
In this chapter, we revisited the security reduction algorithms related to the RSA-OAEP and the RSA-Paillier cryptosystems. These algorithms exploit techniques of finding small solutions of linear modular equations. The standard algorithms for solving this task are lattice-based (Gaussian reduction) or based on continued fractions (Euclidean reduction).

We proposed an efficient alternative algorithm and demonstrated its advantages. In the case of OAEP, we were able to improve the advantage of the reduction proof. For RSA-Paillier, the previous solution gave qualitative results only (i.e., the existence of a polynomial-time reduction with non-negligible advantage). Our new algorithm, in contrast, yields a complete security reduction proof, including explicit bounds for the running time and the achieved advantage.

Chapter 4

A New Rabin-type Trapdoor One-way Function and Its Applications

Public key cryptography was invented to overcome key management problems in open networks. Although nearly all of public key cryptography relies on the existence of (trapdoor) one-way functions, only very few candidates for this primitive are known. In this chapter, we introduce a new trapdoor one-way function based on the hardness of factoring integers of p²q-type. We point out similarities between the proposed function and Rabin-type modular squaring. Most interestingly, two novel trapdoor one-way permutations can be derived from our approach. Moreover, we develop several applications: homomorphic encryption, hybrid encryption, fail-stop signature schemes and trapdoor commitments.

4.1 Introduction

Informally, a one-way function is a function that is “easy” to compute but “hard” to invert. If there exists some piece of information that also makes inversion easy, the function is called a trapdoor one-way function. Trapdoor one-way functions (in particular the bijective ones, the trapdoor one-way permutations) are used as building blocks for various kinds of cryptographic schemes, e.g., asymmetric encryption, digital signatures, and private information retrieval. There is no doubt that the concept of trapdoor one-way functions is of central importance in public key cryptography. Nevertheless, only a relatively small number of promising candidates can be found in the literature. Promising here means that a presumed hard problem, such as the factorization of large integers, can be reduced to the one-wayness of the trapdoor function in question. As not even the existence of one-way functions can be proved today¹, such provably secure trapdoor one-way functions are the best alternative at present.

¹ Interestingly, the current knowledge in complexity theory does not even allow one to prove the existence of one-way functions assuming P ≠ NP. On the other hand, it is known that the existence of one-way functions implies P ≠ NP.


4.1.1 Previous Work

The oldest and still best-known candidate trapdoor one-way permutation is the RSA function, invented in 1977 by Rivest, Shamir and Adleman (see Example 2.1). RSA is defined as modular exponentiation with an exponent coprime to the order of the multiplicative residue group [RSA78]. The factors of the modulus serve as a trapdoor for inverting the RSA function, but the converse, that inverting RSA yields the factors, is unknown. Thus RSA is not provably equivalent to factoring, and there are serious doubts that this equivalence holds at all [BV98]. Nevertheless, since the RSA problem has been studied extensively for decades, inverting the RSA function is nowadays widely accepted as a hard problem in its own right. Slightly later, Rabin observed that the special case of modular squaring does yield the desired equivalence to factoring [Rab79].

Modular squaring, however, is not a permutation: it is four-to-one (for a two-factor modulus). This drawback can be overcome: squaring modulo a Blum integer² n is a permutation of QR(n), where QR(n) := {x ∈ Z_n^× | ∃y : y² ≡ x mod n} denotes the group of quadratic residues modulo n. The resulting trapdoor permutation is referred to as the Blum-Williams function in the literature, and its extension to the exponent 2e, where e is coprime to λ(n), is called the Rabin-Williams function. Further factorization-based trapdoor permutations were proposed by Kurosawa et al. [KIT88], Paillier [Pai99a, Pai99b], and Galindo et al. [GMMV03]. A survey of trapdoor permutations, including some less established candidates, can be found in [PG97].

4.1.2 Our Contributions

In this chapter, we introduce a rather simple trapdoor one-way function that is equivalent to factoring integers of the shape n = p²q. Like many previous candidates, the proposed trapdoor function is a variant of the RSA function; in our case the public exponent equals the modulus n = p²q. On the domain Z_n^×, the function x ↦ xⁿ mod n is p-to-one, but restricted to the subgroup of n-th residues modulo n it is a permutation. These properties parallel those of the Blum-Williams permutation (with n-th residues in place of quadratic residues). Analogously to the quadratic residuosity assumption, we assume that without knowledge of the factorization of n it is hard to distinguish n-th residues from non-residues, whereas this is easy when the factors of n are known. The restricted domain has a drawback, which also affects the Blum-Williams and Rabin-Williams functions: in practical applications the data must first be mapped into the set of n-th (resp. quadratic) residues. Presumably this is one reason why the RSA function (with domain Z_n) is far more widespread in commercial applications than Rabin-type functions. Fortunately, we can prove that for n of p²q-type the set of n-th residues is isomorphic to Z_pq^×, so our trapdoor function also provides a bijection between the easy-to-handle domain Z_pq^× and the set of n-th residues. No such property is known for Rabin-type functions. Consequently, our trapdoor permutation can be used to encrypt arbitrary strings such as keys. We give an application in Section 4.4.
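The following Python script is an illustration added here; it is not part of the thesis and does not reproduce the thesis's own proofs. On the toy parameters p = 7, q = 11 (so n = 539) it brute-forces the structural claims above: x ↦ xⁿ mod n is p-to-one on Z_n^×, its image (the n-th residues) has exactly (p−1)(q−1) = |Z_pq^×| elements and is permuted by the function, and the representatives of Z_pq^× map bijectively onto the residues. It also runs the same check for Rabin squaring modulo the Blum integer pq from Section 4.1.1 for contrast. The trapdoor inversion shown (d = n⁻¹ mod lcm(p−1, q−1), then c^d mod pq) is the RSA-style route the example assumes, and it requires gcd(n, lcm(p−1, q−1)) = 1, which the script checks; whether the thesis inverts the same way is not stated on this page.

```python
"""Toy brute-force check of the p^2 q trapdoor function x -> x^n mod n.

Added illustration with constructed toy primes; not the thesis's code.
"""
from collections import Counter
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


def units(m):
    """Representatives of the multiplicative group Z_m^x, in ascending order."""
    return [x for x in range(1, m) if gcd(x, m) == 1]


def keygen(p, q):
    """Public modulus n = p^2 q and the trapdoor exponent d (assumption of
    this example: gcd(n, lcm(p-1, q-1)) == 1 so that n is invertible)."""
    n = p * p * q
    lam = lcm(p - 1, q - 1)
    if gcd(n, lam) != 1:
        raise ValueError("example needs gcd(n, lcm(p-1, q-1)) == 1")
    d = pow(n, -1, lam)  # modular inverse, Python >= 3.8
    return n, d


def f(x, n):
    """The candidate trapdoor function: the public exponent is the modulus."""
    return pow(x, n, n)


def invert(c, p, q, d):
    """Trapdoor inversion on the domain Z_pq^x, c = x^n mod n  ->  x.

    n*d = 1 + k*lam with lam = lcm(p-1, q-1) the exponent of Z_pq^x, so
    c^d = x^(n*d) = x (mod pq); since 0 < x < pq the residue is x itself.
    """
    return pow(c, d, p * q)


def analyse(p, q):
    """Brute-force the structure of x -> x^n mod n for small p, q."""
    n, d = keygen(p, q)
    u = units(n)
    fibres = Counter(f(x, n) for x in u)       # image -> number of preimages
    residues = set(fibres)                     # the n-th residues modulo n
    kernel = [x for x in u if f(x, n) == 1]    # all preimages of 1
    dom = units(p * q)                         # the easy-to-handle domain Z_pq^x
    return {
        "n": n,
        "fibre_sizes": set(fibres.values()),   # expect {p}: the map is p-to-one
        "kernel": kernel,                      # expect 1 + p*q*t for t = 0..p-1
        "num_residues": len(residues),         # expect (p-1)(q-1) = |Z_pq^x|
        "perm_on_residues": {f(r, n) for r in residues} == residues,
        "bijection_from_Zpq": len(dom) == len(residues)
                              and {f(x, n) for x in dom} == residues,
        "round_trip": all(invert(f(x, n), p, q, d) == x for x in dom),
    }


def blum_williams(p, q):
    """Same brute force for Rabin squaring modulo a Blum integer m = pq."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be congruent to 3 mod 4")
    m = p * q
    sq = Counter(pow(x, 2, m) for x in units(m))
    qr = set(sq)                               # QR(m)
    return {
        "fibre_sizes": set(sq.values()),       # expect {4}: squaring is 4-to-one
        "qr_size": len(qr),                    # expect phi(m)/4
        "perm_on_qr": {pow(r, 2, m) for r in qr} == qr,
    }


if __name__ == "__main__":
    # Constructed toy parameters: p = 7, q = 11 satisfy both gcd conditions
    # for keygen and are both 3 mod 4, so 77 is a Blum integer as well.
    print(analyse(7, 11))
    print(blum_williams(7, 11))
```

The kernel printed by `analyse` is exactly {1 + pq·t : 0 ≤ t < p}, i.e. the preimages of any residue differ only by multiples of pq; that is why reducing c^d modulo pq picks out the unique representative below pq, and it is the "higher degree of freedom in finding pre-images" that the kernel of size p (versus four for squaring) provides.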

Further advantages of our trapdoor one-way function over Rabin-type modular squaring stem from the fact that the kernel is larger (p elements rather than four). This gives more freedom in choosing pre-images, and thereby enables the construction of fail-stop signatures (see Section 4.5) and trapdoor commitments (see Section 4.6). Moreover, we can extend our analysis to a Paillier-like function operating in the group Z_{n²}^× for n of

² A Blum integer is a product of two distinct primes, each congruent to 3 modulo 4.