Completely anonymous multi-recipient signcryption scheme with public verification.

Most of the existing multi-recipient signcryption schemes do not take the anonymity of recipients into consideration because the list of the identities of all recipients must be included in the ciphertext as a necessary element for decryption. Although the signer's anonymity has been taken into account in several alternative schemes, these schemes often suffer from the cross-comparison attack and joint conspiracy attack. That is to say, there are few schemes that can achieve complete anonymity for both the signer and the recipient. However, in many practical applications, such as network conference, both the signer's and the recipient's anonymity should be considered carefully. Motivated by these concerns, we propose a novel multi-recipient signcryption scheme with complete anonymity. The new scheme can achieve both the signer's and the recipient's anonymity at the same time. Each recipient can easily judge whether the received ciphertext is from an authorized source, but cannot determine the real identity of the sender, and at the same time, each participant can easily check decryption permission, but cannot determine the identity of any other recipient. The scheme also provides a public verification method which enables anyone to publicly verify the validity of the ciphertext. Analyses show that the proposed scheme is more efficient in terms of computation complexity and ciphertext length and possesses more advantages than existing schemes, which makes it suitable for practical applications. The proposed scheme could be used for network conferences, paid-TV or DVD broadcasting applications to solve the secure communication problem without violating the privacy of each participant.