Cryptography in Subgroups of Z n * Jens Groth UCLA

RSA subgroup n = pq = (2p´r p +1)(2q´r q +1) G ≤ Z n *, |G|=p´q´ RSA subgroup pair: (n, g) where g ← G |p´|=|q´|=100

Agenda RSA subgroup RSA subgroup Strong RSA subgroup assumption Strong RSA subgroup assumption Homomorphic integer commitment Homomorphic integer commitment Digital signature Digital signature Digital signature II Digital signature II Decisional RSA subgroup assumption Decisional RSA subgroup assumption Homomorphic cryptosystem Homomorphic cryptosystem

Strong RSA subgroup assumption K generates RSA subgroup pair (n,g) n = pq = (2p´r p +1)(2q´r q +1), g ← G Strong RSA subgroup assumption for K: Hard to find u,w  Z n * and e,d>1: g = uw e and u d = 1 (mod n)

Homomorphic integer commitment Public key: n, g, h, where g, h ← G Commit to m: c = g m h r (small randomizer) Verify opening (u, e>1, r) of c with message m: c = ug m h r and u e = 1 Homomorphic: (Uu)g M+m h R+r = Ug M h R ug m h r and (Uu) Ee = 1 Root extraction: Adversary c, e≠0 opening c e allows us to open c

Signature Public key: n, a, g, h, where a, g, h ← G Secret key: p´q´ Sign m  {0,1} l : e ← prime({0,1} l+1 ) r ← {0,...,e-1} y = (ag m h r ) e -1 mod p´q´ Verify signature (y,e,r) on m: y e = ag m h r Speedup: Use e t, t>1 allowing smaller prime e

Signature II Public key: n, a, g, where a, g ← G Secret key: p´q´ Sign m  {0,1} l : e ← prime({0,1} l+1 ) y = (ag m ) e -1 mod p´q´ Verify signature (y,e) on m: y e = ag m Theorem: Secure against adaptive chosen message attack

Proof Adversary adaptively queries m 1,..., m k and receives signatures (y 1,e 1 ),..., (y k, e k ) and forges signature (y,e) on m Two cases: I: e is new II: e = e i

Proof: e is new (n,  ) RSA subgroup pair e 1,..., e k ← prime({0,1} l+1 ), E =  e i  =  r, a =  E, g =  E Simulated public key: n, a, g On query m i answer (y i,e i ), where y i =  E/e i  mE/e i Forged signature (y,e) on m so y e = ag m =  E(r+m) breaks strong RSA subgroup assumption

Proof: e = e i (n,  ) RSA subgroup pair guess i e 1,..., e k ← prime({0,1} l+1 ), E =  j≠i e j a =  rE, g =  E On query m i hope to find l+1-bit prime factor e i of r+m i. Significant probability since r = sp´q´+t. Return y i =  E(r+m i )/e i. Forged signature (y,e i ) on m so y e i = ag m =  E(r+m) breaks strong RSA subgroup assumption

Decisional RSA subgroup assumption K generates RSA subgroup pair (n,g) n = pq = (2p´r p +1)(2q´r q +1), g ← G with r p r q B-smooth. |p´|=|q´|=160, B = 2 15 Decisional RSA subgroup assumption for K: Hard to distinguish G and QR n

Homomorphic cryptosystem Public key: n, g, h, where h ← G, g ← QR n Secret key: p´q´, factorization of ord(g) Encrypt m: c = ± g m h r Decrypt c: c p´q´ = ± (g m h r ) p´q´ = ± (g p´q´ ) m r g = ord(g p´q´ ) is B-smooth For all p i |r g find m mod p i by searching for m i so ( c p´q´ ) r g /p i = ± (g p´q´r g /p i ) m i Chinese remainder: m mod r g

Properties of cryptosystem Homomorphic: ± g M+m h R+r = ( ± g M h R )( ± g m h r ) Root extraction: Adversary c, e≠0 opening c e allows us to open c Low expansion rate: |c|/|m| Homomorphic integer commitment

Conclusion RSA subgroup - strong RSA subgroup assumption - decisional RSA subgroup assumption RSA subgroup - strong RSA subgroup assumption - decisional RSA subgroup assumption Signature y e = ag m h r speedup Signature y e = ag m h r speedup Signature II y e = ag m secure against CMA Signature II y e = ag m secure against CMA Homomorphic integer commitment g m h r speedup Homomorphic integer commitment g m h r speedup Homomorphic cryptosystem g m h r Homomorphic cryptosystem g m h r