## A Generalization of Paillier's Public-Key System with Applications to Electronic Voting (2003)

### Cached

### Download Links

Venue: | P Y A RYAN |

Citations: | 20 - 1 self |

### BibTeX

@ARTICLE{Damgård03ageneralization,

author = {Ivan Damgård and Mads Jurik and Jesper Buus Nielsen},

title = {A Generalization of Paillier's Public-Key System with Applications to Electronic Voting},

journal = {P Y A RYAN},

year = {2003},

pages = {3}

}

### Years of Citing Articles

### OpenURL

### Abstract

We propose a generalization of Paillier's probabilistic public key system, in which the expansion factor is reduced and which allows to adjust the block length of the scheme even after the public key has been fixed, without losing the homomorphic property. We show that the generalization is as secure as Paillier's original system and propose several ways to optimize implementations of both the generalized and the original scheme. We construct

### Citations

621 | Public-Key Cryptosystems Based on Composite Degree Residuosity Classes
- Paillier
- 1999
(Show Context)
Citation Context ...propriate physical assumptions. The scheme for 1 out of L elections can be optimized such that for a certain range of the other parameter values, the ballotsize is logarithmic in L. 1 Introduction In =-=[18]-=-, Paillier proposes a new probabilistic encryption scheme based on computations in the group Z # n 2 , where n is an RSA modulus. This scheme has some very attractive properties, in that it is homomor... |

220 | A Secure and Optimally Efficient Multi-Authority Election Scheme
- Cramer, Gennaro, et al.
- 1997
(Show Context)
Citation Context ...ons of this to electronic voting schemes. A large number of such schemes is known, but the most efficient one, at least in terms of the work needed from voters, is by Cramer, Gennaro and Schoenmakers =-=[8]-=-. This protocol provides in fact a general framework that allows usage of any probabilistic encryption scheme for encryption of votes, if the encryption scheme has a set of ”nice” properties, in parti... |

202 | Practical threshold signatures
- Shoup
- 2000
(Show Context)
Citation Context ...ers, such that any subset of at least w of them can do decryption e#ciently, while less than w have no useful information. Of course this must be done without degrading the security of the system. In =-=[19]-=-, Shoup proposes an e#cient threshold variant of RSA signatures. The main part of this is a protocol that allows a set of servers to collectively and e#ciently raise an input number to a secret expone... |

198 |
A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory
- Guillou, Quisquater
- 1988
(Show Context)
Citation Context ...vincing V that c(1 + n) -i mod n s+1 is an encryption of 0, or equivalently that it is an n s 'th power. So we now propose a protocol for this purpose which is a simple generalization of the one from =-=[15]-=-. We note that this and the following protocols are not zero-knowledge as they stand, only honest verifier zero-knowledge. However, first zero-knowledge protocols for the same problems can be construc... |

115 | D.: Non-Cryptographic Fault-Tolerant Computing in a Constant Number of Rounds of Interaction - Bar-Ilan, Beaver - 1989 |

114 | Multiparty computation from threshold homomorphic encryption
- Cramer, Damgaard, et al.
(Show Context)
Citation Context ...eme without a trusted dealer and using a general RSA modulus. The threshold version of our scheme can also be used for general secure multiparty computation as shown by Cramer, Damgard and Nielsen in =-=[4]-=-. 3 A Generalization of Paillier's Probabilistic Encryption Scheme The public-key crypto system we describe here uses computations modulo n s+1 where n is an RSA modulus and s is a natural number. It ... |

113 | Efficient receipt-free voting based on homomorphic encryption
- Hirt, Sako
- 2000
(Show Context)
Citation Context ... of challenges for the zeroknowledge proofs is at most k.sdominated by the term 10k log L. So already for moderate size elections we have gained a significant factor in complexity compared to [3]. In =-=[16]-=-, Hirt and Sako propose a general method for building receipt-free election schemes, i.e. protocols where vote-buying or -coercing is not possible because voters cannot prove to others how they voted.... |

67 | Efficient multiparty computations secure against an adaptive adversary
- Cramer, Damg˚ard, et al.
- 1999
(Show Context)
Citation Context ...ng block allows a prover to convince a verifier that three encryptions contain values a, b and c such that ab = c mod n s . For this, we propose a protocol inspired by a similar construction found in =-=[6]-=-. Protocol Multiplication-mod-n s Input: n, g, ea, eb, ec Private Input for P : a, b, c, ra, rb, rc such that ab = c mod n and ea = E(a, ra), eb = E(b, rb), ec = E(c, rc) 1. P chooses random values d ... |

55 | M.: Robust Efficient Distributed RSA-Key Generation - Frankel, MacKenzie, et al. - 1998 |

52 | M.: Practical Threshold RSA Signatures Without a Trusted Dealer
- Damg˚ard, Koprowski
- 2000
(Show Context)
Citation Context ...our scheme, we assume for simplicity a trusted dealer for setting up the keys initially, and we assume that the modulus used is a safe prime product, similar to what is done in Shoup's paper [19]. In =-=[10]-=-, Damgard and Koprowski propose techniques by which one can drop these restrictions from Shoup's scheme, at the expense of an extra intractability assumption. The same idea can be easily applied to ou... |

