Kurosawa, Takagi, ”Some RSA-based Encryption Schemes with Tight Security Reduction” Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan Some RSA-based.


1 Some RSA-based Encryption Schemes with Tight Security Reduction
Kaoru Kurosawa, Ibaraki University
Tsuyoshi Takagi, TU Darmstadt

2 One-wayness and Semantic-security
One-wayness: $E(m) \to m$ is hard.
Semantic security = IND-CPA (CCA): $E(m) \to$ any information on $m$ is hard against CPA (CCA).

3 Random Oracle Model
The hash function H is treated as a random function in the random oracle (RO) model.
However, a proof in the RO model is heuristic. If we replace the RO with a practical hash function, the proof is no longer valid.

4 IND-CCA in the Standard Model
Cramer-Shoup schemes:
1. (Crypto'98) Decisional DH assumption. One-wayness = DH assumption.
RSA-based IND-CCA scheme is unknown!

5 RSA-based IND-CPA schemes
In the Standard Model,
1. RSA-Paillier scheme is IND-CPA: One-wayness = RSA (Catalano et al., Asiacrypt'02)
2. Rabin-Paillier scheme is IND-CPA: One-wayness = Factoring Blum integers (Galindo et al., PKC'03) in this talk

6 Our result
Galindo et al. (PKC'03): factoring probability $\varepsilon^2$; proof technique: LLL, RSA-Paillier.
Proposed proof: factoring probability $\varepsilon$; proof technique: totally elementary.
Let $\varepsilon$ be the success probability of breaking the one-wayness of the Rabin-Paillier scheme.

7 RSA-Paillier scheme
(Public key) $N$ ($= pq$) and $e$.
(Secret key) $d$ ($= e^{-1} \bmod (p-1)(q-1)$)
(Plaintext) $m \in \mathbb{Z}_N$
(Ciphertext) For random $r \in_R \mathbb{Z}_N^*$, $C = r^e + mN \bmod N^2$. ---- (1)
(Decryption) $r = C^d \bmod N$, $m = (C - r^e \bmod N^2)/N$.

8 Security of RSA-Paillier
Proposition 1 (Semantic Security) IND-CPA if $\{r^e \bmod N^2 \mid r \in \mathbb{Z}_N^*\}$ and $\{r^e \bmod N^2 \mid r \in \mathbb{Z}_{N^2}^*\}$ are indistinguishable.
Proposition 2 (One-wayness) One-wayness = breaking RSA. (Catalano et al., Asiacrypt'02)
Two oracle calls are required => reduction probability $\varepsilon^2$.

9 Rabin-Paillier scheme
(Public key) $N$ ($= pq$), Blum integer
(Secret key) $p, q, d$ ($= e^{-1} \bmod (p-1)(q-1)$)
(Plaintext) $m \in \mathbb{Z}_N$
(Ciphertext) $r \in_R SQ_N = \{s^2 \bmod N \mid s \in \mathbb{Z}_N^*\}$, $C = r^{2e} + mN \bmod N^2$. ---- (2)
(Decryption) $A = C^d \bmod N$, find the unique solution $r \in SQ_N$ of $r^2 = A \bmod N$, $m = (C - r^{2e} \bmod N^2)/N$.

10 Security of Rabin-Paillier
Proposition 1 (Semantic Security) IND-CPA if $\{r^{2e} \bmod N^2 \mid r \in SQ_N\}$ and $\{r^{2e} \bmod N^2 \mid r \in SQ_{N^2}\}$ are indistinguishable.
Proposition 2 (One-wayness) One-wayness = breaking factoring. (Galindo et al., PKC 2003)
The same proof technique as for RSA-Paillier => reduction probability $\varepsilon^2$.

11 Our Proof
Let O be an oracle that finds $m$ from $C$ with probability $\varepsilon$. We will show a factoring algorithm A that uses O.
On input $N$,
1. Choose fake values $r' \in \mathbb{Z}_N^*$ and $m' \in \mathbb{Z}_N$ such that $(r'/N) = -1$.
2. Query $C = r'^{2e} + m'N \bmod N^2$ to oracle O.
3. O answers the proper $m$ such that $C = r^{2e} + mN \bmod N^2$, with probability $\varepsilon$, where $r \in SQ_N$.

12 Our Proof (Cont.)
Note that $C = r'^{2e} = r^{2e} \bmod N$. Thus, $r^2 = r'^2 + yN$ in $\mathbb{Z}$ for some $-N < y < N$.
4. A computes $y$. Let $x = r'^2$ and $w = C - mN = r^{2e} = (x + yN)^e \bmod N^2 = x^e + e x^{e-1} y N \bmod N^2$.
Thus, $y = (e x^{e-1})^{-1} \left((w - x^e \bmod N^2)/N\right) \bmod N$.

13 Our Proof (Cont.)
6. A computes $r$ by solving the quadratic equation $r^2 = x + yN$ in $\mathbb{Z}$.
7. Finally, A computes $\gcd(r' - r, N) = p$ or $q$, because $r^2 = r'^2 \bmod N$ with $r \in SQ_N$ and $r' \in \mathbb{Z}_N^*$ such that $(r'/N) = -1$.
A has asked oracle O only once => reduction probability $\varepsilon$.
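
An added example, not taken from the slides or the paper: the factoring algorithm A of slides 11 to 13 run end to end on a toy Blum integer. The oracle O is simulated by an honest Rabin-Paillier decryptor built from the secret key (so ε = 1); the primes 1019 and 1031, e = 17, and all function names are assumptions made for the demonstration.

```python
import math
import random

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def make_oracle(p, q, e):
    """Stand-in for O with eps = 1: an honest decryptor holding the secret key."""
    N, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    def oracle(C):
        A = pow(C, d, N)                                   # A = r^2 mod N
        rp, rq = pow(A, (p + 1) // 4, p), pow(A, (q + 1) // 4, q)
        r = (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % N  # root in SQ_N
        return ((C - pow(r, 2 * e, N * N)) % (N * N)) // N
    return oracle

def factor_with_oracle(N, e, oracle, rng):
    """Algorithm A from the proof: one oracle query, then a gcd."""
    N2 = N * N
    r_fake = rng.randrange(2, N)
    while jacobi(r_fake, N) != -1:                         # step 1: fake r
        r_fake = rng.randrange(2, N)
    C = (pow(r_fake, 2 * e, N2) + rng.randrange(N) * N) % N2   # step 2: query
    m = oracle(C)                                          # step 3: proper m
    x = r_fake * r_fake                                    # step 4
    w = (C - m * N) % N2                                   # = r^(2e) mod N^2
    t = ((w - pow(x, e, N2)) % N2) // N                    # = e*x^(e-1)*y mod N
    y0 = t * pow(e * pow(x, e - 1, N), -1, N) % N
    for y in (y0, y0 - N):                                 # both lifts to -N < y < N
        s = x + y * N
        if s > 0 and math.isqrt(s) ** 2 == s:              # step 6: r = sqrt(x + yN)
            g = math.gcd(r_fake - math.isqrt(s), N)        # step 7
            if 1 < g < N:
                return g
    return None

P, Q, E = 1019, 1031, 17        # constructed toy Blum primes, not real key sizes
FACTOR = factor_with_oracle(P * Q, E, make_oracle(P, Q, E), random.Random(2003))
```

Each run makes exactly one call to the oracle, which is the point of the tight reduction: the factoring success probability equals the oracle's ε rather than ε².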

14 Concluding Remarks
1. We proposed a tight reduction algorithm for the Rabin-Paillier cryptosystem.
2. A similar result holds for the following variant: $C = (r + a/r)^e + mN \bmod N^2$, where $(a/p) = (a/q) = -1$.
3. An IND-CCA variant in the RO model is $C = (r^{2e} + mN \bmod N^2) \,\|\, H(r, m)$. It is still IND-CPA and OW in the standard model.

15 RSA-based IND-CCA schemes in RO Model
RSA-OAEP (Crypto'01): reduction probability $\varepsilon^2$; reduced problem: RSA Problem.
SAEP (Crypto'01): reduction probability $\varepsilon$; reduced problem: Factoring.
Let $\varepsilon$ be the success probability of breaking the IND-CCA scheme.

