The Case of Small Prime Numbers Versus the Joye-Libert Cryptosystem

Abstract. In this paper we study the effect of using small prime numbers within the Joye-Libert public key encryption scheme. We introduce two novel versions and prove their security. We further show how to choose the system's parameters such that the security results hold. Moreover, we provide a practical comparison between the cryptographic algorithms we introduced and the original Joye-Libert


Introduction
The Joye-Libert cryptosystem was introduced in [7,20] as a generalisation of the Goldwasser-Micali public key encryption scheme [18,19]. The main advantage of the Joye-Libert scheme compared to Goldwasser-Micali is that the former supports a larger message space, and thus it considerably decreases the expansion of the ciphertext. Regarding security, the authors prove that inverting the encryption function is equivalent to breaking the quadratic residuosity problem modulo n = pq, where p and q are prime numbers. Another important security result is that the scheme is semantically secure if the gap 2^k-residuosity assumption modulo n holds. We underline that the Joye-Libert cryptosystem is partially homomorphic with respect to message addition and supports ciphertext randomization.
In this paper, we aim at finding a way to improve decryption times for the Joye-Libert scheme. Therefore, we introduce two variants of the system: an unbalanced version and a multiprime one. In the first version we show how to decrease the size of p, while keeping the system secure and implicitly decreasing the complexity of decryption. The only cryptosystem related to this version is the unbalanced RSA [31]. Just like our version, its goal is to reduce p while keeping the system secure.
In the multiprime version, we increase the number of factors while keeping the size of the modulus constant, and we manage to prove that inverting encryption is equivalent to a vectorial form of the quadratic residuosity assumption. We could find only one related cryptosystem in the literature: the multiprime RSA [4,30]. The philosophy behind the multiprime RSA is the same as ours: it uses parallelism to speed up decryption. A bonus of the multiprime Joye-Libert is that we can also use multiple threads to improve encryption time, while in the case of RSA this is not possible.
In the final section of our paper, we analyze the complexity of the two novel variants. Then we compare the decryption time complexities for all versions of the Joye-Libert scheme. If parallelization is possible, then the multiprime variant is to be preferred since it has faster encryption and decryption. Otherwise, the unbalanced version should be used.
Previous work. Note that a preliminary version of this proposal was presented in [27].
Structure of the paper. In Section 2 we provide the notations used in our paper. Then we recall several definitions needed to describe our proposals. The original Joye-Libert scheme is detailed in Section 3. In Sections 4 and 5 we present two novel versions of the Joye-Libert scheme. A performance analysis of the Joye-Libert variants is provided in Section 6. Conclusions and open problems are given in Section 7.

Preliminaries
Notations. In this paper, λ represents a security parameter. By |n| we denote the size of n in bits. The action of selecting a random element x from a sample space X is denoted by x ←$ X. The assignment operator x ← y initialises variable x with value y. Let E be an event, then Pr[E] represents the likelihood of E occurring. Probabilistic polynomial-time algorithms are referred to as PPT algorithms. In this paper, the set of natural numbers {0, . . . , a − 1} is denoted by [0, a). To simplify notations we denote the set

Computational Complexity
In this subsection we present the reader with computational complexities of multiplication, exponentiation and modular inverse. These complexities are needed in order to determine the efficiency of our proposed schemes. Note that the asymptotic values are given in Table 1 and are taken from [15,28]. To simplify our presentation, we use the notation M (·) for the complexity of the multiplication algorithm. Note that while discussing the complexity of performing an exponentiation we assume that the exponent's length is k bits.

Table 1: Asymptotic complexities (columns: Operation, Complexity; rows: Multiplication, Exponentiation, Modular inverse)

Number Theoretic Prerequisites
The Joye-Libert encryption scheme is based on a generalisation of the Legendre symbol, namely the 2^k-th power residue symbol. Note that the Legendre symbol is obtained when k = 1 and, for simplicity, we further denote it by J_p(a). We recall the definition of the 2^k-th power residue symbol and some of its properties as stated in [33].

Definition 1. Let p be an odd prime such that 2^k | p − 1. Then the symbol
Let n = p_1 . . . p_t. We further denote by J_n(a) = J_{p_1}(a) . . . J_{p_t}(a) the Jacobi symbol of an integer a modulo an integer n. J_n and QR_n denote the set of integers modulo n with Jacobi symbol 1 and, respectively, the set of quadratic residues modulo n.

