Security analysis and improvement of a double-trapdoor encryption scheme

https://doi.org/10.1016/j.amc.2004.10.026

Abstract

At Asia Crypt’03, Bresson et al. proposed a probabilistic public-key encryption scheme with a double-trapdoor decryption mechanism. In this paper, we provide security analysis of it, and point out three insecurities of the encryption scheme. It suffers from (adaptive) chosen ciphertext attacks (CCA) and can be broken in three different ways. By constructing proper ciphertexts, the adversary can calculate the user’s private key or factorize the modulus after getting the decrypted plaintexts, so she can decrypt all the plaintexts encrypted under this encryption scheme. To overcome these insecurities, we suggest a simple method to improve the encryption scheme against active attacks and prevent the adversary from getting important or private information, and strengthen its security.

Introduction

Since the discovery of public-key cryptography by Diffie and Hellman [7], the most important research topics are the design and analysis of practical and provably secure cryptosystems. Many new schemes have been proposed and many have been broken [1], [3], [19], [20].

Most successful public-key cryptosystems require large prime numbers. The difficulty of factoring integers with large prime factors forms the basis of RSA [16]. Its variants such as Rabin-Williams [14], [22], LUC’s scheme [21] or elliptic curve versions of RSA like KMOV [10] are all based on the difficulty of factorization. Likewise, the difficulty of the discrete logarithm problem forms the basis of Diffie–Hellman type schemes like ElGamal [8], elliptic curve cryptosystems, DSS and McCurley [11].

With most modern cryptography, the ability to keep encrypted information secret is based not on the cryptographic algorithm, which is widely known, but on a number called a key that must be used with the algorithm to produce an encrypted result or to decrypt previously encrypted information. Decryption with the correct key is simple. Decryption without the correct key is very difficult, and in most cases impossible for all practical purposes.

In 1999, Paillier proposed a probabilistic public-key encryption scheme based on the intractability of composite residuosity in Z_{N²} [13], and it has attracted a great deal of attention in public-key cryptography. Many researchers have studied its generalization, efficiency improvement and security analysis [4], [6], [9].

Based on the study of Paillier cryptosystem by Catalano et al. [5], Bresson et al. proposed a new encryption scheme with two decryption methods at Asia Crypt’03 [2].

Along the other axis there are several different attacks. In order of increasing strength these are chosen plaintext attack (CPA) and chosen ciphertext attack (CCA), the latter consisting of non-adaptive chosen ciphertext attack (CCA1) and adaptive chosen ciphertext attack (CCA2). Under CPA the adversary can obtain ciphertexts of plaintexts of her choice. In the public key setting, giving the adversary the public key suffices to capture this type of attack. Under CCA1, formalized by Naor and Yung [12], the adversary gets, in addition to the public key, access to an oracle for the decryption function. The adversary may use this decryption oracle only during the period preceding her being given the challenge ciphertext y. (The term non-adaptive refers to the fact that queries to the decryption oracle cannot depend on the challenge y.) Colloquially this attack has also been called a lunchtime, lunch-break, or midnight attack. Under CCA2, due to Rackoff and Simon [15], the adversary again has (in addition to the public key) access to an oracle for the decryption function, but this time she may use this decryption oracle even on ciphertexts chosen after obtaining the challenge ciphertext y, the only restriction being that the adversary may not ask for the decryption of y itself. (The attack is called adaptive because queries to the decryption oracle can depend on the challenge y.)

Our goal in this paper is to provide a security analysis of the double-trapdoor encryption scheme and to point out its insecurities, which must be avoided, by giving concrete chosen ciphertext attacks.

There are three insecurities as follows:

  1. If the first decryption method is used, the adversary constructs a ciphertext of her choice; after getting the decrypted plaintext she can calculate the user’s private key, so she can decrypt all the plaintexts encrypted under this encryption scheme.

  2. If the second decryption method is used, by constructing two ciphertexts of her choice and after two decryption oracle queries, the adversary can also calculate the user’s private key, and therefore can decrypt all the plaintexts encrypted under this encryption scheme.

  3. In [2, Sections 2.2 and 4.2], Bresson et al. suggested, for simplicity, choosing the public parameter g such that g^λ(N) mod N² = 1 + lN, where l = 1 and λ(N) = lcm(p − 1, q − 1) is Carmichael’s function, but they did not point out the potential insecurities if such a parameter is used. In this paper, we point out in a general form that when choosing such a public parameter g, the value l (0 ≤ l ≤ N − 1) should not be known to the adversary. Otherwise, after two chosen ciphertext attacks, the adversary can calculate λ(N) and consequently factorize the modulus N.

The rest of the paper is organized as follows: We briefly introduce the encryption scheme proposed by Bresson et al. in Section 2. Security analysis of that scheme is presented in Section 3. Section 4 proposes an optional method to improve Bresson’s encryption scheme with simple efficiency and security analysis. Section 5 summarizes this paper.


The double-trapdoor encryption scheme

Let N = pq be an RSA modulus such that p = 2p′ + 1, q = 2q′ + 1, where p, p′, q, q′ are sufficiently large primes. G = QR_{N²} is the cyclic group of quadratic residues in Z_{N²}, and ord(G) = λ(N²)/2 = pp′qq′ = Nλ(N)/2.

  • Key generation: g ∈ G; the user chooses a random integer a ∈ [1, ord(G)] as his private key, and h = g^a mod N² is his public key.

  • Public parameters: (N, g, h).

  • Encryption: m ∈ Z_N is the plaintext to be encrypted; one randomly chooses r ∈ Z_{N²}, and the ciphertext is A = g^r mod N², B = h^r (1 + mN) mod N².

  • Decryption method 1: m = ((B / A^a − 1) mod N²) / N;

Security analysis

This section provides security analysis of the double-trapdoor encryption scheme proposed by [2].

Simple improvement of the double-trapdoor encryption scheme

The reason that the attacks provided in Section 3 can successfully attack the double-trapdoor (DT) encryption scheme is that the adversary did not follow the proper encryption procedure,1 so she can get additional information from the decrypted plaintext, e.g., m′ = m − ka mod N and m′ = 1 − a + m mod N.
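The following is an added example, not code from the paper or from Bresson et al.: a toy instance of the double-trapdoor scheme as described in Section 2 (N = pq with p = 2p′ + 1, q = 2q′ + 1, G = QR_{N²}, private key a, h = g^a mod N², ciphertext (A, B) = (g^r, h^r(1 + mN)) mod N² and decryption method 1), followed by a check of the relation m′ = m − ka mod N that decryption method 1 returns for a pair (A(1 + kN), B), which is not an output of the encryption procedure. The primes, the choice g = 4 (= 2², so g ∈ G) and all function names are assumptions made here; the values are far too small for real use. The point, from the decryptor's side, is that method 1 answers such a pair with a value that depends linearly on a, which is why the paper argues decryption must not be applied to ciphertexts that did not come from the proper encryption procedure.

```python
# Added example (not the paper's code): toy double-trapdoor scheme and the
# relation m' = m - k*a (mod N) that decryption method 1 yields on a pair
# (A(1+kN), B) that was not produced by the encryption procedure.
# All parameters are constructed toy values, far too small for real use.
import secrets

# Constructed toy safe primes: p = 2p'+1 = 11, q = 2q'+1 = 47.
P_PRIME, Q_PRIME = 5, 23
P, Q = 2 * P_PRIME + 1, 2 * Q_PRIME + 1
N = P * Q                          # 517
N2 = N * N                         # 267289
ORD_G = P * P_PRIME * Q * Q_PRIME  # ord(QR_{N^2}) = pp'qq' = lambda(N^2)/2
G = pow(2, 2, N2)                  # 4 = 2^2 is a quadratic residue, so g lies in G


def keygen(a=None):
    """Return ((N, g, h), a) with h = g^a mod N^2; a is random in [1, ord(G)] unless given."""
    if a is None:
        a = 1 + secrets.randbelow(ORD_G)
    h = pow(G, a, N2)
    return (N, G, h), a


def encrypt(pk, m, r=None):
    """Ciphertext (A, B) = (g^r mod N^2, h^r (1 + mN) mod N^2) for m in Z_N."""
    n, g, h = pk
    if not 0 <= m < n:
        raise ValueError("plaintext must lie in Z_N")
    if r is None:
        r = secrets.randbelow(n * n)   # r drawn from Z_{N^2}, as on the page
    A = pow(g, r, n * n)
    B = pow(h, r, n * n) * (1 + m * n) % (n * n)
    return A, B


def decrypt1(pk, a, ct):
    """Decryption method 1: m = ((B * A^{-a} mod N^2) - 1) / N."""
    n, _, _ = pk
    A, B = ct
    t = B * pow(A, -a, n * n) % (n * n)   # equals 1 + mN for a well-formed pair
    return (t - 1) // n


def shifted_pair(pk, ct, k):
    """The pair (A(1+kN), B): not an output of the encryption procedure above."""
    n, _, _ = pk
    A, B = ct
    return A * (1 + k * n) % (n * n), B


def demo(a=12345, r=777, m=42, k=3):
    """Return (m from the genuine ciphertext, m' from the shifted pair, (m - k*a) mod N).

    Since A(1+kN)^a = A^a (1 + k a N) mod N^2, method 1 computes
    (1 + mN)(1 - k a N) = 1 + (m - k a)N mod N^2, i.e. m' = m - k a mod N.
    """
    pk, sk = keygen(a)
    ct = encrypt(pk, m, r)
    m_ok = decrypt1(pk, sk, ct)
    m_shifted = decrypt1(pk, sk, shifted_pair(pk, ct, k))
    return m_ok, m_shifted, (m - k * sk) % N


if __name__ == "__main__":
    print(demo())
```

Running `demo()` with the constructed defaults recovers m = 42 from the genuine ciphertext, while the shifted pair decrypts to (42 − 3·12345) mod 517 rather than to 42; the third component confirms the algebra in the docstring. This is the "additional information" the section above refers to: the decrypted value leaks a linear function of the private key whenever the decryptor answers a pair it did not verify.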

Conclusions

The main purpose of this paper is to point out insecurities of a double-trapdoor encryption scheme; therefore this encryption scheme should not be used to encrypt directly. Under the model of chosen ciphertext attacks, the adversary can calculate the private key or factorize the modulus and thus attack the encryption scheme successfully, so these insecurities should be overcome.

Based on the analysis of the original encryption scheme, we simply improved the original scheme, during the decryption procedure,

References (22)

  • L.M. Adleman, On breaking generalized knapsack public-key cryptosystems, in: Proceedings of the Fifteenth Annual ACM...
  • E. Bresson et al., A simple public-key cryptosystem with a double trapdoor decryption mechanism and its applications
  • E.F. Brickell, Breaking iterated knapsacks
  • D. Catalano et al., The bit security of Paillier’s encryption scheme and its applications
  • D. Catalano et al., Paillier’s cryptosystem revisited
  • I. Damgård et al., A generalization, a simplification and some applications of Paillier’s probabilistic public-key system
  • W. Diffie et al., New directions in cryptography, IEEE Trans. Inform. Theory (1976)
  • T. ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms, IEEE Trans. Inform. Theory (1985)
  • Z.T. Jiang, Y.M. Wang, Improvement on Paillier–Pointcheval probabilistic public-key encryption scheme, Journal of...
  • K. Koyama et al., New public-key schemes based on elliptic curves over the ring Zn
  • K. McCurley, A key distribution system equivalent to factoring, J. Cryptol. (1988)