Anonymous Homomorphic IBE with Application to Anonymous Aggregation

: All anonymous identity-based encryption (IBE) schemes that are group homomorphic (to the best of our knowledge) require knowledge of the identity to compute the homomorphic operation. This paper is motivated by this open problem, namely to construct an anonymous group-homomorphic IBE scheme that does not sacriﬁce anonymity to perform homomorphic operations. Note that even when strong assumptions, such as indistinguishability obfuscation (iO), are permitted, no schemes are known. We succeed in solving this open problem by assuming iO and the hardness of the DBDH problem over rings (speciﬁcally, Z N 2 for RSA modulus N ). We then use the existence of such a scheme to construct an IBE scheme with re-randomizable anonymous encryption keys, which we prove to be IND-ID-RCCA secure. Finally, we use our results to construct identity-based anonymous aggregation protocols.


Introduction
The problem we tackle in this paper relates to a primitive known as identity-based group homomorphic encryption (IBGHE), which is defined in [1]. Basically, IBGHE is identity-based encryption that is homomorphic for some group operation, and the ciphertext space for every identity forms a group. Moreover, the decryption function is a group homomorphism between the ciphertext group and the plaintext group. GHE has several applications, discussed in [1], and an IBGHE facilitates those applications in an identity-based infrastructure.
It is an open problem to construct an IBGHE that is simultaneously anonymous and homomorphic for addition. There are only two IBGHE schemes that support modular addition to the best of our knowledge, namely the XOR-homomorphic variant of the Cocks IBE scheme in [1] and the more recent IBGHE scheme from [2] that is homomorphic for addition modulo smooth square-free integers. Now, Joye has discovered that the Cocks IBE scheme itself is XOR-homomorphic [3], but the scheme is not an IBGHE since the ciphertext space with the homomorphic operation forms a quasigroup and not a group. Some readers might wonder about schemes that are considered multiplicatively homomorphic, which allow addition in the exponent, and question why we do not classify them as IBGHE schemes for addition. The reason is that the corresponding additive group has exponential order, and decryption can only recover messages using Pollard's lambda algorithm that are less than some polynomial bound, so the valid message space does not form an additive group. Now the two IBGHE schemes supporting modular addition that we are aware of are not anonymous, but there are variants of these schemes that achieve anonymity. However, although such schemes gain anonymity, they lose the homomorphic property. Most usually, we need to know the identity associated with a ciphertext in order to correctly compute the homomorphic operation, and so when the identity is hidden from us, as it is when the scheme is anonymous, we cannot compute the homomorphic operation. Therefore, in a nutshell, the open problem we address in this paper is to construct an IBGHE for addition that is anonymous while retaining the homomorphic operation. Note that while we have concentrated on GHE, it is important to point out that there are no other additively homomorphic schemes (such as quasigroup homomorphic schemes, such as Cocks, as observed by Joye) that achieve simultaneous anonymity and the ability to carry out the homomorphic operation without knowing the identity associated with a ciphertext. Of course, our focus is not on bounded homomorphisms, such as LWE-based schemes that incorporate noise, but instead on those with an algebraic structure and support for a theoretically unbounded number of operations. One of the reasons we opt for GHE over linearly homomorphic LWE-based schemes is that the former enjoy the desired property of strong unlinkability; that is, an evaluated ciphertext is distributed the same as a fresh ciphertext in the view of the key holder (recipient), whereas LWE-based schemes achieve this only by requiring an expensive bootstrapping operation and making a circular security assumption.

Motivation and Applications
Beyond theoretical interest, there are applications that motivate consideration of this open problem. We construct an anonymous IBE using an anonymous IBGHE as a building block. We prove this scheme IND-ID-RCCA secure (note that RCCA is a slight relaxation of CCA2). Our anonymous IBE scheme has two interesting properties. First, it allows one to generate anonymous keys associated with a particular identity. Therefore, an encryptor can encrypt a message using an anonymous key for some unknown recipient. Secondly, such keys can be rerandomized such that the resulting anonymous key is computationally unlinkable to the original anonymous key. This finds an immediate application in anonymous aggregation, as we describe below.
Consider the following application scenario. Suppose we have a collection of sensor nodes that collect data and send it to a central server. Suppose the data are numerical measurements, and there are different recipients depending on external factors. Each sensor data encrypts a measurement with the recipient's identity and sends it en route to the central server. It is desirable that ciphertexts that are seen by potential adversaries do not reveal the associated recipient's identity. Along the route there are nodes that function as aggregators that can be authorized independently by each sensor node to aggregate the data coming from that sensor node. If a sensor node give authorization to the aggregator, then the aggregator should be able to aggregate data for the same recipient coming from any of the sensor nodes that have given authorization. Addition (summation) is a common type of aggregation since perhaps only an average measurement is needed by the recipient. To fulfill this application scenario, we need an IBE scheme that is anonymous and homomorphic for addition, where the homomorphic operation can be computed without knowing the recipient's identity.
Consider two senders that produce ciphertexts for the recipient id. Both of them send their respective authorization keys to an aggregator whose identity isī d, they perform aggregation on the two ciphertexts and send the result on to a second aggregator. The second aggregator should not be able to perform aggregation with the result unless they are given an authorization key fromī d. However, the recipient should be able to decrypt all such ciphertexts intended for them, including the result of the aggregation. Now the issue is that the recipient's identity is hidden from the aggregators. However, the result of their aggregation needs to be decryptable by the recipient id and also "fresh", such that the second aggregator, who may be authorized by the original senders, but not authorized by the first aggregator, should not be able to perform aggregation on the result. We describe our approach to solving this problem below.

