10/25/20061 Threshold Paillier Encryption Web Service A Master’s Project Proposal by Brett Wilson

210/25/2006 Motivation Secure Electronic Voting Research Interest in improving current voting process is high Interest in improving current voting process is high 2000 Presidential election snafu Improved access/availability (voter turnout) Cryptographic research has led to new solutions to problems with electronic voting Cryptographic research has led to new solutions to problems with electronic voting Basic requirements for electronic voting Privacy – All votes should be kept secret Privacy – All votes should be kept secret Completeness – All valid votes should be counted correctly Completeness – All valid votes should be counted correctly Soundness – Any invalid vote should not be counted Soundness – Any invalid vote should not be counted Unreusability – No voter can vote twice Unreusability – No voter can vote twice Eligibility – Only authorized voters can cast a vote Eligibility – Only authorized voters can cast a vote Fairness – Nothing can affect the voting Fairness – Nothing can affect the voting Extended Requirements for electronic voting Robustness – faulty behavior of any reasonably sized coalition of participants can be tolerated Robustness – faulty behavior of any reasonably sized coalition of participants can be tolerated Universal Verifiability – any party can verify the result of the voting Universal Verifiability – any party can verify the result of the voting Recipt-freeness – Voters are unable to prove the content of his/her vote Recipt-freeness – Voters are unable to prove the content of his/her vote Incoercibility – Voter cannot be coerced into casting a particular vote by a coercer Incoercibility – Voter cannot be coerced into casting a particular vote by a coercer

310/25/2006 Motivation Many of the proposed electronic voting protocols utilize threshold homomorhpic encryption schemes as part of the protocol Protects voter privacy Protects voter privacy Individual vote can not be decrypted without cooperation of t of l “authorities” Efficient, universally verifiable vote tallying Efficient, universally verifiable vote tallying Only sum of votes is decrypted Individuals can compute encrypted sum, verify proof of correct decryption of sum Implementations of threshold homomorphic encryption algorithms are not freely available

410/25/2006 Threshold Encryption Public key encryption as usual Distribute secret key “shares” among l participants Decryption can only be accomplished if a threshold number t of the l participants cooperate No information about m can be obtained with less than t participants cooperating No information about m can be obtained with less than t participants cooperating Proof of valid decryption is provided Proof of valid decryption is provided

510/25/2006 Paillier Encryption Trapdoor Discrete Logarithm Scheme c = g M r n mod n 2 c = g M r n mod n 2 n is an RSA modulus n is an RSA modulus g is an integer of order nα mod n 2 g is an integer of order nα mod n 2 r is a random number in Z n * r is a random number in Z n * M = L(c λ(n) mod n 2 )/L(g λ(n) mod n 2 ) mod n M = L(c λ(n) mod n 2 )/L(g λ(n) mod n 2 ) mod n L(u) = (u-1)/n, λ(n)=lcm((p-1)(q-1)) L(u) = (u-1)/n, λ(n)=lcm((p-1)(q-1)) Important Properties Homomorphic Homomorphic E(M 1 + M 2 ) = E(M 1 ) x E(M 2 ), E(k x M) = E(M) k E(M 1 + M 2 ) = E(M 1 ) x E(M 2 ), E(k x M) = E(M) k Self-blinding Self-blinding Re-encryption with a different r doesn’t change M

610/25/2006 Threshold Paillier Encryption Different public key and secret key generation algorithm Distribute key shares using RSA public key encryption Distribute key shares using RSA public key encryption Distribute secret key shares using Shamir Secret Sharing scheme Web Service will be an implementation of scheme proposed in “Sharing Decryption in the Context of Voting or Lotteries” Fouque, Poupard, and Stern 2000

710/25/2006 Use of Threshold Paillier Encryption in Secure Voting Ballot format: pick 1 out of c candidates Let N be number of voters, k such that N<2 k Let N be number of voters, k such that N<2 k Vote = 2 ck where c is the desired candidate number (0…c) Vote = 2 ck where c is the desired candidate number (0…c) All Paillier-encrypted votes could be publicly posted Votes include proof of validity (v lies in a given set of valid votes) Votes include proof of validity (v lies in a given set of valid votes) At end of election, all invalid votes are removed, all encrypted votes are then multiplied together to get encrypted sum (publicly verifiable) With cooperation of the required threshold number of “authorities”, the final product could be decrypted to reveal the vote total (sum of individual votes). A threshold number of authorities would not agree to decrypt a single particular vote, and thus the individual votes would remain private A threshold number of authorities would not agree to decrypt a single particular vote, and thus the individual votes would remain private All computations are publicly verifiable given the validity proofs that prove the decryption was done correctly All computations are publicly verifiable given the validity proofs that prove the decryption was done correctly

