6.12.2001 ICISC 2001 1
An IND-CCA2 Public-Key Cryptosystem with Fast Decryption using Quadratic Fields
- NICE-X Cryptosystem -
Dr. Tsuyoshi Takagi
Darmstadt University of Technology
(joint work with Prof. Buchmann and Prof. Sakurai)

RSA Cryptosystem ’78
de facto standard of public-key cryptosystems
p, q: primes, n = pq, L = LCM(p-1, q-1), ed ≡ 1 mod L
e, n: public key, d: secret key (factoring, n: 1024 bits)
M: message, M ∈ {0,1,2,...,n-1}.
Encryption: C ≡ M^e mod n
e: small (2^16+1), FAST.
Decryption: M ≡ C^d mod n
d: large (d > n^(1/2)), SLOW, cubic complexity, O((log n)^3).

Fast decryption is desired
For the sake of high security, a secret key is stored on a smart card (tamper-free) and the decryption computation is carried out on it.
A special coprocessor is required for computing the decryption function on a smart card, which is very expensive.
Currently no public-key cryptosystems are used in large-scale markets, such as cash cards or SIM cards for mobile phones.

NICE cryptosystem (Paulus, Takagi ’00)

                  1024 bits   1536 bits   2048 bits
RSA encryption    1.1 ms      3.2 ms      4.3 ms
RSA decryption    118.6 ms    370.6 ms    798.5 ms
RSA (CRT)         36.4 ms     111.5 ms    235.2 ms
NICE encryption   962.0 ms    2654.7 ms   5661.0 ms
NICE decryption   1.7 ms      2.9 ms      4.3 ms

Average on 100 random keys, Celeron 500 MHz, LiDIA library, e = 2^16+1.
• NICE cryptosystem is constructed over class groups of quadratic discriminants Cl(D).
• The security of NICE is based on factoring problems.
• Decryption time is of quadratic complexity O((log D)^2).
The decryption time is fast even for large keys.

Efficiency of quadratic complexity
[Figure: decryption time in ms (0 to 800) against key size in bits (1024, 1280, 1536, 1712, 2048) for RSA, RSA (CRT) and NICE; annotations: Quadratic complexity O((log D)^2), Cubic complexity O((log n)^3).]
The decryption of NICE is fast even for large keys. 1.7 ms for 1024-bit public-keys. 4.3 ms for 2048-bit public-keys.

Key generation
Cl(D): the class group of quadratic discriminant D. An element of Cl(D) is represented by two integers (a,b), where b^2 ≡ D mod 4a, 0 < a < (|D|/3)^(1/2).
GoToMaxOrder: Cl(D) ⇒ Cl(-p), Inverse: Cl(-p) ⇒ Cl(D).
[Diagram: GoToMaxOrder maps Cl(D) (public) to Cl(-p) (secret) and Inverse maps back; labels: (a,b), (A,B), (a’,b’), P, (1,1).]
Secret keys: p, q (p, q: primes)
Public keys: (1) discriminant D = -pq^2, (2) kernel element P ∈ Ker(GoToMaxOrder)
Ker(GoToMaxOrder) is cyclic
#Ker(GoToMaxOrder) = q±1
P^r, r ∈ {0,1,...,q} is random in Ker

Encryption and Decryption
Encryption: (1) M: message ideal ∈ Cl(D) with M = (a,b), a < (p/4)^(1/2), (2) r: random integer ∈ {0,1,2,...,q-1}, (3) C = M P^r ∈ Cl(D).
Decryption: (1) K = GoToMaxOrder(C), (2) M = Inverse(K).
(1) GoToMaxOrder(C) = GoToMaxOrder(M P^r) = GoToMaxOrder(M) GoToMaxOrder(P^r) = GoToMaxOrder(M)
(2) Inverse(GoToMaxOrder(M)) = M for M = (a,b), a < (p/4)^(1/2)
[Diagram: Encryption takes M to C = M P^r in Cl(D); Decryption takes C to K in Cl(-p) and back to M; the bound (p/4)^(1/2) is marked.]

Why quadratic complexity O((log D)^2)?
Decryption = GoToMaxOrder + Inverse

GoToMaxOrder: Input: (a,b) of Cl(D), Output: (A,B) of Cl(-p)
  1. A = a;
  2. x ≡ 1/q mod a;
  3. B ≡ x b mod 2a;
  4. (A,B) = Reduction(A,B)
  5. Return (A,B)

Inverse: Input: (A,B) of Cl(-p), Output: (a,b) of Cl(D)
  1. a = A;
  2. b ≡ Bq mod 2a;
  3. Return (a,b)

Reduction: Input: primitive ideal (a,b), discriminant D. Output: reduced ideal (a,b)
  1. c = (D-b^2)/4a;
  2. While (-a < b ≤ a < c) or (0 ≤ b ≤ a = c) do
     2.1 find s,t such that -a ≤ t = b+2sa < a;
     2.2 (a,b,c) = (c-s(b+t)/2, t, a);
  3. If a = c and b < 0 then b = -b;
  4. Return (a,b)

Modular inverse: O((log D)^2)
Modular multiplication: O((log D)^2)
Reduction: O((log D)^2) by [BB98].
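
The key generation, encryption and decryption slides above, run end to end on constructed toy parameters (p = 167, q = 11), as an added example that is not from the slides or the authors' LiDIA code. Assumptions: reduction and Gauss composition are the textbook algorithms for positive definite forms rather than a transcription of the slide's Reduction steps, 1/q is taken modulo 2a instead of modulo a so that B keeps the parity of b, and all function names are hypothetical.

```python
# Toy NICE (added example): constructed parameters, far too small for real use.
p, q = 167, 11            # secret primes: p = 3 mod 4, q > sqrt(p/3)
D = -p * q * q            # public discriminant D = -p*q^2

def norm_b(b, a):         # representative of b mod 2a in the interval (-a, a]
    return (b + a - 1) % (2 * a) - (a - 1)

def xgcd(a, b):           # (g, u, v) with u*a + v*b == g == gcd(a, b), for b > 0
    u0, u1, v0, v1 = 1, 0, 0, 1
    while b:
        k = a // b
        a, b, u0, u1, v0, v1 = b, a - k * b, u1, u0 - k * u1, v1, v0 - k * v1
    return a, u0, v0

def reduce_form(a, b, disc):   # textbook reduction of a positive definite form
    while True:
        b = norm_b(b, a)
        c = (b * b - disc) // (4 * a)
        if a <= c:
            return (a, -b) if a == c and b < 0 else (a, b)
        a, b = c, -b           # swap the outer coefficients and continue

def compose(f, g, disc):       # Gauss composition (Cohen, Alg. 5.4.7), then reduce
    (a1, b1), (a2, b2) = sorted([f, g])
    c2 = (b2 * b2 - disc) // (4 * a2)
    s, n = (b1 + b2) // 2, (b2 - b1) // 2
    d, y1, _ = xgcd(a2, a1)
    d1, x2, v = xgcd(s, d)
    v1, v2 = a1 // d1, a2 // d1
    r = (-y1 * v * n - x2 * c2) % v1
    return reduce_form(v1 * v2, b2 + 2 * v2 * r, disc)

def go_to_max_order(a, b):     # Cl(D) -> Cl(-p); assumption: 1/q taken mod 2a
    return reduce_form(a, pow(q, -1, 2 * a) * b, -p)

def inverse(A, B):             # Cl(-p) -> Cl(D): b = B*q mod 2a
    return (A, norm_b(B * q, A))

# Public kernel element: lift of the principal form ((p+1)/4, 1) of discriminant -p.
P = reduce_form(*inverse((p + 1) // 4, 1), D)

def encrypt(M, r):             # C = M * P^r in Cl(D), r compositions (toy sizes only)
    C = M
    for _ in range(r):
        C = compose(C, P, D)
    return C

def decrypt(C):                # M = Inverse(GoToMaxOrder(C)): no exponentiation
    return inverse(*go_to_max_order(*C))
```

Decryption uses one modular inverse, one multiplication and one reduction, matching the three O((log D)^2) costs listed on the slide. Message ideals must satisfy a < (p/4)^(1/2), here a ≤ 6, or the reduced form in Cl(-p) no longer determines M.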

Number-theoretic problems
(1) QFDLP: quadratic field discrete logarithm problem - for G, A ∈ Cl(D), solving discrete logarithm x s.t. G^x = A.
(2) FP: factoring D = -pq^2.
(3) SKEP: the smallest kernel-equivalent problem - for A ∈ Cl(D), computing the ideal I s.t. N(I) is the smallest, GoToMaxOrder(A) = GoToMaxOrder(I).
(4) DKP: decisional kernel problem
Theorem: QFDLP => FP => SKEP => DKP

Security Results for NICE
[Diagram: One-wayness Adversary, with labels e: public key, E(m): ciphertexts, m: the messages, (d: secret key).]
(1) The one-wayness of NICE cryptosystem is as hard as solving the SKEP
(2) The semantic security of the NICE cryptosystem is as hard as solving the DKP

Semantically Secure
(1) Algorithm A1, on input pk, finds two messages m0, m1 (find stage).
(2) Algorithm A2, on input m0, m1, c = E(mb), guesses b (guess stage).
[Diagram: A1 takes e: public key and outputs m0: message and m1: message; a random encryption c = E(mb), the ciphertext of m0 or m1, goes to A2, which outputs b.]

Chosen Ciphertext Attack
In 1999, Jaulmes and Joux proposed a CCA against NICE.
[Diagram: a ciphertext C is sent to the Decryption oracle, which holds p, q and returns the Decryption of C.]
Fact: Ideal I s.t. N(I) < |D|^(1/2) is reduced or reduced after one reduction.
(1) Choose two ideals A1, A2 s.t. 2^((k-2)/2) < N(Ai) < 2^((k-1)/2), where k is the bit-length of p.
(2) Ask the ideal Ai to the decryption oracle, and obtain ideal Bi for i = 1,2. Let A1 = (a1,b1), A2 = (a2,b2), B1 = (c1,d1), B2 = (c2,d2), then we have relations: c1 = (x1^2 + p)/4 and c2 = (x2^2 + p)/4, where x1, x2 are unknown.
(3) Solve (x2-x1)(x2+x1) = 4(c2-c1), and find p.

NICE-X Cryptosystem
(1) The NICE-X cryptosystem is Semantically Secure against Chosen Ciphertext Attack (IND-CCA2) in the random oracle model under the SKEP.
(2) The NICE-X cryptosystem inherits the fast decryption. - Its overhead from NICE is only the computation of hash functions.

NICE-X Cryptosystem
Hash functions, g: Ker → {0,1}^k1, h: {0,1}^k1 × Ker → {0,1}^k2.
Encryption: R: random ideal ∈ Cl(D) with R = (a,b), R ∈ SI(D), Q: random ideal ∈ Kernel(D), C = RQ, B = m xor g(Q), H = h(m,Q)
(C,B,H) is the ciphertext of a message m ∈ {0,1}^k1
Decryption: R = Inverse(GoToMaxOrder(C)), Check R ∈ SI(D), Q = C R^(-1), m = B xor g(Q), Check H = h(m,Q), if not reject.
Semantically Secure against Chosen Ciphertext Attack (IND-CCA2)

Encryption of NICE-X
[Diagram: inputs are a random Q in Kernel(D), a message m and a random R in SI(D); outputs are C = RQ, B = m + g(Q) and H = h(m,Q).]
D: public key (quadratic discriminant)
SI(D), Kernel(D): special subsets of class group Cl(D)
g, h: one-way hash functions
SKEP = to compute R, Q for a given C.

Decryption of NICE-X
Ciphertext (C,B,H) = (RQ, m+g(Q), h(m,Q))
[Diagram: with the secret key, C yields R and Q; B + g(Q) yields the message m; H’ = h(m,Q) is recomputed.]
Check R in SI(D). If not, Reject
Check H’ = H. If not, Reject

NICE-X is IND-CCA2 under SKEP
Let A be a CCA adversary of the NICE-X cryptosystem with advantage ε, with time t, qG queries to the hash function G, qH queries to the hash function H, qD queries to the decryption oracle D. Then there is an algorithm for solving SKEP with at least (ε/2)(1 - qD/2^k2), time at most t + (qH + qG)k + (qH + qG) TE, where TE is the encryption time of the NICE-X cryptosystem, in the random oracle model.
Point: we can check that Q is the random mask of C by N(C Q^(-1)) < 2^(k/2).

References
(1) S. Paulus, T. Takagi, “A New Public-key Cryptosystem over the Quadratic Order with Quadratic Decryption Time”, Journal of Cryptology, 13, pp. 263-272, 2000.
(2) M. Hartmann, S. Paulus, T. Takagi, “NICE - New Ideal Coset Encryption -”, Workshop on Cryptographic Hardware and Embedded Systems (CHES), LNCS 1717, pp. 328-339, 1999.
(3) J. Buchmann, K. Sakurai, T. Takagi, “An IND-CCA2 Public-Key Cryptosystem with Fast Decryption”, 4th International Conference on Information Security and Cryptology, ICISC'01, LNCS 2288, pp. 51-71, 2002.
You can download them from the following homepage: http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/ttakagi.html