当前位置:文档之家 › A Trapdoor Permutation Equivalent to Factoring

A Trapdoor Permutation Equivalent to Factoring

  • 格式:pdf
  • 大小:82.38 KB
  • 文档页数:4

下载文档原格式

  / 4

合集下载

第2章香农理论

第2章香农理论

第2章香农理论第2章香农理论1949年,克劳德·香农(Claude Shannon )在《Bell Systems Technical journal 》上发表了一篇题为“Communication Theory of Secrecy System ”(保密系统的通讯理论)的论文,这篇论文对密码学的研究产生了重大影响。

本章我们将讨论部分香农的思想。

2.1 完善保密性首先介绍两种评价密码系统安全性的基本方法。

计算安全性这种度量只关心攻破一个密码系统在计算上所做的努力。

如果用最好的算法攻破一个密码系统也至少需要N 次操作,其中N 是一个非常大的特定数字,我们就可以称这个密码系统是计算安全的。

问题在于,在这个定义下,没有一个已知的密码系统能够被证明是安全的。

在实际应用中,如果攻击一种密码系统的已知最好的方法也需要非常长的计算机时间,人们就称该密码系统是“计算安全的”(当然,这与安全性的证明有很大区别)。

另一种方法是将密码系统的安全性归结为一些研究较为成熟的被认为是不难解的问题,以此提供计算安全性的证据。

比如,人们可以证明这样一个论断:如果给定的整数n 不能被分解,则一个给定的密码系统就是安全的。

这种类型的密码系统有时被称为“可证明安全的”,但必须理解,它只是证明了安全性是和另一个问题相关,并没有完全证明是安全的。

无条件安全性这种度量考虑的是对攻击者Oscar 的计算量没有任何限制时的安全性。

即使提供了无穷的计算资源也无法攻破的密码体制被称为是无条件安全的。

当我们讨论一个密码系统的安全性时,应该指定正在考虑的攻击类型。

在第1章,我们可以看出,一旦给定足够数量的密文,移位密码、代换密码和维吉尼亚密码对惟密文攻击都不是计算上安全的。

本节我们将研究一个对惟密文攻击是无条件安全的密码体制的相关理论。

可以证明,如果用给定的密钥仅仅加密明文中的一个元素,那么上述三种密码体制都是无条件安全的。

很显然,一个密码系统的无条件安全性不能以计算复杂性的观点来研究,因为我们允许计算时间是无限的。

密码学的两大基本变换

密码学的两大基本变换

密码学的两大基本变换
在密码学中,常用的两大基本变换是代换和置换。

1. 代换(Substitution):代换是将明文中的每个字符或者每组字符替换为另一个字符或者字符组成的过程。

代换可以通过使用一个预定义的替换表或者算法来实现。

代换的目的是打乱明文的结构,增加密码的复杂性,使得密文与明文之间的关联不易被发现。

2. 置换(Transposition):置换是通过改变明文中字符或者字符组的位置来进行加密。

置换可以按照一定的规则或者算法进行,例如将明文的字符按照行列进行重新排列,或者采用某种特定的置换模式将明文中的字符重新排列。

置换的目的是改变明文中字符的位置关系,增加密文的随机性和复杂性。

ecc 陷门函数

ecc 陷门函数

ECC陷门函数中的特定函数在密码学领域中,ECC(椭圆曲线密码学)是一种基于椭圆曲线数学理论的公钥加密算法。

ECC陷门函数是一种特殊的函数,用于在ECC加密过程中引入安全漏洞,以便对加密数据进行破解或窃取。

1. ECC陷门函数的定义ECC陷门函数是指在椭圆曲线密码系统中故意引入的具有特殊性质的函数。

这些函数在正常情况下应该是难以计算或无法计算的,但通过合适的密钥或参数,可以使其变得可计算。

这种可计算性质被称为“陷门”。

2. ECC陷门函数的用途ECC陷门函数主要用于密码分析和攻击目的。

它们可以被用来破解加密数据、窃取私钥、篡改数字签名等。

•破解加密数据:通过使用正确的密钥或参数来计算陷门函数,在没有正确密钥或参数时,该计算过程变得非常困难甚至不可能。

