J u m p t o c o n t e n t
M a i n m e n u
M a i n m e n u
N a v i g a t i o n
● M a i n p a g e
● C o n t e n t s
● C u r r e n t e v e n t s
● R a n d o m a r t i c l e
● A b o u t W i k i p e d i a
● C o n t a c t u s
● D o n a t e
C o n t r i b u t e
● H e l p
● L e a r n t o e d i t
● C o m m u n i t y p o r t a l
● R e c e n t c h a n g e s
● U p l o a d f i l e
S e a r c h
Search
A p p e a r a n c e
● C r e a t e a c c o u n t
● L o g i n
P e r s o n a l t o o l s
● C r e a t e a c c o u n t
● L o g i n
P a g e s f o r l o g g e d o u t e d i t o r s l e a r n m o r e
● C o n t r i b u t i o n s
● T a l k
( T o p )
1
B a c k g r o u n d
2
O p e r a t i o n
T o g g l e O p e r a t i o n s u b s e c t i o n
2 . 1
K e y g e n e r a t i o n
2 . 2
E n c r y p t i o n
2 . 3
D e c r y p t i o n
3
E x a m p l e
4
P r o o f o f c o r r e c t n e s s
5
S e c u r i t y
6
R e f e r e n c e s
T o g g l e t h e t a b l e o f c o n t e n t s
O k a m o t o – U c h i y a m a c r y p t o s y s t e m
4 l a n g u a g e s
● D e u t s c h
● ע ב ר י ת
● Р у с с к и й
● T ü r k ç e
E d i t l i n k s
● A r t i c l e
● T a l k
E n g l i s h
● R e a d
● E d i t
● V i e w h i s t o r y
T o o l s
T o o l s
A c t i o n s
● R e a d
● E d i t
● V i e w h i s t o r y
G e n e r a l
● W h a t l i n k s h e r e
● R e l a t e d c h a n g e s
● U p l o a d f i l e
● S p e c i a l p a g e s
● P e r m a n e n t l i n k
● P a g e i n f o r m a t i o n
● C i t e t h i s p a g e
● G e t s h o r t e n e d U R L
● D o w n l o a d Q R c o d e
● W i k i d a t a i t e m
P r i n t / e x p o r t
● D o w n l o a d a s P D F
● P r i n t a b l e v e r s i o n
A p p e a r a n c e
F r o m W i k i p e d i a , t h e f r e e e n c y c l o p e d i a
Let
p
{\displaystyle p}
be an odd prime. Define
Γ
=
{
x
∈
(
Z
/
p
2
Z
)
∗
|
x
≡
1
mod
p
}
{\displaystyle \Gamma =\{x\in (\mathbb {Z} /p^{2}\mathbb {Z} )^{*}|x\equiv 1{\bmod {p}}\}}
.
Γ
{\displaystyle \Gamma }
is a subgroup of
(
Z
/
p
2
Z
)
∗
{\displaystyle (\mathbb {Z} /p^{2}\mathbb {Z} )^{*}}
with
|
Γ
|
=
p
{\displaystyle |\Gamma |=p}
(the elements of
Γ
{\displaystyle \Gamma }
are
1
,
1
+
p
,
1
+
2
p
…
1
+
(
p
−
1
)
p
{\displaystyle 1,1+p,1+2p\dots 1+(p-1)p}
).
Define
L
:
Γ
→
Z
/
p
Z
{\displaystyle L:\Gamma \to \mathbb {Z} /p\mathbb {Z} }
by
L
(
x
)
=
x
−
1
p
{\displaystyle L(x )={\frac {x-1}{p}}}
L
{\displaystyle L}
is a homomorphism between
Γ
{\displaystyle \Gamma }
and the additive group
Z
/
p
Z
{\displaystyle \mathbb {Z} /p\mathbb {Z} }
: that is,
L
(
a
b
)
=
L
(
a
)
+
L
(
b
)
mod
p
{\displaystyle L(ab )=L(a )+L(b ){\bmod {p}}}
. Since
L
{\displaystyle L}
is bijective, it is an isomorphism.
