How to invent a new cryptosystem
Mihail-Iulian Plesa
Department of Computer Science, University of Bucharest, Bucharest, Romania
mihail-iulian.plesa@s.unibuc.ro
Abstract. In this article, we will see how a new cryptosystem can come to life. The article is structured like a fun tutorial on how to invent a secure cryptosystem. In Section 1 we provide some basic things that every decent cryptographer should know. In Section 2 we see how we can extend an existing cryptosystem. In Section 3 we analyze our cryptosystem and provide some mathematical proofs. The last section is for conclusions.
Keywords: Public Key Cryptography · Paillier · Tutorial.
1 Some basic crypto stuff
In this section, we present some basic ideas in cryptography. This section is made up of the specific prerequisites that are necessary for this paper. Although every cryptographer should know these sorts of things, we want this paper to be as self-contained as possible.
1.1 Hard problems
All public-key cryptosystems are based on some hard problems. By hard problem, we mean a problem for which no efficient (polynomial-time) solution is known. In this section, we list some well-known hard problems used by cryptographers.
1. Prime factorization
Given a natural number $N$, find all its prime divisors. We will denote this problem as FACT[N].
2. RSA problem
Given an RSA public key $(N, e)$ and a ciphertext $C \equiv P^e \pmod N$, find the plaintext $P$. We will denote this problem as RSA[N, e].
3. Quadratic residuosity problem
Given an RSA modulus $N$ and an integer $a$ with $\gcd(a, N) = 1$, decide whether there exists an integer $b$ such that $a \equiv b^2 \pmod N$. If such an integer exists, we call $a$ a quadratic residue modulo $N$. We will denote this problem as QR[N, a]. The problem is only hard for those $a$ whose Jacobi symbol $(a/N)$ equals $+1$: the Jacobi symbol can be computed without knowing the factors of $N$, and a value of $-1$ immediately shows that $a$ is not a residue.
4. Discrete logarithm problem
Given an RSA modulus $N$ and two integers $a$ and $b$ such that $a \equiv b^x \pmod N$, find the integer $x$. We will denote this problem as DL[N, a, b].
1.2 Some implications
1. FACT[N] → RSA[N, e]
An RSA modulus is generated as the product of two large prime numbers $p$ and $q$. If we know these numbers, we can easily compute Euler's totient function $\varphi(N)$ as in (1):
$$\varphi(N) = (p - 1)(q - 1) \qquad (1)$$
Given $\varphi(N)$ we can calculate the inverse of $e$ modulo $\varphi(N)$:
$$d \equiv e^{-1} \pmod{\varphi(N)} \qquad (2)$$
Once we have $d$ we can find the plaintext $P$ as in (3):
$$P \equiv C^d \pmod N \qquad (3)$$
The explanation is simple:
$$C^d = (P^e)^d = P^{ed} \qquad (4)$$
Since $ed \equiv 1 \pmod{\varphi(N)}$, we can write $ed = 1 + k\varphi(N)$ for some integer $k$, and then:
$$P^{ed} = P \cdot \left(P^{\varphi(N)}\right)^k \equiv P \cdot 1^k \equiv P \pmod N \qquad (5)$$
The basis of this argument is Euler's theorem, which states that for any integer $a$ such that $\gcd(a, N) = 1$ we have:
$$a^{\varphi(N)} \equiv 1 \pmod N \qquad (6)$$
(A plaintext with $\gcd(P, N) \neq 1$ also decrypts correctly, which one checks modulo $p$ and modulo $q$ separately with Fermat's little theorem; such a $P$ would reveal a factor of $N$ anyway.)
2. FACT[N] → QR[N, a]
If we know that $N = pq$, then we can easily determine whether $a$ is a quadratic residue modulo $N$ by checking, with Euler's criterion, that both of the following hold:
$$\text{(i)}\quad a^{\frac{p-1}{2}} \equiv 1 \pmod p \qquad\qquad \text{(ii)}\quad a^{\frac{q-1}{2}} \equiv 1 \pmod q$$
By the Chinese remainder theorem, $a$ is a square modulo $N$ exactly when it is a square modulo both $p$ and $q$; the left-hand sides above equal $-1$ for a non-residue.
3. FACT[N] → DL[N, a, b]
Strictly speaking, this implication is not known to hold: the factorization of $N$ only reduces DL[N, a, b] to discrete logarithms modulo $p$ and modulo $q$ (via the Chinese remainder theorem), and those are still hard problems in general. What we will need later is a special case of the problem in which the discrete log can be computed efficiently by anyone, with or without the factorization. First of all, recall the binomial expansion:
$$(1 + N)^x = \binom{x}{0} N^0 + \binom{x}{1} N^1 + \ldots + \binom{x}{x} N^x \qquad (7)$$
Since every term after the second one is a multiple of $N^2$, from (7) it results that:
$$(1 + N)^x \equiv 1 + Nx \pmod{N^2} \qquad (8)$$
If the base of the discrete log is $(1 + N)$ and we work modulo $N^2$, we can easily find $x$ (the discrete log) as in (9):
$$x = \frac{\left((1 + N)^x \bmod N^2\right) - 1}{N} \qquad (9)$$
Note that (9) yields $x \bmod N$ (the element $1 + N$ has order $N$ modulo $N^2$), so it recovers $x$ exactly whenever $0 \le x < N$. Note also that if we work modulo $N$ (as in most cryptosystems) we could not find the discrete logarithm this way, because $(1 + N)^x$ is simply $1$ modulo $N$.
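As an added example, not part of the original paper, the following Python runs the three implications of this subsection on constructed values: the primes `P`, `Q`, the RSA exponent and the messages are toy parameters chosen here for illustration and are far too small for real use.

```python
from math import gcd

# Constructed toy primes for the demonstration (far too small for real use).
P, Q = 10007, 10009
N = P * Q


def rsa_decrypt_with_factors(c, e, p, q):
    """FACT[N] -> RSA[N, e]: knowing p and q gives phi(N), hence d = e^-1 mod phi(N)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo phi(N)")
    d = pow(e, -1, phi)   # modular inverse (Python >= 3.8)
    return pow(c, d, n)   # P = C^d mod N, by (5) and Euler's theorem (6)


def is_quadratic_residue(a, p, q):
    """FACT[N] -> QR[N, a]: Euler's criterion modulo each prime factor.

    a is a square modulo N = pq exactly when it is a square modulo both p and q.
    """
    if gcd(a, p * q) != 1:
        raise ValueError("a must be coprime to N")
    return pow(a, (p - 1) // 2, p) == 1 and pow(a, (q - 1) // 2, q) == 1


def dlog_base_1_plus_n(t, n):
    """Special-case discrete log of equation (9): t = (1+N)^x mod N^2 -> x mod N.

    By (8), t = 1 + N*x (mod N^2), so t - 1 is an exact multiple of N.
    No secret is involved: anyone holding N can do this.
    """
    t %= n * n
    if (t - 1) % n != 0:
        raise ValueError("t is not a power of 1+N modulo N^2")
    return (t - 1) // n


def demo():
    """Runs the three implications on constructed values and reports what they recover."""
    e, msg = 65537, 123456789 % N
    c = pow(msg, e, N)
    rsa_ok = rsa_decrypt_with_factors(c, e, P, Q) == msg

    # 12345^2 is a residue by construction; -1 is not, because P = 3 (mod 4).
    square, non_square = pow(12345, 2, N), N - 1
    qr_results = (is_quadratic_residue(square, P, Q),
                  is_quadratic_residue(non_square, P, Q))

    x = 424242
    t = pow(1 + N, x, N * N)     # modulo N^2 the exponent is recoverable ...
    t_mod_n = pow(1 + N, x, N)   # ... modulo N it is simply 1 (no information)
    return rsa_ok, qr_results, dlog_base_1_plus_n(t, N) == x, t_mod_n
```

`demo()` returns `(True, (True, False), True, 1)`: RSA decryption works once the factors are known, Euler's criterion separates a square from $-1$, and the base-$(1+N)$ logarithm is recovered modulo $N^2$ while the same value modulo $N$ carries no information.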
1.3 The Goldwasser-Micali cryptosystem
The cryptosystem is based on the QR[N, a] problem. It is the first probabilistic encryption scheme. The public key consists of an RSA modulus $N$, generated as the product of two large prime numbers $p$ and $q$, and an integer $x$ that is not a quadratic residue modulo $N$. More precisely, $x$ must be a non-residue modulo both $p$ and $q$, so that its Jacobi symbol $(x/N)$ is $+1$: if $x$ were a residue modulo one prime and a non-residue modulo the other, its Jacobi symbol would be $-1$, and anyone could read each encrypted bit off the Jacobi symbol of the ciphertext without knowing the factors. The secret key consists of $p$ and $q$.
To encrypt a plaintext message $m$, we first encode it as a string of bits $m = (m_1, m_2, \ldots, m_n)$. Then for every bit $m_i$ we generate a random number $y_i$ such that $\gcd(y_i, N) = 1$. The encrypted bit $c_i$ is calculated as:
$$c_i \equiv y_i^2 \, x^{m_i} \pmod N$$
If $m_i$ is 0, $c_i$ will be a quadratic residue modulo $N$. If $m_i$ is 1, $c_i$ will not be a quadratic residue modulo $N$ (because $c_i$ is the product of a quadratic residue, $y_i^2$, and a non-residue, $x$).
To decrypt the ciphertext, which is the string of numbers $c = (c_1, c_2, \ldots, c_n)$ generated above, we determine whether each $c_i$ is a quadratic residue modulo $N$. We can do that easily because we know the secret key (Euler's criterion modulo $p$, as in Section 1.2).
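The following Python is an added example, not code from the original paper: it implements the bit-by-bit scheme on constructed toy primes (`P`, `Q` are illustration values, far too small for real use) and shows why the public $x$ must have Jacobi symbol $+1$. `gm_public_x(..., jacobi_plus_one=False)` deliberately builds a mis-generated key whose $x$ is a non-residue modulo $p$ only; the key holder can still decrypt, but so can anyone with the public modulus.

```python
import secrets
from math import gcd

# Constructed toy primes (far too small for real use). The secret key is (P, Q).
P, Q = 10007, 10009
N = P * Q


def euler_criterion(a, p):
    """Returns 1 if a is a quadratic residue modulo the odd prime p, p-1 (i.e. -1) otherwise."""
    return pow(a % p, (p - 1) // 2, p)


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed with no knowledge of n's factors."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:            # pull out factors of two
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def gm_public_x(p, q, jacobi_plus_one=True):
    """Picks the public non-residue x.

    A correct key uses an x that is a non-residue modulo *both* primes (Jacobi symbol +1).
    With jacobi_plus_one=False we deliberately pick a non-residue modulo p only: it is still
    'not a square modulo N', but its Jacobi symbol is -1 (the broken variant).
    """
    for x in range(2, p * q):
        non_residue_mod_p = euler_criterion(x, p) == p - 1
        non_residue_mod_q = euler_criterion(x, q) == q - 1
        if non_residue_mod_p and (non_residue_mod_q if jacobi_plus_one else not non_residue_mod_q):
            return x
    raise RuntimeError("no suitable x found")


def gm_encrypt(n, x, bits):
    """Encrypts each bit b as y^2 * x^b mod N with a fresh random y coprime to N."""
    out = []
    for b in bits:
        y = 0
        while gcd(y, n) != 1:
            y = secrets.randbelow(n)
        out.append(pow(y, 2, n) * pow(x, b, n) % n)
    return out


def gm_decrypt(p, q, cts):
    """With x a non-residue mod both primes, c is a residue mod N iff it is a residue mod p."""
    return [0 if euler_criterion(c, p) == 1 else 1 for c in cts]


def jacobi_attack(n, cts):
    """Key-less 'decryption': correct only when the public x has Jacobi symbol -1."""
    return [0 if jacobi(c, n) == 1 else 1 for c in cts]


def demo(bits=(1, 0, 1, 1, 0, 0, 1, 0)):
    """Round-trips the bits with a good key and shows the leak with a bad one."""
    bits = list(bits)
    x_good = gm_public_x(P, Q, jacobi_plus_one=True)
    x_bad = gm_public_x(P, Q, jacobi_plus_one=False)
    good_cts = gm_encrypt(N, x_good, bits)
    bad_cts = gm_encrypt(N, x_bad, bits)
    return {
        "good_roundtrip": gm_decrypt(P, Q, good_cts) == bits,
        "bad_roundtrip": gm_decrypt(P, Q, bad_cts) == bits,    # the owner can still decrypt
        "good_key_leaks": jacobi_attack(N, good_cts) == bits,  # every c has Jacobi symbol +1
        "bad_key_leaks": jacobi_attack(N, bad_cts) == bits,    # Jacobi symbol equals (-1)^bit
        "jacobi_of_x": (jacobi(x_good, N), jacobi(x_bad, N)),
    }
```

With the correct key every ciphertext has Jacobi symbol $+1$ whatever the bit, so `jacobi_attack` learns nothing; with the mis-generated key the Jacobi symbol of $c_i$ is $(-1)^{m_i}$ and the whole message is public.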
1.4 Carmichael's theorem
This is a very useful theorem in cryptography. Let $N = pq$ with $p$ and $q$ distinct odd primes and let $\lambda = \operatorname{lcm}(p - 1, q - 1)$. Then for any integer $a$ coprime to $N$ we have:
$$a^{\lambda} \equiv 1 \pmod N \qquad (10)$$
($\lambda$ is the Carmichael function $\lambda(N)$, the smallest exponent with this property; it divides $\varphi(N)$.) Two consequences that we will use later, both valid for $0 < a < N^2$ with $\gcd(a, N) = 1$, are:
$$a^{\lambda} \equiv 1 \pmod N \qquad (11)$$
$$a^{N\lambda} \equiv 1 \pmod{N^2} \qquad (12)$$
(12) holds because $\lambda(N^2) = \operatorname{lcm}(p(p - 1), q(q - 1))$ divides $N\lambda$.
2 Extending the Goldwasser-Micali cryptosystem
An obvious problem with the Goldwasser-Micali cryptosystem is efficiency: to encrypt a plaintext message $m$, we have to encrypt every bit of it separately, so the ciphertext is about $\log_2 N$ times longer than the plaintext. In this section, we will see how to solve this problem by extending the Goldwasser-Micali scheme to a new cryptosystem. We will try to explain every step in the process intuitively.
The first natural idea to solve the above problem is to encrypt the entire plaintext message $m$ at once. We do not yet have reasons to change the general scheme
of the cryptosystem, so to encrypt the entire message we will generate a random number $y$, just as in the Goldwasser-Micali cryptosystem, and we will encrypt our message as $c \equiv y^2 x^m \pmod N$. We can no longer use the same decryption mechanism as in the Goldwasser-Micali scheme (because $m$ is now a number, not a bit), so we must find a way to decrypt our ciphertext.
The first problem is the value of $y$. In the Goldwasser-Micali cryptosystem, this value is not required for decryption because the actual value of $c$ does not matter; what matters is whether $c$ is a quadratic residue modulo $N$. There are two possible scenarios:
1. We transmit the value of $y$ along with the ciphertext. To decrypt, one multiplies the ciphertext by $y^{-2}$ and recovers $x^m$.
2. We use (11). We raise the ciphertext $c$ to the power $\lambda$, obtaining:
$$c^{\lambda} = y^{2\lambda} x^{m\lambda} \qquad (13)$$
Since $\gcd(y, N) = 1$, (11) gives $y^{2\lambda} = (y^{\lambda})^2 \equiv 1 \pmod N$. Thus, reducing $c^{\lambda}$ modulo $N$ we recover $x^{m\lambda}$; the extra factor $\lambda$ in the exponent is a known secret-key quantity that we will remove at the end.
In both cases, we recover a value of the form $x^m$ (or $x^{m\lambda}$). Let us denote this value by $T$. So, we know $T$ and $x$ and we have to determine $m$ such that $T \equiv x^m \pmod N$. This is exactly the DL[N, a, b] problem with $a = T$ and $b = x$. We know from the previous section that no efficient algorithm is known for this problem unless we use some special case like the one illustrated above. However, if we use a special case of the discrete log problem, we cannot transmit $y$, because everyone would be able to find our plaintext message $m$ by multiplying the ciphertext by $y^{-2}$ and then using the special case of the discrete log problem to find $m$. So, we must deal with $y$ using Carmichael's theorem. We saw that to use the special case for the discrete log we must work modulo $N^2$. If we do this, we can no longer use (11). Luckily for us, Carmichael's theorem also gives (12), which works modulo $N^2$. To use (12), we must adapt our encryption scheme. Instead of encrypting the message as $y^2 x^m \pmod N$ we will compute the ciphertext $c$ as:
$$c \equiv y^N x^m \pmod{N^2} \qquad (14)$$
That is because in (12) we have $N$ in the exponent, not 2. In this way, we can recover $x^{m\lambda}$ by calculating $c^{\lambda} \pmod{N^2}$. That works because
$$c^{\lambda} \equiv y^{\lambda N} x^{\lambda m} \equiv x^{\lambda m} \pmod{N^2},$$
remembering (12): $y^{N\lambda} \equiv 1 \pmod{N^2}$. The factor $\lambda$ left in the exponent will be removed at the end by multiplying with $\lambda^{-1} \bmod N$, which exists as long as $\gcd(\lambda, N) = 1$.
As we said above, to find the plaintext message $m$ we must use the special case of the discrete log problem, that is, $x$ must be equal to $N + 1$. Putting it all together, our encryption scheme looks like this:
1. Key generation:
Just as in the Goldwasser-Micali encryption scheme, we generate an RSA modulus $N$ as the product of two large prime numbers $p$ and $q$. The public key is $N$ (unlike Goldwasser-Micali encryption we no longer need to publish $x$, because in our case $x = N + 1$ is fixed). The secret key is represented by the prime numbers $p$ and $q$, or equivalently by $\lambda = \operatorname{lcm}(p - 1, q - 1)$. Decryption will need $\lambda^{-1} \bmod N$, so we require $\gcd(\lambda, N) = 1$; this holds automatically when $p$ and $q$ have the same bit length.
2. Encryption:
To encrypt a plaintext message $m$ with $0 \le m < N$, we generate a random number $y$ modulo $N$ such that $\gcd(y, N) = 1$ (just like in the Goldwasser-Micali scheme). The ciphertext $c$ is calculated as:
$$c \equiv y^N (N + 1)^m \pmod{N^2} \qquad (15)$$
3. Decryption:
To recover the plaintext message $m$, first we calculate:
$$c^{\lambda} \equiv y^{N\lambda} (N + 1)^{m\lambda} \equiv (N + 1)^{m\lambda} \pmod{N^2} \qquad (16)$$
Since this is a special case of the discrete log problem, (9) gives us $m\lambda$ modulo $N$:
$$m\lambda \equiv \frac{\left(c^{\lambda} \bmod N^2\right) - 1}{N} \pmod N \qquad (17)$$
(the numerator is an exact multiple of $N$ by (8)). From this point, we recover the plaintext message $m$ by computing:
$$m \equiv \left( \frac{\left(c^{\lambda} \bmod N^2\right) - 1}{N} \right) \cdot \lambda^{-1} \pmod N \qquad (18)$$
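As an added worked example, not from the original paper, here is the scheme run by hand on toy primes $p = 5$, $q = 7$ (far too small for real use), with the symbols of (15)-(18):
$$N = 35,\qquad N^2 = 1225,\qquad \lambda = \operatorname{lcm}(4, 6) = 12,\qquad \lambda^{-1} \equiv 3 \pmod{35}\ \text{ since } 12 \cdot 3 = 36 \equiv 1.$$
Encrypt $m = 9$ with $y = 2$ (coprime to $35$), using (15) and (8):
$$2^{35} \equiv 18,\qquad 36^{9} \equiv 1 + 35 \cdot 9 = 316,\qquad c \equiv 18 \cdot 316 = 5688 \equiv 788 \pmod{1225}.$$
Decrypt with (16): $N\lambda = 420$ is exactly $\lambda(1225) = \operatorname{lcm}(20, 42)$, so (12) kills the $y$ part, and
$$c^{12} \equiv 2^{420} \cdot 36^{108} \equiv 1 \cdot (1 + 35 \cdot 108) \equiv 1 + 3780 \equiv 106 \pmod{1225}.$$
Then (17) and (18):
$$\frac{106 - 1}{35} = 3 \equiv m\lambda \pmod{35},\qquad m \equiv 3 \cdot \lambda^{-1} \equiv 3 \cdot 3 = 9 \pmod{35}.$$
Note that $3 = 108 \bmod 35 = (m\lambda) \bmod 35$, as (17) promises: the $L$-style division only ever returns the exponent modulo $N$.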
3 The analysis of the proposed cryptosystem
In the first part of this section, we will investigate the security of our cryptosystem. In the second part, we will explore some cryptographic properties of the proposed scheme.
3.1 The security of the cryptosystem
All the strength of our cryptosystem lies in the assumption that, given a ciphertext $c$ calculated as $c \equiv y^N (N + 1)^m \pmod{N^2}$, nobody can efficiently calculate the plaintext $m$. Although we do not have a mathematical proof that this is indeed a hard problem (i.e. a problem for which no polynomial-time solution is known), we can prove some implications between well-known hard problems and this problem. We denote this problem as MP[N]: given $c$ computed as $c \equiv y^N (N + 1)^m \pmod{N^2}$, find $m$.
1. FACT[N] → MP[N]
If we know the factorization of $N$, i.e. the primes $p$ and $q$ such that $N = pq$, we can easily compute $\lambda = \operatorname{lcm}(p - 1, q - 1)$ as:
$$\lambda = \frac{(p - 1)(q - 1)}{\gcd(p - 1, q - 1)} \qquad (19)$$
Given $\lambda$ we can recover $m$ using (18).
2. RSA[N, N] → MP[N]
Remember from (8) that $(N + 1)^m \equiv 1 \pmod N$, so $y^N (N + 1)^m \equiv y^N \pmod N$. If we reduce $c$ modulo $N$ and denote the result by $c'$, we get:
$$c' \equiv y^N \pmod N \qquad (20)$$
Getting $y$ given $c'$ is exactly the RSA[N, N] problem, i.e. the RSA problem with public exponent $e = N$ (a valid exponent precisely when $\gcd(N, \varphi(N)) = 1$, which our key generation guarantees). So if we know how to solve RSA[N, N] we can determine $y$ and therefore $y^{-N} \bmod N^2$. Given this information we can compute:
$$c \, y^{-N} \equiv y^N y^{-N} (N + 1)^m \equiv (N + 1)^m \pmod{N^2} \qquad (21)$$
If we know $(N + 1)^m \pmod{N^2}$ we can find $m$ using (9).
Note, however, that we have not demonstrated the converse, MP[N] → RSA[N, N]. That means it is possible, as far as we know, that an efficient algorithm solves MP[N] without solving the RSA problem (the same gap exists for other hard problems: it is still an open problem whether RSA[N, e] → FACT[N], i.e. whether breaking RSA is as hard as factoring).
We proved that some well-known hard problems imply our problem. This is not sufficient for a modern cryptographic scheme. Every decent cryptosystem should be semantically secure. That means that if we have two plaintext messages $m_0$ and $m_1$ and one ciphertext $c$ (encrypting one of the two messages), we could not tell whether $c$ is the encryption of $m_0$ or of $m_1$ with probability noticeably better than guessing. In the Goldwasser-Micali scheme, if $c$ is the encryption of $m_0$ then $c \, x^{m_0}$ is a quadratic residue modulo $N$, and otherwise it is not (since the Goldwasser-Micali scheme works on bits, we suppose in this case that $m$ is just one bit long). We assume that QR[N, a] is a hard problem, so we cannot tell whether $c \, x^{m_0}$ is a quadratic residue or not. Thus, we cannot find whether $c$ is the encryption of $m_0$ or $m_1$.
By analogy, we can introduce a new decisional problem, denoted D-MP[N, a], very similar to QR[N, a]. D-MP[N, a] is the problem of deciding whether there exists an integer $b$ such that $a \equiv b^N \pmod{N^2}$; in our scheme, $c$ encrypts $m_0$ exactly when $c \, (N + 1)^{-m_0}$ is such an $N$-th power. We cannot be sure that D-MP[N, a] is a hard problem, just as we are not sure that QR[N, a] is a hard problem (no efficient algorithm has been found for a long time, but we still do not have a mathematical proof that the problem is indeed hard). The only difference between the two is that QR[N, a] has been studied for a very long time, while D-MP[N, a] has just been defined.
3.2 A cool property
Let $c_0$ be the encryption of $m_0$ and $c_1$ the encryption of $m_1$:
$$c_0 \equiv y_0^N (N + 1)^{m_0} \pmod{N^2} \qquad (22)$$
$$c_1 \equiv y_1^N (N + 1)^{m_1} \pmod{N^2} \qquad (23)$$
If we multiply the two ciphertexts we get:
$$c_{mul} \equiv (y_0 y_1)^N (N + 1)^{m_0 + m_1} \pmod{N^2} \qquad (24)$$
It is obvious that $c_{mul}$ is an encryption of the sum $m_0 + m_1 \bmod N$ (with randomness $y_0 y_1$). This means that our scheme is homomorphic with respect to addition.
Further, if we raise $c_0$ to the power $k$ we get:
$$c_0^k \equiv y_0^{kN} (N + 1)^{k m_0} \pmod{N^2} \qquad (25)$$
This is an encryption of $k m_0 \bmod N$, so our scheme is homomorphic with respect to multiplication by a constant.
The same property is also a warning: anyone can turn a valid ciphertext into a different valid ciphertext of a related plaintext without knowing the key, so the scheme is malleable and cannot, on its own, be secure against chosen-ciphertext attacks. Where that matters, the ciphertext must be authenticated or wrapped in a non-malleable construction.
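The following Python is an added example, not code from the original paper; it serves both the scheme of Section 2 (equations (15)-(18)) and this section (the reduction (20)-(21) and the homomorphisms (24)-(25)). The primes, messages and the fixed randomness in `demo()` are constructed toy values, far too small for real use; `lcm_via_19` follows equation (19).

```python
import secrets
from math import gcd


def lcm_via_19(p, q):
    """lambda = (p-1)(q-1) / gcd(p-1, q-1), as in equation (19)."""
    return (p - 1) * (q - 1) // gcd(p - 1, q - 1)


def paillier_keygen(p, q):
    """Builds (N, lambda) from two constructed primes and checks the condition (18) relies on."""
    n, lam = p * q, lcm_via_19(p, q)
    if gcd(lam, n) != 1:
        raise ValueError("lambda must be invertible modulo N (use primes of equal length)")
    return n, lam


def L(u, n):
    """The division of (9)/(17): (u - 1) / N, exact whenever u = 1 (mod N)."""
    if (u - 1) % n != 0:
        raise ValueError("u is not 1 modulo N")
    return (u - 1) // n


def encrypt(n, m, y=None):
    """Equation (15): c = y^N (1+N)^m mod N^2, with y random and coprime to N unless given."""
    if not 0 <= m < n:
        raise ValueError("message must lie in [0, N)")
    while y is None or gcd(y, n) != 1:
        y = secrets.randbelow(n)
    n2 = n * n
    return pow(y, n, n2) * pow(1 + n, m, n2) % n2   # (1+N)^m is 1 + N*m by (8)


def decrypt(n, lam, c):
    """Equations (16)-(18): c^lambda = (1+N)^{m lambda} mod N^2, then L and lambda^{-1}."""
    u = pow(c, lam, n * n)                # the y^{N lambda} factor vanishes by (12)
    return L(u, n) * pow(lam, -1, n) % n


def add_encrypted(n, c0, c1):
    """Equation (24): the product of two ciphertexts encrypts m0 + m1 (mod N)."""
    return c0 * c1 % (n * n)


def scale_encrypted(n, c, k):
    """Equation (25): the k-th power of a ciphertext encrypts k * m (mod N)."""
    return pow(c, k, n * n)


def recover_m_knowing_y(n, c, y):
    """The RSA[N, N] -> MP[N] reduction: once y is known, (21) strips y^N and (9) gives m."""
    n2 = n * n
    t = c * pow(y, -n, n2) % n2           # (21): c * y^{-N} = (1+N)^m mod N^2
    return L(t, n)                        # (9): discrete log to base 1+N, no secret needed


def demo():
    """Runs the scheme on constructed toy primes and returns the outcome of each check."""
    # Constructed primes of equal bit length (far too small for real use), so gcd(lambda, N) = 1.
    n, lam = paillier_keygen(10007, 10009)
    m0, m1, k = 123456, 654321, 17
    c0, c1 = encrypt(n, m0), encrypt(n, m1)
    return {
        "roundtrip": decrypt(n, lam, c0) == m0,
        "fresh_randomness": c0 != encrypt(n, m0),   # probabilistic: same m, different c
        "homomorphic_add": decrypt(n, lam, add_encrypted(n, c0, c1)) == (m0 + m1) % n,
        "homomorphic_scale": decrypt(n, lam, scale_encrypted(n, c0, k)) == (k * m0) % n,
        "leaks_if_y_known": recover_m_knowing_y(n, encrypt(n, m0, y=12345), 12345) == m0,
    }
```

The `leaks_if_y_known` check is the reason Section 2 refuses to transmit $y$: with $y$ in hand, no factor of $N$ is needed to read $m$. The two homomorphic checks pass by construction, which is exactly the malleability noted above: `add_encrypted` and `scale_encrypted` are run here by a party holding only the public $N$.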
4 Conclusions
In this tutorial, we showed the process by which a cryptographic scheme is born. We did not invent a new cryptosystem: "our scheme" from above is the well-known Paillier encryption scheme [2] (with the generator fixed to $g = N + 1$), and the decisional problem D-MP[N, a] of Section 3.1 is its decisional composite residuosity assumption. We wanted to show that there is no magic in inventing a new cryptosystem. All the math behind it is quite scary at first glance, but the actual process is natural and intuitive. All we did was identify a problem with an existing encryption scheme and then solve that problem step by step.
References
1. Hoffstein, J., Pipher, J., Silverman, J.H.: An Introduction to Mathematical Cryptography. Springer (2008)
2. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: International Conference on the Theory and Applications of Cryptographic Techniques, pp. 223–238. Springer (1999)

More Related Content

Similar to How to Invent a New Cryptosystem

RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2Fahad Layth
 
1982 - Probabilistic Encryption & How To Play Mental Poker Keeping Secret All...
1982 - Probabilistic Encryption & How To Play Mental Poker Keeping Secret All...1982 - Probabilistic Encryption & How To Play Mental Poker Keeping Secret All...
1982 - Probabilistic Encryption & How To Play Mental Poker Keeping Secret All...decentralizeeverything
 
Exact Matrix Completion via Convex Optimization Slide (PPT)
Exact Matrix Completion via Convex Optimization Slide (PPT)Exact Matrix Completion via Convex Optimization Slide (PPT)
Exact Matrix Completion via Convex Optimization Slide (PPT)Joonyoung Yi
 
RSA final notation change2
RSA final notation change2RSA final notation change2
RSA final notation change2Coleman Gorham
 
An Introduction to RSA Public-Key Cryptography
An Introduction to RSA Public-Key CryptographyAn Introduction to RSA Public-Key Cryptography
An Introduction to RSA Public-Key CryptographyDavid Boyhan, JD, CIPP
 
DAA - UNIT 4 - Engineering.pptx
DAA - UNIT 4 - Engineering.pptxDAA - UNIT 4 - Engineering.pptx
DAA - UNIT 4 - Engineering.pptxvaishnavi339314
 
Spreading Rumors Quietly and the Subgroup Escape Problem
Spreading Rumors Quietly and the Subgroup Escape ProblemSpreading Rumors Quietly and the Subgroup Escape Problem
Spreading Rumors Quietly and the Subgroup Escape ProblemAleksandr Yampolskiy
 
The Mathematics of RSA Encryption
The Mathematics of RSA EncryptionThe Mathematics of RSA Encryption
The Mathematics of RSA EncryptionNathan F. Dunn
 
A comparative analysis of the possible attacks on rsa cryptosystem
A comparative analysis of the possible attacks on rsa cryptosystemA comparative analysis of the possible attacks on rsa cryptosystem
A comparative analysis of the possible attacks on rsa cryptosystemIAEME Publication
 
01 - DAA - PPT.pptx
01 - DAA - PPT.pptx01 - DAA - PPT.pptx
01 - DAA - PPT.pptxKokilaK25
 
Presentation on Cryptography_Based on IEEE_Paper
Presentation on Cryptography_Based on IEEE_PaperPresentation on Cryptography_Based on IEEE_Paper
Presentation on Cryptography_Based on IEEE_PaperNithin Cv
 
A Comparison Of Methods For Solving MAX-SAT Problems
A Comparison Of Methods For Solving MAX-SAT ProblemsA Comparison Of Methods For Solving MAX-SAT Problems
A Comparison Of Methods For Solving MAX-SAT ProblemsKarla Adamson
 
Implementation of bpsc stegnography ( synopsis)
Implementation of bpsc stegnography ( synopsis)Implementation of bpsc stegnography ( synopsis)
Implementation of bpsc stegnography ( synopsis)Mumbai Academisc
 

Similar to How to Invent a New Cryptosystem (20)

RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2RSA-W7(rsa) d1-d2
RSA-W7(rsa) d1-d2
 
Rsa cryptosystem
Rsa cryptosystemRsa cryptosystem
Rsa cryptosystem
 
RSA without Padding
RSA without PaddingRSA without Padding
RSA without Padding
 
Rsa
RsaRsa
Rsa
 
1982 - Probabilistic Encryption & How To Play Mental Poker Keeping Secret All...
1982 - Probabilistic Encryption & How To Play Mental Poker Keeping Secret All...1982 - Probabilistic Encryption & How To Play Mental Poker Keeping Secret All...
1982 - Probabilistic Encryption & How To Play Mental Poker Keeping Secret All...
 
Exact Matrix Completion via Convex Optimization Slide (PPT)
Exact Matrix Completion via Convex Optimization Slide (PPT)Exact Matrix Completion via Convex Optimization Slide (PPT)
Exact Matrix Completion via Convex Optimization Slide (PPT)
 
Rsa
RsaRsa
Rsa
 
RSA final notation change2
RSA final notation change2RSA final notation change2
RSA final notation change2
 
An Introduction to RSA Public-Key Cryptography
An Introduction to RSA Public-Key CryptographyAn Introduction to RSA Public-Key Cryptography
An Introduction to RSA Public-Key Cryptography
 
DAA - UNIT 4 - Engineering.pptx
DAA - UNIT 4 - Engineering.pptxDAA - UNIT 4 - Engineering.pptx
DAA - UNIT 4 - Engineering.pptx
 
Chapter 8 v6.0
Chapter 8 v6.0Chapter 8 v6.0
Chapter 8 v6.0
 
Spreading Rumors Quietly and the Subgroup Escape Problem
Spreading Rumors Quietly and the Subgroup Escape ProblemSpreading Rumors Quietly and the Subgroup Escape Problem
Spreading Rumors Quietly and the Subgroup Escape Problem
 
Rsa rivest shamir adleman
Rsa rivest shamir adlemanRsa rivest shamir adleman
Rsa rivest shamir adleman
 
Daa notes 2
Daa notes 2Daa notes 2
Daa notes 2
 
The Mathematics of RSA Encryption
The Mathematics of RSA EncryptionThe Mathematics of RSA Encryption
The Mathematics of RSA Encryption
 
A comparative analysis of the possible attacks on rsa cryptosystem
A comparative analysis of the possible attacks on rsa cryptosystemA comparative analysis of the possible attacks on rsa cryptosystem
A comparative analysis of the possible attacks on rsa cryptosystem
 
01 - DAA - PPT.pptx
01 - DAA - PPT.pptx01 - DAA - PPT.pptx
01 - DAA - PPT.pptx
 
Presentation on Cryptography_Based on IEEE_Paper
Presentation on Cryptography_Based on IEEE_PaperPresentation on Cryptography_Based on IEEE_Paper
Presentation on Cryptography_Based on IEEE_Paper
 
A Comparison Of Methods For Solving MAX-SAT Problems
A Comparison Of Methods For Solving MAX-SAT ProblemsA Comparison Of Methods For Solving MAX-SAT Problems
A Comparison Of Methods For Solving MAX-SAT Problems
 
Implementation of bpsc stegnography ( synopsis)
Implementation of bpsc stegnography ( synopsis)Implementation of bpsc stegnography ( synopsis)
Implementation of bpsc stegnography ( synopsis)
 

Recently uploaded

result management system report for college project
result management system report for college projectresult management system report for college project
result management system report for college projectTonystark477637
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Call Girls in Nagpur High Profile
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxAsutosh Ranjan
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingrakeshbaidya232001
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM.        DIMENSIONAL ANALYSISUNIT-III FMM.        DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISrknatarajan
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escortsranjana rawat
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations120cr0395
 
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...roncy bisnoi
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escortsranjana rawat
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxupamatechverse
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...ranjana rawat
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSSIVASHANKAR N
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performancesivaprakash250
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduitsrknatarajan
 

Recently uploaded (20)

result management system report for college project
result management system report for college projectresult management system report for college project
result management system report for college project
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptx
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writing
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM.        DIMENSIONAL ANALYSISUNIT-III FMM.        DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSIS
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations
 
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptx
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
 
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performance
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduits
 

How to Invent a New Cryptosystem

  • 1. How to invent a new cryptosystem Mihail-Iulian Ples , a1 Department of Computer Science, University of Bucharest, Bucharest, Romania mihail-iulian.plesa@s.unibuc.ro Abstract. In this article, we will see how a new cryptosystem can come to life. The article is structured like a fun tutorial on how to invent a secure cryptosystem. In Section 1 we will provide some basic things that every decent cryptographer should know. In Section 2 we will see how we can expand an existing cryptosystem. In Section 3 we will analyze our cryptosystem and provide some mathematical proofs. The last section is for conclusions. Keywords: Public Key Cryptography · Paillier · Tutorial. 1 Some basic crypto stuff In this section, we will present some basic ideas in cryptography. This section is made up of specific prerequisites that are necessary for this paper. Although every cryptographer should know these sorts of things, we want this paper to be as independent as possible. 1.1 Hard problems All public-key cryptosystems are based on some hard problems. By hard prob- lem, we mean a problem for which no efficient solution is known. In this section, we list some well-known hard problems used by cryptographers. 1. Prime factorization Given N, a natural number, find all prime divisors of it. We will denote this problem as FACT[N]. 2. RSA problem Given an RSA public key, (N, e) and a ciphertext C ≡ Pe (mod N), find the plaintext P. We will denote this problem as RSA[N, e]. 3. Quadratic residuosity problem Given N, an RSA modulus and an integer a, find whether there exists an integer b such that a ≡ b2 (mod N). If such an integer exists, then we call a a quadratic residue modulo N. We will denote this problem as QR[N, a]. 4. Discrete logarithm problem Given N, an RSA modulus and two integers a and b such that a ≡ bx (mod N), find the integer x. We will denote this problem as DL[N, a, b].
  • 2. 2 Mihail Plesa 1.2 Some implications 1. FACT[N] → RSA[N, e] An RSA modulus is generated as the product of two large primes numbers p and q. If we know these numbers, we can easily compute Euler’s totient function, φ(N) as in (1): φ(N) = (p − 1)(q − 1) (1) Given φ(N) we can calculate the inverse of e modulo φ(N): d ≡ e−1 (mod φ(N)) (2) Once we have d we can find the plaintext P as in (3): P ≡ Cd (mod N)) (3) The explanation is simple: Cd = (Pe )d = Ped (4) Since ed ≡ 1 (mod φ(N)) then: Ped ≡ Pφ(N) ≡ P1 (mod N) (5) The basis of this argument is Euler’s theorem which states that for any integer a such that gcd(a, N) = 1 we have: aφ (N) ≡ 1 (mod N) (6) 2. FACT[N] → QR[N, a] If we know that N = pq then we can easily determine whether a is a quadratic residue modulo N by simply checking if: (i) (a mod p) p−1 2 ≡ 1(mod p) (ii) (a mod q) q−1 2 ≡ 1(mod q) 3. FACT[N] → DL[N, a, b] This is a little bit harder to prove in a few rows. However, we will explain a special case of the problem that allows the calculation of the discrete log efficiently. First of all, recall that: (1 + N)x = x 0 N0 + x 1 N1 + . . . + x x Nx (7) Since any term that succeeds the second term is a multiple of N2 , from (7) results that: (1 + N)x ≡ (1 + Nx) (mod N2 ) (8)
If the base of the discrete log is (1 + N) and we work modulo N^2, we can easily find x (the discrete log) as in (9):

$$x = \frac{\left((1+N)^x \bmod N^2\right) - 1}{N} \qquad (9)$$

Note that if we worked modulo N (as most cryptosystems do) we could not find the discrete logarithm, because (1 + N)^x is simply 1 modulo N.

1.3 The Goldwasser-Micali cryptosystem

The cryptosystem is based on the QR[N, a] problem. It is the first probabilistic encryption scheme. The public key consists of an RSA modulus N, generated as the product of two large prime numbers p and q, and an integer x that is not a quadratic residue modulo N. The secret key consists of p and q.

To encrypt a plaintext message m, we first encode it as a string of bits $m = (m_1, m_2, \dots, m_n)$. Then for every bit $m_i$ we generate a random number $y_i$ such that $\gcd(y_i, N) = 1$. The encrypted bit $c_i$ is calculated as $c_i \equiv y_i^2 x^{m_i} \pmod N$. If $m_i$ is 0, then $c_i$ will be a quadratic residue modulo N. If $m_i$ is 1, then $c_i$ will not be a quadratic residue modulo N (because $c_i$ is the product of a quadratic residue, $y_i^2$, and a non-residue, x).

To decrypt the ciphertext, which is the string of numbers $c = (c_1, c_2, \dots, c_n)$ generated above, we determine whether each $c_i$ is a quadratic residue modulo N. We can do that easily because we know the secret key.

1.4 Carmichael's theorem

This is a very useful theorem in cryptography. It states that for any coprime numbers a and N we have:

$$a^{\lambda} \equiv 1 \pmod N \qquad (10)$$

Here, λ = lcm(p − 1, q − 1) and N = p · q, where p and q are both prime numbers. Some special cases that we will use later are the following equations:

$$a^{\lambda} \equiv 1 \pmod N, \qquad 0 < a < N^2 \qquad (11)$$

$$a^{N\lambda} \equiv 1 \pmod{N^2}, \qquad 0 < a < N^2 \qquad (12)$$

2 Extending the Goldwasser-Micali cryptosystem

An obvious problem with the Goldwasser-Micali cryptosystem is efficiency. To encrypt a plaintext message m, we have to encrypt every bit of it.
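The three reductions of Section 1.2, the special-case discrete log (9), the Carmichael identities (11) and (12) of Section 1.4, and the Goldwasser-Micali scheme of Section 1.3, worked in Python on a constructed toy modulus. This is an added example and not code from the paper; the primes 61 and 53, the RSA exponent 17 and every function name are assumptions chosen for readability, and a modulus of this size is of course not secure.

```python
from math import gcd
import secrets

# Constructed toy parameters for illustration only (assumption, not from the paper).
P, Q = 61, 53
N = P * Q          # 3233
E = 17


def rsa_decrypt_from_factors(C, e, p, q):
    """FACT[N] -> RSA[N, e]: with p and q known, derive d as in (2)
    and recover the plaintext as in (3)."""
    phi = (p - 1) * (q - 1)          # (1)
    d = pow(e, -1, phi)              # (2): modular inverse (Python 3.8+)
    return pow(C, d, p * q)          # (3)


def is_qr_from_factors(a, p, q):
    """FACT[N] -> QR[N, a]: Euler's criterion modulo each prime factor,
    i.e. the two checks (i) and (ii)."""
    return (pow(a % p, (p - 1) // 2, p) == 1 and
            pow(a % q, (q - 1) // 2, q) == 1)


def dlog_base_1_plus_N(t, N):
    """Special case of the discrete log with base 1+N modulo N^2:
    given t = (1+N)^x mod N^2, return x as in (9).  Works because
    (1+N)^x = 1 + Nx (mod N^2), see (8)."""
    if (t - 1) % N != 0:
        raise ValueError("t is not a power of 1+N modulo N^2")
    return ((t % (N * N)) - 1) // N


def carmichael_lambda(p, q):
    """lambda = lcm(p-1, q-1), written as (p-1)(q-1)/gcd(p-1, q-1)."""
    return (p - 1) * (q - 1) // gcd(p - 1, q - 1)


def carmichael_special_cases_hold(a, p, q):
    """Checks (11) and (12) for one unit a with 0 < a < N^2."""
    n, lam = p * q, carmichael_lambda(p, q)
    return pow(a, lam, n) == 1 and pow(a, n * lam, n * n) == 1


# Goldwasser-Micali (Section 1.3); decryption reuses is_qr_from_factors.
def gm_keygen(p, q):
    """Public key (N, x).  The text only asks for x to be a non-residue
    modulo N; here x is a non-residue modulo both p and q, the usual choice."""
    x = 2
    while pow(x, (p - 1) // 2, p) != p - 1 or pow(x, (q - 1) // 2, q) != q - 1:
        x += 1
    return (p * q, x), (p, q)


def gm_encrypt(pub, bits):
    """c_i = y_i^2 * x^{m_i} mod N with a fresh random unit y_i for each bit."""
    n, x = pub
    out = []
    for mi in bits:
        y = secrets.randbelow(n - 1) + 1
        while gcd(y, n) != 1:
            y = secrets.randbelow(n - 1) + 1
        out.append(pow(y, 2, n) * pow(x, mi, n) % n)
    return out


def gm_decrypt(priv, cts):
    """The bit is 0 exactly when c_i is a quadratic residue modulo N."""
    p, q = priv
    return [0 if is_qr_from_factors(c, p, q) else 1 for c in cts]


if __name__ == "__main__":
    C = pow(65, E, N)
    print("RSA plaintext recovered via factors:", rsa_decrypt_from_factors(C, E, P, Q))
    print("4 is a quadratic residue mod N:", is_qr_from_factors(4, P, Q))
    print("dlog of (1+N)^1234 mod N^2:", dlog_base_1_plus_N(pow(1 + N, 1234, N * N), N))
    pub, priv = gm_keygen(P, Q)
    print("Goldwasser-Micali round trip:", gm_decrypt(priv, gm_encrypt(pub, [1, 0, 1, 1, 0])))
```

Note that `dlog_base_1_plus_N` returns x modulo N, so (9) identifies x exactly only when x < N; this is the same restriction that later forces the plaintext space of the extended scheme to be the integers modulo N.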
In this section, we will see how to solve this problem by extending the Goldwasser-Micali scheme into a new cryptosystem. We will try to explain every step of the process intuitively. The first natural idea for solving the above problem is to encrypt the entire plaintext message m. We do not yet have reasons to change the general shape of the cryptosystem, so to encrypt the entire message we will generate a random number y, just as in the Goldwasser-Micali cryptosystem, and encrypt our message as $c \equiv y^2 x^m \pmod N$. We can no longer use the same decryption mechanism as in the Goldwasser-Micali scheme (because m is now a number, not a bit), so we must find another way to decrypt our ciphertext.

The first problem is the value of y. In the Goldwasser-Micali cryptosystem, this value is not required for decryption because the actual value of c does not matter; what matters is whether c is a quadratic residue modulo N. There are two possible scenarios:

1. We transmit the value of y along with the ciphertext. To decrypt, one multiplies the ciphertext by $y^{-2}$ and recovers $x^m$.

2. We use (11). We raise the ciphertext c to the power λ, obtaining:

$$c^{\lambda} = y^{2\lambda} x^{m\lambda} \qquad (13)$$

Since y < N, $y^2 < N^2$, so $y^{2\lambda} \equiv 1 \pmod N$. Thus, we can recover $x^m$ by computing $c^{\lambda} x^{-\lambda}$ and reducing the result modulo N.

In both cases, we recovered the value of $x^m$. Let us denote this value by T. So, we know T and x, and we have to determine m such that $T \equiv x^m \pmod N$. This is exactly the DL[N, a, b] problem with a = T and b = x. We know from the previous section that this problem cannot be solved unless we use some special case like the one illustrated above. However, if we use a special case of the discrete log problem, we cannot transmit y, because everyone would be able to find our plaintext message m by multiplying the ciphertext by $y^{-2}$ and then using the special case of the discrete log problem to find m. So, we must deal with y using Carmichael's theorem. We saw that to use the special case of the discrete log we must work modulo N^2. If we do this, we can no longer use (11). Luckily for us, Carmichael's theorem also gives (12), which works modulo N^2. To use (12), we must adapt our encryption scheme.
Instead of encrypting the message as $y^2 x^m \pmod N$, we will compute the ciphertext c as:

$$c \equiv y^N x^m \pmod{N^2} \qquad (14)$$

That is because in (12) we have N in the exponent, not 2. In this way, we can recover $x^m$ by calculating $c^{\lambda} x^{-\lambda} \pmod{N^2}$. That works because $c^{\lambda} x^{-\lambda} \equiv y^{\lambda N} x^{\lambda m} x^{-\lambda} \equiv x^{\lambda m} x^{-\lambda} \equiv x^m \pmod{N^2}$. Remember (12): $y^{N\lambda} \equiv 1 \pmod{N^2}$. As we said above, to find the plaintext message m we must use the special case of the discrete log problem, that is, x must be equal to N + 1. Putting it all together, our encryption scheme looks like this:

1. Key generation: Just as in the Goldwasser-Micali encryption scheme, we generate an RSA modulus N as the product of two large prime numbers p and q. The public key is N (unlike Goldwasser-Micali encryption, we no longer need x, because in our case x = N + 1). The secret key consists of the prime numbers p and q.
2. Encryption: To encrypt a plaintext message m, we generate a random number y modulo N such that gcd(y, N) = 1 (just like the Goldwasser-Micali scheme). The ciphertext c is calculated as:

$$c \equiv y^N (N+1)^m \pmod{N^2} \qquad (15)$$

3. Decryption: To recover the plaintext message m, we first calculate:

$$c^{\lambda} \equiv y^{N\lambda} (N+1)^{m\lambda} \equiv (N+1)^{m\lambda} \pmod{N^2} \qquad (16)$$

Since this is a special case of the discrete log problem, we can compute mλ as:

$$m\lambda \equiv \frac{c^{\lambda} - 1}{N} \pmod{N^2} \qquad (17)$$

From this point, we can recover the plaintext message m by computing:

$$m \equiv \left( \frac{c^{\lambda} - 1}{N} \pmod{N^2} \right) \lambda^{-1} \pmod N \qquad (18)$$

3 The analysis of the proposed cryptosystem

In the first part of this section, we investigate the security of our cryptosystem. In the second part, we explore some cryptographic properties of the proposed scheme.

3.1 The security of the cryptosystem

All the strength of our cryptosystem lies in the assumption that, given a ciphertext c calculated as $c \equiv y^N (N+1)^m \pmod{N^2}$, nobody can efficiently calculate the plaintext m. Although we do not have a mathematical proof that this is indeed a hard problem, i.e. a problem for which no polynomial-time solution is known, we can prove some implications between well-known hard problems and this problem. We denote this problem as MP[N]: given c computed as $c \equiv y^N (N+1)^m \pmod{N^2}$, find m.

1. FACT[N] → MP[N]

If we know the factorization of N, i.e. the primes p and q such that N = p · q, we can easily compute λ = lcm(p − 1, q − 1) as:

$$\lambda = \frac{(p-1)(q-1)}{\gcd(p-1, q-1)} \qquad (19)$$

Given λ we can recover m using (18).
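The scheme assembled above, steps 1 to 3 with equations (15) to (18), in Python, together with scenario 1 of Section 2 (decrypting from y alone) to make concrete why y must never leave the sender. This is an added example, not the paper's code; the toy primes 61 and 53 and all function names are assumptions, and a modulus this small is for reading, not for use.

```python
from math import gcd
import secrets


def keygen(p, q):
    """Step 1: public key N = p*q; secret key (p, q) plus lambda from (19)."""
    N = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return N, (p, q, lam)


def random_unit(N):
    """A random y in [1, N) with gcd(y, N) = 1, as step 2 requires."""
    while True:
        y = secrets.randbelow(N - 1) + 1
        if gcd(y, N) == 1:
            return y


def encrypt(N, m, y=None):
    """Step 2, equation (15): c = y^N (N+1)^m mod N^2.
    Returns (c, y); y is handed back only so the demo below can show scenario 1."""
    if not 0 <= m < N:
        raise ValueError("plaintext must lie in [0, N)")
    if y is None:
        y = random_unit(N)
    N2 = N * N
    c = pow(y, N, N2) * pow(N + 1, m, N2) % N2
    return c, y


def decrypt(sk, N, c):
    """Step 3: (16) kills y^N, (17) reads m*lambda mod N off (1+N)^{m lambda},
    (18) removes lambda."""
    p, q, lam = sk
    N2 = N * N
    u = pow(c, lam, N2)                  # (16): equals 1 + N*(m*lam mod N)
    m_lam = (u - 1) // N                 # (17)
    return m_lam * pow(lam, -1, N) % N   # (18)


def decrypt_with_y(N, c, y):
    """Scenario 1 of Section 2: whoever knows y strips y^N and reads m from
    (N+1)^m with (9).  No secret key is needed, which is why y is not transmitted."""
    N2 = N * N
    t = c * pow(y, -N, N2) % N2          # (N+1)^m mod N^2 = 1 + N*m
    return (t - 1) // N


if __name__ == "__main__":
    N, sk = keygen(61, 53)               # constructed toy parameters (assumption)
    c, y = encrypt(N, 42)
    print("ciphertext:", c)
    print("decrypt with (p, q):", decrypt(sk, N, c))
    print("decrypt with y only:", decrypt_with_y(N, c, y))
```

The only place the factorization enters is the exponent λ in `decrypt`, which is exactly the FACT[N] → MP[N] reduction above; `decrypt_with_y` needs no λ at all, so leaking y is as bad as leaking the secret key for that one ciphertext.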
2. RSA[N, e] → MP[N]

Remember from (7) that $(N+1)^m \equiv 1 \pmod N$, so $y^N (N+1)^m \equiv y^N \pmod N$. If we reduce c modulo N and denote the result by c′, we get:

$$c' \equiv y^N \pmod N \qquad (20)$$

Getting y given c′ is exactly the RSA[N, N] problem. So if we know how to solve RSA[N, N], we can determine y and therefore $y^{-N}$. Given this information we can compute:

$$c \, y^{-N} \equiv y^N y^{-N} (N+1)^m \equiv (N+1)^m \pmod{N^2} \qquad (21)$$

If we know $(N+1)^m \pmod{N^2}$, we can find m using (9). Note, however, that we have not demonstrated that MP[N] → RSA[N, e]. That means it is possible that an efficient algorithm exists which solves the MP[N] problem without solving the RSA[N, e] problem (the same situation occurs with other hard problems, such as RSA[N, e] itself: it is still an open problem whether RSA[N, e] → FACT[N]).

We proved that some well-known hard problems imply our problem. This is not sufficient for a modern cryptographic scheme. Every decent cryptosystem should be semantically secure. That means that if we have two plaintext messages $m_0$ and $m_1$ and one ciphertext c (encrypting one of the two messages), we cannot tell whether c is the encryption of $m_0$ or of $m_1$. In the Goldwasser-Micali scheme, if c is the encryption of $m_0$ then $c \, x^{m_0}$ is a quadratic residue modulo N (since the Goldwasser-Micali scheme works on bits, we suppose in this case that m is just one bit long). We know that QR[N, a] is a hard problem, so we cannot tell whether $c \, x^{m_0}$ is a quadratic residue or not. Thus, we cannot find out whether c is the encryption of $m_0$ or $m_1$. By analogy, we can introduce a new decisional problem, denoted D-MP[N, a], very similar to QR[N, a]. D-MP[N, a] is the problem of deciding whether there exists an integer b such that $a \equiv b^N \pmod{N^2}$. We cannot be sure that D-MP[N, a] is a hard problem, just as we are not sure that QR[N, a] is a hard problem (the problem has not been solved for a long time, but we still do not have a mathematical proof that it is indeed hard).
The only difference between the two is that QR[N, a] has been around for a very long time, while D-MP[N, a] has just been defined.

3.2 A cool property

Let $c_0$ be the encryption of $m_0$ and $c_1$ be the encryption of $m_1$:

$$c_0 \equiv y_0^N (N+1)^{m_0} \pmod{N^2} \qquad (22)$$

$$c_1 \equiv y_1^N (N+1)^{m_1} \pmod{N^2} \qquad (23)$$

If we multiply the two ciphertexts we get:

$$c_{mul} \equiv (y_0 y_1)^N (N+1)^{m_0 + m_1} \pmod{N^2} \qquad (24)$$
It is obvious that $c_{mul}$ is the encryption of the sum of the two messages. This means that our scheme is homomorphic with respect to addition. Further, if we raise $c_0$ to the power k we get:

$$c_0^k \equiv y_0^{kN} (N+1)^{k m_0} \pmod{N^2} \qquad (25)$$

This is the encryption of $k m_0$, so our scheme is homomorphic with respect to multiplication by a constant.

4 Conclusions

In this tutorial, we showed the process by which a cryptographic scheme is born. We did not invent a new cryptosystem: "our scheme" from above is the well-known Paillier encryption scheme. We wanted to show that there is no magic in inventing a new cryptosystem. All the math behind it is quite scary at first glance, but the actual process is natural and intuitive. All we did was identify a problem with an existing encryption scheme and then solve that problem step by step.
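The homomorphic properties (24) and (25) of Section 3.2, and the observation (20) of Section 3.1 that a ciphertext reduced modulo N is just $y^N \bmod N$, in Python. This is an added example rather than the paper's code; it restates the scheme compactly on the same constructed toy primes 61 and 53 (assumed, and far too small to be secure), and the names enc, dec, add_ciphertexts and scale_ciphertext are assumptions.

```python
from math import gcd
import secrets

# Constructed toy parameters (assumption, not from the paper).
P, Q = 61, 53
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)     # (19)


def enc(m, y=None):
    """(15): c = y^N (N+1)^m mod N^2, with a random unit y unless one is supplied."""
    if y is None:
        while True:
            y = secrets.randbelow(N - 1) + 1
            if gcd(y, N) == 1:
                break
    return pow(y, N, N2) * pow(N + 1, m % N, N2) % N2


def dec(c):
    """(18): m = ((c^lambda mod N^2 - 1) / N) * lambda^{-1} mod N."""
    return ((pow(c, LAM, N2) - 1) // N) * pow(LAM, -1, N) % N


def add_ciphertexts(c0, c1):
    """(24): the product of two ciphertexts encrypts m0 + m1 (mod N);
    the randomness of the result is y0*y1, still a unit."""
    return c0 * c1 % N2


def scale_ciphertext(c0, k):
    """(25): raising a ciphertext to the power k encrypts k*m0 (mod N)."""
    return pow(c0, k, N2)


def reduced_mod_N_is_rsa_instance(m, y):
    """(20): c mod N equals y^N mod N, an RSA[N, N] instance carrying no
    information about m (the factor (N+1)^m is 1 modulo N)."""
    c = enc(m, y)
    return c % N == pow(y, N, N)


if __name__ == "__main__":
    c0, c1 = enc(100), enc(250)
    print("dec(c0 * c1)      =", dec(add_ciphertexts(c0, c1)))     # 350
    print("dec(c0 ** 7)      =", dec(scale_ciphertext(c0, 7)))      # 700
    print("dec of 3000+1000  =", dec(add_ciphertexts(enc(3000), enc(1000))))  # wraps mod N
    print("(20) holds        =", reduced_mod_N_is_rsa_instance(42, 7))
```

The third line of the demo is the caveat a practitioner wants: the homomorphism is addition modulo N, so on a real modulus the sum must be kept below N (here 4000 wraps to 767), and `reduced_mod_N_is_rsa_instance` is the concrete form of (20) that the RSA[N, N] → MP[N] reduction starts from.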