Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Author: Pascal Paillier...

Date posted: 22-Dec-2015

Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Author: Pascal Paillier

Presenter: 陳國璋

[Published in J. Stern, Ed., Advances in Cryptology- EUROCRYPT'99, vol. 1592 of Lecture Notes in Computer Science, pp. 223-238, Springer-Verlag, 1999.]


Outline

Introduction Notation and math. assumption Scheme 1 Scheme 2 Scheme 3 Properties Conclusion


Introduction(1/2)

Two main trapdoor techniques: RSA and Diffie-Hellman

A new technique is proposed: Composite Residuosity

A new computational problem is proposed: the Composite Residuosity Class Problem


Introduction(2/2)

Proposes three homomorphic encryption schemes built on the above assumption, including a new trapdoor permutation.

They satisfy semantic security; however, the author does not give a proof.


Outline

Background Notation and math. assumption Scheme 1 Scheme 2 Scheme 3 Properties Conclusion


Notation and math. assumption (1/10)

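$p$, $q$ are two large primes; $n = pq$

Euler phi-function: $\varphi(n) = (p-1)(q-1)$

Carmichael function: $\lambda(n) = \mathrm{lcm}(p-1, q-1)$

$|\mathbb{Z}_{n^2}^*| = \varphi(n^2) = n\varphi(n)$

For any $w \in \mathbb{Z}_{n^2}^*$: $w^{\lambda} = 1 \bmod n$ and $w^{n\lambda} = 1 \bmod n^2$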


Notation and math. assumption (2/10)

RSA[n,e] problem: extracting e-th roots modulo $n$, where $n = pq$.

Relation: $P_1 \Leftarrow P_2$ (resp. $P_1 \equiv P_2$) denotes that problem $P_1$ is polynomially reducible (resp. equivalent) to problem $P_2$.

n-th residue modulo $n^2$: a number $z$ is an n-th residue modulo $n^2$ if there exists a number $y$ such that $z = y^n \bmod n^2$.


Notation and math. assumption (3/10)

CR[n] problem: deciding n-th residuosity.

Like the problems of deciding quadratic or higher-degree residuosity, CR[n] is a random-self-reducible problem.

Assumption: there exists no polynomial-time distinguisher for n-th residues modulo $n^2$, i.e. CR[n] is intractable.


Notation and math. assumption (4/10)

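$g \in B$, where $B_\alpha \subset \mathbb{Z}_{n^2}^*$ is the set of elements of order $n\alpha$ and $B = \bigcup B_\alpha$ for $\alpha = 1, \ldots, \lambda$

$\varepsilon_g : \mathbb{Z}_n \times \mathbb{Z}_n^* \to \mathbb{Z}_{n^2}^*$: an integer-valued function defined by

$(x, y) \mapsto g^x \cdot y^n \bmod n^2$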


Notation and math. assumption (5/10)

If the order of $g$ is a nonzero multiple of $n$ (order($g$) $= kn$ with $k \ne 0$), then $\varepsilon_g$ is bijective: the domain and codomain have the same cardinality $n\varphi(n)$ and the function is one-to-one.

For $g \in B$ and $w \in \mathbb{Z}_{n^2}^*$, we call the n-th residuosity class of $w$ with respect to $g$ the unique integer $x \in \mathbb{Z}_n$ s.t. $\exists y \in \mathbb{Z}_n^*$, $\varepsilon_g(x, y) = w$.

The class of $w$ is denoted $[w]_g$.


Notation and math. assumption (6/10)

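$[w]_g = 0 \Leftrightarrow w$ is an n-th residue modulo $n^2$

$\forall w_1, w_2 \in \mathbb{Z}_{n^2}^*$: $[w_1 w_2]_g = [w_1]_g + [w_2]_g \bmod n$

The class function $w \mapsto [w]_g$ is a homomorphism from $(\mathbb{Z}_{n^2}^*, \times)$ to $(\mathbb{Z}_n, +)$, for any $g \in B$.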


Notation and math. assumption (7/10)

Class[n,g] problem: computing the class function in base $g$: given $w \in \mathbb{Z}_{n^2}^*$, compute $[w]_g$.

It is a random-self-reducible problem, and its complexity is independent of the base $g$.


Notation and math. assumption (8/10)

Class[n] problem (composite residuosity class problem): given $w \in \mathbb{Z}_{n^2}^*$ and $g \in B$, compute $[w]_g$.

Class[n] $\Leftarrow$ Fact[n]

$[g_1]_{g_2} = [g_2]_{g_1}^{-1}$


Notation and math. assumption (9/10)

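The set $S_n = \{ u < n^2 \mid u = 1 \bmod n \}$ is a multiplicative subgroup of integers modulo $n^2$ over which the function $L$ such that

$\forall u \in S_n$, $L(u) = \dfrac{u - 1}{n}$

is clearly well-defined.

$\forall w \in \mathbb{Z}_{n^2}^*$: $L(w^{\lambda} \bmod n^2) = \lambda \, [w]_{1+n} \bmod n$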


Notation and math. assumption (10/10)

Class[n] $\Leftarrow$ RSA[n,n]

D-Class[n] problem (decisional Class[n] problem): given $w \in \mathbb{Z}_{n^2}^*$, $g \in B$ and $x \in \mathbb{Z}_n$, decide whether $x = [w]_g$ or not.

CR[n] $\equiv$ D-Class[n] $\Leftarrow$ Class[n] $\Leftarrow$ RSA[n,n] $\Leftarrow$ Fact[n]


Outline

Background Notation and math. assumption Scheme 1 Scheme 2 Scheme 3 Properties Conclusion


Scheme 1(1/6)

New probabilistic encryption scheme

$n = pq$ and random base $g \in B$ s.t. $\gcd(L(g^{\lambda} \bmod n^2), n) = 1$

$(n, g)$ as public parameters;

$(p, q)$ (or equivalently $\lambda$) as private pair.


Scheme 1 (2/6)

Enc:

plaintext $m < n$; random number $r < n$

ciphertext $c = g^m \cdot r^n \bmod n^2$, i.e. $c = \varepsilon_g(m, r)$

(trapdoor function with $\lambda$ as the trapdoor secret; one-way iff the Class[n] assumption holds)

Dec:

ciphertext $c < n^2$

plaintext $m = \dfrac{L(c^{\lambda} \bmod n^2)}{L(g^{\lambda} \bmod n^2)} \bmod n$


Scheme 1 (3/6)

One-way function: given x, computing f(x) = y is easy; given y, finding x s.t. f(x) = y is hard.

One-way trapdoor: f() is a one-way function; given a secret s and y, finding x s.t. f(x) = y is easy.

Trapdoor permutation: f() is a one-way trapdoor and f() is bijective.


Scheme 1 (4/6)

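For example:

$n = 5 \cdot 7 = 35$; $n^2 = 1225$

$\varphi(n) = 4 \cdot 6 = 24$; $\lambda(n) = \mathrm{lcm}(4, 6) = 12$

Take $g = 13$ s.t. $\gcd(L(13^{12} \bmod 1225), 35) = 1$

Let $m = 23$, $r = 19$

Enc: $c = 13^{23} \cdot 19^{35} \bmod 1225 = 53$

Dec: $m = \dfrac{L(53^{12} \bmod 1225)}{L(13^{12} \bmod 1225)} \bmod 35 = \dfrac{24}{33} \bmod 35 = 24 \cdot 33^{-1} \bmod 35 = 23$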


Scheme 1 (5/6)

Scheme 1 is one-way ⇔ the computational composite residuosity assumption (Class[n] problem) holds.

Inverting the scheme is by definition the composite residuosity class problem.


Scheme 1 (6/6)

Scheme 1 is semantically secure ⇔ the decisional composite residuosity assumption (CR[n] problem) holds.

$m_0$, $m_1$: known messages. $c$: ciphertext of either $m_0$ or $m_1$.

$[w]_g = 0$ iff $w$ is an n-th residue modulo $n^2$.

$c = \varepsilon_g(m_0, r)$ iff $c \cdot g^{-m_0} \bmod n^2$ is an n-th residue modulo $n^2$. Vice versa.


Outline

Background Notation and math. assumption Scheme 1 Scheme 2 Scheme 3 Properties Conclusion


Scheme 2(1/5)

New one-way trapdoor permutation

$n = pq$ and random base $g \in B$ s.t. $\gcd(L(g^{\lambda} \bmod n^2), n) = 1$

$(n, g)$ as public parameters;

$(p, q)$ (or equivalently $\lambda$) as private pair.


Scheme 2(2/5)

Enc:

plaintext $m < n^2$, split $m$ into $m_1$, $m_2$ s.t. $m = m_1 + n m_2$

ciphertext $c = g^{m_1} \cdot m_2^{\,n} \bmod n^2$, i.e. $c = \varepsilon_g(m_1, m_2)$

(the permutation comes from the bijectivity of $\varepsilon_g$; the trapdoor is the factorization of $n$; one-way iff RSA[n,n] is hard.)


Scheme 2(3/5)

Dec:

ciphertext $c < n^2$

Step 1: $m_1 = \dfrac{L(c^{\lambda} \bmod n^2)}{L(g^{\lambda} \bmod n^2)} \bmod n$ (retrieves $m_1 = m \bmod n$ as in Scheme 1)

Step 2: $c' = c \cdot g^{-m_1} \bmod n$ (recovers $m_2^{\,n} \bmod n$)

Step 3: $m_2 = c'^{\,n^{-1} \bmod \lambda} \bmod n$ (RSA decryption, public exponent $e = n$)

plaintext $m = m_1 + n m_2$


Scheme 2(4/5)

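For example:

$n = 5 \cdot 7 = 35$; $n^2 = 1225$

$\varphi(n) = 4 \cdot 6 = 24$; $\lambda(n) = \mathrm{lcm}(4, 6) = 12$

Take $g = 13$ s.t. $\gcd(L(13^{12} \bmod 1225), 35) = 1$

Let $m = 1178 = 23 + 35 \cdot 33$

Enc: $c = 13^{23} \cdot 33^{35} \bmod 1225 = 4$

Dec: $m_1 = 23$

$c' = 4 \cdot 13^{-23} \bmod 35 = 17$

$35^{-1} \bmod 12 = 11$

$m_2 = 17^{35^{-1} \bmod 12} \bmod 35 = 17^{11} \bmod 35 = 33$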
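The three decryption steps of Scheme 2, run on the toy parameters of the example above (n = 35, g = 13), as an added example that is not part of the original slides or of Paillier's paper. The function names are illustrative, and the domain is taken as m = m1 + n·m2 with m2 a unit modulo n, which is what the bijectivity of the underlying map requires.

```python
# Added example: the Scheme 2 trapdoor permutation on the slides' toy parameters.
from math import gcd

P, Q = 5, 7                                   # private primes from the example
N, N2 = P * Q, (P * Q) ** 2                   # n = 35, n^2 = 1225
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)  # lambda(n) = lcm(4, 6) = 12
G = 13                                        # public base g from the example
D = pow(N, -1, LAM)                           # n^-1 mod lambda (RSA private exponent)


def L(u):
    return (u - 1) // N                       # L(u) = (u - 1) / n on S_n


def permute(m):
    """Public direction: m = m1 + n*m2  ->  g^m1 * m2^n mod n^2."""
    m1, m2 = m % N, m // N
    if not 0 <= m < N2 or gcd(m2, N) != 1:
        raise ValueError("need m < n^2 with m2 = m // n a unit modulo n")
    return pow(G, m1, N2) * pow(m2, N, N2) % N2


def invert(c):
    """Private direction: needs lambda, i.e. the factorization of n."""
    if not 0 < c < N2 or gcd(c, N) != 1:
        raise ValueError("c is not a unit modulo n^2")
    # Step 1: m1 = [c]_g, computed exactly as Scheme 1 decryption.
    m1 = L(pow(c, LAM, N2)) * pow(L(pow(G, LAM, N2)), -1, N) % N
    # Step 2: strip g^m1, leaving m2^n mod n.
    c_prime = c * pow(G, -m1, N) % N
    # Step 3: RSA decryption with public exponent e = n.
    m2 = pow(c_prime, D, N)
    return m1 + N * m2


def is_bijection():
    """Exhaustive check that the map is a bijection onto the units mod n^2."""
    domain = [m for m in range(N2) if gcd(m // N, N) == 1]
    images = {permute(m) for m in domain}
    units = {c for c in range(1, N2) if gcd(c, N) == 1}
    return images == units and all(invert(permute(m)) == m for m in domain)
```

Step 3 works only because gcd(n, λ) = 1, which is what makes n usable as an RSA public exponent here.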


Scheme 2(5/5)

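Digital Signatures

hash function $h : \mathbb{N} \to \{0,1\}^k \subset \mathbb{Z}_{n^2}^*$

For a message $m$, the signer computes the signature $(s_1, s_2)$:

$s_1 = \dfrac{L(h(m)^{\lambda} \bmod n^2)}{L(g^{\lambda} \bmod n^2)} \bmod n$

$s_2 = \left( h(m) \cdot g^{-s_1} \right)^{1/n \bmod \lambda} \bmod n$

Verification: $h(m) \stackrel{?}{=} g^{s_1} \cdot s_2^{\,n} \bmod n^2$

based on RSA[n,n]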


Outline

Background Notation and math. assumption Scheme 1 Scheme 2 Scheme 3 Properties Conclusion


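Scheme 3(1/4)

Lowers the decryption complexity.

Restricts the ciphertext space $\mathbb{Z}_{n^2}^*$ to the subgroup $\langle g \rangle$ of smaller order.

$g \in B_\alpha$, $1 \le \alpha \le \lambda$; then $\forall w \in \langle g \rangle$,

$[w]_g = \dfrac{L(w^{\alpha} \bmod n^2)}{L(g^{\alpha} \bmod n^2)} \bmod n$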


Scheme 3(2/4)

Enc:

plaintext $m < n$, random number $r < n$

ciphertext $c = g^{m + nr} \bmod n^2$

(trapdoor function with $\alpha$ as secret key; one-way iff PDL[n,g] is hard)

Dec:

ciphertext $c < n^2$

plaintext $m = \dfrac{L(c^{\alpha} \bmod n^2)}{L(g^{\alpha} \bmod n^2)} \bmod n$


Scheme 3(3/4)

PDL[n,g] problem (partial discrete logarithm problem): given $w \in \langle g \rangle$, compute $[w]_g$.

D-PDL[n,g] problem (decisional partial discrete logarithm problem): given $w \in \langle g \rangle$ and $x \in \mathbb{Z}_n$, decide whether $[w]_g = x$.


Scheme 3(4/4)

Scheme 3 is one-way ⇔ PDL[n,g] is hard.

Scheme 3 is semantically secure ⇔ D-PDL[n,g] is hard.

PDL[n,g] $\Leftarrow$ Class[n] and D-PDL[n,g] $\Leftarrow$ CR[n]


Outline

Background Notation and math. assumption Scheme 1 Scheme 2 Scheme 3 Properties Conclusion


Properties(1/3)

Random-Self-Reducibility: a good algorithm for the average case implies a good algorithm for the worst case.


Properties(2/3)

Additive Homomorphic Properties

The two encryption functions $m \mapsto g^m r^n \bmod n^2$ and $m \mapsto g^{m + nr} \bmod n^2$ are additively homomorphic on $\mathbb{Z}_n$.

$\forall m_1, m_2 \in \mathbb{Z}_n$, $k \in \mathbb{N}$:

$D(E(m_1) \, E(m_2) \bmod n^2) = m_1 + m_2 \bmod n$

$D(E(m)^k \bmod n^2) = km \bmod n$

$D(E(m_1) \, g^{m_2} \bmod n^2) = m_1 + m_2 \bmod n$

$D(E(m_1)^{m_2} \bmod n^2) = D(E(m_2)^{m_1} \bmod n^2) = m_1 m_2 \bmod n$


Properties(3/3)

Self-Blinding: any ciphertext can be publicly changed into another one without affecting the plaintext.

$\forall m \in \mathbb{Z}_n$, $r \in \mathbb{N}$:

$D(E(m) \, r^n \bmod n^2) = m$ or $D(E(m) \, g^{nr} \bmod n^2) = m$
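Scheme 1 together with the additive homomorphic and self-blinding properties, run on the toy parameters of the worked example (n = 35, g = 13, m = 23, r = 19), as an added example that is not part of the original slides or of Paillier's paper. The function names are illustrative, and the parameters are far too small for any real use.

```python
# Added example: Paillier Scheme 1 and its properties on the slides' toy parameters.
from math import gcd

P, Q = 5, 7                                   # private primes from the example
N, N2 = P * Q, (P * Q) ** 2                   # n = 35, n^2 = 1225
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)  # lambda(n) = lcm(4, 6) = 12
G = 13                                        # public base g from the example


def L(u):
    """L(u) = (u - 1) / n, defined only on S_n = {u < n^2 : u = 1 mod n}."""
    if u % N != 1:
        raise ValueError("u is not in S_n")
    return (u - 1) // N


# 1 / L(g^lambda mod n^2) mod n; exists because gcd(L(g^lambda mod n^2), n) = 1.
MU = pow(L(pow(G, LAM, N2)), -1, N)


def encrypt(m, r):
    """c = g^m * r^n mod n^2 for m in Z_n and r a unit modulo n."""
    if not 0 <= m < N or gcd(r, N) != 1:
        raise ValueError("need 0 <= m < n and gcd(r, n) = 1")
    return pow(G, m, N2) * pow(r, N, N2) % N2


def decrypt(c):
    """m = L(c^lambda mod n^2) / L(g^lambda mod n^2) mod n."""
    if not 0 < c < N2 or gcd(c, N) != 1:
        raise ValueError("ciphertext is not a unit modulo n^2")
    return L(pow(c, LAM, N2)) * MU % N


def add(c1, c2):
    """E(m1) * E(m2) mod n^2 decrypts to m1 + m2 mod n."""
    return c1 * c2 % N2


def scale(c, k):
    """E(m)^k mod n^2 decrypts to k * m mod n."""
    return pow(c, k, N2)


def reblind(c, r):
    """E(m) * r^n mod n^2: a different ciphertext with the same plaintext."""
    return c * pow(r, N, N2) % N2
```

Because anyone holding the public key can call `add`, `scale` or `reblind`, ciphertexts are malleable by design; integrity has to come from a separate mechanism.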


Outline

Background Notation and math. assumption Scheme 1 Scheme 2 Scheme 3 Properties Conclusion


Conclusion(1/4)

Scheme             Main       Permutation  Fast Variant  RSA         ElGamal
One-wayness        Class[n]   RSA[n,n]     PDL[n,g]      RSA[n,F4]   DH[p]
Semantic security  CR[n]      none         D-PDL[n,g]    none        DDH[p]
Plaintext size     |n|        2|n|         |n|           |n|         |p|
Ciphertext size    2|n|       2|n|         2|n|          |n|         2|p|


Enc            Main    Permutation  Fast Variant  RSA  ElGamal
|n|,|p|=512    5120    5120         4032          17   1536
|n|,|p|=768    7680    7680         5568          17   2304
|n|,|p|=1024   10240   10240        7104          17   3072
|n|,|p|=1536   15360   15360        10176         17   4608
|n|,|p|=2048   20480   20480        13248         17   6144


Dec            Main    Permutation  Fast Variant  RSA  ElGamal
|n|,|p|=512    768     1088         480           192  768
|n|,|p|=768    1152    1632         480           288  1152
|n|,|p|=1024   1536    2176         480           384  1536
|n|,|p|=1536   2304    3264         480           576  2304
|n|,|p|=2048   3072    4352         480           768  3072


Conclusion(4/4)

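Proposes a new number-theoretic problem, Class[n].

Trapdoor mechanisms based on composite degree residues.

Although no proof is given that the author's schemes resist CCA, the author believes that small modifications to Schemes 1 and 3 would make them resist CCA, and that this can be proven via the random oracle model.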