1 Introduction

With the majority of the population living in city environments nowadays, the cities face more and more challenges, such as economic growth, mobility, energy, safety, and governance. These challenges are difficult to tackle as they grow in size and complexity. There is an urgent need for cities to become smarter in how they manage their infrastructures and resources. Therefore, the concept of smart cities [18] comes into being. A smart city is an urban development vision to integrate multiple information and communication technology (ICT) solutions in a secure fashion to manage a city’s assets. Building a smart city is aimed to enhance economic competitiveness, social cohesion, and quality of life of its citizens. Smart city technologies are used to managing various city infrastructures such as transportation systems, hospitals, power plants, water supply networks, and other community services. In smart cities, every device and service are linked to an information network through the Internet. These devices include traditional static sensors and personal wearable devices. Data are collected from citizens and devices. These allow city officials to interact directly with the city infrastructures and to monitor the city.

The smart city will take advantage of communication and sensor capabilities sewn into the cities’ infrastructures to optimize electrical, transport, and other logistical operations supporting daily life, thereby improving the quality of life for everyone. Therefore, there must be many files to be produced, transmitted, and shared. For example, mobile phone files with traffic congestion condition can be sent to the traffic department of the city. The majority of the files that are used to communicate the city applications are as follows: user files for monitoring the public behavior, document files for better statistical and feasibility studies, industry files for monitoring the market demand, and business files for more commerce and financial analysis.

The smart city will require higher degrees of network connectivity to support sophisticated features. This has the potential to open up new vulnerabilities. For this reason, one of the biggest challenges facing smart city development is related to file security and user privacy. File confidentiality is needed to protect the privacy of citizens and valuable information of stakeholders in the city. File integrity protects file against modifications that can lead to harmful decisions [2]. In actuation requests, it confirms the authenticity of the request to avoid unauthorized changes in the city’s physical infrastructure. User’s sensitive information (privacy) can detail much about a person’s life they do not wish to be revealed as to medical, political, or social contexts. The priority must be to establish user confidence in the smart city, as otherwise users will hesitate to accept the services provided by smart cities.

1.1 Our contribution

Motivated by the above scenarios, we propose a new file sharing scheme for smart city with file confidentiality, file integrity, receiver privacy, and sender privacy, referred to as privacy-preserving identity-based file sharing (PIFS). We first contribute the model and framework of PIFS. Second, we construct a concrete PIFS scheme in a modular way. Then we prove its relevant security properties. Finally, we give a detailed efficiency analysis for our scheme.

The privacy-preserving identity-based file sharing framework involves nine entities: two group managers for sender and receiver, respectively; a group of senders; a group of receivers; a sender open authority; and four identity managers. It also involves six procedures: system initialization, community setup, user join, file upload, file access, and peer tracing. One procedure will have at least one participant. Note that the sender group manager and receiver group manager can be implemented as one manager in practice. Likewise, four identity managers can also be implemented as one manager.

We design a concrete PIFS scheme in a modular way. In order to get an efficient and practical scheme, we use four primitives, i.e., a public-key encryption scheme which satisfies CCA2 security, an identity-based encryption scheme which satisfies anonymity and semantic security, knowledge proofs which satisfy special properties, and an identity-based group signature scheme. Our proposal is a new identity-based file sharing scheme for smart city with receiver anonymity, sender anonymity, semantic security, peer traceability, and file integrity. Receiver anonymity and sender anonymity protect users from a hostile environment where the attacker may want to extract information about their identities. Semantic security protects files from being attacked. Peer traceability ensures the tracking is reliable and prevents collusion attacks. File integrity protects files against modifications.

We prove the security of our concrete PIFS scheme according to our security definitions. And we give the analysis of probability as well as time complexity. Our scheme has constant complexity in computation and communication. This means the scheme will be efficient in practice. Our PIFS scheme is a fully functional file sharing scheme for smart city.

1.2 Related work

Some experts have researched smart cities. Zanella characterized an urban Internet of Things system according to specific application domains [26]. Al-Hader et al. believed that a smart city provides interoperable, Internet-based government services that enable ubiquitous connectivity to transform key government processes, both internally across departments and employees and externally to citizens and businesses [1]. To close the gap in the literature about smart cities and in response to the increasing use of the concept, Chourabi et al. proposed a framework to understand the concept of smart cities [5]. Su, Li, and Fu mainly focused on recent research and the concept of “smart city,” summarizing the relationship between “smart city” and “digital city,” putting forward the main content of application systems in the smart city [21].

Efforts have been devoted to ensure the security and privacy in smart cities. Suciu proposed a new platform for using cloud computing capacities for provision and support of ubiquitous connectivity and real-time applications and services for smart cities’ needs [20]. Elmaghraby and Losavio examined two important and entangled challenges for smart city: security and privacy [7]. They also presented a model representing the interactions between person, servers, and things. Khan, Pervez, and Ghafoor presented a security and privacy framework for secure and privacy-aware service provisioning in smart cities [13]. Their framework aimed to provide end-to-end security and privacy features for trustable data acquisition, transmission, processing, and legitimate service provisioning. Bohli presented a data platform for management of a smart city and pointed out the main security and privacy threats [2]. They also presented use cases showing the benefits of such a platform for realizing typical smart city application. Wang looked into security issues in smart city infrastructure from both technical and business operation perspectives and proposed an approach to analyze threats and to improve data security of smart city systems [24]. Wu et al. proposed a privacy-preserving system that guarantees message trustworthiness between vehicles. This work offered the possibility of tracing the message generator and its endorsers [23]. Chen et al. proposed a new verifiable database framework from vector commitment based on the idea of commitment binding [6].

As for file sharing, a large amount of works have been proposed. Hoßfeld et al. examined the feasibility of the eDonkey file-sharing service in GPRS networks, detected problems of the interaction between P2P and the mobile network, and found solutions to overcome them. Furthermore, this work measured and analyzed the characteristics of mobile P2P and gave first empirical performance values [11]. Shen presented an efficient and adaptive decentralized file replication algorithm that achieves high query efficiency and high replica utilization at a significantly low cost [22]. In [17], Lu et al. proposed an EigenTrust evolutionary game model based on the renowned EigenTrust reputation model. In this model, they used evolutionary game theory to model strategic peers and their transaction behaviors, which is close to the realistic scenario. Iamnitchi et al. proposed a novel perspective in [12], for analyzing data access workloads that considers the implicit relationships that form among users based on the data they access. Huang et al. proposed a notion called forward secure ID-based ring signature, which is an essential tool for building cost-effective authentic and anonymous data sharing system [10].

Although there are many works for smart city and file sharing, none of them has taken into the consideration of file confidentiality, file integrity, receiver privacy, and sender privacy at the same time. We will construct a new group encryption (GE) and apply a group signature to achieve this goal. Kiayias, Tsiounis, and Yung provided the conception of group encryption [14] and a modular design including zero-knowledge proofs, digital signature schemes, public-key encryption schemes with CCA2 security, and key-privacy and commitment schemes. Cathalo, Libert, and Yung [4] proposed a group encryption with non-interactive realization in the standard model. Independently, Qin, Wu, Susilo, and Mu [19] considered a similar primitive called group decryption. The group decryption has non-interactive proofs and short ciphertexts. Libert, Yung, Joye, and Peters proposed a traceable GE [16] which can trace all the ciphertexts encrypted by a specific user without abolishing the anonymity of the others. In [15], Luo et al. presented an identity-based group encryption, but they did not protect the privacy of the senders or the integrity of the encrypted files.

1.3 Outline of paper

In Section 2, we formally describe the system model and security requirements of PIFS. In Section 3, we provide a overview of PIFS and a concrete PIFS scheme. In Section 4, we prove some related security properties. In Section 5, we give our conclusion of this work.

2 Modeling PIFS

In this section, we formalize the model of PIFS system and the security requirements of this system.

2.1 The PIFS system

PIFS system involves nine entities. There are two group managers (G M R , G M S ) in this system. G M R administers the receiver group and traces the receiver when it is necessary. Likewise, G M S administers the sender group. A sender open authority (O A S ) traces the sender’s identity when it is necessary. Due to the sender group manager, sender members, and sender open authority are identity based, we add three identity managers for sender group manager, sender members, and sender open authority, respectively. They are denoted as \(IM_{GM_{S}},IM_{S},\text {and } IM_{OA_{S}}\). A group of legitimate receivers receive messages from the senders anonymously. A group of legitimate senders have secret messages to be sent to the legitimate receivers anonymously. A receiver identity manager (I M R ) can issue the private keys to the users. For instance, as shown in Fig. 1, anonymous sender 2 sends a file to anonymous receiver 2.

Fig. 1
figure 1

System model

Full size image

We emphasize that the sender group manager and receiver group manager can be implemented as one manager in practice. Similarly, the identity managers for sender group manager, sender members, receiver members, and sender open authority can also be implemented as one manager. We here describe them separately so that one can realize our system in a flexible way.

PIFS consists of the following algorithms.

  • (P a r a m s, M S K R ) ← SysInit(λ). System initialization is a polynomial time algorithm which takes a security parameter λ as input. It outputs system parameter P a r a m s and a receiver master-key M S K R . For sender group manager, the identity manager \(IM_{GM_{S}}\) has a master-key pair \((MSK_{GM_{S}},MPK_{GM_{S}})\) and one-way NP-relation \(\langle \mathcal {R}_{GM_{S}}\rangle \) with trapdoor \(MSK_{GM_{S}}\). For sender members, the identity manager I M S has a master-key pair (M S K S , M P K S ) and one-way NP-relation \(\langle \mathcal {R}_{S}\rangle \) with trapdoor M S K S . For sender open authority, the identity manager \(IM_{OA_{S}}\) has a master-key pair \((MSK_{OA_{S}},MPK_{OA_{S}})\) and one-way NP-relation \(\langle \mathcal {R}_{OA_{S}}\rangle \) with trapdoor \(MSK_{OA_{S}}\). A samplable family of one-way NP-relation \(\mathcal {F}=\{\langle \mathcal {R}_{C,i}:i\rangle \}\) with trapdoor g s k i . It is used to issue certificate for senders. P a r a m s includes but is not limited to them: \((MPK_{GM_{S}},\) \(MPK_{OA_{S}}, MPK_{S},\mathcal {R}_{GM_{S}},\mathcal {R}_{S},\mathcal {R}_{OA_{S}},\mathcal {F})\).

  • \((\!P{\kern -.3pt}K_{{\kern -.3pt}G{\kern -.3pt}M_{{\kern -.3pt}R}},{\kern -.3pt}S{\kern -.3pt}K_{{\kern -.3pt}G{\kern -.3pt}M_{{\kern -.3pt}R}},S{\kern -.3pt}K_{OA_{S}},aux_{OA_{S}},SK_{GM_{S}},aux_{GM_{S}},\) \(\langle \mathcal {R}_{C,GM_{S}}\rangle ) \leftarrow \textbf {ComSetup} (Params,ID_{OA_{S}},ID_{GM_{S}},\) \(MSK_{OA_{S}},MSK_{GM_{S}})\). Community setup is a polynomial time algorithm which takes system parameter P a r a m s, sender OA identity \(ID_{OA_{S}}\), and sender group manager identity \(ID_{GM_{S}}\) as inputs. G M R computes receiver group public key and receiver group private key \((PK_{GM_{R}},SK_{GM_{R}})\). \(IM_{OA_{S}}\) uses his secret key \(MSK_{OA_{S}}\) to compute the secret key \(SK_{OA_{S}}\) and auxiliary information \(aux_{OA_{S}}\) for sender OA. \(IM_{GM_{S}}\) uses his secret key \(MSK_{GM_{S}}\) to compute the secret key \(SK_{GM_{S}}\) and auxiliary information \(aux_{GM_{S}}\) for G M S . \(IM_{GM_{S}}\) also samples \(\mathcal {F}\) to get a relation \(\langle \mathcal {R}_{C,GM_{S}}\rangle \).

