Degree in Mathematics
Title: Homomorphic cryptosystems for electronic voting
Author: Enric Cusell
Advisor: Javier Herranz
Department: Applied Mathematics IV
Academic year: 2013/2014
Universitat Polit`ecnicade Catalunya Facultat de Matem`atiquesi Estad´ıstica
Bachelor’s degree thesis
Homomorphic cryptosystems for electronic voting
Enric Cusell
Advisor: Javier Herranz
Applied Mathematics IV
Abstract
This bachelor's degree thesis deals with homomorphic public-key cryptogra- phy, or in other words cryptosystems with special addition properties. Such cryptosystems are widely used in real life situations, for instance to make electronic voting secure. Therefore, this thesis will walk you through how Mathematics can lie behind day to day life.
In Chapter 1 we introduce a few basic algebra results and other key concepts that will be used later. In Chapters 2 and 3 we describe and discuss the algorithms and properties of the two cryptosystems which are considered to be the best ones for e-voting: Paillier and Joye-Libert. We have imple- mented the two schemes from scratch. We conclude the thesis in Chapter 4, by comparing running times of the two above-mentioned cryptosystems, in simulations of real-life e-voting systems, with up to tens of thousands of voters, and dierent levels of security. Through these simulations, we discern the situations where each of the two cryptosystems is preferable. vi To my love Carla for supporting my particularities for six years. To my parents for the energy that made me stronger. To the future that awaits me. ii Contents
1 Introduction 1 1.1 Prime numbers ...... 1 1.1.1 Fermat numbers ...... 1 1.1.2 Carmichael numbers ...... 2
1.2 Modular arithmetic on Zn ...... 2 1.2.1 Quadratic residues ...... 2 1.2.2 n-th power residues ...... 3 1.2.3 Legendre symbol ...... 3 1.2.4 Jacobi symbol ...... 4 1.3 Mathematical results ...... 4 1.3.1 Fermat's little theorem ...... 4 1.3.2 Prime number theorem ...... 5 1.4 Computational results ...... 6 1.4.1 Eratosthenes sieve ...... 6 1.4.2 Modular exponentiation ...... 7 1.4.3 Primality tests ...... 9 1.4.3.1 Fermat ...... 9 1.4.3.2 Solovay-Strassen ...... 10 1.4.3.3 Miller-Rabin ...... 10 1.4.4 Random prime generation ...... 13 1.5 Public key cryptography ...... 13 1.5.1 Description ...... 13 1.5.2 Examples ...... 14 1.6 Additive Homomorphic encryption ...... 15
iii CONTENTS
1.6.1 Paillier ...... 16 1.6.2 Goldwasser-Micali ...... 16 1.7 Notation ...... 17
2 Paillier cryptosystem 19 2.1 Background ...... 19 2.2 Algorithm ...... 20 2.2.1 Key generation ...... 20 2.2.2 Encryption ...... 21 2.2.3 Decryption ...... 21 2.3 Cryptosystem analysis ...... 22 2.3.1 Optimizations ...... 22 2.3.1.1 Key generation ...... 22 2.3.1.2 Encryption ...... 22 2.3.1.3 Decryption ...... 22 2.3.2 Properties ...... 22 2.3.2.1 Additive Homomorphism ...... 22 2.3.2.2 Self-Blinding ...... 23 2.4 Implementation and performance ...... 23 2.4.1 Complexity ...... 23 2.4.2 Running time ...... 24 2.4.3 Code ...... 25
3 Joye-Libert cryptosystem 29 3.1 Background ...... 29 3.2 Algorithm ...... 30 3.2.1 Key generation ...... 30 3.2.2 Encryption ...... 30 3.2.3 Decryption ...... 30 3.3 Cryptosystem analysis ...... 31 3.3.1 Optimizations ...... 31 3.3.1.1 Key generation ...... 31 3.3.1.2 Encryption ...... 31 3.3.1.3 Decryption ...... 31
iv CONTENTS
3.3.2 Properties ...... 32 3.3.2.1 Additive Homomorphism ...... 32 3.3.2.2 Self-Blinding ...... 32 3.4 Implementation and performance ...... 32 3.4.1 Complexity ...... 32 3.4.2 Running time ...... 33 3.4.3 Code ...... 34
4 Electronic voting 39 4.1 Problem context ...... 39 4.2 Cryptosystem comparison ...... 39 4.2.1 256 bits ...... 40 4.2.2 512 bits ...... 41 4.2.3 1024 bits ...... 42
5 Conclusions 45
Bibliography 47
v CONTENTS
vi Chapter 1
Introduction
1.1 Prime numbers
+ A prime number is a number x ∈ Z which can only be divided with zero remainder by 1 and itself.
