Cryptographic protocols 2014, Lecture 6 Trapdoor discrete logarithm. Paillier Helger Lipmaa University of Tartu, Estonia
Up to now Introduction to the field Simple secure computation protocols based on DDH ("DL is hard" family) Can design many efficient 2MAH protocols General problem: Alice needs to compute DL which is hard by assumption
this time Trapdoor discrete logarithm hard if you do not know secret key easy if you do Paillier cryptosystem Some protocols E-voting
trapdoor discrete logarithm Def. Binomial coefficient: Relation with exponent.: a = n, b = 1: modulo n²: Idea: while encrypting, use g = 1 + n as a generator in a group modulo n². Needed: can compute DL only while knowing some secret
getting closer to paillier... Enc(m; r) = ((n + 1)ᵐ hʳ, (n + 1)ʳ ) mod n² // Analogy to Elgamal possible but not so efficient |Enc (m; r)| = 4 |m| since m∈ ℤn Paillier cryptosystem (1999): Enc(m; r) = (n + 1)ᵐ rⁿ = (mn + 1) rⁿ mod n² Trapdoor (idea): related to knowledge of factorization of n We need later (1 + mn) < n²
Various pairing assumptions Some assumptions Factoring RSA Strong RSA Discrete Log CDH DDH SVP CVP LWE RLWE gapSVP DCRA Various pairing assumptions
factoring Assumption: given a large composite number, it is infeasible to factor it Not quite: it is easy to factor any even number also say any square numbers Common version: given n = pq, for two random large primes p and q, it is difficult to find p and q
factoring Probably the best known hard problem The problem of distinguishing prime numbers from composite numbers and of resolving the latter into their prime factors is known to be one of the most important and useful in arithmetic. ~~~~~~~ Carl Friedrich Gauss Classical computers: subexponential but superpolynomial time (like DL instantiation 1) Quantum computers: easy (like DL)
getting closer to paillier... Paillier cryptosystem (1999): for random large p and q, let pk = n ← pq c = Enc(m; r) = (mn + 1) rⁿ mod n² Trapdoor (idea): knowledge of the factoring of n More precisely: trapdoor = i, such that one can recover m efficiently from cⁱ mod n² only if i is known
Note on r Let r = a + bn for a, b < n rⁿ = (a + bn)ⁿ = aⁿ + n · (aⁿ ⁻ ¹ bn) + ... = aⁿ mod n² Thus one can always assume b = 0 Or: r ∈ ℤn*
getting closer to paillier... Paillier: c=Enc(m; r) = (mn + 1) rⁿ mod n² Idea: trapdoor = i, such that one can recover m efficiently from cⁱ mod n² only if i is known cⁱ = (mn + 1)ⁱ rⁿⁱ = (1 + imn) rⁿⁱ mod n² Most logical: i is such that rⁿⁱ = 1 mod n²
recall: totient function φ (N) is the order of multiplicative group ℤN* In our case: for any r∈ℤ*n², r^(φ (n²)) = 1 mod n² φ (p) = p - 1 for prime p (0 is not invertible) φ (N) = N · Π (1 - 1 / p') in general product over all distinct primes p' that divide N Here: φ (n²) = p²q² (1 - 1 / p) (1 - 1 / q) = pq(p - 1)(q - 1) = n·φ(n)
factoring => φ Assume knowledge of p, q Can efficiently compute φ := φ (n) = (p - 1) (q - 1)
QUIZ: φ => factoring Assume knowl. of n=pq and φ=(p-1)(q-1)=n- (p+q)+1 Knowing n and φ, one can compute s = p + q Knowing n = pq and s : q = s - p, thus n = p (s - p), thus p² - sp + n = 0 Quadratic equation, thus can find p efficiently
getting closer to paillier... Paillier: c = Enc(m; r) = (mn + 1) rⁿ mod n² Trapdoor: φ := (p - 1) (q - 1), μ := φ⁻¹ mod n Thus (rⁿ)^φ = r^(φ(n²)) = 1 mod n² Thus c^φ = (mn + 1)^φ = φmn + 1 mod n²
getting closer to paillier... c^φ = (mn + 1)^φ = φmn + 1 mod n² Decryption: // Need to recover m from c^φ Define L (x) := (x - 1) / n for x < n² Problem: n is not invertible modulo n² Thus L(c^φ mod n²) = φ m mod n m ← L(c^φ mod n²) μ mod n (= φ m φ ⁻¹ = m mod n) Assuming x < n², this is integer division
paillier encryption Paillier.Keygen (gk): Paillier.Setup (κ): Choose good keylength (length of p, q) Return gk ← keylength Paillier.Keygen (gk): p, q ← random keylength-long primes φ ← (p-1)(q-1); μ ← φ⁻ ¹ mod n; n ← pq Return ((φ,μ), n) /* secret key, public key */ n public key n φ=(p-1)(q-1), n=pq r∈ℤ n*, m∈ℤn c ← (mn + 1) rⁿ mod n² Paillier.Enc (gk, n; m, r): /* Assumes r ← ℤ n*: randomized alg. */ c ← (mn + 1) rⁿ mod n² Return c Paillier.Dec (gk, (φ, μ); c): m ← TDL(c^φ mod n²) · μ mod n Return m c* ← c^φ mod n² m ← TDL(c*)μ
security If factoring is easy then Paillier can be broken Opposite not known How would you come up with precise security assumption? Tautological assumption... :( but been well known for 15 years
Chosen-Plaintext Attack IND-CPA Security n pk φ, n r, e←{0,1} (m0,m1 ) c ← (mₑn + 1) rⁿ mod n² m ← TDL(c^φ) μ e* e* = e ?
