Distribution Small - PowerPoint PPT Presentation

Slides: 11
Provided by: cdcInform

Transcript and Presenter's Notes


1
Distribution Small
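$n = 35$, $e = 17$. All possible $n$-adic representations of $r^e \bmod n^2$ for $r \in (\mathbb{Z}/n\mathbb{Z})^\times$:
(1, 0), (32, 34), (33, 18), (9, 0), (6, 13), (8, 34), (4, 29), (16, 33), (17, 30), (13, 12), (11, 2), (12, 29), (23, 17), (24, 24), (22, 4), (18, 31), (19, 13), (31, 32), (27, 17), (29, 3), (26, 11), (2, 28), (3, 27), (34, 16).
The number of occurrences of each second coefficient of $r^e \bmod n^2$ for $0 < r < n$, as (value, count):
(0, 2), (1, 0), (2, 1), (3, 1), (4, 1), (5, 0), (6, 0), (7, 0), (8, 0), (9, 0), (10, 0), (11, 1), (12, 1), (13, 2), (14, 0), (15, 0), (16, 1), (17, 2), (18, 1), (19, 0), (20, 0), (21, 0), (22, 0), (23, 0), (24, 1), (25, 0), (26, 0), (27, 1), (28, 1), (29, 2), (30, 1), (31, 1), (32, 1), (33, 1), (34, 2).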
2
General Conversion (G-RSA)
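Key generation: $(e, n)$ RSA public key, $d$ RSA secret key, $f$ one-way function.
Encryption: message $m \in \{0, 1, 2, \ldots, n-1\}$, choose random $r \in (\mathbb{Z}_n)^\times$, ciphertext $(c_1, c_2) = (r^e \bmod n,\ m \cdot f(r) \bmod n)$.
Decryption: $r = c_1^d \bmod n$, $m = c_2 / f(r) \bmod n$.
  • (1) One-wayness of G-RSA
  • $\Leftrightarrow$ one-wayness of the map $r^e \bmod n$ to $f(r) \bmod n$.
  • (2) Semantic security of G-RSA
  • $\Leftrightarrow$ to distinguish two distributions:
  • Rand $= \{(x, y) \mid x \in (\mathbb{Z}_n)^\times,\ y \in \mathbb{Z}_n\}$, OW $= \{(x^e, f(x)) \mid x \in (\mathbb{Z}_n)^\times\}$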

3
Number Theoretic Problems VI
Define the one-way function $f_{e,n,l}(a) = (a - \mathrm{MSB}_l(a))^e \bmod n$, where $a - \mathrm{MSB}_l(a)$ means the $l$ most significant bits are zeroed.
Computational RSAMSBZ problem: Let $c = m^e \bmod n$. Compute $f_{e,n,l}(m)$, given the RSA key $(n, e)$ and the ciphertext $c$.
Decisional RSAMSBZ problem: Distinguish the two distributions
Rand $= \{(x, y) \mid x \in (\mathbb{Z}_n)^\times,\ y \in \mathbb{Z}_n\}$,
RSAMSBZ $= \{(x^e \bmod n,\ f_{e,n,l}(x)) \mid x \in (\mathbb{Z}_n)^\times\}$.
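[Figure: diagram relating the message $m$, $m - \mathrm{MSB}(m)$ (leading bits 00000), the ciphertext $c = m^e \bmod n$ and $f_{e,n,l}(m)$, labelled "RSA problem" and "RSA-MSBZ problem".]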
4
Assumptions
C-RSAMSBZ assumption: for any adversary $A_{\text{C-RSAMSBZ}}$ we have
D-RSAMSBZ assumption: for any adversary $A_{\text{D-RSAMSBZ}}$ we have
5
RSA-MSBZ Cryptosystem
Key generation: $(e, n)$ RSA public key, $d$ RSA secret key.
Encryption: message $m \in \{0, 1, 2, \ldots, n-1\}$, choose random $r \in (\mathbb{Z}_n)^\times$, ciphertext $(c_1, c_2) = (r^e \bmod n,\ m \cdot f_{e,n,l}(r))$.
Decryption: $r = c_1^d \bmod n$, $m = c_2 / f_{e,n,l}(r) \bmod n$.
  • One-wayness of RSA-MSBZ $\Leftrightarrow$ standard RSA assumption (Perfect)
  • Semantic security of RSA-MSBZ $\Leftrightarrow$ D-RSAMSBZ assumption
  • An adversary that breaks the D-RSAMSBZ problem can compute the least significant bits of nonce s.t. c mod n.

These security results are similar to those of the S-Paillier cryptosystem.
6
Proof for Perfect Oracle
  • Input: $y = r^e \bmod n$. Output: $\mathrm{LSB}(r)$.
  • $O_{\text{C-RSAMSBZ}}(y) = f_{e,n,l}(r)$,
  • $w = y \cdot 2^{-e} \bmod n$, $O_{\text{C-RSAMSBZ}}(w) = f_{e,n,l}(2^{-1} r \bmod n)$,
  • Return 0 if $2^{-e} f_{e,n,l}(r) = f_{e,n,l}(2^{-1} r \bmod n) \bmod n$, else return 1.

Note that $\mathrm{MSB}_l((r+n)/2) \neq \mathrm{MSB}_l(r)/2$.
If $\mathrm{LSB}(r) = 0$, the distribution $((r/2)^e \bmod n,\ ((r - \mathrm{MSB}_l(r))/2)^e \bmod n)$ is not uniform but in RSAMSBZX. Thus we can detect several bits.
7
Security Notions for Public-key Encryption Schemes
Indistinguishability (IND) (semantic security): an adversary cannot learn any information about the plaintext $x$ underlying a challenge ciphertext $y$.
Non-malleability (NM): given a challenge ciphertext $y$, an adversary cannot output a different ciphertext $y'$ such that their plaintexts $x$, $x'$ are meaningfully related ($x' = x + 1$).
Chosen Plaintext Attack (CPA): an adversary can obtain ciphertexts of plaintexts of her choice.
Chosen Ciphertext Attack (CCA): an adversary is allowed to access a decryption oracle at any time.
Security is expressed by combining the goals IND, NM with the attacks CPA, CCA:
IND-CPA, IND-CCA, NM-CPA, NM-CCA.
8
Relationship among the notions
Theorem (Bellare-Desai-Pointcheval-Rogaway 98)
[Figure: diagram of the relations among NM-CPA, NM-CCA, IND-CCA and IND-CPA.]
A → B: if a cryptosystem meets the notion of security A, then it also meets the notion of security B.
Examples: (1) PKCS#1 version 1.5 is not IND-CCA, by the Bleichenbacher attack. (2) The Paillier cryptosystem is IND-CPA but not NM-CPA. (Let $c = (1 + mn)\,y^n \bmod n^2$ be a ciphertext; then $c\,(1 + n)$ is the ciphertext of $m + 1$.)
9
History of IND-CCA public-key cryptosystems
  • Theoretical general construction
    • '91, Dolev-Dwork-Naor (non-malleability)
    • '91, Rackoff-Simon (non-interactive zero-knowledge)
  • Random oracle model
    • '93, Bellare-Rogaway (RSA)
    • '99, Fujisaki-Okamoto-Pointcheval (one-way trapdoor)
    • Others
  • Standard model
    • '98, Cramer-Shoup (Decisional Diffie-Hellman)
    • (No RSA-type schemes)

10
An IND-CCA public-key cryptosystem using RSA
Key generation:
(K1) Let $k$ be the bit-length of $n$. ($k = 1024$, $k_0 = k_1 = 160$)
(K2) Let $(e, n)$ be a public key and $d$ be the secret key of the RSA.
(K3) $g: \{0,1\}^k \to \{0,1\}^{k_0}$, $h: \{0,1\}^{k_0} \times \{0,1\}^k \to \{0,1\}^{k_1}$
Encryption: a message $m$ is chosen from $\{0,1\}^{k_0}$.
(E1) Generate random $r$ in $\{0,1\}^k$.
(E2) $C = r^e \bmod n$, $B = m \oplus g(r)$, $H = h(m, r)$.
(E3) The ciphertext is $(C, B, H)$.
Decryption:
(D1) $r = C^d \bmod n$, $m = B \oplus g(r)$,
(D2) check $H = h(m, r)$; if yes, return $m$ as a message, else reject.
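The scheme on this slide, as an added Python example (not code from the presentation), showing that check (D2) rejects ciphertexts modified in any of the three components, including the multiplicative change $C \cdot 2^e$ that plain RSA would accept. Assumptions: a toy modulus built from two Mersenne primes instead of $k = 1024$, and $g$, $h$ modelled as domain-separated, truncated SHA-256.

```python
import hashlib
import secrets

# Toy RSA key, constructed for this example (far too small for real use).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K0 = K1 = 160                                # bit lengths from step (K1)
NBYTES = (N.bit_length() + 7) // 8

def _hash(tag: bytes, data: bytes, bits: int) -> int:
    # Assumption: g and h are instantiated as SHA-256 with a tag, truncated.
    digest = hashlib.sha256(tag + data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)

def g(r: int) -> int:                        # g: {0,1}^k -> {0,1}^k0
    return _hash(b"g", r.to_bytes(NBYTES, "big"), K0)

def h(m: int, r: int) -> int:                # h: {0,1}^k0 x {0,1}^k -> {0,1}^k1
    data = m.to_bytes(K0 // 8, "big") + r.to_bytes(NBYTES, "big")
    return _hash(b"h", data, K1)

def encrypt(m: int):
    r = secrets.randbelow(N - 1) + 1         # (E1) random r, kept below n
    return pow(r, E, N), m ^ g(r), h(m, r)   # (E2), (E3): (C, B, H)

def decrypt(ct):
    C, B, H = ct
    if B >> K0:                              # malformed B: longer than k0 bits
        return None
    r = pow(C, D, N)                         # (D1)
    m = B ^ g(r)
    return m if h(m, r) == H else None       # (D2): None means reject

if __name__ == "__main__":
    m = int.from_bytes(b"constructed message!", "big")   # 20 bytes = k0 bits
    C, B, H = encrypt(m)
    print("round trip ok:", decrypt((C, B, H)) == m)
    print("B tampered   :", decrypt((C, B ^ 1, H)))
    print("C * 2^e      :", decrypt((C * pow(2, E, N) % N, B, H)))
```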