1/11/2007 bswilson/eVote-PTCWS 1 Paillier Threshold Cryptography Web Service by Brett Wilson

21/11/2007bswilson/eVote-PTCWS Outline of the Talk Introduction/Motivation Related Work Design of Paillier Threshold Cryptography Web Service (PTC Web Service) ImplementationPerformance Lessons Learnt Future Direction Conclusion

31/11/2007bswilson/eVote-PTCWS Introduction/Motivation Secure electronic voting Why? Why? 2000 Florida Presidential election Increase participation/election visibility Extensive research into developing technologies to allow secure electronic voting Extensive research into developing technologies to allow secure electronic voting Current methods vulnerable Diebold voting machine security Princeton hacks Princeton hacks Kohno et al. software security analysis Kohno et al. software security analysis E-voting Requirements Privacy/Anonymity, Completeness, Soundness, Un-reusability, Eligibility, Fairness Privacy/Anonymity, Completeness, Soundness, Un-reusability, Eligibility, Fairness Robustness, Universal Verifiability, Receipt-Freeness, Incoercibility Robustness, Universal Verifiability, Receipt-Freeness, Incoercibility

41/11/2007bswilson/eVote-PTCWS Introduction/Motivation Many of the new Secure Voting protocols use new encryption techniques Mathematical algorithms presented in literature Mathematical algorithms presented in literature Unable to identify/locate implementations of these algorithms Unable to identify/locate implementations of these algorithms UCCS effort to develop a secure e-voting application Basic building blocks unavailable for a large number of published evoting protocols Basic building blocks unavailable for a large number of published evoting protocols

51/11/2007bswilson/eVote-PTCWS Related Work Unable to locate other implementations Basis for Implementation Sharing Decryption in the context of Voting or Lotteries (Fouque, Poupard, Stern) Sharing Decryption in the context of Voting or Lotteries (Fouque, Poupard, Stern) Closely related research A Generalization of Paillier’s Public Key Cryptosystem with Applications to Electronic Voting (Damgard, Jurik, Nielson) A Generalization of Paillier’s Public Key Cryptosystem with Applications to Electronic Voting (Damgard, Jurik, Nielson) Uses of Paillier Cryptography Electronic Voting Electronic Voting Anonymous Mix Nets (due to self-blinding property) Anonymous Mix Nets (due to self-blinding property) Electronic Auctions Electronic Auctions Electronic Lotteries Electronic Lotteries

61/11/2007bswilson/eVote-PTCWS Related Work Other Techniques Used In E-voting Protocols Non-Interactive Zero Knowledge Proofs Non-Interactive Zero Knowledge Proofs Proof does not require interaction Proof does not require interaction Proof does not reveal any other information Proof does not reveal any other information Prove vote is valid without revealing content of vote Prove vote is valid without revealing content of vote Prove two encryptions encrypt the same message without revealing message Prove two encryptions encrypt the same message without revealing message Mix Nets Anonymize votes Anonymize votes Permutate and “blind” input so that output contains same information, but re-ordered and unrecognizable Permutate and “blind” input so that output contains same information, but re-ordered and unrecognizable

71/11/2007bswilson/eVote-PTCWS Cryptographic Techniques Implemented Paillier CryptoSystem Trapdoor Discrete Logarithm Scheme Trapdoor Discrete Logarithm Scheme c = g M r n mod n 2 c = g M r n mod n 2 n is an RSA modulus (modulus of 2 safe primes) n is an RSA modulus (modulus of 2 safe primes) Safe prime - Safe prime - p = 2q + 1 where q is also prime g is an integer of order nα mod n 2 g is an integer of order nα mod n 2 r is a random number in Z n * r is a random number in Z n * M = L(c λ(n) mod n 2 )/L(g λ(n) mod n 2 ) mod n M = L(c λ(n) mod n 2 )/L(g λ(n) mod n 2 ) mod n L(u) = (u-1)/n, λ(n)=lcm((p-1)(q-1)) L(u) = (u-1)/n, λ(n)=lcm((p-1)(q-1)) Important Properties Important Properties Probabilistic (randomness of E(M)) Homomorphic E(M 1 + M 2 ) = E(M 1 ) x E(M 2 ), E(k x M) = E(M) k E(M 1 + M 2 ) = E(M 1 ) x E(M 2 ), E(k x M) = E(M) kSelf-blinding D(E(M) r n mod n 2 ) = m D(E(M) r n mod n 2 ) = m

