# A Generalisation, a Simplification and Some Applications of Paillier's Probabilistic Public-Key System

@inproceedings{Damgrd2001AGA, title={A Generalisation, a Simplification and Some Applications of Paillier's Probabilistic Public-Key System}, author={Ivan Damg{\aa}rd and Mads Jurik}, booktitle={International Conference on Theory and Practice of Public Key Cryptography}, year={2001} }

We propose a generalisation of Paillier's probabilistic public key system, in which the expansion factor is reduced and which allows to adjust the block length of the scheme even after the public key has been fixed, without loosing the homomorphic property. We show that the generalisation is as secure as Paillier's original system.
We construct a threshold variant of the generalised scheme as well as zero-knowledge protocols to show that a given ciphertext encrypts one of a set of given…

## 1,057 Citations

### Benaloh's Dense Probabilistic Encryption Revisited

- Computer Science, MathematicsAFRICACRYPT
- 2011

This paper shows on several applications that a bad choice in the key generation phase of Benaloh's scheme has a real impact on the behaviour of the application, and shows how to formulate the security of the corrected scheme in a generic setting suitable for several homomorphic encryptions.

### Paillier's cryptosystem revisited

- Computer Science, MathematicsCCS '01
- 2001

We re-examine Paillier's cryptosystem, and show that by choosing a particular discrete log base g, and by introducing an alternative decryption procedure, we can extend the scheme to allow an…

### A Generalization of Paillier's Public-Key System With Fast Decryption

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2020

A very simple decryption algorithm is proposed which is more efficient than other generalization algorithms and it is proved that the generalized Paillier’s scheme is IND-CPA secure.

### Homomorphic Secret Sharing from Paillier Encryption

- Computer Science, MathematicsProvSec
- 2017

This work extends Boyle et al.

### Optimized Paillier’s Cryptosystem with Fast Encryption and Decryption

- Computer ScienceACSAC
- 2021

A new optimization for the Paillier’s additively homomorphic encryption scheme (Eurocrypt’99) is proposed, with a well-chosen subgroup of the underlying , which is used as the randomness space for masking messages during encryption.

### A Weakness in Some Oblivious Transfer and Zero-Knowledge Protocols

- Mathematics, Computer ScienceASIACRYPT
- 2006

It appears that even a semi-honest chooser (verifier) can derive from the random coin bounds for all or some of the sender's (prover's) private inputs with non-negligible probability.

### Efficient Binary Conversion for Paillier Encrypted Values

- Computer Science, MathematicsEUROCRYPT
- 2006

The framework of secure n-party computation based on threshold homomorphic cryptosystems as put forth by Cramer, Damgard, and Nielsen is extended by considering the problem of converting a given Paillier encryption of a value x∈ℤN intoPaillier encryptions of the bits of x.

### A Length-Flexible Threshold Cryptosystem with Applications

- Computer Science, MathematicsACISP
- 2003

The scheme inherits the attractive homomorphic properties of Paillier encryption and achieves two new properties: first, all users can use the same modulus when generating key pairs, this allows more efficient proofs of relations between different encryptions, and second, a threshold decryption protocol is constructed for the scheme that is length-flexible.

### The Paillier's Cryptosystem and Some Variants Revisited

- Computer Science, MathematicsInt. J. Netw. Secur.
- 2017

It is shown that there is a big difference between the original Paillier's encryption and some variants, and the alternative decryption procedure of Bresson-Catalano-Pointcheval encryption scheme proposed at Asiacrypt'03 is simplified.

### A Variant of the Schmidt-Takagi Encryption Scheme

- Computer Science, Mathematics
- 2008

This paper proposes a new variant of the Schmidt-Takagi encryption scheme described as Et(r, m) = r s (1 + mn) mod n, where n, s, t are the public key, m a message, and r a random number, and gets that Et is additively homomorphic in m if t ≥ ⌈(s+1)/2⌉.

## References

SHOWING 1-10 OF 19 REFERENCES

### A Generalisation, a Simplification and some Applications of Paillier’s Probabilistic Public-Key System

- Mathematics, Computer Science
- 2000

We propose a generalisation of Paillier's probabilistic public key system, in which the expansion factor is reduced and which allows to adjust the block length of the scheme even after the public key…

### A secure and optimally efficient multi-authority election scheme

- Computer ScienceEur. Trans. Telecommun.
- 1997

In this paper we present a new multi-authority secret-ballot election scheme that guarantees privacy, universal verifiability, and robustness. It is the first scheme for which the performance is…

### Sharing Decryption in the Context of Voting or Lotteries

- Computer Science, MathematicsFinancial Cryptography
- 2000

A distributed version of the Paillier cryptosystem presented at Eurocrypt '99 is proposed, which can be used in an electronic voting scheme or in a lottery where a random number related to the winning ticket has to be jointly chosen by all participants.

### Robust efficient distributed RSA-key generation

- Computer Science, MathematicsPODC '98
- 1998

The solution can be combined with recent pronctive function sharing techniques to establish the first efficient, optimal-resilience, robust and proactively-secure RSAbased diotributcd trust services where the key is never entrusted to a oin8le entity (Le., distributed trust totally “from scratch”).

### A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory

- Computer ScienceEUROCRYPT
- 1988

This paper proposes a new scheme which requires the storage of only one authentication number in each security microprocessor and the check ofonly one witness number, and the needed computations are only 2 or 3 more than for the scheme of Fiat-Shamir.

### Efficient Receipt-Free Voting Based on Homomorphic Encryption

- Computer ScienceEUROCRYPT
- 2000

The security of the multi-authority voting protocol of Benaloh and Tuinstra is analyzed and it is demonstrated that this protocol is not receiptfree, opposed to what was claimed in the paper and was believed before.

### Efficient Multiparty Computations Secure Against an Adaptive Adversary

- Computer Science, MathematicsEUROCRYPT
- 1999

This paper observes that a subprotocol of Rabin and Ben-Or's, known as weak secret sharing (WSS), is not secure against an adaptive adversary, and proposes new and adaptively secure protocols for WSS, VSS and MPC that are substantially more efficient than the original ones.

### Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

- Computer Science, MathematicsEUROCRYPT
- 1999

A new trapdoor mechanism is proposed and three encryption schemes are derived : a trapdoor permutation and two homomorphic probabilistic encryption schemes computationally comparable to RSA, which are provably secure under appropriate assumptions in the standard model.

### Practical multi-candidate election system

- Computer SciencePODC '01
- 2001

A practical multi-candidate election scheme that guarantees privacy of voters, public verifiability, and robustness against a coalition of malicious authorities is described, based on the Paillier cryptosystem and on some related zero-knowledge proof techniques.

### Practical Threshold Signatures

- Computer Science, MathematicsEUROCRYPT
- 2000

An RSA threshold signature scheme that is unforgeable and robust in the random oracle model, assuming the RSA problem is hard and the size of an individual signature share is bounded by a constant times thesize of the RSA modulus.