Some RSA-based Encryption Schemes with Tight Security Reduction

Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan
Kaoru Kurosawa, Ibaraki University
Tsuyoshi Takagi, TU Darmstadt
Kurosawa, Takagi, ”Some RSA-based Encryption Schemes with Tight Security Reduction”
One-wayness and Semantic Security
• One-wayness: E(m) → m is hard.
• Semantic security = IND-CPA (IND-CCA):
  E(m) → any information on m is hard
  against CPA (CCA).
Random Oracle Model
• The hash function H is treated as a random function
  in the random oracle model.
However,
an RO model proof is heuristic:
if we replace the RO with a practical hash function,
the proof is no longer valid.
IND-CCA in the Standard Model
Cramer-Shoup schemes:
1. (Crypto'98) Decisional DH assumption.
   One-wayness = DH assumption.
An RSA-based IND-CCA scheme is unknown!
RSA-based IND-CPA schemes
In the Standard Model,
1. RSA-Paillier scheme is IND-CPA:
   One-wayness = RSA
   (Catalano et al., Asiacrypt'02)
2. Rabin-Paillier scheme is IND-CPA (in this talk):
   One-wayness = Factoring Blum integers
   (Galindo et al., PKC'03)
Our result
Let ε be the success probability of breaking
the one-wayness of the Rabin-Paillier scheme.

Proof technique                                  Factoring probability
Galindo et al. (PKC'03): LLL, via RSA-Paillier   ε^2
Proposed proof: totally elementary               ε
RSA-Paillier scheme
(Public key) N (= pq) and e.
(Secret key) d (= e^{-1} mod (p-1)(q-1))
(Plaintext) m ∈ Z_N
(Ciphertext) For random r ∈_R Z_N^*,
  C = r^e + mN mod N^2.        ---- (1)
(Decryption) r = C^d mod N,
  m = (C - r^e mod N^2)/N.
Security of RSA-Paillier
• Proposition 1 (Semantic Security)
  IND-CPA if {r^e mod N^2 | r ∈ Z_N^*} and
  {r^e mod N^2 | r ∈ Z_{N^2}^*} are indistinguishable.
• Proposition 2 (One-wayness)
  One-wayness = breaking RSA.
  (Catalano et al., Asiacrypt'02)
  Two oracle calls are required => reduction probability ε^2.
Rabin-Paillier scheme
• (Public key) N (= pq), a Blum integer
• (Secret key) p, q, d (= e^{-1} mod (p-1)(q-1))
• (Plaintext) m ∈ Z_N
• (Ciphertext) r ∈_R SQ_N = {s^2 mod N | s ∈ Z_N^*},
  C = r^{2e} + mN mod N^2.        ---- (2)
• (Decryption) A = C^d mod N,
  find the unique solution r ∈ SQ_N of r^2 = A mod N,
  m = (C - r^{2e} mod N^2)/N.
Security of Rabin-Paillier
• Proposition 1 (Semantic Security)
  IND-CPA if {r^{2e} mod N^2 | r ∈ SQ_N} and
  {r^{2e} mod N^2 | r ∈ SQ_{N^2}} are indistinguishable.
• Proposition 2 (One-wayness)
  One-wayness = breaking factoring.
  (Galindo et al., PKC 2003)
  The same proof technique as for RSA-Paillier => reduction prob. ε^2.
Our Proof
Let O be an oracle that finds m from C with prob. ε.
We will show a factoring algorithm A that uses O.
On input N,
1. Choose a fake r' ∈ Z_N^* and m' ∈ Z_N s.t. (r'/N) = -1 (Jacobi symbol).
2. Query C = r'^{2e} + m'N mod N^2 to oracle O.
3. O answers the proper m s.t. C = r^{2e} + mN mod N^2,
   with prob. ε, where r ∈ SQ_N.
Our Proof (Cont.)
Note that C ≡ r'^{2e} ≡ r^{2e} (mod N), hence r'^2 ≡ r^2 (mod N).
Thus r^2 = r'^2 + yN in Z for some -N < y < N.
4. A computes y. Let x = r'^2. Then
   w = C - mN = r^{2e} = (x + yN)^e mod N^2
     = x^e + e x^{e-1} yN mod N^2.
   Thus y = (e x^{e-1})^{-1} · ((w - x^e mod N^2)/N) mod N.
Our Proof (Cont.)
6. A computes r
   by solving the quadratic equation r^2 = x + yN in Z.
7. Finally, A computes gcd(r - r', N) = p or q,
   because r^2 ≡ r'^2 (mod N) with r ∈ SQ_N
   and r' ∈ Z_N^* s.t. (r'/N) = -1.
A has asked oracle O only once => reduction probability ε.
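Worked example of the Rabin-Paillier scheme (equation (2)) and of the factoring algorithm A from the proof, as added Python that is not from the talk: the Blum primes 47 and 59 and e = 17 are constructed toy values, and the one-wayness oracle O is stood in for by the legitimate decryptor (which uses p, q), so the run shows steps 1-7 turning a single oracle answer into a factor of N.

```python
from math import gcd, isqrt
import random
# Constructed toy parameters (added example): Blum primes p, q = 3 (mod 4), e coprime to phi(N).
P, Q, E = 47, 59, 17
N, N2 = P * Q, (P * Q) ** 2
D = pow(E, -1, (P - 1) * (Q - 1))          # d = e^{-1} mod (p-1)(q-1), as on the slide

def jacobi(a, n):   # Jacobi symbol (a/n) for odd n; computable without factoring n
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def sqrt_in_sq(a):  # unique r in SQ_N with r^2 = a mod N; needs p, q (secret-key side)
    rp, rq = pow(a, (P + 1) // 4, P), pow(a, (Q + 1) // 4, Q)  # roots mod Blum primes
    for sp in (rp, P - rp):
        for sq in (rq, Q - rq):
            r = (sp * Q * pow(Q, -1, P) + sq * P * pow(P, -1, Q)) % N  # CRT
            if pow(r, (P - 1) // 2, P) == 1 and pow(r, (Q - 1) // 2, Q) == 1:
                return r  # exactly one of the four roots is a square mod p and mod q
    raise ValueError("not a square mod N")

def encrypt(m, r):  # equation (2): C = r^(2e) + mN mod N^2, with r in SQ_N
    return (pow(r, 2 * E, N2) + m * N) % N2

def decrypt(c):     # A = C^d mod N = r^2 mod N; then m = (C - r^(2e) mod N^2) / N
    r = sqrt_in_sq(pow(c, D, N))
    return ((c - pow(r, 2 * E, N2)) % N2) // N

def factor_with_oracle(oracle):  # proof steps 1-7; oracle(C) returns the proper m
    while True:                                   # step 1: fake r' with (r'/N) = -1
        r_fake = random.randrange(2, N)
        if gcd(r_fake, N) == 1 and jacobi(r_fake, N) == -1:
            break
    m_fake = random.randrange(N)
    c = (pow(r_fake, 2 * E, N2) + m_fake * N) % N2  # step 2: query C to the oracle
    m = oracle(c)                                   # step 3: m for the real r in SQ_N
    x = r_fake * r_fake % N                         # step 4: x = r'^2 mod N, r^2 = x + yN
    w = (c - m * N) % N2                            #   w = r^(2e) = x^e + e x^(e-1) yN mod N^2
    y = ((w - pow(x, E, N2)) % N2 // N) * pow(E * pow(x, E - 1, N), -1, N) % N
    r = isqrt(x + y * N)                            # step 6: r from r^2 = x + yN in Z
    assert r * r == x + y * N
    return gcd(r - r_fake, N)                       # step 7: p or q, since r != ±r' mod N
```

Taking x = r'^2 mod N (rather than r'^2 in Z) keeps 0 ≤ y < N, so the single value y mod N from step 4 is already the integer y.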
Concluding Remarks
1. We proposed a tight reduction algorithm for
   the Rabin-Paillier cryptosystem.
2. A similar result holds for the following variant:
   C = (r + a/r)^e + mN mod N^2,
   where (a/p) = (a/q) = -1.
3. An IND-CCA variant in the RO model is
   C = (r^{2e} + mN mod N^2) || H(r, m).
   It is still IND-CPA & OW in the standard model.
RSA-based IND-CCA schemes in the RO Model
Let ε be the success probability of breaking the IND-CCA scheme.

Scheme                 Reduced problem   Reduction probability
RSA-OAEP (Crypto'01)   RSA problem       ε^2
SAEP (Crypto'01)       Factoring         ε