# On the Security of a Modified Paillier Public-Key Primitive

## Abstract

Choi et al. proposed the modified Paillier cryptosystem (M-Paillier cryptosystem). They use a special public key $g \in \mathbb{Z}/n\mathbb{Z}$ such that $g^{\varphi(n)} = 1 + n \bmod n^2$, where $n$ is the RSA modulus. The distribution of the public key $g$ is different from that of the original one. In this paper, we study the security of the usage of the public key. Firstly, we prove that the one-wayness of the M-Paillier cryptosystem is as intractable as factoring the modulus $n$, if the public key $g$ can be generated from the public modulus $n$ alone. Secondly, we prove that an oracle that can generate the public key factors the modulus $n$. Thus the public keys cannot be generated without knowing the factorization of $n$. The Paillier cryptosystem can use the public key $g = 1 + n$, which is generated only from the public modulus $n$. Thirdly, we propose a chosen ciphertext attack against the M-Paillier cryptosystem. Our attack can factor the modulus $n$ with only one query to the decryption oracle. This type of total breaking attack has not been reported for the original Paillier cryptosystem. Finally, we discuss the relationship between the M-Paillier cryptosystem and the Okamoto-Uchiyama scheme.
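The contrast between the two key choices can be checked numerically. The following is an added example, not code from the paper or from Choi et al.: it builds a $g$ satisfying the stated condition and compares it with Paillier's $g = 1 + n$. Assumptions made here: arithmetic is done modulo $n^2$, the construction $g = (1+n)^{\varphi(n)^{-1} \bmod n} \cdot r^n$ is one way to meet the condition, the decryption $m = L(c^{\varphi(n)} \bmod n^2)$ is derived from that condition, and the primes are constructed toy values.

```python
# Added illustration; toy parameters (constructed), far too small for real use.
import math
import secrets

def L(u, n):
    # Paillier's L function: L(u) = (u - 1) / n for u = 1 mod n
    return (u - 1) // n

def rand_unit(n):
    # Random r in [1, n) with gcd(r, n) = 1
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            return r

def paillier_g(n):
    # Original Paillier may use g = 1 + n: computable from the public n alone
    return 1 + n

def m_paillier_g(p, q):
    # Assumed construction: g = (1+n)^(phi^-1 mod n) * r^n mod n^2.
    # It needs phi(n) = (p-1)(q-1), i.e. the factorization of n.
    n, phi = p * q, (p - 1) * (q - 1)
    a = pow(phi, -1, n)  # requires gcd(phi, n) = 1
    return pow(1 + n, a, n * n) * pow(rand_unit(n), n, n * n) % (n * n)

def satisfies_condition(g, p, q):
    # The abstract's key condition: g^phi(n) = 1 + n mod n^2
    n = p * q
    return pow(g, (p - 1) * (q - 1), n * n) == 1 + n

def encrypt(m, g, n):
    # c = g^m * r^n mod n^2, the same shape for both key choices
    return pow(g, m, n * n) * pow(rand_unit(n), n, n * n) % (n * n)

def decrypt_m_paillier(c, p, q):
    # With g^phi = 1+n: c^phi = (1+n)^m = 1 + m*n mod n^2, so m = L(c^phi)
    n = p * q
    return L(pow(c, (p - 1) * (q - 1), n * n), n)

def decrypt_paillier(c, g, p, q):
    # Standard Paillier: m = L(c^lam) * L(g^lam)^-1 mod n
    n, lam = p * q, math.lcm(p - 1, q - 1)
    mu = pow(L(pow(g, lam, n * n), n), -1, n)
    return L(pow(c, lam, n * n), n) * mu % n

P, Q = 1009, 1013  # constructed toy primes
```

Paillier's $g = 1 + n$ fails the M-Paillier condition, since $(1+n)^{\varphi(n)} = 1 + \varphi(n)\,n \bmod n^2$, which is why the two key distributions differ.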

## Keywords

One-wayness, Factoring, Chosen ciphertext attack, Key distribution, Composite residuosity problem, Paillier cryptosystem

## References

- [BDPR98] M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway, “Relations among notions of security for public-key encryption schemes,” CRYPTO’98, LNCS 1462, pp. 26–45, 1998.
- [BFL91] J. Boyar, K. Friedl, and C. Lund, “Practical zero-knowledge proofs: Giving hints and using deficiencies,” Journal of Cryptology, 4(3), pp. 185–206, 1991.
- [CM99] J. Camenisch and M. Michels, “Proving that a number is the product of two safe primes,” Eurocrypt’99, LNCS 1592, pp. 107–122, 1999.
- [CGH01] D. Catalano, R. Gennaro, and N. Howgrave-Graham, “The bit security of Paillier’s encryption scheme and its applications,” Eurocrypt 2001, LNCS 2045, pp. 229–243, 2001.
- [CGHN01] D. Catalano, R. Gennaro, N. Howgrave-Graham, and P. Nguyen, “Paillier’s cryptosystem revisited,” to appear in the ACM conference on Computer and Communication Security, 2001. (available from http://www.di.ens.fr/~pnguyen/)
- [CCW01] D.-H. Choi, S. Choi, and D. Won, “Improvement of probabilistic public key cryptosystem using discrete logarithm,” The 4th International Conference on Information Security and Cryptology, ICISC 2001, LNCS 2288, pp. 72–80, 2002.
- [DJ01] I. Damgård and M. Jurik, “A generalization, a simplification and some applications of Paillier’s probabilistic public-key system,” PKC 2001, LNCS 1992, pp. 119–136, 2001.
- [FO99a] E. Fujisaki and T. Okamoto, “How to enhance the security of public-key encryption at minimum cost,” 1999 International Workshop on Practice and Theory in Public Key Cryptography, LNCS 1560, pp. 53–68, 1999.
- [FO99b] E. Fujisaki and T. Okamoto, “Secure integration of asymmetric and symmetric encryption schemes,” Advances in Cryptology-CRYPTO’99, LNCS 1666, pp. 537–554, 1999.
- [Gal01] S. Galbraith, “Elliptic curve Paillier schemes,” to appear in Journal of Cryptology, 2001. (available from http://www.isg.rhul.ac.uk/~sdg/)
- [GMMV02] D. Galindo, S. Martín, P. Morillo, and J. Villar, “An efficient semantically secure elliptic curve cryptosystem based on KMOV scheme,” Cryptology ePrint Archive, Report 2002/037, 2002. (available from http://eprint.iacr.org/)
- [GMR98] R. Gennaro, D. Micciancio, and T. Rabin, “An efficient non-interactive statistical zero-knowledge proof system for quasi-safe prime products,” ACM Conference on Computer and Communications Security, pp. 67–72, 1998.
- [OP01a] T. Okamoto and D. Pointcheval, “The Gap-Problems: a new class of problems for the security of cryptographic schemes,” 2001 International Workshop on Practice and Theory in Public Key Cryptography, LNCS 1992, pp. 104–118, 2001.
- [OP01b] T. Okamoto and D. Pointcheval, “REACT: Rapid Enhanced-security Asymmetric Cryptosystem Transform,” In Proceedings of the Cryptographers’ Track at RSA Conference’ 2001, LNCS 2020, pp. 159–175, 2001.
- [OU98] T. Okamoto and S. Uchiyama, “A new public-key cryptosystem as secure as factoring,” Eurocrypt’98, LNCS 1403, pp. 308–318, 1998.
- [Pai99] P. Paillier, “Public-key cryptosystems based on composite degree residuosity classes,” Eurocrypt’99, LNCS 1592, pp. 223–238, 1999.
- [PP99] P. Paillier and D. Pointcheval, “Efficient public key cryptosystems provably secure against active adversaries,” Asiacrypt’99, LNCS 1716, pp. 165–179, 1999.
- [Poi00] D. Pointcheval, “Chosen-ciphertext security for any one-way cryptosystem,” 2000 International Workshop on Practice and Theory in Public Key Cryptography, LNCS 1751, pp. 129–146, 2000.
- [Rab79] M. Rabin, “Digitalized signatures and public-key functions as intractable as factorization,” Technical Report No. 212, MIT, Laboratory of Computer Science, Cambridge, pp. 1–16, 1979.
- [ST02] K. Sakurai and T. Takagi, “New semantically secure public-key cryptosystems from the RSA-primitive,” PKC 2002, LNCS 2274, pp. 1–16, 2002.