A Restrained Paillier Cryptosystem and Its Applications for Access

arXiv:1912.09034v1 [cs.CR] 19 Dec 2019 tlt n fcec ftepooe protocols. proposed illustr the results of resis efficiency experimental and can The utility attack. cryptosystem plaintext Restrained-Paillier manageme chosen the key that and Securit recovery. shows our key distribution private In and identity authentication owners. identity for pr two we Secondly, protocols of secret. access three secret cannot owner common one on only of Based scheme, Fi key. control applications. private access two strong realize develop the by we on ciphe Restrained-Paillier, decrypted encryption mixed this be the not additive generate can and the which ciphertext perform multiplicative Paill We the mult modified the homomorphism. the t endowing of address tive To version by key. restrained (Restrained-Paillier), private an cryptosystem strong propose the impor t we of is of issue, decryption it the Thus, security stop down. the to break s compromised, absolutely this system or If application ciphertexts. attacked all has is decrypt administrator, differen can administrator system and under appl the key often is private even member, strong cryptosystem strong the Paillier ciphertexts system, The modified a all in the key. decrypt When decrypt can keys. public only can public key corresponding key private the weak private A under key. key private ciphertexts private strong weak a addi provides its and cryptosystem to owning This fields, many homomorphism. in applied and popular tremely cesCnrl dniyCertificates. Identity Control; Access nomto ehooisudrGatAHY150400. Initiativ Anhui Grant by under 61572452, Technologies and Information U1636201 Grant under China nomto,Uiest fSineadTcnlg fChina of Technology and China. Science of University Information, opeiys ti o e fceteog ob implemented be to enough space efficient yet and not time is high it has so com- FHE complexity But, arbitrary ciphertexts. allows over (FHE) putations encryption homomorphic Fully exposin allows without encryption, data information. key private encrypted public on of operations the kind mathematical h encrypt Fortunately, a inconvenient. encryption, then is morphic useful and which operations, perform result, required calculation to encrypte the the order decrypt perform would data, In we data, encrypted data. on [2]. operations encrypted RSA like on encryption mathematic key operations support public not does the encryption is symmetric However, kind [1 other DES like the encryption and symmetric the is kind one technology, E plctosfrAcs oto fCmo Secret Common of Control Access for Applications hswr a upre npr yteNtrlSineFounda Science Natural the by part in supported was work (email:zhangwm@ustc This Zhang Weiming author: Corresponding l h uhr r ihCSKyLbrtr fElectro-magne of Laboratory Key CAS with are authors the All ne Terms Index Abstract o,hmmrhcecyto spplri ayfields. many in popular is encryption homomorphic Now, ofietaiyo aa hr r w id fencryption of kinds two protect are to There data. used of commonly confidentiality is technology NCRYPTION TemdfidPile rpoytmhsbcm ex- become has cryptosystem Paillier modified —The etandPile rpoytmadIts and Cryptosystem Paillier Restrained A HmmrhcEcyto;PiayPreserving; Privacy Encryption; —Homomorphic .I I. iounDn,WiigZag osnSa,BiWn,Nengha Wang, Bei Shah, Mohsin Zhang, Weiming Dong, Xiaojuan NTRODUCTION ee 230026, Hefei , nQuantum in e .edu.cn). analysis y sl,we rstly, i Space tic t the ate iplica- inof tion ystem omo- rtext, the t esent tant tive the ied his ier nt, he al ], g d s t erpinkey decryption neetdcyto key decryption inherent module a scheme. cryptosystem, encryption Paillier homomorphic the additive In an domain. is Paillier [4] The ciphertext ciphertexts. tosystem suppor over the schemes calculations additive encryption allow in some homomorphic [2], data additive cryptosystem plaintext Partially homomorphic RSA of multiplicative as Partially multiplication such [3]. schemes, encryption systems real on sr copne yadcyto key decryption a by accompanied user, ytm eetees hsasmto suraoal sin the unreasonable in is tasked keys be assumption private could this of KGC user’s Nevertheless, management the decrypt and system. that distribution to so the party order Center with trusted Generation in a Key was the conspired that (KGC) that discuss CSP assumed not they the a Moreover, did data. to and [9] sent in CP authors was coul the The share key decryption. split other allow one the the Only not send and (CSP). split was provider (CP) [9] share service platform computation in One cloud shares. al. a different et to into Liu key issue, private the strong solve To cryptosystem. data. genomic patients’ all compan the pharmaceutical obtain the result, could a pharmaceutical As the benefits. to for compromised company be w may administrator, key, strong system the the preserved had However, were key. t under public patient encryption patient’s the a via company, of pharmaceutical the privacy from we genomic company The pharmaceutical involved. the s and the patients The introduced administrator, [8] test. cropping in image susceptibility al. the and et disease Ayday of privacy-preserving scaling user. help image perform the the and with can outsourcer involved. images [7] were encrypted over in user operations image server an cloud and Paillier The server modified image cloud a a a proposed where outsourcer, scheme, [7] processing in image al. cryptosystem-based data. et privacy protecting Mohanty while instance, on, calcula so and ciphertext search perform ciphertext can pa parties multiple Multiple with involved. especially schemes, their to their cryptosystem and residue [5] quadratic in of scheme group the cyclic modulo the simplified in [6] works in cryptosystem al. et Bresson module common calculat a security a in multi-party where perform and cryptosystem, communicate Paillier can the of variant module a proposed [5] e si nycndcytiscrepnigonrsciphert owner’s corresponding its λ decrypt can only it as key scle stesrn e ic tcndcytalciphertex all decrypt can it since key strong the as called is h togkylaaei hett h oie Paillier modified the to threat a is leakage key strong The [6] in Paillier modified the applied have researchers Many N N 2 . a eue o ru.Mmeso h group the of Members group. a for used be can θ hl h aidPile rpoytmhsthe has cryptosystem Paillier varied the while , N λ ahmme ftegophsa has group the of member Each . . θ scle stewa decryption weak the as called is Yu i λ N rmradShoup and Cramer . sue o nya only for used is ystem cryp- tion, rties ext. For ion ho he ce re t. d y a s 1 t 2