•窃取私钥:通过使用特定的密钥或参数来计算陷门函数,并结合其他攻击手段,可以推导出私钥的值。

•篡改数字签名:通过使用特定的密钥或参数来计算陷门函数,可以伪造有效的数字签名,从而破坏认证和完整性。

3. ECC陷门函数的工作方式ECC陷门函数的工作方式取决于具体实现和设计。

下面介绍两种常见的ECC陷门函数:3.1. 可计算离散对数问题(CDLP)在ECC中,离散对数问题是一种基于椭圆曲线上的点运算,其难度决定了该椭圆曲线的安全性。

正常情况下,计算离散对数是一项复杂且耗费大量计算资源的任务。

然而,在引入CDLP陷门函数后,存在一个特殊参数(称为“后门”),使得在知道该参数时可以快速计算出离散对数。

这个后门参数只有攻击者或有权方知道,并且不会在正常使用过程中被泄露。

3.2. 可逆性问题另一种常见的ECC陷门函数是可逆性问题。

在正常情况下,计算该函数是困难甚至不可能的。

但在知道特定密钥或参数时,可以将该函数转化为易于计算的形式。

这种可逆性问题的存在使得攻击者可以在掌握特定密钥或参数的情况下,轻松地计算出陷门函数的结果,从而破解或窃取加密数据。

4. ECC陷门函数的安全性ECC陷门函数在密码学中被广泛讨论和研究。

密码学的演变历史(1)

密码学的演变历史(1)

2013-8-3
Cryptography and Network Security - 2
5/59
密码学基本术语 Terminologies




Cryptology(保密学),源自希腊语(Greek) Kryptós: hidden; logos: word, 是密码学和密码处理过程的研究。 Cryptography: The Science and Study of Secret Writing,密码 编码学 Cryptanalysis: The Science and Study of Secret Breaking,密码 破译学 Cipher: A secret method of writing 加密方法 Encipher (encipherment), encryption: 将明文转换成密文的过程 Decipher (decipherment), decryption: 将密文还原成明文的过程 Plaintext (cleartext): 原始的可读数据,明文 Ciphertext (Cryptogram): 加密后的不可解读之文件,密文 Key: 密钥,对加密与解密过程进行控制的参数 E(m): Encryption Transformation 加密变换 D(c): Decryption Transformation 解密变换
系统应该是实际上安全的(practical secure),截获密文或 已知明文-密文对时,要决定密钥或任意明文在计算上是 不可行的。 加密解密算法适用于密钥空间中的所有元素。 系统易于实现,使用方便。 系统的安全性不依赖于对加密体制或加密算法的保密,而 依赖于密钥。 系统的使用不应使通信网络的效率过分降低。

全国密码学术竞赛单选题

全国密码学术竞赛单选题

全国密码学术竞赛单选题1.希尔密码是由数学家(A)提出来的。

A.Lester HillB.Charles WheatstoneC.Lyon PlayfairD.Blaise de Vigenere2.利用椭圆曲线实现ElGamal 密码体制,设椭圆曲线是E11(1,6),生成元G=(2,7),接收方A的私钥钥nA=7,公钥PA= (7, 2),发送方B 欲发送消息Pm=(10,9),选择随机数k=3,求密文Cm=(C)。

A.{ (2,3), (5, 2) }B. { (3,2), (6, 2) }C.{ (8,3), (10, 2) }D.{ (6,5), (2, 10) }3.最佳放射逼近分析方法是一种(D)的攻击方法A.选择密文攻击B.唯密文攻击C.选择明文攻击D.已知明文攻击4.凯撒密码体制是一种加法密码,现有凯撒密码表,其密钥为k=3,将密文mldrbxnhsx解密后,明文为(C)。

