Lec5 - Probabilistic Encryption Sheng Zhong 1 Need for...

Info iconThis preview shows pages 1–9. Sign up to view the full content.

View Full Document Right Arrow Icon
1 Probabilistic Encryption Sheng Zhong
Background image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
2 Need for Randomness Recall all the cryptosystems we described are not semantically secure. Because they are all deterministic. If we want stronger security guarantee, we need to add randomness to cryptosystem. Thus we study probabilistic public key cryptosystem.
Background image of page 2
3 Goldwasser-Micali Cryptosystem (1) First probabilistic public key cryptosystem. The security is based on hardness of deciding whether a residue class has square root mod n. Cleartext space: {0,1} Ciphertext space: Zn*. n is a blum integer.
Background image of page 3

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
4 Goldwasser-Micali Cryptosystem (2) Public key: n. Private key: p (and q). Encryption: If m=0, c=r 2 mod n where r is picked at random from Zn*. If m=1, c=-r 2 mod n where r is picked at random from Zn*.
Background image of page 4
5 Goldwasser-Micali Cryptosystem (3) Decryption: Decide whether c is a quadratic residue mod n. A quadratic residue is a residue class that has square root mod n. If c is a quadratic residue, then m=0. Otherwise, m=1.
Background image of page 5

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
6 Why does the decryption work? (1) Clearly, when m=0, c is a quadratic residue. So we need to show that when m=1, c is a quadratic non-residue. Assume c=-r 2 is a quadratic residue. Then -r 2 =s 2 (mod n). This is equivalent to -1 =(s/r) 2 (mod n).
Background image of page 6
7 Why does the decryption work? (2) Clearly, -1 =(s/r) 2 (mod n) implies -1 =(s/r) 2 (mod p). So -1 is a quadratic residue mod p. Thus (-1) (p+1)/4 should be its square root mod p. Since p=3 (mod 4), (-1) (p+1)/4 = either 1 or -1. But 1 and -1 are not square roots of -1. Contradiction.
Background image of page 7

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
How does the decryption work? It is still missing how we decide whether c is a quadratic residue mod n. But we note that c=r 2 (mod n) if and only if c=r 2 (mod p) and c=r 2 (mod q). We have an algorithm to compute the square root r if c is a quadratic residue. If c is not a quadratic residue, we can still use the above algorithm, but clearly when we square the output we won’t get back c. So we only need to apply the algorithm, square the
Background image of page 8
Image of page 9
This is the end of the preview. Sign up to access the rest of the document.

Page1 / 33

Lec5 - Probabilistic Encryption Sheng Zhong 1 Need for...

This preview shows document pages 1 - 9. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online