Advanced Cryptography
February 20, 2007
Lecture 6
Lecturer: Victor Shoup
1
Scribe: Marisa Debowsky
Introduction
Today, we will describe the Cramer-Shoup cryptosystem (introduced in 1999). It’s more efficient than the
Cramer-Damgard scheme we gave last week and has the advantage of being state-free, but at the cost of a
possibly stronger assumption: we will need the strong RSA assumption to prove that the Cramer-Shoup
scheme is secure.
2
The RSA Problem
Recall the ordinary RSA problem: given n, y ∈ Z∗n and given an exponent e, find x ∈ Z∗n such that xe = y.
The RSA assumption is that this is a computationally hard problem to solve. (We have omitted some
technical details in this statement: for example, it should be the case that n is the product of primes, say
n = pq, and the residue class y should have the uniform distribution over Z∗n . It’s unclear whether or not e
is random, but it surely should be an input to the problem.)
Consider a variant we’ll call the flexible RSA problem: given an RSA modulus n ∈ Z∗n and a residue
class y ∈ Z∗n , find some pair (x, e) with x ∈ Z∗n , e > 1 and xe = y. Here, the adversary is free to choose e
after seeing n and y. The strong RSA assumption is that this (easier) problem is computationally hard.
The strong RSA assumption first appeared in Σ-protocols; here, we will use it to analyze a signature scheme.
3
3.1
The Cramer-Shoup Cryptosystem
The High-Level Idea
Before we describe the Cramer-Shoup scheme in detail, let’s contrast it for a moment with the CramerDamgard scheme (with which it shares many essential elements). Imagine a similar setup. In the CramerShoup scheme, rather than an authentication tree with a fixed branching factor k of depth `, we have one
“big, bushy tree” of depth 1. There’s one root node, and a branch is determined by a random prime. As in
Cramer-Damgard, we use one fixed prime to determine the leaves (which are messages).
3.2
Details of the Setup
First, establish system parameters ` and `0 with ` + 1 < `0 . Let H : {0, 1}∗ → {0, 1}` be a collision-resistant
hash function.
The key generation algorithm will set up an RSA modulus of a special form, and it will run as
follows. Generate `0 -bit primes p and q of the form p = 2p0 + 1, q = 2q 0 + 1 with both p0 and q 0 also prime,
2
and assume p 6= q.1 Set N = pq. Let G = (Z∗N ) be the subgroup of squares. We set up the public key for
1 The primes p0 and q 0 are called “Sophie Germain primes” in number theory, or “strong primes” in computer science.
Although conjectured and widely believed, it has not been proven that there are infinitely many Sophie Germain primes. Their
density has also been conjectured. Let π(x) denote the number of primes less than or equal to x; by the Prime Number Theorem,
π(x) ≈ x/ log x. Similarly, let π ∗ (x) denote the number of Sophie Germain primes less than or equal to x. The conjecture is
that π ∗ (x) ≈ C · x/(log x)2 for some constant C.
L6-1
the Guillou-Quisquater scheme: choose x, a ∈ G at random (which is to say: choose a random number mod
n and square it). Then choose an (` + 1)-bit prime e0 . Set the public and secret keys to be:
PK
SK
=
=
(N, x, a, e0 )
(P K, p, q)
(The secret key contains everything in the public key, as well as the factorization of N .) So far, we have the
same setup as in the Cramer-Damgard scheme, but with N = pq and x, a ∈ (Z∗N )2 .
To sign a message m where m is an arbitrary bit string:
• Choose a random (` + 1)-bit prime, e. (We will insist that e 6= e0 , although if they are sufficiently large,
this would happen with negligible probability.)
• Choose z 0 ∈ G at random.
• Solve for a0 in the equation
0
(z 0 )e = a0 xH(m)
(1)
where the hash of m is the challenge. (We’re running the ZK simulator backwards.)
• Once a0 is fixed, we authenticate it: solve for z in the equation
0
z e = axH(a )
(2)
This is tantamount to computing an eth root: we compute e−1 modulo φ(N ) (that is, we use the secret
key).
• The signature is the triple (e, z, z 0 ).
To verify a signature:
• Test equations (1) and (2).
• Check that e is an odd (` + 1)-bit number.
(Note that it’s important for e to be prime, but we’ll see later why we needn’t burden the verifier with
a primality test.)
We will prove the security of the scheme under the strong RSA assumption using the fact that H is
collision-resistant.