A.jiaoyukepxB.ijaoyukepuC.jiaoyukepuD.aojuyukepu5.1980年Asmuth和Bloom根据(D)提出了(t,n)-门限方案/doc/29941224.html,grange内插多项式B.离散对数问题C.背包问题D.中国剩余定理6.用推广的Euclid 算法求67 mod 119 的逆元(A)。

A.16.0B.32.0C.24.0D.33.07.电子认证服务提供者应当妥善保存与认证相关的信息,信息保存期限至少为电子签名认证证书失效后_____。

(A)A.五年B.十年C.十五年D.二十年8.重合指数法对(C)算法的破解最有效。

A.置换密码B.单表代换密码C.多表代换密码D.序列密码9.字母频率分析法对(A)算法最有效。

A.置换密码B.单表代换密码C.多表代换密码D.序列密码10.RSA算法的安全理论基础是(B)。

A.离散对数难题B.整数分解难题C.背包难题D.代换和置换。

3. number theory_20169161360385

3. number theory_20169161360385

10
RSA Cryptography
N = 4559, d = 3397

2853 0116 1478 2150 3906 4256 1445 2462
11
RSA Cryptography
N = 4559, d = 3397

2853 0116 1478 2150 3906 4256 1445 2462 28533397 mod 4559, 01163397 mod 4559, …
Discrete Mathematics and Its Application
Number Theory
RSA Cryptography
Most internet shopping sites offer a “secure connection” option that allows shoppers to disclose personal information such as credit card, address, etc. without fear that a snoop on the communication will be able to tell what‟s happening:
20
Divides, Factor, Multiple

Let a,bZ with a0.
Defn.: a|b “a divides b” : ( cZ: b=ac) “There is an integer c such that c times a equals b.”


Example: 312 True, but 37 False.


To specify when an integer evenly divides another integer Read as “3 divides 12”

量子信息物理学:量子信息处理


1 0
,
σ2
=
0i
−0i
,
σ3
=
1 0
−01
σ1 =| 0〉〈1| + |1〉〈0 | σ 2 = −i | 0〉〈1| +i |1〉〈0 |
|
0
〉〈
0
|
=
1 0
0 0
=
1 2
(I

3
)
|
1
〉〈
1
|
=
0 0
10
=
1 2
(I
−σ3)
|
0〉〈
1
|
=
0 0
10
=
1 2
(σ 1
+

2
)
|
1〉〈0
|
=
0 1
Trace操作
对于混合态
意味着对于各种量子态的测量输出总的概率为1
Trace操作性质
矩阵对角元求和
a00 a01 a02
Tr
a10
a11
a12
=
a00
+
a11
+
a22
a20 a21 a22
特性 Tr[xA + yB] = xTr[A]+ yTr[B] Tr[AB] = Tr[BA]
Tr[ ABC] = Tr[CAB]
可分离态
量子纠缠
LOCC操作 “local operations and classical communication” 局域操作: unitary dynamic actions, measurements, and all other local manipulations 经典通信: exchange information via classical communication

加扰算法原理

加扰算法原理加扰算法原理是一种用于数据保护的加密算法。

加扰算法通过对原始数据进行转换和混淆,使其变得不可读,从而保护数据的机密性和完整性。

加扰算法的原理基于数学运算和逻辑操作。

其核心思想是将待加密的数据与密钥进行混合,通过一系列的算法操作,产生加密的输出结果。

只有拥有正确的密钥,才能对加密数据进行解密还原,否则无法获取原始数据的内容。

加扰算法通常涉及到以下几个重要的组成部分:1. 初始置换(Initial Permutation):将待加密的数据按照特定规则重新排列,以增加数据的随机性和复杂性。

