
Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. [Published in J. Stern, Ed., Advances in Cryptology - EUROCRYPT'99, vol. 1592 of Lecture Notes in Computer Science, pp. 223-238, Springer-Verlag, 1999.] Author: Pascal Paillier. Presenter: 廖俊威.


Presentation Transcript


  1. Public-Key Cryptosystems Based on Composite Degree Residuosity Classes [Published in J. Stern, Ed., Advances in Cryptology- EUROCRYPT'99, vol. 1592 of Lecture Notes in Computer Science, pp. 223-238, Springer-Verlag, 1999.] Author: Pascal Paillier Presenter: 廖俊威

  2. Outline • Introduction • Notation and math. assumption • Scheme 1 • Scheme 2 • Scheme 3 • Properties • Conclusion

  3. Introduction(1/2) • Two main trapdoor techniques • RSA • Diffie-Hellman • A new technique is proposed • Composite Residuosity • A new computational problem is proposed • Composite Residuosity Class Problem

  4. Introduction(2/2) • Proposes three homomorphic encryption schemes built on the above assumption, including a new trapdoor permutation • They satisfy semantic security; however, the author gives no proof.

  5. Notation and math. assumption (1/10) • p, q are two large primes. • $n = pq$ [ex: 35 = 5*7] • Euler phi-function: $\psi(n) = (p-1)(q-1)$ [= 4*6 = 24] • Carmichael function: $\lambda(n) = \mathrm{lcm}(p-1, q-1)$ [$\lambda(35) = \mathrm{lcm}(4,6) = 12$] • $|\mathbb{Z}_{n^2}^*| = \psi(n^2) = n\psi(n)$ [$= n^2(1-1/p)(1-1/q)$] • For any $w \in \mathbb{Z}_{n^2}^*$: • $w^{\lambda} = 1 \bmod n$ [$6^{12} \bmod 35 = 1$] • $w^{n\lambda} = 1 \bmod n$ [$6^{35 \cdot 12} \bmod 35 = 1$]

  6. Notation and math. assumption (2/10) • RSA[n,e] problem • Extracting e-th roots modulo n, where $n = pq$ • n-th residue modulo $n^2$ • A number z is an n-th residue modulo $n^2$ if there exists a number $y \in \mathbb{Z}_{n^2}^*$ such that $z = y^n \bmod n^2$ • CR[n] problem • deciding n-th residuosity • Like the problems of deciding quadratic or higher degree residuosity, CR[n] is a random-self-reducible problem. • All of its instances are polynomially equivalent. • There exists no polynomial time distinguisher for n-th residues modulo $n^2$, i.e. CR[n] is intractable.

  7. Notation and math. assumption (3/10)

  8. Notation and math. assumption (4/10) • if order(g) = kn, where k is a nonzero multiple of n, then $\varepsilon_g$ is bijective. • The domain and co-domain have the same order $n\psi(n)$, and the function is 1-to-1.

  9. Notation and math. assumption (5/10)

  10. Notation and math. assumption (6/10) • Class[n,g] problem • computing the class function in base g. • given $w \in \mathbb{Z}_{n^2}^*$, compute $[w]_g$ • random-self-reducible problem • independent of the choice of base g

  11. Notation and math. assumption (7/10) • Class[n] problem • composite residuosity class problem • given $w \in \mathbb{Z}_{n^2}^*$, $g \in B$, compute $[w]_g$ • Class[n] Fact[n]

  12. Notation and math. assumption (8/10)

  13. Notation and math. assumption (9/10) • Class[n] RSA[n,n] • D-Class[n] problem • decisional Class[n] problem • given $w \in \mathbb{Z}_{n^2}^*$, $g \in B$, $x \in \mathbb{Z}_n$, decide whether $x = [w]_g$ or not

  14. Scheme 1(1/6) • New probabilistic encryption scheme

  15. Scheme 1 (2/6)

  16. Scheme 1 (3/6) • One-way function • Given x, to compute f(x) = y is easy. • Given y, to find x s.t. f(x) = y is hard. • One-way trapdoor • f() is a one-way function. • Given a secret s, given y, to find x s.t. f(x) = y is easy. • Trapdoor permutation • f() is a one-way trapdoor. • f() is bijective.

  17. Scheme 1 (4/6)

  18. Scheme 1 (5/6) • Scheme 1 is one-way ⇔ the Computational composite residuosity assumption (Class[n] problem) holds. • Inverting the scheme is, by definition, the composite residuosity class problem.

  19. Scheme 1 (6/6) • Scheme 1 is semantically secure ⇔ the Decisional composite residuosity assumption (CR[n] problem) holds. • $m_0$, $m_1$: known messages. • c: ciphertext of either $m_0$ or $m_1$. • $[w]_g = 0$ iff w is an n-th residue modulo $n^2$. • $c = \varepsilon_g(m_0, r)$ iff $c\,g^{-m_0} \bmod n^2$ is an n-th residue modulo $n^2$. • Vice-versa.

  20. Scheme 2(1/5) • New one-way trapdoor permutation

  21. Scheme 2(2/5)

  22. Scheme 2(3/5)

  23. Scheme 2(4/5)

  24. Scheme 2(5/5) • Digital Signatures

  25. Scheme 3(1/4) • Reduces decryption complexity. • Done by restricting the ciphertext space $\mathbb{Z}_{n^2}^*$ to the subgroup $\langle g \rangle$ of smaller order.

  26. Scheme 3(2/4)

  27. Scheme 3(3/4) • PDL[n,g] problem • Partial discrete logarithm problem • Given $w \in \langle g \rangle$, compute $[w]_g$ • D-PDL[n,g] problem • Decisional partial discrete logarithm problem • Given $w \in \langle g \rangle$, $x \in \mathbb{Z}_n$, decide whether $[w]_g = x$.

  28. Scheme 3(4/4) • Scheme 3 is one-way ⇔ PDL[n,g] is hard. • Scheme 3 is semantically secure ⇔ D-PDL[n,g] is hard.

  29. Properties(1/3) • Random-Self-Reducibility • A good algorithm for the average case implies a good algorithm for the worst case.

  30. Properties(2/3) • Additive Homomorphic Properties

  31. Properties(3/3) • Self-Blinding • Any ciphertext can be publicly changed into another one without affecting the plaintext.

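  32. Conclusion(4/4) • Proposes a new number-theoretic problem, Class[n] • Trapdoor mechanisms based on composite degree residues • Although no proof is given that the author's schemes resist CCA, the author believes that small modifications to Schemes 1 and 3 would make them resistant to CCA, and that this could be proven in the random oracle model.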
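
An added example, not taken from the slides or from the paper's own material: Paillier's Scheme 1 with constructed toy primes, showing the additive homomorphism (slide 30), self-blinding (slide 31), and the slide 19 test that c encrypts m0 exactly when c·g^(-m0) has residuosity class 0. The base g = n + 1, the primes 293 and 433, and all function names are assumptions made for this illustration.

```python
import math
import secrets

def L(u, n):
    """L(u) = (u - 1) / n, defined for u = 1 mod n."""
    return (u - 1) // n

def keygen(p, q):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # Carmichael λ(n)
    g = n + 1                                           # assumed base; order n
    mu = pow(L(pow(g, lam, n * n), n), -1, n)
    return (n, g), (lam, mu)

def rand_unit(n):
    """Random r in Z_n^*, r != 1, so blinding always changes the ciphertext."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r

def encrypt(pub, m):
    n, g = pub
    return pow(g, m, n * n) * pow(rand_unit(n), n, n * n) % (n * n)

def residuosity_class(pub, priv, w):
    """[w]_g computed with the trapdoor λ; on a ciphertext this is decryption."""
    (n, _), (lam, mu) = pub, priv
    return L(pow(w, lam, n * n), n) * mu % n

def add(pub, c1, c2):
    """Ciphertext product encrypts the sum of the plaintexts (mod n)."""
    return c1 * c2 % (pub[0] ** 2)

def reblind(pub, c):
    """Multiply by a fresh n-th residue: new ciphertext, same plaintext."""
    n = pub[0]
    return c * pow(rand_unit(n), n, n * n) % (n * n)

def encrypts(pub, priv, c, m0):
    """Slide 19: c encrypts m0 iff c * g^(-m0) is an n-th residue (class 0)."""
    n, g = pub
    return residuosity_class(pub, priv, c * pow(g, -m0, n * n) % (n * n)) == 0

if __name__ == "__main__":
    pub, priv = keygen(293, 433)          # constructed toy primes, not secure
    c1, c2 = encrypt(pub, 1234), encrypt(pub, 4321)
    print(residuosity_class(pub, priv, add(pub, c1, c2)))   # sum of plaintexts
    print(reblind(pub, c1) != c1, encrypts(pub, priv, c1, 1234))
```

The `encrypts` check uses the private trapdoor; without it, deciding the same question is the CR[n] problem the slides assume to be intractable.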
