How can I compute r from: c = g^m * r^N mod N^2

  • Thread starter vanvincent
  • Start date
In summary, the conversation discussed the encryption scheme for the paillier cryptosystem and the process of finding the integer r used for encryption. The speaker also suggested a trial and error method for finding the solution and shared a potential method for solving the equation a = b^x mod c for b.
  • #1
vanvincent
6
0
How can I compute "r" from: c = g^m * r^N mod N^2

How can I compute "r" from: c = g^m * r^N mod N^2, when all values except r are known?

This is the encryption scheme for the paillier cryptosystem. The ciphertext c, plaintext m, and the public key <n, g> is known and I need to find the integer r used for the encryption. My number theory is a little rusty. Thanks!
 
Physics news on Phys.org
  • #2


and we also know the prime factors p and q of n, such that n = p * q
 
  • #3


vanvincent said:
How can I compute "r" from: c = g^m * r^N mod N^2, when all values except r are known?

This is the encryption scheme for the paillier cryptosystem. The ciphertext c, plaintext m, and the public key <n, g> is known and I need to find the integer r used for the encryption. My number theory is a little rusty. Thanks!
My bet is that there is no known solution but trial and error. If you find it submit your resume to the CIA. To start substitute x (found by computation) for g^m then compute c/x mod N^2. For the latter part you add N^2 (Mod x) to c repeatedly until it is divisible by x
 
Last edited:
  • #4


ramsey2879 said:
My bet is that there is no known solution but trial and error. If you find it submit your resume to the CIA. To start substitute x (found by computation) for g^m then compute c/x mod N^2. For the latter part you add N^2 (Mod x) to c repeatedly until it is divisible by x
Foolish of me to say mod x! 1/13 mod 25 = 26/13 = 2 mod 25 but if I added only 12 to 1 and divided by 13, I would get 1 but 2*13 = 26 = 1 mod 25 so the correct answer will not be found if you add N^2 (mod x). It can be done the way I first suggested but you must keep track of how many times you added (say n times m is added to c and then divided by x) then to this result you would add n * (N^2-m)/x. 1*(25-12)/13 + 1 = 2 which is correct when you figure 1/13 Mod 25.
 
Last edited:
  • #5


ramsey2879 said:
Foolish of me to say mod x! 1/13 mod 25 = 26/13 = 2 mod 25 but if I added only 12 to 1 and divided by 13, I would get 1 but 2*13 = 26 = 1 mod 25 so the correct answer will not be found if you add N^2 (mod x). It can be done the way I first suggested but you must keep track of how many times you added (say n times m is added to c and then divided by x) then to this result you would add n * (N^2-m)/x. 1*(25-12)/13 + 1 = 2 which is correct when you figure 1/13 Mod 25.

So if you had the problem

1 = 17^63 * r^5 mod 25

you would reduce 63 to 3 by repeatedly dividing by 17^20 which = 1 mod 25 since there are 20 numbers that are both prime to 25 and less than 25 (Euler's Theorm) then compute 17^3 = 13 mod 25. Then you would find 1/13 mod 25 which as shown above = 2 (= a)

The problem then becomes finding b from the equation a = b^x mod c which is the topic of your earlier thread.
 
  • #6


thanks ramsey for the detailed answer! any suggestions then on how to solve a = b^x mod c, for b?
 

FAQ: How can I compute r from: c = g^m * r^N mod N^2

1. What is the purpose of computing r from c in this equation?

The purpose of computing r from c in this equation is to solve for the unknown value of r, which is necessary to decrypt the message and obtain the original plaintext. This equation is commonly used in cryptography and is known as the Paillier cryptosystem.

2. What do the variables g, m, N, and N^2 represent in this equation?

In this equation, g and N are known values that are used to generate the key for encryption and decryption. m represents the message that is being encrypted, and N^2 is the modulus used in the Paillier cryptosystem.

3. How does this equation ensure the security of the encrypted message?

This equation is designed to be a one-way function, meaning that it is easy to compute r from c, but nearly impossible to compute c from r. This ensures the security of the encrypted message, as it would be extremely difficult for an unauthorized person to obtain the original plaintext without knowing the value of r.

4. Can this equation be used for both encryption and decryption?

Yes, this equation can be used for both encryption and decryption. The value of r is used as a random factor during encryption, and is then used to decrypt the message by raising it to the power of N and taking the inverse mod N^2.

5. Are there any limitations to using this equation for encryption?

One limitation of using this equation for encryption is that it is vulnerable to chosen-ciphertext attacks, where an attacker can manipulate the ciphertext and obtain information about the plaintext. Additionally, this equation is not suitable for use with large messages, as the size of the ciphertext is dependent on the size of the message.

Similar threads

A Structure of modulo-integer matrix group GL(r,Z(n))?
Replies
17
Views
5K
I Proof for subgroup -- How prove it is a subgroup of Z^m?
Replies
11
Views
2K
I General Method for Mapping an Ellipsoid to Unit Sphere
Replies
1
Views
1K
I Meaning of terms in a direct sum decomposition of an algebra
Replies
8
Views
2K
I How Does the Equation D x E mod Φ(N) = 1 Relate to RSA Encryption?
Replies
1
Views
1K
Prove ##(a+b)\cdot c=a\cdot c+b\cdot c## using Peano postulates
Replies
3
Views
987
How can I find a x such that the order of 2 mod x is n?
Replies
2
Views
1K
A About computing the tangent space at 1 of certain lie groups
Replies
4
Views
2K
Transform that maps points from any quad to an reactangle
Replies
4
Views
3K
I Dimension of the group O(n,R) - How to calc?
Replies
3
Views
1K

Hot Threads

Recent Insights

Back
Top