Degree in Mathematics

Title: Homomorphic cryptosystems for electronic voting

Author: Enric Cusell

Advisor: Javier Herranz

Department: Applied Mathematics IV

Academic year: 2013/2014

Universitat Polit`ecnicade Catalunya Facultat de Matem`atiquesi Estad´ıstica

Bachelor’s degree thesis

Homomorphic cryptosystems for electronic voting

Enric Cusell

Advisor: Javier Herranz

Applied Mathematics IV

Abstract

This bachelor's degree thesis deals with homomorphic public-key cryptogra- phy, or in other words cryptosystems with special addition properties. Such cryptosystems are widely used in real life situations, for instance to make electronic voting secure. Therefore, this thesis will walk you through how Mathematics can lie behind day to day life.

In Chapter 1 we introduce a few basic algebra results and other key concepts that will be used later. In Chapters 2 and 3 we describe and discuss the algorithms and properties of the two cryptosystems which are considered to be the best ones for e-voting: Paillier and Joye-Libert. We have imple- mented the two schemes from scratch. We conclude the thesis in Chapter 4, by comparing running times of the two above-mentioned cryptosystems, in simulations of real-life e-voting systems, with up to tens of thousands of voters, and dierent levels of security. Through these simulations, we discern the situations where each of the two cryptosystems is preferable. vi To my love Carla for supporting my particularities for six years. To my parents for the energy that made me stronger. To the future that awaits me. ii Contents

1 Introduction 1 1.1 Prime numbers ...... 1 1.1.1 Fermat numbers ...... 1 1.1.2 Carmichael numbers ...... 2

1.2 Modular arithmetic on Zn ...... 2 1.2.1 Quadratic residues ...... 2 1.2.2 n-th power residues ...... 3 1.2.3 Legendre symbol ...... 3 1.2.4 Jacobi symbol ...... 4 1.3 Mathematical results ...... 4 1.3.1 Fermat's little theorem ...... 4 1.3.2 Prime number theorem ...... 5 1.4 Computational results ...... 6 1.4.1 Eratosthenes sieve ...... 6 1.4.2 Modular exponentiation ...... 7 1.4.3 Primality tests ...... 9 1.4.3.1 Fermat ...... 9 1.4.3.2 Solovay-Strassen ...... 10 1.4.3.3 Miller-Rabin ...... 10 1.4.4 Random prime generation ...... 13 1.5 Public key cryptography ...... 13 1.5.1 Description ...... 13 1.5.2 Examples ...... 14 1.6 Additive Homomorphic encryption ...... 15

iii CONTENTS

1.6.1 Paillier ...... 16 1.6.2 Goldwasser-Micali ...... 16 1.7 Notation ...... 17

2 Paillier cryptosystem 19 2.1 Background ...... 19 2.2 Algorithm ...... 20 2.2.1 Key generation ...... 20 2.2.2 Encryption ...... 21 2.2.3 Decryption ...... 21 2.3 Cryptosystem analysis ...... 22 2.3.1 Optimizations ...... 22 2.3.1.1 Key generation ...... 22 2.3.1.2 Encryption ...... 22 2.3.1.3 Decryption ...... 22 2.3.2 Properties ...... 22 2.3.2.1 Additive Homomorphism ...... 22 2.3.2.2 Self-Blinding ...... 23 2.4 Implementation and performance ...... 23 2.4.1 Complexity ...... 23 2.4.2 Running time ...... 24 2.4.3 Code ...... 25

3 Joye-Libert cryptosystem 29 3.1 Background ...... 29 3.2 Algorithm ...... 30 3.2.1 Key generation ...... 30 3.2.2 Encryption ...... 30 3.2.3 Decryption ...... 30 3.3 Cryptosystem analysis ...... 31 3.3.1 Optimizations ...... 31 3.3.1.1 Key generation ...... 31 3.3.1.2 Encryption ...... 31 3.3.1.3 Decryption ...... 31

iv CONTENTS

3.3.2 Properties ...... 32 3.3.2.1 Additive Homomorphism ...... 32 3.3.2.2 Self-Blinding ...... 32 3.4 Implementation and performance ...... 32 3.4.1 Complexity ...... 32 3.4.2 Running time ...... 33 3.4.3 Code ...... 34

4 Electronic voting 39 4.1 Problem context ...... 39 4.2 Cryptosystem comparison ...... 39 4.2.1 256 bits ...... 40 4.2.2 512 bits ...... 41 4.2.3 1024 bits ...... 42

5 Conclusions 45

Bibliography 47

v CONTENTS

vi Chapter 1

Introduction

1.1 Prime numbers

+ A prime number is a number x ∈ Z which can only be divided with zero remainder by 1 and itself.

Theorem 1. (Fundamental theorem of arithmetic) Every integer greater than 1 is either a prime or can be factorized as the product of prime numbers.

To represent the factorization of an integer number, repeated primes are grouped and written in increasing order with their respective exponents, as shown:

k α1 α2 αk Y αi x = p1 p2 ··· pk = pi i=1 Theorem 2. (Euclid's theorem) There are innitely many primes.

Euclid's theorem has many dierent approaches to prove it, but there's one worth mentioning because of its simplicity:

Euclid's proof. Lets assume there's a nite number of primes n: p1, p2, ··· , pn. Then consider x = p1p2 ··· pn +1. The number x is not divisible by any of the pi∀i ∈ [1, n], so x is a prime number larger than all the others, which is clearly a contradiction. (1)

1.1.1 Fermat numbers

A Fermat number is a positive integer which can be written as:

(2n) Fn = 2 + 1

1 1. INTRODUCTION

The only known Fermat primes are (2)

F0 = 3

F1 = 5

F2 = 17

F3 = 257

F4 = 65537 If there's a larger fermat prime number or if they are all composites, has been an unsolved mystery for 170 years. There are many interesting properties related with Fermat numbers, but for this matter it's only worth mentioning that some fermat numbers turn out to report as primes on many probabilistic primality tests (false positives pseudoprimes).

1.1.2 Carmichael numbers

A Carmichael number is a positive integer which satises the congruence

bn ≡ b (mod n)

Theorem 3. (Korselt) A positive composite integer n is a Carmichael number ⇔ n is square-free (not divisible by squares greater than 1), and for all prime divisors p of n, p − 1|n − 1.

It's possible to generate Carmichael numbers which are strong pseudoprimes to several bases, so the Miller Rabin Primality test may fail. (3, Constructing Carmichael Numbers which are Strong Pseudoprimes to Several Bases). The following sections will talk about Miller-Rabin and why it is important to be able to check whether a number is prime or not with a reasonable level of condence.

1.2 Modular arithmetic on Zn 1.2.1 Quadratic residues

An integer q is a quadratic residue modulo n if there's a number for which its square is equal to q modulo n. (4) ∃x x2 ≡ q (mod n)

2 1.2 Modular arithmetic on Zn

(5, Hardy and Wright) uses the notation q R n and q N n to indicate that q is a quadratic residue or non-residue respectively, and that's the notation that will be used in this work.

