Does the Paillier system remain secure if it is used to encrypt only binary values, i.e. {0, 1}?

Question

Is there any security compromises if the Paillier system was used to encrypt only binary message in {0, 1}? i.e., plaintexts are either 0 or 1.

score 2 · Answer 1 · edited May 08 '15 at 16:34

2

No, there are no security compromises; the Pallier system remains secure. Both messages are in the supported message space and as Paillier encryption provides IND-CPA security you are safe when doing this.

edited May 08 '15 at 16:34

poncho

147,019
11
229
360

answered May 08 '15 at 16:32

DrLecter

12,547
3
43
61

score 1 · Answer 2 · answered May 08 '15 at 18:26

Let's review the encryption process for Paillier:

Let $m$ be a message to be encrypted where $m\in\mathbb{Z}_n$ (in your case $m\in\{0,1\}$)
Select random $r$ where $r\in\mathbb{Z}_n^*$
Compute ciphertext as: $c=g^m\cdot r^n\bmod{n^2}$

It is that random value $r$ that makes it so that encrypting values drawn from a small plaintext space does not have security issues. The encryption process is randomized. So, an attacker would either have to break the cipher given just the public key and the ciphertext, or guess the randomness. Both will be extremely hard.

Does the Paillier system remain secure if it is used to encrypt only binary values, i.e. {0, 1}?

2 Answers2