
# Public Key Encryption

• Basic Principles

• RSA Encryption

• Rabin Public-Key Encryption

• ElGamal Public-Key Encryption

• McEliece Public-Key Encryption*

• Knapsack Public-Key Encryption

• Probabilistic Public-Key Encryption

Basic Principles

• Objectives of Adversary

• Types of Attacks

• Distributing Public Keys

• Message Blocking

Objectives of Adversary

• Broken: a public-key encryption scheme is said to be broken if the adversary attacking it can systematically recover the plaintext from the ciphertext.

• Completely Broken: if the private key of the receiver is recovered, the encryption scheme is informally said to have been completely broken!

Types of Attacks

• Chosen-Plaintext attack is not a separate attack model in the PK scenario: anyone holding the public key can already encrypt plaintexts of their choice.

• Indifferent Chosen-Ciphertext attack is the one in which the adversary is given decryptions of any ciphertexts of his choice. But these ciphertexts must be chosen before he receives the target ciphertext c.

• Adaptive Chosen-Ciphertext attack is the one in which the adversary is given access to the decryption machine of A, with the precondition that the target ciphertext c itself would not be fed to the machine. Susceptibility to this attack is perceived as a certificational weakness of a particular scheme.

Distributing Public Keys

• The PK schemes that we discuss now assume that there is a means for the sender of the message to obtain the authentic public key of the receiver. In the absence of this, the scheme is susceptible to an impersonation attack. Techniques for distributing public keys include a trusted channel (?), a trusted public file, an online trusted server, an off-line server and certificates.

Message Blocking

• Most PK systems require that the input plaintext is of a fixed size. Messages longer than this are broken into blocks, and shorter messages are padded. CBC is used to prevent manipulation of the blocks.

RSA Public-Key Encryption (Topics)

• Description

– Encryption

– Decryption

RSA Public-Key Encryption (Topics contd…)

• Security of RSA

– relation to factoring

– small encryption exponent ‘e’

– forward search attack

– small decryption exponent ‘d’

– multiplicative properties

– common modulus attack

– cycling attack

– message concealing

RSA Public-Key Encryption (Topics contd…)

• RSA in practice

– recommended size of modulus

– selecting primes

– small encryption exponents

Introduction

• very first complete PK encryption scheme

• most widely used

• could be used to provide both secrecy and authentication

• security based on intractability of the integer factorization problem

Description: Key Generation

Each entity creates an RSA public key and a corresponding private key through the following steps

– Generate two large random (and distinct) primes p and q, each roughly the same size

– Compute n = pq and φ = (p-1)(q-1)

– Select a random integer e, 1 < e < φ, such that gcd(φ, e) = 1

– Use the extended Euclidean algorithm to compute the integer d such that ed ≡ 1 (mod φ)

– A's public key is (n, e); A's private key is d

(e, d) are called the encryption exponent and decryption exponent respectively. n is called the modulus.

Description: Encryption/Decryption

(B encrypts a message m for A, which A decrypts)

Encryption: B does the following

– Obtain A's authentic public key (n, e)

– represent the message as an integer m in the interval [0, n - 1]

– compute c = m^e mod n

– send the ciphertext c to A

Decryption: A does the following

– m = c^d mod n
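The key generation, encryption and decryption steps above, written out as an added example (this is not code from the slides): the primes are small constructed values so the run is instant, 65537 is the usual choice of e, and the function names are this example's own. It needs Python 3.

```python
# Added example, not from the slides: textbook RSA key generation, encryption
# and decryption following the steps above.  The primes are constructed toy
# values (real keys use primes of hundreds of digits) and 65537 is the usual
# choice of e; function names are this example's own.
from math import gcd


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def rsa_keygen(p, q, e):
    """Return ((n, e), d) for distinct primes p, q and a chosen exponent e."""
    assert p != q
    n = p * q
    phi = (p - 1) * (q - 1)
    assert 1 < e < phi and gcd(e, phi) == 1, "e must be coprime to phi"
    _, x, _ = egcd(e, phi)           # e*x + phi*y = 1, so x = e^-1 (mod phi)
    d = x % phi
    assert (e * d) % phi == 1
    return (n, e), d


def rsa_encrypt(pub, m):
    """c = m^e mod n; m must already be an integer in [0, n-1]."""
    n, e = pub
    assert 0 <= m < n, "message must be an integer in [0, n-1]"
    return pow(m, e, n)


def rsa_decrypt(d, n, c):
    """m = c^d mod n."""
    return pow(c, d, n)


def bytes_to_int(b):
    return int.from_bytes(b, "big")


def int_to_bytes(x, length):
    return x.to_bytes(length, "big")


if __name__ == "__main__":
    pub, d = rsa_keygen(p=1000003, q=1000033, e=65537)   # constructed toy primes
    n, e = pub
    m = bytes_to_int(b"hi")          # a 2-byte message fits below n (about 10^12)
    c = rsa_encrypt(pub, m)
    assert int_to_bytes(rsa_decrypt(d, n, c), 2) == b"hi"
    print("n =", n, "e =", e, "d =", d, "c =", c)
```

The `assert 0 <= m < n` check is the "represent the message as an integer in [0, n-1]" step made explicit; a message that does not fit must be blocked or hashed first, as the Message Blocking slide notes.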

Security of RSA

• relation to Factoring

• small encryption exponent e

• forward search attack

• small decryption exponent d

• multiplicative properties

• common modulus attack

• cyclic attacks

• message concealing

Security of RSA: relation to factoring

• One possible approach to attacking RSA is to factor n. Once the factors of n are known, computing d from e is simple.

• Conversely, if one knows e and d, one can factor n (the algorithm is probabilistic).

• Hence the problem of computing the RSA decryption exponent d from the public key (n, e) and the problem of factoring n are computationally equivalent.
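Both directions of the equivalence, as an added example that is not part of the slides. The easy direction is one modular inverse. For the other direction this example uses a deterministic shortcut rather than the randomized textbook method: because d < φ(n), e·d - 1 = k·φ(n) for some k < e, so sweeping k recovers φ(n), and from φ(n) the primes follow because p + q = n - φ(n) + 1. The key is a constructed toy; the function names are this example's own; Python 3.8+ is assumed for `isqrt` and `pow(e, -1, m)`.

```python
# Added example, not from the slides: turning a known RSA decryption exponent
# into the factorization of n (the non-obvious direction of the equivalence).
# Since d < phi(n), e*d - 1 = k*phi(n) for some 1 <= k < e, so a sweep over k
# recovers phi(n); then p + q = n - phi(n) + 1 and (p - q)^2 = (p + q)^2 - 4n.
# The textbook method instead uses a random base and square roots of 1 mod n;
# this deterministic version is enough for the toy key constructed here.
from math import isqrt


def factor_from_d(n, e, d):
    """Return (p, q) with p < q and p*q == n, or None if (n, e, d) is inconsistent."""
    k_phi = e * d - 1                    # = k * phi(n) with 1 <= k < e
    for k in range(1, e):
        if k_phi % k:
            continue
        phi = k_phi // k
        s = n - phi + 1                  # candidate p + q
        disc = s * s - 4 * n             # (p + q)^2 - 4pq = (p - q)^2
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r != disc:
            continue
        p, q = (s - r) // 2, (s + r) // 2
        if p > 1 and p * q == n:
            return p, q
    return None


def d_from_factors(factors, e):
    """The easy direction: knowing p and q, d is just the inverse of e mod phi."""
    p, q = factors
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    p, q, e = 1000003, 1000033, 65537     # constructed toy key
    n = p * q
    d = d_from_factors((p, q), e)
    print("recovered factors:", factor_from_d(n, e, d))   # (1000003, 1000033)
```

The practical consequence for a defender is the one the slide states: a leaked d is a leaked factorization, so a private exponent cannot be rotated independently of the modulus.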

Security of RSA: small encryption exponent e

• In order to increase the efficiency of the computation it is desirable to use a small exponent like 3. But then one should be careful: the weakness arises when the sender sends the same message to 3 or more receivers, each with their own modulus, since the ciphertexts can be combined by the Chinese Remainder Theorem. Thanks to Gauss and the Chinese mathematicians!

• Small exponents are a problem for small messages also: if m^e < n, one can find m by computing the integer e-th root c^(1/e).

• For both, salt the message.

Security of RSA: forward search attack

• When the message space is too small, one can just exhaustively encrypt all candidate messages and compare with the ciphertext. Key size does not help here. Salting is a solution here too.
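The small-message root and the forward search from the two slides above, together with the effect of salting, as one added example that is not part of the slides. The RSA key is a constructed toy (both primes are 2 mod 3 so that e = 3 is valid), the salt layout is an illustration only (real schemes use standardised padding such as OAEP), and the names are this example's own. Python 3.8+ is assumed for `pow(e, -1, m)`.

```python
# Added example, not from the slides: the two small-exponent/small-message
# weaknesses described above on a constructed toy RSA key, and what salting
# the message does to both.  The salt scheme here is illustrative only.
import os

# constructed toy key: both primes are 2 mod 3, so e = 3 is a valid exponent
P, Q, E = 999983, 1000037, 3
N = P * Q                                  # about 2^40
D = pow(E, -1, (P - 1) * (Q - 1))


def iroot(x, e):
    """Largest integer r with r**e <= x (binary search, exact integers)."""
    lo, hi = 0, 1 << (x.bit_length() // e + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** e <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def unpadded_small_message_root(n, e, c):
    """If m^e < n, no modular reduction happened: c is literally m^e and the
    integer e-th root returns m.  Otherwise the root check fails -> None."""
    m = iroot(c, e)
    return m if m ** e == c else None


def forward_search(n, e, c, candidates):
    """Deterministic encryption: anyone can encrypt each candidate and compare."""
    for m in candidates:
        if pow(m, e, n) == c:
            return m
    return None


def salted_encrypt(n, e, m, msg_bits, salt_bits, salt=None):
    """Encrypt the integer (salt || m).  The top salt bit is forced to 1 so the
    padded value is always full width, which keeps the demonstration deterministic."""
    assert 0 <= m < (1 << msg_bits) and (1 << (msg_bits + salt_bits)) < n
    if salt is None:
        salt = int.from_bytes(os.urandom(salt_bits // 8), "big")
    salt = (salt & ((1 << salt_bits) - 1)) | (1 << (salt_bits - 1))
    return pow((salt << msg_bits) | m, e, n)


def salted_decrypt(n, d, c, msg_bits):
    """Decrypt and strip the salt."""
    return pow(c, d, n) & ((1 << msg_bits) - 1)


if __name__ == "__main__":
    m = 0x41                               # a one-byte message: m^3 is far below N
    c = pow(m, E, N)
    print("root recovery :", unpadded_small_message_root(N, E, c))   # 65
    print("forward search:", forward_search(N, E, c, range(256)))    # 65
    cs = salted_encrypt(N, E, m, msg_bits=8, salt_bits=24)
    print("salted, root  :", unpadded_small_message_root(N, E, cs))  # not 65
    print("salted, search:", forward_search(N, E, cs, range(256)))   # None
    print("salted decrypt:", salted_decrypt(N, D, cs, 8))            # 65
```

With the salt in place the encrypted integer is at least 2^31, so its cube wraps around N and the root check fails, and no candidate in the 256-element message space encrypts to the salted ciphertext. Note that the salt must be random per encryption; a fixed salt would restore the forward search.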

Security of RSA: small decryption exponent d

• If gcd(p-1, q-1) is small, as is typically the case, and if d has up to approximately one-quarter as many bits as n, there are multiple attacks possible for computing d.

– Due to Wiener

– Square-root discrete logarithm algorithms such as Pollard's rho algorithm

Security of RSA: Multiplicative properties

• The ciphertext corresponding to m1·m2 mod n is c1·c2 mod n. This is referred to as the homomorphic property of RSA.

• One can devise a chosen-ciphertext attack exploiting this property.

• A structural restriction on the plaintext messages (so that a product of two valid plaintexts is not itself a valid plaintext) can avoid this.
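The homomorphic property checked directly, followed by one kind of structural restriction, as an added example that is not part of the slides: every plaintext carries a 16-bit checksum of its payload, so the product of two well-formed plaintexts is not well-formed and a checking decryptor rejects it. The toy key and the checksum rule are constructed for this example; the names are this example's own; Python 3.8+ is assumed for `pow(e, -1, m)`.

```python
# Added example, not from the slides: the multiplicative property of textbook
# RSA, and a structural plaintext restriction (payload || 16-bit checksum) that
# makes a product ciphertext decrypt to something the receiver refuses.
P, Q, E = 999983, 1000037, 3          # constructed toy primes, both 2 mod 3
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

TAG_BITS = 16
TAG_MOD = 65521                        # largest prime below 2^16


def encrypt(m):
    assert 0 <= m < N
    return pow(m, E, N)


def decrypt(c):
    return pow(c, D, N)


def homomorphic_property_holds(m1, m2):
    """D(E(m1) * E(m2) mod n) == m1 * m2 mod n."""
    c = (encrypt(m1) * encrypt(m2)) % N
    return decrypt(c) == (m1 * m2) % N


def encode(payload):
    """Well-formed plaintext: (payload || payload mod 65521) as one integer."""
    m = (payload << TAG_BITS) | (payload % TAG_MOD)
    assert m < N, "payload too large for this modulus"
    return m


def decode_checked(m):
    """Return the payload if the checksum matches, otherwise None."""
    payload, tag = m >> TAG_BITS, m & ((1 << TAG_BITS) - 1)
    return payload if tag == payload % TAG_MOD else None


def decrypt_checked(c):
    """A decryptor that refuses plaintexts violating the structure."""
    return decode_checked(decrypt(c))


if __name__ == "__main__":
    print(homomorphic_property_holds(1234, 5678))             # True
    c_ok = encrypt(encode(1234))
    print(decrypt_checked(c_ok))                              # 1234
    c_prod = (c_ok * encrypt(encode(2))) % N                  # product of two ciphertexts
    print(decrypt(c_prod) == (encode(1234) * encode(2)) % N)  # True: still homomorphic
    print(decrypt_checked(c_prod))                            # None: structure check fails
```

The arithmetic is unchanged (the product still decrypts to the product), which is why the restriction has to live in the plaintext format and be enforced by the decryptor: a decryptor that returns raw integers gives the homomorphism away.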

Security of RSA: Common Modulus Attack

• If a single modulus n is shared and different key pairs (e_i, d_i), (e_j, d_j) are selected for different entities, one entity can find the private key of the other from its public key.

• If a single message were encrypted and sent to two or more entities in the network, then an eavesdropper can potentially recover the message with high probability using only publicly available information.

Rabin public-key encryption

• The first example of a provably-secure public-key encryption scheme.

• The problem faced by the adversary to recover the plaintext is computationally equivalent to factoring (no such equivalence is known for RSA).

Encryption & Decryption

1. Encryption. Compute c = m^2 mod n.

2. Decryption. Find the four square roots m1, m2, m3 and m4 of c modulo n. The message sent was one of m1, m2, m3 or m4.

Finding Square roots (c mod n = pq, p ≡ q ≡ 3 mod 4)

Using the extended Euclidean algorithm find integers a, b such that ap + bq = 1.

Compute r = c^((p+1)/4) mod p and s = c^((q+1)/4) mod q.

Compute x = (aps + bqr) mod n.

Compute y = (aps - bqr) mod n.

The four square roots of c modulo n are x, -x mod n, y and -y mod n.
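Rabin encryption and the four-root decryption above, as an added example that is not part of the slides. The CRT combination is done exactly as the slide states; the Bezout coefficients are obtained with a modular inverse instead of a hand-written extended Euclid. The primes are constructed toys (both 3 mod 4); names are this example's own; Python 3.8+ is assumed for `pow(p, -1, q)`.

```python
# Added example, not from the slides: Rabin encryption and square-root
# decryption with p = q = 3 (mod 4), on constructed toy primes.


def rabin_keygen(p, q):
    assert p % 4 == 3 and q % 4 == 3 and p != q
    return p * q, (p, q)


def rabin_encrypt(n, m):
    assert 0 <= m < n
    return pow(m, 2, n)


def bezout(p, q):
    """Integers (a, b) with a*p + b*q = 1 (p, q distinct primes)."""
    a = pow(p, -1, q)            # a*p = 1 (mod q)
    b = (1 - a * p) // q         # exact, since 1 - a*p is a multiple of q
    return a, b


def rabin_square_roots(c, p, q):
    """The four square roots of c modulo n = pq when p = q = 3 (mod 4)."""
    n = p * q
    a, b = bezout(p, q)
    r = pow(c, (p + 1) // 4, p)          # a square root of c mod p
    s = pow(c, (q + 1) // 4, q)          # a square root of c mod q
    x = (a * p * s + b * q * r) % n      # x = r (mod p), x = s (mod q)
    y = (a * p * s - b * q * r) % n      # y = -r (mod p), y = s (mod q)
    return {x, (-x) % n, y, (-y) % n}


if __name__ == "__main__":
    n, priv = rabin_keygen(999983, 1000003)
    m = 123456789
    c = rabin_encrypt(n, m)
    roots = rabin_square_roots(c, *priv)
    print(sorted(roots), m in roots)     # four candidates; the real m is among them
```

The four candidates are all the receiver gets; picking the right one needs redundancy in the plaintext, which is the "avoiding ambiguity" point of the next slide.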

Security of Rabin PK System

• Obtaining the plaintext from the ciphertext is equivalent to the modular square root problem.

• The modular square root problem is equivalent to factoring n.

• Hence the Rabin system is provably secure.

Rabin PK System in practice

• avoiding ambiguity among the four square roots

• protecting against chosen ciphertext attack

ElGamal: Key Generation

Security based on the intractability of the discrete logarithm problem and the Diffie-Hellman problem

Generate a large random prime p and a generator α of the multiplicative group Z_p* of the integers modulo p

Select a random integer a, 1 ≤ a ≤ p-2, and compute α^a mod p

A's public key is (p, α, α^a); A's private key is a.

ElGamal: Encryption & Decryption

Encryption

Select a random integer k, 1 ≤ k ≤ p-2.

Compute γ = α^k mod p and δ = m · (α^a)^k mod p.

Ciphertext c = (γ, δ)

Decryption

m = γ^(p-1-a) · δ mod p

ElGamal: In Practice

Traffic Reduction: all entities could use the same p and generator α

Computation Speed-up: speeding up the computation using addition-chain exponentiation

Tradeoff: a large modulus p is required in this case

Encryption involves two exponentiations. The process can be sped up by selecting exponents having low Hamming weight (beware of the Baby-Step Giant-Step algorithm; choose a large enough exponent)

Message expansion by a factor of 2

Inherently randomized encryption

Security related to the Diffie-Hellman problem (intractability of the discrete logarithm problem)

Different encryptions should use different k
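ElGamal key generation, encryption and decryption as specified on the preceding slides, plus a check of the last remark above (why k must not be reused), as one added example that is not part of the slides. The prime is a constructed toy whose generator is found by testing the prime factors of p - 1; the private key and all names are this example's own; Python 3.8+ is assumed for `pow(x, -1, p)`.

```python
# Added example, not from the slides: ElGamal on a constructed toy prime, and
# the k-reuse problem: two ciphertexts made with the same k share gamma, and
# delta2 * m1 / delta1 = m2, so one known plaintext reveals the other.
import random

P = 1000003                        # constructed toy prime (p - 1 = 2 * 3 * 166667)


def prime_factors(n):
    """Trial division; fine for the toy sizes used here."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out


def is_generator(alpha, p):
    """alpha generates Z_p* iff alpha^((p-1)/r) != 1 for every prime r dividing p-1."""
    return all(pow(alpha, (p - 1) // r, p) != 1 for r in prime_factors(p - 1))


def keygen(p, rng=None):
    rng = rng or random.SystemRandom()
    alpha = next(g for g in range(2, p) if is_generator(g, p))
    a = rng.randrange(1, p - 1)               # 1 <= a <= p-2
    return (p, alpha, pow(alpha, a, p)), a


def encrypt(pub, m, k):
    """k is taken as a parameter so that reuse can be demonstrated; real code
    draws a fresh random k in [1, p-2] for every message."""
    p, alpha, alpha_a = pub
    assert 1 <= k <= p - 2 and 0 < m < p
    gamma = pow(alpha, k, p)
    delta = (m * pow(alpha_a, k, p)) % p
    return gamma, delta


def decrypt(pub, a, c):
    p = pub[0]
    gamma, delta = c
    return (pow(gamma, p - 1 - a, p) * delta) % p


def k_reuse_leak(c1, m1, c2, p):
    """If c1 and c2 were made with the same k (same gamma), return m2; else None."""
    (g1, d1), (g2, d2) = c1, c2
    if g1 != g2:
        return None
    return (d2 * m1 * pow(d1, -1, p)) % p


if __name__ == "__main__":
    pub, a = keygen(P)
    c = encrypt(pub, 424242, k=12345)
    print(decrypt(pub, a, c))                                   # 424242
    c1, c2 = encrypt(pub, 1111, k=999), encrypt(pub, 2222, k=999)
    print(k_reuse_leak(c1, 1111, c2, P))                        # 2222, without the private key
```

A repeated gamma in captured ciphertexts is therefore an observable symptom worth alerting on; the check needs nothing but the public values.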

Knapsack public-key encryption

Based on Subset-Sum problem (NP-complete)

• Merkle-Hellman Knapsack problem

• Chor-Rivest Knapsack problem

Merkle-Hellman Knapsack Encryption

Attempts to disguise a superincreasing subset-sum problem by a permutation and a modular multiplication

Merkle-Hellman: Key Generation

n is a fixed system parameter

Choose a superincreasing sequence (b1, b2, …, bn) and a modulus M such that M > b1 + b2 + … + bn

Select W, 1 ≤ W ≤ M-1, gcd(W, M) = 1

Select a random permutation π of the integers {1, 2, …, n}

Compute a_i = W·b_π(i) mod M for i = 1, 2, …, n

A's public key is (a1, a2, …, an); A's private key is (π, M, W, (b1, b2, …, bn))

Merkle-Hellman: Encryption, Decryption

Encryption

Represent the message m as a binary string of length n, m = m1 m2 … mn.

Compute the integer c = m1·a1 + m2·a2 + … + mn·an

Decryption

Compute d = (W^(-1) · c) mod M

Find integers r1, r2, …, rn, r_i ∈ {0, 1}, such that d = r1·b1 + r2·b2 + … + rn·bn (easy because the sequence is superincreasing)

The message bits are m_i = r_π(i), i = 1, 2, …, n.
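The key generation, encryption and decryption above as one added example that is not part of the slides. The superincreasing sequence, M and W are generated at random (a 0-based permutation stands in for π); the greedy solver is the step "find r_i such that d = Σ r_i b_i"; all names are this example's own. Python 3.8+ is assumed for `pow(W, -1, M)`.

```python
# Added example, not from the slides: Merkle-Hellman knapsack key generation,
# encryption and decryption on constructed random parameters.
import random
from math import gcd


def superincreasing(n, rng):
    """Each element exceeds the sum of all previous ones."""
    seq, total = [], 0
    for _ in range(n):
        b = total + rng.randrange(1, 100)
        seq.append(b)
        total += b
    return seq


def keygen(n, rng=None):
    rng = rng or random.SystemRandom()
    b = superincreasing(n, rng)
    M = sum(b) + rng.randrange(1, 1000)       # M > b1 + ... + bn
    W = rng.randrange(1, M)
    while gcd(W, M) != 1:
        W = rng.randrange(1, M)
    pi = list(range(n))                        # 0-based permutation of {0..n-1}
    rng.shuffle(pi)
    a = [(W * b[pi[i]]) % M for i in range(n)]   # a_i = W * b_pi(i) mod M
    return a, (pi, M, W, b)


def encrypt(a, bits):
    """c = sum m_i * a_i over the message bits."""
    assert len(bits) == len(a) and all(m in (0, 1) for m in bits)
    return sum(m * ai for m, ai in zip(bits, a))


def solve_superincreasing(b, d):
    """Greedy from the largest element; returns r with sum r_i b_i = d, or None."""
    r = [0] * len(b)
    for j in range(len(b) - 1, -1, -1):
        if d >= b[j]:
            r[j] = 1
            d -= b[j]
    return r if d == 0 else None


def decrypt(priv, c):
    pi, M, W, b = priv
    d = (pow(W, -1, M) * c) % M                # undo the modular multiplication
    r = solve_superincreasing(b, d)            # the disguised problem is now easy
    return [r[pi[i]] for i in range(len(b))]   # m_i = r_pi(i)


if __name__ == "__main__":
    pub, priv = keygen(16)
    bits = [int(x) for x in format(0x6F6B, "016b")]   # the bytes "ok" as 16 bits
    c = encrypt(pub, bits)
    print(c, decrypt(priv, c) == bits)
```

The decryption works because Σ b_i < M, so d is the true subset sum and not a reduced one; choosing M smaller than that sum would make the greedy step fail.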

Merkle-Hellman: In practice

There is a known polynomial-time algorithm for breaking the basic Merkle-Hellman scheme, by reducing the subset-sum problem to the problem of finding a short vector in a lattice

Chor-Rivest Knapsack Encryption

The only knapsack public-key encryption scheme that does not use some form of modular multiplication to disguise a subset-sum problem

Chor-Rivest: Key Generation

Finite field F_q of characteristic p, where q = p^h, p > h, and for which the discrete logarithm problem is feasible.

Select a random monic irreducible polynomial f(x) of degree h over Z_p. The elements of F_q will be represented as polynomials in Z_p[x] of degree less than h, with multiplication performed modulo f(x).

Select a random primitive element g(x) of the field F_q.

For each ground field element i ∈ Z_p, find the discrete logarithm a_i = log_g(x) (x + i) of the field element (x + i) to the base g(x).

Select a random permutation π on the set of integers {0, 1, 2, …, p-1}

Select a random integer d, 0 ≤ d ≤ p^h - 2.

Compute c_i = (a_π(i) + d) mod (p^h - 1), 0 ≤ i ≤ p-1.

A's public key is ((c0, c1, …, c_(p-1)), p, h); A's private key is (f(x), g(x), π, d).

Chor-Rivest: Encryption

Represent the message m as a binary string of length ⌊lg bin(p, h)⌋, where bin(p, h) is the binomial coefficient (p choose h).

Consider m as the binary representation of an integer. Transform this integer into a binary vector M = (M0, M1, …, M_(p-1)) of length p having exactly h 1's as follows

i. Set l = h

ii. For i from 1 to p do the following:

If m ≥ bin(p-i, l), then set M_(i-1) = 1, m = m - bin(p-i, l), l = l - 1; otherwise set M_(i-1) = 0

Compute c =
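The integer-to-vector transformation above, with its inverse, as an added example that is not part of the slides (the slides do not show the decoding direction; it follows by adding back the same binomial coefficients). The names are this example's own, and Python 3.8+ is assumed for `math.comb`.

```python
# Added example, not from the slides: mapping an integer m < bin(p, h) to a
# length-p binary vector of weight exactly h (the Chor-Rivest encoding step)
# and mapping it back.
from math import comb


def message_bits(p, h):
    """floor(lg bin(p, h)): every integer of that many bits is below bin(p, h)."""
    return comb(p, h).bit_length() - 1


def int_to_weight_vector(m, p, h):
    """Steps i and ii of the slide.  comb(n, k) is 0 when k > n, which forces
    the remaining positions to 1 once fewer than l positions are left."""
    assert 0 <= m < comb(p, h)
    M, l = [0] * p, h
    for i in range(1, p + 1):
        if m >= comb(p - i, l):
            M[i - 1] = 1
            m -= comb(p - i, l)
            l -= 1
        else:
            M[i - 1] = 0
    return M


def weight_vector_to_int(M, p, h):
    """Inverse of int_to_weight_vector: add back each subtracted coefficient."""
    assert len(M) == p and sum(M) == h
    m, l = 0, h
    for i in range(1, p + 1):
        if M[i - 1] == 1:
            m += comb(p - i, l)
            l -= 1
    return m


if __name__ == "__main__":
    p, h = 7, 3
    print("message bits:", message_bits(p, h))            # 5 (bin(7,3) = 35)
    for m in range(comb(p, h)):
        v = int_to_weight_vector(m, p, h)
        assert sum(v) == h and weight_vector_to_int(v, p, h) == m
        print(m, v)
```

Running the block lists all 35 weight-3 vectors in the order the encoding induces, which is a quick way to see that the map is a bijection on [0, bin(p, h)).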

Probabilistic Public-Key Encryption

Deterministic Encryption Systems

– The same message always gets encrypted to the same ciphertext

– In RSA, 0 and 1 get encrypted to themselves

– In RSA, the adversary can get one bit of information (the Jacobi symbol) from the encrypted message

– Random padding helps, but the resulting schemes are generally not provably secure!!

Probabilistic Public-Key Encryption

PPKE utilizes randomness to attain provable security

Polynomially Secure: if given two messages m1, m2 and their encryptions, the adversary can't match the ciphertexts to the messages with probability significantly greater than ½

A PK scheme is semantically secure if any information about the plaintext that an adversary can compute in polynomial time from the ciphertext could also be computed without the ciphertext.

Probabilistic Public-Key Encryption

Perfect Secrecy Vs. Semantic Security

PPKE Schemes

Goldwasser-Micali Probabilistic Encryption

Blum-Goldwasser probabilistic Encryption

Goldwasser-Micali Probabilistic Encryption

Semantically secure assuming the intractability of the quadratic residuosity problem

Key Generation

Select two large random (and distinct) primes p and q, each roughly the same size.

Compute n = pq.

Select a y ∈ Z_n such that y is a quadratic non-residue modulo n and the Jacobi symbol (y/n) = 1

A's public key is (n, y); A's private key is the pair (p, q)

Encryption

Represent the message m as a binary string m = m1 m2 … mt of length t.

For i from 1 to t do:

i. Pick an x ∈ Z_n* at random

ii. If m_i = 1, then set c_i ← y·x^2 mod n; otherwise set c_i ← x^2 mod n.

Send the t-tuple c = (c1, c2, …, ct)

Decryption

For i from 1 to t do:

i. Compute the Legendre symbol e_i = (c_i / p)

ii. If e_i = 1 then set m_i ← 0; otherwise m_i ← 1

The decrypted message is m = m1 m2 … mt

Proof that decryption works

If a message bit m_i is 0, then c_i = x^2 mod n is a quadratic residue modulo n. If a message bit is 1, then c_i = y·x^2 mod n is a pseudosquare modulo n (a non-residue whose Jacobi symbol is 1).

The same distinction holds modulo p: c_i is a quadratic residue modulo p exactly when m_i = 0, and that is what the Legendre symbol (c_i / p) detects.
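Goldwasser-Micali key generation, encryption and decryption as described on the preceding slides, together with the Legendre and Jacobi symbol computations the proof relies on, as one added example that is not part of the slides. It also checks the earlier remark that in deterministic RSA the Jacobi symbol of the ciphertext gives away one bit of the plaintext (for odd e, (m^e / n) = (m / n)). The primes are constructed toys and the names are this example's own.

```python
# Added example, not from the slides: Goldwasser-Micali on constructed toy
# primes, plus Legendre/Jacobi symbols and the one-bit RSA leak they expose.
import random
from math import gcd


def legendre(a, p):
    """Euler's criterion: 1 if a is a QR mod prime p, -1 if not, 0 if p | a."""
    t = pow(a, (p - 1) // 2, p)
    return -1 if t == p - 1 else t


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computable without factoring n."""
    assert n > 0 and n % 2 == 1
    a, result = a % n, 1
    while a:
        while a % 2 == 0:                # pull out factors of 2
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                      # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def keygen(p, q):
    """y must be a non-residue mod both p and q: then (y/n) = (-1)(-1) = 1
    while y is still a non-residue modulo n (a pseudosquare)."""
    n = p * q
    y = next(y for y in range(2, n) if legendre(y, p) == -1 and legendre(y, q) == -1)
    return (n, y), (p, q)


def encrypt(pub, bits, rng=None):
    n, y = pub
    rng = rng or random.SystemRandom()
    out = []
    for b in bits:
        x = rng.randrange(1, n)
        while gcd(x, n) != 1:            # x in Z_n*
            x = rng.randrange(1, n)
        out.append((y * x * x) % n if b == 1 else (x * x) % n)
    return out


def decrypt(priv, cts):
    p, _ = priv
    return [0 if legendre(c, p) == 1 else 1 for c in cts]


def rsa_jacobi_leak(n, e, m):
    """Deterministic RSA with odd e: the Jacobi symbol of c equals that of m."""
    return jacobi(pow(m, e, n), n) == jacobi(m, n)


if __name__ == "__main__":
    pub, priv = keygen(999983, 1000003)
    bits = [1, 0, 1, 1, 0, 0, 1, 0]
    cts = encrypt(pub, bits)
    print(decrypt(priv, cts) == bits, jacobi(pub[1], pub[0]))   # True 1
    print(rsa_jacobi_leak(pub[0], 65537, 123456))               # True
```

Each ciphertext element is a full residue modulo n for a single plaintext bit, which is the lg n message expansion the next slide mentions; every c_i has Jacobi symbol 1 whether the bit is 0 or 1, so the public Jacobi computation learns nothing, unlike the RSA case.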

Security et al.

Quadratic Residuosity problem: given an odd composite integer n and a ∈ J_n (the set of a with Jacobi symbol (a/n) = 1), decide whether or not a is a quadratic residue modulo n

When n is of the form pq, a ∈ J_n is a quadratic residue iff (a/p) = 1

Message expansion by a factor of lg n. But some amount of message expansion is unavoidable in probabilistic schemes

Blum-Goldwasser probabilistic Encryption

One of the most efficient PPKE schemes

Comparable to RSA in terms of speed and message expansion

Semantically secure assuming intractability of integer factorization

Key Generation

Select two large random (and distinct) primes p, q, each congruent to 3 modulo 4.

Compute n = pq.

Compute integers a and b such that ap + bq = 1.

Public key is n; private key is (p, q, a, b)

Encryption

k = ⌊lg n⌋ and h = ⌊lg k⌋. Represent the message m as a string m = m1 m2 … mt of length t, where each m_i is a binary string of length h

Select as a seed x0 a random quadratic residue modulo n.

For i from 1 to t do the following:

i. Compute x_i = x_(i-1)^2 mod n

ii. Let p_i be the h least significant bits of x_i

iii. Compute c_i = p_i ⊕ m_i

Compute x_(t+1) = x_t^2 mod n

Ciphertext c = (c1, c2, …, ct, x_(t+1))

Decryption

Compute d1 = ((p + 1)/4)^(t+1) mod (p - 1)

Compute d2 = ((q + 1)/4)^(t+1) mod (q - 1)

Compute u = x_(t+1)^d1 mod p

Compute v = x_(t+1)^d2 mod q

Compute x0 = (v·a·p + u·b·q) mod n

For i from 1 to t do the following:

i. Compute x_i = x_(i-1)^2 mod n

ii. Let p_i be the h least significant bits of x_i

iii. Compute m_i = p_i ⊕ c_i
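Blum-Goldwasser encryption and decryption as specified above, as an added example that is not part of the slides. Messages are passed as a list of h-bit integers (the m_i), the seed x0 is a random square coprime to n, and the private exponents d1, d2 recover x0 from x_(t+1) exactly as the slide states. The primes are constructed toys and the names are this example's own; Python 3.8+ is assumed for `pow(p, -1, q)`.

```python
# Added example, not from the slides: Blum-Goldwasser on constructed toy
# primes (both 3 mod 4).  Each squaring yields h fresh pad bits; decryption
# walks back to x0 with the private exponents and replays the same pad.
import random
from math import gcd


def keygen(p, q):
    assert p % 4 == 3 and q % 4 == 3 and p != q
    a = pow(p, -1, q)                  # a*p = 1 (mod q)
    b = (1 - a * p) // q               # so a*p + b*q = 1 exactly
    return p * q, (p, q, a, b)


def params(n):
    """k = floor(lg n), h = floor(lg k): bits per block."""
    k = n.bit_length() - 1
    h = k.bit_length() - 1
    return k, h


def bg_encrypt(n, blocks, rng=None):
    k, h = params(n)
    mask = (1 << h) - 1
    assert all(0 <= m <= mask for m in blocks)
    rng = rng or random.SystemRandom()
    r = rng.randrange(2, n)
    while gcd(r, n) != 1:
        r = rng.randrange(2, n)
    x = pow(r, 2, n)                   # seed x0: a random quadratic residue
    cts = []
    for m in blocks:
        x = pow(x, 2, n)               # x_i = x_{i-1}^2 mod n
        cts.append((x & mask) ^ m)     # c_i = p_i xor m_i
    x_last = pow(x, 2, n)              # x_{t+1}
    return cts, x_last


def bg_decrypt(priv, cts, x_last):
    p, q, a, b = priv
    n = p * q
    k, h = params(n)
    mask = (1 << h) - 1
    t = len(cts)
    d1 = pow((p + 1) // 4, t + 1, p - 1)
    d2 = pow((q + 1) // 4, t + 1, q - 1)
    u = pow(x_last, d1, p)             # x0 mod p (square roots, t+1 times)
    v = pow(x_last, d2, q)             # x0 mod q
    x = (v * a * p + u * b * q) % n    # x0 by CRT
    out = []
    for c in cts:
        x = pow(x, 2, n)
        out.append((x & mask) ^ c)     # m_i = p_i xor c_i
    return out


if __name__ == "__main__":
    n, priv = keygen(999983, 1000003)
    print("k, h =", params(n))         # (39, 5): five plaintext bits per squaring
    blocks = [3, 17, 0, 31, 12]        # constructed message, h-bit values
    cts, x_last = bg_encrypt(n, blocks)
    print(cts, bg_decrypt(priv, cts, x_last) == blocks)
```

The ciphertext is the t blocks plus one integer below n, which is the k+1 bits of expansion the next slide counts; the pad bits cannot be regenerated from x_(t+1) without the factorization because that would mean taking square roots modulo n.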

Security et al.

Computing the h least significant bits of x_(t+1) without the factorization is hard, and hence the scheme is semantically secure

The ciphertext is only a constant number of bits bigger than the plaintext, namely k+1 (the size in bits of the integer x_(t+1))

Encryption is efficient: 1 modular multiplication to encrypt h bits of plaintext
