Exploring Naccache-Stern Knapsack Encryption

Transcription

1 Explorng Naccache-Stern Knapsack Encrypton Érc Brer 1, Rém Géraud 2, and Davd Naccache 2 1 Ingenco Termnals 9 Avenue de la Gare f Alxan, France erc.brer@ngenco.com 2 École normale supéreure 45 rue d Ulm, f Pars cedex 05, France {rem.geraud,davd.naccache}@ens.fr Abstract. The Naccache Stern publc-key cryptosystem (NS) reles on the conjectured hardness of the modular multplcatve knapsack problem: Gven p, {v }, v m mod p, fnd the {m }. Gven ths scheme s algebrac structure t s nterestng to systematcally explore ts varants and generalzatons. In partcular t mght be useful to enhance NS wth features such as semantc securty, re-randomzablty or an extenson to hgher-resdues. Ths paper addresses these questons and proposes several such varants. 1 Introducton In 1997, Naccache and Stern (NS, [15]) presented a publc-key cryptosystem based on the conjectured hardness of the modular multplcatve knapsack problem. Ths problem s defned as follows: Let p be a modulus 3 and let v 0,..., v Z p. Gven p, v 0,..., v, and v m mod p, fnd the {m }. Gven ths scheme s algebrac structure t s nterestng to determne f varants and generalzatons can add to NS features such as semantc securty, re-randomzablty or extend t to operate on hgher-resdues. Ths paper addresses these questons and explores several such varants. 1.1 The Orgnal Naccache Stern Cryptosystem The NS cryptosystem uses the followng sub-algorthms: 3 p s usually prme but nothng prevents extendng the problem to composte RSA modul.

2 Setup: Pck a large prme p and a postve nteger n. Let P = {p 0 = 2,..., p } be the set of the n frst prmes, so that p < p (We leave asde a one-bt leakage dealt wth n [15] ths technque apples mutats mutands to the algorthm presented n ths paper). KeyGen: Pck a secret nteger s < p 1, such that gcd(p 1, s) = 1. Set v = s p mod p. The publc key s (p, n, v 0,..., v ). The prvate key s s. Encrypt: To encrypt an n-bt message m, compute the cphertext c: where m s the -th bt of m. c = Decrypt: To decrypt c, compute v m mod p m = 2 µ (c, s, p) where µ (c, s, p) {0, 1} s the functon defned by: µ (c, s, p) = gcd(p, c s mod p) 1. p 1 To ths day, NS has nether been proven secure n the usual models, nor has t been attacked. Rather, ts securty reles on the conjectured hardness of a multplcatve varant of the knapsack problem 4 : Defnton 1 (Multplcatve Knapsack Problem). Gven p, c, and a set {v }, fnd a bnary vector x such that c = v x mod p. Just as n addtve knapsacks, ths problem s NP-hard n general but can be solved effcently n some stuatons; the secret key enablng precsely to transform the cphertext nto an easly-solvable nstance. Unlke addtve knapsacks, ths multplcatve knapsack doesn t lend tself to lattce reducton attacks, whch completely break many addtve knapsack-based cryptosystems [1, 3, 5, 11 13]. Over the past years, several NS varants were publshed, these notably seek to ether ncrease effcency [6] or extend NS to polynomal rngs [11]; to the best of our knowledge, no effcent attacks aganst the orgnal NS are known. 4 Ths can also be descrbed as a modular varant of the subset product problem. 2

