|
|
(One intermediate revision by one other user not shown) |
Line 1: |
Line 1: |
| The '''Goldwasser–Micali (GM) cryptosystem ''' is an [[asymmetric key encryption algorithm]] developed by [[Shafi Goldwasser]] and [[Silvio Micali]] in 1982. GM has the distinction of being the first [[probabilistic encryption|probabilistic]] public-key encryption scheme which is [[provably secure]] under standard cryptographic assumptions. However, it is not an efficient cryptosystem, as ciphertexts may be several hundred times larger than the initial plaintext. To prove the security properties of the cryptosystem, Goldwasser and Micali proposed the widely used definition of [[semantic security]].
| | Hi there. Allow me begin by introducing the author, her name is Myrtle Cleary. Body developing is what my family and I enjoy. Since she was 18 she's been operating as a receptionist but her promotion by no means comes. His family members lives in South Dakota but his wife desires them to transfer.<br><br>my homepage [http://srgame.co.kr/qna/21862 srgame.co.kr] |
| | |
| ==Basis==
| |
| The GM cryptosystem is [[semantic security|semantically secure]] based on the assumed intractability of the [[quadratic residuosity problem]] modulo a composite ''N'' = ''pq'' where ''p, q'' are large [[prime number|primes]]. This assumption states that given (''x'', ''N'') it is difficult to determine whether ''x'' is a quadratic residue modulo ''N'' (i.e., ''x'' = ''y''<sup>2</sup> mod ''N'' for some ''y''), when the [[Jacobi symbol]] for ''x'' is +1. The quadratic residue problem is easily solved given the factorization of ''N'', while new quadratic residues may be generated by any party, even without knowledge of this factorization. The GM cryptosystem leverages this asymmetry by encrypting individual plaintext bits as either random quadratic residues or non-residues modulo ''N'', all with quadratic residue symbol +1. Recipients use the factorization of ''N'' as a [[secret key]], and decrypt the message by testing the quadratic residuosity of the received ciphertext values.
| |
| | |
| Because Goldwasser–Micali produces a value of size approximately |''N''| to encrypt every single bit of a plaintext, GM encryption results in substantial [[ciphertext expansion]]. To prevent [[factorization]] attacks, it is recommended that |''N''| be several hundred bits or more. Thus, the scheme serves mainly as a proof of concept, and more efficient provably-secure schemes such as [[ElGamal encryption|Elgamal]] have been developed since.
| |
| | |
| Because encryption is performed using a probabilistic algorithm, a given plaintext may produce very different ciphertexts each time it is encrypted. This has significant advantages, as it prevents an adversary from recognizing intercepted messages by comparing them to a dictionary of known ciphertexts.
| |
| | |
| ==Scheme definition==
| |
| | |
| Goldwasser–Micali consists of three algorithms: a probabilistic key generation algorithm which produces a public and a private key, a probabilistic encryption algorithm, and a deterministic decryption algorithm.
| |
| | |
| The scheme relies on deciding whether a given value ''x'' is a square mod ''N'', given the factorization (''p'', ''q'') of ''N''. This can be accomplished using the following procedure:
| |
| | |
| #Compute ''x<sub>p</sub>'' = ''x'' mod ''p'', ''x<sub>q</sub>'' = ''x'' mod ''q''.
| |
| #If <math>x_p^{(p-1)/2} \equiv 1\pmod{p}</math> and <math>x_q^{(q-1)/2} \equiv 1\pmod{q}</math>, then ''x'' is a quadratic residue mod ''N''.
| |
| | |
| ===Key generation===
| |
| | |
| The modulus used in GM encryption is generated in the same manner as in the [[RSA (algorithm)|RSA]] cryptosystem. (See [[RSA (algorithm)|RSA]], key generation for details.)
| |
| | |
| #Alice generates two distinct large [[prime number]]s ''p'' and ''q'', randomly and independently of each other.
| |
| #Alice computes ''N'' = ''p q''.
| |
| #She then finds some non-residue ''x'' such that the [[Legendre symbol]]s satisfy <math>\left(\frac{x}{p}\right)=\left(\frac{x}{q}\right)=-1</math> and hence the [[Jacobi symbol]] <math>\left(\frac{x}{N}\right)</math> is +1. The value ''x'' can for example be found by selecting random values and testing the two Legendre symbols. If ''p'', ''q'' = 3 mod 4 (i.e., ''N'' is a [[Blum integer]]), then the value ''N'' − 1 is guaranteed to have the required property.
