1. Cryptographic protocols 2014, Lecture 6
Trapdoor discrete logarithm. Paillier
Helger Lipmaa
University of Tartu, Estonia

2. Up to now Introduction to the field
Simple secure computation protocols
based on DDH ("DL is hard" family)
Can design many efficient 2MAH protocols
General problem: Alice needs to compute DL
which is hard by assumption

3. this time Trapdoor discrete logarithm
hard if you do not know secret key
easy if you do
Paillier cryptosystem
Some protocols
E-voting

4. trapdoor discrete logarithm
Def. Binomial coefficient:
Relation with exponent.:
a = n, b = 1:
modulo n²:
Idea: while encrypting, use g = 1 + n as a generator in a group modulo n². Needed: can compute DL only while knowing some secret

5. getting closer to paillier...
Enc(m; r) = ((n + 1)ᵐ hʳ, (n + 1)ʳ ) mod n² // Analogy to Elgamal
possible but not so efficient
|Enc (m; r)| = 4 |m| since m∈ ℤn
Paillier cryptosystem (1999):
Enc(m; r) = (n + 1)ᵐ rⁿ = (mn + 1) rⁿ mod n²
Trapdoor (idea): related to knowledge of factorization of n
We need later (1 + mn) < n²

6. Various pairing assumptions
Some assumptions
Factoring
RSA
Strong RSA
Discrete Log
CDH
DDH
SVP
CVP
LWE
RLWE
gapSVP
DCRA
Various pairing assumptions

7. factoring
Assumption: given a large composite number, it is infeasible to factor it
Not quite: it is easy to factor any even number
also say any square numbers
Common version: given n = pq, for two random large primes p and q, it is difficult to find p and q

8. factoring Probably the best known hard problem
The problem of distinguishing prime numbers from composite numbers and of resolving the latter into their prime factors is known to be one of the most important and useful in arithmetic. ~~~~~~~ Carl Friedrich Gauss
Classical computers: subexponential but superpolynomial time (like DL instantiation 1)
Quantum computers: easy (like DL)

9. getting closer to paillier...
Paillier cryptosystem (1999):
for random large p and q, let pk = n ← pq
c = Enc(m; r) = (mn + 1) rⁿ mod n²
Trapdoor (idea): knowledge of the factoring of n
More precisely: trapdoor = i, such that one can recover m efficiently from cⁱ mod n² only if i is known

10. Note on r Let r = a + bn for a, b < n
rⁿ = (a + bn)ⁿ = aⁿ + n · (aⁿ ⁻ ¹ bn) = aⁿ mod n²
Thus one can always assume b = 0
Or: r ∈ ℤn*

11. getting closer to paillier...
Paillier: c=Enc(m; r) = (mn + 1) rⁿ mod n²
Idea: trapdoor = i, such that one can recover m efficiently from cⁱ mod n² only if i is known
cⁱ = (mn + 1)ⁱ rⁿⁱ = (1 + imn) rⁿⁱ mod n²
Most logical: i is such that rⁿⁱ = 1 mod n²

12. recall: totient function
φ (N) is the order of multiplicative group ℤN*
In our case: for any r∈ℤ*n², r^(φ (n²)) = 1 mod n²
φ (p) = p - 1 for prime p (0 is not invertible)
φ (N) = N · Π (1 - 1 / p') in general
product over all distinct primes p' that divide N
Here: φ (n²) = p²q² (1 - 1 / p) (1 - 1 / q) = pq(p - 1)(q - 1) = n·φ(n)

13. factoring => φ Assume knowledge of p, q
Can efficiently compute φ := φ (n) = (p - 1) (q - 1)

14. QUIZ: φ => factoring
Assume knowl. of n=pq and φ=(p-1)(q-1)=n- (p+q)+1
Knowing n and φ, one can compute s = p + q
Knowing n = pq and s :
q = s - p, thus n = p (s - p), thus p² - sp + n = 0
Quadratic equation, thus can find p efficiently

