Blum–Goldwasser cryptosystem

The Blum–Goldwasser (BG) cryptosystem is an asymmetric key encryption algorithm proposed by Manuel Blum and Shafi Goldwasser in 1984. Blum–Goldwasser is a probabilistic, semantically secure cryptosystem with a constant-size ciphertext expansion. The encryption algorithm implements an XOR-based stream cipher using the Blum-Blum-Shub (BBS) pseudo-random number generator to generate the keystream. Decryption is accomplished by manipulating the final state of the BBS generator using the private key, in order to find the initial seed and reconstruct the keystream.

The BG cryptosystem is semantically secure based on the assumed intractability of integer factorization; specifically, factoring a composite value where are large primes. BG has multiple advantages over earlier probabilistic encryption schemes such as the Goldwasser–Micali cryptosystem. First, its semantic security reduces solely to integer factorization, without requiring any additional assumptions (e.g., hardness of the quadratic residuosity problem or the RSA problem). Secondly, BG is efficient in terms of storage, inducing a constant-size ciphertext expansion regardless of message length. BG is also relatively efficient in terms of computation, and fares well even in comparison with cryptosystems such as RSA (depending on message length and exponent choices). However, BG is highly vulnerable to adaptive chosen ciphertext attacks (see below).

Because encryption is performed using a probabilistic algorithm, a given plaintext may produce very different ciphertexts each time it is encrypted. This has significant advantages, as it prevents an adversary from recognizing intercepted messages by comparing them to a dictionary of known ciphertexts.

Operation

edit

The Blum–Goldwasser cryptosystem consists of three algorithms: a probabilistic key generation algorithm which produces a public and a private key, a probabilistic encryption algorithm, and a deterministic decryption algorithm.

Key generation

edit

The public and private keys are generated as follows:

  1. Choose two large distinct prime numbers   and   such that   and  .
  2. Compute  .[1]

Then   is the public key and the pair   is the private key.

Encryption

edit

A message   is encrypted with the public key   as follows:

  1. Compute the block size in bits,  .
  2. Convert   to a sequence of   blocks  , where each block is   bits in length.
  3. Select a random integer  .
  4. Compute  .
  5. For   from 1 to  
    1. Compute  .
    2. Compute   the least significant   bits of  .
    3. Compute  .
  6. Finally, compute  .

The encryption of the message   is then all the   values plus the final   value:  .

Decryption

edit

An encrypted message   can be decrypted with the private key   as follows:

  1. Compute  .
  2. Compute  .
  3. Compute  .
  4. Compute  .
  5. Using the Extended Euclidean Algorithm, compute   and   such that  .
  6. Compute  . This will be the same value which was used in encryption (see proof below).   can then used to compute the same sequence of   values as were used in encryption to decrypt the message, as follows.
  7. For   from 1 to  
    1. Compute  .
    2. Compute   the least significant   bits of  .
    3. Compute  .
  8. Finally, reassemble the values   into the message  .

Example

edit

Let   and  . Then   and  . To encrypt the six-bit message  , we break it into two 3-bit blocks  , so  . We select a random   and compute  . Now we compute the   values as follows:

 

So the encryption is  .

To decrypt, we compute

 

It can be seen that   has the same value as in the encryption algorithm. Decryption therefore proceeds the same as encryption:

 

Proof of correctness

edit

We must show that the value   computed in step 6 of the decryption algorithm is equal to the value computed in step 4 of the encryption algorithm.

In the encryption algorithm, by construction   is a quadratic residue modulo  . It is therefore also a quadratic residue modulo  , as are all the other   values obtained from it by squaring. Therefore, by Euler's criterion,  . Then

 

Similarly,

 

Raising the first equation to the power   we get

 

Repeating this   times, we have

 
 

And by a similar argument we can show that  .

Finally, since  , we can multiply by   and get

 

from which  , modulo both   and  , and therefore  .

Security and efficiency

edit

The Blum–Goldwasser scheme is semantically-secure based on the hardness of predicting the keystream bits given only the final BBS state   and the public key  . However, ciphertexts of the form   are vulnerable to an adaptive chosen ciphertext attack in which the adversary requests the decryption   of a chosen ciphertext  . The decryption   of the original ciphertext can be computed as  .

Depending on plaintext size, BG may be more or less computationally expensive than RSA. Because most RSA deployments use a fixed encryption exponent optimized to minimize encryption time, RSA encryption will typically outperform BG for all but the shortest messages. However, as the RSA decryption exponent is randomly distributed, modular exponentiation may require a comparable number of squarings/multiplications to BG decryption for a ciphertext of the same length. BG has the advantage of scaling more efficiently to longer ciphertexts, where RSA requires multiple separate encryptions. In these cases, BG may be significantly more efficient.

References

edit
  1. ^ RFC 4086 section "6.2.2. The Blum Blum Shub Sequence Generator"
  1. M. Blum, S. Goldwasser, "An Efficient Probabilistic Public Key Encryption Scheme which Hides All Partial Information", Proceedings of Advances in Cryptology – CRYPTO '84, pp. 289–299, Springer Verlag, 1985.
  2. Menezes, Alfred; van Oorschot, Paul C.; and Vanstone, Scott A. Handbook of Applied Cryptography. CRC Press, October 1996. ISBN 0-8493-8523-7
edit