Blum–Goldwasser cryptosystem

Template:Short description The Blum–Goldwasser (BG) cryptosystem is an asymmetric key encryption algorithm proposed by Manuel Blum and Shafi Goldwasser in 1984. Blum–Goldwasser is a probabilistic, semantically secure cryptosystem with a constant-size ciphertext expansion. The encryption algorithm implements an XOR-based stream cipher using the Blum-Blum-Shub (BBS) pseudo-random number generator to generate the keystream. Decryption is accomplished by manipulating the final state of the BBS generator using the private key, in order to find the initial seed and reconstruct the keystream.

The BG cryptosystem is semantically secure based on the assumed intractability of integer factorization; specifically, factoring a composite value ${\displaystyle N=pq}$ where ${\displaystyle p,q}$ are large primes. BG has multiple advantages over earlier probabilistic encryption schemes such as the Goldwasser–Micali cryptosystem. First, its semantic security reduces solely to integer factorization, without requiring any additional assumptions (e.g., hardness of the quadratic residuosity problem or the RSA problem). Secondly, BG is efficient in terms of storage, inducing a constant-size ciphertext expansion regardless of message length. BG is also relatively efficient in terms of computation, and fares well even in comparison with cryptosystems such as RSA (depending on message length and exponent choices). However, BG is highly vulnerable to adaptive chosen ciphertext attacks (see below).

Because encryption is performed using a probabilistic algorithm, a given plaintext may produce very different ciphertexts each time it is encrypted. This has significant advantages, as it prevents an adversary from recognizing intercepted messages by comparing them to a dictionary of known ciphertexts.

The Blum–Goldwasser cryptosystem consists of three algorithms: a probabilistic key generation algorithm which produces a public and a private key, a probabilistic encryption algorithm, and a deterministic decryption algorithm.

The public and private keys are generated as follows:

1. Choose two large distinct prime numbers ${\displaystyle p}$ and ${\displaystyle q}$ such that ${\displaystyle p\equiv 3mod4}$ and ${\displaystyle q\equiv 3mod4}$.
2. Compute ${\displaystyle n=pq}$.^[1]

Then ${\displaystyle n}$ is the public key and the pair ${\displaystyle (p,q)}$ is the private key.

A message ${\displaystyle M}$ is encrypted with the public key ${\displaystyle n}$ as follows:

1. Compute the block size in bits, ${\displaystyle h=\lfloor lo{g}_2(lo{g}_2(n))\rfloor }$.
2. Convert ${\displaystyle M}$ to a sequence of ${\displaystyle t}$ blocks ${\displaystyle m_1,m_2,\dots ,m_t}$, where each block is ${\displaystyle h}$ bits in length.
3. Select a random integer ${\displaystyle r<n}$.
4. Compute ${\displaystyle x_0=r^{2}modn}$.
5. For ${\displaystyle i}$ from 1 to ${\displaystyle t}$
   1. Compute ${\displaystyle x_i=x_{i-1}^{2}modn}$.
   2. Compute ${\displaystyle p_i=}$ the least significant ${\displaystyle h}$ bits of ${\displaystyle x_i}$.
   3. Compute ${\displaystyle c_i=m_i\oplus p_i}$.
6. Finally, compute ${\displaystyle x_{t+1}=x_t^{2}modn}$.

The encryption of the message ${\displaystyle M}$ is then all the ${\displaystyle c_i}$ values plus the final ${\displaystyle x_{t+1}}$ value: ${\displaystyle (c_1,c_2,\dots ,c_t,x_{t+1})}$.

An encrypted message ${\displaystyle (c_1,c_2,\dots ,c_t,x)}$ can be decrypted with the private key ${\displaystyle (p,q)}$ as follows:

1. Compute ${\displaystyle d_p=((p+1)/4{)}^{t+1}mod(p-1)}$.
2. Compute ${\displaystyle d_q=((q+1)/4{)}^{t+1}mod(q-1)}$.
3. Compute ${\displaystyle u_p=x^{d_p}modp}$.
4. Compute ${\displaystyle u_q=x^{d_q}modq}$.
5. Using the Extended Euclidean Algorithm, compute ${\displaystyle r_p}$ and ${\displaystyle r_q}$ such that ${\displaystyle r_{p}p+r_{q}q=1}$.
6. Compute ${\displaystyle x_0=u_q{r}_{p}p+u_p{r}_{q}qmodn}$. This will be the same value which was used in encryption (see proof below). ${\displaystyle x_0}$ can then used to compute the same sequence of ${\displaystyle x_i}$ values as were used in encryption to decrypt the message, as follows.
7. For ${\displaystyle i}$ from 1 to ${\displaystyle t}$
   1. Compute ${\displaystyle x_i=x_{i-1}^{2}modn}$.
   2. Compute ${\displaystyle p_i=}$ the least significant ${\displaystyle h}$ bits of ${\displaystyle x_i}$.
   3. Compute ${\displaystyle m_i=c_i\oplus p_i}$.
8. Finally, reassemble the values ${\displaystyle (m_1,m_2,\dots ,m_t)}$ into the message ${\displaystyle M}$.

