Paillier Threshold Encryption WebService

Paillier Threshold Paillier Threshold Encryption WebServiceEncryption WebService

byby

Brett WilsonBrett Wilson

Paillier EncryptionPaillier EncryptionTrapdoor Discrete Logarithm SchemeTrapdoor Discrete Logarithm Scheme c = gc = gMMrrnn mod n mod n22

n is an RSA modulusn is an RSA modulus g is an integer of order ng is an integer of order nαα mod mod nn22

r is a random number in r is a random number in ZZnn**

M = L(cM = L(cλλ(n)(n) mod mod nn22)/L(g)/L(gλλ(n)(n) mod mod nn22) mod n) mod n L(u) = (u-1)/n, L(u) = (u-1)/n, λλ(n)=lcm((p-1)(q-1))(n)=lcm((p-1)(q-1))

Important PropertiesImportant Properties HomomorphicHomomorphic

E(ME(M11 + M + M22) = E(M) = E(M11) x E(M) x E(M22), E(k x M) = E(M)), E(k x M) = E(M)kk

Self-blindingSelf-blindingRe-encryption with a different r doesn’t change MRe-encryption with a different r doesn’t change M

Threshold EncryptionThreshold Encryption

Public key encryption as usualPublic key encryption as usual

Distribute secret key “shares” among i Distribute secret key “shares” among i participantsparticipants

Decryption can only be accomplished if a Decryption can only be accomplished if a threshold number t of the i participants threshold number t of the i participants cooperatecooperate No information about m can be obtained with No information about m can be obtained with

less than t participants cooperatingless than t participants cooperating

Threshold Paillier EncryptionThreshold Paillier Encryption

Different public key and secret key Different public key and secret key generation algorithmgeneration algorithm

Distribute secret key shares using Shamir Distribute secret key shares using Shamir Secret Sharing schemeSecret Sharing scheme

“ “Sharing Decryption in the Context of Sharing Decryption in the Context of Voting or Lotteries” Fouque, Poupard, and Voting or Lotteries” Fouque, Poupard, and Stern 2000Stern 2000

Threshold Paillier Encryption Threshold Paillier Encryption WebServiceWebService

Key generation algorithmKey generation algorithm InputInput

k – size of keyk – size of key l – number of shares to generatel – number of shares to generate

One RSA public key (of the designated participant) for each One RSA public key (of the designated participant) for each shareshare

t – threshold parametert – threshold parameter OutputOutput

Public Key PKPublic Key PK

List SKList SK11, …, SK, …, SKll of private key shares of private key shares Encrypted with supplied RSA keys so only designated Encrypted with supplied RSA keys so only designated

participant can recover the key shareparticipant can recover the key share

List of Verifier Keys VK, VKList of Verifier Keys VK, VK11, …,VK, …,VKll


Encryption AlgorithmEncryption Algorithm InputInput

Public Key PKPublic Key PK

Random string rRandom string r

Cleartext MCleartext M OutputOutput

Ciphertext cCiphertext c

Share Decryption AlgorithmShare Decryption Algorithm InputInput


Private Key Share SkPrivate Key Share Skii

Encrypted with public key of webserviceEncrypted with public key of webservice

OutputOutput Decryption share cDecryption share cii

Validity proof pValidity proof pii



Combining AlgorithmCombining Algorithm InputInput


List of decryption shares cList of decryption shares c11,…,c,…,cll

List of verification keys VK, VKList of verification keys VK, VK11…VK…VKll

List of validity proofs PList of validity proofs P11,…P,…Pll

OutputOutput MM

Use of WebService in Secure Use of WebService in Secure VotingVoting

Ballot format: pick 1 out of c candidatesBallot format: pick 1 out of c candidates Vote = 2Vote = 2c*logc*log22vv where c is the desired candidate number (0…c) where c is the desired candidate number (0…c)

and v is the next power of 2 greater than the maximum number and v is the next power of 2 greater than the maximum number of votersof voters

All Paillier-encrypted votes could be publicly postedAll Paillier-encrypted votes could be publicly postedAt end of election, all encrypted votes could be multiplied At end of election, all encrypted votes could be multiplied together (publicly verifiable)together (publicly verifiable)With cooperation of the required threshold number of With cooperation of the required threshold number of “authorities”, the final product could be decrypted to “authorities”, the final product could be decrypted to reveal the vote total (sum of individual votes).reveal the vote total (sum of individual votes).

A threshold number of authorities would not agree to decrypt a A threshold number of authorities would not agree to decrypt a single particular vote, and thus the individual votes would remain single particular vote, and thus the individual votes would remain privateprivate

All computations are publicly verifiable given the validity proofsAll computations are publicly verifiable given the validity proofs

Implementation ToolsImplementation Tools

Visual Studio 2005Visual Studio 2005 VB.NETVB.NET

Gnu Multiprecision Library (Gmp)Gnu Multiprecision Library (Gmp) Open source arbitrary precision numeric libraryOpen source arbitrary precision numeric library Compiled under Visual Studio 2005Compiled under Visual Studio 2005

NGmpNGmp Open source VB.NET binding of gmp.dllOpen source VB.NET binding of gmp.dll Enables calling of gmp library functions through Enables calling of gmp library functions through

VB.NETVB.NET Compiled under Visual Studio 2005Compiled under Visual Studio 2005

Paillier Threshold Encryption WebService

Documents

Transcript of Paillier Threshold Encryption WebService