Generalized Galbraith’s Test: Characterization and Applications to Anonymous IBE Schemes

The main approaches currently used to construct identity based encryption (IBE) schemes are based on bilinear mappings, quadratic residues and lattices. Among them, the most attractive approach is the one based on quadratic residues, due to the fact that the underlying security assumption is a well understood hard problem. The first such IBE scheme was constructed by Cocks and some of its deficiencies were addressed in subsequent works. In this paper, we will focus on two constructions that address the anonymity problem inherent in Cocks' scheme and we will tackle some of their incomplete theoretical claims. More precisely, we rigorously study Clear et al.'s and Zhao et al.'s schemes and give accurate probabilities of successful decryption and identity detection in the non-anonymized version of the schemes. Also, in the case of Zhao et al.'s scheme, we give a proper description of the underlying security assumptions.


Introduction
From a desire to avoid several issues inherent to public-key cryptography, Shamir came up in 1984 with an interesting and novel concept: identity based encryption [12]. In the IBE model, a user's public key is simply derived from some of the user's personal data such as his e-mail address, his phone number or even his personal address.
Unfortunately, the construction of a practical IBE scheme was postponed until 2001, when two such schemes were proposed. The first one was proposed by Boneh and Franklin [4] and is based on bilinear maps. Shortly after, using a different approach, Cocks proposed a scheme based on quadratic residues [8]. Despite the simplicity of his idea, a disadvantage of the scheme is that it has a large ciphertext per plaintext ratio. More precisely, to encrypt one bit we have to transmit two large integers.
As pointed out in [4], Cocks' proposal does not provide anonymity in the sense of Bellare et al. [2]. Concretely, Galbraith devised a test that can distinguish which identity was used to create a given Cocks-like ciphertext. The test has been thoroughly analyzed in [1,13]. Despite this impediment, several schemes that achieve anonymity have been proposed in the literature [1,5,7,9,11,15].
In terms of ciphertext expansion, the most efficient anonymous proposal is the one described by Boneh, Gentry and Hamburg [5]. However, encryption time is quartic in the security parameter, which makes the scheme very inefficient. Two years later, Ateniese and Gasti [1] proposed a practical scheme that achieves anonymity. Moreover, the scheme is universally anonymous (i.e. the anonymization process is independent of encryption and requires only access to the user's id). The scheme is further improved by Schipor [11]. By using a trial and error method, he manages to shrink the size of Ateniese and Gasti-type ciphertexts.
A xor-homomorphic variant, which is also universally anonymous, was proposed by Clear et al. [6,7]. By switching to polynomials, they were able to show that the scheme has an underlying algebraic structure. This structure was later studied and simplified by Joye [9]. As a consequence, he managed to improve both the speed and the ciphertext expansion of Clear et al.'s IBE scheme. Using an earlier study [13], Nica and Ţiplea [10] reassess Joye's proposal and provide a simpler description of the scheme. By taking a different approach, Zhao et al. [15] manage to further speed up encryption. Unfortunately, their scheme has twice the ciphertext expansion of Joye's scheme.
In this paper we reevaluate some of the claims made by Clear et al. [6,7] and Zhao et al. [15] regarding their proposals. More precisely, we rigorously formulate and prove some of the claims made by these authors, thus providing the reader with a better understanding of the intrinsic algebraic structures of both schemes.
Structure of the paper. We introduce the notations and definitions used throughout the paper in Section 2. The extension of Galbraith's test to polynomial rings is rigorously studied in Section 3. In Sections 4 and 5 we apply our results to obtain precise characterizations of Clear et al.'s and Zhao et al.'s IBE schemes. We conclude with Section 6.

Preliminaries
Notations. Throughout the paper, λ denotes a security parameter. Also, the notation |S| denotes the cardinality of a set S. The action of selecting a random element x from a sample space X is denoted by x ←$ X, while x ← y represents the assignment of value y to variable x. The probability of the event E happening is denoted by Pr[E]. The quotient of the integer division of a by n, assuming n ≠ 0, is denoted a div n.
The Jacobi symbol of an integer a modulo an integer n is represented by J_n(a). We let QR_n and QNR_n be the sets of quadratic and, respectively, non-quadratic residues modulo n. Also, J_n denotes the set of integers modulo n with Jacobi symbol 1.

Identity-based encryption
An IBE scheme consists of four probabilistic polynomial-time (PPT) algorithms, namely Setup, KeyGen, Enc and Dec. The input of the first algorithm is the security parameter and the output is the master secret key and the system's public parameters. The second algorithm, KeyGen, requires as input an identity id, the master secret key and the public parameters, and returns a private key associated to id. The third algorithm, Enc, receives a message m and an identity id together with the public parameters, and encrypts m using a key derived from id, obtaining the ciphertext c. The last algorithm, Dec, decrypts c by using the private key associated to id, recovering the initial message m.

Definition 1 (Anonymity and Indistinguishability under Selective Identity and Chosen Plaintext Attacks - anon-ind-id-cpa). The anon-ind-id-cpa security of an IBE scheme S is formulated by means of the following game between a challenger C and an adversary A:
Setup(λ): The challenger C generates the public parameters pp and sends them to the adversary A, while keeping the master key msk to himself.
Queries: The adversary issues a finite number of adaptive queries. A query can be one of the following types:
- Private key query. When A requests a query for an identity, the challenger runs the KeyGen algorithm and returns the resulting private key to A.
- Encryption query. Adversary A can issue only one query of this type. He sends C two pairs (id_0, m_0) and (id_1, m_1) consisting of two equal length plaintexts m_0 and m_1 and two identities id_0 and id_1. The challenger flips a coin b ∈ {0, 1} and encrypts m_b using id_b. The resulting ciphertext c is sent to the adversary. The following restriction is in place: private key queries for id_0 and id_1 must never be issued.
Guess: In this phase, the adversary outputs a guess b′ ∈ {0, 1}. He wins the game if b′ = b.

The advantage of an adversary A attacking an IBE scheme is defined as
where the probability is computed over the random bits used by C and A. An IBE scheme is anon-ind-id-cpa secure if for any PPT adversary A the advantage IBEAdv_{A,S}(λ) is negligible. If we consider id_0 = id_1 in the above game, we obtain the concept of ind-id-cpa security.
We further state the security assumption used to prove the security of the IBE schemes mentioned in this paper.
Definition 2 (Quadratic Residuosity - qr). Choose two large prime numbers p, q ≥ 2^λ and compute n = pq. Let A be a PPT algorithm that returns 1 on input (x, n) if x ∈ QR_n. We define The Quadratic Residuosity assumption states that for any PPT algorithm A the advantage ADV^qr_A(λ) is negligible.

Generalized Galbraith's Test
According to [1,3], Galbraith developed a test which shows that Cocks' scheme [8] is not anonymous. A straightforward generalization of Galbraith's test to the ring Z_n[x]/(x^2 − R) was introduced in [6,7]. More precisely, we define the generalized Galbraith test as where R ∈ J_n and The authors of [6,7] briefly describe some aspects of the generalized version of the test, but some of their claims were not rigorously formulated and/or proved. More precisely, they assume that f_0, f_1 ∈ Z_n^* and this is not always the case. Remark that when f_0, f_1 ∈ Z_n^*, the generalized Galbraith test is identical to the original Galbraith test.
In this limited scenario, Clear et al. prove that their scheme is anonymous by reducing their security proof to a result from [1,13]. Although it is not explicitly mentioned in [6,7], using the results from [1,13] we can also compute the success probability of Galbraith's test when we choose to use Clear et al.'s IBE scheme without implementing the anonymization technique.
The generalized Galbraith test is also used in [15] to show that their scheme is not anonymous. Although the authors also assume that f_0, f_1 ∈ Z_n^*, they do not compute the test's success probability for their IBE scheme, and in this case the probability cannot be derived from [1,13].
Motivated by these applications, we further study the generalized Galbraith test without any restrictions. More precisely, our goals are to better understand the behaviour of the test and to derive the exact success probabilities of the test against Clear et al.'s and Zhao et al.'s non-anonymized IBE schemes.
Let p and q be two primes and n = pq be their product. In this section we will study the cardinalities of the following sets. Before stating our results, we first present a lemma from [13] that helps us compute the desired cardinalities.
Lemma 2. The following statements are true. Proof. To prove the first statement, we simply have to count the elements that satisfy Otherwise, for each non-zero value of f_0^2 we have two distinct f_1 values. Hence, we obtain 2(p − 1) possibilities. Now we will prove the second statement. When f_0 ≡ 0 mod p, we obtain that J_p(f_1^2) = 1, and this is true only if f_1 ≢ 0 mod p. Hence, we obtain p − 1 possibilities.
In the case f_1 ≡ 0 mod p, we obtain that J_p(−f_0^2 R) = 1, and thus f_0 ≢ 0 mod p. When −R ∈ QR_p, we obtain p − 1 possibilities, and when −R ∈ QNR_p we have none.
Adding all the possibilities we obtain The last statement is obtained by subtracting the cardinalities of P_p^0(R) and Using the Chinese remainder theorem, we obtain the following cardinalities.
Corollary 1. The following statements are true a set of polynomials. We further define the set When R ∈ QR_p we distinguish two cases. When h(x)^{-1} exists, then we again have a permutation of the set. Otherwise, h(x) has the form h(x) = t(x ± r), for some t ∈ Z_p^*. But in this case we obtain that (tr)^2 − t^2 R = 0, and this contradicts our assumption (i.e. GT_n(R, h(x)) = −1). Hence, h(x)^{-1} always exists.
⊓⊔ Corollary 2. The following identity holds We further present a lemma stating that the generalized Galbraith test is "multiplicative". This lemma is the basis of the anonymization technique described in [6,7].
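As an added worked example (my own code, not taken from this paper or from [6,7,13]), the following Python script implements the generalized Galbraith test GT_n(R, f) as the Jacobi symbol of the norm f_1^2 − f_0^2 R of f(x) = f_0 x + f_1, checks the cardinalities of Lemma 2 by exhaustive enumeration over small primes, verifies the "multiplicative" property of the test exhaustively in a small ring, and shows why Cocks' original ciphertexts fail the test. The closed-form counts in expected_counts are my own derivation following the case split in the proof of Lemma 2; the encoding of a Cocks ciphertext c = t + R t^{-1} as the polynomial 2x + c is my choice (it makes the norm equal to c^2 − 4R, the quantity of the original Galbraith test); and the values p, q, R, t are constructed sample parameters, not figures from the paper.

```python
"""Brute-force sanity checks for the generalized Galbraith test GT_n(R, f)."""
from itertools import product
from math import gcd
from random import Random


def jacobi(a, n):
    """Jacobi symbol J_n(a) for an odd positive modulus n (binary algorithm)."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("modulus must be a positive odd integer")
    a %= n
    result = 1
    while a:
        while a % 2 == 0:            # remove factors of 2 using the value of (2/n)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0   # gcd(a, n) > 1 gives 0


def gt(n, R, f0, f1):
    """GT_n(R, f) for f(x) = f0*x + f1 in Z_n[x]/(x^2 - R): the Jacobi symbol of
    the norm f1^2 - f0^2*R of f (the quantity studied in Sections 3-5)."""
    return jacobi(f1 * f1 - f0 * f0 * R, n)


def count_by_symbol(p, R):
    """Exhaustive counts |P_p^s(R)| for s in {0, 1, -1}, over all f0, f1 in Z_p."""
    counts = {0: 0, 1: 0, -1: 0}
    for f0, f1 in product(range(p), repeat=2):
        counts[gt(p, R, f0, f1)] += 1
    return counts


def expected_counts(p, R):
    """Closed forms the brute force should reproduce (my own derivation, following
    the proof of Lemma 2).  If R is a square mod p with root s, the norm factors as
    (f1 - s*f0)(f1 + s*f0): it vanishes on the two lines f1 = +-s*f0 (2(p-1) points
    plus the origin) and is a nonzero square on half of the remaining (p-1)^2 points.
    If R is a non-square, the norm is the norm form of F_{p^2}, which takes every
    nonzero value of Z_p exactly p+1 times."""
    if jacobi(R, p) == 1:
        return {0: 2 * p - 1, 1: (p - 1) ** 2 // 2, -1: (p - 1) ** 2 // 2}
    return {0: 1, 1: (p * p - 1) // 2, -1: (p * p - 1) // 2}


def mul_mod(n, R, f, g):
    """Multiply f = (f0, f1) and g = (g0, g1) in Z_n[x]/(x^2 - R), using x^2 = R."""
    f0, f1 = f
    g0, g1 = g
    return ((f0 * g1 + f1 * g0) % n, (f1 * g1 + f0 * g0 * R) % n)


def multiplicative_everywhere(n, R):
    """True iff GT_n(R, f*g) == GT_n(R, f) * GT_n(R, g) for every pair f, g in the
    ring.  This holds because the norm of a product is the product of the norms and
    the Jacobi symbol is multiplicative in its argument (zeros included)."""
    ring = list(product(range(n), repeat=2))
    for f in ring:
        for g in ring:
            h0, h1 = mul_mod(n, R, f, g)
            if gt(n, R, h0, h1) != gt(n, R, *f) * gt(n, R, *g):
                return False
    return True


def cocks_as_polynomial(n, R, t):
    """Cocks ciphertext c = t + R*t^{-1} mod n, written as the polynomial 2x + c
    (my encoding): its norm is c^2 - 4R = (t - R*t^{-1})^2, a square, which is
    exactly what Galbraith's original test detects.  t must be a unit mod n."""
    c = (t + R * pow(t, -1, n)) % n
    return (2, c)


def detection_rates(p, q, R, trials=2000, seed=1):
    """Fraction of Cocks-type polynomials and of uniformly random polynomials on
    which the test outputs -1.  A real ciphertext is never rejected, while a
    constant fraction (approaching one half as p and q grow) of random polynomials
    is; this gap is what makes the non-anonymized schemes distinguishable."""
    n = p * q
    rng = Random(seed)                                   # deterministic sampling
    units = [t for t in range(1, n) if gcd(t, n) == 1]
    cocks_rejected = sum(gt(n, R, *cocks_as_polynomial(n, R, t)) == -1 for t in units)
    random_rejected = sum(gt(n, R, rng.randrange(n), rng.randrange(n)) == -1
                          for _ in range(trials))
    return cocks_rejected / len(units), random_rejected / trials


if __name__ == "__main__":
    for p, R in [(7, 2), (7, 3), (11, 5), (13, 2)]:      # constructed small cases
        print(p, R, count_by_symbol(p, R) == expected_counts(p, R))
    print("multiplicative in Z_15[x]/(x^2-4):", multiplicative_everywhere(15, 4))
    print("rejection rates (Cocks, random):", detection_rates(11, 13, 4))
```

Running the script prints True for every cardinality check, True for the multiplicativity check, and a rejection rate of exactly 0.0 for Cocks-type polynomials against roughly 0.35 for random ones at these tiny parameters (the random rate tends to 1/2 as the primes grow, since the test outputs 0 only when the norm shares a factor with n).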

Scheme Description
Clear et al. [6] were the first to study the algebraic structure of Cocks' ciphertexts. A more in-depth study of the underlying structure can be found in [9,10,13]. As a result of Clear et al.'s study, the authors managed to describe a partially homomorphic IBE scheme [6] and later they improved the scheme such that it is also anonymous [7].
We further present a slightly improved version of Clear et al.'s IBE scheme. We start by presenting the non-anonymized version.

Setup(λ):
Given a security parameter λ, generate two primes p, q > 2^λ and compute their product n = pq. The public parameters are pp = {n, u, H, H′} and the master secret key is msk = {p, q}, where H and H′ are two cryptographic hash functions. Note that H′ must also satisfy the property that for any identity id ∈ {0, 1}^*, R ← H(id) and h(x) ← H′(id), it holds that Otherwise, compute r ≡ (uR)^{1/2} mod n. The private key is r. Enc(pp, id, m): On input pp, an identity id and a message m ∈ {−1, 1}, compute the hash value R = H(id) and randomly choose two polynomials Return the ciphertext C = (g(x), g(x)). Dec(r, C): On input pp, a secret key r and a ciphertext C = (c(x), c(x)), compute Correctness: The correctness of the decryption algorithm follows by noticing that when r^2 ≡ H(id) mod n we have When r^2 ≡ uH(id) mod n, we can proceed similarly.
Using the generalized Galbraith test, it can be shown that the scheme is not anonymous (see Section 4.2). Hence, we need to upgrade the scheme with an anonymization algorithm. We further describe the method as presented in [6,7]. Note that the Anon algorithm anonymizes the ciphertext, while DeAnon reverses the process.
Anon(pp, id, C): Given the public parameters pp, an identity id and a ciphertext C = (c(x), c(x)), compute R = H(id) and h(x) = H′(id). Also, generate two random bits v_1, v_2 ∈ {0, 1} and calculate Return the anonymized ciphertext where In the IBE scheme presented in [6], the authors select random polynomials f(x) until GT_n(R, f(x)) = 1. Also, when proving the security of their scheme, they impose an additional restriction, that In the updated version of the scheme [7], the authors simply generate polynomials until Using these restrictions, we can reduce the generalized version of Galbraith's test to the original version. But, in reality, we should not be able to distinguish the polynomials generated by the IBE scheme from random polynomials in Z_n[x]/(x^2 − R). For this reason, in our version we removed the requirement, and, as we shall see next, we can prove that we cannot distinguish these polynomials from random ones.

New Analysis
We first study the cardinality of the set which contains the polynomials generated by the scheme presented in Section 4.1. Note that we further consider that R ≠ 0. Otherwise, we can trivially recover b by computing f(0). we obtain From the second equation we obtain a ≡ c mod p. Keeping this in mind, the first equation becomes Now, we consider the set of ciphertexts that can be correctly decrypted Proof. From ar + b ≡ 0 mod p we obtain a ≡ −br^{-1} mod p, since r, b ∈ Z_n^*. Looking at the proof of Lemma 5, we observe that in the case a ≡ 0 mod p the sets are not affected by the added restriction, since −br^{-1} ≢ 0 mod p. When a ≢ 0 mod p, the only case that is affected is b ≡ −ar mod p. Therefore, we obtain our desired result.

Corollary 5. The probability of correct decryption is 1 − O(1/n).
Proof. From Corollaries 3 and 4 we obtain that the probability is

Lemma 7.
The following statements are true Otherwise, we obtain (ar − b)(ar + b) ≡ 0 mod p. Thus, we can rewrite the set as Hence, we obtain a = c = 0, which is impossible. Thus, the cardinality of D_p^0(R) is 2(p − 1). The last statement results from observing that all the elements of D_p(R) have Jacobi symbol J_p(f_1^2 − f_0^2 R) equal to either 1 or 0 when R ∈ QR_p. Hence, using Lemma 5 we obtain our result.
⊓⊔ Corollary 6. The following statements are true Proof. According to Corollaries 4 and 6 we have ⊓⊔ Corollary 8. The generalized Galbraith test can detect ciphertexts produced by the scheme from Section 4.1 with a probability of 1/2 + O(1/n).
Proof. According to Corollaries 1 and 3 we have ⊓⊔ Lemma 8. The following equality holds: D_p^1(R) = P_p^{1,1}(R). Proof. We will show that P_p^{1,1}(R) ⊆ D_p^1(R) and D_p^1(R) ⊆ P_p^{1,1}(R). The second inclusion is trivial because P_p^{1,1}(R) contains all possible degree-1 polynomials which have Jacobi symbol equal to 1. Now, let us focus on the first inclusion. We take a random f = f_0 x + f_1 ∈ P_p^{1,1}(R) and we search for a pair (a, b) which has Jacobi symbol 1 according to the definition of P_p^{1,1}(R). Now let us assume that b ≡ 0 mod p. Then we have f_1 ± (f_1^2 − f_0^2 R)^{1/2} ≡ 0 mod p. This implies that f_0^2 R ≡ 0 mod p. Since R ≢ 0 mod p, we obtain that f_0 ≡ 0 mod p and implicitly a ≡ 0 mod p. But, when a ≡ 0 mod p, we can choose the other root b ≡ f_1 mod p, which is different from 0 since we cannot have both f_0 and f_1 equal to 0.
When f_0 ≢ 0 mod p, we can choose b as either of the two roots (note that Δ ≢ 0 mod p). Thus, we obtain that f ∈ D_p^1(R). This concludes our proof. ⊓⊔ Corollary 9. The following equality holds Proof. We assume without loss of generality that GT_p(R, h(x)) = 1. Using Corollary 9 we obtain the following equality and, since the generalized Galbraith test is "multiplicative" (see Lemma 4), we have For the second inclusion we use the fact that h(x) has an inverse (see the proof of Lemma 3). Hence, n(R). This relation can be rewritten as . This concludes our proof. ⊓⊔ Remark 1. Corollary 10 is also proven in [7], but using different techniques. We chose to reprove it since it follows directly from our analysis.
We further assume without loss of generality that GT p (R, h(x)) = 1.
Then the distributions In order to prove that their anonymization technique is secure, Clear et al. first established a series of computational indistinguishability results. The one that we are interested in states that is computationally indistinguishable from the uniform distribution U on {−1, 1}, under the qr assumption. In [13], the authors prove a stronger result: the two distributions are statistically indistinguishable. Since we removed Clear et al.'s restriction, we need to prove that the statistical indistinguishability still holds. Using the results developed in this subsection we can prove exactly that.

Theorem 1. The following distribution
Proof. We will show that the statistical distance Δ(Z_n, U) between Z_n and U is negligible, where In order to compute Pr[Z_n = b] we make use of Corollaries 1 and 2. Thus, taking into account that In a similar way one can obtain Since n is exponentially large in the security parameter λ, the statistical distance is negligible. ⊓⊔

Scheme Description
In [15], the authors introduce two IBE schemes that work with polynomials modulo n, where n is the product of two primes p, q chosen such that p ≡ −q mod 4. Zhao et al. prove the security of their schemes under the strong qr assumption. Starting from their first scheme, we devised a new scheme from which we removed the necessity of choosing p ≡ −q mod 4. In this case, the proof from [15] can be easily adapted to obtain that our scheme is secure under the qr assumption.

Setup(λ):
Given a security parameter λ, generate two primes p, q > 2^λ and compute their product n = pq. Randomly generate two integers u, y ∈ Z_n such that J_p(u) = J_q(u) = −1 and J_p(y) = −J_q(y). The public parameters are pp = {n, u, y, H}, where H : {0, 1}^* → J_n is a cryptographic hash function. The master secret key is msk = {p, q}.
Otherwise, compute r = (uR)^{1/2} mod n. The private key is r. Enc(pp, id, m): On input pp, an identity id and a message m ∈ {0, 1}, compute the hash value R = H(id) and randomly choose two polynomials Return the ciphertext C = (y^m · g(x), y^m · g(x)). Dec(pp, r, C): On input pp, a secret key r and a ciphertext C = (c(x), c(x)), compute Correctness: The correctness of the decryption algorithm follows by noticing that when r^2 ≡ H(id) mod n we have and thus we can recover the message m. When r^2 ≡ uH(id) mod n, we can proceed similarly. Although this proposal is not anonymous (see Section 5.2), it can be made anonymous by using the same anonymization technique as in Section 4.1.
Previous Work. When p ≡ −q mod 4 and y = −1 we obtain the scheme described in [15]. Note that in this case we can choose h(x) = x, since GT_n(R, x · c(x)) = −GT_n(R, c(x)). When analyzing the scheme, the authors do not prove the success probability of decryption and of the generalized Galbraith test against their first proposal. Also, when computing the size of the ciphertext space, Zhao et al. only managed to prove that it is at least (p − 1)(p − 3)(q − 1)(q − 3)/16 (see the next section for the exact size). Two other aspects that are not rigorously stated are: the two complexity assumptions used to prove the anonymity of their second scheme, and the argument that leads to the necessity of these two assumptions.

New Analysis
We start by studying the cardinality of the following sets, which contain the polynomials generated by the scheme presented in Section 5.1. Note that we further consider that R ≠ 0. Otherwise, we can trivially recover m by computing J_n(g(0 Proof. Let J_p(y) = −1. We first prove that the sets C_{p,0}(R) If a, b, c, d ≠ 0, from any of the equations we obtain that y ∈ QR_p. Therefore, we obtain a contradiction, and thus a = b = c = d = 0.
When J_p(y) = 1, we have where We either have v = 0 or w = 0. Hence, either w^2 ≡ yR^{-1} mod p or v^2 ≡ y mod p. If J_p(y) = −1, then the second equality leads to a contradiction, and hence v = 0 and w ≡ (yR^{-1})^{1/2} mod p. This leads to g(x)h(x)^{-1} ≡ (yR^{-1})^{1/2} x mod (x^2 − R). Hence, we obtain that C_{p,0}(R) = C_{p,1}(R). If J_p(y) = 1, then the first equality leads to a contradiction, and thus v ≡ y^{1/2} mod p and w = 0. This leads to g(x)h(x)^{-1} ≡ y^{1/2} mod (x^2 − R). Therefore, we obtain our desired result.
⊓⊔ Now, we consider the sets of ciphertexts that can be correctly decrypted Using Lemma 9 we obtain the first statement. Now, we want to see how many of these pairs collapse to the same polynomial value. Similarly to the proof of Lemma 9, from f_1(x) ≡ f_2(x) mod (x^2 − R) we obtain a_1 ≡ ±a_2 mod p and b_1 ≡ ±b_2 mod p. These numbers must also satisfy the restriction b_1 ≢ −a_1 r mod p.
The last statement results from observing that all the elements of C_{p,0}(R) ∪ C_{p,1}(R) have Jacobi symbol J_p(f_1^2 − f_0^2 R) equal to either 1 or 0. Hence, using Lemma 9 we obtain our result.
⊓⊔ Corollary 16. We assume without loss of generality that J_p(y) = 1. Then the following statements are true
Now we can properly analyze the efficiency of the generalized Galbraith test.