BRICSRS-00-45Damgard&Jurik:GeneralisationandApplicationsofPaillier'sPr - PDF document

BRICSRS-00-45Damgard&Jurik:GeneralisationandApplicationsofPaillier'sProbabilisticPublic-KeySystem BRICS BasicResearchinComputerScienceAGeneralisation,aSimplicationandsomeApplicationsofPaillier'sProbabilisticPublic-KeySystemIvanB.DamgMadsJ.JurikBRICSReportSeriesRS-00-45 ISSN0909-0878December2000 2000,IvanB.Damgard&MadsJ.Jurik.BRICS,DepartmentofComputerScienceUniversityofAarhus.Allrightsreserved.Reproductionofallorpartofthisworkispermittedforeducationalorresearchuseonconditionthatthiscopyrightnoticeisincludedinanycopy.SeebackinnerpageforalistofrecentBRICSReportSeriespublications.Copiesmaybeobtainedbycontacting:BRICSDepartmentofComputerScienceUniversityofAarhusNyMunkegade,building540DK–8000AarhusCTelephone:+4589423360Telefax:+4589423255Internet:BRICS@brics.dkBRICSpublicationsareingeneralaccessiblethroughtheWorldWideWebandanonymousFTPthroughtheseURLs:Thisdocumentinsubdirectory AGeneralisation,aSimplicationandsomeApplicationsofPaillier'sProbabilisticPublic-KeySystemIvanDamgardandMadsJurikUniversityofAarhus,BRICSAbstract.WeproposeageneralisationofPaillier'sprobabilisticpublickeysystem,inwhichtheexpansionfactorisreducedandwhichallowstoadjusttheblocklengthoftheschemeevenafterthepublickeyhasbeenxed,withoutloosingthehomomorphicproperty.WeshowthatthegeneralisationisassecureasPaillier'soriginalsystem.Weconstructathresholdvariantofthegeneralisedschemeaswellaszero-knowledgeprotocolstoshowthatagivenciphertextencryptsoneofasetofgivenplaintexts,andprotocolstoverifymultiplicativerelationsonplaintexts.Wethenshowhowthesebuildingblockscanbeusedforapplyingtheschemetoecientelectronicvoting.Thisreducesdramaticallytheworkneededtocomputethenalresultofanelection,comparedtotheprevi-ouslybestknownschemes.Weshowhowthebasicschemeforayes/novotecanbeeasilyadaptedtocastingavoteforuptooutofcan-didates.Thesamebasicbuildingblockscanalsobeadaptedtopro-videreceipt-freeelections,underappropriatephysicalassumptions.Theschemefor1outofelectionscanbeoptimisedsuchthatforacertainrangeofparametervalues,aballothassizeonly(log)bits.1IntroductionIn[9],Paillierproposesanewprobabilisticencryptionschemebasedoncompu-tationsinthegroup,whereisanRSAmodulus.Thisschemehassomeveryattractiveproperties,inthatitishomomorphic,allowsencryptionofmanybitsinoneoperationwithaconstantexpansionfactor,andallowsecientde-cryption.InthispaperweproposeageneralisationofPaillier'sschemeusingcomputationsmodulo,forany1.Wealsoshowthatthesystemcanbesimplied(withoutdegradingsecurity)suchthatthepublickeycanconsistofonlythemodulus.Thisallowsinstantiatingthesystemsuchthattheblocklengthfortheencryptioncanbechosenfreelyforeachencryption,independentlyofthesizeofthepublickey,andwithoutloosingthehomomorphicproperty.Thegeneralisationalsoallowsreducingtheexpansionfactorfrom2forPaillier'sorig-inalsystemtoalmost1.WeprovethatthegeneralisationisassecureasPaillier'soriginalscheme. BasicResearchinComputerScience,CentreoftheDanishNationalResearchFoundation. Weproposeathresholdvariantofthegeneralisedsystem,allowinganumberofserverstoshareknowledgeofthesecretkey,suchthatanylargeenoughsubsetofthemcandecryptaciphertext,whilesmallersubsetshavenousefulinformation.Weproveintherandomoraclemodelthattheschemeisassecureasastandardcentralisedimplementation.Wealsoproposeazero-knowledgeproofofknowledgeallowingaprovertoshowthatagivenciphertextencodesagivenplaintext.Fromthiswederiveothertools,suchasaprotocolshowingthataciphertextencodesoneoutofanumberofgivenplaintexts.Finally,weproposeaprotocolthatallowsverica-tionofmultiplicativerelationsamongencryptedvalueswithoutrevealingextrainformation.Welookatapplicationsofthistoelectronicvotingschemes.Alargenumberofsuchschemesisknown,butthemostecientone,atleastintermsoftheworkneededfromvoters,isbyCramer,GennaroandSchoenmakers[4].Thisprotocolprovidesinfactageneralframeworkthatallowsusageofanyproba-bilisticencryptionschemeforencryptionofvotes,iftheencryptionschemehasasetof"nice"properties,inparticularitmustbehomomorphic.Thebasicideaofthisisstraightforward:eachvoterbroadcastsanencryptionofhisvote(bysendingittoabulletinboard)togetherwithaproofthatthevoteisvalid.Allthevalidvotesarethencombinedtoproduceanencryptionoftheresult,usingthehomomorphicpropertyoftheencryptionscheme.Finally,asetoftrustees(whosharethesecretkeyoftheschemeinathresholdfashion)candecryptandpublishtheresult.Paillierpointedoutalreadyin[9]thatsincehisencryptionschemeishomo-morphic,itmaybeapplicabletoelectronicvoting.Inordertoapplyitintheframeworkof[4],however,someimportantbuildingblocksaremissing:oneneedsanecientproofofvalidityofavote,andalsoanecientthresholdvariantofthescheme,sothattheresultcanbedecryptedwithoutallowingasingleentitythepossibilityoflearninghowsinglevotersvoted.Thesebuildingblocksarepreciselywhatweprovidehere.Thusweimmedi-atelygetavotingprotocol.Inthisprotocol,theworkneededfromthevotersisofthesameorderasintheoriginalversionof[4].However,theworkneededtoproducetheresultisreduceddramatically,aswenowexplain.WiththeElGamalencryptionusedin[4],thedecryptionprocessafterayes/noelectionpro-mod,whereisprime,isageneratorandisthedesiredresult.Thusoneneedstosolveadiscretelogprobleminordertondtheresult.Sinceisboundedbythenumberofvoters,thisisfeasibleformoderatesizeButitrequires )exponentiations,andmaycertainlybesomethingonewantstoavoidforlargescaleelections.Theproblembecomesworse,ifwecon-sideranelectionwherewechoosebetweencandidates,2.Themethodgivenforthisin[4]isexponentialininthatitrequirestime ),andsoisprohibitivelyexpensiveforelectionswithlargeIntheschemeweproposebelow,thisworkcanberemovedcompletely.Ourdecryptionprocessproducesthedesiredresultdirectly.Wealsogivewaystoimplementecientlyconstraintsonvotingthatoccurinrealelections,suchas allowingtovoteforpreciselyoutofthecandidates,ortovoteforuptothem.Ineachoftheseschemes,thesizeofasingleballotis),whereisthebitlengthofthemodulusused.Weproposeavariantusingadierenttechniquewhereballotshavesizek;Lloglog).Thusforlog,thisismuchmoreecient,andevenoptimaluptoaconstantfactor,sincewithlessthanlogbitsonecannotdistinguishbetweenthecandidates.Furthermorethisschemerequiresonly1decryptionoperation,evenwhen2RelatedWorkInworkindependentfrom,butearlierthanours,Fouque,PoupardandStern[6]proposedtherstthresholdversionofPaillier'soriginalscheme.Likeourthresholdscheme,[6]usesanadaptationofShoup'sthresholdRSAscheme[10],butbeyondthisthetechniquesaresomewhatdierent,inparticularbecauseweconstructathresholdversionforourgeneralisedcryptosystem(andnotonlyPaillier'soriginalscheme).In[6]votingwasalsopointedoutasapotentialapplication,however,nosuggestionwasmadethereforprotocolstoprovethatanencryptedvoteiscorrectlyformed,somethingthatisofcoursenecessaryforasecureelectioninpractice.Inworkdoneconcurrentlywithandindependentfromours,Baudron,Fou-que,Pointcheval,PoupardandStern[1]proposeavotingschemesomewhatsimilartoours.Theirworkcanbeseenasbeingcomplementarytooursinthesensethattheirproposalismoreorientedtowardsthesystemarchitecturalaspectsofalargescaleelection,andlesstowardsoptimisationofthebuildingblocks.Tocomparetotheirscheme,werstnotethattherethemoduluslengthmustbechosensuchthat�kLlog.Theschemeproducesballotsofsize).Anestimatewithexplicitconstantsisgivenin[1]inwhichthedominatingterminournotationis9BecauseourvotingschemeusesthegeneralisedPailliercryptosystem,bechosenfreely,andthevotingschemecanstillaccommodateanyvaluesofL;M.Ifwechooseasin[1],i.e.�kLlog,thentheballotsweproducehavelog).Workingouttheconcreteconstantsinvolved,onendsthatourcomplexityisdominatedbytheterm11log.Soforlargescaleelectionswehavegainedasignicantfactorincomplexitycomparedto[1].In[8],HirtandSakoproposeageneralmethodforbuildingreceipt-freeelec-tionschemes,i.e.protocolswherevote-buyingor-coercingisnotpossiblebecausevoterscannotprovetoothershowtheyvoted.Theirmethodcanbeappliedtomakeareceipt-freeversionoftheschemefrom[4].Itcanalsobeappliedtoourscheme,withthesameeciencygainasinthenon-receiptfreecase. Allcomplexitiesgivenhereassumethatthelengthofchallengesforthezero-knowledgeproofsisatmost.Also,strictlyspeaking,thiscomplexityonlyholdsif,however,since1000isneededforsecurityanyway,thiswillalwaysbesatisedinpractice 3AGeneralisationofPaillier'sProbabilisticEncryptionSchemeThepublic-keycrypto-systemwedescribehereusescomputationsmodulowhereisanRSAmodulusandisanaturalnumber.ItcontainsPaillier'sscheme[9]asaspecialcasebysetting=1.Westartfromtheobservationthatifp;qoddprimes,thenasamultiplicativegroupisadirectproduct,whereiscyclicoforderandisisomorphicto,whichfollowsdirectlyfromelementarynumbertheory.Thus,thefactorgroupisalsocyclicoforder.Foranarbitraryelement,weletdenotetheelementrepresentedbyinthefactorgroupLemma1.Foranys;q,theelementhasorderProof.Considertheinteger(1+.Thisnumberis1moduloforsomeifandonlyifis0modulo.Clearly,thisisthecaseif,soitfollowsthattheorderof1+isadivisorin,i.e.,itisanumberofform,where;.Set,andconsideraterminthesum.Weclaimthateachsuchtermisdivisibleby:thisistrivialif&#xp277;js,andfor,itfollowsbecause!canthennothaveasprimefactors,andsomustdivide.Nowassumeforcontradictionthat.Withoutlossofgenerality,wecanassumethatthismeans.Weknowthat.Dividingbothnumbersbyweseethatmustdividethenumber.However,therstterminthissumafterdivisionbyis1,andalltherestaredivisibleby,sothenumberisinfact1modulo,andwehaveacontradiction.Sincetheorderofisrelativelyprimetothisimpliesimmediatelythattheelement :=(1+isageneratorof,exceptpossiblyforp;q.Sothecosetsof(1+(1+H;:::;(1+whichleadstoanaturalnumberingofthesecosets.Thenaltechnicalobservationweneedisthatitiseasytocomputefrom(1+mod.Wenowshowhowtodothis.Ifwedenethefunction)=(thenclearlywehave((1+mod)=()modWenowdescribeanalgorithmforcomputingfromthisnumber.Thegeneralideaofthealgorithmistoextractthevaluepartbypart,sothatwerstextractmod,thenmodandsoforth.Itiseasytoextract((1+modmod.Nowwecanextracttherestby thefollowinginductionstep:Inthe'thstepweknow.Thismeansthatforsome0kn.Ifweusethisin((1+mod)=()modWecannoticethateachtermfor⤀jt⤀0satisesthatmod.Thisisbecausethecontributionsfromvanishmoduloaftermultiplicationby.Thismeansthatweget:((1+mod)=()modThenwejustrewritethattogetwhatwewanted((1+mod)mod((1+mod)modThisequationleadstothefollowingalgorithm::=0; j:=1 s begin mod k:=2 j begin mod mod it1; Wearenowreadytodescribeourcryptosystem.Infact,foreachnaturalnumber,wecanbuildacryptosystem,asfollows: KeyGenerationOninputthesecurityparameter,chooseanRSAmodulusoflength.Alsochooseanelementsuchthat=(1+modforaknownrelativelyprimetoandThiscanbedone,e.g.,bychoosingj;xatrandomrstandcomputingsomealternativesaredescribedlater.Letbetheleastcommonmultiple1and1.BytheChineseRemainderTheorem,choosesuchthatmodand=0mod.Anysuchchoiceofwillworkinthefollowing.InPaillier'soriginalschemewasused,whichisthesmallestpossiblevalue.However,whenmakingathresholdvariant,otherchoicesarebetter-weexpandonthisinthefollowingsection.Nowthepublickeyisn;gwhilethesecretkeyisencryptionTheplaintextsetis.Givenaplaintext,choosearandom,andlettheciphertextbei;rmoddecryptionGivenaciphertext,rstcomputemod.Clearly,ifv;r),weget=((1+=(1+jidmodmod=(1+jidmodNowapplytheabovealgorithmtocomputejidmod.Applyingthesamemethodwithreplacedbyclearlyproducesthevaluemod,sothiscaneitherbecomputedonthe yorbesavedaspartofthesecretkey.Inanycaseweobtainthecleartextby(jidmodClearly,thissystemisadditivelyhomomorphicover,thatis,theproductofencryptionsofmessagesi;iisanencryptionofmodThesecurityofthesystemisbasedonthefollowingassumption,introducedbyPaillierin[9]thedecisionalcompositeresiduosityassumptionConjecture1.beanyprobabilisticpolynomialtimealgorithm,andassumegetsn;xasinput.Herehasbits,andischosenasdescribedabove,andiseitherrandominoritisarandom'thpowerin(thatis,arandomelementinthesubgroupdenedearlier).outputsabit.LetA;k)betheprobabilitythat=1ifisrandominandA;k)theprobabilitythat=1ifisarandom'thpower.ThenA;kA;kisnegligibleHere,\negligiblein"asusualmeanssmallerthan1)foranypolynomial()andalllargeenoughWenowdiscussthesemanticsecurityof.Thereareseveralequivalentformulationsofsemanticsecurity.Wewillusethefollowing:Denition1.Anadversaryagainstapublic-keycryptosystemgetsthepub-lickeygeneratedfromsecuityparameterasinputandoutputsames-sage.Thenisgivenanencryptionunderofeitheroramessage strictlyspeaking,wealsoneedthatsp;q,butthisisinsignicantsinceisaconstant chosenuniformlyinthemessagespace,andoutputsabit.LetA;k,re-spectivelyA;kbetheprobabilitythatoutputs1whengivenanencryp-tionof,respectivelyarandomencryption.DenetheadvantagetobeA;kA;kA;k.ThecryptosystemissemanticallysecureifforanyprobabilisticpolynomialtimeadversaryA;kisnegligibleinIn[9],Pailliershowedthatsemanticsecurityofhiscryptosystem(whichisthesameasour)isequivalenttoDCRA.Thisequivalenceholdsforanychoiceof,andfollowseasilyfromthefactthatgivenaciphertextthatiseitherrandomorencryptsamessagemodiseitherrandominarandom'thpower.Inparticularonemaychoose+1alwayswithoutdegradingsecurity.Wedothisinthefollowingforsimplicity,sothatapublickeyconsistsonlyofthemodulus.WenowshowthatinfactsecurityofequivalenttoDCRA:Theorem1.Forany,thecryptosystemissemanticallysecureifandonlyiftheDCRAassumptionistrue.Proof.Fromaciphertextin,onecanobtainaciphertextinbyreducingmodulo,thisimplicitlyreducesthemessagemodulo.ItisthereforeclearthatifDCRAfails,thencannotbesecureforany.Fortheconverse,weshowbyinductiononthatsecurityoffollowsfromDCRA.For=1,thisisexact.lyPaillier'sresult.Sotakeany1andassumethatforanyissecure.Themessagespaceof.Thusanymessagecanbewrittenin-adicnotationasan-tuple(;:::;m),whereeachand.Let;:::;m)bethedistributionobtainedbyencryptingthemessage(;:::;m)underpublickey.Ifoneormoreofthearereplaced's,thismeansthatthecorrespondingpositioninthemessageischosenuniformlyinbeforeencrypting.Now,assumeforcontradictionthatisinsecure,thusthereisanadversary,suchthatforinnitelymanyA;k)forsomepolynomialTakesucha.Withoutlossofgenerality,assumewehaveA;kA;k).Supposewemakeapublickeyfromsecurityparameter,showittogetamessage(;:::;m)fromandshowasampleof;:::;mA;k)betheprobabilitythatnowoutputs1.Ofcourse,wemusthaveA;kA;k