anonymous communication via anonymous identity-based...

Research ArticleAnonymous Communication via Anonymous Identity-BasedEncryption and Its Application in IoT

Liaoliang Jiang1 Tong Li 1 Xuan Li2 Mohammed Atiquzzaman3

Haseeb Ahmad4 and Xianmin Wang 1

1 School of Computer Science Guangzhou University Guangzhou 510000 China2College of Mathematics and Informatics Fujian Normal University Fujian 350000 China3School of Computer Science The University of Oklahoma USA4Department of Computer Science National Textile University Faisalabad Pakistan

Correspondence should be addressed to Tong Li 1120140107mailnankaieducn

Received 30 June 2018 Accepted 24 September 2018 Published 21 November 2018

Guest Editor Karl Andersson

Copyright copy 2018 Liaoliang Jiang et alThis is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

Under the environment of the big data the correlation between the datamakes people have a greater demand for privacyMoreoverthe world has become more diversified and democratic than ever before Freedom of speech is considered to be very importantthus anonymity is also a very important security demand The research of our paper proposes a scheme which can ensure boththe privacy and the anonymity of a communication system that is the protection of message privacy while ensuring the usersrsquoanonymity It is based on anonymous identity-based encryption (IBE) by which the usersrsquo119898119890119905119886119889119886119905119886 are protected We implementour scheme in JAVA with Java pairing-based cryptography library (JPBC) the experiment shows that our scheme has significantadvantage in efficiency compared with other anonymous communication system Internet-of-Things (IoT) involves many devicesand privacy of devices is very significant Anonymous communication system provides a secure environment without leakingmetadata which has many application scenarios in IoT

1 Introduction

In the era of big data data privacy has become significantas more personal and organizational information is involvedMoreover the world has become more diversified and demo-cratic than ever before Following this trend researchershave unveiled various ways through which adversaries canaccess private or otherwise sensitive information by networkbreach such as a called telephone number [1] or the IPaddress [2] Therefore the ultimate objective of privacy isto protect not only the contents of the messages but alsothe identities of communication parties the actual time ofa communication and specific user participation duringcommunication For the above reasons the research onprivacy protection protocols such as anonymous commu-nication system is imperative In an anonymous commu-nication system the adversary must not know participantrsquosidentity at any time Further the adversary should not know

the sending and receiving entities and whether a messageis valuable Overall such pieces of information are called119898119890119905119886119889119886119905119886 The 119898119890119905119886119889119886119905119886 involves crucial private data in theanonymous communication system and it is also a criticalparameter of the monitoring for the government and otherstakeholders [3] Anonymous communication system is verypractical and it can be applied to many realistic scenariosCloud computing has received more and more attentionin recent years and privacy-preserving and security undercloud environment have become critical issues [4ndash7] so high-level anonymity is required In the neural network [8 9] andsecure deduplication [10] the anonymity is also critical

Some private messaging systems are built on previouswork [11ndash14] However such schemes do not provide efficientprotocols without leaking 119898119890119905119886119889119886119905119886 which breaches thepurpose of anonymous communication systems There existtwo categories of anonymous communication protocols Thefirst one is called Tor [15] which achieves the anonymity

HindawiWireless Communications and Mobile ComputingVolume 2018 Article ID 6809796 8 pageshttpsdoiorg10115520186809796

2 Wireless Communications and Mobile Computing

by encrypting the messages in layers under the public keycryptography Several servers are employed in Tor and themessage is encrypted into a data packet by all serversrsquo publickey in turns (the construction of an onion) The encrypteddata package is transmitted by the 119888ℎ119886119894119899 comprised of allservers As a server receives a data package it decryptsthe data package through its private key and sends thedecrypted data package to the next server each server carriesout the decryption operation until the data package is sentto the recipient Tor is secure as each server knows onlyits predecessor and successor rather than other serversrsquoposition in the chain therefore the servers do not know thespecific path of a messagersquos transmission which guaranteesthe anonymity of both the sender and recipient That is howit offers a practical scheme of identity protection Howeversome researchers showed that this scheme cannot defendagainst the traffic analysis attacks [16ndash18] Torrsquos hidden servicerequires that every server must be honest for instance thesecurity will be breached if the rdquofirst-serverrdquo and the rdquolast-serverrdquo make a collusion The second category is based onthe DC-net [19 20] for instance verdict [21] and dissent[22] Those schemes work on an N-member group who cancommunicate anonymously and only one group member isallowed to send a valid message in a given round Each mem-ber shares a value secretly with the other N-1members whichmeans that eachmember has N-1 secret values that are sharedwith the other N-1 members Then each member performsXORs operations with the N-1 shared secret values but thelegitimate sender performs the XORs with the N-1 sharedsecret values along with an additional message to generateciphertexts that are later broadcast to the other membersSubsequently each member receives all the ciphertexts andperforms XORs operation on the N ciphertexts together toreveal the message Because all the shared secret values hadbeen XORed twice they are cancelled out thus the messageis extracted but without leaking the identity of the senderIn this way the DC-net can prevent the traffic attack as theDC-net is built on 119886119899119910119905119903119906119904119905 model that remains secure untilat least one participating server remains honest Howeverthe recovery of messages must be computed by all the userswhich is unrealistic scenario as none of the users could be off-line during underlying process Hence the existing methodsare vulnerable to the internal dishonest member attackswhich can easily break the security Although the systemsmay trace the dishonest member they cannot exclude theinfluence of dishonest member during the communicationIn summary these two schemes above are of low-efficiencyand the cost of communication is high