the MA may reveal private keys for benefits or being invaded II. PRELIMINARY by skilled attackers. In this section, we review the cryptographic primitives The exposure of strong key can destroy the security of the involved, and the system model, the security requirements of system. However, the strong key λ can not be abandoned the proposed protocols in this paper. because λ is an inherent part of the modified Paillier cryptosystem. In this paper, we propose to restrain the decryption A. Cryptographic Primitives ability of the strong key. Based on this idea, we propose In this section, we introduce typical properties of partially an restrained version of the modified Paillier cryptosystem homomorphic cryptosystems and then review the modified (Restrained-Paillier). In the Restrained-Paillier system, the Paillier cryptosystem in [6] and [5]. For the sake of brevity multiplicative ciphertext is added. We perform the additive and readability, Table I lists some notations used for the rest encryption on the multiplicative ciphertext and generate the of the paper. mixed ciphertext. The strong private key λ is used to decrypt the mixed ciphertext, obtaining the multiplicative ciphertext. TABLE I: Definitions and Notations in the Cryptosystems But the λ can not decrypt the multiplicative ciphertext to get the plaintext data. The multiplicative ciphertext only can be Symbols Definition |·| Bit length decrypted by its corresponding weak key θ. Hence, a party has pk, sk Partially homomorphic public & private key + the strong key λ and still fail to decrypt the mixed ciphertext Epk(·) Additive encryption algorithm with public key × data. We regard the KGC as a semi-trusted party. The KGC Epk(·) Multiplicative encryption algorithm with public key can manage both public and private keys, but can not obtain lcm(x,y) Lowest common multiple between x and y private keys. Specifically, the major contribution of this paper gcd(x,y) Greatest common divisor between x and y H(·) Hash Function can be summarized below. • First, the Restrained-Paillier cryptosystem supports mixed 1) Partially Homomorphic Cryptosystems: Two additive ciphertexts, which are generated by executing the additive + + ciphertexts Epk(m1) and Epk(m2) accord with the following encryption on the multiplicative ciphertexts. The strong property: + + + key decrypts the mixed ciphertexts, only getting the Epk(m1) × Epk(m2)= Epk(m1 + m2); multiplicative ciphertexts but not the plaintext data. × × Two multiplicative ciphertexts like Epk(m1) and Epk(m2) • Second, we use the property of mixed ciphertext to realize accord with the following property: access control to common secrets belonging to two owner. × × × Epk(m1) × Epk(m2)= Epk(m1 × m2). No one can obtain the the secret by oneself. Besides, a owner can control the other owner’s information obtained form their common secret. 4. Identity Authentication • Third, based on the Restrained-Paillier cryptosystem, we present three associated protocols for achieving identity 1. Hidden Key distribution and key management, identity authentication, 2. Identity Certificate 3. Private Key Recovery and private key recovery. The key management protocol Key Generation

can prevent the private key exposure. If some one lost User U i / U j Center (KGC) his/her private key, the private key recovery protocol can 5. Common recover the key. Secret • Fourth, we give security analysis that the Restrained- Fig. 1: System Model. Paillier cryptosystem can resist the chosen plaintext attack. The proposed protocols can achieve security re- 2) Paillier Cryptosystem: The pubic key is (N,g) with quirements. N|ordN 2 (g), where N = pq and p and q are two prime • Fifth, we analyze the communication and computation numbers. ordN 2 (g) is the order of g. The private key λ = Z overheads of the Restrained-Paillier cryptosystem and lcm(p − 1, q − 1). To encrypt a message m ∈ N , select a Z m+rN 2 protocols. We examine these overheads by building a sim- random r ∈ N and compute : c = g mod N . The λ λ ulator in Java to demonstrate the utility of our proposals. message can be recovered as: m = L(c )/L(g ) mod N, u−1 mod N 2 2 where L(u) = N , for all u ∈ {u

