1
Public-Key Cryptosystems Based on Composite Degree Residuosity Classes
Author: Pascal Paillier
Presenter: 廖俊威
[Published in J. Stern, Ed., Advances in Cryptology- EUROCRYPT'99, vol. 1592 of Lecture Notes in Computer Science, pp. 223-238, Springer-Verlag, 1999.]
2
Outline
• Introduction
• Notation and math. assumption
• Scheme 1
• Scheme 2
• Scheme 3
• Properties
• Conclusion
3
Introduction(1/2)
• Two main trapdoor techniques: RSA and Diffie-Hellman
• A new technique is proposed: Composite Residuosity
• A new computational problem is proposed: the Composite Residuosity Class Problem
4
Introduction(2/2)
• Three homomorphic encryption schemes built on the above assumption are proposed, including a new trapdoor permutation
• They satisfy semantic security; however, the author gives no proof.
5
Notation and math. assumption (1/10)
• p, q are two large primes.
• n = pq [ex: 35 = 5*7]
• Euler phi-function: φ(n) = (p-1)(q-1) [= 4*6 = 24]
• Carmichael function: λ(n) = lcm(p-1, q-1) [λ(35) = lcm(4,6) = 12]
• |Z*_{n²}| = φ(n²) = nφ(n) [= n²(1-1/p)(1-1/q)]
• For any w ∈ Z*_{n²}:
– w^λ = 1 mod n [6^12 mod 35 = 1]
– w^{nλ} = 1 mod n² [6^(35*12) mod 1225 = 1]
6
Notation and math. assumption (2/10)
• RSA[n,e] problem: extracting e-th roots modulo n, where n = pq
• n-th residue modulo n²: a number z is an n-th residue modulo n² if there exists y ∈ Z*_{n²} such that z = y^n mod n²
• CR[n] problem: deciding n-th residuosity
• Like deciding quadratic or higher degree residuosity, CR[n] is a random-self-reducible problem: all of its instances are polynomially equivalent.
• Assumption: there exists no polynomial-time distinguisher for n-th residues modulo n², i.e. CR[n] is intractable.
7
Notation and math. assumption (3/10)
• Let B ⊂ Z*_{n²} be the set of elements whose order is a nonzero multiple of n, and let g ∈ B.
• ε_g : Z_n × Z*_n → Z*_{n²} is the integer-valued function defined by ε_g(x, y) = g^x · y^n mod n².
8
Notation and math. assumption (4/10)
• If order(g) = kn for some nonzero k (i.e. a nonzero multiple of n), then ε_g is bijective.
– Domain and co-domain have the same order nφ(n), and the function is 1-to-1.
• For g ∈ B and w ∈ Z*_{n²}, the n-th residuosity class of w with respect to g is the unique integer x ∈ Z_n such that there exists y ∈ Z*_n with ε_g(x, y) = w.
• The class of w is denoted [w]_g.
9
Notation and math. assumption (5/10)
• [w]_g = 0 iff w is an n-th residue modulo n².
• For w1, w2 ∈ Z*_{n²}: [w1·w2]_g = [w1]_g + [w2]_g mod n, i.e. the class function w ↦ [w]_g is a homomorphism from (Z*_{n²}, ×) to (Z_n, +).
10
Notation and math. assumption (6/10)
• Class[n,g] problem: computing the class function in base g
– given w ∈ Z*_{n²}, compute [w]_g
– random-self-reducible problem; its hardness does not depend on the base g
11
Notation and math. assumption (7/10)
• Class[n] problem: composite residuosity class problem
– given w ∈ Z*_{n²} and g ∈ B, compute [w]_g
• Class[n] ⇐ Fact[n] (knowing the factorization of n solves Class[n])
• For g1, g2 ∈ B: [g1]_{g2} · [g2]_{g1} = 1 mod n
12
Notation and math. assumption (8/10)
• Set S_n = {u < n² | u = 1 mod n}; it is a multiplicative subgroup of the integers modulo n² over which the function L(u) = (u − 1)/n is clearly well-defined.
• For w ∈ Z*_{n²}: L(w^λ mod n²) = λ · [w]_{1+n} mod n
13
Notation and math. assumption (9/10)
• Class[n] ⇐ RSA[n,n]
• D-Class[n] problem
– decisional Class[n] problem
– given w ∈ Z*_{n²}, g ∈ B, x ∈ Z_n, decide whether x = [w]_g or not
• CR[n] ⇐ D-Class[n] ⇐ Class[n] ⇐ RSA[n,n] ⇐ Fact[n] (A ⇐ B: a solver for B gives a solver for A)
14
Scheme 1(1/6)
• New probabilistic encryption scheme
• n = pq and a random base g ∈ B s.t. gcd(L(g^λ mod n²), n) = 1
– (n, g) as public parameters; (p, q) (or λ) as private pair.
15
Scheme 1 (2/6)
• Enc: plaintext m < n; random number r < n
ciphertext c = g^m · r^n mod n², i.e. c = ε_g(m, r)
(trapdoor function with λ as the trapdoor secret; one-wayness holds iff Class[n] is hard)
• Dec: ciphertext c < n²
plaintext m = L(c^λ mod n²) / L(g^λ mod n²) mod n
16
Scheme 1 (3/6)
• One-way function
– Given x, computing f(x) = y is easy.
– Given y, finding x s.t. f(x) = y is hard.
• One-way trapdoor
– f() is a one-way function.
– Given a secret s and y, finding x s.t. f(x) = y is easy.
• Trapdoor permutation
– f() is a one-way trapdoor.
– f() is bijective.
17
Scheme 1 (4/6)
• For example:
n = 5*7 = 35; n² = 1225
φ(n) = 4*6 = 24; λ(n) = lcm(4,6) = 12
Take g = 13 s.t. gcd(L(13^12 mod 1225), 35) = 1
Let m = 23, r = 19
Enc: c = 13^23 · 19^35 mod 1225 = 53
Dec: m = L(53^12 mod 1225) / L(13^12 mod 1225) mod 35
= 24 · 33^{-1} mod 35
= 24 · 17 mod 35
= 23
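As an added example (not code from the paper or the slides), the Scheme 1 key check, encryption and decryption in Python, reproducing the toy parameters above; the function names `keygen`, `encrypt` and `decrypt` are this example's own, and the random paths assume nothing beyond the slides' definitions.

```python
from math import gcd
from secrets import randbelow

def L(u, n):
    """L(u) = (u - 1) / n on S_n = {u < n^2 : u = 1 mod n}."""
    assert u % n == 1, "u is not in S_n"
    return (u - 1) // n

def keygen(p, q, g=None):
    """Scheme 1 key generation: n = pq, lambda = lcm(p-1, q-1); the base g must
    satisfy gcd(L(g^lambda mod n^2), n) = 1, which is exactly the test for g in B.
    A candidate g that fails the test is replaced by a random one."""
    n = p * q
    n2 = n * n
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    while True:
        if g is None:
            g = 1 + randbelow(n2 - 1)               # random candidate in [1, n^2)
        if gcd(g, n) == 1 and gcd(L(pow(g, lam, n2), n), n) == 1:
            return (n, g), lam
        g = None                                    # rejected: resample

def encrypt(pk, m, r=None):
    """c = g^m * r^n mod n^2 = eps_g(m, r); r is fresh per-message randomness."""
    n, g = pk
    n2 = n * n
    if r is None:
        r = 1 + randbelow(n - 1)
        while gcd(r, n) != 1:                       # r must lie in Z_n^*
            r = 1 + randbelow(n - 1)
    assert 0 <= m < n and gcd(r, n) == 1
    return pow(g, m, n2) * pow(r, n, n2) % n2

def decrypt(pk, lam, c):
    """m = L(c^lambda mod n^2) / L(g^lambda mod n^2) mod n."""
    n, g = pk
    n2 = n * n
    num = L(pow(c, lam, n2), n)
    den = L(pow(g, lam, n2), n)     # invertible mod n by the keygen check
    return num * pow(den, -1, n) % n

if __name__ == "__main__":
    pk, lam = keygen(5, 7, g=13)              # the slide's toy parameters
    c = encrypt(pk, 23, r=19)
    print(pk, lam, c, decrypt(pk, lam, c))    # (35, 13) 12 53 23
```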
18
Scheme 1 (5/6)
• Scheme 1 is one-way ⇔ the Computational Composite Residuosity Assumption (Class[n] is hard) holds.
– Inverting the scheme is, by definition, the composite residuosity class problem.
19
Scheme 1 (6/6)
• Scheme 1 is semantically secure ⇔ the Decisional Composite Residuosity Assumption (CR[n] is hard) holds.
– m0, m1: known messages.
– c: ciphertext of either m0 or m1.
– [w]_g = 0 iff w is an n-th residue modulo n².
– c = ε_g(m0, r) iff c · g^{-m0} mod n² is an n-th residue modulo n².
– And vice versa.
20
Scheme 2(1/5)
• New one-way trapdoor permutation
• n = pq and a random base g ∈ B s.t. gcd(L(g^λ mod n²), n) = 1
– (n, g) as public parameters; (p, q) (or λ) as private pair.
21
Scheme 2(2/5)
• Enc: plaintext m < n², split as m = m1 + n·m2 (m1, m2 < n)
ciphertext c = g^{m1} · m2^n mod n², i.e. c = ε_g(m1, m2)
(permutation comes from the bijectivity of ε_g; the trapdoor is the factorization of n; one-way iff RSA[n,n] is hard.)
22
Scheme 2(3/5)
• Dec: ciphertext c < n²
Step 1: m1 = L(c^λ mod n²) / L(g^λ mod n²) mod n (retrieves m1 mod n as in Scheme 1)
Step 2: c' = c · g^{-m1} mod n (recovers m2^n mod n)
Step 3: m2 = c'^{n^{-1} mod λ} mod n (RSA decryption with public exponent e = n)
plaintext m = m1 + n·m2
23
Scheme 2(4/5)
• For example:
n = 5*7 = 35; n² = 1225
φ(n) = 4*6 = 24; λ(n) = lcm(4,6) = 12
Take g = 13 s.t. gcd(L(13^12 mod 1225), 35) = 1
Let m = 1178 = 23 + 35*33 (m1 = 23, m2 = 33)
Enc: c = 13^23 · 33^35 mod 1225 = 4
Dec: m1 = 23
c' = 4 · 13^{-23} mod 35 = 17
1/35 mod 12 = 11
m2 = 17^11 mod 35 = 33
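As an added example (not code from the paper or the slides), Scheme 2 in Python with the three decryption steps above, plus an exhaustive bijectivity check that is only feasible at toy size; `encrypt2`, `decrypt2` and `is_permutation` are names chosen here, and the RSA step assumes gcd(n, λ) = 1 as it does on the slide.

```python
from math import gcd

def L(u, n):
    """L(u) = (u - 1) / n for u = 1 mod n."""
    assert u % n == 1
    return (u - 1) // n

def encrypt2(pk, m):
    """Scheme 2: split m < n^2 as m1 + n*m2 and output c = g^m1 * m2^n mod n^2."""
    n, g = pk
    n2 = n * n
    assert 0 <= m < n2
    m1, m2 = m % n, m // n
    assert gcd(m2, n) == 1, "m2 must lie in Z_n^* (the domain of eps_g)"
    return pow(g, m1, n2) * pow(m2, n, n2) % n2

def decrypt2(pk, lam, c):
    n, g = pk
    n2 = n * n
    # Step 1: m1 = L(c^lambda mod n^2) / L(g^lambda mod n^2) mod n, as in Scheme 1
    m1 = L(pow(c, lam, n2), n) * pow(L(pow(g, lam, n2), n), -1, n) % n
    # Step 2: c' = c * g^(-m1) mod n leaves m2^n mod n, an RSA ciphertext with e = n
    c_prime = c * pow(g, -m1, n) % n
    # Step 3: RSA decryption with d = n^(-1) mod lambda (assumes gcd(n, lambda) = 1)
    d = pow(n, -1, lam)
    m2 = pow(c_prime, d, n)
    return m1 + n * m2

def is_permutation(pk):
    """Exhaustively check (toy sizes only) that Scheme 2 maps Z_n x Z_n^* onto
    Z_{n^2}^* bijectively, which is what makes it a trapdoor permutation."""
    n, _ = pk
    n2 = n * n
    inputs = [m for m in range(n2) if gcd(m // n, n) == 1]
    outputs = {encrypt2(pk, m) for m in inputs}
    units = {x for x in range(1, n2) if gcd(x, n2) == 1}
    return len(outputs) == len(inputs) and outputs == units

if __name__ == "__main__":
    pk, lam = (35, 13), 12                    # the slide's toy parameters
    c = encrypt2(pk, 1178)
    print(c, decrypt2(pk, lam, c), is_permutation(pk))   # 4 1178 True
```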
24
Scheme 2(5/5)
• Digital Signatures
• Hash function h : {0,1}^k → Z*_{n²}
• For a message m, the signer computes the signature (s1, s2):
s1 = L(h(m)^λ mod n²) / L(g^λ mod n²) mod n
s2 = (h(m) · g^{-s1})^{1/n mod λ} mod n
• Verification: h(m) =? g^{s1} · s2^n mod n²
• Based on RSA[n,n]
25
Scheme 3(1/4)
• Reduces the decryption cost.
• Restricts the ciphertext space Z*_{n²} to the subgroup <g> of smaller order.
• For g ∈ B of order αn (α ≥ 1) and w ∈ <g>:
[w]_g = L(w^α mod n²) / L(g^α mod n²) mod n
26
Scheme 3(2/4)
• Enc: plaintext m < n; random number r < n
ciphertext c = g^{m + nr} mod n²
(trapdoor function with α as the secret key; one-way iff PDL[n,g] is hard)
• Dec: ciphertext c < n²
plaintext m = L(c^α mod n²) / L(g^α mod n²) mod n
27
Scheme 3(3/4)
• PDL[n,g] problem: partial discrete logarithm problem
– Given w ∈ <g>, compute [w]_g
• D-PDL[n,g] problem: decisional partial discrete logarithm problem
– Given w ∈ <g> and x ∈ Z_n, decide whether [w]_g = x.
28
Scheme 3(4/4)
• Scheme 3 is one-way ⇔ PDL[n,g] is hard.
• Scheme 3 is semantically secure ⇔ D-PDL[n,g] is hard.
• PDL[n,g] ⇐ Class[n] and D-PDL[n,g] ⇐ CR[n]
29
Properties(1/3)
• Random-Self-Reducibility: a good algorithm for the average case implies a good algorithm for the worst case.
30
Properties(2/3)
• Additive Homomorphic Properties
– The two encryption functions E(m) = g^m · r^n mod n² and E(m) = g^{m + nr} mod n² are additively homomorphic on Z_n.
– For m1, m2 ∈ Z_n and k ∈ N:
D(E(m1) · E(m2) mod n²) = m1 + m2 mod n
D(E(m)^k mod n²) = k·m mod n
D(E(m1) · g^{m2} mod n²) = m1 + m2 mod n
D(E(m1)^{m2} mod n²) = D(E(m2)^{m1} mod n²) = m1·m2 mod n
31
Properties(3/3)
• Self-Blinding
– Any ciphertext can be publicly changed into another one without affecting the plaintext.
– For m ∈ Z_n and r ∈ N: D(E(m) · r^n mod n²) = m, or D(E(m) · g^{nr} mod n²) = m.
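As an added example (not code from the paper or the slides), the homomorphic identities and self-blinding of the previous two slides exercised on the Scheme 1 toy key; `add_ct`, `add_const`, `mul_const` and `reblind` are names chosen here. The same properties are also the reason the scheme is malleable: anyone holding a ciphertext can shift or scale the plaintext without the key, which is why the plain schemes carry no CCA claim.

```python
from math import gcd

def L(u, n):
    return (u - 1) // n

def enc(pk, m, r):
    """E(m) = g^m * r^n mod n^2 (Scheme 1, explicit randomness r in Z_n^*)."""
    n, g = pk
    n2 = n * n
    return pow(g, m, n2) * pow(r, n, n2) % n2

def dec(pk, lam, c):
    n, g = pk
    n2 = n * n
    return L(pow(c, lam, n2), n) * pow(L(pow(g, lam, n2), n), -1, n) % n

def add_ct(pk, c1, c2):
    """E(m1) * E(m2) mod n^2 decrypts to m1 + m2 mod n."""
    n, _ = pk
    return c1 * c2 % (n * n)

def add_const(pk, c, k):
    """E(m) * g^k mod n^2 decrypts to m + k mod n, computed without the key."""
    n, g = pk
    return c * pow(g, k, n * n) % (n * n)

def mul_const(pk, c, k):
    """E(m)^k mod n^2 decrypts to k*m mod n."""
    n, _ = pk
    return pow(c, k, n * n)

def reblind(pk, c, r):
    """Self-blinding: E(m) * r^n mod n^2 is a fresh ciphertext of the same m."""
    n, _ = pk
    assert gcd(r, n) == 1
    return c * pow(r, n, n * n) % (n * n)

if __name__ == "__main__":
    pk, lam = (35, 13), 12                  # the slide's toy parameters
    c1, c2 = enc(pk, 23, 19), enc(pk, 10, 2)
    print(dec(pk, lam, add_ct(pk, c1, c2)),      # 33  = 23 + 10
          dec(pk, lam, add_const(pk, c1, 20)),   # 8   = 23 + 20 mod 35
          dec(pk, lam, mul_const(pk, c1, 3)),    # 34  = 3 * 23 mod 35
          dec(pk, lam, reblind(pk, c1, 4)))      # 23, from a different ciphertext
```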
32
Conclusion(4/4)
• A new number-theoretic problem, Class[n], is proposed
• Trapdoor mechanisms based on composite degree residues
• Although no proof is given that the author's schemes resist CCA, the author believes that small modifications to Schemes 1 and 3 can resist CCA, and that this can be proven in the random oracle model