Paillier Threshold Cryptography Web Service

1
Paillier Threshold Cryptography Web Service

• by
• Brett Wilson

2
Outline of the Talk

• Introduction/Motivation
• Related Work
• Design of Paillier Threshold Cryptography Web
  Service (PTC Web Service)
• Implementation
• Performance
• Lessons Learnt
• Future Direction
• Conclusion

3
Introduction/Motivation

• Secure electronic voting
• Why?
• 2000 Florida Presidential election
• Increase participation/election visibility
• Extensive research into developing technologies
  to allow secure electronic voting
• Current methods vulnerable
• Diebold voting machine security
• Princeton hacks
• Kohno et al. software security analysis
• E-voting Requirements
• Privacy/Anonymity, Completeness, Soundness,
  Un-reusability, Eligibility, Fairness
• Robustness, Universal Verifiability,
  Receipt-Freeness, Incoercibility

4
Introduction/Motivation

• Many of the new Secure Voting protocols use new
  encryption techniques
• Mathematical algorithms presented in literature
• Unable to identify/locate implementations of
  these algorithms
• UCCS effort to develop a secure e-voting
  application
• Basic building blocks unavailable for a large
  number of published evoting protocols

5
Related Work

• Unable to locate other implementations
• Basis for Implementation
• Sharing Decryption in the context of Voting or
  Lotteries (Fouque, Poupard, Stern)
• Closely related research
• A Generalization of Pailliers Public Key
  Cryptosystem with Applications to Electronic
  Voting (Damgard, Jurik, Nielson)
• Uses of Paillier Cryptography
• Electronic Voting
• Anonymous Mix Nets (due to self-blinding
  property)
• Electronic Auctions
• Electronic Lotteries

6
Related Work

• Other Techniques Used In E-voting Protocols
• Non-Interactive Zero Knowledge Proofs
• Proof does not require interaction
• Proof does not reveal any other information
• Prove vote is valid without revealing content of
  vote
• Prove two encryptions encrypt the same message
  without revealing message
• Mix Nets
• Anonymize votes
• Permutate and blind input so that output
  contains same information, but re-ordered and
  unrecognizable

7
Cryptographic Techniques Implemented

• Paillier CryptoSystem
• Trapdoor Discrete Logarithm Scheme
• c gMrn mod n2
• n is an RSA modulus (modulus of 2 safe primes)
• Safe prime - p 2q 1 where q is also prime
• g is an integer of order na mod n2
• r is a random number in Zn
• M L(c?(n) mod n2)/L(g?(n) mod n2) mod n
• L(u) (u-1)/n, ?(n)lcm((p-1)(q-1))
• Important Properties
• Probabilistic (randomness of E(M))
• Homomorphic
• E(M1 M2) E(M1) x E(M2), E(k x M) E(M)k
• Self-blinding
• D(E(M) rn mod n2 ) m

8
Cryptographic Techniques Implemented

• Threshold Encryption
• Public key encryption as usual
• Distribute secret key shares among i
  participants
• Decryption can only be accomplished if a
  threshold number t of the i participants
  cooperate
• No information about m can be obtained with less
  than t participants cooperating
• Shamir Secret Sharing
• Lagrange Interpolation formula
• f(X) Sti0 aiXi
• a0 is secret, ai are random, f(X) are secret
  shares
• X is share index (1 to number of servers)
• If enough f(X) available it is possible to
  recover a0

9
Generic PTC Use
9. Clear Text
2. SOAP/XML Request for PTC Parameters
Admin
5. Paillier Public Key
PTC Web Service
PTC CSP
3. SOAP/XML Response containing encrypted PTC
Parameters
PTC CSP
6. Cipher Text
1. Key Share Owners RSA Public Keys
8. Partial Decryption Shares/Proofs of Correct
Decryption
External Users
PTC CSP
Key Share Owner(s)
4. RSA Encrypted Secret Key Shares
PTC CSP
7. Cipher Text
10
Voting Application PTC Use
9. Vote Tally
2. SOAP/XML Request for PTC Parameters
Election Admin
5. Paillier Public Key
PTC Web Service
PTC CSP
6. Paillier-Encrypted Vote
3. SOAP/XML Response containing RSA encrypted
PTC Parameters
PTC CSP
Voter
1. Election Authorities RSA Public Keys
PTC CSP
8. Partial Decryption Shares of Vote
Tally/Proofs of Correct Decryption
Election Setup Admin create election/ballots
and requests election parameters
Election Authorities
4. RSA Encrypted Secret Key Shares
Admin combines partial decryptions to recover
tally
Voters Vote
Admin computes encrypted vote product (tally)
Authorities Partially Decrypt Vote Tally
PTC CSP
7. Paillier Encrypted Vote Tally
11
Paillier Threshold Cryptography Web Service (PTC
Web Service)

• Provides for generation of Paillier Threshold
  Cryptography parameters
• Public Key
• Private Key Shares
• Can be encrypted with provided public keys
• Verification Keys
• Used to verify correct decryption shares
• Removes trusted dealer from system participants
• No interaction between authorities required in
  this scheme
• Other Methods exist for interactive generation
  of private key shares that also remove trusted
  dealer
• Interaction required

12
PTC Web Service Architecture

• One Web Method
• GeneratePaillierThresholdParameters
• 1 Input Parameter
• ThresholdParameterRequest XML serialization
• Keysize
• Number of Secret Key Shares
• System Decryption Threshold
• List of Key Share Owners
• May include public keys of Key Share Owners
• Returns PaillierThresholdParameters XML
• Public Key
• Secret Key Shares
• Verification Key Shares
• Used by admin to verify decryption shares

