Schmidt-Samoa cryptosystem

Key generation

• Choose two large distinct primes p and q and compute N = p^2q
• Compute d = N^{-1} \mod \text{lcm}(p-1,q-1)

Now N is the public key and d is the private key.

Encryption

To encrypt a message m we compute the ciphertext as c = m^N\mod N.

Decryption

To decrypt a ciphertext c we compute the plaintext as m = c^d \mod pq, which like for Rabin and RSA can be computed with the Chinese remainder theorem.

Example:

• p = 7, q = 11, N = p^2q = 539, d = N^{-1} \mod \text{lcm}(p-1,q-1) = 29
• m = 32, c = m^N \mod N = 373

Now to verify:

• m = c^d \mod pq = 373^{29} \mod pq = 373^{29} \mod 77 = 32

Security

The algorithm, like Rabin, is based on the difficulty of factoring the modulus N, which is a distinct advantage over RSA. That is, it can be shown that if there exists an algorithm that can decrypt arbitrary messages, then this algorithm can be used to factor N.

Efficiency

The algorithm processes decryption as fast as Rabin and RSA, however it has much slower encryption since the sender must compute a full exponentiation.

Since encryption uses a fixed known exponent an addition chain may be used to optimize the encryption process. The cost of producing an optimal addition chain can be amortized over the life of the public key, that is, it need only be computed once and cached.

References

• A New Rabin-type Trapdoor Permutation Equivalent to Factoring and Its Applications