National Chengchi University

• Binding: it is hard to find two distinct value-randomness pairs $(x, r) \neq (x', r')$ that open the same commitment. Formally, the binding advantage

$$\mathrm{Adv}^{\mathrm{binding}}_{\mathcal{A},\mathsf{commit}}(\kappa) := \Pr\big[\mathsf{commit}(x, r) = \mathsf{commit}(x', r') \ \wedge\ (x, r) \neq (x', r') \ :\ (x, x', r, r') \leftarrow \mathcal{A}\big] \quad (11)$$

must be negligible in $\kappa$.

Theorem 1: A commitment cannot be both perfectly hiding and perfectly binding.

Proof. At least in a two-party setting this is impossible. Perfect means that even an adversary with unbounded computational power breaks the hiding (resp. binding) property with probability 0. The argument is intuitive. If a commitment is perfectly binding, no two distinct pairs $(x, r) \neq (x', r')$ may map to the same commitment, so $\mathsf{commit}$ must be an injective (one-to-one) map from the domain of (value, randomness) pairs into the co-domain; by the pigeonhole principle the co-domain is then at least as large as the domain.

Let the co-domain have size $n$; it is now easy to see why perfect hiding is infeasible. Given a value $x$ and its commitment $c = \mathsf{commit}(x, r)$ for some randomness $r$, every other value $y \neq x$ fails to be perfectly hidden: for all possible randomness $r'$, the equation $\mathsf{commit}(x, r) = \mathsf{commit}(y, r')$ cannot hold, by injectivity. In other words, $c$ is a commitment to $x$ only, and the at most $n - 1$ remaining values of $\mathsf{commit}(y, r')$ are all different from $c$. An unbounded adversary that enumerates all pairs $(y, r')$ therefore recovers $x$ from $c$ with certainty, so its hiding advantage is 1 rather than 0. Hence a commitment that is both perfectly hiding and perfectly binding is infeasible in a two-party setting. In the literature [43], an additional third party is employed to construct a commitment that is both perfectly hiding and perfectly binding.

Pedersen commitments

Let $g, h$ be two generators of a multiplicative cyclic group $\mathbb{G}$ of prime order $q$ such that the discrete logarithm $\log_g h$ is unknown to everyone, in particular to the committer. For a value $x \in \mathbb{Z}_q$, the Pedersen commitment [44] is computed as

$$c \leftarrow g^{x} h^{r}, \qquad r \xleftarrow{\$} \mathbb{Z}_q,$$

and it is opened by revealing $(x, r)$.

The Pedersen commitment is computationally binding under the hardness of the DL problem: from two openings $(x, r) \neq (x', r')$ of the same $c$ one computes $\log_g h = (x - x')/(r' - r) \bmod q$, so the commitment is binding whenever $\mathrm{Adv}^{\mathrm{DL}}_{\mathcal{A},\mathbb{G}}(\kappa)$ is negligible. On the other hand, it is perfectly hiding, because for every commitment $c \leftarrow g^{x} h^{r}$ and every value $x' \in \mathbb{Z}_q$ there is exactly one $r' \in \mathbb{Z}_q$ with $g^{x'} h^{r'} = c$; the commitment is therefore uniformly distributed in $\mathbb{G}$ whatever $x$ is.
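The two arguments above can be exercised directly. The following is an added example (not code from the original page): a Pedersen commitment over a toy safe-prime group in which the second generator is deliberately built as $h = g^{t}$ with a known trapdoor $t$. Knowing $t$ is exactly what the binding argument forbids, and the same equation that lets a trapdoor holder produce two openings is the one that shows every value $x'$ has a matching randomness $r'$ (perfect hiding). The group parameters, the trapdoor and the sample values are constructed for illustration and are far too small for real use.

```python
"""Pedersen commitment over a toy safe-prime group, with the hiding and
binding arguments of the text made executable.  Added example; the group
parameters, the trapdoor and the sample values are constructed for
illustration and are not taken from the original page."""
import secrets

# Constructed toy parameters: p = 2q + 1 with p and q prime, so the squares
# mod p form the subgroup G of prime order q.  Far too small for real use.
P = 2039
Q = 1019


def subgroup_element(seed: int) -> int:
    """Square an element of Z_p^* so that the result lies in the order-q subgroup."""
    g = pow(seed, 2, P)
    assert g != 1 and pow(g, Q, P) == 1
    return g


G = subgroup_element(2)
# h = g^t.  A party that does not know t sees an ordinary second generator; t is
# kept here only to demonstrate what "binding rests on the DL problem" means.
TRAPDOOR_T = 777
H = pow(G, TRAPDOOR_T, P)


def commit(x: int, r=None):
    """c = g^x * h^r mod p with r uniform in Z_q; returns (c, r), (x, r) being the opening."""
    if r is None:
        r = secrets.randbelow(Q)
    return pow(G, x % Q, P) * pow(H, r % Q, P) % P, r


def open_commitment(c: int, x: int, r: int) -> bool:
    """Verifier side: recompute g^x h^r and compare with c."""
    return c == pow(G, x % Q, P) * pow(H, r % Q, P) % P


def equivocate(x: int, r: int, x_new: int, t: int = TRAPDOOR_T) -> int:
    """Knowing t = log_g h, solve x + t*r = x_new + t*r' (mod q) for r'.
    Perfect hiding: for every x_new such an r' exists (and is unique), so c
    carries no information about x.  Binding: whoever knows t can produce
    two valid openings (x, r) and (x_new, r') of the same c."""
    return ((x - x_new) + t * r) * pow(t, -1, Q) % Q


def binding_break(x: int, x_new: int):
    """Returns (first opening valid, second opening valid, the openings differ)."""
    c, r = commit(x)
    r_new = equivocate(x, r, x_new)
    return (open_commitment(c, x, r),
            open_commitment(c, x_new, r_new),
            (x, r) != (x_new, r_new))


if __name__ == "__main__":
    print(binding_break(5, 9))  # (True, True, True)
```

In a real deployment $h$ must be derived so that nobody knows $\log_g h$ (for example by hashing to the group); the point of `equivocate` is that anyone who does know it breaks binding without any computation of discrete logarithms.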


2.2.4 Key derivation function

A key derivation function ($\mathit{KDF}$) [45], [46] is a particular function built from hash functions. Given key material $r$ of high min-entropy, the $\mathit{KDF}$ deterministically outputs a key of high min-entropy for other cryptosystems such as encryption schemes or pseudorandom functions. Let $\Sigma$ be a source of key material. A key derivation function $\mathit{KDF}$ is called $(t, q, \varepsilon(\kappa))$-secure with respect to $\Sigma$ if, for every polynomial-time algorithm $\mathcal{A}$ running in time $t$ with at most $q$ oracle queries, the advantage $\mathrm{Adv}^{\mathrm{KDF}}_{\mathcal{A}}(\kappa) \leq \varepsilon(\kappa)$ in distinguishing the output $\mathit{KDF}(k, c)$ from a uniformly random string of the same length, where $(k, \alpha) \leftarrow \Sigma$, $k$ is the secret key material and $\alpha$ is some side information. It is assumed that $\mathcal{A}$ knows $\alpha$, controls the context information $c$ and has oracle access to $\mathit{KDF}(k, \cdot)$, which may not be queried on $c$ itself.

2.2.5 Pseudorandom function

A pseudorandom function ($\mathit{PRF}$) [47], [48] is a keyed function that takes a key of high min-entropy and a seed as input and outputs a value that looks random. Let $k$ be a key of high min-entropy; then no polynomial-time adversary can distinguish the value $\mathit{PRF}(k, s)$ from a random string.

The formal security definition of a $\mathit{PRF}$ is given by the following experiment. $\mathit{PRF}$ is called $(t, q, \varepsilon(\kappa))$-secure if, for every polynomial-time algorithm $\mathcal{A}$ running in time $t$ with at most $q$ oracle queries, the advantage $\mathrm{Adv}^{\mathrm{PRF}}_{\mathcal{A}}(\kappa) \leq \varepsilon(\kappa)$ in distinguishing the output $\mathit{PRF}(k, s)$ from the output of a truly random function $f$ of the same output length, where $\mathcal{A}$ has oracle access to $\mathcal{O}_{\mathrm{PRF}}(\cdot)$, which implements either $\mathit{PRF}(k, \cdot)$ or $f(\cdot)$ and may not be queried on the challenge seed $s$.

2.2.6 Message authentication code

A message authentication code ($\mathit{MAC}$) [49] is also a keyed primitive, frequently adopted to ensure the integrity of transmitted data. It comprises the following algorithms.

• $\mathit{MKGen}(1^{\kappa})$: on input the security parameter $\kappa$, output a key $mk \xleftarrow{\$} \{0, 1\}^{\kappa}$.

• $\mathit{Tag}(mk, m)$: on input a key $mk$ and a message $m$, output a tag $\mu \leftarrow \mathit{Tag}(mk, m)$.

• $\mathit{Vrfy}(mk, m, \mu)$: on input a key $mk$, a message $m$ and a tag $\mu$, output 1 if $\mu$ is a valid tag on $m$ under $mk$, and 0 otherwise.


A message authentication code is secure (existentially unforgeable under chosen-message attack) if no polynomial-time adversary can forge a valid tag on a new message without knowing the key. Let $mk \leftarrow \mathit{MKGen}(1^{\kappa})$ and let the oracle $\mathcal{O}_{\mathit{Tag}}(\cdot)$ return $\mathit{Tag}(mk, m)$ on query $m$. Security is formalized by requiring the following probability to be negligible, with the single restriction that the output message $m$ was never queried to $\mathcal{O}_{\mathit{Tag}}(\cdot)$:

$$\mathrm{Adv}^{\mathrm{forge}}_{\mathcal{A},\mathrm{MAC}}(\kappa) := \Pr\big[1 = \mathit{Vrfy}(mk, m, \mu) \ :\ (m, \mu) \leftarrow \mathcal{A}^{\mathcal{O}_{\mathit{Tag}}(\cdot)}\big] \quad (13)$$
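Sections 2.2.4 to 2.2.6 describe three keyed primitives that, in practice, are usually all instantiated from one HMAC. The following added example (not code from the original page) shows the three side by side: HMAC-SHA-256 plays $\mathit{PRF}(k, s)$; the HKDF extract-then-expand construction of RFC 5869, built on that HMAC, plays $\mathit{KDF}(k, c)$ with the context string $c$ as the `info` input; and $\mathit{Tag}/\mathit{Vrfy}$ are HMAC with a constant-time comparison. The `forgery_attempts` function replays what the adversary of (13) is and is not allowed to do. The message strings are constructed for illustration.

```python
"""HMAC-based instances of the three keyed primitives of sections 2.2.4-2.2.6.
Added example, not code from the original page: HMAC-SHA-256 is the PRF, the
HKDF extract/expand construction of RFC 5869 is the KDF, and Tag/Vrfy are
HMAC with a constant-time comparison.  Sample messages are constructed."""
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def prf(key: bytes, seed: bytes) -> bytes:
    """PRF(k, s): fixed-length pseudorandom output under a high-entropy key."""
    return hmac.new(key, seed, HASH).digest()


def kdf(key_material: bytes, context: bytes, length: int, salt: bytes = b"") -> bytes:
    """KDF(k, c): HKDF-Extract then HKDF-Expand (RFC 5869).  The context c is
    the 'info' input, so different contexts yield independent keys from one k."""
    if not salt:
        salt = bytes(HASH_LEN)                  # RFC 5869: default salt is HashLen zeros
    prk = hmac.new(salt, key_material, HASH).digest()   # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                             # expand: T(i) = HMAC(PRK, T(i-1) | info | i)
        block = hmac.new(prk, block + context + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def mkgen(kappa_bytes: int = 32) -> bytes:
    """MKGen(1^kappa): a uniformly random MAC key."""
    return secrets.token_bytes(kappa_bytes)


def tag(mk: bytes, message: bytes) -> bytes:
    """Tag(mk, m)."""
    return hmac.new(mk, message, HASH).digest()


def vrfy(mk: bytes, message: bytes, mu: bytes) -> bool:
    """Vrfy(mk, m, mu).  compare_digest is constant-time: a plain '==' returns
    early at the first differing byte and would let a forger build a valid
    tag one byte at a time by timing the check."""
    return hmac.compare_digest(tag(mk, message), mu)


def forgery_attempts(mk: bytes) -> dict:
    """The adversary of (13) may query Tag on any message except the one it
    outputs.  Each entry below is a candidate (m, mu) and whether Vrfy accepts."""
    m = b"transfer 10 to alice"           # constructed sample message
    mu = tag(mk, m)                       # a legitimate oracle answer for m
    return {
        "valid": vrfy(mk, m, mu),                                       # replaying the oracle answer
        "tampered_message": vrfy(mk, b"transfer 10 to mallory", mu),    # new m, old tag
        "truncated_tag": vrfy(mk, m, mu[:-1]),
        "bit_flipped_tag": vrfy(mk, m, bytes([mu[0] ^ 1]) + mu[1:]),
    }
```

Only the first candidate in `forgery_attempts` verifies, and it is not a forgery in the sense of (13) because that message was queried to the oracle; the other three are the kinds of modification an attacker on the channel can make, and all are rejected.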


3. Public key encryption

Public key encryption has been studied for decades. A user in a public key cryptosystem holds a pair of keys, a public key and a private key. The public key is publicly available and is used to encrypt messages or to verify digital signatures; the private key is used to decrypt ciphertexts or to sign messages. Compared with symmetric encryption, public key encryption has pros and cons. The advantage is that no key agreement or key distribution problem has to be solved before a message is sent; the disadvantage is that most public key encryption systems require higher computational cost than symmetric schemes. A further drawback is that a trusted party, the public key infrastructure (PKI), is required to guarantee the binding between public keys and user identities; this is omitted throughout the dissertation since it is an issue separate from the encryption and decryption functionality itself. In this section, the framework, that is, the syntax and the security notions, is introduced first. Then several previous public key encryption schemes are reviewed. Next, two well-known ciphertext-computation techniques for public key encryption, homomorphic encryption and commutative encryption, are briefly discussed. Finally, two research papers on commutative encryption are introduced at the end of the section.

3.1 Framework

As shown in Figure 8, the public key encryption scenario is realized as follows. A public key encryption scheme is established by setting some public parameters. Then each user picks a pair of keys, a public key and a private key. The public key can be published to all users, while the private key must be kept secret. Assume a sender Alice wants to encrypt and deliver a message to a receiver Bob; she uses Bob's public key to encrypt it. The resulting ciphertext is transmitted over a public channel. Finally, Bob decrypts the ciphertext with his private key and obtains the hidden message.


Figure 8: The public key encryption

3.1.1 Syntax

A public key encryption (PKE) scheme is composed of four polynomial-time algorithms, $\mathit{Setup}$, $\mathit{KGen}$, $\mathit{Enc}$ and $\mathit{Dec}$, defined as follows.

• $\mathit{Setup}(1^{\kappa})$: on input the security parameter, probabilistically generate public parameters $pp$, which are published for all further computations.

• $\mathit{KGen}(pp)$: on input $pp$, a user probabilistically generates a key pair: a public key $pk$ and a secret key $sk$.

• $\mathit{Enc}(pk, m)$: the sender encrypts a message $m$ into a ciphertext $C$ under the receiver's public key $pk$. When the encryption is probabilistic, that is, randomness is used in the encryption process, the notation $\mathit{Enc}(pk, m, r)$ denotes the encryption of $m$ under $pk$ with randomness $r$.

• $\mathit{Dec}(sk, C)$: the receiver deterministically decrypts the ciphertext $C$ with the secret key $sk$ to obtain the hidden message $m$.

Correctness: the PKE scheme works properly if the following relationship holds:

$$\forall \kappa \in \mathbb{N},\ \forall m \in \mathcal{M}:\quad pp \leftarrow \mathit{Setup}(1^{\kappa}),\ (sk, pk) \leftarrow \mathit{KGen}(pp)\ \Rightarrow\ \mathit{Dec}(sk, \mathit{Enc}(pk, m)) = m \quad (14)$$

Figure 9: The OW and IND experiments for PKE security

3.1.2 Security notions

In terms of security, the most convincing framework is a game-based model [50], [51] between an adversary $\mathcal{A}$ and a simulator $\mathcal{S}$. Generally speaking, if there is an adversary with a non-negligible advantage $\mathrm{Adv}^{\mathrm{game}}_{\mathcal{A},\mathrm{PKE}}(\kappa)$ in winning the applied game, then this ability is used to break some hardness assumption.² The reductions between the PKE schemes and the applied hardness assumptions are implemented through experiments run by the simulator. As shown in Figure 9, to formalize an experiment precisely, games and modes must be defined first: the former defines how the experiment is won, the latter how much help the adversary obtains.

² In fact, there are various security models that define indistinguishability for PKE schemes. For example, one common model is the following: a first adversary $\mathcal{A}_1$ interacts with the simulator through the decryption oracle $\mathcal{O}_{D}$ and outputs $(m_0, m_1)$; a second adversary $\mathcal{A}_2$ interacts with the simulator through the decryption oracle $\mathcal{O}_{D'}$ and outputs $b'$; the two adversaries are forbidden to communicate with each other. This is a commonly adopted indistinguishability model for ciphertext-computable schemes such as equality test and homomorphic encryption. In this work only the basic indistinguishability models IND-CPA, IND-CCA and IND-CCA2 are discussed. Owing to their simple definitions, they are widely accepted and

Game models

A game model between an adversary $\mathcal{A}$ and a simulator $\mathcal{S}$ defines the goal that the adversary tries to reach. If the adversary has a non-negligible probability of achieving this goal, the adversary is said to win the game; otherwise the PKE scheme is said to be secure in this game model. Two commonly seen game models are introduced below.

• One-way (OW): a PKE scheme is called one-way secure if, given a ciphertext $C \leftarrow \mathit{Enc}(pk, m)$ and the public key $pk$ under which $C$ was encrypted, it is hard to find the hidden message $m$. The detailed steps are listed below.

o Phase 1: the simulator produces the public parameters $pp$ and a key pair $(sk, pk)$ and sends $(pp, pk)$ to the adversary.

o Phase 2: the simulator picks $m \xleftarrow{\$} \mathcal{M}$ uniformly at random and encrypts it as $C \leftarrow \mathit{Enc}(pk, m)$. Then $C$ is sent to the adversary as the challenge.

o Phase 3: the adversary outputs $m'$ at the end. The adversary wins if $m = m'$ and loses otherwise.

• Indistinguishable (IND): a PKE scheme is called indistinguishability secure if no adversary can tell, noticeably better than guessing, which of its two chosen messages was encrypted as the challenge. The game proceeds in three phases.

o Phase 1: the simulator produces the public parameters $pp$ and a key pair $(sk, pk)$ and sends $(pp, pk)$ to the adversary.

o Phase 2: the adversary outputs two messages $(m_0, m_1)$ of its choice to the simulator. The simulator picks $b \xleftarrow{\$} \{0, 1\}$ and encrypts the $b$-th one as $C_b \leftarrow \mathit{Enc}(pk, m_b)$, which is sent to the adversary as the challenge.

o Phase 3: the adversary outputs a guess $b'$ at the end. The adversary wins if $b = b'$ and loses otherwise.

These are the two most widely applied game models. One-way security is clearly weaker than indistinguishability, and the reduction is intuitive: an adversary that breaks one-wayness recovers the whole message, compares it with $(m_0, m_1)$ and thereby breaks indistinguishability. Conversely, an adversary that breaks indistinguishability has, in general, no way to output the whole message from the challenge ciphertext. Most PKE schemes are therefore analysed for indistinguishability only, unless they are designed for special purposes such as equality test, which is formally discussed in later sections.

Adversary modes

In principle, adversary modes describe how much extra help the adversary obtains from the simulator side. In the games defined above, the simulator is responsible for generating the parameters $pp$, a key pair $(sk, pk)$ and the challenge. The basic games are then enhanced with an adversary mode: more information is provided to the adversary through oracle accesses maintained by the simulator. There are three modes, chosen plaintext attack (CPA), chosen ciphertext attack (CCA) and adaptive chosen ciphertext attack (CCA2), which differ in the availability of the decryption oracles $\mathcal{O}_{D}$ (before the challenge) and $\mathcal{O}_{D'}$ (after the challenge).

• In CPA mode, $\mathcal{O}_{D} = \mathcal{O}_{D'} = \bot$.

• In CCA mode, $\mathcal{O}_{D} = D$ and $\mathcal{O}_{D'} = \bot$.

• In CCA2 mode, $\mathcal{O}_{D} = D$ and $\mathcal{O}_{D'} = D'$.

Both oracles may be queried polynomially many, but not infinitely many, times. Take the IND-CCA2 experiment as an example: the adversary can issue decryption queries to $\mathcal{O}_{D}$ polynomially many times in Phase 1. Then, after outputting $(m_0, m_1)$ and receiving $C_b \leftarrow \mathit{Enc}(pk, m_b)$, it can still issue decryption queries to $\mathcal{O}_{D'}$ polynomially many times in Phase 3, with the single restriction that the challenge $C_b$ itself must not be queried.

The definition of the game-mode model is illustrated in Figure 9, where the functions $D$ and $D'$ used to implement the oracles are also formalized ($D'$ behaves as $D$ but rejects the challenge ciphertext). Both security models can be written as mathematical expressions. A public key encryption scheme is called OW-CCA2 secure or IND-CCA2 secure if the advantage $\mathrm{Adv}^{\mathrm{OW\text{-}CCA2}}_{\mathcal{A},\mathrm{PKE}}(\kappa)$ or $\mathrm{Adv}^{\mathrm{IND\text{-}CCA2}}_{\mathcal{A},\mathrm{PKE}}(\kappa)$, respectively, is negligible, where the two advantages are defined as follows.

$$\mathrm{Adv}^{\mathrm{OW\text{-}CCA2}}_{\mathcal{A},\mathrm{PKE}}(\kappa) := \Pr\big[m' = m \ :\ pp \leftarrow \mathit{Setup}(1^{\kappa}),\ (sk, pk) \leftarrow \mathit{KGen}(pp),\ m \xleftarrow{\$} \mathcal{M},\ C \leftarrow \mathit{Enc}(pk, m),\ m' \leftarrow \mathcal{A}^{\mathcal{O}_{D},\, \mathcal{O}_{D'}}(pp, pk, C)\big]$$

$$\mathrm{Adv}^{\mathrm{IND\text{-}CCA2}}_{\mathcal{A},\mathrm{PKE}}(\kappa) := \Big|\Pr\big[b' = b \ :\ pp \leftarrow \mathit{Setup}(1^{\kappa}),\ (sk, pk) \leftarrow \mathit{KGen}(pp),\ (m_0, m_1) \leftarrow \mathcal{A}^{\mathcal{O}_{D}}(pp, pk),\ b \xleftarrow{\$} \{0,1\},\ C_b \leftarrow \mathit{Enc}(pk, m_b),\ b' \leftarrow \mathcal{A}^{\mathcal{O}_{D'}}(C_b)\big] - \tfrac{1}{2}\Big|$$

The model of most concern nowadays is IND-CCA2 security, the strongest of the notions above. (Semantic security in the sense of Goldwasser and Micali is equivalent to the weaker IND-CPA notion; IND-CCA2 is strictly stronger.) At a high level, when an adversary with adaptive decryption access still cannot tell which of its chosen messages is behind the challenge, almost no information leaks from the ciphertext. Moreover, IND-CCA2 security is equivalent to non-malleability under adaptive chosen-ciphertext attack: no efficient adversary can turn the challenge into a different ciphertext whose plaintext is related to $m_b$ in a controlled way, so the compromise of one ciphertext through such a transformation does not affect the others.

Honest or malicious

Besides the adversary modes, adversaries are also classified by their behaviour. Of course, the behaviour of an adversary cannot be controlled; the classification merely states which behaviour a security argument accounts for. For example, an encryption scheme may be IND-CCA secure against honest adversaries, but when the adversary cheats, that scheme might not be secure any more.

• Honest-but-curious adversary: adversaries in this class follow the protocols and algorithms in principle. They operate normally, return correct values and tell the truth. Their only deviation is curiosity: they try to acquire more information or secrets than they were meant to learn.

• Malicious adversary: these adversaries do not follow the protocols and algorithms. They do whatever they can to obtain the secrets. They might eavesdrop on all communication channels, tamper with messages, or even impersonate users or servers. These actions might break the cryptosystem entirely, which the adversary does not mind.

3.2 Previous works

Since Rivest et al. [9] proposed the first public key encryption scheme, RSA, numerous PKE schemes have been proposed for different algebraic structures, higher security and better efficiency. For example, the original scheme RSA is built over a cyclic group with a composite modulus; the ElGamal encryption [10] instead computes in a cyclic group with a prime modulus. Other PKE schemes are based on bilinear maps or even on lattices.

In this section some previous PKE schemes are reviewed, several of which are adopted as building blocks in later sections.

3.2.1 RSA

RSA [9] is the first public key encryption scheme, named after its authors Rivest, Shamir and Adleman, who won the 2002 Turing Award [52] for their contribution to public key cryptography. Unlike the prime-modulus cyclic group defined in section 2.1.2, RSA works over a group with a composite modulus. The algorithms are briefly introduced below:

• $\mathit{Setup}(1^{\kappa})$: no initialization is required in RSA, so the public parameter is merely $pp \leftarrow 1^{\kappa}$.

• $\mathit{KGen}(pp)$: on input the public parameter, a user computes $N \leftarrow pq$, where $p$ and $q$ are two large random primes of equal bit-length chosen according to $\kappa$. Let $\phi(\cdot)$ be Euler's totient function and $k \leftarrow \phi(N) = (p-1)(q-1)$. The user picks a public exponent $e \in \mathbb{Z}_k$ with $\gcd(e, k) = 1$ and computes the secret exponent $d$ with $ed \equiv 1 \pmod{k}$. It then publishes the public key $(e, N)$ and keeps the secret key $d$ private. The primes $p$ and $q$ can be deleted once $d$ has been computed. Note that computing $d$ from the public exponent $e$ is hard by the integer factoring problem unless the confidential values $p$ and $q$ are known. The message space $\mathcal{M}$ is $\mathbb{Z}_N$.

• $\mathit{Enc}(pk, m)$: to encrypt a message $m$, the sender computes $C \equiv m^{e} \pmod{N}$.

• $\mathit{Dec}(sk, C)$: the receiver recovers the hidden message $m$ from the ciphertext $C$ through $m \equiv C^{d} \pmod{N}$.

Correctness: an RSA ciphertext decrypts properly because (by Euler's theorem, extended to all $m \in \mathbb{Z}_N$ via the Chinese remainder theorem since $N$ is square-free)

$$C^{d} \equiv m^{ed} \equiv m^{\,ed \bmod k} \equiv m^{1} \equiv m \pmod{N} \quad (17)$$

Security notion

RSA is a deterministic encryption scheme and is therefore not secure in the indistinguishability model. Deterministic means that the encryption takes no randomness into account: the same message $m$ under the same public key $pk$ always yields the same ciphertext $C$. In the indistinguishability game, an adversary given $pp$ and $pk$ outputs its chosen messages $(m_0, m_1)$ and later tells which one is behind the challenge $C_b$ simply by comparing $C_b$ with $m_0^{e}$ and $m_1^{e} \pmod{N}$. This attack does not even need oracle access; hence RSA is not IND-CPA secure.

Notably, some variants of RSA overcome the determinism through padding. A padded message is the concatenation of a random string and the message, $m' \leftarrow r \,\|\, m$, where $r \xleftarrow{\$} \{0,1\}^{|N| - |\mathcal{M}|}$ is the randomness and $m \in \mathcal{M}$ the message. Encryption and decryption remain $C \equiv m'^{\,e} \pmod{N}$ and $m' \equiv C^{d} \pmod{N}$; the only additional step is $m \leftarrow \mathit{LSB}(m')$, taking the least significant $|\mathcal{M}|$ bits. Compared with the original RSA scheme, such padded variants can be IND-CPA secure or even IND-CCA2 secure; the drawback is that the message space shrinks dramatically, from $\mathbb{Z}_N$ to the least significant $|\mathcal{M}|$ bits, and $|\mathcal{M}|$ must be quite small because the remaining $|N| - |\mathcal{M}|$ bits, serving as the randomness, have to be long enough to ensure security. The plain $r \,\|\, m$ layout above is only illustrative; deployed RSA encryption uses structured padding such as OAEP (PKCS#1 v2), whose IND-CCA2 argument depends on the specific layout and on the random oracle model.

Symbols $\mathbb{Z}_N$, $\mathcal{M}$ and $\mathit{LSB}(\cdot)$ are defined in Table 1 at the beginning of chapter 2.
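The following added example (not code from the original page) puts the three ideas of sections 3.1.2 and 3.2.1 together: textbook RSA with the key generation above, the three-phase IND game in CPA mode as a reusable harness, and the $r \,\|\, m$ padded variant. The re-encrypting adversary wins every run against textbook RSA and falls back to a coin flip against the padded version. The toy primes, the harness and the padding layout (`MSG_BITS`) are constructed for illustration and have nothing to do with PKCS#1.

```python
"""Textbook RSA, the IND game of section 3.1.2 in CPA mode run against it, and
the r||m padded variant described above.  Added example, not code from the
original page; the toy primes, the IND-game harness and the padding layout
(MSG_BITS) are constructed for illustration and are not PKCS#1."""
import secrets
from math import gcd

P, Q = 1000003, 1000033   # constructed toy primes; real moduli are >= 2048 bits


def kgen(p: int = P, q: int = Q, e: int = 65537):
    n = p * q
    k = (p - 1) * (q - 1)              # k <- phi(N)
    assert gcd(e, k) == 1
    d = pow(e, -1, k)                  # e*d = 1 (mod phi(N))
    return (e, n), d                   # (pk, sk)


def enc(pk, m: int) -> int:
    e, n = pk
    return pow(m, e, n)                # C = m^e mod N, no randomness anywhere


def dec(sk: int, pk, c: int) -> int:
    _, n = pk
    return pow(c, sk, n)               # m = C^d mod N


def ind_cpa_game(encrypt, adversary, pk, trials: int = 50) -> float:
    """Phases 1-3 of the IND game with O_D = O_D' = bottom (CPA mode).
    Returns the adversary's empirical success rate over `trials` runs."""
    wins = 0
    for _ in range(trials):
        m0, m1 = adversary.choose(pk)              # Phase 2: adversary's choice
        b = secrets.randbelow(2)
        c_b = encrypt(pk, (m0, m1)[b])             # the challenge
        wins += adversary.guess(pk, c_b) == b      # Phase 3: the guess
    return wins / trials


class ReEncryptAdversary:
    """Beats any deterministic scheme: re-encrypt m0 and compare with the
    challenge.  Against a randomised scheme the comparison never matches and
    the guess degrades to a coin flip."""
    def __init__(self, encrypt):
        self.encrypt = encrypt

    def choose(self, pk):
        return 2, 3                    # two fixed, distinct messages

    def guess(self, pk, c_b) -> int:
        return 0 if c_b == self.encrypt(pk, 2) else 1


# ---- padded variant from the text: m' = r || m, m = LSB(m') ----
MSG_BITS = 16                          # |M|; the other |N| - |M| bits hold r


def enc_padded(pk, m: int) -> int:
    _, n = pk
    assert 0 <= m < 2 ** MSG_BITS
    rand_bits = n.bit_length() - 1 - MSG_BITS          # keeps r||m below N
    m_prime = (secrets.randbits(rand_bits) << MSG_BITS) | m
    return enc(pk, m_prime)


def dec_padded(sk: int, pk, c: int) -> int:
    return dec(sk, pk, c) & (2 ** MSG_BITS - 1)        # LSB(m')


if __name__ == "__main__":
    pk, sk = kgen()
    print("textbook RSA:", ind_cpa_game(enc, ReEncryptAdversary(enc), pk))               # 1.0
    print("padded RSA  :", ind_cpa_game(enc_padded, ReEncryptAdversary(enc_padded), pk)) # about 0.5
```

The harness takes any `encrypt` callable and any adversary with `choose`/`guess` methods, so the same game can be replayed against the other schemes of this section; switching `enc_padded` for `enc` is all it takes to see the message space shrink from $\mathbb{Z}_N$ to 16 bits.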

3.2.2 Paillier encryption

Paillier encryption [13], [14] is also an encryption scheme over a cyclic group with a composite modulus $N = pq$. Interestingly, computations are carried out modulo $N^2$ rather than modulo $N$.

• $\mathit{Setup}(1^{\kappa})$: no initialization is required in Paillier, so the public parameter is merely $pp \leftarrow 1^{\kappa}$.

• $\mathit{KGen}(pp)$: on input the public parameter, a user computes $N = pq$, where $p$ and $q$ are two large random primes of equal bit-length chosen according to $\kappa$. Let $\phi(\cdot)$ be Euler's totient function and $\lambda \leftarrow \phi(N)$. The user picks an element $g \in \mathbb{Z}^{*}_{N^2}$ with $\gcd(L(g^{\lambda} \bmod N^2), N) = 1$, publishes the public key $(g, N)$ and privately stores the secret key $\lambda$. The primes $p$ and $q$ can be deleted once $\lambda$ has been computed. Note that finding $\lambda$ is hard by the integer factoring problem unless the confidential values $p$ and $q$ are known. The message space $\mathcal{M}$ is $\mathbb{Z}_N$.

• $\mathit{Enc}(pk, m)$: to encrypt a message $m$, the sender picks $r \xleftarrow{\$} \mathbb{Z}^{*}_{N}$ and computes $C \equiv g^{m} r^{N} \pmod{N^2}$.

• $\mathit{Dec}(sk, C)$: the receiver recovers the hidden message $m$ from the ciphertext $C$ through

$$m \equiv \frac{L(C^{\lambda} \bmod N^2)}{L(g^{\lambda} \bmod N^2)} \pmod{N}, \qquad L(x) := \frac{x - 1}{N}.$$

Correctness: the correctness of Paillier decryption is slightly involved. The ciphertext decrypts properly as follows:

$$\frac{L(C^{\lambda} \bmod N^2)}{L(g^{\lambda} \bmod N^2)} \bmod N = \frac{L(g^{m\lambda} r^{\lambda N} \bmod N^2)}{L(g^{\lambda} \bmod N^2)} \bmod N = \frac{L(g^{m\lambda} \bmod N^2)}{L(g^{\lambda} \bmod N^2)} \bmod N \quad (18)$$

By the design of the modulus $N^2$, every element $g \in \mathbb{Z}^{*}_{N^2}$ satisfies the properties below.

1. $\forall g \in \mathbb{Z}^{*}_{N^2}: g^{\lambda N} \equiv 1 \pmod{N^2}$, since $\lambda N = \phi(N) \cdot N = \phi(N^2)$. This is what removes the factor $r^{\lambda N}$ in (18).

2. Since $1 + N \in \mathbb{Z}^{*}_{N^2}$ has order $N$, every element can be written as $\forall g \in \mathbb{Z}^{*}_{N^2},\ \exists\, a \in \mathbb{Z}_N,\ b \in \mathbb{Z}^{*}_{N}: g \equiv (1 + N)^{a} b^{N} \pmod{N^2}$.

3. Following property 2, the explicit equation $\forall g \in \mathbb{Z}^{*}_{N^2}: g^{\lambda} \equiv 1 + a\lambda N \pmod{N^2}$ is obtained. The inference is straightforward by expanding the binomial:

$$g^{\lambda} \equiv (1+N)^{a\lambda} b^{\lambda N} \equiv (1+N)^{a\lambda} \equiv 1 + a\lambda N + \sum_{i=2}^{a\lambda} \binom{a\lambda}{i} N^{i} \equiv 1 + a\lambda N \pmod{N^2} \quad (19)$$

4. Following property 3, the relationship $\forall g \in \mathbb{Z}^{*}_{N^2},\ \forall m \in \mathbb{Z}_N: g^{m\lambda} \equiv 1 + am\lambda N \pmod{N^2}$ is obtained in the same way as (19):

$$g^{m\lambda} \equiv (1 + a\lambda N)^{m} \equiv 1 + am\lambda N + \sum_{i=2}^{m} \binom{m}{i} (a\lambda N)^{i} \equiv 1 + am\lambda N \pmod{N^2} \quad (20)$$

Substituting $g^{\lambda} \equiv 1 + a\lambda N \pmod{N^2}$ and $g^{m\lambda} \equiv 1 + am\lambda N \pmod{N^2}$ into equation (18) gives

$$\frac{L(g^{m\lambda} \bmod N^2)}{L(g^{\lambda} \bmod N^2)} \bmod N = \frac{am\lambda}{a\lambda} \bmod N = m \pmod{N}, \quad (21)$$

where the division is well defined because $\gcd(L(g^{\lambda} \bmod N^2), N) = \gcd(a\lambda, N) = 1$ by the choice of $g$ in $\mathit{KGen}$.

Security notion

Paillier encryption is IND-CPA secure under the decisional composite residuosity assumption and, being additively homomorphic, can be at most IND-CCA (non-adaptive) secure; it is certainly not IND-CCA2 secure. Briefly, in the IND-CCA2 game, after the adversary outputs $(m_0, m_1)$ and receives the challenge $C_b \leftarrow g^{m_b} r^{N} \bmod N^2$, it picks $s \xleftarrow{\$} \mathbb{Z}^{*}_{N}$ and sends the re-randomized ciphertext $C' \leftarrow C_b \cdot s^{N} \bmod N^2$ to the decryption oracle $\mathcal{O}_{D'}$. Since $C' \neq C_b$ the query is permitted, yet $C'$ encrypts the same plaintext $m_b$ (its randomness is $rs$, and $(rs)^{N}$ is again an $N$-th power), so the oracle returns $m_b$ and the adversary wins the IND-CCA2 game with certainty. Homomorphism and the security models IND-CCA and IND-CCA2 are discussed in later sections.

Paillier encryption has been widely applied. Some variants improve the security notion by disabling its homomorphism. One of the most famous applications is a public key encryption with a double-trapdoor decryption mechanism [55].
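The decryption derivation (18) to (21) and the re-randomization attack above are both short enough to run. The following added example (not code from the original page) implements Paillier exactly as recalled in this subsection, with $\lambda \leftarrow \phi(N)$, $g = 1 + N$ and the $L$ function, shows the additive homomorphism, and plays one run of the IND-CCA2 game in which `dec` stands in for $\mathcal{O}_{D'}$. The toy primes and the sample plaintexts are constructed for illustration.

```python
"""Paillier encryption as recalled above (lambda = phi(N), decryption through
L(x) = (x - 1)/N), its additive homomorphism, and the IND-CCA2 break from the
security notion: re-randomise the challenge and hand it to the decryption
oracle.  Added example, not code from the original page; the toy primes and
the sample plaintexts are constructed for illustration."""
import secrets
from math import gcd

P, Q = 1000003, 1000033   # constructed toy primes; real keys use ~1024-bit primes


def L(x: int, n: int) -> int:
    """L(x) = (x - 1) / N, exact on inputs of the form 1 + kN."""
    return (x - 1) // n


def kgen(p: int = P, q: int = Q):
    n = p * q
    n2 = n * n
    lam = (p - 1) * (q - 1)          # lambda <- phi(N), as in the text
    g = n + 1                        # 1 + N has order N in Z*_{N^2}
    assert gcd(L(pow(g, lam, n2), n), n) == 1   # the condition on g from KGen
    return (g, n), lam               # (pk, sk)


def enc(pk, m: int, r=None) -> int:
    g, n = pk
    n2 = n * n
    if r is None:                    # r <-$ Z*_N
        while True:
            r = secrets.randbelow(n)
            if r > 0 and gcd(r, n) == 1:
                break
    return pow(g, m, n2) * pow(r, n, n2) % n2      # C = g^m r^N mod N^2


def dec(sk: int, pk, c: int) -> int:
    g, n = pk
    n2 = n * n
    num = L(pow(c, sk, n2), n)       # = a*m*lambda mod N   (property 4)
    den = L(pow(g, sk, n2), n)       # = a*lambda   mod N   (property 3)
    return num * pow(den, -1, n) % n


def add_ciphertexts(pk, c1: int, c2: int) -> int:
    """Enc(m1) * Enc(m2) mod N^2 is an encryption of m1 + m2 mod N."""
    _, n = pk
    return c1 * c2 % (n * n)


def rerandomise(pk, c: int) -> int:
    """C' = C * s^N mod N^2: same plaintext, different ciphertext."""
    _, n = pk
    n2 = n * n
    while True:
        s = secrets.randbelow(n)
        if s > 1 and gcd(s, n) == 1:
            c_prime = c * pow(s, n, n2) % n2
            if c_prime != c:
                return c_prime


def ind_cca2_break(pk, sk: int, m0: int, m1: int) -> bool:
    """One run of the IND-CCA2 game from the adversary's side; dec() plays O_D'."""
    b = secrets.randbelow(2)
    c_b = enc(pk, (m0, m1)[b])                 # the challenge
    c_prime = rerandomise(pk, c_b)             # c_prime != c_b, so the query is allowed
    answer = dec(sk, pk, c_prime)              # the oracle returns m_b
    return (0 if answer == m0 else 1) == b


if __name__ == "__main__":
    pk, sk = kgen()
    print(dec(sk, pk, add_ciphertexts(pk, enc(pk, 5), enc(pk, 7))))   # 12
    print(all(ind_cca2_break(pk, sk, 5, 7) for _ in range(10)))      # True
```

Choosing $g = 1 + N$ is the common simplification of Paillier's key generation; any $g$ satisfying the $\gcd$ condition of $\mathit{KGen}$ works with the same code. The attack needs no knowledge of $\lambda$ at all: the re-randomization uses only the public key, which is why no amount of key secrecy can repair IND-CCA2 for a homomorphic scheme.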

3.2.3 ElGamal encryption

ElGamal encryption [10] is a PKE scheme based on the Diffie–Hellman key exchange [24] in a cyclic group with a prime modulus. The algorithms are briefly recalled below:

• $\mathit{Setup}(1^{\kappa})$: the algorithm tak
es the security parameter $1^{\kappa}$ as input and outputs a cyclic group as the public parameters $pp \leftarrow \{\mathbb{G}, q, p, g\}$, as defined in section 2.1.2. The message space $\mathcal{M}$ is the group $\mathbb{G}$.

• $\mathit{KGen}(pp)$: on input the public parameters, a user picks $x \xleftarrow{\$} \mathbb{Z}_q$ as its private key and publishes the public key $y \leftarrow g^{x}$.

• $\mathit{Enc}(pk, m)$: to encrypt a message $m$, the sender picks $r \xleftarrow{\$} \mathbb{Z}_q$ and computes $C \leftarrow (U, V)$, where $U \leftarrow g^{r}$ and $V \leftarrow m \cdot y^{r}$.

• $\mathit{Dec}(sk, C)$: the receiver recovers the hidden message $m$ from the ciphertext $C = (U, V)$ through $m \leftarrow V / U^{x}$.

Correctness: an ElGamal ciphertext decrypts properly because

$$\frac{V}{U^{x}} = \frac{m \cdot y^{r}}{g^{rx}} = \frac{m \cdot g^{xr}}{g^{rx}} = m \quad (22)$$


Security notion

ElGamal is IND-CPA secure under the DDH assumption in $\mathbb{G}$ and is IND-CCA (non-adaptive) secure [56], but no better: its multiplicative homomorphism bounds its security from above. Homomorphism is formally introduced in later sections; here it is treated simply as a computable property over ciphertexts. It is then easy to see why ElGamal is not IND-CCA2 secure. Let $pp$ and $pk$ be given to the adversary; it outputs its chosen $(m_0, m_1)$ and receives the challenge $C_b \leftarrow (g^{r}, m_b \cdot y^{r})$ in the IND-CCA2 game. The challenge $C_b$ itself is forbidden to be queried to the decryption oracle $\mathcal{O}_{D'}$. However, the adversary can trickily send a variant

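The variant the adversary sends is a mauled ciphertext. The following added example (not code from the original page) implements ElGamal in the prime-order subgroup recalled above and plays one run of the IND-CCA2 game in which the adversary multiplies $V$ by the known factor $g$, obtains $m_b \cdot g$ from the decryption oracle (here `dec` stands in for $\mathcal{O}_{D'}$) and divides $g$ back out. Unlike the Paillier re-randomization, this maul changes the plaintext by a chosen factor, which is the multiplicative homomorphism at work. The toy group ($p = 2q + 1$ with small primes) and the sample messages are constructed for illustration.

```python
"""ElGamal in the prime-order subgroup of Z_p^* recalled above, together with
the adaptive chosen-ciphertext break that its multiplicative homomorphism
permits: the adversary mauls the challenge by a known factor, decrypts the
result through the oracle and divides the factor back out.  Added example,
not code from the original page; the toy group and the sample messages are
constructed for illustration."""
import secrets

P, Q = 2039, 1019          # constructed safe prime p = 2q + 1
G = pow(2, 2, P)           # a square mod p, hence a generator of the order-q subgroup


def in_group(m: int) -> bool:
    """M = G: plaintexts must be elements of the order-q subgroup."""
    return 0 < m < P and pow(m, Q, P) == 1


def kgen():
    x = secrets.randbelow(Q - 1) + 1   # x <-$ Z_q \ {0}
    return pow(G, x, P), x              # (pk = y, sk = x)


def enc(y: int, m: int, r=None):
    assert in_group(m)
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), m * pow(y, r, P) % P   # (U, V) = (g^r, m*y^r)


def dec(x: int, c) -> int:
    u, v = c
    return v * pow(u, -x, P) % P                # V / U^x


def mul_ciphertexts(c1, c2):
    """Componentwise product encrypts m1 * m2: the multiplicative homomorphism."""
    return c1[0] * c2[0] % P, c1[1] * c2[1] % P


def maul(c, factor: int):
    """(U, V) -> (U, V*factor) encrypts m*factor under the same randomness."""
    u, v = c
    return u, v * factor % P


def ind_cca2_break(y: int, x: int, m0: int, m1: int) -> bool:
    """One run of the IND-CCA2 game from the adversary's side; dec() plays O_D'."""
    b = secrets.randbelow(2)
    c_b = enc(y, (m0, m1)[b])                    # the challenge
    c_prime = maul(c_b, G)                       # differs from c_b, so it may be queried
    m_b_times_g = dec(x, c_prime)                # oracle answer: m_b * g
    m_recovered = m_b_times_g * pow(G, -1, P) % P
    return (0 if m_recovered == m0 else 1) == b


if __name__ == "__main__":
    y, x = kgen()
    m0, m1 = pow(G, 10, P), pow(G, 20, P)        # constructed sample messages in G
    print(dec(x, enc(y, m0)) == m0)                               # True
    print(all(ind_cca2_break(y, x, m0, m1) for _ in range(20)))  # True
```

The same `maul` with a factor of 1 would be a no-op and the oracle would refuse it; any other factor, or the re-randomization $(U \cdot g^{r'}, V \cdot y^{r'})$, produces a fresh ciphertext the oracle must answer, so every IND-CCA2 adversary against plain ElGamal wins with certainty.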