Comparison of the Paillier and ElGamal Cryptosystems for Smart Grid Aggregation Protocols

Fabian Knirsch (https://orcid.org/0000-0002-6346-5759), Andreas Unterweger, Maximilian Unterrainer and Dominik Engel
Center for Secure Energy Informatics, Salzburg University of Applied Sciences, Urstein Süd 1, 5412 Puch/Hallein, Austria
ffi[email protected]

Keywords: Secure Aggregation, Paillier Cryptosystem, ElGamal Cryptosystem, Privacy.

Abstract: Many smart grid applications require the collection of fine-grained load data from customers. In order to protect customer privacy, secure aggregation protocols have been proposed that aggregate data spatially without allowing the aggregator to learn individual load data. Many of these protocols build on the Paillier cryptosystem and its additively homomorphic property. Existing works provide little or no justification for the choice of this cryptosystem, and there is no direct performance comparison to other schemes that allow for an additively homomorphic property. In this paper, we compare the ElGamal cryptosystem with the established Paillier cryptosystem, both conceptually and in terms of runtime, specifically for use in privacy-preserving aggregation protocols. We find that, in the ElGamal cryptosystem, when made additively homomorphic, the runtime for encryption and decryption is distributed more asymmetrically between the smart meter and the aggregator than it is in the Paillier cryptosystem. This better reflects the setup typically found in smart grid environments, where encryption is performed on low-powered smart meters and decryption is usually performed on powerful machines. Thus, the ElGamal cryptosystem is a better, albeit overlooked, choice for secure aggregation protocols.

1 INTRODUCTION

Collecting fine-grained load data from smart meters installed in the customer premises has been shown to pose severe privacy risks (Wicker and Thomas, 2011; McKenna et al., 2012; Burkhart et al., 2018). To mitigate them, secure aggregation protocols have been proposed by many authors for privacy-preserving data aggregation in the smart grid, e.g., (Li et al., 2010; Erkin and Tsudik, 2012; Knirsch et al., 2017). These protocols protect customer privacy by only providing the sum of load data from a number of households at one point in time (Buescher et al., 2017).

One approach for secure aggregation protocols is to employ an additively homomorphic cryptosystem and an entity that acts as a (semi-trusted) aggregator. Each smart meter encrypts its individual measurement and sends the encrypted value to the aggregator. The aggregator uses the additively homomorphic property of the underlying cryptosystem to calculate the encrypted sum and forwards this sum to the energy provider, who decrypts it. This way, the aggregator does not learn individual meter readings, but needs to be trusted for performing the correct aggregation (Unterweger et al., 2019). Figure 1 shows the principal setup and actors of such a smart grid aggregation protocol.

Existing works, e.g., (Li et al., 2010; Erkin and Tsudik, 2012; Erkin, 2015; Rane et al., 2015), provide little or no justification for the choice of the cryptosystem and most commonly employ the Paillier scheme (Paillier, 1999). Only very few publications make use of the ElGamal cryptosystem in the context of smart grids, e.g., (Busom et al., 2016). To the best of our knowledge, there exists no performance comparison between the Paillier cryptosystem and the ElGamal cryptosystem (ElGamal, 1985), which are the two most commonly used homomorphic cryptosystems (Armknecht et al., 2013) and also those with the highest security guarantees (Fontaine and Galand, 2007).

While ElGamal is more lightweight in terms of encryption complexity, it is multiplicatively homomorphic, but can be made additively homomorphic (Cramer et al., 1997). This can be advantageous for low-powered devices such as smart meters. For this reason, the ElGamal cryptosystem is already widely employed in e-voting applications, as presented in (Adida, 2008; Chaum et al., 2008; Culnane et al., 2015).

[Figure 1: smart meters $SM_1, SM_2, \ldots, SM_N$ send $E(m_1), E(m_2), \ldots, E(m_N)$ to the aggregator A, which forwards $E(\sum_i m_i) = \prod_i E(m_i)$ to the energy provider EP.]

Figure 1: Aggregation protocol with homomorphic encryption: Each smart meter ($SM_i$) sends its encrypted value $E(m_i)$ to the aggregator (A). The aggregator calculates the sum of the values in the ciphertext domain using the additively homomorphic property of the cryptosystem. The result is sent to the energy provider (EP), which decrypts it to obtain the plaintext sum $\sum_i m_i$ of the readings.

1.1 Related Work

The properties of the Paillier cryptosystem have been investigated in detail by, e.g., (Catalano et al., 2001; Damgård and Jurik, 2001; Damgård et al., 2010). The same is true for a number of variations of the system, e.g., (Fouque et al., 2001; Galbraith, 2002; Hazay et al., 2012). Similarly, investigations of the ElGamal cryptosystem and its variations exist, e.g., (Cramer and Shoup, 2003; Kumar and Madrai, 2012; Armknecht et al., 2013).

A general runtime comparison between the ElGamal and the multiplicatively homomorphic RSA cryptosystem has been conducted by (Maqsood et al., 2017). However, the Paillier cryptosystem has not been considered in their analysis, as opposed to our work.

A non-peer-reviewed publication titled "An experimental study on Performance Evaluation of Asymmetric Encryption Algorithms" by Farah et al. exists which describes runtime results for both the Paillier and the ElGamal cryptosystem. However, their reported results do not increase with increasing plaintext size and even drop to zero for some plaintexts, casting doubt on their numbers and thus on their conclusions.

To the best of our knowledge, there is currently no comparison of the Paillier and ElGamal cryptosystems in the context of smart grid aggregation protocols, and no analysis of the suitability of the latter in practical setups exists. Thus, this aspect is investigated in this paper.

1.2 Contribution

This paper briefly presents both the Paillier and the ElGamal cryptosystem, with extensions from the literature to make them comparable for additively homomorphic operations. The main contribution of this paper is the runtime analysis and comparison of the two cryptosystems for aggregated smart meter data. The detailed analysis of encryption and decryption times, as well as of each relevant algorithmic step, allows for conclusions on the suitability and practicability of both cryptosystems for secure aggregation. It also allows for recommendations on which system to prefer for this smart grid aggregation use case. In this paper, we find that the ElGamal cryptosystem is overlooked by many proposed protocols. Its encryption is more lightweight compared to the Paillier cryptosystem, and the additional overhead at decryption can be mitigated by powerful devices in the EP's premises or is negligible for practical applications.

1.3 Structure

The paper is structured as follows: Section 2 describes the Paillier and ElGamal cryptosystems, as well as additional algorithms to make them comparable. Section 3 compares both cryptosystems and their application for privacy-preserving aggregation. Section 4 summarizes the findings and gives an outlook on future work.

2 BACKGROUND

In this section, the Paillier and ElGamal cryptosystems, which are compared in this paper, are explained briefly, together with their relevant properties. In addition, the Cramer transformation is described, which allows using the ElGamal cryptosystem in such a way that it becomes comparable to the Paillier cryptosystem. Furthermore, multiple algorithms for calculating the aggregate after ElGamal decryption are described.

2.1 Paillier Cryptosystem

The Paillier cryptosystem is an additively homomorphic, semantically secure public-private key cryptosystem (Paillier, 1999; Catalano et al., 2001). An additively homomorphic cryptosystem fulfills the equation

$D(E(m_1) \cdot E(m_2)) = m_1 + m_2$

for two plaintexts $m_1$ and $m_2$, where $E$ and $D$ denote the encryption and decryption functions, respectively.

Given two large prime numbers $p$ and $q$ of the same length, the public key $(n, g)$ is calculated by

$n = pq, \quad g = n + 1$

and the private key $(\lambda, \mu)$ is calculated by

$\lambda = \varphi(n), \quad \mu = \varphi(n)^{-1} \bmod n,$

where $\varphi(n) = (p - 1)(q - 1)$. Encryption of a plaintext $m \in \{0, 1, \ldots, n - 1\}$ to a ciphertext $c$ is performed by

$c = g^m r^n \bmod n^2,$

with a random number $r \in \{1, 2, \ldots, n - 1\}$. Given two ciphertexts $c_1$ and $c_2$, the additively homomorphic property can be shown by

$c_1 \cdot c_2 = g^{m_1 + m_2} (r_1 \cdot r_2)^n \bmod n^2.$

Decryption of the above expression will result in the sum of $m_1$ and $m_2$. Note that the sum is recovered modulo $n$, so the plaintext space must be chosen such that the aggregate of all readings stays below $n$.

2.2 ElGamal Cryptosystem

The ElGamal cryptosystem is a public-private key cryptosystem with a multiplicatively homomorphic property (ElGamal, 1985). A multiplicatively homomorphic cryptosystem fulfills the equation

2.4 Brute Force Algorithm

To recover $m$ from $m' = g^m \pmod q$ with known $g$ and $q$, the discrete logarithm $\log_g(m') = m \pmod q$ can be solved by brute-forcing all possible values of $m$ until a solution is found. The complexity of this algorithm is $O(q)$. If it is known that $m$ lies within a given interval $[0, b]$, the complexity is reduced to $O(b)$.

Linear speedup can be achieved by parallelizing the brute-force search. While this does not reduce the complexity itself, the constant factor of the runtime is reduced in proportion to the number of parallel searches.

2.5 Pollard's Lambda Algorithm

Pollard's Lambda algorithm is designed to solve the discrete logarithm and achieves a runtime complexity of $O(\sqrt{b - a})$ for a plaintext in the interval $m \in [a, b]$ (Pollard, 1978). This assumes that $m$ is with certainty within the defined interval.

Pollard's Lambda algorithm rewrites $m = b + d - d_k \pmod q$ for a $k \in [0, I - 1]$. $I$ can be chosen according to (Pollard, 1978).
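The following is an added example, not code from the paper or its authors: it implements the Paillier cryptosystem exactly as Section 2.1 defines the keys ($g = n + 1$, $\lambda = \varphi(n)$, $\mu = \varphi(n)^{-1} \bmod n$), adds the standard Paillier decryption $m = L(c^\lambda \bmod n^2) \cdot \mu \bmod n$ with $L(u) = (u - 1)/n$ (which the excerpt does not spell out), and runs the Figure 1 flow of meter encryption, aggregator multiplication and energy-provider decryption. The primes 10007 and 10009 and the readings are constructed toy values; production keys need primes of at least 1024 bits each.

```python
"""Added example (not from the paper): Paillier with the Section 2.1 key setup
(g = n + 1, lambda = phi(n), mu = phi(n)^-1 mod n), the standard decryption
m = L(c^lambda mod n^2) * mu mod n with L(u) = (u - 1) / n, and aggregation of
meter readings by multiplying ciphertexts. Toy primes; real keys need large p, q."""
import math
import secrets


def keygen(p, q):
    """Public key (n, g) and private key (lambda, mu) from two primes of equal length."""
    n = p * q
    phi = (p - 1) * (q - 1)
    return (n, n + 1), (phi, pow(phi, -1, n))


def encrypt(pk, m):
    n, g = pk
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext must lie in {0, ..., n-1}")
    while True:
        r = secrets.randbelow(n - 1) + 1             # r in {1, ..., n-1}
        if math.gcd(r, n) == 1:                      # r must be a unit mod n (fails with prob ~ 1/p + 1/q)
            break
    # With g = n + 1, g^m mod n^2 = 1 + m*n, so the modular exponentiation r^n mod n^2
    # dominates the meter's encryption cost.
    return (1 + m * n) % n2 * pow(r, n, n2) % n2


def add(pk, c1, c2):
    """Aggregator step: the ciphertext product encrypts m1 + m2 (mod n)."""
    n, _ = pk
    return c1 * c2 % (n * n)


def decrypt(pk, sk, c):
    n, _ = pk
    lam, mu = sk
    u = pow(c, lam, n * n)                           # = 1 + (m * lambda) * n  (mod n^2)
    return (u - 1) // n * mu % n                     # L(u) * mu mod n


def aggregate_readings(pk, sk, readings):
    """Meters encrypt, the aggregator multiplies, the energy provider decrypts the product."""
    c = 1                                            # neutral element: an encryption of 0 with r = 1
    for m in readings:
        c = add(pk, c, encrypt(pk, m))
    return decrypt(pk, sk, c)


def demo(readings):
    """Constructed toy keys; the recovered sum is only correct while sum(readings) < n."""
    pk, sk = keygen(10007, 10009)
    return aggregate_readings(pk, sk, readings)


if __name__ == "__main__":
    print(demo([1200, 350, 0, 9999]))                # 11549
```

Running the module prints the aggregate of the four constructed readings. The wrap-around caveat from Section 2.1 is easy to reproduce: encrypting $n - 1$ and $2$ and decrypting their product yields 1, not $n + 1$, so the plaintext bound has to account for the number of meters times the largest possible reading.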
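The following is an added example, not code from the paper or its authors, covering Sections 2.2, 2.4 and 2.5 together. Section 2.3 (the Cramer transformation) is not part of this excerpt; the example assumes it is the usual exponent encoding, i.e. the meter encrypts $g^m$ instead of $m$, so that the multiplicatively homomorphic ElGamal product becomes an encryption of $g^{\sum_i m_i}$ and the energy provider, after decrypting, must recover $\sum_i m_i$ from $g^{\sum_i m_i}$. That last step is done twice, by the brute-force scan of Section 2.4 and by Pollard's Lambda (kangaroo) method of Section 2.5 over a known interval $[a, b]$, using the Section 2.5 relation $m = b + d - d_k$ at the collision. The group is a prime-order subgroup of $\mathbb{Z}_p^*$ for a generated safe prime $p = 2q + 1$ (the paper's $q$ in Section 2.4 denotes the modulus; here $p$ is the modulus and $q$ the subgroup order). Parameter sizes, the Miller-Rabin helper and the meter readings are constructed for the demonstration and are far below production sizes.

```python
"""Added example (not from the paper): ElGamal with the exponent encoding g^m,
aggregation by ciphertext products, and recovery of the plaintext sum from g^sum
by brute force (Section 2.4) and by Pollard's lambda method (Section 2.5)."""
import secrets
from math import isqrt


def is_probable_prime(n, rounds=40):            # Miller-Rabin, random bases (demo-grade)
    if n < 2:
        return False
    if any(n % sp == 0 for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
        return n in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(bits=40):
    """Safe prime p = 2q + 1 and a generator g of the order-q subgroup of Z_p^* (toy size)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            g = pow(secrets.randbelow(p - 3) + 2, 2, p)  # any square != 1 generates the subgroup
            return p, q, g


def keygen(p, q, g):
    sk = secrets.randbelow(q - 1) + 1                # private key in [1, q-1]
    return sk, pow(g, sk, p)                         # (sk, pk = g^sk)


def encrypt(p, q, g, pk, m):
    """Exponent encoding: the meter encrypts g^m, so ciphertext products add exponents."""
    r = secrets.randbelow(q - 1) + 1
    return pow(g, r, p), pow(g, m, p) * pow(pk, r, p) % p


def aggregate(p, cts):                               # aggregator: component-wise product
    c1, c2 = 1, 1
    for a, b in cts:
        c1, c2 = c1 * a % p, c2 * b % p
    return c1, c2


def decrypt_exp(p, q, sk, ct):
    """Energy provider: yields g^sum; the discrete logarithm still has to be taken."""
    c1, c2 = ct
    return c2 * pow(c1, q - sk, p) % p               # c1^(q-sk) = c1^(-sk) in the order-q subgroup


def brute_force_log(p, g, h, bound):
    """Section 2.4: try m = 0, 1, ..., bound until g^m == h; O(bound) multiplications."""
    y = 1
    for m in range(bound + 1):
        if y == h:
            return m
        y = y * g % p
    return None


def pollard_lambda(p, g, h, a, b):
    """Section 2.5: m in [a, b] with g^m == h in O(sqrt(b - a)) expected group operations."""
    w = b - a
    k = 1
    while (2 ** k - 1) // k < isqrt(w) // 2:         # mean of jumps {1, 2, ..., 2^(k-1)} ~ sqrt(w)/2
        k += 1
    jumps = [1 << i for i in range(k)]
    gj = [pow(g, j, p) for j in jumps]
    y_t, d_t = pow(g, b, p), 0                       # tame kangaroo starts at the known exponent b
    trail = {y_t: 0}                                 # tame positions: group element -> distance d
    y_w, d_w = h, 0                                  # wild kangaroo starts at g^m, m unknown
    for _ in range(64):                              # each round extends the tame trail
        for _ in range(2 * isqrt(w) + 8):
            i = y_t % k                              # jump choice depends on the element only
            y_t, d_t = y_t * gj[i] % p, d_t + jumps[i]
            trail[y_t] = d_t
        while d_w <= d_t + w:                        # the wild start is at most w behind b
            if y_w in trail:                         # g^(m + d_w) == g^(b + d)  =>  m = b + d - d_w
                m = b + trail[y_w] - d_w
                if a <= m <= b and pow(g, m, p) == h:
                    return m
            i = y_w % k
            y_w, d_w = y_w * gj[i] % p, d_w + jumps[i]
    raise RuntimeError("no m in [a, b] found; is the interval right?")


def demo(n_meters=40, max_reading=5000):
    """Constructed readings; returns (true sum, sum by brute force, sum by Pollard's lambda)."""
    p, q, g = gen_params()
    sk, pk = keygen(p, q, g)
    readings = [secrets.randbelow(max_reading + 1) for _ in range(n_meters)]
    g_sum = decrypt_exp(p, q, sk, aggregate(p, [encrypt(p, q, g, pk, m) for m in readings]))
    bound = n_meters * max_reading                   # the EP knows the interval [0, N * max_reading]
    return sum(readings), brute_force_log(p, g, g_sum, bound), pollard_lambda(p, g, g_sum, 0, bound)
```

Calling `demo()` returns the same sum three times. The asymmetry the paper describes is visible in the code: the meter performs two exponentiations with a random exponent plus one with the small exponent $m$, whereas the energy provider, after its single exponentiation in `decrypt_exp`, still has to solve a discrete logarithm whose cost grows with the width of the plaintext interval; the brute-force scan grows linearly with the bound, Pollard's Lambda with its square root. Both assume the interval bound is correct: an aggregate outside $[a, b]$ is never found, so the bound must be derived from the number of meters and the maximum reading, not guessed.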