Decisional Composite Residuosity DCR assumption Decisional Composite Residuosity Paillier = (Setup, Keygen, Enc, Dec) Adv[DCR] := | Pr[DCR = 1] - 1 / 2 | A ε-breaks DCR security iff Adv[DCR] ≥ ε DCR is (τ,ε)-secure iff no PPT adversary ε-breaks DCRA security in time ≤ τ DCR is secure iff it is (poly(κ),negl(κ))- secure Game DCR(κ,A) gk ← Setup (κ) ((φ,μ), n) ← Keygen (κ) m ← ℤn r ← ℤn* c₀ ← Enc (n; m, r) c₁ ← Enc (n; 0, r) e ← {0, 1} e* ← A (n, cₑ) Return e = e* ? 1 : 0
Paillier is IND-CPA secure Theorem. DCR is (≈τ, ≈ε)-secure iff Paillier is (τ,ε)-IND-CPA secure. Proof idea. DCR states Paillier is real-or-random IND-CPA-secure. We know from before that real- or-random IND-CPA = left-or-right IND-CPA.
malleability of paillier Recall: Enc (m, r) = (n + 1)ᵐ rⁿ mod n² => Enc (m, r) · Enc (m', r') = Enc (m + m', r · r') Thus, additively homomorphic just remember that randomizer multiplies For example: Enc (m; r) Enc (0; r') = Enc (m; rr')
efficiency Factoring of n must be hard Thus |n| ≥ 3000 (2|n| = 6000)-bit arithmetic vs 160-bit arithmetic with Elgamal+elliptic curves Much, much slower... but: decryption does not need computation of DL n-bit arithm. on elliptic curves is slower than n-bit modular arithm.
scalar product protocol for i = 1 to n rᵢ←ℤn* cᵢ←Enc(aᵢ; rᵢ) Protocol r'←ℤn* d←Πcᵢ^(bᵢ)·Enc(0; r') {cᵢ} pk,sk aᵢ∈{0,1}ᴸ a={aᵢ:i∈[n]} pk bᵢ∈{0,1}ᴸ b={bᵢ:i∈[n]} M←Dec(d) d Decryption succeeds when Σaᵢbᵢ ≤ n2²ᴸ is small, e.g., n2²ᴸ < 2^402^3000 d=Enc(Σaᵢbᵢ;... + r') M=Σaᵢbᵢ
d← c^(f₁ - f₀) · Enc(f₀; r') (2, 1)-CPIR protocol Protocol r←ℤn* c←Enc(x; r) r'←ℤn* d← c^(f₁ - f₀) · Enc(f₀; r') c pk,sk x∈{0,1} pk f = (f₀,f₁) fᵢ∈{0,1}ᴸ M←Dec(d) d
For larger L, apply protocol many times CPIR complexity Commun. (bits) Alice's comp. (exp, DL) Bob's comp. (exp) Elgamal 4*160 3·160^(2.58)+2^(L/2) 5 · 160^(2.58) Elgamal bitwise (2L + 2)*160 (L + 2) · 160^(2.58) 2L · 160^(2.58) Paillier 6000 2 · 6000^(2.58) Concrete keylengths may vary For first protocol, need L ≤ 160 For third protocol, need L ≤ 3000 For larger L, apply protocol many times
more protocols We only saw 2-message 2-party protocols but there are many more...
e-voting: motivation
e-voting: motivation Motivations: better security direct democracy conveniency
e-voting cᵢ cᵢ Tally({cᵢ})
two-candidate e-voting pk pk sk Enc(cᵢ) Enc(Σcᵢ) Dec(Σcᵢ) cᵢ ∈ {0, 1} ... = #voters who prefered 1 complete tally can be computed from this efficiently
multiple-candidate e-voting pk pk sk Enc(cᵢ) Enc(Σcᵢ) Dec(Σcᵢ) cᵢ ∈ {0, ..., C - 1} 2 = 0 + 2 = 1 + 1 non-unique
quiz: how to? pk pk sk Enc(f(cᵢ)) Enc(Σf(cᵢ)) g(Dec(Σf(cᵢ))) Hint: cᵢ ∈ {0, ..., C - 1} Hint: Let V = #voters V f(i) < f (i + 1)
presentation in (V+1)ary number system Multiple voters f (i) := (V + 1)ⁱ Then clearly Vf (i) = V (V + 1)ⁱ < (V + 1)ⁱ ⁺ ¹ = f (i + 1) Voter i outputs Enc ((V + 1)^(cᵢ)) Server 1 outputs Enc (Σᵢ (V + 1)^(cᵢ)) Server 2 outputs Σᵢ (V + 1)^(cᵢ) = Σₑ Tₑ (V + 1)^e presentation in (V+1)ary number system 1 TV ... T₁ T₀
Efficiency The number to be decrypted: ≤ (V + 1)^C Country like Estonia: V = 500 000, C = 150 => (V + 1)^C ≈ 2^(2840) Cannot compute DL of this size! Must use Paillier
Remarks: malicious security We assumed here that everybody is semihonest honest-but-curious In real elections, parties can be malicious => All parties must additionally "prove" they acted correctly Second part of the lecture series However, one must first design a protocol secure in semihonest model
Study outcomes Trapdoor discrete logarithm: idea Paillier with all gory details Example: efficiency of Paillier E-voting
What next? We saw how to use homomorphism to obtain interesting protocols However, the number of such protocols is limited Next lectures: adding tools: recursion, multiple rounds