The Goldwasser–Micali (GM) cryptosystem is an asymmetric key encryption algorithm developed by Shafi Goldwasser and Silvio Micali in 1982. GM has the distinction of being the first probabilistic public-key encryption scheme which is provably secure under standard cryptographic assumptions. However, it is not an efficient cryptosystem, as ciphertexts may be several hundred times larger than the initial plaintext. To prove the security properties of the cryptosystem, Goldwasser and Micali proposed the widely used definition of semantic security.
The GM cryptosystem is semantically secure based on the assumed intractability of the quadratic residuosity problem modulo a composite N = pq where p, q are large primes. This assumption states that given (x, N) it is difficult to determine whether x is a quadratic residue modulo N (i.e., x = y2 mod N for some y), when the Jacobi symbol for x is +1. The quadratic residue problem is easily solved given the factorization of N, while new quadratic residues may be generated by any party, even without knowledge of this factorization. The GM cryptosystem leverages this asymmetry by encrypting individual plaintext bits as either random quadratic residues or non-residues modulo N, all with quadratic residue symbol +1. Recipients use the factorization of N as a secret key, and decrypt the message by testing the quadratic residuosity of the received ciphertext values.
Because Goldwasser–Micali produces a value of size approximately |N| to encrypt every single bit of a plaintext, GM encryption results in substantial ciphertext expansion. To prevent factorization attacks, it is recommended that |N| be several hundred bits or more. Thus, the scheme serves mainly as a proof of concept, and more efficient provably-secure schemes such as ElGamal have been developed since.
Because encryption is performed using a probabilistic algorithm, a given plaintext may produce very different ciphertexts each time it is encrypted. This has significant advantages, as it prevents an adversary from recognizing intercepted messages by comparing them to a dictionary of known ciphertexts.
Goldwasser–Micali consists of three algorithms: a probabilistic key generation algorithm which produces a public and a private key, a probabilistic encryption algorithm, and a deterministic decryption algorithm.
The scheme relies on deciding whether a given value x is a square mod N, given the factorization (p, q) of N. This can be accomplished using the following procedure:
(p-1)/2 | |
x | |
p |
\equiv1\pmod{p}
(q-1)/2 | |
x | |
q |
\equiv1\pmod{q}
The modulus used in GM encryption is generated in the same manner as in the RSA cryptosystem. (See RSA, key generation for details.)
\left( | x | \right)=\left( |
p |
x | |
q |
\right)=-1
\left( | x |
N |
\right)
The public key consists of (x, N). The secret key is the factorization (p, q).
Suppose Bob wishes to send a message m to Alice:
mi
yi
\gcd(yi,N)=1
ci=
2 | |
y | |
i |
mi | |
x |
\pmod{N}
Bob sends the ciphertext (c1, ..., cn).
Alice receives (c1, ..., cn). She can recover m using the following procedure:
Alice outputs the message m = (m1, ..., mn).
There is a simple reduction from breaking this cryptosystem to the problem of determining whether a random value modulo N with Jacobi symbol +1 is a quadratic residue. If an algorithm A breaks the cryptosystem,then to determine if a given value x is a quadratic residue modulo N, we test A to see if it can break the cryptosystem using (x,N) as a public key. If x is a non-residue, then A should work properly. However, if x is a residue, then every "ciphertext" will simply be a random quadratic residue, soA cannot be correct more than half of the time. Furthermore, this problem is random self-reducible, which ensures that for a given N, every public key is just as secure as every other public key.
The GM cryptosystem has homomorphic properties, in the sense that if c0, c1 are the encryptions of bits m0, m1, then c0c1 mod N will be an encryption of
m0 ⊕ m1