15. getting closer to paillier...
Paillier: c = Enc(m; r) = (mn + 1) rⁿ mod n²
Trapdoor: φ := (p - 1) (q - 1), μ := φ⁻¹ mod n
Thus (rⁿ)^φ = r^(φ(n²)) = 1 mod n²
Thus c^φ = (mn + 1)^φ = φmn + 1 mod n²

16. getting closer to paillier...
c^φ = (mn + 1)^φ = φmn + 1 mod n²
Decryption: // Need to recover m from c^φ
Define L (x) := (x - 1) / n for x < n²
Problem: n is not invertible modulo n²
Thus L(c^φ mod n²) = φ m mod n
m ← L(c^φ mod n²) μ mod n (= φ m φ ⁻¹ = m mod n)
Assuming x < n², this is integer division

17. paillier encryption Paillier.Keygen (gk): Paillier.Setup (κ):
Choose good keylength (length of p, q)
Return gk ← keylength
Paillier.Keygen (gk):
p, q ← random keylength-long primes
φ ← (p-1)(q-1); μ ← φ⁻ ¹ mod n; n ← pq
Return ((φ,μ), n) /* secret key, public key */ n
public key n
φ=(p-1)(q-1), n=pq
r∈ℤ n*, m∈ℤn
c ← (mn + 1) rⁿ mod n²
Paillier.Enc (gk, n; m, r):
/* Assumes r ← ℤ n*: randomized alg. */
c ← (mn + 1) rⁿ mod n²
Return c
Paillier.Dec (gk, (φ, μ); c):
m ← TDL(c^φ mod n²) · μ mod n
Return m
c* ← c^φ mod n²
m ← TDL(c*)μ

18. security If factoring is easy then Paillier can be broken
Opposite not known
How would you come up with precise security assumption?
Tautological assumption... :(
but been well known for 15 years

19. Chosen-Plaintext Attack
IND-CPA Security n pk
φ, n r,
e←{0,1}
(m0,m1 )
c ← (mₑn + 1) rⁿ mod n²
m ← TDL(c^φ) μ e*
e* = e ?

20. Decisional Composite Residuosity
DCR assumption
Decisional Composite Residuosity
Paillier = (Setup, Keygen, Enc, Dec)
Adv[DCR] := | Pr[DCR = 1] - 1 / 2 |
A ε-breaks DCR security iff Adv[DCR] ≥ ε
DCR is (τ,ε)-secure iff no PPT adversary ε-breaks DCRA security in time ≤ τ
DCR is secure iff it is (poly(κ),negl(κ))- secure
Game DCR(κ,A)
gk ← Setup (κ)
((φ,μ), n) ← Keygen (κ)
m ← ℤn
r ← ℤn*
c₀ ← Enc (n; m, r)
c₁ ← Enc (n; 0, r)
e ← {0, 1}
e* ← A (n, cₑ)
Return e = e* ? 1 : 0

21. Paillier is IND-CPA secure
Theorem. DCR is (≈τ, ≈ε)-secure iff Paillier is (τ,ε)-IND-CPA secure.
Proof idea. DCR states Paillier is real-or-random IND-CPA-secure. We know from before that real- or-random IND-CPA = left-or-right IND-CPA.

22. malleability of paillier
Recall: Enc (m, r) = (n + 1)ᵐ rⁿ mod n²
=> Enc (m, r) · Enc (m', r') = Enc (m + m', r · r')
Thus, additively homomorphic
just remember that randomizer multiplies
For example: Enc (m; r) Enc (0; r') = Enc (m; rr')

23. efficiency Factoring of n must be hard Thus |n| ≥ 3000
(2|n| = 6000)-bit arithmetic
vs 160-bit arithmetic with Elgamal+elliptic curves
Much, much slower...
but: decryption does not need computation of DL
n-bit arithm. on elliptic curves is slower than n-bit modular arithm.

