On the Security of a Modified Paillier Public-Key Primitive

  • Kouichi Sakurai
  • Tsuyoshi Takagi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2384)


Choi et al. proposed the modified Paillier cryptosystem (M-Paillier cryptosystem). They use a special public-key g ∈ ℤ/nℤ such that g ϕ(n) = 1 + n mod n 2, where n is the RSA modulus. The distribution of the public key g is different from that of the original one. In this paper, we study the security of the usage of the public key. Firstly, we prove that the one-wayness of the M-Paillier cryptosystem is as intractable as factoring the modulus n, if the public key g can be generated only by the public modulus n. Secondly, we prove that the oracle that can generate the public-key factors the modulus n. Thus the public keys cannot be generated without knowing the factoring of n. The Paillier cryptosystem can use the public key g = 1 + n, which is generated only from the public modulus n. Thirdly, we propose a chosen ciphertext attack against the M-Paillier cryptosystem. Our attack can factor the modulus n by only one query to the decryption oracle. This type of total breaking attack has not been reported for the original Paillier cryptosystem. Finally, we discuss the relationship between the M-Paillier cryptosystem and the Okamoto-Uchiyama scheme.


One-wayness Factoring Chosen ciphertext attack Key distribution Composite residuosity problem Paillier cryptosystem 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [BDPR98]
    M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway, “Relations among notions of security for public-key encryption schemes,” CRYPTO’98, LNCS 1462, pp. 26–45, 1998.Google Scholar
  2. [BFL91]
    J. Boyar, K. Friedl, and C. Lund, “Practical zero-knowledge proofs: Giving hits and using deficiencies,” Journal of Cryptology, 4(3), pp. 185–206, 1991.zbMATHCrossRefMathSciNetGoogle Scholar
  3. [CM99]
    J. Camenish and M. Michels, “Proving that a number is the product of two safe primes,” Eurocrypt’ 99, LNCS 1592, pp. 107–122, 1999.Google Scholar
  4. [CGH01]
    D. Catalano, R. Gennaro, and N. Howgraw-Graham, “The bit security of Paillier’s encryption scheme and its applications,” Eurocrypt 2001, LNCS 2045, pp. 229–243, 2001.CrossRefGoogle Scholar
  5. [CGHN01]
    D. Catalano, R. Gennaro, N. Howgrave-Graham, and P. Nguyen, “Paillier’s cryptosystem revisited,” to appear in the ACM conference on Computer and Communication Security, 2001. (available from
  6. [CCW01]
    D.-H. Choi, S. Choi, and D. Won, “Improvement of probabilistic public key cryptosystem using discrete logarithm,” The 4th International Conference on Information Security and Cryptology, ICISC 2001, LNCS 2288, pp. 72–80, 2002.Google Scholar
  7. [DJ01]
    I. Damgård and M. Jurik, “A generalization, a simplification and some applications of Paillier’s probabilistic public-key system, ” PKC 2001, LNCS 1992, pp. 119–136, 2001.Google Scholar
  8. [FO99a]
    E. Fujisaki and T. Okamoto, “How to enhance the security of public-key encryption at minimum cost,” 1999 International Workshop on Practice and Theory in Public Key Cryptography, LNCS 1560, pp. 53–68, 1999.Google Scholar
  9. [FO99b]
    E. Fujisaki and T. Okamoto, “Secure integration of asymmetric and symmetric encryption schemes,’ Advances in Cryptology-CRYPTO’99, LNCS 1666, pp. 537–554, 1999.CrossRefGoogle Scholar
  10. [Gal01]
    S. Galbraith, “Elliptic curve Paillier schemes,” to appear in Journal of Cryptology, 2001. (available from
  11. [GMMV02]
    D. Galindo, S. Martín, P. Morillo, and J. Villar, “An efficient semantically secure elliptic curve cryptosystem based on KMOV scheme,” Cryptology ePrint Archive, Report 2002/037, 2002. (available from
  12. [GMR98]
    R. Gennaro, D. Micciancio, and T. Rabin, “An efficient non-interactive statistical zero-knowledge proof system for quasi-safe prime products,” ACM Conference on Computer and Communications Security, pp. 67–72, 1998.Google Scholar
  13. [OP01a]
    T. Okamoto and D. Pointcheval, “The Gap-Problems: a new class of problems fro the security of cryptographic schemes,” 2001 International Workshop on Practice and Theory in Public Key Cryptography, LNCS 1992, pp. 104–118, 2001.Google Scholar
  14. [OP01b]
    T. Okamoto and D. Pointcheval, “REACT: Rapid Enhanced-security Asymmetric Cryptosystem Transform,” In Proceedings of the Cryptographers’ Track at RSA Conference’ 2001, LNCS 2020, pp. 159–175, 2001.CrossRefGoogle Scholar
  15. [OU98]
    T. Okamoto and S. Uchiyama, “A new public-key cryptosystem as secure as factoring,” Eurocrypt’98, LNCS 1403, pp. 308–318, 1998.Google Scholar
  16. [Pai99]
    P. Paillier, “Public-key cryptosystems based on composite degree residuosity classes,” Eurocrypt’99, LNCS 1592, pp. 223–238, 1999.Google Scholar
  17. [PP99]
    P. Paillier and D. Pointcheval, “Efficient public key cryptosystems provably secure against active adversaries,” Asiacrypt’99, LNCS 1716, pp. 165–179, 1999.Google Scholar
  18. [Poi00]
    D. Pointcheval, “Chosen-ciphertext security for any one-way cryptosystem,” 2000 International Workshop on Practice and Theory in Public Key Cryptography, LNCS 1751, pp. 129–146, 2000.Google Scholar
  19. [Rab79]
    M. Rabin, “Digitalized signatures and public-key functions as intractable as factorization”, Technical Report No.212, MIT, Laboratory of Computer Science, Cambridge, pp. 1–16, 1979.Google Scholar
  20. [ST02]
    K. Sakurai and T. Takagi, “New semantically secure public-key cryptosystems from the RSA-primitive,” PKC 2002, LNCS 2274, pp. 1–16, 2002.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Kouichi Sakurai
    • 1
  • Tsuyoshi Takagi
    • 2
  1. 1.Department of Computer Science and Communication EngineeringKyushu UniversityFukuokaJapan
  2. 2.Fachbereich InformatikTechnische Universität DarmstadtDarmstadtGermany

Personalised recommendations