
3. Public key encryption


國立政治大學 National Chengchi University

• Honest-but-Curious adversary: Adversaries in this class follow the protocols or algorithms faithfully: they run normally, return correct values and tell the truth. Their only flaw is curiosity; they try to acquire more information or secrets than they were meant to learn.

• Malicious adversary: These adversaries do not follow the protocols and algorithms. They try their best to track or obtain the secrets: they might eavesdrop on all communication channels, tamper with messages, or even impersonate users or servers. These actions might break the cryptosystem, but they do not care.

3.2 Previous works

Since Rivest et al. [9] proposed the first public key encryption scheme, RSA, in 1983, numerous PKE schemes have been proposed to suit different algebraic structures, higher security levels and better efficiency, among other goals. For example, the original PKE scheme, RSA, was built over a cyclic group with a composite modulus; the ElGamal encryption [10] then moved the computation to a cyclic group with a prime modulus. Other PKE schemes may be based on bilinear maps or even lattices.

In this section, some previous PKE schemes are reviewed; some of them will be adopted as building blocks in later sections.

3.2.1 RSA

RSA [9] is the first public key encryption scheme, named after its authors Rivest, Shamir and Adleman, who won the 2002 Turing Award [52] for their contribution to public key encryption. Rather than the prime-modulus cyclic group defined in section 2.1.2, RSA works over a cyclic group with a composite modulus. The algorithms are briefly introduced below:

• $\mathit{Setup}(1^\kappa)$: No initialization is required in RSA, so the public parameter is merely $pp \leftarrow 1^\kappa$.

• $\mathit{KGen}(pp)$: On input the public parameter, a user computes $N \leftarrow pq$, where $p$ and $q$ are two large random primes of equal bit length, bounded by the security parameter $\kappa$. Let $\phi(\cdot)$ be Euler's totient function and $k \leftarrow \phi(N)$. The user randomly picks a public key $e \in \mathbb{Z}_k^*$ with $\gcd(e, k) = 1$ and computes the secret key $d$ with $ed \equiv 1 \pmod k$. It then publishes the public key $(e, N)$ and keeps the secret key $d$ private. The parameters $p$ and $q$ can be deleted after the secret key has been computed. It is worth remarking that finding the inverse of the public key $e$ is hard under the integer factoring assumption unless the confidential values $p$ and $q$ are known. The message space $\mathcal{M}$ is set to $\mathbb{Z}_N$.

• $\mathit{Enc}(pk, m)$: To encrypt a message $m$, the sender computes $C \equiv m^e \pmod N$.

• $\mathit{Dec}(sk, C)$: The receiver decrypts the ciphertext $C$ to obtain the hidden message $m$ through $m \equiv C^d \pmod N$.

Correctness: The RSA ciphertext decrypts properly as follows:

$$C^d \equiv m^{ed} \equiv m^{ed \bmod k} \equiv m \pmod N \tag{17}$$

Security notion

RSA is a deterministic encryption scheme, so it is not secure in the indistinguishability model. Deterministic means that the encryption takes no randomness into account: the same message $m$ under the same public key $pk$ always yields the same ciphertext $C$. In the indistinguishability games, an adversary given $pp$ and $pk$ can output its chosen messages $(m_0, m_1)$ and later distinguish the challenge $C^*$ by comparing it with $m_0^e$ and $m_1^e$. The whole process does not even rely on oracle access. RSA is therefore not IND-CPA secure.

It is remarkable that some variants of RSA overcome the determinism problem through padding. A padded message is the concatenation of a random number and a message, $m' \leftarrow r \| m$, where $r \xleftarrow{\$} \{0,1\}^{N - |\mathcal{M}|}$ and $m \in \mathcal{M}$ are the randomness and the message, respectively. Encryption and decryption remain $C \equiv m'^e \pmod N$ and $m' \equiv C^d \pmod N$; the only additional step is to compute $m \leftarrow \mathit{LSB}(m')$. Compared to the original RSA scheme, the RSA


secure or even IND-CCA2 secure; the drawback is that the message space shrinks dramatically from $\mathbb{Z}_N$ to the least significant $|\mathcal{M}|$ bits. The number $|\mathcal{M}|$ is necessarily small, because the remaining $N - |\mathcal{M}|$ bits, serving as the randomness, must be long enough to ensure security.

The symbols $\mathbb{Z}_N$, $\mathcal{M}$ and $\mathit{LSB}(\cdot)$ are defined in Table 1 at the beginning of chapter 2.
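To make the determinism argument concrete, here is an added example (not the thesis's code) of textbook RSA as recalled above, together with the padded variant $r \| m$. It assumes two well-known Mersenne primes for $p$ and $q$ (unequal in length, unlike the text, and far too small for real use) and draws $r$ from $|N| - 1 - |\mathcal{M}|$ bits so that $r \| m$ stays below $N$; `ind_cpa_distinguish` is the textbook adversary that re-encrypts both candidate messages, which is exactly why the scheme fails IND-CPA:

```python
# Added example (not the thesis's code): textbook RSA exactly as recalled
# above, plus the padded variant m' = r || m.  P and Q are well-known
# Mersenne primes chosen so the block runs offline; unlike the text they are
# of unequal length, and no parameter here is a real key size.
import math
import secrets

P = (1 << 61) - 1      # 2^61 - 1
Q = (1 << 89) - 1      # 2^89 - 1
MSG_BITS = 8           # |M| for the padded variant (constructed, deliberately tiny)


def rsa_kgen(p, q):
    """KGen(pp): N = p*q, k = phi(N), random e with gcd(e, k) = 1, d = e^-1 mod k."""
    N = p * q
    k = (p - 1) * (q - 1)                     # Euler's totient of N
    while True:
        e = secrets.randbelow(k - 2) + 2      # e in [2, k - 1]
        if math.gcd(e, k) == 1:
            break
    d = pow(e, -1, k)                         # ed = 1 (mod k); Python 3.8+
    return (e, N), d                          # p and q are no longer needed


def rsa_enc(pk, m):
    """Enc(pk, m): C = m^e mod N.  No randomness is involved."""
    e, N = pk
    return pow(m, e, N)


def rsa_dec(pk, sk, C):
    """Dec(sk, C): m = C^d mod N."""
    _, N = pk
    return pow(C, sk, N)


def ind_cpa_distinguish(pk, m0, m1, C):
    """The IND-CPA game against a deterministic scheme: the adversary encrypts
    both candidates itself and compares; no oracle is needed."""
    return 0 if rsa_enc(pk, m0) == C else 1


def rsa_pad_enc(pk, m, msg_bits=MSG_BITS):
    """Padded variant: m' = r || m with r drawn from {0,1}^(|N| - 1 - |M|) so
    that m' < N; the message occupies the least significant |M| bits."""
    _, N = pk
    assert 0 <= m < (1 << msg_bits)
    r = secrets.randbits(N.bit_length() - 1 - msg_bits)
    m_padded = (r << msg_bits) | m
    return rsa_enc(pk, m_padded)


def rsa_pad_dec(pk, sk, C, msg_bits=MSG_BITS):
    """m = LSB(m'): decrypt, then drop the random prefix."""
    m_padded = rsa_dec(pk, sk, C)
    return m_padded & ((1 << msg_bits) - 1)


if __name__ == "__main__":
    pk, sk = rsa_kgen(P, Q)
    m0, m1 = 1234567, 7654321
    print("textbook RSA is deterministic:", rsa_enc(pk, m0) == rsa_enc(pk, m0))
    print("adversary picks challenge bit:", ind_cpa_distinguish(pk, m0, m1, rsa_enc(pk, m1)))
    c1, c2 = rsa_pad_enc(pk, 200), rsa_pad_enc(pk, 200)
    print("padded RSA: same m, distinct C:", c1 != c2, "decrypts to", rsa_pad_dec(pk, sk, c1))
```

Running the block shows that two encryptions of the same message under textbook RSA coincide and that the adversary recovers the challenge bit without any oracle, whereas the padded variant yields distinct ciphertexts for the same message, at the price of a message space of only `MSG_BITS` bits out of the roughly 150-bit modulus.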

3.2.2 Paillier encryption

Paillier encryption [13], [14] is also an encryption scheme over cyclic groups with a composite modulus $N = pq$. Notably, its computations are carried out modulo $N^2$ rather than modulo $N$.

• $\mathit{Setup}(1^\kappa)$: No initialization is required in Paillier, so the public parameter is merely $pp \leftarrow 1^\kappa$.

• $\mathit{KGen}(pp)$: On input the public parameter, a user computes $N = pq$, where $p$ and $q$ are two large random primes of equal bit length, bounded by the security parameter $\kappa$. Let $\phi(\cdot)$ be Euler's totient function and $\lambda \leftarrow \phi(N)$. The user randomly picks an element $g \in \mathbb{Z}_{N^2}^*$ with $\gcd(g^\lambda, N) = 1$. It then publishes the public key $(g, N)$ and privately stores the secret key $\lambda$. The parameters $p$ and $q$ can be deleted after the secret key has been computed. It is worth remarking that finding the secret key $\lambda$ is hard under the integer factoring assumption unless the confidential values $p$ and $q$ are known. The message space $\mathcal{M}$ is set to $\mathbb{Z}_N$.

• $\mathit{Enc}(pk, m)$: To encrypt a message $m$, the sender selects a random number $r \xleftarrow{\$} \mathbb{Z}_{N^2}^*$ and computes $C \equiv g^m r^N \pmod{N^2}$.

• $\mathit{Dec}(sk, C)$: The receiver decrypts the ciphertext $C$ to obtain the hidden message $m$ through $m \equiv \dfrac{L(C^\lambda \bmod N^2)}{L(g^\lambda \bmod N^2)} \pmod N$, where $L(x) \overset{\text{def}}{=} \dfrac{x - 1}{N}$.

Correctness: The correctness of the Paillier ciphertext is a bit more involved. It decrypts properly as follows:

$$\frac{L(C^\lambda \bmod N^2)}{L(g^\lambda \bmod N^2)} \bmod N = \frac{L(g^{m\lambda} r^{\lambda N} \bmod N^2)}{L(g^\lambda \bmod N^2)} \bmod N = \frac{L(g^{m\lambda} \bmod N^2)}{L(g^\lambda \bmod N^2)} \bmod N \tag{18}$$

By the skillful design of the modulus $N^2$, the element $g$ satisfies the properties below:

1. $\forall g \in \mathbb{Z}_{N^2}^*:\ g^{\lambda N} \equiv 1 \pmod{N^2}$.

2. Since $1 + N \in \mathbb{Z}_{N^2}^*$, for all $g \in \mathbb{Z}_{N^2}^*$ there exist $a \in \mathbb{Z}_N$ and $b \in \mathbb{Z}_N^*$ such that $g \equiv (1 + N)^a b^N \pmod{N^2}$.

3. Following property 2, the explicit relation $\forall g \in \mathbb{Z}_{N^2}^*:\ g^\lambda \equiv 1 + a\lambda N \pmod{N^2}$ is obtained. The inference is straightforward by expanding the binomial:

$$g^\lambda = (1 + N)^{a\lambda} b^{\lambda N} \equiv (1 + N)^{a\lambda} = 1 + a\lambda N + \sum_{i=2}^{a\lambda} \binom{a\lambda}{i} N^i \equiv 1 + a\lambda N \pmod{N^2} \tag{19}$$

4. Following property 3, the relation $\forall g \in \mathbb{Z}_{N^2}^*,\ \forall m \in \mathbb{Z}_N:\ g^{m\lambda} \equiv 1 + am\lambda N \pmod{N^2}$ is obtained. The inference is similar to equation (19):

$$g^{m\lambda} \equiv (1 + a\lambda N)^m = 1 + am\lambda N + \sum_{i=2}^{m} \binom{m}{i} (a\lambda N)^i \equiv 1 + am\lambda N \pmod{N^2} \tag{20}$$

Substituting $g^\lambda \equiv 1 + a\lambda N \pmod{N^2}$ and $g^{m\lambda} \equiv 1 + am\lambda N \pmod{N^2}$, equation (18) becomes:

$$\frac{L(g^{m\lambda} \bmod N^2)}{L(g^\lambda \bmod N^2)} = \frac{am\lambda}{a\lambda} \equiv m \pmod N \tag{21}$$

Security notion

Being additively homomorphic, the Paillier encryption is at most IND-CCA secure.

Briefly, in the IND-CCA2 game, after the adversary outputs $(m_0, m_1)$ and receives the challenge $C^* \leftarrow g^{m_b} r^N$, it can send the decryption query $C' \leftarrow C^* s^N$ to the decryption oracle $\mathcal{O}_{\mathsf{Dec}}$ for some


adversary is absolutely able to win the IND-CCA2 game. Homomorphism and the security models IND-CCA and IND-CCA2 are discussed in later sections.

Paillier encryption has been widely applied. Some variants of Paillier encryption improve its security notion by disabling the homomorphism. One of the best-known applications is a public key encryption with a double trapdoor decryption mechanism [55].
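The following added example (not the thesis's code) implements Paillier exactly as recalled above, with $\lambda \leftarrow \phi(N)$ and $L(x) = (x - 1)/N$, checks property 1 numerically, and then exercises the two facts the security discussion rests on: multiplying ciphertexts adds plaintexts, and $C \cdot s^N$ is a fresh-looking ciphertext of the same plaintext. `P` and `Q` are well-known Mersenne primes of unequal length chosen so the block runs offline; the inverse of $L(g^\lambda \bmod N^2)$ stored beside $\lambda$ is an implementation convenience, not part of the secret key as the text defines it.

```python
# Added example (not the thesis's code): Paillier encryption as recalled above,
# with lambda = phi(N) and L(x) = (x - 1)/N, followed by the additive
# homomorphism and the re-randomisation C' = C * s^N used in the security
# discussion.  P and Q are well-known Mersenne primes (constructed choice,
# unequal lengths, far too small for real use).
import math
import secrets

P = (1 << 31) - 1      # 2^31 - 1
Q = (1 << 61) - 1      # 2^61 - 1


def L(x, N):
    """L(x) = (x - 1) / N; exact for every input below, since x = 1 (mod N)."""
    assert (x - 1) % N == 0
    return (x - 1) // N


def random_unit(bound, N):
    """Uniform value in [1, bound) that is coprime to N (hence a unit mod N^2)."""
    while True:
        v = secrets.randbelow(bound - 1) + 1
        if math.gcd(v, N) == 1:
            return v


def paillier_kgen(p, q):
    """KGen(pp): N = p*q, lambda = phi(N), random g in Z_{N^2}^*; the
    secret key is lambda plus the precomputed inverse of L(g^lambda mod N^2)."""
    N = p * q
    N2 = N * N
    lam = (p - 1) * (q - 1)
    while True:
        g = random_unit(N2, N)
        l_g = L(pow(g, lam, N2), N)           # = a*lambda (mod N) for g = (1+N)^a b^N
        if math.gcd(l_g, N) == 1:             # decryption divides by this value
            break
    return (g, N), (lam, pow(l_g, -1, N))


def paillier_enc(pk, m):
    """Enc(pk, m): C = g^m r^N mod N^2 with fresh random r."""
    g, N = pk
    N2 = N * N
    r = random_unit(N2, N)
    return pow(g, m, N2) * pow(r, N, N2) % N2


def paillier_dec(pk, sk, C):
    """Dec(sk, C): m = L(C^lambda mod N^2) / L(g^lambda mod N^2) mod N."""
    _, N = pk
    lam, l_g_inv = sk
    return L(pow(C, lam, N * N), N) * l_g_inv % N


def check_properties(pk, sk):
    """Property 1 (g^(lambda N) = 1 mod N^2) and the base of property 3
    (g^lambda = 1 mod N, so L is defined on it)."""
    g, N = pk
    lam, _ = sk
    N2 = N * N
    return pow(g, lam * N, N2) == 1 and pow(g, lam, N2) % N == 1


def add_ciphertexts(pk, C1, C2):
    """Additive homomorphism: Dec(C1 * C2) = m1 + m2 (mod N)."""
    _, N = pk
    return C1 * C2 % (N * N)


def rerandomize(pk, C):
    """C' = C * s^N mod N^2 is a different ciphertext of the same plaintext;
    a decryption oracle therefore cannot tell it apart from a fresh one."""
    _, N = pk
    N2 = N * N
    s = random_unit(N2, N)
    return C * pow(s, N, N2) % N2


if __name__ == "__main__":
    pk, sk = paillier_kgen(P, Q)
    m1, m2 = 12345, 67890
    C1, C2 = paillier_enc(pk, m1), paillier_enc(pk, m2)
    print("properties hold:", check_properties(pk, sk))
    print("Dec(C1) == m1:", paillier_dec(pk, sk, C1) == m1)
    print("Dec(C1*C2) == m1+m2:", paillier_dec(pk, sk, add_ciphertexts(pk, C1, C2)) == m1 + m2)
    print("re-randomised C decrypts to m1:", paillier_dec(pk, sk, rerandomize(pk, C1)) == m1)
```

The `rerandomize` function is the operation the IND-CCA2 discussion above refers to: the derived ciphertext is different from the challenge, so a decryption oracle that only refuses the literal challenge will decrypt it, which is why an additively homomorphic scheme cannot reach IND-CCA2.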

3.2.3 ElGamal encryption

The ElGamal encryption [10] is a PKE scheme based on the Diffie-Hellman key exchange [24] in a prime-modulus cyclic group. The algorithms are briefly recalled below:

• $\mathit{Setup}(1^\kappa)$: The algorithm takes as input a security parameter $1^\kappa$ and outputs a cyclic group as the public parameters $pp \leftarrow \{\mathbb{G}, q, p, g\}$, as defined in section 2.1.2. The message space $\mathcal{M}$ is set to the group $\mathbb{G}$.

• $\mathit{KGen}(pp)$: On input the public parameters, a user randomly picks $x \xleftarrow{\$} \mathbb{Z}_q$ as its private key and publishes the public key $y \leftarrow g^x$.

• $\mathit{Enc}(pk, m)$: To encrypt a message $m$, the sender randomly picks $r \xleftarrow{\$} \mathbb{Z}_q$ and computes $C \leftarrow (U, V)$ with $U \leftarrow g^r$ and $V \leftarrow m y^r$.

• $\mathit{Dec}(sk, C)$: The receiver decrypts the ciphertext $C$ to obtain the hidden message $m$ through $m \leftarrow V / U^x$.

Correctness: The ElGamal ciphertext decrypts properly as follows:

$$\frac{V}{U^x} = \frac{m y^r}{g^{xr}} = m \tag{22}$$


Security notion

ElGamal is IND-CCA secure [56]; its multiplicative homomorphism, however, bounds its security from above. Homomorphism is formally introduced in later sections; here it is treated simply as a computable property over ciphertexts. It is then easy to see why ElGamal is not IND-CCA2 secure. Let $pp$ and $pk$ be given to the adversary, which outputs its chosen $(m_0, m_1)$ and receives the challenge $C^* \leftarrow (g^r, m^* y^r)$ in the IND-CCA2 game. The challenge $C^*$ itself may not be sent to the decryption oracle $\mathcal{O}_{\mathsf{Dec}}$. The adversary can, however, send the derived ciphertext $C' \leftarrow (g^{r+s}, m^* y^{r+s})$ with $s \xleftarrow{\$} \mathbb{Z}_q$ to $\mathcal{O}_{\mathsf{Dec}}$. The simulator cannot recognise this situation, so it returns the decrypted $m^*$ and the adversary trivially wins the game. In other words, the decryption oracle of ElGamal encryption cannot detect the tampered ciphertext, so the scheme is at most IND-CCA secure rather than IND-CCA2 secure.

3.2.4 Cramer-Shoup encryption

The Cramer-Shoup encryption [11], [12] can be regarded as a variant of the ElGamal encryption that strengthens the security notion by breaking the homomorphism. At a high level, Cramer-Shoup inherits the cyclic group and the computations of ElGamal; in addition, it includes a proof value that stops adversaries from tampering with a ciphertext.

The algorithms are shown first; the security discussion follows.

• $\mathit{Setup}(1^\kappa)$: The algorithm takes as input a security parameter $1^\kappa$ and outputs a cyclic group $\{\mathbb{G}, q, p, g\}$ as defined in section 2.1.2. The message space $\mathcal{M}$ is set to the group $\mathbb{G}$. In addition, another group element $h \xleftarrow{\$} \mathbb{G}$ is chosen at random, such that the discrete logarithm of $h$ to the base $g$ is unknown. An extra hash function $H: \{0, 1\}^* \to \mathbb{Z}_q$ is also required. Finally, the public parameters are set as $pp \leftarrow \{\mathbb{G}, q, p, g, h, H\}$.

• $\mathit{KGen}(pp)$: On input the public parameters, a user randomly picks $(x_1, x_2, x_3, x_4, x_5) \xleftarrow{\$} \mathbb{Z}_q$ as its private key and publishes the public key $(c, d, y)$, where $c \leftarrow g^{x_1} h^{x_2}$, $d \leftarrow g^{x_3} h^{x_4}$ and $y \leftarrow g^{x_5}$.

• $\mathit{Enc}(pk, m)$: To encrypt a message $m$, the sender randomly picks $r \xleftarrow{\$} \mathbb{Z}_q$ and computes

$$C \leftarrow (U, V, W, X),\quad U \leftarrow g^r,\ V \leftarrow h^r,\ W \leftarrow m y^r,\ X \leftarrow (c d^{\xi})^r,\ \xi \leftarrow H(U, V, W) \tag{23}$$

• $\mathit{Dec}(sk, C)$: The receiver first computes $\xi \leftarrow H(U, V, W)$ and verifies whether $X = U^{x_1 + x_3\xi} V^{x_2 + x_4\xi}$. It aborts if the verification fails; otherwise, it decrypts the ciphertext $C$ to obtain the hidden message $m$ through $m \leftarrow W / U^{x_5}$.

Correctness: Decryption of a Cramer-Shoup ciphertext is identical to that of ElGamal:

$$\frac{W}{U^{x_5}} = \frac{m y^r}{g^{x_5 r}} = m \tag{24}$$

The verification before decryption follows from:

$$X = (c d^{\xi})^r = (g^{x_1} h^{x_2})^r (g^{x_3} h^{x_4})^{r\xi} = g^{r(x_1 + x_3\xi)} h^{r(x_2 + x_4\xi)} = U^{x_1 + x_3\xi} V^{x_2 + x_4\xi} \tag{25}$$

Security notion

Although the Cramer-Shoup encryption is an extension of the ElGamal encryption, it can be proved IND-CCA2 secure, also referred to as semantic security. The key difference is that the oracle can detect a tampered ciphertext, so the attack on ElGamal encryption no longer works. In other words, ciphertexts in the Cramer-Shoup encryption are no longer homomorphic (computable).

The detailed proof relies on the DDH hardness assumption and is formalized in [11], [12]. It is worth remarking that besides the indistinguishability games, another security notion called plaintext awareness (PA) [39], [51], [57] is also a common requirement for PKE schemes, and the Cramer-Shoup scheme is proved PA-secure in [57].
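The ElGamal and Cramer-Shoup discussion above can be run side by side. The added example below (not the thesis's code) builds the order-$q$ subgroup of $\mathbb{Z}_p^*$ for a freshly generated safe prime $p = 2q + 1$, implements both schemes as recalled in sections 3.2.3 and 3.2.4, and applies the same manipulation, moving $(U, V, W)$ from randomness $r$ to $r + s$, to a ciphertext of each: ElGamal's decryption returns the original message, while Cramer-Shoup's recomputed $\xi$ no longer fits the tag $X$ and `cs_dec` aborts. Assumptions not in the text: $H$ is SHA-256 reduced modulo $q$, $h = g^w$ for a discarded random $w$, and the 48-bit parameters are for a fast offline run, not a security level.

```python
# Added example (not the thesis's code): ElGamal and Cramer-Shoup over the
# order-q subgroup of Z_p^* for a safe prime p = 2q + 1 generated on the fly.
# H is SHA-256 mod q and h = g^w with w discarded (assumptions); parameter
# sizes are constructed for a fast offline run, not a real security level.
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin after trial division by a few small primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def setup(bits=48):
    """Setup(1^k): safe prime p = 2q + 1, generator g of the order-q subgroup,
    and a second element h = g^w whose exponent w is thrown away."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            break
    p = 2 * q + 1
    g = 4                                     # a square, hence of prime order q
    h = pow(g, secrets.randbelow(q - 1) + 1, p)
    return p, q, g, h


def rand_exp(q):
    return secrets.randbelow(q - 1) + 1       # uniform in [1, q - 1]


# ---- ElGamal (section 3.2.3) ---------------------------------------------
def eg_kgen(pp):
    p, q, g, _ = pp
    x = rand_exp(q)
    return pow(g, x, p), x                    # (pk = y = g^x, sk = x)

def eg_enc(pp, y, m):
    p, q, g, _ = pp
    r = rand_exp(q)
    return pow(g, r, p), m * pow(y, r, p) % p  # (U, V) = (g^r, m y^r)

def eg_dec(pp, x, C):
    p, *_ = pp
    U, V = C
    return V * pow(U, -x, p) % p              # V / U^x, no check of any kind

def eg_rerandomize(pp, y, C):
    """(U g^s, V y^s) = (g^{r+s}, m y^{r+s}): a new ciphertext of the same m."""
    p, q, g, _ = pp
    U, V = C
    s = rand_exp(q)
    return U * pow(g, s, p) % p, V * pow(y, s, p) % p


# ---- Cramer-Shoup (section 3.2.4) ----------------------------------------
def H(pp, U, V, W):
    """xi = H(U, V, W) in Z_q, instantiated here with SHA-256 (assumption)."""
    digest = hashlib.sha256(f"{U}|{V}|{W}".encode()).digest()
    return int.from_bytes(digest, "big") % pp[1]

def cs_kgen(pp):
    p, q, g, h = pp
    x = [secrets.randbelow(q) for _ in range(5)]           # x1..x5
    c = pow(g, x[0], p) * pow(h, x[1], p) % p
    d = pow(g, x[2], p) * pow(h, x[3], p) % p
    return (c, d, pow(g, x[4], p)), x

def cs_enc(pp, pk, m):
    p, q, g, h = pp
    c, d, y = pk
    r = rand_exp(q)
    U, V, W = pow(g, r, p), pow(h, r, p), m * pow(y, r, p) % p
    X = pow(c * pow(d, H(pp, U, V, W), p) % p, r, p)       # (c d^xi)^r
    return U, V, W, X

def cs_dec(pp, sk, C):
    """Recompute xi, check X = U^{x1+x3 xi} V^{x2+x4 xi}; abort (None) otherwise."""
    p, *_ = pp
    x1, x2, x3, x4, x5 = sk
    U, V, W, X = C
    xi = H(pp, U, V, W)
    if X != pow(U, x1 + x3 * xi, p) * pow(V, x2 + x4 * xi, p) % p:
        return None
    return W * pow(U, -x5, p) % p             # W / U^{x5}

def cs_rerandomize(pp, pk, C):
    """The ElGamal trick on a Cramer-Shoup ciphertext: U, V, W move to r + s,
    but X still commits to the old (U, V, W) through xi, so Dec aborts."""
    p, q, g, h = pp
    c, d, y = pk
    U, V, W, X = C
    s = rand_exp(q)
    return U * pow(g, s, p) % p, V * pow(h, s, p) % p, W * pow(y, s, p) % p, X


if __name__ == "__main__":
    pp = setup()
    m = pow(pp[2], 42, pp[0])                 # message encoded as a group element
    y, x = eg_kgen(pp)
    print("ElGamal decrypts the tampered ciphertext:",
          eg_dec(pp, x, eg_rerandomize(pp, y, eg_enc(pp, y, m))) == m)
    pk, sk = cs_kgen(pp)
    D = cs_enc(pp, pk, m)
    print("Cramer-Shoup, honest ciphertext:", cs_dec(pp, sk, D) == m)
    print("Cramer-Shoup, tampered ciphertext:", cs_dec(pp, sk, cs_rerandomize(pp, pk, D)))
```

The two `*_rerandomize` functions perform the same operation; the difference in outcome comes entirely from `cs_dec` recomputing $\xi$ over the received $(U, V, W)$ and refusing to decrypt when $X$ does not match, which is the "proof value" the text describes.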
