1. Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Presenter: 陳國璋 EUROCRYPT'99, LNCS 1592, pp. 223-238, 1999. By Pascal Paillier Efficient Public-Key Cryptosystem Provably Secure against Active Adversaries ASIACRYPT'99, LNCS 1716, pp. 165-179, 1999. By Pascal Paillier and David Pointcheval

2. Outline  Introduction  Notation and math. assumption  Scheme 1  Scheme 2  Scheme 3  Properties  Conclusion

3. Introduction(1/2)  兩個主要的 Trapdoor 技術 RSA Diffie-Hellman  提出新的技術 Composite Residuosity  提出新的計算性問題 Composite Residuosity Class Problem

4. Introduction(2/2)  提出 3 個架構在上述假設的同態加密機制 (Homomophic encryption schemes), 之中包含一個新的 trapdoor permutation  作者提出證明, scheme 具有抵抗 adaptive chosen-ciphertext attack(IND-CCA2) in the random oracle.

5. Outline  Introduction  Notation and math. assumption  Scheme 1  Scheme 2  Scheme 3  Properties  Conclusion

6. Notation(1/3)  p, q are two large primes.  n = pq  Euler phi-function ψ(n) = (p-1)(q-1)

7. Notation(2/3)  Carmichael function λ(n) = lcm(p-1,q-1)  |Z n 2 *| = ψ(n 2 ) = nψ(n)  By Carmichael theorem, Any w ∈ Z n 2 *, w λ = 1 mod n w nλ = 1 mod n 2

8. Notation(3/3)  RSA[n,e] problem c = m e mod n Extracting e th roots modulo n.  Relation P 1 P 2 (resp. P 1 ≡ P 2 ) will denoted that problem P 1 is polynomial reducible to the problem P 2.

9. Deciding Composite Residuosity (1/5)  n th residue modulo n 2 A number z is the n th residue modulo n 2 if there exist a number y such that z = y n mod n 2

10. Deciding Composite Residuosity (2/5)  CR[n] problem deciding n th residuosity. Distinguishing n th residues from non n th residues.  The CR[n] problem of deciding quadratic or higher degree residuosity, it is a random-self-reducibility problem.

11. Deciding Composite Residuosity (3/5)  self-reducible A function f evaluating any instance x can be reduced in polynomial time to the evaluation of f on one or more random instances y i.

12. Deciding Composite Residuosity (4/5)  Random-self-reducible In the domain of f, an arbitrary worst-case instance x is mapped to a random set of instances y 1, …,y k. f(x) can be computed in polynomial time, and then f(y 1 ), …,f(y k ) are taking the average with respect to the induced distribution on y i. The average case complexity of f is the same as the worse case randomized complexity of f. All of its instances are polynomially equivalent.

13. Deciding Composite Residuosity (5/5)  There exists no polynomial time distinguisher for n th residues modulo n 2, i.e. CR[n] is intractable.

14. Computing Composite Residuosity Class(1/13)  g ∈ Z n 2 *  ε g : Z n × Z n * → Z n 2 * be a integer- valued function defined by ε g (x,y) = g x y n mod n 2

15. Computing Composite Residuosity Class(2/13)  B α ⊂ Z n 2 * The set of elements of order nα  Set B is their disjoint union for α=1, …,λ

16. Computing Composite Residuosity Class(3/13)  If the order of g is a nonzero multiple of n them ε g is bijective. ε g : Z n × Z n * → Z n 2 * by ε g (x,y) = g x y n mod n 2 Two groups Z n × Z n * and Z n 2 * have the same order nψ(n). i.e. ε g is surjective.

