A New Generalisation of the Goldwasser-Micali Cryptosystem Based on the Gap \(2^k\)-Residuosity Assumption

Abstract

We present a novel public key encryption scheme that enables users to exchange many bits messages by means of at least two large prime numbers in a Goldwasser-Micali manner. Our cryptosystem is in fact a generalization of the Joye-Libert scheme (being itself an abstraction of the first probabilistic encryption scheme). We prove the security of the proposed cryptosystem in the standard model (based on the gap \(2^k\)-residuosity assumption) and report complexity related facts. We also describe an application of our scheme to biometric authentication and discuss the security of our suggested protocol. Last but not least, we indicate several promising research directions.

A Optimized Decryption Algorithms

In [12], the authors provide the reader with different versions of the decryption algorithm corresponding to the Joye-Libert cryptosystem. We present slightly modified versions of [12, Algorithm 3 and 4] in Algorithms 2 and 3. The authors also propose two other optimizations [12, Algorithm 5 and 6], but their complexity is similar with Algorithm 3 and 4’s complexity. Note that these optimizations contain a typo: in line 5, Algorithm 5 and line 6, Algorithm 6 we should have \(A^{k-j} \ne C[k-j] \bmod p\) instead of \(A \ne C[k-j] \bmod p\).

For these algorithms to work we need to enhance the Setup algorithm of our proposed cryptosystem. More precisely, we generate the \(\gamma +1\) prime numbers \(p_i\) with the supplementary restriction \(p_i \not \equiv 1 \bmod 2^{k+1}\). For \(0 \le i < \gamma \), let \(p'_i = (p_i-1)/2^k\). We precompute \(D_i = y_i^{-p'_i}\) for Algorithm 2 and \(D_i[j] = D_i^{2^{j-1}} \bmod p_i\), \(1 \le j \le k-1\), for Algorithm 3 and augment the private key with these values. Remark that Algorithm 3 requires more memory than Algorithm 2.

Correctness. Let \(m_i = \sum _{w=0}^{k-1} b_w 2^w\) be the binary expansion of block \(m_i\). We define \(\alpha _i[s] = 2^{k-s} p'_i\). Note that

$$\begin{aligned} c^{\alpha _i[s]}&\equiv (x^{2^k} \cdot \prod _{v=1}^\gamma y_v^{m_v})^{\alpha _i[s]} \\&\equiv y_i^{\alpha _i[s]\sum _{w=0}^{s-1} b_w 2^w} \\&\equiv y_i^{b_{s-1}2^{k-1}p'_i} y^{\alpha _i[s] \sum _{w=0}^{s-2} b_w 2^w} \\&\equiv (-1)^{b_{s-1}} y^{\alpha _i[s] \sum _{w=0}^{s-2} b_w 2^w} \bmod p_i \end{aligned}$$

since

1. 1.

   \((x^{2^k})^{\alpha _i[s]} = x^{2^{k-s}(p_i-1)} = 1\)

2. 2.

   \(\displaystyle \displaystyle \genfrac(){}{}{y_j}{p_i}_{\!2^{k}} = 1\), where \(j\ne i\)

3. 3.

   \(\sum _{w=0}^{k-1} b_w 2^w = \left( \sum _{w=0}^{s-1} b_w 2^w \right) + 2^s \cdot \left( \sum _{w=s}^{k-1} b_w 2^{w-s}\right) \)

4. 4.

   \(\displaystyle \genfrac(){}{}{y_i}{p_i}_{\!} = -1\)

As a result, the message block \(m_i\) can be recovered bit by bit using the values \(p_i\), \(p'_i\) and the vector \(D_i\).

Table 5. Average running times for Algorithm 2.

Implementation Details. The complexities of Algorithms 2 and 3 are \(\mathcal {O}(\gamma (\lambda + \frac{k^2}{2} + \frac{3k}{2}) M(\lambda ) \lceil \displaystyle \frac{\eta }{\gamma k} \rceil )\) and \(\mathcal {O}(\gamma (\lambda + \frac{k^2}{2} + \frac{k}{2}) M(\lambda ) \lceil \displaystyle \frac{\eta }{\gamma k} \rceil )\).

We further provide the reader with benchmarks for the optimized versions of our PKE scheme (Tables 5 and 6).

Table 6. Average running times for Algorithm 3.