2. 子密钥生成(Subkey Generation):根据密钥生成一系列的子密钥,用于在加密和解密过程中进行特定的运算。

3. 轮函数(Round Function):使用子密钥对数据进行一系列的运算和变换,包括置换、替代、混淆等,以增加算法的复杂度和安全性。

4. 轮密钥加(Round Key Addition):将生成的子密钥与数据进行逐比特的异或运算,进一步增加数据的混淆性。

5. 最终置换(Final Permutation):对加密完成的数据进行最终的排列和调整,以保证解密后的数据与原始数据一致。

通过上述步骤的组合和迭代,加扰算法可以实现较高强度的数据保护,从而用于保护重要的隐私数据和敏感信息。

不同的加扰算法具有不同的设计思路和特点,常见的加扰算法包括DES、AES等。

需要注意的是,加扰算法虽然可以提供一定程度的数据保护,但并不能完全防止被破解或攻击。

为了进一步提高数据的安全性,还需要配合安全的密钥管理和其他安全措施,以建立更为完善的数据保护体系。

密码学陷门函数

密码学陷门函数密码学陷门函数(cryptographic trapdoor function)是一种特殊的密码学函数,它可以在正常情况下很容易计算,但是逆向计算则相当困难。

陷门函数在密码学中起到了重要的作用,用于构建各种加密算法和协议。

陷门函数通常是基于数学难题的,例如大素数因子分解、离散对数问题、椭圆曲线离散对数等。

这些数学问题在正常情况下难以解决,需要耗费大量的计算资源和时间。

通过将这些数学问题巧妙地转化为陷门函数,可以在计算上轻松地进行加密和解密操作。

例如,RSA加密算法就是基于大素数分解问题的陷门函数。

该算法的公钥由两个大素数的乘积组成,私钥则由两个大素数和一些其他参数组成。

加密操作只需要用公钥对消息进行加密,而解密操作则需要使用私钥对密文进行解密。

通过充分利用大素数分解的困难性,RSA算法能够提供高度的安全性。

另一个常见的陷门函数是离散对数问题。

离散对数问题是在有限域上求解指数运算的反函数的问题,即给定g、h和p,求解x的值,使得g^x ≡ h (mod p)。

目前没有已知的高效算法能够在多项式时间内解决离散对数问题,因此可以将其作为陷门函数来构建各种加密算法。

除了上述问题,椭圆曲线密码学也是一种常用的陷门函数。

椭圆曲线密码学利用了椭圆曲线上的点运算的困难性来构建加密算法和数字签名算法。

椭圆曲线上的加法和乘法运算需要使用复杂的数学运算,因此可以将其作为陷门函数来构建安全的密码系统。

陷门函数在密码学中起到了至关重要的作用。

它们不仅可以用于加密和解密操作,还可以用于数字签名、密钥交换和零知识证明等各种密码学协议。

在设计密码系统时,选择合适的陷门函数是至关重要的,需要考虑到数学问题的难度、计算复杂性、安全性等多个因素。

总结起来,密码学陷门函数是一种特殊的密码学函数,可以在正常情况下容易计算,但逆向计算却非常困难。

它们通常基于数学难题,如大素数分解、离散对数问题和椭圆曲线离散对数等。

陷门函数在密码学中起着至关重要的作用,被广泛应用于加密算法、数字签名、密钥交换和零知识证明等领域。

对称加密算法_AES英文版2

Symmetric-key Cryptography of AESLixinShanghai University of Electric Power School of computer science and technology, Shanghai Pudong New Area1543101883@Symmetric-key algorithms are a class of algorithms for cryptography that use the same cryptographic keys for both encryption of plaintext and decryption of ciphertext. The keys may be identical or there may be a simple transformation to go between the two keys. The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. This requirement that both parties have access to the secret key is one of the main drawbacks of symmetric key encryption, in comparison to public-key encryption.2, the advanced encryption algorithm AES[2]Advanced Encryption Standard (Advanced Encryption Standard, AES), in cryptography is also called Rijndael encryption method, is the United States federal government adopted a block encryption standard. This standard is used to replace the original DES, have been various analysis and widely used all over the world. After five years of the selection process, the advanced encryption standard by the United States National Institute of standards and Technology (NIST) released in November 26, 2001 in FIPS PUB 197, and in May 26, 2002 of become effective standard. On 2006, the advanced encryption standard has become the most popular symmetric key encryption algorithm. The algorithm for the Belgian cryptographer Joan Daemen and Vincent Rijmen designed, combining the two author's name, the name to Rijndael, contributors to the advanced encryption standard selection process.(Rijndael "Rhine Doll" pronunciation.).2.1 introduction to AlgorithmsAlthough AES still has different view, but on the whole, AES as a new generation of data encryption standard convergence of strong security, high performance, high efficiency, ease of use and flexibility. AES is designed with three key length: 128192256 bits, in relative terms, 128 of AES than DES key 56 key 1021 times.2.2 algorithm principle and process[3]Clear data packet length for 128 or 16 bytes, key length can be 16,24, or 32 bytes (128192 or 256).According to the length of the key, the algorithm referred to as AES-128, AES-192, AES-256.The password by N wheel, wherein the wheel based on the key length: 16 bytes 24 bytes 10 round key is a key corresponding to the 12 round, 14 round, 32 byte keys.The last round only contains three transform, in the first round in front of an initial single transform (add round key), can be seen as 0 wheel.Clear data packet length for 128 or 16 bytes, key length can be 16,24, or 32 bytes(128192 or 256).According to the length of the key, the algorithm referred to as AES-128, AES-192, AES-256.The password by N wheel, wherein the wheel based on the key length: 16 bytes 24 bytes 10 round key is a key corresponding to the 12 round, 14 round, 32 byte keys.The last round only contains three transform, in the first round in front of an initial single transform (add round key), can be seen as 0 wheel.(1) it is not a Feistel structure.The structure of Feistel is a block cipher, generally divided into one of 64 groups, one group of left and right part, general for the 16 iterations, each iteration after the exchange of left and right position, can conduct their own design: packet size key length round number sub key generation wheel function(2) the input key is extended by 44 32 bit words consisting of an array of w[i].