18. Computing Composite Residuosity Class(5/13)

19. Computing Composite Residuosity Class(6/13)    

20. Computing Composite Residuosity Class(7/13)  Class[n,g] problem n th Residuosity Class Problem of base g Computing the class function in base g given w ∈ Z n 2 *, compute [w] g random-self-reducible problem the bases g are independent

21. Computing Composite Residuosity Class(8/13)  Class[n,g] problem is random-self- reducible problem over w ∈ Z n 2 * Easily transform any w ∈ Z n 2 * into a random instance w ’ ∈ Z n 2 * with uniform distribution. By w ’ =wg α β n mod n 2 where αandβ are taken uniform at random over Z n. After [w ’ ] g has been computed, it is so simply to return [w] g =[w ’ ] g -α mod n.

22. Computing Composite Residuosity Class(9/13)  Class[n,g] is random-self-reducible over g ∈ B, i.e. ∀ g 1,g 2 ∈ B,Class[n,g 1 ] ≡ Class[n,g 2 ]  For Class[n,g] problems, the bases g are independent. We can to look upon it as a computational problem which purely relies on n.  Class[n] problem Computational composite residuosity class problem given w ∈ Z n 2 * and g ∈ B, compute [w] g

23. Computing Composite Residuosity Class(10/13)    

24. Computing Composite Residuosity Class(11/13)   D-Class[n] problem decisional Class[n] problem given w ∈ Z n 2 *,g ∈ B, x ∈ Z n, decide whether x=[w] g or not 

25. Computing Composite Residuosity Class(12/13)  Fact[n] The factorization of n.  RSA[n] c = m e mod n Extracting e th roots modulo n  CR[n] deciding n th residuosity.

26. Computing Composite Residuosity Class(13/13)  Class[n] Computational composite residuosity class problem given w ∈ Z n 2 * and g ∈ B, compute [w] g  D-Class[n] decisional Class[n] problem given w ∈ Z n 2 *,g ∈ B, x ∈ Z n, decide whether x=[w] g or not 

27. Notions of Security(1/3)  Indistinguishability of encryption(IND)  Non-malleability(NM) Given the encryption of a plaintext x, the attack cannot produce the encryption of a meaningfully related plaintext x ’.(For example, x ’ =x+1)

28. Notions of Security(2/3)  Chosen-plaintext attack (CPA)  Non-adaptive chosen-ciphertext attack (CCA1)  Adaptive chosen-ciphertext attack (CCA2)  IND-CCA2 and NM-CCA2 are strictly equivalent notions.

29. Notions of Security(3/3)

30. Random Oracle Model  Hash functions are considered to be ideal. i.e. perfect random.  From a security viewpoint, this impacts by giving the attacker an additional access to the random oracles of the scheme.

31. Outline  Background  Notation and math. assumption  Scheme 1  Scheme 2  Scheme 3  Properties  Conclusion

32. Scheme 1(1/4)  New probabilistic encryption scheme 

33. Scheme 1 (2/4)

34. Scheme 1 (3/4)  One-way function Given x, to compute f(x) = y is easy. Given y, to find x s.t. f(x) = y is hard.  One-way trapdoor f() is a one-way function. Given a secret s, given y, to find x s.t. f(x) = y is easy.  Trapdoor permutation f() is a one-way trapdoor. f() is bijective.

35. Scheme 1 (4/4)

36. Security Analysis(1/21)  Against an adaptive chosen- ciphertext attack.(IND-CCA2)  In the scenario, the adversary makes of queries of her choice to a decryption oracle during two stages.

37. Security Analysis(2/21)  The first stage, the find stage Attacker chooses two messages. Requests encryption oracle to encrypted one of them. the encryption oracle makes the secret choice of which one.

38. Security Analysis(3/21)  The second stage, the guess stage To query the decryption oracle with ciphertext of her choice.  Finally, she tell her guess about the choice the encryption oracle made.

39. Security Analysis(4/21)  Random oracle A t-bit random number Two hash functions  G, H: {0,1}* → {0,1} |n|

40. Security Analysis(5/21)  Provided t=Ω(|n| δ ) for δ>0, Scheme 1 is semantically secure against adaptive chosen-ciphertext attacks (IND-CCA2) under the Decision Composite Residuosity assumption (D-Class assumption) in the random oracle.  D-Class[n] decisional Class[n] problem given w ∈ Z n 2 *,g ∈ B, x ∈ Z n, decide whether x=[w] g or not

41. Security Analysis(6/21)  An adversary A=(A 1,A 2 ) against semantic security of scheme 1. A 1 : the find stage A 2 : the guess stage  This adversary to efficiently decide n th residuosity classes.

