Paillier’s Cryptosystem Modulo p 2 q and Its Applications to Trapdoor Commitment Schemes

* Final gross prices may vary according to local VAT.

Get Access

Abstract

In 1998/99, T. Okamoto and S. Uchiyama on the one hand and P. Paillier on the other hand introduced homomorphic encryption schemes semantically secure against passive adversaries (IND-CPA). Both schemes follow in the footsteps of Goldwasser-Micali, Benaloh-Fischer and Naccache-Stern cryptosystems, and yield their improvements above the latter by changing the group structure. Paillier’s scheme works in the group \({\mathbb Z}^{\times}_{n^{2}}\) where n is an RSA modulus, whilst Okamoto-Uchiyama is located in the group \({\mathbb Z}^{\times}_{n}\) for n of p 2 q type. The new schemes attracted much attention because of their rich mathematical structure. It is notable that Okamoto-Uchiyama is one-way under the p 2 q factoring assumption, whilst there is no reduction known from the one-wayness of Paillier’s scheme to a standard computational assumption.

In this paper we point out that the combination of both techniques yields a new scheme that inherits all the nice properties of Paillier’s scheme and that is one-way under the p 2 q factoring assumption. The one-wayness is based on a new trapdoor one-way function which might be of independent interest. In addition, we show how to construct trapdoor commitment schemes with practical applications based on our new scheme and on the trapdoor function. Among other things, we propose a trapdoor commitment scheme that perfectly meets the requirements to construct Shamir-Tauman on-line/off-line signatures.