Benaloh cryptosystem

Last updated September 10, 2020

The Benaloh Cryptosystem is an extension of the Goldwasser-Micali cryptosystem (GM) created in 1985 by Josh (Cohen) Benaloh. The main improvement of the Benaloh Cryptosystem over GM is that longer blocks of data can be encrypted at once, whereas in GM each bit is encrypted individually.^[1]^[2]^[3]

Scheme Definition

Like many public key cryptosystems, this scheme works in the group $(\mathbb {Z} /n\mathbb {Z} )^{*}$ where n is a product of two large primes. This scheme is homomorphic and hence malleable.

Key Generation

Given block size r, a public/private key pair is generated as follows:

Choose large primes p and q such that $r\vert (p-1),\operatorname {gcd} (r,(p-1)/r)=1,$ and $\operatorname {gcd} (r,(q-1))=1$
Set $n=pq,\phi =(p-1)(q-1)$
Choose $y\in \mathbb {Z} _{n}^{*}$ such that $y^{\phi /r}\not \equiv 1\mod n$ .

Note: If r is composite, it was pointed out by Fousse et al. in 2011^[4] that the above conditions (i.e., those stated in the original paper) are insufficient to guarantee correct decryption, i.e., to guarantee that

D(E(m))=m

in all cases (as should be the case). To address this, the authors propose the following check: let

r=p_{1}p_{2}\dots p_{k}

be the prime factorization of r. Choose

y\in \mathbb {Z} _{n}^{*}

such that for each factor

p_{i}

, it is the case that

y^{\phi /p_{i}}\neq 1\mod n

.

Set $x=y^{\phi /r}\mod n$

The public key is then $y,n$ , and the private key is $\phi ,x$ .

Message Encryption

To encrypt message $m\in \mathbb {Z} _{r}$ :

Choose a random $u\in \mathbb {Z} _{n}^{*}$
Set $E_{r}(m)=y^{m}u^{r}\mod n$

Message Decryption

To decrypt a ciphertext $c\in \mathbb {Z} _{n}^{*}$ :

Compute $a=c^{\phi /r}\mod n$
Output $m=\log _{x}(a)$ , i.e., find m such that $x^{m}\equiv a\mod n$

To understand decryption, first notice that for any $m\in \mathbb {Z} _{r}$ and $u\in \mathbb {Z} _{n}^{*}$ we have:

a=(c)^{\phi /r}\equiv (y^{m}u^{r})^{\phi /r}\equiv (y^{m})^{\phi /r}(u^{r})^{\phi /r}\equiv (y^{\phi /r})^{m}(u)^{\phi }\equiv (x)^{m}(u)^{0}\equiv x^{m}\mod n

To recover m from a, we take the discrete log of a base x. If r is small, we can recover m by an exhaustive search, i.e. checking if $x^{i}\equiv a\mod n$ for all $0\dots (r-1)$ . For larger values of r, the Baby-step giant-step algorithm can be used to recover m in $O({\sqrt {r}})$ time and space.

Security

The security of this scheme rests on the Higher residuosity problem, specifically, given z,r and n where the factorization of n is unknown, it is computationally infeasible to determine whether z is an rth residue mod n, i.e. if there exists an x such that $z\equiv x^{r}\mod n$ .

Related Research Articles

In number theory, the Chinese remainder theorem states that if one knows the remainders of the Euclidean division of an integer n by several integers, then one can determine uniquely the remainder of the division of n by the product of these integers, under the condition that the divisors are pairwise coprime.

Shor's algorithm is a polynomial-time quantum computer algorithm for integer factorization. Informally, it solves the following problem: Given an integer $, find its prime factors. It was invented in 1994 by the American mathematician Peter Shor.$

Root of unity Number that has an integer power equal to 1

In mathematics, a root of unity, occasionally called a de Moivre number, is any complex number that yields 1 when raised to some positive integer power $n$ . Roots of unity are used in many branches of mathematics, and are especially important in number theory, the theory of group characters, and the discrete Fourier transform.