λ λ(N)xr • can be calculated. T2 = g (1 + mλN)=(1+ mλN). Recovery of Lost Private Keys. When a user loses Thus, given that gcd(λ, N)=1, m can be recovered as: m = his/her private key, the key can be restored. λ −1 L(T2 )λ mod N. The difference between the Paillier cryptosystem in [4] and III. RESTRAINED-PAILLIER CRYPTOSYSTEM the modified Paillier cryptosystem in [6] is the number of users. The Paillier cryptosystem can only be used for one user, The strong key λ of the modified Paillier system can decrypt who has the public-private key pair (N,g,λ). The modified all ciphertexts. This threatens the security of this system since Paillier cryptosystem can be used for a group of users, or an λ may be compromised. In order to address this issue, we en- organization. The member of the organization has the public dow a multiplicative homomorphic encryption to the modified and weak private key pair (N,gθ,θ) and only can decrypt the Paillier, yielding mixed ciphertexts. The mixed ciphertexts are ciphertext under gθ, while the organization manager has the obtained by additively encrypting the multiplicative cipher- public and strong private key pair (N,g,λ) and can decrypt texts. λ cannot disclose the mixed ciphertexts. The details of any ciphertext. the Restrained-Paillier cryptosystem are described as follows. Key Generation (KeyGen): The public key is (N,g,h = B. System Model & Security Requirement gθ mod N) with the base g (where p =2p′ +1, q =2q′ +1 1) System Model: The system model consists of three are safe primes). The strong key is λ, and the weak private 2 participants: a KGC, a User Ui and a User Uj , as illustrated key θ ∈ [1,N /2]. Such a g can be obtained by select a Z∗ in Fig. 1. random a ∈ N 2 but a 6= 1 mod N and computing g = KGC: The semi-trusted KGC is tasked with the key manage- −a2N mod N. The base g meets gλ mod N =1 and gNλ 2 ment and the distribution of identity certificates in the system. mod N =1, proved in Appendix A. The user Uis’ a pair of The KGC is curious-but-honest, which strictly follows the public and private key is denoted as (pki, ski). The user Uj ’s protocols, but also interested to learn private keys belonging a pair of keys is denoted as (pkj , skj ). to users. Additive Encryption (AddEnc): Given a message m ∈ Ui: The Ui registers in the system, sends his/hert hidden key ZN , choose a random r ∈ [0,N/4] and output the additive + r to the KGC and asks the KGC for his/her identity certificate. ciphertext as Epk(m) = {AC1, AC2}, where AC1 = (h N 2 r When the Ui’s private key is lost, Ui’s can recover his/her key mod N) (1 + mN) mod N ; AC2 = g mod N. with the the cooperation of the KGC. Additive Decryption with Weak Private Key (Ad- + Uj : The Uj, a registered user, authenticates the Ui’s iden- dDecWkey): An additive ciphertext as Epk(m) can be de- tity before their communication. There is a common secret crypted with private key sk = θ by calculating: m = AC1 between Ui and Uj . But no one can open the secret by oneself. L{ θ N }. [(AC2) mod N] Only with the permission of Ui, Uj can get secrets and vice Additive Decryption with Strong Private Key (Ad- versa. + dDecSkey): Use the strong key to decrypt Epk(m), m is 2) Design Goals: To efficiently support key protection, λ − calculated as :m = L[(AC ) mod N 2]λ 1 mod N, since identity authentication and access control of common secret, 1 gcd(λ, N)=1. The specific proofs are shown in Appendix our work is designed to achieve the following goals: A. • Access Control of Common Secret. A common secret Strong Private Key Splitting (SkeyS): According to the belongs to two users. One user cannot open the secret Chinese remainder theorem [10], split the strong private key without the permission of his/her companion. λ into two partial strong private keys. One, denoted as λi, is • Protection of Private Keys. To present the KGC knows sent to a party i; the other one, denoted as λ , is sent to a participants’ private keys, private keys are unavailable to j party j. λ and λ meet the following two constraints: the KGC. i j λ + λ = 0 mod λ, • Correctness of Identity Certificates. To guarantee that i j when a user sends his/her true identity certificate to the (λ1 + λj = 1 mod N. other user, the identity certificate can pass the verification Additive Decryption with Partial Strong Private Key of the other user. Step One (AddDecPSkey1): The Ui runs the algorithm. • Soundness of Identity Certificates. Assure that cor- Exploiting the partial strong private key λi, the partial de- + rupted identity certificates cannot pass verification. crypted ciphertext DC1 of Epk(m) can be calculated as: λi λi·rθ 2 • Unforgeability of Identity Certificates. A passive ad- DC1 = (AC1) = g (1 + λimN) mod N . The Ui + versary has public keys, but cannot forge a certificate of forwards {Epk(m), DC1} to the Uj. his chosen identity. Additive Decryption with Partial Strong Private Key • Existential Unforgeability Against Adaptive Chosen Step Two (AddDecPSkey2): This algorithm is run in the + Messages Attacks. An active adversary can access a Uj’s side. Given {Epk(m), DC1} and λj , the partial decrypted λj certificate oracle, which can generate legitimate identity ciphertext DC2 can be calculated as: DC2 = (AC1) = λj ·rθ 2 certificates. The adversary’s goal is to generate a legiti- g (1 + λj mN) mod N . Then, the original message m mate identity certificate of an identity, which cannot has can be recovered as: m = L[DC1 · DC2]. The specific proof been asked the certificate oracle before. Thus, this active is in Appendix B. adversary win. To stop an active adversary, our proposals Multiplicative Encryption (MulEnc): Given a message are under existential unforgeability. m ∈ ZN , choose a random number r ∈ [1,N/4] and output the 4

