Transcript Paillier Threshold Encryption WebService
Paillier Threshold Encryption WebService
by Brett Wilson
Paillier Encryption
Trapdoor Discrete Logarithm Scheme c = g M r n mod n 2 n is an RSA modulus g is an integer of order n α mod n 2 r is a random number in Z n * M = L(c λ(n) mod n 2 )/L(g λ(n) mod n 2 ) mod n L(u) = (u-1)/n, λ(n)=lcm((p-1)(q-1)) Important Properties Homomorphic E(M 1 + M 2 ) = E(M 1 ) x E(M 2 ), E(k x M) = E(M) k Self-blinding Re encryption with a different r doesn’t change M
Threshold Encryption
Public key encryption as usual Distribute secret key “shares” among i participants Decryption can only be accomplished if a threshold number t of the i participants cooperate No information about m can be obtained with less than t participants cooperating
Threshold Paillier Encryption
Different public key and secret key generation algorithm Distribute secret key shares using Shamir Secret Sharing scheme “Sharing Decryption in the Context of Voting or Lotteries” Fouque, Poupard, and Stern 2000
Threshold Paillier Encryption WebService Key generation algorithm Input k – size of key l – number of shares to generate One RSA public key (of the designated participant) for each share t – threshold parameter Output Public Key PK List SK 1 , …, SK l of private key shares Encrypted with supplied RSA keys so only designated participant can recover the key share List of Verifier Keys VK, VK 1 , …,VK l
Threshold Paillier Encryption WebService Encryption Algorithm Input Public Key PK Random string r Cleartext M Output Ciphertext c
Threshold Paillier Encryption WebService Share Decryption Algorithm Input Ciphertext c Private Key Share Sk i Encrypted with public key of webservice Output Decryption share c i Validity proof p i
Threshold Paillier Encryption WebService Combining Algorithm Input Ciphertext c List of decryption shares c 1 ,…,c l List of verification keys VK, VK 1 …VK l List of validity proofs P 1 ,…P l Output M
Use of WebService in Secure Voting Ballot format: pick 1 out of c candidates Vote = 2 and v is the next power of 2 greater than the maximum number of voters c*log2v where c is the desired candidate number (0…c) All Paillier-encrypted votes could be publicly posted At end of election, all encrypted votes could be multiplied together (publicly verifiable) With cooperation of the required threshold number of “authorities”, the final product could be decrypted to reveal the vote total (sum of individual votes).
A threshold number of authorities would not agree to decrypt a single particular vote, and thus the individual votes would remain private All computations are publicly verifiable given the validity proofs
Implementation Tools
Visual Studio 2005 VB.NET
Gnu Multiprecision Library (Gmp) Open source arbitrary precision numeric library Compiled under Visual Studio 2005 NGmp Open source VB.NET binding of gmp.dll
Enables calling of gmp library functions through VB.NET
Compiled under Visual Studio 2005