Cocks IBE scheme

Cocks IBE scheme is an identity based encryption system proposed by Clifford Cocks in 2001.^[1] The security of the scheme is based on the hardness of the quadratic residuosity problem.

Protocol

Setup

The PKG chooses:

1. a public RSA-modulus [math]\displaystyle{ \textstyle n = pq }[/math], where [math]\displaystyle{ \textstyle p,q,\,p \equiv q \equiv 3 \bmod 4 }[/math] are prime and kept secret,
2. the message and the cipher space [math]\displaystyle{ \textstyle \mathcal{M} = \left\{-1,1\right\}, \mathcal{C} = \mathbb{Z}_n }[/math] and
3. a secure public hash function [math]\displaystyle{ \textstyle f: \left\{0,1\right\}^* \rightarrow \mathbb{Z}_n }[/math].

Extract

When user [math]\displaystyle{ \textstyle ID }[/math] wants to obtain his private key, he contacts the PKG through a secure channel. The PKG

1. derives [math]\displaystyle{ \textstyle a }[/math] with [math]\displaystyle{ \textstyle \left(\frac{a}{n}\right) = 1 }[/math] by a deterministic process from [math]\displaystyle{ \textstyle ID }[/math] (e.g. multiple application of [math]\displaystyle{ \textstyle f }[/math]),
2. computes [math]\displaystyle{ \textstyle r = a^{(n+5-p-q)/8} \pmod n }[/math] (which fulfils either [math]\displaystyle{ \textstyle r^2 = a \pmod n }[/math] or [math]\displaystyle{ \textstyle r^2 = -a \pmod n }[/math], see below) and
3. transmits [math]\displaystyle{ \textstyle r }[/math] to the user.

Encrypt

To encrypt a bit (coded as [math]\displaystyle{ \textstyle 1 }[/math]/[math]\displaystyle{ \textstyle -1 }[/math]) [math]\displaystyle{ \textstyle m \in \mathcal{M} }[/math] for [math]\displaystyle{ \textstyle ID }[/math], the user

1. chooses random [math]\displaystyle{ \textstyle t_1 }[/math] with [math]\displaystyle{ \textstyle m = \left(\frac{t_1}{n}\right) }[/math],
2. chooses random [math]\displaystyle{ \textstyle t_2 }[/math] with [math]\displaystyle{ \textstyle m = \left(\frac{t_2}{n}\right) }[/math], different from [math]\displaystyle{ \textstyle t_1 }[/math],
3. computes [math]\displaystyle{ \textstyle c_1 = t_1 + at_1^{-1} \pmod n }[/math] and [math]\displaystyle{ c_2= t_2 - at_2^{-1} \pmod n }[/math] and
4. sends [math]\displaystyle{ \textstyle s=(c_1, c_2) }[/math] to the user.

Decrypt

To decrypt a ciphertext [math]\displaystyle{ s=(c_1, c_2) }[/math] for user [math]\displaystyle{ ID }[/math], he

1. computes [math]\displaystyle{ \alpha = c_1 + 2r }[/math] if [math]\displaystyle{ r^2=a }[/math] or [math]\displaystyle{ \alpha = c_2 + 2r }[/math] otherwise, and
2. computes [math]\displaystyle{ m = \left(\frac{\alpha}{n}\right) }[/math].

Note that here we are assuming that the encrypting entity does not know whether [math]\displaystyle{ ID }[/math] has the square root [math]\displaystyle{ r }[/math] of [math]\displaystyle{ a }[/math] or [math]\displaystyle{ -a }[/math]. In this case we have to send a ciphertext for both cases. As soon as this information is known to the encrypting entity, only one element needs to be sent.

Correctness

First note that since [math]\displaystyle{ \textstyle p \equiv q \equiv 3 \pmod 4 }[/math] (i.e. [math]\displaystyle{ \left(\frac{-1}{p}\right) = \left(\frac{-1}{q}\right) = -1 }[/math]) and [math]\displaystyle{ \textstyle \left(\frac{a}{n}\right) \Rightarrow \left(\frac{a}{p}\right) = \left(\frac{a}{q}\right) }[/math], either [math]\displaystyle{ \textstyle a }[/math] or [math]\displaystyle{ \textstyle -a }[/math] is a quadratic residue modulo [math]\displaystyle{ \textstyle n }[/math].

Therefore, [math]\displaystyle{ \textstyle r }[/math] is a square root of [math]\displaystyle{ \textstyle a }[/math] or [math]\displaystyle{ \textstyle -a }[/math]:

[math]\displaystyle{ \begin{align} r^2 &= \left(a^{(n+5-p-q)/8}\right)^2 \\ &= \left(a^{(n+5-p-q - \Phi(n))/8}\right)^2 \\ &= \left(a^{(n+5-p-q - (p-1)(q-1))/8}\right)^2 \\ &= \left(a^{(n+5-p-q - n+p+q-1)/8}\right)^2 \\ &= \left(a^{4/8}\right)^2 \\ &= \pm a \end{align} }[/math]

Moreover, (for the case that [math]\displaystyle{ \textstyle a }[/math] is a quadratic residue, same idea holds for [math]\displaystyle{ \textstyle -a }[/math]):

[math]\displaystyle{ \begin{align} \left(\frac{s+2r}{n}\right) &= \left(\frac{t + at^{-1} +2r}{n}\right) = \left(\frac{t\left(1+at^{-2} +2rt^{-1}\right)}{n}\right) \\ &= \left(\frac{t\left(1+r^2t^{-2} +2rt^{-1}\right)}{n}\right) = \left(\frac{t\left(1+rt^{-1}\right)^2}{n}\right) \\ &= \left(\frac{t}{n}\right) \left(\frac{1+rt^{-1}}{n}\right)^2 = \left(\frac{t}{n}\right)(\pm 1)^2 = \left(\frac{t}{n}\right) \end{align} }[/math]

Security

It can be shown that breaking the scheme is equivalent to solving the quadratic residuosity problem, which is suspected to be very hard. The common rules for choosing a RSA modulus hold: Use a secure [math]\displaystyle{ \textstyle n }[/math], make the choice of [math]\displaystyle{ \textstyle t }[/math] uniform and random and moreover include some authenticity checks for [math]\displaystyle{ \textstyle t }[/math] (otherwise, an adaptive chosen ciphertext attack can be mounted by altering packets that transmit a single bit and using the oracle to observe the effect on the decrypted bit).

Problems

A major disadvantage of this scheme is that it can encrypt messages only bit per bit - therefore, it is only suitable for small data packets like a session key. To illustrate, consider a 128 bit key that is transmitted using a 1024 bit modulus. Then, one has to send 2 × 128 × 1024 bit = 32 KByte (when it is not known whether [math]\displaystyle{ r }[/math] is the square of a or −a), which is only acceptable for environments in which session keys change infrequently.

This scheme does not preserve key-privacy, i.e. a passive adversary can recover meaningful information about the identity of the recipient observing the ciphertext.

References

0.00 (0 votes) Original source: https://en.wikipedia.org/wiki/Cocks IBE scheme. Read more