1.2.2 n-th power residues

The n-th power residues are a generalisation of quadratic residues to arbitrary n-th exponents. An integer q is an n-th power residue modulo m if and only if:

∃x | xn ≡ q (mod m)

The set of n-th power residues modulo M will be noted as

∗ n n ∗ (ZM ) = {x |x ∈ ZM }

If the relation n has no solution in ∗ then is called a th-power non-residue a = x ZM a n modulo M.

1.2.3 Legendre symbol

Denition 1. (Legendre symbol) Let p be an odd prime number. The Legendre symbol is dened as:

 if and 1, a R p a 6≡ 0 (mod p) a  = −1 if a N p p  0 if a ≡ 0 (mod p)

      Multiplicative property ab a b In general, if is an odd prime the follow- p = p p p ing equality known as Euler's criterion holds

a = a(p−1)/2(modp) p

Denition 2. (Generalized Legendre symbol) For any integers a,k and prime p such that k|p − 1 and (a, p) = 1, the generalized Legendre symbol (GLS) is dened by

a  p−1  = a k p k p

3 1. INTRODUCTION

1.2.4 Jacobi symbol

The Jacobi symbol is a generalization of the Legendre symbol for non prime numbers, which comes very naturally. Let a be an integer and n be a positive integer with prime decomposition n = α1 α2 αk . The Jacobi symbol for and is dened as: p1 p2 ··· pk a n  a   a α1  a α2  a αk = ··· n p1 p2 pk   where a is the Legendre symbol, dened for an odd prime number . p p If n is prime, the Legendre and Jacobi symbols are the same. If n is composite and the Jacobi symbol a , then , and if then a , but if a it's ( m ) = −1 a N n a R n ( n ) = 1 ( n ) = 1 not know whether a R n or a N n. This is one of the interesting properties that will be used on later sections. The Solovay-Strassen primality test uses the fact that the value for the Euler cri- terion formula may not even be -1 or 1 if the modulo is composite. This primal- ity test will be discussed more deeply in further sections. For instance we can see 5
but (21−1)/2 21 = 1 5 ≡ 16 (mod 21) Denition 3. (Generalized Jacobi symbol) For any integers a,k, n where n = pq with two primes p and q, k|p − 1, k|q − 1 and gcd(a, n) = 1, the generalized Jacobi symbol (GJS) is dened by  a  a a = n k p k q k 1.3 Mathematical results

1.3.1 Fermat's little theorem

Theorem 4. (Fermat's little theorem) Let p be a prime number. For any integer a, ap − a is a multiple of p. ap ≡ a (mod p) If a is not a multiple of p, then:

ap−1 ≡ 1 (mod p)

Denition 4. (Inverse modulo p) Let p be a prime number. For any integer a which is not a multiple of p, b = a−1 is named the inverse of a modulo p if and only if

ab ≡ 1 (mod p)

4 1.3 Mathematical results

Fermat's little theorem gives us a tool to calculate the inverse of a number a modulo p by calculating b = ap−2 (mod p)

. Which is clearly the inverse since

ab ≡ aap−2 ≡ ap−1 ≡ 1 (mod p)

1.3.2 Prime number theorem

The following result gives us an asymptotic estimation of how many prime numbers are up until a given value.

Theorem 5. (Prime number theorem (PNT)) Let π(x) be the prime counting function that gives the number of prime numbers lower than or equal to x. The function x approximates . More specically: ln(x) π(x)

π(x) lim = 1 x→∞ x/ ln(x)

Figure 1.1: Distribution of π(x) as x increases.

5 1. INTRODUCTION

Figure 1.1 shows the value of π(x), π(x) − x/ ln(x) and π(x)/(x/ ln(x)) for some powers of 10. Check that the ratio goes to one as x increases .

1.4 Computational results

1.4.1 Eratosthenes sieve

The sieve of Eratosthenes is a method to calculate all the primes below a given number n. It lists every number as a potential prime, and iteratively marks their multiples, so when a non-marked number is reached, it's a prime.

1. Create a list of all the integers unmarked from 2 to n − 1.

2. Start with p = 2.

3. p is a primer number.

4. Mark all the multiples of p below n (2p, 3p, 4p, ...).

5. Let p become the rst unmarked number greater than p.

6. If there's no such number, stop. Otherwise go to 3.

Figure 1.2: Sieve of Eratosthenes: result of the algorithm for primes below 121.

At the end, pi equals 1 if and only if i is a prime, for i < N. The running time for the algorithm to calculate all the primes below N is O(N(log N)(log log N)) and the needed memory O(N).

6 1.4 Computational results

Eratosthenes sieve in Python

N = 1000000 p = [1]*N p[0] = p[1] = 0 for i in range(2,N): if p[i]: j = i+i while j < N: p[j] = 0 j += i

As a nal note,the fastest known algorithm (General number eld sieve) requires  q  (ln N)1/3(ln ln N)2/3( 3 64 +o(1)) O e 9 operations to factor N. 1.4.2 Modular exponentiation

Calculating powers of numbers is a very common operation on cryptosystems, and it needs to be done as eciently as possible. The problem trying to solved is given a and b and m positive integers, compute:

ab (mod m)

There's the linear method which can compute the result in O(b) steps, as described below:

Linear exponentiation def mpow(a, b, m): ans = 1 while b > 0: ans = (ans * a) % m b -= 1 return ans

When the exponent has magnitudes as signicant as b = 24096 that's an obviously way too slow computation.

7 1. INTRODUCTION

The binary exponentiation method can solve the same problem by repeatedly squar- ing, achievement a running time of O(log b), which would be just few thousands opera- tions when raising a number to a power of the magnitude of b = 24096. A rough idea comes from the fact that given a number a, a2 can be calculated with just a single multiplication. By repeteadly squaring, a2k can be calculated with just O(k) multiplications. b can be represented in binary as

n−1 X i b = bi2 i=0

b with n bits, where bi can be either 0 or 1. Then a can be calculated as

n−1 b b Pn−1 b 2i Y  2i  i a = a( i=0 i ) = a i=0

The terms where bi is 0 will be gone, since they would be 1 multiplying in the product, and the terms a2i , can be calculated consecutively in constant time by squaring the previous product. Modular binary exponentiation can be implemented recursively in an easily under- standable way as: Recursive logarithmic exponentiation def mpow(a, b, m): if b == 0: return 1 x = mpow(a, b/2) x = (x * x) % m if b %2 == 1: x = (x * a) % m return x

The last implementation changes the recursive approach to an iterative one: Iterative logarithmic exponentiation def mpow(a, b, m): ans = 1

8 1.4 Computational results

while b > 0: if b & 1: ans = (ans * a) % m b = b >> 1 a = (a * a) % m return ans

1.4.3 Primality tests

Primality testing is another fundamental problem to solve on the Cryptography scene. It consists in saying if a number is either a prime or a composite. There are two types of primality tests:

• determinists, which are absolutely certain and generally slower

• probabilistic, which are certain with an ideally high probability, and are generally faster

There's a modication of the probabilistic Miller-Rabin test which relies on the as- sumption that the Generalized Riemann hypothesis is true, and uses the Fast Fourier Transformation for multiplication and achieves a running time of O˜((log n)4). On the other hand, the AKS primality test does not rely on any assumption and was originally proven to have an assymptotic time complexity of O˜((log n)12), improved with a vari- ation to O˜((log n)6) in 2005-2011 by (6, Lenstra-Pomerance). O˜(f(n)) is being used equally to represent O˜(f(n)) = O(f(n) logk g(n)) for some k. There's a publication comparing the asymptotic time with the real running time of various deterministic primality tests at (7, Primality testing). The asymptotic complexity of those methods does not take into account implemen- tation constants which make the tests even slower. For that and because in this work the numbers to be tested have from hundreds to thousands of bits, probabilistic faster tests will be used.

