Post on 04-Apr-2018
Trapdoor one-way PermutationsApplications
Outline
1 Trapdoor one-way Permutations
   Definition and Examples
   New Provably Secure Trapdoor OW Permutations
2 Applications
   Hybrid Encryption
   Trapdoor Hashing
K. Schmidt-Samoa A New Rabin-type Trapdoor Permutation
Informal Def. of Trapdoor OW Permutations
Definition
$F = \{f_i \mid f_i : A_i \to B_i,\ f_i \text{ is bijective}\}$ is a family of trapdoor one-way permutations if for all $i$:
− $f_i$ is easy to compute
− $f_i$ is hard to invert
− a trapdoor $s_i$ exists s.t. inverting $f_i$ is easy knowing $s_i$
and
− $F$ is easy to sample
[Figure: $x \to f(x)$ easy; $f(x) \to x$ hard, easy with trapdoor]
Trapdoor OW Permutations in Cryptography
Used for public key encryption, digital signatures, private information retrieval, ...
↪ of prime importance!
... BUT ...
Existence (of OW functions) is unproven to date!
Alternative: provably secure trapdoor OW permutations
break one-wayness ⇒ solve presumably hard problem
BUT: only very few candidates known
Famous Candidates for Trapdoor OW Functions
RSA permutation (1978)
$n = pq$, $\gcd(e, \varphi(n)) = 1$
$\mathbb{Z}_n^\times \to \mathbb{Z}_n^\times$, $x \mapsto x^e \bmod n$
Trapdoor: $d = e^{-1} \bmod \varphi(n)$
Hard problem: RSA
Rabin (1979)
$n = pq$
$\mathbb{Z}_n^\times \to QR(n)$, $x \mapsto x^2 \bmod n$
Trapdoor: $p, q$
Hard problem: FACT
NO injection (4-to-1), but: $p, q = 3 \bmod 4$ ⇒ squaring mod $n = pq$ is a permutation on $QR(n)$ (Blum-Williams)
New Trapdoor OW Permutations
$p, q \in \mathrm{PRIMES}(k)$, $n = p^2 q$
Definition (Set of n-th residues mod n)
$\text{N-R}(n) := \{x \in \mathbb{Z}_n^\times \mid x = y^n \bmod n \text{ for a } y \in \mathbb{Z}_n^\times\}$
Theorem
$x^n = y^n \bmod n \iff x = y \bmod pq$.
⇓
Theorem
If factoring $n = p^2 q$ is hard, then
$f_{\text{N-R}} : \text{N-R}(n) \to \text{N-R}(n)$, $x \mapsto x^n \bmod n$
and
$f_{pq} : \mathbb{Z}_{pq}^\times \to \text{N-R}(n)$, $x \mapsto x^n \bmod n$
are trapdoor OW permutations (trapdoor: $d = n^{-1} \bmod \varphi(pq)$)
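Similarities between Proposal and Rabin
| Proposal | Rabin |
| $\mathbb{Z}_n^\times \to \text{N-R}(n)$ for $n = p^2 q$, $x \mapsto x^n \bmod n$ | $\mathbb{Z}_n^\times \to QR(n)$ for $n = pq$, $x \mapsto x^2 \bmod n$ |
| homomorph | homomorph |
| p-to-1 | 4-to-1 |
| non-trivial kernel element reveals fact. of n | non-trivial kernel element reveals fact. of n |
| restriction to $\text{N-R}(n)$ is permutation | restriction to $QR(n)$ is permutation ($p = q = 3 \bmod 4$) |
| restriction to $\mathbb{Z}_{pq}^\times$ is permutation | no analogue known |
| hard to distinguish $\text{N-R}(n)$ and $\mathbb{Z}_n^\times$ | hard to distinguish $QR(n)$ and $\mathbb{Z}_n^\times$ |
| above distinction is easy if fact. of n is known | above distinction is easy if fact. of n is known |
$x \in \text{N-R}(n) \iff x^{p-1} = 1 \bmod p^2$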
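An added example (not code from the talk) that checks the two theorems on the "New Trapdoor OW Permutations" slide and the N-R(n) membership test above by brute force. The toy primes p = 11, q = 13 and all function names are constructed for illustration, and gcd(n, φ(pq)) = 1 is assumed so that d exists.

```python
from math import gcd

# Constructed toy parameters (assumption); real keys use large k-bit primes.
P, Q = 11, 13
N, PQ = P * P * Q, P * Q              # n = p^2 q = 1573, pq = 143
D = pow(N, -1, (P - 1) * (Q - 1))     # trapdoor d = n^-1 mod phi(pq)

def units(m):
    """Elements of Z_m^x."""
    return [x for x in range(1, m) if gcd(x, m) == 1]

def f(x):
    """Public direction x -> x^n mod n."""
    return pow(x, N, N)

def invert(c):
    """Trapdoor direction: the unique preimage of c in Z_pq^x."""
    return pow(c, D, PQ)

def is_nth_residue(x):
    """Test that needs the factorisation: x^(p-1) = 1 mod p^2."""
    return pow(x, P - 1, P * P) == 1

def check_properties():
    fibres = {}                        # image -> all its preimages in Z_n^x
    for x in units(N):
        fibres.setdefault(f(x), []).append(x)
    nr = sorted(fibres)                # N-R(n), the set of n-th residues
    return {
        # x -> x^n mod n is p-to-1 on Z_n^x
        "fibre_sizes": {len(v) for v in fibres.values()},
        # x^n = y^n mod n  <=>  x = y mod pq
        "fibre_is_class_mod_pq": len(nr) == len(units(PQ)) and all(
            len({x % PQ for x in v}) == 1 for v in fibres.values()),
        # f_pq is inverted by the trapdoor d
        "f_pq_inverts": all(invert(f(x)) == x for x in units(PQ)),
        # f_N-R maps N-R(n) bijectively onto itself
        "f_NR_permutes": sorted(f(c) for c in nr) == nr,
        # membership test agrees with the definition of N-R(n)
        "membership_test": all(is_nth_residue(x) == (x in fibres)
                               for x in units(N)),
    }
```

Without p, the only generic way to decide membership in N-R(n) here is the exhaustive search that builds `fibres`, which is infeasible at real key sizes.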
Hybrid Encryption
Problem
laborious key management in secret key cryptography, costly operations in public key cryptography
Solution
public key scheme that uses efficient secret key encryption as black box
↪ hybrid encryption
Frameworks for Hybrid Encryption
Fujisaki/Okamoto 1998: two generic conversions (EPOC-1/2)
Okamoto/Pointcheval 2001: REACT conversion (EPOC-3)
Cramer/Shoup 2001: KEM/DEM framework
Abe/Kurosawa/Gennaro 2005: Tag-KEM/DEM framework
. . .
A New Tag-KEM
Key-Gen($1^k$):
  Choose $p, q \in \mathrm{PRIMES}(k)$
  Compute $n = p^2 q$, $d = n^{-1} \bmod \varphi(pq)$
  Define $rLen = 2k - 2$
  Return $pk = (n, rLen)$ and $sk = (d, p, q)$
KEM-Key($pk$):
  Choose $\omega \in \{0, 1, \ldots, 2^{rLen} - 1\}$
  Compute $G(\omega) = dk$ (DEM-key)
  Return $(\omega, dk)$
Encap$_{pk}(\omega, \tau)$:
  Compute $c_1 = \omega^n \bmod n$
  Compute $c_2 = H(\omega, \tau)$ (integrity-check)
  Return $\Psi = (c_1, c_2)$
Decap$_{sk}(\Psi, \tau)$:
  Parse $\Psi$ to $c_1, c_2$
  Compute $r = c_1^d \bmod pq$
  If $|r|_2 > rLen$ or $H(r, \tau) \neq c_2$, return $\bot$, else return $G(r)$
Comparison
| Scheme | assumpt. | encrypt | decrypt | pk |
| EPOC-2 | FACT | 7k/2 MM(3k) | 3k/2 MM(2k) + 7k/4 MM(k) | 9k |
| EPOC-3 | Gap-HR | 7k/2 MM(3k) | 3k/2 MM(2k) | 9k |
| Proposed | FACT | 9k/2 MM(3k) | 3k MM(k) | 3k |
Table: Comparison between proposed hybrid encryption scheme and EPOC-2/3
MM(k) = multiplication modulo k-bit number ($k = |p|_2 = |q|_2$)
Trapdoor Hashing
− blinding: hash values of different messages are indistinguishable
− binding: without secret key no one can find collisions
Weak altering trapdoor collisions: [figure; labels: such that, hash, hash, trap-coll]
Strong altering trapdoor collisions: [figure; labels: such that, hash, hash, trap-coll]
uniformity: trapdoor hashes are indistinguishable from real hashes
Comparison
| Scheme | Assumption | strong | hash | weak alt. |
| [BK90] | DL | NO | ≈ 1 exp. | ≈ 1 mult. |
| [KR00] | FACT | YES | ≈ $|m|_2$ mult. | ≈ 5 mult. |
| [ST01] | FACT | NO | 1 exp. | 1 add. + bit shift |
| proposed | FACT | YES | 1 exp. | 1 add. + bit shift |
Table: Comparison of trapdoor hash families suitable for Shamir-Tauman online-offline signatures [ST01]
Conclusion
− invented new trapdoor permutations based on factoring $n = p^2 q$
− proposed new hybrid encryption scheme
− designed new practical trapdoor hashes
Thanks for your attention!
The KEM/DEM Framework
Cramer/Shoup 2001
KEM (Key Encapsulation Mechanism)
Encapsulation
− a random key dk is generated
− dk is encrypted to c with public KEM-key
Decapsulation
− c is decrypted with secret KEM-key
cf. public key encryption scheme without messages
DEM (Data Encapsulation Mechanism)
cf. secret key encryption scheme
The KEM/DEM Framework, cont’d
Generic method
Encryption
  $dk \leftarrow \text{KEM-Key}_{pk}$
  $\tau \leftarrow \text{DEM-Enc}_{dk}(m)$
  $\Psi \leftarrow \text{Encap}_{pk}(dk)$
  Return $(\Psi, \tau)$
Decryption
  $dk \leftarrow \text{Decap}_{sk}(\Psi)$
  $m \leftarrow \text{DEM-Dec}_{dk}(\tau)$
  Return $m$
Security
CCA-secure KEM + CCA-secure DEM = CCA-secure KEM/DEM
adversary with adaptive oracle access to $\text{Decap}_{sk}$ cannot distinguish if a given DEM key is encapsulated in challenge or not. Restriction: $\text{Decap}_{sk}$ must not be queried on challenge.
The Tag-KEM/DEM Framework
Abe/Kurosawa/Gennaro 2005
Tag-KEM (Key Encapsulation Mechanism)
Encapsulation
− a random key dk is generated
− dk is encrypted to c with public KEM-key and the tag
Decapsulation
− c is decrypted with secret KEM-key and the tag
DEM (Data Encapsulation Mechanism)
cf. secret key encryption scheme
The Tag-KEM/DEM Framework, cont’d
Generic method
Encryption
  $dk \leftarrow \text{KEM-Key}_{pk}$
  $\tau \leftarrow \text{DEM-Enc}_{dk}(m)$
  $\Psi \leftarrow \text{Encap}_{pk}(dk, \tau)$
  Return $(\Psi, \tau)$
Decryption
  $dk \leftarrow \text{Decap}_{sk}(\Psi, \tau)$
  $m \leftarrow \text{DEM-Dec}_{dk}(\tau)$
  Return $m$
Security
CCA-secure tag-KEM: adversary with adaptive oracle access to $\text{Decap}_{sk}$ cannot distinguish if a given DEM key is encapsulated in challenge or not. Restriction: $\text{Decap}_{sk}$ must not be queried on challenge $(\Psi, \tau)$. Queries $(\Psi, \tau' \neq \tau)$ are ok
↪ integrity of tag
↪ DEM is required to be secure against passive attacks only
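The scheme from the "A New Tag-KEM" slide plugged into the generic Tag-KEM/DEM method above, as an added example that is not the author's code. Assumptions: constructed toy 10-bit primes, G and H instantiated as domain-separated SHA-256, a SHA-256 XOR keystream as stand-in DEM, and hypothetical function names.

```python
import hashlib
import secrets

# Constructed toy parameters: 10-bit primes (k = 10). Real keys use large k.
P, Q, K = 1009, 1013, 10
N, PQ, RLEN = P * P * Q, P * Q, 2 * K - 2    # pk = (n, rLen)
D = pow(N, -1, (P - 1) * (Q - 1))            # sk part: d = n^-1 mod phi(pq)

def _h(label, r, tau=b""):
    # Assumption: G and H are domain-separated SHA-256 (not fixed by the slides).
    return hashlib.sha256(label + r.to_bytes(8, "big") + tau).digest()

def kem_key():
    omega = secrets.randbelow(2 ** RLEN)
    return omega, _h(b"G", omega)            # (omega, dk = G(omega))

def encap(omega, tau):
    return pow(omega, N, N), _h(b"H", omega, tau)   # Psi = (c1, c2)

def decap(psi, tau):
    c1, c2 = psi
    r = pow(c1, D, PQ)                       # r = c1^d mod pq
    if r.bit_length() > RLEN:
        return None                          # reject: r out of range
    if not secrets.compare_digest(_h(b"H", r, tau), c2):
        return None                          # reject: integrity check on (r, tau)
    return _h(b"G", r)

def _dem(dk, data):
    # Stand-in DEM: XOR with a SHA-256 keystream; passive security only,
    # which is all the Tag-KEM/DEM framework asks of the DEM.
    stream = b"".join(hashlib.sha256(dk + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(m):
    omega, dk = kem_key()
    tau = _dem(dk, m)                        # DEM ciphertext is the tag
    return encap(omega, tau), tau            # (Psi, tau)

def decrypt(psi, tau):
    dk = decap(psi, tau)
    return None if dk is None else _dem(dk, tau)
```

Because c2 binds ω to τ, a modified DEM ciphertext is rejected at decapsulation before any DEM key is released, which is why the DEM itself carries no integrity protection.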
On-line/Off-line Signatures
Ordinary signatures: [figure; label: sign]
On-line/off-line signatures: [figure; labels: off-line phase, on-line phase, precomputation, sign]
Invented 1996 by Even/Goldreich/Micali
Improved construction 2001 by Shamir/Tauman
Shamir-Tauman On-line Off-line Signatures
Key generation:
1. generate sign keys
2. generate hash keys
3. publish
Off-line phase:
1. create hash (dummy message, dummy coins)
2. sign hash
On-line phase:
trap-coll (message to be signed)
Signature: [figure not recovered]
Shamir-Tauman On-line Off-line Signatures, cont’d
Efficiency
overhead: weak trapdoor altering (on-line)
↪ weak trapdoor altering should be extremely fast
Security
weakly secure signature scheme + weak trapdoor hash ⇒ strongly secure on-line/off-line signature scheme
even more weakly secure signature scheme + strong trapdoor hash ⇒ strongly secure on-line/off-line signature scheme
Conclusion
We need strong trapdoor hash with extremely fast weak trapdoor altering.
[BK90] J. F. Boyar and S. A. Kurtz. A discrete logarithm implementation of perfect zero-knowledge blobs. Journal of Cryptology, 2(2):63–76, 1990.
[KR00] H. Krawczyk and T. Rabin. Chameleon signatures. In NDSS. The Internet Society, 2000.
[ST01] A. Shamir and Y. Tauman. Improved online/offline signature schemes. In Joe Kilian, editor, CRYPTO, volume 2139 of Lecture Notes in Computer Science, pages 355–367. Springer, 2001.