The Paillier Cryptosystem

Slides:

Advertisements

Similar presentations

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

Advertisements

Perfect Non-interactive Zero-Knowledge for NP

Non-interactive Zero- Knowledge Arguments for Voting Jens Groth UCLA.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

Data Security 1 El_Gamal Cryptography. Data Security2 Introduction El_Gamal is a public-key cryptosystem technique El_Gamal is a public-key cryptosystem.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (4) Information Security.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

CSE331: Introduction to Networks and Security Lecture 19 Fall 2002.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Electronic Voting Presented by Ben Riva Based on presentations and papers of: Schoenmakers, Benaloh, Fiat, Adida, Reynolds, Ryan and Chaum.

Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)

1/11/2007 bswilson/eVote-PTCWS 1 Paillier Threshold Cryptography Web Service by Brett Wilson.

and Factoring Integers (I)

Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.

Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Presenter: 陳國璋 EUROCRYPT'99, LNCS 1592, pp , By Pascal Paillier Efficient.

Attacks on Digital Signature Algorithm: RSA

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

Practical Aspects of Modern Cryptography Josh Benaloh & Brian LaMacchia.

10/25/20061 Threshold Paillier Encryption Web Service A Master’s Project Proposal by Brett Wilson.

Tree Homomorphic Encryption with Scalable Decryption Moti Yung Columbia University Joint work with Aggelos Kiayias University of Connecticut.

The Algebra of Encryption CS 6910 Semester Research and Project University of Colorado at Colorado Springs By Cliff McCullough 20 July 2011.

Introduction to Modern Cryptography Homework assignments.

Kickoff Meeting „E-Voting Seminar“

Paillier Threshold Encryption WebService by Brett Wilson.

Introduction to Modern Cryptography, Lecture 10 Performance Improvements: Fast Arithmetic, Montegomery representation, Batch RSA, Elliptic Curves.

CS470, A.SelcukElGamal Cryptosystem1 ElGamal Cryptosystem and variants CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)

Cryptography in Subgroups of Z n * Jens Groth UCLA.

1/11/2007 bswilson/eVote-PTCWS 1 Enhancing PTC based Secure E-Voting System (note: modification of Brett Wilson’s Paillier Threshold Cryptography Web Service.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

Chapter 3 Encryption Algorithms & Systems (Part C)

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Public Key Algorithms 4/17/2017 M. Chatterjee.

PRESENTED BY CHRIS ANDERSON JULY 29, 2009 Using Zero Knowledge Proofs to Validate Electronic Votes.

ASYMMETRIC CIPHERS.

Lecture 6: Public Key Cryptography

Public Key Model 8. Cryptography part 2.

Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.

Andreas Steffen, , 4-PublicKey.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications.

Quadratic Residuosity and Two Distinct Prime Factor ZK Protocols By Stephen Hall.

Chapter 5 Digital Signatures MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI 1.

Lecture 3.2: Public Key Cryptography II CS 436/636/736 Spring 2014 Nitesh Saxena.

HW6 due tomorrow Teams T will get to pick their presentation day in the order Teams T will get to pick their presentation day in the order Teams mostly.

1 Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Author: Pascal Paillier Presenter: 廖俊威 [Published in J. Stern, Ed., Advances in.

Cryptographic Voting Systems (Ben Adida) Jimin Park Carleton University COMP 4109 Seminar 15 February 2011.

1 Lecture 9 Public Key Cryptography Public Key Algorithms CIS CIS 5357 Network Security.

Topic 22: Digital Schemes (2)

1 Lect. 13 : Public Key Encryption RSA ElGamal. 2 Shamir Rivest Adleman RSA Public Key Systems  RSA is the first public key cryptosystem  Proposed in.

Fall 2004/Lecture 201 Cryptography CS 555 Lecture 20-b Zero-Knowledge Proof.

Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena.

A. Steffen, , Kickoff.pptx 1 Kickoff Meeting „E-Voting Seminar“ An Introduction to Cryptographic Voting Systems Andreas Steffen Hochschule für.

Public Key Cryptography. symmetric key crypto requires sender, receiver know shared secret key Q: how to agree on key in first place (particularly if.

RSA Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013.

Scott CH Huang COM 5336 Cryptography Lecture 6 Public Key Cryptography & RSA Scott CH Huang COM 5336 Cryptography Lecture 6.

Elliptic Curve Cryptography

Prepared by Dr. Lamiaa Elshenawy

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Cryptographic Security Identity-Based Encryption.

CS 4803 Fall 04 Public Key Algorithms. Modular Arithmetic n Public key algorithms are based on modular arithmetic. n Modular addition. n Modular multiplication.

Almost Entirely Correct Mixing With Applications to Voting Philippe Golle Dan Boneh Stanford University.

Introduction to Elliptic Curve Cryptography CSCI 5857: Encoding and Encryption.

RSA Pubic Key Encryption CSCI 5857: Encoding and Encryption.

1 Introduction to Information Security , Spring 2016 Lecture 4: Applied cryptography: asymmetric Zvi Ostfeld Slides credit: Eran Tromer.

