Homomorphic properties of Paillier
$begingroup$
I'm curious about the homomorphic properties of Paillier. So, basically if I have $textsf{Dec}(textsf{sk}, textsf{Enc}(textsf{pk}, alpha) cdot textsf{Enc}(textsf{pk}, alpha^{-1}))$, I will get as result $alpha + alpha^{-1}$. But, does it also mean that if I have $textsf{Dec}(textsf{sk}, textsf{Enc}(textsf{pk}, alpha)^{textsf{Enc}(textsf{pk}, alpha^{-1})})$, then the result will be $alpha cdot alpha^{-1}$, which will basically cancel each other, and will be left with 1?
encryption homomorphic-encryption paillier
asked Nov 14 '18 at 10:04
tinkertinker
397310
$endgroup$
add a comment |
$begingroup$
I'm curious about the homomorphic properties of Paillier. So, basically if I have $textsf{Dec}(textsf{sk}, textsf{Enc}(textsf{pk}, alpha) cdot textsf{Enc}(textsf{pk}, alpha^{-1}))$, I will get as result $alpha + alpha^{-1}$. But, does it also mean that if I have $textsf{Dec}(textsf{sk}, textsf{Enc}(textsf{pk}, alpha)^{textsf{Enc}(textsf{pk}, alpha^{-1})})$, then the result will be $alpha cdot alpha^{-1}$, which will basically cancel each other, and will be left with 1?
encryption homomorphic-encryption paillier
asked Nov 14 '18 at 10:04
tinkertinker
397310
$endgroup$
add a comment |
$begingroup$
I'm curious about the homomorphic properties of Paillier. So, basically if I have $textsf{Dec}(textsf{sk}, textsf{Enc}(textsf{pk}, alpha) cdot textsf{Enc}(textsf{pk}, alpha^{-1}))$, I will get as result $alpha + alpha^{-1}$. But, does it also mean that if I have $textsf{Dec}(textsf{sk}, textsf{Enc}(textsf{pk}, alpha)^{textsf{Enc}(textsf{pk}, alpha^{-1})})$, then the result will be $alpha cdot alpha^{-1}$, which will basically cancel each other, and will be left with 1?
encryption homomorphic-encryption paillier
asked Nov 14 '18 at 10:04
tinkertinker
397310
$endgroup$
I'm curious about the homomorphic properties of Paillier. So, basically if I have $textsf{Dec}(textsf{sk}, textsf{Enc}(textsf{pk}, alpha) cdot textsf{Enc}(textsf{pk}, alpha^{-1}))$, I will get as result $alpha + alpha^{-1}$. But, does it also mean that if I have $textsf{Dec}(textsf{sk}, textsf{Enc}(textsf{pk}, alpha)^{textsf{Enc}(textsf{pk}, alpha^{-1})})$, then the result will be $alpha cdot alpha^{-1}$, which will basically cancel each other, and will be left with 1?
encryption homomorphic-encryption paillier
encryption homomorphic-encryption paillier
asked Nov 14 '18 at 10:04
tinkertinker
397310
asked Nov 14 '18 at 10:04
tinkertinker
397310
asked Nov 14 '18 at 10:04
tinkertinker
397310
asked Nov 14 '18 at 10:04
tinkertinker
397310
asked Nov 14 '18 at 10:04
tinkertinker
397310
397310
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
$begingroup$
No, there is no reason that $textsf{Dec}(textsf{sk}, textsf{Enc}(textsf{pk},alpha)^{textsf{Enc}(textsf{pk}, alpha^{-1})})$ would be $alphacdotalpha^{-1}$, including when we spread $bmod N$ or $bmod N^2$ here and there.
What does apply is: for overwhelmingly most $alpha$ and $k$ in $Bbb Z$, it holds that $textsf{Dec}(textsf{sk},textsf{Enc}(textsf{pk}, alpha)^kbmod N^2)=kcdotalphabmod N$. We could take $k=alpha^{-1}bmod N$ and get $textsf{Dec}(textsf{sk},textsf{Enc}(textsf{pk},alpha)^{(alpha^{-1}bmod N)}bmod N^2)=1$, but that's not useful anyway, since $alpha^{-1}bmod N$ reveals $alphabmod N$.
Criticism of the question:
- It is not defined in which group it is computed $alpha^{-1}$, and that matters.
