TheGoldwasser–Micali (GM) cryptosystem is anasymmetric key encryption algorithm developed byShafi Goldwasser andSilvio Micali in 1982. GM has the distinction of being the firstprobabilistic public-key encryption scheme which isprovably secure under standard cryptographic assumptions. However, it is not an efficient cryptosystem, as ciphertexts may be several hundred times larger than the initial plaintext. To prove the security properties of the cryptosystem, Goldwasser and Micali proposed the widely used definition ofsemantic security.

The GM cryptosystem issemantically secure based on the assumed intractability of thequadratic residuosity problem modulo a compositeN =pq wherep, q are largeprimes. This assumption states that given (x,N) it is difficult to determine whetherx is a quadratic residue moduloN (i.e.,x =y² modN for somey), when theJacobi symbol forx is +1. The quadratic residue problem is easily solved given the factorization ofN, while new quadratic residues may be generated by any party, even without knowledge of this factorization. The GM cryptosystem leverages this asymmetry by encrypting individual plaintext bits as either random quadratic residues or non-residues moduloN, all with quadratic residue symbol +1. Recipients use the factorization ofN as asecret key, and decrypt the message by testing the quadratic residuosity of the received ciphertext values.

Because Goldwasser–Micali produces a value of size approximately |N| to encrypt every single bit of a plaintext, GM encryption results in substantialciphertext expansion. To preventfactorization attacks, it is recommended that |N| be several hundred bits or more. Thus, the scheme serves mainly as a proof of concept, and more efficient provably-secure schemes such asElGamal have been developed since.

Because encryption is performed using a probabilistic algorithm, a given plaintext may produce very different ciphertexts each time it is encrypted. This has significant advantages, as it prevents an adversary from recognizing intercepted messages by comparing them to a dictionary of known ciphertexts.

Goldwasser–Micali consists of three algorithms: a probabilistic key generation algorithm which produces a public and a private key, a probabilistic encryption algorithm, and a deterministic decryption algorithm.

The scheme relies on deciding whether a given valuex is a square modN, given the factorization (p,q) ofN. This can be accomplished using the following procedure:

1. Computex_p =x modp,x_q =x modq.
2. If${\displaystyle x_p^{(p-1)/2}\equiv 1(\mathrm{mod}p)}$ and${\displaystyle x_q^{(q-1)/2}\equiv 1(\mathrm{mod}q)}$, thenx is a quadratic residue mod N.

The modulus used in GM encryption is generated in the same manner as in theRSA cryptosystem. (SeeRSA, key generation for details.)

1. Alice generates two distinct largeprime numbersp andq, randomly and independently of each other.
2. Alice computesN =p q.
3. She then finds some non-residuex such that theLegendre symbols satisfy${\displaystyle \left(\frac{x}{p}\right)=\left(\frac{x}{q}\right)=-1}$ and hence theJacobi symbol${\displaystyle \left(\frac{x}{N}\right)}$ is +1. The valuex can for example be found by selecting random values and testing the two Legendre symbols. Ifp,q = 3 mod 4 (i.e.,N is aBlum integer), then the valueN − 1 is guaranteed to have the required property.

Thepublic key consists of (x, N). The secret key is the factorization (p, q).

Suppose Bob wishes to send a messagem to Alice:

1. Bob first encodesm as a string of bits (m₁, ...,m_n).
2. For every bit${\displaystyle m_i}$, Bob generates a random value${\displaystyle y_i}$ from the group of units modulo N, or${\displaystyle gcd(y_i,N)=1}$. He outputs the value${\displaystyle c_i=y_i^2{x}^{m_i}(\mathrm{mod}N)}$.

Bob sends the ciphertext (c₁, ...,c_n).

Alice receives (c₁, ...,c_n). She can recoverm using the following procedure:

1. For eachi, using the prime factorization (p,q), Alice determines whether the valuec_i is a quadratic residue; if so,m_i = 0, otherwisem_i = 1.

Alice outputs the messagem = (m₁, ...,m_n).

There is a simplereduction from breaking this cryptosystem to the problem of determining whether a random value moduloN with Jacobi symbol+1 is a quadratic residue. If an algorithmA breaks the cryptosystem,then to determine if a given valuex is a quadratic residue moduloN, we testA to see if it can break the cryptosystem using (x,N) as a public key. Ifx is a non-residue, thenA should work properly. However, ifx is a residue, then every "ciphertext" will simply be a random quadratic residue, soA cannot be correct more than half of the time. Furthermore, this problem israndom self-reducible, which ensures that for a givenN, every public key is just as secure as every other public key.

The GM cryptosystem hashomomorphic properties, in the sense that ifc₀,c₁ are the encryptions of bitsm₀,m₁, thenc₀c₁ mod N will be an encryption of${\displaystyle m_0\oplus m_1}$. For this reason, the GM cryptosystem is sometimes used in more complex cryptographic primitives.

• S. Goldwasser, S. Micali (1982). "Probabilistic encryption & how to play mental poker keeping secret all partial information".Proceedings of the fourteenth annual ACM symposium on Theory of computing - STOC '82. pp. 365–377.doi:10.1145/800070.802212.ISBN 0897910702.S2CID 10316867.
• S. Goldwasser, S. Micali (1984)."Probabilistic encryption".Journal of Computer and System Sciences.28 (2):270–299.doi:10.1016/0022-0000(84)90070-9.

• Blum–Goldwasser cryptosystem

• Public-key encryption schemes

• Articles with short description
• Short description matches Wikidata