Paillier Threshold Encryption WebService
by Brett Wilson

Paillier Encryption
Trapdoor Discrete Logarithm Scheme
  $c = g^M r^n \bmod n^2$
    n is an RSA modulus
    g is an integer of order $n\alpha$ mod $n^2$
    r is a random number in $Z_n^*$
  $M = \dfrac{L(c^{\lambda(n)} \bmod n^2)}{L(g^{\lambda(n)} \bmod n^2)} \bmod n$
    $L(u) = (u-1)/n$, $\lambda(n) = \mathrm{lcm}(p-1, q-1)$

Important Properties
  Homomorphic
    $E(M_1 + M_2) = E(M_1) \times E(M_2)$, $E(k \times M) = E(M)^k$
  Self-blinding
    Re-encryption with a different r doesn't change M

Threshold Encryption
  Public key encryption as usual
  Distribute secret key "shares" among i participants
  Decryption can only be accomplished if a threshold number t of the i participants cooperate
  No information about m can be obtained with less than t participants cooperating

Threshold Paillier Encryption
  Different public key and secret key generation algorithm
  Distribute secret key shares using Shamir Secret Sharing scheme
  "Sharing Decryption in the Context of Voting or Lotteries", Fouque, Poupard, and Stern, 2000

Threshold Paillier Encryption WebService
Key generation algorithm
  Input
    k – size of key
    l – number of shares to generate
    One RSA public key (of the designated participant) for each share
    t – threshold parameter
  Output
    Public Key PK
    List $SK_1, \dots, SK_l$ of private key shares
      Encrypted with supplied RSA keys so only designated participant can recover the key share
    List of Verifier Keys $VK, VK_1, \dots, VK_l$

Threshold Paillier Encryption WebService
Encryption Algorithm
  Input
    Public Key PK
    Random string r
    Cleartext M
  Output
    Ciphertext c
Share Decryption Algorithm
  Input
    Ciphertext c
    Private Key Share $SK_i$
      Encrypted with public key of webservice
  Output
    Decryption share $c_i$
    Validity proof $p_i$

Threshold Paillier Encryption WebService
Combining Algorithm
  Input
    Ciphertext c
    List of decryption shares $c_1, \dots, c_l$
    List of verification keys $VK, VK_1, \dots, VK_l$
    List of validity proofs $P_1, \dots, P_l$
  Output
    M
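
The key generation, share decryption and combining steps above, as an added Python example that is not code from the original slides or the web service. It assumes a simplified variant with g = n + 1 and a secret d with d ≡ 0 (mod m) and d ≡ 1 (mod n), as in Damgård and Jurik's generalisation, rather than the exact key generation of the cited paper; validity proofs, verifier keys and RSA wrapping of shares are left out, and the primes are constructed toy values.

```python
import math
import secrets

# Constructed toy key (assumption): safe primes p = 2p'+1, q = 2q'+1; real keys are far larger.
P, Q = 1019, 2063
N = P * Q
N2 = N * N
M_ORD = ((P - 1) // 2) * ((Q - 1) // 2)    # m = p'q'
NM = N * M_ORD
D = M_ORD * pow(M_ORD, -1, N)              # secret d: d = 0 mod m and d = 1 mod n

def encrypt(msg):
    """c = g^M r^n mod n^2 with g = n + 1 (assumption) and r in Z_n^*."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return pow(N + 1, msg, N2) * pow(r, N, N2) % N2

def deal_shares(l, t):
    """Shamir-share d with a random degree t-1 polynomial over Z_{nm}; share i is f(i)."""
    coeffs = [D] + [secrets.randbelow(NM) for _ in range(t - 1)]
    return {i: sum(a * i**k for k, a in enumerate(coeffs)) % NM
            for i in range(1, l + 1)}

def share_decrypt(c, s_i, l):
    """Participant i's decryption share c_i = c^(2 * l! * s_i) mod n^2."""
    return pow(c, 2 * math.factorial(l) * s_i, N2)

def combine(dec_shares, l):
    """Recover M from {i: c_i}; needs at least t entries to give the right answer."""
    delta = math.factorial(l)
    acc = 1
    for i, c_i in dec_shares.items():
        num, den = delta, 1
        for j in dec_shares:
            if j != i:
                num, den = num * -j, den * (i - j)
        mu = num // den                     # l!-scaled Lagrange coefficient at 0, an integer
        acc = acc * pow(c_i, 2 * mu, N2) % N2
    # acc = (1 + n)^(4 * delta^2 * M) mod n^2, so strip the known factor 4 * delta^2
    return (acc - 1) // N * pow(4 * delta * delta, -1, N) % N
```

No participant ever reconstructs d: each one only exponentiates the ciphertext with its own share, and the combiner works on the resulting decryption shares.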

Use of WebService in Secure Voting
  Ballot format: pick 1 out of c candidates
    Vote = $2^{c \cdot \log_2 v}$ where c is the desired candidate number (0…c) and v is the next power of 2 greater than the maximum number of voters
  All Paillier-encrypted votes could be publicly posted
  At end of election, all encrypted votes could be multiplied together (publicly verifiable)
  With cooperation of the required threshold number of "authorities", the final product could be decrypted to reveal the vote total (sum of individual votes).
    A threshold number of authorities would not agree to decrypt a single particular vote, and thus the individual votes would remain private
  All computations are publicly verifiable given the validity proofs
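
The ballot encoding and homomorphic tally described above, as an added Python example that is not code from the original slides. It assumes g = n + 1, uses a constructed toy key built from two Mersenne primes, and decrypts the product with a single key where the slides would use threshold decryption; the function names are illustrative.

```python
import math
import secrets

# Constructed toy key (assumption): two known Mersenne primes; real keys are far larger.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
N2 = N * N
G = N + 1                                              # assumption: g = n + 1
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)      # lambda(n) = lcm(p-1, q-1)

def L(u):
    return (u - 1) // N

def random_unit():
    """Random r in Z_n^*."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return r

def encrypt(m):
    return pow(G, m, N2) * pow(random_unit(), N, N2) % N2   # c = g^M r^n mod n^2

def decrypt(c):
    return L(pow(c, LAM, N2)) * pow(L(pow(G, LAM, N2)), -1, N) % N

def reblind(c):
    """Self-blinding: multiply by a fresh r^n; the plaintext is unchanged."""
    return c * pow(random_unit(), N, N2) % N2

def encode_vote(candidate, bits):
    return 1 << (candidate * bits)                     # Vote = 2^(c * log2 v)

def tally(ciphertexts):
    """Public step: the product of ciphertexts encrypts the sum of the votes."""
    product = 1
    for c in ciphertexts:
        product = product * c % N2
    return product

def run_election(choices, candidates, max_voters):
    bits = max_voters.bit_length()                     # v = 2^bits > max_voters
    if candidates * bits >= N.bit_length():
        raise ValueError("tally would overflow the plaintext space Z_n")
    board = [reblind(encrypt(encode_vote(c, bits))) for c in choices]
    total = decrypt(tally(board))                      # only the product is decrypted
    return [(total >> (k * bits)) & ((1 << bits) - 1) for k in range(candidates)]
```

Each candidate's count occupies its own log2(v)-bit field of the decrypted sum, which is why v must exceed the number of voters and the whole tally must stay below n.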

Implementation Tools
  Visual Studio 2005
    VB.NET
  Gnu Multiprecision Library (Gmp)
    Open source arbitrary precision numeric library
    Compiled under Visual Studio 2005
  NGmp
    Open source VB.NET binding of gmp.dll
    Enables calling of gmp library functions through VB.NET
    Compiled under Visual Studio 2005