Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Paillier Cryptosystem

Published byPhebe Hunt Modified over 8 years ago

Similar presentations

Presentation on theme: "The Paillier Cryptosystem"— Presentation transcript:

1 The Paillier Cryptosystem
E-Voting Seminar The Paillier Cryptosystem Andreas Steffen Hochschule für Technik Rapperswil

2 Agenda Some mathematical properties Encryption and decryption
Additive homomorphic properties Zero knowledge proof for n-th powers Paillier e-voting simulator Non-interactive ZKP using the Fiat-Shamir heuristic Damgård-Jurik Cryptosystem (Generalized Paillier) Damgård-Jurik JavaScript e-voting client Threshold decryption schemes

3 The Paillier Cryptosystem I
Proposed by Pascal Paillier in 1999: Choose two large prime numbers p and q and form the modulus Euler‘s totient function gives the number of elements in The number of elements in is The private key  is determined using Carmichael‘s function Due to Carmichael‘s theorem, for every element

4 The Paillier Cryptosystem II
The hard problem: Deciding n-th composite residuosity! The set of n-th residues is a multiplicative subgroup of of order Each n-th residue z has exactly n roots of degree n, among which exactly one is strictly smaller than n, namely The n-th roots of unity are the numbers of the form Generate the multiplicative subgroup as Paillier Encryption m: plaintext message, r: random number for semantic security

5 Example: Multiplicative Subgroup
g^m r r^n p = 3, q = 5, n = 15, n2 = Generator in most general form: (n) = 8, (n) = lcm(2, 4) = 4

6 Paillier Decryption with
Apply the private key  and use Carmichael‘s theorem Make use of the relationship Apply the L(x) function

7 Additive Homomorphic Properties
Verification Use in e-voting systems with homomorphic tallying: The additive homomorphic property directly returning the tally is the biggest advantage of the Paillier Cryptosystem over the El Gamal Cryptosystem which has an intrinsically multiplicative homomorphic property requiring the computation of a discrete logarithm over a bounded range to extract the tally.

8 Validity Proof of Ballot (Case: k = i)
K valid voting messages (e.g. vote for one out of K candidates) Zero knowledge proof : Prove that uk is an n-th power Commitment: Prover chooses a random number  Challenge: Verifier chooses a random bit string ei of length b Response: Prover computes zi Verification:

9 Validity Proof of Ballot (Cases: k  i)
Preparation: Prover chooses zk and bit string ek randomly Commitment: Prover computes ak so that it passes verification Challenge: Verifier chooses a random bit string e of length b Response: Prover sends prepared zk and ek Verification: Prover can preselect all ek for k  i but is bound by e for the choice of ei.

10 Paillier E-Voting Simulator

11 E-Voting Simulator – Tallying with ZKPs

12 Non-Interactive ZKP (Fiat-Shamir Heuristic)
Election ID Voter ID Encrypted Ballot c Commitments ak SHA-256 Counter AES-256 Counter Mode 256 bit key Challenge Bit String e

13 The Damgård-Jurik Cryptosystem
Additional parameter s (Paillier: s = 1) Generate the multiplicative subgroup as Generator usually chosen as g = (1+n) Size of modulus n: b bits (e.g bits) Size of message m: sb - 1 bits (s=1: 1535 bits, s=2: 3071 bits) Size of ciphertext c: (s+1)b (s=1: 3072 bits, s=2: 4608 bits) Efficiency:  = s/(s+1) (s=1: 50%, s=2: 67%, s=3: 75%) m: plaintext message, r: random number for semantic security

14 Damgård-Jurik JavaScript E-Voting Client

15 Damgård-Jurik JavaScript E-Voting Client

16 Commitment

17 Challenge Verification

18 Response Verification

19 Threshold Scheme with a Trusted Dealer

20 Threshold Scheme without a Trusted Dealer
Practical threshold RSA signatures without a trusted dealer Ivan Damgard, Maciej Koprowski, 2001 The distributed generation of an RSA private key required by a Threshold Paillier Cryptosystem is much more complex than the simple independent partial private key generation possible with the El Gamal Cryptosystem.

Download ppt "The Paillier Cryptosystem"

Similar presentations

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
Perfect Non-interactive Zero-Knowledge for NP

Perfect Non-interactive Zero-Knowledge for NP
Non-interactive Zero- Knowledge Arguments for Voting Jens Groth UCLA.

Non-interactive Zero- Knowledge Arguments for Voting Jens Groth UCLA.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Data Security 1 El_Gamal Cryptography. Data Security2 Introduction El_Gamal is a public-key cryptosystem technique El_Gamal is a public-key cryptosystem.

Data Security 1 El_Gamal Cryptography. Data Security2 Introduction El_Gamal is a public-key cryptosystem technique El_Gamal is a public-key cryptosystem.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (4) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (4) Information Security.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
CSE331: Introduction to Networks and Security Lecture 19 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 19 Fall 2002.
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
Electronic Voting Presented by Ben Riva Based on presentations and papers of: Schoenmakers, Benaloh, Fiat, Adida, Reynolds, Ryan and Chaum.

Electronic Voting Presented by Ben Riva Based on presentations and papers of: Schoenmakers, Benaloh, Fiat, Adida, Reynolds, Ryan and Chaum.
Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)

Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)
1/11/2007 bswilson/eVote-PTCWS 1 Paillier Threshold Cryptography Web Service by Brett Wilson.

1/11/2007 bswilson/eVote-PTCWS 1 Paillier Threshold Cryptography Web Service by Brett Wilson.
and Factoring Integers (I)

and Factoring Integers (I)
Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.

Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.
Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Presenter: 陳國璋 EUROCRYPT'99, LNCS 1592, pp. 223-238, 1999. By Pascal Paillier Efficient.

Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Presenter: 陳國璋 EUROCRYPT'99, LNCS 1592, pp , By Pascal Paillier Efficient.
Attacks on Digital Signature Algorithm: RSA

Attacks on Digital Signature Algorithm: RSA
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
Practical Aspects of Modern Cryptography Josh Benaloh & Brian LaMacchia.

Practical Aspects of Modern Cryptography Josh Benaloh & Brian LaMacchia.
10/25/20061 Threshold Paillier Encryption Web Service A Master’s Project Proposal by Brett Wilson.

10/25/20061 Threshold Paillier Encryption Web Service A Master’s Project Proposal by Brett Wilson.

Similar presentations

Ads by Google