42. Security Analysis(7/21)  Oracle G Indistinduishability of encryption  Oracle H Adaptive attack

43. Security Analysis(8/21)  Simulation of the Decryption Oracle The attacker asks for aciphertext c to be decrypted. The simulator checks in the query- history from the random oracle H. Whether some entry leads to the ciphertext c and then return m; otherwise, it return “ failure ”.

44. Security Analysis(9/21)  Quasi-perfect simulation The probability of producing a valid ciphertext without asking the query (m,r) to the random oracle H (whose answer a has to satisfy the test a n = z mod n) is upper bounded by 1/ψ(n) ≦ 2/n, which is clearly negligible.

45. Security Analysis(10/21)  Initialization n=pq, g ∈ Z n 2 * Public: n,g Private: λ

46. Security Analysis(11/21)  Encryption Plaintext: m < 2 |n|-t-1 Randomly select r < 2 t z=H(m,r) n mod n 2 M=m||r +G(z mod n) mod n Ciphertext: c=g M z mod n 2

47. Security Analysis(12/21)  Decryption Ciphertext: c=g M z mod n 2 ∈ Z n 2 * M=[L(c λ mod n 2 )/L(g λ mod n 2 )] mod n z ’ =g -M c mod n m ’ ||r ’ =M-G(z ’ ) mod n If H(m ’,r ’ ) n = z ’ mod n, then the plaintext is m ’ Otherwise, output “ failure ”

48. Security Analysis(13/21)  Attacker A to design a distinguisher B for n th residuosity class.  (w,α) is a instance of the D-Class problem, where α is the n th residuosity class of w.  D-Class[n] decisional Class[n] problem given w ∈ Z n 2 *,g ∈ B, α ∈ Z n, decide whether α=[w] g or not

49. Security Analysis(14/21)  Distinguisher B(1/2) Randomly chooses u ∈ Z n, v ∈ Z n *, 0 ≦ r<2 t. Compute the follows  z=wg -α v n mod n  c=wg u v n mod n 2 Run A 1 and gets two messages m 0,m 1

50. Security Analysis(15/21)  Distinguisher B(2/2) Chooses a bit b Run A 2 on the ciphertext c, supposed to the ciphertext of m b and using the random r.

51. Security Analysis(16/21)  Shut this game down z is asked to the oracle G, shut this game down and B return 1.  This event will be denote by AskG If (m 0,r) or (m 1,r) are asked to the oracle H, shut this geme down and B return 0.  This event will be denote by AskH In any other case, B return 0 when A 2 end.

52. Security Analysis(17/21)  One event AskG or AskH is likely to happen, B terminate the game.  The random choice of r, Pr[AskH]=O(q H /2 t ) in any case, q H =#(queries asked to the oracle H) and 0 ≦ r<2 t.  G and H are seen like random oracles, the attacker has no chance to correctly guess b, during a real attack.

53. Security Analysis(18/21)  In α=[w] g case If none of the events AskG or AskH occur, then  AdvA ≦ Pr[ AskG ∨ AskH | [w]g = α]

54. Security Analysis(19/21)  In α≠[w] g case z is perfectly random (independent of c), then Pr[AskG] ≦ q G /ψ(n), q G =#(queries asked to the oracle G) and u ∈ Z n, v ∈ Z n *, z=wg -α v n mod n

55. Security Analysis(20/21) The advantage of distinguisher B in deciding the n th residuosity classes:

56. Security Analysis(21/21) Reduction Cost –If there exists an active attacker A against semantic security, one can decide n th residuosity classes with an advantage greater then