Public-Key Cryptosystems Based on Composite Degree Residuosity Classes
Presenter: 陳國璋
EUROCRYPT'99, LNCS 1592, pp. 223-238, 1999. By Pascal Paillier
Efficient Public-Key Cryptosystem Provably Secure against Active Adversaries
ASIACRYPT'99, LNCS 1716, pp. 165-179, 1999. By Pascal Paillier and David Pointcheval
Outline
Notation and math. assumption Scheme 1
Notation and math. Assumption(1/9)
CR[n] problem: deciding nth residuosity, i.e. distinguishing nth residues from non-nth residues.
Notation and math. Assumption(2/9)
Let g ∈ Zn2*. εg: Zn × Zn* → Zn2* is the integer-valued function defined by εg(x, y) = g^x y^n mod n².
Notation and math. Assumption(3/9)
Given a base g ∈ B and w ∈ Zn2*, we want to find x ∈ Zn and y ∈ Zn* s.t. εg(x, y) = g^x y^n mod n² = w.
For $g \in B$ and $w \in \mathbb{Z}_{n^2}^*$, we call the n-th residuosity class of $w$ with respect to $g$ the unique integer $x \in \mathbb{Z}_n$ for which there exists $y \in \mathbb{Z}_n^*$ s.t. $\varepsilon_g(x, y) = w$. The class of $w$ is denoted $[w]_g$.
Notation and math. Assumption(4/9)
$[w]_g = 0$ iff $w$ is an n-th residue modulo $n^2$.
The class function $w \mapsto [w]_g$ is a homomorphism from $(\mathbb{Z}_{n^2}^*, \times)$ to $(\mathbb{Z}_n, +)$: for all $w_1, w_2 \in \mathbb{Z}_{n^2}^*$,
$$[w_1 w_2]_g = [w_1]_g + [w_2]_g \bmod n.$$
Notation and math. Assumption(5/9)
Class[n] problem (nth Residuosity Class Problem of base g): computing the class function in base g, i.e. given w ∈ Zn2*, compute [w]g.
[w]g = x, where x is the smallest non-negative integer s.t. εg(x, y) = g^x y^n mod n² = w for some y ∈ Zn*.
Class[n] is a random-self-reducible problem: the bases g are independent, i.e. its difficulty does not depend on which base g ∈ B is chosen.
Notation and math. Assumption(6/9)
$S_n = \{\, u < n^2 \mid u = 1 \bmod n \,\}$ is a multiplicative subgroup of the integers modulo $n^2$, over which the function $L$ such that $\forall u \in S_n$, $L(u) = (u - 1)/n$ is clearly well-defined.
$\forall w \in \mathbb{Z}_{n^2}^*$, $L(w^\lambda \bmod n^2) = \lambda \, [w]_{1+n} \bmod n$, where $\lambda = \lambda(n) = \mathrm{lcm}(p-1, q-1)$.
$$[w]_g = \frac{L(w^\lambda \bmod n^2)}{L(g^\lambda \bmod n^2)} \bmod n$$
Notation and math. Assumption(7/9)
D-Class[n] problem (decisional Class[n] problem): given w ∈ Zn2*, g ∈ B, x ∈ Zn, decide whether x = [w]g or not.
Reductions (A ⇐ B means that problem A is polynomially reducible to problem B):
Class[n] ⇐ Fact[n]; Class[n] ⇐ RSA[n, n]
CR[n] ⇐ D-Class[n] ⇐ Class[n]
Notation and math. Assumption(8/9)
Fact[n] The factorization of n.
RSA[n]: given c = m^e mod n, extracting e-th roots modulo n.
CR[n] deciding nth residuosity.
Notation and math. Assumption(9/9)
Class[n] Computational composite residuosity class problem given w∈Zn2* and g∈B, compute [w]g
D-Class[n] (decisional Class[n] problem): given w ∈ Zn2*, g ∈ B, x ∈ Zn, decide whether x = [w]g or not.
CR[n] ⇐ D-Class[n] ⇐ Class[n] ⇐ RSA[n, n] ⇐ Fact[n]
Notions of Security(1/3)
Indistinguishability of encryption (IND); Non-malleability (NM)
NM: given the encryption of a plaintext x, the attacker cannot produce the encryption of a meaningfully related plaintext x' (for example, x' = x + 1).
Random oracle model: hash functions are considered to be ideal, i.e. perfectly random.
From a security viewpoint, this has an impact because it gives the attacker an additional access: queries to the random oracles of the scheme.
Outline
Notation and math. assumption Scheme 1
Scheme 1(1/4)
New probabilistic encryption scheme
$n = pq$; random base $g \in B$ s.t. $\gcd(L(g^\lambda \bmod n^2), n) = 1$;
$(n, g)$ as public parameters; $(p, q)$ (equivalently $\lambda$) as the private pair.
Scheme 1 (2/4)
• Recall: $\forall u \in S_n$, $L(u) = (u - 1)/n$ is clearly well-defined.
• Enc: plaintext $m < n$; random number $r < n$; ciphertext $c = g^m r^n \bmod n^2$.
• Dec: ciphertext $c < n^2$; plaintext $m = \dfrac{L(c^\lambda \bmod n^2)}{L(g^\lambda \bmod n^2)} \bmod n$.
i.e. $c = \varepsilon_g(m, r)$ and $[c]_g = m$: $\varepsilon_g$ is a trapdoor function with $(n, g)$ public and $\lambda$ as the trapdoor secret; one-wayness holds iff the Class[n] assumption holds.
$$[w]_g = \frac{L(w^\lambda \bmod n^2)}{L(g^\lambda \bmod n^2)} \bmod n$$
Scheme 1 (3/4) One-way function
Given x, to compute f(x) = y is easy. Given y, to find x s.t. f(x) = y is hard.
One-way trapdoor: f() is a one-way function, but given a secret s and y, finding x s.t. f(x) = y is easy.
Trapdoor permutation: f() is a one-way trapdoor function and f() is bijective.
Scheme 1 (4/4)
• For example:
$n = 5 \cdot 7 = 35$; $n^2 = 1225$
$\varphi(n) = 4 \cdot 6 = 24$; $\lambda(n) = \mathrm{lcm}(4, 6) = 12$
Take $g = 13$ s.t. $\gcd(L(13^{12} \bmod 1225), 35) = 1$
Let $m = 23$, $r = 19$
Enc: $c = 13^{23} \cdot 19^{35} \bmod 1225 = 53$
Dec: $m = \dfrac{L(53^{12} \bmod 1225)}{L(13^{12} \bmod 1225)} \bmod 35 = \dfrac{24}{33} \bmod 35 = 24 \cdot 33^{-1} \bmod 35 = 23$
Recall: $\forall u \in S_n$, $L(u) = (u - 1)/n$ is clearly well-defined.
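Scheme 1 with the slides' own numbers (n = 35, g = 13, m = 23, r = 19, c = 53), as an added example that is not part of the original slides: key setup, ε_g, the class function used for decryption, and the homomorphism of slide 4/9, which is exactly the malleability (x' = x + 1) that the NM notion rules out.

```python
from math import gcd, lcm

# Toy key from the slides' worked example (constructed for illustration only;
# real keys use ~1024-bit primes). p = 5, q = 7, n = 35, n^2 = 1225.
p, q = 5, 7
n, n2 = p * q, (p * q) ** 2
lam = lcm(p - 1, q - 1)            # lambda(n) = lcm(4, 6) = 12: the private trapdoor
g = 13                             # public base; must satisfy gcd(L(g^lambda mod n^2), n) = 1

def L(u):
    """L(u) = (u - 1) / n on S_n = {u < n^2 : u = 1 mod n}."""
    assert u % n == 1, "u is not in S_n"
    return (u - 1) // n

assert gcd(L(pow(g, lam, n2)), n) == 1, "g is not a valid base"

def residuosity_class(w):
    """[w]_g = L(w^lambda mod n^2) / L(g^lambda mod n^2) mod n (needs the trapdoor lambda)."""
    return L(pow(w, lam, n2)) * pow(L(pow(g, lam, n2)), -1, n) % n

def encrypt(m, r):
    """eps_g(m, r) = g^m r^n mod n^2, m in Z_n, r in Z_n^* drawn fresh per encryption."""
    assert 0 <= m < n and gcd(r, n) == 1
    return pow(g, m, n2) * pow(r, n, n2) % n2

def decrypt(c):
    """Dec(c) = [c]_g recovers m whatever randomness r was used."""
    return residuosity_class(c)

def is_nth_residue(w):
    """[w]_g = 0 iff w is an n-th residue modulo n^2 (CR[n] is easy with lambda)."""
    return residuosity_class(w) == 0

def add_ciphertexts(c1, c2):
    """[c1 c2]_g = [c1]_g + [c2]_g mod n: multiplying ciphertexts adds plaintexts.
    This is the homomorphism of slide 4/9 and also the malleability of slide NM:
    c * g encrypts m + 1 without knowing m, so Scheme 1 on its own is not NM."""
    return c1 * c2 % n2

if __name__ == "__main__":
    c = encrypt(23, 19)                                   # 13^23 * 19^35 mod 1225 = 53
    print(c, L(pow(c, lam, n2)), L(pow(g, lam, n2)))      # 53 24 33
    print(decrypt(c), decrypt(add_ciphertexts(c, g)))     # 23 24
```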
Security Analysis(1/21)
Against an adaptive chosen-ciphertext attack (IND-CCA2).
In this scenario, the adversary makes queries of her choice to a decryption oracle during two stages.
Security Analysis(2/21)
The first stage, the find stage: the attacker chooses two messages and requests the encryption oracle to encrypt one of them; the encryption oracle makes the secret choice of which one.
Security Analysis(3/21)
The second stage, the guess stage: she queries the decryption oracle with ciphertexts of her choice. Finally, she tells her guess about the choice the encryption oracle made.
Security Analysis(4/21)
Random oracle model: a t-bit random number r and two hash functions G, H: {0,1}* → {0,1}^|n|.
Security Analysis(5/21)
Provided t = Ω(|n|^δ) for some δ > 0, Scheme 1 is semantically secure against adaptive chosen-ciphertext attacks (IND-CCA2) under the Decision Composite Residuosity assumption (D-Class assumption) in the random oracle model.
D-Class[n] (decisional Class[n] problem): given w ∈ Zn2*, g ∈ B, x ∈ Zn, decide whether x = [w]g or not.
Security Analysis(6/21)
Let A = (A1, A2) be an adversary against the semantic security of Scheme 1, where A1 is the find stage and A2 the guess stage.
This adversary is used to efficiently decide nth residuosity classes.
Security Analysis(7/21)
Oracle G: indistinguishability of encryption.
Oracle H: adaptive attack (decryption queries).
Security Analysis(8/21)
Simulation of the decryption oracle: the attacker asks for a ciphertext c to be decrypted. The simulator checks in the query history of the random oracle H whether some entry (m, r) leads to the ciphertext c, and if so returns m; otherwise, it returns "failure".
Security Analysis(9/21) Quasi-perfect simulation
The probability of producing a valid ciphertext without asking the query (m, r) to the random oracle H (whose answer a has to satisfy the test a^n = z mod n) is upper bounded by 1/ψ(n) ≦ 2/n, which is clearly negligible.
Decryption. Ciphertext: $c = g^M z \bmod n^2 \in \mathbb{Z}_{n^2}^*$
$M = L(c^\lambda \bmod n^2) / L(g^\lambda \bmod n^2) \bmod n$
$z' = g^{-M} c \bmod n$
$m' \| r' = M - G(z') \bmod n$
If $H(m', r')^n = z' \bmod n$, then the plaintext is $m'$; otherwise, output "failure".
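The decryption-with-validity-check above, as an added example that is not part of the original slides or of the paper's own code. It assumes a toy key p = 1009, q = 1013 with g = n + 1 and t = 8, SHA-256 standing in for the random oracles G and H, and the ciphertext written as c = g^M · H(m,r)^n mod n² with z = H(m,r)^n mod n (the form the distinguisher on slide 14 builds, c = w g^u v^n mod n²), so that z' = g^{-M} c mod n recovers z and the slides' decryption steps apply as written.

```python
import hashlib
from math import gcd, lcm

# Toy key constructed for this example (not a secure size): p, q prime, n = pq.
p, q = 1009, 1013
n, n2 = p * q, (p * q) ** 2
lam = lcm(p - 1, q - 1)     # lambda(n): the decryption trapdoor
g = n + 1                   # base in B: L(g^lambda mod n^2) = lambda mod n, coprime to n here
T = 8                       # t = bit length of the nonce r (assumption; the theorem needs t = Omega(|n|^delta))

def L(u):
    return (u - 1) // n

assert gcd(L(pow(g, lam, n2)), n) == 1

def G(z):
    """Random oracle G: {0,1}* -> Z_n, instantiated with SHA-256 (assumption)."""
    return int.from_bytes(hashlib.sha256(b"G|" + str(z).encode()).digest(), "big") % n

def H(m, r):
    """Random oracle H: {0,1}* -> Z_n^*, SHA-256 with rejection sampling (assumption)."""
    ctr = 0
    while True:
        h = int.from_bytes(hashlib.sha256(b"H|%d|%d|%d" % (m, r, ctr)).digest(), "big") % n
        if gcd(h, n) == 1:
            return h
        ctr += 1

def encrypt(m, r):
    """z = H(m,r)^n mod n; M = m||r + G(z) mod n; c = g^M H(m,r)^n mod n^2."""
    assert 0 <= r < 2 ** T and (m << T | r) < n
    s = H(m, r)
    z = pow(s, n, n)
    M = ((m << T | r) + G(z)) % n
    return pow(g, M, n2) * pow(s, n, n2) % n2

def decrypt(c):
    """The slides' decryption: M = [c]_g, z' = g^-M c mod n, m'||r' = M - G(z'),
    accept only if H(m',r')^n = z' mod n; anything not built from an H query fails."""
    M = L(pow(c, lam, n2)) * pow(L(pow(g, lam, n2)), -1, n) % n
    z2 = pow(g, -M, n) * c % n
    mr = (M - G(z2)) % n
    m2, r2 = mr >> T, mr & ((1 << T) - 1)
    if pow(H(m2, r2), n, n) != z2:
        return None                                  # "failure"
    return m2

if __name__ == "__main__":
    c = encrypt(1234, 77)
    print(decrypt(c), decrypt(c * g % n2))           # 1234 None: the c*g malleation is rejected
```

The second call shows why the check matters: multiplying c by g still decrypts to a well-formed M + 1 under plain Scheme 1, but the recovered (m', r') no longer matches an H query, so the CCA2 variant rejects it.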
Security Analysis(13/21)
The attacker A is used to design a distinguisher B for nth residuosity classes. (w, α) is an instance of the D-Class problem, where α is a candidate for the nth residuosity class of w.
D-Class[n] (decisional Class[n] problem): given w ∈ Zn2*, g ∈ B, α ∈ Zn, decide whether α = [w]g or not.
Security Analysis(14/21)
Distinguisher B (1/2): randomly chooses u ∈ Zn, v ∈ Zn*, 0 ≦ r < 2^t, and computes
z = w g^(−α) v^n mod n, c = w g^u v^n mod n².
Runs A1 and gets two messages m0, m1.
Security Analysis(15/21)
Distinguisher B (2/2): chooses a bit b and runs A2 on the ciphertext c, which is supposed to be the ciphertext of m_b using the random r.
Security Analysis(16/21) Shut this game down
If z is asked to the oracle G, shut the game down and B returns 1. This event is denoted AskG.
If (m0, r) or (m1, r) is asked to the oracle H, shut the game down and B returns 0. This event is denoted AskH.
In any other case, B returns 0 when A2 ends.
Security Analysis(17/21)
As soon as one of the events AskG or AskH happens, B terminates the game. Because of the random choice of r, Pr[AskH] = O(qH/2^t) in any case, where qH = #(queries asked to the oracle H) and 0 ≦ r < 2^t.
Since G and H are seen as random oracles, without such queries the attacker has no chance to correctly guess b during a real attack.
Security Analysis(18/21)
In the case α = [w]g: if none of the events AskG or AskH occurs, A gains no information on b; hence AdvA ≦ Pr[AskG ∨ AskH | [w]g = α].
Security Analysis(19/21)
In the case α ≠ [w]g: z is perfectly random (independent of c), so Pr[AskG] ≦ qG/ψ(n), where qG = #(queries asked to the oracle G), u ∈ Zn, v ∈ Zn*, and z = w g^(−α) v^n mod n.
Security Analysis(20/21)
• The advantage of distinguisher B in deciding nth residuosity classes:
$$\begin{aligned}
\mathrm{Adv}_B &= \Pr[B = 1 \mid [w]_g = \alpha] - \Pr[B = 1 \mid [w]_g \neq \alpha] \\
&= \Pr[\mathrm{AskG} \mid [w]_g = \alpha] - \Pr[\mathrm{AskG} \mid [w]_g \neq \alpha] \\
&\geq \Pr[\mathrm{AskG} \vee \mathrm{AskH} \mid [w]_g = \alpha] - \Pr[\mathrm{AskH} \mid [w]_g = \alpha] - \Pr[\mathrm{AskG} \mid [w]_g \neq \alpha] \\
&\geq \mathrm{Adv}_A - \frac{q_H}{2^t} - \frac{q_G}{\psi(n)}
\end{aligned}$$
Security Analysis(21/21)
• Reduction cost: if there exists an active attacker A against semantic security, one can decide nth residuosity classes with an advantage greater than