PKC 2000 18-20 january 2000 - Melbourne - Australia The Composite - - PDF document


Public Key Cryptography PKC 2000 18-20 january 2000 - Melbourne - Australia The Composite Discrete Logarithm and Secure Authentication David Pointcheval Département d'Informatique ENS - CNRS David.Pointcheval@ens.fr



David Pointcheval Département d'Informatique ENS - CNRS

Public Key Cryptography

PKC ‘2000

18-20 january 2000 - Melbourne - Australia

David.Pointcheval@ens.fr http://www.di.ens.fr/~pointche

The Composite Discrete Logarithm and Secure Authentication

The Composite Discrete Logarithm and Secure Authentication - PKC ‘2000 - 2 David Pointcheval ENS-CNRS

Overview

◆ Introduction
◆ Zero-Knowledge vs. Witness-Hiding
◆ The Discrete Logarithm Problem
◆ The GPS Identification Scheme
◆ The New Schemes
◆ Conclusion


Introduction

Authentication Protocols:
◆ Identification (Zero-Knowledge Proofs)
◆ Signatures (Non-Interactive Proofs)
◆ Blind Signatures (Anonymity)


Previous Work

◆ Fiat-Shamir (SQRT), Ong-Schnorr ($2^k$-th roots), Guillou-Quisquater (RSA), Schnorr (DL(p))

  • e-th roots and discrete logarithm

⇒ high computational load

◆ PKP, SD, CLE, PPP

  • combinatorial problems

⇒ high communication load


Tools: ZK vs. WI

◆ Zero-Knowledge (GMR 85):

no information leaked about the secret

◆ Witness Hiding/Indistinguishability (FS 90):

no useful information leaked about the witness (secret key)


Zero Knowledge

◆ Advantages:

  • no information leaked about the secret

⇒ perfect proof of knowledge (perfect authentication)

  • non-interactive version

⇒ signature schemes (FS86 - PS96)

◆ Drawbacks:

  • simulation ⇒ many iterations
  • large computations/communications

One of the best: Schnorr’s protocols


Witness Indistinguishability

◆ Advantages:

  • no useful information leaked about the witness (secret)

⇒ the good property for authentication

  • non-interactive version

⇒ signature schemes

  • no simulation ⇒ only one iteration
  • large computations/communications?

Candidates: Okamoto schemes (Crypto ‘92) but less efficient than Schnorr’s


The Discrete Logarithm Problem

◆ Setting:

  • n and m large numbers such that m | ϕ(n)
  • g in $\mathbb{Z}_n^*$ of order m

◆ Secret: x in $\mathbb{Z}_m^*$

◆ Public: $y = g^x \bmod n$

◆ Usually DL(p): n=p and m=q | p-1 are both large prime integers


The Composite Discrete Logarithm

◆ Composite Modulus: DL(n)

  • n hard to factor (e.g. n=pq)
  • DL(n) harder than FACT(n) and DL(p), where p is the greatest prime factor of n

⇒ DL(n) combines the two strongest problems

◆ Factorization: FACT(n)

$g^x = g^y \bmod n \Rightarrow \gcd(g^{x-y} \bmod n, n) \neq 1$


New Setting: α-strong modulus

◆ α-strong prime p: p=2r+1 and for any m ≤ α, gcd(m,r)=1
◆ α-strong RSA modulus n: n=pq and both p and q are α-strong primes
◆ asymmetric basis $g \in \mathbb{Z}_n^*$: 2 divides $\mathrm{Ord}_p(g)$ but not $\mathrm{Ord}_q(g)$

Theorem: a collision of $x \mapsto g^x \bmod n$ provides the factorization of n
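The theorem above, worked through on constructed toy parameters. This is an added example, not code from the slides: the primes 1019 and 1187, the brute-force search helpers and all function names are assumptions chosen for illustration, and the sizes are far too small for real use.

```python
from math import gcd

# Constructed toy parameters: p = 2*509 + 1 and q = 2*593 + 1 with 509 and 593
# prime, so n = p*q is an alpha-strong RSA modulus for any alpha < 509.
P, Q = 1019, 1187
N = P * Q

def order_mod(g, prime):
    """Multiplicative order of g modulo a prime (brute force, toy sizes only)."""
    k, acc = 1, g % prime
    while acc != 1:
        acc = acc * g % prime
        k += 1
    return k

def find_asymmetric_basis():
    """Smallest g >= 2 such that 2 divides Ord_p(g) but not Ord_q(g)."""
    for g in range(2, N):
        if gcd(g, N) == 1 and order_mod(g, P) % 2 == 0 and order_mod(g, Q) % 2 == 1:
            return g
    raise ValueError("no asymmetric basis found")

def find_collision(g):
    """Brute-force two exponents a < b with g^a = g^b mod n."""
    seen, acc, i = {}, 1, 0
    while acc not in seen:
        seen[acc] = i
        acc = acc * g % N
        i += 1
    return seen[acc], i

def factor_from_collision(g, a, b):
    """Turn a collision g^a = g^b mod n (a != b) into a prime factor of n."""
    if a == b:
        raise ValueError("not a collision")
    odd = abs(a - b)            # Ord(g) divides a - b
    while odd % 2 == 0:         # keep only the odd part of a - b
        odd //= 2
    # Ord_q(g) is odd and divides a - b, hence divides `odd`: g^odd = 1 mod q.
    # Ord_p(g) is even, so it cannot divide `odd`:            g^odd != 1 mod p.
    return gcd(pow(g, odd, N) - 1, N)

if __name__ == "__main__":
    g = find_asymmetric_basis()
    a, b = find_collision(g)
    print(g, (a, b), factor_from_collision(g, a, b))
```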


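Schnorr's Identification

◆ Common Data:

  • p and q large primes such that q | p-1
  • g in $\mathbb{Z}_p^*$ of order q

◆ Keys: s in $\mathbb{Z}_q$ and $v = g^{-s} \bmod p$

◆ Protocol:

  • Prover: $r \in \mathbb{Z}_q$ and $x = g^r \bmod p$; sends $x$ →
  • Verifier: $e \in \mathbb{Z}_{2^k}$; sends $e$ ←
  • Prover: $y = r + es \bmod q$; sends $y$ →
  • Verifier: checks $x \stackrel{?}{=} g^y v^e \bmod p$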


Schnorr's Identification

◆ Efficiency:

  • $(r, x = g^r)$ precomputed
  • just $r + es \bmod q$ to do on-line

Could we do better?


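The GPS Scheme

Girault (EC ‘91) - Poupard-Stern (EC ‘98)

  • n=pq large RSA modulus
  • g in $\mathbb{Z}_n^*$ of large order (unknown)
  • Keys: s in $\mathbb{Z}_S$ and $v = g^{-s} \bmod n$

Protocol:

  • Prover: $r \in \mathbb{Z}_R$ and $x = g^r \bmod n$; sends $x$ →
  • Verifier: $e \in \mathbb{Z}_{2^k}$; sends $e$ ←
  • Prover: $y = r + es$; sends $y$ →
  • Verifier: checks $x \stackrel{?}{=} g^y v^e \bmod n$

Parameters:

  • k - security level
  • log S - size of the secret
  • log R - size of the random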


The GPS Scheme

◆ Poupard-Stern:

  • no adversary can succeed but with negligible probability over g and e. Otherwise she can break DL(n)
  • it is statistically zero-knowledge if S > Ord(g) and $S \cdot 2^k / R$ negligible


The GPS Scheme

◆ Advantages:

  • high security level: DL(n)
  • just r+es to do on-line: no more modular reduction

◆ Drawbacks:

  • zero-knowledge: several iterations
  • S > Ord(g) (for any g): S > λ(n), and $R \gg S \cdot 2^k$

⇒ large parameters (S and R) and large secret key (s)


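New Scheme (New Setting)

  • n=pq large $2^k$-strong RSA modulus
  • g asymmetric basis in $\mathbb{Z}_n^*$ of large order
  • Keys: s in $\mathbb{Z}_S$ and $v = g^{-s} \bmod n$

Protocol:

  • Prover: $r \in \mathbb{Z}_R$ and $x = g^r \bmod n$; sends $x$ →
  • Verifier: $e \in \mathbb{Z}_{2^k}$; sends $e$ ←
  • Prover: $y = r + es$; sends $y$ →
  • Verifier: checks $x \stackrel{?}{=} g^y v^e \bmod n$

Parameters:

  • k - security level
  • log S - size of the secret
  • log R - size of the random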


Properties

◆ Statement: this protocol is

  • a proof of knowledge of s ($= -\log_g v$) relative to FACT(n)
  • statistically witness-indistinguishable if S > Ord(g) and $S \cdot 2^k / R$ negligible


Efficiency

◆ Drawbacks:

  • lower security level: FACT(n)

but isn’t that enough…?

◆ Advantages:

  • still just r+es to do on-line (no modular reduction)
  • witness-indistinguishable:

⇒ only one iteration with large k

  • still S > Ord(g) and $R \gg S \cdot 2^k$

but Ord(g) can be small (160 bits) ⇒ small secret key and numbers


More Concrete Efficiency

◆ Practical sizes:

  • security parameter: k=24
  • n a 1024-bit $2^k$-strong RSA modulus
  • g of 160-bit long order
  • the secret key s is less than $S = 2^{168}$
  • information leakage: $2^{k'} = R / (2^k \cdot S) = 2^{64}$

◆ Computations:

  • Mult(24,168) and Add(256,192)

◆ Communications:

  • only 360 bits (45 bytes)


Signature

◆ Data:

  • n=pq large $2^k$-strong RSA modulus
  • g asymmetric basis in $\mathbb{Z}_n^*$ of large order
  • Keys: s in $\mathbb{Z}_S$ and $v = g^{-s} \bmod n$

◆ Signature:

  • $r \in \mathbb{Z}_R$ and $x = g^r \bmod n$
  • e = H(m,x)
  • y = r + es

→ signature of m = (e,y)

◆ Verification:

$e = H(m, g^y v^e \bmod n)$
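The signature slide above (the non-interactive form of the identification protocol on the earlier slides), as an added example that is not code from the slides. The toy modulus, g = 10, the sizes K, S and R, SHA-256 as H, and the range check in verify are assumptions of this example.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use: p = 2*509 + 1 and
# q = 2*593 + 1 are safe primes, and g = 10 is an asymmetric basis
# (order 1018 mod p, order 593 mod q), so Ord(g) = 1018 * 593.
P, Q, G = 1019, 1187, 10
N = P * Q
K = 32          # challenge size in bits (assumed toy value)
S = 1 << 20     # bound on the secret, chosen so that S > Ord(g)
R = 1 << 76     # bound on the nonce, R = S * 2^K * 2^24

def challenge(message: bytes, x: int) -> int:
    """e = H(m, x) truncated to K bits; SHA-256 stands in for H (assumption)."""
    data = message + b"|" + x.to_bytes((N.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - K)

def keygen():
    """Secret s in Z_S and public v = g^(-s) mod n (needs Python 3.8+)."""
    s = secrets.randbelow(S)
    return s, pow(G, -s, N)

def sign(message: bytes, s: int):
    """Return (e, y); r and x can be computed before the message is known."""
    r = secrets.randbelow(R)
    x = pow(G, r, N)
    e = challenge(message, x)
    y = r + e * s               # plain integer multiply-add, no modular reduction
    return e, y

def verify(message: bytes, sig, v: int) -> bool:
    """Check e = H(m, g^y v^e mod n)."""
    e, y = sig
    # Range check added in this example; the slide gives only the hash equation.
    if not (0 <= e < (1 << K) and 0 <= y < R + (1 << K) * S):
        return False
    return e == challenge(message, pow(G, y, N) * pow(v, e, N) % N)

if __name__ == "__main__":
    s, v = keygen()
    sig = sign(b"constructed message", s)
    print(sig, verify(b"constructed message", sig, v))
```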


Security Properties

Statement: if S > Ord(g), then

  • an existential forgery
  • under an adaptively chosen-message attack
  • in the random oracle model

is harder than factorization


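Blind Signature

  • n=pq large $2^k$-strong RSA modulus
  • g asymmetric basis in $\mathbb{Z}_n^*$ of large order
  • Keys: s in $\mathbb{Z}_S$ and $v = g^{-s} \bmod n$

Protocol:

  • Signer: $r \in \mathbb{Z}_R$ and $x = g^r \bmod n$; sends $x$ →
  • User: $\beta \in \mathbb{Z}_M$, $h = g^{\beta} \bmod n$; $\gamma \in \{-2^k, \ldots, 2^k\}$, $\alpha = x h v^{\gamma} \bmod n$, $\varepsilon = H(m, \alpha)$, $e = \varepsilon - \gamma$, until $e \in \mathbb{Z}_{2^k}$; sends $e$ ←
  • Signer: $y = r + es$; sends $y$ →
  • User: checks $x \stackrel{?}{=} g^y v^e \bmod n$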


Security Properties

Properties: this protocol is

  • a statistically blind signature if R/M is negligible
  • statistically witness-indistinguishable if S > Ord(g) and $S \cdot 2^k / R$ is negligible (two witnesses → factorization of n)

⇒ a “one-more” forgery

  • under a parallel attack
  • in the random oracle model

is harder than the factorization of n


Parameters

Scheme                        GPS          New ID       New Sign.
Modulus                       |n=pq| = 1024 bits with |p| = |q| = 512 (all three schemes)
Ord(g)                        1022 bits    160 bits     160 bits
Security (k)                  24           24           128
Information leakage (k’)      64           64           64
S                             1030 bits    168 bits     168 bits
R                             1118 bits    256 bits     360 bits
Size                          1222 bits    360 bits     488 bits
Security                      = DL(n)      > Fact(n)    > Fact(n)


Conclusion

◆ New setting for GPS schemes:

  • very efficient identification (precomputation)
  • very efficient signature (“on the fly”)
  • very small secret key (less than 200 bits)
  • security relative to factorization (at least) (and then security of Schnorr’s schemes)

◆ New blind signature scheme

  • very efficient for the signer
  • with security relative to factorization