The Hardness of Hensel Lifting: The Case of RSA and Discrete Logarithm
2002, Lecture Notes in Computer Science
At ACM CCS '01, Catalano et al. proposed a mix of the RSA cryptosystem with the Paillier cryptosystem from Eurocrypt '99. The resulting scheme, which we call RSAP, is a probabilistic cryptosystem which is both semantically secure under an appropriate decisional assumption and as efficient as RSA, but without the homomorphic property of the Paillier scheme. Interestingly, Sakurai and Takagi presented at PKC '02 a proof that the one-wayness of RSAP was equivalent to the RSA assumption. However, we notice in this paper that the above proof is not completely correct (it works only in the case when a perfect oracle, i.e. an oracle that always provides correct answers, is given). We fix the proof by presenting a new proof based on low-dimensional lattices. The new proof, inspired by the work of Sakurai and Takagi, is somewhat related to Hensel lifting and the N-adic decomposition of integer exponentiation. Roughly speaking, we consider the problem of computing f(x) mod M^k given f(x) mod M and an exponent k > 1. By studying the case f(x) = x^e and M an RSA modulus, we deduce that the one-wayness of RSAP is indeed equivalent to the RSA assumption, and we are led to conjecture that the one-wayness of the original Paillier scheme may not be equivalent to the RSA assumption with exponent N. By analogy, we also study the discrete logarithm case, namely when f(x) = g^x and M is a prime, and we show that the corresponding problem is curiously equivalent to the discrete logarithm problem in the subgroup spanned by g.
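The following is an added worked example, not code from the paper or its authors: a toy RSA-Paillier (RSAP) instance in Python that makes the link between the scheme's one-wayness and the lifting problem concrete. Encryption is written as c = r^e (1 + mN) mod N^2 with r a unit mod N and m in Z_N, which is the usual presentation of RSAP; the primes, exponent, messages and function names are constructed for the demo and assumed, not taken from the page. Reducing c mod N leaves the plain RSA value r^e mod N; once r is known the lift to r^e mod N^2 is immediate and the message falls out. The last function shows the other direction: without the correct lift, every one of the N candidates for r^e mod N^2 decrypts to a different plaintext, so the residue mod N alone carries no information about m.

```python
# Added example, not code from the paper: a toy RSA-Paillier (RSAP) instance
# showing why its one-wayness comes down to lifting r^e mod N to r^e mod N^2.
# Encryption is written as c = r^e * (1 + mN) mod N^2 with r in Z_N^*, m in Z_N.
from math import gcd


def keygen(p, q, e):
    """Build a toy RSAP key from two primes and a public exponent.

    Requires gcd(e, lambda(N)) = 1 so that e is invertible for the RSA step.
    The primes used below are constructed toy values, far too small for real use.
    """
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # Carmichael's lambda(N)
    if gcd(e, lam) != 1:
        raise ValueError("e must be coprime to lambda(N)")
    # pow(e, -1, lam) is the modular inverse (Python 3.8+)
    return {"n": n, "n2": n * n, "e": e, "d": pow(e, -1, lam)}


def encrypt(key, m, r):
    """RSAP encryption: c = r^e * (1 + mN) mod N^2."""
    n, n2, e = key["n"], key["n2"], key["e"]
    if not (0 <= m < n and 0 < r < n and gcd(r, n) == 1):
        raise ValueError("m must be in Z_N and r a unit of Z_N")
    return pow(r, e, n2) * (1 + m * n) % n2


def recover_r(key, c):
    """Reducing c mod N kills the (1 + mN) factor and leaves the RSA value r^e mod N."""
    return pow(c % key["n"], key["d"], key["n"])  # plain RSA inversion with d


def lift(key, r):
    """The lift r^e mod N -> r^e mod N^2 is immediate once r itself is known."""
    return pow(r, key["e"], key["n2"])


def decrypt(key, c):
    """Decrypt by RSA-inverting c mod N, lifting, and dividing the lift out of c."""
    n, n2 = key["n"], key["n2"]
    u = c * pow(lift(key, recover_r(key, c)), -1, n2) % n2  # equals 1 + mN
    if (u - 1) % n != 0:
        raise ValueError("malformed ciphertext")
    return (u - 1) // n


def messages_consistent_with(key, c):
    """Show that the value r^e mod N alone says nothing about m.

    Every integer y + tN (t in Z_N) is a candidate for r^e mod N^2, and each
    candidate yields a different, equally valid-looking plaintext. Only the
    correct lift (equivalently, r) singles out the right one. This loops over
    all N candidates, so only call it on a tiny key.
    """
    n, n2 = key["n"], key["n2"]
    y = c % n
    found = set()
    for t in range(n):
        candidate = y + t * n                    # one of the N lifts of y
        u = c * pow(candidate, -1, n2) % n2      # c / candidate, still 1 mod N
        found.add((u - 1) // n)
    return found


if __name__ == "__main__":
    key = keygen(1009, 1013, 17)                 # constructed toy key
    c = encrypt(key, 123456, 98765)
    print("decrypt ok:", decrypt(key, c) == 123456)
    tiny = keygen(11, 13, 17)                    # N = 143, small enough to enumerate
    ct = encrypt(tiny, 42, 7)
    print("distinct plaintexts consistent with c mod N:",
          len(messages_consistent_with(tiny, ct)))
```

The design point is the split inside `decrypt`: `recover_r` is exactly RSA inversion mod N, and `lift` is the Hensel-style step mod N^2 that the paper's reduction is about. An attacker who could perform the lift without r would bypass the RSA step entirely, which is why the hardness of lifting, not the RSA assumption alone, is what a proof of RSAP's one-wayness has to pin down.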
Related papers
Generalization of a Variant of Paillier's Public-Key Cryptosystem
2007
We propose a generalization of a variant of the Paillier cryptosystem that is an additive homomorphic cryptosystem, meaning that one can combine ciphertexts into a new ciphertext that is the encryption of the sum of the messages of the original ciphertexts.
The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme
Journal of Cryptology, 2003
We introduce a new class of computational problems which we call the "one-more-RSA-inversion" problems. Our main result is that two problems in this class, which we call the chosen-target and known-target inversion problems respectively, have polynomially-equivalent computational complexity. We show how this leads to a proof of security for Chaum's RSA-based blind signature scheme in the random oracle model based on the assumed hardness of either of these problems. We define and prove analogous results for "one-more-discrete-logarithm" problems. Since the appearance of the preliminary version of this paper, the new problems we have introduced have found other uses as well.
On the security of RSA textbook signature scheme on Paillier ciphertext
Lietuvos matematikos rinkinys
In this paper we consider Paillier encryption and RSA textbook signature. We show that due to the valuable homomorphic property these algorithms can be used together to obtain a valid signature on a certain combination of ciphertexts. Our goal is to show that this combination of algorithms provides security against chosen plaintext and chosen ciphertext attacks.
A Practical Public Key Cryptosystem from Paillier and Rabin Schemes
2003
We propose a practical scheme based on factoring and semantically secure (IND-CPA) in the standard model. The scheme is obtained from a modification of the so-called RSA-Paillier [5] scheme. This modification is reminiscent of the ones applied by Rabin [22] and Williams [25] to the well-known RSA cryptosystem. Thanks to the special properties of such schemes, we obtain efficiency similar to that of the RSA cryptosystem, provably secure encryption (since recovering plaintext from ciphertext is as hard as factoring) and indistinguishability against plaintext attacks. We also construct a new trapdoor permutation based on factoring, which has interest on its own. Semantic security of the scheme is based on an appropriate decisional assumption, named the Decisional Small 2e-Residues assumption. The robustness of this assumption is also discussed. Compared to Okamoto-Uchiyama's scheme [18], the previous IND-CPA cryptosystem in the standard model with one-wayness based on factoring, our scheme is drastically more efficient in encryption, and presents higher bandwidth, achieving the same expansion factor as the Paillier or El Gamal schemes. We believe the new scheme could be an interesting starting point to develop efficient IND-CCA schemes in the standard model with one-wayness based on factoring.
A new and optimal chosen-message attack on RSA-type cryptosystems
Lecture Notes in Computer Science, 1997
Chosen-message attack on RSA is usually considered as an inherent property of its homomorphic structure. In this paper, we show that nonhomomorphic RSA-type cryptosystems are also susceptible to a chosen-message attack. In particular, we prove that only one message is needed to mount a successful chosen-message attack against the Lucas-based systems and Demytko's elliptic curve system.
A New Attack on Three Variants of the RSA Cryptosystem
Lecture Notes in Computer Science, 2016
In 1995, Kuwakado, Koyama and Tsuruoka presented a new RSA-type scheme based on singular cubic curves y^2 ≡ x^3 + bx^2 (mod N) where N = pq is an RSA modulus. Then, in 2002, Elkamchouchi, Elshenawy and Shaban introduced an extension of the RSA scheme to the field of Gaussian integers using a modulus N = PQ where P and Q are Gaussian primes such that p = |P| and q = |Q| are ordinary primes. Later, in 2007, Castagnos proposed a scheme over quadratic field quotients with an RSA modulus N = pq. In the three schemes, the public exponent e is an integer satisfying the key equation ed − k(p^2 − 1)(q^2 − 1) = 1. In this paper, we apply the continued fraction method to launch an attack on the three schemes when the private exponent d is sufficiently small. Our attack can be considered as an extension of the famous Wiener attack on RSA.
Primeless factoring-based cryptography
Factoring-based public-key cryptosystems have an overall complexity which is dominated by the key-production algorithm, which requires the generation of prime numbers. This is most inconvenient in settings where the key generation is not a one-off process, e.g., secure delegation of computation or EKE password-based key exchange protocols. To this end, we extend the Goldwasser-Micali (GM) cryptosystem to a provably secure system, denoted SIS, where the generation of primes is bypassed. By developing on the correct choice of the parameters of SIS, we align SIS's security guarantees (i.e., resistance to factoring of moduli, etc.) to those of other well-known factoring-based cryptosystems. Taking into consideration different possibilities to implement the fundamental operations, we explicitly compare and contrast the asymptotic complexity of well-known public-key cryptosystems (e.g., GM and/or RSA) with that of SIS. The latter shows that once we are ready to accept an increase in the size of the moduli, SIS offers a generally lower asymptotic complexity than, e.g., GM or even RSA (when scaling correctly the number of encrypted bits). This would yield most significant speed-ups to applications like the aforementioned secure delegation of computation or protocols where a fresh key needs to be generated with every new session, e.g., EKE password-based key exchange protocols.