Computer Communications 32 (2009) 1829–1836

An ID-based group-oriented decryption scheme secure against adaptive chosen-ciphertext attacks ☆

Ting-Yi Chang *
Graduate Institute of e-Learning, National Changhua University of Education, No. 1, Jin-De Road, Changhua City, Taiwan, ROC

Article history: Received 8 August 2008; received in revised form 17 May 2009; accepted 4 July 2009; available online 14 July 2009.

Keywords: ID-based cryptography; Bilinear Diffie–Hellman problem; Group-oriented decryption; Chosen-ciphertext security.

Abstract. ID-based decryption allows a sender to encrypt a message to an identity without access to a public key certificate. This paper proposes an ID-based group-oriented decryption scheme, secure against adaptive chosen-ciphertext attacks, which allows the sender to determine an access structure and generate a valid ciphertext on the chosen message. The correctness of decryption shares can be checked to detect when dishonest users in the access structure provide fake decryption shares. As a result, the message can be cooperatively recovered by users in the determined access structure. The formal proof of security of our scheme is based on the bilinear Diffie–Hellman problem in the random oracle model. Our proposed scheme is more efficient and provides higher security confidence than those in Li et al.'s certificate-based group-oriented decryption scheme.

© 2009 Elsevier B.V. All rights reserved.

☆ This research was partially supported by the National Science Council, Taiwan, ROC, under Contract No. NSC97-2221-E-018-011.
* Fax: +886 4 7211290.
E-mail address: tychang@cc.ncue.edu.tw
doi:10.1016/j.comcom.2009.07.005

1. Introduction

The concept of ID-based cryptosystem was first proposed by Shamir [23] to simplify key management and remove public key certificates. Unlike traditional certificate-based cryptosystems, the public key of a user is derived from his or her identity information (such as e-mail address, social security number, or IP address combined with a user name). The corresponding private key is generated by a trusted third party known as the Private Key Generator (PKG) in the ID-based cryptosystems. For example, in e-mail systems with an ID-based cryptosystem, when Alice sends mail to Bob at Bob@company.com, she can encrypt her message using the public key string "Bob@company.com". That is, Alice does not need to access Bob's public key certificate before using the public key. Obviously, ID-based cryptography significantly reduces system complexity and the cost of establishing and managing a public key authentication framework, known as Public Key Infrastructure (PKI). As a result, some issues of key revocation in ID-based cryptosystems are handled more efficiently and easily than in certificate-based cryptosystems [2,3].

The first practical ID-based cryptosystem was proposed by Boneh and Franklin [2], and was proven to be secure against adaptive chosen-ciphertext attacks in the random oracle model, assuming that the bilinear Diffie–Hellman problem is computationally difficult. Boneh and Franklin applied the padding technique of Fujisaki and Okamoto [15] to achieve chosen-ciphertext security. Many kinds of ID-based cryptography were proposed, such as encryption schemes, signature schemes and key exchange schemes [4,11,12,16,26,27], that use bilinear pairings for different cryptographic functions.

Desmedt [13] first introduced the concept of a group-oriented cryptosystem. A sender encrypts a message to a group, such that the message can be recovered by the authorized subsets of users in the group. The group-oriented concept distributes the power of decryption, as it requires multiple users to cooperatively recover the message. An authorized subset of the group is represented as an access instance $f$. The collection of access instances is called the access structure $F$, which is presented in disjunctive normal form, i.e., $F = f_1 + f_2 + \cdots + f_L$. Let $G = \{u_1, u_2, \ldots, u_l\}$ be the decryption group of users $u_1, u_2, \ldots, u_l$, and let the access instances be $f_1 = u_1 u_2 u_4$, $f_2 = u_3 u_5$, $f_3 = u_7$. The access structure can be represented as $F = u_1 u_2 u_4 + u_3 u_5 + u_7$. The ciphertext can only be decrypted with the cooperation of either $u_1$, $u_2$ and $u_4$; or $u_3$ and $u_5$; or $u_7$ alone. The access structure for $(t, l)$ threshold decryption with the threshold value $t \le l$ can be represented as $F = u_1 u_2 \ldots u_t + u_1 u_2 \ldots u_{t-1} u_{t+1}\, + \cdots + u_{l-t+1} u_{l-t+2} \ldots u_l$. The number of access instances is $L = \frac{l!}{t!\,(l-t)!}$. The sender must comply with each of the different access instances to encrypt the message, so the number of encryptions of one message grows with $L$. Obviously, when the threshold decryption scheme uses the above access structure to encrypt a message, it becomes inefficient [25]. In regular threshold decryption schemes, the sender encrypts the message only by using the group's public key.

An ID-based $(t, l)$ threshold decryption scheme [1,5,20,22] combines ID-based cryptography with $(t, l)$ threshold decryption. A
sender can generate a ciphertext on the chosen message to a group with $l$ users, via the group's public key string. Only $t$ or more participants in the group have the ability to collaboratively recover the message. Schemes in [5,22] satisfy adaptive chosen-ciphertext security, which provides a higher security level than schemes in [1,20], which satisfy chosen-plaintext security.

According to practical business requirements, a contract or message sometimes must be encrypted, and the corresponding ciphertext should be decrypted by more than one specified manager in an enterprise or organization [8]. The major difference between threshold and group-oriented decryption schemes is that in a threshold scheme, a sender does not know with whom the participants can cooperatively recover the message. However, both methods for distributing the power of decryption among multiple users have different applications in many real-life situations.

Lin and Chang [21] realized Desmedt's concept to propose a group-oriented decryption scheme based on the Diffie–Hellman key distribution [14]. Later, Tsai et al. [24] proposed a more efficient scheme than Lin and Chang's scheme, which is also based on the Diffie–Hellman key distribution. Yang et al. [25] proposed a new scheme to further reduce the computational complexity on the sender's side. Yang et al.'s scheme has better performance than previously proposed schemes [6,7,21,24]. Recently, Li et al. [18] showed that if the authorized access instances of users are not properly predetermined in Yang et al.'s scheme, an unauthorized access instance of users can recover the message. They also repaired the security flaw by replacing a modular multiplication operation used in generating the ciphertext with an XOR operation in Yang et al.'s scheme. Because the XOR operation has a low computational cost, Li et al.'s improvement is still more efficient than those schemes [6,7,21,24].

So far, those group-oriented decryption schemes [6,7,18,21,24,25] are based on a certificate-based PKI. In certificate-based public key cryptographic systems, a user should obtain a certificate of a long-lived public key from the Certification Authority (CA) and verify it before a user's public key is utilized. Therefore, those certificate-based group-oriented decryption schemes lead to the problems of certificate management, including revocation, storage, distribution and the computation cost of certificate verification. On the other hand, those group-oriented decryption schemes face only a passive attacker and have no formal proofs. Such an attacker may break those cryptosystems only in the "all-or-nothing sense". That is, for a given ciphertext output from a given encryption algorithm, the attacker either succeeds by obtaining the whole plaintext or fails with nothing. In reality, attackers are likely active, so that they may modify a ciphertext in some unspecified ways and send it to an unwitting access instance. Thus, adaptive chosen-ciphertext security is necessary for real applications. Those schemes also cannot detect fake decryption shares given by dishonest users during the decryption phase.

This paper proposes an ID-based group-oriented decryption scheme. A sender can determine an access structure, and then encrypt a message according to the access instances by "adding" the users' public keys. Just like other ID-based systems, the public key is obtained by feeding a hash function with the identity. The correctness of decryption shares can be checked to indicate which dishonest users in the access structure provided fake decryption shares. Then, the users in an access instance of the access structure can cooperatively recover the message. The proposed scheme is secure against adaptive chosen-ciphertext attacks in the random oracle model, assuming the hardness of the bilinear Diffie–Hellman problem, and uses the technique from provable security [2] to analyze its security. Compared with the most efficient certificate-based group-oriented decryption scheme, that of Li et al., our scheme is more efficient and provides higher security confidence.

The remainder of this paper is organized as follows. In Section 2, bilinear maps with certain properties are reviewed. Then, we give the bilinear Diffie–Hellman problem and its variation, on which our scheme is based. The proposed ID-based group-oriented decryption scheme is presented in Section 3. Section 4 defines the security model and analyzes the security of the proposed scheme. Section 5 compares the computational complexity performance of the proposed scheme with Li et al.'s scheme. Section 6 shows a practical application of combining ID-based group-oriented decryption and threshold decryption schemes. Finally, conclusions are presented.

2. Preliminaries

2.1. Admissible bilinear pairings

Let $G_1$ be a cyclic additive group and $G_2$ be a cyclic multiplicative group of the same order $q$ for some large prime $q$. An admissible bilinear pairing is a map $\hat e : G_1 \times G_1 \to G_2$, which satisfies the following properties:

• Bilinear: A map $\hat e : G_1 \times G_1 \to G_2$ is bilinear if $\hat e(aP, bQ) = \hat e(P, Q)^{ab}$ for all $P, Q \in G_1$ and $a, b \in \mathbb{Z}_q$. This can also be stated as $\hat e(P + Q, T) = \hat e(P, T)\,\hat e(Q, T)$ and $\hat e(P, Q + T) = \hat e(P, Q)\,\hat e(P, T)$ for all $P, Q, T \in G_1$.
• Non-degenerate: There exist $P, Q \in G_1$ such that $\hat e(P, Q) \ne 1$.
• Computable: There is an efficient algorithm to compute $\hat e(P, Q)$ for all $P, Q \in G_1$.

2.2. Bilinear Diffie–Hellman assumption

The security of our scheme relies on the hardness of the following problems.

Bilinear Diffie–Hellman parameter generator $\mathcal{G}$: A randomized algorithm $\mathcal{G}$ is a bilinear Diffie–Hellman parameter generator if (1) $\mathcal{G}$ takes a security parameter $\kappa \in \mathbb{Z}^+$, (2) $\mathcal{G}$ runs in polynomial time in $\kappa$, and (3) $\mathcal{G}$ outputs a $\kappa$-bit prime number $q$, the description of groups $G_1, G_2$ of order $q$, and the description of an admissible bilinear map $\hat e : G_1 \times G_1 \to G_2$. The output of $\mathcal{G}$ is denoted as $\mathcal{G}(1^\kappa) = \langle q, G_1, G_2, \hat e \rangle$.

Bilinear Diffie–Hellman problem (BDH): Let $\mathcal{G}$ be a bilinear Diffie–Hellman parameter generator that generates $\langle q, G_1, G_2, \hat e \rangle$. An algorithm $\mathcal{A}$ has advantage $\varepsilon(\kappa)$ in solving the BDH problem for $\mathcal{G}$ and a random generator $P$ of $G_1$ if for sufficiently large $\kappa$:
$$\mathrm{Adv}_{\mathcal{G},\mathcal{A}}(\kappa) = \Pr\big[\mathcal{A}(q, G_1, G_2, \hat e, P, aP, bP, cP) = \hat e(P, P)^{abc}\big] \ge \varepsilon(\kappa),$$
where the probability is over the random choice of $a, b, c \in \mathbb{Z}_q$, $P \in G_1$, and the random bits of $\mathcal{A}$. We say that $\mathcal{G}$ satisfies the BDH assumption if there is no randomized algorithm $\mathcal{A}$ that can solve the BDH problem with a non-negligible advantage $\varepsilon(\kappa)$.

Here, we introduce a variant of the BDH problem, called the VBDH problem. It is used in the security proof and is proven to be equivalent to the BDH problem.

Variant bilinear Diffie–Hellman problem (VBDH): Let $\mathcal{G}$ be a bilinear Diffie–Hellman parameter generator that generates $\langle q, G_1, G_2, \hat e \rangle$. An algorithm $\mathcal{A}$ has advantage $\varepsilon(\kappa)$ in solving the VBDH problem for $\mathcal{G}$ and a random generator $P$ of $G_1$ if for sufficiently large $\kappa$:
$$\mathrm{Adv}_{\mathcal{G},\mathcal{A}}(\kappa) = \Pr\big[\mathcal{A}(q, G_1, G_2, \hat e, P, aP, b_1 P, b_2 P, \ldots, b_l P, cP) = \hat e(P, P)^{a(b_1 + b_2 + \cdots + b_l)c}\big] \ge \varepsilon(\kappa),$$
where the probability is over the random choice of $a, b_1, b_2, \ldots, b_l, c \in \mathbb{Z}_q$, $P \in G_1$, and the random bits of $\mathcal{A}$. We say that $\mathcal{G}$ satisfies the VBDH assumption if there is no randomized algorithm $\mathcal{A}$ that can solve the VBDH problem with a non-negligible advantage
$\varepsilon(\kappa)$. Obviously, when $l = 1$, the VBDH problem is equal to the BDH problem.

3. ID-based group-oriented decryption scheme

The notation $G = \{u_1, u_2, \ldots, u_l\}$ is defined as the decryption group of $l$ users. Each user $u_i$ has an unambiguous identity $ID_i$, which is the public key string. PKG is responsible for generating the corresponding private key and sending it to a user in group $G$ via a secure channel. The IDGODec scheme is composed of seven algorithms: Setup, Extract, Encrypt, Ciphertext-Verify, Decryption-Share, Decryption-Share-Verify, Combine-Decrypt. Let $\kappa$ be a security parameter and $\mathcal{G}$ be a BDH parameter generator.

(1) System setup: PKG initializes the system parameters through the algorithm Setup$(1^\kappa)$.
   (1) Run $\mathcal{G}$ on input $\kappa$ to generate a prime $q$, two groups $G_1$ and $G_2$ of order $q$, and an admissible bilinear map $\hat e : G_1 \times G_1 \to G_2$. Choose a random generator $P \in G_1$.
   (2) Pick a master-key $s \in \mathbb{Z}_q$ at random and set
   $$P_{pub} = sP. \qquad (1)$$
   (3) Choose five cryptographic hash functions:
   $H_1 : \{0,1\}^* \to G_1$,
   $H_2 : G_2 \to \{0,1\}^n$,
   $H_3 : G_1 \times G_1 \times G_1 \to G_1$,
   $H_4 : G_1 \times G_1 \times G_1 \to \mathbb{Z}_q$,
   $H_5 : G_2 \times G_2 \times G_2 \times G_2 \to \mathbb{Z}_q$.
The message space is $\mathcal{M} = \{0,1\}^n$. The ciphertext space is $\mathcal{C} = G_1 \times \{0,1\}^n \times G_1 \times \mathbb{Z}_q \times \mathbb{Z}_q$. The system parameters are params $= \langle q, G_1, G_2, \hat e, n, P, P_{pub}, H_1, H_2, H_3, H_4, H_5 \rangle$.

(2) Key generation: PKG generates a private key and the corresponding verify key for each user. For a given string $ID_i \in \{0,1\}^*$, the PKG performs the algorithm Extract$(ID_i, s, \text{params})$ as follows:
   (1) Compute $Q_{ID_i} = H_1(ID_i) \in G_1$.
   (2) Set the private key
   $$d_{ID_i} = s\,Q_{ID_i}. \qquad (2)$$
   (3) Compute and publish $v_i = \hat e(d_{ID_i}, P)$, which is called the verify key. It is used for verifying the decryption share in the Decryption-Share-Verify algorithm.

(3) Encryption: According to the decryption group, one determines an access instance $f$; without loss of generality, assume that $F = f = u_1 u_2 \cdots u_l$. That is, all users in the decryption group must cooperate to recover the message. To encrypt $M \in \mathcal{M}$ under the public keys $\{ID_i\} \in f$ (here we simplify the notation, which means the set of identities of the users who are in the access instance $f$), the algorithm Encrypt$(f, M, \text{params})$ performs the following:
   (1) Compute $Q_{ID_i} = H_1(ID_i)$ where $ID_i \in f$.
   (2) Pick two random numbers $r, t \in \mathbb{Z}_q$.
   (3) Set the ciphertext $C = \langle U, V, \bar U, h, k \rangle \in \mathcal{C}$ to be
   $$U = rP, \qquad (3)$$
   $$V = M \oplus H_2\Big(\hat e\Big(\sum_{ID_i \in f} Q_{ID_i},\, P_{pub}\Big)^r\Big), \qquad (4)$$
   $$W = tP,$$
   $$\bar P = H_3(U, V, W),$$
   $$\bar U = r\bar P,$$
   $$\bar W = t\bar P,$$
   $$h = H_4(\bar P, \bar U, \bar W),$$
   $$k = t + hr.$$
This is a well-known non-interactive zero-knowledge proof of membership, which makes the ciphertext publicly checkable.

(4) Ciphertext validity verification: A designated clerk is responsible for verifying the ciphertext. There is no secret value kept by the clerk, so the clerk can be a general computer [8–10,19]. The ciphertext can be checked by the algorithm Ciphertext-Verify$(C, \text{params})$:
$$h \overset{?}{=} H_4(\bar P, \bar U, \bar W),$$
where $W = kP - hU$, $\bar P = H_3(U, V, W)$, $\bar W = k\bar P - h\bar U$. If the equation does not hold, then output "invalid-ciphertext".

(5) Decryption share generation: The user with $ID_i$ computes a decryption share $d_i$ of the ciphertext $C$ using its private key $d_{ID_i}$ and verify key $v_i$ through the algorithm Decryption-Share$(C, d_{ID_i}, v_i, \text{params})$.
   (1) Compute $\tilde v_i = \hat e(d_{ID_i}, U)$.
   (2) Choose a random point $T_i \in G_1$ and compute
   $$R_i = \hat e(T_i, P),$$
   $$\bar R_i = \hat e(T_i, U),$$
   $$\tilde h_i = H_5(\tilde v_i, v_i, R_i, \bar R_i),$$
   $$\tilde K_i = T_i + \tilde h_i\, d_{ID_i}.$$
   (3) Output a decryption share $d_i = \{\tilde v_i, \tilde h_i, \tilde K_i\}$.
A non-interactive zero-knowledge proof is also used in Decryption-Share to generate the decryption share, to prove that the bilinear map value $\tilde v_i = \hat e(d_{ID_i}, U)$ is indeed constructed from $d_{ID_i}$.

(6) Decryption share validity verification: The clerk checks the validity of $d_i$ by the algorithm Decryption-Share-Verify$(d_i, v_i, \text{params})$:
$$\tilde h_i \overset{?}{=} H_5(\tilde v_i, v_i, R_i, \bar R_i),$$
where $R_i = \hat e(\tilde K_i, P) / v_i^{\tilde h_i}$ and $\bar R_i = \hat e(\tilde K_i, U) / \tilde v_i^{\tilde h_i}$. If $d_i$ cannot pass the equation, then output $(ID_i, \text{"invalid-share"})$.

(7) Decryption: If the ciphertext $C$ and the decryption shares $\{d_i\} \in f$ are valid, then the user can combine those decryption shares to recover the message by the algorithm Combine-Decrypt$(C, \{d_i\} \in f, \text{params})$:
$$M = V \oplus H_2\Big(\prod_{ID_i \in f} \tilde v_i\Big). \qquad (5)$$

The following theorem shows that the users in the access instance $f$ can cooperate to recover the message $M$.

Theorem 1. The message $M$ encrypted in Eqs. (3) and (4) can be decrypted by Eq. (5).

Proof. From Eq. (4), we have:
$$V = M \oplus H_2\Big(\hat e\Big(\sum_{ID_i \in f} Q_{ID_i},\, P_{pub}\Big)^r\Big)$$
$$= M \oplus H_2\Big(\hat e\Big(\sum_{ID_i \in f} Q_{ID_i},\, sP\Big)^r\Big), \quad \text{by Eq. (1)}$$
$$= M \oplus H_2\Big(\hat e\Big(\sum_{ID_i \in f} d_{ID_i},\, P\Big)^r\Big), \quad \text{by Eq. (2)}$$
$$= M \oplus H_2\Big(\hat e\Big(\sum_{ID_i \in f} d_{ID_i},\, U\Big)\Big), \quad \text{by Eq. (3)}$$
$$= M \oplus H_2\Big(\prod_{ID_i \in f} \hat e(d_{ID_i}, U)\Big)$$
$$= M \oplus H_2\Big(\prod_{ID_i \in f} \tilde v_i\Big).$$
The above equality can be further rewritten as
$$M = V \oplus H_2\Big(\prod_{ID_i \in f} \tilde v_i\Big),$$
which leads to Eq. (5). □

4. Security analysis

4.1. Security model

In this section, the security model is defined. Boneh and Franklin [2] strengthened IND-CCA to deal with an adversary who possesses private keys corresponding to identities of its choice, and attacks an identity in an ID-based encryption scheme. We refer to this notion, in our ID-based group-oriented decryption scheme, as selective-identity chosen-ciphertext security of a group-oriented decryption scheme (IND-IDGO-CCA). To define the notion, let us consider the game in the following definition.

Definition 1. An ID-based group-oriented decryption (IDGODec) scheme with $l$ users in an access instance $f = u_1 u_2 \cdots u_l$ is secure against IND-IDGO-CCA if no polynomially bounded adversary $\mathcal{A}$ has non-negligible advantage in the following game.

Init phase: $\mathcal{A}$ outputs a target access instance $f^*$ it wants to attack.

Setup phase: The challenger runs the Setup algorithm, gives the resulting common parameters params to $\mathcal{A}$ and keeps the master-key secret.

Cryptanalysis training phase 1: $\mathcal{A}$ adaptively issues a number of private key and verify key extraction queries, and decryption queries.
• Private key and verify key extraction query: Given an identity $ID_i \notin f^*$, the challenger runs the Extract algorithm to return the private key and verify key.
• Decryption query: Given a ciphertext under an access instance, the challenger runs the Decryption-Share algorithm to generate decryption shares and gives them to $\mathcal{A}$. They are then fed together into the Combine-Decrypt algorithm to output the corresponding plaintext to $\mathcal{A}$.

Challenge phase: Once $\mathcal{A}$ decides that cryptanalysis training phase 1 is over, it outputs two equal-length plaintexts $(M_0, M_1)$ on which it wishes to be challenged. The challenger responds with an IDGODec ciphertext $C^* = \langle U^*, V^*, \bar U^*, h^*, k^* \rangle \in \mathcal{C}$ such that $C^*$ is the encryption of $M_\theta$ under $f^*$ for a random $\theta \in \{0, 1\}$.

Cryptanalysis training phase 2: $\mathcal{A}$ adaptively issues a number of private key and verify key extraction queries, and decryption queries as in cryptanalysis training phase 1, except for decryption queries on $C^*$.

Guess phase: Eventually $\mathcal{A}$ outputs a guess $\theta'$ for $\theta$. $\mathcal{A}$ wins the game if $\theta' = \theta$.

Such an adversary $\mathcal{A}$ is called an IND-IDGO-CCA adversary. The advantage of $\mathcal{A}$ in attacking IDGODec is defined as:
$$\mathrm{Adv}^{\text{IND-IDGO-CCA}}_{\text{IDGODec},\mathcal{A}} = \Big|\Pr[\theta' = \theta] - \tfrac{1}{2}\Big|,$$
where the probability is taken over the random bits used by $\mathcal{A}$ and the challenger.

Theorem 2. In the random oracle model, the IDGODec with $l$ users in an access instance $f = u_1 u_2 \cdots u_l$ is IND-IDGO-CCA secure assuming BDH is hard in groups generated by $\mathcal{G}$. Concretely, suppose there is an IND-IDGO-CCA adversary $\mathcal{A}$ that has advantage $\varepsilon(\kappa)$ against the IDGODec with $l$ users in $f$, and $\mathcal{A}$ makes at most $q_E > 0$ private key and verify key extraction queries and $q_{H_2} > 0$ hash queries to $H_2$. Then there is an algorithm $\mathcal{B}$ that solves BDH in groups generated by $\mathcal{G}$ with advantage at least:
$$\mathrm{Adv}_{\mathcal{G},\mathcal{B}}(\kappa) \ge \frac{2\varepsilon(\kappa)}{e\,(q_E + l)\,q_{H_2}},$$
where $e \approx 2.71$ is the base of the natural logarithm. The running time of $\mathcal{B}$ is $O(\text{time}(\mathcal{A}))$.

To prove the main Theorem 2, a related non-identity-based group-oriented decryption scheme is defined, called BasicGODec. BasicGODec is described by five algorithms: Setup, Extract, Encrypt, Decryption-Share, Combine-Decrypt.

(1) System setup: PKG initializes the system parameters through the algorithm Setup$(1^\kappa)$.
   (1) Run $\mathcal{G}$ on input $\kappa$ to generate a prime $q$, two groups $G_1$ and $G_2$ of order $q$, and an admissible bilinear map $\hat e : G_1 \times G_1 \to G_2$. Choose a random generator $P \in G_1$.
   (2) Pick a master-key $s \in \mathbb{Z}_q$ at random and set $P_{pub} = sP$.
   (3) Choose a cryptographic hash function $H_2 : G_2 \to \{0,1\}^n$.
   (4) The system parameters are params $= \langle q, G_1, G_2, \hat e, n, P, P_{pub}, H_2 \rangle$.

(2) Key generation: PKG generates a private key by the algorithm Extract$(u_i, s, \text{params})$. In non-identity-based systems, the public key should be generated by the PKG. Afterward, a CA issues its public key certificate. Assume that the public keys generated in this algorithm have been certified by a CA.
   (1) Pick a random $Q_{ID_i} \in G_1$ as the public key for the user $u_i$.
   (2) Compute $d_{ID_i} = s\,Q_{ID_i} \in G_1$ as the corresponding private key and then transfer it to the user $u_i$ via a secure channel.

(3) Encryption: To encrypt $M \in \mathcal{M}$ under the public keys $\{Q_{ID_i}\} \in f$ in the algorithm Encrypt$(f, M, \text{params})$, one chooses a random $r \in \mathbb{Z}_q$ and sets the ciphertext
$$C = \langle U, V \rangle = \Big\langle rP,\; M \oplus H_2\Big(\hat e\Big(\sum_{Q_{ID_i} \in f} Q_{ID_i},\, P_{pub}\Big)^r\Big)\Big\rangle.$$

(4) Decryption share generation: Compute the decryption share $d_i = \hat e(d_{ID_i}, U)$ by the algorithm Decryption-Share$(C, d_{ID_i}, \text{params})$.

(5) Decryption: Combine $\{d_i\} \in f$ to recover $M = V \oplus H_2\big(\prod_{d_i \in f} d_i\big)$ by the algorithm Combine-Decrypt$(C, \{d_i\} \in f, \text{params})$.

Definition 2. A non-identity-based group-oriented decryption (BasicGODec) scheme with $l$ users in an access instance $f = u_1 u_2 \cdots u_l$ is secure against chosen-plaintext attack (denoted as IND-GO-CPA) if no polynomially bounded adversary $\mathcal{A}$ has non-negligible advantage in the following game.

Setup phase: The challenger runs the Setup algorithm, gives the resulting common parameters params to $\mathcal{A}$ and keeps the master-key secret.
Public key extraction query: At any time $\mathcal{A}$ adaptively issues a number of public key extraction queries, and the challenger returns the associated public keys. It seems that this query is unnecessary, since anyone can obtain the public keys published and certified by a CA. However, by using this query in BasicGODec, it can easily be shown that an IND-GO-CCA attack on IDGODec can be converted to an IND-GO-CPA attack on BasicGODec. This query does not help the adversary in attacking BasicGODec, since it only assumes that everyone has a public key.

Challenge phase: $\mathcal{A}$ outputs two equal-length plaintexts $(M_0, M_1)$ on which it wishes to be challenged. The challenger responds with a BasicGODec ciphertext $C^\dagger = \langle U^\dagger, V^\dagger \rangle$ such that $C^\dagger$ is the encryption of $M_\theta$ under $f^\dagger$ for a random $\theta \in \{0, 1\}$.

Guess phase: Eventually $\mathcal{A}$ outputs a guess $\theta^\dagger$ for $\theta$. $\mathcal{A}$ wins the game if $\theta^\dagger = \theta$.

Such an adversary $\mathcal{A}$ is called an IND-GO-CPA adversary. The advantage of $\mathcal{A}$ in attacking BasicGODec is defined as:
$$\mathrm{Adv}^{\text{IND-GO-CPA}}_{\text{BasicGODec},\mathcal{A}} = \Big|\Pr[\theta^\dagger = \theta] - \tfrac{1}{2}\Big|,$$
where the probability is taken over the random bits used by $\mathcal{A}$ and the challenger.

Now, Theorem 2 is proven through the following lemmas. Lemma 4.1 shows that an IND-GO-CCA attack on IDGODec can be converted to an IND-GO-CPA attack on BasicGODec. The result implies that private key and verify key queries, and decryption queries, do not help the adversary. Lemma 4.2 shows that BasicGODec is IND-GO-CPA secure if the VBDH assumption holds. Finally, Lemma 4.3 shows that the VBDH problem is at least as difficult as the BDH problem.

Lemma 4.1. Let $H_1, H_2, H_3, H_4$ be random oracles. Let $\mathcal{A}$ be an IND-GO-CCA adversary that has advantage $\varepsilon(\kappa)$ against IDGODec with $l$ users in an access instance $f = u_1 u_2 \cdots u_l$. Suppose $\mathcal{A}$ makes at most $q_E$ private key and verify key extraction queries. Then there is an IND-GO-CPA adversary $\mathcal{B}_1$ that has advantage $\varepsilon_1(\kappa)$ at least $\varepsilon(\kappa)/e(q_E + l)$ against BasicGODec with $l$ users in an access instance $f = u_1 u_2 \cdots u_l$, with a running time $O(\text{time}(\mathcal{A}))$.

Lemma 4.2. Let $H_2$ be a random oracle from $G_2$ to $\{0,1\}^n$. Let $\mathcal{B}_1$ be an IND-GO-CPA adversary that has advantage $\varepsilon_1(\kappa)$ in attacking BasicGODec for an access instance $f = u_1 u_2 \cdots u_l$. Suppose $\mathcal{B}_1$ makes a total of $q_{H_2} > 0$ queries to $H_2$. Then there is an algorithm $\mathcal{B}_2$ that solves the VBDH problem for $\mathcal{G}$ with an advantage $\varepsilon_2(\kappa)$ at least $2\varepsilon_1(\kappa)/q_{H_2}$ and a running time $O(\text{time}(\mathcal{B}_1))$.

The proofs of Lemmas 4.1 and 4.2 appear in Appendix A.1. To complete the proof of Theorem 2, we must show that the VBDH problem is at least as difficult as the BDH problem. The following lemma shows that the reduction holds.

Lemma 4.3. Let $\mathcal{B}_2$ be an algorithm that has advantage $\varepsilon_2(\kappa)$ in solving the VBDH problem for $\mathcal{G}$. Then there is an algorithm $\mathcal{B}$ that solves the BDH problem for $\mathcal{G}$ with advantage $\varepsilon(\kappa) = \varepsilon_2(\kappa)$.

Proof. $\mathcal{B}$ is given as input the BDH parameters $\langle q, G_1, G_2, \hat e \rangle$ generated by $\mathcal{G}$ and a random instance $\langle P, aP, bP, cP \rangle = \langle P, P_1, P_2, P_3 \rangle$ of the BDH problem for these parameters, where $P$ is random in $G_1$ and $a, b, c$ are random in $\mathbb{Z}_q$, $q$ being the order of $G_1, G_2$. $\mathcal{B}$ finds the solution $E = \hat e(P, P)^{abc}$ by using $\mathcal{B}_2$ as a subroutine as follows. $\mathcal{B}$ chooses $b_2, b_3, \ldots, b_l \in \mathbb{Z}_q$ at random and gives $(q, G_1, G_2, \hat e, P, P_1, P_2, b_2 P, b_3 P, \ldots, b_l P, P_3)$ as input to $\mathcal{B}_2$. Eventually, $\mathcal{B}_2$ outputs $D = \hat e(P, P)^{a(b + b_2 + b_3 + \cdots + b_l)c}$. $\mathcal{B}$ computes $E = D / \hat e(P_1, P_3)^{b_2 + b_3 + \cdots + b_l}$ as the solution to the given instance of BDH. It follows that $\mathcal{B}$ produces the correct answer with advantage $\varepsilon(\kappa) = \varepsilon_2(\kappa)$. It is simple to prove the reduction from the VBDH problem to the BDH problem as well, which results in the equivalence of the two problems. □

Theorem 2 follows directly from Lemmas 4.1, 4.2 and 4.3. Putting together all the bounds shown above, an IND-ID-CCA adversary with advantage $\varepsilon(\kappa)$ on IDGODec with $l$ users in an access instance gives a BDH attacker for $\mathcal{G}$ with advantage at least $2\varepsilon(\kappa)/e(q_E + l)$, as required.

Lemma 4.3 would be unnecessary if we could directly show the reduction from a BDH attacker for $\mathcal{G}$ to an IND-ID-CCA adversary on IDGODec with $l$ users in an access instance. Concretely, we could offer the adversary the opportunity to corrupt $l - 1$ out of $l$ users in the games of Definitions 1 and 2. That method results in a more succinct reduction. However, the proof procedure in this paper is organized according to our intuitive idea. The reduction is still tight, since Lemma 4.3 shows that the BDH problem and the VBDH problem are equivalent.

5. Performance evaluation

As far as we know, our scheme is the first ID-based group-oriented decryption scheme. Here, we compare our scheme to the most efficient certificate-based group-oriented decryption scheme, that of Li et al. [18], which is also based on the ElGamal cryptosystem. To evaluate computational complexity, the following notations are used:

$T_P$: the time for computing one pairing operation.
$T_H$: the time for mapping an identity to an element in $G_1$ (map-to-point operation).
$T_M$: the time for computing one ordinary scalar multiplication in $G_1$.
$T_E$: the time for computing one exponentiation operation in $G_2$.
$T_A$: the time for computing a point addition in $G_1$.
$T_{SIG}$: the time for producing a public key certificate.
$T_{VER}$: the time for verifying a certificate.
$T_{KEY}$: the time for generating a public/private key pair in the PKI.
$T_{EXP}$: the time for computing one modular exponentiation.
$T_{MUL}$: the time for computing one modular multiplication.

To compare at approximately the same security level as a standard 1024-bit ElGamal cryptosystem in Li et al.'s certificate-based group-oriented decryption scheme, the two groups $G_1$ and $G_2$ in the proposed ID-based group-oriented decryption scheme should have an order $q$ that is a 160-bit prime. According to the paper [17], the time complexities $T_{EXP}$, $T_{MUL}$ and $T_M$ have the following relationships: $T_{EXP} \approx 240\,T_{MUL}$ and $T_M \approx 29\,T_{MUL}$. We take the time costs of pairing operations from the experiment in [27], which took place on a desktop with an Intel P4 2.4 GHz processor and 1 GB memory. The time complexities $T_P$, $T_H$, $T_E$ and $T_M$ have the following relationships: $T_P \approx 3.34\,T_M$, $T_H \approx 1.27\,T_M$, and $T_E \approx 0.73\,T_M$. Summarizing the above time complexities and converting them into the same unit $T_{MUL}$, we have: $T_{EXP} \approx 240\,T_{MUL}$, $T_M \approx 29\,T_{MUL}$, $T_P \approx 97\,T_{MUL}$, $T_H \approx 37\,T_{MUL}$, and $T_E \approx 21\,T_{MUL}$. $T_{SIG}$ and $T_{VER}$ each require at least $1\,T_{EXP}$ in Li et al.'s certificate-based scheme. We ignore the time taken by modular inversion operations, XOR operations, and conventional hash operations ($H_2$, $H_3$, $H_4$, and $H_5$) in Table 1, as they are much more efficient compared with pairings, scalar multiplications, and map-to-point hash operations. Note that $T_H$ requires at least one quadratic or cubic equation over a finite field to be solved [4]. Though the time taken by point addition operations $T_A$ is negligible compared to other operations, the algorithm Combine-Decrypt in our scheme requires only this operation. Therefore, $T_A$ will be counted in Table 1.

Assume that all verifiers in an access instance $f = u_1 u_2 \cdots u_l$ must cooperatively decrypt the ciphertext, which is the worst-case scenario of an access instance for generating a group-oriented ciphertext by the sender. As shown in Table 1, since the operations $T_P$, $T_H$, and $T_E$ in bilinear pairings are very light operations compared to $T_{EXP}$, our scheme performs better than Li et al.'s scheme from the
1834 T.-Y. Chang / Computer Communications 32 (2009) 1829–1836

view of CA/PKG, the sender and a user in $f$. Furthermore, by taking advantage of ID-based cryptographic systems, the proposed scheme simplifies the key management procedures of Li et al.'s certificate-based public key setting. In their scheme, the CA requires $lT_{KEY}$ and $lT_{SIG}$ to generate the public keys and their corresponding certificates for $l$ users, respectively. Note that $T_{KEY}$ is much larger than $T_{EXP}$.

Table 1
Computational costs for the proposed scheme and Li et al.'s scheme.

| | Our proposed scheme | Li et al.'s scheme |
|---|---|---|
| Security level | IND-GO-CCA | All-or-nothing |
| Security property | Formal proof | No formal proof |
| Setup | PKG: $lT_M \approx l \cdot 29\,T_{MUL}$ | CA: $l(T_{KEY} + T_{SIG}) > l(T_{EXP} + T_{SIG}) \approx l \cdot 480\,T_{MUL}$ |
| Extract | PKG: $l(T_H + T_M) \approx l \cdot 66\,T_{MUL}$ | – |
| Encrypt | Sender: $lT_H + 4T_M + lT_A + T_P + T_E \approx (l \cdot 37 + 234)\,T_{MUL} + lT_A$ | Sender: $lT_{VER} + 2T_{EXP} + lT_{MUL} \approx (l \cdot 241 + 480)\,T_{MUL}$ |
| Ciphertext-Verify | Clerk: $4T_M \approx 116\,T_{MUL}$ | – |
| Decryption-Share | User in $f$: $3T_P \approx 291\,T_{MUL}$ | User in $f$: $1T_{EXP} \approx 240\,T_{MUL}$ |
| Decryption-Share-Verify | Clerk: $l \cdot 2(T_P + T_E) \approx l \cdot 236\,T_{MUL}$ | – |
| Combine-Decrypt | User in $f$: $lT_A$ | User in $f$: $lT_{MUL}$ |
| Total | PKG: $l \cdot 95\,T_{MUL}$; Sender: $(l \cdot 37 + 234)\,T_{MUL} + lT_A$; User in $f$: $291\,T_{MUL} + lT_A$; Clerk: $(l \cdot 236 + 116)\,T_{MUL}$ | CA: $l \cdot 480\,T_{MUL}$; Sender: $(l \cdot 241 + 480)\,T_{MUL}$; User in $f$: $(l + 240)\,T_{MUL}$ |

The proposed scheme is demonstrated to be secure against adaptive chosen-ciphertext attacks, which provides higher security confidence than the "all-or-nothing" sense of security in Li et al.'s scheme. In our scheme, the clerk in algorithm Ciphertext-Verify spends $116\,T_{MUL}$ to check the correctness of the ciphertext. To prevent dishonest users in the access instance $f$ from providing fake decryption shares, the clerk can use the algorithm Decrypt-Share-Verify to check the correctness of the $l$ decryption shares, which costs $l \cdot 236\,T_{MUL}$. The clerk may be seen as a trade-off between efficiency and security.

6. Discussions and conclusions

As shown in [25], when the IDGODec scheme is converted to an ID-based $(t, l)$ threshold decryption scheme by determining the access structure $F = u_1 u_2 \cdots u_t + u_1 u_2 \cdots u_{t-1} u_{t+1} + \cdots + u_{l-t+1} u_{l-t+2} \cdots u_l$, it becomes inefficient in terms of computational complexity and ciphertext expansion. In the regular ID-based threshold decryption schemes [1,5,20,22] (called IDTHDec), the sender only encrypts the message under the group's public key string and need not know the public key strings of the users in the group.

Let us consider a practical application that combines the IDTHDec and IDGODec schemes. A sender wants to encrypt a document to a group with threshold $t$, and he wants to ensure that a manager $u_M$ participates in the decryption process. Assume that the group's public key string and the manager's public key string are $ID_G = $ Group@company.com and $ID_M = $ manager@company.com, respectively. This can be constructed by setting up an IDTHDec system for the group. The sender determines an access instance consisting of the group and the manager, and runs the IDGODec Encrypt algorithm, so that the message is encrypted with the addition of public keys $Q_{ID_G} + Q_{ID_M}$, where $Q_{ID_G} = H_1(ID_G)$ and $Q_{ID_M} = H_1(ID_M)$. Two decryption shares can be constructed separately: one by $t$ or more users in the group and one derived from the manager. Finally, the message can be recovered by combining the two visible decryption shares.

In this paper, we have proposed an ID-based group-oriented decryption scheme. Based on the BDH problem, this study demonstrated that the proposed scheme is provably secure against adaptive chosen-ciphertext attacks in the random oracle model. Compared with Li et al.'s certificate-based group-oriented decryption scheme, the proposed scheme is more efficient and provides higher security confidence. Applying the concept of ID-based group-oriented decryption, we can simply and efficiently combine it with an ID-based threshold decryption scheme in the situation described above.

Appendix A

A.1. Proof of Lemma 4.1

Proof. We construct an IND-GO-CPA adversary $\mathcal{B}_1$ that uses $\mathcal{A}$ as a subroutine and simulates $\mathcal{A}$'s challenger to gain advantage $\epsilon(\kappa)/e(q_E + l)$ against BasicGODec. Here, $\mathcal{B}_1$'s challenger and $\mathcal{A}$'s challenger are denoted as $\mathcal{B}_1^C$ and $\mathcal{A}^C$, respectively.

Init phase: $\mathcal{B}_1$ sets the same target access instance $f^\dagger = f^*$ as $\mathcal{A}$'s choice.

Setup phase: $\mathcal{B}_1$ starts with $\mathcal{B}_1^C$ and then receives the BasicGODec params $= \langle q, G_1, G_2, \hat{e}, n, P, P_{pub}, H_2 \rangle$. $\mathcal{B}_1$ simulates $\mathcal{A}^C$ to give the IDGODec params $= \langle q, G_1, G_2, \hat{e}, n, P, P_{pub}, H_1, H_2, H_3, H_4, H_5 \rangle$, where $q, G_1, G_2, \hat{e}, n, P, P_{pub}$ are taken from the BasicGODec params, $H_5$ is a one-way hash function, and $H_1, H_2, H_3, H_4$ are controlled by $\mathcal{B}_1$. In the random oracle model, $\mathcal{B}_1$ maintains a list $H^{\mathrm{list}}$ for each oracle $H$, which is initially empty. At any time $\mathcal{A}$ can query the random oracle. When $\mathcal{A}$ issues a query to $H$, $\mathcal{B}_1$ returns the same output for identical inputs by checking the list $H^{\mathrm{list}}$ before creating a new output. In the following hash queries, we omit this description of the random oracles.

• $H_1$-queries: To respond to these queries, $\mathcal{B}_1$ maintains a list $H_1^{\mathrm{list}}$ of tuples $\langle ID_i, c_i, \cdot, Q_i \rangle$. When $\mathcal{A}$ queries the oracle $H_1$ at a distinct point $ID_i$, $\mathcal{B}_1$ responds as follows:
  1. $\mathcal{B}_1$ generates a random $c_i \in \{0, 1\}$ so that $\Pr[c_i = 0] = \rho$ for some $\rho$ that will be analyzed and determined later.
     (a) If $c_i = 0$, $\mathcal{B}_1$ picks a random $b_i \in \mathbb{Z}_q^*$ and computes $Q_i = b_i P \in G_1^*$.
     (b) If $c_i = 1$, $\mathcal{B}_1$ issues a public key extraction query to $\mathcal{B}_1^C$, obtains $Q_{ID_i} \in G_1$, and sets $Q_i = Q_{ID_i}$. Since $\mathcal{A}$ can issue $H_1$-queries on any $ID_i \in \{0, 1\}^*$ with the restriction $ID_i \in f^*$, public key extraction queries are used to obtain the associated public keys in BasicGODec.
  2. $\mathcal{B}_1$ responds $H_1(ID_i) = Q_i$ to $\mathcal{A}$ and adds the tuple $\langle ID_i, c_i, b_i, Q_i \rangle$ or $\langle ID_i, c_i, \perp, Q_i \rangle$ to $H_1^{\mathrm{list}}$.

• $H_2$-queries: When $\mathcal{A}$ makes a distinct query on $X_i \in G_2$, $\mathcal{B}_1$ generates a random $H_i \in \{0, 1\}^n$, responds $H_2(X_i) = H_i$ to $\mathcal{A}$, and adds the tuple $\langle X_i, H_i \rangle$ to $H_2^{\mathrm{list}}$.

• $H_3$-queries: When $\mathcal{A}$ makes a distinct query on $(U_i, V_i, W_i)$ to $H_3$, $\mathcal{B}_1$ chooses $t_i \in \mathbb{Z}_q^*$ uniformly at random, responds to $\mathcal{A}$ with $H_3(U_i, V_i, W_i) = t_i P_{pub} = P_i$, and adds the tuple $\langle (U_i, V_i, W_i), t_i, P_i \rangle$ to $H_3^{\mathrm{list}}$.

• $H_4$-queries: When $\mathcal{A}$ makes a distinct query on $(P_i, \tilde{U}_i, \tilde{W}_i)$ to $H_4$, $\mathcal{B}_1$ chooses $h_i \in \mathbb{Z}_q^*$ uniformly at random, responds to $\mathcal{A}$ with $H_4(P_i, \tilde{U}_i, \tilde{W}_i) = h_i$, and adds the tuple $\langle (P_i, \tilde{U}_i, \tilde{W}_i), h_i \rangle$ to $H_4^{\mathrm{list}}$.
Cryptanalysis training phase 1: For the following queries asked by $\mathcal{A}$ to $\mathcal{A}^C$, $\mathcal{B}_1$ replies:

• Private key and verify key extraction queries: $\mathcal{A}$ adaptively issues a number of private key and verify key extraction queries on $ID_i \notin f^*$. Since the private key is constructed after feeding $ID_i$ to $H_1$, it is assumed that $\mathcal{A}$ asked for $H_1(ID_i)$ before issuing a private key extraction query on $ID_i$. Let $\langle ID_i, c_i, \cdot, Q_i \rangle$ be the corresponding tuple on $H_1^{\mathrm{list}}$.
  1. If $c_i = 0$, $\mathcal{B}_1$ outputs the private key $d_{ID_i} = b_i P_{pub}$ and the verify key $v_i = \hat{e}(Q_i, P_{pub})$, and gives both to $\mathcal{A}$. Observe that $d_{ID_i} = b_i P_{pub} = b_i sP = sQ_i$ and $v_i = \hat{e}(Q_i, P_{pub}) = \hat{e}(Q_i, sP) = \hat{e}(d_{ID_i}, P)$; they are the private key and verify key associated with the public key $ID_i$, respectively.
  2. If $c_i = 1$, $\mathcal{B}_1$ reports failure and terminates. The attack on BasicGODec failed.

• Decryption queries: Given a ciphertext $C_i = \langle U_i, V_i, \tilde{U}_i, h_i, k_i \rangle \in \mathcal{C}$ that is the encryption of $M_i$ under $f$, $\mathcal{B}_1$ simulates the decryption oracle as follows:
  1. $\mathcal{B}_1$ computes $W_i = k_i P - h_i U_i$ and uses $(U_i, V_i, W_i)$ as an index to search $H_3^{\mathrm{list}}$ for a tuple $\langle (U_i, V_i, W_i), t_i, P_i \rangle$. If there is no such tuple, $\mathcal{B}_1$ returns "invalid-ciphertext".
  2. Else, $\mathcal{B}_1$ computes $P_i = t_i P_{pub}$ and $\tilde{W}_i = k_i P_i - h_i \tilde{U}_i$, and uses $(P_i, \tilde{U}_i, \tilde{W}_i)$ as an index to search $H_4^{\mathrm{list}}$ for a tuple $\langle (P_i, \tilde{U}_i, \tilde{W}_i), h_i \rangle$. If it does not appear in $H_4^{\mathrm{list}}$, $\mathcal{B}_1$ returns "invalid-ciphertext".
  3. Else, $\mathcal{B}_1$ checks whether $\hat{e}(P, \tilde{U}_i) \stackrel{?}{=} \hat{e}(P_i, U_i)$. If it does not hold, $\mathcal{B}_1$ returns "invalid-ciphertext".
  4. Otherwise, according to $f$, the decryption shares $d_j$ and the plaintext $M_i$ can be computed:
     (a) If $c_j = 0$, $\mathcal{B}_1$ has $d_{ID_j} = b_j P_{pub} = sQ_j$ and then computes $\tilde{v}_j = \hat{e}(d_{ID_j}, U_i)$.
     (b) If $c_j = 1$, $\mathcal{B}_1$ cannot get $r_i$ from $U_i = r_i P$, but it knows $\tilde{U}_i = r_i P_i$, which was checked in the step above. It computes $\tilde{v}_j = \hat{e}(Q_j, t_i^{-1} \tilde{U}_i)$. We can see that
$$
\begin{aligned}
\hat{e}\!\left(Q_j, \tfrac{1}{t_i} \tilde{U}_i\right) &= \hat{e}\!\left(Q_j, \tfrac{1}{t_i} r_i P_i\right), \\
&= \hat{e}\!\left(Q_j, \tfrac{1}{t_i} r_i t_i P_{pub}\right), \\
&= \hat{e}\!\left(Q_j, \tfrac{1}{t_i} r_i t_i sP\right), \\
&= \hat{e}\!\left(d_{ID_j}, \tfrac{1}{t_i}\tfrac{1}{s} r_i t_i sP\right), \\
&= \hat{e}(d_{ID_j}, r_i P), \\
&= \hat{e}(d_{ID_j}, U_i).
\end{aligned}
$$
     Observe that $\mathcal{A}$ must have queried $H_3$ at the point $(U_i, V_i, W_i)$ and $\tilde{U}_i = r_i P_i$. Hence $\mathcal{B}_1$ has $P_i = H_3(U_i, V_i, W_i) = t_i P_{pub}$ and can compute $\tilde{v}_j$ exactly as described above.
     After (a) or (b), $\mathcal{B}_1$ can readily run the non-interactive zero-knowledge protocol to generate $\tilde{h}_j, \tilde{K}_j$ and outputs $d_j = \{\tilde{v}_j, \tilde{h}_j, \tilde{K}_j\}$ to $\mathcal{A}$.
     (c) $\mathcal{B}_1$ computes $X_i = \prod_{ID_j \in f} \tilde{v}_j$ and uses it to search $H_2^{\mathrm{list}}$ for a tuple $\langle X_i, H_i \rangle$. If it does not appear in $H_2^{\mathrm{list}}$, $\mathcal{B}_1$ returns "invalid-ciphertext"; otherwise, it outputs $M_i = V_i \oplus H_i$ to $\mathcal{A}$, where $H_i = H_2(X_i) = H_2\!\left(\prod_{ID_j \in f} \hat{e}(d_{ID_j}, U_i)\right)$.
  If $\mathcal{B}_1$ does not output "invalid-ciphertext" for the ciphertext $C_i$, then no matter what $c_j$ is, $\mathcal{B}_1$ decrypts $C_i$ exactly in Step (c).

Challenge phase: Once $\mathcal{A}$ decides that cryptanalysis training phase 1 is over, it outputs two equal-length plaintexts $(M_0, M_1)$ on which it wishes to be challenged. $\mathcal{B}_1$ responds as follows:
  1. $\mathcal{B}_1$ gives $\mathcal{B}_1^C$ the plaintexts $(M_0, M_1)$. $\mathcal{B}_1^C$ responds with a BasicGODec ciphertext $C^\dagger = \langle U^\dagger, V^\dagger \rangle$ such that $C^\dagger$ is the encryption of $M_\theta$ for a random $\theta \in \{0, 1\}$.
  2. $\mathcal{B}_1$ runs the algorithm for responding to $H_1$-queries to obtain $\{Q_j\} \in G_1$ such that $H_1(ID_j) = Q_j$, where $\{ID_j\} \in f^\dagger$.
     (a) For any $ID_i \in f^*$, if a tuple $\langle ID_i, c_i, \cdot, Q_i \rangle$ has $c_i = 0$, then $\mathcal{B}_1$ reports failure and terminates. The attack on BasicGODec failed.
     (b) Else, $\mathcal{B}_1$ randomly chooses $t^*, h^*, k^* \in \mathbb{Z}_q^*$ and sets $U^* = U^\dagger$, $V^* = V^\dagger$, $P^* = t^* P$, $\tilde{U}^* = t^* U^*$, $W^* = k^* P - h^* U^*$, $\tilde{W}^* = k^* P^* - h^* \tilde{U}^*$. It defines $H_3(U^*, V^*, W^*) = P^*$ and $H_4(P^*, \tilde{U}^*, \tilde{W}^*) = h^*$. Then it backpatches the tuples $\langle (U^*, V^*, W^*), t^*, P^* \rangle$ and $\langle (P^*, \tilde{U}^*, \tilde{W}^*), h^* \rangle$ into $H_3^{\mathrm{list}}$ and $H_4^{\mathrm{list}}$, respectively. $\mathcal{B}_1$ responds to $\mathcal{A}$ with the challenge ciphertext $C^* = \langle U^*, V^*, \tilde{U}^*, h^*, k^* \rangle$. Since $H_1(ID_j) = Q_j = Q_{ID_j}$, $C^*$ is a proper IDGODec encryption of $M_\theta$ under the public keys $\{ID_j\} \in f^*$, as required.

Cryptanalysis training phase 2: $\mathcal{B}_1$ responds to private key and verify key extraction queries, and to decryption queries, as in cryptanalysis training phase 1, except for decryption queries on $C^*$.

Guess phase: Eventually, $\mathcal{A}$ outputs a guess $\theta'$ for $\theta$. $\mathcal{B}_1$ sets $\theta^\dagger = \theta'$ as its own guess for $\theta$.

Analysis: If $\mathcal{B}_1$ does not abort during the simulation, then $\mathcal{A}$'s view is identical to its view in the real attack. For all hash queries, $\mathcal{B}_1$'s responses are uniformly and independently distributed as in the real attack. For all private key and verify key queries, and decryption queries, $\mathcal{B}_1$'s responses are valid. Finally, the challenge ciphertext $C^*$ given to $\mathcal{A}$ is the IDGODec encryption of $M_\theta$ for some random $\theta \in \{0, 1\}$. Thus, by the definition of $\mathcal{A}$, we have $|\Pr[\theta' = \theta] - 1/2| = \epsilon(\kappa)$.

Now we calculate the probability that $\mathcal{B}_1$ does not abort during the simulation. Let $q_E$ be the number of private key and verify key queries made by $\mathcal{A}$ and $l$ be the number of users in the access instance. Then the probability that $\mathcal{B}_1$ does not abort in Phase 1 or Phase 2 is $\rho^{q_E}$, and the probability that it does not abort in the Challenge phase is $(1 - \rho)^l$. Thus, the probability that $\mathcal{B}_1$ does not abort during the simulation is $\rho^{q_E}(1 - \rho)^l$. The value is maximized at $\rho_{opt} = 1 - l/(q_E + l)$, as follows:
$$
\begin{aligned}
\frac{d\,\rho_{opt}^{q_E}(1 - \rho_{opt})^l}{d\rho_{opt}} &= 0, \\
q_E\, \rho_{opt}^{q_E - 1}(1 - \rho_{opt})^l &= \rho_{opt}^{q_E}\, l\,(1 - \rho_{opt})^{l - 1}, \\
q_E\,(\rho_{opt}^{-1} - 1) &= l, \\
\rho_{opt} &= 1 - l/(q_E + l).
\end{aligned}
$$
Using $\rho_{opt}$, the probability that $\mathcal{B}_1$ does not abort is at least $1/e(q_E + l)$. It shows that $\mathcal{B}_1$'s advantage $\epsilon_1(\kappa)$ is at least $\epsilon(\kappa)/e(q_E + l)$, as required. $\square$

A.2. Proof of Lemma 4.2

Proof. $\mathcal{B}_2$ is given as input the VBDH parameters $\langle q, G_1, G_2, \hat{e} \rangle$ generated by $\mathcal{G}$ and a random instance $\langle P, aP, b_1 P, b_2 P, \ldots, b_l P, cP \rangle$ of the VBDH problem for these parameters, where $P$ is random in $G_1$, $a, b_1, b_2, \ldots, b_l, c$ are random in $\mathbb{Z}_q^*$, and $q$ is the order of $G_1$ and $G_2$. $\mathcal{B}_2$ finds the solution $D = \hat{e}(P, P)^{a(b_1 + b_2 + \cdots + b_l)c} \in G_2$ to this VBDH problem by interacting with $\mathcal{B}_1$ as follows:

Setup phase: $\mathcal{B}_2$ gives the system parameters $\langle q, G_1, G_2, \hat{e}, n, P, P_{pub}, H_2 \rangle$ and the public keys $Q_{ID_i}$ by setting $P_{pub} = aP$ and $Q_{ID_i} = b_i P$ for $i = 1$ to $l$.

$H_2$-queries: When $\mathcal{B}_1$ makes a distinct query on $X_i \in G_2$, $\mathcal{B}_2$ generates a random $H_i \in \{0, 1\}^n$, responds $H_2(X_i) = H_i$ to $\mathcal{B}_1$, and adds the tuple $\langle X_i, H_i \rangle$ to $H_2^{\mathrm{list}}$.

Challenge phase: $\mathcal{B}_1$ outputs two plaintexts $(M_0, M_1)$ on which it wishes to be challenged. $\mathcal{B}_2$ picks a random string $R \in \{0, 1\}^n$ and returns $C^\dagger = (U^\dagger, V^\dagger) = (cP, R)$ as the challenge ciphertext.
Guess phase: $\mathcal{B}_1$ outputs its guess $\theta^\dagger \in \{0, 1\}$. $\mathcal{B}_2$ picks a random tuple $\langle X_i, H_i \rangle$ from $H_2^{\mathrm{list}}$ and outputs $X_i$ as the solution to the given instance of VBDH.

Analysis: Let $\mathcal{H}$ be the event that $\mathcal{B}_1$ issues a query for $H_2(D)$ at some point during the simulation above. The public keys and the challenge are distributed as in the real attack, and all responses to $H_2$-queries are uniform and independent in $\{0, 1\}^n$. Therefore, the probability $\Pr[\mathcal{H}]$ in the simulation is equal to $\Pr[\mathcal{H}]$ in the real attack. If the event $\mathcal{H}$ never occurs, then the decryption of $C^\dagger$ is uniform in $\mathcal{B}_1$'s view, that is, $\Pr[\theta^\dagger = \theta \mid \neg\mathcal{H}] = 1/2$. By the definition of $\mathcal{B}_1$, we have $|\Pr[\theta^\dagger = \theta] - 1/2| = \epsilon_1(\kappa)$. The upper and lower bounds on $\Pr[\theta^\dagger = \theta]$ are as follows:
$$
\begin{aligned}
\Pr[\theta^\dagger = \theta] &= \Pr[\theta^\dagger = \theta \mid \mathcal{H}]\Pr[\mathcal{H}] + \Pr[\theta^\dagger = \theta \mid \neg\mathcal{H}]\Pr[\neg\mathcal{H}] \\
&\le \Pr[\mathcal{H}] + \Pr[\theta^\dagger = \theta \mid \neg\mathcal{H}]\Pr[\neg\mathcal{H}] \\
&= \Pr[\mathcal{H}] + \tfrac{1}{2}\Pr[\neg\mathcal{H}] \\
&= \tfrac{1}{2}\Pr[\mathcal{H}] + \tfrac{1}{2}, \\[4pt]
\Pr[\theta^\dagger = \theta] &\ge \Pr[\theta^\dagger = \theta \mid \neg\mathcal{H}]\Pr[\neg\mathcal{H}] \\
&= \tfrac{1}{2} - \tfrac{1}{2}\Pr[\mathcal{H}].
\end{aligned}
$$
It follows that in the real attack $\epsilon_1(\kappa) = |\Pr[\theta^\dagger = \theta] - 1/2| \le \tfrac{1}{2}\Pr[\mathcal{H}]$. Therefore, $\Pr[\mathcal{H}] \ge 2\epsilon_1(\kappa)$. At the end of the game, the probability that $D$ appears in some tuple on $H_2^{\mathrm{list}}$ and is picked by $\mathcal{B}_2$ is at least $2\epsilon_1(\kappa)/q_{H_2}$. Hence $\mathcal{B}_2$ solves the VBDH problem for $\mathcal{G}$ with an advantage $\epsilon_2(\kappa)$ of at least $2\epsilon_1(\kappa)/q_{H_2}$. $\square$

References

[1] J. Baek, Y. Zheng, Identity-based threshold decryption, in: Proceedings of PKC'04, Lecture Notes in Computer Science, vol. 2947, pp. 262–276, 2004.
[2] D. Boneh, M. Franklin, Identity-based encryption from the Weil pairing, in: Advances in Cryptology, Crypto'01, Lecture Notes in Computer Science, vol. 2193, pp. 213–229, 2001.
[3] D. Boneh, X. Franklin, Efficient selective-ID secure identity based encryption without random oracles, in: Advances in Cryptology, Eurocrypt'04, Lecture Notes in Computer Science, vol. 2260, pp. 360–363, 2004.
[4] D. Boneh, B. Lynn, H. Shacham, Short signatures from the Weil pairings, in: Advances in Cryptology, Asiacrypt'01, Lecture Notes in Computer Science, vol. 2248, pp. 514–532, 2002.
[5] Z. Chai, Z. Cao, R. Lu, ID-based threshold decryption without random oracles and its applications in key escrow, in: Proceedings of International Conference on Information Security, ACM, pp. 119–124, 2004.
[6] C.C. Chang, H.C. Lee, A solution to generalized group oriented cryptography, in: IFIP/Sec'92-Singapore Day2/Track2-Cryptography, pp. 289–299, 1992.
[7] C.C. Chang, H.C. Lee, A new generalized group-oriented cryptoscheme without trusted centers, IEEE Journal on Selected Areas in Communications 11 (5) (1993) 725–729.
[8] T.Y. Chang, A convertible multi-authenticated encryption scheme for group communications, Information Sciences 178 (17) (2008) 3426–3434.
[9] T.Y. Chang, C.C. Yang, M.S. Hwang, Threshold signature for group communications without shared distribution center, Future Generation Computer Systems 20 (6) (2004) 1013–1021.
[10] T.Y. Chang, C.C. Yang, M.S. Hwang, Threshold untraceable signature for group communications, IEE Proceedings – Communications 151 (2) (2004) 179–184.
[11] X. Chen, F. Zhang, S. Liu, ID-based restrictive partially blind signatures and applications, The Journal of Systems and Software 80 (2) (2007) 164–171.
[12] H.Y. Chien, Comments on an efficient ID-based broadcast encryption scheme, IEEE Transactions on Broadcasting 53 (4) (2007) 809–810.
[13] Y. Desmedt, Society and group oriented cryptography: a new concept, in: Advances in Cryptology, CRYPTO'87, pp. 120–127, 1987.
[14] W. Diffie, M.E. Hellman, New directions in cryptography, IEEE Transactions on Information Theory IT-22 (1976) 644–654.
[15] E. Fujisaki, T. Okamoto, How to enhance the security of public-key encryption at minimum cost, in: PKC'99, Lecture Notes in Computer Science, vol. 1560, pp. 53–68, 1999.
[16] S. Kalkan, K. Kaya, A.A. Selçuk, Generalized ID-based ElGamal signatures, in: International Symposium on Computer and Information Sciences, ISCIS 2007, pp. 1–6, 2007.
[17] N. Koblitz, A. Menezes, S.A. Vanstone, The state of elliptic curve cryptography, Designs, Codes and Cryptography 9 (2/3) (2000) 173–193.
[18] C.M. Li, T. Hwang, N.Y. Lee, Security flaw in simple generalized group-oriented cryptosystems using ElGamal cryptosystem, International Journal of Informatics 18 (1) (2007) 61–62.
[19] Z.C. Li, J.M. Zhang, J. Luo, W. Song, Y.Q. Dai, Group-oriented $(t, n)$ threshold digital signature schemes with traceable signers, in: Electronic Commerce Techniques, the Second International Symposium, ISEC 2001, pp. 57–59, 2001.
[20] J.B. Libert, Efficient revocation and threshold pairing based cryptosystems, in: Proceedings of the 21st Annual Symposium on Principles of Distributed Computing, ACM, pp. 163–171, 2003.
[21] C.H. Lin, C.C. Chang, Method for constructing a group-oriented cipher system, Computer Communications 17 (11) (1994) 805–808.
[22] Y. Long, K. Chen, S. Liu, ID-based threshold decryption secure against adaptive chosen-ciphertext attack, Computers and Electrical Engineering 33 (3) (2007) 166–176.
[23] A. Shamir, Identity-based cryptosystems and signature schemes, in: Advances in Cryptology, Crypto'84, Lecture Notes in Computer Science, vol. 196, pp. 47–53, 1984.
[24] J.J. Tsai, T. Hwang, C.H. Wang, New generalized group-oriented cryptosystem based on Diffie–Hellman scheme, Computer Communications 22 (8) (1999) 727–729.
[25] C.C. Yang, T.Y. Chang, J.W. Li, M.S. Hwang, Simple generalized group-oriented cryptosystems using ElGamal cryptosystem, International Journal of Informatica 14 (1) (2003) 111–120.
[26] F. Zhang, K. Lim, ID-based blind signature and ring signature from pairings, in: Advances in Cryptology, Asiacrypt'02, Lecture Notes in Computer Science, vol. 2501, pp. 533–547, 2002.
[27] Y. Zhang, W. Liu, W. Lou, Y. Fang, Securing mobile ad hoc networks with certificateless public keys, IEEE Transactions on Dependable and Secure Computing 3 (4) (2006) 386–399.
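The abort analysis at the end of the proof of Lemma 4.1 (Appendix A.1) picks the bias $\rho$ of the $H_1$-oracle coin to maximize the simulator's abort-free probability $\rho^{q_E}(1-\rho)^l$. The script below is an added numerical check, not part of the paper: it recomputes $\rho_{opt}$ from the closed form, confirms it against a brute-force grid search, and for the single-user case $l = 1$ compares the resulting probability with the $1/e(q_E + l)$ bound quoted in the proof.

```python
import math

# Added example (not from the paper): sanity-check the abort analysis of
# Lemma 4.1. B1 survives each of the q_E private-key extraction queries with
# probability rho (the queried ID must have c_i = 0) and survives the
# challenge only if all l users in f* have c_i = 1, probability (1 - rho)^l.


def abort_free_probability(rho: float, q_e: int, l: int) -> float:
    """Pr[B1 does not abort] = rho^q_E * (1 - rho)^l."""
    return rho ** q_e * (1.0 - rho) ** l


def rho_opt(q_e: int, l: int) -> float:
    """Closed form from the derivative condition in the proof:
    rho_opt = 1 - l / (q_E + l)."""
    return 1.0 - l / (q_e + l)


def rho_argmax_by_grid(q_e: int, l: int, steps: int = 100_000) -> float:
    """Brute-force maximiser of rho^q_E (1-rho)^l over a grid on (0, 1),
    used to cross-check the closed form independently of the calculus."""
    best_rho, best_p = 0.0, -1.0
    for k in range(1, steps):
        rho = k / steps
        p = abort_free_probability(rho, q_e, l)
        if p > best_p:
            best_rho, best_p = rho, p
    return best_rho


def stated_lower_bound(q_e: int, l: int) -> float:
    """The bound 1 / (e (q_E + l)) quoted at the end of the proof."""
    return 1.0 / (math.e * (q_e + l))


if __name__ == "__main__":
    # Constructed parameter choices; q_E counts extraction queries, l users.
    for q_e, l in [(10, 1), (100, 1), (50, 3)]:
        r = rho_opt(q_e, l)
        print(f"q_E={q_e:4d} l={l}  rho_opt={r:.5f}  grid={rho_argmax_by_grid(q_e, l):.5f}"
              f"  Pr[no abort]={abort_free_probability(r, q_e, l):.3e}"
              f"  1/e(q_E+l)={stated_lower_bound(q_e, l):.3e}")
```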
