
Anonymous Homomorphic IBE with Application to Anonymous Aggregation

School of Computer Science and Statistics, Trinity College Dublin, D02 PN40 Dublin, Ireland
* Author to whom correspondence should be addressed.
Cryptography 2023, 7(2), 22; https://doi.org/10.3390/cryptography7020022
Submission received: 6 February 2023 / Revised: 8 March 2023 / Accepted: 10 March 2023 / Published: 17 April 2023
(This article belongs to the Collection Survey of Cryptographic Topics)

Abstract
All anonymous identity-based encryption (IBE) schemes that are group homomorphic (to the best of our knowledge) require knowledge of the identity to compute the homomorphic operation. This paper is motivated by this open problem, namely to construct an anonymous group-homomorphic IBE scheme that does not sacrifice anonymity to perform homomorphic operations. Note that even when strong assumptions, such as indistinguishability obfuscation (iO), are permitted, no schemes are known. We succeed in solving this open problem by assuming iO and the hardness of the DBDH problem over rings (specifically, $\mathbb{Z}_{N^2}$ for RSA modulus $N$). We then use the existence of such a scheme to construct an IBE scheme with re-randomizable anonymous encryption keys, which we prove to be IND-ID-RCCA secure. Finally, we use our results to construct identity-based anonymous aggregation protocols.

1. Introduction

The problem we tackle in this paper relates to a primitive known as identity-based group homomorphic encryption (IBGHE), which is defined in [1]. Basically, IBGHE is identity-based encryption that is homomorphic for some group operation, and the ciphertext space for every identity forms a group. Moreover, the decryption function is a group homomorphism between the ciphertext group and the plaintext group. GHE has several applications, discussed in [1], and an IBGHE facilitates those applications in an identity-based infrastructure.
It is an open problem to construct an IBGHE that is simultaneously anonymous and homomorphic for addition. There are only two IBGHE schemes that support modular addition to the best of our knowledge, namely the XOR-homomorphic variant of the Cocks IBE scheme in [1] and the more recent IBGHE scheme from [2] that is homomorphic for addition modulo smooth square-free integers. Now, Joye has discovered that the Cocks IBE scheme itself is XOR-homomorphic [3], but the scheme is not an IBGHE since the ciphertext space with the homomorphic operation forms a quasigroup and not a group. Some readers might wonder about schemes that are considered multiplicatively homomorphic, which allow addition in the exponent, and question why we do not classify them as IBGHE schemes for addition. The reason is that the corresponding additive group has exponential order, and decryption can only recover messages using Pollard’s lambda algorithm that are less than some polynomial bound, so the valid message space does not form an additive group. Now the two IBGHE schemes supporting modular addition that we are aware of are not anonymous, but there are variants of these schemes that achieve anonymity. However, although such schemes gain anonymity, they lose the homomorphic property. Most usually, we need to know the identity associated with a ciphertext in order to correctly compute the homomorphic operation, and so when the identity is hidden from us, as it is when the scheme is anonymous, we cannot compute the homomorphic operation. Therefore, in a nutshell, the open problem we address in this paper is to construct an IBGHE for addition that is anonymous while retaining the homomorphic operation. 
Note that while we have concentrated on GHE, it is important to point out that there are no other additively homomorphic schemes (such as quasigroup homomorphic schemes, such as Cocks, as observed by Joye) that achieve simultaneous anonymity and the ability to carry out the homomorphic operation without knowing the identity associated with a ciphertext. Of course, our focus is not on bounded homomorphisms, such as LWE-based schemes that incorporate noise, but instead on those with an algebraic structure and support for a theoretically unbounded number of operations. One of the reasons we opt for GHE over linearly homomorphic LWE-based schemes is that the former enjoy the desired property of strong unlinkability; that is, an evaluated ciphertext is distributed the same as a fresh ciphertext in the view of the key holder (recipient), whereas LWE-based schemes achieve this only by requiring an expensive bootstrapping operation and making a circular security assumption.

1.1. Motivation and Applications

Beyond theoretical interest, there are applications that motivate consideration of this open problem. We construct an anonymous IBE using an anonymous IBGHE as a building block. We prove this scheme IND-ID-RCCA secure (note that RCCA is a slight relaxation of CCA2). Our anonymous IBE scheme has two interesting properties. First, it allows one to generate anonymous keys associated with a particular identity. Therefore, an encryptor can encrypt a message using an anonymous key for some unknown recipient. Secondly, such keys can be rerandomized such that the resulting anonymous key is computationally unlinkable to the original anonymous key. This finds an immediate application in anonymous aggregation, as we describe below.
Consider the following application scenario. Suppose we have a collection of sensor nodes that collect data and send it to a central server. Suppose the data are numerical measurements, and there are different recipients depending on external factors. Each sensor node encrypts a measurement with the recipient’s identity and sends it en route to the central server. It is desirable that ciphertexts seen by potential adversaries do not reveal the associated recipient’s identity. Along the route there are nodes that function as aggregators, which can be authorized independently by each sensor node to aggregate the data coming from that sensor node. If a sensor node gives authorization to the aggregator, then the aggregator should be able to aggregate data for the same recipient coming from any of the sensor nodes that have given authorization. Addition (summation) is a common type of aggregation since perhaps only an average measurement is needed by the recipient. To fulfill this application scenario, we need an IBE scheme that is anonymous and homomorphic for addition, where the homomorphic operation can be computed without knowing the recipient’s identity.
Consider two senders that produce ciphertexts for the recipient $\mathsf{id}$. Both of them send their respective authorization keys to an aggregator whose identity is $\overline{\mathsf{id}}$, who performs aggregation on the two ciphertexts and sends the result on to a second aggregator. The second aggregator should not be able to perform aggregation on the result unless they are given an authorization key from $\overline{\mathsf{id}}$. However, the recipient should be able to decrypt all such ciphertexts intended for them, including the result of the aggregation. Now the issue is that the recipient’s identity is hidden from the aggregators. The result of their aggregation nevertheless needs to be decryptable by the recipient $\mathsf{id}$ and also “fresh”, such that the second aggregator, who may be authorized by the original senders but not by the first aggregator, cannot perform aggregation on the result. We describe our approach to solving this problem below.

1.2. Our Results

We present a feasibility result in this work of an additively homomorphic IBGHE that is both anonymous and supports the evaluation of the homomorphic operation without knowing a user’s identity. Our construction is based on iO and the hardness of DDH in elliptic curves over $\mathbb{Z}_{N^2}$ where $N$ is an RSA modulus. These are strong assumptions, but we make headway on this open problem. Elliptic curves over rings have been less widely studied; Paillier [4] introduced the types of curves we use in this paper, which are over the ring $\mathbb{Z}_{N^2}$, while Peter et al. [5] describe a specific class of curves that are suitable to instantiate our construction. Furthermore, iO has not been realized from standard assumptions, although there have been several recent advances in constructing iO from quite different approaches under different assumptions, which gives us more confidence that iO exists. To obtain our feasibility result, we first borrow an idea from [6] to leverage obfuscation to map an identity string to a freshly generated public key of some encryption scheme. In fact, abstracting for a moment from the specific construction, we will describe the high-level paradigm. As part of the public parameters, we have an obfuscated program that maps an identity to a public key in some multi-user system with public parameters. The public keys in a multi-user system share the same set of common public parameters—think of the generator $g$ and modulus $p$ in ElGamal [7] as the common public parameters, except ElGamal is of no use here since it is only multiplicatively homomorphic. Nevertheless, ElGamal serves to illustrate another property that this paradigm requires, namely that the multi-user system supports key privacy, where key privacy can be viewed as the analog of anonymity in the identity-based setting; that is, the ciphertexts in the multi-user system do not reveal the public key they are associated with, which is the case in ElGamal.
We are using the term multi-user system in a broad sense here, permitting both the case where we have a trusted authority and the case where we do not. In the former, the public parameters are generated by a trusted authority with a backdoor (master secret key) such that the trusted authority can decrypt any ciphertext. In our paradigm, the public parameters of the multi-user system will be generated by the trusted authority of the IBE scheme and published as part of the IBE scheme’s public parameters. Therefore, we need the multi-user system to be both key-private and additively homomorphic, where the homomorphic operation can be computed without knowing the public key associated with a ciphertext. The fundamental question is: can we concretely realize a multi-user system that has both key privacy and an additive homomorphism? We can answer this question in the affirmative by using a variant of the Paillier scheme based on elliptic curves over rings that is presented in [5], which is a multi-user system supporting homomorphic addition modulo a large semiprime $N$ and for which we can easily show that key privacy holds assuming the hardness of DDH in elliptic curves over $\mathbb{Z}_{N^2}$.

1.2.1. Anonymous IBE with Rerandomizable Anonymous Keys

Next, we present an anonymous IBE scheme based on the Boneh–Franklin scheme, which we prove IND-ID-RCCA secure. Our scheme requires an additively homomorphic anonymous IBE scheme as a building block (as described above and which we realize in Section 3). Our anonymous IBE scheme has two interesting properties. First, it allows one to generate anonymous keys associated with a particular identity. Therefore, an encryptor can encrypt a message using an anonymous key for some unknown recipient. Secondly, such keys can be rerandomized such that the resulting anonymous key is computationally unlinkable to the original anonymous key. One of the applications for this scheme is in realizing identity-based anonymous aggregation in Section 5. This is the first IBE scheme that is both anonymous and IND-ID-RCCA secure.

1.2.2. Identity-Based Anonymous Aggregation

In an identity-based anonymous aggregation (IBAA) protocol, every identity has an associated secret key derivable by the Trusted Authority with their master secret key. Every identity can issue an authorization key to an aggregator that allows the aggregator to perform aggregation on ciphertexts created by that identity, but for any recipient identity. We envisage that, in practice, more complex policies may be used to control authorization, which is beyond the scope of this work. Here we simply model authorization with symmetric keys. Therefore, a symmetric key functions as an authorization key that can be issued to aggregators. For every ciphertext, the encryptor generates a fresh symmetric key $\kappa$ (effectively a session or transport key) and uses it to encrypt the IBE ciphertext that encrypts the message. This symmetric key $\kappa$ is encrypted with the authorization key of the sender so that any party who is given this key can recover the IBE ciphertext that encrypts the message. However, the recipient must always be able to decrypt a ciphertext intended for them, irrespective of whether they have been given an authorization key (for aggregation) by the encryptor. To solve this problem, the ciphertext also incorporates an IBE encryption of $\kappa$ so that the recipient can recover the IBE ciphertext that encrypts the message. One of the main challenges is in relation to aggregation. It is straightforward for the aggregator to evaluate the homomorphic operation on both IBE ciphertexts without knowing the recipient’s identity (anonymous group-homomorphic IBE enables this). We must, however, use a fresh symmetric key to encrypt this evaluated IBE ciphertext in order to ensure unlinkability. But how do we encrypt this fresh key with the recipient’s identity, without knowledge of the identity, so that they can decrypt the result of the aggregation?
One solution to this is to use FHE and then rely on bootstrapping for unlinkability, but this requires us to make a circular security assumption, and, furthermore, bootstrapping in the identity-based setting requires strong assumptions, such as iO. Our solution is to use our anonymous IBE scheme with its rerandomizable anonymous keys (described above), and this solves all our problems (including strong unlinkability) while being more efficient than FHE and without the need for a circular security assumption. Furthermore, we rely on the IND-ID-RCCA security to prove a desirable property of aggregation validity whereby no party who has not been granted authorization as an aggregator can perform a pre-determined transformation of the plaintext.

2. Preliminaries

2.1. Notation

A quantity is said to be negligible with respect to some parameter $\lambda$, written $\mathrm{negl}(\lambda)$, if it is asymptotically bounded from above by the reciprocal of all polynomials in $\lambda$.
For a probability distribution $D$, we denote by $x \xleftarrow{\$} D$ that $x$ is sampled according to $D$. If $S$ is a set, $y \xleftarrow{\$} S$ denotes that $y$ is sampled from $S$ according to the uniform distribution on $S$.
The support of a predicate $f : A \to \{0,1\}$ for some domain $A$ is denoted by $\mathrm{supp}(f)$, and is defined as the set $\{a \in A : f(a) = 1\}$.
The set of contiguous integers $\{1, \dots, k\}$ for some $k > 1$ is denoted by $[k]$.

2.2. Identity-Based Encryption

Definition 1. 
An Identity-Based Encryption (IBE) scheme is a tuple of PPT algorithms $(\mathcal{G}, \mathcal{K}, \mathcal{E}, \mathcal{D})$ defined with respect to a message space $\mathcal{M}$, an identity space $\mathcal{I}$ and a ciphertext space $\hat{\mathcal{C}}$ as follows:
  • $\mathcal{G}(1^\lambda)$:
    On input (in unary) of a security parameter $\lambda$, generates public parameters $PP$ and a master secret key $MSK$. Output $(PP, MSK)$.
  • $\mathcal{K}(MSK, \mathsf{id})$:
    On input of the master secret key $MSK$ and an identity $\mathsf{id} \in \mathcal{I}$: a secret key $sk_{\mathsf{id}}$ for identity $\mathsf{id}$ is derived and output.
  • $\mathcal{E}(PP, \mathsf{id}, m)$:
    On input of public parameters $PP$, an identity $\mathsf{id} \in \mathcal{I}$, and a message $m \in \mathcal{M}$, a ciphertext $c \in \mathcal{C} \subseteq \hat{\mathcal{C}}$ that encrypts $m$ under identity $\mathsf{id}$ is output.
  • $\mathcal{D}(sk_{\mathsf{id}}, c)$:
    On input of a secret key $sk_{\mathsf{id}}$ for identity $\mathsf{id} \in \mathcal{I}$ and a ciphertext $c \in \hat{\mathcal{C}}$, a message $m \in \mathcal{M}$ is output if $c$ is a valid encryption under identity $\mathsf{id}$; otherwise, a failure symbol $\bot$ is output.

2.3. Public-Key GHE

An important subclass of partial homomorphic encryption is the class of public-key encryption schemes that admit a group homomorphism between their ciphertext space and plaintext space. This class corresponds to what is considered “classical” HE [8], where a single group operation is supported, most usually addition. Gjøsteen [9] examined the abstract structure of these cryptosystems in terms of groups and characterized their security as relying on the hardness of a subgroup membership problem. Armknecht, Katzenbeisser and Peter [8] rigorously formalized the notion and called it group homomorphic encryption (GHE). We recall the formal definition of GHE by Armknecht, Katzenbeisser and Peter [8].
Definition 2 
(GHE, Definition 1 in [8]). A public-key encryption scheme $\mathcal{E} = (\mathcal{G}, \mathcal{E}, \mathcal{D})$ is called group homomorphic, if for every $(pk, sk) \leftarrow \mathcal{G}(1^\lambda)$, the plaintext space $\mathcal{M}$ and the ciphertext space $\hat{\mathcal{C}}$ (written in multiplicative notation) are non-trivial groups such that
  • the set of all encryptions $\mathcal{C} := \{c \in \hat{\mathcal{C}} \mid c \leftarrow \mathcal{E}_{pk}(m),\ m \in \mathcal{M}\}$ is a non-trivial subgroup of $\hat{\mathcal{C}}$
  • the restricted decryption $\mathcal{D}^*_{sk} := \mathcal{D}_{sk}|_{\mathcal{C}}$ is a group epimorphism (surjective homomorphism), i.e.,
    $\mathcal{D}^*_{sk}$ is surjective and $\forall c, c' \in \mathcal{C}: \mathcal{D}_{sk}(c \cdot c') = \mathcal{D}_{sk}(c) \cdot \mathcal{D}_{sk}(c')$
  • $sk$ contains an efficient decision function $\delta : \hat{\mathcal{C}} \to \{0,1\}$ such that
    $\delta(c) = 1 \iff c \in \mathcal{C}$
  • the decryption on $\hat{\mathcal{C}} \setminus \mathcal{C}$ returns the symbol $\bot$.

2.4. Identity-Based Group Homomorphic Encryption (IBGHE)

Definition 3 
(Identity-Based Group Homomorphic Encryption (IBGHE), based on [1]). Let $\mathcal{E} = (\mathcal{G}, \mathcal{K}, \mathcal{E}, \mathcal{D})$ be an IBE scheme with message space $\mathcal{M}$, identity space $\mathcal{I}$ and ciphertext space $\hat{\mathcal{C}}$. The scheme $\mathcal{E}$ is group homomorphic if, for every $(PP, MSK) \leftarrow \mathcal{G}(1^\lambda)$, every $\mathsf{id} \in \mathcal{I}$, and every $sk_{\mathsf{id}} \leftarrow \mathcal{K}(MSK, \mathsf{id})$, the message space $(\mathcal{M}, \cdot)$ is a non-trivial group, and there is a binary operation $* : \hat{\mathcal{C}}^2 \to \hat{\mathcal{C}}$ such that the following properties are satisfied for the restricted ciphertext space $\hat{\mathcal{C}}_{\mathsf{id}} = \{c \in \hat{\mathcal{C}} : \mathcal{D}_{sk_{\mathsf{id}}}(c) \neq \bot\}$:
GH.1: 
The set of all encryptions $\mathcal{C}_{\mathsf{id}} = \{c \mid c \leftarrow \mathcal{E}(PP, \mathsf{id}, m),\ m \in \mathcal{M}\} \subseteq \hat{\mathcal{C}}_{\mathsf{id}}$ is a non-trivial group with respect to the operation $*$.
GH.2: 
The restricted decryption $\mathcal{D}^*_{sk_{\mathsf{id}}} := \mathcal{D}_{sk_{\mathsf{id}}}|_{\mathcal{C}_{\mathsf{id}}}$ is surjective
and $\forall c, c' \in \mathcal{C}_{\mathsf{id}}: \mathcal{D}_{sk_{\mathsf{id}}}(c * c') = \mathcal{D}_{sk_{\mathsf{id}}}(c) \cdot \mathcal{D}_{sk_{\mathsf{id}}}(c')$.
We are interested in schemes whose plaintext space forms a group and which allow the operation to be homomorphically applied an unbounded number of times. There exist schemes, however, that do not satisfy all the requirements of GHE, namely their ciphertext space does not form a group but instead forms a quasigroup (a group without associativity), such as Cocks’ IBE [10], which was shown to be inherently XOR-homomorphic by Joye [3].

2.5. Multi-User Encryption

A multi-user encryption (MUE) scheme is an abstraction from a class of public-key encryption schemes where the public keys of users share common public parameters, whose generation may or may not include a trusted setup, in which case a Trusted Authority (TA) may hold a master decryption key that enables them to decrypt the ciphertexts of any user. An instance of MUE is ElGamal, which does not require a trusted setup or involve a Trusted Authority with a “backdoor”, whereas another instance of an MUE is a public-key encryption scheme with a double decryption mechanism (DD-PKE), as defined by Galindo and Herranz [11] where the public parameters are generated along with a master secret key by a TA.
An MUE is a tuple of PPT algorithms $(\mathsf{Setup}, \mathsf{KeyGen}, \mathsf{Enc}, \mathsf{Dec}, \mathsf{mDec})$ with plaintext space $\mathcal{M}$ and ciphertext space $\hat{\mathcal{C}}$, defined as follows:
  • $\mathsf{Setup}(1^\lambda)$: takes as input a security parameter $\lambda$ and outputs a pair $(PP, MSK)$ consisting of public parameters $PP$ and an optional master secret key $MSK$, which may be set to $\bot$.
  • $\mathsf{KeyGen}(PP)$: takes as input the public parameters $PP$ and outputs a pair of public/private keys $(pk, sk)$.
  • $\mathsf{Enc}(PP, pk, m)$: takes as input the public parameters $PP$, a user’s public key $pk$ and a message $m \in \mathcal{M}$, and outputs a ciphertext $c \in \mathcal{C} \subseteq \hat{\mathcal{C}}$.
  • $\mathsf{Dec}(PP, sk, c)$: takes as input the public parameters $PP$, a secret key $sk$ and a ciphertext $c \in \hat{\mathcal{C}}$, and outputs either a plaintext $m \in \mathcal{M}$ or $\bot$ if decryption fails.
  • $\mathsf{mDec}(PP, MSK, pk, c)$: takes as input the public parameters $PP$, the master secret key $MSK$, a user’s public key $pk$ and a ciphertext $c \in \hat{\mathcal{C}}$, and outputs either a plaintext $m \in \mathcal{M}$ or $\bot$ if decryption fails or $MSK = \bot$.

2.6. Elliptic Curves over Rings

Proposition 1 
([5]). If $N = pq$ is some RSA modulus, i.e., $p$ and $q$ are primes of about the same bit length $\lambda$, then there is an efficient construction of elliptic curves $E : y^2 z = x^3 + a x z^2 + b z^3$ over $\mathbb{Z}_{N^2}$ such that $M := \mathrm{lcm}(\#E(\mathbb{Z}_p), \#E(\mathbb{Z}_q))$ has at least two large (of about the same size as $p$ and $q$) prime factors.
Lemma 1 
([5]). As in Proposition 1, let $M \in \mathbb{N}$ have at least two large prime factors (of about $\lambda$ bits). If $\pi(M)$ denotes the product of all small prime factors of $M$, then
$$\Pr_{s \xleftarrow{\$} \Pi(M)}\big[\gcd(s, M) \neq 1\big] \text{ is negligible in } \lambda,$$
where $\Pi(M) := \{s \in \mathbb{Z}_{N^2} \setminus \{0\} \mid \gcd(s, \pi(M)) = 1\}$.

2.7. Indistinguishability Obfuscation

Definition 4 
(Indistinguishability Obfuscation, based on Definition 7 in [12]). A uniform PPT machine $i\mathcal{O}$ is called an indistinguishability obfuscator for every circuit class $\{\mathcal{C}_\kappa\}$ if the following two conditions are met:
  • Correctness: For every $\kappa \in \mathbb{N}$, for every $C \in \mathcal{C}_\kappa$, for every $x$ in the domain of $C$, we have that
    $\Pr[C'(x) = C(x) : C' \leftarrow i\mathcal{O}(C)] = 1$.
  • Indistinguishability: For every $\kappa \in \mathbb{N}$, for all pairs of circuits $C_0, C_1 \in \mathcal{C}_\kappa$, if $C_0(x) = C_1(x)$ for all inputs $x$, then for all PPT adversaries $\mathcal{A}$, we have:
    $\big|\Pr[\mathcal{A}(i\mathcal{O}(C_0)) = 1] - \Pr[\mathcal{A}(i\mathcal{O}(C_1)) = 1]\big| \leq \mathrm{negl}(\kappa)$.

2.8. Puncturable Pseudorandom Function

A puncturable pseudorandom function (PRF) is a constrained PRF $(\mathsf{Key}, \mathsf{Eval})$ with an additional PPT algorithm $\mathsf{Puncture}$. Let $n(\cdot)$ and $m(\cdot)$ be polynomials. Our definition here is based on Section 2.5 of [6]. A PRF key $K$ is generated with the PPT algorithm $\mathsf{Key}$, which takes as input the security parameter $\kappa$. The $\mathsf{Eval}$ algorithm is deterministic, and on input of a key $K$ and an input string $x \in \{0,1\}^{n(\kappa)}$, outputs a string $y \in \{0,1\}^{m(\kappa)}$.
A puncturable PRF allows one to obtain a “punctured” key $K' \leftarrow \mathsf{Puncture}(K, S)$ with respect to a subset of input strings $S \subseteq \{0,1\}^{n(\kappa)}$ with $|S| = \mathrm{poly}(\kappa)$. It is required that $\mathsf{Eval}(K', x) = \mathsf{Eval}(K, x)$ for all $x \in \{0,1\}^{n(\kappa)} \setminus S$, and for any poly-bounded adversary $(\mathcal{A}_1, \mathcal{A}_2)$ with $S \leftarrow \mathcal{A}_1(1^\kappa) \subseteq \{0,1\}^{n(\kappa)}$ and $|S| = \mathrm{poly}(\kappa)$, any key $K \leftarrow \mathsf{Key}(1^\kappa)$, any $K' \leftarrow \mathsf{Puncture}(K, S)$ and any $x \in S$, it holds that
$$\big|\Pr[\mathcal{A}_2(K', x, \mathsf{Eval}(K, x)) = 1] - \Pr[\mathcal{A}_2(K', x, u) = 1]\big| \leq \mathrm{negl}(\kappa)$$
where $u \xleftarrow{\$} \{0,1\}^{m(\kappa)}$.

3. Construction of Anonymous Additively Homomorphic IBE

3.1. PKTK MUE Scheme

We now describe the cryptosystem from [5] that is an instance of an MUE and satisfies some interesting properties, including the fact that even the Trusted Authority cannot determine which user a ciphertext is created for (Property 3 in [5]), so the scheme is anonymous even to the TA under the hardness of DDH in $E(\mathbb{Z}_{N^2})$. The scheme is very similar to Galbraith’s elliptic-curve-based Paillier scheme [13].
  • $\mathsf{Setup}(1^\lambda)$: On input of a security parameter $\lambda$, this algorithm generates an RSA modulus $N = pq$ where $p$ and $q$ are primes of about the same bit length $\lambda$. Then it constructs an elliptic curve $E : y^2 z = x^3 + a x z^2 + b z^3$ over $\mathbb{Z}_{N^2}$ such that $E$ has the properties described in Proposition 1. Furthermore, it chooses a point $Q = (x, y, z) \in E(\mathbb{Z}_{N^2})$ whose order divides $M = \mathrm{lcm}(\#E(\mathbb{Z}_p), \#E(\mathbb{Z}_q))$. It outputs the public parameters $PP := (N, \pi(M), a, b, Q)$ and the master secret key $MSK := M$. The plaintext space is $\mathcal{M} = \mathbb{Z}_N$, and the ciphertext space is $\hat{\mathcal{C}} = \langle Q \rangle \times \langle Q, M_1 \rangle$.
  • $\mathsf{KeyGen}(PP)$: chooses $s \xleftarrow{\$} \mathbb{Z}_M^*$ at random (this can be performed by sampling $s \xleftarrow{\$} \Pi(M)$, which is possible as $\pi(M)$ is included in $PP$) and computes $R \leftarrow sQ$. It outputs public key $pk := R$ and secret key $sk := s$.
  • $\mathsf{Enc}(PP, pk, m)$: chooses a random value $r \xleftarrow{\$} \mathbb{Z}_{N^2}$ and computes the ciphertext $(A, B)$ as
    $A \leftarrow rQ$ and $B \leftarrow rR + M_m$.
  • $\mathsf{Dec}(PP, sk, (A, B))$: outputs
    $m \leftarrow \dfrac{x(B - sA)}{N}$.
  • $\mathsf{mDec}(PP, MSK, (A, B))$: outputs
    $m \leftarrow \dfrac{x(MB)}{N} \cdot M^{-1} \bmod N$.

3.2. Our Scheme

Our scheme is essentially the transformation in [6] applied to the MUE scheme above. We need to define a program $F_{\mathsf{MapPK}}$ that is obfuscated as part of the public parameters. Let $\mathcal{E}$ be an MUE scheme such as the PKTK scheme above, which has message space $\mathbb{Z}_N$. The program $F_{\mathsf{MapPK}}$ takes an identity $\mathsf{id}$ and maps it to the public key $pk_{\mathsf{id}}$.
Program $F_{\mathsf{MapPK}}(\mathsf{id})$:
1.   Compute $r_{\mathsf{id}} \leftarrow \mathsf{PRF.Eval}(K, \mathsf{id})$.
2.   Compute $(pk_{\mathsf{id}}, sk_{\mathsf{id}}) \leftarrow \mathcal{E}.\mathsf{KeyGen}(PP_{\mathcal{E}}; r_{\mathsf{id}})$.
3.   Output $pk_{\mathsf{id}}$.
Let $\mathcal{E}$ be the PKTK MUE scheme. Let $i\mathcal{O}$ be an indistinguishability obfuscator and let $\mathsf{PRF}$ be a puncturable PRF. We now define the construction.
  • $\mathsf{AH.Setup}(1^\lambda)$: On input of security parameter $\lambda$, compute $(PP_{\mathcal{E}}, MSK_{\mathcal{E}}) \leftarrow \mathcal{E}.\mathsf{Setup}(1^\lambda)$. Next, generate $K \leftarrow \mathsf{PRF.Gen}(1^\lambda)$ and compute $O \leftarrow i\mathcal{O}(F_{\mathsf{MapPK}}[PP_{\mathcal{E}}, K])$. Output $(PP := (O, PP_{\mathcal{E}}),\ MSK := (K, MSK_{\mathcal{E}}))$.
  • $\mathsf{AH.KeyGen}(MSK, \mathsf{id})$: On input of master secret key $MSK := (K, MSK_{\mathcal{E}})$ and an identity $\mathsf{id}$, compute $r_{\mathsf{id}} \leftarrow \mathsf{PRF.Eval}(K, \mathsf{id})$. Next, generate $(pk_{\mathsf{id}}, sk_{\mathsf{id}}) \leftarrow \mathcal{E}.\mathsf{KeyGen}(PP_{\mathcal{E}}; r_{\mathsf{id}})$. Output $sk_{\mathsf{id}}$.
  • $\mathsf{AH.Enc}(PP, \mathsf{id}, m)$: On input of public parameters $PP$, an identity $\mathsf{id}$ and a message $m \in \mathbb{Z}_N$, obtain $pk_{\mathsf{id}} \leftarrow O(\mathsf{id})$ and compute $c \leftarrow \mathcal{E}.\mathsf{Enc}(PP_{\mathcal{E}}, pk_{\mathsf{id}}, m)$. Output $c$.
  • $\mathsf{AH.Dec}(sk_{\mathsf{id}}, c)$: On input of a secret key $sk_{\mathsf{id}}$ for identity $\mathsf{id}$, compute $m \leftarrow \mathcal{E}.\mathsf{Dec}(PP_{\mathcal{E}}, sk_{\mathsf{id}}, c)$ and output $m$.
Theorem 1. 
Assuming indistinguishability obfuscation and the hardness of DDH in $E(\mathbb{Z}_{N^2})$, $\mathsf{AH}$ is an anonymous and IND-ID-CPA secure IBE scheme.
Proof. 
The theorem follows as a consequence of Theorem 1 in [6], where the underlying public-key encryption scheme is replaced with the PKTK MUE scheme, whose key privacy and semantic security rely on the hardness of DDH in $E(\mathbb{Z}_{N^2})$.    □
This simple construction serves mainly as a possibility result for an anonymous homomorphic IBE where the homomorphic operation can be computed without knowing the identity associated with one or more ciphertexts. We leave the construction of more efficient, and perhaps even practical, schemes of this nature as an open problem.

4. Anonymous IBE with Rerandomizable Anonymous Encryption Keys

In this section, we present an anonymous IBE scheme that is a variant of Boneh–Franklin and show that it is both anonymous and IND - ID - RCCA secure. The scheme has two interesting properties: the generation of anonymous keys associated with a particular recipient identity and the rerandomization of such keys. In regard to the former, anonymous keys allow a party to encrypt a message for an unknown recipient; that is, the key hides the identity of the recipient. In regard to the rerandomization of these keys, a rerandomized key is computationally unlinkable to another anonymous key with the same associated identity. Therefore, two anonymous keys for the same identity, where one is obtained by rerandomizing the other, cannot be linked in any way. These properties are essential in our application of anonymous aggregation in the next section. Here, we observe that an essential building block of our construction is an anonymous homomorphic IBE for addition modulo N as realized in the previous section. In fact, an anonymous homomorphic IBE from LWE does not suffice here; a group homomorphic scheme appears to be necessary.

4.1. Our Construction

Let $g \in \mathbb{G}$ be a generator of a cyclic group $\mathbb{G}$, and let $g_T \in \mathbb{G}_T$ be a generator of another cyclic group $\mathbb{G}_T$. Both groups are of order $N$, a large semiprime. Now let $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ be a non-degenerate bilinear map between $\mathbb{G}$ and $\mathbb{G}_T$ (the target group) such that $g_T = e(g, g)$. The notational convention we follow in this section is to write group elements using uppercase letters whose integer exponent with respect to the generator is the corresponding lowercase letter. Our construction is based around the Boneh–Franklin scheme. We now describe our construction, which serves to illustrate various concepts we would like to establish. Let $H$ be a hash function modeled as a random oracle that maps identity strings to elements of $\mathbb{G}$. The master secret key contains an integer $s \xleftarrow{\$} \mathbb{Z}_N$ chosen at setup, while the public parameters contain $S \leftarrow g^s$. The other building blocks are an anonymous group homomorphic IBE scheme $\mathcal{E}_m$ that is homomorphic for addition modulo $N$, a NIZK and an IND-CCA2 secure symmetric encryption scheme. Consider a recipient identity $\mathsf{id}$. Then we derive the public key for $\mathsf{id}$ as $A \leftarrow H(\mathsf{id}) \in \mathbb{G}$. The encryptor chooses a random integer $r \xleftarrow{\$} \mathbb{Z}_N$ and computes $\hat{A} \leftarrow A^r$. Then they compute $\psi_1 \leftarrow \mathcal{E}_m.\mathsf{Enc}(PP_{IBE}, \mathsf{id}, r)$ and $z \leftarrow \mathcal{E}_m.\mathsf{Enc}(PP_{IBE}, \mathsf{id}, 1_{\mathcal{M}})$. Subsequently, the encryptor chooses a random integer $b \xleftarrow{\$} \mathbb{Z}_N$ and computes $B \leftarrow g^b$ and $\psi_2 \leftarrow \mathsf{PKE.Enc}(pk_T, b; \rho)$ for some randomness $\rho$. Finally, the encryptor generates a NIZK proof $\pi$ that $\psi_2$ encrypts the discrete logarithm of $B$ with respect to base $g$. We derive the symmetric key $k \leftarrow e(\hat{A}^b, S) \in \mathbb{G}_T$ and encrypt the message with the symmetric encryption scheme using the key $k$.
In the real mode, a decryptor with a secret key $sk_{\mathsf{id}} := (S_{\mathsf{id}} := A^s,\ sk_{IBE,\mathsf{id}} \leftarrow \mathcal{E}_m.\mathsf{KeyGen}(MSK_{IBE}, \mathsf{id}))$ for identity $\mathsf{id}$ computes $r \leftarrow \mathcal{E}_m.\mathsf{Dec}(sk_{IBE,\mathsf{id}}, \psi_1)$ and $k \leftarrow e(B, S_{\mathsf{id}})^r \in \mathbb{G}_T$. In the security proof, when we do not have access to $S_{\mathsf{id}}$, we alternatively derive $k$ as follows. First, we decrypt $\psi_2$ with the trapdoor secret key to obtain $b$; then we compute $k \leftarrow e(\hat{A}^b, S) \in \mathbb{G}_T$.
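Worked check of the two key derivations above (added here, in the page's notation): by bilinearity both expressions are the same element of $\mathbb{G}_T$, which is why the decryptor needs only $S_{\mathsf{id}}$ and the recovered $r$, while the encryptor needs only $\hat{A}$, $b$ and the public $S$:
$$e(\hat{A}^b, S) = e(A^{rb}, g^s) = e(A, g)^{rbs} = e(g^b, A^s)^r = e(B, S_{\mathsf{id}})^r .$$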
To generate an anonymous key for an identity, consider the following algorithm:
  • $\mathsf{GenAnonKey}(PP, \mathsf{id})$:
    $r \xleftarrow{\$} \mathbb{Z}_N$
    $\psi \leftarrow \mathcal{E}_m.\mathsf{Enc}(PP_{IBE}, \mathsf{id}, r)$
    $z \leftarrow \mathcal{E}_m.\mathsf{Enc}(PP_{IBE}, \mathsf{id}, 1_{\mathcal{M}})$
    $A \leftarrow H(\mathsf{id})$
    $\hat{A} \leftarrow A^r$
    Return $AnK := (\hat{A}, \psi, z)$
An anonymous key AnK lets a party encrypt messages for an unknown intended recipient, which is computationally hidden from the party.
To rerandomize an AnK generated as above, the following algorithm is used:
  • $\mathsf{RerandomizeKey}(PP, AnK)$:
    Parse $AnK$ as $(\hat{A}, \psi, z)$
    $r \xleftarrow{\$} \mathbb{Z}_N$
    $\hat{A} \leftarrow \hat{A}^r$
    $u_1, u_2 \xleftarrow{\$} \mathbb{Z}_N$
    $\psi \leftarrow \psi^r * z^{u_1}$
    $z \leftarrow z^{u_2}$
    Return $AnK := (\hat{A}, \psi, z)$
The advantage of $\mathsf{RerandomizeKey}$ is that, given an anonymous key derived with this algorithm from an original anonymous key, no party can link the keys and determine that they are related (i.e., have the same intended recipient). The anonymous key is prepended to every ciphertext generated with it, so it is advantageous to rerandomize it so that ciphertexts are not linked to each other.
Algorithm 1 formally describes the scheme. Note that the encryption algorithm may alternatively accept an anonymous key $AnK$ as input instead of a recipient identity.

4.2. Security

The scheme cannot be proved IND-ID-CCA2 secure in the conventional sense because the $AnK$ portion of the ciphertext is malleable, and so too is the NIZK proof potentially (unless a non-malleable NIZK is used). We can, however, prove the scheme secure against an adaptive chosen ciphertext attack in a relaxed model, namely the notion IND-ID-RCCA.
Theorem 2. 
Assuming $\mathcal{E}_m$ is IND-ID-CPA secure, $\mathsf{PKE}$ is IND-CPA secure and $\mathsf{NIZK}$ is a sound and zero-knowledge NIZK, then our scheme is IND-ID-RCCA secure under the hardness of DBDH in the random oracle model.
Algorithm 1 Our IBE scheme with rerandomizable anonymous keys.
    $\mathsf{Setup}(1^\lambda)$
       $(PP_{IBE}, MSK_{IBE}) \leftarrow \mathcal{E}_m.\mathsf{Setup}(1^\lambda)$
       $(pk_T, sk_T) \leftarrow \mathsf{PKE.Gen}(1^\lambda)$
       $H \xleftarrow{\$} \mathcal{H}$
       $s \xleftarrow{\$} \mathbb{Z}_N$
       $S \leftarrow g^s$
       $CRS \leftarrow \mathsf{NIZK.CRSGen}(1^\lambda)$
      Return $(PP := (H, S, PP_{IBE}, pk_T, CRS),\ MSK := (K, s, MSK_{IBE}, sk_T))$
    $\mathsf{KeyGen}(MSK, \mathsf{id})$
       $A \leftarrow H(\mathsf{id})$
       $S_{\mathsf{id}} \leftarrow A^s$
       $sk_{IBE,\mathsf{id}} \leftarrow \mathcal{E}_m.\mathsf{KeyGen}(MSK_{IBE}, \mathsf{id})$
      Return $sk_{\mathsf{id}} := (S_{\mathsf{id}}, sk_{IBE,\mathsf{id}})$
    $\mathsf{Enc}(PP, \mathsf{id}, m)$
       $r \xleftarrow{\$} \mathbb{Z}_N$
       $\psi_1 \leftarrow \mathcal{E}_m.\mathsf{Enc}(PP_{IBE}, \mathsf{id}, r)$
       $z \leftarrow \mathcal{E}_m.\mathsf{Enc}(PP_{IBE}, \mathsf{id}, 1_{\mathcal{M}})$
       $A \leftarrow H(\mathsf{id})$
       $\hat{A} \leftarrow A^r$
       $b \xleftarrow{\$} \mathbb{Z}_N$
       $B \leftarrow g^b$
       $\rho \xleftarrow{\$} \{0,1\}^{\ell_\rho}$ // where $\ell_\rho$ is the length of randomness required for $\mathsf{PKE.Enc}$
       $\psi_2 \leftarrow \mathsf{PKE.Enc}(pk_T, b; \rho)$
       $\pi \leftarrow \mathsf{NIZK.Prove}(CRS, (g, B, pk_T, \psi_2), (b, \rho))$ // the NIZK uses relation $R$ (below)
       $k \leftarrow e(\hat{A}^b, S)$
       $\psi_3 \leftarrow \mathsf{SKE.Enc}(k, \psi_1 \| m)$
      Return $c := (\hat{A}, \psi_1, z, B, \psi_2, \pi, \psi_3)$
    $\mathsf{Dec}(sk_{\mathsf{id}}, c)$
       $(S_{\mathsf{id}}, sk_{IBE,\mathsf{id}}) \leftarrow sk_{\mathsf{id}}$
       $(\hat{A}, \psi_1, z, B, \psi_2, \pi, \psi_3) \leftarrow c$
      If $\mathsf{NIZK.Verify}(CRS, (g, B, pk_T, \psi_2), \pi) \neq 1$
         Return $\bot$
       $r \leftarrow \mathcal{E}_m.\mathsf{Dec}(sk_{IBE,\mathsf{id}}, \psi_1)$
      If $\hat{A} \neq A^r$
         Return $\bot$
       $k \leftarrow e(S_{\mathsf{id}}, B)^r$
      Return $\mathsf{SKE.Dec}(k, \psi_3)$
   Relation $R(\mathit{stmt} := (g, B, pk_T, \psi_2),\ w := (b, \rho))$
      Return $B = g^b \ \wedge\ \psi_2 = \mathsf{PKE.Enc}(pk_T, b; \rho)$
Proof. 
We prove the theorem by means of a hybrid argument. We start with a real system that encrypts the first challenge message m_0 and move to a hybrid that encrypts the second challenge message m_1.
  • Hybrid 0: This is the real system that encrypts the challenge message m_0. Let k be the symmetric key used to produce the symmetric ciphertext ψ_3.
  • Hybrid 1: The change we make in this hybrid is to how ψ_1 is generated. Instead of encrypting the randomness r, we choose another uniform random element s and produce ψ_1 as an IBE encryption of s. We still use the previous symmetric key k to produce ψ_3, which is a symmetric encryption of ψ_1 ‖ m_0.
  The indistinguishability between Hybrids 0 and 1 follows from the semantic security of E_m. In the reduction, we use the “trapdoor” mode discussed earlier to derive the symmetric key; that is, for a typical ciphertext, we decrypt ψ_2 to obtain b and compute e(Â, S)^b. When we decrypt ψ_3, we check whether the first component of the plaintext matches ψ_1; otherwise, we output ⊥. Secondly, if the second component is m_0 or m_1, we output “test”, as is required in IND-ID-RCCA. If the ciphertext we gave the adversary is queried for decryption, then we also output “test”.
  • Hybrid 2: The change we make in this hybrid is to how ψ_2 is generated. We compute it instead as an encryption of some uniformly random element z in place of b, but still use k (as in the previous hybrid) to produce ψ_3.
  Hybrids 1 and 2 are indistinguishable by the IND-CCA2 security of PKE. In the reduction, we return to the original approach (i.e., the “real” mode) to compute the symmetric key.
  • Hybrid 3: The change we make in this hybrid is to generate the symmetric key uniformly at random.
  The indistinguishability of Hybrids 2 and 3 follows from the hardness of DBDH.
  • Hybrid 4: In this hybrid, we change how ψ_3 is produced. Instead of encrypting ψ_1 ‖ m_0, we encrypt ψ_1 ‖ m_1.
  The indistinguishability of Hybrids 3 and 4 follows from the IND-CCA2 security of the symmetric encryption scheme. We are now in a hybrid where the second challenge message m_1 is encrypted. The remaining hybrids reverse the changes in Hybrids 1–3 until we arrive at a hybrid that is the real system that encrypts the challenge message m_1. This completes our proof.    □
Corollary 1. 
Assuming E_m is an IND-ID-CPA secure anonymous IBE, then our scheme is anonymous.
This is an immediate consequence of the semantic security and anonymity of E_m.

5. Identity-Based Anonymous Aggregation

In an identity-based anonymous aggregation protocol, a collection of nodes encrypt data for different recipients and forward them to their neighbors. The intended recipient, along with an aggregator, is able to extract the following grouping, functional unit or “package”, comprising the tuple (h, v, z), which we define momentarily. Let E be an anonymous IBGHE scheme (such as AH in Section 3), and let H be a collision-resistant function. Furthermore, let id be the recipient’s identity. Then we have h = H(id), v ← E.Enc(PP_E, id, m) and z ← E.Enc(PP_E, id, 0). For two such tuples, c := (h, v, z) and c' := (h', v', z'), the aggregation algorithm is defined in Algorithm 2.
Algorithm 2 Aggregation algorithm in P-type setting.
    Agg.Aggregate(c, c'):
       (h, v, z) ← c
       (h', v', z') ← c'
      If h ≠ h':
         Output ⊥
       s_1, s_2 ←$ Z_N
       v'' ← v * v' * z^{s_1}
       z'' ← z^{s_2}
      Return c'' := (h'' := h, v'', z'')
The hash of the recipient’s identity h allows an aggregator to determine whether two ciphertexts have the same intended recipient, in which case the hash components are equal and aggregation can be performed; otherwise, aggregating both ciphertexts would produce an invalid result. With this approach, we obtain one-way anonymity. The v component is an E encryption under the recipient’s identity of the plaintext value. For the sake of simplicity, we are assuming the plaintext space is M := Z_N. For referential convenience, we designate this type of scheme P-type.
Now, an alternative approach is to exclude the hash component from this tuple such that an aggregator cannot learn anything about the recipient’s identity, nor can it determine whether two ciphertexts have the same recipient. As such, aggregation is always performed, but we need some way for the decryptor to establish whether a ciphertext is valid or has likely been contaminated through aggregation with a different identity. A solution to this emerges when the plaintext space is exponentially large, as is the case here. The idea is to include an additional encryption v̄ of −m, where m is the underlying plaintext of v, such that v * v̄ decrypts to zero (or 1_M, the identity element). The decryptor discards a ciphertext as invalid if v * v̄ does not decrypt to zero. Homomorphically adding (pairwise) a pair of ciphertexts (v, v̄) associated with another identity results in a pair of encryptions of random values in Z_N. Therefore, the resulting ciphertext will be rejected as invalid by the decryptor with overwhelming probability. For referential convenience, we designate this type of scheme F-type. The aggregation algorithm for this type is shown in Algorithm 3.
Algorithm 3 Aggregation algorithm in F-type setting.
    Agg.Aggregate(c, c'):
       (v, v̄, z) ← c
       (v', v̄', z') ← c'
       s_1, s_2, s_3 ←$ Z_N
       v'' ← v * v' * z^{s_1}
       v̄'' ← v̄ * v̄' * z^{s_2}
       z'' ← z^{s_3}
      Return c'' := (v'', v̄'', z'')
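The two aggregation algorithms above, Algorithm 2 (hash check) and Algorithm 3 (blind aggregation with the v * v̄ validity test), as an added example that is not the paper's code: exponential ElGamal in one shared group, with a constructed key pair per recipient, stands in for the anonymous IBGHE E (an assumption; the real scheme derives keys from identities), SHA-256 stands in for H, and the modulus, generator, messages and seed are constructed toy values.

```python
"""Toy model of the P-type (Algorithm 2) and F-type (Algorithm 3) aggregation.

Exponential ElGamal over Z_p^* with a constructed key pair per recipient stands
in for the anonymous IBGHE E (assumption). The ciphertext operation "*" adds
plaintexts and Enc(id, 0) plays the role of z, the encryption of 1_M.
"""
import hashlib
import random

P = (1 << 127) - 1   # Mersenne prime 2^127 - 1: constructed toy modulus, not a secure choice
G = 3                # generator for the toy group (constructed choice)
ORDER = P - 1        # exponents live in Z_ORDER


def keygen(rng):
    """Per-recipient key pair; stands in for KeyGen(MSK, id) of the IBGHE."""
    x = rng.randrange(1, ORDER)
    return x, pow(G, x, P)


def enc(pk, m, rng):
    """Exponential ElGamal: (g^r, g^m * pk^r); negative m is reduced mod ORDER."""
    r = rng.randrange(1, ORDER)
    return (pow(G, r, P), pow(G, m % ORDER, P) * pow(pk, r, P) % P)


def mul(c, d):
    """Homomorphic operation on ciphertexts: the plaintexts add."""
    return (c[0] * d[0] % P, c[1] * d[1] % P)


def power(c, s):
    """c^s scales the plaintext by s; z^s rerandomises without changing the sum."""
    return (pow(c[0], s, P), pow(c[1], s, P))


def dec_elem(sk, c):
    """Decrypt to the group element g^m (enough for the validity test)."""
    return c[1] * pow(c[0], ORDER - sk, P) % P


def dlog_small(y, bound=1 << 16):
    """Recover a small m from g^m by exhaustive search; None if out of range."""
    acc = 1
    for m in range(bound):
        if acc == y:
            return m
        acc = acc * G % P
    return None


# P-type: h = H(id) travels with the ciphertext (one-way anonymity).
def p_package(pk, ident, m, rng):
    h = hashlib.sha256(ident.encode()).hexdigest()
    return (h, enc(pk, m, rng), enc(pk, 0, rng))


def p_aggregate(c, c2, rng):
    """Algorithm 2: output ⊥ (None) when the hashes differ, else combine."""
    h, v, z = c
    h2, v2, _ = c2
    if h != h2:
        return None
    s1, s2 = rng.randrange(1, ORDER), rng.randrange(1, ORDER)
    return (h, mul(mul(v, v2), power(z, s1)), power(z, s2))


# F-type: no hash; v̄ encrypts -m so that v * v̄ is an encryption of 0.
def f_package(pk, m, rng):
    return (enc(pk, m, rng), enc(pk, -m, rng), enc(pk, 0, rng))


def f_aggregate(c, c2, rng):
    """Algorithm 3: always combine; the aggregator learns nothing about the recipient."""
    v, vbar, z = c
    v2, vbar2, _ = c2
    s1, s2, s3 = [rng.randrange(1, ORDER) for _ in range(3)]
    return (mul(mul(v, v2), power(z, s1)),
            mul(mul(vbar, vbar2), power(z, s2)),
            power(z, s3))


def f_decrypt(sk, c):
    """Recipient check: accept only if v * v̄ decrypts to the identity element."""
    v, vbar, _ = c
    if dec_elem(sk, mul(v, vbar)) != 1:
        return None          # contaminated by a foreign identity: ⊥
    return dlog_small(dec_elem(sk, v))


def demo(seed=2023):
    """Same-recipient aggregates decrypt to the sum; foreign ones are rejected."""
    rng = random.Random(seed)
    sk_a, pk_a = keygen(rng)     # intended recipient
    _, pk_b = keygen(rng)        # some other recipient
    c1, c2 = f_package(pk_a, 17, rng), f_package(pk_a, 25, rng)
    c3 = f_package(pk_b, 9, rng)
    same = f_decrypt(sk_a, f_aggregate(c1, c2, rng))    # 42
    mixed = f_decrypt(sk_a, f_aggregate(c1, c3, rng))   # None
    p_ok = p_aggregate(p_package(pk_a, "alice", 1, rng), p_package(pk_a, "alice", 2, rng), rng)
    p_bad = p_aggregate(p_package(pk_a, "alice", 1, rng), p_package(pk_b, "bob", 2, rng), rng)
    return same, mixed, dlog_small(dec_elem(sk_a, p_ok[1])), p_bad
```

In this toy the F-type false-accept probability is about 1/ord(g), which is the "overwhelming probability" argument of the text made concrete.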
Since any party who obtains the ciphertext tuple as above can modify the underlying plaintext (malleability), we may wish to restrict this ability to a subset of authorized parties, which we refer to as aggregators. While a suitable means of access control for granting such authorization to aggregators is beyond the scope of this work (e.g., ABE and related primitives may be of import), we describe a simplified paradigm that can be adapted and extended as required. Typically, we would expect the ciphertext tuple above to be encrypted with a non-malleable encryption scheme, such as an IND-CCA2 secure symmetric-key encryption scheme denoted by SKE. Moreover, a random symmetric key κ is first generated, and the tuple c is then encrypted, i.e., we have ψ ← SKE.Enc(κ, c). The natural question is, then, how does one obtain κ? Note that both authorized aggregators and the recipient must be able to access κ. First, an appropriate means of access control can be employed to allow authorized aggregators to access κ, a subject that, as aforementioned, is outside the scope of this work. Secondly, and most importantly, the intended recipient must be able to access κ. The challenge arises for intermediate aggregators who need to encrypt a fresh κ under the recipient’s identity, which is hidden from them due to the desired property of anonymity. It is apparent from the proof of aggregation validity that the IBE scheme in which κ is encrypted must be secure against adaptive chosen ciphertext attacks. Aggregation validity is a property that is defined in the next section and informally means that no efficient adversary who is given an encryption of a message m and who is neither an authorized aggregator nor the intended recipient can produce a valid ciphertext that encrypts a targeted modification of m, that is, t · m for some a priori decided t ≠ 1_M.
We now formalize the identity-based anonymous aggregation (IBAA) in a simplified form where the authorization of aggregators is based on symmetric encryption, which is sufficient for our purposes, but we note this may be replaced with a more complex form of access control accommodated by a more generalized definition.
Definition 5. 
An identity-based anonymous aggregation (IBAA) protocol P consists of the following PPT algorithms:
  • Setup(1^λ): On input of a security parameter λ, generate public parameters PP and master secret key MSK. Output (PP, MSK).
  • KeyGen(MSK, id): On input of a master secret key MSK and an identity id, output a secret key sk_id for identity id.
  • Authorize(sk_{id̃}): On input of a secret key sk_{id̃} for identity id̃, output an authorization key that permits aggregation on ciphertexts generated by a source (sender) with identity id̃.
  • Enc(PP, sk_{id̃}, id, m): On input of public parameters PP, a secret key sk_{id̃} for the source (sender) whose identity is id̃, a recipient identity id and a message m ∈ M, produce a ciphertext c that encrypts m under identity id and output c.
  • Dec(sk_id, c): On input of a secret key sk_id for identity id and a ciphertext c, output a message m ∈ M if c is a valid ciphertext for identity id; otherwise, output ⊥.
  • Aggregate(PP, sk_{id̃}, (ak_1, c_1), (ak_2, c_2)): On input of public parameters PP, the aggregator’s secret key sk_{id̃} for their identity id̃ and two ciphertexts c_1 and c_2 with corresponding authorization keys ak_1 and ak_2 (it may be the case that ak_1 = ak_2) that permit aggregation, if ak_1 permits aggregation on c_1 and ak_2 permits aggregation on c_2, then output c' such that Dec(sk_id, c') = Dec(sk_id, c_1) * Dec(sk_id, c_2) for some operation * (typically for an abelian group). Otherwise, output ⊥. Additionally, in order to perform aggregation on c', a party needs an authorization key from id̃.
This primitive is very similar to homomorphic IBE, except there are a few notable differences. First, only senders who are authorized by the TA can encrypt messages, which can be decrypted by the recipient if they have received a secret key from the TA for their identity. Secondly, aggregation is possible on a sender’s ciphertext only if the aggregator has received an authorization key from the sender.  
Correctness: 
For i ∈ {1, 2}, all (PP, MSK) ← Setup(1^λ), all identities id_i^* ∈ I (senders), id̄ ∈ I (aggregator) and id ∈ I (recipient), all sk_{id_i^*} ← KeyGen(MSK, id_i^*), all sk_{id̄} ← KeyGen(MSK, id̄), all sk_id ← KeyGen(MSK, id), all m_i ∈ M, all c_i ← Enc(PP, id_i^*, id, m_i) and any ak_i, we have
$$\mathsf{Dec}\big(sk_{id}, \mathsf{Aggregate}(PP, sk_{\bar{id}}, (ak_1, c_1), (ak_2, c_2))\big) = m_1 * m_2$$
iff ak_i ← Authorize(sk_{id_i^*}) (except with negligible probability), where I is the identity space. More precisely, the second part of the iff in the above condition is actually a security condition, which we now treat on its own.
Definition 6. 
An IBAA scheme is said to satisfy (selective) aggregation validity if for all t ≠ 0_M, the advantage of any PPT adversary A = (A_1, A_2) is negligible in the security parameter, where the advantage is defined as follows:
$$\mathrm{Adv}_{\mathcal{A},\mathrm{AV}} = \Pr\Big[\mathsf{Dec}(sk_{id}, c') = t * m \;:\; (PP, MSK) \leftarrow \mathsf{Setup}(1^\lambda),\ (\tilde{id}, id) \leftarrow \mathcal{A}_1(1^\lambda),\ m \leftarrow_{\$} \mathcal{M},\ sk_{\tilde{id}} \leftarrow \mathsf{KeyGen}(MSK, \tilde{id}),\ sk_{id} \leftarrow \mathsf{KeyGen}(MSK, id),\ c \leftarrow \mathsf{Enc}(PP, sk_{\tilde{id}}, id, m),\ c' \leftarrow \mathcal{A}_2^{\mathcal{O}}(PP, c)\Big]$$
where O = KeyGen(MSK, ·), except that queries cannot be made for the identities id̃ and id. It is assumed that |M| is exponentially large and the min-entropy of M is sufficiently higher than the security parameter.
Definition 7. 
An IBAA scheme is said to satisfy (selective) strong unlinkability if the advantage of any PPT adversary A = (A_1, A_2) is negligible in the security parameter, where the advantage is defined as follows:
$$\begin{aligned}
\mathrm{Adv}_{\mathcal{A},\mathrm{UL}} = \Big|\ &\Pr\Big[\mathcal{A}_2^{\mathcal{O}}(PP, c, c', c'') \to 1 \;:\; (PP, MSK) \leftarrow \mathsf{Setup}(1^\lambda),\ (\tilde{id}, \tilde{id}', \tilde{id}'', m, m', id) \leftarrow \mathcal{A}_1(1^\lambda),\\
&\quad sk_{\tilde{id}} \leftarrow \mathsf{KeyGen}(MSK, \tilde{id}),\ sk_{\tilde{id}'} \leftarrow \mathsf{KeyGen}(MSK, \tilde{id}'),\ sk_{\tilde{id}''} \leftarrow \mathsf{KeyGen}(MSK, \tilde{id}''),\\
&\quad ak \leftarrow \mathsf{Authorize}(sk_{\tilde{id}}),\ ak' \leftarrow \mathsf{Authorize}(sk_{\tilde{id}'}),\ c \leftarrow \mathsf{Enc}(PP, sk_{\tilde{id}}, id, m),\ c' \leftarrow \mathsf{Enc}(PP, sk_{\tilde{id}'}, id, m'),\\
&\quad c'' \leftarrow \mathsf{Aggregate}(PP, sk_{\tilde{id}''}, (ak, c), (ak', c'))\Big]\\
- &\Pr\Big[\mathcal{A}_2^{\mathcal{O}}(PP, c, c', c'') \to 1 \;:\; (PP, MSK) \leftarrow \mathsf{Setup}(1^\lambda),\ (\tilde{id}, \tilde{id}', \tilde{id}'', m, m', id) \leftarrow \mathcal{A}_1(1^\lambda),\\
&\quad sk_{\tilde{id}} \leftarrow \mathsf{KeyGen}(MSK, \tilde{id}),\ sk_{\tilde{id}'} \leftarrow \mathsf{KeyGen}(MSK, \tilde{id}'),\ sk_{\tilde{id}''} \leftarrow \mathsf{KeyGen}(MSK, \tilde{id}''),\\
&\quad ak \leftarrow \mathsf{Authorize}(sk_{\tilde{id}}),\ ak' \leftarrow \mathsf{Authorize}(sk_{\tilde{id}'}),\ c \leftarrow \mathsf{Enc}(PP, sk_{\tilde{id}}, id, m),\ c' \leftarrow \mathsf{Enc}(PP, sk_{\tilde{id}'}, id, m'),\\
&\quad c'' \leftarrow \mathsf{Enc}(PP, sk_{\tilde{id}''}, id, m * m')\Big]\ \Big|
\end{aligned}$$
where O = KeyGen(MSK, ·); note that queries can be made for identity id.
Definition 8. 
An IBAA scheme is said to be one-way anonymous if the advantage of any PPT adversary A = (A_1, A_2) is negligible in the security parameter, where the advantage is defined as follows:
$$\mathrm{Adv}_{\mathcal{A},\mathrm{OW\text{-}ANON}} = \Pr\Big[\mathcal{A}_2^{\mathcal{O}}(PP, c) \to id \;:\; (PP, MSK) \leftarrow \mathsf{Setup}(1^\lambda),\ (\tilde{id}, m) \leftarrow \mathcal{A}_1(1^\lambda),\ id \leftarrow_{\$} \mathcal{I},\ sk_{\tilde{id}} \leftarrow \mathsf{KeyGen}(MSK, \tilde{id}),\ c \leftarrow \mathsf{Enc}(PP, sk_{\tilde{id}}, id, m)\Big]$$
where O = KeyGen(MSK, ·). It is assumed that I is exponentially large and the min-entropy of I is sufficiently higher than the security parameter.

6. Construction of IBAA

We now present a construction of the primitive defined in Section 5. Our construction requires an anonymous homomorphic IBE scheme E_m for the plaintext values, a collision-resistant hash function family, a symmetric encryption scheme E_SKE, a PRF and an anonymous IBE E_k for encrypting the keys. Let ℋ be a family of collision-resistant hash functions. Our IBAA scheme is shown in Algorithm 4.
Algorithm 4 Our IBAA scheme—first five algorithms.
    Agg.Setup(1^λ):
       K ← PRF.Gen(1^λ)
       (PP_IBE, MSK_IBE) ← E_m.Setup(1^λ)
       (PP'_IBE, MSK'_IBE) ← E_k.Setup(1^λ)
       H ←$ ℋ
      Return (PP := (H, PP_IBE, PP'_IBE), MSK := (K, MSK_IBE, MSK'_IBE))
    Agg.KeyGen(MSK, id):
       r_α ← PRF.Eval(K, id ‖ A)
       α_id ← E_SKE.Gen(1^λ; r_α)
       sk_IBE ← E_m.KeyGen(MSK_IBE, id)
       sk'_IBE ← E_k.KeyGen(MSK'_IBE, id)
      Return sk_id := (α_id, sk_IBE, sk'_IBE)
    Agg.Authorize(sk_{id̃}):
       (α_{id̃}, sk_IBE, sk'_IBE) ← sk_{id̃}
      Return ak_{id̃} := α_{id̃}
    Agg.Enc(PP, sk_{id̃}, id, m):
       (α_{id̃}, sk_IBE, sk'_IBE) ← sk_{id̃}
       κ ← E_SKE.Gen(1^λ)
       h ← H(id)
       c_1 ← E_SKE.Enc(α_{id̃}, κ)
       c_2 ← E_k.Enc(PP'_IBE, id, κ)
       v ← E_m.Enc(PP_IBE, id, m)
       z ← E_m.Enc(PP_IBE, id, 1_M)
       c_3 ← E_SKE.Enc(κ, (h, v, z))
      Return c := (c_1, c_2, c_3)
    Agg.Dec(sk_id, c):
       (α_id, sk_IBE, sk'_IBE) ← sk_id
       κ ← E_k.Dec(sk'_IBE, c_2)
       t ← E_SKE.Dec(κ, c_3)
      If t = ⊥:
         Return ⊥
       (h, v, z) ← t
       m ← E_m.Dec(sk_IBE, v)
      Return m
We now prove an important result.
Theorem 3. 
Assuming E_k is IND-ID-RCCA secure and SKE is IND-CCA2 secure, then the IBAA scheme in Algorithm 4 satisfies aggregation validity.
Proof. 
We prove the theorem via a hybrid argument. To avoid repetition and to make the analysis more concise, we describe some notation for things that are common to all steps in the argument. For each step, we need to construct a simulator that uses an adversary A against selective aggregation validity in either the hybrid from the step in question or the previous hybrid to attack the security of one of the underlying primitives. However, the security games for each of these primitives involve an adversary outputting a guess bit, whereas adversary A outputs a ciphertext c'. Therefore, an essential part of the reduction is to show how we convert this ciphertext c' into a bit b ∈ {0, 1} such that either b or its complement can be sent to the challenger to break the security of the underlying primitive. For the sake of brevity in the reductions below, we simply describe how b is computed from c'.
  • Hybrid 0: This is the real system.
  • Hybrid 1: In this hybrid, we change c_1 to the encryption of a uniformly random and independent element.
  Indistinguishability follows from the IND-CCA2 security of the symmetric encryption scheme. The reduction, in this case, is straightforward.
  • Hybrid 2: In this hybrid, we change the c_2 component of the ciphertext to an encryption of a random element drawn from the message space of the E_k scheme. Therefore, instead of encrypting κ, we encrypt a random element ρ.
  We can use an adversary that has a non-negligible advantage distinguishing between Hybrids 0 and 1 to construct an adversary that has a non-negligible advantage against the IND-ID-RCCA security of E_k. The reduction is as follows. First, we run A_1 to obtain (id̃, id). We sample m ←$ M. We run Setup and all steps of the encryption algorithm except the step that generates c_2. Therefore, we, for example, generate κ, c_1 and c_3. We set μ_0 ← κ and μ_1 ← ρ, where ρ is a uniform random element in the message space of E_k, and send the pair of messages (μ_0, μ_1) to the IND-ID-RCCA challenger. We receive a challenge ciphertext e, and we set c_1 ← e and set c ← (c_1, c_2, c_3). Then we run A_2 with the public parameters and ciphertext c and obtain c'. We parse c' as (c'_1, c'_2, c'_3). Then the reduction sends c'_1 to the IND-ID-RCCA decryption oracle, and if the oracle responds with test, then we check whether c'_3 is decryptable with κ or ρ and let μ be the tuple obtained; or else, if the oracle responds with a plaintext k, we check whether c'_3 is decryptable with k and set μ to be the tuple returned. Otherwise, we set μ ← ⊥. Finally, the guess bit b is computed as b ← [μ ≠ ⊥ ∧ E_m.Dec(sk_IBE, μ.v) = m * t], where sk_IBE is the key we have derived in the simulation. Indistinguishability follows from the IND-ID-RCCA security of E_k.
  • Hybrid 3: In this hybrid, we change the c_3 component of the ciphertext to an encryption of a random element drawn from the message space of the SKE scheme.
  In the reduction, we parse c' as (c'_1, c'_2, c'_3) and decrypt c'_2 with the secret key derived in the simulation to obtain κ. If κ decrypts c'_3, set μ to the resulting tuple. Otherwise, send c'_3 to the IND-CCA2 decryption oracle and set μ to the response. Finally, the guess bit b is computed as b ← [μ ≠ ⊥ ∧ E_m.Dec(sk_IBE, μ.v) = m * t], where sk_IBE is the key we have derived in the simulation. Indistinguishability follows from the IND-CCA2 security of the SKE scheme.
The adversary has a negligible advantage in this game since the ciphertext c does not contain any information about m. The result follows.    □
We have omitted the aggregation algorithm from Algorithm 4 since this varies depending on whether we target the P-type or F-type setting. Our goal is to achieve strong unlinkability, aggregation validity and (one-way/full) anonymity in the (P-type/F-type) settings.

6.1. P-Type Setting

We can, however, readily obtain strong unlinkability together with aggregation validity in the P-type setting of one-way anonymity, which we will now describe. Unfortunately, our approach is inherently restricted to one-way anonymity, leaving open the problem of achieving strong unlinkability and aggregation validity in the F-type setting of full anonymity; we will tackle this problem later. Our approach for the P-type setting involves instantiating E_k with an IND-ID-CCA2 secure IBE scheme. The hash of the target identity h in the tuple encrypted by c_3 is used as an identity string; that is, c_2 is an encryption with E_k under identity string h of the symmetric key κ. The ciphertext component c_3 is an encryption of the tuple (h, v, z). The aggregation algorithm for our IBAA scheme in this setting is given in Algorithm 5.
Algorithm 5 Our IBAA scheme aggregation algorithm for P-type setting.
    Agg.Aggregate(PP, sk_{id̃}, (ak, (c_1, c_2, c_3)), (ak', (c'_1, c'_2, c'_3))):
       (α_{id̃}, sk_IBE, sk'_IBE) ← sk_{id̃}
       α ← ak
       α' ← ak'
       κ ← E_SKE.Dec(α, c_1)
       κ' ← E_SKE.Dec(α', c'_1)
      If κ = ⊥ or κ' = ⊥:
         Output ⊥
       (h, v, z) ← E_SKE.Dec(κ, c_3)
       (h', v', z') ← E_SKE.Dec(κ', c'_3)
      If h ≠ h':
         Output ⊥
       s_1, s_2 ←$ Z_N
       v'' ← v * v' * z^{s_1}
       z'' ← z^{s_2}
       κ'' ← E_SKE.Gen(1^λ)
       c''_1 ← E_SKE.Enc(α_{id̃}, κ'')
       c''_2 ← E_k.Enc(PP'_IBE, h, κ'')
       c''_3 ← E_SKE.Enc(κ'', (h'' := h, v'', z''))
      Return (c''_1, c''_2, c''_3)

6.2. F-Type Setting

Now, we turn our attention to the more challenging problem of obtaining aggregation validity together with strong unlinkability in the F-type setting of full anonymity. We observe that we can solve this problem with (identity-based) fully homomorphic encryption (FHE). The idea is to encrypt the hash h with an identity-based FHE scheme to obtain a ciphertext ψ_h and place ψ_h in the tuple (h, v, z) instead of h. The aggregator can then homomorphically produce an encryption of a fresh key under identity h by performing homomorphic evaluation on ψ_h. The additional expense of homomorphic evaluation aside, the major prohibitive factor of this approach is the fact that bootstrapping is necessary to achieve unlinkability, and this requires us to make a circular security assumption. Hence we seek to solve the problem in an alternative way, avoiding FHE and bootstrapping.
Instead, we rely on an IND-ID-RCCA secure IBE scheme that is both anonymous and satisfies strong unlinkability, with the ability to generate rerandomizable anonymous encryption keys for a particular identity. We make use of our anonymous IBE scheme from the previous section to fulfill our requirements. Recall that this scheme comes with two useful algorithms:
  • GenAnonKey(PP, id)
  • RerandomizeKey(PP, AnK)
Given the public parameters and an identity string, algorithm GenAnonKey generates an anonymous key AnK, which hides the identity and can be used to encrypt a message for that identity. The second algorithm, RerandomizeKey, given the public parameters and an anonymous key, derives an unrelated anonymous key for the same identity such that no party can link the keys and determine that they are related (i.e., have the same intended recipient). The anonymous key is prepended to every ciphertext generated with it, so it is advantageous to rerandomize it so that the ciphertexts are not linked to each other. Algorithm 6 shows how this algorithm is used in our IBAA scheme’s aggregation algorithm for the F-type setting. Note that although we do not show it, it is also necessary to slightly modify the encryption and decryption algorithms of our IBAA scheme to accommodate the F-type setting.
Algorithm 6 Our IBAA scheme aggregation algorithm for F-type setting.
    Agg.Aggregate(PP, sk_{id̃}, (ak, ct), (ak', ct')):
       (α_{id̃}, sk_IBE, sk'_IBE) ← sk_{id̃}
       (c_1, c_2 := (AnK, ψ), c_3) ← ct
       (c'_1, c'_2 := (AnK', ψ'), c'_3) ← ct'
       α ← ak
       α' ← ak'
       κ ← E_SKE.Dec(α, c_1)
       κ' ← E_SKE.Dec(α', c'_1)
      If κ = ⊥ or κ' = ⊥:
         Output ⊥
       (v, v̄, z) ← E_SKE.Dec(κ, c_3)
       (v', v̄', z') ← E_SKE.Dec(κ', c'_3)
       s_1, s_2, s_3 ←$ Z_N
       v'' ← v * v' * z^{s_1}
       v̄'' ← v̄ * v̄' * z^{s_2}
       z'' ← z^{s_3}
       κ'' ← E_SKE.Gen(1^λ)
       c''_1 ← E_SKE.Enc(α_{id̃}, κ'')
       AnK'' ← RerandomizeKey(PP'_IBE, AnK)
       c''_2 ← (AnK'', E_k.Enc(PP'_IBE, AnK'', κ''))
       c''_3 ← E_SKE.Enc(κ'', (v'', v̄'', z''))
      Return (c''_1, c''_2, c''_3)

Author Contributions

Cryptography, M.C.; project supervision, H.T. All authors have read and agreed to the published version of the manuscript.

Funding

This research received funding from ADAPT, grant number 13/RC/2106_P2, and CONNECT, grant number 13/RC/2077_P2.

Data Availability Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

Abbreviations

The following abbreviations are used in this manuscript:
IBE  Identity-Based Encryption
TA   Trusted Authority