  • \((SK_{ID_{R}},SK_{ID_{S}},aux_{ID_{S}},cert_{ID_{S}},reg)\leftarrow \textbf {UserJoin}(Params, ID_{R},MSK_{R},ID_{S},MSK_{S}).\) This is a polynomial time algorithm. For the receiver, it takes system parameter P a r a m s, receiver’s identity I D R , and M S K R as inputs. I M R computes the receiver’s corresponding private key \(SK_{ID_{R}}\). Each receiver can register his identity as a group member to G M R . G M R maintains the receivers’ ID list, denoted as I = {I D R1,..., I D R j }. For the sender, it takes system parameter P a r a m s, sender’s identity I D S , and M S K S as inputs. I M S computes the sender’s corresponding private key \(SK_{ID_{S}}\) and auxiliary information \(aus_{ID_{S}}\). There is a pair of interactive protocols (J o i n, I s s u) between the sender and G M S with common inputs \(ID_{GM_{S}}\) and I D S . I s s u’s additional inputs are \(SK_{GM_{S}}\) and \(aux_{GM_{S}}\). J o i n’s additional inputs are \(SK_{ID_{S}}\) and \(aux_{ID_{S}}\). J o i n obtains \(cert_{ID_{S}}\) satisfying \(((SK_{ID_{S}},aux_{ID_{S}},cert_{ID_{S}}),ID_{S})\in \mathcal {R}_{C,GM_{S}}\), and I s s u stores \((ID_{S},cert_{ID_{S}})\) in a registration table reg.

  • \((P)\leftarrow \textbf {FileUpload}(M,F,Params,ID_{R},PK_{GM_{R}},\) \(ID_{S},SK_{ID_{S}}, aux_{ID_{S}},ID_{GM_{S}},ID_{OA_{S}},cert_{ID_{S}}).\) This is a polynomial time algorithm which takes a session key M, system parameters \(Params,PK_{GM_{R}},ID_{S},SK_{ID_{S}},aux_{ID_{S}},ID_{GM_{S}},\) \(ID_{OA_{S}}, ID_{R},cert_{ID_{S}}\), and a file F as input. It outputs a package P.

  • \((\!F)\!\leftarrow \!\textbf {F{\kern -.3pt}i{\kern -.3pt}l{\kern -.3pt}e{\kern -.3pt}A{\kern -.3pt}c{\kern -.3pt}c{\kern -.3pt}e{\kern -.3pt}s{\kern -.3pt}s{\kern -.3pt}}(\!P{\kern -.5pt}a{\kern -.3pt}r{\kern -.3pt}a{\kern -.3pt}m{\kern -.3pt}s{\kern -.3pt},{\kern -.5pt}P{\kern -.5pt},S{\kern -.5pt}K{\kern -.3pt}_{I{\kern -.3pt}D_{{\kern -.3pt}R}},{\kern -.3pt}I{\kern -.5pt}D_{{\kern -.5pt}G{\kern -.5pt}M{\kern -.5pt}_{S}},{\kern -.5pt}I{\kern -.5pt}D_{{\kern -.3pt}O{\kern -.5pt}A{\kern -.3pt}_{{\kern -.3pt}S{\kern -.5pt}}})\). This is a polynomial time algorithm which takes \(Params,ID_{OA_{S}}, SK_{ID_{R}},ID_{GM_{S}},\text {and }P\) as inputs. It outputs 1 for valid verification or 0 for invalid verification. If it outputs 1, then it outputs the message F, else outputs “reject.”

  • \(({\kern -.5pt}I{\kern -.5pt}D_{{\kern -.5pt}R},{\kern -.5pt}I{\kern -.5pt}D_{{\kern -.5pt}S})\!\leftarrow \textbf {PeerTracing}(SK_{GM_{R}},ID_{GM_{S}},SK_{OA_{S}}\) \(,ID_{OA_{S}}, reg,F).\) For receiver tracing, G M R first verifies if the verifier outputs 1, then verifies the correctness of the encryption of I D R . If both of them are valid, G M R runs a polynomial time algorithm which takes F and \(SK_{GM_{R}}\) as inputs. It outputs I D R of the receiver. For sender tracing, the O A S with \(SK_{OA_{S}}\) has read access to reg and outputs identity I D S for the corresponding sender using an O p e n subprocedure. And ω is the proof of this claim. Then it checks if ω is a valid proof of the sender’s identity using a J u d g e subprocedure.

2.2 Security requirements

We focus on two important and entangled challenges, i.e., security and privacy. Files in a smart city must be protected in order to reduce the risk of files theft and fake that can lead to a series of damage. Since digital citizens are more and more instrumented with data available about their identity, location, and activities, privacy seems to disappear. We propose the PIFS system to deal with security and privacy problems and satisfy security requirements as follows:

  • File confidentiality. A file cannot be leaked to any unauthorized user, entity, or program. The characteristics of the file also cannot be utilized.

  • File integrity. File integrity means the file cannot be changed without authorization. In the PIFS system, we propose a method to verify the file and ensure the file integrity.

  • Receiver privacy. In the process of file transfer, identity of the receiver may be leaked. Any attacker should not get any useful identity information of the receiver from the file, even he colludes with others.

  • Sender privacy. It is similar to receiver privacy protection. But we focus on sender privacy, specially, sender’s identity protection.

3 The proposal

3.1 High-level description of the scheme

In this section, we provide a high-level description of our PIFS scheme in the smart city file sharing setting. We assume that our PIFS scheme works in end-to-end mode in a smart city. A peer (sender) shares a file with the other one (receiver). Since a file may be very large, it should be very inefficient using a public-key cryptography to encrypt a file directly. Instead, we can encrypt a session key and use a symmetrical encryption to encrypt the file. This is a relatively efficient solution.

The first question of a secure file sharing scheme in a smart city is the file security. The second question is how to protect identity of the receiver from being leaked, because the attacker may extract the receiver’s identity and then obtains the total constituent of the receiver group. Group encryption is a good method to achieve both of the two goals. The existing GE schemes are all realized in the public key infrastructure (PKI) setting, in which complicated certificate management is required to ensure security. It seems appealing to use identity-based encryption (IBE) schemes to replace the PKI-based public-key encryptions in GE. Therefore, we employ an identity-based encryption with ANO-IND-ID-CPA security [9] and a public-key encryption with CCA2 security [3] to propose a new cryptographic primitive called identity-based group encryption (IBGE) [15]. As a component of our PIFS, IBGE ensures message confidentiality and receiver anonymity.

File integrity is another essential element of the file sharing scheme. Just like the protection of receiver privacy, the sender privacy should also be protected in the smart city file sharing setting. Obviously, sender traceability is necessary, too. As we all know, digital signature ensures file integrity. And group signature has properties of sender anonymity and traceability. To achieve these goals in identity-based setting, we apply an identity-based group signature [25] scheme as a component of our PIFS.

In order to verify that if the encrypted receiver’s identity and the identity that forms IBE ciphertext are identical, we link the identity-based encryption with the public-key encryption using a zero-knowledge proof. This zero-knowledge proof indicates that the IBE ciphertext has not been tampered as well as the ciphertext is well formed. This means that the zero-knowledge proof makes our PIFS scheme achieve CCA2 security.

3.2 A concrete PIFS scheme

As illustrated in Fig. 1, nine entities are involved in our PIFS scheme: receiver group managers (G M R ), sender group managers (G M S ), a group of receiver, a group of sender, sender open authority (O A S ), four identity managers (I M S ,\(IM_{R},IM_{OA_{S}},IM_{GM_{S}})\) for sender members, receiver members, sender open authority, and sender group manager. Two group managers administrate receiver group and sender group, respectively. Receiver group manager is able to identify the receiver. Sender open authority specially identifies the sender. Four identity managers issue the secret keys to the four entities. A sender shares a file with a peer.

We use bilinear groups to construct our scheme. Let p be a large prime. \(\mathbb {G},\hat {\mathbb {G}},\mathbb {G}_{T}\) are three cyclic groups of prime order p. \(g,\hat {g}\) are generators of \(\mathbb {G},\hat {\mathbb {G}}\) respectively. We say that \(\mathbb {G}\), \(\mathbb {\hat {G}}\) are bilinear groups if there is a bilinear map \(e:\mathbb {G}\times \hat {\mathbb {G}}\rightarrow \mathbb {G}_{T}\) that satisfies the following properties. Bilinear: we say a map \(e:\mathbb {G}\times \hat {\mathbb {G}}\rightarrow \mathbb {G}_{T}\) is bilinear if \(e(u^{a},\hat {u}^{b})=e(u,\hat {u})^{ab}\) for all \(u\in \mathbb {G},\hat {u}\in \hat {\mathbb {G}}, a,b\in \mathbb {Z}_{p}\). Non-degenerate: if \(g,\hat {g}\) are generators of \(\mathbb {G},\hat {\mathbb {G}}\) respectively, then \(e(g,\hat {g})\) is a generator of \(\mathbb {G}_{T}\). We use bilinear groups as a black box. If \(\mathbb {G}=\hat {\mathbb {G}}\), the group is a symmetrical bilinear group. If \(\mathbb {G}\neq \hat {\mathbb {G}}\), the group is a asymmetric bilinear group.

Now we are ready to describe our PIFS scheme. It works as follows.

SysInit. Let a receiver’s identity be \(ID_{R}\in \mathbb {Z}_{p}\). Let \(\mathbb {G},\mathbb {G}_{T}\) be two groups of order p, and let \(\bar {e}:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_{T}\) be a bilinear map. Let \(\mathbb {\bar {G}}\) be an Abelian group of order p in which the DDH problem [3] is hard. I M R chooses random \(g,h\mathop {\leftarrow }\limits ^{R} \mathbb {G}\) and random \(\alpha \mathop {\leftarrow }\limits ^{R} \mathbb {Z}_{p}\). It sets \(g_{1}\leftarrow g^{\alpha }\in \mathbb {G}\). The program chooses random \(g_{2},g_{3},t\mathop {\leftarrow }\limits ^{R} \mathbb {\bar {G}}\) and universal one-way hash functions H. The M S K R = α.

Let a sender’s identity be \(ID_{S}\in \mathbb {Z}_{p}\). Another pairing \(\hat {e}:\mathbb {G}_{1}\times \mathbb {G}_{2}\rightarrow \mathbb {\hat {G}}_{T}\) where the above three cyclic groups are of order p. The \(IM_{GM_{S}},IM_{OA_{S}},IM_{S}\) secret keys are \(MSK_{GM_{S}}=x_{G},MSK_{OA_{S}}=x_{O},MSK_{S}=x_{S} \in \mathbb {Z}^{*}_{p}\) and the public keys are \(MPK_{GM_{S}}=g^{x_{G}}_{G},MPK_{OA_{S}}=g^{x_{O}}_{O},MPK_{S}=g^{x_{S}}_{S} \in \mathbb {G}_{2}\), where \(g_{G},g_{O},g_{S}\in \mathbb {G}_{2}\). Let u be a generator in \(\mathbb {G}_{1}\). Define hash functions \(H_{G}:\{0,1\}^{*}\rightarrow \mathbb {Z}^{*}_{p},H_{O}:\{0,1\}^{*}\rightarrow \mathbb {G}_{1},H_{S}:\{0,1\}^{*} \rightarrow \mathbb {G}_{1},\bar {H}:\{0,1\}^{*}\rightarrow \mathbb {Z}^{*}_{p}\).

