Questions tagged [paillier]

A public-key cryptosystem invented by Pascal Paillier in 1999.

The Paillier cryptosystem was invented by Pascal Paillier in 1999. It is a public-key cryptosystem which, due to its additive homomorphic property, is starting to be used in a number of research systems. It is semantically secure without modification, unlike RSA, which requires random padding to be semantically secure. It is based on the difficulty of computing n-th residue classes.

175 questions
12 votes, 3 answers

What are some disadvantages of homomorphic encryption schemes?

I'm doing some self-teaching / research for my own benefit in homomorphic cryptography. I've studied both additive and multiplicative schemes (Paillier and RSA respectively), but all I can seem to find are the benefits of the schemes. Are there any…
John Smith
11 votes, 3 answers

Division in Paillier cryptosystem

Is division possible in the Paillier Cryptosystem? i.e. given the cipher-text $C$ of an integer $M$, the plain-text divisor $D$, and only the public key, can one compute the cipher-text of $M/D$?
user996522
11 votes, 1 answer

Homomorphic (encrypted) comparison to an integer

When working with an additive homomorphic encryption scheme (say Paillier's), is there an efficient way to get the encrypted value of a comparison test to an integer value (I realise that an unencrypted comparison test would make the encryption…
Dave
10 votes, 0 answers

Hardness of iterated squaring in Paillier group

The (computational) problem of iterated squaring (IS) in the RSA group is defined as follows, where $\leftarrow$ denotes sampling uniformly at random: Input: $(N,x,T)$, where $N$ is the RSA modulus, $x\leftarrow\mathbb{Z}_N^*$, and $T\in\mathbb{N}$…
ckamath
10 votes, 1 answer

Paillier can add and multiply, why is it only partially homomorphic?

I've seen that it's widely accepted that before Gentry's breakthrough (which is not practical yet) in 2009 there was no known fully homomorphic encryption scheme. I've read here in another answer that: "...there are many known partially homomorphic…
Cedric Martin
9 votes, 2 answers

Can the CRT speed-up Paillier decryption by more than a factor of two?

In the Paillier cryptosystem, decryption goes $m\gets\displaystyle\left\lfloor\frac {\left(c^\lambda\bmod N^2\right)-1}N\right\rfloor\mu\bmod N$ with $\mu
fgrieu
8 votes, 1 answer

Zero knowledge proof for Paillier addition under multiple keys

Suppose $m_0, m_1, m_2 \in \mathbb{N}$ such that $m_0 = m_1 + m_2$, $m_i > 0$ (none of them can be 0 or lower) Under a Paillier cryptosystem, set $e_0 = E(m_0, r_0)$ for a public key $(g_0, n_0)$ $e_1 = E(m_1, r_1)$ for a public key $(g_1,…
8 votes, 1 answer

Equality checking using additive homomorphic encryption

Given two ciphertexts $c_1 = enc(p_1)$ and $c_2= enc(p_2)$ using any additive homomorphic encryption scheme (or specifically Paillier). Can we find out whether the underlying plaintexts $p_1,p_2$ are equal without decrypting $c_1,c_2$ i.e.…
sashank
7 votes, 1 answer

What if the p and q used in keys generation of Paillier cryptosystem are composite?

I've seen a few implementations of Paillier cryptosystem that use probable primes to choose $p$ and $q$. Assuming that a keypair is generated with $p$ and $q$ that are coprime and that $pq$ is coprime with $(p - 1)(q - 1)$, but either $p$ or $q$…
7 votes, 1 answer

Generating suitable prime numbers for Paillier key pair in GG18

I am working on MPCs (multi party computation) in crypto, and now I am developing an implementation of GG 18. In the sign phase, the algorithm needs MtA (Multiplicative to Additive) and uses a Paillier key pair for this. Paillier uses modulus $N$ ($N=p_1 *…
6 votes, 2 answers

Paillier Homomorphic encryption to calculate the means

Paillier Homomorphic encryption supports addition and multiplication with plaintext value. Can I use these properties to calculate the means of cipher-text values? I try to use the following steps: Multiply set of cipher texts (to get their sum in…
6 votes, 2 answers

How to prove correct decryption in Paillier cryptosystem

Bob sends a ciphertext obtained by Paillier encryption to Alice. Alice has the private key. She decrypts the ciphertext and returns the plaintext to Bob. How can Alice convince Bob that the plaintext is correct to this ciphertext? Bob only has the…
bin
6 votes, 2 answers

SPDZ for the 2-party case

There exist protocols for 2-party computation, e.g., GMW, that use Boolean circuits. I could also use Paillier and arithmetic circuits for a 2 party computation. However, after reading about SPDZ, it is my understanding I could use it to do 2-party…
6 votes, 2 answers

Showing the decrypted sum of encrypted values

Is there a system that would allow to encrypt values with one or more keys, sum the encrypted values, and reveal a key which could only decrypt the sum. Essentially would be able to show encrypted values where anyone could verify the sum by adding…
Jeff
6 votes, 2 answers

Zero-knowledge proof for the product of additive Paillier ciphers

Suppose that Alice received the cipher values: $E(x_1), E(x_2), ..., E(x_n)$ that are encrypted using Paillier cryptosystem by $n$ entities with Bob's public key. Alice computes $E(\sum x_i)$ from the product of the cipher values she…