Establishing secure and anonymous communication channel: KEM/DEM-based construction and its implementation

Several cryptographic tools provide anonymity in a cryptographic sense, but solely using such a tool does not guarantee anonymity; for example, even if the underlying cryptographic primitives enable anonymity in some sense, a communication system using these tools may reveal the senders' IP address. Moreover, since a certificate of public key infrastructure contains information of a key holder, and that contradicts anonymity of the key holder, the certificate must be removed. Therefore, it seems difficult to check the validity of the public key in an anonymous environment. That is, constructing a secure and anonymous communication protocol, where end-to-end encryption and anonymous authentication are achieved simultaneously, is an important issue to be solved.In ACM SAC 2014 (and IEEE Trans. Emerging Topics Comput. 2016), such a protocol was proposed, where it applies identity-based encryption (IBE) for packet encryption without contradicting anonymity. However, this protocol is inefficient and approximately 20 times slower than that of SSL communications because IBE requires heavy cryptographic pairing computations.In this paper, we propose a more efficient, secure, and anonymous communication protocol, which achieves the same security level as the IBE-based protocol does. The protocol is exempted from pairing computation for establishing a secure channel by applying hybrid encryption instead of IBE. We implement the protocol and show that it is more efficient (overall approximately 1.2 times faster) than the IBE-based protocol. In particular, the decryption algorithm of our protocol is several hundred times faster than that of the IBE-based protocol. In our protocol, we employ the ElGamal KEM scheme and 128-bit AES as the underlying KEM and DEM schemes, respectively, and we have used the TEPLA library for the prototype implementation.