Comparison of the Paillier and ElGamal for Smart Grid Aggregation Protocols

Fabian Knirsch a, Andreas Unterweger, Maximilian Unterrainer and Dominik Engel Center for Secure Energy Informatics, Salzburg University of Applied Sciences, Urstein Sud¨ 1, 5412 Puch/Hallein, Austria {firstname.lastname}@en-trust.at

Keywords: Secure Aggregation, Paillier , ElGamal Cryptosystem, Privacy.

Abstract: Many smart grid applications require the collection of fine-grained load data from customers. In order to pro- tect customer privacy, secure aggregation protocols have been proposed that aggregate data spatially without allowing the aggregator to learn individual load data. Many of these protocols build on the Paillier cryptosys- tem and its additively homomorphic property. Existing works provide little or no justification for the choice of this cryptosystem and there is no direct performance comparison to other schemes that allow for an additively homomorphic property. In this paper, we compare the ElGamal cryptosystem with the established Paillier cryptosystem, both, conceptually and in terms of runtime, specifically for the use in privacy-preserving aggre- gation protocols. We find that, in the ElGamal cryptosystem, when made additively homomorphic, the runtime for and decryption is distributed more asymmetrically between the smart meter and the aggregator than it is in the Paillier cryptosystem. This better reflects the setup typically found in smart grid environments, where encryption is performed on low-powered smart meters and decryption is usually performed on power- ful machines. Thus, the ElGamal cryptosystem is a better, albeit overlooked, choice for secure aggregation protocols.

1 INTRODUCTION needs to be trusted for performing the correct aggre- gation (Unterweger et al., 2019). Figure 1 shows the Collecting fine-grained load data from smart me- principal setup and actors of such a smart grid aggre- ters installed in the customer premises has shown to gation protocol. pose severe privacy risks (Wicker and Thomas, 2011; Existing works, e.g., (Li et al., 2010; Erkin and McKenna et al., 2012; Burkhart et al., 2018). To mit- Tsudik, 2012; Erkin, 2015; Rane et al., 2015) provide igate them, secure aggregation protocols have been little or no justification for the choice of the cryptosys- proposed by many authors for privacy-preserving data tem and most commonly employ the Paillier scheme aggregation in the smart gird, e.g., (Li et al., 2010; (Paillier, 1999). Only very few publications make Erkin and Tsudik, 2012; Knirsch et al., 2017). These use of the ElGamal cryptosystem in the context of protocols protect customer privacy by only providing smart grids, e.g., (Busom et al., 2016). To the best the sum of load data from a number of households at of our knowledge, there exists no performance com- one point in time (Buescher et al., 2017). parison between the Paillier cryptosystem and the El- One approach for secure aggregation protocols is Gamal cryptosystem (ElGamal, 1985), which are the to employ an additively homomorphic cryptosystem two most commonly used homomorphic cryptosys- and an entity that acts as a (semi-trusted) aggrega- tems (Armknecht et al., 2013) and also those with tor. Each smart meter encrypts its individual mea- the highest security guarantees (Fontaine and Galand, surement and sends the encrypted value to the aggre- 2007). gator. The aggregator uses the additively homomor- While ElGamal is more lightweight in terms of phic property of the underlying cryptosystem to cal- encryption complexity, it is multiplicative homo- culate the encrypted sum and forwards this sum to the morphic, but can be made additively homomorphic energy provider, who decrypts it. This way, the ag- (Cramer et al., 1997). This can be advantageous for gregator does not learn individual meter readings, but low-powered devices such as smart meters. For this reason, the ElGamal cryptosystem is already widely a https://orcid.org/0000-0002-6346-5759 employed in e-voting applications, as presented in 1.2 Contribution EP

! This paper briefly presents both, the Paillier and the E (∑i mi) = ∏i E(mi) ElGamal cryptosystems with extensions from the lit- erature to make them comparable for additive homo- A morphic operations. The main contribution of this pa- E(m1) E(mN) E(m ) per is the runtime analysis and comparison of the two 2 cryptosystems for aggregated smart meter data. The

