Some RSA-based Encryption Schemes with Tight Security Reduction

1
Some RSA-basedEncryption Schemes withTight
Security Reduction

• Kaoru Kurosawa, Ibaraki University
• Tsuyoshi Takagi, TU Darmstadt

2
One-wayness and Semantic-security

• One-wayness E(m) ? m is hard.
• Semantic security IND-CPA (CCA)
• E(m) ? any information on m is hard against
  CPA (CCA).

3
Random Oracle Model

• Hash function H is treated as a random function
  in the random oracle model.
• However,
• RO model proof is heuristic.
• If we replace RO to a practical hash function,
• then the proof is no longer valid.

4
IND-CCA in the Standard Model

• Cramer-Shoup schemes
• 1. (Crypto98) Decisional DH assumption.
• One-wayness DH assumption.
• RSA-based IND-CCA scheme is unknown!

5
RSA-based IND-CPA schemes

• In the Standard Model,
• 1. RSA-Paillier scheme is IND-CPA
• One-wayness RSA
• (Catalano et al., Asiacrypt02)
• 2. Rabin-Paillier scheme is IND-CPA
• One-wayness Factoring Blum integers
• (Galindo et al., PKC03)

in this talk
6
Our result
Let e be a success probability that breaks the
one-wayness of Rabin-Paillier scheme.
Proof Technique Factoring Probability
Galindo et al. (PKC03) e2 - LLL,
RSA-Paillier Proposed proof
e - totally elemental
7
RSA-Paillier scheme

• (Public-key) N ( pq) and e.
• (Secret key) d ( e-1 mod (p-1)(q-1))
• (Plaintext) m ? ZN
• (Ciphertext) For random r ?R ZN,
• C re mN mod N2. ---- (1)
• (Decryption) r Cd mod N,
• m (C re mod N2)/N.

8
Security of RSA-Paillier

• Proposition 1 (Semantic Security)
• IND-CPA if re mod N2 r ? ZN and
• re mod N2 r ? ZN2 are indistinguishable.
• Proposition 2 (One-wayness)
• One-wayness breaking RSA.
• (Catalano et al., Asiacrypt02)

Two oracle calls are required gt reduction
probability e2.
9
Rabin-Paillier scheme

• (Public-key) N ( pq), Blum integer
• (Secret key) p,q, d ( e-1 mod (p-1)(q-1))
• (Plaintext) m ? ZN
• (Ciphertext) r ?R SQN s2 mod n s? ZN ,
• C r2e mN mod N2. ---- (2)
• (Decryption) A Cd mod N,
• find the unique solution r? SQN of r2 A mod
  N,
• m (C r2e mod N)/N.

10
Security of Rabin-Paillier

• Proposition 1 (Semantic Security)
• IND-CPA if r2e mod N2 r ? SQN and
• r2e mod N2 r? SQN2 are indistinguishable.
• Proposition 2 (One-wayness)
• One-wayness breaking factoring.
• (Galindo et al., PKC 2003)

The same proof technique with RSA-Paillier gt
reduction prob. e2.
11
Our Proof

• Let O be an Oracle that find m from C with
  prob.e.
• We will show a factoring algorithm A by using O.
• On input N,
• 1. Choose fake r ? Zn and m ? Zn s.t. (r/N)
  -1
• 2. Query C r2e mN mod N2 to oracle O.
• 3. O answers proper m s.t. C r2e mN mod N2,
• with prob. e, where r ? SQN.

12
Our Proof (Cont.)

• Note that C r2e r2e mod N.
• Thus, r2 r2 yN in Z for some -nltyltn.
• 4. A computes y.
• x r2
• w C - mN r2e (x yN)e mod N2.
• xe exe-1yN
  mod N2.
• Thus, y (exe-1)-1 ((w-xe mod N2)/N) mod N.

13
Our Proof (Cont.)

• 6. A computes r
• by solving quadratic equation r2 x yN in
  Z.
• 7. Finally, A computes gcd(r - r,N) p or q,
• because r2 r2 mod N with r ? SQN
• and r ? Zn s.t. (r/N) -1.

A has asked oracle O only once gt reduction
probability e.
14
Concluding Remarks

• 1. We proposed a tight reduction algorithm for
  Rabin-Paillier cryptosystem.
• 2. A similar result with the following variant
  
• C (r a/r)e mN mod N2,
• where (a/p) (a/q) -1.
• 3. An IND-CCA variant in RO-model is
• C (r2e mN mod N2 ) H(r,m).
• It is still IND-CPA OW in standard model.

15
RSA-based IND-CCA schemes in RO Model
Let e be a success probability breaking IND-CCA
scheme.
Schemes - reduced problem Reduction
Probability RSA-OAEP (Crypto01) e
2 - RSA Problem SAEP (Crypto01)
e - Factoring