One can now show the following as a corollary:
Let
x
∈
Γ
{\displaystyle x\in \Gamma }
such that
L
(
x
)
≠
0
mod
p
{\displaystyle L(x )\neq 0{\bmod {p}}}
and
y
=
x
m
mod
p
2
{\displaystyle y=x^{m}{\bmod {p}}^{2}}
for
0
≤
m
<
p
{\displaystyle 0\leq m<p}
. Then
m
=
L
(
y
)
L
(
x
)
=
y
−
1
x
−
1
mod
p
{\displaystyle m={\frac {L(y )}{L(x )}}={\frac {y-1}{x-1}}{\bmod {p}}}
The corollary is a direct consequence of
L
(
x
m
)
=
m
⋅
L
(
x
)
{\displaystyle L(x^{m})=m\cdot L(x )}
.
Operation [ edit ]
Like many public key cryptosystems , this scheme works in the group
(
Z
/
n
Z
)
∗
{\displaystyle (\mathbb {Z} /n\mathbb {Z} )^{*}}
. This scheme is homomorphic and hence malleable .
Key generation [ edit ]
A public/private key pair is generated as follows:
Generate two large primes
p
{\displaystyle p}
and
q
{\displaystyle q}
.
Compute
n
=
p
2
q
{\displaystyle n=p^{2}q}
.
Choose a random integer
g
∈
{
2
…
n
−
1
}
{\displaystyle g\in \{2\dots n-1\}}
such that
g
p
−
1
≢
1
mod
p
2
{\displaystyle g^{p-1}\not \equiv 1\mod p^{2}}
.
Compute
h
=
g
n
mod
n
{\displaystyle h=g^{n}{\bmod {n}}}
.
The public key is then
(
n
,
g
,
h
)
{\displaystyle (n,g,h)}
and the private key is
(
p
,
q
)
{\displaystyle (p,q)}
.
Encryption [ edit ]
A message
m
<
p
{\displaystyle m<p}
can be encrypted with the public key
(
n
,
g
,
h
)
{\displaystyle (n,g,h)}
as follows.
Choose a random integer
r
∈
{
1
…
n
−
1
}
{\displaystyle r\in \{1\dots n-1\}}
.
Compute
c
=
g
m
h
r
mod
n
{\displaystyle c=g^{m}h^{r}{\bmod {n}}}
.
The value
c
{\displaystyle c}
is the encryption of
m
{\displaystyle m}
.
Decryption [ edit ]
An encrypted message
c
{\displaystyle c}
can be decrypted with the private key
(
p
,
q
)
{\displaystyle (p,q)}
as follows.
Compute
a
=
L
(
c
p
−
1
mod
p
2
)
{\displaystyle a=L(c^{p-1}{\bmod {p^{2}}})}
.
Compute
b
=
L
(
g
p
−
1
mod
p
2
)
{\displaystyle b=L(g^{p-1}{\bmod {p^{2}}})}
.
a
{\displaystyle a}
and
b
{\displaystyle b}
will be integers.
Using the Extended Euclidean Algorithm , compute the inverse of
b
{\displaystyle b}
modulo
p
{\displaystyle p}
:
b
′
=
b
−
1
mod
p
{\displaystyle b'=b^{-1}{\bmod {p}}}
.
Compute
m
=
a
b
′
mod
p
{\displaystyle m=ab'{\bmod {p}}}
.
The value
m
{\displaystyle m}
is the decryption of
c
{\displaystyle c}
.
Example [ edit ]
Let
p
=
3
{\displaystyle p=3}
and
q
=
5
{\displaystyle q=5}
. Then
n
=
3
2
⋅
5
=
45
{\displaystyle n=3^{2}\cdot 5=45}
. Select
g
=
22
{\displaystyle g=22}
. Then
h
=
22
45
mod
4
5
=
37
{\displaystyle h=22^{45}{\bmod {4}}5=37}
.
Now to encrypt a message
m
=
2
{\displaystyle m=2}
, we pick a random
r
=
13
{\displaystyle r=13}
and compute
c
=
g
m
h
r
mod
n
=
22
2
37
13
mod
4
5
=
43
{\displaystyle c=g^{m}h^{r}{\bmod {n}}=22^{2}37^{13}{\bmod {4}}5=43}
.
