Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Author: Pascal Paillier...
Public-Key Cryptosystems Based on Composite Degree Residuosity Classes
Author: Pascal Paillier. Presenter: 陳國璋
[Published in J. Stern, Ed., Advances in Cryptology- EUROCRYPT'99, vol. 1592 of Lecture Notes in Computer Science, pp. 223-238, Springer-Verlag, 1999.]
Outline
Introduction; Notation and math. assumption; Scheme 1; Scheme 2; Scheme 3; Properties; Conclusion
Introduction(1/2)
Two main trapdoor techniques so far: RSA and Diffie-Hellman.
A new technique is proposed: composite residuosity.
A new computational problem is proposed: the Composite Residuosity Class Problem.
Introduction(2/2)
Three homomorphic encryption schemes built on the above assumption are proposed, among them a new trapdoor permutation.
They are semantically secure (against chosen-plaintext attack); the author does not prove security against chosen-ciphertext attacks.
Notation and math. assumption (1/10)
p, q are two large primes, $n = pq$. Euler totient: $\varphi(n) = (p-1)(q-1)$. Carmichael function: $\lambda(n) = \mathrm{lcm}(p-1, q-1)$. $|Z_{n^2}^*| = \varphi(n^2) = n\varphi(n)$. For any $w \in Z_{n^2}^*$:
$w^{\lambda} \equiv 1 \pmod n$ and $w^{n\lambda} \equiv 1 \pmod{n^2}$.
Notation and math. assumption (2/10)
RSA[n,e] problem: extracting e-th roots modulo n, where $n = pq$.
The relation $P_1 \Leftarrow P_2$ (resp. $P_1 \equiv P_2$) denotes that problem $P_1$ is polynomially reducible to problem $P_2$ (resp. that the two problems are polynomially equivalent).
n-th residue modulo $n^2$: a number z is an n-th residue modulo $n^2$ if there exists $y \in Z_{n^2}^*$ such that $z = y^n \bmod n^2$.
Notation and math. assumption (3/10)
CR[n] problem: deciding n-th residuosity modulo $n^2$.
Like the problems of deciding quadratic or higher-degree residuosity, CR[n] is random-self-reducible.
Decisional Composite Residuosity Assumption (DCRA): there exists no polynomial-time distinguisher for n-th residues modulo $n^2$, i.e. CR[n] is intractable.
Notation and math. assumption (4/10)
Let $g \in Z_{n^2}^*$. $B_\alpha \subset Z_{n^2}^*$ denotes the set of elements of order $n\alpha$, and $B = \bigcup_{\alpha} B_\alpha$ for $\alpha = 1, \ldots, \lambda$.
$\varepsilon_g : Z_n \times Z_n^* \to Z_{n^2}^*$ is the integer-valued function defined by
$\varepsilon_g(x, y) = g^x \, y^n \bmod n^2$.
Notation and math. assumption (5/10)
If order(g) = kn for some nonzero k, i.e. $g \in B$, then $\varepsilon_g$ is bijective: domain and co-domain both have order $n\varphi(n)$ and the function is one-to-one.
For $g \in B$ and $w \in Z_{n^2}^*$, we call the n-th residuosity class of w with respect to g the unique $x \in Z_n$ for which there exists $y \in Z_n^*$ such that $\varepsilon_g(x, y) = w$.
The class of w is denoted $[[w]]_g$.
Notation and math. assumption (6/10)
$[[w]]_g = 0$ iff w is an n-th residue modulo $n^2$.
For all $w_1, w_2 \in Z_{n^2}^*$: $[[w_1 w_2]]_g = [[w_1]]_g + [[w_2]]_g \bmod n$,
i.e. the class function $w \mapsto [[w]]_g$ is a homomorphism from $(Z_{n^2}^*, \times)$ to $(Z_n, +)$.
Notation and math. assumption (7/10)
Class[n,g] problem: computing the class function in base g. Given $w \in Z_{n^2}^*$, compute $[[w]]_g$.
It is a random-self-reducible problem, and its hardness is independent of the base g.
Notation and math. assumption (8/10)
Class[n] problem (composite residuosity class problem): given $w \in Z_{n^2}^*$ and $g \in B$, compute $[[w]]_g$.
Class[n] $\Leftarrow$ Fact[n].
For any $g_1, g_2 \in B$: $[[g_1]]_{g_2} \cdot [[g_2]]_{g_1} \equiv 1 \pmod n$, so the base can be changed freely.
Notation and math. assumption (9/10)
Set $S_n = \{ u < n^2 \mid u \equiv 1 \pmod n \}$.
$S_n$ is a multiplicative subgroup of the integers modulo $n^2$, over which the function $L(u) = (u - 1)/n$ is clearly well-defined.
For all $w \in Z_{n^2}^*$: $L(w^\lambda \bmod n^2) \equiv \lambda \, [[w]]_{1+n} \pmod n$.
Notation and math. assumption (10/10)
Class[n] $\Leftarrow$ RSA[n,n].
D-Class[n] problem (decisional Class[n] problem): given $w \in Z_{n^2}^*$, $g \in B$, $x \in Z_n$, decide whether $x = [[w]]_g$ or not.
Summary of reductions: CR[n] $\equiv$ D-Class[n] $\Leftarrow$ Class[n] $\Leftarrow$ RSA[n,n] $\Leftarrow$ Fact[n].
Scheme 1(1/6)
New probabilistic encryption scheme.
Key generation: $n = pq$ and a random base $g \in B$ s.t. $\gcd(L(g^\lambda \bmod n^2), n) = 1$;
$(n, g)$ as public parameters;
$(p, q)$ (equivalently $\lambda$) as the private pair.
Scheme 1 (2/6)
Enc: plaintext $m < n$; random number $r < n$ with $r \in Z_n^*$;
ciphertext $c = g^m \, r^n \bmod n^2$, i.e. $c = \varepsilon_g(m, r)$.
(Trapdoor function with $\lambda$ as the trapdoor secret; one-way iff Class[n] is hard.)
Dec: ciphertext $c < n^2$;
plaintext $m = \dfrac{L(c^\lambda \bmod n^2)}{L(g^\lambda \bmod n^2)} \bmod n$.
Scheme 1 (3/6) One-way function
One-way function: given x, computing f(x) = y is easy; given y, finding x s.t. f(x) = y is hard.
One-way trapdoor function: f() is a one-way function, but given a secret s and y, finding x s.t. f(x) = y is easy.
Trapdoor permutation: f() is a one-way trapdoor function and f() is bijective.
Scheme 1 (4/6)
For example:
$n = 5 \cdot 7 = 35$; $n^2 = 1225$
$\varphi(n) = 4 \cdot 6 = 24$; $\lambda(n) = \mathrm{lcm}(4, 6) = 12$
Take $g = 13$ s.t. $\gcd(L(13^{12} \bmod 1225), 35) = 1$ (here $13^{12} \bmod 1225 = 1156$ and $L(1156) = 33$)
Let $m = 23$, $r = 19$
Enc: $c = 13^{23} \cdot 19^{35} \bmod 1225 = 53$
Dec: $m = \dfrac{L(53^{12} \bmod 1225)}{L(13^{12} \bmod 1225)} \bmod 35 = 24 \cdot 33^{-1} \bmod 35 = 24 \cdot 17 \bmod 35 = 23$
Scheme 1 (5/6)
Scheme 1 is one-way ⇔ the computational composite residuosity assumption (hardness of Class[n]) holds: inverting the scheme is, by definition, the composite residuosity class problem.
Scheme 1 (6/6)
Scheme 1 is semantically secure ⇔ the decisional composite residuosity assumption (hardness of CR[n]) holds. Sketch: let $m_0, m_1$ be known messages and c the ciphertext of one of them. Since $[[w]]_g = 0$ iff w is an n-th residue modulo $n^2$, $c = \varepsilon_g(m_0, r)$ iff $c \, g^{-m_0} \bmod n^2$ is an n-th residue modulo $n^2$; so a distinguisher for the scheme decides n-th residuosity, and vice versa.
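As an added example (not code from Paillier's paper or from these slides), Scheme 1 in Python, checked against the toy parameters of the slide ($n = 35$, $g = 13$, $m = 23$, $r = 19$), together with the trapdoor-side view of the semantic-security argument above: c encrypts $m_0$ exactly when $c \, g^{-m_0}$ has class zero. The key built from the Mersenne primes $2^{61}-1$ and $2^{89}-1$ with base $g = 1 + n$ is a constructed test input, not a parameter from the paper.

```python
"""Paillier Scheme 1: key setup, encryption, decryption and the trapdoor view
of the semantic-security argument. Added example; not code from the paper or
the slides. Toy parameters (p=5, q=7, g=13, m=23, r=19) are the slide's; the
key from the Mersenne primes 2^61-1 and 2^89-1 is a constructed test input."""
from math import gcd, lcm
import secrets


def L(u, n):
    """L(u) = (u - 1) / n on S_n = {u < n^2 : u = 1 mod n}."""
    if (u - 1) % n:
        raise ValueError("argument of L is not in S_n")
    return (u - 1) // n


def keygen(p, q, g):
    """Public key (n, g), private key lambda = lcm(p-1, q-1).
    g is accepted only if gcd(L(g^lambda mod n^2), n) = 1, the slide's test
    that g lies in B (its order is a nonzero multiple of n)."""
    n = p * q
    n2 = n * n
    lam = lcm(p - 1, q - 1)
    if gcd(g, n2) != 1:
        raise ValueError("g is not in Z*_{n^2}")
    if gcd(L(pow(g, lam, n2), n), n) != 1:
        raise ValueError("g is not in B: its order is not a multiple of n")
    return (n, g), lam


def encrypt(pub, m, r=None):
    """c = g^m r^n mod n^2 with r drawn from Z*_n (gcd(r, n) = 1)."""
    n, g = pub
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext must satisfy 0 <= m < n")
    if r is None:
        r = secrets.randbelow(n - 1) + 1
        while gcd(r, n) != 1:
            r = secrets.randbelow(n - 1) + 1
    elif gcd(r, n) != 1:
        raise ValueError("r must be in Z*_n")
    return pow(g, m, n2) * pow(r, n, n2) % n2


def class_of(pub, lam, w):
    """[[w]]_g = L(w^lambda mod n^2) / L(g^lambda mod n^2) mod n.
    Decryption is exactly this class function applied to the ciphertext."""
    n, g = pub
    n2 = n * n
    return L(pow(w, lam, n2), n) * pow(L(pow(g, lam, n2), n), -1, n) % n


def decrypt(pub, lam, c):
    return class_of(pub, lam, c)


def is_nth_residue(pub, lam, w):
    """w is an n-th residue mod n^2 iff [[w]]_g = 0."""
    return class_of(pub, lam, w) == 0


def which_plaintext(pub, lam, c, m0, m1):
    """The slide's argument in code: c encrypts m0 iff c * g^(-m0) is an n-th
    residue. With the trapdoor this decides CR[n]; without it, anyone who could
    tell m0 from m1 would be a CR[n] distinguisher."""
    n, g = pub
    n2 = n * n
    return m0 if is_nth_residue(pub, lam, c * pow(g, -m0, n2) % n2) else m1
```

pow(x, -1, n) (Python 3.8+) supplies the modular inverses. The base check in keygen is the slide's $\gcd(L(g^\lambda \bmod n^2), n) = 1$ condition, which is what guarantees that $\varepsilon_g$ is a bijection and therefore that decryption is well defined; skipping it yields a key that encrypts but does not decrypt.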
Scheme 2(1/5) New one-way trapdoor permutation
Key generation: $n = pq$ and a random base $g \in B$ s.t. $\gcd(L(g^\lambda \bmod n^2), n) = 1$;
$(n, g)$ as public parameters;
$(p, q)$ as the private pair.
Scheme 2(2/5)
Enc: plaintext $m < n^2$, split as $m = m_1 + n\,m_2$ with $m_1 \in Z_n$ and $m_2 \in Z_n^*$ (so $\gcd(m_2, n) = 1$);
ciphertext $c = g^{m_1} \, m_2^{\,n} \bmod n^2$, i.e. $c = \varepsilon_g(m_1, m_2)$.
(The permutation property comes from the bijectivity of $\varepsilon_g$; the trapdoor is the factorization of n; one-way iff RSA[n,n] is hard.)
Scheme 2(3/5)
Dec: ciphertext $c < n^2$
Step 1: $m_1 = \dfrac{L(c^\lambda \bmod n^2)}{L(g^\lambda \bmod n^2)} \bmod n$ (retrieves $m_1 \bmod n$ as in Scheme 1)
Step 2: $c' = c \, g^{-m_1} \bmod n$ (recovers $m_2^{\,n} \bmod n$)
Step 3: $m_2 = c'^{\,n^{-1} \bmod \lambda} \bmod n$ (RSA decryption with public exponent $e = n$)
plaintext $m = m_1 + n\,m_2$
Scheme 2(4/5)
For example:
$n = 5 \cdot 7 = 35$; $n^2 = 1225$
$\varphi(n) = 4 \cdot 6 = 24$; $\lambda(n) = \mathrm{lcm}(4, 6) = 12$
Take $g = 13$ s.t. $\gcd(L(13^{12} \bmod 1225), 35) = 1$
Let $m = 1178 = 23 + 35 \cdot 33$, i.e. $m_1 = 23$, $m_2 = 33$
Enc: $c = 13^{23} \cdot 33^{35} \bmod 1225 = 4$
Dec: $m_1 = 23$
$c' = 4 \cdot 13^{-23} \bmod 35 = 17$
$35^{-1} \bmod 12 = 11$
$m_2 = 17^{\,35^{-1} \bmod 12} \bmod 35 = 17^{11} \bmod 35 = 33$
Scheme 2(5/5)
Digital Signatures
hash function $h : \{0,1\}^k \to Z_{n^2}^*$
message m; the signer computes the signature $(s_1, s_2)$:
$s_1 = \dfrac{L(h(m)^\lambda \bmod n^2)}{L(g^\lambda \bmod n^2)} \bmod n$
$s_2 = \left(h(m) \, g^{-s_1}\right)^{1/n \bmod \lambda} \bmod n$
Verification: $h(m) \overset{?}{=} g^{s_1} \, s_2^{\,n} \bmod n^2$
Security is based on RSA[n,n].
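Scheme 2 and the signature scheme above share the same machinery (the class function followed by an n-th root modulo n), so one added example (not code from the paper or the slides) covers both. It takes $(n, g, \lambda)$ directly; the hash H to $Z_{n^2}^*$ (SHA-256 of the message and a counter) is a constructed stand-in for the slide's h; the toy key and the message $m = 1178$ are the slide's, and the key from the Mersenne primes $2^{61}-1$ and $2^{89}-1$ with $g = 1 + n$ is a constructed test input.

```python
"""Paillier Scheme 2 (trapdoor permutation) and the derived signature scheme.
Added example; not code from the paper or the slides. Takes (n, g, lambda)
directly, with lambda = lcm(p-1, q-1) as in Scheme 1. H is a constructed
hash to Z*_{n^2}, a stand-in for the slide's h."""
from hashlib import sha256
from math import gcd


def L(u, n):
    """L(u) = (u - 1) / n, defined for u = 1 mod n."""
    return (u - 1) // n


def class_of(n, g, lam, w):
    """[[w]]_g computed with the trapdoor lambda, as in Scheme 1 decryption."""
    n2 = n * n
    return L(pow(w, lam, n2), n) * pow(L(pow(g, lam, n2), n), -1, n) % n


def perm_encrypt(n, g, m):
    """Split m < n^2 as m = m1 + n*m2 (m1 in Z_n, m2 in Z*_n); c = g^m1 m2^n mod n^2."""
    n2 = n * n
    if not 0 <= m < n2:
        raise ValueError("plaintext must satisfy 0 <= m < n^2")
    m1, m2 = m % n, m // n
    if gcd(m2, n) != 1:
        raise ValueError("m2 = m div n must be in Z*_n for the map to be a permutation")
    return pow(g, m1, n2) * pow(m2, n, n2) % n2


def perm_decrypt(n, g, lam, c):
    """The slide's three steps: class function, strip g^m1, then an RSA[n,n] root."""
    m1 = class_of(n, g, lam, c)            # step 1: m1 = [[c]]_g
    c_prime = c * pow(g, -m1, n) % n       # step 2: c' = c g^-m1 mod n = m2^n mod n
    d = pow(n, -1, lam)                    # RSA private exponent for e = n
    m2 = pow(c_prime, d, n)                # step 3: n-th root mod n
    return m1 + n * m2


def H(msg, n):
    """Constructed hash to Z*_{n^2}: SHA-256 of msg||counter reduced mod n^2,
    retried until the value is a unit. Not the paper's h."""
    n2 = n * n
    ctr = 0
    while True:
        h = int.from_bytes(sha256(msg + ctr.to_bytes(4, "big")).digest(), "big") % n2
        if h and gcd(h, n2) == 1:
            return h
        ctr += 1


def sign(n, g, lam, msg):
    """s1 = [[h(m)]]_g ; s2 = (h(m) g^-s1)^(1/n mod lambda) mod n."""
    h = H(msg, n)
    s1 = class_of(n, g, lam, h)
    s2 = pow(h * pow(g, -s1, n) % n, pow(n, -1, lam), n)
    return s1, s2


def verify(n, g, msg, sig):
    """Accept iff h(m) == g^s1 s2^n mod n^2."""
    s1, s2 = sig
    n2 = n * n
    return H(msg, n) == pow(g, s1, n2) * pow(s2, n, n2) % n2
```

Why verification holds: $h(m) \in Z_{n^2}^*$ has a unique decomposition $h(m) = g^{s_1} y^n \bmod n^2$ with $y \in Z_n^*$ because $\varepsilon_g$ is a bijection, so step 3 of decryption (the n-th root modulo n, which only the holder of $\lambda$ can take) recovers exactly $s_2 = y$. The check that $\gcd(m_2, n) = 1$ in perm_encrypt is the domain restriction $m_2 \in Z_n^*$; outside it the map is not injective.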
Scheme 3(1/4) Cost reduction for decryption: restricting the ciphertext space $Z_{n^2}^*$ to the subgroup $\langle g \rangle$ of smaller order.
If $g \in B_\alpha$, $1 \le \alpha \le \lambda$, then for all $w \in \langle g \rangle$:
$[[w]]_g = \dfrac{L(w^\alpha \bmod n^2)}{L(g^\alpha \bmod n^2)} \bmod n$
Scheme 3(2/4)
Enc: plaintext $m < n$, random number $r < n$;
ciphertext $c = g^{m + n r} \bmod n^2$
(trapdoor function with $\alpha$ as the secret key; one-way iff PDL[n,g] is hard)
Dec: ciphertext $c < n^2$;
plaintext $m = \dfrac{L(c^\alpha \bmod n^2)}{L(g^\alpha \bmod n^2)} \bmod n$
Scheme 3(3/4)
PDL[n,g] problem (partial discrete logarithm problem): given $w \in \langle g \rangle$, compute $[[w]]_g$.
D-PDL[n,g] problem (decisional partial discrete logarithm problem): given $w \in \langle g \rangle$, $x \in Z_n$, decide whether $[[w]]_g = x$.
Scheme 3(4/4)
Scheme 3 is one-way ⇔ PDL[n,g] is hard. Scheme 3 is semantically secure ⇔ D-PDL[n,g] is hard.
PDL[n,g] $\Leftarrow$ Class[n] and D-PDL[n,g] $\Leftarrow$ CR[n].
Properties(1/3)
Random-Self-Reducibility: a good algorithm for the average case implies a good algorithm for the worst case.
Properties(2/3)
Additive Homomorphic Properties
The two encryption functions
$E(m) = g^m \, r^n \bmod n^2$ and $E(m) = g^{m + n r} \bmod n^2$
are additively homomorphic on $Z_n$. For all $m_1, m_2 \in Z_n$, $k \in \mathbb{N}$:
$D(E(m_1) \, E(m_2) \bmod n^2) = m_1 + m_2 \bmod n$
$D(E(m)^k \bmod n^2) = k\,m \bmod n$
$D(E(m_1) \, g^{m_2} \bmod n^2) = m_1 + m_2 \bmod n$
$D(E(m_1)^{m_2} \bmod n^2) = D(E(m_2)^{m_1} \bmod n^2) = m_1 m_2 \bmod n$
Properties(3/3)
Self-Blinding: any ciphertext can be publicly changed into another one without affecting the plaintext.
For all $m \in Z_n$, $r \in \mathbb{N}$:
$D(E(m) \, r^n \bmod n^2) = m$ or $D(E(m) \, g^{n r} \bmod n^2) = m$
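Scheme 3 and the two properties above, as one added example in Python (not code from the paper or the slides). It uses the second encryption function $E(m) = g^{m + nr} \bmod n^2$, so the homomorphic operations and self-blinding are exercised inside the fast variant's subgroup $\langle g \rangle$. Building g as $h^{\lambda/\alpha} \bmod n^2$ for a divisor $\alpha$ of $\lambda$ is this example's own assumption, one way to obtain a base with $g^{\alpha n} = 1$ whose order is a multiple of n, not necessarily the paper's construction; the toy key ($p = 5$, $q = 7$, $\alpha = 4$, $h = 13$, giving $g = 972$) and the key from the Mersenne primes $2^{61}-1$ and $2^{89}-1$ with $\alpha = 151 \cdot 331 \cdot 1321$ (a divisor of $2^{60}-1$, hence of $\lambda$) are constructed test inputs.

```python
"""Paillier Scheme 3 (fast variant, secret alpha) with the additive-homomorphic
and self-blinding operations. Added example; not code from the paper or the
slides. Assumption: g = h^(lambda/alpha) mod n^2 for some alpha | lambda, one
way (not necessarily the paper's) to get a base with g^(alpha n) = 1."""
from math import gcd, lcm
import secrets


def L(u, n):
    """L(u) = (u - 1) / n, defined for u = 1 mod n."""
    return (u - 1) // n


def fast_keygen(p, q, alpha, h):
    """Public key (n, g), secret alpha. Requires alpha | lambda and
    gcd(L(g^alpha mod n^2), n) = 1; the latter also forces g into B."""
    n = p * q
    n2 = n * n
    lam = lcm(p - 1, q - 1)
    if lam % alpha:
        raise ValueError("alpha must divide lambda")
    g = pow(h, lam // alpha, n2)   # g^alpha = h^lambda = 1 mod n; g^(alpha n) = 1 mod n^2
    if gcd(L(pow(g, alpha, n2), n), n) != 1:
        raise ValueError("L(g^alpha) not invertible mod n; choose another h")
    return (n, g), alpha


def encrypt(pub, m, r=None):
    """Scheme 3: c = g^(m + n r) mod n^2 (the randomness effectively lives in Z_alpha)."""
    n, g = pub
    if not 0 <= m < n:
        raise ValueError("plaintext must satisfy 0 <= m < n")
    if r is None:
        r = secrets.randbelow(n)
    return pow(g, m + n * r, n * n)


def decrypt(pub, alpha, c):
    """m = L(c^alpha mod n^2) / L(g^alpha mod n^2) mod n: one |alpha|-bit exponent."""
    n, g = pub
    n2 = n * n
    return L(pow(c, alpha, n2), n) * pow(L(pow(g, alpha, n2), n), -1, n) % n


# Public operations on ciphertexts; no key material is needed for any of them.
def add(pub, c1, c2):
    """E(m1) E(m2) decrypts to m1 + m2 mod n."""
    n, _ = pub
    return c1 * c2 % (n * n)


def add_plain(pub, c, m2):
    """E(m1) g^m2 decrypts to m1 + m2 mod n."""
    n, g = pub
    return c * pow(g, m2, n * n) % (n * n)


def scalar_mul(pub, c, k):
    """E(m)^k decrypts to k m mod n (with k = m2, this is m1 m2 mod n)."""
    n, _ = pub
    return pow(c, k, n * n)


def blind(pub, c, r):
    """E(m) g^(n r): same plaintext, different ciphertext (Scheme 3 self-blinding)."""
    n, g = pub
    return c * pow(g, n * r, n * n) % (n * n)
```

The operations never reduce ciphertexts modulo n: every product and power is taken modulo $n^2$, because the class is only defined in $Z_{n^2}^*$. Self-blinding is what lets a third party re-randomize a ciphertext it cannot read; the flip side for a practitioner is that anyone can also turn $E(m)$ into $E(m+1)$ or $E(km)$ without the key, which is the malleability the conclusion slide refers to when it says the schemes are not shown to be chosen-ciphertext secure as they stand.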
Conclusion(1/4)
Scheme            | Main     | Permutation | Fast Variant | RSA       | ElGamal
One-wayness       | Class[n] | RSA[n,n]    | PDL[n,g]     | RSA[n,F4] | DH[p]
Semantic security | CR[n]    | none        | D-PDL[n,g]   | none      | DDH[p]
Plaintext size    | |n|      | 2|n|        | |n|          | |n|       | |p|
Ciphertext size   | 2|n|     | 2|n|        | 2|n|         | |n|       | 2|p|
Conclusion(2/4) Encryption cost (number of modular multiplications, as tabulated on the slides)
|n|,|p| | Main  | Permutation | Fast Variant | RSA | ElGamal
512     | 5120  | 5120        | 4032         | 17  | 1536
768     | 7680  | 7680        | 5568         | 17  | 2304
1024    | 10240 | 10240       | 7104         | 17  | 3072
1536    | 15360 | 15360       | 10176        | 17  | 4608
2048    | 20480 | 20480       | 13248        | 17  | 6144
Conclusion(3/4) Decryption cost (number of modular multiplications, as tabulated on the slides)
|n|,|p| | Main | Permutation | Fast Variant | RSA | ElGamal
512     | 768  | 1088        | 480          | 192 | 768
768     | 1152 | 1632        | 480          | 288 | 1152
1024    | 1536 | 2176        | 480          | 384 | 1536
1536    | 2304 | 3264        | 480          | 576 | 2304
2048    | 3072 | 4352        | 480          | 768 | 3072
Conclusion(4/4)
A new number-theoretic problem, Class[n], and a trapdoor mechanism based on composite-degree residues are proposed.
Although no proof is given that the schemes resist chosen-ciphertext attacks (CCA), the author believes that small modifications of Schemes 1 and 3 suffice to resist CCA, provably in the random oracle model.