Paillier cryptosystem
===Semantic security===
The original cryptosystem as shown above provides [[semantic security]] against chosen-plaintext attacks ([[IND-CPA]]). The ability to successfully distinguish the challenge ciphertext essentially amounts to the ability to decide composite residuosity. Under the so-called [[decisional composite residuosity assumption]] (DCRA), this problem is believed to be intractable.

Because of the aforementioned homomorphic properties, however, the system is [[Malleability (cryptography)|malleable]], and therefore does not enjoy the highest level of semantic security, protection against adaptive chosen-ciphertext attacks ([[IND-CCA2#Indistinguishability under chosen ciphertext attack.2Fadaptive chosen ciphertext attack .28IND-CCA1.2C IND-CCA2.29|IND-CCA2]]). In cryptography, malleability is not usually seen as an "advantage", but in certain applications, such as secure electronic voting and [[threshold cryptosystem]]s, this property may indeed be necessary.

Paillier and Pointcheval, however, went on to propose an improved cryptosystem that incorporates the combined hashing of message ''m'' with random ''r''. Similar in intent to the [[Cramer–Shoup cryptosystem]], the hashing prevents an attacker, given only ''c'', from being able to change ''m'' in a meaningful way. Through this adaptation the improved scheme can be shown to be [[IND-CCA2#Indistinguishability under chosen ciphertext attack.2Fadaptive chosen ciphertext attack .28IND-CCA1.2C IND-CCA2.29|IND-CCA2]] secure in the [[random oracle model]].
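The following sketch is an added illustration, not part of the original article: it shows the two properties discussed above on the original scheme, namely that encryption is randomized (as IND-CPA requires) and that a ciphertext can be transformed into a valid encryption of a related plaintext without the private key (malleability). The primes, the choice ''g'' = ''n'' + 1, and all function names are assumptions made for the example.

```python
import math

# Constructed toy primes, far too small for real use.
P, Q = 1789, 1861

def keygen(p=P, q=Q):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    g = n + 1                 # assumed generator choice for this example
    mu = pow(lam, -1, n)      # with g = n + 1, L(g^lam mod n^2) = lam
    return (n, g), (lam, mu)

def encrypt(pub, m, r):
    # r is normally drawn at random; it is passed in here so the
    # example is deterministic.
    n, g = pub
    assert 0 < r < n and math.gcd(r, n) == 1
    return (pow(g, m, n * n) * pow(r, n, n * n)) % (n * n)

def decrypt(pub, priv, c):
    n, _ = pub
    lam, mu = priv
    # L(x) = (x - 1) // n, then multiply by mu modulo n.
    return ((pow(c, lam, n * n) - 1) // n * mu) % n

def shift_plaintext(pub, c, k):
    """Public-key-only transform: Enc(m) becomes Enc(m + k mod n)."""
    n, g = pub
    return (c * pow(g, k, n * n)) % (n * n)

def combine(pub, c1, c2):
    """Public-key-only transform: Enc(m1), Enc(m2) become Enc(m1 + m2 mod n)."""
    n, _ = pub
    return (c1 * c2) % (n * n)

def demo():
    pub, priv = keygen()
    c_a = encrypt(pub, 1000, r=2)
    c_b = encrypt(pub, 1000, r=3)   # same message, different randomness
    shifted = shift_plaintext(pub, c_a, 234)
    summed = combine(pub, c_a, encrypt(pub, 500, r=5))
    return c_a != c_b, decrypt(pub, priv, shifted), decrypt(pub, priv, summed)

if __name__ == "__main__":
    print(demo())
```

Because the shifted ciphertext decrypts correctly, a decryption oracle cannot tell it apart from an honestly produced one, which is why the original scheme cannot meet IND-CCA2.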