Public-Key Cryptosystems Based on Composite Degree Residuosity Classes
Author: Pascal Paillier
Presenter: 陳國璋
[Published in J. Stern, Ed., Advances in Cryptology - EUROCRYPT '99, vol. 1592 of Lecture Notes in Computer Science, pp. 223-238, Springer-Verlag, 1999.]
Outline
Introduction
Notation and math. assumption
Scheme 1
Scheme 2
Scheme 3
Properties
Conclusion
Introduction (1/2)
Two main trapdoor techniques: RSA and Diffie-Hellman.
Proposes a new technique: Composite Residuosity.
Proposes a new computational problem: the Composite Residuosity Class Problem.
Introduction (2/2)
Proposes three homomorphic encryption schemes built on the above assumption, including a new trapdoor permutation.
They are semantically secure; however, the author did not prove it.
Notation and math. assumption (1/10)
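$p$, $q$ are two large primes; $n = pq$.
Euler phi-function: $\phi(n) = (p-1)(q-1)$
Carmichael function: $\lambda(n) = \mathrm{lcm}(p-1, q-1)$
$|\mathbb{Z}_{n^2}^*| = \phi(n^2) = n\phi(n)$
For any $w \in \mathbb{Z}_{n^2}^*$: $w^{\lambda} = 1 \bmod n$ and $w^{n\lambda} = 1 \bmod n$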
Notation and math. assumption (2/10)
RSA[n,e] problem: extracting e-th roots modulo $n$, where $n = pq$.
Relation: $P_1 \Leftarrow P_2$ (resp. $P_1 \equiv P_2$) denotes that problem $P_1$ is polynomially reducible (resp. equivalent) to problem $P_2$.
n-th residue modulo $n^2$: a number $z$ is an n-th residue modulo $n^2$ if there exists a number $y$ such that $z = y^n \bmod n^2$.
Notation and math. assumption (3/10)
CR[n] problem: deciding n-th residuosity.
Like the problems of deciding quadratic or higher degree residuosity, CR[n] is a random-self-reducible problem.
Assumption: there exists no polynomial-time distinguisher for n-th residues modulo $n^2$, i.e. CR[n] is intractable.
Notation and math. assumption (4/10)
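$g \in B$, where $B_\alpha \subset \mathbb{Z}_{n^2}^*$ is the set of elements of order $n\alpha$ and $B = \bigcup B_\alpha$ for $\alpha = 1, \dots, \lambda$.
$\varepsilon_g$: an integer-valued function $\mathbb{Z}_n \times \mathbb{Z}_n^* \to \mathbb{Z}_{n^2}^*$ defined by
$(x, y) \mapsto g^x y^n \bmod n^2$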
Notation and math. assumption (5/10)
If order($g$) = $kn$ with $k$ nonzero, i.e. a nonzero multiple of $n$, then $\varepsilon_g$ is bijective.
The domain and co-domain have the same order $n\phi(n)$ and the function is 1-to-1.
For $g \in B$, $w \in \mathbb{Z}_{n^2}^*$, we call the n-th residuosity class of $w$ with respect to $g$ the unique integer $x \in \mathbb{Z}_n$ such that there exists $y \in \mathbb{Z}_n^*$ with $\varepsilon_g(x, y) = w$.
The class of $w$ is denoted $[w]_g$.
Notation and math. assumption (6/10)
$[w]_g = 0 \iff w$ is an n-th residue modulo $n^2$.
$\forall w_1, w_2 \in \mathbb{Z}_{n^2}^*$: $[w_1 w_2]_g = [w_1]_g + [w_2]_g \bmod n$
The class function $w \mapsto [w]_g$ is a homomorphism from $(\mathbb{Z}_{n^2}^*, \times)$ to $(\mathbb{Z}_n, +)$ for any $g \in B$.
Notation and math. assumption (7/10)
Class[n,g] problem: computing the class function in base $g$.
Given $w \in \mathbb{Z}_{n^2}^*$, compute $[w]_g$.
Random-self-reducible problem; the bases $g$ are independent.
Notation and math. assumption (8/10)
Class[n] problem: composite residuosity class problem.
Given $w \in \mathbb{Z}_{n^2}^*$, $g \in B$, compute $[w]_g$.
Class[n] $\Leftarrow$ Fact[n]
$[g_1]_{g_2} = [g_2]_{g_1}^{-1}$
Notation and math. assumption (9/10)
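The set $S_n = \{u < n^2 \mid u = 1 \bmod n\}$ is a multiplicative subgroup of integers modulo $n^2$ over which the function $L$ such that
$\forall u \in S_n,\ L(u) = \frac{u-1}{n}$
is clearly well-defined.
$\forall w \in \mathbb{Z}_{n^2}^*,\ L(w^{\lambda} \bmod n^2) = \lambda\,[w]_{1+n} \bmod n$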
Notation and math. assumption (10/10)
Class[n] $\Leftarrow$ RSA[n,n]
D-Class[n] problem: decisional Class[n] problem.
Given $w \in \mathbb{Z}_{n^2}^*$, $g \in B$, $x \in \mathbb{Z}_n$, decide whether $x = [w]_g$ or not.
CR[n] $\equiv$ D-Class[n] $\Leftarrow$ Class[n] $\Leftarrow$ RSA[n,n] $\Leftarrow$ Fact[n]
Scheme 1 (1/6)
New probabilistic encryption scheme
$n = pq$ and random base $g \in B$ s.t. $\gcd(L(g^{\lambda} \bmod n^2), n) = 1$
$(n, g)$ as public parameters;
$(p, q)$ (or equivalently $\lambda$) as private pair.
Scheme 1 (2/6)
Enc:
plaintext $m < n$; random number $r < n$
ciphertext $c = g^m r^n \bmod n^2$
i.e. $c = \varepsilon_g(m, r)$
(trapdoor function with $\lambda$ as the trapdoor secret; one-wayness iff Class[n] holds)
Dec:
ciphertext $c < n^2$
plaintext $m = \frac{L(c^{\lambda} \bmod n^2)}{L(g^{\lambda} \bmod n^2)} \bmod n$
Scheme 1 (3/6)
One-way function: given x, computing f(x) = y is easy. Given y, finding x s.t. f(x) = y is hard.
One-way trapdoor: f() is a one-way function. Given a secret s and y, finding x s.t. f(x) = y is easy.
Trapdoor permutation: f() is a one-way trapdoor. f() is bijective.
Scheme 1 (4/6)
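For example:
$n = 5 \cdot 7 = 35$; $n^2 = 1225$
$\phi(n) = 4 \cdot 6 = 24$; $\lambda(n) = \mathrm{lcm}(4, 6) = 12$
Take $g = 13$ s.t. $\gcd(L(13^{12} \bmod 1225), 35) = 1$
Let $m = 23$, $r = 19$
Enc: $c = 13^{23} \cdot 19^{35} \bmod 1225 = 53$
Dec: $m = \frac{L(53^{12} \bmod 1225)}{L(13^{12} \bmod 1225)} \bmod 35 = \frac{24}{33} \bmod 35 = 24 \cdot 33^{-1} \bmod 35 = 23$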
Scheme 1 (5/6)
Scheme 1 is one-way ⇔ the Computational Composite Residuosity Assumption (Class[n] problem) holds.
Inverting the scheme is by definition the composite residuosity class problem.
Scheme 1 (6/6)
Scheme 1 is semantically secure ⇔ the Decisional Composite Residuosity Assumption (CR[n] problem) holds.
$m_0, m_1$: known messages. $c$: ciphertext of either $m_0$ or $m_1$.
$[w]_g = 0$ iff $w$ is an n-th residue modulo $n^2$.
$c = \varepsilon_g(m_0, r)$ iff $c\,g^{-m_0} \bmod n^2$ is an n-th residue modulo $n^2$. Vice versa.
Scheme 2 (1/5)
New one-way trapdoor permutation
$n = pq$ and random base $g \in B$ s.t. $\gcd(L(g^{\lambda} \bmod n^2), n) = 1$
$(n, g)$ as public parameters;
$(p, q)$ (or equivalently $\lambda$) as private pair.
Scheme 2 (2/5)
Enc:
plaintext $m < n^2$, split $m = m_1 + n m_2$
ciphertext $c = g^{m_1} m_2^{\,n} \bmod n^2$
i.e. $c = \varepsilon_g(m_1, m_2)$
(permutation comes from the bijectivity of $\varepsilon_g$; trapdoorness iff the factorization of $n$; one-way iff RSA[n,n] is hard.)
Scheme 2 (3/5)
Dec:
ciphertext $c < n^2$
Step 1: $m_1 = \frac{L(c^{\lambda} \bmod n^2)}{L(g^{\lambda} \bmod n^2)} \bmod n$ (retrieves $m_1 = m \bmod n$ as in Scheme 1)
Step 2: $c' = c\,g^{-m_1} \bmod n$ (recovers $m_2^{\,n} \bmod n$)
Step 3: $m_2 = c'^{\,n^{-1} \bmod \lambda} \bmod n$ (RSA decryption, public exponent $e = n$)
plaintext $m = m_1 + n m_2$
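Scheme 2 (4/5)
For example:
$n = 5 \cdot 7 = 35$; $n^2 = 1225$
$\phi(n) = 4 \cdot 6 = 24$; $\lambda(n) = \mathrm{lcm}(4, 6) = 12$
Take $g = 13$ s.t. $\gcd(L(13^{12} \bmod 1225), 35) = 1$
Let $m = 1178 = 23 + 35 \cdot 33$
Enc: $c = 13^{23} \cdot 33^{35} \bmod 1225 = 4$
Dec: $m_1 = 23$
$c' = 4 \cdot 13^{-23} \bmod 35 = 17$
$m_2 = 17^{35^{-1} \bmod 12} \bmod 35 = 17^{11} \bmod 35 = 33$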
Scheme 2 (5/5)
Digital Signatures
Hash function $h : \mathbb{N} \to \{0,1\}^k \subset \mathbb{Z}_{n^2}^*$
For a message $m$, the signer computes the signature $(s_1, s_2)$:
$s_1 = \frac{L(h(m)^{\lambda} \bmod n^2)}{L(g^{\lambda} \bmod n^2)} \bmod n$
$s_2 = (h(m)\,g^{-s_1})^{1/n \bmod \lambda} \bmod n$
Verification: $h(m) \stackrel{?}{=} g^{s_1} s_2^{\,n} \bmod n^2$
Based on RSA[n,n]
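
The Scheme 2 permutation, its three-step inversion and the signature built on it can be run on the slides' toy key (n = 35, g = 13, m = 1178). This Python is an added example, not code from the paper or the slides; the function names and `toy_hash` are assumptions made for illustration.

```python
# Added example: Scheme 2 (trapdoor permutation and signature) on the slides'
# toy key. toy_hash and all function names are assumptions for illustration.
from hashlib import sha256
from math import gcd

P, Q, G = 5, 7, 13
N, N2 = P * Q, (P * Q) ** 2                    # 35, 1225
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # lambda(n) = 12
D = pow(N, -1, LAM)                            # n^-1 mod lambda = 11


def L(u):
    return (u - 1) // N


def class_of(w):
    """[w]_g = L(w^lambda mod n^2) / L(g^lambda mod n^2) mod n."""
    return L(pow(w, LAM, N2)) * pow(L(pow(G, LAM, N2)), -1, N) % N


def nth_root(c1):
    """RSA decryption with public exponent e = n: y with y^n = c1 mod n."""
    return pow(c1 % N, D, N)


def permute(m):
    """c = g^m1 * m2^n mod n^2 for m = m1 + n*m2, m1 in Z_n, m2 in Z_n^*."""
    m1, m2 = m % N, m // N
    if not 0 <= m < N2 or gcd(m2, N) != 1:
        raise ValueError("m2 must be in Z_n^*")
    return pow(G, m1, N2) * pow(m2, N, N2) % N2


def invert(c):
    """Steps 1-3 of Scheme 2 decryption; needs the trapdoor lambda."""
    if not 0 < c < N2 or gcd(c, N) != 1:
        raise ValueError("c is not in Z*_{n^2}")
    m1 = class_of(c)                            # step 1
    m2 = nth_root(c * pow(G, -m1, N))           # steps 2 and 3
    return m1 + N * m2


def toy_hash(msg):
    """Constructed hash into Z*_{n^2}: SHA-256 mod n^2, stepped to a unit."""
    h = int.from_bytes(sha256(msg).digest(), "big") % N2
    while gcd(h, N) != 1:
        h = (h + 1) % N2
    return h


def sign(msg):
    h = toy_hash(msg)
    s1 = class_of(h)
    return s1, nth_root(h * pow(G, -s1, N))


def verify(msg, s1, s2):
    # Range checks matter: without them (s1, s2 + n) would verify as well.
    if not (0 <= s1 < N and 0 < s2 < N and gcd(s2, N) == 1):
        return False
    return toy_hash(msg) == pow(G, s1, N2) * pow(s2, N, N2) % N2
```

On this key the permutation's domain and image both have 840 elements, the order of Z*_{n^2} for n = 35.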
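Scheme 3 (1/4)
Reduces the decryption complexity.
Restricts the ciphertext space $\mathbb{Z}_{n^2}^*$ to the subgroup $\langle g \rangle$ of smaller order.
$g \in B_\alpha$, $1 \le \alpha \le \lambda$; then $\forall w \in \langle g \rangle$,
$[w]_g = \frac{L(w^{\alpha} \bmod n^2)}{L(g^{\alpha} \bmod n^2)} \bmod n$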
Scheme 3 (2/4)
Enc:
plaintext $m < n$, random number $r < n$
ciphertext $c = g^{m + nr} \bmod n^2$
(trapdoor function with $\alpha$ as secret key; one-way iff PDL[n,g])
Dec:
ciphertext $c < n^2$
plaintext $m = \frac{L(c^{\alpha} \bmod n^2)}{L(g^{\alpha} \bmod n^2)} \bmod n$
Scheme 3 (3/4)
PDL[n,g] problem: partial discrete logarithm problem.
Given $w \in \langle g \rangle$, compute $[w]_g$.
D-PDL[n,g] problem: decisional partial discrete logarithm problem.
Given $w \in \langle g \rangle$, $x \in \mathbb{Z}_n$, decide whether $[w]_g = x$.
Scheme 3 (4/4)
Scheme 3 is one-way ⇔ PDL[n,g] is hard.
Scheme 3 is semantically secure ⇔ D-PDL[n,g] is hard.
PDL[n,g] $\Leftarrow$ Class[n] and D-PDL[n,g] $\Leftarrow$ CR[n]
Properties(1/3)
Random-Self-Reducibility: a good algorithm for the average case implies a good algorithm for the worst case.
Properties(2/3)
Additive Homomorphic Properties
The two encryption functions $m \mapsto g^m r^n \bmod n^2$ and $m \mapsto g^{m + nr} \bmod n^2$ are additively homomorphic on $\mathbb{Z}_n$.
$\forall m_1, m_2 \in \mathbb{Z}_n$, $k \in \mathbb{N}$:
$D(E(m_1)\,E(m_2) \bmod n^2) = m_1 + m_2 \bmod n$
$D(E(m)^k \bmod n^2) = km \bmod n$
$D(E(m_1)\,g^{m_2} \bmod n^2) = m_1 + m_2 \bmod n$
$D(E(m_1)^{m_2} \bmod n^2) = D(E(m_2)^{m_1} \bmod n^2) = m_1 m_2 \bmod n$
Properties(3/3)
Self-Blinding: any ciphertext can be publicly changed into another one without affecting the plaintext.
$\forall m \in \mathbb{Z}_n$, $r \in \mathbb{N}$:
$D(E(m)\,r^n \bmod n^2) = m$ or $D(E(m)\,g^{nr} \bmod n^2) = m$
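
Scheme 1's worked example (n = 35, g = 13, m = 23, r = 19) and the homomorphic and self-blinding identities above can be checked mechanically. This Python is an added example, not code from the paper or the slides; the function names are assumptions and the toy key only serves to reproduce the slides' numbers.

```python
# Added example: Scheme 1 on the slides' toy key (p = 5, q = 7, g = 13).
# Function names are assumptions; the key size is illustrative only.
from math import gcd

P, Q, G = 5, 7, 13
N = P * Q                                      # 35
N2 = N * N                                     # 1225
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # lambda(n) = lcm(4, 6) = 12


def L(u):
    """L(u) = (u - 1) / n, defined only on S_n = {u < n^2 : u = 1 mod n}."""
    if u % N != 1:
        raise ValueError("u is not in S_n")
    return (u - 1) // N


# Key check from Scheme 1 (1/6): L(g^lambda mod n^2) must be invertible mod n.
L_G = L(pow(G, LAM, N2))                       # 33
if gcd(L_G, N) != 1:
    raise ValueError("bad base g")
MU = pow(L_G, -1, N)                           # 33^-1 mod 35 = 17


def encrypt(m, r):
    """c = g^m * r^n mod n^2, with m in Z_n and r in Z_n^*."""
    if not 0 <= m < N or not 0 < r < N or gcd(r, N) != 1:
        raise ValueError("m must be in Z_n and r in Z_n^*")
    return pow(G, m, N2) * pow(r, N, N2) % N2


def decrypt(c):
    """m = L(c^lambda mod n^2) / L(g^lambda mod n^2) mod n."""
    if not 0 < c < N2 or gcd(c, N) != 1:
        raise ValueError("ciphertext is not in Z*_{n^2}")
    return L(pow(c, LAM, N2)) * MU % N


def add(c1, c2):          # D(E(m1) E(m2) mod n^2) = m1 + m2 mod n
    return c1 * c2 % N2


def add_plain(c, k):      # D(E(m1) g^m2 mod n^2) = m1 + m2 mod n
    return c * pow(G, k, N2) % N2


def mul_plain(c, k):      # D(E(m)^k mod n^2) = k m mod n
    return pow(c, k, N2)


def reblind(c, r):        # D(E(m) r^n mod n^2) = m (self-blinding)
    return c * pow(r, N, N2) % N2


if __name__ == "__main__":
    c = encrypt(23, 19)
    print(c, decrypt(c), decrypt(add(c, encrypt(20, 2))), decrypt(reblind(c, 4)))
```

`add`, `add_plain`, `mul_plain` and `reblind` use only the public parameters (n, g), so a ciphertext on its own carries no integrity guarantee; this malleability is why the conclusion treats CCA resistance as requiring a modified scheme.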
Conclusion (1/4)
Scheme             Main      Permutation  Fast Variant  RSA        ElGamal
One-wayness        Class[n]  RSA[n,n]     PDL[n,g]      RSA[n,F4]  DH[p]
Semantic security  CR[n]     none         D-PDL[n,g]    none       DDH[p]
Plaintext size     |n|       2|n|         |n|           |n|        |p|
Ciphertext size    2|n|      2|n|         2|n|          |n|        2|p|
Enc             Main    Permutation  Fast Variant  RSA  ElGamal
|n|,|p|=512     5120    5120         4032          17   1536
|n|,|p|=768     7680    7680         5568          17   2304
|n|,|p|=1024    10240   10240        7104          17   3072
|n|,|p|=1536    15360   15360        10176         17   4608
|n|,|p|=2048    20480   20480        13248         17   6144
Dec             Main    Permutation  Fast Variant  RSA  ElGamal
|n|,|p|=512     768     1088         480           192  768
|n|,|p|=768     1152    1632         480           288  1152
|n|,|p|=1024    1536    2176         480           384  1536
|n|,|p|=1536    2304    3264         480           576  2304
|n|,|p|=2048    3072    4352         480           768  3072
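Conclusion (4/4)
Proposes a new number-theoretic problem, Class[n].
Trapdoor mechanisms based on composite degree residues.
Although the author gives no proof that the schemes resist CCA, the author believes that a small modification of Schemes 1 and 3 would resist CCA, and that this could be proven using a random oracle.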