Saltar a la navegación Saltar al contenido principal Ir al pie de página

The Paillier Cryptosystem with Applications to Threshold ECDSA

You may have heard of RSA (b. 1977), but have you heard of its cousin, Paillier (b. 1999)? In this post, we provide a close look at the Paillier homomorphic encryption scheme [Paillier1999], what it offers, how it’s used in complex protocols, and how to implement it securely.

Contents

RSA Encryption Refresher and Notation

We’ll start with a review of RSA encryption and two related functions: Euler’s phi function \phi(x) and Carmichael’s lambda function \lambda(x).

RSA works in a group \mathbb{Z}^\star_{n} where n = p\cdot q is a product of two distinct primes (also called a biprime or an RSA prime). Both plaintexts and ciphertexts are in this group.

For any integer x \geq 1, \mathbb{Z}^\star_{x} is the set of integers less than and co-prime to x and it always forms a multiplicative group called the group of units modulo \mathbf{x}. An integer less than and co-prime to x is called a totative of x.

The primes p and q should be chosen independently and randomly. RSA moduli don’t need to be generated with safe primes or strong primes; two random primes are fine. (In 1999, Rivest and Silverman published an article titled “Are ‘Strong Primes’ Needed for RSA?” (PDF) in which they argued that it is unnecessary to use strong primes.)

The number of elements in \mathbb{Z}^\star_{n} is, by definition, \phi(n).

For any integer x \geq 1, \phi(x) is Euler’s phi (or totient) function, defined as the number of totatives of x (i.e., positive integers less than or equal to x that are co-prime to it). Euler’s phi function is a multiplicative function: if x_1 and x_2 are co-prime, then \phi(x_1 \cdot x_2) = \phi(x_1) \cdot \phi(x_2).

In the RSA setting, n = p\cdot q is a product of two distinct primes, so the size of \mathbb{Z}^\star_{n} is \phi(n) = \phi(p) \cdot \phi(q) = (p-1)(q-1).

The RSA cryptosystem uses a public encryption exponent e and a private decryption exponent d. Encrypting a message m \in \mathbb{Z}^\star_{n} is done by computing m^e \mod n, and decrypting a ciphertext c \in \mathbb{Z}^\star_{n} is done by computing c^d \mod n. For these operations to be correct, they must be inverses of each other: it’s required that m^{ed} \equiv m \mod n for all m \in \mathbb{Z}^\star_{n}. In other words, e and d must satisfy e\cdot d \equiv 1 \mod \text{order}_{n}(m) for every possible message m \in \mathbb{Z}^\star_{n}.

The order \text{order}_{x}(a) of an integer a modulo x is the smallest positive integer k such that a^k \equiv 1 \mod x (or undefined if no such k exists, but this case won’t arise in this blog post).

For RSA decryption and encryption to be correct for all possible messages m \in \mathbb{Z}^\star_{n}, it is necessary and sufficient for the product e\cdot d to be congruent to 1 modulo \lambda(n).

For any integer x \geq 1, \lambda(x) is Carmichael’s lambda (or least universal exponent) function, defined as the smallest positive integer k such that a^k \equiv 1 \mod x for all totatives a \in \mathbb{Z}^\star_{x}. It is the least common multiple of the orders of all elements in \mathbb{Z}^\star_{x}, so it is always less than or equal to the order of the group, \phi(x). If (and only if) \lambda(x) = \phi(x), then the group \mathbb{Z}^\star_{x} has a generator. (See the first definition of the Carmichael function at Wolfram MathWorld.)

Unlike Euler’s phi function, Carmichael’s lambda function is not quite a multiplicative function, but it satisfies a similar property: if x_1 and x_2 are co-prime, then \lambda(x_1 \cdot x_2) = LCM(\lambda(x_1), \lambda(x_2)), where LCM() is the least common multiple function. It turns out that if x is a power of an odd prime, say x=p^a, then \lambda(x) = \phi(x). (The value of \lambda(p^a) for p = 2 is slightly different: it is either \phi(p^a) for a \leq 2, or \frac{1}{2} \phi(p^a) for a \geq 3, but this fact won’t be used in this post.)

