TY - GEN

T1 - On the security of a modified Paillier public-key primitive

AU - Sakurai, Kouichi

AU - Takagi, Tsuyoshi

PY - 2002

Y1 - 2002

N2 - Choi et al. proposed the modified Paillier cryptosystem (M-Paillier cryptosystem). They use a special public-key g ∈ ℤ/nℤ such that g^{ϕ(n)} = 1+n mod n^2, where n is the RSA modulus. The distribution of the public key g is different from that of the original one. In this paper, we study the security of the usage of the public key. Firstly, we prove that the one-wayness of the M-Paillier cryptosystem is as intractable as factoring the modulus n, if the public key g can be generated only by the public modulus n. Secondly, we prove that the oracle that can generate the public-key factors the modulus n. Thus the public keys cannot be generated without knowing the factoring of n. The Paillier cryptosystem can use the public key g = 1+n, which is generated only from the public modulus n. Thirdly, we propose a chosen ciphertext attack against the M-Paillier cryptosystem. Our attack can factor the modulus n by only one query to the decryption oracle. This type of total breaking attack has not been reported for the original Paillier cryptosystem. Finally, we discuss the relationship between the M-Paillier cryptosystem and the Okamoto-Uchiyama scheme.

AB - Choi et al. proposed the modified Paillier cryptosystem (M-Paillier cryptosystem). They use a special public-key g ∈ ℤ/nℤ such that g^{ϕ(n)} = 1+n mod n^2, where n is the RSA modulus. The distribution of the public key g is different from that of the original one. In this paper, we study the security of the usage of the public key. Firstly, we prove that the one-wayness of the M-Paillier cryptosystem is as intractable as factoring the modulus n, if the public key g can be generated only by the public modulus n. Secondly, we prove that the oracle that can generate the public-key factors the modulus n. Thus the public keys cannot be generated without knowing the factoring of n. The Paillier cryptosystem can use the public key g = 1+n, which is generated only from the public modulus n. Thirdly, we propose a chosen ciphertext attack against the M-Paillier cryptosystem. Our attack can factor the modulus n by only one query to the decryption oracle. This type of total breaking attack has not been reported for the original Paillier cryptosystem. Finally, we discuss the relationship between the M-Paillier cryptosystem and the Okamoto-Uchiyama scheme.

UR - http://www.scopus.com/inward/record.url?scp=55749113270&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=55749113270&partnerID=8YFLogxK

U2 - 10.1007/3-540-45450-0_33

DO - 10.1007/3-540-45450-0_33

M3 - Conference contribution

AN - SCOPUS:55749113270

SN - 3540438610

SN - 9783540438618

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 436

EP - 448

BT - Information Security and Privacy - 7th Australasian Conference, ACISP 2002, Proceedings

A2 - Batten, Lynn

A2 - Seberry, Jennifer

PB - Springer Verlag

T2 - 7th Australasian Conference on Information Security and Privacy, ACISP 2002

Y2 - 3 July 2002 through 5 July 2002

ER -