Public Key Encryption

• Basic Principles
• RSA Encryption
• Rabin Public-Key Encryption
• ElGamal Public-Key Encryption
• McEliece Public-Key Encryption*
• Knapsack Public-Key Encryption
• Probabilistic Public-Key Encryption
Basic Principles
• Objectives of Adversary
• Types of Attacks
• Distributing Public Keys
• Message Blocking
Objectives of Adversary
• Broken: If the adversary who wishes to attack a
public-key encryption system can systematically
recover the plaintext from the ciphertext.

• Completely Broken: If the private key of the
receiver is recovered the encryption scheme is
informally said to have been completely broken!
Types of Attacks
• Chosen-Plaintext attack does not make any sense
in the PK scenario: anyone holding the public key
can encrypt, so the adversary always has this ability
• Indifferent Chosen-Ciphertext attack is the one in
which the adversary is given decryptions of any
ciphertexts of his choice. But these instances
must be chosen before he receives the target
ciphertext c.
• Adaptive Chosen-Ciphertext attack is the one in
which the adversary is given access to the decryption
machine of A, with the precondition that the target
ciphertext c itself is not fed to the machine.
Vulnerability to this attack is regarded as a
certificational weakness of the particular scheme.
Distributing Public Keys
• The PK schemes that we discuss now assume that
there is a means for the sender of the message to
obtain the public key of the receiver. In the
absence of this the scheme is susceptible to an
impersonation attack. Techniques for this include
a trusted channel (?), a trusted public file, an on-line
trusted server, an off-line server, and certificates.
Message Blocking
• Most PK systems require that the input
plaintext is of a fixed size. Messages longer than
this are broken into blocks; smaller messages are
padded. CBC is used to prevent manipulation of
the blocks.
RSA Public-Key Encryption (Topics)

• Description
– Encryption
– Decryption
RSA Public-Key Encryption (Topics contd…)
• Security of RSA
– relation to factoring
– small encryption exponent ‘e’
– forward search attack
– small decryption exponent ‘d’
– multiplicative properties
– common modulus attack
– cycling attack
– message concealing


RSA Public-Key Encryption (Topics contd…)
• RSA in practice
– recommended size of modulus
– selecting primes
– small encryption exponents
Introduction
• very first complete PK encryption scheme
• most widely used
• could be used to provide both secrecy and
authentication
• security based on intractability of the integer
factorization problem
Description: Key Generation
Each entity creates an RSA public key and
a corresponding private key through the
following steps
– Generate two large random (and distinct)
primes p and q, each roughly the same size
– Compute n = pq and φ = (p-1)(q-1)
– Select a random integer e, 1 < e < φ, such
that gcd(φ, e) = 1
– Use the extended Euclidean algorithm to
compute the integer d such that ed ≡ 1 (mod φ)
– A's public key is (n, e); A's private key is d

(e, d) are called the encryption exponent
and decryption exponent respectively; n is
called the modulus
Description: Encryption/Decryption
(B encrypts a message m for A, which A decrypts)
Encryption: B does the following
– Obtain A's authentic public key (n, e)
– Represent the message as an integer m in the
interval [0, n - 1]
– Compute c = m^e mod n
– Send the ciphertext c to A
Decryption: A does the following
– Compute m = c^d mod n
Security of RSA
• relation to Factoring
• small encryption exponent e
• forward search attack
• small decryption exponent d
• multiplicative properties
• common modulus attack
• cyclic attacks
• message concealing
Security of RSA: relation to factoring
• One possible approach to attacking RSA is to factor
n. Once the factors of n are known, computing d
from e is simple
• Conversely, if both e and d are known, n can be
factored efficiently
• Hence the problem of computing the RSA
decryption exponent d from the public key (n, e)
and the problem of factoring n are
computationally equivalent
Security of RSA: small encryption exponent e
To make encryption more efficient it is desirable to
use a small exponent such as e = 3. But then the
same message must not be sent to three or more
receivers who each have their own modulus: from
three encryptions of m under e = 3 and distinct
moduli, the Chinese Remainder Theorem recovers
m^3 as an ordinary integer, and hence m.
Thanks to Gauss and the Chinese mathematicians!

Small exponents are a problem for small messages
too: if m^e < n no modular reduction takes place,
and m is simply the integer e-th root c^(1/e).
In both cases, salt (pad) the message with random
bits before encrypting.
Security of RSA: forward search attack
When the message space is too small one can just
exhaustively try all the messages under the public
key. Key size does not help here. Salting is the
solution here too.
Security of RSA: small decryption exponent d
If gcd(p-1, q-1) is small, as is typically the case, and
if d has up to approximately one-quarter as many
bits as n, there are multiple attacks possible for
computing d:
– Wiener's attack
– Square-root discrete logarithm algorithms such as
Pollard's rho algorithm
Security of RSA: multiplicative properties
The ciphertext corresponding to m1·m2 mod n is c1·c2
mod n. This is referred to as the homomorphic
property of RSA

One can devise a neat chosen-ciphertext attack
exploiting this property

A structural restriction on the plaintext messages
can prevent this
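The key generation, encryption and decryption steps from the slides, together with a check of the multiplicative property just described, as an added example (not code from the slides). Key sizes and the Miller-Rabin primality test are this example's own choices; the small textbook key (n = 3233, e = 17, d = 2753) used in the test is a constructed value.

```python
import random
from math import gcd

def egcd(a, b):
    """Extended Euclidean algorithm: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def modinv(a, m):
    """a^-1 mod m via extended Euclid, the step the slides use to get d from e."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no inverse: gcd(a, m) != 1")
    return x % m

def is_probable_prime(n, rounds=25, rng=random):
    """Miller-Rabin primality test (probabilistic, adequate for this illustration)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng=random):
    """Random prime of exactly `bits` bits (top and bottom bits forced to 1)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng=rng):
            return cand

def rsa_keygen(bits=64, rng=random):
    """Key generation as on the slides: distinct primes p, q of similar size,
    n = pq, phi = (p-1)(q-1), a random e coprime to phi, and d = e^-1 mod phi."""
    p = random_prime(bits // 2, rng)
    q = random_prime(bits // 2, rng)
    while q == p:
        q = random_prime(bits // 2, rng)
    n, phi = p * q, (p - 1) * (q - 1)
    while True:
        e = rng.randrange(2, phi)
        if gcd(e, phi) == 1:
            break
    return (n, e), modinv(e, phi)

def rsa_encrypt(pub, m):
    """c = m^e mod n for an integer message m in [0, n-1]."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n-1]")
    return pow(m, e, n)

def rsa_decrypt(d, n, c):
    """m = c^d mod n."""
    return pow(c, d, n)

def homomorphic_property_holds(pub, m1, m2):
    """Textbook RSA is multiplicative: E(m1*m2 mod n) == E(m1)*E(m2) mod n.
    This is why the slides call for a structural restriction on plaintexts
    (in practice, randomized padding) before RSA is used directly."""
    n, _ = pub
    lhs = rsa_encrypt(pub, (m1 * m2) % n)
    rhs = (rsa_encrypt(pub, m1) * rsa_encrypt(pub, m2)) % n
    return lhs == rhs
```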
Security of RSA: common modulus attack
If a single modulus n is shared and different pairs
(e_i, d_i), (e_j, d_j) are selected for different
entities, one entity can find the private key of
another from that entity's public key

If a single message were encrypted and sent to two
or more entities sharing the modulus, then an
eavesdropper can potentially recover the message
with high probability using only publicly available
information
Rabin public-key encryption
The first example of a provably-secure public key
encryption scheme.

The problem faced by the adversary to recover
plaintext is computationally equivalent to
factoring (No such equivalence for RSA)


Encryption & Decryption
1. Encryption
Compute c = m^2 mod n.

2. Decryption
Find the four square roots m1, m2, m3 and m4
of c modulo n.
The message sent was one of m1, m2, m3 or m4.
Finding square roots (c mod n = pq, p ≡ q ≡ 3 mod 4)
Using the extended Euclidean algorithm find integers a,
b such that ap + bq = 1.
Compute r = c^((p+1)/4) mod p and s = c^((q+1)/4) mod q.
Compute x = (aps + bqr) mod n.
Compute y = (aps - bqr) mod n.
The four square roots of c modulo n are x, -x mod n,
y and -y mod n.
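The Rabin square-root procedure above, as an added example that is not code from the slides. The coefficients a, b are obtained with Python's modular inverse instead of a hand-written extended Euclid; the primes 7, 11 and 10007, 10039 in the test are constructed values, and the decrypt function rejects a ciphertext that is not a square modulo n (not a step on the slides).

```python
def rabin_params(p, q):
    """Check p = q = 3 (mod 4) and return n with a, b satisfying a*p + b*q = 1.
    The slides get a, b from the extended Euclidean algorithm; here a = p^-1 mod q
    comes from Python's pow() and b follows from the identity."""
    if p == q or p % 4 != 3 or q % 4 != 3:
        raise ValueError("need distinct primes with p = q = 3 (mod 4)")
    n = p * q
    a = pow(p, -1, q)
    b = (1 - a * p) // q
    if a * p + b * q != 1:
        raise ArithmeticError("a*p + b*q != 1")
    return n, a, b

def rabin_encrypt(n, m):
    """c = m^2 mod n."""
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n-1]")
    return pow(m, 2, n)

def rabin_square_roots(c, p, q):
    """The four square roots of c modulo n = pq, following the slide step by step."""
    n, a, b = rabin_params(p, q)
    r = pow(c, (p + 1) // 4, p)      # a square root of c mod p (works because p = 3 mod 4)
    s = pow(c, (q + 1) // 4, q)      # a square root of c mod q
    x = (a * p * s + b * q * r) % n  # x = r (mod p), x = s (mod q)
    y = (a * p * s - b * q * r) % n  # y = -r (mod p), y = s (mod q)
    return [x, (-x) % n, y, (-y) % n]

def rabin_decrypt(c, p, q):
    """Return the four candidate plaintexts. Which one was sent stays ambiguous
    unless the sender added redundancy (the 'avoiding ambiguity' point on the
    practice slide). A c that is not a square mod n is detected and rejected."""
    n = p * q
    roots = rabin_square_roots(c, p, q)
    if any(pow(m, 2, n) != c for m in roots):
        raise ValueError("c is not a quadratic residue modulo n")
    return roots
```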
Security of Rabin PK System
Obtaining the plaintext from the ciphertext is equivalent to the
modular square root problem

The modular square root problem is equivalent to factoring

Hence the Rabin system is provably secure

Rabin PK System in practice
– avoiding ambiguity (which of the four roots is the message)
– protecting against chosen-ciphertext attack

ElGamal: Key Generation
Security based on the intractability of the discrete
logarithm problem and the Diffie-Hellman
problem

Generate a large random prime p and a generator α
of the multiplicative group Z_p^* of the integers
modulo p

Select a random integer a, 1 ≤ a ≤ p-2, and compute
α^a mod p

A's public key is (p, α, α^a); private key is a.
ElGamal: Encryption & Decryption

Encryption
Select a random integer k, 1 ≤ k ≤ p-2.
Compute γ = α^k mod p and δ = m·(α^a)^k mod p.
Ciphertext c = (γ, δ)

Decryption
m = γ^(p-1-a) · δ mod p
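ElGamal key generation, encryption and decryption as written on the slides, plus a check that α really generates Z_p^*, as an added example that is not code from the slides. The generator test factors p-1 by trial division, so it assumes small parameters; the prime p = 2579 with α = 2 used in the test is a constructed choice.

```python
import random

def prime_factors(n):
    """Distinct prime factors by trial division (enough for the small p used here)."""
    fs, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            fs.add(d)
            n //= d
        d += 1
    if n > 1:
        fs.add(n)
    return fs

def is_generator(alpha, p):
    """alpha generates Z_p^* iff alpha^((p-1)/q) != 1 (mod p) for every prime q | p-1."""
    if not 1 < alpha < p:
        return False
    return all(pow(alpha, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def elgamal_keygen(p, alpha, rng=random):
    """Private a with 1 <= a <= p-2; public key (p, alpha, alpha^a mod p)."""
    if not is_generator(alpha, p):
        raise ValueError("alpha is not a generator of Z_p^*")
    a = rng.randint(1, p - 2)
    return (p, alpha, pow(alpha, a, p)), a

def elgamal_encrypt(pub, m, rng=random):
    """(gamma, delta) = (alpha^k, m * (alpha^a)^k) mod p with a fresh k per message,
    as the in-practice slide requires."""
    p, alpha, alpha_a = pub
    if not 0 <= m <= p - 1:
        raise ValueError("message must be an integer in [0, p-1]")
    k = rng.randint(1, p - 2)
    gamma = pow(alpha, k, p)
    delta = (m * pow(alpha_a, k, p)) % p
    return gamma, delta

def elgamal_decrypt(pub, a, ct):
    """gamma^(p-1-a) = gamma^(-a) mod p cancels the mask (alpha^a)^k = alpha^(ak)."""
    p, _, _ = pub
    gamma, delta = ct
    return (pow(gamma, p - 1 - a, p) * delta) % p
```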

ElGamal:In Practice
Traffic Reduction
All entities could use the same p and generator o

Computation Speed-up
Speeding up the computation using Addition Chain
Exponentiation

Tradeoff
A large modulus p is required in this case
ElGamal: In Practice
Encryption involves two exponentiations. The process
can be sped up by selecting exponents having low
Hamming weight (beware of the Baby-Step
Giant-Step algorithm: choose large enough
exponents)
Message expansion by a factor of 2
Inherently randomized encryption
Security related to the Diffie-Hellman problem
(intractability of the discrete logarithm problem)
Different encryptions should use different k
Knapsack public-key encryption

Based on Subset-Sum problem (NP-complete)

• Merkle-Hellman Knapsack problem
• Chor-Rivest Knapsack problem
Merkle-Hellman Knapsack Encryption
Attempts to disguise a superincreasing subset sum
problem, by a permutation and a modular
multiplication

Merkle-Hellman: Key Generation
n is a fixed system parameter
Choose a superincreasing sequence (b_1, b_2, …, b_n)
and a modulus M such that M > b_1 + b_2 + … + b_n

Select W, 1 ≤ W ≤ M-1, gcd(W, M) = 1
Select a random permutation π of the integers {1, 2,
…, n}
Compute a_i = W·b_π(i) mod M for i = 1, 2, …, n
A's public key is (a_1, a_2, …, a_n); A's private key is (π,
M, W, (b_1, b_2, …, b_n))
Merkle-Hellman: Encryption, Decryption
Encryption
Represent the message m as a binary string of length
n, m = m_1 m_2 … m_n.
Compute the integer c = m_1 a_1 + m_2 a_2 + … + m_n a_n

Decryption
Compute d = (W^(-1) c) mod M
Find integers r_1, r_2, …, r_n, r_i ∈ {0, 1}, such that
d = r_1 b_1 + r_2 b_2 + … + r_n b_n
The message bits are m_i = r_π(i), i = 1, 2, …, n.
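The Merkle-Hellman key generation, encryption and decryption steps from the two slides above, as an added example that is not code from the slides. The permutation is 0-based here (the slides index from 1), the greedy solver for the superincreasing subset sum is this example's own, and the fixed sequence (2, 3, 7, 14, 30, 57) with M = 127, W = 31 in the test is a constructed key.

```python
import random
from math import gcd

def is_superincreasing(seq):
    """Each element must exceed the sum of all previous ones."""
    total = 0
    for b in seq:
        if b <= total:
            return False
        total += b
    return True

def mh_keygen(b, M, W, perm):
    """Public knapsack a_i = W * b_perm[i] mod M; perm is a permutation of 0..n-1."""
    n = len(b)
    if not is_superincreasing(b) or M <= sum(b):
        raise ValueError("need a superincreasing b with M > sum(b)")
    if not 1 <= W <= M - 1 or gcd(W, M) != 1:
        raise ValueError("need 1 <= W <= M-1 with gcd(W, M) = 1")
    if sorted(perm) != list(range(n)):
        raise ValueError("perm must be a permutation of 0..n-1")
    a = [(W * b[perm[i]]) % M for i in range(n)]
    return a, (perm, M, W, b)

def mh_random_key(n, rng=random):
    """Random private parameters of the shape the slides require (constructed here)."""
    b, total = [], 0
    for _ in range(n):
        nxt = total + rng.randint(1, 1 << n)   # strictly larger than the running sum
        b.append(nxt)
        total += nxt
    M = total + rng.randint(1, 1 << n)         # M > b_1 + ... + b_n
    while True:
        W = rng.randint(1, M - 1)
        if gcd(W, M) == 1:
            break
    perm = list(range(n))
    rng.shuffle(perm)
    return mh_keygen(b, M, W, perm)

def mh_encrypt(a, bits):
    """c = m_1 a_1 + ... + m_n a_n for message bits m_1..m_n."""
    if len(bits) != len(a) or any(x not in (0, 1) for x in bits):
        raise ValueError("message must be a list of exactly n bits")
    return sum(m * ai for m, ai in zip(bits, a))

def solve_superincreasing(b, d):
    """Greedy subset sum for a superincreasing sequence: largest b_i that fits first."""
    r = [0] * len(b)
    for i in range(len(b) - 1, -1, -1):
        if d >= b[i]:
            r[i], d = 1, d - b[i]
    return r if d == 0 else None

def mh_decrypt(priv, c):
    """d = W^-1 c mod M, solve d = sum r_i b_i, then m_i = r_perm[i]."""
    perm, M, W, b = priv
    d = (pow(W, -1, M) * c) % M
    r = solve_superincreasing(b, d)
    if r is None:
        raise ValueError("ciphertext does not decrypt to a valid message")
    return [r[perm[i]] for i in range(len(b))]
```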
Merkle-Hellman: In practice
There is a known polynomial-time algorithm for breaking the
basic Merkle-Hellman scheme

It works by reducing the subset-sum problem to finding a short
vector in a lattice
Chor-Rivest Knapsack Encryption
The only knapsack public key encryption scheme that
does not use some form of Modular Multiplication
to disguise a subset-sum problem
Chor-Rivest: Key Generation
Choose a finite field F_q of characteristic p, where q = p^h, p > h,
and for which the discrete logarithm problem is
feasible.
Select a random monic irreducible polynomial f(x) of
degree h over Z_p. The elements of F_q will be
represented as polynomials in Z_p[x] of degree less
than h, with multiplication performed modulo f(x).
Select a random primitive element g(x) of the field F_q

For each ground field element i ∈ Z_p, find the
discrete logarithm a_i = log_g(x) (x + i) of the field
element (x + i) to the base g(x).
Chor-Rivest: Key Generation (contd…)
Select a random permutation π on the set of integers
{0, 1, 2, …, p-1}

Select a random integer d, 0 ≤ d ≤ p^h - 2.

Compute c_i = (a_π(i) + d) mod (p^h - 1), 0 ≤ i ≤ p-1.

A's public key is ((c_0, c_1, …, c_(p-1)), p, h); A's private
key is (f(x), g(x), π, d).
Chor-Rivest: Encryption
Represent the message m as a binary string of
length ⌊lg bin(p, h)⌋, where bin(p, h) is the binomial
coefficient

Consider m as the binary representation of an
integer. Transform this integer into a binary
vector M = (M_0, M_1, …, M_(p-1)) of length p
having exactly h 1's as follows

i. Set l = h
ii. For i from 1 to p do the following:
If m ≥ bin(p-i, l),
then set M_(i-1) = 1, m = m - bin(p-i, l),
l = l - 1
otherwise,
M_(i-1) = 0
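The plaintext-to-vector transform from the encryption slide, as an added example that is not code from the slides, together with its inverse (which the slides do not show) so that the mapping can be checked to be a bijection onto the weight-h vectors. The counter l starts at h, the number of 1's still to be placed; the parameters p = 8, h = 3 in the test are constructed values.

```python
from math import comb

def message_bit_length(p, h):
    """Plaintext block size from the slide: floor(lg bin(p, h)) bits, so that
    every block read as an integer is < bin(p, h)."""
    return comb(p, h).bit_length() - 1

def int_to_weight_h_vector(m, p, h):
    """The slide's loop: map 0 <= m < bin(p, h) to a length-p binary vector
    (M_0, ..., M_{p-1}) with exactly h ones."""
    if not 0 <= m < comb(p, h):
        raise ValueError("m must satisfy 0 <= m < bin(p, h)")
    M, l = [0] * p, h                      # l = number of 1's still to place
    for i in range(1, p + 1):
        if l > 0 and m >= comb(p - i, l):  # comb(k, l) is 0 when k < l
            M[i - 1] = 1
            m -= comb(p - i, l)
            l -= 1
        else:
            M[i - 1] = 0
    return M

def weight_h_vector_to_int(M, h):
    """Inverse mapping (added here, not on the slides): recover the integer m
    by summing the same binomials the forward loop subtracted."""
    p = len(M)
    if any(x not in (0, 1) for x in M) or sum(M) != h:
        raise ValueError("M must be a binary vector of weight h")
    l, m = h, 0
    for i in range(1, p + 1):
        if M[i - 1]:
            m += comb(p - i, l)
            l -= 1
    return m

def encode_block(bits, p, h):
    """A message block of message_bit_length(p, h) bits to its weight-h vector M."""
    if len(bits) != message_bit_length(p, h):
        raise ValueError("wrong block length")
    m = int("".join(str(b) for b in bits), 2)
    return int_to_weight_h_vector(m, p, h)
```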

Chor-Rivest: Encryption
Compute c =
Probabilistic Public-Key Encryption
Deterministic Encryption Systems
– The same message always gets encrypted to the same ciphertext
– In RSA, 0 and 1 get encrypted to themselves
– In RSA, the adversary can get one bit of information (the Jacobi symbol)
about the plaintext from the encrypted message

– Random padding (the resulting schemes are generally
not provably secure!!)
Probabilistic Public-Key Encryption
PPKE utilizes randomness to attain provable
security
Polynomially Secure: if given two messages m1, m2
and their encryptions, the adversary can't match them
with a probability significantly greater than ½

A PK scheme is semantically secure if any
information about the plaintext that an adversary can
compute in polynomial time from the ciphertext
could also be computed without the ciphertext.
Probabilistic Public-Key Encryption
Perfect Secrecy Vs. Semantic Security

PPKE Schemes

Goldwasser-Micali Probabilistic Encryption
Blum-Goldwasser probabilistic Encryption

Goldwasser-Micali Probabilistic Encryption
Semantically secure assuming the intractability of
the quadratic residuosity problem
Key Generation
Select two large random (and distinct) primes p and
q, each roughly the same size.
Compute n = pq.
Select a y ∈ Z_n such that y is a quadratic non-residue
modulo n and the Jacobi symbol (y/n) = 1
A's public key is (n, y); A's private key is the pair (p, q)
Encryption

Represent the message m as a binary string
m = m_1 m_2 … m_t of length t.
For i from 1 to t do:
i. Pick an x ∈ Z_n^* at random
ii. If m_i = 1, then set c_i = y·x^2 mod n; otherwise
set c_i = x^2 mod n.
Send the t-tuple c = (c_1, c_2, …, c_t)
Decryption

For i from 1 to t do:
i. Compute the Legendre symbol e_i = (c_i / p)
ii. If e_i = 1 then set m_i = 0; otherwise m_i = 1
The decrypted message is m = m_1 m_2 … m_t
Proof that decryption works

If a message bit m_i is 0, then c_i = x^2 mod n is a
quadratic residue modulo n. If a message bit
is 1, then c_i = y·x^2 mod n is a pseudosquare
modulo n: its Jacobi symbol is 1, but it is not a
quadratic residue

The same distinction holds modulo p: c_i is a quadratic
residue modulo p exactly when m_i = 0, so the Legendre
symbol (c_i / p), computable only by someone who
knows the factor p, reveals the bit
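Goldwasser-Micali key generation, encryption and decryption as on the slides, with Legendre and Jacobi symbol routines so that the pseudosquare property of y and the uniform Jacobi symbol of every ciphertext can be checked; an added example, not code from the slides. The primes 10007 and 10039 in the test are constructed values.

```python
import random
from math import gcd

def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, via Euler's criterion: 1, -1 or 0."""
    s = pow(a % p, (p - 1) // 2, p)
    return -1 if s == p - 1 else s

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 (standard quadratic-reciprocity algorithm).
    It is 1 for every ciphertext below, so it tells an eavesdropper nothing."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def gm_keygen(p, q, rng=random):
    """n = pq and a pseudosquare y: non-residue mod n with (y/n) = 1,
    obtained by requiring (y/p) = (y/q) = -1."""
    if p == q or p % 2 == 0 or q % 2 == 0:
        raise ValueError("need two distinct odd primes")
    n = p * q
    while True:
        y = rng.randrange(2, n)
        if legendre(y, p) == -1 and legendre(y, q) == -1:
            return (n, y), (p, q)

def gm_encrypt(pub, bits, rng=random):
    """c_i = y*x^2 mod n for a 1 bit, x^2 mod n for a 0 bit, fresh x in Z_n^* each time."""
    n, y = pub
    cts = []
    for b in bits:
        if b not in (0, 1):
            raise ValueError("message must be a sequence of bits")
        while True:
            x = rng.randrange(1, n)
            if gcd(x, n) == 1:
                break
        cts.append((y * x * x) % n if b else (x * x) % n)
    return cts

def gm_decrypt(priv, cts):
    """The Legendre symbol modulo p separates residues (bit 0) from pseudosquares (bit 1)."""
    p, _ = priv
    return [0 if legendre(c, p) == 1 else 1 for c in cts]
```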


Security etc.
Quadratic Residuosity problem: given an odd
composite integer n and a ∈ J_n, decide
whether or not a is a quadratic residue
modulo n

When n is of the form pq, a ∈ J_n is a quadratic
residue modulo n iff (a/p) = 1

Message expansion by a factor of lg n. But
some amount of message expansion is
unavoidable in probabilistic schemes
Blum-Goldwasser Probabilistic Encryption

One of the most efficient PPKE schemes
Comparable to RSA in terms of speed and
message expansion
Semantically secure assuming the intractability of
integer factorization

Key Generation
Select two large random (and distinct) primes p, q,
each congruent to 3 modulo 4.
Compute n = pq.
Compute integers a and b such that ap + bq = 1.
Public key is n; private key is (p, q, a, b)
Encryption
k = ⌊lg n⌋ and h = ⌊lg k⌋. Represent the message m as
a string m = m_1 m_2 … m_t of length t, where each
m_i is a binary string of length h
Select as a seed x_0 a random quadratic residue
modulo n.
For i from 1 to t do the following:
i. Compute x_i = x_(i-1)^2 mod n
ii. Let p_i be the h least significant bits of x_i
iii. Compute c_i = p_i ⊕ m_i
Compute x_(t+1) = x_t^2 mod n
Ciphertext c = (c_1, c_2, …, c_t, x_(t+1))
Decryption
Compute d_1 = ((p + 1)/4)^(t+1) mod (p - 1)
Compute d_2 = ((q + 1)/4)^(t+1) mod (q - 1)
Compute u = x_(t+1)^(d_1) mod p
Compute v = x_(t+1)^(d_2) mod q
Compute x_0 = (vap + ubq) mod n
For i from 1 to t do the following:
i. Compute x_i = x_(i-1)^2 mod n
ii. Let p_i be the h least significant bits of x_i
iii. Compute m_i = p_i ⊕ c_i
Security etc.
Computing the h least significant bits of x_(t+1)
is hard, and hence the scheme is semantically secure
The ciphertext is only a constant number of bits
bigger than the plaintext, namely k+1 (the size in
bits of the integer x_(t+1))
The encryption process is efficient: 1 modular
multiplication to encrypt h bits of plaintext
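Blum-Goldwasser key generation, encryption and decryption following the three slides above, as an added example that is not code from the slides. Message blocks are passed as h-bit integers, the coefficients a, b come from Python's modular inverse rather than a hand-written extended Euclid, and the primes 10007 and 10039 in the test (both 3 mod 4) are constructed values.

```python
import random

def bg_keygen(p, q):
    """n = pq for primes p, q = 3 (mod 4), plus a, b with a*p + b*q = 1
    (a = p^-1 mod q from Python's pow(), b from the identity)."""
    if p == q or p % 4 != 3 or q % 4 != 3:
        raise ValueError("need distinct primes congruent to 3 modulo 4")
    n = p * q
    a = pow(p, -1, q)
    b = (1 - a * p) // q
    return n, (p, q, a, b)

def bg_block_size(n):
    """k = floor(lg n) and h = floor(lg k); each plaintext block carries h bits."""
    k = n.bit_length() - 1
    h = k.bit_length() - 1
    return k, h

def bg_encrypt(n, blocks, rng=random):
    """blocks = [m_1, ..., m_t], each an h-bit integer. Returns ([c_1..c_t], x_{t+1})."""
    _, h = bg_block_size(n)
    mask = (1 << h) - 1
    if any(not 0 <= m <= mask for m in blocks):
        raise ValueError("each block must be an h-bit integer")
    x = pow(rng.randrange(2, n - 1), 2, n)   # seed x_0: a random quadratic residue mod n
    cts = []
    for m in blocks:
        x = pow(x, 2, n)                      # x_i = x_{i-1}^2 mod n
        cts.append((x & mask) ^ m)            # p_i = h LSBs of x_i; c_i = p_i XOR m_i
    return cts, pow(x, 2, n)                  # x_{t+1} = x_t^2 mod n goes with the ciphertext

def bg_decrypt(priv, n, cts, x_last):
    """Recover x_0 from x_{t+1} using the factors of n, then replay the generator."""
    p, q, a, b = priv
    _, h = bg_block_size(n)
    mask, t = (1 << h) - 1, len(cts)
    d1 = pow((p + 1) // 4, t + 1, p - 1)      # t+1 square roots mod p in one exponentiation
    d2 = pow((q + 1) // 4, t + 1, q - 1)      # likewise mod q
    u = pow(x_last, d1, p)                    # x_0 mod p (x_0 is a residue, so this is the right root)
    v = pow(x_last, d2, q)                    # x_0 mod q
    x = (v * a * p + u * b * q) % n           # Chinese remaindering: x_0
    out = []
    for c in cts:
        x = pow(x, 2, n)
        out.append((x & mask) ^ c)
    return out
```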
