Threshold Paillier Cryptosystem
=============

## A Distributed Decryption for Paillier

The protocol offers distributed decryption for Paillier with simulation-based security against malicious adversaries, without randomness extraction. It comprises the following two subprotocols:

1. The parties produce shares of a value $d$, similarly to the **Damgård-Jurik scheme**.

2. The parties run the distributed decryption algorithm using their shares.

We use $g = 1 + N$ as a generator of the subgroup of $\mathbb{Z}^*_{N^2}$ of order $N$. Encryption of a plaintext $m$ with randomness $r$ is then

$$
Enc_N(m, r) = (1+N)^m \cdot r^N \mod N^2
$$

### Generating a Shared Paillier Decryption Key

We now present our protocol for generating a shared Paillier decryption key. As stated, similarly to **Damgård and Jurik**, we share a decryption exponent $d$ defined as follows:



$$
d \equiv \left\{
\begin{aligned}
0 \mod \phi(N) \\
1 \mod N
\end{aligned}
\right\}
$$
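
These two congruences are what make decryption work: $c^d \equiv (1+N)^m \equiv 1 + mN \pmod{N^2}$ for $c = Enc_N(m, r)$. The Python sketch below is an added example (not code from the original notebook or from klefki) in which a trusted dealer, standing in for the key-generation protocol, splits $d$ additively between two parties. The toy primes, the function names and the dealer are assumptions made for illustration.

```python
import secrets
from math import gcd

# Constructed toy primes; far too small for real use.
P, Q = 1009, 1013
N = P * Q
N2 = N * N
PHI = (P - 1) * (Q - 1)
ORDER = PHI * N  # order of the group Z*_{N^2}


def encrypt(m, r=None):
    """Enc_N(m, r) = (1+N)^m * r^N mod N^2, with r a unit mod N."""
    while r is None or gcd(r, N) != 1:
        r = secrets.randbelow(N - 1) + 1
    return pow(1 + N, m, N2) * pow(r, N, N2) % N2


def decryption_exponent():
    """CRT solution of d = 0 (mod phi(N)) and d = 1 (mod N)."""
    if gcd(PHI, N) != 1:
        raise ValueError("phi(N) and N must be coprime")
    return PHI * pow(PHI, -1, N) % ORDER


def share_exponent(d):
    """Dealer step (assumption): split d additively modulo the group order."""
    d0 = secrets.randbelow(ORDER)
    return d0, (d - d0) % ORDER


def partial_decrypt(c, d_i):
    """Each party raises the ciphertext to its own share of d."""
    return pow(c, d_i, N2)


def combine(c0, c1):
    """c^(d0+d1) = c^d = 1 + m*N mod N^2; reject anything not of that form."""
    u = c0 * c1 % N2
    if u % N != 1:
        raise ValueError("combined value is not of the form 1 + m*N")
    return (u - 1) // N
```

Neither share alone recovers $m$; only the product of both partial decryptions has the form $1 + mN$.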

#### A distributed generation of a shared Paillier decryption key with passive security:

* **Input**:

A public **RSA** modulus $N=pq$ with unknown factorization, and additive shares of $\phi(N)$:

$$
\begin{aligned}
sk_0 &= N-p_0-q_0+1\\
sk_1 &= -p_1-q_1
\end{aligned}
$$

$sk_0, sk_1$ are held by $P_0$ and $P_1$ respectively. A public **ElGamal** key $(g,h)$ with the secret key shared between the parties. A public Paillier key $N_0 \gg N^3$ with the secret key held by $P_0$.

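```python
import secrets

from klefki.numbers.primes import generate_prime
from klefki.crypto.elgamal import ElGamal

# Toy 16-bit primes, for illustration only.
P, Q = generate_prime(16), generate_prime(16)
N = P * Q
phi_N = (P - 1) * (Q - 1)

# Additive shares of the primes: P = p0 + p1 and Q = q0 + q1.
# Without this relation sk0 + sk1 would not equal phi(N).
p0, q0 = secrets.randbelow(P - 1) + 1, secrets.randbelow(Q - 1) + 1
p1, q1 = P - p0, Q - q0

# Additive shares of phi(N), held by P_0 and P_1 respectively.
sk0 = N - p0 - q0 + 1
sk1 = -p1 - q1
assert sk0 + sk1 == phi_N

# ElGamal key pair; x is a fixed demo secret, not a shared key.
x = 42
el = ElGamal(x)
g, h = el.pubkey
```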

* **The protocol**

Ref:

* Carmit Hazay, Gert Læssøe Mikkelsen, et al., Efficient RSA Key Generation and Threshold Paillier in the Two-Party Setting