Published by Marshall Wilkin. Modified over 2 years ago.

1
Kurosawa, Takagi, "Some RSA-based Encryption Schemes with Tight Security Reduction", Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan

Some RSA-based Encryption Schemes with Tight Security Reduction
Kaoru Kurosawa, Ibaraki University
Tsuyoshi Takagi, TU Darmstadt

2
One-wayness and Semantic-security
One-wayness: E(m) → m is hard.
Semantic security = IND-CPA (CCA): E(m) → any information on m is hard against CPA (CCA).

3
Random Oracle Model
The hash function H is treated as a random function in the random oracle (RO) model.
However, an RO-model proof is heuristic: if we replace the RO with a practical hash function, the proof is no longer valid.

4
IND-CCA in the Standard Model
Cramer-Shoup schemes:
1. (Crypto'98) Decisional DH assumption. One-wayness = DH assumption.
An RSA-based IND-CCA scheme is unknown!

5
RSA-based IND-CPA schemes
In the standard model:
1. The RSA-Paillier scheme is IND-CPA: One-wayness = RSA (Catalano et al., Asiacrypt'02)
2. The Rabin-Paillier scheme is IND-CPA: One-wayness = Factoring Blum integers (Galindo et al., PKC'03) (in this talk)

6
Our result

| Proof | Factoring probability | Technique |
|---|---|---|
| Galindo et al. (PKC'03) | $\varepsilon^2$ | LLL, RSA-Paillier |
| Proposed proof | $\varepsilon$ | totally elemental |

Let $\varepsilon$ be the success probability of breaking the one-wayness of the Rabin-Paillier scheme.

7
RSA-Paillier scheme
(Public key) $N$ $(= pq)$ and $e$.
(Secret key) $d$ $(= e^{-1} \bmod (p-1)(q-1))$
(Plaintext) $m \in Z_N$
(Ciphertext) For random $r \in_R Z_N^*$, $C = r^e + mN \bmod N^2$. ---- (1)
(Decryption) $r = C^d \bmod N$, $m = (C - r^e \bmod N^2)/N$.

8
Security of RSA-Paillier
Proposition 1 (Semantic Security) IND-CPA if $\{r^e \bmod N^2 \mid r \in Z_N^*\}$ and $\{r^e \bmod N^2 \mid r \in Z_{N^2}^*\}$ are indistinguishable.
Proposition 2 (One-wayness) One-wayness = breaking RSA. (Catalano et al., Asiacrypt'02)
Two oracle calls are required => reduction probability $\varepsilon^2$.

9
Rabin-Paillier scheme
(Public key) $N$ $(= pq)$, Blum integer
(Secret key) $p, q$, $d$ $(= e^{-1} \bmod (p-1)(q-1))$
(Plaintext) $m \in Z_N$
(Ciphertext) $r \in_R SQ_N = \{s^2 \bmod N \mid s \in Z_N^*\}$, $C = r^{2e} + mN \bmod N^2$. ---- (2)
(Decryption) $A = C^d \bmod N$, find the unique solution $r \in SQ_N$ of $r^2 = A \bmod N$, $m = (C - r^{2e} \bmod N^2)/N$.

10
Security of Rabin-Paillier
Proposition 1 (Semantic Security) IND-CPA if $\{r^{2e} \bmod N^2 \mid r \in SQ_N\}$ and $\{r^{2e} \bmod N^2 \mid r \in SQ_{N^2}\}$ are indistinguishable.
Proposition 2 (One-wayness) One-wayness = breaking factoring. (Galindo et al., PKC 2003)
The same proof technique as for RSA-Paillier => reduction probability $\varepsilon^2$.

11
Our Proof
Let O be an oracle that finds $m$ from $C$ with probability $\varepsilon$. We will show a factoring algorithm A that uses O. On input $N$:
1. Choose fake $r' \in Z_N^*$ and $m' \in Z_N$ s.t. $(r'/N) = -1$.
2. Query $C = r'^{2e} + m'N \bmod N^2$ to oracle O.
3. O answers the proper $m$ s.t. $C = r^{2e} + mN \bmod N^2$, with probability $\varepsilon$, where $r \in SQ_N$.

12
Our Proof (Cont.)
Note that $C = r^{2e} = r'^{2e} \bmod N$. Thus, $r^2 = r'^2 + yN$ in Z for some -n

13
Our Proof (Cont.)
6. A computes $r$ by solving the quadratic equation $r^2 = x + yN$ in Z.
7. Finally, A computes $\gcd(r - r', N) = p$ or $q$, because $r^2 = r'^2 \bmod N$ with $r \in SQ_N$ and $r' \in Z_N^*$ s.t. $(r'/N) = -1$.
A has asked oracle O only once => reduction probability $\varepsilon$.
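The Rabin-Paillier scheme of equation (2) and the one-query factoring reduction from the proof slides, as an added Python example that is not from the original presentation. The toy key (p = 499, q = 547, e = 5), the function names, the names r1 and m1 for the fake r and m chosen by A, and the oracle simulated with the secret key are assumptions; the step that recovers y from m1 - m comes from expanding (r1^2 + yN)^e mod N^2 and is not shown on the slides.

```python
import math, random

def jacobi(a, n):                       # Jacobi symbol (a/n), odd n > 0
    a, t = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                t = -t
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            t = -t
        a %= n
    return t if n == 1 else 0

def keygen(p, q, e):                    # p, q = 3 (mod 4): N is a Blum integer
    return (p * q, e), (p, q, pow(e, -1, (p - 1) * (q - 1)))

def encrypt(pk, m, s):
    N, e = pk
    r = s * s % N                       # r in SQ_N
    return (pow(r, 2 * e, N * N) + m * N) % (N * N)   # equation (2)

def decrypt(pk, sk, C):
    (N, e), (p, q, d) = pk, sk
    A = pow(C, d, N)                    # A = r^2 mod N
    rp, rq = pow(A, (p + 1) // 4, p), pow(A, (q + 1) // 4, q)
    r = rp + p * ((rq - rp) * pow(p, -1, q) % q)      # CRT: the root in SQ_N
    return (C - pow(r, 2 * e, N * N)) % (N * N) // N

def factor_with_oracle(pk, oracle, rng=random):
    N, e = pk
    r1 = rng.randrange(2, N)
    while jacobi(r1, N) != -1:          # fake r with (r/N) = -1
        r1 = rng.randrange(2, N)
    m1 = rng.randrange(N)               # fake m
    C = (pow(r1, 2 * e, N * N) + m1 * N) % (N * N)
    m = oracle(C)                       # the single oracle query
    # r^2 = r1^2 + yN in Z  =>  m1 - m = e * r1^(2(e-1)) * y (mod N)
    y0 = (m1 - m) * pow(e * pow(r1, 2 * (e - 1), N), -1, N) % N
    for y in (y0, y0 - N):              # y lies in (-N, N)
        v = r1 * r1 + y * N
        if v > 0 and math.isqrt(v) ** 2 == v:
            g = math.gcd(math.isqrt(v) - r1, N)
            if 1 < g < N:
                return g
    return None

PK, SK = keygen(499, 547, 5)            # constructed toy key, not secure
```

Calling `factor_with_oracle(PK, lambda C: decrypt(PK, SK, C))` returns 499 or 547; here the oracle always answers, so the single query always yields a factor.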

14
Concluding Remarks
1. We proposed a tight reduction algorithm for the Rabin-Paillier cryptosystem.
2. A similar result holds for the following variant: $C = (r + a/r)^e + mN \bmod N^2$, where $(a/p) = (a/q) = -1$.
3. An IND-CCA variant in the RO model is $C = (r^{2e} + mN \bmod N^2) \,\|\, H(r, m)$. It is still IND-CPA and OW in the standard model.

15
RSA-based IND-CCA schemes in RO Model

| Scheme | Reduction probability | Reduced problem |
|---|---|---|
| RSA-OAEP (Crypto'01) | $\varepsilon^2$ | RSA Problem |
| SAEP (Crypto'01) | $\varepsilon$ | Factoring |

Let $\varepsilon$ be the success probability of breaking the IND-CCA scheme.
