On-Line/Off-Line DCR-Based Homomorphic Encryption and Applications

  • Conference paper
  • Topics in Cryptology – CT-RSA 2023 (CT-RSA 2023)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13871)

Abstract

On-line/off-line encryption schemes enable the fast encryption of a message from a pre-computed coupon. The paradigm was put forward in the case of digital signatures.

This work introduces a compact public-key additively homomorphic encryption scheme. The scheme is semantically secure under the decisional composite residuosity (DCR) assumption. Compared to Paillier cryptosystem, it merely requires one or two integer additions in the on-line phase and no increase in the ciphertext size. This work also introduces a compact on-line/off-line trapdoor commitment scheme featuring the same fast on-line phase. Finally, applications to chameleon signatures are presented.

Notes

  1. In practice, there is no need to check that \(\gcd (r, N) = 1\). This condition is verified with overwhelming probability, namely with probability \(1 - \frac{1}{N-1-\#(\mathbb {Z}/N\mathbb {Z})^*} > 1 - \frac{1}{\sqrt{N}}\).

  2. That is, where the randomness used during encryption can be recovered together with the message by the decryption algorithm.

  3. As noted in [14, § 4.2], it is important to append \( pk _R\) (along with a description of the chameleon hash function \({\textsf{Com}}\)) in the evaluation of augmented message \(\hat{m}\). Otherwise, the signer or the recipient could claim that the chameleon hash was generated under a different hash function.

References

  1. Ateniese, G., de Medeiros, B.: Identity-based chameleon hash and applications. In: Juels, A. (ed.) FC 2004. LNCS, vol. 3110, pp. 164–180. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-27809-2_19

  2. Ateniese, G., de Medeiros, B.: On the key exposure problem in chameleon hashes. In: Blundo, C., Cimato, S. (eds.) SCN 2004. LNCS, vol. 3352, pp. 165–179. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30598-9_12

  3. Bellare, M., Ristov, T.: A characterization of chameleon hash functions and new, efficient designs. J. Cryptol. 27(4), 799–823 (2014). https://doi.org/10.1007/s00145-013-9155-8

  4. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., et al. (eds.) 1st Conference on Computer and Communications Security (ACM CCS 1993), pp. 62–73. ACM Press (1993). https://doi.org/10.1145/168588.168596

  5. Brassard, G., Chaum, D., Crépeau, C.: Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. 37(2), 156–189 (1988). https://doi.org/10.1016/0022-0000(88)90005-0

  6. Bresson, E., Catalano, D., Pointcheval, D.: A simple public-key cryptosystem with a double trapdoor decryption mechanism and its applications. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 37–54. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40061-5_3

  7. Catalano, D., Gennaro, R., Howgrave-Graham, N., Nguyen, P.Q.: Paillier’s cryptosystem revisited. In: Reiter, M.K., Samarati, P. (eds.) 8th Conference on Computer and Communications Security (ACM CCS 2001), pp. 206–214. ACM Press (2001). https://doi.org/10.1145/501983.502012

  8. Catalano, D., Nguyen, P.Q., Stern, J.: The hardness of Hensel lifting: the case of RSA and discrete logarithm. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 299–310. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_19

  9. Chen, X., Zhang, F., Kim, K.: Chameleon hashing without key exposure. In: Zhang, K., Zheng, Y. (eds.) ISC 2004. LNCS, vol. 3225, pp. 87–98. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30144-8_8

  10. Even, S., Goldreich, O., Micali, S.: On-line/off-line digital signatures. J. Cryptol. 9(1), 35–67 (1996). https://doi.org/10.1007/BF02254791

  11. Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. J. ACM 38(3), 690–728 (1991). https://doi.org/10.1145/116825.116852

  12. Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984). https://doi.org/10.1016/0022-0000(84)90070-9

  13. Joye, M.: An efficient on-line/off-line signature scheme without random oracles. In: Franklin, M.K., Hui, L.C.K., Wong, D.S. (eds.) CANS 2008. LNCS, vol. 5339, pp. 98–107. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89641-8_7

  14. Krawczyk, H., Rabin, T.: Chameleon signatures. In: Network and Distributed System Security Symposium (NDSS 2000). The Internet Society (2000). https://www.ndss-symposium.org/ndss2000/chameleon-signatures/

  15. Kurosawa, K., Takagi, T.: One-wayness equivalent to general factoring. IEEE Trans. Inf. Theory 55(9), 4249–4262 (2009). https://doi.org/10.1109/TIT.2009.2025532

  16. Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1997). https://doi.org/10.1201/9780429466335

  17. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_16


Author information

Corresponding author: Marc Joye.

Appendices

Public-Key Encryption

A public-key encryption scheme (see e.g. [16, Chapter 8]) is a tuple of three polynomial-time algorithms, \(({\textsf{KeyGen}}, {\textsf{Enc}}, {\textsf{Dec}})\):

  • Key generation. The key generation algorithm \({\textsf{KeyGen}}\) is a probabilistic algorithm that takes on input a security parameter \(\kappa \) and outputs a pair of public and private key: \(( pk , sk ) {\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}{\textsf{KeyGen}}(1^\kappa )\).

  • Encryption. Let \(\mathcal {M}\) denote the message space. The encryption algorithm \({\textsf{Enc}}\) is a randomized algorithm that takes on input a public key \( pk \) and a plaintext \(m \in \mathcal {M}\), and returns a ciphertext C. We write \(C \leftarrow {\textsf{Enc}}_ pk (m)\).

  • Decryption. The decryption algorithm \({\textsf{Dec}}\) takes on input secret key \( sk \) (matching \( pk \)) and ciphertext C. It returns the corresponding plaintext m or a special symbol \(\bot \) indicating that the ciphertext is invalid. We write \(m\leftarrow {\textsf{Dec}}_ sk (C)\) if C is a valid ciphertext and \(\bot \leftarrow {\textsf{Dec}}_ sk (C)\) if it is not.

It is required that for all \(( pk , sk ) {\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}{\textsf{KeyGen}}(1^\kappa )\), \({\textsf{Dec}}_ sk \bigl ({\textsf{Enc}}_ pk (m)\bigr ) = m\) for any message \(m \in \mathcal {M}\).

Security Proofs

1.1 One-Wayness

One-wayness is the minimal security requirement an encryption scheme must meet: An adversary should not be able to recover the plaintext given its encryption.

The cryptosystem of Sect. 3.1 fulfills this requirement under the Hensel Lifting assumption [8].

Assumption 1

(Hensel Lifting). Let \(\kappa \) be a security parameter. Let also \({\textsf{RSAgen}}(1^\kappa )\) be a probabilistic polynomial-time algorithm that generates two equal-size primes p and q. The Composite Residuosity assumption conjectures that for all probabilistic polynomial-time algorithms \(\mathcal {B}\),

$$\begin{aligned} \Pr \bigl [\mathcal {B}(N,y) = x^N \bmod N^2 \mid (p,q) {\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}{\textsf{RSAgen}}(1^\kappa ); N \leftarrow pq; \\ x {\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}(\mathbb {Z}/N\mathbb {Z})^*; y \leftarrow x^N \bmod N\bigr ] \end{aligned}$$

is negligible in \(\kappa \).

The proof is by reduction. We assume that there exists an adversary \(\mathcal {A}\) against the one-wayness property of the scheme. We will use this adversary to break the Hensel Lifting assumption. Consider the following algorithm \(\mathcal {B}\) receiving as an input a challenge \((\hat{N},\hat{y})\) where \(\hat{N} {\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}{\textsf{RSAgen}}(1^\kappa )\) and \(\hat{y} = \hat{x}^{N} \bmod N\) with \(\hat{x} {\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}(\mathbb {Z}/N\mathbb {Z})^*\):

  1. \(\mathcal {B}\) sets \(N = \hat{N}\) and defines \( pk = N\). It also sets \(u = \hat{y}\), draws \(v {\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}\{0,1, \dots , N-1\}\), and lets \(C = (u,v)\). It gives public key \( pk \) and challenge ciphertext C to \(\mathcal {A}\).

  2. \(\mathcal {A}\) returns a plaintext m—remark here that all ciphertexts are valid.

  3. From the received m, \(\mathcal {B}\) outputs \(Y {:}{=} u + Nu(v-m) \bmod N^2\).

Observe that \(u = \hat{x}^N \bmod N\) and, if \(m = {\textsf{Dec}}_ sk (C)\), that \(v - m \equiv \varUpsilon _{\!N}(\hat{x}^N \bmod N^2) \pmod N\). As a result, we have \(Y \equiv (\hat{x}^N \bmod N) + N \Bigl \lfloor \frac{\hat{x}^N \bmod N^2}{N} \Bigr \rfloor \equiv \hat{x}^N \pmod {N^2}\).

In turn, as shown in [8, Theorem 2], we get that the one-wayness of the cryptosystem holds under the Computational Composite Residuosity (CCR) assumption.

Assumption 2

(Computational Composite Residuosity [17]). Let \(\kappa \) be a security parameter and let \({\textsf{RSAgen}}(1^\kappa )\) be a probabilistic polynomial-time algorithm that generates two equal-size primes p and q. The CCR assumption conjectures that for all probabilistic polynomial-time algorithms \(\mathcal {B}\),

$$ \Pr \left[ \mathcal {B}(N,y,g) = c \mathrel {\Bigg \vert } \begin{array}{@{}l@{}} (p,q) {\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}{\textsf{RSAgen}}(1^\kappa ); N \leftarrow pq;\\ g {\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}(\mathbb {Z}/N^2\mathbb {Z})^* \text { s.t. } \text {ord}(g) \propto N; c{\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}\{0,1, \dots , N-1\};\\ x {\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}(\mathbb {Z}/N^2\mathbb {Z})^*; y \leftarrow g^c x^N \bmod N^2 \end{array}\right] $$

is negligible in \(\kappa \).

1.2 Semantic Security

We now show that the cryptosystem of Sect. 3.1 is semantically secure [12] under the Decisional Composite Residuosity (DCR) assumption.

Assumption 3

(Decisional Composite Residuosity [17]). Let \(\kappa \) be a security parameter and let \({\textsf{RSAgen}}(1^\kappa )\) be a probabilistic polynomial-time algorithm that generates two equal-size primes p and q. Consider the distributions \(\text {dist}_0(\kappa )\) and \(\text {dist}_1(\kappa )\) given by

$$ \text {dist}_0(\kappa ) = \bigl \{(N,R) \mid N \leftarrow pq \text { with } (p,q) {\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}{\textsf{RSAgen}}(1^\kappa ) \wedge R {\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}(\mathbb {Z}/N^2\mathbb {Z})^* \bigr \} $$

and

$$\begin{aligned} \text {dist}_1(\kappa ) = \bigl \{(N,R) \mid N \leftarrow pq \text { with } (p,q) {\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}{\textsf{RSAgen}}(1^\kappa ) {}\\ \wedge \, R \leftarrow r^N \bmod N^2 \text { with } r {\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}(\mathbb {Z}/N^2\mathbb {Z})^* \bigr \}. \end{aligned}$$

The DCR assumption conjectures that for all probabilistic polynomial-time algorithms \(\mathcal {B}\), the function

$$ \Bigl | \Pr \bigl [\mathcal {B}(N,R) = 1 \mid (N,R) {\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}\text {dist}_0(\kappa )\bigr ] - \Pr \bigl [\mathcal {B}(N,R) = 1 \mid (N,R) {\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}\text {dist}_1(\kappa ) \bigr ]\Bigr | $$

is negligible in \(\kappa \).

The semantic security game between a challenger \(\mathcal {B}\) and an adversary \(\mathcal {A}\) proceeds as follows. The challenger is given a DCR challenge \((N,R) {\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}\text {dist}_\beta (\kappa )\) with \(\beta {\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}\{0,1\}\). Its goal is to tell if \(\beta = 0\) or \(\beta = 1\). For this purpose, \(\mathcal {B}\) has access to adversary \(\mathcal {A}\). The advantage of \(\mathcal {A}\) in breaking the semantic security of the cryptosystem (i.e., to correctly recover b) is denoted by \(\text {adv}_\mathcal {A}^{\text {IND-CPA}}(\kappa )\). We need to show that this advantage is negligible.

Suppose that \(\mathcal {B}\) runs as follows:

  1. \(\mathcal {B}\) sets the public key \( pk = N\) and gives it to \(\mathcal {A}\).

  2. Let \(\mathcal {M}= \{0, \dots , N-1\}\). \(\mathcal {A}\) selects a pair of equal-length messages \(m_0, m_1 \in \mathcal {M}\), \(m_0 \ne m_1\).

  3. \(\mathcal {B}\) chooses at random \(b {\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}\{0,1\}\) and returns to \(\mathcal {A}\) the challenge ciphertext \(C^* {:}{=} \bigl (R \bmod N, (m_b + \varUpsilon _{\!N}(R)) \bmod N\bigr )\) as the encryption of \(m_b\).

  4. \(\mathcal {A}\) returns its guess \(b' \in \{0,1\}\) that \(C^*\) is the encryption of \(m_{b'}\).

  5. \(\mathcal {B}\) outputs 1 if \(b' = b\), and 0 otherwise.

There are two cases to consider:

  • Case I: \((N,R) \in \text {dist}_0(\kappa )\). In this case, R is uniform over \((\mathbb {Z}/N^2\mathbb {Z})^*\). As a consequence, \(u^* {:}{=} R \bmod N\) is a uniformly random value in \((\mathbb {Z}/N\mathbb {Z})^*\) and \(v^* {:}{=} (m_b + \varUpsilon _{\!N}(R)) \bmod N\) is a uniformly random value in \(\mathbb {Z}/N\mathbb {Z}\) since \(\varUpsilon _{\!N}(R)\) is uniform over \(\mathbb {Z}/N\mathbb {Z}\). Message \(m_b\) is therefore completely hidden from the view of \(\mathcal {A}\). Hence, we get \(\Pr [\mathcal {B}(N,R) = 1] = \tfrac{1}{2}\).

  • Case II: \((N,R) \in \text {dist}_1(\kappa )\). In this case, \(\mathcal {B}\) perfectly emulates the semantic security game. Indeed, we have \(R = r^N \bmod N^2\) with \(r \leftarrow (\mathbb {Z}/N^2\mathbb {Z})^*\), which is equivalent to \(R = \bar{r}^N \bmod N^2\) where \(\bar{r} {:}{=} r \bmod N\) satisfies \(\bar{r} \in [1, N)\) and \(\gcd (\bar{r},N) = 1\). We so get

    $$ \Bigl |\Pr [\mathcal {B}(N,R) = 1] - \tfrac{1}{2} \Bigr | = \Bigl | \Pr [b' = b] - \tfrac{1}{2} \Bigr | = \text {adv}_\mathcal {A}^{\text {IND-CPA}}(\kappa ). $$

Under the DCR assumption, we know that \(\mathcal {B}\) cannot distinguish \(\text {dist}_0(\kappa )\) from \(\text {dist}_1(\kappa )\)—with non-negligible probability. Combining the above two cases, we so deduce that

$$\begin{aligned} \text {adv}_\mathcal {A}^{\text {IND-CPA}}(\kappa )&= \Bigl |\Pr \bigl [\mathcal {B}(N,R) = 1 \mid (N,R) {\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}\text {dist}_1(\kappa )\bigr ] - \tfrac{1}{2} \Bigr |\\&= \Bigl | \Bigl (\Pr \bigl [\mathcal {B}(N,R) = 1 \mid (N,R) {\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}\text {dist}_1(\kappa )\bigr ] - \tfrac{1}{2}\Bigr ) {}\\&-\Bigl (\overbrace{\Pr \bigl [\mathcal {B}(N,R) = 1 \mid (N,R) {\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}\text {dist}_0(\kappa ) \bigr ] - \tfrac{1}{2}}^{\smash {=0\text {(Case~I)}}}\Bigr )\Bigr |\\&= \Bigl | \Pr \bigl [\mathcal {B}(N,R) = 1 \mid (N,R) {\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}\text {dist}_0(\kappa )\bigr ] {}\\& - \Pr \bigl [\mathcal {B}(N,R) = 1 \mid (N,R) {\mathop {\leftarrow }\limits ^{\scriptscriptstyle \$}}\text {dist}_1(\kappa ) \bigr ]\Bigr |\\&= \text {negl}(\kappa ). \end{aligned}$$
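The two proofs above refer to the cryptosystem of Sect. 3.1, which this page does not reproduce. The following Python model is an added example, not the paper's code: it reconstructs a scheme consistent with both appendix proofs, with ciphertext \((u, v) = (r^N \bmod N,\ (m + \varUpsilon_N(r^N \bmod N^2)) \bmod N)\), and checks the two identities the proofs rely on: the one-wayness reduction's output \(Y = u + Nu(v-m) \bmod N^2\) equals \(r^N \bmod N^2\), and the Case II challenge \(C^* = (R \bmod N, (m_b + \varUpsilon_N(R)) \bmod N)\) is a genuine encryption of \(m_b\) when \(R = r^N \bmod N^2\). Assumptions of the model (not stated on this page): \(\varUpsilon_N(R)\) is taken to be the \(t\) with \(R = u(1 + tN) \bmod N^2\), \(u = R \bmod N\), which is the definition that makes the reduction's formula hold; decryption extracts the \(N\)-th root of \(u\) modulo \(N\) with \(d = N^{-1} \bmod \varphi(N)\) and Hensel-lifts it to \(N^2\); the `add` routine is the additive homomorphism that follows from that choice of \(\varUpsilon_N\), not an operation quoted from the paper; the primes are constructed toy values.

```python
"""Toy model of an on-line/off-line DCR-based encryption scheme (Python 3.8+).
Reconstructed from the appendix proofs; this is NOT the paper's own code.
"""
import random
from dataclasses import dataclass
from math import gcd

# Constructed toy primes (the 9999th and 10000th primes); far too small for real use.
TOY_P, TOY_Q = 104723, 104729


@dataclass(frozen=True)
class PublicKey:
    N: int


@dataclass(frozen=True)
class SecretKey:
    N: int
    d: int  # N^{-1} mod phi(N): the exponent that extracts N-th roots modulo N


def keygen(p: int = TOY_P, q: int = TOY_Q):
    N, phi = p * q, (p - 1) * (q - 1)
    # x -> x^N permutes (Z/NZ)^* only when gcd(N, phi(N)) = 1 (true for RSA moduli).
    if gcd(N, phi) != 1:
        raise ValueError("bad modulus: gcd(N, phi(N)) != 1")
    return PublicKey(N), SecretKey(N, pow(N, -1, phi))


def upsilon(R: int, N: int) -> int:
    """Assumed definition of Upsilon_N: write R = u*(1 + t*N) mod N^2 with
    u = R mod N and return t in [0, N).  With this choice the appendix identity
    R = u + N*u*Upsilon_N(R) mod N^2 holds, as the one-wayness reduction needs."""
    N2 = N * N
    u = R % N
    return ((R * pow(u, -1, N2)) % N2 - 1) // N


def offline(pk: PublicKey, rng: random.Random):
    """Off-line phase: all the modular arithmetic, producing a coupon (u, t)."""
    N = pk.N
    while True:
        r = rng.randrange(1, N)
        if gcd(r, N) == 1:  # footnote 1: fails only with negligible probability
            break
    R = pow(r, N, N * N)
    return (R % N, upsilon(R, N))


def online(pk: PublicKey, coupon, m: int):
    """On-line phase: one integer addition, plus one subtraction on wrap-around."""
    u, t = coupon
    v = m + t
    if v >= pk.N:
        v -= pk.N
    return (u, v)


def encrypt(pk: PublicKey, m: int, rng: random.Random = None):
    if rng is None:
        rng = random.Random()
    return online(pk, offline(pk, rng), m)


def decrypt(sk: SecretKey, c):
    """Returns m, or None (the paper's bottom symbol) for an out-of-range pair.
    The randomness r is recovered on the way, as footnote 2 describes."""
    u, v = c
    N = sk.N
    if not (0 < u < N and 0 <= v < N) or gcd(u, N) != 1:
        return None
    r = pow(u, sk.d, N)   # unique N-th root of u modulo N (requires sk)
    R = pow(r, N, N * N)  # Hensel lift of u to r^N mod N^2
    return (v - upsilon(R, N)) % N


def add(pk: PublicKey, c1, c2):
    """Assumed additive homomorphism under this reconstruction (not quoted from the
    paper): u1*u2 = u + carry*N with u = u1*u2 mod N, so that
    Upsilon_N(R1*R2 mod N^2) = t1 + t2 + carry*u^{-1} mod N."""
    N = pk.N
    (u1, v1), (u2, v2) = c1, c2
    prod = u1 * u2
    u, carry = prod % N, prod // N
    return (u, (v1 + v2 + carry * pow(u, -1, N)) % N)


def hensel_lift_from_plaintext(N: int, c, m: int) -> int:
    """Step 3 of the one-wayness reduction: Y = u + N*u*(v - m) mod N^2."""
    u, v = c
    return (u + N * u * (v - m)) % (N * N)


def simulate_challenge(N: int, R: int, m_b: int):
    """Step 3 of the IND-CPA game: C* = (R mod N, (m_b + Upsilon_N(R)) mod N)."""
    return (R % N, (m_b + upsilon(R, N)) % N)


if __name__ == "__main__":
    pk, sk = keygen()
    c = encrypt(pk, 42, random.Random(2023))
    print("N =", pk.N, "ciphertext =", c, "decrypts to", decrypt(sk, c))
```

The on-line/off-line split is visible in `offline` versus `online`: every exponentiation happens while producing the coupon, and the message enters only through `v = m + t` with a conditional subtraction, which is the "one or two integer additions" of the abstract. In Case I of the proof, `R` is uniform over \((\mathbb{Z}/N^2\mathbb{Z})^*\), so `R % N` and `upsilon(R, N)` are independent and uniform over their ranges, which is why \(m_b\) is hidden there; `simulate_challenge` produces exactly that view.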

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Joye, M. (2023). On-Line/Off-Line DCR-Based Homomorphic Encryption and Applications. In: Rosulek, M. (eds) Topics in Cryptology – CT-RSA 2023. CT-RSA 2023. Lecture Notes in Computer Science, vol 13871. Springer, Cham. https://doi.org/10.1007/978-3-031-30872-7_5

  • DOI: https://doi.org/10.1007/978-3-031-30872-7_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-30871-0

  • Online ISBN: 978-3-031-30872-7

  • eBook Packages: Computer Science (R0)