Our Results
We present a feasibility result in this work of an additively homomorphic IBGHE that is both anonymous and supports the evaluation of the homomorphic operation without knowing a user's identity. Our construction is based on iO and the hardness of DDH in elliptic curves over Z N 2 where N is an RSA modulus. These are strong assumptions but we make headway on this open problem. Elliptic curves over rings have been less widely studied; Pailler [4] introduced the types of curves we use in this paper, which are over the ring Z N 2 , while Peter et al. [5] describe a specific class of curves that are suitable to instantiate our construction. Furthermore, iO has not been realized from standard assumptions, although there have been several recent advances in constructing iO from quite different approaches under different assumptions, which gives us more confidence that iO exists. To obtain our feasibility result, we first borrow an idea from [6] to leverage obfuscation to map an identity string to a freshly generated public key of some encryption scheme. In fact, abstracting for a moment from the specific construction, we will describe the high-level paradigm. As part of the public parameters, we have an obfuscated program that maps an identity to a public key in some multi-user system with public parameters. The public keys in a multi-user system share the same set of common public parameters-think of the generator g and modulus p in ElGamal [7] as the common public parameters, except ElGamal is of no use here since it is only multiplicatively homomorphic. Nevertheless, ElGamal serves to illustrate another property that this paradigm requires, namely that the multi-user system supports key privacy where key privacy can be viewed as the analog to anonymity in the identity-based setting; that is, the ciphertexts in the multi-user system do not reveal the public key they are associated with, which is the case in ElGamal. We are using the term multi-user system in a broad sense here, permitting both the case where we have a trusted authority and the case where we do not. In the former, the public parameters are generated by a trusted authority with a backdoor (master secret key) such that the trusted authority can decrypt any ciphertext. In our paradigm, the public parameters of the multi-user system will be generated by the trusted authority of the IBE scheme and published as part of the IBE scheme's public parameters. Therefore, we need the multi-user system to be both key-private and additively homomorphic, where the homomorphic operation can be computed without knowing the public key associated with a ciphertext. The fundamental question is: can we concretely realize a multi-user system that has both key privacy and an additive homomorphism. We can answer this question in the affirmative by using a variant of the Paillier scheme based on elliptic curves over rings that is presented in [5], which is a multi-user system supporting homomorphic addition modulo a large semiprime N and for which we can easily show that key privacy holds assuming the hardness of DDH in elliptic curves over Z N 2 .

Anonymous IBE with Rerandomizable Anonymous Keys
Next, we present an anonymous IBE scheme based on the Boneh-Franklin scheme, which we prove IND-ID-RCCA secure. Our scheme requires an additively homomorphic anonymous IBE scheme as a building block (as described above and which we realize in Section 3). Our anonymous IBE scheme has two interesting properties. First, it allows one to generate anonymous keys associated with a particular identity. Therefore, an encryptor can encrypt a message using an anonymous key for some unknown recipient. Secondly, such keys can be rerandomized such that the resulting anonymous key is computationally unlinkable to the original anonymous key. One of the applications for this scheme is in realizing identity-based anonymous aggregation in Section 5. This is the first IBE scheme that is both anonymous and IND-ID-RCCA secure.

