Goldwasser-Micali cryptosystem

The Goldwasser–Micali (GM) cryptosystem is an asymmetric key encryption algorithm developed by Shafi Goldwasser and Silvio Micali in 1982. GM has the distinction of being the first probabilistic public-key encryption scheme which is provably secure under standard cryptographic assumptions. However, it is not an efficient cryptosystem, as ciphertexts may be several hundred times larger than the initial plaintext. To prove the security properties of the cryptosystem, Goldwasser and Micali proposed the widely used definition of semantic security.

The GM cryptosystem is semantically secure based on the assumed intractability of the quadratic residuosity problem modulo a composite N = pq where p, q are large primes. This assumption states that given (x, N) it is difficult to determine whether x is a quadratic residue modulo N (i.e., x = y² mod N for some y), when the Jacobi symbol for x is +1. The quadratic residue problem is easily solved given the factorization of N, while new quadratic residues may be generated by any party, even without knowledge of this factorization. The GM cryptosystem leverages this asymmetry by encrypting individual plaintext bits as either random quadratic residues or non-residues modulo N, all with quadratic residue symbol +1. Recipients use the factorization of N as a secret key, and decrypt the message by testing the quadratic residuosity of the received ciphertext values.

Because Goldwasser–Micali produces a value of size approximately |N| to encrypt every single bit of a plaintext, GM encryption results in substantial ciphertext expansion. To prevent factorization attacks, it is recommended that |N| be several hundred bits or more. Thus, the scheme serves mainly as a proof of concept, and more efficient provably-secure schemes such as Elgamal have been developed since.

...
Wikipedia