On the Security of EPOC and TSH-ESIGN

Transcription

1 On the Security of EPOC and TSH-ESIGN Tatsuaki Okamoto Tetsutaro Kobayashi NTT Laboratories 1-1 Hikarinooka, Yokosuka-shi, Japan {okamoto, kotetsu Abstract We submitted a public-key encryption scheme, EPOC, and digital signature scheme, TSH-ESIGN, to IEEE P1363a. The security of EPOC and TSH-ESIGN is based on the intractability of factoring n = p 2 q,wherepand q are primes. TSH-ESIGN is also based on the intractability of the approximate e-th root (AERP) assumption, which is the approximate version of the RSA assumption. This draft describes the latest research status on the intractability of factoring n = p 2 q and the approximate e-th root assumption, and concludes that these problems are considered to be almost as intractable as those of factoring n = pq and of inverting the RSA function (i.e., solving the e-th root). 1 Security of EPOC and TSH-ESIGN 1.1 Security of EPOC EPOC (EPOC-2 with one-time padding) [9] is proven to be secure in the strongest sense (nonmalleable against chosen ciphertext attacks: NM-CCA2) under the random oracle model and the factoring assumption of n = p 2 q. That is, EPOC is as secure as factoring n = p 2 q (in the strongest sense in the random oracle model). Schemes Security Number-theoretical Random function against CCA assumption assumption EPOC-2(with OTP) Secure (NM-CCA) Factoring Truly random OAEP Secure (NM-CCA) RSA Truly random Cramer-Shoup Secure (NM-CCA) DDH UOWHF 1.2 Security of TSH-ESIGN TSH-ESIGN [7] is proven to be secure in the strongest sense (existentially unforgeable against adaptive chosen message attacks: EUF-CMA) under the random oracle model and the approximate e-th root (AERP) assumption (with modulus n = p 2 q), which is the approximate version of the RSA assumption. That is, TSH-ESIGN is as secure as AERP (in the strongest sense in the random oracle model). 1

2 Definition 1.1 Let G be a key-generator of the TSH-ESIGN algorithm. Approximate e-th root problem (AERP) is, for given pk := {n, e} Gen(1 k ) and y R {0, 1} k 1, to find x (Z/nZ)\pZ such that 0 y == [x e mod n] k. The approximate e-th root problem (AERP) is intractable, if for any (uniform/non-uniform) probabilistic polynomial time machine Adv, for any constant c, for sufficiently large k, Pr[Adv(k, n, e, y) x] < 1/k c, where 0 y == [x e mod n] k. The probability is taken over the coin flips of G and A. The assumption that the approximate e-th root problem (AERP) is intractable is called the approximate e-th root assumption (AERP assumption). Table 1: Comparison of security Schemes Security Number-theoretical Random function against CMA assumption assumption TSH-ESIGN Secure (EUF-CMA) AERP Truly random PSS or FDH-RSA Secure (EUF-CMA) RSA Truly random EC-Schnorr Secure (EUF-CMA) EC Discrete Log. Truly random Schemes Table 2: Comparison of computation amount Sig. Gen. (M(1024)) Sig. Ver. (M(1024)) TSH-ESIGN 9 5 RSA-based scheme (e.g., PSS or FDH-RSA) EC-based scheme (e.g., EC-Schnorr or EC-DSA) On the intractability of factoring n = p 2 q Although it is not known whether n = p 2 q is more tractable to factor than n = pq, some special algorithms to factor n = p 2 q have been studied [11, 12, 13, 1]. However, such techniques are specific on the elliptic curve factoring method (ECM), and the fastest algorithm for factoring both n = pq and n = p 2 q is the number field sieve (NFS) method, whose running time depends only on the composite size, n. (Even these algorithms based on the ECM [11, 12, 13] are just several times faster than the traditional ECM.) Recently Boneh et.al. presented an algorithm for factoring n = p r q with large r, using the LLL algorithm (lattice reduction) [2]. Their algorithm, however, is only effective for the 2

3 case where r is large (at least (log p) 1/2 ). If r is constant (or small), the running time of their algorithm is exponential in n. Hence, as for n = p 2 q, their algorithm is less efficient than the ECM and NFS methods. Therefore, currently the size of n = p 2 q can be the same as n = pq if n is sufficiently large (e.g., n is at least 1024). 3 On the intractability of the approximate e-th root problem The square degree version of ESIGN was proposed in 1985 [8], which was broken by Brickell and DeLaurentis in the same year [3, 4]. In other words, they showed an efficient algorithm to solve the approximatesquare root problem (AERP with e = 2). They also presented an efficient algorithm to solve the cubic version, AERP with e =3. In late 1980 s, French mathematicians, Girault, Toffin and Vallée, extensively studied various types of the approximate e-th root modulo n problems, by using the lattice base reduction [5, 14, 15]. (Brickell and DeLaurentis s attack is a special case of their lattice base reduction attack.) However, they could find no efficient solution to AERP with e 4. Since the lattice base reduction is currently the only effective tool to solve such approximate e-th root modulo n problems, we have no way to efficiently solve AERP with e 4. (Note that the lattice base reduction is a very powerful tool to solve various problems: for example, almost all knapsack public-key cryptosystems were broken by the lattice base reduction.) We have the following conjecture on AERP: Conjecture: Problem A is expected polynomial-time reducible to problem B. Problem A: Given three positive integers, M and n, and e, solve s which satisfies s e M (mod n). Problem B: Given four positive integers, M,n, δ, ande, and positive real number ε such that solve s which satisfies δ =( e 1 e ε) n, M s e mod n<m+ δ. If the following conjecture is true, AERP is as intractable as the RSA inversion or the Rabin inversion. In particular, when e is even (e.g., 8, 16,...), which we recommend, the conjecture implies that AERP is as intractable as factoring n. Note: The original ESIGN based on the same problem as TSH-ESIGN has been already adopted by ISO/IEC (digital signatures with appendix). (TSH-ESIGN is a provably secure variant of the original ESIGN.) 3

