5.2 Implementing Cryptocounters
5.2.4 The Paillier Encryption Algorithm
Perhaps one of the simplest and most elegant solutions to the problem of implementing a cryptocounter is to use Paillier’s public key cryptosystem [216]. The Paillier cryptosystem constitutes a one-way trapdoor under the computational composite residuosity assumption (see Appendix B.3.3). The Paillier cryptosystem is semantically secure against plaintext attacks under the decision composite residuosity (DCR) problem (see Appendix B.3.4).
The value n in Paillier is the product of two large primes p and q, the same as in RSA. The Paillier cryptosystem is based on the following two properties of Carmichael’s λ function.
1. For any $w \in \mathbb{Z}_{n^2}^*$, the congruence $w^{\lambda(n)} \equiv 1 \bmod n$ holds.
2. For any $w \in \mathbb{Z}_{n^2}^*$, the congruence $w^{n\lambda(n)} \equiv 1 \bmod n^2$ holds.
In RSA the public exponent $e$ in the public key $(e, n)$ is relatively prime to $(p-1)(q-1)$. Typically, the value $e$ is shared by all the users. Paillier's cryptosystem is quite a bit different since it does not employ $e$. Instead, the cryptosystem utilizes an integer $g$ that has order $v$ modulo $n^2$ with $v$ satisfying the following congruence.²

$$v \equiv 0 \bmod n \qquad (5.1)$$

The value $g$ is shared by all the users. The public key is $(n, g)$ and the private key is $\lambda(n)$.
¹ In fact, by using two different counter constructs such as this one and the ElGamal one at the same time, by making the counter values equivalent, and by incrementing them in lock-step, a redundancy check is implemented. The check is verified by decrypting the cryptocounters and making sure they both store the same count. This makes it harder for an active adversary to falsify a previous counter value.

² The value $g$ is said to have order $v$ modulo $n^2$ if and only if $v$ is the smallest positive
The following is how to encrypt a message $m$, which is an integer satisfying $m < n$. A value $u$ is chosen uniformly at random from $\mathbb{Z}_n^*$ and the ciphertext $c$ is computed as follows,

$$c = g^m u^n \bmod n^2 \qquad (5.2)$$
The function $L(x) = \dfrac{x - 1 \bmod n^2}{n}$ is used for decryption. The following equation shows how to decrypt $c$ to recover $m$.

$$m = L(c^{\lambda(n)} \bmod n^2)\, L(g^{\lambda(n)} \bmod n^2)^{-1} \bmod n \qquad (5.3)$$
It remains to show that decryption succeeds for all messages $m$. By Euclid's division rule, given positive integers $g^{\lambda(n)}$ and $n^2$ with $n^2 \neq 0$, there exist unique integers $q$ and $r$, with $0 \le r < n^2$, such that $g^{\lambda(n)} = qn^2 + r$. In this equation $q$ is the quotient and $r$ is the remainder upon dividing $g^{\lambda(n)}$ by $n^2$. The value $r$ equals $g^{\lambda(n)} \bmod n^2$. Reducing both sides modulo $n$ implies that,

$$g^{\lambda(n)} \equiv r \bmod n \qquad (5.4)$$

By property (1),

$$g^{\lambda(n)} \equiv 1 \bmod n \qquad (5.5)$$
By transitivity, equations 5.4 and 5.5 imply that $r \equiv 1 \bmod n$. Hence, $g^{\lambda(n)} \bmod n^2$ is congruent to 1 modulo $n$. So, there exists an integer $\beta < n$ such that $g^{\lambda(n)} \bmod n^2 = 1 + \beta n$. Hence,

$$g^{\lambda(n)} \equiv 1 + \beta n \bmod n^2 \qquad (5.6)$$
By subtracting 1 from both sides it follows that $g^{\lambda(n)} - 1 \equiv \beta n \bmod n^2$. This implies that $g^{\lambda(n)} - 1 \bmod n^2 = \beta n \bmod n^2$. Define $t_1$ to be $g^{\lambda(n)} - 1 \bmod n^2$. So, $t_1 = \beta n \bmod n^2$, and by the division rule there exists a $k_1$ such that $\beta n = k_1 n^2 + t_1$. So, $t_1/n = \beta - k_1 n$. By reducing both sides modulo $n$, it follows that $t_1/n \equiv \beta \bmod n$. Since $t_1/n = L(g^{\lambda(n)} \bmod n^2)$ this implies that

$$\beta \equiv L(g^{\lambda(n)} \bmod n^2) \bmod n \qquad (5.7)$$
By raising both sides of equation 5.2 to the power $\lambda(n)$ and reducing modulo $n^2$, it follows that $c^{\lambda(n)} \equiv (g^m u^n)^{\lambda(n)} \bmod n^2$. From property (2), the value $u^{n\lambda(n)} \equiv 1 \bmod n^2$. Hence,

$$c^{\lambda(n)} \equiv (g^{\lambda(n)})^m \bmod n^2 \qquad (5.8)$$
Now, by substituting equation 5.6 for $g^{\lambda(n)}$ in equation 5.8 it follows that $c^{\lambda(n)} \equiv (1 + \beta n)^m \bmod n^2$. The Binomial Theorem describes the expansion of the binomial $(1 + \beta n)^m$ on the right side of this equation. But, since this equation is reduced modulo $n^2$, every term of the expansion except the first two vanishes, because each remaining term contains the factor $(\beta n)^k$ with $k \ge 2$ and is therefore a multiple of $n^2$. As a result, $c^{\lambda(n)} \equiv 1 + m\beta n \bmod n^2$. So,

$$c^{\lambda(n)} - 1 \equiv m\beta n \bmod n^2 \qquad (5.9)$$
But this implies that $c^{\lambda(n)} - 1 \bmod n^2 = m\beta n \bmod n^2$. Define $t_2$ to be $c^{\lambda(n)} - 1 \bmod n^2$. By the division rule, there exists a $k_2$ such that $m\beta n = k_2 n^2 + t_2$. Hence, $t_2/n = m\beta - k_2 n$. By reducing both sides modulo $n$ it follows that $t_2/n \equiv m\beta \bmod n$. Since $t_2/n = L(c^{\lambda(n)} \bmod n^2)$ this implies that,

$$L(c^{\lambda(n)} \bmod n^2) \equiv m\beta \bmod n \qquad (5.10)$$
By substituting equation 5.7 for $\beta$ in equation 5.10 it follows that,

$$L(c^{\lambda(n)} \bmod n^2) \equiv m\, L(g^{\lambda(n)} \bmod n^2) \bmod n \qquad (5.11)$$

Multiplying both sides by $L(g^{\lambda(n)} \bmod n^2)^{-1} \bmod n$ results in the plaintext $m$.
Since the quantity $L(g^{\lambda(n)} \bmod n^2)^{-1} \bmod n$ is always the same each time that a ciphertext $c$ is decrypted, this value can be computed once and for all. So, let $\psi = L(g^{\lambda(n)} \bmod n^2)^{-1} \bmod n$. The user can then store $(\lambda(n), \psi)$ as his or her private key. Equation 5.12 shows how to decrypt $c$ using $\psi$.

$$m = \psi\, L(c^{\lambda(n)} \bmod n^2) \bmod n \qquad (5.12)$$

As in RSA, the Chinese Remainder Theorem can be used to speed up decryption. A variant of Paillier's scheme has been proposed that makes some efficiency improvements regarding the size of Paillier ciphertexts [79].
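The following Python implementation is an added worked example, not code from the book: it carries the scheme above through key generation, encryption (5.2), decryption with the precomputed $\psi$ (5.12), and the cryptocounter use that gives this section its title. Two things are assumptions rather than statements of the text: the choice $g = n + 1$, which has order $n$ modulo $n^2$ and so satisfies (5.1) (the text only requires the order condition), and the increment step, which multiplies a counter ciphertext by a fresh encryption of the step size; that this adds the counts follows directly from (5.2), since $g^{m_1}u_1^n \cdot g^{m_2}u_2^n = g^{m_1+m_2}(u_1u_2)^n$. The primes are tiny constructed values chosen so the intermediate numbers can be checked by hand.

```python
"""Textbook Paillier (equations 5.1 to 5.12) with a cryptocounter on top.

Added example, not the book's code. Assumptions not in the text: g = n + 1
(order n modulo n^2, so v = n satisfies (5.1)), constructed toy primes, and
increment-by-multiplication, which follows from (5.2).
"""
import math
import secrets


def carmichael(p, q):
    """Carmichael's lambda(n) for n = p*q, i.e. lcm(p - 1, q - 1)."""
    return (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)


def L(x, n):
    """The decryption helper L(x) = (x - 1 mod n^2) / n.

    Only meaningful for x congruent to 1 modulo n, where the division is
    exact; the assert documents that precondition instead of truncating.
    """
    x = (x - 1) % (n * n)
    assert x % n == 0, "L(x) requires x == 1 (mod n)"
    return x // n


def keygen(p, q):
    """Public key (n, g) and private key (lambda(n), psi) as in (5.12)."""
    n = p * q
    n2 = n * n
    lam = carmichael(p, q)
    g = n + 1                       # assumption: g = n + 1 has order n mod n^2
    glam = pow(g, lam, n2)          # equals 1 + beta*n mod n^2, equation (5.6)
    mu = L(glam, n)                 # beta mod n, equation (5.7)
    assert math.gcd(mu, n) == 1, "L(g^lambda mod n^2) must be invertible mod n"
    psi = pow(mu, -1, n)            # psi = L(g^lambda mod n^2)^-1 mod n
    return (n, g), (lam, psi)


def random_unit(n):
    """Uniform u in Z_n^*, the random factor of (5.2)."""
    while True:
        u = secrets.randbelow(n)
        if u != 0 and math.gcd(u, n) == 1:
            return u


def encrypt(pub, m, u=None):
    """c = g^m u^n mod n^2, equation (5.2). A fixed u may be passed for tests."""
    n, g = pub
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext must satisfy 0 <= m < n")
    if u is None:
        u = random_unit(n)
    return (pow(g, m, n2) * pow(u, n, n2)) % n2


def decrypt(pub, priv, c):
    """m = psi * L(c^lambda mod n^2) mod n, equation (5.12)."""
    n, _ = pub
    lam, psi = priv
    return (psi * L(pow(c, lam, n * n), n)) % n


def increment(pub, c, k=1):
    """Add k to the count hidden in c without decrypting it.

    The fresh random u inside encrypt() re-randomizes the ciphertext, so the
    counter before and after the increment are not linkable by inspection.
    The count wraps modulo n, so it is only meaningful while it stays below n.
    """
    n, _ = pub
    return (c * encrypt(pub, k)) % (n * n)


def counter_demo(steps=5):
    """Start a counter at 0, increment it `steps` times and return the decrypted count."""
    pub, priv = keygen(13, 17)      # constructed toy primes; real keys need primes of ~1024 bits each
    c = encrypt(pub, 0)
    for _ in range(steps):
        c = increment(pub, c)
    return decrypt(pub, priv, c)


if __name__ == "__main__":
    print(counter_demo())
```

With $p = 13$, $q = 17$ the key material is $n = 221$, $\lambda(n) = 48$, $g^{\lambda(n)} \bmod n^2 = 1 + 48n$, so $L(g^{\lambda(n)} \bmod n^2) = 48$ and $\psi = 48^{-1} \bmod 221 = 198$, which is easy to confirm by hand. The only private state the counter's owner keeps is $(\lambda(n), \psi)$; whoever holds just $(n, g)$ can advance the count but cannot read it.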