[cryptography] Paillier Crypto for homomorphic computation
Joss Wright
joss-cypherpunks at pseudonymity.net
Wed Aug 7 02:08:07 PDT 2013
On Wed, Aug 07, 2013 at 09:26:02AM +0100, Joss Wright wrote:
> On Wed, Aug 07, 2013 at 01:09:07AM +0200, Adam Back wrote:
> > I dont get it. Paillier is additively homomorphic only. (And
> > obviously by implication multiplyable by non-encrypted constants.)
>
> Minor point, but by raising one Paillier ciphertext to the power of
> another you get multiplication without revealing the factor.
Sorry, I misremembered the homomorphic properties of Paillier. This
isn't true.
>
> >
> > RSA is multiplicatively homomorphic. And Elgamal additive.
> >
> > Why is paillier proposed as "might scale homomorphic" the
> > interesting property is dual homomorphic crypto which Gentry and
> > variants provide (but at impractical computational and large space
> > overhead huge). Dual or fully homomorphic is the interesting
> > property because then you can do arbitrary computations (using
> > multiplication as single-bit AND and addition as single-bit OR and
> > building a CPU from gates - still expensive even if the base
> > algorithm was as efficient as Paillier/RSA/Elgamal but interesting).
> >
> > Also why would they send the "encrypted numbers" to two peers and
> > have them do the encrypted computation? The whole point is its
> > zero-trust secure from the point of view of the client - client
> > encrypts, server does computations on encrypted values, sends
> > encrypted result back to client, client decrypts - and you dont need
> > to trust the server. No need for threshold crypto, having multiple
> > peers do some kind of multi-party computation etc.
> >
> > Adam
> >
> > On Tue, Aug 06, 2013 at 08:11:52PM +0200, Eugen Leitl wrote:
> > >----- Forwarded message from dan at geer.org -----
> > >
> > >Date: Mon, 05 Aug 2013 14:43:28 -0400 From: dan at geer.org To:
> > >cryptography at randombit.net Subject: [cryptography] fwd: Paillier
> > >Crypto
> > >
> > >
> > >>http://9ac345a5509a.github.io/p2p-paillier/
> > >>
> > >>This is a form of Homomorphic Encryption that might actually
> > >>scale, given the right cloud backend. It verges on the spookiness
> > >>of Quantum.
> > >>
> > >>Support logic that might shed light on the true performance of
> > >>Paillier.
> > >>
> > >>http://plaintext.crypto.lo.gy/article/658/encounter
> > >
> > >
> > >--dan
> > >
> > >_______________________________________________ cryptography
> > >mailing list cryptography at randombit.net
> > >http://lists.randombit.net/mailman/listinfo/cryptography
> > >
> > >----- End forwarded message ----- -- Eugen* Leitl <a
> > >href="http://leitl.org">leitl</a> http://leitl.org
> > >______________________________________________________________
> > >ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
> > >AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
>
> -- Joss Wright | @JossWright http://www.pseudonymity.net
--
Joss Wright | @JossWright
http://www.pseudonymity.net
More information about the cypherpunks
mailing list