A Generalisation, a Simplification and

some Applications of Paillier's

Probabilistic Public-Key System
Ivan B. Damgrd
Mads J. Jurik
December 2000
Abstract:
We propose a generalisation of Paillier's probabilistic public key system, in which the
expansion factor is reduced and which allows to adjust the block length of the scheme
even after the public key has been fixed, without loosing the homomorphic property. We
show that the generalisation is as secure as Paillier's original system.
We construct a threshold variant of the generalised scheme as well as zero-knowledge
protocols to show that a given ciphertext encrypts one of a set of given plaintexts, and
protocols to verify multiplicative relations on plaintexts.
We then show how these building blocks can be used for applying the scheme to
efficient electronic voting. This reduces dramatically the work needed to compute the
final result of an election, compared to the previously best known schemes. We show
how the basic scheme for a yes/no vote can be easily adapted to casting a vote for up
to out of
candidates. The same basic building blocks can also be adapted to
provide receipt-free elections, under appropriate physical assumptions. The scheme for
1 out of elections can be optimised such that for a certain range of parameter values,
a ballot has size only

bits.

Available as PostScript, PDF, DVI.

A Length-Flexible Threshold
Cryptosystem with Applications
Ivan B. Damgrd
Mads J. Jurik
March 2003
Abstract:
We propose a public-key cryptosystem which is derived from the Paillier cryptosystem.
The scheme inherits the attractive homomorphic properties of Paillier encryption. In
addition, we achieve two new properties: First, all users can use the same modulus
when generating key pairs, this allows more efficient proofs of relations between
different encryptions. Second, we can construct a threshold decryption protocol for our
scheme that is length flexible, i.e., it can handle efficiently messages of arbitrary length,
even though the public key and the secret key shares held by decryption servers are of
fixed size. We show how to apply this cryptosystem to build:
1) a self-tallying election scheme with perfect ballot secrecy. This is a small voting
system where the result can be computed from the submitted votes without the need for
decryption servers. The votes are kept secret unless the cryptosystem can be broken,
regardless of the number of cheating parties. This is in contrast to other known schemes
that usually require a number of decryption servers, the majority of which must be
honest.
2) a length-flexible mix-net which is universally verifiable, where the size of keys and

ciphertexts do not depend on the number of mix servers, and is robust against a corrupt
minority. Mix-nets can provide anonymity by shuffling messages to provide a random
permutation of input ciphertexts to the output plaintexts such that no one knows which
plaintexts relate to which ciphertexts. The mix-net inherits several nice properties from
the underlying cryptosystem, thus making it useful for a setting with small messages or
high computational power, low-band width and that anyone can verify that the mix have
been done correctly
Available as PostScript, PDF, DVI.

Abstract
In the traditional scenario in cryptography there is one sender, one receiver and an active or passive eavesdropper
who is an opponent. Large bank transactions require two people to sign, implying two senders. So the power to
generate a valid transaction is shared. Threshold cryptography allows one to share the power of a cryptosystem.
Threshold cryptosystems are distinct from threshold schemes in which the power to regenerate a secret key is
shared. A normal threshold scheme is not directly suited for threshold signatures. Using a threshold scheme directly
would require the shareholders to send their shares to a trusted person who would apply the cryptosystem for them.
But the use of such a trusted person violates the main point of threshold cryptography. We motivate the need for
treshold cryptosystems, overview the research in the field, and give some simple examples. We will conclude by
giving a list of open problems.

Introduction

In modern cryptography most schemes have been developed for a

scenario with one sender and one receiver. However, there are
scenarios in which many receivers (or many senders) need to share
the power to use a cryptosystem. The main motivation for threshold
cryptography was to develop techniques to deal with the multisender/multi-receiver scenarios.
To illustrate the aforementioned scenarios we first discuss several
particular cases of threshold cryptography to clarify its importance.
To motivatethreshold decryption, take the setting of key escrow [4,
p. 210]. In Micali's approach [33] as well as the NIST proposal
Clipper Chip proposal [7], a threshold scheme is used. Key Escrow
agents have shares of each user's secret key. When a court order
is received, the law enforcement receives these shares from the
Key Escrow agents. This permits recovering the user's secret key. A
major disadvantage of these schemes is that once these shares of a
user have been provided, ...