For G M S , define \(\mathcal {R}_{GM_{S}}=\{((SK_{GM_{S}},R),ID_{GM_{S}}): g_{G}^{SK_{GM_{S}}}=R_{MPK_{GM_{S}}}^{H_{G}(R\parallel ID_{GM_{S}})}\}\). For O A S , define \(\mathcal {R}_{OA_{S}}=\{(SK_{OA_{S}},ID_{OA_{S}}): SK_{OA_{S}}=H_{O}(ID_{OA_{S}})^{x_{O}}\}\). For sender, define \(\mathcal {R}_{S}=\{(x,i): SK_{OA_{S}}=H_{S}(i)^{x_{S}}\}\). For certificate, define \(\mathcal {F}=\{\langle \mathcal {R}_{C,i}\rangle :i\}\) with trapdoor x i . And define the following:

$$\mathcal{R}_{C,ID_{GM_{s}}}=\{(ID_{S},(A^{\prime},e)):A^{\prime e+SK_{GM_{s}}}H_{S}(ID_{S})=u\}. $$

Let g 4, g 5, g 6, g 7, g 8, u are generators in \(\mathbb {G}_{1}\). Then the system parameter is as follows:

$$\begin{array}{@{}rcl@{}} Pramas=(g,g_{1},...,g_{8},u,h,t,\bar{e},\hat{e},g_{G},g_{O},g_{S},MPK_{GM_{S}},\\ MPK_{OA_{S}},MPK_{S},H,\bar{H},H_{G},H_{S},H_{O},\mathcal{R}_{GM_{S}},\mathcal{R}_{OA_{S}},\mathcal{R}_{S},\mathcal{F}). \end{array} $$

ComSetup

This procedure chooses random x 1, x 2, y 1, y 2,\(z\mathop {\leftarrow }\limits ^{R} \mathbb {Z}_{p}\). Then it computes \(w=g_{2}^{x_{1}}g_{3}^{x_{2}},d=g_{2}^{y_{1}}g_{3}^{y_{2}},l={g_{2}^{z}}\). The receiver group public key and private key are \(PK_{GM_{R}}=(g_{2}, g_{3},w,d,l,H)\) and \(SK_{GM_{R}}=(x_{1},x_{2},y_{1},y_{2},z)\). On input O A S ’s identity \(ID_{OA_{S}}\), the procedure uses \(MSK_{OA_{S}}=x_{O}\) to compute O A S secret key \(SK_{OA_{S}}=H_{O}(ID_{OA_{S}})^{x_{O}}\). On input G M S ’s identity \(ID_{GM_{S}}\), the procedure defines \(\mathcal {R}_{C,ID_{GM_{s}}}=\{(ID_{S},(A^{\prime },e)):A^{\prime e+SK_{GM_{s}}}H_{S}(ID_{S})=u\}\). Then it randomly chooses \(r^{\prime }\mathop {\leftarrow }\limits ^{R} \mathbb {Z}_{p}\) and computes the following:

$$aux_{ID_{GM_{s}}}=g_{G}^{r^{\prime}}, SK_{GM_{S}}=r^{\prime}+H_{G}(aux_{ID_{GM_{s}}}\parallel ID_{GM_{s}})x_{G}. $$

UserJoin

Let a receiver’s identity be \(ID_{R}\in \mathbb {Z}_{p}\). The procedure chooses random \(r\mathop {\leftarrow }\limits ^{R} \mathbb {Z}_{p}\) and uses M S K R = α to calculate the receiver’s private key \(SK_{ID_{R}}=(r,h_{ID_{R}})\), where \(h_{ID_{R}}=(hg^{-r})^{1/(\alpha -ID_{R})}\).

Let a sender’s identity be \(ID_{S}\in \mathbb {Z}_{p}\). The procedure uses M S K S = x S to compute sender’s private key \(SK_{ID_{S}}=H_{S}(ID_{S})^{x_{S}}\). And there is a pair of interactive protocols (J o i n, I s s u) between the sender and the procedure.

J o i n runs a proof of knowledge of \(SK_{ID_{S}}\) for I D S . I s s u uses \(SK_{GM_{S}}\), \(aux_{GM_{S}}\) to compute \(cert_{ID_{S}}\) = (A′, e) satisfying \((ID_{S}, cert_{ID_{S}})\!\in \! \mathcal {R}_{C,ID_{S}}\). I s s u chooses random \(e\mathop {\leftarrow }\limits ^{R} \mathbb {Z}_{p}\) and computes \(A^{\prime }=(u/H_{S}(ID_{S}))^{1/(e+SK_{GM_{S}})}\). I s s u sends \((A^{\prime },e, aux_{ID_{GM_{S}}})\) to J o i n. J o i n accepts the certificate if and only if \(\hat {e}(u,g_{G})=\hat {e}(A^{\prime },g_{G})^{e}\hat {e}(A^{\prime },S)\hat {e}(H_{S}(ID_{S}),g_{G}),\) where \(S=g_{G}^{SK_{GM_{S}}}=aux_{ID_{GM_{S}}}\cdot MPK_{GM_{S}}^{H_{G}(aux_{ID_{GM_{S}}}\parallel ID_{GM_{S}})}.\) J o i n gets \(cert_{ID_{S}}, aux_{GM_{S}}\). I s s u computes \(W=\hat {e}(H_{S}(ID_{S}),g_{G})\) and puts (I D S , A′, e, W) in the reg.

FileUpload

This procedure can be divided into two subprocedures. They are encryption procedure and signature procedure.

Encryption procedure:

  • Session key encryption. Given a session key \(M\in \mathbb {G}_{T}\), the receiver’s identity \(ID_{R}\in \mathbb {Z}_{p}\), the procedure chooses random \(s\mathop {\leftarrow }\limits ^{R} \mathbb {Z}_{p}\). Then it computes a part of ciphertext:

    $$C_{1}=({g_{1}^{s}}g^{-s\cdot ID_{R}}, \bar{e}(g,g)^{s}, M\cdot \bar{e}(g,h)^{-s})=(C_{10},C_{11},C_{12}). $$

  • Receiver’s identity encryption. Given receiver’s identity \(ID_{R}\in \mathbb {Z}_{p}\), the procedure chooses random \(n\mathop {\leftarrow }\limits ^{R} \mathbb {Z}_{p}\). Then it computes the following:

    $$k_{1}={g_{2}^{n}},k_{2}={g_{3}^{n}},\psi=l^{n}t^{ID_{R}},\epsilon=H(k_{1},k_{2},\psi),v=w^{n}d^{n\epsilon}. $$

    Another part of ciphertext is C 2 = (k 1, k 2, ψ, v).

  • We construct a zero-knowledge proof which can prove the encrypted receiver’s identity and the identity that forms the IBE ciphertext are identical. It proves the IBE ciphertext has not been tampered as well as the the ciphertext is well formed. This is a non-interactive zero-knowledge proof protocol. We denote the protocol by

    $$ZK\left\{ s,n,ID_{R}\left| \begin{array}{c} C_{10}={g_{1}^{s}}g^{-s\cdot ID_{R}},C_{11}=\bar{e}(g,g)^{s}, \\ k_{1}={g_{2}^{n}},k_{2}={g_{3}^{n}},\psi=l^{n}t^{ID_{R}},v=w^{n}d^{n\epsilon} \end{array}\right. \right\} $$

    This zero-knowledge proof is difficult to constructed directly. We convert this zero-knowledge proof into an equivalent one as follows.

    $$ZK\left\{s,n,ID_{R} \left| \begin{array}{l} C_{10}={g_{1}^{s}}g^{-s\cdot ID_{R}},C_{11}=\bar{e}(g,g)^{s},v=w^{n}d^{n\epsilon}\\ A=\psi^{s},A=A_{1}A_{2}, A_{1}=l^{ns},A_{2}^{-1}=t^{-s\cdot ID_{R}} \\ \psi=l^{n}t^{ID_{R}},k={k_{1}^{s}},k=g_{2}^{ns}, k_{1}={g_{2}^{n}},k_{2}={g_{3}^{n}}\\ \end{array} \right.\right\} $$

    Sender randomly chooses integers \(\bar {s}, \bar {ID}, \bar {n}\), and computes the following:

    $$\begin{array}{@{}rcl@{}} &&\bar{C_{10}}=g_{1}^{\bar{s}}g^{-\bar{s}\cdot \bar{ID_{R}}},\bar{C_{11}}=\bar{e}(g,g)^{\bar{s}},\bar{k_{1}}=g_{2}^{\bar{n}},\bar{k_{2}}=g_{3}^{\bar{n}},\\ &&\bar{\psi}=l^{\bar{n}}t^{\bar{ID_{R}}},\bar{v}=w^{\bar{n}}d^{\bar{n}\epsilon},\bar{A}=\psi^{\bar{s}},\bar{A}=\bar{A_{1}}\bar{A_{2}},\\ &&\bar{A_{1}}=l^{\bar{n}\bar{s}},\bar{A_{2}^{-1}}=t^{-\bar{s}\cdot \bar{ID_{R}}},\bar{k}=\bar{k}_{1}^{\bar{s}},\bar{k}=g_{2}^{\bar{n}\bar{s}} \end{array} $$

    Then it sends these to a verifier. The procedure uses a hash function \(\bar {H}\) to compute the following:

    $$\begin{array}{@{}rcl@{}} c={}&&\bar{H}(\bar{C}_{10},C_{10},\bar{C}_{11},C_{11},\bar{k_{1}},k_{1},\bar{k_{2}},k_{2},\bar{\psi},\psi,\\ &&\bar{v},v,\bar{A},A,\bar{A_{1}},A_{1},\bar{A_{2}},A_{2},\bar{A_{2}^{-1}},A_{2}^{-1},\bar{k},k). \end{array} $$

    The sender computes \(r_{1}=\bar {s}+cs, r_{2}=\bar {n}+cn, r_{3}=\bar {ID_{R}}+c\cdot ID_{R}, r_{4}= -\bar {s}\bar {ID_{R}}-c\cdot s\cdot ID_{R}, r_{5}= \bar {n}\bar {s}+c\cdot ns\). Then it sends r 1, r 2, r 3, r 4, r 5, c to a verifier. The verifier checks whether the equation holds the following:

    $$\begin{array}{@{}rcl@{}} &&c\overset{?}{=}\bar{H}(\psi^{r_{1}}A^{-c},A,k_{1}^{r_{1}}k^{-c},k,\bar{e}(g,g)^{r_{1}}C_{11}^{-c},C_{11},g_{2}^{r_{2}}k_{1}^{-c},k_{1},\\ &&g_{3}^{r_{2}}k_{2}^{-c},k_{2},(wd^{\epsilon})^{r_{2}}v^{-c},v,l^{r_{2}}t^{r_{3}}\psi^{-c},\psi,g_{1}^{r_{1}}g^{r_{4}}C_{10}^{-c},\\ &&C_{10},t^{r_{4}}(A_{2}^{-1})^{-c},A_{2}^{-1},l^{r_{5}}A_{1}^{-c},A_{1},g_{2}^{r_{5}}k^{-c},k). \end{array} $$

    The verifier outputs 1 if this equation holds; otherwise, it outputs 0. The ciphertext is C = (C 1, C 2, C 3), where the C 3 = (r 1, r 2, r 3, r 4, r 5, c).

  • We use a symmetric encryption algorithm to encrypt file F with session key M. The algorithm outputs E M (F).