49 | Secure vickrey auctions without thresh-old trust - Lipmaa, Asokan, et al. - 2002 |

42 | A Generalisation, a Simplification and some - Damg˚ard, Jurik |

39 | A generalisation, a simplification and some applications of paillier’s probabilistic public-key system - Damga˚ard, Jurik - 2001 |

16 | On the Security of Modular Exponentiation with Application to the Construction of Pseudorandom Generators
- Goldreich, Rosen
(Show Context)
Citation Context ...(p-1)(q-1)/2). However, since (p-1)(q-1)/2 is the secret key, this would allow only the owner of the secret key to encrypt, which would of course be useless. We can remedy this by using a result from =-=[13]-=-. Let (n, h) be generated as above. Let a be a uniformly random integer from [0, (p - 1)(q - 1)/2) and let a # be a uniformly random element from [0, 2 #k/2# ). Then by [13, Theorem 3.2] the random va... |

15 |
A secure and optimally e#cient multi-authority election scheme
- Cramer, Gennaro, et al.
- 1997
(Show Context)
Citation Context ...tions of this to electronic voting schemes. A large number of such schemes is known, but the most e#cient one, at least in terms of the work needed from voters, is by Cramer, Gennaro and Schoenmakers =-=[8]. This pro-=-tocol provides in fact a general framework that allows usage of any probabilistic encryption scheme for encryption of votes, if the encryption scheme has a set of "nice" properties, in parti... |

12 | Robust ecient distributed RSA-key generation - Frankel, MacKenzie, et al. - 1998 |

11 |
A Simple Secure Unpredictable Pseudo-Random Number Generator
- Blum, Blum, et al.
- 1984
(Show Context)
Citation Context ...om r # Z # n . Note that if we reduce a ciphertext modulo n, we obtain: c mod n = (1 + n) x r n s mod n = r n s mod n The Jacobi symbol modulo n is easy to compute, even without the factors (see e.g. =-=[2]-=-), and since n s is odd and the Jacobi symbol is multiplicative, we see that from c = # s (i, r), we can compute the Jacobi symbol of r e#ciently. Further, by multiplying c by a number of form # s (0,... |

11 |
E cient multiparty computations secure against an adaptive adversary
- Cramer, Damgaard, et al.
- 1999
(Show Context)
Citation Context ...ng block allows a prover to convince a verifier that three encryptions contain values a, b and c such that ab = c mod n s . For this, we propose a protocol inspired by a similar construction found in =-=[6]-=-. Protocol Multiplication-mod-n s Input: n, g, e a , e b , e c Private Input for P : a, b, c, r a , r b , r c such that ab = c mod n and e a = E(a, r a ), e b = E(b, r b ), e c = E(c, r c ) 1. P choos... |

11 | The bit security of Paillier’s encryption scheme and its applications
- Catalano, Gennaro, et al.
- 2001
(Show Context)
Citation Context ... t is not one-way either. If we want to claim that a cryptosystem "hides" the plaintext in any reasonable sense, the one-way assumption is essentially the weakest possible assumption one can=-= make. In [7]-=-, Catalano, Gennaro and Howgrave-Graham show that this assumption for CS 1 implies that one can make a semantically secure system hiding a logarithmic number of bits per ciphertext in the original sys... |

10 |
K.Sako: E#cient Receipt-Free Voting based on Homomorphic Encryption
- Hirt
(Show Context)
Citation Context ... of challenges for the zeroknowledge proofs is at most k. dominated by the term 10k log L. So already for moderate size elections we have gained a significant factor in complexity compared to [3]. In =-=[16]-=-, Hirt and Sako propose a general method for building receipt-free election schemes, i.e. protocols where vote-buying or-coercing is not possible because voters cannot prove to others how they voted. ... |

9 |
Sharing Decryption in the Context of Voting or
- Fouque, Poupard, et al.
- 2000
(Show Context)
Citation Context ...tion operation, even when L > 2. Some of the results in this paper were presented in preliminary form in [9]. 2 Related Work In work independent from, but earlier than ours, Fouque, Poupard and Stern =-=[12]-=- proposed the first threshold version of Paillier's original scheme. Like our threshold scheme, [12] uses an adaptation of Shoup's threshold RSA scheme [19], but beyond this the techniques are somewha... |

3 |
Extracting Witnesses From Proofs of Knowledge
- Groth
- 2001
(Show Context)
Citation Context ...Paillier's encryption scheme. Since the voting schemes in this paper play the role of example applications of our crypto system and auxiliary protocols we do not give a formal proof here. However, in =-=[14]-=-, Groth presents a full proof of security for our voting scheme according to the definition of Canetti. There are several ways to generalize this to L > 2. Probably the simplest way is to hold L paral... |

2 |
and Schoenmakers: Proofs of partial knowledge
- Cramer
(Show Context)
Citation Context ..., which means that we cannot obtain zero-knowledge, we can, however, obtain security in the random oracle model. As for soundness, we prove that the protocols satisfy so called special soundness (see =-=[5]-=-), which in particular implies that they satisfy standard knowledge soundness. Protocol for n s 'th powers Input: n, u Private Input for P : v # Z # n , such that u = E(0, v). 1. P chooses r at random... |