Some RSA-based Encryption Schemes with Tight Security Reduction

Size: px

Start display at page:

Download "Some RSA-based Encryption Schemes with Tight Security Reduction"

Susan Richards
6 years ago
Views:

1 Some RSA-based Encyption Schemes with Tight Secuity Reduction Kaou Kuosawa 1 and Tsuyoshi Takagi 2 1 Ibaaki Univesity, Nakanausawa, Hitachi, Ibaaki, , Japan kuosawa@cis.ibaaki.ac.jp 2 Technische Univesität Damstadt, Fachbeeich Infomatik, Alexandest.10, D Damstadt, Gemany ttakagi@cdc.infomatik.tu-damstadt.de Abstact. In this pape, we study some RSA-based semantically secue encyption schemes IND-CPA) in the standad model. We fist deive the exactly tight one-wayness of Rabin-Paillie encyption scheme which assumes that factoing Blum integes is had. We next popose the fist IND-CPA scheme whose one-wayness is equivalent to factoing geneal n = pq not factoing Blum integes). Ou eductions of one-wayness ae vey tight because they equie only one decyption-oacle quey. Keywods: Factoing, semantic secuity, tight eduction, RSA-Paillie, Rabin-Paillie. 1 Intoduction 1.1 Backgound An encyption scheme should have stong one-wayness as well as high semantic secuity. Theefoe, it is desiable to constuct a semantically secue encyption scheme whose one-wayness is equivalent to factoing n = pq in the standad model. Thee ae seveal povably secue constuctions in the andom oacle model. Fo example, see [Sho01,FOPS01,Bon01].) RSA-Paillie encyption scheme is semantically secue against chosen plaintext attacks IND-CPA) in the standad model unde the RSA-Paillie assumption [CGHN01]. The assumption claims that SMALL RSAP = { e mod n 2 Z n } and LARGE RSAP = { e mod n 2 Z n 2} ae indistinguishable, whee n, e) is the public-key of RSA. Futhe, it is oneway if beaking RSA is had. The latte poblem was fist aised by [ST02] and finally poved by [CNS02] using LLL algoithm of lattice theoy. On the othe hand, n= pq) is called a Blum intege if p = q = 3 mod 4. Galindo et al. ecently consideed Rabin-Paillie encyption scheme and showed that it is one-way if factoing Blum integes is had [GMMV03]. Howeve, thee is a lage gap between the one-wayness which they poved and the difficulty of factoing. That is, suppose that the one-wayness is boken

2 with pobability ε. Then what Galindo et al. poved is that Blum integes can be factoed with pobability ε 2. Futhe the factoing poblem is esticted to Blum integes, but not geneal p, q. The one-wayness of Okamoto-Uchiyama scheme [OU98] is equivalent to factoing n = p 2 q, but not n = pq.) 1.2 Ou Contibution In this pape, we study the tight one-wayness of some RSA-based semantically secue encyption schemes IND-CPA) in the standad model, whee the onewayness must be equivalent to factoing n = pq. We fist show that Rabin-Paillie encyption scheme has no gap between the eal one-wayness and the difficulty of factoing Blum integes. In othe wods, we give a factoing algoithm with success pobability ε.) Ou poof technique is quite diffeent fom pevious poofs. In paticula: Ou poof technique equies only one decyption-oacle quey while the pevious poofs fo RSA/Rabin-Paillie encyption schemes equie two oacle queies [CNS02,GMMV03]. No LLL algoithm is equied, which was essentially used in the pevious poofs fo RSA/Rabin-Paillie schemes [CNS02,GMMV03]. We next popose the fist IND-CPA scheme such that the one-wayness is equivalent to factoing geneal n = pq not factoing Blum integes). The onewayness is poved by applying ou poof technique as mentioned above. Theefoe, ou secuity eduction of one-wayness is vey tight. That is, thee is almost no gap between the one-wayness and the hadness of the geneal factoing poblem. The poposed scheme is obtained fom an encyption scheme pesented by Kuosawa et al. [KIT88,KOMM01]. The semantic secuity holds unde a natual extension of RSA-Paillie assumption. That is, it is semantically secue IND-CPA) if two distibutions SMALL RSAK and LARGE RSAK ae indistinguishable, whee we define SMALL RSAK and LARGE RSAK as appopiate subsets of SMALL RSAP and LARGE RSAP, espectively. We also show a close elationship between ou assumption and RSA-Paillie assumption. This pape is oganized as follows: In Section 2, we descibe notions equied fo the secuity desciption in this pape. In Section 3, the exact secuity eduction algoithm fo Rabin-Paillie encyption scheme is pesented. In Section 4, the poposed scheme is pesented. In Section 5, we pove that the one-wayness of the poposed scheme is as had as geneal factoing poblem. In Section 6, we discuss the semantic secuity of the poposed scheme. Sec.7 includes some final comments. Related woks: Came and Shoup showed an semantically secue encyption scheme against chosen ciphetext attacks IND-CCA) unde the decision Diffie-Hellamn assumption [CS98]. They ecently showed a geneal famewok to constuct IND-CCA schemes [CS02].

