Efficient Cryptosystems From $2^k$-th Power Residue Symbols


Marc Joye and Benoît Libert
Technicolor, 975 avenue des Champs Blancs, Cesson-Sévigné Cedex, France
{marc.joye,benoit.libert}@technicolor.com
Full version available at http://eprint.iacr.org/.

Abstract. Goldwasser and Micali (1984) highlighted the importance of randomizing the plaintext for public-key encryption and introduced the notion of semantic security. They also realized a cryptosystem meeting this security notion under the standard complexity assumption of deciding quadratic residuosity modulo a composite number. The Goldwasser-Micali cryptosystem is simple and elegant but is quite wasteful in bandwidth when encrypting large messages. A number of works followed to address this issue and proposed various modifications. This paper revisits the original Goldwasser-Micali cryptosystem using $2^k$-th power residue symbols. The so-obtained cryptosystems appear as a very natural generalization for $k \geq 2$ (the case $k = 1$ corresponds exactly to the Goldwasser-Micali cryptosystem). Advantageously, they are efficient in both bandwidth and speed; in particular, they allow for fast decryption. Further, the cryptosystems described in this paper inherit the useful features of the original cryptosystem (like its homomorphic property) and are shown to be secure under a similar complexity assumption. As a prominent application, this paper describes the most efficient lossy trapdoor function based on quadratic residuosity.

Keywords: Public-key encryption, quadratic residuosity, Goldwasser-Micali cryptosystem, homomorphic encryption, standard model.

1 Introduction

Encryption is arguably one of the most fundamental cryptographic primitives. Although it seems an easy task to identify properties that a good encryption scheme must fulfill, it turns out that rigorously defining the right security notion is not trivial at all. Security is context sensitive. Merely requiring that the plaintext cannot be recovered from the ciphertext is not enough in most applications. One may require that the knowledge of some a priori information on the plaintext does not help the adversary to obtain any new information, that is, beyond what can be obtained from the a priori information. This intuition is formally captured by the notion of semantic security, introduced by Goldwasser
and Micali in their seminal paper [20]. They also introduced the equivalent notion of indistinguishability of encryptions, which is usually easier to work with. Given the encryption of any two equal-length (distinct) plaintexts, an adversary should not be able to distinguish the corresponding ciphertexts. Clearly, the latter notion is only achievable by probabilistic public-key encryption schemes. One such cryptosystem was also presented in [20]. It achieves ciphertext indistinguishability under the Quadratic Residuosity (QR) assumption. Informally, this assumption says that it is infeasible to distinguish squares from non-squares in $\mathbb{J}_N$ (i.e., the set of elements in $\mathbb{Z}_N^*$ whose Jacobi symbol is 1) where $N = pq$ is an RSA-type modulus of unknown factorization.

The Goldwasser-Micali cryptosystem is simple and elegant. The public key comprises an RSA modulus $N = pq$ and a non-square $y \in \mathbb{J}_N$ while the private key is the secret factor $p$. The encryption of a bit $m \in \{0, 1\}$ is given by $c = y^m x^2 \bmod N$ for a random $x \in \mathbb{Z}_N^*$. The message $m$ is recovered using $p$, by checking whether $c$ is a square: $m = 0$ if so, and $m = 1$ otherwise (observe that a non-square $y \in \mathbb{J}_N$ is also a non-square modulo $p$). The encryption of a string $m = (m_{k-1}, \ldots, m_0)_2$, with $m_i \in \{0, 1\}$, proceeds by forming the ciphertexts $c_i = y^{m_i} x_i^2 \bmod N$, for $0 \leq i \leq k-1$. The scheme is computationally efficient but somewhat wasteful in bandwidth as $k \cdot \log_2 N$ bits are needed to encrypt a $k$-bit message. Several proposals were made to address this issue.

A first attempt is due to Blum and Goldwasser [8]. They achieve a better ciphertext expansion: the ciphertext has the same length as the plaintext plus an integer of the size of the modulus. The scheme is proved semantically secure assuming the unpredictability of the output of the Blum-Blum-Shub pseudorandom generator [6, 7], which relies on the factorization hardness assumption. Details about this scheme can be found in [21].

Another direction, put forward by Benaloh and Fischer [12, 5], is to use a $k$-bit prime $r$ such that $r \mid p - 1$, $r^2 \nmid p - 1$ and $r \nmid q - 1$. The scheme also requires $y \in \mathbb{Z}_N^*$ such that $y^{\phi(N)/r} \not\equiv 1 \pmod N$, where $\phi(N) = (p-1)(q-1)$ denotes Euler's totient function. A $k$-bit message $m$ (with $m < r$) is encrypted as $c = y^m x^r \bmod N$, where $x \in_R \mathbb{Z}_N^*$. It is recovered by searching over the entire message space, $[0, r) \subseteq \{0, 1\}^k$, for the element $m$ satisfying $(y^{\phi(N)/r})^m \equiv c^{\phi(N)/r} \pmod N$. The scheme is shown to be secure under the prime-residuosity assumption (which generalizes the quadratic residuosity assumption). With the Benaloh-Fischer cryptosystem, the ciphertext corresponding to a $k$-bit message is short but the decryption process is now demanding. In practice, the scheme is therefore limited to small values of $k$, say $k < 40$.

The Benaloh-Fischer cryptosystem was subsequently extended by Naccache and Stern [39]. They observe that the decryption can be sped up by rather considering a product of small (odd) primes $R = \prod_i r_i$ such that $r_i \mid \phi(N)$ but $r_i^2 \nmid \phi(N)$ for each prime $r_i$. Given a ciphertext, the plaintext $m$ is reconstructed from $m_i := m \bmod r_i$ through Chinese remaindering. The advantage is that each $m_i$ is searched in the subspace $[0, r_i)$ instead of the entire message space. A variant of this technique was used by Groth [22].

Other generalizations and extensions of the Goldwasser-Micali cryptosystem but without formal security analysis can be found in [53, 32, 44]. More recently, Monnerat and Vaudenay developed applications using the more general theory of characters [38, 37], specifically with characters of order $\leq 4$. Related cryptosystems are described in [49, 48]. Yet another, different approach was proposed by Okamoto and Uchiyama [42], who suggested to use moduli of the form $N = p^2 q$. This allows encrypting messages of size up to $\log_2 p$ bits. This was later extended by Paillier [43] to the setting $N = p^2 q^2$. In 2005, Boneh, Goh and Nissim [10] showed an additively homomorphic system also supporting one multiplication.

A useful application of additive homomorphic encryption schemes resides in the construction of lossy trapdoor functions (or LTDFs in short). These functions, as introduced by Peikert and Waters [45], are function families wherein injective functions are computationally indistinguishable from lossy functions, which lose many bits of information about their input. LTDFs have proved to be very powerful and versatile in the cryptographer's toolbox. They notably imply chosen-ciphertext-secure public-key encryption [45], deterministic encryption [2, 9] as well as cryptosystems that retain some security in the absence of reliable randomness [3] or in the presence of selective-opening adversaries [4].

Our contributions

New Homomorphic Cryptosystem. We suggest an improvement of the original Goldwasser-Micali cryptosystem. It can be seen as a follow-up of the earlier works due to Benaloh and Fischer [12] and Naccache and Stern [39]. Before discussing it, we quote from [39]:

"Although the question of devising new public-key cryptosystems appears much more difficult [...] we feel that research in this direction is still in order: simple yet efficient constructions may have been overlooked."

It is striking that the generalized cryptosystem in this paper was not already proposed because, as will become apparent (cf. Section 3), it turns out to be a very natural generalization. Our approach consists in considering $n$-th power residues modulo $N$ with $n = 2^k$ (the Goldwasser-Micali system corresponds to the case $k = 1$). This presents certain advantages. First, the resulting cryptosystem is bandwidth-efficient. Only $\log_2 N$ bits are needed for encrypting a $k$-bit message in typical applications (e.g., using the KEM/DEM paradigm). Second, the decryption process is very fast, even faster than in the Naccache-Stern cryptosystem. Searches are no longer needed (not even in smaller subspaces) in the decryption algorithm as plaintext messages can be recovered bit by bit. Third, the underlying complexity assumption is similar. The proposed cryptosystem is shown to be secure under the quadratic residuosity assumption for RSA moduli $N = pq$ such that $p, q \equiv 1 \pmod{2^k}$.

We also note that, similarly to the Goldwasser-Micali cryptosystem, our generalized cryptosystem enjoys an additive property known as homomorphic encryption. If $c_1$ and $c_2$ denote two ciphertexts corresponding to $k$-bit plaintexts
$m_1$ and $m_2$, respectively, then $c_1 \cdot c_2 \pmod N$ is an encryption of the message $m_1 + m_2 \pmod{2^k}$. This proves useful in several applications like voting schemes. An interesting extension would be to thresholdize it as was done in [29].

As another useful property, the new scheme also inherits the selective opening security^1 [16, 4] of the Goldwasser-Micali system (in the sense of a simulation-based definition given in [4]). We actually prove its semantic security by showing that its public key is indistinguishable from a so-called lossy key for which encryptions reveal nothing about the encrypted message. We thus believe our system to provide an interesting competitor to Paillier's cryptosystem for certain applications. As a salient example, we show that it provides a dramatically improved lossy trapdoor function based on a quadratic residuosity assumption.

^1 This notion refers to an attack scenario where the adversary is given $t$ encryptions of possibly correlated messages, opens $t/2$ out of these (and thereby obtains the messages and encryption coins) before attempting to harm the security of the remaining ciphertexts.

New Efficient Lossy Trapdoor Functions. The initial LTDF realizations [45] were based on the Decision Diffie-Hellman and Learning-with-Error [47] assumptions. More efficient examples based on the Composite Residuosity assumption were given in [9, 17, 18] while Kiltz et al. [30] showed that the RSA permutation provides a lossy function. Under the quadratic residuosity assumption, three distinct constructions were put forth in [23, 17, 18, 51]. Those of Freeman et al. [17, 18] and of Wee [51] must be used in combination with the results of Mol and Yilek [36] as they only lose single bits of information about the input. Hemenway and Ostrovsky [23] suggested a more efficient realization, of which Wee's framework [51] is a generalization. While their QR-based LTDF has found applications in the design of deterministic encryption schemes [11], it is conceptually very similar to the Peikert-Waters matrix-based schemes and suffers from similarly large outputs and descriptions. We show that our variant of the Goldwasser-Micali cryptosystem drastically improves the efficiency of the Hemenway-Ostrovsky LTDF. Specifically, it reduces the length of the output (resp. the description) of the function by a factor of $O(\kappa)$ (resp. $O(\kappa^2)$), where $\kappa$ is the security parameter. By appropriately selecting the parameters, we obtain evaluation keys and outputs consisting of a constant number of $\mathbb{Z}_N$ elements (and thus $O(\kappa)$ bits), instead of $O(\kappa^2)$ or $O(\kappa^3)$ as in the previous constructions. We thus obtain a QR-based LTDF, whose efficiency is competitive with Paillier-based realizations [9, 17, 18]. These improvements carry over to the deterministic encryption setting, when the Hemenway-Ostrovsky LTDF is used as a building block of the Brakerski-Segev system [11].

2 Background

We review some useful background and fix the notation. In particular, we define the $n$-th power residue symbol. We refer the reader to [25, 50, 52] for further
details on (quadratic) residuosity. More information about encryption schemes can be found in textbooks in cryptography; e.g. [21, 28].

2.1 $n$-th power residues

Let $N \in \mathbb{N}$. For each integer $n \geq 2$, we define $(\mathbb{Z}_N^*)^n = \{x^n \mid x \in \mathbb{Z}_N^*\}$ the set of $n$-th power residues modulo $N$. If the relation $a = x^n$ has no solution in $\mathbb{Z}_N^*$ then $a$ is called an $n$-th power non-residue modulo $N$.

Suppose that $p$ is an odd prime. For any integer $a$ with $\gcd(a, p) = 1$, it is easily verified that $a$ is an $n$-th power residue modulo $p$ if and only if
$$a^{\frac{p-1}{\gcd(n, p-1)}} \equiv 1 \pmod p.$$
When $n = 2$ (and so $\gcd(n, p-1) = 2$), this is known as Euler's criterion. It allows one to distinguish quadratic residues from quadratic non-residues. This defines the Legendre symbol. There are several ways to generalize the Legendre symbol (see [33]). In this paper, we consider the $n$-th power residue symbol for a divisor $n$ of $(p-1)$, as presented in [52, Definition ].

Definition 1. Let $p$ be an odd prime and let $n \geq 2$ such that $n \mid p - 1$. Then the symbol
$$\left(\frac{a}{p}\right)_n = a^{\frac{p-1}{n}} \operatorname{mods} p$$
is called the $n$-th power residue symbol modulo $p$, where $a^{\frac{p-1}{n}} \operatorname{mods} p$ represents the absolute smallest residue of $a^{\frac{p-1}{n}}$ modulo $p$ (namely, the complete set of absolute smallest residues are: $-(p-1)/2, \ldots, -1, 0, 1, \ldots, (p-1)/2$).

2.2 Quadratic residuosity

Let $N = pq$ be the product of two (odd) primes $p$ and $q$. For an integer $a$ co-prime to $N$, the Jacobi symbol is the product of the corresponding Legendre symbols, namely $\left(\frac{a}{N}\right) = \left(\frac{a}{p}\right)\left(\frac{a}{q}\right)$. This gives rise to the multiplicative group $\mathbb{J}_N$ of integers whose Jacobi symbol is 1, $\mathbb{J}_N = \{a \in \mathbb{Z}_N^* \mid \left(\frac{a}{N}\right) = 1\}$. A relevant subset of $\mathbb{J}_N$ is the set of quadratic residues modulo $N$, $\mathbb{QR}_N = \{a \in \mathbb{Z}_N^* \mid \left(\frac{a}{p}\right) = \left(\frac{a}{q}\right) = 1\}$.

The Quadratic Residuosity (QR) assumption says that, given a random element $a \in \mathbb{J}_N$, it is hard to decide whether $a \in \mathbb{QR}_N$ if the prime factors of $N$ are unknown. To emphasize that this should hold for moduli $N = pq$ with $p, q \equiv 1 \pmod{2^k}$, we will refer to it as the $k$-QR assumption. Formally, we have:

Definition 2 (Quadratic Residuosity Assumption). Let RSAGen be a probabilistic algorithm which, given a security parameter $\kappa$, outputs primes $p, q$ such that $p, q \equiv 1 \pmod{2^k}$, and their product $N = pq$. The Quadratic Residuosity (QR) assumption asserts that the function $\mathbf{Adv}^{\mathrm{QR}}_{\mathcal{D}}(1^\kappa)$, defined as the distance
$$\left| \Pr[\mathcal{D}(x, N) = 1 \mid x \in_R \mathbb{QR}_N] - \Pr[\mathcal{D}(x, N) = 1 \mid x \in_R \mathbb{J}_N \setminus \mathbb{QR}_N] \right|$$
is negligible for any probabilistic polynomial-time distinguisher $\mathcal{D}$; the probabilities are taken over the experiment of running $(N, p, q) \leftarrow \mathrm{RSAGen}(1^\kappa)$ and choosing at random $x \in \mathbb{QR}_N$ and $x \in \mathbb{J}_N \setminus \mathbb{QR}_N$.

3 A New Public-Key Encryption Scheme

We generalize the Goldwasser-Micali cryptosystem so that it can efficiently support the encryption of larger messages while remaining additively homomorphic.

3.1 Description

The setting is basically the same as for the Goldwasser-Micali cryptosystem. The only additional requirement is that primes $p$ and $q$ are chosen congruent to 1 modulo $2^k$ where $k$ denotes the bit-size of the messages being encrypted. In more detail, our encryption scheme is the tuple (KeyGen, Encrypt, Decrypt) defined as follows.

KeyGen($1^\kappa$) Given a security parameter $\kappa$, KeyGen defines an integer $k \geq 1$, randomly generates primes $p, q \equiv 1 \pmod{2^k}$, and sets $N = pq$. It also picks $y \in \mathbb{J}_N \setminus \mathbb{QR}_N$. The public and private keys are $pk = \{N, y, k\}$ and $sk = \{p\}$.

Encrypt($pk$, $m$) Let $\mathcal{M} = \{0, 1\}^k$. To encrypt a message $m \in \mathcal{M}$ (seen as an integer in $\{0, \ldots, 2^k - 1\}$), Encrypt picks a random $x \in \mathbb{Z}_N^*$ and returns the ciphertext $c = y^m x^{2^k} \bmod N$.

Decrypt($sk$, $c$) Given $c \in \mathbb{Z}_N^*$ and the private key $sk = \{p\}$, the algorithm first computes $z = \left(\frac{c}{p}\right)_{2^k}$ and then finds $m \in \{0, \ldots, 2^k - 1\}$ such that the relation
$$\left[\left(\frac{y}{p}\right)_{2^k}\right]^m = z \ (\operatorname{mods} p)$$
holds. An efficient method to recover message $m$ in a bit-by-bit fashion is detailed in the next section (§3.2).

The correctness is easily verified by observing that $\alpha := \left(\frac{y}{p}\right)_{2^k}$ has order $2^k$ as an element in $\mathbb{Z}_p^*$. Indeed, letting $n = \mathrm{ord}_p(\alpha)$ be the order of $\alpha$, we have $n \mid 2^k$ since, by definition, $\alpha \equiv y^{\frac{p-1}{2^k}} \pmod p$. But $n$ cannot be equal to $2^{k'}$ for some $k' < k$ because $\alpha^{2^{k-1}} \equiv 1 \pmod p$ would imply $y^{\frac{p-1}{2}} \equiv 1 \pmod p$, which contradicts the assumption that $y \in \mathbb{J}_N \setminus \mathbb{QR}_N$ (i.e., $\left(\frac{y}{p}\right) = \left(\frac{y}{q}\right) = -1$). The decryption algorithm recovers the unique $m \in \{0, \ldots, 2^k - 1\}$ such that $\alpha^m \equiv z \pmod p$.

Remark 1. We notice that the case $k = 1$ corresponds to the Goldwasser-Micali cryptosystem. Indeed, the $2^k$-th power residue symbol is then the classical Legendre symbol and the assumption $p, q \equiv 1 \pmod{2^k}$ is trivially verified.

3.2 Fast decryption

At first glance, from the above description, it seems that the decryption process amounts to a search through the entire message space $\{0, 1\}^k$, similarly to some earlier cryptosystems. But we can do better. One of the main advantages of the proposed cryptosystem is that it provides an efficient way to recover the message. Hence, it remains practical, even for large values of $k$. The decryption algorithm proceeds similarly to the Pohlig-Hellman algorithm [46] and is detailed below.

Algorithm 1 Decryption algorithm
Input: Ciphertext $c$, private key $p$ (and public-key elements $y$ and $k$)
Output: Plaintext $m = (m_{k-1}, \ldots, m_0)_2$
1: $m \leftarrow 0$; $B \leftarrow 1$
2: for $i = 1$ to $k$ do
3:   $z \leftarrow \left(\frac{c}{p}\right)_{2^i}$; $t \leftarrow \left(\frac{y}{p}\right)_{2^i}^{m} \operatorname{mods} p$
4:   if $(t \neq z)$ then $m \leftarrow m + B$
5:   $B \leftarrow 2B$
6: end for
7: return $m$

The message $m \in \{0, 1\}^k$ is viewed as a $k$-bit integer given by its binary expansion $m = \sum_{i=0}^{k-1} m_i 2^i$, with $m_i \in \{0, 1\}$. Given $c = y^m x^{2^k} \bmod N$, we have
$$\left(\frac{c}{p}\right)_{2^i} = \left(\frac{y^m x^{2^k}}{p}\right)_{2^i} = \left(\frac{y^{\sum_{j=0}^{i-1} m_j 2^j}}{p}\right)_{2^i} = \left(\frac{y}{p}\right)_{2^i}^{\sum_{j=0}^{i-1} m_j 2^j} \ (\operatorname{mods} p)$$
since $y^m x^{2^k} = y^{\sum_{j=0}^{i-1} m_j 2^j} \left(y^{\sum_{j=i}^{k-1} m_j 2^{j-i}} x^{2^{k-i}}\right)^{2^i}$, for $1 \leq i \leq k$. As a result, $m$ can be recovered bit by bit using $p$, starting from the rightmost bit. The algorithm uses an accumulator $B$ which contains the successive powers of 2.

3.3 Security analysis

We prove that the scheme provides indistinguishable encryptions under the $k$-QR assumption. The case $k = 1$ corresponds to the Goldwasser-Micali cryptosystem and the standard Quadratic Residuosity assumption. So, we henceforth assume $k \geq 2$. In this case, since $p, q \equiv 1 \pmod{2^k}$, we know that $p, q \equiv 1 \pmod 4$ and $\left(\frac{-1}{p}\right) = \left(\frac{-1}{q}\right) = 1$. This implies that the square roots of an element in $\mathbb{QR}_N$ all have the same Jacobi symbol. The $k$-QR assumption states that, without knowing the factorization of $N$, random elements of $\mathbb{QR}_N$ are computationally indistinguishable from random elements of $\mathbb{J}_N \setminus \mathbb{QR}_N$. Here, it will be convenient to consider a gap variant of the $k$-QR assumption. We chose the terminology "gap" (not to be confused with computational problems which have an easy decisional counterpart [41]) by
analogy with certain lattice problems, where not every instance is a yes or no instance since a gap exists between these.

Definition 3 (Gap $2^k$-Residuosity Assumption). Let $N = pq$ be the product of two large primes $p$ and $q$ with $p, q \equiv 1 \pmod{2^k}$. The Gap $2^k$-Residuosity (Gap-$2^k$-Res) problem in $\mathbb{Z}_N^*$ is to distinguish the distribution of the following two sets given only $N = pq$:
$$V_0 = \{x \in \mathbb{J}_N \setminus \mathbb{QR}_N\} \quad \text{and} \quad V_1 = \{y^{2^k} \bmod N \mid y \in \mathbb{Z}_N^*\}.$$
The Gap $2^k$-Residuosity assumption posits that the advantage $\mathbf{Adv}^{\text{Gap-}2^k\text{-Res}}_{\mathcal{D}}(1^\kappa)$ of any PPT distinguisher $\mathcal{D}$, defined as the distance
$$\left| \Pr[\mathcal{D}(x, k, N) = 1 \mid x \in_R V_0] - \Pr[\mathcal{D}(x, k, N) = 1 \mid x \in_R V_1] \right|$$
where probabilities are taken over all coin tosses, is negligible.

The latter assumption was independently considered by Abdalla, Ben Hamouda and Pointcheval [1] who used it to provide tighter security proofs for forward-secure signatures. Our result thus implies that their tighter reduction holds under the more standard $k$-QR assumption.

In the above definition, we explicitly give $k$ to the distinguisher and remark that this information should be of little help considering that it can always be guessed with non-negligible probability. Also observe that from $p, q \equiv 1 \pmod{2^k}$, it follows that $2^k \mid N - 1$.

Theorem 1 ($k$-QR $\Rightarrow$ Gap-$2^k$-Res). The Quadratic Residuosity assumption implies the Gap $2^k$-Residuosity assumption. More precisely, for any PPT distinguisher $\mathcal{B}_0$ against the former, there exists a QR distinguisher $\mathcal{B}_1$ with comparable running time and for which
$$\mathbf{Adv}^{\text{Gap-}2^k\text{-Res}}_{\mathcal{B}_0}(1^\kappa) \leq 4 \cdot k \cdot \mathbf{Adv}^{k\text{-QR}}_{\mathcal{B}_1}(1^\kappa).$$

Proof. The proof is given in the full version of the paper.

It is not hard to see that the semantic security of the scheme is equivalent to the Gap-$2^k$-Res assumption. We thus obtain the following theorem as a corollary.

Theorem 2. The scheme is semantically secure under the $k$-QR assumption. More precisely, for any IND-CPA adversary $\mathcal{A}$, we have a $k$-QR distinguisher $\mathcal{B}$ such that
$$\mathbf{Adv}^{\text{ind-cpa}}_{\mathcal{A}}(1^\kappa) \leq 4 \cdot k \cdot \mathbf{Adv}^{k\text{-QR}}(\mathcal{B}).$$

Proof. The proof proceeds by simply changing the distribution of the public key. Under the Gap-$2^k$-Res assumption, instead of picking $y$ uniformly in $\mathbb{J}_N \setminus \mathbb{QR}_N$, we can choose it in the subgroup of $2^k$-th residues without the adversary noticing. However, in this case, the ciphertext carries no information about the message and the IND-CPA adversary has no advantage.

Interestingly, the proof of Theorem 2 implicitly shows that, like the original Goldwasser-Micali system, our scheme is a lossy encryption scheme [4] (i.e., it admits an alternative distribution of public keys for which encryptions statistically
hide the plaintext), which provides security guarantees against selective-opening attacks [16]. Moreover, for a lossy key $(y, N)$, there exists an efficient algorithm that opens a given ciphertext $c$ to any arbitrary plaintext $m$ (by finding random coins that explain $c$ as an encryption of $m$). It implies that our scheme satisfies the simulation-based definition [4] of selective-opening security.

4 Implementation and Performance

We detail here some implementation aspects. We explain how to select the parameters involved in the system set-up and key generation. Finally, we discuss the ciphertext expansion and give a comparison with previous schemes.

4.1 Parameter selection

The key generation (cf. §3.1) requires two primes $p$ and $q$ such that $p, q \equiv 1 \pmod{2^k}$ and an element $y \in \mathbb{J}_N \setminus \mathbb{QR}_N$, where $N = pq$. The condition $y \in \mathbb{J}_N \setminus \mathbb{QR}_N$ is equivalent to $\left(\frac{y}{p}\right) = \left(\frac{y}{q}\right) = -1$. So, we need to generate an element $y \in \mathbb{Z}_N^*$ such that (i) $y \bmod p$ is primitive in $\mathbb{Z}_p^*$, and (ii) $y \bmod q$ is primitive in $\mathbb{Z}_q^*$. Finding a primitive element modulo a prime number is not difficult when the factorization of $p - 1$ is known. Therefore, we suggest to select prime $p$ as a $k$-quasi-safe prime, that is, $p = 2^k p' + 1$ for some prime $p'$ (likewise for prime $q$, we take $q = 2^k q' + 1$ for some prime $q'$). An efficient algorithm for generating $k$-quasi-safe primes is discussed in [27, Section 4.2].

Consider now the primitive $2^k$-th root of unity $\zeta_{2^k} = e^{2i\pi/2^k}$ with $i = \sqrt{-1}$. It generates a cyclic group of order $2^k$ under multiplication. In our case, the key observation is that, when $p$ is a $k$-quasi-safe prime (i.e., $p = 2^k p' + 1$), if $y$ is a square modulo $p$ then $\zeta_{2^k} y$ is not. Indeed, we have
$$\left(\frac{\zeta_{2^k} y}{p}\right) = \left(\frac{\zeta_{2^k}}{p}\right)\left(\frac{y}{p}\right) \equiv \zeta_{2^k}^{\frac{p-1}{2}} \left(\frac{y}{p}\right) \equiv (e^{i\pi})^{p'} \left(\frac{y}{p}\right) = -\left(\frac{y}{p}\right) \pmod p$$
since $p'$ is odd. This leads to the following algorithm.

Algorithm 2 Generation of $y$
Input: Modulus $N = pq$ (with $p = 2^k p' + 1$ and $q = 2^k q' + 1$), primes $p, q, p', q'$, and integer $k \geq 1$
Output: $y \in \mathbb{J}_N \setminus \mathbb{QR}_N$
1: Pick at random $y_p \in \mathbb{Z}_p^*$ and $y_q \in \mathbb{Z}_q^*$
2: if $\left(\frac{y_p}{p}\right) = 1$ then $y_p \leftarrow \zeta_{2^k} \, y_p \bmod p$
3: if $\left(\frac{y_q}{q}\right) = 1$ then $y_q \leftarrow \zeta_{2^k} \, y_q \bmod q$
4: Set $y \leftarrow y_p + p \cdot \left(p^{-1}(y_q - y_p) \bmod q\right)$
5: return $y$
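As an added example that is not part of the paper (the code is mine, not the authors'), the following toy Python implementation puts Sections 3.1, 3.2 and 4.1 together: key generation from $k$-quasi-safe primes with $y$ chosen as in Algorithm 2, encryption $c = y^m x^{2^k} \bmod N$, the bit-by-bit decryption of Algorithm 1, the additive homomorphism mentioned in the introduction, and the lossy public key used in the proof of Theorem 2 (a $y$ that is itself a $2^k$-th residue, under which every ciphertext decrypts to 0 whatever the message). The function names, the dictionary layout of the keys, the fixed seeds and the parameter sizes (20-bit $p'$, $q'$ and $k = 8$) are my own choices; the sizes are far too small to offer any security and exist only so that the example runs instantly.

```python
import random


def is_prime(n):
    """Deterministic Miller-Rabin; exact for the toy sizes used here (n < 3e24)."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def quasi_safe_prime(k, bits, rng):
    """k-quasi-safe prime p = 2^k p' + 1 with p' an odd prime (Section 4.1)."""
    while True:
        pp = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        p = (pp << k) + 1
        if is_prime(pp) and is_prime(p):
            return p, pp


def symbol(a, p, k):
    """2^k-th power residue symbol (a/p)_{2^k} = a^{(p-1)/2^k} (Definition 1),
    returned in [0, p) instead of as the absolute smallest residue."""
    return pow(a, (p - 1) >> k, p)


def zeta(p, pp):
    """Element playing the role of zeta_{2^k} in Algorithm 2: for a non-square g,
    g^{p'} has order 2^k and is itself a non-square because p' is odd."""
    for g in range(2, p):
        if symbol(g, p, 1) == p - 1:
            return pow(g, pp, p)


def keygen(k, bits=20, rng=random.Random(2013)):
    """KeyGen of Section 3.1, with y produced by Algorithm 2 of Section 4.1."""
    p, pp = quasi_safe_prime(k, bits, rng)
    q, qq = quasi_safe_prime(k, bits, rng)
    yp, yq = rng.randrange(1, p), rng.randrange(1, q)
    if symbol(yp, p, 1) == 1:              # square mod p: multiply by a non-square
        yp = zeta(p, pp) * yp % p
    if symbol(yq, q, 1) == 1:
        yq = zeta(q, qq) * yq % q
    y = yp + p * ((pow(p, -1, q) * (yq - yp)) % q)   # step 4: CRT combination
    return {"N": p * q, "y": y, "k": k}, {"p": p}


def encrypt(pk, m, rng=random):
    """Encrypt: c = y^m x^{2^k} mod N for a random x (Section 3.1)."""
    N, k = pk["N"], pk["k"]
    if not 0 <= m < (1 << k):
        raise ValueError("message must be a k-bit integer")
    x = rng.randrange(1, N)
    return pow(pk["y"], m, N) * pow(x, 1 << k, N) % N


def decrypt(pk, sk, c):
    """Algorithm 1: recover m bit by bit from the 2^i-th residue symbols of c mod p."""
    p, y, k = sk["p"], pk["y"], pk["k"]
    m, B = 0, 1
    for i in range(1, k + 1):
        z = symbol(c, p, i)                    # (c/p)_{2^i}
        t = pow(symbol(y, p, i), m, p)         # ((y/p)_{2^i})^m for the bits found so far
        if t != z:                             # bit i-1 of m is set
            m += B
        B *= 2
    return m


def add_ciphertexts(pk, c1, c2):
    """Homomorphic property: c1 * c2 mod N encrypts m1 + m2 mod 2^k."""
    return c1 * c2 % pk["N"]


def lossy_key(pk, rng=random.Random(7)):
    """Alternative key from the proof of Theorem 2: y is a 2^k-th residue, so every
    ciphertext is a random 2^k-th residue carrying no information about m."""
    N, k = pk["N"], pk["k"]
    g = rng.randrange(2, N)
    return {"N": N, "y": pow(g, 1 << k, N), "k": k}


if __name__ == "__main__":
    pk, sk = keygen(8)
    c = encrypt(pk, 200)
    print("N has", pk["N"].bit_length(), "bits; decrypt(encrypt(200)) =", decrypt(pk, sk, c))
    print("homomorphic 200 + 100 mod 256 =", decrypt(pk, sk, add_ciphertexts(pk, c, encrypt(pk, 100))))
    print("under a lossy key, 200 decrypts to", decrypt(lossy_key(pk), sk, encrypt(lossy_key(pk), 200)))
```

The decryption loop compares the canonical residues in $[0, p)$ rather than the absolute smallest residues of the paper's "mods"; the two representations are in bijection, so the equality test $t \neq z$ is unchanged. The `lossy_key` function is the observation behind Theorem 2 made concrete: with $y = g^{2^k}$ every symbol $(c/p)_{2^i}$ equals 1, so the loop never sets a bit.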

The primes $p$ and $q$ are chosen so that $p, q \equiv 1 \pmod{2^k}$. Sharing common factors for $(p - 1)$ and $(q - 1)$ was used already in several other systems; see e.g. [19, 34]. Letting $r$ denote a common factor of $(p-1)$ and $(q-1)$, a baby-step giant-step approach developed by McKee and Pinch [35] can factor the RSA modulus $N = pq$ in essentially $O(N^{1/4}/r)$ operations. In our case, we have $r = 2^k$. For security it is therefore necessary that $\frac{1}{4}\log_2 N - k > \kappa$, or equivalently, $k < \frac{1}{4}\log_2 N - \kappa$ where $\kappa$ is the security parameter. A powerful LLL-based technique due to Coppersmith [13, 14] also bounds the size of $k$ to at most $\frac{1}{2}\min(\log_2 p, \log_2 q)$ bits as, otherwise, the factors of $N$ would be revealed. Going beyond polynomial-time attacks, one should add an extra security margin to take into account exhaustive searches [40]. RSA moduli being balanced (i.e., $\frac{1}{2}\min(\log_2 p, \log_2 q) = \frac{1}{4}\log_2 N$), we so end up with the same upper bound as for the McKee-Pinch approach: $k < \frac{1}{4}\log_2 N - \kappa$. In practice, this restriction on $k$ is not a limitation because, as described in the next section, long messages can be encrypted using the KEM/DEM paradigm. For example, a specific parameter choice is $k = 128$ and $\log_2 N = \ldots$

4.2 Ciphertext expansion

Hybrid encryption allows designing efficient asymmetric schemes, as suggested by Shoup in the ISO standard for public-key encryption [26]. An asymmetric cryptosystem is used to encrypt a secret key that is then used to encrypt the actual message. This is the so-called KEM/DEM paradigm. The next table compares the ciphertext expansion in the encryption of $k$-bit messages for different generalized Goldwasser-Micali cryptosystems. Only cryptosystems with a formal security analysis are considered. Further, the value of $k$ is assumed to be relatively small (e.g., 128 or 256) as the message being encrypted is typically a symmetric key (for example a 128- or 256-bit AES key) in a KEM/DEM construction.

Table 1. Ciphertext expansion in a typical encryption

Encryption scheme        Assumption                     Ciphertext size
Goldwasser-Micali [20]   Quadratic Residuosity (QR)     $k \cdot \log_2 N$
Benaloh-Fischer [12]     Prime residuosity (PR)         $\lceil k / \log_2 r \rceil \cdot \log_2 N$
Naccache-Stern [39]      Prime residuosity (PR)         $\log_2 N$
Okamoto-Uchiyama [42]    $p$-subgroup                   $\log_2 N$
Paillier [43]            $N$-th residuosity             $2 \log_2 N$
This paper               Quadratic residuosity ($k$-QR) $\log_2 N$

It appears that the Goldwasser-Micali cryptosystem has the highest ciphertext expansion but its semantic security relies on the standard quadratic residuosity
assumption. The ciphertext expansion of the Benaloh-Fischer cryptosystem is similar to that of the Naccache-Stern cryptosystem for small messages; i.e., when $k \leq \log_2 r$. For larger messages, the Naccache-Stern cryptosystem should be preferred. It also offers the further advantage of providing a faster decryption procedure. The same is true for the Okamoto-Uchiyama cryptosystem. The Paillier cryptosystem produces twice larger ciphertexts. The encryption scheme proposed in this paper has the same ciphertext expansion as in the Naccache-Stern cryptosystem. Moreover, its decryption algorithm is fast (it is even faster than in the Naccache-Stern cryptosystem), requires less memory, and the security relies on a quadratic residuosity assumption.

5 More Efficient Lossy Trapdoor Functions from the $k$-Quadratic Residuosity Assumption

In this section, we show that our homomorphic cryptosystem allows constructing a lossy trapdoor function based on the $k$-QR assumption with much shorter outputs and keys than in previous QR-based examples. In comparison with the function of Hemenway and Ostrovsky [23], it compresses function values by a factor of $k$ when we work with a modulus $N = pq$ such that $p \equiv q \equiv 1 \pmod{2^k}$. Moreover, the size of the evaluation key is decreased by a factor of $O(k^2)$ while increasing the lossiness by $2k$ more bits. Finally, our inversion trapdoor has constant size, whereas [23] uses a trapdoor of size $O(n)$ to recover $n$-bit inputs.

Our function also compares favorably with the QR-based function of Freeman et al. [17, 18], which only loses a single bit. In fact, by appropriately tuning our construction, we obtain the first QR-based lossy trapdoor function with short outputs and keys that loses many input bits. Among known lossy trapdoor functions based on traditional number-theoretic assumptions [45, 9, 17, 18, 30, 23, 36], this appears as a rare efficiency tradeoff. To the best of our knowledge, it has only been achieved under the Composite Residuosity assumption [9, 17, 18] so far.

Interestingly, our LTDF provides similar efficiency improvements to the QR-based deterministic encryption scheme of Brakerski and Segev [11], which also builds on the Hemenway-Ostrovsky LTDF. Note that the scheme of [11] is important in the deterministic encryption literature since it is one of the only known schemes providing security in the auxiliary input setting in the standard model.

5.1 Description and security analysis

We start by recalling the following definition.

Definition 4 ([45]). Let $\kappa \in \mathbb{N}$ be a security parameter and $n : \mathbb{N} \to \mathbb{N}$, $l : \mathbb{N} \to \mathbb{R}$ be non-negative functions of $\kappa$. A collection of $(n, l)$-lossy trapdoor functions (LTDF) is a tuple of efficient algorithms (InjGen, LossyGen, Eval, Invert) with the following specifications.

Sampling an injective function: Given a security parameter $\kappa$, the randomized algorithm InjGen($1^\kappa$) outputs the index $ek$ of an injective function of the family and an inversion trapdoor $t$.
Sampling a lossy function: Given a security parameter $\kappa$, the probabilistic algorithm LossyGen($1^\kappa$) outputs the index $ek$ of a lossy function.
Evaluation: Given the index of a function $ek$ produced by either InjGen or LossyGen and an input $x \in \{0, 1\}^n$, the evaluation algorithm Eval outputs $F_{ek}(x)$ such that: if $ek$ is an output of InjGen, then $F_{ek}(\cdot)$ is an injective function; if $ek$ was produced by LossyGen, then $F_{ek}(\cdot)$ has image size $2^{n - l}$. In this case, the value $n - l$ is called residual leakage.
Inversion: For any pair $(ek, t)$ produced by InjGen and any input $x \in \{0, 1\}^n$, the inversion algorithm Invert returns $F^{-1}_{ek}(t, F_{ek}(x)) = x$.
Security: The two ensembles $\{ek \mid (ek, t) \leftarrow \mathrm{InjGen}(1^\kappa)\}_{\kappa \in \mathbb{N}}$ and $\{ek \mid ek \leftarrow \mathrm{LossyGen}(1^\kappa)\}_{\kappa \in \mathbb{N}}$ are computationally indistinguishable.

Our construction goes as follows.

Sampling an injective function. Given a security parameter $\kappa$, let $l_N(\kappa)$ and $k(\kappa)$ be security parameters determined by $\kappa$. Let also $n(\kappa)$ be the desired input length. Algorithm InjGen defines $m = n/k$ (we assume that $k$ divides $n$ for simplicity) and conducts the following steps.

1. Generate a modulus $N = pq > 2^{l_N}$ such that $p = 2^k p' + 1$ and $q = 2^k q' + 1$ for primes $p, q$ and odd co-prime integers $p', q'$. Choose $y \in_R \mathbb{J}_N \setminus \mathbb{QR}_N$.
2. For each $i \in \{1, \ldots, m\}$, pick $h_i$ in the subgroup of order $p'q'$, by setting $h_i = g_i^{2^k} \bmod N$ for a randomly chosen $g_i \in_R \mathbb{Z}_N^*$.
3. Choose $r_1, \ldots, r_m \in_R \mathbb{Z}_{p'q'}$ and compute a matrix $Z = (Z_{i,j})_{i,j \in \{1, \ldots, m\}}$ given by
$$Z = \begin{pmatrix} y^{z_{1,1}} h_1^{r_1} \bmod N & \cdots & y^{z_{1,m}} h_m^{r_1} \bmod N \\ \vdots & & \vdots \\ y^{z_{m,1}} h_1^{r_m} \bmod N & \cdots & y^{z_{m,m}} h_m^{r_m} \bmod N \end{pmatrix},$$
where $(z_{i,j})_{i,j \in \{1, \ldots, m\}}$ denotes the identity matrix.

The evaluation key is $ek := (N, (Z_{i,j})_{i,j \in \{1, \ldots, m\}})$ and the trapdoor is $t := p$.

Sampling a lossy function. The process followed by LossyGen is identical to the above one but the matrix $(z_{i,j})_{i,j \in \{1, \ldots, m\}}$ is replaced by the all-zeroes $m \times m$ matrix.

Evaluation. Given $ek = (N, (Z_{i,j})_{i,j \in \{1, \ldots, m\}})$, algorithm Eval parses the input $x \in \{0, 1\}^n$ as a vector of $k$-bit blocks $x = (x_1, \ldots, x_m)$, with $x_i \in \mathbb{Z}_{2^k}$ for each $i$. Then, it computes and returns $\tilde{y} = (y_1, \ldots, y_m)$, with $y_j \in \mathbb{Z}_N^*$, where
$$\tilde{y} = \left(\prod_{i=1}^m Z_{i,1}^{x_i} \bmod N, \ \ldots, \ \prod_{i=1}^m Z_{i,m}^{x_i} \bmod N\right) = \left(y^{\sum_{i=1}^m z_{i,1} x_i} \, h_1^{\sum_{i=1}^m r_i x_i} \bmod N, \ \ldots, \ y^{\sum_{i=1}^m z_{i,m} x_i} \, h_m^{\sum_{i=1}^m r_i x_i} \bmod N\right).$$

Inversion. Given $t = p$ and $\tilde{y} = (y_1, \ldots, y_m) \in (\mathbb{Z}_N^*)^m$, Invert applies the decryption algorithm of §3.2 to each $y_j$, for $j = 1$ to $m$. Observe that when $(z_{i,j})_{i,j \in \{1, \ldots, m\}}$ is the identity matrix,
$$\left(\frac{y_j}{p}\right)_{2^k} \equiv \left[\left(\frac{y}{p}\right)_{2^k}\right]^{x_j} \pmod p.$$
From the resulting vector of plaintexts $x = (x_1, \ldots, x_m) \in \mathbb{Z}_{2^k}^m$, it recovers the input $x \in \{0, 1\}^n$.

The Hemenway-Ostrovsky construction of [23] is slightly different in that, as in the DDH-based construction of Peikert and Waters [45], the evaluation key includes a vector of the form $G = (g^{r_1}, \ldots, g^{r_m})^T$, where $g \in \mathbb{QR}_N$, and the trapdoor is $t = (\log_g(h_1), \ldots, \log_g(h_m))$. In their scheme, the evaluation algorithm additionally computes $\prod_{i=1}^m (g^{r_i})^{x_i}$ while the inversion algorithm does not use the factorization of $N$ but rather performs a coordinate-wise ElGamal decryption. Here, explicitly using the factorization of $N$ in the inversion algorithm makes it possible to process $k$-bit blocks at once.

Theorem 3. The above construction is a $(n(\kappa), n(\kappa) - \log_2(p'q'))$-LTDF if the $k$-QR assumption holds.

Proof. The proof is given in the full version of the paper.

It is worth noting that, with $N = pq$ such that $p \equiv q \equiv 1 \pmod{2^k}$, a side effect of working in the subgroup of odd order is an improved lossiness. Indeed, we lose $n - \log_2(p'q')$ bits in comparison with $n - \log_2 \phi(N)$ in [23]. Using the techniques of Peikert and Waters [45], it is easy to construct an equally efficient all-but-one trapdoor function providing the same amount of lossiness under the QR assumption. A difference is that, in order to enable inversion, the resulting all-but-one function handles $k/2$ bits (instead of $k$) in each chunk. The details are given in the full version of the paper.

More importantly, the dimension $m$ of the matrix and the output vector can be reduced to a fairly small constant, as illustrated below.

5.2 Efficiency

Here, we consider chosen-ciphertext security as the targeted application. By combining the lossy and all-but-one trapdoor function, a CCA-secure encryption scheme can be obtained using the construction of [45]. We argue that $m = O(1)$ suffices for this purpose. Recall that the scheme of [45] combines a pairwise independent hash function $H : \{0, 1\}^n \to \{0, 1\}^\tau$, an $(n, l)$-lossy function and an $(n, l')$-all-but-one function such that $l + l' \geq n + \nu$ and $\tau \leq \nu - 2\log_2(1/\varepsilon)$, for some $\nu \in \omega(\log n)$ and where $\varepsilon$ is the statistical distance in the modified Leftover Hash Lemma used in [15]. If we choose $\varepsilon \geq 2^{-\kappa}$ and $\tau = k$ in order to encrypt $k$-bit messages, we can set $\nu = k + 2\kappa$. Setting $l = l' = n - \log_2(p'q')$, the constraint $l + l' \geq n + \nu$ translates into $n \geq 2\log_2(p'q') + \nu$. If we set $k = \frac{1}{4}\log_2 N - \kappa$, we have $\log_2(p'q') = \log_2 \phi(N) - 2k \approx 4(k + \kappa) - 2k = 2k + 4\kappa$, which yields $n \geq 3k + 6\kappa$. If $k > \kappa$, it is sufficient to set $n \geq 9k$. If we take into account the fact that our all-but-one function processes blocks of $k/2$ bits, we find that $m = 2n/k = 18$ suffices here.
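The lossy trapdoor function of Section 5.1, as an added example (my code, not the paper's): a toy instance with constructed parameters $k = 4$, $p = 2^4 \cdot 7 + 1 = 113$ and $q = 2^4 \cdot 37 + 1 = 593$ (both $k$-quasi-safe primes in the sense of Section 4.1, with $p' = 7$ and $q' = 37$ odd and co-prime), and $m = 3$ blocks so that $n = 12$. The function names, the fixed seed and the choice of $y$ as the smallest element of $\mathbb{J}_N \setminus \mathbb{QR}_N$ are assumptions of this example. Because the input space has only $2^{12}$ elements, the image of the function can be counted exhaustively, which makes the lossiness of Theorem 3 directly observable: under a lossy key the output depends on $x$ only through $\sum_i r_i x_i \bmod p'q'$, so the image has at most $p'q' = 259$ elements, while the injective key yields $4096$ distinct outputs. The inversion routine is the bit-by-bit procedure of Algorithm 1 in compact form, applied per coordinate with the trapdoor $p$.

```python
import math
import random

K = 4                      # block size k in bits (toy value, constructed)
P, PP = 113, 7             # p = 2^4 * 7 + 1,  a k-quasi-safe prime
Q, QQ = 593, 37            # q = 2^4 * 37 + 1, a k-quasi-safe prime
N = P * Q                  # 67009
# y in J_N \ QR_N: a non-square modulo both p and q; the smallest such value is used
Y = next(v for v in range(2, N)
         if pow(v, (P - 1) // 2, P) == P - 1 and pow(v, (Q - 1) // 2, Q) == Q - 1)


def gen(m, lossy, rng=random.Random(45)):
    """InjGen (lossy=False) or LossyGen (lossy=True) of Section 5.1.
    Returns the evaluation key ek = (N, Z) and the trapdoor t = p."""
    h = []
    for _ in range(m):                              # h_i = g_i^{2^k}: subgroup of order p'q'
        g = rng.randrange(2, N)
        while math.gcd(g, N) != 1:
            g = rng.randrange(2, N)
        h.append(pow(g, 1 << K, N))
    r = [rng.randrange(PP * QQ) for _ in range(m)]  # r_i in Z_{p'q'}
    # Z[i][j] = y^{z_{i,j}} h_j^{r_i} with z the identity (injective) or all-zero (lossy)
    Z = [[pow(Y, 0 if lossy else int(i == j), N) * pow(h[j], r[i], N) % N
          for j in range(m)] for i in range(m)]
    return (N, Z), P


def evaluate(ek, blocks):
    """Eval: y_j = prod_i Z[i][j]^{x_i} mod N, with x given as k-bit blocks x_1..x_m."""
    n_mod, Z = ek
    out = []
    for j in range(len(Z)):
        v = 1
        for i in range(len(Z)):
            v = v * pow(Z[i][j], blocks[i], n_mod) % n_mod
        out.append(v)
    return out


def invert(t, y_vec):
    """Invert: Algorithm 1 (Section 3.2) on each coordinate, using the trapdoor p."""
    p = t
    blocks = []
    for c in y_vec:
        x, B = 0, 1
        for i in range(1, K + 1):
            z = pow(c, (p - 1) >> i, p)                        # (c/p)_{2^i}
            if pow(pow(Y, (p - 1) >> i, p), x, p) != z:        # ((y/p)_{2^i})^x
                x += B
            B *= 2
        blocks.append(x)
    return blocks


def to_blocks(x, m):
    """Split an (m*k)-bit integer into m k-bit blocks, least significant block first."""
    return [(x >> (K * i)) & ((1 << K) - 1) for i in range(m)]


def image_size(ek, m):
    """Number of distinct outputs over all 2^(m*k) inputs (feasible only at toy size).
    Lossy keys give at most p'q' distinct outputs, i.e. n - log2(p'q') bits are lost."""
    return len({tuple(evaluate(ek, to_blocks(x, m))) for x in range(1 << (m * K))})


if __name__ == "__main__":
    ek, t = gen(3, lossy=False)
    print("inverted:", invert(t, evaluate(ek, [5, 0, 15])))
    print("injective image size:", image_size(ek, 3))
    lek, _ = gen(3, lossy=True)
    print("lossy image size:", image_size(lek, 3), "<= p'q' =", PP * QQ)
```

The `image_size` count is the thing a reader cannot see from the definition alone: the injective key is a bijection on the $4096$ inputs, whereas the lossy key collapses them onto no more than $259$ values, close to the $n - \log_2(p'q') \approx 4$ bits of lossiness Theorem 3 promises for these parameters.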

As it turns out, when the Peikert-Waters construction [45, Section 4.3] of CCA-secure encryption is instantiated with our lossy and all-but-one trapdoor functions, it only requires a constant number of exponentiations while retaining constant-size public keys and ciphertexts. With the exception of [24] (which relies on a weaker assumption), to the best of our knowledge, it yields the only known CCA-secure QR-based cryptosystem combining the aforementioned efficiency properties. Up to now, the most efficient chosen-ciphertext-secure cryptosystem strictly based on the QR assumption was the one of Kiltz et al. [31], where $O(\kappa)$ exponentiations are needed to encrypt and the public key contains $O(\kappa)$ group elements. On the other hand, our construction requires more specific moduli than [31].

6 Conclusion

This paper introduced a new generalization of the Goldwasser-Micali cryptosystem. The so-obtained cryptosystems are shown to be secure under the quadratic residuosity assumption. Further, they enjoy a number of useful features including fast decryption, optimal ciphertext expansion, and a homomorphic property. We believe that our proposal is the most natural yet efficient generalization of the Goldwasser-Micali cryptosystem. It keeps the nice attributes and properties of the original scheme while improving the overall performance. When applied to the Peikert-Waters framework for building lossy trapdoor functions, it yields a practical construction based on quadratic residuosity, with a companion deterministic encryption scheme and CCA-secure cryptosystem.

Acknowledgments

We are grateful to the anonymous reviewers for EUROCRYPT 2013 for their useful comments.

References

1. M. Abdalla, F. Ben Hamouda, and D. Pointcheval. Tighter reductions for forward-secure signature schemes. In K. Kurosawa and G. Hanaoka, editors, Public Key Cryptography – PKC 2013, volume 7778 of LNCS. Springer-Verlag.
2. M. Bellare, A. Boldyreva, and A. O'Neill. Deterministic and efficiently searchable encryption. In A. Menezes, editor, Advances in Cryptology – CRYPTO 2007, volume 4622 of LNCS. Springer-Verlag.
3. M. Bellare, Z. Brakerski, M. Naor, T. Ristenpart, G. Segev, H. Shacham, and S. Yilek. Hedged public-key encryption: How to protect against bad randomness. In M. Matsui, editor, Advances in Cryptology – ASIACRYPT 2009, volume 5912 of LNCS. Springer-Verlag, 2009.
4. M. Bellare, D. Hofheinz, and S. Yilek. Possibility and impossibility results for encryption and commitment secure under selective opening. In A. Joux, editor, Advances in Cryptology – EUROCRYPT 2009, volume 5479 of LNCS. Springer-Verlag.
5. J. D. C. Benaloh. Verifiable Secret-Ballot Elections. PhD thesis, Yale University, New Haven, CT, USA.
6. L. Blum, M. Blum, and M. Shub. Comparison of two pseudo-random number generators. In D. Chaum, R. L. Rivest, and A. T. Sherman, editors, Advances in Cryptology: Proceedings of CRYPTO 82. Plenum Press.
7. L. Blum, M. Blum, and M. Shub. A simple unpredictable pseudo-random number generator. SIAM J. Comput., 15(2).
8. M. Blum and S. Goldwasser. An efficient probabilistic public-key encryption scheme which hides all partial information. In G. R. Blakley and D. Chaum, editors, Advances in Cryptology – CRYPTO 84, volume 196 of LNCS. Springer-Verlag.
9. A. Boldyreva, S. Fehr, and A. O'Neill. On notions of security for deterministic encryption, and efficient constructions without random oracles. In D. Wagner, editor, Advances in Cryptology – CRYPTO 2008, volume 5157 of LNCS. Springer-Verlag.
10. D. Boneh, E.-J. Goh, and K. Nissim. Evaluating 2-DNF formulas on ciphertexts. In J. Kilian, editor, Theory of Cryptography Conference (TCC 2005), volume 3378 of LNCS. Springer-Verlag.
11. Z. Brakerski and G. Segev. Better security for deterministic public-key encryption: The auxiliary-input setting. In P. Rogaway, editor, Advances in Cryptology – CRYPTO 2011, volume 6841 of LNCS. Springer-Verlag.
12. J. D. Cohen and M. J. Fischer. A robust and verifiable cryptographically secure election scheme. In 26th Annual Symposium on Foundations of Computer Science (FOCS 85). IEEE Computer Society.
13. D. Coppersmith. Finding a small root of a bivariate integer equation: Factoring with high bits known. In U. Maurer, editor, Advances in Cryptology – EUROCRYPT 96, volume 1070 of LNCS. Springer-Verlag.
14. D. Coppersmith. Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptology, 10(4).
15. Y. Dodis, L. Reyzin, and A. Smith. Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. In C. Cachin and J. Camenisch, editors, Advances in Cryptology – EUROCRYPT 2004, volume 3027 of LNCS. Springer-Verlag.
16. C. Dwork, M. Naor, O. Reingold, and L. Stockmeyer. Magic functions. Journal of the ACM, 50(6).
17. D. M. Freeman, O. Goldreich, E. Kiltz, A. Rosen, and G. Segev. More constructions of lossy and correlation-secure trapdoor functions. In P. Q. Nguyen and D. Pointcheval, editors, Public Key Cryptography – PKC 2010, volume 6056 of LNCS. Springer-Verlag.
18. D. M. Freeman, O. Goldreich, E. Kiltz, A. Rosen, and G. Segev. More constructions of lossy and correlation-secure trapdoor functions. J. Cryptology.
19. M. Girault. An identity-based identification scheme based on discrete logarithms modulo a composite number. In I. B. Damgård, editor, Advances in Cryptology – EUROCRYPT 90, volume 473 of LNCS. Springer-Verlag.
20. S. Goldwasser and S. Micali. Probabilistic encryption. J. Comput. Syst. Sci., 28(2), 1984.
21. O. Goldreich. Foundations of Cryptography, volume II. Cambridge University Press.
22. J. Groth. Cryptography in subgroups of $\mathbb{Z}_n^*$. In J. Kilian, editor, Theory of Cryptography Conference (TCC 2005), volume 3378 of LNCS. Springer-Verlag.
23. B. Hemenway and R. Ostrovsky. Lossy trapdoor functions from smooth homomorphic hash proof systems. Electronic Colloquium on Computational Complexity (ECCC).
24. D. Hofheinz and E. Kiltz. Practical chosen ciphertext secure encryption from factoring. In A. Joux, editor, Advances in Cryptology – EUROCRYPT 2009, volume 5479 of LNCS. Springer-Verlag.
25. K. Ireland and M. Rosen. A Classical Introduction to Modern Number Theory, volume 84 of Graduate Texts in Mathematics. Springer-Verlag, 2nd edition.
26. ISO/IEC. Information technology – Security techniques – Encryption algorithms – Part 2: Asymmetric ciphers. International Organization for Standardization, May.
27. M. Joye and P. Paillier. Fast generation of prime numbers on portable devices: An update. In L. Goubin and M. Matsui, editors, Cryptographic Hardware and Embedded Systems – CHES 2006, volume 4249 of LNCS. Springer-Verlag.
28. J. Katz and Y. Lindell. Introduction to Modern Cryptography. CRC Press.
29. J. Katz and M. Yung. Threshold cryptosystems based on factoring. In Y. Zheng, editor, Advances in Cryptology – ASIACRYPT 2002, volume 2501 of LNCS. Springer-Verlag.
30. E. Kiltz, A. O'Neill, and A. Smith. Instantiability of RSA-OAEP under chosen-plaintext attack. In T. Rabin, editor, Advances in Cryptology – CRYPTO 2010, volume 6223 of LNCS. Springer-Verlag.
31. E. Kiltz, K. Pietrzak, M. Stam, and M. Yung. A new randomness extraction paradigm for hybrid encryption. In A. Joux, editor, Advances in Cryptology – EUROCRYPT 2009, volume 5479 of LNCS. Springer-Verlag.
32. K. Kurosawa, Y. Katayama, W. Ogata, and S. Tsujii. General public key residue cryptosystems and mental poker protocols. In I. B. Damgård, editor, Advances in Cryptology – EUROCRYPT 90, volume 473 of LNCS. Springer-Verlag.
33. F. Lemmermeyer. Reciprocity Laws. Springer Monographs in Mathematics. Springer-Verlag.
34. C. H. Lim and P. J. Lee. Security and performance of server-aided RSA computation protocols. In D. Coppersmith, editor, Advances in Cryptology – CRYPTO 95, volume 963 of LNCS. Springer-Verlag.
35. J. McKee and R. Pinch. Further attacks on server-aided RSA cryptosystems. Unpublished manuscript.
36. P. Mol and S. Yilek. Chosen-ciphertext security from slightly lossy trapdoor functions. In P. Q. Nguyen and D. Pointcheval, editors, Public Key Cryptography – PKC 2010, volume 6056 of LNCS. Springer-Verlag.
37. J. Monnerat and S. Vaudenay. Generic homomorphic undeniable signatures. In P. J. Lee, editor, Advances in Cryptology – ASIACRYPT 2004, volume 3329 of LNCS. Springer-Verlag.
38. J. Monnerat and S. Vaudenay. Undeniable signatures based on characters: How to sign with one bit. In F. Bao et al., editors, Public Key Cryptography – PKC 2004, volume 2947 of LNCS. Springer-Verlag, 2004.
39. D. Naccache and J. Stern. A new public key cryptosystem based on higher residues. In ACM Conference on Computer and Communications Security 1998 (CCS 98). ACM Press.
40. P. Q. Nguyen. Public-key cryptanalysis. In I. Luengo, editor, Recent Trends in Cryptography, Contemporary Mathematics. AMS–RSME.
41. T. Okamoto and D. Pointcheval. The gap-problems: A new class of problems for the security of cryptographic schemes. In K. Kim, editor, Public Key Cryptography (PKC 2001), volume 1992 of LNCS. Springer-Verlag.
42. T. Okamoto and S. Uchiyama. A new public-key cryptosystem as secure as factoring. In K. Nyberg, editor, Advances in Cryptology – EUROCRYPT 98, volume 1403 of LNCS. Springer-Verlag.
43. P. Paillier. Public-key cryptosystems based on composite degree residuosity classes. In J. Stern, editor, Advances in Cryptology – EUROCRYPT 99, volume 1592 of LNCS. Springer-Verlag.
44. S. J. Park, B. Y. Lee, and D. H. Won. A probabilistic encryption using very high residuosity and its applications. In Global Telecommunications Conference (GLOBECOM 95). IEEE Press.
45. C. Peikert and B. Waters. Lossy trapdoor functions and their applications. In C. Dwork, editor, 40th Annual ACM Symposium on Theory of Computing (STOC 2008). ACM Press.
46. S. H. Pohlig and M. E. Hellman. An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Trans. Inf. Theory, 24(1).
47. O. Regev. On lattices, learning with errors, random linear codes, and cryptography. In 37th Annual ACM Symposium on Theory of Computing (STOC 2005). ACM Press.
48. R. Scheidler. A public-key cryptosystem using purely cubic fields. J. Cryptology, 11(2).
49. R. Scheidler and H. C. Williams. A public-key cryptosystem utilizing cyclotomic fields. Des. Codes Cryptography, 6(2).
50. V. Shoup. A Computational Introduction to Number Theory and Algebra. Cambridge University Press, 2nd edition.
51. H. Wee. Dual projective hashing and its applications – Lossy trapdoor functions and more. In D. Pointcheval and T. Johansson, editors, Advances in Cryptology – EUROCRYPT 2012, volume 7237 of LNCS. Springer-Verlag.
52. S. Y. Yan. Number Theory for Computing. Springer-Verlag, 2nd edition.
53. Y. Zheng, T. Matsumoto, and H. Imai. Residuosity problem and its applications to cryptography. Trans. IEICE, E-71(8), 1988.


More information

On Nonlinear Polynomial Selection and Geometric Progression (mod N) for Number Field Sieve

On Nonlinear Polynomial Selection and Geometric Progression (mod N) for Number Field Sieve On onlinear Polynomial Selection and Geometric Progression (mod ) for umber Field Sieve amhun Koo, Gooc Hwa Jo, and Soonhak Kwon Email: komaton@skku.edu, achimheasal@nate.com, shkwon@skku.edu Det. of Mathematics,

More information

Verifying Two Conjectures on Generalized Elite Primes

Verifying Two Conjectures on Generalized Elite Primes 1 2 3 47 6 23 11 Journal of Integer Sequences, Vol. 12 (2009), Article 09.4.7 Verifying Two Conjectures on Generalized Elite Primes Xiaoqin Li 1 Mathematics Deartment Anhui Normal University Wuhu 241000,

More information

On split sample and randomized confidence intervals for binomial proportions

On split sample and randomized confidence intervals for binomial proportions On slit samle and randomized confidence intervals for binomial roortions Måns Thulin Deartment of Mathematics, Usala University arxiv:1402.6536v1 [stat.me] 26 Feb 2014 Abstract Slit samle methods have

More information

DISCRIMINANTS IN TOWERS

DISCRIMINANTS IN TOWERS DISCRIMINANTS IN TOWERS JOSEPH RABINOFF Let A be a Dedekind domain with fraction field F, let K/F be a finite searable extension field, and let B be the integral closure of A in K. In this note, we will

More information

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004 CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key

More information

Algebraic Number Theory

Algebraic Number Theory Algebraic Number Theory Joseh R. Mileti May 11, 2012 2 Contents 1 Introduction 5 1.1 Sums of Squares........................................... 5 1.2 Pythagorean Triles.........................................

More information

Breaking Plain ElGamal and Plain RSA Encryption

Breaking Plain ElGamal and Plain RSA Encryption Breaking Plain ElGamal and Plain RSA Encryption (Extended Abstract) Dan Boneh Antoine Joux Phong Nguyen dabo@cs.stanford.edu joux@ens.fr pnguyen@ens.fr Abstract We present a simple attack on both plain

More information

2 Asymptotic density and Dirichlet density

2 Asymptotic density and Dirichlet density 8.785: Analytic Number Theory, MIT, sring 2007 (K.S. Kedlaya) Primes in arithmetic rogressions In this unit, we first rove Dirichlet s theorem on rimes in arithmetic rogressions. We then rove the rime

More information

POINTS ON CONICS MODULO p

POINTS ON CONICS MODULO p POINTS ON CONICS MODULO TEAM 2: JONGMIN BAEK, ANAND DEOPURKAR, AND KATHERINE REDFIELD Abstract. We comute the number of integer oints on conics modulo, where is an odd rime. We extend our results to conics

More information

A CONCRETE EXAMPLE OF PRIME BEHAVIOR IN QUADRATIC FIELDS. 1. Abstract

A CONCRETE EXAMPLE OF PRIME BEHAVIOR IN QUADRATIC FIELDS. 1. Abstract A CONCRETE EXAMPLE OF PRIME BEHAVIOR IN QUADRATIC FIELDS CASEY BRUCK 1. Abstract The goal of this aer is to rovide a concise way for undergraduate mathematics students to learn about how rime numbers behave

More information

4-3 A Survey on Oblivious Transfer Protocols

4-3 A Survey on Oblivious Transfer Protocols 4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of

More information

arxiv: v2 [math.nt] 9 Oct 2018

arxiv: v2 [math.nt] 9 Oct 2018 ON AN EXTENSION OF ZOLOTAREV S LEMMA AND SOME PERMUTATIONS LI-YUAN WANG AND HAI-LIANG WU arxiv:1810.03006v [math.nt] 9 Oct 018 Abstract. Let be an odd rime, for each integer a with a, the famous Zolotarev

More information

Chapter 3. Number Theory. Part of G12ALN. Contents

Chapter 3. Number Theory. Part of G12ALN. Contents Chater 3 Number Theory Part of G12ALN Contents 0 Review of basic concets and theorems The contents of this first section well zeroth section, really is mostly reetition of material from last year. Notations:

More information

Sums of independent random variables

Sums of independent random variables 3 Sums of indeendent random variables This lecture collects a number of estimates for sums of indeendent random variables with values in a Banach sace E. We concentrate on sums of the form N γ nx n, where

More information

ON POLYNOMIAL SELECTION FOR THE GENERAL NUMBER FIELD SIEVE

ON POLYNOMIAL SELECTION FOR THE GENERAL NUMBER FIELD SIEVE MATHEMATICS OF COMPUTATIO Volume 75, umber 256, October 26, Pages 237 247 S 25-5718(6)187-9 Article electronically ublished on June 28, 26 O POLYOMIAL SELECTIO FOR THE GEERAL UMBER FIELD SIEVE THORSTE

More information

Multiplicative group law on the folium of Descartes

Multiplicative group law on the folium of Descartes Multilicative grou law on the folium of Descartes Steluţa Pricoie and Constantin Udrişte Abstract. The folium of Descartes is still studied and understood today. Not only did it rovide for the roof of

More information

Topic: Lower Bounds on Randomized Algorithms Date: September 22, 2004 Scribe: Srinath Sridhar

Topic: Lower Bounds on Randomized Algorithms Date: September 22, 2004 Scribe: Srinath Sridhar 15-859(M): Randomized Algorithms Lecturer: Anuam Guta Toic: Lower Bounds on Randomized Algorithms Date: Setember 22, 2004 Scribe: Srinath Sridhar 4.1 Introduction In this lecture, we will first consider

More information

An Introduction to Probabilistic Encryption

An Introduction to Probabilistic Encryption Osječki matematički list 6(2006), 37 44 37 An Introduction to Probabilistic Encryption Georg J. Fuchsbauer Abstract. An introduction to probabilistic encryption is given, presenting the first probabilistic

More information

Number Theory Naoki Sato

Number Theory Naoki Sato Number Theory Naoki Sato 0 Preface This set of notes on number theory was originally written in 1995 for students at the IMO level. It covers the basic background material that an IMO

More information

QUADRATIC RECIPROCITY

QUADRATIC RECIPROCITY QUADRATIC RECIPROCITY JORDAN SCHETTLER Abstract. The goals of this roject are to have the reader(s) gain an areciation for the usefulness of Legendre symbols and ultimately recreate Eisenstein s slick

More information

A Qualitative Event-based Approach to Multiple Fault Diagnosis in Continuous Systems using Structural Model Decomposition

A Qualitative Event-based Approach to Multiple Fault Diagnosis in Continuous Systems using Structural Model Decomposition A Qualitative Event-based Aroach to Multile Fault Diagnosis in Continuous Systems using Structural Model Decomosition Matthew J. Daigle a,,, Anibal Bregon b,, Xenofon Koutsoukos c, Gautam Biswas c, Belarmino

More information

2 Asymptotic density and Dirichlet density

2 Asymptotic density and Dirichlet density 8.785: Analytic Number Theory, MIT, sring 2007 (K.S. Kedlaya) Primes in arithmetic rogressions In this unit, we first rove Dirichlet s theorem on rimes in arithmetic rogressions. We then rove the rime

More information

#A37 INTEGERS 15 (2015) NOTE ON A RESULT OF CHUNG ON WEIL TYPE SUMS

#A37 INTEGERS 15 (2015) NOTE ON A RESULT OF CHUNG ON WEIL TYPE SUMS #A37 INTEGERS 15 (2015) NOTE ON A RESULT OF CHUNG ON WEIL TYPE SUMS Norbert Hegyvári ELTE TTK, Eötvös University, Institute of Mathematics, Budaest, Hungary hegyvari@elte.hu François Hennecart Université

More information

Tanja Lange Technische Universiteit Eindhoven

Tanja Lange Technische Universiteit Eindhoven Crytanalysis Course Part I Tanja Lange Technische Universiteit Eindhoven 28 Nov 2016 with some slides by Daniel J. Bernstein Main goal of this course: We are the attackers. We want to break ECC and RSA.

More information

DIRICHLET S THEOREM ON PRIMES IN ARITHMETIC PROGRESSIONS. 1. Introduction

DIRICHLET S THEOREM ON PRIMES IN ARITHMETIC PROGRESSIONS. 1. Introduction DIRICHLET S THEOREM ON PRIMES IN ARITHMETIC PROGRESSIONS INNA ZAKHAREVICH. Introduction It is a well-known fact that there are infinitely many rimes. However, it is less clear how the rimes are distributed

More information

A Simple Public-Key Cryptosystem with a Double Trapdoor Decryption Mechanism and its Applications

A Simple Public-Key Cryptosystem with a Double Trapdoor Decryption Mechanism and its Applications A Simple Public-Key Cryptosystem with a Double Trapdoor Decryption Mechanism and its Applications Emmanuel Bresson 1, Dario Catalano, and David Pointcheval 1 Cryptology Department, CELAR, 35174 Bruz Cedex,

More information

QUADRATIC RECIPROCITY

QUADRATIC RECIPROCITY QUADRATIC RECIPROCITY JORDAN SCHETTLER Abstract. The goals of this roject are to have the reader(s) gain an areciation for the usefulness of Legendre symbols and ultimately recreate Eisenstein s slick

More information

CS 6260 Some number theory. Groups

CS 6260 Some number theory. Groups Let Z = {..., 2, 1, 0, 1, 2,...} denote the set of integers. Let Z+ = {1, 2,...} denote the set of ositive integers and = {0, 1, 2,...} the set of non-negative integers. If a, are integers with > 0 then

More information

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium

More information

Elliptic Curves Spring 2015 Problem Set #1 Due: 02/13/2015

Elliptic Curves Spring 2015 Problem Set #1 Due: 02/13/2015 18.783 Ellitic Curves Sring 2015 Problem Set #1 Due: 02/13/2015 Descrition These roblems are related to the material covered in Lectures 1-2. Some of them require the use of Sage, and you will need to

More information

Foundations of Cryptography

Foundations of Cryptography - 111 - Foundations of Cryptography Notes of lecture No. 10B & 11 (given on June 11 & 18, 1989) taken by Sergio Rajsbaum Summary In this lecture we define unforgeable digital signatures and present such

More information