Cryptography in Subgroups of $Z_n^*$. Jens Groth, UCLA.


1 Cryptography in Subgroups of $Z_n^*$. Jens Groth, UCLA

2 RSA subgroup: $n = pq = (2p'r_p+1)(2q'r_q+1)$. $G \le Z_n^*$, $|G| = p'q'$. RSA subgroup pair: $(n, g)$ where $g \leftarrow G$. $|p'| = |q'| = 100$.

3 Agenda: RSA subgroup; Strong RSA subgroup assumption; Homomorphic integer commitment; Digital signature; Digital signature II; Decisional RSA subgroup assumption; Homomorphic cryptosystem

4 Strong RSA subgroup assumption: $K$ generates RSA subgroup pair $(n,g)$, $n = pq = (2p'r_p+1)(2q'r_q+1)$, $g \leftarrow G$. Strong RSA subgroup assumption for $K$: Hard to find $u, w \in Z_n^*$ and $e, d > 1$: $g = u w^e$ and $u^d = 1 \pmod{n}$.

5 Homomorphic integer commitment. Public key: $n, g, h$, where $g, h \leftarrow G$. Commit to $m$: $c = g^m h^r$ (small randomizer). Verify opening $(u, e>1, r)$ of $c$ with message $m$: $c = u g^m h^r$ and $u^e = 1$. Homomorphic: $(Uu)\, g^{M+m} h^{R+r} = U g^M h^R \cdot u g^m h^r$ and $(Uu)^{Ee} = 1$. Root extraction: Adversary $c$, $e \neq 0$; opening $c^e$ allows us to open $c$.

6 Signature. Public key: $n, a, g, h$, where $a, g, h \leftarrow G$. Secret key: $p'q'$. Sign $m \in \{0,1\}^l$: $e \leftarrow \mathrm{prime}(\{0,1\}^{l+1})$, $r \leftarrow \{0,\dots,e-1\}$, $y = (a g^m h^r)^{e^{-1} \bmod p'q'}$. Verify signature $(y, e, r)$ on $m$: $y^e = a g^m h^r$. Speedup: Use $e^t$, $t > 1$, allowing smaller prime $e$.

7 Signature II. Public key: $n, a, g$, where $a, g \leftarrow G$. Secret key: $p'q'$. Sign $m \in \{0,1\}^l$: $e \leftarrow \mathrm{prime}(\{0,1\}^{l+1})$, $y = (a g^m)^{e^{-1} \bmod p'q'}$. Verify signature $(y, e)$ on $m$: $y^e = a g^m$. Theorem: Secure against adaptive chosen message attack.

8 Proof: Adversary adaptively queries $m_1, \dots, m_k$ and receives signatures $(y_1, e_1), \dots, (y_k, e_k)$ and forges signature $(y, e)$ on $m$. Two cases: I: $e$ is new; II: $e = e_i$.

9 Proof: e is new (n,  ) RSA subgroup pair e 1,..., e k ← prime({0,1} l+1 ), E =  e i  =  r, a =  E, g =  E Simulated public key: n, a, g On query m i answer (y i,e i ), where y i =  E/e i  mE/e i Forged signature (y,e) on m so y e = ag m =  E(r+m) breaks strong RSA subgroup assumption

10 Proof: e = e i (n,  ) RSA subgroup pair guess i e 1,..., e k ← prime({0,1} l+1 ), E =  j≠i e j a =  rE, g =  E On query m i hope to find l+1-bit prime factor e i of r+m i. Significant probability since r = sp´q´+t. Return y i =  E(r+m i )/e i. Forged signature (y,e i ) on m so y e i = ag m =  E(r+m) breaks strong RSA subgroup assumption

11 Decisional RSA subgroup assumption: $K$ generates RSA subgroup pair $(n,g)$, $n = pq = (2p'r_p+1)(2q'r_q+1)$, $g \leftarrow G$, with $r_p r_q$ $B$-smooth. $|p'| = |q'| = 160$, $B = 2^{15}$. Decisional RSA subgroup assumption for $K$: Hard to distinguish $G$ and $QR_n$.

12 Homomorphic cryptosystem. Public key: $n, g, h$, where $h \leftarrow G$, $g \leftarrow QR_n$. Secret key: $p'q'$, factorization of $\mathrm{ord}(g)$. Encrypt $m$: $c = \pm g^m h^r$. Decrypt $c$: $c^{p'q'} = \pm (g^m h^r)^{p'q'} = \pm (g^{p'q'})^m$. $r_g = \mathrm{ord}(g^{p'q'})$ is $B$-smooth. For all $p_i \mid r_g$ find $m \bmod p_i$ by searching for $m_i$ so $(c^{p'q'})^{r_g/p_i} = \pm (g^{p'q' r_g/p_i})^{m_i}$. Chinese remainder: $m \bmod r_g$.

13 Properties of cryptosystem. Homomorphic: $\pm g^{M+m} h^{R+r} = (\pm g^M h^R)(\pm g^m h^r)$. Root extraction: Adversary $c$, $e \neq 0$; opening $c^e$ allows us to open $c$. Low expansion rate: $|c|/|m|$. Homomorphic integer commitment.
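
An added example, not part of the presentation: the cryptosystem of slides 12 and 13 run on constructed toy parameters ($p'=11$, $q'=17$, $r_p=15$, $r_q=7$, far too small for real use), with decryption done by the per-prime search and Chinese remaindering the slide describes. The function names and the fixed choices $g = 2^2$ and $h = 3^{2 r_p r_q}$ are assumptions of this sketch, and it requires $r_g$ to be squarefree.

```python
# Constructed toy parameters; real sizes are |p'| = |q'| = 160 bits, B = 2^15.
P1, Q1 = 11, 17                        # p', q'
RP, RQ = 15, 7                         # r_p, r_q: r_p*r_q = 3*5*7 is smooth
P, Q = 2*P1*RP + 1, 2*Q1*RQ + 1        # 331 and 239, both prime
N = P * Q
ORD_G = P1 * Q1                        # |G| = p'q' (secret key)
G = pow(2, 2, N)                       # g <- QR_n (a square)
H = pow(3, 2*RP*RQ, N)                 # h <- G: exponent kills all but order p'q'
RG_FACTORS = [3, 5, 7]                 # secret: prime factors of r_g
RG = 3 * 5 * 7                         # r_g = ord(g^{p'q'}) for this g

def encrypt(m, r, sign=1):
    """c = +/- g^m h^r mod n."""
    return sign * pow(G, m, N) * pow(H, r, N) % N

def crt(residues, moduli):
    """Combine m = r_i (mod p_i) for pairwise coprime p_i."""
    m, M = 0, 1
    for r_i, p_i in zip(residues, moduli):
        k = (r_i - m) * pow(M, -1, p_i) % p_i   # lift m to also fit p_i
        m, M = m + M * k, M * p_i
    return m

def decrypt(c):
    """Recover m mod r_g from c using p'q' and the factors of r_g."""
    x = pow(c, ORD_G, N)               # h^{p'q'} = 1, so x = +/-(g^{p'q'})^m
    base = pow(G, ORD_G, N)            # element of order r_g
    residues = []
    for p_i in RG_FACTORS:
        lhs = pow(x, RG // p_i, N)     # lies (up to sign) in subgroup of order p_i
        t = pow(base, RG // p_i, N)    # generator of that subgroup
        # exhaustive search over p_i candidates, accepting either sign
        m_i = next(k for k in range(p_i) if pow(t, k, N) in (lhs, N - lhs))
        residues.append(m_i)
    return crt(residues, RG_FACTORS)
```

The search costs at most the sum of the prime factors of $r_g$ modular exponentiations, which is why the slide requires $r_p r_q$ to be $B$-smooth.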

14 Conclusion: RSA subgroup - strong RSA subgroup assumption - decisional RSA subgroup assumption. Signature $y^e = a g^m h^r$: speedup. Signature II $y^e = a g^m$: secure against CMA. Homomorphic integer commitment $g^m h^r$: speedup. Homomorphic cryptosystem $g^m h^r$.