Identity-Based Anonymous Aggregation
In an identity-based anonymous aggregation (IBAA) protocol, every identity has an associated secret key derivable by the Trusted Authority with their master secret key. Every identity can issue an authorization key to an aggregator that allows the aggregator to perform aggregation on ciphertexts created by that identity, but for any recipient identity. We envisage that, in practice, more complex policies may be used to control authorization, which is beyond the scope of this work. Here we simply model authorization with symmetric keys. Therefore, a symmetric key functions as an authorization key that can be issued to aggregators. For every ciphertext, the encryptor generates a fresh symmetric key κ (effectively a session or transport key) and uses it to encrypt the IBE ciphertext that encrypts the message. This symmetric key κ is encrypted with the authorization key for the sender so that any party who is given this key can recover the IBE ciphertext that encrypts the message. However, the recipient must always be able to decrypt a ciphertext intended for them, irrespective of whether it has been given an authorization key (for aggregation) by the encryptor. To solve this problem, the ciphertext also incorporates an IBE encryption of κ so that the recipient can recover the IBE ciphertext that encrypts the message. One of the main challenges is in relation to aggregation. It is straightforward for the aggregator to evaluate the homomorphic operation on both IBE ciphertexts without knowing the recipient's identity (anonymous group-homomorphic IBE enables this). However, we must use a fresh symmetric key to encrypt this evaluated IBE ciphertext in order to ensure unlinkability. However, how do we encrypt this fresh key with the recipient's identity without knowledge of the identity so that they can decrypt the result of the aggregation? One solution to this is to use FHE and then rely on bootstrapping for unlinkability, but this requires us to make a circular security assumption, and, furthermore, bootstrapping in the identity-based settings requires strong assumptions, such as iO. Our solution is to use our anonymous IBE scheme with its rerandomizable anonymous keys (described above), and this solves all our problems (including strong unlinkability) while being more efficient than FHE and without the need for a circular security assumption. Furthermore, we rely on the IND-ID-RCCA security to prove a desirable property of aggregation validity whereby no party who has not been granted authorization as an aggregator can perform a pre-determined transformation of the plaintext.

Notation
A quantity is said to be negligible with respect to some parameter λ, written negl(λ), if it is asymptotically bounded from above by the reciprocal of all polynomials in λ.
For a probability distribution D, we denote by x ←$ D that x is sampled according to D. If S is a set, y ←$ S denotes that y is sampled from x according to the uniform distribution on S.
The support of a predicate f : A → {0, 1} for some domain A is denoted by supp( f ), and is defined by the set {a ∈ A : f (a) = 1}.

Identity-Based Encryption
Definition 1. An Identity-Based Encryption (IBE) scheme is a tuple of PPT algorithms (G, K, E, D) defined with respect to a message space M, an identity space I and a ciphertext spaceĈ as follows: On input (in unary) of a security parameter λ, generates public parameters PP and a master secret key MSK. Output (PP, MSK).

• K(MSK, id):
On input of the master secret key MSK and an identity id ∈ I: a secret key sk id for identity id is derived and output.
• E(PP, id, m): On input of public parameters PP, an identity id ∈ I, and a message m ∈ M, a ciphertext c ∈ C ⊆Ĉ that encrypts m under identity id is output.
• D(sk id , c): On input of a secret key sk id for identity id ∈ I and a ciphertext c ∈Ĉ, a m is output if c is a valid encryption under identity id; otherwise, a failure symbol ⊥ is output.

Public-Key GHE
An important subclass of partial homomorphic encryption is the class of public-key encryption schemes that admit a group homomorphism between their ciphertext space and plaintext space. This class corresponds to what is considered "classical" HE [8], where a single group operation is supported, most usually, addition. Gjøsteen [9] examined the abstract structure of these cryptosystems in terms of groups and characterized their security as relying on the hardness of a subgroup membership problem. Armknecht, Katzenbeisser and Peter [8] rigorously formalized the notion and called it group homomorphic encryption (GHE). We recap with the formal definition of GHE by Armknecht, Katzenbeisser and Peter [8].
Definition 2 (GHE, Definition 1 in [8]). A public-key encryption scheme E = (G, E, D) is called group homomorphic, if for every (pk, sk) ← G(1 λ ), the plaintext space M and the ciphertext spaceĈ (written in multiplicative notation) are non-trivial groups such that the decryption onĈ \ C returns the symbol ⊥.

Definition 3 (Identity-Based Group Homomorphic Encryption (IBGHE), Based on [1]).
Let E = (G, K, E, D) be an IBE scheme with message space M, identity space I and ciphertext space C. The scheme E is group homomorphic if, for every (PP, MSK) ← G(1 λ ), every id ∈ I, and every sk id ← K(MSK, id), the message space (M, ·) is a non-trivial group, and there is a binary operation * : C 2 → C such that the following properties are satisfied for the restricted ciphertext space C id = {c ∈ C : D sk id (c) = ⊥}:

GH.1:
The set of all encryptions C id = {c | c ← E(PP, id, m), m ∈ M} ⊆ C id is a non-trivial group with respect to the operation * .

