Original paper: http://link.springer.com/10.1007/3-540-48910-X_16

This paper studies a new computational problem, the Composite Residuosity Class Problem, and its applications to public-key cryptography. We propose a new trapdoor mechanism and derive three encryption schemes from it: a trapdoor permutation and two homomorphic probabilistic encryption schemes whose cost is computationally comparable to RSA. Our cryptosystems rely on usual modular arithmetic and are provably secure under appropriate assumptions in the standard model.
Let $n = pq$, where $p$ and $q$ are large primes. As usual, $\phi(n)$ denotes Euler's totient function and $\lambda(n)$ the Carmichael function; in the present case $\phi(n) = (p-1)(q-1)$ and $\lambda(n) = \mathrm{lcm}(p-1, q-1)$. Moreover $\left|\mathbb{Z}_{n^2}^*\right| = \phi(n^2) = n\phi(n)$. For any $w \in \mathbb{Z}_{n^2}^*$ the following holds:

$$\left\{\begin{array}{l} w^{\lambda} = 1 \bmod n \\ w^{n\lambda} = 1 \bmod n^2 \end{array}\right.$$

This can be proved with Carmichael's theorem:

$$\lambda(n^2) = \mathrm{lcm}(\lambda(q^2), \lambda(p^2)) = \mathrm{lcm}(\phi(q^2), \phi(p^2)) = \mathrm{lcm}(q(q-1), p(p-1)) = pq \cdot \mathrm{lcm}(p-1, q-1) = n\lambda(n)$$

Hence $w^{\lambda(n^2)} = w^{n\lambda} \equiv 1 \bmod n^2$.
The paper begins by briefly presenting composite residuosity as a natural instance of higher-degree residuosity and states some basic related facts. The distinctive feature of the setting is the use of a square as the modulus. As above, $n = pq$ is the product of two large primes.

Definition 1. A number $z$ is said to be an $n$-th residue modulo $n^2$ if there exists a number $y \in \mathbb{Z}_{n^2}^*$ such that

$$z = y^n \bmod n^2$$

The set of $n$-th residues forms a multiplicative subgroup of $\mathbb{Z}_{n^2}^*$ of order $\phi(n)$. Each $n$-th residue $z$ has exactly $n$ roots of degree $n$, exactly one of which is strictly smaller than $n$, namely $\sqrt[n]{z} \bmod n$. Every $n$-th residue can be written in the form $(1+n)^x = 1 + xn \bmod n^2$.

The paper conjectures that distinguishing $n$-th residues modulo $n^2$ is a hard problem; this problem is denoted $\mathrm{CR}[n]$.

Conjecture 2. There exists no polynomial time distinguisher for $n$-th residues modulo $n^2$, i.e. $\mathrm{CR}[n]$ is intractable.
Let $g$ be an element of $\mathbb{Z}_{n^2}^*$ and let $\mathcal{E}_g$ be the map

$$\begin{aligned} \mathbb{Z}_n \times \mathbb{Z}_n^* & \longmapsto \mathbb{Z}_{n^2}^* \\ (x, y) & \longmapsto g^x \cdot y^n \bmod n^2 \end{aligned}$$

$\mathcal{E}_g$ has some interesting properties, for instance:

Lemma 3. If the order of $g$ is a nonzero multiple of $n$ then $\mathcal{E}_g$ is bijective.

That is, whenever the order of $g$ is a nonzero multiple of $n$, $\mathcal{E}_g$ is a bijection; the paper writes $\mathcal{B}$ for the set of such elements $g$.

Definition 4. Assume that $g \in \mathcal{B}$. For $w \in \mathbb{Z}_{n^2}^*$, we call $n$-th residuosity class of $w$ with respect to $g$ the unique integer $x \in \mathbb{Z}_n$ for which there exists $y \in \mathbb{Z}_n^*$ such that

$$\mathcal{E}_g(x, y) = w$$

This class is denoted $[w]_g$.

Lemma 5. $[w]_g = 0$ if and only if $w$ is an $n$-th residue modulo $n^2$. Furthermore,

$$\forall w_1, w_2 \in \mathbb{Z}_{n^2}^* \quad [w_1 w_2]_g = [w_1]_g + [w_2]_g \bmod n$$

that is, the class function $w \mapsto [w]_g$ is a homomorphism from $(\mathbb{Z}_{n^2}^*, \times)$ to $(\mathbb{Z}_n, +)$ for any $g \in \mathcal{B}$.

For $u < n^2$ with $u = 1 \bmod n$, define

$$\mathrm{L}(u) = \frac{u - 1}{n}$$
Encryption:

$g = n + 1$ is a generator of $\mathbb{Z}_{n^2}^*$

plaintext $m < n$

select a random $r < n$

ciphertext $c = g^m \cdot r^n \bmod n^2$

Decryption:

ciphertext $c < n^2$

plaintext $m = \dfrac{\mathrm{L}(c^{\lambda} \bmod n^2)}{\mathrm{L}(g^{\lambda} \bmod n^2)} \bmod n$

(the division is taken modulo $n$, i.e. it is multiplication by the inverse of $\mathrm{L}(g^{\lambda} \bmod n^2)$ modulo $n$)

Why decryption recovers $m$:

$$c^{\lambda} \bmod n^2 = g^{m\lambda} r^{n\lambda} \equiv g^{m\lambda} \bmod n^2 = (1+n)^{m\lambda} \bmod n^2 = 1 + nm\lambda \bmod n^2$$

$$g^{\lambda} \bmod n^2 = (1+n)^{\lambda} \bmod n^2 = 1 + \lambda n \bmod n^2$$

$$\mathrm{L}(c^{\lambda} \bmod n^2) = m\lambda \bmod n^2$$

$$\mathrm{L}(g^{\lambda} \bmod n^2) = \lambda \bmod n^2$$

Therefore,

$$m = \frac{\mathrm{L}\left(c^{\lambda} \bmod n^2\right)}{\mathrm{L}\left(g^{\lambda} \bmod n^2\right)} \bmod n$$
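The scheme above, written out in Python as an added example (not code from the paper or from this post): key generation with $g = n+1$, encryption with a random $r$ coprime to $n$, decryption through $\mathrm{L}$ with the division done as multiplication by $\mathrm{L}(g^{\lambda} \bmod n^2)^{-1} \bmod n$, and the ciphertext product that realises the homomorphism of Lemma 5. The primes in the demo are constructed toy values, far too small for any real use.

```python
import math
import secrets

def lcm(a, b):
    return a * b // math.gcd(a, b)

def L(u, n):
    """L(u) = (u - 1) / n; only defined when u = 1 mod n."""
    if (u - 1) % n != 0:
        raise ValueError("L(u) requires u = 1 mod n")
    return (u - 1) // n

def keygen(p, q):
    """Public key (n, g) with g = n + 1; secret key (lambda(n), mu)
    where mu = L(g^lambda mod n^2)^(-1) mod n (the decryption 'division')."""
    n = p * q
    n2 = n * n
    lam = lcm(p - 1, q - 1)            # lambda(n) = lcm(p-1, q-1)
    g = n + 1
    mu = pow(L(pow(g, lam, n2), n), -1, n)   # with g = n+1 this is lambda^(-1) mod n
    return (n, g), (lam, mu)

def encrypt(pk, m, r=None):
    """c = g^m * r^n mod n^2 with r random in [1, n) and gcd(r, n) = 1."""
    n, g = pk
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext must satisfy 0 <= m < n")
    if r is None:
        while True:
            r = secrets.randbelow(n - 1) + 1
            if math.gcd(r, n) == 1:
                break
    elif math.gcd(r, n) != 1:
        raise ValueError("r must be coprime to n")
    return (pow(g, m, n2) * pow(r, n, n2)) % n2

def decrypt(pk, sk, c):
    """m = L(c^lambda mod n^2) * mu mod n; r^(n*lambda) vanishes mod n^2."""
    n, _ = pk
    lam, mu = sk
    return (L(pow(c, lam, n * n), n) * mu) % n

def add_encrypted(pk, c1, c2):
    """Lemma 5: the product of two ciphertexts decrypts to the sum mod n."""
    n, _ = pk
    return (c1 * c2) % (n * n)

if __name__ == "__main__":
    pk, sk = keygen(47, 59)            # constructed toy primes, n = 2773
    c = add_encrypted(pk, encrypt(pk, 2000), encrypt(pk, 1000))
    print(decrypt(pk, sk, c))          # (2000 + 1000) mod 2773 = 227
```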