Generalized Galbraith’s Test: Characterization and Applications to Anonymous IBE Schemes

by Paul Cotan (1,2,†) and George Teşeleanu (1,3,*,†)

1 Advanced Technologies Institute, 10 Dinu Vintilă, 021102 Bucharest, Romania
2 Department of Computer Science, “Al.I.Cuza” University of Iaşi, 700506 Iaşi, Romania
3 Simion Stoilow Institute of Mathematics of the Romanian Academy, 21 Calea Grivitei, 010702 Bucharest, Romania
* Author to whom correspondence should be addressed.
† These authors contributed equally to this work.
Mathematics 2021, 9(11), 1184; https://doi.org/10.3390/math9111184
Submission received: 8 April 2021 / Revised: 18 May 2021 / Accepted: 18 May 2021 / Published: 24 May 2021

Abstract:
The main approaches currently used to construct identity-based encryption (IBE) schemes are based on bilinear mappings, quadratic residues and lattices. Among them, the most attractive approach is the one based on quadratic residues, due to the fact that the underlying security assumption is a well-understood hard problem. The first such IBE scheme was constructed by Cocks, and some of its deficiencies were addressed in subsequent works. In this paper, we focus on two constructions that address the anonymity problem inherent in Cocks’ scheme, and we tackle some of their incomplete theoretical claims. More precisely, we rigorously study Clear et al.’s and Zhao et al.’s schemes and give accurate probabilities of successful decryption and identity detection in the non-anonymized version of the schemes. Furthermore, in the case of Zhao et al.’s scheme, we give a proper description of the underlying security assumptions.

1. Introduction

Out of a desire to avoid several issues (e.g., management of trust, public-key recovery) inherent to public-key cryptography, Shamir came up in 1984 with an interesting and novel concept: identity-based encryption [1]. In the IBE model, a user’s public key is simply derived from some of the user’s personal data, such as their e-mail address, their phone number or even their personal address.
Unfortunately, the construction of a practical IBE scheme had to wait until 2001, when two such schemes were proposed. The first one was proposed by Boneh and Franklin [2] and is based on bilinear maps. Shortly after, using a different approach, Cocks proposed a scheme based on quadratic residues [3]. Despite the simplicity of the idea, a disadvantage of the scheme is its large ciphertext-to-plaintext ratio. More precisely, to encrypt one bit, we have to transmit two large integers.
As pointed out in [2], Cocks’ proposal does not provide anonymity in the sense of Bellare et al. [4]. Concretely, Galbraith devised a test that can distinguish which identity was used to create a given Cocks-like ciphertext. The test has been thoroughly analyzed in [5,6]. Despite this impediment, several schemes that achieve anonymity have been proposed in the literature [5,7,8,9,10,11].
In terms of ciphertext expansion, the most efficient anonymous proposal is the one described by Boneh, Gentry and Hamburg [9]. However, its encryption time is quartic in the security parameter, which makes the scheme very inefficient. Two years later, Ateniese and Gasti [5] proposed a practical scheme that achieves anonymity. The scheme is universally anonymous (i.e., the anonymization process is independent of encryption and requires only access to the user’s id). The scheme was further improved by Schipor [11]: by using a trial-and-error method, he manages to shrink the size of Ateniese and Gasti-type ciphertexts.
A xor-homomorphic variant, which is also universally anonymous, was proposed by Clear et al. [7,12]. By switching to polynomials, they were able to show that the scheme has an underlying algebraic structure. This structure was later studied and simplified by Joye [8]. As a consequence, he managed to improve both the speed and the ciphertext expansion of Clear et al.’s IBE scheme. Using an earlier study [6], Nica and Ţiplea [13] reassessed Joye’s proposal and provided a simpler description of the scheme. By taking a different approach, Zhao et al. [10] managed to further speed up encryption. Unfortunately, their scheme has twice the ciphertext expansion of Joye’s scheme.
In this paper, we reevaluate some of the claims made by Clear et al. [7,12] and Zhao et al. [10] regarding their proposals. More precisely, we rigorously formulate and prove some of the claims made by these authors, thus providing the reader with a better understanding of the intrinsic algebraic structures in both schemes.

Structure of the Paper

We introduce notations and definitions used throughout the paper in Section 2. The extension of Galbraith’s test to polynomial rings is rigorously studied in Section 3. In Section 4 and Section 5, we apply our results to obtain precise characterizations of Clear et al.’s and Zhao et al.’s IBE schemes. We conclude with Section 6.

2. Preliminaries

2.1. Notations

Throughout the paper, $\lambda$ denotes a security parameter. Furthermore, the notation $|S|$ denotes the cardinality of a set $S$. The action of selecting a random element $x$ from a sample space $X$ is denoted by $x \xleftarrow{\$} X$, while $x \leftarrow y$ represents the assignment of value $y$ to variable $x$. The probability of the event $E$ happening is denoted by $Pr[E]$. The quotient of the integer division of $a$ by $n$, assuming $n \neq 0$, is denoted $a \operatorname{div} n$.
The Jacobi symbol of an integer $a$ modulo an integer $n$ is represented by $J_n(a)$. We let $QR_n$ and $QNR_n$ be the sets of quadratic and, respectively, non-quadratic residues modulo $n$. Furthermore, $J_n$ denotes the set of integers modulo $n$ with Jacobi symbol 1.

2.2. Identity-Based Encryption

An IBE scheme consists of four probabilistic polynomial-time (PPT) algorithms: Setup, KeyGen, Enc and Dec. The first one takes as input a security parameter and outputs the system’s public parameters together with a master key. The KeyGen algorithm takes as input an identity $id$ together with the public parameters and the master key, and outputs a private key associated with the $id$. The Enc algorithm, starting with a message $m$, an identity $id$, and the public parameters, encrypts $m$ into some ciphertext $c$ (the encryption key is $id$ or some binary string derived from $id$). The last algorithm decrypts $c$ into $m$ by using the private key associated with $id$.
Definition 1
(Anonymity and Indistinguishability under Selective Identity and Chosen Plaintext Attacks—anon-ind-id-cpa). The anon-ind-id-cpa security of an IBE scheme $S$ is formulated by means of the following game between a challenger $C$ and an adversary $A$:
  • Setup($\lambda$): The challenger $C$ generates the public parameters $pp$ and sends them to the adversary $A$ while keeping the master key $msk$ to himself.
  • Queries: The adversary issues a finite number of adaptive queries. A query can be one of the following types:
    • Private key query. When $A$ requests a query for an identity, the challenger runs the KeyGen algorithm and returns the resulting private key to $A$.
    • Encryption query. Adversary $A$ can issue only one query of this type. He sends $C$ two pairs $(id_0, m_0)$ and $(id_1, m_1)$ consisting of two equal-length plaintexts $m_0$ and $m_1$ and two identities $id_0$ and $id_1$. The challenger flips a coin $b \in \{0, 1\}$ and encrypts $m_b$ using $id_b$. The resulting ciphertext $c$ is sent to the adversary. The following restriction is in place: private key queries for $id_0$ and $id_1$ must never be issued.
  • Guess: In this phase, the adversary outputs a guess $b' \in \{0, 1\}$. He wins the game if $b = b'$.
The advantage of an adversary $A$ attacking an IBE scheme $S$ is defined as
$$IBEAdv_{A,S}(\lambda) = \left| Pr[b = b'] - 1/2 \right|,$$
where the probability is computed over the random bits used by $C$ and $A$. An IBE scheme is anon-ind-id-cpa secure if, for any PPT adversary $A$, the advantage $IBEAdv_{A,S}(\lambda)$ is negligible. If we consider $id_0 = id_1$ in the above game, we obtain the concept of ind-id-cpa security.
We further state the security assumption used to prove the security of the IBE schemes mentioned in this paper.
Definition 2
(Quadratic Residuosity—qr). Choose two large prime numbers $p, q \geq 2^\lambda$ and compute $n = pq$. Let $A$ be a PPT algorithm that returns 1 on input $(x, n)$ if $x \in QR_n$. We define
$$ADV^{QR}_{A}(\lambda) = \left| Pr[A(x, n) = 1 \mid x \xleftarrow{\$} QR_n] - Pr[A(x, n) = 1 \mid x \xleftarrow{\$} J_n \setminus QR_n] \right|.$$
The Quadratic Residuosity assumption states that for any PPT algorithm $A$, the advantage $ADV^{QR}_{A}(\lambda)$ is negligible.

3. Generalized Galbraith’s Test

According to [5,14], Galbraith developed a test that shows that Cocks’ scheme [3] is not anonymous. A straightforward generalization of Galbraith’s test to the ring $\mathbb{Z}_n[x]/(x^2 - R)$ was introduced in [7,12]. More precisely, we define the generalized Galbraith test as
$$GT_n(R, f_0 x + f_1) = J_n(f_1^2 - f_0^2 R),$$
where $R \in J_n$ and $f_0 x + f_1 \in \mathbb{Z}_n[x]/(x^2 - R)$.
The authors of [7,12] briefly describe some aspects of the generalized version of the test, but some of their claims were not rigorously formulated and/or proved. More precisely, they assume that $f_0, f_1 \in \mathbb{Z}_n^*$, and this is not always the case (since we are working with polynomials from $\mathbb{Z}_n[x]/(x^2 - R)$ and not from $\mathbb{Z}_n^*[x]/(x^2 - R)$). Note that when $f_0, f_1 \in \mathbb{Z}_n^*$, the generalized Galbraith test is identical to the original Galbraith test.
In this limited scenario, Clear et al. prove that their scheme is anonymous by reducing their security proof to some results from [5,6]. Although it is not explicitly mentioned in [7,12], using the results from [5,6] we can also compute the probability of success of Galbraith’s test when we choose to use Clear et al.’s IBE scheme without implementing the anonymization technique.
The generalized Galbraith test is also used in [10] to show that their scheme is not anonymous. Although the authors also assume that $f_0, f_1 \in \mathbb{Z}_n^*$, they do not compute the test’s success probability for their IBE scheme, and in this case the probability cannot be derived from [5,6].
Motivated by these applications, we further study the generalized Galbraith test without any restrictions. More precisely, our goals are to better understand the behavior of the test and to derive the exact success probabilities of the test against Clear et al.’s and Zhao et al.’s non-anonymized IBE schemes.
Let $p$ and $q$ be two primes and $n = pq$ their product. In this section, we study the cardinalities of the following sets:
$$P_p^{\varepsilon}(R) = \{ f_0 x + f_1 \in \mathbb{Z}_p[x]/(x^2 - R) \mid J_p(f_1^2 - f_0^2 R) = \varepsilon \},$$
$$P_n^{0}(R) = \{ f_0 x + f_1 \in \mathbb{Z}_n[x]/(x^2 - R) \mid J_n(f_1^2 - f_0^2 R) = 0 \},$$
$$P_n^{\varepsilon_1, \varepsilon_2}(R) = \{ f_0 x + f_1 \in \mathbb{Z}_n[x]/(x^2 - R) \mid J_p(f_1^2 - f_0^2 R) = \varepsilon_1,\ J_q(f_1^2 - f_0^2 R) = \varepsilon_2 \},$$
where $\varepsilon \in \{-1, 0, 1\}$ and $\varepsilon_1, \varepsilon_2 \in \{-1, 1\}$.
Before stating our results, we first present a lemma from [6] that further helps us compute our desired cardinalities.
Lemma 1
([6]). Let $p > 2$ be a prime, $k = p \operatorname{div} 4$, and $R \in \mathbb{Z}_p^*$. Then,
$$|QR_p \cap (R + QR_p)| = \begin{cases} k - 1, & \text{if } p = 4k + 1 \text{ and } R \in QR_p, \\ k, & \text{if } p = 4k + 1 \text{ and } R \in QNR_p, \text{ or } p = 4k + 3. \end{cases}$$
Now let us compute the cardinality of $P_p^{\varepsilon}(R)$.
Lemma 2.
The following statements are true:
1. If $R \in QNR_p$ then $|P_p^0(R)| = 1$, else $|P_p^0(R)| = 2p - 1$.
2. If $R \in QNR_p$ then $|P_p^1(R)| = (p^2 - 1)/2$, else $|P_p^1(R)| = (p - 1)^2/2$.
3. If $R \in QNR_p$ then $|P_p^{-1}(R)| = (p^2 - 1)/2$, else $|P_p^{-1}(R)| = (p - 1)^2/2$.
Proof. 
To prove the first statement, we simply have to count the elements that satisfy $f_1^2 \equiv f_0^2 R \bmod p$. If $R \in QNR_p$, our single option is $f_0 = f_1 = 0$. Otherwise, for each non-zero value of $f_0^2$ we have two distinct $f_1$ values. Hence, we obtain $2(p - 1)$ further possibilities.
Now we prove the second statement. When $f_0, f_1 \not\equiv 0 \bmod p$, we can rewrite $f_1^2 - f_0^2 R$ as $c^2 - R$ (up to the square factor $f_0^2$, which does not change the Jacobi symbol), where $c \equiv f_0^{-1} f_1 \bmod p$. Using Lemma 1, we obtain that the number of possibilities is
$$\begin{cases} k - 1, & \text{if } p = 4k + 1 \text{ and } R \in QR_p, \\ k, & \text{if } p = 4k + 1 \text{ and } R \in QNR_p, \text{ or } p = 4k + 3. \end{cases}$$
When $f_0 \equiv 0 \bmod p$, we obtain $J_p(f_1^2) = 1$, and this is true only if $f_1 \not\equiv 0 \bmod p$. Hence, we obtain $p - 1$ possibilities.
In the case $f_1 \equiv 0 \bmod p$, we obtain $J_p(-f_0^2 R) = 1$, and thus $f_0 \not\equiv 0 \bmod p$. When $R \in QR_p$, we obtain $p - 1$ possibilities, and when $R \in QNR_p$, we have none.
Adding all the possibilities, we obtain
$$\begin{cases} (p - 1)[(p - 5)/2 + 2] = (p - 1)^2/2 & \text{if } p = 4k + 1 \text{ and } R \in QR_p, \\ (p - 1)[(p - 1)/2 + 1] = (p^2 - 1)/2 & \text{if } p = 4k + 1 \text{ and } R \in QNR_p, \\ (p - 1)[(p - 3)/2 + 1] = (p - 1)^2/2 & \text{if } p = 4k + 3 \text{ and } R \in QR_p, \\ (p - 1)[(p - 3)/2 + 2] = (p^2 - 1)/2 & \text{if } p = 4k + 3 \text{ and } R \in QNR_p. \end{cases}$$
The last statement is obtained by subtracting the cardinalities of $P_p^0(R)$ and $P_p^1(R)$ from $|\mathbb{Z}_p[x]/(x^2 - R)|$. □
Using the Chinese remainder theorem, we obtain the following cardinalities.
Corollary 1.
The following statements are true:
1. If $R \in J_n \setminus QR_n$ then $|P_n^0(R)| = p^2 + q^2 - 1$, else $|P_n^0(R)| = (2p - 1) q^2 + (2q - 1)(p - 1)^2$.
2. If $R \in J_n \setminus QR_n$ then $|P_n^{\varepsilon_1, \varepsilon_2}(R)| = (p^2 - 1)(q^2 - 1)/4$, else $|P_n^{\varepsilon_1, \varepsilon_2}(R)| = (p - 1)^2 (q - 1)^2/4$.
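The cardinalities in Lemma 2 and Corollary 1 can be checked directly for small primes. The following Python script is an added example, not part of the paper: it enumerates every $f_0 x + f_1$ over $\mathbb{Z}_p$ or $\mathbb{Z}_n$, sorts the polynomials by the symbol of $f_1^2 - f_0^2 R$, and compares the counts with the closed forms above; the primes 7, 11, 13 and the values of $R$ are constructed toy inputs.

```python
from itertools import product


def legendre(a, p):
    """Legendre symbol J_p(a) for an odd prime p, via Euler's criterion."""
    t = pow(a % p, (p - 1) // 2, p)
    return -1 if t == p - 1 else t


def galbraith_value(R, f0, f1):
    """The integer whose symbol the generalized Galbraith test returns: f1^2 - f0^2 R."""
    return f1 * f1 - f0 * f0 * R


def count_prime(p, R):
    """|P_p^eps(R)| for eps in {-1, 0, 1}, enumerating every f0*x + f1 over Z_p."""
    counts = {-1: 0, 0: 0, 1: 0}
    for f0, f1 in product(range(p), repeat=2):
        counts[legendre(galbraith_value(R, f0, f1), p)] += 1
    return counts


def lemma2(p, R):
    """The three cardinalities claimed by Lemma 2 for a prime p and R in Z_p^*."""
    if legendre(R, p) == -1:                       # R in QNR_p
        return {-1: (p * p - 1) // 2, 0: 1, 1: (p * p - 1) // 2}
    return {-1: (p - 1) ** 2 // 2, 0: 2 * p - 1, 1: (p - 1) ** 2 // 2}


def count_composite(p, q, R):
    """|P_n^0(R)| and the four |P_n^{e1,e2}(R)| for n = p*q, enumerating f0, f1 over Z_n."""
    counts = {0: 0, (1, 1): 0, (1, -1): 0, (-1, 1): 0, (-1, -1): 0}
    for f0, f1 in product(range(p * q), repeat=2):
        d = galbraith_value(R, f0, f1)
        e1, e2 = legendre(d, p), legendre(d, q)
        counts[0 if 0 in (e1, e2) else (e1, e2)] += 1   # J_n = 0 iff one factor gives 0
    return counts


def corollary1(p, q, R):
    """Corollary 1's cardinalities; R must lie in J_n, i.e. J_p(R) = J_q(R) != 0."""
    assert legendre(R, p) == legendre(R, q) != 0, "R must be in J_n"
    if legendre(R, p) == -1:                       # R in J_n \ QR_n
        zero, pair = p * p + q * q - 1, (p * p - 1) * (q * q - 1) // 4
    else:                                          # R in QR_n
        zero = (2 * p - 1) * q * q + (2 * q - 1) * (p - 1) ** 2
        pair = (p - 1) ** 2 * (q - 1) ** 2 // 4
    return {0: zero, (1, 1): pair, (1, -1): pair, (-1, 1): pair, (-1, -1): pair}


if __name__ == "__main__":
    # Constructed toy inputs: 2 is a QR and 3 a QNR mod 7; 3 is a QR and 2 a QNR mod 13.
    for p, R in ((7, 2), (7, 3), (13, 3), (13, 2)):
        print(p, R, count_prime(p, R) == lemma2(p, R))
    for R in (4, 6):                               # 4 in QR_77, 6 in J_77 \ QR_77
        print(77, R, count_composite(7, 11, R) == corollary1(7, 11, R))
```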
Let $h(x)$ be a polynomial such that $GT_n(R, h(x)) = -1$ and $A \subseteq \mathbb{Z}_n[x]/(x^2 - R)$ a set of polynomials. We further define the set
$$T_n(R, h(x), A) = \{ h(x) \cdot f(x) \mid f(x) \in A \}.$$
Lemma 3.
The following identity holds: $|T_p(R, h(x), A)| = |A|$.
Proof. 
If $R \in QNR_p$, then the polynomial $x^2 - R$ is irreducible. Hence, $\mathbb{Z}_p[x]/(x^2 - R)$ is a field. Therefore, multiplication by $h(x)$ only permutes the set $A$.
When $R \in QR_p$, we distinguish two cases. When $h(x)^{-1}$ exists, we again have a permutation of the set. Otherwise, $h(x)$ has the form $h(x) = t(x \pm r)$, for some $t \in \mathbb{Z}_p^*$, where $r^2 \equiv R \bmod p$. However, in this case we obtain $(tr)^2 - t^2 R = 0$, and this contradicts our assumption (i.e., $GT_n(R, h(x)) = -1$). Hence, $h(x)^{-1}$ always exists. □
Corollary 2.
The following identity holds: $|T_n(R, h(x), A)| = |A|$.
We further present a lemma stating that the generalized Galbraith test is “multiplicative”. This lemma is the basis of the anonymization technique described in [7,12].
Lemma 4
([7,12]). Let $e(x) \equiv f(x) \cdot g(x) \bmod (x^2 - R)$. Then $GT_n(R, e(x)) = GT_n(R, f(x)) \cdot GT_n(R, g(x))$.

4. Clear et al. IBE Scheme

4.1. Scheme Description

Clear et al. [12] were the first to study the algebraic structure of Cocks’ ciphertexts. A more in-depth study of the underlying structure can be found in [6,8,13]. As a result of their study, Clear et al. managed to describe a partially homomorphic IBE scheme [12], which they later improved so that it is also anonymous [7].
We further present a slightly improved version of Clear et al.’s IBE scheme. We start by presenting the non-anonymized version.
  • Setup($\lambda$): Given a security parameter $\lambda$, generate two primes $p, q > 2^\lambda$ and compute their product $n = pq$. The public parameters are $pp = \{n, u, H, H'\}$ and the master secret key is $msk = \{p, q\}$, where $u \in \mathbb{Z}_n$ is such that $J_p(u) = J_q(u) = -1$, and $H : \{0,1\}^* \to J_n$ and $H' : \{0,1\}^* \to \mathbb{Z}_n[x]/(x^2 - R)$ are two cryptographic hash functions. Note that $H'$ must also satisfy the property that for any identity $id \in \{0,1\}^*$, $R \leftarrow H(id)$ and $h(x) \leftarrow H'(id)$, it holds that
    $$GT_n(R, h(x)) = GT_n(uR, h(x)) = -1.$$
  • KeyGen($pp, msk, id$): Let $R = H(id)$. If $R \in QR_n$, then compute $r \leftarrow R^{1/2} \bmod n$. Otherwise, compute $r \leftarrow (uR)^{1/2} \bmod n$. The private key is $r$.
  • Enc($pp, id, m$): On input $pp$, an identity $id$ and a message $m \in \{-1, 1\}$, compute the hash value $R = H(id)$ and randomly choose two polynomials $f(x), \bar f(x)$ of degree 1 from $\mathbb{Z}_n[x]$ such that $J_n(f_1) = J_n(\bar f_1) = m$, where $f_1 = f(0)$ and $\bar f_1 = \bar f(0)$. Furthermore, calculate
    $$g(x) \leftarrow f_1^{-1} \cdot f(x)^2 \bmod (x^2 - R) \quad \text{and} \quad \bar g(x) \leftarrow (\bar f_1)^{-1} \cdot \bar f(x)^2 \bmod (x^2 - uR).$$
    Return the ciphertext $C = (g(x), \bar g(x))$.
  • Dec($r, C$): On input $pp$, a secret key $r$ and a ciphertext $C = (c(x), \bar c(x))$, compute
    $$m = \begin{cases} J_n(c(r)) & \text{if } r^2 \equiv H(id) \bmod n; \\ J_n(\bar c(r)) & \text{otherwise}. \end{cases}$$
Correctness: The correctness of the decryption algorithm follows by noticing that when $r^2 \equiv H(id) \bmod n$, we have
$$J_n(c(r)) = J_n(f_1^{-1} \cdot f(r)^2) = J_n(f_1^{-1}) = m.$$
When $r^2 \equiv uH(id) \bmod n$, we can proceed similarly.
Using the generalized Galbraith test, it can be shown that the scheme is not anonymous (see Section 4.3). Hence, we need to upgrade the scheme with an anonymization algorithm. We further describe the method as presented in [7,12]. Note that the Anon algorithm anonymizes the ciphertext, while DeAnon reverses the process.
  • Anon($pp, id, C$): Given the public parameters $pp$, an identity $id$ and a ciphertext $C = (c(x), \bar c(x))$, compute $R = H(id)$ and $h(x) = H'(id)$. Furthermore, generate two random bits $v_1, v_2 \in \{0, 1\}$ and calculate
    $$g(x) \leftarrow c(x) \cdot h(x)^{v_1} \bmod (x^2 - R), \qquad \bar g(x) \leftarrow \bar c(x) \cdot h(x)^{v_2} \bmod (x^2 - uR).$$
    Return the anonymized ciphertext $C = (g(x), \bar g(x))$.
  • DeAnon($pp, id, C$): On input $pp$, a secret key $r$, and a ciphertext $C = (c(x), \bar c(x))$, compute $R = H(id)$, $h(x) = H'(id)$ and
    $$g(x) \leftarrow c(x) \cdot h(x)^{(1 - w_1)/2} \bmod (x^2 - R), \qquad \bar g(x) \leftarrow \bar c(x) \cdot h(x)^{(1 - w_2)/2} \bmod (x^2 - uR),$$
    where $w_1 = GT_n(R, c(x))$ and $w_2 = GT_n(R, \bar c(x))$. Return the non-anonymized ciphertext $C = (g(x), \bar g(x))$.

4.2. Previous Analysis

Let $f(x) = ax + b$, where $a \in \mathbb{Z}_n$ and $b \in \mathbb{Z}_n^*$. Note that $J_n(b)$ is our message. Then
$$b^{-1} \cdot f(x)^2 \equiv b^{-1} \cdot (a^2 R + b^2 + 2abx) \equiv a^2 b^{-1} R + b + 2ax \bmod (x^2 - R).$$
In the IBE scheme presented in [12], the authors select random polynomials $f(x)$ until $GT_n(R, f(x)) = 1$. Furthermore, when proving the security of their scheme, they also impose an additional restriction, namely that $a^2 b^{-1} R + b \in \mathbb{Z}_n^*$. In the updated version of the scheme [7], the authors simply generate polynomials until $a^2 b^{-1} R + b \in \mathbb{Z}_n^*$. Using these restrictions, one can reduce the generalized version of Galbraith’s test to the original version. However, in reality, we should not be able to distinguish the polynomials generated by the IBE scheme from random polynomials from $\mathbb{Z}_n[x]/(x^2 - R)$. For this reason, in our version we removed the requirement $a^2 b^{-1} R + b \in \mathbb{Z}_n^*$, and as we shall see next, we can prove that we cannot distinguish these polynomials from random ones.

4.3. New Analysis

We first study the cardinality of the set
$$D_n(R) = \{ b^{-1}(ax + b)^2 \bmod (x^2 - R) \mid a \in \mathbb{Z}_n,\ b \in \mathbb{Z}_n^* \},$$
which contains the polynomials generated by the scheme presented in Section 4.1. Note that we further consider that $R \neq 0$. Otherwise, we can trivially recover $b$ by computing $f(0)$.
Lemma 5.
If $R \in QNR_p$ then $|D_p(R)| = (p^2 - 1)/2$, otherwise $|D_p(R)| = (p - 1)(p + 3)/2$.
Proof. 
Rewriting $b^{-1}(ax + b)^2 = d^{-1}(cx + d)^2$, we obtain
$$a^2 d R + b^2 d \equiv c^2 b R + d^2 b \bmod p, \qquad 2abd \equiv 2cdb \bmod p.$$
From the second equation, we obtain $a \equiv c \bmod p$. Keeping this in mind, the first equation becomes $(d - b)(a^2 R - bd) \equiv 0 \bmod p$. If $a \equiv 0 \bmod p$, then we obtain $d \equiv b \bmod p$, since $b, d \in \mathbb{Z}_p^*$. Else, either $d \equiv b \bmod p$ or $d \equiv b^{-1} a^2 R \bmod p$.
We further consider $a \not\equiv 0 \bmod p$. If $R \in QNR_p$ then $b \not\equiv b^{-1} a^2 R \bmod p$; otherwise, from $b \equiv \pm a R^{1/2} \bmod p$, we obtain $b \equiv b^{-1} a^2 R \bmod p$. Therefore, if $R \in QNR_p$, we obtain that $|D_p(R)| = (p - 1)(p - 1)/2 + p - 1 = (p - 1)(p + 1)/2$. Otherwise, we obtain $|D_p(R)| = [(p - 3)/2 + 2](p - 1) + p - 1 = (p - 1)(p + 3)/2$. □
Corollary 3.
If $R \in J_n \setminus QR_n$, then $|D_n(R)| = (p^2 - 1)(q^2 - 1)/4$, and if $R \in QR_n$, then $|D_n(R)| = (p - 1)(p + 3)(q - 1)(q + 3)/4$.
Now, we consider the set of ciphertexts that can be correctly decrypted,
$$D'_n(R) = \{ b^{-1}(ax + b)^2 \bmod (x^2 - R) \mid a \in \mathbb{Z}_n;\ b,\ ar + b \in \mathbb{Z}_n^* \}.$$
Lemma 6.
When $R \in QR_p$ we have $|D'_p(R)| = (p^2 - 1)/2$.
Proof. 
From $ar + b \not\equiv 0 \bmod p$ we obtain $a \not\equiv -b r^{-1} \bmod p$, since $r, b \in \mathbb{Z}_n^*$. Looking at the proof of Lemma 5, we observe that in the case $a \equiv 0 \bmod p$ the sets are not affected by the added restriction, since $-b r^{-1} \not\equiv 0 \bmod p$. When $a \not\equiv 0 \bmod p$, the only case that is affected is $b \equiv -ar \bmod p$. Therefore, we obtain our desired result. □
Corollary 4.
If $R \in QR_n$, then $|D'_n(R)| = (p^2 - 1)(q^2 - 1)/4$.
Corollary 5.
The probability of correct decryption is $1 - O(1/n)$.
Proof. 
From Corollaries 3 and 4 we obtain that the probability is
$$\frac{|D'_n(R)|}{|D_n(R)|} = \frac{(p + 1)(q + 1)}{(p + 3)(q + 3)} \approx 1 - O\left(\frac{1}{n}\right).$$
□
Now we will study ciphertexts with a given generalized Galbraith value. Thus, we define
$$D_p^{\varepsilon}(R) = \{ f_0 x + f_1 \in D_p(R) \mid J_p(f_1^2 - f_0^2 R) = \varepsilon \},$$
$$D_n^{0}(R) = \{ f_0 x + f_1 \in D_n(R) \mid J_n(f_1^2 - f_0^2 R) = 0 \},$$
$$D_n^{1}(R) = \{ f_0 x + f_1 \in D_n(R) \mid J_p(f_1^2 - f_0^2 R) = J_q(f_1^2 - f_0^2 R) = 1 \},$$
where $\varepsilon \in \{0, 1\}$.
Lemma 7.
The following statements are true:
1. If $R \in QNR_p$ then $|D_p^0(R)| = 0$, else $|D_p^0(R)| = 2(p - 1)$.
2. If $R \in QNR_p$ then $|D_p^1(R)| = (p^2 - 1)/2$, else $|D_p^1(R)| = (p - 1)^2/2$.
Proof. 
Since $f \in D_p^0(R)$, we have $(a^2 b^{-1} R + b)^2 - 4a^2 R \equiv 0 \bmod p$. This is equivalent to $a^2 b^{-1} R - b \equiv 0 \bmod p$. If $R \in QNR_p$, then $D_p^0(R) = \emptyset$. Otherwise, we obtain $(ar - b)(ar + b) \equiv 0 \bmod p$. Thus, we can rewrite the set as $D_p^0(R) = \{ 2a(x \pm r) \mid a \in \mathbb{Z}_p^* \}$.
We further count the distinct elements of $D_p^0(R)$. From $2a(x \pm r) \equiv 2c(x \pm r) \bmod (x^2 - R)$, we obtain $a \equiv c \bmod p$. From $2a(x + r) \equiv 2c(x - r) \bmod (x^2 - R)$ we obtain $a(x + r) - c(x - r) \equiv 0 \bmod (x^2 - R)$. Hence, we obtain $a = c = 0$, which is impossible. Thus, the cardinality of $D_p^0(R)$ is $2(p - 1)$.
The last statement results from observing that all the elements of $D_p(R)$ have Jacobi symbol $J_p(f_1^2 - f_0^2 R)$ equal to either 1 or 0 when $R \in QR_p$. Hence, using Lemma 5, we obtain our result. □
Corollary 6.
The following statements are true:
1. If $R \in J_n \setminus QR_n$, then $|D_n^0(R)| = 0$; else, if $R \in QR_n$, $|D_n^0(R)| = (p - 1)(q - 1)(p + q + 2)$.
2. If $R \in J_n \setminus QR_n$, then $|D_n^1(R)| = (p^2 - 1)(q^2 - 1)/4$; else, if $R \in QR_n$, $|D_n^1(R)| = (p - 1)^2 (q - 1)^2/4$.
Now we can properly analyze the efficiency of the generalized Galbraith test.
Corollary 7.
The probability that a ciphertext $f(x)$ produced by the scheme from Section 4.1 has $GT_n(R, f(x)) = 1$ is $1 - O(1/n)$.
Proof. 
According to Corollaries 4 and 6 we have
$$\frac{|D_n^1(R)|}{|D_n(R)|} = \begin{cases} 1 & \text{if } R \in J_n \setminus QR_n, \\ \dfrac{(p + 1)(q + 1)}{(p + 3)(q + 3)} \approx 1 + O\left(\dfrac{1}{n}\right) & \text{if } R \in QR_n. \end{cases}$$
□
Corollary 8.
The generalized Galbraith test can detect ciphertexts produced by the scheme from Section 4.1 with a probability of $1/2 + O(1/n)$.
Proof. 
According to Corollaries 1 and 3, we have
$$\frac{|D_n(R)|}{|P_n^{1,1}(R) \cup P_n^{-1,-1}(R)|} = \begin{cases} 1/2 & \text{if } R \in J_n \setminus QR_n, \\ \dfrac{(p + 3)(q + 3)}{2(p + 1)(q + 1)} \approx \dfrac{1}{2} + O\left(\dfrac{1}{n}\right) & \text{if } R \in QR_n. \end{cases}$$
□
Lemma 8.
The following equality holds: $D_p^1(R) = P_p^1(R)$.
Proof. 
We will show that $P_p^1(R) \subseteq D_p^1(R)$ and $D_p^1(R) \subseteq P_p^1(R)$. Our second inclusion is trivial, because $P_p^1(R)$ contains all possible degree-1 polynomials that have Jacobi symbol equal to 1. Now, let us focus on the first inclusion. We take a random $f = f_0 x + f_1 \in P_p^1(R)$, and we search for a pair $(a, b) \in \mathbb{Z}_p \times \mathbb{Z}_p^*$ such that $f_0 x + f_1 = b^{-1}(ax + b)^2 = 2ax + a^2 R b^{-1} + b$. From this, we have $f_0 \equiv 2a \bmod p$ and $f_1 \equiv a^2 R b^{-1} + b \bmod p$. As a result, we can derive $a \equiv 2^{-1} f_0 \bmod p$ and $b^2 - b f_1 + 4^{-1} f_0^2 R \equiv 0 \bmod p$. Therefore, we obtain $\Delta = f_1^2 - 4 \cdot 4^{-1} f_0^2 R = f_1^2 - f_0^2 R$, which has Jacobi symbol 1 according to the definition of $P_p^1(R)$.
Now let us assume that $b \equiv 0 \bmod p$. Then, we have $f_1 \pm (f_1^2 - f_0^2 R)^{1/2} \equiv 0 \bmod p$. This implies that $f_0^2 R \equiv 0 \bmod p$. Since $R \not\equiv 0 \bmod p$, we obtain that $f_0 \equiv 0 \bmod p$ and implicitly $a \equiv 0 \bmod p$. However, when $a \equiv 0 \bmod p$, we can choose the other root $b \equiv f_1 \bmod p$, which is different from 0, since we cannot have both $f_0$ and $f_1$ equal to 0.
When $f_0 \not\equiv 0 \bmod p$, we can choose $b$ as either of the two roots ($\Delta \not\equiv 0 \bmod p$). Thus, we obtain that $f \in D_p^1(R)$. This concludes our proof. □
Corollary 9.
The following equality holds: $D_n^1(R) = P_n^{1,1}(R)$.
Corollary 10.
Either $T_n(R, h(x), D_n^1(R)) = P_n^{-1,1}(R)$ or $T_n(R, h(x), D_n^1(R)) = P_n^{1,-1}(R)$, depending on whether $GT_p(R, h(x)) = -1$ or $GT_q(R, h(x)) = -1$.
Proof. 
We assume without loss of generality that $GT_p(R, h(x)) = -1$. Using Corollary 9, we obtain the equality $T_n(R, h(x), D_n^1(R)) = T_n(R, h(x), P_n^{1,1}(R))$. Since $P_n^{1,1}(R)$ contains all the polynomials $f(x)$ with $GT_n(R, f(x)) = 1$ and the generalized Galbraith test is “multiplicative” (see Lemma 4), we have $T_n(R, h(x), P_n^{1,1}(R)) \subseteq P_n^{-1,1}(R)$.
For the second inclusion, we use the fact that $h(x)$ has an inverse (see the proof of Lemma 3). Hence, $T_n(R, h(x)^{-1}, P_n^{-1,1}(R)) \subseteq P_n^{1,1}(R)$. This relation can be rewritten as $P_n^{-1,1}(R) \subseteq T_n(R, h(x), P_n^{1,1}(R))$. This concludes our proof. □
Remark 1.
Corollary 10 is also proven in [7], but using different techniques. We chose to reprove it since it follows directly from our analysis.
We further assume without loss of generality that $GT_p(R, h(x)) = -1$.
Corollary 11.
Let $P_n^{+,-}(R) = P_n^{1,1}(R) \cup P_n^{-1,1}(R)$ and $\tilde D_n(R) = D_n^1(R) \cup T_n(R, h(x), D_n^1(R))$. Then the distributions
$$X_n = \{ f(x) \mid f(x) \xleftarrow{\$} \tilde D_n(R) \}, \qquad Y_n = \{ f(x) \mid f(x) \xleftarrow{\$} P_n^{+,-}(R) \}$$
are identical.
In order to prove that their anonymization technique is secure, Clear et al. first established a series of computational indistinguishability results. The one that we are interested in states that
$$Z_n = \{ GT_n(R, f(x)) \mid f(x) \xleftarrow{\$} \tilde D_n(R) \}$$
is computationally indistinguishable from the uniform distribution $U$ on $\{-1, 1\}$, under the qr assumption. In [6], the authors prove a stronger result: the two distributions are statistically indistinguishable. Since we removed Clear et al.’s restriction, we need to prove that statistical indistinguishability still holds. Using the results developed in this subsection, we can prove exactly that.
Theorem 1.
The following distribution
$$Z_n = \{ GT_n(R, f(x)) \mid f(x) \xleftarrow{\$} \tilde D_n(R) \}$$
is statistically indistinguishable from the uniform distribution $U$ on $\{-1, 1\}$.
Proof. 
We will show that the statistical distance $\Delta(Z_n, U)$ between $Z_n$ and $U$ is negligible, where
$$\Delta(Z_n, U) = \frac{1}{2} \sum_{b \in \{-1, 1\}} \left| Pr[Z_n = b] - Pr[U = b] \right|.$$
Let $\bar D_n(R) = T_n(R, h(x), D_n(R))$ and $\bar D_n^1(R) = T_n(R, h(x), D_n^1(R))$. In order to compute $Pr[Z_n = b]$, we make use of Corollaries 1 and 2. Thus, taking into account that
$$Pr[f(x) \in D_n(R)] = Pr[f(x) \in \bar D_n(R)] = 1/2,$$
and that $f(x) \xleftarrow{\$} D_n(R) \cup \bar D_n(R)$, we obtain
$$Pr[Z_n = 1] = Pr[GT_n(R, f(x)) = 1] = Pr[GT_n(R, f(x)) = 1 \mid f(x) \in D_n(R)] \cdot Pr[f(x) \in D_n(R)] + Pr[GT_n(R, f(x)) = 1 \mid f(x) \in \bar D_n(R)] \cdot Pr[f(x) \in \bar D_n(R)] = \frac{1}{2} \cdot \frac{|D_n^1(R)|}{|\tilde D_n(R)|} + \frac{1}{2} \cdot \frac{|\bar D_n^1(R)|}{|\tilde D_n(R)|} = \frac{|D_n^1(R)|}{|\tilde D_n(R)|} = \frac{1}{2} + O\left(\frac{1}{n}\right).$$
In a similar way, one can obtain
$$Pr[Z_n = -1] = \frac{1}{2} + O\left(\frac{1}{n}\right).$$
Now, the statistical distance $\Delta(Z_n, U)$ becomes
$$\Delta(Z_n, U) = \frac{1}{2} \left( \left| \frac{1}{2} + O\left(\frac{1}{n}\right) - \frac{1}{2} \right| + \left| \frac{1}{2} + O\left(\frac{1}{n}\right) - \frac{1}{2} \right| \right) = O\left(\frac{1}{n}\right).$$
Since $n$ is exponentially large in the security parameter $\lambda$, the statistical distance is negligible. □
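The following Python script is an added toy implementation, not the authors’ code, of the scheme from Section 4.1 together with its Anon/DeAnon steps: it assumes two 14-bit primes, models $H$ and $H'$ as counter-based SHA-256 searches, and uses a constructed sample identity. Running it exhibits the facts proved in this section: a non-anonymized ciphertext never has $GT_n(R, \cdot) = -1$ (Corollary 7), so the test separates it from a random polynomial, decryption fails only with probability $O(1/n)$ (Corollary 5), and after Anon the test value is $\pm 1$ in roughly equal proportion (Theorem 1).

```python
import hashlib
import random

# Toy parameters, constructed for illustration only (a deployment uses ~1024-bit primes);
# both primes are 3 mod 4, so a square root of a quadratic residue a mod p is a^((p+1)/4).
P, Q = 10007, 10039
N = P * Q

def legendre(a, p):
    """Legendre symbol J_p(a) for an odd prime p, via Euler's criterion."""
    t = pow(a % p, (p - 1) // 2, p)
    return -1 if t == p - 1 else t

def jacobi(a):
    """Jacobi symbol J_N(a); the toy knows the factors, so it is J_P(a) * J_Q(a)."""
    return legendre(a, P) * legendre(a, Q)

def poly_mul(f, g, R):
    """Product of f0*x + f1 and g0*x + g1 in Z_N[x]/(x^2 - R); a polynomial is a pair (f0, f1)."""
    (f0, f1), (g0, g1) = f, g
    return ((f0 * g1 + f1 * g0) % N, (f1 * g1 + f0 * g0 * R) % N)

def galbraith(R, f):
    """Generalized Galbraith test GT_N(R, f0*x + f1) = J_N(f1^2 - f0^2 R)."""
    return jacobi(f[1] * f[1] - f[0] * f[0] * R)

def sqrt_mod_n(a):
    """A square root of the quadratic residue a modulo N, assembled from the prime moduli by CRT."""
    rp, rq = pow(a % P, (P + 1) // 4, P), pow(a % Q, (Q + 1) // 4, Q)
    return (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N

def hash_to_jn(identity):
    """H: {0,1}* -> J_N, modelled (assumption) as SHA-256 over identity|counter until J_N(R) = 1."""
    for ctr in range(10 ** 6):
        R = int.from_bytes(hashlib.sha256(f"{identity}|{ctr}".encode()).digest(), "big") % N
        if jacobi(R) == 1:
            return R

def hash_to_poly(identity):
    """H': {0,1}* -> Z_N[x]/(x^2 - R) with GT_N(R, h) = GT_N(uR, h) = -1, found by counter search."""
    R = hash_to_jn(identity)
    for ctr in range(10 ** 6):
        d = hashlib.sha256(f"{identity}|poly|{ctr}".encode()).digest()
        h = (int.from_bytes(d[:16], "big") % N, int.from_bytes(d[16:], "big") % N)
        if galbraith(R, h) == -1 and galbraith(U * R % N, h) == -1:
            return h

U = next(u for u in range(2, N) if legendre(u, P) == legendre(u, Q) == -1)  # J_P(u) = J_Q(u) = -1

def keygen(identity):
    """Private key r: a square root of R if R is a QR mod N, otherwise a square root of U*R."""
    R = hash_to_jn(identity)
    return sqrt_mod_n(R if legendre(R, P) == 1 else U * R % N)

def encrypt(identity, m, rng):
    """Non-anonymized ciphertext (g, g_bar) of m in {-1, 1}: g = f1^{-1} f(x)^2 mod (x^2 - R)."""
    R, parts = hash_to_jn(identity), []
    for modulus in (R, U * R % N):
        b = rng.randrange(1, N)
        while jacobi(b) != m:              # f1 = f(0) = b carries the message bit
            b = rng.randrange(1, N)
        f = (rng.randrange(N), b)
        g0, g1 = poly_mul(f, f, modulus)   # f(x)^2 mod (x^2 - modulus)
        binv = pow(b, -1, N)
        parts.append((g0 * binv % N, g1 * binv % N))
    return tuple(parts)

def decrypt(identity, r, c):
    """Dec: evaluate at r the component whose modulus r is a square root of, then take J_N."""
    c0, c1 = c[0] if r * r % N == hash_to_jn(identity) else c[1]
    return jacobi(c0 * r + c1)

def anonymize(identity, c, rng):
    """Anon: multiply each component by h(x)^v for an independent random bit v."""
    R, h = hash_to_jn(identity), hash_to_poly(identity)
    return tuple(poly_mul(comp, h, mod) if rng.randrange(2) else comp
                 for comp, mod in zip(c, (R, U * R % N)))

def deanonymize(identity, c):
    """DeAnon: by Lemma 4 the test shows whether h(x) was applied; if so, multiply by h(x) once
    more, so that c(r)*h(r)^2 has the same Jacobi symbol as c(r) and Dec works unchanged."""
    R, h = hash_to_jn(identity), hash_to_poly(identity)
    return tuple(poly_mul(comp, h, mod) if galbraith(mod, comp) == -1 else comp
                 for comp, mod in zip(c, (R, U * R % N)))

def run_demo(seed=2021, trials=200):
    """Decryption failures, Anon/DeAnon round-trip failures, and GT histograms before/after Anon."""
    rng, who = random.Random(seed), "alice@example.com"   # constructed sample identity
    r, R = keygen(who), hash_to_jn(who)
    dec_fail = round_fail = 0
    before, after = {-1: 0, 0: 0, 1: 0}, {-1: 0, 0: 0, 1: 0}
    for i in range(trials):
        m = (-1, 1)[i % 2]
        c = encrypt(who, m, rng)
        anon = anonymize(who, c, rng)
        dec_fail += decrypt(who, r, c) != m
        round_fail += decrypt(who, r, deanonymize(who, anon)) != m
        before[galbraith(R, c[0])] += 1
        after[galbraith(R, anon[0])] += 1
    return {"dec_fail": dec_fail, "round_fail": round_fail, "before": before, "after": after}
```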

5. Zhao et al. IBE Scheme

5.1. Scheme Description

In [10], the authors introduce two IBE schemes that work with polynomials modulo $n$, where $n$ is the product of two primes $p, q$ chosen such that $p \not\equiv q \bmod 4$. Zhao et al. prove the security of their schemes under the strong qr assumption (which is basically the qr assumption with the restriction that $p \not\equiv q \bmod 4$).
Starting from their first scheme, we devised a new scheme from which we removed the necessity of choosing $p \not\equiv q \bmod 4$. In this case, the proof from [10] can be easily adapted to obtain that our scheme is secure under the qr assumption.
  • Setup($\lambda$): Given a security parameter $\lambda$, generate two primes $p, q > 2^\lambda$ and compute their product $n = pq$. Randomly generate two integers $u, y \in \mathbb{Z}_n$ such that $J_p(u) = J_q(u) = -1$ and $J_p(y) = -J_q(y)$. The public parameters are $pp = \{n, u, y, H\}$, where $H : \{0,1\}^* \to J_n$ is a cryptographic hash function. The master secret key is $msk = \{p, q\}$.
  • KeyGen($pp, msk, id$): Let $R = H(id)$. If $R \in QR_n$, then compute $r \leftarrow R^{1/2} \bmod n$. Otherwise, compute $r \leftarrow (uR)^{1/2} \bmod n$. The private key is $r$.
  • Enc($pp, id, m$): On input $pp$, an identity $id$ and a message $m \in \{0, 1\}$, compute the hash value $R = H(id)$ and randomly choose two polynomials $f(x), \bar f(x)$ of degree 1 from $\mathbb{Z}_n[x]$. Furthermore, calculate
    $$g(x) = f(x)^2 \bmod (x^2 - R) \quad \text{and} \quad \bar g(x) = \bar f(x)^2 \bmod (x^2 - uR).$$
    Return the ciphertext $C = (y^m \cdot g(x), y^m \cdot \bar g(x))$.
  • Dec($pp, r, C$): On input $pp$, a secret key $r$ and a ciphertext $C = (c(x), \bar c(x))$, compute
    $$m = \begin{cases} J_n(c(r)) & \text{if } r^2 \equiv H(id) \bmod n; \\ J_n(\bar c(r)) & \text{otherwise}. \end{cases}$$
Correctness: The correctness of the decryption algorithm follows by noticing that when $r^2 \equiv H(id) \bmod n$, we have
$$J_n(c(r)) = J_n(y^m \cdot f(r)^2) = [J_p(y) \cdot J_q(y)]^m = [-J_p(y)^2]^m = (-1)^m,$$
and thus we can recover the message $m$. When $r^2 \equiv uH(id) \bmod n$, we can proceed similarly.
Although this proposal is not anonymous (see Section 5.3), it can be made so by using the same anonymization technique as in Section 4.1.

5.2. Previous Work

When $p \not\equiv q \bmod 4$ and $y = -1$, we obtain the scheme described in [10]. Note that in this case we can choose $h(x) = x$, since $GT_n(R, x \cdot c(x)) = -GT_n(R, c(x))$. When analyzing the scheme, the authors do not prove the success probability of decryption and of the generalized Galbraith test against their first proposal. Furthermore, when computing the size of the ciphertext space, Zhao et al. managed to prove that it is at least $(p - 1)(p - 3)(q - 1)(q - 3)/16$ (see the next section for the exact size). Two other aspects that are not rigorously stated are the two complexity assumptions used to prove the anonymity of their second scheme and the argument that leads to the necessity of these two assumptions.

5.3. New Analysis

We start with studying the cardinality of the following sets:
C n , 0 ( R ) = { ( a x + b ) 2 mod x 2 R a , b Z n } , C n , 1 ( R ) = { y ( a x + b ) 2 mod x 2 R a , b Z n } ,
which contain the polynomials generated by the scheme presented in Section 5.1. Note that we further consider that R 0 . Otherwise, we can trivially recover m by computing J n ( g ( 0 ) ) = J n ( y m b 2 ) = J n ( y m ) = ( 1 ) m .
Lemma 9.
Let $R \in QR_p$. If $J_p(y) = -1$, then $C_{p,0}(R) \cap C_{p,1}(R) = \{0\}$; else we have $C_{p,0}(R) = C_{p,1}(R)$. We also have $|C_{p,0}(R)| = |C_{p,1}(R)| = (p+1)^2/4$.
Proof. 
Let $J_p(y) = -1$. We first prove that $C_{p,0}(R) \cap C_{p,1}(R) = \{0\}$. Let $f(x) \in C_{p,0}(R) \cap C_{p,1}(R)$. Then $f(x) \equiv (ax+b)^2 \bmod (x^2 - R)$ and $f(x) \equiv y(cx+d)^2 \bmod (x^2 - R)$ for some $a, b, c, d \in \mathbb{Z}_p$. This is identical with
$$a^2R + b^2 \equiv y(c^2R + d^2) \bmod p, \qquad 2ab \equiv 2cd\,y \bmod p,$$
which is equivalent with
$$(ar + b)^2 \equiv y(cr + d)^2 \bmod p, \qquad (ar - b)^2 \equiv y(cr - d)^2 \bmod p.$$
If $cr + d \not\equiv 0 \bmod p$ or $cr - d \not\equiv 0 \bmod p$, the corresponding equation shows that $y \equiv \big((ar \pm b)(cr \pm d)^{-1}\big)^2 \bmod p$, i.e. $y \in QR_p \cup \{0\}$, a contradiction. Therefore $cr + d \equiv cr - d \equiv 0 \bmod p$, which gives $c = d = 0$, and then $ar + b \equiv ar - b \equiv 0 \bmod p$ gives $a = b = 0$. Thus $f(x) = 0$.
When $J_p(y) = 1$, we have
$$f(x) \equiv y(ax+b)^2 \equiv u^2(ax+b)^2 \equiv (uax + ub)^2 \bmod (x^2 - R),$$
where $u^2 \equiv y \bmod p$. Hence, if $f(x) \in C_{p,1}(R)$, then $f(x) \in C_{p,0}(R)$. Similarly, replacing $u$ by $u^{-1}$, if $f(x) \in C_{p,0}(R)$, then $f(x) \in C_{p,1}(R)$. Therefore, $C_{p,0}(R) = C_{p,1}(R)$.
For the cardinality, note that $R \in QR_p$ gives $x^2 - R = (x - r)(x + r)$ with $r \not\equiv -r \bmod p$, so by the Chinese remainder theorem $f(x) \mapsto (f(r), f(-r))$ is a ring isomorphism $\mathbb{Z}_p[x]/(x^2 - R) \to \mathbb{Z}_p \times \mathbb{Z}_p$. Under it, $(ax+b)^2$ corresponds to $\big((ar+b)^2, (b - ar)^2\big)$, and $(a, b) \mapsto (ar + b, b - ar)$ is a bijection of $\mathbb{Z}_p^2$ (its determinant $2r$ is nonzero). Hence $C_{p,0}(R)$ corresponds exactly to $(QR_p \cup \{0\}) \times (QR_p \cup \{0\})$, and $|C_{p,0}(R)| = [(p-1)/2 + 1]^2 = (p+1)^2/4$. Since $C_{p,1}(R) = y \cdot C_{p,0}(R)$ and multiplication by $y$ is a bijection, we also obtain $|C_{p,1}(R)| = (p+1)^2/4$. □
Corollary 12.
Let $R \in QR_n$. We assume without loss of generality that $J_p(y) = 1$ (and hence $J_q(y) = -1$). Then $|C_{n,0}(R)| = |C_{n,1}(R)| = (p+1)^2(q+1)^2/16$. Furthermore, $|C_{n,0}(R) \cap C_{n,1}(R)| = (p+1)^2/4$ and $|C_{n,0}(R) \cup C_{n,1}(R)| = (p+1)^2(q+1)^2/8 - (p+1)^2/4$.
Lemma 10.
Let $R \in QNR_p$. Then we have $|C_{p,0}(R)| = (p^2+1)/2$ and $C_{p,0}(R) = C_{p,1}(R)$.
Proof. 
Since $R \in QNR_p$, $\mathbb{Z}_p[x]/(x^2 - R)$ is a field. Let $g_1(x) = a_1x + b_1 \neq 0$ and $g_2(x) = a_2x + b_2 \neq 0$, and let $f_1(x) = g_1(x)^2$, $f_2(x) = g_2(x)^2 \in C_{p,0}(R)$. If $f_1(x) \equiv f_2(x) \bmod (x^2 - R)$, then $(g_1(x)\,g_2(x)^{-1})^2 \equiv 1 \bmod (x^2 - R)$. Thus, $g_1(x)\,g_2(x)^{-1} \equiv \pm 1 \bmod (x^2 - R)$, which is equivalent with $g_1(x) \equiv \pm g_2(x) \bmod (x^2 - R)$. Hence the $p^2 - 1$ nonzero elements yield $(p^2-1)/2$ distinct nonzero squares, and $|C_{p,0}(R)| = (p^2-1)/2 + 1 = (p^2+1)/2$.
Let $0 \neq f(x) \in C_{p,0}(R) \cap C_{p,1}(R)$. Then $f(x) \equiv g(x)^2 \bmod (x^2 - R)$ and $f(x) \equiv y\,h(x)^2 \bmod (x^2 - R)$ for some $g(x), h(x) \in \mathbb{Z}_p[x]/(x^2 - R) \setminus \{0\}$. This is equivalent with
$$y \equiv (g(x)\,h(x)^{-1})^2 \equiv (v + wx)^2 \equiv v^2 + w^2R + 2vwx \bmod (x^2 - R),$$
which translates into
$$v^2 + w^2R \equiv y \bmod p, \qquad 2vw \equiv 0 \bmod p.$$
We either have $v = 0$ or $w = 0$. Hence, either $w^2 \equiv yR^{-1} \bmod p$ or $v^2 \equiv y \bmod p$. If $J_p(y) = -1$, then the second equality leads to a contradiction, and hence $v = 0$ and $w \equiv (yR^{-1})^{1/2} \bmod p$, which exists because $yR^{-1}$ is a product of two non-residues. This leads to $g(x)\,h(x)^{-1} \equiv (yR^{-1})^{1/2}x \bmod (x^2 - R)$. Conversely, $y \equiv \big((yR^{-1})^{1/2}x\big)^2 \bmod (x^2 - R)$ is itself a square in the field, so every element $y\,h(x)^2$ of $C_{p,1}(R)$ is a square and, since $y^{-1}$ is a square as well, every square lies in $C_{p,1}(R)$. Hence, we obtain that $C_{p,0}(R) = C_{p,1}(R)$. If $J_p(y) = 1$, then the first equality leads to a contradiction ($yR^{-1} \in QNR_p$), and thus $v \equiv y^{1/2} \bmod p$ and $w = 0$. This leads to $g(x)\,h(x)^{-1} \equiv y^{1/2} \bmod (x^2 - R)$, and $y$ is again a square, so $C_{p,0}(R) = C_{p,1}(R)$. Therefore, we obtain our desired result. □
Corollary 13.
Let $R \in J_n \setminus QR_n$. Then $C_{n,0}(R) = C_{n,1}(R)$ and $|C_{n,0}(R)| = (p^2+1)(q^2+1)/4$.
Now, we consider the sets of ciphertexts that can be correctly decrypted, where $r$ is the private key ($r^2 \equiv R \bmod n$):
$$C'_{n,0}(R) = \{(ax+b)^2 \bmod (x^2 - R) \mid a, b \in \mathbb{Z}_n;\ ar + b \in \mathbb{Z}_n^*\}, \qquad C'_{n,1}(R) = \{y(ax+b)^2 \bmod (x^2 - R) \mid a, b \in \mathbb{Z}_n;\ ar + b \in \mathbb{Z}_n^*\}.$$
Lemma 11.
Let $R \in QR_p$. If $J_p(y) = -1$, then $C'_{p,0}(R) \cap C'_{p,1}(R) = \emptyset$; else we have $C'_{p,0}(R) = C'_{p,1}(R)$. We also have $|C'_{p,0}(R)| = |C'_{p,1}(R)| = (p^2-1)/4$.
Proof. 
We first note that $0 \notin C'_{p,0}(R) \cup C'_{p,1}(R)$, since an element $y^m(ax+b)^2$ of this union takes the unit value $y^m(ar+b)^2 \in \mathbb{Z}_p^*$ at $x = r$. Using Lemma 9 (and, when $J_p(y) = 1$, the fact that $y(ax+b)^2 = (uax+ub)^2$ with $u(ar+b) \in \mathbb{Z}_p^*$ iff $ar + b \in \mathbb{Z}_p^*$), we obtain the first statement.
Now, we want to see how many pairs $(a, b)$ collapse to the same polynomial. In the isomorphism $\mathbb{Z}_p[x]/(x^2 - R) \to \mathbb{Z}_p \times \mathbb{Z}_p$ used in the proof of Lemma 9, $(ax+b)^2$ corresponds to $\big((ar+b)^2, (b-ar)^2\big)$, and the restriction $ar + b \in \mathbb{Z}_p^*$ says precisely that the first coordinate is a nonzero square. Hence $C'_{p,0}(R)$ corresponds to $QR_p \times (QR_p \cup \{0\})$, which has $\frac{p-1}{2} \cdot \frac{p+1}{2} = (p^2-1)/4$ elements. Since multiplication by $y$ is a bijection, we similarly obtain $|C'_{p,1}(R)| = (p^2-1)/4$. □
Corollary 14.
Let $R \in QR_n$. Then $|C'_{n,0}(R)| = |C'_{n,1}(R)| = (p^2-1)(q^2-1)/16$. Furthermore, $C'_{n,0}(R) \cap C'_{n,1}(R) = \emptyset$ and $|C'_{n,0}(R) \cup C'_{n,1}(R)| = (p^2-1)(q^2-1)/8$.
Corollary 15.
The probability of correct decryption, for a ciphertext chosen uniformly at random from $C_{n,0}(R) \cup C_{n,1}(R)$, is $1 - O(1/p + 1/q)$.
Proof. 
From Corollaries 12 and 14, we obtain that the probability is
$$\frac{|C'_{n,0}(R) \cup C'_{n,1}(R)|}{|C_{n,0}(R) \cup C_{n,1}(R)|} = \frac{(p^2-1)(q^2-1)}{(p+1)^2(q+1)^2 - 8\delta} = 1 - O\!\left(\frac{1}{p} + \frac{1}{q}\right),$$
where $\delta \in \{(p+1)^2/4, (q+1)^2/4\}$; the last step follows because numerator and denominator differ by a factor $\frac{(p-1)(q-1)}{(p+1)(q+1)}\big(1 + O(1/p^2 + 1/q^2)\big)$. □
Now we will study ciphertexts with a given generalized Galbraith value. Thus, we define
$$C_p^{\varepsilon}(R) = \{f_0x + f_1 \in C_{p,0}(R) \cup C_{p,1}(R) \mid J_p(f_1^2 - f_0^2R) = \varepsilon\},$$
$$C_n^0(R) = \{f_0x + f_1 \in C_{n,0}(R) \cup C_{n,1}(R) \mid J_n(f_1^2 - f_0^2R) = 0\},$$
$$C_n^1(R) = \{f_0x + f_1 \in C_{n,0}(R) \cup C_{n,1}(R) \mid J_p(f_1^2 - f_0^2R) = J_q(f_1^2 - f_0^2R) = 1\},$$
where $\varepsilon \in \{0, 1\}$.
Lemma 12.
The following statements are true:
1. 
If $R \in QNR_p$ then $|C_p^0(R)| = 1$; else
$$|C_p^0(R)| = \begin{cases} p & \text{if } J_p(y) = 1, \\ 2p - 1 & \text{if } J_p(y) = -1. \end{cases}$$
2. 
If $R \in QNR_p$ then $|C_p^1(R)| = (p^2-1)/2$; else
$$|C_p^1(R)| = \begin{cases} (p-1)^2/4 & \text{if } J_p(y) = 1, \\ (p-1)^2/2 & \text{if } J_p(y) = -1. \end{cases}$$
Proof. 
Let $f = y^m(ax+b)^2 = y^m(a^2R + b^2 + 2abx)$, where $m \in \{0,1\}$, i.e. $f_0 = 2y^m ab$ and $f_1 = y^m(a^2R + b^2)$. We observe that
$$f_1^2 - f_0^2R = y^{2m}\big[(a^2R + b^2)^2 - 4a^2b^2R\big] = y^{2m}(a^2R - b^2)^2,$$
so $J_p(f_1^2 - f_0^2R) = J_p\big((a^2R - b^2)^2\big)$ is independent of $y$ and takes only the values $0$ and $1$.
Since $f \in C_p^0(R)$, we have $a^2R - b^2 \equiv 0 \bmod p$. If $R \in QNR_p$, this forces $a = b = 0$, and thus $C_p^0(R) = \{0\}$. Otherwise, we obtain $(ar - b)(ar + b) \equiv 0 \bmod p$, i.e. $b \equiv \pm ar \bmod p$, and since $(ax \pm ar)^2 \equiv 2a^2r(r \pm x) \bmod (x^2 - R)$, we can rewrite the set as $C_p^0(R) = \{2a^2r\,y^m(\pm x + r) \mid a \in \mathbb{Z}_p;\ m \in \{0,1\}\}$. Let
$$C_{p,0}^0(R) = \{2a^2r(\pm x + r) \mid a \in \mathbb{Z}_p\}, \qquad C_{p,1}^0(R) = \{2a^2r\,y(\pm x + r) \mid a \in \mathbb{Z}_p\}.$$
We further count the distinct elements of $C_{p,0}^0(R)$. From $2a^2r(\pm x + r) \equiv 2c^2r(\pm x + r) \bmod (x^2 - R)$, with the same sign on both sides, we obtain $a \equiv \pm c \bmod p$. From the relation $2a^2r(x + r) \equiv 2c^2r(-x + r) \bmod (x^2 - R)$ we obtain $a^2(x + r) + c^2(x - r) \equiv 0 \bmod (x^2 - R)$, i.e. $a^2 + c^2 \equiv a^2 - c^2 \equiv 0 \bmod p$, hence $a = c = 0$. Thus each sign yields $(p-1)/2 + 1 = (p+1)/2$ distinct polynomials, the two families share only $0$, and the cardinality of $C_{p,0}^0(R)$ is $p$. Similarly, $|C_{p,1}^0(R)| = p$.
Now let us consider the intersection of $C_{p,0}^0(R)$ and $C_{p,1}^0(R)$. From $2a^2r(\pm x + r) \equiv 2yc^2r(\pm x + r) \bmod (x^2 - R)$ we obtain $a^2 \equiv yc^2 \bmod p$, i.e. $a \equiv \pm\sqrt{y}\,c \bmod p$ if $J_p(y) = 1$, and $a = c = 0$ otherwise. Hence, $C_{p,0}^0(R) = C_{p,1}^0(R)$ if $J_p(y) = 1$, giving $|C_p^0(R)| = p$, and $C_{p,0}^0(R) \cap C_{p,1}^0(R) = \{0\}$ otherwise, giving $|C_p^0(R)| = 2p - 1$.
The last statement results from observing that all the elements of $C_{p,0}(R) \cup C_{p,1}(R)$ have Jacobi symbol $J_p(f_1^2 - f_0^2R)$ equal to either $1$ or $0$, so that $|C_p^1(R)| = |C_{p,0}(R) \cup C_{p,1}(R)| - |C_p^0(R)|$. Hence, using Lemmas 9 and 10, we obtain our result. □
Corollary 16.
We assume without loss of generality that $J_p(y) = 1$ (and hence $J_q(y) = -1$). Then the following statements are true:
1. 
If $R \in J_n \setminus QR_n$ then $|C_n^0(R)| = (p^2 + q^2)/2$; else, if $R \in QR_n$, $|C_n^0(R)| = (pq+1)(p+q)/2 - (p+1)^2/4$.
2. 
If $R \in J_n \setminus QR_n$ then $|C_n^1(R)| = (p^2-1)(q^2-1)/4$; else, if $R \in QR_n$, $|C_n^1(R)| = (p-1)^2(q-1)^2/8$.
Corollary 17.
The probability that a ciphertext $f(x)$ chosen uniformly at random from the ciphertext space $C_{n,0}(R) \cup C_{n,1}(R)$ of the scheme from Section 5.1 has $GT_n(R, f(x)) = 1$ is $1 - O(1/p^2 + 1/q^2)$ if $R \in J_n \setminus QR_n$ and $1 - O(1/p + 1/q)$ if $R \in QR_n$.
Proof. 
According to Corollaries 12, 13 and 16 we have
$$\frac{|C_n^1(R)|}{|C_{n,0}(R) \cup C_{n,1}(R)|} = \begin{cases} \dfrac{(p^2-1)(q^2-1)}{(p^2+1)(q^2+1)} = 1 - O\!\left(\dfrac{1}{p^2} + \dfrac{1}{q^2}\right) & \text{if } R \in J_n \setminus QR_n, \\[2ex] \dfrac{(p-1)^2(q-1)^2}{(p+1)^2(q+1)^2 - 8\delta} = 1 - O\!\left(\dfrac{1}{p} + \dfrac{1}{q}\right) & \text{if } R \in QR_n, \end{cases}$$
where $\delta \in \{(p+1)^2/4, (q+1)^2/4\}$. □
Corollary 18.
The generalized Galbraith test can detect ciphertexts produced by the scheme from Section 5.1 with a probability of $1/2 + O(1/p^2 + 1/q^2)$ if $R \in J_n \setminus QR_n$ and $1/4 + O(1/p + 1/q)$ if $R \in QR_n$.
Proof. 
Let $C_n(R) = C_{n,0}(R) \cup C_{n,1}(R)$. According to Corollaries 1, 12 and 13 we have
$$\frac{|C_n(R)|}{|P_n^{1,1}(R) \cup P_n^{-1,-1}(R)|} = \begin{cases} \dfrac{(p^2+1)(q^2+1)}{2(p^2-1)(q^2-1)} = \dfrac{1}{2} + O\!\left(\dfrac{1}{p^2} + \dfrac{1}{q^2}\right) & \text{if } R \in J_n \setminus QR_n, \\[2ex] \dfrac{(p+1)^2(q+1)^2 - 8\delta}{4(p-1)^2(q-1)^2} = \dfrac{1}{4} + O\!\left(\dfrac{1}{p} + \dfrac{1}{q}\right) & \text{if } R \in QR_n, \end{cases}$$
where $\delta \in \{(p+1)^2/4, (q+1)^2/4\}$. □
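As an added example (this script is ours, not code from the paper or from [10]), the following Python program brute-forces the sets of Section 5.3 for toy primes and compares their cardinalities with the closed forms of Corollaries 12 to 18; it also checks that every decryptable ciphertext of Section 5.1 decrypts to the right bit. It assumes the parameters of [10], $y = -1$ with $p \not\equiv q \bmod 4$ (so $J_n(y) = -1$), and that the generalized Galbraith value of $f_0x + f_1$ is $J_n(f_1^2 - f_0^2R)$; the $|P_n^+(R)|$ values it checks against are the denominators in the proof of Corollary 18. The toy parameters $p = 13$, $q = 7$, $R = 4$ and $R = 20$ and all function names are our own choices.

```python
# Added example (not code from the paper or from [10]): brute-force check of
# the counting results of Section 5.3 on toy parameters.  Assumptions: the
# scheme of Section 5.1 with y = -1 and p != q (mod 4), the parameters of
# [10], so that J_n(y) = -1; the generalized Galbraith value of f0 x + f1 is
# J_n(f1^2 - f0^2 R).  Function and variable names are ours.
from itertools import product
from math import gcd


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed by quadratic reciprocity."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:          # (2/n) = -1 exactly when n = 3, 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                # reciprocity: sign flips iff both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def encrypt(m, a, b, R, y, n):
    """y^m (a x + b)^2 in Z_n[x]/(x^2 - R), returned as (f0, f1) for f0 x + f1."""
    f0, f1 = (2 * a * b) % n, (a * a * R + b * b) % n
    return (f0, f1) if m == 0 else ((y * f0) % n, (y * f1) % n)


def decrypt(c, r, n):
    """Evaluate c at the private key r (r^2 = R mod n) and read m off J_n(c(r)).
    Returns None when c(r) is not a unit, i.e. when decryption fails."""
    f0, f1 = c
    s = jacobi((f0 * r + f1) % n, n)
    return None if s == 0 else (0 if s == 1 else 1)   # relies on J_n(y) = -1


def galbraith_components(f, R, p, q):
    """(J_p, J_q) of f1^2 - f0^2 R; their product is the generalized Galbraith value."""
    f0, f1 = f
    v = f1 * f1 - f0 * f0 * R
    return jacobi(v, p), jacobi(v, q)


def count_sets(p, q, R, y, r=None):
    """Brute-force the sets of Section 5.3 for n = p q.  r is a square root of R
    mod n (the private key); pass None when R is not a quadratic residue."""
    n = p * q
    assert jacobi(y, p) * jacobi(y, q) == -1, "the scheme needs J_n(y) = -1"
    C = {0: set(), 1: set()}   # C_{n,0}(R), C_{n,1}(R): all ciphertexts
    D = {0: set(), 1: set()}   # C'_{n,0}(R), C'_{n,1}(R): the decryptable ones
    wrong = 0                  # decryptable ciphertexts decrypting to the wrong bit
    for a, b in product(range(n), repeat=2):
        for m in (0, 1):
            c = encrypt(m, a, b, R, y, n)
            C[m].add(c)
            if r is not None and gcd(a * r + b, n) == 1:
                D[m].add(c)
                wrong += decrypt(c, r, n) != m
    cipher = C[0] | C[1]
    comps = [galbraith_components(c, R, p, q) for c in cipher]
    p_plus = 0                 # |P_n^+(R)|: all polynomials with J_p = J_q != 0
    for f in product(range(n), repeat=2):
        jp, jq = galbraith_components(f, R, p, q)
        p_plus += jp == jq != 0
    return {"C0": len(C[0]), "C1": len(C[1]),
            "inter": len(C[0] & C[1]), "union": len(cipher),
            "dec0": len(D[0]), "dec1": len(D[1]),
            "dec_inter": len(D[0] & D[1]), "dec_union": len(D[0] | D[1]),
            "wrong": wrong,
            "gt0": sum(1 for jp, jq in comps if jp * jq == 0),   # |C_n^0(R)|
            "gt1": sum(1 for jp, jq in comps if jp == jq == 1),  # |C_n^1(R)|
            "P_plus": p_plus}


def formulas(p, q, R_is_qr):
    """Closed forms of Corollaries 12-16, with p the prime for which J_p(y) = 1;
    the |P_n^+(R)| values are the denominators in the proof of Corollary 18."""
    if R_is_qr:
        return {"C0": (p + 1) ** 2 * (q + 1) ** 2 // 16, "inter": (p + 1) ** 2 // 4,
                "union": (p + 1) ** 2 * (q + 1) ** 2 // 8 - (p + 1) ** 2 // 4,
                "dec0": (p * p - 1) * (q * q - 1) // 16,
                "dec_union": (p * p - 1) * (q * q - 1) // 8,
                "gt0": (p * q + 1) * (p + q) // 2 - (p + 1) ** 2 // 4,
                "gt1": (p - 1) ** 2 * (q - 1) ** 2 // 8,
                "P_plus": (p - 1) ** 2 * (q - 1) ** 2 // 2}
    size = (p * p + 1) * (q * q + 1) // 4
    return {"C0": size, "inter": size, "union": size,
            "gt0": (p * p + q * q) // 2, "gt1": (p * p - 1) * (q * q - 1) // 4,
            "P_plus": (p * p - 1) * (q * q - 1) // 2}


def check(p, q, R, y, r=None):
    """Compare brute force with the closed forms; returns (counts, mismatches)."""
    counts = count_sets(p, q, R, y, r)
    bad = {k: (counts[k], v) for k, v in formulas(p, q, r is not None).items()
           if counts[k] != v}
    return counts, bad


if __name__ == "__main__":
    p, q, y = 13, 7, -1   # 13 = 1 (mod 4), 7 = 3 (mod 4): J_13(-1) = 1, J_91(-1) = -1
    for R, r in ((4, 2), (20, None)):   # 4 = 2^2 in QR_91; 20 = 5 * 4 in J_91 \ QR_91
        counts, bad = check(p, q, R, y, r)
        print(f"R = {R}: {counts}")
        print("  mismatches with the corollaries:", bad or "none")
        print(f"  |C_n^1|/|P_n^+| = {counts['gt1'] / counts['P_plus']:.4f},"
              f"  |C_n|/|P_n^+| = {counts['union'] / counts['P_plus']:.4f}")
```

For these parameters the brute-force counts agree with every closed form, and no decryptable ciphertext decrypts to the wrong bit. The script also prints that $|C_n^1(R)|/|P_n^+(R)|$ is exactly $1/4$ for $R = 4 \in QR_n$ and exactly $1/2$ for $R = 20 \in J_n \setminus QR_n$ (the ratios of the closed forms have no error term), whereas the ratios $|C_n(R)|/|P_n^+(R)|$ of Corollary 18 come out as about $0.59$ and $0.53$: for primes this small the $O(1/p + 1/q)$ and $O(1/p^2 + 1/q^2)$ terms are still large, which is why the corollaries are only meaningful for cryptographic sizes.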
Using our results, we further redo the analysis from [10] and present the exact assumptions used to prove that the IBE scheme from Section 5.1 can be anonymized using the technique described in Section 4.1.
Let $P_n^+(R) = P_n^{1,1}(R) \cup P_n^{-1,-1}(R)$ and $C_n(R) = C_{n,0}(R) \cup C_{n,1}(R)$ (recall that $uR \in J_n \setminus QR_n$, so Corollary 13 applies to $C_n(uR)$). According to Corollaries 1, 12 and 13, the sets $P_n^+(R)$, $P_n^+(uR)$, $C_n(R)$ and $C_n(uR)$ all have $\Theta(p^2q^2)$ elements; more precisely, $|C_n(R)| + |C_n(uR)| \approx 3p^2q^2/8 - \delta$, where $\delta \in \{p^2/4, q^2/4\}$, and by Corollary 18 the ciphertext space $C_n(R) \times C_n(uR)$ is roughly one eighth of $P_n^+(R) \times P_n^+(uR)$, i.e. a constant and not a negligible fraction of it. Since $p$ and $q$ are large primes, we can make the following computational assumption:
Assumption 1.
For an identity $id$, the set $P_n^+(R) \times P_n^+(uR)$ is computationally indistinguishable from the ciphertext space when $v_1 = v_2 = 0$ (i.e., $C_n(R) \times C_n(uR)$).
Let $P_n^-(R) = P_n^{1,-1}(R) \cup P_n^{-1,1}(R)$. According to Corollaries 1, 2, 12 and 13, the sets $P_n^-(R)$ and $P_n^-(uR)$ also have $\Theta(p^2q^2)$ elements, and
$$|T_n(R, h(x), C_n(R))| + |T_n(uR, h(x), C_n(uR))| = |C_n(R)| + |C_n(uR)| \approx 3p^2q^2/8 - \delta,$$
where $\delta \in \{p^2/4, q^2/4\}$ (the equality of cardinalities follows from Corollary 2). Since $p$ and $q$ are large primes, we can make the following computational assumption:
Assumption 2.
For an identity $id$, the set $P_n^-(R) \times P_n^-(uR)$ is computationally indistinguishable from the ciphertext space when $v_1 = v_2 = 1$ (i.e., $T_n(R, h(x), C_n(R)) \times T_n(uR, h(x), C_n(uR))$).

6. Conclusions

In this paper, we reevaluated the extension of Galbraith’s test to the polynomial ring Z n [ x ] / ( x 2 R ) . By studying its exact behaviour, we were able to perform a deeper and a more rigorous analysis of Clear et al.’s and Zhao et al.’s IBE schemes. Therefore, we offer the reader a better understanding of these two schemes. To be more specific, we obtained a precise value for the probability of a successful decryption, the exact efficiency of the generalized Galbraith test, and, in the case of Zhao et al.’s IBE scheme, a thorough description of the underlying security assumptions.

Future Work

In [15], the authors introduce an analog of Galbraith’s test for higher residues. We believe that a more in-depth study of this test can lead to a simpler description of it and can also help researchers to devise an anonymizing technique that renders this test ineffective.

Author Contributions

Conceptualization, G.T.; Formal analysis, P.C. and G.T.; Project administration, G.T.; Resources, P.C. and G.T.; Software, G.T.; Supervision, G.T.; Validation, P.C. and G.T.; Writing—original draft, P.C. and G.T.; Writing—review & editing, G.T. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Shamir, A. Identity-Based Cryptosystems and Signature Schemes. In CRYPTO 1984: Advances in Cryptology; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 1985; Volume 196, pp. 47–53.
  2. Boneh, D.; Franklin, M.K. Identity-Based Encryption from the Weil Pairing. In CRYPTO 2001: Advances in Cryptology; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2001; Volume 2139, pp. 213–229.
  3. Cocks, C. An Identity Based Encryption Scheme Based on Quadratic Residues. In Cryptography and Coding 2001: Cryptography and Coding; Lecture Notes in Computer Science; IMACC 2001; Springer: Berlin/Heidelberg, Germany, 2001; Volume 2260, pp. 360–363.
  4. Bellare, M.; Boldyreva, A.; Desai, A.; Pointcheval, D. Key-Privacy in Public-Key Encryption. In ASIACRYPT 2001: Advances in Cryptology; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2001; Volume 2248, pp. 566–582.
  5. Ateniese, G.; Gasti, P. Universally Anonymous IBE Based on the Quadratic Residuosity Assumption. In CT-RSA 2009: Topics in Cryptology; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2009; Volume 5473, pp. 32–47.
  6. Ţiplea, F.L.; Iftene, S.; Teşeleanu, G.; Nica, A.M. On the distribution of quadratic residues and non-residues modulo composite integers and applications to cryptography. Appl. Math. Comput. 2020, 372, 124993.
  7. Clear, M.; Tewari, H.; McGoldrick, C. Anonymous IBE from Quadratic Residuosity with Improved Performance. In AFRICACRYPT 2014: Progress in Cryptology; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2014; Volume 8469, pp. 377–397.
  8. Joye, M. Identity-Based Cryptosystems and Quadratic Residuosity. In Public-Key Cryptography–PKC 2016; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2016; Volume 9614, pp. 225–254.
  9. Boneh, D.; Gentry, C.; Hamburg, M. Space-efficient Identity Based Encryption Without Pairings. In Proceedings of the FOCS 2007, IEEE Computer Society, Providence, RI, USA, 20–23 October 2007; pp. 647–657.
  10. Zhao, X.; Cao, Z.; Dong, X.; Zheng, J. Anonymous IBE from Quadratic Residuosity with Fast Encryption. In ISC 2020: Information Security; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2020; Volume 12472, pp. 3–19.
  11. Schipor, G.A. On the Anonymization of Cocks IBE Scheme. In BalkanCryptSec 2014: Cryptography and Information Security in the Balkans; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2014; Volume 9024, pp. 194–202.
  12. Clear, M.; Hughes, A.; Tewari, H. Homomorphic Encryption with Access Policies: Characterization and New Constructions. In AFRICACRYPT 2013: Progress in Cryptology; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2013; Volume 7918, pp. 61–87.
  13. Nica, A.M.; Țiplea, F.L. On Anonymization of Cocks’ Identity-based Encryption Scheme. Comput. Sci. J. Mold. 2019, 81, 283–298.
  14. Boneh, D.; Crescenzo, G.D.; Ostrovsky, R.; Persiano, G. Public Key Encryption with Keyword Search. In EUROCRYPT 2004: Advances in Cryptology; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2004; Volume 3027, pp. 506–522.
  15. Zhao, X.; Cao, Z.; Dong, X.; Shao, J. Extended Galbraith’s Test on the Anonymity of IBE Schemes from Higher Residuosity. Des. Codes Cryptogr. 2021, 89, 241–253.