Theorem 1. (Fundamental theorem of arithmetic) Every integer greater than 1 is either a prime or can be factorized as the product of prime numbers.
To represent the factorization of an integer number, repeated primes are grouped and written in increasing order with their respective exponents, as shown:
k α1 α2 αk Y αi x = p1 p2 ··· pk = pi i=1 Theorem 2. (Euclid's theorem) There are innitely many primes.
Euclid's theorem has many dierent approaches to prove it, but there's one worth mentioning because of its simplicity:
Euclid's proof. Lets assume there's a nite number of primes n: p1, p2, ··· , pn. Then consider x = p1p2 ··· pn +1. The number x is not divisible by any of the pi∀i ∈ [1, n], so x is a prime number larger than all the others, which is clearly a contradiction. (1)
1.1.1 Fermat numbers
A Fermat number is a positive integer which can be written as:
(2n) Fn = 2 + 1
1 1. INTRODUCTION
The only known Fermat primes are (2)
F0 = 3
F1 = 5
F2 = 17
F3 = 257
F4 = 65537 If there's a larger fermat prime number or if they are all composites, has been an unsolved mystery for 170 years. There are many interesting properties related with Fermat numbers, but for this matter it's only worth mentioning that some fermat numbers turn out to report as primes on many probabilistic primality tests (false positives pseudoprimes).
1.1.2 Carmichael numbers
A Carmichael number is a positive integer which satises the congruence
bn ≡ b (mod n)
Theorem 3. (Korselt) A positive composite integer n is a Carmichael number ⇔ n is square-free (not divisible by squares greater than 1), and for all prime divisors p of n, p − 1|n − 1.
It's possible to generate Carmichael numbers which are strong pseudoprimes to several bases, so the Miller Rabin Primality test may fail. (3, Constructing Carmichael Numbers which are Strong Pseudoprimes to Several Bases). The following sections will talk about Miller-Rabin and why it is important to be able to check whether a number is prime or not with a reasonable level of condence.
1.2 Modular arithmetic on Zn 1.2.1 Quadratic residues
An integer q is a quadratic residue modulo n if there's a number for which its square is equal to q modulo n. (4) ∃x x2 ≡ q (mod n)
2 1.2 Modular arithmetic on Zn
(5, Hardy and Wright) uses the notation q R n and q N n to indicate that q is a quadratic residue or non-residue respectively, and that's the notation that will be used in this work.
1.2.2 n-th power residues
The n-th power residues are a generalisation of quadratic residues to arbitrary n-th exponents. An integer q is an n-th power residue modulo m if and only if:
∃x | xn ≡ q (mod m)
The set of n-th power residues modulo M will be noted as
∗ n n ∗ (ZM ) = {x |x ∈ ZM }
If the relation n has no solution in ∗ then is called a th-power non-residue a = x ZM a n modulo M.