3 It will be a futhe wok to develop an IND-CCA scheme whose one-wayness is equivalent to the factoing poblem in the standad model. We hope that ou esults povide us a good stating point to this challenging poblem. 2 Secuity of Encyption Schemes PPT will denote a pobabilistic polynomial time. 2.1 Encyption Scheme A public-key encyption scheme PE = K, E, D) consists of thee algoithms. The key geneation algoithm K outputs pk, sk) on input 1 l, whee pk is a public key, sk is the secet key and l is a secuity paamete. We wite pk, sk) R K. The encyption algoithm E outputs a ciphetext c on input the public key pk and a plaintext message) m; we wite c R E pk m). The decyption algoithm D outputs m o eject on input the secet key sk and a ciphetext c; we wite x D sk c), whee x = m o eject. We equie that D sk E pk m)) = m fo each plaintext m. K and E ae PPT algoithms, and D is a polynomial time algoithm. 2.2 One-Wayness The one-wayness poblem is as follows: given a public key pk and a ciphetext c, find the plaintext m such that c R E pk m). Fomally, fo an advesay A, conside an expeiment as follows. pk, sk) R K, c R E pk m), m R Apk, c). whee m is andomly chosen fom the domain of pk. Let Fo any t > 0, define Adv ow PEA) = P m = m). AdvPEt) ow = max Advow PEA), whee the maximum is ove all A who un in time t. A Definition 1. We say that PE is t, ε)-one-way if AdvPE ow t) < ε. We also say that PE is one-way if AdvPE ow A) is negligible fo any PPT advesay A. 2.3 Semantic Secuity We say that a public-key encyption scheme PE = K, E, D) is semantically secue against chosen plaintext attacks SS-CPA) if it is had to find any patial) infomation on m fom c. This notion is equivalent to indistinguishability IND- CPA), which is descibed as follows [BDPR98,Gol01].

4 We conside an advesay B = B 1, B 2 ) as follows. In the find stage, B 1 takes a public key pk and outputs m 0, m 1, state), whee m 0 and m 1 ae two equal length plaintexts and state is some state infomation. In the guess stage, B 2 gets a challenge ciphetext c R E pk m b ) fom an oacle, whee b is a andomly chosen bit. B 2 finally outputs a bit b. We say that an encyption scheme PE is secue in the sense of IND-CPA if P b = b) 1/2 is negligible. Fomally, fo each secuity paamete l, let pk, sk) R K, m 0, m 1, state) R B 1 pk), c R E pk m b ), b R B 2 c, state). Definition 2. We say that PE is secue in the sense of indistinguishability against chosen-plaintext attack IND-CPA) if is negligible fo any PPT advesay B. Adv ind PE B) = P b = b) 1/2 If an advesay B = B 1, B 2 ) is allowed to access the decyption oacle D sk ), we denote it by B D = B1 D, B2 D ). If Adv ind PE BD ) is negligible fo any P P T advesay B D, we say that PE is secue in the sense of indistinguishability against adaptive chosen-ciphetext attack IND-CCA). 2.4 Factoing Assumptions The geneal factoing poblem is to facto n = pq, whee p and q ae two pimes such that p = q. Fomally, fo an factoing algoithm B, conside the following expeiment. Geneate two pimes p and q such that p = q andomly. Give n = pq to B. We say that B succeeds if B can output p o q. Definition 3. We say that the geneal factoing poblem is t, ε)-had if PB succeeds) < ε fo any B who uns in time t. We also say that it is had if PB succeeds) is negligible fo any PPT algoithm B. The geneal factoing assumption claims that the geneal factoing poblem is had. We say that n= pq) is a Blum intege if p and q ae pime numbes such that p = q = 3 mod 4 and p = q. The Blum-factoing poblem is defined similaly. Blum-factoing assumption claims that the Blum-factoing poblem is had. 3 Exact One-Wayness of Rabin-Paillie Scheme Galindo et al. ecently constucted Rabin-Paillie encyption scheme [GMMV03] and showed that its one-wayness is as had as factoing Blum integes, whee n = pq is called a Blum intege if p = q = 3 mod 4. Howeve, thee is a polynomially bounded gap between the difficulty of factoing and the claimed one-wayness. This is because they used the same poof technique as that of [CNS02].