A;kA;k forinnitelymanyIntherstcasein(),wecanmakeasuccessfuladversaryagainst,asfollows:wegetthepublickey,showitto,get(;:::;m),andreturnoutput.Wewillgetaciphertextthateitherencrypts,orisarandomciphertext,i.e.,arandomelementfrom.Ifweconsiderasanelementin,weknowitisanencryptionofsomeplaintext,whichmusthaveeither orarandomelementinitsleastsignicantposition.Hencemodanencryptionof(;:::;0)or(;:::;0).Wethenmakearandomencryptionof(0;:::;m),givemodandreturnthebitoutputs.Now,if,wehaveshowntoasampleof;:::;m),andotherwiseasampleof;:::;m).Sobyassumptionon,thisbreakswithanadvantageof1),andsocontradictstheinductionassumption.Inthesecondcaseof(),wecanmakeanadversaryagainst,asfol-lows:wegetthepublickey,showitto,andgetamessage(;:::;m).Weoutput(;:::;m)andgetbackaciphertextthatencryptsin;:::;m)orsomethingrandom.Ifweconsiderasanumbermoduloweknowthatthecorrespondingplaintextinhaseither(;:::;m)orrandomelementsintheleastsignicant1positions-andsomethingun-knowninthetopposition.Wemakearandomencryptionof(;:::;0),showmodandreturnthebitoutputs.Ifencrypted(;:::;mwehaveshownasamplefrom;::::;m),andotherwiseasamplefrom;:::;).Sobyasumptionon,thisbreakswithanadvantageof1)andagaincontradictstheinductionassumption.3.1AdjustingtheBlocklengthTofacilitatecomparisonwithPaillier'soriginalsystem,wehavekepttheabovesystemdescriptionascloseaspossibletothatofPaillier.Inparticular,thedescriptionallowschoosinginavarietyofways.However,asmentioned,wemaychoose+1alwayswithoutloosingsecurity,andthepublickeymaythenconsistonlyofthemodulus.Thismeansthatwecanletthereceiverdecideonwhenheencryptsamessage.Moreconcretely,thesystemwillworkasfollows:KeyGenerationChooseanRSAmodulus.Nowthepublickeyiswhilethesecretkeyis,theleastcommonmultipleof(1)and(1).encryptionGivenaplaintext,choosearandom,andlettheciphertextbei;r)=(1+moddecryptionGivenaciphertext,rstcompute,bytheChineseRemainderTheorem,suchthat=1modand=0mod(notethatthelengthoftheciphertextallowstodecideontherightvalueof,exceptwithnegligibleprobability).Thencomputemod.Clearly,ifi;r),weget=((1+=(1+modmod=(1+modNowapplytheabovealgorithmtocomputemod4SomeBuildingBlocks4.1AThresholdVariantoftheSchemeWhatweareafterinthissectionisawaytodistributethesecretkeytoasetofservers,suchthatanysubsetofatleastofthemcandodecryptioneciently, whilelessthanhavenousefulinformation.Ofcoursethismustbedonewithoutdegradingthesecurityofthesystem.In[10],ShoupproposesanecientthresholdvariantofRSAsignatures.ThemainpartofthisisaprotocolthatallowsasetofserverstocollectivelyandecientlyraiseaninputnumbertoasecretexponentmoduloanRSAmodulus.Alittlemoreprecisely:oninput,eachserverreturnsashareoftheresult,togetherwithaproofofcorrectness.Givensucientlymanycorrectshares,thesecanbeecientlycombinedtocomputemod,whereisthesecretexponent.Asweexplainbelowitisquitesimpletotransplantthismethodtoourcase,thusallowingtheserverstoraiseaninputnumbertooursecretexponentmodulo.Sowecansolveourproblembyrstlettingtheservershelpuscomputei;rmod.Thenifweuse+1andchoosesuchthat=1modand=0mod,theremainingpartofthedecryptioniseasytodowithoutknowledgeofWewarnthereaderthatthisisonlysecurefortheparticularchoiceofhavemade,forinstance,ifwehadusedPaillier'soriginalchoice,thenseeingthevaluei;rmodwouldallowanadversarytocomputeandbreakthesystemcompletely.However,inourcase,theexponentiationresultcansafelybemadepublic,sinceitcontainsnotraceofthesecretAmoreconcretedescription:Comparedto[10]westillhaveasecretexponent,butthereisnopublicexponent,sowewillhavetodosomethingsslightlydierently.Wewillassumethattherearedecryptionservers,andaminimumkn=2oftheseareneededtomakeacorrectdecryption.KeygenerationKeygenerationstartsoutasin[10]:wend2primesand,thatsatises+1and+1,whereandareprimesanddierentfromand.Wesetand.Wedecideonsome0,thustheplaintextspacewillbe.Wepicktosatisfy=0modand=1mod.Nowwemakethepolynomialmod,bypicking(for0asrandomvaluesfromand.Thesecretshareofthei'thauthoritywillbe)for1andthepublickeywillbe.Forvericationoftheactionsofthedecryptionservers,weneedthefollowingxedpublicvalues:,generatingthecyclicgroupofsquaresinandforeachdecryptionserveravericationkeymod,whereEncryptionToencryptamessage,arandomispickedandtheciphertextiscomputedasmodSharedecryptionThei'thauthoritywillcompute,whereistheciphertext.Alongwiththiswillbeazero-knowledgeproofthatloglog),whichwillconvinceus,thathehasindeedraisedtohissecretexponent Anoninteractivezero-knowledgeproofforthisusingtheFiat-Shamirheuristiciseasytoderivefromthecorrespondingonein[10] SharecombiningIfwehavetherequired(ormore)numberofshareswithacorrectproof,wecancombinethemintotheresultbytakingasubsetSofsharesandcombinethemtomodwhere