1.2.3 Legendre symbol
Denition 1. (Legendre symbol) Let p be an odd prime number. The Legendre symbol is dened as:
if and 1, a R p a 6≡ 0 (mod p) a = −1 if a N p p 0 if a ≡ 0 (mod p)
Multiplicative property ab a b In general, if is an odd prime the follow- p = p p p ing equality known as Euler's criterion holds
a = a(p−1)/2(modp) p
Denition 2. (Generalized Legendre symbol) For any integers a,k and prime p such that k|p − 1 and (a, p) = 1, the generalized Legendre symbol (GLS) is dened by
a p−1 = a k p k p
3 1. INTRODUCTION
1.2.4 Jacobi symbol
The Jacobi symbol is a generalization of the Legendre symbol for non prime numbers, which comes very naturally. Let a be an integer and n be a positive integer with prime decomposition n = α1 α2 αk . The Jacobi symbol for and is dened as: p1 p2 ··· pk a n a a α1 a α2 a αk = ··· n p1 p2 pk where a is the Legendre symbol, dened for an odd prime number . p p If n is prime, the Legendre and Jacobi symbols are the same. If n is composite and the Jacobi symbol a , then , and if then a , but if a it's ( m ) = −1 a N n a R n ( n ) = 1 ( n ) = 1 not know whether a R n or a N n. This is one of the interesting properties that will be used on later sections. The Solovay-Strassen primality test uses the fact that the value for the Euler cri- terion formula may not even be -1 or 1 if the modulo is composite. This primal- ity test will be discussed more deeply in further sections. For instance we can see 5 but (21−1)/2 21 = 1 5 ≡ 16 (mod 21) Denition 3. (Generalized Jacobi symbol) For any integers a,k, n where n = pq with two primes p and q, k|p − 1, k|q − 1 and gcd(a, n) = 1, the generalized Jacobi symbol (GJS) is dened by a a a = n k p k q k 1.3 Mathematical results
1.3.1 Fermat's little theorem
Theorem 4. (Fermat's little theorem) Let p be a prime number. For any integer a, ap − a is a multiple of p. ap ≡ a (mod p) If a is not a multiple of p, then:
ap−1 ≡ 1 (mod p)
Denition 4. (Inverse modulo p) Let p be a prime number. For any integer a which is not a multiple of p, b = a−1 is named the inverse of a modulo p if and only if
ab ≡ 1 (mod p)
4 1.3 Mathematical results
Fermat's little theorem gives us a tool to calculate the inverse of a number a modulo p by calculating b = ap−2 (mod p)
. Which is clearly the inverse since
ab ≡ aap−2 ≡ ap−1 ≡ 1 (mod p)
1.3.2 Prime number theorem
The following result gives us an asymptotic estimation of how many prime numbers are up until a given value.
Theorem 5. (Prime number theorem (PNT)) Let π(x) be the prime counting function that gives the number of prime numbers lower than or equal to x. The function x approximates . More specically: ln(x) π(x)
π(x) lim = 1 x→∞ x/ ln(x)
Figure 1.1: Distribution of π(x) as x increases.
5 1. INTRODUCTION
Figure 1.1 shows the value of π(x), π(x) − x/ ln(x) and π(x)/(x/ ln(x)) for some powers of 10. Check that the ratio goes to one as x increases .
1.4 Computational results
1.4.1 Eratosthenes sieve
The sieve of Eratosthenes is a method to calculate all the primes below a given number n. It lists every number as a potential prime, and iteratively marks their multiples, so when a non-marked number is reached, it's a prime.
1. Create a list of all the integers unmarked from 2 to n − 1.
2. Start with p = 2.
3. p is a primer number.
4. Mark all the multiples of p below n (2p, 3p, 4p, ...).
5. Let p become the rst unmarked number greater than p.
6. If there's no such number, stop. Otherwise go to 3.
Figure 1.2: Sieve of Eratosthenes: result of the algorithm for primes below 121.
At the end, pi equals 1 if and only if i is a prime, for i < N. The running time for the algorithm to calculate all the primes below N is O(N(log N)(log log N)) and the needed memory O(N).
