Okamoto–Uchiyama cryptosystem – Wikipedia

The Okamoto–Uchiyama cryptosystem is a public key cryptosystem proposed in 1998 by Tatsuaki Okamoto and Shigenori Uchiyama. The system works in the multiplicative group of integers modulo n,

(Z/nZ)∗{displaystyle (mathbb {Z} /nmathbb {Z} )^{*}}

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/3474fa64b500c904b79e71e96883f0d591a9727a" aria-hidden="true" alt="({mathbb {Z}}/n{mathbb {Z}})^{*}" width="3668.9" height="1223.9">$ , where n is of the form p²q and p and q are large primes.

Table of Contents

Operation[edit]

Like many public key cryptosystems, this scheme works in the group

(Z/nZ)∗{displaystyle (mathbb {Z} /nmathbb {Z} )^{*}}

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/3474fa64b500c904b79e71e96883f0d591a9727a" aria-hidden="true" alt="({mathbb {Z}}/n{mathbb {Z}})^{*}" width="3668.9" height="1223.9">$ . This scheme is homomorphic and hence malleable.

Key generation[edit]

A public/private key pair is generated as follows:

Generate two large primes $p{displaystyle p} <img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/81eac1e205430d1f40810df36a0edffdc367af36" aria-hidden="true" alt="p" width="542" height="865.1">$ and $q{displaystyle q} <img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/06809d64fa7c817ffc7e323f85997f783dbdf71d" aria-hidden="true" alt="q" width="460.5" height="865.1">$ .
Compute $n=p2q{displaystyle n=p^{2}q} <img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/c3d90bd9a7622ba169c142a5171f58b9e2a83282" aria-hidden="true" alt="{displaystyle n=p^{2}q}" width="3352.5" height="1295.7">$ .
Choose a random integer $g∈{2…n−1}{displaystyle gin {2dots n-1}} <img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/67cdd41e46be5f43488e3cff76013d390a120cde" aria-hidden="true" alt="{displaystyle gin {2dots n-1}}" width="7034.8" height="1223.9">$ such that $gp−1≢1modp2{displaystyle g^{p-1}not equiv 1mod p^{2}} <img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/c817d8670743e8373dbb46ccbfd9065518c11614" aria-hidden="true" alt="{displaystyle g^{p-1}not equiv 1mod p^{2}}" width="8191.5" height="1367.4">$ .
Compute $h=gnmodn{displaystyle h=g^{n}{bmod {n}}} <img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/d5355281daa048d2dd27eff697b8769229c7c592" aria-hidden="true" alt="{displaystyle h=g^{n}{bmod {n}}}" width="5963.2" height="1152.1">$ .

The public key is then

(n,g,h){displaystyle (n,g,h)}

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/ef45dffd9dc705f0f12b66b58c9ce9d570a38dea" aria-hidden="true" alt="{displaystyle (n,g,h)}" width="3326.8" height="1223.9">$ and the private key is

(p,q){displaystyle (p,q)}

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/9769c58523b9b639866a2d48e657d9c26911143a" aria-hidden="true" alt="(p,q)" width="2188.2" height="1223.9">$ .

Encryption[edit]

A message

m<p{displaystyle m

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/11029ce963f8b42eec561b13da6c2d5114e67ae7" aria-hidden="true" alt="{displaystyle m<p}" width="2716.1" height="936.9">$ can be encrypted with the public key

(n,g,h){displaystyle (n,g,h)}

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/ef45dffd9dc705f0f12b66b58c9ce9d570a38dea" aria-hidden="true" alt="{displaystyle (n,g,h)}" width="3326.8" height="1223.9">$ as follows.

Choose a random integer $r∈{1…n−1}{displaystyle rin {1dots n-1}} <img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/4f1c2c644d56e4a688aa7622336ecfd3087afe8c" aria-hidden="true" alt="{displaystyle rin {1dots n-1}}" width="7005.8" height="1223.9">$ .
Compute $c=gmhrmodn{displaystyle c=g^{m}h^{r}{bmod {n}}} <img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/b234ecf2b8f5836f1dc2e3eb790a54d20dcbcace" aria-hidden="true" alt="{displaystyle c=g^{m}h^{r}{bmod {n}}}" width="7012.5" height="1152.1">$ .

