On the security of RSA textbook signature scheme on Paillier ciphertext

Similar documents
CS408 Cryptography & Internet Security

Applied Cryptography and Computer Security CSE 664 Spring 2018

RSA (algorithm) History

Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption

RSA. Public Key CryptoSystem

Asymmetric Primitives. (public key encryptions and digital signatures)

ASYMMETRIC CRYPTOGRAPHY

Practical Threshold Signatures with Linear Secret Sharing Schemes

A SIGNATURE ALGORITHM BASED ON DLP AND COMPUTING SQUARE ROOTS

Public Key Algorithms

RSA (material drawn from Avi Kak Lecture 12, Lecture Notes on "Computer and Network Security" Used in asymmetric crypto.

Introduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information

Public Key Encryption. Modified by: Dr. Ramzi Saifan

Chapter 11 : Private-Key Encryption

An efficient semantically secure elliptic curve cryptosystem based on KMOV

Introduction to Cryptography and Security Mechanisms. Abdul Hameed

Channel Coding and Cryptography Part II: Introduction to Cryptography

Efficient identity-based GQ multisignatures

CSC 5930/9010 Modern Cryptography: Digital Signatures

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Chapter 3 Public Key Cryptography

CPSC 467b: Cryptography and Computer Security

- 0 - CryptoLib: Cryptography in Software John B. Lacy 1 Donald P. Mitchell 2 William M. Schell 3 AT&T Bell Laboratories ABSTRACT

Research, Universiti Putra Malaysia, Serdang, 43400, Malaysia. 1,2 Department of Mathematics, Faculty of Sciences, Universiti Putra Malaysia,

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Public-key encipherment concept

Lecture 6: Overview of Public-Key Cryptography and RSA

*E. Madhusudhana Reddy & M.Padmavathamma Department of Computer Science, S.V.University, Tirupati

Secure Multiparty Computation

Chapter 9. Public Key Cryptography, RSA And Key Management

Public Auditing on Shared Data in the Cloud Using Ring Signature Mechanism

Great Theoretical Ideas in Computer Science. Lecture 27: Cryptography

Public Key Cryptography

Applied Cryptography and Network Security

CS Network Security. Nasir Memon Polytechnic University Module 7 Public Key Cryptography. RSA.

ALIKE: Authenticated Lightweight Key Exchange. Sandrine Agagliate, GEMALTO Security Labs

Public-Key Cryptography

Distributed ID-based Signature Using Tamper-Resistant Module

Public Key Algorithms

What did we talk about last time? Public key cryptography A little number theory

Katz, Lindell Introduction to Modern Cryptrography

CS669 Network Security

Threshold Paillier and Naccache-Stern Cryptosystems Based on Asmuth-Bloom Secret Sharing

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems

Algorithmic number theory Cryptographic hardness assumptions. Table of contents

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Verifiably Encrypted Signature Scheme with Threshold Adjudication

Study Guide to Mideterm Exam

RSA (Rivest Shamir Adleman) public key cryptosystem: Key generation: Pick two large prime Ô Õ ¾ numbers È.

Overview. Public Key Algorithms I

The Beta Cryptosystem

International Journal of Advance Engineering and Research Development A SURVEY ON HOMOMORPHIC ENCRYPTION TECHNIQUES IN CLOUD COMPUTING

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

Lecture 2 Applied Cryptography (Part 2)

Code-Based Cryptography McEliece Cryptosystem

RSA (Rivest Shamir Adleman) public key cryptosystem: Key generation: Pick two large prime Ô Õ ¾ numbers È.

RSA Cryptography in the Textbook and in the Field. Gregory Quenell

Homomorphic Encryption

Introduction to Cryptography Lecture 7

Applications of The Montgomery Exponent

A Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security. T. Shrimpton October 18, 2004

Algorithms (III) Yijia Chen Shanghai Jiaotong University

New Public Key Cryptosystems Based on the Dependent RSA Problems

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

A compact Aggregate key Cryptosystem for Data Sharing in Cloud Storage systems.

