Goldwasser-Micali cryptosystem

Goldwasser-Micali cryptosystem

The Goldwasser-Micali cryptosystem (GM) is an asymmetric key encryption algorithm developed by Shafi Goldwasser and Silvio Micali in 1982. GM has the distinction of being the first probabilistic public-key encryption scheme which is provably secure under standard cryptographic assumptions. However, it is not an efficient cryptosystem, as ciphertexts may be several hundred times larger than the initial plaintext. To prove the security properties of the cryptosystem, Goldwasser and Micali proposed the widely-used definition of semantic security.

Basis

The GM cryptosystem is semantically secure based on the assumed intractability of the quadratic residuosity problem modulo a composite "N" = "pq" where "p, q" are large primes. This assumption states that given ("x", "N") it is difficult to determine whether "x" is a quadratic residue modulo "N" (i.e., "x" = "y"2 mod "N" for some "y"), when the Jacobi symbol for "x" is +1. The quadratic residue problem is easily solved given the factorization of "N", while new quadratic residues may be generated by any party, even without knowledge of this factorization. The GM cryptosystem leverages this asymmetry by encrypting individual plaintext bits as either random quadratic residues or non-residues modulo "N", all with quadratic residue symbol +1. Recipients use the factorization of "N" as a secret key, and decrypt the message by testing the quadratic residuosity of the received ciphertext values.

Because Goldwasser-Micali produces a value of size approximately "|N|" to encrypt every single bit of a plaintext, GM encryption results in substantial ciphertext expansion. To prevent factorization attacks, it is recommended that "|N|" be several hundred bits or more. Thus, the scheme serves mainly as a proof of concept, and more efficient provably-secure schemes such as Elgamal have been developed since.

Because encryption is performed using a probabilistic algorithm, a given plaintext may produce very different ciphertexts each time it is encrypted. This has significant advantages, as it prevents an adversary from recognizing intercepted messages by comparing them to a dictionary of known ciphertexts.

cheme definition

Goldwasser-Micali consists of three algorithms: a probabilistic key generation algorithm which produces a public and a private key, a probabilistic encryption algorithm, and a deterministic decryption algorithm.

The scheme relies on deciding whether a given value "x" is a square mod "N", given the factorization ("p", "q") of "N". This can be accomplished using the following procedure:

#Compute "xp" = "x" mod "p", "xq" = "x" mod "q".
#If x_p^{(p-1)/2} equiv 1pmod{p} and x_q^{(q-1)/2} equiv 1pmod{q} , then "x" is a quadratic residue mod "N".

Key generation

The modulus used in GM encryption is generated in the same manner as in the RSA cryptosystem. (See RSA, key generation for details.)

#Alice generates two distinct large prime numbers "p" and "q", randomly and independently of each other.
#Alice computes "N" = "p q".
#She then finds some non-residue "x" such that the Legendre symbols satisfy left(frac{x}{p} ight)=left(frac{x}{q} ight)=-1 and hence the Jacobi symbol left(frac{x}{N} ight) is +1. The value "x" can for example be found by selecting random values and testing the two Legendre symbols. If ("p", "q") = 3 mod 4 (i.e., "N" is a Blum integer), then the value "N"-1 is guaranteed to have the required property.

The "public key" consists of "(x, N)". The secret key is the factorization "(p, q)".

Message encryption

Suppose Bob wishes to send a message "m" to Alice:

#Bob first encodes "m" as a string of bits ("m"1, ..., "mn").
#For every bit "mi", Bob generates a random value "y" less than "N". He outputs the value c_i = y^2 x^{m_i} mod "N".

Bob sends the ciphertext ("c"1, ... , "cn").

Message decryption

Alice receives ("c"1, ... , "cn"). She can recover "m" using the following procedure:

#For each "i", using the prime factorization ("p", "q"), Alice determines whether the value "ci" is a quadratic residue; if so, "mi" = 0, otherwise "mi" = 1.

Alice outputs the message "m" = ("m"1, ... , "mn").

