Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Presenter: 陳國璋 EUROCRYPT'99, LNCS 1592, pp , By Pascal Paillier Efficient Public-Key Cryptosystem Provably Secure against Active Adversaries ASIACRYPT'99, LNCS 1716, pp , By Pascal Paillier and David Pointcheval
Outline Notation and math. assumption Scheme 1
Notation and math. Assumption (1/9) CR[n] problem: deciding n-th residuosity, i.e. distinguishing n-th residues from non-n-th residues.
Notation and math. Assumption (2/9) Let $g \in \mathbb{Z}_{n^2}^*$ and let $\varepsilon_g : \mathbb{Z}_n \times \mathbb{Z}_n^* \to \mathbb{Z}_{n^2}^*$ be an integer-valued function defined by $\varepsilon_g(x,y) = g^x y^n \bmod n^2$.
Notation and math. Assumption (3/9) Given a base $g \in B$ and $w \in \mathbb{Z}_{n^2}^*$, we want to find $x \in \mathbb{Z}_n$ and $y \in \mathbb{Z}_n^*$ s.t. $\varepsilon_g(x,y) = g^x y^n \bmod n^2 = w$.
Notation and math. Assumption (4/9)
Notation and math. Assumption (5/9) Class[n] problem: the n-th Residuosity Class Problem of base g. Computing the class function in base g: given $w \in \mathbb{Z}_{n^2}^*$, compute $[w]_g$. $[w]_g = x$, where x is the smallest non-negative integer s.t. $\varepsilon_g(x,y) = g^x y^n \bmod n^2 = w$. It is a random-self-reducible problem; the bases g are independent.
Notation and math. Assumption (6/9)
Notation and math. Assumption (7/9) D-Class[n] problem: the decisional Class[n] problem. Given $w \in \mathbb{Z}_{n^2}^*$, $g \in B$, $x \in \mathbb{Z}_n$, decide whether $x = [w]_g$ or not.
Notation and math. Assumption (8/9) Fact[n]: the factorization of n. RSA[n]: $c = m^e \bmod n$; extracting e-th roots modulo n. CR[n]: deciding n-th residuosity.
Notation and math. Assumption (9/9) Class[n]: the computational composite residuosity class problem. Given $w \in \mathbb{Z}_{n^2}^*$ and $g \in B$, compute $[w]_g$. D-Class[n]: the decisional Class[n] problem. Given $w \in \mathbb{Z}_{n^2}^*$, $g \in B$, $x \in \mathbb{Z}_n$, decide whether $x = [w]_g$ or not.
Notions of Security (1/3) Indistinguishability of encryption (IND). Non-malleability (NM): given the encryption of a plaintext x, the attacker cannot produce the encryption of a meaningfully related plaintext x'. (For example, x' = x+1.)
Notions of Security(2/3) Chosen-plaintext attack (CPA) Non-adaptive chosen-ciphertext attack (CCA1) Adaptive chosen-ciphertext attack (CCA2) IND-CCA2 and NM-CCA2 are strictly equivalent notions.
Notions of Security(3/3)
Random Oracle Model Hash functions are considered to be ideal, i.e. perfectly random. From a security viewpoint, the impact is that the attacker is given additional access to the random oracles of the scheme.
Outline Notation and math. assumption Scheme 1
Scheme 1(1/4) New probabilistic encryption scheme
Scheme 1 (2/4)
Scheme 1 (3/4) One-way function: given x, computing f(x) = y is easy; given y, finding x s.t. f(x) = y is hard. One-way trapdoor: f() is a one-way function, but given a secret s and y, finding x s.t. f(x) = y is easy. Trapdoor permutation: f() is a one-way trapdoor and f() is bijective.
Scheme 1 (4/4)
Security Analysis (1/21) Against an adaptive chosen-ciphertext attack (IND-CCA2). In this scenario, the adversary makes queries of her choice to a decryption oracle during two stages.
Security Analysis (2/21) The first stage, the find stage: the attacker chooses two messages and requests the encryption oracle to encrypt one of them; the encryption oracle makes the secret choice of which one.
Security Analysis (3/21) The second stage, the guess stage: the attacker queries the decryption oracle with ciphertexts of her choice. Finally, she tells her guess about the choice the encryption oracle made.
Security Analysis (4/21) Random oracle: a t-bit random number. Two hash functions $G, H : \{0,1\}^* \to \{0,1\}^{|n|}$.
Security Analysis (5/21) Provided $t = \Omega(|n|^\delta)$ for $\delta > 0$, Scheme 1 is semantically secure against adaptive chosen-ciphertext attacks (IND-CCA2) under the Decision Composite Residuosity assumption (D-Class assumption) in the random oracle model. D-Class[n], the decisional Class[n] problem: given $w \in \mathbb{Z}_{n^2}^*$, $g \in B$, $x \in \mathbb{Z}_n$, decide whether $x = [w]_g$ or not.
Security Analysis (6/21) An adversary $A = (A_1, A_2)$ against the semantic security of Scheme 1. $A_1$: the find stage. $A_2$: the guess stage. This adversary is used to efficiently decide n-th residuosity classes.
Security Analysis (7/21) Oracle G: indistinguishability of encryption. Oracle H: adaptive attack.
Security Analysis (8/21) Simulation of the decryption oracle: the attacker asks for a ciphertext c to be decrypted. The simulator checks in the query history of the random oracle H whether some entry leads to the ciphertext c, and if so returns the corresponding m; otherwise, it returns "failure".
Security Analysis (9/21) Quasi-perfect simulation: the probability of producing a valid ciphertext without asking the query (m,r) to the random oracle H (whose answer a has to satisfy the test $a^n = z \bmod n$) is upper bounded by $1/\psi(n) \le 2/n$, which is clearly negligible.
Security Analysis (10/21) Initialization: $n = pq$, $g \in \mathbb{Z}_{n^2}^*$. Public: n, g. Private: $\lambda$.
Security Analysis (11/21) Encryption. Plaintext: $m < 2^{|n|-t-1}$. Randomly select $r < 2^t$. $z = H(m,r)^n \bmod n^2$. $M = m\|r + G(z \bmod n) \bmod n$. Ciphertext: $c = g^M z \bmod n^2$.
Security Analysis (12/21) Decryption. Ciphertext: $c = g^M z \bmod n^2 \in \mathbb{Z}_{n^2}^*$. $M = [L(c^\lambda \bmod n^2) / L(g^\lambda \bmod n^2)] \bmod n$. $z' = g^{-M} c \bmod n$. $m'\|r' = M - G(z') \bmod n$. If $H(m',r')^n = z' \bmod n$, then the plaintext is m'; otherwise, output "failure".
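Scheme 1 carried through in code, as an added example that is not from the slides or the papers: it implements $\varepsilon_g$ and the class function $[w]_g$ from the notation slides together with the encryption and decryption above, on constructed toy primes. The base g = n+1, the tag length t = 16, and SHA-256 truncated to |n| bits standing in for the random oracles G and H are assumptions of this example.

```python
import hashlib
from math import gcd

# Constructed toy parameters (NOT secure): two small well-known primes, n has 60 bits.
p, q = 1000000007, 1000000009
n, n2 = p * q, (p * q) ** 2
lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # lambda = lcm(p-1, q-1): the private key
g = n + 1                                     # base in B (assumption): its order is n
BITS, T = n.bit_length(), 16                  # |n| and the tag length t; m < 2^(|n|-t-1)

def _oracle(tag, *parts):
    """Random oracle {0,1}* -> {0,1}^|n|, modelled by SHA-256 truncated to |n| bits."""
    data = tag.encode() + b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") & ((1 << BITS) - 1)

def G(z):
    return _oracle("G", z)

def H(m, r):
    return _oracle("H", m, r)

def L(u):
    """Paillier's L function, defined for u = 1 mod n."""
    return (u - 1) // n

def eps(x, y):
    """epsilon_g(x, y) = g^x y^n mod n^2 for x in Z_n, y in Z_n^*."""
    return pow(g, x, n2) * pow(y, n, n2) % n2

def residuosity_class(w):
    """[w]_g via the trapdoor: L(w^lam mod n^2) / L(g^lam mod n^2) mod n."""
    return L(pow(w, lam, n2)) * pow(L(pow(g, lam, n2)), -1, n) % n

def encrypt(m, r):
    """Scheme 1: r is the t-bit random tag (passed in so the example is deterministic)."""
    assert 0 <= m < (1 << (BITS - T - 1)) and 0 <= r < (1 << T)
    z = pow(H(m, r), n, n2)                   # z = H(m,r)^n mod n^2
    M = (((m << T) | r) + G(z % n)) % n       # M = m||r + G(z mod n) mod n
    return pow(g, M, n2) * z % n2             # c = g^M z mod n^2

def decrypt(c):
    """Scheme 1: returns m, or None for "failure" (e.g. on a tampered ciphertext)."""
    M = residuosity_class(c)                  # M = L(c^lam)/L(g^lam) mod n
    z1 = pow(g, -M, n) * c % n                # z' = g^{-M} c mod n
    mr = (M - G(z1)) % n                      # m'||r' = M - G(z') mod n
    m1, r1 = mr >> T, mr & ((1 << T) - 1)
    return m1 if pow(H(m1, r1), n, n) == z1 else None   # check H(m',r')^n = z' mod n
```

decrypt returns None for a ciphertext whose class has been shifted (c·g mod n², the x' = x+1 malleation of plain Paillier), which is exactly what the integrity test $H(m',r')^n = z' \bmod n$ buys over Paillier's original scheme.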
Security Analysis (13/21) Attacker A is used to design a distinguisher B for n-th residuosity classes. $(w, \alpha)$ is an instance of the D-Class problem, where $\alpha$ is the n-th residuosity class of w. D-Class[n], the decisional Class[n] problem: given $w \in \mathbb{Z}_{n^2}^*$, $g \in B$, $\alpha \in \mathbb{Z}_n$, decide whether $\alpha = [w]_g$ or not.
Security Analysis (14/21) Distinguisher B (1/2): randomly choose $u \in \mathbb{Z}_n$, $v \in \mathbb{Z}_n^*$, $0 \le r < 2^t$. Compute $z = w g^{-\alpha} v^n \bmod n$ and $c = w g^u v^n \bmod n^2$. Run $A_1$ and get two messages $m_0, m_1$.
Security Analysis (15/21) Distinguisher B (2/2): choose a bit b. Run $A_2$ on the ciphertext c, supposed to be the ciphertext of $m_b$ using the random r.
Security Analysis (16/21) Shutting the game down: if z is asked to the oracle G, shut the game down and B returns 1. This event is denoted by AskG. If $(m_0, r)$ or $(m_1, r)$ is asked to the oracle H, shut the game down and B returns 0. This event is denoted by AskH. In any other case, B returns 0 when $A_2$ ends.
Security Analysis (17/21) Whenever one of the events AskG or AskH happens, B terminates the game. By the random choice of r, $\Pr[\mathrm{AskH}] = O(q_H / 2^t)$ in any case, where $q_H$ is the number of queries asked to the oracle H and $0 \le r < 2^t$. Since G and H are seen as random oracles, during a real attack the attacker has no chance to correctly guess b unless one of these events occurs.
Security Analysis (18/21) In the case $\alpha = [w]_g$: if none of the events AskG or AskH occur, A gains no advantage, so $\mathrm{Adv}_A \le \Pr[\mathrm{AskG} \vee \mathrm{AskH} \mid [w]_g = \alpha]$.
Security Analysis (19/21) In the case $\alpha \ne [w]_g$: z is perfectly random (independent of c), so $\Pr[\mathrm{AskG}] \le q_G / \psi(n)$, where $q_G$ is the number of queries asked to the oracle G, $u \in \mathbb{Z}_n$, $v \in \mathbb{Z}_n^*$, and $z = w g^{-\alpha} v^n \bmod n$.
Security Analysis (20/21) The advantage of distinguisher B in deciding n-th residuosity classes:
Security Analysis (21/21) Reduction cost: if there exists an active attacker A against semantic security, one can decide n-th residuosity classes with an advantage greater than