Some RSA-based Encryption Schemes with Tight Security Reduction - PowerPoint PPT Presentation

About This Presentation
Title:

Some RSA-based Encryption Schemes with Tight Security Reduction

Description:

Some RSA-based Encryption Schemes with Tight Security Reduction Kaoru Kurosawa, Ibaraki University Tsuyoshi Takagi, TU Darmstadt One-wayness and Semantic-security One ... – PowerPoint PPT presentation

Number of Views:127
Avg rating:3.0/5.0
Slides: 16
Provided by: Tsuy9
Learn more at: https://www.iacr.org
Category:

less

Transcript and Presenter's Notes

Title: Some RSA-based Encryption Schemes with Tight Security Reduction


1
Some RSA-basedEncryption Schemes withTight
Security Reduction
  • Kaoru Kurosawa, Ibaraki University
  • Tsuyoshi Takagi, TU Darmstadt

2
One-wayness and Semantic-security
  • One-wayness E(m) ? m is hard.
  • Semantic security IND-CPA (CCA)
  • E(m) ? any information on m is hard against
    CPA (CCA).

3
Random Oracle Model
  • Hash function H is treated as a random function
    in the random oracle model.
  • However,
  • RO model proof is heuristic.
  • If we replace RO to a practical hash function,
  • then the proof is no longer valid.

4
IND-CCA in the Standard Model
  • Cramer-Shoup schemes
  • 1. (Crypto98) Decisional DH assumption.
  • One-wayness DH assumption.
  • RSA-based IND-CCA scheme is unknown!

5
RSA-based IND-CPA schemes
  • In the Standard Model,
  • 1. RSA-Paillier scheme is IND-CPA
  • One-wayness RSA
  • (Catalano et al., Asiacrypt02)
  • 2. Rabin-Paillier scheme is IND-CPA
  • One-wayness Factoring Blum integers
  • (Galindo et al., PKC03)

in this talk
6
Our result
Let e be a success probability that breaks the
one-wayness of Rabin-Paillier scheme.
Proof Technique Factoring Probability
Galindo et al. (PKC03) e2 - LLL,
RSA-Paillier Proposed proof
e - totally elemental
7
RSA-Paillier scheme
  • (Public-key) N ( pq) and e.
  • (Secret key) d ( e-1 mod (p-1)(q-1))
  • (Plaintext) m ? ZN
  • (Ciphertext) For random r ?R ZN,
  • C re mN mod N2. ---- (1)
  • (Decryption) r Cd mod N,
  • m (C re mod N2)/N.

8
Security of RSA-Paillier
  • Proposition 1 (Semantic Security)
  • IND-CPA if re mod N2 r ? ZN and
  • re mod N2 r ? ZN2 are indistinguishable.
  • Proposition 2 (One-wayness)
  • One-wayness breaking RSA.
  • (Catalano et al., Asiacrypt02)

Two oracle calls are required gt reduction
probability e2.
9
Rabin-Paillier scheme
  • (Public-key) N ( pq), Blum integer
  • (Secret key) p,q, d ( e-1 mod (p-1)(q-1))
  • (Plaintext) m ? ZN
  • (Ciphertext) r ?R SQN s2 mod n s? ZN ,
  • C r2e mN mod N2. ---- (2)
  • (Decryption) A Cd mod N,
  • find the unique solution r? SQN of r2 A mod
    N,
  • m (C r2e mod N)/N.

10
Security of Rabin-Paillier
  • Proposition 1 (Semantic Security)
  • IND-CPA if r2e mod N2 r ? SQN and
  • r2e mod N2 r? SQN2 are indistinguishable.
  • Proposition 2 (One-wayness)
  • One-wayness breaking factoring.
  • (Galindo et al., PKC 2003)

The same proof technique with RSA-Paillier gt
reduction prob. e2.
11
Our Proof
  • Let O be an Oracle that find m from C with
    prob.e.
  • We will show a factoring algorithm A by using O.
  • On input N,
  • 1. Choose fake r ? Zn and m ? Zn s.t. (r/N)
    -1
  • 2. Query C r2e mN mod N2 to oracle O.
  • 3. O answers proper m s.t. C r2e mN mod N2,
  • with prob. e, where r ? SQN.

12
Our Proof (Cont.)
  • Note that C r2e r2e mod N.
  • Thus, r2 r2 yN in Z for some -nltyltn.
  • 4. A computes y.
  • x r2
  • w C - mN r2e (x yN)e mod N2.
  • xe exe-1yN
    mod N2.
  • Thus, y (exe-1)-1 ((w-xe mod N2)/N) mod N.

13
Our Proof (Cont.)
  • 6. A computes r
  • by solving quadratic equation r2 x yN in
    Z.
  • 7. Finally, A computes gcd(r - r,N) p or q,
  • because r2 r2 mod N with r ? SQN
  • and r ? Zn s.t. (r/N) -1.

A has asked oracle O only once gt reduction
probability e.
14
Concluding Remarks
  • 1. We proposed a tight reduction algorithm for
    Rabin-Paillier cryptosystem.
  • 2. A similar result with the following variant
  • C (r a/r)e mN mod N2,
  • where (a/p) (a/q) -1.
  • 3. An IND-CCA variant in RO-model is
  • C (r2e mN mod N2 ) H(r,m).
  • It is still IND-CPA OW in standard model.

15
RSA-based IND-CCA schemes in RO Model
Let e be a success probability breaking IND-CCA
scheme.
Schemes - reduced problem Reduction
Probability RSA-OAEP (Crypto01) e
2 - RSA Problem SAEP (Crypto01)
e - Factoring
Write a Comment
User Comments (0)
About PowerShow.com