5 In this section, we show that thee exists no gap between the difficulty of factoing Blum integes and the eal one-wayness of Rabin-Paillie encyption scheme. In othe wods, we pesent the exactly tight one-wayness of Rabin- Paillie encyption scheme. Ou poof is vey simple and totally elemental. In paticula, no LLL algoithm is equied which was essentially used in the pevious poofs fo RSA/Rabin- Paillie [CNS02,GMMV03]. 3.1 Rabin-Paillie Encyption Scheme Rabin-Paillie encyption scheme is descibed as follows. Let Q n = { 2 mod n 2 Z n}. We say that Z n is conjugate if /n) = 1, whee m/n) denotes Jacobi s symbol. Secet key) Two pime numbes p and q such that p = q and p = q = 3 mod 4. Public key) n= pq), e, whee e is a pime such that n /2 < e < n. Plaintext) m Z n. Ciphetext) c = 2e + mn mod n 2, 1) whee Q n is andomly chosen. Decyption) Since e is a pime such that n /2 < e < n, it satisfies that gcde, p 1) = gcde, q 1) = 1. 2) Theefoe, thee exists d such that ed = 1 mod lcmp 1, q 1). Now let E = c d mod n. Then it is easy to see that E = 2 mod n. We can find such that Q n uniquely because p = q = 3 mod 4. Finally, by substituting into eq.1), we can obtain m. In [GMMV03], the authos showed that Rabin-Paillie encyption scheme is secue in the sense of IND-CPA if n, e, En, e; 0)) and n, e, Q n 2) ae indistinguishable, whee Remaks: En, e; 0) = { 2e mod n 2 Q n }. 1. In [GMMV03], the condition on e is esticted to gcde, λn)) = 1, whee λ is Camichael s function. Howeve, fo this paamete choice, we cannot pove that the one-wayness is as had as the factoing poblem, because we cannot geneally choose such e fo a given n. In Appendix B, we also point out a flaw on thei claim fo the semantic secuity of Rabin-Paillie cyptosystem.

6 2. RSA-Paillie encyption scheme is obtained by letting fo m Z n and Z n [CGHN01]. c = e 1 + mn) mod n Exactly Tight One-Wayness Suppose that thee exists a PPT algoithm that beaks the one-wayness with pobability ε. Then Galindo et al. poved that thee exists a PPT algoithm that can facto Blum integes n with pobability ε 2 see the poof of [GMMV03, Poposition 6]). In this subsection, we show that thee exists a PPT algoithm that can facto Blum integes n with pobability ε. Since the convese is clea, ou eduction is exactly tight. Scheme Factoing Pobability Galindo et al. [GMMV03] ε 2 Ou Poposed Poof ε Table 1. Factoing pobability using OW-oacle with pobability ε Lemma 1. Let n be a Blum intege. Fo any conjugate, thee exists a unique Q n such that 2 = 2 mod n. 3) Futhe, gcd, n) = p o q. Poof. Note that 1/p) = 1 and 1/q) = 1 fo a Blum intege n = pq. A conjugate Z n satisfies /n) = 1, namely I) : /p) = 1 /q) = 1 o II) : /p) = 1 /q) = 1. In the case of I), define = mod p and = mod q, then the statement of the lemma is obtained. Similaly in the case of II) we assign = mod p and = mod q. Theoem 1. Rabin-Paillie encyption scheme is t, ε)-one-way if Blum factoing poblem is t, ε)-had, whee t = t + Olog n) 3 ). Poof. Suppose that thee exists an oacle O which beaks the one-wayness of Rabin-Paillie encyption scheme with pobability ε in time t. We will show a factoing algoithm A. We show how to find and satisfying eq.3). On input n, A fist chooses a pime e such that n /2 < e < n andomly. A next chooses a conjugate Z n and a fake) plaintext m Z n andomly, and computes a fake) ciphetext c = 2e + mn mod n 2. It is clea that c is uniquely witten as c = B 0 + B 1 n mod n 2 B 0 Q n, B 1 Z n. Note that fo some

7 1. B 1 is unifomly distibuted ove Z n because m is andomly chosen fom Z n, and 2. B 0 is unifomly distibuted ove { 2e mod n Q n } fom Lemma 1. Theefoe, c is distibuted in the same way as valid ciphetexts. Now A queies c to the oacle O. O then answes a valid) plaintext m such that c = 2e + mn mod n 2 with pobability ε in time t, whee Q n. Then we have c = 2e = 2e mod n. Hence we see that 2 = 2 mod n. Theefoe, 2 is witten as 2 = 2 + yn 4) fo some y Z n with no modulus). By letting x = 2 mod n 2, we obtain that w = c mn = 2e = x + yn) e = x e + eynx e 1 mod n 2. 5) It is easy to see that Theefoe y is obtained as eyx e 1 = w xe n mod n. y = ex e 1 1 w xe ) mod n. n Substitute y into eq.4). Then we can compute a squae oot > 0 because eq.4) has no modulus. Finally we can facto n by using, ) fom Lemma 1. Ou algoithm A fo Rabin-Paillie scheme is summaized as follows. Exact OW Rabin Paillie Input: n, e), public key of Rabin-Paillie scheme Output: p, q, factoing of n 1. choose a andom Z n such that /n) = compute x = 2 mod n choose a andom fake) plaintext m Z n. 4. compute a ciphetext c = x e + mn mod n obtain a valid plaintext m = Oc) 6. compute w = c mn = 2e mod n compute u = w x e mod n 2 )/n. 8. compute y = uex e 1) ) 1 mod n. 9. compute v = 2 + ny. 10. find > 0 such that 2 = v in Z. 11. etun gcd, n).

