The '''Benaloh Cryptosystem''' is an extension of the [[Goldwasser-Micali cryptosystem]] (GM) created in 1994 by Josh (Cohen) Benaloh. The main improvement of the Benaloh Cryptosystem over GM is that longer blocks of data can be encrypted at once, whereas in GM each bit is encrypted individually.
==Scheme Definition==

Like many [[Public key cryptography|public key cryptosystems]], this scheme works in the group <math>(\mathbb{Z}/n\mathbb{Z})^*</math> where ''n'' is a product of two large [[Prime number|primes]]. This scheme is [[Homomorphic encryption|homomorphic]] and hence [[Malleability (cryptography)|malleable]].

===Key Generation===

A public/private key pair is generated as follows:

*Choose a blocksize ''r''.
*Choose large primes ''p'' and ''q'' such that ''r'' divides (''p''-1), gcd(''r'', (''p''-1)/''r'') = 1 and gcd(''q''-1, ''r'') = 1.
*Set ''n'' = ''pq''.
*Choose <math>y \in (\mathbb{Z}/n\mathbb{Z})^*</math> such that <math>y^{(p-1)(q-1)/r} \not \equiv 1 \mod n</math>.

The public key is then ''y'',''n'', and the private key is the two primes ''p'',''q''.

===Message Encryption===

To encrypt a message ''m'', where ''m'' is taken to be an element in <math>\mathbb{Z}/r\mathbb{Z}</math>:

*Choose a random <math>u \in (\mathbb{Z}/n\mathbb{Z})^*</math>
*Set <math>E_r(m) = y^m u^r \mod n</math>

===Message Decryption===

To understand decryption, we first notice that for any ''m'',''u'' we have

:<math>(y^m u^r)^{(p-1)(q-1)/r} \equiv y^{m(p-1)(q-1)/r} u^{(p-1)(q-1)} \equiv y^{m(p-1)(q-1)/r} \mod n</math>

since <math>u^{(p-1)(q-1)} \equiv 1 \mod n</math> by Euler's theorem. Since ''m'' < ''r'' and <math>y^{(p-1)(q-1)/r} \not \equiv 1 \mod n</math>, we can conclude that <math>(y^m u^r)^{(p-1)(q-1)/r} \equiv 1 \mod n</math> if and only if ''m'' = 0.

So if <math>z = y^m u^r \mod n</math> is an encryption of ''m'', then given the secret key ''p'',''q'' we can determine whether ''m'' = 0. If ''r'' is small, we can decrypt ''z'' by an exhaustive search, i.e. by testing, for ''i'' from 1 to ''r'', whether ''y''<sup>-''i''</sup>''z'' is an encryption of 0. By precomputing values, using the [[Baby-step giant-step]] algorithm, decryption can be done in time <math>O(\sqrt{r})</math>.

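The key generation, encryption, both decryption routes (exhaustive search and baby-step giant-step) and the homomorphic property mentioned in the scheme definition, as an added Python example that is not code from this page or from Benaloh's paper. The parameters (''p'', ''q'', ''r'') = (29, 11, 7) are chosen here to be tiny so the search can be followed by hand, the function names are this example's own, and for composite ''r'' the key generation checks a stronger condition on ''y'' than the page states (<math>y^{(p-1)(q-1)/t} \not\equiv 1 \mod n</math> for every prime ''t'' dividing ''r''), which is what makes the decryption search return a unique ''m''; for prime ''r'' it is exactly the page's condition.

```python
"""Toy Benaloh cryptosystem with deliberately tiny parameters (added example,
not code from the page or from Benaloh's paper). Nothing here is sized for
real use; it exists to make the decryption argument above concrete."""
import math
import random


def is_prime(x: int) -> bool:
    """Trial division; adequate for the small toy parameters used here."""
    return x >= 2 and all(x % d for d in range(2, math.isqrt(x) + 1))


def prime_factors(x: int) -> set:
    """Distinct prime factors of x by trial division."""
    out, d = set(), 2
    while d * d <= x:
        while x % d == 0:
            out.add(d)
            x //= d
        d += 1
    if x > 1:
        out.add(x)
    return out


def keygen(p: int, q: int, r: int):
    """Check the key-generation conditions and pick y.  Returns (pub, priv)
    with pub = (y, n, r) (r is public: it is needed to encrypt) and
    priv = (p, q)."""
    assert is_prime(p) and is_prime(q) and p != q
    assert (p - 1) % r == 0, "r must divide p-1"
    assert math.gcd(r, (p - 1) // r) == 1, "gcd(r, (p-1)/r) must be 1"
    assert math.gcd(q - 1, r) == 1, "gcd(q-1, r) must be 1 (forces odd r)"
    n, phi = p * q, (p - 1) * (q - 1)
    for y in range(2, n):
        # The page's test y^(phi/r) != 1 suffices when r is prime.  For
        # composite r this asks for y^(phi/t) != 1 for every prime t | r,
        # so that g = y^(phi/r) has order exactly r and decryption is unique.
        if math.gcd(y, n) == 1 and all(
                pow(y, phi // t, n) != 1 for t in prime_factors(r)):
            return (y, n, r), (p, q)
    raise ValueError("no suitable y found")


def encrypt(pub, m: int, rng=random) -> int:
    """E_r(m) = y^m * u^r mod n with a fresh random unit u."""
    y, n, r = pub
    assert 0 <= m < r, "message must be an element of Z/rZ"
    while True:
        u = rng.randrange(2, n)
        if math.gcd(u, n) == 1:
            return pow(y, m, n) * pow(u, r, n) % n


def decrypt_exhaustive(priv, pub, z: int) -> int:
    """(y^-i z)^(phi/r) == 1 mod n exactly when i == m: try each i < r."""
    (p, q), (y, n, r) = priv, pub
    phi = (p - 1) * (q - 1)
    y_inv = pow(y, -1, n)
    for i in range(r):
        if pow(pow(y_inv, i, n) * z, phi // r, n) == 1:
            return i
    raise ValueError("not a valid ciphertext")


def decrypt_bsgs(priv, pub, z: int) -> int:
    """Baby-step giant-step on g = y^(phi/r), an element of order r:
    find m with g^m == z^(phi/r) using O(sqrt(r)) group operations."""
    (p, q), (y, n, r) = priv, pub
    phi = (p - 1) * (q - 1)
    g = pow(y, phi // r, n)
    target = pow(z, phi // r, n)      # equals g^m, the u^r part vanishes
    s = math.isqrt(r) + 1
    baby = {}                          # g^j -> j for 0 <= j < s
    acc = 1
    for j in range(s):
        baby.setdefault(acc, j)
        acc = acc * g % n
    giant = pow(g, -s, n)              # multiply by g^-s per giant step
    cur = target
    for k in range(s + 1):
        if cur in baby:
            return (k * s + baby[cur]) % r
        cur = cur * giant % n
    raise ValueError("not a valid ciphertext")


def add_encrypted(pub, z1: int, z2: int) -> int:
    """Homomorphism: E(m1) * E(m2) mod n is an encryption of (m1 + m2) mod r."""
    return z1 * z2 % pub[1]


if __name__ == "__main__":
    # r = 7 divides p-1 = 28, gcd(7, 4) = 1, gcd(q-1, r) = gcd(10, 7) = 1
    pub, priv = keygen(29, 11, 7)
    rng = random.Random(1)
    z3, z5 = encrypt(pub, 3, rng), encrypt(pub, 5, rng)
    print("pub =", pub, "priv =", priv)
    print("E(3) ->", decrypt_bsgs(priv, pub, z3),
          " E(5) ->", decrypt_exhaustive(priv, pub, z5))
    print("E(3)*E(5) ->", decrypt_bsgs(priv, pub, add_encrypted(pub, z3, z5)))
```

The last line of the demo is the malleability the scheme definition warns about: anyone holding two ciphertexts can produce a valid encryption of their sum modulo ''r'' without the private key, so a deployment that needs non-malleable ciphertexts must add an integrity mechanism on top.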
===Security===

The security of this scheme rests on the [[Higher residuosity problem]]: given ''z'', ''r'' and ''n'', where the factorization of ''n'' is unknown, it is computationally infeasible to determine whether ''z'' is an ''r''th residue mod ''n'', i.e. whether there exists an ''x'' such that <math>z \equiv x^r \mod n</math>.

==References==

[http://research.microsoft.com/en-us/um/people/benaloh/papers/dpe.ps Original Paper] (ps)

{{Cryptography navbox | public-key}}

[[Category:Public-key encryption schemes]]