Signature procedure: Given the sender’s identity I D S with private key \(SK_{ID_{S}}\) and certificate (A′, e). The procedure computes a signature σ for ciphertext C, E M (F), and \(ID_{OA_{S}}\). The procedure randomly selects \(s_{1},d^{\prime }\mathop {\leftarrow }\limits ^{R} \mathbb {Z}_{p}\) and computes s 2 = e s 1. Then it computes the following:

$$t_{0}=g_{4}^{s_{1}},t_{1}=SK_{ID_{S}}g_{5}^{s_{1}},t_{2}=H_{S}(ID_{S})g_{6}^{s_{1}},t_{3}=A^{\prime}g_{7}^{s_{1}},t_{5}={t_{3}^{e}}g_{8}^{s_{1}}. $$

And we have the following:

$$\begin{array}{@{}rcl@{}} &&ctxt=\hat{e}(H_{S}(ID_{S}),g_{G})\hat{e}(H_{O}(ID_{OA_{S}}),MPK_{OA_{S}}),\\ &&U=g_{O}^{d^{\prime}}, SK_{ID_{S}}=H_{S}(ID_{S})^{x_{S}}, A^{\prime e+SK_{GM_{s}}}H_{S}(ID_{S})=u,\\ &&S=g_{G}^{SK_{GM_{S}}}=aux_{ID_{GM_{S}}}\cdot MPK_{GM_{S}}^{H_{G}(aux_{ID_{GM_{S}}}\parallel ID_{GM_{S}})}. \end{array} $$

  • The procedure randomly selects \(r^{\prime }_{1},r^{\prime }_{2},r^{\prime }_{3},r^{\prime }_{4}\in \mathbb {Z}_{p},R_{1},R_{2},\)

    \(R_{3}\in \mathbb {G}_{1}\) and computes the following:

    $$\begin{array}{@{}rcl@{}} \tau_{0} &=& g_{4}^{r^{\prime}_{1}},\tau_{1}=R_{1}g_{5}^{r^{\prime}_{1}},\tau_{2}=R_{2}g_{6}^{r^{\prime}_{1}},\tau_{3}=R_{3}g_{7}^{r^{\prime}_{1}},\\ \tau_{4} &=& [\hat{e}(g_{5},g_{S})^{-1}\hat{e}(g_{6},MPK_{S})]^{r^{\prime}_{1}},\tau_{5}=t_{3}^{r^{\prime}_{3}}g_{8}^{r^{\prime}_{1}},\\ \tau_{6} &=& \hat{e}(g_{7},g_{G})^{r^{\prime}_{2}}[\hat{e}(g_{7},S)\hat{e}(g_{6}g_{8},g_{G})]^{r^{\prime}_{1}},\tau_{7}=g_{G}^{r^{\prime}_{4}},\\ \tau_{8} &=& \hat{e}(H_{O}(ID_{OA_{S}}),MPK_{OA_{S}})^{r^{\prime}_{4}}\hat{e}(g^{\prime}_{6},g_{G})^{-r^{\prime}_{1}}.\\ \end{array} $$

  • Then the procedure uses a hash function \(\bar {H}\) to compute the following:

    $$c^{\prime}=\bar{H}(t_{0},...,t_{3},t_{5},\tau_{0},...,\tau_{8},aux_{GM_{S}},ctxt,U,C,E_{M}(F)). $$

    And the procedure computes the following:

    $$\begin{array}{@{}rcl@{}} &&z_{0}=r^{\prime}_{1}-c^{\prime}s_{1},z_{1}=R_{1}SK_{ID_{S}}^{-c^{\prime}},z_{2}=R_{2}H_{S}(i)^{-c^{\prime}},z_{3}=R_{3}A^{\prime -c^{\prime}},\\ &&\quad z_{4}=r^{\prime}_{3}-c^{\prime}e,z_{5}=r^{\prime}_{2}-c^{\prime}s_{2},z_{6}=r^{\prime}_{4}-c^{\prime}d. \end{array} $$

  • The signature is σ = (t 0,..., t 3, t 5, c′, z 0,..., z 6,\(aux_{GM_{S}},ctxt,U)\).

Packaging procedure: Finally, the package is P = (C, σ, E M (F)), where (C, σ) is the header. The anonymous sender uploads the package.

FileAccess

This procedure can be divided into signature verification procedure and decryption procedure.

Signature verification procedure: Given the package P = (C, σ, E M (F)), the procedure computes the following:

$$\begin{array}{@{}rcl@{}} &&t_{4}=\hat{e}(t_{1},g_{S})^{-1}\hat{e}(t_{2},g_{S})^{-1},t_{6}=\hat{e}(u,g_{G})^{-1}\hat{e}(t_{2}t_{5},g_{G})\hat{e}(t_{3},S),\\ &&t_{8}=ctxt\cdot\hat{e}(t_{2},g_{G})^{-1},\tau_{0}=g_{4}^{z_{0}}t_{0}^{c^{\prime}},\tau_{1}=z_{1}g_{5}^{z_{0}}t_{1}^{c^{\prime}},\tau_{2}=z_{2}g_{6}^{z_{0}}t_{2}^{c^{\prime}},\\ &&\tau_{3}=z_{3}g_{7}^{z_{0}}t_{3}^{c^{\prime}},\tau_{4}=[\hat{e}(g_{5},g_{S})^{-1}\hat{e}(g_{6},MPK_{S})]^{z_{0}}t_{4}^{c^{\prime}},\\ &&\tau_{5}=t_{3}^{z_{4}}g_{8}^{z_{0}}t_{5}^{c^{\prime}},\tau_{6}=\hat{e}(g_{7},g_{G})^{z_{5}}[\hat{e}(g_{7},S)\hat{e}(g_{6}g_{8},g_{G})]^{z_{0}}t_{6}^{c^{\prime}},\\ &&\tau_{7}=g_{G}^{z_{6}}U^{c^{\prime}},\tau_{8}=\hat{e}(H_{O}(ID_{OA_{S}}),MPK_{OA_{S}})^{z_{6}}\hat{e}(g^{\prime}_{6},g_{G})^{-z_{0}}t_{8}^{c^{\prime}},\\ &&S=aux_{ID_{GM_{S}}}\cdot MPK_{GM_{S}}^{H_{G}(aux_{ID_{GM_{S}}}\parallel ID_{GM_{S}})}. \end{array} $$

Then it computes \(\hat {c}\) in the same way of c′ and compares it to c′ received in the signature. If they are equal, the procedure outputs 1 for valid signature, else outputs 0.

Decryption procedure: If signature verification procedure outputs 1, execute the following steps, else return “reject.”

Given P = (C, σ, E M (F)) = (C 1, C 2, σ, E M (F)), where C 1 = (C 10, C 11, C 12). The receiver’s private key is \(SK_{ID_{R}}=(r,h_{ID_{R}})\). Output the session key \(M=C_{12}\cdot \bar {e}(C_{10},h_{ID_{R}})C_{11}^{r}\). Then the receiver uses the session key M to decrypt E M (F) and obtains file F.

PeerTracing

This scheme can trace both receiver and sender if needs arise.

Receiver tracing:

  • If ZK proof’s verifier outputs 1, then the procedure executes the next step, else returns “reject.”

  • The procedure computes \(t^{ID_{R}}=\psi /{k_{1}^{z}}\). For all I D R j I, compute \(t^{ID_{Rj}}\) and test \(t^{ID_{Rj}}\overset {?}{=}t^{ID}\). If \(t^{ID_{Rj}}=t^{ID_{R}}\) holds, the procedure outputs receiver’s identity I D R , else returns “reject.”

Sender tracing:

  • O p e n subprocedure. The sender open authority uses his secret key \(SK_{OA_{S}}\) to trace the sender’s identity I D S encrypted in the signature. Denote \(Q_{OA_{S}}=H_{O}(ID_{OA_{S}})\). The procedure computes the following:

    $$m=\hat{e}(H_{S}(ID_{S}),g_{G})=ctxt/\hat{e}(SK_{OA_{S}},U). $$

    The open authority compares W with the registration table reg. If no such entry is found, returns “reject.” If it is found to be sender I D S , the sender open authority computes a proof of knowledge of \(SK_{OA_{S}}\) such that \(\hat {e}(SK_{OA_{S}},U)=ctxt/m\):

    1. 1.

      Randomly picks \(s^{\prime }_{0}\mathop {\leftarrow }\limits ^{R} \mathbb {Z}_{p}\). Computes \(t^{\prime }_{0}=SK_{OA_{S}}h^{\prime s^{\prime }_{0}},t^{\prime }_{1}=\hat {e}(h^{\prime },U)^{s^{\prime }_{0}},t^{\prime }_{2}=\hat {e}(h^{\prime },g_{O})^{s^{\prime }_{0}}.\)

    2. 2.

      Randomly picks \(r^{\prime \prime }_{0},r^{\prime \prime }_{1}\mathop {\leftarrow }\limits ^{R} \mathbb {Z}_{p}\). Computes \(\tau ^{\prime }_{0}=Q_{OA_{S}}^{r^{\prime \prime }_{1}}h^{\prime r^{\prime \prime }_{0}},\tau ^{\prime }_{1}=\hat {e}(h^{\prime },U)^{r^{\prime \prime }_{0}},\tau ^{\prime }_{2}=\hat {e}(h^{\prime },g_{O})^{r^{\prime \prime }_{0}}.\)

    3. 3.

      Computes \(c^{\prime \prime }=\bar {H}(t^{\prime }_{0},t^{\prime }_{1},t^{\prime }_{2},\tau ^{\prime }_{0},\tau ^{\prime }_{1},\tau ^{\prime }_{2},ctxt,U,m)\).

    4. 4.

      Computes \(z^{\prime }_{0}=r^{\prime \prime }_{0}-c^{\prime \prime }s^{\prime }_{0},z^{\prime }_{1}=Q_{OA_{S}}^{r^{\prime \prime }_{1}}SK_{OA_{S}}^{c^{\prime \prime }}\).

    Outputs the proof \(\omega =(t^{\prime }_{0},c^{\prime \prime },z^{\prime }_{0},z^{\prime }_{1})\) to judge as follows.

  • J u d g e subprocedure. On input \(ID_{S},ID_{GM_{S}},ID_{OA_{S}},\) σ, ω, it computes the following:

    $$\begin{array}{@{}rcl@{}} &&m=\hat{e}(H_{S}(ID_{S}),g_{G}),m^{\prime}=ctxt/m,t^{\prime}_{1}=\hat{e}(t^{\prime}_{0},U)/m^{\prime},\\ &&t^{\prime}_{2}=\hat{e}(t^{\prime}_{0},g_{O})\hat{e}(Q_{OA_{S}},MPK_{OA_{S}}),\tau^{\prime}_{0}=z^{\prime}_{1}t^{\prime c^{\prime\prime}}_{0}h^{\prime z^{\prime}_{0}},\\ &&\tau^{\prime}_{1}=\hat{e}(h^{\prime},U)^{z^{\prime}_{0}}t^{\prime c^{\prime\prime}}_{1},\tau^{\prime}_{2}=\hat{e}(h^{\prime},g_{0})^{z^{\prime}_{0}}t^{\prime c^{\prime\prime}}_{2}. \end{array} $$

    Then it compares if \(c^{\prime \prime }=\bar {H}(t^{\prime }_{0},t^{\prime }_{1},t^{\prime }_{2},\tau ^{\prime }_{0},\tau ^{\prime }_{1},\tau ^{\prime }_{2},ctxt,\) U, m). If the equation holds, output 1, else output 0.

We show that the above scheme is correct. For the signature, the correctness is obvious. For the encryption, we first verify that the ciphertext can be decrypted correctly. \(\bar {e}(C_{10},h_{ID_{R}})C_{11}^{r}=\bar {e}(g^{s(\alpha -ID_{R})},h^{1/(\alpha -ID_{R})}\) \(g^{-r/(\alpha -ID_{R})})\bar {e}(g,g)^{sr} =\bar {e}(g,h)^{s}.\) The receiver can decrypt because it possess an (αI D R )-th root of h. When this is paired with an (αI D R )-th root of g s, the receiver obtains \(\bar {e}(g,h)^{s}\). We then verify that the receiver can be traced correctly. Since \(k_{1}={g^{n}_{2}},k_{2}={g^{n}_{3}}\), we have \(k_{1}^{x_{1}}k_{2}^{x_{2}}=g_{2}^{nx_{1}}g_{3}^{nx_{2}}=w^{n}\). Similarly, we have \(k_{1}^{y_{1}}k_{2}^{y_{2}}=d^{n}\) and \({k_{1}^{z}}=l^{n}\). The equation \(k_{1}^{x_{1}+y_{1}\epsilon }k_{2}^{x_{2}+y_{2}\epsilon }=v\) will hold. The output is \(t^{ID_{R}}=\psi /l^{n}\).

