
Dr. Tsuyoshi Takagi Darmstadt University of Technology

An IND-CCA2 Public-Key Cryptosystem with Fast Decryption using Quadratic Fields - NICE-X Cryptosystem -. Dr. Tsuyoshi Takagi Darmstadt University of Technology (joint work with Prof. Buchmann and Prof. Sakurai). RSA Cryptosystem ’78. de facto standard of public-key cryptosystems.


Presentation Transcript


  1. An IND-CCA2 Public-Key Cryptosystem with Fast Decryption using Quadratic Fields - NICE-X Cryptosystem -
     Dr. Tsuyoshi Takagi, Darmstadt University of Technology (joint work with Prof. Buchmann and Prof. Sakurai)
     ICISC 2001

  2. RSA Cryptosystem '78: de facto standard of public-key cryptosystems
     • p, q: primes, $n = pq$, $L = \mathrm{LCM}(p-1, q-1)$, $ed \equiv 1 \bmod L$.
     • e, n: public key; d: secret key (factoring, n: 1024 bits).
     • M: message, $M \in \{0, 1, 2, \dots, n-1\}$.
     • Encryption: $C \equiv M^e \bmod n$. e: small ($2^{16}+1$), FAST.
     • Decryption: $M \equiv C^d \bmod n$. d: large ($d > n^{1/2}$), SLOW, cubic complexity, $O((\log n)^3)$.

  3. For the sake of high security, a secret key is stored on a smart card (tamper-free) and the decryption computation is carried out on it. A special coprocessor is required for computing the decryption function on a smart card, which is very expensive. Currently no public-key cryptosystems are used for a large-scale market, such as cash cards or SIM cards for mobile phones. Fast decryption is desired.

  4. NICE cryptosystem (Paulus, Takagi '00)
     • NICE cryptosystem is constructed over class groups of quadratic discriminants Cl(D).
     • The security of NICE is based on factoring problems.
     • Decryption time is of quadratic complexity $O((\log D)^2)$. The decryption time is fast even for large keys.

     | | 1024 bits | 1536 bits | 2048 bits |
     |---|---|---|---|
     | RSA encryption | 1.1 ms | 3.2 ms | 4.3 ms |
     | RSA decryption | 118.6 ms | 370.6 ms | 798.5 ms |
     | RSA (CRT) | 36.4 ms | 111.5 ms | 235.2 ms |
     | NICE encryption | 962.0 ms | 2654.7 ms | 5661.0 ms |
     | NICE decryption | 1.7 ms | 2.9 ms | 4.3 ms |

     Average on 100 random keys, Celeron 500 MHz, LiDIA library, $e = 2^{16}+1$.

  5. Efficiency of quadratic complexity
     [Plot: time (ms) against key size (bits), comparing cubic complexity $O((\log n)^3)$ with quadratic complexity $O((\log D)^2)$.]
     The decryption of NICE is fast even for large keys: 1.7 ms for 1024-bit public keys, 4.3 ms for 2048-bit public keys.

  6. Key generation
     Secret keys: p, q (p, q: primes).
     Public keys: (1) discriminant $D = -pq^2$, (2) kernel element $P \in \mathrm{Ker}(\mathrm{GoToMaxOrder})$.
     Cl(D): the class group of quadratic discriminant D. An element of Cl(D) is represented by two integers (a,b), where $b^2 \equiv D \bmod 4a$, $0 < a < (|D|/3)^{1/2}$.
     GoToMaxOrder: Cl(D) ⇒ Cl(-p), Inverse: Cl(-p) ⇒ Cl(D).
     Ker(GoToMaxOrder) is cyclic, #Ker(GoToMaxOrder) = q±1.
     $P^r$, $r \in \{0, 1, \dots, q\}$, is random in Ker.
     [Diagram: Cl(D), public, with elements P, (a,b), (a',b'); Cl(-p), secret, with elements (A,B), (1,1); arrows labelled GoToMaxOrder and Inverse.]

  7. Encryption and Decryption
     Encryption:
     (1) M: message ideal ∈ Cl(D) with M = (a,b), $a < (p/4)^{1/2}$,
     (2) r: random integer ∈ {0, 1, 2, …, q-1},
     (3) $C = MP^r \in Cl(D)$.
     Correctness:
     (1) $\mathrm{GoToMaxOrder}(C) = \mathrm{GoToMaxOrder}(MP^r) = \mathrm{GoToMaxOrder}(M)\,\mathrm{GoToMaxOrder}(P^r) = \mathrm{GoToMaxOrder}(M)$,
     (2) Inverse(GoToMaxOrder(M)) = M for M = (a,b), $a < (p/4)^{1/2}$.
     Decryption:
     (1) K = GoToMaxOrder(C),
     (2) M = Inverse(K).
     [Diagram: encryption takes M, with norm below $(p/4)^{1/2}$, to $C = MP^r$ inside Cl(D); decryption passes through K in Cl(-p).]

  8. Why quadratic complexity $O((\log D)^2)$? Decryption = GoToMaxOrder + Inverse
     GoToMaxOrder: Input: (a,b) of Cl(D), Output: (A,B) of Cl(-p)
       1. A = a;
       2. x ≡ 1/q mod a;
       3. B ≡ x b mod 2a;
       4. (A,B) = Reduction(A,B);
       5. Return (A,B)
     Inverse: Input: (A,B) of Cl(-p), Output: (a,b) of Cl(D)
       1. a = A;
       2. b ≡ Bq mod 2a;
       3. Return (a,b)
     Modular inverse: $O((\log D)^2)$. Modular multiplication: $O((\log D)^2)$. Reduction: $O((\log D)^2)$ by [BB98].
     Reduction: Input: primitive ideal (a,b), discriminant D. Output: reduced ideal (a,b)
       1. $c = (D - b^2)/4a$;
       2. While (-a < b ≤ a < c) or (0 ≤ b ≤ a = c) do
          2.1 find s, t such that -a ≤ t = b + 2sa < a;
          2.2 (a,b,c) = (c - s(b+t)/2, t, a);
       3. If a = c and b < 0 then b = -b;
       4. Return (a,b)

  9. Number-theoretic problems
     (1) QFDLP: quadratic field discrete logarithm problem - for G, A ∈ Cl(D), solving the discrete logarithm x s.t. $G^x = A$.
     (2) FP: factoring $D = -pq^2$.
     (3) SKEP: the smallest kernel-equivalent problem - for A ∈ Cl(D), computing the ideal I s.t. N(I) is the smallest and GoToMaxOrder(A) = GoToMaxOrder(I).
     (4) DKP: decisional kernel problem.
     Theorem: QFDLP => FP => SKEP => DKP

  10. Security Results for NICE
     (1) The one-wayness of the NICE cryptosystem is as hard as solving the SKEP.
     (2) The semantic security of the NICE cryptosystem is as hard as solving the DKP.
     [Diagram: one-wayness adversary; labels: m: the messages, d: secret key, E(m): ciphertexts, e: public key.]

  11. Semantically Secure
     (1) Algorithm A1, on input pk, finds two messages $m_0$, $m_1$ (find stage).
     (2) Algorithm A2, on input $m_0$, $m_1$, $c = E(m_b)$, guesses b (guess stage).
     [Diagram: A1 takes the public key e and outputs messages $m_0$, $m_1$; encryption with a random b gives $c = E(m_b)$, the ciphertext of $m_0$ or $m_1$; A2 outputs b.]

  12. Chosen Ciphertext Attack
     [Diagram: a ciphertext C goes to the decryption oracle, which holds p, q and returns the decryption of C.]
     In 1999, Jaulmes and Joux proposed a CCA against NICE.
     Fact: an ideal I s.t. $N(I) < |D|^{1/2}$ is reduced or reduced after one reduction.
     (1) Choose two ideals $A_1$, $A_2$ s.t. $2^{(k-2)/2} < N(A_i) < 2^{(k-1)/2}$, where k is the bit-length of p.
     (2) Submit the ideal $A_i$ to the decryption oracle, and obtain the ideal $B_i$ for i = 1, 2. Let $A_1 = (a_1, b_1)$, $A_2 = (a_2, b_2)$, $B_1 = (c_1, d_1)$, $B_2 = (c_2, d_2)$; then we have the relations $c_1 = (x_1^2 + p)/4$ and $c_2 = (x_2^2 + p)/4$, where $x_1$, $x_2$ are unknown.
     (3) Solve $(x_2 - x_1)(x_2 + x_1) = 4(c_2 - c_1)$, and find p.

  13. NICE-X Cryptosystem
     (1) The NICE-X cryptosystem is Semantically Secure against Chosen Ciphertext Attack (IND-CCA2) in the random oracle model under the SKEP.
     (2) The NICE-X cryptosystem inherits the fast decryption. Its overhead from NICE is only the computation of hash functions.

  14. NICE-X Cryptosystem
     Hash functions: $g: \mathrm{Ker} \to \{0,1\}^{k_1}$, $h: \{0,1\}^{k_1} \times \mathrm{Ker} \to \{0,1\}^{k_2}$.
     Encryption:
     • R: random ideal ∈ Cl(D) with R = (a,b), R ∈ SI(D),
     • Q: random ideal ∈ Kernel(D),
     • C = RQ, B = m xor g(Q), H = h(m,Q).
     (C,B,H) is the ciphertext of a message $m \in \{0,1\}^{k_1}$.
     Decryption:
     • R = Inverse(GoToMaxOrder(C)),
     • Check R ∈ SI(D),
     • $Q = C R^{-1}$,
     • m = B xor g(Q),
     • Check H = h(m,Q); if not, reject.
     Semantically Secure against Chosen Ciphertext Attack (IND-CCA2).

  15. Encryption of NICE-X
     D: public key (quadratic discriminant).
     SI(D), Kernel(D): special subsets of class group Cl(D).
     g, h: one-way hash functions.
     [Diagram: a random R in SI(D), a random Q in Kernel(D) and the message m are combined into C = RQ, B = m + g(Q), H = h(m,Q).]
     SKEP = to compute R, Q for a given C.

  16. Decryption of NICE-X
     Ciphertext (C,B,H) = (RQ, m+g(Q), h(m,Q)).
     [Diagram: the secret key recovers R and Q from C; g(Q) is combined with B to give the message m; H' = h(m,Q) is computed.]
     Check R in SI(D). If not, reject.
     Check H' = H. If not, reject.

  17. NICE-X is IND-CCA2 under SKEP
     Let A be a CCA adversary of the NICE-X cryptosystem with advantage ε, with time t, $q_G$ queries to the hash function G, $q_H$ queries to the hash function H, $q_D$ queries to the decryption oracle D. Then there is an algorithm for solving SKEP with at least $(\varepsilon/2)(1 - q_D/2^{k_2})$, time at most $t + (q_H + q_G)k + (q_H + q_G)T_E$, where $T_E$ is the encryption time of the NICE-X cryptosystem, in the random oracle model.
     Point: we can check Q is random mask of C by $N(CQ^{-1}) < 2^{k/2}$.

  18. References
     You can download them from the following homepage: http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/ttakagi.html
     (1) S. Paulus, T. Takagi, "A New Public-key Cryptosystem over the Quadratic Order with Quadratic Decryption Time", Journal of Cryptology, 13, pp. 263-272, 2000.
     (2) M. Hartmann, S. Paulus, T. Takagi, "NICE - New Ideal Coset Encryption -", Workshop on Cryptographic Hardware and Embedded Systems (CHES), LNCS 1717, pp. 328-339, 1999.
     (3) J. Buchmann, K. Sakurai, T. Takagi, "An IND-CCA2 Public-Key Cryptosystem with Fast Decryption", 4th International Conference on Information Security and Cryptology, ICISC'01, LNCS 2288, pp. 51-71, 2002.
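
The decryption path of slides 7 and 8 (GoToMaxOrder, Reduction, Inverse) on toy parameters, as an added Python example that is not from the slides or the authors' LiDIA code. Assumptions: constructed primes p = 103 and q = 7, the textbook reduction of positive definite forms with c = (b^2 - D)/(4a) rather than a transcription of the slide's step list, the inverse of q taken mod 2a so that B keeps the right parity, and a hypothetical helper `coset_element` that uses the secret key to build elements of the coset M·Ker(GoToMaxOrder) without implementing ideal multiplication.

```python
from math import gcd

# Constructed toy parameters (far too small for real use); p ≡ 3 (mod 4).
P_SECRET, Q_SECRET = 103, 7
D_MAX = -P_SECRET                  # discriminant of the maximal order, Cl(-p)
D_PUB = -P_SECRET * Q_SECRET ** 2  # public discriminant D = -p q^2 = -5047

def reduce_form(a, b, D):
    """Textbook reduction of a positive definite form: -a < b <= a <= c."""
    while True:
        b %= 2 * a                 # normalise b into (-a, a]
        if b > a:
            b -= 2 * a
        c = (b * b - D) // (4 * a)
        if a > c:
            a, b = c, -b           # swap outer coefficients, then renormalise
        else:
            return (a, -b) if (a == c and b < 0) else (a, b)

def go_to_max_order(a, b, q=Q_SECRET):
    """Cl(D) -> Cl(-p): A = a, B = b/q mod 2a, then reduce."""
    if gcd(a, q) != 1:
        raise ValueError("norm must be coprime to q")
    x = pow(q, -1, 2 * a)          # inverse mod 2a so that B^2 ≡ -p (mod 4a)
    return reduce_form(a, x * b % (2 * a), D_MAX)

def inverse(A, B, q=Q_SECRET):
    """Cl(-p) -> Cl(D): a = A, b = B q mod 2a, normalised into (-a, a]."""
    b = B * q % (2 * A)
    return (A, b - 2 * A if b > A else b)

def decrypt(C):
    """NICE decryption: M = Inverse(GoToMaxOrder(C))."""
    return inverse(*go_to_max_order(*C))

def coset_element(M, s):
    """Hypothetical helper: an element of M*Ker, built with the secret key."""
    A, B = go_to_max_order(*M)
    c = (B * B - D_MAX) // (4 * A)
    # Equivalent form in Cl(-p) with leading coefficient f(1, s).
    A2, B2 = A + B * s + c * s * s, B + 2 * c * s
    if gcd(A2, Q_SECRET) != 1:
        raise ValueError("pick another s: norm shares a factor with q")
    # Pull back to Cl(D) with the Inverse map, then reduce there.
    return reduce_form(A2, B2 * Q_SECRET % (2 * A2), D_PUB)

if __name__ == "__main__":
    for s in (1, 2):               # message (4, 3): a = 4 < (p/4)^(1/2) ≈ 5.07
        C = coset_element((4, 3), s)
        print(s, C, decrypt(C))
```

The two constructed ciphertexts (8, -3) and (26, 19) are distinct reduced forms in Cl(D), yet both decrypt to the message (4, 3) because they differ from it only by a kernel element.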
