The Bit Security of Paillier

1
The Bit Security of Pailliers Encryption Scheme

• Advisor Hsueh-I Lu

B89902016 ??? B89902088 ??? B89902092
??? B89902100 ???
2
Reference

• The Bit Security of Pailliers Encryption Scheme
• Dario Catalano, Rosario Gennaro, and Nick
  Howgrave-Graham, Euro Crypt 01
• Public-Key Cryptosystems Based on Composite
  Degree Residuosity Classes
• Pascal Paillier, Euro Crypt 99

3
Topics

• Preliminaries
• Hardness of the Least Significant Bit
• Simultaneous Security of Many Bits
• Conclusion

4
Preliminaries

• N pq is an RSA modulus,a group ZN2.
• Let g ? ZN2 be an element whose order is a
  nonzero multiple of N
• Thus given g, for an element ? ? ZN2,there
  exists (c,z) ? ZN ZN2 s.t. ? gczN mod N2
• (c is the class of ? relative to g,denoted
  Classg(?) )

5
Preliminaries (continued)

• Lemma of Pailliers scheme
• If the order of g is a nonzero multiple of n then
  ?g is bijective.
• Class n, g is random-self-reducible over w ?

6
Definition 1

• Computing the function Classg() is hard if for
  every probabilistic poly-time algorithm A,there
  exists a negligible function negl() s.t.

7
Lemma 1

• Let N be a random n-bit RSA modulus, y?Zn, c an
  even element of Zn and g an element in B. Then,
  denoting z 2-1 mod N,
• (gc yN)z (g(c/2) yN) mod N2
• for some y?Zn

8
Definition

• Computing Classg() is B-hard if,
• ? probabilistic polynomial time algo A
• ? a negligible function negl()
• c ? 0B
• PrA(N, g, w) c lt negl(n)

9
Theorem 1

• Let N be a random n-bit RSA modulus, and let the
  functions Eg(, )
• and Classg() be de.ned as above. If the function
  Classg() is hard (see De.nition
• 1), then the predicate lsb() is hard for it.

10
Perfect Case--?()

• ComputeClass(O, w, g,N)
• 1. z 2-1 mod N
• 2. c ()
• 3. for i 0 to n N
• 4. x O(g,w)
• 5. c cx
• 6. if (x1) then
• 7. w w g-1 mod N2 (bit zeroing)
• 8. w wz mod N2 (bit shifting)
• 9. return c

11
Theorem 2

• Let N be a random n-bit RSA modulus B2b , where
  b log B ?(log n). If the function Classg() is
  B-hard then it has n-b simultaneously hard-core
  bits

12
Theorem 3

• M is an m-bit odd integer, G is a group with
  respect to the operation of multiplication.
• Let f ZM?G be a one-way,trapdoor isomorphic
  function
• (i.e.f (ab mod M) f (a) f (b) ? G)
• If f is hard to invert when its input belongs
  to the closed interval 0B, with B2b,then f
  has m-b simultaneously hard bits.

13
Application to Secure Encryption

• OUR SOLUTION
• RSA modulus N, size 1024
• Message M, size 128
• Plain RSA
• FROM Strong Security Proofs for RSA and Rabin
  bits
• Hide only one bit
• We need 128 exponentiations

14
Application to Secure Encryption

• BLUM-GOLDWASSER(RSA/Rabin)
• FROM Proc. Of Crypto 84
• Pay the O (m / log n)
• Remark
• We need only O (m / k), kw (log n)
• For longer messages, we may catch up with the
  other scheme