The Bit Security of Paillier's Encryption Scheme and Its Applications

At EuroCrypt'99, Paillier proposed a new encryption scheme based on higher residuosity classes. The new scheme was proven to be one-way under the assumption that computing N-residuosity classes in $\mathbb{Z}_{N^2}^*$ is hard. Similarly the scheme can be proven to be semantically secure under a much stronger decisional assumption: given $w \in \mathbb{Z}_{N^2}$ it is hard to decide if w is an N-residue or not. In this paper we examine the bit security of Paillier's scheme. We prove that, if computing residuosity classes is hard, then given a random w it is impossible to predict the least significant bit of its class significantly better than at random. This immediately yields a way to obtain semantic security without relying on the decisional assumption (at the cost of several invocations of Paillier's original function). In order to improve efficiency we then turn to the problem of simultaneous security of many bits. We prove that Paillier's scheme hides n - b (up to O(n)) bits if one assumes that computing the class c of a random w remains hard even when we are told that $c < 2^b$. We thoroughly examine the security of this stronger version of the intractability of the class problem. An important theoretical implication of our result is the construction of the first trapdoor function that hides super-logarithmically (up to O(n)) many bits. We generalize our techniques to provide sufficient conditions for a trapdoor function to have this property.
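The objects the abstract refers to (the class of w, its least significant bit, and the N-residue test) can be made concrete with a toy instance. This is an added illustration, not code from the paper: the primes are tiny constructed values, g = 1 + N is an assumed (commonly used) base, and all function names are hypothetical.

```python
# Added illustration: Paillier residuosity classes on a toy modulus (not secure).
from math import gcd

P, Q = 1009, 1013                  # constructed toy primes (assumption)
N = P * Q
N2 = N * N
G = 1 + N                          # assumed base g; has order N in Z*_{N^2}
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # trapdoor: lambda(N)

def L(u):
    """Paillier's L function, defined for u = 1 mod N."""
    return (u - 1) // N

def paillier(c, r):
    """Paillier's function: w = g^c * r^N mod N^2. c is the class of w."""
    if gcd(r, N) != 1:
        raise ValueError("r must be a unit mod N")
    return (pow(G, c, N2) * pow(r, N, N2)) % N2

def residuosity_class(w):
    """Recover the class of w using the trapdoor lambda(N).
    Without the factorization of N this is the assumed-hard class problem."""
    mu = pow(L(pow(G, LAM, N2)), -1, N)        # inverse of L(g^lambda) mod N
    return (L(pow(w, LAM, N2)) * mu) % N

def class_lsb(w):
    """The bit the paper proves hard to predict: lsb of the class of w."""
    return residuosity_class(w) & 1

def is_n_residue(w):
    """w is an N-residue exactly when its class is 0 (the decisional problem)."""
    return residuosity_class(w) == 0

def class_below(w, b):
    """Side information from the stronger assumption: is the class < 2^b ?"""
    return residuosity_class(w) < (1 << b)

if __name__ == "__main__":
    w = paillier(123457, 29)
    print("class:", residuosity_class(w), "lsb:", class_lsb(w))
    print("r^N is an N-residue:", is_n_residue(pow(5, N, N2)))
    print("class < 2^10:", class_below(paillier(1000, 7), 10))
```

Changing r changes w but never its class, which is why the class (and each of its bits) is the natural place to carry a message.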
