Title: Paillier Cryptosystem [99]
1 Paillier Cryptosystem [99]
Key generation: RSA modulus $n$, secret key $d = n^{-1} \bmod \phi(n)$.
Encryption: message $m \in \{0, 1, 2, \dots, n-1\}$, randomly choose $r \in (\mathbb{Z}/n\mathbb{Z})^*$,
ciphertext $c = (1 + mn)\, r^n \bmod n^2$.
Decryption: $r = c^d \bmod n$, $m = L(c\, r^{-n} \bmod n^2)$, where $L(x) = (x-1)/n$.
Some properties:
(1) $f(r,m) = r^n (1 + mn) \bmod n^2$ is homomorphic in $r$ and $m$, namely $f(r_1,m_1)\, f(r_2,m_2) = f(r_3,m_3)$, where $r_3 = r_1 r_2 \bmod n$ and $m_3 = m_1 + m_2 \bmod n$.
(2) $|(\mathbb{Z}/n^2\mathbb{Z})^*| = n\, \phi(n)$.
(3) The order of $(1 + mn)$ modulo $n^2$ is $n$, where $m \in (\mathbb{Z}/n\mathbb{Z})^*$.
(4) The order of $r^n \bmod n^2$ is a divisor of $\phi(n)$.
(5) $r^n \bmod n^2 = (r + zn)^n \bmod n^2$ for any integer $z$.
(6) Assume $\gcd(p, (q-1)/2) = 1$. If we know an element $g$ whose order modulo $n^2$ is $p$, then the modulus $n$ can be factored using $g$.
2 Simplified Paillier Cryptosystem [01]
Key generation: RSA public key $(e, n)$, RSA secret key $d$.
Encryption: message $m \in \{0, 1, 2, \dots, n-1\}$, randomly choose $r \in (\mathbb{Z}/n\mathbb{Z})^*$,
ciphertext $c = (1 + mn)\, r^e \bmod n^2$.
Decryption: $r = c^d \bmod n$, $m = L(c\, r^{-e} \bmod n^2)$, where $L(x) = (x-1)/n$.
Toy example.
Key generation: $p = 47$, $q = 53$, $n = 2491$, $e = 3$ $\Rightarrow$ $d = 1595$.
Encryption: $r = 1089$, $r^e \bmod n^2 = 811121$, $c = (1 + 777n) \cdot 811121 \bmod n^2 = 2255901$.
Decryption: $r = c^d \bmod n = 1089$, $m = L(c\, r^{-e} \bmod n^2) = 777$.
3 Security of the S-Paillier Scheme
One-way assumption of S-Paillier: for any adversary $A^{OW}$ we have
Semantic security of S-Paillier: for any adversary $A^{SS}$ we have
4 Number Theoretic Problem III
Computational $e$-th Root (C-R) problem: Let $c = r^e \bmod n^2$. Compute $r \bmod n^2$, for given RSA key $(n, e)$ and ciphertext $c$.
Computational $e$-th Root (C-R) assumption: for any adversary $A^{C\text{-}SR}$ we have
Theorem 1: solving the C-R problem $\Rightarrow$ breaking the one-wayness of S-Paillier (the direction $\Leftarrow$ is unknown).
Theorem 2: solving the C-R problem $\Leftarrow$ solving the RSA problem (the direction $\Rightarrow$ is unknown).
5 Number Theoretic Problem IV
Decisional Small $e$-th Root (D-SR) problem: Distinguish the two distributions
$\mathrm{Rand} = \{ x \mid x \in (\mathbb{Z}/n^2\mathbb{Z})^* \}$ and
$\mathrm{Small} = \{ y = x^e \bmod n^2 \mid x \in (\mathbb{Z}/n\mathbb{Z})^* \}$.
Decisional Small $e$-th Root (D-SR) assumption: for any adversary $A^{D\text{-}DpdRSA}$ we have
Theorem 3: The S-Paillier scheme is semantically secure under the D-SR assumption.
We can use a small encryption exponent $e$.
6 S-Paillier Scheme is semantically secure under the D-SR assumption
We prove that if the advantage of $A^{SS}$ is not negligible then the advantage of the adversary $A^{SP}$ is also not negligible.
- Algorithm: adversary $A^{SP}$
- Input: $n$, $x \in (\mathbb{Z}/n^2\mathbb{Z})^*$
- Output: 1 if $x$ is in Small, 0 if $x$ is in Rand
- $m_0, m_1 \leftarrow A^{SS}_1(n, e)$
- $b \leftarrow \{0, 1\}$
- $r \leftarrow A^{SS}_2(m_0, m_1, x(1 + m_b n))$
- If $b = r$ then return 1, else return 0.
If $x \in \mathrm{Rand}$ then the distribution of $x(1 + m_b n)$ is random and $A^{SS}_2$ cannot distinguish $m_0, m_1$:
$\Pr[A^{SP}(x \in \mathrm{Rand}) = 1] = 1/2$.
If $x \in \mathrm{Small}$, then $x(1 + m_b n)$ is a ciphertext of $m_b$ and $A^{SS}_2$ can distinguish $m_0, m_1$:
$\Pr[A^{SP}(x \in \mathrm{Small}) = 1] = 1/2 + \mathrm{Adv}(A^{SS}_2)/2$.
$\mathrm{Adv}(A^{SP}) = \left| \Pr[A^{SP}(x \in \mathrm{Small}) = 1] - \Pr[A^{SP}(x \in \mathrm{Rand}) = 1] \right| = \mathrm{Adv}(A^{SS}_2)/2$.
7 One-wayness vs. Semantic Security
Let $n$ be a $k$-bit RSA modulus.
Abbreviations: QR: Quadratic Residuosity; C-DRSA: Computational Dependent RSA; D-DRSA: Decisional Dependent RSA; C-R: Computational $e$-th Root; D-SR: Decisional Small $e$-th Root.
Scheme       Plaintext size   One-wayness   Semantic Security
HC-RSA       log k bits       RSA           RSA
D-RSA        k bits           C-DpdRSA      D-DpdRSA
S-Paillier   k bits           ? (C-R)       D-SR
- Their one-wayness, except for HC-RSA, is not equivalent to the RSA assumption.
- The relationship between a computational problem and its decisional problem has not been well studied.
There are some solutions for these questions [ST02].
8 New Security Results
- One-wayness of S-Paillier $\Leftrightarrow$ RSAaprx assumption
- RSAaprx assumption $\Leftrightarrow$ standard RSA assumption
- D-SR assumption $\Leftrightarrow$ D-RSA-RSAaprx assumption
- An adversary that breaks D-SR can compute the least significant bits of the nonce from $c \bmod n$.
Scheme       Plaintext size   One-wayness   Semantic Security
HC-RSA       log k bits       RSA           RSA
Dpd-RSA      k bits           C-DpdRSA      D-DpdRSA
S-Paillier   k bits           RSA           D-RSA-RSAaprx
9 Number Theoretic Problems V
Denote by $a_0 + n\, a_1$ the $n$-adic representation of $a$ in $\mathbb{Z}_{n^2}$, and write $[a]_0 = a_0$, $[a]_1 = a_1$.
RSA Approximation (RSAaprx) problem: Let $c = m^e \bmod n$. Compute $[m^e \bmod n^2]_1$, for given RSA key $(n, e)$ and ciphertext $c$.
Decisional RSA-RSAaprx problem: Distinguish the two distributions
$\mathrm{Rand} = \{ (x, y) \mid x \in (\mathbb{Z}/n\mathbb{Z})^*, y \in \mathbb{Z}_n \}$ and
$\mathrm{RSAaprx} = \{ (x^e \bmod n,\ [x^e \bmod n^2]_1) \mid x \in (\mathbb{Z}/n\mathbb{Z})^* \}$.
(Figure: message $m$; $m^e \bmod n^2 = [m^e]_0 + n\, [m^e]_1$; the RSA problem concerns the ciphertext $c = m^e \bmod n$, the RSAaprx problem the digit $[m^e \bmod n^2]_1$.)
10 Assumptions
RSAaprx assumption: for any adversary $A^{RSAaprx}$ we have
D-RSA-RSAaprx assumption: for any adversary $A^{D\text{-}SR}$ we have
11 Proof for Perfect Oracle
- Input: $b_0 = r^e \bmod n$. Output: $\mathrm{LSB}(r)$.
- 1. $O_{RSAaprx}(b_0) \to b_1$
- 2. $a_0 = b_0 \cdot 2^{-e} \bmod n$, $O_{RSAaprx}(a_0) \to a_1$
- 3. Return 0 if $a_0 + n\, a_1 = 2^{-e}(b_0 + n\, b_1) \bmod n^2$, else return 1.
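As an added example (not the speaker's code), the toy S-Paillier parameters of slide 2 and the perfect-oracle LSB reduction of slide 11 in Python; the RSAaprx oracle is simulated by a brute-force table over $(\mathbb{Z}/n\mathbb{Z})^*$, which only a toy modulus allows, and the function names are my own.

```python
from math import gcd

# Added example: S-Paillier with the slides' toy key (p=47, q=53, e=3) and a
# simulation of the perfect-oracle LSB reduction. Not the speaker's code.

def L(x, n):
    """Paillier's L function, L(x) = (x - 1) / n for x = 1 mod n."""
    return (x - 1) // n

def s_paillier_encrypt(n, e, m, r):
    """c = (1 + m n) r^e mod n^2 (e = n gives the original Paillier scheme)."""
    n2 = n * n
    return (1 + m * n) * pow(r, e, n2) % n2

def s_paillier_decrypt(n, e, d, c):
    """Recover the nonce with the RSA secret key, then strip it off."""
    n2 = n * n
    r = pow(c, d, n)                      # c = r^e mod n, so c^d = r mod n
    return L(c * pow(r, -e, n2) % n2, n)

def perfect_rsaaprx_oracle(n, e):
    """Oracle O_RSAaprx: on input x^e mod n return [x^e mod n^2]_1.
    Simulated by a brute-force table over (Z/nZ)^*, viable only for toy n."""
    n2 = n * n
    table = {}
    for x in range(1, n):
        if gcd(x, n) == 1:
            table[pow(x, e, n)] = pow(x, e, n2) // n   # n-adic digit a_1
    return lambda b0: table[b0]

def lsb_from_oracle(n, e, b0, oracle):
    """Slide 11 reduction: LSB(r) from b0 = r^e mod n with two oracle calls.
    If r is even, r/2 < n is the e-th root of a0 and (r/2)^e = 2^-e r^e mod n^2.
    If r is odd, the root of a0 is (r+n)/2 and the two values mod n^2 differ
    by 2^-e e n r^(e-1), a nonzero multiple of n that the oracle exposes."""
    n2 = n * n
    b1 = oracle(b0)
    inv2e = pow(2, -e, n2)
    a0 = b0 * inv2e % n
    a1 = oracle(a0)
    lhs = (a0 + n * a1) % n2
    rhs = inv2e * (b0 + n * b1) % n2
    return 0 if lhs == rhs else 1

if __name__ == "__main__":
    n, e, d = 47 * 53, 3, 1595            # toy key from slide 2
    c = s_paillier_encrypt(n, e, 777, 1089)
    print(c, s_paillier_decrypt(n, e, d, c))           # 2255901 777
    oracle = perfect_rsaaprx_oracle(n, e)
    print([lsb_from_oracle(n, e, pow(r, e, n), oracle) for r in (1089, 1090)])
```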
12 Non-Perfect Oracle Case (Catalano et al. 2002)
- Input: $r^e \bmod n$. Output: $r$.
- 1. $O_{RSAaprx}(r^e \bmod n) \to r^e \bmod n^2$
- 2. Choose a random $a \bmod n$, and compute $u^e = a^e r^e \bmod n$
- 3. $O_{RSAaprx}(u^e \bmod n) \to u^e \bmod n^2$
- 4. Solve $z$ such that $ar = u(1 + nz) \bmod n^2$
- 5. Solve $r$ such that $u = Ar \bmod n^2$, where $A = a(1 - nz) \bmod n^2$
- 6. Return $r$
(1) The two instances $r^e \bmod n$ and $u^e \bmod n$ are independent.
(2) $z$ of step 4 can be computed from $a^e r^e = u^e (1 + zen) \bmod n^2$.
(3) In step 5, for the given integer $A = a(1 - nz)$ modulo $n^2$, we can find integers $r, u$ satisfying $u = Ar \bmod n^2$ in time polynomial in $\log n$.