On the Anonymity of Identity-Based Encryption

Anonymity of identity-based encryption (IBE) means that given a ciphertext, one cannot distinguish the target identity from a random identity. In this paper, we thoroughly discuss the anonymity of IBE systems. We find that the current definition of anonymity does not clearly describe some IBE systems, such as the Gentry IBE system. Furthermore, the current definition cannot express the degree of anonymity. So we divide the degree of anonymity into weak anonymity and strong anonymity based on indistinguishability between different games. For weakly anonymous IBE systems, the target identity in a ciphertext cannot be distinguished from a random identity. For strongly anonymous IBE systems, the whole ciphertext cannot be distinguished from a random tuple. We also discuss the type of anonymity and divide it into two types. Type 1 means that a random tuple can be seen as a valid ciphertext, while type 2 cannot. Based on our new definitions, we show that three famous IBE systems, Gentry IBE system, Boyen-Waters IBE system, and Lewko IBE system, have strong but different types of anonymity.


Introduction
Shamir [1] proposed the concept of identity-based encryption (IBE) in 1984 to simplify the public key infrastructure. In an IBE system, public keys for users can be formed from arbitrary strings such as e-mail addresses, IP addresses, or other meaningful strings. Anyone can encrypt messages using the identity, and only the owner of the corresponding secret key can decrypt the messages. But Shamir did not give a concrete construction of IBE until Boneh and Franklin [2] presented the first practical IBE system based on groups with efficiently computable bilinear maps. Another, less efficient, IBE system using quadratic residues was proposed by Cocks [3]. After that, many new IBE systems have been proposed [4][5][6][7][8][9][10][11].
Anonymous IBE was first noticed by Boyen [12] and later formalized by Abdalla et al. [13,14]. Roughly speaking, an IBE system is said to be recipient anonymous or simply anonymous if the ciphertext leaks no information about the recipient's identity. In other words, an attacker cannot distinguish the target identity from a random identity for a ciphertext. Recently, people found that the anonymity of IBE can help to construct public key encryption with keyword search (PEKS) systems [13, 15-17].
The first anonymous IBE system is the Boneh-Franklin IBE system [2]. In fact, this system has intrinsic anonymity; that is, its semantic security equals anonymity. But the Boneh-Franklin IBE system was proposed in the random oracle model [18]. Boyen and Waters [8] gave the first construction of anonymous IBE in the standard model under the decisional bilinear Diffie-Hellman (BDH) and decisional linear assumptions. Another efficient construction of anonymous IBE in the standard model was proposed by Gentry [9], but it is proven secure under a dynamic and complicated assumption. After that, many new anonymous IBE systems in the standard model have been proposed [19][20][21]. An extension of anonymous IBE, named committed blind anonymous IBE, was proposed by Camenisch et al. [22] in which a user can request the decryption key for a given identity without the key generation entity learning the identity.
When studying how to construct anonymous IBE systems, researchers have found that if asymmetric bilinear maps are used in previous IBE systems [4][5][6][7], these systems seem anonymous. But how to prove anonymous security of these systems from simple assumptions was unknown until Ducas [23] gave a positive answer. He showed that an IBE system can be proven anonymous with some minor modification. Another anonymous IBE system using an asymmetric bilinear map was proposed by Chen et al. [24]. Recently, Herranz et al. [25] discussed the relations between semantic security and anonymity for IBE systems.
When an "anonymous" IBE system is constructed, we should prove its anonymity. It seems that, to prove anonymity for IBE systems, we only need to prove that we cannot distinguish the target identity from the challenge ciphertext in the security game for anonymity. However, current anonymous IBE systems, except the Gentry IBE system [9], all prove anonymity using a game called Game Random, in which the challenge ciphertext is composed of independently random group elements and which is stronger than the standard game for anonymity. Obviously, if a valid ciphertext is indistinguishable from a random tuple, it is definitely anonymous. However, Game Random is overqualified for anonymity, because anonymity only requires that an attacker cannot distinguish the target identity for a ciphertext. Hence, the current definition of anonymity is not complete enough to describe the anonymity of current IBE systems.
Our Results. We make a concrete analysis of the anonymity of identity-based encryption systems. We find that the current definition of anonymity does not clearly describe some IBE systems, such as the Gentry IBE system [9]. Furthermore, the current definition cannot express the degree of anonymity. By using the indistinguishability of some related security games, we divide anonymity into two degrees: weak anonymity and strong anonymity. Weak anonymity equals the current definition of anonymity, in which the target identity for a ciphertext cannot be distinguished from a random identity. For strongly anonymous IBE systems, the whole ciphertext cannot be distinguished from a random tuple. We also discuss the type of anonymity and divide it into two types. Type 1 means that a random tuple can be seen as a valid ciphertext for some identity, while type 2 cannot. Based on our discussion, we analyse some IBE systems. We show that three famous IBE systems, Gentry IBE System [9], Boyen-Waters IBE system [8], and Lewko IBE System [26], have strong but different types of anonymity.
Organization. The paper is organized as follows. We give necessary background information and definitions of security in Section 2. We then analyse the anonymity and define different degrees and types of anonymity in Section 3. In Section 4, we discuss the anonymity of some current IBE systems. Finally, we conclude the paper in Section 5.

Background
In this section, we briefly review the concepts of the bilinear maps, identity-based encryption, and its security models for semantic security and anonymity.

Bilinear Maps
Definition 1. Let G, G be two cyclic multiplicative groups with prime order . Let be a generator of G and : G×G → G a bilinear map with the following properties: (1) bilinearity: for all , V ∈ G and for all , ∈ Z, one has ( , V ) = ( , V) ; (2) nondegeneracy: the map does not send all pairs in G × G to the identity in G . Observe that since G, G are groups of prime order, this implies that if is a generator of G then ( , ) is a generator of G .
We say that G is a bilinear group if the group operation in G and the bilinear map : G × G → G are both efficiently computable.
Bilinear maps are also called pairings. We assume that there is an efficient algorithm G for generating bilinear groups. The algorithm G, on input a security parameter , outputs a tuple = [ , G, G 1 , ∈ G, ], where is a generator and log( ) = Θ( ).

Algorithms. An IBE system consists of the following four algorithms: Setup, KeyGen, Encrypt, and Decrypt.
Setup (1 ). This algorithm takes as input the security parameter and outputs a public key PK and a master secret key MK. The public key implies also a key space K(PK) and an identity space ID(PK).
KeyGen(MK, I). This algorithm takes as input the master secret key MK and an identity I ∈ ID(PK) and outputs a secret key SK I associated with I.
Encrypt(PK, I, M). This algorithm takes as input the public key PK, an identity I, and a message and outputs a ciphertext CT.
Decrypt(SK I , CT). This algorithm takes as input a secret key SK I and the ciphertext CT. If the ciphertext is an encryption to I, then the algorithm outputs the encrypted message .

Security Models.
The chosen plaintext security (semantic security) and anonymity of an IBE system are defined according to the following IND-ID-CPA (indistinguishability against full identity and chosen plaintext attacks) game and ANON-ID-CPA (anonymity against full identity and chosen plaintext attacks) game, respectively.

IND-ID-CPA Game
Setup. The challenger B runs the Setup algorithm and gives PK to the adversary A.
Phase 1. The adversary A submits an identity I. The challenger creates a secret key SK I for that identity and gives it to the adversary.

Challenge. A submits a challenge identity I * and two equal length messages 0 , 1 to B with the restriction that each identity I given out in the key phase must not be I * . Then B flips a random coin ∈ {0, 1} and passes the ciphertext CT * = Encrypt(PK, , I * ) to A.
Phase 2. Phase 1 is repeated with the restriction that any queried identity I is not I * .
Guess. A outputs its guess of .

The advantage of A in this game is defined as Adv
Definition 2. One says that an IBE system is IND-ID-CPA secure, if no probabilistic polynomial time adversary A has a nonnegligible advantage in winning the IND-ID-CPA game.

ANON-ID-CPA Game
Setup. The challenger B runs the Setup algorithm and gives PK to the adversary A.
Phase 1. The adversary A submits an identity I. The challenger creates a secret key SK I for that identity and gives it to the adversary.
Challenge. A submits two challenge identities I * 0 , I * 1 and a message to B with the restriction that each identity I given out in the key phase must not be I * 0 or I * 1 . Then B flips a random coin ∈ {0, 1} and passes the ciphertext CT * = Encrypt(PK, , I * ) to A.
Phase 2. Phase 1 is repeated with the restriction that any queried identity I is not I * 0 or I * 1 .
Guess. A outputs its guess of .

The advantage of A in this game is defined as Adv
Definition 3. One says that an IBE system is ANON-ID-CPA secure, if no probabilistic polynomial time adversary A has a nonnegligible advantage in winning the ANON-ID-CPA game.
Some systems such as [8,27] use weaker notions called IND-sID-CPA (indistinguishability against selective identity and chosen plaintext attacks) security and ANON-sID-CPA (anonymity against selective identity and chosen plaintext attacks) security, which are against selective identity. In the selective identity models, the adversary submits the target identity I * (or I * 1 , I * 2 ) before public parameters are generated.

Analysis of Anonymity
Most IBE systems are constructed on bilinear maps. However, it is hard to construct anonymous IBE systems due to the bilinearity of bilinear maps, that is, for all , V ∈ G and for all , ∈ Z , we have ( , V ) = ( , V ). For pairing-based IBE systems, it is easy for us to test the target identity if an IBE system is not anonymous. Roughly speaking, if an IBE system is not anonymous, supposing that 1 , . . . , ∈ G are components of a ciphertext of such a system, we can construct elements 1 , . . . , ∈Ĝ from the public parameters and some identity I to check whether ( 1 , 1 ) ⋅ ⋅ ⋅ ( , ) = 1, where : G ×Ĝ → G denotes the bilinear map used in the system. If the equation is true, the target identity is I. Using this method, we can easily see that some previous IBE systems are not anonymous, such as [4-7, 10, 11].
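The pairing check described above, as an added example (not code from the paper), run in a toy model where a group element g^a is stored as the exponent a and e(g^a, g^b) as a·b mod p; this verifies the algebra only and has no security. The ciphertext shape is the standard Boneh-Boyen form (M·e(g1,g2)^s, g^s, (g1^I h)^s) with a symmetric pairing; the prime, the function names and the sample identities are assumptions of this sketch.

```python
import secrets

P = 2**61 - 1   # prime group order of the toy model (constructed value)

def rand_exp():
    """Uniform nonzero exponent in Z_p."""
    return secrets.randbelow(P - 1) + 1

def pair(a, b):
    """e(g^a, g^b) = e(g,g)^(a*b), written on exponents."""
    return a * b % P

def bb_setup():
    # PK = (g, g1 = g^alpha, g2, h); each entry is the exponent of the element.
    return {"g": 1, "g1": rand_exp(), "g2": rand_exp(), "h": rand_exp()}

def bb_encrypt(pk, identity, m):
    s = rand_exp()
    c0 = (m + s * pair(pk["g1"], pk["g2"])) % P     # M * e(g1, g2)^s
    c1 = s * pk["g"] % P                             # g^s
    c2 = s * (identity * pk["g1"] + pk["h"]) % P     # (g1^I h)^s
    return c0, c1, c2

def identity_test(pk, ct, identity):
    """Check e(c1, y1) * e(c2, y2) = 1, with y1 = g1^I h and y2 = g^-1.

    y1 and y2 are built from the public key and a candidate identity only.
    """
    _, c1, c2 = ct
    y1 = (identity * pk["g1"] + pk["h"]) % P
    y2 = -pk["g"] % P
    return (pair(c1, y1) + pair(c2, y2)) % P == 0

def anon_game_win_rate(rounds=200):
    """Challenge phase of the ANON-ID-CPA game with identity_test as the adversary."""
    wins = 0
    for _ in range(rounds):
        pk = bb_setup()
        id0, id1 = 1001, 2002            # challenge identities (constructed)
        b = secrets.randbelow(2)         # challenger's coin
        ct = bb_encrypt(pk, (id0, id1)[b], rand_exp())
        guess = 0 if identity_test(pk, ct, id0) else 1
        wins += guess == b
    return wins / rounds

if __name__ == "__main__":
    print("adversary win rate:", anon_game_win_rate())
```

A win rate of 1 instead of 1/2 is what a failed anonymity proof looks like in practice: the scheme can still be IND-ID-CPA secure while the ciphertext header identifies its recipient.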
Gentry proposed the concept of ANON-IND-ID-CPA (anonymity and indistinguishability against full identity and chosen plaintext attacks) security in [9], which is the conjunction of IND-ID-CPA security and ANON-ID-CPA security. It seems that Gentry's definition is equivalent to IND-ID-CPA security and ANON-ID-CPA security, but there is a flaw which makes them not equivalent. To repair this flaw in Gentry's definition, we first review Gentry's definition and rewrite these definitions using the indistinguishability between some similar security games.

ANON-IND-ID-CPA Game
Setup. The challenger B runs the Setup algorithm and gives PK to the adversary A.
Phase 1. The adversary A submits an identity I. The challenger creates a secret key SK I for that identity and gives it to the adversary.
Challenge. A submits two challenge identities I * 0 , I * 1 and two equal length messages 0 , 1 to B with the restriction that each identity I given out in the key phase must not be I * 0 or I * 1 . Then B picks two random bits , ∈ {0, 1} and passes the ciphertext CT * = Encrypt(PK, , I * ) to A.
Phase 2. Phase 1 is repeated with the restriction that any queried identity I is not I * 0 or I * 1 .
Guess. A outputs its guess of and of .

Though the ANON-IND-ID-CPA game is the conjunction of the IND-ID-CPA game and the ANON-ID-CPA game, they are not always equivalent. If the assumption used in the IND-ID-CPA game is different from the assumption used in the ANON-ID-CPA game, these two games cannot be combined to be the ANON-IND-ID-CPA game. In Gentry's definition, they are equivalent because only one assumption called the Decision -ABDHE assumption is used in these games.

The advantage of A in this game is defined as Adv
To cover the difference caused by different assumptions and full or selective security, we focus on the core of these games. In the IND-ID-CPA game, the adversary needs to distinguish an encryption of the chosen message from an encryption of a random message both for the challenge identity, while in the ANON-ID-CPA game, the adversary needs to distinguish an encryption for the challenge identity from an encryption for a random identity both of the chosen message. And in the combined ANON-IND-ID-CPA game, the adversary needs to distinguish an encryption of the chosen message for the challenge identity from an encryption of a random message for a random identity. Hence, we can redefine these concepts using the indistinguishability between different challenge ciphertexts.
Let be a message and I * a challenge identity both chosen by the adversary. Let be a random message and I a random identity. We define the following games which differ on what challenge ciphertext is given by the simulator to the adversary.
(i) Game ,I * : it is the basic game. The challenger runs the Setup algorithm and gives the public key to the adversary. The adversary can make a secret key query for I, where I is not equal to the target identity I * .
(ii) Game ,I * : this is like Game ,I * except that the challenge ciphertext is Encrypt(PK, , I * ).
(iii) Game ,I : this is like Game ,I * except that the challenge ciphertext is Encrypt(PK, , I ).
(iv) Game ,I : this is like Game ,I * except that the challenge ciphertext is Encrypt(PK, , I ).
Using the indistinguishability between these games, we rewrite the definitions of ANON-IND-ID-CPA, IND-ID-CPA, and ANON-ID-CPA securities as follows.
Definition 5. One says that an IBE system is ANON-IND-ID-CPA secure, if no probabilistic polynomial time adversary A has a nonnegligible advantage in distinguishing between Game ,I * and Game ,I .
Definition 6. One says that an IBE system is IND-ID-CPA secure, if no probabilistic polynomial time adversary A has a nonnegligible advantage in distinguishing between Game ,I * and Game ,I * .
Definition 7. One says that an IBE system is ANON-ID-CPA secure, if no probabilistic polynomial time adversary A has a nonnegligible advantage in distinguishing between Game ,I * and Game ,I .
Definitions for selective identity are similar except that in all the games the adversary should submit the target identity I * before public parameters are generated. Note that Game ,I * , Game ,I , and Game ,I are three different games. We have the following result for the relation between ANON-IND-ID-CPA security, IND-ID-CPA security, and ANON-ID-CPA security. Proof. We have where 1 , 2 are both negligible. Equation (1) holds because E is IND-ID-CPA secure and (2) holds because E is ANON-ID-CPA secure. So which means that E is ANON-IND-ID-CPA secure.
However, it is still unknown whether ANON-IND-ID-CPA security is equivalent to IND-ID-CPA security and ANON-ID-CPA security. The following lemma gives an efficient method to prove anonymity, which is used for some previous systems, such as the Caro-Iovino-Persiano HIBE system [28] and the Seo-Cheon HIBE system [29].

Lemma 9. If an IBE system E is IND-ID-CPA secure, and there is no polynomial time adversary who can distinguish between
,I * and ,I with nonnegligible advantage, then E is ANON-ID-CPA secure.
Proof. We have where 1 , 2 , 3 are all negligible. Equations (4) and (5) hold because E is IND-ID-CPA secure and (6) holds according to the hypothesis. So which means that E is ANON-ID-CPA secure.
In some anonymous IBE systems, such as Boyen-Waters anonymous IBE system, they use a new game called Game Random . We define it as follows.
(i) Game Random : this is like Game ,I * except that the challenge ciphertext consists of independent random group elements.
Note that Game Random is different from Game ,I . Though they are similar concepts, they are not always equivalent. Game Random is a special game in which the challenge ciphertext is composed of independent random group elements, while the challenge ciphertext of Game ,I is still a valid ciphertext. Since every element is random, the ciphertext leaks no information about the identity. So if the transition from Game ,I * to Game Random is computationally indistinguishable, the IBE system is no doubt anonymous. This proof method was used in Boyen-Waters anonymous IBE system and later anonymous IBE systems. Obviously, the transition from Game ,I * to Game ,I is different from the transition from Game ,I * to Game Random . The difference leads to the following classification of anonymous IBE systems.
Definition 10 (weak anonymity). One says that an IBE system has weak anonymity, if no probabilistic polynomial time adversary A has a nonnegligible advantage in distinguishing between Game ,I * and Game ,I or distinguishing between Game ,I * and Game ,I .
Definition 11 (strong anonymity). One says that an IBE system has strong anonymity, if no probabilistic polynomial time adversary A has a nonnegligible advantage in distinguishing between Game ,I * and Game Random .
Obviously, weak anonymity is the standard definition shown in previous articles where the target identity is indistinguishable from a random identity. It is easy to see that weak anonymity is required for all anonymous IBE systems and strong anonymity implies weak anonymity. So weak anonymity is also called standard anonymity, while strong anonymity is called superstandard anonymity. In the next section, we will analyse some IBE systems based on our definitions of anonymity. We will see that these IBE systems all have strong anonymity.
To further clarify the anonymity of IBE systems, we use the difference between Game ,I and Game Random to define two types of anonymity, named type 1 anonymity and type 2 anonymity. First we define the equivalence of two games. Let Game A , Game B be two games. If any ciphertext output by Game A can be seen as a properly distributed ciphertext output by Game B and vice versa, we say that Game A equals Game B or Game A = Game B . Obviously, Game A = Game B means that Game A is indistinguishable from Game B . However, if two games are indistinguishable, they are not always equivalent. For example, for any IND-ID-CPA secure IBE system, Game ,I * ̸ = Game ,I * , but they are indistinguishable according to the definition of IND-ID-CPA security.

Definition 12. For an anonymous IBE system E, if Game ,I = Game Random , one says that E has type 1 anonymity, or else E has type 2 anonymity.
If an IBE system E has only weak anonymity, it is obvious that Game ,I ̸ = Game Random ; that is, E has type 2 anonymity. So there is no type 1 anonymous IBE system with only weak anonymity. For a strongly anonymous IBE system, type 1 anonymity always means that it only needs to prove E's anonymity in the ANON-IND-ID-CPA game or in the ANON-ID-CPA game, while type 2 anonymity always means that E needs additional steps to prove strong anonymity, for example, proving the indistinguishability of transition from Game ,I to Game Random .
Note that there are IBE systems which have the property Game ,I = Game Random , such as the Boneh-Boyen IBE system. In the Boneh-Boyen IBE system, a ciphertext is like ( , ) , ( I ℎ) , . It is easy to see that a random tuple is still a valid ciphertext for some identity and message. But as we know, the Boneh-Boyen IBE system is not anonymous because there is a gap between Game ,I and Game ,I .

Anonymity of Some IBE Systems
In this section, we analyse some IBE systems based on our definitions of anonymity. We discuss three famous anonymous IBE systems: Gentry IBE System [9], Boyen-Waters IBE system [8], and Lewko IBE System [26]. We show that these three IBE systems are all strongly anonymous but have different types. We show that Gentry's anonymous IBE system has type 1 strong anonymity. We first briefly describe Gentry IBE system as follows.

Gentry IBE System
Setup (1 ). Given the security parameter , the setup algorithm first gets ( , G, G , , ) ← G( ). Next it chooses another random generator ℎ ∈ G and random integer ∈ Z . Then the setup algorithm sets 1 = . The public key PK is published as and the master key MK is
KeyGen(MK, I). To generate the secret key SK I for an identity I ∈ Z , the key extract algorithm chooses random I ∈ Z and outputs SK I as The constraints are that I ̸ = and the PKG always uses the same random value I for I.
Encrypt(PK, I, M). To encrypt a message ∈ G for an identity I, the algorithm chooses random integers ∈ Z and outputs the ciphertext CT as
Decrypt(SK I , CT). To decrypt a ciphertext CT = ( , 1 , 2 ) for an identity I, using the corresponding secret key SK I = ( I , ℎ I ) outputs
Proof. Let C 1 be the set of all possible ciphertexts output by Game ,I and C 2 the set of all possible ciphertexts output by Game Random . We will show that C 1 = C 2 . Obviously, we have C 1 ⊂ C 2 . Note that this claim is true for all IBE systems.

Next, for a random tuple ( , 1 , 2 ), where 1 ∈ G and , 2 ∈ G , we say that it is a valid ciphertext of Gentry-AIBE system. At first we can set 2 = ( , ) for some and then we can set 1 = 1 − ⋅I for some identity I and = ⋅ ( , ℎ) − for some message . So we have C 2 ⊂ C 1 .
As a result, C 1 = C 2 . This means that the challenge ciphertext output by Game , can be seen as a challenge ciphertext by Game Random and vice versa. Then for Gentry-AIBE system, Game , = Game Random .
From Lemmas 13 and 14, we get the following result.
Theorem 15. Gentry IBE system has type 1 strong anonymity.
For an anonymous IBE system, equation Game ,I = Game Random means that it is intrinsically strongly anonymous, just as we showed for Gentry IBE system in the previous section. The equation also holds for some previous systems, for example, Boneh-Franklin IBE system. But for some strongly anonymous IBE systems, it does not hold; that is, Game , ̸ = Game Random . In fact, these two games are computationally indistinguishable under some assumption, for example, the decisional linear assumption.

Boyen-Waters IBE System
As an example, we will show that Boyen-Waters anonymous IBE system is a type 2 anonymous IBE system; that is, it does not satisfy the equation. We first briefly describe Boyen-Waters IBE system as follows.
Setup (1 ). Given the security parameter , the setup algorithm first gets ( , G, G , , ) ← G( ). Next it chooses another two random group elements 0 , 1 ∈ G and five random integers , 1 , 2 , 3 , 4 ∈ Z . Then the setup algorithm sets Ω = ( , ) 1 2 The public key PK is published as and the master key MK is
KeyGen(MK, I). To generate the secret key SK I for an identity I ∈ Z , the key extract algorithm chooses random 1 , 2 ∈ Z and outputs SK I as
Encrypt(PK, I, M). To encrypt a message ∈ G for an identity I, the algorithm chooses random integers , 1 , 2 ∈ Z and outputs the ciphertext CT as
Decrypt(SK I , CT). To decrypt a ciphertext CT = ( , 1 , 2 , 3 , 4 , 5 ) for an identity I, using the corresponding secret key SK I = ( 1 , 2 , 3 , 4 , 5 ) outputs
Using the conjunction of Lemmas 1, 2, and 3 in [8], we have the following result for Boyen-Waters IBE system.
Proof. Given a random tuple ( , 1 , 2 , 3 , 4 , 5 ) where ∈ G and 1 , . . . , 5 ∈ G, we say that it has at most 1/ probability to be a valid ciphertext of BW-AIBE system. At first we set 3 = V 1 2 and 5 = V 2 4 for some 1 and 2 , respectively, and then we can set 2 = V − 1 1 for some , but a valid ciphertext requires that 4 = V −s 2 3 . Since 4 is a random element of G, so 4 has only 1/ probability to be V
From Lemmas 16 and 17, we can easily get the following result.
Theorem 18. Boyen-Waters IBE system has type 2 strong anonymity.
Boyen-Waters IBE system only has selective security. We now show that a fully secure IBE system, Lewko IBE system, has type 2 full anonymity. Lewko IBE system is constructed from dual orthonormal bases and can be seen as a translation of Lewko-Waters IBE system [11] in prime order groups. In Lewko's original description, she only gave a proof for chosen plaintext security.
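The counting argument behind type 1 and type 2 for the Gentry and Boyen-Waters systems above, as an added example (not code from the paper), in a toy exponent model with a tiny prime p = 11 where g^a is stored as a and e(g,g)^t as t. The ciphertext shapes follow the published schemes (Gentry: C1 = g1^s g^(-sI), C2 = e(g,g)^s, C = M·e(g,h)^(-s); Boyen-Waters: (Ω^s M, (g0 g1^I)^s, v1^(s-s1), v2^(s1), v3^(s-s2), v4^(s2)) with v_i = g^(t_i)); all parameter values and function names are constructed assumptions.

```python
from fractions import Fraction
from itertools import product

P = 11  # tiny prime group order so tuples can be enumerated (constructed)

def inv(x):
    return pow(x, -1, P)  # modular inverse, Python 3.8+

# ---- Gentry: CT = (C, C1, C2) ------------------------------------------
def gentry_encrypt(alpha, h, identity, m, s):
    return (m - s * h) % P, s * (alpha - identity) % P, s % P

def gentry_explain(alpha, h, ct):
    """Solve for (identity, m, s) that encrypts to ct (existence argument,
    so using the master secret alpha is fine). Requires C2 != identity."""
    c, c1, c2 = ct
    s = c2                                   # C2 = e(g,g)^s fixes s
    identity = (alpha - c1 * inv(s)) % P     # C1 = g^(s(alpha - I)) fixes I
    m = (c + s * h) % P                      # C = M e(g,h)^(-s) fixes M
    return identity, m, s

def gentry_valid_fraction(alpha=3, h=5):
    # Every tuple except the 1/p fraction whose GT component C2 is the
    # identity (s = 0), which the model makes visible because p is tiny.
    tuples = [ct for ct in product(range(P), repeat=3) if ct[2] != 0]
    ok = sum(gentry_encrypt(alpha, h, *gentry_explain(alpha, h, ct)) == ct
             for ct in tuples)
    return Fraction(ok, len(tuples))

# ---- Boyen-Waters: CT = (C, C1, C2, C3, C4, C5) --------------------------
def bw_encrypt(t, g0, g1, omega, identity, m, s, s1, s2):
    t1, t2, t3, t4 = t
    return ((m + s * t1 * t2 * omega) % P,      # Omega^s M
            s * (g0 + identity * g1) % P,       # (g0 g1^I)^s
            t1 * (s - s1) % P, t2 * s1 % P,     # v1^(s-s1), v2^(s1)
            t3 * (s - s2) % P, t4 * s2 % P)     # v3^(s-s2), v4^(s2)

def bw_consistent(t, ct):
    """Necessary condition for validity: C3 and C5 fix s1 and s2, C2 then
    fixes s, and C4 must equal v3^(s-s2)."""
    t1, t2, t3, t4 = t
    _, _, c2, c3, c4, c5 = ct
    s1 = c3 * inv(t2) % P
    s2 = c5 * inv(t4) % P
    s = (c2 * inv(t1) + s1) % P
    return c4 == t3 * (s - s2) % P

def bw_valid_fraction(t=(2, 3, 4, 5)):
    # C and C1 do not enter the condition, so enumerate (C2, C3, C4, C5).
    tails = list(product(range(P), repeat=4))
    ok = sum(bw_consistent(t, (0, 0) + tail) for tail in tails)
    return Fraction(ok, len(tails))

if __name__ == "__main__":
    print("Gentry tuples that are ciphertexts:", gentry_valid_fraction())
    print("Boyen-Waters tuples passing the check:", bw_valid_fraction())
```

The Boyen-Waters fraction is an upper bound on validity, since the remaining components add further conditions only in degenerate cases; at cryptographic sizes of p it is negligible, which is why the step from a valid ciphertext to a random tuple needs a computational assumption there and not for Gentry.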

Lewko IBE System
Lewko IBE system is constructed on dual orthonormal bases of dual pairing vector spaces. We first review vectors of group elements. Given a group element ∈ G and a vector k = (V 1 , . . . , V ) ∈ Z , we write k to denote a -tuple of elements of G : k := ( V 1 , . . . , V ). For any ∈ Z and k, w ∈ Z , we have ( k ) = k = ( V 1 , . . . , V ) and k+w = ( V 1 + 1 , . . . , V + ). We also use to denote the pairing of vectors: For a fixed (constant) dimension , we choose two random bases B := (b 1 , . . . , b ) and B * := (b 1 , . . . , b ) of Z × , subject to the constraint that (B, B * ) are called dual orthonormal bases and Dual(Z ) denotes the set of dual orthonormal bases. We then describe Lewko IBE system as follows.
Obviously, the set of all possible 2 is contained in span ( d 1 , d 2 , d 3 , d 4 ). Note that any nonzero vectors in span ( d 5 , d 6 ) are not included in span ( d 1 , d 2 , d 3 , d 4 ), so Game ,I ̸ = Game Random for Lewko IBE system which means that Lewko IBE system has type 2 anonymity.

Comparison.
As in the previous analysis for Gentry IBE system, Boyen-Waters IBE system, and Lewko IBE system, we can analyse other anonymous IBE systems. A brief comparison for some anonymous IBE systems is given in Table 1. We find that all listed IBE systems have strong anonymity, that is, superstandard anonymity. Though weak anonymity, that is, standard anonymity, is the current definition of anonymity, to the best of our knowledge, there is no IBE system having only weak anonymity. Hence we leave as an open problem the construction of an IBE system with only weak anonymity.

Conclusion
In this paper, we discuss the anonymity of identity-based encryption systems. Anonymity can be divided into two degrees: weak anonymity and strong anonymity. If an IBE system has weak anonymity, the target identity of its ciphertext cannot be distinguished from a random identity. For strongly anonymous IBE systems, the whole ciphertext cannot be distinguished from a random tuple. We also discuss the type of anonymity and divide it into two types: type 1 means that a random tuple can be seen as a valid ciphertext for some identity, while type 2 cannot. We show that some current anonymous IBE systems, such as Gentry IBE system, Boyen-Waters IBE system, and Lewko IBE system, have strong but different types of anonymity. We hope that our analysis of anonymity will help to construct more anonymous IBE and related systems.