Thevalueofwillhavetheform.Notingthat40modand4mod,wecanconcludethat=(1+mod,whereisthedesiredplaintext,sothismeanswecancomputebyap-plyingthealgorithmfromSection3andmultiplyingtheresultby(4modComparedtotheschemeproposedin[6],therearesometechnicaldierences,apartfromthefactthat[6]onlyworksfortheoriginalPaillierversionmodulo:in[6],anextrarandomvaluerelatedtothepublicelementispartofthepublickeyandisusedintheSharecombiningalgorithm.Thisisavoidedinourschemebythewaywechoose,andthuswegetaslightlyshorterpublickeyandaslightlysimplerdecryptionalgorithm.Thesystemasdescribedrequiresatrustedpartytosetupthekeys.Thismaybeacceptableasthisisaonceandforalloperation,andthetrustedpartycandeleteallsecretinformationassoonasthekeyshavebeendistributed.However,usingmulti-partycomputationtechniquesitisalsopossibletodothekeygenerationwithoutatrustedparty.Notethatthekeygenerationphaserequiresthatavalueoftheparameterisxed.Thismeansthatthesystemwillbeabletohandlemessagesencryptedmodulo,forany,simplybecausetheexponentsatises1mod,forany.Butitwillnotworkif.Ifacompletelygeneraldecryptionprocedureisneeded,thiscanbedoneaswell:Ifweassumethatsecret-sharedinthekeyset-upphase,theserverscancomputeasuitablerunningasecureprotocolthatrstinvertsmodulotogetsomeasresult,andthencomputestheproduct(overtheintegers).Thisdoesnotrequiregenericmulti-partycomputationtechniques,butcanbedonequiteecientlyusingtechniquesfrom[5].Notethat,whilethisdoesrequirecommunicationbetweenservers,itisnotneededforeverydecryption,butonlyonceforeveryvalueofthatisused.Wecannowshowintherandomoraclemodelthatthisthresholdversionisassecureasacentralisedschemewhereonetrustedplayerdoesthedecryptioninparticularthethresholdversionissecurerelativetothesamecomplexityassumptionasthebasicscheme.Thiscanbedoneinamodelwhereastaticadversarycorruptsupto1playersfromthestart.Concretely,wehave:Theorem2.Assumetherandomoraclemodelandastaticadversarythatcor-ruptsuptoplayersfromthebeginning.Thenwehave:Givenanycipher- Infacttherandomoraclewillbeneededonlytoensurethatthenon-interactiveproofsofcorrectnessofshareswillwork.Doingtheseproofsinteractivelyinsteadwouldallowustodispensewiththerandomoracle text,thedecryptionprotocoloutputsthecorrectplaintext,exceptwithnegligibleprobability.Givenanoraclethatoninputaciphertextreturnsthecorrespond-ingplaintext,theadversary'sviewofthedecryptionprotocolcanbeecientlysimulatedwithastatisticallyindistinguishabledistribution.Thefullproofwillbeincludedinthenalversionofthispaper.Hereweonlygivethebasicideas:correctnessoftheschemeisimmediateassumingthattheadversarycancontributebadvaluesforthe'swithonlynegligibleprobability.This,inturn,isensuredbysoundnessofthezero-knowledgeproofsgivenforeachForthesimulation,westartfromthepublickey.Thenwecansimulatetheshares;:::;softhebadplayersbychoosingthemasrandomnumbersinanappropriateinterval.Sinceisxedbythechoiceof,thismeansthatthesharesofuncorruptedplayersandthepolynomialarenowxedaswell,butarenoteasyforthesimulatortocompute.However,ifwechooseasaciphertextwithknownplaintext,wecanalsocomputewhatwouldbe,namelymod=(1+mod.ThenbydoingLagrangeinterpolation"intheexponent"asin[10],wecancomputecorrectvaluesoffortheuncorruptedplayers.Whenwegetaciphertextasinput,weasktheoraclefortheplaintext.Thisallowsustocompute=(1+mod.Againthismeanswecaninterpolateandcomputethecontributionsfromtheuncorruptedplayers.Finally,thezero-knowledgepropertyisinvokedtosimulatetheproofsthatthesearecorrect.4.2SomeAuxiliaryProtocolsSupposeaproverpresentsascepticalverierwithaciphertextandclaimsthatitencodesplaintext.Atrivialwaytoconvincewouldbetorevealalsotherandomchoice,thencanverifyhimselfthati;r).However,foruseinthefollowing,weneedasolutionwherenoextrausefulinformationisrevealed.Itiseasytoseethatthatthisisequivalenttoconvincingthatmodisan'thpower.Sowenowproposeaprotocolforthiswhichisasimplegeneralisationoftheonefrom[7].Wenotethatthisandthefollowingprotocolsarenotzero-knowledgeastheystand,onlyhonestverierzero-knowledge.How-ever,rstzero-knowledgeprotocolsforthesameproblemscanbeconstructedfromthemusingstandardmethodsandsecondly,inourapplications,wewillalwaysbeusingtheminanon-interactivevariantbasedontheFiat-Shamirheuristic,whichmeansthatwecannotobtainzero-knowledge,wecan,however,obtainsecurityintherandomoraclemodel.Asforsoundness,weprovethattheprotocolssatisfysocalledspecialsoundness(see[2]),whichinparticularimpliesthattheysatisfystandardknowledgesoundness.Protocolfor'thpowersn;uPrivateInputfor,suchthatmod