This document provides a tutorial on how to invent a new cryptosystem by extending an existing one. It begins by outlining some basic cryptography concepts such as hard problems. It then shows how to extend the Goldwasser-Micali cryptosystem to encrypt full messages instead of single bits. This leads to a cryptosystem that is homomorphic for addition and for multiplication by a constant. The security and properties of the resulting system are analyzed, and it is noted that the system described is actually the well-known Paillier cryptosystem. The goal is to demonstrate the natural process of developing a new cryptosystem from an existing one.
How to invent a new cryptosystem
Mihail-Iulian Plesa
Department of Computer Science, University of Bucharest, Bucharest, Romania
mihail-iulian.plesa@s.unibuc.ro
Abstract. In this article, we will see how a new cryptosystem can come
to life. The article is structured like a fun tutorial on how to invent a
secure cryptosystem. In Section 1 we will provide some basic things that
every decent cryptographer should know. In Section 2 we will see how we
can expand an existing cryptosystem. In Section 3 we will analyze our
cryptosystem and provide some mathematical proofs. The last section is
for conclusions.
Keywords: Public Key Cryptography · Paillier · Tutorial.
1 Some basic crypto stuff
In this section, we will present some basic ideas in cryptography. This section
is made up of specific prerequisites that are necessary for this paper. Although
every cryptographer should know these sorts of things, we want this paper to be
as independent as possible.
1.1 Hard problems
All public-key cryptosystems are based on some hard problems. By hard prob-
lem, we mean a problem for which no efficient solution is known. In this section,
we list some well-known hard problems used by cryptographers.
1. Prime factorization
Given a natural number $N$, find all its prime divisors. We will denote this problem as FACT[N].
2. RSA problem
Given an RSA public key $(N, e)$ and a ciphertext $C \equiv P^e \pmod N$, find the plaintext $P$. We will denote this problem as RSA[N, e].
3. Quadratic residuosity problem
Given an RSA modulus $N$ and an integer $a$ with $\gcd(a, N) = 1$, decide whether there exists an integer $b$ such that $a \equiv b^2 \pmod N$. If such an integer exists, we call $a$ a quadratic residue modulo $N$. We will denote this problem as QR[N, a].
4. Discrete logarithm problem
Given an RSA modulus $N$ and two integers $a$ and $b$ such that $a \equiv b^x \pmod N$, find the integer $x$. We will denote this problem as DL[N, a, b].
1.2 Some implications
1. FACT[N] → RSA[N, e]
An RSA modulus is generated as the product of two large prime numbers $p$ and $q$. If we know these numbers, we can easily compute Euler's totient function $\varphi(N)$ as in (1):
$$\varphi(N) = (p-1)(q-1) \qquad (1)$$
Given $\varphi(N)$ we can calculate the inverse of $e$ modulo $\varphi(N)$:
$$d \equiv e^{-1} \pmod{\varphi(N)} \qquad (2)$$
Once we have $d$ we can find the plaintext $P$ as in (3):
$$P \equiv C^d \pmod N \qquad (3)$$
The explanation is simple:
$$C^d = (P^e)^d = P^{ed} \qquad (4)$$
Since $ed \equiv 1 \pmod{\varphi(N)}$, we can write $ed = 1 + k\varphi(N)$ for some integer $k$, so:
$$P^{ed} = P \cdot \left(P^{\varphi(N)}\right)^k \equiv P \pmod N \qquad (5)$$
The basis of this argument is Euler's theorem, which states that for any integer $a$ such that $\gcd(a, N) = 1$ we have:
$$a^{\varphi(N)} \equiv 1 \pmod N \qquad (6)$$
2. FACT[N] → QR[N, a]
If we know that $N = pq$, then we can easily determine whether $a$ (coprime to $N$) is a quadratic residue modulo $N$: by Euler's criterion, $a$ is a square modulo $N$ exactly when it is a square modulo both $p$ and $q$, i.e. when both of the following hold:
(i) $a^{(p-1)/2} \equiv 1 \pmod p$
(ii) $a^{(q-1)/2} \equiv 1 \pmod q$
3. FACT[N] → DL[N, a, b]
This is a little bit harder to prove in a few lines. However, we will explain a special case of the problem that allows the calculation of the discrete log efficiently. First of all, recall the binomial expansion:
$$(1+N)^x = \binom{x}{0} N^0 + \binom{x}{1} N^1 + \dots + \binom{x}{x} N^x \qquad (7)$$
Since every term after the second one is a multiple of $N^2$, from (7) it follows that:
$$(1+N)^x \equiv 1 + xN \pmod{N^2} \qquad (8)$$
If the base of the discrete log is $1+N$ and we work modulo $N^2$, we can easily find $x$ (the discrete log, determined modulo $N$) as in (9):
$$x = \frac{\left((1+N)^x \bmod N^2\right) - 1}{N} \qquad (9)$$
Note that if we work modulo $N$ (as in most cryptosystems) we could not find the discrete logarithm this way, because $(1+N)^x$ is simply 1 modulo $N$.
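The three implications above, worked on toy numbers. This is an added example and not code from the paper; the primes $p = 61$, $q = 53$ (so $N = 3233$), the exponent $e = 17$ and the plaintexts are constructed for illustration, and real keys use primes of 1024 bits or more. It uses `pow(e, -1, m)` for modular inverses, available from Python 3.8.

```python
# Added example (not from the paper): the three implications of Section 1.2
# on constructed toy numbers. Real keys use primes of 1024 bits or more.
from math import gcd


def euler_phi(p, q):
    """phi(N) for N = p*q with p, q distinct primes, equation (1)."""
    return (p - 1) * (q - 1)


def rsa_decrypt_with_factors(c, e, p, q):
    """FACT[N] -> RSA[N, e]: the factors give phi(N), hence d = e^-1 mod phi(N),
    and P = C^d mod N (equations (2)-(6))."""
    n = p * q
    d = pow(e, -1, euler_phi(p, q))   # modular inverse, Python 3.8+
    return pow(c, d, n)


def is_qr_mod_prime(a, p):
    """Euler's criterion: for an odd prime p and gcd(a, p) = 1, a is a square
    modulo p iff a^((p-1)/2) == 1 (mod p)."""
    return pow(a % p, (p - 1) // 2, p) == 1


def is_qr_with_factors(a, p, q):
    """FACT[N] -> QR[N, a]: a coprime to N is a square modulo N iff it is a
    square modulo both p and q (conditions (i) and (ii))."""
    if gcd(a, p * q) != 1:
        raise ValueError("QR[N, a] is only defined for gcd(a, N) = 1")
    return is_qr_mod_prime(a, p) and is_qr_mod_prime(a, q)


def dlog_base_one_plus_n(t, n):
    """Special case of DL: given t = (1+N)^x mod N^2, return x mod N (equation (9)).
    Works because (1+N)^x = 1 + xN (mod N^2): every later binomial term of (7)
    contains N^2. Since (1+N)^N = 1 (mod N^2), x is only recovered modulo N."""
    u = t % (n * n)
    if (u - 1) % n != 0:
        raise ValueError("t is not a power of 1+N modulo N^2")
    return (u - 1) // n


if __name__ == "__main__":
    p, q = 61, 53                       # constructed toy primes, N = 3233
    n = p * q
    e, plaintext = 17, 65
    c = pow(plaintext, e, n)
    print("RSA recovered:", rsa_decrypt_with_factors(c, e, p, q) == plaintext)
    print("49 is a QR:", is_qr_with_factors(pow(7, 2, n), p, q))
    print("2 is a QR:", is_qr_with_factors(2, p, q))    # 2 is a non-residue mod 61 and mod 53
    x = 1234
    print("DL recovered:", dlog_base_one_plus_n(pow(1 + n, x, n * n), n) == x)
```

The last function also shows the limitation stated in the text: feeding it $(1+N)^{N+5} \bmod N^2$ returns 5, not $N+5$, because the base $1+N$ has order $N$ modulo $N^2$.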
1.3 The Goldwasser-Micali cryptosystem
The cryptosystem is based on the QR[N, a] problem. It is the first probabilistic encryption scheme. The public key consists of an RSA modulus $N$, generated as the product of two large prime numbers $p$ and $q$, and an integer $x$ that is not a quadratic residue modulo $N$. Some care is needed in choosing $x$: it must be a non-residue modulo both $p$ and $q$, so that its Jacobi symbol $\left(\frac{x}{N}\right)$ equals $+1$. The Jacobi symbol can be computed without knowing $p$ and $q$, so if $x$ were a non-residue modulo only one of the primes, anyone could read off the encrypted bits by computing the Jacobi symbol of each ciphertext element. The secret key consists of $p$ and $q$.
To encrypt a plaintext message $m$, we first encode it as a string of bits $m = (m_1, m_2, \dots, m_n)$. Then for every bit $m_i$ we generate a random number $y_i$ such that $\gcd(y_i, N) = 1$. The encrypted bit $c_i$ is calculated as $c_i \equiv y_i^2 x^{m_i} \pmod N$.
If $m_i$ is 0, then $c_i$ is a quadratic residue modulo $N$. If $m_i$ is 1, then $c_i$ is not a quadratic residue modulo $N$ (because $c_i$ is the product of a quadratic residue, $y_i^2$, and a non-residue, $x$).
To decrypt the ciphertext, which is the string of numbers $c = (c_1, c_2, \dots, c_n)$ generated above, we determine whether each $c_i$ is a quadratic residue modulo $N$. We can do that easily because we know the secret key and can apply the test from Section 1.2.
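The scheme described above, as an added example (not code from the paper), on the same constructed toy primes $p = 61$, $q = 53$. Key generation enforces the Jacobi-symbol condition on $x$, and the Jacobi symbol routine itself is included to make the point that it needs no knowledge of the factors. The optional `y` argument exists only to make individual encryptions reproducible.

```python
# Added example (not from the paper): Goldwasser-Micali on constructed toy
# primes, one ciphertext element per plaintext bit.
import secrets
from math import gcd


def is_qr_mod_prime(a, p):
    """Euler's criterion for an odd prime p (the secret-key test of Section 1.2)."""
    return pow(a % p, (p - 1) // 2, p) == 1


def jacobi(a, n):
    """Jacobi symbol (a | n) for odd n > 0, computed WITHOUT the factorization of n."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def gm_keygen(p, q):
    """Public key (N, x), secret key (p, q). x is the smallest integer that is a
    non-residue modulo BOTH p and q; that is what makes jacobi(x, N) == +1 and
    keeps the Jacobi symbol of a ciphertext from leaking the bit."""
    n = p * q
    x = 2
    while not (gcd(x, n) == 1 and not is_qr_mod_prime(x, p) and not is_qr_mod_prime(x, q)):
        x += 1
    assert jacobi(x, n) == 1
    return (n, x), (p, q)


def gm_encrypt_bit(bit, pub, y=None):
    """c_i = y_i^2 * x^{m_i} mod N with a fresh random y_i coprime to N."""
    n, x = pub
    if y is None:
        while True:
            y = secrets.randbelow(n - 2) + 2
            if gcd(y, n) == 1:
                break
    return (pow(y, 2, n) * pow(x, bit, n)) % n


def gm_decrypt_bit(c, priv):
    """The bit is 0 iff c is a quadratic residue modulo N, tested with the factors."""
    p, q = priv
    return 0 if is_qr_mod_prime(c, p) and is_qr_mod_prime(c, q) else 1


def bits_of(message):
    return [int(b) for byte in message for b in format(byte, "08b")]


def bytes_of(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def gm_encrypt(message, pub):
    """Encrypts each bit separately: an 8x blow-up in count, and each element is
    as large as N. This inefficiency is what Section 2 sets out to fix."""
    return [gm_encrypt_bit(b, pub) for b in bits_of(message)]


def gm_decrypt(ciphertext, priv):
    return bytes_of([gm_decrypt_bit(c, priv) for c in ciphertext])


if __name__ == "__main__":
    pub, priv = gm_keygen(61, 53)          # constructed toy primes, N = 3233
    ct = gm_encrypt(b"hi", pub)
    print(len(ct), "ciphertext elements for 2 bytes")
    print(gm_decrypt(ct, priv))
```

Encrypting two bytes yields sixteen numbers modulo $N$, which is the efficiency problem motivating the next section.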
1.4 Carmichael's theorem
This is a very useful theorem in cryptography. Let $N = pq$ with $p$ and $q$ distinct primes and let $\lambda = \lambda(N) = \mathrm{lcm}(p-1, q-1)$. Then for any integer $a$ coprime to $N$ we have:
$$a^{\lambda} \equiv 1 \pmod N \qquad (10)$$
Two consequences that we will use later are the following, valid for any $a$ with $0 < a < N^2$ and $\gcd(a, N) = 1$:
$$a^{\lambda} \equiv 1 \pmod N \qquad (11)$$
$$a^{N\lambda} \equiv 1 \pmod{N^2} \qquad (12)$$
Equation (12) holds because $\lambda(N^2) = \mathrm{lcm}(p(p-1), q(q-1))$ divides $N\lambda$.
2 Extending the Goldwasser-Micali cryptosystem
An obvious problem with the Goldwasser-Micali cryptosystem is efficiency. To
encrypt a plaintext message m, we have to encrypt every bit of it. In this section,
we will see how to solve this problem by extending the Goldwasser-Micali scheme
to a new cryptosystem. We will try to explain every step in the process intuitively.
The first natural idea to solve the above problem is to encrypt the entire plaintext message $m$ at once. We do not yet have reasons to change the general shape of the cryptosystem, so to encrypt the entire message we will generate a random number $y$, just as in the Goldwasser-Micali cryptosystem, and encrypt our message as $c \equiv y^2 x^m \pmod N$. We can no longer use the same decryption mechanism as in the Goldwasser-Micali scheme (because $m$ is now a number, not a bit), so we must find another way to decrypt our ciphertext.
The first problem is the value of $y$. In the Goldwasser-Micali cryptosystem this value is not required for decryption, because the actual value of $c$ does not matter; what matters is whether $c$ is a quadratic residue modulo $N$. There are two possible scenarios:
1. We transmit the value of $y$ along with the ciphertext. To decrypt, one multiplies the ciphertext by $y^{-2}$ and recovers $x^m$.
2. We use (11). We raise the ciphertext $c$ to the power $\lambda$, obtaining:
$$c^{\lambda} = y^{2\lambda} x^{m\lambda} \qquad (13)$$
Since $\gcd(y, N) = 1$, (11) gives $y^{2\lambda} \equiv 1 \pmod N$, so $c^{\lambda} \equiv x^{m\lambda} \pmod N$. We have not recovered $x^m$ itself but $x^{m\lambda}$; since the decryptor knows $\lambda$, recovering the exponent $m\lambda$ would be enough.
In both cases we end up with a power of $x$: in the first case $T = x^m$, in the second $T = x^{m\lambda}$. Either way, we know $T$ and $x$ and have to determine the exponent $m'$ such that $T \equiv x^{m'} \pmod N$. This is exactly the DL[N, a, b] problem with $a = T$ and $b = x$. We know from the previous section that this problem cannot be solved unless we use some special case like the one illustrated above. However, if we use that special case of the discrete log problem, we cannot transmit $y$, because then everyone would be able to find our plaintext message $m$ by multiplying the ciphertext by $y^{-2}$ and then applying the special case of the discrete log problem. So we must deal with $y$ using Carmichael's theorem. We saw that to use the special case for the discrete log we must work modulo $N^2$. If we do this, we can no longer use (11). Luckily for us, Carmichael's theorem also gives (12), which works modulo $N^2$. To use (12), we must adapt our encryption scheme. Instead of encrypting the message as $y^2 x^m \pmod N$ we will compute the ciphertext $c$ as:
$$c \equiv y^N x^m \pmod{N^2} \qquad (14)$$
That is because in (12) we have $N$ in the exponent, not 2. In this way, we can recover $x^{m\lambda}$ by calculating $c^{\lambda} \pmod{N^2}$. That works because $c^{\lambda} \equiv y^{\lambda N} x^{\lambda m} \equiv x^{\lambda m} \pmod{N^2}$; remember (12), $y^{N\lambda} \equiv 1 \pmod{N^2}$. The factor $\lambda$ in the exponent is not a problem: once we know $m\lambda$ modulo $N$, we multiply by $\lambda^{-1} \bmod N$ to get $m$.
As we said above, to find the plaintext message $m$ we must use the special case of the discrete log problem, that is, $x$ must be equal to $N+1$. Putting it all together, our encryption scheme looks like this:
1. Key generation:
Just as in the Goldwasser-Micali encryption scheme, we generate an RSA modulus $N$ as the product of two large prime numbers $p$ and $q$, chosen so that $\gcd(N, \varphi(N)) = 1$ (this is automatic when $p$ and $q$ have the same bit length, and it guarantees that $\lambda$ is invertible modulo $N$). The public key is $N$ (unlike Goldwasser-Micali we no longer need to publish $x$, because in our case $x = N+1$). The secret key consists of the prime numbers $p$ and $q$, from which $\lambda = \mathrm{lcm}(p-1, q-1)$ is computed.
2. Encryption:
To encrypt a plaintext message $m$ with $0 \le m < N$, we generate a random number $y$ modulo $N$ such that $\gcd(y, N) = 1$ (just like the Goldwasser-Micali scheme). The ciphertext $c$ is calculated as:
$$c \equiv y^N (N+1)^m \pmod{N^2} \qquad (15)$$
3. Decryption:
To recover the plaintext message $m$, first we calculate:
$$c^{\lambda} \equiv y^{N\lambda} (N+1)^{m\lambda} \equiv (N+1)^{m\lambda} \pmod{N^2} \qquad (16)$$
Since this is the special case of the discrete log problem, we can compute $m\lambda \bmod N$ as in (9):
$$m\lambda \equiv \frac{\left(c^{\lambda} \bmod N^2\right) - 1}{N} \pmod N \qquad (17)$$
From this point, we recover the plaintext message $m$ by multiplying with the inverse of $\lambda$ modulo $N$:
$$m \equiv \frac{\left(c^{\lambda} \bmod N^2\right) - 1}{N} \cdot \lambda^{-1} \pmod N \qquad (18)$$
3 The analysis of the proposed cryptosystem
In the first part of this section, we will investigate the security of our cryptosystem. In the second part, we will explore some cryptographic properties of the proposed scheme.
3.1 The security of the cryptosystem
All the strength of our cryptosystem lies in the assumption that, given a ciphertext $c$ calculated as $c \equiv y^N (N+1)^m \pmod{N^2}$, nobody can efficiently calculate the plaintext $m$. Although we do not have a mathematical proof that this is indeed a hard problem, i.e. a problem for which no polynomial-time solution is known, we can prove some implications between well-known hard problems and this problem. We denote this problem as MP[N]: given $c$ computed as $c \equiv y^N (N+1)^m \pmod{N^2}$, find $m$.
1. FACT[N] → MP[N]
If we know the factorization of $N$, i.e. the primes $p$ and $q$ such that $N = pq$, we can easily compute $\lambda = \mathrm{lcm}(p-1, q-1)$ as:
$$\lambda = \frac{(p-1)(q-1)}{\gcd(p-1, q-1)} \qquad (19)$$
Given $\lambda$ we can recover $m$ using (18).
2. RSA[N, e] → MP[N]
Remember from (7) that $(N+1)^m \equiv 1 \pmod N$, so $y^N (N+1)^m \equiv y^N \pmod N$. If we reduce $c$ modulo $N$ and denote the result by $c'$ we get:
$$c' \equiv y^N \pmod N \qquad (20)$$
Getting $y$ given $c'$ is exactly the RSA[N, N] problem, i.e. RSA with public exponent $e = N$ (a valid exponent, since $\gcd(N, \varphi(N)) = 1$). So if we know how to solve RSA[N, N] we can determine $y$ and therefore $y^{-N} \bmod N^2$. Given this information we can compute:
$$c \, y^{-N} \equiv y^N y^{-N} (N+1)^m \equiv (N+1)^m \pmod{N^2} \qquad (21)$$
If we know $(N+1)^m \pmod{N^2}$ we can find $m$ using (9).
Note, however, that we have not demonstrated that MP[N] → RSA[N, e]. That means it is possible that an efficient algorithm exists which solves the MP[N] problem without solving the RSA[N, e] problem (the same situation occurs for RSA[N, e] itself: it is still an open problem whether RSA[N, e] → FACT[N]).
We proved that some well-known hard problems imply our problem. This is not sufficient for a modern cryptographic scheme. Every decent cryptosystem should be semantically secure. That means that if we have two plaintext messages $m_0$ and $m_1$ and one ciphertext $c$ (encrypting one of the two messages), we cannot tell whether $c$ is the encryption of $m_0$ or of $m_1$. In the Goldwasser-Micali scheme, if $c$ is the encryption of $m_0$ then $c \, x^{-m_0}$ is a quadratic residue modulo $N$, and if $c$ is the encryption of $m_1 \neq m_0$ it is not (since the Goldwasser-Micali scheme works on bits, we suppose in this case that $m_0$ and $m_1$ are one bit long). We assume that QR[N, a] is a hard problem, so we cannot tell whether $c \, x^{-m_0}$ is a quadratic residue or not. Thus, we cannot find out whether $c$ is the encryption of $m_0$ or of $m_1$.
By analogy, we can introduce a new decisional problem denoted D-MP[N, a], very similar to QR[N, a]. D-MP[N, a] is the problem of deciding whether there exists an integer $b$ such that $a \equiv b^N \pmod{N^2}$. The analogy is exact: if $c$ encrypts $m_0$ then $c \, (N+1)^{-m_0} \equiv y^N \pmod{N^2}$ is an $N$-th residue, and if $c$ encrypts $m_1 \neq m_0$ it is not. We cannot be sure that D-MP[N, a] is a hard problem, just as we are not sure that QR[N, a] is a hard problem (nobody has solved it efficiently for a long time, but we still do not have a mathematical proof that it is indeed hard). The only difference between the two is that QR[N, a] has been around for a very long time, while D-MP[N, a] has just been defined (in the literature it is known as the decisional composite residuosity problem).
3.2 A cool property
Let $c_0$ be the encryption of $m_0$ and $c_1$ the encryption of $m_1$:
$$c_0 \equiv y_0^N (N+1)^{m_0} \pmod{N^2} \qquad (22)$$
$$c_1 \equiv y_1^N (N+1)^{m_1} \pmod{N^2} \qquad (23)$$
If we multiply the two ciphertexts we get:
$$c_{mul} \equiv (y_0 y_1)^N (N+1)^{m_0 + m_1} \pmod{N^2} \qquad (24)$$
Since $y_0 y_1$ is again coprime to $N$, $c_{mul}$ is a valid encryption of the sum of the two messages, reduced modulo $N$ (decryption via (18) only recovers $m$ modulo $N$, so sums that overflow $N$ wrap around). This means that our scheme is homomorphic with respect to addition.
Further, if we raise $c_0$ to the power $k$ we get:
$$c_0^k \equiv y_0^{kN} (N+1)^{k m_0} \pmod{N^2} \qquad (25)$$
This is an encryption of $k m_0 \bmod N$, so our scheme is homomorphic with respect to multiplication by a known constant. Note that this is not the same as multiplying two encrypted messages together; our scheme does not support that operation.
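The complete scheme of Section 2 (key generation and equations (15)–(18)), the RSA[N, N] → MP[N] reduction of Section 3.1 and the two homomorphic operations of Section 3.2, as one added example that is not code from the paper. It runs on the constructed toy primes $p = 61$, $q = 53$ (so $N = 3233$, $\lambda = 780$); the optional `y` argument makes a single encryption reproducible, and `recover_via_rsa` solves the RSA[N, N] instance with the factors, since that is the only known way to do it. It needs Python 3.9 for `math.lcm`.

```python
# Added example (not from the paper): the Section 2 scheme with g = N+1,
# the RSA[N, N] -> MP[N] reduction of Section 3.1, and the homomorphic
# operations of Section 3.2, on constructed toy primes.
import secrets
from math import gcd, lcm


def keygen(p, q):
    """Public key N = p*q; secret key (p, q, lambda). gcd(N, phi(N)) = 1 is
    required so that lambda is invertible modulo N in (18)."""
    n = p * q
    if gcd(n, (p - 1) * (q - 1)) != 1:
        raise ValueError("choose p, q with gcd(N, phi(N)) = 1")
    return n, (p, q, lcm(p - 1, q - 1))


def L(u, n):
    """Equation (9): u = 1 + mN (mod N^2)  ->  m mod N."""
    return ((u % (n * n)) - 1) // n


def random_unit(n):
    """Random y in [2, N) with gcd(y, N) = 1."""
    while True:
        y = secrets.randbelow(n - 2) + 2
        if gcd(y, n) == 1:
            return y


def encrypt(m, n, y=None):
    """Equation (15): c = y^N (1+N)^m mod N^2, for 0 <= m < N."""
    if not 0 <= m < n:
        raise ValueError("plaintext must satisfy 0 <= m < N")
    n2 = n * n
    y = random_unit(n) if y is None else y
    return (pow(y, n, n2) * pow(1 + n, m, n2)) % n2


def decrypt(c, n, priv):
    """Equations (16)-(18): c^lambda removes y^N by (12), L(.) yields
    m*lambda mod N, and lambda^-1 mod N gives m."""
    p, q, lam = priv
    u = pow(c, lam, n * n)
    return (L(u, n) * pow(lam, -1, n)) % n


def recover_via_rsa(c, n, priv):
    """Section 3.1: c mod N = y^N mod N is an RSA[N, N] instance (20). We solve
    it with the factors (d = N^-1 mod lambda), strip y^N from c (21) and read
    m off (1+N)^m with (9). Without the factors no method is known."""
    p, q, lam = priv
    n2 = n * n
    y = pow(c % n, pow(n, -1, lam), n)          # y^(N d) = y^(1 + k lambda) = y (mod N)
    t = (c * pow(pow(y, n, n2), -1, n2)) % n2   # (1+N)^m mod N^2
    return L(t, n)


def add_encrypted(c0, c1, n):
    """Equation (24): decrypts to (m0 + m1) mod N."""
    return (c0 * c1) % (n * n)


def mul_encrypted_by_constant(c0, k, n):
    """Equation (25): decrypts to (k * m0) mod N."""
    return pow(c0, k, n * n)


if __name__ == "__main__":
    n, priv = keygen(61, 53)                    # constructed toy primes, N = 3233
    c = encrypt(1234, n)
    print(decrypt(c, n, priv), recover_via_rsa(c, n, priv))
    c0, c1 = encrypt(3000, n), encrypt(300, n)
    print(decrypt(add_encrypted(c0, c1, n), n, priv))   # 3300 wraps to 67 modulo N
    print(decrypt(mul_encrypted_by_constant(encrypt(100, n), 5, n), n, priv))
```

Two encryptions of the same plaintext differ whenever $y$ differs, which is the probabilistic property inherited from Goldwasser-Micali, and the wrap-around of $3000 + 300$ to $67$ shows that the homomorphism is addition modulo $N$, not over the integers.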
4 Conclusions
In this tutorial, we showed the process by which a cryptographic scheme is born. We did not invent a new cryptosystem: "our scheme" from above is the well-known Paillier encryption scheme [2]. We wanted to show that there is no magic in inventing a new cryptosystem. All the math behind it looks quite scary at first glance, but the actual process is natural and intuitive. All we did was identify a problem with an existing encryption scheme and then solve that problem step by step.
References
1. Hoffstein, J., Pipher, J., Silverman, J.H.: An Introduction to Mathematical Cryptography, vol. 1. Springer (2008)
2. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Advances in Cryptology – EUROCRYPT '99 (International Conference on the Theory and Applications of Cryptographic Techniques), pp. 223–238. Springer (1999)