10.5555/647087.715703
Article

Generic Lower Bounds for Root Extraction and Signature Schemes in General Groups

Published: 02 May 2002

Abstract

We study the problem of root extraction in finite Abelian groups, where the group order is unknown. This is a natural generalization of the problem of decrypting RSA ciphertexts. We study the complexity of this problem for generic algorithms, that is, algorithms that work for any group and do not use any special properties of the group at hand. We prove an exponential lower bound on the generic complexity of root extraction, even if the algorithm can choose the "public exponent" itself. In other words, both the standard and the strong RSA assumption are provably true w.r.t. generic algorithms. The results hold for arbitrary groups, so security w.r.t. generic attacks follows for any cryptographic construction based on root extraction. As an example of this, we revisit the Cramer-Shoup signature scheme [10]. We modify the scheme such that it becomes a generic algorithm. This allows us to implement it in RSA groups without the original restriction that the modulus must be a product of safe primes. It can also be implemented in class groups. In all cases, security follows from a well defined complexity assumption (the strong root assumption), without relying on random oracles, and the assumption is shown to be true w.r.t. generic attacks.
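The abstract's running example, as an added worked example (my code, not the paper's; the paper's modified generic variant is not reproduced here): the original Cramer-Shoup scheme [10] over an RSA modulus that is a product of safe primes, which is exactly the restriction the paper removes. The signer takes e-th roots in QR_n through the trapdoor, the group order p'q'; everyone else sees only group elements and exponents, which is the situation the lower bound is about. Function names, the toy parameter sizes (128-bit safe primes) and the sample message are my choices, not the paper's.

```python
# Added example, not code from the paper: the original Cramer-Shoup signature
# scheme [10] over an RSA group of safe primes. Root extraction uses the trapdoor
# (the order p'q' of QR_n); toy parameter sizes are chosen for speed.
import hashlib
import secrets
from math import gcd

L = 256  # hash length in bits (SHA-256); signature exponents are (L+1)-bit primes

def is_probable_prime(n, rounds=24):
    """Miller-Rabin behind a small-prime sieve."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    """Random prime of exactly `bits` bits."""
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def safe_prime(bits):
    """Return (p, p') with p = 2p' + 1, both prime, p of exactly `bits` bits."""
    while True:
        p1 = random_prime(bits - 1)
        if is_probable_prime(2 * p1 + 1):
            return 2 * p1 + 1, p1

def extract_root(x, e, n, order):
    """e-th root of x in QR_n via the trapdoor order = |QR_n| = p'q'. Without
    `order` there is no shortcut: that is what the paper's lower bound formalises."""
    y = pow(x, pow(e, -1, order), n)  # ValueError if gcd(e, order) != 1
    if pow(y, e, n) != x:             # x was not in QR_n
        raise ValueError("no e-th root in QR_n")
    return y

def H(v):
    """SHA-256 of a message (bytes) or of a group element (int), as an integer."""
    if isinstance(v, int):
        v = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return int.from_bytes(hashlib.sha256(v).digest(), "big")

def keygen(prime_bits=128):
    """Public key (n, h, x, e'), private trapdoor p'q'. Real keys use
    prime_bits >= 1024; 128 keeps the safe-prime search fast here."""
    p, p1 = safe_prime(prime_bits)
    q, q1 = safe_prime(prime_bits)
    n, order = p * q, p1 * q1

    def random_qr():  # random element of QR_n = squares of units mod n
        while True:
            r = 2 + secrets.randbelow(n - 3)
            if gcd(r, n) == 1:
                return r * r % n

    return (n, random_qr(), random_qr(), random_prime(L + 1)), order

def sign(pub, order, m):
    n, h, x, e_prime = pub
    e = random_prime(L + 1)             # fresh (L+1)-bit prime, must differ from e'
    while e == e_prime:
        e = random_prime(L + 1)
    r = 2 + secrets.randbelow(n - 3)
    y1 = r * r % n                                   # random y' in QR_n
    x1 = pow(y1, e_prime, n) * pow(h, -H(m), n) % n  # x' = y'^e' * h^-H(m)
    y = extract_root(x * pow(h, H(x1), n) % n, e, n, order)  # y = (x h^H(x'))^(1/e)
    return e, y, y1

def verify(pub, m, sig):
    n, h, x, e_prime = pub
    e, y, y1 = sig
    if e % 2 == 0 or e.bit_length() != L + 1 or e == e_prime:
        return False
    x1 = pow(y1, e_prime, n) * pow(h, -H(m), n) % n
    return pow(y, e, n) * pow(h, -H(x1), n) % n == x
```

Run it as `pub, t = keygen(); sig = sign(pub, t, b"msg"); verify(pub, b"msg", sig)`. Two caveats the abstract implies but does not spell out. First, the lower bound is about generic algorithms, which touch group elements only through the group operation; factoring n with the number field sieve is not generic, so the bound rules out attacks that would work in every group and says nothing further about the concrete RSA instantiation (see [12] for this limitation of the model). Second, the trapdoor above is the order of QR_n; in a class group no party knows the order, which is why the paper needs the scheme to become generic before it can be moved there.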

References

[1]
Ingrid Biehl, Johannes Buchmann, Safuat Hamdy, and Andreas Meyer. A signature scheme based on the intractability of computing roots. Technical Report 1/00, Darmstadt University of Technology, 2000.
[2]
D. Boneh and R. J. Lipton. Algorithms for black-box fields and their application to cryptography. Lecture Notes in Computer Science, 1109:283-297, 1996.
[3]
D. Boneh and R. Venkatesan. Breaking RSA may not be equivalent to factoring. Lecture Notes in Computer Science, 1403:59-71, 1998.
[4]
Johannes Buchmann and H. C. Williams. A key-exchange system based on imaginary quadratic fields. Journal of Cryptology, 1(2):107-118, 1988.
[5]
Duncan A. Buell. The expectation of success using a Monte Carlo factoring method: some statistics on quadratic class numbers. Mathematics of Computation, 43(167):313-327, July 1984.
[6]
Marc Bütikofer. An abstraction of the Cramer-Damgård signature scheme based on tribes of q-one-way group homomorphisms. ETH Zürich, 1999.
[7]
H. Cohen and H. W. Lenstra Jr. Heuristics on class groups of number fields. In Number Theory, Noordwijkerhout 1983, volume 1068 of Lecture Notes in Mathematics, pages 33-62, 1984.
[8]
R. Cramer and I. Damgård. Secure signature schemes based on interactive protocols. Lecture Notes in Computer Science, 963:297-310, 1995.
[9]
R. Cramer and I. Damgård. New generation of secure and practical RSA-based signatures. Lecture Notes in Computer Science, 1109:173-185, 1996.
[10]
Ronald Cramer and Victor Shoup. Signature schemes based on the strong RSA assumption. In ACM Conference on Computer and Communications Security, pages 46-51, 1999.
[11]
Ivan Damgård and Maciej Koprowski. Generic lower bounds for root extraction and signature schemes in general groups (extended version). Cryptology ePrint Archive, Report 2002/013, 2002. http://eprint.iacr.org/.
[12]
Marc Fischlin. A note on security proofs in the generic model. In T. Okamoto, editor, Advances in Cryptology - ASIACRYPT 2000, volume 1976 of Lecture Notes in Computer Science, pages 458-469, Kyoto, Japan, 2000. Springer-Verlag, Berlin, Germany.
[13]
Safuat Hamdy and Bodo Möller. Security of cryptosystems based on class groups of imaginary quadratic orders. In T. Okamoto, editor, Advances in Cryptology - ASIACRYPT 2000, pages 234-247. Springer-Verlag, 2000.
[14]
M. Jacobson. Subexponential class group computation in quadratic orders. PhD thesis, Technische Universität Darmstadt, Darmstadt, Germany, 1999.
[15]
Tsutomu Matsumoto, Koki Kato, and Hideki Imai. Speeding up secret computations with insecure auxiliary devices. In S. Goldwasser, editor, Advances in Cryptology - CRYPTO '88, volume 403 of Lecture Notes in Computer Science, pages 497-506. Springer-Verlag, 1990 (conference held 21-25 August 1988).
[16]
U. Maurer and S. Wolf. Lower bounds on generic algorithms in groups. Lecture Notes in Computer Science, 1403:72-84, 1998.
[17]
J. Merkle and R. Werchner. On the security of server-aided RSA protocols. Lecture Notes in Computer Science, 1431:99-116, 1998.
[18]
V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165-172, 1994. Translated from Matematicheskie Zametki, 55(2):91-101, 1994.
[19]
P. Q. Nguyen and I. E. Shparlinski. On the insecurity of a server-aided RSA protocol. In C. Boyd, editor, Advances in Cryptology - ASIACRYPT 2001, volume 2248 of Lecture Notes in Computer Science, pages 21-35. Springer-Verlag, 2001.
[20]
C.-P. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4(3):161-174, 1991.
[21]
Claus Peter Schnorr. Security of DL-encryption and signatures against generic attacks: a survey. In K. Alster, H. C. Williams, and J. Urbanowicz, editors, Proceedings of Public-Key Cryptography and Computational Number Theory Conference, Warsaw, September 2000. Walter de Gruyter, 2002.
[22]
Claus Peter Schnorr and Markus Jakobsson. Security of discrete log cryptosystems in the random oracle + generic model. In Conference on The Mathematics of Public-Key Cryptography, The Fields Institute, Toronto, Canada, 1999.
[23]
Claus Peter Schnorr and Markus Jakobsson. Security of signed ElGamal encryption. In T. Okamoto, editor, Advances in Cryptology - ASIACRYPT 2000, volume 1976 of Lecture Notes in Computer Science, pages 73-89, Kyoto, Japan, 2000. Springer-Verlag, Berlin, Germany.
[24]
V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryptology: EUROCRYPT '97, pages 256-266, 1997.


Published In

EUROCRYPT '02: Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
May 2002
545 pages
ISBN: 3540435530

Publisher

Springer-Verlag, Berlin, Heidelberg


Cited By

• (2012) Secure accumulators from euclidean rings without trusted setup. Proceedings of the 10th International Conference on Applied Cryptography and Network Security, pages 224-240. doi:10.1007/978-3-642-31284-7_14. Online publication date: 26 Jun 2012.
• (2010) Efficiency limitations for Σ-protocols for group homomorphisms. Proceedings of the 7th International Conference on Theory of Cryptography, pages 553-571. doi:10.1007/978-3-642-11799-2_33. Online publication date: 9 Feb 2010.
• (2009) On the Analysis of Cryptographic Assumptions in the Generic Ring Model. Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology, pages 399-416. doi:10.1007/978-3-642-10366-7_24. Online publication date: 2 Dec 2009.
• (2009) Breaking RSA Generically Is Equivalent to Factoring. Proceedings of the 28th Annual International Conference on Advances in Cryptology - EUROCRYPT 2009, Volume 5479, pages 36-53. doi:10.1007/978-3-642-01001-9_2. Online publication date: 26 Apr 2009.
• (2008) Sufficient Conditions for Intractability over Black-Box Groups. Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology, pages 489-505. doi:10.1007/978-3-540-89255-7_30. Online publication date: 7 Dec 2008.
• (2007) Parallel repetition of computationally sound protocols revisited. Proceedings of the 4th Conference on Theory of Cryptography, pages 86-102. doi:10.5555/1760749.1760757. Online publication date: 21 Feb 2007.
• (2006) On the equivalence of RSA and factoring regarding generic ring algorithms. Proceedings of the 12th International Conference on Theory and Application of Cryptology and Information Security, pages 241-251. doi:10.1007/11935230_16. Online publication date: 3 Dec 2006.
• (2005) Password authenticated key exchange using hidden smooth subgroups. Proceedings of the 12th ACM Conference on Computer and Communications Security, pages 299-309. doi:10.1145/1102120.1102160. Online publication date: 7 Nov 2005.
• (2005) Efficient proofs of knowledge of discrete logarithms and representations in groups with hidden order. Proceedings of the 8th International Conference on Theory and Practice in Public Key Cryptography, pages 154-171. doi:10.1007/978-3-540-30580-4_11. Online publication date: 23 Jan 2005.
• (2005) Cryptography in subgroups of Z. Proceedings of the Second International Conference on Theory of Cryptography, pages 50-65. doi:10.1007/978-3-540-30576-7_4. Online publication date: 10 Feb 2005.

        View Options

        View options

        Get Access

        Login options

        Media

        Figures

        Other

        Tables

        Share

        Share

        Share this Publication link

        Share on social media