In this paper we propose an efficient anonymous com-munication scheme that offers higher security while dis-posing the aforementioned attack The proposed schemeincorporates anonymous identity-based encryption (IBE) toachieve anonymous communication In our scenario morethan one message can be sent simultaneously in each roundMeanwhile each user uses its ID as the public key weassume that the ID of each user is unique and it must bewell known to other users We set up a bulletin board fromwhere every user could upload or download the ciphertextsdirectly at specific time during each round The recovery

of the message is based on the decryption by the recipientrather than the cooperations of all the users so the systemdoes not need the users to be on-line all the time during thecommunication which is a remarkable advantage comparedwith the verdict and dissent Since every user has to performthe same operation at the same time the adversary cannotanalyze who is the sender and who is the recipient in a givenround This characteristic ensures strong anonymity of theusers

The primary contributions of the paper are listed asfollows

(1) The user can send and receive the ciphertext duringthe same round whichmeans a user can be both a sender anda recipient at the same time This can improve the efficiencyof anonymous communication system

(2) Our scheme allows the users to send or receive morethan one valid ldquociphertextrdquo (because the message is extractedafter decrypting the ciphertext) in each round There is nolimit to the number of communication ciphertexts It is a hugeadvantage compared with other anonymous communicationsystemswhich are based onDC-net this characteristic greatlyimproves the efficiency of anonymous communication sys-tem and reduces the cost of communication

(3) In the proposed scheme some dishonest users aretolerable in the communication because a single user cansuccessfully recover the message by himself instead ofthrough the cooperation of all the other users

Section 3 introduces the basic concepts of bilinear pair-ing IBE and anonymous IBE Section 4 outlines the systemarchitecture and our security goals and Section 5 describesthe specific scheme and its two protocols Section 6 presentsa security analysis of the proposed system

2 Related Work

Anonymous communication system has a high-level demandfor security we may consider a mechanism for enteringinto the anonymous communication system before startingcommunication Users can do anonymous authenticationbefore joining the system [23] only a legal user can be amember of the system Anonymous authentication can applytomany areas [24ndash27] Besides we canmake an improvementof the storage pattern for usersrsquo messages We may combineoblivious RAM [28 29] with our anonymous communicationsystem oblivious RAM hides the access patterns of dataand it can prevent adversary from speculating sensitiveinformation through usersrsquo access patterns In the end wemay use other cryptographical techniques [30ndash33] to enhancethe security of our anonymous communication system

3 Preliminaries

This section outlines the anonymous IBE scheme [34]the difference between ordinary IBE and anonymous IBEAlthough the identity-based encryption was firstly proposedby Shamir [35] a practical IBE scheme was constructedby Boneh and Franklin in 2001 [36] and after that manyIBE schemes were proposed [37ndash40] The conception of

Wireless Communications and Mobile Computing 3

anonymous identity-based encryption was firstly proposedin [41] This section also introduces the basic knowledge ofbilinear pairings which are used to construct the scheme inthe following sections

31 Bilinear Map Let 1198661 be the additive cycle group gener-ated by 119892 and 1198662 be multiplicative cyclic group Prime 119901 isthe order of 1198661 and 1198662 The map 119890 1198661 times 1198661 997888rarr 1198662 is calledbilinear map if it satisfies the following properties

(1) Bilinearity For any 119875119876 isin 1198661 119886 119887 isin 119885 the followingformula holds 119890(119875119886 119876119887) = 119890(119875 119876)119886119887

(2) Nondegeneracy Themap 119890 does not map all the pairsin the 1198661 times 1198661 to the generator in 1198662 If 119875 is the generator of1198661 then 119890(119875 119875) is the generator of 1198662

(3)Computability For any 119875 and119876 there is an algorithmthat can compute 119890(119875 119876) efficiently

32 IBE In the IBE scheme the participating parties includethe users and the private key generator (PKG) The identityof the user is considered as the public key that makes IBEdifferent from the traditional public key cryptography ThePKG which is a trusted third party generates the private keybased on its master key and the userrsquos identity Subsequentlythe private key is distributed to the corresponding user by thePKG IBE is advantageous and is widely used for informationsecurity protection Firstly the key management is easy andefficient because it does not require distributing public keyor revoking the key Secondly IBE removes the certificaterequirement for the public key of user who participates inthe communication For instance when Alice wants to senda message to Bob she uses Bobrsquos public key 119868119863119861119900119887 that isknown to each user Alice encrypts the message with Bobrsquosidentity 119868119863119861119900119887 rather than querying Bobrsquos public key from thePKIThis characteristic highlights the purpose of anonymouscommunication Suppose that Alice queries Bobrsquos public keyfrom the PKI the adversary can easily get information aboutsenderrecipient through the operation of querying so thesecurity goals are breached After Bob gets the encryptedmessage he decrypts the message with his private key thathe gets from the PKG IBE consists of the following fourfunctions [42]

Setup inputting security parameter 119896 returning thepublic parameter 119901119886119903119886119898119904 and the master key 119898119904119896 of thesystemThe limited plaintext space 119872 the limited ciphertextspace 119862 and the 119901119886119903119886119898119904 are public and the master key 119898119904119896is secretly kept by the PKG

Extract inputting the master key119898119904119896 and a userrsquos identity119894119889 generating the corresponding private key 119904119896119894119889 for 119894119889

Encryption inputting the message 119898 isin 119872 and 119894119889returning the ciphertext 119888 isin 119862

Decryption inputting the ciphertext 119888 and the corre-sponding private key 119904119896119894119889 for 119894119889 returning the plaintext 119898

33 Anonymous IBE In traditional IBE since the recipientrsquosidentity is used as the public key this property may leakthe recipientrsquos identity through the adversaryrsquos analysis of theciphertexts In other words if the userrsquos identity is leaked the

anonymous communication system is no longer secure Ananonymous IBE scheme must obey two properties

(1) The adversary cannot get any information about thecommunication parties

(2) The userrsquos identity cannot be unveiled by the cipher-texts

In this paper we use the anonymous IBE scheme whichis based on bilinear map [34] Let 1198661 and 1198662 be the group oforder 119901 the map 119890 1198661times1198661 997888rarr 1198662 is the bilinear map and 119892is the generator of group 1198661 120590 isin 119885119901lowast 1198922 isin 1198661 are randomlyselected and let 1198921 = 119892120590 The scheme includes four functionsas follows

