# New Semantically Secure Public-Key Cryptosystems from the RSA-Primitive

## Abstract

We analyze the security of the simplified Paillier (S-Paillier) cryptosystem proposed by Catalano et al. We prove that the one-wayness of the S-Paillier scheme is as intractable as the standard RSA problem. We also prove that an adversary that breaks the semantic security can compute the least significant bits of the nonce. This observation is interesting because the least significant bit of the nonce is the hard-core bit of the encryption function. Moreover, we propose a novel semantically secure cryptosystem based on the one-way function (*r* − MSB_*l*(*r*))^*e* mod *n*, where (*e*, *n*) is the RSA public key and *r* − MSB_*l*(*r*) means that the *l* most significant bits of *r* are zeroed. We prove that the one-wayness of the proposed scheme is as intractable as the standard RSA problem. An adversary that breaks the semantic security of the proposed scheme can compute the least significant bits of the nonce. These security results of the proposed scheme are similar to those of the S-Paillier cryptosystem. However, the proposed scheme is more efficient than the S-Paillier cryptosystem.
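The following is an added illustration, not code from the paper, of the one-way function the abstract builds on: the *l* most significant bits of a *k*-bit nonce *r* are cleared and the result is raised to the RSA public exponent. The toy primes, the nonce values and the hypothetical trapdoor-inversion helper are constructed here for illustration; they are far too small for any real use.

```python
# Toy RSA parameters (constructed for illustration only; real keys are 2048+ bits).
P, Q = 1009, 1013            # two small primes
N = P * Q                    # RSA modulus n
E = 65537                    # RSA public exponent e
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # private exponent d (assumed known only to the key holder)
K = N.bit_length()           # bit-length k of the modulus (20 bits for this toy n)


def zero_msb(r: int, l: int, k: int = K) -> int:
    """Compute r - MSB_l(r): clear the l most significant bits of a k-bit integer r."""
    if not 0 <= r < (1 << k):
        raise ValueError("r must be a k-bit integer")
    low_mask = (1 << (k - l)) - 1   # keeps the k-l low-order bits
    return r & low_mask


def one_way(r: int, l: int) -> int:
    """f(r) = (r - MSB_l(r))^e mod n, the function named in the abstract."""
    return pow(zero_msb(r, l), E, N)


def hard_core_bit(r: int) -> int:
    """The least significant bit of the nonce, which the abstract identifies as
    the hard-core bit of the encryption function."""
    return r & 1


def invert_with_trapdoor(y: int) -> int:
    """Hypothetical helper: with the private exponent d, recover r - MSB_l(r).
    The zeroed high bits are not recoverable by anyone, which is why distinct
    nonces sharing their k-l low bits map to the same output."""
    return pow(y, D, N)


if __name__ == "__main__":
    r, l = 0xABCDE, 4                       # constructed 20-bit nonce, clear top 4 bits
    y = one_way(r, l)
    print(hex(zero_msb(r, l)), hex(y), hard_core_bit(r))
    print(invert_with_trapdoor(y) == zero_msb(r, l))
```

Because 2^(k-l) ≤ n, the masked value is always below the modulus, so RSA inversion with *d* returns exactly *r* − MSB_*l*(*r*); without *d* the only way to reach it is to solve the RSA problem, which is the intuition behind the abstract's one-wayness claim.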

## Keywords

Encryption scheme; random integer; encryption function; modular exponentiation; chosen ciphertext attack