Anonymous Multireceiver Identity-Based Encryption against Chosen-Ciphertext Attacks with Tight Reduction in the Standard Model

Multireceiver identity-based encryption is a cryptographic primitive that allows a sender to encrypt a message for multiple receivers efficiently and securely. In some applications, the receivers may not want their identities to be revealed. Motivated by this issue, in 2010, Fan et al. first proposed the concept of anonymous multireceiver identity-based encryption (AMRIBE). Since then, many works in this field have been proposed. After surveying the existing works, however, we found that most of them fail to achieve provable anonymity with tight reduction. A security proof with tight reduction means better quality of security and better efficiency of implementation. In this paper, we focus on solving the open problem in this field, which is to achieve the ANONIND-CCA security with tight reduction, by giving an AMRIBE scheme. The proposed scheme is proven to be IND-MID-CCA and ANON-MID-CCA secure with tight reduction under a variant of the DBDH assumption. To the best of our knowledge, this is the first scheme proven with tightly reducible full CCA security in the standard model.


Introduction
Identity-based encryption (IBE) is a large class of public key encryption in modern cryptography. The concept of IBE was first proposed by Shamir [1] in 1984, and the first practical construction was independently proposed by Boneh and Franklin [2] and Cocks [3] in 2001. In an IBE scheme, a user can use any string as her/his public key, such as a national identifier number or an e-mail address.
It is a natural question to ask how to design a multireceiver IBE that encrypts a message with better efficiency, in terms of either computation cost or communication cost, than individually encrypting to each user. Such a cryptographic primitive is popular in advanced applications such as video conferencing, pay-per-view TV [4][5][6][7][8], and distance education. The notion of multireceiver identity-based encryption (MRIBE) was first considered by Baek et al. [9] in 2005. In an MRIBE scheme, the input of the encryption algorithm is a set of identities rather than a single identity. A user who is selected in the set is able to decrypt the ciphertext. MRIBE then drew the attention of the research community, and lots of results [10,11] have been proposed.
Another notion similar to MRIBE is identity-based broadcast encryption (IBBE) [12][13][14]. An IBBE scheme is usually designed in the sense of key encapsulation mechanism (KEM), where the encryption algorithm takes as input only a set of identities and outputs a header and an encryption key. To encrypt a message, one then uses the encryption key with a data encryption mechanism (DEM), such as DES and AES. A user whose identity is selected in the set can use her/his private key together with the header to recover the encryption key. On the other hand, an encryption scheme can be regarded as a key encapsulation mechanism by simply setting a ciphertext as the header and the corresponding plaintext as the encryption key. In this paper, we will treat MRIBE and IBBE as the identical notion.
In some situations, such as ordering sensitive TV programs, the customers may expect that their identities are not revealed. In consideration of privacy preservation, Fan et al. [15] first introduced the concept of anonymous multireceiver ID-based encryption (AMRIBE) in 2010. Anonymity is defined as the property that no one except the encryptor should know the identities of the receivers. They also proposed a multireceiver ID-based encryption scheme using Lagrange interpolating polynomials. Unfortunately, their scheme was pointed out to be flawed by Chien [16] in 2012. In Fan et al.'s scheme, anyone given a ciphertext is able to reveal the receivers. Chien further indicated that the security model defined in [15] does not cover all of the multireceiver scenarios. He also proposed an improved AMRIBE scheme in [16]. Since then, many results of AMRIBE have been proposed [17][18][19][20][21][22][23][24][25].
After examining these AMRIBE schemes, we found that there is no AMRIBE scheme achieving full-ID security with tight reduction against chosen-ciphertext attacks. Filling the gap is significant for the researches of AMRIBE in terms of both theoretical and practical aspects.
Most of the existing AMRIBEs are only proven to be secure in the weaker "selective-ID" model, where the attacker must commit to a target receiver set that it will attack at the beginning of the security game. The selective-ID model might not be appropriate for the attack model in a realistic environment, since the attackers should be able to adaptively choose their target after learning some information of the system. This characteristic is captured by another stronger model called the "full-ID" model, where the attacker chooses the target at the challenge phase rather than at the beginning. In [26,27], Boneh and Boyen show that a selective-ID secure IBE can also be proven to be full-ID secure. Roughly speaking, a challenger can make a guess on which identity, say $ID^*$, will be targeted at the challenge phase before it starts the simulation. If the adversary makes a query with $ID^*$ or does not activate the challenge phase with $ID^*$, then the simulation is aborted. However, this proof strategy makes the reduction "lossy," i.e., the reduction is not tight. Let $N$ be the number of allowed identities; then the reduction will lose a factor of $N$. That is, if the adversary wins the security game with advantage $\epsilon$, then the challenger only guarantees to solve the underlying hard problem with advantage $\epsilon' \le \epsilon/N$ (actually the analysis should take the running times into consideration. Here, we simply assume that the running times of the adversary and the challenger are asymptotically equivalent). More details can be found in [26,28].
A lossy reduction is not merely a theoretic problem; it also relates to the efficiency and efficacy of the entire system. We give a simple example for the (informal) analysis as follows. If we want to build an IBE system based on the DBDH assumption with 80-bit security level, and assume $N = 2^{160}$, then we need to adopt a DBDH-hard group whose order is $2^{240}$ due to the lossiness. This will make the entire system inefficient since we need a longer bit representation for the group of larger order [29]. Therefore, achieving tight reduction is a significant goal for an encryption scheme, since it affects both security and efficiency. The tight reduction allows one to construct an encryption scheme with the same security level as the underlying hard assumption. We refer the readers to [30] for more detailed examples. The consequence of a lossy reduction will be much worse when it comes to more complex primitives, such as AMRIBE. In the security game of AMRIBE, an adversary activates the challenge phase with $t$ receivers, where $t$ can be any positive number smaller than the number of the total possible identities. Assume that we set an identity to be an $n$-bit string; then a challenger needs to guess the target receiver set from $\sum_{t=1}^{2^n} \binom{2^n}{t} = 2^{2^n}$ different combinations.
This makes the scheme impractical, since either the bit length of the representation for the underlying group will be exponentially large, or the reduction will be successful only with negligible advantage in the security proof.

Contributions.
For both practical and theoretical reasons mentioned above, in this paper, we propose the first AMRIBE scheme achieving full-ID security in confidentiality and anonymity with tight reduction. It is worth noting that the security of our scheme is proven in the standard model, i.e., without random oracles. The random oracle model [31] is a heuristic and idealized model used to help prove the security of cryptographic primitives. In the security proofs, one usually models a cryptographic hash function as a random oracle. However, there are schemes proven secure in the random oracle model that are insecure when the random oracle is implemented with any hash function in the real world [32,33]. To the best of our knowledge, our scheme is the first and only one to achieve IND-MID-CCA/ANON-MID-CCA security (the abbreviation of "Indistinguishability under full-multi-ID chosen-ciphertext attacks" and "Anonymity under full-multi-ID chosen-ciphertext attacks") with tight reduction in the standard model. Besides, compared with other existing schemes, the encryption cost is low. Therefore, our scheme fits the scenario in which a sender frequently needs to send messages to a large number of users, such as e-mail systems with receiver anonymity.

Organization.
The remainder of this paper is organized as follows. Section 2 presents some preliminaries, specifically our security notions and the complexity assumptions that will be used in the security proofs. In Section 3, we introduce our AMRIBE scheme. Section 4 provides security proofs for the confidentiality and anonymity of our proposed scheme. Next, we show the comparison between our scheme and the existing works in properties and performances in Section 5. Finally, Section 6 concludes our work and provides future research directions.

Notations.
In this paper, we use multiplicative group representation. By $[m, n]$ where $m < n$, we mean the successive integer set from $m$ to $n$, i.e., $\{m, m + 1, \ldots, n\}$. Furthermore, for an integer $n$, $[n]$ denotes the integer set $\{1, 2, \ldots, n\}$. For a set $S$, by "$x \xleftarrow{\$} S$" we mean "choose $x$ uniformly from $S$". For an algorithm $A$, by "$x \leftarrow A$" we denote "$x$ is the output of $A$". For a bit-string $s$, we denote the $i$-th bit of $s$ as $s[i]$.

Bilinear Mapping
Definition 1. Let $G$, $G$, and $G_T$ be three multiplicative cyclic groups of prime order $p$. A bilinear map (pairing) $e: G \times G \to G_T$ satisfies the following properties, in which $g$, $g$ are generators of $G$, $G$, respectively.
(ii) Nondegeneracy: if $e(g, g) = 1_{G_T}$, the identity element of $G_T$, then either $g$ is the identity of $G$ or $g$ is the identity of $G$.
(iii) Computability: there exists an efficient algorithm to compute the function $e$.
In this paper, we use type 3 pairings [34,35], where $G \ne G$ and no efficiently computable isomorphisms between $G$ and $G$ are known.

Complexity Assumptions.
The security of the proposed scheme is based on a variant of the decisional bilinear Diffie-Hellman (DBDH) problem, called the DBDH-3 problem [36][37][38][39]. Let $G$, $G$, and $G_T$ be three multiplicative cyclic groups of prime order $p$, where $g$, $g$ are generators of $G$, $G$, respectively. Let $e: G \times G \to G_T$ be a type 3 pairing.
Definition 2 (a variant of DBDH problem in type 3 pairing groups-DBDH-3). Given $(g, g, g^a, g^b, g^b, g^c, g^c, Z)$, where $a, b, c \xleftarrow{\$}$ decide whether $Z = e(g, g)^{abc}$ or a random element in $G_T$.
We say that an algorithm $B$ that outputs a bit has the advantage $\epsilon$ in solving the DBDH-3 problem if
$$\Pr[B(g, g, g^a, g^b, g^b, g^c, g^c, e(g, g)^{abc}) = 1] - \Pr[B(g, g, g^a, g^b, g^b, g^c, g^c, Z \leftarrow G_T) = 1] \ge \epsilon. \quad (1)$$
Definition 3 (the DBDH-3 assumption). We say that the $(\tau, \epsilon)$-DBDH-3 assumption holds if no $\tau$-time algorithm has advantage at least $\epsilon$ in solving the DBDH-3 problem. We occasionally drop $(\tau, \epsilon)$ for simplicity.

Anonymous Multireceiver Identity-Based Encryption.
An AMRIBE scheme consists of the following algorithms:
(i) Setup($1^\lambda$): this algorithm takes as input a security parameter $\lambda$ and outputs the master secret key msk and the system parameter param. Note that all algorithms except Setup will implicitly take param as one of the inputs, and thus, we will omit the term param for simplicity.
(ii) KeyExtract(msk, ID): this algorithm takes as inputs the master secret key msk and an identity ID and then outputs the private key $d_{ID}$ for user ID.
Correctness. For all $C \leftarrow$ Encrypt($S$, $M$), $d_{ID} \leftarrow$ KeyExtract(msk, ID):
Confidentiality. Next, we will give the security definition for confidentiality. Consider the following game played between a challenger C and an adversary A. The security game consists of four phases as follows:
Setup: C generates the system parameter params and sends it to A.
Phase 1: A is allowed to make queries from the following oracles:
KeyExtract: A makes a KeyExtract query with an identity ID, and C returns the private key $d_{ID}$ to A.
Decrypt: A makes a Decrypt query with a ciphertext $C$ and an identity ID, and C returns the result of Decrypt($C$, $d_{ID}$).
Challenge: the adversary submits two messages $M_0$, $M_1$ with the same length and a target identity set $ID^* = \{ID^*_1, \ldots, ID^*_t\}$ for any positive integer $t$, with the restriction that all identities in $ID^*$ should not be submitted to the KeyExtract oracle in Phase 1. C then randomly chooses $\beta \in \{0, 1\}$ and generates $C^* \leftarrow$ Encrypt($ID^*$, $M_\beta$). Finally, $C^*$ is returned to A.
Phase 2: A is allowed to make queries as in Phase 1, except for KeyExtract queries with ID $\in ID^*$ and Decrypt queries with ($C^*$, ID $\in ID^*$).
Guess: finally, A outputs a bit $\beta'$ and wins the game if $\beta' = \beta$.
One can observe that the above game is modelled for the security notion IND-MID-CCA. The security games for IND-sMID-CCA and IND-MID-CPA can be obtained by forcing A to commit $ID^*$ before Setup and disallowing A to query the Decrypt oracle, respectively. The advantage of A winning the game is defined as

Security and Communication Networks
We say that an AMRIBE scheme is (τ, ϵ)-IND-MID-CCA secure if all τ-time adversaries have at most advantage ϵ in winning the above IND-MID-CCA game.

2.4.2.
Anonymity. Next, we define the anonymity for an AMRIBE. Consider the following game played between a challenger C and an adversary A. The security game consists of four phases as follows:
Setup: C generates the system parameter params and sends it to A.
Phase 1: A is allowed to make queries from the following oracles:
KeyExtract: A makes a KeyExtract query with an identity ID, and C returns the private key $d_{ID}$ to A.
Decrypt: A makes a Decrypt query with a ciphertext $C$ and an identity ID, and C returns the result of Decrypt($C$, $d_{ID}$).
Challenge: the adversary submits a message $M$, a target identity set $ID^* = \{ID^*_0, ID^*_1\}$, and an identity set $\{ID^*_2, \ldots, ID^*_t\}$ for any positive integer $t$, with the restriction that all identities in $ID^*$ should not be submitted to the KeyExtract oracle in Phase 1. C then randomly chooses
Phase 2: A is allowed to make queries as in Phase 1, except for KeyExtract queries with ID $\in ID^*$ and Decrypt queries with ($C^*$, ID $\in ID^*$).
Guess: finally, A outputs a bit $\beta'$ and wins the game if $\beta' = \beta$.
The above game is modelled for the security notion ANON-MID-CCA (the security games for ANON-sMID-CCA and ANON-MID-CPA can be obtained by forcing A to commit $ID^*$ before Setup and disallowing A to query the Decrypt oracle, respectively). The advantage of A winning the game is defined as follows:
We say that an AMRIBE scheme is $(\tau, \epsilon)$-ANON-MID-CCA secure if all $\tau$-time adversaries have at most advantage $\epsilon$ in winning the above ANON-MID-CCA game.

Remark 1.
Note that this definition is actually modelled against insider adversaries, since A is allowed to query the private key for $ID^*_2, \ldots, ID^*_t$, and the encrypted message $M$ is chosen by A.

Remark 2.
The ANON-MID-CCA game defined above is slightly different from some existing works, such as [19,20,22]. In their definition, A submits two different identity sets have not been queried to KeyExtract oracle. In our model, one can imagine that and thus, Actually, our model may be a stronger model since we allow an adversary to query as many private keys as possible, as long as the trivial way to win the game is kept from the adversary.

Tight Security Reduction.
In this section, we introduce the notion of tight security reduction. To prove the security of a cryptographic primitive, we usually construct a reduction between the security of the primitive and a well-studied hard assumption. That is, if there is an algorithm A that breaks the security of the primitive, then there exists an algorithm C that makes black-box use of A to solve the hard problem. Assume that the algorithm A breaks the primitive with advantage $\epsilon_A$ in time $\tau_A$, and the algorithm C breaks the assumption with advantage $\epsilon_C$ in time $\tau_C$. In a conventional sense [40], a reduction is said to be tight if $\epsilon_C \approx \epsilon_A$ and $\tau_C \approx \tau_A$. Another weaker notion of tight reduction is defined in [30,41]. The quality of a reduction can also be measured by the ratio between $(\tau_A/\epsilon_A)$ and $(\tau_C/\epsilon_C)$. Let In the above equation, "$\ell$" is the "loss" for the reduction. A reduction is efficient if the loss $\ell$ is polynomially bounded. If $\ell$ is constant, then the reduction is said to be weakly tight. From this definition, we can see why an efficient (or ideally, tight) reduction is important. We briefly explain the reason. Assume that $\tau_C \approx \tau_A$, then we have If $\ell$ is exponentially large, then $\epsilon_C$ may be negligible even if the adversary's advantage $\epsilon_A$ is nonnegligible, and we cannot base the security of our protocol on the underlying complexity assumptions.

Anonymous Multireceiver Identity-Based Encryption with Tight Reduction
In this section, we demonstrate a novel AMRIBE scheme with tight reduction. The proposed AMRIBE scheme is, to the best of our knowledge, the first such scheme with full security under tight reduction in the standard model.

The Proposed AMRIBE with Tight Reduction.
Let $G$, $G$, and $G_T$ be three cyclic multiplicative groups with prime order $p$ and $g$, $g$ be the generators of $G$, $G$, respectively. In this scheme, we adopt type 3 pairing, i.e., $e: G \times G \to G_T$. The proposed scheme consists of the following algorithms:
Setup($1^\lambda$): taking as input a security parameter $1^\lambda$, KGC performs as follows: (1) Choose $\alpha, \beta \xleftarrow{\$}$ .
and keep secret the master secret key msk $= (g, g^\alpha, \{I_i\}_{i \in [n]})$.
KeyExtract(msk, ID): taking as input the master secret key msk $= (g, g^\alpha, \{I_i\}_{i \in [n]})$ and an identity ID, KGC computes the private key for ID as follows. For convenience, given an identity ID, where the corresponding hash value
Encrypt($S$, $M$): taking as input an identity set $S = \{ID_1, \ldots, ID_t\}$ for a positive integer $t$ and a message $M \in G_T$, the sender performs as follows. For convenience, given an identity ID, where the corresponding hash value
Decrypt($C$, $d_{ID}$): taking as input a ciphertext $C = (C_0, C_1, C_2, \{C_{3,i}\}_{i \in [t]}, \Gamma)$ and a private key $d_{ID}$, a user ID performs as follows. For $i \in [t]$, compute $K' = e(C_{3,i}, d_{ID,1})/e(C_2, d_{ID,0})$ and $M' = (C_0/C_1) \cdot K'$. Then the user computes $h = H_1(C_0, C_1, C_2, C_{3,1}, \ldots, C_{3,t}, K', M')$ and checks whether $e(C_2, \Phi \cdot \Psi^{h'}) = e(g, \Gamma)$. If the equality holds, then output $M'$. If the equality does not hold for all $i \in [t]$, then output $\perp$.
Correctness. Assume that ID $\in S$ (say ID $= ID_i$) and $h_{ID} = H(ID)$. Note that $e(F(ID), g) = e(g, F(ID))$ since the discrete logarithms of both sides are equal. We have and thus Besides, the integrity of the ciphertext and the message can be verified by whether $e(C_2, \Phi \cdot \Psi^{h'}) = e(g, \Gamma)$.

Remark 3. In the computations of $F(ID) = \prod_{i \in [n]} I_i^{h[i]}$, it seems that lots of scalar operations for $G$ ($G$) must be performed. However, we can construct an index set Therefore, we can compute $F(ID)$ ($F(ID)$) using only at most $n$ cheap group operations.

Proof. Given $(g, g, g^a, g^b, g^b, g^c, g^c, Z)$, the challenger C simulates the following game for the adversary A:
(5) Set the master secret key msk $= (g, g^a, \{I_i\}_{i \in [n]})$.
Phase 1: in this phase, A is allowed to make queries from KeyExtract and Decrypt oracles. Since C knows the master secret key msk, it can easily answer KeyExtract and Decrypt queries in the same way as in the proposed scheme.
Challenge: A sends $(M_0, M_1)$ and a set of receivers $ID^* = \{ID^*_1, \ldots, ID^*_t\}$ for a positive integer $t$ to C, where $M_0$, $M_1$ are two distinct messages with the same length, and KeyExtract($ID^*_i$) has not been queried in Phase 1 for $i \in [t]$. Then C performs as follows:
(1) Choose $\beta \xleftarrow{\$}$ compute $C_0 = M_\beta \cdot Z$
(2) Compute $C_1 = Z/e(g^c, g^a)$, $K = 1/e(g^c, g^a)$
Phase 2: A makes the same queries as Phase 1. However, A is unable to query Decrypt($C^*$, ID) and KeyExtract(ID) for ID $\in ID^*$.
Guess: finally, A outputs a bit $\beta'$ and wins the game if $\beta' = \beta$. Then, C outputs 1 if A wins the game; otherwise, outputs 0.
Perfect simulation: since C has full control on the master secret key msk, KeyExtract oracle and Decrypt oracle can be simulated perfectly. As for the challenge ciphertext $C^*$, we implicitly set $s = c$. If $Z = e(g, g)^{abc}$, then we have that $(g^c, g^a)) = (e(g, g)^{abc}/e(g, g)^{ac}) = (e(g,$ Therefore, the challenge ciphertext $C^*$ is well formed. If $Z$ is a random element in $G_T$, then the distribution of $\beta$ is independent from A's view, and thus, the advantage will be 0.
Probability analysis: we then analyse the advantage that C breaks the DBDH-3 assumption. If $Z = e(g, g)^{abc}$, we
Time complexity: let $q_D$ be the maximum number of the Decrypt queries. Since in each Decrypt query, C needs to perform at most $4u$ pairings, where $u$ is the size of the receiver set, we have that $\tau' = \tau + O(q_D \cdot T_P)$, where $T_P$ is the time required for a pairing.
Tightness analysis: according to the definition given in Section 2.5, a reduction is said to be tight if $\epsilon' \approx \epsilon$ and $\tau' \approx \tau$. From the above analysis, we have that $\epsilon = \epsilon'$ and $\tau = \tau' - O(q_D \cdot T_P)$. Since the DBDH-3 problem is an assumed-to-be-hard problem, we have $\tau' = O(\exp(\lambda))$, where $\lambda$ is the security parameter and $\exp(\lambda)$ is an exponential function in $\lambda$. On the other hand, $q_D = O(\mathrm{poly}(\lambda))$ and $T_P = O(\mathrm{poly}'(\lambda))$, where $\mathrm{poly}(\lambda)$ and $\mathrm{poly}'(\lambda)$ are polynomials of $\lambda$. Therefore, we know that $\tau \approx \tau'$.

□
One may wonder whether, since the reduction algorithm is able to generate a private key for any ID and accept any IDs for the challenge ciphertext, it is possible that the reduction algorithm generates a private key for ID $\in ID^*$ and decrypts $C^*$ to check if $Z = e(g, g)^{abc}$. Note that our proof strategy is slightly similar to that of [28]. The challenge ciphertext is structured such that, if we decrypt $C^*$ with the private key for ID $\in ID^*$, the decryption procedure will succeed no matter what the value of $Z$ is. In the decryption algorithm, we recover the message $M = (C_0/C_1) \cdot K$. In the reduction algorithm, we can see that both $C_2$, $C_{3,i}$ are valid no matter what the value of $Z$ is. Thus, if we compute $K = e(C_{3,i}, d_{ID,1})/e(C_2, d_{ID,0})$, then we will have $K = 1/e(g, g)^{ac}$. It leads that

Theorem 2. The proposed AMRIBE scheme is $(\tau, \epsilon)$-ANON-MID-CCA secure in the standard model if the $(\tau', \epsilon')$-DBDH-3 assumption holds, where $\epsilon = \epsilon'$ and $\tau = \tau' - O(q_D \cdot T_P)$ ($q_D$ is the maximum number of Decrypt queries and $T_P$ is the time required for a pairing).
Proof. Given $(g, g, g^a, g^b, g^b, g^c, g^c, Z)$, the challenger C simulates the following game for the adversary A:
Setup: C performs as follows.
(5) Set the master secret key msk $= (g, g^a, \{I_i\}_{i \in [n]})$.
Phase 1: in this phase, A is allowed to make queries from KeyExtract and Decrypt oracles. Since C knows the master secret key msk, it can easily answer KeyExtract and Decrypt queries in the same way as in the proposed scheme.
Challenge: A sends $M$, $ID^* = \{ID^*_0, ID^*_1\}$, and a set of identities $\{ID^*_2, \ldots, ID^*_t\}$ for a positive integer $t$ to C, where KeyExtract($ID^*_i$) has not been queried in Phase 1 for $ID^*_i \in ID^*$. Then C performs as follows: $(g^c, g^a)), K = (1/e(g^c, g^a))$
Phase 2: A makes the same queries as Phase 1. However, A is unable to query Decrypt($C^*$, ID) and KeyExtract(ID) for ID $\in ID^*$.
Guess: finally, A outputs a bit $\beta'$ and wins the game if $\beta' = \beta$. Then C outputs 1 if A wins the game; otherwise, outputs 0.
Perfect simulation: since C has full control on the master secret key msk, KeyExtract oracle and Decrypt oracle can be simulated perfectly. As for the challenge ciphertext $C^*$, we implicitly set $s = c$. If $Z = e(g, g)^{abc}$, then we have that $(g^c, g^a)) = (e(g, g)^{abc}/e(g, g)^{ac}) = (e(g,$ Therefore, the challenge ciphertext $C^*$ is well formed. If $Z$ is a random element in $G_T$, then the distribution of $\beta$ is independent from A's view, and thus, the advantage will be 0.
Probability analysis: we then analyse the advantage that C breaks the DBDH-3 assumption. If $Z = e(g, g)^{abc}$, we Therefore, we have $\Pr[C(g, g, g^a, g^b, g^b, g^c, g^c, Z = e(g, g)^{abc}) = 1] - \Pr[C(g, g, g^a, g^b, g^b, g^c, g^c, Z \leftarrow G_T) = 1]$
Time complexity: let $q_D$ be the maximum number of the Decrypt queries. Since in each Decrypt query, C needs to perform at most $4u$ pairings, where $u$ is the size of the receiver set, we have that $\tau' = \tau + O(q_D \cdot T_P)$, where $T_P$ is the time required for a pairing.
Tightness analysis: according to the definition given in Section 2.5, a reduction is said to be tight if $\epsilon' \approx \epsilon$ and $\tau' \approx \tau$. From the above analysis, we have that $\epsilon = \epsilon'$ and $\tau = \tau' - O(q_D \cdot T_P)$. Since the DBDH-3 problem is an assumed-to-be-hard problem, we have $\tau' = O(\exp(\lambda))$, where $\lambda$ is the security parameter and $\exp(\lambda)$ is an exponential function in $\lambda$. On the other hand, $q_D = O(\mathrm{poly}(\lambda))$ and $T_P = O(\mathrm{poly}'(\lambda))$, where $\mathrm{poly}(\lambda)$ and $\mathrm{poly}'(\lambda)$ are polynomials of $\lambda$. Therefore, we know that $\tau \approx \tau'$.

Comparisons
In this section, we give comparisons of our schemes with the existing schemes in both properties and efficiency. The notations used in this section are shown in Table 1, and the comparisons for the properties and performances between our scheme and the existing works are shown in Tables 2 and 3, respectively. For convenience, we set the following scenario to quantify the efficiency. When a sender wants to share a file with $t$ receivers, she/he first encrypts a symmetric key using the Encrypt algorithm of an AMRIBE scheme and then encrypts the file with this symmetric key. The "Encryption Cost" means the computation cost to generate the ciphertext for the symmetric key, and the "Ciphertext Length" is the bit length of the ciphertext for the symmetric key. When a receiver wants to recover the shared file, she/he first recovers the symmetric key using the Decrypt algorithm of the AMRIBE scheme and then recovers the shared file. The "Decryption Cost" in the following tables means the computation cost to recover the symmetric key. In the comparison of computation cost, we mainly consider the costs of some heavy operations, such as scalar operations in $G$, $G$, $G_T$ and pairings, and omit some lightweight operations, such as hash functions and symmetric encryption. The reason is that the former are much more costly than the latter. To better evaluate the efficiency, we assume that the number of receivers for a ciphertext is $t = 100$ and an identity is a string with $n = 80$ bits. From [42], we have that $(T_s, T_G, T_P) = (0.55\ \text{ms}, 5.16\ \text{ms}, 5.05\ \text{ms})$ and $|G| = |G| = |G_T| = 256$ bits in prime order groups of 128-bit security level. Besides, we consider the implementation of a Map-To-Point function given in [2] as the Map-To-Point function used in these papers, and we have $T_{MTP} \approx 6T_s \approx 3.3$ ms. Some of the existing schemes use a symmetric encryption function to encrypt the message. For convenience, we assume that the message length and the symmetric key length are 256 bits.
Also we assume that the lengths of the outputs of hash functions and symmetric encryption function in these schemes are 256 bits.
That is, a receiver must try all $t$ ciphertext components for successful decryption if necessary.
From Table 2, one can observe that our scheme is the first one achieving full security against chosen-ciphertext attacks with tight reduction in the standard model. As we mentioned in the Introduction, those properties are significant from both theoretical and practical points of view. Besides, from Table 3, we can see that, compared with other existing schemes, the encryption cost is low. Therefore, our scheme fits the scenario in which a sender frequently needs to send messages to a large number of users, such as e-mail systems with receiver anonymity. However, the efficiency of the proposed scheme can be further improved in decryption cost, i.e., the decryption is almost the slowest among the existing schemes. Another disadvantage is that ours can only be implemented in groups supporting type 3 pairings, which is an additional requirement compared to other schemes. The symbol "◇" in Table 2 means that the scheme is claimed to achieve CCA security, but some problem is found. All the cryptanalysis for these schemes can be found in [17,49,51,52], except for [18,19]. We will give the cryptanalysis for [18,19] in Section 5.1.
Although the authors of [53] have claimed that their scheme achieves IND-CCA security, they did not prove the anonymity. Therefore, their work is not included in Tables 2 and 3.
Note that we do not list the schemes of [54,55] in our comparison table because their schemes do not meet the basic requirement of identity-based encryption. In [54], Chen et al. proposed two schemes, and in both of their schemes, the KeyGen algorithm needs a receiver set as one of the inputs. However, it is impossible for a user to know the receiver set, which will be decided in the future. There are two possibilities: one is that the KGC must be online to generate private keys when a user needs to decrypt, and the other is that all the ciphertexts must be encrypted for a fixed group. Both assumptions are impractical and run against the basic requirements of IBE. The problems of the schemes in [55] are the same as those of [54].
Some of the existing schemes [25,56] are claimed to be CCA secure; however, they actually achieve only CPA security. The reason is that, in their proofs, the partitioning paradigm is used. That is, all the identities will be separated into two disjoint groups, say group A and group B. The challenger can only generate private keys for IDs of group A, while it can only generate challenge ciphertexts for IDs of group B. When an adversary queries private keys with IDs of group B or challenge ciphertexts with IDs of group A, the challenger aborts the simulation. Therefore, if an adversary is only allowed to make decryption queries with IDs of group A, then that is actually equivalent to CPA security only.

Anonymity Analysis on He et al.'s AMRIBE Scheme.
In 2016, He et al. proposed a generic construction of AMRIBE [18], which is the preliminary version of [19]. The generic constructions given in the two papers are the same. Due to the page limitation, we give only a high-level overview on the cryptanalysis of He et al.'s AMRIBE scheme. We refer the readers to [18,19] for more details. The idea of our cryptanalysis is similar to that in [49], where Zhang et al. presented an algorithm for an insider adversary to break the anonymity of the scheme of Zhang and Takagi [50].
In He et al.'s scheme, the component associated with the encrypted message in a ciphertext is with the form The message $M$ is encrypted in $C^1_{ID_i}$ with the encryption algorithm of an IND-CPA secure IBE scheme, i.e., $C^1_{ID_i} \leftarrow \mathrm{IBE.Enc}(\overset{\frown}{\mathrm{Param}}, ID, svk \| \delta \| M)$, and $C^0_{ID_i} = H_2(e(g_1, H(ID_i))^r)$ is used for a selected receiver to confirm whether she herself is one of the receivers. However, in order to prove the IND-MID-CCA , M), which means an insider adversary is able to recover $r$ after successful decryption. Therefore, given an identity $ID^*$, an insider adversary can easily check whether $ID^*$ is also one of the receivers by checking if there exists $j \in [t]$, such that $C^1_{ID_j} = H_2(e(g_1, H(ID^*))^r)$.
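The membership check described above can be reproduced in a toy model. The following is an added illustration, not code from this paper or from He et al.: the exponent-based stand-in for the pairing, the function names, and the sample identities are all assumptions, and the step by which the insider recovers $r$ is modelled simply by handing $r$ over.

```python
import hashlib
import secrets

# Toy bilinear group, NOT secure: the element g^x is stored as its exponent x
# modulo the prime Q, so the pairing e(g^x, g^y) = gT^(x*y) is stored as x*y.
Q = 2**127 - 1  # Mersenne prime used as the toy group order (assumption)


def H(identity: str) -> int:
    """Hash an identity string to a nonzero group element (as an exponent)."""
    digest = hashlib.sha256(b"H|" + identity.encode()).digest()
    return int.from_bytes(digest, "big") % Q or 1


def pairing(x: int, y: int) -> int:
    """e(g^x, g^y) in the toy representation."""
    return (x * y) % Q


def gt_pow(z: int, k: int) -> int:
    """Raise a G_T element to the power k in the toy representation."""
    return (z * k) % Q


def H2(gt_element: int) -> bytes:
    """Hash a G_T element to a fixed-length tag."""
    return hashlib.sha256(b"H2|" + gt_element.to_bytes(16, "big")).digest()


def confirmation_tag(g1: int, identity: str, r: int) -> bytes:
    """H2(e(g1, H(ID))^r): the per-receiver confirmation component."""
    return H2(gt_pow(pairing(g1, H(identity)), r))


def encrypt_tags(g1: int, receivers):
    """Sender side: pick fresh randomness r and emit one tag per receiver.

    The tags are shuffled so that their position carries no information.
    Returns (r, tags); only the tags would be part of a ciphertext.
    """
    r = secrets.randbelow(Q - 1) + 1
    tags = [confirmation_tag(g1, rid, r) for rid in receivers]
    secrets.SystemRandom().shuffle(tags)
    return r, tags


def is_receiver(g1: int, tags, r: int, candidate: str) -> bool:
    """The check from the text: does some tag equal H2(e(g1, H(ID*))^r)?

    It needs only public values (g1, H, H2, the tags) plus r.
    """
    return confirmation_tag(g1, candidate, r) in tags


def demo():
    # Constructed sample data, not taken from the paper.
    g1 = secrets.randbelow(Q - 1) + 1  # public element g1
    receivers = ["alice@example.org", "bob@example.org", "carol@example.org"]
    candidates = ["bob@example.org", "dave@example.org",
                  "carol@example.org", "erin@example.org"]

    r, tags = encrypt_tags(g1, receivers)

    # Insider: a legitimate receiver who, as the text states, learns r after
    # decrypting. Every candidate identity can now be tested.
    with_r = {c: is_receiver(g1, tags, r, c) for c in candidates}

    # Same test with a different exponent: nothing matches.
    wrong_r = (r + 1) % Q or 1
    without_r = {c: is_receiver(g1, tags, wrong_r, c) for c in candidates}
    return with_r, without_r


if __name__ == "__main__":
    with_r, without_r = demo()
    print("with r   :", with_r)
    print("without r:", without_r)
```

With the correct $r$ the test separates receivers from non-receivers exactly, while any other exponent matches nothing, so in this model the loss of anonymity comes entirely from $r$ becoming known to a receiver.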

Conclusion
Multireceiver identity-based encryption is a one-to-many encryption mechanism which encrypts a message to multiple receivers at the same time efficiently and securely. Such encryption is useful in many applications, e.g., pay-per-view TV, video conferencing, and distance education. Under certain circumstances, users may wish to protect their identities from being revealed. To deal with this issue, Fan et al. first proposed the notion of anonymous multireceiver identity-based encryption and gave a concrete AMRIBE scheme. Since then, many research studies on these topics have been proposed.
In this paper, we give a novel fully secure AMRIBE scheme. To the best of our knowledge, it is the first and only scheme that achieves the IND-MID-CCA and the ANON-MID-CCA security in the standard model with tight reduction. Moreover, compared with other existing schemes, the encryption cost is low. Therefore, our scheme fits the scenario in which a sender frequently needs to send messages to a large number of users, such as e-mail systems with receiver anonymity. There are still some improvements that can be made to our schemes in the future. For instance, the efficiency of the proposed AMRIBE with tight reduction may be further improved, especially in the decryption cost. Besides, due to the threat of the supreme computing power of quantum computers, research on postquantum cryptographic primitives is becoming significant. Lots of postquantum ID-based schemes [57][58][59] have been proposed in the literature as well. Hence, another direction for our future research could be figuring out an AMRIBE scheme achieving tight security and CCA security in the postquantum setting.

Data Availability
No data were used to support this study.

Conflicts of Interest
The authors declare that they have no conflicts of interest.