Initialization choose the public parameters 119892 1198921 1198922 andthe master key of PKG denoted as 120590

Private key generation the PKG randomly selects 119903 isin 119885119901lowastand computes the private key for the corresponding recipienthere 119868119863 is the recipientrsquos ID and 119868119863 isin 119885119901lowast

119889 = (1198891 1198892 1198893) = (1198921205902119892119868119863sdot1199031 119892119903 119892119868119863sdot119903) (1)

Encryption suppose amessage119898 isin 1198662 needs to be encryptedThe sender randomly selects 119905 119904 isin 119885119901lowast and computes theciphertext

119888 = (1198881 1198882 1198883 1198884) = (119890 (1198921 1198922)119905 sdot 119898 119892119868119863(119905+119904)1 1198921199041 119892

119905) (2)

Decryption the recipient uses his own private key 119889 =(1198891 1198892 1198893) to decrypt the ciphertext to obtain the plaintextas follows

119898 = 1198881 sdot119890 (1198892 1198882)

119890 (1198891 1198884) 119890 (1198893 1198883)(3)

Suppose that an adversary wants to extract the recipientrsquosidentity 119868119863 from the ciphertext it is obvious from thestructure of the ciphertext that the ID can only be extractedthrough 1198882 = 119892119868119863(119905+119904)1 by using 119888 = (1198881 1198882 1198883 1198884) Although 1198921is a public parameter but the 119905 119904 are randomly selected fromthe 119885119901lowast and it is impossible for the adversary to obtain theseparameters Meanwhile 119868119863(119905 + 119904) is the exponent of 1198882 thecomputation is complicated

4 Architecture of the System

We describe the details of system entities and system archi-tecture in this section furthermore we present the securitygoals of anonymous communication

41 Entities (i) The users The users are an imperative partof the system whose privacy must be assured while the userscan communicate with any user in the system The systemcan satisfy two kinds of usersThe first kind is those who justwant to disclose some message anonymously however theusers of this kind do not want to disclose the identity of thesender even to the recipient for instance a journalist wants todisclose a scandal about a politician who has participated inthe presidential campaign The second kind of users want tocommunicate with someone secretly the users of this kinddo not want anyone to know who is communicating with


them or whether he is involved in this communication Forinstance two executives from a tendering company want tonegotiate about the final bidding price though geographicaldifferences

(ii) Bulletin boardThe bulletin is provided to the usersfor uploading and downloading ciphertexts More preciselythe sender uploads the encrypted message to the bulletinboard and the recipient downloads the message from thebulletin board But as wementioned above the bulletin boardis an intermediate source for communication and there isno need for an interaction between users Because there isno interaction between users the adversary cannot know theidentities of the communicating parties

(iii) Private key generator (PKG) In the system the roleof PKG is to generate private keys of users against their IDsand we assume that PKG is honest

42 Architecture This section describes the architecture ofthe system Each user has a unique identity The systemconsist of two components

(1)The Private Key Protocol This is a protocol for distributingthe private keys among the users according to their identitythis part works between the users and PKG In order tocarry out the decryption operation later the user shouldobtain its private key before initiating a communication ThePKG generates the private key through usersrsquo identity andits master key for the corresponding users For instanceAlicersquos identity is 119868119863119860119897119894119888119890 and Bobrsquos identity is 119868119863119861119900119887 the PKGgenerates private key 119904119896119860119897119894119888119890 for Alice and 119904119896119861119900119887 for Bob Onlyby obtaining the private key the later protocol can proceedAll the users should get their private key in specific time1199051

(2) Communicating Protocol It is the most important partof the system and it contains four operations The useruses the recipientrsquos identity as the public key to encrypt themessage For instance Alice wants to send a message to BobAlice uses Bobrsquos identity 119868119863119861119900119887 to encrypt the message Theencryption operation should be done in specific time 1199052 Forconsideration of sendersrsquo anonymity every user is requiredto send at least one message whether the user wants to havea communication or not After the encryption operation allthe ciphertexts should be uploaded to the bulletin boardTheuploading operation should be done in specific time 1199053 Inspecific time 1199054 each user downloads all the ciphertexts on thebulletin board Since the users did not interact before and alsothe users donot knowwhether there is anymessage belongingto them in this round all the messages in the bulletin boardmust be downloaded by each user in order not to miss themessage

All the users decrypt all the ciphertexts through itsprivate key in specific time 1199055 After time 1199055 one round ofcommunication during all the users is finished and thenthe next round of communication can start The subsequentcommunication rounds are scheduled as shown in Figure 1In this paper we have distinct advantage over the previousworks The advantage is that there is no limit to the numberof messages sent by the user in each round whichmeans that

t1 t2 t3 t4 t5 t1 t2 t3 t4 t5Round 1 Round n

Time

middot middot middot middot middot middot

Figure 1 Scheduling of n rounds of communication

one user can communicate with one or more users at a givenround

43 Security Goal The system ensures anonymous commu-nication in three aspects

(1)Themessagersquos securityThe contents of usersrsquo messageneed to be protected it is the basic requirement of a securesystem

(2) The senderrsquos anonymity Unauthorized users couldnot determine the identity of sender so the adversary cannotjudge which user sent a message in a given round In otherwords the identity of sender should not be leaked

(3) The recipientrsquos anonymity The recipientrsquos anonymityis to ensure that others cannot judge whether the message isreceived by a definite recipient Furthermore the system isrequired to guarantee that the adversary cannot extract therecipientrsquos ID which is used during the process of encryptionSimilar to senderrsquos anonymity the identity of recipient shouldnot be leaked