SM1 SM2 ... SMN detailed analysis of encryption and decryption times as well as of each relevant algorithmic step allows Figure 1: Aggregation protocol with homomorphic encryp- for conclusions on the suitability and practicability of tion: Each smart meter (SMi) sends its encrypted value both cryptosystems for secure aggregation. It also al- E(mi) to the aggregator (A). The aggregator calculates the lows for recommendations on which system to prefer sum of the values in the domain using the addi- for this smart grid aggregation use case. In this paper, tive homomorphic property of the cryptosystem. The result we find that the ElGamal cryptosystem is overlooked is sent to the energy provider (EP) which decrypts it to ob- for many proposed protocols. The encryption is more m tain the plaintext sum ∑i i of the readings. lightweight compared to Paillier cryptosystem and the (Adida, 2008; Chaum et al., 2008; Culnane et al., additional overhead at decryption can be mitigated by 2015). powerful devices in the EP’s premises or is negligible for practical applications. 1.1 Related Work 1.3 Structure The properties of the Paillier cryptosystem have been investigated in detail by, e.g., (Catalano et al., 2001; The paper is structured as follows: Section 2 de- Damgard˚ and Jurik, 2001; Damgard˚ et al., 2010). scribes the Paillier and ElGamal cryptosystems, as The same is true for a number of variations of the well as additional algorithms to make them compara- system, e.g., (Fouque et al., 2001; Galbraith, 2002; ble. Section 3 compares both cryptosystems and their Hazay et al., 2012). Similarly, investigations for the application for privacy-preserving aggregation. Sec- ElGamal cryptosystem and its variations exist, e.g., tion 4 summarizes the findings and gives an outlook (Cramer and Shoup, 2003; Kumar and Madrai, 2012; to future work. Armknecht et al., 2013). A general runtime comparison between the ElGa- mal and the multiplicative homomorphic RSA cryp- 2 BACKGROUND tosystem has been conducted by (Maqsood et al., 2017). However, the Paillier cryptosystem has not In this section, the Paillier and ElGamal cryptosys- been considered in their analysis, as opposed to our tems, which are compared in this paper, are explained work. briefly, together with their relevant properties. In ad- A non-peer-reviewed publication titled “An exper- dition, the Cramer transformation is described which imental study on Performance Evaluation of Asym- allows using the ElGamal cryptosystem in such a way metric Encryption Algorithms” by Farah et al. exists that it becomes comparable to the Paillier cryptosys- which describes runtime results for both, the Paillier tem. Furthermore, multiple algorithms for calculating and ElGamal cryptosystems. However, their reported the aggregate after ElGamal decryption are described. results do not increase with increasing plaintext size and even drop to zero for some plaintexts, casting 2.1 Paillier Cryptosystem doubts on their numbers and thus their conclusions. To the best of our knowledge there is currently no The Paillier cryptosystem is an additively homomor- comparison of the Paillier and ElGamal cryptosystem phic, semantically secure public-private cryp- in the context of smart grid aggregation protocols and tosystem (Paillier, 1999; Catalano et al., 2001). no analysis of the suitability of the latter in practical An additively homomorphic cryptosystem fulfills the setups exists. Thus, this aspect is investigated in this equation paper. D(E(m1) · E(m2)) = m1 + m2