$textsf{Dec}(textsf{sk}, textsf{Enc}(textsf{pk}, alpha) cdot textsf{Enc}(textsf{pk}, alpha^{-1}))$ will be $alpha+alpha^{-1}bmod N$, which may or may not be $alpha+alpha^{-1}$.
answered Nov 14 '18 at 11:12
fgrieufgrieu
79.4k7169336
$endgroup$
add a comment |
$begingroup$
Given two plaintexts $alpha$ and $beta$, Pailler cryptosystem $mathcal{E}$ homomotphic property is: $mathcal{E}(alpha)times mathcal{E}(beta)=mathcal{E}(alpha+beta)$. So, $mathcal{E}(alpha)^n=mathcal{E}(nalpha)$. In your example, $n=mathcal{E}(alpha^{-1})$ and thus after decryption you will have $mathcal{E}(alpha^{-1})times alpha$ ans not $alpha^{-1} times alpha$. This is a high level answer, but you need to define the modulo $N$ of your system.
answered Nov 14 '18 at 11:12
Youssef El HousniYoussef El Housni
52938
$endgroup$
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
return StackExchange.using("mathjaxEditing", function () {
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
});
});
}, "mathjax-editing");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f63991%2fhomomorphic-properties-of-paillier%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
No, there is no reason that $textsf{Dec}(textsf{sk}, textsf{Enc}(textsf{pk},alpha)^{textsf{Enc}(textsf{pk}, alpha^{-1})})$ would be $alphacdotalpha^{-1}$, including when we spread $bmod N$ or $bmod N^2$ here and there.
What does apply is: for overwhelmingly most $alpha$ and $k$ in $Bbb Z$, it holds that $textsf{Dec}(textsf{sk},textsf{Enc}(textsf{pk}, alpha)^kbmod N^2)=kcdotalphabmod N$. We could take $k=alpha^{-1}bmod N$ and get $textsf{Dec}(textsf{sk},textsf{Enc}(textsf{pk},alpha)^{(alpha^{-1}bmod N)}bmod N^2)=1$, but that's not useful anyway, since $alpha^{-1}bmod N$ reveals $alphabmod N$.
Criticism of the question:
- It is not defined in which group it is computed $alpha^{-1}$, and that matters.
$textsf{Dec}(textsf{sk}, textsf{Enc}(textsf{pk}, alpha) cdot textsf{Enc}(textsf{pk}, alpha^{-1}))$ will be $alpha+alpha^{-1}bmod N$, which may or may not be $alpha+alpha^{-1}$.
answered Nov 14 '18 at 11:12
fgrieufgrieu
79.4k7169336
$endgroup$
add a comment |
$begingroup$
No, there is no reason that $textsf{Dec}(textsf{sk}, textsf{Enc}(textsf{pk},alpha)^{textsf{Enc}(textsf{pk}, alpha^{-1})})$ would be $alphacdotalpha^{-1}$, including when we spread $bmod N$ or $bmod N^2$ here and there.
What does apply is: for overwhelmingly most $alpha$ and $k$ in $Bbb Z$, it holds that $textsf{Dec}(textsf{sk},textsf{Enc}(textsf{pk}, alpha)^kbmod N^2)=kcdotalphabmod N$. We could take $k=alpha^{-1}bmod N$ and get $textsf{Dec}(textsf{sk},textsf{Enc}(textsf{pk},alpha)^{(alpha^{-1}bmod N)}bmod N^2)=1$, but that's not useful anyway, since $alpha^{-1}bmod N$ reveals $alphabmod N$.
Criticism of the question:
- It is not defined in which group it is computed $alpha^{-1}$, and that matters.
$textsf{Dec}(textsf{sk}, textsf{Enc}(textsf{pk}, alpha) cdot textsf{Enc}(textsf{pk}, alpha^{-1}))$ will be $alpha+alpha^{-1}bmod N$, which may or may not be $alpha+alpha^{-1}$.
answered Nov 14 '18 at 11:12
fgrieufgrieu
79.4k7169336
$endgroup$
add a comment |
$begingroup$
No, there is no reason that $textsf{Dec}(textsf{sk}, textsf{Enc}(textsf{pk},alpha)^{textsf{Enc}(textsf{pk}, alpha^{-1})})$ would be $alphacdotalpha^{-1}$, including when we spread $bmod N$ or $bmod N^2$ here and there.
What does apply is: for overwhelmingly most $alpha$ and $k$ in $Bbb Z$, it holds that $textsf{Dec}(textsf{sk},textsf{Enc}(textsf{pk}, alpha)^kbmod N^2)=kcdotalphabmod N$. We could take $k=alpha^{-1}bmod N$ and get $textsf{Dec}(textsf{sk},textsf{Enc}(textsf{pk},alpha)^{(alpha^{-1}bmod N)}bmod N^2)=1$, but that's not useful anyway, since $alpha^{-1}bmod N$ reveals $alphabmod N$.
Criticism of the question:
- It is not defined in which group it is computed $alpha^{-1}$, and that matters.
$textsf{Dec}(textsf{sk}, textsf{Enc}(textsf{pk}, alpha) cdot textsf{Enc}(textsf{pk}, alpha^{-1}))$ will be $alpha+alpha^{-1}bmod N$, which may or may not be $alpha+alpha^{-1}$.
answered Nov 14 '18 at 11:12
fgrieufgrieu
79.4k7169336
$endgroup$
No, there is no reason that $textsf{Dec}(textsf{sk}, textsf{Enc}(textsf{pk},alpha)^{textsf{Enc}(textsf{pk}, alpha^{-1})})$ would be $alphacdotalpha^{-1}$, including when we spread $bmod N$ or $bmod N^2$ here and there.