3 1.2 Securty Notons A cryptosystem s semantcally secure, or equvalently IND-CPA-secure [9], f there s no adversary A capable of dstngushng between two cphertexts of plantexts of hs choosng. To capture ths noton, A starts by creatng two messages m 0 and m 1 and sends them to a challenger C. C randomly selects one of the m (hereafter m b ) and encrypts t nto a cphertext c. A s then challenged wth c and has to guess b wth probablty sgnfcantly hgher than 1/2. Gven a publc-key cryptosystem PKC = {Setup, KeyGen, Encrypt, Decrypt}, ths securty noton can be formally defned by the followng game: Defnton 2 (IND-CPA-Securty). The followng game s played: C selects a secret random bt b; A outputs two messages m 0 and m 1 ; C sends to A the cphertext c Encrypt(m b ); A outputs a guess b. A wns the game f b = b. The advantage of A n ths game s defned as: Adv IND-CPA PKC,A := Pr [b = b ] 1 2 A publc-key cryptosystem PKC s IND-CPA-secure f Adv IND-CPA PKC,A all PPT adversares A. s neglgble for IND-CPA-securty s a very basc requrement, and n some scenaros t s desrable to have stronger securty notons, capturng stronger adversares. The strongest securty noton for a publc-key cryptosystem s ndstngushablty under adaptve chosen cphertext attacks, or IND-CCA2-securty. IND-CCA2 s also defned n terms of a game, where A s furthermore gven access to an encrypton oracle and a decrypton oracle: Defnton 3 (IND-CCA2-Securty). An adversary A s gven access to an encrypton oracle O E and a decrypton oracle O D. The followng game s played: C selects a secret random bt b; A queres O E and O D and outputs two messages m 0 and m 1 ; C sends to A the cphertext c Encrypt(m b ); A queres O E and O D and outputs a guess b. A wns the game f b = b and f no query to the oracles concerned m 0 nor m 1. The advantage of A n ths game s defned as Adv IND-CCA2 PKC,A := Pr [b = b ] 1 2 A publc-key cryptosystem PKC s IND-CCA2-secure f Adv IND-CCA2 PKC,A for all PPT adversares A. s neglgble 3

4 We further remnd the syntax of a perfectly re-randomzable encrypton scheme [4, 10,16]. A perfectly re-randomzable encrypton scheme conssts n four polynomaltme algorthms (polynomal n the mplct securty parameter k): 1. KeyGen: a randomzed algorthm whch outputs a publc key pk and a correspondng prvate key sk. 2. Encrypt: a randomzed encrypton algorthm whch takes a plantext m (from a plantext space) and a publc key pk, and outputs a cphertext c. 3. ReRand: a randomzed algorthm whch takes a cphertext c and outputs another cphertext c ; c decrypts to the same message m as the orgnal cphertext c. 4. Decrypt: a determnstc decrypton algorthm whch takes a prvate key sk and a cphertext c, and outputs ether a plantext m or an error ndcator. In other words: {sk, pk} KeyGen(1 k ) Decrypt(ReRand(Encrypt(m, pk), pk), sk) = Decrypt(Encrypt(m, pk), sk) = m Note that ReRand takes only a cphertext and a publc key as nput, and n partcular, does not requre sk. 2 Hgher-Resdues Naccache-Stern The determnstc nature of NS prevents t from achevng IND-CPA-securty: Indeed, a gven message m 0 wll always produce the same cphertext c 0, so A wll always wn the game of Defnton 2. We now descrbe an NS varant that s randomzed. We then show how ths modfcaton guarantees semantc securty, and even CCA2 securty n the random oracle model, assumng the hardness of solvng the multplcatve knapsack descrbed earler. In dong so, we must be very careful not to ntroduce addtonal structure that an adversary could leverage. To make ths very vsble, we decomposed the constructon nto three steps, each step pontng out the flaws avoded n the fnal constructon. 2.1 Constructon Step 1 Because the modfed cryptosystem uses specal prme modul, algorthms Setup and KeyGen are merged nto one sngle Setup + KeyGen algorthm 5. Setup + KeyGen: Pck a large prme p such that (p 1)/2 = as s a factorngresstant RSA modulus. 5 Alternatvely, we can regard Setup as a pro forma empty algorthm. 4

5 Pck a postve nteger n. Let P = {p 0 = 2,..., p } be the set of the n frst prmes, so that Set p < p v = s p mod p Let g be a generator of F p, and l = g 2a mod p. The publc key s (p, n, l, v 0,..., v ). The prvate key s s. Encrypt: To encrypt m, pck a random nteger k [1, p 2] and compute: c = l k v m where m s the -th bt of the message m. Decrypt: To decrypt c compute mod p m = 2 µ (c, s, p). To understand why decrypton works we frst observe that Hence: c s = (l k ) s = ((g 2a ) k ) s = g k(p 1) = 1 mod p. ( l k v m ) s = (l k ) s p m mod p. And we are brought back to the orgnal NS decrypton process. The problem: The (attentve) reader could have noted at ths step that because s s large and because the p are very few, the odds that a p s an s-th resdue modulo p are neglgble. Hence, unless p s constructed n a very partcular way, key pars smply... cannot be constructed. 6 A soluton consstng n usng a specfc p and s detaled n Secton 4. The alternatve conssts n proceedng wth 2 hereafter. 2.2 Constructon Step 2 The workaround wll be the followng: Assume that we pck a v at random, rase t to the power s and get some nteger π: π = v s mod p 6 Note that ths s obvously not be an ssue wth the orgnal NS scheme. 5

