Prepare and submit a summary of the contents of the paper you have chosen in the first
part of this project.
The submission should be written in IEEE Proceedings Manuscripts style: two columns,
single-spaced. You may find a template file at
URL:https://www.ieee.org/conferences/publishing/templates.html. It should not be more
than 3 pages long (including references and figures) and should follow the Term Research
Project Report Guidelines organization laid out in the course outline.
In your report pay special attention to the “Conclusion” and/or “Recommendation”
sections of your paper, as your ability to independently analyze and critique the paper
will form a major part of the evaluation. Ensure that you have at least one or two
paragraphs that give your independent opinion on the contents of the paper.
Copying the sentences in your chosen paper verbatim into your summary is plagiarism.
Ensure that you write your summary using your own words.
Your submission will be judged based on the following criteria:
Format/Organization
Content
Clarity
Technical Depth
Originality
Prepare a one-slide brochure summarizing the main points of the paper: what it does, its
applications, and its importance.
Your final submission should include your summary report, the brochure and the original
paper that you summarized.
JOURNAL OF COMPUTER AND SYSTEM SCIENCES 28, 270-299 (1984)
Probabilistic Encryption*
SHAFI GOLDWASSER AND SILVIO MICALI
Laboratory of Computer Science, Massachusetts Institute of Technology, Cambridge, Massachusetts 02139
Received February 3, 1983; revised November 8, 1983
A new probabilistic model of data encryption is introduced. For this model, under suitable complexity assumptions, it is proved that extracting any information about the cleartext from the cyphertext is hard on the average for an adversary with polynomially bounded computational resources. The proof holds for any message space with any probability distribution. The first implementation of this model is presented. The security of this implementation is proved under the intractability assumption of deciding Quadratic Residuosity modulo composite numbers whose factorization is unknown.
1. INTRODUCTION
This paper proposes an encryption scheme that possesses the following property:
Whatever is efficiently computable about the cleartext given the cyphertext, is also efficiently computable without the cyphertext.
The security of our encryption scheme is based on complexity theory. Thus, when
we say that it is “impossible” for an adversary to compute any information about the
cleartext from the cyphertext we mean that it is not computationally feasible.
The relatively young field of complexity theory has not yet been able to prove a
nonlinear lower bound for even one natural NP-complete problem. At the same time,
despite the enormous mathematical effort, some problems in number theory have for
centuries refused any “domestication.”
Thus, for concretely implementing our
scheme, we assume the intractability of some problems in number theory such as
factoring or deciding quadratic residuosity with respect to composite moduli. In this
context, proving that a problem is hard means to prove it equivalent to one of the
above mentioned problems. In other words, any threat to the security of the concrete
implementation of our encryption scheme will result in an efficient algorithm for
deciding quadratic residuosity modulo composite integers.
* This research was done when both authors were students at the University of California at Berkeley
and supported in part by NSF Grant MCS 82-04506. The preparation of this manuscript was done when
the first author was at the Laboratory of Computer Science at MIT and supported by a Bantrell
fellowship and an IBM faculty development award, and the second author was at the Computer Science
Department at the University of Toronto.
Copyright © 1984 by Academic Press, Inc. All rights of reproduction in any form reserved.
1.1. Deterministic Encryption: The Trapdoor Function Model
Our encryption scheme benefits from the ideas of Diffie and Hellman [9], Rivest, Shamir, and Adleman [21], and Rabin [20].
Diffie and Hellman [9] introduced the idea of a public key cryptosystem, which is
based on the intractability of some underlying computational problem. Intuitively, the
idea is to find an encryption function E which is easy to compute but difficult to
invert unless some secret information, the trapdoor, is known. Such a function is
called a trapdoor function. To encrypt a message m, anyone simply evaluates E(m),
but only those who know the trapdoor information can compute m from E(m).
The two implementations of a trapdoor function most relevant and inspiring for
this paper are the RSA function [21], due to Rivest, Shamir, and Adleman, and its
particularization suggested by Rabin [20].
1.2. Basic Objections to the Trapdoor Function Model
We point out two basic weaknesses of this approach:
(1) The fact that f is a trapdoor function does not rule out the possibility of
computing x from f (x) when x is of a special form. Usually messages do not consist
of numbers chosen at random but possess more structure. Such structural information
may help in decoding. For example, a function f, which is hard to invert on a generic
input, could conceivably be easy to invert on the ASCII representations of English
sentences.
(2) The fact that f is a trapdoor function does not rule out the possibility of
easily computing some partial information about x (even every other bit of x) from
f(x).
Encrypting messages in a way that ensures the secrecy of all partial information is an important goal in cryptography. Assume we want to use encryption to
play card games over the telephone. If the suit or color of a card could be
compromised the whole game should be invalid. Indeed Lipton [17] has pointed out
that one bit of information about cards to remain hidden can be easily computed in
the SRA implementation of Mental Poker [22].
Though no one knows how to break the RSA or the Rabin scheme, in none of
these schemes is it proved that decoding is hard without any assumptions made on
the message space. Rabin shows that, in his scheme, decoding is hard for an
adversary if the set of possible messages has some density property. We discuss this
further in Section 2.
1.3. Probabilistic Encryption:
The New Model
In this paper we switch from a deterministic framework to a probabilistic
framework. This enables us to deal with the problems that arose with the trapdoor
function model, without imposing any probability structure on the messages we
would like to send.
We replace the notion of a trapdoor function with the notion of an unapproximable
trapdoor predicate. Briefly, the predicate B is trapdoor and unapproximable if anyone
can select an x such that B(x) = 0 or y such that B(y) = 1, but only those who know
the trapdoor information can, given z, compute the value of B(z). When the trapdoor
information is unknown, an adversary with polynomially bounded computational
resources can not decide the value of B(z) better than guessing at random (see
Section 3 for formal definition).
We replace deterministic block encryption by probabilistic encryption of single
bits, where there are many different encodings of a “1” and many different encodings
of a “0.” To encrypt each message we make use of a fair coin. Thus the encoding of
each message will depend on the message plus the result of a sequence of coin tosses.
More specifically, a binary message will be encrypted bit-by-bit as follows: a “0” is
encoded by randomly selecting an x such that B(x) = 0 and a “1” is encoded by
randomly selecting an x such that B(x) = 1. Consequently, there are many possible
encodings for each message. However, messages are always uniquely decodable.
Two properties of the new model are:
(1) Decoding is easy for the legal receiver of a message, who knows the
trapdoor information, but provably hard for an adversary. Therefore the spirit of a
trapdoor function is maintained. In addition, in our scheme, we do not impose any
restrictions on the message space. The security of the scheme is proved for messages
belonging to any message space with any probability distribution.
(2) No information about an encrypted message can be obtained by an adversary.
Let $g: M \to V$ be a nonconstant function on $M$. Assume that the message space $M$ has some probability distribution. Accordingly, let $p_v = \mathrm{prob}(g(m) = v \mid m \in M)$ for each $v \in V$, and let $\hat v \in V$ be such that $p_{\hat v} = \max_{u \in V} p_u$. Then, without any special ability, an adversary given the cyphertext can always guess the value of $g$ over the cleartext and be correct with probability $p_{\hat v}$. We prove that for a probabilistic encryption scheme, an adversary, given the cyphertext, cannot guess the value of $g$ over the cleartext with probability better than $p_{\hat v}$. Note that $g$ need not be polynomially computable, or even recursive. Thus, our encryption model passes a polynomially bounded version of Shannon's perfect secrecy definition; see Subsection 7.3.
This property enabled Goldwasser and Micali [11] to devise a scheme for Mental Poker for which, under the Quadratic Residuosity Assumption, no partial information about cards that should remain hidden can be easily computed.
1.4. Concrete Implementation of the New Model
We introduce Quadratic Residuosity modulo composite integers whose factorization is unknown (see Section 6 for precise definition), as the first example of an unapproximable trapdoor predicate. Thus we introduce a new probabilistic public key cryptosystem that is secure in a very strong probabilistic sense if and only if deciding quadratic residuosity with composite moduli is hard (see Section 4). The security offered by this public key cryptosystem extends to all partial information about encrypted messages, to all possible message spaces and to all possible probability distributions for the message space (see Section 5 for formal definition of security).
Another example of such predicates has appeared in Goldwasser, Micali, and
Tong [12] and in Goldwasser [13]. The predicate they propose is unapproximable if
and only if factoring composite numbers is hard. Using the construction of Section 4,
we can build a public key cryptosystem based on the predicate they propose. Again,
any threat to the security of this last cryptosystem, will result in an efficient factoring
algorithm.
In [26], Yao shows that unapproximable trapdoor predicates exist if one-to-one
trapdoor functions exist.
1.5. Related Work
Blum and Micali in [5] showed the first example of an unapproximable predicate
which is not trapdoor. Their predicate is unapproximable if and only if the discrete
logarithm problem is hard.
The quadratic residuosity predicate is not only an example of an unapproximable
trapdoor predicate, but possesses other properties which make it particularly
attractive for protocol design. It has been widely used since we first proposed it in
[10]. The first protocol that uses this predicate was suggested by Goldwasser and
Micali in [11]. They design a protocol for two players to play mental poker over the
telephone, so that no player can obtain any partial information about cards not in his
hand. Other works in which this predicate has proved useful are: Blum, Blum, and
Shub’s implementation [4] of a cryptographically strong pseudo random bit generator
[5], Brassard’s [7] implementation of authentication tags, Luby, Micali, and
Rackoff's [19] method for simultaneously exchanging a secret bit, and Vazirani and
Vazirani’s [25] implementation of one bit disclosures.
2. SURVEY OF PUBLIC KEY CRYPTOSYSTEMS BASED ON TRAPDOOR FUNCTIONS
All the number theoretic notation used in this section will be defined in Section 3.
2.1. What Is a Public Key Cryptosystem?
The concept of a Public Key Cryptosystem was introduced by Diffie and Hellman
in their ingenious paper [9]. Let $M$ be a finite message space, let $\{A, B, \ldots\}$ be users, and let $m \in M$ denote a message. Let $E_A: M \to M$ be A's encryption function, which is ideally bijective, and $D_A$ be A's decryption function such that $D_A(E_A(m)) = m$ for all $m \in M$. In a Public Key Cryptosystem $E_A$ is placed in a public file, and user A keeps $D_A$ private. $D_A$ should be difficult to compute knowing only $E_A$. To send message $m$ to A, B takes $E_A$ from the public file, computes $E_A(m)$ and sends this message to A. A easily computes $D_A(E_A(m))$ to obtain $m$.
2.2. The RSA Scheme and the Rabin Scheme
Two implementations of such encryption functions $E_A$ are the RSA function [21] of Rivest et al. and the Rabin function [20].
The key idea in both the RSA scheme and the Rabin scheme consists in the selection of an appropriate number theoretic trapdoor function. In the RSA scheme, user A selects $n$, the product of two large distinct primes $p_1$ and $p_2$, and a number $s$ such that $s$ and $\varphi(n)$ are relatively prime, where $\varphi$ is the Euler totient function. A puts $n$ and $s$ in a public file and keeps the factorization of $n$ private. Let $Z_n^* = \{x \in N$:

$\ldots > \varepsilon/d$: just find vertices $u$ and $v$ in $C$ such that $|\pi(u) - \pi(v)| > \varepsilon$; then consider $(w_0, \ldots, w_k)$, a minimum length vertex-walk from $u$ to $v$ and look at the pairs $(w_l, w_{l+1})$.
In our case, every vertex $v$ of the hypercube is a $d$-bit word. The label $\pi(v)$ is the frequency with which the line-tapper outputs 1 on the probabilistic encryptions of $v$. We quickly approximate these frequencies by sampling. Then we find two adjacent words $s$ and $t$ with a jump in their associated frequency, and use $s$ and $t$ to approximate the UTP (unapproximable trapdoor predicate) on which the system is based.
THEOREM 5.1. Each probabilistic public key cryptosystem is polynomially secure.
Proof of Theorem 5.1.
Let
$$B = \{B_i : \Omega_i \to \{0,1\} \mid i \in S_k \text{ and } k \in N'\}$$
be an unapproximable trapdoor predicate. Let $\Pi$ be a PPKC that on inputs $k$ and MG outputs $i \in S_k$ and $\sigma(i)$ with probability $1/|S_k|$. This specifies a probabilistic encryption algorithm $E$, as specified in Subsection 4.3. Recall that $T_k$, the line-tapper, is a poly($k$) size circuit which upon receiving as input $i$ and a probabilistic encoding of $m$ in $M_k$ encoded using $B_i$, outputs either a 0 or a 1.
Let $f_{i,m}$ be the frequency with which $T_k$ outputs a 1 when given as input all the probabilistic encodings of $m$ using $B_i$.
Let $P_1$ and $P_2$ be polynomials. For $k \in N$ set $\varepsilon_k = 1/P_1(k)$ and $\delta_k = 1/P_2(k)$, and let $F_k$ be a message-finder. Let $N''$ be an infinite subset of $N'$. Assume that for a fraction $\eta_k$ of the $i \in S_k$, $F_k$ outputs two messages $m_1^i$ and $m_2^i$ such that
$$|f_{i,m_1^i} - f_{i,m_2^i}| > \varepsilon_k. \qquad (*)$$
Then we will show that for all $k \in N''$, there is a probabilistic poly($k, \delta^{-1}$) time Turing machine $G$ with oracles $F_k$ and $T_k$ that with probability $1 - \delta$, $(\varepsilon_k/5l_k)$-approximates $B_i$ for a fraction $\eta_k/2$ of the $i \in S_k$.
Consequently, as the size of $T_k$ is bounded by a polynomial in $k$, if also the size of $F_k$ were bounded by a polynomial in $k$, $G$ could easily be converted, for each $k \in N''$, into a poly($k$) size circuit $C_k$ that $(\varepsilon_k/5l_k)$-approximates $B_i$ for at least a fraction $\eta_k/2$ of the $i \in S_k$. This would contradict the unapproximability of $B$. Thus, the size of $F_k$ must grow faster than any polynomial in $k$ and $\Pi$ is polynomially secure.
The Hamming distance between $a$ and $b \in \{0,1\}^{l_k}$ is the number of bits in which $a$ and $b$ differ, and we say that $a$ and $b$ are adjacent if the distance between them is 1.
We proceed to construct the Turing machine $G$. Let $\Omega_i^{l_k}$ denote the set of all $l_k$-long sequences of elements of $\Omega_i$. On input $i \in S_k$ and $y \in \Omega_i$, $G$ guesses $B_i(y)$ as follows:
Part 1. It calls the oracle $F_k$ with input $i$ to find $m_1^i$ and $m_2^i$ in $M_k$ such that
$$|f_{i,m_1^i} - f_{i,m_2^i}| > \varepsilon_k. \qquad (*)$$
Let $\Delta$ be the distance between $m_1^i$ and $m_2^i$. Let $a_0, a_1, \ldots, a_\Delta$ be a sequence of $l_k$-bit strings such that $a_0 = m_1^i$, $a_\Delta = m_2^i$ and $a_j$ is adjacent to $a_{j+1}$ for $0 \le j < \Delta$. As $|f_{i,a_0} - f_{i,a_\Delta}| > \varepsilon_k$ and $\Delta \le l_k$, there must exist $x$, $0 \le x \le \Delta - 1$, such that $|f_{i,a_x} - f_{i,a_{x+1}}| > \varepsilon_k/l_k$.
Assign $\Omega_i$ and $\Omega_i^{l_k}$ the uniform probability distribution. By the trapdoor property of $B$, in probabilistic poly($k, \delta^{-1}$) time, such $a_x$ and $a_{x+1}$ can be correctly found with probability greater than $1 - \delta$ by means of a Monte Carlo experiment. For notational convenience, let $s = a_x$ and $t = a_{x+1}$. Compute $f_{i,s}$ and $f_{i,t}$.
As $s = (s_1, \ldots, s_{l_k})$ and $t = (t_1, \ldots, t_{l_k})$ are adjacent, they differ in exactly one location. Call this location $d$.
Part 2. Assume, without loss of generality, that $f_{i,s} > f_{i,t}$.
Case 1. $s_d = 1$, $t_d = 0$. Then pick $x = (x_1, x_2, \ldots, x_{l_k}) \in \Omega_i^{l_k}$ at random among all the elements $e = (e_1, \ldots, e_{l_k})$ in $\Omega_i^{l_k}$ such that $B_i(e_j) = s_j = t_j$ for $j \ne d$ and $e_d = y$. (Recall that $y$ is the input of $G$.)
If $T_k(x) = 1$ then $G[y] = 1$; else if $T_k(x) = 0$ then $G[y] = 0$.
Case 2. $s_d = 0$ and $t_d = 1$. Proceed as in Case 1, but set $G[y] = 1 - T_k[x]$. This completes the description of $G$.
Let us prove that, if $s$ and $t$ have been correctly found, for a fraction $\eta_k/2$ of the $i$'s in $S_k$, for $y \in \Omega_i$,
$$\Pr(G[y] = B_i[y]) > \frac{1}{2} + \frac{\varepsilon_k}{5 l_k}.$$
Remark 5.1. As $B$ is unapproximable, by Remark 3.1, for all sufficiently large $k$, for a fraction $1 - (\eta_k/2)$ of the $i \in S_k$, $|\Omega_i^0|/|\Omega_i| > \frac{1}{2} - (\varepsilon_k/4l_k)$ and $|\Omega_i^1|/|\Omega_i| > \frac{1}{2} - (\varepsilon_k/4l_k)$. Thus, for a fraction greater than $\eta_k(1 - (\eta_k/2)) > (\eta_k/2)$ of the $i$'s in $S_k$, $F_k$ outputs an $m_1^i$ and $m_2^i$ such that $|f_{i,m_1^i} - f_{i,m_2^i}| > \varepsilon_k$ AND both $|\Omega_i^0|/|\Omega_i|$ and $|\Omega_i^1|/|\Omega_i|$ are greater than $\frac{1}{2} - (\varepsilon_k/4l_k)$.
The $i$-signature($x$), where $x = (x_1, \ldots, x_{l_k}) \in \Omega_i^{l_k}$, will denote the binary string $B_i(x_1) \cdots B_i(x_{l_k})$. Then, for such $i$, in Case 1,
$$\begin{aligned}
\Pr(G[y] = B_i(y)) &= \sum_{c=0,1} \Pr(G[y] = c \mid B_i(y) = c)\,\Pr(B_i(y) = c) \\
&\ge \Big(\tfrac{1}{2} - \tfrac{\varepsilon_k}{4 l_k}\Big)\big[\Pr(G[y] = 1 \mid B_i(y) = 1) + \Pr(G[y] = 0 \mid B_i(y) = 0)\big] \\
&= \Big(\tfrac{1}{2} - \tfrac{\varepsilon_k}{4 l_k}\Big)\big[\Pr(T_k[x] = 1 \mid i\text{-signature}(x) = s) + \Pr(T_k[x] = 0 \mid i\text{-signature}(x) = t)\big]
\end{aligned}$$
In Case 2, following a similar proof, again $G$ will $(\varepsilon_k/5l_k)$-approximate $B_i$. ∎
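The reduction in this proof can be exercised end to end on a toy instance. The following Python simulation is an added example and not code from the paper: it constructs a secret-keyed predicate standing in for $B_i$, a deliberately leaky line-tapper $T_k$ that reads one coordinate of the encryption and guesses its bit with 3/4 accuracy, and a message finder $F_k$; it then runs $G$ as described in Parts 1 and 2 (the walk along the hypercube, the adjacent pair $s, t$ with the largest frequency jump, and the Case 1/Case 2 rule). The predicate, the constants and all function names are assumptions of the simulation.

```python
import random

# Added simulation of the reduction in the proof of Theorem 5.1. This is
# example code, not the paper's: the predicate, the line-tapper and the
# message finder are constructed toys (names and parameters assumed).

L = 8                 # l_k: message length in bits
DOMAIN_BITS = 16      # Omega_i = {0, ..., 2**DOMAIN_BITS - 1}
SECRET = 0xB5E3       # trapdoor of the toy predicate (assumed value)
LEAK_POS = 5          # coordinate d that the toy line-tapper secretly reads


def predicate(x):
    """B_i(x): parity of the bits of x selected by SECRET. Only the trapdoor
    holder evaluates this directly; the simulation plays that role when it
    encodes bits."""
    return bin(x & SECRET).count("1") & 1


def encode_bit(b, rng):
    """One probabilistic encoding of bit b: a random x with B_i(x) = b."""
    while True:
        x = rng.getrandbits(DOMAIN_BITS)
        if predicate(x) == b:
            return x


def encrypt(msg_bits, rng):
    """Bit-by-bit probabilistic encryption of an l_k-bit message."""
    return [encode_bit(b, rng) for b in msg_bits]


def noisy_predicate(x):
    """Stands in for 'partial information' an adversary might have: a guess of
    B_i(x) that is right on exactly 3/4 of the domain (wrong iff x % 4 == 0).
    It is built from B_i only because this is a simulation."""
    return predicate(x) ^ (1 if x % 4 == 0 else 0)


def line_tapper(ciphertext):
    """T_k: the adversary's circuit. This constructed one looks only at the
    LEAK_POS-th element of the encryption and outputs its noisy guess."""
    return noisy_predicate(ciphertext[LEAK_POS])


def frequency(msg_bits, samples, rng):
    """Estimate f_{i,m}: how often T_k outputs 1 on random encryptions of m."""
    return sum(line_tapper(encrypt(msg_bits, rng)) for _ in range(samples)) / samples


def message_finder():
    """F_k: a pair of messages T_k tells apart (here all-zeros vs all-ones)."""
    return [0] * L, [1] * L


def find_adjacent_jump(m1, m2, samples, rng):
    """Part 1 of G: walk the hypercube from m1 to m2 one bit at a time and
    return the adjacent pair (s, t) with the largest estimated frequency jump
    and the coordinate d where they differ. The paper takes any pair whose
    jump exceeds eps_k / l_k; pigeonhole guarantees one exists."""
    path = [list(m1)]
    for j in range(L):
        if path[-1][j] != m2[j]:
            nxt = list(path[-1])
            nxt[j] = m2[j]
            path.append(nxt)
    freqs = [frequency(a, samples, rng) for a in path]
    best = max(range(len(path) - 1), key=lambda j: abs(freqs[j] - freqs[j + 1]))
    s, t = path[best], path[best + 1]
    d = next(j for j in range(L) if s[j] != t[j])
    return s, t, d, freqs[best], freqs[best + 1]


def build_approximator(samples=400, seed=1):
    """Construct G, which guesses B_i(y) using only T_k, F_k and the public
    ability to sample encodings of chosen bits. Returns (G, d)."""
    rng = random.Random(seed)
    m1, m2 = message_finder()
    s, t, d, f_s, f_t = find_adjacent_jump(m1, m2, samples, rng)
    if f_s < f_t:           # Part 2 assumes f_{i,s} > f_{i,t} w.l.o.g.
        s, t = t, s

    def G(y):
        # Build x whose i-signature equals s except at position d, where the
        # element is the challenge y itself, and read T_k's answer.
        x = [y if j == d else encode_bit(s[j], rng) for j in range(L)]
        answer = line_tapper(x)
        return answer if s[d] == 1 else 1 - answer     # Case 1 / Case 2

    return G, d


def measure_advantage(trials=400, seed=2):
    """Fraction of random y on which G agrees with B_i; the proof shows it
    exceeds 1/2 + eps_k/(5 l_k). Returns (accuracy, recovered d)."""
    G, d = build_approximator()
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        y = rng.getrandbits(DOMAIN_BITS)
        hits += G(y) == predicate(y)
    return hits / trials, d


if __name__ == "__main__":
    acc, d = measure_advantage()
    print(f"leaking coordinate recovered: d={d}; G agrees with B_i on {acc:.2%} of inputs")
```

Running it recovers the leaking coordinate $d$ and shows $G$ agreeing with $B_i$ on about three quarters of random inputs, i.e. the line-tapper's partial information about one coordinate has been turned into an approximation of the predicate itself. The toy predicate is of course not unapproximable; the point is the mechanics of the reduction, which uses $B_i$ only through the trapdoor-predicate ability to sample encodings of chosen bits.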
5.2. Semantic Security
In this section we define our second criterion of security for a public key cryptosystem, called Semantic Security. Informally, a system is semantically secure if
whatever an eavesdropper can compute about the cleartext given the cyphertext, he
can also compute without the cyphertext. We prove that every polynomially secure
public key cryptosystem is semantically secure. Thus probabilistic PKCs are semantically secure. Thus, our encryption scheme passes a polynomially bounded version of
Shannon’s [23] perfect secrecy definition: Restricting our attention to adversaries
with polynomially bounded resources available for the analysis of intercepted
messages, the a posteriori probabilities of an intercepted cryptogram representing
various messages, are the same as the a priori probabilities of the same messages
before interception.
Informal Setting
Let f be any function defined on a message space M. Thus f need not be fast
computable or even recursive. We say that f(m) constitutes information about the
message m EM. In practice, typical f’s of interest are the identity function, a
Boolean predicate, a hashing function, etc.
We want that extracting any information about messages from their encoding
should be hard even if the probability distribution associated with the message space
is known.
Let $M$ be a message space and $f$ be a function defined on $M$. For all $m \in M$, let $p_m = \mathrm{Prob}(x = m \mid x \in M)$. Consider the image $f(M)$. Define $\hat p = \max_{v \in f(M)} \big(\sum_{m \in f^{-1}(v)} p_m\big)$ and let $\hat v$ be a value in $f(M)$ that achieves the maximum probability. Let $E$ be an encryption algorithm. Consider the following three games. Let $E$ be known to an adversary.
GAME 1. Randomly pick $m \in M$ (each $x \in M$ has probability $p_x$ of being picked). In this game an adversary is asked to guess the value of $f(m)$ without being told what $m$ is.
If the adversary always guesses $\hat v$ he would be right with probability $\hat p$. There is no strategy for the adversary that would give him a better winning probability.
GAME 2. Randomly pick $m \in M$. Compute one encryption $\alpha \in E(m)$. Give $\alpha$ to the adversary. Now, ask the adversary to guess $f(m)$.
GAME 3. Let the adversary pick a function $f_E$ defined on $M$. Randomly pick $m \in M$. Compute one encryption $\alpha \in E(m)$. Give $\alpha$ to the adversary. Now, ask the adversary to guess $f_E(m)$.
Informally, we say that $\Pi$ is a semantically secure public key cryptosystem if the adversary cannot win Game 3 with higher probability than Game 1.
Formal Setting
DEFINITION (Semantically secure public-key cryptosystems). Let $\Pi$ be a public key cryptosystem. Let MG be a message generator. As before $M_k = \mathrm{MG}[k]$. For all $m \in M_k$, $p_m$ will denote the probability that MG will output $m$ on input $k$. Let $f_{MG} = \{f_E : M_k \to V \mid E \in \Pi(k, \mathrm{MG}),\ k \in N\}$ be a set of functions on MG. For each $E \in \Pi(k, \mathrm{MG})$ let $p_E = \max_{v \in V}\big(\sum_{m \in f_E^{-1}(v)} p_m\big)$.
Let $C$ be a circuit that on input $E \in \Pi(k, \mathrm{MG})$ and $\alpha \in E(m)$, where $m \in M_k$, outputs a string $y$. Let $P, Q$ be polynomials. We say that $C$ $(P, Q, k)$-computes $f_{MG}$ from $\Pi$ if $\mathrm{Prob}(y = f_E(m) \mid m \in M_k,\ \alpha \in E(m)) > p_E + (1/Q(k))$ for all $E$ belonging to a subset $S \subseteq \Pi(k, \mathrm{MG})$ having probability at least $1/P(k)$.
Let $P, Q$ be polynomials. Let $C_k^{P,Q}$ denote the size of a smallest size circuit $C$ that $(P, Q, k)$-computes $f_{MG}$ from $\Pi$.
We say that $\Pi$ is semantically secure if for all MG, for all $f_{MG}$, for all $P, Q$, $C_k^{P,Q}$ grows faster than any polynomial in $k$.
THEOREM 5.2. Each polynomially secure public key cryptosystem is semantically secure.
Proof. Let $\Pi$ be a polynomially secure public key cryptosystem.
Assume for contradiction that $\Pi$ is not semantically secure. Then there are a message generator MG, a set of functions for MG, $f_{MG} = \{f_E\}$, polynomials $P_1$, $P_2$ and $Q$, an infinite subset $N' \subseteq N$ and a sequence of circuits $\{C_k\}$ such that:
(1) $C_k$ has less than $P_1(k)$ gates,
(2) the subset $S_k \subseteq \Pi(k, \mathrm{MG})$ has probability greater than $1/P_2(k)$, and
(3) for all $E \in S_k$ on inputs $E$ and $\alpha \in E(m)$, where $m \in \mathrm{MG}[k]$, $C_k$ will output $f_E(m)$ with probability (taken over the input $\alpha$) greater than $p_E + (1/Q(k))$.
For the remaining part of the proof, $k$ will belong to $N'$ and $i$ to $S_k$. Let $\varepsilon_k = 1/Q(k)$ and $p_E = \max_{v \in V} \sum_{m \in f_E^{-1}(v)} p_m$. Let $r^E_{m,y}$ denote the probability that $C_k$ outputs $y$ on inputs $E$ and $\alpha \in E(m)$. Then $r^E_{m,f_E(m)}$ is the probability that $C_k$ correctly evaluates $f_E$ on inputs $E$ and $\alpha \in E(m)$. Thus, what we assumed for contradiction can be expressed as
…
Pick $\mu$ from $M_k$ and fix it for the rest of the proof. Define $\hat M \subseteq M_k$ to be the set of messages $m$ such that $|r^E_{m,v} - r^E_{\mu,v}| > \varepsilon_k/10$ for some $v \in V$.
We observe the following two lemmas.
LEMMA A. For all constants $c > 0$, there exists a probabilistic algorithm that on input $i \in S_k$ and … $|\alpha_u - \beta_u| > \ldots$ Prob … And inversely, for a $u$ such that $|\alpha_u - \beta_u| > 3\varepsilon_k/40$, the …
LEMMA B. $\sum_{m \in \hat M} p_m > \varepsilon_k/10$.
Proof. Let $V_3 = \{v \in V \mid r^E_{\mu,v} > \varepsilon_k/6\}$, $V_4 = \{v \in V \mid r^E_{\mu,v} < \varepsilon_k/6\}$, and, respectively, $M_3 = \{m \in M_k - \hat M \mid r^E_{\mu,f_E(m)} > \varepsilon_k/6\}$ and $M_4 = M_k - \hat M - M_3$. $M_3$ includes all messages $m \notin \hat M$ such that $f_E(m) \in V_3$ and $M_4$ includes all messages $m \notin \hat M$ such that $f_E(m)$ is not in $V_3$. Clearly, $l = |V_3| < 6/\varepsilon_k$. Denote the values in $V_3$ as $\{u_1, \ldots, u_l\}$. Then,
$$p_E + \varepsilon_k < \sum_{m \in M_k} p_m\, r^E_{m,f_E(m)} \;\le\; \ldots$$
which (since $\forall m \notin \hat M$, $|r^E_{m,f_E(m)} - r^E_{\mu,f_E(m)}| < \varepsilon_k/10$) is less than or equal to
$$\ldots \sum_{m \in f_E^{-1}(u_l)} p_m \ldots + \frac{13\varepsilon_k}{10} \ldots$$
∎
Lemmas A and B imply that for all $k \in N'$ there exists a poly($k$) circuit $F_k$ such that on input $E \in S_k$, $F_k$ produces two messages $m_1$ and $m_2$ in $M_k$ and a value $v$ in $f_E(M_k)$ such that $|r^E_{m_1,v} - r^E_{m_2,v}| > \varepsilon_k/20$.
$F_k$ works as follows. On input $E$ it randomly picks a $\mu$ in $M_k$. Then, it randomly generates an element $\zeta$ in $M_k$. (With probability at least $\varepsilon_k/10$, Lemma B tells us that … $\varepsilon_k/20$ with high probability. If such a $v$ is not found, it is probably because $\zeta$ was not in $\hat M$ after all, and we pick another $\zeta$ until success comes after an expected polynomial number of trials. If $v$ is found, set $m_1 = \zeta$ and $m_2 = \mu$.
Now, define $T_k[i, x] = 1$ if $C_k[i, x] = v$ and 0 otherwise. Then $T_k$ is a poly($k$) line-tapper that $(\varepsilon_k/20)$-distinguishes the two messages $m_1$ and $m_2$ found by $F_k$. This contradicts the hypothesis that $\Pi$ was a polynomially secure public key cryptosystem. ∎
6. THE QUADRATIC RESIDUOSITY PROBLEM (QRP)
We introduce a new trapdoor number theoretic predicate based on the quadratic
residuosity assumption.
Let $x$ and $y$ be integers. The symbol $(x, y)$ will denote the greatest common divisor of $x$ and $y$. The symbol Prob($X$) will denote the probability of the event $X$. Let $N$ denote the set of positive integers and $n \in N$. Let $Z_n^* = \{x \mid 1 \le x \le n - 1 \text{ and } (x, n) = 1\}$.
6.1. Background and Notation
Given $q \in Z_n^*$, is $q = x^2 \bmod n$ solvable? If $n$ is prime, then the answer to this question is easily computed [16]: yes if $q^{(n-1)/2} \bmod n = 1$ and no if $q^{(n-1)/2} \bmod n = -1$. If a solution exists, $q$ is said to be a quadratic residue mod $n$. Otherwise $q$ is said to be a quadratic nonresidue mod $n$. In this section, $p_1$ and $p_2$ will be odd, distinct primes and $n = p_1 p_2$. Then, $q = x^2 \bmod n$ is solvable if and only if both $q = x^2 \bmod p_1$ and $q = x^2 \bmod p_2$ are solvable. Thus, if the factorization of $n$ is known, the solvability of $q = x^2 \bmod n$ is easily decidable.
LEMMA 1. Given the prime factorization of a composite integer $n$, deciding whether $q \in Z_n^*$ is a quadratic residue mod $n$ can be done in $O(|n|^3)$ time.
Some information about deciding whether a number is a quadratic residue mod $n$, when the factorization of $n$ is unknown, can be obtained from the Jacobi symbol. Let $p$ be an odd prime and $q \in Z_p^*$; then the Jacobi symbol $(q/p)$ equals 1 if $q$ is a quadratic residue mod $p$ and $-1$ otherwise. The Jacobi symbol $(q/n)$ is defined as $(q/n) = (q/p_1)(q/p_2)$. Despite the fact that the Jacobi symbol $(q/n)$ is defined through the factorization of $n$, $(q/n)$ is computable in polynomial time even when the factorization of $n$ is not known!
It is easy to see, from the above definitions, that if $(q/n) = -1$ then $q$ must be a quadratic nonresidue mod $n$. In fact, $q$ must be a quadratic nonresidue either mod $p_1$ or mod $p_2$. However, if $(q/n) = +1$, then either $q$ is a quadratic residue mod $n$ or $q$ is a quadratic nonresidue modulo both the prime factors of $n$.
In this paper we are interested in those elements of $Z_n^*$ whose Jacobi symbol is $+1$. Thus we introduce the set
$$Z_n^1 = \{x \mid x \in Z_n^* \text{ and } (x/n) = 1\}.$$
Let us count the number of elements of $Z_n^1$. See [16] for proofs.
FACT 1. Let $p$ be an odd prime. Then $Z_p^*$ is a cyclic group.
FACT 2. Let $g$ be a generator for $Z_p^*$; then $g^s \bmod p$ is a quadratic residue if and only if $s$ is even.
COROLLARY 3. Half of the numbers in $Z_p^*$ are quadratic residues and half are quadratic nonresidues.
FACT 4. Let $n = p_1 p_2$ ($p_1$ and $p_2$ are distinct odd primes). Then half of the numbers in $Z_n^*$ have Jacobi symbol equal to $-1$ and thus are quadratic nonresidues. The Jacobi symbol of the rest of the numbers is 1. Exactly half of these latter ones are quadratic residues mod $n$.
6.2. The Quadratic Residuosity Assumption
Let $n$ be a composite integer, and $q$ an element of $Z_n^1$. The Quadratic Residuosity Problem with parameters $q$ and $n$ is to decide whether $q$ is a quadratic residue mod $n$. If the factorization of $n$ is not known, then there is no known efficient procedure for solving the quadratic residuosity problem with parameters $n$ and $q$ in $Z_n^1$. This
decision problem is a well-known hard problem in Number Theory. It is one of the
main four algorithmic problems discussed by Gauss [8] in his “Disquisitiones
Arithmeticae”
(1801). A polynomial solution for it would imply a polynomial
solution to other open problems in Number Theory. One example is deciding whether
a composite integer n, is the product of 2 or 3 primes (see open problems 9 and 15 in
Adleman [2]).
In order to formally state the intractability assumption of the Quadratic Residuosity Problem, let us introduce the predicate $Q_n$ and the set of hard composite numbers $H_k$. For all $x \in Z_n^1$, the predicate $Q_n$ is defined as:
$$Q_n(x) = \begin{cases} 1 & \text{if } x \text{ is a quadratic residue mod } n, \\ 0 & \text{if } x \text{ is a quadratic nonresidue mod } n. \end{cases}$$
$H_k$ will denote the set of hard composite integers: Let $p_1$ and $p_2$ denote primes. The elements of $H_k$ constitute the hardest inputs for any known factoring algorithm.
Quadratic Residuosity Assumption (QRA)
Let $P_1$ be a fixed polynomial. For each integer $k$, let $C$ be a circuit with two $2k$-bit inputs and one Boolean output. Let $C_k$ be the minimum size of circuits $C$ such that for a fraction $1/P_1(k)$ of the $n \in H_k$, $C[n, x] = Q_n(x)$ for all $x \in Z_n^1$. Then, for all polynomials $Q$, for all sufficiently large $k$: $C_k > Q(k)$.
Next, we show that under the QRA, computing $Q_n(x)$ is hard not only for some special $x \in Z_n^1$, but is hard on the average.
6.3. A Number Theoretic Result
We recall that a circuit $C[\cdot]$ $\varepsilon$-approximates the predicate $B: \Omega \to \{0,1\}$ if $C[x] = B[x]$ for at least a fraction $\frac{1}{2} + \varepsilon$ of the $x \in \Omega$.
Let us recall the weak law of large numbers:
Weak Law of Large Numbers. Let $y_1, y_2, \ldots, y_r$ be $r$ independent 0-1 variables such that $y_i = 1$ with probability $p$, and $S_r = \sum_{i=1}^r y_i$; then for real numbers $w, \delta > 0$, $r > 1/(4\delta w^2)$ implies that $\mathrm{Prob}(|(S_r/r) - p| > w) < \delta$. Notice that $r$ is bounded by a polynomial in $w^{-1}$ and $\delta^{-1}$.
Remarks About Theorem 1. Theorem 1 shows that deciding Quadratic Residuosity mod $n$ is either "everywhere hard" or "everywhere easy." The main idea of this theorem is "how to collect a stochastic advantage," namely, how to turn an oracle that answers most questions correctly, but you do not know which ones, into an oracle that answers every question correctly with arbitrarily high probability.
THEOREM 1. Fix polynomials $P_1$ and $P_2$, and let $O[\cdot, \cdot]: N \times N \to \{0,1\}$ be an oracle. Let $S$ be the set of hard integers $n$ such that $O[\cdot, n]$ $(1/P_1(|n|))$-approximates $Q_n$. Then there is a probabilistic poly($|n|$) algorithm with oracle $O$ that, for any $n \in S$ and any $x \in Z_n^1$, with probability greater than $1 - (1/P_2(|n|))$ correctly decides whether $x$ is a quadratic residue mod $n$.
Proof. Let $n \in S$. Take $Z_n^1$ with the uniform probability distribution. For notational simplicity let $\varepsilon = 1/P_1(|n|)$ and $\delta = 1/P_2(|n|)$. Then, $\mathrm{Prob}(O[q, n] = Q_n(q) \mid q \in Z_n^1) > \frac{1}{2} + \varepsilon$. Let $\alpha = \mathrm{Prob}(O[q, n] = 1 \mid Q_n(q) = 1)$, and $\beta = \mathrm{Prob}(O[q, n] = 1 \mid Q_n(q) = 0)$. Then
$$\mathrm{Prob}(O[q, n] = Q_n(q) \mid q \in Z_n^1) = \tfrac{1}{2}\alpha + \tfrac{1}{2}(1 - \beta) > \tfrac{1}{2} + \varepsilon.$$
Therefore, $\alpha - \beta > 2\varepsilon$, but $\alpha$ can be much less than $\frac{1}{2} + \varepsilon$. We first need to get a good estimate for $\alpha$.
Construct a sample of $r$ quadratic residues chosen at random in $Z_n^*$ (the value of $r$ will be defined later on). This can be easily done by picking $s_1, \ldots, s_r$ at random in $Z_n^*$ and squaring them modulo $n$. Initialize a counter $C$ to 0.
For $i = 1$ to $r$, ask the oracle for the value $O[s_i^2 \bmod n, n]$. Increment $C$ each time that the oracle answers 1 (i.e., "quadratic residue").
Let $w = \varepsilon/2$. If $r$ is chosen to be suitably large, $r = 1/(\delta w^2)$, the weak law of large numbers assures that $C/r$ is a good $(\varepsilon/2)$-estimate for $\alpha$: i.e., $C/r$ is a good approximation to how well the oracle "guesses" $Q_n$ if the inputs are only quadratic residues.
We are now ready to describe a procedure for determining the quadratic residuosity of any element in $Z_n^1$. Let $q$ be an element of $Z_n^1$ that we want to test for quadratic residuosity. Randomly generate $r$ quadratic residues, $x_1, \ldots, x_r$, in $Z_n^*$ and compute $y_i = q x_i \bmod n$ for $i = 1, \ldots, r$. Notice that
(1) if $q$ is a quadratic residue, then the $y_i$'s are random quadratic residues,
(2) if $q$ is a quadratic nonresidue in $Z_n^1$, then the $y_i$'s are random quadratic nonresidues.
Let us postpone the proof of (1) and (2) and assume, for the time being, that they are true. Initialize a counter $\tilde C$ to 0. For $i = 1$ to $r$ call the oracle to get the value $O[y_i, n]$. Increment $\tilde C$ every time that the oracle answers 1. Output "$q$ is a quadratic residue mod $n$" if $|(\tilde C/r) - (C/r)| < \varepsilon$ and "$q$ is a quadratic nonresidue mod $n$" otherwise.
Since
$$\mathrm{Prob}\big(|\tilde C/r - \alpha| < \tfrac{\varepsilon}{2} \;\big|\; q \text{ is a quadratic residue}\big) \ldots$$
and
$$\mathrm{Prob}\big(|\tilde C/r - \beta| < \tfrac{\varepsilon}{2} \;\big|\; q \text{ is a quadratic nonresidue}\big) \ldots$$
then
$$\mathrm{Prob}(\text{answering } q \text{ is a quadratic nonresidue} \mid q \text{ is a quadratic nonresidue}) = \mathrm{Prob}\big(|\tilde C/r - C/r| \ldots\big) \ldots \mathrm{Prob}\big(|C/r - \alpha| \ldots\big) \ldots$$
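The procedure above can be run on a toy modulus. The Python below is an added example, not the paper's code: it builds an oracle constructed to agree with $Q_n$ on only a $\frac{1}{2} + \varepsilon$ fraction of $Z_n^1$ (the set of inputs on which it lies is hidden from the solver), estimates $\alpha$ from random squares, and decides an arbitrary $q$ by the random-shift trick $y_i = q x_i \bmod n$. The primes, $\varepsilon$, $r$ and all names are assumptions; the factorization is used only to construct the oracle and to check the answers.

```python
import random

# Added simulation of Theorem 1's proof ("collecting a stochastic advantage").
# This is example code, not the paper's. The modulus is a toy so that Q_n can
# be evaluated by brute force from the factorization; the oracle is constructed
# to agree with Q_n on only a (1/2 + eps) fraction of Z_n^1. All names are
# assumptions.

P, Q = 101, 103           # toy odd primes (assumed); far too small for security
N = P * Q


def is_qr_mod_prime(x, p):
    """Euler's criterion: x is a square mod the odd prime p iff x^((p-1)/2) = 1."""
    return pow(x % p, (p - 1) // 2, p) == 1


def Q_n(x):
    """The predicate Q_n: 1 iff x is a quadratic residue mod n. Needs p and q,
    so only the simulation (the 'trapdoor holder') may call it."""
    return 1 if is_qr_mod_prime(x, P) and is_qr_mod_prime(x, Q) else 0


def z_n_1():
    """Z_n^1 = {x in Z_n^* : (x/n) = 1}, enumerated via (x/n) = (x/p)(x/q)."""
    return [x for x in range(1, N) if x % P and x % Q
            and is_qr_mod_prime(x, P) == is_qr_mod_prime(x, Q)]


def make_biased_oracle(eps, rng):
    """An oracle O[., n] that equals Q_n on a (1/2 + eps) fraction of Z_n^1
    and is wrong on a hidden random set covering the other (1/2 - eps)."""
    domain = z_n_1()
    wrong = set(rng.sample(domain, int((0.5 - eps) * len(domain))))
    return (lambda q: Q_n(q) ^ (1 if q in wrong else 0)), domain


def random_residue(rng):
    """A uniformly random quadratic residue: square a random element of Z_n^*."""
    while True:
        s = rng.randrange(1, N)
        if s % P and s % Q:
            return s * s % N


def estimate_alpha(oracle, r, rng):
    """Step 1 of the proof: C/r, the oracle's 1-rate on r random residues."""
    return sum(oracle(random_residue(rng)) for _ in range(r)) / r


def decide_qr(oracle, q, alpha_hat, eps, r, rng):
    """Step 2: the y_i = q * x_i are random residues if q is one and random
    nonresidues of Z_n^1 otherwise, so the oracle's 1-rate on them is near
    alpha or near beta; alpha - beta > 2 eps separates the two cases."""
    rate = sum(oracle(q * random_residue(rng) % N) for _ in range(r)) / r
    return 1 if abs(rate - alpha_hat) < eps else 0


def run_demo(eps=0.15, r=4000, seed=7, trials=20):
    """Query the amplified decider on points where the raw oracle is wrong.
    Returns (raw oracle hits, amplified hits, number of points)."""
    rng = random.Random(seed)
    oracle, domain = make_biased_oracle(eps, rng)
    alpha_hat = estimate_alpha(oracle, r, rng)
    points = [q for q in rng.sample(domain, 400) if oracle(q) != Q_n(q)][:trials]
    raw_ok = sum(oracle(q) == Q_n(q) for q in points)
    amp_ok = sum(decide_qr(oracle, q, alpha_hat, eps, r, rng) == Q_n(q) for q in points)
    return raw_ok, amp_ok, len(points)


if __name__ == "__main__":
    raw, amp, n_points = run_demo()
    print(f"raw oracle right on {raw}/{n_points}, amplified decider right on {amp}/{n_points}")
```

The demo deliberately queries points on which the raw oracle is wrong, and the amplified decider still answers all of them correctly. Note that the sample size $r$ grows as $1/(\delta\varepsilon^2)$, so an oracle with a tiny advantage is expensive but still polynomial to amplify, which is exactly the content of the theorem.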
output $x$.
We now prove that, with probability greater than $1 - (1/P(k))$, algorithm $A_1$ computes $x$ such that $C[n, x, \cdot]$ $(1/P(k))$-approximates $Q_n(\cdot)$. Let $\alpha_x = \mathrm{Prob}(C[n, x, q] = 0 \mid Q_n(q) = 0)$ and $\beta_x = \mathrm{Prob}(C[n, x, q] = 0 \mid Q_n(q) = 1)$. Then, as $f_1^x = 1$ and $f_i^x = 0$ for some $i > 1$, for all sufficiently large $k$ the weak law of large numbers assures us that $|\alpha_x - \beta_x| > 1/(2P(k))$. By Theorem 1, this implies that $C[n, x, \cdot]$ $(1/P(k))$-approximates $Q_n(\cdot)$.
Finally, about $A_1$'s running time. Note that, if in a given iteration of the algorithm we draw an $x$ from $S_n$ and one of the $e_i$'s is a quadratic nonresidue, then $f_1 = 1$ and $f_i = 0$ and the algorithm terminates. Thus, the expected number of iterations performed by algorithm $A_1$ is …
As each iteration can be performed in probabilistic poly(k) time, $A_1$ runs in expected polynomial (in k) time. This proves part (1).

Part (2) follows from Corollary 1 and standard transformations of probabilistic algorithms into circuits. Part (3) follows easily from part (2). ∎
COROLLARY 2. Let $P_1$, $P_2$, and $P_3$ be fixed polynomials. For each $k \in \mathbb{N}$ let $E_k \subseteq H_k$ contain a fraction $1/P_1(k)$ of the integers in $H_k$. For each $n \in E_k$, let $S_n$ be a $1/P_2(k)$ fraction of the quadratic nonresidues in $Z_n^{+1}$. Let $C_k$ be the size of the smallest circuit $C[\cdot, \cdot, \cdot]$ that on inputs $n \in E_k$ and $s \in S_n$, $(1/P_3(k))$-approximates $Q_n$. Then, for all polynomials Q, for all sufficiently large k: $C_k > Q(k)$.
What this corollary says is that, assuming the QRA, when user B is presented with (n, y), where $n \in H_k$ and y is a quadratic nonresidue in $Z_n^{+1}$, and with $x \in Z_n^{+1}$, he cannot guess $Q_n(x)$ correctly with probability $1/2 + 1/P(k)$ for any polynomial P.
6.4. A Special Property of Quadratic Residuosity

Let $n \in H_k$ and $\alpha = (x_1, \ldots, x_k)$ be a probabilistic encryption of a k-bit message m using the predicate $Q_n$. Given $\alpha$, anyone, without knowing the factorization of n, can reencrypt m. In fact he could choose, with uniform probability, another probabilistic encryption of m by simply multiplying each $x_i$ by a different, randomly selected, quadratic residue mod n.

This property has been used by Luby, Micali, and Rackoff in [19] for fairly exchanging a secret bit.
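The reencryption property of Section 6.4, as an added Python example that is not part of the paper. It assumes a constructed toy key $n = 10007 \cdot 10009$ with the private factorization (p, q) and a public non-residue y of Jacobi symbol +1; real parameters are hundreds of digits. Bits are encrypted as in the paper (0 as a random square, 1 as y times a random square), and `reencrypt` performs the public re-randomization by multiplying every $x_i$ by a fresh random square. The block also shows the flip side of the same algebra: componentwise products of ciphertexts decrypt to the XOR of the plaintexts, so the property that allows fair exchange also makes the scheme malleable, which is the kind of active attack that Section 7.2 distinguishes from passive eavesdropping.

```python
import random
from math import gcd

# Constructed toy parameters (not the paper's): n = p*q with small primes so
# the run is instant. p and q are the private key; (n, y) is the public key.
P, Q = 10007, 10009
N = P * Q


def legendre(a, p):
    """Euler's criterion: +1 if a is a square mod the prime p, -1 otherwise."""
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def q_n(x):
    """Private predicate Q_n: 1 if x is a square mod n. Needs the factorization."""
    return 1 if legendre(x, P) == 1 and legendre(x, Q) == 1 else 0


def choose_y(rng):
    """Public y: a non-square mod both p and q, hence a quadratic nonresidue with
    Jacobi symbol +1, so the Jacobi symbol cannot tell it from a square."""
    while True:
        y = rng.randrange(2, N)
        if legendre(y, P) == -1 and legendre(y, Q) == -1:
            return y


def random_square(rng):
    """Uniformly random quadratic residue: square a random unit of Z_n."""
    while True:
        s = rng.randrange(2, N)
        if gcd(s, N) == 1:
            return s * s % N


def encrypt(bits, y, rng):
    """Probabilistic encryption of a k-bit message with the predicate Q_n:
    bit 0 -> random square, bit 1 -> y times a random square (a random
    non-square in Z_n^{+1}). Fresh randomness per bit."""
    return [random_square(rng) if b == 0 else y * random_square(rng) % N for b in bits]


def decrypt(cipher):
    """Private: the bit is 0 exactly when x_i is a square mod n."""
    return [0 if q_n(x) else 1 for x in cipher]


def reencrypt(cipher, rng):
    """Section 6.4: anyone can turn alpha into a fresh, uniformly distributed
    encryption of the same message without p or q, by multiplying each x_i by
    an independent random square. Squares form a subgroup of Z_n^{+1}, so the
    square coset and the non-square coset are each mapped onto themselves."""
    return [x * random_square(rng) % N for x in cipher]


def combine(cipher_a, cipher_b):
    """The same algebra used offensively: the componentwise product of two
    ciphertexts encrypts the XOR of the two messages (square*square and
    nonsquare*nonsquare are squares; square*nonsquare is not)."""
    return [a * b % N for a, b in zip(cipher_a, cipher_b)]


def seeded(seed):
    """Deterministic randomness source for the demo and tests."""
    return random.Random(seed)


def demo(seed=2024):
    """Encrypt, reencrypt, and check that decryption is unchanged while the
    ciphertext is not. Returns (same_plaintext, ciphertexts_differ)."""
    rng = seeded(seed)
    y = choose_y(rng)
    m = [1, 0, 1, 1, 0, 0, 1, 0]
    c1 = encrypt(m, y, rng)
    c2 = reencrypt(c1, rng)
    return decrypt(c1) == m == decrypt(c2), c1 != c2


if __name__ == "__main__":
    print(demo())  # (True, True)
```

Re-randomization and malleability are two faces of one fact, that $Q_n$ is a group homomorphism from $Z_n^{+1}$ onto $\{0,1\}$; semantic security as defined in this paper, against a passive eavesdropper, says nothing about either.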
7. FINAL REMARKS
7.1. Circuits versus Turing Machines

Let A be a user in a public key cryptosystem and k the number of bits in the description of the encryption algorithm $E_A$ put by A in the Public File. Assume one (finally) proves that, for all polynomial time Turing machines M, there exists a constant $k_0$ such that for all $k > k_0$, inverting $E_A$ on some message space requires $\Omega(2^{\sqrt{k}})$ steps. As a passive eavesdropper is entitled to choose M after $E_A$ has been put in the public file, what k should A choose?

It is to remove this difficulty that we have chosen circuit complexity as a complexity measure. It should be noticed that such a choice is not needed for proving our theorems. Intractability with respect to probabilistic polynomial time Turing machines could have been assumed, and all the theorems would have been proved in essentially the same way.
7.2. Other Types of Adversaries
In a public key cryptosystem, getting hold of the cyphertext by eavesdropping and trying, by computing, to decrypt it, is the most obvious attack. However, it is not the only one! Goldwasser, Micali, and Tong [12] show how, in the Diffie and Hellman model of a public key cryptosystem, an adversary can, being a user, break the security of the scheme by communicating. They proposed a modification of the Diffie and Hellman model and show that the new model is secure against line tappers and even against chosen cyphertext attack.
7.3. The Relationship between Shannon's Perfect Secrecy Definition and Semantic Security
Let us describe Shannon's definition of "perfect secrecy" in [23]. Consider an adversary with unlimited time and manpower available for analysis of intercepted cryptograms. Let the set of all possible messages be finite. These messages have a priori probabilities and are encoded and sent across the wire. When an adversary intercepts an encoded message, he can calculate the a posteriori probabilities for the various messages. Perfect secrecy is achieved if, for all encoded messages, the a posteriori probabilities are equal to the a priori probabilities. Thus intercepting the message gives the adversary no information.

In this paper, we defined a polynomially bounded version of Shannon's perfect secrecy, called semantic security. Semantic security means that when the adversary has only polynomially bounded resources available, intercepting the encoded message gives him no new information. Moreover, there exists no function defined on the message set that the adversary can compute after intercepting the encoded message which he could not compute without intercepting the message. For further discussion see [26].
ACKNOWLEDGMENTS
Our most sincere thanks go to Manuel Blum and Richard Karp, who supervised this research, for
their encouragement and wonderful ideas which they so readily shared with us. We are particularly
grateful to Zvi Galil, Mike Luby, Charles Rackoff, and Ron Rivest for their generous help in clarifying
the ideas and presentation in this paper. Many thanks are also due to Steve Cook, Faith Fich, Jeff
Shallit, Mike Sipser, and the referee for many ideas, comments, and criticism on both form and content.
Vijay Vazirani helped in the claim of Subsection 2.3.1.
REFERENCES
1. L. ADLEMAN, K. MANDERS, AND G. MILLER, On taking roots in finite fields, in "Proceedings of the 18th Annual IEEE Symposium on Foundations of Computer Science," pp. 175-177, 1977.
2. L. ADLEMAN, On distinguishing prime numbers from composite numbers, in "Proceedings of the 21st IEEE Symposium on the Foundations of Computer Science," pp. 387-408, Syracuse, N.Y., 1980.
3. M. BLUM, Coin flipping by telephone, in "Proceedings of the IEEE Spring COMPCON," pp. 133-137, 1982.
4. L. BLUM, M. BLUM, AND M. SHUB, "A Simple Secure Pseudo-Random Number Generator," CRYPTO, 1982.
5. M. BLUM AND S. MICALI, How to generate cryptographically strong sequences of pseudo random bits, in "Proceedings of the 23rd IEEE Symposium on the Foundations of Computer Science," Chicago, Ill., 1982.
6. G. BRASSARD, Relativized cryptography, in "Proceedings of the 20th IEEE Symposium on the Foundations of Computer Science," pp. 383-391, San Juan, Puerto Rico, 1979.
7. G. BRASSARD, On computationally secure authentication tags requiring short secret shared keys, CRYPTO, 1982.
8. C. F. GAUSS, "Disquisitiones Arithmeticae," 1801, translated by A. A. Clarke, S.J., Yale Univ. Press, New Haven, 1966.
9. W. DIFFIE AND M. E. HELLMAN, New directions in cryptography, IEEE Trans. Inform. Theory IT-22 (6) (1976), 644-654.
10. S. GOLDWASSER AND S. MICALI, "A Bit by Bit Secure Public Key Cryptosystem," Memorandum No. UCB/ERL M81/88, University of California, Berkeley, December 1981.
11. S. GOLDWASSER AND S. MICALI, Probabilistic encryption & how to play mental poker, keeping secret all partial information, in "Proceedings of the 14th STOC Conference," San Francisco, 1982.
12. S. GOLDWASSER, S. MICALI, AND P. TONG, Why and how to establish a private code in a public network, in "Proceedings of the 23rd Symposium on Foundations of Computer Science," Chicago, Ill., 1982.
13. S. GOLDWASSER, "Probabilistic Encryption: Theory and Applications," Ph.D. thesis, Univ. of California at Berkeley, 1983.
14. S. GOLDWASSER, S. MICALI, AND A. YAO, Strong signature schemes and authentication, in "Proceedings, 15th STOC," Boston, Mass., 1983.
15. R. K. GUY, How to factor a number, in "Proceedings of the Fifth Manitoba Conference on Numerical Math.," pp. 49-89, 1975.
16. D. KNUTH, "The Art of Computer Programming," Vol. 2, 2nd ed., Addison-Wesley, Reading, Mass., 1981.
17. R. LIPTON, How to cheat at mental poker, in "Proceedings of the AMS Short Course on Cryptology," January 1981.
18. G. MILLER, Riemann's hypothesis and tests for primality, Ph.D. thesis, U.C. Berkeley, 1975.
19. M. LUBY, S. MICALI, AND C. RACKOFF, How to simultaneously exchange a secret bit by flipping a symmetrically-biased coin, FOCS 1983.
20. M. RABIN, Digitalized signatures and public-key functions as intractable as factorization, MIT/LCS/TR-212, Technical Memo, MIT, 1979.
21. R. RIVEST, A. SHAMIR, AND L. ADLEMAN, A method for obtaining digital signatures and public key cryptosystems, Communications of the ACM, February 1978.
22. A. SHAMIR, R. RIVEST, AND L. ADLEMAN, "Mental Poker," MIT Technical Report, 1978.
23. C. E. SHANNON, Communication theory of secrecy systems, Bell System Tech. J. 28 (1949), 656-715.
24. D. SHANKS, "Solved and Unsolved Problems in Number Theory," Chelsea, New York, 1978.
25. V. VAZIRANI AND U. VAZIRANI, Secure one-bit disclosures using a pseudo random number generator, in "Proceedings, FOCS," 1983.
26. A. YAO, On the theory and application of trapdoor functions, in "Proceedings of the 23rd Symposium on the Foundations of Computer Science," Chicago, Ill., November 1982.