3.3 Efficiency

In Tables 1 and 2, we denote τ m as one multiplication operation time in \(\mathbb {G}\) and \(\mathbb {G}_{T}\), τ e as one exponent operation time in \(\mathbb {G}\) and \(\mathbb {G}_{T}\), τ p as one pairing operation time in \(\mathbb {G}\) and \(\mathbb {G}_{T}\), \(\bar {\tau }_{m}\) as one multiplication operation time in \(\mathbb {\bar {G}}\), \(\bar {\tau }_{e}\) as one exponent operation time in \(\mathbb {\bar {G}}\), \(\bar {\tau }_{p}\) as one pairing operation time in \(\mathbb {\bar {G}}\), \(\hat {\tau }_{m}\) as one multiplication operation time in \(\mathbb {G}_{1},\mathbb {G}_{2}\), and \(\mathbb {\hat {G}}_{T}\), \(\hat {\tau }_{e}\) as one exponent operation time in \(\mathbb {G}_{1},\mathbb {G}_{2}\), and \(\mathbb {\hat {G}}_{T}\), and \(\hat {\tau }_{p}\) as one pairing operation time in \(\mathbb {G}_{1},\mathbb {G}_{2}\), and \(\mathbb {\hat {G}}_{T}\). A number of pre-computations can be done to improve the efficiency of our PIFS scheme.

Table 1 Storage complexity of our PIFS scheme
Full size table
Table 2 Computational complexity of our PIFS scheme
Full size table

The storage complexity and computational complexity of our scheme are constant and unrelated to the number of users.

4 Security analysis

4.1 Formal security definition

File confidentiality and receiver privacy are protected by applying an identity-based encryption [9] scheme with ANO-IND-ID-CPA security and a public-key encryption [3] with CCA2 security. If a file cannot reveal information of the message, we say that the file is semantic secure. If a file cannot reveal information of the identity of the receiver, we say that the file receiver is anonymous. We consider the combination of these two definitions: receiver anonymity and semantic security. This definition will ensure file confidentiality and receiver privacy for our PIFS scheme in smart city. Receiver traceability is also a necessary definition for our scheme.

File integrity and sender privacy are protected by applying an identity-based group signature [25]. An identity-based group signature scheme implies message integrity and anonymous sender. Since integrity is inherent, we propose sender anonymity to ensure the sender privacy for our PIFS scheme. Likewise, sender traceability is required.

Formally, security definitions are defined through games between an adversary \(\mathcal {A}\) and a challenger as follows.

Receiver anonymity and semantic security

We have the following game for receiver anonymity and semantic security:

  • Setup. The challenger builds the system. It takes security parameter λ as input and runs the algorithm SysInit which outputs system parameter P a r a m s and M S K R . It gives the adversary P a r a m s but keeps M S K R .

  • Phase 1. The adversary can adaptively issue extraction query of 〈I D R j 〉. Then it obtains the receiver’s private key \(SK_{ID_{Rj}}\).

  • Challenge. After phase 1, adversary chooses two receiver identities I D R0, I D R1 and two equal length plaintexts M 0, M 1. The only restriction is that the two identities did not appear in any private key extraction query in phase 1. Challenger chooses a random bit b ∈{0,1} and a random bit c ∈{0,1}. It computes the package P using algorithm FileUpload and (I D R b , M c ). Then it sends P to adversary.

  • Phase 2. It is similar to phase 1. The only constraint is I D R i I D R .

  • Guess. The adversary outputs b′∈{0,1} and c′ ∈ {0, 1}. The adversary wins the game if b = b′∧ c = c′.

We define adversary \(\mathcal {A}\)’s advantage with security parameter λ in ANO-IND-CIA-CPA game as follows:

$$Adv\mathcal{_{A}}(\lambda)=\mid Pr[b=b^{\prime}\wedge c=c^{\prime}]-\frac{1}{4}\mid. $$

Definition 1

We say that our PIFS scheme has receiver anonymity and semantic security against chosen-identity attacks and chosen-plaintext attacks (ANO-IND-CIA-CPA) if no polynomially bounded adversary \(\mathcal {A}\) has non-negligible advantage in the above game.

Receiver traceability

We have the following game for receiver traceability:

  • Setup. The challenger builds the system. It takes security parameter λ as input and runs the algorithm SysInit which outputs system parameter P a r a m s and M S K R . It gives the adversary P a r a m s but keeps M S K R .

  • Inspect phase. The adversary can adaptively issue community setup query, user join query, file upload query, file access query and even colludes with the prover in the zero-knowledge proof.

  • Output. The adversary outputs a valid package P . The adversary wins in the game if the receiver group manager outputs a wrong identity of the receiver. The adversary’s advantage is its probability of winning.

Definition 2

We say our PIFS scheme is receiver traceable if no polynomially bounded adversary has non-negligible probability to win in the above game.

Sender anonymity

We have the following oracles for the adversary to query:

  • The Random Oracle \(\mathcal {RO}\). Simulate the random oracle.

  • The Key Extraction Oracle- G M S \(\mathcal {KEO_{G}}\). Upon input \(ID_{GM_{S}}\), outputs his secret key \(SK_{GM_{S}}\).

  • The Key Extraction Oracle- O A S \(\mathcal {KEO_{O}}\). Upon input \(ID_{OA_{S}}\), outputs his secret key \(SK_{OA_{S}}\).

  • The Key Extraction Oracle-Sender \(\mathcal {KEO_{S}}\). Upon input I D S , outputs his secret key \(SK_{ID_{S}}\).

  • The Join Oracle \(\mathcal {JO}\). Upon input I D S of \(ID_{GM_{S}}\), outputs cert corresponding to an honest I s s u-executing G M S .

  • The Issue Oracle \(\mathcal {IO}\). Upon input I D S of \(ID_{GM_{S}}\), outputs cert corresponding to an honest J o i n-executing sender.

  • The Corruption Oracle \(\mathcal {CO}\). Upon input I D S of group \(ID_{GM_{S}}\), outputs the secret keys \((SK_{ID_{S}},\) \(aux_{ID_{S}},cert)\).

  • The Signing Oracle \(\mathcal {SO}\). Upon input \(ID_{S},ID_{GM_{S}},\) \(ID_{OA_{S}}\) and ciphertext C, outputs a valid signature.

  • The Open Oracle \(\mathcal {OO}\). Upon input a valid signature σ for C under \(ID_{GM_{S}}, ID_{OA_{S}}\), outputs the sender I D S and the proof ω.

We have the following game for sender anonymity:

  • Setup. The challenger builds the system. It takes security parameter λ as input and runs the algorithm SysInit. Then it invokes UserJoin q u times to generate a set of honest senders (HS) with secret keys and certificates.

  • Phase 1. Adversary adaptively queries \(\mathcal {RO},\mathcal {CO},\mathcal {OO},\)

    \(\mathcal {IO},\mathcal {KEO_{G}},\mathcal {KEO_{O}},\mathcal {KEO_{S}}\).

  • Challenge. After phase 1, adversary chooses two sender identities I D S0, I D S1 ∈HS, \(ID_{GM_{S}},ID_{OA_{S}}\), and a package P. The only restriction is that \(ID_{OA_{S}}\) should not be input to \(\mathcal {OO},\mathcal {KEO_{O}}\) before. Challenger chooses a random bit \(\bar {b}\in \{0,1\}\). It computes the signature \(\sigma =\mathcal {SO}(ID_{S\bar {b}}, ID_{GM_{S}},ID_{OA_{S}},P)\) and sends the signature to adversary.

  • Phase 2. It is similar to phase 1. The only restriction is that \(ID_{OA_{S}}\) should not be input to \(\mathcal {OO},\mathcal {KEO_{O}}\).

  • Guess. The adversary also has write access to registration table reg. It outputs its guess \(\bar {b}^{\prime }\in \{0,1\}\). The adversary wins the game if \(\bar {b}=\bar {b}^{\prime }\).

We define adversary \(\mathcal {A}\)’s advantage with security parameter λ in sender anonymity game as follows:

$$Adv\mathcal{_{A}}(\lambda)=\mid Pr[\bar{b}=\bar{b}^{\prime}]-\frac{1}{2}\mid. $$

Definition 3

We say our PIFS scheme has sender anonymity if no polynomially bounded adversary \(\mathcal {A}\) has non-negligible advantage in the above game.

Sender traceability

We have the following game for sender traceability:

  • Setup. The challenger builds the system. It takes security parameter λ as input and runs the algorithm SysInit. Then it invokes UserJoin q u times to generate a set of honest senders (HS) with secret keys and certificates.

  • Inspect phase. Adversary adaptively queries \(\mathcal {RO},\mathcal {CO}, \mathcal {JO},\mathcal {KEO_{G}},\mathcal {KEO_{O}},\mathcal {KEO_{S}}\).

  • Output. The adversary also has read access to reg. It outputs a valid signature σ. The adversary wins in the game if \(\textbf {PeerTracing}(ID_{GM_{S}}),ID_{OA_{S}},C,\sigma )=1\), either i =⊥ or \(Judge(ID_{GM_{S}},ID_{OA_{S}},i,m,\sigma ,\omega )=0\), where \((i,\omega ) \leftarrow Open(ID_{GM_{S}},MSK_{OA_{S}},reg,C,\sigma )\). \(ID_{GM_{S}}\) has never been queried to \(\mathcal {KEO_{G}}\), and \((i,ID_{GM_{S}})\) has never been queried to \(\mathcal {CO}\). The adversary’s advantage is its probability of winning.

Definition 4

We say our PIFS scheme is sender traceable if no polynomially bounded adversary has non-negligible probability to win in the above game.

4.2 Complexity assumptions

Receiver anonymity and semantic security of our PIFS scheme rely on decisional augmented bilinear Diffie-Hellman exponent (decisional ABDHE) problem [8]. Let \(\mathbb {G},\mathbb {G}_{T}\) are two (multiplicative) cyclic groups of prime order p. g is a generator of \(\mathbb {G}\). \(\bar {e}:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_{T}\) is a bilinear map.

First, we review the q-BDHE problem: given a vector of 2q + 1 elements

$$(g^{\prime},g,g^{\alpha},g^{\alpha^{2}},...,g^{\alpha^{q}},g^{\alpha^{q+2}},...,g^{\alpha^{2q}})\in \mathbb{G}^{2q+1} $$

as input, output \(\bar {e}(g,g^{\prime })^{\alpha ^{q+1}}\in \mathbb {G}_{T}\). Since the term \(g^{\alpha ^{q+1}}\) is missing in the input, it is intractable to compute \(\bar {e}(g,g^{\prime })^{\alpha ^{q+1}}\).

The definition of the q-ABDHE problem is almost identical: given a vector of 2q + 2 elements

$$(g^{\prime},g^{\prime \alpha^{q+2}},g,g^{\alpha},g^{\alpha^{2}},...,g^{\alpha^{q}},g^{\alpha^{q+2}},...,g^{\alpha^{2q}})\in \mathbb{G}^{2q+2} $$

as input, output \(\bar {e}(g,g^{\prime })^{\alpha ^{q+1}}\in \mathbb {G}_{T}\). Since the term \(g^{\alpha ^{-1}}\) is missing in the input, it is intractable to compute \(\bar {e}(g,g^{\prime })^{\alpha ^{q+1}}\), even though the term \(g^{\prime \alpha ^{q+2}}\) is added.