8 4 New Encyption Scheme In this section, we popose an encyption scheme such that its one-wayness is as had as the geneal factoing poblem of n = pq not factoing Blum integes). The poposed scheme is obtained fom an encyption scheme poposed by Kuosawa et al. [KIT88,KOMM01]. 4.1 Kuosawa et al. s Encyption Scheme Kuosawa et al. s showed an encyption scheme as follows [KIT88]. Secet key) Two pime numbes p and q such that p = q. Public key) n= pq) and α such that whee α/p) denotes Legende s symbol. Plaintext) m Z n. Ciphetext) c = E, s, t) such that α/p) = α/q) = 1, 6) E = m + α mod n 7) m s = { 0 if m/n) = 1; 1 if m/n) = 1, t = { 0 if α/m mod n) > m; 1 if α/m mod n) < m. Decyption) Fom eq.7), it holds that m 2 Em + α = 0 mod n. 8) The above equation has fou oots. Howeve, we can decypt m uniquely fom s, t) due to eq.6) [KIT88,KOMM01]. Also see [KT03, Appendix E]. In [KIT88,KOMM01], it is poved that this encyption scheme is one-way unde the geneal factoing assumption. 4.2 Poposed Encyption Scheme Secet key) Two pime numbes p and q such that p = q. Public key) n= pq), e, α, whee e is a pime such that n /2 < e < n and α Z n satisfies α/p) = α/q) = 1. 9) Plaintext) m Z n. Ciphetext) c = + α ) e + mn mod n 2, 10) whee Zn is a andom element such that /n) = 1 and α/ mod n) >. We can compute 1/ mod N 2 faste than the diect method [KT03, Sec.4.3].)

9 Decyption) Let E = c d mod n, whee ed = 1 mod lcmp 1, q 1). Then it is easy to see that E = + α mod n. Note that E, 0, 0) is the ciphetext of by Kuosawa et al. s encyption scheme. Theefoe we can find by decypting E, 0, 0) with the decyption algoithm. Finally, by substituting into eq.10), we can obtain m. 5 One-Wayness of the Poposed Scheme In this section, we show the one-wayness of the poposed scheme by applying ou poof technique developed in Sec.3. Ou secuity eduction is vey tight. That is, thee is almost no gap between the one-wayness and the hadness of the geneal factoing poblem. Indeed, ou poof equies only one decyption-oacle quey while the pevious poof fo RSA/Rabin-Paillie encyption scheme equies two oacle queies [CNS02,GMMV03]. 5.1 Poof of One-Wayness We say that 1. Z n is pincipal if /n) = 1 and α/ mod n) >. 2. Z n is conjugate if /n) = 1. Note that in tems of the paametes of Kuosawa et al s encyption scheme, Z n is pincipal if s, t) = 0, 0) and Z n is conjugate if s = 1. Lemma 2. Fo any conjugate, thee exists a unique pincipal such that E = + ᾱ = + α mod n. 11) Futhe, gcd, n) = p o q. Poof. Thee ae fou diffeent solutions of Kuosawa et al s encyption E coesponding to s, t) = 0, 0), 0, 1), 1, 0), 1, 1) as shown in [KIT88,KOMM01]. Also see [KT03, Appendix E].) A conjugate satisfies /p) = 1 /q) = 1 o /p) = 1 /q) = 1 fo s = 1. Define 1 = mod p 1 = α/ mod q and 2 = α/ mod p 2 = mod q. Then eithe 1 o 2 is the equied pinciple. Hence, the fome pat of this Lemma holds. Futhe, mod p = mod q o = mod p mod q holds due to α/p) = α/q) = 1. Theefoe, we can see that gcd, n) = p o q. Fom eq.11), it holds that fo some unique y Z n. + α/ = + α/ ) + yn mod n 2 12)