Just as \phi(x) can be efficiently computed when x’s factorization into prime powers is known, \lambda(x) can also be efficiently computed based on x’s factorization into prime powers.

You may have learned RSA encryption with the requirement that e\cdot d \equiv 1 modulo \phi(n) instead of modulo \lambda(n) — this is how I learned it too. Although this condition with Euler’s phi function is sufficient for correctness (since \lambda(n) always divides \phi(n)), it is not necessary (since \lambda(n) is always at most \phi(n)).

In this post, only two values of the Carmichael lambda function will arise: \lambda(n) and \lambda(n^2), for n = p\cdot q with odd primes p and q. Their values are \lambda(n) = LCM(p-1, q-1) and \lambda(n^2) = LCM(\lambda(p^2), \lambda(q^2)) = LCM(p(p-1), q(q-1)) = n\cdot \lambda(n).

The Computational Composite Residuosity Class Problem

RSA encryption is effective at hiding data because it’s believed to be hard to find eth roots modulo a product of two primes, n = p\cdot q. This is (rather redundantly) called the RSA problem.

Let n = p\cdot q be a biprime and let e be an integer greater than 2 in \mathbb{Z}^\star_{\phi(n)}. The RSA problem is to solve the equation y \equiv x^e \mod n for x given a random y \in \mathbb{Z}^\star_{n}.

For Paillier encryption, we again consider some integer n = p\cdot q that is a product of two primes, with the additional requirement that GCD(n, \phi(n)) = 1. An easy way to guarantee this requirement is satisfied is to choose p and q to have the same bitlength (i.e., to have their most significant bit in the same position). Instead of working with ciphertexts that are integers modulo n as in RSA, Paillier ciphertexts are integers modulo n^2. Specifically, Paillier ciphertexts are in \mathbb{Z}^\star_{n^2}, the group of units modulo n^2, which has order \phi(n^2) = n \cdot \phi(n) for a biprime n.

There are multiple ways to think of the set of integers in this group. Here’s a non-obvious one: for an appropriate choice of base g (having a particular property, as we will explain soon), each integer w in \mathbb{Z}^\star_{n^2} corresponds to a pair of integers (x,y), where x is in \mathbb{Z}_{n}, y is in the group of units \mathbb{Z}^\star_{n}, and w = g^x \cdot y^n \mod n^2.

While it’s easy to compute w given a pair (x,y) for a fixed base g modulo n, it’s believed to be hard to compute the unique, corresponding pair (x,y) for a particular w without some additional information.

Not every possible value of g \in \mathbb{Z}^\star_{n^2} is an appropriate base; g must be chosen so that for every w in \mathbb{Z}^\star_{n^2}, there is exactly one pair (x,y) in (\mathbb{Z}_{n}, \mathbb{Z}^\star_{n}) such that w = g^x \cdot y^n \mod n^2. It turns out (see Lemma 3 of [Paillier1999]) that we get this property exactly when g is an element of \mathbb{Z}^\star_{n^2} whose order is a (non-zero) multiple of n. Since the order of any element in \mathbb{Z}^\star_{n^2} is at most \lambda(n^2) = n\cdot \lambda(n), bases are those elements with orders in { n, 2n, 3n, \ldots, \lambda(n)\cdot n }. (There isn’t necessarily a base with each of these orders; the order of any element in \mathbb{Z}^\star_{n^2} must divide \lambda(n^2) = p\cdot q\cdot LCM(p-1,q-1).)

In other words, g \in \mathbb{Z}^\star_{n^2} is an appropriate base when there’s a (non-zero) multiple m of n such that g^{m\cdot n} \equiv 1 \mod n^2, but g^{i} \not\equiv 1 \mod n^2 for any positive integer i < mn.

For some biprime n=p\cdot q, g \in \mathbb{Z}^\star_{n^2} is called a base if its order modulo n^2 is a non-zero multiple of n.