The senderrsquos anonymity and the recipientrsquos anonymity arethe key security goals which are different from the traditionalcommunication system as the system should not reveal any119898119890119905119886119889119886119905119886 about users

5 Anonymous Communication viaAnonymous IBE

The scheme consists of two major components private keygeneration and anonymous communication In the presentedsolution we construct a general scheme based on anonymousIBEwhich is provided in Section 331198661 and1198662 are the groupsof order 119901 and 119892 is the generator of group 1198661 The map 119890 isbilinear map which satisfies 1198661 times 1198661 997888rarr 1198662 120590 isin 119885119901lowast is themaster key of PKG 1198922 isin 1198661 are randomly selected and let1198921 = 119892120590 This section describes the construction of these twoprotocols

51 PrivateKeyGeneration Protocol Theprivate keys are gen-erated through the usersrsquo ID by PKG then PKG distributesthose private keys to corresponding users

The details of private key generation protocol aredescribed in Algorithm 1 where PKG randomly chooses aninteger 119903 isin Zlowast119901 and uses 119903 to compute the private key 119896 Afterthe computation the PKG distributes the private key to thecorresponding users

52 Anonymous Communication Protocol In our schemethe anonymous communication protocol contains four stepsas presented in Figure 2 The steps include encryption


Upload

User 1

middotmiddot

middot

User n

Eenid1 (m1)

Eenidi (mi)

Eenidn (mn)

Bulletin board

Download

c1cn

c1cn

User1 Usern

Decsk1(c1)

Decskn(cn)

Decskn(c1)

Decskn(cn)

Decski (c1)

Decski (ci )

Decski (cn)

middotmiddot

middot

middotmiddot

middotmiddotmiddot

middotmiddot

middot

Figure 2 The four steps of anonymous communication protocolA EncryptionB UploadCDownload DDecryption

Input A userrsquos identity 119894119889 the public parameters 119892 1198921 1198922 and the master key 120590OutputThe userrsquos private key 119896 = (1198961 1198962 1198963)

The PKG performs the followingsrandomly chooses 119903 isin Zlowast119901 computes the private key 119896 = (1198961 1198962 1198963) = (1198921205902119892

119894119889sdot1199031 119892119903 119892119894119889sdot119903)

sends the private key to the corresponding users at specific time 1199051

Algorithm 1 Private key protocol

(1) Encryption If the sender just wants to disclose the message anonymously rather than anyone knows where is messagefrom even the recipient he computes the ciphertext 119888 = (1198881 1198882 1198883 1198884) = (119890(1198921 1198922)

119905 sdot 119898 119892119894119889(119905+119904)1 1198921199041 119892119905) If the sender wants the

recipient to know about its identity the signature 119878119894119892119899119878119890119899119889119890119903119894119889 should be attached with the message 119898 compute the ciphertext119888 = (1198881 1198882 1198883 1198884) = (119890(1198921 1198922)

119905 sdot (119898||119878119894119892119899119878119890119899119889119890119903119894119889) 119892119894119889(119905+119904)1 1198921199041 119892

119905) The Encryption operation should done in specific time 1199052(2) Upload All the users uploads their ciphertexts 119888 to the bulletin board at the specific time 1199053 Each userrsquos ciphertexts 119888 arestored in the bulletin board after this operation(3) Download Each involved users are required to download all the ciphertexts which stored in the bulletin board eachuser does the Download operation at the specific time 1199054(4) Decryption The user decrypts the ciphertexts 119888 which obtained from the bulletin board in Download operation one byone through the private key 119896 in specific time 1199055 The plaintext is computed as 119898 = 1198881 sdot 119890(1198892 1198882)119890(1198891 1198884)119890(1198893 1198883) If there is asignature 119878119894119892119899119878119890119899119889119890119903119894119889 attached with the message 119898 then the user can get 119898||119878119894119892119899119878119890119899119889119890119903119894119889

Algorithm 2 Anonymous communication protocol

uploading downloading and decryption The protocol isperformed collaboratively by the users and the bulletin board

In the anonymous communication protocol each user119906 needs to encrypt his message to generate the ciphertext119888 = (1198881 1198882 1198883 1198884) He first randomly selects 119905 119904 isin 119885119901lowast Here119898 is the message which needs to be encrypted 119894119889 is therecipientrsquos ID 119878119894119892119899119878119890119899119889119890119903119894119889 is the signature of senderrsquos identityAs we mentioned in Section 41 our system can satisfy twokinds of users If the sender wants the recipient to knowwhere the message is from the signature can be attachedtogether with the message 119898 Otherwise the signature isnot necessary to be transmitted Subsequently the encryptedmessage 119888 can be uploaded to the bulletin board At thisstep each user is required to upload at least one encryptedmessagewhether hewants to initiate a communication or notHowever if a user wants to communicate with more than one

user it is permitted to upload more than one ciphertext at thesame time When a user wants to get a message he needs todownload all the ciphertexts from the bulletin board withoutany interaction with the uploaders Then the user just needsto use his private key to decrypt the ciphertexts one by one Ifthe decryption is successfully performed it means that themessage belongs to the user It should be noted that eachuser is required to download all the messages on the bulletinboard Since there are no interactions between the users andthe bulletin board before the communication each user hasno idea whether the message belongs to him in the process ofa communication In this way all the users have to participatein the uploading and downloading operations while theadversary does not know which parties are really involvedin a given round The details of anonymous communicationprotocol are shown in Algorithm 2


6 Security Analysis

As we mentioned in Section 43 there are three aspects ofsecurity goals needed to be achieved the messagersquos securitythe senderrsquos anonymity and the recipientrsquos anonymity and wewill analyze the system security as follows

Every message is encrypted before uploading and theencryption schemewe used can ensure themessagersquos securityThe security of encryption scheme we used in our construc-tion had been proved in [34] this encryption scheme candefend against an arbitrary CPA adversary while maintaininganonymity