GH.2:
The restricted decryption D * sk id We are interested in schemes whose plaintext space forms a group and which allow the operation to be homomorphically applied an unbounded number of times. There exist schemes, however, that do not satisfy all the requirements of GHE, namely their ciphertext space does not form a group but instead forms a quasigroup (a group without associativity), such as the Cocks' IBE [10], which was shown to be inherently XOR-homomorphic by Joye [3].

Multi-User Encryption
A multi-user encryption (MUE) scheme is an abstraction from a class of public-key encryption schemes where the public keys of users share common public parameters, whose generation may or may not include a trusted setup, in which case a Trusted Authority (TA) may hold a master decryption key that enables them to decrypt the ciphertexts of any user. An instance of MUE is ElGamal, which does not require a trusted setup or involve a Trusted Authority with a "backdoor", whereas another instance of an MUE is a public-key encryption scheme with a double decryption mechanism (DD-PKE), as defined by Galindo and Herranz [11] where the public parameters are generated along with a master secret key by a TA.
An MUE is a tuple of PPT algorithms (Setup, KeyGen, Enc, Dec, mDec) with plaintext space M and ciphertext space C, defined as follows: • Setup(1 λ ): takes as input a security parameter λ and outputs a pair (PP, MSK) consisting of public parameters PP and an optional master secret key MSK, which may be set to ⊥, • KeyGen(PP): takes as input the public parameters PP and outputs a pair of public/private keys (pk, sk). • Enc(PP, pk, m): takes as input the public parameters PP, a user's public key pk and a message m ∈ M, and outputs a ciphertext c ∈ C ⊆ C. • Dec(PP, sk, c): takes as input the public parameters PP, a secret key sk and a ciphertext c ∈ C, and outputs either a plaintext m ∈ M or ⊥ if decryption fails. • mDec(PP, MSK, pk, c): takes as input the public parameters PP, the master secret key MSK, a user's public key pk and a ciphertext c ∈ C and outputs either a plaintext m ∈ M or ⊥ if decryption fails or MSK = ⊥.

Elliptic Curves over Rings
). If N = pq is some RSA modulus, i.e., p and q are primes of about the same bit length λ, then there is an efficient construction of elliptic curves E : ) has at least two large (of about the same size as p and q) prime factors.

Indistinguishability Obfuscation
Definition 4 (Indistinguishability Obfuscation). (Based on Definition 7 from ( [12]) A uniform PPT machine iO is called an indistinguishability obfuscator for every circuit class {C κ } if the following two conditions are met: • Correctness: For every κ ∈ N, for every C ∈ C κ , for every x in the domain of C, we have that • Indistinguishability: For every κ ∈ N, for all pairs of circuits C 0 , C 1 ∈ C κ , if C 0 (x) = C 1 (x) for all inputs x, then for all PPT adversaries A, we have:

Puncturable Pseudorandom Function
A puncturable pseudorandom function (PRF) is a constrained PRF (Key, Eval) with an additional PPT algorithm Puncture. Let n(·) and m(·) be polynomials. Our definition here is based on Section 2.5 of [6]. A PRF key K is generated with the PPT algorithm Key, which takes as input the security parameter κ. The Eval algorithm is deterministic, and on input of a key K and an input string x ∈ {0, 1} n(κ) , outputs a string y ∈ {0, 1} m(κ) .

PKTK MUE Scheme
We now describe the cryptosystem from [5] that is an instance of an MUE and satisfies some interesting properties, including the fact that even the Trusted Authority cannot determine which user a ciphertext is created for (Property 3 [5]), so the scheme is anonymous even to the TA under the hardness of DDH in E(Z N 2 ). The scheme is very similar to Galbraith's elliptic-curve-based Paillier scheme [13]. • Setup(1 λ ) : On input of a security parameter λ, this algorithm generates an RSA modulus N = pq where p and q are primes of about the same bit length λ. Then it constructs an elliptic curve E : y 2 z = x 3 + axz 2 + bz 3 over Z N 2 such that E has the properties described in Proposition 1. Furthermore, it chooses a point Q = (x, y, z) ∈ E(Z N 2 ) whose order divides M = lcm(#E(Z p ), #E(Z q )).

Our Scheme
Our scheme is essentially the transformation in [6] applied to the MUE scheme above. We need to define a program F MapPK that is obfuscated as part of the public parameters. Let E be an MUE scheme such as the PKTK scheme above, which has message space Z N . The program F MapPK takes an identity id and maps it to the public key pk id .

