Efficient Zero-Knowledge Proofs of Knowledge for Homomorphisms


Dissertation submitted to the Fakultät für Elektrotechnik und Informationstechnik at the Ruhr-Universität Bochum for the degree of Doktor-Ingenieur by Endre Bangerter. Bochum, Germany, July 2005

Abstract

Efficient zero-knowledge proofs of knowledge for homomorphisms are a key building block in a vast number of constructions in applied cryptography. Examples are: identification-, signature-, group signature-, anonymous credential-, and identity escrow-schemes as well as voting systems, e-cash, multi-party computations, and trusted computing. This dissertation studies efficient zero-knowledge proofs of knowledge for exponentiation homomorphisms. We prove that there are inherent efficiency limitations for existing proofs of knowledge for homomorphisms and describe novel proofs of knowledge that overcome these efficiency limitations.

All efficient zero-knowledge proofs of knowledge for homomorphisms happen to be instances of the same protocol. We refer to this protocol as the Σψ-protocol. While all efficient zero-knowledge proofs of knowledge for homomorphisms are obtained using the Σψ-protocol, the converse is not true: the Σψ-protocol is not known to yield efficient proofs of knowledge for all practically relevant homomorphisms. It was not known whether these efficiency limitations are inherent to the Σψ-protocol or whether they are limitations that can be overcome, i.e., limitations which are due to the conditions under which the Σψ-protocol currently is known to be a proof of knowledge. We prove in different settings and for different homomorphisms that the efficiency limitations of the Σψ-protocol are inherent to the protocol, and hence cannot be overcome.

In particular, for the practically important class of exponentiation homomorphisms ψ_E(x) = h^x and ψ_E(x_1, ..., x_l) = h_1^{x_1} · ... · h_l^{x_l} in hidden order groups (e.g., RSA groups or class groups) no efficient zero-knowledge proofs of knowledge were known, neither using the Σψ-protocol nor using any other protocol. We describe novel protocols that for the first time allow one to obtain efficient zero-knowledge proofs of knowledge for such homomorphisms.

Kurzzusammenfassung (German abstract, translated)

Efficient zero-knowledge proofs of knowledge for homomorphisms are basic building blocks of a large number of cryptographic applications. Examples are (anonymous) identification, (group) signature and voting systems, as well as digital cash, distributed computations and so-called trusted computing. Bounds on the efficiency of such proofs are therefore of great practical importance. This dissertation deals with efficient zero-knowledge proofs of knowledge for homomorphisms. On the one hand, we study the efficiency limitations of existing proofs of knowledge for homomorphisms and show that such proofs are subject to inherent, and hence in principle insurmountable, efficiency limitations. On the other hand, we describe new protocols that are able to overcome these limitations.

All existing efficient zero-knowledge proofs of knowledge for homomorphisms are instances of a single protocol. We call this protocol the Σψ-protocol. The converse, however, does not hold: the Σψ-protocol does not yield efficient proofs of knowledge for all practically relevant homomorphisms. It was an open question whether these efficiency limitations are inherent to the Σψ-protocol, or whether they could possibly be overcome. We contribute to resolving this question by proving that, under various assumptions and for various homomorphisms, the efficiency limitations mentioned are indeed inherent to the protocol and hence insurmountable.

In particular, for the practically important class of exponentiation homomorphisms ψ_E(x) = h^x and ψ_E(x_1, ..., x_l) = h_1^{x_1} · ... · h_l^{x_l} in groups of unknown order (such as RSA groups or class groups), no zero-knowledge proofs of knowledge were known so far, neither by means of the Σψ-protocol nor by means of other protocols. We describe new protocols that for the first time yield efficient zero-knowledge proofs of knowledge for exponentiation homomorphisms in groups of unknown order. Thus we have not only shown that previous protocols are subject to insurmountable efficiency limitations, but are also able to overcome them by means of new protocols.

Acknowledgments

I am profoundly grateful to Jan Camenisch and Ahmad Sadeghi for supporting me and without whom creating this thesis would not have been possible. I am also indebted to Jörg Schwenk for being one of the referees of this thesis and for taking on the time-consuming work arising from this role, and to Ueli Maurer for proposing the topic of this thesis. Many thanks to Dieter Sommer and Markus Rohe who have proofread parts of this thesis and helped me to improve the text with their insightful comments. This thesis was elaborated at the IBM Zurich Research Lab between 2001 and 2004 and at the University of Bochum during winter 2005. I would like to take the opportunity to thank the following people from these institutions: Michael Waidner, Birgit Pfitzmann, Matthias Schunter, Michael Backes, Christopher Giblin, Thomas Gross, Günter Karjoth, Irmgard Kühn, Luke O'Connor, Christof Paar, Jonathan Poritz, Andy Rupp, Els Van Herreweghen, Christian Cachin, Andreas Wespi, Morton Swimmer.

Contents

1 Introduction 9
1.1 Results 11
1.1.1 Efficiency limitations of the Σψ-protocol 12
1.1.2 Efficient proofs of knowledge for exponentiation homomorphisms in hidden order groups 13
1.2 Outline 14
2 Basic concepts 15
2.1 Some notation 15
2.2 Complexity theory 16
2.2.1 Algorithms and reducibility 16
2.2.2 Two-party protocols 21
2.3 Group theory 21
2.3.1 Notation and basic facts 22
2.3.2 Computational aspects 24
2.3.3 Concrete groups and homomorphisms used in cryptography 30
2.3.4 A note on the presentation 36
2.4 Zero-knowledge proofs 37
2.4.1 Definitions 38
2.4.2 Some fundamental results 43
3 Pseudo-preimages and related computational problems 45
3.1 Definition and basic facts 46
3.2 Pseudo-preimage problem 47
3.2.1 Solvable instances of the pseudo-preimage problem 47
3.2.2 Hardness of the pseudo-preimage problem 50
3.3 Pseudo-preimage generation problem 53
4 The Σψ-protocol 61
4.1 Protocol definitions and the zero-knowledge property 63
4.2 Proof of knowledge property 67
4.2.1 A note on pseudo-preimage extractors 72
4.3 Knowledge error and efficiency of the Σψ-protocol 73
4.3.1 Efficiency analysis 74
4.3.2 Efficiency limitations and the minimal standard knowledge error 76
4.4 Interactive proofs 77
4.5 The Damgaard-Fujisaki scheme 80
5 On the optimality of the standard knowledge extractor of the Σψ-protocol 85
5.1 Definition of lower bound on the knowledge error 87
5.2 Lower bounds in the generic model 89
5.2.1 Model 91
5.2.2 Pseudo-random functions 95
5.2.3 Results 96
5.3 Lower bounds in the plain model 99
5.3.1 Lower bounds for power homomorphisms 99
5.3.2 Lower bounds for exponentiation homomorphisms 102
5.4 Proof of Theorem 5.1 110
5.4.1 Preliminaries 111
5.4.2 Definition of cheating prover P* and D_K(k) 114
5.4.3 Non-triviality and uniformity 115
5.4.4 Hardness 115
5.4.5 Evaluation of bounds in the simulated world 120
6 Efficient proofs of knowledge for exponentiation homomorphisms 125
6.1 Auxiliary information in the common input 127
6.2 The Σψ-protocol in the auxiliary setting 128
6.2.1 Sketch of basic idea 128
6.2.2 Formalization of basic idea 129
6.2.3 Application to exponentiation homomorphisms in hidden order groups 132
6.3 The Σψ+- and the Σψ+-WS-protocol 138
6.3.1 Proofs of knowledge in the auxiliary string model 138
6.3.2 The Σψ+-protocol 140
6.3.3 The Σψ+-WS-protocol 149
6.4 Comparison 154
7 Concluding remarks 156
Bibliography 158

1 Introduction

Zero-knowledge proofs of knowledge are a key building block for a large number of results in theoretical and in applied cryptography. A zero-knowledge proof of knowledge allows a prover to demonstrate to a verifier that it knows a solution of a search problem, whereas the verifier learns nothing about the solution. More precisely, a proof of knowledge is a protocol between a prover and a verifier. The common protocol input is an instance of a search problem, and the prover's input is a solution of the problem. At the end of the protocol execution the verifier either accepts or rejects. If a prover succeeds in getting the verifier to accept with a probability larger than some threshold probability (the knowledge error), then the verifier can be assured that the prover "knows a solution" of the problem instance at hand. "Knowing a solution" means that an algorithm (the knowledge extractor) exists that, given the prover as a black-box, computes the desired solution.

The notions of zero-knowledge and proof of knowledge originate in a seminal paper by Goldwasser, Micali, and Rackoff [GMR85]. The notion of zero-knowledge was formally introduced in the context of so-called interactive proofs (an interactive proof allows a prover to demonstrate the validity of an assertion to a verifier), while the idea of a proof of knowledge was coined, but not formalized. Subsequently, formal definitions of a proof of knowledge were given by Tompa and Woll [TW87] and Feige, Fiat, and Shamir [FFS88]. A more refined definition, which is the commonly used definition nowadays, was later proposed by Bellare and Goldreich [BG92]. Fundamental results of theoretical cryptography by Goldreich, Micali, and Wigderson [GMW86] and by Brassard, Chaum, and Crépeau [BCC88] describe generic techniques that yield zero-knowledge proofs of knowledge for all NP search problems.
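The Σψ-protocol for ψ_E(x) = h^x, its standard knowledge extractor and the pseudo-preimage the extractor delivers, as an added worked example that is not code from the dissertation. It uses constructed toy parameters (P, Q, H, N, HN, CMAX and the randomizer width R_BITS are assumptions, and far too small for real use) and goes one step beyond the text: in the hidden-order group it exhibits a y that has a pseudo-preimage but no preimage, so a prover convinces the verifier for half of all challenges while no extractor could ever output a preimage.

```python
"""Sigma_psi-protocol for psi(x) = h^x with its standard knowledge extractor.

Added worked example with constructed toy parameters (far too small for real
use), not code from the dissertation.  A group of known prime order, where the
extractor recovers x, is contrasted with an RSA-type group of hidden order,
where the extractor only gets a pseudo-preimage (v, u) with h^u = y^v.
"""
import secrets

# Known-order group: the subgroup of Z_P^* of prime order Q = (P-1)/2, generated
# by H = 2^2.  Hidden-order group: quadratic residues mod N = 23 * 47, generated
# by HN; their order 11 * 23 is assumed unknown to prover, verifier and extractor.
P, Q, H = 1019, 509, 4
N, HN = 23 * 47, 4
CMAX = 2 ** 12       # challenge set {0, ..., CMAX-1}
R_BITS = 64          # hidden order: bit width of the integer randomizer r
KNOWN = (H, P, Q)    # a group is (generator, modulus, order or None if hidden)
HIDDEN = (HN, N, None)

def commit(grp, x):
    """Round 1 (prover): pick r, send t = h^r.  Known order: r uniform mod Q.
    Hidden order: r is a wide integer so that s = r + c*x statistically hides x
    (Damgaard-Fujisaki style; the bound is a toy choice)."""
    h, mod, order = grp
    r = secrets.randbelow(order) if order else secrets.randbelow(2 ** R_BITS)
    return r, pow(h, r, mod)

def respond(grp, r, x, c):
    """Round 3 (prover): s = r + c*x, reduced mod the order only if known."""
    s = r + c * x
    return s % grp[2] if grp[2] else s

def verify(grp, y, t, c, s):
    """Verifier accepts the transcript (t, c, s) iff h^s == t * y^c."""
    h, mod, _ = grp
    return pow(h, s, mod) == (t * pow(y, c, mod)) % mod

def simulate(grp, y, c):
    """Honest-verifier zero-knowledge: given c, pick s and set t = h^s * y^-c;
    the transcript verifies although no x was used (needs Python >= 3.8)."""
    h, mod, order = grp
    s = secrets.randbelow(order) if order else secrets.randbelow(2 ** R_BITS)
    return (pow(h, s, mod) * pow(y, -c, mod)) % mod, c, s

def extract_pseudo_preimage(t1, c1, s1, t2, c2, s2):
    """Standard extractor: two accepting transcripts with the same t and c1 != c2
    give h^(s1-s2) = y^(c1-c2), i.e. the pseudo-preimage (v, u) = (c1-c2, s1-s2)."""
    assert t1 == t2 and c1 != c2
    return c1 - c2, s1 - s2

def pseudo_to_preimage(grp, y, v, u):
    """Turn (v, u) into x with h^x = y.  Known order: x = u * v^-1 mod Q always
    works.  Hidden order: v can only be divided out over the integers, and even
    then the candidate must be checked against y."""
    h, mod, order = grp
    if order:
        return (u * pow(v, -1, order)) % order
    if u % v != 0:
        return None
    x = u // v
    return x if pow(h, x, mod) == y else None

def honest_extract(grp, x, c1, c2):
    """Rewind an honest prover to answer two challenges, then extract x."""
    y = pow(grp[0], x, grp[1])
    r, t = commit(grp, x)
    s1, s2 = respond(grp, r, x, c1), respond(grp, r, x, c2)
    assert verify(grp, y, t, c1, s1) and verify(grp, y, t, c2, s2)
    v, u = extract_pseudo_preimage(t, c1, s1, t, c2, s2)
    return pseudo_to_preimage(grp, y, v, u)

def hidden_order_cheater(x=123):
    """Hidden order: y = -h^x has no preimage at all (-1 is not a quadratic
    residue mod N), yet a prover holding x answers every even challenge, since
    y^c = h^(c*x) for even c.  Returns its success rate over all challenges and
    what the extractor makes of two of its transcripts."""
    y = (-pow(HN, x, N)) % N
    r, t = commit(HIDDEN, x)
    wins = sum(verify(HIDDEN, y, t, c, respond(HIDDEN, r, x, c)) for c in range(CMAX))
    v, u = extract_pseudo_preimage(t, 2, respond(HIDDEN, r, x, 2), t, 0, r)
    assert pow(HN, u, N) == pow(y, v, N)   # (2, 2x) really is a pseudo-preimage
    return wins / CMAX, pseudo_to_preimage(HIDDEN, y, v, u)
```

With binary challenges (c in {0,1}) the extractor always has v = ±1 and division is trivial, which is why such protocols need many repetitions in hidden-order groups; the cheating prover above succeeds with rate 1/2 for any challenge set, illustrating why a small knowledge error needs more than the standard extractor there.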