Let me see if I understand you, but, if I do, then I would respond: "Yes."

> can I simply think of this as a way that one of the encryption values is
> 'selected' during the encrypt process?

When encrypting, because of our friendly random zeta, we can get many
different ciphertexts from the same message. As you point out, when taking
E(5)*E(7) we can (and in your case, do) get another valid-but-distinct
ciphertext corresponding to the message m=12. Additionally, there is some
choice of zeta that would make E(12) encrypt to 19 instead of 208.

On Wed, Sep 21, 2016 at 12:14 PM, Tim Ellison <t.p.elli...@gmail.com> wrote:

> With apologies for the lazy language...since there can be multiple
> numbers in the encryption space that map back to the same plain text
> number, can I simply think of this as a way that one of the encryption
> values is 'selected' during the encrypt process?
>
> Taking my simple example, if I encrypt E() and decrypt D() the following
> to test the homomorphic properties:
>
> E(5 + 7) mod N = 208
> D(E(5) * E(7) mod N^2) = D(19)
>
> hmm, but D(19) = D(208) = 12 so we are all good.
>
> Regards,
> Tim (hoping to get to some PIR soon!)
>
> On 21/09/16 13:25, Ellison Anne Williams wrote:
> > Ah, the math-magic of semantic encryption... :) (re: random zeta)
> >
> > We can certainly walk through the proof of the semantic encryption (the
> > random zeta) as it is quite mathematically beautiful, but it will take us
> > even further down the algebraic path.
> >
> > On Wed, Sep 21, 2016 at 8:19 AM, Tim Ellison <t.p.elli...@gmail.com> wrote:
> >
> >> On 19/09/16 18:36, Walter Ray-Dulany wrote:
> >> <snip/>
> >>> Let's see what we've got.
> >>>
> >>> ( (16**12)*(7**15) ) mod 225 = 208.
> >>>
> >>> I will leave it as an exercise to check that the decryption of 208 is in
> >>> fact 12.
> >>
> >> I like a challenge :-)
> >>
> >> So we got to p=3, q=5, and my encrypted value c=208.
> >>
> >> Following the Wideskies Paillier decryption algorithm,
> >> Step (2):
> >> N = p * q
> >>   = 15
> >>
> >> lambda(N) = lcm(p-1,q-1)
> >>           = 4
> >>
> >> Step (3):
> >> mu = lambda(N) modinverse N
> >>    = 4
> >>
> >> Step (4):
> >> c' = c^lambda(N) mod N^2
> >>    = 208^4 mod 225
> >>    = 46
> >>
> >> Step(5):
> >> m' = L(c')
> >>    = ((c' - 1) / N) mod N
> >>    = (45 / 15) mod 15
> >>    = 3
> >>
> >> Step(6):
> >> m = (m' * mu) mod N
> >>   = 12
> >>
> >> yay!
> >>
> >> The fog is slowly clearing, though I'm totally baffled about how I can
> >> pick a random zeta during encryption, and it plays no part in the
> >> decryption.
> >>
> >> Regards,
> >> Tim
> >>
> >
>
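
The toy Paillier instance from this thread (p=3, q=5, g=16), as an added Python example that is not part of the original emails or the project's code. Function names are illustrative, and every zeta other than 7 is chosen here for the demonstration. It shows each valid zeta giving a different ciphertext for m=12, and why zeta plays no part in decryption: raising zeta^N to lambda(N) gives 1 mod N^2.

```python
from math import gcd

# Toy parameters from the thread; far too small for real use.
P, Q = 3, 5
N = P * Q                                    # 15
N2 = N * N                                   # 225
G = 16                                       # the base in 16**12
LAMBDA = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # lcm(p-1, q-1) = 4
MU = pow(LAMBDA, -1, N)                      # lambda^-1 mod N = 4 (Python 3.8+)


def encrypt(m, zeta):
    """E(m) = g^m * zeta^N mod N^2, where zeta must be a unit mod N."""
    if gcd(zeta, N) != 1:
        raise ValueError("zeta must be coprime to N")
    return (pow(G, m, N2) * pow(zeta, N, N2)) % N2


def decrypt(c):
    """Steps (4)-(6) of the thread: m = L(c^lambda mod N^2) * mu mod N."""
    c_prime = pow(c, LAMBDA, N2)
    return ((c_prime - 1) // N * MU) % N


def ciphertexts_for(m):
    """Map every valid zeta in [1, N) to the ciphertext it yields for m."""
    return {z: encrypt(m, z) for z in range(1, N) if gcd(z, N) == 1}


def zeta_residue(zeta):
    """What is left of zeta's factor after step (4): (zeta^N)^lambda mod N^2."""
    return pow(zeta, N * LAMBDA, N2)


def add_encrypted(c1, c2):
    """Homomorphic addition: multiply ciphertexts mod N^2."""
    return (c1 * c2) % N2


if __name__ == "__main__":
    for zeta, c in ciphertexts_for(12).items():
        print(f"zeta={zeta:2d}  E(12)={c:3d}  D={decrypt(c)}  "
              f"zeta^(N*lambda) mod N^2 = {zeta_residue(zeta)}")
    # zeta=2 for both operands is a constructed choice, not Tim's values.
    product = add_encrypted(encrypt(5, 2), encrypt(7, 2))
    print("E(5)*E(7) mod N^2 =", product, "-> D =", decrypt(product))
```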
