
GM is a cryptosystem with a modulus $N = pq$ ($p$, $q$ prime) and quadratic nonresidue $r \in (\Bbb Z / N\Bbb Z)^*$ as the public key. You can see the details on Wikipedia.

Anyway, let's say that $N < 2^{1024}$. Then the ciphertext can be represented as a $1024$-bit string regardless of $N$. In which case, you can take a ciphertext $c$ (which is the encryption of a single bit), and then multiply $c$ by a random $z^2 \pmod{2^{1024}}$, and get an equivalent ciphertext. An adversary should, as far as I can tell, be unable to decide whether this decrypts to the same plainbit as $c$. And you don't need to know the public key $(N,r)$ to do this operation.

Is there any literature on this property?

wlad

1 Answer

This property is a consequence of the homomorphic property of GM (plus the fact you don't need to know $r$ to encrypt a 0).

In GM, given $Encrypt(A)$ and $Encrypt(B)$, you can compute $Encrypt(A \oplus B)$. This is what the above observation is doing; generating a random encryption of 0, and then computing $Encrypt( A \oplus 0 )$ (which, of course, stands for the same plaintext as did the original $Encrypt(A)$). Because someone without the private key couldn't tell that your random $Encrypt(0)$ held a 0 or not, they also can't tell whether your new ciphertext has the same plaintext as the old.

You can do the same with Paillier; you can encrypt a 0, and then compute $Encrypt(A + 0)$; again, no one without the private key can tell whether the new ciphertext conceals the same value as the old.

poncho
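As an added, runnable illustration of both the question and the answer (this is not code from either post, and not a real library), here is a toy Goldwasser-Micali and Paillier implementation with constructed parameters $p = 7$, $q = 11$, $N = 77$ and GM non-residue $r = 6$. Re-randomization is done by multiplying with a fresh encryption of 0: in GM that is $z^2$, which needs only $N$ and a random $z$, not $r$; in Paillier it is $y^N \bmod N^2$. The product is reduced modulo $N$, which the re-randomizer therefore needs to know; the block also includes a check, `gm_wrong_modulus_example()`, showing that reducing modulo a power of two instead (treating the ciphertext as a fixed-width bit string with no knowledge of $N$) can change the decrypted bit, because the decryptor's Legendre test is defined modulo $p$ and is not preserved by reduction modulo $2^k$. The exhaustive check `gm_rerandomization_preserves_bit()` goes beyond the single instance in the text and confirms the property for every choice of randomness and blinding value with this toy modulus.

```python
import math
import random

# Constructed toy parameters; far too small for any real use.
P, Q = 7, 11
N = P * Q                      # modulus shared by the GM and Paillier toys below
R = 6                          # GM public key element: a quadratic non-residue mod p and mod q
UNITS = [u for u in range(1, N) if math.gcd(u, N) == 1]   # every valid randomness value


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p: 1 for a non-zero square, -1 for a non-square, 0 if p | a."""
    s = pow(a % p, (p - 1) // 2, p)
    return -1 if s == p - 1 else s


# ---- Goldwasser-Micali ------------------------------------------------------

def gm_encrypt(bit, y):
    """Encrypt one bit with randomness y coprime to N: c = y^2 * r^bit mod N."""
    assert bit in (0, 1) and math.gcd(y, N) == 1
    return (y * y * pow(R, bit, N)) % N


def gm_decrypt(c):
    """Private-key decryption: the bit is 0 iff c is a quadratic residue modulo p."""
    return 0 if legendre(c, P) == 1 else 1


def gm_xor(c1, c2):
    """Homomorphic XOR: the product of two ciphertexts encrypts the XOR of the two bits."""
    return (c1 * c2) % N


def gm_rerandomize(c, z, modulus=N):
    """Multiply c by z^2, a fresh encryption of 0 that needs neither r nor the private key.

    modulus defaults to N; the keyword exists only so gm_wrong_modulus_example()
    can show the effect of reducing modulo something other than N."""
    return (c * z * z) % modulus


def gm_rerandomization_preserves_bit():
    """Exhaustive check: for every bit, randomness y and blinding z, the bit survives."""
    return all(gm_decrypt(gm_rerandomize(gm_encrypt(b, y), z)) == b
               for b in (0, 1) for y in UNITS for z in UNITS)


def gm_wrong_modulus_example():
    """Re-randomize an encryption of 0 (y = 1, z = 13), reducing mod N versus mod 2^7 = 128 > N.

    Returns the two decrypted bits. The mod-128 product is 169 mod 128 = 41, which is
    a non-residue mod 7 and so decrypts to 1, although the original ciphertext encrypts 0."""
    c = gm_encrypt(0, 1)
    return gm_decrypt(gm_rerandomize(c, 13, N)), gm_decrypt(gm_rerandomize(c, 13, 128))


# ---- Paillier ---------------------------------------------------------------

LAMBDA = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # lcm(p-1, q-1)
G = N + 1
N2 = N * N


def _L(u):
    return (u - 1) // N


MU = pow(_L(pow(G, LAMBDA, N2)), -1, N)   # modular inverse (Python 3.8+)


def paillier_encrypt(m, y):
    """Encrypt 0 <= m < N with randomness y coprime to N: c = g^m * y^N mod N^2."""
    assert 0 <= m < N and math.gcd(y, N) == 1
    return (pow(G, m, N2) * pow(y, N, N2)) % N2


def paillier_decrypt(c):
    return (_L(pow(c, LAMBDA, N2)) * MU) % N


def paillier_add(c1, c2):
    """Homomorphic addition mod N: the product of two ciphertexts encrypts the sum."""
    return (c1 * c2) % N2


def paillier_rerandomize(c, y):
    """Multiply by an encryption of 0, i.e. by y^N mod N^2: same plaintext, fresh ciphertext."""
    return paillier_add(c, paillier_encrypt(0, y))


if __name__ == "__main__":
    rng = random.Random(1)                      # fixed seed so the demo is reproducible
    c = gm_encrypt(1, rng.choice(UNITS))
    c2 = gm_rerandomize(c, rng.choice(UNITS))
    print("GM bit:", gm_decrypt(c), "->", gm_decrypt(c2), "ciphertexts:", c, c2)
    print("GM exhaustive re-randomization check:", gm_rerandomization_preserves_bit())
    print("GM decryptions, reduced mod N vs mod 128:", gm_wrong_modulus_example())
    pc = paillier_encrypt(42, 5)
    print("Paillier 42 re-randomized:", paillier_decrypt(paillier_rerandomize(pc, 9)))
```

The GM check is exact rather than statistical: $(cz^2 / p) = (c/p)(z/p)^2 = (c/p)$ whenever $\gcd(z, p) = 1$, so multiplying by $z^2 \bmod N$ can never change the Legendre symbol the decryptor tests. The `modulus=128` variant breaks that argument because $cz^2 \bmod 128$ differs from $cz^2$ by a multiple of 128, which is not a multiple of $p$.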