choosesatrandommodandsendsmodchooses,arandombitnumber,andsendsmod,andchecksthatmodandacceptsifandonlyifthisisthecase.ItisnowsimpletoshowLemma2.Theaboveprotocoliscomplete,honestverierzero-knowledge,andsatisesthatfromanypairofacceptingconversations(betweenandanyprover)offorma;e;za;ewith,onecanecientlycomputean'throotof,providedissmallerthanthesmallestprimefactorofProof.Completenessisobviousfrominspectionoftheprotocol.Forhonestver-iersimulation,thesimulatorchoosesarandom,arandom,setsmodandoutputs(a;e;z).Thisiseasilyseentobeaperfectsimulation.Forthelastclaim,observethatsincetheconversationsareaccepting,wehavemodandmod,sowegetz=zmodisprimetobytheassumptionon2,choose;suchthat)=1.Thenletz=zmod.Wethengetz=zmodsothatisindeedthedesired'throotofInourapplicationofthisprotocol,themoduluswillbechosenbyatrustedparty,orbyamulti-partycomputationsuchthathastwoprimefactorsofroughlythesamesize.Hence,ifisthebitlengthof,wecanset2andbeassuredthatacheatingprovercanmaketheverieracceptwithprobabilityThelemmaimmediatelyimplies,usingthetechniquesfrom[2],thatwecanbuildanecientproofthatanencryptioncontainsoneoftwogivenvalues,withoutrevealingwhichoneitis:giventheencryptionandthetwocandi-dateplaintexts,proverandveriercomputeC=gmodC=gmod,andtheprovershowsthateitherisan'thpower.Thiscanbedoneusingthefollowingprotocol,whereweassumewithoutlossofgeneralitythattheproverknowsan'throot,andwheredenotesthehonest-veriersimulatorforthe-powerprotocolabove:Protocol1-out-of-2'thpowern;uPrivateInputfor,suchthatmodchoosesatrandommod.Heinvokesoninputn;utogetaconversation.Hesendsmod chooses,arandombitnumber,andsendsmod2andmod.Hethensendschecksthatmod2modandmod,andacceptsifandonlyifthisisthecase.Theprooftechniquesfrom[2]andLemma2immediatelyimplyLemma3.Protocol1-out-of-2'thpoweriscomplete,honestverierzero-knowledge,andsatisesthatfromanypairofacceptingconversations(betweenandanyprover)ofform;s;ewith,onecanecientlycomputean'throotof,andan'throotofprovidedislessthanthesmallestprimefactorofOurnalbuildingblockallowsaprovertoconvinceaverierthatthreeencryptionscontainvaluesa;bandsuchthatmod.Forthis,weproposeaprotocolinspiredbyasimilarconstructionfoundin[3].ProtocolMultiplication-mod-n;g;ePrivateInputfora;b;c;rsuchthatmodanda;rb;rc;rchoosesarandomvalueandsendstod;rdb;rchooses,arandom-bitnumber,andsendsittoopenstheencryptiond;rmod)bysendingmodandmod.Finally,openstheencryptionmod)bysendingmodveriesthattheopeningsofencryptionsinthepreviousstepwerecorrect,andacceptsifandonlyifthiswasthecase.Lemma4.ProtocolMultiplication-mod-iscomplete,honestverierzero-knowledge,andsatisesthatfromanypairofacceptingconversations(betweenandanyprover)ofform;e;f;zwithonecanecientlycomputetheplaintexta;b;ccorrespondingtothatmod,providedissmallerthanthesmallestprimefactorinProof.Completenessisclearbyinspectionoftheprotocol.Forhonestverierzero-knowledge,observethattheequationscheckedbyf;zmodand)mod.Fromthisitisclearthatwecangenerateaconversationbychoosingrstf;zatrandom,andthencomputingthatwillsatisfytheequations.Thisonlyrequiresinversionmodulo,andgeneratestherightdistributionbecausethevaluesf;zarealsoindependentandrandomintherealconversation.Forthelastclaim,noterstthatsinceencryptionsuniquelydetermineplaintexts,therearexedvaluesa;b;c;dcontainedin,andavaluecontainedin.The factthattheconversationsgivenareacceptingimpliesthatmodmod=0=mod.Puttingthistogether,weobtain(modor(mod.Now,since()isinvertiblemodulobyassumptionon2,wecanconcludethatmod(andalsocomputea;bandTheprotocolsfromthissectioncanbemadenon-interactiveusingthestan-dardFiat-Shamirheuristicofcomputingthechallengefromtherstmessageusingahashfunction.Thiscanbeprovedsecureintherandomoraclemodel.5EcientElectronicVotingIn[4],ageneralmodelforelectionswasused,whichwebrie yrecallhere:wehaveasetofvoters;:::;V,abulletinboard,andasetoftallyingauthorities;:::;A.Thebulletinboardisassumedtofunctionasfollows:everyplayercanwriteto,andamessagecannotbedeletedonceitiswritten.Allplayerscanaccessallmessageswritten,andcanidentifywhichplayereachmessagecomesfrom.Thiscanallbeimplementedinasecurewayusinganalreadyexistingpublickeyinfrastructureandserverreplicationtopreventdenialofserviceattacks.Weassumethatthepurposeofthevoteistoelectawinneramongcandidates,andthateachvoterisallowedtovotefortLcandidates.Inthefollowing,willdenoteaxedhashfunctionusedtomakenon-interactiveproofsaccordingtotheFiat-Shamirheuristic.Also,wewillassumethroughoutthataninstanceofthresholdversionofPaillier'sschemewithpublickeyn;ghasbeensetup,withthe'sactingasdecryptionservers.Wewillassumethat,whichcanalwaysbemadetruebychoosinglargeenough.ThenotationProof),whereissomelogicalstatementwilldenoteabitstringcreatedbyplayerasfollows:selectstheappropriateprotocolfromtheprevioussectionthatcanbeusedtointeractivelyprove.Hecomputestherstmessageinthisprotocol,computesa;S;ID))where)ishisuseridentityinthesystemand,takingtheresultofthisasthechallengefromtheverier,computestheanswer.ThenProofe;z).Theinclusionof)intheinputtoisdoneinordertopreventvoteduplication.Tochecksuchaproof,notethatalltheauxiliaryprotocolsaresuchthatfromS;z;conecaneasilycomputewhatshouldhavebeen,hadtheproofbeencorrect.Forinstance,fortheprotocolforpowers,thestatementconsistsofasinglenumbermodulo,andtheverierchecksthatmod,sowehavemod.Onceiscomputed,onechecksthata;S;IDAprotocolforthecase=2isnowsimpletodescribe.Thisisequivalenttoayes/novoteandsoeachvotecanthoughtofasanumberequalto0fornoand1foryes:1.Eachvoterdecidesonhisvote,hecalculates),whereisrandomlychosen.HealsocreatesProofisan'thpowermodulo