|
|
Line 1: |
Line 1: |
| The '''Blum-Goldwasser''' (BG) cryptosystem is an [[asymmetric key encryption algorithm]] proposed by [[Manuel Blum]] and [[Shafi Goldwasser]] in 1984. Blum-Goldwasser is a [[probabilistic encryption|probabilistic]], [[semantic security|semantically secure]] cryptosystem with a constant-size [[ciphertext expansion]]. The encryption algorithm implements an XOR-based [[stream cipher]] using the [[Blum Blum Shub]] (BBS) pseudo-random number generator to generate the [[keystream]]. Decryption is accomplished by manipulating the final state of the BBS generator using the [[private key]], in order to find the initial seed and reconstruct the keystream.
| | Hello and welcome. My title is Figures Wunder. My day occupation is a meter reader. One of the extremely best things in the world for me is to do aerobics and now I'm attempting to earn money with it. For many years he's been residing in North Dakota and his family enjoys it.<br><br>my web-site [http://torontocartridge.com/uncategorized/the-ideal-way-to-battle-a-yeast-infection/ torontocartridge.com] |
| | |
| The BG cryptosystem is [[semantic security|semantically secure]] based on the assumed intractability of [[integer factorization]]; specifically, factoring a composite value <math>N = pq</math> where <math>p, q</math> are large [[prime number|primes]]. BG has multiple advantages over earlier probabilistic encryption schemes such as the [[Goldwasser-Micali cryptosystem]]. First, its semantic security reduces solely to integer factorization, without requiring any additional assumptions (e.g., hardness of the [[quadratic residuosity problem]] or the [[RSA problem]]). Secondly, BG is efficient in terms of storage, inducing a constant-size [[ciphertext expansion]] regardless of message length. BG is also relatively efficient in terms of computation, and fares well even in comparison with cryptosystems such as RSA (depending on message length and exponent choices). However, BG is highly vulnerable to adaptive chosen ciphertext attacks (see below).
| |
| | |
| Because encryption is performed using a probabilistic algorithm, a given plaintext may produce very different ciphertexts each time it is encrypted. This has significant advantages, as it prevents an adversary from recognizing intercepted messages by comparing them to a dictionary of known ciphertexts.
| |
| | |
| ==Scheme definition==
| |
| | |
| '''Note that the following description is a draft, and may contain errors!'''
| |
| | |
| Blum-Goldwasser consists of three algorithms: a probabilistic key generation algorithm which produces a public and a private key, a probabilistic encryption algorithm, and a deterministic decryption algorithm.
| |
| | |
| ===Key generation===
| |
| | |
| To allow for decryption, the modulus used in Blum-Goldwasser encryption should be a [[Blum integer]]. This value is generated in the same manner as an [[RSA (algorithm)|RSA]] modulus, except that the prime factors <math>(p, q)</math> must be congruent to 3 mod 4. (See [[RSA (algorithm)|RSA]], key generation for details.)
| |
| | |
| #Alice generates two large [[prime number]]s <math>p \,</math> and <math>q \,</math> such that <math>p \ne q</math>, randomly and independently of each other, where <math>p \equiv q \equiv 3</math> mod <math>4</math>.<ref name="rfc4086">
| |
| RFC 4086
| |
| section "6.2.2. The Blum Blum Shub Sequence Generator"
| |
| </ref>
| |
| #Alice computes <math>N = p q</math>.
| |
| | |
| The ''public key'' is <math>N</math>. The private key is the factorization <math>(p, q)</math>.
| |
| <ref name="rfc4086" />
| |
| | |
| #Alice keeps the private key secret.
| |
| | |
| #Alice gives <math>N</math> to Bob.
| |
| | |
| === Message encryption ===
| |
| | |
| Suppose Bob wishes to send a message ''m'' to Alice:
| |
| | |
| #Bob first encodes <math>m</math> as a string of <math>L</math> bits <math>(m_0, \dots, m_{L-1})</math>.
| |
| #Bob selects a random element <math>r</math>, where <math>1 < r < N</math>, and computes <math>x_0 = r^2~mod~N</math>.
| |
| #Bob uses the BBS pseudo-random number generator to generate <math>L</math> random bits <math>{\vec b} = (b_0, \dots, b_{L-1})</math> (the keystream), as follows:
| |
| ##For <math>i=0</math> to <math>L</math>:
| |
| ##Set <math>b_i</math> equal to the least-significant bit of <math>x_i</math>.