6 Refresh v untl π = 0 mod p where π s consdered as an element of Z. (In the worst case ths takes p trals.) Lettng y = π/p, we have: p y = v s mod p p = y 1 We wll now add the u as auxlary publc keys. v s = u v s mod p Setup + KeyGen: Pck a large prme p such that (p 1)/2 = as s a factorngresstant RSA modulus. Pck a postve nteger n. Let P = {p 0 = 2,..., p } be the set of the n frst prmes, so that p < p Generate the u, v pars as prevously descrbed so that: p = u v s mod p Let g be a generator of F p, and l = g 2a mod p. The publc key s (p, n, l, u 0,..., u, v 0,..., v ). The prvate key s s. Encrypt: To encrypt m, pck a random nteger k [1, p 2] and compute: c 0 = l k v m mod p and c 1 = where m s the -th bt of the message m. Decrypt: To decrypt c 0, c 1 compute Where m = 2 (c 0, c 1, s, p) u m (c 0, c 1, s, p) = gcd(p, c 1 c s 0 mod p) 1. p 1 To understand why decrypton works remnd that (l k ) s = 1 mod p and hence c 1 c s 0 = u m ( l k v m ) s = (l k ) s (u v s ) m = And we are brought back to the orgnal NS decrypton process. p m mod p. The problem: The (very attentve) reader could have noted that the resultng cryptosystem does not acheve semantc securty because the constructon process of c 1 s determnstc. 6

7 2.3 Constructon Step 3 The workaround s the followng: we provde the sender wth two extra elements of Z p that wll allow hm to blnd c 0, c 1. To that end, pck a random α Z p, let βα s = 1 mod p and add α, β to the publc key. The algorthms Setup + KeyGen and Decrypt reman otherwse unchanged but Encrypt now becomes: Encrypt: To encrypt m, pck a random nteger k [1, p 2] and compute: c 0 = α k v m mod p and c 1 = β k To understand why decrypton works we note that (modulo p): c 1 c s 0 = β k u m ( α k v m u m. ) s = (βα s ) k (u v s ) m = And we are brought back to the orgnal NS decrypton process. p m. 3 Securty 3.1 Semantc Securty The modfed scheme s securty essentally reles on blndng an NS cphertext usng a multplcatve factor l k = g 2ka mod p, whch belongs to the subgroup of Z p of order b. Lemma 1. Under the subgroup hdng assumpton n Z p, the scheme descrbed n Secton 2.1 s IND-CPA-secure. Recall that the subgroup-hdng assumpton [2] states that the unform dstrbuton over Z p s ndstngushable from the unform dstrbuton over one of ts subgroups. Proof. Assume that A(pk) wns the IND-CPA game wth non-neglgble advantage. Then n partcular A(pk) has non-neglgble advantage n the real-or-random game Adv R/R A := Pr[AE pk (pk) = 1] Pr[A O (pk) = 1] where E pk s an encrypton oracle and O s a random oracle. We defne B(pk, γ) as follows: Let E B (m) = γ vm mod p; B(pk, γ) returns the same result as A E B (pk) 7

