# Lec5 - Probabilistic Encryption Sheng Zhong 1 Need for...


1 Probabilistic Encryption Sheng Zhong

2 Need for Randomness

Recall that all the cryptosystems we have described are not semantically secure, because they are all deterministic. If we want a stronger security guarantee, we need to add randomness to the cryptosystem. Thus we study probabilistic public-key cryptosystems.

3 Goldwasser-Micali Cryptosystem (1)

The first probabilistic public-key cryptosystem. Its security is based on the hardness of deciding whether a residue class has a square root mod $n$. Cleartext space: $\{0,1\}$. Ciphertext space: $\mathbb{Z}_n^*$. $n$ is a Blum integer.

4 Goldwasser-Micali Cryptosystem (2)

Public key: $n$. Private key: $p$ (and $q$).

Encryption: If $m=0$, $c = r^2 \bmod n$, where $r$ is picked at random from $\mathbb{Z}_n^*$. If $m=1$, $c = -r^2 \bmod n$, where $r$ is picked at random from $\mathbb{Z}_n^*$.

5 Goldwasser-Micali Cryptosystem (3)

Decryption: Decide whether $c$ is a quadratic residue mod $n$. A quadratic residue is a residue class that has a square root mod $n$. If $c$ is a quadratic residue, then $m=0$. Otherwise, $m=1$.

6 Why does the decryption work? (1)

Clearly, when $m=0$, $c$ is a quadratic residue. So we need to show that when $m=1$, $c$ is a quadratic non-residue. Assume $c = -r^2$ is a quadratic residue. Then $-r^2 \equiv s^2 \pmod{n}$ for some $s$. This is equivalent to $-1 \equiv (s/r)^2 \pmod{n}$.

7 Why does the decryption work? (2)

Clearly, $-1 \equiv (s/r)^2 \pmod{n}$ implies $-1 \equiv (s/r)^2 \pmod{p}$. So $-1$ is a quadratic residue mod $p$. Thus $(-1)^{(p+1)/4}$ should be its square root mod $p$. Since $p \equiv 3 \pmod{4}$, $(-1)^{(p+1)/4}$ is either $1$ or $-1$. But $1$ and $-1$ are not square roots of $-1$. Contradiction.

How does the decryption work?

We have not yet said how to decide whether $c$ is a quadratic residue mod $n$. But we note that $c \equiv r^2 \pmod{n}$ if and only if $c \equiv r^2 \pmod{p}$ and $c \equiv r^2 \pmod{q}$. We have an algorithm to compute the square root $r$ if $c$ is a quadratic residue. If $c$ is not a quadratic residue, we can still use the above algorithm, but clearly when we square the output we won't get back $c$. So we only need to apply the algorithm, square the
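The scheme from slides 3 to 7, with the residuosity test described above, as an added Python example (not code from the lecture). It assumes the square-root algorithm is the exponent formula $x^{(p+1)/4} \bmod p$ that slide 7 uses for $p \equiv 3 \pmod 4$; the primes and all function names are constructed for illustration and are far too small for real use.

```python
import secrets
from math import gcd

# Constructed toy key: both primes are 3 mod 4, so n = p*q is a Blum integer.
P, Q = 499, 547
N = P * Q

def random_unit(n):
    """Pick r uniformly from Z_n^* by rejection sampling."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            return r

def encrypt(m, n=N):
    """m=0 -> r^2 mod n, m=1 -> -r^2 mod n, with a fresh random r each call."""
    if m not in (0, 1):
        raise ValueError("cleartext space is {0,1}")
    s = pow(random_unit(n), 2, n)
    return s if m == 0 else (-s) % n

def is_qr_mod_prime(c, p):
    """Compute the candidate root c^((p+1)/4) mod p and square it.
    The square equals c only when c is a quadratic residue mod p."""
    root = pow(c, (p + 1) // 4, p)
    return pow(root, 2, p) == c % p

def decrypt(c, p=P, q=Q):
    """c is a residue mod n iff it is a residue mod p and mod q."""
    if gcd(c, p * q) != 1:
        raise ValueError("ciphertext is not in Z_n^*")
    return 0 if is_qr_mod_prime(c, p) and is_qr_mod_prime(c, q) else 1

def encrypt_bits(bits, n=N):
    """Encrypt a message one bit at a time."""
    return [encrypt(b, n) for b in bits]

def decrypt_bits(ciphertexts, p=P, q=Q):
    return [decrypt(c, p, q) for c in ciphertexts]

if __name__ == "__main__":
    bits = [1, 0, 1, 1, 0]
    cts = encrypt_bits(bits)
    print("ciphertexts:", cts)
    print("decrypted:  ", decrypt_bits(cts))
    # The same bit encrypts to different values on different calls.
    print("two encryptions of 0:", encrypt(0), encrypt(0))
```
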

## This note was uploaded on 09/27/2010 for the course CSE 664 taught by Professor Shengzhong during the Spring '10 term at SUNY Buffalo.
