Identity-Based Matchmaking Encryption, Revisited: Strong Security and Practical Constructions from Standard Classical and Post-Quantum Assumptions

Identity-based matchmaking encryption (IB-ME) [Ateniese et al. Crypto 2019] allows users to communicate privately in an anonymous and authenticated manner. After the seminal paper by Ateniese et al., a lot of work has been done on the security and construction of IB-ME. In this work, we revisit the security definitions and construction of IB-ME and provide the following three contributions. -- First, we embark on the task of classifying the existing security notions of IB-ME. We systematically categorize privacy into three core categories (CPA, CCA, and privacy in the case of mismatch) and authenticity into four categories (NMA and CMA both against insiders and outsiders). In particular, we reconsider privacy when the sender\u27s identity is mismatched during decryption, considered as ``enhanced privacy\u27\u27~[Francati et al., INDOCRYPT 2021], and provide a new simple security game, called mismatch security, that captures the essence of it. This structured framework not only facilitates more precise comparisons between different IB-ME schemes, but also serves as a valuable tool for evaluating the security of newly proposed schemes. -- Second, we propose a highly efficient and strongly secure IB-ME scheme from the bilinear Diffie-Hellman assumption in the random oracle model. The scheme is based on the Ateniese et al. scheme, but we introduce several techniques to improve its security and efficiency. Especially, we found that the Fujisaki-Okamoto transformation enhances not only privacy but also authenticity. As a result, we obtain a scheme that offers a more compact decryption key and ciphertext than the Ateniese et al. scheme, while achieving CCA and CMA, and mismatch security. -- Third, we propose a new generic construction of IB-ME from anonymous identity-based encryption, identity-based signature, and reusable extractors. Our construction not only achieves CCA, CMA, and mismatch security, but is also the most efficient among existing generic constructions. Through this construction, we obtain various IB-ME schemes from both classical and post-quantum assumptions. For example, we obtain a more efficient scheme from the symmetric external Diffie-Hellman assumption in the standard model, and a practical scheme from lattices in the quantum random oracle model whose secret keys and ciphertexts are less than 5 kilobytes. Moreover, our generic construction produces the first pairing-free IB-ME scheme in the standard model and the first tightly secure lattice-based IB-ME scheme in the quantum random oracle model