In mathematics, specifically number theory, Dirichlet characters are certain arithmetic functions which arise from completely multiplicative characters on the units of $. Dirichlet characters are used to define Dirichlet L -functions, which are meromorphic functions with a variety of interesting analytic properties.$

The Rabin cryptosystem is an asymmetric cryptographic technique, whose security, like that of RSA, is related to the difficulty of integer factorization. However the Rabin cryptosystem has the advantage that it has been mathematically proven to be computationally secure against a chosen-plaintext attack as long as the attacker cannot efficiently factor integers, while there is no such proof known for RSA. It has the disadvantage that each output of the Rabin function can be generated by any of four possible inputs; if each output is a ciphertext, extra complexity is required on decryption to identify which of the four possible inputs was the true plaintext.

The Paillier cryptosystem, invented by and named after Pascal Paillier in 1999, is a probabilistic asymmetric algorithm for public key cryptography. The problem of computing n-th residue classes is believed to be computationally difficult. The decisional composite residuosity assumption is the intractability hypothesis upon which this cryptosystem is based.

Hidden Fields Equations (HFE), also known as HFE trapdoor function, is a public key cryptosystem which was introduced at Eurocrypt in 1996 and proposed by (in French) Jacques Patarin following the idea of the Matsumoto and Imai system. It is based on polynomials over finite fields $of different size to disguise the relationship between the private key and public key. HFE is in fact a family which consists of basic HFE and combinatorial versions of HFE. The HFE family of cryptosystems is based on the hardness of the problem of finding solutions to a system of multivariate quadratic equations since it uses private affine transformations to hide the extension field and the private polynomials. Hidden Field Equations also have been used to construct digital signature schemes, e.g. Quartz and Sflash.$

The Goldwasser–Micali (GM) cryptosystem is an asymmetric key encryption algorithm developed by Shafi Goldwasser and Silvio Micali in 1982. GM has the distinction of being the first probabilistic public-key encryption scheme which is provably secure under standard cryptographic assumptions. However, it is not an efficient cryptosystem, as ciphertexts may be several hundred times larger than the initial plaintext. To prove the security properties of the cryptosystem, Goldwasser and Micali proposed the widely used definition of semantic security.

The Blum–Goldwasser (BG) cryptosystem is an asymmetric key encryption algorithm proposed by Manuel Blum and Shafi Goldwasser in 1984. Blum–Goldwasser is a probabilistic, semantically secure cryptosystem with a constant-size ciphertext expansion. The encryption algorithm implements an XOR-based stream cipher using the Blum-Blum-Shub (BBS) pseudo-random number generator to generate the keystream. Decryption is accomplished by manipulating the final state of the BBS generator using the private key, in order to find the initial seed and reconstruct the keystream.

Schoof's algorithm is an efficient algorithm to count points on elliptic curves over finite fields. The algorithm has applications in elliptic curve cryptography where it is important to know the number of points to judge the difficulty of solving the discrete logarithm problem in the group of points on an elliptic curve.

In cryptography the Rabin signature algorithm is a method of digital signature originally proposed by Michael O. Rabin in 1979. The Rabin signature algorithm was one of the first digital signature schemes proposed, and it is the only one to relate the hardness of forgery directly to the problem of integer factorization. The Rabin signature algorithm is existentially unforgeable in the random oracle model assuming the integer factorization problem is intractable. The Rabin signature algorithm is also closely related to the Rabin cryptosystem.

The Naccache–Stern cryptosystem is a homomorphic public-key cryptosystem whose security rests on the higher residuosity problem. The Naccache–Stern cryptosystem was discovered by David Naccache and Jacques Stern in 1998.

In cryptography, most public key cryptosystems are founded on problems that are believed to be intractable. The higher residuosity problem is one such problem. This problem is easier to solve than integer factorization, so the assumption that this problem is hard to solve is stronger than the assumption that integer factorization is hard.

