Anonymous identity-based broadcast encryption technology for smart city information system

Abstract

A smart city can utilize information and communication technologies to minimize energy, waste, and resource consumption and attain high-efficiency services, so it directly improves the life quality of all residents. However, it also brings about some security and privacy challenges. For instance, once the ubiquitous network in the smart city is attacked, all of the sensitive information and residents’ identities will be revealed. In many application scenarios, the anonymity of residents is a desirable security property. After all, nobody wants to be traced for his daily activity or personal habits. In this paper, we propose a generic identity-based broadcast encryption scheme which can satisfy information’s confidentiality and users’ anonymity simultaneously under chosen-ciphertext attacks. What is different from our previous work which was published in ACISP 2016 is that we present the proof of confidentiality and focus on the application environment. The generic IBBE construction has a desirable property that its public parameter size and private key size are constant as well as its decryption cost is independent of the number of receivers. Thus, no matter from which point of views, the construction is very appropriate for smart city information system.

Appendix A: Concrete instantiation

We shall present a concrete instantiation based on the generic IBBE construction, employing Boneh-Franklin IBE scheme [8], which is IND-CCA secure and ANO-CCA secure as noticed in [1] and WROB-CCA secure as noticed in [2] and a concrete signature scheme, e.g. [36] which is a strong one-time signature scheme Σ = (Gen, Sig, Ver).

• Setup (1 ^λ ): On input of a security parameter λ, it first chooses a bilinear group \(\mathbb {G},\mathbb {G}_{T}\) of prime order p with bilinear map \(e:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_{T}\) and a generator \(g {\leftarrow }_{R}\mathbb {G}\), and then picks \(\alpha ,\beta {\leftarrow }_{R}\mathbb {Z}_{p}\), computes g ₁ = g ^α and g ₂ = g ^β, chooses hash functions \(H_{1}:\{0,1\}^{*}\rightarrow \mathbb {G}\), \(H_{2}:\{0,1\}^{\ell }\times \{0,1\}^{n}\rightarrow \mathbb {Z}_{p}\), \(H_{3}:\mathbb {G}_{T} \rightarrow \{0,1\}^{\ell }\), \(H_{4}:\{0,1\}^{\ell }\rightarrow \{0,1\}^{(\lambda +\ell +n)}\), \(H_{5}:\{0,1\}^{\ell }\times \{0,1\}^{\lambda +\ell +n}\rightarrow \mathbb {Z}_{p}\) which are modeled as random oracles. The public parameters are \({params}=(\mathbb {G},\mathbb {G}_{T},\mathbb {Z}_{p},p,e,g,g_{1},g_{2},H_{1},H_{2},H_{3},H_{4}\), H ₅) and the master secret key is msk = (α, β).

• Extract ( m s k , I D ): On input of the master secret key msk and an identity ID, it computes \(sk^{0}_{ID}=H_{1}(ID)^{\alpha }\) and \(sk^{1}_{ID}=H_{1}(ID)^{\beta }\). The private key is \(sk_{ID}=(sk^{0}_{ID},sk^{1}_{ID})\).

• Enc ( p a r a m s , S , M ): On input of the public parameters params, a receiver set S = {ID ₁, ID ₂,⋯ , ID _t } and a message M ∈{0, 1}ⁿ, it first runs \((svk,ssk)\leftarrow \) Gen (1^λ), chooses \(\delta _{1},\delta _{2}\leftarrow _{R}\{0,1\}^{\ell }\), lets r ₁ = H ₂(δ ₁|| M) and \(r_{2}=H_{5}(\delta _{2}||svk||\delta _{1}||M)\), and then computes \(T_{1}=g^{r_{1}}\) and \(T_{2}=g^{r_{2}}\). For each ID ∈ S, computes \(c_{ID}^{0}=H_{3}(e(g_{1},H_{1}(ID))^{r_{1}})\) and \(c_{ID}^{1}=(c_{ID}^{10},c_{ID}^{11})=(H_{3}(e(g_{2},H_{1}(ID))^{r_{2}})\oplus {\delta _{2}},H_{4}(\delta _{2})\oplus (svk\) ||δ ₁||M)). Let \(C_{1}=(c_{ID_{1}}^{0},c_{ID_{1}}^{1})||\cdots ||(c_{ID_{t}}^{0},c_{ID_{t}}^{1})\). The ciphertext is CT = (svk, T ₁, T ₂, C ₁, σ), where σ = Sig (ssk, T ₁||T ₂||C ₁).

• Dec( s k _{I D} , C T ): On input of a private key sk _ID and a ciphertext CT, it parses CT as (svk, σ, T, C ₁), where \(C_{1}=(c_{ID_{1}}^{0},c_{ID_{1}}^{1})||\cdots ||(c_{ID_{t}}^{0},c_{ID_{t}}^{1})\). If Ver (svk, T ₁||T ₂||C ₁, σ)=0, returns ⊥; else computes \(c_{ID}^{0}\)= H ₃ (e(T ₁, \(sk^{0}_{ID}))\) and determines which ciphertext should be decrypted among \((c_{ID_{1}}^{0},c_{ID_{1}}^{1})||\cdots || (c_{ID_{t}}^{0},c_{ID_{t}}^{1})\). For each ID _j ∈ S, if \(c_{ID}^{0}\neq c_{ID_{j}}^{0}\), returns ⊥; else chooses the smallest index j such that \(c_{ID}^{0}=c_{ID_{j}}^{0}\) and \(c_{ID}^{1}=c_{ID_{j}}^{1}\). It computes \(\delta _{2}^{\prime }=H_{3}(e(T_{2},sk^{1}_{ID}))\oplus {c_{ID}^{10}}\), \(svk||\delta _{1}||M=H_{4}(\delta _{2}^{\prime })\oplus {c_{ID}^{11}}\). If \(T_{1}\neq {g^{H_{2}(\delta _{1}||M)}}\) or \(T_{2}\neq {g^{H_{5}(\delta _{2}||svk||\delta _{1}||M)}}\), returns ⊥; else returns M.