Cocks IBE scheme explained

Cocks IBE scheme is an identity based encryption system proposed by Clifford Cocks in 2001.^[1] The security of the scheme is based on the hardness of the quadratic residuosity problem.

Protocol

Setup

The PKG chooses:

a public RSA-modulus

stylen=pq

, where

stylep,q,p\equivq\equiv3\bmod4

are prime and kept secret,

the message and the cipher space

stylel{M}=\left\{-1,1\right\},l{C}=Z_n

and

a secure public hash function

stylef:\left\{0,1\right\}^* → Z_n

Extract

When user

styleID

wants to obtain his private key, he contacts the PKG through a secure channel. The PKG

derives

stylea

with

style\left(	a
	n

\right)=1

by a deterministic process from

styleID

(e.g. multiple application of

stylef

computes

styler=a^(n+5-p-q)/8\pmodn

(which fulfils either

styler²=a\pmodn

styler²=-a\pmodn

, see below) and

transmits

styler

to the user.

Encrypt

To encrypt a bit (coded as

style1

style-1

)

stylem\inl{M}

for

styleID

, the user

chooses random

stylet₁

with

stylem=\left(

	t₁
	n

\right)

chooses random

stylet₂

with

stylem=\left(

	t₂
	n

\right)

, different from

stylet₁

computes

stylec₁=t₁+

	-1
at
	1

\pmodn

and

c₂₌t₂-

	-1
at
	2

\pmodn

and

sends

styles=(c_1,c₂₎

to the user.

Decrypt

To decrypt a ciphertext

s=(c_1,c₂₎

for user

, he

computes

\alpha=c₁+2r

r^2=a

\alpha=c₂+2r

otherwise, and

computes

m=\left(

	\alpha
	n

\right)

Note that here we are assuming that the encrypting entity does not know whether

has the square root

-a

. In this case we have to send a ciphertext for both cases. As soon as this information is known to the encrypting entity, only one element needs to be sent.

Correctness

First note that since

stylep\equivq\equiv3\pmod4

(i.e.

\left(	-1
	p

\right)=\left(

	-1
	q

\right)=-1

) and

style\left(	a
	n

\right) ⇒ \left(

	a
	p

\right)=\left(

	a
	q

\right)

, either

stylea

style-a

is a quadratic residue modulo

stylen

Therefore,

styler

is a square root of

stylea

style-a

\begin{align} r²&=\left(a^(n+5-p-q)/8\right)²\\ &=\left(a^(n+5-p-q\right)²\\ &=\left(a^(n+5-p-q\right)²\\ &=\left(a^(n+5-p-q\right)²\\ &=\left(a^4/8\right)²\\ &=\pma \end{align}

Moreover, (for the case that

stylea

is a quadratic residue, same idea holds for

style-a

\begin{align} \left(	s+2r
	n

\right)&=\left(

	t+at^-1+2r
	n

\right)=\left(

	t\left(1+at^-2+2rt^-1\right)
	n

\right)\\ &=\left(

	t\left(1+r^2t^-2+2rt^-1\right)
	n

\right)=\left(

	t\left(1+rt^-1\right)²
	n

\right)\\ &=\left(

	t
	n

\right)\left(

	1+rt^-1
	n

\right)²=\left(

	t
	n

\right)(\pm1)²=\left(

	t
	n

\right) \end{align}

Security

It can be shown that breaking the scheme is equivalent to solving the quadratic residuosity problem, which is suspected to be very hard. The common rules for choosing a RSA modulus hold: Use a secure

stylen

, make the choice of

stylet

uniform and random and moreover include some authenticity checks for

stylet

(otherwise, an adaptive chosen ciphertext attack can be mounted by altering packets that transmit a single bit and using the oracle to observe the effect on the decrypted bit).

Problems

A major disadvantage of this scheme is that it can encrypt messages only bit per bit - therefore, it is only suitable for small data packets like a session key. To illustrate, consider a 128 bit key that is transmitted using a 1024 bit modulus. Then, one has to send 2 × 128 × 1024 bit = 32 KByte (when it is not known whether

is the square of a or −a), which is only acceptable for environments in which session keys change infrequently.

This scheme does not preserve key-privacy, i.e. a passive adversary can recover meaningful information about the identity of the recipient observing the ciphertext.

References

Clifford Cocks, An Identity Based Encryption Scheme Based on Quadratic Residues, Proceedings of the 8th IMA International Conference on Cryptography and Coding, 2001