LacminCC: lightweight anonymous communication model in cloud computing

With increasing application of cloud computing and big data technologies, a large amount of personal information is stored on the Internet, which raises the issue of privacy leakage. To protect people's data privacy, this paper firstly presents a new anonymous Identity-Based Encryption (IBE) scheme and gives the proof of its security under the Bilinear Diffie–Hellman Security Assumption. Then, by introducing the anonymous IBE scheme into anonymous communication fields, this paper introduces a new lightweight anonymous communication model for cloud computing, which guarantees the anonymity of system users and the security of messages in small groups. Our analysis shows that the proposed communication model can not only reduce memory consumption and improve message transmission efficiency, but also effectively resist traffic-analysis attacks and node eavesdropping, and finally achieve secure anonymous communication in cloud computing.

Existing research on anonymous communication can be divided into three categories. Firstly, Reed [7] proposed onion routing. The message is encrypted and transmitted through a series of network nodes called onion routers, each of which "peels" away a single layer, uncovering the data's next destination. When the final layer is decrypted, the message arrives at its destination, so no node can know the original and final message at the same time. The idea of onion routing has been extended in all directions. Hiller et al. used onion routing in the Internet of Things to protect the private sensitive information of data owners [8]. Raza uses onion routing to implement a distributed search engine [9]. On the basis of protecting data privacy, it provides more efficient search results with fewer search resources. In addition, onion routing is also used in the Internet of Vehicles to realize the anonymity of vehicles [10]. Onion routing achieves the anonymity of the sender [11], but it cannot resist traffic attacks [12,13], exit node vulnerability attacks [14], and other security problems [15]. Another idea is an anonymous communication model based on DC-net proposed by Chaum et al. [16]. The model defines an N-number group, and only one member is allowed to send messages in a given round. Messages are sent via broadcasting without the need for a trust centre [17]. However, since the encryption process requires the cooperation of all members, it is vulnerable to internal dishonest members, and it is easy to break the security of the model [18]. The last is an anonymous communication model based on a flooding algorithm, which uses flooding, epidemic and other algorithms for flooding [19,20]. When the sender initiates an anonymous transmission, the path of the anonymous transmission is unclear [21]. Therefore, the adversary cannot distinguish where the next hop of the node will be [22]. This idea is widely applied to wireless sensors in the Internet of Things. But the main challenge for anonymous communication models based on the flooding algorithm is that the model generates a large amount of network transmission traffic during the communication process [23] and has a great demand for network bandwidth. At the same time, the stability and reliability of system algorithms are not satisfactory.
Based on the above analysis, we find that the existing anonymous communication systems have demanding requirements for network bandwidth and memory and cannot guarantee stability and reliability. When such anonymous communication systems are used in small groups, they are not only inefficient and expensive, but also insecure. Therefore, the demand for lightweight anonymous communication systems for small groups is pressing. For example, bidders need to hide their identities and whistleblowers need to protect their privacy. On the other hand, blockchain technology has made great progress in ensuring the integrity of data during transmission [24], extracting data [25], and detecting smart contract vulnerabilities [26]. Blockchain, as a distributed database, creates conditions for the development of anonymous communication in the Internet of Things, cloud computing and other technologies. For example, the lightweight anonymous communication system can be applied to information transmission between sensors and servers [27], as well as proprietary security protection in cloud services [28]. Nevertheless, there are few existing research studies on lightweight anonymous communication systems. For this purpose, the main contributions of this paper are as follows.
(1) We propose the anonymous IBE (Identity-Based Encryption) scheme to encrypt messages in the communication model, utilizing the advantages of the anonymous IBE scheme, which has a high degree of ciphertext expansion and does not require certificate management. The anonymous IBE scheme can meet the conditions of anonymous communication on the basis of ensuring the security of the messages. In this paper, we also verify the correctness of the proposed scheme and prove its security under the Bilinear Diffie-Hellman Security Assumption.
(2) We manage users using a grouping strategy: users are automatically grouped after registration and updated within a certain period of time. Combined with the anonymous IBE scheme, grouping reduces the communication overhead of users and saves bandwidth in the communication process while still ensuring security.
(3) We design a lightweight anonymous communication model based on the proposed IBE scheme and grouping strategy, simultaneously implementing anonymity, efficiency and security. Analysis shows that the model can resist traffic analysis attacks while ensuring the security and anonymity of user communications, and that it also reduces memory and resource consumption.
The roadmap of this paper is as follows. Section 2 introduces the preliminaries of this work, such as bilinear groups, complexity assumptions, IBE and the security model. Section 3 describes our anonymous IBE scheme and proves its correctness and security. In Sect. 4, a lightweight anonymous communication model in cloud computing is proposed. We elaborate on the communication process of the entire model and how to achieve anonymous communication. Section 5 analyses the performance of the proposed model, and Sect. 6 summarises this paper.

Bilinear map
Let $G_1$ and $G_2$ be multiplicative cyclic groups of prime order $p$ and $g$ be a generator of $G_1$.

Bilinear Diffie-Hellman assumption
The BDH (Bilinear Diffie-Hellman) problem [30,31] in $G_1$ is as follows: Given a tuple $g, g^{\alpha}, g^{b}, g^{c} \in G_1$ as input, output $e(g, g)^{\alpha bc} \in G_2$. An algorithm $A$ has advantage $\varepsilon$ in solving BDH in $G_1$ if

$$\Pr\left[A(g, g^{\alpha}, g^{b}, g^{c}) = e(g, g)^{\alpha bc}\right] \geq \varepsilon \tag{1}$$

where the probability is over the random choice of $\alpha, b, c$ in $Z_p^*$ and the random bits used by $A$. Similarly, an algorithm $B$ that outputs $b \in \{0, 1\}$ has advantage $\varepsilon$ in solving the decision BDH problem in $G_1$ if

$$\left|\Pr\left[B(g, g^{\alpha}, g^{b}, g^{c}, e(g, g)^{\alpha bc}) = 0\right] - \Pr\left[B(g, g^{\alpha}, g^{b}, g^{c}, T) = 0\right]\right| \geq \varepsilon \tag{2}$$

where the probability is over the random choice of $\alpha, b, c$ in $Z_p^*$, the random choice of $T \in G_2^*$, and the random bits of $B$.

Definition 1
The (Decision) $(t, \varepsilon)$-BDH assumption holds in $G_1$ if no $t$-time algorithm has advantage at least $\varepsilon$ in solving the (Decision) BDH problem in $G_1$.
Occasionally, we drop $t$ and $\varepsilon$ and refer to the BDH and Decision BDH assumptions in $G_1$.

IBE scheme
In the IBE scheme, participants include users and private key generators (PKG). PKG is a trusted third party, which generates a private key based on the system master key and user identity. Subsequently, PKG distributes the private key to the corresponding users. Furthermore, IBE differs from a traditional public key cryptosystem in that the identity of the user serves as the public key. Therefore, IBE is widely used for information security protection. An Identity-Based Encryption (IBE) scheme is a tuple of PPT (Probabilistic Polynomial-time) algorithms defined with respect to a message space $\mathcal{M}$, an identity space $\mathcal{I}$, and a ciphertext space $\mathcal{C}$ as follows:
Setup On input (in unary) a security parameter $k$, generate public parameters params and a master secret key MSK. $\mathcal{M}$, $\mathcal{C}$ and params are public. MSK is kept by PKG.
Key generation On input a master secret key MSK and an identity $ID \in \mathcal{I}$, derive and output a secret key $d_{ID}$ for identity $ID$.
Encryption On input public parameters params, an identity $ID \in \mathcal{I}$, and a message $m \in \mathcal{M}$, output a ciphertext $C \in \mathcal{C}$ that encrypts $m$ under identity $ID$.
Decryption On input a secret key $d_{ID}$ for identity $ID \in \mathcal{I}$ and a ciphertext $C \in \mathcal{C}$, output $m'$ if $C$ is a valid encryption under identity $ID$, and output a failure symbol $\perp$ otherwise.

Security model
Boneh and Franklin define chosen ciphertext security for IBE systems under a chosen identity attack [32,33]. In their model, the adversary is allowed to adaptively choose the public key it wishes to attack (the public key on which it will be challenged). Informally, if the adversary cannot obtain the public key ID from the ciphertext and the scheme is indistinguishable under the chosen ciphertext attack, we say that the scheme has ANON-IND-ID-CCA (Anonymity and indistinguishability of identities under chosen ciphertext attack) security. More precisely, the security of an anonymous IBE scheme is defined using the following game [34].
We define $A$ as an adversary and $B$ as a challenger.
Setup $B$ runs Setup, and forwards parameters to $A$.
Phase 1 Proceeding adaptively, $A$ issues queries $q_1, \ldots, q_m$ where $q_i$ is one of the following:
Key generation query $ID_i$: $B$ runs Key generation on $ID_i$ and forwards the resulting private key to $A$.
Decryption query $ID_i, C_i$: $B$ runs Key generation on $ID_i$, decrypts $C_i$ with the resulting private key, and sends the result to $A$.
Challenge $A$ submits two plaintexts $m_0, m_1$ and two identities $ID_0, ID_1$. $ID_0$, $ID_1$ or their prefix cannot appear in any key generation query in Phase 1. $B$ selects random bits $k, l \in \{0, 1\}$, sets $C^* = \mathrm{Encrypt}(params, ID_k, m_l)$, and sends $C^*$ to $A$ as its challenge ciphertext.
Phase 2 This is identical to Phase 1, except that $A$ may not request the private key for $ID_0$, $ID_1$ or the decryption of ⟨$ID_0$,
We call an adversary $A$ in the above game an ANON-IND-ID-CCA adversary. The advantage $\varepsilon$ of an adversary $A$ in this game is defined as
Definition 2 An anonymous IBE system is $(t, q, \varepsilon)$-ANON-IND-ID-CCA secure if all $t$-time ANON-IND-ID-CCA adversaries making at most $q$ queries have advantage at most $\varepsilon$ in winning the above game.

Anonymous IBE scheme
The anonymous IBE scheme has a high degree of ciphertext expansion and does not require certificate management. In the lightweight anonymous communication model based on the bulletin board, the improved anonymous IBE scheme effectively guarantees that the ciphertexts do not disclose any identity information about the recipient, and it has ANON-IND-ID-CCA security. In this section, we construct an efficient anonymous IBE scheme. Compared with the scheme in [35], our ciphertext is shorter, uses fewer random numbers and has better communication overhead under the same security. At the end of the section, we prove its correctness and security.

Construction
Let $G_1$ and $G_2$ be multiplicative cyclic groups of prime order $p$ and $g$ be a generator of

Proof of correctness
If C is a valid ciphertext encrypted with identity ID to message m, then the following expression can be verified:

Proof of security
Theorem 1 Assume that the DBDH (Decision Bilinear Diffie-Hellman) problem is hard. Then the proposed anonymous IBE scheme is $(t, q, \varepsilon)$-ANON-IND-ID-CCA secure.

Proof
Assume $A$ is an ANON-IND-ID-CCA adversary and $B$ is a challenger. At the beginning of the game, $B$ is given a tuple $(g, g^{\alpha}, g^{b}, g^{c}, T) \in G_1^5$ to decide whether or not $T = e(g, g)^{\alpha bc}$.
Setup: $B$ randomly generates security parameters. Let $g_1 = g^{\alpha}$, $g_2 = g^{b}$; the public parameters are $(g, g_1, g_2)$, which are assigned to $A$.

Phase 1:
Key generation query: $A$ assigns identity $ID \in Z_p^*$ to $B$. $B$ randomly chooses $r \in Z_p^*$ and computes (4)
$B$ first executes the key generation query to identity $ID$, then decrypts $C$ with the private key of identity $ID$.

Challenge:
$A$ chooses two messages $m_0, m_1$ of the same length and two identities $ID_0, ID_1$ and sends them to $B$, where $ID_0$, $ID_1$ or their prefix have not appeared in any key generation query in Phase 1.
$B$ randomly selects $k', l' \in \{0, 1\}$, $c \in Z_p^*$, and constructs $m_l$ as follows:
If $T = e(g, g)^{\alpha bc}$, we can obtain:
Therefore, $C$ is a valid ciphertext.
Phase 2: $A$ executes key generation queries and decryption queries to $B$ as in Phase 1, except that the adversary may not request a private key for $ID_0$, $ID_1$ or message $m_0$, $m_1$.
When $T = e(g, g)^{\alpha bc}$, then $A$ must satisfy Pr ( $\Pr\left[B(g, g^{\alpha}, g^{b}, g^{c}, e(g, g)^{\alpha bc}) = 0\right] - \Pr\left[B(g, g^{\alpha}, g^{b}, g^{c}, T) = 0\right]$

Lightweight anonymous communication model in cloud computing
In this section, we construct a lightweight anonymous communication model based on the anonymous IBE scheme, which is introduced in Sect. 3.1. According to the IBE scheme, the sender uses the identity of the receiver to encrypt the message. After encryption, the user uploads the message to the bulletin board, and the users download the ciphertexts on the bulletin board in groups. Only the real receiver can decrypt and obtain the message.
Before formally introducing the anonymous communication model, we first give the definition of the symbols used in the model. $G_1$ and $G_2$ are multiplicative cyclic groups of prime order $p$ and $g$ is a generator of $G_1$. The map $e$ is a bilinear map which satisfies e : p is the master key of PKG, $g_2 \in G_1$ is randomly selected, and $g_1 = g^{\alpha}$ (Table 1).

Model initialization
(A) Entities
(1) The users. Users are very important to the system, and their privacy must be guaranteed. In order to meet the different needs of users, we have designed two encryption methods, which serve two types of users: (a) Users who need to send information anonymously and are unwilling to disclose their identity to the recipient. For example, in tip-offs, the whistleblower does not want anyone to know his identity. (b) Users who need to disclose their identity to the recipient but do not want to inform other users of their identity. For example, in bidding, the successful bidder needs to inform the bidding company of its identity so that it can continue to communicate after the bid, but its identity must not become known to other users in the system, to prevent malicious competition.
(2) Bulletin board. The bulletin board is provided for users to upload and download ciphertexts. More precisely, the sender uploads the ciphertext to the bulletin board, and the receiver downloads the ciphertexts from the bulletin board. The bulletin board is an intermediate source for communication, and there is no direct interaction between the users. Because there is no interaction between the users, the adversary cannot directly know the identities of the two communicating parties.
(3) Private key generator (PKG). In this model, PKG generates the system's master secret key, generates the user's private key based on the user's identity, and is also responsible for grouping users. In addition, PKG is credible in this model.
(B) Grouping of users
(1) Initialization. When a user enters the system, the system automatically distributes a unique and fixed identity $ID$ ($ID \in Z_p^*$) to the user.
(2) Grouping. PKG is responsible for grouping all the users and dividing the users into $M$ groups, where each group has $N$ members. To prevent traffic analysis attacks, $N$ should be large enough. An ID corresponds to a unique group number $i$ and a serial number $j$ in the group ($i, j$ are randomly selected, and $0 < i \leq M$, $0 < j \leq N$). We denote the user as $ID_{ij}$, and every trusted user knows the identities and group numbers of other users in the system. Users need to obtain their own private keys before starting communication. PKG generates the system's secret master key and the private key corresponding to each user. More specifically, PKG generates a random number $r \in Z_p^*$ and a public parameter of the system $params = (g, g_1, g_2)$. The private key $d_{ij}$ corresponding to the user $ID_{ij}$ is as follows:
After the private key is generated, PKG distributes the private key to the corresponding users.
(3) Update users' group. In consideration of the security of the model, when the number of rounds of message delivery reaches a certain value, the private key update and the group update of the model are triggered. The process is as follows: When the entire system transmits 1000 rounds of messages, PKG regenerates private keys for all the users to strengthen the security of the system and prevent it from being cracked by the adversary. When the entire system delivers 100 rounds of messages, PKG regroups all the users to strengthen the security of the system and prevent it from being cracked by the adversary.

Anonymous communication model
In this section, we introduce how the anonymous communication model implements the communication process. At this stage, users divide time into slices to encrypt messages, upload ciphertext, download ciphertext, and decrypt ciphertext. During time $T_1$, the sender encrypts the message to be sent. During time $T_2$, all the users upload the ciphertext to the bulletin board. During time $T_3$, users download the ciphertext, and during time $T_4$ they decrypt the downloaded ciphertext. The entire process is as follows.
(1) During time $T_1$, the sender encrypts message $m$ using the recipient's identity $ID_{ij}$ as the public key.
All the users who want to transfer information in the system encrypt messages $m$ according to the identity of the receiver $ID_{ij}$ during time $T_1$. At the same time, the sender also knows the group number of the receiver. In order to save memory costs, we design $C_1$ as the group number $i$ where the receiver is located. This is conducive to uploading the ciphertext to the bulletin board, and the receiver can quickly filter out the ciphertext that needs to be downloaded. If the sender wants the receiver to know his/her identity, he/she can encrypt the message $m$ as follows:
where $t \in Z_p^*$ is randomly selected by the sender, $ID_{ij}$ is the identity of the recipient, $\mathrm{Sign}_{\mathrm{send}}\, ID_{ij}$ is the signature of the sender's identity and $C_1 = i$, where $i$ is the group number of the receiver.
If the sender's identity needs to be kept secret from the receiver, we use the following encryption:
(2) During time $T_2$, all the users in the system must send ciphertext $C$ to the bulletin board.
All users, whether they wish to communicate or not, must send ciphertexts to the bulletin board, and the upload process is completed in time $T_2$. Users who want to send information upload the ciphertexts within time $T_2$. For security reasons, other users who need not communicate also complete the upload of a pseudo-ciphertext within time $T_2$.
(3) During time $T_3$, the users download the ciphertext $C$ accordingly from the bulletin board.
After the ciphertexts have been uploaded to the bulletin board, all the users evaluate whether or not the $C_1$ part of the ciphertexts is equal to their group number $i$, to determine whether to download the ciphertext. If $C_1 = i$, then the recipient must download this ciphertext to avoid missing the messages. The above process is completed during time $T_3$.
(4) During time $T_4$, the user decrypts the downloaded ciphertext $C$ with his/her private key $d_{ij}$.
All the users use their private keys to decrypt the downloaded ciphertexts one by one. If the decryption is successful, then the real receiver can receive the message sent by the sender. The decryption process is as follows: (17)
Figure 1 shows the process for the users and bulletin boards to transfer specific ciphertexts. During time $T_2$, all the users upload messages to the bulletin board. The red line indicates this process. During time $T_3$, the $C_1$ part of the ciphertexts is equal to a group number in the model. As shown in Fig. 1, we assume $C_1 = 2$; then all the users in the second group must download the ciphertexts to the local host, while other groups will not.
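One round of the $T_1$ to $T_4$ procedure above, as an added example (not the authors' implementation). A toy key-private hashed ElGamal stands in for the pairing-based anonymous IBE scheme, so public keys here are per-user keys rather than identities; `run_round`, the toy group parameters, one upload per user and the random $C_1$ on cover uploads are assumptions.

```python
import hashlib
import hmac
import secrets

# Toy parameters (assumptions): a 127-bit Mersenne prime and base 3.
# Far too small for real use; they only make the round runnable offline.
P = 2**127 - 1
G = 3
MSG_LEN = 32  # fixed plaintext size so every board entry has equal length


def keygen():
    """Stand-in for PKG key issuance: returns (private, public)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def _kdf(shared, label):
    return hashlib.sha256(label + shared.to_bytes(16, "big")).digest()


def encrypt(pub, msg):
    """Hashed ElGamal: the blob carries no recipient identifier."""
    if len(msg) > MSG_LEN:
        raise ValueError("message longer than the fixed slot")
    t = secrets.randbelow(P - 2) + 1
    shared = pow(pub, t, P)
    pad = _kdf(shared, b"enc")
    body = bytes(a ^ b for a, b in zip(msg.ljust(MSG_LEN, b"\0"), pad))
    tag = hmac.new(_kdf(shared, b"mac"), body, hashlib.sha256).digest()
    return pow(G, t, P).to_bytes(16, "big") + body + tag


def try_decrypt(priv, blob):
    """Trial decryption (time T4): None unless the blob was meant for priv."""
    c, body, tag = blob[:16], blob[16:16 + MSG_LEN], blob[16 + MSG_LEN:]
    shared = pow(int.from_bytes(c, "big"), priv, P)
    want = hmac.new(_kdf(shared, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None
    pad = _kdf(shared, b"enc")
    return bytes(a ^ b for a, b in zip(body, pad)).rstrip(b"\0")


def run_round(M, N, sends):
    """One round. sends maps sender (i, j) -> (recipient (i, j), message)."""
    users = {(i, j): keygen() for i in range(1, M + 1) for j in range(1, N + 1)}
    board = []
    for user in users:  # T1 + T2: every user uploads exactly one entry
        if user in sends:
            rcpt, msg = sends[user]
            board.append((rcpt[0], encrypt(users[rcpt][1], msg)))
        else:
            # Cover upload: ciphertext under a throwaway key, random C1
            # (the choice of C1 for pseudo-ciphertexts is an assumption).
            cover = encrypt(keygen()[1], secrets.token_bytes(MSG_LEN))
            board.append((secrets.randbelow(M) + 1, cover))
    stats = {}
    for (i, j), (priv, _pub) in users.items():
        mine = [blob for c1, blob in board if c1 == i]        # T3: filter on C1
        plain = [try_decrypt(priv, blob) for blob in mine]    # T4
        stats[(i, j)] = {"downloaded": len(mine),
                         "messages": [m for m in plain if m is not None]}
    return board, stats


if __name__ == "__main__":
    # Constructed scenario: 3 groups of 4 users, one real message.
    board, stats = run_round(3, 4, {(1, 1): ((2, 3), b"sealed bid: 4200")})
    print("board entries:", len(board), "of", len(board[0][1]), "bytes each")
    for user, s in sorted(stats.items()):
        print(user, s["downloaded"], s["messages"])
```

Every member of a group downloads the same set of entries, so an observer of the board learns only the receiver's group, while only the real receiver's trial decryption succeeds.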

Experiments and results
In this section, we evaluate the performance of our model, which has been implemented in Python. All experiments are conducted on a PC with a 2.30 GHz CPU and 8 GB of RAM. We compare the anonymous performance of our lightweight anonymous communication model with several existing anonymous models [8,19,36] in Table 2. It can be seen from Table 2 that only our model achieves all the anonymities, whereas the other models cannot.
We evaluate the performance of our lightweight anonymous communication model, including the storage and communication costs. Table 3 shows that DCARPS has the smallest storage cost. However, it has the worst anonymity and security performance.
We assume that the communication cost of the whole network for message exchange is N. In addition, establishing pairwise keys for any two users has extra communication cost P, and γ is the communication cost of ACK messages (the communication cost to confirm the start of the message delivery).
Our communication model uses the user's ID as the public key, so there is no need for paired secret key exchange. Similarly, according to our message delivery process, the sender does not need to send a confirmation message to the recipient before sending a message. So the communication cost of the lightweight anonymous communication model is N (Table 4).
Through the above three tables, we find that our model achieves all three anonymities with low storage and computation costs. Our model has no limit on the number of messages in a round, which is a significant advantage compared with other anonymous communication models that can send only one message in a round. For example, a user may want to communicate with more than one person, or more than one user may want to send a message. In other anonymous communication models which limit the number of messages, users have to wait for several rounds. But in our model, all users can send an arbitrary number of messages in a round. This property enhances the efficiency of communication and reduces the cost of communication. Figure 2 shows the communication consumption of our model and other anonymous communication models which limit the number of messages.

Security analysis
(1) Security of messages. The content of the message delivered by the user needs to be protected, which is the basic requirement of the security model. In our model, the information uploaded by users to the bulletin board is encrypted using an anonymous encryption scheme. We have verified its security in Sect. 3.1.3: this scheme does not disclose any content about the user's identity in the ciphertexts, and at the same time, it can also resist any CCA adversary.
(2) Anonymity of messages.
(a) Sender anonymity. In traditional public key cryptography, there is usually a public key infrastructure (PKI), and the sender needs to query the receiver's public key before initiating the communication. In this process, the user performing the query operation may be the sender who wishes to initiate communication, and the public key to be queried may belong to the receiver.
In our model, the sender no longer needs to query the receiver's public key, because the public key is the identity of the receiver that every user knows. We consider that all the users perform upload operations in time $T_2$. The adversary cannot determine which users are the real senders through the traffic analysis attack, which ensures the sender's anonymity.
(b) Recipient anonymity. Recipient anonymity ensures that others cannot evaluate whether or not the message has been received by a certain receiver. In addition, the model also needs to guarantee that during the encryption process, the adversary cannot extract the identity of the receiver.
In our model, the receiver's identity is used as the public key, and the anonymous IBE scheme ensures that the adversary cannot extract the receiver's identity from the ciphertexts. During time $T_3$, all the members of the real receiver's group download the ciphertexts. Since there are relatively many members in the group, the adversary does not know which member of the group is the real receiver, thus ensuring the receiver's anonymity.

Efficiency analysis
Our scheme has no limit on the number of ciphertexts that need to be sent in each round. Compared with the communication model that can only send one message in each round [16], the more messages we send in each round, the more efficient our model is. Similarly, compared to the anonymous communication model designed by Jiang et al. [27], our model manages users in groups. Before users download the ciphertexts, the ciphertexts are screened, which greatly reduces the number of ciphertexts that users download and need to decrypt. When delivering the same amount of messages, our solution saves time and memory on the basis of security.

Conclusion
In the past, the anonymous communication model had large requirements on network bandwidth and memory and could not guarantee stability and reliability. It is inefficient, costly, and insecure when an anonymous communication model is used in small groups.
In this paper, we design a lightweight anonymous communication model in cloud computing, which is suitable for small and medium-sized groups. In the proposed model, we design an anonymous IBE scheme, modify the ciphertext structure, and simplify the encryption process while ensuring security. Furthermore, all the users are organised in groups and all the ciphertexts are filtered before the downloading practice. The operations reduce the workload of users to download the ciphertexts and the number of the decrypted ciphertexts. Analysis results show that the communication model has better performance while ensuring security and anonymity. The proposed anonymous communication model has good application prospects in cloud computing. For the future work, we will continue to optimize the proposed anonymous communication model and further apply it into cloud computing to solve the problem of privacy leakage.

(3) $params = (g, g_1, g_2)$, $MSK = \alpha$.
Encryption To encrypt a message $m \in G_2$ under public key $ID$, pick a random $t \in Z_p^*$ and we output
Decryption To decrypt a ciphertext $C = (C_1, C_2, C_3)$ using private key $d_{ID} = (d_1, d_2)$, output

$\ldots\, g_2^{\alpha}\; e(g^{r}, g_1^{ID \cdot t})\, e(g^{-r}, g_1^{ID \cdot t}) = e(g^{t}, g_2^{\alpha}) = e(g, g_2)^{\alpha t}$
Let r ′ = r − b ID , which is a valid private key, where Decryption query: A assigns ID, C to B.

1 4 .
Therefore, when α, b, c, T are uniform, we have This completes the proof of Theorem 1.

Fig. 1 Lightweight anonymous communication model. This represents the process of uploading and downloading ciphertexts

Fig. 2 Communication consumption. This shows the communication consumption of our model and other anonymous communication models which limit the number of messages

the bilinear map.
Setup In order to generate security parameters, we randomly select $\alpha \in Z_p^*$ and set $g_1 = g^{\alpha}$, $g_2 \in G_1$. The public parameters params and the secret master key MSK are given by
Key generation To generate private key $d_{ID}$, we randomly select $r \in Z_p^*$, input master secret key MSK and an identity $ID \in Z_p^*$ and output

Table 2 Comparison of model performance
Columns: Anonymous communication model | Sender anonymity | Receiver anonymity | Communication relationship anonymity
This downloading process is indicated by the green line, and the black line indicates the available communication path in the model.

Table 3 Performance comparison on storage cost

Table 4 Performance comparison on communication cost