Cryptography Today. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 44

Public Key Cryptography and the RSA Cryptosystem

Chapter 9 Public Key Cryptography. WANG YANG

Public-Key Cryptanalysis

Algorithms (III) Yu Yu. Shanghai Jiaotong University

Improved Delegation Of Computation Using Somewhat Homomorphic Encryption To Reduce Storage Space

Cryptography and Network Security. Sixth Edition by William Stallings

Cryptography Symmetric Cryptography Asymmetric Cryptography Internet Communication. Telling Secrets. Secret Writing Through the Ages.

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Cryptographic protocols

Lecture 15: Public Key Encryption: I

Cryptographic Primitives and Protocols for MANETs. Jonathan Katz University of Maryland

INTERNATIONAL JOURNAL OF ELECTRONICS AND COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET)

Some Stuff About Crypto

Cryptography (DES+RSA) by Amit Konar Dept. of Math and CS, UMSL

Random Oracles - OAEP

Brief Introduction to Provable Security

Cryptanalysis of Brenner et al. s Somewhat Homomorphic Encryption Scheme

Algorithms (III) Yijia Chen Shanghai Jiaotong University

Part VI. Public-key cryptography

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

McEliece Cryptosystem in real life: security and implementation

Enhanced Asymmetric Public Key Cryptography based on Diffie-Hellman and RSA Algorithm

Solutions to exam in Cryptography December 17, 2013

Public Key Cryptography

Provable Partial Key Escrow

Cryptographic Hash Functions

Analysis of Partially and Fully Homomorphic Encryption

A Tour of Classical and Modern Cryptography

Keywords Security, Cryptanalysis, RSA algorithm, Timing Attack

Introduction to Cryptography Lecture 7

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Key Exchange. Secure Software Systems

Transcription:

Lietuvos matematikos rinkinys ISSN 0132-2818 Proc. of the Lithuanian Mathematical Society, Ser. A Vol. 57, 2016 DOI: 10.15388/LMR.A.2016.16 pages 86 90 On the security of RSA textbook signature scheme on Paillier ciphertext Aleksejus Mihalkovich, Eligijus Sakalauskas Department of Fundamental Sciences, Kaunas University of Technology Studentų str. 48, Kaunas, Lithuania E-mail: aleksejus.michalkovic@ktu.lt, eligijus.sakalauskas@ktu.lt Abstract. In this paper we consider Pailler encryption and RSA textbook signature. We show that due to valuable homomorphic property these algorithms can be used together to obtain a valid signature on a certain combination of ciphertexts. Our goal is to show that this combination of algorithms provide security against chosen plaintext and chosen ciphertext attacks. Keywords: security analysis, e-signature, asymmetric encryption. 1 Introduction Nowadays many algorithms of asymmetric encryption and digital signature are known. In our paper we consider two homomorphic cryptographic primitives, namely Pailler encryption and RSA textbook signature. The considered cryptographic primitives possess a homomorphic property. This valuable property allows us to apply these algorithms to distinct messages and obtain a valid result for a combination of these messages (sum or product). Another important similarity between two protocols is the fact, that both algorithms use an integer n, which is a product of two primes p and q. Due to this similarity we are able to link these two algorithms together, i.e. we use Pailler encryption on the message m to obtain a ciphertext c, which is then signed using RSA textbook signature. This combination of two schemes can be used to create e-money or in e-voting. Though is was previously shown in [3], that RSA textbook signature scheme is existentially forgeable, we consider the resistance of the combination of it with Pailler encryption to chosen plaintext and chosen ciphertext attacks (CPA and CCA respectively). 2 Mathematical background In this section we provide brief overview of cryptographic primitives mentioned above. Note however, that we shall be using the Carmichael function λ( ) in stead of Euler totient function φ( ). The following steps are performed once and are used in both cryptographic primitives: Generate two large distinct primes p and q of the roughly same size; Compute n = pq and λ(n) = lcm(p 1,q 1).

