Socialist millionaire: Difference between revisions

From formulasearchengine
Jump to navigation Jump to search
en>Acutkosky
 
Line 1: Line 1:
Name: Bertha Caviness<br>My age: 21<br>Country: France<br>Town: Tremblay-En-France <br>Postal code: 93290<br>Address: 36 Avenue Jean Portalis<br><br>Also visit my web page: [http://ll.my/backupplugin938916 wordpress backup]
'''Cocks IBE scheme''' is an [[identity based encryption]] system proposed by [[Clifford Cocks]] in 2001.<ref>Clifford Cocks, [http://www.cesg.gov.uk/site/ast/idpkc/media/ciren.pdf An Identity Based Encryption Scheme Based on Quadratic Residues], ''Proceedings of the 8th IMA International Conference on Cryptography and Coding'', 2001</ref> The security of the scheme is based on the hardness of the [[quadratic residuosity problem]].
 
==Protocol==
 
===Setup===
The PKG chooses:
# a public RSA-modulus <math>\textstyle n = pq</math>, where <math>\textstyle p,q,\,p \equiv q \equiv 3 \mod 4</math> are prime and kept secret,
# the message and the cipher space <math>\textstyle \mathcal{M} = \left\{-1,1\right\}, \mathcal{C} = \mathbb{Z}_n</math> and
# a secure public hash function <math>\textstyle f: \left\{0,1\right\}^* \rightarrow \mathbb{Z}_n</math>.
 
===Extract===
When user <math>\textstyle ID</math> wants to obtain his private key, he contacts the PKG through a secure channel. The PKG
# derives <math>\textstyle a</math> with <math>\textstyle \left(\frac{a}{n}\right) = 1</math> by a determistic process from <math>\textstyle ID</math> (e.g. multiple application of <math>\textstyle f</math>),
# computes <math>\textstyle r = a^{\frac{n+5-p-q}{8}} \mod n</math> (which fulfils either <math>\textstyle r^2 = a \mod n</math> or <math>\textstyle r^2 = -a \mod n</math>, see below) and
# transmits <math>\textstyle r</math> to the user.
 
===Encrypt===
To encrypt a bit (coded as <math>\textstyle 1</math>/<math>\textstyle -1</math>) <math>\textstyle m \in \mathcal{M}</math> for <math>\textstyle ID</math>, the user
# chooses random <math>\textstyle t_1</math> with <math>\textstyle m = \left(\frac{t_1}{n}\right)</math>,
# chooses random <math>\textstyle t_2</math> with <math>\textstyle m = \left(\frac{t_2}{n}\right)</math>, different from  <math>\textstyle t_1</math>,
# computes <math>\textstyle c_1 = t_1 + at_1^{-1} \mod n </math> and  <math> c_2= t_2 - at_2^{-1}</math> and
# sends <math>\textstyle s=(c_1, c_2)</math> to the user.
 
===Decrypt===
To decrypt a ciphertext <math>s=(c_1, c_2)</math> for user <math>ID</math>, he
# computes <math>\alpha = c_1 + 2r</math> if <math> r^2=a </math> or <math>\alpha = c_2 + 2r</math> otherwise, and
# computes <math>m = \left(\frac{\alpha}{n}\right)</math>.
 
Note that here we are assuming that the encrypting entity does not know whether <math> ID</math> has the [[Quadratic_residue#Complexity_of_finding_square_roots|square root]] <math>r</math> of <math> a</math> or <math> -a</math>. In this case we have to send a ciphertext for both cases. As soon as this information is known to the encrypting entity, only one element needs to be sent.
 
===Correctness===
 
First note that since <math>\textstyle p \equiv q \equiv 3 \mod 4</math> (i.e. <math>\left(\frac{-1}{p}\right) = \left(\frac{-1}{q}\right) = -1</math>)  and <math>\textstyle \left(\frac{a}{n}\right) \Rightarrow \left(\frac{a}{p}\right) = \left(\frac{a}{q}\right)</math>, either <math>\textstyle a</math> or <math>\textstyle -a</math> is a [[quadratic residue]] modulo <math>\textstyle n</math>.
 
Therefore, <math>\textstyle r</math> is a square root of <math>\textstyle a</math> or <math>\textstyle -a</math>:
 
<math>
\begin{align}
r^2 &= \left(a^{\frac{n+5-p-q}{8}}\right)^2 \\
    &= \left(a^{\frac{n+5-p-q - \Phi\left(n\right)}{8}}\right)^2 \\
    &= \left(a^{\frac{n+5-p-q - (p-1)(q-1)}{8}}\right)^2 \\
    &= \left(a^{\frac{n+5-p-q - n+p+q-1}{8}}\right)^2 \\
    &= \left(a^{\frac{4}{8}}\right)^2  \\
    &= \pm a \\
\end{align}
</math>
 
Moreover (for the case that <math>\textstyle a</math> is a quadratic residue, same idea holds for <math>\textstyle -a</math>):
 