With such a base, the correspondence between a w \in \mathbb{Z}^\star_{n^2} and some (x,y) \in (\mathbb{Z}_{n}, \mathbb{Z}^\star_{n}) is a proper bijection. Although this post won’t prove that the mapping yields a bijection, you can do a quick, reassuring check that both groups have the same size, n\cdot \phi(n). (For the full proof, see Lemma 3 of [Paillier1999]). The first element of the pair, x, is called the \mathbf{n}th residuosity class of \mathbf{w} with respect to g and Paillier is effective at hiding data because computing it is believed to be a hard problem.

Let n=p\cdot q be a biprime and let g \in \mathbb{Z}^\star_{n^2} be a base. Given n, g, and a random value w \in \mathbb{Z}^\star_{n^2}, the composite residuosity class problem is to compute the unique x \in \mathbb{Z}_{n} such that w = g^x \cdot y^n \mod n^2 for some y \in \mathbb{Z}^\star_{n}.

There are many potential bases g \in \mathbb{Z}^\star_{n^2} having orders modulo n^2 that are non-zero multiple of n. However, there’s no need to run a complex algorithm to identify one due to a nice property of the set of potential bases: the hardness of computing the residuosity class of a random w modulo n^2 relative to some base g doesn’t actually depend on the choice of g! (For the proof, see Lemma 7 of [Paillier1999].) A common choice of base is g = 1+n, which has order n, because it allows optimizations during encryption and decryption.

The Paillier Cryptosystem

The Paillier cryptosystem is built so that decrypting a ciphertext corresponds to solving the computational composite residuosity class problem. First, we’ll go over the mechanics of key generation, encryption, and decryption, and then we’ll dive in to how decryption works and explain the trick that allows doing it efficiently.

Key generation. Pick two primes p and q of the same bitlength independently at random. Let n=p\cdot q be their product. Choose a base g \in \mathbb{Z}^\star_{n^2} whose order is a non-zero multiple of n, e.g., g=1+n. Compute the Carmichael lambda function of n: \lambda(n)=LCM(p-1,q-1). The public key is (n, g) and the private key is \lambda(n).

Encryption of a message \mathbf{m} \in {\mathbb{Z}}_{n}. Pick a random integer y \in \mathbb{Z}^\star_{n} and compute the ciphertext c = g^m \cdot y^n \bmod n^2.

Decryption of a ciphertext \mathbf{c} \in \mathbb{Z}^\star_{n^2}. Compute the two values c_{dividend} = ((c^{\lambda(n)} \mod n^2) - 1)/n and c_{divisor} = ((g^{\lambda(n)} \mod n^2) - 1)/n. Then, compute the resulting message m = c_{dividend} / c_{divisor} \mod n.

One of the brilliant properties of Paillier’s scheme is that knowing the factorization of n allows efficiently computing composite residuosity classes: calculating \lambda(n) gives a trapdoor for computing the necessary discrete logarithm.

Recall that, for a base g, any c \in \mathbb{Z}^\star_{n^2} can be written as g^x \cdot y^n for a unique pair of x \in \mathbb{Z}_n and y \in \mathbb{Z}^\star_{n} — these x and y values just aren’t known yet. Decryption has three implicit sub-steps: cancelling out the random value y, bringing the plaintext x down from the exponent, and isolating x from values that depend on the base g.