1.4.3.1 Fermat

The Fermat primality test is a probabilistic test that tries to determine whether a number is prime or not, also known as testing if a number is probable prime. The

9 1. INTRODUCTION

problem to be solved is to know if a number n is prime or not. From the Fermat's little theorem it's known that if n is prime, then for every integer a:

an−1 ≡ 1 (mod n)

The test consists in picking several random values of a in the interval [1, n − 1] and checking if the equality holds. If it does not, then n is denitely a composite number. The values of a for which an−1 6≡ 1 (mod n) are known as Fermat witnesses. Such test fails when not enough random values are picked and the equality holds for all of them, or when an−1 ≡ 1 (mod n)∀a. There are innitely many values of n, known as the aforementioned Carmichael numbers for which all values of a for which gcd(a, n) = 1 are Fermat liars. They are not primes, but pass the test.

1.4.3.2 Solovay-Strassen

The Solovay-Strassen primality test is based on the Legendry symbol calculation using Euler's criterion, both previously detailed. Given an odd number n the test consists in checking whether or not the congruence  a  a(n−1)/2 ≡ (mod n) n holds for dierent values of a. If n is prime, then the congruence is true for all a. The method picks random values of a and if one of them does not satisfy the congruence, then n is a composite number. This a is called an Euler witness for n. A value of a is called an Euler liar if the congruence is true while n is composite. In contrast with the Fermat primality test, where there could be values of n with no witnesses (Carmichael numbers), there are many for the Solovaly-Strassen test. For every odd composite n, at least half of all the bases a coprime with n in [1, n − 1] are Euler witnesses. The error probability of 1/2 holds for a single round of any input n, and after k rounds of the test, the error probability is roughly 2−k.

1.4.3.3 Miller-Rabin

The Miller-Rabin primality test is the one used in the following sections since it's not only fast in its execution, but it provides high certainty that a number is either composite or prime.

10 1.4 Computational results

Discerning prime numbers from composites is based on the following property of primes.

Proposition 1. Let n > 2 be a prime number. n − 1 is even, so n can be written as s ∗ n = 2 d + 1, with an odd d. For each a ∈ (Z/nZ) , either

ad ≡ 1 (mod n) or for some 0 ≤ r ≤ s − 1 r a2 d ≡ 1 (mod n).

Lemma 1. (Square roots of unit in Z/pZ) Let p be an odd prime. Lets name 1 and -1 trivial square roots of 1, which are clearly 1 when squared modulo p. There are no other square roots of 1 modulo p.

Square roots of unit in Z/pZ. Suppose x is a square root of 1 modulo p. Then:

x2 ≡ 1 (mod p)

(x − 1)(x + 1) ≡ 0 (mod p)

Which would mean that p divides x − 1 or x + 1, which is a contradiction.

Proposition. For a prime number n, by the Fermat's little theorem

an−1 ≡ 1 (mod n)

When the left term square root is taken, the result is either 1 or −1. If it's −1, the second equality holds. If in the process there are no −1, there are no powers of two remaining, the exponent is odd and the rst equality holds.

The Miller-rabin primality test looks for an a such that

ad 6≡ 1 (mod n) and ∀ 0 ≤ r ≤ s − 1 r a2 d 6≡ 1 (mod n).

In that case, a is called a witness for the compositeness of n. When the equations hold given an a for a composite n, a is called a strong liar.

11 1. INTRODUCTION

After k rounds with random bases a the probability of being mistaken is smaller than 4−k. The algorithm can be described in not so theoretical terms as follows. Given an odd integer n, let n = 2sd + 1 with odd d. Then choose a random integer a with r 1 ≤ a ≤ n − 1. If ad ≡ 1 (mod n) or a2 d ≡ −1 (mod n) for some 0 ≤ j ≤ s − 1, then n passes the test. A prime will pass the test for all a. The implementation of the Miller-Rabin primality test in Python used for the further presented cryptosystems is the following. Note this method is run with several random witnesses before asserting a number is probably prime.

Miller Rabin def miller_rabin(witness, possible): a = witness b = possible -1 n = possible

A = a = long(a % n) if A == 1: return False t = 1L while t <= b: t <<= 1

# t = 2**k, and t > b t >>= 2

while t: A = (A * A) % n if t & b: A = (A * a) % n if A == 1: return False t >>= 1 return True

12 1.5 Public key cryptography

1.4.4 Random prime generation

Another commonly faced problem in cryptography is how to generate a prime number of a given length in bits. It sounds theoretically impossible problem, but what really is needed is a probable prime. Since the prime number theorem that there are around x/ log(x) prime numbers be- low x, checking random numbers to be prime will yield an expected number of checks of around log(x), which is fast enough (both theoretically and experimentally) for numbers of hundreds to thousands of bits. The function tests the primality with small known primes followed by k tests of Miller-Rabin.

Prime generation def get_prime(bits): k = 64 while True: maybe_prime = random.randrange(2 ** (bits-1) + 1, 2 ** bits) | 1 if Crypto.is_probably_prime(maybe_prime, k): return maybe_prime

1.5 Public key cryptography

1.5.1 Description

Public key cryptography is the use of asymmetric key algorithms where the key used to encrypt a message is not the same as the key used to decrypt it. Everyone can use the public key to encrypt a message. On the other hand, private keys are secret. This way only the intended receiver can decrypt the message. The most known and widely used for secure data transmission cryptosystem is RSA (from the authors Rivest, Shamir and Adleman). The asymmetric term refers to the fact that dierent keys are used to perform inverse functions, as opposed to symmetric, which relies on the same key to perform both. One of the great advantages of public key cryptosystems is that they do not require an initial exchange of secrets keys between the parties involved in the secure commu-

13 1. INTRODUCTION

Figure 1.3: Schematic of asymmetric encryption. nication. It requires, though, that all the involved parties to be able to generate their own key pair. Specically for the matter of this work, a cryptosystem is dened as the description of three algorithms: key generation, encryption and decryption. For simplicity, the messages will be represented as numbers, noting that's not an exaggerated simplication since not only every message can be represented as an integer but a message can be split in dierent parts and sent in smaller encrypted chunks (for example, sent as hexadecimal data representing the numbers associated to a substring of the text of a given size). On a related term, digital signature is a scheme for demonstrating the authenticity of a digital message. A valid signature guarantees that the sender cannot deny having sent the message, and that the message was not modied after being sent. They are closely related with asymmetric encryption and consist of three elements: key genera- tion, signing, signature verifying. Most of the times, instead of verifying a full message, a strong hashing function is enough.