<math>
\begin{align}
\left(\frac{s+2r}{n}\right) &= \left(\frac{t + at^{-1} +2r}{n}\right) = \left(\frac{t\left(1+at^{-2} +2rt^{-1}\right)}{n}\right) \\
                            &= \left(\frac{t\left(1+r^2t^{-2} +2rt^{-1}\right)}{n}\right) = \left(\frac{t\left(1+rt^{-1}\right)^2}{n}\right) \\
                            &= \left(\frac{t}{n}\right) \left(\frac{1+rt^{-1}}{n}\right)^2 = \left(\frac{t}{n}\right)\left(\pm 1\right)^2 = \left(\frac{t}{n}\right) \\
\end{align}
</math>
 
==Security==
It can be shown that breaking the scheme is equivalent to solving the quadratic residuosity problem, which is suspected to be very hard. The common rules for choosing a [[RSA modulus]] hold: Use a secure <math>\textstyle n</math>, make the choice of <math>\textstyle t</math> uniform and random and moreover include some authenticity checks for <math>\textstyle t</math> (otherwise, an [[adaptive chosen ciphertext attack]] can be mounted by altering packets that transmit a single bit and using the [[Random oracle|oracle]] to observe the effect on the decrypted bit).
 
==Problems==
A major disadavantage of this scheme is that it can encrypt messages only bit per bit - therefore, it is only suitable for small data packets like a session key. To illustrate, consider a 128 bit key that is transmitted using a 1024 bit modulus. Then, one has to send 2 * 128 * 1024 bit = 32 KByte (when it is not known whether <math>r</math> is the square of  <math>a</math> or <math>-a</math>), which is only acceptable for environments in which session keys change infrequently.
 
This scheme does not preserve key-privacy, i.e. a passive adversary can recover meaningful information about the identity of the recipient observing the ciphertext.
 
==References==
<references/>
 
[[Category:Identity-based cryptography]]

Revision as of 08:32, 5 January 2014

Cocks IBE scheme is an identity based encryption system proposed by Clifford Cocks in 2001.[1] The security of the scheme is based on the hardness of the quadratic residuosity problem.

Protocol

Setup

The PKG chooses:

  1. a public RSA-modulus n=pq, where p,q,pq3mod4 are prime and kept secret,
  2. the message and the cipher space ={1,1},𝒞=n and
  3. a secure public hash function f:{0,1}*n.

Extract

When user ID wants to obtain his private key, he contacts the PKG through a secure channel. The PKG

  1. derives a with (an)=1 by a determistic process from ID (e.g. multiple application of f),
  2. computes r=an+5pq8modn (which fulfils either r2=amodn or r2=amodn, see below) and
  3. transmits r to the user.

Encrypt

To encrypt a bit (coded as 1/1) m for ID, the user

  1. chooses random t1 with m=(t1n),
  2. chooses random t2 with m=(t2n), different from t1,
  3. computes c1=t1+at11modn and c2=t2at21 and
  4. sends s=(c1,c2) to the user.

Decrypt

To decrypt a ciphertext s=(c1,c2) for user ID, he

  1. computes α=c1+2r if r2=a or α=c2+2r otherwise, and
  2. computes m=(αn).

Note that here we are assuming that the encrypting entity does not know whether ID has the square root r of a or a. In this case we have to send a ciphertext for both cases. As soon as this information is known to the encrypting entity, only one element needs to be sent.

Correctness

First note that since pq3mod4 (i.e. (1p)=(1q)=1) and (an)(ap)=(aq), either a or a is a quadratic residue modulo n.

Therefore, r is a square root of a or a:

r2=(an+5pq8)2=(an+5pqΦ(n)8)2=(an+5pq(p1)(q1)8)2=(an+5pqn+p+q18)2=(a48)2=±a

Moreover (for the case that a is a quadratic residue, same idea holds for a):

(s+2rn)=(t+at1+2rn)=(t(1+at2+2rt1)n)=(t(1+r2t2+2rt1)n)=(t(1+rt1)2n)=(tn)(1+rt1n)2=(tn)(±1)2=(tn)

Security

It can be shown that breaking the scheme is equivalent to solving the quadratic residuosity problem, which is suspected to be very hard. The common rules for choosing a RSA modulus hold: Use a secure n, make the choice of t uniform and random and moreover include some authenticity checks for t (otherwise, an adaptive chosen ciphertext attack can be mounted by altering packets that transmit a single bit and using the oracle to observe the effect on the decrypted bit).

Problems

A major disadavantage of this scheme is that it can encrypt messages only bit per bit - therefore, it is only suitable for small data packets like a session key. To illustrate, consider a 128 bit key that is transmitted using a 1024 bit modulus. Then, one has to send 2 * 128 * 1024 bit = 32 KByte (when it is not known whether r is the square of a or a), which is only acceptable for environments in which session keys change infrequently.

This scheme does not preserve key-privacy, i.e. a passive adversary can recover meaningful information about the identity of the recipient observing the ciphertext.

References

  1. Clifford Cocks, An Identity Based Encryption Scheme Based on Quadratic Residues, Proceedings of the 8th IMA International Conference on Cryptography and Coding, 2001