81/11/2007bswilson/eVote-PTCWS Cryptographic Techniques Implemented Threshold Encryption Public key encryption as usual Public key encryption as usual Distribute secret key “shares” among i participants Distribute secret key “shares” among i participants Decryption can only be accomplished if a threshold number t of the i participants cooperate Decryption can only be accomplished if a threshold number t of the i participants cooperate No information about m can be obtained with less than t participants cooperating Shamir Secret Sharing Lagrange Interpolation formula Lagrange Interpolation formula f(X) = Σ t i=0 a i X i f(X) = Σ t i=0 a i X i a 0 is secret, a i are random, f(X) are “secret shares” a 0 is secret, a i are random, f(X) are “secret shares” X is share index (1 to number of servers) If enough f(X) available it is possible to recover a 0 If enough f(X) available it is possible to recover a 0

91/11/2007bswilson/eVote-PTCWS Generic PTC Use Admin PTC Web Service PTC CSP 2. SOAP/XML Request for PTC Parameters 3. SOAP/XML Response containing encrypted PTC Parameters Key Share Owner(s) 1. Key Share Owners’ RSA Public Keys 8. Partial Decryption Shares/Proofs of Correct Decryption 4. RSA Encrypted Secret Key Shares PTC CSP 7. Cipher Text 9. Clear Text External Users PTC CSP 5. Paillier Public Key 6. Cipher Text

101/11/2007bswilson/eVote-PTCWS Voting Application PTC Use Election Admin PTC Web Service PTC CSP 2. SOAP/XML Request for PTC Parameters 3. SOAP/XML Response containing RSA encrypted PTC Parameters Election Authorities 1. Election Authorities’ RSA Public Keys 8. Partial Decryption Shares of Vote Tally/Proofs of Correct Decryption 4. RSA Encrypted Secret Key Shares PTC CSP 7. Paillier Encrypted Vote Tally 9. Vote Tally Voter PTC CSP 5. Paillier Public Key 6. Paillier- Encrypted Vote Election Setup – Admin create election/ballots and requests election parameters Voters VoteAdmin computes encrypted vote product (tally) Authorities Partially Decrypt Vote Tally Admin combines partial decryptions to recover tally

111/11/2007bswilson/eVote-PTCWS Paillier Threshold Cryptography Web Service (PTC Web Service) Provides for generation of Paillier Threshold Cryptography parameters Public Key Public Key Private Key Shares Private Key Shares Can be encrypted with provided public keys Can be encrypted with provided public keys Verification Keys Verification Keys Used to verify correct “decryption shares” Used to verify correct “decryption shares” Removes trusted dealer from system participants No interaction between authorities required in this scheme No interaction between authorities required in this scheme Other Methods exist for interactive generation of private key shares that also remove trusted dealer Other Methods exist for interactive generation of private key shares that also remove trusted dealer Interaction required Interaction required

121/11/2007bswilson/eVote-PTCWS PTC Web Service Architecture One Web Method GeneratePaillierThresholdParameters GeneratePaillierThresholdParameters 1 Input Parameter 1 Input Parameter ThresholdParameterRequest XML serialization ThresholdParameterRequest XML serialization Keysize Keysize Number of Secret Key Shares Number of Secret Key Shares System Decryption Threshold System Decryption Threshold List of Key Share Owners List of Key Share Owners May include public keys of Key Share Owners Returns PaillierThresholdParameters XML Returns PaillierThresholdParameters XML Public Key Public Key Secret Key Shares Secret Key Shares Verification Key Shares Verification Key Shares Used by admin to verify decryption shares Used by admin to verify decryption shares