1.5.2 Examples

Public-key algorithms are fundamental in many internet standards used by millions of people, such as TLS, SSL and PGP. An everyday example would be the digital certicates used when visiting a website under the https prex. The connection is established using SSL and even if someone was capturing the data between the user and the website, they wouldn't be able to know what data is being transmitted.

14 1.6 Additive Homomorphic encryption

Figure 1.4: Https green lock shown in a end-user browser.

A curious commonly accepted way of trusting a website is having a third party trusted certicate authority (in this case VeriSign), trusted by both the site owner and the client. Note that in Figure 1.5 TLS, SHA1 (hash) and RSA are being mentioned.

Figure 1.5: Certicate information shown in Google Chrome.

Some well-known techniques include ElGamal, the Paillier Cryptosystem, RSA and some elliptic curve techniques. Many protocols such as GPG, PGP, SSH and Bitcoin rely on asymmetric key algorithms.

1.6 Additive Homomorphic encryption

Homomorphic encryption is a type of encryption which allows certain functions to be applied on the encrypted text which result in another encrypted text that, when de- crypted, is equivalent as if the encryption was done after applying the initial function. The term additive refers to the result operation, which is a sum. In the cases of interest

15 1. INTRODUCTION

(Paillier and Goldwasser-Micali), the product of two encrypted messages is equivalent to the encryption of the addition of those messages.

1.6.1 Paillier

The public key is the modulus n and the base g, the encryption of a message m is E(m) = gmrn mod n2 for a random r ∈ [0, n − 1]. The homomorphic property is:

m1 n m2 n m1+m2 n E(m1) · E(m2) = (g r1 )(g r2 ) = g (r1r2) = E(m1 + m2 mod n)

1.6.2 Goldwasser-Micali

The Goldwasser-Micali is the cryptosystem that Joye-Libert is based on. The public key is the modulus n and the quadratic non-residue m. The encryption of a single bit b is E(b) = mbr2 mod n for a random r ∈ [0, n − 1]. The homomorphic property is:

b1 2 b2 2 b1+b2 2 E(b1) · E(b2) = m r1m r2 = m (r1r2) = E(b1 ⊕ b2) where ⊕ is the bit operation XOR.

16 1.7 Notation

1.7 Notation

Zn the set of non-negative minimal residues modulus n, i.e., {0, 1, ··· , n − 1}.

hxin x (mod n), result in a non-negative minimal residue.

(x)n x (mod n), result in an absolute minimal residue. (a, b) the greatest common divisor of a and b. [a, b] the least common multiple of a and b. ∗ the multiplicative group modulus , i.e., . Zn n {a ∈ Zn|(a, n) = 1}   a a's generalized Legendre symbol modulus p. p k a
's generalized Jacobi symbol modulus . n k a p the set of elements ∗ such that a
, Jn,k a ∈ Zn n k = 1 Jn,k = Rn,k ∪ NRn,k. the set of th-power residues modulus , i.e. k ∗ . Rn,k k n {(x )n|x ∈ Zn} th NRn,k the set of k -power non-residues in Jn,k, i.e., Jn,kRn,k. φ(n) Euler's totient function on n. λ(n) Carmichael's function on n.

Table 1.1: Notations used in this work.

17 1. INTRODUCTION

18 Chapter 2

Paillier cryptosystem

The Paillier cryptosystem (8) is a probabilistic asymmetric algorithm for public key cryptography.

2.1 Background

Denition 6. A number z is said to be a n-th residue modulo n2 if there exists a number ∗ such that y ∈ Zn2 z ≡ yn (mod n2)

Each n-th residue z has exactly n roots of degree n, among which exactly one is strictly smaller than n. The n-th roots of unity are the numbers of the form (1 + n)x = 1 + xn (mod n2).

Decisional composite residuosity assumption (DCRA) 1. Let n be an composite integer and z an integer, then it's computationally dicult to decide whether z is a n-residue modulo n2 or not. In other words, it's dicult to decide if there exists a y such that z ≡ yn (mod n2)

Conjecture 1. There exists no polynomial time distinguisher for n-th residues modulo n2. The problem is intractable.

Let be some element of ∗ and denote by the integer-valued function dened g Zn2 Eg by

∗ ∗ Zn × Zn 7→ Zn2

19 2. PAILLIER CRYPTOSYSTEM

(x, y) 7→ gxyn (mod n2)

We denote by ∗ the set of elements of order and by their disjoint union B ⊂ Zn2 nα B ∀α.

Denition 7. Assume that . For ∗ , we call -th residuosity class of g ∈ B w ∈ Zn2 n w with respect to the unique integer for which there exists ∗ such that g x ∈ Zn y ∈ Zn

Eg(x, y) = w

Adopting notations in (9), the class of w is denoted w g. J K Denition 8. The n-th Residuosity Class Problem of base g, denoted Class[n,g], is dened as: given ∗ and , compute . w ∈ Zn2 g ∈ B w g J K Theorem 5. Class[n] is polynomially reducible (equivalent) to factorizing n (Fact[n]).

Proof. Can be found at (8)

2.2 Algorithm

The following encryption scheme employs Eg for encryption and the polynomial reduc- tion of Theorem 5 for decryption. It uses the factorisation as a trapdoor (one-way function). The following sections will make use of the helper function L(u) = (u−1)/n; this function can thus be applied only if n divides u − 1.

2.2.1 Key generation

1. Select two large prime numbers p and q randomly and independent of each other such that gcd(pq, (p − 1)(q − 1)) = 1.

2. Compute n = pq and λ = lcm(p − 1, q − 1).

3. Select a base . Pick a random ∗ and ensure divides the order of by g ∈ B g ∈ Zn2 n g checking the existence of the following modular multiplicative inverse: µ = (L(gλ (mod n2)))−1 (mod n).

4. The public (encryption) key is (n, g).

5. The private (decryption) key is (λ, µ).

20 2.2 Algorithm

If both primes p and q have the same bit length, the property gcd(pq, (p−1)(q−1)) = 1 is assured and a simpler variant can be used with g = n+1, λ = φ(n) = (p−1)(q −1), and µ = φ(n)−1 (mod n). For simplicity, two primes p and q of k bits each will be considered.

2.2.2 Encryption

1. Let (n, g) be the Public Key.

2. Let m be the plain text message, assuring m < n, i.e. m ∈ Zn.

3. Select a random ∗ . r ∈ Zn

4. Compute the ciphertext c = gmrn (mod n2).

2.2.3 Decryption

1. Let (λ, µ) be the Private Key.

2. Let be the ciphertext to decrypt, ∗ . c c ∈ Zn2

3. Compute m = L(cλ (mod n2)) · µ (mod n).

The decryption is based on the fact that

n X n x (1 + n)x = xk = 1 + nx + n2 + higher powers of n k 2 k=0 So we can express, which reduces to

(1 + n)x ≡ 1 + nx (mod n2)

y = (1 + n)x mod n2 y − 1 x ≡ (mod n2) n And thus proves that the decryption is correct

L((1 + n)x (mod n2)) ≡ x (mod n)

21 2. PAILLIER CRYPTOSYSTEM

2.3 Cryptosystem analysis

Until the appearance of the Paillier cryptosystem, most public-key cryptosystems pre- sented a cubic decryption complexity, which is exactly the cost of this. On the other hand, several aspects can be optimized:

2.3.1 Optimizations

2.3.1.1 Key generation

Generating primes with the same number of bits helps reducing most of the calculations, as mentioned on the respective section. The whole process can be made faster by carrying computations separately mod p2 and mod q2 and solving the Chinese remainder problem for g (mod p2) and g (mod q2) at the very end.