810/25/2006 Web Service Design Goals Platform Independent Use of web service Use of web service XML input/output Extensible Additional encryption algorithms could be added Additional encryption algorithms could be added Additional services could be offered Additional services could be offered Threshold signatures Verifiable Mix Net

910/25/2006 Implementation Tools Visual Studio 2005 VB.NET VB.NET Gnu Multiprecision Library (Gmp) Open source arbitrary precision numeric library Open source arbitrary precision numeric library Compiled under Visual Studio 2005 Compiled under Visual Studio 2005NGmp Open source VB.NET binding of gmp.dll Open source VB.NET binding of gmp.dll Enables calling of gmp library functions through VB.NET Enables calling of gmp library functions through VB.NET Compiled under Visual Studio 2005 Compiled under Visual Studio 2005

1010/25/2006 Threshold Paillier Encryption Web Service Key generation algorithm Key generation algorithm Input Input k – size of key k – size of key l – number of shares to generate l – number of shares to generate One RSA public key (of the designated participant) for each share One RSA public key (of the designated participant) for each share t – threshold parameter t – threshold parameter Output Output Public Key PK Public Key PK List SK 1, …, SK l of private key shares List SK 1, …, SK l of private key shares Encrypted with supplied RSA keys so only designated participant can recover the key share Encrypted with supplied RSA keys so only designated participant can recover the key share List of Verifier Keys VK, VK 1, …,VK l List of Verifier Keys VK, VK 1, …,VK l Used for proving validity of decryption Used for proving validity of decryption

1110/25/2006 Threshold Paillier Encryption Web Service Encryption Algorithm Input Input Public Key PK Public Key PK Random string r Random string r Cleartext M Cleartext M Output Output Ciphertext c Ciphertext c

1210/25/2006 Share Decryption Algorithm Input Input Ciphertext c Ciphertext c Private Key Share Sk i Private Key Share Sk i Encrypted with public key of webservice Encrypted with public key of webservice Output Output Decryption share c i Decryption share c i Validity proof p i Validity proof p i Threshold Paillier Encryption Web Service

1310/25/2006 Threshold Paillier Encryption Web Service Combining Algorithm Input Input Ciphertext c Ciphertext c List of decryption shares c 1,…,c l List of decryption shares c 1,…,c l List of verification keys VK, VK 1 …VK l List of verification keys VK, VK 1 …VK l List of validity proofs P 1,…P l List of validity proofs P 1,…P l Output Output M

1410/25/2006 Project Deliverables A working prototype of Paillier Threshold Encryption Web Service (PTEWS) A simple demo of applying PTEWS in online voting A master project report documenting the research findings and lessons learned

1510/25/2006 Tasks and Milestones Week 1: Proposal Briefing/Approval Week 2: WebService “skeleton” complete WebMethod stubs created, classes for passing parameters and return results complete WebMethod stubs created, classes for passing parameters and return results complete Week 3: Encryption algorithms implemented WebMethod stubs completely implemented with encryption and utility algorithms WebMethod stubs completely implemented with encryption and utility algorithms Week 4: Testing Interface complete Windows application for testing of Web Service Windows application for testing of Web Service Simple test of voting application Simple test of voting application Week 5: Final Report complete Week 1 ends Oct 30, Week 5 ends Nov 27

1610/25/2006 References “Sharing Decryption in the Context of Voting or Lotteries” P. Fouque, G. Poupard, and J. Stern, 2000 “Public Key Cryptosystems Based on Composite Degree Residuosity Classes” P. Paillier, 1999 “How to Share a Secret” A. Shamir, 1979 Big Number Libraries Gnu Multiprecision Library – Opensource C language library Gnu Multiprecision Library – Opensource C language library J# BigInteger – J# library available from Microsoft J# BigInteger – J# library available from Microsoft C# BigInteger – Opensource implementation of Java BigInteger C# BigInteger – Opensource implementation of Java BigInteger NGmp.NET Mono Multiprecision Library (gmp binding to.NET) Building Gmp with Visual Studio