3.
Output pk id Let E be the PKTK MUE scheme. Let iO be an indistinguishability obfuscator and let PRF be a puncturable PRF. We now define the construction.

Theorem 1. Assuming indistinguishability obfuscation and the hardness of DDH in E(Z N 2 ), AH is an anonymous and IND-ID-CPA secure IBE scheme.
Proof. The theorem follows as a consequence of Theorem 1 in [6], where the underlying public-key encryption scheme is replaced with the PKTK MUE scheme whose key privacy and semantic security rely on the hardness of DDH in E(Z N 2 ).
This simple construction serves mainly as a possible result for an anonymous homomorphic IBE where the homomorphic operation can be computed without knowing the identity associated with one or more ciphertexts. We leave the construction of more efficient and perhaps even practical schemes of this nature as an open problem.

Anonymous IBE with Rerandomizable Anonymous Encryption Keys
In this section, we present an anonymous IBE scheme that is a variant of Boneh-Franklin and show that it is both anonymous and IND-ID-RCCA secure. The scheme has two interesting properties: the generation of anonymous keys associated with a particular recipient identity and the rerandomization of such keys. In regard to the former, anonymous keys allow a party to encrypt a message for an unknown recipient; that is, the key hides the identity of the recipient. In regard to the rerandomization of these keys, a rerandomized key is computationally unlinkable to another anonymous key with the same associated identity. Therefore, two anonymous keys for the same identity, where one is obtained by rerandomizing the other, cannot be linked in any way. These properties are essential in our application of anonymous aggregation in the next section. Here, we observe that an essential building block of our construction is an anonymous homomorphic IBE for addition modulo N as realized in the previous section. In fact, an anonymous homomorphic IBE from LWE does not suffice here; a group homomorphic scheme appears to be necessary.

Our Construction
Let g ∈ G be a generator of a cyclic group G, and let g T ∈ G T be a generator of another cyclic group G T . Both groups are of order N, a large semiprime. Now let e : G × G → G T be a non-degenerate bilinear map between G and G T (the target group) such that g T = e(g, g). The notational convention we follow in this section is to write group elements using uppercase letters whose integer exponent with respect to the generator is the corresponding lowercase letter. Our construction is based around the Boneh-Franklin scheme. We now describe our construction, which serves to illustrate various concepts we would like to establish. Let H be a hash function modeled as a random oracle that maps identity strings to elements of G. The master secret key contains an integer s ←$ Z N chosen at setup while the public parameters contain S ← g s . The other building blocks are an anonymous group homomorphic IBE scheme E m that is homomorphic for addition modulo N, a NIZK and an IND-CCA2 secure symmetric encryption scheme. Consider a recipient identity id. Then we derive the public key for id as A ← H(id) ∈ G. The encryptor chooses a random integer r ←$ Z N and computesÂ ← A r . Then they compute ψ 1 ← E m .Enc(PP IBE , id, r) and z 1 ← E m .Enc(PP IBE , id, 1 M ). Subsequently, the encryptor chooses a random integer b ←$ Z N and computes B ← g b and ψ 2 ← PKE.Enc(pk T , b; ρ) for some randomness ρ. Finally, the encryptor generates a NIZK proof π that ψ 2 encrypts the discrete logarithm of B with respect to base g. We derive the symmetric key k ← e(Â b , S) ∈ G T and encrypt the message with the symmetric encryption scheme using the key k.
In the real mode, a decryptor with a secret key sk id := (S id := A s , sk IBE,id ← E m .KeyGen(MSK IBE , id)) for identity id, computes r ← E m .Dec(sk id , ψ 1 ) and k ← e(B, S id ) r ∈ G T . In the security proof, when we do not have access to S id , we alternatively derive k as follows. First, we decrypt ψ 2 with the trapdoor secret key to obtain b then we compute k ← e(Â b , S) ∈ G T .
To generate an anonymous key for an identity, consider the following algorithm: • GenAnonKey(PP, id): Return AnK := (Â, ψ, z) An anonymous key AnK lets a party encrypt messages for an unknown intended recipient, which is computationally hidden from the party.
To rerandomize an AnK generated as above, the following algorithm is used: • RerandomizeKey(PP, AnK): Return AnK := (Â , ψ , z ) The advantage of RerandomizeKey is that given an anonymous key derived with this algorithm from an original anonymous key; no party can link the keys and determine that they are related (i.e., have the same intended recipient). The anonymous key is preprended to every ciphertext generated with it, so, therefore, it is advantageous to rerandomize it so ciphertexts are not linked to each other.
We present the scheme formally now. Note that the encryption algorithm may alternatively accept an anonymous key AnK as input instead of a recipient identity.
Algorithm 1 formally describes the scheme.

