International Association
for Cryptologic Research

In Paillier's scheme, $c=y^{m}x^{n}\,\mathrm{mod}\,n^{2},\,m \in Z_{n},\,x \in Z_{n^{2}}^{*},\,n=PQ$ is a product of two large primes. Damgård and Jurik generalized Paillier's scheme to reduce the ciphertext expansion, $c=y^{m}x^{n^{s}}\,\mathrm{mod}\,n^{s+1},\,m \in Z_{n^{s}},\,x \in Z_{n^{s+1}}^{*}$. In this paper, we propose a new generalization of Paillier's scheme and prove that our scheme is IND-CPA secure under $k$-subgroup assumption for $\Pi_{k}$. Compared to Damgård and Jurik's generalization, our scheme has three advantages. (a)We use the modulus $P^{a}Q^{b}$ instead of $P^{a}Q^{a}$, so it is more general. (b)We use a general $y$ satisfying $P^{a-1} | order_{P^{a}}(y), \,Q^{b-1} | order_{Q^{b}}(y)$ instead of $y=(1+PQ)^{j}x \,\mathrm{mod}\,N$ which is used in Damgård and Jurik's generalization. (c)Our decryption scheme is more efficient than Damgård and Jurik's generalization system.