We will use a truncated version of the q-ABDHE problem, in which the terms \((g^{\alpha ^{q+2}},...,g^{\alpha ^{2q}})\) are omitted from the input, because of this version of q-ABDHE problem is more useful for our concrete IBGE scheme.

The truncated q-ABDHE problem: given a vector of q elements

$$(g^{\prime},g^{\prime \alpha^{q+2}},g,g^{\alpha},g^{\alpha^{2}},...,g^{\alpha^{q}})\in \mathbb{G}^{q} $$

as input, output \(\bar {e}(g,g^{\prime })^{\alpha ^{q+1}}\in \mathbb {G}_{T}\). The truncated q-ABDHE problem is hard if the q-ABDHE problem is hard, since the input vector of truncated q-ABDHE is less than q-ABDHE. \(\mathcal {A}\) has advantage 𝜖 in solving truncated q-ABDHE if

$$Pr[\mathcal{A}(g^{\prime},g^{\prime \alpha^{q+2}},g,g^{\alpha},g^{\alpha^{2}},...,g^{\alpha^{q}})=\bar{e} (g^{\alpha^{q+1}},g^{\prime})]\geqslant\epsilon $$

where the probability is over the randomly chosen \(g,g^{\prime }\overset {R}{\leftarrow } \mathbb {G}\), the randomly chosen \(\alpha \overset {R}{\leftarrow } \mathbb {Z}_{p}\) and the randomly chosen bits by \(\mathcal {A}\).

For ease of description, we use g i and \(g^{\prime }_{i}\) to denote \(g^{\alpha ^{i}}\) and \(g^{\prime \alpha ^{i}}\). Now, it is easy to define the decisional version of truncated q-ABDHE. An algorithm \(\mathcal {B}\) that outputs b ∈{0,1} has advantage 𝜖 in solving truncated decision q-ABDHE if

$$\begin{array}{@{}rcl@{}} &&\mid Pr[\mathcal{B}(g^{\prime},g^{\prime}_{q+2},g,g_{1},...,g_{q},\bar{e}(g_{q+1},g^{\prime}))=0]\\ &&-Pr[\mathcal{B}(g^{\prime},g^{\prime}_{q+2},g,g_{1},...,g_{q},Z)=0]\mid \geqslant \epsilon \end{array} $$

where the probability is over the randomly chosen \(g,g^{\prime }\overset {R}{\leftarrow } \mathbb {G}\), the randomly chosen \(\alpha \overset {R}{\leftarrow } \mathbb {Z}_{p}\), the randomly chosen \(Z \overset {R}{\leftarrow } \mathbb {G}_{T}\), and the randomly chosen bits of \(\mathcal {B}\). We refer to the distribution on the left as P A B D H E and the distribution on the right as R A B D H E .

Definition 5

We say that the decisional version of truncated (t, 𝜖, q)-ABDHE assumption holds in \(\mathbb {G}\) if no t-time algorithm has advantage at least 𝜖 in solving the decisional version of truncated q-ABDHE problem in \(\mathbb {G}\).

Sender anonymity of our PIFS scheme relies on coDBDH problem and Lockstep DDH+coDBDH problem. Let \(\mathbb {G}_{1},\mathbb {G}_{2}\) are two (multiplicative) cyclic groups of prime order p. g 1 is a generator of \(\mathbb {G}_{1}\) and g 2 is a generator of \(\mathbb {G}_{2}\). Let ψ is a computable isomorphism from \(\mathbb {G}_{1}\) to \(\mathbb {G}_{2}\), with ψ(g 2) = g 1. \(\hat {e}:\mathbb {G}_{1}\times \mathbb {G}_{2}\rightarrow \mathbb {G}_{T}\) is a bilinear map.

Definition 6

The co-decisional Bilinear Diffie-Hellman problem (coDBDH problem) in \((\mathbb {G}_{1},\mathbb {G}_{2})\) is as follows: given \(P,P^{\alpha },P^{\beta }\in \mathbb {G}_{1}, Q\in \mathbb {G}_{2}, R\in \mathbb {G}_{T}\) for unknown \(\alpha ,\beta \in \mathbb {Z}_{p}\) to decide if \(R=\hat {e}(P,Q)^{\alpha \beta }\).

Definition 7

Let \(\hat {e}:\mathbb {G}_{1}\times \mathbb {G}_{2}\rightarrow \mathbb {G}_{T}\) be a bilinear map. Given:

  1. 1.

    \(g_{1},g^{\alpha }_{1},g^{\beta _{i}}_{1},g^{\gamma _{i}}_{1},\in \mathbb {G}_{1}\) for 1 ≤ ik.

  2. 2.

    \(g_{2},g^{\delta _{1}}_{2},g^{\delta _{2}}_{2}, R\in \mathbb {G}_{T}\).

  3. 3.

    \(Pr\{\gamma _{i}=\alpha \beta _{i}, all\ i, 1\leqslant i\leqslant k\ AND\ R=\hat {e}(g_{1},g_{2})^{\delta _{1},\delta _{2}}\}=Pr\{\gamma _{i}\neq \alpha \beta _{i}, all i, 1\leqslant i\leqslant k\ AND\ R\neq \hat {e}(g_{1},g_{2})^{\delta _{1},\delta _{2}}\}=1/2\).

The Lockstep DDH+coDBDH Problem to distinguish between the two non-zero probability events in (3) above with non-negligible probability over 1/2. The Lockstep DDH+coDBDH Assumption is that no polynomial time algorithm can solve the Lockstep DDH+coDBDH Problem. The proof can be seen in [25].

Sender traceability of our PIFS scheme relies on k-CAA2 problem.

Definition 8

The k-CAA2 problem in \((\mathbb {G}_{1},\mathbb {G}_{2})\) is as follows: given \(u,v\in \mathbb {G}_{1}, g_{2},g_{2}^{\gamma }\in \mathbb {G}_{2}\) and pair (A i , e i , λ i ) with distinct and non-zero \(e_{i}^{\prime }s\) satisfying \(A_{i}^{\gamma +e_{i}}v^{\lambda _{i}}=u\) for 1 ⩽ ik as input, outputs a pair (A k+1, e k+1, λ k+1) satisfying \(A_{k+1}^{\lambda +e_{k}+1}\cdot v^{\lambda _{k+1}}=u\), with e k+1e i for all 1 ⩽ ik.

4.3 Formal security results

We give the formal security results of our PIFS scheme according to the security definitions.

Theorem 1

Our PIFS scheme satisfies (t′, ε′, q I D ) ANO-IND-CIA-CPA receiver anonymity and semantic security assuming the truncated decision (t, 𝜖, q) − A B D H E assumption holds for \((\mathbb {G},\mathbb {G}_{T},\bar {e})\), where \(q=q_{ID_{R}}+1, t^{\prime }=t-O(t_{exp}\cdot q^{2}), \epsilon ^{\prime }=\epsilon +2/q\) , t e x p is the time required to exponentiate in \(\mathbb {G}\).

Proof

Suppose \(\mathcal {A}\) is an (t′, ε′, q I D ) ANO-IND-CIA-CPA adversary against our scheme. We construct a simulator \(\mathcal {B}\) solves the truncated decision q-ABDHE problem. \(\mathcal {B}\) takes as input \((g^{\prime },g^{\prime }_{q+2},g,g_{1},...g_{q},Z)\), where \(Z=\bar {e}(g_{q+1},g^{\prime })\) or a random element of \(\mathbb {G}_{T}\).

Setup. \(\mathcal {B}\) generates a random polynomial \(f(x)\in \mathbb {Z}_{p}[x]\) of degree q. It let h = g f(α) and computes h from (g, g 1,..., g q ). It sends public parameters (g, g 1, h) to \(\mathcal {A}\).

Phase 1. \(\mathcal {A}\) adaptively issues receiver identity extraction query. \(\mathcal {B}\) responds as follows. If I D R = α, \(\mathcal {B}\) can solve the truncated decision q-ABDHE immediately. Otherwise, let \(F_{ID_{R}}(x)=(f(x)-f(ID_{R}))/(x-ID_{R})\) be the (q − 1)-degree polynomial. \(\mathcal {B}\) let \((f(ID_{R}), g^{F_{ID_{R}}(\alpha )})\) be the user’s secret key \((r,h_{ID_{R}})\). Since \(g^{F_{ID_{R}}(\alpha )}=g^{(f(\alpha )-f(ID_{R})/(\alpha -ID_{R}))}=(hg^{-f(ID_{R})})^{1/(\alpha -ID_{R})}\), secret key \((r,h_{ID_{R}})\) is valid of I D R .

Challenge. \(\mathcal {A}\) outputs two identities I D R0, I D R1 and two M 0, M 1. The restriction is that the two identities did not appear in any secret key extraction query. Note that if α ∈{I D R0, I D R1}, \(\mathcal {B}\) can solve the truncated decision q-ABDHE immediately. Otherwise, \(\mathcal {B}\) chooses bits b, c ∈{0,1} and computes secret key \((r_{b},h_{ID_{Rb}})\) for I D b same to phase 1.

Let f 2(x) = x q+2 and let \(F_{2,ID_{b}(x)}=(f_{2}(x)-f_{2}(ID_{Rb}))/(x-ID_{Rb})\), which is a polynomial of degree of q + 1. \(\mathcal {B}\) sets

$$\begin{array}{@{}rcl@{}} C_{10} &=& g^{\prime f_{2}(\alpha)-f_{2}(ID_{Rb})}, C_{11}=Z\cdot \bar{e}(g^{\prime}, \mathop{\prod}\limits^{q}_{i=0}g^{F_{2,ID_{Rb}},i^{\alpha^{i}}}),\\ C_{12} &=& M_{c}/\bar{e}(C_{10},h_{ID_{Rb}})C_{11}^{r_{b}} \end{array} $$

where \(F_{2,ID_{Rb},i}\) is the coefficient of x i in \(F_{2,ID_{Rb}}(x)\). It sends C 1 = (C 10, C 11, C 12) as the ciphertext to be challenged.

Let \(s=(\log _{g}g^{\prime })F_{2,ID_{Rb}}(\alpha )\). If \(Z=\bar {e}(g_{q+1},g^{\prime })\), then \(C_{10}=g^{s(\alpha -ID_{Rb})}, C_{11}=\bar {e}(g,g)^{s}\), and \(M_{c}/C_{12}=\bar {e}(C_{10},h_{ID_{Rb}})C_{11}^{r_{b}}=\bar {e}(g,h)^{s}\). Let C 1 = (C 10, C 11, C 12) be an effective ciphertext of identity I D R b and message M c under random value s.

Phase 2. \(\mathcal {A}\) adaptively issues receiver identity extraction query as in phase 1. The restriction is that the two identities did not appear in any identity extraction query.

Guess. Finally, adversary \(\mathcal {A}\) outputs guesses b′, c′∈{0,1} of b, c. If b′ = bc′ = c, \(\mathcal {B}\) outputs 1 else 0. □

The analysis of probability and time complexity is as follows.