6 1.4 Computational results
Eratosthenes sieve in Python
N = 1000000 p = [1]*N p[0] = p[1] = 0 for i in range(2,N): if p[i]: j = i+i while j < N: p[j] = 0 j += i
As a nal note,the fastest known algorithm (General number eld sieve) requires q (ln N)1/3(ln ln N)2/3( 3 64 +o(1)) O e 9 operations to factor N. 1.4.2 Modular exponentiation
Calculating powers of numbers is a very common operation on cryptosystems, and it needs to be done as eciently as possible. The problem trying to solved is given a and b and m positive integers, compute:
ab (mod m)
There's the linear method which can compute the result in O(b) steps, as described below:
Linear exponentiation def mpow(a, b, m): ans = 1 while b > 0: ans = (ans * a) % m b -= 1 return ans
When the exponent has magnitudes as signicant as b = 24096 that's an obviously way too slow computation.
7 1. INTRODUCTION
The binary exponentiation method can solve the same problem by repeatedly squar- ing, achievement a running time of O(log b), which would be just few thousands opera- tions when raising a number to a power of the magnitude of b = 24096. A rough idea comes from the fact that given a number a, a2 can be calculated with just a single multiplication. By repeteadly squaring, a2k can be calculated with just O(k) multiplications. b can be represented in binary as
n−1 X i b = bi2 i=0
b with n bits, where bi can be either 0 or 1. Then a can be calculated as
n−1 b b Pn−1 b 2i Y 2i i a = a( i=0 i ) = a i=0
The terms where bi is 0 will be gone, since they would be 1 multiplying in the product, and the terms a2i , can be calculated consecutively in constant time by squaring the previous product. Modular binary exponentiation can be implemented recursively in an easily under- standable way as: Recursive logarithmic exponentiation def mpow(a, b, m): if b == 0: return 1 x = mpow(a, b/2) x = (x * x) % m if b %2 == 1: x = (x * a) % m return x
The last implementation changes the recursive approach to an iterative one: Iterative logarithmic exponentiation def mpow(a, b, m): ans = 1
8 1.4 Computational results
while b > 0: if b & 1: ans = (ans * a) % m b = b >> 1 a = (a * a) % m return ans
1.4.3 Primality tests
Primality testing is another fundamental problem to solve on the Cryptography scene. It consists in saying if a number is either a prime or a composite. There are two types of primality tests:
• determinists, which are absolutely certain and generally slower
• probabilistic, which are certain with an ideally high probability, and are generally faster
There's a modication of the probabilistic Miller-Rabin test which relies on the as- sumption that the Generalized Riemann hypothesis is true, and uses the Fast Fourier Transformation for multiplication and achieves a running time of O˜((log n)4). On the other hand, the AKS primality test does not rely on any assumption and was originally proven to have an assymptotic time complexity of O˜((log n)12), improved with a vari- ation to O˜((log n)6) in 2005-2011 by (6, Lenstra-Pomerance). O˜(f(n)) is being used equally to represent O˜(f(n)) = O(f(n) logk g(n)) for some k. There's a publication comparing the asymptotic time with the real running time of various deterministic primality tests at (7, Primality testing). The asymptotic complexity of those methods does not take into account implemen- tation constants which make the tests even slower. For that and because in this work the numbers to be tested have from hundreds to thousands of bits, probabilistic faster tests will be used.
1.4.3.1 Fermat
The Fermat primality test is a probabilistic test that tries to determine whether a number is prime or not, also known as testing if a number is probable prime. The
9 1. INTRODUCTION
problem to be solved is to know if a number n is prime or not. From the Fermat's little theorem it's known that if n is prime, then for every integer a:
an−1 ≡ 1 (mod n)
The test consists in picking several random values of a in the interval [1, n − 1] and checking if the equality holds. If it does not, then n is denitely a composite number. The values of a for which an−1 6≡ 1 (mod n) are known as Fermat witnesses. Such test fails when not enough random values are picked and the equality holds for all of them, or when an−1 ≡ 1 (mod n)∀a. There are innitely many values of n, known as the aforementioned Carmichael numbers for which all values of a for which gcd(a, n) = 1 are Fermat liars. They are not primes, but pass the test.
