Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Presenter: 陳國璋 EUROCRYPT'99, LNCS 1592, pp. 223-238, 1999. By Pascal Paillier Efficient.


1 Public-Key Cryptosystems Based on Composite Degree Residuosity Classes
Presenter: 陳國璋
EUROCRYPT'99, LNCS 1592, pp. 223-238, 1999. By Pascal Paillier
Efficient Public-Key Cryptosystem Provably Secure against Active Adversaries
ASIACRYPT'99, LNCS 1716, pp. 165-179, 1999. By Pascal Paillier and David Pointcheval

2 Outline
- Notation and math. assumption
- Scheme 1

3 Notation and math. Assumption (1/9)
- CR[n] problem: deciding $n$-th residuosity, i.e. distinguishing $n$-th residues from non-$n$-th residues.

4 Notation and math. Assumption (2/9)
- $g \in \mathbb{Z}_{n^2}^*$
- Let $\varepsilon_g : \mathbb{Z}_n \times \mathbb{Z}_n^* \to \mathbb{Z}_{n^2}^*$ be the integer-valued function defined by $\varepsilon_g(x, y) = g^x y^n \bmod n^2$.

5 Notation and math. Assumption (3/9)
- Given a base $g \in B$ and $w \in \mathbb{Z}_{n^2}^*$, we want to find $x \in \mathbb{Z}_n$ and $y \in \mathbb{Z}_n^*$ such that $\varepsilon_g(x, y) = g^x y^n \bmod n^2 = w$.

6 Notation and math. Assumption (4/9)

7 Notation and math. Assumption (5/9)
- Class[n] problem: the $n$-th Residuosity Class Problem of base $g$.
  Computing the class function in base $g$: given $w \in \mathbb{Z}_{n^2}^*$, compute $[w]_g$.
  $[w]_g = x$, where $x$ is the smallest non-negative integer such that $\varepsilon_g(x, y) = g^x y^n \bmod n^2 = w$.
  It is a random-self-reducible problem.
  The bases $g$ are independent.

8 Notation and math. Assumption (6/9)

9 Notation and math. Assumption (7/9)
- D-Class[n] problem: the decisional Class[n] problem. Given $w \in \mathbb{Z}_{n^2}^*$, $g \in B$ and $x \in \mathbb{Z}_n$, decide whether $x = [w]_g$ or not.

10 Notation and math. Assumption (8/9)
- Fact[n]: the factorization of $n$.
- RSA[n]: $c = m^e \bmod n$; extracting $e$-th roots modulo $n$.
- CR[n]: deciding $n$-th residuosity.

11 Notation and math. Assumption (9/9)
- Class[n]: the computational composite residuosity class problem. Given $w \in \mathbb{Z}_{n^2}^*$ and $g \in B$, compute $[w]_g$.
- D-Class[n]: the decisional Class[n] problem. Given $w \in \mathbb{Z}_{n^2}^*$, $g \in B$ and $x \in \mathbb{Z}_n$, decide whether $x = [w]_g$ or not.

12 Notions of Security (1/3)
- Indistinguishability of encryption (IND)
- Non-malleability (NM): given the encryption of a plaintext $x$, the attacker cannot produce the encryption of a meaningfully related plaintext $x'$ (for example, $x' = x + 1$).

13 Notions of Security (2/3)
- Chosen-plaintext attack (CPA)
- Non-adaptive chosen-ciphertext attack (CCA1)
- Adaptive chosen-ciphertext attack (CCA2)
- IND-CCA2 and NM-CCA2 are strictly equivalent notions.

14 Notions of Security(3/3)

15 Random Oracle Model
- Hash functions are considered to be ideal, i.e. perfectly random.
- From a security viewpoint, the impact is that the attacker gets additional access to the random oracles of the scheme.

16 Outline
- Notation and math. assumption
- Scheme 1

17 Scheme 1 (1/4)
- New probabilistic encryption scheme

18 Scheme 1 (2/4)

19 Scheme 1 (3/4)
- One-way function
  Given $x$, computing $f(x) = y$ is easy.
  Given $y$, finding $x$ such that $f(x) = y$ is hard.
- One-way trapdoor
  $f()$ is a one-way function.
  Given a secret $s$ and given $y$, finding $x$ such that $f(x) = y$ is easy.
- Trapdoor permutation
  $f()$ is a one-way trapdoor.
  $f()$ is bijective.

20 Scheme 1 (4/4)

21 Security Analysis (1/21)
- Security against an adaptive chosen-ciphertext attack (IND-CCA2).
- In this scenario, the adversary makes queries of her choice to a decryption oracle during two stages.

22 Security Analysis (2/21)
- The first stage, the find stage
  The attacker chooses two messages.
  She requests the encryption oracle to encrypt one of them.
  The encryption oracle makes the secret choice of which one.

23 Security Analysis (3/21)
- The second stage, the guess stage
  The attacker queries the decryption oracle with ciphertexts of her choice.
- Finally, she tells her guess about the choice the encryption oracle made.

24 Security Analysis (4/21)
- Random oracle
  A $t$-bit random number
  Two hash functions: $G, H : \{0,1\}^* \to \{0,1\}^{|n|}$

25 Security Analysis (5/21)
- Provided $t = \Omega(|n|^\delta)$ for $\delta > 0$, Scheme 1 is semantically secure against adaptive chosen-ciphertext attacks (IND-CCA2) under the Decision Composite Residuosity assumption (D-Class assumption) in the random oracle model.
- D-Class[n]: the decisional Class[n] problem. Given $w \in \mathbb{Z}_{n^2}^*$, $g \in B$ and $x \in \mathbb{Z}_n$, decide whether $x = [w]_g$ or not.

26 Security Analysis (6/21)
- Consider an adversary $A = (A_1, A_2)$ against the semantic security of Scheme 1.
  $A_1$: the find stage
  $A_2$: the guess stage
- This adversary is used to efficiently decide $n$-th residuosity classes.

27 Security Analysis (7/21)
- Oracle G: indistinguishability of encryption
- Oracle H: adaptive attack

28 Security Analysis (8/21)
- Simulation of the decryption oracle
  The attacker asks for a ciphertext $c$ to be decrypted.
  The simulator checks the query history of the random oracle $H$ to see whether some entry leads to the ciphertext $c$. If so, it returns $m$; otherwise, it returns "failure".

29 Security Analysis (9/21)
- Quasi-perfect simulation
  The probability of producing a valid ciphertext without asking the query $(m, r)$ to the random oracle $H$ (whose answer $a$ has to satisfy the test $a^n = z \bmod n$) is upper bounded by $1/\psi(n) \le 2/n$, which is clearly negligible.

30 Security Analysis (10/21)
- Initialization
  $n = pq$, $g \in \mathbb{Z}_{n^2}^*$
  Public: $n, g$
  Private: $\lambda$

31 Security Analysis (11/21)
- Encryption
  Plaintext: $m < 2^{|n|-t-1}$
  Randomly select $r < 2^t$
  $z = H(m, r)^n \bmod n^2$
  $M = m \| r + G(z \bmod n) \bmod n$
  Ciphertext: $c = g^M z \bmod n^2$

32 Security Analysis (12/21)
- Decryption
  Ciphertext: $c = g^M z \bmod n^2 \in \mathbb{Z}_{n^2}^*$
  $M = \left[ L(c^\lambda \bmod n^2) / L(g^\lambda \bmod n^2) \right] \bmod n$
  $z' = g^{-M} c \bmod n$
  $m' \| r' = M - G(z') \bmod n$
  If $H(m', r')^n = z' \bmod n$, then the plaintext is $m'$.
  Otherwise, output "failure".
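The Initialization, Encryption and Decryption slides above, carried through as an added Python example (not code from the presentation or the papers); it also shows the non-malleability case x' = x + 1 from slide 12 being rejected by the validity test. Assumptions: toy Mersenne primes, base g = n + 1, SHA-256 standing in for the random oracles G and H, and L(u) = (u - 1)/n, which the slides use without defining.

```python
import hashlib, math, secrets

# Toy parameters, constructed for illustration; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1                      # two Mersenne primes
N, N2 = P * Q, (P * Q) ** 2                      # n and n^2
G_BASE = N + 1                                   # assumed base g in Z*_{n^2}
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)  # private lambda = lcm(p-1, q-1)
T = 32                                           # bit length t of the random r

def _oracle(tag, *vals):
    """Stand-in for a random oracle: tagged SHA-256 reduced mod n."""
    data = tag + b"|".join(str(v).encode() for v in vals)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def H(m, r): return _oracle(b"H:", m, r)   # lands outside Z_n^* only with negligible probability
def G(z): return _oracle(b"G:", z)
def L(u): return (u - 1) // N

def encrypt(m, r=None):
    if not 0 <= m < 2 ** (N.bit_length() - T - 1):
        raise ValueError("plaintext must be below 2^(|n|-t-1)")
    r = secrets.randbelow(2 ** T) if r is None else r
    z = pow(H(m, r), N, N2)                      # z = H(m,r)^n mod n^2
    M = (((m << T) | r) + G(z % N)) % N          # M = m||r + G(z mod n) mod n
    return pow(G_BASE, M, N2) * z % N2           # c = g^M z mod n^2

def decrypt(c):
    """Return m', or None for the slides' "failure" output."""
    if not 0 < c < N2 or math.gcd(c, N) != 1:
        return None
    M = L(pow(c, LAM, N2)) * pow(L(pow(G_BASE, LAM, N2)), -1, N) % N
    z1 = pow(G_BASE, -M, N) * c % N              # z' = g^-M c mod n
    mr = (M - G(z1)) % N                         # m'||r' = M - G(z') mod n
    m1, r1 = mr >> T, mr & (2 ** T - 1)
    if pow(H(m1, r1), N, N) != z1:               # test H(m',r')^n = z' mod n
        return None
    return m1

if __name__ == "__main__":
    c = encrypt(123456789, r=42)
    print(decrypt(c))                    # recovers the plaintext
    print(decrypt(c * G_BASE % N2))      # c*g shifts m||r by 1; the H test rejects it
```

Multiplying the ciphertext by g is the homomorphic shift that plain Paillier encryption permits; here it moves m||r by one while z' stays the same, so the recomputed H value no longer matches and decryption returns "failure".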

33 Security Analysis (13/21)
- Attacker $A$ is used to design a distinguisher $B$ for the $n$-th residuosity class.
- $(w, \alpha)$ is an instance of the D-Class problem, where $\alpha$ is the $n$-th residuosity class of $w$.
- D-Class[n]: the decisional Class[n] problem. Given $w \in \mathbb{Z}_{n^2}^*$, $g \in B$ and $\alpha \in \mathbb{Z}_n$, decide whether $\alpha = [w]_g$ or not.

34 Security Analysis (14/21)
- Distinguisher B (1/2)
  Randomly choose $u \in \mathbb{Z}_n$, $v \in \mathbb{Z}_n^*$, $0 \le r < 2^t$.
  Compute the following:
  $z = w g^{-\alpha} v^n \bmod n$
  $c = w g^u v^n \bmod n^2$
  Run $A_1$ and get two messages $m_0, m_1$.

35 Security Analysis (15/21)
- Distinguisher B (2/2)
  Choose a bit $b$.
  Run $A_2$ on the ciphertext $c$, supposed to be the ciphertext of $m_b$ using the random $r$.

36 Security Analysis (16/21)
- Shutting the game down
  If $z$ is asked to the oracle $G$, shut the game down and $B$ returns 1.
  This event will be denoted by AskG.
  If $(m_0, r)$ or $(m_1, r)$ is asked to the oracle $H$, shut the game down and $B$ returns 0.
  This event will be denoted by AskH.
  In any other case, $B$ returns 0 when $A_2$ ends.

37 Security Analysis (17/21)
- If one of the events AskG or AskH happens, $B$ terminates the game.
- Because of the random choice of $r$, $\Pr[\mathrm{AskH}] = O(q_H / 2^t)$ in any case, where $q_H$ is the number of queries asked to the oracle $H$ and $0 \le r < 2^t$.
- Since $G$ and $H$ are seen as random oracles, the attacker has no chance to correctly guess $b$ during a real attack.

38 Security Analysis (18/21)
- In the $\alpha = [w]_g$ case
  If none of the events AskG or AskH occur, then
  $\mathrm{Adv}^A \le \Pr[\mathrm{AskG} \lor \mathrm{AskH} \mid [w]_g = \alpha]$

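39 Security Analysis (19/21)
- In the $\alpha \ne [w]_g$ case
  $z$ is perfectly random (independent of $c$), so $\Pr[\mathrm{AskG}] \le q_G / \psi(n)$, where $q_G$ is the number of queries asked to the oracle $G$, $u \in \mathbb{Z}_n$, $v \in \mathbb{Z}_n^*$ and $z = w g^{-\alpha} v^n \bmod n$.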

40 Security Analysis (20/21)
The advantage of distinguisher $B$ in deciding the $n$-th residuosity classes:

41 Security Analysis (21/21)
Reduction cost: if there exists an active attacker $A$ against semantic security, one can decide $n$-th residuosity classes with an advantage greater than