(3) consists of 4 distinct phases, including a replacement and three place:Bytes instead of (SubBytes): S box with a completion packet bytes into bytes instead of.Line shift (ShiftRows): a simple replacement.Column (MixColumns): confusion with domain GF (28) of the arithmetical properties of a place.Add round key (AddRoundKey): current packet and extended key part is the bitwise XOR.(4) the algorithm structure is simple.On encryption and decryption operations, the algorithm consists of add round key start, followed by 9 rounds of iterations, each round contains all 4 phases instead, followed by a tenth round of three stages.(5) only add round key stages using a secret key.(6) add round key is XOR, the other three stages to provide diffusion and confusion, nonlinear function, this method is very effective and very safe.(7) for each phase are inverse.(8) the decryption algorithm in the reverse mode using the extended key.But the AES decryption and encryption algorithms are not the same.(9) when all four phase inversion, it is easy to prove that the decryption function can recover the original plaintext.(10) the process of encryption and decryption of the last round only contains three stages.1, bytes instead of transformationSimple table lookup operation.AES defines a S box, which is a 16X16 byte matrix, contains 8 bits can represent the number 256 a replacement. Bytes: S box mapping: the 4 bytes of high as row value, low 4 bits for the column value, to these ranks value as index from S box position corresponding to the removed elements as output. For example, sixteen hexadecimal number {95} corresponding to the S box of 9 rows and 5 columns in the S box, the value of {2A}, so {95} is substituted for the {2A}.Inverse S box with a similar, backstepping .2, the row shift transform4X4 state first row of matrix unchanged, second rows of circular shift left one byte,third left circular shift of two bytes, fourth rows of three byte circular shift to left.3, the column obfuscationEach column of each byte is mapped to a new value, this value is 4 bytes in the column by function transformation.4, add round key transformationIn the add round key transformation, 128 state matrix according to a 128 position with the round key XOR. Reverse round key with transform and positive add round key transform, because the XOR operation is its own inverse.5, the key expansionInput key directly copied to the array of the first extended key words. Then, each with four characters to fill the remainder of the extended key array. In the extended key array, each new word w[i] relies on the w[i-1] and w[i-4].In four cases, three using the xor. On the w array subscript is multiple of 4 element uses a more complex functions to calculate the.The G function:1, word cycle function is to make one word in 4 byte shift left one byte, the input word is [B0, B1, B2, B3] transform into [B1, B2, B3, B0].2, word instead of the S box to the input word in each byte instead.3, the results with round or different constant Rcon[j].Wheel constant:Wheel constant is a word, the word to the right of three bytes for a total of 0.Thus the words and Rcon dissimilarity or, only with the word the left byte or different. Each round of the round constants are different, the definition for the Rcon[j]= (RC[j], 0,0,0), whereRC[1]=1, RC[j]=2, RC[j-1].The value of RC[j] to sixteen hexadecimal representation for:Equivalent inverse cipherAES encryption algorithm and encryption algorithm is different. In spite of encryption and decryption key expansion of the form is the same, but in the decryption transform in different order.Two improvements to enable decryption algorithm structure and algorithm structure of the same. In the encryption process, the wheel structure for bytes instead, shift rows, columns of confusion, add round key. In the standard in the decryption process, the wheel structure for retrograde transposition, Inverse Substitute Bytes, add round key column, reverse confusion. Therefore, in deciphering round in the first two stages should be exchanged, after the two stages also need to exchange.Reverse line shift effect in state byte order, but not change the byte content, also do not depend on the byte content to its transformation. Reverse bytes instead of state byte content, but do not change the byte order also do not depend on the byte sequence to its transformation. Therefore, the