2.3.1.2 Encryption

Note that for the same bit length p and q, when g = n + 1 the product term gm can be computationally simplied to gm ≡ (n + 1)m ≡ 1 + mn (mod n2).

2.3.1.3 Decryption

Computing L(u) may be achieved at a very low cost (only one multiplication modulo 2n) by precomputing n−1 (mod 2n). The constant parameter

L(gλ (mod n2))−1 (mod n) can also be precomputed just once.

2.3.2 Properties

2.3.2.1 Additive Homomorphism

m n 2 The encryption function m 7→ g r (mod n ) is additively homomorphic on Zn. Con- sidering E to be the encryption function and D the decryption function, this leads to the following identities:

∀m1, m2 ∈ Zn andk ∈ N

2 D(E(m1)E(m2) (mod n )) = m1 + m2 (mod n)

22 2.4 Implementation and performance

D(E(m)k (mod n2)) = km (mod n)

m2 2 D(E(m)g (mod n )) = m1 + m2 (mod n)

m2 2 D(E(m1) (mod n )) = m1m2 (mod n)

m1 2 D(E(m2) (mod n )) = m1m2 (mod n) These properties are really important in the elds of voting protocols, threshold cryptosystems, watermarking, secret sharing schemes,and server-aided polynomial eval- uation. Electronic voting will be more extended in the following chapters.

2.3.2.2 Self-Blinding

Any ciphertext can be publicly changed into another one without aecting the plaintext:

∀m ∈ Zn and r ∈ N

D(E(m)rn (mod n2)) = m

Such a property has potential applications in a wide range of cryptographic settings.

2.4 Implementation and performance

The Paillier cryptosystem has been implemented in Python and has no external depen- dencies whatsoever except for a custom Cryptographic library.

2.4.1 Complexity

Generating random primes of k bits each is done by repeatedly trying random numbers in the interval [2k−1 + 1, 2k − 1] and testing each of them with 64 iterations of the Miller-Rabin test with random witnesses. According to the PNT, Ok
tries will be needed, and the cost of a Miller-Rabin test is linear on the number of bits, multiplied by the cost of a multiplication operation. Since the numbers are so large, we can no longer assume a multiplication operation happens in constant time, and even though a naive implementation would result in Ok2
time, that could be improved to Ok log k
implementing multiplication using the Fast Fourier Transform. In reality, the Python implementation is used, which is done using the Karatsuba multiplication

23 2. PAILLIER CRYPTOSYSTEM

log 3
1.5
algorithm, which has a O k 2 ∼ O k complexity. The total cost will result in 2+log 3
3.6
O k 2 ∼ O k . For the encryption, two exponentiations and a multiplication is required. As men- tioned on the introductory chapter the exponentiation can be done in Ok
number of steps, multiplied by the cost of a single product. A tricky detail to notice is that since the computation is done modulo n2, the number of bits k doubles. That yields to a 1+log 3 log 3
1+log 3
total of O 2(2k) 2 + (2k) 2 = O (2k) 2 . Finally, for the decryption an exponentiation modulo n2 needs to be done, followed by an integer division of a number of 2k bits divided by a number of k bits and a product 1+log 3
modulo n. That yields to a nal complexity of O (2k) 2 .

2.4.2 Running time

The runnings times are in seconds for primes of k bits each, the following table shows the running times on a single core of a 3.6Ghz AMD machine (AMD FX-8150). The running times are the medians of 10 experiments each. The prime generation includes the time to generate both of the primes.

k sec 256 0.126 512 0.894 1024 8.233 2048 76.226

Table 2.1: Prime generation running times table for Paillier.

k sec 256 0.005 512 0.031 1024 0.216 2048 1.766

Table 2.2: Key pair generation running times table for Paillier.

24 2.4 Implementation and performance

k sec 256 0.011 512 0.085 1024 0.694 2048 4.609

Table 2.3: Encryption running times table for Paillier.

k sec 256 0.014 512 0.093 1024 0.679 2048 4.692

Table 2.4: Decryption running times table for Paillier.

2.4.3 Code

Paillier implementation import math import random from crypto import * """ Implements the Paillier cryptosystem. - Prime generation. - Encryption. - Decryption. - Encrypted message addition. - Adding and multiplying constants to an encrypted message. @author Enric Cusell Revision: 2013-11-21 Second version modifications have V2 in a comment. """ class Paillier(object): [p, q, n, bits] = [0]*4 debug = False [priv, pub] = [None]*2

25 2. PAILLIER CRYPTOSYSTEM

def __init__(self, bits, debug = False): self.p = Crypto.get_prime(bits/2) self.q = Crypto.get_prime(bits/2) self.debug = debug if (self.debug): print "P =", self.p print "Q =", self.q

#There’s no need to check gcd(pq,(p-1)(q-1))=1. #This property is assured if both primes are of equivalent length. self.n = self.p * self.q

def setDebug(self, debugval): self.debug = debugval

""" PrivateKey given by l=Lambda and m=Mu """ class PrivateKey(object): """ We calculate l=(p-1)(q-1) and m such that l*m=1 mod n. Since we know n = p*q, Euler’s theorem (generalization of Fermat’s little theorem) says that a ^ phi(n) = 1 mod n Where phi is the Euler totient function and in this case phi(n) = (p-1)(q-1). This yields m = ((p-1)(q-1))^((p-1)(q-1)-1) = l^(l-1) mod n """ def __init__(self, p, q, n): self.l = (p-1) * (q-1) self.m = Crypto.mpow(self.l, self.l-1, n)

def __str__(self): return "PrivateKey\n L = " + str(self.l) + "\n M = " + str(self.m)

class PublicKey(object): def __init__(self, n): self.n = n self.n_sq = n * n self.g = n + 1

26 2.4 Implementation and performance

def __str__(self): return "PublicKey\n N = " + str(self.n) + "\n G = " + str(self.g)