for two plaintexts m1 and m2, where E and D denote the encryption and decryption functions, respectively. Given two large prime number p and q of the same 2.4 Brute Force Algorithm length, the public key (n,g) is calculated by n = pq, g = n + 1 To recover m from m0 = gm (mod q) with known g 0 and the private key λ is calculated by and q, the logg(m ) = m (mod q) can be solved by brute forcing all possible values of λ = ϕ(n), µ = ϕ(n)−1 mod n, m, until a solution is found. The complexity of this al- where ϕ(n) = (p − 1)(q − 1). gorithm is O(q). If it is known that m is within a given Encryption of a plaintext m ∈ {0,1,...,n−1} to a interval [0,b], the complexity is reduced to O(b). ciphertext c is performed by Linear speedup can be achieved by parallelizing m n 2 c = g r mod n , the brute-force search. While not reducing the com- with a random number r ∈ {1,2,...,n − 1}. plexity itself, the constant factor of the runtime is re- Given two c1 and c2, the additive ho- duced proportional to the number of parallel searches. momorphic property can be shown by m1+m2 n 2 c1 · c2 = g (r1 · r2) mod n . 2.5 Pollard’s Lambda Algorithm Decryption of the above expression will result in the sum of m1 and m2. Pollard’s Lambda algorithm is designed to solve the discrete√ logarithm and achieves a runtime complexity 2.2 ElGamal Cryptosystem of O b − a for a plaintext in the interval m ∈ [a,b] (Pollard, 1978). This assumes that m is with certainty The ElGamal cryptosystem is a public-private key within the defined interval. cryptosystem with a multiplicatively homomorphic Pollard’s Lambda algorithm rewrites m = b + d − property (ElGamal, 1985). A multiplicatively homo- dk (mod q) for a k ∈ [0,I − 1]. I can be chosen ac- morphic cryptosystem fulfills the equation cording to (Pollard, 1978). First, a sequence x0...I is computed where x = gb and D(E(m1) · E(m2)) = m1 · m2. 0 Given a publicly known cyclic group G of order q f (xi) xi+1 = xig , with a publicly known generator g, the public key is h = gr, with f being a parameterizable pseudorandom func- tion. d is calculated as with r ∈ {1,2,...,q − 1} being randomly chosen. r is the private key. I−1 Encryption of a plaintext m to a ciphertext c is per- d = ∑ f (xi). formed by i=0 s s 0 c1 = g , c2 = m · h , Then, a sequence y0...k is computed where y0 = m , with a randomly chosen s ∈ {1,2,...,q − 1}. f (yi) Calculating the product of two ciphertexts yields yi+1 = yig , the product of the corresponding plaintexts after de- and additionally, a sequence d is computed by cryption. 0...k j−1 2.3 Cramer Transformation d j = ∑ f (yi). i=0 The ElGamal cryptosystem with its multiplicatively 0 d b+d If yk = xI (mod q), then m g k = g (mod q), homomorphic property can be transformed into an which equals gm+dk = gb+d (mod q) and thus m = additively homomorphic cryptosystem (like the Pail- b + d − dk (mod q). If k > I or di > b − a + d lier) scheme with the Cramer transformation (Cramer (mod q), the algorithm fails and the choice of f needs et al., 1997). to be adapted. The plaintext value to be encrypted must be in the 0 exponent. In practice, m can be transformed to m by 2.6 Baby Step Giant Step Algorithm m0 = gm mod q. 0 The encryption is then applied to m . Note, however, The Baby Step Giant Step algorithm is designed to m that, after decryption, this yields g∑i i as a plaintext. solve the discrete logarithm and achieves a runtime √ To solve the discrete logarithm and to retrieve the ac- complexity of O( q), where q is the order of the tual value ∑i mi, one of three recovery algorithms can group (Shoup, 1997; Schnorr and Jakobsson, 2000). be applied: (i) Brute Force; (ii) Pollard’s Lambda; or m0 = gm (mod q) (see previous section) can be √ (iii) Baby Step Giant Step. rewritten as m0 = gkx+l (mod q) where x =  q. The algorithm first computes gl (mod q) for 0 ≤ l < x • The Baby Step Giant Step algorithm is a modified and then tries the values 0 ≤ k < x until version of an implementation from the University 3 l 0 −x k of Maryland , which can be extended in order to g = m (g ) mod q support multiple threads. holds. This comparison is realized efficiently by hav- The implementations for Paillier, ElGamal, Cramer ing a look-up table with the precomputed values of and the recovery algorithm only use the formulas as gl. in Section 2 without additional overhead. All of them rely on the Java BigInteger class4 and its perfor- mance, so that the time required for the calculations is comparable. 3 COMPARISON The current recommended key length for cryp- tosystems based on the discrete logarithm problem to In this section, we compare the complexity and run- be secure for the year 2030 and beyond is 3072 bits time properties of the Paillier and ElGamal cryptosys- according to (Barker, 2016). As this applies to both, tems in a setup typical for smart grid secure aggrega- the Paillier cryptosystem (Paillier, 1999) and the El- tion use cases. Gamal cryptosystem (ElGamal, 1985), a key length For the comparison, we use a setup that reflects of 3072 bits is used for the evaluation. typical capabilities that can be found in the field. All measurements are repeated 110 times in order Smart meters are lightweight devices with limited to minimize external factors on the mean value. The computational resources, whereas the EP can have first ten measurement values are discarded to mitigate more powerful devices to decrypt and calculate the cache-warming effects of the Java Virtual Machine. aggregate, respectively. The setup for the comparison is based on the aggregation protocol depicted in Fig- 3.2 Paillier and ElGamal Runtime ure 1, which reflects a setup commonly found in lit- erature, see, e.g., (Li et al., 2010; Erkin, 2015; Rane Figure 2 depicts the runtimes for encryption and de- et al., 2015). Each smart meter encrypts its measure- cryption of the Paillier and ElGamal cryptosystems. It ment value using either the Paillier cryptosystem or is clear that the encryption time for the ElGamal cryp- the ElGamal cryptosystem and submits the encrypted tosystem is more than one order of magnitude smaller values to an aggregator. The aggregator calculates the (approximately one 15th) than that of the Paillier cryp- product of these values and forwards the result to the tosystem. The reason for this discrepancy is the much energy provider. The EP then decrypts the aggregate. smaller range in the size of the exponent for which the calculations for the ElGamal encryption are per- 3.1 Evaluation Setup formed (see Section 2). However, in order to allow for an additively ho- Both cryptosystems, the Cramer transformation and momorphic property for the ElGamal cryptosystem, the recovery algorithm, are implemented in Java 8. the Cramer transformation as described in Section 2 Measurements are performed on Windows 10 using needs to be applied to the plaintext value. This is an Intel Core i7-6500U Processor1 capable of running already included in the values depicted in Figure 2. 4 threads. The following implementations are used Figure 3 shows how large the runtime portion for this transformation (0.042 ms) is compared to the to- • Paillier Encryption Threshold Toolbox2. This tal runtime (2.709 ms). This portion is negligible in toolbox implements the Paillier cryptosystem and practice. also provides support for the thresholded variant. Similar to the encryption runtime, the decryption • The ElGamal cryptosystem and the Cramer trans- time for the ElGamal cryptosystem is lower than that formation are implemented according to (Cramer of the Paillier cryptosystem. The runtime is about one et al., 1997) and (ElGamal, 1985). fourth. Note that the result of the decryption is, how- ever, not the sum of the plaintext values ∑i mi, but • Pollard’s Lambda algorithm is implemented ac- rather g∑i mi . Thus, one of the recovery algorithms cording to (Pollard, 1978). mentioned in Section 2 (e.g., Brute Force algorithm) needs to be applied, which incurs additional runtime. 1https://ark.intel.com/products/88194/ Intel-Core-i7-6500U-Processor-4MCache-up-to-3 3https://www.csee.umbc.edu/∼stephens/crypto/ 10-GHz CIPHERS/BigIntegerMath.java 2http://www.cs.utdallas.edu/dspl/cgi-bin/ 4https://docs.oracle.com/javase/8/docs/api/java/math/ pailliertoolbox/index.php BigInteger.html 16 40 Each thread starts at a defined value, e.g., m = 2 for the first thread, calculates the discrete logarithm 30 and then increases this value by one in each step until m0 is found. For T = 1, the entire space of the mea- 20 surement sum is thus searched linearly. The runtime increases nearly linearly with the size of ∑i mi (note that both axes are logarithmic).

