Okamoto–Uchiyama cryptosystem - Alchetron, the free social encyclopedia

The Okamoto–Uchiyama cryptosystem was discovered in 1998 by Tatsuaki Okamoto and Shigenori Uchiyama. The system works in the multiplicative group of integers modulo n, ( Z / n Z ) ∗ , where n is of the form p²q and p and q are large primes.

Scheme definition

Like many public key cryptosystems, this scheme works in the group ( Z / n Z ) ∗ . A fundamental difference of this cryptosystem is that here n is a of the form p²q, where p and q are large primes. This scheme is homomorphic and hence malleable.

Key generation

A public/private key pair is generated as follows:

Generate large primes p and q and set n = p 2 q .

Choose g ∈ ( Z / n Z ) ∗ such that g p − 1 ≠ 1 mod p 2 .

Let h = gⁿ mod n.

The public key is then (n, g, h) and the private key is the factors (p, q).

Message encryption

To encrypt a message m, where m is taken to be an element in 2 k − 1

Select r ∈ Z / n Z at random. Set

Message decryption

If we define L ( x ) = x − 1 p , then decryption becomes

m = L ( C p − 1 mod p 2 ) L ( g p − 1 mod p 2 ) mod p

How the system works

The group

( Z / n Z ) ∗ ≃ ( Z / p 2 Z ) ∗ × ( Z / q Z ) ∗ .

The group ( Z / p 2 Z ) ∗ has a unique subgroup of order p, call it H. By the uniqueness of H, we must have

H = { x : x p ≡ 1 mod p } .

For any element x in ( Z / p 2 Z ) ∗ , we have x^p−1 mod p² is in H, since p divides x^p−1 − 1.

The map L should be thought of as a logarithm from the cyclic group H to the additive group Z / p Z , and it is easy to check that L(ab) = L(a) + L(b), and that the L is an isomorphism between these two groups. As is the case with the usual logarithm, L(x)/L(g) is, in a sense, the logarithm of x with base g.

We have

( g m h r ) p − 1 = ( g m g n r ) p − 1 = ( g p − 1 ) m g p ( p − 1 ) r p q = ( g p − 1 ) m mod p 2 .

So to recover m we just need to take the logarithm with base g^p−1, which is accomplished by

L ( ( g p − 1 ) m ) L ( g p − 1 ) = m mod p .

Security

The security of the entire message can be shown to be equivalent to factoring n. The semantic security rests on the p-subgroup assumption, which assumes that it is difficult to determine whether an element x in ( Z / n Z ) ∗ is in the subgroup of order p. This is very similar to the quadratic residuosity problem and the higher residuosity problem.

References

Okamoto–Uchiyama cryptosystem Wikipedia

(Text) CC BY-SA

Contents