Jump to content

Main menu Navigation ●Main page ●Contents ●Current events ●Random article ●About Wikipedia ●Contact us ●Donate Contribute ●Help ●Learn to edit ●Community portal ●Recent changes ●Upload file

●Create account ●Log in ●Create account ● Log in Pages for logged out editors learn more ●Contributions ●Talk

(Top) 1 Key generation 2 Encryption 3 Decryption 4 Simplification 5 See also 6 References

Damgård–Jurik cryptosystem

●Deutsch ●Русский Edit links ●Article ●Talk ●Read ●Edit ●View history Tools Actions ●Read ●Edit ●View history General ●What links here ●Related changes ●Upload file ●Special pages ●Permanent link ●Page information ●Cite this page ●Get shortened URL ●Download QR code ●Wikidata item Print/export ●Download as PDF ●Printable version Appearance From Wikipedia, the free encyclopedia

The Damgård–Jurik cryptosystem^[1] is a generalization of the Paillier cryptosystem. It uses computations modulo $n^{s+1}$ where $n$ is an RSA modulus and $s$ a (positive) natural number. Paillier's scheme is the special case with $s=1$ . The order $\varphi (n^{s+1})$ (Euler's totient function) of $Z_{n^{s+1}}^{*}$ can be divided by $n^{s}$ . Moreover, $Z_{n^{s+1}}^{*}$ can be written as the direct productof $G\times H$ . $G$ is cyclic and of order $n^{s}$ , while $H$ is isomorphic to $Z_{n}^{*}$ . For encryption, the message is transformed into the corresponding coset of the factor group $G\times H/H$ and the security of the scheme relies on the difficulty of distinguishing random elements in different cosets of $H$ . It is semantically secure if it is hard to decide if two given elements are in the same coset. Like Paillier, the security of Damgård–Jurik can be proven under the decisional composite residuosity assumption.

Key generation[edit]

Choose two large prime numbers p and q randomly and independently of each other.
Compute $n=pq$ and $\lambda =\operatorname {lcm} (p-1,q-1)$ .
Choose an element $g\in \mathbb {Z} _{n^{s+1}}^{*}$ such that $g=(1+n)^{j}x\mod n^{s+1}$ for a known $j$ relative primeto $n$ and $x\in H$ .
Using the Chinese Remainder Theorem, choose $d$ such that $d\mod n\in \mathbb {Z} _{n}^{*}$ and $d=0\mod \lambda$ . For instance $d$ could be $\lambda$ as in Paillier's original scheme.

The public (encryption) key is $(n,g)$ .
The private (decryption) key is $d$ .

Encryption[edit]

Let $m$ be a message to be encrypted where $m\in \mathbb {Z} _{n^{s}}$ .
Select random $r$ where $r\in \mathbb {Z} _{n}^{*}$ .
Compute ciphertext as: $c=g^{m}\cdot r^{n^{s}}\mod n^{s+1}$ .

Decryption[edit]

Ciphertext $c\in \mathbb {Z} _{n^{s+1}}^{*}$
Compute $c^{d}\;mod\;n^{s+1}$ . If c is a valid ciphertext then $c^{d}=(g^{m}r^{n^{s}})^{d}=((1+n)^{jm}x^{m}r^{n^{s}})^{d}=(1+n)^{jmd\;mod\;n^{s}}(x^{m}r^{n^{s}})^{d\;mod\;\lambda }=(1+n)^{jmd\;mod\;n^{s}}$ .
Apply a recursive version of the Paillier decryption mechanism to obtain $jmd$ . As $jd$ is known, it is possible to compute ${\displaystyle m=(jmd)\cdot ($ .

Simplification[edit]

At the cost of no longer containing the classical Paillier cryptosystem as an instance, Damgård–Jurik can be simplified in the following way:

The base g is fixed as $g=n+1$ .
The decryption exponent d is computed such that $d=1\;mod\;n^{s}$ and $d=0\;mod\;\lambda$ .

In this case decryption produces $c^{d}=(1+n)^{m}\;mod\;n^{s+1}$ . Using recursive Paillier decryption this gives us directly the plaintext m.

References[edit]

^ Ivan Damgård, Mads Jurik: A Generalisation, a Simplification and Some Applications of Paillier's Probabilistic Public-Key System. Public Key Cryptography 2001: 119-136

Public-key cryptography

Algorithms

Integer factorization	Benaloh Blum–Goldwasser Cayley–Purser Damgård–Jurik GMR Goldwasser–Micali Naccache–Stern Paillier Rabin RSA Okamoto–Uchiyama Schmidt–Samoa
Discrete logarithm	BLS Cramer–Shoup DH DSA ECDH X25519 X448 ECDSA EdDSA Ed25519 Ed448 ECMQV EKE ElGamal signature scheme MQV Schnorr SPEKE SRP STS
Lattice/SVP/CVP/LWE/SIS	BLISS Kyber NewHope NTRUEncrypt NTRUSign RLWE-KEX RLWE-SIG
Others	AE CEILIDH EPOC HFE IES Lamport McEliece Merkle–Hellman Naccache–Stern knapsack cryptosystem Three-pass protocol XTR

Theory

Standardization

Topics

Cryptography

General

Mathematics

Category

Retrieved from "https://en.wikipedia.org/w/index.php?title=Damgård–Jurik_cryptosystem&oldid=1004013163" Category: ●Public-key encryption schemes ●This page was last edited on 31 January 2021, at 18:43 (UTC). ●Text is available under the Creative Commons Attribution-ShareAlike License 4.0; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization. ●Privacy policy ●About Wikipedia ●Disclaimers ●Contact Wikipedia ●Code of Conduct ●Developers ●Statistics ●Cookie statement ●Mobile view