Generic Lower Bounds for Root Extraction and Signature Schemes in General Groups

We study the problem of root extraction in finite Abelian groups, where the group order is unknown. This is a natural generalization of the problem of decrypting RSA ciphertexts. We study the complexity of this problem for generic algorithms, that is, algorithms that work for any group and do not use any special properties of the group at hand. We prove an exponential lower bound on the generic complexity of root extraction, even if the algorithm can choose the "public exponent" itself. In other words, both the standard and the strong RSA assumption are provably true w.r.t. generic algorithms. The results hold for arbitrary groups, so security w.r.t. generic attacks follows for any cryptographic construction based on root extracting. As an example of this, we revisit Cramer-Shoup signature scheme [10]. We modify the scheme such that it becomes a generic algorithm. This allows us to implement it in RSA groups without the original restriction that the modulus must be a product of safe primes. It can also be implemented in class groups. In all cases, security follows from a well defined complexity assumption (the strong root assumption), without relying on random oracles, and the assumption is shown to be true w.r.t. generic attacks.

[1]  V. Nechaev Complexity of a determinate algorithm for the discrete logarithm , 1994 .

[2]  Igor E. Shparlinski,et al.  On the Insecurity of a Server-Aided RSA Protocol , 2001, ASIACRYPT.

[3]  Richard J. Lipton,et al.  Algorithms for Black-Box Fields and their Application to Cryptography (Extended Abstract) , 1996, CRYPTO.

[4]  Bodo Möller,et al.  Security of Cryptosystems Based on Class Groups of Imaginary Quadratic Orders , 2000, ASIACRYPT.

[5]  Peter,et al.  Security of Discrete Log Cryptosystems in theRandom Oracle + Generic ModelClaus , 1999 .

[6]  Henri Cohen,et al.  Heuristics on class groups of number fields , 1984 .

[7]  Johannes Merkle,et al.  On the Security of Server-Aided RSA Protocols , 1998, Public Key Cryptography.

[8]  Hideki Imai,et al.  Speeding Up Secret Computations with Insecure Auxiliary Devices , 1988, CRYPTO.

[9]  Victor Shoup,et al.  Lower Bounds for Discrete Logarithms and Related Problems , 1997, EUROCRYPT.

[10]  Johannes A. Buchmann,et al.  A Signature Scheme Based on the Intractability of Computing Roots , 2002, Des. Codes Cryptogr..

[11]  Tsuyoshi Takagi,et al.  Reducing Logarithms in Totally Non-maximal Imaginary Quadratic Orders to Logarithms in Finite Fields , 1999, ASIACRYPT.

[12]  Dan Boneh,et al.  Breaking RSA May Not Be Equivalent to Factoring , 1998, EUROCRYPT.

[13]  Marc Fischlin,et al.  A Note on Security Proofs in the Generic Model , 2000, ASIACRYPT.

[14]  Ivan Damgård,et al.  New Generation of Secure and Practical RSA-Based Signatures , 1996, CRYPTO.

[15]  Markus Jakobsson,et al.  Security of Signed ElGamal Encryption , 2000, ASIACRYPT.

[16]  Claus-Peter Schnorr,et al.  Efficient signature generation by smart cards , 2004, Journal of Cryptology.

[17]  Ronald Cramer,et al.  Signature schemes based on the strong RSA assumption , 2000, TSEC.

[18]  Claus Peter S hnorr Security of DL-encryption and signatures against generic attacks - a survey , 2000 .

[19]  Ivan Damgård,et al.  Secure Signature Schemes Based on Interactive Protocols See Back Inner Page for a List of Recent Publications in the Brics Report Series. Copies May Be Obtained by Contacting: Secure Signature Schemes Based on Interactive Protocols , 1995 .

[20]  Ueli Maurer,et al.  Lower Bounds on Generic Algorithms in Groups , 1998, EUROCRYPT.

[21]  Duncan A. Buell The expectation of success using a Monte Carlo factoring method—some statistics on quadratic class numbers , 1984 .

[22]  Michael J. Jacobson,et al.  Subexponential class group computation in quadratic orders , 1999 .