On the security of RSA textbook signature scheme on Paillier ciphertext

In this paper we consider Paillier encryption and the RSA textbook signature. We show that, due to their valuable homomorphic property, these algorithms can be used together to obtain a valid signature on a certain combination of ciphertexts. Our goal is to show that this combination of algorithms provides security against chosen plaintext and chosen ciphertext attacks.


Introduction
Nowadays many algorithms of asymmetric encryption and digital signature are known. In our paper we consider two homomorphic cryptographic primitives, namely Paillier encryption and the RSA textbook signature. The considered cryptographic primitives possess a homomorphic property. This valuable property allows us to apply these algorithms to distinct messages and obtain a valid result for a combination of these messages (sum or product).
Another important similarity between the two protocols is that both algorithms use an integer $n$, which is a product of two primes $p$ and $q$. Due to this similarity we are able to link these two algorithms together, i.e. we use Paillier encryption on the message $m$ to obtain a ciphertext $c$, which is then signed using the RSA textbook signature. This combination of two schemes can be used to create e-money or in e-voting.
Though it was previously shown in [3] that the RSA textbook signature scheme is existentially forgeable, we consider the resistance of its combination with Paillier encryption to chosen plaintext and chosen ciphertext attacks (CPA and CCA respectively).

Mathematical background
In this section we provide a brief overview of the cryptographic primitives mentioned above. Note, however, that we shall be using the Carmichael function $\lambda(\cdot)$ instead of the Euler totient function $\varphi(\cdot)$. The following steps are performed once and are used in both cryptographic primitives:
• Generate two large distinct primes $p$ and $q$ of roughly the same size;
• Compute $n = pq$ and $\lambda(n) = \operatorname{lcm}(p - 1, q - 1)$.

Pailler encryption
In the Paillier asymmetric encryption protocol the public key is $PuK = n$ and the private key is $PrK = \lambda(n)$.
Assume that a message to be encrypted is encoded by an integer $m$. The encryption is performed as follows [4]: Note that, since the multiplicative order $\operatorname{ord}_{n^2}(1 + n) = n$, it is reasonable to turn a message into an integer $m \in \mathbb{Z}_n$.
The plaintext message $m$ is computed using an identity: Note that division is performed over the set of integers $\mathbb{Z}$.

RSA textbook signature scheme
The main idea of this paper is to link two cryptographic primitives by using the same value $n$ for both Paillier encryption and the RSA textbook signature. The steps to execute the latter are presented below [5]:

Key generation algorithm
• Select a random integer $e$, $1 < e < \lambda(n)$, such that $\gcd(e, \lambda(n)) = 1$. It is reasonable to consider values of $e$ having a short bit-length and small Hamming weight. A common value of $e$ is $2^{16} + 1$;
• Find a value of $d$ satisfying the congruence $ed \equiv 1 \bmod \lambda(n)$, i.e. compute the modular multiplicative inverse of $e$ modulo $\lambda(n)$.
The public key is $PuK = (n, e)$ and the private key is $PrK = d$.

Signature generation
Compute the signature $s = c^d \bmod n$. Note that $s \in \mathbb{Z}_n^*$.

Signature verification
Let $s \in \mathbb{Z}_n^*$ be a signature to be verified.
• Compute $s^e \bmod n$;
• Verify that the result equals $c$.
The output of the verification function $\mathrm{Ver}_{\mathrm{RSA}}(s)$ is "Yes" if the identity holds and "No" otherwise.

Homomorphic properties
A useful feature of the Paillier cryptosystem is its homomorphic property [4]: The proof of this relation can be found in [4]. Due to this property the Paillier encryption scheme allows computations (multiplications) to be performed on ciphertext values, as the product of ciphertexts corresponds to the sum of plaintexts.
Furthermore, the RSA signature scheme also has a homomorphic property: , where $\mathrm{Sig}_{\mathrm{RSA}}(c)$ denotes the RSA signature on the ciphertext $c$.
The proof of this property follows directly from the definition of the RSA signature. Hence, the product of two signatures is equal to the signature on the product of ciphertexts.
The main advantage of the homomorphic property of both algorithms is that users can combine their messages $m_1$, $m_2$, etc. to obtain a ciphertext of a sum of these messages without actual knowledge of the whole message $m = \sum_k m_k$. Furthermore, users can also obtain a valid signature on a product of ciphertexts $c_1$, $c_2$ without actual knowledge of the whole ciphertext $c = \prod_k c_k$.
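
The following Python sketch is an added example, not code from the paper: it runs both primitives over one shared modulus and checks the two homomorphic properties described above. It assumes the standard Paillier form with generator 1 + n (the paper's own encryption and decryption formulas are not reproduced on this page); the primes and messages are constructed toy values.

```python
import math
import secrets

def keygen(p, q, e=65537):
    """One modulus n for both primitives; lam = lcm(p - 1, q - 1)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    if math.gcd(e, lam) != 1 or math.gcd(n, lam) != 1:
        raise ValueError("unsuitable primes or exponent")
    return n, lam, e, pow(e, -1, lam)        # d satisfies e*d = 1 (mod lam)

def random_unit(n):
    """Uniform r in Z_n^*."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            return r

def paillier_encrypt(n, m):
    # Assumed standard form with g = 1 + n: c = (1 + n)^m * r^n mod n^2
    n2 = n * n
    return pow(1 + n, m, n2) * pow(random_unit(n), n, n2) % n2

def paillier_decrypt(n, lam, c):
    # m = ((c^lam mod n^2) - 1) / n * lam^{-1} mod n, division over the integers
    return (pow(c, lam, n * n) - 1) // n * pow(lam, -1, n) % n

def rsa_sign(n, d, c):
    return pow(c, d, n)                      # s = c^d mod n

def rsa_verify(n, e, s, c):
    return pow(s, e, n) == c % n             # compare with c reduced modulo n

def demo():
    n, lam, e, d = keygen(10007, 10009)      # constructed toy primes, far too small for real use
    m1, m2 = 1200, 345                       # constructed messages
    c1, c2 = paillier_encrypt(n, m1), paillier_encrypt(n, m2)
    s1, s2 = rsa_sign(n, d, c1), rsa_sign(n, d, c2)
    c12 = c1 * c2 % (n * n)                  # product of ciphertexts
    s12 = s1 * s2 % n                        # product of the two signatures
    return {
        "each_sig_ok": rsa_verify(n, e, s1, c1) and rsa_verify(n, e, s2, c2),
        "decrypted_sum": paillier_decrypt(n, lam, c12),
        "product_sig_ok": rsa_verify(n, e, s12, c12),
        "altered_sig_ok": rsa_verify(n, e, (s12 + 1) % n, c12),
    }
```
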

Security proof
Let us assume that the message $m$ is encrypted using the Paillier algorithm, obtaining a ciphertext $c$ which is signed by the RSA signature.
According to [3,4], we assume that the Paillier encryption scheme is indistinguishable encryption under a chosen-plaintext attack if the random encryption number $r$ is chosen as a random element in $\mathbb{Z}_n^*$. We assume that in this case Paillier encryption is performed correctly and we will follow this assumption. Then the ciphertext $c$ corresponding to the message $m$ is uniformly distributed in $\mathbb{Z}_{n^2}^*$ if $r$ is uniformly distributed in $\mathbb{Z}_n^*$.
In [1], the authors introduced the RSA Full-Domain-Hash (FDH) function, which can be applied for signing with the RSA signature scheme. It was shown in [1] and [2] that this scheme is provably secure, i.e. existentially unforgeable under adaptive chosen-message attacks in the random oracle model, assuming that inverting RSA, i.e. extracting a root modulo a composite integer, is hard.
We now prove the following proposition:
This implies that the element $z$ as a function of $r$ is strongly universal as defined by Wegman and Carter in [7]. In [6] Vaudenay defines this property as a perfect 1-wise decorrelation (as denoted by the author). Vaudenay showed in [6] that in this case our scheme is secure against chosen plaintext attack (CPA) and chosen ciphertext attack (CCA) respectively (Theorem 7). Hence we have proved the following proposition:
The security of the RSA signature now relies on the multiplicative order of $z$, which is denoted by $\operatorname{ord}_n(z)$. To simplify the security analysis, we can use Sophie Germain primes $p'$ and $q'$ (hence $p = 2p' + 1$ and $q = 2q' + 1$ are primes) to construct the modulus $n$. In this case the maximal multiplicative order of $\mathbb{Z}_n^*$ is defined by the value of the Carmichael function $\lambda(n) = 2p'q'$. The latter expression is also the canonical representation of $\lambda(n)$, i.e. only 8 distinct divisors of $\lambda = \lambda(n)$ exist. Hence there are only 8 possible values of $\operatorname{ord}_n(z)$, since, due to the Lagrange theorem, $\operatorname{ord}_n(z)$ divides $\lambda$. To ensure security of the RSA signature we have to exclude small values of $\lambda$, i.e. 1 and 2, which is possible by checking if the following congruences hold:
In case of at least one correct identity the ciphertext $c$ has to be recalculated, i.e. the Paillier encryption algorithm is executed with a different value of $r$. We assume that none of the latter congruences hold. In this case the element $z$ generates a significantly large subgroup $\langle z \rangle$ of cardinality $\operatorname{ord}_n(z)$.
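
The order check described above can be exercised on a toy modulus. This Python sketch is an added example, not the authors' code: it assumes the two congruences are z ≡ 1 and z² ≡ 1 (mod n), which is what excluding orders 1 and 2 amounts to, and it assumes the standard Paillier form with generator 1 + n. The primes 29 and 41 are constructed toy values.

```python
import math
import secrets

P1, Q1 = 29, 41                        # constructed toy Sophie Germain primes p', q'
P, Q = 2 * P1 + 1, 2 * Q1 + 1          # safe primes 59 and 83
N, LAM = P * Q, 2 * P1 * Q1            # lambda(n) = lcm(p - 1, q - 1) = 2p'q'
DIVISORS = sorted(a * b * c for a in (1, 2) for b in (1, P1) for c in (1, Q1))

def order_mod_n(z):
    """ord_n(z): the smallest divisor t of lambda(n) with z^t = 1 (mod n)."""
    return next(t for t in DIVISORS if pow(z, t, N) == 1)

def has_small_order(z):
    # Assumed form of the two checks: z = 1 (order 1) or z^2 = 1 (order 2) modulo n.
    return z % N == 1 or pow(z, 2, N) == 1

def encrypt_checked(m):
    """Paillier-encrypt m, redrawing r while z = c mod n has order 1 or 2."""
    n2 = N * N
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) != 1:
            continue
        c = pow(1 + N, m, n2) * pow(r, N, n2) % n2   # assumed g = 1 + n
        if not has_small_order(c % N):
            return c

def order_histogram():
    """Number of elements of Z_n^* having each of the 8 possible orders."""
    hist = dict.fromkeys(DIVISORS, 0)
    for z in range(1, N):
        if math.gcd(z, N) == 1:
            hist[order_mod_n(z)] += 1
    return hist
```

On this modulus only 4 of the 4756 units fail the check, so a redraw of r is rare.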

Conclusions
In this paper we considered Paillier asymmetric encryption and the RSA textbook signature. We have shown that by using the same modulus $n$ we obtain a ciphertext $c$ which, reduced modulo $n$, is in RSA FDH. Hence the operation of reduction modulo $n$ can be interpreted as a hash function. Furthermore, since RSA FDH is existentially unforgeable, we have shown that a combination of the considered algorithms provides security against CPA in the random oracle model.
where $\mathrm{Enc}_{\mathrm{Pai}}(m)$ denotes the Paillier encryption of the message $m$.

Proposition 1
If Paillier encryption and RSA signature have the same modulus $n$ and message $m \in \mathbb{Z}_n$, then the ciphertext $c = \mathrm{Enc}_{\mathrm{Pai}}(m)$ obtained by Paillier encryption, taken modulo $n$, is in RSA FDH, i.e. $c \equiv z \bmod n$, $z \in \mathbb{Z}_n^*$.
Proof. It is clear that $z \in \mathbb{Z}_n^*$, since $\gcd(z, n) = 1$ iff $\gcd(c, n^2) = 1$. Hence the composition of the function $f(\cdot)$ and $\mathrm{Enc}_{\mathrm{Pai}}(m)$ represents the following mapping $f \circ \mathrm{Enc}_{\mathrm{Pai}}(m) : \mathbb{Z}_n \times \mathbb{Z}_n^* \to \mathbb{Z}_n^*$ and the range of this function is equal to the RSA domain. Now we have to show that if Paillier encryption is correct, then for any $m \in \mathbb{Z}_n$, the value $z$ is uniformly distributed in $\mathbb{Z}_n^*$ for distinct uniform values of $r$. This comes from the following two facts:
• The Paillier encryption function $\mathrm{Enc}_{\mathrm{Pai}}(m)$ is a bijection and hence the value of $c$ is distributed uniformly in $\mathbb{Z}_{n^2}^*$;
• Since there are exactly $n$ distinct values of $c$ less than $n^2$ that give the same residue modulo $n$, the values of $z$ are uniformly distributed in $\mathbb{Z}_n^*$.
Hence the function $f$ is an $n$-to-1 mapping $\mathbb{Z}_{n^2}^* \to \mathbb{Z}_n^*$ and the composition $f(\mathrm{Enc}_{\mathrm{Pai}}(m))$ can be interpreted as an H-function and as an artificial random oracle if the random number $r$ in a correct Paillier encryption scheme can be treated as random. □
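
The two facts used in the proof can be checked exhaustively on a modulus small enough to enumerate. This Python sketch is an added example, not part of the paper: it assumes f is reduction modulo n and the standard Paillier form with generator 1 + n, and uses the constructed toy primes 5 and 7.

```python
import math
from collections import Counter

P, Q = 5, 7                            # constructed toy primes so Z_{n^2}^* can be enumerated
N = P * Q
N2 = N * N

def units(k):
    """Elements of Z_k^* in increasing order."""
    return [x for x in range(1, k) if math.gcd(x, k) == 1]

def enc(m, r):
    # Assumed standard Paillier form with g = 1 + n, with r passed in explicitly
    return pow(1 + N, m, N2) * pow(r, N, N2) % N2

def enc_is_bijection():
    """First fact: (m, r) -> c maps Z_n x Z_n^* one-to-one onto Z_{n^2}^*."""
    images = {enc(m, r) for m in range(N) for r in units(N)}
    return len(images) == N * len(units(N)) and images == set(units(N2))

def preimage_counts():
    """Second fact: how many c in Z_{n^2}^* reduce to each residue z modulo n."""
    return Counter(c % N for c in units(N2))

def z_values_for(m):
    """Sorted values z = Enc(m; r) mod n as r runs once over Z_n^*."""
    return sorted(enc(m, r) % N for r in units(N))
```
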

Proposition 2
If Paillier encryption and RSA signature have the same modulus $n$ and message $m \in \mathbb{Z}_n$, then the RSA signature $s$ on the ciphertext $c$ is existentially unforgeable under CPA in the random oracle model.