Security properties

There is a simple reduction from breaking this cryptosystem to the problem of determining whether a random value modulo "N" with Jacobi symbol "+1" is a quadratic residue. If an algorithm "A" breaks the cryptosystem,then to determine if a given value "x" is a quadratic residue modulo "N", we test "A" to see if it can break the cryptosystem using ("x","N") as a public key. If "x" is a non-residue, then "A" should work properly. However, if "x" is a residue, then every "ciphertext" will simply be a random quadratic residue, so"A" cannot be correct more than half of the time. Furthermore, this problem is random self-reducible, which ensures that for a given "N", every public key is just as secure as every other public key.

The GM cryptosystem has homomorphic properties, in the sense that if "c"0, "c"1 are the encryptions of bits "m"0, "m"1, then "c"0"c"1 mod "N" will be an encryption of m_0 oplus m_1. For this reason, the GM cryptosystem is sometimes used in more complex cryptographic primitives.

Notes and references

* Shafi Goldwasser and Silvio Micali. Probabilistic Encryption. Journal of Computer and System Sciences (JCSS), 28(2):270-299, April 1984. Preliminary version in: 14th Annual ACM Symposium on Theory of Computing (STOC)

ee also

*Blum-Goldwasser cryptosystem


Wikimedia Foundation. 2010.

Игры ⚽ Поможем написать курсовую

Look at other dictionaries:

  • Blum-Goldwasser cryptosystem — The Blum Goldwasser (BG) cryptosystem is an asymmetric key encryption algorithm proposed by Manuel Blum and Shafi Goldwasser in 1984. Blum Goldwasser is a probabilistic, semantically secure cryptosystem with a constant size ciphertext expansion.… …   Wikipedia

  • Shafi Goldwasser — Infobox Scientist name = Shafrira Goldwasser image width = 150px caption = Shafrira Goldwasser birth date = 1958 birth place = death date = death place = residence = citizenship = nationality = ethnicity = field = Computer Science, Cryptography… …   Wikipedia

  • Benaloh cryptosystem — The Benaloh Cryptosystem is an extension of the Goldwasser Micali cryptosystem (GM) created in 1994 by Josh (Cohen) Benaloh. The main improvement of the Benaloh Cryptosystem over GM is that longer blocks of data can be encrypted at once, whereas… …   Wikipedia

  • McEliece cryptosystem — In cryptography, the McEliece cryptosystem is an asymmetric encryption algorithm developed in 1978 by Robert McEliece.[1] It was the first such scheme to use randomization in the encryption process. The algorithm has never gained much acceptance… …   Wikipedia

  • Cramer–Shoup cryptosystem — The Cramer–Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive chosen ciphertext attack using standard cryptographic assumptions. Its security is based on the… …   Wikipedia

  • Naccache–Stern cryptosystem — Note: this is not to be confused with the Naccache–Stern knapsack cryptosystem. The Naccache–Stern cryptosystem is a homomorphic public key cryptosystem whose security rests on the higher residuosity problem. The Naccache–Stern cryptosystem was… …   Wikipedia

  • Naccache–Stern knapsack cryptosystem — Note: this is not to be confused with the Naccache–Stern cryptosystem based on the higher residuosity problem. The Naccache–Stern Knapsack Cryptosystem is an atypical public key cryptosystem developed by David Naccache and Jacques Stern in 1997.… …   Wikipedia

  • Niederreiter cryptosystem — In cryptography, the Niederreiter cryptosystem is a variation of the McEliece Cryptosystem developed in 1986 by Harald Niederreiter [1]. It applies the same idea to the parity check matrix H of a linear code. Niederreiter is equivalent to… …   Wikipedia

  • Damgård–Jurik cryptosystem — The Damgård–Jurik cryptosystem[1] is a generalization of the Paillier cryptosystem. It uses computations modulo ns + 1 where n is an RSA modulus and s a (positive) natural number. Paillier s scheme is the special case with s = 1. The order φ(ns + …   Wikipedia

  • Merkle–Hellman knapsack cryptosystem — The Merkle–Hellman knapsack cryptosystem was one of the earliest public key cryptosystems invented by Ralph Merkle and Martin Hellman in 1978.[1] Although its ideas are elegant, and far simpler than RSA, it has been broken.[2] Contents 1… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”