1 Public-Key Cryptosystems Based on Composite Degree Residuosity Classes
Author: Pascal Paillier
Presenter: 廖俊威
[Published in J. Stern, Ed., Advances in Cryptology - EUROCRYPT'99, vol. 1592 of Lecture Notes in Computer Science, pp. 223-238, Springer-Verlag, 1999.]
2 Outline
Introduction
Notation and math. assumption
Scheme 1
Scheme 2
Scheme 3
Properties
Conclusion
3 Introduction (1/2)
Two main trapdoor techniques
–RSA
–Diffie-Hellman
A new technique is proposed
–Composite Residuosity
A new computational problem is proposed
–Composite Residuosity Class Problem
4 Introduction (2/2)
Three homomorphic encryption schemes built on the above assumption are proposed, among them a new trapdoor permutation. They satisfy semantic security; however, the author does not prove it.
5 Notation and math. assumption (1/10)
p, q are two large primes.
n = pq [ex: 35 = 5*7]
Euler phi-function: ψ(n) = (p-1)(q-1) [= 4*6 = 24]
Carmichael function: λ(n) = lcm(p-1, q-1) [λ(35) = lcm(4,6) = 12]
|Z*_{n²}| = ψ(n²) = nψ(n) [= n²(1-1/p)(1-1/q)]
Any w ∈ Z*_{n²} satisfies
–w^λ = 1 mod n [6^12 mod 35 = 1]
–w^{nλ} = 1 mod n [6^(35*12) mod 35 = 1]
6 Notation and math. assumption (2/10)
RSA[n,e] problem
–Extracting e-th roots modulo n where n = pq
n-th residue modulo n²
–A number z is an n-th residue modulo n² if there exists a number y ∈ Z*_{n²} such that z = y^n mod n²
CR[n] problem
–deciding n-th residuosity
Like the problems of deciding quadratic or higher-degree residuosity, CR[n] is random-self-reducible.
–All of its instances are polynomially equivalent.
Decisional composite residuosity assumption: there exists no polynomial-time distinguisher for n-th residues modulo n², i.e. CR[n] is intractable.
7 Notation and math. assumption (3/10)
8 Notation and math. assumption (4/10)
If order(g) = kn for some nonzero k, i.e. the order of g is a nonzero multiple of n, then ε_g is bijective.
–Domain and co-domain both have order nψ(n) and the function is one-to-one.
9 Notation and math. assumption (5/10)
10 Notation and math. assumption (6/10)
Class[n,g] problem
–computing the class function in base g
–given w ∈ Z*_{n²}, compute [w]_g
–random-self-reducible problem
–the bases g are independent
11 Notation and math. assumption (7/10)
Class[n] problem
–composite residuosity class problem
–given w ∈ Z*_{n²}, g ∈ B, compute [w]_g
Class[n] Fact[n]
12 Notation and math. assumption (8/10)
13 Notation and math. assumption (9/10)
Class[n] RSA[n,n]
D-Class[n] problem
–decisional Class[n] problem
–given w ∈ Z*_{n²}, g ∈ B, x ∈ Z_n, decide whether x = [w]_g or not
14 Scheme 1 (1/6)
New probabilistic encryption scheme
15 Scheme 1 (2/6)
16 Scheme 1 (3/6)
One-way function
–Given x, computing f(x) = y is easy.
–Given y, finding x s.t. f(x) = y is hard.
One-way trapdoor function
–f() is a one-way function.
–Given a secret s and y, finding x s.t. f(x) = y is easy.
Trapdoor permutation
–f() is a one-way trapdoor function.
–f() is bijective.
17 Scheme 1 (4/6)
18 Scheme 1 (5/6)
Scheme 1 is one-way ⇔ the Computational composite residuosity assumption (Class[n] problem) holds.
–Inverting the scheme is, by definition, the composite residuosity class problem.
19 Scheme 1 (6/6)
Scheme 1 is semantically secure ⇔ the Decisional composite residuosity assumption (CR[n] problem) holds.
–m₀, m₁: known messages.
–c: ciphertext of either m₀ or m₁.
–[w]_g = 0 iff w is an n-th residue modulo n².
–c = ε_g(m₀, r) iff c·g^{-m₀} mod n² is an n-th residue modulo n².
–Vice-versa.
20 Scheme 2 (1/5)
New one-way trapdoor permutation
21 Scheme 2(2/5)
22 Scheme 2(3/5)
23 Scheme 2(4/5)
24 Scheme 2 (5/5)
Digital Signatures
25 Scheme 3 (1/4)
Reduces decryption cost by restricting the ciphertext space Z*_{n²} to a subgroup of smaller order.
26 Scheme 3(2/4)
27 Scheme 3 (3/4)
PDL[n,g] problem
–Partial discrete logarithm problem
–Given w in the restricted subgroup of Z*_{n²}, compute [w]_g
D-PDL[n,g] problem
–Decisional partial discrete logarithm problem
–Given w in the restricted subgroup of Z*_{n²} and x ∈ Z_n, decide whether [w]_g = x.
28 Scheme 3 (4/4)
Scheme 3 is one-way ⇔ PDL[n,g] is hard.
Scheme 3 is semantically secure ⇔ D-PDL[n,g] is hard.
29 Properties (1/3)
Random-Self-Reducibility
–A good algorithm for the average case implies a good algorithm for the worst case.
30 Properties (2/3)
Additive Homomorphic Properties
31 Properties (3/3)
Self-Blinding
–Any ciphertext can be publicly changed into another one without affecting the plaintext.
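As an added example (not part of the presentation or of Paillier's paper), the following Python implements Scheme 1 so that the n-th residue test of slide 19, the additive homomorphism of slide 30 and the self-blinding of slide 31 can be checked on real numbers; it assumes the standard choice g = n + 1 (whose order in Z*_{n²} is exactly n, so g ∈ B), and the function names are my own.

```python
from math import gcd
from secrets import randbelow

def L(u, n):
    # L(u) = (u - 1) / n, defined for u ≡ 1 (mod n)
    return (u - 1) // n

def keygen(p, q, g=None):
    # Assumption: g = n + 1 has order exactly n in Z*_{n²}, so it lies in B (slide 8)
    n = p * q
    assert gcd(n, (p - 1) * (q - 1)) == 1, "Paillier needs gcd(n, psi(n)) = 1"
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # Carmichael λ(n) = lcm(p-1, q-1)
    g = n + 1 if g is None else g
    mu = pow(L(pow(g, lam, n * n), n), -1, n)       # (L(g^λ mod n²))^-1 mod n
    return (n, g), (n, lam, mu)

def encrypt(pk, m, r=None):
    # ε_g(m, r) = g^m · r^n mod n², with r a random unit modulo n
    n, g = pk
    if r is None:
        r = next(x for x in iter(lambda: randbelow(n), None) if gcd(x, n) == 1)
    assert 0 < r < n and gcd(r, n) == 1
    return pow(g, m % n, n * n) * pow(r, n, n * n) % (n * n)

def decrypt(sk, c):
    # [c]_g = L(c^λ mod n²) / L(g^λ mod n²) mod n
    n, lam, mu = sk
    return L(pow(c, lam, n * n), n) * mu % n

def is_nth_residue(sk, w):
    # Slide 19: [w]_g = 0 iff w is an n-th residue modulo n²
    return decrypt(sk, w) == 0

def is_encryption_of(pk, sk, c, m0):
    # Slide 19: c = ε_g(m0, r) for some r iff c·g^{-m0} mod n² is an n-th residue
    n, g = pk
    return is_nth_residue(sk, c * pow(g, -m0, n * n) % (n * n))

def add_ciphertexts(pk, c1, c2):
    # Additive homomorphism (slide 30): decrypts to m1 + m2 mod n
    return c1 * c2 % (pk[0] ** 2)

def reblind(pk, c, r):
    # Self-blinding (slide 31): c · r^n mod n² is a fresh ciphertext of the same plaintext
    n, _ = pk
    assert gcd(r, n) == 1
    return c * pow(r, n, n * n) % (n * n)
```

With the toy parameters of slide 5, keygen(5, 7) gives n = 35, λ = 12, and decrypt(sk, add_ciphertexts(pk, encrypt(pk, 12), encrypt(pk, 30))) returns (12 + 30) mod 35 = 7.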
32 Conclusion (4/4)
A new number-theoretic problem, Class[n], is proposed.
Trapdoor mechanisms based on composite degree residues.
Although no proof is given that the author's schemes resist CCA, the author believes that small modifications to Schemes 1 and 3 would resist CCA, and that this could be proven via the random oracle model.
33 In mathematics, a bijection, or a bijective function, is a function f from a set X to a set Y with the property that, for every y in Y, there is exactly one x in X such that f(x) = y.