265 research outputs found

    New Assumptions and Efficient Cryptosystems from the $e$-th Power Residue Symbol

    The $e$-th power residue symbol $\left(\frac{\alpha}{\mathfrak{p}}\right)_e$ is a useful mathematical tool in cryptography, where $\alpha$ is an integer, $\mathfrak{p}$ is a prime ideal in the prime factorization of $p\mathbb{Z}[\zeta_e]$ with a large prime $p$ satisfying $e \mid p-1$, and $\zeta_e$ is an $e$-th primitive root of unity. One famous case of the $e$-th power symbol is the first semantically secure public key cryptosystem due to Goldwasser and Micali (at STOC 1982). In this paper, we revisit the $e$-th power residue symbol and its applications. In particular, we prove that computing the $e$-th power residue symbol is equivalent to solving the discrete logarithm problem. By this result, we give a natural extension of the Goldwasser-Micali cryptosystem, where $e$ is an integer only containing small prime factors. Compared to another extension of the Goldwasser-Micali cryptosystem due to Joye and Libert (at EUROCRYPT 2013), our proposal is more efficient in terms of bandwidth utilization and decryption cost. With a new complexity assumption naturally extended from the one used in the Goldwasser-Micali cryptosystem, our proposal is provably IND-CPA secure. Furthermore, we show that our results on the $e$-th power residue symbol can also be used to construct lossy trapdoor functions and circular and leakage resilient public key encryptions with more efficiency and better bandwidth utilization.

    Efficient Cryptosystems From $2^k$-th Power Residue Symbols

    Goldwasser and Micali (1984) highlighted the importance of randomizing the plaintext for public-key encryption and introduced the notion of semantic security. They also realized a cryptosystem meeting this security notion under the standard complexity assumption of deciding quadratic residuosity modulo a composite number. The Goldwasser-Micali cryptosystem is simple and elegant but is quite wasteful in bandwidth when encrypting large messages. A number of works followed to address this issue and proposed various modifications. This paper revisits the original Goldwasser-Micali cryptosystem using $2^k$-th power residue symbols. The so-obtained cryptosystems appear as a very natural generalization for $k \geq 2$ (the case $k = 1$ corresponds exactly to the Goldwasser-Micali cryptosystem). Advantageously, they are efficient in both bandwidth and speed; in particular, they allow for fast decryption. Further, the cryptosystems described in this paper inherit the useful features of the original cryptosystem (like its homomorphic property) and are shown to be secure under a similar complexity assumption. As a prominent application, this paper describes an efficient lossy trapdoor function based thereon.

    Threshold Cryptosystems Based on $2^k$-th Power Residue Symbols

    In this paper we introduce a novel version of the Joye-Libert cryptosystem that allows users to decrypt without knowing the factorisation of the composite modulus. Then we use our construction as a building block for a threshold decryption protocol of the homomorphic Joye-Libert encryption scheme. Finally, we present several extensions of the threshold cryptosystem.

    A New Generalisation of the Goldwasser-Micali Cryptosystem Based on the Gap $2^k$-Residuosity Assumption

    We present a novel public key encryption scheme that enables users to exchange many-bit messages by means of at least two large prime numbers in a Goldwasser-Micali manner. Our cryptosystem is in fact a generalization of the Joye-Libert scheme (being itself an abstraction of the first probabilistic encryption scheme). We prove the security of the proposed cryptosystem in the standard model (based on the gap $2^k$-residuosity assumption) and report complexity related facts. We also describe an application of our scheme to biometric authentication and discuss the security of our suggested protocol. Last but not least, we indicate several promising research directions.

    The Case of Small Prime Numbers Versus the Joye-Libert Cryptosystem

    In this paper we study the effect of using small prime numbers within the Joye-Libert public key encryption scheme. We introduce two novel versions and prove their security. We further show how to choose the system's parameters such that the security results hold. Moreover, we provide a practical comparison between the cryptographic algorithms we introduced and the original Joye-Libert cryptosystem.