| |
| | |
| The ''public key'' consists of (''x'', ''N''). The secret key is the factorization (''p'', ''q'').
| |
| | |
| === Message encryption ===
| |
| | |
| Suppose Bob wishes to send a message ''m'' to Alice:
| |
| | |
| #Bob first encodes ''m'' as a string of bits (''m''<sub>1</sub>, ..., ''m<sub>n</sub>'').
| |
| #For every bit ''<math>m_i</math>'', Bob generates a random value ''<math>y_i</math>'' from the group of units modulo ''N'', or ''<math>\gcd(y_i,N) = 1</math>''. He outputs the value <math>c_i = y_i^2 x^{m_i}\pmod{N}</math>.
| |
| | |
| Bob sends the ciphertext (''c''<sub>1</sub>, ..., ''c''<sub>''n''</sub>).
| |
| | |
| === Message decryption ===
| |
| | |
| Alice receives (''c''<sub>1</sub>, ..., ''c''<sub>''n''</sub>). She can recover ''m'' using the following procedure:
| |
| | |
| #For each ''i'', using the prime factorization (''p'', ''q''), Alice determines whether the value ''c''<sub>''i''</sub> is a quadratic residue; if so, ''m''<sub>''i''</sub> = 0, otherwise ''m''<sub>''i''</sub> = 1.
| |
| | |
| Alice outputs the message ''m'' = (''m''<sub>1</sub>, ..., ''m''<sub>''n''</sub>).
| |
| | |
| === Security properties ===
| |
| | |
| There is a simple [[reduction (complexity)|reduction]] from breaking this cryptosystem to the problem of determining whether a random value modulo ''N'' with Jacobi symbol ''+1'' is a quadratic residue. If an algorithm ''A'' breaks the cryptosystem,
| |
| then to determine if a given value ''x'' is a quadratic residue modulo ''N'', we test ''A'' to see if it can break the cryptosystem using (''x'',''N'') as a public key. If ''x'' is a non-residue, then ''A'' should work properly. However, if ''x'' is a residue, then every "ciphertext" will simply be a random quadratic residue, so
| |
| ''A'' cannot be correct more than half of the time. Furthermore, this problem is [[Random self-reducibility|random self-reducible]], which ensures that for a given ''N'', every public key is just as secure as every other public key.
| |
| | |
| The GM cryptosystem has [[homomorphic encryption|homomorphic properties]], in the sense that if ''c''<sub>0</sub>, ''c''<sub>1</sub> are the encryptions of bits ''m''<sub>0</sub>, ''m''<sub>1</sub>, then ''c''<sub>0</sub>''c''<sub>1</sub> mod ''N'' will be an encryption of <math>m_0 \oplus m_1</math>. For this reason, the GM cryptosystem is sometimes used in more complex cryptographic primitives.
| |
| | |
| ==References==
| |
| | |
| * {{cite journal |author=S. Goldwasser, S. Micali |title=Probabilistic encryption and how to play mental poker keeping secret all partial information |journal=Proc. 14th Symposium on Theory of Computing |year=1982 |pages=365–377 |doi=10.1145/800070.802212}}
| |
| * {{cite journal |author=S. Goldwasser, S. Micali |title=Probabilistic encryption |journal=Journal of Computer and System Sciences |volume=28 |issue=2 |year=1984 |pages=270–299 |doi=10.1016/0022-0000(84)90070-9}}
| |
| | |
| ==See also==
| |
| *[[Blum–Goldwasser cryptosystem]]
| |
| | |
| {{Cryptography navbox | public-key}}
| |
| | |
| {{DEFAULTSORT:Goldwasser-Micali cryptosystem}}
| |
| [[Category:Public-key encryption schemes]]
| |
Hi there. Allow me begin by introducing the author, her name is Myrtle Cleary. Body developing is what my family and I enjoy. Since she was 18 she's been operating as a receptionist but her promotion by no means comes. His family members lives in South Dakota but his wife desires them to transfer.
my homepage srgame.co.kr