Paillier's encryption Scheme
==========================

The Paillier crypto system, invented by and named after Pascal Paillier in 1999, is a probabilistic asymmetric algorithm for public key cryptography. The problem of computing $n-th$ residue classes is believed to be computationally difficult. The decisional composite residuosity assumption is the intractability hypothesis upon which this cryptosystem is based. 

## Key Generation:

1. Choose two large prime numbers $P$ and $Q$ randomly and indenpendently of each other such that $gcd(PQ, (P-1)(Q-1))=1$. This property is assured if both primes are qual lenth.

In [1]:
from klefki.const import (SECP256K1_P as P, SECP256K1_N as Q)

In [2]:
from math import gcd

assert gcd(P * Q, (P - 1) * (Q - 1)) == 1

2. Compute $N=PQ$ and $\lambda(N)=lcm(P-1, Q-1)$ be the Carmichael function of N.

In [3]:
from klefki.numbers import lcm

In [4]:
N = P * Q
Lam = lcm(P - 1, Q - 1)

3. Select random integer $\Gamma$ where $\Gamma \in \mathbf{Z}_{n^2}^*$.

In [5]:
from random import randint
from klefki.types.algebra.utils import randfield
from klefki.types.algebra.meta import field

F = field(N)
DF = field(N**2)
G = randfield(DF)

4. Ensure $n$ devides the order of $g$ by checking the existence of the following modular multiplicative inverse: 

$$
\mu = (L(G^{\lambda(N)}\mod N^2))^{-1} \mod \ N
$$

Where $L$ be a function defined over the set $\{x\in \mathbf{Z}_{N^2}: x=1 \ mod \ N\}$ computed as

$$
L(x) = \frac{x-1}{N}
$$

In [6]:
L = lambda x: (x - 1) // N
M = ~F(L(pow(G, Lam).value))

The public key is $(N, \Gamma)$ and the secret key is $(\lambda(N), \mu)$

If using p,q of equivalent length, a simpler variant of the above key generation steps would be to set $g = n + 1 , λ = φ ( n )$, and $\mu = φ(n)^{-1}\ mod \ n$, where $φ(n)=(p-1)(q-1)$

In [7]:
print("PrivKey: %s, %s" % (Lam, M))

PrivKey: 2234634654990432849929004166367641021238215826767191291571707378398254532167475902984296517123225539202576657105730699764493290075143829571044458305451072, 1356243185564225029010976210171438347786848199765720176971849731425668329460806744977319786636662333281711241127905579420465613902848601153635824276504824


In [8]:
print("PubKey: %s; %s" % (N, G))

PubKey: 13407807929942597099574024998205846127429294960603147749430244270389527193005087002084253735130200377185477318450090306135904455919285040173416176828872431; 52526344197461374693463843755584898885183186899394408387456821138477739048602700085633956728850633136970009276859213211234624324616524316161274381389724345950793295545660384680202652885935735480380260758901980150116767436061569472257165253950496976009469613931670505025662256321582935275087711079507518765499


## Encryption:

To Encrypt a message $M \in Z_N$, select $R \in_R Z_N^*$ and return $c=\Gamma^M R^N\ mod \ N^2$.

In [9]:
import random
import math
m = random.randint(0, N)
assert 0 <= m < N

r = random.randint(0, N)
assert 0 < r < N

assert math.gcd(r, N) == 1

In [10]:
pow(DF(r), N).value == pow(r, N, N**2)

True

In [11]:
c = G**m * DF(r)**N

In [12]:
print("Ciphtertext Text: %s" % c)

Ciphtertext Text: 119073621447419038792605821717735246565693627026599572996505011240281818378929690293753614295637907380978434436615709270776367409892414265163608288171158718805559608658992094768172335437574243644151004647324044247215803192193475153099090700554676296130197788002800002159877788699809901889253924316525271258117


## Decryption:

To decrypt a ciphertext $c \in Z_N$, let $L$ be a function defined over the set $\{u\in Z_{N^2}: u=1 \ mod \ N\}$ computed as $L(u) = \frac{u-1}{N}$. Then the decryption of $c$ is computed as

$$
\frac{L(c^{\lambda(N)}\ mod\ N^2)}{L(\Gamma^{\lambda(N)}\ mod\ N^2)}\ mod\ N
$$

In [13]:
assert F(m) == F(L(pow(DF(c), Lam).value)) * M

## Homomorphic

$$
E(m_i) \in Z_{N^2}\\
m_i \in Z_N
$$

#### Homomorphic addition

In [14]:
from klefki.crypto.paillier import Paillier
from klefki.const import (SECP256K1_P as P, SECP256K1_N as Q)
from klefki.types.algebra.utils import randfield

In [15]:
Pai = Paillier(P, Q)
E = Pai.E
D = Pai.D

Lam, M = Pai.privkey
N, G = Pai.pubkey

F = M.functor

In [16]:
m1, m2 = randfield(F), randfield(F)


* The product of two ciphertexts will decrypt to the sum of their corresponding plaintexts,
$$
D(E(m_1, r_1) \circ E(m_2, r_2)) = m_1 + m_2\\
$$


In [17]:
assert D(E(m1) * E(m2)) == D(E(m1)) + D(E(m2)) == m1 + m2

* The product of a ciphertext with a plaintext raising $g$ will decrypt to the sum of the corresponding plaintexts.


$$
D(E(m_1, r_1)\circ g^m_2) = m_1+m_2\\
$$


In [18]:
D(E(m1) * (G ** m2)) == m1 + m2

True

#### Homomorphic multiplication

* An encrypted plaintext raised to the power of another plaintext will decrypt to the product of the two plaintexts,

$$
D(E(m_1, r_1)^{m_2}) = m_1m_2\\
D(E(m_2, r_2)^{m_1}) = m_1m_2\\\\
$$


In [19]:
D(E(m1)**m2) == m1 * m2 == D(E(m2)**m1)

True

More generally, an encrypted plaintext raised to a constant k will decrypt to the product of the plaintext and the constant,

$$
D(E(m, r)^{k}) = km
$$


In [20]:
k = randfield(F)
m = randfield(F)


D(E(m) ** k) == k * m

True

## Ref

* Wikipedia: Pillier Cryptosystem https://en.wikipedia.org/wiki/Paillier_cryptosystem


* Encryption Performance Improvementsof the Paillier Cryptosystem https://eprint.iacr.org/2015/864.pdf


* Stackoverflow - Paillier algorithm encryption https://stackoverflow.com/questions/29217630/paillier-algorithm-encryption