8 The scenaro B(pk, γ = g 2au ) yelds E B = E pk. The scenaro B(pk, γ = g u ) for random u gves a cphertext that s a unform value, and therefore behaves as a perfect smulator of a random oracle,.e. E B = O. Hence f A s an effcent adversary aganst our scheme, then B s an effcent solver for the subgroup-hdng problem. Note that ths part of the argument does not fundamentally rely on the orgnal NS beng secure ndeed, we may consder an encrypton scheme that produces cphertexts of the form c = x k m. Decrypton for such a cryptosystem would be trcky, as c b = m b and there are b possble roots. That s why usng NS s useful, as we do not have decrypton ambguty ssues. As we ponted out, the constructon of Secton 2.2 s not semantcally secure: ndeed, c 1 s generated determnstcally from m. Ths s addressed n Secton 2.3 by ntroducng two numbers α and β. Usng a smlar argument as n Lemma 1, we have Lemma 2. Under the DDH assumpton n Z p, and assumng that factorng (p 1)/2 s nfeasble, the scheme descrbed n Secton 2.3 s IND-CPA-secure. Note that these hypotheses can be smultaneously satsfed. 3.2 CCA2 Securty Even more nterestng s the case for securty aganst adaptve chosen-cphertext attacks (IND-CCA2) [7, 8]. The orgnal NS s naturally not IND-CCA2; nor s n fact the Step 1 varant dscussed above: ndeed t s possble to re-randomse a cphertext, whch mmedately gves a way to wn the IND-CCA2 game. To remedy ths, we leverage the fact that upon successful decrypton, we can recover the randomness l k. The dea s to choose k n some way that depends on m. If k s a determnstc functon of m only however, randomsaton s lost. Therefore we suggest the followng varant, at the cost of some bandwdth: Instead of m, we encrypt a message m r where r s a random strng. Let k H(m r) where H s a cryptographc hash functon, and use ths value of k nstead of choosng t randomly n Encrypt. Modfy Decrypt to recover l k (or α k and β k ). Upon successfully recoverng (m r), extract r, and check that l k (resp. α k and β k ) correspond to the correct value of k otherwse t ouputs. Ths approach guarantees IND-CCA2 n the random oracle model; ths can be captured as a seres of games: Game 0: Ths s the IND-CCA2 game aganst our scheme (1 or 3), nstantated wth some hash functon H. Game 1: Ths game dffers from Game 0 n replacng H by a random oracle O. In the random oracle model, ths game s computatonally ndstngushable from Game 0. 8

9 Game 2: Ths game dffers from Game 1 by the fact that the cphertext s replaced by an unformly-sampled random element of the cphertext space. The results on IND-CPA securty tell us that ths game s computatonally ndstngushable from Game 1 (under ther respectve hypotheses). 4 Generatng Strong Pseudo-Prmes n Several Bases We now backtrack and turn our attenton to generatng specfc modul allowng to mplement securely the 1 scheme of Secton 2.1. Ths bols down to descrbng how to effcently generate strong pseudo-prme numbers. In ths secton, we denote N the sought-after modulus. Usng quadratc recprocty, we frst ntroduce an algorthm generatng numbers passng Fermat s test. Then we leverage quartc recprocty to generate numbers passng Mller-Rabn s test. The pseudoprmes we need must be strong over several bases, and complexty s polynomal n the sze of the product of these bases. 4.1 Prmalty Tests A base-a Fermat prmalty test conssts n checkng that A B A mod B. Every prme passes ths test for all bases A. There are however composte numbers, known as Carmchael numbers, that also pass ths test n all bases. For nstance, 1729 = s such a number. There are an nfnty of Carmchael numbers. The Mller-Rabn prmalty test also reles on Fermat s lttle theorem. Let B 1 = 2 e m wth m odd. An nteger B passes the Mller-Rabn test f A m 1 mod B or f there exsts an e 1 such that A 2m 1 mod B. Defnton 4 (Strong pseudo-prme). A number that passes the Mller-Rabn test s sad strongly pseudo-prme n base A. An nterestng theorem [14, Proposton 2] [17] states that a composte number can only be strongly pseudo-prme for a quarter of the possble bases. 4.2 Constructng Pseudo-Prmes When p and 2p 1 are prme, Fermat s test amounts to the computng of a Jacob symbol. Indeed, Theorem 1. Let p be a prme such that q = 2p 1 s also prme. Let A QR q. Then B = pq passes Fermat s test n base A. Proof. A B (A p ) q A q A 2(p 1)+1 A mod p ( ) A A B (A q ) p A p A (q 1)/2+1 A A mod q q By the Chnese remander theorem, we fnd that A B A mod B. 9

