

Post on 22-Dec-2015






Page 1: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Author: Pascal Paillier Presenter: 陳國璋 [Published in J. Stern, Ed., Advances in

Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Author: Pascal Paillier; Presenter: 陳國璋

[Published in J. Stern, Ed., Advances in Cryptology- EUROCRYPT'99, vol. 1592 of Lecture Notes in Computer Science, pp. 223-238, Springer-Verlag, 1999.]



Outline:
Introduction
Notation and math. assumption
Scheme 1
Scheme 2
Scheme 3
Properties
Conclusion



Two main trapdoor techniques: RSA and Diffie-Hellman.

A new technique is proposed: Composite Residuosity.

A new computational problem is proposed: the Composite Residuosity Class Problem.



Three homomorphic encryption schemes built on the above assumption are proposed, among them a new trapdoor permutation.

They satisfy semantic security; however, the author does not prove it.


Notation and math. assumption (1/10)

p, q are two large primes; n = pq.
Euler phi-function: $\varphi(n) = (p-1)(q-1)$.
Carmichael function: $\lambda(n) = \mathrm{lcm}(p-1, q-1)$.
$|\mathbb{Z}_{n^2}^*| = \varphi(n^2) = n\varphi(n)$.
For any $w \in \mathbb{Z}_{n^2}^*$: $w^\lambda \equiv 1 \pmod n$ and $w^{n\lambda} \equiv 1 \pmod{n^2}$.


Notation and math. assumption (2/10)

RSA[n,e] problem: extracting e-th roots modulo n, where n = pq.

Relation $P_1 \Leftarrow P_2$ (resp. $P_1 \equiv P_2$) denotes that problem $P_1$ is polynomially reducible to (resp. equivalent to) problem $P_2$.

n-th residue modulo $n^2$: a number $z$ is an n-th residue modulo $n^2$ if there exists a number $y$ such that $z = y^n \bmod n^2$.


Notation and math. assumption (3/10)

CR[n] problem: deciding n-th residuosity.

Like deciding quadratic or higher degree residuosity, CR[n] is a random-self-reducible problem.

Decisional composite residuosity assumption: there exists no polynomial-time distinguisher for n-th residues modulo $n^2$, i.e. CR[n] is intractable.


Notation and math. assumption (4/10)




Let $B_\alpha \subset \mathbb{Z}_{n^2}^*$ be the set of elements of order $n\alpha$, and $B = \bigcup_\alpha B_\alpha$ for $\alpha = 1, \dots, \lambda$.

For $g \in B$, $\varepsilon_g : \mathbb{Z}_n \times \mathbb{Z}_n^* \to \mathbb{Z}_{n^2}^*$ is the integer-valued function defined by
$\varepsilon_g(x, y) = g^x y^n \bmod n^2$.


Notation and math. assumption (5/10)

If $\mathrm{order}(g) = kn$ with $k \neq 0$, i.e. the order of $g$ is a nonzero multiple of $n$, then $\varepsilon_g$ is bijective: domain and co-domain both have order $n\varphi(n)$ and the function is 1-to-1.

For $g \in B$ and $w \in \mathbb{Z}_{n^2}^*$, we call the n-th residuosity class of $w$ with respect to $g$ the unique integer $x \in \mathbb{Z}_n$ such that there exists $y \in \mathbb{Z}_n^*$ with $\varepsilon_g(x, y) = w$.
The class of $w$ is denoted $[w]_g$.


Notation and math. assumption (6/10)

$[w]_g = 0$ iff $w$ is an n-th residue modulo $n^2$.

$\forall w_1, w_2 \in \mathbb{Z}_{n^2}^*$: $[w_1 w_2]_g = [w_1]_g + [w_2]_g \bmod n$,
i.e. the class function $w \mapsto [w]_g$ is a homomorphism from $(\mathbb{Z}_{n^2}^*, \times)$ to $(\mathbb{Z}_n, +)$.


Notation and math. assumption (7/10)

Class[n,g] problem: computing the class function in base g. Given $w \in \mathbb{Z}_{n^2}^*$, compute $[w]_g$.

Random-self-reducible problem: the bases g are independent, i.e. the difficulty does not depend on which $g \in B$ is used.


Notation and math. assumption (8/10)

Class[n] problem (composite residuosity class problem): given $w \in \mathbb{Z}_{n^2}^*$ and $g \in B$, compute $[w]_g$.

Class[n] $\Leftarrow$ Fact[n].

$\forall g_1, g_2 \in B$: $[g_1]_{g_2}\,[g_2]_{g_1} \equiv 1 \pmod n$.


Notation and math. assumption (9/10)



The set $S_n = \{\, u < n^2 \mid u \equiv 1 \pmod n \,\}$ is a multiplicative subgroup of the integers modulo $n^2$, over which the function $L$ such that $\forall u \in S_n,\ L(u) = \frac{u-1}{n}$ is clearly well-defined.

$\forall w \in \mathbb{Z}_{n^2}^*$: $L(w^\lambda \bmod n^2) = \lambda\,[w]_{1+n} \bmod n$.


Notation and math. assumption (10/10)

Class[n] $\Leftarrow$ RSA[n,n].

D-Class[n] problem (decisional Class[n] problem): given $w \in \mathbb{Z}_{n^2}^*$, $g \in B$, $x \in \mathbb{Z}_n$, decide whether $x = [w]_g$ or not.

CR[n] $\Leftarrow$ D-Class[n] $\Leftarrow$ Class[n] $\Leftarrow$ RSA[n,n] $\Leftarrow$ Fact[n].


Scheme 1(1/6)

New probabilistic encryption scheme.

Set $n = pq$ and a random base $g \in B$ s.t. $\gcd(L(g^\lambda \bmod n^2), n) = 1$.
$(n, g)$ as public parameters; $(p, q)$ (or $\lambda$) as private pair.


Scheme 1 (2/6)






Encryption: plaintext $m < n$; random number $r < n$;
ciphertext $c = g^m r^n \bmod n^2$, i.e. $c = \varepsilon_g(m, r)$.
(Trapdoor function with $\lambda$ as the trapdoor secret; one-wayness iff Class[n] holds.)

Decryption: ciphertext $c < n^2$;
plaintext $m = \dfrac{L(c^\lambda \bmod n^2)}{L(g^\lambda \bmod n^2)} \bmod n$.


Scheme 1 (3/6)

One-way function: given x, computing f(x) = y is easy; given y, finding x s.t. f(x) = y is hard.

One-way trapdoor: f() is a one-way function, and given a secret s and y, finding x s.t. f(x) = y is easy.

Trapdoor permutation: f() is a one-way trapdoor and f() is bijective.


Scheme 1 (4/6)



For example:
$p = 5$, $q = 7$, $n = 5 \cdot 7 = 35$, $n^2 = 1225$;
$\varphi(n) = 4 \cdot 6 = 24$; $\lambda(n) = \mathrm{lcm}(4, 6) = 12$.
Take $g = 13$ s.t. $\gcd(L(13^{12} \bmod 1225), 35) = 1$.
Let $m = 23$, $r = 19$.
Enc: $c = 13^{23} \cdot 19^{35} \bmod 1225 = 53$.
Dec: $m = \dfrac{L(53^{12} \bmod 1225)}{L(13^{12} \bmod 1225)} \bmod 35 = \dfrac{24}{33} \bmod 35 = 24 \cdot 33^{-1} \bmod 35 = 23$.



Scheme 1 (5/6)

Scheme 1 is one-way ⇔ the Computational composite residuosity assumption (Class[n] problem) holds: inverting the scheme is, by definition, the composite residuosity class problem.


Scheme 1 (6/6)

Scheme 1 is semantically secure ⇔ the Decisional composite residuosity assumption (CR[n] problem) holds.
$m_0, m_1$: known messages; $c$: ciphertext of either $m_0$ or $m_1$.
$[w]_g = 0$ iff $w$ is an n-th residue modulo $n^2$, so $c = \varepsilon_g(m_0, r)$ iff $c\,g^{-m_0} \bmod n^2$ is an n-th residue modulo $n^2$. Vice-versa.


Scheme 2 (1/5)

New one-way trapdoor permutation.

Set $n = pq$ and a random base $g \in B$ s.t. $\gcd(L(g^\lambda \bmod n^2), n) = 1$.
$(n, g)$ as public parameters; $(p, q)$ (or $\lambda$) as private pair.


Scheme 2 (2/5)

Encryption: plaintext $m < n^2$, split as $m = m_1 + n m_2$;
ciphertext $c = g^{m_1} m_2^{\,n} \bmod n^2$, i.e. $c = \varepsilon_g(m_1, m_2)$.
(The permutation comes from the bijectivity of $\varepsilon_g$; trapdoorness iff the factorization of $n$; one-way iff RSA[n,n] is hard.)


Scheme 2 (3/5)

Decryption: ciphertext $c < n^2$.
Step 1: $m_1 = \dfrac{L(c^\lambda \bmod n^2)}{L(g^\lambda \bmod n^2)} \bmod n$ (retrieves $m \bmod n$ as in Scheme 1).
Step 2: $c' = c\, g^{-m_1} \bmod n$ (recovers $m_2^{\,n} \bmod n$).
Step 3: $m_2 = c'^{\,n^{-1} \bmod \lambda} \bmod n$ (RSA decryption with public exponent $e = n$).
$m = m_1 + n m_2$.


Scheme 2 (4/5)

For example:
$p = 5$, $q = 7$, $n = 5 \cdot 7 = 35$, $n^2 = 1225$;
$\varphi(n) = 4 \cdot 6 = 24$; $\lambda(n) = \mathrm{lcm}(4, 6) = 12$.
Take $g = 13$ s.t. $\gcd(L(13^{12} \bmod 1225), 35) = 1$.
Let $m = 1178 = 23 + 35 \cdot 33$, i.e. $m_1 = 23$, $m_2 = 33$.
Enc: $c = 13^{23} \cdot 33^{35} \bmod 1225 = 4$.
Dec: $m_1 = 23$;
$c' = 4 \cdot 13^{-23} \bmod 35 = 17$;
$35^{-1} \bmod 12 = 11$;
$m_2 = 17^{11} \bmod 35 = 33$.
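As an added worked example (my own code, not from the slides or the paper), Scheme 1 and the Scheme 2 permutation in Python, including the base check $\gcd(L(g^\lambda \bmod n^2), n) = 1$ from the key setup; the function names are my own, and the `__main__` block reproduces the toy parameters above ($p = 5$, $q = 7$, $g = 13$):

```python
from math import gcd, lcm

def L(u, n):
    """L(u) = (u - 1)/n on S_n = {u < n^2 : u = 1 mod n}."""
    assert u % n == 1, "u is not in S_n"
    return (u - 1) // n

def keygen(p, q, g):
    """Return (n, lambda) after the slides' base check: gcd(L(g^lambda mod n^2), n) = 1."""
    n, lam = p * q, lcm(p - 1, q - 1)
    if gcd(L(pow(g, lam, n * n), n), n) != 1:
        raise ValueError("g is not a usable base")
    return n, lam

def residuosity_class(w, n, g, lam):
    """[w]_g = L(w^lambda mod n^2) / L(g^lambda mod n^2) mod n; needs the trapdoor lambda."""
    n2 = n * n
    return L(pow(w, lam, n2), n) * pow(L(pow(g, lam, n2), n), -1, n) % n

def enc1(m, r, n, g):
    """Scheme 1: c = g^m r^n mod n^2 for m < n and r in Z_n^*."""
    assert 0 <= m < n and gcd(r, n) == 1
    n2 = n * n
    return pow(g, m, n2) * pow(r, n, n2) % n2

def dec1(c, n, g, lam):
    """Scheme 1 decryption is exactly the class function in base g."""
    return residuosity_class(c, n, g, lam)

def enc2(m, n, g):
    """Scheme 2: split m = m1 + n*m2 (m < n^2, m2 in Z_n^*), c = g^m1 m2^n mod n^2."""
    m1, m2 = m % n, m // n
    assert 0 <= m < n * n and gcd(m2, n) == 1
    n2 = n * n
    return pow(g, m1, n2) * pow(m2, n, n2) % n2

def dec2(c, n, g, lam):
    """Scheme 2 decryption in the slides' three steps; assumes gcd(n, lambda) = 1."""
    m1 = residuosity_class(c, n, g, lam)        # step 1: m mod n, as in Scheme 1
    c_prime = c * pow(g, -m1, n) % n            # step 2: c' = c g^-m1 = m2^n mod n
    m2 = pow(c_prime, pow(n, -1, lam), n)       # step 3: RSA decryption, e = n
    return m1 + n * m2

if __name__ == "__main__":
    n, lam = keygen(5, 7, 13)                   # toy key from the slides
    print(enc1(23, 19, n, 13), dec1(53, n, 13, lam))   # 53 23
    print(enc2(1178, n, 13), dec2(4, n, 13, lam))      # 4 1178
```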


Scheme 2 (5/5)

Digital signatures. Hash function $h : \{0,1\}^* \to \mathbb{Z}_{n^2}^*$ (messages seen as integers in $\mathbb{N}$). For a message $m$, the signer computes the signature $(s_1, s_2)$:
$s_1 = \dfrac{L(h(m)^\lambda \bmod n^2)}{L(g^\lambda \bmod n^2)} \bmod n$,
$s_2 = \left(h(m)\, g^{-s_1}\right)^{1/n \bmod \lambda} \bmod n$.
Verification: $h(m) \overset{?}{=} g^{s_1} s_2^{\,n} \bmod n^2$.
Based on RSA[n,n].


Scheme 3 (1/4)

Reduces the decryption cost by restricting the ciphertext space $\mathbb{Z}_{n^2}^*$ to the subgroup $\langle g \rangle$ of smaller order.

If $g \in B_\alpha$ with $1 \le \alpha \le \lambda$ (the order of $g$ is $\alpha n$), then $\forall w \in \langle g \rangle$:
$[w]_g = \dfrac{L(w^\alpha \bmod n^2)}{L(g^\alpha \bmod n^2)} \bmod n$.


Scheme 3 (2/4)

Encryption: plaintext $m < n$, random number $r < n$;
ciphertext $c = g^{m + nr} \bmod n^2$.
(Trapdoor function with $\alpha$ as secret key; one-way iff PDL[n,g].)

Decryption: ciphertext $c < n^2$;
plaintext $m = \dfrac{L(c^\alpha \bmod n^2)}{L(g^\alpha \bmod n^2)} \bmod n$.


Scheme 3(3/4)

PDL[n,g] problem (partial discrete logarithm problem): given $w \in \langle g \rangle$, compute $[w]_g$.

D-PDL[n,g] problem (decisional partial discrete logarithm problem): given $w \in \langle g \rangle$ and $x \in \mathbb{Z}_n$, decide whether $[w]_g = x$.


Scheme 3(4/4)

Scheme 3 is one-way ⇔ PDL[n,g] is hard. Scheme 3 is semantically secure ⇔ D-PDL[n,g] is hard.

PDL[n,g] $\Leftarrow$ Class[n] and D-PDL[n,g] $\Leftarrow$ CR[n].



Random-Self-Reducibility: a good algorithm for the average case implies a good algorithm for the worst case.



Additive Homomorphic Properties

The two encryption functions $E(m, r) = g^m r^n \bmod n^2$ and $E(m) = g^{m + nr} \bmod n^2$ are additively homomorphic on $\mathbb{Z}_n$.
$\forall m_1, m_2 \in \mathbb{Z}_n$, $k \in \mathbb{N}$:
$D(E(m_1)\,E(m_2) \bmod n^2) = m_1 + m_2 \bmod n$
$D(E(m)^k \bmod n^2) = km \bmod n$
$D(E(m_1)\, g^{m_2} \bmod n^2) = m_1 + m_2 \bmod n$
$D(E(m_1)^{m_2} \bmod n^2) = D(E(m_2)^{m_1} \bmod n^2) = m_1 m_2 \bmod n$



Self-Blinding: any ciphertext can be publicly changed into another one without affecting the plaintext.
$\forall m \in \mathbb{Z}_n$, $r \in \mathbb{N}$: $D(E(m)\, r^n \bmod n^2) = m$ or $D(E(m)\, g^{nr} \bmod n^2) = m$.
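As an added example (my own code, not the presenter's or the paper's) of the additive homomorphic properties and the self-blinding described above, using Scheme 1 with the slides' toy key $n = 35$, $g = 13$, $\lambda = 12$; the function names are my own:

```python
from math import gcd

N, G, LAM = 35, 13, 12        # toy key from the slides: p = 5, q = 7, lambda = lcm(4, 6)
N2 = N * N

def L(u):
    """L(u) = (u - 1)/n for u = 1 mod n."""
    return (u - 1) // N

def enc(m, r):
    """E(m, r) = g^m r^n mod n^2 with m < n and r in Z_n^*."""
    assert 0 <= m < N and gcd(r, N) == 1
    return pow(G, m, N2) * pow(r, N, N2) % N2

def dec(c):
    """D(c) = L(c^lambda mod n^2) / L(g^lambda mod n^2) mod n."""
    return L(pow(c, LAM, N2)) * pow(L(pow(G, LAM, N2)), -1, N) % N

def add_ciphertexts(c1, c2):
    """D(E(m1) E(m2) mod n^2) = m1 + m2 mod n, computed without the key."""
    return c1 * c2 % N2

def add_plaintext(c, m2):
    """D(E(m1) g^m2 mod n^2) = m1 + m2 mod n."""
    return c * pow(G, m2, N2) % N2

def scalar_mul(c, k):
    """D(E(m)^k mod n^2) = k m mod n; with k = m2 this is m1 m2 mod n."""
    return pow(c, k, N2)

def reblind(c, r):
    """Self-blinding: E(m) r^n mod n^2 is a fresh ciphertext of the same m.
    Anyone can do this without the key, so two ciphertexts of one plaintext are
    unlinkable; the same malleability is why Scheme 1 alone is not CCA secure."""
    assert gcd(r, N) == 1
    return c * pow(r, N, N2) % N2

def demo():
    """Check each property on E(23) = 53 (the slides' ciphertext) and E(5)."""
    c23, c5 = enc(23, 19), enc(5, 4)
    blinded = reblind(c23, 2)
    return (dec(add_ciphertexts(c23, c5)),      # 23 + 5 = 28
            dec(add_plaintext(c23, 20)),        # (23 + 20) mod 35 = 8
            dec(scalar_mul(c23, 3)),            # 3 * 23 mod 35 = 34
            dec(scalar_mul(c23, 5)),            # 23 * 5 mod 35 = 10
            dec(blinded),                       # still 23 ...
            blinded != c23)                     # ... under a different ciphertext

if __name__ == "__main__":
    print(demo())       # (28, 8, 34, 10, 23, True)
```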


Conclusion (1/4)

Scheme              Main       Permutation   Fast Variant   RSA         ElGamal
One-wayness         Class[n]   RSA[n,n]      PDL[n,g]       RSA[n,F4]   DH[p]
Semantic security   CR[n]      none          D-PDL[n,g]     none        DDH[p]
Plaintext size      |n|        2|n|          |n|            |n|         |p|
Ciphertext size     2|n|       2|n|          2|n|           |n|         2|p|


Enc      Main     Permutation   Fast Variant   RSA   ElGamal
         5120     5120          4032           17    1536
         7680     7680          5568           17    2304
         10240    10240         7104           17    3072
         15360    15360         10176          17    4608
         20480    20480         13248          17    6144


Dec      Main     Permutation   Fast Variant   RSA   ElGamal
         768      1088          480            192   768
         1152     1632          480            288   1152
         1536     2176          480            384   1536
         2304     3264          480            576   2304
         3072     4352          480            768   3072



A new number-theoretic problem, Class[n], is proposed, together with a trapdoor mechanism based on composite degree residues.

Although no proof is given that the author's schemes resist CCA, the author believes that small modifications to Schemes 1 and 3 suffice to resist CCA, and that this can be proven in the random oracle model.