4
Algebraic Background
Before launching into the proof of security, let’s develop some machinery with which to manipulate these
groups. By the Chinese Remainder Theorem, we know that ZN is isomorphic, as a ring, to Zp × Zq . The
corresponding multiplicative groups of units are also isomorphic (as groups). That is:
ZN
Z∗N
∼
= Zp × Zq (as rings)
∼
= Z∗p × Z∗q (as groups)
Z∗p and Z∗q are cyclic groups of orders p − 1 and q − 1, respectively, and p = 2p0 + 1, so p − 1 = 2p0 ;
likewise, q − 1 = 2q 0 . Therefore, we can write:
Z∗N
∼
=
∼
=
∼
=
∼
=
Z∗p × Z∗q (written multiplicatively)
Zp−1 × Zq−1 (written additively)
Z2 × Z0p × Z2 × Z0q
Z2 × Z2 × ZN 0 where N 0 = p0 q 0 .
L6-2
When we square both sides, we see that
2
(Z∗N ) ∼
= ZN 0 ,
since multiplication by 2 kills Z2 (we’re thinking of Z2 written additively) and permutes ZN 0 (also written
additively).
Remark 1 Choose x ∈ ZN 0 and square it; with overwhelming probability, you’ll get a generator of ZN 0
(that is, an element of order N 0 ). The probability of landing in a subgroup is
1
1 1
1
+
−
·
.
p0
q0
p0 q 0
5
The Security Analysis
First, let’s establish our notation for the analysis up front. Let A be the adversary in the signature attack
game and let Q0 be the number of signing requests. For i = 1, 2, . . . , Q0 :
• Let mi be the ith message signed.
• Let (ei , zi , zi0 ) be the ith signature.
0
• Write the ith iteration of Equation (1) as a0i = (zi0 )e · x−H(mi ) (where a0i is the internal value used to
verify).
Let m be the forged message and denote its signature by (e, z, z 0 ); define its corresponding equation to be
0
a0 = (z 0 )e x−H(m) .
Throughout the analysis, we will assume that the Hash function has not been compromised. Under that
assumption, we identify three types of forgeries.
Type I Forgery For some j = 1, . . . , Q0 : both e = ej and a0 = a0j .
(This is similar to the Type I Forgery in the Cramer-Damgard scheme.)
Type II Forgery For some j = 1, . . . , Q0 : we have e = ej , but a0 6= a0j .
(This is similar to the Type II Forgery in the Cramer-Damgard scheme.)
Type III Forgery For all i = 1, . . . , Q0 : e 6= ei .
This is what really distinguishes the Cramer-Shoup scheme from the Cramer-Damgard scheme. From
the perspective of the security analysis, we can consider the ei ’s to be generated up from (even though,
literally, it’s not practical to put the ei ’s in the key).
Forgeries of Types I and II are handled exactly as in the Cramer-Damgard scheme; in these cases we break
the standard (random prime exponent) RSA assumption. In Type III Forgeries, we use our adversary to
solve an instance of the “flexible” RSA problem, under the strong RSA assumption. Given:
N = (2p0 + 1)(2q 0 + 1) = pq,
p, q, p0 , q 0 primes, and
x∗ ∈ Z∗N ,
∗
we want to find e∗ and w∗ such that (w∗ )e = x∗ where e∗ > 1.
We present to A a simulated challenger in the signing game and hope it looks the same as in the real
signing algorithm.
L6-3
The Simulator.
Choose random primes e0 , e1 , . . . , eQ0 . For the public key, x should be a square:
∗ 2 e0 Qi ei
x ← (x )
. (Assume that the parameters ` and `0 are chosen such that ei does not divide φ(N ),
so raising to the power e permutes Z∗N .) We generate a as a ← xr , where r is chosen at random from
{0, 1, . . . , N 2 }. (We should argue that x and a have the right distribution; we’ll return to that at the end.)
