Public-Key Cryptosystems Based on Composite Degree Residuosity Classes
Original paper link: http://link.springer.com/10.1007/3-540-48910-X_16
Abstract
This paper investigates a novel computational problem, the Composite Residuosity Class Problem, and its applications to public-key cryptography. We propose a new trapdoor mechanism and derive from it three encryption schemes: a trapdoor permutation and two homomorphic probabilistic encryption schemes computationally comparable to RSA. Our cryptosystems, based on usual modular arithmetic, are provably secure under appropriate assumptions in the standard model.
Carmichael's function
Let $n = pq$, where $p$ and $q$ are large primes. As usual, $\phi(n)$ denotes Euler's totient function and $\lambda(n)$ Carmichael's function; in the present setting $\phi(n) = (p-1)(q-1)$ and $\lambda(n) = \mathrm{lcm}(p-1, q-1)$. Moreover $\left|\mathbb{Z}_{n^2}^*\right| = \phi(n^2) = n\phi(n)$. For any $w \in \mathbb{Z}_{n^2}^*$ the following holds:

$$
\left\{\begin{array}{l} w^{\lambda} = 1 \bmod n \\ w^{n\lambda} = 1 \bmod n^2 \end{array}\right.
$$

This follows from Carmichael's theorem. The first identity is Carmichael's theorem for $n$ itself. For the second, note that for an odd prime $p$ one has $\lambda(p^2) = \phi(p^2) = p(p-1)$, so

$$
\lambda(n^2) = \mathrm{lcm}(\lambda(p^2), \lambda(q^2)) = \mathrm{lcm}(p(p-1), q(q-1)) = pq \cdot \mathrm{lcm}(p-1, q-1) = n\lambda(n).
$$

The last equality uses $\gcd(n, \phi(n)) = 1$ (i.e. $p \nmid q-1$ and $q \nmid p-1$), which the paper assumes and which holds automatically when $p$ and $q$ have the same bit length. Without that assumption $n\lambda(n)$ is still a multiple of $\lambda(n^2)$, so the conclusion is unchanged. Therefore

$$
w^{\lambda(n^2)} = w^{n\lambda} \equiv 1 \bmod n^2 .
$$
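To see the two identities and the caveat concretely, here is a small Python check (an added example, not code from the paper or the original post). It computes $\lambda(n)$ and $\lambda(n^2)$ for small primes and brute-forces both identities over all of $\mathbb{Z}_{n^2}^*$. It also covers the case $p = 3$, $q = 7$, where $p$ divides $q - 1$: there $\lambda(n^2) = 42$ is strictly smaller than $n\lambda(n) = 126$, yet the identities still hold because $42$ divides $126$. The prime pairs are constructed test inputs.

```python
"""Brute-force check of w^lambda = 1 mod n and w^(n*lambda) = 1 mod n^2.
Added example for this page; not the paper's or the original post's code."""
import math


def lcm(a, b):
    return a // math.gcd(a, b) * b


def carmichael_semiprime(p, q):
    """lambda(n) for n = p*q with p, q distinct primes: lcm(p-1, q-1)."""
    return lcm(p - 1, q - 1)


def carmichael_semiprime_square(p, q):
    """lambda(n^2) = lcm(lambda(p^2), lambda(q^2)) = lcm(p(p-1), q(q-1)) for odd primes p, q."""
    return lcm(p * (p - 1), q * (q - 1))


def check_identities(p, q):
    """True iff w^lambda = 1 mod n and w^(n*lambda) = 1 mod n^2 for every w in Z*_{n^2}.
    Exhaustive, so only meant for toy primes."""
    n, lam = p * q, carmichael_semiprime(p, q)
    n2 = n * n
    for w in range(1, n2):
        if math.gcd(w, n) != 1:  # skip elements outside Z*_{n^2}
            continue
        if pow(w, lam, n) != 1 or pow(w, n * lam, n2) != 1:
            return False
    return True


if __name__ == "__main__":
    for p, q in [(5, 7), (3, 7)]:  # constructed test pairs; 3 divides 7 - 1
        n = p * q
        print(n, carmichael_semiprime(p, q), carmichael_semiprime_square(p, q),
              n * carmichael_semiprime(p, q), check_identities(p, q))
```

For $(5, 7)$ the derivation's equality $\lambda(n^2) = n\lambda(n)$ holds exactly ($420 = 35 \cdot 12$); for $(3, 7)$ it does not, but $n\lambda(n)$ remains a multiple of $\lambda(n^2)$, which is all the decryption argument needs.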
Deciding Composite Residuosity
The paper first introduces composite residuosity as a natural instance of higher-degree residuosity and states some basic related facts. The distinctive feature of the setting is the use of a square as the modulus. As before, $n = pq$ is the product of two large primes.
Definition 1. A number $z$ is said to be a $n$-th residue modulo $n^2$ if there exists a number $y \in \mathbb{Z}_{n^2}^*$ such that $z = y^n \bmod n^2$.
The set of $n$-th residues is a multiplicative subgroup of $\mathbb{Z}_{n^2}^*$ of order $\phi(n)$. Each $n$-th residue $z$ has exactly $n$ roots of degree $n$, exactly one of which is strictly smaller than $n$, namely $\sqrt[n]{z} \bmod n$. The $n$-th roots of unity (not the $n$-th residues themselves) are the numbers of the form $(1+n)^x = 1 + xn \bmod n^2$ with $x \in \mathbb{Z}_n$.
The paper conjectures that deciding $n$-th residuosity modulo $n^2$, i.e. distinguishing $n$-th residues from non-residues, is a hard problem, denoted $\mathrm{CR}[n]$.
Conjecture 2. There exists no polynomial time distinguisher for $n$-th residues modulo $n^2$, i.e. $\mathrm{CR}[n]$ is intractable.
Computing Composite Residuosity Classes
Let $g$ be some element of $\mathbb{Z}_{n^2}^*$ and $\mathcal{E}_g$ the map

$$
\begin{aligned} \mathbb{Z}_n \times \mathbb{Z}_n^* & \longmapsto \mathbb{Z}_{n^2}^* \\ (x, y) & \longmapsto g^x \cdot y^n \bmod n^2 \end{aligned}
$$

$\mathcal{E}_g$ has some interesting properties, for instance:
Lemma 3. If the order of $g$ is a nonzero multiple of $n$ then $\mathcal{E}_g$ is bijective.

Note that the condition is on the order of $g$ in $\mathbb{Z}_{n^2}^*$, not on $g$ itself. The set of such elements, i.e. those of order $n\alpha$ for some $\alpha \in \{1, \dots, \lambda\}$, is denoted $\mathcal{B}$; the base $g$ used below is always taken from $\mathcal{B}$.
Definition 4. Assume that $g \in \mathcal{B}$. For $w \in \mathbb{Z}_{n^2}^*$, we call $n$-th residuosity class of $w$ with respect to $g$ the unique integer $x \in \mathbb{Z}_n$ for which there exists $y \in \mathbb{Z}_n^*$ such that $\mathcal{E}_g(x, y) = w$. The class of $w$ is denoted $[w]_g$.
Lemma 5. $[w]_g = 0$ if and only if $w$ is a $n$-th residue modulo $n^2$. Furthermore,

$$
\forall w_1, w_2 \in \mathbb{Z}_{n^2}^* \quad \left[w_1 w_2\right]_g = \left[w_1\right]_g + \left[w_2\right]_g \bmod n,
$$

that is, the class function $w \mapsto [w]_g$ is a homomorphism from $\left(\mathbb{Z}_{n^2}^*, \times\right)$ to $\left(\mathbb{Z}_n, +\right)$ for any $g \in \mathcal{B}$.
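Why the class function is a homomorphism, as a short added derivation in the page's own symbols (not part of the original post). Write the two arguments in the form of Definition 4:

$$
\begin{aligned}
w_1 &= g^{x_1} y_1^{\,n} \bmod n^2, \qquad w_2 = g^{x_2} y_2^{\,n} \bmod n^2, \\
w_1 w_2 &= g^{x_1 + x_2} \,(y_1 y_2)^n \bmod n^2 .
\end{aligned}
$$

Let $x = x_1 + x_2 \bmod n$ and $x_1 + x_2 = x + kn$. Then $g^{x_1 + x_2} = g^{x} \cdot (g^{k})^{n}$, and because $(u + tn)^n \equiv u^n \bmod n^2$ for every integer $t$, the factor $(g^k)^n$ equals $y^n$ for $y = g^k \bmod n \in \mathbb{Z}_n^*$. Hence

$$
w_1 w_2 = \mathcal{E}_g\big(x,\; y_1 y_2 y \bmod n\big), \qquad \text{so} \qquad [w_1 w_2]_g = x = [w_1]_g + [w_2]_g \bmod n
$$

by the uniqueness of the class (Lemma 3). The first statement of Lemma 5 is the case $x = 0$: $[w]_g = 0$ exactly when $w = y^n \bmod n^2$ for some $y$, i.e. when $w$ is a $n$-th residue.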
The trapdoor uses the function $\mathrm{L}$, defined on $S_n = \{u < n^2 : u = 1 \bmod n\}$ by $\mathrm{L}(u) = \frac{u-1}{n}$.
Paillier encryption
Encryption:
$g = n + 1$. This element has order $n$ in $\mathbb{Z}_{n^2}^*$ (since $(1+n)^x = 1 + xn \bmod n^2$), so $g \in \mathcal{B}$ and $\mathcal{E}_g$ is bijective; it is not a generator of $\mathbb{Z}_{n^2}^*$, which has order $n\phi(n)$.
plaintext $m < n$
select a random $r < n$ (with $\gcd(r, n) = 1$, which holds with overwhelming probability)
ciphertext $c = g^m \cdot r^n \bmod n^2$
Decryption:
ciphertext $c < n^2$
plaintext $m = \dfrac{\mathrm{L}\left(c^{\lambda} \bmod n^2\right)}{\mathrm{L}\left(g^{\lambda} \bmod n^2\right)} \bmod n$
Correctness:

$$
c^\lambda \bmod n^2 = g^{m\lambda} r^{n\lambda} \equiv g^{m\lambda} \bmod n^2 = (1+n)^{m\lambda} \bmod n^2 = 1 + m\lambda n \bmod n^2
$$

The factor $r^{n\lambda}$ disappears because $r^{n\lambda} \equiv 1 \bmod n^2$ for every $r \in \mathbb{Z}_{n^2}^*$ (the second Carmichael identity above), and $(1+n)^{x} = 1 + xn \bmod n^2$ by the binomial expansion. Likewise

$$
g^{\lambda} \bmod n^2 = (1+n)^{\lambda} \bmod n^2 = 1 + \lambda n \bmod n^2
$$

Both values are $\equiv 1 \bmod n$, so they lie in the domain of $\mathrm{L}$, and

$$
\mathrm{L}(c^{\lambda} \bmod n^2) = m\lambda \bmod n, \qquad \mathrm{L}(g^{\lambda} \bmod n^2) = \lambda \bmod n
$$

Since $\lambda$ divides $\phi(n)$ and $\gcd(n, \phi(n)) = 1$, $\lambda$ is invertible modulo $n$; the "division" is multiplication by $\lambda^{-1} \bmod n$. Therefore

$$
m = \frac{\mathrm{L}\left(c^{\lambda} \bmod n^2\right)}{\mathrm{L}\left(g^{\lambda} \bmod n^2\right)} \bmod n
$$
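A complete toy implementation of the scheme in Python, added here as an example (it is not code from the paper or the original post): key generation with $g = n + 1$, encryption, decryption, the residuosity class $[w]_g$ computed through the trapdoor $\lambda$ (Definition 4), the $n$-th residue test of Lemma 5, and the additive homomorphism. The primes 65537 and 65521 used in the demo are constructed test values chosen for speed (the code checks $\gcd(n, \phi(n)) = 1$ explicitly); real keys need primes of at least 1024 bits each and a primality test, which this example omits.

```python
"""Toy Paillier cryptosystem: keygen, encryption, decryption, the class
trapdoor of Definition 4 / Lemma 5, and the additive homomorphism.
Added example for this page; not the paper's or the original post's code.
The primes in the demo are small test values, NOT secure parameters."""
import math
import secrets


def lcm(a, b):
    return a // math.gcd(a, b) * b


def L(u, n):
    """L(u) = (u - 1) / n on S_n = {u < n^2 : u = 1 mod n}."""
    if u % n != 1:
        raise ValueError("L is only defined for u = 1 mod n")
    return (u - 1) // n


def keygen(p, q):
    """Derive a key pair from two distinct primes (assumed prime; no primality test).
    g = n + 1 has order n in Z*_{n^2}, so g is in B and E_g is bijective."""
    if p == q:
        raise ValueError("p and q must be distinct")
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(n, phi) != 1:  # guarantees gcd(lambda, n) = 1, so lambda is invertible mod n
        raise ValueError("gcd(n, phi(n)) must be 1")
    lam = lcm(p - 1, q - 1)  # Carmichael's lambda(n)
    g = n + 1
    n2 = n * n
    mu = pow(L(pow(g, lam, n2), n), -1, n)  # 1 / L(g^lambda mod n^2) mod n, i.e. lambda^-1 mod n
    pub = {"n": n, "n2": n2, "g": g}
    priv = {"n": n, "n2": n2, "lam": lam, "mu": mu}
    return pub, priv


def encrypt(pub, m, r=None):
    """c = g^m * r^n mod n^2 = E_g(m, r). Random r in Z*_n unless one is supplied (for tests)."""
    n, n2, g = pub["n"], pub["n2"], pub["g"]
    if not 0 <= m < n:
        raise ValueError("plaintext must lie in Z_n")
    if r is None:
        r = secrets.randbelow(n - 1) + 1  # r in [1, n-1]; coprime to n with overwhelming probability
    if math.gcd(r, n) != 1:
        raise ValueError("r must be in Z*_n")
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def residuosity_class(priv, w):
    """[w]_g for g = n + 1: the unique x in Z_n with w = g^x * y^n mod n^2.
    This is exactly the decryption formula L(w^lambda mod n^2) / L(g^lambda mod n^2) mod n."""
    n, n2, lam, mu = priv["n"], priv["n2"], priv["lam"], priv["mu"]
    return (L(pow(w, lam, n2), n) * mu) % n


def decrypt(priv, c):
    """The plaintext of c is its residuosity class: m = [c]_g."""
    return residuosity_class(priv, c)


def is_nth_residue(priv, w):
    """Lemma 5: [w]_g = 0 iff w is an n-th residue mod n^2. Without the trapdoor
    lambda, making this decision is the CR[n] problem of Conjecture 2."""
    return residuosity_class(priv, w) == 0


def add_ciphertexts(pub, c1, c2):
    """Homomorphism of Lemma 5: [c1*c2]_g = [c1]_g + [c2]_g mod n, so the product
    of two ciphertexts decrypts to the sum of the plaintexts."""
    return (c1 * c2) % pub["n2"]


if __name__ == "__main__":
    pub, priv = keygen(65537, 65521)  # constructed toy primes, not a secure key size
    c1, c2 = encrypt(pub, 1000), encrypt(pub, 2345)
    print(decrypt(priv, add_ciphertexts(pub, c1, c2)))  # 3345
```

Two design points worth noticing: decryption and class computation are the same function, because decrypting is literally recovering $[c]_g$; and the residue test is only possible with $\lambda$, which is the whole content of Conjecture 2.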