Advanced Cryptography: http://lasecwww.epfl.ch/courses/ac10

Exercise Sheet #3 Advanced Cryptography 2010

Exercise 1 Okamoto-Uchiyama

Let p be a prime number and let G be the set of all $x \in \mathbb{Z}_{p^2}$ such that $x \equiv 1 \pmod p$. In the previous exercise sheet, we have proven that G is a group with the multiplication of $\mathbb{Z}_{p^2}$, that $|G| = p$, that $L : G \to \mathbb{Z}_p$ defined by $L(x) = \frac{x-1}{p}$ is a group isomorphism, that $p+1$ is a generator of G, and that L is the logarithm with respect to the basis $p+1$ in G. We now define the public-key cryptosystem of Okamoto-Uchiyama [1] which was proposed in 1998.

Key Generation: We first choose two large primes p and q greater than $2^k$ for some fixed k and we compute $n = p^2 q$. Then, we randomly choose $g \in \mathbb{Z}_n^*$ such that $g^{p-1} \bmod p^2$ has multiplicative order p. Finally, we compute $h = g^n \bmod n$. The public key is $(n, g, h)$ and the secret key is $(p, q)$.

Encryption: Let $m \in \mathbb{N}$ such that $0 \le m < 2^{k-1}$ and pick $r \in \mathbb{Z}_n^*$ uniformly at random. The ciphertext is

$c = g^m h^r \bmod n.$

Decryption: One can recover the message m with

$m = \frac{L(c^{p-1} \bmod p^2)}{L(g^{p-1} \bmod p^2)} \bmod p.$

Show that the decryption is well defined, i.e., that $L(c^{p-1} \bmod p^2)$ and $L(g^{p-1} \bmod p^2)$ are two elements of $\mathbb{Z}_p$. Show that the decryption indeed recovers the original plaintext.
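A toy instance of the scheme, added here as an illustration and not part of the exercise sheet: key generation, encryption and the L-based decryption, plus the additive homomorphism the decryption argument implies. The concrete primes, the random search for g and the helper names are assumptions.

```python
# Added example (not from the exercise sheet): a toy Okamoto-Uchiyama
# instance with small primes. Parameter names follow the sheet; the concrete
# primes, the random search for g and the homomorphic demo are assumptions.
from math import gcd
import random

def L(x, p):
    # L(x) = (x - 1) / p, defined on G = {x in Z_{p^2} : x = 1 (mod p)}
    assert x % p == 1, "argument must lie in G"
    return ((x - 1) // p) % p

def keygen(p, q, seed=0):
    # n = p^2 q; g in Z_n^* such that g^(p-1) mod p^2 has order p; h = g^n mod n.
    # g^(p-1) mod p^2 lies in G, whose order is the prime p, so it has order p
    # exactly when it differs from 1.
    n, p2 = p * p * q, p * p
    rng = random.Random(seed)
    while True:
        g = rng.randrange(2, n)
        if gcd(g, n) == 1 and pow(g, p - 1, p2) != 1:
            break
    return (n, g, pow(g, n, n)), (p, q)

def encrypt(pub, m, r):
    # c = g^m h^r mod n, with 0 <= m < 2^(k-1) < p and r in Z_n^*
    n, g, h = pub
    return pow(g, m, n) * pow(h, r, n) % n

def decrypt(pub, priv, c):
    # m = L(c^(p-1) mod p^2) / L(g^(p-1) mod p^2) mod p. The factor h^r
    # disappears because h^(p-1) = (g^(p-1))^n = 1 (mod p^2): the order p
    # of g^(p-1) mod p^2 divides n = p^2 q.
    n, g, _ = pub
    p, _ = priv
    p2 = p * p
    num = L(pow(c, p - 1, p2), p)
    den = L(pow(g, p - 1, p2), p)
    return num * pow(den, -1, p) % p

def homomorphic_sum(pub, priv, m1, m2):
    # The scheme is additively homomorphic: E(m1) * E(m2) decrypts to
    # m1 + m2 as long as m1 + m2 < p.
    n = pub[0]
    return decrypt(pub, priv, encrypt(pub, m1, 3) * encrypt(pub, m2, 5) % n)

if __name__ == "__main__":
    pub, priv = keygen(101, 103)    # 2^6 < 101, 103, so k = 6 and m < 32
    print(decrypt(pub, priv, encrypt(pub, 25, 7)))   # 25
```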

Exercise 2

Below, we consider the Rabin cryptosystem [2] which was proposed in 1979.

[1] T. Okamoto and S. Uchiyama. A new public-key cryptosystem as secure as factoring. In K. Nyberg, editor, Advances in Cryptology – Eurocrypt'98: International Conference on the Theory and Application of Cryptographic Techniques, Espoo, Finland, May/June 1998. Proceedings, volume 1403 of Lecture Notes in Computer Science, pages 308–318. Springer-Verlag, 1998.

[2] M. O. Rabin. Digitalized signatures and public-key functions as intractable as factorization. Technical Report MIT/LCS/TR-212, MIT, 1979.

Setup: Generate two primes p, q such that $p \equiv q \equiv 3 \pmod 4$, set $n = p \cdot q$ and pick a uniformly distributed random element $B \in \mathbb{Z}_n$.

Public Key: $K_p = (B, n)$

Secret Key: $K_s = (B, p, q)$

Encryption: A message $x \in \mathbb{Z}_n$ is encrypted by computing $E(x) = x(x + B) \bmod n$.

Decryption: Let $y \in \mathbb{Z}_n$ be a ciphertext. The decrypted plaintext $D(y)$ is one of the four square roots of $\frac{B^2}{4} + y$ minus $\frac{B}{2}$.
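As an added illustration (not from the exercise sheet), the following code runs the scheme on a toy modulus: it computes the four square roots modulo n from roots modulo p and q combined by the CRT, and turns them into the four plaintext candidates. The parameters p = 7, q = 11, B = 5 and all function names are assumptions.

```python
# Added example (not from the exercise sheet): Rabin encryption and the
# square-root computation behind decryption, for p = q = 3 (mod 4).
# The toy parameters p = 7, q = 11, B = 5 are assumptions.

def crt(a_p, a_q, p, q):
    # Unique x mod pq with x = a_p (mod p) and x = a_q (mod q)
    n = p * q
    return (a_p * q * pow(q, -1, p) + a_q * p * pow(p, -1, q)) % n

def sqrt_mod_n(t, p, q):
    # With p = 3 (mod 4), t^((p+1)/4) is a square root of t mod p whenever t
    # is a quadratic residue; the two roots mod p and the two roots mod q
    # combine through the CRT into the four square roots of t in Z_n.
    rp, rq = pow(t, (p + 1) // 4, p), pow(t, (q + 1) // 4, q)
    if (rp * rp - t) % p or (rq * rq - t) % q:
        raise ValueError("t is not a square modulo n")
    return sorted({crt(sp, sq, p, q) for sp in (rp, -rp % p) for sq in (rq, -rq % q)})

def encrypt(pub, x):
    # E(x) = x (x + B) mod n
    B, n = pub
    return x * (x + B) % n

def decrypt(priv, y):
    # x(x + B) = (x + B/2)^2 - B^2/4, so x = s - B/2 for each square root s
    # of B^2/4 + y. Division by 2 is multiplication by the inverse of 2
    # mod n, which exists because n is odd.
    B, p, q = priv
    n = p * q
    half_B = B * pow(2, -1, n) % n
    t = (half_B * half_B + y) % n          # = B^2/4 + y
    return sorted((s - half_B) % n for s in sqrt_mod_n(t, p, q))

if __name__ == "__main__":
    pub, priv = (5, 77), (5, 7, 11)
    y = encrypt(pub, 9)                     # 49
    print(decrypt(priv, y))                 # four candidates, 9 among them
```

Every candidate re-encrypts to y, which is exactly why the decryption is non-deterministic without extra redundancy.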

1. Explain how it is possible to compute the square roots in Zn.

2. Notice that the decryption is non-deterministic. Show that we can make the decryption deterministic by adding some redundancy in the plaintext.

3. Show that if one can factorize n then one can break the Rabin cryptosystem.

4. Show that the Rabin cryptosystem can be completely broken by a chosen-ciphertext attack. Hint: Show how to factorize n if one can play with a decryption oracle which takes a ciphertext as an input, and outputs one of the four possible plaintexts at random.

Exercise 3 Modified Diffie-Hellman

After having studied the Diffie-Hellman protocol, a young cryptographer decides to implement it. In order to simplify the implementation, he decides to use the additive group $(\mathbb{Z}_p, +)$ instead of the multiplicative one $(\mathbb{Z}_p^*, \cdot)$. As an experienced cryptographer, what do you think about this new protocol?

Exercise 4 Paillier Cryptosystem

In 1999, Pascal Paillier [3] proposed a trapdoor permutation that we will study in this exercise. Let p and q be two distinct odd primes such that $\gcd(n, (p-1)(q-1)) = 1$, where $n = p \cdot q$. Let $g \in \mathbb{Z}_{n^2}^*$ such that the order of g is a multiple of n. Paillier's trapdoor permutation is defined by

$F_g : \mathbb{Z}_n^* \times \mathbb{Z}_n \longrightarrow \mathbb{Z}_{n^2}^*, \quad (r, m) \longmapsto r^n \cdot g^m \bmod n^2.$

1. Show that the sets $\mathbb{Z}_n^* \times \mathbb{Z}_n$ and $\mathbb{Z}_{n^2}^*$ have the same cardinality.

2. Let $\lambda(n)$ be the smallest positive integer such that $x^{\lambda(n)} \bmod n = 1$ for any $x \in \mathbb{Z}_n^*$. Show that $w^{n \cdot \lambda(n)} \bmod n^2 = 1$ for any $w \in \mathbb{Z}_{n^2}^*$.

3. Bijectivity. In this part, we prove that the function Fg is bijective.

[3] P. Paillier. Public-key cryptosystems based on composite degree residuosity classes. In J. Stern, editor, Advances in Cryptology – Eurocrypt'99: International Conference on the Theory and Application of Cryptographic Techniques, Prague, Czech Republic, May 1999. Proceedings, volume 1592 of Lecture Notes in Computer Science, pages 223–238. Springer-Verlag, 1999.

(a) Argue why it suffices to show the injectivity of $F_g$ to prove that it is bijective.

(b) Show that

$F_g(r_1, m_1) = F_g(r_2, m_2) \Rightarrow g^{\lambda(n)(m_2 - m_1)} \equiv 1 \pmod{n^2}.$

(c) Show that Fg is injective. Hint: Show that gcd(n, λ(n)) = 1.
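The permutation and its trapdoor inversion on a toy modulus, added here as an illustration and not part of the exercise sheet: $\lambda(n)$ removes the $r^n$ factor (part 2), the remaining power of g is read off with the function $L(x) = (x-1)/n$, and a brute-force routine checks the bijectivity of part 3 by enumeration for a tiny n. The primes, the choice $g = 1 + n$ and the function names are assumptions.

```python
# Added example (not from the exercise sheet): Paillier's trapdoor
# permutation F_g and its inversion with the trapdoor lambda(n). The toy
# primes and the choice g = 1 + n (which has order exactly n) are assumptions.
from math import gcd, lcm

def L(x, n):
    # L(x) = (x - 1) / n on {x in Z_{n^2} : x = 1 (mod n)}
    assert x % n == 1, "argument must be 1 modulo n"
    return (x - 1) // n

def F(g, n, r, m):
    # F_g(r, m) = r^n * g^m mod n^2, with r in Z_n^*, m in Z_n
    n2 = n * n
    return pow(r, n, n2) * pow(g, m, n2) % n2

def F_inverse(g, p, q, c):
    # lambda(n) = lcm(p-1, q-1) kills r^n: c^lambda = g^(m lambda) (mod n^2),
    # and g^lambda = 1 (mod n), so m = L(c^lambda) / L(g^lambda) mod n.
    # Then r^n = c g^(-m) (mod n), and since gcd(n, lambda) = 1 the exponent
    # n is invertible modulo lambda, giving r = (r^n)^(n^-1 mod lambda) mod n.
    n, lam = p * q, lcm(p - 1, q - 1)
    n2 = n * n
    m = L(pow(c, lam, n2), n) * pow(L(pow(g, lam, n2), n), -1, n) % n
    rn = c * pow(g, -m, n2) % n
    r = pow(rn, pow(n, -1, lam), n)
    return r, m

def is_bijective(g, p, q):
    # Brute-force check of part 3 for a tiny modulus: the images of all
    # pairs (r, m) are pairwise distinct and exhaust Z_{n^2}^*.
    n = p * q
    images = [F(g, n, r, m) for r in range(1, n) if gcd(r, n) == 1 for m in range(n)]
    units = {x for x in range(1, n * n) if gcd(x, n) == 1}
    return len(set(images)) == len(images) and set(images) == units

if __name__ == "__main__":
    p, q = 5, 7                      # n = 35, lambda = 12, gcd(35, 12) = 1
    c = F(1 + 35, 35, 2, 3)
    print(F_inverse(1 + 35, p, q, c))   # (2, 3)
    print(is_bijective(1 + 15, 3, 5))   # True
```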

4. We consider now a variant of this scheme called the RSA-Paillier cryptosystem (see [4] and [5]) which is defined as follows.

Key Generation: Let s be an integer. Pick two different odd primes p and q of size $s/2$ bits and an element $e \in \mathbb{Z}_n$ such that $\gcd(e, \lambda(n)) = 1$. Set $n = pq$ and $d = e^{-1} \bmod \lambda(n)$.

Public Key: $(e, n)$

Secret Key: $(d, n)$

Encryption: To encrypt a message $m \in \mathbb{Z}_n$, we pick a random $r \in \mathbb{Z}_n^*$ and compute the ciphertext $c = r^e (1 + mn) \bmod n^2$.

(a) Evaluate the complexity of the key generation and encryption algorithms in terms of s.

(b) Explain how the decryption algorithm works.

(c) Evaluate the complexity of the decryption algorithm in terms of s.

Exercise 5 Naccache-Stern Cryptosystem

The aim of this exercise is to study the Naccache-Stern cryptosystem proposed in 1998 [6]. We first give the description of this cryptosystem.

Key Generation: Let $n = pq$ be a modulus of two large odd primes p and q such that $p = 2au + 1$ and $q = 2bv + 1$, where a and b are also two large distinct primes and where u and v are chosen as follows. Consider 10 small (e.g., about 10 bits) odd pairwise distinct primes $r_1, r_2, \ldots, r_{10}$ and set $u = \prod_{i=1}^{5} r_i$ and $v = \prod_{i=6}^{10} r_i$. Set also $\sigma = uv$. Let $g \in \mathbb{Z}_n^*$ be an element which generates a subgroup whose order is a multiple of $\sigma ab$.

Public Key: $K_p = (n, g)$

Secret Key: $K_s = (p, q)$

Note that a, b, and the $r_i$'s can easily be found from p and q. So, these elements are implicitly in the secret key.

[4] D. Catalano, R. Gennaro, N. Howgrave-Graham, and P. Q. Nguyen. Paillier's cryptosystem revisited. In Proceedings of the 8th ACM Conference on Computer and Communications Security, Philadelphia, PA, U.S.A., pages 206–214. ACM Press, 2001.

[5] D. Catalano, P. Q. Nguyen, and J. Stern. The hardness of Hensel lifting: The case of RSA and discrete logarithm. In Y. Zheng, editor, Advances in Cryptology – Asiacrypt'02: 8th International Conference on the Theory and Application of Cryptology and Information Security, Queenstown, New Zealand, December 2002, Proceedings, volume 2501 of Lecture Notes in Computer Science, pages 299–310. Springer-Verlag, 2002.

[6] D. Naccache and J. Stern. A new public-key cryptosystem based on higher residues. In Proceedings of the 5th ACM Conference on Computer and Communications Security, San Francisco, California, U.S.A., pages 59–66. ACM Press, 1998.

Encryption: Let m be an integer lying in $\{1, 2, \ldots, \sigma\}$. We encrypt m by computing $g^m \bmod n$. In practice, since the sender of m does not know $\sigma$, he encrypts messages that are smaller than a lower bound of $\sigma$.

1. What is the impact on the security of this cryptosystem if we set a = b = 1 in the key generation?

2. Devise an algorithm which generates n.

3. What is the asymptotic complexity of this algorithm expressed in terms of the size of p, q and of a, b? Assume that p and q have the same size denoted by $\ell_1$ (in bits) and a and b have the same size denoted by $\ell_2$ (in bits).

4. Show that the size of the largest cyclic subgroup of $\mathbb{Z}_n^*$ is equal to $2ab\sigma$. Hint: Take a generator $g_1$ of $\mathbb{Z}_p^*$ and a generator $g_2$ of $\mathbb{Z}_q^*$.

5. Let H be a commutative group of order t such that $t = cd$, where c is a prime number and d is a positive integer coprime with c. Let $h \in H$. Prove that if $h^d \neq 1$, then the order of h is a multiple of c. Hint: Try a proof by contradiction!

6. Deduce an algorithm for testing whether a given element $g \in \mathbb{Z}_n^*$ has order at least $\sigma ab$ or not.

7. Show that the encryption function defined on $\{1, 2, \ldots, \sigma\} \subset \mathbb{N}$ is injective.

8. Using the secret key $K_s$, show how we can retrieve the message m from the ciphertext $c = g^m \bmod n$. Hint: Adapt the algorithm of Pohlig-Hellman.
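A toy instance tying the key generation of the description to the order test of question 6 and the Pohlig-Hellman decryption of question 8, added here as an illustration and not part of the exercise sheet. It assumes four small primes $r_i$ (two per side) instead of ten, a and b found by a deterministic search, and a brute-force discrete logarithm inside each subgroup of order $r_i$; the function names are assumptions.

```python
# Added example (not from the exercise sheet): a toy Naccache-Stern
# instance. Assumptions: four small primes r_i (two per side) instead of
# ten, small a and b found by search, and a brute-force step inside each
# subgroup of order r_i for the Pohlig-Hellman decryption of question 8.
from itertools import count
from math import gcd, prod

def is_prime(x):
    return x > 1 and all(x % d for d in range(2, int(x ** 0.5) + 1))

def keygen(rs):
    # p = 2au + 1 and q = 2bv + 1 with u, v products of the r_i and a, b
    # primes distinct from each other and from the r_i.
    u, v = prod(rs[: len(rs) // 2]), prod(rs[len(rs) // 2 :])
    def cofactor(w, avoid):
        return next(t for t in count(max(rs) + 2)
                    if is_prime(t) and t not in avoid and is_prime(2 * t * w + 1))
    a = cofactor(u, set(rs))
    b = cofactor(v, set(rs) | {a})
    p, q = 2 * a * u + 1, 2 * b * v + 1
    n, sigma = p * q, u * v
    lam = 2 * a * b * sigma        # = lcm(p - 1, q - 1), the exponent of Z_n^*
    # g has order a multiple of sigma*a*b iff g^(lam/c) != 1 for every prime
    # c dividing sigma*a*b (questions 5 and 6).
    g = next(x for x in count(2) if gcd(x, n) == 1
             and all(pow(x, lam // c, n) != 1 for c in rs + [a, b]))
    return (n, g), (p, q, a, b, rs)

def encrypt(pub, m):
    # m in {1, ..., sigma}; c = g^m mod n
    n, g = pub
    return pow(g, m, n)

def decrypt(pub, priv, c):
    # Pohlig-Hellman: g_i = g^(lam/r_i) has order r_i and c^(lam/r_i) = g_i^m,
    # which reveals m mod r_i; the CRT then rebuilds m mod sigma.
    n, g = pub
    p, q, a, b, rs = priv
    sigma = prod(rs)
    lam = 2 * a * b * sigma
    m, mod = 0, 1
    for r in rs:
        gi, ci = pow(g, lam // r, n), pow(c, lam // r, n)
        mi = next(j for j in range(r) if pow(gi, j, n) == ci)
        m += mod * ((mi - m) * pow(mod, -1, r) % r)   # keep m = mi (mod r)
        mod *= r
    return m or sigma           # m = 0 (mod sigma) means the plaintext was sigma
```

With `keygen([3, 5, 7, 11])` the search yields a = 19, b = 13, hence p = 571, q = 2003 and sigma = 1155; `decrypt(pub, priv, encrypt(pub, 500))` returns 500.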