In traditional public key cryptography there is usuallya public key infrastructure (PKI) and the sender needs toquery the recipientrsquos public key before initiating a commu-nication In this process the user who does the operationof querying is likely to be the sender who wants to initiatea communication and the public key to be queried likelybelongs to the recipient In our scheme the sender no moreneeds to query the recipientrsquos public key (because the publickey is recipientrsquos identity which is known to each user) Onthe other hand although the recipientrsquos identity is used as thepublic key the anonymous IBE ensures that the adversarycannot extract the recipientrsquos identity from the ciphertextSince all the users perform the operation of uploading attime 1199053 and download the same amount of ciphertexts at time1199054 the adversary cannot know which user has the intentionto participate in a communication through the operationsof uploading and downloading Obviously our scheme canguarantee the anonymity of both the sender and recipient

7 Evaluation

In this section we evaluate the performance of our schemewhich has been implemented in JAVA with Java pairing-based cryptography library (JPBC) All experiments wereconducted on a PC with a CPU 213GHz 6GB of RAM Inour implementation a messagersquos length was set as 128 bytesand the time consumption of uploading and downloadingwas ignored

71 Computational Consumption We implemented ourscheme in one message and executed 1000 rounds Thecomputational consumption includes three operationsprivate key generation encryption and decryption Underthe fiber configuration of 100Mpbs the cost of uploading anddownloading is negligible We calculate the time cost as inFigure 3 It takes approximately 36 times 104 ms to perform theprivate key generation operation for 1000 rounds 112 times 105ms to perform the encryption operation for 1000 roundsand 162 times 102 ms to perform the decryption operation for1000 rounds

72 Communication Consumption Our scheme has no limitfor the number of messages in a round it is a significantadvantage compared with other anonymous communicationsystems which can send only one message in a round Thereare common scenarios for example a user wants to commu-nicate with more than one person or more than one user

105

104

103

102

Tim

e (m

s)

0 200 400 600 800 1000

The total number of messages

Private Key GenerationEncryptionDecryption

Figure 3 Computational consumption

105

104

103

Tim

e (m

s)


Only send one message at a roundOur scheme No limit for the number of messages

0 100 200 300 400 500 600 700 800 900 1000

Figure 4 Communication consumption

wants to send message In the anonymous communicationsystem which limits the number of messages users haveto wait for several rounds But in our scheme all userscan send an arbitrary number of messages in a roundThis property enhances the efficiency of communicationand reduces the cost of communication Figure 4 showsthe communication consumption of our scheme and theanonymous communication system which limits the numberof messages

8 Conclusions

In this paper we address a communication system whichaims to protect the usersrsquo 119898119890119905119886119889119886119905119886 To solve this problemwe propose an anonymous communication system based onanonymous IBE Our scheme has significant advantage inefficiency compared with previous work and can also offerstrong anonymity In the future we will consider the user


authentication and the application scenario in the smartenvironment

Data Availability

The library used to support the findings of this study areincluded within the article

Conflicts of Interest

The authors declare that they have no conflicts interests

Authorsrsquo Contributions

Thefirst author conducted the experiments andwrote the firstdraft of the paperThe other coauthors helped in revising thepaper and polished it All authors read and approved the finalmanuscript

Acknowledgments

This work was supported by National Natural Science Foun-dation of China (No 61472091) Natural Science Foundationof Guangdong Province for Distinguished Young Scholars(2014A030306020) Guangzhou Scholars Project for Uni-versities of Guangzhou (No 1201561613) and Science andTechnology Planning Project of Guangdong Province China(2015B010129015)

References

[1] J Mayer P Mutchler and J C Mitchell ldquoEvaluating the privacyproperties of telephone metadatardquo Proceedings of the NationalAcadamy of Sciences of the United States of America vol 113 no20 pp 5536ndash5541 2016

[2] Y-A de Montjoye Computational PRIvacy Towards PRIvacy-Conscientious Uses of Metadata ProQuest LLC AnnArborMI2015

[3] A Rusbridger ldquoThe snowden leaks and the publicrdquo New YorkReview of Books vol 60 no 18 2013

[4] P Li J Li Z Huang et al ldquoMulti-key privacy-preserving deeplearning in cloud computingrdquo Future Generation ComputerSystems vol 74 pp 76ndash85 2017

[5] C Gao Q Cheng X Li and S Xia ldquoCloud-assisted privacy-preserving profile-matching scheme under multiple keys inmobile social networkrdquo Cluster Computing pp 1ndash9 2018

[6] P Li J Li Z Huang C-Z Gao W-B Chen and K ChenldquoPrivacy-preserving outsourced classification in cloud comput-ingrdquo Cluster Computing pp 1ndash10 2017

[7] J Li Y Zhang X Chen and Y Xiang ldquoSecure attribute-baseddata sharing for resource-limited users in cloud computingrdquoComputers amp Security vol 72 pp 1ndash12 2018

[8] Y Li G Wang L Nie Q Wang and W Tan ldquoDistancemetric optimization driven convolutional neural network forage invariant face recognitionrdquo Pattern Recognition vol 75 pp51ndash62 2018

[9] C Yuan LiXinting J Q M Wu j Li and X Sun ldquoFingerprintliveness detection from different fingerprint materials using

convolutional neural network and principal component analy-sisrdquoComputersMaterialsampContinua vol 53 no 3 pp 357ndash3712017

[10] J Li X Chen M Li J Li P P C Lee and W LouldquoSecure deduplication with efficient and reliable convergent keymanagementrdquo IEEE Transactions on Parallel and DistributedSystems vol 25 no 6 pp 1615ndash1625 2014

[11] N Borisov G Danezis and I Goldberg ldquoDP5 A Private Pres-ence Servicerdquo Proceedings on Privacy Enhancing Technologiesvol 2015 no 2 pp 4ndash24 2015

