Example: Goldwasser-Micali with n=217 and y=145. Note 217 = 7 * 31. y=145 is a pseudosquare since (y|7) = (145)^(3) = -1 (mod 7) and (y|31) = (145)^(15) = -1 (mod 31) by using Euler's criterion: the Legendre symbol (y|p) is given by (y|p) = y^{(p-1)/2} (mod p). Alice sent a 4-bit message encoded using the following numbers: x[1] = 185 (mod 217) x[2] = 144 (mod 217) x[3] = 61 (mod 217) x[4] = 211 (mod 217) Bob decodes the bits by checking the Legendre symbol (x|p): (185 | 7) = 185^3 (mod 7) = -1 => m[1] = 1 that is 185 is a pseudosquare (144 | 7) = 144^3 (mod 7) = 1 => m[2] = 0 that is 144 is a square (quadratic residue) (61 | 7) = 61^3 (mod 7) = -1 => m[3] = 1 that is 61 is a pseudosquare (211 | 7) = 211^3 (mod 7) = 1 => m[4] = 0 that is 211 is a square (quadratic residue) Note: (185 | 7) = (185 | 31) = -1, that is, it suffices for Bob to check one value of the Legendre symbol (as they are supposed to agree). Example: Blum-Goldwasser with n=217 Alice sent the ciphertext (1,1,1,1,1,1,1,1) and s[9]=39(mod 217). What is her plaintext to Bob? n = p*q, where p = 7 and q = 31 Recall that the square root function for a prime congruent to 3 mod 4 is: sqrt(x) mod p = x^[(p+1)/4] (mod p) Bob needs to compute s[1] mod 217 (by taking 8 consecutive square roots): s[1] = s[9]^u (mod 7) s[1] = s[9]^v (mod 31) where u = [(7+1)/4]^8 (mod 6) = 4 v = [(31+1)/4]^8 (mod 30) = 16 Thus, s[1] = 4 (mod 7) s[1] = 8 (mod 31) Apply the Aryabhata (extended Euclidean) algorithm on 7 and 31: ------------------------------------------------------------- A B Q R X1 Y1 X2 Y2 ------------------------------------------------------------- 31 7 4 3 1 0 0 1 7 3 2 1 0 1 1 -4 3 1 3 0 1 -4 -2 9 ------------------------------------------------------------- check: 1 = (-2)*31 + 9*7 By the Chinese Remainder Theorem: s[1] = 4*(5*31) + 8*(9*7) = 39 (mod 217) Checking the Blum-Blum-Shub pseudorandom sequence and deciphering the sequence (1,1,1,1,1,1,1,1): s[1] = 39 b[1] = 1 m[1] = 0 s[2] = 2 b[2] = 0 m[2] = 1 s[3] = 4 b[3] = 0 m[3] = 1 s[4] = 16 b[4] = 0 m[4] = 1 s[5] = 39 b[5] = 1 m[5] = 0 s[6] = 2 b[6] = 0 m[6] = 1 s[7] = 4 b[7] = 0 m[7] = 1 s[8] = 16 b[8] = 0 m[8] = 1 s[9] = 39 Plaintext = 01110111