Public-Key Cryptosystems Based on Composite Degree Residuosity Classes


Author: Pascal Paillier

Presenter: 廖俊威

[Published in J. Stern, Ed., Advances in Cryptology- EUROCRYPT'99, vol. 1592 of Lecture Notes in Computer Science, pp. 223-238, Springer-Verlag, 1999.]


Outline

• Introduction

• Notation and math. assumption

• Scheme 1

• Scheme 2

• Scheme 3

• Properties

• Conclusion


Introduction(1/2)

• Two main trapdoor techniques
  – RSA
  – Diffie-Hellman

• Proposes a new technique
  – Composite Residuosity

• Proposes a new computational problem
  – Composite Residuosity Class Problem


Introduction(2/2)

• Proposes three homomorphic encryption schemes built on the above assumption, including a new trapdoor permutation

• Semantically secure; however, the author gives no proof.


Notation and math. assumption (1/10)

• $p, q$ are two large primes.
• $n = pq$ [ex: 35 = 5*7]
• Euler phi-function: $\psi(n) = (p-1)(q-1)$ [= 4*6 = 24]
• Carmichael function: $\lambda(n) = \mathrm{lcm}(p-1, q-1)$ [= λ(35) = lcm(4,6) = 12]
• $|\mathbb{Z}_{n^2}^*| = \psi(n^2) = n\psi(n)$ [$= n^2(1-1/p)(1-1/q)$]
• Any $w \in \mathbb{Z}_{n^2}^*$,
  – $w^{\lambda} = 1 \bmod n$ [$6^{12} \bmod 35 = 1$]
  – $w^{n\lambda} = 1 \bmod n$ [$6^{35 \cdot 12} \bmod 35 = 1$]


Notation and math. assumption (2/10)

• RSA[n,e] problem
  – Extracting e-th roots modulo n where n = pq

• n-th residue modulo $n^2$
  – A number z is an n-th residue modulo $n^2$ if there exists a number $y \in \mathbb{Z}_{n^2}^*$ such that $z = y^n \bmod n^2$

• CR[n] problem
  – deciding n-th residuosity

• Like the problems of deciding quadratic or higher degree residuosity, CR[n] is a random-self-reducible problem.
  – All of its instances are polynomially equivalent.

• There exists no polynomial time distinguisher for n-th residues modulo $n^2$, i.e. CR[n] is intractable.


Notation and math. assumption (3/10)

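• $g \in B$, where $B_\alpha \subset \mathbb{Z}_{n^2}^*$ is the set of elements of order $n\alpha$, and $B = \bigcup B_\alpha$ for $\alpha = 1, \dots, \lambda$

• $\varepsilon_g$: an integer-valued function defined by
  $\varepsilon_g : \mathbb{Z}_n \times \mathbb{Z}_n^* \to \mathbb{Z}_{n^2}^*$, $(x, y) \mapsto g^x y^n \bmod n^2$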


Notation and math. assumption (4/10)

• If order(g) = kn, a nonzero multiple of n, then $\varepsilon_g$ is bijective.
  – Domain and codomain have the same order $n\psi(n)$, and the function is one-to-one.

• For $g \in B$ and $w \in \mathbb{Z}_{n^2}^*$, we call n-th residuosity class of $w$ with respect to $g$ the unique integer $x \in \mathbb{Z}_n$ s.t. $\exists\, y \in \mathbb{Z}_n^*$, $\varepsilon_g(x, y) = w$.
  The class of $w$ is denoted $[w]_g$.


Notation and math. assumption (5/10)

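• $[w]_g = 0 \Leftrightarrow w$ is an n-th residue modulo $n^2$

• $\forall w_1, w_2 \in \mathbb{Z}_{n^2}^*$, $[w_1 w_2]_g = [w_1]_g + [w_2]_g \bmod n$

• The class function $w \mapsto [w]_g$ is a homomorphism from $(\mathbb{Z}_{n^2}^*, \times)$ to $(\mathbb{Z}_n, +)$, for any $g \in B$.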


Notation and math. assumption (6/10)

• Class[n,g] problem
  – computing the class function in base g
  – given $w \in \mathbb{Z}_{n^2}^*$, compute $[w]_g$
  – random-self-reducible problem
  – the bases g are independent


Notation and math. assumption (7/10)

• Class[n] problem
  – composite residuosity class problem
  – given $w \in \mathbb{Z}_{n^2}^*$, $g \in B$, compute $[w]_g$

• $[g_1]_{g_2} = [g_2]_{g_1}^{-1}$

• Class[n] $\Leftarrow$ Fact[n]


Notation and math. assumption (8/10)

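• The set $S_n = \{\, u < n^2 \mid u = 1 \bmod n \,\}$ is a multiplicative subgroup of integers modulo $n^2$ over which the function $L$ such that
  $\forall u \in S_n,\ L(u) = \dfrac{u - 1}{n}$
  is clearly well-defined.

• $\forall w \in \mathbb{Z}_{n^2}^*,\ L(w^{\lambda} \bmod n^2) = \lambda\,[w]_{1+n} \bmod n$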


Notation and math. assumption (9/10)

• Class[n] $\Leftarrow$ RSA[n,n]

• D-Class[n] problem
  – decisional Class[n] problem
  – given $w \in \mathbb{Z}_{n^2}^*$, $g \in B$, $x \in \mathbb{Z}_n$, decide whether $x = [w]_g$ or not

• CR[n] $\equiv$ D-Class[n] $\Leftarrow$ Class[n] $\Leftarrow$ RSA[n,n] $\Leftarrow$ Fact[n]


Scheme 1(1/6)

• New probabilistic encryption scheme

• $n = pq$ and random base $g \in B$ s.t. $\gcd(L(g^{\lambda} \bmod n^2), n) = 1$
  – $(n, g)$ as public parameters;
  – $(p, q)$ ($\lambda$) as private pair.


Scheme 1 (2/6)

• Enc:
  plaintext $m < n$; random number $r < n$
  ciphertext $c = g^m r^n \bmod n^2$
  i.e. $c = \varepsilon_g(m, r)$
  (trapdoor function with $\lambda$ as the trapdoor secret, one-wayness iff Class[n] holds)

• Dec:
  ciphertext $c < n^2$
  plaintext $m = \dfrac{L(c^{\lambda} \bmod n^2)}{L(g^{\lambda} \bmod n^2)} \bmod n$


Scheme 1 (3/6)

• One-way function
  – Given x, to compute f(x) = y is easy.
  – Given y, to find x s.t. f(x) = y is hard.

• One-way trapdoor
  – f() is a one-way function.
  – Given a secret s, given y, to find x s.t. f(x) = y is easy.

• Trapdoor permutation
  – f() is a one-way trapdoor.
  – f() is bijective.


Scheme 1 (4/6)

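• For example:
  $n = 5 \cdot 7 = 35$; $n^2 = 1225$
  $\psi(n) = 4 \cdot 6 = 24$; $\lambda(n) = \mathrm{lcm}(4, 6) = 12$
  Take $g = 13$ s.t. $\gcd(L(13^{12} \bmod 1225), 35) = 1$
  Let $m = 23$, $r = 19$
  Enc: $c = 13^{23} \cdot 19^{35} \bmod 1225 = 53$
  Dec: $m = \dfrac{L(53^{12} \bmod 1225)}{L(13^{12} \bmod 1225)} \bmod 35 = \dfrac{24}{33} \bmod 35 = 24 \cdot 33^{-1} \bmod 35 = 23$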


Scheme 1 (5/6)

• Scheme 1 is one-way ⇔ the Computational composite residuosity assumption (Class[n] problem) holds.
  – Inverting our scheme is by definition the composite residuosity class problem.


Scheme 1 (6/6)

• Scheme 1 is semantically secure ⇔ the Decisional composite residuosity assumption (CR[n] problem) holds.
  – $m_0, m_1$: known messages.
  – $c$: ciphertext of either $m_0$ or $m_1$.
  – $[w]_g = 0$ iff $w$ is an n-th residue modulo $n^2$.
  – $c = \varepsilon_g(m_0, r)$ iff $c\,g^{-m_0} \bmod n^2$ is an n-th residue modulo $n^2$.
  – Vice-versa.


Scheme 2(1/5)

• New one-way trapdoor permutation

• $n = pq$ and random base $g \in B$ s.t. $\gcd(L(g^{\lambda} \bmod n^2), n) = 1$
  – $(n, g)$ as public parameters;
  – $(p, q)$ ($\lambda$) as private pair.


Scheme 2(2/5)

• Enc:
  plaintext $m < n^2$, split $m = m_1 + n\,m_2$
  ciphertext $c = g^{m_1} m_2^{\,n} \bmod n^2$
  i.e. $c = \varepsilon_g(m_1, m_2)$
  (permutation comes from the bijectivity of $\varepsilon_g$;
  trapdoorness based on the factorization of n;
  one-way iff RSA[n,n] is hard.)


Scheme 2(3/5)

• Dec:
  ciphertext $c < n^2$
  Step 1: $m_1 = \dfrac{L(c^{\lambda} \bmod n^2)}{L(g^{\lambda} \bmod n^2)} \bmod n$ (retrieves $m_1 = m \bmod n$ as in Scheme 1)
  Step 2: $c' = c\,g^{-m_1} \bmod n$ (recovers $m_2^{\,n} \bmod n$)
  Step 3: $m_2 = c'^{\,n^{-1} \bmod \lambda} \bmod n$ (RSA decryption, public exponent $e = n$)
  plaintext $m = m_1 + n\,m_2$


Scheme 2(4/5)

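• For example:
  $n = 5 \cdot 7 = 35$; $n^2 = 1225$
  $\psi(n) = 4 \cdot 6 = 24$; $\lambda(n) = \mathrm{lcm}(4, 6) = 12$
  Take $g = 13$ s.t. $\gcd(L(13^{12} \bmod 1225), 35) = 1$
  Let $m = 1178 = 23 + 35 \cdot 33$
  Enc: $c = 13^{23} \cdot 33^{35} \bmod 1225 = 4$
  Dec: $m_1 = 23$
  $c' = 4 \cdot 13^{-23} \bmod 35 = 17$
  $m_2 = 17^{\,35^{-1} \bmod 12} \bmod 35 = 17^{11} \bmod 35 = 33$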
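The Scheme 2 permutation and its three-step inversion on the slide's toy key (n = 35, g = 13), as an added Python example that is not part of the original slides or the paper. The function names `permute`, `invert` and `check_bijection` are introduced here for illustration; the exhaustive check is only feasible because the modulus is tiny.

```python
from math import gcd

# Toy key from the Scheme 2 slide; real moduli are thousands of bits long.
p, q = 5, 7
n, n2 = p * q, (p * q) ** 2
lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lambda(n) = lcm(4, 6) = 12
g = 13

def L(u):
    """L(u) = (u - 1) / n for u = 1 mod n."""
    return (u - 1) // n

def permute(m):
    """Public direction: split m = m1 + n*m2 and return g^m1 * m2^n mod n^2."""
    if not 0 <= m < n2:
        raise ValueError("m must satisfy 0 <= m < n^2")
    m1, m2 = m % n, m // n
    if gcd(m2, n) != 1:
        raise ValueError("m2 must be invertible mod n")
    return pow(g, m1, n2) * pow(m2, n, n2) % n2

def invert(c):
    """Trapdoor direction: needs lambda, i.e. the factorisation of n."""
    if gcd(c, n) != 1:
        raise ValueError("c is not in Z*_{n^2}")
    # Step 1: m1 = L(c^lambda mod n^2) / L(g^lambda mod n^2) mod n
    m1 = L(pow(c, lam, n2)) * pow(L(pow(g, lam, n2)), -1, n) % n
    # Step 2: c' = c * g^(-m1) mod n, which equals m2^n mod n
    c_prime = c * pow(g, -m1, n) % n
    # Step 3: RSA decryption with public exponent e = n
    m2 = pow(c_prime, pow(n, -1, lam), n)
    return m1 + n * m2

def check_bijection():
    """Exhaustively check the map sends {m1 + n*m2} one-to-one onto Z*_{n^2}."""
    domain = [m1 + n * m2 for m1 in range(n)
              for m2 in range(1, n) if gcd(m2, n) == 1]
    image = {permute(m) for m in domain}
    units = {c for c in range(1, n2) if gcd(c, n) == 1}
    return image == units and all(invert(permute(m)) == m for m in domain)
```

Step 3 works only because gcd(n, λ) = 1, so n has an inverse modulo λ (here 35⁻¹ mod 12 = 11).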


Scheme 2(5/5)

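• Digital Signatures

• hash function $h : \mathbb{N} \to \{0,1\}^k \subset \mathbb{Z}_{n^2}^*$
  for a message $m$, the signer computes the signature $(s_1, s_2)$:
  $s_1 = \dfrac{L(h(m)^{\lambda} \bmod n^2)}{L(g^{\lambda} \bmod n^2)} \bmod n$
  $s_2 = \left(h(m)\,g^{-s_1}\right)^{1/n \bmod \lambda} \bmod n$
  verification: $h(m) \stackrel{?}{=} g^{s_1} s_2^{\,n} \bmod n^2$
  based on RSA[n,n]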


Scheme 3(1/4)

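• Reduces decryption complexity.

• Restricts the ciphertext space $\mathbb{Z}_{n^2}^*$ to the subgroup $\langle g \rangle$ of smaller order.

• If $g \in B_\alpha$, $1 \le \alpha \le \lambda$, then $\forall w \in \langle g \rangle$,
  $[w]_g = \dfrac{L(w^{\alpha} \bmod n^2)}{L(g^{\alpha} \bmod n^2)} \bmod n$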


Scheme 3(2/4)

• Enc:
  plaintext $m < n$, random number $r < n$
  ciphertext $c = g^{m + nr} \bmod n^2$
  (trapdoor function with $\alpha$ as secret key;
  one-way iff PDL[n,g])

• Dec:
  ciphertext $c < n^2$
  plaintext $m = \dfrac{L(c^{\alpha} \bmod n^2)}{L(g^{\alpha} \bmod n^2)} \bmod n$


Scheme 3(3/4)

• PDL[n,g] problem
  – Partial discrete logarithm problem
  – Given $w \in \langle g \rangle$, compute $[w]_g$

• D-PDL[n,g] problem
  – Decisional partial discrete logarithm problem
  – Given $w \in \langle g \rangle$, $x \in \mathbb{Z}_n$, decide whether $[w]_g = x$.


Scheme 3(4/4)

• Scheme 3 is one-way ⇔ PDL[n,g] is hard.

• Scheme 3 is semantically secure ⇔ D-PDL[n,g] is hard.

• PDL[n,g] $\Leftarrow$ Class[n] and D-PDL[n,g] $\Leftarrow$ CR[n]


Properties(1/3)

• Random-Self-Reducibility
  – A good algorithm for the average case implies a good algorithm for the worst case.


Properties(2/3)

• Additive Homomorphic Properties
  – The two encryption functions $m \mapsto g^m r^n \bmod n^2$ and $m \mapsto g^{m + nr} \bmod n^2$ are additively homomorphic on $\mathbb{Z}_n$.
  – $\forall m_1, m_2 \in \mathbb{Z}_n$, $k \in \mathbb{N}$:
    $D(E(m_1)\,E(m_2) \bmod n^2) = m_1 + m_2 \bmod n$
    $D(E(m)^k \bmod n^2) = k\,m \bmod n$
    $D(E(m_1)\,g^{m_2} \bmod n^2) = m_1 + m_2 \bmod n$
    $D(E(m_1)^{m_2} \bmod n^2) = D(E(m_2)^{m_1} \bmod n^2) = m_1 m_2 \bmod n$


Properties(3/3)

• Self-Blinding
  – Any ciphertext can be publicly changed into another one without affecting the plaintext.
  – $\forall m \in \mathbb{Z}_n$, $r \in \mathbb{N}$:
    $D(E(m)\,r^n \bmod n^2) = m$ or $D(E(m)\,g^{nr} \bmod n^2) = m$
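Scheme 1 together with the homomorphic and self-blinding identities above, as an added Python example (not from the original slides or the paper) on the slides' toy key n = 35, g = 13. The helper names `add`, `scale` and `reblind` are illustrative assumptions.

```python
from math import gcd

# Toy key from the Scheme 1 worked example; far too small for real use.
p, q = 5, 7
n, n2 = p * q, (p * q) ** 2
lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lambda(n) = lcm(4, 6) = 12
g = 13

def L(u):
    """L(u) = (u - 1) / n, defined on the subgroup u = 1 mod n."""
    assert u % n == 1
    return (u - 1) // n

# Key validity condition from the slides: gcd(L(g^lambda mod n^2), n) = 1
mu = L(pow(g, lam, n2))
assert gcd(mu, n) == 1

def encrypt(m, r):
    """c = g^m * r^n mod n^2 with m in Z_n and r invertible mod n."""
    if not 0 <= m < n or gcd(r, n) != 1:
        raise ValueError("need 0 <= m < n and gcd(r, n) = 1")
    return pow(g, m, n2) * pow(r, n, n2) % n2

def decrypt(c):
    """m = L(c^lambda mod n^2) / L(g^lambda mod n^2) mod n."""
    if gcd(c, n) != 1:
        raise ValueError("ciphertext is not in Z*_{n^2}")
    return L(pow(c, lam, n2)) * pow(mu, -1, n) % n

def add(c1, c2):
    """D(E(m1) * E(m2) mod n^2) = m1 + m2 mod n."""
    return c1 * c2 % n2

def scale(c, k):
    """D(E(m)^k mod n^2) = k * m mod n."""
    return pow(c, k, n2)

def reblind(c, r):
    """Self-blinding: multiplying by r^n changes c but not the plaintext."""
    return c * pow(r, n, n2) % n2
```

`add`, `scale` and `reblind` use only public values, so ciphertexts are malleable by design; this is the reason the unmodified schemes cannot be expected to resist adaptive chosen-ciphertext attacks.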


Conclusion(4/4)

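• Proposes a new number-theoretic problem, Class[n]

• Trapdoor mechanisms based on composite degree residues

• Although no proof is given that the author's schemes resist CCA, the author believes that small modifications to Schemes 1 and 3 would make them resistant to CCA, and that this could be proven using a random oracle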