131/11/2007bswilson/eVote-PTCWS PTC Web Service Implementation PaillierThresholdCryptoServiceProvider Implements Microsoft’s.NET interface for asymmetric algorithms Implements Microsoft’s.NET interface for asymmetric algorithms ICSPAsymmetricAlgorithm ICSPAsymmetricAlgorithm Not fully implemented – threshold systems are different Not fully implemented – threshold systems are different Provides all basic functionality Provides all basic functionality Generation of system parameters Generation of system parameters Encryption using public key Encryption using public key Partial decryption using secret key share Partial decryption using secret key share Generates proof of correct decryption Generates proof of correct decryption Combining of decryption shares into original cleartext Combining of decryption shares into original cleartext Validates provided proofs of decryption Validates provided proofs of decryption PTC Utilities Conversion between byte arrays, NGmp IntMP, and ASCII strings Conversion between byte arrays, NGmp IntMP, and ASCII strings Random number generation (within Z n * ) Random number generation (within Z n * ) Safe prime generation Safe prime generation Random prime generation – check for “safeness”

141/11/2007bswilson/eVote-PTCWS PTC Web Service Implementation (cont’d) ThresholdCryptographyService Web Service Application Web Service Application Microsoft Internet Information Services Microsoft Internet Information Services ASP.NET 2.0 ASP.NET 2.0

151/11/2007bswilson/eVote-PTCWS Implementation Problems/Solutions Large Safe Prime Generation Key Size above 256 bits takes an unacceptable amount of time (512 bits sec) Key Size above 256 bits takes an unacceptable amount of time (512 bits sec) Fast algorithm does not exist Fast algorithm does not exist Implemented one option for efficiency increase Implemented one option for efficiency increase Long Term Solution Long Term Solution Generate long list of safe primes off line Generate long list of safe primes off line Extract from list when needed Extract from list when needed Must protect list Must protect list Shamir Secret Sharing Index of each key share must be persisted Index of each key share must be persisted Indexes required to re-assemble the polynomial and thus the secret Indexes required to re-assemble the polynomial and thus the secret

161/11/2007bswilson/eVote-PTCWS Performance Evaluation Scalability not high priority in current scheme Web service only accessed once during cryptosystem parameter creation Web service only accessed once during cryptosystem parameter creation WebPartner Test and Performance Center Request for 256 bit key, 5 keyshares, threshold = 3 Request for 256 bit key, 5 keyshares, threshold = 3 Up to 100 simultaneous requests successful Random busy errors Random busy errors Due to random nature of safe prime generation Due to random nature of safe prime generation

171/11/2007bswilson/eVote-PTCWS Demo: E-Voting Application Election Administrator Creates election and ballot issues Creates election and ballot issues Submits request for election PTC parameters to PTC Web Service Submits request for election PTC parameters to PTC Web Service Includes public keys of key share owners Receives public key, encrypted private key shares, verifier keys Receives public key, encrypted private key shares, verifier keys Makes public key available to voters Distributes encrypted key shares to key share owners Makes verifier keys publicly available At conclusion of election, multiplies all Paillier-encrypted votes together and distributes to key share owners At conclusion of election, multiplies all Paillier-encrypted votes together and distributes to key share owners Receives decryption shares/proofs from key share owners Receives decryption shares/proofs from key share owners verifies proofs combines decryption shares to reveal vote tally if enough valid proofs Voter Receives ballot issues/choices from administrator Receives ballot issues/choices from administrator Uses election public key to encrypt vote Uses election public key to encrypt vote Key Share Owners Receive encrypted secret key shares from administrator Receive encrypted secret key shares from administrator Receive encrypted vote tally from administrator Receive encrypted vote tally from administrator Partially decrypt vote tally using secret key share Generate proof of correct decryption

