Extensions to the Paillier Cryptosystem with Applications to Cryptological Protocols Basic Research in Computer Science

BRICS Dissertation Series DS-03-9
ISSN 1396-7002
August 2003

Mads J. Jurik: Extensions to the Paillier Cryptosystem with Applications to Cryptological Protocols

Copyright © 2003, Mads J. Jurik. BRICS, Department of Computer Science, University of Aarhus. All rights reserved. Reproduction of all or part of this work is permitted for educational or research use on condition that this copyright notice is included in any copy.

See back inner page for a list of recent BRICS Dissertation Series publications.

Copies may be obtained by contacting:
BRICS, Department of Computer Science, University of Aarhus
Ny Munkegade, building 540
DK-8000 Aarhus C
Denmark
Telephone: +45 8942 3360
Telefax: +45 8942 3255
Internet: [email protected]

BRICS publications are in general accessible through the World Wide Web and anonymous FTP through these URLs: http://www.brics.dk ftp://ftp.brics.dk
This document is in subdirectory DS/03/9/

Extensions to the Paillier Cryptosystem with Applications to Cryptological Protocols
Mads Johan Jurik
PhD Dissertation, Department of Computer Science, University of Aarhus, Denmark

A Dissertation Presented to the Faculty of Science of the University of Aarhus in Partial Fulfilment of the Requirements for the PhD Degree by Mads Johan Jurik, March 19, 2004

Abstract

The main contribution of this thesis is a simplification, a generalization and some modifications of the homomorphic cryptosystem proposed by Paillier in 1999, and several cryptological protocols that follow from these changes.

The Paillier cryptosystem is an additive homomorphic cryptosystem, meaning that one can combine ciphertexts into a new ciphertext that is the encryption of the sum of the messages of the original ciphertexts. The cryptosystem uses arithmetic over the group $\mathbb{Z}^*_{n^2}$ and can encrypt messages from the group $\mathbb{Z}_n$. In this thesis the cryptosystem is generalized to work over the group $\mathbb{Z}^*_{n^{s+1}}$ for any integer $s > 0$, with plaintexts from the group $\mathbb{Z}_{n^s}$. This has the advantage that the ciphertext is only a factor of $(s+1)/s$ longer than the plaintext, which is an improvement on the factor of 2 in the Paillier cryptosystem. The generalized cryptosystem is also simplified in some ways, which results in a threshold decryption that is conceptually simpler than other proposals. Another cryptosystem is also proposed that is length-flexible, i.e. given a fixed public key, the sender can choose $s$ when the message is encrypted and use the message space $\mathbb{Z}_{n^s}$. This new system is modified using some El Gamal elements to create a cryptosystem that is both length-flexible and has an efficient threshold decryption. This new system has the added feature that, with a globally set up RSA modulus $n$, provers can efficiently prove various relations on plaintexts inside ciphertexts made using different public keys.

Using these cryptosystems several multi-party protocols are proposed:

• A mix-net, which is a tool for making an unknown random permutation of a list of ciphertexts. This makes it a useful tool for achieving anonymity.
• Several voting systems:
  – An efficient large scale election system capable of handling large elections with many candidates.
  – Client/server trade-offs: 1) a system where vote size is within a constant of the minimal size, and 2) a system where a voter is protected even when voting from a hostile environment (i.e. a Trojan infested computer). Both of these improvements are achieved at the cost of some extra computations at the server side.
  – A small scale election with perfect ballot secrecy (i.e. any group of persons only learns what follows directly from their votes and the final result) usable e.g. for board room elections.
• A key escrow system, which allows an observer to decrypt any message sent using any public key set up in the defined way. This is achieved even though the servers only store a constant amount of key material.

The last contribution of this thesis is a petition system based on the modified Weil pairing. This system greatly improves on the naive implementations using normal signatures, from using on the order of $O(tk)$ group operations to using only $O(t + k)$, where $t$ is the number of signatures checked and $k$ is the security parameter.

Acknowledgements

First I would like to thank my supervisor Ivan B. Damgård for creating a research environment that has been very inspiring. He always had time to discuss new ideas and give feedback on early ideas and research problems. I would also like to thank the cryptology group at BRICS for listening to all my seminars and providing valuable feedback on the presentations, and especially Louis Salvail for making the whole experience a lot funnier than expected.

A big thanks also goes to Dan Boneh for hosting my stay abroad at Stanford University and to the Ph.D. students at the Security Lab in the Stanford Computer Science Department, for making the stay both a professional and social success.

Jan Camenisch and Berry Schoenmakers also deserve thanks for providing a lot of insightful comments on the thesis during the defence. This has helped improve the overall quality of the thesis.

Finally I would like to thank Kirill Morozov, Anne Grethe Jurik and Bolette Ammitzbøll Madsen for proof reading this dissertation, thereby helping to reduce the number of errors.

Mads Johan Jurik, Århus, March 19, 2004.

Contents

Abstract ... v
Acknowledgements ... vii
1 Introduction ... 1
1.1 Motivation ... 1
1.2 List of Publications ... 2
1.2.1 A Generalization of Paillier's Public-Key System with Applications to Electronic Voting ... 2
1.2.2 Client/Server Tradeoffs for Online Elections ... 2
1.2.3 A Length-Flexible Threshold Cryptosystem with Applications ... 3
1.2.4 A Key-Escrow Public-key Cryptosystem ... 3
1.3 Overview of Chapters ... 3
2 Improving the Paillier Cryptosystem ... 7
2.1 Introduction ... 7
2.1.1 Background ... 7
2.1.2 Related Work ... 8
2.1.3 Contribution ... 8
2.2 A Generalization of Paillier's Probabilistic Encryption Scheme ... 9
2.2.1 Security ... 13
2.2.2 Adjusting the Blocklength ... 16
2.3 Some Optimizations and Implementation Issues ... 17
2.3.1 An Alternative Encryption Function ... 17
2.3.2 Optimizations of Encryption and Decryption ... 18
2.4 Some Building Blocks ... 21
2.4.1 A Threshold Variant of the Scheme ... 21
2.4.2 Some Auxiliary Protocols ... 25
2.5 Introducing an El Gamal Element ... 29
2.5.1 Security of the Cryptosystem ... 30
2.6 An Efficient Length-Flexible Threshold Cryptosystem ... 33
2.7 A Proof Friendly Variant ... 34
2.7.1 Security of the Threshold Cryptosystems ... 34
2.7.2 Proofs in the Proof Friendly Variant ... 35
2.7.3 Homomorphic Properties ... 41
3 Anonymity Using Mix-nets ... 43
3.1 Introduction ... 43
3.1.1 Background ... 43
3.1.2 Contribution ... 44
3.2 The Mix-net Model ... 44
3.3 Adversaries ... 45
3.4 Security of the Mix-net ... 46
3.5 The System ... 46
3.6 Security Proofs ... 50
4 Secure On-line Voting ... 55
4.1 Introduction ... 55
4.1.1 Background ... 55
4.1.2 Related Work ... 58
4.1.3 Contribution ... 59
4.2 Efficient Electronic Voting ... 61
4.2.1 Model and Notation ... 61
4.2.2 A Yes/No Election ... 62
4.2.3 A Multi-Candidate Election ... 63
4.2.4 A Variant with Smaller Vote Size ... 63
4.3 Client/Server Trade-Offs ... 66
4.3.1 The Minimal Vote Election Scheme ... 66
4.3.2 An Alternative System ... 70
4.3.3 Protecting Clients Against Hackers ... 73
4.3.4 Interval Proofs for Paillier Encryptions ... 76
4.4 Self-Tallying Elections with Perfect Ballot Secrecy ... 79
4.4.1 Setup Phase ... 81
4.4.2 Ballot Casting ... 83
4.4.3 Tallying ... 86
4.4.4 Efficiency Comparison to Scheme from [47] ... 88
5 Key Escrow ... 89
5.1 Introduction ... 89
5.1.1 Background ... 89
5.1.2 Contribution ... 90
5.2 Model ... 91
5.3 A Simple Key Escrow System ... 92
5.4 Threshold Key Escrow ... 93
5.4.1 Removing the Trusted Third Party ... 95
5.5 Encryption Verification ... 95
5.6 Improving Performance for $s > 1$ ... 96
5.7 Security of the System ... 97
6 Efficient Petitions ... 99
6.1 Introduction ... 99
6.1.1 Background ... 99
6.1.2 Related Work ... 99
6.1.3 Contribution ... 100
6.2 Model ... 100
6.2.1 Properties for Petitions ... 101
6.3 Standard Petitions ... 101
6.4 Threshold Petitions ... 102
6.5 An Efficient Petition System ... 103
6.5.1 Aggregate Signatures ... 103
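The generalization the abstract describes, ciphertexts in $\mathbb{Z}^*_{n^{s+1}}$ with plaintexts in $\mathbb{Z}_{n^s}$, written out as a small working example (added here, not code from the thesis): encryption as $(1+n)^m r^{n^s}$, decryption by exponentiation followed by a digit-by-digit discrete log base $1+n$, the additive homomorphism, and the $(s+1)/s$ ciphertext expansion. The primes and plaintexts are constructed toy values.

```python
"""Damgaard-Jurik generalisation of Paillier with parameter s, as sketched in
the abstract: ciphertexts in Z*_{n^(s+1)}, plaintexts in Z_{n^s}.  Example code
written for this page, not from the thesis; primes below are constructed toys."""
import secrets
from math import gcd, factorial

def keygen(p, q):
    """Public key n = p*q; private key lam = lcm(p-1, q-1)."""
    return p * q, (p - 1) * (q - 1) // gcd(p - 1, q - 1)

def encrypt(n, s, m, r=None):
    """c = (1+n)^m * r^(n^s) mod n^(s+1), with r random in Z*_n."""
    ns, ns1 = n ** s, n ** (s + 1)
    assert 0 <= m < ns, "plaintext must lie in Z_{n^s}"
    while r is None or gcd(r, n) != 1:
        r = 2 + secrets.randbelow(n - 2)
    return pow(1 + n, m, ns1) * pow(r, ns, ns1) % ns1

def dlog_1pn(a, n, s):
    """Recover i mod n^s from a = (1+n)^i mod n^(s+1).
    (1+n)^i = sum_k C(i,k) n^k, so L_j(a) = ((a mod n^(j+1)) - 1) / n equals
    i + sum_{k=2..j} C(i,k) n^(k-1) (mod n^j).  The correction terms only need
    i mod n^(j-1), which the previous round has already recovered."""
    i = 0
    for j in range(1, s + 1):
        nj = n ** j
        t1 = ((a % n ** (j + 1)) - 1) // n
        t2 = i
        for k in range(2, j + 1):
            i -= 1
            t2 = t2 * i % nj                 # running product i(i-1)...(i-k+1)
            t1 = (t1 - t2 * n ** (k - 1) * pow(factorial(k), -1, nj)) % nj
        i = t1
    return i

def decrypt(n, lam, s, c):
    """Exponent d with d = 0 (mod lam) and d = 1 (mod n^s) removes the
    r^(n^s) part and leaves (1+n)^m; then take the discrete log base 1+n."""
    ns, ns1 = n ** s, n ** (s + 1)
    d = lam * pow(lam, -1, ns)
    return dlog_1pn(pow(c, d, ns1), n, s)

def add_ciphertexts(n, s, c1, c2):
    """Additive homomorphism: Dec(c1 * c2) = m1 + m2 mod n^s."""
    return c1 * c2 % n ** (s + 1)

def expansion_ratio(n, s):
    """Ciphertext length / plaintext length in bits, close to (s+1)/s."""
    return (n ** (s + 1)).bit_length() / (n ** s).bit_length()
```

With s = 1 the functions reduce to plain Paillier; the inner correction loop in dlog_1pn is what the s > 1 case adds.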