The value

c{displaystyle c}

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/86a67b81c2de995bd608d5b2df50cd8cd7d92455" aria-hidden="true" alt="c" width="433.5" height="721.6">$ is the encryption of

m{displaystyle m}

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/0a07d98bb302f3856cbabc47b2b9016692e3f7bc" aria-hidden="true" alt="m" width="878.5" height="721.6">$ .

Decryption[edit]

An encrypted message

c{displaystyle c}

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/86a67b81c2de995bd608d5b2df50cd8cd7d92455" aria-hidden="true" alt="c" width="433.5" height="721.6">$ can be decrypted with the private key

(p,q){displaystyle (p,q)}

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/9769c58523b9b639866a2d48e657d9c26911143a" aria-hidden="true" alt="(p,q)" width="2188.2" height="1223.9">$ as follows.

Compute $a=(cp−1modp2)−1p{displaystyle a={frac {(c^{p-1}{bmod {p^{2}}})-1}{p}}} <img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/0b718cec55d4f85a7f99a91e54359ddb0e5d80e5" aria-hidden="true" alt="{displaystyle a={frac {(c^{p-1}{bmod {p^{2}}})-1}{p}}}" width="9923.4" height="2730.8">$ .
Compute $b=(gp−1modp2)−1p{displaystyle b={frac {(g^{p-1}{bmod {p^{2}}})-1}{p}}} <img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/cedb958f26697007f206d33b70e6779803a74ceb" aria-hidden="true" alt="{displaystyle b={frac {(g^{p-1}{bmod {p^{2}}})-1}{p}}}" width="9871.3" height="2730.8">$ . $a{displaystyle a} <img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/ffd2487510aa438433a2579450ab2b3d557e5edc" aria-hidden="true" alt="a" width="529.5" height="721.6">$ and $b{displaystyle b} <img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/f11423fbb2e967f986e36804a8ae4271734917c3" aria-hidden="true" alt="b" width="429.5" height="936.9">$ will be integers.
Using the Extended Euclidean Algorithm, compute the inverse of $b{displaystyle b} <img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/f11423fbb2e967f986e36804a8ae4271734917c3" aria-hidden="true" alt="b" width="429.5" height="936.9">$ modulo $p{displaystyle p} <img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/81eac1e205430d1f40810df36a0edffdc367af36" aria-hidden="true" alt="p" width="542" height="865.1">$ :

$b′=b−1modp{displaystyle b’=b^{-1}{bmod {p}}} <img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/b1b2cc7ba8d1766b084184980be962a229e2c68e" aria-hidden="true" alt="{displaystyle b'=b^{-1}{bmod {p}}}" width="6441.8" height="1295.7">$ .
Compute $m=ab′modp{displaystyle m=ab'{bmod {p}}} <img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/e1b85b29f5483debe70f491eae6ed4d00a9abda6" aria-hidden="true" alt="{displaystyle m=ab'{bmod {p}}}" width="6415.9" height="1223.9">$ .

The value

m{displaystyle m}

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/0a07d98bb302f3856cbabc47b2b9016692e3f7bc" aria-hidden="true" alt="m" width="878.5" height="721.6">$ is the decryption of

c{displaystyle c}

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/86a67b81c2de995bd608d5b2df50cd8cd7d92455" aria-hidden="true" alt="c" width="433.5" height="721.6">$ .

Example[edit]

Let

p=3{displaystyle p=3}

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/b37be793795be56f61768c16dd72a1db0569fb14" aria-hidden="true" alt="{displaystyle p=3}" width="2376.6" height="1080.4">$ and

q=5{displaystyle q=5}

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/1b82461fdf059d99f9dcee740b2f66abf90df3dc" aria-hidden="true" alt="{displaystyle q=5}" width="2295.1" height="1080.4">$ . Then

n=32⋅5=45{displaystyle n=3^{2}cdot 5=45}

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/fed6251f155816722ce995d157245a6bf0d1a09b" aria-hidden="true" alt="{displaystyle n=3^{2}cdot 5=45}" width="6447.5" height="1152.1">$ . Select

g=22{displaystyle g=22}

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/195849d752108cc393362fe02c4e5e9859c99c2b" aria-hidden="true" alt="{displaystyle g=22}" width="2815.6" height="1080.4">$ . Then

h=2245mod45=37{displaystyle h=22^{45}{bmod {4}}5=37}

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/b8c5ffb98e2148f0501b6b8101aa92414f23f8ca" aria-hidden="true" alt="{displaystyle h=22^{45}{bmod {4}}5=37}" width="9501.5" height="1152.1">$ .

