No - you would lose the semantic security. In other words, two encryptions of the same plaintext would be the same two ciphertexts. With a random zeta, I can encrypt two equal plaintexts and get two different ciphertexts. This is particularly important in Wideskies when encrypting the E_i values.
On Thu, Sep 22, 2016 at 5:02 AM, Tim Ellison <[email protected]> wrote: > On 21/09/16 20:10, Walter Ray-Dulany wrote: > > Let me see if I understand you, but, if I do, then I would respond: > "Yes." > > > >> can I simply think of this as a way that one of the encryption values is > >> 'selected' during the encrypt process? > > > > When encrypting, because of our friendly random zeta, we can get many > > different ciphertexts from the same message. As you point out, when > taking > > E(5)*E(7) we can (and in your case, do) get another valid-but-distinct > > ciphertext corresponding to the message m=12. Additionally, there is some > > choice of zeta that would make E(12) encrypt to 19 instead of 208. > > Yep, that's what I meant. > > So why does Pirk provoke a different secure random number for each > encryption via Pailler#encrypt(BigInteger)? I don't see that it > enhances the security, since whatever random value we choose the > decryption is based solely upon knowing our p and q. > > Would it be ok to pick some zeta value when Paillier is initialized, and > stick with it? > > Regards, > Tim > > > On Wed, Sep 21, 2016 at 12:14 PM, Tim Ellison <[email protected]> > wrote: > > > >> With apologies for the lazy language...since there can be multiple > >> numbers in the encryption space that map back to the same plain text > >> number, can I simply think of this as a way that one of the encryption > >> values is 'selected' during the encrypt process? > >> > >> Taking my simple example, if I encrypt E() and decrypt D() the following > >> to test the homomorphic properties: > >> > >> E(5 + 7) mod N = 208 > >> D(E(5) * E(7) mod N^2) = D(19) > >> > >> hmm, but D(19) = D(208) = 12 so we are all good. > >> > >> Regards, > >> Tim (hoping to get to some PIR soon!) > >> > >> On 21/09/16 13:25, Ellison Anne Williams wrote: > >>> Ah, the math-magic of semantic encryption... :) (re: random zeta) > >>> > >>> We can certainly walk through the proof of the semantic encryption (the > >>> random zeta) as it is quite mathematically beautiful, but it will take > us > >>> even further down the algebraic path. > >>> > >>> On Wed, Sep 21, 2016 at 8:19 AM, Tim Ellison <[email protected]> > >> wrote: > >>> > >>>> On 19/09/16 18:36, Walter Ray-Dulany wrote: > >>>> <snip/> > >>>>> Let's see what we've got. > >>>>> > >>>>> ( (16**12)*(7**15) ) mod 225 = 208. > >>>>> > >>>>> I will leave it as an exercise to check that the decryption of 208 is > >> in > >>>>> fact 12. > >>>> > >>>> I like a challenge :-) > >>>> > >>>> So we got to p=3, q=5, and my encrypted value c=208. > >>>> > >>>> Following the Wideskies Pallier decryption algorithm, > >>>> Step (2): > >>>> N = p * q > >>>> = 15 > >>>> > >>>> lambda(N) = lcm(p-1,q-1) > >>>> = 4 > >>>> > >>>> Step (3): > >>>> mu = lambda(N) modinverse N > >>>> = 4 > >>>> > >>>> Step (4): > >>>> c' = c^lambda(N) mod N^2 > >>>> = 208^4 mod 225 > >>>> = 46 > >>>> > >>>> Step(5): > >>>> m' = L(c') > >>>> = ((c' - 1) / N) mod N > >>>> = (45 / 15) mod 15 > >>>> = 3 > >>>> > >>>> Step(6): > >>>> m = (m' * mu) mod N > >>>> = 12 > >>>> > >>>> yay! > >>>> > >>>> The fog is slowly clearing, though I'm totally baffled about how I can > >>>> pick a random zeta during encryption, and it plays no part in the > >>>> decryption. > >>>> > >>>> Regards, > >>>> Tim > >>>> > >>> > >> > > >