181/11/2007bswilson/eVote-PTCWS Implementation Tools Visual Studio 2005 VB.NET VB.NET Gnu Multiprecision Library (Gmp) Open source arbitrary precision numeric library Open source arbitrary precision numeric library Compiled under Visual Studio 2005 Compiled under Visual Studio 2005NGmp Open source VB.NET binding of gmp.dll Open source VB.NET binding of gmp.dll Enables calling of gmp library functions through VB.NET Enables calling of gmp library functions through VB.NET Compiled under Visual Studio 2005 Compiled under Visual Studio 2005

191/11/2007bswilson/eVote-PTCWS Future Directions PTC Web Service Authenticity of PTC Parameters not currently guaranteed Authenticity of PTC Parameters not currently guaranteed Implement signing of PTC Parameters by Web Service Implement signing of PTC Parameters by Web Service Insert UID field in web service signature to uniquely identify PTC Parameters Insert UID field in web service signature to uniquely identify PTC Parameters Extend Web Service to provide other threshold encryption parameters RSA threshold signatures RSA threshold signatures E-Voting Application Support Implement voter identity verification Implement voter identity verification Develop non-interactive proof of vote validity Develop non-interactive proof of vote validity encrypted vote is one of a set of valid votes encrypted vote is one of a set of valid votes Authenticity of election parameters/ballots not currently guaranteed Authenticity of election parameters/ballots not currently guaranteed Implement signing of election parameters/ballots by admin

201/11/2007bswilson/eVote-PTCWS Conclusion Implemented a web service and underlying cryptographic algorithms in VB.NET that provides Paillier Threshold Cryptographic services for supporting e- voting and other applications A demonstration e-voting application was completed using Microsoft Visual Studio 2005

211/11/2007bswilson/eVote-PTCWS References [1] P. Paillier, Public-Key Cryptosystems Based on Composite Degree Residuosity Classes, Eurocrypt ‘99 [2] P. Fouque, G. Poupard, J.Stern, Sharing Decryption in the Context of Voting or Lotteries, Financial Cryptography 2000 Proceedings [3] I. Damgard, M. Jurik, J. Nielson, A Generalization of Paillier’s Public-Key System with Applications to Electronic Voting, Aarhus University, Dept. of Computer Science [4] A. Shamir, How to Share a Secret, Communications of the ACM 1979 [5] A.J. Menezes, P. C. van Oorschot, and S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997 [6] D. Naccache, Double-Speed Safe Prime Generation, Gemplus Card International [7] M. Wiener, Safe Prime Generation with a Combined Sieve, Cryptographic Clarity

221/11/2007bswilson/eVote-PTCWS Backup Slides

231/11/2007bswilson/eVote-PTCWS Other Project Documents Paillier Threshold Cryptography Web Service and Evote Demonstration Quick Set-up Information on installation/setup of VS2005 solution for developing/testing PTC Web Service and Evote Demonstration Information on installation/setup of VS2005 solution for developing/testing PTC Web Service and Evote Demonstration Paillier Threshold Cryptography Web Service User’s Guide Detailed Information on installing/using the PTC Web Service Detailed Information on installing/using the PTC Web Service

241/11/2007bswilson/eVote-PTCWS Use of WebService in Secure Voting Ballot format: pick 1 out of c candidates Vote = 2c*log2v where c is the desired candidate number (0…c) and v is the next power of 2 greater than the maximum number of voters Vote = 2c*log2v where c is the desired candidate number (0…c) and v is the next power of 2 greater than the maximum number of voters All Paillier-encrypted votes could be publicly posted At end of election, all encrypted votes could be multiplied together (publicly verifiable) With cooperation of the required threshold number of “authorities”, the final product could be decrypted to reveal the vote total (sum of individual votes).