A New Rabin-type Trapdoor Permutation and its Applications Katja Schmidt-Samoa TU Darmstadt STM 2005



Outline

1. Trapdoor one-way Permutations: Definition and Examples; New Provably Secure Trapdoor OW Permutations

2. Applications: Hybrid Encryption; Trapdoor Hashing

K. Schmidt-Samoa A New Rabin-type Trapdoor Permutation


Informal Def. of Trapdoor OW Permutations

Definition

$F = \{f_i \mid f_i : A_i \to B_i,\ f_i \text{ is bijective}\}$ is a family of trapdoor one-way permutations if for all $i$:

- $f_i$ is easy to compute
- $f_i$ is hard to invert
- a trapdoor $s_i$ exists s.t. inverting $f_i$ is easy knowing $s_i$

and

- $F$ is easy to sample

[Figure: computing $f(x)$ from $x$ is easy; recovering $x$ from $f(x)$ is hard, but easy with the trapdoor]


Trapdoor OW Permutations in Cryptography

Used for public key encryption, digital signatures, private information retrieval, . . .

↪→ of prime importance!

. . . BUT . . .

Existence (of OW functions) is unproven to date!

Alternative: provably secure trapdoor OW permutations

break one-wayness ⇒ solve presumably hard problem

BUT: only very few candidates are known


Famous Candidates for Trapdoor OW Functions

RSA permutation (1978)

$n = pq$, $\gcd(e, \varphi(n)) = 1$

$\mathbb{Z}_n^\times \to \mathbb{Z}_n^\times$, $x \mapsto x^e \bmod n$

Trapdoor: $d = e^{-1} \bmod \varphi(n)$

Hard problem: RSA

Rabin (1979)

$n = pq$

$\mathbb{Z}_n^\times \to QR(n)$, $x \mapsto x^2 \bmod n$

Trapdoor: $p, q$

Hard problem: FACT

NO injection (4-to-1), but: $p \equiv q \equiv 3 \pmod 4$ ⇒ squaring mod $n = pq$ is a permutation on $QR(n)$ (Blum-Williams)


New Trapdoor OW Permutations

$p, q \in \mathrm{PRIMES}(k)$, $n = p^2 q$

Definition (Set of $n$-th residues mod $n$)

$N\text{-}R(n) := \{x \in \mathbb{Z}_n^\times \mid x = y^n \bmod n \text{ for a } y \in \mathbb{Z}_n^\times\}$

Theorem

$x^n = y^n \bmod n \iff x = y \bmod pq$.

⇓

Theorem

If factoring $n = p^2 q$ is hard, then

$f_{N\text{-}R} : N\text{-}R(n) \to N\text{-}R(n)$, $x \mapsto x^n \bmod n$

and

$f_{pq} : \mathbb{Z}_{pq}^\times \to N\text{-}R(n)$, $x \mapsto x^n \bmod n$

are trapdoor OW permutations (trapdoor: $d = n^{-1} \bmod \varphi(pq)$)
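The two permutations above, worked through in code; this is an added example and not code from the slides or the paper. It uses constructed toy primes $p = 11$, $q = 13$ (so $n = 1573$) to make $N\text{-}R(n)$ enumerable, assumes $\gcd(n, \varphi(pq)) = 1$ so that the trapdoor $d$ exists, and inverts $f_{N\text{-}R}$ by the route the theorem suggests: the preimage of $c$ is the unique $n$-th residue congruent to $c^d \bmod pq$.

```python
from math import gcd

def keygen(p, q):
    """Toy parameters: the slide takes p, q in PRIMES(k). Public modulus
    n = p^2 q, trapdoor d = n^{-1} mod phi(pq). d exists only when
    gcd(n, phi(pq)) = 1 (assumption, checked here)."""
    n = p * p * q
    phi_pq = (p - 1) * (q - 1)
    if gcd(n, phi_pq) != 1:
        raise ValueError("n has no inverse modulo phi(pq)")
    d = pow(n, -1, phi_pq)
    return n, (d, p, q)

def f(n, x):
    """Forward map shared by f_pq and f_NR: x -> x^n mod n."""
    return pow(x, n, n)

def in_nth_residues(x, p, q):
    """Membership test from the 'Similarities' slide: x in N-R(n)
    <=> x^(p-1) = 1 mod p^2 (needs the factorisation, i.e. the trapdoor)."""
    return gcd(x, p * p * q) == 1 and pow(x, p - 1, p * p) == 1

def invert_fpq(c, sk):
    """Invert f_pq: Z*_pq -> N-R(n) with the trapdoor: c^d mod pq.
    Works because n*d = 1 mod phi(pq) and c = x^n mod pq."""
    d, p, q = sk
    return pow(c, d, p * q)

def invert_fnr(c, sk):
    """Invert f_NR: N-R(n) -> N-R(n). By the theorem (x^n = y^n mod n <=>
    x = y mod pq) the preimage is the unique n-th residue congruent to
    r = c^d mod pq; it is reached by lifting r through f_pq once more:
    x = (r^d mod pq)^n mod n."""
    d, p, q = sk
    n = p * p * q
    r = pow(c, d, p * q)        # the preimage reduced mod pq
    y = pow(r, d, p * q)        # y in Z*_pq with y^n = r mod pq
    return pow(y, n, n)         # f_pq(y) lies in N-R(n) and equals r mod pq

def nth_residues(p, q):
    """Enumerate N-R(n) for toy parameters (infeasible at real key sizes)."""
    n = p * p * q
    return {x for x in range(1, n) if in_nth_residues(x, p, q)}
```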


Similarities between Proposal and Rabin

| Proposal | Rabin |
| $\mathbb{Z}_n^\times \to N\text{-}R(n)$ for $n = p^2 q$, $x \mapsto x^n \bmod n$ | $\mathbb{Z}_n^\times \to QR(n)$ for $n = pq$, $x \mapsto x^2 \bmod n$ |
| homomorph | homomorph |
| $p$-to-1 | 4-to-1 |
| non-trivial kernel element reveals fact. of $n$ | non-trivial kernel element reveals fact. of $n$ |
| restriction to $N\text{-}R(n)$ is permutation | restriction to $QR(n)$ is permutation ($p \equiv q \equiv 3 \pmod 4$) |
| restriction to $\mathbb{Z}_{pq}^\times$ is permutation | no analogue known |
| hard to distinguish $N\text{-}R(n)$ and $\mathbb{Z}_n^\times$ | hard to distinguish $QR(n)$ and $\mathbb{Z}_n^\times$ |
| above distinction is easy if fact. of $n$ is known: $x \in N\text{-}R(n) \iff x^{p-1} = 1 \bmod p^2$ | above distinction is easy if fact. of $n$ is known |


Hybrid Encryption

Problem

laborious key management in secret key cryptography, costly operations in public key cryptography

Solution

public key scheme that uses efficient secret key encryption as black box

↪→ hybrid encryption


Frameworks for Hybrid Encryption

Fujisaki/Okamoto 1998: two generic conversions (EPOC-1/2)

Okamoto/Pointcheval 2001: REACT conversion (EPOC-3)

Cramer/Shoup 2001: KEM/DEM framework

Abe/Kurosawa/Gennaro 2005: Tag-KEM/DEM framework

. . .


A New Tag-KEM

Key-Gen($1^k$): Choose $p, q \in \mathrm{PRIMES}(k)$. Compute $n = p^2 q$, $d = n^{-1} \bmod \varphi(pq)$. Define $rLen = 2k - 2$. Return $pk = (n, rLen)$ and $sk = (d, p, q)$.

KEM-Key($pk$): Choose $\omega \in \{0, 1, \ldots, 2^{rLen} - 1\}$. Compute $dk = G(\omega)$ (DEM key). Return $(\omega, dk)$.

Encap$_{pk}(\omega, \tau)$: Compute $c_1 = \omega^n \bmod n$. Compute $c_2 = H(\omega, \tau)$ (integrity check). Return $\Psi = (c_1, c_2)$.

Decap$_{sk}(\Psi, \tau)$: Parse $\Psi$ to $c_1, c_2$. Compute $r = c_1^d \bmod pq$. If $|r|_2 > rLen$ or $H(r, \tau) \neq c_2$, return $\bot$, else return $G(r)$.
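The four Tag-KEM algorithms above as runnable code; this is an added example, not the author's implementation. It assumes SHA-256 for the slide's unnamed functions $G$ and $H$, keeps $rLen$ inside $sk$ for convenience, and uses constructed toy primes $p = 11$, $q = 13$ ($k = 4$, so $rLen = 6$ and $\omega < 64 < pq = 143$). The decapsulation check is what a defender should watch: a modified tag $\tau$ or a modified $c_1$ must make Decap return $\bot$ rather than a key.

```python
import hashlib
import hmac
import secrets

def tagkem_keygen(p, q):
    """Key-Gen(1^k) with toy primes (k = 4 bits here): n = p^2 q,
    d = n^{-1} mod phi(pq), rLen = 2k - 2. rLen is also stored in sk so
    that Decap runs without pk (implementation convenience)."""
    k = p.bit_length()
    n = p * p * q
    d = pow(n, -1, (p - 1) * (q - 1))   # assumes gcd(n, phi(pq)) = 1
    r_len = 2 * k - 2
    return (n, r_len), (d, p, q, r_len)

def G(omega):
    """DEM key derivation. The slide only names G; SHA-256 is an assumption."""
    return hashlib.sha256(b"G|" + str(omega).encode()).digest()

def H(omega, tag):
    """Integrity check over (omega, tag). SHA-256 is again an assumption."""
    return hashlib.sha256(b"H|" + str(omega).encode() + b"|" + tag).digest()

def kem_key(pk, omega=None):
    """KEM-Key(pk): omega uniform in {0, ..., 2^rLen - 1}; returns (omega, dk).
    A fixed omega is accepted only to make tests deterministic."""
    _, r_len = pk
    if omega is None:
        omega = secrets.randbelow(2 ** r_len)
    return omega, G(omega)

def encap(pk, omega, tag):
    """Encap_pk(omega, tag): c1 = omega^n mod n (f_pq), c2 = H(omega, tag)."""
    n, _ = pk
    return pow(omega, n, n), H(omega, tag)

def decap(sk, psi, tag):
    """Decap_sk(Psi, tag): recover r = c1^d mod pq with the trapdoor, then
    return None (the slide's bottom symbol) unless r fits in rLen bits and
    the integrity check recomputed under *this* tag matches c2."""
    d, p, q, r_len = sk
    c1, c2 = psi
    r = pow(c1, d, p * q)
    if r.bit_length() > r_len or not hmac.compare_digest(H(r, tag), c2):
        return None
    return G(r)
```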


Comparison

| Scheme | assumpt. | encrypt | decrypt | pk |
| EPOC-2 | FACT | 7k/2 MM(3k) | 3k/2 MM(2k) + 7k/4 MM(k) | 9k |
| EPOC-3 | Gap-HR | 7k/2 MM(3k) | 3k/2 MM(2k) | 9k |
| Proposed | FACT | 9k/2 MM(3k) | 3k MM(k) | 3k |

Table: Comparison between proposed hybrid encryption scheme and EPOC-2/3

MM(k) = multiplication modulo k-bit number ($k = |p|_2 = |q|_2$)


Trapdoor Hashing

− blinding: hash values of different messages are indistinguishable

− binding: without secret key no one can find collisions

[Figure: hash(message, coins); with the trapdoor, trap-coll yields a second (message, coins) pair with the same hash value]

Weak altering trapdoor collisions:

uniformity: trapdoor hashes are indistinguishable from real hashes

Strong altering trapdoor collisions:

uniformity: trapdoor hashes are indistinguishable from real hashes


Comparison

| Scheme | Assumption | strong | hash | weak alt. |
| [BK90] | DL | NO | ≈ 1 exp. | ≈ 1 mult. |
| [KR00] | FACT | YES | ≈ $|m|_2$ mult. | ≈ 5 mult. |
| [ST01] | FACT | NO | 1 exp. | 1 add. + bit shift |
| proposed | FACT | YES | 1 exp. | 1 add. + bit shift |

Table: Comparison of trapdoor hash families suitable for Shamir-Tauman online-offline signatures [ST01]


Conclusion

- invented new trapdoor permutations based on factoring $n = p^2 q$
- proposed new hybrid encryption scheme
- designed new practical trapdoor hashes

Thanks for your attention!


The KEM/DEM Framework

Cramer/Shoup 2001

KEM (Key Encapsulation Mechanism)

Encapsulation: a random key $dk$ is generated; $dk$ is encrypted to $c$ with the public KEM-key

Decapsulation: $c$ is decrypted with the secret KEM-key

cf. public key encryption scheme without messages

DEM (Data Encapsulation Mechanism)

cf. secret key encryption scheme


The KEM/DEM Framework, cont'd

Generic method

Encryption:

$dk \leftarrow \text{KEM-Key}_{pk}$

$\tau \leftarrow \text{DEM-Enc}_{dk}(m)$

$\Psi \leftarrow \text{Encap}_{pk}(dk)$

Return $(\Psi, \tau)$

Decryption:

$dk \leftarrow \text{Decap}_{sk}(\Psi)$

$m \leftarrow \text{DEM-Dec}_{dk}(\tau)$

Return $m$

Security

CCA-secure KEM + CCA-secure DEM = CCA-secure KEM/DEM

adversary with adaptive oracle access to $\text{Decap}_{sk}$ cannot distinguish if a given DEM key is encapsulated in the challenge or not. Restriction: $\text{Decap}_{sk}$ must not be queried on the challenge.


The Tag-KEM/DEM Framework

Abe/Kurosawa/Gennaro 2005

Tag-KEM (Key Encapsulation Mechanism)

Encapsulation: a random key $dk$ is generated; $dk$ is encrypted to $c$ with the public KEM-key and the tag

Decapsulation: $c$ is decrypted with the secret KEM-key and the tag

DEM (Data Encapsulation Mechanism)

cf. secret key encryption scheme


The Tag-KEM/DEM Framework, cont'd

Generic method

Encryption:

$dk \leftarrow \text{KEM-Key}_{pk}$

$\tau \leftarrow \text{DEM-Enc}_{dk}(m)$

$\Psi \leftarrow \text{Encap}_{pk}(dk, \tau)$

Return $(\Psi, \tau)$

Decryption:

$dk \leftarrow \text{Decap}_{sk}(\Psi, \tau)$

$m \leftarrow \text{DEM-Dec}_{dk}(\tau)$

Return $m$

Security

CCA-secure tag-KEM: adversary with adaptive oracle access to $\text{Decap}_{sk}$ cannot distinguish if a given DEM key is encapsulated in the challenge or not. Restriction: $\text{Decap}_{sk}$ must not be queried on the challenge $(\Psi, \tau)$. Queries $(\Psi, \tau' \neq \tau)$ are ok

↪→ integrity of tag

↪→ DEM is required to be secure against passive attacks only


On-line/Off-line Signatures

Ordinary signatures: [Figure: message → sign → signature]

On-line/off-line signatures: [Figure: off-line phase (precomputation, before the message is known), then on-line phase (sign)]

Invented 1996 by Even/Goldreich/Micali

Improved Construction 2001 by Shamir/Tauman


Shamir-Tauman On-line Off-line Signatures

Key generation: 1. generate sign keys; 2. generate hash keys; 3. publish

Off-line phase: 1. create hash (of a dummy message with dummy coins); 2. sign hash

On-line phase: trap-coll (on the message to be signed)

Signature: [Figure: the message to be signed together with the precomputed signature and the colliding coins]


Shamir-Tauman On-line Off-line Signatures, cont'd

Efficiency

overhead: weakly trapdoor altering (on-line)

↪→ weak trapdoor altering should be extremely fast

Security

weakly secure signature scheme + weak trapdoor hash ⇒ strongly secure on-line/off-line signature scheme

even more weakly secure signature scheme + strong trapdoor hash ⇒ strongly secure on-line/off-line signature scheme

Conclusion

We need a strong trapdoor hash with extremely fast weak trapdoor altering.


[BK90] J. F. Boyar and S. A. Kurtz. A discrete logarithm implementation of perfect zero-knowledge blobs. Journal of Cryptology, 2(2):63–76, 1990.

[KR00] H. Krawczyk and T. Rabin. Chameleon signatures. In NDSS. The Internet Society, 2000.

[ST01] A. Shamir and Y. Tauman. Improved online/offline signature schemes. In Joe Kilian, editor, CRYPTO, volume 2139 of Lecture Notes in Computer Science, pages 355–367. Springer, 2001.