4 4 Conclusion The both problems, factoring n = p 2 q and approximate e-th root problem (AERP), were explicitly raised by us in For the last 14 years the both problems have been extensively investigated by many excellent researchers such as Adleman, Bleichenbacher, Brickell, DeLaurentis, Girault, McCurley, Odlyzko, Peralta, Pollard, Shamir, Toffin, Vallée. The authors have been also communicated with Lenstra and Buchmann on these problems. The fact that no efficient algorithms on the both problems have been found for more than 14 years after they were raised implies that these problems are considered to be almost as intractable as factoring n = pq and the RSA problem. References [1] Adleman, L.M. and McCurley, K.S.: Open Problems in Number Theoretic Complexity,II (open problems: C7, O7a and O7b), Proc. of ANTS-I, LNCS 877, Springer-Verlag, pp (1995). [2] Boneh, D., Durfee, G. and Howgrave-Graham, N.: Factoring N = p r q for Large r, Proc.of Crypto 99, LNCS 1666, Springer-Verlag, pp (1999) [3] Brickell, E. and DeLaurentis, J.: An Attack on a Signature Scheme Proposed by Okamoto and Shiraishi, Proc. of Crypto 85, LNCS 218, Springer-Verlag, pp (1986) [4] Brickell, E. and Odlyzko: Cryptanalysis: A Survey of Recent Results, Chap.10, Contemporary Cryptology, Simmons (Ed.), IEEE Press, pp (1991). [5] Girault, M., Toffin, P. and Vallée, B.: Computation of Approximate L-th Roots Modulo n and Application to Cryptography, Proc. of Crypto 88, LNCS 403, Springer-Verlag, pp (1990) [6] Okamoto, T.: A Fast Signature Scheme Based on Congruential Polynomial Operations, IEEE Trans. on Inform. Theory, IT-36, 1, pp (1990). [7] Okamoto, T., Fujisaki, E. and Morita, H.: TSH-ESIGN: Efficient Digital Signature Scheme Using Trisection Size Hash, submission to P1363a (1998). [8] Okamoto, T. and Shiraishi, A.: A Fast Signature Scheme Based on Quadratic Inequalities, Proc. of the ACM Symposium on Security and Privacy, ACM Press (1985). [9] Okamoto, T., Uchiyama, S. and Fujisaki, E.: EPOC: Efficient Probabilistic Public-Key Encryption, submission to IEEE P1363a (1998). [10] T. Okamoto, and S. Uchiyama, A New Public-Key Cryptosystem as Secure as Factoring, Proc. of Eurocrypt 98, LNCS, Springer-Verlag (1998). [11] Peralta, R.: Bleichenbacher s improvement for factoring numbers of the form N = PQ 2 (private communication) (1997). 4

5 [12] Peralta, R. and Okamoto, E.: Faster Factoring of Integers of a Special Form, IEICE Trans. Fundamentals, E79-A, 4, pp (1996). [13] Pollard, J.L.: Manuscript (1997). [14] Vallée, B., Girault, M. and Toffin, P.: How to Break Okamoto s Cryptosystem by Reducing Lattice Bases, Proc. of Eurocrypt 88, LNCS 330, Springer-Verlag, pp (1988) [15] Vallée, B., Girault, M. and Toffin, P.: How to Guess L-th Roots Modulo n by Reducing Lattice Bases, Proc. of Conference of ISSAC-88 and AAECC-6, (1988) 5 Appendix A: Patent Statement by Nippon Telegraph Telephone Corporation (NTT) Nippon Telegraph Telephone Corporation (NTT) has submitted EPOC and TSH-ESIGN to IEEE P1363a. Should these submissions be selected for inclusion in the IEEE P1363a, NTT hereby declares that it is prepared to license its patents, both granted and pending, which are necessary to use and/or sell implementations of the above submissions to an unrestricted number of applicants on a worldwide, non-exclusive, royalty-free basis. 6 Appendix B: Specification of EPOC Key Generation: G The input and output of G are as follows: [Input ] Security parameter k(= plen). [Output ] A pair of public-key, (n, g, h, H, G, plen, hlen, glen, rlen), and secret-key, (p, g p ). The operation of G, on input k, is as follows: Choose two primes p, q ( p = q = k), and compute n = p 2 q. Here, p 1=p u and q 1=q v such that p and q are primes, and u and v are O(log k). Choose g (Z/nZ) randomly such that the order of g p := g p 1 mod p 2 is p. (Note that gcd(p, q 1) = 1 and gcd(q,p 1) = 1.) Choose h 0 from (Z/nZ) randomly and independently from g. Compute h := h n 0 mod n. Set plen := k. SetrLen such that rlen plen 1. Select (hash) functions H: {0, 1} {0, 1} hlen,andg: {0, 1} {0, 1} glen. Note: g p is a supplementary parameter that improves the efficiency of decryption, since g p can be calculated from p and g. h can be g n mod n when hlen =(2+c 0 )k (c o is a constant > 0). H and G canbefixedbythesystemandsharedbymanyusers. 5