[12] D Chaum D Das F Javani et al ldquocMix Mixing with MinimalReal-Time Asymmetric Cryptographic Operationsrdquo in AppliedCryptography and Network Security vol 10355 of Lecture Notesin Computer Science pp 557ndash578 Springer International Pub-lishing Cham 2017

[13] A Kwon D Lazar S Devadas and B Ford ldquoRiffle An efficientcommunication system with strong anonymityrdquo Proceedings onPrivacy Enhancing Technologies vol 2016 no 2 pp 115ndash1342016

[14] J Van Den Hooff D Lazar M Zaharia and N ZeldovichldquoVuvuzela Scalable private messaging resistant to traffic anal-ysisrdquo in Proceedings of the 25th ACM Symposium on OperatingSystems Principles SOSP 2015 pp 137ndash152 USA October 2015

[15] R Dingledine N Mathewson and P Syverson ldquoTor TheSecond-Generation Onion Routerrdquo Defense Technical Infor-mation Center 2004

[16] K Bauer D McCoy D Grunwald T Kohno and D SickerldquoLow-resource routing attacks against Torrdquo in Proceedings ofthe 6th ACM Workshop on Privacy in the Electronic SocietyWPESrsquo07 Held in Association with the 14th ACM Computer andCommunications Security Conference pp 11ndash20 USA October2007

[17] S Chakravarty A Stavrou and A D Keromytis ldquoIdentifyingproxy nodes in a tor anonymization circuitrdquo in Proceedings ofthe 4th International Conference on Signal Image Technologyand Internet Based Systems SITIS 2008 pp 633ndash639 IndonesiaDecember 2008

[18] N Hopper E Y Vasserman and E Chan-Tin ldquoHow muchanonymity does network latency leakrdquo ACM Transactions onInformation and System Security vol 13 no 2 2010

[19] D Chaum ldquoThedining cryptographers problem unconditionalsender and recipient untraceabilityrdquo Journal of Cryptology TheJournal of the International Association for Cryptologic Researchvol 1 no 1 pp 65ndash75 1988

[20] P Golle and A Juels ldquoDining cryptographers revisitedrdquo inAdvances in cryptologymdashEUROCRYPT 2004 vol 3027 of Lec-ture Notes in Comput Sci pp 456ndash473 Springer Berlin 2004

[21] H Corrigan-Gibbs D I Wolinsky and B Ford ldquoProactivelyaccountable anonymous messaging in verdictrdquo in Proceedingsof the USENIX Security Symposium pp 147ndash162 2013

[22] E Syta A Johnson H Corrigan-Gibbs S Weng D Wolinskyand B Ford ldquoSecurity Analysis of Accountable AnonymousGroup Communication in Dissentrdquo Defense Technical Infor-mation Center 2013

[23] J Shen T Zhou X Chen J Li and W Susilo ldquoAnonymousand Traceable Group Data Sharing in Cloud Computingrdquo IEEETransactions on Information Forensics and Security vol 13 no4 pp 912ndash925 2018

[24] J Shen C Wang T Li X Chen X Huang and Z-H ZhanldquoSecure data uploading scheme for a smart home systemrdquoInformation Sciences vol 453 pp 186ndash197 2018


[25] J Xu L Wei Y Zhang A Wang F Zhou and C GaoldquoDynamic Fully Homomorphic encryption-based Merkle Treefor lightweight streaming authenticated data structuresrdquo Jour-nal of Network and Computer Applications vol 107 pp 113ndash1242018

[26] J Shen Z Gui S Ji J Shen H Tan and Y Tang ldquoCloud-aided lightweight certificateless authentication protocol withanonymity for wireless body area networksrdquo Journal of Networkand Computer Applications vol 106 pp 117ndash123 2018

[27] Y Zhang J Li D Zheng P Li and Y Tian ldquoPrivacy-preservingcommunication and power injection over vehicle networksand 5 g smart grid slicerdquo Journal of Network and ComputerApplications vol 122 pp 50ndash60 2018

[28] B Li Y Huang Z Liu J Li Z Tian and S-M YiuldquoHybridORAM Practical oblivious cloud storage with constantbandwidthrdquo Information Sciences 2018

[29] Z Liu Y Huang J Li X Cheng and C Shen ldquoDivORAMTowards a practical oblivious RAM with variable block sizerdquoInformation Sciences vol 447 pp 1ndash11 2018

[30] X Zhang Y Tan C Liang Y Li and J Li ldquoA Covert ChannelOver VoLTE via Adjusting Silence Periodsrdquo IEEE Access vol 6pp 9292ndash9302 2018

[31] Q Lin H Yan Z Huang W Chen J Shen and Y TangldquoAn ID-based linearly homomorphic signature scheme and itsapplication in blockchainrdquo IEEE Access 2018

[32] CGaoQ Cheng PHeW Susilo and J Li ldquoPrivacy-preservingNaive Bayes classifiers secure against the substitution-then-comparison attackrdquo Information Sciences vol 444 pp 72ndash882018

[33] Y Zhang D Zheng and R H Deng ldquoSecurity and Privacy inSmart Health Efficient Policy-Hiding Attribute-Based AccessControlrdquo IEEE Internet of Things Journal vol 5 no 3 pp 2130ndash2145 2018

[34] B Wang and X Hong ldquoAn anonymous signature schemein the standard modelrdquo Journal of Information Science andEngineering vol 30 no 6 pp 2003ndash2017 2014

[35] A Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo in Advances in Cryptology Proceedings of (CRYPTOrsquo84) vol 196 of Lecture Notes in Computer Science pp 47ndash53Springer Berlin Germany 1985

[36] D Boneh andM Franklin ldquoIdentity-based encryption from theWeil pairingrdquo SIAM Journal on Computing vol 32 no 3 pp586ndash615 2003