10 Lemma 3. Suppose that we have, y) satisfying eq.12) fo some pincipal, whee is conjugate. Then we can facto n. Poof. We show that can be computed fom y, ). Let Then we have v = + α/ ) + yn mod n 2. 2 v + α = 0 mod n 2 fom eq.12). We can solve this quadatic equation by using the Coppesmith s algoithm [Cop96] because of 0 < < n. Then we can facto n fom Lemma 2. Lemma 4. Suppose that thee exists an oacle O that beaks the one-wayness of the poposed scheme with pobability ε and in time t. Then thee exists an algoithm A which factos n fom n, e, α) with pobability ε in time t + polylog n), whee O is invoked once. Poof. We show how to find and y satisfying eq.12). On input n, e, α), A fist chooses a conjugate Z n andomly and computes x = + ᾱ mod n2. 13) It next chooses a fake) plaintext m Z n andomly and computes c = x e + mn mod n 2. It is clea that c is uniquely witten as c = B 0 +B 1 n mod n 2 fo some B 0, B 1 Z n. Note that 1) B 1 is unifomly distibuted ove Z n because m is andomly chosen fom Z n. 2) B 0 is unifomly distibuted ove { + α/) e mod n Zn is pincipal} fom Lemma 2. Theefoe, c is distibuted in the same way as valid ciphetexts. Now A queies c to the oacle O. O then answes a valid) plaintext m such that c = + α ) e + mn mod n 2 with pobability ε and in time t, whee Zn is pincipal. Then we have c = + α ) e = x e mod n. Hence we see that + α = x mod n. Theefoe, thee exists y Z n such that We then obtain that + α = x + yn mod n2. w = c mn = + α/) e = x + yn) e = x e + eynx e 1 mod n 2.

11 It is easy to see that Theefoe y is obtained as eyx e 1 = w xe n mod n. y = w xe ex e 1 ) 1 mod n. n Finally we can facto n by using, y) fom Lemma 3. Ou algoithm A fo the poposed scheme is summaized as follows: OW Recipocal Paillie Input: n, e, α), public-key of the poposed scheme Output: p, q, factoing of n 1. choose a andom Z n such that /n) = compute x = + α/ mod n choose a andom fake) plaintext m Z n. 4. compute a ciphetext c = x e + mn mod n obtain a valid plaintext m = Oc) 6. compute w = c mn = + α/) e mod n compute u = w x e )/n. 8. compute y = uex e 1) ) 1 mod n. 9. compute v = + α/ ) + ny mod n. 10. solve 2 v + α = 0 mod n 2 using Coppesmith s algoithm [Cop96]. 11. etun gcd, n). Theoem 2. The poposed encyption scheme is t, ε) one-way if the geneal factoing poblem is t, ε/2)-had, whee t = t + polylog n). Poof. Suppose that thee exists a PPT algoithm that beaks the one-wayness of the poposed scheme with pobability ε in time t. Then we show a PPT algoithm which can facto n. Fo a given n, we choose a pime e such that n /2 < e < n andomly. We also choose α Zn such that α/n) = 1 andomly. It is easy to see that α satisfies eq.9) with pobability 1/2. Next apply Lemma 4 to n, e, α). Then we can facto n with pobability ε/2 in time t = t + polylog n). The poposed scheme is a combination of the scheme of Kuosawa et al. and the RSA-Paillie scheme. Anothe constuction is to encypt a message m Z/nZ as follows: c = e + α ) e + mn mod n 2, 14) whee Z n is a andom element such that e mod n/n) = 1 and α/ e mod n) >. Afte computing e mod n 2 the ecipocal encyption is applied. Howeve, the secuity analysis of this constuction is moe difficult we cannot apply the above poof technique to this scheme, because e mod n 2 is lage than n.

12 5.2 Hensel Lifting and Lage Message Space Catalano et al. poved that Hensel-RSA poblem is as had as beaking RSA fo any lifting index l [CNS02]. In this section, we define Hensel-Recipocal poblem and show that it is as had as geneal factoization fo any lifting index l. This esult implies that we can enlage the message space of the poposed encyption scheme fo m Z n 2 in such a way that c = e + mn mod n l. Suppose that we ae given a public key n, e, α) of the poposed encyption scheme and y = + α ) e mod n, whee Zn is pincipal. The Hensel-Recipocal poblem is to compute Y = + α ) e mod n l fom n, e, α, y) and l, whee Z n is pincipal and l is a positive intege. Then we can pove the following theoem See [KT03]). Theoem 3. The Hensel-Recipocal poblem is as had as geneal factoization fo any lifting index l 2. Poof. It is easy to see that we can solve the Hensel-Recipocal poblem if we can facto n. We will pove the convese. Suppose that thee exists a PPT algoithm which can solve the Hensel- Recipocal poblem with pobability ε fo some l 2. That is, the PPT algoithm can compute Y = ) + α e mod n l fom n, e, α, y) and l 2, whee Zn is pincipal. Then we can compute Y = ) + α e mod n 2. Now similaly to the poof of Lemma 4 and Theoem 2, we can facto n with pobability ε/2 in polynomial time. 6 Semantic Secuity of the Poposed Scheme In this section, we discuss the semantic secuity of the poposed scheme. Let n, e, α) be a public key of the poposed encyption scheme. 6.1 Semantic secuity Let SMALL RSAP n, e) = {n, e, x) x = e mod n 2, Z n } LARGE RSAP n, e) = {n, e, x) x = e mod n 2, Z n 2} Note that SMALL RSAP n, e) = n, and LARGE RSAP n, e) = n 2.