What does apply is: for overwhelmingly most $alpha$ and $k$ in $Bbb Z$, it holds that $textsf{Dec}(textsf{sk},textsf{Enc}(textsf{pk}, alpha)^kbmod N^2)=kcdotalphabmod N$. We could take $k=alpha^{-1}bmod N$ and get $textsf{Dec}(textsf{sk},textsf{Enc}(textsf{pk},alpha)^{(alpha^{-1}bmod N)}bmod N^2)=1$, but that's not useful anyway, since $alpha^{-1}bmod N$ reveals $alphabmod N$.
Criticism of the question:
- It is not defined in which group it is computed $alpha^{-1}$, and that matters.
$textsf{Dec}(textsf{sk}, textsf{Enc}(textsf{pk}, alpha) cdot textsf{Enc}(textsf{pk}, alpha^{-1}))$ will be $alpha+alpha^{-1}bmod N$, which may or may not be $alpha+alpha^{-1}$.
answered Nov 14 '18 at 11:12
fgrieufgrieu
79.4k7169336
edited Nov 15 '18 at 7:00
answered Nov 14 '18 at 11:12
fgrieufgrieu
79.4k7169336
answered Nov 14 '18 at 11:12
fgrieufgrieu
79.4k7169336
answered Nov 14 '18 at 11:12
fgrieufgrieu
79.4k7169336
79.4k7169336
add a comment |
add a comment |
$begingroup$
Given two plaintexts $alpha$ and $beta$, Pailler cryptosystem $mathcal{E}$ homomotphic property is: $mathcal{E}(alpha)times mathcal{E}(beta)=mathcal{E}(alpha+beta)$. So, $mathcal{E}(alpha)^n=mathcal{E}(nalpha)$. In your example, $n=mathcal{E}(alpha^{-1})$ and thus after decryption you will have $mathcal{E}(alpha^{-1})times alpha$ ans not $alpha^{-1} times alpha$. This is a high level answer, but you need to define the modulo $N$ of your system.
answered Nov 14 '18 at 11:12
Youssef El HousniYoussef El Housni
52938
$endgroup$
add a comment |
$begingroup$
Given two plaintexts $alpha$ and $beta$, Pailler cryptosystem $mathcal{E}$ homomotphic property is: $mathcal{E}(alpha)times mathcal{E}(beta)=mathcal{E}(alpha+beta)$. So, $mathcal{E}(alpha)^n=mathcal{E}(nalpha)$. In your example, $n=mathcal{E}(alpha^{-1})$ and thus after decryption you will have $mathcal{E}(alpha^{-1})times alpha$ ans not $alpha^{-1} times alpha$. This is a high level answer, but you need to define the modulo $N$ of your system.
answered Nov 14 '18 at 11:12
Youssef El HousniYoussef El Housni
52938
$endgroup$
add a comment |
$begingroup$
Given two plaintexts $alpha$ and $beta$, Pailler cryptosystem $mathcal{E}$ homomotphic property is: $mathcal{E}(alpha)times mathcal{E}(beta)=mathcal{E}(alpha+beta)$. So, $mathcal{E}(alpha)^n=mathcal{E}(nalpha)$. In your example, $n=mathcal{E}(alpha^{-1})$ and thus after decryption you will have $mathcal{E}(alpha^{-1})times alpha$ ans not $alpha^{-1} times alpha$. This is a high level answer, but you need to define the modulo $N$ of your system.
answered Nov 14 '18 at 11:12
Youssef El HousniYoussef El Housni
52938
$endgroup$
Given two plaintexts $alpha$ and $beta$, Pailler cryptosystem $mathcal{E}$ homomotphic property is: $mathcal{E}(alpha)times mathcal{E}(beta)=mathcal{E}(alpha+beta)$. So, $mathcal{E}(alpha)^n=mathcal{E}(nalpha)$. In your example, $n=mathcal{E}(alpha^{-1})$ and thus after decryption you will have $mathcal{E}(alpha^{-1})times alpha$ ans not $alpha^{-1} times alpha$. This is a high level answer, but you need to define the modulo $N$ of your system.
answered Nov 14 '18 at 11:12
Youssef El HousniYoussef El Housni
52938
answered Nov 14 '18 at 11:12
Youssef El HousniYoussef El Housni
52938
answered Nov 14 '18 at 11:12
Youssef El HousniYoussef El Housni
52938
answered Nov 14 '18 at 11:12
Youssef El HousniYoussef El Housni
52938
52938
add a comment |
add a comment |
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f63991%2fhomomorphic-properties-of-paillier%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