two operation can exchange. For a given state S: Reverse migration [reverse bytes instead of (S)] = reverse bytes instead of [reversemigration (S)]Add round key and reverse column confusion does not change the state byte order. If we take the key as a word sequence, then add round key and reverse column confused every time on the state column operation. The two operation on the column input is linear. For a given state of S and given wheel key W:Reverse column (S W confusion) =[reverse column confusion (S)] [column reverse confusion (W)]Note:(1) for calculating the round key is used in the reverse column obfuscating transformations, can use the corresponding reverse column transform algorithm instead of the four array, which can save the space of 4K.And, due to the reverse column transform in the AES implementation in the round key generation using, for the algorithm not to add / solution performance impact.(2) wheel constant cycle of 51 (from before 52 generation wheel constant known), and the AES algorithm with a maximum before the 14 round constants.2.4 Algorithm and ApplicationRijndael algorithm is flexible, simple, against multiple cipher analysis advantages, its goal is to develop into can be safely used for commercial, political and military encryption algorithm. In addition, the AES algorithm for hardware implementation of speed is about 3 times the software implementation, it is to realize with hardware encryption provides a very good opportunity. With the rapid development of network technology, network data encryption requirements increasing, the application of AES in a first embodiment of network information safety in the field.The application of the wireless networkAs wireless communication channel than the wired network is more open, the security requirements of higher. In order to guarantee the security of the data transfer, some wireless networks using AES. For example, ZigBee technology, to ensure that the MAC frame integrality, confidentiality, authenticity and consistency, the MAC layer is encrypted using the AES algorithm, and generates a series of security mechanism.Application of electronic commerceIn respect of electronic business affairs , mainly AES in e-commerce platform of cryptographic protocols and transaction security protocol. For example, the application of AES in SSL (Secure Sockets Layer secure socket layer) protocol. Through the AES encrypted data and transmits to each other. The receiver can use the AES key to get specific real-time data. The typical research include: AES and RSA hybrid encryption system using the NTRU public key cipher system; distribution of AES key; AES and ECC (elliptic curve cryptography) combination of encryption system.Application of AES softwareIn AES software, the application field of contains voice, video information encryption, data encryption. Nowadays multimedia information encryption problems highlighted. Because the multimedia information data is very big, directly to its encryption efficiency is low. So, we should consider not only the data encryption algorithm using AES method, and corresponding design on multimedia information encryption process. About AES in the application database, mainly in how data input, output in generation, distribution andmanagement of the key data encryption and security strategy.AES Hardware ApplicationIn AES hardware implementation, the main direction of RF IC card data security, smart card and hard disk data encryption etc. The RF IC card application scope is very broad, such as bus IC card, campus card.Reference[1] Internet Baidu Encyclopedia /view/7591.htm.2012/12/5.[2] John Savard's description of the AES algorithm/crypto/co040401.htm.2012/12/5.[3] [the]William Stallins; King Zhang Yi Yang Min Du Ruiying Deng, cryptography and network security P105-127.[4]E.Biham,A.Shamir.Differential cryptanalysis of DES-like cryptosystems[J].Journal of Cryptology,1 991,4(1):3—72.[5] E.Biham,A.Shamir.Defferential fault analysis of secret key cryptosytems[A].In:Advances in Cryptology·CRYPTO’97[C].Lecture Notes in ComputerScience 1294,Berlin:Springer-Verlag,1 997:5 1 3-525.[6] M.Mitsuru.Linear cryptanalysis method for DES cipher[A].In:Advances inCryptology—EUROCRYPT’93[C].Lecture Notes in Computer Science 765,Berlin:Springer-Verlag,1 994:386-397.[7] J.-S.Coron,P Kocher,D.Naccache.Statistics and secret leakage[A].YFrankel(Ed).In:Financial Cryptography-FC 2000,LNCS[C].LNCS 1 962,Berlin:Springer-Verlag,200 1:1 57~1 73.[8] Wen Congjian computer science and technology AES differential - algebraic attack on 2009:16 ~ 22.。