[37] BWaters ldquoEfficient identity-based encryption without randomoraclesrdquoAdvances inCryptology ndash EUROCRYPT2005 vol 3494pp 114ndash127 2005

[38] D Boneh and X Boyen ldquoSecure identity based encryptionwithout random oraclesrdquo in Advances in cryptologymdashCRYPTO2004 vol 3152 of Lecture Notes in Comput Sci pp 443ndash459Springer Berlin 2004

[39] D Boneh and X Boyen ldquoEfficient selective identity-basedencryption without random oraclesrdquo Journal of Cryptology TheJournal of the International Association for Cryptologic Researchvol 24 no 4 pp 659ndash693 2011

[40] J Li X Chen C Jia and W Lou ldquoIdentity-based encryptionwith outsourced revocation in cloud computingrdquo IEEE Trans-actions on Computers 2013

[41] D Boneh G Di Crescenzo R Ostrovsky and G PersianoldquoPublic key encryption with keyword searchrdquo in Advances inCryptologymdashEUROCRYPT 2004 vol 3027 of Lecture Notesin Computer Science pp 506ndash522 Springer Berlin Germany2004

[42] D Boneh and X Boyen ldquoSecure identity based encryptionwithout random oraclesrdquo Lecture Notes in Computer Science(including subseries Lecture Notes in Artificial Intelligence andLecture Notes in Bioinformatics) Preface vol 3152 pp 443ndash4592004

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018


Active and Passive Electronic Components

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of



Journal ofEngineeringVolume 2018

SensorsJournal of



RotatingMachinery


Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation


Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom


by encrypting the messages in layers under the public keycryptography Several servers are employed in Tor and themessage is encrypted into a data packet by all serversrsquo publickey in turns (the construction of an onion) The encrypteddata package is transmitted by the 119888ℎ119886119894119899 comprised of allservers As a server receives a data package it decryptsthe data package through its private key and sends thedecrypted data package to the next server each server carriesout the decryption operation until the data package is sentto the recipient Tor is secure as each server knows onlyits predecessor and successor rather than other serversrsquoposition in the chain therefore the servers do not know thespecific path of a messagersquos transmission which guaranteesthe anonymity of both the sender and recipient That is howit offers a practical scheme of identity protection Howeversome researchers showed that this scheme cannot defendagainst the traffic analysis attacks [16ndash18] Torrsquos hidden servicerequires that every server must be honest for instance thesecurity will be breached if the rdquofirst-serverrdquo and the rdquolast-serverrdquo make a collusion The second category is based onthe DC-net [19 20] for instance verdict [21] and dissent[22] Those schemes work on an N-member group who cancommunicate anonymously and only one group member isallowed to send a valid message in a given round Each mem-ber shares a value secretly with the other N-1members whichmeans that eachmember has N-1 secret values that are sharedwith the other N-1 members Then each member performsXORs operations with the N-1 shared secret values but thelegitimate sender performs the XORs with the N-1 sharedsecret values along with an additional message to generateciphertexts that are later broadcast to the other membersSubsequently each member receives all the ciphertexts andperforms XORs operation on the N ciphertexts together toreveal the message Because all the shared secret values hadbeen XORed twice they are cancelled out thus the messageis extracted but without leaking the identity of the senderIn this way the DC-net can prevent the traffic attack as theDC-net is built on 119886119899119910119905119903119906119904119905 model that remains secure untilat least one participating server remains honest Howeverthe recovery of messages must be computed by all the userswhich is unrealistic scenario as none of the users could be off-line during underlying process Hence the existing methodsare vulnerable to the internal dishonest member attackswhich can easily break the security Although the systemsmay trace the dishonest member they cannot exclude theinfluence of dishonest member during the communicationIn summary these two schemes above are of low-efficiencyand the cost of communication is high

In this paper we propose an efficient anonymous com-munication scheme that offers higher security while dis-posing the aforementioned attack The proposed schemeincorporates anonymous identity-based encryption (IBE) toachieve anonymous communication In our scenario morethan one message can be sent simultaneously in each roundMeanwhile each user uses its ID as the public key weassume that the ID of each user is unique and it must bewell known to other users We set up a bulletin board fromwhere every user could upload or download the ciphertextsdirectly at specific time during each round The recovery

of the message is based on the decryption by the recipientrather than the cooperations of all the users so the systemdoes not need the users to be on-line all the time during thecommunication which is a remarkable advantage comparedwith the verdict and dissent Since every user has to performthe same operation at the same time the adversary cannotanalyze who is the sender and who is the recipient in a givenround This characteristic ensures strong anonymity of theusers

The primary contributions of the paper are listed asfollows

(1) The user can send and receive the ciphertext duringthe same round whichmeans a user can be both a sender anda recipient at the same time This can improve the efficiencyof anonymous communication system

(2) Our scheme allows the users to send or receive morethan one valid ldquociphertextrdquo (because the message is extractedafter decrypting the ciphertext) in each round There is nolimit to the number of communication ciphertexts It is a hugeadvantage compared with other anonymous communicationsystemswhich are based onDC-net this characteristic greatlyimproves the efficiency of anonymous communication sys-tem and reduces the cost of communication

(3) In the proposed scheme some dishonest users aretolerable in the communication because a single user cansuccessfully recover the message by himself instead ofthrough the cooperation of all the other users

Section 3 introduces the basic concepts of bilinear pair-ing IBE and anonymous IBE Section 4 outlines the systemarchitecture and our security goals and Section 5 describesthe specific scheme and its two protocols Section 6 presentsa security analysis of the proposed system

2 Related Work

Anonymous communication system has a high-level demandfor security we may consider a mechanism for enteringinto the anonymous communication system before startingcommunication Users can do anonymous authenticationbefore joining the system [23] only a legal user can be amember of the system Anonymous authentication can applytomany areas [24ndash27] Besides we canmake an improvementof the storage pattern for usersrsquo messages We may combineoblivious RAM [28 29] with our anonymous communicationsystem oblivious RAM hides the access patterns of dataand it can prevent adversary from speculating sensitiveinformation through usersrsquo access patterns In the end wemay use other cryptographical techniques [30ndash33] to enhancethe security of our anonymous communication system

