Homomorphic properties of Paillier
Clash Royale CLAN TAG#URR8PPP
up vote
2
down vote
favorite
I'm curious about the homomorphic properties of Paillier. So, basically if I have $textsfDec(textsfsk, textsfEnc(textsfpk, alpha) cdot textsfEnc(textsfpk, alpha^-1))$, I will get as result $alpha + alpha^-1$. But, does it also mean that if I have $textsfDec(textsfsk, textsfEnc(textsfpk, alpha)^textsfEnc(textsfpk, alpha^-1))$, then the result will be $alpha cdot alpha^-1$, which will basically cancel each other, and will be left with 1?
encryption homomorphic-encryption paillier
add a comment |
up vote
2
down vote
favorite
I'm curious about the homomorphic properties of Paillier. So, basically if I have $textsfDec(textsfsk, textsfEnc(textsfpk, alpha) cdot textsfEnc(textsfpk, alpha^-1))$, I will get as result $alpha + alpha^-1$. But, does it also mean that if I have $textsfDec(textsfsk, textsfEnc(textsfpk, alpha)^textsfEnc(textsfpk, alpha^-1))$, then the result will be $alpha cdot alpha^-1$, which will basically cancel each other, and will be left with 1?
encryption homomorphic-encryption paillier
@kelalaka What you mean?
– tinker
yesterday
add a comment |
up vote
2
down vote
favorite
up vote
2
down vote
favorite
I'm curious about the homomorphic properties of Paillier. So, basically if I have $textsfDec(textsfsk, textsfEnc(textsfpk, alpha) cdot textsfEnc(textsfpk, alpha^-1))$, I will get as result $alpha + alpha^-1$. But, does it also mean that if I have $textsfDec(textsfsk, textsfEnc(textsfpk, alpha)^textsfEnc(textsfpk, alpha^-1))$, then the result will be $alpha cdot alpha^-1$, which will basically cancel each other, and will be left with 1?
encryption homomorphic-encryption paillier
I'm curious about the homomorphic properties of Paillier. So, basically if I have $textsfDec(textsfsk, textsfEnc(textsfpk, alpha) cdot textsfEnc(textsfpk, alpha^-1))$, I will get as result $alpha + alpha^-1$. But, does it also mean that if I have $textsfDec(textsfsk, textsfEnc(textsfpk, alpha)^textsfEnc(textsfpk, alpha^-1))$, then the result will be $alpha cdot alpha^-1$, which will basically cancel each other, and will be left with 1?
encryption homomorphic-encryption paillier
encryption homomorphic-encryption paillier
asked yesterday
tinker
30127
30127
@kelalaka What you mean?
– tinker
yesterday
add a comment |
@kelalaka What you mean?
– tinker
yesterday
@kelalaka What you mean?
– tinker
yesterday
@kelalaka What you mean?
– tinker
yesterday
add a comment |
2 Answers
2
active
oldest
votes
up vote
4
down vote
accepted
No, there is no reason that $textsfDec(textsfsk, textsfEnc(textsfpk,alpha)^textsfEnc(textsfpk, alpha^-1))$ would be $alphacdotalpha^-1$, including when we spread $bmod N$ or $bmod N^2$ here and there.
What does apply is: for overwhelmingly most $alpha$ and $k$ in $Bbb Z$, it holds that $textsfDec(textsfsk,textsfEnc(textsfpk, alpha)^kbmod N^2)=kcdotalphabmod N$. We could take $k=alpha^-1bmod N$ and get $textsfDec(textsfsk,textsfEnc(textsfpk,alpha)^(alpha^-1bmod N)bmod N^2)=1$, but that's not useful anyway, since $alpha^-1bmod N$ reveals $alphabmod N$.
Criticism of the question:
- It is not defined in which group it is computed $alpha^-1$, and that matters.
$textsfDec(textsfsk, textsfEnc(textsfpk, alpha) cdot textsfEnc(textsfpk, alpha^-1))$ will be $alpha+alpha^-1bmod N$, which may or may not be $alpha+alpha^-1$.
Thanks for the clarification.
