A Key-private Cryptosystem from the Quadratic Residuosity
Marc Joye
Technicolor, 175 S San Antonio Rd, Los Altos, CA 94022, U.S.A.
Keywords:
Public-Key Encryption, Key Privacy, Quadratic Residuosity.
Abstract:
This paper presents a key-private public-key cryptosystem. More specifically, in addition to confidentiality, it provides privacy. Informally, a ciphertext yields no information whatsoever about its recipient (beyond what is publicly known). The presented cryptosystem also features a very fast key generation: the key generation boils down to a mere squaring modulo an RSA modulus. Further, it comes with strong security guarantees: it is proved to be semantically secure and key-private under the standard quadratic residuosity assumption.
1 INTRODUCTION
In numerous scenarios, the recipient’s identity in a transmission needs to be kept private. This allows users to maintain some privacy. Protecting the communication content may not be enough, as already observed in a couple of papers (e.g., (Barth et al., 2006; Bellare et al., 2001; Kiayias et al., 2007)). For example, by analyzing the traffic between an antenna and a mobile device, one can recover some information about [at least] the user’s position and some details about the use of her mobile device. This information leaks easily throughout the day: it is a common habit, indeed, to use a mobile phone every day and to keep it (almost) always switched on.
Key privacy in public-key encryption assumes a “homogeneous” environment. Indeed, if users make use of different cryptosystems, or of the same cryptosystem but with keys of different lengths, anonymity is likely to be lost. The notion of anonymity is therefore restricted to users sharing the same cryptosystem (with different keys) and common parameters. This implicitly defines a group of users.
Kiayias et al. introduce and model in (Kiayias et al., 2007) the concept of group encryption. This is the analogue for encryption of group signatures (Chaum and van Heyst, 1991). Group encryption allows one to conceal the identity of the recipient of a given ciphertext among a set of legitimate receivers. However, in case of misuse, some authority (the group manager) is capable of recovering the recipient’s identity. This paper mostly deals with full anonymity: anonymity cannot be revoked.
Furthermore, in addition to security and privacy properties, group encryption offers verifiability: a sender can convince a verifier that the formed ciphertext can be decrypted by a group member. In this paper, we relax the requirements for group encryption. In the particular context of media broadcasting or wireless communications, we face a different situation where the sender (the broadcaster or the wireless emitter) can be trusted. This relaxation is justified by the fact that, in practical uses of the infrastructure, the sender has no interest in cheating because of business and reputation aspects. Moreover, it is very unlikely that an attacker can impersonate the sender, due to the particular material infrastructure needed (expensive, powerful, ...). Such an attacker should, indeed, mute the licit signals and substitute them with illicit ones, keeping all existing communications alive and faking the attacked ones.
As aforementioned, key-private encryption is a form of encryption which allows one to conceal the identity of the ciphertext’s recipient. Known constructions for key-private cryptosystems involve somewhat costly key generations. We present in this paper a key-private cryptosystem enjoying a fast key generation. In our case, the key generation boils down to a mere modular squaring. Furthermore, to the best of our knowledge, the presented cryptosystem is the sole key-private construction that is provably secure under the standard quadratic residuosity assumption, in the standard model.
Outline of the Paper: The rest of this paper is organized as follows. In the next section, we review some background on public-key encryption. We then proceed in Section 3 with the presentation of a key-private cryptosystem. We show its correctness and study its features. In Section 4, we prove that the scheme is semantically secure and key-private. Finally, we conclude in Section 5.

Joye, M. A Key-private Cryptosystem from the Quadratic Residuosity. DOI: 10.5220/0005569703980404. In Proceedings of the 12th International Conference on Security and Cryptography (SECRYPT-2015), pages 398-404. ISBN: 978-989-758-117-5. Copyright © 2015 SCITEPRESS (Science and Technology Publications, Lda.)
2 PRELIMINARIES
2.1 Public-Key Encryption
In order to better capture the property that users may share some common parameters in a homogeneous environment, the key generation algorithm is divided into two sub-algorithms: the common-key generation algorithm and the key generation algorithm.
Following the syntax of (Bellare et al., 2001) (see also (Goldwasser and Micali, 1984)), we define a public-key encryption scheme as a tuple of four algorithms (SETUP, KEYGEN, ENCRYPT, DECRYPT):

COMMON-KEY GENERATION The common-key generation algorithm SETUP takes as input a security parameter $1^\kappa$ and outputs some common parameters $\mathsf{PP} \xleftarrow{R} \mathrm{SETUP}(1^\kappa)$.

KEY GENERATION The key generation algorithm KEYGEN is a randomized algorithm that takes on input $\mathsf{PP}$ and returns a matching pair of public key and secret key for some user: $(upk, usk) \xleftarrow{R} \mathrm{KEYGEN}(\mathsf{PP})$.

ENCRYPTION Let $\mathcal{M}$ denote the message space. The encryption algorithm ENCRYPT is a randomized algorithm that takes in a public key $upk$ and a plaintext $m \in \mathcal{M}$, and returns a ciphertext $C$. We write $C \leftarrow \mathrm{ENCRYPT}_{upk}(m)$.

DECRYPTION The decryption algorithm DECRYPT takes in secret key $usk$ (matching $upk$) and ciphertext $C$ and returns the corresponding plaintext $m$ or a special symbol indicating that the ciphertext is invalid. We write $m \leftarrow \mathrm{DECRYPT}_{usk}(C)$ if $C$ is a valid ciphertext, and $\mathrm{DECRYPT}_{usk}(C)$ returns the special symbol if it is not.

We require that $\mathrm{DECRYPT}_{usk}(\mathrm{ENCRYPT}_{upk}(m)) = m$ for all messages $m \in \mathcal{M}$.
2.2 Security Notions
Indistinguishability of Encryptions: The notion of indistinguishability of encryptions (Goldwasser and Micali, 1984) captures a strong notion of data privacy: The adversary should not learn any information whatsoever about a plaintext given its encryption beyond the length of the plaintext.
We view an adversary $A$ as a pair $(A_1, A_2)$ of probabilistic algorithms. This corresponds to adversary $A$ running in two stages. In the “find” stage, algorithm $A_1$, on input public parameters $\mathsf{PP}$ and a public key $upk$, outputs two (different) equal-size messages $m_0$ and $m_1 \in \mathcal{M}$ and some state information $s$. In the “guess” stage, algorithm $A_2$ receives a challenge ciphertext $C$ which is the encryption of $m_b$ under $upk$ and where $b$ is chosen at random in $\{0,1\}$. The goal of $A_2$ is to recover the value of $b$ from $s$ and $C$.
A public-key encryption scheme is said to be semantically secure (or indistinguishable) if
$$\left| \Pr\left[ \begin{array}{l} \mathsf{PP} \xleftarrow{R} \mathrm{SETUP}(1^\kappa),\ (upk, usk) \xleftarrow{R} \mathrm{KEYGEN}(\mathsf{PP}), \\ (m_0, m_1, s) \leftarrow A_1(\mathsf{PP}, upk), \\ b \xleftarrow{R} \{0,1\},\ C \leftarrow \mathrm{ENCRYPT}_{upk}(m_b) \end{array} : A_2(s, C) = b \right] - \frac{1}{2} \right|$$
is negligible in the security parameter for any polynomial-time adversary $A$; the probability is taken over the random coins of the experiment according to the distribution induced by SETUP and KEYGEN and over the random coins of the adversary.
As we are in the public-key setting, the adversary $A = (A_1, A_2)$ is given the public key $upk$ and so can encrypt any message of its choice. In other words, the adversary can mount chosen-plaintext attacks (CPA). Hence, we write IE-CPA¹ for the security notion achieved by a semantically secure encryption scheme.
Indistinguishability of Keys: Analogously, the notion of indistinguishability of keys captures a strong requirement about key privacy: The adversary should not be able to link whatsoever a ciphertext with its underlying encryption key.
As before, we view an adversary $A$ as a pair $(A_1, A_2)$ of probabilistic algorithms. In the “find” stage, algorithm $A_1$, on input two public keys $upk_0$ and $upk_1$, outputs a message $m$ and some state information $s$. Then in the “guess” stage, algorithm $A_2$ receives a challenge ciphertext $C$ which is the encryption of $m$ under $upk_b$ where $b$ is chosen at random in $\{0,1\}$. The goal of $A_2$ is to recover the value of $b$ from $s$ and $C$.
More formally, a public-key encryption scheme is said to be anonymous (or key-private) if
$$\left| \Pr\left[ \begin{array}{l} \mathsf{PP} \xleftarrow{R} \mathrm{SETUP}(1^\kappa),\ (upk_0, usk_0) \xleftarrow{R} \mathrm{KEYGEN}(\mathsf{PP}),\ (upk_1, usk_1) \xleftarrow{R} \mathrm{KEYGEN}(\mathsf{PP}), \\ (m, s) \leftarrow A_1(\mathsf{PP}, upk_0, upk_1), \\ b \xleftarrow{R} \{0,1\},\ C \leftarrow \mathrm{ENCRYPT}_{upk_b}(m) \end{array} : A_2(s, C) = b \right] - \frac{1}{2} \right|$$
is negligible in the security parameter for any polynomial-time adversary $A$; the probability is taken over the random coins of the experiment according to the distribution induced by SETUP and KEYGEN and over the random coins of the adversary.

¹ We deviate from the usual notation of IND-CPA to emphasize the fact that indistinguishability is about encryptions.
This definition of anonymity gives rise to the security notion of IK-CPA or indistinguishability of keys under chosen-plaintext attacks.

Of course, the goals of data privacy and key privacy can be combined to define extended security notions. A public-key encryption scheme achieves IND-CPA security (indistinguishability under chosen-plaintext attacks) if it is both IE-CPA and IK-CPA.
2.3 Complexity Assumptions
It is useful to introduce some notation. Let $N = pq$ be the product of two (odd) primes $p$ and $q$. The Jacobi symbol modulo $N$ of an integer $a$ is denoted by $\left(\frac{a}{N}\right)$. The set of integers whose Jacobi symbol is 1 is denoted by $\mathbb{J}_N$, $\mathbb{J}_N = \left\{ a \in (\mathbb{Z}/N\mathbb{Z})^\times \,\middle|\, \left(\frac{a}{N}\right) = 1 \right\}$; the set of quadratic residues is denoted by $\mathbb{QR}_N$, $\mathbb{QR}_N = \left\{ a \in (\mathbb{Z}/N\mathbb{Z})^\times \,\middle|\, \left(\frac{a}{p}\right) = \left(\frac{a}{q}\right) = 1 \right\}$. Note that $\mathbb{QR}_N$ is a subset of $\mathbb{J}_N$.
Definition 1 (Quadratic Residuosity Assumption). Let RSAGen be a probabilistic algorithm which, given a security parameter $1^\kappa$, outputs primes $p$ and $q$ and their product $N = pq$. The Quadratic Residuosity (QR) assumption asserts that the success probability defined as the distance
$$\left| \Pr\left[D(x, N) = 1 \mid x \xleftarrow{R} \mathbb{QR}_N\right] - \Pr\left[D(x, N) = 1 \mid x \xleftarrow{R} \mathbb{J}_N \setminus \mathbb{QR}_N\right] \right|$$
is negligible for any probabilistic polynomial-time distinguisher $D$; the probabilities are taken over the experiment of running $(N, p, q) \leftarrow \mathrm{RSAGen}(1^\kappa)$ and choosing at random $x \in \mathbb{QR}_N$ and $x \in \mathbb{J}_N \setminus \mathbb{QR}_N$.
3 A KEY-PRIVATE CRYPTOSYSTEM
3.1 Description
Using the syntax introduced in Section 2.1, the cryptosystem is defined as follows.

SETUP($1^\kappa$) Given as input security parameter $1^\kappa$, SETUP generates an RSA modulus $N = pq$ where $p$ and $q$ are prime and $p \not\equiv q \pmod 4$. The factorization of $N$ is erased. The public parameters are $\mathsf{PP} = \{N\}$.

KEYGEN($\mathsf{PP}$) For user $i$, the key generation algorithm KEYGEN picks a random element $r_i \xleftarrow{R} \mathbb{Z}/N\mathbb{Z}$ and sets $R_i = r_i^2 \bmod N$. It outputs the public key $upk_i = \{R_i\}$ and matching private key $usk_i = \{r_i\}$.

ENCRYPT$_{upk_i}(m)$ To encrypt a message $m \in \{0,1\}$ for user $i$, ENCRYPT chooses at random $t \xleftarrow{R} \mathbb{Z}/N\mathbb{Z}$ and $\beta \xleftarrow{R} \{0,1\}$, and sets
$$\tau = (-1)^m \left(\frac{2t}{N}\right) \quad\text{and}\quad c = \begin{cases} \dfrac{t^2 + R_i}{2t} \bmod N & \text{if } \beta = 0 \\[1ex] \dfrac{2R_i\, t}{t^2 + R_i} \bmod N & \text{if } \beta = 1 \end{cases}.$$
The returned ciphertext is $C = \{\tau, c\}$.

DECRYPT$_{usk_i}(C)$ Given a ciphertext $C = \{\tau, c\}$, the decryption algorithm DECRYPT first computes $\sigma = \left(\frac{c^2 - R_i}{N}\right)$. If $\sigma = -1$, it updates $c$ as $c \leftarrow R_i / c \bmod N$. It then returns plaintext $m$ as
$$m = \frac{1 - \tau \cdot \left(\frac{c + r_i}{N}\right)}{2}.$$
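As an added illustration (this code is not from the paper), the following Python implements SETUP, KEYGEN, ENCRYPT and DECRYPT exactly as described above over a constructed toy modulus $N = pq$ with $p \equiv 1$ and $q \equiv 3 \pmod 4$. The Jacobi-symbol routine, the gcd checks on the denominators $2t$ and $t^2 + R_i$, and the "invalid ciphertext" returns are the implementer's additions, and the primes are far too small for real use.

```python
import secrets
from math import gcd

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; returns 0 when gcd(a, n) > 1."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:          # (2/n) = -1 exactly when n = 3, 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                # quadratic reciprocity for odd a, n
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

# Constructed toy parameters (not from the paper): p = 1 (mod 4) and
# q = 3 (mod 4), so p and q are not congruent mod 4 and (-1/N) = -1.
# SETUP would erase p and q; they are kept here only for the demonstration.
P, Q = 1000000009, 1000000007
N = P * Q

def keygen(N):
    """KEYGEN: one modular squaring. Returns (upk_i, usk_i) = (R_i, r_i)."""
    while True:
        r = secrets.randbelow(N)
        if gcd(r, N) == 1:
            return r * r % N, r

def encrypt(R, m, N, beta=None):
    """ENCRYPT_{upk_i}(m) for a bit m; returns the ciphertext (tau, c)."""
    assert m in (0, 1)
    if beta is None:
        beta = secrets.randbelow(2)
    while True:                    # both denominators must be invertible mod N
        t = secrets.randbelow(N)
        if gcd(2 * t, N) == 1 and gcd(t * t + R, N) == 1:
            break
    tau = (-1) ** m * jacobi(2 * t, N)
    if beta == 0:
        c = (t * t + R) * pow(2 * t, -1, N) % N
    else:
        c = 2 * R * t * pow(t * t + R, -1, N) % N
    return tau, c

def decrypt(r, C, N):
    """DECRYPT_{usk_i}(C): the bit m, or None for an invalid ciphertext."""
    R = r * r % N
    tau, c = C
    if tau not in (-1, 1) or gcd(c, N) != 1:
        return None
    sigma = jacobi((c * c - R) % N, N)   # equals (-1)^beta for a valid C
    if sigma == -1:                      # beta = 1: map c back to the beta = 0 form
        c = R * pow(c, -1, N) % N
    j = jacobi((c + r) % N, N)           # equals (2t/N), so tau * j = (-1)^m
    if sigma == 0 or j == 0:
        return None
    return (1 - tau * j) // 2

def check_roundtrip(trials=32):
    """True iff every (m, beta) pair decrypts correctly and sigma = (-1)^beta."""
    for _ in range(trials):
        R, r = keygen(N)
        for m in (0, 1):
            for beta in (0, 1):
                tau, c = encrypt(R, m, N, beta)
                if jacobi((c * c - R) % N, N) != (-1) ** beta:
                    return False
                if decrypt(r, (tau, c), N) != m:
                    return False
    return True
```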
3.2 Correctness
We show that a correctly generated ciphertext $C = \{\tau, c\}$ decrypts to the matching plaintext $m$.

First observe that the condition $p \not\equiv q \pmod 4$ implies that $\left(\frac{-1}{N}\right) = \left(\frac{-1}{p}\right)\left(\frac{-1}{q}\right) = -1$. This in turn implies that $\sigma = (-1)^\beta$. Indeed, there are two cases:

1. [$\beta = 0$] Then $c = \frac{t^2 + R_i}{2t} \bmod N$. Consequently, we get
$$c^2 - R_i \equiv \frac{t^4 + R_i^2 + 2t^2 R_i}{4t^2} - R_i \equiv \left(\frac{t^2 - R_i}{2t}\right)^2 \pmod N.$$
This yields $\left(\frac{c^2 - R_i}{N}\right) = 1$.

2. [$\beta = 1$] Then $c = \frac{2R_i t}{t^2 + R_i} \bmod N$. Hence, we have
$$c^2 - R_i \equiv \frac{4R_i^2 t^2}{t^4 + R_i^2 + 2t^2 R_i} - R_i \equiv -R_i \left( \frac{-4R_i t^2}{t^4 + R_i^2 + 2t^2 R_i} + 1 \right) \equiv -R_i \left(\frac{t^2 - R_i}{t^2 + R_i}\right)^2 \pmod N$$
and thus $\left(\frac{c^2 - R_i}{N}\right) = \left(\frac{-R_i}{N}\right) = -1$.

When $\sigma = -1$ (or equivalently, $\beta = 1$), the decryption algorithm updates $c$ as $c \leftarrow R_i / c \bmod N$, which gives $c = \frac{t^2 + R_i}{2t} \bmod N$. In all cases, we then have
$$\tau \cdot \left(\frac{c + r_i}{N}\right) = \tau \cdot \left(\frac{2t}{N}\right) = (-1)^m$$
by noting that $c + r_i \equiv \frac{t^2 + R_i}{2t} + r_i \equiv \frac{(t + r_i)^2}{2t} \equiv 2t \left(\frac{t + r_i}{2t}\right)^2 \pmod N$ since $R_i = r_i^2 \bmod N$; and thereby
$$\frac{1 - \tau \cdot \left(\frac{c + r_i}{N}\right)}{2} = \frac{1 - (-1)^m}{2} = m.$$
3.3 Comparison
For the sake of comparison, we review below the celebrated Goldwasser-Micali cryptosystem (Goldwasser and Micali, 1984) and the single-bit variant of the BGH cryptosystem (Boneh et al., 2007), both relying on the quadratic residuosity assumption, without random oracles.
Goldwasser-Micali Cryptosystem: This cryptosystem does not allow multiple users to use the same RSA modulus. There is no SETUP algorithm.

KEYGEN($1^\kappa$) Given as input security parameter $1^\kappa$, KEYGEN generates an RSA modulus $N_i = p_i q_i$ where $p_i$ and $q_i$ are prime. It also chooses a random element $y_i \in \mathbb{J}_{N_i} \setminus \mathbb{QR}_{N_i}$. It outputs the public key for user $i$, $upk_i = \{N_i, y_i\}$, and the matching private key $usk_i = \{p_i\}$.

ENCRYPT$_{upk_i}(m)$ To encrypt a message $m \in \{0,1\}$ for user $i$, ENCRYPT chooses at random $t \xleftarrow{R} \mathbb{Z}/N_i\mathbb{Z}$ and sets
$$C = y_i^{\,m}\, t^2 \bmod N_i.$$
The returned ciphertext is $C$.

DECRYPT$_{usk_i}(C)$ Given a ciphertext $C$, the decryption algorithm DECRYPT first computes $\sigma = \left(\frac{C}{p_i}\right)$. It then returns plaintext $m$ as
$$m = \frac{1 - \sigma}{2}.$$
Single-bit BGH Cryptosystem: In the public-key setting, the BGH cryptosystem requires a publicly available oracle $\mathcal{Q}$ taking as input an RSA modulus $N$ and two quadratic residues $R, S \in \mathbb{QR}_N$ and outputting two polynomials $f, g \in (\mathbb{Z}/N\mathbb{Z})[X]$ such that
• $f(r)\,g(s) \in \mathbb{QR}_N$ for all square roots $r$ of $R$ and $s$ of $S$;
• $f(r)\,f(-r) \in \mathbb{QR}_N$ for all square roots $r$ of $R$.
This can be achieved by deterministically constructing a solution $(x, y) \in (\mathbb{Z}/N\mathbb{Z})^2$ to the equation
$$R x^2 + S y^2 = 1$$
and returning
$$f(X) = xX + 1 \quad\text{and}\quad g(X) = 2yX + 2.$$
Following (Boneh et al., 2007), it is readily verified that $f(r)\,g(s) = 2(xr + 1)(ys + 1) = (Rx^2 + Sy^2 - 1) + 2(xr + 1)(ys + 1) = (rx + sy + 1)^2 \in \mathbb{QR}_N$ and $f(r)\,f(-r) = (xr + 1)(-xr + 1) = -Rx^2 + 1 = Sy^2 \in \mathbb{QR}_N$.
SETUP($1^\kappa$) Given as input security parameter $1^\kappa$, SETUP generates an RSA modulus $N = pq$ where $p$ and $q$ are prime. The factorization of $N$ is erased. The public parameters are $\mathsf{PP} = \{N\}$.

KEYGEN($\mathsf{PP}$) For user $i$, the key generation algorithm KEYGEN picks a random element $r_i \xleftarrow{R} \mathbb{Z}/N\mathbb{Z}$ and sets $R_i = r_i^2 \bmod N$. It outputs the public key $upk_i = \{R_i\}$ and matching private key $usk_i = \{r_i\}$.

ENCRYPT$_{upk_i}(m)$ To encrypt a message $m \in \{0,1\}$ for user $i$, ENCRYPT chooses at random $s \xleftarrow{R} \mathbb{Z}/N\mathbb{Z}$ and sets $S = s^2 \bmod N$. It calls oracle $\mathcal{Q}$,
$$(f, g) \leftarrow \mathcal{Q}(N, R_i, S),$$
and computes
$$c = (-1)^m \left(\frac{g(s)}{N}\right).$$
The returned ciphertext is $C = \{S, c\}$.

DECRYPT$_{usk_i}(C)$ Given a ciphertext $C = \{S, c\}$, the decryption algorithm DECRYPT first calls $\mathcal{Q}$ to obtain
$$(f, g) \leftarrow \mathcal{Q}(N, R_i, S)$$
and computes $\sigma = \left(\frac{f(r_i)}{N}\right)$. It then returns plaintext $m$ as
$$m = \frac{1 - \sigma}{2}.$$
AKey-privateCryptosystemfromtheQuadraticResiduosity
401
The BGH cryptosystem requires finding a solu-
tion (x,y) (Z/NZ)
2
to the equation R
i
x
2
+ Sy
2
= 1,
which constitutes a real bottleneck. Indeed, the best
method currently available is of quartic complexity.
This in turn incurs rather long encryption and decryp-
tion times. The main advantage of the BGH system
resides in the bandwidth saved when large cipher-
texts (i.e., multi-bit ciphertexts) are processed. As
this paper is concerned with speed-efficient (and not
bandwidth-efficient) key-private cryptosystems, the
BGH cryptosystem will not be included in the com-
parison.
Key Privacy: The Goldwasser-Micali cryptosystem is semantically secure under the quadratic residuosity assumption in the standard model. Unfortunately, it is not key-private. As already noticed for the RSA cryptosystem in (Bellare et al., 2001), one problem is that the value of the ciphertext leaks some information about the modulus. If $C > N_j$ then we know for sure that user $j$ (i.e., the user with public key $\{N_j, y_j\}$) is not the recipient of the ciphertext $C$.

This issue is easily mitigated in the case of RSA by adding a carefully chosen multiple of the modulus to the ciphertext. But this simple fix does not apply here. Indeed, given a ciphertext $C$ for an unknown recipient, we can always compute
$$\tau_j = \left(\frac{C}{N_j}\right).$$
If $\tau_j \neq 1$ then we can deduce that user $j$ is not the recipient of the ciphertext $C$.
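To make the leak concrete, here is an added Python experiment (not from the paper) with two Goldwasser-Micali users holding constructed toy moduli $N_0$ and $N_1$: it encrypts bits for user 0 and applies the two checks above, $C > N_j$ and $\tau_j = \left(\frac{C}{N_j}\right) \neq 1$, to both users. The Jacobi symbol is evaluated from the known factors purely for brevity; it depends on $N_j$ alone.

```python
import secrets
from math import gcd

def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, by Euler's criterion."""
    s = pow(a % p, (p - 1) // 2, p)
    return -1 if s == p - 1 else s

def jacobi_from_factors(a, p, q):
    """Jacobi symbol (a/pq). Evaluated from the factors only for brevity: the
    symbol depends on N = pq alone and anyone can compute it by reciprocity."""
    return legendre(a, p) * legendre(a, q)

def gm_keygen(p, q):
    """Goldwasser-Micali KEYGEN: upk_i = (N_i, y_i), y_i a pseudo-square, usk_i = p_i."""
    N = p * q
    while True:
        y = secrets.randbelow(N)
        if legendre(y, p) == -1 and legendre(y, q) == -1:   # y in J_N but not in QR_N
            return (N, y), p

def gm_encrypt(upk, m):
    """C = y_i^m t^2 mod N_i for a bit m."""
    N, y = upk
    while True:
        t = secrets.randbelow(N)
        if gcd(t, N) == 1:
            return pow(y, m, N) * t * t % N

def gm_decrypt(p, C):
    """m = (1 - (C/p_i)) / 2."""
    return (1 - legendre(C, p)) // 2

def rules_out(C, p_j, q_j):
    """The two public checks from the text: user j cannot be the recipient of C
    if C > N_j or if tau_j = (C/N_j) != 1. Neither needs any secret."""
    return C > p_j * q_j or jacobi_from_factors(C, p_j, q_j) != 1

# Constructed toy moduli (not from the paper); real keys are RSA-sized.
USER0 = (1000000007, 1000000009)
USER1 = (998244353, 2147483647)

def leak_experiment(trials=64):
    """Encrypt random bits for user 0 and apply rules_out to both users. Returns
    (times user 0 was wrongly ruled out, times user 1 was ruled out, correct decryptions)."""
    upk0, p0 = gm_keygen(*USER0)
    wrong0 = out1 = ok = 0
    for _ in range(trials):
        m = secrets.randbelow(2)
        C = gm_encrypt(upk0, m)
        wrong0 += rules_out(C, *USER0)   # never: (C/N_0) = (y_0/N_0)^m (t/N_0)^2 = 1
        out1 += rules_out(C, *USER1)     # about half the time: (C/N_1) is a coin flip
        ok += gm_decrypt(p0, C) == m
    return wrong0, out1, ok
```

In the scheme of Section 3.1 all users share $N$, so neither check has anything to compare against; that is exactly the gap the shared-modulus design closes.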
Performance: In addition to being key-private, the scheme of Section 3.1 has a much more efficient key generation than the Goldwasser-Micali scheme. It simply requires evaluating a square modulo $N$ whereas the Goldwasser-Micali scheme requires generating two large primes and a pseudo-square. This means that a device with limited computing capabilities can generate keys for the scheme of Section 3.1. The key generation can even be made easier, at the expense of a larger public key, by defining $R_i$ as $R_i = r_i^2 + \alpha N$ (instead of $R_i = r_i^2 \bmod N$) for some random $\alpha \xleftarrow{R} \{0,1\}^{|N| + \kappa}$.
4 SECURITY ANALYSIS
The next two propositions assess the security of the scheme under the quadratic residuosity assumption.

Proposition 1. The scheme is IE-CPA under the quadratic residuosity assumption.
Proof. Assume there exists an IE-CPA adversary $A$ that can break the scheme with probability $\varepsilon$. We will use $A$ to decide whether a random element $w$ in $\mathbb{J}_N$ is a quadratic residue modulo $N$ or not.

Consider the following distinguisher $D(w, N)$ for solving the QR problem:

1. Define $R_i = w$, set $upk_i = \{R_i\}$, and give $(N, upk_i)$ to $A$;
2. Choose a random bit $b \xleftarrow{R} \{0,1\}$ and compute the encryption of $b$ under public key $upk_i$ as $C_b = \{\tau_b, c_b\}$ where $\tau_b = (-1)^b \left(\frac{2t}{N}\right)$ and
$$c_b = \begin{cases} \dfrac{t^2 + R_i}{2t} \bmod N & \text{if } \beta = 0 \\[1ex] \dfrac{2R_i\, t}{t^2 + R_i} \bmod N & \text{if } \beta = 1 \end{cases}$$
for some random element $t \xleftarrow{R} \mathbb{Z}/N\mathbb{Z}$ and bit $\beta \xleftarrow{R} \{0,1\}$;
3. Give $C_b = \{\tau_b, c_b\}$ to $A$ and obtain its guess $b'$;
4. If $b' = b$ return 1; otherwise return 0.
There are two cases to distinguish.

Case 1: Suppose first that $w$ is a quadratic residue modulo $N$. Clearly, $D$ returns 1 exactly when $A$ wins in the IE-CPA game. We thus have $\Pr[D(w, N) = 1 \mid w \in \mathbb{QR}_N] = \varepsilon$.

Case 2: Suppose now that $w \in \mathbb{J}_N \setminus \mathbb{QR}_N$. It is important to see that if $t \pmod{\{p, q\}}$ is replaced with $R_i / t \pmod{\{p, q\}}$ in the computation of $c_b$, the value of $c_b$ is unchanged:
$$\frac{\left[\frac{R_i}{t}\right]^2 + R_i}{2\,\frac{R_i}{t}} \equiv \frac{t^2 + R_i}{2t} \pmod{\{p, q\}} \quad\text{and}\quad \frac{2R_i\,\frac{R_i}{t}}{\left[\frac{R_i}{t}\right]^2 + R_i} \equiv \frac{2R_i\, t}{t^2 + R_i} \pmod{\{p, q\}}.$$
Hence, consider $t_1, t_2, t_3 \in (\mathbb{Z}/N\mathbb{Z})^\times$ such that
$$\begin{array}{ll} t_1 \equiv t \pmod p, & t_1 \equiv R_i / t \pmod q; \\ t_2 \equiv R_i / t \pmod p, & t_2 \equiv t \pmod q; \\ t_3 \equiv R_i / t \pmod p, & t_3 \equiv R_i / t \pmod q. \end{array}$$
In $A$’s view, from $c_b$, the four possible values $t$, $t_1$, $t_2$, and $t_3$ are equally likely. At the same time, since $R_i \in \mathbb{J}_N \setminus \mathbb{QR}_N$ we also have
$$\left(\frac{t}{N}\right) = \left(\frac{t_3}{N}\right) \neq \left(\frac{t_1}{N}\right) = \left(\frac{t_2}{N}\right).$$
The probability that $A$ recovers $\left(\frac{2t}{N}\right)$ from $c_b$ is therefore $\frac{1}{2}$; note that $\tau_b$ carries no information on $\left(\frac{2t}{N}\right)$ since $b$ is random in $\{0,1\}$. As a result, $D$ will return 1 with probability $\frac{1}{2}$.
SECRYPT2015-InternationalConferenceonSecurityandCryptography
402
We so obtain:
Pr
D(w,N) = 1 | w QR
N
Pr
D(w,N) = 1 | w J
N
\ QR
N
=
ε
1
2
which must be negligible by the QR assumption.
Hence, the scheme is IE-CPA secure under the QR
assumption.
In order to prove that the scheme is key-private, we need a useful lemma adapted from (Ateniese and Gasti, 2009, Lemma 2). It considers the two following sets:
$$X_0 = \left\{ u \in \mathbb{Z}/N\mathbb{Z} \,\middle|\, \left(\frac{u^2 - R_i}{p}\right) = \left(\frac{u^2 - R_i}{q}\right) = 1 \right\} \quad\text{and}\quad X_1 = \left\{ u \in \mathbb{Z}/N\mathbb{Z} \,\middle|\, \left(\frac{u^2 - R_i}{p}\right) = \left(\frac{u^2 - R_i}{q}\right) = -1 \right\}.$$
Lemma 1. Let RSAGen be a probabilistic algorithm which, given a security parameter $1^\kappa$, outputs primes $p$ and $q$ and their product $N = pq$. Let also $r_i$ be a random element in $\mathbb{Z}/N\mathbb{Z}$ and $R_i = r_i^2 \bmod N$. Then, under the quadratic residuosity assumption, the statistical distance
$$\left| \Pr\left[D(x, R_i, N) = 1 \mid x \xleftarrow{R} X_0\right] - \Pr\left[D(x, R_i, N) = 1 \mid x \xleftarrow{R} X_1\right] \right|$$
is negligible for any probabilistic polynomial-time distinguisher $D$; the probabilities are taken over the experiment of running $(N, p, q) \leftarrow \mathrm{RSAGen}(1^\kappa)$, sampling $r_i \xleftarrow{R} (\mathbb{Z}/N\mathbb{Z})^\times$, and choosing at random $x \in X_0$ and $x \in X_1$.
Proposition 2. The scheme is IK-CPA under the
quadratic residuosity assumption.
Proof. Since the scheme is already known to be IE-CPA, Halevi’s sufficient condition for key-privacy (Halevi, 2005) teaches us that the scheme meets the IK-CPA notion if the statistical distance between the two distributions
$$\mathcal{D}_0 = \left\{ (upk_0, upk_1, \mathrm{ENCRYPT}_{upk_0}(m)) \,\middle|\, (upk_0, usk_0), (upk_1, usk_1) \xleftarrow{R} \mathrm{KEYGEN}(\mathsf{PP}),\ m \xleftarrow{R} \mathcal{M} \right\}$$
and
$$\mathcal{D}_1 = \left\{ (upk_0, upk_1, \mathrm{ENCRYPT}_{upk_1}(m)) \,\middle|\, (upk_0, usk_0), (upk_1, usk_1) \xleftarrow{R} \mathrm{KEYGEN}(\mathsf{PP}),\ m \xleftarrow{R} \mathcal{M} \right\}$$
is negligible. In our case, a ciphertext encrypted under key $upk_b$ (with $b \in \{0,1\}$) is of the form $C_b = (\tau_b, c_b)$ where $\tau_b = (-1)^m \left(\frac{2t}{N}\right)$ for some $t$. If message $m$ is unknown and uniformly drawn in $\{0,1\}$, $\tau_b$ does not help in distinguishing between $\mathcal{D}_0$ and $\mathcal{D}_1$. Only the $c_b$-component of $C_b$ needs to be considered. When the public key is $upk_b = R_{i_b}$ then
$$c_b^{(\beta)} := \begin{cases} c_b^{(0)} = \dfrac{t^2 + R_{i_b}}{2t} \bmod N, & \text{or} \\[1ex] c_b^{(1)} = \dfrac{2R_{i_b}\, t}{t^2 + R_{i_b}} \bmod N \end{cases}$$
for some random $t \in \mathbb{Z}/N\mathbb{Z}$.

Omitting $upk_0, upk_1$ to ease the reading, Halevi’s criterion requires that the distributions $\mathcal{D}_0 = \{ c_0^{(\beta)} \mid \beta \xleftarrow{R} \{0,1\} \}$ and $\mathcal{D}_1 = \{ c_1^{(\beta)} \mid \beta \xleftarrow{R} \{0,1\} \}$ are indistinguishable with overwhelming probability.
Write
$$\begin{aligned} X_{0,b} &= \left\{ u \in \mathbb{Z}/N\mathbb{Z} \,\middle|\, \left(\frac{u^2 - R_{i_b}}{p}\right) = \left(\frac{u^2 - R_{i_b}}{q}\right) = 1 \right\}, \\ X_{1,b} &= \left\{ u \in \mathbb{Z}/N\mathbb{Z} \,\middle|\, \left(\frac{u^2 - R_{i_b}}{p}\right) = \left(\frac{u^2 - R_{i_b}}{q}\right) = -1 \right\}, \\ Y_b &= \left\{ u \in \mathbb{Z}/N\mathbb{Z} \,\middle|\, \left(\frac{u^2 - R_{i_b}}{p}\right) = -\left(\frac{u^2 - R_{i_b}}{q}\right) \right\}. \end{aligned}$$
As shown in Section 3.2, we have $c_b^{(0)} \in X_{0,b}$ and $c_b^{(1)} \in Y_b$ since
$$\left(c_b^{(0)}\right)^2 - R_{i_b} = \left(\frac{t^2 - R_{i_b}}{2t}\right)^2 \quad\text{and}\quad \left(c_b^{(1)}\right)^2 - R_{i_b} = -R_{i_b} \left(\frac{t^2 - R_{i_b}}{t^2 + R_{i_b}}\right)^2$$
where $t \xleftarrow{R} \mathbb{Z}/N\mathbb{Z}$. Hence, we can see that
$$\mathcal{D}_b \equiv_c \begin{cases} \{ u \mid u \xleftarrow{R} X_{0,b} \cup X_{1,b} \} & \text{when } \beta = 0 \\ \{ u \mid u \xleftarrow{R} Y_b \} & \text{when } \beta = 1 \end{cases}.$$
The first assertion (when $\beta = 0$) follows from Lemma 1 (the notation $\equiv_c$ means computationally equivalent, under the QR assumption in this case). Indeed, we have
$$\{ u \mid u \xleftarrow{R} X_{0,b} \} \equiv_c \{ u \mid u \xleftarrow{R} X_{1,b}\}.$$
The second assertion (when $\beta = 1$) follows by noting that the Jacobi symbol $\left(\frac{R_{i_b}}{N}\right) = 1$.

As a consequence, assuming the QR assumption, the distribution $\mathcal{D}_b$ appears indistinguishable from the uniform distribution over $\mathbb{Z}/N\mathbb{Z}$. This concludes the proof by noting that $\mathcal{D}_0$ and $\mathcal{D}_1$ are essentially the same sets: any random element in $\mathcal{D}_0$ is also an element in $\mathcal{D}_1$, and vice-versa.
AKey-privateCryptosystemfromtheQuadraticResiduosity
403
5 CONCLUSIONS
The cryptosystem presented in this paper can be used in any application requiring efficient public-key encryption provably secure in the standard model with strong privacy guarantees. Remarkably, it offers both data privacy and key privacy under the standard quadratic residuosity assumption. In addition, it features a very fast key generation and is thus well suited to constrained devices requiring an on-board key generation.
REFERENCES
Ateniese, G. and Gasti, P. (2009). Universally anonymous IBE based on the quadratic residuosity assumption. In Fischlin, M., editor, Topics in Cryptology – CT-RSA 2009, volume 5473 of Lecture Notes in Computer Science, pages 32–47. Springer.
Barth, A., Boneh, D., and Waters, B. (2006). Privacy in encrypted content distribution using private broadcast encryption. In Di Crescenzo, G. and Rubin, A., editors, Financial Cryptography and Data Security, volume 4107 of Lecture Notes in Computer Science, pages 52–64. Springer.
Bellare, M., Boldyreva, A., Desai, A., and Pointcheval, D. (2001). Key-privacy in public-key encryption. In Boyd, C., editor, Advances in Cryptology – ASIACRYPT 2001, volume 2248 of Lecture Notes in Computer Science, pages 566–582. Springer.
Boneh, D., Gentry, C., and Hamburg, M. (2007). Space-efficient identity based encryption without pairings. In 48th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2007), pages 647–657. IEEE Computer Society. Full version available as Cryptology ePrint Archive, Report 2007/177.
Chaum, D. and van Heyst, E. (1991). Group signatures. In Davies, D. W., editor, Advances in Cryptology – EUROCRYPT ’91, volume 547 of Lecture Notes in Computer Science, pages 257–265. Springer.
Goldwasser, S. and Micali, S. (1984). Probabilistic encryption. J. Comput. Syst. Sci., 28(2):270–299.
Halevi, S. (2005). A sufficient condition for key-privacy. IACR Cryptology ePrint Archive, Report 2005/005.
Kiayias, A., Tsiounis, Y., and Yung, M. (2007). Group encryption. In Kurosawa, K., editor, Advances in Cryptology – ASIACRYPT 2007, volume 4833 of Lecture Notes in Computer Science, pages 181–199. Springer.
SECRYPT2015-InternationalConferenceonSecurityandCryptography
404