1.4.3.2 Solovay-Strassen
The Solovay-Strassen primality test is based on the Legendry symbol calculation using Euler's criterion, both previously detailed. Given an odd number n the test consists in checking whether or not the congruence a a(n−1)/2 ≡ (mod n) n holds for dierent values of a. If n is prime, then the congruence is true for all a. The method picks random values of a and if one of them does not satisfy the congruence, then n is a composite number. This a is called an Euler witness for n. A value of a is called an Euler liar if the congruence is true while n is composite. In contrast with the Fermat primality test, where there could be values of n with no witnesses (Carmichael numbers), there are many for the Solovaly-Strassen test. For every odd composite n, at least half of all the bases a coprime with n in [1, n − 1] are Euler witnesses. The error probability of 1/2 holds for a single round of any input n, and after k rounds of the test, the error probability is roughly 2−k.
1.4.3.3 Miller-Rabin
The Miller-Rabin primality test is the one used in the following sections since it's not only fast in its execution, but it provides high certainty that a number is either composite or prime.
10 1.4 Computational results
Discerning prime numbers from composites is based on the following property of primes.
Proposition 1. Let n > 2 be a prime number. n − 1 is even, so n can be written as s ∗ n = 2 d + 1, with an odd d. For each a ∈ (Z/nZ) , either
ad ≡ 1 (mod n) or for some 0 ≤ r ≤ s − 1 r a2 d ≡ 1 (mod n).
Lemma 1. (Square roots of unit in Z/pZ) Let p be an odd prime. Lets name 1 and -1 trivial square roots of 1, which are clearly 1 when squared modulo p. There are no other square roots of 1 modulo p.
Square roots of unit in Z/pZ. Suppose x is a square root of 1 modulo p. Then:
x2 ≡ 1 (mod p)
(x − 1)(x + 1) ≡ 0 (mod p)
Which would mean that p divides x − 1 or x + 1, which is a contradiction.
Proposition. For a prime number n, by the Fermat's little theorem
an−1 ≡ 1 (mod n)
When the left term square root is taken, the result is either 1 or −1. If it's −1, the second equality holds. If in the process there are no −1, there are no powers of two remaining, the exponent is odd and the rst equality holds.
The Miller-rabin primality test looks for an a such that
ad 6≡ 1 (mod n) and ∀ 0 ≤ r ≤ s − 1 r a2 d 6≡ 1 (mod n).
In that case, a is called a witness for the compositeness of n. When the equations hold given an a for a composite n, a is called a strong liar.
11 1. INTRODUCTION
After k rounds with random bases a the probability of being mistaken is smaller than 4−k. The algorithm can be described in not so theoretical terms as follows. Given an odd integer n, let n = 2sd + 1 with odd d. Then choose a random integer a with r 1 ≤ a ≤ n − 1. If ad ≡ 1 (mod n) or a2 d ≡ −1 (mod n) for some 0 ≤ j ≤ s − 1, then n passes the test. A prime will pass the test for all a. The implementation of the Miller-Rabin primality test in Python used for the further presented cryptosystems is the following. Note this method is run with several random witnesses before asserting a number is probably prime.
Miller Rabin def miller_rabin(witness, possible): a = witness b = possible -1 n = possible
A = a = long(a % n) if A == 1: return False t = 1L while t <= b: t <<= 1
# t = 2**k, and t > b t >>= 2
while t: A = (A * A) % n if t & b: A = (A * a) % n if A == 1: return False t >>= 1 return True
12 1.5 Public key cryptography
1.4.4 Random prime generation
Another commonly faced problem in cryptography is how to generate a prime number of a given length in bits. It sounds theoretically impossible problem, but what really is needed is a probable prime. Since the prime number theorem that there are around x/ log(x) prime numbers be- low x, checking random numbers to be prime will yield an expected number of checks of around log(x), which is fast enough (both theoretically and experimentally) for numbers of hundreds to thousands of bits. The function tests the primality with small known primes followed by k tests of Miller-Rabin.