× ′ (r+s) −1 − r [hij ] N s 1 2 multiplicative ciphertext as Epk(m)= {MC1, MC2}, where = (hij mod N) [1 + m(hij ) N] mod N . rθ r θi sθi MC1 = mg mod N; MC2 = g mod N. Then, i computes T2 = (t2) = g mod N, and forwards ′ Multiplicative Decryption (MulDec): The multiplicative {(MixCij,1) ,T2} to j. × ciphertext Epk(m) can be decrypted with the private key sk = Step-3 (@Uj): After receiving T2, Uj uses it to MC ′ θj s 1 compute a middle result (T2) = (T2) = h mod N. θ by calculating : m = (MC )θ mod N. ij 2 Next, the additive ciphertext E+ (m) is computed as: Seen from the AddDecSkey algorithm, our strong key λ still pkij can arbitrarily decrypt the additive ciphertext E+ (m). Thus, E+ (m) pk pkij ′ the additive ciphertext cannot be used directly. We investigate ′ (T2) = [(MixCij,1) ] the approach inspired by [16]. Given a message m, we first ′ (r+s) −1· s − r [hij ] hij N s 1 s 2 = (hij mod N) [1 + m(hij ) · hij N] mod N run the MulEnc algorithm and acquire the multiplicative ′ r −1 × r (hij ) N 2 = (hij mod N) (1 + mN) mod N . ciphertext Epk(m), on which we next execute the AddEnc algorithm, and consequently we get a mixed cipheretex denoted ∗ as Epk(m), where ∗ indicates that a multiplicative ciphertext is transformed to a mixed ciphertext. Consequently, an attacker, IV. A SIMPLE APPLICATION OF RESTRAINED-PAILLIER ∗ × who gets λ, can only decrypt Epk(m)and get Epk(m), but CRYPTOSYSTEM not the original message m. The joint key of the Ui and Ui and Uj employ the Diffie-Hellman Key Exchange θiθj the Uj is hij = g mod N. This mixing process can be Agreement [15] to produce their joint public key executed between the U and the U as Fig. 2. We introduce i j h = gθiθj mod N. The common secret S between U the MultoMix algorithm as follows. ij i and Uj is encrypted under the joint key hij , producing A Multiplicative Ciphertext to A Mixed Ciphertext ∗ r N rm Epkij (S) = {((hij ) mod N) (1 + S(hij ) N) (MultoMix): 2 rm mod N ; g mod N}. Uj obtains the secret S on Step-1 (@Ui): Ui gives Uj a multiplicative ciphertext × r multiples of the number b ∈ [1,N/8]. Besides, Ui controls E (m) = {MCij,1, Cij,2}, where MCij,1 = mh pkij ij the access result using a control factor c ∈ [1,N/8]. U gets r j mod N; Cij,2 = g mod N. ′ the secret bS + c. The specific process seen in Fig. 4, is Step-2 (@Uj ): Uj randomly chooses a random r , runs described as follows. the AddEnc algorithm, and outputs the mixed cipher- ∗ ∗ text E (m) as: E (m) = {MixCij,1, MixCij,2}, pkij pkij ′ r N r 2 A. Access Control of Common Secret Protocol (ACCS) where MixCij,1 = (hij mod N) (1 + mhij N) mod N ; r N MixCij,2 = Cij,2 = g mod N. Step-1 (@Uj): (1) The Uj chooses a and d from [1, 4 ], a − ∗ r and calculates A = (h ) mod N, dA 1 and t = gθj (rm+a) Considering the mixed ciphertext Epk(m), if mhij mod N ij 1 ′ ∗ ∗ mod N. The parameter d can hide A−1. is denoted as m , Epk(m) can be rewritten as :Epk(m) = ′ ∗ ∗ r N (2) The U calculates E (bdS) = [E (S)]bd. The U {MixC , MixC }, where MixC = (h mod N) (1 + j pkij pkij j 1 2 1 ij − ∗ ′ 2 r keeps A secret and sends {t , dA 1, E (bd · S)} to the U . m N) mod N ; MixC2 = C2 = g mod N. The mixed 1 pkij i θi ciphertext actually is a variant of an additive ciphertext. If we Step-2 (@Ui): (1) The Uj computes t2 = (t1) = (rm+a) −1 use the generator g of the Paillier Cryptosystem, the message (hij ) mod N and its inverse t3 = (t2) = r 2 (rm+a) −1 mhij mod N ∈ ZN 2 is not bounded by ZN . So the Paillier [(hij ) ] mod N. cryptosystem does not hold the MultoMix algorithm. (2) The computes rm −1 and ∗ Uj cdhij = c·dA ·t2 Epkij (bdS + To convert a mixed ciphertext to an additive ciphertext, the ∗ rm . cd) = [Epkij (bdS)] · (1 + cdhij · N) process that a mixed ciphertext is transformed to an additive ∗ −1 (3) The Ui computes Epk [(bdS + cd) · A ] = ∗ ij ∗ − ciphertext is given as Fig. 3. We bring in the MixtoAdd [E (bdS + cd)]t3 . For simplicity, E [(bdS + cd) · A 1] algorithm as follows. pkij pkij is denoted as Resluti. A Mixed Ciphertext to An Additive Ciphertext (Mix- λi (4) The Ui sends to the Uj {Resluti, (Resluti) }. toAdd): Step-3 (@Uj): (1) The Uj obtains bdS + cd as: Step-1 (@Uj ): Given a mixed ciphertext A λi A ′ bdS + cd = AddDecPSkey2((Resluti) , [(Resluti) ] , λj ). ∗ r E (m)= {MixCij,1, MixCij,2}, where MixCij,1 = (h pkij ij (2) The Uj obtains bS + c = (bdS + cd)/d. N r 2 r mod N) (1 + mhij N) mod N ; MixCij,2 = g mod N, Uj chooses a random number s ∈ Z2p′q′ , and computes s V. THREE PROTOCOLS FOR KEY MANAGEMENT AND θj (r+s)θj s t1 = (MixCij,2 · g ) = g mod N and t2 = g IDENTITY AUTHENTICATION mod N. Uj sends {MixCij,1,t1,t2} to Ui. The Paillier cryptosystem [4] is used for a single user Step-2 (@Ui): Once t1 is received, Ui θi (r+s)θiθj (r+s) because the Paillier only has a private key λ. The modified first computes (t1) = g = hij (r+s) −1 Paillier cryptosystem in [6] and the proposed cryptosystem mod N and its inverse [hij ] mod N, which ′ have the special characteristic that there is a strong private Ui uses to calculate (MixCij ) as follows: ′ key and many weak keys. Because of the characteristic, the (MixCij,1) (r+s) − modified Paillier and the proposed cryptosystem can be used [h ] 1 2 = (MixCij,1) ij mod N for multi-user systems. Weak private keys are individually ′ (r+s) −1 r s − r [hij ] N r ( + ) 1 2 = (hij mod N) (1 + mhij · [hij ] N) mod N distributed to users while the system manager has the only 5

Fig. 2: A Multiplicative Ciphertext to A Mixed Ciphertext (MultoMix).