  1. Cancelling out the random value y is straightforward when n is a biprime.
    Since the least universal exponent modulo n^2 is \lambda(n^2) = n\cdot \lambda(n), raising c \in \mathbb{Z}^\star_{n^2} to the power of \lambda(n) modulo n^2 yields g^{x \cdot \lambda(n)} \mod n^2 for some not-yet-known x \mod n, because (y^n)^{\lambda(n)} \equiv 1 \mod n^2.
  2. Next, we observe that the exponentiation in step 1 was enough to bring x down from the exponent.
    Raising any element to the power of \lambda(n) modulo n^2 yields something called an \mathbf{n}th root of unity modulo \mathbf{n^2}. This is an element that, when raised to the power of n, yields 1 — in other words, its order must be either 1, p, q, or n. This follows from the definition of the least universal exponent, \lambda(n^2) = n\cdot \lambda(n). These nth roots of unity modulo n^2 all have a particular form: they can be written as 1 + k\cdot n for some k \in \mathbb{Z}_n. To partially convince yourself this is true, observe that applying binomial expansion to (1 + k\cdot n)^n modulo n^2 gives 1. (See Section 2 in [Paillier1999].) So, g^{\lambda(n)} \mod n^2 is an nth root of unity and can be written as 1 + k\cdot n for some k \in \mathbb{Z}_n. The result of step 1 (g^{x \cdot \lambda(n)} \mod n^2) can therefore be written as (1 + k\cdot n)^x \mod n^2 for some k \in \mathbb{Z}_n. By applying binomial expansion once more, we see that it can be written as 1 + k\cdot x\cdot n \mod n^2. By subtracting 1 and dividing by n (over the integers), we get the value of the dividend in the description of decryption above: c_{dividend} = ((c^{\lambda(n)} \mod n^2) - 1)/n = k\cdot x.
  3. Finally, we need to isolate x by dividing by k (modulo n).
    The value of k depends only on the base g: g^{\lambda(n)} \equiv 1 + k\cdot n \mod n^2, so k = ((g^{\lambda(n)} \mod n^2) - 1)/n. This is the value of c_{divisor} in the description of decryption. The last step of decryption is to compute x = c_{dividend} / c_{divisor} \mod n.

Security and Homomorphic Properties

Paillier encryption effectively hides data (the messages m \in \mathbb{Z}_{n}) assuming that computing the nth residuosity classes of ciphertexts is hard. More strongly, and more formally, Paillier ciphertexts are indistinguishable under chosen plaintext attacks (IND-CPA) assuming that deciding whether the nth residuosity class of a ciphertext equals some given value is hard. (See Theorem 15 in [Paillier1999].)

However, Paillier ciphertexts cannot be indistinguishable under chosen ciphertext attacks (IND-CCA) because of the scheme’s homomorphic properties. In general, a homomorphic encryption scheme is one that allows certain operations to be performed on ciphertexts such that the resulting ciphertexts contain the encrypted result. Paillier encryption is additively homomorphic:

\text{Encrypt}_{(n,g)}(m_1) \cdot \text{Encrypt}_{(n,g)}(m_2) \equiv \text{Encrypt}_{(n,g)}(m_1 + m_2 \mod n) \mod n^2

and

(\text{Encrypt}_{(n,g)}(m))^c \equiv \text{Encrypt}_{(n,g)}(m \cdot c \mod n) \mod n^2.

The first equation above says that multiplication of ciphertexts modulo n^2 corresponds to addition of plaintexts modulo n. The second equation says that exponentiation of a ciphertext to a constant modulo n^2 corresponds to multiplication of a plaintext by a constant modulo n.

In the context of IND-CCA security, these properties would allow an attacker with access to a decryption oracle (that works on any ciphertext besides the target ciphertext) to decrypt a target ciphertext by transforming it homomorphically before querying the oracle, and undoing the transformation after. In that sense, Paillier is no different than any other homomorphic encryption scheme: no homomorphic encryption scheme can offer IND-CCA security.

Applications and Protocols using Paillier Encryption

In the 20+ years since Pascal Paillier devised this encryption scheme, it has been used in a variety of cryptographic protocols and applications. One recent popular application is multi-party ECDSA signing protocols.

ECDSA produces signatures in a group \mathbb{G} of elliptic curve points over a field of order p with generator G of order q. (We write p and q here to distinguish these primes from the factors of an RSA or Paillier modulus — they are completely different.) ECDSA private keys are elements x \in \mathbb{Z}_{q (scalars) and public keys are the corresponding elliptic curve points, xG. The signature on a message whose hash is h \in \mathbb{Z}_{q is computed as

(r, s) = (r_x \mod q

where (r_x, r_y) = kG for a fresh, uniformly random k \in \mathbb{Z}_{q.