To decrypt the message 43, we compute
a
=
(
43
2
mod
3
2
)
−
1
3
=
1
{\displaystyle a={\frac {(43^{2}{\bmod {3}}^{2})-1}{3}}=1}
.
b
=
(
22
2
mod
3
2
)
−
1
3
=
2
{\displaystyle b={\frac {(22^{2}{\bmod {3}}^{2})-1}{3}}=2}
.
b
′
=
2
−
1
mod
3
=
2
{\displaystyle b'=2^{-1}{\bmod {3}}=2}
.
And finally
m
=
a
b
′
=
2
{\displaystyle m=ab'=2}
.
Proof of correctness [ edit ]
We wish to prove that the value computed in the last decryption step,
a
b
′
mod
p
{\displaystyle ab'{\bmod {p}}}
, is equal to the original message
m
{\displaystyle m}
. We have
(
g
m
h
r
)
p
−
1
≡
(
g
m
g
n
r
)
p
−
1
≡
(
g
p
−
1
)
m
g
p
(
p
−
1
)
r
p
q
≡
(
g
p
−
1
)
m
mod
p
2
{\displaystyle (g^{m}h^{r})^{p-1}\equiv (g^{m}g^{nr})^{p-1}\equiv (g^{p-1})^{m}g^{p(p-1)rpq}\equiv (g^{p-1})^{m}\mod p^{2}}
So to recover
m
{\displaystyle m}
we need to take the discrete logarithm with base
g
p
−
1
{\displaystyle g^{p-1}}
. This can be done by applying
L
{\displaystyle L}
, as follows.
By Fermat's little theorem ,
g
p
−
1
≡
1
mod
p
{\displaystyle g^{p-1}\equiv 1{\bmod {p}}}
. Since
g
p
−
1
≢
1
mod
p
2
{\displaystyle g^{p-1}\not \equiv 1{\bmod {p}}^{2}}
one can write
g
p
−
1
=
1
+
p
r
{\displaystyle g^{p-1}=1+pr}
with
0
<
r
<
p
{\displaystyle 0<r<p}
. Then
L
(
g
p
−
1
)
≢
0
mod
p
{\displaystyle L(g^{p-1})\not \equiv 0{\bmod {p}}}
and the corollary from earlier applies:
m
=
L
(
(
g
p
−
1
)
m
)
L
(
g
p
−
1
)
mod
p
{\displaystyle m={\frac {L((g^{p-1})^{m})}{L(g^{p-1})}}{\bmod {p}}}
.
Security [ edit ]
Inverting the encryption function can be shown to be as hard as factoring n , meaning that if an adversary could recover the entire message from the encryption of the message they would be able to factor n . The semantic security (meaning adversaries cannot recover any information about the message from the encryption) rests on the p -subgroup assumption, which assumes that it is difficult to determine whether an element x in
(
Z
/
n
Z
)
∗
{\displaystyle (\mathbb {Z} /n\mathbb {Z} )^{*}}
is in the subgroup of order p . This is very similar to the quadratic residuosity problem and the higher residuosity problem .
References [ edit ]
t
e
Algorithms
Theory
Standardization
Topics
R e t r i e v e d f r o m " https://en.wikipedia.org/w/index.php?title=Okamoto–Uchiyama_cryptosystem&oldid=1182469695 "
C a t e g o r y :
● P u b l i c - k e y e n c r y p t i o n s c h e m e s
● T h i s p a g e w a s l a s t e d i t e d o n 2 9 O c t o b e r 2 0 2 3 , a t 1 4 : 5 6 ( U T C ) .
● T e x t i s a v a i l a b l e u n d e r t h e C r e a t i v e C o m m o n s A t t r i b u t i o n - S h a r e A l i k e L i c e n s e 4 . 0 ;
a d d i t i o n a l t e r m s m a y a p p l y . B y u s i n g t h i s s i t e , y o u a g r e e t o t h e T e r m s o f U s e a n d P r i v a c y P o l i c y . W i k i p e d i a ® i s a r e g i s t e r e d t r a d e m a r k o f t h e W i k i m e d i a F o u n d a t i o n , I n c . , a n o n - p r o f i t o r g a n i z a t i o n .
● P r i v a c y p o l i c y
● A b o u t W i k i p e d i a
● D i s c l a i m e r s
● C o n t a c t W i k i p e d i a
● C o d e o f C o n d u c t
● D e v e l o p e r s
● S t a t i s t i c s
● C o o k i e s t a t e m e n t
● M o b i l e v i e w