Now to encrypt a message

m=2{displaystyle m=2}

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/b32de1b0dc05f6e525ad6a3e8ddeeb4321fd79e5" aria-hidden="true" alt="m = 2" width="2713.1" height="936.9">$ , we pick a random

r=13{displaystyle r=13}

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/85b2138eeb067844e38c31eb1ef091398d5d1e14" aria-hidden="true" alt="{displaystyle r=13}" width="2786.6" height="936.9">$ and compute

c=gmhrmodn=2223713mod45=43{displaystyle c=g^{m}h^{r}{bmod {n}}=22^{2}37^{13}{bmod {4}}5=43}

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/69e7632dc27c40e50be6a7296647dc9229c8acae" aria-hidden="true" alt="{displaystyle c=g^{m}h^{r}{bmod {n}}=22^{2}37^{13}{bmod {4}}5=43}" width="17392.4" height="1295.7">$ .

To decrypt the message 43, we compute

a=(432mod32)−13=1{displaystyle a={frac {(43^{2}{bmod {3}}^{2})-1}{3}}=1} <img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/d93af6117601974c97c23ff133d1a5fa3bebed47" aria-hidden="true" alt="{displaystyle a={frac {(43^{2}{bmod {3}}^{2})-1}{3}}=1}" width="11415.9" height="2587.3">

.

b=(222mod32)−13=2{displaystyle b={frac {(22^{2}{bmod {3}}^{2})-1}{3}}=2} <img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/7c9d927a331383134bb7b29d7869645694f77882" aria-hidden="true" alt="{displaystyle b={frac {(22^{2}{bmod {3}}^{2})-1}{3}}=2}" width="11315.9" height="2587.3">

.

b′=2−1mod3=2{displaystyle b’=2^{-1}{bmod {3}}=2} <img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/5d6586be534fac0cb4996f909fc3e9267dc10d0a" aria-hidden="true" alt="{displaystyle b'=2^{-1}{bmod {3}}=2}" width="8344.4" height="1152.1">

.

And finally

m=ab′=2{displaystyle m=ab’=2}

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/d3199b8eb490732e3edcb304a8db129069ab66b1" aria-hidden="true" alt="{displaystyle m=ab'=2}" width="5300.9" height="1080.4">$ .

Proof of correctness[edit]

We wish to prove that the value computed in the last decryption step,

ab′modp{displaystyle ab'{bmod {p}}}

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/170f03765a430149984bec305e3b21cd624b1f0c" aria-hidden="true" alt="{displaystyle ab'{bmod {p}}}" width="4203.4" height="1223.9">$ , is equal to the original message

m{displaystyle m}

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/0a07d98bb302f3856cbabc47b2b9016692e3f7bc" aria-hidden="true" alt="m" width="878.5" height="721.6">$ . We have

(gmhr)p−1≡(gmgnr)p−1≡(gp−1)mgp(p−1)rpq≡(gp−1)mmodp2{displaystyle (g^{m}h^{r})^{p-1}equiv (g^{m}g^{nr})^{p-1}equiv (g^{p-1})^{m}g^{p(p-1)rpq}equiv (g^{p-1})^{m}mod p^{2}} <img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/1864240be5911614d1be8fc4ba16dfa6fe3d23ce" aria-hidden="true" alt="{displaystyle (g^{m}h^{r})^{p-1}equiv (g^{m}g^{nr})^{p-1}equiv (g^{p-1})^{m}g^{p(p-1)rpq}equiv (g^{p-1})^{m}mod p^{2}}" width="27955.7" height="1439.2">

So to recover

m{displaystyle m}

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/0a07d98bb302f3856cbabc47b2b9016692e3f7bc" aria-hidden="true" alt="m" width="878.5" height="721.6">$ we need to take the discrete logarithm with base

gp−1{displaystyle g^{p-1}}

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/9f6ef7f8e9cef5e652bda593f02940c0466a0022" aria-hidden="true" alt="{displaystyle g^{p-1}}" width="1841.9" height="1295.7">$ .