In multi-party ECDSA signing protocols, two or more parties have shares of a private key and jointly generate signatures. These schemes typically provide security and correctness even when some small number of protocol participants misbehave. To achieve this, the use of Paillier encryption is often augmented with zero-knowledge proofs: for example, protocol participants can prove that their Paillier public keys were correctly generated, that ciphertexts encrypt values within given ranges, or that ciphertexts encrypt values corresponding to the discrete logarithm of some known public value.

Combining Paillier encryption — which works in groups modulo n or n^2, where n is usually at least 2048 bits long — and ECDSA — which works in groups whose sizes are usually 256 bits — is not trivial. To illustrate this, we’ll examine three recent multi-party ECDSA protocols.

Lindell’s Two-Party ECDSA Protocol (2017)

Lindell’s two-party ECDSA signing protocol [Lindell2017] uses Paillier encryption to compute the s component of the signature homomorphically. During key generation, the first party sends a Paillier encryption of their share x_1 of the ECDSA private key to the second party, along with zero-knowledge proofs that (i) their Paillier modulus satisfies GCD(n, \phi(n)) = 1, and (ii) the ciphertext is indeed an encryption of the discrete log of x_1 G. Then, when generating a signature, the second party can craft most of the s component of the signature by operating homomorphically on the encryption of x_1 and combining it with a ciphertext that it crafts. The second party sends back the Paillier ciphertext to the first party, who decrypts it and performs a final operation with their share of the nonce.

Since the second party crafted the ciphertext homomorphically, it cannot reduce the encrypted value modulo q before sending it back to the first party, which may allow some information to leak. To prevent this, the second party must add a random multiple of q when it is forming the ciphertext.

The proof that GCD(n, \phi(n)) = 1 is described in a paper by Hazay, Mikkelsen, Rabin, Toft, and Nicolosi (eprint 2011/494, Section 3.3). Interestingly, proving that the Paillier modulus satisfies GCD(n, \phi(n)) = 1 — which guarantees nothing about how many prime factors it has — is sufficient for the security of this particular ECDSA protocol: using the base g=1+n, there is still the same isomorphism between \mathbb{Z}^\star_{n^2} and \mathbb{Z}_n \times \mathbb{Z}^\star_n. The Paillier modulus must be at least {q, where q is the size of the ECDSA group.

The Gennaro–Goldfeder Multi-Party Threshold ECDSA Protocol (2018–2021)

In Gennaro and Goldfeder’s threshold ECDSA protocol [GenGol2019], each party has their own Paillier key pair. Each Paillier modulus is accompanied by a zero-knowledge proof that it is square-free and that for any two prime factors p and q of the modulus, p does not divide q - 1. This proof was devised by Gennaro, Micciancio, and Rabin (CCS 1998, PDF, Section 3.1). The protocol also requires that each Paillier modulus is greater than {q, where q is the size of the ECDSA group.

Each participant has an additive share of the private ECDSA key x. When the signing protocol is run, each party also randomly generates an additive share of the nonce inverse k^{-1} and an additive share of the nonce “mask” \gamma used to hide the value of k (which, if leaked, would allow recovering the ECDSA private key). As part of jointly computing the signature, parties must compute additive shares of the products k^{-1}\cdot \gamma and k^{-1}\cdot x. Paillier encryption is used in a sub-protocol for multiplicative-to-additive share conversion during the computation of additive shares of these two products.

Suppose there are t parties whose goal is to jointly compute the product a\cdot b, and each party i has additive shares a_i and b_i of a and b. The product can be written as

(\sum_{i=1}^{t} a_i) (\sum_{i=1}^{t} b_i) = \sum_{i=1}^{t} a_i\cdot b_i + \sum_{i,j : i \neq j} a_i\cdot b_j.

The share conversion protocol transforms multiplicative shares of values (the cross-terms a_i\cdot b_j) held by parties i and j to equivalent additive shares (\alpha_{i,j} and \beta_{i,j}) satisfying a_i \cdot b_j \equiv \alpha_{i,j} + \beta_{i,j} \mod q. It works as follows. First, party i sends party j a Paillier encryption of their multiplicative share a_i (along with a zero-knowledge proof that the encrypted value is in the correct range respective to q). Party j operates homomorphically on the ciphertext it received to compute an encryption of a_i \cdot b_j + \beta for a random \beta (and provides a zero-knowledge proof that the ciphertext was formed with values from the correct ranges). Party i then computes their additive share \alpha_{i,j} by decrypting this ciphertext and reducing it modulo q. Party j’s additive share is \beta_{i,j} = - \beta.