basedonthe1-out-of-2'thpowerprotocol.Hewritestheencryptedvoteandproofto2.Eachdoesthefollowing:rstset=1.Thenforall:checktheproofwrittenbyandifisitvalid,thenmod.Finally,executeshispartofthethresholddecryptionprotocol,usingastheinputciphertext,andwriteshisresultto3.Fromthemessageswrittenbythe's,anyonecannowreconstructtheplaintextcorrespondingto(possiblyafterdiscardinginvalidmessages).Assumingforsimplicitythatallvotesarevalid,itisevidentthatmodmod).SothedecryptionresultmodwhichisSecurityofthisprotocol(intherandomoraclemodel)followseasilyfromsecurityofthesub-protocolsused,andsemanticsecurityofPaillier'sencryptionscheme.Proofswillbeincludedinthenalversionofthispaper.Thereareseveralwaystogeneralisethisto2.Probablythesimplestwayistoholdparallelyes/novotesasabove.Avotervotes1forthecandidateshewants,and0fortheothers.Thismeansthatwillsendvotesofform;::;LProofisan'thpowermoduloToprovethathevotedforexactlycandidates,healsowritestothenum-bermod.Thisallowsthetallierstoverifythat)isanencryptionof.Thischeckissucient,sinceallindividualvotesareprovedtobe0or1.Itisimmediatethatdecryptionoftheresultswillimmediatelygivethenumberofvoteseachcandidatereceived.Wenotethathiseasilygeneralisestocaseswherevotersareallowedtovoteforuptocandidates:onesimplyintroduces"dummycandidates"inadditiontotheactual.Wethenexecutetheprotocolasbefore,butwithcandidates.Eachvoterplacesthevoteshedoesnotwanttouseondummycandidates.Thesizeofavoteinthisprotocolisseentobe),whereisthebitlength,bysimpleinspectionoftheprotocol.Theprotocolrequiresoperations.Asanumericexample,supposewehave=1000=64000=1andweusechallengesof80bitsintheproofs.Thenavoteintheabovesystemhassizeabout50Kbyte.IftheparametersaresuchthatlogMkand=1,thenwecandosignicantlybetter.Theseconditionswillbesatisedinmanyrealisticsituations,suchasforinstanceinthenumericexampleabove.Thebasicideaisthefollowing:avoteforcandidate,where0jLdenedtobeanencryptionofthenumber.Eachvoterwillcreatesuchanen-cryptionandproveitscorrectnessasdetailedbelow.Whenalltheseencryptionsaremultipliedwegetanencryptionofanumberofformmodwhereisthenumberofvotescastforcandidate.SincelogMk,thisrelationalsoholdsovertheintegers,sodecryptingandwriting-aryno-tationwilldirectlyproduceallthe Itremainstodescribehowtoproduceencryptionhidinganumberofform,forsome0jL,andproveitwascorrectlyformed.Let;:::;bbethebitsinthebinaryrepresentationof,i.e..Thenclearlywehave.Eachfactorinthisproductiseither1orapowerof.Thisisusedinthefollowingalgorithmforproducingthedesiredproof(wheredenotestheprover):computesencryptions;:::;eof(;:::;.ForeachhealsocomputesProofisan'thpower).2.Let,forcomputesanencryption,for.Weset.Now,forProof(Plaintextscorr.tosatisfymodbasedonthemultiplication-mod-protocol.Theencryptionisthedesiredencryption,itcanbeveriedfromtheandalltheproofscomputed.Itisstraightforwardtoseethatavoteinthissystemwillhavelengthlog)bits(stillassuming,ofcourse,thatlogWithparametervaluesasinthenumericexamplebefore,avotewillhavesizeabout8.5Kbyte,afactorofmorethan5betterthantheprevioussystem.Moreover,weneedonly1decryptionoperationasopposedtobefore.6EciencyandImplementationAspectsAnimplementationofsomeoftheteqniquesdiscussedinthispapercanbefoundhttp://www.brics.dk/jurik/research.htmlKeyGeneration.Theprimesandaremadeusingtheusualtechniques,sothatwillbeasdicultaspossibletofactor.Sincethereisnodierenceinchoosingageneraland(+1)asgenerator,wecanjustuse(+1)andsavesomeworkforndingasuitableEncryption.AsmentionedinPaillierwecanchoose=2(provideditsatisesthecontraints)togetaspeed-upinencryption.Butsincewecanuse(+1)asgeneratorwecanmakeitevenmoreecientsincecalculating(+1)isthesameascalculating:modthismeansraising(+1)to'thpowertakesabout5multiplications.Wecanprecomputethefactorsmodwhichreducesthenumberofmulti-plicationsto2.Wecan'tgetridoftheexponentiationmod,buttherandomvaluecanbechooseninadvanceandtheexponentiationcalculatedin advance.Ifmodiscalculatedinadvanceanencryptionwilltake2multiplicationswhichisapproximatelyasecientasRSAforsmallDecryption.Decryptioncanbespeededupbycalculatingthedierentpowers,andthemodfor2.Allthiscanbecalculatedmodandmodinsteadofmodbyusing