Chapter 13

On Constructions and Security Notions of Public-key Cryptosystems

Angsuman Das
Department of Mathematics & Statistics, St. Xavier's College, Kolkata, India.
E-mail: [email protected]

Avishek Adhikari
Department of Pure Mathematics, University of Calcutta, Kolkata, India.
E-mail: [email protected]

Contemporary Topics in Mathematics and Statistic Applications

Abstract: From its inception, public-key cryptography has been an area of active research. Various aspects of public-key encryption, such as constructions, security notions, adversarial models, hardness assumptions, proof methodology, efficiency and compatibility, have been analysed and re-analysed over the last three and a half decades by numerous cryptographers. Some of the resulting schemes are good enough to survive, while others, though broken, provide meaningful insights into the subject. In this article, our aim is to provide an expository as well as technical (as far as possible, keeping its brevity in mind) overview of the subject as it has progressed over the years, along with open problems and suitable references.

Keywords: public-key cryptosystems, cryptographic hardness assumptions, security notions.

13.1 Introduction

The study of public key cryptosystems arose through the seminal paper "New Directions in Cryptography" [29] by Whitfield Diffie and Martin Hellman in 1976. The most important contribution of this paper is that it introduced the concept of a Public Key Cryptosystem (PKC) and its associated components: one-way functions and trapdoor information. The Diffie-Hellman publication is an extremely important event: it provides the basic definitions and goals of a new field of mathematics/computer science, a field whose existence is dependent on the then emerging age of the digital computer. Although the Diffie-Hellman key-exchange protocol is the genesis of a profound investigation into the notion of PKC, their scheme does not provide a complete solution to the establishment of a PKC. They provide only a mechanism for the exchange of keys and, by the authors' own admission, left open the problem of establishing a working secure PKC. In 1978, a paper [68] was published by R. Rivest, A. Shamir, and L. Adleman. In that paper they described a public-key cryptosystem, now called by the acronym from the authors' names the RSA cryptosystem, including key generation and a public-key cipher, whose security rests upon the presumed difficulty of factoring integers into their prime factors. This started the metamorphosis of public-key cryptosystems. Since then, numerous public key cryptosystems have been proposed. Some of them have been broken; some have managed to survive the attacks till date. In fact, many suitable problems for cryptography have been proposed (e.g., one-way, possibly trapdoor, functions) and many cryptographic schemes have been designed, together with more or less heuristic proofs of their security relative to the intractability of various problems. Formal notions of security were at first seen merely as theoretical properties. The simple fact that a cryptographic algorithm withstands cryptanalytic attacks for several years is often considered a kind of validation procedure, but some schemes take a long time before being broken. However, after multiple cryptanalyses of international standards, provable security has been recognised as important and hence is now considered a basic requirement for a new cryptographic protocol.

The cryptographic community has had many successes in this area, which may be divided into two categories: the production of very efficient encryption schemes with security proofs in idealised models, and the production of less efficient encryption schemes with full proofs of security in strong models. The ultimate prize has yet to be claimed. However, we are getting closer to that important breakthrough: schemes with full security proofs are getting more efficient, and the efficient schemes are getting stronger security guarantees.

13.2 Existing Notions of Security

The basic definitions of security have been continuously refined and revised in the literature. The first definitional approach to cryptography was not mathematically rigorous. For example, the notion of security used in the original RSA paper [68] seems to be that "there is no obvious way of recovering plaintext from ciphertext, even given the public encryption key." The security of the RSA cryptosystem is not even tightly bound to the underlying computationally intractable problem, which is factoring a composite number. Till date, there is no efficient reduction of factorization to the RSA problem, and one could conceivably break the RSA scheme without making progress toward factoring large composite integers. The next step in making definitions for cryptosystems more practical and secure was taken by Rabin, whose cryptosystem is provably related to the problem of factoring large composite integers [65]. However, even this more careful construction and definition of security left something to be desired. For example, even if an adversary could not recover the entire plaintext given a ciphertext, might it still be possible for the adversary to recover one bit of the plaintext? In the case of RSA, cryptographers have shown that all but log_2 n bits of the encryptions are secure (where n is the length of the encryption), while conceding that some bits are entirely insecure. Furthermore, schemes such as RSA and Rabin encrypt a given message m the same way every time, i.e., deterministically. Some attacks have been suggested that exploit this fact. For instance, if Bob is encrypting the message "buy" and sending it to his stock broker, an eavesdropper (Alice) could record the message and discover through other means whether Bob told the broker to "buy" or "sell". Then, the next time Bob tells the broker to "buy", Alice will know exactly what Bob had in mind, and she might use this information maliciously. The solution to both of these problems, security against replay attacks and bit-by-bit security, came with the advent of probabilistic security by Goldwasser and Micali in [40]. This paper introduced the novel idea of random encryptions, or a one-to-many encryption scheme whereby a plaintext message m is randomly mapped to one of many possible encryptions of m. Furthermore, Goldwasser and Micali proposed a high standard of security: a successful adversary need not recover the entire message from the ciphertext, but rather just one bit of information about the plaintext from the ciphertext.

13.2.1 Public Key Encryption Semantics

Before we can discuss the definitions of security, it is important to establish a basic set of encryption semantics, which are true of all cryptosystems, whether secure or insecure. These semantics define the mathematical models that are used in contemporary cryptographic research.

Definition 2.1: Any encryption scheme Π = (KeyGen, Enc, Dec) consists of three probabilistic polynomial-time algorithms (polynomial in the length of their inputs): a key generation algorithm KeyGen, an encryption algorithm Enc and a decryption algorithm Dec, such that
1. KeyGen takes as input a security parameter k and outputs a public key-private key pair (pk, sk).
2. Enc takes as input a message m and the public key pk and outputs c = Enc_pk(m), the encryption of m.
3. Dec takes as input the corresponding private key sk and a ciphertext c produced by Enc_pk, and satisfies Pr[Dec_sk(Enc_pk(m)) ≠ m] = f(k), where f(k) is a negligible function in k.

Note that in the above formulation, any ciphertext c is treated as if it were output from Enc_pk, or, alternatively, as if it were a "legal" ciphertext. Any c submitted to Dec_sk will be decrypted as if it were a legitimate encryption, even if it is a phony ciphertext forged by a malicious adversary. As we will discuss shortly, certain cryptosystems refine this paradigm to solve the problem. In these cryptosystems, for a given keypair, there is a notion of those inputs to the decryption box that were output by the encryption box (called legal ciphertexts) and those that would never be output by the encryption box (called illegal ciphertexts).

13.2.2 The Strength and Goals of Cryptographic Attack

Once we have defined the most basic semantics of cryptosystem operation, we want to define what we mean by security. One of the novel approaches of [8] is to treat the power and the goals of different cryptographic attacks completely orthogonally. That is, the goals of attacks differ: some might try to gain information about ciphertexts, while others might attempt to forge new ciphertexts related to existing ones (for instance, given Enc_pk(m), an adversary might wish to produce Enc_pk(m') where m' = 2m; such a goal is clearly achievable with RSA and others). The former goal is known as distinguishability, the ability to determine properties of a message given its encryption, and to distinguish between it and other encrypted messages. The latter is known as malleability. Thus, on the constructive side, we want our cryptosystem to be either indistinguishable (IND) or non-malleable (NM). As shown in [8] and others, the two goals are closely related. There are also a few non-standard adversarial goals in the literature, like Targeted Malleability (TM) and Plaintext Awareness (PA) (see Section 7.1).

Another issue that comes up when formulating notions of security is the strength of the adversary. The weakest adversary in cryptological settings is one that can only tap a line of communication and overhear encrypted messages. But we might also imagine "stronger" attacks, such as the case in which an adversary wants to learn about messages sent with the keypair (pk, sk), and has temporary access to the decryption box Dec_sk: the lunchtime attack. The relative strength of any adversary attempting to learn about a ciphertext c, or about the cryptosystem Π running with the keypair (pk, sk), is given by how much access it has to the decryption oracle Dec_sk. The more access the adversary has, the stronger its attack will be.

How should we go about quantifying "how much access" an adversary has to the decryption oracle? In the first stage, according to [11], the adversary analyses the public key and tries to determine which plaintexts, when encrypted, are vulnerable to attack. In the second stage, the adversary is presented with a challenge ciphertext c, an encryption of one of the plaintexts found in the previous stage. The adversary is then challenged either to determine information about Dec_sk(c) (in the case of distinguishing), or to forge a new ciphertext c' so that Dec_sk(c) and Dec_sk(c') are related in some useful way (in the case of malleating). Given this paradigm for adversarial attacks, "how much access" an adversary has to the decryption box is determined by the stage in which the decryption oracle Dec_sk(·) may be used. This formulation of adversaries might seem somewhat contrived, and unrelated to real-world scenarios. In reality, the adversary does not have the liberty to choose the plaintexts on which it will later be challenged. Rather, the adversary, sniffing packets off a public network, will be challenged with a ciphertext c which could be the encryption of any m in the plaintext space. The theory behind the formulated attack given above is still justified: if a given scheme is secure against an adversary who can carefully choose the space of candidate plaintexts, then it is certainly secure against the real-world adversary, who is challenged with the encryption of an arbitrary m.

Now, we review the existing notions of security of public key cryptosystems. These are defined in terms of a game between a challenger and an adversary, as follows:

1. Chosen Plaintext Attack (CPA): This is the weakest form of attack, in which the adversary has no access to the decryption oracle. It can, however, make queries to the encryption box Enc_pk, bounded only by its computational resources (i.e., the adversary is a polynomial-time algorithm).

2. Non-adaptive Chosen Ciphertext Attack (CCA1): In this attack, the adversary is given access to the decryption oracle before it receives the challenge ciphertext c*. First formalized in [57], this attack is often called "the lunchtime attack": it may come about when an adversary gains access to Dec_sk for a short period of time (i.e., lunchtime), and submits carefully chosen queries to Dec_sk in an attempt to learn valuable properties of sk. It is important to note that certain IND-CPA secure cryptosystems are breakable under the CCA1 attack.

3. Adaptive Chosen Ciphertext Attack (CCA2): Proposed in [66], in this attack the adversary is given access to the decryption oracle both before and after it receives the challenge ciphertext c*, with the natural restriction in the second query phase that it cannot query the decryption oracle with the challenge ciphertext itself. Unlike CCA1, this attack is somewhat contrived and has no obvious real-world realization. However, it represents the strongest possible attack model in this setting, and proving that a scheme is secure against CCA2 is a strong testament to its overall security.
It is also worth mentioning that CCA2 security (where the semantic-security and the non-malleability formulations are equivalent [8]) became the "gold standard" for security of encryption schemes in a general protocol setting.

4. Generalized Adaptive Chosen Ciphertext Attack (gCCA2): CCA2 security is indeed a very strong and useful notion. But is it necessary for an encryption scheme to be CCA2-secure in order to be adequate for use within general protocol settings? Consider an IND-CCA2 cryptosystem C and define C' such that e'_K(m) = e_K(m) || b, where b is a random bit and e_K is the encryption method from C. Decryption in C' is computed by throwing away the least significant bit and applying d_K from C. Despite the fact that C' clearly provides just as much message security as C, it is not IND-CCA2 secure: an adversary can simply flip the least significant bit of the challenge ciphertext and submit the new ciphertext to the decryption oracle to win the IND-CCA2 game. The "loss of security" in C' stems from the fact that C has been turned into a malleable cryptosystem, even though this malleability provides no additional information to an adversary. To overcome this rigidity of the CCA2 notion, An et al. [2] proposed the notion of gCCA2. In this attack, the adversary in the second query phase (i.e., after the challenge ciphertext c* is given) is allowed to query the decryption oracle with any ciphertext c whose corresponding plaintext is not the same as that of the challenge ciphertext c*, i.e., Dec_sk(c) ≠ Dec_sk(c*).

Note: If C is IND-CCA2 secure, then C' as defined above is IND-gCCA2 secure.

5. Replayable Adaptive Chosen Ciphertext Attack (rCCA2): In essence, rCCA2 [21] is aimed at capturing encryption schemes that are CCA2 secure "except that they allow anyone to generate new ciphertexts that decrypt to the same value as a given ciphertext." rCCA2 is strictly weaker than CCA2 security; in fact, it is strictly weaker than gCCA2. The rationale behind rCCA2 is that, as far as an attacker in a protocol setting is concerned, generating different ciphertexts that decrypt to the same plaintext as a given ciphertext has the same effect as copying (or "replaying") the same ciphertext multiple times. Since replaying a ciphertext multiple times is unavoidable even for CCA2 secure encryptions, rCCA2 security would have "essentially the same effect" as CCA security.

IND-rCCA2 is identical to IND-CCA2, with the exception that the decryption oracle does not answer whenever it is asked to decrypt any ciphertext that decrypts to either m_0 or m_1, the challenge plaintexts, even if this ciphertext is different from the challenge ciphertext c*. Indeed, in the IND-rCCA2 game the ability to generate new ciphertexts that decrypt to the same value as the challenge ciphertext does not help the adversary.

6. Detectable Adaptive Chosen Ciphertext Attack (DCCA2): Recently, Hohenberger et al. [46] introduced a new abstraction, Detectable Chosen Ciphertext Security (DCCA2), as a tool to build CCA2-secure systems. Intuitively, this notion is meant to capture systems that are not necessarily CCA2 secure, but where we can detect whether a certain query c can be useful for decrypting (or distinguishing) a challenge ciphertext c*. A system that is DCCA2 secure is associated with a boolean function F that takes three inputs: a public key pk, a challenge ciphertext c* and a query ciphertext c. The function outputs 1 if the query c is "dangerous" for an attacker wishing to distinguish c*. In other words, the attacker is limited to decryption queries of ciphertexts c where F(pk, c*, c) = 0 for the challenge ciphertext c*, i.e., the system is CCA2 secure as long as the attacker does not make dangerous queries.

7. Non-adaptive/Adaptive Illegal Ciphertext Attack (ICA1/2): As mentioned above, CCA2 represents one of the strongest possible types of attack against a cryptosystem. Although it does not correspond to a real-world attack model, it is a useful criterion for measuring the security of a cryptosystem: if Π is secure in the sense of CCA2, then we expect it to be secure against other, more practical attacks. A perfect example of a more practical attack is the one presented by Bleichenbacher [13]. The Bleichenbacher attack on RSA-PKCS#1 proceeds as follows: the adversary wants to find m ≡ c^d (mod n), where c is an arbitrary ciphertext, n is the public modulus, and d is the secret decryption exponent. The attacker produces a series of ciphertexts of the form c' ≡ c · s^e (mod n) for integers s of its choice, where e is the public encryption exponent. Based on whether or not c' is accepted by the decryption oracle as a legal ciphertext, the adversary can narrow down the range of possible values for m. As Bleichenbacher discusses in his paper, this form of attack has immediate practical applications. Many protocols such as RSA-PKCS#1 inform the adversary over the network if it ever submits an illegal encryption, while tacitly accepting any legal encryptions. Thus, the access the adversary needs to the decryption box is much less than that assumed by CCA1 or CCA2 attacks. Indeed, a Bleichenbacher attack can be mounted over the Internet, and does not require an adversary to have physical access to the decryption box (as do CCA1 and CCA2). Motivated by this type of attack, a new definition of security, Illegal Ciphertext Attack (ICA), was proposed in [51]. Such a definition was aimed at bridging the gap between the practical considerations discussed in [13] and the more formal and theoretical considerations discussed in [8]. The definition of ICA closely resembles that of CCA, the major difference being that the adversary does not have access to the full decryption oracle but rather to an oracle that simply outputs whether a ciphertext is legal or illegal (a judge oracle)¹. The strength of ICA is determined by how much access an adversary has to the judge oracle. That is, we can formulate ICA1 and ICA2 in the same way that we formulated CCA1 and CCA2. There is also a special formulation of adversarial strength called hCCA2 [64], possessing a new type of oracle (a rigged oracle), which is not discussed here.

We now present the formalizations of the above attacks, where the goal of the attack is for an adversary to distinguish encryptions. All the definitions are based upon the same definitional model. Namely, an experiment or game is carried out in which an adversary interacts with the cryptosystem. The adversary's ability to succeed in the experiment is measured, and if the likelihood of success is sufficiently small we can conclude that the cryptosystem is secure against that attack. If all adversaries have a low probability of success, then we deem the cryptosystem secure in the general sense. In particular, the game consists of two abstract parties, the adversary and the challenger, and is played as below:

• Set up: The challenger picks (PK, SK) ← KeyGen and gives PK to the adversary.
• Query Phase I: The adversary is given access to the decryption oracle Dec_SK(·).
• Challenge Phase: The challenger flips a random coin b ← {0,1} and receives from the adversary two plaintexts msg_0, msg_1. It computes c* ← Enc_PK(msg_b) and gives c* to the adversary.
• Query Phase II: The adversary is given access to the following "guarded" decryption oracle:

GDec_SK(c) = Dec_SK(c)   if P(c, c*, msg_0, msg_1) = 1
GDec_SK(c) = "guarded"   otherwise

• Output Phase: The adversary outputs a bit b'. The advantage of the adversary in this game is |Pr[b = b'] − 1/2|.

¹ ICA can be thought of as a decisional decryption oracle.

By using different predicates for P, different levels of security are obtained:

Security   P(c, c*, msg_0, msg_1)
CPA        no decryption queries
CCA1       no decryption queries in 2nd phase
ICA        no decryption queries, only validity of ciphertexts can be checked
CCA2       whether c = c* or not
gCCA2      whether Dec_SK(c) = Dec_SK(c*) or not
rCCA2      whether Dec_SK(c) ∈ {msg_0, msg_1} or not
DCCA2      whether F(pk, c*, c) = 1 or 0
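The following Python program is an added example and not code from the chapter. It plays Query Phase II of the game above against the bit-appending scheme C' from the gCCA2 discussion, with the predicate P taken from the table, so that the same bit-flip query is answered under the CCA2 predicate and refused under the gCCA2 and rCCA2 predicates. The inner scheme is a toy XOR pad that merely stands in for an IND-CCA2-secure scheme (an assumption for illustration; it is not secure), the plaintexts "buy"/"sell" are constructed, and the names run_game, bit_flip_adversary and experiment are the example's own.

```python
import secrets

# Toy inner scheme C, standing in for an IND-CCA2-secure scheme. ASSUMPTION for
# illustration only: this XOR-pad construction is NOT secure; it only supplies
# KeyGen/Enc/Dec so that the oracle rules of the game can be exercised.
MSG_LEN = 16


def keygen():
    """Returns (pk, sk). In the toy scheme both are the same 16-byte pad."""
    key = secrets.token_bytes(MSG_LEN)
    return key, key


def enc_inner(pk, m):
    assert len(m) == MSG_LEN
    return bytes(a ^ b for a, b in zip(m, pk))


def dec_inner(sk, c):
    return bytes(a ^ b for a, b in zip(c[:MSG_LEN], sk))


# Derived scheme C' from the text: e'_K(m) = e_K(m) || b with a random bit b
# (stored here as one trailing byte); decryption discards that byte.
def enc_prime(pk, m):
    return enc_inner(pk, m) + bytes([secrets.randbelow(2)])


def dec_prime(sk, c):
    return dec_inner(sk, c[:-1])


# Predicates P(c, c*, msg_0, msg_1) from the table: True (P = 1) means the
# guarded oracle answers the query, False means it is refused. `dec` is Dec_SK.
def pred_cca1(dec, c, c_star, m0, m1):
    return False                      # no decryption queries in the 2nd phase


def pred_cca2(dec, c, c_star, m0, m1):
    return c != c_star                # only the challenge itself is refused


def pred_gcca2(dec, c, c_star, m0, m1):
    return dec(c) != dec(c_star)      # refuse anything that decrypts like c*


def pred_rcca2(dec, c, c_star, m0, m1):
    return dec(c) not in (m0, m1)     # refuse anything decrypting to msg_0/msg_1


def run_game(predicate, adversary):
    """One run of the IND game (Query Phase II only).
    Returns (adversary_guessed_correctly, number_of_oracle_answers)."""
    pk, sk = keygen()
    m0 = b"buy".ljust(MSG_LEN, b"\0")             # constructed plaintexts
    m1 = b"sell".ljust(MSG_LEN, b"\0")
    b = secrets.randbelow(2)                      # challenger's coin
    c_star = enc_prime(pk, m1 if b else m0)       # challenge ciphertext
    answers = []

    def gdec(c):                                  # guarded decryption oracle
        if predicate(lambda x: dec_prime(sk, x), c, c_star, m0, m1):
            answers.append(c)
            return dec_prime(sk, c)
        return None                               # "guarded": no answer

    b_guess = adversary(c_star, m0, m1, gdec)
    return b_guess == b, len(answers)


def bit_flip_adversary(c_star, m0, m1, gdec):
    """The query from the text: flip the trailing bit of c*, which gives a
    different ciphertext with the same plaintext, and ask the oracle."""
    c = c_star[:-1] + bytes([c_star[-1] ^ 1])
    m = gdec(c)
    if m is None:
        return 0          # refused: fall back to a fixed guess (no advantage)
    return 1 if m == m1 else 0


def experiment(predicate, trials=20):
    """Returns (wins, answered) over `trials` independent games."""
    wins = answered = 0
    for _ in range(trials):
        won, n = run_game(predicate, bit_flip_adversary)
        wins += won
        answered += n
    return wins, answered
```

Under pred_cca2 the flipped ciphertext differs from c*, so the oracle answers and the adversary wins every game; under pred_gcca2 and pred_rcca2 the very same query is refused because it decrypts to the challenge plaintext, which is exactly the relaxation that makes C' gCCA2 secure whenever C is CCA2 secure.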

13.3 Cryptographic Hardness Assumptions

Since their inception, public-key cryptosystems have been made and broken simultaneously. The main reason behind this is that it is difficult (intuitively impossible) to construct unconditionally secure or perfectly secure cryptosystems. The next best thing that can be achieved is to reduce the hardness of breaking the cryptosystem to a "believed-to-be-hard" problem, either computational or decisional. Thus, one of the main tasks while constructing a secure cryptosystem is to look for a suitable "hard" problem to which its security can be reduced. In this section, we review some of the hard problems available in the cryptographic literature and the mathematics lying behind them.

Let A and B be two problems. A ≤_P B (A polytime-reduces to B) if there exists an algorithm, running in time polynomial in the input length of A, that solves A by making use of an oracle that solves B.

13.3.1 Factorization Problem and RSA Problem

Let p and q be two large primes of the same bit-size k (i.e., 2^(k−1) < p, q < 2^k − 1) and set N = pq. The factorization problem is to find p, q given N and k. By Euclid's theorem, we know that N is either prime or has prime factors. Consequently, another related problem arises: to check whether N is prime or not. In fact, this problem, known as primality testing, is the decisional version of the computational problem of factoring. These two problems are among the most discussed problems in number theory. As with other decisional-computational pairs, it has been shown that there exist efficient (both deterministic and probabilistic) algorithms for primality testing, whereas the problem of factorization is yet to find an efficient algorithm even in the probabilistic sense. That is the reason why the security of RSA, Rabin and various other cryptosystems till date relies on the hardness of factorization. Two other problems closely related to the factorization problem are the RSA Problem and the Strong RSA Problem.

Definition 3.2 (RSA Problem): Given an integer n that is the product of two sufficiently large randomly chosen primes, an integer e > 1 that is relatively prime to φ(n), and an element a chosen randomly from Z_n^*, compute the x ∈ Z_n^* such that x^e ≡ a (mod n).

Definition 3.3 (Strong RSA Problem): Given an integer n that is the product of two sufficiently large randomly chosen primes and an element a chosen randomly from Z_n^*, compute an x ∈ Z_n^* and an integer e > 1 such that x^e ≡ a (mod n).

It can be shown that

Strong RSA Problem ≤_P RSA Problem ≤_P Factorization Problem.

Another problem in this context is the Super Strong RSA Problem, which is discussed in Section 7.2 on pseudo-free groups.
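The Python program below is an added example, not code from the chapter. It makes the reduction chain Strong RSA ≤_P RSA ≤_P Factorization concrete on a toy modulus: a Miller-Rabin test for the decisional problem, exhaustive trial division for the computational one, an RSA-problem solver that is handed the factors, and a Strong-RSA solver that only consults an RSA oracle. The modulus 3233 = 53 · 61 and the function names (rsa_solve_with_factors, make_rsa_oracle, strong_rsa_solve_with_rsa_oracle) are the example's own constructions.

```python
from math import gcd
import random


def miller_rabin(n, rounds=25):
    """Probabilistic primality test: the decisional problem, solved in
    polynomial time (a composite survives all rounds with prob. <= 4^-rounds)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False              # a is a witness of compositeness
    return True


def factor_trial_division(N):
    """The computational problem by exhaustive search: exponential in the
    bit-length of N, so usable only for toy moduli such as the one below."""
    p = 2
    while p * p <= N:
        if N % p == 0:
            return p, N // p
        p += 1
    raise ValueError("N is prime")


def rsa_solve_with_factors(n, e, a, p, q):
    """RSA Problem <=_P Factorization: p and q give phi(n), hence the
    exponent d = e^{-1} mod phi(n), and the e-th root is x = a^d mod n."""
    ph = (p - 1) * (q - 1)
    d = pow(e, -1, ph)                # requires gcd(e, phi(n)) = 1
    return pow(a, d, n)


def make_rsa_oracle(p, q):
    """An RSA-problem oracle built from the factorization (demo only); it
    answers None when e is not admissible, i.e. gcd(e, phi(n)) != 1."""
    n, ph = p * q, (p - 1) * (q - 1)

    def oracle(n_query, e, a):
        if n_query != n or gcd(e, ph) != 1:
            return None
        return rsa_solve_with_factors(n, e, a, p, q)
    return oracle


def strong_rsa_solve_with_rsa_oracle(n, a, rsa_oracle):
    """Strong RSA <=_P RSA: the solver may pick any exponent e > 1, so it
    tries small odd e until the RSA oracle returns a valid e-th root."""
    for e in range(3, 10_000, 2):
        x = rsa_oracle(n, e, a)
        if x is not None and pow(x, e, n) == a:
            return x, e
    raise RuntimeError("no admissible exponent found")
```

The asymmetry the text describes is visible in the two "problem" functions: miller_rabin costs a handful of modular exponentiations however large n is, while factor_trial_division would never finish on a modulus of realistic size.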

13.3.2 Discrete Logarithm Problem & Diffie-Hellman Problem

Though this class of problems was studied earlier in the literature, it mainly came into focus with the Diffie-Hellman paper [29]. Let G = ⟨g⟩ be a cyclic group of (prime) order p.

Definition 3.4 (Discrete Logarithm Problem (DLP)): The DLP is to compute a from p, g, g^a, where a ∈_R Z_{p−1}.

A problem very closely related to the DLP is:

Definition 3.5 (Computational Diffie-Hellman Problem (CDH)): In the same setting, the CDH problem is to compute g^{ab} from p, g, g^a, g^b, where a, b ∈_R Z_{p−1}. ('∈_R' denotes random selection of elements.)

It is clear that CDH is no harder than DLP. But the converse is less clear. Suppose that Eve has an algorithm that efficiently solves CDH. Can she use it to efficiently solve the DLP as well? The answer is not known. The next very closely related problem is the decisional version of CDH:

Definition 3.6 (Decisional Diffie-Hellman Problem (DDH)): Again in the same setting, the DDH problem is to distinguish between g^{ab} and g^c, given p, g, g^a, g^b, where a, b, c ∈_R Z_{p−1}, i.e., to decide whether ab ≡ c (mod (p − 1)) or not.

We again observe that if we can solve the CDH problem, we can compute g^{ab} and check whether it is equal to g^c, thereby solving the DDH problem. In fact, CDH is strictly harder than DDH. There exist groups where it is easy to solve DDH but hard to solve CDH. Such groups are known as Gap Diffie-Hellman groups, and the problem of solving CDH in Gap Diffie-Hellman groups is known as the Gap Diffie-Hellman problem.

Theorem 3.1: DDH <_P CDH ≤_P DLP.

There are more variants of the Diffie-Hellman problem, like the Strong Diffie-Hellman Problem (SDH), Square Diffie-Hellman Problem (SqDH) and Inverse Diffie-Hellman Problem (IDH) (see [5] for more details), which are not discussed here for brevity.
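As an added example (not the chapter's own code), the Python below spells out the two reductions behind Theorem 3.1 in the group Z_p^* and ties them to the Diffie-Hellman exchange itself: a CDH solver built from a DLP solver, and a DDH distinguisher built from a CDH solver. The DLP solver is exhaustive search, which only works for the toy prime p = 23 with generator g = 5 used in the usage; the function names are the example's own.

```python
def dlp_brute_force(p, g, h):
    """Discrete logarithm of h to base g in Z_p^* by exhaustive search.
    Exponential in the bit-length of p: fine only for toy parameters."""
    x = 1
    for a in range(p - 1):
        if x == h:
            return a
        x = x * g % p
    raise ValueError("h is not in the subgroup generated by g")


def cdh_from_dlp(p, g, ga, gb, dlp_solver=dlp_brute_force):
    """CDH <=_P DLP: recover a = log_g(g^a), then g^{ab} = (g^b)^a."""
    a = dlp_solver(p, g, ga)
    return pow(gb, a, p)


def ddh_from_cdh(p, g, ga, gb, gc, cdh_solver=cdh_from_dlp):
    """DDH <=_P CDH: compute g^{ab} with the CDH solver and compare it to the
    candidate g^c; True iff ab ≡ c (mod p-1)."""
    return cdh_solver(p, g, ga, gb) == gc


def ddh_instance(p, g, a, b, c):
    """Builds the tuple (g^a, g^b, g^c) that a DDH distinguisher is given."""
    return pow(g, a, p), pow(g, b, p), pow(g, c, p)


def dh_exchange(p, g, a, b):
    """Diffie-Hellman key agreement: each party publishes g^x and derives the
    shared key (g^y)^x. Returns (A, B, key_derived_by_a, key_derived_by_b);
    an eavesdropper sees only p, g, A, B, and recovering the key from them is
    exactly the CDH problem."""
    A, B = pow(g, a, p), pow(g, b, p)
    return A, B, pow(B, a, p), pow(A, b, p)
```

The other direction of the chain (DDH from CDH, CDH from DLP) is all that is proved here; nothing in the block turns a DDH distinguisher into a CDH solver, which mirrors the open status of the converse questions in the text.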


13.3.3 Quadratic Residuosity Problem (QRP)

13.3.3.1 Quadratic Residues Modulo a Prime

Definition 3.7: Given a group G, an element y ∈ G is a quadratic residue if there exists an x ∈ G with x^2 = y. An element that is not a quadratic residue is called a quadratic non-residue. (For details and proofs of the propositions and corollaries in this section, one may refer to [47].)

Proposition 3.8: Let p > 2 be prime. Every quadratic residue in Z_p^* has exactly two square roots.

Definition 3.8: Let p > 2 be prime and x ∈ Z_p^*. The Jacobi symbol of x modulo p, J_p(x), is defined as follows:

J_p(x) = +1 if x is a quadratic residue modulo p,
J_p(x) = −1 if x is not a quadratic residue modulo p.

Proposition 3.2: Let p > 2 be prime. Then J_p(x) ≡ x^((p−1)/2) (mod p).

Definition 3.8: Let p > 2 be prime and x, y ∈ Z_p^*. Then J_p(xy) = J_p(x) · J_p(y).

Corollary 3.8: Let p > 2 be prime, x, x' ∈ QR_p and y, y' ∈ QNR_p. Then [xx' mod p] ∈ QR_p, [yy' mod p] ∈ QR_p and [xy mod p] ∈ QNR_p, where QR_p and QNR_p denote the sets of quadratic residues modulo p and quadratic non-residues modulo p respectively.

13.3.3.2 Quadratic Residues Modulo a Composite

We turn our attention to the quadratic residues in the group Z_N^*, where N = pq with p and q primes. Since Z_N^* ≅ Z_p^* × Z_q^*, let y ↔ (y_p, y_q) be the correspondence, where y_p = [y mod p] and y_q = [y mod q]. Let N = pq with p, q distinct primes, and y ∈ Z_N^* with y ↔ (y_p, y_q). Then, y is a quadratic residue modulo N ⇔ y_p is a quadratic residue modulo p and y_q is a quadratic residue modulo q.

The above proposition characterizes the quadratic residues modulo N. Each quadratic residue y ∈ Z_N^* has exactly four square roots. To see this, let y ↔ (y_p, y_q) be a quadratic residue modulo N and let x_p, x_q be square roots of y_p and y_q modulo p and q respectively. Then the four square roots of y are given by the elements in Z_N^* corresponding to

(x_p, x_q), (−x_p, x_q), (x_p, −x_q), (−x_p, −x_q).

Let QR_N denote the set of quadratic residues modulo N. Since squaring modulo N is a four-to-one function, we immediately see that exactly 1/4 of the elements of Z_N^* are quadratic residues. Alternately, we could note that since y ∈ Z_N^* is a quadratic residue iff y_p, y_q are quadratic residues, there is a one-to-one correspondence between QR_N and QR_p × QR_q. Thus, the fraction of quadratic residues modulo N is

|QR_N| / |Z_N^*| = |QR_p| · |QR_q| / |Z_N^*| = ((p − 1)/2 · (q − 1)/2) / ((p − 1)(q − 1)) = 1/4,

in agreement with the above. We now define the Jacobi symbol modulo N, where N = pq is a product of distinct odd primes, as follows:

J_N(x) = J_p(x) · J_q(x).

We define J_N^{+1} as the set of elements in Z_N^* having Jacobi symbol +1, and define J_N^{−1} analogously. From Proposition 3.3.2, it is clear that if x is a quadratic residue modulo N, then J_N(x) = +1. However, J_N(x) = +1 can also occur when J_p(x) = J_q(x) = −1; we therefore introduce the following:

QNR_N^{+1} = {x ∈ Z_N^* | x is not a quadratic residue modulo N, but J_N(x) = +1}.

[Figure: the structure of quadratic residues in Z_p^* and Z_N^*.]

It is now easy to prove the following:

Proposition 3.6: Let N = pq with p, q distinct, odd primes. Then:
1. Exactly half the elements of Z_N^* are in J_N^{+1}.
2. QR_N is contained in J_N^{+1}.
3. Exactly half the elements of J_N^{+1} are in QR_N.

Proposition 3.7: Let N = pq with p, q distinct, odd primes, and x, y ∈ Z_N^*. Then J_N(xy) = J_N(x) · J_N(y).

Corollary 3.8: Let N = pq with p, q distinct, odd primes, and x, x' ∈ QR_N and y, y' ∈ QNR_N^{+1}. Then: [xx' mod N] ∈ QR_N, [yy' mod N] ∈ QR_N and [xy mod N] ∈ QNR_N^{+1}. It is not true that y, y' ∈ J_N^{+1} implies yy' ∈ QR_N. (Instead yy' ∈ J_N^{+1}.)


13.3.3.3 Quadratic Residuosity Problem

In Proposition 3.3.1, we showed an efficient algorithm for deciding whether a given input x is a quadratic residue modulo a prime p. Proposition 3.3.2 shows an easy method to decide the quadratic residuosity of x for a composite modulus N when the factorization of N is known. When the factorization of N is unknown, however, there is no known polynomial-time algorithm for deciding quadratic residuosity. Somewhat surprisingly, a polynomial-time algorithm is known for computing J_N(x) without the factorization of N (using the law of quadratic reciprocity and some other properties of the Jacobi symbol). This leads to a partial test for quadratic residuosity: if for a given input x it holds that J_N(x) = −1, then x cannot be a quadratic residue (see Proposition 3.3.2). This test says nothing in case J_N(x) = +1; it is widely believed that there does not exist any polynomial-time algorithm for deciding quadratic residuosity in this case.

Definition 3.9 (Quadratic Residuosity Problem (QRP)): The Quadratic Residuosity Problem is the problem of deciding whether x ∈ QR_N or x ∈ QNR_N^{+1}, given an x ∈ J_N^{+1}, when the factorization of N is not known.
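The following Python is an added example, not code from the chapter, covering Sections 13.3.3.1 to 13.3.3.3 together: Euler's criterion for a prime modulus, the Jacobi symbol computed by quadratic reciprocity without factoring N, the partial residuosity test that follows from it, the easy decision procedure when the factors are known, and a brute-force count of the sets QR_N, J_N^{+1} and QNR_N^{+1} that checks Proposition 3.6 on a toy modulus. The moduli 21 = 3 · 7 and 77 = 7 · 11 in the usage and all function names are the example's own.

```python
from math import gcd


def legendre(x, p):
    """Euler's criterion for an odd prime p: x^((p-1)/2) mod p is +1 for a
    quadratic residue and p-1 (reported as -1) for a non-residue."""
    r = pow(x % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def jacobi(x, n):
    """Jacobi symbol J_n(x) for odd n > 0 via quadratic reciprocity: runs in
    polynomial time and never needs the factorization of n."""
    assert n > 0 and n % 2 == 1
    x %= n
    result = 1
    while x != 0:
        while x % 2 == 0:                 # pull out factors of 2
            x //= 2
            if n % 8 in (3, 5):
                result = -result
        x, n = n, x                       # reciprocity step
        if x % 4 == 3 and n % 4 == 3:
            result = -result
        x %= n
    return result if n == 1 else 0


def is_qr_with_factors(x, p, q):
    """Deciding residuosity mod N = pq when p, q are known: x is a residue
    iff it is a residue modulo both prime factors."""
    return legendre(x, p) == 1 and legendre(x, q) == 1


def partial_qr_test(x, N):
    """The partial test from the text: J_N(x) = -1 rules out residuosity;
    J_N(x) = +1 leaves the question open (that is the QRP instance)."""
    return "non-residue" if jacobi(x, N) == -1 else "undecided"


def jacobi_matches_product(p, q):
    """Checks J_N(x) = J_p(x) * J_q(x) for every unit x modulo N = pq."""
    N = p * q
    return all(jacobi(x, N) == legendre(x, p) * legendre(x, q)
               for x in range(1, N) if gcd(x, N) == 1)


def qr_structure(p, q):
    """Counts the sets of Proposition 3.6 for a toy modulus N = pq by brute
    force: units of Z_N^*, J_N^{+1}, QR_N and the hard set QNR_N^{+1}."""
    N = p * q
    units = [x for x in range(1, N) if gcd(x, N) == 1]
    qr = {x * x % N for x in units}
    j_plus = [x for x in units if jacobi(x, N) == 1]
    qnr_plus = [x for x in j_plus if x not in qr]
    return {"units": len(units), "j_plus": len(j_plus),
            "qr": len(qr), "qnr_plus": len(qnr_plus)}
```

qr_structure shows the proportions the text derives: half of the units have Jacobi symbol +1, and that half splits evenly between genuine residues and the elements of QNR_N^{+1} that the Jacobi symbol alone cannot separate from them.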

13.3.4 Composite Residuosity Problem (CRP)

Proposition 3.9: Let N = pq, where p, q are distinct odd primes of the same size. Then:

1. gcd(N, φ(N)) = 1.
2. For any integer a ≥ 0, we have (1 + N)^a ≡ (1 + aN) (mod N²). As a consequence, the order of (1 + N) in ℤ*_{N²} is N. That is, (1 + N)^N ≡ 1 (mod N²) and (1 + N)^a ≢ 1 (mod N²) for any 1 ≤ a < N.
3. ℤ_N × ℤ*_N is isomorphic to ℤ*_{N²}, with an isomorphism f : ℤ_N × ℤ*_N → ℤ*_{N²} given by

f(a, b) ≡ [(1 + N)^a · b^N] (mod N²).

The above Proposition 3.4 shows that ℤ_N × ℤ*_N ≅ ℤ*_{N²}. A consequence of this result is that a random element y ∈ ℤ*_{N²} corresponds to a random element (a, b) ∈ ℤ_N × ℤ*_N or, in other words, to an element (a, b) with random a ∈ ℤ_N and random b ∈ ℤ*_N.

An element y ∈ ℤ*_{N²} is said to be an N-th residue modulo N² if there exists x ∈ ℤ*_{N²} with y ≡ x^N (mod N²). We denote the set of N-th residues modulo N² by Res(N²).

Let us characterize the N-th residues in ℤ*_{N²}. Taking any x ∈ ℤ*_{N²} with x ↔ (a, b) and raising it to the N-th power gives:

[x^N (mod N²)] ↔ (a, b)^N = (N·a mod N, b^N mod N) = (0, b^N mod N).

Moreover, we claim that any element y ↔ (0, b) is an N-th residue. To see this, recall that gcd(N, φ(N)) = 1 and so d := [N^{−1} mod φ(N)] exists. So

(a, [b^d mod N])^N = (Na mod N, [b^{dN} mod N]) = (0, b) ↔ y

for any a ∈ ℤ_N. We have thus shown that Res(N²) = {(0, b) | b ∈ ℤ*_N}. The above result also demonstrates that the number of N-th roots of any y ∈ Res(N²) is exactly N, and so computing N-th powers is an N-to-1 function. As a consequence, if r ← ℤ*_{N²} is chosen uniformly at random then [r^N mod N²] is a uniformly distributed element of Res(N²).

13.3.4.1 Composite Residuosity Problem

Definition 3.11: (Composite Residuosity Problem (CRP)): The (Computational) Composite Residuosity Problem (CCRP) is to find an N-th root of a random element of Res(N²).

Definition 3.12: (Decisional Composite Residuosity Problem (DCRP)): The Decisional Composite Residuosity Problem (DCRP) is to distinguish a random element of ℤ*_{N²} from a random element of Res(N²).

Note that unlike the quadratic residuosity assumption, where the quadratic residues and the non-residues with Jacobi symbol +1 are disjoint sets, here Res(N²) ⊆ ℤ*_{N²}. Nevertheless, Res(N²) forms only a negligible fraction of ℤ*_{N²}.

13.3.5 Subgroup Membership Problem (SMP)

Let us consider the multiplicative group ℤ*_p of integers modulo a large prime p = 2n + 1, where n = q0 q1 and p, q0, q1 are large distinct primes. Let k = |q0| = |q1|, the size of the binary representation of both q0 and q1. ℤ*_p is a cyclic group of order p − 1, with exactly one subgroup for each positive divisor of p − 1. Thus, ℤ*_p has proper subgroups G_n, G_{2q0}, G_{2q1}, G_{q0}, G_{q1}, G_2 and G_1, of order n, 2q0, 2q1, q0, q1, 2 and 1, respectively. Let H = G_{q0} × G_{q1}, the direct product of G_{q0} and G_{q1}. In what follows, all operations are assumed to be reduced modulo p except where otherwise mentioned.

Lemma 3.10: [58] The groups H and G_n are isomorphic, via f : H → G_n given by (y0, y1) → y0 y1.

If g0 and g1 are generators of G_{q0} and G_{q1} respectively, then g = g0 g1 is a generator of G_n, and any element y ∈ G_n can be expressed as y = g^x, where x ∈ ℤ_n. Thus, we can write y = g^x = g0^{x0} g1^{x1}, where x ≡ x0 (mod q0) and x ≡ x1 (mod q1). We know by virtue of the Chinese Remainder Theorem (CRT) that such a system of equations has a unique solution, namely x ≡ x0 α0 + x1 α1 (mod n), where α0 ≡ q1 (q1^{−1} mod q0) and α1 ≡ q0 (q0^{−1} mod q1). Knowledge of the factorisation of p − 1 allows us to compute the inverse of f, defined in Lemma 3.10, as follows:

f^{−1} : G_n → H = G_{q0} × G_{q1} given by y → (y^{α0}, y^{α1}).

No efficient (i.e., probabilistic polynomial-time) algorithm that can compute the inverse of f without knowledge of the factorisation of p − 1 is known, and thus the factorization of p − 1 is the trapdoor information. Based on this, a computational problem, the Projection Problem (PP), was proposed in [58].

Definition 3.13: (Projection Problem (PP)): Given y ∈ G_n, the Projection Problem entails finding (y0, y1) ∈ G_{q0} × G_{q1} such that y ≡ y0 y1 (mod p).

Definition 3.14: (Subgroup Membership Problem (SMP)): Given y ∈ G_n × G_n, the Subgroup Membership Problem entails checking whether y ∈ G_{q0} × G_{q1} or not.

Lemma 3.11: [58] SMP ≤_P PP.

13.3.6 Other Problems

There are many other computational and decisional problems that are useful in cryptography, like the Knapsack Problem or Subset Sum Problem, the Bilinear Diffie-Hellman Problem (BDH) in bilinear groups, the Shortest Vector Problem (SVP) and Closest Vector Problem (CVP) in lattices etc., which are not discussed further for brevity.

13.4 The Proof Methodology: Standard Model & Random Oracle Model

Now, we turn our attention towards proving the security of a public key cryptosystem Π = (Gen, Enc, Dec) against an adversary with a certain power and a certain goal. The standard technique for this is to show that if there exists a probabilistic polynomial-time adversary A that can win the security game defined in Section 2.2 with non-negligible probability, then we can construct an efficient algorithm B that can solve a “believed-to-be-hard” problem P. Then Π is said to be secure against A if P is hard. This is known as standard model security. On the other hand, reducing the hardness of breaking Π to the hardness of P without any other assumption may be difficult at times. One of the solutions to this problem is the Random Oracle Model. First proposed by Bellare and Rogaway [10], the random oracle model assumes that fair players and adversaries alike have access to a shared, truly random function known as a random oracle. On input of a string x ∈ {0,1}*, a random oracle R that has not been given x before will generate and output a random string r, so that R(x) = r for all subsequent queries. One way to think of a random oracle is as an ideal hash function, one that has no statistical properties that might be exploited by a malicious adversary. In the random oracle model, we prove certain things about algorithms assuming access to a perfect random oracle R. The random oracle model goes on to make an additional assumption: that ideal random oracles can be effectively approximated, for it is clear from a computational complexity perspective that they cannot exist.


Though this methodology has given us efficient and yet secure (in the ideal sense) cryptosystems, recent analysis [19] of the random oracle model has revealed that certain cryptosystems that are provably secure in the random oracle model are in fact provably insecure in every practical implementation. Such results cast serious doubt on the strength of security attainable within the bounds of the random oracle model.

13.5 Some Special Types of Cryptosystems

1. Deterministic and Probabilistic Encryption: Let Π = (Gen, Enc, Dec) be an encryption scheme. We say that Π is deterministic if Enc is deterministic. The text-book (original) RSA and Rabin cryptosystems (discussed in Sections 6.1 and 6.3) are examples of deterministic encryption schemes. The notion and importance of probabilistic encryption (Enc is probabilistic) was put forward by Goldwasser and Micali in [40]. In fact, the classical notions of data-privacy for public-key encryption schemes, namely indistinguishability or semantic security under chosen-plaintext or chosen-ciphertext attack, can only be achieved when the encryption algorithm is randomized or probabilistic. However, recent works of Bellare, O'Neill and others [7], [14] on the notion and security of deterministic encryption schemes have attracted interest due to their applications in searchability.

2. Anonymous Encryption and Key-privacy: The notion of anonymous encryption and key-privacy was introduced by Bellare et al. in [6]. It asks that an eavesdropper in possession of a ciphertext not be able to tell which specific key, out of a set of known public keys, is the one under which the ciphertext was created, meaning the receiver is anonymous from the point of view of the adversary. They proved that the ElGamal scheme provides anonymity under chosen-plaintext attack assuming the Decision Diffie-Hellman problem is hard, and that the Cramer-Shoup scheme provides anonymity under chosen-ciphertext attack under the same assumption. It is worth mentioning that the notion of key-privacy is orthogonal to that of data-privacy.

3. Identity-based Encryption: Identity-based cryptography is an extension of the public-key paradigm, initially suggested by Adi Shamir [72]. Where individuals are involved, sending encrypted messages is usually a cumbersome process. Each time a user wants to communicate with a new person, he needs to get a public key or a certificate for this person, to check that the key corresponds to an algorithm his encryption software is compatible with, and finally to proceed to the encryption step. Moreover, if the person has not already set up a public key, the user needs an initial contact to ask for one. Indeed, if no one sends them encrypted mail, most people do not feel the need for a public key. Even in the case of unencrypted communications, the user already needs to learn some basic information like the other person's telephone number, e-mail address or similar information before he can communicate with them. It would be extremely nice if this basic information could replace the need for an encryption key altogether. In the identity-based framework, one could send encrypted messages to anyone, without worrying about their public key. Of course, if the recipient of a message does not know his private decryption key, he cannot decrypt the messages he receives. However, this gives him a strong motivation to go and get this key. Clearly, the key ingredient of identity-based encryption is going to be the computation of these private keys. Of course, it should not be possible to efficiently compute the private key from the public identity without any additional trapdoor information. Otherwise, anyone could perform the same computation and the system would offer no security. However, being identity-based, the system cannot be based on user-specific information other than their public identity.

After the invention of the identity-based cryptography paradigm by Shamir [72], it was clear that identity-based signature schemes were feasible. However, identity-based encryption (IBE) was a much more challenging task. Neither the RSA nor the Diffie-Hellman cryptosystems can easily be transformed into identity-based encryption systems. In 2001, two nice solutions were discovered. One of these, discovered by Cocks [22] and later improved by Boneh, Gentry and Hamburg in [17], makes use of the properties of quadratic residues modulo an RSA composite. The other solution, proposed by Boneh and Franklin [16], relies on the existence of efficiently computable bilinear pairings on some groups, mostly based on elliptic curves. The advantage of these new solutions is that their key generation is efficient; more precisely, knowing the main secret, it can be performed in polynomial time. For a detailed study on constructions and security notions of IBE, readers may consult a recent book by Sarkar and Chatterjee [71].

4. Attribute-based Encryption: Attribute-based Encryption, a generalization of identity-based encryption, was introduced by Sahai and Waters in [70], where we view identities as a set of descriptive attributes.
In this application a party will wish to encrypt a document to all users that have a certain set of attributes. For example, in a computer science department, the chairperson might want to encrypt a document to all of its systems faculty on a hiring committee. In this case it would encrypt to the identity “hiring-committee”, “faculty”, “systems”. Any user who has an identity that contains all of these attributes could decrypt the document.

5. Searchable Encryption: The study of searching on encrypted data in the public-key setting was initiated by Boneh et al. in [15] and subsequently explored by others. The following example motivates the need for searchable encryption: Consider user Bob who sends email to user Alice encrypted under Alice's public key. An email gateway wants to test whether the email contains the keyword “urgent” so that it can route the email accordingly. Alice, on the other hand, does not wish to give the gateway the ability to decrypt all her messages. A mechanism that enables Alice to provide the gateway with a key that lets it test whether the word “urgent” is a keyword in the email, without learning anything else about the email, is searchable encryption. As another example, consider a mail server that stores various messages publicly encrypted for Alice by others. Using this mechanism Alice can send the mail server a key that will enable the server to identify all messages containing some specific keyword, but learn nothing else. Till date, there have been various modifications and constructions [28], [34], [77] of both pairing-based and pairing-free searchable encryption in the random oracle model as well as in the standard model.

6. Rerandomizable Encryption: In some particular settings, it may be necessary for even someone who does not know the secret key to change a ciphertext c into another ciphertext c′ (c ≠ c′) while preserving the same plaintext m. Such a property is useful for privacy-protecting protocols like e-voting, e-auctions etc. Encryption schemes supporting this operation are called rerandomizable.

7. Hybrid Encryption: In general, public-key cryptosystems are slower and hence costlier than their private-key counterparts. As a result, a common practice is to encrypt the secret key of a private-key cryptosystem using a public-key primitive and then to encrypt the (probably larger) message or plaintext using the private-key system. This is known as hybrid encryption. However, there are certain restrictions and techniques, like [36], [52], on how to compose two different cryptographic primitives without compromising the resulting security.

8. Signcryption: Message confidentiality and authenticity are the two most important goals of public-key cryptography, the former being taken care of by encryption and the latter by digital signatures. A natural question one can now ask is how to integrate encryption and signature schemes in an efficient way without sacrificing each scheme's security; in other words, how to efficiently provide communicated messages with confidentiality and authenticity simultaneously as one cryptographic function. In 1997, Zheng [80] gave a positive answer to the question: he proposed a cryptographic scheme called “signcryption” which integrates the functionality of discrete-log-based public-key encryption and digital signature schemes in a very efficient way.
A factorization-based signcryption scheme was also proposed by Steinfeld and Zheng in [75]. In 2002, two independent works by An et al. [2] and Baek et al. [4] laid down the formal security notions for signcryption schemes. A recent book by Dent and Zheng [27] discusses the motivation, notions and constructions of various signcryption schemes.

9. Deniable Encryption: Consider a situation in which the transmission of an encrypted message can be intercepted by an authority, and subsequently (say, in response to a court order) the sender can be coerced to reveal the keys and random choices used in generating the ciphertext, thereby revealing the message sent. An encryption scheme is deniable if the sender can generate “plausible” keys and random choices that will satisfy the authority and at the same time keep the past communication private. Deniable encryption [18] is a strong primitive. In particular, it yields the first solution to the problem of incoercible (“receipt-free”) voting requiring no physical security assumptions. Deniable encryption also provides a simple and elegant implementation of adaptively secure multi-party computation.

10. Questionable Encryption: Questionable Encryption [78] is a cryptographic primitive that is related to oblivious transfer. Consider a mobile agent that asymmetrically encrypts plaintext data from the host machine that it resides on and then broadcasts the resulting ciphertext so that it can be obtained by the creator of the agent. The user of a questionable encryption scheme chooses to generate a real or a fake public key. The choice is conveyed to the key generation algorithm, which then outputs a poly-sized witness and either a real or a fake key pair. If the public key is ‘real’ then it produces decipherable encryptions and the poly-sized witness proves this. If the key is generated to be ‘fake’ then it produces indecipherable encryptions (even with the private key) and the poly-sized witness proves this. Without knowledge of the witness it is intractable to distinguish between the two types of public keys. Two constructions of a questionable encryption scheme can be found in [78] and [79], the former being based on the Paillier cryptosystem and the latter on the Elgamal cryptosystem.

11. (Group) Homomorphic Encryption: Although malleability (discussed in Section 2.2) limits the theoretical security of a cryptosystem, it is not necessarily an undesired property. A special class of cryptosystems, called homomorphic cryptosystems, is designed specifically to allow simple calculations on ciphertexts. In most cases, homomorphic cryptosystems allow someone to take two encrypted messages Enc(m1) and Enc(m2) and calculate Enc(m1 + m2) or Enc(m1 m2) without knowledge of the private key. In fact, for encryption to be useful in sophisticated applications (such as voting or mix-nets), the scheme should have features which allow computation on encrypted messages (e.g., features like rerandomizability, proxy re-encryption, searchability and different kinds of homomorphism properties). However, IND-CCA2 security rules out any such feature which operates on encrypted messages, while IND-CPA security does not exclude the possibility that a scheme may have additional “unforeseen features” that an adversary can exploit when the scheme is used in a larger application.
A recent research direction in this context is to find the maximum level of security (lying between CCA2 and CPA security) that can be achieved by such cryptosystems. It is worth mentioning here that many of the cryptosystems like [32], [40], [58], [60], [61], [65], [68] etc. discussed in this survey are homomorphic over abelian groups.

12. Fully Homomorphic Encryption: Fully Homomorphic Encryption is often referred to as the “holy grail” of cryptography. In this setting, anyone with encrypted messages Enc(m1), Enc(m2), …, Enc(mn) can compute Enc(f(m1, m2, …, mn)) without knowledge of the private key, for any efficiently computable function f. It remained an open problem for 35 years before Craig Gentry in [37] first realized a fully homomorphic encryption scheme using ideal lattices. Since then, it has been a hot topic in the cryptographic community and numerous efforts [30], [38], [39], [73], [74] etc. have been made to make it efficiently implementable and to put it into practical use. The main reason for such a high tide is the fact that the existence of a fully homomorphic encryption scheme implies the existence and construction of lots of important cryptographic primitives and applications like cloud computing, oblivious transfer, multiparty computation, searchability etc.


13.6  Some Classical Public-key Cryptosystems 13.6.1 The RSA Cryptosystem (1978) Although the Diffie-Hellman Key-Exchange protocol was the genesis of a profound investigation into the notion of PKC, their scheme did not provide a complete solution to the establishment of a complete PKC. They provided only a mechanism for the exchange of keys and, by the authors’ own admission, left open the problem of establishing a working secure PKC. In 1978, a paper [68] was published by R. Rivest, A. Shamir, and L. Adleman. In this paper they describe a public-key cryptosystem, including key generation and a public-key cipher, whose security rests upon the presumed difficulty of factoring integers into their prime factors. This cryptosystem, which has come to be known by the acronym from the authors’ names, the RSA cryptosystem, has stood the test of time to this day, where it is used in cryptographic applications from banking and in e-mail security to e-commerce on the Internet. We will be discussing all these applications as we progress, and we will provide the details of the RSA algorithm later. The astonishing aspect of the RSA cipher is that it rests upon mathematical developments from the eighteenth century, merely updated to our modern-day information-based computer world. In the RSA paper [68], Alice and Bob make their first appearance as sender and recipient of messages. These characters were quickly adopted by the cryptographic community and were expanded to include a family of characters, such as Eve, and a host of others whom we will meet as our horizons broaden in our travels. To set up an RSA cryptosystem, we have to multiply two very large primes and make their product N public. N is part of the public key, whereas the factors of N are kept secret and are used as the secret key. The basic idea is that the factors of N cannot be recovered from N. 
In fact, the security of the RSA encryption function depends on the tremendous difficulty of factoring, but the equivalence is not proven.

13.6.1.1 The RSA Cryptosystem

Key Gen:
1. Choose large distinct primes p and q, and compute N = p·q.
2. Choose e that is prime to φ(N). The pair (N, e) is published as the public key.
3. Compute d with ed ≡ 1 (mod φ(N)). (N, d) is used as the private key.

Encryption: Given m ∈ {0, 1, …, N − 1},
1. c = Enc(m) = m^e (mod N).

Decryption: Given c ∈ ℤ_N and private key (N, d),
1. Compute m = Dec(c) = c^d (mod N).


13.6.1.2 Some Discussions

1. Original RSA encryption is deterministic and homomorphic. As a result, it is not even IND-CPA secure. Even its one-wayness depends on a potentially stronger assumption than the factorization assumption, namely the RSA assumption.
2. However, Bellare and Rogaway in [11] showed how to transform RSA into a non-malleable cryptosystem in the random oracle model.
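As an added example (not the chapter's code), the Python below implements textbook RSA as listed above together with the two observations of discussion point 1: a distinguisher that wins the IND-CPA game simply by re-encrypting a candidate plaintext, and the multiplicative homomorphism. The primes 61 and 53 with e = 17 are constructed toy values.

```python
from math import gcd


def keygen(p, q, e):
    """Textbook RSA key generation: N = pq, e coprime to phi(N), d = e^-1 mod phi(N)."""
    N, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(N)")
    return (N, e), (N, pow(e, -1, phi))


def encrypt(pk, m):
    """Enc(m) = m^e mod N; no randomness is involved, so Enc is deterministic."""
    N, e = pk
    return pow(m, e, N)


def decrypt(sk, c):
    """Dec(c) = c^d mod N."""
    N, d = sk
    return pow(c, d, N)


def cpa_adversary(pk, m0, m1, c):
    """IND-CPA distinguisher against the deterministic scheme: re-encrypting m0
    under the public key reproduces the challenge exactly whenever b = 0."""
    return 0 if encrypt(pk, m0) == c else 1


def cpa_game(pk, m0, m1, b):
    """Challenger encrypts m_b; return True if the adversary's guess equals b."""
    c = encrypt(pk, m1 if b else m0)
    return cpa_adversary(pk, m0, m1, c) == b


def homomorphic_check(pk, m1, m2):
    """Enc(m1) * Enc(m2) = (m1 * m2)^e = Enc(m1 * m2 mod N): the multiplicative homomorphism."""
    N, _ = pk
    return (encrypt(pk, m1) * encrypt(pk, m2)) % N == encrypt(pk, (m1 * m2) % N)


if __name__ == "__main__":
    pk, sk = keygen(61, 53, 17)                # constructed toy key: N = 3233
    c = encrypt(pk, 65)
    print("Enc(65) =", c, "Dec =", decrypt(sk, c))
    print("adversary wins for b=0 and b=1:", cpa_game(pk, 100, 200, 0), cpa_game(pk, 100, 200, 1))
    print("Enc(m1)*Enc(m2) == Enc(m1*m2):", homomorphic_check(pk, 100, 200))
```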

13.6.2 The Elgamal Cryptosystem (1985)

Although the Diffie-Hellman key exchange algorithm provides a method of publicly sharing a random secret key, it does not achieve the full goal of being a public key cryptosystem, since a cryptosystem permits the exchange of specific information, not just a random string of bits. The first public key cryptosystem was the RSA system of Rivest, Shamir, and Adleman, which they published in 1978. RSA was, and still is, a fundamentally important discovery. However, although RSA was historically first, the most natural development of a public key cryptosystem following the Diffie-Hellman paper is a system described by Taher ElGamal [32] in 1985. The ElGamal public key encryption algorithm is based on the discrete log problem and is closely related to Diffie-Hellman key exchange. In this section we describe the version of the ElGamal PKC that is based on the discrete logarithm problem for ℤ*_p, but the construction works quite generally using the DLP in any group. For the ElGamal cryptosystem, Bob needs a large prime number p for which the discrete logarithm problem in ℤ*_p is difficult, and he needs an element g modulo p of large (prime) order. He may choose p and g himself, or they may have been preselected by some trusted party such as an industry panel or government agency.

13.6.2.1 The Elgamal Cryptosystem

Key Gen:
1. Choose a large prime p = 2q + 1, q being prime, and g ∈ ℤ*_p of order q.
2. Choose an element a ∈ ℤ_q and compute A ≡ g^a (mod p).
3. Set (g, A, p) as the public key and (a, p) as the private key.

Encryption: Given m ∈ ℤ*_p,
1. Choose an ephemeral key r and compute c1 = g^r mod p; c2 = m·A^r mod p.
2. Send the ciphertext c = (c1, c2).

Decryption: Given c = (c1, c2) and private key (a, p),
1. Compute m = (c1^a)^{−1} · c2 mod p.


13.6.2.2 Some Discussions

1. Elgamal encryption is probabilistic and multiplicatively homomorphic.
2. It is one-way if the CDH assumption holds and IND-CPA secure if the DDH assumption holds.
3. It is perhaps the most talked-about encryption scheme after RSA. In fact, in some cases, it is even more useful than RSA-type schemes.
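An added example (not the chapter's code) of the scheme above in Python, using the constructed safe prime p = 23 (q = 11) and g = 4 of order 11. It shows discussion point 1 in action: one message has many ciphertexts depending on the ephemeral key r, and the componentwise product of two ciphertexts decrypts to the product of the plaintexts.

```python
import random


def keygen(p, q, g, a=None):
    """p = 2q + 1 with q prime, g of order q; the secret a is drawn from Z_q."""
    if p - 1 != 2 * q or g == 1 or pow(g, q, p) != 1:
        raise ValueError("need p = 2q + 1 and g of order q")
    a = random.randrange(1, q) if a is None else a
    return (g, pow(g, a, p), p), (a, p)


def encrypt(pk, m, r=None):
    """c = (g^r, m * A^r) mod p with a fresh ephemeral key r unless one is supplied."""
    g, A, p = pk
    q = (p - 1) // 2
    r = random.randrange(1, q) if r is None else r
    return pow(g, r, p), (m * pow(A, r, p)) % p


def decrypt(sk, c):
    """m = (c1^a)^-1 * c2 mod p: c1^a = g^(ra) = A^r cancels the mask on c2."""
    a, p = sk
    c1, c2 = c
    return (pow(pow(c1, a, p), -1, p) * c2) % p


def multiply_ciphertexts(pk, c, c_prime):
    """(g^r * g^r', m A^r * m' A^r') = (g^(r+r'), m m' A^(r+r')) encrypts m*m' mod p."""
    p = pk[2]
    return (c[0] * c_prime[0]) % p, (c[1] * c_prime[1]) % p


def same_plaintext_distinct_ciphertexts(pk, sk, m, r1, r2):
    """Probabilistic encryption: two encryptions of m under r1 != r2 differ, yet both decrypt to m."""
    c1, c2 = encrypt(pk, m, r1), encrypt(pk, m, r2)
    return c1 != c2 and decrypt(sk, c1) == m and decrypt(sk, c2) == m


if __name__ == "__main__":
    pk, sk = keygen(23, 11, 4, a=6)             # constructed toy parameters
    c = encrypt(pk, 7, r=3)
    print("pk =", pk, "Enc(7; r=3) =", c, "Dec =", decrypt(sk, c))
    prod = multiply_ciphertexts(pk, encrypt(pk, 5), encrypt(pk, 9))
    print("Dec(Enc(5) * Enc(9)) =", decrypt(sk, prod), "= 5*9 mod 23 =", (5 * 9) % 23)
```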

13.6.3 The Rabin Cryptosystem (1979)

13.6.3.1 The Rabin Cryptosystem (Probabilistic, CPA-secure version)

Key Gen:
1. Choose two k-bit primes p, q such that p ≡ q ≡ 3 (mod 4) and set N = p·q.
2. Set the public key as N and the private key as (p, q).

Encryption: Given m ∈ {0, 1},
1. Choose x uniformly at random from the quadratic residues modulo N and compute c, c′.
2. Set the ciphertext C = (c, c′).

Decryption: Given C = (c, c′),
1. Compute the unique quadratic residue x modulo N such that x² ≡ c (mod N).
2. Compute m = lsb(x) ⊕ c′.

In the RSA encryption scheme, we have seen that breaking the RSA function is at most as hard as factorization, but it is not known to be as hard as factorization. (It may even be potentially easier than factorization.) Michael O. Rabin, in 1979, proposed another public-key encryption scheme [65] which is as hard as the factorization of a number N = p·q. This makes the Rabin encryption scheme attractive at least from the theoretical point of view. Interestingly, the Rabin encryption scheme is (superficially, at least) very similar to RSA encryption, yet has the advantage of being based on a potentially weaker assumption. The security of the Rabin scheme is based on the fact that it is easy to compute square roots modulo a composite N if the factorization is known, yet it appears difficult to compute square roots modulo N when the factorization of N is unknown. In fact, we will see that computing square roots modulo N is equivalent to (i.e., it is equally hard as) factorizing N. Due to this equivalence, a version of the Rabin scheme can be shown to be CPA-secure based solely on the assumption that factoring is hard. The Rabin encryption scheme requires the receiver to compute modular square roots, and so we look into this matter. It is not hard to see that an algorithm for computing square


roots modulo a prime can be easily extended to the case of computing square roots modulo a composite N = p·q of known factorization. Let us see how. Suppose we need to find a square root of a modulo N. First, we compute a_p ≡ a (mod p) and a_q ≡ a (mod q). Now, using the algorithm for computing square roots modulo a prime, we find a square root x_p of a_p modulo p and a square root x_q of a_q modulo q. Next, we convert the representation (x_p, x_q) ∈ ℤ*_p × ℤ*_q to x ∈ ℤ*_N with x ↔ (x_p, x_q). Thus, we get x as the required square root modulo N. Note that there are two square roots of a modulo p and two square roots of a modulo q. Thus, it is easy to modify the above algorithm to get all four square roots of a modulo N.

13.6.3.2 Some Discussions

1. Rabin encryption is probabilistic.
2. It is IND-CPA secure iff the factorization assumption holds.
3. “The fact that RSA is more widely-used than this scheme seems to be due more to historical factors than technical ones.” - Katz & Lindell [47].
4. Rabin vs RSA: It is worthwhile to remark on the similarities and differences between the Rabin and RSA cryptosystems. At a basic level, the RSA and Rabin trapdoor permutations appear quite similar, with squaring in the case of Rabin corresponding to taking e = 2 in the case of RSA. (Of course, 2 is not relatively prime to φ(N), and so Rabin is not a special case of RSA.) In terms of the security offered by each construction, we have noted that the hardness of computing modular square roots is equivalent to the hardness of factoring, while the hardness of solving the RSA problem is not known to be implied by the hardness of factoring. The Rabin trapdoor permutation is thus based on a potentially weaker assumption. It is theoretically possible that someone might develop an efficient algorithm for solving the RSA problem, yet computing square roots will remain hard. More plausible is that someone will propose an algorithm that solves the RSA problem in less time than it takes to factor. But computing square roots can never be much faster than the best available algorithm for factoring N. In terms of their efficiency, the RSA and the Rabin permutations are essentially the same. Actually, if a large exponent e is used in the case of RSA, then computing e-th powers (as in RSA) is slightly slower than squaring (as in Rabin). On the other hand, a bit more care is required when working with the Rabin permutation since it is only a permutation over a subset of ℤ*_N, in contrast to RSA, which gives a permutation over all of ℤ*_N.
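The following Python is an added example (not from the chapter): it computes square roots modulo a prime p ≡ 3 (mod 4) as a^((p+1)/4), recombines them by CRT into all four roots modulo N as described above, and uses the unique residue root for the one-bit scheme of Section 13.6.3.1; the pair c = x² mod N, c′ = lsb(x) ⊕ m is the one implied by the decryption rule. The primes 7 and 11 are constructed toy values.

```python
import random
from math import gcd


def sqrt_mod_blum_prime(a, p):
    """Square root modulo a prime p = 3 (mod 4): a^((p+1)/4); valid when a is a residue."""
    if p % 4 != 3:
        raise ValueError("p must be 3 mod 4")
    return pow(a, (p + 1) // 4, p)


def crt(xp, xq, p, q):
    """Map (xp, xq) in Z*_p x Z*_q back to the x in Z*_N with x <-> (xp, xq)."""
    return (xp * q * pow(q, -1, p) + xq * p * pow(p, -1, q)) % (p * q)


def square_roots_mod_N(a, p, q):
    """All four square roots of a residue a modulo N = pq, one per sign choice."""
    xp, xq = sqrt_mod_blum_prime(a % p, p), sqrt_mod_blum_prime(a % q, q)
    if (xp * xp) % p != a % p or (xq * xq) % q != a % q:
        raise ValueError("a is not a quadratic residue modulo N")
    return sorted(crt(sp * xp % p, sq * xq % q, p, q) for sp in (1, -1) for sq in (1, -1))


def is_qr(x, p, q):
    """Euler's criterion modulo both prime factors (needs the private key)."""
    return pow(x % p, (p - 1) // 2, p) == 1 and pow(x % q, (q - 1) // 2, q) == 1


def keygen(p, q):
    if p % 4 != 3 or q % 4 != 3 or p == q:
        raise ValueError("need distinct primes p = q = 3 (mod 4)")
    return p * q, (p, q)


def encrypt(N, m, r=None):
    """Encrypt one bit: x is a random residue (the square of a random unit r),
    c = x^2 mod N and c' = lsb(x) xor m."""
    if r is None:
        r = random.randrange(2, N)
        while gcd(r, N) != 1:
            r = random.randrange(2, N)
    x = (r * r) % N
    return (x * x) % N, (x & 1) ^ m


def decrypt(sk, C):
    """Recover the unique residue root x of c (squaring permutes QR_N for such N), then m."""
    p, q = sk
    c, c_prime = C
    roots = [x for x in square_roots_mod_N(c, p, q) if is_qr(x, p, q)]
    if len(roots) != 1:
        raise ValueError("expected exactly one residue among the four roots")
    return (roots[0] & 1) ^ c_prime


if __name__ == "__main__":
    N, sk = keygen(7, 11)                       # constructed toy key, N = 77
    print("square roots of 4 mod 77:", square_roots_mod_N(4, 7, 11))
    C = encrypt(N, 1, r=3)
    print("Enc(1; r=3) =", C, "Dec =", decrypt(sk, C))
```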


13.6.4 The Goldwasser-Micali Cryptosystem (1984)

Key Generation:
1. Choose two k-bit primes p, q, set N = p·q, and choose z uniformly at random among the quadratic non-residues modulo N with Jacobi symbol +1.
2. Set the public key as (N, z) and the private key as (p, q).

Encryption: Given m ∈ {0, 1},
1. Choose x ∈_R ℤ*_N and compute the ciphertext C = [z^m · x² mod N].

Decryption: Given a ciphertext C,
1. Determine whether C is a quadratic residue modulo N using the knowledge of p, q and Proposition 3.3.2.
2. If C is a quadratic residue, output 0; otherwise output 1.

13.6.4.1 Some Discussions

1. The Goldwasser-Micali Cryptosystem is a probabilistic cryptosystem. In the encryption stage, x is chosen randomly by the sender, as a result of which the same bit may have more than one encryption.
2. Though the Goldwasser-Micali Cryptosystem is not the first cryptosystem to have probabilistic encryption (the Elgamal Cryptosystem being the first), they were the first to point out the importance of probabilistic encryption.
3. The Goldwasser-Micali Cryptosystem is multiplicatively homomorphic, i.e., Enc(m1 + m2) = Enc(m1)·Enc(m2).
4. Choosing a random z that is a quadratic non-residue with Jacobi symbol +1 is not easy without the knowledge of p and q. Thus, this z is provided by the receiver in the initialization stage.
5. Observe that the Quadratic Residuosity Assumption is a stronger assumption than the Factorization Assumption. It follows from the fact that if one is able to factorize the composite modulus, the QR-assumption does not hold any more.
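As an added example (not the chapter's code) serving both the Jacobi-symbol partial test of Section 13.3.3.3 and the Goldwasser-Micali scheme above, the Python below computes J_N(x) by quadratic reciprocity without factoring, decides residuosity with the factors via Euler's criterion, and builds the bit encryption on the constructed toy modulus N = 7·11; the helper names are the example's own.

```python
import random
from math import gcd


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, via quadratic reciprocity; no factoring needed."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:              # pull out factors of 2: (2/n) = -1 iff n = 3, 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                    # reciprocity: sign flips iff both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def partial_qr_test(x, N):
    """Without the factorisation: False when x is certainly a non-residue (J_N(x) = -1),
    None when J_N(x) = +1 leaves the question open (this is the QRP)."""
    return False if jacobi(x, N) == -1 else None


def is_qr(x, p, q):
    """With the factorisation: Euler's criterion modulo both primes (Proposition 3.3.2)."""
    return pow(x % p, (p - 1) // 2, p) == 1 and pow(x % q, (q - 1) // 2, q) == 1


def keygen(p, q):
    """N = pq and z, a non-residue with Jacobi symbol +1; picking z needs p and q."""
    N = p * q
    z = next(z for z in range(2, N) if jacobi(z, N) == 1 and not is_qr(z, p, q))
    return (N, z), (p, q)


def encrypt(pk, m, x=None):
    """C = z^m * x^2 mod N for a message bit m and a random unit x."""
    N, z = pk
    if x is None:
        x = random.randrange(1, N)
        while gcd(x, N) != 1:
            x = random.randrange(1, N)
    return (pow(z, m, N) * x * x) % N


def decrypt(sk, C):
    """C is a residue iff m = 0 (x^2 is a residue; z * x^2 is not)."""
    p, q = sk
    return 0 if is_qr(C, p, q) else 1


def xor_homomorphism(pk, sk, m1, m2):
    """Enc(m1) * Enc(m2) = z^(m1+m2) * (x1 x2)^2 decrypts to m1 xor m2."""
    N, _ = pk
    return decrypt(sk, (encrypt(pk, m1) * encrypt(pk, m2)) % N) == (m1 ^ m2)


if __name__ == "__main__":
    pk, sk = keygen(7, 11)                      # constructed toy key, N = 77
    print("pk =", pk, "J_77(6) =", jacobi(6, 77), "partial test on 2:", partial_qr_test(2, 77))
    for bit in (0, 1):
        C = encrypt(pk, bit, x=3)
        print("Enc(", bit, "; x=3) =", C, "Dec =", decrypt(sk, C))
```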

13.6.5 The Okamoto-Uchiyama Cryptosystem (1998)

T. Okamoto and S. Uchiyama [60] in 1998 proposed a public key cryptosystem which is as secure as factoring n = p²q, where p and q are odd primes. Before describing the cryptosystem, we discuss the mathematical preliminaries:

13.6.5.1  Mathematical Preliminaries 2 Let p and q be two odd primes and set n = p q. Now let us consider the group ( / p 2)* 2 * and Γ be the Sylow-p-subgroup of ( / p 2)*. ( / p ) has a unique Sylow-p-subgroup, Γ ).

24

Contemporary Topics In Mathmatics and Statistic Applications

Proposition 6.1:  ( / p 2)* has a unique Sylow-p-subgroup, Γ ). ( / p 2)* is a cyclic group with order p ( p − 1) . Lemma 6.2:  Γ = {x ∈ ( / p 2)* | x ≡ 1 ( mod p )}.

x −1 . p Clearly, L is well-defined on Γ . Function L has a homomorphic property from multiplication to addition, i.e., we can identify L as a “logarithmic function” on Γ. We now define a  p -valued function, L, on Γ as follows: For x ∈Γ , L( x) =

Lemma 6.3:  For a, b ∈Γ , L(ab) ≡ L(a ) + L(b) ( mod p ). Also, L is an isomorphism. Corollary 6.4:  Let x ∈Γ such that L( x) ≠ 0 ( mod p ) , and y ≡ x m ( mod p 2 ) for m ∈ / p . Then,

m=

L( y ) y − 1 = ( mod p ). L( x) x − 1

Remark 6.1:  Let g be a primitive root ( mod p 2 ), then there exists r ∈( / p)* such that g p−1 = 1 + pr ( mod p 2 ) , i.e., g p−1 ∈ Γ . L( g p −1 ) =



(1 + pr ) − 1 = r ( mod p ) p

* p −1 2 * So, we obtain g = g ( mod p ) such that L( g ) ≠ 0 ( mod p )

13.6.5.2  The Okamoto-Uchiyama Cryptosystem

Key Generation: For a given security parameter $k$,
1. Choose two $k$-bit primes $p, q$ and set $n = p^2 q$.
2. Choose $g \in_R (\mathbb{Z}/n\mathbb{Z})^*$ such that the order of $g_p = g^{p-1} \pmod{p^2}$ is $p$, and compute $h = g^n \pmod n$.
3. Set the public key as $(n, g, h, k)$ and the private key as $(p, q)$.
Note: $h$ is a supplementary parameter for improving the efficiency of encryption, since $h$ can be easily calculated from $g$ and $n$.

Encryption: Given $m$ ($0 < m < 2^{k-1}$),
1. Choose $r \in_R \mathbb{Z}/n\mathbb{Z}$.
2. Compute the ciphertext $C = g^m h^r \pmod n$.

Decryption: Given a ciphertext $C$,
1. Compute $C_p = C^{p-1} \pmod{p^2}$ and $m = \frac{L(C_p)}{L(g_p)} \pmod p$.
Note: $L : \Gamma \to \mathbb{Z}_p$ is given by $L(x) = \frac{x-1}{p}$, where $\Gamma = \{x \in (\mathbb{Z}/p^2\mathbb{Z})^* \mid x \equiv 1 \pmod p\}$.


13.6.5.3  Some Discussions
1. Its trapdoor technique is essentially different from that of any previous scheme, including RSA-Rabin and Diffie-Hellman.
2. Under the most practical environment, the encryption and decryption speeds of the scheme are comparable to (roughly half the speed of) those of elliptic curve cryptosystems.
3. The Okamoto-Uchiyama Cryptosystem is probabilistic as well as homomorphic.
4. It is rerandomizable, i.e., anyone can change a ciphertext $C = \mathcal{E}(m, r)$ into another ciphertext $C' = C h^{r'} \bmod n$ while preserving the plaintext of $C$.
5. It can be shown that inverting the encryption function of the scheme is intractable if and only if the factoring problem is intractable.
6. It is semantically secure in the standard model under the $p$-subgroup assumption, which is comparable to the quadratic residue and higher degree residue assumptions.
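As an added illustration that is not part of the original chapter, the following Python code runs the key generation, encryption and decryption of Section 13.6.5.2 on constructed toy primes and exercises the homomorphic and rerandomization properties listed above. The toy primes, the function names and the use of the `secrets` module for randomness are my own choices.

```python
import secrets
from math import gcd

# Constructed toy primes (14-bit) for demonstration only; a real instance needs
# p and q large enough that factoring n = p^2 q is infeasible.
P_DEMO, Q_DEMO = 10007, 10009


def L(x, p):
    """Okamoto-Uchiyama's 'logarithm' on Gamma: L(x) = (x - 1) / p over the integers."""
    if x % p != 1:
        raise ValueError("x must lie in Gamma, i.e. x = 1 (mod p)")
    return (x - 1) // p


def keygen(p, q):
    """Public key (n, g, h, k) and private key (p, q); k is the bit length of p."""
    n = p * p * q
    p2 = p * p
    while True:
        g = secrets.randbelow(n - 2) + 2
        if gcd(g, n) != 1:
            continue
        # g_p = g^(p-1) mod p^2 lies in Gamma; it has order p iff L(g_p) != 0 (mod p)
        if L(pow(g, p - 1, p2), p) % p != 0:
            break
    h = pow(g, n, n)  # supplementary parameter h = g^n mod n
    return (n, g, h, p.bit_length()), (p, q)


def encrypt(pub, m):
    """C = g^m h^r mod n for 0 < m < 2^(k-1) and a random r."""
    n, g, h, k = pub
    if not 0 < m < 2 ** (k - 1):
        raise ValueError("message out of range")
    r = secrets.randbelow(n - 1) + 1
    return (pow(g, m, n) * pow(h, r, n)) % n


def decrypt(pub, priv, c):
    """m = L(C_p) / L(g_p) mod p with C_p = C^(p-1) mod p^2."""
    n, g, h, k = pub
    p, q = priv
    p2 = p * p
    # The h^r factor disappears here: (g^(p-1))^(n r) = 1 because n is a multiple of p
    # and g^(p-1) lies in Gamma, a group of order p.
    c_p = pow(c, p - 1, p2)
    g_p = pow(g, p - 1, p2)
    return (L(c_p, p) * pow(L(g_p, p), -1, p)) % p


def rerandomize(pub, c):
    """C' = C h^r' mod n: a fresh-looking ciphertext of the same plaintext."""
    n, g, h, k = pub
    r2 = secrets.randbelow(n - 1) + 1
    return (c * pow(h, r2, n)) % n


def add_encrypted(pub, c1, c2):
    """E(m1) * E(m2) mod n decrypts to m1 + m2 as long as the sum stays below 2^(k-1)."""
    return (c1 * c2) % pub[0]
```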

13.6.6 The Paillier Cryptosystem (1999) The Paillier Cryptosystem [61] rests on a novel computational problem, namely the Composite Residuosity Problem. For the mathematical background of this scheme and the hardness assumption, readers are referred to section 3.4.

13.6.6.1  The Paillier Cryptosystem

Key Generation:
1. Choose two primes $p, q$ of the same length $n$ such that, for $N = pq$, the DCRP is hard in $\mathbb{Z}^*_{N^2}$.
2. Set $N$ as the public key and $p, q$ as the private key.

Encryption: Given the public key $N$ and a message $m \in \mathbb{Z}_N$,
1. Choose $r \in_R \mathbb{Z}_N^*$.
2. Output the ciphertext $c := [(1 + N)^m \cdot r^N \bmod N^2]$.
(We remark that it does not make any difference whether the sender chooses random $r \leftarrow \mathbb{Z}_N^*$ or random $r \leftarrow \mathbb{Z}_{N^2}^*$, since in either case the distribution of $[r^N \bmod N^2]$ is the same.)

Decryption: Given the private key $\langle N, \varphi(N) \rangle$ and a ciphertext $c$,
1. Compute $\hat{c} := [c^{\varphi(N)} \bmod N^2]$.
2. Compute $\hat{m} := (\hat{c} - 1)/N$. (Note that this is carried out over the integers.)
3. Compute $m := [\hat{m} \cdot \varphi(N)^{-1} \bmod N]$.


13.6.6.2  Some Discussions
1. The Paillier encryption scheme is more efficient than the Goldwasser-Micali cryptosystem, as well as the provably secure RSA and Rabin schemes.
2. Perhaps more importantly, the Paillier encryption scheme possesses some nice additive homomorphic properties.
3. The Paillier Cryptosystem is probabilistic as well as rerandomizable.
4. It can be shown that the encryption function is one-way if the computational composite residuosity problem is intractable.
5. It is semantically secure under the decisional composite residuosity assumption in the standard model.
6. We remark, however, that it relies on a newer and less studied hardness assumption.
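The following Python code is an added example, not part of the original chapter: it implements the Paillier algorithms of Section 13.6.6.1 on constructed toy primes and shows the additive homomorphism and rerandomization mentioned in the discussion. The toy primes and the function names are my own; `secrets` supplies the randomness.

```python
import secrets
from math import gcd

# Constructed toy primes of equal length, for demonstration only.
P_DEMO, Q_DEMO = 10007, 10009


def keygen(p, q):
    """Public key N = pq; private key <N, phi(N)> as used by the decryption algorithm."""
    N = p * q
    phi = (p - 1) * (q - 1)
    if gcd(N, phi) != 1:
        raise ValueError("primes of the same length guarantee gcd(N, phi(N)) = 1")
    return N, (N, phi)


def random_unit(N):
    """r <- Z_N^* (nonzero and coprime to N)."""
    while True:
        r = secrets.randbelow(N)
        if r != 0 and gcd(r, N) == 1:
            return r


def encrypt(N, m, r=None):
    """c = (1 + N)^m * r^N mod N^2; r may be supplied to make the ciphertext reproducible."""
    if not 0 <= m < N:
        raise ValueError("message must lie in Z_N")
    N2 = N * N
    if r is None:
        r = random_unit(N)
    return (pow(1 + N, m, N2) * pow(r, N, N2)) % N2


def decrypt(priv, c):
    """c_hat = c^phi mod N^2; m_hat = (c_hat - 1) / N over Z; m = m_hat * phi^-1 mod N."""
    N, phi = priv
    N2 = N * N
    c_hat = pow(c, phi, N2)   # r^(N*phi) = 1 mod N^2, so only (1+N)^(m*phi) survives
    m_hat = (c_hat - 1) // N  # (1+N)^(m*phi) = 1 + m*phi*N mod N^2, hence m_hat = m*phi mod N
    return (m_hat * pow(phi, -1, N)) % N


def add_encrypted(N, c1, c2):
    """E(m1) * E(m2) mod N^2 is an encryption of m1 + m2 mod N."""
    return (c1 * c2) % (N * N)


def scale_encrypted(N, c, k):
    """E(m)^k mod N^2 is an encryption of k * m mod N."""
    return pow(c, k, N * N)


def rerandomize(N, c):
    """Multiplying by a fresh encryption of 0 re-randomizes c without changing the plaintext."""
    return add_encrypted(N, c, encrypt(N, 0))
```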

13.6.7  The Gonzalez-Boyd-Dawson (GBD) Cryptosystem (2001) The Gonzalez-Boyd-Dawson (GBD) Cryptosystem [58] is based on a particular instance of subgroup membership problem. For the mathematical background of this scheme and the hardness assumption, readers are referred to section 3.5.

13.6.7.1  The GBD Cryptosystem

Key Generation: Let $k$ be the security parameter.
1. Choose a prime $p = 2n + 1$ where $n = q_0 q_1$ with $q_i$ also prime such that $|q_i| = k$.
2. Select two elements $g_i$ of order $q_i$ in $\mathbb{Z}_p^*$. Since the factorisation of $n$ is known, this can be done easily. $g_i$ is thus a generator of $G_{q_i}$.
3. Compute $\alpha_i = q_{1-i} \,(q_{1-i}^{-1} \bmod q_i)$.
4. The public key is $\{p, g_0, g_1\}$, and the corresponding private key is $\{\alpha_0, \alpha_1\}$.

Encryption: Given $m \in G_n$,
1. Choose two random integers $r_i$, $1 \le r_i \le n$.
2. Compute $v_i = g_i^{r_i}$. Thus $v_i$ is an element of $G_{q_i}$.
3. Compute $c_i = m v_{1-i}$.
4. The ciphertext is then $c = (c_0, c_1)$.

Decryption: Given $c = (c_0, c_1)$,
1. Compute $m_i = c_i^{\alpha_i}$ and $m = m_0 m_1$.
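As an added example (not code from the original chapter or from the GBD authors), the Python below runs the GBD key generation, encryption and decryption on a constructed toy instance $p = 2 q_0 q_1 + 1 = 443$, and also exercises the multiplicative homomorphism and rerandomization discussed afterwards. The parameters and function names are my own.

```python
import secrets

# Constructed toy parameters: q0, q1 prime, n = q0*q1 and p = 2n + 1 = 443 prime.
# Real instances use k-bit q_i large enough that subgroup membership in Z_p^* is hard.
Q0_DEMO, Q1_DEMO = 13, 17
P_DEMO = 2 * Q0_DEMO * Q1_DEMO + 1


def element_of_order(p, order):
    """Random element of the unique subgroup of the given prime order in Z_p^*."""
    cofactor = (p - 1) // order
    while True:
        g = pow(secrets.randbelow(p - 2) + 2, cofactor, p)
        if g != 1:
            return g


def keygen(p, q0, q1):
    """Public key {p, g0, g1}; private key {alpha0, alpha1}."""
    g0 = element_of_order(p, q0)
    g1 = element_of_order(p, q1)
    alpha0 = q1 * pow(q1, -1, q0)  # alpha0 = 1 (mod q0) and 0 (mod q1)
    alpha1 = q0 * pow(q0, -1, q1)  # alpha1 = 0 (mod q0) and 1 (mod q1)
    return (p, g0, g1), (alpha0, alpha1)


def in_Gn(p, m):
    """G_n is the subgroup of order n = (p-1)/2, i.e. the quadratic residues mod p."""
    return 0 < m < p and pow(m, (p - 1) // 2, p) == 1


def encrypt(pub, m):
    """c = (m * g1^r1, m * g0^r0): each component masks m with an element of the other subgroup."""
    p, g0, g1 = pub
    n = (p - 1) // 2
    if not in_Gn(p, m):
        raise ValueError("message must be an element of G_n")
    r0 = secrets.randbelow(n) + 1
    r1 = secrets.randbelow(n) + 1
    v0, v1 = pow(g0, r0, p), pow(g1, r1, p)
    return ((m * v1) % p, (m * v0) % p)


def decrypt(pub, priv, c):
    """m_i = c_i^alpha_i projects c_i onto G_{q_i} and kills the mask v_{1-i}; m = m0 * m1."""
    p = pub[0]
    alpha0, alpha1 = priv
    c0, c1 = c
    return (pow(c0, alpha0, p) * pow(c1, alpha1, p)) % p


def multiply_encrypted(pub, c, d):
    """Componentwise product: an encryption of the product of the two plaintexts."""
    p = pub[0]
    return ((c[0] * d[0]) % p, (c[1] * d[1]) % p)


def rerandomize(pub, c):
    """Multiply by a fresh encryption of 1 to re-randomize without changing the plaintext."""
    return multiply_encrypted(pub, c, encrypt(pub, 1))
```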


13.6.7.2  Some Discussions
1. The GBD Cryptosystem is probabilistic, multiplicatively homomorphic as well as rerandomizable.
2. It can be shown that the encryption function is one-way if the Projection Problem is intractable.
3. It is semantically secure, i.e., IND-CPA secure, under the Subgroup Membership Assumption in the standard model.

So far we have discussed some of the classical cryptosystems which are IND-CPA secure under various hardness assumptions. Now, we turn our attention towards those cryptosystems which are IND-CCA2 secure. The first natural question which arises at this point is whether we should discard the cryptosystems discussed earlier in order to get IND-CCA2 security. The answer is no. Fujisaki & Okamoto came up with a solution in [35], where it has been shown that any cryptosystem that is IND-CPA secure in the standard model can be converted into another cryptosystem that is IND-CCA2 secure in the random oracle model. Later on, various other conversions like [49], [59], [63] were also proposed that enhance the security of a cryptosystem from CPA (or even weaker) to CCA2. Even some generic conversions from other cryptographic primitives to CCA2 cryptosystems were proposed in [20], [48] etc. We now turn our attention to schemes that can be proven secure in the standard model. The approaches to constructing encryption schemes secure in the standard model tend to fall into several categories. One approach is to use a “double-and-add” technique, in which a message is encrypted twice (using two weak encryption schemes) and a checksum value is added to the ciphertext. The first attempt to prove the security of a scheme against chosen ciphertext attacks was given by Naor and Yung [57]. Their approach was to encrypt a message twice using two independent IND-CPA secure encryption schemes, and then to provide a non-interactive zero-knowledge (NIZK) proof that the two ciphertexts were encryptions of the same message.
The Naor-Yung result only produced an encryption scheme that was IND-CCA1 secure. The first IND-CCA2 secure public-key encryption scheme was proposed by Dolev, Dwork and Naor [31] in 1991. Their approach was extended by Sahai [69] in 1999 to cover IND-CCA2 attacks by using a slightly more powerful NIZK proof system. It is not going to be possible, due to space constraints, to fully explain the technical details of this scheme. However, we will give an overview of the scheme. Suppose $(\mathcal{G}, \mathcal{E}, \mathcal{D})$ is an IND-CPA secure encryption scheme. The Sahai encryption scheme works as follows:


• Key generation: Generate two independent key pairs $(pk_1, sk_1) \leftarrow \mathcal{G}(1^k)$ and $(pk_2, sk_2) \leftarrow \mathcal{G}(1^k)$ and a random string $\sigma$ (for use by the NIZK proof). The public key is $pk = (pk_1, pk_2, \sigma)$ and the private key is $sk = (sk_1, sk_2)$.

• Encryption: To encrypt a message $m$, compute $C_1 \leftarrow \mathcal{E}(pk_1, m)$ and $C_2 \leftarrow \mathcal{E}(pk_2, m)$ and give a NIZK proof $\pi$ that $C_1$ and $C_2$ are encryptions of the same message (using the random string $\sigma$). The ciphertext is $(C_1, C_2, \pi)$.

• Decryption: To decrypt a message, first check the proof $\pi$. If the proof fails, then output $\perp$. Otherwise, output $m \leftarrow \mathcal{D}(sk_1, C_1)$.

This is a wonderful theoretical result, but, due to the theoretical nature of the NIZK proof system used in the construction, the construction is not practical.

13.6.8  The Cramer-Shoup Cryptosystem (1998) In 1998, Cramer & Shoup [23] constructed the first practical public-key cryptosystem (described in the next section) that is IND-CCA2 secure in the standard model if the DDH assumption holds. In fact, the scheme is a careful and witty modification of the Elgamal cryptosystem.

13.6.8.1  Mathematical Preliminaries There are several equivalent formulations of the Decisional Diffie-Hellman Problem. The one that is used here is the following. Let $G$ be a group of large prime order $q$. The Diffie-Hellman decision problem is to effectively distinguish the following two distributions:

• $\mathrm{DDH}(G, 2)$ Distribution: Choose generators $g_1, g_2 \in_R G$ and choose $v \in_R \mathbb{Z}_q$. Output $(g_1, g_2, g_1^v, g_2^v)$.

• $\mathrm{Rand}(G, 2)$ Distribution: Choose generators $g_1, g_2 \in_R G$ and choose $v_1, v_2 \in_R \mathbb{Z}_q$. Output $(g_1, g_2, g_1^{v_1}, g_2^{v_2})$.

The DDH assumption states that there does not exist any polynomial-time algorithm to solve the DDH problem in $G$. An algorithm that solves the Diffie-Hellman decision problem is a statistical test that can effectively distinguish these two distributions. That is, given a quadruple coming from one of the two distributions, it should output 0 or 1, and there should be a non-negligible difference between (a) the probability that it outputs a 1 given an input from $\mathrm{Rand}(G, 2)$, and (b) the probability that it outputs a 1 given an input from $\mathrm{DDH}(G, 2)$. The Diffie-Hellman decision problem is hard if there is no such polynomial-time statistical test.


13.6.8.2  The Cramer-Shoup Cryptosystem

Key Generation: For a security parameter $k$,
1. Choose a group $G$ of prime order $q$ where $|q| = k$.
2. Choose $g_1, g_2 \in_R G$ and $x_1, x_2, y_1, y_2, z \in_R \mathbb{Z}_q$ and a hash function $H$.
3. Compute $c = g_1^{x_1} g_2^{x_2}$; $d = g_1^{y_1} g_2^{y_2}$; $h = g_1^z$.
4. The public key is $\{g_1, g_2, c, d, h, H\}$ and the private key is $\{x_1, x_2, y_1, y_2, z\}$.

Encryption: Given $m \in G$,
1. Choose $r \in_R \mathbb{Z}_q$.
2. Compute $u_1 = g_1^r$, $u_2 = g_2^r$, $e = h^r m$, $\alpha = H(u_1, u_2, e)$, $v = c^r d^{r\alpha}$.
3. The ciphertext is $C = (u_1, u_2, e, v)$.

Decryption: Given $C = (u_1, u_2, e, v)$,
1. Compute $\alpha = H(u_1, u_2, e)$ and check whether $u_1^{x_1 + y_1 \alpha} u_2^{x_2 + y_2 \alpha} = v$ or not.
2. If not, output “REJECT”; else output $m = e / u_1^z$.
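The Python below is an added example, not code from the original chapter or from Cramer and Shoup: it implements the key generation, encryption and decryption above and shows why the check on $v$ matters, since multiplying the $e$ component by a group element yields a valid Elgamal encryption of a related message for the inner $(u_1, e)$ pair, while Cramer-Shoup decryption rejects it. Assumptions of mine: a toy safe-prime group found by trial division, SHA-256 reduced modulo $q$ standing in for the hash family $H$, and the function names.

```python
import hashlib
import secrets


def is_prime(n):
    """Trial division; adequate for the 32-bit toy parameters searched for below."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def safe_prime_params(start):
    """Smallest q >= start with q and P = 2q + 1 both prime."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


# Constructed toy group: the squares mod P form a group G of prime order q,
# with |q| = 32 bits here, far below any real security level.
P_DEMO, Q_DEMO = safe_prime_params(1 << 31)


def hash_to_zq(q, *parts):
    """H(u1, u2, e) -> Z_q; SHA-256 stands in for the universal one-way hash family."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def random_generator(P):
    """A random non-identity square mod P, hence a generator of the order-q subgroup G."""
    while True:
        g = pow(secrets.randbelow(P - 2) + 2, 2, P)
        if g != 1:
            return g


def keygen(P, q):
    """Public key (P, q, g1, g2, c, d, h); private key (x1, x2, y1, y2, z)."""
    g1, g2 = random_generator(P), random_generator(P)
    x1, x2, y1, y2, z = (secrets.randbelow(q) for _ in range(5))
    c = (pow(g1, x1, P) * pow(g2, x2, P)) % P
    d = (pow(g1, y1, P) * pow(g2, y2, P)) % P
    h = pow(g1, z, P)
    return (P, q, g1, g2, c, d, h), (x1, x2, y1, y2, z)


def encrypt(pub, m):
    """C = (u1, u2, e, v) with v = c^r d^(r*alpha) binding the Elgamal part (u1, e) to u2."""
    P, q, g1, g2, c, d, h = pub
    if pow(m, q, P) != 1:
        raise ValueError("message must be an element of G")
    r = secrets.randbelow(q)
    u1, u2 = pow(g1, r, P), pow(g2, r, P)
    e = (pow(h, r, P) * m) % P
    alpha = hash_to_zq(q, u1, u2, e)
    v = (pow(c, r, P) * pow(d, (r * alpha) % q, P)) % P
    return (u1, u2, e, v)


def elgamal_part(pub, priv, ct):
    """e / u1^z without any check: what a plain Elgamal decryptor would return."""
    P = pub[0]
    u1, u2, e, v = ct
    return (e * pow(pow(u1, priv[4], P), -1, P)) % P


def decrypt(pub, priv, ct):
    """Recompute alpha, verify u1^(x1+y1*alpha) u2^(x2+y2*alpha) == v, then output e / u1^z.

    Returns None for REJECT."""
    P, q, g1, g2, c, d, h = pub
    x1, x2, y1, y2, z = priv
    u1, u2, e, v = ct
    alpha = hash_to_zq(q, u1, u2, e)
    tag = (pow(u1, (x1 + y1 * alpha) % q, P) * pow(u2, (x2 + y2 * alpha) % q, P)) % P
    if tag != v:
        return None
    return elgamal_part(pub, priv, ct)
```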

13.6.8.3  Proof of Security We will be highlighting a sketch of the proof (for details, see [23]) and the main theorem in this context. The Cramer-Shoup cryptosystem is secure against adaptive chosen ciphertext attack assuming that the hash function $H$ is chosen from a universal one-way family and the Diffie-Hellman decision problem is hard in the group $G$. To prove the theorem, we will assume that there is an adversary that can break the cryptosystem, and that the hash family is universal one-way, and show how to use this adversary to construct a statistical test for the Diffie-Hellman decision problem. For the statistical test, we are given $(g_1, g_2, u_1, u_2)$ coming from either the distribution $\mathrm{Rand}(G, 2)$ or $\mathrm{DDH}(G, 2)$. At a high level, our construction works as follows. We build a simulator that simulates the joint distribution consisting of the adversary's view in its attack on the cryptosystem, and the hidden bit $b$ generated by the encryption oracle (which is not a part of the adversary's view). We will show that if the input comes from $\mathrm{DDH}(G, 2)$, the simulation will be nearly perfect, and so the adversary will have a non-negligible advantage in guessing the hidden bit $b$. We will also show that if the input comes from $\mathrm{Rand}(G, 2)$, then the adversary's view is essentially independent of $b$, and therefore the adversary's advantage is negligible. This immediately implies a statistical test distinguishing $\mathrm{Rand}(G, 2)$ from $\mathrm{DDH}(G, 2)$: run the simulator and adversary together, and if the simulator outputs $b$ and the adversary outputs $b'$, the distinguisher outputs 1 if $b = b'$, and 0 otherwise.


The theorem now follows immediately from the following two lemmas. (i) When the simulator's input comes from $\mathrm{DDH}(G, 2)$, the joint distribution of the adversary's view and the hidden bit $b$ is statistically indistinguishable from that in the actual attack. (ii) When the simulator's input comes from $\mathrm{Rand}(G, 2)$, the distribution of the hidden bit $b$ is (essentially) independent of the adversary's view.

13.6.8.4  Some Discussions
1. The Cramer-Shoup Cryptosystem is probabilistic and NOT homomorphic. (As we know, homomorphic schemes cannot achieve IND-CCA2 security.)
2. The use of a hash function in the scheme can also be avoided while maintaining the same level of security.
3. A lite version of this scheme can be shown to be IND-CCA1 secure.
4. This paradigm is a major breakthrough in the area of provable security.

13.6.9  Some Other Cryptosystems Apart from the cryptosystems discussed earlier, there are many others like the McEliece Cryptosystem (based on algebraic coding theory) [54] by McEliece in 1978, Multivariate Cryptosystems (based on factoring multivariate polynomials) [53] by Matsumoto and Imai in 1988, NTRU [44] by Hoffstein, Pipher and Silverman in 1998, the Lattice-based Cryptosystem (based on SVP) [1] by Ajtai and Dwork in 1999, Group-based Cryptography [3] by Anshel, Anshel and Goldfeld in 1999, etc.

13.7  Some Related Topics

13.7.1  Plaintext Awareness Plaintext awareness is a simple idea with a complicated explanation. An encryption scheme is plaintext aware if it is impossible for a user to create a valid ciphertext without knowing the underlying message. This effectively makes a decryption oracle useless to the attacker - any valid ciphertext he submits to the decryption oracle will return a message that he already knows. If he submits a ciphertext to the decryption oracle for which he does not know the underlying message, then the decryption oracle will return $\perp$. This leads to the central theorem of plaintext awareness: a scheme which is IND-CPA secure and plaintext aware is IND-CCA2 secure. The difficulty with this idea is formalising what it means to say that a user “knows” an underlying message. The first attempt to produce a formal definition for plaintext awareness was given in the random oracle model [11] but had the disadvantage that it could only be realised in the random oracle model. It took several years before a definition compatible with the standard model was found.


The first attempt to provide a standard-model definition of plaintext awareness was given by Herzog, Liskov and Micali [42]. In their model, if a sender wishes to send a message to a receiver, then both the sender and the receiver must have a public key. Furthermore, the sender must register their public key with some trusted registration authority in a process that includes a zero-knowledge proof of knowledge for the private key. Now, whenever the sender wants to send a message, it forms two ciphertexts - an encryption of the message using the receiver's public key and an encryption of the message using the sender's own public key - and provides a NIZK proof that the ciphertexts are encryptions of the same message. The receiver decrypts the ciphertext by checking the validity of the NIZK proof and decrypting the component that was encrypted using their public key. The plaintext awareness of the scheme can be easily shown: since the NIZK proves that the encryptions are identical, we know that both ciphertexts are encryptions of the same message. Furthermore, since the sender has proven knowledge of the private key, we know that the sender can decrypt the component of the ciphertext encrypted using the sender's public key and recover the message. Hence, we can conclude that the sender “knows” the message. Though this is an interesting idea, it has never really been adopted to prove the security of practical schemes. The requirement that the sender must have a registered public key creates the need for a huge public-key infrastructure which is unlikely to exist in practice. Furthermore, the scheme still makes use of arbitrary zero-knowledge proofs of knowledge and NIZK proof systems, which are impractical. In 2004, Bellare and Palacio [9] introduced a new standard-model definition for plaintext awareness. Their definition has several advantages over the definition of Herzog, Liskov and Micali.
In particular, Bellare and Palacio’s definition does not require a sender to register a key. It is also compatible with earlier definitions in the random oracle model, in the sense that a scheme proven plaintext aware using the random-oracle-based definition of plaintext awareness is also plaintext aware using the standard-model-based definition of plaintext awareness (although the proof of this fact uses the random oracle model). Bellare and Palacio [9] prove that any scheme that is IND-CPA secure and plaintext aware in this model is necessarily IND-CCA2 secure. Teranishi and Ogata in [76] proved that a scheme that is one-way and plaintext aware in this model is necessarily IND-CCA2 secure. There are weaker models for plaintext awareness that are similar to this model, and their relationships to the full security model have been well explored by Bellare and Palacio [9] and by Birkett and Dent [12]. The first scheme that was proven fully plaintext aware in the standard model was the Cramer-Shoup encryption scheme [26]. This proof relies heavily on the Diffie-Hellman Knowledge assumption first introduced by Damgard [24].

13.7.2  Pseudo-Free Groups The notion of pseudo-free groups was first informally introduced by Hohenberger [45]. She used such groups to study transitive signature schemes, and studied their variants where inversion is not efficiently computable, at least by the adversary. After her work, the notion of pseudo-free groups was formalized by Rivest, who presented an explicit definition [67]. He showed that pseudo-freeness is a very strong assumption, and that it implies many other computational assumptions typically used in cryptography, like the hardness of computing discrete logarithms, the RSA assumption, and the strong RSA assumption. Informally, we say that a finite group $G$ is pseudo-free if a probabilistic polynomial-time adversary cannot efficiently produce an equation $E$ and a solution to $E$ in $G$ where $E$ has no solution in the “corresponding free group”. In other words, it is computationally hard to find a solution of a “non-trivial” equation over a pseudo-free group. Though we do not go into the definition and technical details of pseudo-free groups, interested readers may look into an expository article by Hirano and Tanaka [43]. But the question which we want to raise here is why we should formulate and study such a strong assumption. Doesn't this go against the traditional style of making only the minimal complexity-theoretic assumptions necessary for a cryptographic scheme or protocol? The reasons for such a strong assumption were justified by Rivest as follows:

• Making stronger assumptions may make proofs easier (this is especially useful for pedagogic purposes).

• It may turn out that the pseudo-freeness is not a “stronger” assumption after all - it may be implied by simpler assumptions, perhaps more standard ones.

• Reasoning in a free group can be quite simple and intuitive, so assuming pseudo-freeness allows one to capture “natural” security proofs in a plausible framework. (This was Hohenberger's motivation.)

• It seems quite plausible that $\mathbb{Z}_n^*$, where $n$ is the product of two sufficiently large randomly chosen primes, is pseudo-free. This is known as the Super Strong RSA Assumption. (In fact, Micciancio in [55] solved the conjecture posed by Rivest and showed that the RSA group is pseudo-free under the strong RSA assumption, at least when $n = pq$ is the product of two safe primes, i.e., the Super Strong RSA Assumption is implied by the Strong RSA Assumption. He also showed that no adversary can efficiently compute an unsatisfiable system of equations together with a solution in the given pseudo-free group.)

But many cryptographic assumptions other than the RSA assumption are not captured by the definition proposed by Rivest. The reason is that the equation chosen by an adversary contains no integer-valued exponent variables. For this reason, we cannot adapt the definition to several cryptographic assumptions which contain both element-valued variables and integer-valued exponent variables (like the strong RSA problem). Rivest probably supposed that we may not need the notion of exponent variables since the adversary can choose the equations himself. But to exploit or use the concept of pseudo-freeness in other scenarios, it was necessary to modify the definition of pseudo-freeness accordingly. Certain variations of pseudo-freeness and related discussions can be found in [43].


13.7.3  Lossy Trapdoor Functions A new general primitive called lossy trapdoor functions (LTDF) was introduced by Peikert and Waters in [62] to develop a new approach for constructing several important cryptographic primitives, including (injective) trapdoor functions, collision-resistant hash functions, oblivious transfer, and chosen-ciphertext-secure cryptosystems. These results resolve some long-standing open problems in cryptography. They give the first known injective trapdoor functions based on problems not directly related to integer factorization, and provide the first known CCA-secure cryptosystem based solely on the worst-case complexity of lattice problems. This approach is centred around the idea of losing information. Specifically, an LTDF is a public function $f$ that is created to behave in one of two ways. The first way matches the usual completeness condition for an (injective) trapdoor function: given a suitable trapdoor for $f$, the entire input $x$ can be efficiently recovered from $f(x)$. In the second way, $f$ statistically loses a significant amount of information about its input, i.e., $f$'s image is significantly smaller than its domain. Finally, the two behaviours are indistinguishable: given just the description of $f$, no efficient adversary can tell whether $f$ is injective or lossy. Some more advances and constructions of lossy trapdoor functions can be found in [33], [56] etc.

13.8  Open Problems Though public-key cryptosystems have been studied and analysed for more than three and a half decades, there are a lot of questions which are still open and yet to be answered. Some of them are related to the efficiency and feasibility of constructions, some are entirely theoretical, e.g., involving security notions and adversarial models, and some involve both. As it is impossible to list all of them in this survey, only a few of them are discussed here.

• Though the Cramer-Shoup Construction provided an efficient as well as IND-CCA2 secure scheme in the standard model, the search for more efficient IND-CCA2 security in the standard model is still on.

• Gentry, in [37], resolved the long-standing open problem of constructing a fully-homomorphic encryption scheme. But, in view of its key size, the scheme is not at all practical. Even after various attempts to make it more practical, the current state of the art is quite far from applying it to real-life applications. So, it is a good problem to design a practical fully-homomorphic cryptosystem.

• Several security notions are standardised in the literature for different adversarial models like CPA, CCA, CCA2, PA, ICA, gCCA, rCCA, HCCA etc. Among the above, only HCCA is targeted towards securing homomorphic cryptosystems. But this notion of security is quite non-standard and not applicable in a general sense to any homomorphic cryptosystem. Thus, an appropriate security notion for homomorphic cryptosystems is another area of further research.


• In [63], the authors demonstrated a generic conversion of a one-way cryptosystem to an IND-CCA2 secure one in the random oracle model. But such a generic conversion is not known till date in the standard model.

13.9  Conclusion In this survey, we have tried to give an overview of the motivation, constructions and security notions of public-key encryption schemes that have been developed since the inception of the field. Some constructions have been broken, some are still alive without any proper security proof, and some of them are proved to be secure under certain assumptions. Some of them are provably secure in the standard model but difficult to realize, while some are efficient and practical with security based on the random oracle model. Moreover, various cryptographic hardness assumptions that exist in the literature and different types of encryption have been discussed. Finally, certain general primitives useful in constructing secure cryptosystems have been highlighted.

13.10  Acknowledgement The authors are thankful to Sabyasachi Dutta for several fruitful discussion sessions on this article. Also, the authors would like to thank the authors of a few existing expository articles and surveys, like [25], [41], [50] and [51], that have been of great use and ready reference while compiling this survey.

References

[1] M. Ajtai and C. Dwork: A public-key cryptosystem with worst-case/average-case equivalence, STOC '97, 284-293, ACM, New York, 1999.
[2] J. H. An, Y. Dodis and T. Rabin: On the security of joint signature and encryption, EUROCRYPT 2002, LNCS 2332, 83-107.
[3] I. Anshel, M. Anshel and D. Goldfeld: An algebraic method for public-key cryptography, Math. Res. Lett. 6 (1999), 287-291.
[4] J. Baek, R. Steinfeld and Y. Zheng: Formal Proofs for the Security of Signcryption, Journal of Cryptology 20 (2007), 203-235, Springer, 2007.
[5] F. Bao, R. H. Deng and H. F. Zhu: Variations of Diffie-Hellman Problem, ICICS 2003, LNCS 2836, 301-312, Springer, 2003.
[6] M. Bellare, A. Boldyreva, A. Desai and D. Pointcheval: Key-Privacy in Public-Key Encryption, ASIACRYPT 2001, LNCS 2248, 566-582, Springer, 2001.
[7] M. Bellare, A. Boldyreva and A. O'Neill: Deterministic and Efficiently Searchable Encryption, CRYPTO 2007, LNCS 4622, 535-552, Springer, 2007.


[8] M. Bellare, A. Desai, D. Pointcheval and P. Rogaway: Relations among notions of security for public-key encryption schemes, CRYPTO '98, LNCS 1462, 26-45, Springer, 1998.
[9] M. Bellare and A. Palacio: Towards plaintext-aware public-key encryption without random oracles, ASIACRYPT 2004, LNCS 3329, 48-62, Springer, 2004.
[10] M. Bellare and P. Rogaway: Random Oracles Are Practical: a Paradigm for Designing Efficient Protocols, Proc. of the 1st CCS, 62-73, ACM Press, New York, 1993.
[11] M. Bellare and P. Rogaway: Optimal asymmetric encryption - how to encrypt with RSA, EUROCRYPT 1994, LNCS 950, Springer, 1994.
[12] J. Birkett and A. W. Dent: Relations among notions of plaintext awareness, PKC 2008, LNCS 4939, 47-64, Springer, 2008.
[13] D. Bleichenbacher: Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS#1, CRYPTO '98, LNCS, Springer-Verlag, 1998.
[14] A. Boldyreva, S. Fehr and A. O'Neill: On Notions of Security for Deterministic Encryption and Efficient Constructions without Random Oracles, CRYPTO 2008, LNCS 5157, 335-359, Springer, 2008.
[15] D. Boneh, G. Di Crescenzo, R. Ostrovsky and G. Persiano: Public Key Encryption with Keyword Search, EUROCRYPT 2004, LNCS 3027, 506-522, Springer, 2004.
[16] D. Boneh and M. K. Franklin: Identity based encryption from the Weil pairing, CRYPTO 2001, LNCS 2139, 213-229, Springer-Verlag, 2001. Full version: SIAM Journal on Computing 32 (2003), 586-615.
[17] D. Boneh, C. Gentry and M. Hamburg: Space-efficient identity based encryption without pairings, FOCS 2007, 647-657, IEEE Computer Society Press, 2007.
[18] R. Canetti, C. Dwork, M. Naor and R. Ostrovsky: Deniable Encryption, CRYPTO 1997, LNCS 1294, 90-104, Springer, 1997.
[19] R. Canetti, O. Goldreich and S. Halevi: The random oracle methodology, revisited, STOC '98, 209-218, ACM Press, 1998.
[20] R. Canetti, S. Halevi and J. Katz: Chosen-ciphertext security from identity-based encryption, EUROCRYPT 2004, LNCS 3027, 207-222, Springer, 2004.
[21] R. Canetti, H. Krawczyk and J. B. Nielsen: Relaxing Chosen-Ciphertext Security, CRYPTO 2003, LNCS 2729, 565-582, Springer, 2003.
[22] C. Cocks: An identity based encryption scheme based on quadratic residues, Cryptography and Coding, LNCS 2260, 360-363, Springer-Verlag, 2001.
[23] R. Cramer and V. Shoup: A Practical Public-key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack, CRYPTO '98, LNCS 1462, 13-25.
[24] I. Damgard: Towards practical public key systems secure against chosen ciphertext attacks, CRYPTO '91, LNCS 576, 445-456, Springer, 1991.
[25] A. W. Dent: A Brief History of Provably-Secure Public-Key Encryption, AFRICACRYPT 2008, LNCS 5023, 357-370, Springer, 2008.


[26] A. W. Dent: The Cramer-Shoup encryption scheme is plaintext aware in the standard model, EUROCRYPT 2006, LNCS 4004, 289-307, Springer, 2006.
[27] A. W. Dent and Y. Zheng (Eds.): Practical Signcryption, Springer, 2010.
[28] G. Di Crescenzo and V. Saraswat: Public Key Encryption with Searchable Keywords Based on Jacobi Symbols, INDOCRYPT 2007, LNCS 4859, 282-296, Springer, 2007.
[29] W. Diffie and M. Hellman: New directions in cryptography, IEEE Trans. Inform. Theory IT-22 (Nov. 1976), 644-654.
[30] M. van Dijk, C. Gentry, S. Halevi and V. Vaikuntanathan: Fully homomorphic encryption over the integers, EUROCRYPT 2010, LNCS 6110, 24-43, Springer, 2010.
[31] D. Dolev, C. Dwork and M. Naor: Non-malleable cryptography, 23rd Annual ACM Symposium on Theory of Computing, 542-552, 1991.
[32] T. Elgamal: A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms, IEEE Trans. on Information Theory IT-31(4), 469-472, 1985.
[33] D. M. Freeman, O. Goldreich, E. Kiltz, A. Rosen and G. Segev: More Constructions of Lossy and Correlation-Secure Trapdoor Functions, PKC 2010, LNCS 6056, 279-295, Springer, 2010.
[34] T. Fuhr and P. Paillier: Decryptable Searchable Encryption, ProvSec 2007, LNCS 4784, 228-236, Springer, 2007.
[35] E. Fujisaki and T. Okamoto: How to Enhance the Security of Public-Key Encryption at Minimum Cost, PKC '99, LNCS 1560, 53-68, Springer-Verlag, Berlin, 1999.
[36] E. Fujisaki and T. Okamoto: Secure Integration of Asymmetric and Symmetric Encryption Schemes, CRYPTO '99, LNCS 1666, 537-554, Springer-Verlag, 1999.
[37] C. Gentry: Fully Homomorphic Encryption Using Ideal Lattices, STOC 2009, 169-178, ACM, 2009.
[38] C. Gentry: Toward basing fully homomorphic encryption on worst-case hardness, CRYPTO 2010, LNCS 6223, 116-137, Springer, 2010.
[39] C. Gentry and S. Halevi: Implementing Gentry's Fully-Homomorphic Encryption Scheme, EUROCRYPT 2011, LNCS 6632, 129-148, Springer-Verlag, 2011.
[40] S. Goldwasser and S. Micali: Probabilistic Encryption, Journal of Computer and System Sciences 28(2), 270-299, Academic Press, 1984.
[41] K. Henry: The Theory and Applications of Homomorphic Cryptography, Master's Thesis, Waterloo, 2008.
[42] J. Herzog, M. Liskov and S. Micali: Plaintext awareness via key registration, CRYPTO 2003, LNCS 2729, 548-564, Springer, 2003.
[43] T. Hirano and K. Tanaka: Variations on Pseudo-Free Groups, Research Reports on Mathematical and Computing Sciences, Department of Mathematical and Computing Sciences, Tokyo Institute of Technology, January 2007, C-239.
[44] J. Hoffstein, J. Pipher and J. H. Silverman: NTRU: a ring-based public key cryptosystem, Algorithmic Number Theory (Portland, OR, 1998), LNCS 1423, 267-288, Springer, Berlin, 1998.


[45]

S. Hohenberger: The cryptographic impact of groups with infeasible inversion, Master’s thesis, EECS Dept., MIT, June 2003.

[46]

S. Hohenberger, A. Lewko and B. Waters: Detecting Dangerous Queries: A New Approach for Chosen Ciphertext Security, EUROCRYPT 2012 (to appear). Available at the IACR ePrint archive: http://eprint.iacr.org/2012/006.

[47]

J. Katz and Y. Lindell: Introduction to Modern Cryptography, Chapman & Hall/CRC, 2008.

[48]

E. Kiltz: Chosen-ciphertext security from tag-based encryption, TCC 2006, LNCS 3876, 581-600, Springer, 2006.

[49]

E. Kiltz and J. Malone-Lee: A General Construction of IND-CCA2 Secure Public Key Encryption, Cryptography and Coding 2003, LNCS 2898, 152-166, Springer, 2003.

[50]

N. Koblitz and A.J. Menezes: A Survey of Public-Key Cryptosystems, SIAM Review, 46(4), 599-634, SIAM, 2004.

[51]

M. Krohn: On the definitions of cryptographic security: Chosen-Ciphertext attack revisited, Senior Thesis, Harvard University, 1999.

[52]

K. Kurosawa and Y. Desmedt: A New Paradigm of Hybrid Encryption Scheme, CRYPTO 2004, LNCS 3152, 426-442, Springer, 2004.

[53]

T. Matsumoto and H. Imai: Public quadratic polynomial-tuples for efficient signature verification and message-encryption, EUROCRYPT 1988, LNCS 330, 419-445, Springer, 1988.

[54]

R.J. McEliece: A Public-Key Cryptosystem Based On Algebraic Coding Theory, Jet Propulsion Laboratory DSN Progress Report 42-44, 114-116, 1978.

[55]

D. Micciancio: The RSA Group is Pseudo-Free, EUROCRYPT 2005, LNCS 3494, 387-403, Springer, 2005.

[56]

P. Mol and S. Yilek: Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions, PKC 2010, LNCS 6056, 296-311, Springer, 2010.

[57]

M. Naor and M. Yung: Public-key Cryptosystems Provably Secure against Chosen Ciphertext Attacks, 22nd Annual ACM Symposium on Theory of Computing (STOC 1990), 427-437, ACM, 1990.

[58]

J.M.G. Nieto, C. Boyd and E. Dawson: A Public Key Cryptosystem Based on a Subgroup Membership Problem, Designs, Codes and Cryptography, 36, 2005, 301-316.

[59]

T. Okamoto and D. Pointcheval: REACT: Rapid Enhanced-security Asymmetric Cryptosystem Transform, CT-RSA 2001, LNCS 2020, 159-174, Springer, 2001.

[60]

T. Okamoto and S. Uchiyama: A New Public-Key Cryptosystem as Secure as Factoring, EUROCRYPT '98, LNCS 1403, 308-318, Springer-Verlag, 1998.

[61]

P. Paillier: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes, EUROCRYPT '99, LNCS 1592, 223-238, Springer, 1999.

[62]

C. Peikert and B. Waters: Lossy Trapdoor Functions and Their Applications, 40th Annual ACM Symposium on Theory of Computing (STOC 2008), ACM, 2008.

[63]

D. Pointcheval: Chosen-Ciphertext Security for Any One-Way Cryptosystem, PKC 2000, LNCS 1751, 129-146, Springer, 2000.

[64]

M. Prabhakaran and M. Rosulek: Homomorphic Encryption with CCA Security, ICALP(2) 2008, 667-678.

[65]

M. Rabin: Digitalized signatures and public key functions as intractable as factorization, Technical Report TR-212, MIT/LCS, 1979.

[66]

C. Rackoff and D. Simon: Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack, CRYPTO '91, LNCS 576, 433-444, Springer-Verlag, 1992.

[67]

R.L. Rivest: On the notion of pseudo-free groups, TCC 2004, LNCS 2951, 505-521, 2004.

[68]

R.L. Rivest, A. Shamir and L. Adleman: A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, Communications of the ACM, Vol.21, No.2, 120-126 (1978).

[69]

A. Sahai: Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security, FOCS '99, IEEE Computer Society, 1999.

[70]

A. Sahai and B. Waters: Fuzzy identity-based encryption, EUROCRYPT 2005, LNCS 3494, 457-473, Springer, 2005.

[71]

P. Sarkar and S. Chatterjee: Identity-Based Encryption, Springer, 2011. ISBN 978-1-4419-9382-3.

[72]

A. Shamir: Identity-Based Cryptosystems and Signature Schemes, CRYPTO '84, LNCS 196, 47-53, Springer-Verlag, 1985.

[73]

N.P. Smart and F. Vercauteren: Fully Homomorphic Encryption with Relatively Small Key and Ciphertext Sizes, PKC 2010, LNCS 6056, 420-443, Springer-Verlag, 2010.

[74]

D. Stehlé and R. Steinfeld: Faster Fully Homomorphic Encryption, ASIACRYPT 2010, LNCS 6477, 377-394, Springer, 2010.

[75]

R. Steinfeld and Y. Zheng: A Signcryption Scheme Based on Integer Factorization, ISW 2000, LNCS 1975, 308-322, Springer, 2000.

[76]

I. Teranishi and W. Ogata: Relationship between standard model plaintext awareness and message hiding, ASIACRYPT 2006, LNCS 4284, 226-240, Springer, 2006.

[77]

G. Yang, C.H. Tan, Q. Huang and D.S. Wong: Probabilistic Public Key Encryption with Equality Test, CT-RSA 2010, LNCS 5985, 119-131, Springer, 2010.

[78]

A. Young and M. Yung: Questionable Encryption and Its Applications, MyCrypt ‘05, LNCS 3715, 210-221, Springer, 2005.

[79]

A. Young and M. Yung: Hiding Information Hiding, IH 2006, LNCS 4437, 161-171, Springer, 2007.

[80]

Y. Zheng: Digital Signcryption or How to Achieve Cost(Signature & Encryption) << Cost(Signature) + Cost(Encryption), CRYPTO '97, LNCS 1294, 165-179, Springer, 1997.