Note that \beta is sampled uniformly at random from \mathbb{Z}_{q, not \mathbb{Z}_{q (where q is the ECDSA group size) or \mathbb{Z}_{n} (where n is the Paillier modulus). This modulus was chosen so that the range of possible values is big enough that the distribution of a_i \cdot b_j - \beta does not leak information about b_j \in \mathbb{Z}_{q, but small enough that no reduction modulo the Paillier modulus n occurs when homomorphically computing the ciphertext of a_i \cdot b_j - \beta.

Finally, after repeating this sub-protocol for all cross-terms in the product of a\cdot b, each party i can compute their additive share of the product as a_i\cdot b_i + \sum_{j : j \neq i} \alpha_{i,j} + \beta_{j,i}. This is how additive shares of the products k^{-1}\cdot \gamma and k^{-1}\cdot x are computed.

The Canetti–Gennaro–Goldfeder–Makriyannis–Peled Threshold ECDSA Protocol (2020–2021)

In Canetti, Gennaro, Goldfeder, Makriyannis, and Peled’s threshold ECDSA scheme [CanGenGolMakPel2021], each party has their own Paillier key pair that is accompanied by a proof that the modulus is a Paillier-Blum modulus (that it is a product of two primes congruent to 3 modulo 4 and that it satisfies GCD(n, \phi(n)) = 1) and that it has no small factors.

Paillier encryption has several uses in this scheme.

  • First, it is used in a multiplicative-to-additive share conversion protocol like the ones in Gennaro and Goldfeder’s 2018 protocol, described earlier, to compute additive shares of k^{-1}\cdot \gamma and k^{-1}\cdot x during signing. The zero-knowledge proof accompanying the first party’s (party i’s) message is like the one described earlier: it proves that the encrypted value is in the correct range with respect to q. The proof accompanying party j’s message is slightly different than in Gennaro and Goldfeder’s multiplicative-to-additive share conversion scheme. Recall that party j operates homomorphically on the ciphertext it received from party i by multiplying it with b_j and adding -\beta to it using party i’s Paillier key. Here, party j provides a zero-knowledge proof that the ciphertext it sends back to party i was formed with values from the correct ranges, and that (i) the multiplicative coefficient equals the discrete log of a certain known value, and (ii) the additive term equals the same value encrypted in a Paillier ciphertext using party j’s own key.
  • Paillier encryption is also used in a key refresh procedure, where each party chooses a random secret sharing of 0 (modulo the ECDSA group order q) and encrypts one share to each other party’s Paillier key. The parties then use the received shares to update their secret key shares without changing their shared public key.
  • Finally, the Paillier modulus is re-used as the modulus of ring Pedersen (Fujisaki–Okamoto) commitments (eprint 2001/064, PDF), whose security relies on the strong RSA problem. Each party has a pair of ring Pedersen parameters (s,t) \in \mathbb{Z}^\star_{n} \times \mathbb{Z}^\star_{n} (where n is their Paillier modulus), for which they provide a zero-knowledge proof that s belongs to the multiplicative group generated by t modulo n. Ring Pedersen commitments are used in zero-knowledge proofs with the verifier’s Paillier modulus.

The paper includes the interesting observation that Paillier encryption can be used as a commitment scheme to simplify some zero-knowledge proofs. When a participant encrypts a plaintext with their own Paillier key, it produces a cryptographic commitment to that plaintext that is perfectly binding (due to the bijection between \mathbb{Z}^\star_{n^2} and \mathbb{Z}_n \times \mathbb{Z}^\star_{n}) and computationally hiding (due to Paillier’s IND-CPA security, assuming computing nth residue classes is hard).

