Rotation around a fixed axis

From formulasearchengine
Revision as of 13:32, 15 January 2014 by en>Incnis Mrsi (Reverted edits by Jjalexand (talk) to last version by 117.222.47.190)
Jump to navigation Jump to search

The Blum-Goldwasser (BG) cryptosystem is an asymmetric key encryption algorithm proposed by Manuel Blum and Shafi Goldwasser in 1984. Blum-Goldwasser is a probabilistic, semantically secure cryptosystem with a constant-size ciphertext expansion. The encryption algorithm implements an XOR-based stream cipher using the Blum Blum Shub (BBS) pseudo-random number generator to generate the keystream. Decryption is accomplished by manipulating the final state of the BBS generator using the private key, in order to find the initial seed and reconstruct the keystream.

The BG cryptosystem is semantically secure based on the assumed intractability of integer factorization; specifically, factoring a composite value N=pq where p,q are large primes. BG has multiple advantages over earlier probabilistic encryption schemes such as the Goldwasser-Micali cryptosystem. First, its semantic security reduces solely to integer factorization, without requiring any additional assumptions (e.g., hardness of the quadratic residuosity problem or the RSA problem). Secondly, BG is efficient in terms of storage, inducing a constant-size ciphertext expansion regardless of message length. BG is also relatively efficient in terms of computation, and fares well even in comparison with cryptosystems such as RSA (depending on message length and exponent choices). However, BG is highly vulnerable to adaptive chosen ciphertext attacks (see below).

Because encryption is performed using a probabilistic algorithm, a given plaintext may produce very different ciphertexts each time it is encrypted. This has significant advantages, as it prevents an adversary from recognizing intercepted messages by comparing them to a dictionary of known ciphertexts.

Scheme definition

Note that the following description is a draft, and may contain errors!

Blum-Goldwasser consists of three algorithms: a probabilistic key generation algorithm which produces a public and a private key, a probabilistic encryption algorithm, and a deterministic decryption algorithm.

Key generation

To allow for decryption, the modulus used in Blum-Goldwasser encryption should be a Blum integer. This value is generated in the same manner as an RSA modulus, except that the prime factors (p,q) must be congruent to 3 mod 4. (See RSA, key generation for details.)

  1. Alice generates two large prime numbers p and q such that pq, randomly and independently of each other, where pq3 mod 4.[1]
  2. Alice computes N=pq.

The public key is N. The private key is the factorization (p,q). [1]

  1. Alice keeps the private key secret.
  1. Alice gives N to Bob.

Message encryption

Suppose Bob wishes to send a message m to Alice:

  1. Bob first encodes m as a string of L bits (m0,,mL1).
  2. Bob selects a random element r, where 1<r<N, and computes x0=r2modN.
  3. Bob uses the BBS pseudo-random number generator to generate L random bits b=(b0,,bL1) (the keystream), as follows:
    1. For i=0 to L:
    2. Set bi equal to the least-significant bit of xi.
    3. Increment i.
    4. Compute xi=(xi1)2modN.
  4. Bob computes the ciphertext bits using the bits from the BBS as a stream cipher keystream, XORing the plaintext bits with the keystream:
    1. For i=0 to L1:
    2. c=mb
  1. Bob sends a message to Alice -- the enciphered bits and the final xL value (c0,,cL1),xL.

(The value xL is equal to xL=x02LmodN. )

To improve performance, the BBS generator can securely output up to O(loglogN) of the least-significant bits of xi during each round. See Blum Blum Shub for details.

Message decryption

Alice receives (c0,,cL1),y. She can recover m using the following procedure:

  1. Using the prime factorization (p,q), Alice computes rp=y((p+1)/4)Lmodp and rq=y((q+1)/4)Lmodq.
  2. Compute the initial seed x0=(q(q1modp)rp+p(p1modq)rq)modN
  3. From x0, recompute the bit-vector b using the BBS generator, as in the encryption algorithm.
  4. Compute the plaintext by XORing the keystream with the ciphertext: m=cb.

Alice recovers the plaintext m=(m0,,mL1).

Security and efficiency

The Blum-Goldwasser scheme is semantically-secure based on the hardness of predicting the keystream bits given only the final BBS state y and the public key N. However, ciphertexts of the form c,y are vulnerable to an adaptive chosen ciphertext attack in which the adversary requests the decryption m of a chosen ciphertext a,y. The decryption m of the original ciphertext can be computed as amc.

Depending on plaintext size, BG may be more or less computationally expensive than RSA. Because most RSA deployments use a fixed encryption exponent optimized to minimize encryption time, RSA encryption will typically outperform BG for all but the shortest messages. However, as the RSA decryption exponent is randomly distributed, modular exponentiation may require a comparable number of squarings/multiplications to BG decryption for a ciphertext of the same length. BG has the advantage of scaling more efficiently to longer ciphertexts, where RSA requires multiple separate encryptions. In these cases, BG may be significantly more efficient.

References

43 year old Petroleum Engineer Harry from Deep River, usually spends time with hobbies and interests like renting movies, property developers in singapore new condominium and vehicle racing. Constantly enjoys going to destinations like Camino Real de Tierra Adentro.

  1. M. Blum, S. Goldwasser, "An Efficient Probabilistic Public Key Encryption Scheme which Hides All Partial Information", Proceedings of Advances in Cryptology - CRYPTO '84, pp. 289–299, Springer Verlag, 1985.
  2. Menezes, Alfred; van Oorschot, Paul C.; and Vanstone, Scott A. Handbook of Applied Cryptography. CRC Press, October 1996. ISBN 0-8493-8523-7

External links

Template:Cryptography navbox

  1. 1.0 1.1 RFC 4086 section "6.2.2. The Blum Blum Shub Sequence Generator"