0
A Type III forgery will look like a triple (e, z, z 0 ) satisfying the equation z e = a · xH(a ) . (It doesn’t
matter what a0 is right now.) Plug in what we know to this equation:
ze
0
= xr+H(z )
0Q
0
= (x∗ )2e i ei (r+H(a ))
Q
Let α denote 2e0 i ei (r + H(a0 )), so that z e = (x∗ )α . What we want to do is to apply the gcd trick; we
might not be able to get an eth root of x∗ , but we’ll get a different root (and it’ll be enough to break the
flexible RSA problem). Let d denote the gcd of e and α. The only requirement we made was that e was
odd and of appropriate length. An odd number e won’t be divisible by 4, and by size considerations, e can’t
be divisible by p0 or q 0 ; therefore, since φ(N ) = 4 · p0 · q 0 , our assumptions on e suffice for us to claim that
gcd(e, φ(N )) = 1. Thus, we have:
d d
z e/d = (x∗ )α/d ,
i.e.,
z e/d
(x∗ )α/d
d
= βd = 1 .
Therefore, β is in the kernel of the dth power map, but the kernel of the dth power map in Z∗N is {1}, so
indeed β = 1, giving
z e/d = (x∗ )α/d .
(3)
If d = gcd(e, α), then gcd(e/d, α/d) = 1. The usual Extended Euclidean Algorithm will allow us to find
z ∗ such that
(z ∗ )e/d = x∗ .
There are a few loose ends here. We can set up the simulator in this way, so we know the preimages of x
and a under the relevant prime powers. We can run the signing algorithm with no tricks. But two questions
remain:
1. Is the distribution of a correct? It was supposed to be a random square.
2. Is e/d > 1? We need this to win the flexible RSA game.
To answer the first question: We can assume with overwhelming probability that x has order N 0
(i.e., hxi = G). To get an exact uniform distribution on a ∈ G, we need to choose r ← {0, 1, . . . , N 0 − 1}.
But we don’t know N 0 , so we can’t do that. Instead, what’s a number close to N 0 ? In the sense of statistical
distance, N 0 ≈ N/4, so 4N N 0 ≈ N 2 . Let’s make an information-theoretic argument.
If we choose r ← {0, 1, . . . , 4N N 0 − 1}, then the answers to questions (1) and (2) are essentially the same.
Under the assumption that r ← {0, 1, . . . , 4N N 0 − 1}, the first question is trivially ‘yes’. To answer the
0
second question: write r = s · N 0 + t where 0 ≤ t < N 0 . Then xr = xsN +t and |x| = N 0 , so xr = xt . But:
• t is uniformly distributed over {0, 1, . . . , N 0 − 1};
• s is uniformly distributed over {0, 1, . . . , 4N − 1};
• t and s are independent;
• s and a are independent.
L6-4
Thus, s and t generate r. The point (and we’ll see this point recurring many times over) is that if we show
an adversary xr = xt , that adversary still doesn’t know anything about s, thereby turning s into the “extra”
randomness that we can use for hiding.
Q
Recall that α = 2e0 i ei (r + H(a0 )). We want to look at gcd(α, e). We don’t know that e is Q
prime, so
suppose there exists a P which is an odd prime dividing e. By size constraints, P doesn’t divide 2e0 i ei p0 q 0 .
Thus, we can plug in r to α and we get
Y
α = 2e0
ei (sN 0 + t + H(a0 )).
i
In terms of random variables, we can condition on fixed values of everything that A sees (N , t, e, and so
forth), and still s is uniformly distributed over some set (whatever set from which it was initially chosen).
Thus:
α = As + B where P - A .
(A and B are constants; s is uniformly distributed, like we said.)
What’s the probability that As + B ≡ 0 mod P ? It’ll be about 1/P . (It’s only equal to 1/P if s is
chosen from 0, 1, . . . , P − 1. But the probability is close to 1/P since As + B ≡ 0 has a unique solution
modulo P .)
Thus: e/d > 1 with probability at least about
bigger than zero, which is good enough for us.)
1
P
, which answers the second question. (It’s a constant
Finally, we conclude: if As + B 6≡ 0 mod P , then P - α, so e - α. Therefore, gcd(e, α) < e (which means
e/d 6= 1), and thus we break the flexible RSA problem, as desired. The scheme is secure against Type III
Forgeries, and, combining with the data from the previous lecture on forgeries of Types I and II, we conclude
that the scheme is secure against adaptive chosen message attack.
6
References and Upcoming Topics
R. Cramer, V. Shoup. Signature schemes based on the Strong RSA Assumption. In ACM Transactions on
Information and System Security (ACM TISSEC) 3(3), pages 161–185, 2000. Extended abstract in Proc.
6th ACM Conf. on Computer and Communications Security, 1999.
http://shoup.net/papers/sig.pdf
Next week, we’ll look at other applications of the strong RSA assumption.
L6-5