In this section, we discuss Cocks’ method and the Boneh-Gentry-Hamburg method.
9.1.1 Cocks’ IBE
An elegant solution to the problem of constructing an IBE was given by Cocks [70].
Briefly, the idea is the following. Our description is based on [40].
For a positive integer $N$, the set $QR(N)$ consists of all quadratic residues modulo $N$, and $J(N)$ is the set of all elements of $\mathbb{Z}_N$ having Jacobi symbol 1. An element in $J(N) \setminus QR(N)$ is a non-square having Jacobi symbol 1.
Set-Up. The public parameters of the system consist of $N = pq$ (where $p$ and $q$ are primes such that factoring $N$ is hard); a random $u$ from $J(N) \setminus QR(N)$; and a hash function $H()$ which maps identities into $J(N)$. The master secret key is the factorization $(p, q)$ of $N$.
KeyGen. The secret key corresponding to an identity $\mathsf{id}$ is obtained by first computing $R = H(\mathsf{id})$ and then $r$ to be either $\sqrt{R}$ or $\sqrt{uR}$ according as $R$ is a square modulo $N$ or not. The secret key for $\mathsf{id}$ is $r$.
Encrypt. To encrypt a bit $m$ (represented as $+1$ or $-1$) using an identity $\mathsf{id}$, compute $R$ from $\mathsf{id}$ as above; randomly choose $t_0, t_1$ from $\mathbb{Z}_N$ and for $a \in \{0,1\}$ compute $d_a = (t_a^2 + u^a R)/t_a$ and $c_a = m \cdot \left(\frac{t_a}{N}\right)$. The ciphertext consists of the two elements $((d_0, c_0), (d_1, c_1))$.
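Decrypt. For decryption using identity $\mathsf{id}$ and secret key $r$, first set $a \in \{0,1\}$ such that $r^2 = u^a R$, where $R$ is obtained from $\mathsf{id}$ as above. Set $g = d_a + 2r$. Note that $g = \frac{(t_a + r)^2}{t_a}$ and hence $\left(\frac{g}{N}\right) = \left(\frac{t_a}{N}\right)$. So, the receiver can compute $m = c_a \cdot \left(\frac{g}{N}\right)$.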
While this is an interesting protocol, one main problem with it is that the size of the ciphertext is very large. The overhead consists of two elements of $\mathbb{Z}_N$ per bit of the message.
The security of the system is based on the quadratic residuosity (QR) assumption under the random oracle model. The QR assumption is that given an element $x$ of $J(N)$ it is hard to determine whether $x$ is actually a square modulo $N$, or whether it is a pseudo-square, i.e., it is a non-square modulo both $p$ and $q$. If $N$ can be factored into its constituent primes, then it is easy to solve the problem of determining the quadratic character of $x$. So, the hardness of the quadratic residuosity problem presupposes the hardness of the factoring problem.
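A toy run of the four algorithms above, added here as an example (not code from [70] or [40]). Assumptions: the constructed primes $2^{61}-1$ and $2^{89}-1$ (both congruent to 3 modulo 4, and far too small and well known for real use), the fixed choice $u = N - 1$ in place of a random $u$, and SHA-256 with a counter as $H$.

```python
import hashlib, secrets
from itertools import count

# Constructed toy parameters: Mersenne primes, both 3 mod 4. Not a secure size.
P, Q = 2**61 - 1, 2**89 - 1
N, U = P * Q, P * Q - 1  # assumption: u = -1 is a non-square mod P and mod Q

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed without factoring n."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def H(identity):
    """Hash into J(N) by re-hashing with a counter (assumed construction)."""
    for ctr in count():
        x = int.from_bytes(hashlib.sha256(f"{ctr}|{identity}".encode()).digest(), "big") % N
        if jacobi(x, N) == 1:
            return x

def keygen(identity):
    """Master-key holder: square root of R or uR, whichever is a square mod N."""
    R = H(identity)
    x = R if pow(R, (P - 1) // 2, P) == 1 else U * R % N  # R in J(N): square mod P iff mod Q
    rp, rq = pow(x, (P + 1) // 4, P), pow(x, (Q + 1) // 4, Q)
    return (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N  # CRT

def encrypt(m, identity):
    """Encrypt one bit m in {+1, -1}; returns ((d0, c0), (d1, c1))."""
    R, ct = H(identity), []
    for a in (0, 1):
        t = 0
        while jacobi(t, N) == 0:  # reject t = 0 and t sharing a factor with N
            t = secrets.randbelow(N)
        d = (t * t + pow(U, a, N) * R) * pow(t, -1, N) % N
        ct.append((d, m * jacobi(t, N)))
    return tuple(ct)

def decrypt(ct, identity, r):
    d, c = ct[0 if r * r % N == H(identity) else 1]  # r is a root of R or of uR
    return c * jacobi(d + 2 * r, N)  # g = d_a + 2r = (t_a + r)^2 / t_a
```

The sender never learns which of $R$ and $uR$ is the square, which is why both $(d_0, c_0)$ and $(d_1, c_1)$ are sent and why the overhead is two elements of $\mathbb{Z}_N$ per bit.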
9.1.2 Boneh-Gentry-Hamburg IBE
Boneh, Gentry and Hamburg [40] have given a non-pairing based IBE which is more space efficient compared to Cocks' method. The construction is described in two parts. In the first part, an IBE is described which encrypts a single bit. This is a general description of which the Cocks-IBE is not an instantiation. In the second part, they show how to reuse the random elements for more than one bit. It is such reuse which significantly reduces the size of the ciphertext compared to Cocks' scheme.
Below we describe the IBE from [40] for which the ciphertext length is $\lceil \log_2 N \rceil + 2\ell$ for an $\ell$-bit message and $N = pq$ as before. This construction is called BasicIBE in [40]. Another construction is described for which the ciphertext is $\lceil \log_2 N \rceil + (\ell + 1)$ bits long. The description of this construction is omitted.
BasicIBE.
Let $\mathcal{ID}$ denote the identity space.
Set-Up. Let $N = pq$, where $p$ and $q$ are primes such that it is difficult to factorize $N$. Choose a uniform random $u$ from $J(N) \setminus QR(N)$. Let $H : \mathcal{ID} \times \{1, \ldots, \ell\} \to J(N)$ be a hash function which the security reduction models as a random oracle. The public parameters consist of $(N, u, H)$. The master secret key is $(p, q)$ along with a key $K$ for a pseudo-random function $F_K : \mathcal{ID} \times \{1, \ldots, \ell\} \to \{0, 1, 2, 3\}$.
KeyGen. The input consists of an identity $\mathsf{id}$, the master secret key $(p, q)$ and a message length parameter $\ell$. The decryption key $d_{\mathsf{id}}$ corresponding to $\mathsf{id}$ is $(r_1, \ldots, r_\ell)$ where the $r_j$'s are obtained as follows.

For $j = 1, \ldots, \ell$ do
  $R_j = H(\mathsf{id}, j) \in J(N)$;
  $w = F_K(\mathsf{id}, j) \in \{0, 1, 2, 3\}$;
  let $a \in \{0, 1\}$ be such that $u^a R_j \in QR(N)$;
  let $\{z_0, z_1, z_2, z_3\}$ be the four square roots of $u^a R_j$ in $\mathbb{Z}_N$;
  set $r_j = z_w$;
end.
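Encrypt. The input consists of the public parameters $(N, u, H)$, an identity $\mathsf{id}$ and a message $m = m_1 \cdots m_\ell \in \{-1, 1\}^\ell$. Generate a uniform random $s \in \mathbb{Z}_N$ and set $S = s^2$. The ciphertext is $(S, c, \bar{c})$ where $c = (c_1, \ldots, c_\ell)$ and $\bar{c} = (\bar{c}_1, \ldots, \bar{c}_\ell)$ and these are generated as follows.

For $j = 1, \ldots, \ell$ do
  $R_j = H(\mathsf{id}, j)$;
  $(f, g) = Q(N, R_j, S)$;
  $(\bar{f}, \bar{g}) = Q(N, uR_j, S)$;
  $c_j = m_j \cdot \left(\frac{g(s)}{N}\right)$;
  $\bar{c}_j = m_j \cdot \left(\frac{\bar{g}(s)}{N}\right)$;
end.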
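Decrypt. The input is a ciphertext $(S, c, \bar{c})$ encrypted to an identity $\mathsf{id}$ and the corresponding decryption key $d_{\mathsf{id}} = (r_1, \ldots, r_\ell)$.

For $j = 1, \ldots, \ell$ do
  $R_j = H(\mathsf{id}, j)$;
  if $r_j^2 = R_j$
    $(f, g) = Q(N, R_j, S)$;
    set $m_j = c_j \cdot \left(\frac{f(r_j)}{N}\right)$;
  if $r_j^2 = uR_j$
    $(\bar{f}, \bar{g}) = Q(N, uR_j, S)$;
    set $m_j = \bar{c}_j \cdot \left(\frac{\bar{f}(r_j)}{N}\right)$;
end;
output $m_1, \ldots, m_\ell$.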
The function $H$ generates elements in $J(N)$. Given a function $H'$ which generates elements in $\mathbb{Z}_N$, it is easy to construct $H$. Fix a publicly known element $z \in \mathbb{Z}_N$ whose Jacobi symbol is $-1$ and let $x = H'(\mathsf{id}, j)$. Now return either $x$ or $zx$ as the output of $H(\mathsf{id}, j)$ according as whether the Jacobi symbol of $x$ is $1$ or $-1$.
The algorithm $Q$ in the above description is a deterministic algorithm which takes three inputs (a positive integer $N$ and two elements of $\mathbb{Z}_N$) and returns two polynomials $f, g$ satisfying the following conditions.
• If $R$ and $S$ are quadratic residues and $r$ and $s$ are respectively any square roots of $R$ and $S$, then $f(r)g(s)$ is a quadratic residue.
• If $R$ is a quadratic residue and $r$ is any square root of $R$, then $f(r)f(-r)S$ is a quadratic residue.
From the first condition, it follows that $\left(\frac{f(r)}{N}\right)$ is equal to $\left(\frac{g(s)}{N}\right)$. The soundness of decryption follows from this condition. The second condition is required for the security reduction to go through. The following example of $Q$ has been described in [40]: given input $(N, R, S)$, construct a solution $(x, y) \in \mathbb{Z}_N^2$ to the equation $Rx^2 + Sy^2 = 1$ and output the polynomials $f(r) = xr + 1$ and $g(s) = 2ys + 2$.
The main difficulty in the scheme is in finding a suitable solution $(x, y)$. Several approaches are described in [40], but none of them are at the level of practicality for the accepted security level. Another approach to this problem is discussed in [111].
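Both conditions on $Q$ can be checked directly for the example $f(r) = xr + 1$, $g(s) = 2ys + 2$. The following verification is added here as a worked step, not quoted from [40]; it uses only $Rx^2 + Sy^2 = 1$, $r^2 = R$ and $s^2 = S$.

$$f(r)\,g(s) = (xr + 1)(2ys + 2) = 2xyrs + 2xr + 2ys + 2$$

$$(xr + ys + 1)^2 = \underbrace{x^2 R + y^2 S}_{=\,1} + 1 + 2xyrs + 2xr + 2ys = 2xyrs + 2xr + 2ys + 2$$

Hence $f(r)\,g(s) = (xr + ys + 1)^2$, which is a square in $\mathbb{Z}_N$, so the first condition holds. For the second condition,

$$f(r)\,f(-r)\,S = (1 + xr)(1 - xr)\,S = (1 - x^2 R)\,S = (S y^2)\,S = (yS)^2 .$$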