Let ${\displaystyle p=19}$ and ${\displaystyle q=7}$. Then ${\displaystyle n=133}$ and ${\displaystyle h=\lfloor lo{g}_2(lo{g}_2(133))\rfloor =3}$. To encrypt the six-bit message ${\displaystyle 101001_2}$, we break it into two 3-bit blocks ${\displaystyle m_1=101_2,m_2=001_2}$, so ${\displaystyle t=2}$. We select a random ${\displaystyle r=36}$ and compute ${\displaystyle x_0=36^{2}mod133=99}$. Now we compute the ${\displaystyle c_i}$ values as follows:

${\displaystyle \begin{array}{cc}{x}_1& =99^{2}mod133=92=1011100_2;p_1=100_2;c_1=101_2\oplus 100_2=001_2\\ x_2& =92^{2}mod133=85=1010101_2;p_2=101_2;c_2=001_2\oplus 101_2=100_2\\ x_3& =85^{2}mod133=43\end{array}}$

So the encryption is ${\displaystyle (c_1=001_2,c_2=100_2,x_3=43)}$.

To decrypt, we compute

${\displaystyle \begin{array}{cc}{d}_p& =5^{3}mod18=17\\ d_q& =2^{3}mod6=2\\ u_p& =43^{17}mod19=4\\ u_q& =43^{2}mod7=1\\ (r_p,r_q)& =(3,-8)\text{ since }3\cdot 19+(-8)\cdot 7=1\\ x_0& =1\cdot 3\cdot 19+4\cdot (-8)\cdot 7mod133=99\\ \end{array}}$

It can be seen that ${\displaystyle x_0}$ has the same value as in the encryption algorithm. Decryption therefore proceeds the same as encryption:

${\displaystyle \begin{array}{cc}{x}_1& =99^{2}mod133=92=1011100_2;p_1=100_2;m_1=001_2\oplus 100_2=101_2\\ x_2& =92^{2}mod133=85=1010101_2;p_2=101_2;m_2=100_2\oplus 101_2=001_2\end{array}}$

We must show that the value ${\displaystyle x_0}$ computed in step 6 of the decryption algorithm is equal to the value computed in step 4 of the encryption algorithm.

In the encryption algorithm, by construction ${\displaystyle x_0}$ is a quadratic residue modulo ${\displaystyle n}$. It is therefore also a quadratic residue modulo ${\displaystyle p}$, as are all the other ${\displaystyle x_i}$ values obtained from it by squaring. Therefore, by Euler's criterion, ${\displaystyle x_i^{(p-1)/2}\equiv 1modp}$. Then

${\displaystyle x_{t+1}^{(p+1)/4}\equiv (x_t^2{)}^{(p+1)/4)}\equiv x_t^{(p+1)/2}\equiv x_t(x_t^{(p-1)/2})\equiv x_{t}modp}$

Similarly,

${\displaystyle x_t^{(p+1)/4}\equiv x_{t-1}modp}$

Raising the first equation to the power ${\displaystyle (p+1)/4}$ we get

${\displaystyle x_{t+1}^{((p+1)/4{)}^2}\equiv x_t^{(p+1)/4}\equiv x_{t-1}modp}$

Repeating this ${\displaystyle t}$ times, we have

${\displaystyle x_{t+1}^{(p+1)/4{)}^{t+1}}\equiv x_{0}modp}$

${\displaystyle x_{t+1}^{d_p}\equiv u_p\equiv x_{0}modp}$

And by a similar argument we can show that ${\displaystyle x_{t+1}^{d_q}\equiv u_q\equiv x_{0}modq}$.

Finally, since ${\displaystyle r_{p}p+r_{q}q=1}$, we can multiply by ${\displaystyle x_0}$ and get

${\displaystyle x_0{r}_{p}p+x_0{r}_{q}q=x_0}$

from which ${\displaystyle u_q{r}_{p}p+u_p{r}_{q}q\equiv x_0}$, modulo both ${\displaystyle p}$ and ${\displaystyle q}$, and therefore ${\displaystyle u_q{r}_{p}p+u_p{r}_{q}q\equiv x_{0}modn}$.

The Blum–Goldwasser scheme is semantically-secure based on the hardness of predicting the keystream bits given only the final BBS state ${\displaystyle y}$ and the public key ${\displaystyle N}$. However, ciphertexts of the form ${\displaystyle \overrightarrow{c},y}$ are vulnerable to an adaptive chosen ciphertext attack in which the adversary requests the decryption ${\displaystyle m^{\prime }}$ of a chosen ciphertext ${\displaystyle \overrightarrow{a},y}$. The decryption ${\displaystyle m}$ of the original ciphertext can be computed as ${\displaystyle \overrightarrow{a}\oplus m^{\prime }\oplus \overrightarrow{c}}$.

Depending on plaintext size, BG may be more or less computationally expensive than RSA. Because most RSA deployments use a fixed encryption exponent optimized to minimize encryption time, RSA encryption will typically outperform BG for all but the shortest messages. However, as the RSA decryption exponent is randomly distributed, modular exponentiation may require a comparable number of squarings/multiplications to BG decryption for a ciphertext of the same length. BG has the advantage of scaling more efficiently to longer ciphertexts, where RSA requires multiple separate encryptions. In these cases, BG may be significantly more efficient.

Template:Reflist

1. M. Blum, S. Goldwasser, "An Efficient Probabilistic Public Key Encryption Scheme which Hides All Partial Information", Proceedings of Advances in Cryptology – CRYPTO '84, pp. 289–299, Springer Verlag, 1985.
2. Menezes, Alfred; van Oorschot, Paul C.; and Vanstone, Scott A. Handbook of Applied Cryptography. CRC Press, October 1996. Template:ISBN

• Menezes, Oorschot, Vanstone, Scott: Handbook of Applied Cryptography (free PDF downloads), see Chapter 8

Template:Cryptography navbox