Modern Cryptology: from public key cryptography to homomorphic encryption
2015/12 — Yaoundé, Cameroun
Damien Robert
Équipe LFANT, Inria Bordeaux Sud-Ouest, Institut de Mathématiques de Bordeaux
Équipe MACISA, Laboratoire International de Recherche en Informatique et Mathématiques Appliquées
RSA

Fermat, Euler: if $x \in (\mathbb{Z}/N\mathbb{Z})^*$ then $x^{\phi(N)} = 1$.
RSA: $n = pq$, $\phi(n) = (p-1)(q-1)$.
If $N$ is a product of distinct primes, then for all $x \in \mathbb{Z}/N\mathbb{Z}$, $x^{1+\phi(N)} = x$.
Proof. If $N = p$, then Fermat shows this works for all $x \neq 0$, and $0$ is trivial to check. If $N = \prod p_i$, by the CRT $\mathbb{Z}/N\mathbb{Z} \simeq \prod \mathbb{Z}/p_i\mathbb{Z}$ as a ring and we are back to the prime case.
In RSA, if $e$ is prime to $\phi(n)$ and $d$ is its inverse, then for all $x \in \mathbb{Z}/n\mathbb{Z}$, $x^{ed} = x$.
Encryption: $x \mapsto x^e$; Decryption: $y \mapsto y^d$.
Signature: $x \mapsto x^d$; Verification: $y \mapsto y^e$.
Reductions on RSA

Given the public key $(N, e)$:
RSADP (Decryption Problem): from $y = x^e$ find $x$;
RSAKRP (Key Recovery Problem): find $d$ such that $x^{ed} = x$ for all $x \in (\mathbb{Z}/N\mathbb{Z})^*$;
RSAEMP (Exponent Multiple Problem): find $k$ such that $x^k = 1$ for all $x \in (\mathbb{Z}/N\mathbb{Z})^*$ (so $k$ is a multiple of $(p-1) \vee (q-1)$, their lcm);
RSAOP (Order Problem): find $\phi(N)$;
RSAFP (Factorisation Problem): recover $p$ and $q$.

Theorem. RSAKRP $\Leftrightarrow$ RSAEMP $\Leftrightarrow$ RSAFP $\Leftrightarrow$ RSAOP $\Rightarrow$ RSADP.

Proof. RSAFP $\Rightarrow$ RSAOP $\Rightarrow$ RSAKRP $\Rightarrow$ RSAEMP. The hard part is to show that RSAEMP $\Rightarrow$ RSAFP. The goal is to find $x \neq \pm 1$ such that $x^2 = 1$. Then $(x-1) \wedge N$ (the gcd) gives a prime factor. Write $k = 2^s t$, and for a random $y$ look at $x = y^t, x^2, x^{2^2}, \dots, x^{2^j}$ until we find $1$, say $x^{2^{j_0+1}} = 1$. Then $x^{2^{j_0}}$ is a square root of $1$. The bad cases are when $x = y^t = 1$ (but this has probability less than $1/4$) and when $x^{2^{j_0}} = -1$ (but this has probability less than $1/2$).
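The RSAEMP $\Rightarrow$ RSAFP reduction of the proof, as an added Python example that is not part of the slides; the toy key ($p = 53$, $q = 61$, $e = 17$, $d = 2753$) is constructed here and is not a real key. It is the reason a leaked private exponent is equivalent to a leaked factorisation: the whole key pair must be replaced, not just $d$.

```python
from math import gcd

def factor_from_exponent_multiple(n, k):
    """RSAEMP => RSAFP: given n = pq and k with x^k = 1 for all x in (Z/nZ)^*, return a prime factor.

    Write k = 2^s t; for a base y take x = y^t and square until the first 1. The value
    just before it is a square root of 1; if it is not +-1, gcd(x - 1, n) is a factor.
    """
    s, t = 0, k
    while t % 2 == 0:
        s, t = s + 1, t // 2
    for y in range(2, n):               # bases tried in order for reproducibility (a real run draws y at random)
        g = gcd(y, n)
        if 1 < g < n:
            return g                    # y itself already shares a factor with n
        x = pow(y, t, n)
        if x == 1:
            continue                    # bad case 1: y^t = 1 tells us nothing
        for _ in range(s):
            x2 = x * x % n
            if x2 == 1:
                if x != n - 1:          # x^2 = 1 with x != +-1: non-trivial square root of 1
                    return gcd(x - 1, n)
                break                   # bad case 2: we went through -1, try another base
            x = x2
    return None

def factor_from_private_key(n, e, d):
    """RSAKRP => RSAFP: e*d - 1 is a multiple of phi(n), so it is an exponent multiple."""
    return factor_from_exponent_multiple(n, e * d - 1)

if __name__ == "__main__":
    # Constructed toy key (not a real key): p = 53, q = 61, phi = 3120, e = 17, d = 2753.
    n = 53 * 61
    p = factor_from_private_key(n, 17, 2753)
    print(p, n // p)
```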
Malleability of RSA

As is, RSA is OW-CPA (if factorisation is hard) but malleable: $(m_1 \cdot m_2)^e = m_1^e \cdot m_2^e$, so from several ciphertexts we can generate a lot more;
Example of CCA2 attack: we know $c = m^e$; we ask to decipher a random $r$: $m_r = r^d$, and $c/r$: $m_{c/r} = (c/r)^d$ ($c/r$ looks random). We recover $m = m_r \, m_{c/r}$.
We want IND-CCA2 so we need to add padding.
RSA-OAEP: the padding is $M \oplus G(r) \,\|\, r \oplus H(M \oplus G(r))$ where $r$ is random and $H$ and $G$ are two hash functions.
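The multiplicativity and the blinded-query example above, as an added Python demonstration that is not from the slides: a textbook decryption routine that refuses only the challenge ciphertext still gives $m$ away, which is why unpadded RSA must never be exposed as a decryption service. The key ($p = 53$, $q = 61$, $e = 17$) and the blinding value $r = 7$ are constructed here.

```python
from math import gcd

# Constructed toy key (not a real key): p = 53, q = 61, e = 17.
P, Q, E = 53, 61, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))                 # Python >= 3.8 modular inverse

def encrypt(m):
    return pow(m, E, N)

def decryption_oracle(c, challenge):
    """Textbook RSA decryption that refuses only the challenge ciphertext itself."""
    if c == challenge:
        raise PermissionError("challenge ciphertext is not decrypted")
    return pow(c, D, N)

def is_multiplicative(m1, m2):
    """(m1 * m2)^e == m1^e * m2^e: ciphertexts combine without the key."""
    return encrypt(m1) * encrypt(m2) % N == encrypt(m1 * m2 % N)

def recover_by_blinding(c):
    """The slide's CCA2 example: decrypt r and c/r, then m = r^d * (c/r)^d."""
    r = 7                                          # any r coprime to N works; fixed here for reproducibility
    assert gcd(r, N) == 1
    m_r = decryption_oracle(r, challenge=c)                      # r^d
    m_cr = decryption_oracle(c * pow(r, -1, N) % N, challenge=c)  # (c/r)^d = m / r^d
    return m_r * m_cr % N
```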
Attacks on RSA

Best algorithm for factorisation is NFS: $2^{O(n^{1/3})}$; subexponential: a factor $2$ in security needs a factor $8$ in key length.
Small exponent: if $N > m^e$ finding $m$ is easy. This can happen if the same message is sent to several users with public keys $(N_i, e)$; by the CRT we recover $m^e \bmod N = \prod N_i$.
If $e$ has a small order in $(\mathbb{Z}/\phi(N)\mathbb{Z})^*$, iterating the encryption yields the decryption.
If $d$ is small, for instance let $p < q < 2p$, and suppose that $d < n^{1/4}/3$. Write $ed - 1 = k\phi(n)$; then for $n$ big enough $\left|\frac{e}{n} - \frac{k}{d}\right| < \frac{1}{2d^2}$. $k/d$ can then be recovered from the continued fraction of $e/n$, which is computed using Euclid's algorithm.
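The small-$d$ case worked through in Python, as an added example that is not from the slides: the convergents of $e/n$ are enumerated with Euclid's algorithm and each candidate $k/d$ is validated by checking that $(ed-1)/k$ is an integer $\phi$ whose implied $p + q$ splits $n$. The toy key ($p = 10007$, $q = 10009$, $d = 7$) is constructed here; a key-validation check of this kind is how one rejects keys generated with a deliberately small $d$.

```python
from math import isqrt

def continued_fraction(num, den):
    """Partial quotients of num/den via Euclid's algorithm, as on the slide."""
    quotients = []
    while den:
        q, r = divmod(num, den)
        quotients.append(q)
        num, den = den, r
    return quotients

def convergents(quotients):
    """Yield the successive convergents k/d as (k, d) pairs."""
    k_prev, k, d_prev, d = 0, 1, 1, 0
    for a in quotients:
        k_prev, k = k, a * k + k_prev
        d_prev, d = d, a * d + d_prev
        yield k, d

def recover_small_d(e, n):
    """When d < n^(1/4)/3, some convergent k/d of e/n is the true k/d.

    For each candidate, phi = (ed - 1)/k must be an integer and p, q must be the
    integer roots of X^2 - (n - phi + 1) X + n. Returns (d, p, q) or None.
    """
    for k, d in convergents(continued_fraction(e, n)):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1                               # p + q
        disc = s * s - 4 * n
        if disc < 0:
            continue
        root = isqrt(disc)
        if root * root == disc and (s - root) % 2 == 0:
            p, q = (s - root) // 2, (s + root) // 2
            if p * q == n:
                return d, p, q
    return None

def toy_key():
    """Constructed toy key with a deliberately tiny d (not a real key): p = 10007, q = 10009, d = 7."""
    p, q, d = 10007, 10009, 7
    n, phi = p * q, (p - 1) * (q - 1)
    return pow(d, -1, phi), n
```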
Squares in finite fields

Let $p > 2$ be a prime. $((\mathbb{Z}/p\mathbb{Z})^*, \times)$ is a cyclic group of order $p-1$;
There are $(p-1)/2$ squares and $(p-1)/2$ non squares;
If $x \in (\mathbb{Z}/p\mathbb{Z})^*$ then $x$ is a square if and only if $x^{\frac{p-1}{2}} = 1$ (by Fermat $x^{p-1} = 1$ for all $x \in (\mathbb{Z}/p\mathbb{Z})^*$);
Legendre symbol: $\left(\frac{x}{p}\right) = 1$ if $x$ is a square, $-1$ if $x$ is not a square, $0$ if $x = 0 \bmod p$;
$\left(\frac{x}{p}\right) = x^{\frac{p-1}{2}} \pmod p$;
Multiplicativity: $\left(\frac{xy}{p}\right) = \left(\frac{x}{p}\right)\left(\frac{y}{p}\right)$;
Quadratic reciprocity: for $p, q$ primes $> 2$, $\left(\frac{p}{q}\right)\left(\frac{q}{p}\right) = (-1)^{\frac{p-1}{2}\frac{q-1}{2}}$.
Jacobi symbol

Jacobi symbol: if $n$ is odd, define the Jacobi symbol by extending the Legendre symbol multiplicatively on the bottom argument: $\left(\frac{x}{n_1 n_2}\right) = \left(\frac{x}{n_1}\right)\left(\frac{x}{n_2}\right)$;
Extension of quadratic reciprocity: $\left(\frac{m}{n}\right)\left(\frac{n}{m}\right) = (-1)^{\frac{m-1}{2}\frac{n-1}{2}}$ ($m$ and $n$ odd and coprime), with the extra relations $\left(\frac{-1}{n}\right) = (-1)^{\frac{n-1}{2}}$, $\left(\frac{2}{n}\right) = (-1)^{\frac{n^2-1}{8}}$;
$\Rightarrow$ The Jacobi symbol can be computed in polynomial time;
Primality test: if $\left(\frac{x}{n}\right) \neq x^{\frac{n-1}{2}}$ then $n$ is not prime (and if $n$ is not prime, at least half the $x$ coprime to $n$ will be witnesses).
Digression: Miller-Rabin

Miller-Rabin primality test: if $n$ is prime and $n - 1 = d\,2^t$, then for all $a$ prime to $n$ either $a^d = 1 \bmod n$ or $a^{d 2^u} = -1 \bmod n$ (for some $0 \leq u \leq t-1$); for any odd composite $n$, at least $3/4$ of the bases $a$ are witnesses for the compositeness of $n$.
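The Miller-Rabin criterion in Python, as an added example that is not from the slides. Besides the test itself it counts, for the Carmichael number $561 = 3 \cdot 11 \cdot 17$ (a constructed choice), how many coprime bases fool the plain Fermat test versus how many are Miller-Rabin witnesses, which shows why the $3/4$ bound matters in practice.

```python
from math import gcd

def decompose(n):
    """Write n - 1 = d * 2^t with d odd."""
    d, t = n - 1, 0
    while d % 2 == 0:
        d, t = d // 2, t + 1
    return d, t

def is_mr_witness(a, n):
    """True if base a proves odd n > 2 composite: a^d != 1 and no a^(d 2^u), u < t, equals -1."""
    d, t = decompose(n)
    x = pow(a, d, n)
    if x == 1 or x == n - 1:
        return False
    for _ in range(t - 1):
        x = x * x % n
        if x == n - 1:
            return False
    return True

def is_probable_prime(n, bases):
    """Miller-Rabin with the given bases: composite for sure if any base is a witness."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    return not any(is_mr_witness(a % n, n) for a in bases if a % n > 1)

def fermat_liar_fraction(n):
    """Share of coprime bases a in [2, n-2] with a^(n-1) = 1 mod n (the Fermat test is fooled)."""
    bases = [a for a in range(2, n - 1) if gcd(a, n) == 1]
    return sum(pow(a, n - 1, n) == 1 for a in bases) / len(bases)

def mr_witness_fraction(n):
    """Share of the same bases that are Miller-Rabin witnesses; the slide promises >= 3/4 for odd composite n."""
    bases = [a for a in range(2, n - 1) if gcd(a, n) == 1]
    return sum(is_mr_witness(a, n) for a in bases) / len(bases)
```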
Heads or tails

Let $n = pq$ be an RSA number; by the CRT $((\mathbb{Z}/n\mathbb{Z})^*, \times) = ((\mathbb{Z}/p\mathbb{Z})^* \times (\mathbb{Z}/q\mathbb{Z})^*, \times)$;
$\left(\frac{x}{n}\right) = \left(\frac{x}{p}\right)\left(\frac{x}{q}\right)$, so if $x$ is prime to $n$, $\left(\frac{x}{n}\right) = 1$ when $x$ is a square modulo $n$ (= square modulo $p$ and square modulo $q$) or when $x$ is a square modulo neither $p$ nor $q$;
Computing $\left(\frac{x}{n}\right)$: polynomial time;
Deciding if $x$ is a real square (and computing the square root) or a false square: factorisation of $n$;
$x \mapsto x^2$ is a one way trapdoor function!

Heads or tails:
Bob chooses $n = pq$ and sends $x$ such that $\left(\frac{x}{n}\right) = 1$;
Alice answers "real square" or "false square";
Bob sends $p$ and $q$ so Alice can verify if she was right or not.
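The Jacobi symbol computed with the reciprocity rules of the previous slide, plus the heads-or-tails protocol built on it, as an added Python example that is not from the slides. The RSA number $n = 53 \cdot 61$ is constructed; `play_round` lets Alice guess from $(x, n)$ alone and then settles the round with the trapdoor $(p, q)$ via the Euler criterion.

```python
import random

def jacobi(x, n):
    """Jacobi symbol (x/n), n odd > 0, via reciprocity and the rules for -1 and 2 (polynomial time)."""
    assert n > 0 and n % 2 == 1
    x %= n
    result = 1
    while x:
        while x % 2 == 0:                   # (2/n) = (-1)^((n^2-1)/8): -1 iff n = 3, 5 mod 8
            x //= 2
            if n % 8 in (3, 5):
                result = -result
        x, n = n, x                         # reciprocity: sign flips iff both are 3 mod 4
        if x % 4 == 3 and n % 4 == 3:
            result = -result
        x %= n
    return result if n == 1 else 0          # n != 1 here means gcd(x, n) > 1

def legendre(x, p):
    """Euler criterion x^((p-1)/2) mod p as -1, 0 or 1 (needs p prime)."""
    v = pow(x, (p - 1) // 2, p)
    return -1 if v == p - 1 else v

def is_real_square(x, p, q):
    """With the trapdoor (p, q): a real square mod n is a square mod p and mod q."""
    return legendre(x, p) == 1 and legendre(x, q) == 1

def bob_picks_x(p, q, rng):
    """Bob draws x coprime to n with (x/n) = 1: real and false squares are then equally likely."""
    n = p * q
    while True:
        x = rng.randrange(2, n)
        if jacobi(x, n) == 1:
            return x

def play_round(p, q, alice_guess, rng):
    """Alice guesses 'real' or 'false' from (x, n) only; Bob then reveals p, q to settle it."""
    x = bob_picks_x(p, q, rng)
    truth = "real" if is_real_square(x, p, q) else "false"
    return alice_guess(x, p * q) == truth

def demo(seed=7, rounds=20):
    """Constructed toy run with n = 53 * 61: Alice always says 'real', so she is right about half the time."""
    rng = random.Random(seed)
    return sum(play_round(53, 61, lambda x, n: "real", rng) for _ in range(rounds))
```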
Zero Knowledge identification

Secret key of Alice: $p$, $q$, $s \bmod n = pq$; Public key of Alice: $n = pq$, $r = s^2$;
Alice chooses a random $u \bmod n$, computes $z = u^2$ and sends $t = zr = u^2 s^2$ to Bob;
Bob either chooses to check $z$: he asks $u$ to Alice and checks that $z = u^2$; or to check $t$: he asks $us$ to Alice and checks that $t = (us)^2$.
A liar will either produce a false $u$ or a false $t$ and has $1/2$ chances to be caught, so Bob will ask for several rounds (30);
To always give the correct answer means that Alice knows the secret $s$ or is very lucky (probability $1/2^{30}$).
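The identification protocol simulated in Python, as an added example that is not from the slides, with an honest prover and a cheating prover who knows only the public key and must guess Bob's challenge in advance. It assumes (my choice, not stated on the slide) that Alice sends $z$ and Bob derives $t = zr$ from the public key; the key ($p = 53$, $q = 61$, $s = 1234$) is constructed.

```python
import random

def keygen(p, q, s):
    """Alice's secret key (n, s) and public key (n, r = s^2 mod n)."""
    n = p * q
    return (n, s), (n, s * s % n)

class HonestAlice:
    """Knows s: commits to z = u^2 and can answer either challenge."""
    def __init__(self, secret, rng):
        self.n, self.s = secret
        self.rng = rng
    def commit(self):
        self.u = self.rng.randrange(2, self.n)
        return self.u * self.u % self.n             # z; Bob derives t = z*r himself (assumption)
    def respond(self, challenge):
        return self.u if challenge == "u" else self.u * self.s % self.n

class CheatingAlice:
    """Knows only (n, r): guesses the challenge in advance and can satisfy only that one."""
    def __init__(self, public, rng):
        self.n, self.r = public
        self.rng = rng
    def commit(self):
        self.guess = self.rng.choice(["u", "us"])
        self.v = self.rng.randrange(2, self.n)
        if self.guess == "u":
            return self.v * self.v % self.n         # z = v^2: can open u = v, but has no us
        # choose t = v^2 and z = t / r: can open "us" with v, but has no square root of z
        return self.v * self.v * pow(self.r, -1, self.n) % self.n
    def respond(self, challenge):
        return self.v                               # right only if Bob asked the guessed challenge

def verify(public, alice, rounds, rng):
    """Bob: each round asks at random for u (check z = u^2) or us (check t = z*r = (us)^2)."""
    n, r = public
    for _ in range(rounds):
        z = alice.commit()
        challenge = rng.choice(["u", "us"])
        w = alice.respond(challenge)
        expected = z if challenge == "u" else z * r % n
        if w * w % n != expected:
            return False
    return True
```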
Fermat

We want to get a factor of a composite number $n$ (see primality tests);
If $n = x^2 - y^2$ then $n = (x-y)(x+y)$;
More generally if $x^2 = y^2 \bmod n$ then $(x-y) \wedge n$ may be a non trivial factor (Exercise: if $n = pq$, what is the probability to get a non trivial factor?)
Smooth numbers

$n$ is $B$-smooth if $n$ can be written as a product of integers $\leq B$;
Canfield-Erdős-Pomerance: the probability that a number $x \leq n$ is $B$-smooth is $u^{-u(1+o(1))}$ where $u = \frac{\log n}{\log B}$, when $(\log n)^{\epsilon} < u < (\log n)^{1-\epsilon}$.
Subexponential functions: $L_x(\alpha, \beta) = \exp\left(\beta \log^\alpha x \, \log\log^{1-\alpha} x\right)$;
The probability for a number of size $L_x(\alpha, \beta)$ to be $L_x(\gamma, \delta)$-smooth is $L_x(\alpha - \gamma, -\beta(\alpha - \gamma)/\delta + o(1))$.
Example: a number of size $n = L_n(1)$ is $L_n(1/2)$-smooth with probability $L_n(1/2)$;
Linear and Quadratic Sieves

Dixon's linear sieve: generate squares modulo $n$: $y = x^2 \bmod n$ where $y$ is $B$-smooth with $B = L_n(1/2)$ $\Rightarrow$ time $L_n(1/2)$ to find them;
Collect enough relations to use linear algebra so that a suitable product of the $y$ is a square;
Pomerance's quadratic sieve: let $m = \lceil n^{1/2} \rceil$. Generate the $y$ by $(m+a)^2 = (m^2 - n) + a^2 + 2am \bmod n$. The $y$ are of size $\sqrt{n}$ rather than $n$, so the probability to be $B$-smooth is much higher;
A detailed complexity analysis gives a complexity of $L_n(1/2, 2\sqrt{2})$ ($B = L_n(1/2, 1/\sqrt{2})$) for the linear sieve and $L_n(1/2, 1)$ ($B = L_n(1/2, 1/2)$) for the quadratic sieve.
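The congruent-squares idea of the Fermat slide carried through as Dixon's method with Pomerance's choice of $x$ near $\sqrt{n}$, as an added Python example that is not from the slides (no sieving: smoothness is tested by trial division, which is fine for the constructed toy moduli $1441 = 11 \cdot 131$ and $3233 = 53 \cdot 61$). The relations are reduced over $\mathrm{GF}(2)$ with a bitmask recording which $y$ were multiplied, so that $X^2 = Y^2 \bmod n$ can be rebuilt and $\gcd(X \pm Y, n)$ tried.

```python
from math import gcd, isqrt

def primes_up_to(b):
    """Factor base: all primes <= b (trial division is fine for tiny B)."""
    return [p for p in range(2, b + 1) if all(p % q for q in range(2, isqrt(p) + 1))]

def smooth_exponents(y, fb):
    """Exponent vector of y over the factor base, or None if y is not B-smooth."""
    vec = []
    for p in fb:
        e = 0
        while y % p == 0:
            y, e = y // p, e + 1
        vec.append(e)
    return vec if y == 1 else None

def factor_by_congruent_squares(n, B=30):
    """Dixon's linear sieve with x starting at ceil(sqrt(n)): find X^2 = Y^2 mod n, return a factor."""
    fb = primes_up_to(B)
    rels = []                                   # (x, exponent vector of x^2 mod n)
    x = isqrt(n) + 1
    while len(rels) <= len(fb):                 # one more relation than primes forces a dependency
        vec = smooth_exponents(x * x % n, fb)
        if vec is not None:
            rels.append((x, vec))
        x += 1
    pivots = {}                                 # GF(2) elimination on parity rows; comb = relations mixed in
    for j, (_, vec) in enumerate(rels):
        row = sum((e & 1) << i for i, e in enumerate(vec))
        comb = 1 << j
        while row and (row.bit_length() - 1) in pivots:
            prow, pcomb = pivots[row.bit_length() - 1]
            row, comb = row ^ prow, comb ^ pcomb
        if row:
            pivots[row.bit_length() - 1] = (row, comb)
            continue
        X, exps = 1, [0] * len(fb)              # dependency: the product of the chosen y is a square
        for i in range(len(rels)):
            if comb >> i & 1:
                X = X * rels[i][0] % n
                exps = [a + b for a, b in zip(exps, rels[i][1])]
        Y = 1
        for p, e in zip(fb, exps):
            Y = Y * pow(p, e // 2, n) % n       # every e is even here, so Y^2 = X^2 mod n
        for g in (gcd(X - Y, n), gcd(X + Y, n)):
            if 1 < g < n:
                return g                        # a trivial pair (X = +-Y) just falls through
    return None
```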
General Number Field Sieve

Invented by Pollard and Lenstra;
Generate smooth numbers in two number fields to get relations (see commutative diagram);
Use sieves (lattice sieving or line sieving) to generate the smooth numbers;
Linear algebra on the relations to get two squares;
In practice very complex (obstructions from the class group and the group of units, taking square roots in number fields)…
Heuristic complexity $L_n(1/3, (64/9)^{1/3})$;
See for example CADO-NFS for an open-source implementation.
Discrete Logarithm

Definition (DLP). Let $G = \langle g \rangle$ be a cyclic group of prime order. Let $x \in \mathbb{Z}$ and $h = g^x$. The discrete logarithm $\log_g(h)$ is $x$.
Exponentiation: $O(\log p)$. DLP: $O(\sqrt{p})$ (in a generic group). So we can use the DLP for public key cryptography.
$\Rightarrow$ We want to find secure groups with efficient addition law and compact representation.
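The generic $O(\sqrt{p})$ bound made concrete with baby-step giant-step in a prime-order subgroup of $(\mathbb{Z}/p\mathbb{Z})^*$, as an added Python example that is not from the slides; the safe prime $p = 1019 = 2 \cdot 509 + 1$ and the subgroup of order $509$ are constructed here. With about $2\sqrt{\mathrm{ord}}$ multiplications and $\sqrt{\mathrm{ord}}$ stored values it recovers $x$, which is why the subgroup order, not just $p$, sets the security level.

```python
from math import isqrt

def element_of_order(p, order, a=2):
    """Map a into the subgroup of the given prime order (order | p - 1); None if a lands on 1."""
    g = pow(a, (p - 1) // order, p)
    return None if g == 1 else g

def baby_step_giant_step(g, h, p, order):
    """Solve g^x = h in (Z/pZ)^* for g of prime order: O(sqrt(order)) time and memory."""
    m = isqrt(order) + 1                        # m^2 > order, so x = i*m + j with 0 <= i, j < m
    baby = {}                                   # g^j -> j for the baby steps
    gj = 1
    for j in range(m):
        baby.setdefault(gj, j)
        gj = gj * g % p
    step = pow(g, -m, p)                        # g^(-m), Python >= 3.8 negative modular exponent
    y = h % p
    for i in range(m):                          # giant steps: h * g^(-i*m) == g^j  =>  x = i*m + j
        if y in baby:
            return (i * m + baby[y]) % order
        y = y * step % p
    return None                                 # h is not in the subgroup generated by g
```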