Encryption Schemes
Theorem 5.3.15: If there exist collections of (non-uniformly hard) trapdoor permutations, then there exist secure public-key encryption schemes.
5.3.4.2. An Alternative Scheme
An alternative construction of a public-key encryption scheme is presented in Construction 5.3.18. Rather than encrypting each plaintext bit (or block of bits) by an independently selected element in the domain of the trapdoor permutation (as done in Construction 5.3.13), we select only one such element (for the entire plaintext) and generate from it additional bits, one per each bit of the plaintext. These additional bits are determined by successive applications of the trapdoor permutation, and only the last result is included in the ciphertext. In a sense, the construction of this encryption scheme augments the construction of a pseudorandom generator based on one-way permutations (i.e., Construction 3.4.4).
Construction 5.3.18 (a public-key encryption scheme): Let $\{p_\alpha\}$, $I$, $S$, $F$, $B$, and $b$ be as in Construction 5.3.13. We use the notation $p_\alpha^{i+1}(x) = p_\alpha(p_\alpha^{i}(x))$ and $p_\alpha^{-(i+1)}(x) = p_\alpha^{-1}(p_\alpha^{-i}(x))$.
Key-generation: The key-generation algorithm consists of selecting at random a permutation $p_\alpha$ together with a trapdoor, exactly as in Construction 5.3.13. That is, $G(1^n) = I(1^n)$, which means that the index-trapdoor pair generated by $I$ is associated with the key-pair of $G$.
Encryption: To encrypt a string $\sigma$, using the encryption-key $\alpha$, the encryption algorithm randomly selects an element $r$ in the domain of $p_\alpha$ and produces the ciphertext $(p_\alpha^{|\sigma|}(r),\ \sigma \oplus G_\alpha^{(|\sigma|)}(r))$, where

$$G_\alpha^{(\ell)}(r) \stackrel{\text{def}}{=} b(r)\cdot b(p_\alpha(r)) \cdots b(p_\alpha^{\ell-1}(r)) \qquad (5.10)$$

That is, $E_\alpha(\sigma) = (p_\alpha^{|\sigma|}(S(\alpha)),\ \sigma \oplus G_\alpha^{(|\sigma|)}(S(\alpha)))$.
Decryption: To decrypt the ciphertext $(y, \varsigma)$, using the decryption-key $\tau$, the decryption algorithm just computes $\varsigma \oplus G_\alpha^{(|\varsigma|)}(p_\alpha^{-|\varsigma|}(y))$, where the inverse is computed using the trapdoor $\tau$ of $p_\alpha$. That is, $D_\tau(y, \varsigma) = \varsigma \oplus G_\alpha^{(|\varsigma|)}(p_\alpha^{-|\varsigma|}(y))$.
We stress that this encryption scheme is a full-fledged one (rather than a block-cipher). Its bandwidth tends to 1 with the length of the plaintext; that is, a plaintext of length $\ell = \mathrm{poly}(n)$ is encrypted via a ciphertext of length $m + \ell$, where $m$ denotes the length of the description of individual elements in the domain of $p_\alpha$. Clearly, for every possible $(\alpha, \tau)$ output of $G$ (and $r \leftarrow S(\alpha)$), it holds that

$$\begin{aligned}
D_\tau(E_\alpha(\sigma)) &= D_\tau\big(p_\alpha^{|\sigma|}(r),\ \sigma \oplus G_\alpha^{(|\sigma|)}(r)\big) \\
&= \big(\sigma \oplus G_\alpha^{(|\sigma|)}(r)\big) \oplus G_\alpha^{(|\sigma|)}\Big(p_\alpha^{-|\sigma \oplus G_\alpha^{(|\sigma|)}(r)|}\big(p_\alpha^{|\sigma|}(r)\big)\Big) \\
&= \sigma \oplus G_\alpha^{(|\sigma|)}(r) \oplus G_\alpha^{(|\sigma|)}(r) = \sigma
\end{aligned}$$
5.3 CONSTRUCTIONS OF SECURE ENCRYPTION SCHEMES
The security of this public-key encryption scheme follows from the (non-uniform) one-way feature of the collection $\{p_\alpha\}$, but here we restrict the sampling algorithm $S$ to produce an almost uniform distribution over the domain (so that this distribution is preserved under successive applications of $p_\alpha$).
Proposition 5.3.19: Suppose that $b$ is a (non-uniformly strong) hard-core of the trapdoor collection $\{p_\alpha\}$. Furthermore, suppose that this trapdoor collection utilizes a domain sampling algorithm $S$ so that the statistical difference between $S(\alpha)$ and the uniform distribution over the domain of $p_\alpha$ is negligible in terms of $|\alpha|$. Then Construction 5.3.18 constitutes a secure public-key encryption scheme.
Proof: Again, we prove single-message ciphertext-indistinguishability. It suffices to show that for every $\sigma$, the distributions $(\alpha,\ p_\alpha^{|\sigma|}(S(\alpha)),\ \sigma \oplus G_\alpha^{(|\sigma|)}(S(\alpha)))$ and $(\alpha,\ p_\alpha^{|\sigma|}(S(\alpha)),\ \sigma \oplus s)$ are indistinguishable, where $s \in \{0,1\}^{|\sigma|}$ is uniformly distributed, independently of anything else. The latter claim holds by a minor extension to Proposition 3.4.6: This proposition refers to the case where $S(\alpha)$ is uniform over the domain of $p_\alpha$, but can be extended to the case in which there is a negligible statistical difference between the distributions.
Details: We need to prove that for every polynomial $\ell$ and every sequence of pairs $(\sigma_n, \sigma'_n) \in \{0,1\}^{\ell(n)} \times \{0,1\}^{\ell(n)}$, the distributions $D_n \stackrel{\text{def}}{=} (\alpha,\ p_\alpha^{\ell(n)}(S(\alpha)),\ \sigma_n \oplus G_\alpha^{(\ell(n))}(S(\alpha)))$ and $D'_n \stackrel{\text{def}}{=} (\alpha,\ p_\alpha^{\ell(n)}(S(\alpha)),\ \sigma'_n \oplus G_\alpha^{(\ell(n))}(S(\alpha)))$ are indistinguishable, where $\alpha \leftarrow I_1(1^n)$. We prove this in two steps:

1. We first prove that for every sequence of $\sigma_n$'s, the distributions $D_n \stackrel{\text{def}}{=} (\alpha,\ p_\alpha^{\ell(n)}(S(\alpha)),\ \sigma_n \oplus G_\alpha^{(\ell(n))}(S(\alpha)))$ and $R_n \stackrel{\text{def}}{=} (\alpha,\ p_\alpha^{\ell(n)}(S(\alpha)),\ \sigma_n \oplus U_{\ell(n)})$ are indistinguishable, where $U_{\ell(n)}$ denotes a random variable uniformly distributed over $\{0,1\}^{\ell(n)}$ and $\alpha \leftarrow I_1(1^n)$.

   Suppose first that $S(\alpha)$ is uniform over the domain of $p_\alpha$. Then the indistinguishability of $\{D_n\}_{n \in \mathbb{N}}$ and $\{R_n\}_{n \in \mathbb{N}}$ follows directly from Proposition 3.4.6 (as adapted to circuits): The adapted form refers to the indistinguishability of $(\alpha,\ p_\alpha^{\ell(n)}(S(\alpha)),\ G_\alpha^{(\ell(n))}(S(\alpha)))$ and $(\alpha,\ p_\alpha^{\ell(n)}(S(\alpha)),\ U_{\ell(n)})$, and yields the desired claim by noting that $\sigma_n$ can be incorporated in the prospective distinguisher.

   The extension (to the case that $S(\alpha)$ has negligible statistical difference to the uniform distribution over the domain of $p_\alpha$) is straightforward.

2. Applying the previous item to $D'_n$ and $R'_n \stackrel{\text{def}}{=} (\alpha,\ p_\alpha^{\ell(n)}(S(\alpha)),\ \sigma'_n \oplus U_{\ell(n)})$, we conclude that $\{D'_n\}_{n \in \mathbb{N}}$ and $\{R'_n\}_{n \in \mathbb{N}}$ are indistinguishable. Similarly, $\{D_n\}_{n \in \mathbb{N}}$ and $\{R_n\}_{n \in \mathbb{N}}$, where $R_n \stackrel{\text{def}}{=} (\alpha,\ p_\alpha^{\ell(n)}(S(\alpha)),\ \sigma_n \oplus U_{\ell(n)})$, are indistinguishable. Furthermore, $\{R_n\}_{n \in \mathbb{N}}$ and $\{R'_n\}_{n \in \mathbb{N}}$ are identically distributed. Thus, $\{D_n\}_{n \in \mathbb{N}}$ and $\{D'_n\}_{n \in \mathbb{N}}$ are indistinguishable.

The proposition follows.
An instantiation. Assuming that factoring Blum Integers (i.e., products of two primes each congruent to 3 (mod 4)) is hard, one may use the modular squaring function (which induces a permutation over the quadratic residues modulo the product of these integers) in the role of the trapdoor permutation used in Construction 5.3.18. This yields a secure public-key encryption scheme with efficiency comparable to that of plain RSA (see further discussion later in this section).
Construction 5.3.20 (the Blum-Goldwasser Public-Key Encryption Scheme): Consult Appendix A in Volume 1 for the relevant number-theoretic background, and note that for $P \equiv 3 \pmod 4$ the number $(P+1)/4$ is an integer. For simplicity, we present a block-cipher with arbitrary block-length $\ell(n) \le \mathrm{poly}(n)$; a full-fledged encryption scheme can be derived by an easy modification (see Exercise 27).
Key-generation: The key-generation algorithm consists of selecting at random two n-bit primes, P and Q, each congruent to 3 mod 4, and outputting the pair (N , (P, Q)), where N = P · Q.
Actually, for the sake of efficiency, the key-generator also computes

$$\begin{aligned}
d_P &= ((P+1)/4)^{\ell(n)} \bmod (P-1) &&\text{(in } \{0, \ldots, P-2\}) \\
d_Q &= ((Q+1)/4)^{\ell(n)} \bmod (Q-1) &&\text{(in } \{0, \ldots, Q-2\}) \\
c_P &= Q \cdot (Q^{-1} \bmod P) &&\text{(in } \{0, \ldots, N-Q\}) \\
c_Q &= P \cdot (P^{-1} \bmod Q) &&\text{(in } \{0, \ldots, N-P\})
\end{aligned}$$

It outputs the pair $(N, T)$, where $N$ serves as the encryption-key and $T = (P, Q, N, c_P, d_P, c_Q, d_Q)$ serves as the decryption-key.
Encryption: To encrypt the message $\sigma \in \{0,1\}^{\ell(n)}$, using the encryption-key $N$:

1. Uniformly select $s_0 \in \{1, \ldots, N\}$.
   (Note that if $\gcd(s_0, N) = 1$, then $s_0^2 \bmod N$ is a uniformly distributed quadratic residue modulo $N$.)
2. For $i = 1, \ldots, \ell(n)+1$, compute $s_i \leftarrow s_{i-1}^2 \bmod N$ and $b_i = \mathrm{lsb}(s_i)$, where $\mathrm{lsb}(s)$ is the least-significant bit of $s$.

The ciphertext is $(s_{\ell(n)+1}, \varsigma)$, where $\varsigma = \sigma \oplus b_1 b_2 \cdots b_{\ell(n)}$.
Decryption: To decrypt the ciphertext $(r, \varsigma)$ using the decryption-key $T = (P, Q, N, c_P, d_P, c_Q, d_Q)$, one first retrieves $s_1$ and then computes the $b_i$'s as in the Encryption procedure. Instead of successively extracting modular square roots $\ell(n)$ times, we extract the $2^{\ell(n)}$-th root, which can be done as efficiently as extracting a single square root. Extracting the $2^{\ell(n)}$-th root modulo $N$ is done by extracting the corresponding root modulo $P$ and modulo $Q$ (by raising to the power $d_P$ modulo $P$ and $d_Q$ modulo $Q$, respectively) and combining the results via the Chinese Remainder Theorem:

1. Let $s' \leftarrow r^{d_P} \bmod P$, and $s'' \leftarrow r^{d_Q} \bmod Q$.
2. Let $s_1 \leftarrow c_P \cdot s' + c_Q \cdot s'' \bmod N$.
3. For $i = 1, \ldots, \ell(n)$, compute $b_i = \mathrm{lsb}(s_i)$ and $s_{i+1} \leftarrow s_i^2 \bmod N$.

The plaintext is $\varsigma \oplus b_1 b_2 \cdots b_{\ell(n)}$.
Again, one can easily verify that this construction constitutes an encryption scheme: The main fact to verify is that the value of $s_1$ as reconstructed in the decryption stage equals the value used in the encryption stage. This follows by combining the Chinese Remainder Theorem with the fact that for every quadratic residue $s \bmod N$, it holds that $s \equiv (s^{2^{\ell(n)}} \bmod N)^{d_P} \pmod P$ and $s \equiv (s^{2^{\ell(n)}} \bmod N)^{d_Q} \pmod Q$.
Details: Recall that for a prime $P \equiv 3 \pmod 4$, and every quadratic residue $r$, we have $r^{(P+1)/2} \equiv r \pmod P$. Thus, for every quadratic residue $s$ (modulo $N$) and every $\ell$, we have

$$\begin{aligned}
(s^{2^\ell} \bmod N)^{d_P} &\equiv (s^{2^\ell} \bmod N)^{((P+1)/4)^\ell} \pmod P \\
&\equiv s^{((P+1)/2)^\ell} \pmod P \\
&\equiv s \pmod P
\end{aligned}$$

Similarly, $(s^{2^\ell} \bmod N)^{d_Q} \equiv s \pmod Q$. Finally, observing that $c_P$ and $c_Q$ are as in the Chinese Remainder Theorem, we conclude that $s_1$ as recovered in Step 2 of the decryption process equals $s_1$ as first computed in Step 2 of the encryption process.
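The following is an added example, not code from the book: a small-parameter Python implementation of Construction 5.3.20 that also serves as a concrete instance of Construction 5.3.18, with modular squaring as $p_\alpha$ and $\mathrm{lsb}$ as the hard-core $b$ (so `bits_from_seed` computes $G_\alpha^{(\ell)}$). It implements the $2^{\ell}$-th root extraction via $d_P$, $d_Q$ and the CRT coefficients $c_P$, $c_Q$ exactly as in the decryption procedure, and `root_identity_holds` checks the identity $(s^{2^\ell} \bmod N)^{d_P} \equiv s \pmod P$ from the Details paragraph. The primes passed to `keygen` are constructed toy values chosen for readability; a real key needs large $n$-bit primes sampled at random, and the function names are this example's own.

```python
# Added example (not from the book): Blum-Goldwasser, Construction 5.3.20,
# with toy-sized parameters. Messages are lists of bits of length ell.
import secrets


def keygen(P, Q, ell):
    """Key generation for block-length ell.

    P and Q are assumed to be primes congruent to 3 mod 4; toy values are
    passed in here instead of being sampled at random as in the book.
    Returns (N, T) with N the encryption-key and T the decryption-key.
    """
    assert P % 4 == 3 and Q % 4 == 3
    N = P * Q
    # d_P = ((P+1)/4)^ell mod (P-1): one exponentiation extracts a 2^ell-th root mod P
    dP = pow((P + 1) // 4, ell, P - 1)
    dQ = pow((Q + 1) // 4, ell, Q - 1)
    # CRT coefficients: c_P = 1 (mod P), 0 (mod Q); c_Q = 0 (mod P), 1 (mod Q)
    cP = Q * pow(Q, -1, P)
    cQ = P * pow(P, -1, Q)
    return N, (P, Q, N, cP, dP, cQ, dQ)


def bits_from_seed(s1, N, ell):
    """G^{(ell)} for modular squaring: returns ([lsb(s_1), ..., lsb(s_ell)], s_{ell+1})."""
    bits = []
    s = s1
    for _ in range(ell):
        bits.append(s & 1)      # b_i = lsb(s_i)
        s = s * s % N           # s_{i+1} = s_i^2 mod N
    return bits, s


def encrypt(N, sigma, ell, s0=None):
    """Encrypt the bit-list sigma; returns the ciphertext (s_{ell+1}, varsigma)."""
    assert len(sigma) == ell
    if s0 is None:
        # The book draws s_0 uniformly from {1, ..., N}; we skip s_0 = N,
        # which would give the degenerate seed s_1 = 0.
        s0 = secrets.randbelow(N - 1) + 1
    s1 = s0 * s0 % N
    pad, s_last = bits_from_seed(s1, N, ell)
    return s_last, [a ^ b for a, b in zip(sigma, pad)]


def decrypt(T, ciphertext, ell):
    """Recover s_1 from s_{ell+1} = r via the 2^ell-th root, then strip the pad."""
    P, Q, N, cP, dP, cQ, dQ = T
    r, varsigma = ciphertext
    s_p = pow(r, dP, P)                 # s'  = r^{d_P} mod P
    s_q = pow(r, dQ, Q)                 # s'' = r^{d_Q} mod Q
    s1 = (cP * s_p + cQ * s_q) % N      # CRT recombination
    pad, _ = bits_from_seed(s1, N, ell)
    return [a ^ b for a, b in zip(varsigma, pad)]


def root_identity_holds(T, s, ell):
    """Check (s^{2^ell} mod N)^{d_P} = s (mod P) and likewise mod Q, for a QR s."""
    P, Q, N, cP, dP, cQ, dQ = T
    r = pow(s, 2 ** ell, N)
    return pow(r, dP, P) == s % P and pow(r, dQ, Q) == s % Q


if __name__ == "__main__":
    ell = 8
    N, T = keygen(19, 23, ell)          # constructed toy primes, N = 437
    msg = [1, 0, 1, 1, 0, 0, 1, 0]
    ct = encrypt(N, msg, ell)
    print("ciphertext:", ct)
    print("round trip ok:", decrypt(T, ct, ell) == msg)
```

With the toy key $(P, Q) = (19, 23)$ and $\ell = 8$, key generation yields $d_P = 7$ and $d_Q = 4$, and the seed $s_0 = 5$ produces the pad $b_1 \cdots b_8 = 10011100$ and $s_9 = 422$; decryption recovers $s_1 = 25$ from $422$ with just two modular exponentiations rather than eight square-root extractions, which is the efficiency point of Step 1 of the decryption procedure.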
Encryption amounts to $\ell(n)+1$ modular multiplications, whereas decryption amounts to $\ell(n)+2$ such multiplications and 2 modular exponentiations (relative to half-sized moduli). Counting modular exponentiations with respect to $n$-bit moduli as $O(n)$ (i.e., at least $n$, typically $1.5n$, and at most $2n$) modular multiplications (with respect to $n$-bit moduli), we conclude that the entire encryption-decryption process requires work comparable to $2\ell(n) + 3n$ modular multiplications. For comparison to (Randomized) RSA, note that encrypting/decrypting $\ell(n)$-bit messages (in Randomized RSA) amounts to $\ell(n)/n$ modular exponentiations, and so the total work is comparable to $2 \cdot (\ell(n)/n) \cdot 1.5n = 3\ell(n)$ modular multiplications (for a general exponent $e$, or $(\ell(n)/n) \cdot (2 + 1.5n) \approx 1.5\ell(n)$ modular multiplications in case $e = 3$).
The security of the Blum-Goldwasser scheme (i.e., Construction 5.3.20) follows immediately from Proposition 5.3.19 and the fact that the least-significant bit (i.e., lsb) is a hard-core for the modular squaring function. Recalling that inverting the latter is computationally equivalent to factoring, we get:
Corollary 5.3.21: Suppose that factoring is infeasible in the sense that for every