Analysis of probability. If \(Z=\bar {e}(g_{q+1},g^{\prime })\), the simulation is perfect. Adversary \(\mathcal {A}\) can guess the bits (b, c) correctly with probability \(\frac {1}{4}+\epsilon ^{\prime }\). Otherwise, Z is uniformly random, so (C 10, C 11) is a uniformly random and independent element of \((\mathbb {G},\mathbb {G}_{T})\). When this happens, the inequalities

$$C_{11}\neq \bar{e}(C_{10},g)^{1/(\alpha-ID_{R0})},C_{11}\neq \bar{e}(C_{10},g)^{1/(\alpha-ID_{R1})} $$

both hold in the same time with probability 1 − 2/p. When the two inequalities hold,

$$\begin{array}{@{}rcl@{}} &&\bar{e}(C_{10},h_{ID_{Rb}})C_{11}^{r_{b}}=\bar{e}(C_{10},(hg^{-r_{b}})^{1/(\alpha-ID_{Rb})})C_{11}^{r_{b}}\\ &&=\bar{e}(C_{10},h)^{\alpha-ID_{Rb}}(C_{11}/\bar{e}(C_{10},g)^{1/(\alpha-ID_{Rb})})^{r_{b}} \end{array} $$

is a uniformly random and independent value from the view of adversary \(\mathcal {A}\), because r b is a uniformly random and independent value from the view of adversary \(\mathcal {A}\). So, C 12 is uniformly random and independent. C 1 will not reveal any information of the bits (b, c). Assuming that no queried identity equals α, it is easy to see that \(\mid Pr[\mathcal {B}(g^{\prime },g^{\prime }_{q+2},g,g_{1},...,g_{q}, Z)=0]-\frac {1}{4}\mid \leqslant \frac {2}{p}\) when \((g^{\prime },g^{\prime }_{q+2},g,g_{1},...,g_{q},Z)\) is sampled from R A B D H E . To the contrary, we can see that \(\mid Pr[\mathcal {B}(g^{\prime },g^{\prime }_{q+2}, g,g_{1},...,g_{q},Z)=0]-\frac {1}{4}\mid \geqslant \epsilon ^{\prime }\) when \((g^{\prime },g^{\prime }_{q+2},g,g_{1},...,g_{q},Z)\) is sampled from P A B D H E . Thus, we have that

$$\begin{array}{@{}rcl@{}} &&\mid Pr[\mathcal{B}(g^{\prime},g^{\prime}_{q+2},g,g_{1},...,g_{q},\bar{e}(g_{q+1},g^{\prime}))=0]\\ &&-Pr[\mathcal{B}(g^{\prime},g^{\prime}_{q+2},g,g_{1},...,g_{q},Z)=0]\mid\geqslant \epsilon^{\prime}-\frac{2}{p}. \end{array} $$

Analysis of time complexity. In the simulation procedure, the overhead of \(\mathcal {B}\) is computing \(g^{F_{ID_{R}}(\alpha )}\) in order to response \(\mathcal {A}\)’s extraction query for the I D R , where \(F_{ID_{R}}(x)\) is polynomial of q − 1 degree. Every computation requires O(q) exponentiation in \(\mathbb {G}\). \(\mathcal {A}\) makes at most q − 1 queries, thus, t = t′ + O(t e x p q 2).

Theorem 2

Our PIFS scheme satisfies receiver traceability.

Proof

Setup is same as the above proof. In inspect phase adversary can adaptability issue queries. The challenger will respond adversary. The adversary will choose a receiver group public key \(PK^{\prime }_{GM_{R}}=(g_{2},g_{3},w^{\prime },d^{\prime },l^{\prime },H)\) and obtain secret key are \(SK^{\prime }_{GM_{R}}=(x^{\prime }_{1},x^{\prime }_{2},y^{\prime }_{1},y^{\prime }_{2},z^{\prime })\). Adversary will choose a receiver identity I D R and obtain his private key \(SK_{ID_{R}}\), as well as an other \(ID^{\prime }_{R}\). Adversary computes \(C^{\prime }_{1}\) using I D R and computes \(C^{\prime }_{2}\) using I D′.

Let \(C_{10}={g_{1}^{s}}g^{-s\cdot ID_{R}}, A_{2}^{-1}=t^{-s\cdot ID^{\prime }_{R}}, ID_{R}\neq ID^{\prime }_{R}\). Prover chooses \(-\bar {s}\cdot \bar {ID_{R1}},-\bar {s}\cdot \bar {ID_{R2}},\bar {ID_{R1}}\neq \bar {ID_{R2}}\) (if \(\bar {ID_{R1}}=\bar {ID_{R2}}\), since \(g_{1}^{r_{1}}g^{r_{4}}=\bar {C_{10}}C_{10}^{c},t^{r_{4}}=\bar {A_{2}^{-1}}(A_{2}^{-1})^{c}\), we obtain \(r_{4}\equiv -\bar {s}\bar {ID_{1}} +(-s\cdot ID_{R})c\ \text {mod}\ p, r_{4}\equiv -\bar {s}\bar {ID_{R2}}+(-s\cdot ID^{\prime }_{R})c\ \text {mod}\ p, ID_{R}=ID^{\prime }_{R}\) ), then computes \(\bar {C}_{10}=g_{1}^{\bar {s}}g^{-\bar {s}\cdot \bar {ID_{R1}}}, \bar {A}_{2}^{-1}=t^{-\bar {s}\cdot \bar {ID_{R2}}}\) . \(g_{1}^{r_{1}}g^{r_{4}} =\bar {C_{10}}C_{10}^{c}\) and \(t^{r_{4}}=\bar {A_{2}^{-1}}(A_{2}^{-1})^{c}\) both hold, if and only if \(-\bar {s}\bar {ID_{R1}} +(-s\cdot ID_{R})c\equiv -\bar {s}\bar {ID_{R2}}+(-s\cdot ID^{\prime }_{R})c\ \text {mod}\ p\) holds. This means that \(c\equiv \frac {\bar {s}(\bar {ID_{R1}}-\bar {ID_{R2}})}{s(ID^{\prime }_{R}-ID_{R})}\). This equation holds if and only if the verifier chooses this c exactly. We get \(C^{\prime }_{3}=(r_{1},r_{2},r_{3},r_{4}, r_{5},c)\) and a valid ciphertext \(C^{\prime }=(C^{\prime }_{1},C^{\prime }_{2},C^{\prime }_{3})\). Thus, the adversary gets a valid file P which the G M R cannot trace correctly. But the probability is negligible. □

Theorem 3

Our PIFS scheme is sender anonymous if and only if the DDH assumption in \(\mathbb {G}_{1}\) and the coDBDH assumption in \((\mathbb {G}_{1},\mathbb {G}_{2})\) both hold.

Proof

Suppose \(\mathcal {A}\) is a polynomial time algorithm that breaks the sender anonymity of our scheme. Then we show how to construct a polynomial time algorithm \(\mathcal {S}\) that solves the Lockstep DDH+coDBDH problem in \((\mathbb {G}_{1},\mathbb {G}_{2})\), which is equivalent to the coDBDH problem in \((\mathbb {G}_{1},\mathbb {G}_{2})\) and the DDH problem in \(\mathbb {G}_{1}\).

\(\mathcal {S}\) is given \(g^{\prime }_{1},g^{\prime \alpha }_{1},g^{\prime \beta _{i}}_{1},g^{\prime \gamma _{i}}_{1}\in \mathbb {G}_{1}\) for 1 ⩽ i ⩽ 4; \(g^{\prime }_{2},g^{\prime \delta _{i}}_{2},g^{\prime \delta _{i}}_{2} \in \mathbb {G}_{1}\) and \(R\in \mathbb {G}_{T}\) for unknown \(\alpha _{i},\beta _{i},\delta _{1},\delta _{2}\in \mathbb {Z}_{p}\) . \(\mathcal {S}\) sets the public parameter \(g_{O}=g^{\prime }_{2},MSK_{OA_{S}}=g^{\prime \delta _{1}}_{2},g_{4}=g^{\prime }_{1},g_{5}=g^{\prime \beta _{1}}_{1},g_{6}=g^{\prime \beta _{2}}_{1},g_{7}=g^{\prime \beta _{3}}_{1},g_{8}=g^{\prime \beta _{4}}_{1}\). \(\mathcal {S}\) generates \(g_{G},x_{G}, MPK_{GM_{S}}=g_{G}^{x_{G}},g_{S},x_{S},MPK_{S}=g_{S}^{x_{S}}\) and u = g G . \(\mathcal {S}\) randomly picks ∈{1,..., q H }, where q H is the number of query to H O . \(\mathcal {S}\) provides \(\mathcal {A}\) the parameters.

The oracles are simulated as follows:

  • H is random oracle.

  • H G (a u x i i): On input new a u x i , i, randomly pick \(\lambda \in \mathbb {Z}_{p}\) and return λ. Store (a u x i , i, λ) in tape \(\mathcal {L}_{G}\).

  • H S (i): On input new i, randomly pick \(\lambda \in \mathbb {Z}_{p}\) and return \(g_{S}^{\lambda }\). Store (i, λ) in tape \(\mathcal {L}_{S}\).

  • H O (i): On input new i, randomly pick \(\lambda \in \mathbb {Z}_{p}\) and return \(g_{O}^{\lambda }\). Store (i, λ) in tape \(\mathcal {L}_{O}\). For the -th query, return \(Q=g^{\prime }_{1}\) and back patch (i, Q) in \(\mathcal {L}_{O}\). Denote this identity as i g .

  • \(\mathcal {KEO_{S}}(i)\): Computes H S (i). Then \(SK_{ID_{Si}}=MPK_{S}^{\lambda }\), where \((i,\lambda )\in \mathcal {L}_{S}\).

  • \(\mathcal {KEO_{G}}(ID_{GM_{S}})\): On input \(ID_{GM_{S}}\), randomly pick \(h,SK_{GM_{S}} \in \mathbb {Z}_{p}\) and computes \(aux_{GM_{S}}=g_{G}^{SK_{GM_{S}}}MPK^{-h}_{GM_{S}}\). \(\mathcal {S}\) back patches \(H_{G}(aux_{GM_{S}}\parallel ID_{GM_{S}})=h\). Store \((aux_{GM_{S}},ID_{GM_{S}},h)\) in tape \(\mathcal {L}_{O}\). Return \((SK_{GM_{S}},aux_{GM_{S}})\).

  • \(\mathcal {KEO_{G}}(ID_{OA_{S}})\): Computes \(H_{O}(ID_{OA_{S}})\). Then \(SK_{OA_{S}}=MPK_{OA_{S}}^{\lambda }\), where \((ID_{OA_{S}},\lambda )\in \mathcal {L}_{O}\). If \(ID_{OA_{S}}=i_{g}\), declare failure and exit.

  • \(\mathcal {IO}(i,ID_{GM_{S}})\): It interacts with the honest sender i. Computes \((SK_{GM_{S}},aux_{GM_{S}})\) as in \(\mathcal {KEO_{G}}(ID_{GM_{S}})\). Randomly selects \(e\in \mathbb {Z}_{p}\), and computes

    $$ID_{OA_{S}}=i_{g}, A^{\prime}=(u/H_{S}(i))^{1/(e+SK_{GM_{S}})}, W=\hat{e}(H_{S}(i)),g_{G}). $$

    Store (i, A′, e, W) in reg. Returns \((A^{\prime },e,aux_{GM_{S}})\) to honest sender i.

  • \(\mathcal {CO}(i,ID_{GM_{S}})\): On input the identity, this oracle outputs the sender’s secret keys. Computes \(H_{1}(ID_{OA_{S}})\). Computes H S (i) as in \(\mathcal {KEO_{S}}(i)\). Computes c e r t i as in \(\mathcal {IO}(i,ID_{GM_{S}})\). Returns (I D S i , c e r t i ).

  • \(\mathcal {OO}(ID_{GM_{S}},ID_{OA_{S}},m,\sigma )\): Computes \(H_{1}(ID_{OA_{S}})\). Then \((SK_{OA_{S}},\lambda )\in \mathcal {L}_{1}\). Return\((i,\omega )\leftarrow Open(ID_{GM_{S}},SK_{OA_{S}}, reg,m,\sigma )\). If \(ID_{OA_{S}}=i_{g}\), declare failure and exit.

