The Damgård–Jurik cryptosystem[1] is a generalization of the Paillier cryptosystem. It uses computations modulo where
is an RSA modulus and
a (positive) natural number. Paillier's scheme is the special case with
. The order
(Euler's totient function) of
can be divided by
. Moreover,
can be written as the direct productof
.
is cyclic and of order
, while
is isomorphic to
. For encryption, the message is transformed into the corresponding coset of the factor group
and the security of the scheme relies on the difficulty of distinguishing random elements in different cosets of
. It is semantically secure if it is hard to decide if two given elements are in the same coset. Like Paillier, the security of Damgård–Jurik can be proven under the decisional composite residuosity assumption.
At the cost of no longer containing the classical Paillier cryptosystem as an instance, Damgård–Jurik can be simplified in the following way:
In this case decryption produces . Using recursive Paillier decryption this gives us directly the plaintext m.