Kurosawa, Takagi, ”Some RSA-based Encryption Schemes with Tight Security Reduction” Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan Some RSA-based.

Slides:

Advertisements

Similar presentations

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Advertisements

1 Generic Conversions for Constructing IND-CCA2 Public-key Encryption in the Random Oracle Model Tatsuaki Okamoto NTT.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

Asymmetric-Key Cryptography

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Public Key Cryptosystems - RSA Receiver Sender Eavesdroppe r p q p q p q p and q prime.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

7. Asymmetric encryption-

1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong.

Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Presenter: 陳國璋 EUROCRYPT'99, LNCS 1592, pp , By Pascal Paillier Efficient.

RSA ( Rivest, Shamir, Adleman) Public Key Cryptosystem

Identity Based Encryption

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

A Designer’s Guide to KEMs Alex Dent

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Oded Regev Tel-Aviv University On Lattices, Learning with Errors, Learning with Errors, Random Linear Codes, Random Linear Codes, and Cryptography and.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Chapter 3 Encryption Algorithms & Systems (Part B)

1 CIS 5371 Cryptography 9. Data Integrity Techniques.

A Brief History of Provable Security and PKE Alex Dent Information Security Group Royal Holloway, University of London.

Codes, Ciphers, and Cryptography-RSA Encryption

 Introduction  Requirements for RSA  Ingredients for RSA  RSA Algorithm  RSA Example  Problems on RSA.

1 CIS 5371 Cryptography 8. Asymmetric encryption-.

Digital Signatures (DSs) The digital signatures cannot be separated from the message and attached to another The signature is not only tied to signer but.

8. Data Integrity Techniques

Tonga Institute of Higher Education Design and Analysis of Algorithms IT 254 Lecture 9: Cryptography.

Status of Draft ANSI X9.44 (& More) Burt Kaliski and Jakob Jonsson RSA Laboratories NIST Key Management Workshop November 1–2, 2001 (Rev. November 6, 2001)

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Lecture 3.2: Public Key Cryptography II CS 436/636/736 Spring 2014 Nitesh Saxena.

Cryptography Lecture 8 Stefan Dziembowski

1 AN EFFICIENT METHOD FOR FACTORING RABIN SCHEME SATTAR J ABOUD 1, 2 MAMOUN S. AL RABABAA and MOHAMMAD A AL-FAYOUMI 1 1 Middle East University for Graduate.

RSA and its Mathematics Behind

RSA Ramki Thurimella.

Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal.

1 Lecture 9 Public Key Cryptography Public Key Algorithms CIS CIS 5357 Network Security.

1 Lect. 13 : Public Key Encryption RSA ElGamal. 2 Shamir Rivest Adleman RSA Public Key Systems  RSA is the first public key cryptosystem  Proposed in.

Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena.

Introduction to Algorithms Second Edition by Cormen, Leiserson, Rivest & Stein Chapter 31.

By Yernar.  Background  Key generation  Encryption  Decryption  Preset Bits  Example.

Modular Arithmetic with Applications to Cryptography Lecture 47 Section 10.4 Wed, Apr 13, 2005.

Background on security

1 Number Theory and Advanced Cryptography 5. Cryptanalysis of RSA Chih-Hung Wang Sept Part I: Introduction to Number Theory Part II: Advanced Cryptography.

Utilizing Performance Monitors for Compromising keys of RSA on Intel Platforms Sarani Bhattacharya and Debdeep Mukhopadhyay Dept. of Computer Science and.

IND-CPA and IND-CCA Concepts Summary  Basic Encryption Security Definition: IND-CPA  Strong Encryption Security Definition: IND-CCA  IND-CPA, IND-CCA.

Public Key Encryption with keyword Search Author: Dan Boneh Rafail Ostroversity Giovanni Di Crescenzo Giuseppe Persiano Presenter: 陳昱圻.

Indifferentiability of Permutation-Based Compression Functions and Tree-Based Modes of Operation, with Applications to MD6 Yevgeniy Dodis Leonid Reyzin.

RSA and its Mathematics Behind July Topics  Modular Arithmetic  Greatest Common Divisor  Euler’s Identity  RSA algorithm  Security in RSA.

Public Key Systems 1 Merkle-Hellman Knapsack Public Key Systems 2 Merkle-Hellman Knapsack  One of first public key systems  Based on NP-complete problem.

1 Network and Computer Security (CS 475) Modular Arithmetic and the RSA Public Key Cryptosystem Jeremy R. Johnson.

Information Security CS 526

Scott CH Huang COM 5336 Cryptography Lecture 6 Public Key Cryptography & RSA Scott CH Huang COM 5336 Cryptography Lecture 6.

Tae-Joon Kim Jong yun Jun

A New Paradigm of Hybrid Encryption Scheme Kaoru Kurosawa, Ibaraki Univ. Yvo Desmedt, UCL and FSU.

Ryan Henry I 538 /B 609 : Introduction to Cryptography.

Ryan Henry I 538 /B 609 : Introduction to Cryptography.

Information Security and Management 10. Other Public-key Cryptosystems Chih-Hung Wang Fall

Public Key Cryptosystem In Symmetric or Private Key cryptosystems the encryption and decryption keys are either the same or can be easily found from each.

Key Exchange in Systems VPN usually has two phases –Handshake protocol: key exchange between parties sets symmetric keys –Traffic protocol: communication.

On the Hardness of Proving CCA-Security of Signed ElGamal Bogdan Warinschi (University of Bristol) joint work with David Bernhard, Marc Fischlin.

Topic 26: Discrete LOG Applications

B504/I538: Introduction to Cryptography

Topic 24: Finding Prime Numbers, RSA

Digital Signature Schemes and the Random Oracle Model

Topic 25: Discrete LOG, DDH + Attacks on Plain RSA

Topic 30: El-Gamal Encryption

Cryptography Lecture 25.

Presentation transcript:

Kurosawa, Takagi, ”Some RSA-based Encryption Schemes with Tight Security Reduction” Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan Some RSA-based Encryption Schemes with Tight Security Reduction Kaoru Kurosawa, Ibaraki University Tsuyoshi Takagi, TU Darmstadt

Kurosawa, Takagi, ”Some RSA-based Encryption Schemes with Tight Security Reduction” Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan One-wayness and Semantic-security One-wayness: E(m)  m is hard. Semantic security = IND-CPA (CCA) : E(m)  any information on m is hard against CPA (CCA).

Kurosawa, Takagi, ”Some RSA-based Encryption Schemes with Tight Security Reduction” Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan Random Oracle Model Hash function H is treated as a random function in the random oracle model. However, RO model proof is heuristic. If we replace RO to a practical hash function, then the proof is no longer valid.

Kurosawa, Takagi, ”Some RSA-based Encryption Schemes with Tight Security Reduction” Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan IND-CCA in the Standard Model Cramer-Shoup schemes: 1. (Crypto’98:) Decisional DH assumption. One-wayness = DH assumption. RSA-based IND-CCA scheme is unknown!

Kurosawa, Takagi, ”Some RSA-based Encryption Schemes with Tight Security Reduction” Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan RSA-based IND-CPA schemes In the Standard Model, 1. RSA-Paillier scheme is IND-CPA: One-wayness = RSA (Catalano et al., Asiacrypt’02) 2. Rabin-Paillier scheme is IND-CPA: One-wayness = Factoring Blum integers (Galindo et al., PKC’03) in this talk

Kurosawa, Takagi, ”Some RSA-based Encryption Schemes with Tight Security Reduction” Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan Our result Proof Technique Factoring Probability Galindo et al. (PKC’03) ε 2 - LLL, RSA-Paillier Proposed proof ε - totally elemental Let ε be a success probability that breaks the one-wayness of Rabin-Paillier scheme.

Kurosawa, Takagi, ”Some RSA-based Encryption Schemes with Tight Security Reduction” Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan RSA-Paillier scheme (Public-key) N (= pq) and e. (Secret key) d (= e -1 mod (p-1)(q-1)) (Plaintext) m ∈ Z N (Ciphertext) For random r ∈ R Z N *, C = r e + mN mod N (1) (Decryption) r = C d mod N, m = (C – r e mod N 2 )/N.