Anytime \(\mathcal {A}\) can query the oracles above. At some point, it sends the sender identity \(i_{0},i_{1},ID_{GM_{S}},ID_{OA_{S}}\) and C to the \(\mathcal {S}\). \(\mathcal {S}\) flips a coin \(\bar {b}\in \{0,1\}\) and computes \((SK_{ID_{S\bar {b}}},A^{\prime }_{\bar {b}},e_{\bar {b}})\leftarrow \mathcal {CO}(i_{\bar {b}},ID_{GM_{S}}\). \(\mathcal {S}\) sets \(t_{0}=g^{\prime \alpha }_{1},t_{1}=SK_{ID_{S\bar {b}}}g^{\prime \gamma _{1}}_{1},t_{2}=H_{S}(i_{\bar {b}})g^{\prime \gamma _{2}}_{1}, t_{3}=A^{\prime }_{\bar {b}}g^{\prime \gamma _{3}}_{1}m,t_{5}=t_{3}^{e_{\bar {b}}}g^{\prime \gamma _{4}}_{1}\). \(\mathcal {S}\) randomly chooses a c′ and z 0,..., z 6. It computes τ 0,..., τ 8. It sets \(U=g_{2}^{\prime \delta _{2}}\) and computes \(ctxt=\hat {e}(H_{S}(i_{\bar {b}}),g_{G})R\). Then back patch c′ to H. \(\mathcal {S}\) returns signature σ g as the gauntlet to \(\mathcal {A}\).

Finally, \(\mathcal {A}\) outputs a bit \(\bar {b^{\prime }}\). If \(\bar {b}^{\prime }=\bar {b}\), \(\mathcal {S}\) returns “yes” for the Lockstep DDH+coDBDH problem. Otherwise, \(\mathcal {S}\) returns “no.” By the back patch above, if \(\mathcal {A}\) has a non-negligible advantage ε in winning the game, \(\mathcal {S}\) has advantage ε/q H in solving the Lockstep DDH+coDBDH problem. □

Theorem 4

Our PIFS scheme is sender traceable if and only if the k-CAA2 assumption holds.

Proof

Let \(\mathcal {A}\) be a polynomial time adversary attacking the sender traceability. We show that given a colluding group of k senders, with the knowledge of the opening key and access to some oracles, we can use \(\mathcal {A}\) to solve the k-CAA2 problem.

\(\mathcal {S}\) is given the tuple \(u,v\in \mathbb {G},g_{2},g^{\gamma }_{2}\in \mathbb {G}_{2}\) and pair \((A^{\prime }_{i},e_{i},\lambda _{i})\) with distinct and non-zero e i ’s satisfying \(A^{\prime \lambda +e_{i}}_{i}v^{\lambda _{i}}=u\) for 1 ⩽ ik as input. The value s = log u(v) is also given to it.

\(\mathcal {S}\) sets g G = g 6, g S = v and g O . It randomly selects \(x_{G}, MPK_{GM_{S}}=g^{x_{G}}_{G},x_{S},MPK_{S}=g^{x_{S}}_{S},x_{O},MPK_{OA_{S}}=g^{x_{O}}_{O}\). It randomly selects μ and sets g 7 = v μ. It sets up the rest of the parameters and provides to \(\mathcal {A}\). It randomly selects ∈{1,..., q c }, where q c is the number of query to \(\mathcal {CO}\).

The oracles are simulated as follows:

  • H S (i): On input new i, randomly pick λ j from the given k-CAA2 tuple and return \(v^{\lambda _{j}}\). Store (i, λ j ) in tape \(\mathcal {L}_{S}\).

  • \(\mathcal {JO}(i,ID_{GM_{S}})\): It interacts with honest issuer \(ID_{GM_{S}}\). Computes I D S i as in \(\mathcal {KEO_{S}}(i)\). Then interacts with \(ID_{GM_{S}}\) with I D S i . Finally, it returns c e r t i .

  • \(\mathcal {CO}(i,ID_{GM_{S}})\): On input the sender identity, this oracle outputs the sender’s secret keys. Computes I D S i as in \(\mathcal {KEO_{S}}(i)\). Randomly selects \(e\in \mathbb {Z}_{p}\), and computes \(A^{\prime }=(u/H_{S}(i))^{1/(e+SK_{GM_{S}})}, W=\hat {e}(H_{S}(i)),g_{G})\). Store (i, A′,

    e, W) in reg. Returns \((A^{\prime },e,aux_{GM_{S}})\) to honest sender i. For the −th query, randomly selects \(h\in \mathbb {Z}_{p}\) and computes \(aux_{GM_{S}}=g_{2}^{\lambda }MPK_{GM_{S}}^{-h}\). \(\mathcal {S}\) back patch \(H_{G}(aux_{GM_{S}}\parallel ID_{OA_{S}})=h\). Pick a pair of \((A^{\prime }_{i},e_{i},\lambda _{i})\) from the k-CCA2 tuple. Back patches (i, λ i ) to \(\mathcal {L}_{S}\). Then we have \(ID_{Si}=MPK_{S}^{\lambda _{i}}\). Returns \((ID_{Si},A^{\prime }_{i},e_{i},aux_{GM_{S}})\). Computes \(W=\hat {e}(H_{S}(i),g_{G})\). Stores \((i,A^{\prime }_{i},e_{i,W})\) in reg. Denote this identity as \(ID_{GM_{Sg}}\). If \(ID_{GM_{S}}=ID_{GM_{Sg}}\) in future queries, also runs the above steps.

Other oracles are similar to the proof of theorem 3. Suppose \(\mathcal {A}\) can output a valid signature σ such that the sender open authority cannot trace the identity of the sender, or the sender open authority can find the identity but cannot prove that to J u d g e. Below we proof the soundness of the proof system between O p e n and J u d g e. Rewind the simulation to obtain the following:

$$\begin{array}{@{}rcl@{}} &&1={\Delta} z^{\prime}h^{z^{\prime}_{0}}_{1}t^{\prime {\Delta} c^{\prime\prime}}_{0}, 1=\hat{e}(h,U)^{z^{\prime}_{0}}_{1}t^{\prime {\Delta} c^{\prime\prime}}_{1}, 1=\hat{e}(h,g_{O})^{z^{\prime}_{0}}_{1}t^{\prime {\Delta} c^{\prime\prime}}_{2}\\ &&t^{\prime}_{0}={\Delta} z^{\prime 1/{\Delta} c^{\prime\prime}}_{1}h^{z^{\prime}_{0}/{\Delta} c^{\prime\prime}}, t^{\prime}_{1}=\hat{e}(h,U)^{z^{\prime}_{0}/{\Delta} c^{\prime\prime}}, t^{\prime}_{2}=\hat{e}(h,g_{O})^{z^{\prime}_{0}/{\Delta} c^{\prime\prime}}. \end{array} $$

Notice that we have the following:

$$t^{\prime}_{1}=\hat{e}(h,U)^{s^{\prime}_{0}}=\hat{e}(t^{\prime}_{0},U)m^{\prime -1}, t^{\prime}_{1}=\hat{e}(h,U)^{s^{\prime}_{0}}=\hat{e}(t^{\prime}_{0}SK_{OA}^{-1},g_{O}). $$

Let \(\tilde {s^{\prime }_{0}}=-{\Delta } z^{\prime }_{0}/{\Delta } c^{\prime \prime }\). Hence, \(m^{\prime }=\hat {e}(t^{\prime }_{0},U)t^{\prime -1}_{1}=\hat {e}(h^{\tilde {s^{\prime }_{0}}}t^{\prime }_{0},U)\). Since we have \(t^{\prime }_{0}SK_{OA}^{-1}=h^{-\tilde {s^{\prime }_{0}}}\), then \(m^{\prime }=\hat {e}(SK_{OA_{S}},U)\). Therefore, we extract the witness \(SK_{OA_{S}}=t^{\prime }_{0}h^{\tilde {s^{\prime }_{0}}}\). Hence, for a open authority with secret key \(SK_{OA_{S}}\), he can always output a valid proof to the J u d g e if he knows the identity of the sender.

If finally \(\mathcal {A}\) returns a signature with \(ID_{GM_{S}}=ID_{GM_{Sg}}\), then we rewind the simulation to the point where c′ is computed. We get the following: \(g_{4}^{\Delta z_{0}}t_{0}^{\Delta c^{\prime }}=1, {\Delta } z_{1}g_{5}^{\Delta z_{0}}t_{1}^{\Delta c^{\prime }}=1, {\Delta } z_{2}g_{6}^{\Delta z_{0}}t_{2}^{\Delta c^{\prime }}=1,t_{3}^{\Delta z_{4}}t_{5}^{\Delta c^{\prime }}=1, g_{G}^{\Delta z_{6}}U{\Delta } c^{\prime }=1\). Let \(\tilde {s}_{1}=-{\Delta } z_{0}/{\Delta } c^{\prime }, \tilde {ID_{S}}={\Delta } z_{1}^{-1/{\Delta } c^{\prime }}, \tilde {H}={\Delta } z_{2}^{-1/{\Delta } c^{\prime }}=H_{1}(i), \tilde {A^{\prime }}={\Delta } z_{3}^{-1/{\Delta } c^{\prime }}, \tilde {e}=-{\Delta } z_{4}/{\Delta } c^{\prime }, \tilde {s}_{2}=-{\Delta } z_{5}/{\Delta } c^{\prime },d^{\prime }=-{\Delta } z_{6}/{\Delta } c^{\prime }\). We have the following:

$$\begin{array}{@{}rcl@{}} &&\hat{e}(g_{7},g_{G})^{\Delta z_{5}}[\hat{e}(g_{7},S)\hat{e}(g_{6},g_{G})]^{\Delta z_{1}}t_{6}^{\Delta c^{\prime}}=1\\ &&\hat{e}(g_{7},g_{G})^{\tilde{s_{2}}}[\hat{e}(g_{7},S)\hat{e}(g_{6},g_{G})]^{\tilde{s_{1}}}=t_{6}\\ &&=\hat{e}(u,g_{G})^{-1}\hat{e}(t_{2}t_{3},g_{G})\hat{e}(t_{3},S). \end{array} $$

After rearranging, we have the following:

$$\hat{e}(u,g_{G})=\hat{e}(\tilde{A^{\prime}},g_{G})^{\tilde{e}}\hat{e}(\tilde{A^{\prime}},S)\hat{e}(\tilde{H},g_{G})\hat{e}(g_{7},g_{G})^{\tilde{e}\tilde{s_{1}}-\tilde{s_{2}}}. $$

If \(\tilde {e}\tilde {s_{1}}=\tilde {s_{2}}\), then we get a pair of \((\tilde {A^{\prime }},\tilde {e},\tilde {H})\) which satisfy \(\tilde {A^{\prime }}^{\tilde {e}+\lambda }\tilde {H}=u\). Then we have \((\tilde {A^{\prime }},\tilde {e},\lambda )\), where \((i,\lambda )\in \mathcal {L}_{1}\) that solves the k-CAA2 problem. If \(\tilde {e}\tilde {s_{1}}\neq \tilde {s_{2}}\), we have \(\tilde {A^{\prime }}^{\tilde {e}+\lambda }\tilde {H}g_{7}^{\tilde {e}\tilde {s_{1}}-\tilde {s_{2}}} =u\). Then we have \(\lambda ^{*}=\lambda +\mu (\tilde {e}\tilde {s_{1}}-\tilde {s_{2}})\), where \((i,\lambda )\in \mathcal {L}_{1}\) , such that \((\tilde {A^{\prime }},\tilde {e},\lambda ^{*})\) solves the k-CAA2 problem.

Hence, if \(\mathcal {A}\) has a non-negligible advantage ε in winning the game, \(\mathcal {S}\) has advantage ε/q c in solving the k-CAA2 problem. □

5 Conclusion

We formalized a new file sharing scheme for smart cities, referred to as privacy-preserving identity-based file sharing which embraces file confidentiality, file integrity, receiver privacy, and sender privacy. It allows an anonymous sender to share a file with any group member. The receiver of the ciphertext also remains anonymous. Identities of the sender and receiver can be traced if the need arises. We propose a concrete construction of our PIFS scheme and prove the security properties formally. Our scheme has constant complexity in computation and communication.