Key Exchange in Systems VPN usually has two phases –Handshake protocol: key exchange between parties sets symmetric keys –Traffic protocol: communication.

Feige-Fiat-Shamir Zero Knowledge Proof Based on difficulty of computing square roots mod a composite n Given two large primes p, q and n=p * q, computing.

An efficient threshold RSA digital signature scheme

Some slides borrowed from Philippe Golle, Markus Jacobson

RSA and El Gamal Cryptosystems

ISI Day – 20th Anniversary

Introduction to Modern Cryptography

Presentation transcript:

The Paillier Cryptosystem E-Voting Seminar The Paillier Cryptosystem Andreas Steffen Hochschule für Technik Rapperswil andreas.steffen@hsr.ch

Agenda Some mathematical properties Encryption and decryption Additive homomorphic properties Zero knowledge proof for n-th powers Paillier e-voting simulator Non-interactive ZKP using the Fiat-Shamir heuristic Damgård-Jurik Cryptosystem (Generalized Paillier) Damgård-Jurik JavaScript e-voting client Threshold decryption schemes

The Paillier Cryptosystem I Proposed by Pascal Paillier in 1999: Choose two large prime numbers p and q and form the modulus Euler‘s totient function gives the number of elements in The number of elements in is The private key  is determined using Carmichael‘s function Due to Carmichael‘s theorem, for every element

The Paillier Cryptosystem II The hard problem: Deciding n-th composite residuosity! The set of n-th residues is a multiplicative subgroup of of order Each n-th residue z has exactly n roots of degree n, among which exactly one is strictly smaller than n, namely The n-th roots of unity are the numbers of the form Generate the multiplicative subgroup as Paillier Encryption m: plaintext message, r: random number for semantic security

Example: Multiplicative Subgroup 1 16 31 46 61 76 91 106 121 136 151 166 181 196 211 g^m 1 1 1 16 31 46 61 76 91 106 121 136 151 166 181 196 211 2 143 143 38 158 53 173 68 188 83 203 98 218 113 8 128 23 4 199 199 34 94 154 214 49 109 169 4 64 124 184 19 79 139 7 118 118 88 58 28 223 193 163 133 103 73 43 13 208 178 148 8 107 107 137 167 197 2 32 62 92 122 152 182 212 17 47 77 11 26 26 191 131 71 11 176 116 56 221 161 101 41 206 146 86 13 82 82 187 67 172 52 157 37 142 22 127 7 112 217 97 202 14 224 224 209 194 179 164 149 134 119 104 89 74 59 44 29 14 r r^n p = 3, q = 5, n = 15, n2 = 225 Generator in most general form: (n) = 8, (n) = lcm(2, 4) = 4

Paillier Decryption with Apply the private key  and use Carmichael‘s theorem Make use of the relationship Apply the L(x) function

Additive Homomorphic Properties Verification Use in e-voting systems with homomorphic tallying: The additive homomorphic property directly returning the tally is the biggest advantage of the Paillier Cryptosystem over the El Gamal Cryptosystem which has an intrinsically multiplicative homomorphic property requiring the computation of a discrete logarithm over a bounded range to extract the tally.

Validity Proof of Ballot (Case: k = i) K valid voting messages (e.g. vote for one out of K candidates) Zero knowledge proof : Prove that uk is an n-th power Commitment: Prover chooses a random number  Challenge: Verifier chooses a random bit string ei of length b Response: Prover computes zi Verification:

Validity Proof of Ballot (Cases: k  i) Preparation: Prover chooses zk and bit string ek randomly Commitment: Prover computes ak so that it passes verification Challenge: Verifier chooses a random bit string e of length b Response: Prover sends prepared zk and ek Verification: Prover can preselect all ek for k  i but is bound by e for the choice of ei.

Paillier E-Voting Simulator http://security.hsr.ch/msevote/paillier

E-Voting Simulator – Tallying with ZKPs

Non-Interactive ZKP (Fiat-Shamir Heuristic) Election ID Voter ID Encrypted Ballot c Commitments ak SHA-256 Counter AES-256 Counter Mode 256 bit key Challenge Bit String e

The Damgård-Jurik Cryptosystem Additional parameter s (Paillier: s = 1) Generate the multiplicative subgroup as Generator usually chosen as g = (1+n) Size of modulus n: b bits (e.g. 1536 bits) Size of message m: sb - 1 bits (s=1: 1535 bits, s=2: 3071 bits) Size of ciphertext c: (s+1)b (s=1: 3072 bits, s=2: 4608 bits) Efficiency:  = s/(s+1) (s=1: 50%, s=2: 67%, s=3: 75%) m: plaintext message, r: random number for semantic security

Damgård-Jurik JavaScript E-Voting Client

Damgård-Jurik JavaScript E-Voting Client

Commitment

Challenge Verification

Response Verification

Threshold Scheme with a Trusted Dealer

Threshold Scheme without a Trusted Dealer Practical threshold RSA signatures without a trusted dealer Ivan Damgard, Maciej Koprowski, 2001 The distributed generation of an RSA private key required by a Threshold Paillier Cryptosystem is much more complex than the simple independent partial private key generation possible with the El Gamal Cryptosystem.