13 It is known that RSA-Paillie encyption scheme is IND-CPA if SMALL RSAP n, e) and LARGE RSAP n, e) ae indistinguishable [CGHN01]. We call it RSA-Paillie assumption. We now define SMALL RSAK n, e, α) and LARGE RSAK n, e, α) as follows. SMALL RSAK n, e, α) = {n, e, α, x) x = + α ) e mod n 2, Zn is pincipal} LARGE RSAK n, e, α) = {n, e, α, x) x = + α ) e mod n 2, Zn 2}. Note that SMALL RSAK n, e, α) = φn)/4, and LARGE RSAK n, e, α) = φn)n/4, because + α mod n2 is a 4 : 1 mapping. Theoem 4. The poposed encyption scheme is secue in the sense of IND- CPA if two distibutions SMALL RSAK n, e, α) and LARGE RSAK n, e, α) ae indistinguishable. We call the above indistinguishability Recipocal-Paillie assumption. A poof will be given in Appendix A. 6.2 Relationship with RSA-Paillie Assumption We investigate the elationship between RSA-Paillie assumption and Recipocal- Paillie assumption. We fist genealize SMALL RSAP and LARGE RSAP so that they include α. That is, let SMALL RSAP n, e, α) = {n, e, α, x) x = e mod n 2, Z n} LARGE RSAP n, e, α) = {n, e, α, x) x = e mod n 2, Z n 2} We then define modified RSA-Paillie assumption as follows: SMALL RSAP n, e, α) and LARGE RSAP n, e, α) ae indistinguishable. We next define ecipocal assumption as follows: SMALL RSAK n, e, α) and SMALL RSAP n, e, α) ae indistinguishable. Then we have the following coollay of Theoem 4. Coollay 1. The poposed encyption scheme is secue in the sense of IND- CPA if both modified RSA-Paillie assumption and the ecipocal assumption hold. Poof. We pove that LARGE RSAK n, e, α) and LARGE RSAP n, e, α) ae indistinguishable unde the ecipocal assumption. Let O be an oacle that distinguishes two distibutions LARGE RSAK n, e, α) and LARGE RSAP n, e, α). We constuct a distinguishe D which can distinguish between SMALL RSAK n, e, α) and SMALL RSAP n, e, α). Fo n, e, α, c), D chooses a andom s Z n, and computes c = c + ns mod n 2. Then it asks n, e, α, c ) to the oacle O. Because s

14 is andomly chosen in Z n, we can show that n, e, α, c ) is unifomly distibuted in eithe LARGE RSAK n, e, α) o LARGE RSAP n, e, α). Thus the oacle O can coectly distinguish between SMALL RSAK n, e, α) and SMALL RSAP n, e, α). Theefoe SMALL RSAK SMALL RSAP LARGE RSAP LARGE RSAK, whee means indistinguishable. This implies that Recipocal-Paillie assumption holds. 7 On Chosen Ciphetext Secuity Fo chosen ciphetext secuity, we can obtain a vaiant of ou encyption scheme as follows by applying the technique of [Poi99]. c = + α ) e + mn mod n 2 ) H, m) whee H is a andom hash function and denotes concatenation. In the andom oacle model, 1) this scheme is one-way against chosen ciphetext attacks unde the geneal factoing assumption. 2) It is also IND-CCA unde the assumption given in Sec.6. In the standad model, it still emains one-way and IND-CPA against chosen plaintext attacks. In geneal, we can pove the following theoem. Theoem 5. Let PE be an encyption scheme with ciphetexts c = E pk m, ). Suppose that 1) the set of belongs to BPP and 2) thee exists a decyption algoithm which outputs not only m but also. Fo PE, conside an encyption scheme PE such that c = E pk m, ) Hm, ). If PE is one-way against chosen plaintext attacks IND-CPA, esp.), then PE is one-way against chosen ciphetext attacks IND-CCA, esp.) in the andom oacle model. PE still emains one-way against chosen plaintext attacks IND- CPA, esp.) in the standad model. The details will be given in the final pape. Refeences [BDPR98] M. Bellae, A. Desai, D. Pointcheval, and P. Rogaway, Relations among Notions of Secuity fo Public-Key Encyption Schemes, CRYPTO 98, LNCS 1462, pp.26-45, [Bon01] D. Boneh, Simplified OAEP fo RSA and Rabin Functions, CRYPTO 2001, LNCS 2139, pp , [CGHN01] D. Catalano, R. Gennao, N. Howgave-Gaham, and P. Nguyen; Paillie s cyptosystem evisited, The 8th ACM confeence on Compute and Communication Secuity, pp , 2001.

