Journal of Cryptology, Volume 30, Issue 2, pp 519–549

Efficient Cryptosystems From \(2^k\)-th Power Residue Symbols

  • Fabrice Benhamouda
  • Javier Herranz
  • Marc Joye
  • Benoît Libert


Goldwasser and Micali (J Comput Syst Sci 28(2):270–299, 1984) highlighted the importance of randomizing the plaintext for public-key encryption and introduced the notion of semantic security. They also realized a cryptosystem meeting this security notion under the standard complexity assumption of deciding quadratic residuosity modulo a composite number. The Goldwasser–Micali cryptosystem is simple and elegant but is quite wasteful in bandwidth when encrypting large messages. A number of works followed to address this issue and proposed various modifications. This paper revisits the original Goldwasser–Micali cryptosystem using \(2^k\)-th power residue symbols. The so-obtained cryptosystems appear as a very natural generalization for \(k \ge 2\) (the case \(k=1\) corresponds exactly to the Goldwasser–Micali cryptosystem). Advantageously, they are efficient in both bandwidth and speed; in particular, they allow for fast decryption. Further, the cryptosystems described in this paper inherit the useful features of the original cryptosystem (like its homomorphic property) and are shown to be secure under a similar complexity assumption. As a prominent application, this paper describes an efficient lossy trapdoor function based thereon.
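The \(2^k\)-th power residue generalization the abstract describes, as an added Python example (my own toy implementation, not code from the paper): small constructed primes, an assumed key shape \(p \equiv 1 \pmod{2^k}\), \(q \equiv 3 \pmod 4\) with \(y\) a non-residue modulo both primes, \(k\)-bit messages per ciphertext, the \(k = 1\) instance coinciding with Goldwasser–Micali, and the additive homomorphism modulo \(2^k\). Decryption recovers \(m\) bit by bit from the \(2^k\)-th power residue symbol of \(c\) modulo \(p\); the parameters are toy-sized for illustration only.

```python
import secrets
from math import gcd
def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p: returns 1, -1 or 0."""
    s = pow(a, (p - 1) // 2, p)
    return -1 if s == p - 1 else s

def keygen(p, q, k):
    """Assumed key shape: p = 1 mod 2^k, q = 3 mod 4, y a non-residue mod p and q."""
    assert p % 2**k == 1 and q % 4 == 3
    y = 2                       # smallest y with Jacobi(y, N) = 1 but y not a square
    while not (legendre(y, p) == -1 and legendre(y, q) == -1):
        y += 1
    return (p * q, y, k), (p, y, k)   # (public key, secret key)

def encrypt(pk, m):
    """c = y^m * x^(2^k) mod N for a k-bit message m and a random x coprime to N."""
    n, y, k = pk
    assert 0 <= m < 2**k
    x = secrets.randbelow(n - 2) + 2
    while gcd(x, n) != 1:
        x = secrets.randbelow(n - 2) + 2
    return pow(y, m, n) * pow(x, 2**k, n) % n

def decrypt(sk, c):
    """D = y^((p-1)/2^k) mod p is a primitive 2^k-th root of unity and the 2^k-th
    power residue symbol of c is C = D^m, so m is log_D(C) in a group of order 2^k."""
    p, y, k = sk
    e = (p - 1) // 2**k
    D, C = pow(y, e, p), pow(c, e, p)
    m, B = 0, 1
    for j in range(1, k + 1):   # recover m one bit at a time, low bit first
        z = pow(C, 2**(k - j), p)
        t = pow(D, m * 2**(k - j), p)
        if z != t:
            m += B
        B *= 2
    return m

def roundtrip_ok(pk, sk):
    """All 2^k messages decrypt correctly (k = 1 is exactly Goldwasser-Micali)."""
    return all(decrypt(sk, encrypt(pk, m)) == m for m in range(2**pk[2]))

def homomorphic_ok(pk, sk, m1, m2):
    """Multiplying two ciphertexts adds the plaintexts modulo 2^k."""
    n, _, k = pk
    c = encrypt(pk, m1) * encrypt(pk, m2) % n
    return decrypt(sk, c) == (m1 + m2) % 2**k

PK, SK = keygen(97, 103, 4)   # constructed toy primes: 97 = 1 mod 32, 103 = 3 mod 4
```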


Keywords: Public-key encryption; Quadratic residuosity; Goldwasser–Micali cryptosystem; Homomorphic encryption; Standard model



The authors are thankful to an anonymous referee for useful comments. The third author is also thankful to Antoine Joux for comments on an earlier version of this work. The work of the second author was partially supported by project MTM 2013-41426-R of Spanish Ministry MINECO. Part of the fourth author’s work was supported by ERC Starting Grant ERC-2013-StG-335086-LATTAC and the “Programme Avenir Lyon Saint-Etienne de l’Université de Lyon” in the framework of “Investissements d’Avenir” (ANR-11-IDEX-0007).


  1. M. Abdalla, F. Ben Hamouda, and D. Pointcheval. Tighter reductions for forward-secure signature schemes. In PKC 2013, LNCS 7778, pp. 292–311. Springer, February/March 2013.
  2. M. Bellare, Z. Brakerski, M. Naor, T. Ristenpart, G. Segev, H. Shacham, and S. Yilek. Hedged public-key encryption: How to protect against bad randomness. In ASIACRYPT 2009, LNCS 5912, pp. 232–249. Springer, December 2009.
  3. M. Bellare, A. Boldyreva, and A. O’Neill. Deterministic and efficiently searchable encryption. In CRYPTO 2007, LNCS 4622, pp. 535–552. Springer, August 2007.
  4. L. Blum, M. Blum, and M. Shub. Comparison of two pseudo-random number generators. In CRYPTO’82, pp. 61–78. Plenum Press, New York, USA, 1982.
  5. L. Blum, M. Blum, and M. Shub. A simple unpredictable pseudo-random number generator. SIAM J. Comput., 15(2):363–383, 1986.
  6. J. D. C. Benaloh. Verifiable Secret-Ballot Elections. PhD thesis, Yale University, New Haven, CT, USA, 1987.
  7. A. Boldyreva, S. Fehr, and A. O’Neill. On notions of security for deterministic encryption, and efficient constructions without random oracles. In CRYPTO 2008, LNCS 5157, pp. 335–359. Springer, August 2008.
  8. M. Blum and S. Goldwasser. An efficient probabilistic public-key encryption scheme which hides all partial information. In CRYPTO’84, LNCS 196, pp. 289–302. Springer, August 1984.
  9. M. Bellare, D. Hofheinz, and S. Yilek. Possibility and impossibility results for encryption and commitment secure under selective opening. In EUROCRYPT 2009, LNCS 5479, pp. 1–35. Springer, April 2009.
  10. Z. Brakerski and G. Segev. Better security for deterministic public-key encryption: The auxiliary-input setting. In CRYPTO 2011, LNCS 6841, pp. 543–560. Springer, August 2011.
  11. J. D. Cohen and M. J. Fischer. A robust and verifiable cryptographically secure election scheme (extended abstract). In 26th FOCS, pp. 372–382. IEEE Computer Society Press, October 1985.
  12. D. Catalano, R. Gennaro, N. Howgrave-Graham, and P. Q. Nguyen. Paillier’s cryptosystem revisited. In ACM CCS 01, pp. 206–214. ACM Press, November 2001.
  13. D. Coppersmith. Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptology, 10(4):233–260, 1997.
  14. I. Damgård, M. Jurik, and J. B. Nielsen. A generalization of Paillier’s public-key system with applications to electronic voting. Int. J. Inf. Sec., 9(6):371–385, 2010.
  15. C. Dwork, M. Naor, O. Reingold, and L. Stockmeyer. Magic functions. J. ACM, 50(6):852–921, 2003.
  16. Y. Dodis, L. Reyzin, and A. Smith. Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. In EUROCRYPT 2004, LNCS 3027, pp. 523–540. Springer, May 2004.
  17. ECRYPT II. Yearly report on algorithms and keysizes, 2012.
  18. D. M. Freeman, O. Goldreich, E. Kiltz, A. Rosen, and G. Segev. More constructions of lossy and correlation-secure trapdoor functions. In PKC 2010, LNCS 6056, pp. 279–295. Springer, May 2010.
  19. D. M. Freeman, O. Goldreich, E. Kiltz, A. Rosen, and G. Segev. More constructions of lossy and correlation-secure trapdoor functions. J. Cryptology, 26(1):39–74, January 2013.
  20. S. Goldwasser and S. Micali. Probabilistic encryption. J. Comput. Syst. Sci., 28(2):270–299, 1984.
  21. O. Goldreich. Foundations of Cryptography. Cambridge University Press, 2004.
  22. J. Groth. Cryptography in subgroups of \(\mathbb{Z}_n\). In TCC 2005, LNCS 3378, pp. 50–65. Springer, February 2005.
  23. J. A. Horwitz. Applications of Cayley Graphs, Bilinearity, and Higher-Order Residues to Cryptology. PhD thesis, Stanford University, Stanford, CA, USA, 2004.
  24. D. Hofheinz, E. Kiltz, and V. Shoup. Practical chosen ciphertext secure encryption from factoring. J. Cryptology, 26(1):102–118, January 2013.
  25. B. Hemenway and R. Ostrovsky. Extended-DDH and lossy trapdoor functions. In PKC 2012, LNCS 7293, pp. 627–643. Springer, May 2012.
  26. K. Ireland and M. Rosen. A Classical Introduction to Modern Number Theory, Graduate Texts in Mathematics 84. Springer, 2nd edition, 1990.
  27. ISO/IEC 18033-2. Information technology – Security techniques – Encryption algorithms – Part 2: Asymmetric ciphers. International Organization for Standardization, May 2006.
  28. M. Joye and P. Paillier. Fast generation of prime numbers on portable devices: An update. In CHES 2006, LNCS 4249, pp. 160–173. Springer, October 2006.
  29. M. Joye, P. Paillier, and S. Vaudenay. Efficient generation of prime numbers. In CHES 2000, LNCS 1965, pp. 340–354. Springer, August 2000.
  30. K. Kurosawa, Y. Katayama, W. Ogata, and S. Tsujii. General public key residue cryptosystems and mental poker protocols. In EUROCRYPT’90, LNCS 473, pp. 374–388. Springer, May 1990.
  31. J. Katz and Y. Lindell. Introduction to Modern Cryptography. CRC Press, 2007.
  32. E. Kiltz, A. O’Neill, and A. Smith. Instantiability of RSA-OAEP under chosen-plaintext attack. In CRYPTO 2010, LNCS 6223, pp. 295–313. Springer, August 2010.
  33. E. Kiltz, K. Pietrzak, M. Stam, and M. Yung. A new randomness extraction paradigm for hybrid encryption. In EUROCRYPT 2009, LNCS 5479, pp. 590–609. Springer, April 2009.
  34. F. Lemmermeyer. Reciprocity Laws. Springer Monographs in Mathematics. Springer, 2000.
  35. J. Monnerat and S. Vaudenay. Generic homomorphic undeniable signatures. In ASIACRYPT 2004, LNCS 3329, pp. 354–371. Springer, December 2004.
  36. J. Monnerat and S. Vaudenay. Undeniable signatures based on characters: How to sign with one bit. In PKC 2004, LNCS 2947, pp. 69–85. Springer, March 2004.
  37. P. Mol and S. Yilek. Chosen-ciphertext security from slightly lossy trapdoor functions. In PKC 2010, LNCS 6056, pp. 296–311. Springer, May 2010.
  38. P. Q. Nguyen. Public-key cryptanalysis. In Recent Trends in Cryptography, Contemporary Mathematics. AMS–RSME, 2009.
  39. D. Naccache and J. Stern. A new public key cryptosystem based on higher residues. In ACM CCS 98, pp. 59–66. ACM Press, November 1998.
  40. T. Okamoto and D. Pointcheval. The gap-problems: A new class of problems for the security of cryptographic schemes. In PKC 2001, LNCS 1992, pp. 104–118. Springer, February 2001.
  41. T. Okamoto and S. Uchiyama. A new public-key cryptosystem as secure as factoring. In EUROCRYPT’98, LNCS 1403, pp. 308–318. Springer, May/June 1998.
  42. P. Paillier. Public-key cryptosystems based on composite degree residuosity classes. In EUROCRYPT’99, LNCS 1592, pp. 223–238. Springer, May 1999.
  43. S. H. Pohlig and M. E. Hellman. An improved algorithm for computing logarithms over \(\mathrm{GF}(p)\) and its cryptographic significance. IEEE Trans. Inf. Theory, 24(1):106–110, 1978.
  44. S. J. Park, B. Y. Lee, and D. H. Won. A probabilistic encryption using very high residuosity and its applications. In Global Telecommunications Conference (GLOBECOM ’95), pp. 1179–1182. IEEE Press, 1995.
  45. C. Peikert and B. Waters. Lossy trapdoor functions and their applications. In 40th ACM STOC, pp. 187–196. ACM Press, May 2008.
  46. O. Regev. On lattices, learning with errors, random linear codes, and cryptography. J. ACM, 56(6), 2009. Earlier version in STOC 2005.
  47. R. Scheidler. A public-key cryptosystem using purely cubic fields. J. Cryptology, 11(2):109–124, 1998.
  48. V. Shoup. A Computational Introduction to Number Theory and Algebra. Cambridge University Press, 2nd edition, 2010.
  49. R. Scheidler and H. C. Williams. A public-key cryptosystem utilizing cyclotomic fields. Des. Codes Cryptography, 6(2):117–131, 1995.
  50. H. Wee. Dual projective hashing and its applications: lossy trapdoor functions and more. In EUROCRYPT 2012, LNCS 7237, pp. 246–262. Springer, April 2012.
  51. S. Y. Yan. Number Theory for Computing. Springer, 2nd edition, 2002.
  52. Y. Zheng, T. Matsumoto, and H. Imai. Residuosity problem and its applications to cryptography. Trans. IEICE, E-71(8):759–767, 1988.

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  • Fabrice Benhamouda (1)
  • Javier Herranz (2)
  • Marc Joye (3)
  • Benoît Libert (4)

  1. ENS Paris, CNRS, INRIA, and PSL, Paris Cedex 05, France
  2. Universitat Politècnica de Catalunya, Dept. Matemàtiques, Barcelona, Spain
  3. Technicolor, Los Altos, USA
  4. ENS Lyon, Laboratoire d’Informatique du Parallélisme, Lyon Cedex 07, France
