Analysis and Design of Public Key Cryptographic Schemes

Analysis and Design of Public Key Cryptographic Schemes
by Ron Steinfeld

Dissertation submitted by Ron Steinfeld for fulfillment of the requirements for the degree of Doctor of Philosophy (0190) in the School of Network Computing at Monash University

Monash University
January, 2003

© Copyright by Ron Steinfeld 2003

To my Parents

Contents

List of Tables
List of Figures
Abstract
Acknowledgments

1 Introduction
  Information Security and Modern Cryptology
    Security Properties of Cryptographic Schemes
    Primitive Cryptographic Assumptions
    Security Analysis of Cryptographic Schemes: Necessary and Sufficient Assumptions
    Efficiency: Resource Requirements of Cryptographic Schemes
  Summary of Thesis Chapters
    Chapters on Design and Analysis of Crypto. Schemes
      A Signcryption Scheme Based on Integer Factorization
      Content Extraction Signatures
      Attacks on Public-Key Encryption and Signcryption Schemes
    Chapters on Analysis of Primitive Cryptographic Problems
      The LSBS-RSA Assumption
      Attacks on Hidden Number Chinese Remaindering Problems

2 A Signcryption Scheme Based on Integer Factorization
  2.1 Introduction
  Related Work
  Contents of This Chapter
  Preliminary Definitions and Results
  General Notation
  Security Notions for Signcryption Schemes
  Historical Background
  Contents of This Section
  Abstract Definition of a Signcryption Scheme
  Unforgeability Notions: Two-User Setting
  Unforgeability Notions: Multi-User Setting
  Confidentiality Notions: Two-User Setting
  Confidentiality Notions: Multi-User Setting
  Analysis in TU Setting does not Suffice for MU Security
  Cryptographic Assumptions
  The Factorization Problem Fact
  The Strong Ambiguous Discrete Log Problem SADL
  The Hidden Subgroup Generator Problem HSG
  The Strong Symmetric Random-Power Diffie-Hellman Problem SSRP DH
  Security Notion for Symmetric Encryption Schemes
  Probabilistic Lemmas
  Definition of Factoring-Based Signcryption Scheme SCF
  Efficiency and Practical Issues
  Communication Overhead
  Computational Cost
  Choice of Parameters
  Common Parameter Generation (Trusted Authority)
  Security Analysis
  Unforgeability Analysis for Scheme SCF
  Confidentiality Analysis for Scheme SCF

3 Content Extraction Signatures
  Introduction
  Contents of this Chapter
  Preliminaries
  General Notations
  Standard Cryptographic Primitives
  Digital Signature Schemes
  Message Commitment Schemes
  Collision-Resistant Hash Functions
  RSA-Based Signatures
  The RSA Trapdoor One-Way Function
  The FDH-RSA Signature Scheme
  The FDH-MER Signature Scheme
  Generic Conversion from a Weak Unforgeability Notion to Full CES-Unforgeability
  Background
  The Emerging Need
  Virtues of Content Extraction Signatures
  Subdocument Presentation
  Related Work
  Requirements and Definition of Content Extraction Signatures
  Document Model and Related Terminology
  Definition of a Content Extraction Signature
  Functional Requirements from a CES
  Security Requirements from a CES
  Unforgeability
  Privacy
  Proposed Content Extraction Signature Schemes
  Schemes Based on General Cryptographic Primitives
  Scheme CommitVector (CV)
  A Variant: Scheme HashTree (HT)
  Schemes Based on RSA
  Scheme RSAProd (RSAP)
  A Variant: Scheme MERSAProd (MERP)
  Performance Summary

4 Active Attacks on Public-Key Encryption and Signcryption Schemes
  Introduction
  Preliminary Definitions
  Notation
  Asymmetric Encryption Schemes
  Message Authentication Code (MAC) Schemes
  Symmetric Encryption Schemes
  Zheng's Original Signcryption Scheme
  Gap Problems
  Strong Diffie-Hellman Assumption
  The Gap Diffie-Hellman Problem (GDH)
  The Strong Discrete Logarithm Problem (SDL)
  Attacks on Public-Key Encryption Schemes
  Background
  The One-Way Plaintext Checking Attack (OW-PCA) Assumption
  The Transforms CCAKEM1 and CCAKEM2
  Transform CCAKEM1
  Transform CCAKEM2
  The Chosen-Ciphertext Attacks
  Outline of the Attacks
  An Underlying Weakness Property Enabling the Attacks
  Attack on CCAKEM1 if the Underlying KEM is not OW-PCA
  Attack on CCAKEM2 if the Underlying KEM is not OW-PCA
  Attacks on Zheng's Original Signcryption Scheme
  Background
  The Attack on Unforgeability of Zheng's Signcryption Scheme
  Analogous Attacks on Confidentiality

5 The LSBS-RSA Assumption
  Introduction
  A Motivating Application
  Related Work
  Contents of the Chapter
  Preliminaries
  The RSA Trapdoor One-Way Function
  Lattice-Based Algorithms
  Square-Roots Modulo a Power of
  Factoring α-LSBS RSA Moduli
  Relation to the Standard RSA Factoring Problem
  Relation to the One-Wayness of α-LSBS RSA
  Leakage of α LS-bits of p and 2α LS-bits of p + q
  Partial Key Exposure Attacks on α-LSBS RSA (β > 0)
  PKE with Low Public Exponent (Small γ)
  Analysis of Generalized Boneh-Durfee-Frankel Attack (β > n/4 + α)
  An Intractability Result for β 2α
  PKE with Large Public Exponent (γ n/6)
  First Attack (α n/8, min(β,γ) n/2 2α)
  Second Attack (e prime, α n/12, min(β,γ) n/4 α)
  Application to Server-Aided Signature Generation
  Definition of SASG
  The Protocol
  Efficiency
  Security
  Practical Generation of α-LSBS RSA Moduli

6 Attacks on Chinese Remaindering Problems
  Introduction
  Preliminaries
  General Notations
  6.2.2 Algebraic Number Fields
  Lattices
  The Hidden-Field Chinese Remaindering Problem
  Background
  Algorithm
  Numerical Experiments
  The Lee-Norm Noisy Chinese Remaindering Problem
  Background
  The LNN-CRP Decoding Problem
  Localization of Solutions
  Decoding Algorithm for LNN-CRP
  The Lee-Norm Multiplier Noisy Chinese Remaindering Problem
  Background
  Decoding Problem
  Uniqueness of Solutions
  Decoding Algorithm for LNMN-CRP

Conclusion
  Chapter
  Chapter
  Chapter
  Chapter
  Chapter

Vita

References

List of Tables

2.1 Comparison of communication overhead of proposed signcryption scheme SCF with RSA-based Signature-Then-Encryption (with small public exponents and CRT decryption) and with original signcryption scheme SCS.

Ratio comparison of computation costs for sender (SC) and recipient (USC) of proposed signcryption scheme SCF with RSA-based Signature-Then-Encryption (using small public exponents and CRT decryption) and with original signcryption scheme SCS.

Comparison of signer computation time for proposed CES schemes. Column "Saving Ratio" gives the estimated ratio of sign time of the trivial multiple signature scheme, denoted Trivial, to the sign time of each scheme. Column "Typ. Saving (n = 100)" evaluates this saving ratio for a typical example with n = 100 submessages (see text).

Comparison of verifier computation time for proposed CES schemes. Column "Saving Ratio" gives the estimated ratio of verify time of the trivial multiple signature scheme, denoted Trivial, to the verify time of each scheme. Column "Typ. Saving (n = 100)" evaluates this saving ratio for a typical example with n = 100 and m = 99 (see text).

Comparison of signature length (signer to user communication) for proposed CES schemes. Column "Saving Ratio" gives the estimated ratio of signature length of the trivial multiple signature scheme, denoted Trivial, to the signature length of each scheme. Column "Typ. Saving (n = 100)" evaluates this saving ratio for a typical example with n = 100 (see text).

Comparison of extracted signature length (user to verifier communication) for proposed CES schemes. Column "Saving Ratio" gives the estimated ratio of extracted signature length of the trivial multiple signature scheme, denoted Trivial, to the extracted signature length of each scheme. Column "Typ. Saving (n = 100)" evaluates this saving ratio for a typical example with n = 100 and m = 99 (see text).

6.1 Experimental results.

List of Figures

3.1 An example of a multiparty interaction.
Definition of transformed CES scheme CES 2 = T WO (CES 1).
A real-life application for Content Extraction Signatures.
Definition of CES scheme CV.
Definition of CES scheme HT.
Definition of CES scheme RSAP.
Definition of CES scheme MERP.
Definition of Zheng's Original Signcryption scheme ZSC.
Decoding Algorithm for LNN-CRP.
Decoding Algorithm for LNMN-CRP.

Analysis and Design of Public Key Cryptographic Schemes

Ron Steinfeld, PhD
Monash University, 2003

Supervisor: Prof. Yuliang Zheng
Associate Supervisor 1: A. Prof. Igor E. Shparlinski
Associate Supervisor 2: A. Prof. Jan Newmarch

Abstract

This thesis studies topics in the security of cryptographic schemes and primitive cryptographic problems.

In Chapter 2, we propose the first signcryption scheme whose security is based on the hardness of integer factorization, giving a partial solution to an open problem posed by Zheng in his original paper on discrete-log based signcryption schemes [120]. We give a rigorous security analysis of the unforgeability and confidentiality of our scheme, in the random oracle model, with respect to powerful multi-user attack models. We show that with a suitable choice of parameters, our scheme has the novel feature that its multi-user unforgeability can be proven assuming only the hardness of the underlying factorization problem (whereas Zheng's original scheme [120] requires a strong gap assumption to achieve the same property). Our scheme's multi-user confidentiality is proven, in the random oracle model, assuming the hardness of a variant of the Gap Diffie-Hellman assumption in a subgroup of Z_N, where N is an RSA modulus, which is conjectured to be as hard as factoring N. The efficiency of our scheme is worse than Zheng's original signcryption scheme but better than the most efficient RSA sign-then-encrypt variant.

In Chapter 3, we introduce a new type of digital signature called a Content Extraction Signature (CES). A CES allows the owner, Bob, of a document signed by Alice, to produce an extracted signature on selected extracted portions of the original document, which can be publicly verified to originate from Alice while hiding the unextracted (removed) document portions from the verifier. This is achieved with improved computation and/or communication efficiency over the simple multiple-signature solution. We propose four CES schemes with various performance tradeoffs and prove their unforgeability and privacy properties with respect to known primitive cryptographic assumptions.

In Chapter 4, we present active attacks on public-key encryption and signcryption schemes, which establish strong gap assumptions as necessary for their security under active attacks. The results suggest a criterion for identifying a weakness property in schemes which gives rise to the attacks.

In Chapter 5, we study security properties of a special variant of the RSA trapdoor one-way function primitive [92] called Least-Significant Bit Symmetric-RSA (LSBS-RSA), in which the prime factors of the RSA modulus share a large number of least-significant bits. It is shown that low public-exponent LSBS-RSA is inherently resistant to Partial Key Exposure (PKE) attacks leaking least-significant bits of the secret exponent, and in particular that the Boneh-Durfee-Frankel PKE attack [21] on low public-exponent RSA becomes less effective for LSBS-RSA than for standard RSA. An application to server-aided signature generation is proposed.

In Chapter 6, we present efficient attacks based on lattice-reduction algorithms, against variants of the classical Chinese Remaindering Problem of recovering an integer from its residues modulo primes, to which the classical Chinese remaindering algorithm does not apply. In the first variant, the integer to be recovered is in a hidden algebraic number field, whereas in the other two variants only most-significant bits of the residues are provided.

Analysis and Design of Public Key Cryptographic Schemes

Declaration

I declare that this thesis is my own work and has not been submitted in any form for another degree or diploma at any university or other institute of tertiary education. Information derived from the published and unpublished work of others has been acknowledged in the text and a list of references is given.

Ron Steinfeld
January 21, 2003

Acknowledgments

I would like to thank my supervisor Prof. Yuliang Zheng for his continued guidance and encouragement from the time I first came to his office in 1999 as an interested undergraduate. I thank my co-supervisor A. Prof. Igor Shparlinski for his constant (remote) availability for guidance and enthusiastic feedback on my work on lattice-based algorithms. I'd like to thank my third co-supervisor A. Prof. Jan Newmarch for his encouragement and understanding since the middle of 2001, even though my work was not closely aligned with his fields of interest. Many thanks go to my friend and colleague Joonsang Baek, who has been a great source of inspiration and encouragement, and an excellent co-researcher to develop and discuss ideas with. Equally, I would like to thank my friend and colleague Laurence Bull for our fruitful discussions and enjoyable collaborative work on Content Extraction Signatures. Many of the results in this thesis have been presented in preliminary form in international conferences and the comments given by the referees of these conferences have been helpful to improve the presentation of these results. In particular, I would like to thank the anonymous referees of papers presented at ISW 2000 [113], CT-RSA 2001 [114], ICISC 2001 [112], PKC 2002 [8], ACISP 2002 [111], and ANTS V [108]. Finally, I cannot express in words how valuable the support of my mother, father, and sister has been throughout. I thank them very much.

Ron Steinfeld
Monash University
January 2003

Chapter 1
Introduction

1.1 Information Security and Modern Cryptology

This thesis studies topics in the field of cryptology. In this chapter we give a brief overview of modern cryptology and its relation to information security. We then summarize the contribution of the thesis in this context.

The rapid global adoption of computer networks and the Internet as an important business and personal communication medium in the past decade has dramatically increased the potential for information security breaches. An information security breach occurs when a malicious network user, or attacker, gains unauthorized read access (confidentiality breach) or write access (integrity breach) to information transmitted across the network or stored in network computers by other honest network users. The goal of information security engineering is to design information and communication systems which achieve confidentiality and integrity for the information of network users. Cryptology is the science which aims to develop tools for engineering secure information systems; these tools consist mainly of algorithms and protocols called Cryptographic Schemes. In order to make a cryptographic scheme a useful tool for information system engineers, the modern cryptologist should specify the following features of the scheme:

(1) The precise security properties provided by the scheme.
(2) Any unproven primitive cryptographic assumptions which are necessary and/or sufficient for the scheme to provide its claimed security properties.
(3) The resource requirements of the scheme.

In the following, we give some background on these topics.

1.1.1 Security Properties of Cryptographic Schemes

In the early days of modern cryptology, when Diffie and Hellman published their classical paper on public-key cryptosystems [35], security properties of cryptosystems were left at the intuitive level and were not precisely defined. It was felt that the security requirements are obvious and need not be carefully defined (e.g. an encryption scheme should simply "prevent the attacker from recovering the plaintext"). However, as the field evolved and various subtle attacks on specific cryptosystems were devised, it became clear that there are usually many possible definitions of security for a cryptographic scheme, depending on the precise capability and goal of the attacker. A scheme which is secure in the sense of one definition may be completely insecure in the sense of another definition. For example, in the case of encryption schemes, the textbook RSA cryptosystem as described originally in [92] is considered secure in the one-wayness sense of confidentiality (which, roughly speaking, prevents an attacker from recovering the whole message from a given ciphertext) but is completely insecure in the sense of semantic security [49] due to leakage of partial information on the message, and is also completely insecure in the sense of chosen-ciphertext attacks [89], where the attacker has access to a decryption box which can be used to decrypt any ciphertext except the ciphertext which the attacker is challenged to decrypt. Thus, in modern cryptology, it is considered important to precisely define the security properties provided by a cryptographic scheme. This involves specifying an attack model for the scheme. The attack model specifies the knowledge of the attacker (information available), the resources of the attacker (time, storage space, possible interactions with attacked users) and the goal of the attacker (exactly what constitutes a security breach) which the scheme can withstand. A scheme which withstands attacks in the specified model is said to have the associated security property, also called a security notion.

1.1.2 Primitive Cryptographic Assumptions

Following the pioneering work of Shannon [100] on the possibilities and limitations of information-theoretic cryptography, and even more so after the discovery of public-key cryptography [35], it became evident that most practical cryptographic schemes must rely on computational complexity (hardness) assumptions for their security. We call such assumptions primitive cryptographic assumptions. The most famous such assumption is the existence of one-way functions [35], which can be easily evaluated but require a much larger effort to invert. Practical concrete examples are the well known RSA [92] or Discrete-Log [35] one-way assumptions. Unfortunately, the current state of the art in the theory of computational complexity is such that one cannot hope to prove the truth of these computational hardness assumptions (at least until the famous P = NP question is resolved; see [45] for further discussion).
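The gap between the three notions contrasted above for textbook RSA (one-wayness, semantic security, chosen-ciphertext security) can be made concrete in a few lines. The following Python is an added example, not code from the thesis: it uses a constructed toy key (p = 61, q = 53), computes the Jacobi symbol to show the partial-information leak that rules out semantic security even if inverting RSA is hard, shows the trivial distinguisher that deterministic encryption permits, and models the "decryption box" of the chosen-ciphertext setting together with the blinding query that defeats it. All function names and parameters are my own constructions.

```python
import secrets
from math import gcd

# Constructed toy textbook-RSA key: p = 61, q = 53 (N = 3233). Far too small for
# real use; the point is the structure of the attacks, not the key size.
P, Q = 61, 53
N = P * Q
E = 17
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, E*D = 1 mod phi(N)


def enc(m: int) -> int:
    """Textbook RSA encryption: deterministic, no randomized padding."""
    return pow(m, E, N)


def dec(c: int) -> int:
    return pow(c, D, N)


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0, via quadratic reciprocity."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def leaked_jacobi(c: int) -> int:
    """Partial-information leak: E is odd, so (c/N) = (m/N)^E = (m/N).
    Anyone seeing the ciphertext learns this bit about m without inverting RSA,
    which is exactly what semantic security forbids."""
    return jacobi(c, N)


def distinguish(c: int, m0: int, m1: int) -> int:
    """Indistinguishability fails trivially: encryption is deterministic, so the
    attacker re-encrypts both candidate plaintexts and compares. Returns the
    index (0 or 1) of the plaintext that produced c."""
    return 0 if enc(m0) == c else 1


def make_decryption_box(c_star: int):
    """The decryption box of the chosen-ciphertext attack model: it decrypts any
    ciphertext except the challenge c_star."""
    def box(c: int) -> int:
        if c == c_star:
            raise ValueError("decryption box refuses the challenge ciphertext")
        return dec(c)
    return box


def cca_recover(c_star: int, box) -> int:
    """Chosen-ciphertext break of textbook RSA via its multiplicative
    homomorphism: (m*r)^E = m^E * r^E mod N. The blinded ciphertext
    c' = c_star * r^E differs from c_star, so the box decrypts it to m*r,
    and dividing out r recovers m."""
    while True:
        r = secrets.randbelow(N - 2) + 2          # random blinding factor in [2, N-1]
        c_prime = (c_star * pow(r, E, N)) % N
        if gcd(r, N) == 1 and c_prime != c_star:
            break
    m_times_r = box(c_prime)
    return (m_times_r * pow(r, -1, N)) % N
```

Each function returns its result rather than printing it, so the three failures can be checked directly: `leaked_jacobi(enc(m)) == jacobi(m, N)` for every m, `distinguish` always names the right plaintext, and `cca_recover` returns the challenge plaintext using only queries the box accepts. The multiplicative relation exploited in the last step is what randomized padding schemes such as OAEP are designed to destroy, which is why unpadded RSA is never deployed directly.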

Thus, with the current state of the art, the best that can be done at present in the area of primitive cryptographic assumptions is to study the validity of these assumptions by attempting to devise attacks against them using the best known techniques. Once a primitive assumption has been studied for many years by many researchers, confidence in its truth improves, and it becomes a good candidate as the basis for the security of cryptographic schemes (see below). Examples of assumptions in this category are the integer factorization and discrete-logarithm assumptions [87, 70]. Alternatively, assumptions may be found false, and such an outcome ensures that insecure schemes based on these false assumptions are avoided. An example of such an assumption which was found false is the super-increasing knapsack problem, first proposed in [72] and found to be false in [99]. Furthermore, studies of primitive assumptions may also give insight which can lead to new assumptions with improved properties. The last two chapters of this thesis study primitive cryptographic assumptions.

Security Analysis of Cryptographic Schemes: Necessary and Sufficient Assumptions

The initial design of a cryptographic scheme is usually done in an intuitive manner, to base its security heuristically on a certain, ideally well studied and trusted, primitive cryptographic assumption, that is, the assumption that a certain primitive cryptographic problem is computationally hard (see Section 1.1.2). The meaning of "heuristic" here is usually that, on first inspection, it appears to the designer that any attack which breaks the scheme in the sense of the attack model corresponding to the desired security notion (see Section 1.1.1) requires breaking the underlying primitive problem.

Sufficient Assumptions: Provable Security. However, as was repeatedly shown in numerous examples of broken schemes in the literature, there is always a dangerous possibility that the designer overlooked some clever attack on the scheme which bypasses the need to solve the hard primitive problem and yet still manages to break the scheme under the specified attack model. Therefore, to increase confidence in the security of the scheme, it is desirable to analyze the scheme and demonstrate sufficient primitive assumptions which are provably guaranteed to imply the security of the scheme in the sense of the selected security notion (ideally these primitive assumptions correspond to the trusted primitive assumption on which the scheme's security was heuristically designed to be based). This is the core idea of the so-called provable security methodology of modern cryptography. The proof of such a result involves a computational reduction, as used in the theory of computational complexity, which shows how any efficient attack algorithm against the scheme in the sense of the selected security notion can be used (as a "black box") to construct an efficient algorithm for breaking the primitive problem. In the first two chapters of this thesis we use this approach to prove sufficient primitive assumptions for the security of certain cryptographic schemes (see Section 1.2).

The Random Oracle Model. In recent years, as the provable-security approach was beginning to be applied to the analysis of practical schemes, it was found that a major stumbling block to providing security proofs for these schemes involved the modelling of one-way cryptographic hash functions. Such functions were used in many practical schemes, both for the purpose of collision-resistant compression (hashing) of information before the application of a digital signature, and for producing authentication tags for checking the validity of ciphertexts and other cryptographic values without leaking information on the secret hashed value via the hash function output. It was found that security proofs can be given for many such schemes, thus validating their design, by modelling the hash functions as truly random functions in a black box, allowing the users (and attackers) to evaluate the function inside the box at any chosen points (which suffices for the use of the functions in the schemes concerned), but without allowing the attacker to look inside the box to see the full function. This model has become known as the random oracle model since it was popularized in [16], having been first suggested in [40]. The analysis of schemes in the first three chapters of this thesis is done assuming the random oracle model for the underlying hash functions. In practice, it is not usually possible to use a random oracle to implement the hash functions concerned, and one uses concrete functions with a publicly known algorithm, such as SHA-1 [75], instead. In this case, because the attacker knows the full description of the hash function, the security proofs in the random oracle model are no longer applicable. However, they at least provide strong evidence that no attacks exist which treat the hash function as a random black-box function, and all known attacks on practical schemes fall in this category. We refer the reader to [45, 10] for further discussion on provable security and the random oracle model.

Necessary Assumptions: Security Limits. Before investing effort in attempting to use the provable security approach to find sufficient assumptions for the security of a scheme, it is advisable to try to identify the strongest necessary assumptions for the security of the scheme under the specified attack model. Such necessary assumptions provide an upper bound on the security that one can hope the scheme to achieve. If the necessary assumptions are found to be stronger than desired, there is no point in investing effort to find sufficient assumptions for security. Necessary assumptions are found by looking for attacks on the scheme which run efficiently if the assumptions concerned are false. They are especially useful if they exploit the full resources of the attack model. In the third chapter of this thesis, we provide strong necessary conditions on the security of certain schemes, which make use of the active attack model used to analyze these schemes.

Efficiency: Resource Requirements of Cryptographic Schemes

The efficiency of a cryptographic scheme is determined by its resource requirements, such as computational costs, communication costs, storage costs, and complexity of implementation.

The study of efficient implementation of cryptographic schemes is a large area, but is not studied in detail in this thesis. However, efficiency is a major motivation in the design of all the cryptographic schemes discussed in the thesis, and the tradeoffs of efficiency with security are considered throughout the thesis.

1.2 Summary of Thesis Chapters

In this section we summarize the background to and main results of the thesis chapters.

Chapters on Design and Analysis of Crypto. Schemes

A Signcryption Scheme Based on Integer Factorization

Related Publications. A preliminary version of the results in this chapter was published in [113]. Relevant security models for signcryption were published in [8].

Background. Public-key encryption schemes, first proposed by Diffie and Hellman in their classical paper [35], are the main tools for achieving confidential communication over electronic networks. Digital signatures, also introduced in [35], are the main tools for achieving integrity of communication. In many practical applications, both confidentiality and integrity are required. The conventional approach to achieve these two goals simultaneously is the sign-then-encrypt approach, in which a signature scheme is used to achieve integrity and an encryption scheme is used to achieve confidentiality. However, this approach suffers a major inefficiency because two costly separate cryptographic operations must be performed. A Signcryption Scheme is a general cryptographic scheme introduced in 1996 by Zheng [120] which efficiently combines the functionalities of a public-key encryption scheme and a digital signature scheme. The security of Zheng's original schemes relies on the computational intractability, or hardness, of the Discrete-Logarithm Problem, which has been a well known hard problem in cryptography since it was first used in the classical Diffie-Hellman key exchange scheme [35]. However, since algorithmic breakthroughs may cause the discrete-logarithm problem to be broken, it is very important to also establish signcryption schemes based on other hard problems which may not be affected by breakthroughs in algorithms for discrete logarithms. One such problem is the integer factorization problem, which has also been a very well known hard problem in cryptography since the publication of the RSA public-key system [92]. In this thesis we present the first signcryption scheme based on the integer factorization problem. Our main results in this chapter can be summarized as follows.

Definition of Security Models for General Signcryption Schemes. We define a range of precise security notions for both unforgeability and confidentiality of general signcryption schemes, which extends and unifies the ones previously proposed by the author and other researchers. These notions are later used in the analysis of our factoring-based signcryption scheme. Our range of notions depends on: (1) the total number of system users (Two-User or Multi-User); (2) the identity of the attacker (Second-Party Insider, Third-Party Insider, Outsider). All our signcryption unforgeability notions are extensions of the standard notion of existential unforgeability under adaptive chosen message attack (CMA), which is the strongest accepted notion of unforgeability for normal digital signature schemes. Similarly, all our signcryption confidentiality notions are extensions of the standard notion of indistinguishability under chosen ciphertext attack (IND-CCA), which is the strongest accepted notion of confidentiality for normal public-key encryption schemes. Our strongest unforgeability notion, namely the Multi-User Setting, Second-Party Attacker unforgeability notion (CMA-MU-SP), considers very powerful attackers which are, however, realistic in a multi-user setting. These attackers can query the attacked sender's signcryption oracle to obtain signcryptexts by the sender not only on adaptively-chosen messages (as in the standard CMA unforgeability notion) but also with adaptively-chosen recipient public keys; we say that the attacker has access to a Flexible Signcryption Oracle (FSO). Similarly, our strongest third-party confidentiality notion, namely the Multi-User, Third-Party confidentiality notion (INDCCA-MU-TP), allows the attacker not only to adaptively choose signcryptexts to be unsigncrypted by the attacked recipient (as in the standard IND-CCA confidentiality notion), but also allows an adaptively chosen sender's public key to be used in the unsigncryption of these signcryptexts; we say that the attacker has access to a Flexible Unsigncryption Oracle (FUO) (in addition, the attacker still has access to the sender's FSO). We show that, contrary to claims in the literature, multi-user security for a signcryption scheme is not in general easily achieved by a simple generic transformation of a Two-User-secure signcryption scheme. In particular this does not hold for Zheng's original signcryption scheme and the factoring-based signcryption scheme presented in this chapter.

New Signcryption Scheme Based on Integer Factorization. We propose the first signcryption scheme based on the hardness of integer factorization. The scheme can be considered an efficient combination of a composite-modulus variant [85] of the Schnorr signature [96] with a composite-modulus variant of the El-Gamal encryption scheme [37]. We concretely analyze the multi-user unforgeability and confidentiality of the scheme, using the random oracle model [16] for the underlying cryptographic hash functions.

Unforgeability of the Factoring-Based Signcryption Scheme. We prove that with a proper choice of parameters, our factoring-based signcryption scheme has the novel feature that it achieves multi-user unforgeability, in the sense of our strongest multi-user unforgeability notion CMA-MU-SP+, assuming only the hardness of the underlying factorization problem (no gap assumption required). This is an interesting contrast with Zheng's

original discrete-log based scheme, which requires in general a strong gap-type assumption (the "Strong Discrete-Log Assumption") to achieve multi-user unforgeability in the sense of CMA-MU-SP+, as shown in a later chapter of this thesis.

Confidentiality of the Factoring-Based Signcryption Scheme. We prove that our factoring-based signcryption scheme achieves multi-user confidentiality, in the sense of our strongest useful multi-user confidentiality notion INDCCA-MU-TP, assuming the hardness of the underlying factorization problem, the passive one-time confidentiality of the underlying symmetric encryption scheme, and the hardness of a variant of the Gap Diffie-Hellman (GDH) problem in a subgroup of Z_N (for N an RSA modulus) called the Strong Symmetric Random Power Diffie-Hellman (SSRP DH) Problem. The current state of the art leads to the conjecture that the hardness of SSRP DH, and hence the confidentiality of our scheme, follows from the hardness of the underlying factorization problem.

Content Extraction Signatures

Related Publications. A preliminary version of the results in this chapter was published in [112].

Background. We introduce a new type of digital signature scheme, called a Content Extraction Signature (CES), which allows the owner Bob of a document signed by Alice to extract (without cooperation from Alice) a signature on a selected portion of the original document. The resulting extracted signature can be verified by any third party Cathy without revealing any information on the unextracted document portions. The signature should be more efficient than a simple multiple-signature solution to the problem. Our main results in this chapter can be summarized as follows.

Functional and Security Requirements for CES. We define precise unforgeability and privacy security notions for the new signature, which differ from those of standard signatures. Our unforgeability notion holds even for powerful chosen message attacks, analogous to the chosen-message security notions for standard digital signatures. Our privacy notion ensures that no information is leaked to the verifier on the content of the original document portions which were not extracted and passed on to the verifier.

Four CES Schemes. We propose four CES schemes and prove their security with respect to the above security notions under known cryptographic assumptions. Two of our schemes are based on general cryptographic primitives and achieve significant computation savings over the multiple signature scheme. Our two other schemes are based on RSA and achieve significant savings in communication overhead over the multiple signature scheme. The computation and communication costs of the schemes are compared.

Attacks on Public-Key Encryption and Signcryption Schemes

Related Publications. A preliminary version of some of the results in this chapter was published in [111].

Background. Recently, several very efficient public-key encryption schemes (namely DHIES [1] and REACT [82] in its many concrete implementations) were proposed and proven secure under chosen-ciphertext attack, under an assumption stronger than just the one-wayness of the underlying public-key primitive, namely One-Wayness under a Plaintext Checking Attack (OW-PCA). An important and natural question in understanding the security of these schemes is the following: is the strong OW-PCA assumption really necessary to achieve chosen-ciphertext security, or is One-Wayness enough but simply not yet proved to be enough? A similar question is relevant for the unforgeability of Zheng's original signcryption scheme [120], whose unforgeability in the multi-user Flexible Signcryption Oracle setting was proven [9] based on the Strong Discrete-Log assumption. Is this strong assumption necessary? In this chapter we answer the questions raised above. Our main results in this chapter can be summarized as follows.

Necessity of OW-PCA Assumption for the Security of a Class of Public-Key Encryption Schemes. We present chosen-ciphertext attacks which prove that OW-PCA is indeed necessary to achieve chosen-ciphertext security for a general class of encryption schemes including DHIES and REACT. In particular, this implies that the Gap Diffie-Hellman assumption is necessary for the security of DHIES and of the Diffie-Hellman version of REACT.

Necessity of Strong Assumptions for the Multi-User Security of Signcryption Schemes. We present an attack in the multi-user setting on the unforgeability of Zheng's original signcryption scheme, which shows that the Strong Discrete Log assumption is necessary for the unforgeability of the scheme. Although the Strong Discrete Log problem (in which the attacker has access to a Decision Diffie-Hellman oracle) appears as hard as the classical Discrete Log problem, proving the computational equivalence of these problems is an open problem. Thus our result shows an interesting contrast with the factoring-based signcryption scheme SCF presented in this thesis, whose multi-user unforgeability was proven with respect to a factoring assumption, without any decision oracle available to the attacker. We also explain how the attack can be used to show the necessity of strong assumptions for the confidentiality of both Zheng's original signcryption scheme and the factoring-based SCF scheme. These assumptions are almost as strong as the assumptions proved to be sufficient for the confidentiality of these schemes in the multi-user setting.

Chapters on Analysis of Primitive Cryptographic Problems

The LSBS-RSA Assumption

Related Publications. A preliminary version of some of the results in this chapter was published in [114].

Background. The RSA public-key primitive has enjoyed very wide applicability in cryptography since its initial publication in 1978 [92]. For this reason, the security of RSA has been extensively analyzed under various attack scenarios. A research area of particular interest is the investigation of certain special variants of RSA which are attractive for increasing computational efficiency. Such studies are increasingly important due to the low computational power of modern portable devices which need to perform cryptographic operations, such as smart cards and mobile phones. In this chapter, we study security properties of the RSA primitive under the following conditions:

(1) The prime factors p and q of the public RSA modulus N = pq have exactly α equal least-significant bits, that is, p − q = r·2^α for some odd integer r. We call an RSA modulus N with this property an α-least-significant-bit-symmetric modulus, or α-LSBS for short.

(2) The β least-significant bits of the RSA secret exponent d are available to the attacker (e.g. they are included as part of the public key). For this reason, this setting is called a Partial Key Exposure (PKE) attack scenario.

(3) The RSA public exponent e has bit length γ.

We refer to the above RSA system as (α, β, γ)-LSBS RSA. We will refer to the standard RSA system obtained when no bits of the secret exponent d are revealed as just α-LSBS RSA. When the length γ of the public exponent e is a small constant, we call the system a Low Public Exponent system. When γ is a constant fraction of the modulus length n, we call the system a Large Public Exponent system. We investigate the security of (α, β, γ)-LSBS RSA as a function of the system parameters (α, β, γ). As is usually the case in cryptography, our goal is two-way: (1) to understand which regions of the parameter space are insecure and must be avoided, and (2) to identify regions which appear secure and can lead to improved efficiency of RSA implementations. In the latter case, we call the cryptographic assumption that (α, β, γ)-LSBS RSA is a trapdoor one-way function the (α, β, γ)-LSBS RSA assumption. Our main results in this chapter can be summarized as follows.

Analysis of Intractability of Boneh-Durfee-Frankel PKE Attack for Low Public Exponents. We analyze a PKE attack due to Boneh, Durfee and Frankel [21] for low public exponents in the general case of (α, β, γ)-LSBS RSA (Boneh, Durfee and Frankel analyzed only the case of (1, β, γ)-LSBS RSA). We show that when β = n/4, the running time of the attack is exponential in the number of shared LS bits α, and hence intractable for even moderately large α. The attack gives a lower bound on the insecurity of (α, β)-LSBS RSA.

Reduction Between (α, β)-LSBS and α-LSBS RSA for Low Public Exponents. We give a reduction which complements the above attack and gives an upper bound on the insecurity of (α, β)-LSBS RSA (one-wayness with β LS bits of d revealed) in terms of the insecurity of α-LSBS RSA (one-wayness with an α-LSBS modulus but without any bits of the secret exponent d explicitly revealed). The reduction shows that for low public exponents, when the number of bits β is less than twice the number of shared LS bits α, the one-wayness of (α, β)-LSBS RSA follows from the assumption that α-LSBS RSA is one-way. Thus, as long as γ is small, it is safe to reveal the 2α LS bits of d.

PKE Attacks for Large Public Exponents. We show that, unlike the low-exponent case, for large public exponents it is very dangerous to reveal LS bits of d in an α-LSBS system with large α. This is an interesting contrast to the case of random RSA moduli (where α is a small constant with high probability) treated in [21], where no non-trivial attack is known given LS bits of d for large public exponents. Our best result is an attack which factors N given only β = n/6 LS bits of the secret exponent d when e is a prime of length γ = n/6 and the number of shared bits is α = n/12.

Application to Server-Aided Signatures. We motivate the study of the security of LSBS-RSA by giving a practical application, namely fast server-aided RSA signature generation.

Attacks on Hidden Number Chinese Remaindering Problems

Related Publications. A preliminary version of some of the results in this chapter was published in [108].

Background. Motivated by the search for new number-theoretic one-way functions, in this chapter we consider several natural computational problems which are potentially harder variants of the classical Chinese Remaindering Problem (CRP): given the residues a_i ≡ a mod p_i (for i = 1, ..., m) of a hidden number a ∈ Z_K modulo sufficiently many known primes p_1, ..., p_m, recover the hidden number a. It is well known that the CRP is solvable in polynomial time using the Chinese Remainder Theorem and Euclid's algorithm. We investigate whether several variants of the problem to which the classical CRP algorithm cannot be applied are still easy, or are hard and can be used to construct a one-way function. Our main results in this chapter can be summarized as follows.

Chinese Remaindering for Algebraic Numbers in a Hidden Field. We consider a variant of the CRP, called the Hidden Field Chinese Remainder Problem (HFCRP). In this variant, the hidden number a is an algebraic number of degree n > 1, generalizing the classical CRP in which a is a rational integer (an algebraic number of degree 1). Moreover,

the particular algebraic number field K of degree n over the rationals which contains a is kept hidden from the attacker. Since the classical CRP algorithm no longer applies to this problem, one might hope that the problem is hard. However, we present an attack algorithm showing that even in this HFCRP setting, the hidden number a can still be recovered in time polynomial in the algebraic degree n when sufficiently many residues of a are given. Our algorithm makes use of lattice basis reduction techniques. We present a rigorous proof of correctness for our algorithm, and experimental results on its practical performance.

Noisy Chinese Remaindering in the Lee Norm. We consider two noisy variants of the Chinese Remaindering Problem. In the first problem, called the Lee Norm Noisy Chinese Remaindering Problem (LNN-CRP), the attacker is given only approximations â_i of the hidden number residues a_i ≡ a mod p_i for i = 1, ..., m, where the approximation errors e_i = â_i − a_i mod p_i are small in absolute value (equivalently, the error vector (e_1, ..., e_m) has small Lee norm). In the second problem, called the Lee Norm Multiplier Noisy Chinese Remaindering Problem (LNMN-CRP), the attacker is given approximations â_i of random multiples t_i·a mod p_i of the hidden number residues a_i ≡ a mod p_i for i = 1, ..., m, where the random multipliers t_i ∈ Z_{p_i} are known, and the approximation errors e_i = â_i − t_i·a_i mod p_i are small in absolute value (equivalently, the error vector (e_1, ..., e_m) has small Lee norm). We give polynomial-time algorithms for both the LNN-CRP and LNMN-CRP problems, using lattice basis reduction techniques, when sufficiently many approximations are given and the approximation error is small enough. For the LNN-CRP problem, we prove that for a random choice of the primes p_i, approximations which provide only O( log K) MS bits of each residue suffice for our algorithm to recover the hidden number a with overwhelming probability in polynomial time. Similarly, for the LNMN-CRP problem, we prove that for any fixed set of primes {p_1, ..., p_m}, but over a random choice of the multipliers {t_1, ..., t_m}, only O( log K) MS bits of each residue suffice for our algorithm to recover the hidden number a with overwhelming probability in polynomial time. Consequently, we conclude that both the LNN-CRP and LNMN-CRP problems are easy, in the sense that the fraction of MS bits of the residues required to recover the hidden number in polynomial time approaches zero as the security parameter log K increases.
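The classical CRP and its noisy LNN-CRP variant described above, as an added example that is not part of the thesis: the hidden number a ∈ Z_K is recovered from its residues modulo known primes with the Chinese Remainder Theorem and Euclid's algorithm, and the same classical algorithm is then run on approximations â_i that keep only a few MS bits of each residue, which is exactly the input on which it no longer works (the lattice-based recovery from the chapter is not reproduced). The primes, K and the hidden number are constructed sample values; the function names are this example's own.

```python
"""Classical Chinese Remaindering Problem (CRP) recovery, and why the
noisy variant (LNN-CRP) cannot be solved by the classical algorithm."""
from functools import reduce

# Constructed sample instance (not from the thesis): five known primes,
# a bound K on the hidden number and the hidden number itself.
PRIMES = [997, 1009, 1013, 1019, 1021]
K = 2 ** 40
HIDDEN = 0x1234567890            # a in Z_K, strictly below K


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(a, m):
    """Inverse of a modulo m via extended Euclid (m is prime here)."""
    g, x, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError("%d has no inverse modulo %d" % (a, m))
    return x % m


def residues_of(a, primes):
    """The CRP instance an attacker is given: a_i = a mod p_i."""
    return [a % p for p in primes]


def crt_recover(residues, primes, bound):
    """Classical CRP solution: rebuild a in Z_K from exact residues.

    The Chinese Remainder Theorem determines a uniquely modulo the
    product M of the primes, so the instance is only well posed when
    M >= K ("sufficiently many known primes" in the thesis wording).
    """
    M = reduce(lambda x, y: x * y, primes, 1)
    if M < bound:
        raise ValueError("too few primes: product %d < K = %d" % (M, bound))
    a = 0
    for a_i, p_i in zip(residues, primes):
        M_i = M // p_i
        a += a_i * M_i * modinv(M_i, p_i)
    return a % M


def keep_ms_bits(a_i, p_i, k):
    """LNN-CRP style approximation â_i: keep only the k most significant
    bits of a_i (relative to the bit length of p_i), zeroing the rest."""
    shift = max(p_i.bit_length() - k, 0)
    return (a_i >> shift) << shift


def lee_norm(approx, residues, primes):
    """Lee norm of the error vector (e_1, ..., e_m), e_i = â_i - a_i mod p_i:
    each coordinate is measured as the smaller of e_i and p_i - e_i."""
    total = 0
    for ah, a_i, p_i in zip(approx, residues, primes):
        e = (ah - a_i) % p_i
        total += min(e, p_i - e)
    return total


def demo(k=5):
    """Exact residues recover HIDDEN; k-MS-bit approximations do not."""
    exact = residues_of(HIDDEN, PRIMES)
    approx = [keep_ms_bits(r, p, k) for r, p in zip(exact, PRIMES)]
    return {
        "from_exact": crt_recover(exact, PRIMES, K),
        "from_approx": crt_recover(approx, PRIMES, K),
        "error_lee_norm": lee_norm(approx, exact, PRIMES),
    }


if __name__ == "__main__":
    out = demo()
    print("recovered from exact residues :", hex(out["from_exact"]))
    print("CRT on 5-MS-bit approximations:", hex(out["from_approx"]))
    print("Lee norm of the error vector  :", out["error_lee_norm"])
```

Even though the error vector has small Lee norm, the CRT output on the approximations is unrelated to the hidden number: the small per-residue errors are spread across the whole range modulo M, which is why the noisy variants need the lattice-based approach described in the chapter rather than plain CRT.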

Chapter 2

A Signcryption Scheme Based on Integer Factorization

2.1 Introduction

Confidentiality and non-repudiatable origin authenticity of transmitted information are important requirements in many applications of cryptography. The conventional approach to meeting these goals is the sign-then-encrypt technique, where the message originator produces a digital signature on the message using his secret key and then encrypts the signed message with the recipient's public key. Several years ago, Zheng [120] introduced a public-key cryptographic primitive called signcryption, which achieves both confidentiality and non-repudiatable origin authenticity at a lower computational and communication overhead cost than the sign-then-encrypt technique. The security of Zheng's original signcryption schemes relies on the hardness of the classical Discrete Logarithm problem (DL) in a subgroup of the group Z_p, for p prime. These signcryption schemes are currently regarded as secure because there is no known efficient algorithm for solving DL. However, the fact that DL is currently not a provably difficult problem, and hence vulnerable to algorithmic breakthroughs, motivates the search for signcryption schemes based on other difficult problems which are computationally independent of DL. Consistent with this approach, Zheng posed, in his original paper [120], the open problem of finding a signcryption scheme based on the integer factorization problem, which appears to be computationally independent of DL.

In this chapter, we give a partial solution to Zheng's open problem. We propose the first signcryption scheme based on the hardness of integer factorization. We conjecture that, assuming the symmetric cipher and one-way hash functions used by our scheme have no individual weaknesses, any security break of our scheme is harder than factoring an RSA composite integer N. To support this claim, we provide a detailed security analysis of the unforgeability and confidentiality of our scheme.

We call our proposal a partial solution to Zheng's problem for the following reasons:

(1) Our scheme's unforgeability is proven with respect to a non-standard factorization problem, due to the additional knowledge of the element g ∈ Z_N whose order is large but typically much smaller than the modulus N to be factored. However, with a suitable choice of parameters, the problem appears to be as hard as the standard RSA modulus factorization problem, and indeed the same assumption has been made previously in the literature [85].

(2) Our scheme's confidentiality is proven with respect to a variant of the Gap Diffie-Hellman [81] problem in a subgroup of Z_N. Although current knowledge supports the conjecture that this problem is as hard as the above factorization problem, proving this conjecture is currently an open problem.

(3) The generation of the common public parameters of our scheme requires knowledge of (p, q), the factors of N. Therefore our security analysis does not apply against the authority generating the common parameters, which consequently must be trusted by all users not to be a potential attacker and not to reveal (p, q) to any potential attacker. Note, however, that this constraint is much weaker than that imposed by identity schemes based on factorization (e.g. the Fiat-Shamir [40] scheme), since in our scheme (p, q) need not be kept by the trusted authority for generating secret keys for new users.

Our main results in this chapter can be summarized as follows.

Definition of Security Models for General Signcryption Schemes. We define a range of precise security notions for both unforgeability and confidentiality of general signcryption schemes, which extends and unifies the ones previously proposed by the author and other researchers. These notions are later used in the analysis of our factoring-based signcryption scheme. Our range of notions depends on: (1) the total number of system users (Two-User or Multi-User); (2) the identity of the attacker (Second-Party Insider, Third-Party Insider, Outsider). All our signcryption unforgeability notions are extensions of the standard notion of existential unforgeability under adaptive chosen message attack (CMA), which is the strongest accepted notion of unforgeability for normal digital signature schemes. Similarly, all our signcryption confidentiality notions are extensions of the standard notion of indistinguishability under chosen ciphertext attack (IND-CCA), which is the strongest accepted notion of confidentiality for normal public-key encryption schemes. Our strongest unforgeability notion, namely the Multi-User Setting, Second-Party Attacker unforgeability notion (CMA-MU-SP), considers very powerful attackers which are, however, realistic in a multi-user setting. These attackers can query the attacked sender's signcryption oracle to obtain signcryptexts by the sender not only on adaptively-chosen messages (as in the standard CMA unforgeability notion) but also with adaptively-chosen recipient


More information

Table of Contents. Bibliografische Informationen http://d-nb.info/996514864. digitalisiert durch

Table of Contents. Bibliografische Informationen http://d-nb.info/996514864. digitalisiert durch 1 Introduction to Cryptography and Data Security 1 1.1 Overview of Cryptology (and This Book) 2 1.2 Symmetric Cryptography 4 1.2.1 Basics 4 1.2.2 Simple Symmetric Encryption: The Substitution Cipher...

More information

1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies 1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies Dave Corbett Technical Product Manager Implementing Forward Secrecy 1 Agenda Part 1: Introduction Why is Forward Secrecy important?

More information

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)

More information

Study of algorithms for factoring integers and computing discrete logarithms

Study of algorithms for factoring integers and computing discrete logarithms Study of algorithms for factoring integers and computing discrete logarithms First Indo-French Workshop on Cryptography and Related Topics (IFW 2007) June 11 13, 2007 Paris, France Dr. Abhijit Das Department

More information

Associate Prof. Dr. Victor Onomza Waziri

Associate Prof. Dr. Victor Onomza Waziri BIG DATA ANALYTICS AND DATA SECURITY IN THE CLOUD VIA FULLY HOMOMORPHIC ENCRYPTION Associate Prof. Dr. Victor Onomza Waziri Department of Cyber Security Science, School of ICT, Federal University of Technology,

More information

CS 758: Cryptography / Network Security

CS 758: Cryptography / Network Security CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html

More information

Basic Algorithms In Computer Algebra

Basic Algorithms In Computer Algebra Basic Algorithms In Computer Algebra Kaiserslautern SS 2011 Prof. Dr. Wolfram Decker 2. Mai 2011 References Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, 1993. Cox, D.; Little,

More information

SECURITY ANALYSIS OF A SINGLE SIGN-ON MECHANISM FOR DISTRIBUTED COMPUTER NETWORKS

SECURITY ANALYSIS OF A SINGLE SIGN-ON MECHANISM FOR DISTRIBUTED COMPUTER NETWORKS SECURITY ANALYSIS OF A SINGLE SIGN-ON MECHANISM FOR DISTRIBUTED COMPUTER NETWORKS Abstract: The Single sign-on (SSO) is a new authentication mechanism that enables a legal user with a single credential

More information

2. Cryptography 2.4 Digital Signatures

2. Cryptography 2.4 Digital Signatures DI-FCT-UNL Computer and Network Systems Security Segurança de Sistemas e Redes de Computadores 2010-2011 2. Cryptography 2.4 Digital Signatures 2010, Henrique J. Domingos, DI/FCT/UNL 2.4 Digital Signatures

More information

Lecture 6 - Cryptography

Lecture 6 - Cryptography Lecture 6 - Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07 Question 2 Setup: Assume you and I don t know anything about

More information

MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu

MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic
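The (Gen, Sign, Ver) syntax above, and the "Signatures vs. MACs" distinction in the Vadhan-Rosen notes listed earlier, worked as runnable code. This is an added example and not code from any of the documents listed on this page: the choice of a Lamport one-time signature over SHA-256 as the concrete instantiation, the one-time-use guard, and the HMAC contrast are mine; the message strings are constructed sample input.

```python
# Added example, not code from any document listed on this page: the
# (Gen, Sign, Ver) syntax instantiated with a Lamport one-time signature
# built only from SHA-256, beside an HMAC tag to show why a MAC is not a signature.
import hashlib
import hmac
import secrets

N = 256  # SHA-256 output bits: one preimage pair per digest bit


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def digest_bits(m: bytes) -> list:
    """Bits of H(m), most significant first; bit i selects which preimage of pair i to reveal."""
    n = int.from_bytes(H(m), "big")
    return [(n >> (N - 1 - i)) & 1 for i in range(N)]


class LamportKey:
    """sk: N pairs of random 32-byte preimages; pk: their SHA-256 images.
    Strictly one-time: two signatures reveal both preimages at every position
    where the two digests differ, so the key refuses to sign twice."""

    def __init__(self, rng=secrets.token_bytes):
        self.sk = [(rng(32), rng(32)) for _ in range(N)]
        self.pk = [(H(a), H(b)) for a, b in self.sk]
        self.used = False


def gen(rng=secrets.token_bytes):
    """Gen -> (sk, pk). The secret key object is returned as sk."""
    k = LamportKey(rng)
    return k, k.pk


def sign(k: LamportKey, m: bytes) -> list:
    """Sign_sk(m): reveal a_i when bit i of H(m) is 0, b_i when it is 1."""
    if k.used:
        raise RuntimeError("Lamport key already used; a second signature leaks preimages")
    k.used = True
    return [pair[bit] for pair, bit in zip(k.sk, digest_bits(m))]


def ver(pk, m: bytes, s) -> bool:
    """Ver_pk(m, s) = 1 iff each revealed value hashes to the pk image selected
    by the matching bit of H(m). Uses only pk, so anyone can verify."""
    if len(s) != N:
        return False
    ok = True
    for pair, bit, x in zip(pk, digest_bits(m), s):
        # constant-time compare, accumulated so every position is always checked
        ok &= hmac.compare_digest(H(x), pair[bit])
    return ok


# MAC for contrast: the same key k both creates and checks the tag.
def mac_tag(k: bytes, m: bytes) -> bytes:
    return hmac.new(k, m, "sha256").digest()


def mac_ver(k: bytes, m: bytes, t: bytes) -> bool:
    return hmac.compare_digest(mac_tag(k, m), t)


def verifier_can_forge_mac(k: bytes) -> bool:
    """Whoever can run mac_ver holds k and can therefore mint a tag Alice never
    produced; a MAC gives no non-repudiation. Returns True: the forgery verifies."""
    forged = b"Alice owes Bob $1,000,000"  # constructed sample message
    return mac_ver(k, forged, mac_tag(k, forged))


def demo() -> dict:
    """Run the scheme end to end and report each check as a boolean."""
    sk, pk = gen()
    m = b"Pay Bob $100"  # constructed sample message
    s = sign(sk, m)
    out = {
        "valid": ver(pk, m, s),
        "tampered_message": ver(pk, b"Pay Bob $1000", s),
        "tampered_signature": ver(pk, m, [secrets.token_bytes(32)] + s[1:]),
        "mac_verifier_forges": verifier_can_forge_mac(secrets.token_bytes(32)),
    }
    try:
        sign(sk, b"a second message")
        out["second_sign_refused"] = False
    except RuntimeError:
        out["second_sign_refused"] = True
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The verifier never sees a preimage it did not need, and pk alone does not let it sign, which is exactly what mac_ver lacks: holding the MAC key is holding the signing key. The one-time guard matters in practice; a Lamport key that signs twice exposes, at every position where the two digests differ, both preimages, and an attacker can then splice a signature for any message whose digest bits are covered by what was revealed.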

Identity-Based Encryption from the Weil Pairing. Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages
Provable-Security Analysis of Authenticated Encryption in Kerberos. Alexandra Boldyreva and Virendra Kumar, Georgia Institute of Technology, School of Computer Science, 266 Ferst Drive, Atlanta, GA 30332-0765
A New Generic Digital Signature Algorithm. Jennifer Seberry, Vinhbuu To and Dongvu Tonien. Groups Complex. Cryptol. ? (????), 1-16, DOI 10.1515/GCC.????.???, de Gruyter ????. Abstract: In this paper, we study
New Digital Signature Protocol Based on Elliptic Curves. Ounasser Abid, Jaouad Ettanfouhi and Omar Khadir, Laboratory of Mathematics, Cryptography and Mechanics, Department of Mathematics, Fstm,
Kleptography: The unbearable lightness of being mistrustful. Moti Yung, Google Inc. / Columbia University; joint work with Adam Young. Background: the time is the mid 90s; cryptography is the big equalizer
Improvement of digital signature with message recovery using self-certified public keys and its variants. Zuhua Shao. Applied Mathematics and Computation 159 (2004) 391-399, www.elsevier.com/locate/amc. Department
Exam questions for the course TTM4135 - Information Security, May 2013, Part 1. This part consists of 5 questions, all from one common topic. The maximal number of points for every correctly answered question
LUC: A New Public Key System. Peter J. Smith (LUC Partners, Auckland UniServices Ltd, The University of Auckland, Private Bag 92019, Auckland, New Zealand) and Michael J. J. Lennon (Department of
The RSA Algorithm. Evgeny Milanov, 3 June 2009. In 1978, Ron Rivest, Adi Shamir, and Leonard Adleman introduced a cryptographic algorithm, which was essentially to replace the less secure National Bureau
Security/Privacy Models for "Internet of Things": What should be studied from RFID schemes? Daisuke Moriyama and Shin'ichiro Matsuo, NICT, Japan. 1 Internet of Things (IoT). CASAGRAS defined that: A global
Computer Security: Principles and Practice, First Edition, by William Stallings and Lawrie Brown. Chapter 20: Public-Key Cryptography and Message Authentication. Lecture slides by Lawrie Brown. Public-Key Cryptography
The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?). Hugo Krawczyk. Abstract: We study the question of how to generically compose symmetric encryption and authentication
Common Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel, July 2006. Shay Zalalichin, CISSP, AppSec Division Manager, Comsec Consulting, shayz@comsecglobal.com. Copyright 2006 The OWASP Foundation, http://www.owasp.org/
Digital Signatures. Signing by hand: Alice signs "Pay Bob $100"; the bank compares the signature with Alice's on file (match? yes: pay Bob; no: don't pay). Signing electronically: over the Internet, the bank receives SIGFILE 101 1 ALICE Pay Bob $100 scan
CS 494/594 Computer and Network Security. Dr. Jinyuan (Stella) Sun, Dept. of Electrical Engineering and Computer Science, University of Tennessee, Fall 2010. 1 Introduction to Cryptography: What is cryptography?
Computer Networks: Network Security and Ethics, Week 14. College of Information Science and Engineering, Ritsumeikan University. Security intro for admins: network administrators can break security into two
Computer Security (COMP4631), Cunsheng Ding, HKUST, Hong Kong. Lecture 08: Key Management for One-key Ciphers. Topics of this lecture: 1. The generation and distribution of secret keys. 2. A key distribution protocol with a key distribution center.
Message Authentication in an Identity-Based Encryption Scheme: 1-Key-Encrypt-Then-MAC. Brittanney Jaclyn Amento. A thesis submitted to the Faculty of The Charles E. Schmidt College of Science in partial
Lecture 10: CPA Encryption, MACs, Hash Functions. CS 7880 Graduate Cryptography, October 15, 2015, Lecturer: Daniel Wichs, Scribe: Matthew Dippel. 1 Topics covered: chosen plaintext attack model of security; MACs. 2 Recap of last lecture: PRGs for one-time pads
CSc 466/566 Computer Security, 8: Cryptography, Digital Signatures. Christian Collberg, Department of Computer Science, University of Arizona, collberg@gmail.com. Version: 2012/02/27 16:07:05. Copyright 2012 Christian
On Factoring. R. A. Mollin, Department of Mathematics and Statistics, University of Calgary, Calgary, Alberta, Canada, T2N 1N4, http://www.math.ucalgary.ca/. Int. J. Contemp. Math. Sciences, Vol. 3, 2008, no. 33, 1635-1642. 2 Primality and Compositeness Tests
Direct Online/Offline Digital Signature Schemes. Ping Yu, M.S. Dissertation prepared for the Degree of Doctor of Philosophy, University of North Texas, December 2008. Approved: Stephen R. Tate, Major Professor
Signcryption or How to Achieve Cost(Signature & Encryption)
Factoring & Primality. Lecturer: Dimitris Papadopoulos. In this lecture we will discuss the problem of integer factorization and primality testing, two problems that have been the focus of a great amount
A New Efficient Digital Signature Scheme Algorithm based on Block cipher. IOSR Journal of Computer Engineering (IOSRJCE), ISSN: 2278-0661, ISBN: 2278-8727, Volume 7, Issue 1 (Nov.-Dec. 2012), PP 47-52.
Lecture 13: Factoring Integers. CS 880: Quantum Information Processing, Instructor: Dieter van Melkebeek, Scribe: Mark Wellons. In this lecture, we review order finding and use this to develop a method
VoteID 2011: Internet Voting System with Cast-as-Intended Verification. September 2011, VP R&D Jordi Puiggali (Jordi.Puiggali@scytl.com). Index: Introduction, Proposal, Security, Conclusions. 2. Introduction: Client computers could
Message Authentication Codes. CLAIM 4.8: Pr[Mac-forge_{A,Π}(n) = 1 ∧ NewBlock] is negligible. We construct a probabilistic polynomial-time adversary A who attacks the fixed-length MAC Π and succeeds in
On-Line/Off-Line Digital Signatures. Shimon Even, Computer Science Department, Technion, Israel Institute of Technology. J. Cryptology (1996) 9: 35-67, 1996 International Association for Cryptologic Research.
Public Key Cryptography and RSA. Murat Kantarcioglu, based on Prof. Ninghui Li's slides. Review: Number Theory Basics. Definition: An integer n > 1 is called a prime number if its positive divisors are 1 and
A Novel Approach to combine Public-key encryption with Symmetric-key encryption. The International Journal of Computer Science & Applications (TIJCSA), Volume 1, No. 4, June 2012, ISSN 2278-1080, research paper, available online at http://www.journalofcomputerscience.com/
Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption. Ronald Cramer and Victor Shoup, December 12, 2001. Abstract: We present several new and fairly practical public-key
Cryptography and Network Security, Spring 2012, http://users.abo.fi/ipetre/crypto/. Lecture 7: Public-key cryptography and RSA. Ion Petre, Department of IT, Åbo Akademi University. Some unanswered questions
Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks. Tsz Hon Yuen (Huawei, Singapore), Ye Zhang (Pennsylvania State University, USA), Siu Ming
An Introduction to Identity-based Cryptography. CSEP 590TU, March 2005, Carl Youngblood. One significant impediment to the widespread adoption of public-key cryptography is its dependence on a public-key infrastructure
Unit 3: Authentication. Authentication requirement; authentication function; MAC; hash function; security of hash function and MAC; SHA; HMAC; CMAC; digital signature and authentication protocols; DSS. Slides courtesy
CPSC 467b: Cryptography and Computer Security. Michael J. Fischer, Lecture 1, January 9, 2012. Course Overview: Symmetric Cryptography.
Certificate Based Signature Schemes without Pairings or Random Oracles. Joseph K. Liu, Joonsang Baek, Willy Susilo and Jianying