– tinker
yesterday
add a comment |
up vote
1
down vote
Given two plaintexts $alpha$ and $beta$, Pailler cryptosystem $mathcalE$ homomotphic property is: $mathcalE(alpha)times mathcalE(beta)=mathcalE(alpha+beta)$. So, $mathcalE(alpha)^n=mathcalE(nalpha)$. In your example, $n=mathcalE(alpha^-1)$ and thus after decryption you will have $mathcalE(alpha^-1)times alpha$ ans not $alpha^-1 times alpha$. This is a high level answer, but you need to define the modulo $N$ of your system.
New contributor
add a comment |
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
4
down vote
accepted
No, there is no reason that $textsfDec(textsfsk, textsfEnc(textsfpk,alpha)^textsfEnc(textsfpk, alpha^-1))$ would be $alphacdotalpha^-1$, including when we spread $bmod N$ or $bmod N^2$ here and there.
What does apply is: for overwhelmingly most $alpha$ and $k$ in $Bbb Z$, it holds that $textsfDec(textsfsk,textsfEnc(textsfpk, alpha)^kbmod N^2)=kcdotalphabmod N$. We could take $k=alpha^-1bmod N$ and get $textsfDec(textsfsk,textsfEnc(textsfpk,alpha)^(alpha^-1bmod N)bmod N^2)=1$, but that's not useful anyway, since $alpha^-1bmod N$ reveals $alphabmod N$.
Criticism of the question:
- It is not defined in which group it is computed $alpha^-1$, and that matters.
$textsfDec(textsfsk, textsfEnc(textsfpk, alpha) cdot textsfEnc(textsfpk, alpha^-1))$ will be $alpha+alpha^-1bmod N$, which may or may not be $alpha+alpha^-1$.
Thanks for the clarification.
– tinker
yesterday
add a comment |
up vote
4
down vote
accepted
No, there is no reason that $textsfDec(textsfsk, textsfEnc(textsfpk,alpha)^textsfEnc(textsfpk, alpha^-1))$ would be $alphacdotalpha^-1$, including when we spread $bmod N$ or $bmod N^2$ here and there.
What does apply is: for overwhelmingly most $alpha$ and $k$ in $Bbb Z$, it holds that $textsfDec(textsfsk,textsfEnc(textsfpk, alpha)^kbmod N^2)=kcdotalphabmod N$. We could take $k=alpha^-1bmod N$ and get $textsfDec(textsfsk,textsfEnc(textsfpk,alpha)^(alpha^-1bmod N)bmod N^2)=1$, but that's not useful anyway, since $alpha^-1bmod N$ reveals $alphabmod N$.
Criticism of the question:
- It is not defined in which group it is computed $alpha^-1$, and that matters.
$textsfDec(textsfsk, textsfEnc(textsfpk, alpha) cdot textsfEnc(textsfpk, alpha^-1))$ will be $alpha+alpha^-1bmod N$, which may or may not be $alpha+alpha^-1$.
Thanks for the clarification.
– tinker
yesterday
add a comment |
up vote
4
down vote
accepted
up vote
4
down vote
accepted
No, there is no reason that $textsfDec(textsfsk, textsfEnc(textsfpk,alpha)^textsfEnc(textsfpk, alpha^-1))$ would be $alphacdotalpha^-1$, including when we spread $bmod N$ or $bmod N^2$ here and there.
What does apply is: for overwhelmingly most $alpha$ and $k$ in $Bbb Z$, it holds that $textsfDec(textsfsk,textsfEnc(textsfpk, alpha)^kbmod N^2)=kcdotalphabmod N$. We could take $k=alpha^-1bmod N$ and get $textsfDec(textsfsk,textsfEnc(textsfpk,alpha)^(alpha^-1bmod N)bmod N^2)=1$, but that's not useful anyway, since $alpha^-1bmod N$ reveals $alphabmod N$.
Criticism of the question:
- It is not defined in which group it is computed $alpha^-1$, and that matters.
