Comparison of the Paillier and ElGamal Cryptosystems for Smart Grid Aggregation Protocols

Fabian Knirsch (a), Andreas Unterweger, Maximilian Unterrainer and Dominik Engel
Center for Secure Energy Informatics, Salzburg University of Applied Sciences, Urstein Süd 1, 5412 Puch/Hallein, Austria
(a) https://orcid.org/0000-0002-6346-5759

Keywords: Secure aggregation, Paillier cryptosystem, ElGamal cryptosystem, Privacy

Abstract: Many smart grid applications require the collection of fine-grained load data from customers. In order to protect customer privacy, secure aggregation protocols have been proposed that aggregate data spatially without allowing the aggregator to learn individual load data. Many of these protocols build on the Paillier cryptosystem and its additively homomorphic property. Existing works provide little or no justification for the choice of this cryptosystem, and there is no direct performance comparison to other schemes that allow for an additively homomorphic property. In this paper, we compare the ElGamal cryptosystem with the established Paillier cryptosystem, both conceptually and in terms of runtime, specifically for the use in privacy-preserving aggregation protocols. We find that, in the ElGamal cryptosystem, when made additively homomorphic, the runtime for encryption and decryption is distributed more asymmetrically between the smart meter and the aggregator than it is in the Paillier cryptosystem. This better reflects the setup typically found in smart grid environments, where encryption is performed on low-powered smart meters and decryption is usually performed on powerful machines. Thus, the ElGamal cryptosystem is a better, albeit overlooked, choice for secure aggregation protocols.

1 INTRODUCTION

Collecting fine-grained load data from smart meters installed in the customer premises has been shown to pose severe privacy risks (Wicker and Thomas, 2011; McKenna et al., 2012; Burkhart et al., 2018). To mitigate them, secure aggregation protocols have been proposed by many authors for privacy-preserving data aggregation in the smart grid, e.g., (Li et al., 2010; Erkin and Tsudik, 2012; Knirsch et al., 2017). These protocols protect customer privacy by only providing the sum of load data from a number of households at one point in time (Buescher et al., 2017). One approach for secure aggregation protocols is to employ an additively homomorphic cryptosystem and an entity that acts as a (semi-trusted) aggregator. Each smart meter encrypts its individual measurement and sends the encrypted value to the aggregator. The aggregator uses the additively homomorphic property of the underlying cryptosystem to calculate the encrypted sum and forwards this sum to the energy provider, who decrypts it. This way, the aggregator does not learn individual meter readings, but needs to be trusted for performing the correct aggregation (Unterweger et al., 2019). Figure 1 shows the principal setup and actors of such a smart grid aggregation protocol.

Existing works, e.g., (Li et al., 2010; Erkin and Tsudik, 2012; Erkin, 2015; Rane et al., 2015), provide little or no justification for the choice of the cryptosystem and most commonly employ the Paillier scheme (Paillier, 1999). Only very few publications make use of the ElGamal cryptosystem in the context of smart grids, e.g., (Busom et al., 2016). To the best of our knowledge, there exists no performance comparison between the Paillier cryptosystem and the ElGamal cryptosystem (ElGamal, 1985), which are the two most commonly used homomorphic cryptosystems (Armknecht et al., 2013) and also those with the highest security guarantees (Fontaine and Galand, 2007). While ElGamal is more lightweight in terms of encryption complexity, it is multiplicatively homomorphic, but can be made additively homomorphic (Cramer et al., 1997). This can be advantageous for low-powered devices such as smart meters. For this reason, the ElGamal cryptosystem is already widely employed in e-voting applications, as presented in (Adida, 2008; Chaum et al., 2008; Culnane et al., 2015).

[Figure 1: diagram. At the bottom, smart meters SM$_1$, SM$_2$, ..., SM$_N$ send $E(m_1), E(m_2), \dots, E(m_N)$ to the aggregator A; A sends $E(\sum_i m_i) = \prod_i E(m_i)$ to the energy provider EP at the top.]
Figure 1: Aggregation protocol with homomorphic encryption: Each smart meter (SM$_i$) sends its encrypted value $E(m_i)$ to the aggregator (A). The aggregator calculates the sum of the values in the ciphertext domain using the additively homomorphic property of the cryptosystem. The result is sent to the energy provider (EP), which decrypts it to obtain the plaintext sum $\sum_i m_i$ of the readings.

1.1 RELATED WORK

The properties of the Paillier cryptosystem have been investigated in detail by, e.g., (Catalano et al., 2001; Damgård and Jurik, 2001; Damgård et al., 2010). The same is true for a number of variations of the system, e.g., (Fouque et al., 2001; Galbraith, 2002; Hazay et al., 2012). Similarly, investigations for the ElGamal cryptosystem and its variations exist, e.g., (Cramer and Shoup, 2003; Kumar and Madrai, 2012; Armknecht et al., 2013).

A general runtime comparison between the ElGamal and the multiplicatively homomorphic RSA cryptosystem has been conducted by (Maqsood et al., 2017). However, the Paillier cryptosystem has not been considered in their analysis, as opposed to our work. A non-peer-reviewed publication titled "An experimental study on Performance Evaluation of Asymmetric Encryption Algorithms" by Farah et al. exists which describes runtime results for both the Paillier and the ElGamal cryptosystems. However, their reported results do not increase with increasing plaintext size and even drop to zero for some plaintexts, casting doubts on their numbers and thus their conclusions. To the best of our knowledge there is currently no comparison of the Paillier and ElGamal cryptosystems in the context of smart grid aggregation protocols, and no analysis of the suitability of the latter in practical setups exists. Thus, this aspect is investigated in this paper.

1.2 CONTRIBUTION

This paper briefly presents both the Paillier and the ElGamal cryptosystems with extensions from the literature to make them comparable for additively homomorphic operations. The main contribution of this paper is the runtime analysis and comparison of the two cryptosystems for aggregated smart meter data. The detailed analysis of encryption and decryption times as well as of each relevant algorithmic step allows for conclusions on the suitability and practicability of both cryptosystems for secure aggregation. It also allows for recommendations on which system to prefer for this smart grid aggregation use case. In this paper, we find that the ElGamal cryptosystem is overlooked for many proposed protocols. The encryption is more lightweight compared to the Paillier cryptosystem, and the additional overhead at decryption can be mitigated by powerful devices in the EP's premises or is negligible for practical applications.

1.3 STRUCTURE

The paper is structured as follows: Section 2 describes the Paillier and ElGamal cryptosystems, as well as additional algorithms to make them comparable. Section 3 compares both cryptosystems and their application for privacy-preserving aggregation. Section 4 summarizes the findings and gives an outlook to future work.

2 BACKGROUND

In this section, the Paillier and ElGamal cryptosystems, which are compared in this paper, are explained briefly, together with their relevant properties. In addition, the Cramer transformation is described, which allows using the ElGamal cryptosystem in such a way that it becomes comparable to the Paillier cryptosystem. Furthermore, multiple algorithms for calculating the aggregate after ElGamal decryption are described.

2.1 PAILLIER CRYPTOSYSTEM

The Paillier cryptosystem is an additively homomorphic, semantically secure public-private key cryptosystem (Paillier, 1999; Catalano et al., 2001). An additively homomorphic cryptosystem fulfills the equation
$$D(E(m_1) \cdot E(m_2)) = m_1 + m_2$$
for two plaintexts $m_1$ and $m_2$, where $E$ and $D$ denote the encryption and decryption functions, respectively.

Given two large prime numbers $p$ and $q$ of the same length, the public key $(n, g)$ is calculated by
$$n = pq, \quad g = n + 1$$
and the private key $\lambda$ is calculated by
$$\lambda = \varphi(n), \quad \mu = \varphi(n)^{-1} \bmod n,$$
where $\varphi(n) = (p - 1)(q - 1)$.

Encryption of a plaintext $m \in \{0, 1, \dots, n-1\}$ to a ciphertext $c$ is performed by
$$c = g^m r^n \bmod n^2,$$
with a random number $r \in \{1, 2, \dots, n-1\}$. Given two ciphertexts $c_1$ and $c_2$, the additively homomorphic property can be shown by
$$c_1 \cdot c_2 = g^{m_1 + m_2} (r_1 \cdot r_2)^n \bmod n^2.$$
Decryption of the above expression will result in the sum of $m_1$ and $m_2$.

2.2 ELGAMAL CRYPTOSYSTEM

The ElGamal cryptosystem is a public-private key cryptosystem with a multiplicatively homomorphic property (ElGamal, 1985). A multiplicatively homomorphic cryptosystem fulfills the equation
$$D(E(m_1) \cdot E(m_2)) = m_1 \cdot m_2.$$
Given a publicly known cyclic group $G$ of order $q$ with a publicly known generator $g$, the public key is
$$h = g^r,$$
with $r \in \{1, 2, \dots, q-1\}$ being randomly chosen.

2.4 BRUTE FORCE ALGORITHM

To recover $m$ from $m' = g^m \pmod q$ with known $g$ and $q$, the discrete logarithm $\log_g(m') = m \pmod q$ can be solved by brute forcing all possible values of $m$ until a solution is found. The complexity of this algorithm is $O(q)$. If it is known that $m$ is within a given interval $[0, b]$, the complexity is reduced to $O(b)$.

Linear speedup can be achieved by parallelizing the brute-force search. While not reducing the complexity itself, the constant factor of the runtime is reduced proportionally to the number of parallel searches.

2.5 POLLARD'S LAMBDA ALGORITHM

Pollard's Lambda algorithm is designed to solve the discrete logarithm and achieves a runtime complexity of $O(\sqrt{b - a})$ for a plaintext in the interval $m \in [a, b]$ (Pollard, 1978). This assumes that $m$ is with certainty within the defined interval.

Pollard's Lambda algorithm rewrites $m = b + d - d_k \pmod q$ for a $k \in [0, I-1]$. $I$ can be chosen according to (Pollard, 1978). First, a sequence $x_0, \dots, x_I$ is computed, where $x_0 = g^b$ and
$$x_{i+1} = x_i g^{f(x_i)},$$
with $f$ being a parameterizable pseudorandom function
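The Paillier scheme of Section 2.1 run through the aggregation flow of Figure 1, as an added example that is not code from the paper; the function names, the toy primes 10007 and 10009 and the sample readings are constructed for illustration.

```python
# Added example, not code from the paper: toy Paillier with g = n + 1 (Sect. 2.1).
# Each meter encrypts its reading, the aggregator multiplies ciphertexts mod n^2,
# and the energy provider decrypts once to obtain the sum (Figure 1).
# Small primes for readability; deployments use a ~2048-bit n.
import secrets
from math import gcd

def paillier_keygen(p, q):
    """Public key (n, g) with g = n + 1; private key (lambda, mu)."""
    n = p * q
    lam = (p - 1) * (q - 1)          # lambda = phi(n)
    mu = pow(lam, -1, n)             # mu = phi(n)^-1 mod n
    return (n, n + 1), (lam, mu)

def paillier_encrypt(pk, m):
    """c = g^m * r^n mod n^2 with random r in {1, ..., n-1}."""
    n, g = pk
    if not 0 <= m < n:
        raise ValueError("plaintext must be in 0..n-1")
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:           # r sharing a factor with n breaks decryption
            break
    return pow(g, m, n2) * pow(r, n, n2) % n2

def paillier_decrypt(pk, sk, c):
    """m = L(c^lambda mod n^2) * mu mod n, with L(u) = (u - 1) / n."""
    n, _ = pk
    lam, mu = sk
    u = pow(c, lam, n * n)
    return (u - 1) // n * mu % n

def aggregate(pk, ciphertexts):
    """Aggregator: product of the ciphertexts mod n^2 encrypts the plaintext sum."""
    n, _ = pk
    acc = 1
    for c in ciphertexts:
        acc = acc * c % (n * n)
    return acc

def demo_sum(readings, p=10007, q=10009):
    """Encrypt each reading, aggregate, decrypt once: returns sum(readings)."""
    pk, sk = paillier_keygen(p, q)
    agg = aggregate(pk, [paillier_encrypt(pk, m) for m in readings])
    return paillier_decrypt(pk, sk, agg)
```

The aggregator never calls `paillier_decrypt`, so it only ever handles ciphertexts; the single decryption happens at the energy provider.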
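The ElGamal scheme of Section 2.2 with the plaintext encoded in the exponent (the Cramer et al., 1997 construction the paper cites for making it additively homomorphic), followed by the bounded brute-force recovery of Section 2.4, as an added example that is not the paper's code; the toy 32-bit safe-prime group, the choice of 4 as subgroup generator, the function names and the sample readings are constructed assumptions.

```python
# Added example, not code from the paper: ElGamal with plaintext encoded as g^m
# (Cramer et al., 1997). The aggregator's product encrypts g^(sum m_i); the energy
# provider decrypts and recovers the sum by the bounded brute force of Sect. 2.4.
import secrets

def is_prime(n):
    """Trial division; adequate only for the toy 32-bit modulus built below."""
    if n < 2 or n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, int(n ** 0.5) + 1, 2))

def safe_prime_group(bits=32):
    """Toy (p, q, g): p = 2q + 1, q prime; g = 4 generates the order-q subgroup."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def encrypt(p, q, g, h, m):
    """Exponential ElGamal: (g^k, h^k * g^m) with a fresh random k per reading."""
    k = secrets.randbelow(q - 1) + 1
    return pow(g, k, p), pow(h, k, p) * pow(g, m, p) % p

def aggregate(p, cts):
    """Aggregator: component-wise product is an encryption of g^(m_1 + ... + m_N)."""
    c1, c2 = 1, 1
    for a, b in cts:
        c1, c2 = c1 * a % p, c2 * b % p
    return c1, c2

def decrypt_to_gm(p, r, ct):
    """Energy provider: g^m = c2 * c1^(-r); m itself still needs a DLP solver."""
    return ct[1] * pow(ct[0], -r, p) % p

def brute_force_dlog(p, g, target, bound):
    """Sect. 2.4: try m = 0..bound until g^m == target; None if m is out of range."""
    acc = 1
    for m in range(bound + 1):
        if acc == target:
            return m
        acc = acc * g % p
    return None

def demo_sum(readings, bound):
    """Full run; bound = N * max reading, known to the energy provider."""
    p, q, g = safe_prime_group()
    r = secrets.randbelow(q - 1) + 1          # private key r in {1, ..., q-1}
    h = pow(g, r, p)                          # public key h = g^r (Sect. 2.2)
    cts = [encrypt(p, q, g, h, m) for m in readings]
    return brute_force_dlog(p, g, decrypt_to_gm(p, r, aggregate(p, cts)), bound)
```

The smart meter side is two modular exponentiations plus one multiplication per reading, while the discrete-logarithm search lands entirely on the energy provider, which is the asymmetry the paper argues for.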
