WO2016073057A2 - Method and apparatus for making cocks ciphertexts anonymous without ciphertext expansion - Google Patents


Info

Publication number
WO2016073057A2
Authority
WO (WIPO (PCT))
Application number
PCT/US2015/045804
Other languages
French (fr)
Other versions
WO2016073057A3 (en)
Inventor
Marc Joye
Original Assignee
Technicolor Usa, Inc.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L 9/3006 Public key ... underlying computational problems or public-key parameters
    • H04L 9/302 Public key ... underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes
    • H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00
    • H04L 2209/42 Anonymization, e.g. involving pseudonyms

Definitions

  • As pointed out by Galbraith (see [2]), Cocks' scheme is not anonymous. A detailed discussion of the so-called Galbraith test can be found in [1]. Given elements $c, R \in \mathbb{Z}/N\mathbb{Z}$, Galbraith's test computes the Jacobi symbol $J_N(c^2 - 4R)$. For a genuine Cocks component $c = t + R/t$ this equals $J_N\big((t - R/t)^2\big) = +1$, whereas for a uniformly random element of $\mathbb{Z}/N\mathbb{Z}$ it is $-1$ about half of the time; an eavesdropper can therefore test which identity (which $R = \mathcal{H}(\mathrm{id})$) a ciphertext was produced for.
  • the present embodiments provide a constructive method for anonymizing ciphertexts. Remarkably, it is at the same time practical and efficient.
  • the resulting anonymized Cocks ciphertexts and their generalizations have the same size as regular Cocks ciphertexts.
  • the same method readily applies to Cocks' companion public -key cryptosystem.
  • the inputs to the ANO procedure (410) are two elements $x, y \in \mathbb{Z}/N\mathbb{Z}$ and an element $\Gamma \in \mathbb{J}_N$ such that $J_N(x^2 - 4\Gamma) = 1$ (as holds for every genuine Cocks component) and $J_N(y^2 - 4\Gamma) = -1$ (the condition imposed on $d$ and $\bar{d}$).
  • DECRYPT can, as an alternative to evaluating $\gamma$ explicitly, set $\tau$ directly from the Jacobi symbol of a product of $\gamma'$, $\delta$ and $r$ (alternative (2) of the decryption method).
  • $N = pq$ is an RSA modulus.
  • $u$ is a quadratic non-residue in $\mathbb{J}_N$.
  • $\mathcal{H}$ is a hash function mapping bit-strings to $\mathbb{J}_N$.
  • the resulting anonymized ciphertext C can be decrypted as per the decryption algorithm presented before.
  • Procedure ANO is the same as the one described in the first exemplary embodiment.
  • the sixth exemplary embodiment is to use one of the methods of the first, second, or third exemplary embodiments, to fix the value of d as a global value to be used with all identities and to include it in the system parameters.
  • the extra condition on $d$ is then automatically fulfilled.
  • the proposed methods solve an open problem, namely anonymizing Cocks ciphertexts without ciphertext expansion. Further, the proposed methods are universal in the sense that no secret key is required to anonymize a ciphertext.
  • Cocks' scheme comes with strong security guarantees as it works in standard RSA groups: its security is well understood.
  • the presented methods allow one to convert, for free (i.e., without ciphertext expansion) Cocks ciphertexts into anonymous Cocks ciphertexts.
  • a notable application of anonymous IBEs resides in public key encryption with keyword search (PEKS) [2].
  • PEKS allows searching on data that is encrypted using a public-key system.
  • a typical application is for an email gateway to test whether or not the keyword "urgent" is present in an email. The gateway then routes the email if it is the case. Of course the gateway should only learn whether the word "urgent" is present but nothing else about the email. Further applications for PEKS can be found in [2].
  • FIG. 1 illustrates a block diagram of an exemplary system in which various aspects of the exemplary embodiments of the present principles may be implemented.
  • System 100 may be embodied as a device including the various components described below and is configured to perform the processes described above. Examples of such devices include, but are not limited to, personal computers, laptop computers, smartphones, tablet computers, digital multimedia set top boxes, digital television receivers, personal video recording systems, connected home appliances, and servers.
  • System 100 may be communicatively coupled to other similar systems, and to trusted third parties via a communication channel as shown in Figure 2 and as known by those skilled in the art to implement the exemplary cryptosystems described above.
  • the system 100 may include at least one processor 110 configured to execute instructions loaded therein for implementing the various processes as discussed above.
  • Processor 110 may include embedded memory, input output interface and various other circuitry as known in the art.
  • the system 100 may also include at least one memory 120 (e.g., a volatile memory device, a non-volatile memory device).
  • System 100 may additionally include a storage device 140, which may include non-volatile memory, including, but not limited to, EEPROM, ROM, PROM, RAM, DRAM, SRAM, flash, magnetic disk drive, and/or optical disk drive.
  • the storage device 140 may comprise an internal storage device, an attached storage device and/or a network accessible storage device, as non-limiting examples.
  • System 100 may also include an encryption/decryption module 130 configured to process data to provide an encrypted message or decrypted message.
  • Encryption/decryption module 130 represents the module(s) that may be included in a device to perform the encryption and/or decryption functions.
  • a device may include one or both of the encryption and decryption modules; for example, encryption may be done on a regular PC, since encryption does not involve a secret key, so the PC need not include secure memory for storing the input parameters (i.e., the public system parameters and the user's identity).
  • Decryption however, requires secret keys (i.e., the decryption key) and is done in a secure device, for example a smart card.
  • encryption functionality may not always be provided on a smart card.
  • the encryption and/or decryption may be performed using shared resources as known to those skilled in the art.
  • encryption/decryption module 130 may be implemented as a separate element of system 100 or may be incorporated within processors 110 as a combination of hardware and software as known to those skilled in the art.
  • Program code to be loaded onto processors 110 to perform the various processes described hereinabove may be stored in storage device 140 and subsequently loaded onto memory 120 for execution by processors 110.
  • one or more of the processor(s) 110, memory 120, storage device 140 and encryption/decryption module 130 may store one or more of the various items during the performance of the processes discussed herein above, including, but not limited to, a public key, private keys, encrypted messages, equations, formulas, matrices, variables, operations, and operational logic.
  • the system 100 may also include communication interface 150 that enables communication with other devices via communication channel 160.
  • the communication interface 150 may include, but is not limited to a transceiver configured to transmit and receive data from communication channel 160.
  • the communication interface may include, but is not limited to, a modem or network card and the communication channel may be implemented within a wired and/or wireless medium.
  • the various components of system 100 may be connected or communicatively coupled together using various suitable connections, including, but not limited to internal buses, wires, and printed circuit boards.
  • one or more of the above-identified components may receive and/or store the information (e.g., to be encrypted, resulting from decryption) and/or the ciphertext (e.g., to be decrypted, to be operated on homomorphically, resulting from encryption).
  • one or more of the above-identified components may receive and/or store the encryption function(s) and/or the decryption function(s), as described herein above.
  • the exemplary embodiments of this invention may be carried out by computer software implemented by the processor 110 or by hardware, or by a combination of hardware and software.
  • the exemplary embodiments of this invention may be implemented by one or more integrated circuits.
  • the memory 120 may be of any type appropriate to the technical environment and may be implemented using any appropriate data storage technology, such as optical memory devices, magnetic memory devices, semiconductor-based memory devices, fixed memory and removable memory, as non- limiting examples.
  • the processor 110 may be of any type appropriate to the technical environment, and may encompass one or more of microprocessors, general purpose computers, special purpose computers and processors based on a multi-core architecture, as non-limiting examples.
  • FIG. 2 illustrates an arrangement wherein data is exchanged between two terminals 210 and 220 in accordance with the present principles.
  • Each of the terminals 210 and 220 include encryptor/decryptor modules 230 and 240, respectively, and may additionally include each of the other components of system 100 described above, as appropriate.
  • Terminals 210 and 220 are communicatively coupled to each other via communication channel 250, which may be implemented via wired and/or wireless medium.
  • arrangement 200 may include a trusted third party 260 communicatively coupled to terminals 210 and 220, wherein third party 260 may in some cases, among other things, generate common parameters and the keys, distribute them to the terminals, certify the public keys generated, and/or generate common keys in a manner known to those skilled in the art.
  • the setup algorithm is performed by the trusted third party to generate, among other things, the master secret key.
  • a message can be encrypted and decrypted by the terminals as described above, and transmitted and received via communication channel 250.
  • Figure 3 illustrates a generalized flow diagram of the Cocks' scheme.
  • Figure 4 illustrates how the procedure ANO may be implemented in an exemplary system according to present principles in block diagram form.
  • Figure 5 illustrates how the ANO procedures may be used to implement an exemplary anonymous cryptosystem to produce an anonymous Cocks' ciphertext according to the present principles.
  • Figure 6 illustrates how to decrypt such an anonymous Cocks cipertext in an exemplary decryption system according to the present principles.
  • Figures 7 and 8 show exemplary flow charts according to the present principles.
  • the flow charts illustrate the cryptographic processes discussed above.
  • the processes of Figures 4 and 5 may be executed by e.g., a processor 110 of Figure 1.
  • the processes may represent, e.g., computer program products having the computer-executable instructions which may be stored in non-transitory computer-readable storage media 120 of Figure 1 as described before.
  • Figure 7 illustrates an exemplary process for producing an anonymous Cocks' ciphertext, according to an embodiment of the present principles.
  • it accesses the message m.
  • FIG. 8 illustrates another exemplary process for decrypting an anonymous Cocks cipertext, according to an embodiment of the present principles.
  • the embodiments described herein may be implemented in, for example, a method or a process, an apparatus, a software program, a data stream, or a signal. Even if only discussed in the context of a single form of implementation (for example, discussed only as a method), the implementation of features discussed above may also be implemented in other forms (for example, an apparatus or program).
  • An apparatus may be implemented in, for example, appropriate hardware, software, and firmware.
  • the methods may be implemented in, for example, an apparatus such as, for example, a processor, which refers to processing devices in general, including, for example, a computer, a microprocessor, an integrated circuit, or a programmable logic device. Processors also include communication devices, such as, for example, computers, cell phones, portable/personal digital assistants ("PDAs”), and other devices that facilitate communication of information between end-users.
  • Determining the information may include one or more of, for example, estimating the information, calculating the information, predicting the information, or retrieving the information from memory.
  • Accessing the information may include one or more of, for example, receiving the information, retrieving the information (for example, from memory), storing the information, processing the information, transmitting the information, moving the information, copying the information, erasing the information, calculating the information, determining the information, predicting the information, or estimating the information.
  • Receiving is, as with “accessing”, intended to be a broad term.
  • Receiving the information may include one or more of, for example, accessing the information, or retrieving the information (for example, from memory).
  • “receiving” is typically involved, in one way or another, during operations such as, for example, storing the information, processing the information, transmitting the information, moving the information, copying the information, erasing the information, calculating the information, determining the information, predicting the information, or estimating the information.
  • implementations may produce a variety of signals formatted to carry information that may be, for example, stored or transmitted.
  • the information may include, for example, instructions for performing a method, or data produced by one of the described embodiments.
  • a signal may be formatted to carry the bitstream of a described embodiment.
  • Such a signal may be formatted, for example, as an electromagnetic wave (for example, using a radio frequency portion of spectrum) or as a baseband signal.
  • the formatting may include, for example, encoding a data stream and modulating a carrier with the encoded data stream.
  • the information that the signal carries may be, for example, analog or digital information.
  • the signal may be transmitted over a variety of different wired and/or wireless links, as is known.
  • the signal may be stored on a processor-readable medium.

Abstract

Cocks' scheme is an efficient identity-based encryption scheme whose semantic security relies on a standard assumption. In particular, it does not use bilinear maps (a.k.a. pairings). Unlike most pairing-based schemes, Cocks' scheme is not anonymous. The present embodiments provide methods for anonymizing Cocks ciphertexts. Previous attempts in this direction resulted in longer ciphertexts or were quite impractical. The methods according to the present principles are computationally inexpensive and do not increase the size of the ciphertexts.

Description

METHOD AND APPARATUS FOR MAKING COCKS CIPHERTEXTS ANONYMOUS WITHOUT CIPHERTEXT EXPANSION
RELATED APPLICATION
This patent application claims the benefit of U.S. Provisional Application No. 62/055,738 filed on September 26, 2014, titled "Making Cocks Ciphertexts Anonymous without Ciphertext Expansion," the disclosure of which is incorporated by reference herein in its entirety.
Field of the Invention
The present principles relate to cryptography, and more specifically, to a cryptosystem directed to an identity-based encryption (IBE) scheme described by Clifford Cocks in his article "An identity based encryption scheme based on quadratic residues", In B. Honary, editor, Cryptography and Coding, volume 2260 of Lecture Notes in Computer Science, pages 360-363, Springer, 2001.
Background Information
This section is intended to introduce the reader to various aspects of art, which may be related to various aspects of the present invention that are described and/or claimed below. This discussion is believed to be helpful in providing the reader with background information to facilitate a better understanding of the various aspects of the present invention. Accordingly, it should be understood that these statements are to be read in this light, and not as admissions of prior art.
Referenced Documents
[1] Giuseppe Ateniese and Paolo Gasti. Universally anonymous IBE based on the quadratic residuosity assumption. In M. Fischlin, editor, Topics in Cryptology— CT-RSA 2009, volume 5473 of Lecture Notes in Computer Science, pages 32-47. Springer, 2009.
[2] Dan Boneh, Giovanni Di Crescenzo, Rafail Ostrovsky, and Giuseppe Persiano. Public key encryption with keyword search. In C. Cachin and J. Camenisch, editors, Advances in Cryptology— EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science, pages 506-522. Springer, 2004.
[3] Dan Boneh and Matthew K. Franklin. Identity-based encryption from the Weil pairing. SIAM J. Comput., 32(3):586-615, 2003.
[4] Dan Boneh, Craig Gentry, and Michael Hamburg. Space-efficient identity based encryption without pairings. In 48th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2007), pages 647-657. IEEE Computer Society, 2007.
[5] Michael Clear, Hitesh Tewari, and Ciaran McGoldrick. Anonymous IBE from quadratic residuosity with improved performance. In D. Pointcheval and D. Vergnaud, editors, Progress in Cryptology— AFRICACRYPT 2014, volume 8469 of Lecture Notes in Computer Science, pages 377-397. Springer, 2014.
[6] Clifford Cocks. An identity based encryption scheme based on quadratic residues. In B. Honary, editor, Cryptography and Coding, volume 2260 of Lecture Notes in Computer Science, pages 360-363. Springer, 2001.
[7] Giovanni Di Crescenzo and Vishal Saraswat. Public key encryption with searchable keywords based on Jacobi symbols. In K. Srinathan, CP. Rangan, and M. Yung, editors, Progress in Cryptology— INDOCRYPT 2007, volume 4859 of Lecture Notes in Computer Science, pages 282-296. Springer, 2007.
[8] Adi Shamir. Identity-based cryptosystems and signature schemes. In G. R. Blakley and D. Chaum, editors, Advances in Cryptology, Proceedings of CRYPTO '84, volume 196 of Lecture Notes in Computer Science, pages 47-53. Springer, 1985.
Cocks' scheme
The first efficient identity-based encryption scheme that does not rely on pairings over elliptic curves is due to Cocks [6]. It works in standard RSA (Rivest-Shamir-Adleman) groups. Its security relies on the quadratic residuosity assumption (in the random oracle model). For a positive integer $N$, we let $J_N(a)$ denote the Jacobi symbol modulo $N$ of an integer $a$ and $\mathbb{J}_N$ denote the subset of elements in $(\mathbb{Z}/N\mathbb{Z})^\times$ whose Jacobi symbol is $+1$, wherein $\mathbb{Z}/N\mathbb{Z}$ is the ring of integers modulo $N$ and $(\mathbb{Z}/N\mathbb{Z})^\times$ denotes its multiplicative group. Specifically, $\mathbb{Z}/N\mathbb{Z} = \{0, 1, 2, \dots, N-1\}$ and $(\mathbb{Z}/N\mathbb{Z})^\times = \{x \in \mathbb{Z}/N\mathbb{Z} : \gcd(x, N) = 1\}$. For example,
- if $N = 6$ then $\mathbb{Z}/N\mathbb{Z} = \{0,1,2,3,4,5\}$ and $(\mathbb{Z}/N\mathbb{Z})^\times = \{1, 5\}$;
- if $N = 7$ then $\mathbb{Z}/N\mathbb{Z} = \{0,1,2,3,4,5,6\}$ and $(\mathbb{Z}/N\mathbb{Z})^\times = \{1,2,3,4,5,6\}$.
We use $\mathbb{QR}_N$ to denote the set of quadratic residues in $\mathbb{J}_N$. The quadratic residuosity assumption says that, for some security parameter $\kappa$, the distributions
$$\mathcal{D}_{\mathrm{QR}}(\kappa) = \big\{(N, V) \mid (p, q) \xleftarrow{R} \mathrm{RSAgen}(\kappa),\ N \leftarrow pq,\ V \xleftarrow{R} \mathbb{QR}_N\big\}$$
and
$$\mathcal{D}_{\mathrm{NQR}}(\kappa) = \big\{(N, V) \mid (p, q) \xleftarrow{R} \mathrm{RSAgen}(\kappa),\ N \leftarrow pq,\ V \xleftarrow{R} \mathbb{J}_N \setminus \mathbb{QR}_N\big\}$$
are computationally indistinguishable, where $\mathrm{RSAgen}$ is a probabilistic polynomial-time algorithm that generates two equal-size primes $p$ and $q$, and $\xleftarrow{R}$ indicates a probabilistic process.
The generalized Cocks' scheme proceeds as follows. The generalized flow diagram of the process is illustrated as process 300 in Figure 3.
SETUP($1^\kappa$) Given a security parameter $\kappa$, SETUP 310 generates an RSA modulus $N = pq$ where $p$ and $q$ are prime. It also selects an element $u \in \mathbb{J}_N \setminus \mathbb{QR}_N$. The system parameters are $\mathsf{mpk} = \{N, u, \mathcal{H}\}$ where $\mathcal{H}$ is a cryptographic hash function mapping bit-strings to $\mathbb{J}_N$. The master secret key is $\mathsf{msk} = \{p, q\}$.
EXTRACT$_{\mathsf{msk}}$(id) Using hash function $\mathcal{H}$, EXTRACT 320 first sets $R = \mathcal{H}(\mathrm{id})$. If $R \in \mathbb{QR}_N$ it computes $r = R^{1/2} \bmod N$; otherwise it computes $r = (uR)^{1/2} \bmod N$. EXTRACT returns the user's private key $d_{\mathrm{id}} = \{r\}$.
ENCRYPT(id, $m$) To encrypt a message $m \in \{0, 1\}$ for the user with identity id, ENCRYPT 330 chooses at random $t, \bar{t} \in \mathbb{Z}/N\mathbb{Z}$ such that $J_N(t) = J_N(\bar{t}) = (-1)^m$. It then computes
$$c = t + \frac{R}{t} \bmod N \qquad\text{and}\qquad \bar{c} = \bar{t} + \frac{uR}{\bar{t}} \bmod N$$
where $R = \mathcal{H}(\mathrm{id})$. The returned ciphertext is $C = \{c, \bar{c}\}$.
DECRYPT$_{d_{\mathrm{id}}}$($C$) From $d_{\mathrm{id}} = \{r\}$ and $C = \{c, \bar{c}\}$, if $r^2 \equiv \mathcal{H}(\mathrm{id}) \pmod N$, DECRYPT 340 sets $\gamma = c$; otherwise it sets $\gamma = \bar{c}$. Plaintext $m$ is then recovered as
$$m = \frac{1 - J_N(\gamma + 2r)}{2}.$$
Remark 1. The above description generalizes the original scheme. In [6], Cocks considers Blum integers; namely, RSA moduli $N = pq$ with $p, q \equiv 3 \pmod 4$. Doing so, it follows that $J_p(-1) = J_q(-1) = -1$ and therefore $-1 \in \mathbb{J}_N \setminus \mathbb{QR}_N$. The original scheme corresponds to the case $u = -1$.
SUMMARY OF THE INVENTION
The present invention recognizes the need to improve the existing systems and methods for implementing cryptosystems.
In accordance with an aspect of the present principles, a method is presented for communicating a message $m$, comprising:
accessing the message $m$;
generating an anonymized ciphertext $C = \{c', \bar{c}'\}$ where
$$c' = \mathrm{ANO}\big(c, d, \mathcal{H}(\mathrm{id})\big) \qquad\text{and}\qquad \bar{c}' = \mathrm{ANO}\big(\bar{c}, \bar{d}, u\mathcal{H}(\mathrm{id})\big)$$
for some $d, \bar{d} \in \mathbb{Z}/N\mathbb{Z}$ such that $J_N\big(d^2 - 4\mathcal{H}(\mathrm{id})\big) = J_N\big(\bar{d}^2 - 4u\mathcal{H}(\mathrm{id})\big) = -1$, where $C = \{c, \bar{c}\}$ is a generalized Cocks ciphertext of the message $m \in \{0,1\}$ for some identity id, $\mathcal{H}$ is a cryptographic hash function mapping bit-strings to elements of $\mathbb{J}_N$, $u \in \mathbb{J}_N \setminus \mathbb{QR}_N$, and $N$ is a composite integer, wherein the procedure ANO is defined as: $\mathrm{ANO}(x, y, \Gamma)$ returns $z$, where
$$z^{(0)} = x \qquad\text{and}\qquad z^{(1)} = \frac{xy + 4\Gamma}{x + y} \bmod N,$$
choosing at random $\beta \in \{0, 1\}$ and setting $z = z^{(\beta)}$;
and
transmitting the ciphertext $C = \{c', \bar{c}'\}$ via a communication channel.
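Why ANO defeats Galbraith's test, as an added derivation that is not part of the patent text, written in the symbols of the method above with $R = \mathcal{H}(\mathrm{id})$ and $J_N(d^2 - 4R) = -1$. For $\beta = 1$,
$$c' = \frac{cd + 4R}{c + d} \pmod N \qquad\Longrightarrow\qquad c'^2 - 4R = \frac{(cd + 4R)^2 - 4R\,(c + d)^2}{(c + d)^2} = \frac{(c^2 - 4R)\,(d^2 - 4R)}{(c + d)^2},$$
so, because $J_N$ is multiplicative and $J_N(x^{-1}) = J_N(x)$,
$$J_N(c'^2 - 4R) = J_N(c^2 - 4R)\, J_N(d^2 - 4R) = (+1)\,(-1) = -1,$$
whereas for $\beta = 0$ we have $c' = c$ and $J_N(c'^2 - 4R) = J_N\big((t - R/t)^2\big) = +1$. Galbraith's test therefore returns $+1$ and $-1$ with equal probability on an anonymized component, exactly as it does on a uniformly random element of $\mathbb{Z}/N\mathbb{Z}$, and the cost is one modular inversion with no change in ciphertext length. Anyone who can recompute $d$ and holds $r$ distinguishes the two cases by the same Jacobi symbol and undoes the map with
$$c = \frac{c'd - 4R}{d - c'} \pmod N,$$
which is what the decryption procedure below relies on. The same computation applies verbatim to $\bar{c}$, $\bar{d}$ and $uR$.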
In accordance with another aspect of the present principles, a method is presented for processing an anonymized ciphertext, comprising:
receiving the anonymized ciphertext $C = \{c', \bar{c}'\}$ via a communication channel, where $c' = \mathrm{ANO}\big(c, d, \mathcal{H}(\mathrm{id})\big)$ and $\bar{c}' = \mathrm{ANO}\big(\bar{c}, \bar{d}, u\mathcal{H}(\mathrm{id})\big)$ for some $d, \bar{d} \in \mathbb{Z}/N\mathbb{Z}$ such that $J_N\big(d^2 - 4\mathcal{H}(\mathrm{id})\big) = J_N\big(\bar{d}^2 - 4u\mathcal{H}(\mathrm{id})\big) = -1$, where $C = \{c, \bar{c}\}$ is a generalized Cocks ciphertext of a message $m \in \{0,1\}$ for an identity id, $\mathcal{H}$ is a cryptographic hash function mapping bit-strings to elements of $\mathbb{J}_N$, $u \in \mathbb{J}_N \setminus \mathbb{QR}_N$, and $N$ is a composite integer, wherein the procedure ANO is defined as: $\mathrm{ANO}(x, y, \Gamma)$ returns $z$, where $z^{(0)} = x$ and $z^{(1)} = \frac{xy + 4\Gamma}{x + y} \bmod N$, choosing at random $\beta \in \{0,1\}$ and setting $z = z^{(\beta)}$; and
generating a plaintext message $m$ by:
obtaining $d$ and $\bar{d}$,
from the decryption key $d_{\mathrm{id}} = \{r\}$ and the anonymized ciphertext $C = \{c', \bar{c}'\}$, if $r^2 \equiv \mathcal{H}(\mathrm{id}) \pmod N$, setting $\gamma' = c'$, $\delta = d$ and $\Delta = \mathcal{H}(\mathrm{id})$; otherwise setting $\gamma' = \bar{c}'$, $\delta = \bar{d}$ and $\Delta = u\mathcal{H}(\mathrm{id}) \bmod N$, and setting the message $m$ as one of
(1) $m = \dfrac{1 - J_N(\gamma + 2r)}{2}$, wherein
$$\gamma = \begin{cases} \gamma' & \text{if } J_N(\gamma'^2 - 4\Delta) = 1 \\[4pt] \dfrac{\gamma'\delta - 4\Delta}{\delta - \gamma'} \bmod N & \text{if } J_N(\gamma'^2 - 4\Delta) = -1 \end{cases}$$
(2) $m = \dfrac{1 - \tau}{2}$, wherein
$$\tau = \begin{cases} J_N(\gamma' + 2r) & \text{if } J_N(\gamma'^2 - 4\Delta) = 1 \\[4pt] J_N\big((\gamma' + 2r)(\delta - 2r)(\delta - \gamma')\big) & \text{if } J_N(\gamma'^2 - 4\Delta) = -1 \end{cases}$$
In accordance with another aspect of the present principles, an apparatus is presented for generating an anonymized ciphertext comprising:
a processor configured to generate the anonymized ciphertext $C = \{c', \bar{c}'\}$ from a message $m$ where
$$c' = \mathrm{ANO}\big(c, d, \mathcal{H}(\mathrm{id})\big) \qquad\text{and}\qquad \bar{c}' = \mathrm{ANO}\big(\bar{c}, \bar{d}, u\mathcal{H}(\mathrm{id})\big)$$
for some $d, \bar{d} \in \mathbb{Z}/N\mathbb{Z}$ such that $J_N\big(d^2 - 4\mathcal{H}(\mathrm{id})\big) = J_N\big(\bar{d}^2 - 4u\mathcal{H}(\mathrm{id})\big) = -1$, where $C = \{c, \bar{c}\}$ is a generalized Cocks ciphertext of the message $m \in \{0,1\}$ for some identity id, $\mathcal{H}$ is a cryptographic hash function mapping bit-strings to elements of $\mathbb{J}_N$, $u \in \mathbb{J}_N \setminus \mathbb{QR}_N$, and $N$ is a composite integer, wherein the procedure ANO is defined as: $\mathrm{ANO}(x, y, \Gamma)$ returns $z$, where $z^{(0)} = x$ and $z^{(1)} = \frac{xy + 4\Gamma}{x + y} \bmod N$, choosing at random $\beta \in \{0,1\}$ and setting $z = z^{(\beta)}$; and
a communication interface, coupled to a communication channel, configured to transmit the ciphertext $C = \{c', \bar{c}'\}$ via the communication channel.
In accordance with another aspect of the present principles, an apparatus is presented for processing an anonymized ciphertext, comprising:
a communication interface, coupled to a communication channel, configured to receive the anonymized ciphertext $C = \{c', \bar{c}'\}$ via the communication channel; and
a processor configured to access the ciphertext $C = \{c', \bar{c}'\}$, where
$c' = \mathrm{ANO}\big(c, d, \mathcal{H}(\mathrm{id})\big)$ and $\bar{c}' = \mathrm{ANO}\big(\bar{c}, \bar{d}, u\mathcal{H}(\mathrm{id})\big)$ for some $d, \bar{d} \in \mathbb{Z}/N\mathbb{Z}$ such that $J_N\big(d^2 - 4\mathcal{H}(\mathrm{id})\big) = J_N\big(\bar{d}^2 - 4u\mathcal{H}(\mathrm{id})\big) = -1$, where $C = \{c, \bar{c}\}$ is a generalized Cocks ciphertext of a message $m \in \{0,1\}$ for some identity id, $\mathcal{H}$ is a cryptographic hash function mapping bit-strings to elements of $\mathbb{J}_N$, $u \in \mathbb{J}_N \setminus \mathbb{QR}_N$, and $N$ is a composite integer; wherein the procedure ANO is defined as: $\mathrm{ANO}(x, y, \Gamma)$ returns $z$, where $z^{(0)} = x$ and $z^{(1)} = \frac{xy + 4\Gamma}{x + y} \bmod N$, choosing at random $\beta \in \{0,1\}$ and setting $z = z^{(\beta)}$; and wherein
the processor is further configured to generate a plaintext message $m$ by:
obtaining $d$ and $\bar{d}$,
from the decryption key $d_{\mathrm{id}} = \{r\}$ and the ciphertext $C = \{c', \bar{c}'\}$, if $r^2 \equiv \mathcal{H}(\mathrm{id}) \pmod N$, setting $\gamma' = c'$, $\delta = d$ and $\Delta = \mathcal{H}(\mathrm{id})$; otherwise setting $\gamma' = \bar{c}'$, $\delta = \bar{d}$ and $\Delta = u\mathcal{H}(\mathrm{id}) \bmod N$, and
setting the message $m$ as one of
(1) $m = \dfrac{1 - J_N(\gamma + 2r)}{2}$, wherein
$$\gamma = \begin{cases} \gamma' & \text{if } J_N(\gamma'^2 - 4\Delta) = 1 \\[4pt] \dfrac{\gamma'\delta - 4\Delta}{\delta - \gamma'} \bmod N & \text{if } J_N(\gamma'^2 - 4\Delta) = -1 \end{cases}$$
(2) $m = \dfrac{1 - \tau}{2}$, wherein
$$\tau = \begin{cases} J_N(\gamma' + 2r) & \text{if } J_N(\gamma'^2 - 4\Delta) = 1 \\[4pt] J_N\big((\gamma' + 2r)(\delta - 2r)(\delta - \gamma')\big) & \text{if } J_N(\gamma'^2 - 4\Delta) = -1 \end{cases}$$
In accordance with another aspect of the present principles, a computer program product stored in non-transitory computer-readable storage media is presented, comprising computer-executable instructions for:
accessing the message $m$;
generating an anonymized ciphertext $C = \{c', \bar{c}'\}$ where
$$c' = \mathrm{ANO}\big(c, d, \mathcal{H}(\mathrm{id})\big) \qquad\text{and}\qquad \bar{c}' = \mathrm{ANO}\big(\bar{c}, \bar{d}, u\mathcal{H}(\mathrm{id})\big)$$
for some $d, \bar{d} \in \mathbb{Z}/N\mathbb{Z}$ such that $J_N\big(d^2 - 4\mathcal{H}(\mathrm{id})\big) = J_N\big(\bar{d}^2 - 4u\mathcal{H}(\mathrm{id})\big) = -1$, where $C = \{c, \bar{c}\}$ is a generalized Cocks ciphertext of the message $m \in \{0,1\}$ for some identity id, $\mathcal{H}$ is a cryptographic hash function mapping bit-strings to elements of $\mathbb{J}_N$, $u \in \mathbb{J}_N \setminus \mathbb{QR}_N$, and $N$ is a composite integer, wherein the procedure ANO is defined as: $\mathrm{ANO}(x, y, \Gamma)$ returns $z$, where $z^{(0)} = x$ and $z^{(1)} = \frac{xy + 4\Gamma}{x + y} \bmod N$, choosing at random $\beta \in \{0,1\}$ and setting $z = z^{(\beta)}$; and
transmitting the ciphertext $C = \{c', \bar{c}'\}$ via a communication channel.
In accordance with another aspect of the present principles, a computer program product stored in non-transitory computer-readable storage media is presented, comprising computer-executable instructions for:
receiving the anonymized ciphertext $C = \{c', \bar{c}'\}$ via a communication channel; and accessing the ciphertext $C = \{c', \bar{c}'\}$, where
$c' = \mathrm{ANO}\big(c, d, \mathcal{H}(\mathrm{id})\big)$ and $\bar{c}' = \mathrm{ANO}\big(\bar{c}, \bar{d}, u\mathcal{H}(\mathrm{id})\big)$ for some $d, \bar{d} \in \mathbb{Z}/N\mathbb{Z}$ such that $J_N\big(d^2 - 4\mathcal{H}(\mathrm{id})\big) = J_N\big(\bar{d}^2 - 4u\mathcal{H}(\mathrm{id})\big) = -1$, where $C = \{c, \bar{c}\}$ is a generalized Cocks ciphertext of a message $m \in \{0,1\}$ for some identity id, $\mathcal{H}$ is a cryptographic hash function mapping bit-strings to elements of $\mathbb{J}_N$, $u \in \mathbb{J}_N \setminus \mathbb{QR}_N$, and $N$ is a composite integer; wherein the procedure ANO is defined as: $\mathrm{ANO}(x, y, \Gamma)$ returns $z$, where $z^{(0)} = x$ and $z^{(1)} = \frac{xy + 4\Gamma}{x + y} \bmod N$, choosing at random $\beta \in \{0,1\}$ and setting $z = z^{(\beta)}$;
and
generating a plaintext message $m$ by:
obtaining $d$ and $\bar{d}$,
from the decryption key $d_{\mathrm{id}} = \{r\}$ and the ciphertext $C = \{c', \bar{c}'\}$, if $r^2 \equiv \mathcal{H}(\mathrm{id}) \pmod N$, setting $\gamma' = c'$, $\delta = d$ and $\Delta = \mathcal{H}(\mathrm{id})$; otherwise setting $\gamma' = \bar{c}'$, $\delta = \bar{d}$ and $\Delta = u\mathcal{H}(\mathrm{id}) \bmod N$, and
setting the message $m$ as one of
(1) $m = \dfrac{1 - J_N(\gamma + 2r)}{2}$, wherein
$$\gamma = \begin{cases} \gamma' & \text{if } J_N(\gamma'^2 - 4\Delta) = 1 \\[4pt] \dfrac{\gamma'\delta - 4\Delta}{\delta - \gamma'} \bmod N & \text{if } J_N(\gamma'^2 - 4\Delta) = -1 \end{cases}$$
(2) $m = \dfrac{1 - \tau}{2}$, wherein
$$\tau = \begin{cases} J_N(\gamma' + 2r) & \text{if } J_N(\gamma'^2 - 4\Delta) = 1 \\[4pt] J_N\big((\gamma' + 2r)(\delta - 2r)(\delta - \gamma')\big) & \text{if } J_N(\gamma'^2 - 4\Delta) = -1 \end{cases}$$
DETAILED DESCRIPTION OF THE DRAWINGS
The above-mentioned and other features and advantages of this invention, and the manner of attaining them, will become more apparent and the invention will be better understood by reference to the following description of embodiments of the invention taken in conjunction with the accompanying drawings, wherein:
Figure 1 illustrates a block diagram of an exemplary system in which various aspects of the exemplary embodiments of the present principles may be implemented.
Figure 2 illustrates an arrangement wherein data is exchanged between two terminals, according to an embodiment of the present principles.
Figure 3 illustrates the generalized Cocks' scheme.
Figure 4 illustrates an exemplary apparatus for performing an ANO procedure, according to an embodiment of the present principles.
Figure 5 illustrates an exemplary process for producing an anonymous Cocks' ciphertext, according to an embodiment of the present principles.
Figure 6 illustrates an exemplary process for decrypting an anonymous Cocks ciphertext, according to an embodiment of the present principles.
Figure 7 illustrates another exemplary process for producing an anonymous Cocks' ciphertext, according to an embodiment of the present principles.
Figure 8 illustrates another exemplary process for decrypting an anonymous Cocks ciphertext, according to an embodiment of the present principles.
The examples set out herein are not to be construed as limiting the scope of the claims in any manner.
DETAILED DESCRIPTION
Companion public-key system
Cocks' IBE scheme can be turned into a public-key cryptosystem by seeing the identity, or more precisely the hashed value thereof, R = H(id), as the public key. Since the encryption key is made public in public-key cryptosystems (and so need not be extracted from an identity), one can choose R as a quadratic residue modulo N. This reduces the size of ciphertexts by a factor of 2. On the downside, the so-obtained system is no longer identity-based.
In more detail, we have the following public-key cryptosystem.
SETUP(1^κ) Given a security parameter κ, SETUP generates an RSA modulus N = pq where p and q are prime. Modulus N is shared among users and serves as a common reference string. The factorization of N is erased. The public parameters are PP = {N}.
KEYGEN(PP) Key generation algorithm KEYGEN chooses at random r ∈ Z/NZ and sets R = r² mod N. It outputs the public key upk = {R} and matching private key usk = {r}.
ENCRYPT_upk(m) To encrypt a message m ∈ {0,1}, ENCRYPT chooses at random t ∈ Z/NZ such that J_N(t) = (−1)^m and computes
c = t + R/t mod N.
The returned ciphertext is C = (c).
DECRYPT_usk(C) From ciphertext C = (c), DECRYPT recovers plaintext m as
m = (1 − J_N(c + 2r))/2.
Technical problems to solve
As pointed out by Galbraith (see [2]), Cocks' scheme is not anonymous. A detailed discussion of the so-called Galbraith's test can be found in [1]. Given elements c, R ∈ Z/NZ, Galbraith's test computes
J_N(c² − 4R).
Galbraith observes that if id is the recipient's identity of a Cocks ciphertext c (resp. ĉ) then, letting R = H(id), J_N(c² − 4H(id)) = 1 (resp. J_N(ĉ² − 4uH(id)) = 1). Also, for an identity id* ≠ id, the same test will result in a value of 1 or −1. Given two possible recipients with respective identities id_0 and id_1, a Cocks encryption of an ℓ-bit message therefore reveals whether the corresponding ciphertext is intended for id_0 or id_1. Ateniese and Gasti show in [1] that Galbraith's is the "best test" possible against the anonymity of Cocks' scheme.
Several attempts were made to address the issue of anonymity [4,7,1,5]. Among them the most efficient ones are those of Ateniese and Gasti [1] and the recent one by Clear et al. [5]. Table 1 in [5] gives a comparison of the schemes. On one hand, the scheme by Clear et al. features the best encryption and decryption times (i.e., 79 ms and 27 ms for a 128-bit message with a key size of 1024 bits in their setting). On the other hand, the scheme of [5] has poor space efficiency: ciphertext expansion is double that of Cocks' scheme and almost double that of the Ateniese-Gasti scheme [1].
The present embodiments provide a constructive method for anonymizing ciphertexts. Remarkably, it is at the same time practical and efficient. In particular, the resulting anonymized Cocks ciphertexts and their generalizations have the same size as regular Cocks ciphertexts. The same method readily applies to Cocks' companion public-key cryptosystem.
We use the notations described before. Let m ∈ {0,1} be a plaintext message and let C denote the corresponding ciphertext. Specifically, for some random integers t, t̂ satisfying
J_N(t) = J_N(t̂) = (−1)^m,
we have C = {c, ĉ} where
c = t + R/t mod N and ĉ = t̂ + uR/t̂ mod N
with R = H(id).
As discussed previously, when R = H(id), we have J_N(c² − 4R) = J_N(ĉ² − 4uR) = 1. This is known as Galbraith's test. Further, for an identity id* ≠ id, letting R* = H(id*), J_N(c² − 4R*) and J_N(ĉ² − 4uR*) have the same probability of being 1 or −1. The idea is to make Galbraith's test useless by transforming the ciphertext so that for all identities, id included, the output of Galbraith's test will be 1 or −1 with the same probability. The decryption algorithm should be adapted accordingly.
ANO procedure
Consider the following procedure ANO, illustrated generally in block diagram form in Figure 4. It transforms an element x ∈ Z/NZ such that J_N(x² − 4Γ) = 1 (i.e., Galbraith's test equal to 1 w.r.t. Γ) into an element whose Galbraith's test (w.r.t. Γ) is 1 or −1 with probability 1/2. The inputs to the ANO procedure (410) are two elements x, y ∈ Z/NZ and an element Γ ∈ J_N such that
J_N(x² − 4Γ) = −J_N(y² − 4Γ) = 1,
and the output is an element z ∈ Z/NZ. We write z = ANO(x, y, Γ).
1: procedure ANO(x, y, Γ)
2:   z^(0) ← x and z^(1) ← (xy + 4Γ)/(x + y) mod N
3:   Choose at random β ∈ {0,1} and set z ← z^(β)
4:   Return z.
5: end procedure
Application
We now show that if we define C' = {c', ĉ'} where
c' = ANO(c, d, R) and ĉ' = ANO(ĉ, d̂, uR)
then C' is an anonymized encryption of m, for some d, d̂ ∈ Z/NZ satisfying J_N(d² − 4R) = J_N(d̂² − 4uR) = −1.
Proof. Note that the one who encrypts does not know in advance whether R ∈ QR_N or not (note that if R ∉ QR_N then uR ∈ QR_N). This is why the one who encrypts has to send both c' and ĉ', and only one of c' and ĉ' is useful for decryption.
Suppose first that R ∈ QR_N. In this case, ĉ' is useless for decryption and leaks no information. Then, letting r = R^{1/2} mod N, we have:
1. If β = 0 then J_N(c'² − 4R) = J_N(c² − 4R) = 1;
2. If β = 1 then
J_N(c'² − 4R) = J_N(((cd + 4R)/(c + d))² − 4R) = J_N((cd + 4R)² − 4R(c + d)²)
= J_N((cd)² + (4R)² − 4R(c² + d²))
= J_N(c² − 4R) · J_N(d² − 4R) = −1.
The case R ∈ J_N \ QR_N is similar. We then have J_N(ĉ'² − 4uR) = 1 when β = 0 and J_N(ĉ'² − 4uR) = −1 when β = 1.
Decryption
The decryption algorithm has to be modified accordingly when β = 1. An exemplary process 600 of recovering the plaintext m is illustrated in Figure 6.
DECRYPT_{d,d̂}(C') DECRYPT obtains d and d̂, for example, but not limited to, as part of the system parameters mpk, as the result of a computation, or as fixed global parameters. From d_id = {r} and C' = {c', ĉ'}, at SELECT 610, if r² ≡ H(id) (mod N), DECRYPT sets γ' = c', δ = d and Δ = H(id); otherwise it sets γ' = ĉ', δ = d̂ and Δ = uH(id) (mod N). Next, it computes σ = J_N(γ'² − 4Δ) at DE-ANONYMIZE 620. If σ = 1 it sets γ = γ'; otherwise (i.e., if σ = −1) it sets
γ = (−γ'δ + 4Δ)/(γ' − δ) mod N.
Eventually DECRYPT 630 recovers plaintext m as
m = (1 − J_N(γ + 2r))/2.
Remark 2. Note that σ = (−1)^β.
Remark 3. For better efficiency, DECRYPT can, as an alternative to evaluating γ, set
τ = J_N(γ' + 2r) if σ = 1, and τ = J_N((γ' + 2r)(δ − 2r)(δ − γ')) if σ = −1,
and recover plaintext m as m = (1 − τ)/2.
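As an added worked example (not code from the patent or its inventor), the following Python implements the pieces discussed above end to end: the generalized Cocks scheme in its original instantiation (p, q ≡ 3 (mod 4), u = −1), Galbraith's test, the ANO procedure, and the modified DECRYPT in both the division form and the Remark 3 form, with d and d̂ derived as in the fifth embodiment. The toy modulus, the SHA-256-based H(id), the rejection of the negligible bad t in ENCRYPT and the identity string are constructed assumptions of this example.

```python
import hashlib
import random

# Toy RSA modulus, constructed for this example only. Both primes are 3 (mod 4),
# so u = -1 is a quadratic non-residue with J_N(-1) = 1: the original Cocks setting.
P, Q = 1000003, 2147483647
N = P * Q
U = N - 1  # u = -1 mod N

def jacobi(a, n):
    """Jacobi symbol J_n(a) for odd n > 0 (0 when gcd(a, n) > 1)."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def hash_to_jn(identity):
    """Toy H(id): SHA-256 reduced mod N, then incremented until it lands in J_N
    (an assumed way of reaching J_N, not the patent's construction)."""
    R = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % N
    while jacobi(R, N) != 1:
        R = (R + 1) % N
    return R

def extract(identity):
    """Key extraction (needs the factorisation, i.e. the master secret):
    d_id = {r} with r^2 = H(id) if H(id) is a square, else r^2 = uH(id)."""
    R = hash_to_jn(identity)
    a = R if pow(R % P, (P - 1) // 2, P) == 1 else U * R % N
    rp, rq = pow(a % P, (P + 1) // 4, P), pow(a % Q, (Q + 1) // 4, Q)
    return (rp + P * ((rq - rp) * pow(P, -1, Q) % Q)) % N  # CRT

def encrypt(identity, m):
    """Generalized Cocks encryption of bit m: C = (c, c^) with c = t + R/t and
    c^ = t^ + uR/t^, where J_N(t) = J_N(t^) = (-1)^m."""
    R = hash_to_jn(identity)
    parts = []
    for gamma in (R, U * R % N):
        while True:
            t = random.randrange(2, N)
            # assumption of this example: reject the negligible t with t^2 = Γ mod one prime
            if jacobi(t, N) == (-1) ** m and jacobi(t * t - gamma, N) != 0:
                break
        parts.append((t + gamma * pow(t, -1, N)) % N)
    return tuple(parts)

def galbraith(x, gamma):
    """Galbraith's test J_N(x^2 - 4Γ): always 1 for a genuine Cocks component
    w.r.t. the intended recipient's Γ, which is what leaks the recipient."""
    return jacobi(x * x - 4 * gamma, N)

def smallest_d(gamma):
    """Fifth embodiment: the smallest nonnegative d with J_N(d^2 - 4Γ) = -1."""
    d = 0
    while galbraith(d, gamma) != -1:
        d += 1
    return d

def ano(x, y, gamma, beta=None):
    """Procedure ANO: z^(0) = x, z^(1) = (xy + 4Γ)/(x + y) mod N; return z^(β)."""
    if beta is None:
        beta = random.randrange(2)
    if beta == 0:
        return x
    return (x * y + 4 * gamma) * pow((x + y) % N, -1, N) % N

def anonymize(identity, C, beta=None):
    """Apply ANO to both components: the sender needs no secret and does not know
    which of H(id), uH(id) is the square, so both components are transformed."""
    R = hash_to_jn(identity)
    uR = U * R % N
    return ano(C[0], smallest_d(R), R, beta), ano(C[1], smallest_d(uR), uR, beta)

def decrypt(identity, r, C, fast=False):
    """Modified DECRYPT. σ = J_N(γ'^2 - 4Δ) equals (-1)^β, so the receiver can tell
    whether to undo ANO; works on plain and on anonymized ciphertexts alike."""
    R = hash_to_jn(identity)
    if r * r % N == R:
        g, delta, Delta = C[0], smallest_d(R), R
    else:
        g, delta, Delta = C[1], smallest_d(U * R % N), U * R % N
    sigma = galbraith(g, Delta)
    if fast:  # Remark 3: no modular inversion, just a product of Jacobi symbols
        tau = jacobi(g + 2 * r, N) if sigma == 1 else \
            jacobi((g + 2 * r) * (delta - 2 * r) * (delta - g), N)
        return (1 - tau) // 2
    if sigma == 1:
        gamma = g
    else:  # invert z^(1): γ = (-γ'δ + 4Δ) / (γ' - δ) mod N
        gamma = (-g * delta + 4 * Delta) * pow((g - delta) % N, -1, N) % N
    return (1 - jacobi(gamma + 2 * r, N)) // 2
```

Running galbraith() over a plain ciphertext always returns 1 for the true recipient, while over the anonymized one it returns (−1)^β, which is exactly what removes the distinguisher.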
First exemplary embodiment
The first embodiment, generally illustrated in block diagram form in Figure 5, is concerned with the generalized Cocks' scheme with system parameters mpk = {N, u, H} where N = pq is an RSA modulus, u is a quadratic non-residue in J_N, and H is a hash function mapping bit-strings to J_N. Let C = {c, ĉ} be a Cocks ciphertext of a message m ∈ {0,1} for some identity id. Then applying the ANO procedure defined as
1: procedure ANO(x, y, Γ)
2:   z^(0) ← x and z^(1) ← (xy + 4Γ)/(x + y) mod N
3:   Choose at random β ∈ {0,1} and set z ← z^(β)
4:   Return z.
5: end procedure
returns an anonymized ciphertext C' = {c', ĉ'} where
c' = ANO(c, d, H(id)) and ĉ' = ANO(ĉ, d̂, uH(id))
for some d, d̂ ∈ Z/NZ such that J_N(d² − 4H(id)) = J_N(d̂² − 4uH(id)) = −1, from ANO procedure 510 and ANO procedure 520, respectively.
The resulting anonymized ciphertext C' can be decrypted as per the decryption algorithm presented before.
Second exemplary embodiment
The second embodiment is a specialization of the first embodiment to the original Cocks' scheme; namely with system parameters mpk = {N, H} where N = pq with p, q ≡ 3 (mod 4) and u = −1. Given a ciphertext C = {c, ĉ} corresponding to the encryption of a message m ∈ {0,1} for some identity id, we have C' = {c', ĉ'} where
c' = ANO(c, d, H(id)) and ĉ' = ANO(ĉ, d̂, −H(id))
for some d, d̂ ∈ Z/NZ such that J_N(d² − 4H(id)) = J_N(d̂² − 4uH(id)) = −1. Procedure ANO is the same as the one described in the first exemplary embodiment.
Third exemplary embodiment
The third exemplary embodiment is to use one of the methods of the first or second exemplary embodiments by taking d = d̂.
Fourth exemplary embodiment
The fourth exemplary embodiment is to use one of the methods of the previous embodiments and to derive the value of d (resp. d̂) as a function of the identity of the receiver in a way that d (resp. d̂) satisfies J_N(d² − 4H(id)) = −1 (resp. J_N(d̂² − 4uH(id)) = −1).
Fifth exemplary embodiment
The fifth exemplary embodiment is to use one of the methods of the previous embodiments and to choose for d (resp. d̂) the smallest nonnegative integer such that J_N(d² − 4H(id)) = −1 (resp. J_N(d̂² − 4uH(id)) = −1).
Sixth exemplary embodiment
The sixth exemplary embodiment is to use one of the methods of the first, second, or third exemplary embodiments, to fix the value of d as a global value to be used with all identities and to include it in the system parameters. Hash function H satisfies the extra condition that J_N(d² − 4H(id)) = −1 (resp. J_N(d̂² − 4uH(id)) = −1).
Seventh exemplary embodiment
The seventh exemplary embodiment is a specialization of the sixth exemplary embodiment where p ≡ −q (mod 4) and d (resp. d̂) is chosen as d = 0 (resp. d̂ = 0). The extra condition on H is then automatically fulfilled. The proposed methods solve an open problem, namely anonymizing Cocks ciphertexts without ciphertext expansion. Further, the proposed methods are universal in the sense that no secret key is required to anonymize a ciphertext.
There are numerous applications for identity-based encryption [8,3]. Cocks' scheme comes with strong security guarantees as it works in standard RSA groups: its security is well understood. The presented methods allow one to convert, for free (i.e., without ciphertext expansion), Cocks ciphertexts into anonymous Cocks ciphertexts. The same is true for the generalizations of Cocks' IBE scheme. A notable application of anonymous IBEs resides in public key encryption with keyword search (PEKS) [2]. PEKS allows searching on data that is encrypted using a public-key system. A typical application is for an email gateway to test whether or not the keyword "urgent" is present in an email. The gateway then routes the email if it is the case. Of course the gateway should only learn whether the word "urgent" is present but nothing else about the email. Further applications for PEKS can be found in [2].
Designing a PEKS from Cocks' scheme was previously not possible since in its original version Cocks' scheme is not anonymous.
FIG. 1 illustrates a block diagram of an exemplary system in which various aspects of the exemplary embodiments of the present principles may be implemented. System 100 may be embodied as a device including the various components described below and is configured to perform the processes described above. Examples of such devices include, but are not limited to, personal computers, laptop computers, smartphones, tablet computers, digital multimedia set top boxes, digital television receivers, personal video recording systems, connected home appliances, and servers. System 100 may be communicatively coupled to other similar systems, and to trusted third parties via a communication channel as shown in Figure 2 and as known by those skilled in the art to implement the exemplary cryptosystems described above.
The system 100 may include at least one processor 110 configured to execute instructions loaded therein for implementing the various processes as discussed above. Processor 110 may include embedded memory, an input/output interface and various other circuitry as known in the art. The system 100 may also include at least one memory 120 (e.g., a volatile memory device, a non-volatile memory device). System 100 may additionally include a storage device 140, which may include non-volatile memory, including, but not limited to, EEPROM, ROM, PROM, RAM, DRAM, SRAM, flash, magnetic disk drive, and/or optical disk drive. The storage device 140 may comprise an internal storage device, an attached storage device and/or a network accessible storage device, as non-limiting examples. System 100 may also include an encryption/decryption module 130 configured to process data to provide an encrypted message or decrypted message. Encryption/decryption module 130 represents the module(s) that may be included in a device to perform the encryption and/or decryption functions. As is known, a device may include one or both of the encryption and decryption modules; for example, encryption may be done on a regular PC since encryption does not involve a secret key, so that the PC need not include secure memory for storing the input parameters (i.e., the public system parameters and the user's identity). Decryption, however, requires secret keys (i.e., the decryption key) and is done in a secure device, for example a smart card. As memory is expensive on a smart card, the encryption functionality may not always be provided on a smart card. The encryption and/or decryption may be performed using shared resources as known to those skilled in the art. Additionally, encryption/decryption module 130 may be implemented as a separate element of system 100 or may be incorporated within processors 110 as a combination of hardware and software as known to those skilled in the art.
Program code to be loaded onto processors 110 to perform the various processes described hereinabove may be stored in storage device 140 and subsequently loaded onto memory 120 for execution by processors 110. In accordance with the exemplary embodiments of the present principles, one or more of the processor(s) 110, memory 120, storage device 140 and encryption/decryption module 130 may store one or more of the various items during the performance of the processes discussed herein above, including, but not limited to, a public key, private keys, encrypted messages, equations, formulas, matrices, variables, operations, and operational logic.
The system 100 may also include communication interface 150 that enables communication with other devices via communication channel 160. The communication interface 150 may include, but is not limited to a transceiver configured to transmit and receive data from communication channel 160. The communication interface may include, but is not limited to, a modem or network card and the communication channel may be implemented within a wired and/or wireless medium. The various components of system 100 may be connected or communicatively coupled together using various suitable connections, including, but not limited to internal buses, wires, and printed circuit boards.
As a non-limiting example, one or more of the above-identified components may receive and/or store the information (e.g., to be encrypted, resulting from decryption) and/or the ciphertext (e.g., to be decrypted, to be operated on homomorphically, resulting from encryption). As a further non-limiting example, one or more of the above-identified components may receive and/or store the encryption function(s) and/or the decryption function(s), as described herein above. The exemplary embodiments of this invention may be carried out by computer software implemented by the processor 110 or by hardware, or by a combination of hardware and software. As a non-limiting example, the exemplary embodiments of this invention may be implemented by one or more integrated circuits. The memory 120 may be of any type appropriate to the technical environment and may be implemented using any appropriate data storage technology, such as optical memory devices, magnetic memory devices, semiconductor-based memory devices, fixed memory and removable memory, as non-limiting examples. The processor 110 may be of any type appropriate to the technical environment, and may encompass one or more of microprocessors, general purpose computers, special purpose computers and processors based on a multi-core architecture, as non-limiting examples.
Figure 2 illustrates an arrangement wherein data is exchanged between two terminals 210 and 220 in accordance with the present principles. Each of the terminals 210 and 220 include encryptor/decryptor modules 230 and 240, respectively, and may additionally include each of the other components of system 100 described above, as appropriate. Terminals 210 and 220 are communicatively coupled to each other via communication channel 250, which may be implemented via wired and/or wireless medium. Additionally, arrangement 200 may include a trusted third party 260 communicatively coupled to terminals 210 and 220, wherein third party 260 may in some cases, among other things, generate common parameters and the keys, distribute them to the terminals, certify the public keys generated, and/or generate common keys in a manner known to those skilled in the art. For example, in identity based encryption, the setup algorithm is performed by the trusted third party to generate, among other things, the master secret key. Following key generation, a message can be encrypted and decrypted by the terminals as described above, and transmitted and received via communication channel 250.
Figure 3 illustrates a generalized flow diagram of the Cocks' scheme. Figure 4 illustrates how the procedure ANO may be implemented in an exemplary system according to the present principles in block diagram form. Figure 5 illustrates how the ANO procedures may be used to implement an exemplary anonymous cryptosystem to produce an anonymous Cocks' ciphertext according to the present principles. Figure 6 illustrates how to decrypt such an anonymous Cocks ciphertext in an exemplary decryption system according to the present principles.
Figures 7 and 8 show exemplary flow charts according to the present principles. The flow charts illustrate the homomorphic crypto processes discussed above. The processes of Figures 4 and 5 may be executed by e.g., a processor 110 of Figure 1. The processes may represent, e.g., computer program products having the computer-executable instructions which may be stored in non-transitory computer-readable storage media 120 of Figure 1 as described before.
Specifically, Figure 7 illustrates an exemplary process for producing an anonymous Cocks' ciphertext, according to an embodiment of the present principles. At step 710, it accesses the message m. At step 720, it generates an anonymized ciphertext C' = {c', ĉ'} where c' = ANO(c, d, H(id)) and ĉ' = ANO(ĉ, d̂, uH(id)) for some d, d̂ ∈ Z/NZ such that J_N(d² − 4H(id)) = J_N(d̂² − 4uH(id)) = −1, where C = {c, ĉ} is a generalized Cocks ciphertext of the message m ∈ {0,1} for some identity id, H is a cryptographic hash function mapping bit-strings to elements of J_N, u ∈ J_N \ QR_N, and N is a composite integer, wherein the procedure ANO is defined as ANO(x, y, Γ) returns z, where z^(0) = x and z^(1) = (xy + 4Γ)/(x + y) mod N, and choosing at random β ∈ {0,1} and setting z = z^(β). At step 730, it transmits the ciphertext C' = {c', ĉ'} via a communication channel.
Figure 8 illustrates another exemplary process for decrypting an anonymous Cocks ciphertext, according to an embodiment of the present principles. At step 810, it receives the anonymized ciphertext C' = {c', ĉ'} via a communication channel, where c' = ANO(c, d, H(id)) and ĉ' = ANO(ĉ, d̂, uH(id)) for some d, d̂ ∈ Z/NZ such that J_N(d² − 4H(id)) = J_N(d̂² − 4uH(id)) = −1, where C = {c, ĉ} is a generalized Cocks ciphertext of a message m ∈ {0,1} for an identity id, H is a cryptographic hash function mapping bit-strings to elements of J_N, u ∈ J_N \ QR_N, and N is a composite integer, wherein the procedure ANO is defined as ANO(x, y, Γ) returns z, where z^(0) = x and z^(1) = (xy + 4Γ)/(x + y) mod N, and choosing at random β ∈ {0,1} and setting z = z^(β). At step 820, it generates a plaintext message m by: obtaining d and d̂,
from the decryption key d_id = {r} and the anonymized ciphertext C' = {c', ĉ'}, if r² ≡ H(id) (mod N), setting γ' = c', δ = d and Δ = H(id); otherwise setting γ' = ĉ', δ = d̂ and Δ = uH(id) (mod N), and
setting the message m as one of
(1) m = (1 − J_N(γ + 2r))/2, wherein
γ = γ' if J_N(γ'² − 4Δ) = 1, and
γ = (−γ'δ + 4Δ)/(γ' − δ) mod N if J_N(γ'² − 4Δ) = −1.
The foregoing has provided by way of exemplary embodiments and non-limiting examples a description of the method and systems contemplated by the inventor. It is clear that various modifications and adaptations may become apparent to those skilled in the art in view of the description. However, such various modifications and adaptations fall within the scope of the teachings of the various embodiments described above.
The embodiments described herein may be implemented in, for example, a method or a process, an apparatus, a software program, a data stream, or a signal. Even if only discussed in the context of a single form of implementation (for example, discussed only as a method), the implementation of features discussed above may also be implemented in other forms (for example, an apparatus or program). An apparatus may be implemented in, for example, appropriate hardware, software, and firmware. The methods may be implemented in, for example, an apparatus such as, for example, a processor, which refers to processing devices in general, including, for example, a computer, a microprocessor, an integrated circuit, or a programmable logic device. Processors also include communication devices, such as, for example, computers, cell phones, portable/personal digital assistants ("PDAs"), and other devices that facilitate communication of information between end-users.
Reference to "one embodiment" or "an embodiment" or "one implementation" or "an implementation" of the present principles, as well as other variations thereof, means that a particular feature, structure, characteristic, and so forth described in connection with the embodiment is included in at least one embodiment of the present principles. Thus, the appearances of the phrase "in one embodiment" or "in an embodiment" or "in one implementation" or "in an implementation", as well as any other variations, appearing in various places throughout the specification are not necessarily all referring to the same embodiment.
Additionally, this application or its claims may refer to "determining" various pieces of information. Determining the information may include one or more of, for example, estimating the information, calculating the information, predicting the information, or retrieving the information from memory.
Further, this application or its claims may refer to "accessing" various pieces of information. Accessing the information may include one or more of, for example, receiving the information, retrieving the information (for example, from memory), storing the information, processing the information, transmitting the information, moving the information, copying the information, erasing the information, calculating the information, determining the information, predicting the information, or estimating the information.
Additionally, this application or its claims may refer to "receiving" various pieces of information. Receiving is, as with "accessing", intended to be a broad term. Receiving the information may include one or more of, for example, accessing the information, or retrieving the information (for example, from memory). Further, "receiving" is typically involved, in one way or another, during operations such as, for example, storing the information, processing the information, transmitting the information, moving the information, copying the information, erasing the information, calculating the information, determining the information, predicting the information, or estimating the information.
As will be evident to one of skill in the art, implementations may produce a variety of signals formatted to carry information that may be, for example, stored or transmitted. The information may include, for example, instructions for performing a method, or data produced by one of the described embodiments. For example, a signal may be formatted to carry the bitstream of a described embodiment. Such a signal may be formatted, for example, as an electromagnetic wave (for example, using a radio frequency portion of spectrum) or as a baseband signal. The formatting may include, for example, encoding a data stream and modulating a carrier with the encoded data stream. The information that the signal carries may be, for example, analog or digital information. The signal may be transmitted over a variety of different wired and/or wireless links, as is known. The signal may be stored on a processor-readable medium.
While several embodiments have been described and illustrated herein, those of ordinary skill in the art will readily envision a variety of other means and/or structures for performing the functions and/or obtaining the results and/or one or more of the advantages described herein, and each of such variations and/or modifications is deemed to be within the scope of the present embodiments. More generally, those skilled in the art will readily appreciate that all parameters, dimensions, materials, and configurations described herein are meant to be exemplary and that the actual parameters, dimensions, materials, and/or configurations will depend upon the specific application or applications for which the teachings herein is/are used. Those skilled in the art will recognize, or be able to ascertain using no more than routine experimentation, many equivalents to the specific embodiments described herein. It is, therefore, to be understood that the foregoing embodiments are presented by way of example only and that, within the scope of the appended claims and equivalents thereof, the embodiments disclosed may be practiced otherwise than as specifically described and claimed. The present embodiments are directed to each individual feature, system, article, material and/or method described herein. In addition, any combination of two or more such features, systems, articles, materials and/or methods, if such features, systems, articles, materials and/or methods are not mutually inconsistent, is included within the scope of the present embodiment.

Claims

1. A method for communicating a message m, comprising:
accessing the message m;
generating an anonymized ciphertext C' = {c', ĉ'} where
c' = ANO(c, d, H(id)) and ĉ' = ANO(ĉ, d̂, uH(id)) for some d, d̂ ∈ Z/NZ such that J_N(d² − 4H(id)) = J_N(d̂² − 4uH(id)) = −1, where C = {c, ĉ} is a generalized Cocks ciphertext of the message m ∈ {0,1} for some identity id, H is a cryptographic hash function mapping bit-strings to elements of J_N, u ∈ J_N \ QR_N, and N is a composite integer, wherein the procedure ANO is defined as ANO(x, y, Γ) returns z, where z^(0) = x and z^(1) = (xy + 4Γ)/(x + y) mod N, and choosing at random β ∈ {0,1} and setting z = z^(β);
and
transmitting the ciphertext C' = {c', ĉ'} via a communication channel.
2. The method of claim 1, wherein N = pq, p and q are prime with p, q ≡ 3 (mod 4), and u = −1.
3. The method of claim 1, wherein d = d̂.
4. The method of claim 1, wherein d is the smallest nonnegative integer which satisfies J_N(d² − 4H(id)) = −1, and d̂ is the smallest nonnegative integer which satisfies J_N(d̂² − 4uH(id)) = −1.
5. The method of claim 1, wherein a plurality of messages are communicated for a plurality of users, and wherein d and d̂ are fixed as global values to be used with identities of the plurality of users.
6. The method of claim 5, wherein N = pq, p and q are prime with p ≡ −q (mod 4), and d = 0, d̂ = 0.
7. A method for processing an anonymized ciphertext, comprising:
receiving the anonymized ciphertext C' = {c', ĉ'} via a communication channel, where c' = ANO(c, d, H(id)) and ĉ' = ANO(ĉ, d̂, uH(id)) for some d, d̂ ∈ Z/NZ such that J_N(d² − 4H(id)) = J_N(d̂² − 4uH(id)) = −1, where C = {c, ĉ} is a generalized Cocks ciphertext of a message m ∈ {0,1} for an identity id, H is a cryptographic hash function mapping bit-strings to elements of J_N, u ∈ J_N \ QR_N, and N is a composite integer, wherein the procedure ANO is defined as ANO(x, y, Γ) returns z, where z^(0) = x and z^(1) = (xy + 4Γ)/(x + y) mod N, and choosing at random β ∈ {0,1} and setting z = z^(β); and
generating a plaintext message m by:
obtaining d and d̂,
from the decryption key d_id = {r} and the anonymized ciphertext C' = {c', ĉ'}, if r² ≡ H(id) (mod N), setting γ' = c', δ = d and Δ = H(id); otherwise setting γ' = ĉ', δ = d̂ and Δ = uH(id) (mod N), and
setting the message m as one of
(1) m = (1 − J_N(γ + 2r))/2, wherein
γ = γ' if J_N(γ'² − 4Δ) = 1, and
γ = (−γ'δ + 4Δ)/(γ' − δ) mod N if J_N(γ'² − 4Δ) = −1;
(2) m = (1 − τ)/2, wherein
τ = J_N(γ' + 2r) if J_N(γ'² − 4Δ) = 1, and
τ = J_N((γ' + 2r)(δ − 2r)(δ − γ')) if J_N(γ'² − 4Δ) = −1.
8. The method of claim 7, wherein N = pq with p, q ≡ 3 (mod 4) and u = −1.
9. The method of claim 7, wherein d = d̂.
10. The method of claim 7, wherein d is the smallest nonnegative integer which satisfies J_N(d² − 4H(id)) = −1, and d̂ is the smallest nonnegative integer which satisfies J_N(d̂² − 4uH(id)) = −1.
11. An apparatus for generating an anonymized ciphertext comprising:
a processor configured to generate the anonymized ciphertext C' = {c', ĉ'} from a message m where
c' = ANO(c, d, H(id)) and ĉ' = ANO(ĉ, d̂, uH(id)) for some d, d̂ ∈ Z/NZ such that J_N(d² − 4H(id)) = J_N(d̂² − 4uH(id)) = −1, where C = {c, ĉ} is a generalized Cocks ciphertext of the message m ∈ {0,1} for some identity id, H is a cryptographic hash function mapping bit-strings to elements of J_N, u ∈ J_N \ QR_N, and N is a composite integer, wherein the procedure ANO is defined as ANO(x, y, Γ) returns z, where z^(0) = x and z^(1) = (xy + 4Γ)/(x + y) mod N, and choosing at random β ∈ {0,1} and setting z = z^(β); and
a communication interface, coupled to a communication channel, configured to transmit the ciphertext C' = {c', ĉ'} via the communication channel.
12. The apparatus of claim 11, wherein N = pq, p and q are prime with p, q ≡ 3 (mod 4), and u = −1.
13. The apparatus of claim 11, wherein d = d̂.
14. The apparatus of claim 11, wherein d is the smallest nonnegative integer which satisfies J_N(d² − 4H(id)) = −1, and d̂ is the smallest nonnegative integer which satisfies J_N(d̂² − 4uH(id)) = −1.
15. The apparatus of claim 11, wherein a plurality of messages are communicated for a plurality of users, and wherein d and d̂ are fixed as global values to be used with identities of the plurality of users.
16. The apparatus of claim 15, wherein N = pq, p and q are prime with p ≡ −q (mod 4), and d = 0, d̂ = 0.
17. An apparatus for processing an anonymized ciphertext, comprising:
a communication interface, coupled to a communication channel, configured to receive the anonymized ciphertext C' = {c', ĉ'} via the communication channel; and
a processor configured to access the ciphertext C' = {c', ĉ'}, where
c' = ANO(c, d, H(id)) and ĉ' = ANO(ĉ, d̂, uH(id)) for some d, d̂ ∈ Z/NZ such that J_N(d² − 4H(id)) = J_N(d̂² − 4uH(id)) = −1, where C = {c, ĉ} is a generalized Cocks ciphertext of a message m ∈ {0,1} for some identity id, H is a cryptographic hash function mapping bit-strings to elements of J_N, u ∈ J_N \ QR_N, and N is a composite integer; wherein the procedure ANO is defined as ANO(x, y, Γ) returns z, where z^(0) = x and z^(1) = (xy + 4Γ)/(x + y) mod N, and choosing at random β ∈ {0,1} and setting z = z^(β); and wherein
the processor is further configured to generate a plaintext message m by:
obtaining d and d̂,
from the decryption key d_id = {r} and the ciphertext C' = {c', ĉ'}, if r² ≡ H(id) (mod N), setting γ' = c', δ = d and Δ = H(id); otherwise setting γ' = ĉ', δ = d̂ and Δ = uH(id) (mod N), and
setting the message m as one of
(1) m = (1 − J_N(γ + 2r))/2, wherein
γ = γ' if J_N(γ'² − 4Δ) = 1, and
γ = (−γ'δ + 4Δ)/(γ' − δ) mod N if J_N(γ'² − 4Δ) = −1;
(2) m = (1 − τ)/2, wherein
τ = J_N(γ' + 2r) if J_N(γ'² − 4Δ) = 1, and
τ = J_N((γ' + 2r)(δ − 2r)(δ − γ')) if J_N(γ'² − 4Δ) = −1.
18. The apparatus of claim 17, wherein N = pq with p, q≡ 3 (mod 4) and u =— 1.
19. The apparatus of claim 17 wherein d = d.
20. The apparatus of claim 17, wherein d is the smallest nonnegative integer which satisfies JN (d2 — Jf (id)) =—1, and d is the smallest nonnegative integer which satisfies JN (d2— uK (id)) = -1.
21. A computer program product stored in non- transitory computer-readable storage media comprising computer-executable instructions for:
accessing the message m;
generating an anonymized ciphertext C = {cf, c'} where
c' = ANO ( c, d, Jf(id)) and c' = ANO ( c, d, uK (id)) for some d, d G Έ/ΝΈ such that JN (d2 - ΑΉ (id)) = JN (d2 - AuH" (id)) = -1, where C = {c, c] is a generalized Cocks ciphertext of the message m G {0,1} for some identity id, Ή is a cryptographic hash function mapping bit-strings to elements of N, u G N \ Q W, and N is a composite integer, wherein the procedure ANO is defined as ANO(x, y, Γ) returns z, where z^ = x and = xy+ r ancj choosing at random β G [0,1] and set z = z^ ;
x+y
and
transmitting the ciphertext C = {cr, c'} via a communication channel.
22. A computer program product stored in non-transitory computer-readable storage media comprising computer-executable instructions for:
receiving the anonymized ciphertext C = {c', c'}, via a communication channel; and accessing the ciphertext C = {c', c'}, where
c' = ANO ( c, d, Jf(id)) and c' = ANO ( c, d, uK (id)) for some d, d G Έ/ΝΈ such that JN (d2 - ΑΉ (id)) = ]N d2 - AuH" (id)) = -1, where C = {c, c] is a generalized Cocks ciphertext of a message m G {0,1} for some identity id, Ή is a cryptographic hash function mapping bit-strings to elements of N, u G N \ Q W, and N is a composite integer; wherein the procedure ANO is defined as ANO (x, y, Γ) returns z, where z^ = x and = and choosing at random β G {0,1} and set z = z^ ; and
generating a plaintext message m by:
obtaining d and d, from the decryption key did = (r) and the ciphertext C = {c, c], if d) (mod N), setting γ' = c, δ = d and Δ = Ή (id); otherwise setting γ' d and Δ = uK (id) (mod N), and
setting the message m as one of
w(y+2r), wherein
Figure imgf000028_0001
(2) m = -^ , wherein
7w(y' + 2r) if /w(y'2 - 4A) = l
((γ' + 2r)(S - 2r)(S - y')) if /«(χ'2 - 4Δ) = -l'
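Worked example, added here and not the patent's or the inventor's own code: the ANO procedure of claims 11 and 21 and the option (2) decryption of claim 17, run on a toy modulus so that the Galbraith test $J_N(c^2 - 4\Delta)$ can be watched before and after anonymization. Every name (jacobi, cocks_encrypt, find_d, ano, unano, galbraith, decrypt) and every value (N = 209, r = 5, Δ = 25, t = 3) is constructed; H(id) is replaced by Δ = r² mod N, and the third ANO argument is assumed to be 4·Δ rather than Δ, because that is the constant for which $J_N(z^2 - 4\Delta) = J_N(x^2 - 4\Delta)\,J_N(y^2 - 4\Delta)$, which is what makes the randomized choice of β hide whether the ciphertext was formed under Δ (Python 3.8+ is needed for pow(x, -1, N)).

```python
# Added example (not the patent's own code): the claims' ANO procedure on a toy modulus,
# then the claim-17 decryption. Delta stands in for H(id), constructed as r^2 mod N; the
# third ANO argument is taken as 4*Delta (assumed; then J_N(z^2-4Delta)=J_N(x^2-4Delta)J_N(y^2-4Delta)).
import random

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; 0 when gcd(a, n) > 1."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def cocks_encrypt(m, delta, N, t=None):
    """Cocks component for m in {0,1}: c = t + delta/t mod N with J_N(t) = (-1)^m."""
    while t is None or jacobi(t, N) != (-1) ** m:
        t = random.randrange(2, N)
    return (t + delta * pow(t, -1, N)) % N

def find_d(delta, N):
    """Claim 14: the smallest nonnegative d with J_N(d^2 - 4*delta) = -1."""
    return next(d for d in range(N) if jacobi(d * d - 4 * delta, N) == -1)

def ano(x, y, gamma, N, beta=None):
    """ANO(x, y, Gamma): z^(0) = x, z^(1) = (xy + Gamma)/(x + y) mod N; output z^(beta)."""
    z = (x, (x * y + gamma) * pow(x + y, -1, N) % N)
    return z[random.randrange(2) if beta is None else beta]

def unano(z, y, gamma, N):
    """Inverse of the z^(1) branch (own derivation): x = (zy - Gamma)/(y - z) mod N."""
    return (z * y - gamma) * pow((y - z) % N, -1, N) % N

def galbraith(c, delta, N):
    """J_N(c^2 - 4*delta): +1 for every unanonymized Cocks ciphertext formed under delta."""
    return jacobi(c * c - 4 * delta, N)

def decrypt(gp, delta, d, r, N):
    """Claim 17, option (2), with private key r satisfying r^2 = delta (mod N)."""
    if galbraith(gp, delta, N) == 1:
        j = jacobi(gp + 2 * r, N)
    else:  # beta was 1: the (gp + 2r)(d - 2r)(d - gp) product recovers J_N(t)
        j = jacobi((gp + 2 * r) * (d - 2 * r) * (d - gp), N)
    return 0 if j == 1 else 1
```

With N = 209 = 11·19, r = 5 and t = 3, find_d gives d = 2, the ciphertext c = 81 (Galbraith value +1) anonymizes to 51 (Galbraith value −1), and both 81 and 51 decrypt to m = 1.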
PCT/US2015/045804 2014-09-26 2015-08-19 Method and apparatus for making cocks ciphertexts anonymous without ciphertext expansion WO2016073057A2 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US201462055738P 2014-09-26 2014-09-26
US62/055,738 2014-09-26
US201462098423P 2014-12-31 2014-12-31
US62/098,423 2014-12-31

Publications (2)

Publication Number Publication Date
WO2016073057A2 true WO2016073057A2 (en) 2016-05-12
WO2016073057A3 WO2016073057A3 (en) 2016-06-30

Family

ID=55405437

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2015/045804 WO2016073057A2 (en) 2014-09-26 2015-08-19 Method and apparatus for making cocks ciphertexts anonymous without ciphertext expansion

Country Status (1)

Country Link
WO (1) WO2016073057A2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11477014B1 (en) 2019-08-23 2022-10-18 Liberty Mutual Insurance Company Anonymized data transmission using per-user-functionality secret shares
US11909871B1 (en) 2019-08-23 2024-02-20 Liberty Mutual Insurance Company Anonymized data transmission using per-user-functionality secret shares

Also Published As

Publication number Publication date
WO2016073057A3 (en) 2016-06-30

Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 15837158; Country of ref document: EP; Kind code of ref document: A2)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 15837158; Country of ref document: EP; Kind code of ref document: A2)