Okamoto–Uchiyama cryptosystem explained

The Okamoto–Uchiyama cryptosystem is a public key cryptosystem proposed in 1998 by Tatsuaki Okamoto and Shigenori Uchiyama. The system works in the multiplicative group of integers modulo n,

(Z/nZ)^*

, where n is of the form p²q and p and q are large primes.

Background

Let

be an odd prime. Define

\Gamma=\{x\in(Z/p²Z)^*|x\equiv1\bmodp\}

\Gamma

is a subgroup of

(Z/p²Z)^*

with

|\Gamma|=p

(the elements of

\Gamma

are

1,1+p,1+2p...1+(p-1)p

Define

L:\Gamma\toZ/pZ

L(x)=

	x-1
	p

is a homomorphism between

\Gamma

and the additive group

Z/pZ

: that is,

L(ab)=L(a)+L(b)\bmodp

. Since

is bijective, it is an isomorphism.

One can now show the following as a corollary:

Let

x\in\Gamma

such that

L(x) ≠ 0\bmodp

and

y=x^m\bmodp²

for

0\leqm<p

. Then

	L(y)
	L(x)

	y-1
	x-1

\bmodp

The corollary is a direct consequence of

L(x^m)=m ⋅ L(x)

Operation

Like many public key cryptosystems, this scheme works in the group

(Z/nZ)^*

. This scheme is homomorphic and hence malleable.

Key generation

A public/private key pair is generated as follows:

Generate two large primes

and

Compute

n=p²q

Choose a random integer

g\in\{2...n-1\}

such that

g^p-1\not\equiv1\modp²

Compute

h=gⁿ\bmodn

The public key is then

(n,g,h)

and the private key is

(p,q)

Encryption

A message

m<p

can be encrypted with the public key

(n,g,h)

as follows.

Choose a random integer

r\in\{1...n-1\}

Compute

c=g^mh^r\bmodn

.The value

is the encryption of

Decryption

An encrypted message

can be decrypted with the private key

(p,q)

as follows.

Compute

a=L(c^p-1\bmod{p^2})

Compute

b=L(g^p-1\bmod{p^2})

and

will be integers.

Using the Extended Euclidean Algorithm, compute the inverse of

modulo

b'=b^-1\bmodp

Compute

m=ab'\bmodp

.The value

is the decryption of

Example

Let

p=3

and

q=5

. Then

n=3² ⋅ 5=45

. Select

g=22

. Then

h=22⁴⁵\bmod45=37

Now to encrypt a message

m=2

, we pick a random

r=13

and compute

c=g^mh^r\bmodn=22²37¹³\bmod45=43

To decrypt the message 43, we compute

	(43²\bmod3²⁾-1
	3

	(22²\bmod3²⁾-1
	3

b'=2^-1\bmod3=2

.And finally

m=ab'=2

Proof of correctness

We wish to prove that the value computed in the last decryption step,

ab'\bmodp

, is equal to the original message

. We have

(g^mh^r)^p-1\equiv(g^mg^nr)^p-1\equiv(g^p-1)^mg^p(p-1)rpq\equiv(g^p-1)^m\modp²

So to recover

we need to take the discrete logarithm with base

g^p-1

. This can be done by applying

, as follows.

By Fermat's little theorem,

g^p-1\equiv1\bmodp

. Since

g^p-1\not\equiv1\bmodp²

one can write

g^p-1=1+pr

with

0<r<p

. Then

L(g^p-1)\not\equiv0\bmodp

and the corollary from earlier applies:

	L((g^p-1)^m)
	L(g^p-1)

\bmodp

Security

Inverting the encryption function can be shown to be as hard as factoring n, meaning that if an adversary could recover the entire message from the encryption of the message they would be able to factor n. The semantic security (meaning adversaries cannot recover any information about the message from the encryption) rests on the p-subgroup assumption, which assumes that it is difficult to determine whether an element x in

(Z/nZ)^*

is in the subgroup of order p. This is very similar to the quadratic residuosity problem and the higher residuosity problem.

References

Book: Tatsuaki . Okamoto . Shigenori . Uchiyama . A new public-key cryptosystem as secure as factoring . Advances in Cryptology – EUROCRYPT'98 . . 1403 . Springer . 1998 . 308–318 . 10.1007/BFb0054135 . 978-3-540-64518-4 .