public final class Paillier
extends java.lang.Object
implements java.io.Serializable
The algorithm is as follows:
Let N=pq, be a RSA modulus where p,q are large primes of roughly the same length
The plaintext space is the additive group Z/NZ and the ciphertext space is the multiplicative group (Z/N^2 Z)*.
Public key: N, Private key: The factorization of N=pq.
Let lambda(N) be the Carmichael function of N (the exponent of the multiplicative group of units modulo N):
lambda(N) = lcm(p-1,q-1) = (p-1)(q-1)/gcd(p-1,q-1)
Encryption E(m) for a message m is as follows:
- Given N and m
- Select a random value r in (Z/NZ)*
- E(m) = (1 + mN)r^N mod N^2
Decryption D(c) for a ciphertext c is as follows:
- Given N, its factorization N=pq, and ciphertext c
- Set w = lambda(N)^-1 mod N
- Set x = c^(lambda(N))mod N^2
- Set y = (x-1)/N
- D(c) = yw mod N
Ref: Paillier, Pascal. "Public-Key Cryptosystems Based on Composite Degree Residuosity Classes." EUROCRYPT'99.
Constructor and Description |
---|
Paillier(java.math.BigInteger p,
java.math.BigInteger q,
int bitLength)
Creates a Paillier algorithm with all parameters specified.
|
Paillier(int bitLength,
int certainty)
Constructs a Paillier algorithm with generated keys.
|
Paillier(int bitLength,
int certainty,
int ensureBitSet)
Constructs a Paillier algorithm with generated keys and optionally ensures a certain bit is set in the modulus.
|
Modifier and Type | Method and Description |
---|---|
java.math.BigInteger |
decrypt(java.math.BigInteger c)
Returns the plaintext message for a given ciphertext.
|
java.math.BigInteger |
encrypt(java.math.BigInteger m)
Returns the encrypted value of
m using a generated random value. |
java.math.BigInteger |
encrypt(java.math.BigInteger m,
java.math.BigInteger r)
Returns the ciphertext of a message using the given random value.
|
int |
getBitLength()
Returns the bit length of the modulus
N . |
java.math.BigInteger |
getLambdaN()
Returns the value of Carmichael's function at
N . |
java.math.BigInteger |
getN()
Returns the RSA modulus value
N . |
java.math.BigInteger |
getNSquared()
Returns the value of
N 2. |
java.math.BigInteger |
getP()
Returns the value of the large prime
p . |
java.math.BigInteger |
getQ()
Returns the value of the large prime
q . |
public Paillier(java.math.BigInteger p, java.math.BigInteger q, int bitLength)
p
- First large prime.q
- Second large prime.bitLength
- Bit length of the modulus N
.java.lang.IllegalArgumentException
- If p
or q
do not satisfy primality constraints.public Paillier(int bitLength, int certainty)
The generated keys p
and q
will have half the given modulus bit length, and the given prime certainty.
The probability that the generated keys represent primes will exceed (1 - (1/2)certainty
). The execution time of this constructor is
proportional to the value of this parameter.
bitLength
- The bit length of the resulting modulus N
.certainty
- The probability that the new p
and q
represent prime numbers.java.lang.IllegalArgumentException
- If the certainty
is less than the system allowed lower bound.public Paillier(int bitLength, int certainty, int ensureBitSet)
The generated keys p
and q
will have half the given modulus bit length, and the given prime certainty.
The probability that the generated keys represent primes will exceed (1 - (1/2)certainty
). The execution time of this constructor is
proportional to the value of this parameter.
When ensureBitSet > -1 the value of bit "ensureBitSet
" in modulus N
will be set.
bitLength
- The bit length of the resulting modulus N
.certainty
- The probability that the new p
and q
represent prime numbers.ensureBitSet
- index of bit in N
to ensure is set.java.lang.IllegalArgumentException
- If the certainty
is less than the system allowed lower bound, or the index of ensureBitSet
is greater than the bitLength
.public java.math.BigInteger getP()
p
.public java.math.BigInteger getQ()
q
.public java.math.BigInteger getN()
N
.p
and q
.public java.math.BigInteger getNSquared()
N
2.public java.math.BigInteger getLambdaN()
N
.
The Carmichael function of N
is the least common multiple of p-1
and q-1
,
N
.public int getBitLength()
N
.public java.math.BigInteger encrypt(java.math.BigInteger m) throws PIRException
m
using a generated random value.m
- the value to be encrypted.PIRException
- If m
is not less than @{code N}.public java.math.BigInteger encrypt(java.math.BigInteger m, java.math.BigInteger r) throws PIRException
m
- the value to be encrypted.r
- the random value to use in the Pailler encryption.PIRException
- If m
is not less than @{code N}.public java.math.BigInteger decrypt(java.math.BigInteger c)
c
- an encrypted value.