Fig. 3: A Mixed Ciphertext to An Additive Ciphertext (MixtoAdd).

θr N strong private key. In multi-user systems, key distribution and After that Ui calculates Regi = (g i mod N) (1 + riN) identity authentication are two important security issues. mod N 2 and transmits it to the KGC as a registration request.

We investigate the characteristic of the modified Paillier and Step-2 (@KGC): Once Regi is received, the KGC assigns 2 the proposed cryptosystem to present three protocols for key a unique identity IDi from [1, N /4] and produces a identity management and identity authentication. We discuss the case certificate Certi by running the AddDecPSkey1 algorithm as: where the KGC is a semi-trusted party and cannot know about Certi = {Certi,1,Certi,2}. IDi N 2 each user’s weak key. The weak key is processed by the it’s Certi,1 = (g mod N) Regi mod N θr +IDi N 2 user before sent to the KGC. When the user loses his/her weak = (g i mod N) (1 + riN) mod N . sigk 2 key, he/she can take back the weak key from the KGC. We Certi,2 = (Certi,1) mod N . use one split part of the strong key to produce the identity The KGC stores {IDi,Certi} on its servers and returns certificates, and use the other split part to validate identity {IDi,Certi} to the Ui. certificates. See the following protocols for details.

A. Identity Distribution and Key Management(IdDis & Key- B. Identity Authentication (IdAuth) Protocol Man) Protocol Before interaction, the Uj verifies the Ui’s identity through The KGC has no access to private keys of parties. For running the IdAuth protocol, seen as Fig. 6. This process is example, the Ui’s private key is generated and hidden. Then, executed as follows. the U ’s hidden key is regarded as the registration request, i Step-1 (@ ): The sends the a request for identity which is sent to the KGC. The KGC creates a unique identity Uj Uj Ui authentication. IDi, and uses it to generate an identity certificate Certi. The Step-2 (@ ): The returns , , to the . KGC returns {IDi,Certi} to Ui. The KGC uses the SkeyS Ui Ui {hi IDi Certi} Uj algorithm to produce a pair of split keys (sigk, verk), where Step-3 (@Uj): The Uj executes the AddDecPSkey2 al- sigk is used for signing Cert, and verk is public for verifying gorithm on Certi using the verification key verk, and Cert. When the Ui enrolls in the system, the IdDis& KeyMan obtains ri. The Ui uses it to compute H(ri), and com- H(ri) protocol, seen as Fig. 5, is implemented as follows. putes g mod N. Then, Uj checks whether the equation 2 Certi,1 Step-1 (@Ui): The Ui chooses θi from [1, N /4] and ri H(r )+ID N 2 =1 holds. If it holds, (hig i i mod N) (1+riN) mod N θi from [1, N/4], computes hi = g mod N as Ui’s public the Uj is safe in the knowledge of the Ui’s identity. Otherwise, key, calculates θri = θi + H(ri) and preserves it as a secret. the Uj firmly refuses the Ui’s request. 6

Fig. 4: ACCS Protocol.

Fig. 5: IdDis & KeyMan Protocol.

Fig. 6: IdAuth Protocol.

C. Private Key Recovery(PriKeyRec) Protocol VI. SECURITY ANALYSIS In this section, we will analyze the security of the If the Ui carelessly loses his/her own private key θi, the Ui Restrained-Paillier, before demonstrating the security of four can recover θi by running the PriKeyRec protocol, seen as protocols. One protocol is used to achieving the access control Fig. 7. This process is described as follows. of common secret between two users. Other three protocols

Step-1 (@Ui): The Ui issues a key recovery request IDi are used to realize secure key management and identity to the KGC. authentication. Step-2 (@KGC): Once the key recovery request is received, the KGC runs the AddDecSkey algorithm on Certi,1 A. Security of Restrained-Paillier and gets a result, denoted as ri and sent to to the Ui. Multiplicative ciphertexts of the Restrained-Paillier are Step-3 (@i): The Ui uses ri to compute H(ri), and com- secure under the INDistinguishable under Chosen Plain- H(ri) putes g mod N. Then Ui veriﬁes whether the formula text Attack (IND-CPA) model since the multiplicative ci- θr H(ri) g i = hi ·g mod N is correct. If not, the Ui dispatches phertexts same to those of the ElGamal scheme [12]. an error in calculation of ri to the KGC, and Step 2 and Step The additive ciphertext of the Restrained-Paillier, formulated r N 2 r 3 are re-executed. Otherwise, the Ui believes that ri is correct as {(h mod N) (1 + mN) mod N ; g mod N}, has and takes out θi by calculating θi = θri − H(ri). a N-power calculation more than those of the modiﬁed 7

Fig. 7: PriKeyRec Protocol.