Security
The scheme cannot be proved IND-ID-CCA2 secure in the conventional sense because the AnK portion of the ciphertext is malleable, and so too is the NIZK proof potentially (unless a non-malleable NIZK is used). We can, however, prove the scheme secure against an adaptive chosen ciphertext attack in a relaxed model, namely the notion IND-ID-RCCA .

Theorem 2.
Assuming E m is IND-ID-CPA secure, PKE is IND-CPA secure and NIZK is a sound and zero-knowledge NIZK, then our scheme is IND-ID-RCCA secure under the hardness of DBDH in the random oracle model.

Algorithm 1
Our IBE scheme with rerandomizable anonymous keys.
Hybrid 0: This is the real system that encrypts the challenge message m 0 . Let k be the symmetric key used to produce the symmetric ciphertext ψ 3 . Hybrid 1: The change we make in this hybrid is to how ψ 1 is generated. Instead of encrypting randomness r, we choose another uniform random element s and produce ψ 1 as an IBE encryption of s. We still use the previous symmetric key k to produce ψ 3 , which is a symmetric encryption of ψ 1 m 0 .
The indistinguishability between Hybrids 0 and 1 follows from the semantic security of the E m . In the reduction, we use the "trapdoor" mode discussed earlier to derive the symmetric key; that is, for a typical ciphertext, we decrypt ψ ! to obtain b and compute e(Â, S) b . When we decrypt ψ 3 , we check if the first component of the plaintext matches ψ 1 ; otherwise, we output ⊥. Secondly, if the second component is m 0 or m 1 , we output "test" as is required in IND-ID-RCCA. If the ciphertext we gave the adversary is queried for decryption, then we also output "test".

Hybrid 2:
The change we make in this hybrid is to how ψ 1 is generated. We compute it instead as an encryption of some uniformly random element z = b but still use k (as in the previous hybrid) to produce ψ 3 .
Hybrids 1 and 2 are indistinguishable from the IND-CCA2 security of PKE. In the reduction, we return the original approach (i.e., the "real" mode) to compute the symmetric key.

Hybrid 3:
The change we make in this hybrid is to generate the symmetric key uniformly at random.
The indistinguishability of Hybrids 2 and 3 follows from the hardness of DBDH.
The indistinguishability of Hybrids 3 and 4 follows from the iND-CCA2 security of the symmetric encryption scheme. We are now in a hybrid where the second challenge message m 1 is encrypted. The remaining hybrids reverse the changes in Hybrids 1-3 until we arrive at a hybrid that is the real system that encrypts the challenge message m 1 . This completes our proof. This is an immediate consequence of the semantic security and anonymity of E m .

Identity-Based Anonymous Aggregation
In an identity-based anonymous aggregation protocol, a collection of nodes encrypt data for different recipients and forward them to their neighbors. The intended recipient, along with an aggregator, is able to extract the following grouping, functional unit or "package", comprising the tuple (h, v, z), which we define momentarily. Let E be an anonymous IBGHE scheme (such as AH in Section 3), and let H be a collision-resistant function. Furthermore, let id be the recipient's identity. Then we have h = H(id), v ← E.Enc(PP E , id, m) and z ← E.Enc(PP E , id, 0). For two such tuples, c := (h, v, z) and c := (h , v , z ), the aggregation algorithm is defined in Algorithm 2.
The hash of the recipient's identity h allows an aggregator to determine whether two ciphertexts have the same intended recipient, in which case, the hash components are equal, and aggregation can be performed; otherwise, aggregating both ciphertexts would produce an invalid result. With this approach, we obtain one-way anonymity. The v component is an E encryption under the recipient's identity of the plaintext value. For the sake of simplicity, we are assuming the plaintext space is M := Z N . For referential convenience, we designate this type of scheme P-type. Now, an alternative approach is to exclude the hash component from this tuple such that an aggregator cannot learn anything about the recipient's identity, nor can it determine whether two ciphertexts have the same recipient. As such, aggregation is always performed, but we need some way for the decryptor to establish whether a ciphertext is valid or has been likely contaminated through aggregation with a different identity. A solution to this emerges when the plaintext space is exponentially large, as is the case here. The idea is to include additional encryptionv of −m where the underlying plaintext of v is m such that v * v decrypts to zero (or 1 M , the identity element). The decryptor discards a ciphertext as invalid if v * v does not decrypt to zero. Homomorphically adding (pairwise) a pair of ciphertexts (v ,v ) associated with another identity results in a pair of encryptions of random values in Z N . Therefore, the resulting ciphertext will be rejected as invalid by the decryptor with overwhelming probability. For referential convenience, we designate this type of scheme F-type. The aggregation algorithm for this type is shown in Algorithm 3.

