[Paillier Cryptosystem] Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Original paper link: http://link.springer.com/10.1007/3-540-48910-X_16

Abstract

This paper investigates a new computational problem, the Composite Residuosity Class Problem, and its applications to public-key cryptography. We propose a new trapdoor mechanism and derive from it three encryption schemes: a trapdoor permutation and two homomorphic probabilistic encryption schemes computationally comparable to RSA. Our cryptosystems are based on the usual modular arithmetic and are provably secure under appropriate assumptions in the standard model.

Carmichael function

Let $n = pq$, where $p$ and $q$ are large primes. As usual, we write $\phi(n)$ for Euler's totient function and $\lambda(n)$ for the Carmichael function; in the present setting $\phi(n) = (p-1)(q-1)$ and $\lambda(n) = \mathrm{lcm}(p-1, q-1)$. Moreover $\left|\mathbb{Z}_{n^2}^*\right| = \phi(n^2) = n\phi(n)$. For any $w \in \mathbb{Z}_{n^2}^*$ the following holds:

$$
\left\{\begin{array}{l}
w^{\lambda} = 1 \bmod n \\
w^{n\lambda} = 1 \bmod n^2
\end{array}\right.
$$

This can be proved with Carmichael's theorem:

$$
\lambda(n^2) = \mathrm{lcm}(\lambda(q^2), \lambda(p^2)) = \mathrm{lcm}(\phi(q^2), \phi(p^2)) = \mathrm{lcm}(q(q-1), p(p-1)) = pq \cdot \mathrm{lcm}(p-1, q-1) = n\lambda(n)
$$

Therefore $w^{\lambda(n^2)} = w^{n\lambda} \equiv 1 \bmod n^2$.

Deciding Composite Residuosity

The paper first briefly presents composite residuosity as a natural instance of higher-degree residuosity and states some basic related facts. The distinctive feature of this setting is the use of a square as the modulus. As before, $n = pq$ is the product of two large primes.

Definition 1. A number $z$ is said to be an $n$-th residue modulo $n^2$ if there exists a number $y \in \mathbb{Z}_{n^2}^*$ such that
$$
z = y^n \bmod n^2
$$

The set of $n$-th residues forms a multiplicative subgroup of $\mathbb{Z}_{n^2}^*$ of order $\phi(n)$. Each $n$-th residue $z$ has exactly $n$ roots of degree $n$, of which exactly one is strictly smaller than $n$, namely $\sqrt[n]{z} \bmod n$. The $n$-th residues can all be written in the form $(1+n)^x = 1 + xn \bmod n^2$.
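The group-theoretic facts above (the two Carmichael identities, $|\mathbb{Z}_{n^2}^*| = n\phi(n)$, the $\phi(n)$ $n$-th residues each having exactly $n$ roots of which one is below $n$, and $(1+n)^x = 1 + xn \bmod n^2$) can all be checked by brute force on a toy modulus. The following Python is an added illustration, not code from the paper or from this post; it assumes the constructed primes $p = 3$, $q = 5$ so that $\mathbb{Z}_{n^2}^* = \mathbb{Z}_{225}^*$ can be enumerated directly.

```python
from math import gcd, lcm

# Constructed toy parameters (not from the paper): primes small enough to
# enumerate all of Z*_{n^2} by brute force.  n = 15, n^2 = 225.
P, Q = 3, 5
N = P * Q


def phi_n():
    """Euler's totient phi(n) = (p-1)(q-1)."""
    return (P - 1) * (Q - 1)


def lambda_n():
    """Carmichael function lambda(n) = lcm(p-1, q-1)."""
    return lcm(P - 1, Q - 1)


def units_mod_n2():
    """All elements of Z*_{n^2}: integers in [1, n^2) coprime to n."""
    return [w for w in range(1, N * N) if gcd(w, N) == 1]


def carmichael_identities_hold():
    """w^lambda = 1 mod n and w^(n*lambda) = 1 mod n^2 for every w in Z*_{n^2},
    and |Z*_{n^2}| = n * phi(n)."""
    lam = lambda_n()
    units = units_mod_n2()
    size_ok = len(units) == N * phi_n()
    return size_ok and all(
        pow(w, lam, N) == 1 and pow(w, N * lam, N * N) == 1 for w in units
    )


def nth_residues():
    """The subgroup of n-th residues {y^n mod n^2 : y in Z*_{n^2}}."""
    return sorted({pow(y, N, N * N) for y in units_mod_n2()})


def nth_roots(z):
    """All y in Z*_{n^2} with y^n = z mod n^2."""
    return [y for y in units_mod_n2() if pow(y, N, N * N) == z]


def residue_structure():
    """Returns (number of n-th residues,
                every residue has exactly n roots of degree n,
                every residue has exactly one root strictly smaller than n)."""
    residues = nth_residues()
    roots = {z: nth_roots(z) for z in residues}
    exactly_n_roots = all(len(r) == N for r in roots.values())
    one_small_root = all(sum(1 for y in r if y < N) == 1 for r in roots.values())
    return len(residues), exactly_n_roots, one_small_root


def binomial_identity_holds(x):
    """(1+n)^x = 1 + x*n mod n^2: every higher binomial term carries a factor n^2."""
    return pow(1 + N, x, N * N) == (1 + x * N) % (N * N)


if __name__ == "__main__":
    print("phi(n) =", phi_n(), "lambda(n) =", lambda_n())
    print("Carmichael identities hold:", carmichael_identities_hold())
    print("(#residues, n roots each, one root < n):", residue_structure())
    print("(1+n)^x = 1+xn mod n^2 for x < 100:",
          all(binomial_identity_holds(x) for x in range(100)))
```

With $n = 15$ the run reports $\phi(n) = 8$ residues, which matches the order $\phi(n)$ of the subgroup stated above, and $|\mathbb{Z}_{225}^*| = 120 = 15 \cdot 8$. Only `pow`, `gcd` and `lcm` from the standard library are used (`math.lcm` needs Python 3.9 or later).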

The paper conjectures that distinguishing $n$-th residues modulo $n^2$ is a hard problem, denoted $\mathrm{CR}[n]$.

Conjecture 2. There exists no polynomial time distinguisher for $n$-th residues modulo $n^2$, i.e. $\mathrm{CR}[n]$ is intractable.

Computing Composite Residuosity Classes

Let $g$ be an element of $\mathbb{Z}_{n^2}^*$ and let $\mathcal{E}_g$ be the map:
$$
\begin{aligned}
\mathbb{Z}_n \times \mathbb{Z}_n^* & \longmapsto \mathbb{Z}_{n^2}^* \\
(x, y) & \longmapsto g^x \cdot y^n \bmod n^2
\end{aligned}
$$
$\mathcal{E}_g$ has some interesting properties, for example:

Lemma 3. If the order of $g$ is a nonzero multiple of $n$ then $\mathcal{E}_g$ is bijective.

Definition 4. Assume that $g \in \mathcal{B}$ (here $\mathcal{B}$ denotes the set of elements of $\mathbb{Z}_{n^2}^*$ whose order is a nonzero multiple of $n$, i.e. exactly those $g$ for which Lemma 3 applies). For $w \in \mathbb{Z}_{n^2}^*$, we call $n$-th residuosity class of $w$ with respect to $g$ the unique integer $x \in \mathbb{Z}_n$ for which there exists $y \in \mathbb{Z}_n^*$ such that
$$
\mathcal{E}_g(x, y) = w
$$

Lemma 5. $[w]_g = 0$ if and only if $w$ is an $n$-th residue modulo $n^2$. Furthermore,
$$
\forall w_1, w_2 \in \mathbb{Z}_{n^2}^* \quad \left[w_1 w_2\right]_g = \left[w_1\right]_g + \left[w_2\right]_g \bmod n
$$
that is, the class function $w \mapsto [w]_g$ is a homomorphism from $\left(\mathbb{Z}_{n^2}^*, \times\right)$ to $\left(\mathbb{Z}_n, +\right)$ for any $g \in \mathcal{B}$.

Finally, define the function
$$
\mathrm{L}(u) = \frac{u - 1}{n}
$$

Paillier encryption

Encryption:
- $g = n + 1$ is taken as the generator in $\mathbb{Z}_{n^2}^*$
- plaintext $m < n$
- select a random $r < n$
- ciphertext $c = g^m \cdot r^n \bmod n^2$

Decryption:
- ciphertext $c < n^2$
- plaintext $m = \dfrac{\mathrm{L}\left(c^{\lambda} \bmod n^2\right)}{\mathrm{L}\left(g^{\lambda} \bmod n^2\right)} \bmod n$

Correctness:

$$
c^{\lambda} \bmod n^2 = g^{m\lambda} r^{n\lambda} \equiv g^{m\lambda} \bmod n^2 = (1+n)^{m\lambda} \bmod n^2 = 1 + nm\lambda \bmod n^2
$$
$$
g^{\lambda} \bmod n^2 = (1+n)^{\lambda} \bmod n^2 = 1 + \lambda n \bmod n^2
$$

Applying $\mathrm{L}$ to both (the "$-1$, then divide by $n$" step turns $1 + kn \bmod n^2$ into $k \bmod n$):

$$
\mathrm{L}\left(c^{\lambda} \bmod n^2\right) = m\lambda \bmod n
$$
$$
\mathrm{L}\left(g^{\lambda} \bmod n^2\right) = \lambda \bmod n
$$

Hence,

$$
m = \frac{\mathrm{L}\left(c^{\lambda} \bmod n^2\right)}{\mathrm{L}\left(g^{\lambda} \bmod n^2\right)} \bmod n
$$
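The scheme and its correctness argument above, together with the homomorphism of Lemma 5 (the class of a product is the sum of the classes, and an $n$-th residue has class $0$), can be exercised end to end. The following Python is an added example, not code from the paper or from this post. It uses $g = n + 1$ exactly as on the page, precomputes $\mu = \mathrm{L}(g^{\lambda} \bmod n^2)^{-1} \bmod n$ so that the division in the decryption formula becomes a multiplication, and assumes constructed toy primes ($10007$ and $10009$) for readability; `math.lcm` and the three-argument `pow(x, -1, n)` need Python 3.9 or later.

```python
from math import gcd, lcm
import secrets


def L(u, n):
    """The paper's function L(u) = (u - 1) / n, defined when u = 1 mod n."""
    assert (u - 1) % n == 0, "L is only defined on u = 1 mod n"
    return (u - 1) // n


def keygen(p, q):
    """Paillier key pair with g = n + 1, as in the scheme above.
    Public key (n, g); private key (n, lambda, mu) with mu = L(g^lambda mod n^2)^-1 mod n."""
    n = p * q
    n2 = n * n
    g = n + 1
    lam = lcm(p - 1, q - 1)                   # Carmichael function lambda(n)
    mu = pow(L(pow(g, lam, n2), n), -1, n)    # inverse of L(g^lambda mod n^2) mod n
    return (n, g), (n, lam, mu)


def encrypt(pub, m, r=None):
    """c = g^m * r^n mod n^2.  r is a fresh random unit in [1, n) unless given
    (the tests pass r explicitly to get reproducible ciphertexts)."""
    n, g = pub
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext must satisfy 0 <= m < n")
    if r is None:
        while True:
            r = secrets.randbelow(n - 1) + 1  # 1 <= r < n
            if gcd(r, n) == 1:
                break
    if not (1 <= r < n and gcd(r, n) == 1):
        raise ValueError("r must be a unit in [1, n)")
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(priv, c):
    """m = L(c^lambda mod n^2) / L(g^lambda mod n^2) mod n, with the division done via mu."""
    n, lam, mu = priv
    n2 = n * n
    return (L(pow(c, lam, n2), n) * mu) % n


def residuosity_class(priv, w):
    """[w]_g for g = n + 1: the unique x with w = g^x * y^n mod n^2.
    The trapdoor lambda recovers it exactly as decryption does."""
    return decrypt(priv, w)


def add_encrypted(pub, c1, c2):
    """Homomorphic addition: E(m1) * E(m2) mod n^2 decrypts to m1 + m2 mod n (Lemma 5)."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def demo():
    """Round trip, homomorphic sum and Lemma 5 on constructed toy primes."""
    pub, priv = keygen(10007, 10009)        # constructed toy primes (assumption)
    n, _ = pub
    c1 = encrypt(pub, 42)
    c2 = encrypt(pub, 58)
    y_to_n = pow(123456, n, n * n)          # an n-th residue: its class must be 0
    return {
        "roundtrip": decrypt(priv, c1),
        "sum": decrypt(priv, add_encrypted(pub, c1, c2)),
        "class_of_nth_residue": residuosity_class(priv, y_to_n),
        "class_is_additive": residuosity_class(priv, (c1 * c2) % (n * n))
        == (residuosity_class(priv, c1) + residuosity_class(priv, c2)) % n,
    }


if __name__ == "__main__":
    print(demo())
```

Because $r$ is drawn fresh for every call, two encryptions of the same $m$ give different ciphertexts (the scheme is probabilistic), while their product still decrypts to the sum of the plaintexts modulo $n$; the `class_is_additive` entry is exactly the homomorphism statement of Lemma 5 evaluated on two concrete group elements.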