10 From Gauss quadratc recprocty theorem, f q 1 mod 4 we can take q 1 mod A whch guarantees that A QR q. To make 2 a quadratc resdue modulo q we must have q ±1 mod 8. It s therefore easy to construct numbers that pass Fermat s test n a prescrbed lst of bases. 4.3 Constructng Strong Pseudo-prmes In ths secton we seek to generate numbers that are strongly pseudo-prme n base, where s prme. Let p denote a prme number such that q = 2p 1 s also prme, and N = pq. We have the followng equatons: N 1 0 mod p 1 N 1 q 1 mod q 1 2 n 1 p 1 mod p n 1 3 q 1 mod q From there on, we wll use the notaton ( ) to denote the quartc resdue symbol. Theorem 2. Let p be a prme such that q = 2p 1 1 mod 8 s also prme. Let A be an nteger such that ( ) ( ) ( ) A A A = 1, = +1, and = 1. p q q 4 Then N = pq passes the Mller-Rabn test n base A. Proof. Note that f A (N 1)/2 1 mod N, then n passes the Mller-Rabn test n base a. It then suffces to compute ths quantty modulo p and q respectvely: ( ) A A (N 1)/2 A (p 1)/2 1 mod p p ( ) 3 A A (N 1)/2 A 3(q 1)/4 1 mod q. p Bases > 5. Let 7 be a prme number. We consder here the case p 5 mod 8,.e. q 9 mod 16. We wll leverage the followng classcal result: Theorem 3. Let q be a prme number, q = A 2 + B 2 1 mod 8 wth B even. Let be a prme number such that (p/) = 1, then ( ) B ( ), or 2 = 1 A and = 1, or q ) 4 A µb where µ λ 2 mod and = ( λ(λ+1) 10

11 We wll also need the followng easy lemmata: Lemma 3. Let 7 be a prme number, there s at least an nteger Λ such that ( ) Λ = ( ) 2 Λ = 1. Proof. Let { ( ) ( ) } 2 s 1 = # F, = +1, = +1, { ( ) ( ) } 2 s 2 = # F, = +1, = 1, { ( ) ( ) } 2 s 3 = # F, = 1, = +1, { ( ) ( ) } 2 s 4 = # F, = 1, = 1,. Then t s clear that s 1 + s 2 + s 3 + s 4 = 2. The quantty s 1 + s 2 corresponds to the number of quadratc resdues modulo, except maybe 2. Therefore, ( s 1 + s 2 = 2 2 ) 1. By symmetry between and 2, we have s 2 = s 3. We also have From that we get the value of s 4 : { ( ) } (2 ) s 2 + s 3 = # F, = 1 { ( ) } 2/ 1 = # F, = 1 { ( ) } u = # u F, u 1, = 1 ( ) 1 + = 1. 2 ( + 2 s 4 = 2 ) ( 4 ) 1 2. Therefore, for every 7, s 4 > 0. 11

12 Choosng such an, we denote λ the nteger such that = 1 + 1/λ mod. Then, ( ) ( ) 1 + 1/λ 1 1/λ = = 1 ( ) ( ) (λ + 1)λ (λ 1)λ = = 1 ( λ 2 ) ( ) ( ) 1 (λ + 1)λ (λ 1)λ = = 1. Let µ be such that µ = λ 2. We can thus construct λ and µ so that the thrd possblty of Theorem 3 s never satsfed. Lemma 4. Let 7 be a prme number, there s at least an nteger x such that (x/) = 1 and (2x 1/) = +1. Proof. As for the prevous lemma, we show that there are 1 4 such values of x, whch strctly postve for 7. ( + 2 ( 2 ) ( ) ) 1 2 For such an x, we wrte y = 2x 1 = z 2 mod, A = z/λ mod, and B = A µ. We then have A 2 + B 2 = (1 + µ 2 )A 2 = λ 2 A 2 = z 2 = y mod If q = A 2 + B 2 1 mod 8 s prme, wth B even, A A mod, and B B mod, then we see that the condtons of Theorem 3 are not satsfed, hence (/q) 4 = 1. Furthermore, q y mod so that (/q) = +1. If we assume that p = (q + 1)/2 s prme, and that p 5 mod 8, then the condtons of Theorem 2 are satsfed. Indeed, p x mod so that (/p) = (x/) = 1. Thus we generated a pseudo-prme n base. All n all, the results from ths secton are captured by the followng theorem. Theorem 4. Let 7 be a prme number. There are ntegers A, A such that N = pq s strongly pseudo-prme n base, provded that q = A 2 + B 2 B s even A A mod B B mod q 9 mod 16 p = (q 1)/2 q s prme p s prme 12

