Paillier Cryptosystem99 - PowerPoint PPT Presentation

1 / 12
About This Presentation
Title:

Paillier Cryptosystem99

Description:

Decryption: r = cd mod n, m = L(cr-n mod n2), L(x) = (x-1)/n. Some properties: (1)f(r,m) = rn (1 mn) mod n2 is homomorphic for r,m, namely, ... – PowerPoint PPT presentation

Number of Views:313
Avg rating:3.0/5.0
Slides: 13
Provided by: cdcInform
Category:

less

Transcript and Presenter's Notes

Title: Paillier Cryptosystem99


1
Paillier Cryptosystem99
Key generation RSA modulus n, secret key d n-1
modf(n). Encryption message m ?0,1,2,..,n-1,
random choose r?(Zn),
ciphertext c (1mn) rn mod n2. Decryption r
cd mod n, m L(cr-n mod n2), L(x) (x-1)/n.
Some properties (1)f(r,m) rn (1mn) mod n2 is
homomorphic for r,m, namely, f(r1,m1)
f(r2,m2) f(r1,m3), where r3 r1r2 mod n, m3
m1m2 mod n. (2)(Z/n2Z) nf(n). (3)The order
of (1mn) modulo n2 is n, where m in (Zn).
(4)The order of rn mod n2 is a divisor of
f(n). (5)rn mod n2 (r zn)n mod n2 for any
integer z. (6)Assume gcd(p,(q-1)/2)1. If we know
an element g whose order modulo n2 is p, then
the modulus n can be factored using g.
2
Simplified Paillier Cryptosystem01
Key generation RSA public key (e,n), RSA secret
key d Encryption message m ?0,1,2,..,n-1,
random choose r?(Zn),
ciphertext c (1mn) re mod n2. Decryption r
cd mod n, m L(cr-e mod n2), L(x) (x-1)/n.
Key generation p 47, q 53, n 2491, e 3
gt d 1595 Encryption r 1089, re mod
n2 811121, c
(1777n)811121 mod n2 2255901 Decryption
r cd mod n 1089, m L(c r-e mod n2) 777
3
Security of the S-Paillier Scheme
One-way assumption of S-Paillier for any
adversary AOW we have

Semantic security of S-Paillier for any
adversary ASS we have

4
Number Theoretic Problem III
Computational e-th Root (C-R) problem Let cre
mod n2. Compute r mod n2, for given RSA key
(n,e), ciphertext c.
Computational e-th Root (C-R) assumption for
any adversary AC-SR we have
Theorem 1 solving C-R problem gt breaking
one-wayness of S-Paillier (the
direction lt is unknown)
Theorem 2 solving C-R problem lt solving RSA
problem (the direction gt
is unknown)
5
Number Theoretic Problem IV
Decisional Small e-th Root (D-SR) problem
Distinguish two distributions Rand x
x?(Zn2), Small y xe mod n2 x?(Zn)
Decisional Small e-th Root (D-SR) assumption for
any adversary AD-DpdRSA we have

Theorem 3 S-Paillier scheme is semantically
secure under D-SR assumption
We can use small encryption exponent e.
6
S-Paillier Scheme is semantically secure under
D-SR assumption
We prove that if the advantage of ASS is not
negligible then the advantage of the adversary
ASP is also not negligible.
  • Algorithm adversary ASP
  • Input n, x ?(Zn2)
  • Output 1 if x is in Small,
  • 0 if x is in Rand
  • m0, m1? ASS1 (n,e)
  • b?0,1
  • r? ASS2 (m0, m1, x(1mbn))
  • If br then return 1
  • else return 0

If x?Rand then the distribution of x(1mbn) is
random and ASS2 can not distinguish m0, m1. Pr
ASP(x?Rand)1 1/2.
If x is in D-SR, then x(1mbn) is a
cipher- text of mb and ASS2 can distinguish m0,
m1. Pr ASP(x? Small)1 1/2 Adv(ASS2)/2.
Adv(ASP) Pr ASP(x?Small)1 Pr
ASP(x?Rand)1
Adv(ASS2)/2.
7
One-wayness v.s. Semantic Security
Let n be k-bit RSA modulus.
QR Quadratic Residuosity C-DRSA
Computational Dependent RSA, D-DRSA Decisional
Dependent RSA C-R Computational e-th
Root, D-SR Decisional Small
e-th Root
Plaintext size One-wayness
Semantic Security HC-RSA log k bits
RSA RSA D-RSA k
bits C-DpdRSA D-DpdRSA S-Paillier
k bits ? (C-R)
D-SR
  • Their one-wayness except HC-RSA are not
    equivalent to RSA assumption.
  • The relationship between computational problem
    and its decisional problem
  • has not been well studied.

There are some solutions for these questions
ST02.
8
New Security Results
  • One-wayness of S-Paillier ltgt RSAaprx assumption
  • RSAaprx assumption ltgt standard RSA assumption
  • D-SR assumption ltgt RSARSAaprx assumption
  • Adversary to break D-SR can compute the least
    significant
  • bits of nonce s.t. c mod n.

Plaintext size One-wayness
Semantic Security HC-RSA log k bits
RSA RSA Dpd-RSA k bits
C-DpdRSA D-DpdRSA S-Paillier
k bits RSA D-RSARSAaprx
9
Number Theoretic Problems V
Denote by a0 n a1 the n-adic representation
of a in Zn2.
RSA Approximation (RSAaprx) problem Let cme mod
n. Compute me mod n21, for given RSA key (n,e),
ciphertext c.
Decisional RSARSAaprx problem Distinguish two
distributions Rand (x,y) x?(Zn)x, y?Zn,
RSAaprx (xemod n, xe mod n21 )xe?(Zn)x
message m
me mod n2 me0 n me1
RSA problem
ciphertext cme mod n
me mod n21
10
Assumptions
RSAaprx assumption for any adversary ARSAarpx we
have

D-RSARSAaprx assumption for any adversary AD-SR
we have

11
Proof for Perfect Oracle
  • Input b0re mod n, Output LSB(r)
  • 1. ORSAaprx(b0) b1,
  • a0 b02-e mod n, ORSAaprx (a0) a1
  • Return 0 if a0na1 2-e(b0nb1) mod n2, else
    Return 1.

12
Non-Perfect Oracle Case (Catalano et at. 2002)
  • Input re mod n, Output r
  • 1. ORSAaprx(re mod n) re mod n2,
  • Choose random a mod n, and compute ue aere mod
    n,
  • ORSAaprx (ue mod n) ue mod n2,
  • Solve z such that ar u (1nz) mod n2,
  • Solve r such that u Ar mod n2, where Aa (1-nz)
    mod n2,
  • Return r

(1)Two instances re mod n, ue mod n are
independent. (2)z of step 4 can be computed by
ae re ue (1zen) mod n2. (3)In step 5, for
given integers Aa(1-nz) modulo n2, we can find
integers r,u of equation uAr mod n2, in
polynomial time of log n.
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Paillier Cryptosystem99" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!