Prime generation def get_prime(bits): k = 64 while True: maybe_prime = random.randrange(2 ** (bits-1) + 1, 2 ** bits) | 1 if Crypto.is_probably_prime(maybe_prime, k): return maybe_prime
1.5 Public key cryptography
1.5.1 Description
Public key cryptography is the use of asymmetric key algorithms where the key used to encrypt a message is not the same as the key used to decrypt it. Everyone can use the public key to encrypt a message. On the other hand, private keys are secret. This way only the intended receiver can decrypt the message. The most known and widely used for secure data transmission cryptosystem is RSA (from the authors Rivest, Shamir and Adleman). The asymmetric term refers to the fact that dierent keys are used to perform inverse functions, as opposed to symmetric, which relies on the same key to perform both. One of the great advantages of public key cryptosystems is that they do not require an initial exchange of secrets keys between the parties involved in the secure commu-
13 1. INTRODUCTION
Figure 1.3: Schematic of asymmetric encryption. nication. It requires, though, that all the involved parties to be able to generate their own key pair. Specically for the matter of this work, a cryptosystem is dened as the description of three algorithms: key generation, encryption and decryption. For simplicity, the messages will be represented as numbers, noting that's not an exaggerated simplication since not only every message can be represented as an integer but a message can be split in dierent parts and sent in smaller encrypted chunks (for example, sent as hexadecimal data representing the numbers associated to a substring of the text of a given size). On a related term, digital signature is a scheme for demonstrating the authenticity of a digital message. A valid signature guarantees that the sender cannot deny having sent the message, and that the message was not modied after being sent. They are closely related with asymmetric encryption and consist of three elements: key genera- tion, signing, signature verifying. Most of the times, instead of verifying a full message, a strong hashing function is enough.
1.5.2 Examples
Public-key algorithms are fundamental in many internet standards used by millions of people, such as TLS, SSL and PGP. An everyday example would be the digital certicates used when visiting a website under the https prex. The connection is established using SSL and even if someone was capturing the data between the user and the website, they wouldn't be able to know what data is being transmitted.
14 1.6 Additive Homomorphic encryption
Figure 1.4: Https green lock shown in a end-user browser.
A curious commonly accepted way of trusting a website is having a third party trusted certicate authority (in this case VeriSign), trusted by both the site owner and the client. Note that in Figure 1.5 TLS, SHA1 (hash) and RSA are being mentioned.
Figure 1.5: Certicate information shown in Google Chrome.
Some well-known techniques include ElGamal, the Paillier Cryptosystem, RSA and some elliptic curve techniques. Many protocols such as GPG, PGP, SSH and Bitcoin rely on asymmetric key algorithms.
1.6 Additive Homomorphic encryption
Homomorphic encryption is a type of encryption which allows certain functions to be applied on the encrypted text which result in another encrypted text that, when de- crypted, is equivalent as if the encryption was done after applying the initial function. The term additive refers to the result operation, which is a sum. In the cases of interest
15 1. INTRODUCTION
(Paillier and Goldwasser-Micali), the product of two encrypted messages is equivalent to the encryption of the addition of those messages.
1.6.1 Paillier
The public key is the modulus n and the base g, the encryption of a message m is E(m) = gmrn mod n2 for a random r ∈ [0, n − 1]. The homomorphic property is:
m1 n m2 n m1+m2 n E(m1) · E(m2) = (g r1 )(g r2 ) = g (r1r2) = E(m1 + m2 mod n)
1.6.2 Goldwasser-Micali
The Goldwasser-Micali is the cryptosystem that Joye-Libert is based on. The public key is the modulus n and the quadratic non-residue m. The encryption of a single bit b is E(b) = mbr2 mod n for a random r ∈ [0, n − 1]. The homomorphic property is:
b1 2 b2 2 b1+b2 2 E(b1) · E(b2) = m r1m r2 = m (r1r2) = E(b1 ⊕ b2) where ⊕ is the bit operation XOR.