24. scalar product protocol
for i = 1 to n
rᵢ←ℤn*
cᵢ←Enc(aᵢ; rᵢ)
Protocol
r'←ℤn*
d←Πcᵢ^(bᵢ)·Enc(0; r')
{cᵢ}
pk,sk
aᵢ∈{0,1}ᴸ
a={aᵢ:i∈[n]} pk
bᵢ∈{0,1}ᴸ
b={bᵢ:i∈[n]}
M←Dec(d) d
Decryption succeeds when Σaᵢbᵢ ≤ n2²ᴸ is small, e.g., n2²ᴸ < 2^402^3000
d=Enc(Σaᵢbᵢ;... + r')
M=Σaᵢbᵢ

25. d← c^(f₁ - f₀) · Enc(f₀; r')
(2, 1)-CPIR protocol
Protocol
r←ℤn*
c←Enc(x; r)
r'←ℤn*
d← c^(f₁ - f₀) · Enc(f₀; r') c
pk,sk
x∈{0,1} pk
f = (f₀,f₁)
fᵢ∈{0,1}ᴸ
M←Dec(d) d

26. For larger L, apply protocol many times
CPIR complexity
Commun. (bits)
Alice's comp. (exp, DL)
Bob's comp. (exp)
Elgamal
4*160
3·160^(2.58)+2^(L/2)
5 · 160^(2.58)
Elgamal bitwise
(2L + 2)*160
(L + 2) · 160^(2.58)
2L · 160^(2.58)
Paillier
6000
2 · 6000^(2.58)
Concrete keylengths may vary
For first protocol, need L ≤ 160
For third protocol, need L ≤ 3000
For larger L, apply protocol many times

27. more protocols We only saw 2-message 2-party protocols
but there are many more...

28. e-voting: motivation

29. e-voting: motivation Motivations: better security direct democracy
conveniency

30. e-voting cᵢ cᵢ
Tally({cᵢ})

31. two-candidate e-votingpk pk sk
Enc(cᵢ)
Enc(Σcᵢ)
Dec(Σcᵢ)
cᵢ ∈ {0, 1}
... = #voters who prefered 1
complete tally can be computed from this efficiently

32. multiple-candidate e-votingpk pk sk
Enc(cᵢ)
Enc(Σcᵢ)
Dec(Σcᵢ)
cᵢ ∈ {0, ..., C - 1}
2 = = 1 + 1
non-unique

33. quiz: how to? pk pk sk Enc(f(cᵢ)) Enc(Σf(cᵢ)) g(Dec(Σf(cᵢ))) Hint:
cᵢ ∈ {0, ..., C - 1}
Hint:
Let V = #voters
V f(i) < f (i + 1)

34. presentation in (V+1)ary number system
Multiple voters
f (i) := (V + 1)ⁱ
Then clearly Vf (i) = V (V + 1)ⁱ < (V + 1)ⁱ ⁺ ¹ = f (i + 1)
Voter i outputs Enc ((V + 1)^(cᵢ))
Server 1 outputs Enc (Σᵢ (V + 1)^(cᵢ))
Server 2 outputs Σᵢ (V + 1)^(cᵢ) = Σₑ Tₑ (V + 1)^e
presentation in (V+1)ary number system 1 TV
... T₁ T₀

35. Efficiency The number to be decrypted: ≤ (V + 1)^C
Country like Estonia:
V = , C = 150 => (V + 1)^C ≈ 2^(2840)
Cannot compute DL of this size!
Must use Paillier

36. Remarks: malicious security
We assumed here that everybody is semihonest
honest-but-curious
In real elections, parties can be malicious
=> All parties must additionally "prove" they acted correctly
Second part of the lecture series
However, one must first design a protocol secure in semihonest model

37. Study outcomes Trapdoor discrete logarithm: idea
Paillier with all gory details
Example: efficiency of Paillier
E-voting

38. What next?
We saw how to use homomorphism to obtain interesting protocols
However, the number of such protocols is limited
Next lectures:
adding tools: recursion, multiple rounds