Public Key Encryption
The three PPT algorithms specific to a public key encryption (PKE) scheme are: Setup, Encrypt and Decrypt. Given as input a security parameter, the Setup algorithm outputs the public key and the corresponding secret key. To encrypt a message, Encrypt also needs the public key as input in order to output the correlated ciphertext. To recover the original message the Decrypt algorithm takes as input the secret key and the ciphertext. Note that if decryption fails, Decrypt returns an invalidity symbol.

Definition 2 (Indistinguishability under Chosen Plaintext Attacks - ind-cpa). The security model against chosen plaintext attacks for a PKE scheme is described using the following game:
The advantage of an adversary A attacking a PKE scheme is defined as
where the probability is computed over the random bits used by C and A. A PKE scheme is ind-cpa secure if for any PPT adversary A, the advantage

The Joye-Libert PKE scheme
The Joye-Libert encryption scheme was initially introduced in [20]. Its security was improved in [7]. The authors proved that inverting the encryption function is as hard as the quadratic residuosity assumption. Joye et al. also showed that in the standard model the ind-cpa security of the PKE is equivalent to the gap 2^k-residuosity assumption. We briefly present the algorithms of the Joye-Libert cryptosystem.

Setup(λ): Set an integer k ≥ 1. Randomly generate two distinct large prime numbers p, q such that |p| = |q| = λ and p ≡ 1 mod 2^k. Output the public key pk = (n, y, k), where n = pq and y ∈ J_n \ QR_n. The corresponding secret key is sk = (p, q).
Encrypt(pk, m): To encrypt a message m ∈ [0, 2^k), we choose x ←$ Z_n^* and compute c ≡ y^m x^{2^k} mod n. Output the ciphertext c.
Decrypt(sk, c): Compute the value z ≡ J_{p,2^k}(c) and find m such that the relation [J_{p,2^k}(y)]^m ≡ z mod p holds. Efficient methods to recover m can be found in a subsequent section.

The Unbalanced Joye-Libert PKE scheme
In the unbalanced Joye-Libert scheme we reduce the size of p (denoted by λ_p) while keeping the size of n constant (denoted by λ_n). We therefore have λ_n = λ_p + λ_q, where λ_q = |q| and λ_p ≤ λ_q. This modification only impacts the description of the Setup algorithm, which we briefly describe below. Note that when λ_p = λ_q we obtain the Joye-Libert cryptosystem, which we further refer to as the balanced Joye-Libert scheme.
Setup(λ_p, λ_q): Set an integer k ≥ 1. Randomly generate two distinct large prime numbers p, q such that |p| = λ_p, |q| = λ_q and p ≡ 1 mod 2^k. Output the public key pk = (n, y, k), where n = pq and y ∈ J_n \ QR_n. The corresponding secret key is sk = (p, q).

Remark 1.
Modifying the size of p does not impact the security proofs discussed in [7,20]. Therefore, as long as factoring is hard, the unbalanced version is secure. We show how to choose λ_p such that factoring remains difficult in Section 6.

Description
We further describe the multiprime Joye-Libert encryption scheme. In this case we split up n into multiple primes. Therefore, we have that λ_n = tλ_p + λ_q. Note that when λ_p = λ_q and t = 1 we obtain the original cryptosystem from [7,20] and, moreover, when in addition we set k = 1 we obtain the Goldwasser-Micali cryptosystem [18]. Also, if we set t = 1 we obtain the unbalanced version.

Algorithm 1: Basic decryption algorithm
Input: The secret prime p_i, the value y_i and the ciphertext c.
As a result, the message block m_i can be recovered bit by bit using p_i.

Security Analysis
In this section we first introduce a vectorial generalisation of the quadratic residuosity problem and prove that inverting the encryption function of our proposal is as hard as breaking this assumption. Then we generalise the gap 2^k-residuosity problem stated in [20] and prove the ind-cpa security of our proposal. Before stating the security assumptions used to prove the security of our proposal, we first define the following sets
Definition 3 (Vectorial Quadratic Residuosity - vqr). Choose t + 1 distinct large prime numbers p_1, . . . , p_t, q such that |p_1| = . . . = |p_t| = λ_p, |q| = λ_q and p_1, . . . , p_t ≡ 1 mod 2^k. Let n = p_1 . . . p_t q. Let A be a PPT algorithm that returns 1 on input (x_1, . . . , x_t, n) if x_i ∈ QR_n(i). We define the advantage
The Vectorial Quadratic Residuosity assumption states that for any PPT algorithm A the advantage ADV^vqr_A(λ_p, λ_q) is negligible.
Theorem 1. Inverting the encryption function of the multiprime Joye-Libert PKE is intractable if the vqr assumption holds.
Proof. Let us assume that there exists an adversary A that, given a ciphertext c, recovers the message m. We construct a PPT algorithm B that breaks the vqr assumption. More precisely, on input (y_1, . . . , y_t), B computes c mod n, and thus c ≡ (w_1 . . . w_t x)^{2^k} mod n is an encryption of m_0 = 0. According to the above arguments, on input (y_1, . . . , y_t, c) algorithm A outputs either m_{2^{k−1}} or m_0, and thus B outputs 0 or 1, respectively. Therefore, B breaks the vqr assumption with non-negligible probability.

