public-key homomorphic-encryption paillier probabilistic-encryption
Updated Tue, 21 Jun 2022 00:41:52 GMT

Why is Paillier Cryptosystem called probabilistic?

The definition of Paillier Cryptosystem says that it is a probabilistic asymmetric key algorithm for public key cryptography. Can some body explain why it is called "probabilistic"?


As user curious said in a other answer probabilistic means that the encryption of the same plaintext under the same key gives as output a different ciphertext.

This is a more general property and it is known as a basic security property: it is usually refered to as semantically secure or indistinguishability (roughly: an attacker cannot guess which one of two plaintext he provided has been encrypted). It was firstly defined and introduced by Goldwasser and Micali in their seminal paper "Probabilistic Encryption" on 1984. This property is usually achieved introducing a random token into the encryption algorithm. A very simple way to transform any deterministic encryption algorithm into a probabilistic one is to pad the plaintext with a random string before to encrypt it and do unpad it after the decryption. Under symmetric encryption it can be easily achieved using a random IV (or counter) for a secure block operation mode (as CBC or CTR).

More precisely about Pallier cryptoscheme, the encryption algorithm uses a random $r$ element per encryption.


  • Let $m$ be a message to be encrypted where $m\in \mathbb Z_{n}$;
  • Select random $r$ where $r\in \mathbb Z^{*}_{n}$;
  • Compute ciphertext as: $c=g^m \cdot r^n \bmod n^2 $.

External Links

External links referenced by this document: