

A New Rabin-type Trapdoor Permutation

and its Applications

Katja Schmidt-Samoa

TU Darmstadt

STM 2005

Trapdoor one-way Permutations | Applications

1 Trapdoor one-way Permutations
  Definition and Examples
  New Provably Secure Trapdoor OW Permutations

2 Applications
  Hybrid Encryption
  Trapdoor Hashing

K. Schmidt-Samoa A New Rabin-type Trapdoor Permutation

Informal Def. of Trapdoor OW Permutations

F = {f_i | f_i : A_i → B_i, f_i is bijective} is a family of trapdoor one-way permutations if for all i:

f_i is easy to compute

f_i is hard to invert

a trapdoor s_i exists s.t. inverting f_i is easy knowing s_i

F is easy to sample

[Figure: x → f(x) is easy; f(x) → x is easy with the trapdoor]

Trapdoor OW Permutations in Cryptography

Used for public key encryption, digital signatures, private information retrieval, ...

↪→ of prime importance!

... BUT ...

Existence (of OW functions) is unproven to date!

Alternative: provably secure trapdoor OW permutations

break one-wayness ⇒ solve presumably hard problem

BUT: only very few candidates are known

Famous Candidates for Trapdoor OW Functions

RSA permutation (1978)

n = pq, gcd(e, ϕ(n)) = 1

Z_n^× −→ Z_n^×
x ↦ x^e mod n

Trapdoor: d = e^{-1} mod ϕ(n)

Hard problem: RSA

Rabin (1979)

n = pq

Z_n^× −→ QR(n)
x ↦ x^2 mod n

Trapdoor: p, q

Hard problem: FACT

NO injection (4-to-1), but: p, q ≡ 3 mod 4 ⇒ squaring mod n = pq is a permutation on QR(n) (Blum-Williams)

New Trapdoor OW Permutations

p, q ∈ PRIMES(k), n = p^2 q

Definition (Set of n-th residues mod n)

N-R(n) := {x ∈ Z_n^× | x = y^n mod n for a y ∈ Z_n^×}

x^n = y^n mod n ⇐⇒ x = y mod pq.

⇓

If factoring n = p^2 q is hard, then

f_{N-R} : N-R(n) −→ N-R(n), x ↦ x^n mod n

and

f_{pq} : Z_{pq}^× −→ N-R(n), x ↦ x^n mod n

are trapdoor OW permutations (trapdoor: d = n^{-1} mod ϕ(pq))

Similarities between Proposal and Rabin

Proposal: Z_n^× −→ N-R(n) for n = p^2 q, x ↦ x^n mod n
Rabin:    Z_n^× −→ QR(n) for n = pq, x ↦ x^2 mod n

Proposal                                          | Rabin
p-to-1                                            | 4-to-1
non-trivial kernel element reveals factorization of n (both)
restriction to N-R(n) is a permutation            | restriction to QR(n) is a permutation (p = q = 3 mod 4)
restriction to Z_{pq}^× is a permutation          | no analogue known
hard to distinguish N-R(n) and Z_n^×              | hard to distinguish QR(n) and Z_n^×
the above distinction is easy if the factorization of n is known (both):
x ∈ N-R(n) ⇐⇒ x^{p−1} = 1 mod p^2
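The structural claims of the last three slides can be checked by brute force on toy moduli: Rabin squaring is 4-to-1 on Z_n^× but a permutation on QR(n) when p, q ≡ 3 mod 4; the proposed map x ↦ x^n mod n for n = p^2 q is p-to-1 on Z_n^×, a permutation on N-R(n) and on Z_{pq}^×, inverted by d = n^{-1} mod ϕ(pq), with N-R(n) membership decided by x^{p−1} ≡ 1 mod p^2, and a non-trivial kernel element giving away the factorization. The following Python is an added example and not code from the talk; the primes p = 7, q = 11 are constructed toy parameters far too small for any real use, and the function names are my own.

```python
# Added example (not from the talk): brute-force structure checks on toy moduli
# for Rabin squaring (n = pq) and the proposed map x -> x^n mod n (n = p^2 q).
# All parameters are tiny constructed values for illustration only.
from math import gcd
from collections import Counter


def units(n):
    """Z_n^x: the residues in [1, n) coprime to n."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def preimage_profile(n, exponent):
    """Apply x -> x^exponent mod n on Z_n^x; return {#preimages: #images}.
    A permutation gives {1: |Z_n^x|}; a t-to-1 map gives {t: |Z_n^x| / t}."""
    images = Counter(pow(x, exponent, n) for x in units(n))
    return dict(Counter(images.values()))


# Rabin: n = pq with p = q = 3 mod 4 (constructed toy Blum integer)
P_RABIN, Q_RABIN = 7, 11
N_RABIN = P_RABIN * Q_RABIN


def rabin_is_permutation_on_qr():
    """Squaring is 4-to-1 on Z_n^x but a permutation on QR(n) (Blum-Williams)."""
    qr = sorted(set(pow(x, 2, N_RABIN) for x in units(N_RABIN)))
    squares_of_qr = sorted(set(pow(x, 2, N_RABIN) for x in qr))
    return squares_of_qr == qr and len(qr) == len(units(N_RABIN)) // 4


# Proposal: n = p^2 q (constructed toy primes)
P, Q = 7, 11
N = P * P * Q
PQ = P * Q
D = pow(N, -1, (P - 1) * (Q - 1))   # trapdoor d = n^{-1} mod phi(pq)


def f(x):
    """Public map x -> x^n mod n."""
    return pow(x, N, N)


def f_inverse(c):
    """Trapdoor inversion on Z_pq^x: c -> c^d mod pq."""
    return pow(c, D, PQ)


def nth_residues():
    """N-R(n), the n-th residues mod n, computed by exhausting Z_n^x."""
    return sorted(set(f(x) for x in units(N)))


def in_nr_with_trapdoor(x):
    """Slide's membership test: x in N-R(n) <=> x^(p-1) = 1 mod p^2."""
    return gcd(x, N) == 1 and pow(x, P - 1, P * P) == 1


def check_membership_test():
    nr = set(nth_residues())
    return all((x in nr) == in_nr_with_trapdoor(x) for x in units(N))


def check_restrictions_are_permutations():
    nr = nth_residues()
    on_nr = sorted(set(f(x) for x in nr)) == nr          # N-R(n) -> N-R(n) bijective
    z_pq = units(PQ)
    images = [f(x) for x in z_pq]
    on_zpq = sorted(images) == nr                         # Z_pq^x -> N-R(n) bijective
    inverts = all(f_inverse(f(x)) == x for x in z_pq)     # d undoes the map
    return on_nr and on_zpq and inverts


def check_congruence_criterion():
    """x^n = y^n mod n  <=>  x = y mod pq, for all units x, y."""
    fx = {x: f(x) for x in units(N)}
    return all((fx[x] == fx[y]) == (x % PQ == y % PQ) for x in fx for y in fx)


def kernel_reveals_factors():
    """Non-trivial kernel elements (x^n = 1 mod n, x != 1) are = 1 mod pq, so
    gcd(x - 1, n) = pq and n / pq = p: the slide's observation that such an
    element reveals the factorization of n."""
    kernel = [x for x in units(N) if f(x) == 1 and x != 1]
    return bool(kernel) and all(gcd(x - 1, N) == PQ for x in kernel) and N // PQ == P


if __name__ == "__main__":
    print("Rabin squaring on Z_n^x :", preimage_profile(N_RABIN, 2))   # {4: 15}
    print("proposed map on Z_n^x   :", preimage_profile(N, N))        # {7: 60}
    print("all checks pass:", rabin_is_permutation_on_qr() and check_membership_test()
          and check_restrictions_are_permutations() and check_congruence_criterion()
          and kernel_reveals_factors())
```

Each check_* function returns True exactly when the corresponding slide claim holds for the toy parameters; the preimage profiles show the 4-to-1 and p-to-1 behaviour on the full unit group, which is why both maps must be restricted to a subgroup before they are permutations.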

Hybrid Encryption

laborious key management in secret key cryptography, costly operations in public key cryptography

public key scheme that uses efficient secret key encryption as black box

↪→ hybrid encryption

Frameworks for Hybrid Encryption

Fujisaki/Okamoto 1998: two generic conversions (EPOC-1/2)

Okamoto/Pointcheval 2001: REACT conversion (EPOC-3)

Cramer/Shoup 2001: KEM/DEM framework

Abe/Kurosawa/Gennaro 2005: Tag-KEM/DEM framework

...

A New Tag-KEM

Key-Gen(1^k):   Choose p, q ∈ PRIMES(k)
                Compute n = p^2 q, d = n^{-1} mod ϕ(pq)
                Define rLen = 2k − 2
                Return pk = (n, rLen) and sk = (d, p, q)

KEM-Key(pk):    Choose ω ∈ {0, 1, ..., 2^rLen − 1}
                Compute G(ω) = dk   (DEM key)
                Return (ω, dk)

Encap_pk(ω, τ): Compute c1 = ω^n mod n
                Compute c2 = H(ω, τ)   (integrity check)
                Return Ψ = (c1, c2)

Decap_sk(Ψ, τ): Parse Ψ as (c1, c2)
                Compute r = c1^d mod pq
                If |r|_2 > rLen or H(r, τ) ≠ c2, return ⊥, else return G(r)

Scheme    assumpt.  encrypt       decrypt                    pk
EPOC-2    FACT      7k/2 MM(3k)   3k/2 MM(2k) + 7k/4 MM(k)   9k
EPOC-3    Gap-HR    7k/2 MM(3k)   3k/2 MM(2k)                9k
Proposed  FACT      9k/2 MM(3k)   3k MM(k)                   3k

Table: Comparison between proposed hybrid encryption scheme and

MM(k) = multiplication modulo a k-bit number (k = |p|_2 = |q|_2)

Trapdoor Hashing

− blinding: hash values of different messages are indistinguishable

− binding: without secret key no one can find collisions

Weak altering (trapdoor collisions) / Strong altering (trapdoor collisions):

uniformity: trapdoor hashes are indistinguishable from real hashes

[Figure: trapdoor collision diagrams for weak and strong altering]

Scheme    Assumption  strong  hash            weak alt.
[BK90]    DL          NO      ≈ 1 exp.        ≈ 1 mult.
[KR00]    FACT        YES     ≈ |m|_2 mult.   ≈ 5 mult.
[ST01]    FACT        NO      1 exp.          1 add. + bit shift
proposed  FACT        YES     1 exp.          1 add. + bit shift

Table: Comparison of trapdoor hash families suitable for Shamir-Tauman on-line/off-line signatures [ST01]

invented new trapdoor permutations based on factoring n = p^2 q

proposed new hybrid encryption scheme

designed new practical trapdoor hashes

Thanks for your attention!

The KEM/DEM Framework

Cramer/Shoup 2001

KEM (Key Encapsulation Mechanism)

[Figure: a random key dk is generated; dk is encrypted to c with the public KEM-key; c is decrypted with the secret KEM-key]

cf. public key encryption scheme without messages

DEM (Data Encapsulation Mechanism)

cf. secret key encryption scheme

The KEM/DEM Framework, cont'd

Generic method

Encryption:
dk ← KEM-Key_pk
τ ← DEM-Enc_dk(m)
Ψ ← Encap_pk(dk)
Return (Ψ, τ)

Decryption:
dk ← Decap_sk(Ψ)
m ← DEM-Dec_dk(τ)
Return m

CCA-secure KEM + CCA-secure DEM = CCA-secure KEM/DEM

adversary with adaptive oracle access to Decap_sk cannot distinguish if a given DEM key is encapsulated in the challenge or not. Restriction: Decap_sk must not be queried on the challenge.

The Tag-KEM/DEM Framework

Abe/Kurosawa/Gennaro 2005

Tag-KEM (Key Encapsulation Mechanism)

[Figure: a random key dk is generated; dk is encrypted to c with the public KEM-key and the tag; c is decrypted with the secret KEM-key and the tag]

DEM (Data Encapsulation Mechanism)

cf. secret key encryption scheme

The Tag-KEM/DEM Framework, cont'd

Generic method

Encryption:
dk ← KEM-Key_pk
τ ← DEM-Enc_dk(m)
Ψ ← Encap_pk(dk, τ)
Return (Ψ, τ)

Decryption:
dk ← Decap_sk(Ψ, τ)
m ← DEM-Dec_dk(τ)
Return m

CCA-secure tag-KEM: adversary with adaptive oracle access to Decap_sk cannot distinguish if a given DEM key is encapsulated in the challenge or not. Restriction: Decap_sk must not be queried on the challenge (Ψ, τ). Queries (Ψ, τ′ ≠ τ) are ok
↪→ integrity of tag
↪→ DEM is required to be secure against passive attacks only
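The Tag-KEM from the "A New Tag-KEM" slide plugged into the generic Tag-KEM/DEM method above, as an added example that is not the talk's own code. The slides do not fix G, H or the DEM, so the following assumptions are mine: G and H are SHA-256 with domain separation, the DEM is a SHA-256 keystream XOR (passively secure only, which is all the framework requires of it, since the tag τ is bound by H inside the Tag-KEM), and the 16-bit primes 65521 and 65519 are constructed constants with no real security, chosen so the example runs instantly. Function names are mine.

```python
# Added example (not the talk's own code): the proposed Tag-KEM inside the
# generic Tag-KEM/DEM method. G, H, the DEM and the primes are assumptions.
import hashlib
import os
from math import gcd

K = 16                            # toy security parameter: 16-bit primes (constructed)
P_CONST, Q_CONST = 65521, 65519   # constructed 16-bit primes for the demo only


def is_prime(m):
    """Trial division; sufficient for the tiny constructed primes above."""
    return m > 1 and all(m % i for i in range(2, int(m ** 0.5) + 1))


def key_gen(p=P_CONST, q=Q_CONST):
    """Key-Gen(1^k): n = p^2 q, d = n^{-1} mod phi(pq), rLen = 2k - 2."""
    assert is_prime(p) and is_prime(q) and p.bit_length() == K == q.bit_length()
    n = p * p * q
    phi_pq = (p - 1) * (q - 1)
    assert gcd(n, phi_pq) == 1          # d must exist
    d = pow(n, -1, phi_pq)
    r_len = 2 * K - 2
    return (n, r_len), (d, p, q)


def G(omega):
    """DEM key derivation (assumption: SHA-256 with a domain tag)."""
    return hashlib.sha256(b"G|" + omega.to_bytes(32, "big")).digest()


def H(omega, tag):
    """Integrity check over (omega, tau) (assumption: SHA-256 with a domain tag)."""
    return hashlib.sha256(b"H|" + omega.to_bytes(32, "big") + b"|" + tag).digest()


def kem_key(pk, omega=None):
    """KEM-Key(pk): choose omega in [0, 2^rLen), return (omega, dk = G(omega))."""
    n, r_len = pk
    if omega is None:
        omega = int.from_bytes(os.urandom(r_len // 8 + 1), "big") % (1 << r_len)
    return omega, G(omega)


def encap(pk, omega, tag):
    """Encap_pk(omega, tau): c1 = omega^n mod n, c2 = H(omega, tau)."""
    n, _ = pk
    return pow(omega, n, n), H(omega, tag)


def decap(sk, psi, tag):
    """Decap_sk(Psi, tau): r = c1^d mod pq; reject if r is too long or H mismatches."""
    d, p, q = sk
    c1, c2 = psi
    r = pow(c1, d, p * q)
    if r.bit_length() > 2 * K - 2 or H(r, tag) != c2:
        return None                   # bottom: invalid encapsulation
    return G(r)


def dem_enc(dk, msg):
    """Toy DEM: XOR with a SHA-256 keystream. Passively secure only, which is all
    the Tag-KEM/DEM framework asks of the DEM; integrity of tau comes from H."""
    stream = b"".join(hashlib.sha256(dk + i.to_bytes(4, "big")).digest()
                      for i in range(len(msg) // 32 + 1))
    return bytes(a ^ b for a, b in zip(msg, stream))


dem_dec = dem_enc   # the XOR keystream is its own inverse


def hybrid_encrypt(pk, msg, omega=None):
    """Generic method: dk <- KEM-Key, tau <- DEM-Enc_dk(m), Psi <- Encap_pk(dk, tau)."""
    omega, dk = kem_key(pk, omega)
    tau = dem_enc(dk, msg)
    psi = encap(pk, omega, tau)
    return psi, tau


def hybrid_decrypt(sk, psi, tau):
    """dk <- Decap_sk(Psi, tau); on bottom reject, else m <- DEM-Dec_dk(tau)."""
    dk = decap(sk, psi, tau)
    return None if dk is None else dem_dec(dk, tau)


def demo():
    pk, sk = key_gen()
    msg = b"constructed sample plaintext"
    psi, tau = hybrid_encrypt(pk, msg)
    ok = hybrid_decrypt(sk, psi, tau) == msg
    # Flipping one bit of the DEM ciphertext changes the tag, so Decap returns bottom
    tampered = bytes([tau[0] ^ 1]) + tau[1:]
    rejected = hybrid_decrypt(sk, psi, tampered) is None
    return ok, rejected


if __name__ == "__main__":
    print(demo())   # (True, True)
```

Two behaviours of the slide's Decap are worth seeing in practice: a modified τ is rejected because c2 = H(ω, τ) no longer matches, which is what lets the malleable DEM get away with passive security, and an ω whose bit length exceeds rLen is rejected by the length check even though c1^d mod pq recovers it correctly.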

On-line/Off-line Signatures

Ordinary signatures:

[Figure: ordinary signing]

On-line/off-line signatures:

[Figure: off-line phase, on-line phase]

Invented 1996 by Even/Goldreich/Micali

Improved Construction 2001 by Shamir/Tauman

Shamir-Tauman On-line Off-line Signatures

Key generation:

1. generate sign keys
2. generate hash keys
3. publish

Off-line phase:

1. create hash
2. sign hash

On-line phase:

[Figure: on-line phase; message to be signed]

Shamir-Tauman On-line Off-line Signatures, cont'd

overhead: weak trapdoor altering (on-line)

↪→ weak trapdoor altering should be extremely fast

weakly secure signature scheme + weak trapdoor hash ⇒ strongly secure on-line/off-line signature scheme

even more weakly secure signature scheme + strong trapdoor hash ⇒ strongly secure on-line/off-line signature scheme

We need a strong trapdoor hash with extremely fast weak trapdoor altering.

[BK90] J. F. Boyar and S. A. Kurtz. A discrete logarithm implementation of perfect zero-knowledge blobs. Journal of Cryptology, 2(2):63–76, 1990.

[KR00] H. Krawczyk and T. Rabin. Chameleon signatures. In NDSS. The Internet Society, 2000.

[ST01] A. Shamir and Y. Tauman. Improved online/offline signature schemes. In Joe Kilian, editor, CRYPTO, volume 2139 of Lecture Notes in Computer Science, pages 355–367. Springer, 2001.