The Blum–Goldwasser (BG) cryptosystem is an asymmetric key encryption algorithm proposed by Manuel Blum and Shafi Goldwasser in 1984. Blum–Goldwasser is a probabilistic, semantically secure cryptosystem with a constant-size ciphertext expansion. The encryption algorithm implements an XOR-based stream cipher using the Blum-Blum-Shub (BBS) pseudo-random number generator to generate the keystream. Decryption is accomplished by manipulating the final state of the BBS generator using the private key, in order to find the initial seed and reconstruct the keystream.
The BG cryptosystem is semantically secure based on the assumed intractability of integer factorization; specifically, factoring a composite value
N=pq
p,q
Because encryption is performed using a probabilistic algorithm, a given plaintext may produce very different ciphertexts each time it is encrypted. This has significant advantages, as it prevents an adversary from recognizing intercepted messages by comparing them to a dictionary of known ciphertexts.
The Blum–Goldwasser cryptosystem consists of three algorithms: a probabilistic key generation algorithm which produces a public and a private key, a probabilistic encryption algorithm, and a deterministic decryption algorithm.
The public and private keys are generated as follows:
p
q
p\equiv3\bmod{4}
q\equiv3\bmod{4}
n=pq
n
(p,q)
A message
M
n
h=\lfloorlog2(log2(n))\rfloor
M
t
m1,m2,...,mt
h
r<n
x0=r2\bmod{n}
i
t
xi=
| 2 | |
| x | |
| i-1 |
\bmod{n}
pi=
h
xi
ci=mi ⊕ pi
xt+1=
| 2 | |
| x | |
| t |
\bmod{n}
M
ci
xt+1
(c1,c2,...,ct,xt+1)
An encrypted message
(c1,c2,...,ct,x)
(p,q)
dp=((p+1)/4)t+1\bmod{(p-1)}
dq=((q+1)/4)t+1\bmod{(q-1)}
up=
| dp | |
| x |
\bmod{p}
uq=
| dq | |
| x |
\bmod{q}
rp
rq
rpp+rqq=1
x0=uqrpp+uprqq\bmod{n}
x0
xi
i
t
xi=
| 2 | |
| x | |
| i-1 |
\bmod{n}
pi=
h
xi
mi=ci ⊕ pi
(m1,m2,...,mt)
M
Let
p=19
q=7
n=133
h=\lfloorlog2(log2(133))\rfloor=3
1010012
m1=1012,m2=0012
t=2
r=36
x0=362\bmod133=99
ci
\begin{align} x1&=992\bmod133=92=10111002; p1=1002; c1=1012 ⊕ 1002=0012\\ x2&=922\bmod133=85=10101012; p2=1012; c2=0012 ⊕ 1012=1002\\ x3&=852\bmod133=43 \end{align}
So the encryption is
(c1=0012,c2=1002,x3=43)
To decrypt, we compute
\begin{align} dp&=53\bmod18=17\\ dq&=23\bmod6=2\\ up&=4317\bmod19=4\\ uq&=432\bmod7=1\\ (rp,rq)&=(3,-8)since3 ⋅ 19+(-8) ⋅ 7=1\\ x0&=1 ⋅ 3 ⋅ 19+4 ⋅ (-8) ⋅ 7\bmod133=99\\ \end{align}
It can be seen that
x0
\begin{align} x1&=992\bmod133=92=10111002; p1=1002; m1=0012 ⊕ 1002=1012\\ x2&=922\bmod133=85=10101012; p2=1012; m2=1002 ⊕ 1012=0012 \end{align}
We must show that the value
x0
In the encryption algorithm, by construction
x0
n
p
xi
| (p-1)/2 | |
| x | |
| i |
\equiv1\mod{p}
| (p+1)/4 | |
| x | |
| t+1 |
\equiv
| 2) | |
| (x | |
| t |
(p+1)/4)\equiv
| (p+1)/2 | |
| x | |
| t |
\equivxt(x
| (p-1)/2 | |
| t |
)\equivxt\mod{p}
| (p+1)/4 | |
| x | |
| t |
\equivxt-1\mod{p}
(p+1)/4
| ((p+1)/4)2 | |
| x | |
| t+1 |
\equiv
| (p+1)/4 | |
| x | |
| t |
\equivxt-1\mod{p}
t
| (p+1)/4)t+1 | |
| x | |
| t+1 |
\equivx0\mod{p}
| dp | |
| x | |
| t+1 |
\equivup\equivx0\mod{p}
| dq | |
| x | |
| t+1 |
\equivuq\equivx0\mod{q}
Finally, since
rpp+rqq=1
x0
x0rpp+x0rqq=x0
uqrpp+uprqq\equivx0
p
q
uqrpp+uprqq\equivx0\mod{n}
The Blum–Goldwasser scheme is semantically-secure based on the hardness of predicting the keystream bits given only the final BBS state
y
N
{\vecc},y
m\prime
{\veca},y
m
{\veca} ⊕ m\prime ⊕ {\vecc}
Depending on plaintext size, BG may be more or less computationally expensive than RSA. Because most RSA deployments use a fixed encryption exponent optimized to minimize encryption time, RSA encryption will typically outperform BG for all but the shortest messages. However, as the RSA decryption exponent is randomly distributed, modular exponentiation may require a comparable number of squarings/multiplications to BG decryption for a ciphertext of the same length. BG has the advantage of scaling more efficiently to longer ciphertexts, where RSA requires multiple separate encryptions. In these cases, BG may be significantly more efficient.