Theorem 2. The multiprime Joye-Libert PKE is ind-cpa secure if and only if the vgr assumption holds.
Proof. The proof of the statement is obtained by simply replacing the distribution of the public key elements (y_1, . . . , y_t). More precisely, we randomly select the y_i values from the multiplicative subgroup of 2^k-th residues modulo n instead of drawing them from the set J_n(i) \ QR_n(i). Under the vgr assumption, the adversary will not notice this change. Therefore, we have removed any link between the ciphertext c and the message m, and thus the ind-cpa security follows. □

Optimizations
Setup Optimization. When choosing the public key we have to meet certain restrictions. An effective way to accomplish this is to first randomly choose the values y_{i,i}. Then compute the elements y_{i,j} ← w_{i,j}^{2^k} mod p_j. Using the Chinese remainder theorem we compute the desired value y_i ∈ Z_n^* such that y_i ≡ y_{i,ℓ} mod p_ℓ for all ℓ ∈ [1, t] and y_i ≡ y_{i,t+1} mod q.
Decryption Optimization. In order to speed up the decryption process, the authors of [21] add an extra restriction when generating the prime factors of n, and then use it to simplify decryption. Applying this to the multiprime case, we have to generate p_i such that p_i ≢ 1 mod 2^{k+1} holds.
Let p'_i = (p_i − 1)/2^k and α_i[s] = 2^{k−s} p'_i. Then the following relation between the ciphertext and plaintext holds, and from it we can recover message block m_i. Wrapping it all together we obtain Algorithm 2. Note that when t = 1 we obtain [21, Algorithm 3]. The authors also propose three other optimizations [21, Algorithms 4, 5 and 6]³, but their complexity is similar to that of [21, Algorithm 3].

Algorithm 2. Input: The secret values (p_i, D_i), the value y_i and the ciphertext c. Output: The message block m_i.
³ Note that two of these optimizations contain a typo: in line 5 of Algorithm 5 and line 6 of Algorithm 6 we should have

Implementation and Performance Analysis

Parameter Selection
The fastest currently known algorithm for factoring composite numbers is the Number Field Sieve (NFS) [26]. The expected running time of the NFS depends on the size of the modulus n and not on the size of its factors. More precisely, the expected running time is approximately
In [25,26], the authors extrapolate the running time needed to factor a modulus of size λ_n from the computational effort required to factor a 512-bit modulus. Hence, a λ_n-bit modulus offers a security equivalent to a block cipher of d-bit security if
Since we start from a secure Joye-Libert PKE and we wish to optimize decryption by decreasing the size of some of the factors of the modulus, while keeping the size of the modulus constant, the NFS cannot be expected to factor n. Unfortunately, this strategy can make the resulting PKEs vulnerable to the Elliptic Curve Method (ECM) [22] if we lower the size of the factors below a certain threshold. Compared to the NFS, the running time of the ECM is determined by the size of the smallest factor. Thus, if p is the smallest factor, then the running time of the ECM is
Similarly to the NFS, Lenstra [24] extrapolates the equivalent security provided by a modulus of size λ_n with the smallest prime of size λ_p to be (2)
From Equations (1) and (2)
A different model for predicting the security against the NFS and the ECM is provided in [11]. Compared to Lenstra's model, Brent uses known historical factoring records to predict the year Y in which a modulus of a given size will be factored. Using a least-squares fit, Brent obtains the following equation for the NFS: D_n^{1/3} = (Y − 1928.6)/13.24, or equivalently Y = 13.24 · D_n^{1/3} + 1928.6 (4), and for the ECM
where D_n is the number of digits of the factored modulus and D_p is the number of digits of the largest prime factor found using the ECM.
and for the ECM
Equations (4) to (7) are presented in Figures 3 and 4. Note that the black dots represent the acquired data points. We observe that in the case of the NFS the estimates are close, while in the case of the ECM the new estimate is more pessimistic from a security point of view. Using the updated estimates (Equations (6) and (7)) we obtain the following equivalence
According to NIST [6], the recommended key sizes for composite moduli are λ_n = 1536/3840/15360. We preferred to use the NIST recommendations instead of the ones from [25,26] since these key sizes are the ones used by the industry, and the key sizes from [25,26] are criticized as being too conservative [32]. Therefore, using Equations (3) and (8) we obtain the equivalent size of the smallest prime. The results are presented in Table 2. Note that in the parentheses we provide the maximum number of prime factors that n can have. Based on these equivalences, we obtain the parameters for the Joye-Libert schemes that offer protection against the NFS and the ECM (see Table 4). Due to a powerful attack by Coppersmith [14], the size of k must be upper bounded by 0.5λ_p. Otherwise, the factors of n can be found. We can easily see that the block sizes from Table 4 offer a large enough security margin with respect to this bound (see Table 3).