13 Base = 2. In that case the followng theorem apples. Theorem 5. The nteger N = pq s strongly pseudo-prme n base 2 provded that q = A 2 + B 2 A 3 mod 8 B 4 mod 8 p = (q 1)/2 q s prme p s prme Proof. From the condtons of Theorem 5, q 9 mod 16 and q 5 mod 8, whch proves that 2 s a square modulo q and not modulo p, as t s not of the form α β 2. Bases = 3 and = 5. In both cases, we cannot fnd p and q such that the base s a square modulo q and not modulo p. As we wll see n the next secton ths s not too much of a problem n practce. We can n any case ensure that the base s a quartc resdue modulo q, usng for nstance the followng choces: A 3 = 1, B 3 = 0, A 5 = 1, B 5 = Combnng Bases Consder a set P of prme numbers, whch wll be used as bases. For each P, we construct a, b as descrbed n the prevous secton, usng ether the general constructon (for 7) or the specfc constructons (for = 2, 3, 5). Then we nvoke the Chnese remander theorem, to get three ntegers a P, b P, and m P such that N = pq s strongly pseudo-prme n all bases of P (except maybe 3 and 5), provded that q = A 2 + B 2 B s even A A P mod m P B B P mod m P q 9 mod 16 p = (q 1)/2 q s prme p s prme In fact, runnng the algorthm several tmes eventually yelds an nteger N that s also strongly pseudo-prme n bases 3 and 5. 13

14 4.5 Numercal Example Consder P = {p 1 = 2,..., p 46 } the set of all prmes smaller than 200. We get: A P = B P = m P = From these we get the followng number N, whch s strongly pseudo-prme over all the bases n P: p = q = N = Ths N can hence be used as the mssng modulus needed to nstantate a Step 1 NS varant. 14

15 5 Extensons 5.1 Usng Composte Modul In the 2/3 varants of our scheme, one mght be tempted to replace p tself by an RSA modulus n, where φ(n) = 2ab. Indeed, the orgnal NS constructon allows for such a choce. Dong so, however, would mmedately leak nformaton about the factorsaton of n: Indeed, gcd(g a 1, n) = p. There s a workaround: Frst we choose p and q so that (p 1)/2 and (q 1)/2 are RSA modul,.e. p 1 = 2s 1 s 2 and q 1 = 2r 1 r 2, wth large s 1, s 2, r 1, r 2. Then we set n = pq, a = s 1 r 1, and b = 2s 2 r 2. Therefore φ(n) = 2ab as before, but the GCD attack mentoned above does not apply, and the modfed 2/3 Naccache-Stern cryptosystem works. 5.2 Bandwdth Improvements The dea descrbed n ths paper s fully compatble wth the modfcatons ntroduced n [6] to mprove encrypton bandwdth. But there s even more: An nterestng observaton s that, upon decrypton, t s possble to recover both the message m and the whtenng x k. Ths s unlke most randomzed encrypton schemes, where the random nonce s lost. Thus we may contemplate storng some nformaton n k, thereby augmentng somewhat the total nformaton contaned n a cphertext. Alternatvely, x k may also be used as key materal f NS s used (n a hybrd mode) as a key transfer mechansm. For nstance, gven a message m = m 1 m 2, we may encrypt m 1 k usng the blndng m k 2 wth odd k. Upon decrypton, one recovers k, and computes the k-th root of the blndng factor m k 2 such a root s unque wth overwhelmng probablty thereby reconstructng the whole message. One nontrval research drecton s to provde, n the message m, hnts that make solvng the dscrete log modulo p easer and thereby embed drectly nformaton n k. References 1. Adleman, L.M.: On breakng the terated Merkle-Hellman publc-key cryptosystem. In: Chaum, D., Rvest, R.L., Sherman, A.T. (eds.) Advances n Cryptology CRYPTO 82. pp Plenum Press, New York, USA, Santa Barbara, CA, USA (1982) 2. Boneh, D., Goh, E.J., Nssm, K.: Evaluatng 2-DNF formulas on cphertexts. In: Klan, J. (ed.) TCC 2005: 2nd Theory of Cryptography Conference. Lecture Notes n Computer Scence, vol. 3378, pp Sprnger, Hedelberg, Germany, Cambrdge, MA, USA (Feb 10 12, 2005) 3. Brckell, E.F.: Breakng terated knapsacks. In: Blakley, G.R., Chaum, D. (eds.) Advances n Cryptology CRYPTO 84. Lecture Notes n Computer Scence, vol. 196, pp Sprnger, Hedelberg, Germany, Santa Barbara, CA, USA (Aug 19 23, 1984) 15