  1. 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
  2. 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
  3. 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。

ATrapdoorPermutationEquivalenttoFactoring[PublishedinH.ImaiandY.Zheng,Eds.,Public-KeyCryptography,vol.1560ofLectureNotesinComputerScience,pp.219–222,Springer-Verlag,1999.]

PascalPaillier1,21GemplusCardInternational,CryptographyDepartment

34rueGuynemer,92447Issy-les-Moulineaux,Francepascal.paillier@gemplus.com2ENST,ComputerScienceDepartment

46rueBarrault,75634ParisCedex13paillier@inf.enst.fr

Abstract.InEurocrypt’98[1],Okamotoetal.exhibitedanewtrapdoorfunctionbasedontheuseofaspecialmoduli(p2q)allowingeasydiscretelogarithmcomputations.Theauthorsprovedthatthescheme’sresistancetochosen-plaintextattacksisequivalenttofactoringn.Unfortunately,theproposedschemesuffersfromnotbeingapermutation(theexpansionrateis∼=3),andhencecannotbeusedforpublic-keysignatures.

Inthispaper,weshowhowtorefinethefunctionintoatrapdoorper-mutationthatcanbeusedforsignatures.Interestingly,ourvariantstillremainsequivalenttofactoringandseemstobethesecondknowntrap-doorpermutation(Rabin-Williams’scheme[3]beingthefirst)provablyassecureasaprimitiveproblem.

1TheOkamoto-UchiyamaCryptosystemInEurocrypt’98,OkamotoandUchiyamaproposedanewpublic-keycryptosys-tembasedontheabilityofcomputingdiscretelogarithmsinaparticularsub-group.Namely,ifpisalargeprimeandγp⊂Z∗p2is

γp={xthenγphasagroupstructurewithrespecttothemultiplicationmodulop2and󰀖γp=p.Thefunctionlog(.):γp−→Zpwhichassociates(x−1)/ptoxisclearlywell-definedonγpandpresentsinterestinghomomorphicproperties.Inparticular,

∀x,y∈γplog(xymodp2)=log(x)+log(y)modpwhereby,asastraightforwardgeneralization,∀g∈γp,m∈Zplog(gmmodp2)=mlog(g)modp.2PascalPaillierKeySetup.Generatetwok-bitprimespandq(typically3k=1023)andsetn=p2q.Randomlyselectandpublishanumberg

gp=gp−1modp2isoforderpinZ∗p2andkeepgpsecret(notethatgp∈γp).Similarly,chooseg󰀃

h=g󰀃nmodn.Thetriple(n,g,h)formsthepublickey.Thesecretkeyis(p,q).Encryption.Pickrmby:c=gmhrmodn.

