Anonymous Certificate-Based Inner Product Broadcast Encryption

A broadcast encryption scheme enables a sender to distribute confidential content to a certain set of intended recipients. It has been applied in cloud computing, TV broadcasts, and many other scenarios. Inner product broadcast encryption combines the merits of both broadcast encryption and inner product encryption. However, it is crucial to reduce the computation cost and to take the recipient's privacy into consideration in the inner product broadcast encryption scheme. In order to address these problems, we focus on constructing a secure and practical inner product broadcast encryption scheme in this paper. First, we build an anonymous certificate-based inner product broadcast encryption scheme. In particular, we give the concrete construction and security analysis. Second, compared with the existing inner product broadcast encryption schemes, the proposed scheme has an advantage of anonymity. Security proofs show that the proposed scheme achieves confidentiality and anonymity against adaptive chosen-ciphertext attacks. Finally, we implement the proposed anonymous inner product broadcast encryption scheme and evaluate its performance. Test results show that the proposed scheme supports faster decryption operations and has higher efficiency.


Introduction
Broadcast encryption is an efficient way to make secure group-oriented communication by distributing confidential information in an open channel to a certain set of intended recipients that are selected by the sender. In a broadcast encryption scheme, the sender sends a ciphertext containing secret messages, and the ciphertext is only readable by privileged users. Broadcast encryption has been applied to various scenarios such as GPS, TV broadcasts, and radio broadcasts and may be potentially applied to the blockchain to perform one-to-many information exchange in some scenarios.
There are two types of broadcast encryption schemes in the literature: one is symmetric key broadcast encryption [1] and the other is public key broadcast encryption [2]. Symmetric key broadcast encryption generates private keys for all users through a trusted center, which also broadcasts messages to the intended recipients. Symmetric key broadcast encryption is infeasible for most broadcast scenarios because the trusted center is a possible single point of failure. In contrast, any user can be a sender in the public key broadcast encryption scheme. It overcomes the shortcoming of single-point failure in the symmetric key scheme. However, there are certificate management problems in the public key broadcast encryption scheme.
Functional encryption (FE) [3] is different from traditional encryption. In traditional encryption, only owners of legitimate keys are able to learn the whole underlying data by decrypting the ciphertext, while others obtain nothing. Functional encryption can control the amount of information in the ciphertext that is revealed to recipients. Furthermore, functional encryption for inner product (IPFE) enables the recipient to decrypt the ciphertext related to the vector $\vec{x}$ with the private key related to the vector $\vec{y}$. The recipient will only obtain the inner product $\langle \vec{x}, \vec{y} \rangle$ and nothing else.
Inner product encryption is simple, but it provides powerful functionality. IPFE has been suggested for many scenarios such as delegation of sensitive computation and biometric authentication [4][5][6]. In some application scenarios, besides the privacy of encrypted messages, it is also significant to consider the privacy of the function being computed. Function hiding is an essential property of functional encryption, which means that the secret key can also hide the function f, and no one can learn any unnecessary information about f [7]. In recent years, the notion of inner product broadcast encryption has been proposed [8]. One might think of a trivial solution which encrypts the message under the inner product encryption first and then encrypts the ciphertext with a broadcast encryption. However, this trivial solution has a security weakness: if a recipient exposes the result obtained from decrypting the broadcast encryption, whether on purpose or not, all users in the inner product encryption system would be able to calculate their inner product values with their private keys. The broadcast encryption for inner product avoids this security threat. It combines the merits of both broadcast encryption and inner product encryption. In the inner product broadcast encryption scheme, the recipient can only obtain the inner product associated with the encrypted message by providing their secret keys in the decryption period. The sender determines who can obtain the corresponding inner product value.
With the rapid development of information technology and the continuous upgrading of new techniques such as the Internet of Things (IoTs) and blockchain, broadcast encryption has been applied to these new scenarios to provide data security and to guarantee user privacy. In smart communities, it has been used by the information management center to send encrypted information to some units and individuals, which guarantees the secure transmission of information within the community [9]. In the blockchain, it has been applied to achieve group communication and protect the privacy of transaction data in the system [10]. As for the inner product broadcast encryption, it can determine who is able to obtain the plaintext and can give further protection to the plaintext. We pay attention to a personal skill evaluation system which was introduced and described in [8]. For instance, a student gets grades of mathematics 90, communication 80, and programming 60 that are represented by the private vector $\vec{y} = (90, 80, 60)$. If a company wants to know whether a student is suitable for an occupation, it can evaluate the student by computing the weighted average of the scores $\langle \vec{y}, \vec{x} \rangle = 90 \cdot 50\% + 80 \cdot 30\% + 60 \cdot 20\% = 81$, where $\vec{x} = (50\%, 30\%, 20\%)$ represents the weights of the above scores.

Motivation.
Broadcast encryption for the inner product has considerable application potential. Some research works have been undertaken to provide inner product broadcast encryption schemes, but there are shortcomings in the present schemes. First, to the best of our knowledge, the existing schemes do not take the recipient's identity privacy into consideration. Second, the existing scheme achieves selective CPA security. Third, the heavy decryption cost and large public parameters' size in the present schemes can bring down the efficiency for applications in which recipients' computing ability is limited, and they do not implement their proposed schemes for performance evaluation. Finally, the existing scheme constructed in the identity-based cryptosystem has a key escrow problem: the key generation center is able to decrypt all the encrypted messages in the system, in contrast to certificate-based schemes [11]. Certificate-based broadcast encryption has attracted more and more attention [12,13]. It has the feature of decentralization, which makes it more suitable to be applied in the blockchain, so we build our scheme in the certificate-based cryptosystem. The motivation of this paper is to build a more feasible inner product broadcast encryption scheme with the anonymity property. This new construction is also more suitable for scenarios whose broadcast plaintext needs further protection. The goals of our scheme can be summarized as follows:
(i) In terms of security, we aim to provide adaptive CCA security in the random oracle model
(ii) In the aspect of recipient privacy, we aim to provide anonymity: an encrypted broadcast message should hide who can access its contents; even users in the intended recipient set are not able to recognize other users' identities
(iii) In terms of efficiency, we aim to have lower computational overhead in the proposed scheme

1.2. Contribution.
To summarize, we make the following contributions in this paper:
(i) We design an efficient certificate-based inner product broadcast encryption (CBBE-IP) with anonymity property. Compared with the existing construction, the proposed anonymous scheme takes the recipient's identity privacy into consideration. A user cannot obtain other recipients' identities, even from each other in the set of authorized recipients in the proposed scheme. It achieves stronger privacy protection.
(ii) We give the formal proofs under the random oracle model to claim that our construction is confidential and anonymous. It is secure under the adaptive chosen-ciphertext attack.
(iii) We give the theoretical analysis of our proposed scheme's efficiency. We also implement both our scheme and the IBBE-IP scheme in Python and evaluate their performance. Experimental and theoretical analysis results show that the proposed scheme has higher efficiency, which enables faster decryption. In addition, our scheme has no restriction that the recipient number has to be less than vector length (n < d).

Related Work.
In recent years, great efforts have been devoted to constructing inner product encryption and broadcast encryption.
As for inner product encryption, Boneh et al. [3] took the formal study of functional encryption and gave precise definitions of the concept and security about functional encryption. Abdalla et al. [4] showed how to efficiently construct function encryption for the inner product under the standard assumption. Chotard et al. [14] introduced a primitive decentralized multiclient functional encryption (DMCFE) which combined techniques from private stream aggregation (PSA) and functional encryption for the inner product. The scheme can be applied in situations where multiple parties noninteractively share and update data.
Considering the function privacy, the notion of predicate privacy was first proposed by Shen et al. [15]. Since then, function-hiding inner product encryption has been deeply researched in numerous proposed papers. Bishop et al. [7] gave us the construction of secret-key function-hiding inner product encryption under the symmetric external Diffie-Hellman (SXDH) assumption in a quite weak and unrealistic security model. Datta et al. [16] proposed a simple and efficient private key IPE that has the strongest indistinguishability-based notion based on the SXDH assumption. Benhamouda et al. [17] proposed a generic construction of IND-CCA inner-product functional encryption from projective hash functions with homomorphic properties. Zhang et al. [18] proposed a generic construction of functional encryption for inner products that is IND-CCA secure. Abdalla et al. [19] proposed a novel methodology which is surprisingly simple and efficient to convert single-input IPE schemes into multi-input functional encryption (MIFE) schemes with the same functionality. Datta et al. [20] developed two nongeneric and practically efficient private key inner product MIFE schemes that first simultaneously achieved message and function privacy. Wang et al. [21] proposed two adaptively CCA-secure functional encryptions in the PKE and SKE settings, respectively. Kim et al. [5] focused on the practical applications of the above schemes; they proposed a fully secure, function-hiding inner product encryption scheme which has obviously shorter secret keys and ciphertexts compared with the existing schemes.
As for broadcast encryption, Fiat and Naor [1] gave the primitive formal definition of broadcast encryption which was a kind of symmetric key broadcast encryption. Naor and Pinkas [2] proposed the first public key broadcast encryption. Gay et al. [22] constructed a new scheme which was the first public key broadcast encryption scheme with constant size of the ciphertext and secret keys.
There have been considerable efforts devoted to building broadcast encryption such as identity-based broadcast encryption (IBBE), attribute-based broadcast encryption (ABBE), and certificate-based broadcast encryption (CBBE) with various functions. Delerablee [23] gave the first constant size of private keys and ciphertext. It is an identity-based broadcast encryption scheme with selective CPA security. Jiang et al. [24] proposed a keyword search identity-based broadcast encryption against insider attacks for cloud database systems. Lubicz and Sirvent [25] put forward the concept of attribute-based broadcast encryption by describing the group of privileged users through attributes. It allows one to select or revoke users. Xiong et al. [26] proposed a ciphertext-policy attribute-based encryption (CP-ABE) that, for the first time, realized partial policy hiding, direct revocation, and secure delegation simultaneously in edge computing. There have also been many more recent studies considering the case of ABBE in many fields [27,28]. Barth et al. [29] took the user anonymity into consideration in broadcast encryption and put forward the concept of privacy in the broadcast encryption scheme. The intended recipients' identities are not revealed in this scheme. Sur et al. [30] constructed the first certificate-based multireceiver encryption without formal definitions and proofs to the security. Then, Fan et al. [12] proposed an anonymous CBBE which defined the security models and offered formal proofs to all properties including anonymity. However, it only achieves CPA security and has expensive decryption cost. Zhu et al. [31] proposed adaptive security in the multichallenge setting with constant-size ciphertext header which is a strong security notion for broadcast encryption. Li et al. [32] put forward an anonymous CBBE scheme with constant decryption cost and adaptive CCA security. The CBBE construction avoids key escrow problems of identity-based broadcast encryption. Deng [9] constructed an anonymous certificateless multireceiver encryption scheme for smart community management systems.
Jin and Yu-pu [33] proposed the notion of broadcast encryption for inner product predicate encryption under the standard model in 2012. The intended recipients output the plaintext via decryption in the scheme. Then, Lai et al. [8] constructed the first broadcast encryption for inner product scheme (IBBE-IP) under the random oracle model in 2018. It combines the IBBE [23] scheme and the inner product encryption (IPE) [4] scheme which outputs the real value of the inner product via decryption to the user and is a special functional encryption that has potential practical applications. However, the existing inner product broadcast encryption scheme and the inner product predicate broadcast encryption scheme do not take users' identity privacy into consideration. In this paper, we explore how to construct a more efficient and secure scheme of inner product broadcast encryption in order to extend its application scenarios.

Organization.
We first recall some necessary preliminaries in Section 2, and then in Section 3, we describe the formal definitions and security model of our broadcast encryption scheme. In Section 4, we give the concrete construction of our scheme. We give the detailed security proof in Section 5. We then implement our broadcast encryption scheme and analyze its performance in Section 6. Conclusions are drawn in Section 7 where we also suggest further work.

Preliminaries
2.1. Notations. Notations in this paper are presented in Table 1.

Security and Communication Networks 3
Suppose that the sender distributes secret messages to a certain set of recipients. Let $n$ denote the number of intended recipients in set $S$, and let vector length $d$ denote the length of vectors $\vec{x}$ and $\vec{y}$.

Bilinear Groups.
Let $G$ and $G_T$ be two cyclic groups with prime order $q$. $g \in G$ is the generator of group $G$, and $e: G \times G \to G_T$. The symmetric bilinear group $(G, G_T, q, e)$ has the following properties:
(1) The map $e$ is bilinear: for all $a, b \in \mathbb{Z}_q$ and $u, v \in G$, we have that $e(u^a, v^b) = e(u, v)^{ab}$
(2) The map $e$ is nondegenerate: $e(g, g) \neq 1$
(3) There exists an efficient algorithm to compute $e(u, v)$, for any $u, v \in G$
We also briefly review the definition of vectors of group elements [34]. Let $G$ be a cyclic group of prime order $q$, $g \in G$ be an element of group $G$, and vector where $d$ is a natural number. Let $g^{\vec{x}}$ denote the vector of group elements $(g^{x_1}, \ldots, g^{x_d})$. For any scalar $t \in \mathbb{N}$ and $\vec{x}$, $\vec{y}$, let (1)

Security Assumption
Definition 1 (discrete logarithm (DL) problem). Given $g, h \in G$, the DL problem in $G$ is to find $x$ (if it exists) such that $g^x = h$. The advantage of any probabilistic polynomial-time (PPT) algorithm $B$ in solving the DL problem in $G$ is defined as $\mathrm{Adv}^{DL}_{B}$. The DL assumption is that, for any PPT algorithm $B$, $\mathrm{Adv}^{DL}_{B}$ is negligible.
Definition 2 (computational bilinear Diffie-Hellman (CBDH) problem). Given $g, g^a, g^b, g^c \in G$ for unknown $a, b, c \in \mathbb{Z}_p^*$, the CBDH problem in $(G, G_T)$ is to compute $e(g, g)^{abc} \in G_T$. The advantage of any probabilistic polynomial-time (PPT) algorithm $B$ in solving the CBDH problem in $(G, G_T)$ is defined as $\mathrm{Adv}^{CBDH}_{B} = \Pr[B(g, g^a, g^b, g^c) = e(g, g)^{abc} \mid a, b, c \in \mathbb{Z}_p^*]$. The CBDH assumption is that, for any PPT algorithm $B$, $\mathrm{Adv}^{CBDH}_{B}$ is negligible.

IND-CCA Security of Inner Product Encryption.
We review the IND-CCA security of inner product encryption [18]. The security against chosen-ciphertext attacks is defined via a game played by an adversary $A$ and a challenger $C$. An inner product encryption scheme is indistinguishable under adaptive chosen-ciphertext attacks if $\mathrm{Adv}^{IND-CCA}_{A}$ is negligible for every adversary $A$ winning Game 1 in polynomial time.
The advantage of $A$ winning Game 1 is 1 is described as the following:
(1) The challenger $C$ runs the Setup ($1^\lambda$, $S$) to generate public parameters pp and master secret key MSK. Then, it sends pp to the adversary $A$.
(2) The adversary $A$ adaptively queries the key generation oracle for the functional secret key $sk_{\vec{x}}$ with the restriction that $A$ can only query the secret key in where $\vec{y}_0$ and $\vec{y}_1$ are the target plaintexts. $A$ can also ask $C$ to decrypt a ciphertext $ct_{\vec{y}}'$ to obtain $\langle \vec{x}, \vec{y} \rangle$ via the decryption oracle.
(3) The adversary $A$ outputs two target plaintexts $\vec{y}_0$ and $\vec{y}_1$.
(4) The challenger $C$ randomly selects a bit $b \in \{0, 1\}$ and generates a target ciphertext ct. Then, $C$ passes ct to the adversary $A$.
(5) The adversary $A$ can continue to query the key generation oracle with the same restriction as before. $A$ can also query the decryption oracle with the restriction that $A$ cannot query the target ciphertext ct.
(6) The adversary $A$ outputs a bit $b'$, and $A$ wins if $b = b'$.

Certificate-Based Broadcast Encryption.
The certificate-based broadcast encryption scheme [12,32] contains the following algorithms:
(i) Setup ($1^\lambda$): it inputs the security parameter $\lambda$ and outputs the public parameters params and the master secret key msk.
(ii) KeyGen (params, $ID_i$): it inputs the public parameters params and identity information $ID_i$. This algorithm outputs a key pair $(pk_i, sk_i)$.
(iii) Certify (params, msk, $ID_i$, $pk_i$): it inputs the public parameters params, master secret key msk, identity information $ID_i$, and public key $pk_i$. The algorithm outputs a certificate $Cert_i$.

2.6. Inner Product Encryption.
We briefly recall the definition of the secret-key inner product encryption scheme [5]. It is shown as follows: As we can see from the above definition of the inner product encryption scheme, secret keys are associated with the vector $\vec{x}$, and the encrypted message is associated with the vector $\vec{y}$. Given a secret key for $\vec{x}$ and the ciphertext for $\vec{y}$, the recipient obtains the inner product value $\langle \vec{x}, \vec{y} \rangle$ via decryption. Note that the inner product encryption used in our scheme is different from the inner product predicate encryption scheme proposed by Okamoto and Takashima [35]. In the inner product predicate encryption scheme, a message $m$ is encrypted with a tag $\vec{y}$, and the decryption key is associated with vector $\vec{x}$. The recipient can recover the message $m$ only if $\langle \vec{x}, \vec{y} \rangle = 0$.

Formal Definition.
The system model of our proposed scheme is shown in Figure 1. The formal definition of our scheme is shown as follows: it inputs a security parameter $\lambda$ and vector length $d$. This algorithm outputs public parameters pp and master secret key MSK. Certificate authority (CA) runs this algorithm. It publishes pp and keeps MSK.
it inputs public parameters pp, a vector $\vec{x}_i$, and an identity $ID_i$. $\vec{x}_i$ is kept secret, and it is not allowed to be known by others. It outputs secret keys $SK_i = (SK_{1i}, SK_{2i})$ in addition to public keys This algorithm is executed by users.
(iii) CertGen (pp, MSK, $ID_i$, $K_i$): it inputs public parameters pp, a master secret key MSK, a user's identity $ID_i$, and public keys $K_{1i}$ and $K_{2i}$. It outputs certificate $Cert_i$. This algorithm is executed by CA. Users obtain their certificates from the CA. The certificate is anonymous because no one except the CA is able to obtain the user identity from its certificate. The certificate plays a role as a portion of the user's keys. Though the CA generates the certificate for each user, it is not able to decrypt the ciphertext.
(iv) Encrypt (pp, $\vec{y}$, $S$, $K_i$): it inputs public parameters pp, a vector $\vec{y} \in \mathbb{Z}_q^d$ as the plaintext, the intended recipient set $S$, and public keys $K_{1i}$ and $K_{2i}$. It outputs ciphertext CT. This algorithm is executed by the sender.
(v) Decrypt (pp, CT, $ID_i$, $SK_i$, $Cert_i$): it inputs public parameters pp, a ciphertext CT, a user identity $ID_i$, a certificate $Cert_i$, and secret keys $SK_{1i}$ and $SK_{2i}$. If $ID_i$ is an intended recipient, it will obtain the corresponding inner product value of the related message. Otherwise, it outputs $\perp$.

Security Model.
The security of our proposed scheme requires confidentiality and anonymity. Confidentiality means that, for an encrypted message which is associated with $\vec{y}$, only the intended recipients in $S$ can obtain $\langle \vec{x}, \vec{y} \rangle$ through the decryption using their secret keys that are associated with $\vec{x}$. We give the definition for confidentiality of our proposed scheme via IND-CBIP-CCA Game 1 and IND-CBIP-CCA Game 2. Anonymity means that all users, even users in $S$, are not able to recognize who is the intended recipient. In our scheme, the vector $\vec{x}_i$ is kept secret by users, and it cannot be known by others though it may have an implied relationship with user identity information; we do not consider $\vec{x}_i$ in anonymity games. In contrast, the user identifier $ID_i$ is public, so we consider the user identifier $ID_i$ in anonymity games. We give the definition for anonymity of our proposed scheme via ANO-CBIP-CCA Game 1 and ANO-CBIP-CCA Game 2.
The security model of our proposed scheme contains two adversaries $A_1$ and $A_2$. $A_1$ is an uncertified user with no access to the master key. It can replace any user's public key and query any user's secret key. $A_1$ can also query any user's certificate except the target user's certificate. $A_1$ can make the decryption query of any broadcast ciphertext except the target broadcast ciphertext. $A_2$ is a malicious certifier that has a master key. It can generate any user's certificate. $A_2$ is not able to replace any user's public key, but it can query any user's secret key except the target user. $A_2$ can also perform the broadcast ciphertext's decryption query except the target broadcast ciphertext.
IND-CBIP-CCA Game 1 is played by a challenger $C$ and an adversary $A_1$.
Setup: $C$ runs the Setup ($1^\lambda$, $d$) algorithm, gives $A_1$ the generated public parameters pp, and keeps the generated master secret key MSK with itself.
Phase 1: $A_1$ adaptively launches the following queries to $C$. $C$ maintains a list $L_1 = (ID_i, K_i, SK_i, T_i)$ in order to answer queries. We denote public key : public keys' replacing query: on inputting $ID_i$ and a public key $K_i'$ randomly chosen by $A_1$, $C$ updates the item $(ID_i, K_i', \perp, 1)$ which is related to $ID_i$ in $L_1$.
$O_{SecretKey}(ID_i)$: secret keys' query: on inputting $ID_i$, $C$ does the following things to answer the query. It searches the item ( certificate query: on inputting $ID_i$, in order to make a response to the query, $C$ searches the item Then, it executes CertGen(pp, MSK, $ID_i$, $K_i$) and returns the generated { } at random. Then, it executes Encrypt(pp, $M_\mu$, $S^*$, $K_i$) and returns the generated challenge ciphertext $CT^*$ to $A_1$.
Phase 2: $A_1$ issues a set of queries adaptively as in Phase 1. However, it is forbidden to query $Cert_i$ of $ID_i$ in $S^*$ or decryption of $ID_i$ in $S^*$.
Guess: $A_1$ outputs a guess $\mu' \in \{0, 1\}$. It wins the game if $\mu' = \mu$. We define $A_1$'s advantage in attacking the scheme to win IND-CBIP-CCA Game 1 as
IND-CBIP-CCA Game 2 is played by a challenger $C$ and an adversary $A_2$.
Setup: $C$ runs the Setup ($1^\lambda$, $d$) algorithm and gives $A_2$ the generated public parameters pp and the generated master secret key MSK.
Phase 1: $A_2$ adaptively launches the following queries to $C$. $C$ maintains list $L_2 = (ID_i, K_i, SK_i)$ for answering queries. We denote $K_i = (K_{1i}, K_{2i})$ and $SK_i = (SK_{1i}, SK_{2i})$. $L_2$ was empty when it was initialized.
$O_{SecretKey}(ID_i)$: secret keys' query: on inputting $ID_i$, in order to make a response to the query, $C$ searches item
$O_{Decrypt}(ID_i, CT)$: decrypt query: on inputting $ID_i$ and ciphertext CT, $C$ does the following things to answer the query. It searches the item $(ID_i, K_i, SK_i)$ in $L_2$, executes CertGen(pp, MSK, $ID_i$, $K_i$), and generates $Cert_i$ of $ID_i$. Then, $C$ executes Decrypt(pp, CT, $ID_i$, $SK_i$, $Cert_i$) to decrypt CT. It sends the decryption result to $A_2$.
Challenge: $A_2$ sends a challenge recipient set { } at random. Then, it executes Encrypt(pp, $M_\mu$, $S^*$, $K_i$) and returns the generated challenge ciphertext $CT^*$ to $A_2$.
Phase 2: $A_2$ issues a set of queries adaptively as in Phase 1. However, it is forbidden to query $SK_i$ of $ID_i$ in $S^*$ or decryption of $ID_i$ in $S^*$.
Guess: $A_2$ outputs a guess $\mu' \in \{0, 1\}$. It wins the game if $\mu' = \mu$. We define $A_2$'s advantage in attacking the scheme to win IND-CBIP-CCA Game 2 as

Definition 4. We say that our proposed scheme is IND-
ANO-CBIP-CCA Game 1 is played by a challenger $C$ and an adversary $A_1$.
Setup: $C$ runs the Setup ($1^\lambda$, $d$) algorithm, gives $A_1$ the generated public parameters pp, and keeps the generated master secret key MSK with itself.
Phase 1: $A_1$ adaptively launches the following queries to $C$. $C$ maintains a list $L_1 = (ID_i, K_i, SK_i, T_i)$ in order to answer queries. We denote public key $K_i = (K_{1i}, K_{2i})$ and secret key $SK_i = (SK_{1i}, SK_{2i})$. If $T_i = 0$, it represents that $K_i$ has not been replaced by $A_1$, while $T_i = 1$ means that $A_1$ has made replacement of $K_i$. $L_1$ was empty when it was initialized.
: public keys' replacing query: on inputting $ID_i$ and a public key $K_i'$ randomly chosen by secret keys' query: on inputting $ID_i$, $C$ does the following things to answer the query. It searches the item ( Then, it executes CertGen(pp, MSK, $ID_i$, $K_i$) and returns the generated certificate $Cert_i$ to $A_1$.
$O_{Decrypt}(ID_i, CT)$: decrypt query: on inputting $ID_i$ and ciphertext CT, $C$ searches the item $(ID_i, K_i, SK_i, T_i)$ in $L_1$. If $T_i = 1$, $A_1$ has made replacement of $K_i$, and it should give corresponding $SK_i$ of $K_i$ to $C$. $C$ executes CertGen(pp, MSK, $ID_i$, $K_i$) and generates $Cert_i$ of $ID_i$. Then, it runs Decrypt(pp, CT, $ID_i$, $SK_i$, $Cert_i$) to decrypt CT and sends the decryption result to $A_1$.
and returns the generated challenge ciphertext $CT^*$ to $A_1$.
Phase 2: $A_1$ issues a set of queries adaptively as in Phase 1 with the constraint that it is not able to query $Cert_i$ of It wins the game if $\mu' = \mu$. We define $A_1$'s advantage in attacking the scheme to win ANO-CBIP-CCA Game 1 as
ANO-CBIP-CCA Game 2 is played by a challenger $C$ and an adversary $A_2$.
Setup: $C$ runs the Setup ($1^\lambda$, $d$) algorithm and gives $A_2$ the generated public parameters pp and the generated master secret key MSK.
Phase 1: $A_2$ adaptively launches the following queries to $C$. $C$ maintains list $L_2 = (ID_i, K_i, SK_i)$ for answering queries. We denote $K_i = (K_{1i}, K_{2i})$ and $SK_i = (SK_{1i}, SK_{2i})$. $L_2$ was empty when it was initialized.
It executes CertGen(pp, MSK, $ID_i$, $K_i$) and generates $Cert_i$ for $ID_i$. Then, $C$ executes Decrypt(pp, CT, $ID_i$, $SK_i$, $Cert_i$) to decrypt CT. It sends the decryption result to $A_2$.
Challenge: $A_2$ sends a challenge recipient set $S = \{ID_1, \ldots, ID_n\}$, two user identities $(ID_0^*, ID_1^*)$, and a message $M = \vec{y}$ to $C$ with the constraint that $A_2$ has not queried $SK_i$ of $ID_i$ in $S \cup (ID_0^*, ID_1^*)$ in Phase 1. $C$ selects a bit $\mu \in \{0, 1\}$ at random and sets $S_\mu^* = ID_\mu^* \cup S$. Then, it executes Encrypt(pp, $M$, $S_\mu^*$, $K_i$) and returns the generated challenge ciphertext $CT^*$ to $A_2$.
Phase 2: $A_2$ issues a set of queries adaptively as in Phase 1 with the constraint that it is not able to query $SK_i$ of $ID_i$ in $S \cup (ID_0^*, ID_1^*)$ or decryption of $ID_i$ in $S \cup (ID_0^*, ID_1^*)$.
Guess: $A_2$ outputs a guess $\mu' \in \{0, 1\}$. It wins the game if $\mu' = \mu$. We define $A_2$'s advantage in attacking the scheme to win ANO-CBIP-CCA Game 2 as Adv ANO− CBIP− CCA

Our Certificate-Based Inner Product Broadcast Encryption Scheme
In this section, we present the concrete construction of our proposed scheme as follows.
Setup ($1^\lambda$, $d$): taking the security parameter $\lambda$ and vector length $d$ as the input, the CA performs the following tasks:
(1) Generate symmetric cyclic bilinear groups $G$ and $G_T$ with order $q$. The large prime $q$ is $\lambda$ bits. $g$ is a generator of group $G$, $e: G \times G \to G_T$ is a bilinear map, and $g_T = e(g, g)$.
(2) Choose $c \in \mathbb{Z}_q^*$ randomly. Calculate $g_1 = g^c$.
(3) Select four cryptographic hash functions with forms as
It generates secret keys $SK_i = (SK_{1i}, SK_{2i})$ and public keys $K_i = (K_{1i}, K_{2i})$ by the following steps:
(1) Calculate $SK_{1i} = \alpha_i$ and $SK_{2i} = \alpha_i \vec{x}_i$ as secret keys
(2) Compute $K_{1i} = g^{SK_{1i}}$ and $K_{2i} = g^{SK_{2i}}$ as public keys
CertGen (pp, MSK, $ID_i$, $K_i$): taking public parameters pp, a master secret key MSK, a user's identity $ID_i$, and public keys $K_{1i}$ and $K_{2i}$ as the input, the CA computes
Encrypt (pp, $\vec{y}$, $S$, $K$): taking the public parameters pp, a vector $\vec{y} \in \mathbb{Z}_q^d$, the intended recipient set $S$, and public keys $K_{1i}$ and $K_{2i}$ as the input, the sender executes the algorithm to output a ciphertext CT. We suppose $S = \{ID_1, ID_2, \ldots, ID_n\}$.
First, the sender computes $Q_i = H_1(ID_i, K_{1i}, K_{2i})$ and $R_i = H_2(ID_i, K_{1i}, K_{2i}, g_1)$ for every intended recipient $ID_i$.
Next, the sender chooses $k \in G_T$ and $\beta \in \mathbb{Z}_q^*$ at random. It selects $r_i \in \mathbb{Z}_q^*$ at random and computes $\chi_i = e(g, Q_i^{-r_i}) \cdot e(K_{1i}, R_i)^{-r_i}$. Then, the sender computes ciphertext CT as shown in equations: $CT = (C_1, C_2, \ldots, C_n)$.
Decrypt (pp, CT, $ID_i$, $SK_i$, $Cert_i$): taking the public parameters pp, a ciphertext CT, a user's identity $ID_i$, a certificate $Cert_i$, and secret keys $SK_{1i}$ and $SK_{2i}$ as the input, the user performs the following steps.
First, the user calculates Next, the user computes $H_4(\chi_i')$. If the user is not an intended recipient, it is not able to find the same value $H_4(\chi_i)$ in CT and is not able to determine the corresponding $C_{i,1}$ and $C_{i,2}$ of $H_4(\chi_i')$. Then, it outputs $\perp$. Otherwise, the user utilizes $H_4(\chi_i')$ to locate its associated $C_i$ by relationships among $H_4(\chi_i')$, $C_{i,1}$, and $C_{i,2}$ in $C_i$. Then, the user computes $D_{i,1} = C_{i,1} \cdot e(C_{i,0}, Cert_i)$ and Then, the user calculates $C_{i,0}'$ as the following: Finally, if $C_{i,0}' = C_{i,0}$, the user calculates $z \in T$ which satisfies $(D_{i,1})^z = D_{i,2}$. Let $T$ be a polynomial-sized subset of $\mathbb{Z}_q$. If there exists $z \in T$, the algorithm outputs $z$. Otherwise, it outputs $\perp$.
Correctness: our proposed scheme is said to satisfy the correct condition if the following equation holds: Meanwhile, it requires the plaintext vectors to satisfy $\langle \vec{x}_i, \vec{y} \rangle \in T$, for polynomially sized $T$.
For any $SK_{1i}$, $SK_{2i}$ and $K_{1i}$, $K_{2i}$, we have If $\langle \vec{x}_i, \vec{y} \rangle \in T$, the decryption algorithm outputs inner product value $\langle \vec{x}_i, \vec{y} \rangle$ by the baby-step giant-step algorithm. It is efficient since $|T| = \mathrm{poly}(\lambda)$.
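The last decryption step recovers the inner product as a discrete logarithm bounded by T, which is why T must be polynomially sized. The following is an added example, not code from the paper or its Python implementation: it runs baby-step giant-step over a toy group (integers modulo a small safe prime standing in for G_T), and the function names, the base exponent 123457, and the way the target element is formed from encoded coordinates are assumptions made for illustration.

```python
from math import isqrt


def is_prime(n):
    """Trial division; adequate for the toy-sized moduli used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    return all(n % f for f in range(3, isqrt(n) + 1, 2))


def toy_group(bits=24):
    """Return (p, q, g) with p = 2q + 1 a safe prime and g of prime order q.

    Toy parameters only: a real deployment uses a pairing target group of
    cryptographic size, as in the scheme's Setup.
    """
    q = (1 << bits) + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    # 4 = 2^2 is a quadratic residue different from 1, so its order is q.
    return 2 * q + 1, q, 4


def inner_product_in_exponent(encoded_y, x, p):
    """Given encoded_y[j] = d1^(y_j) mod p, return d1^<x, y> mod p."""
    acc = 1
    for c_j, x_j in zip(encoded_y, x):
        acc = acc * pow(c_j, x_j, p) % p
    return acc


def bounded_dlog(d1, d2, bound, p):
    """Baby-step giant-step search for z in [0, bound] with d1^z = d2 mod p.

    Returns None (the scheme's "bottom" output) when no such z exists.
    Cost is about 2 * sqrt(bound) group operations and sqrt(bound) memory.
    """
    m = isqrt(bound) + 1
    baby = {}
    cur = 1
    for j in range(m):                      # baby steps: d1^j for 0 <= j < m
        baby.setdefault(cur, j)
        cur = cur * d1 % p
    giant = pow(pow(d1, p - 2, p), m, p)    # d1^(-m), inverse via Fermat
    gamma = d2
    for i in range(m):                      # giant steps: d2 * d1^(-i*m)
        j = baby.get(gamma)
        if j is not None and i * m + j <= bound:
            return i * m + j
        gamma = gamma * giant % p
    return None


def demo():
    """Recover the skill-evaluation inner product from its group encoding."""
    p, q, g = toy_group()
    d1 = pow(g, 123457, p)                  # constructed stand-in for the base
    y = (90, 80, 60)                        # grades from the page's example
    x = (50, 30, 20)                        # weights in percent, as integers
    encoded_y = [pow(d1, y_j, p) for y_j in y]
    d2 = inner_product_in_exponent(encoded_y, x, p)
    in_range = bounded_dlog(d1, d2, 10_000, p)   # T = [0, 10000]
    too_small = bounded_dlog(d1, d2, 5_000, p)   # T = [0, 5000] misses 8100
    return in_range, too_small


if __name__ == "__main__":
    print(demo())
```

The recovered value 8100 is the page's weighted score 81 scaled by 100, because the percentage weights are used as integers.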

Security Analysis
Now, we prove the confidentiality and anonymity of our scheme through the security models defined in Section 3. Our proof strategy draws inspiration from the CBBE scheme [32]. First, the confidentiality of our scheme will be proved through IND-CBIP-CCA Game 1 and IND-CBIP-CCA Game 2 defined in Section 3.
Proof. Suppose that there exists an adversary $A_1$ that can break the proposed scheme in IND-CBIP-CCA Game 1 with advantage ε. We build an algorithm B to solve the CBDH problem by running $A_1$. Given as the input a problem instance $(g, g^a, g^b, g^c)$, B needs to simulate a challenger C and all oracles. It works as follows.
Setup: B executes the $\mathrm{Setup}(1^\lambda, d)$ algorithm and outputs $(q, G, G_T, e)$. We note that $g$ is the generator of $G$, and $g_1 = g^c$. Then, B computes $g_T = e(g, g)$ and picks index $\ell \in \{1, 2, \ldots, q_{H_1}\}$ at random. B controls random oracles $H_i$ $(i = 1, 2, 3, 4)$. It also publishes system public parameters $pp = (G, G_T, d, q, g, e, g_T, g_1, H_1, H_2, H_3, H_4)$ and keeps master secret key $MSK = c$.
$H_1$ query: $A_1$ makes the $H_1$ query adaptively. B responds to $A_1$'s query on $(ID_i, K_i)$ as shown below. B maintains the list $L_{H_1} = (ID_i, K_i, Q_i, Cert_i)$. If the query $ID_i$ appears on $L_{H_1}$ in an item $(ID_i, K_i, Q_i, Cert_i)$, it returns corresponding $Q_i$ to $A_1$. Otherwise, if the query is on $ID_\ell$, B sets $Q_\ell = g^b$, returns $Q_\ell$ to $A_1$, and adds $(ID_\ell, K_\ell, Q_\ell, \perp)$ to $L_{H_1}$. Note that $K_\ell = (K_{1\ell}, K_{2\ell})$. Otherwise, B does the following things:
(1) Select $t_i \in \mathbb{Z}_p^*$ at random. Let $Q_i = g^{t_i}$ and $Cert_i = (g^a)^{t_i}$.
(2) Add the tuple $(ID_i, K_i, Q_i, Cert_i)$ to $L_{H_1}$ and respond with $Q_i$ to $A_1$.
$H_2$ query: $A_1$ makes $H_2$ query adaptively. B makes a response to $A_1$'s query on $(ID_i, K_i, g_1)$ as shown below. B maintains the list $L_{H_2} = (ID_i, K_i, v_i, R_i)$. If the query $(ID_i, K_i)$ appears on $L_{H_2}$ in an item $(ID_i, K_i, v_i, R_i)$, it returns corresponding $R_i$ to $A_1$. Else, B picks $v_i \in \mathbb{Z}_p^*$ at random and calculates $R_i = g^{v_i}$, and then B adds $(ID_i, K_i, v_i, R_i)$ to $L_{H_2}$ and responds to $A_1$ with $R_i$.
$H_3$ query: $A_1$ makes the $H_3$ query adaptively. B responds to $A_1$'s query on $(D_{i1}, D_{i2})$ as shown below. B maintains the list $L_{H_3} = (D_{i1}, D_{i2}, h_3)$. If the query $(D_{i1}, D_{i2})$ appears on $L_{H_3}$ in an item $(D_{i1}, D_{i2}, h_3)$

$O_{Decrypt}$ query: $A_1$ makes the $O_{Decrypt}$ query adaptively by submitting $CT$ and $ID_i$ to B. We note that $CT = (C_1, C_2, \ldots, C_n)$ and $n \le N$. B responds to the query from $A_1$ on $(ID_i, CT)$ as shown in the following:
(1) B searches item $(ID_i, K_i, SK_i, T_i)$ of list $L_1$. If the user of $ID_i$ is not an intended recipient, it rejects the query.
(2) If $ID_\ell$ is in the intended recipient set and $T_i = 0$, B searches the list $L_{H_3}$ to find the entry

If there is no item that satisfies the condition, B discards $CT$ and aborts. Else, B responds to $A_1$ with $D_{i1}, D_{i2}$.
(3) If $ID_\ell$ is not in the intended recipient set and $T_i = 1$, $A_1$ should give $SK_i$ corresponding to $K_i$ of $ID_i$. Then, B checks whether $K_{1i} = g^{SK_{1i}}$ and $K_{2i} = g^{SK_{2i}}$ hold. If not so, B aborts. Otherwise, B searches $L_{H_3}$ to find the entry $(D_{i1}, D_{i2}, h_3)$ that satisfies $C_{i0} = g^{r_i}$ and $C_{i3} = r_i \oplus H_3(D_{i1}, D_{i2})$. If there is no item that satisfies the condition, B rejects the query. Otherwise, it returns $D_{i1}, D_{i2}$ to the adversary $A_1$.
(4) Otherwise, B obtains $SK_i$ and $Cert_i$ which are related to $ID_i$, and then B executes $\mathrm{Decrypt}(pp, CT, ID_i, SK_i, Cert_i)$ and responds to $A_1$ with the result.
Phase 1: during this phase, B issues the above queries launched by $A_1$ adaptively. For responding to the queries, B maintains a list $L_1 = (ID_i, K_i, SK_i, T_i)$. This list was initially empty. $T_i = 0$ represents that $K_i$ has not been replaced by $A_1$. Otherwise, $T_i = 1$ means that $A_1$ has made replacement of $K_i$.
Challenge: $A_1$ submits the intended recipient set $S^* = \{ID_1, ID_2, ID_3, \ldots, ID_n\}$ $(n \le N)$, two distinct messages $(M_0, M_1)$ and $M_0 = \vec{y}_0$ and $M_1 = y$ to the challenger C, with the requirement that, in Phase 1, it neither obtained certificates of users in $S^*$ nor made replacement of $K_i$ for $ID_i$ in $S^*$. Then, B randomly selects a value $M_\mu$, $\mu \in \{0, 1\}$. If $ID_\ell$ is not in $S^*$, B aborts. Else, B sets $C^*_{i0} = g^c$ and chooses random.
Then, the challenge broadcast ciphertext $CT^* = (C_1^*, C_2^*, \ldots, C_n^*)$ is returned to $A_1$.
Phase 2: $A_1$ issues a series of queries adaptively. However, it cannot issue queries for certificates or decryption of $ID_i$ in $S^*$.
Guess: $A_1$ outputs a guess $\mu' \in \{0, 1\}$ for $\mu$. It wins the game if $\mu' = \mu$. For $ID_\ell$, the description of $CT^*$ is shown as follows. To produce the result, B should calculate $D_{i1}$ and $D_{i2}$ correctly. B chooses an item from $L_{H_3}$ at random and searches $v_\ell$ from the item (

Analysis: then, we analyze the probability that the given CBDH problem can be solved by the challenger C. If B does not abort during the game, then $A_1$'s view is identical to its view in the real scheme. Furthermore, we have $|\Pr[\mu' = \mu] - 1/2| \ge \varepsilon$. The game may be aborted before it finishes. Let Abort denote the game is aborted before it finishes. Then, event Abort occurs under any of the following occasions.
(1) $Ab_1$: $ID_\ell$ is not in $S^*$ during the Challenge phase. We have $\Pr[Ab_1] = \frac{N - n}{N}$.
(2) $Ab_2$: B aborts in the period that $CT$ is given to $O_{Decrypt}$. We have

1, 2, 3, 4), respectively. It has advantage ε over our proposed scheme in IND-CBIP-CCA Game 2. Then, there exists a PPT algorithm B to solve the CBDH problem with the advantage at least $\frac{n\varepsilon}{q_{H_3} N}\left(1 - \frac{q_{dec}}{2^\lambda}\right)\left(\frac{q_{pubkey} - 1}{q_{pubkey}}\right)^{q_{seckey}}$.
Proof. Suppose that there exists an adversary $A_2$ that can break the proposed scheme in IND-CBIP-CCA Game 2 with advantage ε. We build an algorithm B to solve the CBDH problem by running $A_2$. Given as the input a problem instance $(g, g^a, g^b, g^c)$, B needs to simulate a challenger C and all oracles. It works as follows.
Setup: B executes the $\mathrm{Setup}(1^\lambda, d)$ algorithm and outputs $(q, G, G_T, e)$. We note that $g$ is the generator of $G$ and $g_1 = g^c$. Then, B computes $g_T = e(g, g)$ and picks index $\ell \in \{1, 2, \ldots, q\}$ at random. B controls random oracles $H_i$ $(i = 1, 2, 3, 4)$. It also publishes system public parameters $pp = (G, G_T, d, q, g, e, g_T, g_1, H_1, H_2, H_3, H_4)$ and gives master secret key $MSK = c$ to $A_2$. Random oracles $H_i$ $(i = 1, 2, 3, 4)$ are controlled by B.
$H_1$ query: $A_2$ makes the $H_1$ query adaptively. B makes a response to $A_2$'s query on $(ID_i, K_i)$ as shown below. It maintains the list $L_{H_1} = (ID_i, K_i, Q_i)$. If the query $ID_i$ appears on $L_{H_1}$ in an item $(ID_i, K_i, Q_i)$, it returns corresponding $Q_i$ to $A_2$. Else, B chooses $Q_i \in G$ at random. Then, it adds $(ID_i, K_i, Q_i)$ to $L_{H_1}$ and responds with $Q_i$ to $A_2$.
$H_2$ query: $A_2$ makes the $H_2$ query adaptively. B makes a response to $A_2$'s query on $(ID_i, K_i, g_1)$ as shown below. B maintains the list

$O_{Decrypt}$ query: $A_2$ makes the $O_{Decrypt}$ query adaptively by submitting $CT$ and $ID_i$ to B. We note that $CT = (C_1, C_2, \ldots, C_n)$ and $n \le N$. B makes a response to the query from $A_2$ on $(ID_i, CT)$ as shown in the following:
(1) B searches item $(ID_i, K_i, SK_i)$ of list $L_2$. If the user of $ID_i$ is not an intended recipient, it rejects the query.
(2) If $ID_\ell$ is in the intended recipient set, B searches $L_{H_3}$ to find the entry

This list was initially empty.
Challenge: when $A_2$ decides that Phase 1 is over, it submits the intended recipient set $S^* = \{ID_1, ID_2, ID_3, \ldots, ID_n\}$ $(n \le N)$, two distinct messages $(M_0, M_1)$ and $M_0 = \vec{y}_0$ and $M_1 = y$

Phase 2: $A_2$ issues a set of queries adaptively. However, it cannot issue queries for $SK_i$ of $ID_i$ in $S^*$ or decryption of $ID_i$ in $S^*$.
Guess: $A_2$ outputs a guess $\mu' \in \{0, 1\}$ for $\mu$. It wins the game if $\mu' = \mu$. For $ID_\ell$, the description of $CT^*$ is shown as follows. To produce the result, B should calculate $D_{i1}$ and $D_{i2}$ correctly. B chooses an item from $L_{H_3}$ at random and searches $v_\ell$ from the item $(ID_\ell, K_\ell, v_\ell, R_\ell)$. To solve the CBDH problem,

Analysis: then, we analyze the probability that the given CBDH problem can be solved by the challenger C.
If B does not abort during the game, then $A_2$'s view is identical to its view in the real scheme. Furthermore, we have $|\Pr[\mu' = \mu] - 1/2| \ge \varepsilon$. The game may be aborted before it finishes. Let Abort denote the game is aborted before it finishes. Then, event Abort occurs under any of the following occasions.
(1) $Ab_1$: the adversary $A_2$ queries the oracle $O_{SecretKey}$ on the user $ID_\ell$. We have $\Pr[Ab_1] = \left(\frac{q_{pubkey} - 1}{q_{pubkey}}\right)^{q_{seckey}}$.
(2) $Ab_2$: B aborts in the period that $CT$ is given to $O_{Decrypt}$. We have $\Pr[Ab_2] = \frac{q_{dec}}{2^\lambda}$.

$\ge \frac{n\varepsilon}{N}\left(1 - \frac{q_{dec}}{2^\lambda}\right)\left(\frac{q_{pubkey} - 1}{q_{pubkey}}\right)^{q_{seckey}}$. Finally, B selects the correct item from $L_{H_3}$ with probability $1/q_{H_3}$.
Consequently, B's advantage is at least $\frac{n\varepsilon}{q_{H_3} N}\left(1 - \frac{q_{dec}}{2^\lambda}\right)\left(\frac{q_{pubkey} - 1}{q_{pubkey}}\right)^{q_{seckey}}$ as required. □

Next, the anonymity of our scheme will be proved through ANO-CBIP-CCA Game 1 and ANO-CBIP-CCA Game 2 defined in Section 3.

Theorem 3. Suppose that hash functions $H_i$ $(i = 1, 2, 3, 4)$ are random oracles and $A_1$ is able to launch $q_{cert}$ queries to $O_{Certificate}$ and $q_{H_i}$ $(i = 1, 2, 3, 4)$ queries to functions $H_i$ $(i = 1, 2, 3, 4)$, respectively. It has advantage ε over our proposed scheme in ANO-CBIP-CCA Game 1. Then, there exists a PPT algorithm B to solve the CBDH problem with the advantage at least nε/q
Proof. Suppose that there exists an adversary $A_1$ that can break the proposed scheme in ANO-CBIP-CCA Game 1 with advantage ε. We build an algorithm B to solve the CBDH problem by running $A_1$. Given as the input a problem instance $(g, g^a, g^b, g^c)$, B needs to simulate a challenger C and all oracles. It works as follows.
Setup: B executes the $\mathrm{Setup}(1^\lambda, d)$ algorithm and outputs $(q, G, G_T, e)$. We note that $g$ is the generator of $G$ and $g_1 = g^c$. Then, B computes $g_T = e(g, g)$ and picks index $\ell \in \{1, 2, \ldots, q_{H_1}\}$ at random. B controls random oracles $H_i$ $(i = 1, 2, 3, 4)$. It also publishes system public parameters $pp = (G, G_T, d, q, g, e, g_T, g_1, H_1, H_2, H_3, H_4)$ and keeps master secret key $MSK = c$.
$H_1$ query: $A_1$ makes the $H_1$ query adaptively. B responds to $A_1$'s query on $(ID_i, K_i)$ as shown below. B maintains the list $L_{H_1} = (ID_i, K_i, Q_i, Cert_i)$. If the query $ID_i$ appears on $L_{H_1}$ in an item $(ID_i, K_i, Q_i, Cert_i)$, it returns corresponding $Q_i$ to $A_1$. Otherwise, if the query is on $ID_\ell$, B sets $Q_\ell = g^b$, returns $Q_\ell$ to $A_1$, and adds $(ID_\ell, K_\ell, Q_\ell, \perp)$ to $L_{H_1}$. Note that $K_\ell = (K_{1\ell}, K_{2\ell})$. Otherwise, B does the following things:
(1) Select $t_i \in \mathbb{Z}_p^*$ at random. Let $Q_i = g^{t_i}$ and $Cert_i = (g^a)^{t_i}$.
(2) Add the tuple $(ID_i, K_i, Q_i, Cert_i)$ to $L_{H_1}$ and respond with $Q_i$ to $A_1$.
$H_2$ query: $A_1$ makes the $H_2$ query adaptively. B makes a response to $A_1$'s query on $(ID_i, K_i, g_1)$ as shown below. B maintains the list

p at random and calculates $R_i = g^{v_i}$, and then B adds $(ID_i, K_i, v_i, R_i)$ to $L_{H_2}$ and responds to $A_1$ with $R_i$.
$H_3$ query: $A_1$ makes the $H_3$ query adaptively. B responds to $A_1$'s query on $(D_{i1}, D_{i2})$ as shown below. B maintains the list $L_{H_3} = (D_{i1}, D_{i2}, h_3)$. If the query $(D_{i1}, D_{i2})$ appears on $L_{H_3}$ in an item $(D_{i1}, D_{i2}, h_3)$, B returns corresponding $h_3$ to $A_1$. Otherwise, B picks $h_3 \in \mathbb{Z}_p^*$ at random, adds $(D_{i1}, D_{i2}, h_3)$ to $L_{H_3}$, and responds to $A_1$ with $h_3$.
$H_4$ query: $A_1$ makes the $H_4$ query adaptively. B responds to $A_1$'s query on $ID_i$ as shown below. B maintains the list $L_{H_4} = (ID_i, h_4)$. If the query $ID_i$ appears on $L_{H_4}$ in an item $(ID_i, h_4)$, B returns corresponding $h_4$ to $A_1$. Otherwise, B picks $h_4 \in \mathbb{Z}_p^*$ at random, adds $(ID_i, h_4)$ to $L_{H_4}$, and returns $h_4$ to $A_1$.
$O_{PublicKey}$ query: $A_1$ makes the $O_{PublicKey}$ query adaptively. B responds to $A_1$'s query on $ID_i$ as shown below. If the query $ID_i$ is already on $L_1$ in an item $(ID_i, K_i, SK_i, T_i)$, B returns corresponding $K_i$ to $A_1$. Otherwise, B randomly picks $\alpha_i' \in \mathbb{Z}_p$ and $\vec{x}_i' \in \mathbb{Z}_q^d$, and then it computes $SK_{1i} = \alpha_i'$ and $SK_{2i} = \alpha_i' \vec{x}_i'$ as secret keys. It computes $K_{1i} = g^{SK_{1i}}$ and $K_{2i} = g^{SK_{2i}}$ as public keys, and then it adds $(ID_i, K_i, SK_i, T_i)$ to $L_1$ and responds to $A_1$ with $K_i$.
$O_{PublicKeyReplace}$ query: $A_1$ makes the $O_{PublicKeyReplace}$ query adaptively. On receiving the query on $(ID_i, K_i', SK_i, T_i)$, B retrieves items related to $ID_i$ in $L_1$ and updates the item

$O_{SecretKey}$ query: $A_1$ makes the $O_{SecretKey}$ query adaptively. On receiving the query on $ID_i$, B searches the entry

$O_{Certificate}$ query: $A_1$ makes the $O_{Certificate}$ query adaptively. On receiving the query on $ID_i$, if $ID_i = ID_\ell$, B aborts. Otherwise, B searches the item $(ID_i, K_i, Q_i, Cert_i)$ of $ID_i$ and responds to $A_1$ with $Cert_i$.
$O_{Decrypt}$ query: $A_1$ makes the $O_{Decrypt}$ query adaptively by submitting $CT$ and $ID_i$ to B. We note that $CT = (C_1, C_2, \ldots, C_n)$ and $n \le N$. B responds to the query from $A_1$ on $(ID_i, CT)$ as shown in the following:
(3) If $ID_\ell$ is not in the intended recipient set and $T_i = 1$, $A_1$ should give $SK_i$ corresponding to $K_i$ of $ID_i$. Then, B checks whether $K_{1i} = g^{SK_{1i}}$ and $K_{2i} = g^{SK_{2i}}$ hold. If not so, B aborts. Otherwise, B searches $L_{H_3}$ to find the entry

If there is no item that satisfies the condition, B rejects the query. Otherwise, it returns $D_{i1}, D_{i2}$ to the adversary $A_1$.
(4) Otherwise, B obtains $SK_i$ and $Cert_i$ which are related to $ID_i$, and then B executes $\mathrm{Decrypt}(pp, CT, ID_i, SK_i, Cert_i)$ and responds to $A_1$ with the result.
Phase 1: during this phase, B issues the above queries launched by $A_1$ adaptively. For responding to the queries, B maintains a list $L_1 = (ID_i, K_i, SK_i, T_i)$. This list was initially empty. $T_i = 0$ represents that $K_i$ has not been replaced by $A_1$. Otherwise, $T_i = 1$ means that $A_1$ has made replacement of $K_i$.
Challenge: $A_1$ submits the intended recipient set $S = \{ID_1, ID_2, ID_3, \ldots, ID_n\}$ $(n \le N)$, message $M = \vec{y}$, and two user identities $(ID_0^*, ID_1^*)$ to the challenger C, with the requirement that, in Phase 1, it neither obtained certificates of users in $S \cup (ID_0^*, ID_1^*)$ nor made replacement of $K_i$ for $ID_i$ in $S \cup (ID_0^*, ID_1^*)$. Then, B randomly selects a value $\mu \in \{0, 1\}$ and sets $S^*_\mu = S \cup ID^*_\mu$. If $ID_\ell$ is not in $S^*$, B aborts. Else, B sets $C^*_{i0} = g^c$ and chooses $H_4(\chi_i)^* \in \mathbb{Z}_p^*$, $C^*_{i1} \in G_T$, $C^*_{i2} \in G_T$, and $C^*_{i3} \in G_T$ at random. Then, the challenge broadcast ciphertext $CT^* = (C_1^*, C_2^*, \ldots, C_n^*)$ is returned to $A_1$.
Phase 2: $A_1$ issues a series of queries adaptively. However, it cannot issue queries for certificates or decryption of $ID_i$ in $S^* \cup (ID_0^*, ID_1^*)$.
Guess: $A_1$ outputs a guess $\mu' \in \{0, 1\}$ for $\mu$. It wins the game if $\mu' = \mu$. For $ID_\ell$, the description of $CT^*$ is shown as follows. To produce the result, B should calculate $D_{i1}$ and $D_{i2}$ correctly. B chooses an item from $L_{H_3}$ at random and searches $v_\ell$ from the item (

Analysis: then, we analyze the probability that the given CBDH problem can be solved by the challenger C. If B does not abort during the game, then $A_1$'s view is identical to its view in the real scheme. Furthermore, we have $|\Pr[\mu' = \mu] - 1/2| \ge \varepsilon$. The game may be aborted before it finishes. Let Abort denote the game is aborted before it finishes. Then, event Abort occurs under any of the following occasions.
(1) $Ab_1$: $ID_\ell$ is not in $S^*$ during the Challenge phase. We have $\Pr[Ab_1] = \frac{N - n}{N}$.
(2)

1, 2, 3, 4), respectively. It has advantage ε over our proposed scheme in ANO-CBIP-CCA Game 2. Then, there exists a PPT algorithm B to solve the CBDH problem with the advantage at least $\frac{n\varepsilon}{q_{H_3} N}\left(1 - \frac{q_{dec}}{2^\lambda}\right)\left(\frac{q_{pubkey} - 1}{q_{pubkey}}\right)^{q_{seckey}}$.
Proof. Suppose that there exists an adversary $A_2$ that can break the proposed scheme in ANO-CBIP-CCA Game 2 with advantage ε. We build an algorithm B to solve the CBDH problem by running $A_2$. Given as the input a problem instance $(g, g^a, g^b, g^c)$, $A_2$ needs to simulate a challenger C and all oracles. It works as follows.
Setup: B executes the $\mathrm{Setup}(1^\lambda, d)$ algorithm and outputs $(q, G, G_T, e)$. We note that $g$ is the generator of $G$ and $g_1 = g^c$. Then, B computes $g_T = e(g, g)$ and picks index $\ell \in \{1, 2, \ldots, q\}$ at random. B controls random oracles $H_i$ $(i = 1, 2, 3, 4)$. It also publishes system public parameters $pp = G, G_T, d, q, g, e, g_T, g_1$

$O_{PublicKey}$ query: $A_2$ makes the $O_{PublicKey}$ query adaptively. B makes a response to $A_2$'s query on $ID_i$ as shown below. If the query $ID_i$ appears on $L_{H_2}$ in an item

$O_{Decrypt}$ query: $A_2$ makes the $O_{Decrypt}$ query adaptively by submitting $CT$ and $ID_i$ to B. We note that $CT = (C_1, C_2, \ldots, C_n)$ and $n \le N$. B makes a response to the query from $A_2$ on $(ID_i, CT)$ as shown in the following:
(1) B searches item $(ID_i, K_i, SK_i)$ of list $L_2$. If the user of $ID_i$ is not an intended recipient, it rejects the query.
(2) If $ID_\ell$ is in the intended recipient set, B searches $L_{H_3}$ to find the entry

This list was initially empty.
Challenge: when $A_2$ decides that Phase 1 is over, it submits the intended recipient set $S^* = \{ID_1, ID_2, ID_3, \ldots, ID_n\}$ $(n \le N)$, two distinct messages $(M_0, M_1)$ and to the challenger C, with the requirement that, in Phase 1, it has not obtained $SK_i$ of $ID_i$ in $S^*$. Then, B selects a random value $M_\mu$, $\mu \in 0, 1$

Phase 2: $A_2$ issues a set of queries adaptively. However, it cannot issue queries for $SK_i$ of $ID_i$ in $S^*$ or decryption of $ID_i$ in $S^*$.
Guess: $A_2$ outputs a guess $\mu' \in \{0, 1\}$ for $\mu$. It wins the game if $\mu' = \mu$. For $ID_\ell$, the description of $CT^*$ is shown as follows. To produce the result, B should calculate $D_{i1}$ and $D_{i2}$ correctly. B chooses an item from $L_{H_3}$ at random and searches $v_\ell$ from the item $(ID_\ell, K_\ell, v_\ell, R_\ell)$. To solve the CBDH problem,

Analysis: then, we analyze the probability that the given CBDH problem can be solved by the challenger C.
If B does not abort during the game, then $A_2$'s view is identical to its view in the real scheme. Furthermore, we have

Finally, B selects the correct item from $L_{H_3}$ with probability $1/q_{H_3}$. Consequently, B's advantage is at least $\frac{n\varepsilon}{q_{H_3} N}\left(1 - \frac{q_{dec}}{2^\lambda}\right)\left(\frac{q_{pubkey} - 1}{q_{pubkey}}\right)^{q_{seckey}}$ as required. □

Implementation and Evaluation

Theoretical Analysis.
In Table 2, we give analytical measurements for public parameters' size, user secret keys' size, ciphertext size, encryption cost, and decryption cost of the IBBE-IP scheme [8] and the proposed scheme. Table 2 shows that our scheme has a significant advantage over the IBBE-IP scheme on decryption cost. The decryption cost of our scheme is $3P + 3E + 3E_T + 5M_T$ which is constant, while the decryption cost of the IBBE-IP scheme is $3P + (2n + d + 3)E + (2n + d)E_T + 4M_T$ which grows multiplicatively in $n$ and $d$. Our scheme also optimizes the public parameters' size for the reason that our public parameters' size is constant, while the IBBE-IP scheme is linear with $n$.
As for the ciphertext size, the ciphertext size of our scheme is linear with the number of recipients n, while the ciphertext size of the IBBE-IP scheme is linear with the vector length d. However, there is a restriction in IBBE-IP that the recipient number has to be less than vector length (n < d). So, the increasing recipient number will lead to the growth of vector length, and the ciphertext size is also increasing as a result.
It is obvious that our scheme achieves better performance than the existing scheme in the aspects of public parameters' size and decryption time according to the analytical measurements.

Experimental Implementation.
To evaluate the performance of the proposed scheme in practice, we give a reference implementation of our scheme and the IBBE-IP scheme in Python. We use the Charm library [36] to implement the pairing group operations and the Flint library [37] for the finite field arithmetic in $\mathbb{Z}_q$. Our experiments are performed on a Linux desktop with 8 GB of RAM and an 8-core Intel Core i7-8550U 2.00 GHz processor to check the above theoretical analysis. In our implementation, we use the SS512 curve in the Charm library. We report the average result over ten runs. Figure 2(a) shows that the encryption and key generation time of our scheme increase with the growing vector length for a fixed number of recipients, while the decryption time remains constant. Figure 2(b) shows that encryption time is linear with the number of recipients in our scheme. Decryption time remains constant regardless of the number of recipients. Figure 3(a) shows that the ciphertext size of our scheme remains constant with the growing vector length for a fixed number of recipients. Figure 3(b) shows that the ciphertext size is linear with the number of recipients for a fixed vector length in our scheme.
In Table 3, we give a more detailed computation time and ciphertext size of our scheme with the change of vector length and the intended recipient number. In order to achieve higher efficiency, we have precomputed $e(g_1, Q_i)$, $e(K_{1i}, R_i)$, $e(K_{2i}, R_i)$ and have stored them in lists. We see that the ciphertext size rises from 1.0 KB to 5.8 KB when the recipient number grows from 3 to 19. Key generation time and encryption time grow from 3.3 ms to 48.2 ms and from 50.9 ms to 696.8 ms, respectively, as the recipient number and vector length grow. Decryption time is approximately 3.9 ms. Figure 4(a) shows the ciphertext size difference between our scheme and IBBE-IP scheme. The ciphertext size of the IBBE-IP scheme is linear with the vector length with the restriction that the number of recipients is less than the vector length ($n < d$), while our scheme has no restriction. Especially, as we can see from Figure 4(a), with the growing of recipient number $n$, the vector length $d$ has to grow, and the ciphertext size is also increasing in the IBBE-IP scheme.
As it is also shown in Table 3, the ciphertext size of our scheme is independent of the vector length. $CT$ is linear with the number of recipients in our scheme because our scheme enables that different intended users in $S$ obtain their corresponding inner product via the decryption of $CT$, and it achieves stronger plaintext protection. It avoids a security threat existing in a trivial solution that the sender encrypts a message under an inner product encryption first and then encrypts the ciphertext with a broadcast encryption. The threat is that once the decryption result of broadcast encryption is made public, all users in the inner product encryption system obtain the inner product ciphertext and are able to calculate their own inner product value. In our scheme, we avoid this threat. If there are users that maliciously expose the decryption result of broadcast encryption, others will not be able to obtain their corresponding inner product by the result. This leads to further protection to the plaintext. Figure 4(b) shows our scheme's significant advantage in decryption cost. In our implementation, this decryption time of IBBE-IP does not include the Pollard kangaroo algorithm runtime, while our scheme's decryption time includes the baby-step giant-step algorithm runtime. Besides, the number of recipients needs to be less than the vector length ($n < d$) in IBBE-IP, so we let $d = n + 1$ in the measurement of decryption time. As we can see from Figure 4(b), the decryption time of IBBE-IP is linear with the recipient number and the vector length, while the decryption time of our scheme is constant. In our scheme, it is about 4.0 ms, and it is independent of the vector length and the recipient number.
Obviously, our scheme is efficient according to the above analytical measurements and experimental evaluation because of its constant decryption cost. In addition, differing from our scheme, IBBE-IP scheme has the restriction that the number of recipients is less than the vector length [8].
Therefore, our scheme is applicable to those scenarios in which a number of recipients with limited computation capacity need to obtain the inner product values through decryption regularly.

Conclusion and Future Work
In this paper, we propose a certificate-based inner product broadcast encryption with anonymity due to the limitation in efficiency and recipient privacy in the present broadcast encryption for inner product scheme. Concrete construction and formal security definitions are given in this paper. We show that our scheme is adaptively secure under the IND-CCA security model which is different from the previous inner product broadcast encryption under the IND-CPA security model. In addition, the identity of a user is anonymous to others in our scheme. Furthermore, analytical and experimental results show that our scheme enables faster decryption. Because of these good properties, our scheme may have some significant value in some practical applications such as enabling secure group communication in the consortium blockchain. However, the size of the ciphertext is linear with the number of recipients, and how to further reduce ciphertext size is still a challenging problem.

Data Availability
The data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare that they have no conflicts of interest.