1 Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Author: Pascal Paillier Presenter: 廖俊威 [Published in J. Stern, Ed., Advances in.

Presentation transcript:

1 Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Author: Pascal Paillier Presenter: 廖俊威 [Published in J. Stern, Ed., Advances in Cryptology- EUROCRYPT'99, vol of Lecture Notes in Computer Science, pp , Springer-Verlag, 1999.]

2 Outline: Introduction; Notation and math. assumption; Scheme 1; Scheme 2; Scheme 3; Properties; Conclusion

3 Introduction (1/2) Two main trapdoor techniques –RSA –Diffie-Hellman. Proposes a new technique –Composite Residuosity. Proposes a new computational problem –Composite Residuosity Class Problem

4 Introduction (2/2) Proposes three homomorphic encryption schemes built on the above assumption, including a new trapdoor permutation. The schemes are semantically secure, although the author gives no proof.

5 Notation and math. assumption (1/10) $p$, $q$ are two large primes. $n = pq$ [ex: $35 = 5 \cdot 7$] Euler phi-function: $\psi(n) = (p-1)(q-1)$ [$= 4 \cdot 6 = 24$] Carmichael function: $\lambda(n) = \mathrm{lcm}(p-1, q-1)$ [$\lambda(35) = \mathrm{lcm}(4, 6) = 12$] $|\mathbb{Z}_{n^2}^*| = \psi(n^2) = n\psi(n)$ [$= n^2(1-1/p)(1-1/q)$] For any $w \in \mathbb{Z}_{n^2}^*$: –$w^{\lambda} = 1 \bmod n$ [$6^{12} \bmod 35 = 1$] –$w^{n\lambda} = 1 \bmod n$ [$6^{35 \cdot 12} \bmod 35 = 1$]

6 Notation and math. assumption (2/10) RSA[n,e] problem –Extracting e-th roots modulo $n$, where $n = pq$. n-th residue modulo $n^2$ –A number $z$ is an n-th residue modulo $n^2$ if there exists a number $y \in \mathbb{Z}_{n^2}^*$ such that $z = y^n \bmod n^2$. CR[n] problem –Deciding n-th residuosity. The CR[n] problem, like deciding quadratic or higher-degree residuosity, is a random-self-reducible problem. –All of its instances are polynomially equivalent. There exists no polynomial-time distinguisher for n-th residues modulo $n^2$, i.e. CR[n] is intractable.

7 Notation and math. assumption (3/10)

8 Notation and math. assumption (4/10) If order(g) = kn, where k is a nonzero multiple of n, then $\varepsilon_g$ is bijective. –The domain and co-domain have the same order $n\psi(n)$, and the function is one-to-one.

9 Notation and math. assumption (5/10)

10 Notation and math. assumption (6/10) Class[n,g] problem –computing the class function in base $g$. –given $w \in \mathbb{Z}_{n^2}^*$, compute $[w]_g$ –random-self-reducible problem –the bases $g$ are independent

11 Notation and math. assumption (7/10) Class[n] problem –composite residuosity class problem –given $w \in \mathbb{Z}_{n^2}^*$, $g \in B$, compute $[w]_g$ Class[n] Fact[n]

12 Notation and math. assumption (8/10)

13 Notation and math. assumption (9/10) Class[n] RSA[n,n] D-Class[n] problem –decisional Class[n] problem –given $w \in \mathbb{Z}_{n^2}^*$, $g \in B$, $x \in \mathbb{Z}_n$, decide whether $x = [w]_g$ or not

14 Scheme 1(1/6) New probabilistic encryption scheme

15 Scheme 1 (2/6)

16 Scheme 1 (3/6) One-way function –Given x, to compute f(x) = y is easy. –Given y, to find x s.t. f(x) = y is hard. One-way trapdoor –f() is a one-way function. –Given a secret s, given y, to find x s.t. f(x) = y is easy. Trapdoor permutation –f() is a one-way trapdoor. –f() is bijective.

17 Scheme 1 (4/6)

18 Scheme 1 (5/6) Scheme 1 is one-way ⇔ the Computational composite residuosity assumption (Class[n] problem) holds. –Inverting our scheme is by definition the composite residuosity class problem.

19 Scheme 1 (6/6) Scheme 1 is semantically secure ⇔ the Decisional composite residuosity assumption (CR[n] problem) holds. –$m_0, m_1$: known messages. –$c$: ciphertext of either $m_0$ or $m_1$. –$[w]_g = 0$ iff $w$ is an n-th residue modulo $n^2$. –$c = \varepsilon_g(m_0, r)$ iff $c\,g^{-m_0} \bmod n^2$ is an n-th residue modulo $n^2$. –Vice-versa.
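The class-function facts from slides 8 and 19 can be checked exhaustively for the toy modulus n = 35 of slide 5. This is an added example, not part of the original slides; it assumes the usual definition ε_g(x, y) = g^x · y^n mod n², picks the base g = 1 + n as an assumption, and all function names are illustrative.

```python
from math import gcd

p, q = 5, 7                      # toy primes from the slides (n = 35)
n, n2 = p * q, (p * q) ** 2
g = n + 1                        # assumed base: order of 1 + n in Z_{n^2}^* is n

units_n = [y for y in range(1, n) if gcd(y, n) == 1]      # Z_n^*
units_n2 = {w for w in range(1, n2) if gcd(w, n2) == 1}   # Z_{n^2}^*

def eps(x, y):
    """epsilon_g(x, y) = g^x * y^n mod n^2 for x in Z_n, y in Z_n^*."""
    return pow(g, x, n2) * pow(y, n, n2) % n2

def class_table():
    """Exhaustively invert eps: map every image w to the set of x reaching it."""
    table = {}
    for x in range(n):
        for y in units_n:
            table.setdefault(eps(x, y), set()).add(x)
    return table

def is_bijective():
    """eps hits every unit mod n^2 and no two (x, y) pairs collide."""
    table = class_table()
    return set(table) == units_n2 and len(table) == n * len(units_n)

def nth_residues():
    """All z = y^n mod n^2 with y in Z_{n^2}^*."""
    return {pow(y, n, n2) for y in units_n2}

def class_zero():
    """Elements w whose class [w]_g is 0."""
    return {w for w, xs in class_table().items() if xs == {0}}

def is_encryption_of(c, m):
    """c = eps(m, r) for some r  iff  c * g^-m mod n^2 is an n-th residue."""
    return c * pow(g, -m, n2) % n2 in nth_residues()
```

The exhaustive search works only because n is tiny; for a modulus of cryptographic size the slides' assumption is that no efficient test for n-th residuosity exists without the factorization of n.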

20 Scheme 2(1/5) New one-way trapdoor permutation

21 Scheme 2(2/5)

22 Scheme 2(3/5)

23 Scheme 2(4/5)

24 Scheme 2(5/5) Digital Signatures

25 Scheme 3 (1/4) Reduces decryption complexity by restricting the ciphertext space $\mathbb{Z}_{n^2}^*$ to a subgroup of smaller order.

26 Scheme 3(2/4)

27 Scheme 3 (3/4) PDL[n,g] problem –Partial discrete logarithm problem –Given w ∈, compute $[w]_g$ D-PDL[n,g] problem –Decisional partial discrete logarithm problem –Given w ∈, $x \in \mathbb{Z}_n$, decide whether $[w]_g = x$.

28 Scheme 3 (4/4) Scheme 3 is one-way ⇔ PDL[n,g] is hard. Scheme 3 is semantically secure ⇔ D-PDL[n,g] is hard.

29 Properties(1/3) Random-Self-Reducibility –A good algorithm for the average case implies a good algorithm for the worst case.

30 Properties(2/3) Additive Homomorphic Properties –

31 Properties(3/3) Self-Blinding –Any ciphertext can be publicly changed into another one without affecting the plaintext. –
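A compact implementation of Paillier's Scheme 1 showing the additive homomorphic and self-blinding properties named on slides 30 and 31. This is an added example, not code from the slides or the paper; the choice g = 1 + n and all function names are assumptions, and the parameters are toy-sized.

```python
import secrets
from math import gcd

def L(u, n):
    """L(u) = (u - 1) / n, defined for u = 1 mod n."""
    return (u - 1) // n

def keygen(p, q):
    n = p * q
    assert gcd(n, (p - 1) * (q - 1)) == 1
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # Carmichael lambda(n)
    g = n + 1                                      # assumed base, order n
    mu = pow(L(pow(g, lam, n * n), n), -1, n)      # (L(g^lam mod n^2))^-1 mod n
    return (n, g), (lam, mu)

def random_unit(n):
    """Random r in Z_n^* from a CSPRNG."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            return r

def encrypt(pk, m, r=None):
    """c = g^m * r^n mod n^2; a fresh r makes encryption probabilistic."""
    n, g = pk
    r = random_unit(n) if r is None else r
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)

def decrypt(pk, sk, c):
    """m = L(c^lam mod n^2) * mu mod n, using the trapdoor lam."""
    n, _ = pk
    lam, mu = sk
    return L(pow(c, lam, n * n), n) * mu % n

def add(pk, c1, c2):
    """Multiplying ciphertexts adds plaintexts modulo n."""
    return c1 * c2 % (pk[0] ** 2)

def scalar_mul(pk, c, k):
    """Raising a ciphertext to k multiplies the plaintext by k modulo n."""
    return pow(c, k, pk[0] ** 2)

def reblind(pk, c):
    """Self-blinding: multiply by an n-th residue; the plaintext is unchanged."""
    n, _ = pk
    return c * pow(random_unit(n), n, n * n) % (n * n)
```

Both homomorphic operations and re-blinding need only the public key, so plain Paillier ciphertexts are malleable by design. Integrity has to come from elsewhere, consistent with the conclusion slide's remark that CCA resistance requires modifying the schemes.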

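32 Conclusion(4/4) Proposes a new number-theoretic problem, Class[n]. A trapdoor mechanism based on composite degree residues. Although no proof is given that the author's schemes resist CCA, the author believes that small modifications to Schemes 1 and 3 would make them resist CCA, and that this can be proven using a random oracle.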

33 In mathematics, a bijection, or a bijective function, is a function f from a set X to a set Y with the property that, for every y in Y, there is exactly one x in X such that f(x) = y.