16 1.7 Notation
1.7 Notation
Zn the set of non-negative minimal residues modulus n, i.e., {0, 1, ··· , n − 1}.
hxin x (mod n), result in a non-negative minimal residue.
(x)n x (mod n), result in an absolute minimal residue. (a, b) the greatest common divisor of a and b. [a, b] the least common multiple of a and b. ∗ the multiplicative group modulus , i.e., . Zn n {a ∈ Zn|(a, n) = 1} a a's generalized Legendre symbol modulus p. p k a 's generalized Jacobi symbol modulus . n k a p the set of elements ∗ such that a , Jn,k a ∈ Zn n k = 1 Jn,k = Rn,k ∪ NRn,k. the set of th-power residues modulus , i.e. k ∗ . Rn,k k n {(x )n|x ∈ Zn} th NRn,k the set of k -power non-residues in Jn,k, i.e., Jn,kRn,k. φ(n) Euler's totient function on n. λ(n) Carmichael's function on n.
Table 1.1: Notations used in this work.
17 1. INTRODUCTION
18 Chapter 2
Paillier cryptosystem
The Paillier cryptosystem (8) is a probabilistic asymmetric algorithm for public key cryptography.
2.1 Background
Denition 6. A number z is said to be a n-th residue modulo n2 if there exists a number ∗ such that y ∈ Zn2 z ≡ yn (mod n2)
Each n-th residue z has exactly n roots of degree n, among which exactly one is strictly smaller than n. The n-th roots of unity are the numbers of the form (1 + n)x = 1 + xn (mod n2).
Decisional composite residuosity assumption (DCRA) 1. Let n be an composite integer and z an integer, then it's computationally dicult to decide whether z is a n-residue modulo n2 or not. In other words, it's dicult to decide if there exists a y such that z ≡ yn (mod n2)
Conjecture 1. There exists no polynomial time distinguisher for n-th residues modulo n2. The problem is intractable.
Let be some element of ∗ and denote by the integer-valued function dened g Zn2 Eg by
∗ ∗ Zn × Zn 7→ Zn2
19 2. PAILLIER CRYPTOSYSTEM
(x, y) 7→ gxyn (mod n2)
We denote by ∗ the set of elements of order and by their disjoint union B ⊂ Zn2 nα B ∀α.
Denition 7. Assume that . For ∗ , we call -th residuosity class of g ∈ B w ∈ Zn2 n w with respect to the unique integer for which there exists ∗ such that g x ∈ Zn y ∈ Zn
Eg(x, y) = w
Adopting notations in (9), the class of w is denoted w g. J K Denition 8. The n-th Residuosity Class Problem of base g, denoted Class[n,g], is dened as: given ∗ and , compute . w ∈ Zn2 g ∈ B w g J K Theorem 5. Class[n] is polynomially reducible (equivalent) to factorizing n (Fact[n]).
Proof. Can be found at (8)
2.2 Algorithm
The following encryption scheme employs Eg for encryption and the polynomial reduc- tion of Theorem 5 for decryption. It uses the factorisation as a trapdoor (one-way function). The following sections will make use of the helper function L(u) = (u−1)/n; this function can thus be applied only if n divides u − 1.
2.2.1 Key generation
1. Select two large prime numbers p and q randomly and independent of each other such that gcd(pq, (p − 1)(q − 1)) = 1.
2. Compute n = pq and λ = lcm(p − 1, q − 1).
3. Select a base . Pick a random ∗ and ensure divides the order of by g ∈ B g ∈ Zn2 n g checking the existence of the following modular multiplicative inverse: µ = (L(gλ (mod n2)))−1 (mod n).
4. The public (encryption) key is (n, g).
5. The private (decryption) key is (λ, µ).
20 2.2 Algorithm
If both primes p and q have the same bit length, the property gcd(pq, (p−1)(q−1)) = 1 is assured and a simpler variant can be used with g = n+1, λ = φ(n) = (p−1)(q −1), and µ = φ(n)−1 (mod n). For simplicity, two primes p and q of k bits each will be considered.
