Public-Key Cryptosystems Based on Composite Degree Residuosity Classes
EUROCRYPT'99, LNCS 1592, pp. 223-238, 1999. By Pascal Paillier
Efficient Public-Key Cryptosystem Provably Secure against Active Adversaries
ASIACRYPT'99, LNCS 1716, pp. 165-179, 1999. By Pascal Paillier and David Pointcheval
Presenter: 陳國璋
Outline
• Notation and math. assumption
• Scheme 1
Notation and math. Assumption (1/9)
• CR[n] problem
  • Deciding n-th residuosity.
  • Distinguishing n-th residues from non-n-th residues.
Notation and math. Assumption (2/9)
• g ∈ Z*_{n^2}
• ε_g : Z_n × Z_n^* → Z*_{n^2} is the integer-valued function defined by
  • ε_g(x, y) = g^x · y^n mod n^2
Notation and math. Assumption (3/9)
• Given a base g ∈ B and w ∈ Z*_{n^2}, we want to find x ∈ Z_n and y ∈ Z_n^* s.t. ε_g(x, y) = g^x · y^n mod n^2 = w
Notation and math. Assumption (5/9)
• Class[n] problem
  • n-th Residuosity Class Problem of base g
  • Computing the class function in base g
  • Given w ∈ Z*_{n^2}, compute [w]_g
  • [w]_g = x, where x is the smallest non-negative integer s.t. ε_g(x, y) = g^x · y^n mod n^2 = w
• Class[n] is a random-self-reducible problem: its hardness does not depend on the choice of the base g
Notation and math. Assumption (7/9)
• D-Class[n] problem
  • Decisional Class[n] problem
  • Given w ∈ Z*_{n^2}, g ∈ B, x ∈ Z_n, decide whether x = [w]_g or not
Notation and math. Assumption (8/9)
• Fact[n]
  • The factorization of n.
• RSA[n]
  • c = m^e mod n
  • Extracting e-th roots modulo n
• CR[n]
  • Deciding n-th residuosity.
Notation and math. Assumption (9/9)
• Class[n]
  • Computational composite residuosity class problem
  • Given w ∈ Z*_{n^2} and g ∈ B, compute [w]_g
• D-Class[n]
  • Decisional Class[n] problem
  • Given w ∈ Z*_{n^2}, g ∈ B, x ∈ Z_n, decide whether x = [w]_g or not
Notions of Security (1/3)
• Indistinguishability of encryption (IND)
• Non-malleability (NM)
  • Given the encryption of a plaintext x, the attacker cannot produce the encryption of a meaningfully related plaintext x' (for example, x' = x + 1).
Notions of Security (2/3)
• Chosen-plaintext attack (CPA)
• Non-adaptive chosen-ciphertext attack (CCA1)
• Adaptive chosen-ciphertext attack (CCA2)
• IND-CCA2 and NM-CCA2 are strictly equivalent notions.
Random Oracle Model
• Hash functions are considered to be ideal, i.e. perfectly random.
• From a security viewpoint, this gives the attacker additional access to the random oracles of the scheme.
Outline
• Notation and math. assumption
• Scheme 1
Scheme 1 (1/4)
• New probabilistic encryption scheme
Scheme 1 (3/4)
• One-way function
  • Given x, computing f(x) = y is easy.
  • Given y, finding x s.t. f(x) = y is hard.
• One-way trapdoor
  • f() is a one-way function.
  • Given a secret s and y, finding x s.t. f(x) = y is easy.
• Trapdoor permutation
  • f() is a one-way trapdoor.
  • f() is bijective.
Security Analysis (1/21)
• Against an adaptive chosen-ciphertext attack (IND-CCA2).
• In this scenario, the adversary makes queries of her choice to a decryption oracle during two stages.
Security Analysis (2/21)
• The first stage, the find stage
  • The attacker chooses two messages.
  • She asks the encryption oracle to encrypt one of them.
  • The encryption oracle makes the secret choice of which one.
Security Analysis (3/21)
• The second stage, the guess stage
  • The attacker queries the decryption oracle with ciphertexts of her choice.
  • Finally, she tells her guess about the choice the encryption oracle made.
Security Analysis (4/21)
• Random oracle
  • A t-bit random number
  • Two hash functions G, H : {0,1}* → {0,1}^{|n|}
Security Analysis (5/21)
• Provided t = Ω(|n|^δ) for some δ > 0, Scheme 1 is semantically secure against adaptive chosen-ciphertext attacks (IND-CCA2) under the Decision Composite Residuosity assumption (D-Class assumption) in the random oracle model.
• D-Class[n]
  • Decisional Class[n] problem
  • Given w ∈ Z*_{n^2}, g ∈ B, x ∈ Z_n, decide whether x = [w]_g or not
Security Analysis (6/21)
• An adversary A = (A1, A2) against the semantic security of Scheme 1.
  • A1: the find stage
  • A2: the guess stage
• This adversary is used to efficiently decide n-th residuosity classes.
Security Analysis (7/21)
• Oracle G
  • Indistinguishability of encryption
• Oracle H
  • Adaptive attack
Security Analysis (8/21)
• Simulation of the decryption oracle
  • The attacker asks for a ciphertext c to be decrypted.
  • The simulator checks the query history of the random oracle H.
  • If some entry (m, r) leads to the ciphertext c, it returns m; otherwise, it returns "failure".
Security Analysis (9/21)
• Quasi-perfect simulation
  • The probability of producing a valid ciphertext without asking the query (m, r) to the random oracle H (whose answer a has to satisfy the test a^n = z mod n) is upper bounded by 1/φ(n) ≤ 2/n, which is clearly negligible.
Security Analysis (10/21)
• Initialization
  • n = pq, g ∈ Z*_{n^2}
  • Public: n, g
  • Private: λ
Security Analysis (11/21)
• Encryption
  • Plaintext: m < 2^{|n|-t-1}
  • Randomly select r < 2^t
  • z = H(m, r)^n mod n^2
  • M = (m||r) + G(z mod n) mod n
  • Ciphertext: c = g^M · z mod n^2
Security Analysis (12/21)
• Decryption
  • Ciphertext: c = g^M · z mod n^2 ∈ Z*_{n^2}
  • M = [L(c^λ mod n^2) / L(g^λ mod n^2)] mod n
  • z' = g^{-M} · c mod n
  • m'||r' = M - G(z') mod n
  • If H(m', r')^n = z' mod n, then the plaintext is m'
  • Otherwise, output "failure"
Security Analysis (13/21)
• From the attacker A we design a distinguisher B for n-th residuosity classes.
• (w, α) is an instance of the D-Class problem, where α is the candidate n-th residuosity class of w.
• D-Class[n]
  • Decisional Class[n] problem
  • Given w ∈ Z*_{n^2}, g ∈ B, α ∈ Z_n, decide whether α = [w]_g or not
Security Analysis (14/21)
• Distinguisher B (1/2)
  • Randomly chooses u ∈ Z_n, v ∈ Z_n^*, 0 ≤ r < 2^t.
  • Computes the following:
    • z = w · g^{-α} · v^n mod n
    • c = w · g^u · v^n mod n^2
  • Runs A1 and gets two messages m0, m1
Security Analysis (15/21)
• Distinguisher B (2/2)
  • Chooses a bit b
  • Runs A2 on the ciphertext c, supposed to be the ciphertext of m_b with the random value r.
Security Analysis (16/21)
• Shutting the game down
  • If z is asked to the oracle G, shut the game down and B returns 1. This event is denoted AskG.
  • If (m0, r) or (m1, r) is asked to the oracle H, shut the game down and B returns 0. This event is denoted AskH.
  • In any other case, B returns 0 when A2 ends.
Security Analysis (17/21)
• As soon as one of the events AskG or AskH happens, B terminates the game.
• By the random choice of r, Pr[AskH] = O(q_H / 2^t) in any case, where q_H = #(queries asked to the oracle H) and 0 ≤ r < 2^t.
• Since G and H are seen as random oracles, without those queries the attacker has no way to correctly guess b (better than at random) during a real attack.
Security Analysis (18/21)
• In the case α = [w]_g
  • If none of the events AskG or AskH occurs, A gains no information about b, so
  • Adv_A ≤ Pr[AskG ∨ AskH | [w]_g = α]
Security Analysis (19/21)
• In the case α ≠ [w]_g
  • z is perfectly random (independent of c), so Pr[AskG] ≤ q_G / φ(n), where q_G = #(queries asked to the oracle G), u ∈ Z_n, v ∈ Z_n^*, and z = w · g^{-α} · v^n mod n
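An added worked example (my own code, not code from the slides or from Paillier's or Pointcheval's papers) that ties the preceding slides together in one runnable piece: the class function [w]_g computed with the trapdoor λ (Notation 5/9), the malleability of plain ε_g that the non-malleability slide describes (Enc(x) turned into Enc(x+1)), Scheme 1's encryption and decryption with the H-test (slides 11/21 and 12/21), and the (c, z) pair that distinguisher B builds from a D-Class instance (slide 14/21). Everything parameter-like is a constructed assumption for the demo, not a value from the papers: two Mersenne primes for n, the base g = (1+n)·2^n mod n^2, SHA-256 truncated to |n| bits standing in for the random oracles G and H, and t = 16.

```python
"""Added example, not code from the slides or from Paillier's / Pointcheval's
papers: a toy run of the n-th residuosity class function [w]_g (trapdoor λ),
the malleability of plain ε_g, Scheme 1 encryption/decryption with the H-test,
and the (c, z) pair that distinguisher B builds from a D-Class instance.
All parameters are constructed for the demo and far too small for real use."""
import hashlib
import secrets
from math import gcd

# Constructed toy modulus: two Mersenne primes, so n = pq has 92 bits (not secure).
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
N2 = N * N
NBITS = N.bit_length()                              # |n|
T = 16                                              # t-bit randomness r (tiny for the demo)
LAMBDA = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)     # private key λ = lcm(p-1, q-1)
# Assumed base g ∈ Z*_{n^2} whose order is a multiple of n: class 1, and
# g mod n != 1, so the g^{-M} step of decryption is not a no-op.
G_BASE = ((N + 1) * pow(2, N, N2)) % N2


def L(u):
    """L(u) = (u - 1) / n, defined on u ≡ 1 (mod n)."""
    return (u - 1) // N


MU = pow(L(pow(G_BASE, LAMBDA, N2)), -1, N)         # 1 / L(g^λ mod n^2) mod n


def eps(x, y):
    """ε_g(x, y) = g^x · y^n mod n^2 (plain Paillier encryption of x)."""
    return (pow(G_BASE, x, N2) * pow(y, N, N2)) % N2


def residuosity_class(w):
    """[w]_g: the x with w = g^x · y^n mod n^2, computed with the trapdoor λ."""
    return (L(pow(w, LAMBDA, N2)) * MU) % N


def hash_to_nbits(label, *parts):
    """Random-oracle stand-in for G and H: SHA-256 of the inputs, cut to |n| bits."""
    data = label + b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") & ((1 << NBITS) - 1)


def G(z):
    return hash_to_nbits(b"G", z)


def H(m, r):
    return hash_to_nbits(b"H", m, r)


def encrypt(m, r=None):
    """Scheme 1: z = H(m,r)^n mod n^2, M = m||r + G(z mod n) mod n, c = g^M · z mod n^2."""
    assert 0 <= m < (1 << (NBITS - T - 1)), "plaintext must be < 2^(|n|-t-1)"
    if r is None:
        r = secrets.randbelow(1 << T)
    z = pow(H(m, r), N, N2)
    M = ((m << T) + r + G(z % N)) % N
    return (pow(G_BASE, M, N2) * z) % N2


def decrypt(c):
    """Scheme 1 decryption: returns the plaintext, or None for "failure"."""
    M = residuosity_class(c)                        # class of c is M (z is an n-th residue)
    z_prime = (pow(G_BASE, -M, N) * c) % N          # z' = g^{-M} · c mod n
    mr = (M - G(z_prime)) % N                       # m'||r'
    m, r = mr >> T, mr & ((1 << T) - 1)
    if pow(H(m, r), N, N) != z_prime:               # the H-test rejects tampered ciphertexts
        return None
    return m


def simulate_challenge(w, alpha, u, v):
    """Distinguisher B's challenge from a D-Class instance (w, α):
    z = w · g^{-α} · v^n mod n and c = w · g^u · v^n mod n^2."""
    z = (w * pow(G_BASE, -alpha, N) * pow(v, N, N)) % N
    c = (w * pow(G_BASE, u, N2) * pow(v, N, N2)) % N2
    return c, z


def demo():
    """Runs the checks on constructed inputs and reports each as True/False."""
    results = {}
    # Plain ε_g is malleable: multiplying by g turns an encryption of x into one of x + 1.
    x, y = 4242, 0x1234567
    w = eps(x, y)
    results["class_ok"] = residuosity_class(w) == x
    results["malleable"] = residuosity_class((w * G_BASE) % N2) == x + 1
    # Scheme 1 decrypts correctly ...
    m, r = 0xDEADBEEFCAFE, 12345
    c = encrypt(m, r)
    results["decrypt_ok"] = decrypt(c) == m
    # ... and the same multiply-by-g tampering now fails the H-test.
    results["tamper_rejected"] = decrypt((c * G_BASE) % N2) is None
    # When α = [w]_g, B's (c, z) are exactly a Scheme 1 ciphertext with M = α + u
    # and a matching z': the simulation is perfect in that case.
    u, v = 777, 0xABCDEF
    c2, z2 = simulate_challenge(w, x, u, v)
    M2 = residuosity_class(c2)
    results["sim_consistent"] = M2 == (x + u) % N and (pow(G_BASE, -M2, N) * c2) % N == z2
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the contrast the slides draw: the same multiply-by-g operation that shifts the plaintext of a plain ε_g encryption by one is rejected by Scheme 1 because the recovered (m', r') no longer passes the test H(m', r')^n = z' mod n. The `simulate_challenge` check is the α = [w]_g case of slide 18/21: the pair B hands to A2 has class α + u and the z' that decryption would recompute equals B's z, so A sees a correctly distributed ciphertext.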
Security Analysis (20/21)
• The advantage of distinguisher B in deciding n-th residuosity classes:
Security Analysis (21/21)
• Reduction cost
  • If there exists an active attacker A against semantic security, one can decide n-th residuosity classes with an advantage greater than