Runtime in ms 10 Increasing the number of threads incurs a near 0 constant overhead for starting the additional threads. ElGamal Paillier ElGamal Paillier This leads to higher runtimes for small values of Encryption Decryption ∑i mi. However, this allows partitioning the search Figure 2: Comparison of encryption and decryption run- space and thus running the recovery algorithm in par- times for the ElGamal cryptosystem and the Paillier cryp- allel. tosystem. Running the algorithm in parallel leads to earlier recoveries. Once ∑i mi has been successfully recov- Cramer transformation ered, all threads can be stopped. It can be seen that a ElGamal encryption higher number of threads in general improves runtime for larger values of ∑i mi. For example, the worst case runtime for one thread is 104.5 s, while it is 49.9 s for ElGamal four threads. It can also be seen from the results that the choice of the starting value for a thread signifi- cantly impacts the time needed for recovery. Since for practical applications an interval for ∑i mi can be 0 1 2 3 guessed, this will improve overall performance. Runtime in ms While the Brute Force algorithm only provides a Figure 3: Breakdown of runtime for the steps of ElGamal baseline which can be outperformed by more efficient encryption. algorithms, such as Baby Step Giant Step and Pol- lard’s Lambda, it can be seen that the time needed for 3.3 Recovery Runtime recovering the sum of the measurements is below 50 s even for the largest value of ∑i mi using four threads. After decryption, the EP has to apply a recovery al- Other algorithms for recovery as described in Sec- gorithm for retrieving the actual sum of the values. tion 2 can be used. This will further reduce the In order to assess the required runtime for this step, complexity, but not necessarily the runtime for this an aggregation group size (number of smart meters step. For the Baby Step Giant Step algorithm and N) and a value range (size of mi) that is representa- Pollard’s Lambda algorithm in the practical evalua- tive for real-world applications (Erkin, 2015) (and is tion we could not find suitable algorithm parameters commonly used in related work (Knirsch et al., 2018; for which any value bit size could be processed faster Buescher et al., 2017)) are used: Each measurement than Brute Force. mi is 16 bits in size and the aggregation group size N Alternatively, due to the comparably small range (number of smart meters) is varied between one and of ∑i mi (i.e., a small plaintext space), a lookup ta- 27 = 128. Aggregating 16-bit values with these group ble can be constructed that stores all possible values 16 m sizes results in measurement sums ∑i mi between 2 for g∑i i and the corresponding exponent. This al- and 223. lows trading additional memory consumption against Note that the EP can have powerful devices to access time (Croman et al., 2016). In particular, perform the calculations and thus any recovery algo- an access complexity of O(1) can be achieved with rithm can be implemented efficiently using multiple 3095 MiB of additional memory with 223 entries map- threads. For our analysis, the value range is split into ping one 3072 bit ciphertext to one 23 bit plaintext T ∈