Degree in Mathematics

Title: Homomorphic cryptosystems for electronic voting
Author: Enric Cusell
Advisor: Javier Herranz
Department: Applied Mathematics IV
Academic year: 2013/2014

Universitat Politècnica de Catalunya
Facultat de Matemàtiques i Estadística

Bachelor's degree thesis

Abstract

This bachelor's degree thesis deals with homomorphic public-key cryptography, or in other words cryptosystems with special addition properties. Such cryptosystems are widely used in real life situations, for instance to make electronic voting secure. Therefore, this thesis will walk you through how Mathematics can lie behind day to day life.

In Chapter 1 we introduce a few basic algebra results and other key concepts that will be used later. In Chapters 2 and 3 we describe and discuss the algorithms and properties of the two cryptosystems which are considered to be the best ones for e-voting: Paillier and Joye-Libert. We have implemented the two schemes from scratch.

We conclude the thesis in Chapter 4, by comparing running times of the two above-mentioned cryptosystems, in simulations of real-life e-voting systems, with up to tens of thousands of voters, and different levels of security. Through these simulations, we discern the situations where each of the two cryptosystems is preferable.

To my love Carla for supporting my particularities for six years.
To my parents for the energy that made me stronger.
To the future that awaits me.

Contents

1 Introduction
  1.1 Prime numbers
    1.1.1 Fermat numbers
    1.1.2 Carmichael numbers
  1.2 Modular arithmetic on Zn
    1.2.1 Quadratic residues
    1.2.2 n-th power residues
    1.2.3 Legendre symbol
    1.2.4 Jacobi symbol
  1.3 Mathematical results
    1.3.1 Fermat's little theorem
    1.3.2 Prime number theorem
  1.4 Computational results
    1.4.1 Eratosthenes sieve
    1.4.2 Modular exponentiation
    1.4.3 Primality tests
      1.4.3.1 Fermat
      1.4.3.2 Solovay-Strassen
      1.4.3.3 Miller-Rabin
    1.4.4 Random prime generation
  1.5 Public key cryptography
    1.5.1 Description
    1.5.2 Examples
  1.6 Additive Homomorphic encryption
    1.6.1 Paillier
    1.6.2 Goldwasser-Micali
  1.7 Notation
2 Paillier cryptosystem
  2.1 Background
  2.2 Algorithm
    2.2.1 Key generation
    2.2.2 Encryption
    2.2.3 Decryption
  2.3 Cryptosystem analysis
    2.3.1 Optimizations
      2.3.1.1 Key generation
      2.3.1.2 Encryption
      2.3.1.3 Decryption
    2.3.2 Properties
      2.3.2.1 Additive Homomorphism
      2.3.2.2 Self-Blinding
  2.4 Implementation and performance
    2.4.1 Complexity
    2.4.2 Running time
    2.4.3 Code
3 Joye-Libert cryptosystem
  3.1 Background
  3.2 Algorithm
    3.2.1 Key generation
    3.2.2 Encryption
    3.2.3 Decryption
  3.3 Cryptosystem analysis
    3.3.1 Optimizations
      3.3.1.1 Key generation
      3.3.1.2 Encryption
      3.3.1.3 Decryption
    3.3.2 Properties
      3.3.2.1 Additive Homomorphism
      3.3.2.2 Self-Blinding
  3.4 Implementation and performance
    3.4.1 Complexity
    3.4.2 Running time
    3.4.3 Code
4 Electronic voting
  4.1 Problem context
  4.2 Cryptosystem comparison
    4.2.1 256 bits
    4.2.2 512 bits
    4.2.3 1024 bits
5 Conclusions
Bibliography

Chapter 1

Introduction

1.1 Prime numbers

A prime number is a number $x \in \mathbb{Z}^+$ which can only be divided with zero remainder by 1 and itself.

Theorem 1. (Fundamental theorem of arithmetic) Every integer greater than 1 is either a prime or can be factorized as the product of prime numbers.

To represent the factorization of an integer number, repeated primes are grouped and written in increasing order with their respective exponents, as shown:

$$x = p_1^{\alpha_1} p_2^{\alpha_2} \cdots p_k^{\alpha_k} = \prod_{i=1}^{k} p_i^{\alpha_i}$$

Theorem 2.
(Euclid's theorem) There are infinitely many primes.

Euclid's theorem has many different approaches to prove it, but there's one worth mentioning because of its simplicity:

Euclid's proof. Let's assume there's a finite number of primes $n$: $p_1, p_2, \cdots, p_n$. Then consider $x = p_1 p_2 \cdots p_n + 1$. The number $x$ is not divisible by any of the $p_i\ \forall i \in [1, n]$, so $x$ is a prime number larger than all the others, which is clearly a contradiction. (1)

1.1.1 Fermat numbers

A Fermat number is a positive integer which can be written as:

$$F_n = 2^{(2^n)} + 1$$

The only known Fermat primes are (2)

$$F_0 = 3 \qquad F_1 = 5 \qquad F_2 = 17 \qquad F_3 = 257 \qquad F_4 = 65537$$

Whether there is a larger Fermat prime, or whether all the others are composite, has been an unsolved mystery for 170 years. There are many interesting properties related to Fermat numbers, but for this matter it's only worth mentioning that some Fermat numbers turn out to report as primes on many probabilistic primality tests (false positives, pseudoprimes).

1.1.2 Carmichael numbers

A Carmichael number is a positive integer which satisfies the congruence

$$b^n \equiv b \pmod{n}$$

Theorem 3. (Korselt) A positive composite integer $n$ is a Carmichael number $\iff$ $n$ is square-free (not divisible by squares greater than 1), and for all prime divisors $p$ of $n$, $p - 1 \mid n - 1$.

It's possible to generate Carmichael numbers which are strong pseudoprimes to several bases, so the Miller-Rabin primality test may fail (3, Constructing Carmichael Numbers which are Strong Pseudoprimes to Several Bases). The following sections will talk about Miller-Rabin and why it is important to be able to check whether a number is prime or not with a reasonable level of confidence.

1.2 Modular arithmetic on $\mathbb{Z}_n$

1.2.1 Quadratic residues

An integer $q$ is a quadratic residue modulo $n$ if there's a number for which its square is equal to $q$ modulo $n$. (4)

$$\exists x \quad x^2 \equiv q \pmod{n}$$

(5, Hardy and Wright) uses the notation $q\,R\,n$ and $q\,N\,n$ to indicate that $q$ is a quadratic residue or non-residue respectively, and that's the notation that will be used in this work.

1.2.2 n-th power residues

The n-th power residues are a generalisation of quadratic residues to arbitrary n-th exponents. An integer $q$ is an n-th power residue modulo $m$ if and only if:

$$\exists x \mid x^n \equiv q \pmod{m}$$

The set of n-th power residues modulo $M$ will be noted as

$$(\mathbb{Z}_M^*)^n = \{x^n \mid x \in \mathbb{Z}_M^*\}$$

If the relation $a = x^n$ has no solution in $\mathbb{Z}_M^*$ then $a$ is called an $n$-th-power non-residue modulo $M$.

1.2.3 Legendre symbol

Definition 1. (Legendre symbol) Let $p$ be an odd prime number. The Legendre symbol is defined as:

$$\left(\frac{a}{p}\right) = \begin{cases} 1 & \text{if } a\,R\,p \text{ and } a \not\equiv 0 \pmod{p} \\ -1 & \text{if } a\,N\,p \\ 0 & \text{if } a \equiv 0 \pmod{p} \end{cases}$$

Multiplicative property:

$$\left(\frac{ab}{p}\right) = \left(\frac{a}{p}\right)\left(\frac{b}{p}\right)$$

In general, if $p$ is an odd prime the following equality known as Euler's criterion holds:

$$\left(\frac{a}{p}\right) = a^{(p-1)/2} \pmod{p}$$

Definition 2. (Generalized Legendre symbol) For any integers $a$, $k$ and prime $p$ such that $k \mid p - 1$ and $(a, p) = 1$, the generalized Legendre symbol (GLS) is defined by

$$\left(\frac{a}{p}\right)_k = a^{\frac{p-1}{k}} \pmod{p}$$

1.2.4 Jacobi symbol

The Jacobi symbol is a generalization of the Legendre symbol for non-prime numbers, which comes very naturally.

Let $a$ be an integer and $n$ be a positive integer with prime decomposition $n = p_1^{\alpha_1} p_2^{\alpha_2} \cdots p_k^{\alpha_k}$. The Jacobi symbol for $a$ and $n$ is defined as:

$$\left(\frac{a}{n}\right) = \left(\frac{a}{p_1}\right)^{\alpha_1} \left(\frac{a}{p_2}\right)^{\alpha_2} \cdots \left(\frac{a}{p_k}\right)^{\alpha_k}$$

where $\left(\frac{a}{p}\right)$ is the Legendre symbol, defined for an odd prime number $p$.

If $n$ is prime, the Legendre and Jacobi symbols are the same. If $n$ is composite and the Jacobi symbol $\left(\frac{a}{n}\right) = -1$, then $a\,N\,n$, and if $a\,R\,n$ then $\left(\frac{a}{n}\right) = 1$, but if $\left(\frac{a}{n}\right) = 1$ it's not known whether $a\,R\,n$ or $a\,N\,n$. This is one of the interesting properties that will be used in later sections.

The Solovay-Strassen primality test uses the fact that the value for the Euler criterion formula may not even be -1 or 1 if the modulus is composite. This primality test will be discussed more deeply in further sections. For instance we can see $\left(\frac{5}{21}\right) = 1$ but $5^{(21-1)/2} \equiv 16 \pmod{21}$.

Definition 3. (Generalized Jacobi symbol) For any integers $a$, $k$, $n$ where $n = pq$ with two primes $p$ and $q$, $k \mid p - 1$, $k \mid q - 1$ and $\gcd(a, n) = 1$, the generalized Jacobi symbol (GJS) is defined by

$$\left(\frac{a}{n}\right)_k = \left(\frac{a}{p}\right)_k \left(\frac{a}{q}\right)_k$$

1.3 Mathematical results

1.3.1 Fermat's little theorem

Theorem 4. (Fermat's little theorem) Let p be a prime number.
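Korselt's criterion from section 1.1.2 and the Jacobi symbol versus Euler's criterion comparison from section 1.2.4, worked through in Python as an added example (this is not the thesis's own code, and the function names are chosen here for illustration). It reproduces the 5 and 21 case above and shows that 561 = 3 · 11 · 17 passes the Fermat test for every coprime base while the Euler/Jacobi check still exposes it.

```python
from math import gcd

def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0, computed by reciprocity, no factoring."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a:
        while a % 2 == 0:              # (2/n) = -1 exactly when n = 3 or 5 mod 8
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                    # reciprocity: flip sign iff both are 3 mod 4
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0     # 0 when gcd(a, n) > 1

def euler_witness(a: int, n: int) -> bool:
    """True if base a in [1, n-1] proves odd n composite: a^((n-1)/2) != (a/n) mod n."""
    j = jacobi(a, n)
    return j == 0 or pow(a, (n - 1) // 2, n) != j % n

def fermat_liars(n: int) -> int:
    """Number of bases coprime to n in [1, n-1] with a^(n-1) = 1 (mod n)."""
    return sum(gcd(a, n) == 1 and pow(a, n - 1, n) == 1 for a in range(1, n))

def is_carmichael(n: int) -> bool:
    """Korselt: composite, square-free, and p - 1 divides n - 1 for every prime p | n."""
    m, p, primes = n, 2, []
    while p * p <= m:
        if m % p == 0:
            m //= p
            if m % p == 0:
                return False           # p^2 divides n, so n is not square-free
            primes.append(p)
        p += 1
    if m > 1:
        primes.append(m)
    return len(primes) > 1 and all((n - 1) % (q - 1) == 0 for q in primes)

if __name__ == "__main__":
    # The thesis's example: (5/21) = 1 but 5^10 = 16 (mod 21), so base 5 exposes 21.
    print(jacobi(5, 21), pow(5, 10, 21), euler_witness(5, 21))
    # 561 fools the Fermat test for every coprime base, yet base 5 exposes it.
    print(is_carmichael(561), fermat_liars(561), euler_witness(5, 561))
```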
