this algorithm. In conclusion, our scheme has relative advantages compared with each phase of other schemes.
7. Conclusion
In this paper, we studied a fully privacy-preserving broadcast communication scheme and introduced how to apply cloud-network integration to the privacy-sensitive smart grid. Our proposed broadcast encryption scheme combines direct revocation and Lagrange interpolation technology. The scheme can dynamically adjust the receiver set and achieve identity anonymity. Compared in detail with the existing schemes in terms of performance evaluation, security and other functionalities, our scheme has made significant progress in performance. In future work, the proposed scheme will be used in biometric-based broadcast proxy re-encryption scenarios to obtain practical significance.
8. Acknowledgements
This work was supported by the National Natural Science Foundation of China (Grants No. 61662071, No. 61662069, No. 61772022).
References
- Clohessy T, Acton T, Morgan L, et al, "Smart City as a Service (SCaaS): A Future Roadmap for E-Government Smart City Cloud Computing Initiatives," in Proc. of the 2014 IEEE/ACM 7th International Conference on Utility and Cloud Computing, pp. 836-841, 2014.
- Monzon A, "Smart cities concept and challenges: Bases for the assessment of smart city projects," in Proc. of SMARTGREENS 2015-4th International Conference on Smart Cities and Green ICT Systems, pp. 17-31, 2015.
- Zhang Yuqing, Zhouwei, Peng Anni, "Survey of Internet of Things Security," Journal of Research and Development, vol. 54, no. 10, pp. 2130-2143, 2017.
- Ejaz, Waleed, Naeem, Muhammad, Shahid, Adnan, et al, "Efficient Energy Management for the Internet of Things in Smart Cities," IEEE Communications Magazine: Articles, News, and Events of Interest to Communications Engineers, vol. 55, no. 1, pp. 84-91, 2017. https://doi.org/10.1109/MCOM.2017.1600218CM
- Maseleno A, Hashim W, Alicia Y C T, et al, "A Review on Smart Grid Internet of Things," Journal of Computational and Theoretical Nanoscience, vol. 17, no.6, pp. 2770-2775, 2020. https://doi.org/10.1166/jctn.2020.8941
- B. C. Choi, S. H. Lee, J. C. Na, and J. H. Lee, "Secure firmware validation and update for consumer devices in home networking," IEEE Transactions on Consumer Electronics, vol. 62, no.1, pp. 39-44, Feb 2016. https://doi.org/10.1109/TCE.2016.7448561
- N. Komninos, E. Philippou, and A. Pitsillides, "Survey in smart grid and smart home security: Issues, challenges and countermeasures," IEEE Communications Surveys and Tutorials, vol. 16, no. 4, pp. 1933-1954, Nov 2014. https://doi.org/10.1109/COMST.2014.2320093
- Saleem Y, Crespi N, Rehmani M H, et al, "Internet of Things-aided Smart Grid: Technologies, Architectures, Applications, Prototypes, and Future Research Directions," IEEE Access, vol. 7, pp. 62962-63003, 2019. https://doi.org/10.1109/access.2019.2913984
- Fiat A, Naor M, "Broadcast encryption," in Proc. of International cryptology conference, pp. 480-491, 1993.
- Zhang J, Mao J, "Anonymous multi-receiver broadcast encryption scheme with strong security," International Journal of Embedded Systems, vol. 9, no. 2, pp. 177-187, 2017. https://doi.org/10.1504/IJES.2017.083737
- Cui Yilei, Zhang Leyou, "Privacy preserving ciphertext-policy attribute-based broadcast encryption in smart city," The Journal of China Universities of Posts and Telecommunications, vol. 26, no. 1, pp. 21-31, 2019.
- Li, Jiguo, Yu, Qihong, Zhang, Yichen, "Identity-based broadcast encryption with continuous leakage resilience," Information Sciences: An International Journal, vol. 429, pp. 177-193, 2018. https://doi.org/10.1016/j.ins.2017.11.008
- JIA Hongyong, CHEN Yue, YANG Kuiwu, et al, "Revocable Broadcast Encryption with Constant Ciphertext and Private Key Size," Chinese Journal of Electronics, vol. 28, no. 4, pp. 690-697, 2019. https://doi.org/10.1049/cje.2019.04.003
- ZHU Yan, YU Ruyun, CHEN E, et al, "An Efficient Broadcast Encryption Supporting Designation and Revocation Mechanisms," Chinese Journal of Electronics, vol. 28, no. 3, pp. 445-456, 2019. https://doi.org/10.1049/cje.2019.02.005
- Dawei Li, Jianwei Liu, Zongyang Zhang, et al, "Revocable Hierarchical Identity-Based Broadcast Encryption," Tsinghua Science and Technology, vol. 23, no. 5, pp. 539-549, 2018. https://doi.org/10.26599/tst.2018.9010023
- Yi X, Paulet R, Bertino E, et al, "Practical Anonymous Subscription with Revocation Based on Broadcast Encryption," in Proc. of 2020 IEEE 36th International Conference on Data Engineering (ICDE), pp. 241-252, 2020.
- Lai J, Mu Y, Guo F, et al, "Anonymous Identity-Based Broadcast Encryption with Revocation for File Sharing," in Proc. of Australasian conference on information security and privacy, pp. 223-239, 2016.
- Lai J, Mu Y, Guo F, et al, "Fully privacy-preserving and revocable ID-based broadcast encryption for data access control in smart city," Personal and Ubiquitous computing, vol. 21, no. 5, pp. 855-868, 2017. https://doi.org/10.1007/s00779-017-1045-x
- Lai, Jianchang, Guo, Fuchun, Mu, Yi, et al, "Fully Privacy-Preserving ID-Based Broadcast Encryption with Authorization," The Computer journal, vol. 60, no. 12, pp. 1809-1821, 2017. https://doi.org/10.1093/comjnl/bxx060
- Wang X, Dai H, Zhang K, et al, "Secure and flexible economic data sharing protocol based on ID-based dynamic exclusive broadcast encryption in economic system," Future Generation Computer Systems, vol. 99, pp. 177-185, 2019. https://doi.org/10.1016/j.future.2018.11.013
- Guo D, Wen Q, Jin Z, et al, "Authenticated public key broadcast encryption with short ciphertexts," Multimedia Tools and Applications, vol. 78, pp. 23399-23414, 2019. https://doi.org/10.1007/s11042-019-7598-0
- Leyou Zhang, Qing Wu, Yi Mu, "Anonymous Identity-Based Broadcast Encryption with Adaptive Security," Cyberspace safety and security, pp. 258-271, 2013.
- Waters B, "Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization," Public key cryptography, vol. 6571, pp. 53-70, 2011.