Paillier's Cryptosystem Modulo $p^2 q$ and Its Applications to Trapdoor Commitment Schemes
Katja Schmidt-Samoa (TU Darmstadt, Germany)
Tsuyoshi Takagi (Future University – Hakodate, Japan)
MyCrypt 2005
Trapdoor One-way Permutations
Applications
Outline
1. Trapdoor One-way Permutations
   - Definition
   - New Provably Secure Trapdoor OW Permutations
2. Applications
   - Homomorphic Encryption
   - Trapdoor Hashing for On-line/Off-line Signatures
   - Trapdoor Hashing for Chameleon Signatures
K. Schmidt-Samoa, T. Takagi
Paillier modulo $p^2 q$
Informal Def. of Trapdoor OW Permutations
Definition
$F = \{f_i \mid f_i : A_i \to B_i,\ f_i \text{ is bijective}\}$ is a family of trapdoor one-way permutations if for all $i$:
- $f_i$ is easy to compute
- $f_i$ is hard to invert
- a trapdoor $s_i$ exists s.t. inverting $f_i$ is easy knowing $s_i$
and
- $F$ is easy to sample
[Figure: x to f(x) is easy; f(x) to x is hard, but easy with trapdoor]
New Trapdoor OW Permutations
$p, q \in \mathrm{PRIMES}(k)$, $n = p^2 q$
Theorem
$x^n = y^n \bmod n \iff x = y \bmod pq$.
⇓
Theorem
If factoring $n = p^2 q$ is hard, then
$\text{N-R}(n) \to \text{N-R}(n),\quad x \mapsto x^n \bmod n$
and
$\mathbb{Z}_{pq}^\times \to \text{N-R}(n),\quad x \mapsto x^n \bmod n$
are trapdoor OW permutations (trapdoor: $d = n^{-1} \bmod \varphi(pq)$),
where $\text{N-R}(n) = \{y^n \bmod n \mid y \in \mathbb{Z}_n^\times\}$ (set of n-th residues mod n).
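
Added example, not taken from the slides: an exhaustive check of both theorems above on a toy modulus, including inversion with the trapdoor d. The primes p = 5 and q = 7 are constructed values chosen so the whole group can be enumerated.

```python
from math import gcd

# Toy parameters, constructed for illustration (far too small for real use).
P, Q = 5, 7
PQ, N = P * Q, P * P * Q                 # pq = 35, n = p^2 q = 175
D = pow(N, -1, (P - 1) * (Q - 1))        # trapdoor d = n^-1 mod phi(pq)

def f(x):
    """Forward direction: x -> x^n mod n."""
    return pow(x, N, N)

def invert(y):
    """Trapdoor inversion: recover x in Z_pq^* from y = x^n mod n."""
    return pow(y % PQ, D, PQ)

def units(modulus):
    return [x for x in range(1, modulus) if gcd(x, modulus) == 1]

def nth_residues():
    """N-R(n) = { y^n mod n : y in Z_n^* }."""
    return {f(y) for y in units(N)}

def collision_theorem_holds():
    """Exhaustive check: x^n = y^n (mod n)  <=>  x = y (mod pq) on Z_n^*."""
    zn = units(N)
    return all((f(x) == f(y)) == ((x - y) % PQ == 0) for x in zn for y in zn)

def is_trapdoor_permutation():
    """Z_pq^* -> N-R(n) and N-R(n) -> N-R(n) are bijections; d inverts the first."""
    zpq, nr = units(PQ), nth_residues()
    onto = {f(x) for x in zpq} == nr and len(nr) == len(zpq)
    self_map = {f(y) for y in nr} == nr
    return onto and self_map and all(invert(f(x)) == x for x in zpq)

if __name__ == "__main__":
    print("theorem holds:", collision_theorem_holds())
    print("trapdoor permutation:", is_trapdoor_permutation())
    print("|N-R(n)| =", len(nth_residues()), " d =", D)
```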
Semantically Secure Homomorphic Encryption
General scheme
$R \times M \to \mathbb{Z}_n^\times,\quad (r, m) \mapsto r^e g^m \bmod n$ for "suitable" $M, R, e, g$.
Goldwasser/Micali 1984, Benaloh/Fischer 1986, Naccache/Stern 1998: always $n = pq$; limited bandwidth and/or heavy decryption
Breakthrough: Change of group structure!
Okamoto/Uchiyama 1998: $n = p^2 q$
Paillier 1999: $n^2$ for $n = pq$
Paillier Modulo $p^2 q$
Theorem
$f : \mathbb{Z}_n^\times \times \mathbb{Z}_n \to \mathbb{Z}_{n^2}^\times,\quad (r, m) \mapsto r^n (1 + mn) \bmod n^2 = r^n (1 + n)^m \bmod n^2$
Paillier: if $n = pq$, then $f$ is a permutation
new: if $n = p^2 q$, then we have
$f(r, m) = f(r + ipq,\ m - i r^{-1} pq)$ for $i \in \mathbb{Z}$
We restrict message space to $\mathbb{Z}_{pq}$ ↪ permutation.
Scheme is:
- homomorphic, and semantically secure under decisional n-th residuosity assumption (same as Paillier)
- and one-way under FACT (same as Okamoto/Uchiyama)
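
Added example, not taken from the slides: the collision $f(r, m) = f(r + ipq, m - i r^{-1} pq)$ and the effect of restricting messages to $\mathbb{Z}_{pq}$, on a constructed toy key. The `decrypt` routine is an assumption derived here from the trapdoor $d = n^{-1} \bmod \varphi(pq)$; the slides do not state a decryption procedure.

```python
# Toy key, constructed for illustration; real keys use large secret primes.
P, Q = 1009, 1013
PQ, N = P * Q, P * P * Q
N2 = N * N
D = pow(N, -1, (P - 1) * (Q - 1))    # d = n^-1 mod phi(pq)

def f(r, m):
    """The slide's map: r^n (1 + m n) mod n^2."""
    return pow(r, N, N2) * (1 + m * N) % N2

def second_preimage(r, m, i):
    """The slide's collision: (r + i pq, m - i r^-1 pq), reduced mod n."""
    r_inv = pow(r, -1, N)
    return (r + i * PQ) % N, (m - i * r_inv * PQ) % N

def decrypt(c):
    """Assumed decryption for m in Z_pq (derived here, not on the slides)."""
    r0 = pow(c % PQ, D, PQ)           # r mod pq, because c = r^n (mod n)
    u = c * pow(r0, -N, N2) % N2      # = 1 + n (m + k pq) mod n^2 for some k
    return (u - 1) // N % PQ          # the k pq term vanishes mod pq

def add_encrypted(c1, c2):
    """Homomorphic property: multiplying ciphertexts adds plaintexts mod pq."""
    return c1 * c2 % N2

if __name__ == "__main__":
    r, m = 123456, 424242             # constructed sample inputs, m < pq
    c = f(r, m)
    r2, m2 = second_preimage(r, m, 3)
    print("collision:", f(r2, m2) == c, " m2 mod pq == m:", m2 % PQ == m)
    print("decrypt:", decrypt(c) == m)
    print("homomorphic:", decrypt(add_encrypted(c, f(77, 1000))) == m + 1000)
```

Both colliding preimages carry the same message modulo pq, which is why decryption is unambiguous once the message space is restricted to $\mathbb{Z}_{pq}$.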
Trapdoor Hashing
[Figure: hash]
- blinding: hash values of different messages are indistinguishable
- binding: without secret key no one can find collisions
Weak altering trapdoor collisions:
[Figure: trap-coll, such that: hash]
- uniformity: trapdoor hashes are indistinguishable from real hashes
Strong altering trapdoor collisions:
[Figure: trap-coll, such that: hash]
- uniformity: trapdoor hashes are indistinguishable from real hashes
On-line/Off-line Signatures
Ordinary signatures:
[Figure: sign]
On-line/off-line signatures:
[Figure: precomputation (off-line phase), then sign (on-line phase)]
Invented 1996 by Even/Goldreich/Micali
Improved construction 2001 by Shamir/Tauman
Shamir-Tauman On-line/Off-line Signatures
Key generation:
1. generate sign keys
2. generate hash keys
3. publish
Off-line phase:
[Figure labels: hash; dummy message; dummy coins]
1. create hash
2. sign hash
On-line phase:
[Figure labels: trap-coll; message to be signed; Signature]
Shamir-Tauman On-line/Off-line Signatures, cont'd
Efficiency
- overhead: weakly trapdoor altering (on-line)
  ↪ weakly trapdoor altering should be extremely fast
Security
- weakly secure signature scheme + weak trapdoor hash
  ⇒ strongly secure on-line/off-line signature scheme
- even more weakly secure signature scheme + strong trapdoor hash
  ⇒ strongly secure on-line/off-line signature scheme
Conclusion
We need a strong trapdoor hash with extremely fast weak trapdoor altering.
A New Trapdoor Hash for Shamir-Tauman On-Off Sigs
Theorem
$\{0,1\}^l \times \mathbb{Z}_{pq} \to \text{N-R}(n),\quad (m, r) \mapsto (m\|r)^n \bmod n$
is a strong trapdoor hash with extremely fast weak altering
($n = p^2 q$, message-length $l$: $|(m\|r)|_2 < |n|_2$)
length-restrictions: $\neq \bmod n$
binding: $(m_0\|r_0)^n = (m_1\|r_1)^n \bmod n \iff m_0\|r_0 = m_1\|r_1 \bmod pq$
weakly trapdoor altering: given: $m$, $r$ and $m_t$ ($h = (m\|r)^n \bmod n$)
wanted: $r_t$ s.t. $m\|r = m_t\|r_t \bmod pq$
↪ $r_t = 2^{l+1}(m - m_t) + r \bmod pq$ (fast!).
strongly trapdoor altering: given: hash $h$ and message $m_t$
wanted: $r_t$ s.t. $(m_t\|r_t)^n = h \bmod n$
↪ $r_t = h^{1/n} - 2^{l+1} m_t \bmod pq$
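
Added example, not taken from the slides: the hash $(m\|r)^n \bmod n$ with weak and strong trapdoor altering on a constructed toy key, plus a check that any collision reveals pq, which is the reason binding rests on factoring. The encoding of $m\|r$ as `(m << SHIFT) + r` and the names `SHIFT` and `MSG_BITS` are assumptions; the slide writes the shift factor as $2^{l+1}$.

```python
from math import gcd

# Toy key, constructed for illustration; real keys use large secret primes.
P, Q = 1009, 1013
PQ, N = P * Q, P * P * Q
D = pow(N, -1, (P - 1) * (Q - 1))      # strong trapdoor: d = n^-1 mod phi(pq)

# Assumed encoding of m||r: m is shifted left past r. SHIFT is the bit
# length of pq so that every r in Z_pq fits below the message bits.
SHIFT = PQ.bit_length()
MSG_BITS = N.bit_length() - SHIFT - 1   # enforces |m||r| < |n|

def concat(m, r):
    assert 0 <= m < 2 ** MSG_BITS and 0 <= r < PQ
    return (m << SHIFT) + r

def th(m, r):
    """Trapdoor hash (m||r)^n mod n."""
    return pow(concat(m, r), N, N)

def weak_alter(m, r, m_t):
    """Knowing (m, r) and pq: one add, one shift, one reduction mod pq."""
    return (((m - m_t) << SHIFT) + r) % PQ

def strong_alter(h, m_t):
    """Knowing only h and d: take the n-th root mod pq, then subtract."""
    return (pow(h % PQ, D, PQ) - (m_t << SHIFT)) % PQ

def pq_from_collision(m0, r0, m1, r1):
    """Two distinct preimages differ by a multiple of pq, so gcd yields pq."""
    return gcd(concat(m0, r0) - concat(m1, r1), N)

if __name__ == "__main__":
    m, r = 300, 555555                  # constructed sample inputs
    h = th(m, r)
    r_w = weak_alter(m, r, 17)
    r_s = strong_alter(h, 99)
    print("weak collision:", th(17, r_w) == h)
    print("strong collision:", th(99, r_s) == h)
    print("collision reveals pq:", pq_from_collision(m, r, 17, r_w) == PQ)
```

Because one published collision is enough to recover pq, a trapdoor holder who reveals a collision also reveals the hash key.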
Comparison
Scheme   | Assumption | strong | hash            | weak alt.
[BK90]   | DL         | NO     | ≈ 1 exp.        | ≈ 1 mult.
[KR00]   | FACT       | YES    | ≈ $|m|_2$ mult. | ≈ 5 mult.
[ST01]   | FACT       | NO     | 1 exp.          | 1 add. + bit shift
proposed | FACT       | YES    | 1 exp.          | 1 add. + bit shift
Table: Comparison of trapdoor hash families suitable for [ST01]
Chameleon Signatures
Problem in ordinary dig sig schemes
sig can be verified by everyone ↪ recipient can show sig around
Solutions
- Chaum 1990: Undeniable sigs, using complex ZK proofs
- Krawczyk, Rabin 1998: use hash-then-sign paradigm with trapdoor hash (recipient = trapdoor holder)
  - recipient can forge sigs of messages of his choice ↪ no third party will be convinced of authenticity
  - signer can deny forged sigs by presenting hash collision
  - on-line/off-line trapdoor hash enhances signing efficiency
A New On-line/Off-line Trapdoor Hash
Theorem
Let $n = p^2 q$. Then
$\{0,1\}^l \times \mathbb{Z}_n^\times \times \{0,1\}^k \to \text{N-R}(n),\quad (m, r, s) \mapsto (1 + (m\|s)n)\, r^n \bmod n^2$
is an on-line-off-line trapdoor hash
(length $l$, $k$: $|(m\|s)|_2 < |n|_2 \wedge s > pq$).
First FACT-based on-off trapdoor hash suitable for chameleon signatures
Conclusion
- proposed new trapdoor permutations based on factoring $n = p^2 q$
- analyzed Paillier modulo $p^2 q$
- designed new practical trapdoor hashes
Thanks for your attention!
References
[BK90] J. F. Boyar and S. A. Kurtz. A discrete logarithm implementation of perfect zero-knowledge blobs. Journal of Cryptology, 2(2):63–76, 1990.
[KR00] H. Krawczyk and T. Rabin. Chameleon signatures. In NDSS. The Internet Society, 2000.
[ST01] A. Shamir and Y. Tauman. Improved online/offline signature schemes. In Joe Kilian, editor, CRYPTO, volume 2139 of Lecture Notes in Computer Science, pages 355–367. Springer, 2001.