| |
| ##Increment <math>i</math>.
| |
| ##Compute <math>x_i = (x_{i-1})^2~mod~N</math>.
| |
| #Bob computes the ciphertext bits using the bits from the BBS as a [[stream cipher]] keystream, XORing the plaintext bits with the keystream:
| |
| ##For <math>i=0</math> to <math>L-1</math>:
| |
| ## <math>{\vec c} = {\vec m} \oplus {\vec b}</math>
| |
| | |
| # Bob sends a message to Alice -- the enciphered bits and the final <math>x_L</math> value <math>(c_0, \dots, c_{L-1}), x_L</math>.
| |
| (The value <math>x_L</math> is equal to <math>x_L = x_{0}^{2^{L}}~mod~N</math>. )
| |
| | |
| To improve performance, the BBS generator can securely output up to <math>O(log log N)</math> of the least-significant bits of <math>x_i</math> during each round. See [[Blum Blum Shub]] for details.
| |
| | |
| === Message decryption ===
| |
| | |
| Alice receives <math>(c_0, \dots, c_{L-1}), y</math>. She can recover <math>m</math> using the following procedure:
| |
| | |
| #Using the prime factorization <math>(p, q)</math>, Alice computes <math>r_p = y^{((p+1)/4)^{L}}~mod~p</math> and <math>r_q = y^{((q+1)/4)^{L}}~mod~q</math>.
| |
| #Compute the initial seed <math>x_0=(q(q^{-1}~{mod}~p)r_p + p(p^{-1}~{mod}~q)r_q)~{mod}~N</math>
| |
| #From <math>x_0</math>, recompute the bit-vector <math>{\vec b}</math> using the BBS generator, as in the encryption algorithm.
| |
| #Compute the plaintext by XORing the keystream with the ciphertext: <math>{\vec m} = {\vec c} \oplus {\vec b}</math>.
| |
| | |
| Alice recovers the plaintext <math>m=(m_0, \dots, m_{L-1})</math>.
| |
| | |
| == Security and efficiency ==
| |
| | |
| The Blum-Goldwasser scheme is [[semantically-secure]] based on the hardness of predicting the keystream bits given only the final BBS state <math>y</math> and the public key <math>N</math>. However, ciphertexts of the form <math>{\vec c}, y</math> are vulnerable to an [[adaptive chosen ciphertext attack]] in which the adversary requests the decryption <math>m^{\prime}</math> of a chosen ciphertext <math>{\vec a}, y</math>. The decryption <math>m</math> of the original ciphertext can be computed as <math>{\vec a} \oplus m^{\prime} \oplus {\vec c}</math>.
| |
| | |
| Depending on plaintext size, BG may be more or less computationally expensive than RSA. Because most RSA deployments use a fixed encryption exponent optimized to minimize encryption time, RSA encryption will typically outperform BG for all but the shortest messages. However, as the RSA decryption exponent is randomly distributed, modular exponentiation may require a comparable number of squarings/multiplications to BG decryption for a ciphertext of the same length. BG has the advantage of scaling more efficiently to longer ciphertexts, where RSA requires multiple separate encryptions. In these cases, BG may be significantly more efficient.
| |
| | |
| == References ==
| |
| {{reflist}}
| |
| #M. Blum, S. Goldwasser, "An Efficient Probabilistic Public Key Encryption Scheme which Hides All Partial Information", Proceedings of ''Advances in Cryptology - CRYPTO '84'', pp. 289–299, Springer Verlag, 1985.
| |
| #Menezes, Alfred; van Oorschot, Paul C.; and Vanstone, Scott A. ''Handbook of Applied Cryptography''. CRC Press, October 1996. ISBN 0-8493-8523-7
| |
| | |
| ==External links==
| |
| * [http://www.cacr.math.uwaterloo.ca/hac/ Menezes, Oorschot, Vanstone, Scott: ''Handbook of Applied Cryptography'' (free PDF downloads), see Chapter 8]
| |
| {{Cryptography navbox | public-key}}
| |
| | |
| {{DEFAULTSORT:Blum-Goldwasser cryptosystem}}
| |
| [[Category:Public-key encryption schemes]]
| |
Hello and welcome. My title is Figures Wunder. My day occupation is a meter reader. One of the extremely best things in the world for me is to do aerobics and now I'm attempting to earn money with it. For many years he's been residing in North Dakota and his family enjoys it.
my web-site torontocartridge.com