""" Change public and private keys for the given ones. """ def change_keys(self, priv, pub): self.priv = priv self.pub = pub def generate_keypair(self): self.priv = self.PrivateKey(self.p, self.q, self.n) self.pub = self.PublicKey(self.n) return self.priv, self.pub def encrypt(self, plain): prime_bits = long(round(math.log(self.pub.n, 2))) while True: #r = self.get_prime(prime_bits) # We don’t need a random prime, just coprime with pq. #Common factors with probability (p+q)/(pq) -> pick anyone. r = random.randrange(2 ** (prime_bits-1) + 1, 2 ** prime_bits) | 1 if r > 0 and r < self.pub.n: break x = pow(r, self.pub.n, self.pub.n_sq) cipher = (pow(self.pub.g, plain, self.pub.n_sq) * x) % self.pub.n_sq #When computing g^m mod n^2, since g=n+1 we only need #terms up to exponent 2. #(n+1)^m = C[m][0]*n^0*1^m + C[m][1]*n^1*1^(m-1) + n^2*1^(m-2) + .. = # = 1 + mn. (Note it’s 1 when m=0). cipher = ((1 + plain*self.pub.n) * x) % self.pub.n_sq return cipher def decrypt(self, cipher): x = pow(cipher, self.priv.l, self.pub.n_sq) - 1 plain = ((x / self.pub.n) * self.priv.m) % self.pub.n return plain

27 2. PAILLIER CRYPTOSYSTEM

""" Add two encrypted messages. """ def add(self, a, b): return a * b % self.pub.n_sq

""" Add a constant n to an encrypted message. """ def add_ct(self, a, n): return a * Crypto.mpow(self.pub.g, n, self.pub.n_sq) % self.pub.n_sq

""" Multiply an encrypted message by a constant n. """ def mul_ct(self, a, n): """Multiplies an encrypted integer by a constant""" return Crypto.mpow(a, n, self.pub.n_sq)

28 Chapter 3

Joye-Libert cryptosystem

The Joye-Libert cryptosystem (10) is a probabilistic asymmetric algorithm for public key cryptography. Herranz-Sisternes (11) presented a very similar scheme.

3.1 Background

Denition 9. Let p be an odd prime and let n ≥ 2 such that n|p − 1. Then the symbol

a p−1 = a n (mod p) p n

p−1 is called the n-th power residue symbol modulo p, where a n (mod p) represents the p−1 absolute smallest residue of a n modulo p.

Let n = pq be the product of two odd primes p and q. For an integer a co-prime to n, the Jacobi symbol is the product of the corresponding Legendre symbols as mentioned in the rst chapter, i.e., a a a ). This gives rise to the multiplicative group ( n ) = ( p )( q Jn of integers whose Jacobi symbol is 1, ∗ a . Then the set of quadratic Jn = a ∈ Zn|( n 2) = 1 residues modulo , a subset of , can be express as ∗ a a . n Jn QRn = a ∈ Zn|( p ) = ( q )2 = 1 The quadratic residuosity assumption says that given a random element a ∈ Jn, it is computationally dicult to decide whether a ∈ QRn if the prime factors of n are unknown.

Picking a number in 2. Such number will satisfy that y y y Jn\QRn y ( n )2 = ( p )( q ) = 1 but both symbols can be one, since that would imply y being an element of the quadratic residues. satises that y y . y ( p ) = ( q ) = −1

29 3. JOYE-LIBERT CRYPTOSYSTEM

Quadratic Residuosity assumption 3. Let RSAGen be a probabilistic algorithm which, given a security parameter `, outputs primes p, q such that p ≡ q ≡ 1 (mod 2`), and their product n = pq. The Quadratic Residuosity assumption asserts that the ad- versary function QR ` , dened as the distance AdvD (1 )

|P r[D(x, n) = 1|x ← QRn] − P r[D(x, n) = 1|x ← Jn\QRn]| is negligible for any probabilistic polynomial-time distuiguisher D; the probabilities are taken over the experiment of running (N, p, q) ← RSAGen(1`) and choosing at random x ∈ QRn and x ∈ J\QRn.

3.2 Algorithm

3.2.1 Key generation

1. Select two large prime numbers such that p ≡ q ≡ 1 (mod 2`), and set n = pq.

2. Pick y ∈ Jn\QRn as described in Picking a number in Jn\QRn (2).

3. The public (encryption) key is (n, y, `).

4. The private (decryption) key is (p).

3.2.2 Encryption

1. Let (n, y, `) be the Public Key.

2. Let be the plain text message, ∗ . m m ∈ Z2`

3. Select a random ∗ . x ∈ Zn

` 4. Compute the ciphertext c = ymx2 (mod n).

3.2.3 Decryption

1. Let (p) be the Private Key.

2. Let be the ciphertext to decrypt, ∗ . c c ∈ Z2`

3. Compute z = ( c ) and then nd m ∈ 0, ··· , 2` − 1 such that the relation p 2` y m holds. (( p )2` ) = z (mod p)

30 3.3 Cryptosystem analysis

3.3 Cryptosystem analysis

The Goldwasser-Micali (12) cryptosystem has a ciphertext of size for bits and k log2 n k n = pq. The previously explained Paillier cryptosystem not only operates modulo n2, which is slower, but it generates a ciphertext of size . An important advantage 2 log2 n of the Joye-Libert proposed cryptosystem is that the message length uses way less bandwith by having a ciphertext of size only . log2 n

3.3.1 Optimizations

3.3.1.1 Key generation

As grows, the probability of picking a quadratic residue is 1 . Picking an p 2 y ∈ Jn\QRn is just double the luck, since it needs to be a quadratic residue in both p and q, so trying random y will yield to 4 expected iterations, checking that each of them satises the restriction of the Lagrange symbol being -1.

3.3.1.2 Encryption

Since the k is constant, the value 2k can be precomputed so it does not need to be cal- culated on every encryption. The rest are trivial logarithmic modular exponentiations.

3.3.1.3 Decryption

The description of the decryption process does not give specic details about how big is the space where to nd m. The decryption algorithm can proceed by setting bit by bit in the following manner: m := 0 B := 1 for i = 1 to k do c z = ( p )2i y m t = ( p )2i (mod p) if (t =6 z) then m := m + B B := 2B end return m

31 3. JOYE-LIBERT CRYPTOSYSTEM

3.3.2 Properties

3.3.2.1 Additive Homomorphism

It shares the most important homomorphic properties with the Paillier cryptosystem, even though a message can not be

∀m1, m2 ∈ Zn

2 D(E(m1)E(m2) (mod n )) = m1 + m2 (mod n)

m2 2 D(E(m)y (mod n )) = m1 + m2 (mod n)

3.3.2.2 Self-Blinding

Just like the Paillier cryptosystem, since the constant number raised to the power of the message is multiplied by an arbitrary vaalue the same self-blinding applies. Any ciphertext can be publicly changed into another one without aecting the plaintext:

∀m ∈ Zn and r ∈ N

D(E(m)rn (mod n2)) = m

3.4 Implementation and performance

3.4.1 Complexity

Calculating a Lagrange symbol is just an exponentiation with logarithmic cost as stated in Denition 9. Generating random primes such that p ≡ q ≡ 1 (mod 2k) takes about roughly k tries each, which in practice is never that high for the number of bits between 256 and 4096. Each number needs to be a prime, so the total time is k multiplied by the time of getting a random prime, which was calculated in the Paillier 3+log 3
4.6
complexity analysis. The total is O k 2 ∼ O k . Choosing the appropriate y just requires in average 4 tests, which is not even comparable to the cost of generating the primes. For the encryption, two exponentiations to numbers of k bits is needed. Including 1+log 3
the cost of the multiplication, it is O k 2 . For the decryption, every bit is decoded separately, so k iterations need to be done. On each of those, two Lagrange symbols are calculated, and there's one k bit

32 3.4 Implementation and performance exponentiation involved. The other operations are not comparable in asymptotical cost.

