Efficient Cryptosystems From 2^k-th Power Residue Symbols


Fabrice Benhamouda (1), Javier Herranz (2), Marc Joye (3), and Benoît Libert (4)

(1) ENS Paris, CNRS, INRIA, and PSL, 45 rue d'Ulm, 75230 Paris Cedex 06, France; fabrice.benhamouda@ens.fr
(2) Universitat Politècnica de Catalunya, Dept. Matemàtica Aplicada, c. Jordi Girona 1-3, 08034 Barcelona, Spain; javier.herranz@upc.edu
(3) Technicolor, 175 S. San Antonio Rd, Los Altos, CA 94022, USA; marc.joye@technicolor.com
(4) ENS Lyon, Laboratoire d'Informatique du Parallélisme, 46 Allée d'Italie, 69364 Lyon Cedex 07, France; benoit.libert@ens-lyon.fr

A preliminary version of this paper appears in the proceedings of EUROCRYPT 2013. Part of this work was done while this author was with Technicolor, France.

Abstract. Goldwasser and Micali (1984) highlighted the importance of randomizing the plaintext for public-key encryption and introduced the notion of semantic security. They also realized a cryptosystem meeting this security notion under the standard complexity assumption of deciding quadratic residuosity modulo a composite number. The Goldwasser-Micali cryptosystem is simple and elegant but is quite wasteful in bandwidth when encrypting large messages. A number of works followed to address this issue and proposed various modifications. This paper revisits the original Goldwasser-Micali cryptosystem using $2^k$-th power residue symbols. The so-obtained cryptosystems appear as a very natural generalization for $k \ge 1$ (the case $k = 1$ corresponds exactly to the Goldwasser-Micali cryptosystem). Advantageously, they are efficient in both bandwidth and speed; in particular, they allow for fast decryption. Further, the cryptosystems described in this paper inherit the useful features of the original cryptosystem (like its homomorphic property) and are shown to be secure under a similar complexity assumption. As a prominent application, this paper describes an efficient lossy trapdoor function based thereon.

Keywords: Public-key encryption, quadratic residuosity, Goldwasser-Micali cryptosystem, homomorphic encryption, standard model.

1 Introduction

Encryption is arguably one of the most fundamental cryptographic primitives. Although it seems an easy task to identify properties that a good encryption scheme must fulfill, it turns out that rigorously defining the right security notion is not trivial at all. Security is context sensitive. Merely requiring that the plaintext cannot be recovered from the ciphertext is not enough in most applications. One may require that the knowledge of some a priori information on the plaintext does not help the adversary to obtain any new information, that is, beyond what can be obtained from the a priori information. This intuition is formally captured by the notion of semantic security, introduced in a seminal paper by Goldwasser and Micali [GM84]. They also introduced the equivalent notion of indistinguishability of encryptions, which is usually easier to work with. Given the encryption of any two equal-length (distinct) plaintexts, an adversary should not be able to distinguish the corresponding ciphertexts. Clearly, the latter notion is only achievable by probabilistic encryption schemes.

One such cryptosystem was also presented in [GM84]. It achieves ciphertext indistinguishability under the Quadratic Residuosity (QR) assumption. Informally, this assumption says that it is infeasible to distinguish squares from non-squares in $\mathbb{J}_N$ (i.e., the set of elements in $\mathbb{Z}_N^*$ whose Jacobi symbol is $+1$) where $N = pq$ is an RSA-type modulus of unknown factorization. The Goldwasser-Micali cryptosystem is simple and elegant. The public key comprises an RSA modulus $N = pq$ and a non-square $y \in \mathbb{J}_N$ while the private key is the secret factor $p$. The encryption of a bit $m \in \{0, 1\}$ is given by $c = y^m x^2 \bmod N$ for a random $x \in \mathbb{Z}_N^*$. The message $m$ is recovered using $p$, by checking whether $c$ is a square: $m = 0$ if so, and $m = 1$ otherwise (observe that a non-square $y \in \mathbb{J}_N$ is also a non-square modulo $p$). The encryption of a bitstring $m = (m_{k-1}, \dots, m_0)_2$, with $m_i \in \{0, 1\}$, proceeds by forming the ciphertexts $c_i = y^{m_i} x_i^2 \bmod N$, for $0 \le i \le k-1$. The scheme is computationally efficient but somewhat wasteful in bandwidth as $k \cdot \log_2 N$ bits are needed to encrypt a $k$-bit message.

Several proposals were made to address this issue. A first attempt is due to Blum and Goldwasser [BG84]. They achieve a better ciphertext expansion: the ciphertext has the same length as the plaintext plus an integer of the size of the modulus. The scheme is proved semantically secure assuming the unpredictability of the output of the Blum-Blum-Shub pseudo-random generator [BBS82, BBS86], which resides on the factorization hardness assumption. Details about this scheme can be found in [Gol04]. Another direction, put forward by Benaloh and Fischer [CF85, Ben87], is to use a $k$-bit prime $r$ such that $r \mid p-1$, $r^2 \nmid p-1$ and $r \nmid q-1$. The scheme also requires $y \in \mathbb{Z}_N^*$ such that $y^{\phi(N)/r} \not\equiv 1 \pmod N$, where $\phi(N) = (p-1)(q-1)$ denotes Euler's totient function. A $k$-bit message $m$ (with $m < r$) is encrypted as $c = y^m x^r \bmod N$, where $x \in_R \mathbb{Z}_N^*$. It is recovered by searching over the entire message space, $[0, r) \subseteq \{0,1\}^k$, for the element $m$ satisfying $(y^{\phi(N)/r})^m \equiv c^{\phi(N)/r} \pmod N$. The scheme is shown to be secure under the prime-residuosity assumption (which generalizes the quadratic residuosity assumption). With the Benaloh-Fischer cryptosystem, the ciphertext corresponding to a $k$-bit message is short but the decryption process is now demanding. In practice, the scheme is therefore limited to small values of $k$, say $k < 40$.

The Benaloh-Fischer cryptosystem was subsequently extended by Naccache and Stern [NS98]. They observe that the decryption can be sped up by rather considering a product of small (odd) primes $R = \prod_i r_i$ such that $r_i \mid \phi(N)$ but $r_i^2 \nmid \phi(N)$ for each prime $r_i$. Given a ciphertext, the plaintext $m$ is reconstructed from $m_i = m \bmod r_i$ through Chinese remaindering. The advantage is that each $m_i$ is searched in the subspace $[0, r_i)$ instead of the entire message space. A variant of this technique was used by Groth [Gro05]. Other generalizations and extensions of the Goldwasser-Micali cryptosystem but without formal security analysis can be found in [ZMI88, KKOT90, PLW95]. In [MV04b, MV04a], Monnerat and Vaudenay developed applications using the more general theory of characters, specifically with characters of order $\le 4$. Related cryptosystems are described in [SW95, Sch98]. A different approach was proposed by Okamoto and Uchiyama [OU98], who suggested to use moduli of the form $N = p^2 q$. This allows encrypting messages of size up to $\log_2 p$ bits. This was later extended by Paillier [Pai99] to the setting $N^2 = p^2 q^2$; see also [CGHGN01, DJN0].

A useful application of additive homomorphic encryption schemes resides in the construction of lossy trapdoor functions (or LTDFs in short). These functions, as introduced by Peikert and Waters [PW08], are function families wherein injective functions are computationally indistin-

guishable from lossy functions, which lose many bits of information about their input. LTDFs have proved to be very powerful and versatile in the cryptographer's toolbox. They notably imply chosen-ciphertext-secure public-key encryption [PW08], deterministic encryption [BBO07, BFO08], as well as cryptosystems that retain some security in the absence of reliable randomness [BBN+09] or in the presence of selective-opening adversaries [BHY09].

Our contributions

New Homomorphic Cryptosystem. We suggest an improvement of the original Goldwasser-Micali cryptosystem. It can be seen as a follow-up of the earlier works due to Benaloh and Fischer [CF85] and Naccache and Stern [NS98]. Before discussing it, we quote from [NS98]: "Although the question of devising new public-key cryptosystems appears much more difficult [...] we feel that research in this direction is still in order: simple yet efficient constructions may have been overlooked." It is striking that the generalized cryptosystem in this paper was not already proposed because, as will become apparent (cf. Section 3), it turns out to be a very natural generalization. Our approach consists in considering $n$-th power residues modulo $N$ with $n = 2^k$ (the Goldwasser-Micali system corresponds to the case $k = 1$). This presents many advantages. First, the resulting cryptosystem is bandwidth-efficient. Only $\log_2 N$ bits are needed for encrypting a $k$-bit message in typical applications (e.g., using the KEM/DEM paradigm). Second, the decryption process is fast. Searches are no longer needed (not even in smaller subspaces) in the decryption algorithm as plaintext messages can be recovered bit by bit. Further, although asymptotically slower than in Paillier's cryptosystem, the decryption process turns out to achieve comparable performance for most practical values of $k$ (e.g., $k = 128$). As a last advantage, the underlying complexity assumptions are similar to that used by Goldwasser and Micali.

The proposed cryptosystem is shown to be secure under the quadratic residuosity assumption for RSA moduli $N = pq$ such that $p \equiv 1 \pmod{2^k}$ and $q \equiv 3 \pmod 4$. When $q \not\equiv 3 \pmod 4$, it assumes in addition the hardness of determining the Jacobi symbol of an element $y \in \mathbb{Z}_N^*$ given a pair $(x, N)$ where $x = y^2 \bmod N$. Although the proposed cryptosystem makes use of primes of special form, there are no known factoring algorithms taking advantage of that. Further, complexity-wise, the use of such special primes does not incur a penalty with the latest prime generation algorithms. As will be seen, the time required to generate a random prime $p \equiv 1 \pmod{2^k}$ is essentially the same as the time required to generate a random, form-free prime. We also note that, similarly to the Goldwasser-Micali cryptosystem, our generalized cryptosystem enjoys an additive property known as homomorphic encryption. If $c_1$ and $c_2$ denote two ciphertexts corresponding to $k$-bit plaintexts $m_1$ and $m_2$, respectively, then $c_1 c_2 \pmod N$ is an encryption of the message $m_1 + m_2 \pmod{2^k}$. This reveals useful in several applications like voting schemes. As another useful property, the new scheme inherits the selective opening security (footnote 5) [DNRS03, BHY09] of the Goldwasser-Micali system (in the sense of a simulation-based definition given in [BHY09]). We actually prove its semantic security by showing that its public key is indistinguishable from a so-called lossy key for which encryptions reveal nothing about the encrypted message.

Footnote 5: This notion refers to an attack scenario where the adversary is given $t$ encryptions of possibly correlated messages, opens $t/2$ out of these (and thereby obtains the messages and encryption coins) before attempting to harm the security of the remaining ciphertexts.

We thus believe our system to provide an interesting competitor to Paillier's cryptosystem for certain applications. As a salient example, we show that it provides a dramatically improved lossy trapdoor function.

New Efficient Lossy Trapdoor Functions. The initial LTDF realizations [PW08] were based on the Decisional Diffie-Hellman (DDH) and Learning-with-Error (LWE) [Reg09] assumptions. More efficient examples based on the Decisional Composite Residuosity (DCR) assumption were given in [BFO08, FGK+10, FGK+13] while Kiltz et al. [KOS10] showed that the RSA permutation provides a lossy function. Under the Quadratic Residuosity (QR) assumption, three distinct constructions were put forth in [HO12, FGK+10, FGK+13, Wee12]. Those of Freeman et al. [FGK+10, FGK+13] and of Wee [Wee12] must be used in combination with the results of Mol and Yilek [MY10] as they only lose single bits of information about the input. Hemenway and Ostrovsky [HO12] suggested a more efficient realization, of which Wee's framework [Wee12] is a generalization. While their QR-based LTDF has found applications in the design of deterministic encryption schemes [BS11], it is conceptually very similar to the Peikert-Waters matrix-based schemes and suffers from similarly large outputs and descriptions. We show that our variant of the Goldwasser-Micali cryptosystem drastically improves the efficiency of the Hemenway-Ostrovsky LTDF. Specifically, it reduces both the length of the output and the description of the function. By appropriately selecting the parameters, we obtain evaluation keys and outputs consisting of a constant number of $\mathbb{Z}_N^*$ elements. We thus get a DDH/QR-based LTDF whose efficiency is competitive with Paillier-based realizations [BFO08, FGK+10, FGK+13]. These improvements carry over to the deterministic encryption setting, when the Hemenway-Ostrovsky LTDF is used as a building block of the Brakerski-Segev system [BS11].

Outline of the paper. In the next section, we introduce some mathematical background and review some complexity assumptions. In Section 3, we present our generalized cryptosystem. We prove its security in Section 4. Section 5 discusses certain implementation aspects. In Section 6, we describe our new lossy trapdoor function. Finally, we conclude in Section 7.

2 Background

We review some useful background and fix the notation. In particular, we define the $n$-th power residue symbol. We refer the reader to [IR90, Sho0, Yan0] for further details on (quadratic) residuosity. More information about encryption schemes can be found in textbooks in cryptography; e.g. [Gol04, KL07].

2.1 General notation

The set of non-negative integers is denoted by $\mathbb{N}$. For any integer $N \ge 1$, $\mathbb{Z}_N$ denotes the ring of integers modulo $N$, and $\mathbb{Z}_N^*$ denotes its group of units. The order of $\mathbb{Z}_N^*$ is $\phi(N)$, where $\phi$ is Euler's totient function. For any positive integer $N$ and any integer $a$, $a \bmod N$ represents the smallest integer in the set $\{0, \dots, N-1\}$ that is congruent to $a$ modulo $N$. Furthermore, for any positive odd integer $N$ and any

integer $a$, $a \operatorname{mods} N$ represents the absolute smallest residue of $a$ modulo $N$ (note the "s" ending the mod operator). The complete set of absolute smallest residues is $\{-(N-1)/2, \dots, -1, 0, 1, \dots, (N-1)/2\}$.

2.2 $n$-th power residues

Let $N \ge 1$ be an integer. For each integer $n \ge 1$, we define $(\mathbb{Z}_N^*)^n = \{x^n \mid x \in \mathbb{Z}_N^*\}$ as the set of $n$-th power residues modulo $N$. If the relation $a \equiv x^n$ has no solution in $\mathbb{Z}_N^*$ then $a$ is called an $n$-th power non-residue modulo $N$. Suppose that $p$ is an odd prime. For any integer $a$ with $\gcd(a, p) = 1$, it is easily verified that $a$ is an $n$-th power residue modulo $p$ if and only if $a^{(p-1)/\gcd(n, p-1)} \equiv 1 \pmod p$. When $n = 2$ (and so $\gcd(n, p-1) = 2$), this is known as Euler's criterion. It allows one to distinguish quadratic residues from quadratic non-residues. This defines the Legendre symbol:
$$\left(\frac{a}{p}\right) = \begin{cases} 1 & \text{if } a \text{ is a quadratic residue modulo } p, \\ -1 & \text{if } a \text{ is a quadratic non-residue modulo } p. \end{cases}$$
There are several ways to generalize the Legendre symbol (see [Lem00]). In this paper, we consider the $n$-th power residue symbol for a divisor $n$ of $(p-1)$, as presented in [Yan0, Definition 1.6.2].

Definition 1. Let $p$ be an odd prime and let $n \ge 1$ such that $n \mid p-1$. Then the symbol
$$\left(\frac{a}{p}\right)_n = a^{(p-1)/n} \operatorname{mods} p$$
is called the $n$-th power residue symbol modulo $p$.

It satisfies the following properties. Let $a$ and $b$ be two integers that are co-prime to $p$. Then:
1. If $a \equiv b \pmod p$ then $\left(\frac{a}{p}\right)_n = \left(\frac{b}{p}\right)_n$;
2. $\left(\frac{a^n}{p}\right)_n = 1$;
3. $\left(\frac{ab}{p}\right)_n = \left(\frac{a}{p}\right)_n \left(\frac{b}{p}\right)_n \operatorname{mods} p$;
4. $\left(\frac{1}{p}\right)_n = 1$ and $\left(\frac{-1}{p}\right)_n = (-1)^{(p-1)/n}$.

2.3 Quadratic residuosity

Let $N = pq$ be the product of two (odd) primes $p$ and $q$. For an integer $a$ co-prime to $N$, the Jacobi symbol is the product of the corresponding Legendre symbols, namely $\left(\frac{a}{N}\right) = \left(\frac{a}{p}\right)\left(\frac{a}{q}\right)$. This gives rise to the multiplicative group $\mathbb{J}_N$ of integers whose Jacobi symbol is $+1$, $\mathbb{J}_N = \{a \in \mathbb{Z}_N^* \mid \left(\frac{a}{N}\right) = 1\}$. A relevant subset of $\mathbb{J}_N$ is the set of quadratic residues modulo $N$, $\mathrm{QR}_N = \{a \in \mathbb{Z}_N^* \mid \left(\frac{a}{p}\right) = \left(\frac{a}{q}\right) = 1\}$. The set of integers whose Jacobi symbol is $-1$ is denoted by $\overline{\mathbb{J}}_N$; i.e., $\overline{\mathbb{J}}_N = \{a \in \mathbb{Z}_N^* \mid \left(\frac{a}{N}\right) = -1\} = \mathbb{Z}_N^* \setminus \mathbb{J}_N$.
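To make Definition 1 and the Jacobi symbol of Section 2.3 concrete, here is an added Python example (not code from the paper) that computes $(a/p)_n$ by the formula above, brute-force checks the generalized Euler criterion and properties 1 to 4, and builds the Jacobi symbol from the two Legendre symbols. The primes $p = 17$, $q = 7$ and the orders $n$ used in the checks are constructed for illustration; the criterion check is written for any $n \ge 1$, not only divisors of $p-1$.

```python
from math import gcd


def mods(a, n):
    """Absolute smallest residue of a modulo odd n, in {-(n-1)/2, ..., (n-1)/2}."""
    r = a % n
    return r - n if r > (n - 1) // 2 else r


def power_residue_symbol(a, p, n):
    """(a/p)_n = a^((p-1)/n) mods p for an odd prime p and n | p-1 (Definition 1)."""
    assert (p - 1) % n == 0 and gcd(a, p) == 1
    return mods(pow(a, (p - 1) // n, p), p)


def legendre(a, p):
    """The Legendre symbol is the n = 2 case."""
    return power_residue_symbol(a, p, 2)


def jacobi(a, p, q):
    """Jacobi symbol (a/N) = (a/p)(a/q) for N = p*q, computed from the factors."""
    return legendre(a, p) * legendre(a, q)


def is_nth_power_residue(a, p, n):
    """Brute-force definition: a is an n-th power residue mod p iff a = x^n for some unit x."""
    return any(pow(x, n, p) == a % p for x in range(1, p))


def euler_criterion_holds(p, n):
    """Check, for every unit a, that a is an n-th power residue mod p iff
    a^((p-1)/gcd(n, p-1)) = 1 (mod p), the criterion stated in Section 2.2."""
    d = gcd(n, p - 1)
    return all(is_nth_power_residue(a, p, n) == (pow(a, (p - 1) // d, p) == 1)
               for a in range(1, p))


def symbol_properties_hold(p, n):
    """Exhaustively check properties 1-4 of Definition 1 for all a, b coprime to p."""
    ok = True
    for a in range(1, p):
        ok &= power_residue_symbol(a + p, p, n) == power_residue_symbol(a, p, n)   # property 1
        ok &= power_residue_symbol(pow(a, n, p), p, n) == 1                        # property 2
        for b in range(1, p):
            ok &= power_residue_symbol(a * b, p, n) == mods(                       # property 3
                power_residue_symbol(a, p, n) * power_residue_symbol(b, p, n), p)
    ok &= power_residue_symbol(1, p, n) == 1                                       # property 4
    ok &= power_residue_symbol(-1, p, n) == (-1) ** ((p - 1) // n)
    return ok


if __name__ == "__main__":
    # Constructed toy values: p = 17 (so n may be 2, 4, 8 or 16), q = 7, N = 119.
    print("(2/17)_4 =", power_residue_symbol(2, 17, 4))     # 2 is not a 4th power mod 17
    print("(2/119)  =", jacobi(2, 17, 7))
    print("criterion, n = 4:", euler_criterion_holds(17, 4), " n = 3:", euler_criterion_holds(17, 3))
    print("properties, n = 16:", symbol_properties_hold(17, 16))
```

The fourth-power residues modulo 17 are exactly $\{1, 4, 13, 16\}$, so $(2/17)_4 = -1$ while the Legendre symbol $(2/17) = 1$: the finer symbol separates squares that are not fourth powers, which is the distinction the scheme of Section 3 relies on bit by bit.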

The Quadratic Residuosity (QR) assumption says that, given a random element $a \in \mathbb{J}_N$, it is hard to decide whether $a \in \mathrm{QR}_N$ if the prime factors of $N$ are unknown. To emphasize that this should hold for RSA moduli $N = pq$ with $p \equiv 1 \pmod{2^k}$ for some $k \ge 1$, we refer to it as the $k$-QR assumption. Formally, we have:

Definition 2 (Quadratic Residuosity Assumption, $k$-QR). Let RSAGen be a probabilistic algorithm which, given a security parameter $\kappa$, outputs primes $p$ and $q$ such that $p \equiv 1 \pmod{2^k}$, and their product $N = pq$. The Quadratic Residuosity ($k$-QR) assumption asserts that the function $\mathrm{Adv}^{k\text{-}\mathrm{QR}}_{\mathcal{D}}(\kappa)$, defined as the distance
$$\Big|\Pr[\mathcal{D}(x, N) = 1 \mid x \in_R \mathrm{QR}_N] - \Pr[\mathcal{D}(x, N) = 1 \mid x \in_R \mathbb{J}_N \setminus \mathrm{QR}_N]\Big|$$
is negligible for any probabilistic polynomial-time distinguisher $\mathcal{D}$; the probabilities are taken over the experiment of running $(N, p, q) \leftarrow \mathrm{RSAGen}(1^\kappa)$ and choosing at random $x \in \mathrm{QR}_N$ and $x \in \mathbb{J}_N \setminus \mathrm{QR}_N$.

We also introduce a new assumption. The new assumption, which we call the Squared Jacobi Symbol (SJS) assumption, posits the infeasibility of determining whether $\left(\frac{y}{N}\right) = 1$ or $-1$ given $(x, N)$ where $x = y^2 \bmod N$. Again, when the assumption is directed to RSA moduli $N = pq$ with $p \equiv 1 \pmod{2^k}$, we write it $k$-SJS. Formally, we define:

Definition 3 (Squared Jacobi Symbol Assumption, $k$-SJS). Let RSAGen be a probabilistic algorithm which, given a security parameter $\kappa$, outputs primes $p$ and $q$ such that $p \equiv 1 \pmod{2^k}$, and their product $N = pq$. The Squared Jacobi Symbol ($k$-SJS) assumption asserts that the function $\mathrm{Adv}^{k\text{-}\mathrm{SJS}}_{\mathcal{D}}(\kappa)$, defined as the distance
$$\Big|\Pr[\mathcal{D}(y^2 \bmod N, N) = 1 \mid y \in_R \mathbb{J}_N] - \Pr[\mathcal{D}(y^2 \bmod N, N) = 1 \mid y \in_R \overline{\mathbb{J}}_N]\Big|$$
is negligible for any probabilistic polynomial-time distinguisher $\mathcal{D}$; the probabilities are taken over the experiment of running $(N, p, q) \leftarrow \mathrm{RSAGen}(1^\kappa)$ and choosing at random $y \in \mathbb{J}_N$ and $y \in \overline{\mathbb{J}}_N$.

When $q \equiv 3 \pmod 4$, any element $x \in \mathrm{QR}_N$ has four square roots: two of Jacobi symbol $+1$ and two of Jacobi symbol $-1$. In that case, as detailed in Section 3.3, the $k$-SJS assumption holds perfectly.

3 A New Public-Key Encryption Scheme

We generalize the Goldwasser-Micali cryptosystem so that it can efficiently support the encryption of larger messages while remaining additively homomorphic.

3.1 Description

The setting is basically the same as for the Goldwasser-Micali cryptosystem. The only additional requirement is that the prime $p$ is chosen congruent to $1$ modulo $2^k$, where $k$ denotes the bit-size of the messages being encrypted. The case $k = 1$ (i.e., encryption of $1$-bit messages) corresponds to the Goldwasser-Micali cryptosystem. In more detail, our encryption scheme is the tuple (KeyGen, Encrypt, Decrypt) defined as follows.

KeyGen($1^\kappa$): Given a security parameter $\kappa$, KeyGen defines an integer $k \ge 1$, randomly generates primes $p$ and $q$ such that $p \equiv 1 \pmod{2^k}$, and sets $N = pq$. It also picks a random $y \in \mathbb{J}_N \setminus \mathrm{QR}_N$. The public and private keys are $pk = \{N, y, k\}$ and $sk = \{p\}$, respectively.

Encrypt($pk, m$): Let $\mathcal{M} = \{0, 1\}^k$. To encrypt a message $m \in \mathcal{M}$ (seen as an integer in $\{0, \dots, 2^k - 1\}$), Encrypt picks a random $x \in \mathbb{Z}_N^*$ and returns the ciphertext $c = y^m x^{2^k} \bmod N$.

Decrypt($sk, c$): Given $c \in \mathbb{Z}_N^*$ and the private key $sk = \{p\}$, the algorithm first computes $z = \left(\frac{c}{p}\right)_{2^k}$ and then finds $m \in \{0, \dots, 2^k - 1\}$ such that the relation
$$\left[\left(\frac{y}{p}\right)_{2^k}\right]^m = z \operatorname{mods} p$$
holds. A fast decryption algorithm is detailed in Section 3.2.

The correctness of the decryption is easily verified by observing that $\alpha = \left(\frac{y}{p}\right)_{2^k}$ has order $2^k$ as an element in $\mathbb{Z}_p^*$. Indeed, letting $n = \mathrm{ord}_p(\alpha)$ the order of $\alpha$, we have $n \mid 2^k$ since, by definition, $\alpha \equiv y^{(p-1)/2^k} \pmod p$ and so $\alpha^{2^k} \equiv y^{p-1} \equiv 1 \pmod p$. But $n$ cannot be equal to $2^{k'}$ for some $k' < k$ because $\alpha^{2^{k'}} \equiv 1 \pmod p$ would imply $y^{(p-1)/2} \equiv 1 \pmod p$, which contradicts the assumption that $y \in \mathbb{J}_N \setminus \mathrm{QR}_N$ (i.e., $\left(\frac{y}{p}\right) = \left(\frac{y}{q}\right) = -1$). The decryption algorithm recovers the unique $m \in \{0, \dots, 2^k - 1\}$ such that $\alpha^m \equiv z \pmod p$. Furthermore, the scheme is homomorphic for the addition modulo $2^k$: if $c_1 = y^{m_1} x_1^{2^k}$ and $c_2 = y^{m_2} x_2^{2^k}$ are ciphertexts of $m_1$ and $m_2$ respectively, then $c_1 c_2 = y^{m_1 + m_2} (x_1 x_2)^{2^k} \bmod N$ is a ciphertext of $m_1 + m_2 \pmod{2^k}$.

3.2 Fast decryption

At first glance, from the above description, it seems that the decryption process amounts to a search through the entire message space $\{0, 1\}^k$, similarly to some earlier cryptosystems. But we can do better. One of the main advantages of the proposed cryptosystem is that it provides an efficient way to recover the message. Hence, it remains practical, even for large values of $k$. The decryption algorithm proceeds similarly to the Pohlig-Hellman algorithm [PH78]. The message $m \in \{0, 1\}^k$ is viewed as a $k$-bit integer given by its binary expansion $m = \sum_{i=0}^{k-1} m_i 2^i$, with $m_i \in \{0, 1\}$. Given $c = y^m x^{2^k} \bmod N$, we have
$$\left(\frac{c}{p}\right)_{2^i} = \left(\frac{y^m x^{2^k}}{p}\right)_{2^i} = \left(\frac{y^{\sum_{j=0}^{i-1} m_j 2^j}}{p}\right)_{2^i} = \left[\left(\frac{y}{p}\right)_{2^i}\right]^{\sum_{j=0}^{i-1} m_j 2^j} \operatorname{mods} p$$
since $y^m x^{2^k} = y^{\sum_{j=0}^{i-1} m_j 2^j} \cdot \big(y^{\sum_{j=i}^{k-1} m_j 2^{j-i}} x^{2^{k-i}}\big)^{2^i}$, for $1 \le i \le k$.
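The following added Python example (not the paper's own implementation) runs KeyGen, Encrypt and both decryption procedures of Sections 3.1 and 3.2 on constructed toy parameters $k = 3$, $p = 17$ ($p \equiv 1 \pmod 8$) and $q = 11$ ($q \equiv 3 \pmod 4$), and checks the additive homomorphism; primes this small serve only to make every intermediate value easy to follow. The bit-by-bit decryption uses the identity just derived: at step $i$ it compares $(c/p)_{2^i}$ with $[(y/p)_{2^i}]^{m \bmod 2^{i-1}}$, and the two differ exactly when bit $m_{i-1}$ is set, because $[(y/p)_{2^i}]^{2^{i-1}} \equiv y^{(p-1)/2} \equiv -1 \pmod p$.

```python
import math
import secrets

# Constructed toy parameters: p = 1 (mod 2^k) with 2^k = 8, q = 3 (mod 4).
K = 3
P, Q = 17, 11
N = P * Q


def mods(a, n):
    """Absolute smallest residue of a modulo odd n (Section 2.1)."""
    r = a % n
    return r - n if r > (n - 1) // 2 else r


def prs(a, p, n):
    """n-th power residue symbol (a/p)_n = a^((p-1)/n) mods p (Definition 1)."""
    return mods(pow(a, (p - 1) // n, p), p)


def keygen():
    """pk = (N, y, k) with y in J_N \\ QR_N, i.e. (y/p) = (y/q) = -1; sk = p."""
    while True:
        y = secrets.randbelow(N - 2) + 2
        if math.gcd(y, N) == 1 and prs(y, P, 2) == -1 and prs(y, Q, 2) == -1:
            return (N, y, K), P


def encrypt(pk, m):
    """c = y^m * x^(2^k) mod N for a random unit x (Section 3.1)."""
    n, y, k = pk
    assert 0 <= m < 2 ** k
    while True:
        x = secrets.randbelow(n - 1) + 1
        if math.gcd(x, n) == 1:
            break
    return (pow(y, m, n) * pow(x, 2 ** k, n)) % n


def decrypt_naive(pk, sk, c):
    """Section 3.1 as stated: search m with [(y/p)_{2^k}]^m = (c/p)_{2^k} mods p."""
    _, y, k = pk
    p = sk
    z = prs(c, p, 2 ** k)
    alpha = prs(y, p, 2 ** k)          # alpha has order 2^k in Z_p^*
    for m in range(2 ** k):
        if mods(pow(alpha, m, p), p) == z:
            return m
    raise ValueError("no plaintext found")


def decrypt(pk, sk, c):
    """Section 3.2: recover m from the least significant bit upwards using (c/p)_{2^i}."""
    _, y, k = pk
    p = sk
    m = 0                                # holds sum_{j < i-1} m_j 2^j at step i
    for i in range(1, k + 1):
        z = prs(c, p, 2 ** i)            # = [(y/p)_{2^i}]^(sum_{j<i} m_j 2^j) mods p
        alpha = prs(y, p, 2 ** i)
        if mods(pow(alpha, m, p), p) != z:
            m += 2 ** (i - 1)            # mismatch means bit m_{i-1} = 1
    return m


def homomorphic_sum(pk, sk, m1, m2):
    """Decrypt the product of two ciphertexts; equals m1 + m2 (mod 2^k)."""
    n = pk[0]
    return decrypt(pk, sk, encrypt(pk, m1) * encrypt(pk, m2) % n)


if __name__ == "__main__":
    pk, sk = keygen()
    for m in range(2 ** K):
        c = encrypt(pk, m)
        print(m, c, decrypt_naive(pk, sk, c), decrypt(pk, sk, c))
    print("5 + 6 mod 8 =", homomorphic_sum(pk, sk, 5, 6))
```

With $p = 17$ and $2^k = 8$, the symbol $(c/p)_8$ is just $c^2 \operatorname{mods} 17$, so a full decryption costs three short exponentiations modulo $p$ regardless of which of the eight plaintexts was encrypted; the same loop runs unchanged for $k = 128$ once $p \equiv 1 \pmod{2^{128}}$.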
As a result, $m$ can be recovered bit by bit using $p$, starting from the least significant bit. Implementation details are provided in Section 5.2.

3.3 Security analysis

We focus on semantic security. The case $k = 1$ corresponds to the Goldwasser-Micali cryptosystem. Indeed, when $k = 1$, the $2^k$-th power residue symbol is then the classical Legendre symbol and the assumption $p \equiv 1 \pmod{2^k}$ is trivially verified. The Goldwasser-Micali scheme has indistinguishable encryptions under the standard Quadratic Residuosity assumption. In the general case (i.e., $k \ge 1$), we prove that the scheme provides indistinguishable encryptions (IND-CPA security) under the $k$-QR and $k$-SJS assumptions. More precisely:

Theorem 1. Let $\kappa$ denote the security parameter. For any IND-CPA adversary $\mathcal{A}$ against the scheme of Section 3.1, there exist a $k$-QR distinguisher $\mathcal{D}_1$ and a $k$-SJS distinguisher $\mathcal{D}_2$ with comparable running times and such that
$$\mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{\mathcal{A}}(\kappa) \le \frac{3}{2}\Big(\big(k - \tfrac{1}{3}\big)\,\mathrm{Adv}^{k\text{-}\mathrm{QR}}_{\mathcal{D}_1}(\kappa) + (k - 1)\,\mathrm{Adv}^{k\text{-}\mathrm{SJS}}_{\mathcal{D}_2}(\kappa)\Big).$$

Proof. The proof is given in Section 4.

When $k = 1$, the theorem reads $\mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{\mathcal{A}}(\kappa) \le \mathrm{Adv}^{\mathrm{QR}}_{\mathcal{D}}(\kappa)$, as shown in [GM84]. We henceforth assume $k \ge 2$. When $k \ge 2$, the condition $p \equiv 1 \pmod{2^k}$ implies $p \equiv 1 \pmod 4$. Depending on $q$, there are two possible sub-cases. If $q \equiv 1 \pmod 4$ then $-1$ is a square modulo $p$ and modulo $q$. The square roots of any element of $\mathrm{QR}_N$ then all have the same Jacobi symbol modulo $N$. The hardness to distinguish among them is captured by the $k$-SJS assumption. The sub-case $q \equiv 3 \pmod 4$ is more interesting. We then have $\left(\frac{-1}{N}\right) = -1$. As a consequence, by definition of the Jacobi symbol, it follows that
$$\{y^2 \bmod N \mid y \in \overline{\mathbb{J}}_N\} = \Big\{y^2 \bmod N \;\Big|\; \left(\tfrac{y}{N}\right) = -1\Big\} = \Big\{(-y)^2 \bmod N \;\Big|\; \left(\tfrac{-y}{N}\right) = 1\Big\} = \Big\{y^2 \bmod N \;\Big|\; \left(\tfrac{y}{N}\right) = 1\Big\} = \{y^2 \bmod N \mid y \in \mathbb{J}_N\}.$$
Since the two sets are identical, the $k$-SJS assumption holds perfectly when $q \equiv 3 \pmod 4$. This in turn leads to the following corollary.

Corollary 1. When $q \equiv 3 \pmod 4$, for any IND-CPA adversary $\mathcal{A}$ against the scheme of Section 3.1, there exists a $k$-QR distinguisher $\mathcal{D}$ with comparable running time and such that
$$\mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{\mathcal{A}}(\kappa) \le \frac{3k - 1}{2}\,\mathrm{Adv}^{k\text{-}\mathrm{QR}}_{\mathcal{D}}(\kappa).$$

Proof. First observe that the bound is valid for $k = 1$. For $k \ge 2$, the corollary follows by letting $\mathcal{D} = \mathcal{D}_1$ and plugging $\mathrm{Adv}^{k\text{-}\mathrm{SJS}}_{\mathcal{D}_2}(\kappa) = 0$ in the bound of Theorem 1.

The bound in Corollary 1 can be slightly tightened by a more direct proof. We have:

Theorem 2. Let $\kappa$ denote the security parameter. For any IND-CPA adversary $\mathcal{A}$ against the scheme of Section 3.1 with $q \equiv 3 \pmod 4$, there exists a $k$-QR distinguisher $\mathcal{D}$ with comparable running time and such that
$$\mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{\mathcal{A}}(\kappa) \le (k + 1)\,\mathrm{Adv}^{k\text{-}\mathrm{QR}}_{\mathcal{D}}(\kappa).$$

Proof. The proof is given in the appendix.
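An added exhaustive check (not from the paper) of the two sub-cases of Section 3.3, on constructed toy moduli $N = 17 \cdot 11$ ($q \equiv 3 \pmod 4$) and $N = 17 \cdot 13$ ($q \equiv 1 \pmod 4$). It compares the two multisets $\{y^2 \bmod N \mid y \in \mathbb{J}_N\}$ and $\{y^2 \bmod N \mid y \in \overline{\mathbb{J}}_N\}$ that a $k$-SJS distinguisher must tell apart, and records the Jacobi symbols of the four square roots of each element of $\mathrm{QR}_N$, which is the statement made at the end of Section 2.3.

```python
from collections import Counter
from math import gcd


def legendre(a, p):
    """Legendre symbol via Euler's criterion (returns 1 or -1 for a unit a)."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def jacobi(a, p, q):
    """Jacobi symbol (a/N) = (a/p)(a/q) for N = p*q."""
    return legendre(a, p) * legendre(a, q)


def units(n):
    """Z_N^* as a list."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def squared_jacobi_distributions(p, q):
    """The two multisets of squares a k-SJS distinguisher sees: roots drawn from
    J_N (Jacobi +1) versus roots drawn from J̄_N (Jacobi -1)."""
    n = p * q
    from_plus = Counter(y * y % n for y in units(n) if jacobi(y, p, q) == 1)
    from_minus = Counter(y * y % n for y in units(n) if jacobi(y, p, q) == -1)
    return from_plus, from_minus


def sjs_holds_perfectly(p, q):
    """True iff both multisets coincide, so no distinguisher has any advantage.
    Section 3.3 shows this is the case whenever q = 3 (mod 4)."""
    from_plus, from_minus = squared_jacobi_distributions(p, q)
    return from_plus == from_minus


def square_root_jacobi_patterns(p, q):
    """For every x in QR_N, the sorted Jacobi symbols of its four square roots;
    returns the set of distinct patterns observed."""
    n = p * q
    roots = {}
    for y in units(n):
        roots.setdefault(y * y % n, []).append(jacobi(y, p, q))
    return {tuple(sorted(v)) for v in roots.values()}


def minus_one_jacobi(p, q):
    """(-1/N), which is -1 exactly when one of p, q is 3 (mod 4)."""
    return jacobi(p * q - 1, p, q)


if __name__ == "__main__":
    for p, q in ((17, 11), (17, 13)):
        print(f"N = {p}*{q}: (-1/N) = {minus_one_jacobi(p, q)}, "
              f"k-SJS perfect = {sjs_holds_perfectly(p, q)}, "
              f"root patterns = {square_root_jacobi_patterns(p, q)}")
```

With $q = 11$ the map $y \mapsto -y$ swaps $\mathbb{J}_N$ and $\overline{\mathbb{J}}_N$ while fixing $y^2$, so the two multisets are identical and every square has roots with symbols $(-1, -1, +1, +1)$. With $q = 13$ all four roots of a square share one symbol, the two multisets have disjoint supports, and an unbounded distinguisher would win outright; that is the sub-case in which Theorem 1 genuinely needs the $k$-SJS assumption.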

Comparing the security bounds offered by Theorems 1 and 2, it turns out that RSA moduli $N = pq$ with $p \equiv 1 \pmod{2^k}$ and $q \equiv 3 \pmod 4$ should be preferred over RSA moduli with $q \equiv 1 \pmod 4$. More importantly, selecting RSA moduli $N = pq$ with $p \equiv 1 \pmod{2^k}$ and $q \equiv 3 \pmod 4$ presents the advantage that the security solely relies on a QR-based assumption (namely, the $k$-QR assumption).

Regarding the weaker notion of one-wayness, it is easy to see that one-wayness can be proved just under the $k$-QR assumption in all cases. Let $\mathcal{B}$ be an adversary which returns $m$ when given $c = y^m x^{2^k} \bmod N$ and $N$ (with $x \in_R \mathbb{Z}_N^*$). We construct a distinguisher $\mathcal{D}$ for the $k$-QR assumption as follows. It takes as input an RSA modulus $N = pq$ with $p \equiv 1 \pmod{2^k}$ and an element $w \in \mathbb{Z}_N^*$. Its goal is to distinguish whether $w \in \mathrm{QR}_N$ or $w \in \mathbb{J}_N \setminus \mathrm{QR}_N$. To do this, $\mathcal{D}$ simply picks a random $x \in \mathbb{Z}_N^*$, sets $c = w\,x^{2^k} \bmod N$, and feeds $\mathcal{B}$ with $(c, N)$. When the latter outputs a result $m$, $\mathcal{D}$ outputs the least significant bit of $m$. It is clear that if $w \in \mathrm{QR}_N$, $c$ is a ciphertext of an even plaintext; otherwise, $c$ is a ciphertext of an odd plaintext. Hence if $\mathcal{B}$ is a successful attacker against one-wayness, $\mathcal{D}$ is a successful distinguisher for $k$-QR.

4 Security Proof

4.1 Gap $2^k$-residuosity assumption

The $k$-QR assumption states that, without knowing the factorization of $N$, random elements of $\mathrm{QR}_N$ are computationally indistinguishable from random elements of $\mathbb{J}_N \setminus \mathrm{QR}_N$. Here, it will be convenient to consider a gap variant of the $k$-QR assumption. We chose the terminology "gap" (not to be confused with computational problems which have an easy decisional counterpart [OP01]) by analogy with certain lattice problems, where not every instance is a yes or no instance since a gap exists between these.

Definition 4 (Gap $2^k$-Residuosity Assumption, Gap-$2^k$-Res). Let RSAGen be a probabilistic algorithm which, given a security parameter $\kappa$, outputs primes $p$ and $q$ such that $p \equiv 1 \pmod{2^k}$. The Gap $2^k$-Residuosity problem in $\mathbb{Z}_N^*$ consists in distinguishing a uniform element of $V_0$ from a uniform element of $V_1$ given only $N = pq$, where $V_0$ and $V_1$ are defined as follows:
$$V_0 = \{x \in \mathbb{J}_N \setminus \mathrm{QR}_N\} \quad \text{and} \quad V_1 = \{y^{2^k} \bmod N \mid y \in \mathbb{Z}_N^*\}.$$
The Gap $2^k$-Residuosity (Gap-$2^k$-Res) assumption posits that the advantage $\mathrm{Adv}^{\mathrm{Gap}\text{-}2^k\text{-}\mathrm{Res}}_{\mathcal{D}}(\kappa)$, defined as the distance
$$\Big|\Pr[\mathcal{D}(x, k, N) = 1 \mid x \in_R V_0] - \Pr[\mathcal{D}(x, k, N) = 1 \mid x \in_R V_1]\Big|$$
is negligible for any probabilistic polynomial-time distinguisher $\mathcal{D}$; the probabilities are taken over the experiment of running $(N, p, q) \leftarrow \mathrm{RSAGen}(1^\kappa)$ and choosing $x \in_R V_0$ and $x \in_R V_1$.

The latter assumption was independently considered in [ABP13] by Abdalla, Ben Hamouda and Pointcheval who used it to provide tighter security proofs for forward-secure signatures.

4.2 Gap-$2^k$-Res is implied by k-QR and k-SJS

We now investigate the relationship between the Gap $2^k$-Residuosity assumption and other, more natural assumptions; namely, we will show that Gap-$2^k$-Res is implied by the k-QR and k-SJS assumptions. For this proof, it is useful to introduce two intermediate assumptions: the special k-QR assumption and the special k-SJS assumption.

Definition 5 (Special Quadratic Residuosity Assumption, k-QR$^\star$). Let $\mathsf{RSAGen}$ be a probabilistic algorithm which, given a security parameter $\kappa$, outputs primes $p$ and $q$ such that $p \equiv 1 \pmod{2^k}$, and their product $N = pq$. The Special Quadratic Residuosity (k-QR$^\star$) assumption asserts that the function $\mathsf{Adv}^{k\text{-QR}^\star}_D(\kappa)$, defined as the distance
$$\bigl|\Pr[D(x, N) = 1 \mid x = y^2 \bmod N,\ y \leftarrow_R J_N] - \Pr[D(x, N) = 1 \mid x \leftarrow_R J_N \setminus QR_N]\bigr|,$$
is negligible for any probabilistic polynomial-time distinguisher $D$; the probabilities are taken over the experiment of running $(N, p, q) \leftarrow \mathsf{RSAGen}(1^\kappa)$ and choosing at random $y \in J_N$ and $x \in J_N \setminus QR_N$.

Definition 6 (Special Squared Jacobi Symbol Assumption, k-SJS$^\star$). Let $\mathsf{RSAGen}$ be a probabilistic algorithm which, given a security parameter $\kappa$, outputs primes $p$ and $q$ such that $p \equiv 1 \pmod{2^k}$, and their product $N = pq$. The Special Squared Jacobi Symbol (k-SJS$^\star$) assumption asserts that the function $\mathsf{Adv}^{k\text{-SJS}^\star}_D(\kappa)$, defined as the distance
$$\bigl|\Pr[D(y^2 \bmod N, N) = 1 \mid y \leftarrow_R J_N \setminus QR_N] - \Pr[D(y^2 \bmod N, N) = 1 \mid y \leftarrow_R \mathbb{Z}_N^* \setminus J_N]\bigr|,$$
is negligible for any probabilistic polynomial-time distinguisher $D$; the probabilities are taken over the experiment of running $(N, p, q) \leftarrow \mathsf{RSAGen}(1^\kappa)$ and choosing at random $y \in J_N \setminus QR_N$ and $y \in \mathbb{Z}_N^* \setminus J_N$.

Lemma. Using the previous notation, we have k-QR + k-SJS $\Rightarrow$ k-QR$^\star$ + k-SJS$^\star$. More precisely, for any probabilistic polynomial-time distinguisher $A$ against k-QR$^\star$ or k-SJS$^\star$, $A$ is also a distinguisher against k-QR or k-SJS, and there exists a distinguisher $B$ against k-QR with comparable running time, such that
$$\mathsf{Adv}^{k\text{-QR}^\star}_A(\kappa) \le \mathsf{Adv}^{k\text{-QR}}_A(\kappa) + \mathsf{Adv}^{k\text{-SJS}}_A(\kappa), \qquad \mathsf{Adv}^{k\text{-SJS}^\star}_A(\kappa) \le \mathsf{Adv}^{k\text{-SJS}}_A(\kappa) + \mathsf{Adv}^{k\text{-QR}}_B(\kappa).$$

Proof. Consider a probabilistic polynomial-time algorithm $A$ taking as input $N$ and $x \in J_N$. For $x \leftarrow_R J_N$, we let
$$\begin{aligned}
\varepsilon_1 &= \Pr[A(x, N) = 1 \mid x \in J_N \setminus QR_N], \\
\varepsilon_2 &= \Pr[A(x, N) = 1 \mid x = y^2 \in QR_N,\ y \in J_N \setminus QR_N], \\
\varepsilon_2' &= \Pr[A(x, N) = 1 \mid x = y^2 \in QR_N,\ y \in QR_N], \\
\varepsilon_3 &= \Pr[A(x, N) = 1 \mid x = y^2 \in QR_N,\ y \in \mathbb{Z}_N^* \setminus J_N].
\end{aligned}$$
Against k-QR, k-SJS, k-QR$^\star$ and k-SJS$^\star$, its advantage is denoted
$$\alpha_1 = \Bigl|\varepsilon_1 - \tfrac14(\varepsilon_2 + \varepsilon_2') - \tfrac12\varepsilon_3\Bigr|, \quad \alpha_2 = \Bigl|\tfrac12(\varepsilon_2 + \varepsilon_2') - \varepsilon_3\Bigr|, \quad \alpha_3 = \Bigl|\varepsilon_1 - \tfrac12(\varepsilon_2 + \varepsilon_2')\Bigr|, \quad \alpha_4 = |\varepsilon_2 - \varepsilon_3|,$$

respectively. We have to show that if the k-QR and k-SJS assumptions hold then so do the k-QR$^\star$ and k-SJS$^\star$ assumptions. The k-QR and k-SJS assumptions imply that $\alpha_1$ and $\alpha_2$ are negligible. We also note that any significant difference between $\varepsilon_2$ and $\varepsilon_2'$ would lead to a distinguisher against k-QR (on input $w \in J_N$, run $A(w^2 \bmod N, N)$). We thus have $|\varepsilon_2 - \varepsilon_2'| \le \mathsf{Adv}^{k\text{-QR}}_B(\kappa)$, with $B$ an algorithm with running time comparable to that of $A$. From the definitions of $\alpha_3$ and $\alpha_4$, we can write
$$\alpha_3 = \Bigl|\varepsilon_1 - \tfrac12(\varepsilon_2 + \varepsilon_2')\Bigr| = \Bigl|\varepsilon_1 - \tfrac14(\varepsilon_2 + \varepsilon_2') - \tfrac12\varepsilon_3 + \tfrac12\varepsilon_3 - \tfrac14(\varepsilon_2 + \varepsilon_2')\Bigr| \le \alpha_1 + \tfrac12\alpha_2$$
and
$$\alpha_4 = |\varepsilon_2 - \varepsilon_3| = \Bigl|\tfrac12(\varepsilon_2 + \varepsilon_2') - \varepsilon_3 + \tfrac12(\varepsilon_2 - \varepsilon_2')\Bigr| \le \alpha_2 + \tfrac12|\varepsilon_2 - \varepsilon_2'| \le \alpha_2 + \tfrac12\,\mathsf{Adv}^{k\text{-QR}}_B(\kappa).$$
The previous inequalities show that when $\alpha_1$ and $\alpha_2$ are negligible then so are $\alpha_3$ and $\alpha_4$.

Theorem 3 (k-QR + k-SJS $\Rightarrow$ Gap-$2^k$-Res). For RSA moduli $N = pq$ with $p \equiv 1 \pmod{2^k}$, the Gap-$2^k$-Res assumption holds if the k-QR assumption and the k-SJS assumption hold. More precisely, for any probabilistic polynomial-time distinguisher $B$ against the former, there exist a k-QR distinguisher $D_1$ and a k-SJS distinguisher $D_2$ with comparable running times and for which
$$\mathsf{Adv}^{\text{Gap-}2^k\text{-Res}}_B(\kappa) \le \Bigl(\tfrac{3(k-1)}{2} + 1\Bigr)\mathsf{Adv}^{k\text{-QR}}_{D_1}(\kappa) + \tfrac{3(k-1)}{2}\,\mathsf{Adv}^{k\text{-SJS}}_{D_2}(\kappa).$$

Proof. To prove the result, we consider a sequence of distributions which will help us bridge the gap between the assumptions. More precisely, for $0 \le i \le k-1$, we consider the subsets $D_i$ of $J_N$ given by $D_i = \{y^{2^i} \bmod N \mid y \in J_N \setminus QR_N\}$. We also need other subsets which can be seen as the complement of $D_i$ in the set of $2^i$-th residues that are not $2^{i+1}$-th residues: $D_i' = \{y^{2^i} \bmod N \mid y \in \mathbb{Z}_N^* \setminus J_N\}$. Finally, we define the subgroup of $2^k$-th residues, $R_{2^k} = \{y^{2^k} \bmod N \mid y \in \mathbb{Z}_N^*\}$. If we consider the sets $V_0$ and $V_1$ (presented in Definition 4), we have $V_0 = D_0$ and $V_1 = R_{2^k}$. The proof will actually proceed by showing the computational indistinguishability of the (uniform) distributions induced by the corresponding subsets. Namely, unless either the k-QR$^\star$ assumption or the k-SJS$^\star$ assumption is false, we will prove
$$D_0 \approx_c D_1' \approx_c D_1 \approx_c D_2' \approx_c D_2 \approx_c \cdots \approx_c D_{k-1}' \approx_c D_{k-1},$$
where $\approx_c$ denotes computationally indistinguishable distributions.
Finally, we also prove that $D_{k-1} \approx_c R_{2^k}$ unless the k-QR assumption is false.

Remark. Note that we abuse notation by using $D_i$, $D_i'$, $R_{2^k}$ both for subsets and for the uniform distributions over them. Also, it is important to see that:

if $y \leftarrow_R J_N \setminus QR_N$ then $y^{2^i} \leftarrow_R D_i$; if $y \leftarrow_R \mathbb{Z}_N^* \setminus J_N$ then $y^{2^i} \leftarrow_R D_i'$; if $y \leftarrow_R \mathbb{Z}_N^*$ then $y^{2^k} \leftarrow_R R_{2^k}$.

Claim 1. If k-QR$^\star$ holds, for each $i \in \{1, \ldots, k-1\}$, no probabilistic polynomial-time adversary can distinguish the distributions of $D_{i-1}$ and $D_i'$.

Proof (of Claim 1). Let $D$ be a distinguisher that can tell apart $D_{i-1}$ and $D_i'$ with non-negligible advantage $\varepsilon$. We show that $D$ implies a k-QR$^\star$ distinguisher $B_{1,i}$ with advantage $\varepsilon$ for RSA moduli $N = pq$ with $p \equiv 1 \pmod{2^k}$. Our distinguisher $B_{1,i}$ takes as input an RSA modulus $N = pq$ with $p \equiv 1 \pmod{2^k}$ and an element $w \in \mathbb{Z}_N^*$ which is drawn from one of the two distributions
$$\mathrm{dist}_0 = \{y^2 \bmod N \mid y \leftarrow_R J_N\}, \qquad \mathrm{dist}_1 = \{y \mid y \leftarrow_R J_N \setminus QR_N\}.$$
Its task is to decide if $w$ is in $\mathrm{dist}_0$ or in $\mathrm{dist}_1$. To this end, $B_{1,i}$ chooses a random element $z \leftarrow_R \mathbb{Z}_N^* \setminus J_N$. It then defines $x = z^{2^i} w^{2^{i-1}} \bmod N$ and feeds $D$ with $(x, i, N)$. When the distinguisher $D$ halts, $B_{1,i}$ outputs whatever $D$ outputs. First assume that $w = y^2 \in \mathrm{dist}_0$, for some $y \leftarrow_R J_N$. We have $x = (zy)^{2^i} \bmod N$. Further, since $z \leftarrow_R \mathbb{Z}_N^* \setminus J_N$, we have $zy \in \mathbb{Z}_N^* \setminus J_N$ and thus $x \leftarrow_R D_i'$. Now assume that $w \leftarrow_R J_N \setminus QR_N$. In this case, we clearly have $x \leftarrow_R D_{i-1}$ because $x = (z^2 w)^{2^{i-1}} \bmod N$ and $z^2 w \in J_N \setminus QR_N$.

Claim 2. If k-SJS$^\star$ holds, for each $i \in \{1, \ldots, k-1\}$, no probabilistic polynomial-time adversary can distinguish the distributions of $D_i'$ and $D_i$.

Proof (of Claim 2). Let $D$ be a distinguisher with non-negligible advantage $\varepsilon$ between $D_i'$ and $D_i$. We show that $D$ implies a k-SJS$^\star$ distinguisher $B_{2,i}$ with advantage $\varepsilon$ for RSA moduli $N = pq$ with $p \equiv 1 \pmod{2^k}$. Given $w \in \mathbb{Z}_N^*$ which is drawn from one of the two distributions
$$\mathrm{dist}_0 = \{y^2 \bmod N \mid y \leftarrow_R J_N \setminus QR_N\}, \qquad \mathrm{dist}_1 = \{y^2 \bmod N \mid y \leftarrow_R \mathbb{Z}_N^* \setminus J_N\},$$
$B_{2,i}$ constructs $x = w^{2^{i-1}} \bmod N$ which is used to feed the distinguisher $D$. When the latter outputs a result, $B_{2,i}$ produces the same output. It is clear that, if $w \leftarrow_R \mathrm{dist}_0$ (resp. $w \leftarrow_R \mathrm{dist}_1$), then $x \leftarrow_R D_i$ (resp. $x \leftarrow_R D_i'$). Hence, if $D$ is a successful distinguisher, so is $B_{2,i}$.

Claim 3. If k-QR holds, no probabilistic polynomial-time adversary can distinguish the distributions of $D_{k-1}$ and $R_{2^k}$.

Proof (of Claim 3). Let $D$ be an algorithm that can distinguish $D_{k-1}$ and $R_{2^k}$ with non-negligible advantage. We build a k-QR distinguisher $B_3$ out of $D$ with the same advantage. Algorithm $B_3$ takes as input $N = pq$ with $p \equiv 1 \pmod{2^k}$ as well as an element $w \in J_N$, with the goal of deciding whether $w \in QR_N$ or $w \in J_N \setminus QR_N$. To do this, $B_3$ simply defines $x = w^{2^{k-1}} \bmod N$ and feeds $D$ with $(x, k, N)$. When $D$ halts and outputs $b \in \{0, 1\}$, $B_3$ outputs the same bit. It is easy to see that, if $w \leftarrow_R QR_N$ then $w = y^2 \bmod N$ for a random $y \leftarrow_R \mathbb{Z}_N^*$, and so $x = (y^{2^k} \bmod N) \leftarrow_R R_{2^k}$ (see the Remark above). If $w \leftarrow_R J_N \setminus QR_N$, we immediately have $x \leftarrow_R D_{k-1}$.

To conclude the proof of the theorem, we remark that, if a probabilistic polynomial-time distinguisher $B$ exists for the Gap-$2^k$-Res assumption (i.e., if $D_0 \not\approx_c R_{2^k}$), then either $D_{k-1} \not\approx_c R_{2^k}$, contradicting k-QR (Claim 3); or there exists $i \le k-1$ such that $D_{i-1} \not\approx_c D_i'$ or $D_i' \not\approx_c D_i$. The above arguments show that either situation would contradict the k-QR$^\star$ assumption (Claim 1) or the k-SJS$^\star$ assumption (Claim 2) or, by the Lemma, the k-QR assumption or the k-SJS assumption. More precisely, to get the bound given in Theorem 3, we consider $B_{2,i}'$, the adversary $B$ defined in the Lemma when $A = B_{2,i}$, and we define the distinguisher $D_1$ (resp. $D_2$) as follows: it picks $(\alpha, i) \leftarrow_R P_1$ (resp. $(\alpha, i) \leftarrow_R P_2$), where $P_1$ and $P_2$ are probability distributions defined as
$$\Pr_{(X, Y) \leftarrow_R P_1}[(X, Y) = (\alpha, i)] = \begin{cases} \frac{2}{3k-1} & \text{if } \alpha = 1 \text{ and } i \in \{1, \ldots, k-1\} \\ \frac{1}{3k-1} & \text{if } \alpha = 2 \text{ and } i \in \{1, \ldots, k-1\} \\ \frac{2}{3k-1} & \text{if } \alpha = 3 \end{cases}$$
and
$$\Pr_{(X, Y) \leftarrow_R P_2}[(X, Y) = (\alpha, i)] = \begin{cases} \frac{1}{3k-3} & \text{if } \alpha = 1 \text{ and } i \in \{1, \ldots, k-1\} \\ \frac{2}{3k-3} & \text{if } \alpha = 2 \text{ and } i \in \{1, \ldots, k-1\}. \end{cases}$$
Then $D_1$ runs $B_{1,i}$ when $\alpha = 1$, $B_{2,i}'$ when $\alpha = 2$, and $B_3$ when $\alpha = 3$, and outputs what this latter adversary outputs. Similarly, $D_2$ runs $B_{\alpha,i}$, and outputs what this latter adversary outputs. Using the Lemma, we have:
$$\begin{aligned}
\mathsf{Adv}^{\text{Gap-}2^k\text{-Res}}_B(\kappa) &\le \sum_{i=1}^{k-1} \mathsf{Adv}^{k\text{-QR}^\star}_{B_{1,i}}(\kappa) + \sum_{i=1}^{k-1} \mathsf{Adv}^{k\text{-SJS}^\star}_{B_{2,i}}(\kappa) + \mathsf{Adv}^{k\text{-QR}}_{B_3}(\kappa) \\
&\le \sum_{i=1}^{k-1} \mathsf{Adv}^{k\text{-QR}}_{B_{1,i}}(\kappa) + \tfrac12 \sum_{i=1}^{k-1} \mathsf{Adv}^{k\text{-QR}}_{B_{2,i}'}(\kappa) + \mathsf{Adv}^{k\text{-QR}}_{B_3}(\kappa) + \tfrac12 \sum_{i=1}^{k-1} \mathsf{Adv}^{k\text{-SJS}}_{B_{1,i}}(\kappa) + \sum_{i=1}^{k-1} \mathsf{Adv}^{k\text{-SJS}}_{B_{2,i}}(\kappa) \\
&= \tfrac{3k-1}{2}\,\mathsf{Adv}^{k\text{-QR}}_{D_1}(\kappa) + \tfrac{3k-3}{2}\,\mathsf{Adv}^{k\text{-SJS}}_{D_2}(\kappa).
\end{aligned}$$
In addition, we note that $D_1$ and $D_2$ have comparable running times to $B$.

We remark that the assumption $p \equiv 1 \pmod{2^k}$ is never directly used in the proof. The assumption $p \equiv 1 \pmod{2^k}$ is just needed for the correctness of our encryption scheme. The security proof actually holds for any kind of modulus $N$ for which the QR and the SJS assumptions hold: the k-QR and the k-SJS assumptions are just the QR and the SJS assumptions for moduli $N = pq$ such that $p \equiv 1 \pmod{2^k}$.

4.3 Semantic security

It is not hard to see that the semantic security of the scheme is equivalent to the Gap-$2^k$-Res assumption. From Theorem 3, we thus obtain the result announced in Theorem 1.
Namely, for any IND-CPA adversary $A$, there exist a k-QR distinguisher $D_1$ and a k-SJS distinguisher $D_2$ such that
$$\mathsf{Adv}^{\text{ind-cpa}}_A(\kappa) \le \Bigl(\tfrac{3(k-1)}{2} + 1\Bigr)\mathsf{Adv}^{k\text{-QR}}_{D_1}(\kappa) + \tfrac{3(k-1)}{2}\,\mathsf{Adv}^{k\text{-SJS}}_{D_2}(\kappa).$$

Proof (of Theorem 1). The proof proceeds by simply changing the distribution of the public key. Under the Gap-$2^k$-Res assumption, instead of picking $y$ uniformly in $J_N \setminus QR_N$, we can choose it in the subgroup of $2^k$-th residues without the adversary noticing. However, in this case, the ciphertext carries no information about the message and the IND-CPA security follows. Interestingly, the security proof implicitly shows that, like the original Goldwasser-Micali system, our scheme is a lossy encryption scheme [BHY09] (i.e., it admits an alternative distribution of public keys for which encryptions statistically hide the plaintext), which provides security guarantees against selective-opening attacks [DNRS03]. Moreover, for a lossy key $(y, N)$, there exists an efficient algorithm that opens a given ciphertext $c$ to any arbitrary plaintext $m$ (by using the factorization of $N$ to find random coins that explain $c$ as an encryption of $m$). It implies that our scheme satisfies the simulation-based definition [BHY09] of selective-opening security.

5 Implementation and Performance

We tackle here some implementation aspects. We explain how to select the parameters involved in the system set-up and key generation. We present fast decryption algorithms. Finally, we discuss the ciphertext expansion and give a comparison with previous schemes.

5.1 Parameter selection

The key generation (cf. Section 3) requires a prime $p$ such that $p \equiv 1 \pmod{2^k}$ for some $k \ge 1$ and a random element $y \in J_N \setminus QR_N$, where $N = pq$. The condition $y \in J_N \setminus QR_N$ is equivalent to $\bigl(\tfrac{y}{p}\bigr) = \bigl(\tfrac{y}{q}\bigr) = -1$. Since a random nonzero element modulo $p$ has a probability of exactly $\tfrac12$ of being a quadratic non-residue modulo $p$ (and similarly modulo $q$), a suitable $y$ is likely to be obtained after just a few trials. Efficient algorithms for generating a prime lying in a prescribed interval $[p_{\min}, p_{\max}]$ can be found in [JPV00, JP06].
They can be adapted to accommodate the extra condition $p \equiv 1 \pmod{2^k}$ without increasing the time complexity, as a random number congruent to $1$ modulo $2^k$ in $[p_{\min}, p_{\max}]$ is prime with approximately the same probability as a random odd number in $[p_{\min}, p_{\max}]$, thanks to Dirichlet's theorem. We describe such a variant below. The goal is to produce a prime $p = 1 + 2^k r$ for some $r \in [r_{\min}, r_{\max}]$, where $r_{\min} = \lceil (p_{\min} - 1)/2^k \rceil$ and $r_{\max} = \lfloor (p_{\max} - 1)/2^k \rfloor$. Let $\Pi = 3 \cdot 5 \cdot 7 \cdots \le r_{\max} - r_{\min} + 1$ denote a product of small odd primes. The algorithm will construct candidate primes that are automatically co-prime to $\Pi$. The first step is to generate a random unit $\upsilon \in \mathbb{Z}_\Pi^*$ (for example using the efficient algorithm presented in [JP06]). Define $\vartheta_0 = -(1 + 2^k r_{\min}) \cdot 2^{-k} \bmod \Pi$. A candidate is then formed as $p = 1 + 2^k(r_{\min} + \vartheta)$ for some $\vartheta \leftarrow_R [0, r_{\max} - r_{\min}]$ such that $\vartheta \equiv \vartheta_0 + \upsilon \pmod{\Pi}$ and tested for primality. If candidate $p$ is not prime, $\upsilon$ is updated as $\upsilon \leftarrow 2\upsilon \bmod \Pi$ and the process is re-iterated. Since $\Pi$ is odd, $2 \in \mathbb{Z}_\Pi^*$ and thus $\upsilon$ remains in $\mathbb{Z}_\Pi^*$ after the updating step. Moreover, reducing candidate $p$ modulo $\Pi$, we get
$$p = 1 + 2^k(r_{\min} + \vartheta) \equiv 1 + 2^k(r_{\min} + \vartheta_0 + \upsilon) \equiv 2^k \upsilon \pmod{\Pi}$$
and thus $p \in \mathbb{Z}_\Pi^*$ since $\upsilon \in \mathbb{Z}_\Pi^*$ and $2^k \in \mathbb{Z}_\Pi^*$. Equivalently, $p \in \mathbb{Z}_\Pi^*$ means that candidate $p$ is such that $\gcd(p, p_i) = 1$ for all primes $p_i$ dividing $\Pi$ (and $p$ is also odd by construction). A powerful LLL-based technique due to Coppersmith bounds the size of $k$ to at most $\tfrac12 \log_2 p$ bits as, otherwise, the factors of $N$ would be revealed [Cop97, Theorem 5]. Going beyond polynomial-time

attacks, one should add an extra security margin to take into account exhaustive searches [Ngu09]. RSA moduli being balanced (i.e., $\log_2 p \approx \tfrac12 \log_2 N$), we so end up with the upper bound $k < \tfrac14 \log_2 N - \kappa$, where $\kappa$ is the security parameter. In practice, this restriction on $k$ is not a limitation because, as described in the next section, long messages can be encrypted using the KEM/DEM paradigm. For example, using ECRYPT recommendations [ECR12], for $\kappa = 128$ bits of security, a symmetric key of $k = 128$ bits has to be used for the KEM/DEM paradigm, and a 3248-bit modulus $N$ has to be used to ensure factorization is hard. These parameters do not take into account the tightness of the reduction. If we take it into account, when $q \equiv 3 \pmod 4$, according to Theorem 2, a factor $(k+1)/2 \approx 64 = 2^6$ is lost in the reduction. Assuming that the best way to solve the quadratic residuosity problem consists in factorizing the modulus $N$, a 3584-bit modulus has to be used, as this corresponds to $(128 + 6)$ bits of security for factorization, according to [ECR12]. Note that the choice of parameters $k = 128$ and a 3584-bit $N$ satisfies the relation $k < \tfrac14 \log_2 N - \kappa$.

5.2 Optimized decryption algorithms

In its most basic version, the decryption requires $O(k)$ full modular exponentiations in $\mathbb{Z}_p$ in order to compute higher power residue symbols. This section shows that a suitable pre-processing phase allows increasing the decryption speed. The RSA modulus used in the proposed cryptosystem is of the form $N = pq$ with $p \equiv 1 \pmod{2^k}$. Hence, we can write $p = 2^K p' + 1$ for some integer $K \ge k$ and some odd integer $p'$. Now, given the public key $pk = \{N, y, k\}$, consider the ciphertext $c = y^m x^{2^k} \bmod N$ of message $m = \sum_{i=0}^{k-1} m_i 2^i$ with $m_i \in \{0, 1\}$. If, for $1 \le j \le k$, we define $\Lambda_j = 2^{K-j} p'$, then, since $2^j \Lambda_j = p - 1$ and $x^{p-1} \equiv 1 \pmod p$,
$$\begin{aligned}
c^{\Lambda_j} &= \bigl(y^m x^{2^k}\bigr)^{\Lambda_j} = y^{m\Lambda_j}\, x^{2^{K+k-j} p'} \equiv y^{m\Lambda_j \bmod (p-1)} = y^{\Lambda_j (m \bmod 2^j)} \\
&= y^{\Lambda_j \left(m_{j-1} 2^{j-1} + (m \bmod 2^{j-1})\right)} = \bigl(y^{\Lambda_j 2^{j-1}}\bigr)^{m_{j-1}}\, y^{\Lambda_j (m \bmod 2^{j-1})} \equiv (-1)^{m_{j-1}}\, y^{\Lambda_j (m \bmod 2^{j-1})} \pmod p.
\end{aligned}$$
So, letting $C = c^{(p-1)/2^k} \bmod p$ and $Y = y^{(p-1)/2^k} \bmod p$, the previous relation becomes
$$\bigl(C \cdot Y^{-(m \bmod 2^{j-1})}\bigr)^{2^{k-j}} \equiv (-1)^{m_{j-1}} \pmod p.$$
Starting at $j = 1$ and iterating until $j = k$, it yields a decryption algorithm producing one bit of plaintext $m$ per iteration (i.e., bit $m_{j-1}$). To further speed up the decryption, observing that $Y = y^{(p-1)/2^k} \bmod p$ is independent of the ciphertext, its value, or better its inverse, can be pre-computed. The private key now consists of the pair $(p, D)$ where $D = y^{-(p-1)/2^k} \bmod p$. As one bit of plaintext $m$ is correctly obtained per iteration, there is no need to fully recompute $D^{m \bmod 2^j} \bmod p$ at iteration $j$. Rather, it can be obtained more efficiently from the value of the previous iteration as
$$D^{m \bmod 2^j} \bmod p = \begin{cases} D^{m \bmod 2^{j-1}} \bmod p & \text{if } m_{j-1} = 0 \\ D^{m \bmod 2^{j-1}} \cdot D^{2^{j-1}} \bmod p & \text{if } m_{j-1} = 1. \end{cases}$$
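The following is an added example, not code from the paper: a toy Python implementation of the key generation of Section 5.1 (including the $\Pi$-sieve variant that produces $p \equiv 1 \pmod{2^k}$), the encryption $c = y^m x^{2^k} \bmod N$, and the bit-by-bit decryption just derived (the algorithm listed below). The trial-division primality test, the toy parameter sizes and the choice $q \equiv 3 \pmod 4$ are assumptions of the example.

```python
from math import gcd

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; y lies in J_N but not QR_N iff (y/p) = (y/q) = -1."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def is_prime(n):
    """Trial division: sufficient for the toy-sized primes used here (assumption)."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def gen_prime_1_mod_2k(k, p_min, p_max, rng):
    """Prime p = 1 + 2^k r in [p_min, p_max] by the sieve variant of Section 5.1:
    every candidate is a unit modulo Pi = 3*5*7*..., so none has a small factor."""
    r_min = -((1 - p_min) // 2 ** k)             # ceil((p_min - 1) / 2^k)
    r_max = (p_max - 1) // 2 ** k                 # floor((p_max - 1) / 2^k)
    pi, s = 1, 3
    while pi * s <= r_max - r_min + 1:            # Pi = 3*5*7*... <= r_max - r_min + 1
        if is_prime(s):
            pi *= s
        s += 2
    theta0 = -(1 + 2 ** k * r_min) * pow(2, -k, pi) % pi   # makes p = 2^k * u (mod Pi)
    u = rng.randrange(pi)
    while gcd(u, pi) != 1:                        # random unit u of Z_Pi^*
        u = rng.randrange(pi)
    while True:
        base = (theta0 + u) % pi                  # base <= Pi - 1 <= r_max - r_min
        theta = base + pi * rng.randrange((r_max - r_min - base) // pi + 1)
        p = 1 + 2 ** k * (r_min + theta)          # theta = theta0 + u (mod Pi)
        if is_prime(p):
            return p
        u = 2 * u % pi                            # Pi is odd, so 2u is still a unit

def keygen(k, bits, rng):
    """pk = (N, y, k), sk = (p, D) with D = y^(-(p-1)/2^k) mod p, the algorithm's input."""
    lo, hi = 1 << (bits - 1), (1 << bits) - 1
    p = gen_prime_1_mod_2k(k, lo, hi, rng)
    q = p
    while q == p or q % 4 != 3:                   # q = 3 (mod 4): only k-QR is needed
        q = gen_prime_1_mod_2k(1, lo, hi, rng)
    N = p * q
    y = rng.randrange(2, N)
    while jacobi(y, p) != -1 or jacobi(y, q) != -1:   # y in J_N \ QR_N
        y = rng.randrange(2, N)
    return (N, y, k), (p, pow(y, -((p - 1) >> k), p))

def encrypt(pk, m, rng):
    """c = y^m * x^(2^k) mod N for a k-bit message m and a random x in Z_N^*."""
    N, y, k = pk
    x = rng.randrange(1, N)
    while gcd(x, N) != 1:
        x = rng.randrange(1, N)
    return pow(y, m, N) * pow(x, 1 << k, N) % N

def decrypt(sk, k, c):
    """One plaintext bit per iteration from C = c^((p-1)/2^k) mod p (Section 5.2)."""
    p, D = sk
    m, B = 0, 1
    C = pow(c, (p - 1) >> k, p)
    for j in range(1, k):
        if pow(C, 1 << (k - j), p) != 1:         # z = C^(2^(k-j)) = -1  <=>  m_{j-1} = 1
            m += B
            C = C * D % p                         # C is now c^Lambda_k * Y^-(m mod 2^j)
        B <<= 1
        D = D * D % p                             # D = Y^-(2^j) for the next bit
    return m + B if C != 1 else m                 # last bit m_{k-1}: C = (-1)^{m_{k-1}}
```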

We thus obtain:

Algorithm: Decryption algorithm
Input: Ciphertext $c$, private key $(p, D)$ with $D = y^{-(p-1)/2^k} \bmod p$, and public-key element $k$
Output: Plaintext $m = (m_{k-1}, \ldots, m_0)_2$
1: $m \leftarrow 0$; $B \leftarrow 1$
2: $C \leftarrow c^{(p-1)/2^k} \bmod p$
3: for $j = 1$ to $k-1$ do
4:     $z \leftarrow C^{2^{k-j}} \bmod p$
5:     if ($z \ne 1$) then $m \leftarrow m + B$; $C \leftarrow C \cdot D \bmod p$
6:     $B \leftarrow 2B$; $D \leftarrow D^2 \bmod p$
7: end for
8: if ($C \ne 1$) then $m \leftarrow m + B$
9: return $m$

Variable $m$ in the for-loop contains the lowest part of the plaintext $m$ and variable $B$ contains the successive powers of $2$. Further, the for-loop is only performed until iteration $k-1$ to save a couple of operations. As a variant, we remark that $D$ can be initialized to $y^{-(p-1)/2^k} \bmod p$ (Line 1 of the algorithm) instead of being explicitly included in the private key. As described, the for-loop on average involves $\sum_{j=1}^{k-1} (k-j) = (k-1)k/2$ modular squarings for the successive evaluation of $z$, $k/2$ modular multiplications for the evaluation of $C$, and $(k-2)$ modular squarings for updating $D$.

Remark. The decryption can even be made slightly faster. The condition $z \ne 1$ is equivalent to $z \equiv -1 \pmod p$. Instead of iteratively evaluating $z = C^{2^{k-j}} \bmod p$ for $1 \le j \le k-1$, we can set $z$ to $C$ and successively square it, $z \leftarrow z^2 \bmod p$, until it becomes congruent to $-1 \pmod p$. We then update $C$ by multiplying it by the corresponding power of $D$ and redo the process until $C$ becomes equal to $1$. On average, this halves the number of squarings for the successive evaluations of $z$. Furthermore, the modular squarings for updating $D$ can be saved by pre-computing the different powers of $D$. This saves $(k-2)$ modular squarings. The total number of operations in the for-loop then boils down to $(k-1)k/4$ squarings plus $k/2$ multiplications (on average), modulo $p$.

5.3 Ciphertext expansion

Hybrid encryption allows designing efficient asymmetric schemes, as suggested by Shoup in the ISO 18033-2 standard for public-key encryption [ISO06]. An asymmetric cryptosystem is used to encrypt a secret key that is then used to encrypt the actual message. This is the so-called KEM/DEM paradigm.
The next table compares the ciphertext expansion in the encryption of $k$-bit messages for different generalized Goldwasser-Micali cryptosystems. Only cryptosystems with a formal security analysis are considered. Further, the value of $k$ is assumed to be relatively small (e.g., 128 or 256) as the message being encrypted is typically a symmetric key (for example a 128- or 256-bit AES key) in a KEM/DEM construction. It appears that the Goldwasser-Micali cryptosystem has the highest ciphertext expansion, but its semantic security relies on the standard quadratic residuosity assumption (i.e., RSA moduli

Table: Ciphertext expansion in a typical encryption

Encryption scheme | Assumption | Ciphertext size
Goldwasser-Micali [GM84] | Quadratic residuosity (QR) | $k \log_2 N$
Benaloh-Fischer [CF85] | Prime residuosity (PR) | $(k / \log_2 r) \log_2 N$
Naccache-Stern [NS98] | Prime residuosity (PR) | $\log_2 N$
Okamoto-Uchiyama [OU98] | $p$-subgroup | $\log_2 N$
Paillier [Pai99] | $N$-th residuosity | $2 \log_2 N$
This paper when $q \equiv 1 \pmod 4$ | Quadratic residuosity (k-QR) + Squared Jacobi symbol (k-SJS) | $\log_2 N$
This paper when $q \equiv 3 \pmod 4$ | Quadratic residuosity (k-QR) | $\log_2 N$

$N = pq$ involves form-free primes). The ciphertext expansion of the Benaloh-Fischer cryptosystem is similar to that of the Naccache-Stern cryptosystem for small messages, i.e., when $k \le \log_2 r$. For larger messages, the Naccache-Stern cryptosystem should be preferred. It also offers the further advantage of providing a faster decryption procedure. The same is true for the Okamoto-Uchiyama cryptosystem and the Paillier cryptosystem. These two latter cryptosystems are particularly suited to encrypt very large messages (i.e., up to $\log_2 p$ bits for the Okamoto-Uchiyama cryptosystem and up to $\log_2 N$ bits for the Paillier cryptosystem). The encryption scheme proposed in this paper has the same ciphertext expansion as the Naccache-Stern cryptosystem. Moreover, its decryption algorithm is fast (no searches are needed), requires less memory, and the security relies on a quadratic residuosity assumption (i.e., k-QR) when $q \equiv 3 \pmod 4$. When $q \equiv 1 \pmod 4$, it additionally requires the k-SJS assumption.

6 More Efficient Lossy Trapdoor Functions from the k-Quadratic Residuosity Assumption

In this section, we show that our homomorphic cryptosystem allows constructing a lossy trapdoor function based on the k-QR, k-SJS and DDH assumptions (or on the k-QR and DDH assumptions) with much shorter outputs and keys than in previous QR-based or DDH-based examples. In comparison with the function of Hemenway and Ostrovsky [HO12], for example, its output is $k$ times smaller when working with a modulus $N = pq$ with $p \equiv 1 \pmod{2^k}$.
Moreover, the size of the evaluation key is decreased by a factor of $O(k^2)$ while increasing the lossiness by more than $k$ bits. Finally, our inversion trapdoor has constant size, whereas [HO12] uses a trapdoor of size $O(n)$ to recover $n$-bit inputs. Our function also compares favorably with the QR-based function of Freeman et al. [FGK+10, FGK+13], which only loses a single bit. In fact, by appropriately tuning our construction, we obtain the first lossy trapdoor function with short outputs, description and trapdoor that loses many input bits and relies on another assumption than Paillier's. Among known lossy trapdoor functions based on traditional number-theoretic assumptions [PW08, BFO08, FGK+10, FGK+13, KOS10, HO12, MY10], this appears as a rare efficiency tradeoff. To the best of our knowledge, it has only been achieved under the Composite Residuosity assumption [BFO08, FGK+10, FGK+13] so far. Interestingly, our LTDF provides similar efficiency improvements to the QR-based deterministic encryption scheme of Brakerski and Segev [BS11], which also builds on the Hemenway-Ostrovsky LTDF. Note that the scheme of [BS11] is important in the deterministic encryption literature since it

is one of the only known schemes providing security in the auxiliary input setting in the standard model.

6.1 Description and security analysis

We start by recalling the following definition.

Definition 7 ([PW08]). Let $\kappa \in \mathbb{N}$ be a security parameter and $n : \mathbb{N} \to \mathbb{N}$, $l : \mathbb{N} \to \mathbb{R}$ be non-negative functions of $\kappa$. A collection of $(n, l)$-lossy trapdoor functions (LTDF) is a tuple of efficient algorithms $(\mathsf{InjGen}, \mathsf{LossyGen}, \mathsf{Eval}, \mathsf{Invert})$ with the following specifications.
Sampling an injective function: Given a security parameter $\kappa$, the randomized algorithm $\mathsf{InjGen}(1^\kappa)$ outputs the index $ek$ of an injective function of the family and an inversion trapdoor $t$.
Sampling a lossy function: Given a security parameter $\kappa$, the probabilistic algorithm $\mathsf{LossyGen}(1^\kappa)$ outputs the index $ek$ of a lossy function.
Evaluation: Given the index of a function $ek$ produced by either $\mathsf{InjGen}$ or $\mathsf{LossyGen}$ and an input $x \in \{0, 1\}^n$, the evaluation algorithm $\mathsf{Eval}$ outputs $F_{ek}(x)$ such that: if $ek$ is an output of $\mathsf{InjGen}$, then $F_{ek}(\cdot)$ is an injective function; if $ek$ was produced by $\mathsf{LossyGen}$, then $F_{ek}(\cdot)$ has image size $2^{n-l}$. In this case, the value $n - l$ is called residual leakage.
Inversion: For any pair $(ek, t)$ produced by $\mathsf{InjGen}$ and any input $x \in \{0, 1\}^n$, the inversion algorithm $\mathsf{Invert}$ returns $F^{-1}_{ek}(t, F_{ek}(x)) = x$.
Security: The two ensembles $\{ek \mid (ek, t) \leftarrow \mathsf{InjGen}(1^\kappa)\}_{\kappa \in \mathbb{N}}$ and $\{ek \mid ek \leftarrow \mathsf{LossyGen}(1^\kappa)\}_{\kappa \in \mathbb{N}}$ are computationally indistinguishable.

Our construction goes as follows.

Sampling an injective function. Given a security parameter $\kappa$, let $l_N = l_N(\kappa)$ and $k = k(\kappa)$ be parameters determined by $\kappa$. Let also $n = n(\kappa)$ be the desired input length. Algorithm $\mathsf{InjGen}$ defines $m = n/k$ (we assume that $k$ divides $n$ for simplicity) and conducts the following steps.
1. Generate an $l_N$-bit RSA modulus $N = pq$ such that $p = 2^K p' + 1$ and $q = 2^L q' + 1$, for odd prime integers $p, q, p', q'$ and with $K \ge k$ and $L \in \{1, \ldots, k\}$. Choose $y \leftarrow_R J_N \setminus QR_N$ at random.
2. For each $i \in \{1, \ldots, m\}$, pick $h_i$ in the subgroup of $2^k$-th residues, $R_{2^k} = \{w^{2^k} \bmod N \mid w \in \mathbb{Z}_N^*\}$ (of order $p'q'$), by setting $h_i = g_i^{2^k} \bmod N$ for a randomly chosen $g_i \leftarrow_R \mathbb{Z}_N^*$.
3. Choose $r_1, \ldots, r_m \leftarrow_R \mathbb{Z}_{p'q'}$ and compute a matrix $Z = (Z_{i,j})_{i,j \in \{1, \ldots, m\}}$ given by
$$Z = \begin{pmatrix} y^{z_{1,1}} h_1^{r_1} \bmod N & \cdots & y^{z_{1,m}} h_m^{r_1} \bmod N \\ \vdots & & \vdots \\ y^{z_{m,1}} h_1^{r_m} \bmod N & \cdots & y^{z_{m,m}} h_m^{r_m} \bmod N \end{pmatrix},$$
where $(z_{i,j})_{i,j \in \{1, \ldots, m\}}$ denotes the identity matrix. The evaluation key is $ek = \bigl(N, (Z_{i,j})_{i,j \in \{1, \ldots, m\}}\bigr)$ and the trapdoor is $t = \{p, y\}$.

Sampling a lossy function. The process followed by $\mathsf{LossyGen}$ is identical to the above one, but the matrix $(z_{i,j})_{i,j \in \{1, \ldots, m\}}$ is replaced by the all-zeroes $m \times m$ matrix.

Evaluation. Given $ek = \bigl(N, (Z_{i,j})_{i,j \in \{1, \ldots, m\}}\bigr)$, algorithm $\mathsf{Eval}$ parses the input $x \in \{0, 1\}^n$ as a vector of $k$-bit blocks $x = (x_1, \ldots, x_m)$, with $x_i \in \mathbb{Z}_{2^k}$ for each $i$. Then, it computes and returns $\tilde{y} = (y_1, \ldots, y_m)$, with $y_j \in \mathbb{Z}_N^*$, where
$$\tilde{y} = \Bigl(\prod_{i=1}^m Z_{i,1}^{x_i} \bmod N, \ldots, \prod_{i=1}^m Z_{i,m}^{x_i} \bmod N\Bigr) = \Bigl(y^{\sum_{i=1}^m z_{i,1} x_i}\, h_1^{\sum_{i=1}^m r_i x_i} \bmod N, \ldots, y^{\sum_{i=1}^m z_{i,m} x_i}\, h_m^{\sum_{i=1}^m r_i x_i} \bmod N\Bigr).$$

Inversion. Given $t = \{p, y\}$ and $\tilde{y} = (y_1, \ldots, y_m) \in (\mathbb{Z}_N^*)^m$, $\mathsf{Invert}$ applies the decryption algorithm of Section 3 to each $y_j$, for $j = 1$ to $m$. Observe that when $(z_{i,j})_{i,j \in \{1, \ldots, m\}}$ is the identity matrix, $\bigl(\tfrac{y_j}{p}\bigr)_{2^k} = \bigl[\bigl(\tfrac{y}{p}\bigr)_{2^k}\bigr]^{x_j} \bmod p$. From the resulting vector of plaintexts $x = (x_1, \ldots, x_m) \in \mathbb{Z}_{2^k}^m$, it recovers the input $x \in \{0, 1\}^n$.

The Hemenway-Ostrovsky construction of [HO12] is slightly different in that, as in the DDH-based construction of Peikert and Waters [PW08], the evaluation key includes a vector of the form $G = (g^{r_1}, \ldots, g^{r_m})^T$, where $g \in QR_N$, and the trapdoor is $t = (\log_g(h_1), \ldots, \log_g(h_m))$. In their scheme, the evaluation algorithm additionally computes $\prod_{i=1}^m (g^{r_i})^{x_i}$, while the inversion algorithm does not use the factorization of $N$ but rather performs a coordinate-wise ElGamal decryption. Here, explicitly using the factorization of $N$ in the inversion algorithm makes it possible to process $k$-bit blocks at once. In addition, it allows for a very short inversion trapdoor: the inversion algorithm only needs $y$ and the factorization of $N$. We first recall the DDH assumption before giving the security theorem for our new construction.

Definition 8 (Decision Diffie-Hellman, DDH). Given a security parameter $\kappa$, let $G = \langle g \rangle$ be a (multiplicatively written) group of order $n$.
The Decision Diffie-Hellman (DDH) assumption for $G$ asserts that the function $\mathsf{Adv}^{\text{DDH}}_D(\kappa)$, defined as the distance
$$\bigl|\Pr[D(g, g^a, g^b, g^{ab}) = 1 \mid a, b \leftarrow_R \mathbb{Z}_n] - \Pr[D(g, g^a, g^b, g^c) = 1 \mid a, b, c \leftarrow_R \mathbb{Z}_n]\bigr|,$$
is negligible for any probabilistic polynomial-time distinguisher $D$; the probabilities are taken over the experiment of selecting at random a generator $g$ of $G$ and choosing at random $a \in \mathbb{Z}_n$, $b \in \mathbb{Z}_n$ and $c \in \mathbb{Z}_n$.

Theorem 4. Let $l(\kappa) = n(\kappa) - \log_2(p'q')$. The above construction is an $(n(\kappa), l(\kappa))$-LTDF if the Gap-$2^k$-Res assumption holds and if the DDH assumption holds in the subgroup $R_{2^k}$ of $2^k$-th residues. We recall that $N = pq$, with $p = 2^K p' + 1$ and $q = 2^L q' + 1$. Therefore, we have:
$$n(\kappa) - \log_2(N / 2^{K+L}) < l(\kappa) < n(\kappa) - \log_2(N / 2^{K+L}) + 1.$$

Proof (of Theorem 4). We first prove that lossy functions are indistinguishable from injective functions. To this end, we consider a sequence of hybrid experiments. We first define an experiment $\mathrm{Exp}_0$, which is an experiment where the key generation algorithm outputs the description of an injective function, with the difference that $y$ is chosen as a $2^k$-th residue instead of being drawn as $y \leftarrow_R J_N \setminus QR_N$. Clearly,