## A generalisation, a simplification and some applications of Paillier's probabilistic public-key system (2001)

### Cached

### Download Links

- [www.mathmagic.cn]
- [www.brics.dk]
- [www.brics.dk]
- [www.daimi.au.dk]
- CiteULike

### Other Repositories/Bibliography

Venue: | LNCS |

Citations: | 150 - 2 self |

### BibTeX

@INPROCEEDINGS{Damgård01ageneralisation,,

author = {Ivan Damgård and Mads Jurik},

title = {A generalisation, a simplification and some applications of Paillier's probabilistic public-key system},

booktitle = {LNCS},

year = {2001},

pages = {119--136},

publisher = {Springer-Verlag}

}

### Years of Citing Articles

### OpenURL

### Abstract

We propose a generalisation of Paillier’s probabilistic public key system, in which the expansion factor is reduced and which allows to adjust the block length of the scheme even after the public key has been fixed, without loosing the homomorphic property.We show that the generalisation is as secure as Paillier’s original system. We construct a threshold variant of the generalised scheme as well as zero-knowledge protocols to show that a given ciphertext encrypts one of a set of given plaintexts, and protocols to verify multiplicative relations on plaintexts. We then show how these building blocks can be used for applying the scheme to efficient electronic voting. This reduces dramatically the work needed to compute the final result of an election, compared to the previously best known schemes. We show how the basic scheme for a yes/no vote can be easily adapted to casting a vote for up to t out of L candidates.The same basic building blocks can also be adapted to provide receipt-free elections, under appropriate physical assumptions. The scheme for 1 out of L elections can be optimised such that for a certain range of parameter values, a ballot has size only O(log L) bits.

### Citations

200 |
A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing both Transmission and Memory
- Guillou, Quisquater
- 1988
(Show Context)
Citation Context ...vealed. It is easy to see that that this is equivalent to convincing V that cg -i mod n s+1 is an n s 'th power. So we now propose a protocol for this which is a simple generalisation of the one from =-=[7]-=-. We note that this and the following protocols are not zero-knowledge as they stand, only honest verifier zero-knowledge. However, first zero-knowledge protocols for the same problems can be construc... |

115 | D.: Non-Cryptographic Fault-Tolerant Computing in a Constant Number of Rounds of Interaction - Bar-Ilan, Beaver - 1989 |

114 | Efficient receipt-free voting based on homomorphic encryption. 19th international conference on Theory and application of cryptographic techniques - Hirt, Sako - 2000 |

67 | Efficient multiparty computations secure against an adaptive adversary - Cramer, Damg˚ard, et al. - 1999 |

15 |
A secure and optimally e#cient multi-authority election scheme
- Cramer, Gennaro, et al.
- 1997
(Show Context)
Citation Context ...tions of this to electronic voting schemes. A large number of such schemes is known, but the most e#cient one, at least in terms of the work needed from voters, is by Cramer, Gennaro and Schoenmakers =-=[4]. This pro-=-tocol provides in fact a general framework that allows usage of any probabilistic encryption scheme for encryption of votes, if the encryption scheme has a set of "nice" properties, in parti... |

12 |
Robust ecient distributed RSA-key generation
- Frankel, MacKenzie, et al.
- 1998
(Show Context)
Citation Context ...get some x as result, and then computes the product d = x# (over the integers). This does not require generic multi-party computation techniques, but can be done quite e#ciently using techniques from =-=[5]-=-. Note that, while this does require communication between servers, it is not needed for every decryption, but only once for every value of s that is used. We can now show in the random oracle model t... |

10 |
K.Sako: E#cient Receipt-Free Voting based on Homomorphic Encryption
- Hirt
(Show Context)
Citation Context ...t the concrete constants involved, one finds that our complexity is dominated by the term 11k log L. So for large scale elections we have gained a significant factor in complexity compared to [1]. In =-=[8]-=-, Hirt and Sako propose a general method for building receipt-free election schemes, i.e. protocols where vote-buying or-coercing is not possible because voters cannot prove to others how they voted. ... |

9 |
Sharing Decryption in the Context of Voting or
- Fouque, Poupard, et al.
- 2000
(Show Context)
Citation Context ...uish between the L candidates. Furthermore this scheme requires only 1 decryption operation, even when L > 2. 2 Related Work In work independent from, but earlier than ours, Fouque, Poupard and Stern =-=[6]-=- proposed the first threshold version of Paillier's original scheme. Like our threshold scheme, [6] uses an adaptation of Shoup's threshold RSA scheme [10], but beyond this the techniques are somewhat... |

5 | B.Schoenmakers: A Secure and Optimally Efficient Multi-Authority Election Scheme - Cramer |

4 | and Moti Yung Robust Efficient Distributed RSA-Key Generation - Frankel, MacKenzie |

2 |
and Stern: Practical MultiCandidate Election Scheme, manuscript
- Baudron, Pointcheval
- 2000
(Show Context)
Citation Context ...is correctly formed, something that is of course necessary for a secure election in practice. In work done concurrently with and independent from ours, Baudron, Fouque, Pointcheval, Poupard and Stern =-=[1]-=- propose a voting scheme somewhat similar to ours. Their work can be seen as being complementary to ours in the sense that their proposal is more oriented towards the system architectural aspects of a... |

2 |
and Schoenmakers: Proofs of partial knowledge
- Cramer
(Show Context)
Citation Context ..., which means that we cannot obtain zero-knowledge, we can, however, obtain security in the random oracle model. As for soundness, we prove that the protocols satisfy so called special soundness (see =-=[2]-=-), which in particular implies that they satisfy standard knowledge soundness. Protocol for n s 'th powers Input: n, u Private Input for P : v, such that u = v n s mod n s+1 1. P chooses r at random m... |

1 |
M.Hirt and T.Rabin: E#cient Multiparty Computations Secure against an Adaptive Adversary
- Cramer, Damgard
(Show Context)
Citation Context ...ng block allows a prover to convince a verifier that three encryptions contain values a, b and c such that ab = c mod n s . For this, we propose a protocol inspired by a similar construction found in =-=[3]-=-. Protocol Multiplication-mod-n s Input: n, g, e a , e b , e c Private Input for P : a, b, c, r a , r b , r c such that ab = c mod n and e a = E(a, r a ), e b = E(b, r b ), e c = E(c, r c ) 1. P choos... |