Cryptography in Subgroups of $\mathbb{Z}_n^*$
Jens Groth, UCLA

RSA subgroup
$n = pq = (2p'r_p+1)(2q'r_q+1)$
$G \le \mathbb{Z}_n^*$, $|G| = p'q'$
RSA subgroup pair: $(n, g)$ where $g \leftarrow G$
$|p'| = |q'| = 100$

Agenda
• RSA subgroup
• Strong RSA subgroup assumption
• Homomorphic integer commitment
• Digital signature
• Digital signature II
• Decisional RSA subgroup assumption
• Homomorphic cryptosystem

Strong RSA subgroup assumption
$K$ generates RSA subgroup pair $(n, g)$: $n = pq = (2p'r_p+1)(2q'r_q+1)$, $g \leftarrow G$
Strong RSA subgroup assumption for $K$: hard to find $u, w \in \mathbb{Z}_n^*$ and $e, d > 1$ such that $g = uw^e$ and $u^d = 1 \pmod{n}$

Homomorphic integer commitment
Public key: $n, g, h$, where $g, h \leftarrow G$
Commit to $m$: $c = g^m h^r$ (small randomizer)
Verify opening $(u, e>1, r)$ of $c$ with message $m$: $c = u g^m h^r$ and $u^e = 1$
Homomorphic: $(Uu) g^{M+m} h^{R+r} = U g^M h^R \cdot u g^m h^r$ and $(Uu)^{Ee} = 1$
Root extraction: Adversary $c$, $e \neq 0$, opening $c^e$ allows us to open $c$

Signature
Public key: $n, a, g, h$, where $a, g, h \leftarrow G$
Secret key: $p'q'$
Sign $m \in \{0,1\}^l$:
$e \leftarrow \mathrm{prime}(\{0,1\}^{l+1})$
$r \leftarrow \{0, \ldots, e-1\}$
$y = (a g^m h^r)^{e^{-1} \bmod p'q'}$
Verify signature $(y, e, r)$ on $m$: $y^e = a g^m h^r$
Speedup: Use $e^t$, $t > 1$, allowing smaller prime $e$

Signature II
Public key: $n, a, g$, where $a, g \leftarrow G$
Secret key: $p'q'$
Sign $m \in \{0,1\}^l$:
$e \leftarrow \mathrm{prime}(\{0,1\}^{l+1})$
$y = (a g^m)^{e^{-1} \bmod p'q'}$
Verify signature $(y, e)$ on $m$: $y^e = a g^m$
Theorem: Secure against adaptive chosen message attack

Proof
Adversary adaptively queries $m_1, \ldots, m_k$ and receives signatures $(y_1, e_1), \ldots, (y_k, e_k)$ and forges signature $(y, e)$ on $m$
Two cases:
I: $e$ is new
II: $e = e_i$

Proof: $e$ is new
(n, ) RSA subgroup pair
$e_1, \ldots, e_k \leftarrow \mathrm{prime}(\{0,1\}^{l+1})$, E = ei = r , a = E, g = E
Simulated public key: $n, a, g$
On query $m_i$ answer $(y_i, e_i)$, where yi = E/eimE/ei
Forged signature $(y, e)$ on $m$ so $y^e = a g^m$ = E(r+m) breaks strong RSA subgroup assumption

Proof: $e = e_i$
(n, ) RSA subgroup pair
Guess $i$
$e_1, \ldots, e_k \leftarrow \mathrm{prime}(\{0,1\}^{l+1})$, E = j≠iej, a = rE , g = E
On query $m_i$ hope to find $(l+1)$-bit prime factor $e_i$ of $r + m_i$. Significant probability since $r = s p'q' + t$.
Return yi = E(r+mi)/ei.
Forged signature $(y, e_i)$ on $m$ so $y^{e_i} = a g^m$ = E(r+m) breaks strong RSA subgroup assumption

Decisional RSA subgroup assumption
$K$ generates RSA subgroup pair $(n, g)$: $n = pq = (2p'r_p+1)(2q'r_q+1)$, $g \leftarrow G$ with $r_p r_q$ $B$-smooth
$|p'| = |q'| = 160$, $B = 2^{15}$
Decisional RSA subgroup assumption for $K$: hard to distinguish $G$ and $QR_n$

Homomorphic cryptosystem
Public key: $n, g, h$, where $h \leftarrow G$, $g \leftarrow QR_n$
Secret key: $p'q'$, factorization of $\mathrm{ord}(g)$
Encrypt $m$: $c = \pm g^m h^r$
Decrypt $c$: $c^{p'q'} = \pm (g^m h^r)^{p'q'} = \pm (g^{p'q'})^m$
$r_g = \mathrm{ord}(g^{p'q'})$ is $B$-smooth
For all $p_i \mid r_g$ find $m \bmod p_i$ by searching for $m_i$ so $(c^{p'q'})^{r_g/p_i} = \pm (g^{p'q' r_g/p_i})^{m_i}$
Chinese remainder: $m \bmod r_g$

Properties of cryptosystem
Homomorphic: $\pm g^{M+m} h^{R+r} = (\pm g^M h^R)(\pm g^m h^r)$
Root extraction: Adversary $c$, $e \neq 0$, opening $c^e$ allows us to open $c$
Low expansion rate: $|c|/|m|$
Homomorphic integer commitment

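The decryption procedure from the "Homomorphic cryptosystem" slide and the homomorphic property from the "Properties of cryptosystem" slide, as an added Python example that is not from the talk. The parameters (p' = 11, q' = 17, r_p = 15, r_q = 7), the deterministic key search and all function names are constructed for illustration, and the modulus is far too small to be secure.

```python
# Toy parameters constructed for this example; far too small to be secure
# (the slides use |p'| = |q'| = 160 and B = 2^15).
P1, Q1 = 11, 17                      # p', q'
RP, RQ = 3 * 5, 7                    # r_p, r_q: odd, squarefree, B-smooth
N = (2 * P1 * RP + 1) * (2 * Q1 * RQ + 1)   # n = pq = 331 * 239
ORDER_G = P1 * Q1                    # |G| = p'q', part of the secret key
SMALL_PRIMES = [3, 5, 7]             # secret: the primes p_i dividing r_g
R_G = RP * RQ                        # r_g = ord(g^{p'q'}) = 105 for the g below

def keygen():
    """Find g in QR_n with ord(g^{p'q'}) = r_p*r_q and h generating G."""
    g = h = None
    for x in range(2, 200):
        sq = pow(x, 2, N)
        gp = pow(sq, ORDER_G, N)
        if g is None and all(pow(gp, R_G // p, N) != 1 for p in SMALL_PRIMES):
            g = sq
        cand = pow(sq, R_G, N)       # removing the r_p*r_q part lands in G
        if h is None and pow(cand, P1, N) != 1 and pow(cand, Q1, N) != 1:
            h = cand
        if g is not None and h is not None:
            return g, h
    raise ValueError("no suitable g, h found")

def encrypt(g, h, m, r, sign=1):
    """c = +/- g^m h^r mod n; r is the randomizer."""
    return sign * pow(g, m, N) * pow(h, r, N) % N

def crt(residues, moduli):
    """Combine m mod p_i into m mod prod(p_i)."""
    m, mod = 0, 1
    for a, p in zip(residues, moduli):
        m += mod * ((a - m) * pow(mod, -1, p) % p)
        mod *= p
    return m

def decrypt(g, c):
    """Recover m mod r_g: raise to p'q', search per prime p_i, then CRT."""
    cp = pow(c, ORDER_G, N)          # h^r vanishes: c^{p'q'} = +/-(g^{p'q'})^m
    gp = pow(g, ORDER_G, N)
    residues = []
    for p in SMALL_PRIMES:
        target = pow(cp, R_G // p, N)
        base = pow(gp, R_G // p, N)  # element of order exactly p
        residues.append(next(mi for mi in range(p)
                             if pow(base, mi, N) in (target, N - target)))
    return crt(residues, SMALL_PRIMES)
```

The per-prime search costs at most p_i steps, which is why r_g must be B-smooth for decryption to be feasible.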
Conclusion
• RSA subgroup
  - strong RSA subgroup assumption
  - decisional RSA subgroup assumption
• Signature $y^e = a g^m h^r$, speedup
• Signature II $y^e = a g^m$, secure against CMA
• Homomorphic integer commitment $g^m h^r$, speedup
• Homomorphic cryptosystem $g^m h^r$