Interestingly, this paper defines Paillier decryption with \phi(n) instead of \lambda(n) for the base 1+n. Since \lambda(n) \mid \phi(n), the decryption equation is still correct with c_{dividend} = ((c^{\phi(n)} \mod n^2) - 1)/n and c_{divisor} = (((1+n)^{\phi(n)} \mod n^2) - 1)/n = \phi(n).

Implementation Considerations

Key Generation

Paillier key generation has many of the same potential pitfalls as RSA key generation, as well as some other potential issues related to the choice of base.

  • First, the public key should be big enough that factoring it with modern, general-purpose algorithms, like the General Number Field Sieve (GNFS), is infeasible. For factoring the modulus with the GNFS to be roughly at least as hard as brute-forcing a 128-bit symmetric key, the modulus size should be at least 3072 bits, so the two prime factors p and q should be at least 1536 bits each.
  • It is crucial to use a good source of randomness when selecting primes p and q, and to choose them independently so that no special-purpose factoring algorithms apply. For example, if the primes are too close together, the modulus can be factored efficiently with Fermat’s factorization method.
  • The modulus must satisfy GCD(n, \phi(n)) = 1. An easy way to enforce this property is to choose the two primes p and q having exactly the same bitlength. If GCD(n, \phi(n)) > 1, then either p divides q-1 or q divides p-1. And since \lambda(n) = LCM(p-1,q-1), it will not be co-prime to n either. This destroys the bijection between the groups \mathbb{Z}^\star_{n^2} and \mathbb{Z}_n \times \mathbb{Z}^\star_{n} (for any base, even one with the correct order), and decryption no longer works. As a quick example, consider p=5 and q=11, so n=5\cdot 11=55 is not co-prime with \phi(n)=4\cdot 10=40. First, raising an element y \in \mathbb{Z}^\star_n to the power of n, as is done to randomize ciphertexts during encryption, is a many-to-one function, which is enough to break the bijection. For example, 1332 \equiv 3^n \equiv 23^n \equiv 38^n \equiv 48^n \equiv 53^n \mod n^2. Second, even with a proper base like g=1+n=56, which has order n=55 modulo n^2, decryption no longer works and many plaintexts can correspond to the same ciphertexts. For example, the five messages 8, 19, 30, 41, and 52 would be indistinguishable during decryption after raising the ciphertext to the power of \lambda(n): g^{8\cdot \lambda(n)} \equiv g^{19\cdot \lambda(n)} \equiv g^{30\cdot \lambda(n)} \equiv g^{41\cdot \lambda(n)} \equiv g^{52\cdot \lambda(n)} \equiv 2751 \mod n^2.
  • The order of the base g modulo n^2 must be a non-zero multiple of n.
    Otherwise, there is no longer a bijection between the groups \mathbb{Z}^\star_{n^2} and \mathbb{Z}_n \times \mathbb{Z}^\star_{n}. As a quick example, consider p=11, q=13, n=143, and the base g=146, which has order 165=3\cdot 5\cdot 11 modulo n^2 (which is not a multiple of 143). Then, encryption is a 13-to-1 mapping and every w \in \mathbb{Z}^\star_{n^2} has 13 possible corresponding messages. For example, the ciphertext 775 could be obtained by encrypting any one of \{5, 16, 27, 38, 49, 60, 71, 82, 93, 104, 115, 126, 137\}: 146^5\cdot 58^n \equiv 146^{16}\cdot 15^n \equiv 146^{27}\cdot 31^n \equiv \cdots \equiv 146^{137}\cdot 97^n \equiv 775 \mod 143^2.

Encryption

Paillier encryption is randomized and the random values y \in \mathbb{Z}^\star_{n} must be carefully generated and handled.

