Most of the existing multi-recipient signcryption schemes do not take the anonymity of recipients into consideration because the list of the identities of all recipients must be included in the ciphertext as a necessary element for decryption. Although the signer’s anonymity has been taken into account in several alternative schemes, these schemes often suffer from the cross-comparison attack and joint conspiracy attack. That is to say, there are few schemes that can achieve complete anonymity for both the signer and the recipient. However, in many practical applications, such as network conference, both the signer’s and the recipient’s anonymity should be considered carefully. Motivated by these concerns, we propose a novel multi-recipient signcryption scheme with complete anonymity. The new scheme can achieve both the signer’s and the recipient’s anonymity at the same time. Each recipient can easily judge whether the received ciphertext is from an authorized source, but cannot determine the real identity of the sender, and at the same time, each participant can easily check decryption permission, but cannot determine the identity of any other recipient. The scheme also provides a public verification method which enables anyone to publicly verify the validity of the ciphertext. Analyses show that the proposed scheme is more efficient in terms of computation complexity and ciphertext length and possesses more advantages than existing schemes, which makes it suitable for practical applications. The proposed scheme could be used for network conferences, paid-TV or DVD broadcasting applications to solve the secure communication problem without violating the privacy of each participant.

Introduction

With development of network technology and its applications, a lot of group-oriented network services such as network multicasting or broadcasting have been proposed. Usually, in these services, a message sender is required to securely send the same messages to a group of recipients, such that only a certain number of recipients can read the messages while unauthorized recipients can extract nothing useful from these messages [1]. Therefore, the concept of multi-recipient encryption was put forward [2]–[6], and it has been considered as one of most promising solutions to solve the security problem of securing multicasting or broadcasting. Later, combining the concept of multi-recipient encryption with the idea of Zheng’s signcryption [7], Duan et al. [8] proposed the first multi-recipient signcryption scheme. In their scheme, to achieve the goal of sending the same message to all authorized recipients confidentially, the sender only needs to execute one signcryption operation, and at the same time, each recipient can verify the validity of messages. Since then, many excellent multi-recipient signcryption schemes [9]–[11] were proposed, which take more security properties into consideration than Duan et al.’s scheme. In general, multi-recipient signcryption can be used in many important applications, such as paid-TV or DVD broadcasting systems [10], where only authorized or paying users should be able to access such services.

Nevertheless, today, more and more people are concerned regarding personal privacy, thus participant anonymity should be taken into account when designing multi-recipient signcryption [12]. For example, in paid-TV and DVD broadcasting application systems, service providers do not want others to obtain the real identities from the ciphertext messages. Therefore, multi-recipient signcryption with the sender (or called the signer) anonymity had been introduced. In literature, there have been several multi-recipient signcryption schemes [13]–[17] which try to assure anonymity of the sender. The concept of anonymous signature was firstly proposed by Rivest et al. [18]. In 2005, Huang et al. [19] proposed the first anonymous signcryption scheme, which used an ID-based ring signature to assure anonymity of the signer. However, their scheme is only a single-recipient scheme. Later, based on similar thoughts, Lal et al. [13] extended this method for multi-recipient environments. Furthermore, a multi-recipient scheme with anonymity of the sender [14]–[17] was proposed. Although these schemes [13]–[17] provide solutions for assuring signer anonymity, there are still some unsolved issues. For example, they suffer from two new attacks known as the cross-comparison attack [20] and the joint conspiracy attack [21]. Based on the ring signature, schemes [13]–[17] construct a list which includes the real signer and several valid participants which are chosen randomly by the signer hiding the real signer in this list. Although this perfectly works to some extent, an attacker can obtain a number of different ciphertexts from the same message source by closely monitoring network traffic, thus by comparing the signers’ identities from different lists an attacker can narrow down the scope of the target signer. Using this scheme, an attacker can directly obtain the identity of the real signer. Even if the attacker does not directly obtain the real signer’s identity, he/she has narrowed down the scope of the attacker’s guess. In addition, it is still possible for such an attacker to retrieve a list which includes the real signer. Then, he/she can cooperate with some participants in the list to narrow down the scope and guess the real signer with a larger probability. In addition, the list of chosen participants can increase the length of the ciphertext quite significantly, potentially reducing the transmission efficiency. More important, the identities of all the authorized recipients are usually included in the ciphertext of these anonymous schemes in plaintext [13]–[19], which is not always wanted.

Generally speaking, anonymity of participants includes both the sender’s and the recipient’s anonymity. Besides the anonymity of the sender, the anonymity of the recipient is often equally important so that designers of multi-recipient signcryption schemes should pay attention. For example, in paid-TV and DVD broadcasting application systems, no user should accept that his/her subscription of these services is publicly viewable to others especially when the service is quite sensitive. However, unfortunately, almost none of the existing schemes take the anonymity of recipients into consideration because the identity of each recipient must be included in the ciphertext as a necessary element for decryption. The list of the authorized recipients’ identities in the ciphertext is used to show who are the authorized recipients and how each authorized recipient gets his/her person-specific data for encryption from the ciphertext during the decryption process. Thus, schemes [9]–[11] directly expose the recipient’s identity and therefore violate their privacy. Also, the fact that different recipients have different person-specific data for decryption can lead to decryption unfairness. This means that if some recipient’s person-specific data are damaged due to communication errors, he/she cannot decrypt the ciphertext but the others can still decrypt the ciphertext correctly [12]. Therefore, it is urgent and challenging for researchers to solve the recipient anonymity issue of multi-recipient signcryption.

Following the arguments above, it is known that almost none of the existing multi-recipient signcryption schemes take the full anonymity of recipients and senders into account. Although there are several schemes that provide a solution for anonymity of the signer, they are not perfect, that is, they suffer from the cross-comparison attack and the joint conspiracy attack. Therefore, existing schemes cannot deal with the anonymity of the sender or the recipient properly. Furthermore, these schemes are not suitable for applications that need complete anonymity for the sender and the recipient. For example, in a network conference application, every conference participant often wants to be kept anonymous when he/she is taking part in the conference discussion. Furthermore, if a participant (i.e. sender) wants to publish criticism or objections, he/she hopes that others (i.e. recipients) do not know his/her identity. At the same time, the recipient cannot want the other recipients to reveal that he/she is an authorized recipient. In fact, today, anonymity is one of the most important prerequisites for people to talk freely and make objective decisions.

Motivated by the above, this paper proposes a completely anonymous multi-recipient signcryption scheme which meets: (1) The identity of the sender is kept secret; (2) The identities of all the recipients are kept secret; (3) Each recipient can easily judge whether the received message is from an authorized source, but he/she cannot determine the real identity of the sender; (4) Each recipient can easily judge whether he/she is an authorized recipient, but he/she cannot determine the identity of any other authorized recipient; (5) The validity of ciphertext can be verified publicly. Speaking of practical applications, the proposed scheme can be in principle used for network conference, paid-TV or DVD broadcasting application systems to assure secure communication among authorized participants, while at the same time, providing complete anonymity for all participants.

To facilitate the description of our scheme, notations used throughout the document are summarized in Table 1.