Decryption.Proceedasfollows:1.c󰀃=cp−1modp2=gm(p−1)g󰀃nr(p−1)=gmpmodp2,2.m=log(c󰀃)log(gp)−1modp.

Wereferthereaderto[1]forathoroughdescriptionofthescheme.Althoughprovablyequivalenttofactoring[5]asfaraschosen-plaintextattacksarecon-cerned,theschemesuffersfromthefactthatciphertextsareaboutthreetimeslongerthanplaintexts.Asaresult,itisimpossibletouse[1]’strapdoorasasignaturescheme.

Thenextsectionshowshowtoextendtheschemetoatrapdoorpermutation[4]overZ∗n.Interestingly,thesecurityanalysispresentedinsection3showsthatthenewencryptionfunctionisstillassecureasfactoring.

2TheNewTrapdoorFunctionUsingthesamenotationsasbefore,letthemessagebe3k−2-bitlonganddefinem=m1||m2wherem1<2k−1,m2<22k−1and||standsforconcatenation.Theencryptionprocedureisasfollows.

Encryption.Splitmintom1andm2andencryptby:

c=gm1mn2modn.Thispresentsanexpensionrateof:

ρ=log()2n3k,ATrapdoorPermutationEquivalenttoFactoring3whichisverycloseto1forcommonvaluesofk.Decryption.Computec󰀃=cp−1modp2=gm1pmodp2,andm1=log(c󰀃)log(gp)−1modp,

asin[1]and1.deducemn2modpq=g−m1cmodpq2.obtainm2modpq=(mn2modpq)n−1mod(p−1)(q−1)modpq3.concludebym=m1||m2.

3EquivalencetoFactoringInthissection,weprovetheone-waynessofourencryptionfunctionunderthefactoringassumption:

Theorem1.Invertingthenewencryptionfunctionisequivalenttofactoringn.Proof(Sketch).AssumingthatthereexistsaprobabilisticpolynomialtimeTur-ingmachineMwhichdecryptsciphertextsforagiven(n,g)withanon-negligibleprobability,wetransformMintoaPPTmachineM󰀃thatfactorsnwithnon-negligibleprobability.Wedirectlyre-usetheproofargumentsfromTheorem6of[1]forshowingthestatisticalclosenessofdistributionsofciphertexts.FeedingMwithgzmodnforrandom(k+1)-bitnumbersz,weneedasinglecorrectanswerm=m1||m2torecoveranontrivialfactorofnbygcd(z−m1,n).󰀍󰀌

Alternatively,theencryptionanddecryptionfunctionscanbeusedfordigitalsignaturesaswell.Toachievethis,asignercomputesthesignatures=s1||s2ofthemessagemsuchthat

gs1sn2=h(m)modn,wherehisacollision-freeone-wayhashfunction.Notehoweverthatsinces1∈Zp

ands2∈Z∗pq,someinformationaboutpandqwillleakoutateachsignature.

Namely,collectingNsignatures(ofarbitrarymessages)willallowanattackertorecoverO(log(N))bitsofp.Wethereforerecommandtoregularlyre-generatethescheme’sparameters,possiblyaccordingtoaninternalcounter.Itisworthwhilenoticingthatourschemepresentsunderlyinghomomorphicpropertieswhichcouldbeusefulfordesigningdistributedcryptographicproto-cols(multi-signatures,secretsharing,thresholdcryptographyandsoforth).

4FurtherResearchOkamoto-Uchiyama’strapdoortechniqueisinherentlynewinthesensethatitprofoundlydiffersfromRSAandDiffie-Hellman.Itmakesnodoubtthatthistechniquecouldbedeclinedinvariouswaysfordesigningnewpublic-keycryp-tosystemsinnearfuture.