Cryptographic protocols 2014, Lecture 6


1 Cryptographic protocols 2014, Lecture 6
Trapdoor discrete logarithm. Paillier
Helger Lipmaa
University of Tartu, Estonia

2 Up to now
Introduction to the field
Simple secure computation protocols based on DDH ("DL is hard" family)
Can design many efficient 2MAH protocols
General problem: Alice needs to compute DL which is hard by assumption

3 this time
Trapdoor discrete logarithm
hard if you do not know secret key
easy if you do
Paillier cryptosystem
Some protocols
E-voting

4 trapdoor discrete logarithm
Def. Binomial coefficient:
Relation with exponent.:
a = n, b = 1:
modulo n²:
Idea: while encrypting, use g = 1 + n as a generator in a group modulo n².
Needed: can compute DL only while knowing some secret

5 getting closer to paillier...
Enc(m; r) = ((n + 1)ᵐ hʳ, (n + 1)ʳ) mod n² // Analogy to Elgamal possible but not so efficient
|Enc(m; r)| = 4 |m| since m ∈ ℤn
Paillier cryptosystem (1999): Enc(m; r) = (n + 1)ᵐ rⁿ = (mn + 1) rⁿ mod n²
Trapdoor (idea): related to knowledge of factorization of n
We need later (1 + mn) < n²

6 Some assumptions
Factoring
RSA
Strong RSA
Discrete Log
CDH
DDH
SVP
CVP
LWE
RLWE
gapSVP
DCRA
Various pairing assumptions

7 factoring
Assumption: given a large composite number, it is infeasible to factor it
Not quite: it is easy to factor any even number, and also, say, any square number
Common version: given n = pq, for two random large primes p and q, it is difficult to find p and q

8 factoring
Probably the best known hard problem
"The problem of distinguishing prime numbers from composite numbers and of resolving the latter into their prime factors is known to be one of the most important and useful in arithmetic." (Carl Friedrich Gauss)
Classical computers: subexponential but superpolynomial time (like DL instantiation 1)
Quantum computers: easy (like DL)

9 getting closer to paillier...
Paillier cryptosystem (1999): for random large p and q, let pk = n ← pq
c = Enc(m; r) = (mn + 1) rⁿ mod n²
Trapdoor (idea): knowledge of the factoring of n
More precisely: trapdoor = i, such that one can recover m efficiently from cⁱ mod n² only if i is known

10 Note on r
Let r = a + bn for a, b < n
rⁿ = (a + bn)ⁿ = aⁿ + n · (aⁿ⁻¹ bn) = aⁿ mod n²
Thus one can always assume b = 0
Or: r ∈ ℤn*

11 getting closer to paillier...
Paillier: c = Enc(m; r) = (mn + 1) rⁿ mod n²
Idea: trapdoor = i, such that one can recover m efficiently from cⁱ mod n² only if i is known
cⁱ = (mn + 1)ⁱ rⁿⁱ = (1 + imn) rⁿⁱ mod n²
Most logical: i is such that rⁿⁱ = 1 mod n²

12 recall: totient function
φ (N) is the order of multiplicative group ℤN*
In our case: for any r∈ℤ*n², r^(φ (n²)) = 1 mod n²
φ (p) = p - 1 for prime p (0 is not invertible)
φ (N) = N · Π (1 - 1 / p') in general, product over all distinct primes p' that divide N
Here: φ (n²) = p²q² (1 - 1 / p) (1 - 1 / q) = pq(p - 1)(q - 1) = n·φ(n)

13 factoring => φ
Assume knowledge of p, q
Can efficiently compute φ := φ (n) = (p - 1) (q - 1)

14 QUIZ: φ => factoring
Assume knowledge of n = pq and φ = (p - 1)(q - 1) = n - (p + q) + 1
Knowing n and φ, one can compute s = p + q
Knowing n = pq and s: q = s - p, thus n = p (s - p), thus p² - sp + n = 0
Quadratic equation, thus can find p efficiently
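
The quiz answer worked through in Python, as an added example that is not part of the lecture slides. It shows why φ has to be protected exactly like p and q; the function name `factor_from_phi` and the sample primes are assumptions made here.

```python
import math

def factor_from_phi(n, phi):
    """Recover (p, q), p <= q, from n = pq and φ = (p-1)(q-1); None if impossible."""
    s = n - phi + 1                  # s = p + q, since φ = n - (p + q) + 1
    disc = s * s - 4 * n             # discriminant of p² - sp + n = 0
    if disc < 0:
        return None
    root = math.isqrt(disc)
    if root * root != disc or (s - root) % 2:
        return None                  # no integer roots: φ does not match n
    p, q = (s - root) // 2, (s + root) // 2
    return (p, q) if p > 1 else None  # reject the trivial split 1 · n

if __name__ == "__main__":
    # Constructed sample: two Mersenne primes, far too small for real keys.
    p, q = 2**31 - 1, 2**61 - 1
    print(factor_from_phi(p * q, (p - 1) * (q - 1)))
```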

15 getting closer to paillier...
Paillier: c = Enc(m; r) = (mn + 1) rⁿ mod n²
Trapdoor: φ := (p - 1) (q - 1), μ := φ⁻¹ mod n
Thus (rⁿ)^φ = r^(φ(n²)) = 1 mod n²
Thus c^φ = (mn + 1)^φ = φmn + 1 mod n²

16 getting closer to paillier...
c^φ = (mn + 1)^φ = φmn + 1 mod n²
Decryption: // Need to recover m from c^φ
Problem: n is not invertible modulo n²
Define L (x) := (x - 1) / n for x < n²
Assuming x < n², this is integer division
Thus L(c^φ mod n²) = φ m mod n
m ← L(c^φ mod n²) μ mod n (= φ m φ⁻¹ = m mod n)

17 paillier encryption
Paillier.Setup (κ):
  Choose good keylength (length of p, q)
  Return gk ← keylength
Paillier.Keygen (gk):
  p, q ← random keylength-long primes
  n ← pq; φ ← (p-1)(q-1); μ ← φ⁻¹ mod n
  Return ((φ,μ), n) /* secret key, public key */
Paillier.Enc (gk, n; m, r): /* Assumes r ← ℤn*: randomized alg. */
  c ← (mn + 1) rⁿ mod n²
  Return c
Paillier.Dec (gk, (φ, μ); c):
  m ← TDL(c^φ mod n²) · μ mod n
  Return m
[Diagram: one party holds φ = (p-1)(q-1), n = pq and publishes the public key n; the other picks r ∈ ℤn*, m ∈ ℤn and sends c ← (mn + 1) rⁿ mod n²; the key holder computes c* ← c^φ mod n², m ← TDL(c*) μ]

18 security
If factoring is easy then Paillier can be broken
Opposite not known
How would you come up with precise security assumption?
Tautological assumption... :(
but been well known for 15 years

19 Chosen-Plaintext Attack
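IND-CPA Security
[Game diagram. Challenger: φ, n; r, e ← {0,1}; c ← (mₑn + 1) rⁿ mod n². Adversary: receives pk = n, sends (m₀, m₁), receives c, outputs e*. Check: e* = e ? Also shown: m ← TDL(c^φ) μ]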

20 Decisional Composite Residuosity
DCR assumption
Paillier = (Setup, Keygen, Enc, Dec)
Game DCR(κ,A)
  gk ← Setup (κ)
  ((φ,μ), n) ← Keygen (κ)
  m ← ℤn
  r ← ℤn*
  c₀ ← Enc (n; m, r)
  c₁ ← Enc (n; 0, r)
  e ← {0, 1}
  e* ← A (n, cₑ)
  Return e = e* ? 1 : 0
Adv[DCR] := | Pr[DCR = 1] - 1 / 2 |
A ε-breaks DCR security iff Adv[DCR] ≥ ε
DCR is (τ,ε)-secure iff no PPT adversary ε-breaks DCRA security in time ≤ τ
DCR is secure iff it is (poly(κ),negl(κ))-secure

21 Paillier is IND-CPA secure
Theorem. DCR is (≈τ, ≈ε)-secure iff Paillier is (τ,ε)-IND-CPA secure.
Proof idea. DCR states Paillier is real-or-random IND-CPA-secure. We know from before that real-or-random IND-CPA = left-or-right IND-CPA.

22 malleability of paillier
Recall: Enc (m, r) = (n + 1)ᵐ rⁿ mod n²
=> Enc (m, r) · Enc (m', r') = Enc (m + m', r · r')
Thus, additively homomorphic
just remember that randomizer multiplies
For example: Enc (m; r) Enc (0; r') = Enc (m; rr')

23 efficiency
Factoring of n must be hard
Thus |n| ≥ 3000
(2|n| = 6000)-bit arithmetic vs 160-bit arithmetic with Elgamal+elliptic curves
Much, much slower...
but: decryption does not need computation of DL
n-bit arithm. on elliptic curves is slower than n-bit modular arithm.

24 scalar product protocol
Alice (pk, sk): aᵢ ∈ {0,1}ᴸ, a = {aᵢ : i ∈ [n]}
Bob (pk): bᵢ ∈ {0,1}ᴸ, b = {bᵢ : i ∈ [n]}
Protocol
Alice: for i = 1 to n: rᵢ ← ℤn*, cᵢ ← Enc(aᵢ; rᵢ); sends {cᵢ}
Bob: r' ← ℤn*, d ← Πcᵢ^(bᵢ) · Enc(0; r'); sends d
Alice: M ← Dec(d)
d = Enc(Σaᵢbᵢ; ... + r'), M = Σaᵢbᵢ
Decryption succeeds when Σaᵢbᵢ ≤ n2²ᴸ is small, e.g., n2²ᴸ < 2^402^3000
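
The scheme of slides 15-17, the homomorphism of slide 22 and Bob's step of the scalar product protocol above, as an added Python example (not code from the lecture). Function names and the two demo primes are assumptions made here; the primes are far below the |n| ≥ 3000 bits of slide 23.

```python
import math
import secrets

# Constructed demo primes (Mersenne primes 2^31-1 and 2^61-1); toy size only.
P, Q = 2**31 - 1, 2**61 - 1

def keygen(p, q):
    """Return ((φ, μ), n): secret key and public key, as in Paillier.Keygen."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(n, phi) != 1:
        raise ValueError("μ = φ⁻¹ mod n does not exist")
    return (phi, pow(phi, -1, n)), n

def rand_unit(n):
    """Sample r ← ℤn*."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            return r

def enc(n, m, r=None):
    """c = (mn + 1) · rⁿ mod n² for m ∈ ℤn; r is sampled if not given."""
    if not 0 <= m < n:
        raise ValueError("plaintext must lie in ℤn")
    r = rand_unit(n) if r is None else r
    return (m * n + 1) * pow(r, n, n * n) % (n * n)

def dec(sk, n, c):
    """m = L(c^φ mod n²) · μ mod n with L(x) = (x - 1) / n (integer division)."""
    phi, mu = sk
    x = pow(c, phi, n * n)            # equals φ·m·n + 1 mod n²
    return (x - 1) // n * mu % n

def add(n, c1, c2):
    """Enc(m; r) · Enc(m'; r') = Enc(m + m'; r·r')."""
    return c1 * c2 % (n * n)

def scalar_product(n, cts, b):
    """Bob's step: d = Π cᵢ^bᵢ · Enc(0; r'), computed without the secret key."""
    d = enc(n, 0)
    for c_i, b_i in zip(cts, b):
        d = d * pow(c_i, b_i, n * n) % (n * n)
    return d

if __name__ == "__main__":
    sk, n = keygen(P, Q)
    cts = [enc(n, a_i) for a_i in (3, 1, 4)]   # Alice encrypts her vector a
    print(dec(sk, n, scalar_product(n, cts, (2, 7, 1))))
```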

25 (2, 1)-CPIR protocol
Alice (pk, sk): x ∈ {0,1}
Bob (pk): f = (f₀, f₁), fᵢ ∈ {0,1}ᴸ
Protocol
Alice: r ← ℤn*, c ← Enc(x; r); sends c
Bob: r' ← ℤn*, d ← c^(f₁ - f₀) · Enc(f₀; r'); sends d
Alice: M ← Dec(d)

26 CPIR complexity
Columns: Commun. (bits) | Alice's comp. (exp, DL) | Bob's comp. (exp)
Elgamal: 4*160 | 3·160^(2.58)+2^(L/2) | 5 · 160^(2.58)
Elgamal bitwise: (2L + 2)*160 | (L + 2) · 160^(2.58) | 2L · 160^(2.58)
Paillier: 6000 2 · 6000^(2.58)
Concrete keylengths may vary
For first protocol, need L ≤ 160
For third protocol, need L ≤ 3000
For larger L, apply protocol many times

27 more protocols
We only saw 2-message 2-party protocols
but there are many more...

28 e-voting: motivation

29 e-voting: motivation
Motivations:
better security
direct democracy
convenience

30 e-voting
[Diagram: voters submit cᵢ; output Tally({cᵢ})]

31 two-candidate e-voting
cᵢ ∈ {0, 1}
[Diagram: parties hold pk, pk, sk and output Enc(cᵢ), Enc(Σcᵢ), Dec(Σcᵢ)]
... = #voters who preferred 1
complete tally can be computed from this efficiently

32 multiple-candidate e-voting
cᵢ ∈ {0, ..., C - 1}
[Diagram: parties hold pk, pk, sk and output Enc(cᵢ), Enc(Σcᵢ), Dec(Σcᵢ)]
2 = = 1 + 1 non-unique

33 quiz: how to?
cᵢ ∈ {0, ..., C - 1}
[Diagram: parties hold pk, pk, sk and output Enc(f(cᵢ)), Enc(Σf(cᵢ)), g(Dec(Σf(cᵢ)))]
Hint: Let V = #voters
V f(i) < f (i + 1)

34 presentation in (V+1)ary number system
Multiple voters
f (i) := (V + 1)ⁱ
Then clearly Vf (i) = V (V + 1)ⁱ < (V + 1)ⁱ⁺¹ = f (i + 1)
Voter i outputs Enc ((V + 1)^(cᵢ))
Server 1 outputs Enc (Σᵢ (V + 1)^(cᵢ))
Server 2 outputs Σᵢ (V + 1)^(cᵢ) = Σₑ Tₑ (V + 1)^e
presentation in (V+1)ary number system: 1 TV ... T₁ T₀

35 Efficiency
The number to be decrypted: ≤ (V + 1)^C
Country like Estonia: V = , C = 150
=> (V + 1)^C ≈ 2^(2840)
Cannot compute DL of this size!
Must use Paillier
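
The encoding f and decoding g of slides 33-35 on plaintext values, as an added Python example that is not part of the lecture. It works on the number Server 2 obtains after decryption, so no encryption code is needed; function names and sample votes are assumptions made here.

```python
def encode_vote(choice, V, C):
    """f(c) = (V + 1)^c for a choice c ∈ {0, ..., C - 1}."""
    if not 0 <= choice < C:
        raise ValueError("choice out of range")
    return (V + 1) ** choice

def decode_tally(total, V, C):
    """g: read the counts T_0, ..., T_{C-1} as digits of total in base V + 1."""
    counts = []
    for _ in range(C):
        total, digit = divmod(total, V + 1)
        counts.append(digit)
    if total != 0 or sum(counts) > V:
        raise ValueError("tally inconsistent with V voters and C candidates")
    return counts

def fits_plaintext_space(V, C, n_bits):
    """Conservative check that (V + 1)^C stays below an n of n_bits bits."""
    return ((V + 1) ** C).bit_length() < n_bits

def demo():
    # Constructed ballots: 6 voters, 3 candidates.
    votes, V, C = [0, 2, 1, 2, 2, 0], 6, 3
    # The plain sum of choices (7 here) is ambiguous; the encoded sum is not.
    total = sum(encode_vote(c, V, C) for c in votes)
    return total, decode_tally(total, V, C)

if __name__ == "__main__":
    print(demo())
```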

36 Remarks: malicious security
We assumed here that everybody is semihonest (honest-but-curious)
In real elections, parties can be malicious
=> All parties must additionally "prove" they acted correctly
Second part of the lecture series
However, one must first design a protocol secure in semihonest model

37 Study outcomes
Trapdoor discrete logarithm: idea
Paillier with all gory details
Example: efficiency of Paillier
E-voting

38 What next?
We saw how to use homomorphism to obtain interesting protocols
However, the number of such protocols is limited
Next lectures: adding tools: recursion, multiple rounds

