Paillier Threshold Encryption WebService

by Brett Wilson

Paillier Encryption

Trapdoor Discrete Logarithm Scheme  c = g M r n mod n 2   n is an RSA modulus g is an integer of order n α mod n 2 r is a random number in Z n * M = L(c λ(n) mod n 2 )/L(g λ(n) mod n 2 ) mod n L(u) = (u-1)/n, λ(n)=lcm((p-1)(q-1)) Important Properties   Homomorphic E(M 1 + M 2 ) = E(M 1 ) x E(M 2 ), E(k x M) = E(M) k Self-blinding Re encryption with a different r doesn’t change M

Threshold Encryption

Public key encryption as usual Distribute secret key “shares” among i participants Decryption can only be accomplished if a threshold number t of the i participants cooperate  No information about m can be obtained with less than t participants cooperating

Threshold Paillier Encryption

Different public key and secret key generation algorithm Distribute secret key shares using Shamir Secret Sharing scheme “Sharing Decryption in the Context of Voting or Lotteries” Fouque, Poupard, and Stern 2000

Threshold Paillier Encryption WebService   Key generation algorithm Input k – size of key l – number of shares to generate  One RSA public key (of the designated participant) for each share t – threshold parameter Output Public Key PK List SK 1 , …, SK l of private key shares  Encrypted with supplied RSA keys so only designated participant can recover the key share List of Verifier Keys VK, VK 1 , …,VK l

Threshold Paillier Encryption WebService Encryption Algorithm  Input Public Key PK Random string r Cleartext M  Output Ciphertext c

Threshold Paillier Encryption WebService Share Decryption Algorithm  Input Ciphertext c Private Key Share Sk i  Encrypted with public key of webservice  Output Decryption share c i Validity proof p i

Threshold Paillier Encryption WebService Combining Algorithm  Input  Ciphertext c List of decryption shares c 1 ,…,c l List of verification keys VK, VK 1 …VK l List of validity proofs P 1 ,…P l Output M

Use of WebService in Secure Voting Ballot format: pick 1 out of c candidates  Vote = 2 and v is the next power of 2 greater than the maximum number of voters c*log2v where c is the desired candidate number (0…c) All Paillier-encrypted votes could be publicly posted At end of election, all encrypted votes could be multiplied together (publicly verifiable) With cooperation of the required threshold number of “authorities”, the final product could be decrypted to reveal the vote total (sum of individual votes).

  A threshold number of authorities would not agree to decrypt a single particular vote, and thus the individual votes would remain private All computations are publicly verifiable given the validity proofs

Implementation Tools

Visual Studio 2005  VB.NET

Gnu Multiprecision Library (Gmp)  Open source arbitrary precision numeric library  Compiled under Visual Studio 2005 NGmp   Open source VB.NET binding of gmp.dll

Enables calling of gmp library functions through VB.NET

 Compiled under Visual Studio 2005