3 Preliminaries

This section outlines the anonymous IBE scheme [34]the difference between ordinary IBE and anonymous IBEAlthough the identity-based encryption was firstly proposedby Shamir [35] a practical IBE scheme was constructedby Boneh and Franklin in 2001 [36] and after that manyIBE schemes were proposed [37ndash40] The conception of



















119889 = (1198891 1198892 1198893) = (1198921205902119892119868119863sdot1199031 119892119903 119892119868119863sdot119903) (1)


119888 = (1198881 1198882 1198883 1198884) = (119890 (1198921 1198922)119905 sdot 119898 119892119868119863(119905+119904)1 1198921199041 119892

119905) (2)


119898 = 1198881 sdot119890 (1198892 1198882)

119890 (1198891 1198884) 119890 (1198893 1198883)(3)














Time















Upload

User 1

middotmiddot

middot

User n

Eenid1 (m1)

Eenidi (mi)

Eenidn (mn)

Bulletin board

Download

c1cn

c1cn

User1 Usern

Decsk1(c1)

Decskn(cn)

Decskn(c1)

Decskn(cn)

Decski (c1)

Decski (ci )

Decski (cn)

middotmiddot

middot

middotmiddot

middotmiddotmiddot

middotmiddot

middot




119894119889sdot1199031 119892119903 119892119894119889sdot119903)






119905 sdot (119898||119878119894119892119899119878119890119899119889119890119903119894119889) 119892119894119889(119905+119904)1 1198921199041 119892







6 Security Analysis




7 Evaluation




105

104

103

102

Tim

e (m

s)

0 200 400 600 800 1000




105

104

103

Tim

e (m

s)



0 100 200 300 400 500 600 700 800 900 1000



8 Conclusions




Data Availability






Acknowledgments


References















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




















119889 = (1198891 1198892 1198893) = (1198921205902119892119868119863sdot1199031 119892119903 119892119868119863sdot119903) (1)


119888 = (1198881 1198882 1198883 1198884) = (119890 (1198921 1198922)119905 sdot 119898 119892119868119863(119905+119904)1 1198921199041 119892

119905) (2)


119898 = 1198881 sdot119890 (1198892 1198882)

119890 (1198891 1198884) 119890 (1198893 1198883)(3)














Time















Upload

User 1

middotmiddot

middot

User n

Eenid1 (m1)

Eenidi (mi)

Eenidn (mn)

Bulletin board

Download

c1cn

c1cn

User1 Usern

Decsk1(c1)

Decskn(cn)

Decskn(c1)

Decskn(cn)

Decski (c1)

Decski (ci )

Decski (cn)

middotmiddot

middot

middotmiddot

middotmiddotmiddot

middotmiddot

middot




119894119889sdot1199031 119892119903 119892119894119889sdot119903)






119905 sdot (119898||119878119894119892119899119878119890119899119889119890119903119894119889) 119892119894119889(119905+119904)1 1198921199041 119892







6 Security Analysis




7 Evaluation




105

104

103

102

Tim

e (m

s)

0 200 400 600 800 1000




105

104

103

Tim

e (m

s)



0 100 200 300 400 500 600 700 800 900 1000



8 Conclusions




Data Availability






Acknowledgments


References















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia











Time















Upload

User 1

middotmiddot

middot

User n

Eenid1 (m1)

Eenidi (mi)

Eenidn (mn)

Bulletin board

Download

c1cn

c1cn

User1 Usern

Decsk1(c1)

Decskn(cn)

Decskn(c1)

Decskn(cn)

Decski (c1)

Decski (ci )

Decski (cn)

middotmiddot

middot

middotmiddot

middotmiddotmiddot

middotmiddot

middot




119894119889sdot1199031 119892119903 119892119894119889sdot119903)






119905 sdot (119898||119878119894119892119899119878119890119899119889119890119903119894119889) 119892119894119889(119905+119904)1 1198921199041 119892







6 Security Analysis




7 Evaluation




105

104

103

102

Tim

e (m

s)

0 200 400 600 800 1000




105

104

103

Tim

e (m

s)



0 100 200 300 400 500 600 700 800 900 1000



8 Conclusions




Data Availability






Acknowledgments


References















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



Upload

User 1

middotmiddot

middot

User n

Eenid1 (m1)

Eenidi (mi)

Eenidn (mn)

Bulletin board

Download

c1cn

c1cn

User1 Usern

Decsk1(c1)

Decskn(cn)

Decskn(c1)

Decskn(cn)

Decski (c1)

Decski (ci )

Decski (cn)

middotmiddot

middot

middotmiddot

middotmiddotmiddot

middotmiddot

middot




119894119889sdot1199031 119892119903 119892119894119889sdot119903)






119905 sdot (119898||119878119894119892119899119878119890119899119889119890119903119894119889) 119892119894119889(119905+119904)1 1198921199041 119892







6 Security Analysis




7 Evaluation




105

104

103

102

Tim

e (m

s)

0 200 400 600 800 1000




105

104

103

Tim

e (m

s)



0 100 200 300 400 500 600 700 800 900 1000



8 Conclusions




Data Availability






Acknowledgments


References















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



6 Security Analysis




7 Evaluation




105

104

103

102

Tim

e (m

s)

0 200 400 600 800 1000




105

104

103

Tim

e (m

s)



0 100 200 300 400 500 600 700 800 900 1000



8 Conclusions




Data Availability






Acknowledgments


References















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




Data Availability






Acknowledgments


References















































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia























RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


anonymous communication via anonymous identity-based...

Documents