Welcome to this talk about identity-based encryption for fair anonymity applications: defining, implementing, and applying randomizable RCCA-secure IBE, for Asiacrypt 2021. I'm Yi Wang, and this is joint work with Rongmao Chen, Xinyi Huang, Jianting Ning, Baosheng Wang, and Moti Yung.

In this talk, we are mainly concerned with the applications of fair anonymity. For example, in the scenario of anonymous communication, users in the anonymity set communicate with each other in an anonymous manner. Once someone abuses the anonymity service for illegal activities, we hope there is a trusted authority that can revoke the anonymity of malicious users. So fair anonymity aims to achieve a balance between individual privacy and societal safety.

Obviously, identity-based encryption, namely IBE, is a natural candidate for such a setting. IBE was introduced by Shamir in the 1980s, and the first efficient realization was proposed by Boneh and Franklin in 2001. In IBE, Alice encrypts messages with the identity of Bob, for example, his email address, and Bob can decrypt the ciphertext with the secret key SK_Bob, which is generated by the key generation center, namely KGC. So the KGC can check any ciphertext generated by the users and play the role of the trusted authority in the previous scenario.

Apart from fair anonymity, the other properties of such anonymous communication put some extra constraints on the underlying encryption scheme. First, the scheme should support the randomization of ciphertexts so that the server can hide the connections between incoming and outgoing ciphertexts. In particular, the randomization of ciphertexts does not change the underlying identity and the plaintext, so Bob can still obtain the correct plaintext from ciphertext C'. Besides, it is desirable that the randomization of ciphertexts does not involve any public parameters. Second, the ciphertext should be anonymous and not reveal any information about the identity of the receiver.
Otherwise, the attacker can correlate ciphertexts with respect to the underlying identity, as the randomization of ciphertexts does not change the identity. Third, the encryption scheme should be secure against an active attacker who can probe the server with malicious ciphertexts. A combination of those constraints points at re-randomizability, receiver anonymity, and RCCA security. In particular, RCCA security is a meaningful relaxation of CCA security for public key encryption, and it is compatible with randomizability. So we turn to study how to achieve those properties simultaneously in the context of IBE.

Here are our main results. First, we define a new security notion called anonymous identity-based RCCA security for IBE. Then we implement a concrete IBE scheme that satisfies anonymous ID-RCCA security and re-randomizability. Finally, we apply this IBE scheme to build an identity-based universal mixnet with fair anonymity.

Now we introduce the definition of anonymous ID-RCCA security first. In fact, Gentry has defined the notion of anonymous ID-RCCA security already at Eurocrypt 2006. It is a combination of ID-RCCA security and receiver anonymity. In the security game, the adversary first chooses two identities ID_0, ID_1 and two plaintexts M_0, M_1 after receiving the public parameters generated by the challenger. Then it is required to guess the identity ID_b and the plaintext M_c of the challenge ciphertext C* generated by the challenger. During the whole game, the adversary is granted access to key generation and decryption oracles. We imitate the definition of RCCA security to formalize the notion of anonymous ID-RCCA security. The main difference between anonymous ID-CCA and ID-RCCA security lies in the decryption oracle.
Specifically, in the decryption oracle of anonymous ID-RCCA security, if identity ID is equal to either ID_0 or ID_1, the challenger would decrypt the ciphertext C with both SK_ID0 and SK_ID1 and check whether the decryption results intersect the plaintexts picked by the adversary. Otherwise, the challenger decrypts C with SK_ID only and checks whether M is equal to either M_0 or M_1. Anyway, those additional actions prevent the adversary from winning the game trivially.

Next, we introduce how to build a randomizable IBE with anonymous ID-RCCA security. At the core of our construction is the double-strand paradigm. In the ElGamal-based universal cryptosystem, the ciphertext of plaintext M is composed of two strands of ElGamal encryption, E_y(M) and E_y(1). By the homomorphic properties of ElGamal encryption, strand E_y(1) can be used to re-randomize both E_y(M) and itself correctly. So the double-strand paradigm offers an elegant way to re-encrypt ciphertexts without any public parameters. However, this paradigm cannot be applied to the well-known Gentry IBE, as ID-CCA security contradicts the homomorphic property.

To overcome this issue, we describe the Gentry IBE scheme briefly. Let e be the symmetric bilinear map and P be a random generator of G; [a] denotes aP, and [a]_T denotes e(P, P)^a. The ciphertext of Gentry IBE consists of three parts: key ciphertext, data ciphertext, and validity checking. During the decryption procedure, the validity checking part is used to test the validity of the ciphertext, while the key ciphertext is decrypted to obtain the session key for recovering the plaintext from the data ciphertext. In particular, the value of vector β in X_4 changes with X_1 to X_3, so re-encrypting ciphertext E_ID(M) with E_ID(1) would not get a valid ciphertext. Considering that re-encryption does not change the plaintext M, we modify vector β in X_4 to vector μ and obtain a variant of Gentry IBE.
The vector μ includes the hash value of plaintext M. Now we can obtain a Gentry IBE-based universal cryptosystem by applying the variant of Gentry IBE to the double-strand paradigm. However, this construction does not satisfy anonymous ID-RCCA security, because the adversary in the security game can guess the plaintext and re-encrypt strand E_ID(M) by performing the exponentiation with it and verifying the guess by querying the decryption oracle. So we have to restrict the manner of randomization.

To defend against the previous attack, we introduce extra components in the validity checking part of both strands and perturb the randomness s in strand E_ID(M) with C0 and Z1. However, the adversary is still able to re-randomize E_ID(M) by performing multiplication with the public parameters, identity, and plaintext. To restrict the randomization manner further, we mask the validity checking part with the secret value U and encapsulate U with another two strands, E'_ID(U) and E'_ID(1). The random value U, shared among those four strands, prevents the adversary from obtaining valid ciphertexts by mixing strands from different ciphertexts or randomizing strands with public parameters. Now there is only one way to re-randomize the ciphertext.

To prove the anonymous ID-RCCA security of our construction, we make negligible modifications to the simulation of the security game step by step. First, the setup and extraction algorithms are modified to generate secret keys without the master key. Then, the challenge ciphertext is computed using an alternative encryption algorithm such that the distribution of the ciphertext is independent of the underlying identity ID_b and plaintext M_c. Finally, the challenger answers all the decryption queries via a time-unbounded decryption algorithm that uses only the public parameters and the challenge ciphertext to decrypt ciphertexts.
At this time, the extraction and decryption queries do not provide extra information about the master key and secret keys to the adversary, and the challenge ciphertext perfectly hides the identity and plaintext. So the advantage of the adversary is zero.

Finally, we present an ID-based universal mixnet based on such IBE. A universal mixnet is usually constructed for providing anonymous communication among parties. An ID-based universal mixnet consists of a bulletin board, a trusted authority, a set of senders, receivers, and mix nodes. For simplicity, we assume there are n senders, n receivers, and three mix nodes.

In the initialization stage, the trusted authority plays the role of key generation center and generates secret keys for each user and mix node. In the package generation stage, suppose every sender S_i intends to send message M_i to a receiver R_φ(i), where function φ is a projection that depicts the relationship between senders and receivers. The package P_{1,i} generated by sender S_i is composed of two parts. One is the symmetric ciphertext of messages, and the other is the IBE ciphertext of symmetric keys. All the packets are uploaded to the bulletin board.

Then, the first mix node M1 downloads all the packets and performs mixing operations. In particular, it decrypts the first IBE ciphertext in packet P_{1,i} to obtain the symmetric key K_{1,i}, and then decrypts the symmetric ciphertext with K_{1,i}. Finally, mix node M1 randomizes the rest of the IBE ciphertexts, generates a new packet P_{2,i}, and uploads all the new packets to the bulletin board in random order. Similarly, mix node M2 downloads packets from the bulletin board, performs the same mixing operations, and uploads all the packets P_{3,i} to the bulletin board in random order. After mix node M3 completes the mixing operation, the receiver can download all the packets from the bulletin board, decrypt every IBE ciphertext to retrieve the symmetric key, and decrypt the corresponding symmetric ciphertext to retrieve messages.
Compared with previous universal mixnets, our identity-based universal mixnet achieves fair anonymity. The trusted authority can revoke the anonymity upon abuse. Also, due to the anonymous ID-RCCA security of the IBE scheme, our mixnet enjoys stronger unlinkability. Finally, the IBE eliminates public certificate management, and our mixnet can provide more covert communication for the sender. And this is all the main results of our work. Okay, that's all. Thank you.
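
Added example, not part of the talk or the authors' code: the ElGamal double-strand paradigm the talk builds on, where a ciphertext is the pair (E_y(M), E_y(1)) and the second strand re-randomizes both. The toy group P, Q, G and all function names are assumptions made for illustration; this is plain ElGamal universal re-encryption, not the paper's RCCA-secure IBE.

```python
import secrets

# Constructed toy group (far too small for real use): P = 2*Q + 1 with P, Q prime;
# G = 4 generates the subgroup of order Q.
P, Q, G = 1019, 509, 4

def _rand_exp():
    """Uniform nonzero exponent in [1, Q-1]."""
    return secrets.randbelow(Q - 1) + 1

def keygen():
    x = _rand_exp()
    return x, pow(G, x, P)  # (secret key x, public key y = G^x)

def _strand(y, m, r):
    """One ElGamal strand E_y(m) = (G^r, m * y^r)."""
    return pow(G, r, P), m * pow(y, r, P) % P

def encrypt(y, m):
    """Double-strand ciphertext: (E_y(m), E_y(1))."""
    if pow(m, Q, P) != 1:
        raise ValueError("message must be encoded in the order-Q subgroup")
    return _strand(y, m, _rand_exp()), _strand(y, 1, _rand_exp())

def rerandomize(ct):
    """Re-encrypt using only the ciphertext and the group, never the public key y."""
    (a0, b0), (a1, b1) = ct
    s0, s1 = _rand_exp(), _rand_exp()
    # E(m) * E(1)^s0 is a fresh encryption of m; E(1)^s1 is a fresh encryption of 1.
    first = (a0 * pow(a1, s0, P) % P, b0 * pow(b1, s0, P) % P)
    second = (pow(a1, s1, P), pow(b1, s1, P))
    return first, second

def decrypt(x, ct):
    """Return the plaintext, or None if the E(1) strand does not open to 1 under x."""
    (a0, b0), (a1, b1) = ct
    if b1 * pow(a1, -x, P) % P != 1:
        return None  # ciphertext is not addressed to this key
    return b0 * pow(a0, -x, P) % P
```

The homomorphism that makes `rerandomize` work is the same property the talk says conflicts with CCA-style security, which is why the construction adds validity-checking components and the shared secret U.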