On the security of RSA textbook signature scheme on Paillier ciphertext 87 2.1 Pailler encryption In Pailler asymmetric encryption protocol the public key PuK = n, and the private key PrK = λ(n). Assume, that a message to be encrypted is encoded by an integer m. The encryption is performed as follows [4]: Select a random number r Z n 2; Compute the ciphertext c = (1+n) m r n mod n 2. Note, that c Z n 2. Note, that since the multiplicative order ord n 2(1+n) = n it is reasonable to turn a message to an integer m Z n. The plaintext message m is computed using an identity: m = cλ(n) mod n 2 1 λ 1 (n) mod n. n Note, that division is performed over set of integers Z. 2.2 RSA textbook signature scheme The main idea of this paper is to link two cryptographic primitives by using the same value n for both Pailler encryption and RSA textbook signature. The steps to execute the latter are presented below [5]: 2.2.1 Key generation algorithm Select a random integer e, 1 < e < λ(n), such that gcd(e,λ(n)) = 1. It reasonable to consider values of e having a short bit-length and small Hamming weight. A common value of e is 2 16 +1; Find a value of d satisfying the congruence ed 1 mod λ(n), i.e. compute the modular multiplicative inverse of e modulo λ(n). The public key PuK = (n,e), and the private key PrK = d. 2.2.2 Signature generation Compute the signature s = c d mod n. Note, that s Z n. 2.2.3 Signature verification Let s Z n be a signature to be verified. Compute c = s e mod n; Verify if c = c. The output of the verification function Ver RSA (s) is Yes if the identity holds and No otherwise. Liet. matem. rink. Proc. LMS, Ser. A, 57, 2016, 86 90.

88 A. Mihalkovich, E. Sakalauskas 2.3 Homomorphic properties A useful feature of the Paillier cryptosystem is its homomorphic property [4]: Enc Pai (m 1 ) Enc Pai (m 2 ) = Enc Pai ( (m1 +m 2 ) mod n ) = Enc Pai (m), when m = (m 1 +m 2 ) mod n, for all m,m 1,m 2 Z n, where Enc Pai (m) denotes the Paillier encryption of the message m. The proof of this relation can be found in [4]. Due to this property Paillier encryption scheme allows computations (multiplications) to be performed on ciphertext values, as the product of ciphertexts corresponds to the sum of plaintexts. Furthermore, RSA signature scheme also has a homomorphic property: Sig RSA (c 1 ) Sig RSA (c 2 ) = Sig RSA ( (c1 c 2 ) mod n ) = Sig RSA (c), when c = (c 1 c 2 ) mod n 2, for all c,c 1,c 2 Z n 2, where Sig RSA(c) denotes the RSA signature on the ciphertext c. The proof of this property follows directly from the definition of RSA signature. Hence, the product of two signatures is equal to the signature on the product of ciphertexts. The main advantage of homomorphic property of both algorithms is the fact that users can combine their messagesm 1, m 2, etc. to obtain a ciphertext of a sum of these messages without actual knowledge of the whole message m = k m k. Furthermore, users can also obtain a valid signature on a product of ciphertexts c 1, c 2 without actual knowledge of the whole ciphertext c = k c k. 3 Security proof Let us assume that the message m is encrypted using Pailler algorithm obtaining ciphertext c which is signed by RSA signature. According to [3, 4], we assume, that Paillier encryption scheme is indistinguishable encryption under a chosen-plaintext attack if random encryption number r is chosen as random element in Z n. We assume, that in this case Paillier encryption is performed correctly and we will follow this assumption. Then ciphertext c corresponding to the message m is uniformly distributed in Z n if r is uniformly distriuted in 2 Z n. In [1], authors introduced RSA Full Domain Hash (FDH) function, which can be applied for signing with RSA signature scheme. It was shown in [1] and [2] that this scheme is provably secure, i.e. existentially unforgeable under adaptive chosenmessage attacks in the random oracle model, assuming that inverting RSA is hard, i.e. extracting a root modulo a composite integer, is hard. We now prove the following proposition: Proposition 1 If Paillier encryption and RSA signature has the same modulus n and message m Z n, then ciphertext c = Enc Pai (m) obtained by Paillier encryption taken modulo n, is in RSA FDH, i.e. c z mod n, z Z n. Proof. It is clear, that z Z n, since gcd(z,n) = 1 iff gcd(c,n2 ) = 1. Hence the composition of function f( ) and Enc Pai (m) represents the following mapping