Kurosawa, Takagi, ”Some RSA-based Encryption Schemes with Tight Security Reduction” Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan Security of RSA-Paillier Proposition 1 (Semantic Security) IND-CPA if {r e mod N 2 | r ∈ Z N * } and {r e mod N 2 | r ∈ Z N 2 * } are indistinguishable. Proposition 2 (One-wayness) One-wayness = breaking RSA. (Catalano et al., Asiacrypt’02) Two oracle calls are required => reduction probability ε 2.

Kurosawa, Takagi, ”Some RSA-based Encryption Schemes with Tight Security Reduction” Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan Rabin-Paillier scheme (Public-key) N (= pq), Blum integer (Secret key) p,q, d (= e -1 mod (p-1)(q-1)) (Plaintext) m ∈ Z N (Ciphertext) r ∈ R SQ N = {s 2 mod n | s ∈ Z N * }, C = r 2e + mN mod N (2) (Decryption) A = C d mod N, find the unique solution r ∈ SQ N of r 2 = A mod N, m = (C – r 2e mod N)/N.

Kurosawa, Takagi, ”Some RSA-based Encryption Schemes with Tight Security Reduction” Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan Security of Rabin-Paillier Proposition 1 (Semantic Security) IND-CPA if {r 2e mod N 2 | r ∈ SQ N } and {r 2e mod N 2 | r ∈ SQ N 2 } are indistinguishable. Proposition 2 (One-wayness) One-wayness = breaking factoring. (Galindo et al., PKC 2003) The same proof technique with RSA-Paillier => reduction prob. ε 2.

Kurosawa, Takagi, ”Some RSA-based Encryption Schemes with Tight Security Reduction” Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan Our Proof Let O be an Oracle that find m from C with prob.ε. We will show a factoring algorithm A by using O. On input N, 1. Choose fake r ∈ Z n * and m ∈ Z n s.t. (r/N) = Query C = r 2e + mN mod N 2 to oracle O. 3. O answers proper m s.t. C = r 2e + mN mod N 2, with prob. ε, where r ∈ SQ N.

Kurosawa, Takagi, ”Some RSA-based Encryption Schemes with Tight Security Reduction” Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan Our Proof (Cont.) Note that C = r 2e = r 2e mod N. Thus, r 2 = r 2 + yN in Z for some -n<y<n. 4. A computes y. x = r 2 w = C - mN = r 2e = (x + yN) e mod N 2. = x e + ex e-1 yN mod N 2. Thus, y = (ex e-1 ) -1 ((w-x e mod N 2 )/N) mod N.

Kurosawa, Takagi, ”Some RSA-based Encryption Schemes with Tight Security Reduction” Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan Our Proof (Cont.) 6. A computes r by solving quadratic equation r 2 = x + yN in Z. 7. Finally, A computes gcd(r - r,N) = p or q, because r 2 = r 2 mod N with r ∈ SQ N and r ∈ Z n * s.t. (r/N) = -1. A has asked oracle O only once => reduction probability ε.

Kurosawa, Takagi, ”Some RSA-based Encryption Schemes with Tight Security Reduction” Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan Concluding Remarks 1. We proposed a tight reduction algorithm for Rabin-Paillier cryptosystem. 2. A similar result with the following variant: C = (r + a/r) e + mN mod N 2, where (a/p) = (a/q) = An IND-CCA variant in RO-model is C = (r 2e + mN mod N 2 )|| H(r,m). It is still IND-CPA & OW in standard model.

Kurosawa, Takagi, ”Some RSA-based Encryption Schemes with Tight Security Reduction” Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan RSA-based IND-CCA schemes in RO Model Schemes - reduced problem Reduction Probability RSA-OAEP (Crypto’01) ε 2 - RSA Problem SAEP (Crypto’01) ε - Factoring Let ε be a success probability breaking IND-CCA scheme.