13
PTC Web Service Implementation

• PaillierThresholdCryptoServiceProvider
• Implements Microsofts .NET interface for
  asymmetric algorithms
• ICSPAsymmetricAlgorithm
• Not fully implemented threshold systems are
  different
• Provides all basic functionality
• Generation of system parameters
• Encryption using public key
• Partial decryption using secret key share
• Generates proof of correct decryption
• Combining of decryption shares into original
  cleartext
• Validates provided proofs of decryption
• PTC Utilities
• Conversion between byte arrays, NGmp IntMP, and
  ASCII strings
• Random number generation (within Zn)
• Safe prime generation
• Random prime generation check for safeness

14
PTC Web Service Implementation (contd)

• ThresholdCryptographyService
• Web Service Application
• Microsoft Internet Information Services
• ASP.NET 2.0

15
Implementation Problems/Solutions

• Large Safe Prime Generation
• Key Size above 256 bits takes an unacceptable
  amount of time (512 bits - 39.85 sec)
• Fast algorithm does not exist
• Implemented one option for efficiency increase
• Long Term Solution
• Generate long list of safe primes off line
• Extract from list when needed
• Must protect list
• Shamir Secret Sharing
• Index of each key share must be persisted
• Indexes required to re-assemble the polynomial
  and thus the secret

16
Performance Evaluation

• Scalability not high priority in current scheme
• Web service only accessed once during
  cryptosystem parameter creation
• WebPartner Test and Performance Center
• Request for 256 bit key, 5 keyshares, threshold
  3
• Up to 100 simultaneous requests successful
• Random busy errors
• Due to random nature of safe prime generation

17
Demo E-Voting Application

• Election Administrator
• Creates election and ballot issues
• Submits request for election PTC parameters to
  PTC Web Service
• Includes public keys of key share owners
• Receives public key, encrypted private key
  shares, verifier keys
• Makes public key available to voters
• Distributes encrypted key shares to key share
  owners
• Makes verifier keys publicly available
• At conclusion of election, multiplies all
  Paillier-encrypted votes together and distributes
  to key share owners
• Receives decryption shares/proofs from key share
  owners
• verifies proofs
• combines decryption shares to reveal vote tally
  if enough valid proofs
• Voter
• Receives ballot issues/choices from administrator
• Uses election public key to encrypt vote
• Key Share Owners
• Receive encrypted secret key shares from
  administrator
• Receive encrypted vote tally from administrator
• Partially decrypt vote tally using secret key
  share

18
Implementation Tools

• Visual Studio 2005
• VB.NET
• Gnu Multiprecision Library (Gmp)
• Open source arbitrary precision numeric library
• Compiled under Visual Studio 2005
• NGmp
• Open source VB.NET binding of gmp.dll
• Enables calling of gmp library functions through
  VB.NET
• Compiled under Visual Studio 2005

19
Future Directions

• PTC Web Service
• Authenticity of PTC Parameters not currently
  guaranteed
• Implement signing of PTC Parameters by Web
  Service
• Insert UID field in web service signature to
  uniquely identify PTC Parameters
• Extend Web Service to provide other threshold
  encryption parameters
• RSA threshold signatures
• E-Voting Application Support
• Implement voter identity verification
• Develop non-interactive proof of vote validity
• encrypted vote is one of a set of valid votes
• Authenticity of election parameters/ballots not
  currently guaranteed
• Implement signing of election parameters/ballots
  by admin

20
Conclusion

• Implemented a web service and underlying
  cryptographic algorithms in VB.NET that provides
  Paillier Threshold Cryptographic services for
  supporting e-voting and other applications
• A demonstration e-voting application was
  completed using Microsoft Visual Studio 2005

21
References

• 1 P. Paillier, Public-Key Cryptosystems Based
  on Composite Degree Residuosity Classes,
  Eurocrypt 99
• 2 P. Fouque, G. Poupard, J.Stern, Sharing
  Decryption in the Context of Voting or Lotteries,
  Financial Cryptography 2000 Proceedings
• 3 I. Damgard, M. Jurik, J. Nielson, A
  Generalization of Pailliers Public-Key System
  with Applications to Electronic Voting, Aarhus
  University, Dept. of Computer Science
• 4 A. Shamir, How to Share a Secret,
  Communications of the ACM 1979
• 5 A.J. Menezes, P. C. van Oorschot, and S.A.
  Vanstone, Handbook of Applied Cryptography, CRC
  Press, 1997
• 6 D. Naccache, Double-Speed Safe Prime
  Generation, Gemplus Card International
• 7 M. Wiener, Safe Prime Generation with a
  Combined Sieve, Cryptographic Clarity

22
Backup Slides
23
Other Project Documents

• Paillier Threshold Cryptography Web Service and
  Evote Demonstration Quick Set-up
• Information on installation/setup of VS2005
  solution for developing/testing PTC Web Service
  and Evote Demonstration
• Paillier Threshold Cryptography Web Service
  Users Guide
• Detailed Information on installing/using the PTC
  Web Service

24
Use of WebService in Secure Voting

• Ballot format pick 1 out of c candidates
• Vote 2clog2v where c is the desired candidate
  number (0c) and v is the next power of 2 greater
  than the maximum number of voters
• All Paillier-encrypted votes could be publicly
  posted
• At end of election, all encrypted votes could be
  multiplied together (publicly verifiable)
• With cooperation of the required threshold number
  of authorities, the final product could be
  decrypted to reveal the vote total (sum of
  individual votes).