The Goldwasser–Micali (GM) cryptosystem is an asymmetric key encryption algorithm developed by Shafi Goldwasser and Silvio Micali in 1982. GM has the distinction of being the first probabilistic public-key encryption scheme which is provably secure under standard cryptographic assumptions. However, it is not an efficient cryptosystem, as ciphertexts may be several hundred times larger than the initial plaintext. To prove the security properties of the cryptosystem, Goldwasser and Micali proposed the widely used definition of semantic security.
The GM cryptosystem is semantically secure based on the assumed intractability of the quadratic residuosity problem modulo a composite N = pq where p, q are large primes. This assumption states that given (x, N) it is difficult to determine whether x is a quadratic residue modulo N (i.e., x = y2 mod N for some y), when the Jacobi symbol for x is +1. The quadratic residue problem is easily solved given the factorization of N, while new quadratic residues may be generated by any party, even without knowledge of this factorization. The GM cryptosystem leverages this asymmetry by encrypting individual plaintext bits as either random quadratic residues or non-residues modulo N, all with quadratic residue symbol +1. Recipients use the factorization of N as a secret key, and decrypt the message by testing the quadratic residuosity of the received ciphertext values.
Because Goldwasser–Micali produces a value of size approximately |N| to encrypt every single bit of a plaintext, GM encryption results in substantial ciphertext expansion. To prevent factorization attacks, it is recommended that |N| be several hundred bits or more. Thus, the scheme serves mainly as a proof of concept, and more efficient provably-secure schemes such as ElGamal have been developed since.
Because encryption is performed using a probabilistic algorithm, a given plaintext may produce very different ciphertexts each time it is encrypted. This has significant advantages, as it prevents an adversary from recognizing intercepted messages by comparing them to a dictionary of known ciphertexts.
Goldwasser–Micali consists of three algorithms: a probabilistic key generation algorithm which produces a public and a private key, a probabilistic encryption algorithm, and a deterministic decryption algorithm.
The scheme relies on deciding whether a given value x is a square mod N, given the factorization (p, q) of N. This can be accomplished using the following procedure:
- Compute xp = x mod p, xq = x mod q.
- If and , then x is a quadratic residue mod N.
- Alice generates two distinct large prime numbers p and q, randomly and independently of each other.
- Alice computes N = p q.
- She then finds some non-residue x such that the Legendre symbols satisfy and hence the Jacobi symbol is +1. The value x can for example be found by selecting random values and testing the two Legendre symbols. If p, q = 3 mod 4 (i.e., N is a Blum integer), then the value N − 1 is guaranteed to have the required property.
The public key consists of (x, N). The secret key is the factorization (p, q).
Suppose Bob wishes to send a message m to Alice:
- Bob first encodes m as a string of bits (m1, ..., mn).
- For every bit , Bob generates a random value from the group of units modulo N, or . He outputs the value .
Bob sends the ciphertext (c1, ..., cn).
Alice receives (c1, ..., cn). She can recover m using the following procedure:
- For each i, using the prime factorization (p, q), Alice determines whether the value ci is a quadratic residue; if so, mi = 0, otherwise mi = 1.
Alice outputs the message m = (m1, ..., mn).
There is a simple reduction from breaking this cryptosystem to the problem of determining whether a random value modulo N with Jacobi symbol +1 is a quadratic residue. If an algorithm A breaks the cryptosystem, then to determine if a given value x is a quadratic residue modulo N, we test A to see if it can break the cryptosystem using (x,N) as a public key. If x is a non-residue, then A should work properly. However, if x is a residue, then every "ciphertext" will simply be a random quadratic residue, so A cannot be correct more than half of the time. Furthermore, this problem is random self-reducible, which ensures that for a given N, every public key is just as secure as every other public key.
The GM cryptosystem has homomorphic properties, in the sense that if c0, c1 are the encryptions of bits m0, m1, then c0c1 mod N will be an encryption of . For this reason, the GM cryptosystem is sometimes used in more complex cryptographic primitives.
- S. Goldwasser, S. Micali (1982). "Probabilistic encryption and how to play mental poker keeping secret all partial information". Proc. 14th Symposium on Theory of Computing: 365–377. doi:10.1145/800070.802212.
- S. Goldwasser, S. Micali (1984). "Probabilistic encryption". Journal of Computer and System Sciences. 28 (2): 270–299. doi:10.1016/0022-0000(84)90070-9.