the ciphertext, he cannot prove that the ciphertext is the encryption of the plaintext without the private decryption key. Even if he tries exhaustive search, he can only prove that every conceivable plaintext is a possible plaintext.

Under this scheme, the ciphertext will always be larger than the plaintext. You can't get around this; it's a result of the fact that many ciphertexts decrypt to the same plaintext. The first probabilistic encryption scheme [625] resulted in a ciphertext so much larger than the plaintext that it was unusable. However, Manuel Blum and Goldwasser have an efficient implementation of probabilistic encryption using the Blum Blum Shub (BBS) random-bit generator described in Section 17.9 [199].

The BBS generator is based on the theory of quadratic residues. In English, there are two primes, $p$ and $q$, that are congruent to 3 modulo 4. That's the private key. Their product, $pq = n$, is the public key. (Mind your ps and qs; the security of this scheme rests in the difficulty of factoring $n$.)

To encrypt a message, $M$, first choose some random $x$, relatively prime to $n$. Then compute

$$x_0 = x^2 \bmod n$$

Use $x_0$ as the seed of the BBS pseudo-random-bit generator and use the output of the generator as a stream cipher. XOR $M$, one bit at a time, with the output of the generator. The generator spits out bits $b_i$ (the least-significant bit of $x_i$, where $x_i = x_{i-1}^2 \bmod n$), so

$$M = M_1, M_2, M_3, \ldots, M_t$$

$$C = M_1 \oplus b_1, M_2 \oplus b_2, M_3 \oplus b_3, \ldots, M_t \oplus b_t$$

where $t$ is the length of the plaintext. Append the last computed value, $x_t$, to the end of the message and you're done.

The only way to decrypt this message is to recover $x_0$ and then set up the same BBS generator to XOR with the ciphertext. Because the BBS generator is secure to the left, the value $x_t$ is of no use to the cryptanalyst. Only someone who knows $p$ and $q$ can decrypt the message.
In C, the algorithm to recover $x_0$ from $x_t$ is:

int x0 (int p, int q, int n, int t, int xt)
{
    int a, b, u, v, w, z;
    /* we already know that gcd...
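The encryption and decryption steps above, carried through end to end, as an added example in Python that is not Schneier's code (the C listing is only partially shown here). It uses two constructed, deliberately tiny Blum primes, P = 10007 and Q = 10039, so it runs instantly; a real key uses primes of hundreds of digits, since the scheme is only as strong as factoring n. Recovery of $x_0$ from $x_t$ follows the reasoning in the text: for a prime $p \equiv 3 \pmod 4$ the quadratic-residue square root of a residue $y$ is $y^{(p+1)/4} \bmod p$, so $t$ backward steps mean raising to $((p+1)/4)^t$, an exponent Fermat's theorem lets us reduce modulo $p-1$; the halves modulo $p$ and $q$ are then recombined with the Chinese remainder theorem.

```python
"""Blum-Goldwasser probabilistic encryption over the Blum Blum Shub generator.

Added worked example; not the book's code. Primes are constructed demo values.
"""
import secrets
from math import gcd

# Constructed demonstration key: two primes congruent to 3 mod 4 (Blum primes).
# Far too small for real use; chosen only so the example runs instantly.
P = 10007
Q = 10039
N = P * Q
assert P % 4 == 3 and Q % 4 == 3


def bbs_bits(x0: int, n: int, t: int):
    """Yield (x_i, b_i) for i = 1..t: x_i = x_{i-1}^2 mod n, b_i = lsb(x_i)."""
    x = x0
    for _ in range(t):
        x = x * x % n
        yield x, x & 1


def bits_of(data: bytes):
    """Big-endian bit list of a byte string."""
    return [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]


def bytes_of(bits):
    """Inverse of bits_of; len(bits) must be a multiple of 8."""
    out = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def encrypt(n: int, message: bytes):
    """Public-key operation. Returns (ciphertext bits, trailer x_t).

    The ciphertext is t bits plus x_t (about log2(n) bits), which is the
    unavoidable expansion the text describes.
    """
    m_bits = bits_of(message)
    t = len(m_bits)
    while True:
        x = secrets.randbelow(n - 2) + 2        # random x in [2, n-1]
        if gcd(x, n) == 1:                      # x must be coprime to n
            break
    x0 = x * x % n                              # seed of the BBS generator
    xt = x0                                     # for an empty message x_t = x_0
    c_bits = []
    for (xt, b), m in zip(bbs_bits(x0, n, t), m_bits):
        c_bits.append(m ^ b)
    return c_bits, xt


def recover_x0(p: int, q: int, t: int, xt: int) -> int:
    """Private-key operation: walk the BBS sequence t steps backwards.

    Each x_i is a quadratic residue, so its residue square root modulo a
    Blum prime is x_i^((p+1)/4). Doing that t times raises x_t to
    ((p+1)/4)^t, reduced mod p-1 by Fermat. The result mod p and mod q is
    recombined with the CRT in Garner form: x0 = w + p * ((z - w) * p^-1 mod q).
    """
    u = pow((p + 1) // 4, t, p - 1)
    v = pow((q + 1) // 4, t, q - 1)
    w = pow(xt % p, u, p)                       # x_0 mod p
    z = pow(xt % q, v, q)                       # x_0 mod q
    h = (z - w) * pow(p, -1, q) % q
    return w + p * h


def decrypt(p: int, q: int, c_bits, xt: int) -> bytes:
    """Recover x_0 with the private key, rerun the generator, XOR it off."""
    n = p * q
    t = len(c_bits)
    x0 = recover_x0(p, q, t, xt)
    m_bits = [c ^ b for (_, b), c in zip(bbs_bits(x0, n, t), c_bits)]
    return bytes_of(m_bits)


def roundtrip(message: bytes) -> bytes:
    """Encrypt under the public key N and decrypt under the private (P, Q)."""
    c_bits, xt = encrypt(N, message)
    return decrypt(P, Q, c_bits, xt)


if __name__ == "__main__":
    msg = b"attack at dawn"                     # constructed sample plaintext
    c_bits, xt = encrypt(N, msg)
    print("ciphertext bits:", len(c_bits), "trailer x_t:", xt)
    print("decrypted:", decrypt(P, Q, c_bits, xt))
```

Two things worth checking when running it: encrypting the same message twice yields different `c_bits` and a different `x_t` (the random `x` is what makes the scheme probabilistic), and without `p` and `q` the trailer `x_t` alone does not let you step the generator backwards, because that would require taking square roots modulo `n`.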
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.