    Koopman interpretation and analysis of a public-key cryptosystem: Diffie-Hellman key exchange

    The security of public-key cryptosystems relies on computationally hard problems, that are classically analyzed by number theoretic methods. In this paper, we introduce a new perspective on cryptosystems by interpreting the Diffie-Hellman key exchange as a nonlinear dynamical system. Employing Koopman theory, we transfer this dynamical system into a higher-dimensional space to analytically derive a purely linear system that equivalently describes the underlying cryptosystem. In this form, analytic tools for linear systems allow us to reconstruct the secret integers of the key exchange by simple manipulations. Moreover, we provide an upper bound on the minimal required lifting dimension to obtain perfect accuracy. To demonstrate the potential of our method, we relate our findings to existing results on algorithmic complexity. Finally, we transfer this approach to a data-driven setting where the Koopman representation is learned from data samples of the cryptosystem.
    Comment: 8 pages. This work has been submitted to IFAC for possible publication.

    Analysis and Decoding of Linear Lee-Metric Codes with Application to Code-Based Cryptography

    Lee-metric codes are defined over integer residue rings endowed with the Lee metric. Even though the metric is one of the oldest metrics considered in coding theory and has interesting applications in, for instance, DNA storage and code-based cryptography, it received relatively little attention compared to other distances like the Hamming metric or the rank metric. Hence, codes in the Lee metric are still less studied than codes in other metrics. Recently, the interest in the Lee metric increased due to its similarities with the Euclidean norm used in lattice-based cryptosystems. Additionally, it is a promising metric to reduce the key sizes or signature sizes in code-based cryptosystems. However, basic coding-theoretic concepts, such as a tight Singleton-like bound or the construction of optimal codes, are still open problems. Thus, in this thesis we focus on some open problems in the Lee metric and Lee-metric codes. Firstly, we introduce generalized weights for the Lee metric in different settings by adapting the existing theory for the Hamming metric over finite rings. We discuss their utility and derive new Singleton-like bounds in the Lee metric. Eventually, we abandon the classical idea of generalized weights and introduce generalized distances based on the algebraic structure of integer residue rings. This allows us to provide a novel and improved Singleton-like bound in the Lee metric over integer residue rings. For all the bounds we discuss the density of their optimal codes. Originally, the Lee metric has been introduced over a $q$-ary alphabet to cope with phase shift modulation. We consider two channel models in the Lee metric. The first is a memoryless channel matching to the Lee metric under the decoding rule ``decode to the nearest codeword''. The second model is a block-wise channel introducing an error of fixed Lee weight, motivated by code-based cryptography where errors of fixed weight are added intentionally. We show that both channels coincide in the limit of large block length, meaning that their marginal distributions match. This distribution enables us to provide bounds on the asymptotic growth rate of the surface and volume spectrum of spheres and balls in the Lee metric, and to derive bounds on the block error probability of the two channel models in terms of random coding union bounds. As vectors of fixed Lee weight are also of interest to cryptographic applications, we discuss the problem of scalar multiplication in the Lee metric in the asymptotic regime and in a finite-length setting. The Lee weight of a vector may be increased or decreased by the product with a nontrivial scalar. From a cryptographic viewpoint this problem is interesting, since an attacker may be able to reduce the weight of the error and hence reduce the complexity of the underlying problem. The construction of a vector with constant Lee weight using integer partitions is analyzed and an efficient method for drawing vectors of constant Lee weight uniformly at random from the set of all such vectors is given. We then focus on regular LDPC code families defined over integer residue rings and analyze their performance with respect to the Lee metric. We determine the expected Lee weight enumerator for a random code in a fixed regular LDPC code ensemble and analyze its asymptotic growth rate. This allows us to estimate the expected decoding error probability. Eventually, we estimate the error-correction performance of selected LDPC code families under belief propagation decoding and symbol message passing decoding and compare the performances. The thesis is concluded with an application of the results derived to code-based cryptography. Namely, we apply the marginal distribution to improve the fastest known Lee-information set decoding algorithm.

    New Number-Theoretic Cryptographic Primitives

    This paper introduces new $p^r q$-based one-way functions and companion signature schemes. The new signature schemes are interesting because they do not belong to the two common design blueprints, which are the inversion of a trapdoor permutation and the Fiat--Shamir transform. In the basic signature scheme, the signer generates multiple RSA-like moduli $n_i = p_i^2 q_i$ and keeps their factors secret. The signature is a bounded-size prime whose Jacobi symbols with respect to the $n_i$'s match the message digest. The generalized signature schemes replace the Jacobi symbol with higher-power residue symbols. Given their very unique design, the proposed signature schemes seem to be overlooked missing species in the corpus of known signature algorithms.