Title: Cryptography in Subgroups of $\mathbb{Z}_n^*$
1 Cryptography in Subgroups of $\mathbb{Z}_n^*$
2 RSA subgroup
$n = pq = (2p_r p' + 1)(2q_r q' + 1)$, $G \subset \mathbb{Z}_n^*$, $|G| = p'q'$.
RSA subgroup pair $(n, g)$ where $g \in G$.
$|G| = p'q'$ with $|p'| = |q'| = 100$ bits.
3 Agenda
- RSA subgroup
- Strong RSA subgroup assumption
- Homomorphic integer commitment
- Digital signature
- Digital signature II
- Decisional RSA subgroup assumption
- Homomorphic cryptosystem
4 Strong RSA subgroup assumption
$K$ generates RSA subgroup pair $(n, g)$: $n = pq = (2p_r p' + 1)(2q_r q' + 1)$, $g \in G$.
Strong RSA subgroup assumption for $K$: hard to find $u, w \in \mathbb{Z}_n^*$ and $e, d > 1$ with $g = u w^e$ and $u^d = 1 \pmod n$.
5 Homomorphic integer commitment
Public key $n, g, h$, where $g, h \in G$.
Commit to $m$: $c = g^m h^r$ (small randomizer $r$).
Verify opening $(u, e > 1, r)$ of $c$ with message $m$: $c = u g^m h^r$ and $u^e = 1$.
Homomorphic: $(Uu)\, g^{M+m} h^{R+r} = (U g^M h^R)(u g^m h^r)$ and $(Uu)^{Ee} = 1$.
Root extraction: adversary outputs $c$, $e \neq 0$; an opening of $c^e$ allows us to open $c$.
6 Signature
Public key $n, a, g, h$, where $a, g, h \in G$. Secret key $p'q'$.
Sign $m \in \{0,1\}^l$: $e \leftarrow \mathrm{prime}(\{0,1\}^{l+1})$, $r \leftarrow \{0, \ldots, e-1\}$, $y = (a g^m h^r)^{e^{-1} \bmod p'q'}$.
Verify signature $(y, e, r)$ on $m$: $y^e = a g^m h^r$.
Speedup: use $e^t$, $t > 1$, allowing a smaller prime $e$.
7 Signature II
Public key $n, a, g$, where $a, g \in G$. Secret key $p'q'$.
Sign $m \in \{0,1\}^l$: $e \leftarrow \mathrm{prime}(\{0,1\}^{l+1})$, $y = (a g^m)^{e^{-1} \bmod p'q'}$.
Verify signature $(y, e)$ on $m$: $y^e = a g^m$.
Theorem: secure against adaptive chosen message attack.
8 Proof
Adversary adaptively queries $m_1, \ldots, m_k$, receives signatures $(y_1, e_1), \ldots, (y_k, e_k)$, and forges signature $(y, e)$ on $m$.
Two cases: I. $e$ is new; II. $e = e_i$.
9 Proof: $e$ is new
$(n, \gamma)$ RSA subgroup pair. $e_1, \ldots, e_k \leftarrow \mathrm{prime}(\{0,1\}^{l+1})$, $E = \prod e_i$, $r$ chosen at random, $a = \gamma^{rE}$, $g = \gamma^E$.
Simulated public key $n, a, g$.
On query $m_i$ answer $(y_i, e_i)$, where $y_i = \gamma^{rE/e_i} \gamma^{m_i E/e_i}$.
Forged signature $(y, e)$ on $m$, so $y^e = a g^m = \gamma^{E(r+m)}$, breaks the strong RSA subgroup assumption.
10 Proof: $e = e_i$
$(n, \gamma)$ RSA subgroup pair. Guess $i$. $e_1, \ldots, e_k \leftarrow \mathrm{prime}(\{0,1\}^{l+1})$, $E = \prod_{j \neq i} e_j$, $a = \gamma^{rE}$, $g = \gamma^E$.
On query $m_i$ hope to find an $(l+1)$-bit prime factor $e_i$ of $r + m_i$. Significant probability since $r \gg p'q'$. Return $y_i = \gamma^{E(r+m_i)/e_i}$.
Forged signature $(y, e_i)$ on $m$, so $y^{e_i} = a g^m = \gamma^{E(r+m)}$, breaks the strong RSA subgroup assumption.
11 Decisional RSA subgroup assumption
$K$ generates RSA subgroup pair $(n, g)$: $n = pq = (2p_r p' + 1)(2q_r q' + 1)$, $g \in G$, with $p_r q_r$ $B$-smooth. $|p'| = |q'| = 160$, $B = 2^{15}$.
Decisional RSA subgroup assumption for $K$: hard to distinguish $G$ and $QR_n$.
12 Homomorphic cryptosystem
Public key $n, g, h$, where $h \in G$, $g \in QR_n$. Secret key $p'q'$ and the factorization of $\mathrm{ord}(g)$.
Encrypt $m$: $c = g^m h^r$.
Decrypt $c$: $c^{p'q'} = (g^m h^r)^{p'q'} = (g^{p'q'})^m$. $r_g = \mathrm{ord}(g^{p'q'})$ is $B$-smooth.
For all $p_i \mid r_g$ find $m \bmod p_i$ by searching for $m_i$ so that $(c^{p'q'})^{r_g/p_i} = (g^{p'q' r_g/p_i})^{m_i}$.
Chinese remainder: $m \bmod r_g$.
13 Properties of cryptosystem
Homomorphic: $g^{M+m} h^{R+r} = (g^M h^R)(g^m h^r)$.
Root extraction: adversary outputs $c$, $e \neq 0$; an opening of $c^e$ allows us to open $c$.
Low expansion rate $|c|/|m|$.
Homomorphic integer commitment.
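The following is an added toy walk-through of the cryptosystem and its homomorphic property from the two slides above; it is not code from the paper or its author. It uses constructed, insecure parameters $p = 2\cdot 15\cdot 11 + 1$, $q = 2\cdot 7\cdot 17 + 1$ (so $p'q' = 187$, $r_g = p_r q_r = 105$ with $B = 7$) and recovers $m \bmod r_g$ by the $p_i$-by-$p_i$ search plus Chinese remaindering.

```python
import random

# Constructed toy parameters (tiny, insecure, for illustration only):
# p = 2*p_r*p' + 1, q = 2*q_r*q' + 1 with p_r, q_r B-smooth (B = 7) and
# p', q' the primes whose product p'q' is the order of the hidden subgroup G.
P_PRIME, Q_PRIME = 11, 17                   # p', q'
p_r, q_r = 3 * 5, 7                         # B-smooth parts
p = 2 * p_r * P_PRIME + 1                   # 331, prime
q = 2 * q_r * Q_PRIME + 1                   # 239, prime
n = p * q
SMOOTH_PRIMES = [3, 5, 7]                   # prime factors of r_g = p_r*q_r

def keygen():
    """Public key (n, g, h) with g in QR_n, h in G; secret key (p'q', r_g)."""
    secret = P_PRIME * Q_PRIME              # p'q'
    r_g = p_r * q_r                         # ord(g^{p'q'}) for the g chosen below
    # g: a square whose p'q'-th power has full B-smooth order r_g
    g = next(x * x % n for x in range(2, n)
             if all(pow(x * x, secret * r_g // pi, n) != 1 for pi in SMOOTH_PRIMES))
    # h: a (2 p_r q_r)-th power, hence an element of the order-p'q' subgroup G
    h = next(pow(x, 2 * r_g, n) for x in range(2, n) if pow(x, 2 * r_g, n) != 1)
    return (n, g, h), (secret, r_g)

def encrypt(pk, m):
    """c = g^m h^r with a random r; m is only recoverable modulo r_g."""
    n, g, h = pk
    r = random.randrange(1, n)
    return pow(g, m, n) * pow(h, r, n) % n

def decrypt(pk, sk, c):
    """Raise to p'q' to remove h^r, then search m mod p_i for each p_i and combine by CRT."""
    n, g, _ = pk
    secret, r_g = sk
    c_s, g_s = pow(c, secret, n), pow(g, secret, n)   # c_s = (g^{p'q'})^m
    m, mod = 0, 1
    for pi in SMOOTH_PRIMES:
        base, target = pow(g_s, r_g // pi, n), pow(c_s, r_g // pi, n)
        m_i = next(k for k in range(pi) if pow(base, k, n) == target)  # m mod p_i
        m += mod * ((m_i - m) * pow(mod, -1, pi) % pi)   # Chinese remainder step
        mod *= pi
    return m

if __name__ == "__main__":
    pk, sk = keygen()
    c1, c2 = encrypt(pk, 60), encrypt(pk, 70)
    print(decrypt(pk, sk, c1 * c2 % pk[0]))   # 25 == (60 + 70) mod 105
```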
14 Conclusion
- RSA subgroup
- Strong RSA subgroup assumption
- Decisional RSA subgroup assumption
- Signature $y^e = a g^m h^r$: speedup
- Signature II $y^e = a g^m$: secure against CMA
- Homomorphic integer commitment $g^m h^r$: speedup
- Homomorphic cryptosystem $g^m h^r$