I was wondering if there is a security difference between lattice-based homomorphic encryption schemes and partially homomorphic encryption schemes like the Paillier and ElGamal encryption schemes, especially with respect to security against quantum attacks?
2 Answers
Sure there's a difference between Paillier and ElGamal as opposed to lattice-based cryptography regarding quantum attackers.
Paillier's security is broken as soon as you can efficiently factor large integers, which is "easy" using Shor's algorithm. This is caused by the fact that you can easily recover the private key from the public key by factoring $n$.
ElGamal's security is broken as soon as you can efficiently compute discrete logarithms, which is "easy" using Shor's algorithm. This is caused by the fact that you can easily recover the private key from the public key by finding the $x$ such that $\alpha^x\equiv \beta\pmod p$ given everything but $x$.
With lattice-based schemes it's a bit more interesting. Some schemes, like NTRU, can hold up against quantum attackers, while others not so much, like one invented and broken by GCHQ (PDF).
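The Paillier point in the answer above, as an added example that is not part of the original answer: a toy Paillier instance in which knowing the factors of $n$ is enough to rebuild the private key and decrypt a homomorphically summed ciphertext. The primes, the fixed randomness `r`, the function names, and the use of trial division as a classical stand-in for Shor's algorithm are assumptions chosen so the code runs instantly.

```python
import math

def keygen(p, q):
    """Toy Paillier key pair from primes p, q, using generator g = n + 1."""
    n = p * q
    lam = math.lcm(p - 1, q - 1)
    # With g = n + 1, L(g^lam mod n^2) = lam mod n, so mu is its inverse mod n.
    mu = pow(lam, -1, n)
    return n, (lam, mu)

def encrypt(n, m, r):
    """c = g^m * r^n mod n^2; r is fixed by the caller here for reproducibility."""
    n2 = n * n
    return (pow(n + 1, m, n2) * pow(r, n, n2)) % n2

def decrypt(n, priv, c):
    """m = L(c^lam mod n^2) * mu mod n, with L(u) = (u - 1) / n."""
    lam, mu = priv
    u = pow(c, lam, n * n)
    return ((u - 1) // n * mu) % n

def factor_by_trial_division(n):
    """Stand-in for Shor's algorithm: only feasible because n is a toy modulus."""
    for d in range(2, math.isqrt(n) + 1):
        if n % d == 0:
            return d, n // d
    raise ValueError("n is prime")

def private_key_from_public(n):
    """Everything in the private key is a function of the factors of n."""
    p, q = factor_by_trial_division(n)
    return keygen(p, q)[1]

def demo():
    n, priv = keygen(1009, 1013)           # constructed toy primes
    c1 = encrypt(n, 1234, r=17)
    c2 = encrypt(n, 4321, r=23)
    c_sum = (c1 * c2) % (n * n)            # additive homomorphism: Enc(m1 + m2)
    recovered = private_key_from_public(n)  # uses only the public modulus
    return decrypt(n, priv, c_sum), decrypt(n, recovered, c_sum), recovered == priv

if __name__ == "__main__":
    print(demo())
```

The homomorphic property offers no protection here: once $n$ is factored, every ciphertext under that key, including derived ones, decrypts.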