Algorithm 3 Aggregation algorithm in F-type setting.
Agg.Aggregate(c, c ). ( Since any party who obtains the ciphertext tuple as above can modify the underlying plaintext (malleability), we may wish to restrict this ability to a subset of authorized parties, which we refer to as aggregators. While a suitable means of access control for granting such authorization to aggregators is beyond the scope of this work (e.g., ABE and related primitives may be of import), we describe a simplified paradigm that can be adapted and extended as required. Typically, we would expect the ciphertext tuple above to be encrypted with a non-malleable encryption scheme, such as an IND-CCA2 secure symmetric-key encryption scheme denoted by SKE. Moreover, a random symmetric key κ is first generated, and the tuple c is then encrypted, i.e., we have ψ ← SKE.Enc(κ, c). The natural question is, then, how does one obtain κ? Note that both authorized aggregators and the recipient must be able to access κ. First, an appropriate means of access control can be employed to allow authorized aggregators to access κ, a subject that, as aforementioned, is outside the scope of this work. Secondly, and most importantly, the intended recipient must be able to access κ. The challenge arises for intermediate aggregators who need to encrypt a fresh κ under the recipient's identity, which is hidden from them due to the desired property of anonymity. It is apparent from the proof of aggregation validity that the IBE scheme in which κ is encrypted must be secure against adaptive chosen ciphertext attacks. Aggregation validity is a property that is defined in the next section and informally means that no efficient adversary who is given an encryption of a message m and who is neither an authorized aggregator nor the intended recipient can produce a valid ciphertext that encrypts a targeted modification of m, that is, t · m for some a priori decided t = 1 M .
We now formalize the identity-based anonymous aggregation (IBAA) in a simplified form where the authorization of aggregators is based on symmetric encryption, which is sufficient for our purposes, but we note this may be replaced with a more complex form of access control accommodated by a more generalized definition.

Definition 5.
An identity-based anonymous aggregation (IBAA) protocol P consists of the following PPT algorithms: • Setup(1 λ ): On input of a security parameter λ, generate public parameters PP and master secret key MSK. Output (PP, MSK). • KeyGen(MSK, id): On input of a master secret key MSK and an identity id, output a secret key sk id for identity id. • Authorize(sk id ): On input of a secret key sk id for identity id, output an authorization key that permits aggregation on ciphertexts generated by a source (sender) with identity id. • Enc(PP, sk id , id, m): On input of public parameters PP, a secret key for the source (sender) sk id whose identity is id, a recipient identity id and message m ∈ M, produce a ciphertext c that encrypts m under identity id and output c. • Dec(sk id , c): On input of a secret key sk id for identity id and a ciphertext c, output a message m ∈ M if c is a valid ciphertext for identity id; otherwise, output ⊥. • Aggregate(PP, sk id , (ak 1 , c 1 ), (ak 2 , c 2 )): On input of public parameters PP, the aggregator's secret key sk id for their identity id and two ciphertexts c 1 and c 2 with corresponding authorization keys ak 1 and ak 2 (it may be the case that ak 1 = ak 2 ) that permit aggregation, if ak 1 permits aggregation on c 1 and ak 2 permits aggregation on c 2 , then output c such that Dec(sk id , c ) = Dec(sk id , c 1 ) * Dec(sk id , c 2 ) for some operation * (typically for an abelian group). Otherwise, output ⊥. Additionally, in order to perform aggregation on c , a party needs an authorization key from id.
This primitive is very similar to homomorphic IBE, except there are a few notable differences. First, only senders who are authorized by the TA can encrypt messages, which can be decrypted by the recipient if they have received a secret key from the TA for their identity. Secondly, aggregation is possible on a sender's ciphertext only if the aggregator has received an authorization key from the sender. Dec(sk id , Aggregate(PP, skī d , (ak 1 , c 1 ), (ak 2 , c 2 ))) = m 1 * m 2 iff ak i ∈ Authorize(sk id * i ) (except with negligible probability) where I is the identity space. More precisely, the second part of the iff in the above condition is actually a security condition, which we now treat on its own. Definition 6. An IBAA scheme is said to satisfy (selective) aggregation validity if for all t = 0 ∈ M, the advantage of any PPT adversary A = (A 1 , A 2 ) is negligible in the security parameter where the advantage is defined as follows: where O = KeyGen(MSK, ·) except queries cannot be made for identities id and id. It is assumed that |M| is exponentially large and the min-entropy of M is sufficiently higher than the security parameter.

Definition 7.
An IBAA scheme is said to satisfy (selective) strong unlinkability if the advantage of any PPT adversary A = (A 1 , A 2 ) is negligible in the security parameter where the advantage is defined as follows: where O = KeyGen(MSK, ·); note that queries can be made for identity id.

Definition 8.
An IBAA scheme is said to be one-way anonymous if the advantage of any PPT adversary A = (A 1 , A 2 ) is negligible in the security parameter where the advantage is defined as follows: where O = KeyGen(MSK, ·). It is assumed that I is exponentially large and the min-entropy of I is sufficiently higher than the security parameter.

Construction of IBAA
We now present a construction of the primitive defined in Section 5. Our construction requires an anonymous homomorphic IBE scheme E m for the plaintext values, a collisionresistant hash function family, a symmetric encryption scheme E SKE , a PRF and an anonymous IBE E k for encrypting the keys. Let H be a family of collision-resistant hash functions. Our IBAA scheme is shown in Algorithm 4.
For the sake of brevity in the reductions below, we simply describe how b is computed from c .
Hybrid 0: This is the real system. Hybrid 1: In this hybrid, we change c 1 to the encryption of a uniformly random and independent element.
Indistinguishability follows from the IND-CCA2 security of the symmetric encryption scheme. The reduction, in this case, is straightforward.

Hybrid 2:
In this hybrid, we change the c 2 component of the ciphertext to an encryption of a random element drawn from the message space of the E k scheme. Therefore, instead of encrypting κ, we encrypt a random element ρ.
We can use an adversary that has a non-negligible advantage distinguishing between Hybrids 0 and 1 to construct an adversary that has a non-negligible advantage against the IND-ID-RCCA security of E k . The reduction is as follows. First, we run A 1 to obtain ( id, id). We sample m ←$ M. We run Setup and all steps of the encryption algorithm except the step that generates c 2 . Therefore, we, for example, generate κ, c 1 and c 3 . We set µ 0 ← κ and µ 1 ← ρ where ρ is a uniform random element in the message space of E k and send the pair of messages (µ 0 , µ 1 ) to the IND-ID-RCCA challenger. We receive a challenge ciphertext e, and we set c 1 ← e and set c ← (c 1 , c 2 , c 3 ). Then we run A 2 with the public parameters and ciphertext c and obtain c . We parse c as (c 1 , c 2 , c 3 ). Then the reduction sends c 1 to the IND-ID-RCCA decryption oracle, and if the oracle responds with test, then check if c 3 is decryptable with κ or ρ and let µ be the tuple obtained, or else if the oracle responds with a plaintext k, check if c 3 is decryptable with k and set µ to be the tuple returned. Otherwise, set µ ← ⊥. Finally, the guess bit b is computed as where sk IBE is the key we have derived in the simulation. Indistinguishability follows from the IND-ID-RCCA security of E k .

Hybrid 3:
In this hybrid, we change the c 3 component of the ciphertext to an encryption of a random element drawn from the message space of the SKE scheme.
In the reduction, we parse c as (c 1 , c 2 , c 3) and decrypt c 2 with the secret key derived in the simulation to obtain κ. If κ decrypts c 3 , set µ to the resulting tuple. Otherwise, send c 3 to the IND-CCA2 decryption oracle and set µ to the response. Finally, the guess bit b is computed as b ← µ = ⊥ ∧ .E m .Dec(sk IBE , µ.v) = m * t where sk IBE is the key we have derived in the simulation. Indistinguishability follows from the IND-CCA2 security of the SKE scheme.
The adversary has a negligible advantage in this game since the ciphertext c does not contain any information about m. The result follows.
We have omitted the aggregation algorithm from Algorithm 4 since this varies depending on whether we target the P-type or F-type setting. Our goal is to achieve strong unlinkability, aggregation validity and (one-way/full) anonymity in the (P-type/F-type) settings.

P-Type Setting
We can, however, readily obtain strong unlinkability together with aggregation validity in the P-type setting of one-way anonymity, which we will now describe. Unfortunately, our approach is inherently restricted to one-way anonymity, leaving open the problem of achieving strong unlinkability and aggregation validity in the F-type setting of full anonymity; we will tackle this problem later. Our approach for the P-type setting involves instantiating E k with an IND-ID-CCA2 secure IBE scheme. The hash of the target identity h in the tuple encrypted by c 3 is used as an identity string; that is, c 2 is an encryption with E k under identity string h of the symmetric key κ. The ciphertext component c 3 is an encryption of the tuple (h, v, z). The aggregation algorithm for our IBAA scheme in this setting is given in Algorithm 5.