HOME

TheInfoList



OR:

The Okamoto–Uchiyama cryptosystem is a
public key cryptosystem Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic alg ...
proposed in 1998 by
Tatsuaki Okamoto Tatsuaki (written: , or ) is a masculine Japanese given name. Notable people with the name include: *, Japanese judoka *, Japanese Go player *, Japanese woodworker and lacquerware artist See also *TATSUAKI, a fashion label by Dan Liu Dan Liu ...
and Shigenori Uchiyama. The system works in the
multiplicative group of integers modulo n In modular arithmetic, the integers coprime (relatively prime) to ''n'' from the set \ of ''n'' non-negative integers form a group under multiplication modulo ''n'', called the multiplicative group of integers modulo ''n''. Equivalently, the ele ...
, (\mathbb/n\mathbb)^*, where ''n'' is of the form ''p''2''q'' and ''p'' and ''q'' are large
primes A prime number (or a prime) is a natural number greater than 1 that is not a product of two smaller natural numbers. A natural number greater than 1 that is not prime is called a composite number. For example, 5 is prime because the only ways ...
.


Operation

Like many public key cryptosystems, this scheme works in the group (\mathbb/n\mathbb)^*. This scheme is homomorphic and hence
malleable Ductility is a mechanical property commonly described as a material's amenability to drawing (e.g. into wire). In materials science, ductility is defined by the degree to which a material can sustain plastic deformation under tensile stres ...
.


Key generation

A public/private key pair is generated as follows: # Generate two large primes p and q. # Compute n = p^2 q. # Choose a random integer g \in \ such that g^ \not\equiv 1 \mod p^2. # Compute h = g^n \bmod n. The public key is then (n,g,h) and the private key is (p,q).


Encryption

A message m < p can be encrypted with the public key (n,g,h) as follows. # Choose a random integer r \in \. # Compute c = g^m h^r \bmod n. The value c is the encryption of m.


Decryption

An encrypted message c can be decrypted with the private key (p,q) as follows. # Compute a = \frac. # Compute b = \frac. a and b will be integers. # Using the
Extended Euclidean Algorithm In arithmetic and computer programming, the extended Euclidean algorithm is an extension to the Euclidean algorithm, and computes, in addition to the greatest common divisor (gcd) of integers ''a'' and ''b'', also the coefficients of Bézout's ide ...
, compute the inverse of b modulo p: #:b' = b^ \bmod p. # Compute m = ab' \bmod p. The value m is the decryption of c.


Example

Let p = 3 and q = 5. Then n = 3^2 \cdot 5 = 45. Select g = 22. Then h = 22^ \bmod 45 = 37. Now to encrypt a message m = 2, we pick a random r = 13 and compute c = g^m h^r \bmod n = 22^ 37^ \bmod 45 = 43. To decrypt the message 43, we compute : a = \frac = 1. : b = \frac = 2. : b' = 2^ \bmod 3 = 2. And finally m = ab' = 2.


Proof of correctness

We wish to prove that the value computed in the last decryption step, ab' \bmod p, is equal to the original message m. We have :(g^mh^r)^ \equiv (g^m g^)^ \equiv (g^)^m g^ \equiv (g^)^m \mod p^2 So to recover m we need to take the
discrete logarithm In mathematics, for given real numbers ''a'' and ''b'', the logarithm log''b'' ''a'' is a number ''x'' such that . Analogously, in any group ''G'', powers ''b'k'' can be defined for all integers ''k'', and the discrete logarithm log''b' ...
with base g^. The group :(\Z/n\Z)^* \simeq (\mathbb/p^2\mathbb)^* \times (\mathbb/q\mathbb)^*. We define ''H'' which is subgroup of \mathbb/p^2\mathbb^* and its cardinality is ''p-1'' :H = \. For any element ''x'' in (\mathbb/p^2\mathbb)^*, we have ''x''''p''−1 mod ''p''2 is in ''H'', since ''p'' divides ''x''''p''−1 − 1. The map L(x) = \frac should be thought of as a logarithm from the cyclic group ''H'' to the additive group \mathbb/p\mathbb, and it is easy to check that ''L''(''ab'') = ''L''(''a'') + ''L''(''b''), and that the ''L'' is an isomorphism between these two groups. As is the case with the usual logarithm, ''L''(''x'')/''L''(''g'') is, in a sense, the logarithm of ''x'' with base ''g''. which is accomplished by :\frac = m \mod p.


Security

The security of the ''entire'' message can be shown to be equivalent to factoring ''n''. The semantic security rests on the ''p''-subgroup assumption, which assumes that it is difficult to determine whether an element ''x'' in (\mathbb/n\mathbb)^* is in the subgroup of order ''p''. This is very similar to the
quadratic residuosity problem The quadratic residuosity problem (QRP) in computational number theory is to decide, given integers a and N, whether a is a quadratic residue modulo N or not. Here N = p_1 p_2 for two unknown primes p_1 and p_2, and a is among the numbers which are ...
and the
higher residuosity problem In cryptography, most public key cryptosystems are founded on problems that are believed to be intractable. The higher residuosity problem (also called the n th-residuosity problem) is one such problem. This problem is ''easier'' to solve than ...
.


References

* {{DEFAULTSORT:Okamoto-Uchiyama cryptosystem Public-key encryption schemes