6 6.2 Encryption: E Let SymE =(SymEnc,SymDec) be a pair of symmetric-key encryption and decryption algorithms with symmetric-key K, where the length of K is glen. Encryption algorithm SymEnc takes key K and plaintext X, and returns ciphertext SymEnc(K, X). Decryption algorithm SymDec takes key K and ciphertext Y, and returns plaintext SymDec(K, Y ). The input and output of E are as follows: [Input ] Plaintext M {0, 1} mlen along with public-key (n, g, h, H, G, plen, hlen, glen, rlen) and SymEnc. [Output ] Ciphertext C =(C 1,C 2 ). The operation of E, on input M, (n, g, h, H, G, plen, hlen, glen, rlen) andsymenc, isas follows: Select R {0, 1} rlen uniformly, and compute G(R). Compute H(M R). Here M R denotes the concatenation of M and R. C 1 := g R h H(M R) mod n, C 2 := SymEnc(G(R),M). Remark: A typical way to realize SymE is one-time padding. That is, SymEnc(K, X) :=K X, andsymdec(k, Y ):=K Y,where denotes the bit-wise exclusive-or operation. 6.3 Decryption: D The input and output of D are as follows: [Input ] Ciphertext C =(C 1,C 2 ) along with public-key (n, g, h, H, G, plen, hlen, glen, rlen), secret-key (p, g p )andsymdec. [Output ] Plaintext M or null string. The operation of D, on input C =(C 1,C 2 )alongwith(n, g, h, H, G, plen, hlen, glen), (p, g p )andsymdec, is as follows: Compute C p := C 1 p 1 mod p 2,andR := L(Cp) L(g p) Compute M := SymDec(G(R ),C 2 ). Check whether the following equation holds or not: C 1 = g R h H(M R ) mod n. mod p, wherel(x) := x 1 p. If it holds, output M as decrypted plaintext. Otherwise, output null string. 6

7 7 Appendix C: Specification of TSH-ESIGN 7.1 Key Generation: G The input and output of G is as follows: [Input ] Security parameter k(= plen), which is a positive integer. [Output ] A pair of public-key, (n, e, H, plen), and secret-key, (p, q). The operation of G, on input k, is as follows: Choose two primes p, q ( p = q = k), and compute n := p 2 q. Here, p 1=p u and q 1=q v such that p and q are primes, and u and v are O(log k). Select an integer e>4 (e.g., e =2 l, l = O(log n)). Set plen := k. Select a (hash) function H: {0, 1} {0, 1} plen 1. Remark: Since not H(x) itself but 0 H(x) is always required in the signing and verification procedures, H(x) can be realized by using hash function H : {0, 1} {0, 1} plen as follows: first H (x) is computed, then the most significant bit of H (x) is set to be 0 with preserving the other bits. The resulting value is 0 H(x). 7.2 Signing: S The input and output of S is as follows: [Input ] Message M {0, 1} mlen along with public-key (n, e, H, plen). [Output ]SignatureS. The operation of S, on input M and (p, q, n, e, H, plen), is as follows: 1. Pick r at random and uniformly from (Z/pqZ)\pZ/pZ := {r Z/pqZ gcd(r, p) =1}. 2. Set z (0 H(M) 0 2 plen )andα (z r e )modn. 3. Set (w 0,w 1 ) such that w 0 = α, pq (1) w 1 = w 0 pq α. (2) If w 1 2 2pLen 1, then go back to Step 1. (I.e., if the most significant bit of w 1 is 1, then go back to Step 1.) 4. Set t w 0 mod p, ands (r + tpq) modn. er e 1 5. Output S as the signature of M. 7

8 7.3 Verification: V The input and output of V is as follows: [Input ]PairofsignatureS and message M along with public-key (n, e, H, plen). [Output ] Verification result (valid or invalid). The operation of V, on input (M,S) alongwith(n, e, H, plen) is as follows: Check whether the following equation hold or not: [S e mod n] plen == 0 H(M). (3) Here [X] k denotes the most significant k bits of X. If it holds, output valid (or 1). Otherwise output invalid (or 0). 8