  • It is important to use a good source of randomness when choosing y \in \mathbb{Z}^\star_{n}, and to generate a fresh, independently chosen value of y every time a message is encrypted. Known relations between the y values of multiple ciphertexts can be exploited to learn information about their corresponding plaintexts. For example, suppose two ciphertexts c_1 and c_2 (encrypting x_1 and x_2) are known to have been generated with the base g = 1+n using random values that are inverses of each other modulo n: y \in \mathbb{Z}^\star_n and y^{-1} \in \mathbb{Z}^\star_n. Then, due to the additively homomorphic properties of Paillier ciphertexts and the cancellation of the random values, the sum of the plaintexts (modulo n) can be recovered by computing ((c_1\cdot c_2 \mod n^2) - 1) / n.
  • Since encryption includes modular exponentiation to a secret value (x), a constant-time implementation — one without any data-dependent operations — must be used to avoid leaking information about the plaintext.
  • The random element y also must be kept secret and handled in constant-time.
    If the value y corresponding to a particular ciphertext c = (1+n)^x\cdot y^n \mod n^2 is ever leaked, the plaintext can be recovered by computing (y^n)^{-1} \mod n^2 (e.g., using the Extended Euclidean Algorithm), then computing ((c\cdot (y^n)^{-1} \mod n^2) - 1) / n.

Decryption

Paillier decryption involves the secret key, \lambda(n), and the usual recommendations apply.

  • Since decryption includes modular exponentiation to the secret value \lambda(n), a constant-time implementation — one without any data-dependent operations — must be used to avoid leaking information about the key.
  • If the value of c_{divisor} = ((g^{\lambda(n)} \mod n^2) - 1)/n is pre-computed, it must be afforded the same protections as the secret key, \lambda(n).

Homomorphic Operations

Paillier homomorphic operations are a feature, not a bug! Still, some care must be taken.

  • It is important to remember that ciphertexts are malleable by design, and provide no message authentication — they can easily be tampered with.
  • Homomorphic operations apply modulo n: when homomorphically adding two plaintexts or homomorphically multiplying a plaintext by some constant c, the result will be their sum or product modulo n.
  • Certain edge cases of homomorphic operations require explicit re-randomization to retain ciphertext indistinguishability.
    To homomorphically multiply a ciphertext by 0 or 1, the ciphertext is raised to the power of 0 or 1 respectively, which either results in 1 or no change at all to the ciphertext. In these two cases, the ciphertext should be re-randomized by choosing a fresh random value y \in \mathbb{Z}^\star_n and multiplying the ciphertext by y^n modulo n^2.

Conclusion

The Paillier cryptosystem is based on a fascinating number theoretic problem. Its homomorphic properties make it especially useful in multi-party computation protocols, such as many recent threshold ECDSA protocols. Since the security of Paillier is related to factoring, Paillier moduli must always be large enough that factoring them is infeasible. Protocols involving Paillier encryption and groups of different sizes must carefully account for the different sizes.

Finally, if being familiar with RSA and Paillier has made you want to learn more, consider reading about the Damgård–Jurik cryptosystem (b. 2001) in “A Generalisation, a Simplification and Some Applications of Paillier’s Probabilistic Public-Key System” (PKC 2001, PDF).

References

[Paillier1999]: “Public-Key Cryptosystems Based on Composite Degree Residuosity Classes” by Pascal Paillier, EUROCRYPT ’99. Available at https://link.springer.com/chapter/10.1007/3-540-48910-X_16.

[Lindell2017]: “Fast Secure Two-Party ECDSA Signing” by Yehuda Lindell, CRYPTO 2017. Available at https://link.springer.com/chapter/10.1007/978-3-319-63715-0_21 and https://eprint.iacr.org/2017/552.

[GenGol2019]: “Fast Multiparty Threshold ECDSA with Fast Trustless Setup” by Rosario Gennaro and Steven Goldfeder. Available at https://eprint.iacr.org/2019/114.

[CanGenGolMakPel2021]: “UC Non-Interactive, Proactive, Threshold ECDSA with Identifiable Aborts” by Ran Canetti, Rosario Gennaro, Steven Goldfeder, Nikolaos Makriyannis, and Udi Peled. Available at https://eprint.iacr.org/2021/060.

Acknowledgements

Thank you to Paul Bottinelli, Giacomo Pope, and Eric Schorn of Cryptography Services and Paul Grubbs for comments on an earlier version of this blog post.