Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Author: Pascal Paillier Presenter: 陳國璋 [Published in J. Stern, Ed., Advances in Cryptology- EUROCRYPT'99, vol of Lecture Notes in Computer Science, pp , Springer-Verlag, 1999.]

Outline  Introduction  Notation and math. assumption  Scheme 1  Scheme 2  Scheme 3  Properties  Conclusion

Introduction(1/2)  兩個主要的 Trapdoor 技術 RSA Diffie-Hellman  提出新的技術 Composite Residuosity  提出新的計算性問題 Composite Residuosity Class Problem

Introduction(2/2)  提出 3 個架構在上述假設的同態加密機制 (Homomophic encryption schemes), 之中包含一個新的 trapdoor permutation  滿足 semantically secure, 不過, 作者沒 有證明.

Outline  Background  Notation and math. assumption  Scheme 1  Scheme 2  Scheme 3  Properties  Conclusion

Notation and math. assumption (1/10)  p, q are two large primes.  n = pq  Euler phi-function: ψ(n) = (p-1)(q-1)  Carmichael function: λ(n) = lcm(p-1,q-1)  |Z n 2 *| = ψ(n 2 ) = nψ(n)  Any w ∈ Z n 2 *, w λ = 1 mod n w nλ = 1 mod n

Notation and math. assumption (2/10)  RSA[n,e] problem Extracting e-th roots modulo n where n=pq  Relation P 1 P 2 (resp. P 1 ≡ P 2 ) will denoted that problem P 1 is polynomial reducible to the problem P 2.  n-th residue modulo n 2 A number z is th n-th residue modulo n 2 if there exist a number y such that z=y n mod n 2

Notation and math. assumption (3/10)  CR[n] problem deciding n-th residuosity  The CR[n] problem of deciding quadratic or higher degree residuosity, it is a random-self-reducibility problem.  There exists no polynomial time distinguisher for n-th residues modulo n 2, i.e. CR[n] is intractable.

Notation and math. assumption (4/10) 

Notation and math. assumption (5/10)  if order(g) = kn where k is nonzero multiple of n then ε g is bijective. Domain and Co-domain are the same order nψ(n) and the function is 1-to-1. 

Notation and math. assumption (6/10)    

Notation and math. assumption (7/10)  Class[n,g] problem computing the class function in base g. given w ∈ Z n 2 *, compute [w] g random-self-reducible problem the bases g are independent

Notation and math. assumption (8/10)  Class[n] problem composite residuosity class problem given w ∈ Z n 2 *, g ∈ B, compute [w] g   Class[n] Fact[n]

Notation and math. assumption (9/10)    

Notation and math. assumption (10/10)  Class[n] RSA[n,n]  D-Class[n] problem decisional Class[n] problem given w ∈ Z n 2 *,g ∈ B, x ∈ Z n, decide whether x=[w] g or not 

Outline  Background  Notation and math. assumption  Scheme 1  Scheme 2  Scheme 3  Properties  Conclusion

Scheme 1(1/6)  New probabilistic encryption scheme 

Scheme 1 (2/6)    

Scheme 1 (3/6)  One-way function Given x, to compute f(x) = y is easy. Given y, to find x s.t. f(x) = y is hard.  One-way trapdoor f() is a one-way function. Given a secret s, given y, to find x s.t. f(x) = y is easy.  Trapdoor permutation f() is a one-way trapdoor. f() is bijective.

Scheme 1 (4/6) 

Scheme 1 (5/6)  Scheme 1 is one-way ⇔ the Computational composite residuosity assumption(Class[n] problem) holds. Inverting our scheme is by the definition the composite residuosity class problem.

Scheme 1 (6/6)  Scheme 1 is semantically secure ⇔ the Decisional composite residuosity assumption(CR[n] problem) holds. m 0, m 1 : known messages. c:ciphertext of either m 0 or m 1. [w] g =0 iff w is the n-th residue modulo n 2. c=ε g (m 0,r) iff cg -m 0 mod n 2 is the n-th residue modulo n 2. Vice-versa.

Outline  Background  Notation and math. assumption  Scheme 1  Scheme 2  Scheme 3  Properties  Conclusion

Scheme 2(1/5)  New one-way trapdoor permutation 

Scheme 2(2/5) 

Scheme 2(3/5) 

Scheme 2(4/5) 

Scheme 2(5/5)  Digital Signatures 

Outline  Background  Notation and math. assumption  Scheme 1  Scheme 2  Scheme 3  Properties  Conclusion

Scheme 3(1/4)  Cost down for decryption complexity.  Restricting the ciphertext space Z n 2 * to subgroup of smaller order. 

Scheme 3(2/4)    

Scheme 3(3/4)  PDL[n,g] problem Partial discrete logarithm problem Given w ∈, compute [w] g  D-PDL[n,g] problem Decisional partial discrete logarithm problem Given w ∈, x ∈ Z n, decide whether [w] g =x.

Scheme 3(4/4)  Scheme 3 is one-way ⇔ PDL[n,g] is hard.  Scheme 3 is semantically secure ⇔ D-PDL[n,g] is hard. 

Outline  Background  Notation and math. assumption  Scheme 1  Scheme 2  Scheme 3  Properties  Conclusion

Properties(1/3)  Random-Self-Reducibility A good algorithm for the average case implies a good algorithm for the worst case.

Properties(2/3)  Additive Homomorphic Properties

Properties(3/3)  Self-Blinding Any ciphertext can be publicly changed into another one without affecting the plaintext.

Outline  Background  Notation and math. assumption  Scheme 1  Scheme 2  Scheme 3  Properties  Conclusion

Conclusion(1/4) SchemeMainPermutationFast Variant RSAElGamal One- wayness Class[n]RSA[n,n]PDL[n,g]RSA[n,F 4 ]DH[p] Semantic Secure CR[n]noneD-PDL[n,g]noneDDH[p] Plaintext size |n|2|n||n| |p| Ciphertext size 2|n| |n|2|p|

EncMainPermutat ion Fast Variant RSAElGamal |n|,|p|= |n|,|p|= |n|,|p|= |n|,|p|= |n|,|p|=

DecMainPermutat ion Fast Variant RSAElGamal |n|,|p|= |n|,|p|= |n|,|p|= |n|,|p|= |n|,|p|=

Conclusion(4/4)  提出新的數論問題 Class[n]  基於 composite degree residues 的 trapdoor 的機制  雖然並沒有提出任何證明作者的 scheme 能 抵抗 CCA ，但作者相信小小的修改 Scheme 1 與 3 就可以對抗 CCA ，並能透過 random oracle 來證明