# Re: Is fast variant of Paillier insecure?

*From*: Kristian Gjøsteen <kristiag+news@xxxxxxxxxxxx>
*Date*: Wed, 1 Oct 2008 12:56:10 +0000 (UTC)

Amit <amitabh123@xxxxxxxxx> wrote:

> Kristian, what did you mean when you said 'There are other minor
> applications of such moduli'? Can you describe some application?

n = (2as+1)(2bs+1) = pq. Let g have order ab, let h have order s.
s can be prime or composite. If s only has small prime factors,
you can compute discrete logs to base h.

You then get a nice additively homomorphic cryptosystem where the public
key is (n,g,h), the private key is (n,ab), and you encrypt messages
as g^r h^m. To decrypt, compute c^ab, find the discrete logarithm x,
then find the message as x*(ab)^{-1} mod s.

That's a minor application if I ever saw one.

--

Kristian Gjøsteen
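
The scheme described in the post above, as an added Python example that is not part of the original message. The toy parameters (s = 105, a = 11, b = 13), the helper names, and the use of Pohlig-Hellman over a squarefree s for the discrete log are assumptions made here; the sizes are far too small to be secure.

```python
import secrets

# Constructed toy parameters: gcd(a, b) = 1 and gcd(a*b, s) = 1.
S_FACTORS = [3, 5, 7]            # the small prime factors of s (squarefree)
s, a, b = 105, 11, 13
p, q = 2*a*s + 1, 2*b*s + 1      # 2311 and 2731, both prime
n = p * q

def element_of_order(order, prime_factors, modulus):
    """Return an element of exact order `order` modulo the prime `modulus`."""
    for x in range(2, modulus):
        y = pow(x, (modulus - 1) // order, modulus)
        if all(pow(y, order // f, modulus) != 1 for f in prime_factors):
            return y
    raise ValueError("no element of that order")

def crt(rp, rq):
    """Combine a residue mod p and a residue mod q into a residue mod n."""
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % n

# g has order a mod p and order b mod q, hence order ab mod n.
g = crt(element_of_order(a, [a], p), element_of_order(b, [b], q))
# h has order s modulo both primes, hence order s mod n.
h = crt(element_of_order(s, S_FACTORS, p), element_of_order(s, S_FACTORS, q))

def encrypt(m):
    """Public operation: c = g^r * h^m mod n, using only (n, g, h)."""
    r = secrets.randbelow(n)
    return pow(g, r, n) * pow(h, m % s, n) % n

def dlog(y):
    """Pohlig-Hellman: x in [0, s) with h^x = y mod n, one small prime at a time."""
    x, mod = 0, 1
    for f in S_FACTORS:
        hf, yf = pow(h, s // f, n), pow(y, s // f, n)   # project to order-f subgroup
        xf = next(k for k in range(f) if pow(hf, k, n) == yf)
        x += mod * ((xf - x) * pow(mod, -1, f) % f)     # incremental CRT
        mod *= f
    return x

def decrypt(c):
    """Private operation: c^ab removes g^r and leaves h^(m*ab); then unscale by ab."""
    x = dlog(pow(c, a * b, n))
    return x * pow(a * b, -1, s) % s

def add_ciphertexts(c1, c2):
    """Multiplying ciphertexts adds the plaintexts modulo s."""
    return c1 * c2 % n
```

Messages live in Z_s, so sums wrap modulo s.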
