-1

I am trying to do some calculations with the Paillier Homomorphic encryption scheme. Specifically, given three plain text integers, x1, x2,and x3. I want to first encrypt them, getting their corresponding ciphertexts, say c1, c2 and c3. I want to find the results of (x1+x2+x3)/3 by utilizing c1, c2, c3 and the homomorphic property of Paillier.

I found a post here, which was answered quite a long time ago. When I try the toy example in the accepted answer in this link myself, I can not get the provided result. Specifically, for the following step:enter image description here

I can calculate the value of k^(-1) mod N with powermod function correctly, but I can not calculate [\mu] correctly. Here is what I did:

  1. Say temp = powermod(k, -1, N), Calculate A = powermod(c1*c2*c3, temp, N^2).
  2. Calculate B = powermod(r, N, N^2).
  3. Calculate [\mu] = mod(A*B, N^2).

This gives me wrong results, I also try replacing powermod with mod, but this time the answer is going to NaN.

Can anyone help me with this, please? Thanks in advance!

Sea_
  • 1
  • 1

2 Answers2

0

Not sure precisely which language you're using, but the intermediate values should be

temp=206674

A=284095452063

B=144829438301

and the calculation works fien for me.

Daniel S
  • 23,716
  • 1
  • 29
  • 67
  • Hello! Thanks for your comment! I am using matlab with powermod function, the value of A is different from the one you have (B is the same), any ideas? (I can confirm when I call the function, the values of c1, c2 and c3 are correct and I have 319242668083 for A) – Sea_ Jun 26 '23 at 16:44
  • ... and your value for temp is? – Daniel S Jun 26 '23 at 17:47
  • Value of temp is also the same as the one you show... – Sea_ Jun 26 '23 at 17:51
  • 1
    aha, I tried this computation with Python, and now everything is fine. But do you have any idea why the value of A is the only one that is not correct when using Matlab? I do not think the reason is the number precision... – Sea_ Jun 26 '23 at 17:57
0

Mathlab is not directly adequate for the large integers used in public-key crypto.

Reading The Fine Manual shows there is a limit of $2^{64}$. Even $c_1\cdot c_2$ exceeds that.

Python, SageMath, Mathematica, and many other languages have no such limitation. That makes them adequate for experimenting with the math in public-key crypto (but not necessarily implementation of public-key crypto when it comes to adequate speed, or resisting side-channel attacks).

fgrieu
  • 140,762
  • 12
  • 307
  • 587