The Bit Security of Paillier’s Encryption Scheme

The Bit Security of Paillier’s Encryption Scheme. Advisor: Hsueh-I Lu. B89902016 紀緯傑 B89902088 蔡碩展 B89902092 謝旺叡 B89902100 陳育成. Reference: The Bit Security of Paillier’s Encryption Scheme, Dario Catalano, Rosario Gennaro, and Nick Howgrave-Graham, Eurocrypt ’01

Presentation Transcript


  1. The Bit Security of Paillier’s Encryption Scheme • Advisor: Hsueh-I Lu • B89902016 紀緯傑 B89902088 蔡碩展 B89902092 謝旺叡 B89902100 陳育成

  2. Reference • The Bit Security of Paillier’s Encryption Scheme, Dario Catalano, Rosario Gennaro, and Nick Howgrave-Graham, Eurocrypt ’01 • Public-Key Cryptosystems Based on Composite Degree Residuosity Classes, Pascal Paillier, Eurocrypt ’99

  3. Topics • Preliminaries • Hardness of the Least Significant Bit • Simultaneous Security of Many Bits • Conclusion

  4. Preliminaries • $N = pq$ is an RSA modulus; consider the group $Z_{N^2}^*$. Let $g \in Z_{N^2}^*$ be an element whose order is a nonzero multiple of $N$. Thus, given $g$, for an element $\omega \in Z_{N^2}^*$ there exists $(c, z) \in Z_N \times Z_{N^2}$ s.t. $\omega = g^c z^N \bmod N^2$ ($c$ is the class of $\omega$ relative to $g$, denoted $Class_g(\omega)$)

  5. Preliminaries (continued) • Lemma of Paillier’s scheme • If the order of $g$ is a nonzero multiple of $n$ then $\mathcal{E}_g$ is bijective. • Class[n, g] is random-self-reducible over $w$

  6. Definition 1 • Computing the function $Class_g(\cdot)$ is hard if for every probabilistic poly-time algorithm A, there exists a negligible function negl() s.t.

  7. Lemma 1 • Let $N$ be a random n-bit RSA modulus, $y \in Z_N^*$, $c$ an even element of $Z_N$ and $g$ an element in B. Then, denoting $z = 2^{-1} \bmod N$, $(g^c \cdot y^N)^z = g^{c/2} \cdot y'^N \bmod N^2$ for some $y' \in Z_N^*$

  8. Definition • Computing $Class_g()$ is B-hard if, • $\forall$ probabilistic polynomial time algorithm A • $\exists$ a negligible function negl() • $c \in [0 \ldots B]$: $\Pr[A(N, g, w) = c] < negl(n)$

  9. Theorem 1 • Let $N$ be a random n-bit RSA modulus, and let the functions $\mathcal{E}_g(\cdot, \cdot)$ and $Class_g(\cdot)$ be defined as above. If the function $Class_g(\cdot)$ is hard (see Definition 1), then the predicate lsb(·) is hard for it.

  10. Perfect Case -- Break () • ComputeClass(O, w, g, N)
      1. z = 2^-1 mod N
      2. c = ()
      3. for i = 0 to n = |N|
      4.     x = O(g, w)
      5.     c = c|x
      6.     if (x == 1) then
      7.         w = w · g^-1 mod N^2 (bit zeroing)
      8.     w = w^z mod N^2 (bit shifting)
      9. return c

  11. Theorem 2 • Let $N$ be a random n-bit RSA modulus; $B = 2^b$, where $b = \log B = \omega(\log n)$. If the function $Class_g()$ is B-hard then it has $n - b$ simultaneously hard-core bits

  12. Theorem 3 • $M$ is an m-bit odd integer, $G$ is a group with respect to the operation of multiplication. Let $f: Z_M \to G$ be a one-way, trapdoor isomorphic function (i.e. $f(a + b \bmod M) = f(a) \cdot f(b) \in G$). If $f$ is hard to invert when its input belongs to the closed interval $[0 \ldots B]$, with $B = 2^b$, then $f$ has $m - b$ simultaneously hard bits.

  13. Application to Secure Encryption • OUR SOLUTION • RSA modulus N, size = 1024 • Message M, size = 128 • Plain RSA • FROM Strong Security Proofs for RSA and Rabin bits • Hide only one bit • We need 128 exponentiations

  14. Application to Secure Encryption • BLUM-GOLDWASSER (RSA/Rabin) • FROM Proc. of Crypto ’84 • Pay the $O(m / \log n)$ • Remark • We need only $O(m / k)$, $k = \omega(\log n)$ • For longer messages, we may catch up with the other scheme
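
The ComputeClass procedure from slide 10, as an added Python example that is not part of the original slides or the cited paper. It assumes constructed toy primes and g = 1 + N, and simulates the perfect lsb oracle O with the Paillier trapdoor only so that the reduction can be run end to end.

```python
import math
import secrets

# Constructed toy parameters (assumption for this example; far too small for real use).
P, Q = 1009, 1013
N, N2 = P * Q, (P * Q) ** 2
G = 1 + N  # assumed generator: 1 + N has order exactly N in Z*_{N^2}
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)  # trapdoor, used only by the oracle


def encrypt(c):
    """E_g(c, y) = g^c * y^N mod N^2 for a random y in Z*_N."""
    while True:
        y = secrets.randbelow(N - 1) + 1
        if math.gcd(y, N) == 1:
            return pow(G, c, N2) * pow(y, N, N2) % N2


def class_with_trapdoor(w):
    """Class_g(w) by Paillier decryption: L(w^lam) / L(g^lam) mod N."""
    def L(u):
        return (u - 1) // N
    return L(pow(w, LAM, N2)) * pow(L(pow(G, LAM, N2)), -1, N) % N


def lsb_oracle(g, w):
    """Stand-in for the perfect oracle O(g, w) = lsb(Class_g(w)); g is fixed to G here."""
    return class_with_trapdoor(w) & 1


def compute_class(oracle, w, g, n_mod):
    """Slide 10: recover Class_g(w) from lsb answers alone, low bit first."""
    n2 = n_mod * n_mod
    z = pow(2, -1, n_mod)          # z = 2^-1 mod N
    g_inv = pow(g, -1, n2)
    c = 0
    for i in range(n_mod.bit_length()):
        x = oracle(g, w)
        c |= x << i                # bit i of the class
        if x == 1:
            w = w * g_inv % n2     # bit zeroing: class c -> c - 1 (now even)
        w = pow(w, z, n2)          # bit shifting: class c -> c / 2 (Lemma 1)
    return c
```

The reduction calls the oracle once per bit of N, which is why a perfect lsb predictor would contradict the hardness of $Class_g(\cdot)$ assumed in Theorem 1.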
