Pairing-Based Key Exchange
P
P
two computation steps (
) and (
) as above. The public
key is
(
g,
n) and the private key is
λ. This scheme
is proven to be one-way under the RSA assumption
where
n is taken as public exponent. However, it does
not provide semantic security.
● A probabilistic encryption scheme where the encryp-
tion of a plaintext
m
∈ Z
n
is
c
=
E
g,
n
(
m,
r) where
r ∈ Z
n
is taken at random. The plaintext
m is recovered by per-
forming computation step (
) above and ignoring the
second step that retrieves the randomness
r. The public
key is
(
g,
n) and the private key is
λ.
● A subgroup variant where
m ∈ Z
n
is encrypted as
c
=
g
m
+
rn
mod
n
where
r
∈ Z
n
is taken at random. The
base
g must be of order
αn and the plaintext is recov-
ered as
m
=
L(
c
α
mod
n
)/
L(
g
α
mod
n
) mod
n. The
private key is therefore
α in this scheme and can be
made significantly smaller than
λ, thus speeding up
decryption. This encryption scheme is one-way and
semantically secure under stronger versions of the CR
and DCR assumptions.
The two probabilistic encryption schemes above are
homomorphic for addition; if
c
is an encryption of
m
and
c
and encryption of
m
then
c
=
c
c
mod
n
decrypts
to
m
=
m
+
m
mod
n. Digital signatures are obtained
through the hash-and-sign paradigm. To sign a message
m
∈ {, }
∗
, a hash function
H mapping arbitrary bit-
strings to integers modulo
n
is used. The signature is then
(
s
,
s
) =
E
−
g,
n
(
H(
m)) and is verified by checking whether
E
g,
n
(
s
,
s
) =
H(
m). This scheme is secure under adaptive
chosen-message attacks under the CR assumption in the
random oracle model.
Applications
Paillier encryption has applications in private informa-
tion retrieval, threshold decryption, traitor tracing, proofs
of knowledge, e-vote, e-auctions, multiparty computation,
standard-model chosen-ciphertext encryption, commit-
ment schemes, and secret sharing.
Recommended Reading
. Catalano D, Gennaro R, Howgrave-Graham N, Nguyen PQ ()
Paillier’s cryptosystem revisisted. In: Proceedings of the th
ACM conference on computer and communications security,
pp –
. Catalano D, Gennaro R, Howgrave-Graham N () The bit
security of Paillier’s encryption scheme and applications. In:
Proceedings of Eurocrypt’, LNCS , pp –
. Cramer R, Shoup V () Universal hash proofs and a paradigm
for chosen ciphertext secure public-key encryption. In: Proceed-
ings of Eurocrypt’, LNCS , pp –
. Damgård I, Jurik M () A generalisation, a simplification and
some applications of Paillier’s probabilistic public-key system. In:
Proceedings of PKC’, LNCS , pp –
. Galbraith SD () Elliptic curve Paillier schemes. J Cryptol
():–
. Paillier P () Public-key cryptosystems based on composite
degree residuosity classes. In: Proceedings of Eurocrypt’, LNCS
, pp –
. Paillier P, Pointcheval D () Efficient public-key cryptosys-
tems provably secure against active adversaries. In: Proceedings
of Asiacrypt’, LNCS , pp –
. Schmidt-Samoa K, Takagi T () Paillier’s cryptosystem mod-
ulo pq and its applications to trapdoor commitment schemes.
In: Proceedings of Mycrypt, LNCS , pp –