The Okamoto–Uchiyama cryptosystem is a public key cryptosystem proposed in 1998 by Tatsuaki Okamoto and Shigenori Uchiyama. The system works in the multiplicative group of integers modulo n, $, where n is of the form p 2 q and p and q are large primes.$

In mathematics, particularly in the area of number theory, a modular multiplicative inverse of an integer $a$ is an integer $x$ such that the product $ax$ is congruent to 1 with respect to the modulus $m$ . In the standard notation of modular arithmetic this congruence is written as

Learning with errors (LWE) is the computational problem of inferring a linear $-ary function over a finite ring from given samples some of which may be erroneous. The LWE problem is conjectured to be hard to solve, and thus be useful in cryptography.$

In mathematics, elliptic curve primality testing techniques, or elliptic curve primality proving (ECPP), are among the quickest and most widely used methods in primality proving. It is an idea put forward by Shafi Goldwasser and Joe Kilian in 1986 and turned into an algorithm by A. O. L. Atkin the same year. The algorithm was altered and improved by several collaborators subsequently, and notably by Atkin and François Morain, in 1993. The concept of using elliptic curves in factorization had been developed by H. W. Lenstra in 1985, and the implications for its use in primality testing followed quickly.

In discrete mathematics, ideal lattices are a special class of lattices and a generalization of cyclic lattices. Ideal lattices naturally occur in many parts of number theory, but also in other areas. In particular, they have a significant place in cryptography. Micciancio defined a generalization of cyclic lattices as ideal lattices. They can be used in cryptosystems to decrease by a square root the number of parameters necessary to describe a lattice, making them more efficient. Ideal lattices are a new concept, but similar lattice classes have been used for a long time. For example cyclic lattices, a special case of ideal lattices, are used in NTRUEncrypt and NTRUSign.

Coppersmith's attack describes a class of cryptographic attacks on the public-key cryptosystem RSA based on the Coppersmith method. Particular applications of the Coppersmith method for attacking RSA include cases when the public exponent e is small or when partial knowledge of the secret key is available.

The Wiener's attack, named after cryptologist Michael J. Wiener, is a type of cryptographic attack against RSA. The attack uses the continued fraction method to expose the private key d when d is small.

References

↑ Cohen, Josh; Ficsher, Michael (1985). A Robust and Verifiable Cryptographically Secure Election Scheme (PDF). Proceedings of 26th IEEE Symposium on Foundations of Computer Science. pp. 372–382.
↑ Benaloh, Josh (1987). Verifiable Secret-Ballot Elections (Ph.D. thesis) (PDF).
↑ Benaloh, Josh (1994). Dense Probabilistic Encryption (PDF). Workshop on Selected Areas of Cryptography. pp. 120–128.
↑ Fousse, Laurent; Lafourcade, Pascal; Alnuaimi, Mohamed (2011). "Benaloh's Dense Probabilistic Encryption Revisited". arXiv: 1008.2991 [cs.CR].

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[COHEN-FISCHER-1] Cohen, Josh; Ficsher, Michael (1985). A Robust and Verifiable Cryptographically Secure Election Scheme (PDF). Proceedings of 26th IEEE Symposium on Foundations of Computer Science. pp. 372–382.

[BENALOH-THESIS-2] Benaloh, Josh (1987). Verifiable Secret-Ballot Elections (Ph.D. thesis) (PDF).

[BENALOH-DPE-3] Benaloh, Josh (1994). Dense Probabilistic Encryption (PDF). Workshop on Selected Areas of Cryptography. pp. 120–128.

[ACRYPT-4] Fousse, Laurent; Lafourcade, Pascal; Alnuaimi, Mohamed (2011). "Benaloh's Dense Probabilistic Encryption Revisited". arXiv: 1008.2991 [cs.CR].