16 4. Canett, R., Krawczyk, H., Nelsen, J.B.: Relaxng chosen-cphertext securty. In: Boneh, D. (ed.) Advances n Cryptology CRYPTO Lecture Notes n Computer Scence, vol. 2729, pp Sprnger, Hedelberg, Germany, Santa Barbara, CA, USA (Aug 17 21, 2003) 5. Chee, Y.M., Joux, A., Stern, J.: The cryptoanalyss of a new publc-key cryptosystem based on modular Knapsacks. In: Fegenbaum, J. (ed.) Advances n Cryptology CRYPTO 91. Lecture Notes n Computer Scence, vol. 576, pp Sprnger, Hedelberg, Germany, Santa Barbara, CA, USA (Aug 11 15, 1992) 6. Chevaller-Mames, B., Naccache, D., Stern, J.: Lnear bandwdth Naccache-Stern encrypton. In: Ostrovsky, R., Prsco, R.D., Vscont, I. (eds.) SCN 08: 6th Internatonal Conference on Securty n Communcaton Networks. Lecture Notes n Computer Scence, vol. 5229, pp Sprnger, Hedelberg, Germany, Amalf, Italy (Sep 10 12, 2008) 7. Cramer, R., Shoup, V.: A practcal publc key cryptosystem provably secure aganst adaptve chosen cphertext attack. In: Krawczyk, H. (ed.) Advances n Cryptology CRYPTO 98. Lecture Notes n Computer Scence, vol. 1462, pp Sprnger, Hedelberg, Germany, Santa Barbara, CA, USA (Aug 23 27, 1998) 8. Fujsak, E., Okamoto, T., Pontcheval, D., Stern, J.: RSA-OAEP s secure under the RSA assumpton. Journal of Cryptology 17(2), (Mar 2004) 9. Goldwasser, S., Mcal, S.: Probablstc encrypton and how to play mental poker keepng secret all partal nformaton. In: Lews, H.R., Smons, B.B., Burkhard, W.A., Landweber, L.H. (eds.) Proceedngs of the 14th Annual ACM Symposum on Theory of Computng, May 5-7, 1982, San Francsco, Calforna, USA. pp ACM (1982) 10. Groth, J.: Rerandomzable and replayable adaptve chosen cphertext attack secure cryptosystems. In: Naor, M. (ed.) TCC 2004: 1st Theory of Cryptography Conference. Lecture Notes n Computer Scence, vol. 2951, pp Sprnger, Hedelberg, Germany, Cambrdge, MA, USA (Feb 19 21, 2004) 11. Herold, G., Meurer, A.: New attacks for knapsack based cryptosystems. In: Vscont, I., Prsco, R.D. (eds.) SCN 12: 8th Internatonal Conference on Securty n Communcaton Networks. Lecture Notes n Computer Scence, vol. 7485, pp Sprnger, Hedelberg, Germany, Amalf, Italy (Sep 5 7, 2012) 12. Joux, A., Stern, J.: Cryptanalyss of another knapsack cryptosystem. In: Ima, H., Rvest, R.L., Matsumoto, T. (eds.) Advances n Cryptology ASIACRYPT 91. Lecture Notes n Computer Scence, vol. 739, pp Sprnger, Hedelberg, Germany, Fujyoshda, Japan (Nov 11 14, 1993) 13. Lenstra Jr., H.W.: On the Chor-Rvest knapsack cryptosystem. Journal of Cryptology 3(3), (1991) 14. Moner, L.: Evaluaton and comparson of two effcent probablstc prmalty testng algorthms. Theoretcal Computer Scence 12(1), (1980) 15. Naccache, D., Stern, J.: A new publc-key cryptosystem. In: Fumy, W. (ed.) Advances n Cryptology EUROCRYPT 97. Lecture Notes n Computer Scence, vol. 1233, pp Sprnger, Hedelberg, Germany, Konstanz, Germany (May 11 15, 1997) 16. Prabhakaran, M., Rosulek, M.: Rerandomzable RCCA encrypton. In: Menezes, A. (ed.) Advances n Cryptology CRYPTO Lecture Notes n Computer Scence, vol. 4622, pp Sprnger, Hedelberg, Germany, Santa Barbara, CA, USA (Aug 19 23, 2007) 17. Rabn, M.O.: Probablstc algorthm for testng prmalty. Journal of number theory 12(1), (1980) 16