and insteadofthenormal.Thedecryptionalgorithmisthenexecuted2times,oncemod'sinsteadofmodandwithinsteadofandoncewithmodand.Thenafterthe2partshavebeencalculatedtheyarecombinedusingChineseremaindering.PerformanceEvaluations.Wegivehereacomparisonbetweentheschemespresentedinthispaper,Paillier'soriginalscheme,RSAwithpublicexponent+1andEl-Gamal.Thereare3versionsofourscheme,namelyonewithoutprecomputation,onewith,andonewith=1(andnoprecomputation),sincethisisequivalenttoPaillier'sscheme.Itisassumedthatallnumbershasaboutthesamenumberof1'sand0'sintheirbinaryrepresentation.Ingure1wecomparethedierentschemeusingthesamesecurityparameter.Itshouldbenotedthatitcomparesthenumberofmultiplications,butthesemultiplicationsaremadeusingdierentmodulussize.Itshouldbealsobenotedthatthe2rstcolumnsencryptbitsofplaintextinsteadofbitsintheothercolumns.Thelast2rowsofthetableshowsthenumberofbitsthatareencryptedforeachmultiplicationmade.Itonlymakessensetocomparethenumbersinthese2rowsifthemodulussizeisthesameandthusthesecurityparameterisdierent.Fig.1.Comparisonwithequalsecurityparameter Scheme GeneralScheme Scheme NoPrecomp. Precomp. s Paillier El-Gamal Size( k k k k k k ModulusSize +1) +1) 2k 2k k k PlaintextSize sk k k k k Multiplications forEncryption 3 2s 2s 3 2k+5 3k+1 3k Multiplications 5 +1) 5 +1) forDecryption +1) +1) 5k+8 3 2k 3k+3 3 2k+1 Multiplications perbitencrypted 3 2 2 k 3 2 3 k 3 Multiplications perbitdecrypted 5 2 5 2 5 3 3 2 3 2 References1.Baudron,Fouque,Pointcheval,PoupardandStern:PracticalMulti-CandidateElec-tionScheme,manuscript,May2000.2.Cramer,DamgardandSchoenmakers:Proofsofpartialknowledge,Proc.ofCrypto94,SpringerVerlagLNCSseriesnr.839.3.R.Cramer,S.Dziembowski,I.Damgard,M.HirtandT.Rabin:EcientMulti-partyComputationsSecureagainstanAdaptiveAdversary,Proc.ofEuroCrypt99,SpringerVerlagLNCSseries1592,pp.311-326.4.R.Cramer,R.Gennaro,B.Schoenmakers:ASecureandOptimallyEcientMulti-AuthorityElectionScheme,ProceedingsofEuroCrypt97,SpringerVerlagLNCSseries,pp.103-118.5.Frankel,MacKenzieandYung:RobustEcientDistributedRSA-keyGenerationproceedingsofSTOC98.6.P.Fouque,G.Poupard,J.Stern:SharingDecryptionintheContextofVotingorLotteries,ProceedingsofFinancialCrypto2000.7.L.GuillouandJ.-J.Quisquater:APracticalZero-KnowledgeProtocolttedtoSecurityMicroprocessorMinimizingbothTransmissionandMemory,Proc.ofEu-roCrypt88,SpringerVerlagLNCSseries.8.M.HirtandK.Sako:EcientReceipt-FreeVotingbasedonHomomorphicEncryp-tion,ProceedingsofEuroCrypt2000,SpringerVerlagLNCSseries,pp.539-556.9.P.Pallier:Public-KeyCryptosystemsbasedonCompositeDegreeResidueClassesProceedingsofEuroCrypt99,SpringerVerlagLNCSseries,pp.223-238.10.V.Shoup:PracticalThresholdSignatures,ProceedingsofEuroCrypt2000,SpringerVerlagLNCSseries,pp.207-220.11.J.Bar-Ilan,andD.Beaver:Non-CryptographicFault-TolerantComputinginaCon-stantNumberofRounds,ProceedingsoftheACMSymposiumonPrinciplesofDistributedComputation,1989,pp.201-209. RecentBRICSReportSeriesPublicationsRS-00-45IvanB.DamgardandMadsJ.Jurik.AGeneralisation,aSimplicationandsomeApplicationsofPaillier'sProbabilisticPublic-KeySystem.December2000.18pp.ToappearinFourthInternationalWorkshoponPracticeandTheoryinPublicKeyCryptography,PKC'01Proceedings,LNCS,2001.ThisrevisedandextendedreportsupersedestheearlierBRICSreportRS-RS-00-44BerndGrobauerandZheYang.TheSecondFutamuraPro-jectionforType-DirectedPartialEvaluation.December2000.ToappearinHigher-OrderandSymbolicComputation.Thisre-visedandextendedreportsupersedestheearlierBRICSreportRS-99-40whichinturnwasanextendedversionofLawall,editor,ACMSIGPLANWorkshoponPartialEvaluationandSemantics-BasedProgramManipulation,PEPM'00Proceed-ings,2000,pages22–32.RS-00-43ClausBrabrand,AndersMøller,MikkelChristensen,Ricky,andMichaelI.Schwartzbach.PowerForms:DeclarativeClient-SideFormFieldValidation.December2000.21pp.ToappearWorldWideWebJournal,4(3),2000.RS-00-42ClausBrabrand,AndersMøller,andMichaelI.Schwartzbach..December2000.25pp.RS-00-41NilsKlarlund,AndersMøller,andMichaelI.Schwartzbach.TheDSDSchemaLanguageanditsApplications.December2000.32pp.ShorterversionappearsinHeimdahl,editor,ACMSIGSOFTWorkshopononFormalMethodsinSoftware,FMSP'00Proceedings,2000,pages101–111.RS-00-40NilsKlarlund,AndersMøller,andMichaelI.Schwartzbach.MONAImplementationSecrets.December2000.19pp.ShorterversionappearsinDaley,EramianandYu,editors,FifthInter-nationalConferenceonImplementationandApplicationofAu-,CIAA'00Pre-Proceedings,2000,pages93–102.RS-00-39AndersMøllerandMichaelI.Schwartzbach.ThePointerAs-sertionLogicEngine.December2000.23pp.ToappearinACMSIGPLANConferenceonProgrammingLanguageDesignandImplementation,PLDI'01Proceedings,2001.