# A Closer Look at Anonymity and Robustness in Encryption Schemes

DOI: 10.1007/978-3-642-17373-8_29

- Cite this paper as:
- Mohassel P. (2010) A Closer Look at Anonymity and Robustness in Encryption Schemes. In: Abe M. (eds) Advances in Cryptology - ASIACRYPT 2010. ASIACRYPT 2010. Lecture Notes in Computer Science, vol 6477. Springer, Berlin, Heidelberg

## Abstract

In this work, we take a closer look at *anonymity* and *robustness* in encryption schemes. Roughly speaking, an anonymous encryption scheme hides the identity of the secret-key holder, while a robust encryption scheme guarantees that every ciphertext can only be decrypted to a valid plaintext under the intended recipient’s secret key.

In case of anonymous encryption, we show that if an anonymous PKE or IBE scheme (in presence of CCA attacks) is used in a hybrid encryption, all bets regarding the anonymity of the resulting encryption are off. We show that this is the case even if the symmetric-key component is anonymous. On the positive side, however, we prove that if the key-encapsulation method is, additionally *weakly robust* the resulting hybrid encryption remains anonymous. Some of the existing anonymous encryption schemes are known to be weakly robust which makes them more desirable in practice.

In case of robust encryption, we design several *efficient* constructions for transforming any PKE/IBE scheme into weakly and strongly robust ones. Our constructions only add a minor computational overhead to the original schemes, while achieving better ciphertext sizes compared to the previous constructions. An important property of our transformations is that they are non-keyed and do not require any modifications to the public parameters of the original schemes.

We also introduce a relaxation of the notion of robustness we call *collision-freeness*. We primarily use collision-freeness as an *intermediate notion* by showing a more efficient construction for transforming any collision-free encryption scheme into a strongly robust one. We believe that this simple notion can be a plausible replacement for robustness in some scenarios in practice. The advantage is that most existing schemes seem to satisfy collision-freeness without any modifications.