$textsfDec(textsfsk, textsfEnc(textsfpk, alpha) cdot textsfEnc(textsfpk, alpha^-1))$ will be $alpha+alpha^-1bmod N$, which may or may not be $alpha+alpha^-1$.
No, there is no reason that $textsfDec(textsfsk, textsfEnc(textsfpk,alpha)^textsfEnc(textsfpk, alpha^-1))$ would be $alphacdotalpha^-1$, including when we spread $bmod N$ or $bmod N^2$ here and there.
What does apply is: for overwhelmingly most $alpha$ and $k$ in $Bbb Z$, it holds that $textsfDec(textsfsk,textsfEnc(textsfpk, alpha)^kbmod N^2)=kcdotalphabmod N$. We could take $k=alpha^-1bmod N$ and get $textsfDec(textsfsk,textsfEnc(textsfpk,alpha)^(alpha^-1bmod N)bmod N^2)=1$, but that's not useful anyway, since $alpha^-1bmod N$ reveals $alphabmod N$.
Criticism of the question:
- It is not defined in which group it is computed $alpha^-1$, and that matters.
$textsfDec(textsfsk, textsfEnc(textsfpk, alpha) cdot textsfEnc(textsfpk, alpha^-1))$ will be $alpha+alpha^-1bmod N$, which may or may not be $alpha+alpha^-1$.
edited 18 hours ago
answered yesterday
fgrieu
76.2k7155320
76.2k7155320
Thanks for the clarification.
– tinker
yesterday
add a comment |
Thanks for the clarification.
– tinker
yesterday
Thanks for the clarification.
– tinker
yesterday
Thanks for the clarification.
– tinker
yesterday
add a comment |
up vote
1
down vote
Given two plaintexts $alpha$ and $beta$, Pailler cryptosystem $mathcalE$ homomotphic property is: $mathcalE(alpha)times mathcalE(beta)=mathcalE(alpha+beta)$. So, $mathcalE(alpha)^n=mathcalE(nalpha)$. In your example, $n=mathcalE(alpha^-1)$ and thus after decryption you will have $mathcalE(alpha^-1)times alpha$ ans not $alpha^-1 times alpha$. This is a high level answer, but you need to define the modulo $N$ of your system.
New contributor
add a comment |
up vote
1
down vote
Given two plaintexts $alpha$ and $beta$, Pailler cryptosystem $mathcalE$ homomotphic property is: $mathcalE(alpha)times mathcalE(beta)=mathcalE(alpha+beta)$. So, $mathcalE(alpha)^n=mathcalE(nalpha)$. In your example, $n=mathcalE(alpha^-1)$ and thus after decryption you will have $mathcalE(alpha^-1)times alpha$ ans not $alpha^-1 times alpha$. This is a high level answer, but you need to define the modulo $N$ of your system.
New contributor
add a comment |
up vote
1
down vote
up vote
1
down vote
Given two plaintexts $alpha$ and $beta$, Pailler cryptosystem $mathcalE$ homomotphic property is: $mathcalE(alpha)times mathcalE(beta)=mathcalE(alpha+beta)$. So, $mathcalE(alpha)^n=mathcalE(nalpha)$. In your example, $n=mathcalE(alpha^-1)$ and thus after decryption you will have $mathcalE(alpha^-1)times alpha$ ans not $alpha^-1 times alpha$. This is a high level answer, but you need to define the modulo $N$ of your system.
New contributor
Given two plaintexts $alpha$ and $beta$, Pailler cryptosystem $mathcalE$ homomotphic property is: $mathcalE(alpha)times mathcalE(beta)=mathcalE(alpha+beta)$. So, $mathcalE(alpha)^n=mathcalE(nalpha)$. In your example, $n=mathcalE(alpha^-1)$ and thus after decryption you will have $mathcalE(alpha^-1)times alpha$ ans not $alpha^-1 times alpha$. This is a high level answer, but you need to define the modulo $N$ of your system.
New contributor
New contributor
answered yesterday
Youssef El Housni
1545
1545
New contributor
New contributor
add a comment |
add a comment |
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f63991%2fhomomorphic-properties-of-paillier%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
@kelalaka What you mean?
– tinker
yesterday