Published by Marshall Wilkin. Modified over 2 years ago.

1
Kurosawa, Takagi, "Some RSA-based Encryption Schemes with Tight Security Reduction", Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan

Some RSA-based Encryption Schemes with Tight Security Reduction
Kaoru Kurosawa, Ibaraki University
Tsuyoshi Takagi, TU Darmstadt

2
One-wayness and Semantic Security
One-wayness: $E(m) \to m$ is hard.
Semantic security = IND-CPA (CCA): $E(m) \to$ any information on $m$ is hard against CPA (CCA).

3
Random Oracle Model
The hash function H is treated as a random function in the random oracle (RO) model. However, an RO-model proof is heuristic: if we replace the RO with a practical hash function, the proof is no longer valid.

4
IND-CCA in the Standard Model
Cramer-Shoup schemes:
1. (Crypto'98) Decisional DH assumption. One-wayness = DH assumption.
An RSA-based IND-CCA scheme is unknown!

5
RSA-based IND-CPA schemes
In the Standard Model,
1. RSA-Paillier scheme is IND-CPA: One-wayness = RSA (Catalano et al., Asiacrypt'02)
2. Rabin-Paillier scheme is IND-CPA: One-wayness = Factoring Blum integers (Galindo et al., PKC'03) (in this talk)

6
Our result
Proof | Proof technique | Factoring probability
Galindo et al. (PKC'03) | LLL, RSA-Paillier | $\varepsilon^2$
Proposed proof | totally elementary | $\varepsilon$
Let $\varepsilon$ be the success probability of breaking the one-wayness of the Rabin-Paillier scheme.

7
RSA-Paillier scheme
(Public key) $N$ $(= pq)$ and $e$.
(Secret key) $d$ $(= e^{-1} \bmod (p-1)(q-1))$
(Plaintext) $m \in \mathbb{Z}_N$
(Ciphertext) For random $r \in_R \mathbb{Z}_N^*$, $C = r^e + mN \bmod N^2$. ---- (1)
(Decryption) $r = C^d \bmod N$, $m = (C - r^e \bmod N^2)/N$.

8
Security of RSA-Paillier
Proposition 1 (Semantic Security) IND-CPA if $\{r^e \bmod N^2 \mid r \in \mathbb{Z}_N^*\}$ and $\{r^e \bmod N^2 \mid r \in \mathbb{Z}_{N^2}^*\}$ are indistinguishable.
Proposition 2 (One-wayness) One-wayness = breaking RSA. (Catalano et al., Asiacrypt'02)
Two oracle calls are required => reduction probability $\varepsilon^2$.

9
Rabin-Paillier scheme
(Public key) $N$ $(= pq)$, Blum integer
(Secret key) $p, q, d$ $(= e^{-1} \bmod (p-1)(q-1))$
(Plaintext) $m \in \mathbb{Z}_N$
(Ciphertext) $r \in_R SQ_N = \{s^2 \bmod N \mid s \in \mathbb{Z}_N^*\}$, $C = r^{2e} + mN \bmod N^2$. ---- (2)
(Decryption) $A = C^d \bmod N$, find the unique solution $r \in SQ_N$ of $r^2 = A \bmod N$, $m = (C - r^{2e} \bmod N^2)/N$.

10
Security of Rabin-Paillier
Proposition 1 (Semantic Security) IND-CPA if $\{r^{2e} \bmod N^2 \mid r \in SQ_N\}$ and $\{r^{2e} \bmod N^2 \mid r \in SQ_{N^2}\}$ are indistinguishable.
Proposition 2 (One-wayness) One-wayness = breaking factoring. (Galindo et al., PKC 2003)
The same proof technique as for RSA-Paillier => reduction probability $\varepsilon^2$.

11
Our Proof
Let O be an oracle that finds $m$ from $C$ with probability $\varepsilon$. We will construct a factoring algorithm A using O.
On input $N$,
1. Choose fake $\bar{r} \in \mathbb{Z}_N^*$ and $\bar{m} \in \mathbb{Z}_N$ s.t. $\left(\frac{\bar{r}}{N}\right) = -1$.
2. Query $C = \bar{r}^{2e} + \bar{m}N \bmod N^2$ to oracle O.
3. O answers the proper $m$ s.t. $C = r^{2e} + mN \bmod N^2$, with probability $\varepsilon$, where $r \in SQ_N$.

12
Our Proof (Cont.)
Note that $C = \bar{r}^{2e} = r^{2e} \bmod N$. Thus, $r^2 = \bar{r}^2 + yN$ in $\mathbb{Z}$ for some -n

13
Our Proof (Cont.)
6. A computes $r$ by solving the quadratic equation $r^2 = x + yN$ in $\mathbb{Z}$.
7. Finally, A computes $\gcd(r - \bar{r}, N) = p$ or $q$, because $r^2 = \bar{r}^2 \bmod N$ with $r \in SQ_N$ and $\bar{r} \in \mathbb{Z}_N^*$ s.t. $\left(\frac{\bar{r}}{N}\right) = -1$.
A has asked oracle O only once => reduction probability $\varepsilon$.
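The reduction of slides 11 to 13 run end to end on toy numbers, as an added example that is not code from the slides or the paper. Assumptions: the oracle O is simulated with the secret key (so its success probability is 1), the parameters are constructed toy values, and because steps 4 and 5 did not survive in this transcript, the recovery of y (with x taken to be the fake r squared mod N) is derived here from the binomial expansion of (x + yN)^e mod N^2.

```python
import math, random

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0."""
    a %= n
    s = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                s = -s
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            s = -s
        a %= n
    return s if n == 1 else 0

def ow_oracle(C, p, q, e):
    """Stand-in for O (assumed, epsilon = 1): decrypts with the secret key."""
    N = p * q
    A = pow(C, pow(e, -1, (p - 1) * (q - 1)), N)
    # For Blum primes, A^((p+1)/4) is the square root of A that is itself a square.
    rp, rq = pow(A, (p + 1) // 4, p), pow(A, (q + 1) // 4, q)
    r = (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % N  # CRT, r in SQ_N
    return ((C - pow(r, 2 * e, N * N)) % (N * N)) // N

def factor_with_oracle(N, e, oracle, rng):
    """Algorithm A: a single oracle query, returns a prime factor of N."""
    N2 = N * N
    while True:                                  # step 1: fake r with (r/N) = -1
        r_fake = rng.randrange(2, N)
        if jacobi(r_fake, N) == -1:
            break
    m_fake = rng.randrange(N)
    C = (pow(r_fake, 2 * e, N2) + m_fake * N) % N2   # step 2: the query
    m = oracle(C)                                # step 3: proper m
    w = (C - m * N) % N2                         # r^(2e) mod N^2 for the proper r
    x = r_fake * r_fake % N                      # assumed x, so that r^2 = x + yN
    # (x + yN)^e = x^e + e*x^(e-1)*y*N (mod N^2), so y follows by division mod N.
    t = (w - pow(x, e, N2)) % N2 // N
    y = t * pow(e * pow(x, e - 1, N), -1, N) % N
    r = math.isqrt(x + y * N)                    # step 6: square root over Z
    return math.gcd(r - r_fake, N)               # step 7

P, Q, E = 1019, 1031, 7   # constructed toy Blum primes and public exponent

def demo(seed=1):
    oracle = lambda C: ow_oracle(C, P, Q, E)
    return factor_with_oracle(P * Q, E, oracle, random.Random(seed))
```

`factor_with_oracle` calls `oracle` exactly once per run, which is the source of the reduction probability ε rather than ε² on slide 13.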

14
Concluding Remarks
1. We proposed a tight reduction algorithm for the Rabin-Paillier cryptosystem.
2. A similar result holds for the following variant: $C = (r + a/r)^e + mN \bmod N^2$, where $\left(\frac{a}{p}\right) = \left(\frac{a}{q}\right) = -1$.
3. An IND-CCA variant in the RO model is $C = (r^{2e} + mN \bmod N^2) \,\|\, H(r, m)$. It is still IND-CPA & OW in the standard model.

15
RSA-based IND-CCA schemes in RO Model
Scheme | Reduced problem | Reduction probability
RSA-OAEP (Crypto'01) | RSA Problem | $\varepsilon^2$
SAEP (Crypto'01) | Factoring | $\varepsilon$
Let $\varepsilon$ be the success probability of breaking the IND-CCA scheme.
