Quantum‐resistant anonymous identity‐based encryption with trable identities

Identity‐based encryption (IBE), introduced by Shamir, eliminates the need for public‐key infrastructure. The sender can simply encrypt a message by using the recipient's identity (such as email or IP address) without needing to look up the public key. In particular, when ciphertexts of an IBE do not reveal recipient's identity, this scheme is known as an anonymous IBE scheme. Recently, Blazy et al. (ARES '19) analysed the trade‐off between public safety and unconditional privacy in anonymous IBE and introduced a new notion that incorporates traceability into anonymous IBE, called anonymous IBE with traceable identities (AIBET). However, their construction is based on the discrete logarithm assumption, which is insecure in the quantum era. In this paper, we first formalize the consistency of tracing key of the AIBET scheme to ensure that a ciphertext cannot be traced with the use of wrong tracing keys. Subsequently, we present a generic formulation concept that can be used to transform structure‐specific lattice‐based anonymous IBE schemes into an AIBET. Finally, we apply this concept to Katsumata and Yamada's compact anonymous IBE scheme (Asiacrypt '16) to obtain the first quantum‐resistant AIBET scheme that is adaptively secure under the ring learning with errors assumption without random oracle.