15 [CNS02] D. Catalano, P. Nguyen, and J. Sten, The Hadness of Hensel Lifting: The Case of RSA and Discete Logaithm, ASIACRYPT 2002, LNCS 2501, pp , [Cop96] D. Coppesmith, Finding a Small Root of a Univaiate Modula Equation, EUROCRYPT 96, LNCS 1070, pp , [CS98] R. Came and V. Shoup, A Pactical Public-Key Cyptosystem Povably Secue against Adaptive Chosen Ciphetext Attacks, CRYPTO 98, LNCS 1462, pp.13-25, [CS02] R. Came and V. Shoup, Univesal Hash Poofs and a Paadigm fo Adaptive Chosen Ciphetext Secue Public-Key Encyption, EUROCRYPT 2002, LNCS 2332, pp.45-64, [FOPS01] E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Sten, RSA-OAEP is Secue unde the RSA Assumption, CRYPTO 2001, LNCS 2139, pp , [GMMV03] D. Galindo, S. Molleví, P. Moillo, J. Villa, A Pactical Public Key Cyptosystem fom Paillie and Rabin Schemes, PKC 2003, LNCS 2567, pp , [Gol01] O. Goldeich, Foundations of Cyptogaphy: Basic Tools, Cambidge Univesity Pess, [KIT88] K. Kuosawa, T. Itoh, M. Takeuchi, Public Key Cyptosystem using a Recipocal Numbe with the Same Intactability as Factoing a Lage Numbe, CRYP- TOLOGIA, XII, pp , [KT03] K. Kuosawa and T. Takagi, Some RSA-based Encyption Schemes with Tight Secuity Reduction, A long vesion of this pape, IACR epint achive, 2003/157, available fom [KOMM01] K. Kuosawa, W. Ogata, T. Matsuo, S. Makishima, IND-CCA Public Key Schemes Equivalent to Factoing n=pq, PKC 2001, LNCS 1992, pp36-47, [OU98] T.Okamoto and S.Uchiyama, A New Public Key Cyptosystem as Secue as Factoing, Euocypt 98, LNCS 1403, pp , 1998/ [Poi99] D.Pointcheval, New Public Key Cyptosystems based on the Dependent-RSA Poblems, Euocypt 99, LNCS 1592, pp , [ST02] K. Sakuai, T. Takagi, New Semantically Secue Public-Key Cyptosystems fom the RSA-Pimitive, PKC 2002, LNCS 2274, pp.1-16, [Sho01] V. Shoup, OAEP Reconsideed, CRYPTO 2001, LNCS 2139, pp , [Tak97] T. Takagi, Fast RSA-Type Cyptosystems using N-adic Expansion, CRYPTO 97, LNCS 1294, pp , A Semantic Secuity of the Poposed Scheme A.1 Basic Result Let ZEROn, e, α) be the set of ciphetexts fo m = 0 and ALLn, e, α) be the set of ciphetexts fo all m Z n. That is, ZEROn, e, α) = { + α ) e mod n 2 Zn is pincipal} ALLn, e, α) = { + α ) e + mn mod n 2 m Z n and Zn is pincipal}.

16 Define Recipocal 0 n, e, α) = {n, e, α, x) x ZEROn, e, α)} Recipocal ALL n, e, α) = {n, e, α, x) x ALLn, e, α)} Note that we have Recipocal 0 n, e, α) = SMALL RSAK n, e, α) fom thei definition. Theoem 6. The poposed encyption scheme is secue in the sense of IND- CPA if and only if Recipocal 0 n, e, α) and Recipocal ALL n, e, α) ae indistinguishable. Poof. Suppose that thee exists an advesay B = B 1, B 2 ) which beaks ou encyption scheme in the sense of IND-CPA, whee B 1 woks in the find stage and B 2 woks in the guess stage. We will show a distinguishe D which can distinguish between two distibutions Recipocal 0 n, e, α) and Recipocal ALL n, e, α). Let n, e, α, x) be the input to D, whee x ZEROn, e, α) o x ALLn, e, α). 1. D gives pk = n, e, α) to B Then B 1 outputs m 0, m 1, state). 3. D chooses a bit b andomly and computes c b = x + m b n mod n 2. D gives c b, state) to B B 2 outputs a bit b. 5. D outputs 0 if b = b. Othewise, D outputs 1. Let P 0 denote the pobability that D = 0 fo x ZEROn, e, α) and P ALL denote the pobability that D = 0 fo x ALLn, e, α). Now if x ALLn, e, α), then c b is unifomly distibuted ove ALLn, e, α) fo both b = 0 and 1. Theefoe, it is clea that P ALL = 1/2. On the othe hand, if x ZEROn, e, α), then c b is a valid ciphetext of m b. Theefoe, fom ou assumption and fom Def.2, we obtain that is non-negligible. Hence P 0 1/2 = P b = b) 1/2 P 0 P ALL is non-negligible because P ALL = 1/2. This means that D can distinguish between Recipocal 0 n, e, α) and Recipocal ALL n, e, α). Next suppose that thee exists a distinguishe D which is able to distinguish between Recipocal 0 n, e, α) and Recipocal ALL n, e, α). We will show an advesay B = B 1, B 2 ) which beaks ou encyption scheme in the sense of

