Naccache–Stern cryptosystem

The Naccache–Stern cryptosystem is a homomorphic public-key cryptosystem whose security rests on the higher residuosity problem. The Naccache–Stern cryptosystem was discovered by David Naccache and Jacques Stern in 1998.

Scheme Definition

Like many public key cryptosystems, this scheme works in the group $(ℤ / n ℤ)^{*}$ where n is a product of two large primes. This scheme is homomorphic and hence malleable.

Pick a family of k small distinct primes p₁,...,p_k.
Divide the set in half and set $u = \prod_{i = 1}^{k / 2} p_{i}$ and $v = \prod_{k / 2 + 1}^{k} p_{i}$ .
Set $σ = u v = \prod_{i = 1}^{k} p_{i}$
Choose large primes a and b such that both p = 2au+1 and q=2bv+1 are prime.
Set n=pq.
Choose a random g mod n such that g has order φ(n)/4.

The public key is the numbers σ,n,g and the private key is the pair p,q.

When k=1 this is essentially the Benaloh cryptosystem.

This system allows encryption of a message m in the group $ℤ / σ ℤ$ .

Then E(m) is an encryption of the message m.

To decrypt, we first find m mod p_i for each i, and then we apply the Chinese remainder theorem to calculate m mod $σ$ .

Given a ciphertext c, to decrypt, we calculate

\begin{matrix} c^{ϕ (n) / p_{i}} & \equiv & x^{σ ϕ (n) / p_{i}} g^{m ϕ (n) / p_{i}} mod n \\ \equiv & g^{(m_{i} + y_{i} p_{i}) ϕ (n) / p_{i}} mod n \\ \equiv & g^{m_{i} ϕ (n) / p_{i}} mod n \end{matrix}

where $m_{i} \equiv m mod p_{i}$ .

Since p_i is chosen to be small, m_i can be recovered by exhaustive search, i.e. by comparing $c_{i}$ to $g^{j ϕ (n) / p_{i}}$ for j from 1 to p_i-1.
Once m_i is known for each i, m can be recovered by a direct application of the Chinese remainder theorem.

The semantic security of the Naccache–Stern cryptosystem rests on an extension of the quadratic residuosity problem known as the higher residuosity problem.

Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).