1 Introduction

Encryption is arguably one of the most fundamental cryptographic primitives. Although it seems an easy task to identify properties that a good encryption scheme must fulfill, it turns out that rigorously defining the right security notion is not trivial at all. Security is context sensitive. Merely requiring that the plaintext cannot be recovered from the ciphertext is not enough in most applications. One may require that the knowledge of some a priori information on the plaintext does not help the adversary to obtain any new information, that is, beyond what can be obtained from the a priori information. This intuition is formally captured by the notion of semantic security, introduced in a seminal paper by Goldwasser and Micali [20]. They also introduced the equivalent notion of indistinguishability of encryptions, which is usually easier to work with. Given the encryption of any two equal-length (distinct) plaintexts, an adversary should not be able to distinguish the corresponding ciphertexts.

Clearly, the latter notion is only achievable by probabilistic encryption schemes. One such cryptosystem was also presented in [20]. It achieves ciphertext indistinguishability under the Quadratic Residuosity (\({\mathsf {QR}}\)) assumption. Informally, this assumption says that it is infeasible to distinguish squares from nonsquares in \({\mathbb {J}}_N\) (i.e., the set of elements in \({\mathbb {Z}}_N^*\) whose Jacobi symbol is \(+1\)) where \(N = pq\) is an RSA-type modulus of unknown factorization.

The Goldwasser–Micali cryptosystem is simple and elegant. The public key comprises an RSA modulus \(N = pq\) and a nonsquare \(y \in {\mathbb {J}}_N\), while the private key is the secret factor p. The encryption of a bit \(m \in \{0,1\}\) is given by \(c = y^m\, x^2 \hbox { mod }N\) for a random \(x \in {\mathbb {Z}}_N^*\). The message m is recovered using p, by checking whether c is a square: \(m = 0\) if so, and \(m = 1\) otherwise —observe that a nonsquare \(y \in {\mathbb {J}}_N\) is also a nonsquare modulo p. The encryption of a bitstring \(m = {(m_{k-1}, \cdots , m_0)}_2\), with \(m_i \in \{0,1\}\), proceeds by forming the ciphertexts \(c_i = y^{m_i}\, x^2 \hbox { mod }N\), for \(0 \le i \le k-1\). The scheme is computationally efficient but somewhat wasteful in bandwidth as \(k\cdot \log _2 N\) bits are needed to encrypt a k-bit message. Several proposals were made to address this issue.

A first attempt is due to Blum and Goldwasser [8]. They achieve a better ciphertext expansion: the ciphertext has the same length as the plaintext plus an integer of the size of the modulus. The scheme is proved semantically secure assuming the unpredictability of the output of the Blum–Blum–Shub pseudorandom generator [4, 5], which relies on the hardness of factoring. Details about this scheme can be found in [21].

Another direction, put forward by Benaloh and Fischer [6, 11], is to use a k-bit prime r such that \(r \mid p-1\), \(r^2 \not \mid p-1\) and \(r \not \mid q-1\). The scheme also requires \(y \in {\mathbb {Z}}_N^*\) such that \(y^{\phi (N)/r} \not \equiv 1 \pmod {N}\), where \(\phi (N) = (p-1)(q-1)\) denotes Euler’s totient function. A k-bit message m (with \(m < r\)) is encrypted as \(c = y^m\,x^r \hbox { mod }N\), where \(x \in _R {\mathbb {Z}}_N^*\). It is recovered by searching over the entire message space, \([0,r) \subseteq \{0,1\}^k\), for the element m satisfying \((y^{\phi (N)/r})^m \equiv c^{\phi (N)/r} \pmod {N}\). The scheme is shown to be secure under the prime residuosity assumption (which generalizes the quadratic residuosity assumption). With the Benaloh–Fischer cryptosystem, the ciphertext corresponding to a k-bit message is short, but the decryption process is now demanding. In practice, the scheme is therefore limited to small values of k, say \(k < 40\).

The Benaloh–Fischer cryptosystem was subsequently extended by Naccache and Stern [39]. They observe that the decryption can be sped up by considering instead a product of small (odd) primes \(R = \prod _i r_i\) such that \(r_i \mid \phi (N)\) but \({r_i}^2 \not \mid \phi (N)\) for each prime \(r_i\). Given a ciphertext, the plaintext m is reconstructed from \(m_i {:}{=}m \hbox { mod }r_i\) through Chinese remaindering. The advantage is that each \(m_i\) is searched in the subspace \([0, r_i)\) instead of the entire message space. A variant of this technique was used by Groth [22].

Other generalizations and extensions of the Goldwasser–Micali cryptosystem, but without formal security analysis, can be found in [30, 44, 52]. In [35, 36], Monnerat and Vaudenay developed applications using the more general theory of characters, specifically with characters of order \(\le 4\). Related cryptosystems are described in [47, 49]. A different approach was proposed by Okamoto and Uchiyama [41], who suggested using moduli of the form \(N = p^2q\). This allows encrypting messages of size up to \(\log _2 p\) bits. This was later extended by Paillier [42] to the setting \(N = p^2q^2\) (see also [12, 14]).

A useful application of additive homomorphic encryption schemes resides in the construction of lossy trapdoor functions (or LTDFs in short). These functions, as introduced by Peikert and Waters [45], are function families wherein injective functions are computationally indistinguishable from lossy functions, which lose many bits of information about their input. LTDFs have proved to be very powerful and versatile in the cryptographer’s toolbox. They notably imply chosen-ciphertext-secure public-key encryption [45], deterministic encryption [3, 7], as well as cryptosystems that retain some security in the absence of reliable randomness [2] or in the presence of selective-opening adversaries [9].

1.1 Our Contributions

New Homomorphic Cryptosystem. We suggest an improvement of the original Goldwasser–Micali cryptosystem. It can be seen as a follow-up of the earlier works due to Benaloh and Fischer [11] and Naccache and Stern [39]. Before discussing it, we quote from [39]:

“Although the question of devising new public-key cryptosystems appears much more difficult [...] we feel that research in this direction is still in order: simple yet efficient constructions may have been overlooked.”

It is striking that the generalized cryptosystem in this paper was not already proposed because, as will become apparent (cf. Sect. 3), it turns out to be a very natural generalization. Our approach consists in considering \(n^{\mathrm {th}}\)-power residues modulo N with \(n = 2^k\) (the Goldwasser–Micali system corresponds to the case \(k = 1\)). This presents many advantages. First, the resulting cryptosystem is bandwidth efficient: only \(\log _2N\) bits are needed for encrypting a k-bit message in typical applications (e.g., using the KEM/DEM paradigm). Second, the decryption process is fast. Searches are no longer needed (not even in smaller subspaces) in the decryption algorithm, as plaintext messages can be recovered bit by bit. Further, although asymptotically slower than in Paillier’s cryptosystem, the decryption process turns out to achieve comparable performance for most practical values of k (e.g., \(k \le 128\)). As a last advantage, the underlying complexity assumptions are similar to those used by Goldwasser and Micali. The proposed cryptosystem is shown to be secure under the quadratic residuosity assumption for RSA moduli \(N = pq\) such that \(p \equiv 1 \pmod {2^k}\) and \(q \equiv 3 \pmod 4\). When \(q \not \equiv 3 \pmod 4\), it assumes in addition the hardness of determining the Jacobi symbol of an element \(y \in {\mathbb {Z}}_N^*\) given a pair \((x, N)\) where \(x = y^2 \hbox { mod }N\). Although the proposed cryptosystem makes use of primes of special form, there are no known factoring algorithms taking advantage of that. Further, complexity-wise, the use of such special primes does not incur a penalty with the latest prime generation algorithms. As will be seen, the time required to generate a random prime \(p \equiv 1 \pmod {2^k}\) is essentially the same as the time required to generate a random, form-free prime.

We also note that, similarly to the Goldwasser–Micali cryptosystem, our generalized cryptosystem enjoys an additive property known as homomorphic encryption. If \(c_1\) and \(c_2\) denote two ciphertexts corresponding to k-bit plaintexts \(m_1\) and \(m_2\), respectively, then \(c_1 \cdot c_2 \pmod {N}\) is an encryption of the message \({m_1 + m_2} \pmod {2^k}\). This proves useful in several applications such as voting schemes.

As another useful property, the new scheme inherits the selective-opening security [9, 15] of the Goldwasser–Micali system (in the sense of a simulation-based definition given in [9]). We actually prove its semantic security by showing that its public key is indistinguishable from a so-called lossy key for which encryptions reveal nothing about the encrypted message.

We thus believe our system to provide an interesting competitor to Paillier’s cryptosystem for certain applications. As a salient example, we show that it provides a dramatically improved lossy trapdoor function.

New Efficient Lossy Trapdoor Functions. The initial LTDF realizations [45] were based on the Decisional Diffie–Hellman (\({\mathsf {DDH}}\)) and Learning-with-Error (\({\mathsf {LWE}}\)) [46] assumptions. More efficient examples based on the Decisional Composite Residuosity (\({\mathsf {DCR}}\)) assumption were given in [7, 18, 19], while Kiltz et al. [32] showed that the RSA permutation provides a lossy function. Under the Quadratic Residuosity (\({\mathsf {QR}}\)) assumption, three distinct constructions were put forth in [18, 19, 25, 50]. Those of Freeman et al. [18, 19] and of Wee [50] must be used in combination with the results of Mol and Yilek [37] as they only lose single bits of information about the input. Hemenway and Ostrovsky [25] suggested a more efficient realization, of which Wee’s framework [50] is a generalization. While their \({\mathsf {QR}} \)-based LTDF has found applications in the design of deterministic encryption schemes [10], it is conceptually very similar to the Peikert–Waters matrix-based schemes and suffers from similarly large outputs and descriptions.

We show that our variant of the Goldwasser–Micali cryptosystem drastically improves the efficiency of the Hemenway–Ostrovsky LTDF. Specifically, it reduces both the length of the output and the description of the function. By appropriately selecting the parameters, we obtain evaluation keys and outputs consisting of a constant number of \({\mathbb {Z}}_N^*\) elements. We thus get a \({\mathsf {DDH}}/{\mathsf {QR}} \)-based LTDF, whose efficiency is competitive with Paillier-based realizations [7, 18, 19]. These improvements carry over to the deterministic encryption setting, when the Hemenway–Ostrovsky LTDF is used as a building block of the Brakerski–Segev system [10].

1.2 Outline of the Paper

In the next section, we introduce some mathematical background and review some complexity assumptions. In Sect. 3, we present our generalized cryptosystem. We prove its security in Sect. 4. Section 5 discusses certain implementation aspects. In Sect. 6, we describe our new lossy trapdoor function. Finally, we conclude in Sect. 7.

2 Background

We review some useful background and fix the notation. In particular, we define the n-th power residue symbol. We refer the reader to [26, 48, 51] for further details on (quadratic) residuosity. More information about encryption schemes can be found in textbooks in cryptography (e.g., [21, 31]).

2.1 General Notation

The set of nonnegative integers is denoted by \({\mathbb {N}}\). For any integer \(N \ge 2\), \({\mathbb {Z}}_N\) denotes the ring of integers modulo N, and \({\mathbb {Z}}_N^*\) denotes its group of units. The order of \({\mathbb {Z}}_N^*\) is \(\phi (N)\), where \(\phi \) is Euler’s totient function.

For any positive integer N and any integer a, \(a \hbox { mod }N\) represents the smallest integer in the set \(\{0,\cdots ,N-1\}\) that is congruent to a modulo N. Furthermore, for any positive odd integer N and any integer a, \(a \mathbin {\mathrm {mods}}N\) represents the absolute smallest residue of a modulo N —note the “s” ending the “mod” operator. The complete set of absolute smallest residues is \(\{-(N-1)/2, \cdots ,-1,0,1,\cdots ,(N-1)/2\}\).

2.2 \(n^{\mathrm {th}}\)-Power Residues

Let \(N \ge 2\) be an integer. For each integer \(n \ge 2\), we define \(({\mathbb {Z}}_N^*)^n = \{ x^n \mid x \in {\mathbb {Z}}_N^* \}\) as the set of \(n^{\mathrm {th}}\)-power residues modulo N. If the relation \(a = x^n\) has no solution in \({\mathbb {Z}}_N^*\), then a is called an \(n^{\mathrm {th}}\)-power nonresidue modulo N.

Suppose that p is an odd prime. For any integer a with \(\gcd (a,p) = 1\), it is easily verified that a is an \(n^{\mathrm {th}}\)-power residue modulo p if and only if

$$\begin{aligned} a^{\frac{p-1}{\gcd (n,p-1)}} \equiv 1 \pmod {p}. \end{aligned}$$

When \(n = 2\) (and so \(\gcd (n,p-1) = 2\)), this is known as Euler’s criterion. It allows one to distinguish quadratic residues from quadratic nonresidues. This defines the Legendre symbol:

$$\begin{aligned} \left(\frac{a}{p}\right) = {\left\{ \begin{array}{ll} 1 & \text { if } a \text { is a quadratic residue modulo } p\\ -1 & \text { if } a \text { is a quadratic nonresidue modulo } p \end{array}\right. }. \end{aligned}$$

There are several ways to generalize the Legendre symbol (see [34]). In this paper, we consider the n-th power residue symbol for a divisor n of \((p-1)\), as presented in [51, Definition 1.6.21].

Definition 1

Let p be an odd prime and let \(n \ge 2\) be such that \(n \mid p-1\). Then, the symbol

$$\begin{aligned} \left(\frac{a}{p}\right)_{n} = a^{\frac{p-1}{n}} \mathbin {\mathrm {mods}}p \end{aligned}$$

is called the n-th power residue symbol modulo p.

It satisfies the following properties. Let a and b be two integers that are co-prime to p. Then,

  1. If \(a \equiv b \pmod {p}\) then \(\left(\frac{a}{p}\right)_{n} = \left(\frac{b}{p}\right)_{n}\);

  2. \(\left(\frac{a^n}{p}\right)_{n} = 1\);

  3. \(\left(\frac{ab}{p}\right)_{n} = \left(\frac{a}{p}\right)_{n} \, \left(\frac{b}{p}\right)_{n} \mathbin {\mathrm {mods}}p\);

  4. \(\left(\frac{1}{p}\right)_{n} = 1\) and \(\left(\frac{-1}{p}\right)_{n} = (-1)^{\frac{p-1}{n}}\).
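As an added worked example (not code from the paper), the following Python implements Definition 1 together with the mods operator of Sect. 2.1 and the residuosity criterion above, and checks properties 1–4 numerically. The prime \(p = 17\) and the arguments are constructed values chosen so that every \(n \in \{2, 4, 8, 16\}\) divides \(p-1\); all function names are this example's own.

```python
from math import gcd


def mods(a, n):
    """Absolute smallest residue of a modulo odd n (the 'mods' operator of Sect. 2.1):
    the representative of a in {-(n-1)/2, ..., (n-1)/2}."""
    r = a % n
    return r - n if r > (n - 1) // 2 else r


def power_residue_symbol(a, p, n):
    """n-th power residue symbol (a/p)_n = a^((p-1)/n) mods p (Definition 1).
    Requires an odd prime p with n | p-1 and gcd(a, p) = 1."""
    if p % 2 == 0 or (p - 1) % n != 0 or a % p == 0:
        raise ValueError("need odd prime p with n | p-1 and gcd(a, p) = 1")
    return mods(pow(a, (p - 1) // n, p), p)


def legendre(a, p):
    """Legendre symbol: the n = 2 case, values in {1, -1} (Euler's criterion)."""
    return power_residue_symbol(a, p, 2)


def is_nth_power_residue(a, p, n):
    """Criterion of Sect. 2.2: a is an n-th power residue modulo p
    iff a^((p-1)/gcd(n, p-1)) == 1 (mod p)."""
    return pow(a, (p - 1) // gcd(n, p - 1), p) == 1


def check_properties(p, n, a, b):
    """Verify properties 1-4 of the n-th power residue symbol for a, b coprime to p.
    Returns True when all four hold."""
    def sym(v):
        return power_residue_symbol(v, p, n)

    prop1 = sym(a) == sym(a + p)                    # depends only on a mod p
    prop2 = sym(pow(a, n, p)) == 1                  # n-th powers map to 1
    prop3 = sym(a * b) == mods(sym(a) * sym(b), p)  # multiplicative, reduced mods p
    prop4 = sym(1) == 1 and sym(-1) == (-1) ** ((p - 1) // n)
    return prop1 and prop2 and prop3 and prop4


if __name__ == "__main__":
    p = 17  # constructed toy prime: 2^4 | p - 1
    for n in (2, 4, 8, 16):
        print(n, [power_residue_symbol(a, p, n) for a in range(1, p)],
              check_properties(p, n, 3, 5))
```

Note that for \(n = 2\) the symbol lands in \(\{1, -1\}\) exactly as the Legendre symbol does, while for larger n it takes values in the subgroup of order n of \({\mathbb {Z}}_p^*\), written as absolute smallest residues; this is the object the decryption algorithm of Sect. 3 works with.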

2.3 Quadratic Residuosity

Let \(N = pq\) be the product of two (odd) primes p and q. For an integer a co-prime to N, the Jacobi symbol is the product of the corresponding Legendre symbols, namely \(\left(\frac{a}{N}\right) = \left(\frac{a}{p}\right) \left(\frac{a}{q}\right)\). This gives rise to the multiplicative group \({\mathbb {J}}_N\) of integers whose Jacobi symbol is \(+1\), \({\mathbb {J}}_N = \bigl \{ a \in {\mathbb {Z}}_N^* \mid \textstyle \left(\frac{a}{N}\right) = 1 \bigr \}\). A relevant subset of \({\mathbb {J}}_N\) is the set of quadratic residues modulo N, \({\mathbb {QR}}_N = \bigl \{ a \in {\mathbb {Z}}_N^* \mid \textstyle \left(\frac{a}{p}\right) = \left(\frac{a}{q}\right) = 1 \bigr \}\). The set of integers whose Jacobi symbol is \(-1\) is denoted by \(\overline{{\mathbb {J}}}_N\); i.e., \(\overline{{\mathbb {J}}}_N = \bigl \{ a \in {\mathbb {Z}}_N^* \mid \textstyle \left(\frac{a}{N}\right) = -1 \bigr \} = {\mathbb {Z}}_N^* {\setminus } {\mathbb {J}}_N\).

The Quadratic Residuosity (\({\mathsf {QR}}\)) assumption says that, given a random element \(a \in {\mathbb {J}}_N\), it is hard to decide whether \(a \in {\mathbb {QR}}_N\) if the prime factors of N are unknown. To emphasize that this should hold for RSA moduli \(N = pq\) with \(p \equiv 1 \pmod {2^k}\) for some \(k \ge 1\), we refer to it as the \(k\text {-}{\mathsf {QR}}\) assumption. Formally, we have:

Definition 2

(Quadratic Residuosity Assumption, \(k\text {-}{\mathsf {QR}}\)) Let \(\mathop {{\mathsf {RSAGen}}}\) be a probabilistic algorithm which, given a security parameter \(\kappa \), outputs primes p and q such that \(p \equiv 1 \pmod {2^k}\), and their product \(N = pq\). The Quadratic Residuosity (\(k\text {-}{\mathsf {QR}}\)) assumption asserts that the function \(\mathbf {Adv}^{k\text {-}{\mathsf {QR}}}_{{\mathcal {D}}}(\kappa )\), defined as the distance

$$\begin{aligned} \left| \Pr [{\mathcal {D}}(x,N)=1 \mid x \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}{\mathbb {QR}}_N] - \Pr [{\mathcal {D}}(x,N)=1 \mid x \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}{\mathbb {J}}_N {\setminus } {\mathbb {QR}}_N] \right| \end{aligned}$$

is negligible for any probabilistic polynomial-time distinguisher \({\mathcal {D}}\); the probabilities are taken over the experiment of running \((N,p,q) \leftarrow \mathop {{\mathsf {RSAGen}}}(1^\kappa )\) and choosing at random \(x \in {\mathbb {QR}}_N\) and \(x \in {\mathbb {J}}_N {\setminus } {\mathbb {QR}}_N\).

We also introduce a new assumption. The new assumption, which we call the Squared Jacobi Symbol (\({\mathsf {SJS}}\)) assumption, posits the infeasibility of determining whether \(\left(\frac{y}{N}\right) = 1\) or \(-1\) given \((x, N)\) where \(x = y^2 \hbox { mod }N\). Again, when the assumption is directed to RSA moduli \(N = pq\) with \(p \equiv 1 \pmod {2^k}\), we write it \(k\text {-}{\mathsf {SJS}}\). Formally, we define:

Definition 3

(Squared Jacobi Symbol Assumption, \(k\text {-}{\mathsf {SJS}}\)) Let \(\mathop {{\mathsf {RSAGen}}}\) be a probabilistic algorithm which, given a security parameter \(\kappa \), outputs primes p and q such that \(p \equiv 1 \pmod {2^k}\), and their product \(N = pq\). The Squared Jacobi Symbol (\(k\text {-}{\mathsf {SJS}}\)) assumption asserts that the function \(\mathbf {Adv}^{k\text {-}{\mathsf {SJS}}}_{{\mathcal {D}}}(\kappa )\), defined as the distance

$$\begin{aligned} \left| \Pr [{\mathcal {D}}(y^2 \hbox { mod }N,N) = 1 \mid y \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}{\mathbb {J}}_N] - \Pr [{\mathcal {D}}(y^2 \hbox { mod }N, N) = 1 \mid y \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\overline{{\mathbb {J}}}_N]\right| \end{aligned}$$

is negligible for any probabilistic polynomial-time distinguisher \({\mathcal {D}}\); the probabilities are taken over the experiment of running \((N,p,q) \leftarrow \mathop {{\mathsf {RSAGen}}}(1^\kappa )\) and choosing at random \(y \in {\mathbb {J}}_N\) and \(y \in \overline{{\mathbb {J}}}_N\).

When \(q \equiv 3 \pmod 4\), any element \(x \in {\mathbb {QR}}_N\) has four square roots: two of Jacobi symbol \(+1\) and two of Jacobi symbol \(-1\). In that case, as detailed in Sect. 3.3, the \(k\text {-}{\mathsf {SJS}}\) assumption holds perfectly.

3 A New Public-Key Encryption Scheme

We generalize the Goldwasser–Micali cryptosystem so that it can efficiently support the encryption of larger messages while remaining additively homomorphic.

3.1 Description

The setting is basically the same as for the Goldwasser–Micali cryptosystem. The only additional requirement is that the prime p is chosen congruent to 1 modulo \(2^k\), where k denotes the bit size of the messages being encrypted. The case \(k=1\) (i.e., encryption of 1-bit messages) corresponds to the Goldwasser–Micali cryptosystem.

In more detail, our encryption scheme is the tuple \((\mathop {{\mathsf {KeyGen}}}, \mathop {{\mathsf {Encrypt}}}, \mathop {{\mathsf {Decrypt}}})\) defined as follows.

  • \(\mathop {{\mathsf {KeyGen}}}(1^\kappa )\) Given a security parameter \(\kappa \), \(\mathop {{\mathsf {KeyGen}}}\) defines an integer \(k \ge 1\), randomly generates primes p and q such that \(p \equiv 1 \pmod {2^k}\), and sets \(N = pq\). It also picks a random \(y \in {\mathbb {J}}_N{\setminus } {\mathbb {QR}}_N\). The public and private keys are \( pk = \{N, y, k\}\) and \( sk = \{ p \}\), respectively.

  • \(\mathop {{\mathsf {Encrypt}}}( pk , m)\) Let \({\mathcal {M}}= \{0,1\}^k\). To encrypt a message \(m \in {\mathcal {M}}\) (seen as an integer in \(\{0, \cdots , 2^k-1\}\)), \(\mathop {{\mathsf {Encrypt}}}\) picks a random \(x \in {\mathbb {Z}}_N^*\) and returns the ciphertext \(c = y^m \, x^{2^k} \hbox { mod }N\).

  • \(\mathop {{\mathsf {Decrypt}}}( sk , c)\) Given \(c \in {\mathbb {Z}}_N^*\) and the private key \( sk =\{p\}\), the algorithm first computes \(z = \left(\frac{c}{p}\right)_{2^{k}}\) and then finds \(m \in \{0, \cdots , 2^k-1\}\) such that the relation

    $$\begin{aligned} z = \left[ \left(\frac{y}{p}\right)_{2^k}\right] ^m \mathbin {\mathrm {mods}}{p} \end{aligned}$$

    holds. A fast decryption algorithm is detailed in Sect. 3.2.

The correctness of the decryption is easily verified by observing that \(\alpha {:}{=} \left(\frac{y}{p}\right)_{2^k}\) has order \(2^k\) as an element in \({\mathbb {Z}}_p^*\). Indeed, letting \(n = {\text {ord}}_p(\alpha )\) denote the order of \(\alpha \), we have \(n \mid 2^k\) since, by definition, \(\alpha \equiv y^{\frac{p-1}{2^k}} \pmod p\). But n cannot be equal to \(2^{k'}\) for some \(k' < k\) because \(\alpha ^{2^{k'}} \equiv 1 \pmod p\) would imply \(y^{\frac{p-1}{2}} \equiv 1 \pmod p\), which contradicts the assumption that \(y \in {\mathbb {J}}_N {\setminus } {\mathbb {QR}}_N \iff \left(\frac{y}{p}\right) = \left(\frac{y}{q}\right) = -1\). The decryption algorithm recovers the unique \(m \in \{0,\cdots ,2^k -1\}\) such that \(\alpha ^m \equiv z \pmod p\).

Furthermore, the scheme is homomorphic for the addition modulo \(2^k\): if \(c_1 = y^{m_1} \, {x_1}^{2^k}\) and \(c_2 = y^{m_2} \, {x_2}^{2^k}\) are ciphertexts of \(m_1\) and \(m_2\), respectively, then \(c_1 \cdot c_2 = y^{m_1+m_2} {(x_1x_2)}^{2^k} \hbox { mod }N\) is a ciphertext of \(m_1 +m_2 \pmod {2^k}\).

3.2 Fast Decryption

At first glance, from the above description, it seems that the decryption process amounts to a search through the entire message space \(\{0,1\}^k\), similarly to some earlier cryptosystems. But we can do better. One of the main advantages of the proposed cryptosystem is that it provides an efficient way to recover the message. Hence, it remains practical, even for large values of k. The decryption algorithm proceeds similarly to the Pohlig–Hellman algorithm [43].

The message \(m \in \{0,1\}^k\) is viewed as a k-bit integer given by its binary expansion \(m = \sum _{i=0}^{k-1} m_i \, 2^i\), with \(m_i \in \{0,1\}\). Given \(c = y^m x^{2^k} \hbox { mod }N\), we have

$$\begin{aligned} \left(\frac{c}{p}\right)_{2^i} = \left(\frac{y^m x^{2^k}}{p}\right)_{2^i} = \left(\frac{y^{\sum _{j=0}^{i-1}m_j\,2^j}}{p}\right)_{2^i} = \left(\frac{y}{p}\right)_{2^i}^{\sum _{j=0}^{i-1}m_j\,2^j} \mathbin {\mathrm {mods}}{p} \end{aligned}$$

since \(y^m x^{2^k}= y^{\sum _{j=0}^{i-1}m_j\,2^j} \cdot \bigl (y^{\sum _{j=i}^{k-1}m_j\,2^{j-i}}x^{2^{k-i}}\bigr )^{2^i}\), for \(1 \le i \le k\). As a result, m can be recovered bit by bit using p, starting from the least significant bit. Implementation details are provided in Sect. 5.2.
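The following Python is an added example, not the paper's own implementation (the authors' implementation details are in Sect. 5.2, which is not reproduced here). It runs the scheme of Sect. 3.1 end to end and decrypts bit by bit exactly as the relation above dictates: at step i, \(\left(\frac{c}{p}\right)_{2^i}\) equals \(\alpha_i^{\,m \bmod 2^i}\) with \(\alpha_i = \left(\frac{y}{p}\right)_{2^i}\) of order \(2^i\), so bit \(m_{i-1}\) is whichever of the two candidates reproduces the symbol. The primes \(p = 97\) (\(2^4 \mid p-1\)) and \(q = 11\) are constructed toy values supplied by the caller rather than generated at a security-parameter size, and y is chosen deterministically as the smallest element of \({\mathbb {J}}_N \setminus {\mathbb {QR}}_N\) so that the run is reproducible; a real key would draw y at random. With \(k = 1\) the same code is the Goldwasser–Micali scheme.

```python
from math import gcd
import secrets


def legendre(a, p):
    """Legendre symbol of a modulo an odd prime p (Euler's criterion), in {1, -1}."""
    return -1 if pow(a, (p - 1) // 2, p) == p - 1 else 1


def keygen(p, q, k):
    """KeyGen of Sect. 3.1 for caller-supplied primes p, q (toy sizes here).
    Returns (pk, sk) = ((N, y, k), p)."""
    if (p - 1) % (1 << k) != 0:
        raise ValueError("p must be congruent to 1 modulo 2^k")
    N = p * q
    # y in J_N \ QR_N, i.e. (y/p) = (y/q) = -1. Smallest such y, for reproducibility
    # in this example only; a real key picks y at random.
    y = next(v for v in range(2, N)
             if gcd(v, N) == 1 and legendre(v, p) == -1 and legendre(v, q) == -1)
    return (N, y, k), p


def encrypt(pk, m, x=None):
    """Encrypt: c = y^m * x^(2^k) mod N for a random x in Z_N^* (x may be fixed for tests)."""
    N, y, k = pk
    if not 0 <= m < (1 << k):
        raise ValueError("message must be a k-bit integer")
    while x is None or gcd(x, N) != 1:
        x = secrets.randbelow(N - 1) + 1
    return pow(y, m, N) * pow(x, 1 << k, N) % N


def decrypt(sk, pk, c):
    """Fast decryption of Sect. 3.2: recover m bit by bit, least significant first.
    Residues are compared in [0, p) rather than as 'mods' values; the test is the same."""
    p = sk
    N, y, k = pk
    m = 0
    for i in range(1, k + 1):
        e = (p - 1) >> i                  # exponent (p-1)/2^i
        z = pow(c, e, p)                  # (c/p)_{2^i} = alpha_i^(m mod 2^i)
        alpha = pow(y, e, p)              # alpha_i = (y/p)_{2^i}, of order 2^i
        if pow(alpha, m | (1 << (i - 1)), p) == z:
            m |= 1 << (i - 1)             # bit i-1 is 1
        elif pow(alpha, m, p) != z:
            raise ValueError("ciphertext is not an encryption under this key")
    return m


def add_ciphertexts(pk, c1, c2):
    """Homomorphic addition: Enc(m1) * Enc(m2) mod N decrypts to m1 + m2 mod 2^k."""
    return c1 * c2 % pk[0]


if __name__ == "__main__":
    pk, sk = keygen(97, 11, 4)            # constructed toy parameters, k = 4
    for m in range(16):
        print(m, decrypt(sk, pk, encrypt(pk, m)))
    c = add_ciphertexts(pk, encrypt(pk, 9), encrypt(pk, 12))
    print("9 + 12 mod 16 =", decrypt(sk, pk, c))
```

Each step of the loop costs one exponentiation modulo p for z and one for the candidate check, so decryption needs \(O(k)\) exponentiations rather than a search over \(2^k\) messages; the explicit error branch also matters in practice, since a value outside the ciphertext space would otherwise be silently mapped to some plaintext.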

3.3 Security Analysis

We focus on semantic security. The case \(k=1\) corresponds to the Goldwasser–Micali cryptosystem. Indeed, when \(k=1\), the \(2^k\)-th power residue symbol is then the classical Legendre symbol and the assumption \(p \equiv 1 \pmod {2^k}\) is trivially verified. The Goldwasser–Micali scheme has indistinguishable encryptions under the standard Quadratic Residuosity assumption.

In the general case (i.e., \(k \ge 1\)), we prove that the scheme provides indistinguishable encryptions (\({\mathsf {IND}}\)-\({\mathsf {CPA}}\) security) under the \(k\text {-}{\mathsf {QR}}\) and \(k\text {-}{\mathsf {SJS}}\) assumptions. More precisely:

Theorem 1

Let \(\kappa \) denote the security parameter. For any \({\mathsf {IND}}\)-\({\mathsf {CPA}}\) adversary \({\mathcal {A}}\) against the scheme of Sect. 3.1, there exist a \(k\text {-}{\mathsf {QR}}\) distinguisher \({\mathcal {D}}_1\) and a \(k\text {-}{\mathsf {SJS}}\) distinguisher \({\mathcal {D}}_2\) with comparable running times and such that

$$\begin{aligned} \mathbf {Adv}^{{\mathsf {ind}}\text {-}{\mathsf {cpa}}}_{{\mathcal {A}}}(\kappa ) \le \tfrac{3}{2}\, \left( (k - \tfrac{1}{3}) \cdot \mathbf {Adv}_{{\mathcal {D}}_1}^{k\text {-}{\mathsf {QR}}}(\kappa ) + (k-1)\cdot \mathbf {Adv}_{{\mathcal {D}}_2}^{k\text {-}{\mathsf {SJS}}}(\kappa ) \right) . \end{aligned}$$

Proof

The proof is given in Sect. 4.\(\square \)

When \(k=1\), the theorem reads \(\mathbf {Adv}^{{\mathsf {ind}}\text {-}{\mathsf {cpa}}}_{{\mathcal {A}}}(\kappa ) \le \mathbf {Adv}_{{\mathcal {D}}_1}^{{\mathsf {QR}}}(\kappa )\), as shown in [20].

We henceforth assume \(k \ge 2\). When \(k \ge 2\), the condition \(p \equiv 1 \pmod {2^k}\) implies \(p \equiv 1 \pmod {4}\). Depending on q, there are two possible subcases. If \(q \equiv 1 \pmod 4\) then \(-1\) is a square modulo p and modulo q. The square roots of any element of \({\mathbb {QR}}_N\) then all have the same Jacobi symbol modulo N. The hardness to distinguish among them is captured by the \(k\text {-}{\mathsf {SJS}}\) assumption.

The subcase \(q \equiv 3 \pmod 4\) is more interesting. We then have \( \left( \frac{-1}{N} \right) = -1\). As a consequence, by definition of the Jacobi symbol, it follows that

$$\begin{aligned} \left\{ y^2 \hbox { mod }N \mid y \in \overline{{\mathbb {J}}}_N \right\}&= \left\{ y^2 \hbox { mod }N \mid \textstyle \left( \frac{y}{N} \right) = -1 \right\} = \left\{ (-y)^2 \hbox { mod }N \mid \textstyle \left( \frac{-y}{N} \right) = -1 \right\} \\&= \left\{ y^2 \hbox { mod }N \mid \textstyle - \left( \frac{y}{N} \right) = -1 \right\} \\&= \left\{ y^2 \hbox { mod }N \mid y \in {\mathbb {J}}_N \right\} . \end{aligned}$$

Since the two sets are identical, the \(k\text {-}{\mathsf {SJS}}\) assumption holds perfectly when \(q \equiv 3 \pmod 4\). This in turn leads to the following corollary.
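The two subcases can be checked by exhaustive enumeration on a toy modulus. The following Python is an added example (not code from the paper): it partitions \({\mathbb {Z}}_N^*\) into \({\mathbb {J}}_N\) and \(\overline{{\mathbb {J}}}_N\) using Euler's criterion with the known factors, then compares the set of squares of \(\overline{{\mathbb {J}}}_N\) with the set of squares of \({\mathbb {J}}_N\). With \(q \equiv 3 \pmod 4\) the two sets coincide, as derived above, so a \(k\text {-}{\mathsf {SJS}}\) distinguisher has nothing to distinguish; with \(q \equiv 1 \pmod 4\) they are disjoint, which is the situation described for the first subcase (all four square roots of a square share one Jacobi symbol). The primes 17, 7 and 13 used in the test are constructed toy values.

```python
import math

def legendre(a, p):
    """Legendre symbol (a/p) via Euler's criterion; assumes gcd(a, p) = 1 and p an odd prime."""
    return 1 if pow(a % p, (p - 1) // 2, p) == 1 else -1

def jacobi_classes(p, q):
    """Split Z_N^* (N = pq) into J_N (Jacobi symbol +1) and Jbar_N (Jacobi symbol -1)."""
    N = p * q
    J, Jbar = set(), set()
    for y in range(1, N):
        if math.gcd(y, N) == 1:
            (J if legendre(y, p) * legendre(y, q) == 1 else Jbar).add(y)
    return J, Jbar

def squares_of(S, N):
    """{ y^2 mod N : y in S }."""
    return {y * y % N for y in S}

def minus_one_symbol(p, q):
    """(-1/N) = (-1/p)(-1/q); equals -1 exactly when one factor is 3 mod 4."""
    return legendre(p - 1, p) * legendre(q - 1, q)

def compare_square_sets(p, q):
    """Relation between the squares of Jbar_N and the squares of J_N: 'equal', 'disjoint' or 'mixed'."""
    N = p * q
    J, Jbar = jacobi_classes(p, q)
    A, B = squares_of(Jbar, N), squares_of(J, N)
    if A == B:
        return "equal"
    if A.isdisjoint(B):
        return "disjoint"
    return "mixed"
```

Note that neither class is ever "mixed" for \(p \equiv 1 \pmod 4\): the map \(y \mapsto -y\) either swaps \({\mathbb {J}}_N\) and \(\overline{{\mathbb {J}}}_N\) (when \((-1/N) = -1\)) or preserves both (when \((-1/N) = 1\)), and the remaining square roots differ by a factor \(r\) with \(r \equiv 1 \pmod p\), \(r \equiv -1 \pmod q\), whose Jacobi symbol is \((-1/q)\).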

Corollary 1

When \(q \equiv 3 \pmod 4\), for any \({\mathsf {IND}}\)-\({\mathsf {CPA}}\) adversary \({\mathcal {A}}\) against the scheme of Sect. 3.1, there exists a \(k\text {-}{\mathsf {QR}}\) distinguisher \({\mathcal {D}}\) with comparable running time and such that

$$\begin{aligned} \mathbf {Adv}^{{\mathsf {ind}}\text {-}{\mathsf {cpa}}}_{{\mathcal {A}}}(\kappa ) \le \tfrac{1}{2}\,(3k-1) \cdot \mathbf {Adv}^{k\text {-}{\mathsf {QR}}}_{{\mathcal {D}}}(\kappa ). \end{aligned}$$

Proof

First observe that the bound is valid for \(k=1\). For \(k \ge 2\), the corollary follows by letting \({\mathcal {D}}_1 = {\mathcal {D}}\) and plugging \(\mathbf {Adv}^{k\text {-}{\mathsf {SJS}}}_{{\mathcal {D}}_2}(\kappa ) = 0\) in the bound of Theorem 1.\(\square \)

The bound in Corollary 1 can be slightly tightened by a more direct proof. We have:

Theorem 2

Let \(\kappa \) denote the security parameter. For any \({\mathsf {IND}}\)-\({\mathsf {CPA}}\) adversary \({\mathcal {A}}\) against the scheme of Sect. 3.1 with \(q \equiv 3 \pmod 4\), there exists a \(k\text {-}{\mathsf {QR}}\) distinguisher \({\mathcal {D}}\) with comparable running time and such that

$$\begin{aligned} \mathbf {Adv}^{{\mathsf {ind}}\text {-}{\mathsf {cpa}}}_{{\mathcal {A}}}(\kappa ) \le \tfrac{1}{2}\,(k+1)\cdot \mathbf {Adv}_{{\mathcal {D}}}^{k\text {-}{\mathsf {QR}}}(\kappa ). \end{aligned}$$

Proof

The proof is given in appendix. \(\square \)

Comparing the security bounds offered by Theorems 1 and 2, it turns out that RSA moduli \(N = pq\) with \(p \equiv 1 \pmod {2^k}\) and \(q \equiv 3 \pmod 4\) should be preferred over RSA moduli with \(q \equiv 1 \pmod 4\). More importantly, selecting RSA moduli \(N = pq\) with \(p \equiv 1 \pmod {2^k}\) and \(q \equiv 3 \pmod 4\) presents the advantage that the security solely relies on a \({\mathsf {QR}}\)-based assumption (namely the \(k\text {-}{\mathsf {QR}}\) assumption).

Regarding the weaker notion of one-wayness, it is easy to see that one-wayness can be proved under the \(k\text {-}{\mathsf {QR}}\) assumption alone in all cases. Let \({\mathcal {B}}\) be an adversary which returns m when given \(c = y^m x^{2^k} \hbox { mod }N\) and N (with \(x \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}{\mathbb {Z}}_N^*\)). We construct a distinguisher \({\mathcal {D}}\) for the \(k\text {-}{\mathsf {QR}}\) assumption as follows. It takes as input an RSA modulus \(N=pq\) with \(p \equiv 1 \pmod {2^k}\) and an element \(w \in {\mathbb {Z}}_N^*\). Its goal is to distinguish whether \(w \in {\mathbb {QR}}_N\) or \(w \in {\mathbb {J}}_N {\setminus } {\mathbb {QR}}_N\). To do this, \({\mathcal {D}}\) simply picks a random \(x \in {\mathbb {Z}}_N^*\), sets \(c = w x^2 \hbox { mod }N\), and feeds \({\mathcal {B}}\) with \((c, N)\). When the latter outputs a result m, \({\mathcal {D}}\) outputs the least significant bit of m. It is clear that if \(w \in {\mathbb {QR}}_N\), c is a ciphertext of an even plaintext; otherwise, c is a ciphertext of an odd plaintext. Hence, if \({\mathcal {B}}\) is a successful attacker against one-wayness, \({\mathcal {D}}\) is a successful distinguisher for \(k\text {-}{\mathsf {QR}}\).

4 Security Proof

4.1 Gap \(2^k\)-Residuosity Assumption

The \(k\text {-}{\mathsf {QR}}\) assumption states that, without knowing the factorization of N, random elements of \({\mathbb {QR}}_N\) are computationally indistinguishable from random elements of \({\mathbb {J}}_N {\setminus } {\mathbb {QR}}_N\). Here, it will be convenient to consider a gap variant of the \(k\text {-}{\mathsf {QR}}\) assumption. We chose the terminology “gap” (not to be confused with computational problems which have an easy decisional counterpart [40]) by analogy with certain lattice problems, where not every instance is a yes or no instance since a gap exists between these.

Definition 4

(Gap \(2^k\)-Residuosity Assumption, \({\mathsf {Gap}}2^k\text {-}{\mathsf {Res}}\)) Let \(\mathop {{\mathsf {RSAGen}}}\) be a probabilistic algorithm which, given a security parameter \(\kappa \), outputs primes p and q such that \(p \equiv 1 \pmod {2^k}\). The Gap \(2^k\)-Residuosity problem in \({\mathbb {Z}}_N^*\) consists in distinguishing a uniform element of \(V_0\) from a uniform element of \(V_1\) given only \(N=pq\), where \(V_0\) and \(V_1\) are defined as follows:

$$\begin{aligned} V_0= \bigl \{ x \in {\mathbb {J}}_N {\setminus } {\mathbb {QR}}_N \bigr \} \quad \text {and}\quad V_1 = \bigl \{ y^{2^k} \hbox { mod }N \mid y \in {\mathbb {Z}}_N^* \bigr \}. \end{aligned}$$

The Gap \(2^k\)-Residuosity (\({\mathsf {Gap}}2^k\text {-}{\mathsf {Res}}\)) assumption posits that the advantage \(\mathbf {Adv}^{{\mathsf {Gap}}2^k\text {-}{\mathsf {Res}}}_{{\mathcal {D}}}(\kappa )\), defined as the distance

$$\begin{aligned} \left| \Pr [{\mathcal {D}}(x,k,N)=1 \mid x \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}V_0] - \Pr [{\mathcal {D}}(x,k,N)=1 \mid x \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}V_1 ] \right| \end{aligned}$$

is negligible for any probabilistic polynomial-time distinguisher \({\mathcal {D}}\); the probabilities are taken over the experiment of running \((N,p,q) \leftarrow \mathop {{\mathsf {RSAGen}}}(1^\kappa )\) and choosing \(x \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}V_0\) and \(x \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}V_1\).

The latter assumption was independently considered in [1] by Abdalla, Ben Hamouda, and Pointcheval who used it to provide tighter security proofs for forward-secure signatures.

4.2 \({\mathsf {Gap}}2^k\text {-}{\mathsf {Res}}\) is Implied by \(k\text {-}{\mathsf {QR}}\) and \(k\text {-}{\mathsf {SJS}}\)

We now investigate the relationship between the Gap \(2^k\)-Residuosity assumption and other more natural assumptions; namely, we will show that \({\mathsf {Gap}}2^k\text {-}{\mathsf {Res}}\) is implied by the \(k\text {-}{\mathsf {QR}}\) and \(k\text {-}{\mathsf {SJS}}\) assumptions.

For this proof, it is useful to introduce two intermediate assumptions: the “special” \(k\text {-}{\mathsf {QR}}\) assumption and the “special” \(k\text {-}{\mathsf {SJS}}\) assumption.

Definition 5

(Special Quadratic Residuosity Assumption, \(k\text {-}{\mathsf {QR}} ^\star \) ) Let \(\mathop {{\mathsf {RSAGen}}}\) be a probabilistic algorithm which, given a security parameter \(\kappa \), outputs primes p and q such that \(p \equiv 1 \pmod {2^k}\), and their product \(N = pq\). The Special Quadratic Residuosity (\(k\text {-}{\mathsf {QR}} ^\star \)) assumption asserts that the function \(\mathbf {Adv}^{k\text {-}{\mathsf {QR}} ^\star }_{{\mathcal {D}}}(\kappa )\), defined as the distance

$$\begin{aligned} \left| \Pr [{\mathcal {D}}(x,N)=1 \mid x=y^2 \hbox { mod }N , y \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}{\mathbb {J}}_N ] - \Pr [{\mathcal {D}}(x,N)=1 \mid x \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}{\mathbb {J}}_N {\setminus } {\mathbb {QR}}_N ] \right| \end{aligned}$$

is negligible for any probabilistic polynomial-time distinguisher \({\mathcal {D}}\); the probabilities are taken over the experiment of running \((N,p,q) \leftarrow \mathop {{\mathsf {RSAGen}}}(1^\kappa )\) and choosing at random \(y \in {\mathbb {J}}_N\) and \(x \in {\mathbb {J}}_N{\setminus }{\mathbb {QR}}_N\).

Definition 6

(Special Squared Jacobi Symbol Assumption, \(k\text {-}{\mathsf {SJS}} ^\star \) ) Let \(\mathop {{\mathsf {RSAGen}}}\) be a probabilistic algorithm which, given a security parameter \(\kappa \), outputs primes p and q such that \(p \equiv 1 \pmod {2^k}\), and their product \(N = pq\). The Special Squared Jacobi Symbol (\(k\text {-}{\mathsf {SJS}} ^\star \)) assumption asserts that the function \(\mathbf {Adv}^{k\text {-}{\mathsf {SJS}} ^\star }_{{\mathcal {D}}}(\kappa )\), defined as the distance

$$\begin{aligned} \left| \Pr [{\mathcal {D}}(y^2 \hbox { mod }N,N) = 1 \mid y \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}{\mathbb {J}}_N{\setminus } {\mathbb {QR}}_N] - \Pr [{\mathcal {D}}(y^2 \hbox { mod }N, N) = 1 \mid y \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\overline{{\mathbb {J}}}_N]\right| \end{aligned}$$

is negligible for any probabilistic polynomial-time distinguisher \({\mathcal {D}}\); the probabilities are taken over the experiment of running \((N,p,q) \leftarrow \mathop {{\mathsf {RSAGen}}}(1^\kappa )\) and choosing at random \(y \in {\mathbb {J}}_N {\setminus } {\mathbb {QR}}_N\) and \(y \in \overline{{\mathbb {J}}}_N\).

Lemma 1

Using the previous notation, we have \(k\text {-}{\mathsf {QR}} + k\text {-}{\mathsf {SJS}} \implies k\text {-}{\mathsf {QR}} ^\star + k\text {-}{\mathsf {SJS}} ^\star \). More precisely, for any probabilistic polynomial-time distinguisher \({\mathcal {A}}\) against \(k\text {-}{\mathsf {QR}} ^\star \) or \(k\text {-}{\mathsf {SJS}} ^\star \), \({\mathcal {A}}\) is also a distinguisher against \(k\text {-}{\mathsf {QR}} \) or \(k\text {-}{\mathsf {SJS}} \) and there exists a distinguisher \({\mathcal {B}}\) against \(k\text {-}{\mathsf {QR}} \) with comparable running time, such that

$$\begin{aligned} \mathbf {Adv}^{k\text {-}{\mathsf {QR}} ^\star }_{{\mathcal {A}}}(\kappa )&\le \mathbf {Adv}^{k\text {-}{\mathsf {QR}}}_{{\mathcal {A}}}(\kappa ) + \tfrac{1}{2} \, \mathbf {Adv}^{k\text {-}{\mathsf {SJS}}}_{{\mathcal {A}}}(\kappa ),\\ \mathbf {Adv}^{k\text {-}{\mathsf {SJS}} ^\star }_{{\mathcal {A}}}(\kappa )&\le \mathbf {Adv}^{k\text {-}{\mathsf {SJS}}}_{{\mathcal {A}}}(\kappa ) + \tfrac{1}{2} \, \mathbf {Adv}^{k\text {-}{\mathsf {QR}}}_{{\mathcal {B}}}(\kappa ). \end{aligned}$$

Proof

Consider a probabilistic polynomial-time algorithm \({\mathcal {A}}\) taking as input N and \(x \in {\mathbb {J}}_N\). For \(x \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}{\mathbb {J}}_N\), we let

$$\begin{aligned} {\left\{ \begin{array}{ll} \epsilon _1 = \Pr [{\mathcal {A}}(x,N) = 1 \mid x \in {\mathbb {J}}_N {\setminus } {\mathbb {QR}}_N]\\ \epsilon _2' = \Pr [{\mathcal {A}}(x,N) = 1 \mid x=y^2 \in {\mathbb {QR}}_N \wedge y \in {\mathbb {J}}_N {\setminus } {\mathbb {QR}}_N]\\ \epsilon _2'' = \Pr [{\mathcal {A}}(x,N) = 1 \mid x=y^2 \in {\mathbb {QR}}_N \wedge y \in {\mathbb {QR}}_N]\\ \epsilon _3 = \Pr [{\mathcal {A}}(x,N) = 1 \mid x=y^2 \in {\mathbb {QR}}_N \wedge y \in \overline{{\mathbb {J}}}_N] \end{array}\right. }. \end{aligned}$$

Against \(k\text {-}{\mathsf {QR}} \), \(k\text {-}{\mathsf {SJS}} \), \(k\text {-}{\mathsf {QR}} ^\star \), and \(k\text {-}{\mathsf {SJS}} ^\star \), its advantage is denoted

$$\begin{aligned} \alpha _1 &:= \left| \epsilon _1 - \tfrac{1}{4}(\epsilon _2' + \epsilon _2'') - \tfrac{1}{2} \epsilon _3\right| , & \alpha _2 &:= \left| \tfrac{1}{2}(\epsilon _2'+\epsilon _2'') - \epsilon _3\right| , \\ \alpha _3 &:= \left| \epsilon _1 - \tfrac{1}{2}(\epsilon _2' + \epsilon _2'')\right| , & \alpha _4 &:= \left| \epsilon _2' - \epsilon _3\right| , \end{aligned}$$

respectively.

We have to show that if the \(k\text {-}{\mathsf {QR}} \) and \(k\text {-}{\mathsf {SJS}} \) assumptions hold then so do the \(k\text {-}{\mathsf {QR}} ^\star \) and \(k\text {-}{\mathsf {SJS}} ^\star \) assumptions. The \(k\text {-}{\mathsf {QR}} \) and \(k\text {-}{\mathsf {SJS}} \) assumptions imply that \(\alpha _1\) and \(\alpha _2\) are negligible. We also note that any significant difference between \(\epsilon _2'\) and \(\epsilon _2''\) would lead to a distinguisher against \(k\text {-}{\mathsf {QR}} \). We thus have \(|\epsilon _2' - \epsilon _2''| \le \mathbf {Adv}^{k\text {-}{\mathsf {QR}}}_{{\mathcal {B}}}(\kappa )\), with \({\mathcal {B}}\) an algorithm with running time comparable to that of \({\mathcal {A}}\).

From the definitions of \(\alpha _3\) and \(\alpha _4\), we can write

$$\begin{aligned} \alpha _3&= \left| \epsilon _1 - \tfrac{1}{2}(\epsilon _2' + \epsilon _2'')\right| = \left| \epsilon _1 - \tfrac{1}{4}(\epsilon _2' + \epsilon _2'') - \tfrac{1}{2}\epsilon _3 + \tfrac{1}{2}\epsilon _3 - \tfrac{1}{4}(\epsilon _2' + \epsilon _2'') \right| \\&\le \left| \epsilon _1 - \tfrac{1}{4}(\epsilon _2' + \epsilon _2'') - \tfrac{1}{2}\epsilon _3\right| + \tfrac{1}{2} \left| \epsilon _3 - \tfrac{1}{2}(\epsilon _2' + \epsilon _2'') \right| \\&= \alpha _1 + \tfrac{1}{2}\,\alpha _2 \end{aligned}$$

and

$$\begin{aligned} \alpha _4&= \left| \epsilon _2' - \epsilon _3\right| = \left| \tfrac{1}{2}\epsilon _2' + \tfrac{1}{2}\epsilon _2'' - \epsilon _3 + \tfrac{1}{2}\epsilon _2' - \tfrac{1}{2}\epsilon _2''\right| \le \left| \tfrac{1}{2}(\epsilon _2' + \epsilon _2'') - \epsilon _3\right| + \tfrac{1}{2} \left| \epsilon _2' - \epsilon _2''\right| \\&\le \alpha _2 + \tfrac{1}{2}\, \mathbf {Adv}^{k\text {-}{\mathsf {QR}}}_{{\mathcal {B}}}(\kappa ). \end{aligned}$$

The previous inequalities show that when \(\alpha _1\) and \(\alpha _2\) are negligible then so are \(\alpha _3\) and \(\alpha _4\).\(\square \)

Theorem 3

( \(k\text {-}{\mathsf {QR}} + k\text {-}{\mathsf {SJS}} \implies {\mathsf {Gap}}2^k\text {-}{\mathsf {Res}} \) ) For RSA moduli \(N=pq\) with \(p \equiv 1 \pmod {2^k}\), the \({\mathsf {Gap}}2^k\text {-}{\mathsf {Res}} \) assumption holds if the \(k\text {-}{\mathsf {QR}} \) assumption and the \(k\text {-}{\mathsf {SJS}} \) assumption hold. More precisely, for any probabilistic polynomial-time distinguisher \({\mathcal {B}}\) against the former, there exist a \(k\text {-}{\mathsf {QR}}\) distinguisher \({\mathcal {D}}_1\) and a \(k\text {-}{\mathsf {SJS}}\) distinguisher \({\mathcal {D}}_2\) with comparable running times and for which

$$\begin{aligned} \mathbf {Adv}^{{\mathsf {Gap}}2^k\text {-}{\mathsf {Res}}}_{{\mathcal {B}}}(\kappa ) \le \tfrac{3}{2}\, \left( (k - \tfrac{1}{3}) \cdot \mathbf {Adv}_{{\mathcal {D}}_1}^{k\text {-}{\mathsf {QR}}}(\kappa ) + (k-1)\cdot \mathbf {Adv}_{{\mathcal {D}}_2}^{k\text {-}{\mathsf {SJS}}}(\kappa ) \right) . \end{aligned}$$

Proof

To prove the result, we consider a sequence of distributions which will help us bridge the gap between the assumptions. More precisely, for \(0 \le i \le k-1\), we consider the subsets \(D_i\) of \({\mathbb {J}}_N\) given by

$$\begin{aligned} D_i = \bigl \{ y^{2^i} \hbox { mod }N \mid y \in {\mathbb {J}}_N {\setminus } {\mathbb {QR}}_N \bigr \}. \end{aligned}$$

We also need other subsets which can be seen as the complement of \(D_i\) in the set of \(2^i\)-th residues that are not \(2^{i+1}\)-th residues:

$$\begin{aligned} D_i' = \bigl \{ y^{2^i} \hbox { mod }N \mid y \in \overline{{\mathbb {J}}}_N \bigr \}. \end{aligned}$$

Finally, we define the subgroup of \(2^k\)-th residues, \(R_k = \{ y^{2^k} \hbox { mod }N \mid y \in {\mathbb {Z}}_N^* \}\).

If we consider the sets \(V_0\) and \(V_1\) (presented in Definition 4), we have \(V_0=D_0\) and \(V_1=R_k\). The proof will actually proceed by showing the computational indistinguishability of the (uniform) distributions induced by the corresponding subsets. Namely, unless either the \(k\text {-}{\mathsf {QR}} ^\star \) assumption or the \(k\text {-}{\mathsf {SJS}} ^\star \) assumption is false, we will prove

$$\begin{aligned} D_0 \mathop {\approx }\limits ^{\scriptscriptstyle c}D_1' \mathop {\approx }\limits ^{\scriptscriptstyle c}D_1 \mathop {\approx }\limits ^{\scriptscriptstyle c}D_2' \mathop {\approx }\limits ^{\scriptscriptstyle c}D_2 \mathop {\approx }\limits ^{\scriptscriptstyle c}\cdots \mathop {\approx }\limits ^{\scriptscriptstyle c}D_{k-1}' \mathop {\approx }\limits ^{\scriptscriptstyle c}D_{k-1}, \end{aligned}$$

where \(\mathop {\approx }\limits ^{\scriptscriptstyle c}\) denotes computational indistinguishability of the (uniform) distributions. Finally, we also prove that \(D_{k-1} \mathop {\approx }\limits ^{\scriptscriptstyle c}R_k\) unless the \(k\text {-}{\mathsf {QR}} \) assumption is false. \(\square \)

Remark 1

Note that we abuse notation by using \(D_i, D'_i,R_k\) both for subsets and for the uniform distributions over them. Also, it is important to see that:

  • if \(y \in _R {\mathbb {J}}_N{\setminus } {\mathbb {QR}}_N\) then \(y^{2^i} \in _R D_i\);

  • if \(y \in _R \overline{{\mathbb {J}}}_N\) then \(y^{2^i} \in _R D'_i\);

  • if \(y \in _R {\mathbb {Z}}_N^*\) then \(y^{2^k} \in _R R_k\).

Claim 1. If \(k\text {-}{\mathsf {QR}} ^\star \) holds, for each \(i \in \{1,\cdots ,k-1\}\), no probabilistic polynomial-time adversary can distinguish the distributions of \(D_{i-1}\) and \(D_i'\).

Proof (of Claim 1)

Let \({\mathcal {D}}\) be a distinguisher that can tell apart \(D_{i-1}\) and \(D_{i}'\) with nonnegligible advantage \(\varepsilon \). We show that \({\mathcal {D}}\) implies a \(k\text {-}{\mathsf {QR}} ^\star \) distinguisher \({\mathcal {B}}_{1,i}\) with advantage \(\varepsilon \) for RSA moduli \(N=pq\) with \(p \equiv 1 \pmod {2^k}\).

Our distinguisher \({\mathcal {B}}_{1,i}\) takes as input an RSA modulus \(N=pq\) with \(p \equiv 1 \pmod {2^k}\) and an element \(w\in {\mathbb {Z}}_N^*\) which is drawn from one of the two distributions

$$\begin{aligned} {{\mathsf {dist}}}_0 = \{ y^2 \hbox { mod }N \mid y \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}{\mathbb {J}}_N \} , \qquad {{\mathsf {dist}}}_1 = \{ y \mid y \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}{\mathbb {J}}_N {\setminus } {\mathbb {QR}}_N \}. \end{aligned}$$

Its task is to decide if w is in \({\mathsf {dist}}_0\) or in \({\mathsf {dist}}_1\). To this end, \({\mathcal {B}}_{1,i}\) chooses a random element \(z \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\overline{{\mathbb {J}}}_N\). It then defines \(x=z^{2^i} w^{2^{i-1}} \hbox { mod }N\) and feeds \({\mathcal {D}}\) with \((x, i, N)\). When the distinguisher \({\mathcal {D}}\) halts, \({\mathcal {B}}_{1,i}\) outputs whatever \({\mathcal {D}}\) outputs.

  • First assume that \(w = y^2 \in {\mathsf {dist}}_0\), for some \(y \in _R {\mathbb {J}}_N\). We have \(x = (zy)^{2^i} \hbox { mod }N\). Further, since \(z \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\overline{{\mathbb {J}}}_N\), we have \(zy \in \overline{{\mathbb {J}}}_N\) and thus \(x \in _R D_i'\).

  • Now assume that \(w \in _R {\mathbb {J}}_N {\setminus } {\mathbb {QR}}_N\). In this case, we clearly have \(x \in _R D_{i-1}\) because \(x=(z^2 w)^{2^{i-1}} \hbox { mod }N\) and \(z^2 w \in {\mathbb {J}}_N {\setminus } {\mathbb {QR}}_N\). \(\square \)

Claim 2. If \(k\text {-}{\mathsf {SJS}} ^\star \) holds, for each \(i \in \{1,\cdots ,k-1\}\), no probabilistic polynomial-time adversary can distinguish the distributions of \(D_i'\) and \(D_{i}\).

Proof (of Claim 2)

Let \({\mathcal {D}}\) be a distinguisher with nonnegligible advantage \(\varepsilon \) between \(D_{i}\) and \(D_{i}'\). We show that \({\mathcal {D}}\) implies a \(k\text {-}{\mathsf {SJS}} ^\star \) distinguisher \({\mathcal {B}}_{2,i}\) with advantage \(\varepsilon \) for RSA moduli \(N=pq\) with \(p \equiv 1 \pmod {2^k}\). Given \(w \in {\mathbb {Z}}_N^*\) which is drawn from one of the two distributions

$$\begin{aligned} {\mathsf {dist}}_0=\{ y^2 \hbox { mod }N \mid y \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}{\mathbb {J}}_N {\setminus } {\mathbb {QR}}_N \} , \qquad {\mathsf {dist}}_1=\{ y^2 \hbox { mod }N \mid y \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\overline{{\mathbb {J}}}_N \} , \end{aligned}$$

\({\mathcal {B}}_{2,i}\) constructs \(x=w^{2^{i-1}} \hbox { mod }N\) which is used to feed the distinguisher \({\mathcal {D}}\). When the latter outputs a result, \({\mathcal {B}}_{2,i}\) produces the same output. It is clear that, if \(w \in _R {\mathsf {dist}}_0\) (resp. \(w \in _R {\mathsf {dist}}_1\)), then \(x \in _R D_i\) (resp. \(x \in _R D_i'\)). Hence, if \({\mathcal {D}}\) is a successful distinguisher, so is \({\mathcal {B}}_{2,i}\). \(\square \)

Claim 3. If \(k\text {-}{\mathsf {QR}} \) holds, no probabilistic polynomial-time adversary can distinguish the distributions of \(D_{k-1}\) and \(R_k\).

Proof (of Claim 3)

Let \({\mathcal {D}}\) be an algorithm that can distinguish \(D_{k-1}\) and \(R_{k}\) with nonnegligible advantage. We build a \(k\text {-}{\mathsf {QR}} \) distinguisher \({\mathcal {B}}_3\) out of \({\mathcal {D}}\) with the same advantage.

Algorithm \({\mathcal {B}}_3\) takes as input \(N=pq\) with \(p \equiv 1 \pmod {2^k}\) as well as an element \(w \in {\mathbb {J}}_N\) with the goal of deciding whether \(w \in {\mathbb {QR}}_N\) or \(w \in {\mathbb {J}}_N {\setminus } {\mathbb {QR}}_N\). To do this, \({\mathcal {B}}_3\) simply defines \(x = w^{2^{k-1}} \hbox { mod }N\) and feeds \({\mathcal {D}}\) with \((x, k, N)\). When \({\mathcal {D}}\) halts and outputs \(b\in \{0,1\}\), \({\mathcal {B}}_3\) outputs the same bit.

It is easy to see that, if \(w \in _R {\mathbb {QR}}_N\) then \( w = y^{2} \hbox { mod }N\) for a random \(y \in _R {\mathbb {Z}}_N^*\), and so \(x = (y^{2^k} \hbox { mod }N) \in _R R_k\) —see Remark 1. If \(w \in _R {\mathbb {J}}_N {\setminus } {\mathbb {QR}}_N\), we immediately have \(x \in _R D_{k-1}\). \(\square \)

To conclude the proof of the theorem, we remark that, if a probabilistic polynomial-time distinguisher \({\mathcal {B}}\) exists for the \({\mathsf {Gap}}2^k\text {-}{\mathsf {Res}} \) assumption (i.e., if ), then

  • either , contradicting \(k\text {-}{\mathsf {QR}} \) (Claim 3); or

  • there exists \(1 \le i \le k-1\) such that or . The above arguments show that either situation would contradict the \(k\text {-}{\mathsf {QR}} ^\star \) assumption (Claim 1) or the \(k\text {-}{\mathsf {SJS}} ^\star \) assumption (Claim 2)—or by Lemma 1, the \(k\text {-}{\mathsf {QR}} \) assumption or the \(k\text {-}{\mathsf {SJS}} \) assumption.

More precisely, to get the bound given in Theorem 3, we consider \({\mathcal {B}}'_{2,i}\) the adversary “\({\mathcal {B}}\)” defined in Lemma 1 when “\({\mathcal {A}}={\mathcal {B}}_{2,i}\)”, and we define the distinguisher \({\mathcal {D}}_1\) (resp. \({\mathcal {D}}_2\)) as follows: it picks \((\alpha ,i) \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}{\mathcal {P}}_1\) (resp. \((\alpha ,i) \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}{\mathcal {P}}_2\)), where \({\mathcal {P}}_1\) and \({\mathcal {P}}_2\) are probability distributions defined as:

$$\begin{aligned} \Pr _{(X,Y) \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}{\mathcal {P}}_1}[(X,Y) = (\alpha ,i)]&= {\left\{ \begin{array}{ll} \frac{2}{3k-1} &{}\text { if } \alpha =1 \text { and } i \in \{1,\cdots ,k-1\}\\ \frac{1}{3k-1} &{}\text { if } \alpha =2 \text { and } i \in \{1,\cdots ,k-1\} \\ \frac{2}{3k-1} &{}\text { if } \alpha =3 \end{array}\right. } \\ \text {and}\quad \Pr _{(X,Y) \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}{\mathcal {P}}_2}[(X,Y) = (\alpha ,i)]&= {\left\{ \begin{array}{ll} \frac{1}{3k-3} &{}\text { if } \alpha =1 \text { and } i \in \{1,\cdots ,k-1\} \\ \frac{2}{3k-3} &{}\text { if } \alpha =2 \text { and } i \in \{1,\cdots ,k-1\} \end{array}\right. }. \end{aligned}$$

Then, \({\mathcal {D}}_1\) runs \({\mathcal {B}}_{1,i}\) when \(\alpha =1\), \({\mathcal {B}}'_{2,i}\) when \(\alpha =2\), and \({\mathcal {B}}_3\) when \(\alpha =3\), and outputs what this latter adversary outputs. Similarly, \({\mathcal {D}}_2\) runs \({\mathcal {B}}_{\alpha ,i}\), and outputs what this latter adversary outputs.

Using Lemma 1, we have:

$$\begin{aligned} \mathbf {Adv}^{{\mathsf {Gap}}2^k\text {-}{\mathsf {Res}}}_{{\mathcal {B}}}(\kappa )&\le \sum _{i=1}^{k-1} \mathbf {Adv}^{k\text {-}{\mathsf {QR}} ^\star }_{{\mathcal {B}}_{1,i}}(\kappa ) + \sum _{i=1}^{k-1} \mathbf {Adv}^{k\text {-}{\mathsf {SJS}} ^\star }_{{\mathcal {B}}_{2,i}}(\kappa ) + \mathbf {Adv}^{k\text {-}{\mathsf {QR}}}_{{\mathcal {B}}_{3}}(\kappa ) \\&\le \left( \sum _{i=1}^{k-1} \mathbf {Adv}^{k\text {-}{\mathsf {QR}}}_{{\mathcal {B}}_{1,i}}(\kappa ) + \frac{1}{2}\,\sum _{i=1}^{k-1} \mathbf {Adv}^{k\text {-}{\mathsf {QR}}}_{{\mathcal {B}}'_{2,i}}(\kappa ) + \mathbf {Adv}^{k\text {-}{\mathsf {QR}}}_{{\mathcal {B}}_{3}}(\kappa ) \right) \\&\qquad + \left( \frac{1}{2}\,\sum _{i=1}^{k-1} \mathbf {Adv}^{k\text {-}{\mathsf {SJS}}}_{{\mathcal {B}}_{1,i}}(\kappa ) + \sum _{i=1}^{k-1} \mathbf {Adv}^{k\text {-}{\mathsf {SJS}}}_{{\mathcal {B}}_{2,i}}(\kappa ) \right) \\&= \frac{3k-1}{2} \, \mathbf {Adv}^{k\text {-}{\mathsf {QR}}}_{{\mathcal {D}}_1}(\kappa ) + \frac{3k-3}{2} \, \mathbf {Adv}^{k\text {-}{\mathsf {SJS}}}_{{\mathcal {D}}_2}(\kappa ). \end{aligned}$$

In addition, we note that \({\mathcal {D}}_1\) and \({\mathcal {D}}_2\) have comparable running times to \({\mathcal {B}}\).\(\square \)

We remark that the assumption \(p\equiv 1 \pmod {2^k}\) is never directly used in the proof. The assumption \(p\equiv 1 \pmod {2^k}\) is just needed for the correctness of our encryption scheme. The security proof actually holds for any kind of modulus N for which the \({\mathsf {QR}} \) and the \({\mathsf {SJS}} \) assumptions hold —the \(k\text {-}{\mathsf {QR}} \) and the \(k\text {-}{\mathsf {SJS}} \) assumptions are just the \({\mathsf {QR}} \) and the \({\mathsf {SJS}} \) assumptions for moduli \(N=pq\) such that \(p\equiv 1 \pmod {2^k}\).

4.3 Semantic Security

It is not hard to see that the semantic security of the scheme is equivalent to the \({\mathsf {Gap}}2^k\text {-}{\mathsf {Res}} \) assumption. From Theorem 3, we thus obtain the result announced in Theorem 1. Namely, for any \({\mathsf {IND}}\)-\({\mathsf {CPA}}\) adversary \({\mathcal {A}}\), there exist a \(k\text {-}{\mathsf {QR}}\) distinguisher \({\mathcal {D}}_1\) and a \(k\text {-}{\mathsf {SJS}}\) distinguisher \({\mathcal {D}}_2\) such that

$$\begin{aligned} \mathbf {Adv}^{{\mathsf {ind}}\text {-}{\mathsf {cpa}}}_{{\mathcal {A}}}(\kappa ) \le \tfrac{3}{2}\, \left( (k - \tfrac{1}{3}) \cdot \mathbf {Adv}_{{\mathcal {D}}_1}^{k\text {-}{\mathsf {QR}}}(\kappa ) + (k-1)\cdot \mathbf {Adv}_{{\mathcal {D}}_2}^{k\text {-}{\mathsf {SJS}}}(\kappa ) \right) . \end{aligned}$$

Proof (of Theorem 1)

The proof proceeds by simply changing the distribution of the public key. Under the \({\mathsf {Gap}}2^k\text {-}{\mathsf {Res}} \) assumption, instead of picking y uniformly in \( {\mathbb {J}}_N{\setminus }{\mathbb {QR}}_N\), we can choose it in the subgroup of \(2^k\)-th residues without the adversary noticing. However, in this case, the ciphertext carries no information about the message and the \({\mathsf {IND}}\)-\({\mathsf {CPA}}\) security follows.\(\square \)

Interestingly, the security proof implicitly shows that, like the original Goldwasser–Micali system, our scheme is a lossy encryption scheme [9] (i.e., it admits an alternative distribution of public keys for which encryptions statistically hide the plaintext), which provides security guarantees against selective-opening attacks [15]. Moreover, for a lossy key \((y, N)\), there exists an efficient algorithm that opens a given ciphertext c to any arbitrary plaintext m (by using the factorization of N to find random coins that explain c as an encryption of m). It implies that our scheme satisfies the simulation-based definition [9] of selective-opening security.

5 Implementation and Performance

We tackle here some implementation aspects. We explain how to select the parameters involved in the system setup and key generation. We present fast decryption algorithms. Finally, we discuss the ciphertext expansion and give a comparison with previous schemes.

5.1 Parameter Selection

The key generation (cf. Sect. 3.1) requires a prime p such that \(p \equiv 1 \pmod {2^k}\) for some \(k \ge 1\) and a random element \(y \in {\mathbb {J}}_N {\setminus } {\mathbb {QR}}_N\), where \(N = pq\). The condition \(y \in {\mathbb {J}}_N {\setminus } {\mathbb {QR}}_N\) is equivalent to \(\left( \frac{y}{p} \right) = \left( \frac{y}{q} \right) = -1\). Since a random nonzero element modulo p has a probability of exactly \(\frac{1}{2}\) of being a quadratic nonresidue modulo p (and similarly modulo q), a suitable y is likely to be obtained after just a few trials. Efficient algorithms for generating a prime p lying in a prescribed interval \([p_{\min }, p_{\max }]\) can be found in [28, 29]. They can be adapted to accommodate the extra condition \(p \equiv 1 \pmod {2^k}\) without increasing the time complexity, as a random number congruent to 1 modulo \(2^k\) in \([p_{\min }, p_{\max }]\) is prime with approximately the same probability as a random odd number in \([p_{\min }, p_{\max }]\), thanks to Dirichlet's theorem. We describe such a variant below.

The goal is to produce a prime \(p = 1 +2^k r\) for some \(r \in [r_{\min }, r_{\max }]\), where \(r_{\min } = \lceil (p_{\min }-1)/2^k \rceil \) and \(r_{\max } = \lfloor (p_{\max }-1)/2^k \rfloor \). Let \(\Pi = 3 \cdot 5 \cdot 7 \cdots \) denote a product of the first few odd primes, chosen so that \(\Pi \le r_{\max } - r_{\min } + 1\). The algorithm constructs candidate primes that are automatically co-prime to \(\Pi \). The first step is to generate a random unit \(\upsilon \in {\mathbb {Z}}_{\Pi }^*\) (e.g., using the efficient algorithm presented in [28, § 2.2]). Define \(\vartheta _0 = - \Bigl (\tfrac{1}{2^k} + r_{\min }\Bigr ) \hbox { mod }\Pi \), where \(\tfrac{1}{2^k}\) denotes the inverse of \(2^k\) modulo \(\Pi \) (which exists since \(\Pi \) is odd). A candidate p is then formed as

$$\begin{aligned} p \leftarrow 1 + 2^k(r_{\min } + \vartheta ) \quad \text { for some } \vartheta \in _R [0, r_{\max } - r_{\min }] \text { such that } \vartheta \equiv \vartheta _0 + \upsilon \pmod \Pi \end{aligned}$$

and tested for primality. If candidate p is not prime, \(\upsilon \) is updated as \(\upsilon \leftarrow 2\upsilon \hbox { mod }\Pi \) and the process is reiterated. Since \(\Pi \) is odd, \(2 \in {\mathbb {Z}}_\Pi ^*\) and thus \(\upsilon \) remains in \({\mathbb {Z}}_\Pi ^*\) after the updating step. Moreover, reducing candidate p modulo \(\Pi \), we get \(p \equiv 1 + 2^k(r_{\min } + \vartheta ) \equiv 1 + 2^k(r_{\min } + \vartheta _0 + \upsilon ) \equiv 2^k\upsilon \pmod \Pi \) and thus \(p \in {\mathbb {Z}}_\Pi ^*\) since \(\upsilon \in {\mathbb {Z}}_\Pi ^*\) and \(2^k \in {\mathbb {Z}}_\Pi ^*\). Equivalently, \(p \in {\mathbb {Z}}_\Pi ^*\) means that candidate p is such that \(\gcd (p, p_i) = 1\) for all primes \(p_i\) dividing \(\Pi \) (and p is also odd by construction).
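The variant just described, as an added worked example in Python (this is not code from the paper): it builds \(\Pi \), draws the unit \(\upsilon \), forms candidates \(p = 1 + 2^k(r_{\min } + \vartheta )\) with \(\vartheta \equiv \vartheta _0 + \upsilon \pmod \Pi \), doubles \(\upsilon \) modulo \(\Pi \) after each failed primality test, and checks the invariant \(p \equiv 2^k\upsilon \pmod \Pi \) on every candidate. Two simplifications are assumptions of this example rather than choices of the paper: \(\upsilon \) is drawn by rejection sampling instead of the algorithm of [28, § 2.2], and primality is tested with a fixed-base Miller–Rabin test. The function and parameter names are mine.

```python
import math
import random

# Miller-Rabin with the first 12 prime bases: deterministic for n < 3.3e24,
# a strong probable-prime test beyond that (the "tested for primality" step).
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def small_odd_prime_product(bound: int) -> int:
    """Pi = 3 * 5 * 7 * ..., the largest such product that is <= bound."""
    pi, q = 1, 3
    while pi * q <= bound:
        if is_probable_prime(q):
            pi *= q
        q += 2
    return pi


def gen_prime_1_mod_2k(k: int, p_min: int, p_max: int, rng: random.Random):
    """Return (p, Pi, trials): a prime p = 1 + 2^k r with p_min <= p <= p_max."""
    r_min = -((1 - p_min) // (1 << k))    # ceil((p_min - 1) / 2^k)
    r_max = (p_max - 1) // (1 << k)       # floor((p_max - 1) / 2^k)
    width = r_max - r_min + 1             # number of admissible values of r
    pi = small_odd_prime_product(width)   # Pi <= r_max - r_min + 1
    if pi < 3:
        raise ValueError("interval too narrow for the sieve")
    # Random unit of Z_Pi^*: rejection sampling stands in for the algorithm of [28, §2.2].
    while True:
        u = rng.randrange(1, pi)
        if math.gcd(u, pi) == 1:
            break
    theta0 = (-(pow(2, -k, pi) + r_min)) % pi   # theta_0 = -(1/2^k + r_min) mod Pi
    trials = 0
    while True:
        trials += 1
        # theta uniform in [0, r_max - r_min] subject to theta ≡ theta_0 + u (mod Pi);
        # width >= Pi guarantees that the residue class has a representative in range.
        base = (theta0 + u) % pi
        theta = base + pi * rng.randrange((width - 1 - base) // pi + 1)
        p = 1 + (1 << k) * (r_min + theta)
        # By construction p ≡ 2^k u (mod Pi), so p is coprime to every prime dividing Pi.
        assert p % pi == ((1 << k) * u) % pi
        if is_probable_prime(p):
            return p, pi, trials
        u = 2 * u % pi                    # Pi is odd, so u stays a unit


def demo(k: int = 16, p_min: int = 1 << 60, p_max: int = 1 << 61, seed: int = 7):
    """Generate p ≡ 1 (mod 2^k) in [p_min, p_max]; report p, Pi, trials, gcd(p, Pi), primality."""
    p, pi, trials = gen_prime_1_mod_2k(k, p_min, p_max, random.Random(seed))
    return p, pi, trials, math.gcd(p, pi), is_probable_prime(p)
```

The returned trial count is the number of primality tests spent; because every candidate is odd and already coprime to \(\Pi \), it stays small even for 60-bit intervals, which is the point of the sieve.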

A powerful LLL-based technique due to Coppersmith bounds the size of k to at most \(\frac{1}{2}\log _2p\) bits as, otherwise, the factors of N would be revealed [13, Theorem 5]. Going beyond polynomial-time attacks, one should add an extra security margin to take into account exhaustive searches [38]. RSA moduli being balanced (i.e., \(\frac{1}{2}\log _2p = \frac{1}{4}\log _2 N\)), we so end up with the upper bound

$$\begin{aligned} k < \tfrac{1}{4}\log _2 N - \kappa \end{aligned}$$

where \(\kappa \) is the security parameter.

In practice, this restriction on k is not a limitation because, as described in the next section, long messages can be encrypted using the KEM/DEM paradigm. For example, using ECRYPT 2 recommendations [17], for \(\kappa =128\) bits of security, a symmetric key of \(k=128\) bits has to be used for the KEM/DEM paradigm, and a 3248-bit modulus N has to be used to ensure factorization is hard. These parameters do not take into account the tightness of the reduction. If we take it into account, when \(q \equiv 3 \pmod {4}\), according to Theorem 2, a factor \((k+1)/2 \approx 64 = 2^6\) is lost in the reduction. Assuming that the best way to solve the quadratic residuosity problem consists in factoring the modulus N, a 3584-bit modulus has to be used, as this corresponds to \((128+6)\) bits of security for factorization, according to [17]. Note that the choice of parameters \(k = 128\) and \(|N|_2 = 3584\) satisfies the relation \(k < \tfrac{1}{4} \log _2N - \kappa \).

5.2 Optimized Decryption Algorithms

In its most basic version, the decryption requires O(k) full modular exponentiations in \({\mathbb {Z}}_p^*\) in order to compute higher power residue symbols. This section shows that a suitable preprocessing phase allows increasing the decryption speed.

The RSA modulus used in the proposed cryptosystem is of the form \(N = pq\) with \(p \equiv 1 \pmod {2^k}\). Hence, we can write \(p = 2^{K}\,p'+1\) for some integer \(K \ge k\) and some odd integer \(p'\). Now, given the public key \( pk = \{N, y,k\}\), consider the ciphertext \(c = y^m \, x^{2^k} \hbox { mod }N\) of message \(m = \sum _{i=0}^{k-1}m_i\,2^i\) with \(m_i \in \{0,1\}\). If, for \(1 \le j \le k\), we define \(\Lambda _j = 2^{K-j}p'\) then

$$\begin{aligned} c^{\Lambda _j}&\equiv \bigl (y^m\,x^{2^k}\bigr )^{\Lambda _j} \equiv y^{m\,\Lambda _j}\,x^{2^{K+k-j}p'} \equiv y^{m\,\Lambda _j \hbox { mod }2^K p'} \equiv y^{m\,\Lambda _j \hbox { mod }2^j\Lambda _j}\\&\equiv y^{\Lambda _j(m \hbox { mod }2^j)} \equiv y^{\Lambda _j\left( m_{j-1}2^{j-1} + (m \hbox { mod }2^{j-1})\right) } \equiv \Bigl (y^{\frac{p-1}{2} }\Bigr )^{m_{j-1}} \, y^{\Lambda _j(m \hbox { mod }2^{j-1})}\\&\equiv (-1)^{m_{j-1}} \, y^{\Lambda _j (m \hbox { mod }2^{j-1})}\pmod p. \end{aligned}$$

So, letting \(C = c^{2^{K-k}p'} \hbox { mod }p\) and \(Y = y^{2^{K-k}p'} \hbox { mod }p\), the previous relation becomes \(\left( \frac{C}{Y^{m \hbox { mod }2^{j-1}}}\right) ^{2^{k-j}} \equiv (-1)^{m_{j-1}} \pmod p\). Starting at \(j=1\) and iterating until \(j = k\), this yields a decryption algorithm producing one bit of plaintext m per iteration (i.e., bit \(m_{j-1}\)).

To further speed up the decryption, observe that \(Y = y^{2^{K-k}p'} \hbox { mod }p\) is independent of the ciphertext, so its value, or better its inverse, can be precomputed. The private key now consists of the pair \((p, D)\) where \(D = y^{-2^{K-k}p'} \hbox { mod }p\). As one bit of plaintext m is correctly obtained per iteration, there is no need to fully recompute \(D^{m \hbox { mod }2^{j-1}} \hbox { mod }p\) at iteration j. Rather, it can be obtained more efficiently from the value of the previous iteration as

$$\begin{aligned} D^{m \hbox { mod }2^{j-1}} \hbox { mod }p = {\left\{ \begin{array}{ll} D^{m \hbox { mod }2^{j-2}} \hbox { mod }p &{} \text { if } m_{j-1} = 0\\ D^{m \hbox { mod }2^{j-2}}D^{2^{j-1}} \hbox { mod }p &{} \text { if } m_{j-1} = 1 \end{array}\right. }. \end{aligned}$$

We thus obtain:

[Algorithm 1: the decryption algorithm, given as a figure in the original and not reproduced here]

Variable \(\mathsf {m}\) in the for-loop contains the lowest part of the plaintext m, and variable \(\mathsf {B}\) contains the successive powers of 2. Further, the for-loop is only performed until iteration \(k-1\) to save a couple of operations. As a variant, we remark that \(\mathsf {D}\) can be initialized to \(y^{-(p-1)/2^k} \hbox { mod }p\) (Line 1 in Algorithm 1) instead of being explicitly included in the private key.

As described, the for-loop in Algorithm 1 on average involves \(\sum _{j=1}^{k-1} (k-j) = \frac{(k-1)k}{2}\) modular squarings for the successive evaluation of \(\mathsf {z}\), \(\frac{k-1}{2}\) modular multiplications for the evaluation of \(\mathsf {C}\), and \((k-1)\) modular squarings for updating \(\mathsf {D}\).

Remark 2

The decryption can even be made slightly faster. The condition \(\mathsf {z} \ne 1\) is equivalent to \(\mathsf {z} \equiv -1 \pmod p\). Instead of iteratively evaluating \(\mathsf {z} \leftarrow \mathsf {C}^{2^{k-j}} \hbox { mod }p\) for \(1 \le j \le k-1\), we can set \(\mathsf {z}\) to \(\mathsf {C}\) and successively square it, \(\mathsf {z} \leftarrow \mathsf {z}^2 \hbox { mod }p\), until it becomes congruent to \(-1 \pmod p\). We then update \(\mathsf {C}\) by multiplying it by the corresponding power of D and redo the process until \(\mathsf {C}\) becomes equal to 1. On average, this halves the number of squarings for the successive evaluations of \(\mathsf {z}\). Furthermore, the modular squarings for updating \(\mathsf {D}\) can be saved by precomputing the different powers of D. This saves \((k-1)\) modular squarings. The total number of operations in the for-loop then boils down to \(\frac{(k-1)k}{4}\) squarings plus \(\frac{k-1}{2}\) multiplications (on average), modulo p.
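Algorithm 1 and the Remark 2 variant, as an added Python example that is not the paper's code. The toy parameters \(p = 769 = 2^8 \cdot 3 + 1\) (so \(K = 8\), \(p' = 3\)) and \(q = 23\) are constructed for illustration only and violate the size bound of Sect. 5.1; the public element y is taken as the smallest nonsquare modulo both p and q instead of being sampled at random, and the function names are mine. Both decryption routines count the modular squarings and multiplications they perform in the loop, so the operation counts stated above (\(\frac{(k-1)k}{2} + (k-1)\) squarings for Algorithm 1, at most \(\frac{(k-1)k}{2}\) and on average half that for the variant) can be checked directly.

```python
import random
from math import gcd

# Toy parameters constructed for this example (far too small for real use):
# p = 769 = 2^8 * 3 + 1, so K = 8 and p' = 3;  q = 23 = 2 * 11 + 1, so q ≡ 3 (mod 4).
P, Q = 769, 23
N = P * Q
K_MAX = 8          # k must satisfy k <= K


def legendre(a: int, p: int) -> int:
    """Legendre symbol (a/p) by Euler's criterion, p an odd prime."""
    s = pow(a, (p - 1) // 2, p)
    return -1 if s == p - 1 else s


def keygen(k: int):
    """pk = (N, y, k) with y in J_N \\ QR_N; sk = (p, D) with D = y^{-(p-1)/2^k} mod p."""
    assert 1 <= k <= K_MAX
    # smallest y that is a nonsquare modulo both p and q (the paper samples y at random)
    y = next(v for v in range(2, N) if legendre(v, P) == -1 and legendre(v, Q) == -1)
    D = pow(y, -((P - 1) >> k), P)        # (p-1)/2^k = 2^{K-k} p'
    return (N, y, k), (P, D)


def encrypt(pk, m: int, rng: random.Random) -> int:
    """c = y^m * x^{2^k} mod N for a random unit x."""
    n, y, k = pk
    assert 0 <= m < (1 << k)
    x = rng.randrange(2, n)
    while gcd(x, n) != 1:
        x = rng.randrange(2, n)
    return pow(y, m, n) * pow(x, 1 << k, n) % n


def decrypt_alg1(sk, c: int, k: int):
    """Algorithm 1: one plaintext bit per iteration, D squared each round.
    Returns (m, squarings, multiplications) performed modulo p in the loop."""
    p, D = sk
    C = pow(c, (p - 1) >> k, p)           # C = c^{2^{K-k} p'} mod p
    m, B, sq, mul = 0, 1, 0, 0
    for j in range(1, k):                 # iterations j = 1 .. k-1
        z = C
        for _ in range(k - j):            # z = C^{2^{k-j}} mod p
            z = z * z % p
        sq += k - j
        if z != 1:                        # z ≡ -1, hence m_{j-1} = 1
            m += B
            C = C * D % p                 # divide out Y^{2^{j-1}} (D equals Y^{-2^{j-1}} here)
            mul += 1
        B <<= 1
        D = D * D % p                     # D <- D^2, now equal to Y^{-2^j}
        sq += 1
    if C != 1:                            # remaining bit m_{k-1}
        m += B
    return m, sq, mul


def decrypt_remark2(sk, c: int, k: int):
    """Remark 2 variant: square C until it becomes -1; the number of squarings
    locates the lowest set bit of the not-yet-decoded part of m."""
    p, D = sk
    Dpow = [D]                            # D^{2^t}; in practice stored with the key
    for _ in range(1, k):
        Dpow.append(Dpow[-1] * Dpow[-1] % p)
    C = pow(c, (p - 1) >> k, p)
    m, sq, mul = 0, 0, 0
    while C != 1:
        z, s = C, 0
        while z != p - 1:
            if s == k - 1:                # a valid C lies in <Y>, of order 2^k
                raise ValueError("not a valid ciphertext: C is not in the 2^k-torsion")
            z = z * z % p
            s += 1
            sq += 1
        t = k - 1 - s                     # C = Y^{m'} where 2^t is the lowest set bit of m'
        m += 1 << t
        C = C * Dpow[t] % p
        mul += 1
    return m, sq, mul


def demo(k: int = 8, seed: int = 1):
    """Encrypt a few messages and decrypt them both ways; per message returns
    (m, m_alg1, m_remark2, squarings_alg1, squarings_remark2)."""
    rng = random.Random(seed)
    pk, sk = keygen(k)
    out = []
    for m in (0, 1, (1 << k) - 1, (1 << k) // 3):
        c = encrypt(pk, m, rng)
        m1, sq1, _ = decrypt_alg1(sk, c, k)
        m2, sq2, _ = decrypt_remark2(sk, c, k)
        out.append((m, m1, m2, sq1, sq2))
    return out
```

For \(k = 8\), Algorithm 1 always spends \(28 + 7 = 35\) squarings, whereas the variant spends \(\sum (k-1-t)\) over the set bit positions t of m: 0 for \(m = 0\), 28 for \(m = 255\), and 16 for \(m = 85 = {(01010101)}_2\). The guard in the inner loop is the check a decryptor should keep: a value C outside the subgroup generated by Y never reaches \(-1\), and without the bound the loop would not terminate.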

5.3 Ciphertext Expansion

Hybrid encryption allows designing efficient asymmetric schemes, as suggested by Shoup in the ISO 18033-2 standard for public-key encryption [27]. An asymmetric cryptosystem is used to encrypt a secret key that is then used to encrypt the actual message. This is the so-called KEM/DEM paradigm.

Table 1 compares the ciphertext expansion in the encryption of k-bit messages for different generalized Goldwasser–Micali cryptosystems. Only cryptosystems with a formal security analysis are considered. Further, the value of k is assumed to be relatively small (e.g., 128 or 256) as the “message” being encrypted is typically a symmetric key (e.g., a 128- or 256-bit AES key) in a KEM/DEM construction.

Table 1 Ciphertext expansion in a typical encryption

It appears that the Goldwasser–Micali cryptosystem has the highest ciphertext expansion, but its semantic security relies on the standard quadratic residuosity assumption (i.e., the RSA modulus \(N = pq\) involves form-free primes). The ciphertext expansion of the Benaloh–Fischer cryptosystem is similar to that of the Naccache–Stern cryptosystem for small messages, i.e., when \(k \le \log _2 r\). For larger messages, the Naccache–Stern cryptosystem should be preferred. It also offers the further advantage of providing a faster decryption procedure. The same is true for the Okamoto–Uchiyama cryptosystem and the Paillier cryptosystem. These two latter cryptosystems are particularly suited to encrypt very large messages (i.e., up to \(\tfrac{1}{2}\log _2N\) bits for the Okamoto–Uchiyama cryptosystem and up to \(\log _2N\) bits for the Paillier cryptosystem).

The encryption scheme proposed in this paper has the same ciphertext expansion as in the Naccache–Stern cryptosystem. Moreover, its decryption algorithm is fast (no searches are needed), requires less memory, and the security relies on a quadratic residuosity assumption (i.e., \(k\text {-}{\mathsf {QR}}\)) when \(q \equiv 3 \pmod 4\). When \(q \equiv 1 \pmod 4\), it additionally requires the \(k\text {-}{\mathsf {SJS}}\) assumption.

6 More Efficient Lossy Trapdoor Functions from the \(\varvec{k}\)-Quadratic Residuosity Assumption

In this section, we show that our homomorphic cryptosystem allows constructing a lossy trapdoor function based on the \(k\text {-}{\mathsf {QR}}\), \(k\text {-}{\mathsf {SJS}}\) and \({\mathsf {DDH}}\) assumptions (or on the \(k\text {-}{\mathsf {QR}}\) and \({\mathsf {DDH}}\) assumptions) with much shorter outputs and keys than in previous \({\mathsf {QR}}\)-based or \({\mathsf {DDH}}\)-based examples.

In comparison with the function of Hemenway and Ostrovsky [25], for example, its output is k times smaller when working with a modulus \(N=pq\) with \(p \equiv 1 \pmod {2^k}\). Moreover, the size of the evaluation key is decreased by a factor of \(O(k^2)\) while increasing the lossiness by more than k bits. Finally, our inversion trapdoor has constant size, whereas [25] uses a trapdoor of size O(n) to recover n-bit inputs. Our function also compares favorably with the \({\mathsf {QR}} \)-based function of Freeman et al. [18, 19], which only loses a single bit.

In fact, by appropriately tuning our construction, we obtain the first lossy trapdoor function with short outputs, description and trapdoor that loses many input bits and relies on an assumption other than Paillier's. Among known lossy trapdoor functions based on traditional number-theoretic assumptions [7, 18, 19, 25, 32, 37, 45], this appears to be a rare efficiency tradeoff. To the best of our knowledge, it has only been achieved under the Composite Residuosity assumption [7, 18, 19] so far.

Interestingly, our LTDF provides similar efficiency improvements to the \({\mathsf {QR}} \)-based deterministic encryption scheme of Brakerski and Segev [10], which also builds on the Hemenway–Ostrovsky LTDF. Note that the scheme of [10] is important in the deterministic encryption literature since it is one of the few known schemes providing security in the auxiliary input setting in the standard model.

6.1 Description and Security Analysis

We start by recalling the following definition.

Definition 7

([45]) Let \(\kappa \in {\mathbb {N}}\) be a security parameter and \(n : {\mathbb {N}}\rightarrow {\mathbb {N}}\), \(\ell :{\mathbb {N}}\rightarrow {\mathbb {R}}\) be nonnegative functions of \(\kappa \). A collection of \((n,\ell )\)-lossy trapdoor functions (LTDF) is a tuple of efficient algorithms \(({\mathsf {InjGen}},{\mathsf {LossyGen}},{\mathsf {Eval}},{\mathsf {Invert}})\) with the following specifications.

  • Sampling an injective function: Given a security parameter \(\kappa \), the randomized algorithm \({\mathsf {InjGen}}(1^\kappa )\) outputs the index \( ek \) of an injective function of the family and an inversion trapdoor t.

  • Sampling a lossy function: Given a security parameter \(\kappa \), the probabilistic algorithm \({\mathsf {LossyGen}}(1^\kappa )\) outputs the index \( ek \) of a lossy function.

  • Evaluation: Given the index of a function \( ek \) —produced by either \({\mathsf {InjGen}}\) or \({\mathsf {LossyGen}}\)— and an input \(x \in \{0,1\}^n\), the evaluation algorithm \({\mathsf {Eval}}\) outputs \(F_{ ek }(x)\) such that:

    • If \( ek \) is an output of \({\mathsf {InjGen}}\), then \(F_{ ek }(\cdot )\) is an injective function.

    • If \( ek \) was produced by \({\mathsf {LossyGen}}\), then \(F_{ ek }(\cdot )\) has image size \(2^{n-\ell }\). In this case, the value \(n-\ell \) is called residual leakage.

  • Inversion: For any pair \(( ek ,t)\) produced by \({\mathsf {InjGen}}\) and any input \(x \in \{0,1\}^n\), the inversion algorithm \({\mathsf {Invert}}\) returns \(F_{ ek }^{-1}(t,F_{ ek }(x))=x\).

  • Security: The two ensembles \(\{ ek \mid ( ek ,t) \leftarrow {\mathsf {InjGen}}(1^{\kappa })\}_{\kappa \in {\mathbb {N}}}\) and \(\{ ek \mid ek \leftarrow {\mathsf {LossyGen}}(1^{\kappa })\}_{\kappa \in {\mathbb {N}}}\) are computationally indistinguishable.

Our construction goes as follows.

  • Sampling an injective function. Given a security parameter \(\kappa \), let \(\ell _N {:}{=}\ell _N(\kappa )\) and \(k {:}{=}k(\kappa )\) be parameters determined by \(\kappa \). Let also \(n {:}{=}n(\kappa )\) be the desired input length. Algorithm \({\mathsf {InjGen}}\) defines \(m=n/k\) (we assume that k divides n for simplicity) and conducts the following steps.

    1. Generate an \(\ell _N\)-bit RSA modulus \(N=pq\) such that \(p=2^K p'+1\) and \(q=2^L q'+1\), for odd prime integers p, q, \(p'\), \(q'\) and with \(K = k\) and \(L \in \{1,\cdots ,k\}\). Choose \(y \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}{\mathbb {J}}_N {\setminus } {\mathbb {QR}}_N\) at random.

    2. For each \(i \in \{1,\ldots ,m\}\), pick \(h_i\) in the subgroup of \(2^k\)-residues, \(R_k = \{ w^{2^k} \hbox { mod }N \mid w \in {\mathbb {Z}}_N^* \}\) (of order \(p'q'\)), by setting \(h_i={g_i}^{2^{k}} \hbox { mod }N\) for a randomly chosen \(g_i \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}{\mathbb {Z}}_N^*\).

    3. Choose \(r_1,\cdots ,r_m \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}{\mathbb {Z}}_{p'q'}\) and compute a matrix \(Z= \bigl (Z_{i,j} \bigr )_{i,j\in \{1,\cdots ,m\}}\) given by

      $$\begin{aligned} Z = \begin{pmatrix} y^{z_{1,1}} \cdot {h_1}^{r_1} \hbox { mod }N &{} \ldots &{} \ldots &{} y^{z_{1,m}} \cdot {h_m}^{r_1} \hbox { mod }N \\ \vdots &{} &{} &{} \vdots \\ y^{z_{m,1}} \cdot {h_1}^{r_m} \hbox { mod }N &{} \ldots &{} \ldots &{} y^{z_{m,m}} \cdot {h_m}^{r_m} \hbox { mod }N \end{pmatrix} , \end{aligned}$$

      where \((z_{i,j})_{i,j \in \{1,\cdots , m\}}\) denotes the identity matrix.

    The evaluation key is \( ek {:}{=}\big (N,(Z_{i,j})_{i,j \in \{1,\cdots ,m\}}\big )\), and the trapdoor is \(t{:}{=}\{ p,y\}\).

  • Sampling a lossy function. The process followed by \({\mathsf {LossyGen}}\) is identical to the above one, but the matrix \((z_{i,j})_{i,j \in \{1,\cdots , m\}}\) is replaced by the all-zeroes \(m \times m\) matrix.

  • Evaluation. Given \( ek =\big (N,(Z_{i,j})_{i,j \in \{1,\cdots ,m\}}\big )\), algorithm \({\mathsf {Eval}}\) parses the input \(x \in \{0,1\}^n\) as a vector of k-bit blocks \(\tilde{x}=(x_1,\cdots ,x_m)\), with \(x_i \in {\mathbb {Z}}_{2^k}\) for each i. Then, it computes and returns \(\tilde{y} = (y_1, \cdots , y_m)\), with \(y_j \in {\mathbb {Z}}_N^*\), where

    $$\begin{aligned} \tilde{y}&= \Bigl (\prod _{i=1}^m{Z_{i,1}}^{x_i} \hbox {mod} N, \cdots , \prod _{i=1}^m{Z_{i,m}}^{x_i} \hbox {mod} N\Bigr )\\&= \Bigl (y^{\sum _{i=1}^m z_{i,1}x_i } \cdot {h_1}^{\sum _{i=1}^m r_ix_i} \hbox {mod} N , \cdots , y^{\sum _{i=1}^m z_{i,m}x_i} \cdot {h_m}^{\sum _{i=1}^m r_ix_i} \hbox {mod} N \Bigr ). \end{aligned}$$

  • Inversion. Given \(t= \{p,y\}\) and \(\tilde{y} = (y_1,\cdots ,y_m) \in {\mathbb {Z}}_N^m\), \({\mathsf {Invert}}\) applies the decryption algorithm of Sect. 3.2 to each \(y_j\), for \(j=1\) to m. Observe that when \((z_{i,j})_{i,j\in \{1,\cdots ,m\}}\) is the identity matrix, \(\left( \frac{y_j}{p} \right) _{2^k} = \left[ \left( \frac{y}{p} \right) _{2^k}\right] ^{x_j} \mathbin {\mathrm {mods}}{p}\). From the resulting vector of plaintexts \(\tilde{x}=(x_1,\cdots ,x_m) \in {{\mathbb {Z}}_{2^k}}^{m}\), it recovers the input \(x\in \{0,1\}^n\).
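The four algorithms above at toy size, as an added Python example that is not the paper's code. The values \(p = 113 = 2^4 \cdot 7 + 1\) and \(q = 23 = 2 \cdot 11 + 1\) (so \(K = k = 4\), \(L = 1\) and \(|R_k| = p'q' = 77\)) are constructed for illustration; y is taken as the smallest nonsquare modulo both p and q rather than sampled at random; and the block-wise decryption used by \({\mathsf {Invert}}\) is my reconstruction of the Sect. 3.2 algorithm from the \(2^j\)-th power residue symbols modulo p. With \(m = 2\) blocks (\(n = 8\)), an injective key inverts correctly and its image covers all \(2^n\) inputs, while a lossy key's output depends only on \(\sum _i r_i x_i \hbox { mod }p'q'\), so its image has at most \(p'q' = 77\) elements, matching the residual leakage \(n - \ell \le \log _2(p'q')\) of Theorem 4. The Security item of Definition 7 (indistinguishability of the two keys) is computational and cannot be exhibited at this scale.

```python
import random
from math import gcd

# Toy parameters constructed for this example (real instances use an l_N-bit N):
# p = 113 = 2^4 * 7 + 1 gives K = k = 4, p' = 7;  q = 23 = 2^1 * 11 + 1 gives L = 1, q' = 11.
P, Q, K = 113, 23, 4
N = P * Q
ORDER_RK = 7 * 11      # p'q' = |R_k|, the order of the subgroup of 2^k-th residues


def legendre(a: int, p: int) -> int:
    """Legendre symbol (a/p) by Euler's criterion, p an odd prime."""
    s = pow(a, (p - 1) // 2, p)
    return -1 if s == p - 1 else s


def decrypt_basic(p: int, y: int, k: int, c: int) -> int:
    """Reconstruction of the Sect. 3.2 decryption: recover m in Z_{2^k} from
    c = y^m * w^{2^k} mod N, one bit per 2^j-th power residue symbol modulo p."""
    m, B = 0, 1
    for j in range(1, k + 1):
        z = pow(c * pow(y, -m, p), (p - 1) >> j, p)
        if z != 1:                     # the symbol is -1, so bit m_{j-1} = 1
            m += B
        B <<= 1
    return m


def gen(k: int, m: int, rng: random.Random, lossy: bool = False):
    """InjGen (lossy=False) or LossyGen (lossy=True): returns ek = (N, Z) and t = (p, y)."""
    y = next(v for v in range(2, N) if legendre(v, P) == -1 and legendre(v, Q) == -1)
    h = []
    for _ in range(m):                 # h_i = g_i^{2^k} mod N for a random unit g_i
        g = rng.randrange(2, N)
        while gcd(g, N) != 1:
            g = rng.randrange(2, N)
        h.append(pow(g, 1 << k, N))
    r = [rng.randrange(ORDER_RK) for _ in range(m)]          # r_i in Z_{p'q'}
    # z_{i,j} is the identity matrix for injective keys and all zeroes for lossy keys
    Z = [[pow(y, int(i == j and not lossy), N) * pow(h[j], r[i], N) % N
          for j in range(m)] for i in range(m)]
    return (N, Z), (P, y)


def evaluate(ek, x_blocks):
    """Eval: y_j = prod_i Z_{i,j}^{x_i} mod N over the k-bit blocks x_i of the input."""
    n, Z = ek
    out = []
    for j in range(len(Z)):
        acc = 1
        for i, xi in enumerate(x_blocks):
            acc = acc * pow(Z[i][j], xi, n) % n
        out.append(acc)
    return tuple(out)


def invert(t, k: int, y_vec):
    """Invert: block-wise decryption with the trapdoor (p, y)."""
    p, y = t
    return tuple(decrypt_basic(p, y, k, yj) for yj in y_vec)


def to_blocks(x: int, k: int, m: int):
    """Parse an n = k*m bit input into m blocks of k bits (least significant block first)."""
    return tuple((x >> (k * i)) & ((1 << k) - 1) for i in range(m))


def image_size(ek, k: int, m: int) -> int:
    """Number of distinct outputs over all 2^{km} inputs (feasible only at toy size)."""
    return len({evaluate(ek, to_blocks(x, k, m)) for x in range(1 << (k * m))})


def demo(m: int = 2, seed: int = 3):
    """Returns (inversion_ok, injective_image_size, lossy_image_size) for n = k*m = 8."""
    rng = random.Random(seed)
    ek_inj, t = gen(K, m, rng)
    ek_lossy, _ = gen(K, m, rng, lossy=True)
    x = to_blocks(0b10110011, K, m)
    ok = invert(t, K, evaluate(ek_inj, x)) == x
    return ok, image_size(ek_inj, K, m), image_size(ek_lossy, K, m)
```

Enumerating the whole domain is what makes the lossiness visible here: \(2^8 = 256\) inputs map to at most 77 outputs under a lossy key, whereas the injective key produces 256 distinct outputs and the trapdoor holder recovers every block with nothing more than p and y.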

The Hemenway–Ostrovsky construction of [25] is slightly different in that, as in the \({\mathsf {DDH}}\)-based construction of Peikert and Waters [45], the evaluation key includes a vector of the form \(G=(g^{r_1},\ldots ,g^{r_m})^T\), where \(g \in {\mathbb {QR}}_N\), and the trapdoor is \(t=(\log _g(h_1),\cdots ,\log _g(h_m))\). In their scheme, the evaluation algorithm additionally computes \(\prod _{i=1}^m {(g^{r_i})}^{x_i}\), while the inversion algorithm does not use the factorization of N but rather performs a coordinate-wise ElGamal decryption. Here, explicitly using the factorization of N in the inversion algorithm makes it possible to process k-bit blocks at once. In addition, it allows for a very short inversion trapdoor: The inversion algorithm only needs y and the factorization of N.

Another important difference with the Hemenway–Ostrovsky construction is the following: In [25], as \(K=L=k=1\), y can be chosen as a primitive \(2^k\)-root of unity, namely \(y=-1\). In that case, indistinguishability between lossy keys and normal keys can directly be proven under the \({\mathsf {QR}} \) assumption: Basically, \(h_i\) is indistinguishable from a random element in \({\mathbb {J}}_N {\setminus } {\mathbb {QR}}_N\) and so \({h_i}^{r_j}\) masks \(y^{z_{i,j}}\) completely, if \(h_{i'} \in {\mathbb {QR}}\) for all \(i' \ne i\) and if \(r_{j}\) is taken from \({\mathbb {Z}}_{\phi (N)}\) (see [25] for details). However, when \(k\ge 2\), there does not seem to be a way to generate a \(2^k\)-root of unity without knowing the factorization of N [23], and thus, we take instead a random element \(y \in {\mathbb {J}}_N {\setminus } {\mathbb {QR}}_N\). The previous proof does not work anymore, and we need to rely on the \({\mathsf {DDH}}\) assumption in addition to the \({\mathsf {Gap}}2^k\text {-}{\mathsf {Res}} \) assumption, to prove indistinguishability between lossy keys and normal keys.

We first recall the \({\mathsf {DDH}}\) assumption before giving the security theorem for our new construction.

Definition 8

(Decision Diffie–Hellman, \({\mathsf {DDH}}\)) Given a security parameter \(\kappa \), let \({\mathbb {G}}= \langle g\rangle \) be a (multiplicatively written) group of order n. The Decision Diffie–Hellman (\({\mathsf {DDH}}\)) assumption for \({\mathbb {G}}\) asserts that the function \(\mathbf {Adv}^{{\mathsf {DDH}}}_{{\mathcal {D}}}(\kappa )\), defined as the distance

$$\begin{aligned} \Bigl | \Pr [{\mathcal {D}}(g,g^a,g^b, g^{ab})=1 \mid a,b \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}{\mathbb {Z}}_n] - \Pr [{\mathcal {D}}(g,g^a,g^b,g^c)=1 \mid a,b,c \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}{\mathbb {Z}}_n] \Bigr | \end{aligned}$$

is negligible for any probabilistic polynomial-time distinguisher \({\mathcal {D}}\); the probabilities are taken over the experiment of selecting at random a generator g of \({\mathbb {G}}\) and choosing at random \(a \in {\mathbb {Z}}_n\), \(b \in {\mathbb {Z}}_n\) and \(c \in {\mathbb {Z}}_n\).

Theorem 4

Let \(\ell (\kappa ) = n(\kappa ) - \log _2(p'q')\). The above construction is an \((n(\kappa ), \ell (\kappa ))\)-LTDF if the \({\mathsf {Gap}}2^k\text {-}{\mathsf {Res}} \) assumption holds and if the \({\mathsf {DDH}}\) assumption holds in the subgroup \(R_k\) of \(2^k\)-th residues.

We recall that \(N=pq\), with \(p = 2^K p' + 1\) and \(q = 2^L q' + 1\). Therefore, we have:

$$\begin{aligned} n(\kappa )-\log _2(N/2^{K+L}) < \ell (\kappa ) < n(\kappa )-\log _2(N/2^{K+L})+1. \end{aligned}$$

Proof (of Theorem 4)

We first prove that lossy functions are indistinguishable from injective functions. To this end, we consider a sequence of hybrid experiments. We first define an experiment \(\mathbf {Exp}_0\) which is an experiment where the key generation algorithm outputs the description of an injective function with the difference that y is chosen as a \(2^k\)-th residue instead of being drawn as \(y \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}{\mathbb {J}}_N {\setminus } {\mathbb {QR}}_N\). Clearly, under the \({\mathsf {Gap}}2^k\text {-}{\mathsf {Res}} \) assumption, \(\mathbf {Exp}_0\) is computationally indistinguishable from an experiment where the adversary is given the description of an injective function. Note that although \(p'q'\) is used to generate the values \(r_j\), using the approximate value \(N/2^{K+L}\) instead of \(p'q'\) is statistically indistinguishable. Thus, knowing the factorization of N is not necessary in these experiments, and the \({\mathsf {Gap}}2^k\text {-}{\mathsf {Res}} \) assumption can be applied.

Next, for each \(i^\star \in \{1,\cdots ,m \}\) we define experiment \(\mathbf {Exp}_{i^\star }\) as an experiment where \(y \in _R R_{k}\) and the key generation algorithm outputs a matrix \((Z_{i,j})_{i,j}\) which encrypts a hybrid matrix \((z_{i,j})_{i,j}\) whose first \(i^\star \) columns all contain zeroes, whereas the last \(m-i^\star \) columns are those of the \(m \times m\) identity matrix.

Claim. If the \({\mathsf {DDH}}\) assumption holds in the subgroup \(R_k\) of \(2^k\)-th residues, for each \(i^\star \in \{1,\cdots ,m \}\), experiment \(\mathbf {Exp}_{i^\star }\) is computationally indistinguishable from Experiment \(\mathbf {Exp}_{i^\star -1}\).

Proof

The claim is proved in the same way as a similar claim about the \({\mathsf {DDH}}\)-based LTDF of Peikert and Waters [45]. Since y lives in the cyclic subgroup \(R_k\) of \(2^k\)-th residues, we are free to invoke the \({\mathsf {DDH}}\) assumption in \(R_k\). Concretely, given a \({\mathsf {DDH}}\) challenge \((g, g^a, g^b, \gamma ) \in (R_k)^4\), the goal is to distinguish if \(\gamma = g^{ab}\) or \(\gamma \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}R_k\). Let \({\mathcal {B}}\) be an adversary that can tell apart \(\mathbf {Exp}_{i^\star }\) from \(\mathbf {Exp}_{i^\star -1}\) with advantage

$$\begin{aligned}&\mathbf {Adv}_{\mathcal {B}}^{\mathop {{\mathsf {Exp}}}(i^\star , i^\star -1)}(\kappa ) {:}{=} \Bigl |\Pr \bigl [{\mathcal {B}}\bigl (y,(Z_{i,j})_{i,j}\bigr ) = 1 \mid (y,(Z_{i,j})_{i,j}) \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbf {Exp}_{i^\star }\bigr ]\\&\quad {}- \Pr \bigl [{\mathcal {B}}\bigl (y,(Z_{i,j})_{i,j}\bigr ) = 1 \mid (y,(Z_{i,j})_{i,j}) \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbf {Exp}_{i^\star -1}\bigr ]\Bigr |. \end{aligned}$$

Our distinguisher \({\mathcal {D}}\) is defined as follows. The public key is generated by setting \(h_{i^\star } = g^a\) and \(h_j=g^{\alpha _j}\), with \(\alpha _j \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}{\mathbb {Z}}_{p'q'}\) for each \(j \ne i^\star \). The evaluation key is generated by setting the entry \((i^\star ,i^\star )\) of the matrix as \(Z_{i^\star ,i^\star } = y^\beta \gamma \) for a random bit \(\beta \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\{0,1\}\), while the rest of the \(i^\star \)-th row is obtained by setting \(Z_{i^\star ,j}=(g^b)^{\alpha _j}\). The remaining rows of matrix \((Z_{i,j})_{i,j}\), i.e., those different from the \(i^\star \)-th one, are generated by choosing the exponents faithfully, namely for each \(i \ne i^\star \): \(Z_{i,j} = {h_j}^{r_i}\) for each \(j\ne i\), \(Z_{j,j} = {h_j}^{r_j}\) for each \(j < i^\star \) and \(Z_{j,j} = y\cdot {h_j}^{r_j}\) for each \(j > i^\star \), with \(r_j \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}{\mathbb {Z}}_{p'q'}\) for each \(j \ne i^\star \). Element \(y \in R_k\) and matrix \((Z_{i,j})_{i,j}\) are given to \({\mathcal {B}}\), which returns its guess \(\beta '\) on the running experiment. Distinguisher \({\mathcal {D}}\) outputs 1 if \(\beta ' = \beta \) and 0 otherwise.

Suppose first that \(\gamma = g^{ab}\). Then, it is clear that the evaluation key given to \({\mathcal {B}}\) is distributed as in Experiment \(\mathbf {Exp}_{i^\star }\) when \(\beta = 0\) and as in Experiment \(\mathbf {Exp}_{i^\star -1}\) when \(\beta = 1\). Hence, we have \(\Pr [{\mathcal {D}}(g,g^a,g^b,\gamma ) = 1 \mid \gamma = g^{ab}] = \Pr [\beta ' = \beta \mid \gamma = g^{ab}] = \tfrac{1}{2} \Pr \bigl [{\mathcal {B}}\bigl (y,(Z_{i,j})_{i,j}\bigr ) = 0 \mid (y,(Z_{i,j})_{i,j}) \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbf {Exp}_{i^\star }\bigr ] + \tfrac{1}{2} \Pr \bigl [{\mathcal {B}}\bigl (y,(Z_{i,j})_{i,j}\bigr ) = 1 \mid (y,(Z_{i,j})_{i,j}) \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbf {Exp}_{i^\star -1}\bigr ] = \tfrac{1}{2} \bigl (1-\Pr \bigl [{\mathcal {B}}\bigl (y,(Z_{i,j})_{i,j}\bigr ) = 1 \mid (y,(Z_{i,j})_{i,j}) \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbf {Exp}_{i^\star }\bigr ]\bigr ) + \tfrac{1}{2} \Pr \bigl [{\mathcal {B}}\bigl (y,(Z_{i,j})_{i,j}\bigr ) = 1 \mid (y,(Z_{i,j})_{i,j}) \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbf {Exp}_{i^\star -1}\bigr ] = \tfrac{1}{2} \pm \mathbf {Adv}_{\mathcal {B}}^{\mathop {{\mathsf {Exp}}}(i^\star , i^\star -1)}(\kappa )\). If now \(\gamma \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}R_k\) then \(\mathbf {Exp}_{i^\star }\) and \(\mathbf {Exp}_{i^\star -1}\) are equally distributed. This implies that \(\Pr [{\mathcal {D}}(g,g^a,g^b,\gamma )=1 \mid \gamma \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}R_k] = \Pr [\beta ' = \beta \mid \gamma \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}R_k] = 1/2\). 
Consequently, we get \(\bigl |\Pr [{\mathcal {D}}(g,g^a,g^b,\gamma ) = 1 \mid \gamma = g^{ab}] - \Pr [{\mathcal {D}}(g,g^a,g^b,\gamma )=1 \mid \gamma \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}R_k]\bigr | = \mathbf {Adv}_{\mathcal {B}}^{\mathop {{\mathsf {Exp}}}(i^\star , i^\star -1)}(\kappa )\), which should be negligible under the \({\mathsf {DDH}}\) assumption. \(\square \)

The proof now follows by remarking that, in lossy functions, the output is entirely determined by \(\sum _{i=1}^m r_i x_i \hbox { mod }p'q' \), so that the image size is smaller than \(p'q'\). The residual leakage is thus at most \(\log _2(p'q')\) bits.

Combining this result with Theorem 3, the security of the new trapdoor function relies on the \({\mathsf {DDH}}\) assumption in the subgroup of \(2^k\)-th residues and additionally either the combination of the \(k\text {-}{\mathsf {QR}}\) and \(k\text {-}{\mathsf {SJS}}\) assumptions (when \(L > 1\)) or the \(k\text {-}{\mathsf {QR}}\) assumption alone (when \(L=1\)).

It is worth noting that, with \(N=pq\) such that \(p \equiv 1 \pmod {2^k}\), a side effect of working in the subgroup \(R_k\) (of order \(p'q'\)) is an improved lossiness. Indeed, we lose \(n-\log _2(p'q')\) bits in comparison with \(n-\log _2 \phi (N)\) in [25]. Since \(\phi (N) = 2^{K+L} p'q'\), this means we lose \(K+L\) more bits than by using the construction in [25], where \(K = k\), \(1 \le L \le k\).

The most interesting instantiations are:

  • \(K = L = k\): in which case we lose 2k more bits than [25] and the construction is secure under \(k\text {-}{\mathsf {QR}} \), \(k\text {-}{\mathsf {SJS}} \), and \({\mathsf {DDH}} \) in \(R_k\);

  • \(K = k\) and \(L=1\): in which case we lose only k more bits than [25], but the \(k\text {-}{\mathsf {SJS}} \) assumption is no longer required.

6.2 An All-But-One Trapdoor Function

Using the techniques of Peikert and Waters [45], it is easy to construct an equally efficient all-but-one trapdoor function providing the same amount of lossiness as our lossy trapdoor function, under the same assumptions. A difference will be that, in order to enable inversion, the resulting all-but-one function will handle k/2 bits (instead of k) in each chunk.

First we recall the definition of an all-but-one trapdoor function. Let \( {\kappa } \in {\mathbb {N}}\) be a security parameter and \(n : {\mathbb {N}}\rightarrow {\mathbb {N}}\), \(\ell :{\mathbb {N}}\rightarrow {\mathbb {R}}\) be nonnegative functions of \(\kappa \). A collection of \((n,\ell )\)-all-but-one trapdoor functions (ABO-TDF) is a tuple of efficient algorithms \(({\mathsf {BranchGen}},{\mathsf {ABOGen}},{\mathsf {Eval}},{\mathsf {Invert}})\) with the following specifications.

  • Sampling a branch: Given a security parameter \(\kappa \), \({\mathsf {BranchGen}}\) is a randomized algorithm that outputs a branch \(b \in \{0,1\}^*\) of appropriate length.

  • Sampling a function: \({\mathsf {ABOGen}}\) is a probabilistic algorithm that takes as input a security parameter \(\kappa \) and a branch \(b^\star \) produced by \({\mathsf {BranchGen}}\). It outputs the description \( ek \) of a function and a trapdoor t.

  • Evaluation: For any branch \(b^\star \) produced by \({\mathsf {BranchGen}}\), any pair \(( ek ,t)\) produced by \({\mathsf {ABOGen}}(1^\kappa ,b^\star )\), any branch b and any input \(x \in \{0,1\}^n\), the evaluation algorithm \({\mathsf {Eval}}\) outputs \(F_{b, ek }(x)\) such that:

    • If \(b\ne b^\star \), then \(F_{b, ek }(\cdot )\) is an injective function;

    • If \(b= b^\star \), then \(F_{b^\star , ek }(\cdot )\) has image size \(2^{n-\ell }\). In this case, the value \(n-\ell \) is called residual leakage.

  • Inversion: For any \(b^\star \) produced by \({\mathsf {BranchGen}}\) and any pair \(( ek ,t)\) produced by \({\mathsf {ABOGen}}(1^\kappa ,b^\star )\), any branch \(b \ne b^\star \) and any input \(x \in \{0,1\}^n\), the inversion algorithm \({\mathsf {Invert}}\) returns \(F_{b, ek }^{-1}(t,F_{b, ek }(x))=x\).

  • Security: For any distinct \(b,b' \in \{0,1\}^*\) produced by \({\mathsf {BranchGen}}\), the ensembles

    $$\begin{aligned} \{ ek \mid ( ek ,t) \leftarrow {\mathsf {ABOGen}}(1^{\kappa },b)\}_{\kappa \in {\mathbb {N}}} \quad \text {and}\quad \{ ek \mid ( ek ,t) \leftarrow {\mathsf {ABOGen}}(1^{\kappa },b')\}_{\kappa \in {\mathbb {N}}} \end{aligned}$$

    are computationally indistinguishable.

Our ABO-TDF is described below. A difference with the Paillier-based construction of [18] is that, when inverting the function, we must pay attention to the fact that the output of the function may contain encryptions of values which are not invertible modulo \(2^k\). In order to avoid the need to invert in \({\mathbb {Z}}_{2^k}\), we perform the division over the integers. To this end, we have to adjust the parameter k so as to make sure that, for any branches \(b,b^\star \) and any input block x, the product \((b-b^\star ) \cdot x\) will be smaller than \(2^k\).

  • Sampling a branch. Given a security parameter \(\kappa \in {\mathbb {N}}\) and a parameter \(\lambda {:}{=}\lambda (\kappa )\) determined by \(\kappa \), the algorithm chooses \(b \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\{0,1\}^{\lambda }\).

  • Sampling a function. The function sampling algorithm takes as input a security parameter \(\kappa \), parameters \(\ell _N {:}{=}\ell _N(\kappa )\) and \(\lambda {:}{=}\lambda (\kappa )\) that are determined by \(\kappa \), the desired input length \(n {:}{=}n(\kappa )\), and a branch \(b^\star \in \{0,1\}^{\lambda }\). It sets \(k=2\lambda \) and defines \(m=n/\lambda \) (we assume that \( \lambda \) divides n for simplicity) and does the following.

    1. Generate an \(\ell _N\)-bit RSA modulus \(N=pq\) such that \(p=2^K p'+1\) and \(q=2^L q'+1\), for odd prime integers \(p,q,p',q'\), \(K = k\), and some \(L \in \{1, \dots , k\}\). Choose \(y \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}{\mathbb {J}}_N {\setminus } {\mathbb {QR}}_N\) at random.

    2. For each \(i \in \{1,\cdots ,m\}\), pick \(h_i\) in the subgroup \(R_k\) (of order \(p'q'\)), by setting \(h_i={g_i}^{2^{k}} \hbox { mod }N\) for a randomly chosen \(g_i \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}{\mathbb {Z}}_N^*\).

    3. Choose \(r_1,\cdots ,r_m \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}{\mathbb {Z}}_{p'q'}\) and compute a matrix

      $$\begin{aligned} Z= & {} \big (Z_{i,j} \big )_{i,j\in \{1,\cdots ,m\}}\\= & {} \begin{pmatrix} y^{-z_{1,1}b^\star } \cdot {h_1}^{r_1} \hbox { mod }N &{} \ldots &{} \ldots &{} y^{z_{1,m}} \cdot {h_m}^{r_1} \hbox { mod }N \\ \vdots &{} &{} &{} \vdots \\ y^{z_{m,1}} \cdot {h_1}^{r_m} \hbox { mod }N &{} \ldots &{} \ldots &{} y^{-z_{m,m}b^\star } \cdot {h_m}^{r_m} \hbox { mod }N \end{pmatrix} , \end{aligned}$$

      where \(\bigl (z_{i,j}\bigr )_{i,j\in \{1,\cdots ,m\}}\) is the identity matrix; i.e., \(Z_{i,i}=y^{-b^\star } {h_i}^{r_i} \hbox { mod }N\) and \(Z_{i,j}= {h_j}^{r_i} \hbox { mod }N\) if \(j\ne i\).

    The evaluation key of the ABO function is \( ek {:}{=}\big (N,(Z_{i,j})_{i,j \in \{1,\cdots ,m\}},y\big )\), and the trapdoor is \(t{:}{=}p \).

  • Evaluation. In order to evaluate the function on a branch \(b \in \{0,1\}^{\lambda }\) for the input \(x \in \{0,1\}^n\) using the evaluation key \( ek =\big (N,(Z_{i,j})_{i,j \in \{1,\cdots ,m\}},y\big )\), algorithm \({\mathsf {Eval}}\) parses \(x \in \{0,1\}^n\) as a vector of \(\lambda \)-bit blocks \(\tilde{x}=(x_{1},\ldots ,x_m)\), with \(x_i \in {\mathbb {Z}}_{2^{\lambda }}\) for each i. Then, it defines the matrix

    $$\begin{aligned} Z^b&= (Z_{i,j}^b)_{i,j \in \{1,\cdots ,m\}} \\&= \begin{pmatrix} y^b \cdot Z_{1,1} \hbox { mod }N ~~&{} ~ Z_{1,2} ~ &{} ~\ldots ~ &{} ~ Z_{1,m}\\ Z_{2,1} &{} y^b \cdot Z_{2,2} \hbox { mod }N &{} \ldots &{} Z_{2,m} \\ \vdots &{} &{} \ddots &{} \vdots \\ Z_{m,1} &{} \ldots &{} ~ \ldots ~ &{} ~ y^b \cdot Z_{m,m} \hbox { mod }N \end{pmatrix} , \end{aligned}$$

    i.e., \(Z_{i,j}^b=Z_{i,j}\) if \(i \ne j\) and \(Z_{i,i}^b=y^b \cdot Z_{i,i} \hbox { mod }N\) for each \(i,j \in \{1,\cdots ,m\}\). Then, it computes and returns

    $$\begin{aligned} \tilde{y}&= \Bigl (\prod _{i=1}^m (Z_{i,1}^b)^{x_i} \hbox { mod }N, \cdots , \prod _{i=1}^m (Z_{i,m}^b)^{x_i} \hbox { mod }N\Bigr )\\&= \Big (y^{(b-b^\star )x_1} \cdot {h_1}^{\sum _{i=1}^m r_ix_i} \hbox { mod }N ,~ \ldots ,~y^{ (b-b^\star ) x_m} \cdot {h_m}^{\sum _{i=1}^m r_ix_i} \hbox { mod }N \Big ). \end{aligned}$$
  • Inversion. Given a description \( ek =\bigl (N,(Z_{i,j})_{i,j \in \{1,\cdots ,m\}},y\bigr )\) of the function, the trapdoor \(t=p\) and the output \(\tilde{y} = (y_1,\cdots ,y_m) \in {\mathbb {Z}}_N^m\), the function can be inverted for the branch \(b \ne b^\star \) by proceeding as follows.

    1. Define the vector \((w_1,\cdots ,w_m) \in {\mathbb {Z}}_N^m\) as \((w_1,\ldots ,w_m)=(y_1,\ldots ,y_m)\) if \(b>b^\star \) (when the bitstrings b and \(b^\star \) are interpreted as natural integers) and \((w_1,\ldots ,w_m)=({y_1}^{-1} \hbox { mod }N,\cdots , {y_m}^{-1} \hbox { mod }N)\) if \(b < b^\star \).

    2. For \(i=1\) to m, apply the decryption algorithm of Sect. 3.2 to \(w_i\).

    3. From the vector of plaintexts \(\tilde{x}=(x_1,\cdots ,x_m) \in {\mathbb {Z}}_{2^\lambda }^m\) obtained at Step 2, define \(\tilde{x}'=(x_1',\ldots ,x_m') \in {\mathbb {Z}}_{2^\lambda }^m\) such that \(x_i'= x_i/|b-b^\star |\) (the division being performed over \({\mathbb {Z}}\)), where \(|b-b^\star |=b-b^\star \) if \(b>b^\star \) and \(b^\star -b\) otherwise.

    4. From \(\tilde{x}'=(x_1',\ldots ,x_m')\), recover the original input \(x\in \{0,1\}^n\) by concatenating the binary representations of the coordinates of \(\tilde{x}'\).

The correctness of the inversion algorithm stems from the fact that, since we have \(x_i,b,b^\star < 2^{\lambda }\), it holds that \(|b-b^\star | \cdot x_i < 2^{2\lambda } = 2^k\) for each \(i \in \{1,\cdots ,m\}\), so that \(x_i'\) can be computed over the integers at step 3 of the inversion algorithm.
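The following toy implementation of \({\mathsf {ABOGen}}\), \({\mathsf {Eval}}\) and the inversion procedure above is an added example, not code from the paper: it uses \(\lambda = 4\), \(k = 8\), \(L = 1\) and 16-bit \(p', q'\) found by trial division, reimplements the Sect. 3.2 decryption as the bit-by-bit discrete logarithm in the order-\(2^k\) subgroup of \({\mathbb {Z}}_p^*\), and (an assumption the text leaves implicit) hands the inverter \(b^\star \) together with the trapdoor p.

```python
import math, random

is_prime = lambda n: n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))  # trial division, toy sizes only

def special_prime(rng, e, bits):  # P = 2^e * P' + 1 with P, P' prime, the p = 2^k p' + 1 shape
    while True:
        pp = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(pp) and is_prime((pp << e) + 1):
            return (pp << e) + 1, pp

def jl_decrypt(c, p, y, k):  # Sect. 3.2 decryption: m = log_D(C) in the order-2^k subgroup of Z_p^*
    e = (p - 1) >> k
    D, C, msg = pow(y, e, p), pow(c, e, p), 0    # D has order exactly 2^k because y is a non-square mod p
    for j in range(k):                           # bit j of m: (C / D^msg)^(2^(k-1-j)) = (-1)^(m_j)
        if pow(C * pow(D, -msg, p) % p, 1 << (k - 1 - j), p) != 1:
            msg |= 1 << j
    return msg

def abo_gen(rng, lam, n, bstar, bits=16):        # ABOGen with lossy branch b*
    k, m = 2 * lam, n // lam                     # k = 2*lambda, m = n/lambda blocks
    (p, pp), (q, qp) = special_prime(rng, k, bits), special_prime(rng, 1, bits)  # K = k, L = 1
    N, y = p * q, 2
    while pow(y, (p - 1) // 2, p) != p - 1 or pow(y, (q - 1) // 2, q) != q - 1:
        y += 1                                   # smallest y in J_N \ QR_N: a non-square mod p and mod q
    h = [pow(rng.randrange(2, N), 1 << k, N) for _ in range(m)]  # h_i = g_i^(2^k) mod N, in R_k
    r = [rng.randrange(pp * qp) for _ in range(m)]                # r_i in Z_{p'q'}
    Z = [[pow(y, -bstar, N) * pow(h[i], r[i], N) % N if i == j else pow(h[j], r[i], N)
          for j in range(m)] for i in range(m)]  # Z_ii = y^(-b*) h_i^(r_i), Z_ij = h_j^(r_i)
    return (N, Z, y, lam), p                     # ek and trapdoor t = p

def abo_eval(ek, b, x):                          # Eval on branch b for n-bit input x
    N, Z, y, lam = ek
    m, yb = len(Z), pow(y, b, N)
    xs = [(x >> (lam * i)) & ((1 << lam) - 1) for i in range(m)]  # lambda-bit blocks x_1..x_m
    # y_j = prod_i (Z^b_{i,j})^{x_i} with Z^b equal to Z except y^b on the diagonal
    return [math.prod(pow(Z[i][j] * (yb if i == j else 1) % N, xs[i], N) for i in range(m)) % N
            for j in range(m)]

def abo_invert(ek, t, b, out):                   # inversion on a branch b != b*
    (N, Z, y, lam), (p, bstar) = ek, t           # assumption: t carries b* alongside p
    ws = out if b > bstar else [pow(v, -1, N) for v in out]     # step 1: invert if b < b*
    # steps 2-4: decrypt each w_i to |b-b*|*x_i (< 2^k), divide over the integers, concatenate
    return sum((jl_decrypt(w, p, y, 2 * lam) // abs(b - bstar)) << (lam * i) for i, w in enumerate(ws))

def demo(seed=7, lam=4, n=12):                   # constructed run: returns (x, recovered x)
    rng = random.Random(seed)
    bstar = rng.getrandbits(lam)
    ek, p = abo_gen(rng, lam, n, bstar)
    b, x = (bstar + rng.randrange(1, 1 << lam)) % (1 << lam), rng.getrandbits(n)  # b != b*
    return x, abo_invert(ek, (p, bstar), b, abo_eval(ek, b, x))
```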

It is easy to prove that the description of the function computationally hides the underlying lossy branch if the \(k\text {-}{\mathsf {QR}}\) and \(k\text {-}{\mathsf {SJS}}\) assumptions hold (when \(L > 1\)) or if the \(k\text {-}{\mathsf {QR}}\) assumption holds (when \(L=1\)), and if the \({\mathsf {DDH}}\) assumption holds in the subgroup \(R_k\) (of order \(p'q'\)). The proof is essentially identical to the proof of Theorem 4 and is omitted.

6.3 Application: Efficient \({\mathsf {CCA}}\)-Secure Encryption

By combining the lossy and all-but-one trapdoor function, a \({\mathsf {CCA}}\)-secure encryption scheme can be obtained using the construction of [45]. We argue now that \(m=O(1)\) suffices for this purpose. Recall that the scheme of [45] combines a pairwise independent hash function \(H:\{0,1\}^n \rightarrow \{0,1\}^{\tau }\), an \((n,\ell )\)-lossy function and an \((n,\ell ')\)-all-but-one function such that \(\ell +\ell ' \ge n + \nu \) and \(\tau \ge \nu -2 \log _2(1/\varepsilon )\), for some \(\nu \in \omega (\log n)\) and where \(\varepsilon \) is the statistical distance in the modified Leftover Hash Lemma used in [16]. If we choose \(\varepsilon \approx 2^{-\kappa }\) and \(\tau = k\) in order to encrypt k-bit messages, we can set \(\nu = k + 2 \kappa \). Setting \(\ell =\ell '=n-\log _2(p'q')\), the constraint \(\ell +\ell ' \ge n+ \nu \) translates into \(n- 2 \log _2(p'q') \ge \nu \).

Since \(q = 2^L q' + 1\) and \(p = 2^k p' + 1\) in our trapdoor functions, if we set \(k=\frac{1}{4}\log _2N-\kappa \) (cf. Sect. 5.1), we have \(\log _2 (p'q')=\log _2 \phi (N)-k - L \approx 4(k+ \kappa ) - k - L= 3k+4 \kappa - L\), which yields \(n \ge 4k+6 \kappa - L\). If \(k > \kappa \), it is sufficient to set \(n \ge 10k\). If we take into account the fact that our all-but-one function processes blocks of k/2 bits, we find that \(m =2n/k=20\) suffices here, even for \(L=1\). For larger values of L, an even smaller m would suffice.

As it turns out, when the Peikert–Waters construction [45, Sect. 4.3] of \({\mathsf {CCA}}\)-secure encryption is instantiated with our lossy and all-but-one trapdoor functions, it only requires a constant number of exponentiations while retaining constant-size public keys and ciphertexts.

With the exception of [24] (which relies on a weaker assumption), to the best of our knowledge, it yields the only known \({\mathsf {CCA}}\)-secure \({\mathsf {QR}}\)-based cryptosystem combining the aforementioned efficiency properties. Up to now, the most efficient chosen-ciphertext-secure cryptosystem strictly based on the \({\mathsf {QR}}\) assumption was the one of Kiltz et al. [33], where \(O(\kappa )\) exponentiations are needed to encrypt and the public key contains \(O(\kappa )\) group elements. On the other hand, our construction requires more specific moduli than [33] and additionally appeals to the \({\mathsf {DDH}}\) assumption (and the \(k\text {-}{\mathsf {SJS}}\) assumption, as well, if \(L > 1\)).

7 Conclusion

This paper introduced a new generalization of the Goldwasser–Micali cryptosystem. The so-obtained cryptosystems are shown to be secure under well-defined assumptions. Further, they enjoy a number of useful features including fast decryption, optimal ciphertext expansion, and a homomorphic property. We believe that our proposal is the most natural yet efficient generalization of the Goldwasser–Micali cryptosystem. It keeps the nice attributes and properties of the original scheme while improving the overall performance.

When applied to the Peikert–Waters framework for building lossy trapdoor functions, it yields a practical construction based on quadratic-residuosity-related and \({\mathsf {DDH}}\) assumptions, with a companion deterministic encryption scheme and \({\mathsf {CCA}}\)-secure cryptosystem.