
Some RSA-based Encryption Schemes with Tight Security Reduction

Some RSA-based Encryption Schemes with Tight Security Reduction. Kaoru Kurosawa, Ibaraki University; Tsuyoshi Takagi, TU Darmstadt. One-wayness and Semantic-security. One-wayness: $E(m) \to m$ is hard. Semantic security = IND-CPA (CCA):


Presentation Transcript


  1. Some RSA-based Encryption Schemes with Tight Security Reduction. Kaoru Kurosawa, Ibaraki University; Tsuyoshi Takagi, TU Darmstadt

  2. One-wayness and Semantic-security
     • One-wayness: $E(m) \to m$ is hard.
     • Semantic security = IND-CPA (CCA): $E(m) \to$ any information on $m$ is hard against CPA (CCA).

  3. Random Oracle Model
     • The hash function H is treated as a random function in the random oracle (RO) model. However, an RO-model proof is heuristic: if we replace the RO with a practical hash function, the proof is no longer valid.

  4. IND-CCA in the Standard Model
     Cramer-Shoup schemes: 1. (Crypto'98) Decisional DH assumption. One-wayness = DH assumption.
     An RSA-based IND-CCA scheme is unknown!

  5. RSA-based IND-CPA schemes
     In the Standard Model:
     1. The RSA-Paillier scheme is IND-CPA. One-wayness = RSA (Catalano et al., Asiacrypt'02)
     2. The Rabin-Paillier scheme is IND-CPA. One-wayness = Factoring Blum integers (Galindo et al., PKC'03) (in this talk)

  6. Our result
     Let $\varepsilon$ be a success probability that breaks the one-wayness of the Rabin-Paillier scheme.
     • Galindo et al. (PKC'03): factoring probability $\varepsilon^2$; technique: LLL, RSA-Paillier
     • Proposed proof: factoring probability $\varepsilon$; technique: totally elemental

  7. RSA-Paillier scheme
     • (Public key) $N\ (= pq)$ and $e$.
     • (Secret key) $d\ (= e^{-1} \bmod (p-1)(q-1))$
     • (Plaintext) $m \in Z_N$
     • (Ciphertext) For random $r \in_R Z_N^*$, $C = r^e + mN \bmod N^2$. ---- (1)
     • (Decryption) $r = C^d \bmod N$, $m = (C - r^e \bmod N^2)/N$.

  8. Security of RSA-Paillier
     • Proposition 1 (Semantic Security): IND-CPA if $\{r^e \bmod N^2 \mid r \in Z_N^*\}$ and $\{r^e \bmod N^2 \mid r \in Z_{N^2}^*\}$ are indistinguishable.
     • Proposition 2 (One-wayness): One-wayness = breaking RSA. (Catalano et al., Asiacrypt'02) Two oracle calls are required => reduction probability $\varepsilon^2$.

  9. Rabin-Paillier scheme
     • (Public key) $N\ (= pq)$, a Blum integer
     • (Secret key) $p, q, d\ (= e^{-1} \bmod (p-1)(q-1))$
     • (Plaintext) $m \in Z_N$
     • (Ciphertext) For $r \in_R SQ_N = \{s^2 \bmod N \mid s \in Z_N^*\}$, $C = r^{2e} + mN \bmod N^2$. ---- (2)
     • (Decryption) $A = C^d \bmod N$; find the unique solution $r \in SQ_N$ of $r^2 = A \bmod N$; $m = (C - r^{2e} \bmod N^2)/N$.

  10. Security of Rabin-Paillier
     • Proposition 1 (Semantic Security): IND-CPA if $\{r^{2e} \bmod N^2 \mid r \in SQ_N\}$ and $\{r^{2e} \bmod N^2 \mid r \in SQ_{N^2}\}$ are indistinguishable.
     • Proposition 2 (One-wayness): One-wayness = breaking factoring. (Galindo et al., PKC 2003) The same proof technique as for RSA-Paillier => reduction probability $\varepsilon^2$.

  11. Our Proof
     Let O be an oracle that finds $m$ from $C$ with probability $\varepsilon$. We will show a factoring algorithm A that uses O. On input $N$:
     1. Choose a fake $\bar{r} \in Z_N^*$ and $m \in Z_N$ s.t. $\left(\frac{\bar{r}}{N}\right) = -1$.
     2. Query $C = \bar{r}^{2e} + mN \bmod N^2$ to oracle O.
     3. O answers the proper $m$ s.t. $C = r^{2e} + mN \bmod N^2$, with probability $\varepsilon$, where $r \in SQ_N$.

  12. Our Proof (Cont.)
     Note that $C = r^{2e} = \bar{r}^{2e} \bmod N$. Thus, $r^2 = \bar{r}^2 + yN$ in $Z$ for some $-N < y < N$.
     4. A computes $y$. Let $x = \bar{r}^2$. Then
        $w = C - mN = r^{2e} = (x + yN)^e \bmod N^2 = x^e + e x^{e-1} y N \bmod N^2$.
        Thus, $y = (e x^{e-1})^{-1} \left( (w - x^e \bmod N^2)/N \right) \bmod N$.

  13. Our Proof (Cont.)
     6. A computes $r$ by solving the quadratic equation $r^2 = x + yN$ in $Z$.
     7. Finally, A computes $\gcd(r - \bar{r}, N) = p$ or $q$, because $r^2 = \bar{r}^2 \bmod N$ with $r \in SQ_N$ and $\bar{r} \in Z_N^*$ s.t. $\left(\frac{\bar{r}}{N}\right) = -1$.
     A has asked oracle O only once => reduction probability $\varepsilon$.

  14. Concluding Remarks
     1. We proposed a tight reduction algorithm for the Rabin-Paillier cryptosystem.
     2. A similar result holds for the following variant: $C = (r + a/r)^e + mN \bmod N^2$, where $\left(\frac{a}{p}\right) = \left(\frac{a}{q}\right) = -1$.
     3. An IND-CCA variant in the RO model is $C = (r^{2e} + mN \bmod N^2) \,\|\, H(r, m)$. It is still IND-CPA & OW in the standard model.

  15. RSA-based IND-CCA schemes in RO Model
     Let $\varepsilon$ be a success probability of breaking the IND-CCA scheme.
     • RSA-OAEP (Crypto'01): reduction probability $\varepsilon^2$; reduced problem: RSA Problem
     • SAEP (Crypto'01): reduction probability $\varepsilon$; reduced problem: Factoring
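
The factoring algorithm A of slides 11 to 13, written out as an added Python example (it is not part of the presentation). The oracle is a constructed stand-in that holds p and q and therefore answers with ε = 1; the names `make_oracle`, `factor_with_oracle`, `r_fake` and `m_proper` and the toy parameters are assumptions.

```python
import math

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def make_oracle(p, q, e):
    """Constructed stand-in for O (eps = 1): decrypts with the secret key."""
    N, N2 = p * q, (p * q) ** 2
    d = pow(e, -1, (p - 1) * (q - 1))
    def oracle(C):
        A = pow(C, d, N)                                  # A = r^2 mod N
        # For Blum primes, A^((p+1)/4) is the root that is itself a square.
        rp, rq = pow(A, (p + 1) // 4, p), pow(A, (q + 1) // 4, q)
        r = rp + p * ((rq - rp) * pow(p, -1, q) % q)      # CRT: unique r in SQ_N
        return (C - pow(r, 2 * e, N2)) % N2 // N          # the proper m
    return oracle

def factor_with_oracle(N, e, oracle, m=0):
    """Algorithm A of slides 11-13: one oracle query yields a factor of N."""
    N2 = N * N
    # Step 1: fake r with Jacobi symbol -1 (smallest one, for reproducibility).
    r_fake = next(r for r in range(2, N) if jacobi(r, N) == -1)
    C = (pow(r_fake, 2 * e, N2) + m * N) % N2             # step 2
    m_proper = oracle(C)                                  # step 3
    x = r_fake * r_fake                                   # step 4: x in Z
    w = (C - m_proper * N) % N2                           # w = r^(2e) mod N^2
    t = (w - pow(x, e, N2)) % N2 // N
    y = t * pow(e * pow(x, e - 1, N), -1, N) % N          # y mod N
    for cand in (y, y - N):                               # true y is in (-N, N)
        s = x + cand * N                                  # step 6: r^2 = x + yN
        if 0 < s < N2 and math.isqrt(s) ** 2 == s:
            return math.gcd(math.isqrt(s) - r_fake, N)    # step 7
    return None                                           # oracle answered wrongly
```

With the toy Blum primes p = 1019, q = 1031 and e = 3, `factor_with_oracle(p * q, 3, make_oracle(p, q, 3))` returns p or q after a single oracle call.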