r rm −1 Paillier cryptosystem in [6], formulated as {h (1 + mN) present Ui from computing hij = A · t2 mod N. Thus, 2 r 2 rm mod N ; g mod N }. The security of additive ciphertexts the Ui, who has gotten λ, figures out S(hij ) from the mixed ∗ of the Restrained-Paillier is still guaranteed. We give the secure ciphertext , but cannot decrypt rm with Epkij (S) S(hij ) t2 = analysis of our additive ciphertexts as follows. (rm+a) rm (hij ) or dhij . Against Additive Ciphertexts Analysis: The security of additive ciphertexts in the Restrained-Paillier C. Security of Three Key and Identity Protocols can resist Chosen Plaintext Attack (IND-CPA) [11] based on the Decisional Composite Residuosity (DCR) assumption in Theorem 2. For a passive adversary A, the identity certifi- [4]. Let N = pq be the product of two safe primes. The cates in three protocols for key and identity are unforgeable. DCR assumption approximately claims that the set of N-th A passive adversary A gets the verk that is public for powers modulo N 2 is computationally indistinguishable from verifying Cert, but cannot recover the the strong key since the the uniform distribution modulo N 2, i.e., Shamir secret sharing scheme is information-theoretic secure. Definition 1 (DCR Assumption) The Decisional Thus, A can not get the sign key sigk and uses it to generate Composite Residuosity (DCR) assumption states that {xN the signature of a message he chooses. 2 ∗ C ∗ C Theorem 3. For an active adversary A, the identity certifi- mod N : x ∈ ZN 2 }≈{x : x ∈ ZN 2 }, where ≈ denotes computational indistinguishability. cates in three protocols for key and identity are secure under Theorem 1. If the DCR assumption holds, additive cipher- Existential Unforgeability Against Adaptive Chosen Messages texts are secure under the INDistinguishable Chosen Plaintext Attacks. Attack (IND-CPA). The active adversary A gets Cert1 and Cert2 from the Proof: Assume that a polynomial time distinguisher A certificate oracle. But A can not produces a legitimate identity certificate that can pass validation, because of the properties chooses the messages m0 and m1 and sends them to a challenger C. The public key is first set as (N,g,h) where of hash functions. h = gα mod N. C flips a random coin µ ∈{0, 1}, randomly Proof: αr θ1+H(r1)+ID1 N 2 chooses r and encrypts the data mµ, obtaining {cµ = [(g Cert1,1 = (g mod N) (1 + r1N) mod N , N 2 r sigk mod N)] (1+mµN) mod N ,g mod N} that is returned Cert1,2 = (Cert1,1) . θ2+H(r2)+ID2 N 2 to A. Cert2,1 = (g mod N) (1 + r2N) mod N , sigk In A’s side, cµ is the ciphertext of m0 if and only if Cert2,2 = (Cert2,1) . c µ αr N 2 A uses Cert1 and Cert2 to generate Cert3. 1+m N = (g mod N) mod N is a N-th residue as αr 0 ∗ ∗ Cert = RN (1 + (r + r )N) mod N 2, g mod N ∈ Z ∈ Z 2 . Therefore, a successful chosen- 3,1 1 2 N N sigk plaintext attacker could decide composite residuosity, and Cert3,2 = (Cert3,1) , θ +H(r )+θ +H(r )+ID +ID vice-versa. where R = g 1 1 2 2 1 2 mod N. Against the MultoMix and MixtoAdd algorithms Anal- But Cert3 can not pass validation, because of the properties ysis: of hash functions H(r1)+ H(r2) 6= H(r1 + r2). The MultoMix and MixtoAdd algorithms are secure under the IND-CPA model because the two algorithms are based on D. Analysis of the Security Requirements the AddEnc and MulEnc algorithms. In this subsection, we show that the proposed protocol can Against Splitting of the String Key Analysis: achieve the design goals described in Section II. The privacy of divided private key is guaranteed by the Protection of Private Keys: Participants’ private keys are Shamir secret sharing scheme [13]. The strong private is hidden in the registration requests Reg, identity certificates randomly split into two shares in a way that any less than Cert, and public keys h. < Reg,Cert,h > are multiplicative two shares cannot recover the original strong key. It further ciphertexts or additive ciphertexts which are secure under the implies that the adversary cannot recover the original secret IND-CPA model. (the strong key) even the adversary gets the one share. Correctness of Identity Certificates: Correct identity certificate can pass the check in the Auth protocol. B. Security of the ACCS Protocol Soundness of Identity Certificates: Use the The ciphertexts are secure under the IND-CPA model. The corrupted identity certificate to get the result ′ ′ Ui and Uj can not use the extra data < A,t1,t2,t3 > to r = AddDecPSkey2(Cert,verk). H(r ) 6= H(r) due decrypt ciphertexts, even though they have λ. t2 is used to to strong collision resistance fails to pass the check in the rm −1 present Ui from computing hij . Besides, dA is used to Auth protocol. 8

