Cocks IBE scheme is an identity based encryption system proposed by Clifford Cocks in 2001. The security of the scheme is based on the hardness of the quadratic residuosity problem.
Contents
Setup
The PKG chooses:
- a public RSA-modulus
n = p q , wherep , q , p ≡ q ≡ 3 mod 4 are prime and kept secret, - the message and the cipher space
M = { − 1 , 1 } , C = Z n - a secure public hash function
f : { 0 , 1 } ∗ → Z n
Extract
When user
- derives
a with( a n ) = 1 by a determistic process fromI D (e.g. multiple application off ), - computes
r = a ( n + 5 − p − q ) / 8 mod n (which fulfils eitherr 2 = a mod n orr 2 = − a mod n , see below) and - transmits
r to the user.
Encrypt
To encrypt a bit (coded as
- chooses random
t 1 m = ( t 1 n ) , - chooses random
t 2 m = ( t 2 n ) , different fromt 1 - computes
c 1 = t 1 + a t 1 − 1 mod n andc 2 = t 2 − a t 2 − 1 - sends
s = ( c 1 , c 2 ) to the user.
Decrypt
To decrypt a ciphertext
- computes
α = c 1 + 2 r ifr 2 = a orα = c 2 + 2 r otherwise, and - computes
m = ( α n ) .
Note that here we are assuming that the encrypting entity does not know whether
Correctness
First note that since
Therefore,
Moreover (for the case that
Security
It can be shown that breaking the scheme is equivalent to solving the quadratic residuosity problem, which is suspected to be very hard. The common rules for choosing a RSA modulus hold: Use a secure
Problems
A major disadavantage of this scheme is that it can encrypt messages only bit per bit - therefore, it is only suitable for small data packets like a session key. To illustrate, consider a 128 bit key that is transmitted using a 1024 bit modulus. Then, one has to send 2 × 128 × 1024 bit = 32 KByte (when it is not known whether
This scheme does not preserve key-privacy, i.e. a passive adversary can recover meaningful information about the identity of the recipient observing the ciphertext.