Schmidt-Samoa cryptosystem

The Schmidt-Samoa cryptosystem is an asymmetric cryptographic technique, whose security, like Rabin depends on the difficulty of integer factorization. Unlike Rabin this algorithm does not produce an ambiguity in the decryption at a cost of encryption speed.

Key generation

 * Choose two large distinct primes p and q and compute $$N = p^2q$$
 * Compute $$d = N^{-1} \mod \text{lcm}(p-1,q-1)$$

Now N is the public key and d is the private key.

Encryption
To encrypt a message m we compute the ciphertext as $$c = m^N\mod N.$$

Decryption
To decrypt a ciphertext c we compute the plaintext as $$m = c^d \mod pq,$$ which like for Rabin and RSA can be computed with the Chinese remainder theorem.

Example:
 * $$p = 7, q = 11, N = p^2q = 539, d = N^{-1} \mod \text{lcm}(p-1,q-1) = 29$$
 * $$m = 32, c = m^N \mod N = 373$$

Now to verify:
 * $$m = c^d \mod pq = 373^{29} \mod pq = 373^{29} \mod 77 = 32$$

Security
The algorithm, like Rabin, is based on the difficulty of factoring the modulus N, which is a distinct advantage over RSA. That is, it can be shown that if there exists an algorithm that can decrypt arbitrary messages, then this algorithm can be used to factor N.

Efficiency
The algorithm processes decryption as fast as Rabin and RSA, however it has much slower encryption since the sender must compute a full exponentiation.

Since encryption uses a fixed known exponent an addition chain may be used to optimize the encryption process. The cost of producing an optimal addition chain can be amortized over the life of the public key, that is, it need only be computed once and cached.