2+log 3
The total is O k 2

3.4.2 Running time

The running times are in seconds for the number of given bits. Note the key generation is way slower, but still needs to be done just once, the encryption faster since all the calculations are done modulo n instead of n2, and the decryption is way slower. Experiments done on a single core of a 3.6Ghz AMD machine (AMD FX-8150). The resulting times are the medians of 10 experiments each.

k sec 256 1.144 512 5.573 1024 56.562 2048 2127.779

Table 3.1: Prime generation running times table for Joye-Libert.

k sec 256 0.005 512 0.038 1024 0.272 2048 2.025

Table 3.2: Encryption running times table for Joye-Libert.

k sec 256 1.631 512 21.547 1024 306.989 2048 4487.369

Table 3.3: Decryption running times table for Joye-Libert.

33 3. JOYE-LIBERT CRYPTOSYSTEM

3.4.3 Code

Joye-Libert implementation import math import random import time from crypto import * """ Implements the Joye Libert cryptosystem. - Encryption. - Decryption. @author Enric Cusell Revision: 2013-12-25 """ class JoyeLibert(object): [p, q, n, y, k] = [0]*5 [priv, pub] = [None]*2 def __init__(self, kappa): #Given the security parameter kappa, choose a k>=1. self.k = kappa #Randomly generate primes p,q = 1 mod 2^k. N = pq. self.p = self.generate_prime_1mod2k() self.q = self.generate_prime_1mod2k() self.n = self.p * self.q

#Pick y \in J_n \ QR_N. self.y = self.generate_y()

class PrivateKey(object): def __init__(self, p): self.p = p

def __str__(self): return "PrivateKey\n P = " + str(self.p)

class PublicKey(object):

34 3.4 Implementation and performance

def __init__(self, n, y, k): self.n = n self.y = y self.k = k #The following value does not need to be in #the public key, but it’s done as an optimization. self.p2k = pow(2,self.k) def __str__(self): return "PublicKey\n N = " + str(self.n) + "\n Y = "\ + str(self.y) + "\n K = " + str(self.k)

""" Change public and private keys for the given ones. """ def change_keys(self, priv, pub): self.priv = priv self.pub = pub def generate_keypair(self): self.priv = self.PrivateKey(self.p) self.pub = self.PublicKey(self.n, self.y, self.k) return self.priv, self.pub

""" Encrypts a message m seen as an integer in [0,2^k-1]. """ def encrypt(self, m): p2 = self.pub.p2k #This is pow(2,self.pub.k) if (m >= p2): print "Error, message should be in [0,2^k-1]." return None x = random.randrange(1, self.pub.n) c = (Crypto.mpow(self.pub.y,m, self.pub.n) *\ Crypto.mpow(x,p2, self.pub.n))%self.pub.n return c def decrypt(self, c): m = 0

35 3. JOYE-LIBERT CRYPTOSYSTEM

B = 1 for i in xrange(1,self.pub.k+1): pot = pow(2,i) z = self.legendre_symbol(c, self.priv.p, pot) t = self.legendre_symbol(self.pub.y, self.priv.p, pot) t = Crypto.mpow(t, m, self.priv.p) if t != z: m = m + B B *= 2 return m

""" Add two encrypted messages. """ def add(self, a, b): return a * b % self.pub.n

#Mathematic methods """ Returns a probable prime p of self.k bits, such that p = 1 mod 2^k """ def generate_prime_1mod2k(self): p2 = pow(2,self.k) start_time = time.time() x = 1 it = 0 while not Crypto.is_probably_prime(p2*x+1): x=random.randrange(1, p2) it += 1 goal_time = time.time() print "Running time (random[1,2^k) approach):", (goal_time-start_time) print "Iterations =", it print self.k, x, p2*x+1 return p2*x+1

""" Returns the n-th power residue symbol modulo p, p being a prime.

36 3.4 Implementation and performance

The absolute small residue of a^{(p-1)/n} modulo p. For n=2: # 1 if a is a quadratic residue modulo p. # -1 if a is a quadratic non-residue modulo p. """ def legendre_symbol(self, a, p, n): if (p-1)%n != 0: print "Error calculating legendre_symbol for", a, p, n return None return Crypto.mpow(a, (p-1)/n, p)

""" Retusn an y \in J_N \ QR_N. Which is setting n = 2 and requesting # symbol(y/p)*symbol(y/q) = 1 # But not satisfying symbol(y/p) = symbol(y/q) = 1 Which yields to symbol(y/p) = symbol(y/q) = -1 """ def generate_y(self): y = 1 it = 0 #If the legendre symbols are both -1, the jacobi symbol (y/N) = # = (y/p)*(y/q) = -1*-1 = 1. while self.legendre_symbol(y, self.p, 2) != self.p-1 or \ self.legendre_symbol(y, self.q, 2) != self.q-1: y = random.randrange(1, self.n) it += 1 print "Found y after", it, "iterations. y =", y return y

37 3. JOYE-LIBERT CRYPTOSYSTEM

38 Chapter 4

Electronic voting

Electronic voting, or e-voting, is a term including both electronic means of casting and counting votes. Electronic voting technology can speed the counting of ballots, make the voting process more secure and can provide improved accessibility for disabled voters and people outside of the voting country. There has been contention because it could facilitate electoral fraud, and most people feel unsafe about electronic with fear of being tracked.

4.1 Problem context

The mentioned homomorphic properties on both Paillier and Joye-Libert cryptosystems can be used by secure electronic voting systems. Let m voters cast a vote of either 1 (yes) or 0 (no). After encrypting their choice before casting their vote, the election ocial takes the sum of the m encrypted votes and then decrypts the result and obtains the sum of all the votes. The election ocial then knows that how many people people voted each of the options, what each of the citizens voted. This work is not going to focus on every aspect of e-voting, such as hardware mon- itoring, voter privacy, authentication signatures or zero-knowledge-proofs to make sure all the casted votes are valid. It's focused on: the encryption of the vote, the addition of the ciphertexts, and the decryption of the result of the voting.

4.2 Cryptosystem comparison

For electronic voting, it makes sense to present an scenario as follows

39 4. ELECTRONIC VOTING

• A single key generation. Can be done days before the voting, so the running time is not really important

• A lot of encryptions. Thousands or millions of votes can be casted in a real election.

• A single message addition at the end equivalent to the ballot counting.

• A single decryption to know the voting results.

As seen on the Table 3.2, a single encryption with primes of 2048 bits takes more than 2 seconds, so for practical (and realistic) purposes, only tests up to 1024 bits will be done. For each of the experiments, the goal is to see at what point Joye-Libert becomes faster than Paillier for electronic voting. The key generation will be mentioned but not taken into account when comparing two cryptosystems. Note the number of bits on the following sections refers to the number of bits of a single prime, thus n having twice as many bits as stated in each title.

