Abstract
We study the problem of root extraction in finite Abelian groups where the group order is unknown. This is a natural generalization of the problem of decrypting RSA ciphertexts. We study the complexity of this problem for generic algorithms, that is, algorithms that work for any group and do not use any special properties of the group at hand. We prove an exponential lower bound on the generic complexity of root extraction, even if the algorithm can choose the “public exponent” itself. In other words, both the standard and the strong RSA assumption are provably true w.r.t. generic algorithms. The results hold for arbitrary groups, so security w.r.t. generic attacks follows for any cryptographic construction based on root extraction. As an example of this, we revisit the Cramer-Shoup signature scheme [10]. We modify the scheme such that it becomes a generic algorithm. This allows us to implement it in RSA groups without the original restriction that the modulus must be a product of safe primes. It can also be implemented in class groups. In all cases, security follows from a well-defined complexity assumption (the strong root assumption), without relying on random oracles, and the assumption is shown to be true w.r.t. generic attacks.
Part of the work done while visiting IBM Zurich Research Laboratory.
Basic Research in Computer Science, Centre of the Danish National Research Foundation.
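The abstract frames RSA decryption as root extraction in a group whose order is hidden from the algorithm, and frames the attacker as a generic algorithm that can only multiply and compare group elements. The Python below is an added illustration of that model, not code from the paper or its authors: it wraps Z_N^* (a constructed toy modulus, N = 61·53) behind random opaque labels, so that an algorithm talking to the oracle sees only labels and query counts, never residues or the group order. The party that does know the order (the RSA key owner) extracts an e-th root with nothing but oracle multiplications, which is exactly RSA decryption written as a generic algorithm; the oracle, label scheme and function names are this example's own assumptions. What the code cannot show is the paper's lower bound itself: it demonstrates what knowing the order buys, and leaves the order out of the algorithm's view otherwise.

```python
"""Root extraction in a hidden-order group, viewed through a generic-group oracle.

Added illustration (not code from the paper). The oracle hides Z_N^* behind random
64-bit labels, as in the generic-algorithm model: callers may multiply labels and
test them for equality, but cannot read residues or learn the group order.
All numbers below are constructed toy values.
"""
import secrets
from math import gcd
from typing import Dict


class GenericGroupOracle:
    """Z_N^* with opaque random encodings; only multiplication is offered and counted."""

    def __init__(self, N: int):
        self.N = N
        self._to_label: Dict[int, int] = {}
        self._to_elem: Dict[int, int] = {}
        self.queries = 0  # number of group operations the algorithm has asked for

    def _label(self, x: int) -> int:
        # Assign a fresh random label the first time an element is seen; the map is injective.
        x %= self.N
        if x not in self._to_label:
            while True:
                lab = secrets.randbits(64)
                if lab not in self._to_elem:
                    break
            self._to_label[x] = lab
            self._to_elem[lab] = x
        return self._to_label[x]

    def one(self) -> int:
        """Label of the neutral element (needed to start an exponentiation)."""
        return self._label(1)

    def encode(self, x: int) -> int:
        """Challenger side: hand a unit of Z_N^* to the algorithm as a label."""
        if gcd(x, self.N) != 1:
            raise ValueError("not a unit modulo N")
        return self._label(x)

    def decode(self, label: int) -> int:
        """Challenger side only: map a label back to its residue to judge an answer."""
        return self._to_elem[label]

    def mul(self, a: int, b: int) -> int:
        """The one generic operation: multiply two labelled elements."""
        self.queries += 1
        return self._label(self._to_elem[a] * self._to_elem[b])


def generic_power(oracle: GenericGroupOracle, base_label: int, k: int) -> int:
    """Square-and-multiply using only oracle.mul, so it runs in any group."""
    result = oracle.one()
    acc = base_label
    while k:
        if k & 1:
            result = oracle.mul(result, acc)
        acc = oracle.mul(acc, acc)
        k >>= 1
    return result


def generic_root_with_order(oracle: GenericGroupOracle, y_label: int, e: int, order: int) -> int:
    """e-th root extraction when a multiple of the group order is known.

    d = e^-1 mod order works because x^order = 1 for every x in the group, so
    (y^d)^e = y. This is RSA decryption phrased as a generic algorithm; without
    `order` the exponent d is unavailable, which is the setting of the paper.
    """
    if gcd(e, order) != 1:
        raise ValueError("e must be coprime to the group order for a unique root")
    d = pow(e, -1, order)
    return generic_power(oracle, y_label, d)


def verify_root(oracle: GenericGroupOracle, x_label: int, e: int, y_label: int) -> bool:
    """Check x^e = y generically: labels are injective, so label equality is element equality."""
    return generic_power(oracle, x_label, e) == y_label


def demo():
    """Constructed toy RSA instance: returns (root correct, root verified, queries used)."""
    p, q = 61, 53                      # constructed toy primes; real moduli are far larger
    N, order = p * q, (p - 1) * (q - 1)
    e = 17                             # public exponent, coprime to the order
    oracle = GenericGroupOracle(N)
    x_true = 123
    y_label = oracle.encode(pow(x_true, e, N))   # the "ciphertext" y = x^e
    x_label = generic_root_with_order(oracle, y_label, e, order)
    return (oracle.decode(x_label) == x_true,
            verify_root(oracle, x_label, e, y_label),
            oracle.queries)


if __name__ == "__main__":
    print(demo())
```

The challenger-side `decode` exists only so a test can judge an answer; a generic algorithm under the paper's model never gets it, and every query it does make is counted in `oracle.queries`, which is the quantity the paper's lower bound is about.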
References
[1] I. Biehl, J. Buchmann, S. Hamdy, and A. Meyer. A signature scheme based on the intractability of computing roots. Technical Report 1/00, Darmstadt University of Technology, 2000.
[2] D. Boneh and R. J. Lipton. Algorithms for black-box fields and their application to cryptography. Lecture Notes in Computer Science, 1109:283–297, 1996.
[3] D. Boneh and R. Venkatesan. Breaking RSA may not be equivalent to factoring. Lecture Notes in Computer Science, 1403:59–71, 1998.
[4] J. Buchmann and H. C. Williams. A key-exchange system based on imaginary quadratic fields. Journal of Cryptology, 1(2):107–118, 1988.
[5] D. A. Buell. The expectation of success using a Monte Carlo factoring method: some statistics on quadratic class numbers. Mathematics of Computation, 43(167):313–327, July 1984.
[6] M. Bütikofer. An abstraction of the Cramer-Damgård signature scheme based on tribes of q-one-way-group-homomorphisms. ETH Zürich, 1999.
[7] H. Cohen and H. W. Lenstra, Jr. Heuristics on class groups of number fields. In Number Theory, Noordwijkerhout 1983, volume 1068 of Lecture Notes in Mathematics, pages 33–62, 1984.
[8] R. Cramer and I. Damgård. Secure signature schemes based on interactive protocols. Lecture Notes in Computer Science, 963:297–310, 1995.
[9] R. Cramer and I. Damgård. New generation of secure and practical RSA-based signatures. Lecture Notes in Computer Science, 1109:173–185, 1996.
[10] R. Cramer and V. Shoup. Signature schemes based on the strong RSA assumption. In ACM Conference on Computer and Communications Security, pages 46–51, 1999.
[11] I. Damgård and M. Koprowski. Generic lower bounds for root extraction and signature schemes in general groups (extended version). Cryptology ePrint Archive, Report 2002/013, 2002. http://eprint.iacr.org/.
[12] M. Fischlin. A note on security proofs in the generic model. In T. Okamoto, editor, Advances in Cryptology - ASIACRYPT 2000, volume 1976 of Lecture Notes in Computer Science, pages 458–469. Springer-Verlag, 2000.
[13] S. Hamdy and B. Möller. Security of cryptosystems based on class groups of imaginary quadratic orders. In T. Okamoto, editor, Advances in Cryptology - ASIACRYPT 2000, pages 234–247. Springer-Verlag, 2000.
[14] M. Jacobson. Subexponential class group computation in quadratic orders. PhD thesis, Technische Universität Darmstadt, Darmstadt, Germany, 1999.
[15] T. Matsumoto, K. Kato, and H. Imai. Speeding up secret computations with insecure auxiliary devices. In S. Goldwasser, editor, Advances in Cryptology - CRYPTO '88, volume 403 of Lecture Notes in Computer Science, pages 497–506. Springer-Verlag, 1990.
[16] U. Maurer and S. Wolf. Lower bounds on generic algorithms in groups. Lecture Notes in Computer Science, 1403:72–84, 1998.
[17] J. Merkle and R. Werchner. On the security of server-aided RSA protocols. Lecture Notes in Computer Science, 1431:99–116, 1998.
[18] V. I. Nechaev. Complexity of a determinate algorithm for the discrete logarithm. Mathematical Notes, 55(2):165–172, 1994. Translated from Matematicheskie Zametki, 55(2):91–101, 1994.
[19] P. Q. Nguyen and I. E. Shparlinski. On the insecurity of a server-aided RSA protocol. In C. Boyd, editor, Advances in Cryptology - ASIACRYPT 2001, volume 2248 of Lecture Notes in Computer Science, pages 21–35. Springer-Verlag, 2001.
[20] C.-P. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4(3):161–174, 1991.
[21] C.-P. Schnorr. Security of DL-encryption and signatures against generic attacks: a survey. In K. Alster, H. C. Williams, and J. Urbanowicz, editors, Proceedings of Public-Key Cryptography and Computational Number Theory Conference, Warsaw, September 2000. Walter de Gruyter, 2002.
[22] C.-P. Schnorr and M. Jakobsson. Security of discrete log cryptosystems in the random oracle + generic model. In Conference on The Mathematics of Public-Key Cryptography, The Fields Institute, Toronto, Canada, 1999.
[23] C.-P. Schnorr and M. Jakobsson. Security of signed ElGamal encryption. In T. Okamoto, editor, Advances in Cryptology - ASIACRYPT 2000, volume 1976 of Lecture Notes in Computer Science, pages 73–89. Springer-Verlag, 2000.
[24] V. Shoup. Lower bounds for discrete logarithms and related problems. In Advances in Cryptology - EUROCRYPT '97, pages 256–266, 1997.
Copyright information
© 2002 Springer-Verlag Berlin Heidelberg
Cite this paper
Damgård, I., Koprowski, M. (2002). Generic Lower Bounds for Root Extraction and Signature Schemes in General Groups. In: Knudsen, L.R. (eds) Advances in Cryptology — EUROCRYPT 2002. EUROCRYPT 2002. Lecture Notes in Computer Science, vol 2332. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-46035-7_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-43553-2
Online ISBN: 978-3-540-46035-0