17 IND-CPA, whee B 1 woks in the find stage and B 2 woks in the guess stage. On input pk = n, e, α), B 1 outputs m 0 = 0 and m 1 Z n, whee m 1 is andomly chosen fom Z n. Fo a given ciphetext c b, B 2 gives n, e, α, c b ) to D, whee c b is a ciphetext of m b. Note that c 0 is andomly chosen fom ZEROn, e, α) and c 1 is andomly chosen fom ALLn, e, α). Theefoe, D can distinguish them fom ou assumption. Hence B 2 can distinguish them. A.2 Extended Result Lemma 5. Recipocal ALL n, e, α) = LARGE RSAK n, e, α). Poof. Fist suppose that n, e, α, c) LARGE RSAK n, e, α). Then c = + α ) e mod n 2 fo some Zn. Decypt c by ou decyption algoithm. Then we can find 2 m Z n and a pincipal Zn such that c = + α ) e + mn mod n 2. Theefoe n, e, α, c) Recipocal ALL n, e, α). This means that LARGE RSAK n, e, α) Recipocal ALL n, e, α). Next suppose that n, e, α, c) Recipocal ALL n, e, α). Then c = + α ) e + mn mod n 2 fo some m Z n and a pincipal Zn. We will show that thee exists u Zn 2 such that c = u + α ) e mod n 2 15) u and u mod n is pincipal. The above equation holds if and only if whee ed = 1 mod φn)n. Fo y p such that u 2 c d u + α = 0 mod n 2, 16) 2 c d + α) + py p 2 c d ) = 0 mod p 2, let u p = + py p mod p 2. Then it is easy to see that Similaly fo y q such that u 2 p c d u p + α = 0 mod p 2. 2 c d + α) + qy q 2 c d ) = 0 mod q 2,

18 let u q = + qy q mod q 2. Then Now conside u such that u 2 q c d u q + α = 0 mod p 2. u = u p mod p 2, u = u q mod q 2. Then u satisfies eq.16). Theefoe u satisfies eq.15). This means that c LARGE RSAK n, e, α). Hence Consequaently A.3 Poof of Theoem 4 Recipocal ALL n, e, α) LARGE RSAK n, e, α). LARGE RSAK n, e, α) = Recipocal ALL n, e, α). Fom Theoem 6 and Lemma 5, the poposed encyption scheme is IND-CPA if if Recipocal 0 n, e, α) and LARGE RSAK n, e, α) ae indistinguishable. Fom the definition we have Recipocal 0 n, e, α) = SMALL RSAK n, e, α). B Flaw on the Semantic Secuity of Rabin-Paillie Let SMALL QR n, e) = {n, e, x) x = 2e mod n 2, Q n } LARGE QR n, e) = {n, e, x) x = 2e mod n 2, Q n 2} Rabin-Paillie encyption scheme is IND-CPA if and only if SMALL QR n, e) and LARGE QR n, e) ae indistinguishable [GMMV03, Poposition 9]. Galindo et al. futhe claimed that SMALL QR n, e) and LARGE QR n, e) ae indistinguishable if SMALL RSAP n, e) and LARGE RSAP n, e) ae indistinguishable RSA-Paillie is IND-CPA unde this condition) and QRn) and QN Rn, +) ae indistinguishable, whee QRn) = {n, x) x Q n } { QNRn, +) = x n, x) x Zn, n) } = 1 in [GMMV03, Poposition 11]. Howeve, this claim is wong. In the poof, they say that D 1 and D 2 ae indistinguishable, whee D 1 = {x x = e mod n 2, Q n } D 2 = {x x = e mod n 2, Z n}. Howeve, we can distinguish them easily by computing x n).

Secret Exponent Attacks on RSA-type Schemes with Moduli N = p r q

Secret Exponent Attacks on RSA-type Schemes with Moduli N = p r q Secet Exponent Attacks on RSA-type Schemes with Moduli N = p q Alexande May Faculty of Compute Science, Electical Engineeing and Mathematics Univesity of Padebon 33102 Padebon, Gemany alexx@uni-padebon.de