Abstract
Anonymity of identity-based encryption (IBE) means that given a ciphertext, one cannot distinguish the target identity from a random identity. In this paper, we thoroughly discuss the anonymity of IBE systems. We found that the current definition of anonymity is obscure when describing some IBE systems, such as the Gentry IBE system. Furthermore, the current definition cannot express the degree of anonymity. So we divide the degree of anonymity into weak anonymity and strong anonymity based on indistinguishability between different games. For weakly anonymous IBE systems, the target identity in a ciphertext cannot be distinguished from a random identity. For strongly anonymous IBE systems, the whole ciphertext cannot be distinguished from a random tuple. We also discuss the type of anonymity and divide it into two types. Type 1 means that a random tuple can be seen as a valid ciphertext, while type 2 means that it cannot. Based on our new definitions, we show that three famous IBE systems, the Gentry IBE system, the Boyen-Waters IBE system, and the Lewko IBE system, have strong but different types of anonymity.
Highlights
Shamir [1] proposed the concept of identity-based encryption (IBE) in 1984 to simplify the public key infrastructure.
We found that the current definition of anonymity is obscure when describing some IBE systems, such as the Gentry IBE system [9].
For strongly anonymous IBE systems, the whole ciphertext cannot be distinguished from a random tuple.
Summary
Shamir [1] proposed the concept of identity-based encryption (IBE) in 1984 to simplify the public key infrastructure. Boyen and Waters [8] gave the first construction of anonymous IBE in the standard model under the decisional bilinear Diffie-Hellman (BDH) and decisional linear assumptions. Another efficient construction of anonymous IBE in the standard model was proposed by Gentry [9], but it is proven secure under a dynamic and complicated assumption. When an “anonymous” IBE system is constructed, we should prove its anonymity. It seems that to prove anonymity for IBE systems, we only need to prove that we cannot distinguish the target identity from the challenge ciphertext in the security game for anonymity. Weak anonymity equals the current definition of anonymity, in which the target identity for a ciphertext cannot be distinguished from a random identity.