Performance Analysis of Goldwasser-Micali Cryptosystem


ISSN (Print): 2319-5940, ISSN (Online): 2278-1021
International Journal of Advanced Research in Computer and Communication Engineering, Vol. 2, Issue 7, July 2013
Copyright to IJARCCE, www.ijarcce.com

Shruthi R¹, Sumana P², Anjan K Koundinya³
Department of Computer Science and Engineering, R.V. College of Engineering, Bangalore

Abstract: Probabilistic encryption is the use of randomness in an encryption algorithm, so that when encrypting the same message several times it will, in general, yield different ciphertexts. To be semantically secure, that is, to hide even partial information about the plaintext, an encryption algorithm must be probabilistic. The Goldwasser–Micali cryptosystem is an asymmetric key encryption algorithm developed by Shafi Goldwasser and Silvio Micali in 1982. Goldwasser-Micali has the distinction of being the first probabilistic public-key encryption scheme which is provably secure under standard cryptographic assumptions. However, it is not an efficient cryptosystem, as ciphertexts may be several hundred times larger than the initial plaintext. The aim of this paper is to outline the key concepts involved in the Goldwasser-Micali encryption algorithm and compare it with RSA. The metrics used for comparison are encryption time, decryption time and size of cipher text with varying plain text sizes, which are the key considerations for choosing an encryption algorithm. The readings will be recorded for drawing inferences.

I. INTRODUCTION

One of the drawbacks to the RSA encryption algorithm as originally defined is that it leaks a single plaintext bit in every ciphertext. This bit is the Jacobi symbol of the plaintext, and is either "1" or "−1". Since $e$ is odd, it is straightforward to see that $J(m/n) = J(m^e/n)$ for all valid RSA plaintexts $m$.

This observation pointed to a problem in public key cryptography in general. It should not be possible for an adversary to so much as even distinguish one encryption from another. This problem can be formulated as an experiment. Let an adversary choose any two different plaintexts $m_1$ and $m_2$, let the encryption algorithm choose one of the messages randomly, encrypt it, give the resulting ciphertext to the adversary, and then let the adversary guess which message was encrypted. In a truly secure public key cryptosystem the adversary should not be able to guess with probability significantly greater than 1/2 which message was encrypted. In RSA, the adversary can choose a message $m_1$ such that $J(m_1/n) = 1$ and another message $m_2$ such that $J(m_2/n) = -1$ and then distinguish correctly every time.

The GM cryptosystem was the first cryptosystem to provably solve this problem. It was presented by Goldwasser and Micali along with a rigorous definition of security known as semantic security and a proof that the GM cryptosystem is semantically secure against plaintext attacks.

The objectives of the paper are to give a detailed explanation of the concepts involved in the Goldwasser-Micali encryption algorithm, to outline the steps involved in encryption and decryption using the Goldwasser-Micali algorithm, and to compare and analyze RSA versus the Goldwasser-Micali algorithm.

The paper is organised as follows. Section II discusses the various concepts such as Homomorphic Cryptosystem, Quadratic Residues and Jacobi symbols. Section III outlines the pseudocode of the Goldwasser-Micali encryption and decryption algorithm. Section IV describes the details of the implementation, which includes hardware and software requirements of the test machine, programming languages and libraries used. Section V deals with the results and analysis, which explains the details of the comparisons that were done between RSA and the Goldwasser-Micali algorithm. Section VII is the Conclusion, which gives the outcome of the work carried out and future enhancements.

II. CONCEPTS IN GM

A. XOR Homomorphism

The system is homomorphic in that multiplying ciphertexts is equivalent to XORing plaintexts. Note the following congruences:

$$E_{GM}(b_1, r_1; g, N) \cdot E_{GM}(b_2, r_2; g, N) \equiv g^{b_1 + b_2} (r_1 r_2)^2 \pmod{N} \equiv E_{GM}(b_1 \oplus b_2, r_1 r_2; g, N) \pmod{N}$$

where $b_1$ and $b_2$ are the bits of the input and $r_1$ and $r_2$ are the random blinding factors.

The last equality holds because only the least bit of $b_1 + b_2$ matters in determining quadratic residuosity, and $\oplus$ is equivalent to modulo 2 addition [3].

B. Quadratic Residue

A number is a quadratic residue modulo an odd prime $p$ if it is the square of some number modulo $p$.

The Legendre symbol is defined as

$$\left(\frac{x}{p}\right) = \begin{cases} 0 & \text{if } x \equiv 0 \pmod{p} \\ 1 & \text{if } x \text{ is a quadratic residue modulo } p \\ -1 & \text{if } x \text{ is a quadratic non-residue modulo } p \end{cases}$$

By Euler's criterion, we compute $\left(\frac{x}{p}\right) = x^{\frac{p-1}{2}} \pmod{p}$.

In the case of a composite modulus, the Jacobi symbol is used instead of the Legendre symbol [3].

C. Jacobi Symbol

For $N = pq$, where $p$ and $q$ are odd primes, the Jacobi symbol is

$$\left(\frac{x}{N}\right) = \begin{cases} 0 & \text{if } \gcd(x, N) > 1 \\ 1 & \text{if } \left(\frac{x}{p}\right) = \left(\frac{x}{q}\right) \\ -1 & \text{if } \left(\frac{x}{p}\right) = -\left(\frac{x}{q}\right) \end{cases}$$

Lemma: $x$ is a quadratic residue modulo $N$ if $\left(\frac{x}{p}\right) = \left(\frac{x}{q}\right) = 1$. If $x$ is a quadratic residue modulo $N^2$ then it is a quadratic residue modulo $N$.

Proof: If $x \in QR(N)$ then $x = y^2 + kN = y^2 + kpq$ for some $y, k$, so $x \equiv y^2 \pmod{p}$ and $x \bmod p \in QR(p)$. The same holds for $q$, so $\left(\frac{x}{p}\right) = \left(\frac{x}{q}\right) = 1$. Given $x$ such that $\left(\frac{x}{p}\right) = \left(\frac{x}{q}\right) = 1$, we know that there exist $a$ and $b$ such that $a^2 \equiv x \pmod{p}$ and $b^2 \equiv x \pmod{q}$. By the Chinese Remainder Theorem, there exists a $y$ such that $y \equiv a \pmod{p}$ and $y \equiv b \pmod{q}$. Since $y^2 \equiv x \pmod{p}$ and $y^2 \equiv x \pmod{q}$, we know that $y^2 \equiv x \pmod{N}$, and therefore $x \in QR(N)$. If $x \in QR(N^2)$ then $x = y^2 + kN^2$ for some $y, k$, so $x \bmod N \in QR(N)$ [3].

III. GM Algorithm

A. Key generation for Goldwasser-Micali probabilistic encryption

Each entity creates a public key and corresponding private key. Each entity A should do the following [4]:

1. Select two large random and distinct primes $p$ and $q$, each roughly the same size.
2. Compute $n = pq$.
3. Select $y \in Z_n$ such that $y$ is a quadratic non-residue modulo $n$ and the Jacobi symbol $\left(\frac{y}{n}\right) = 1$ ($y$ is a pseudosquare modulo $n$).
4. A's public key is $(n, y)$ and A's private key is the pair $(p, q)$.

B. Goldwasser-Micali probabilistic public-key encryption

B encrypts a message $m$ for A, which A decrypts [4].

1. Encryption: B should do the following:
   (a) Obtain A's authentic public key $(n, y)$.
   (b) Represent the message $m$ as a binary string $m = m_1 m_2 \ldots m_t$ of length $t$.
   (c) For $i$ from 1 to $t$ do:
       i. Pick an $x \in Z_n^*$ at random.
       ii. If $m_i = 1$ then set $c_i \leftarrow y x^2 \bmod n$, otherwise set $c_i \leftarrow x^2 \bmod n$.
   (d) Send the $t$-tuple $c = (c_1, c_2, \ldots, c_t)$ to A.
2. Decryption: To recover plaintext $m$ from $c$, A should do the following:
   (a) For $i$ from 1 to $t$ do:
       i. Compute the Legendre symbol $e_i = \left(\frac{c_i}{p}\right)$.
       ii. If $e_i = 1$ then set $m_i \leftarrow 0$; otherwise set $m_i \leftarrow 1$.
   (b) The decrypted message is $m = m_1 m_2 \ldots m_t$ [4].

C. Proof that Decryption works

If a message bit $m_i$ is 0, then $c_i = x^2 \bmod n$ is a quadratic residue modulo $n$. If a message bit $m_i$ is 1, then since $y$ is a pseudosquare modulo $n$, $c_i = y x^2 \bmod n$ is also a pseudosquare modulo $n$. $c_i$ is a quadratic residue modulo $n$ if and only if $c_i$ is a quadratic residue modulo $p$, or equivalently $\left(\frac{c_i}{p}\right) = 1$. Since A knows $p$, she can compute this Legendre symbol and hence recover the message bit $m_i$ [4].

D. Security of Goldwasser-Micali probabilistic Encryption

There is a simple reduction from breaking this cryptosystem to the problem of determining whether a random value modulo $N$ with Jacobi symbol +1 is a quadratic residue. If an algorithm A breaks the cryptosystem, then to determine if a given value $x$ is a quadratic residue modulo $N$, we test A to see if it can break the cryptosystem using $(x, N)$ as a public key. If $x$ is a non-residue, then A should work properly. However, if $x$ is a residue, then every "ciphertext" will simply be a random quadratic residue, so A cannot be correct more than half of the time. Furthermore, this problem is random self-reducible, which ensures that for a given $N$, every public key is just as secure as every other public key.

The GM cryptosystem has homomorphic properties, in the sense that if $c_0$, $c_1$ are the encryptions of bits $m_0$, $m_1$, then $c_0 c_1 \bmod N$ will be an encryption of $m_0 \oplus m_1$. For this reason, the GM cryptosystem is sometimes used in more complex cryptographic primitives. Since $x$ is selected at random from $Z_n^*$, $x^2 \bmod n$ is a random quadratic residue modulo $n$, and $y x^2$

of Goldwasser-Micali cryptosystem. The parameters considered to evaluate the performance are plaintext size versus ciphertext size, encryption time, decryption time and time to generate Jacobi symbols.

A. Encryption Time

The graph of time taken for encryption against size of plaintext in bytes has been plotted as shown in figure 1.
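The distinguishing experiment from the Introduction, as an added example that is not code from the paper: it computes the Jacobi symbol from the public modulus alone, shows that unpadded RSA carries it from plaintext to ciphertext, and shows that the same test sees +1 for both bit values under GM. The tiny primes, the exponent and all function names are constructed assumptions.

```python
def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed without factoring n."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:              # pull out factors of two
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                    # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

# Constructed textbook-RSA key (assumption: tiny primes, no padding).
P, Q, E = 1009, 1013, 5
N = P * Q

def rsa_encrypt(m):
    return pow(m, E, N)

def find_pair():
    """Adversary's choice: one plaintext with J = 1 and one with J = -1."""
    m1 = next(m for m in range(2, N) if jacobi(m, N) == 1)
    m2 = next(m for m in range(2, N) if jacobi(m, N) == -1)
    return m1, m2

def distinguish(m1, m2, challenge):
    """Guess which of m1, m2 was encrypted using only N and the ciphertext."""
    return m1 if jacobi(challenge, N) == jacobi(m1, N) else m2

# GM public value for the same modulus: a non-residue mod P and mod Q.
# jacobi(v, P) is the Legendre symbol here because P is prime.
Y = next(v for v in range(2, N) if jacobi(v, P) == -1 and jacobi(v, Q) == -1)

def gm_encrypt(bit, x):
    """One GM ciphertext for a caller-supplied x in Z_N^* (fixed for the demo)."""
    return pow(Y, bit, N) * x * x % N
```

Because every GM ciphertext has Jacobi symbol +1 whichever bit it hides, the symbol that identifies the RSA plaintext tells this adversary nothing about the GM one.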
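The key generation, encryption and decryption steps of Section III, together with the XOR homomorphism of Section II.A and the ciphertext expansion noted in the abstract, as an added example that is not the authors' implementation. The two Mersenne primes are constructed demo values, unequal in size and far too small for real use, and the function names are assumptions.

```python
import secrets
from math import gcd

def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, by Euler's criterion."""
    r = pow(a % p, (p - 1) // 2, p)          # r is 0, 1 or p - 1
    return -1 if r == p - 1 else r

def keygen(p, q):
    """Key generation steps 2-4: n = pq and a pseudosquare y modulo n."""
    n = p * q
    while True:
        y = secrets.randbelow(n - 2) + 2
        # Non-residue mod p and mod q gives Jacobi symbol (y/n) = (-1)(-1) = 1.
        if legendre(y, p) == -1 and legendre(y, q) == -1:
            return (n, y), (p, q)

def rand_unit(n):
    """Uniform x in Z_n^* (rejection sampling on the gcd)."""
    while True:
        x = secrets.randbelow(n - 1) + 1
        if gcd(x, n) == 1:
            return x

def encrypt(pub, bits):
    """c_i = y * x^2 mod n if m_i = 1, else x^2 mod n; fresh x for every bit."""
    n, y = pub
    return [pow(y, b, n) * pow(rand_unit(n), 2, n) % n for b in bits]

def decrypt(priv, cipher):
    """m_i = 0 if the Legendre symbol (c_i/p) is 1, otherwise 1."""
    return [0 if legendre(c, priv[0]) == 1 else 1 for c in cipher]

def xor_ciphertexts(pub, c1, c2):
    """Component-wise product mod n: an encryption of the XOR of the plaintexts."""
    return [a * b % pub[0] for a, b in zip(c1, c2)]

def expansion(pub):
    """Ciphertext bytes produced per plaintext byte (eight residues mod n)."""
    return 8 * ((pub[0].bit_length() + 7) // 8)

def to_bits(data):
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]

# Constructed demo primes (Mersenne primes, an assumption; not a secure size).
P, Q = 2**61 - 1, 2**89 - 1
```

With this 150-bit modulus each plaintext byte becomes 152 ciphertext bytes; the factor grows linearly with the byte length of n.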