2.2.2 Encryption
1. Let (n, g) be the Public Key.
2. Let m be the plain text message, assuring m < n, i.e. m ∈ Zn.
3. Select a random ∗ . r ∈ Zn
4. Compute the ciphertext c = gmrn (mod n2).
2.2.3 Decryption
1. Let (λ, µ) be the Private Key.
2. Let be the ciphertext to decrypt, ∗ . c c ∈ Zn2
3. Compute m = L(cλ (mod n2)) · µ (mod n).
The decryption is based on the fact that
n X n x (1 + n)x = xk = 1 + nx + n2 + higher powers of n k 2 k=0 So we can express, which reduces to
(1 + n)x ≡ 1 + nx (mod n2)
y = (1 + n)x mod n2 y − 1 x ≡ (mod n2) n And thus proves that the decryption is correct
L((1 + n)x (mod n2)) ≡ x (mod n)
21 2. PAILLIER CRYPTOSYSTEM
2.3 Cryptosystem analysis
Until the appearance of the Paillier cryptosystem, most public-key cryptosystems pre- sented a cubic decryption complexity, which is exactly the cost of this. On the other hand, several aspects can be optimized:
2.3.1 Optimizations
2.3.1.1 Key generation
Generating primes with the same number of bits helps reducing most of the calculations, as mentioned on the respective section. The whole process can be made faster by carrying computations separately mod p2 and mod q2 and solving the Chinese remainder problem for g (mod p2) and g (mod q2) at the very end.
2.3.1.2 Encryption
Note that for the same bit length p and q, when g = n + 1 the product term gm can be computationally simplied to gm ≡ (n + 1)m ≡ 1 + mn (mod n2).
2.3.1.3 Decryption
Computing L(u) may be achieved at a very low cost (only one multiplication modulo 2n) by precomputing n−1 (mod 2n). The constant parameter
L(gλ (mod n2))−1 (mod n) can also be precomputed just once.
2.3.2 Properties
2.3.2.1 Additive Homomorphism
m n 2 The encryption function m 7→ g r (mod n ) is additively homomorphic on Zn. Con- sidering E to be the encryption function and D the decryption function, this leads to the following identities:
∀m1, m2 ∈ Zn andk ∈ N
2 D(E(m1)E(m2) (mod n )) = m1 + m2 (mod n)
22 2.4 Implementation and performance
D(E(m)k (mod n2)) = km (mod n)
m2 2 D(E(m)g (mod n )) = m1 + m2 (mod n)
m2 2 D(E(m1) (mod n )) = m1m2 (mod n)
m1 2 D(E(m2) (mod n )) = m1m2 (mod n) These properties are really important in the elds of voting protocols, threshold cryptosystems, watermarking, secret sharing schemes,and server-aided polynomial eval- uation. Electronic voting will be more extended in the following chapters.
2.3.2.2 Self-Blinding
Any ciphertext can be publicly changed into another one without aecting the plaintext:
∀m ∈ Zn and r ∈ N
D(E(m)rn (mod n2)) = m
Such a property has potential applications in a wide range of cryptographic settings.
2.4 Implementation and performance
The Paillier cryptosystem has been implemented in Python and has no external depen- dencies whatsoever except for a custom Cryptographic library.
2.4.1 Complexity
Generating random primes of k bits each is done by repeatedly trying random numbers in the interval [2k−1 + 1, 2k − 1] and testing each of them with 64 iterations of the Miller-Rabin test with random witnesses. According to the PNT, O k tries will be needed, and the cost of a Miller-Rabin test is linear on the number of bits, multiplied by the cost of a multiplication operation. Since the numbers are so large, we can no longer assume a multiplication operation happens in constant time, and even though a naive implementation would result in O k2 time, that could be improved to O k log k implementing multiplication using the Fast Fourier Transform. In reality, the Python implementation is used, which is done using the Karatsuba multiplication
23 2. PAILLIER CRYPTOSYSTEM