Zwei Anwendungen des Paillier-Kryptosystems: Blinde Signatur und Three-Pass-Protocol
English: In this paper we study the Paillier cryptosystem and derive from it two new schemes. First we transform the signature of Paillier into a blind signature. Secondly we propose a three-pass protocol which uses the homomorphic property instead of the commutativity, as the Shamir protocol does. German (translated): Based on the Paillier cryptosystem and the composite residuosity class problem introduced with it, this article proposes two cryptographic schemes. First, Paillier's signature is converted into a blind signature scheme. Furthermore, the homomorphic property of the Paillier cryptosystem is used to develop a so-called three-pass protocol, also known as a no-key protocol.
💡 Research Summary
The paper investigates the Paillier public‑key cryptosystem and exploits its additive homomorphic property to construct two schemes: a blind signature scheme and a three‑pass “no‑key” protocol. After a brief review of Paillier’s mathematics (modulus n², the L‑function L(u) = (u−1)/n, the private parameters λ = lcm(p−1, q−1) and μ = (L(g^λ mod n²))⁻¹ mod n), the authors recall the Paillier signature scheme. The message m is hashed to H(m) ∈ ℤ*_{n²}; the signer computes s₁ = L(H(m)^λ mod n²)·μ (mod n), the residuosity class of H(m), and s₂ = (H(m)·g^{−s₁})^{1/n mod λ} (mod n), the n‑th root of what remains once the class is removed. The signature is the pair (s₁, s₂) and verification checks g^{s₁}·s₂ⁿ ≡ H(m) (mod n²). Signing itself is deterministic; the random factor r enters only on the requester’s side of the blind variant.
Blind Signature Construction
To obtain a blind signature, the requester masks the hashed message with fresh randomness before it reaches the signer, so that the value the signer sees is a uniformly distributed element of ℤ*_{n²} and carries no information about m. Both parts of the Paillier structure have to be masked: the residuosity class (with an additive shift) and the n‑th‑residue part (with a multiplicative factor r ∈ ℤₙ* raised to the n‑th power). A mask on the residue part alone, i.e. handing the signer c = g^m·rⁿ (mod n²), would not be blind, because the signer holds λ and can decrypt c to m. The signer runs the ordinary Paillier signing routine on the blinded value and returns the resulting pair. Since the first component of a Paillier signature is the residuosity class, which is additive in the masked quantity, and the second is an n‑th root, which is multiplicative in the randomiser, the requester can strip the blinding from each component separately and obtain a signature (s₁, s₂) that passes the ordinary verification g^{s₁}·s₂ⁿ ≡ H(m) (mod n²). The security argument rests on the hardness of the Composite Residuosity Class problem, which prevents forgery, and on the uniform choice of the blinding values, which gives blindness: the signer’s view is independent of m.
Three‑Pass No‑Key Protocol
The second contribution replaces the commutativity requirement of Shamir’s classic three‑pass protocol with Paillier’s homomorphism. In Shamir’s scheme B layers his own encryption over A’s and A then removes hers, which only works when the two encryptions commute; here B instead operates homomorphically inside A’s ciphertext. Two parties, Alice (A) and Bob (B), hold Paillier key pairs (n_A, g_A, λ_A, μ_A) and (n_B, g_B, λ_B, μ_B); in the three passes below only A’s pair is used arithmetically, B contributing a one‑time multiplier. The protocol proceeds in three messages:
- A → B: A selects a random r_A ∈ ℤ*_{n_A} and encrypts the secret m under her own key as c₁ = g_A^m·r_A^{n_A} (mod n_A²).
- B → A: B chooses a one‑time multiplier r_B ∈ ℤ*_{n_A} and a fresh randomiser ρ ∈ ℤ*_{n_A} and sends c₂ = c₁^{r_B}·ρ^{n_A} (mod n_A²). By the scalar homomorphism of Paillier (raising a ciphertext to a power multiplies its plaintext), c₂ encrypts m·r_B (mod n_A) under A’s key, and the re‑randomisation with ρ unlinks it from c₁.
- A → B: A decrypts c₂ with (λ_A, μ_A), obtaining m·r_B (mod n_A), and returns this value to B. B removes his multiplier by computing (m·r_B)·r_B⁻¹ (mod n_A) and recovers m.
Correctness follows from the homomorphism: exponentiating a Paillier ciphertext scales its plaintext, and the decryption and the final multiplication cancel the random factors. An eavesdropper sees two ciphertexts under A’s public key, which under the Composite Residuosity assumption are indistinguishable from encryptions of any other value, and the value m·r_B (mod n_A), which for uniformly random r_B ∈ ℤ*_{n_A} and m coprime to n_A is itself uniformly distributed and reveals nothing about m on its own. Like Shamir’s original, the exchange authenticates neither party: the blinding holds off a passive eavesdropper, but an active adversary who can intercept and substitute messages can run the protocol with each side separately, so a deployment needs an independent authentication mechanism or a channel on which substitution is detectable.
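The arithmetic of both constructions, the blinded Paillier signature from the previous section and the homomorphic three‑pass exchange above, as an added Python example (not code from the paper). It uses constructed 17‑bit toy primes, masks the hashed message with an additive class shift α and a multiplicative factor β, which is one natural way to blind Paillier’s signature and not necessarily the paper’s exact construction, and runs the three passes under A’s key alone, with B contributing only the one‑time multiplier k. The function names, the helper `hash_to_group` and the sample messages are this example’s own.

```python
# Added example, not code from the paper: toy Paillier showing the additive homomorphism,
# Paillier's (s1, s2) signature, one natural blinding of it (mask both the class and the
# n-th-residue part) and a three-pass exchange built on the scalar homomorphism.
# Toy 17-bit primes only: real deployments need primes of ~1024 bits or more.
import hashlib
import secrets
from math import gcd

P, Q = 65537, 65539  # constructed toy primes, NOT secure parameters


def L(u, n):
    """Paillier's L-function (u - 1) / n, defined for u = 1 (mod n)."""
    return (u - 1) // n


def rand_unit(n):
    """Uniform element of Z*_n."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            return r


def keygen(p, q):
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # lambda = lcm(p-1, q-1)
    if gcd(n, lam) != 1:
        raise ValueError("signing needs 1/n mod lambda, so gcd(n, lambda) must be 1")
    g = n + 1                                      # standard choice of generator
    mu = pow(L(pow(g, lam, n * n), n), -1, n)      # mu = L(g^lambda mod n^2)^-1 mod n
    return {"n": n, "g": g}, {"n": n, "g": g, "lam": lam, "mu": mu}


def encrypt(pk, m):
    n, nn = pk["n"], pk["n"] ** 2
    return pow(pk["g"], m, nn) * pow(rand_unit(n), n, nn) % nn  # g^m r^n mod n^2


def decrypt(sk, c):
    n, nn = sk["n"], sk["n"] ** 2
    return L(pow(c, sk["lam"], nn), n) * sk["mu"] % n           # L(c^lambda) mu mod n


def hash_to_group(msg, n):
    """Hash msg into Z*_{n^2}, the domain Paillier's signature expects (example helper)."""
    ctr = 0
    while True:
        h = int.from_bytes(hashlib.sha256(msg + ctr.to_bytes(4, "big")).digest(), "big") % (n * n)
        if h and gcd(h, n) == 1:
            return h
        ctr += 1


def sign(sk, h):
    """Paillier (1999) signature: s1 = class of h, s2 = n-th root of h * g^-s1 (mod n)."""
    n, nn, g = sk["n"], sk["n"] ** 2, sk["g"]
    s1 = decrypt(sk, h)                        # residuosity class = L(h^lambda) mu mod n
    d = pow(n, -1, sk["lam"])                  # 1/n mod lambda
    wn = h * pow(pow(g, s1, nn), -1, nn) % nn  # h * g^-s1 = w^n (mod n^2), an n-th residue
    return s1, pow(wn, d, n)                   # (w^n)^(1/n) = w (mod n)


def verify(pk, h, sig):
    n, nn = pk["n"], pk["n"] ** 2
    s1, s2 = sig
    return pow(pk["g"], s1, nn) * pow(s2, n, nn) % nn == h


def blind(pk, h):
    """Requester: c = h * g^alpha * beta^n is uniform in Z*_{n^2}, so even a signer holding
    lambda learns nothing about h. Masking only with beta^n would leave the class of h,
    and hence h, decryptable by the signer."""
    n, nn = pk["n"], pk["n"] ** 2
    alpha, beta = secrets.randbelow(n), rand_unit(n)
    return h * pow(pk["g"], alpha, nn) * pow(beta, n, nn) % nn, (alpha, beta)


def unblind(pk, blinded_sig, state):
    """class(c) = class(h) + alpha and root(c) = root(h) * beta (mod n): undo both."""
    n = pk["n"]
    (s1, s2), (alpha, beta) = blinded_sig, state
    return (s1 - alpha) % n, s2 * pow(beta, -1, n) % n


def three_pass(pk_a, sk_a, m):
    """Three-pass exchange via the scalar homomorphism under A's key (only A's key is used).
    Returns the value B recovers and the three messages an eavesdropper sees."""
    n, nn = pk_a["n"], pk_a["n"] ** 2
    c1 = encrypt(pk_a, m)                                  # A -> B: Enc_A(m)
    k = rand_unit(n)                                       # B's one-time multiplier, never sent
    c2 = pow(c1, k, nn) * pow(rand_unit(n), n, nn) % nn    # B -> A: Enc_A(k*m), re-randomised
    km = decrypt(sk_a, c2)                                 # A -> B: k*m mod n, in the clear
    return km * pow(k, -1, n) % n, (c1, c2, km)            # B: m = (k*m) * k^-1 mod n


if __name__ == "__main__":
    pk, sk = keygen(P, Q)
    h = hash_to_group(b"pay 10 EUR to merchant 42", pk["n"])
    c, state = blind(pk, h)
    print("blind signature valid:", verify(pk, h, unblind(pk, sign(sk, c), state)))
    m_b, wire = three_pass(pk, sk, 123456789)
    print("B recovered:", m_b, "| wire:", wire)
```

Running the block prints whether the unblinded signature verifies against the original hash and shows the three wire messages of the exchange. The third message is k·m mod n in the clear, which is why the example only protects a secret m coprime to n and why it holds off a passive eavesdropper but not an active one who substitutes messages.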
Security and Performance Evaluation
The security argument is by reduction: forging a blind signature or recovering m from a three‑pass transcript would require solving the Composite Residuosity Class problem, which is no harder than factoring n and is assumed intractable for suitably sized n, the same assumption that underlies Paillier encryption. On the implementation side, Paillier works modulo n², so its exponentiations run on operands twice the length of RSA’s modulo‑n operations and are correspondingly more expensive. Signing costs one class computation and one exponentiation modulo n² for the n‑th root (exponent 1/n mod λ), and verification costs two exponentiations modulo n² (g^{s₁} and s₂ⁿ), so neither is cheaper than an RSA signature of the same modulus size. The three‑pass protocol avoids the need for a commutative cipher, which simplifies the design, but each exchange still costs roughly two Paillier encryptions and one decryption modulo n_A².
Conclusions and Future Work
In summary, the authors demonstrate that Paillier’s additive homomorphism can be used to construct privacy‑preserving primitives that do not depend on the commutativity or multiplicative structure of RSA‑based designs. The blind signature scheme is the kind of primitive used in electronic cash and anonymous credential systems, while the three‑pass protocol offers a “no‑key” exchange for settings where no shared secret or pre‑distributed public key is available, with the caveat that, like every no‑key protocol, it does not authenticate the parties. Open questions are the concrete parameter sizes and the cost of the modulo‑n² arithmetic in practice. Because both constructions rest on the Composite Residuosity assumption, which falls together with factoring to a quantum factoring algorithm, they are not candidates for post‑quantum use.