The group

(Z/nZ)∗≃(Z/p2Z)∗×(Z/qZ)∗{displaystyle (mathbb {Z} /nmathbb {Z} )^{*}simeq (mathbb {Z} /p^{2}mathbb {Z} )^{*}times (mathbb {Z} /qmathbb {Z} )^{*}} <img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/342377a44374fe6dcfe4cbe6746968e9c66db9df" aria-hidden="true" alt="(mathbb{Z } /nmathbb{Z } )^{*}simeq ({mathbb {Z}}/p^{2}{mathbb {Z}})^{*}times ({mathbb {Z}}/q{mathbb {Z}})^{*}" width="13780.6" height="1367.4">

.

We define H which is subgroup of

Z/p2Z∗{displaystyle mathbb {Z} /p^{2}mathbb {Z} ^{*}}

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/a7657e3ad6837012c240d630efcc474d38f521dd" aria-hidden="true" alt="{displaystyle mathbb {Z} /p^{2}mathbb {Z} ^{*}}" width="3246.8" height="1367.4">$ and its cardinality is p-1

H={x:xp−1modp2=1+rp,0<r<p}{displaystyle H={x:x^{p-1}mod p^{2}=1+rp,0 <img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/e0305546d68ee727b1716e2d7f5e5bf38c67b301" aria-hidden="true" alt="{displaystyle H={x:x^{p-1}mod p^{2}=1+rp,0&lt;r&lt;p}}" width="19658.9" height="1367.4">

.

For any element x in

(Z/p2Z)∗{displaystyle (mathbb {Z} /p^{2}mathbb {Z} )^{*}}

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/d00bccc8bb25cdc7d74ea794f0c6f8797206948b" aria-hidden="true" alt="({mathbb {Z}}/p^{2}{mathbb {Z}})^{*}" width="4025.8" height="1367.4">$ , we have x^p−1 mod p² is in H, since p divides x^p−1 − 1.

The map

L(x)=x−1p{displaystyle L(x)={frac {x-1}{p}}}

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/49b03cb894a2752a038a013fd8820cba00e1fa8f" aria-hidden="true" alt="L(x)={frac {x-1}{p}}" width="6023" height="2443.8">$ should be thought of as a logarithm from the cyclic group H to the additive group

Z/pZ{displaystyle mathbb {Z} /pmathbb {Z} }

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/57869a3a3c4c431cc49c4c7ab1d9c7ea692b517b" aria-hidden="true" alt="{mathbb {Z}}/p{mathbb {Z}}" width="2339" height="1223.9">$ , and it is easy to check that L(ab) = L(a) + L(b), and that the L is an isomorphism between these two groups. As is the case with the usual logarithm, L(x)/L(g) is, in a sense, the logarithm of x with base g.

which is accomplished by

L((gp−1)m)L(gp−1)=mmodp.{displaystyle {frac {Lleft((g^{p-1})^{m}right)}{L(g^{p-1})}}=mmod p.} <img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/ede2393e843acc832ac1f0bb174bab73ab711b5a" aria-hidden="true" alt="{frac {Lleft((g^{{p-1}})^{m}right)}{L(g^{{p-1}})}}=mmod p." width="12019" height="2946.1">

^{[further explanation needed]}

Security[edit]

The security of the entire message can be shown to be equivalent to factoring n.^{[clarification needed]} The semantic security rests on the p-subgroup assumption, which assumes that it is difficult to determine whether an element x in

(Z/nZ)∗{displaystyle (mathbb {Z} /nmathbb {Z} )^{*}}

$<img src="https://wikimedia.org/api/rest_v1/media/math/render/svg/3474fa64b500c904b79e71e96883f0d591a9727a" aria-hidden="true" alt="({mathbb {Z}}/n{mathbb {Z}})^{*}" width="3668.9" height="1223.9">$ is in the subgroup of order p. This is very similar to the quadratic residuosity problem and the higher residuosity problem.

Okamoto–Uchiyama cryptosystem – Wikipedia

Operation[edit]

Key generation[edit]

Encryption[edit]

Decryption[edit]

Example[edit]

Proof of correctness[edit]

Security[edit]

References[edit]

Recent Posts

Recent Comments

Archives

Categories

Meta