Complexity
Using the complexities provided in Table 1, we compute the asymptotic run times of the decryption algorithm for each Joye-Libert variant. We also determine the size of a block m_i for each variant. The results are provided in Table 5. Note that by parallel multiprime we mean the multiprime version in which we use a separate thread to compute each block m_i. We can easily see that for the parameters presented in Table 4, the encryption and decryption complexities of the unbalanced and multiprime versions are similar. Therefore, we only compare the balanced, unbalanced and parallel multiprime versions. Also, remark that we choose the parameters such that the message spaces are similar for all the variants.
Table 5: Performance analysis
The comparison of the computational complexity of the three variants is presented in Figures 5 to 7. Note that the two sets of crosses for the multiprime version correspond to the two equivalence models: Lenstra (right side crosses) and Regression (left side crosses). We also added a dotted red line in the case of the basic decryption (Algorithm 1), which represents the boundary of the optimized decryption algorithm (Algorithm 2) of the balanced version.
From the six plots we can see that the parallel multiprime version always performs better than the (un)balanced version if multiple threads are available. Also, the more threads we use, the faster we recover the original message. Therefore, if additional memory is available and parallelization is possible, then the parallel multiprime version endowed with the optimized decryption algorithm is preferable. If only parallelization is available, then the parallel multiprime version equipped with the basic decryption algorithm is the best choice. Otherwise, we should use the unbalanced variant.

Implementation Details
We further provide the reader with benchmarks for the three Joye-Libert PKE schemes. We ran each of the three algorithms (Setup, Encrypt and Decrypt) on an Intel i7-4790 CPU at 4.00 GHz and compiled them with GCC using the -O3 optimization flag. Note that for all computations we used the GMP library [2]. To measure the running times we used the omp_get_wtime() function [1]. For the parallel multiprime variant we used OpenMP [1] to parallelize encryption/decryption. To obtain the average running time in seconds we encrypted 100 messages of 128/192/256 bits, since we wanted to simulate a key distribution scenario. The results are provided in Table 6. Note that the optimized version of the decryption algorithm is denoted by Decrypt (opt).
We can see from Table 6 that the conclusions presented in Section 6.2 hold. We can also see that the multiprime version has the shortest parameter generation time, while the unbalanced version has the longest. Nevertheless, generating parameters is a one-time operation.

Conclusions
In this work we introduced two novel versions of the Joye-Libert cryptosystem. The first one, called the unbalanced Joye-Libert PKE, lowers the size of p in order to decrease decryption time. The second one, called the multiprime Joye-Libert PKE, increases the number of factors and achieves better decryption times by using multiple threads. Therefore, if parallel threads are available, we recommend the multiprime version; otherwise, we recommend the unbalanced variant. If additional memory is available, then we can replace the basic decryption algorithm with the optimized version, and therefore we can get even better decryption times.
Table 6: Running times
Open Problem. In [7], the authors manage to link the gap 2^k-residuosity assumption to the quadratic residuosity assumption when q ≡ 3 mod 4, and to the quadratic residuosity and squared Jacobi symbols assumptions when q ≡ 1 mod 4. Therefore, it would be interesting to find a similar link for the vqr assumption. The main bottleneck that we encountered when trying to link it to the vqr is that the probability of choosing an element from J_n(i) is 1/2^{kt−k+2}, and thus for t elements the probability is 1/2^{t(kt−k+2)}. Therefore, for practical values of k and t, this probability is negligible.