4.2.1 256 bits

According to the experiments of the previous chapter, the following table represents the times needed for each cryptosystem encryption and decryption.

Encryption (sec) Decryption (sec) Paillier 0.011 0.014 Joye-Libert 0.005 1.631

Table 4.1: Encryption and decryption running times table for 256 bits on Paillier and Joye-Libert.

The solution of the equation 0.011x + 0.014 = 0.005x + 1.631 is x = 269.5, so the experiments will be run with: 100, 500, 1000 and 104 votes. The following tables contain the running times for Paillier and Joye-Libert respectively.

40 4.2 Cryptosystem comparison

Votes (Paillier) Encryption (sec) Adding (sec) Decryption (sec) Total (sec) 100 1.364 0.002 0.012 1.380 500 7.031 0.011 0.013 7.056 1000 14.327 0.024 0.013 14.365 10000 137.307 0.228 0.013 137.549

Table 4.2: Votes time for the Paillier cryptosystem on 256 bits.

Votes (Joye-Libert) Encryption (sec) Adding (sec) Decryption (sec) Total (sec) 100 1.264 0.002 1.849 3.117 500 6.460 0.012 1.865 8.337 1000 12.677 0.024 2.003 14.704 10000 128.928 0.223 1.873 131.031

Table 4.3: Votes time for the Joye-Libert cryptosystem on 256 bits.

Note the theoretical required number of voters is actually lower than the reality, where it is closer to 1000 rather than 269.

4.2.2 512 bits

The times for each cryptosystem encryption and encryption with 512 bits primes are:

Encryption (sec) Decryption (sec) Paillier 0.085 0.093 Joye-Libert 0.038 21.547

Table 4.4: Encryption and decryption running times table for 512 bits on Paillier and Joye-Libert.

The solution of the equation 0.085x + 0.093 = 0.038x + 21.547 is x = 456.468, so the experiments will be run with: 100, 1000 and 5000. The following tables contain the running times for Paillier and Joye-Libert respectively.

41 4. ELECTRONIC VOTING

Votes (Paillier) Encryption (sec) Adding (sec) Decryption (sec) Total (sec) 100 10.248 0.008 0.090 10.347 1000 96.492 0.083 0.085 96.661 5000 529.887 0.439 0.089 530.416

Table 4.5: Votes time for the Paillier cryptosystem on 512 bits.

Votes (Joye-Libert) Encryption (sec) Adding (sec) Decryption (sec) Total (sec) 100 8.909 0.009 24.352 33.270 1000 91.174 0.086 26.803 118.063 5000 474.732 0.469 26.279 501.481

Table 4.6: Votes time for the Joye-Libert cryptosystem on 512 bits.

As expected, for a large enough number of votes, Joye-Libert ends up being faster.

4.2.3 1024 bits

The times for each cryptosystem encryption and encryption with 1024 bits primes are:

Encryption (sec) Decryption (sec) Paillier 0.694 0.679 Joye-Libert 0.272 306.989

Table 4.7: Encryption and decryption running times table for 1024 bits on Paillier and Joye-Libert.

The solution of the equation 0.694x + 0.679 = 0.272x + 306.989 is x = 725.853, so the experiments will be run with: 100, 1000. The following tables contain the running times for Paillier and Joye-Libert respectively.

Votes (Paillier) Encryption (sec) Adding (sec) Decryption (sec) Total (sec) 100 79.266 0.034 0.701 80.001 1000 753.059 0.293 0.664 754.017

Table 4.8: Votes time for the Paillier cryptosystem on 1024 bits.

42 4.2 Cryptosystem comparison

Votes (Joye-Libert) Encryption (sec) Adding (sec) Decryption (sec) Total (sec) 100 72.490 0.033 375.300 447.824 1000 713.472 0.313 364.172 1077.957

Table 4.9: Votes time for the Joye-Libert cryptosystem on 1024 bits.

The running times of 754 seconds (Paillier) and 1078 (Joye-Libert), may seem con- trary to the expected result: for large numbers of voters Joye-Libert is faster than Paillier. For 100 votes, Joye-Libert is more than 5 times slower than Paillier. On con- trast, for 1000 votes Joye-Libert is still slower, but proportionally faster. Since the decryption time is constant and the encryption time grows faster for Paillier than for Joye-Libert, it can be stated that for large enough number of voters, the Joye-Libert cryptosystems has better running times. In a e-voting scenario, the encryption may happen on many similar voting machines thousands of times, but the decryption could be run on a faster dedicated server with more computing power. This case, which is closer to the reality, favours Joye-Libert. An alternative analysis would be to account only the homomorphic combination of the votes (adding) and decryption time, since the encryption would be done on each of the voters computers. Substracting the encryption time from the previous analysis, Paillier becomes clearly the better option.

43 4. ELECTRONIC VOTING

44 Chapter 5

Conclusions

In this work we have considered two homomorphic encryption schemes for public-key settings, one proposed by Paillier in 1999 and one proposed by Joye and Libert in 2013. We have implemented them and used the resulting implementations to simulate an e-voting scenario, with the aim of deciding which of the two cryptosystems performs better. Theoretical and experimental results agreed upon the fact that both the level of security and the number of voters would highly aect the decision of which algorithm to pick. The higher the security level is, the larger the needed voters to make Joye-Libert actually faster. The time analysis is pessimistic since it's been run on a single machine. In a well- implemented voting scenario with dedicated decrypting hardware with huge computa- tion power, the result would tend to determine Paillier to be even slower. For small votings, Paillier is faster. As the number of voters reaches 5 digits, Joye- Libert needs to be considered as a way of signicantly speeding up the encryption process.

45 5. CONCLUSIONS

46 Bibliography

[1] Günter M. Ziegler Martin Aigner, Karl H. Hofmann. Proofs from THE BOOK, Springer. Publisher. 1

[2] Eric W. Weisstein. Fermat Prime. 2

[3] François Arnault. Constructing Carmichael Numbers which are Strong Pseudoprimes to Several Bases. Journal of Symbolic Computation, 20, Issue 2:151161, 1995. 2

[4] Eric W. Weisstein. Quadratic Residue. 2

[5] G. H. Hardy and E. M. Wright. An Introduction to the Theory of Numbers. Oxford University Press. 3

[6] H. W. Lenstra jr. and Carl Pomerance. Primality testing with Gaus- sian periods. http://www.math.dartmouth.edu/ carlp/aks041411.pdf, 2011. 9

[7] Richard P. Brent. Primality testing, August 2012. 9

[8] P. Paillier. Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. Eurocrypt, 1999. 19, 20

[9] J. C. Benaloh. Veriable Secret-Ballot Elections. PhD Thesis, 1988. 20

[10] Marc Joye and Benoit Libert. Ecient Cryptosystems From 2k-th Power Residue Symbols. Eurocrypt, 2013. 29

[11] Javier Herranz and Juan Ramón Sisternes. Cifrado homomórco de clave pública basado en Residuosidad Cuadrática. RECSI, 2012. 29

[12] S. Goldwasser and S. Micali. Probabilistic Encryption. JCSS, 28:270299, 1984. 31

47