Socialist millionaire

Cocks IBE scheme is an identity based encryption system proposed by Clifford Cocks in 2001.^[1] The security of the scheme is based on the hardness of the quadratic residuosity problem.

Protocol

Setup

The PKG chooses:

1. a public RSA-modulus ${\displaystyle n=pq}$, where ${\displaystyle p,q,p\equiv q\equiv 3mod4}$ are prime and kept secret,
2. the message and the cipher space ${\displaystyle \mathcal{ℳ}=\{-1,1\},\mathcal{𝒞}={\mathbb{\mathbb{Z}}}_n}$ and
3. a secure public hash function ${\displaystyle f:{\{0,1\}}^{*}\to {\mathbb{\mathbb{Z}}}_n}$.

Extract

When user ${\displaystyle ID}$ wants to obtain his private key, he contacts the PKG through a secure channel. The PKG

1. derives ${\displaystyle a}$ with ${\displaystyle \left(\frac{a}{n}\right)=1}$ by a determistic process from ${\displaystyle ID}$ (e.g. multiple application of ${\displaystyle f}$),
2. computes ${\displaystyle r=a^{\frac{n+5-p-q}{8}}modn}$ (which fulfils either ${\displaystyle r^2=amodn}$ or ${\displaystyle r^2=-amodn}$, see below) and
3. transmits ${\displaystyle r}$ to the user.

Encrypt

To encrypt a bit (coded as ${\displaystyle 1}$/${\displaystyle -1}$) ${\displaystyle m\in \mathcal{ℳ}}$ for ${\displaystyle ID}$, the user

1. chooses random ${\displaystyle t_1}$ with ${\displaystyle m=\left(\frac{t_1}{n}\right)}$,
2. chooses random ${\displaystyle t_2}$ with ${\displaystyle m=\left(\frac{t_2}{n}\right)}$, different from ${\displaystyle t_1}$,
3. computes ${\displaystyle c_1=t_1+a{t}_1^{-1}modn}$ and ${\displaystyle c_2=t_2-a{t}_2^{-1}}$ and
4. sends ${\displaystyle s=(c_1,c_2)}$ to the user.

Decrypt

To decrypt a ciphertext ${\displaystyle s=(c_1,c_2)}$ for user ${\displaystyle ID}$, he

1. computes ${\displaystyle \alpha =c_1+2r}$ if ${\displaystyle r^2=a}$ or ${\displaystyle \alpha =c_2+2r}$ otherwise, and
2. computes ${\displaystyle m=\left(\frac{\alpha }{n}\right)}$.

Note that here we are assuming that the encrypting entity does not know whether ${\displaystyle ID}$ has the square root ${\displaystyle r}$ of ${\displaystyle a}$ or ${\displaystyle -a}$. In this case we have to send a ciphertext for both cases. As soon as this information is known to the encrypting entity, only one element needs to be sent.

Correctness

First note that since ${\displaystyle p\equiv q\equiv 3mod4}$ (i.e. ${\displaystyle \left(\frac{-1}{p}\right)=\left(\frac{-1}{q}\right)=-1}$) and ${\displaystyle \left(\frac{a}{n}\right)\Rightarrow \left(\frac{a}{p}\right)=\left(\frac{a}{q}\right)}$, either ${\displaystyle a}$ or ${\displaystyle -a}$ is a quadratic residue modulo ${\displaystyle n}$.

Therefore, ${\displaystyle r}$ is a square root of ${\displaystyle a}$ or ${\displaystyle -a}$:

${\displaystyle \begin{array}{ll}{r}^2& ={\left(a^{\frac{n+5-p-q}{8}}\right)}^2\\ & ={\left(a^{\frac{n+5-p-q-\mathrm{\Phi }\left(n\right)}{8}}\right)}^2\\ & ={\left(a^{\frac{n+5-p-q-(p-1)(q-1)}{8}}\right)}^2\\ & ={\left(a^{\frac{n+5-p-q-n+p+q-1}{8}}\right)}^2\\ & ={\left(a^{\frac{4}{8}}\right)}^2\\ & =\pm a\\ \end{array}}$

Moreover (for the case that ${\displaystyle a}$ is a quadratic residue, same idea holds for ${\displaystyle -a}$):

${\displaystyle \begin{array}{ll}\left(\frac{s+2r}{n}\right)& =\left(\frac{t+a{t}^{-1}+2r}{n}\right)=\left(\frac{t(1+a{t}^{-2}+2r{t}^{-1})}{n}\right)\\ & =\left(\frac{t(1+r^2{t}^{-2}+2r{t}^{-1})}{n}\right)=\left(\frac{t{(1+r{t}^{-1})}^2}{n}\right)\\ & =\left(\frac{t}{n}\right){\left(\frac{1+r{t}^{-1}}{n}\right)}^2=\left(\frac{t}{n}\right){(\pm 1)}^2=\left(\frac{t}{n}\right)\\ \end{array}}$

Security

It can be shown that breaking the scheme is equivalent to solving the quadratic residuosity problem, which is suspected to be very hard. The common rules for choosing a RSA modulus hold: Use a secure ${\displaystyle n}$, make the choice of ${\displaystyle t}$ uniform and random and moreover include some authenticity checks for ${\displaystyle t}$ (otherwise, an adaptive chosen ciphertext attack can be mounted by altering packets that transmit a single bit and using the oracle to observe the effect on the decrypted bit).

Problems

A major disadavantage of this scheme is that it can encrypt messages only bit per bit - therefore, it is only suitable for small data packets like a session key. To illustrate, consider a 128 bit key that is transmitted using a 1024 bit modulus. Then, one has to send 2 * 128 * 1024 bit = 32 KByte (when it is not known whether ${\displaystyle r}$ is the square of ${\displaystyle a}$ or ${\displaystyle -a}$), which is only acceptable for environments in which session keys change infrequently.

This scheme does not preserve key-privacy, i.e. a passive adversary can recover meaningful information about the identity of the recipient observing the ciphertext.

References