The Bit Security of Paillier’s Encryption Scheme. Advisor: Hsueh-I Lu. B89902016 紀緯傑 B89902088 蔡碩展 B89902092 謝旺叡 B89902100 陳育成. Reference. The Bit Security of Paillier’s Encryption Scheme Dario Catalano, Rosario Gennaro, and Nick Howgrave-Graham, Euro Crypt ‘01
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
The Bit Security of Paillier’s Encryption Scheme Advisor: Hsueh-I Lu B89902016紀緯傑 B89902088蔡碩展 B89902092 謝旺叡 B89902100 陳育成
Reference • The Bit Security of Paillier’s Encryption Scheme Dario Catalano, Rosario Gennaro, and Nick Howgrave-Graham, Euro Crypt ‘01 • Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Pascal Paillier, Euro Crypt ’99
Topics • Preliminaries • Hardness of the Least Significant Bit • Simultaneous Security of Many Bits • Conclusion
Preliminaries • N = pq is an RSA modulus,a group Z*N2. Let g є Z*N2 be an element whose order is a nonzero multiple of N Thus given g, for an element ωє Z*N2,there exists (c,z) є ZN × ZN2 s.t. ω= gczN mod N2 (c is the class of ω relative to g,denoted Classg(ω) )
Preliminaries (continued) • Lemma of Paillier’s scheme • If the order of g is a nonzero multiple of n then єg is bijective. • Class [n, g] is random-self-reducible over w
Definition 1 • Computing the function Classg(·) is hard if for every probabilistic poly-time algorithm A,there exists a negligible function negl() s.t.
Lemma 1 • Let N be a random n-bit RSA modulus, yZn*, c an even element of Zn and g an element in B. Then, denoting z = 2-1 mod N, (gc * yN)z = (g(c/2) * y’N) mod N2 for some y’Zn*
Definition • Computing Classg() is B-hard if, • probabilistic polynomial time algo A • a negligible function negl() • c [0…B] Pr[A(N, g, w) = c] < negl(n)
Theorem 1 • Let N be a random n-bit RSA modulus, and let the functions Eg(·, ·) • and Classg(·) be de.ned as above. If the function Classg(·) is hard (see De.nition • 1), then the predicate lsb(·) is hard for it.
Perfect Case--破() • ComputeClass(O, w, g,N) • 1. z = 2^-1 mod N • 2. c = () • 3. for i = 0 to n = |N| • 4. x = O(g,w) • 5. c = c|x • 6. if (x==1) then • 7. w = w · g^-1 mod N^2 (bit zeroing) • 8. w = w^z mod N^2 (bit shifting) • 9. return c
Theorem 2 • Let N be a random n-bit RSA modulus; B=2b ,where b = log B = ω(log n). If the function Classg() is B-hard then it has n-b simultaneously hard-core bits
Theorem 3 • M is an m-bit odd integer, G is a group with respect to the operation of multiplication. Let f: ZM→G be a one-way,trapdoor isomorphic function (i.e.f (a+b mod M) = f (a) · f (b) G) If f is hard to invert when its input belongs to the closed interval [0…B], with B=2b,then f has m-b simultaneously hard bits.
Application to Secure Encryption • OUR SOLUTION • RSA modulus N, size = 1024 • Message M, size = 128 • Plain RSA • FROM Strong Security Proofs for RSA and Rabin bits • Hide only one bit • We need 128 exponentiations
Application to Secure Encryption • BLUM-GOLDWASSER(RSA/Rabin) • FROM Proc. Of Crypto ‘84 • Pay the O (m / log n) • Remark • We need only O (m / k), k=w (log n) • For longer messages, we may catch up with the other scheme