On the security of RSA textbook signature scheme on Paillier ciphertext 89 f ( Enc Pai (m) ) : Z n Z n Z n and this function range is equal to RSA domain. Now we have to show that if Paillier encryption is correct, then for any m Z n, value z is uniformly distributed in Z n for distinct uniform values of r. This comes from the following two facts: Pailler encryption function Enc Pai (m) is a bijection and hence the value of c is distributed uniformly in Z n 2; Since there are exactly n distinct values of c less than n 2 that give the same residue modulo n, the values of z are uniformly distributed in Z n. Hence function f is an n-to-1 mapping Z n 2 Z n and the composition f(enc Pai (m)) can be interpreted as a H-function and as a artificial random oracle if random number r in correct Paillier encryption scheme can be treated as random. This implies that element z as a function of r is strongly universal as defined by Wegman and Carter in [7]. In [6] Vaudenay defines this property as a perfect 1-wise decorrelation (as denoted by the author). Vaudenay showed in [6], that in this case our scheme is secure against chosen plaintext attack (CPA) and chosen ciphertext attack (CCA) respectively (Theorem 7). Hence we have proved, the following proposition: Proposition 2 If Paillier encryption and RSA signature have the same modulus n and message m Z n, then RSA signature s on ciphertext c is existentially unforgeable under CPA in the random oracle model. The security of RSA signature now relies on the multiplicative order of z, which is denoted by ord n (z). To simplify the security analysis, we can use Sophie Germain primes p and q (hence p = 2p + 1 and q = 2q + 1 are primes) to construct the modulus n. In this case the maximal multiplicative order of Z n is defined by the value of the Carmichael function λ(n) = 2p q. The latter expression is also the canonical representation of λ(n), i.e. only 8 distinct divisors of λ = λ(n) exist. Hence there are only 8 possible values of ord n (z), since, due to Lagrange theorem, ord n (z) divides λ. To ensure security of RSA signature we have to exclude small values of λ, i.e. 1 and 2, which is possible by checking if the following congruences hold: c 1 mod n, z 2 1 mod n. In case of at least one correct identity the ciphertext c has to be recalculated, i.e. Pailler encryption algorithm is executed with a different value of r. We assume, that none of latter congruences hold. In this case an element z generates a significantly large subgroup z of cardinality ord n (z). 4 Conclusions In this paper we considered Pailler asymmetric encryption and RSA texbook signature. We have shown that by using the same modulus n we obtain a ciphertext c, Liet. matem. rink. Proc. LMS, Ser. A, 57, 2016, 86 90.

90 A. Mihalkovich, E. Sakalauskas which reduced modulo n is in RSA FDH. Hence the operation of reduction modulo n can be interpreted as a hash function. Furthermore, since RSA FDH is existentially unforgeable, we have shown that a combination of considered algorithms provides security against CPA in random oracle model. References [1] M. Bellare and Ph. Rogaway. The exact security of digital signatures-how to sign with rsa and rabin. In Advances in Cryptology-Eurocrypt 96, pp. 399 416. Springer, 1996. [2] J. Coron. On the exact security of full domain hash. In Advances in Cryptology-CRYPTO 2000, pp. 229 235. Springer, 2000. [3] J. Katz and Y. Lindell. Introduction to Modern Cryptography. CRC Press, 2014. [4] P. Paillier. Public-key cryptosystems based on composite degree residuosity classes. In Advances in Cryptology-EUROCRYPT 99, pp. 223 238. Springer, 1999. [5] R. Rivest, Shamir A and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Comm. ACM, 21(2):120 126, 1978. [6] S. Vaudenay. Decorrelation: a theory for block cipher security. J. Crypt., 16(4):249 286, 2003. [7] M.N. Wegman and J.L. Carter. New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci., 22(3):265 279, 1981. REZIUMĖ Apie RSA parašo ant Pajė šifrogramos saugumą A. Mihalkovich, E. Sakalauskas Darbe nagrinėjamas Pajė asimetrinis šifravimas ir RSA parašas. Kadangi abu algoritmai turi homomorfiškumo savybę, tai šie algoritmai gali būti panaudoti kartu teisėtam parašui ant tam tikros šifrogramų kambinacijos gauti. Mūsų tikslas yra parodyti, jog šių algoritmų kombinacija užtkrina atsparumą pasirinktos žinutės ir pasirinktos šifrogramos atakoms. Raktiniai žodžiai: saugumo analizė, elektroninis parašas, asimetrinis šifravimas.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback