Identity Based Encryption (IBE) has been constructed from bilinear pairings, lattices and quadratic residuosity. The latter is an attractive basis for an IBE owing to the fact that it is a well-understood hard problem from number theory. Cocks constructed the first such scheme, and subsequent improvements have been made to achieve anonymity and improve space efficiency. However, the anonymous variants of Cocks' scheme thus far are all less efficient than the original. In this paper, we present a new universallyanonymous IBE scheme based on the quadratic residuosity problem. Our scheme has better performance than the universally anonymous scheme from Ateniese and Gasti (CT-RSA 2009) at the expense of more ciphertext expansion. Another contribution of this paper is a modification to a variant of the space-efficient scheme by Boneh, Gentry and Hamburg (FOCS 07) that results in an IND-ID-CPA secure IBE scheme with comparable efficiency to Cocks, but with reduced ciphertext expansion. This is an extended version of a paper that appeared at Africacrypt 2014 [1]. The author's work is funded by the Irish Research Council EMBARK Initiative.to encrypt a 128-bit symmetric key; note that IBE is typically used as part of a KEM-DEM). While this is still practical, it is desirable to obtain an anonymous IBE from quadratic residuosity whose performance is on par with the original Cocks scheme, especially for time-critical applications.
Universal AnonymityAteniese and Gasti's scheme also enjoys the property of universal anonymization, first introduced at Asiacrypt 2005 by Hayashi and Tanaka [13]. This property allows any party to anonymize a ciphertext without access to the secret key of the recipient. An illustrative application involves disparate systems distinguished by whether they need to know the intended recipient of encrypted data. Regulations may stipulate that some systems learn the recipient's identity. At some suitable point prior to sending the encrypted data to less trusted systems, the encrypted data can be anonymized by any party without knowledge of the secret key.