In this paper, we study the problem of single database private information retrieval, and present schemes with only logarithmic server-side communication complexity. Previously the best result could only achieve polylogarithmic communication, and was based on certain less well-studied assumptions in number theory [CMS99]. On the contrary, our construction is based on Paillier's cryptosystem [P99], which along with its variants have drawn extensive studies in recent cryptographic researches [PP99, G00, CGGN01, DJ01, CGG02, CNS02, ST02, GMMV03, KT03], and have many important applications (e.g., the Cramer-Shoup CCA2 encryption scheme in the standard model [CS02]).

At ACM CCS '01, Catalano et al. proposed a mix of the RSA cryptosystem with the Paillier cryptosystem from Eurocrypt '99.

In this paper, we study some RSA-based semantically secure encryption schemes (IND-CPA) in the standard model. We first derive the exactly tight one-wayness of Rabin-Paillier encryption scheme which assumes that factoring Blum integers is hard. We next propose the first IND-CPA scheme whose one-wayness is equivalent to factoring general n = pq (not factoring Blum integers). Our reductions of one-wayness are very tight because they require only one decryption-oracle query.

Abstract. We propose a practical scheme based on factoring and semantically secure (IND-CPA) in the standard model. The scheme is obtained from a modification of the so called RSA-Paillier [5] scheme. This modification is reminiscent of the ones applied by Rabin [22] and Williams [25] to the well-known RSA cryptosystem. Thanks to the special properties of such schemes, we obtain efficiency similar to that of RSA cryptosystem, provably secure encryption (since recovering plaintext from ciphertext is as hard as factoring) and indistinguishability against plaintext attacks. We also construct a new trapdoor permutation based on factoring, which has interest on its own. Semantic security of the scheme is based on an appropiate decisional assumption, named as Decisional Small 2e-Residues assumption. The robustness of this assumption is also discussed. Compared to Okamoto-Uchiyama’s scheme [18], the previous IND-CPA cryptosystem in the standard model with one-wayness based on factoring, our scheme is drastically more efficient in encryption, and presents higher bandwith, achieving the same expansion factor as Paillier or El Gamal schemes. We believe the new scheme could be an interesting starting point to develop efficient IND-CCA schemes in the standard model with one-wayness based on factoring.

RSA type public key cryptosystems based on the Pell's equation are proposed in the honor of an Indian mathematician Brahmgupta who studied Pell's equation long before European mathematicians came to know about it. Three RSA type schemes are proposed, first two are not semantically secure where as the other two schemes are semantically secure. The decryption speed of the proposed schemes is about two times as fast as RSA for a 2 log n-bit message. It is shown that the proposed schemes are more secure than the RSA scheme when purely common plaintexts are encrypted in the broadcast application and are as secure as the RSA scheme against ciphertext attack. In addition the proposed schemes are also secure against partially known plaintext attack. First two are not semantically secure but the third one is semantically secure.

Schmidt and Takagi proposed a variant of the Paillier encryption scheme which employs modulus n = p2q [16]. Their scheme has a good property that the one-wayness is under the factoring assumption, and has an additively homomorphic property. Their scheme can be applied to trapdoor commitment and on-line/off-line signature. In this paper, we propose a new variant of the Schmidt-Takagi encryption scheme described as Et(r, m) = rns(1 + mnt) mod ns+1, where n, s, t are the public key, m a message, and r a random number. Our scheme has the one-wayness under the chosen plaintext attack based on the factoring problem, and the indistinguishability under the chosen plaintext attack based on the desicional composite residuosity problem. Our scheme implies the Schmidt-Takagi encryption scheme when s = t = 1. Compared with the Damg˚ard-Jurik encryption scheme, although the modulus of our schemes employs n = p 2 q (their scheme employs n = pq), the encryption and decryption speed of our scheme is faster than that of their scheme. Furthermore, we get that Et is additively homomorphic in m if t ≥ ⌈(s + 1)/2⌉. In addition, by adding a parameter t we have some properties closely related to homomorphic, which can be applied to cryptographic applications [9]. Keywords: Paillier encryption scheme, additively homomorphic, provable security.