
Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Jan 16, 2016


Baylee

Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. EUROCRYPT'99, LNCS 1592, pp. 223-238, 1999. By Pascal Paillier. Efficient Public-Key Cryptosystem Provably Secure against Active Adversaries. Presenter: 陳國璋. ASIACRYPT'99, LNCS 1716, pp. 165-179, 1999.
Page 1: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Presenter: 陳國璋

EUROCRYPT'99, LNCS 1592, pp. 223-238, 1999. By Pascal Paillier

Efficient Public-Key Cryptosystem Provably Secure against Active Adversaries

ASIACRYPT'99, LNCS 1716, pp. 165-179, 1999. By Pascal Paillier and David Pointcheval

Page 2: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Outline

• Notation and math. assumption
• Scheme 1

Page 3: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Notation and math. Assumption(1/9)

CR[n] problem: deciding $n$-th residuosity, i.e. distinguishing $n$-th residues from non $n$-th residues.

Page 4: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Notation and math. Assumption(2/9)

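Let $g \in \mathbb{Z}_{n^2}^*$ and let $\varepsilon_g : \mathbb{Z}_n \times \mathbb{Z}_n^* \to \mathbb{Z}_{n^2}^*$ be an integer-valued function defined by $\varepsilon_g(x, y) = g^x y^n \bmod n^2$.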

Page 5: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Notation and math. Assumption(3/9)

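Given base $g \in B$ and $w \in \mathbb{Z}_{n^2}^*$, we want to find $x \in \mathbb{Z}_n$ and $y \in \mathbb{Z}_n^*$ s.t. $\varepsilon_g(x, y) = g^x y^n \bmod n^2 = w$.

For $g \in B$ and $w \in \mathbb{Z}_{n^2}^*$, we call the $n$-th residuosity class of $w$ with respect to $g$ the unique integer $x \in \mathbb{Z}_n$ s.t. $\varepsilon_g(x, y) = w$ for some $y \in \mathbb{Z}_n^*$. The class of $w$ is denoted $[w]_g$.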

Page 6: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Notation and math. Assumption(4/9)

$[w]_g = 0 \iff w$ is an $n$-th residue modulo $n^2$.

$\forall w_1, w_2 \in \mathbb{Z}_{n^2}^*$: $[w_1 w_2]_g = [w_1]_g + [w_2]_g \bmod n$.

The class function $w \mapsto [w]_g$ is a homomorphism from $(\mathbb{Z}_{n^2}^*, \times)$ to $(\mathbb{Z}_n, +)$, $\forall g \in B$.

Page 7: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Notation and math. Assumption(5/9)

Class[n] problem: the $n$-th Residuosity Class Problem of base $g$.

• Computing the class function in base $g$: given $w \in \mathbb{Z}_{n^2}^*$, compute $[w]_g$.
• $[w]_g = x$, where $x$ is the smallest non-negative integer s.t. $\varepsilon_g(x, y) = g^x y^n \bmod n^2 = w$.
• Random-self-reducible problem: the bases $g$ are independent.

Page 8: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Notation and math. Assumption(6/9)

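The set $S_n = \{u < n^2 \mid u = 1 \bmod n\}$ is a multiplicative subgroup of the integers mod $n^2$ over which the function $L$ such that

$$\forall u \in S_n, \quad L(u) = \frac{u - 1}{n}$$

is clearly well-defined.

$$\forall w \in \mathbb{Z}_{n^2}^*, \quad L(w^\lambda \bmod n^2) = \lambda\,[w]_{1+n} \bmod n$$

$$[w]_g = \frac{L(w^\lambda \bmod n^2)}{L(g^\lambda \bmod n^2)} \bmod n$$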

Page 9: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Notation and math. Assumption(7/9)

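D-Class[n] problem: the decisional Class[n] problem. Given $w \in \mathbb{Z}_{n^2}^*$, $g \in B$, $x \in \mathbb{Z}_n$, decide whether $x = [w]_g$ or not.

Relations between the problems (here $A \Leftarrow B$ means that $A$ is polynomially reducible to $B$, and $\equiv$ means equivalent):

• $\mathrm{Class}[n] \Leftarrow \mathrm{Fact}[n]$
• $\mathrm{Class}[n] \Leftarrow \mathrm{RSA}[n, n]$
• $\mathrm{CR}[n] \equiv \text{D-Class}[n] \Leftarrow \mathrm{Class}[n]$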

Page 10: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Notation and math. Assumption(8/9)

• Fact[n]: the factorization of $n$.
• RSA[n]: $c = m^e \bmod n$; extracting $e$-th roots modulo $n$.
• CR[n]: deciding $n$-th residuosity.

Page 11: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Notation and math. Assumption(9/9)

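• Class[n]: computational composite residuosity class problem. Given $w \in \mathbb{Z}_{n^2}^*$ and $g \in B$, compute $[w]_g$.
• D-Class[n]: decisional Class[n] problem. Given $w \in \mathbb{Z}_{n^2}^*$, $g \in B$, $x \in \mathbb{Z}_n$, decide whether $x = [w]_g$ or not.

$$\mathrm{CR}[n] \equiv \text{D-Class}[n] \Leftarrow \mathrm{Class}[n] \Leftarrow \mathrm{RSA}[n, n] \Leftarrow \mathrm{Fact}[n]$$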

Page 12: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Notions of Security(1/3)

• Indistinguishability of encryption (IND)
• Non-malleability (NM): given the encryption of a plaintext x, the attacker cannot produce the encryption of a meaningfully related plaintext x’ (for example, x’ = x + 1).

Page 13: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Notions of Security(2/3)

• Chosen-plaintext attack (CPA)
• Non-adaptive chosen-ciphertext attack (CCA1)
• Adaptive chosen-ciphertext attack (CCA2)
• IND-CCA2 and NM-CCA2 are strictly equivalent notions.

Page 14: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Notions of Security(3/3)

Page 15: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Random Oracle Model

Hash functions are considered to be ideal, i.e. perfectly random.

From a security viewpoint, this gives the attacker additional access to the random oracles of the scheme.

Page 16: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Outline

• Notation and math. assumption
• Scheme 1

Page 17: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Scheme 1(1/4)

New probabilistic encryption scheme

• $n = pq$ and random base $g \in B$, s.t. $\gcd(L(g^\lambda \bmod n^2), n) = 1$
• $(n, g)$ as public parameters
• $(p, q)$ (or $\lambda$) as private pair

Page 18: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Scheme 1 (2/4)

$\forall u \in S_n$, $L(u) = \frac{u - 1}{n}$ is clearly well-defined.

Enc:
• plaintext $m < n$; random number $r < n$
• ciphertext $c = g^m r^n \bmod n^2$

Dec:
• ciphertext $c < n^2$
• plaintext $m = \frac{L(c^\lambda \bmod n^2)}{L(g^\lambda \bmod n^2)} \bmod n$

i.e. $c = \varepsilon_g(m, r)$ and $[c]_g = m$ (trapdoor function with $\lambda$ as the trapdoor secret); one-wayness iff Class[n] holds.

$$[w]_g = \frac{L(w^\lambda \bmod n^2)}{L(g^\lambda \bmod n^2)} \bmod n$$

Page 19: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Scheme 1 (3/4)

One-way function
• Given x, to compute f(x) = y is easy.
• Given y, to find x s.t. f(x) = y is hard.

One-way trapdoor
• f() is a one-way function.
• Given a secret s and given y, to find x s.t. f(x) = y is easy.

Trapdoor permutation
• f() is a one-way trapdoor.
• f() is bijective.

Page 20: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Scheme 1 (4/4)

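For example:

• $n = 5 \cdot 7 = 35$; $n^2 = 1225$
• $\varphi(n) = 4 \cdot 6 = 24$; $\lambda(n) = \mathrm{lcm}(4, 6) = 12$
• Take $g = 13$ s.t. $\gcd(L(13^{12} \bmod 1225), 35) = 1$
• Let $m = 23$, $r = 19$
• Enc: $c = 13^{23} \cdot 19^{35} \bmod 1225 = 53$
• Dec: $m = \frac{L(53^{12} \bmod 1225)}{L(13^{12} \bmod 1225)} \bmod 35 = \frac{24}{33} \bmod 35 = 24 \cdot 33^{-1} \bmod 35 = 23$

where $\forall u \in S_n$, $L(u) = \frac{u - 1}{n}$ is clearly well-defined.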
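The example above and the homomorphism of the class function from the notation slides, as a runnable sketch. This is an added example, not code from the slides or the papers; the function names and the second plaintext (30, with r = 4) are constructed for illustration.

```python
from math import gcd

def L(u, n):
    """L(u) = (u - 1) / n, defined on S_n = {u < n^2 : u = 1 mod n}."""
    if u % n != 1:
        raise ValueError("u is not in S_n")
    return (u - 1) // n

def keygen(p, q, g):
    """Return ((n, g), lambda) after checking gcd(L(g^lambda mod n^2), n) = 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lambda(n) = lcm(p-1, q-1)
    if gcd(g, n) != 1 or gcd(L(pow(g, lam, n * n), n), n) != 1:
        raise ValueError("g is not a usable base")
    return (n, g), lam

def encrypt(pub, m, r):
    """c = g^m * r^n mod n^2 with m in Z_n and r in Z_n^*."""
    n, g = pub
    if not (0 <= m < n and 0 < r < n and gcd(r, n) == 1):
        raise ValueError("need m in Z_n and r in Z_n^*")
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)

def residuosity_class(pub, lam, w):
    """[w]_g = L(w^lambda mod n^2) / L(g^lambda mod n^2) mod n (this is Dec)."""
    n, g = pub
    num = L(pow(w, lam, n * n), n)
    den = L(pow(g, lam, n * n), n)
    return num * pow(den, -1, n) % n

def demo():
    pub, lam = keygen(5, 7, 13)                 # the slide's n = 35, g = 13
    c = encrypt(pub, 23, 19)                    # the slide's m = 23, r = 19
    c_other_r = encrypt(pub, 23, 4)             # constructed: same m, r = 4
    c2 = encrypt(pub, 30, 4)                    # constructed: m = 30
    return {
        "c": c,
        "dec": residuosity_class(pub, lam, c),
        "same_class": residuosity_class(pub, lam, c_other_r),
        "sum_class": residuosity_class(pub, lam, c * c2 % (pub[0] ** 2)),
    }

if __name__ == "__main__":
    print(demo())
```

The `sum_class` entry is the class of a product of two ciphertexts, which equals the sum of the two plaintexts mod n; this is the malleability that the second half of the talk sets out to remove.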

Page 21: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Security Analysis(1/21)

Against an adaptive chosen-ciphertext attack (IND-CCA2).

In this scenario, the adversary makes queries of her choice to a decryption oracle during two stages.

Page 22: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Security Analysis(2/21)

The first stage, the find stage:
• The attacker chooses two messages.
• She requests the encryption oracle to encrypt one of them.
• The encryption oracle makes the secret choice of which one.

Page 23: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Security Analysis(3/21)

The second stage, the guess stage:
• The attacker queries the decryption oracle with ciphertexts of her choice.
• Finally, she tells her guess about the choice the encryption oracle made.

Page 24: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Security Analysis(4/21)

Random oracle
• A $t$-bit random number
• Two hash functions $G, H : \{0,1\}^* \to \{0,1\}^{|n|}$

Page 25: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Security Analysis(5/21)

Provided $t = \Omega(|n|^\delta)$ for $\delta > 0$, Scheme 1 is semantically secure against adaptive chosen-ciphertext attacks (IND-CCA2) under the Decision Composite Residuosity assumption (D-Class assumption) in the random oracle model.

D-Class[n]: decisional Class[n] problem. Given $w \in \mathbb{Z}_{n^2}^*$, $g \in B$, $x \in \mathbb{Z}_n$, decide whether $x = [w]_g$ or not.

Page 26: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Security Analysis(6/21)

An adversary $A = (A_1, A_2)$ against the semantic security of Scheme 1:
• $A_1$: the find stage
• $A_2$: the guess stage

This adversary is used to efficiently decide $n$-th residuosity classes.

Page 27: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Security Analysis(7/21)

• Oracle G: indistinguishability of encryption
• Oracle H: adaptive attack

Page 28: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Security Analysis(8/21)

Simulation of the Decryption Oracle
• The attacker asks for a ciphertext c to be decrypted.
• The simulator checks the query history of the random oracle H.
• If some entry leads to the ciphertext c, it returns m; otherwise, it returns “failure”.

Page 29: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Security Analysis(9/21)

Quasi-perfect simulation

The probability of producing a valid ciphertext without asking the query $(m, r)$ to the random oracle H (whose answer $a$ has to satisfy the test $a^n = z \bmod n$) is upper bounded by $1/\varphi(n) \le 2/n$, which is clearly negligible.

Page 30: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Security Analysis(10/21)

Initialization
• $n = pq$, $g \in \mathbb{Z}_{n^2}^*$
• Public: $n$, $g$
• Private: $\lambda$

Page 31: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Security Analysis(11/21)

Encryption
• Plaintext: $m < 2^{|n| - t - 1}$
• Randomly select $r < 2^t$
• $z = H(m, r)^n \bmod n^2$
• $M = m \| r + G(z \bmod n) \bmod n$
• Ciphertext: $c = g^M z \bmod n^2$

Page 32: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Security Analysis(12/21)

Decryption
• Ciphertext: $c = g^M z \bmod n^2 \in \mathbb{Z}_{n^2}^*$
• $M = [L(c^\lambda \bmod n^2) / L(g^\lambda \bmod n^2)] \bmod n$
• $z' = g^{-M} c \bmod n$
• $m' \| r' = M - G(z') \bmod n$
• If $H(m', r')^n = z' \bmod n$, then the plaintext is $m'$. Otherwise, output “failure”.
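The encryption and decryption steps above, run against the x’ = x + 1 manipulation named on the non-malleability slide. This is an added example, not code from the slides or the papers. Assumptions: the primes 1009 and 1013 and t = 8 are constructed toy values, SHA-256 reduced mod n stands in for the random oracles G and H, and all function names are hypothetical.

```python
import hashlib
from math import gcd

P, Q, T = 1009, 1013, 8                   # constructed toy primes; t = 8 bits of r
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)
M_BITS = N.bit_length() - T - 1           # plaintext m < 2^(|n| - t - 1)

def L(u):
    return (u - 1) // N

# Smallest base g with gcd(L(g^lambda mod n^2), n) = 1 (the slides pick g at random).
G_BASE = next(g for g in range(2, N)
              if gcd(g, N) == 1 and gcd(L(pow(g, LAM, N2)), N) == 1)

def _oracle(tag, *vals):
    data = tag + b"|".join(str(v).encode() for v in vals)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def H(m, r):
    h = _oracle(b"H:", m, r)
    while gcd(h, N) != 1:                 # keep H(m, r) invertible mod n
        h += 1
    return h

def G(z):
    return _oracle(b"G:", z)

def class_of(c):
    """[c]_g, i.e. the plain Scheme 1 decryption without any validity test."""
    return L(pow(c, LAM, N2)) * pow(L(pow(G_BASE, LAM, N2)), -1, N) % N

def encrypt(m, r):
    if not (0 <= m < 2 ** M_BITS and 0 <= r < 2 ** T):
        raise ValueError("m or r out of range")
    z = pow(H(m, r), N, N2)
    M = ((m << T | r) + G(z % N)) % N     # M = m||r + G(z mod n) mod n
    return pow(G_BASE, M, N2) * z % N2

def decrypt(c):
    """Return m, or None for the slides' "failure" output."""
    M = class_of(c)
    z1 = pow(G_BASE, -M, N) * c % N
    mr = (M - G(z1)) % N
    m1, r1 = mr >> T, mr & (2 ** T - 1)
    return m1 if pow(H(m1, r1), N, N) == z1 else None

def shift_by_one(c):
    """Multiply by g: the class of the result is [c]_g + 1 mod n."""
    return c * G_BASE % N2
```

Without the H test, `shift_by_one` moves the recovered value M by exactly one; with it, the shifted ciphertext no longer matches any H(m’, r’) and `decrypt` reports failure.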

Page 33: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Security Analysis(13/21)

• Attacker A is used to design a distinguisher B for $n$-th residuosity classes.
• $(w, \alpha)$ is an instance of the D-Class problem, where $\alpha$ is the $n$-th residuosity class of $w$.
• D-Class[n]: decisional Class[n] problem. Given $w \in \mathbb{Z}_{n^2}^*$, $g \in B$, $\alpha \in \mathbb{Z}_n$, decide whether $\alpha = [w]_g$ or not.

Page 34: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Security Analysis(14/21)

Distinguisher B (1/2)
• Randomly choose $u \in \mathbb{Z}_n$, $v \in \mathbb{Z}_n^*$, $0 \le r < 2^t$.
• Compute the following:
  $z = w g^{-\alpha} v^n \bmod n$
  $c = w g^u v^n \bmod n^2$
• Run $A_1$ and get two messages $m_0, m_1$.

Page 35: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Security Analysis(15/21)

Distinguisher B (2/2)
• Choose a bit $b$.
• Run $A_2$ on the ciphertext $c$, supposed to be the ciphertext of $m_b$, using the random $r$.

Page 36: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Security Analysis(16/21)

Shut this game down

• If $z$ is asked to the oracle G, shut this game down and B returns 1. This event will be denoted by AskG.
• If $(m_0, r)$ or $(m_1, r)$ is asked to the oracle H, shut this game down and B returns 0. This event will be denoted by AskH.
• In any other case, B returns 0 when $A_2$ ends.

Page 37: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Security Analysis(17/21)

• One of the events AskG or AskH is likely to happen, in which case B terminates the game.
• Due to the random choice of $r$, $\Pr[\mathrm{AskH}] = O(q_H / 2^t)$ in any case, where $q_H$ = #(queries asked to the oracle H) and $0 \le r < 2^t$.
• G and H are seen as random oracles, so the attacker has no chance to correctly guess $b$ during a real attack.

Page 38: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Security Analysis(18/21)

In the $\alpha = [w]_g$ case: if none of the events AskG or AskH occur, then $\mathrm{Adv}^A \le \Pr[\mathrm{AskG} \lor \mathrm{AskH} \mid [w]_g = \alpha]$.

Page 39: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Security Analysis(19/21)

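In the $\alpha \ne [w]_g$ case: $z$ is perfectly random (independent of $c$), then $\Pr[\mathrm{AskG}] \le q_G / \varphi(n)$, where $q_G$ = #(queries asked to the oracle G) and $u \in \mathbb{Z}_n$, $v \in \mathbb{Z}_n^*$, $z = w g^{-\alpha} v^n \bmod n$.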

Page 40: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Security Analysis(20/21)

• The advantage of distinguisher B in deciding the nth residuosity classes:

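$$
\begin{aligned}
\mathrm{Adv}^B &= \Pr[1 \mid [w]_g = \alpha] - \Pr[1 \mid [w]_g \ne \alpha] \\
&= \Pr[\mathrm{AskG} \mid [w]_g = \alpha] - \Pr[\mathrm{AskG} \mid [w]_g \ne \alpha] \\
&\ge \Pr[\mathrm{AskG} \lor \mathrm{AskH} \mid [w]_g = \alpha] - \Pr[\mathrm{AskH} \mid [w]_g = \alpha] - \Pr[\mathrm{AskG} \mid [w]_g \ne \alpha] \\
&\ge \mathrm{Adv}^A - \frac{q_H}{2^t} - \frac{q_G}{\varphi(n)} \\
&\ge \mathrm{Adv}^A - \frac{q_H}{2^t} - \frac{2 q_G}{n}
\end{aligned}
$$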

Page 41: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Security Analysis(21/21)

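• Reduction cost: if there exists an active attacker A against semantic security, one can decide $n$-th residuosity classes with an advantage greater than

$$\left(\mathrm{Adv}^A - \frac{2 q_G}{n} - \frac{q_H}{2^t}\right)\left(1 - \frac{2}{n}\right)^{q_D} \ge \mathrm{Adv}^A - \frac{2 (q_D + q_G)}{n} - \frac{q_H}{2^t}$$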