Unforgeability of Identity Certificates: The security require- The computational costs of the three protocols are listed ment has been realized in Theorem 2. in Table III with the KGC, Ui and Uj involved. For brief, Existential Unforgeability Against Adaptive Chosen Mes- we record the communication (Commu.) costs in last row sages Attacks: The security requirement has been realized in of Table III. In Table III, the KGC’s computation cost is Theorem 3. 1.5|N| multiplications of the module-N’s square, while the Recovery of Lost Private Keys: The private key can be Ui’s computation cost is 1.5|N| multiplications of the module- restored from the identity certificate. The corrupted identity N. Hence, the KGC uses more cost than Ui uses. certificate cannot pass the check in the PriKeyRec protocol. TABLE III: Costs of Three Key and Identity Protocols Access Control of Common Secret: Nobody can decrypt the encrypted secret by oneself. This has been proved in Security IdDis&KeyMan IdAuth PriKeyRec of the ACCS Protocol. KGC 5.25|N| 1.5|N| Ui 2.625|N| 1.5|N| Uj 5.625|N| VII. PERFORMANCE ANALYSIS Commu. 6.5|N| 6|N| 0.75|N| In this section, we analyze the communication cost and 3) ACCS Protocol: The Uj asks for the common secret computation cost of the Restrained-Pailiier and our protocols. with the help the Ui. The The computational (Compu.) cost of the ACCS protocol are listed in Table IV. The Uj as the A. Theoretical Analysis requester of common secret consumes more than the Ui, the We assume that one regular exponentiation operation with helper. The communication cost is 8|N|. an exponent of length |N| requires 1.5|N| multiplications [14] TABLE IV: Costs of ACCS Protocol (i.e. length of r is |N| and that computing gr requires 1.5|N| multiplications). Since the exponentiation operation brings in Ui Uj Compu. 5.625|N| 8.0625|N| significantly higher cost than the addition and multiplication operations, we ignore the fixed numbers of addition and multiplication operations in our analysis. B. Experimental Analysis 1) Restrained-Pailiier Cryptosystem: For comparison with the Paillier, the bit length of random number is chosen We perform the experiments using a personal computer powered by an Intel(R) Core(TM) i5-4490 @3.30GHz pro- as |r| = |N|/4 and the bit length of private key is set cessor, 8 GB of RAM memory and a Windows 7 professional as |θ| = |N 2|/2 ≈ |N|. The AddEnc algorithm in the operating system. The experimental results are averagely eval- Restrained-Pailiier scheme needs 2.25|N| multiplications to encrypt a message, and the AddDecWkey algorithm consumes uated over 1000 times using a custom simulator built in Java. 1) Restrained-Pailiier Cryptosystem: The evaluation of the 3|N| multiplications to decrypt an aditive ciphertext while the computational cost of the Restrained-Pailiier are listed in Table AddDecSkey algorithm uses up 1.5|N| multiplications. The V. Computation cost increases with increasing . Seen from overhead comparison between the modified Paillier cryptosys- |N| Table V, operations on multiplicative ciphertexts cost far less tem in [6] and Restrained-Paillier is listed in Table II. The than operations on additive ciphertexts. When , computation cost of the AddEnc algorithm in the Restrained- |N| = 1024 time consumption is acceptable. But when |N| = 2048, time Pailiier is more 1.5|N| than that in the modified Paillier. It consumption is too long. is because the calculation of gN in the Restrained-Pailiier 2) Our Protocols: The computational cost of IdDis & occupies 1.5|N|. KeyMan protocol is shown in Fig. 8(a). The computational TABLE II: Cost Comparison between Restrained-Paillier and cost of PrivKeyRec protocol is shown in Fig. 8(b). Seen from Modified Paillier Fig. 8(a) and Fig. 8(b), the KGC uses more overhead than Ui uses. The computation overhead of the PrivKeyRec protocol Restrained − Paillier Paillier is far lower than that of the IdDis & KeyMan protocol. AddEnc 2.25|N| 0.75|N| AddDecSkey 1.5|N| 1.5|N| The computational cost of the IdAuth protocol is listed in Table VI, where only the verifier needs to do calculations. The AddDecPSkey1 algorithm and AddDecPSkey2 algo- The computational cost of the ACCS protocol, shown in Fig. rithm both consume 3|N| multiplications, respectively as both 8(c). The party requesting the common secret Uj costs more the length of λ1 and λ2 is 2|N|. The MulEnc algorithm than the than the other party Ui does. occupies 0.75|N| multiplications, the MulDec algorithm needs The communication overhead of the four protocol is shown 1.5|N| multiplications. The MultoMix algorithm requires in Fig. 8(d), where B represents 8 bits. The communication 1.875|N| multiplications and the MixtoAdd algorithm needs overhead of the ACCS protocol is highest and the communi- 3|N| multiplications. cation overhead of the PrivKeyRec protocol is lowest, seen 2) Three Key Management and Identity Protocols: The bit from Fig. 8(d). length of random number is chosen as |r| = |N|/4, the bit length of private key is set as |θ| = |N 2|/4 ≈ |N|/2, the bit VIII. CONCLUSION length of identity is set as |ID| = |N 2|/4 ≈ |N|/2 and the We present the Restrained-Paillier cryptosystem, holding bit length of hash function is set as |N|/4. back the decryption of the strong key in the modified Paillier 9

TABLE V: The Performance of Restrained-Pailiier with Different |N|/(ms) |N| 512 768 1024 1280 1536 1792 2048 Algorithm AddEnc 1.398 4.511 9.875 19.743 32.903 50.88 75.209 AddDecSkey 1.108 3.84 8.529 17.284 28.81 44.89 66.343 AddDecWkey 1.664 5.27 11.397 22.55 37.325 57.7057 85.152 AddDecSkey1 2.217 7.59 16.96 34.188 57.402 88.513 130.504 AddDecSkey2 2.191 7.568 16.939 34.172 57.977 88.739 130.623 MulEnc 0.296 0.679 1.397 2.612 4.324 6.792 9.767 MulDec 0.531 1.315 2.634 5.141 8.461 13.557 19.336

TABLE VI: The Performance of the IdAuth Protocol with Different |N| |N| 512 768 1024 1280 1536 1792 2048 IdAuth Uj (ms) 3.856 10.753 23.97 51.637 87.415 122.662 190.095 Commu. (B) 382.413 575.19 766.523 958.19 1150.640 1342.426 1534.70

(a) (b)

