
1/11/2007 bswilson/eVote-PTCWS 1 Paillier Threshold Cryptography Web Service by Brett Wilson.

Dec 19, 2015

Page 1: Paillier Threshold Cryptography Web Service

by Brett Wilson

Page 2: Outline of the Talk

- Introduction/Motivation
- Related Work
- Design of Paillier Threshold Cryptography Web Service (PTC Web Service)
- Implementation
- Performance
- Lessons Learnt
- Future Direction
- Conclusion

Page 3: Introduction/Motivation

- Secure electronic voting
  - Why?
    - 2000 Florida Presidential election
    - Increase participation/election visibility
  - Extensive research into developing technologies to allow secure electronic voting
- Current methods vulnerable
  - Diebold voting machine security
    - Princeton hacks
    - Kohno et al. software security analysis
- E-voting Requirements
  - Privacy/Anonymity, Completeness, Soundness, Un-reusability, Eligibility, Fairness
  - Robustness, Universal Verifiability, Receipt-Freeness, Incoercibility

Page 4: Introduction/Motivation

- Many of the new Secure Voting protocols use new encryption techniques
  - Mathematical algorithms presented in literature
  - Unable to identify/locate implementations of these algorithms
- UCCS effort to develop a secure e-voting application
  - Basic building blocks unavailable for a large number of published e-voting protocols

Page 5: Related Work

- Unable to locate other implementations
- Basis for Implementation
  - Sharing Decryption in the Context of Voting or Lotteries (Fouque, Poupard, Stern)
- Closely related research
  - A Generalization of Paillier’s Public Key Cryptosystem with Applications to Electronic Voting (Damgard, Jurik, Nielsen)
- Uses of Paillier Cryptography
  - Electronic Voting
  - Anonymous Mix Nets (due to self-blinding property)
  - Electronic Auctions
  - Electronic Lotteries

Page 6: Related Work

- Other Techniques Used In E-voting Protocols
  - Non-Interactive Zero Knowledge Proofs
    - Proof does not require interaction
    - Proof does not reveal any other information
    - Prove vote is valid without revealing content of vote
    - Prove two encryptions encrypt the same message without revealing message
  - Mix Nets
    - Anonymize votes
    - Permute and “blind” input so that output contains same information, but re-ordered and unrecognizable

Page 7: Cryptographic Techniques Implemented

- Paillier CryptoSystem
  - Trapdoor Discrete Logarithm Scheme
  - $c = g^M r^n \bmod n^2$
    - n is an RSA modulus (product of 2 safe primes)
      - Safe prime: p = 2q + 1 where q is also prime
    - g is an integer of order $n\alpha$ modulo $n^2$
    - r is a random number in $Z_n^*$
  - $M = \dfrac{L(c^{\lambda(n)} \bmod n^2)}{L(g^{\lambda(n)} \bmod n^2)} \bmod n$
    - $L(u) = (u-1)/n$, $\lambda(n) = \mathrm{lcm}(p-1, q-1)$
- Important Properties
  - Probabilistic (randomness of E(M))
  - Homomorphic
    - $E(M_1 + M_2) = E(M_1) \times E(M_2)$, $E(k \times M) = E(M)^k$
  - Self-blinding
    - $D(E(M)\, r^n \bmod n^2) = M$

Page 8: Cryptographic Techniques Implemented

- Threshold Encryption
  - Public key encryption as usual
  - Distribute secret key “shares” among i participants
  - Decryption can only be accomplished if a threshold number t of the i participants cooperate
  - No information about m can be obtained with less than t participants cooperating
- Shamir Secret Sharing
  - Lagrange Interpolation formula
  - $f(X) = \sum_{i=0}^{t} a_i X^i$
    - $a_0$ is secret, $a_i$ are random, f(X) are “secret shares”
    - X is share index (1 to number of servers)
  - If enough f(X) available it is possible to recover $a_0$

Page 9: Generic PTC Use

[Diagram. Components shown: Admin, PTC Web Service, Key Share Owner(s), External Users, PTC CSP. Numbered messages:]

1. Key Share Owners’ RSA Public Keys
2. SOAP/XML Request for PTC Parameters
3. SOAP/XML Response containing encrypted PTC Parameters
4. RSA Encrypted Secret Key Shares
5. Paillier Public Key
6. Cipher Text
7. Cipher Text
8. Partial Decryption Shares/Proofs of Correct Decryption
9. Clear Text

Page 10: Voting Application PTC Use

[Diagram. Components shown: Election Admin, PTC Web Service, Election Authorities, Voter, PTC CSP. Numbered messages:]

1. Election Authorities’ RSA Public Keys
2. SOAP/XML Request for PTC Parameters
3. SOAP/XML Response containing RSA encrypted PTC Parameters
4. RSA Encrypted Secret Key Shares
5. Paillier Public Key
6. Paillier-Encrypted Vote
7. Paillier Encrypted Vote Tally
8. Partial Decryption Shares of Vote Tally/Proofs of Correct Decryption
9. Vote Tally

Phases:

- Election Setup – Admin creates election/ballots and requests election parameters
- Voters Vote
- Admin computes encrypted vote product (tally)
- Authorities Partially Decrypt Vote Tally
- Admin combines partial decryptions to recover tally

Page 11: Paillier Threshold Cryptography Web Service (PTC Web Service)

- Provides for generation of Paillier Threshold Cryptography parameters
  - Public Key
  - Private Key Shares
    - Can be encrypted with provided public keys
  - Verification Keys
    - Used to verify correct “decryption shares”
- Removes trusted dealer from system participants
  - No interaction between authorities required in this scheme
  - Other methods exist for interactive generation of private key shares that also remove trusted dealer
    - Interaction required

Page 12: PTC Web Service Architecture

- One Web Method
  - GeneratePaillierThresholdParameters
    - 1 Input Parameter
      - ThresholdParameterRequest XML serialization
        - Keysize
        - Number of Secret Key Shares
        - System Decryption Threshold
        - List of Key Share Owners
          - May include public keys of Key Share Owners
    - Returns PaillierThresholdParameters XML
      - Public Key
      - Secret Key Shares
      - Verification Key Shares
        - Used by admin to verify decryption shares

Page 13: PTC Web Service Implementation

- PaillierThresholdCryptoServiceProvider
  - Implements Microsoft’s .NET interface for asymmetric algorithms
    - ICSPAsymmetricAlgorithm
    - Not fully implemented – threshold systems are different
  - Provides all basic functionality
    - Generation of system parameters
    - Encryption using public key
    - Partial decryption using secret key share
      - Generates proof of correct decryption
    - Combining of decryption shares into original cleartext
      - Validates provided proofs of decryption
- PTC Utilities
  - Conversion between byte arrays, NGmp IntMP, and ASCII strings
  - Random number generation (within $Z_n^*$)
  - Safe prime generation
    - Random prime generation – check for “safeness”

Page 14: PTC Web Service Implementation (cont’d)

- ThresholdCryptographyService
  - Web Service Application
  - Microsoft Internet Information Services
  - ASP.NET 2.0

Page 15: Implementation Problems/Solutions

- Large Safe Prime Generation
  - Key Size above 256 bits takes an unacceptable amount of time (512 bits - 39.85 sec)
  - Fast algorithm does not exist
  - Implemented one option for efficiency increase
  - Long Term Solution
    - Generate long list of safe primes off line
    - Extract from list when needed
    - Must protect list
- Shamir Secret Sharing
  - Index of each key share must be persisted
    - Indexes required to re-assemble the polynomial and thus the secret
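The "random prime generation, check for safeness" approach named on the implementation slides, as an added Python sketch (not the project's VB.NET/GMP code). Candidates q are pre-filtered by trial division of both q and 2q + 1 before Miller-Rabin runs, and the returned try count shows why generation time varies so much from request to request. The function names and the small-prime list are assumptions.

```python
import secrets

# Constructed list of small odd primes used for cheap trial division.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in [2] + SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2      # witness in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                      # a proves n composite
    return True

def passes_combined_sieve(q):
    """Reject q early if q or 2q + 1 has a small prime factor."""
    return all(q % sp != 0 and (2 * q + 1) % sp != 0 for sp in SMALL_PRIMES)

def generate_safe_prime(bits):
    """Return (p, tries): p = 2q + 1 with p and q prime, p of `bits` bits (bits >= 16)."""
    tries = 0
    while True:
        tries += 1
        # Random odd q with its top bit set, so that p has exactly `bits` bits.
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if not passes_combined_sieve(q):
            continue
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, tries
```

The try count grows roughly with the square of the bit length, which is why the slides move safe-prime generation off line and treat the resulting list as key material to be protected.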

Page 16: Performance Evaluation

- Scalability not high priority in current scheme
  - Web service only accessed once during cryptosystem parameter creation
- WebPartner Test and Performance Center
  - Request for 256 bit key, 5 keyshares, threshold = 3
    - Up to 100 simultaneous requests successful
    - Random busy errors
      - Due to random nature of safe prime generation

Page 17: Demo: E-Voting Application

- Election Administrator
  - Creates election and ballot issues
  - Submits request for election PTC parameters to PTC Web Service
    - Includes public keys of key share owners
  - Receives public key, encrypted private key shares, verifier keys
    - Makes public key available to voters
    - Distributes encrypted key shares to key share owners
    - Makes verifier keys publicly available
  - At conclusion of election, multiplies all Paillier-encrypted votes together and distributes to key share owners
  - Receives decryption shares/proofs from key share owners
    - Verifies proofs
    - Combines decryption shares to reveal vote tally if enough valid proofs
- Voter
  - Receives ballot issues/choices from administrator
  - Uses election public key to encrypt vote
- Key Share Owners
  - Receive encrypted secret key shares from administrator
  - Receive encrypted vote tally from administrator
    - Partially decrypt vote tally using secret key share
    - Generate proof of correct decryption

Page 18: Implementation Tools

- Visual Studio 2005
  - VB.NET
- Gnu Multiprecision Library (Gmp)
  - Open source arbitrary precision numeric library
  - Compiled under Visual Studio 2005
- NGmp
  - Open source VB.NET binding of gmp.dll
  - Enables calling of gmp library functions through VB.NET
  - Compiled under Visual Studio 2005

Page 19: Future Directions

- PTC Web Service
  - Authenticity of PTC Parameters not currently guaranteed
    - Implement signing of PTC Parameters by Web Service
    - Insert UID field in web service signature to uniquely identify PTC Parameters
  - Extend Web Service to provide other threshold encryption parameters
    - RSA threshold signatures
- E-Voting Application Support
  - Implement voter identity verification
  - Develop non-interactive proof of vote validity
    - Encrypted vote is one of a set of valid votes
  - Authenticity of election parameters/ballots not currently guaranteed
    - Implement signing of election parameters/ballots by admin

Page 20: Conclusion

- Implemented a web service and underlying cryptographic algorithms in VB.NET that provides Paillier Threshold Cryptographic services for supporting e-voting and other applications
- A demonstration e-voting application was completed using Microsoft Visual Studio 2005

Page 21: References

[1] P. Paillier, Public-Key Cryptosystems Based on Composite Degree Residuosity Classes, Eurocrypt ‘99
[2] P. Fouque, G. Poupard, J. Stern, Sharing Decryption in the Context of Voting or Lotteries, Financial Cryptography 2000 Proceedings
[3] I. Damgard, M. Jurik, J. Nielsen, A Generalization of Paillier’s Public-Key System with Applications to Electronic Voting, Aarhus University, Dept. of Computer Science
[4] A. Shamir, How to Share a Secret, Communications of the ACM 1979
[5] A.J. Menezes, P. C. van Oorschot, and S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1997
[6] D. Naccache, Double-Speed Safe Prime Generation, Gemplus Card International
[7] M. Wiener, Safe Prime Generation with a Combined Sieve, Cryptographic Clarity

Page 22: Backup Slides

Page 23: Other Project Documents

- Paillier Threshold Cryptography Web Service and Evote Demonstration Quick Set-up
  - Information on installation/setup of VS2005 solution for developing/testing PTC Web Service and Evote Demonstration
- Paillier Threshold Cryptography Web Service User’s Guide
  - Detailed Information on installing/using the PTC Web Service

Page 24: Use of WebService in Secure Voting

- Ballot format: pick 1 out of c candidates
  - Vote = $2^{c \cdot \log_2 v}$ where c is the desired candidate number (0…c) and v is the next power of 2 greater than the maximum number of voters
- All Paillier-encrypted votes could be publicly posted
- At end of election, all encrypted votes could be multiplied together (publicly verifiable)
- With cooperation of the required threshold number of “authorities”, the final product could be decrypted to reveal the vote total (sum of individual votes).
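An added end-to-end example in Python (not the project's VB.NET code) tying together the Paillier, threshold-encryption and ballot-format slides: votes are encoded as 2^(c·log2 v), encrypted, multiplied together, and the product is decrypted by 3 of 5 key share owners. It uses g = n + 1 and the share-combining construction from the Damgard-Jurik-Nielsen generalization listed in the references, and it omits the proofs of correct decryption; the toy primes and all function names are assumptions.

```python
import math
import secrets

# Constructed toy key (assumption, far too small for real use):
# safe primes p = 2p' + 1 and q = 2q' + 1, n = pq, m = p'q'.
P, Q = 1019, 1187
N = P * Q
N2 = N * N
M_SUB = ((P - 1) // 2) * ((Q - 1) // 2)

def encrypt(msg):
    """c = g^M * r^n mod n^2 with g = n + 1 and random r in Z_n^*."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return pow(N + 1, msg, N2) * pow(r, N, N2) % N2

def deal_shares(owners, threshold):
    """Shamir-share d (d = 0 mod m, d = 1 mod n); returns {index: share}."""
    d = M_SUB * pow(M_SUB, -1, N)
    # Degree threshold-1 polynomial: any `threshold` shares determine d.
    coeffs = [d] + [secrets.randbelow(N * M_SUB) for _ in range(threshold - 1)]
    return {x: sum(a * x ** k for k, a in enumerate(coeffs)) % (N * M_SUB)
            for x in range(1, owners + 1)}

def partial_decrypt(c, share, owners):
    """Decryption share c_i = c^(2 * Delta * s_i) mod n^2, Delta = owners!."""
    return pow(c, 2 * math.factorial(owners) * share, N2)

def combine(partials, owners):
    """Recover the plaintext from {index: c_i} (needs >= threshold entries)."""
    delta = math.factorial(owners)
    acc = 1
    for i, c_i in partials.items():
        num, den = delta, 1
        for j in partials:              # Lagrange coefficient at X = 0
            if j != i:
                num, den = num * -j, den * (i - j)
        acc = acc * pow(c_i, 2 * (num // den), N2) % N2   # division is exact
    # acc = (1 + n)^(4 * Delta^2 * msg), so L(acc) = 4 * Delta^2 * msg mod n
    return (acc - 1) // N * pow(4 * delta * delta, -1, N) % N

def encode_vote(candidate, max_voters):
    """Ballot 2^(c * log2 v), v = next power of 2 above max_voters."""
    return 1 << (candidate * max_voters.bit_length())

def decode_tally(total, candidates, max_voters):
    """Split the decrypted sum into one counter per candidate."""
    bits = max_voters.bit_length()
    return [(total >> (c * bits)) & ((1 << bits) - 1) for c in range(candidates)]

def run_election(votes, candidates=3, max_voters=7, owners=5, threshold=3,
                 cooperating=(1, 3, 5)):
    """Constructed run: deal shares, vote, multiply, partially decrypt, combine."""
    shares = deal_shares(owners, threshold)
    product = 1
    for choice in votes:                # admin multiplies the encrypted votes
        product = product * encrypt(encode_vote(choice, max_voters)) % N2
    partials = {i: partial_decrypt(product, shares[i], owners) for i in cooperating}
    return decode_tally(combine(partials, owners), candidates, max_voters)
```

The share indexes are the dictionary keys passed to `combine`, which is the reason the slides require each key share's index to be persisted: the Lagrange coefficients cannot be computed without them.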