The Damgård–Jurik cryptosystem is a generalization of the Paillier cryptosystem. It uses computations modulo ${\displaystyle n^{s+1}}$ where ${\displaystyle n}$ is an RSA modulus and ${\displaystyle s}$ a (positive) natural number. Paillier's scheme is the special case with ${\displaystyle s=1}$. The order ${\displaystyle \varphi (n^{s+1})}$ (Euler's totient function) of ${\displaystyle Z_{n^{s+1}}^{*}}$ can be divided by ${\displaystyle n^{s}}$. Moreover, ${\displaystyle Z_{n^{s+1}}^{*}}$ can be written as the direct product of ${\displaystyle G\times H}$. ${\displaystyle G}$ is cyclic and of order ${\displaystyle n^{s}}$, while ${\displaystyle H}$ is isomorphic to ${\displaystyle Z_{n}^{*}}$. For encryption, the message is transformed into the corresponding coset of the factor group ${\displaystyle G\times H/H}$ and the security of the scheme relies on the difficulty of distinguishing random elements in different cosets of ${\displaystyle H}$. It is semantically secure if it is hard to decide if two given elements are in the same coset. Like Paillier, the security of Damgård–Jurik can be proven under the decisional composite residuosity assumption.