(c) (d) Fig. 8: Evaluation ﬁndings. (a) Run time of the IdDis & Key Man Protocol (vary with bit length of N). (b) Run time of the PriKeyRec Protocol (vary with bit length of N). (c) Run time of the ACCS Protocol (vary with bit length of N). (d) Communication cost of four protocols (vary with bit length of N). 10

cryptosystem. The Restrained-Paillier provides both additive In the splitting method, λ1 + λ2 ≡ nλ(0 ≤ n ≤ λ − 1) and ciphertexts, multiplicative ciphertexts and mixed ciphertexts. λ1 + λ2 ≡ 1+ kN(0 ≤ k ≤ N). We can obtain the Equation Mixed ciphertexts can not be decrypted by the strong key. (5). Using the the property of mixed ciphertext, we propose the AC(λ1+λ2) = (gθr mod N)nλN [1 + m(1 + kN)N] ACCS protocol that can control the access to the common = [1 + m(1 + kN)N] mod N 2 secret of two users. Moreover, exploiting the property of (5) Restrained-Paillier, we put forward three protocols about the =1+ mN + mkN 2 mod N 2 distribution of identity certificate, the identity authentication, =1+ mN mod N 2 key management and retrieval of private keys. Based on the security of Restrained-Paillier, the security of our protocols The Equation (5) can make m = L[AC(λ1+λ2)] hold. are guaranteed. We have calculated the computation and communication overheads of the Restrained-Paillier, our protocols. REFERENCES The simulation results show that these protocols use up less [1] National Bureau of Standards (NBS), “Data Encyption Standard (DES),” time consumption and low transmission cost. Hence, our FIPS Pub. 46, Jan. 1977. protocols are attractive for practical applications. Future work [2] R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Commun. ACM, vol. 21, no. 2, will focus on how to apply the Restrained-Paillier onto digital pp. 120-126, Feb. 1978. signatures, especially proxy re-signatures. [3] L. Morris, “Analysis of partially and fully homomorphic encryption,” Rochester Institute of Technology, 2013, pp. 1-5. [4] P. Paillier, “Public-key cryptosystems based on composite degree residuosity classes,” in Proc. Int. Conf. Theory Appl. Cryptograph. Techn. Adv. APPENDIX A Cryptol. (EUROCRYPT), Prague, Czech Republic, May 1999, pp. 223- ∗ 238. Select a a ∈ ZN 2 and a mod N 6= 1. The Euler function [5] Ronald Cramer and Victor Shoup, ”Universal hash proofs and a paradigm ′ ′ is denoted as ϕ(N) = (p − 1)(q − 1) = 4p q . Calculate the for adaptive chosen ciphertext secure public-key encryption,” in Proc. Int. base g as follows. Conf. Theory Appl. Cryptograph. Techn. Adv. Cryptol. (EUROCRYPT), Amsterdam, The Netherlands, Apr./May 2002, pp. 45C64. 2N [6] E. Bresson, D. Catalano, and D. Pointcheval, ”A simple public-key g = −a mod N cryptosystem with a double trapdoor decryption mechanism and its = −(a mod N)2N mod N applications,” Proceedings of Asiacrypt, 2003. (1) [7] M. Mohanty, M. R. Asghar, and G. Russello, “2DCrypt: Image scaling = −(a mod N)2pq mod ϕ(N) mod N and cropping in encrypted domains,” IEEE Trans. Inf. Forensics Security, vol. 11, no. 11, pp. 2542-2555, Nov. 2016. − − = −(a mod N)2(p 1)(q 1) mod N [8] E. Ayday, J. L. Raisaro, J. Rougemont, & J. P. Hubaux, ”Protecting and Evaluating Genomic Privacy in Medical Tests and Personalized Medicine,” Acm Workshop on Workshop on Privacy in the Electronic 2(p−1)(q−1) ∗ For simplicity, let γ = (a mod N) ,γ ∈ ZN . The Society, 2013. Equation (1) can be rewritten as the Equation (2). [9] X. Liu, R. H. Deng, K. K. R. Choo, and J. Weng, “An efficient privacy- preserving outsourced calculation toolkit with multiple keys,” IEEE Trans 2 Inf. Forensics Security, vol. 11, no. 11, pp. 2401-2414, Nov. 2016. g = −γ mod N (2) [10] C. Ding, ”Chinese Remainder Theorem,” Singapore: World Scientific, 1996. Obtain the Equation (3) using the Equation (2). [11] J. Katz and Y. Lindell. Introduction to Modern Cryptography. CRC Press, 2014. [12] T. ElGamal, “A public key cryptosystem and a signature scheme based ϕ(N) λ g 2 = g = 1 mod N (3) on discrete logarithms,” IEEE Trans. Inf. Theory, vol. 31, no. 4, pp. 469- 472, Jul. 1985. ∗ θr ∗ θr [13] A. Shamir, ”How to share a secret,” Commun. ACM, vol. 22, no. 11, Since g ∈ ZN , g mod N ∈ ZN . Let µ = g mod N. pp. 612-613, Nov. 1979. Since N is the product of p and q, N has no primitive root. [14] E. Barker, W. Barker, W. Burr, W. Polk, and M. Smid, “Recommen- ′ ′ ϕ(N) 2p q λ λ dation for key management-Part 1: General (revision 4),” NIST Special µ 2 = µ = µ = 1 mod N. Obtain µ = 1+ kN 2 Publication 800-57, Sept. 2015. mod N (0 ≤ k ≤ N − 1) and the Equation (4). [15] W. Diffie and M. E. Hellman, “New directions in cryptography,” IEEE Trans.Inf. Theory, vol. 22, no. 6, pp. 644-654, Nov. 1976. (µλ)N = (1+ kN)N [16] H. W. Lim, S. Tople, P. Saxena, and E. Chang, “Faster secure arithmetic 1 N N computation using switchable homomorphic encryption,” IACR Cryptol. =1+ C · kN + ··· + C · (kN) ePrint Arch. Tech. Rep. 2014/539, Jul. 2014. N N (4) =1+ kN 2 mod N 2 = 1 mod N 2

Thus, (gθr mod N)λ mod N 2 = 1 mod N 2 holds.

APPENDIX B

In the AddDecPSkey2 algorithm, AC(λ1+λ2) = (gθr (λ1+λ2)N 2 mod N) (1+m(λ1+λ2)N) mod N . We will prove that the method of splitting the strong key λ can make AddDecPSkey2 algorithm decrypt m.