6.12.2001 ICISC 2001 1 An IND-CCA2 Public-Key Cryptosystem with Fast Decryption using Quadratic Fields - NICE-X Cryptosystem - Dr. Tsuyoshi Takagi Darmstadt University of Technology (joint work with Prof. Buchmann and Prof. Sakurai)


Page 1: Dr. Tsuyoshi Takagi Darmstadt University of Technology

6.12.2001 ICISC 2001 1

An IND-CCA2 Public-Key Cryptosystem with Fast Decryption using Quadratic Fields

- NICE-X Cryptosystem -

Dr. Tsuyoshi Takagi

Darmstadt University of Technology

(joint work with Prof. Buchmann and Prof. Sakurai)

Page 2: Dr. Tsuyoshi Takagi Darmstadt University of Technology


RSA Cryptosystem ’78

de facto standard of public-key cryptosystems

p, q: primes, $n = pq$, $L = \mathrm{LCM}(p-1, q-1)$, $ed \equiv 1 \bmod L$

e, n: public key, d: secret key, (factoring, n: 1024 bits)

M: message, $M \in \{0,1,2,\ldots,n-1\}$.

Encryption: $C \equiv M^e \bmod n$

e: small ($2^{16}+1$), FAST.

Decryption: $M \equiv C^d \bmod n$

d: large ($d > n^{1/2}$), SLOW, cubic complexity, $O((\log n)^3)$.

Page 3: Dr. Tsuyoshi Takagi Darmstadt University of Technology


Fast decryption is desired

For the sake of high security, a secret key is stored on a smart card (tamper-free) and the decryption computation is carried out on it.

A special coprocessor is required for computing the decryption function on a smart card, which is very expensive.

Currently no public-key cryptosystems are used in large-scale markets, such as cash cards or SIM cards for mobile phones.

Page 4: Dr. Tsuyoshi Takagi Darmstadt University of Technology


NICE cryptosystem (Paulus,Takagi’00)

| | 1024 bits | 1536 bits | 2048 bits |
|---|---|---|---|
| RSA encryption | 1.1 ms | 3.2 ms | 4.3 ms |
| RSA decryption | 118.6 ms | 370.6 ms | 798.5 ms |
| RSA (CRT) | 36.4 ms | 111.5 ms | 235.2 ms |
| NICE encryption | 962.0 ms | 2654.7 ms | 5661.0 ms |
| NICE decryption | 1.7 ms | 2.9 ms | 4.3 ms |

Average on 100 random keys, Celeron 500 MHz, LiDIA library, $e = 2^{16}+1$.

• NICE cryptosystem is constructed over class groups of quadratic discriminants Cl(D).

• The security of NICE is based on factoring problems.

• Decryption time is of quadratic complexity $O((\log D)^2)$.

The decryption time is fast even for large keys.

Page 5: Dr. Tsuyoshi Takagi Darmstadt University of Technology


Efficiency of quadratic complexity

[Figure: decryption time in ms (axis 0 to 800) against key size in bits (1024, 1280, 1536, 1712, 2048) for RSA, RSA(CRT) and NICE]

The decryption of NICE is fast even for large keys: 1.7 ms for 1024-bit public-keys, 4.3 ms for 2048-bit public-keys.

NICE: quadratic complexity $O((\log D)^2)$

RSA: cubic complexity $O((\log n)^3)$

Page 6: Dr. Tsuyoshi Takagi Darmstadt University of Technology


Key generation

Cl(D): the class group of quadratic discriminant D. An element of Cl(D) is represented by two integers (a,b), where $b^2 \equiv D \bmod 4a$, $0 < a < (|D|/3)^{1/2}$.

GoToMaxOrder: Cl(D) ⇒ Cl(-p), Inverse: Cl(-p) ⇒ Cl(D).

[Diagram: Cl(D), public, and Cl(-p), secret, connected by GoToMaxOrder and Inverse; labels (a,b), (A,B), (a’,b’), P, (1,1)]

Secret keys: p, q (p, q: primes)

Public keys: (1) discriminant $D = -pq^2$, (2) kernel element P ∈ Ker(GoToMaxOrder)

Ker(GoToMaxOrder) is cyclic, #Ker(GoToMaxOrder) = q±1

$P^r$, r ∈ {0,1,..,q}, is random in Ker

Page 7: Dr. Tsuyoshi Takagi Darmstadt University of Technology


Encryption and Decryption

Encryption: (1) M: message ideal ∈ Cl(D) with M = (a,b), $a < (p/4)^{1/2}$, (2) r: random integer ∈ {0,1,2,…,q-1}, (3) $C = M P^r$ ∈ Cl(D).

Decryption: (1) K = GoToMaxOrder(C), (2) M = Inverse(K).

(1) GoToMaxOrder(C) = GoToMaxOrder($M P^r$) = GoToMaxOrder(M) GoToMaxOrder($P^r$) = GoToMaxOrder(M)

(2) Inverse(GoToMaxOrder(M)) = M for M = (a,b), $a < (p/4)^{1/2}$

[Diagram: Encryption takes M to $C = M P^r$ in Cl(D); Decryption takes C to K in Cl(-p) and back to M; label $(p/4)^{1/2}$]

Page 8: Dr. Tsuyoshi Takagi Darmstadt University of Technology


Why quadratic complexity $O((\log D)^2)$?

Decryption = GoToMaxOrder + Inverse

GoToMaxOrder: Input: (a,b) of Cl(D), Output: (A,B) of Cl(-p)
  1. A = a;
  2. x ≡ 1/q mod a;
  3. B ≡ x b mod 2a;
  4. (A,B) = Reduction (A,B)
  5. Return (A,B)

Inverse: Input: (A,B) of Cl(-p), Output: (a,b) of Cl(D)
  1. a = A;
  2. b ≡ Bq mod 2a;
  3. Return (a,b)

Reduction: Input: primitive ideal (a,b), discriminant D. Output: reduced ideal (a,b)
  1. c = (D-b^2)/4a;
  2. While not ((-a < b ≤ a < c) or (0 ≤ b ≤ a = c)) do
     2.1 find s,t such that -a ≤ t = b+2sa < a;
     2.2 (a,b,c) = (c-s(b+t)/2, t, a);
  3. If a = c and b < 0 then b = -b;
  4. Return (a,b)

Modular inverse: $O((\log D)^2)$

Modular multiplication: $O((\log D)^2)$

Reduction: $O((\log D)^2)$ by [BB98].
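The key generation, encryption and decryption steps of the last three slides, as an added example (not code from the slides or from the NICE authors): a toy Python version on constructed parameters p = 1019, q = 23, with encryption fixed to r = 1 so that only the coprime case of form composition is needed. The helper names, the textbook reduction loop, and the choice between the two lifts of B (x is only defined mod a) are assumptions of this sketch.

```python
# Toy NICE on forms (a, b), c = (b*b - disc) / (4a). Constructed parameters,
# far too small for real use; helper names are this example's own.
p, q = 1019, 23            # secret primes: p ≡ 3 (mod 4), q > sqrt(p/3)
D = -p * q * q             # public discriminant D = -p*q^2

def reduce_form(a, b, disc):
    """Textbook reduction of a positive definite form of discriminant disc."""
    while True:
        b %= 2 * a
        if b > a:
            b -= 2 * a                     # normalise to -a < b <= a
        c = (b * b - disc) // (4 * a)
        if a > c or (a == c and b < 0):
            a, b = c, -b                   # swap and retry
        else:
            return a, b

def go_to_max_order(a, b):
    """Cl(D) -> Cl(-p); uses the secret p and q."""
    x = pow(q, -1, a)                      # x ≡ 1/q mod a
    B = (x * b) % (2 * a)
    if (B * B + p) % (4 * a):              # x is only fixed mod a, so take the
        B += a                             # lift of B with B^2 ≡ -p (mod 4a)
    return reduce_form(a, B, -p)

def inverse(A, B):
    """Cl(-p) -> Cl(D) for a form with gcd(A, q) = 1."""
    return A, (B * q) % (2 * A)

def compose_coprime(f, g):
    """Product in Cl(D); assumes gcd of the two first entries is 1."""
    (a1, b1), (a2, b2) = f, g
    k = (b2 - b1) // 2 * pow(a1, -1, a2) % a2
    return reduce_form(a1 * a2, b1 + 2 * a1 * k, D)

def kernel_element(b0):
    """Key generation: lift the principal form ((b0^2+p)/4, b0) into Cl(D)."""
    return reduce_form(*inverse((b0 * b0 + p) // 4, b0), D)

def decrypt(C):
    a, b = inverse(*go_to_max_order(*C))
    return (a, b) if b <= a else (a, b - 2 * a)

P = kernel_element(5)                      # public kernel element
M = (5, 3)                                 # message form, 5 < sqrt(p/4)
C = compose_coprime(M, P)                  # ciphertext C = M * P^r with r = 1
print(P, go_to_max_order(*P), C, decrypt(C))
```

For M = (5,3) the shorthand x·b mod 2a gives 6, which fails B² ≡ -p mod 4a; the other lift, 11, reduces to (5,1), which is why the sketch checks both candidates.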

Page 9: Dr. Tsuyoshi Takagi Darmstadt University of Technology


Number-theoretic problems

(1) QFDLP: quadratic field discrete logarithm problem - for G, A ∈ Cl(D), solving discrete logarithm x s.t. $G^x = A$.

(2) FP: factoring $D = -pq^2$.

(3) SKEP: the smallest kernel-equivalent problem - for A ∈ Cl(D), computing the ideal I s.t. N(I) is the smallest, GoToMaxOrder(A) = GoToMaxOrder(I).

(4) DKP: decisional kernel problem

Theorem: QFDLP => FP => SKEP => DKP

Page 10: Dr. Tsuyoshi Takagi Darmstadt University of Technology

Security Results for NICE

[Diagram: One-wayness Adversary; labels: e: public key, E(m): ciphertexts, m: the messages, (d: secret key)]

(1) The one-wayness of NICE cryptosystem is as hard as solving the SKEP

(2) The semantic security of the NICE cryptosystem is as hard as solving the DKP

Page 11: Dr. Tsuyoshi Takagi Darmstadt University of Technology


Semantically Secure

(1) Algorithm $A_1$, on input pk, finds two messages $m_0$, $m_1$ (find stage).

(2) Algorithm $A_2$, on input $m_0$, $m_1$, $c = E(m_b)$, guesses b (guess stage).

[Diagram: $A_1$ and $A_2$; labels: e: public key, $m_0$: message, $m_1$: message, random encryption $c = E(m_b)$, ciphertext of $m_0$ or $m_1$, b]

Page 12: Dr. Tsuyoshi Takagi Darmstadt University of Technology


Chosen Ciphertext Attack

In 1999, Jaulmes and Joux proposed a CCA against NICE.

[Diagram: Decryption oracle; labels: ciphertext C, Decryption of C, p,q]

Fact: Ideal I s.t. $N(I) < |D|^{1/2}$ is reduced or reduced after one reduction.

(1) Choose two ideals $A_1$, $A_2$ s.t. $2^{(k-2)/2} < N(A_i) < 2^{(k-1)/2}$, where k is the bit-length of p.

(2) Ask the ideal $A_i$ to the decryption oracle, and obtain ideal $B_i$ for i = 1,2. Let $A_1 = (a_1,b_1)$, $A_2 = (a_2,b_2)$, $B_1 = (c_1,d_1)$, $B_2 = (c_2,d_2)$, then we have relations: $c_1 = (x_1^2 + p)/4$ and $c_2 = (x_2^2 + p)/4$, where $x_1$, $x_2$ are unknown.

(3) Solve $(x_2 - x_1)(x_2 + x_1) = 4(c_2 - c_1)$, and find p.

Page 13: Dr. Tsuyoshi Takagi Darmstadt University of Technology


NICE-X Cryptosystem

(1)The NICE-X cryptosystem is Semantically Secure against Chosen Ciphertext Attack (IND-CCA2) in the random oracle model under the SKEP.

(2)The NICE-X cryptosystem inherits the fast decryption. - Its overhead from NICE is only the computation of hash functions.

Page 14: Dr. Tsuyoshi Takagi Darmstadt University of Technology


NICE-X Cryptosystem

Hash functions, g: Ker → $\{0,1\}^{k_1}$, h: $\{0,1\}^{k_1}$ × Ker → $\{0,1\}^{k_2}$.

Encryption: R: random ideal ∈ Cl(D) with R = (a,b), R ∈ SI(D), Q: random ideal ∈ Kernel(D), C = RQ, B = m xor g(Q), H = h(m,Q). (C,B,H) is the ciphertext of a message m ∈ $\{0,1\}^{k_1}$.

Decryption: R = Inverse(GoToMaxOrder(C)), Check R ∈ SI(D), Q = $C R^{-1}$, m = B xor g(Q), Check H = h(m,Q), if not reject.

Semantically Secure against Chosen Ciphertext Attack (IND-CCA2)

Page 15: Dr. Tsuyoshi Takagi Darmstadt University of Technology


Encryption of NICE-X

[Diagram: encryption data flow; inputs: random Q in Kernel(D), message m, random R in SI(D); labels: g(Q), +, h(m,Q), C=RQ]

C = RQ, B = m + g(Q), H = h(m,Q)

D: public key (quadratic discriminant)

SI(D), Kernel(D): special subsets of class group Cl(D)

g, h: one-way hash functions

SKEP = to compute R,Q for a given C.

Page 16: Dr. Tsuyoshi Takagi Darmstadt University of Technology


Decryption of NICE-X

[Diagram: decryption data flow; labels: C, B, H, secret key, R, Q, g(Q), +, h(m,Q), message m]

Ciphertext (C,B,H) = (RQ, m+g(Q), h(m,Q))

H’ = h(m,Q)

Check R in SI(D). If not, Reject.

Check H’ = H. If not, Reject.

Page 17: Dr. Tsuyoshi Takagi Darmstadt University of Technology


NICE-X is IND-CCA2 under SKEP

Let A be a CCA adversary of the NICE-X cryptosystem with advantage ε, with time t, $q_G$ queries to the hash function G, $q_H$ queries to the hash function H, $q_D$ queries to the decryption oracle D. Then there is an algorithm for solving SKEP with at least $(\varepsilon/2)(1 - q_D/2^{k_2})$, time at most $t + (q_H + q_G)k + (q_H + q_G) T_E$, where $T_E$ is the encryption time of the NICE-X cryptosystem, in the random oracle model.

Point: we can check that Q is the random mask of C by $N(CQ^{-1}) < 2^{k/2}$.

Page 18: Dr. Tsuyoshi Takagi Darmstadt University of Technology


References

(1) S. Paulus, T. Takagi, “A New Public-key Cryptosystem over the Quadratic Order with Quadratic Decryption Time”, Journal of Cryptology, 13, pp.263-272, 2000.

(2) M. Hartmann, S. Paulus, T. Takagi, “NICE - New Ideal Coset Encryption -”, Workshop on Cryptographic Hardware and Embedded Systems (CHES), LNCS 1717, pp. 328-339, 1999.

(3) J. Buchmann, K. Sakurai, T. Takagi, “An IND-CCA2 Public-Key Cryptosystem with Fast Decryption”, 4th International Conference on Information Security and Cryptology, ICISC'01, LNCS 2288, pp.51-71, 2002.

You can download them from the following homepage: http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/ttakagi.html