1/11/2007 bswilson/eVote-PTCWS 1 Paillier Threshold Cryptography Web Service by Brett Wilson.
-
date post
19-Dec-2015 -
Category
Documents
-
view
215 -
download
0
Transcript of 1/11/2007 bswilson/eVote-PTCWS 1 Paillier Threshold Cryptography Web Service by Brett Wilson.
1/11/20071/11/2007 bswilson/eVote-PTCWSbswilson/eVote-PTCWS 11
Paillier Threshold Paillier Threshold Cryptography Web ServiceCryptography Web Service
byby
Brett WilsonBrett Wilson
221/11/20071/11/2007 bswilson/eVote-PTCWSbswilson/eVote-PTCWS
Outline of the TalkOutline of the Talk
Introduction/MotivationIntroduction/MotivationRelated WorkRelated WorkDesign of Paillier Threshold Cryptography Web Design of Paillier Threshold Cryptography Web Service (PTC Web Service)Service (PTC Web Service)ImplementationImplementationPerformancePerformanceLessons LearntLessons LearntFuture DirectionFuture DirectionConclusionConclusion
331/11/20071/11/2007 bswilson/eVote-PTCWSbswilson/eVote-PTCWS
Introduction/MotivationIntroduction/MotivationSecure electronic votingSecure electronic voting
Why?Why?2000 Florida Presidential election2000 Florida Presidential electionIncrease participation/election visibilityIncrease participation/election visibility
Extensive research into developing technologies to allow secure Extensive research into developing technologies to allow secure electronic votingelectronic voting
Current methods vulnerableCurrent methods vulnerableDiebold voting machine securityDiebold voting machine security
Princeton hacksPrinceton hacks Kohno et al. software security analysisKohno et al. software security analysis
E-voting RequirementsE-voting Requirements Privacy/Anonymity, Completeness, Soundness, Un-reusability, Privacy/Anonymity, Completeness, Soundness, Un-reusability,
Eligibility, FairnessEligibility, Fairness Robustness, Universal Verifiability, Receipt-Freeness, Robustness, Universal Verifiability, Receipt-Freeness,
IncoercibilityIncoercibility
441/11/20071/11/2007 bswilson/eVote-PTCWSbswilson/eVote-PTCWS
Introduction/MotivationIntroduction/MotivationMany of the new Secure Voting protocols Many of the new Secure Voting protocols use new encryption techniquesuse new encryption techniques Mathematical algorithms presented in Mathematical algorithms presented in
literatureliterature Unable to identify/locate implementations of Unable to identify/locate implementations of
these algorithmsthese algorithms
UCCS effort to develop a secure e-voting UCCS effort to develop a secure e-voting applicationapplication Basic building blocks unavailable for a large Basic building blocks unavailable for a large
number of published evoting protocolsnumber of published evoting protocols
551/11/20071/11/2007 bswilson/eVote-PTCWSbswilson/eVote-PTCWS
Related WorkRelated WorkUnable to locate other implementationsUnable to locate other implementationsBasis for ImplementationBasis for Implementation
Sharing Decryption in the context of Voting or LotteriesSharing Decryption in the context of Voting or Lotteries (Fouque, (Fouque, Poupard, Stern) Poupard, Stern)
Closely related researchClosely related research A Generalization of Paillier’s Public Key Cryptosystem with A Generalization of Paillier’s Public Key Cryptosystem with
Applications to Electronic VotingApplications to Electronic Voting (Damgard, Jurik, Nielson) (Damgard, Jurik, Nielson)
Uses of Paillier CryptographyUses of Paillier Cryptography Electronic VotingElectronic Voting Anonymous Mix Nets (due to self-blinding property)Anonymous Mix Nets (due to self-blinding property) Electronic AuctionsElectronic Auctions Electronic LotteriesElectronic Lotteries
661/11/20071/11/2007 bswilson/eVote-PTCWSbswilson/eVote-PTCWS
Related WorkRelated WorkOther Techniques Used In E-voting ProtocolsOther Techniques Used In E-voting Protocols Non-Interactive Zero Knowledge ProofsNon-Interactive Zero Knowledge Proofs
Proof does not require interactionProof does not require interaction
Proof does not reveal any other informationProof does not reveal any other information Prove vote is valid without revealing content of voteProve vote is valid without revealing content of vote Prove two encryptions encrypt the same message without Prove two encryptions encrypt the same message without
revealing messagerevealing message
Mix NetsMix Nets Anonymize votesAnonymize votes Permutate and “blind” input so that output contains Permutate and “blind” input so that output contains
same information, but re-ordered and unrecognizablesame information, but re-ordered and unrecognizable
771/11/20071/11/2007 bswilson/eVote-PTCWSbswilson/eVote-PTCWS
Cryptographic Techniques ImplementedCryptographic Techniques Implemented
Paillier CryptoSystemPaillier CryptoSystem Trapdoor Discrete Logarithm SchemeTrapdoor Discrete Logarithm Scheme c = gc = gMMrrnn mod n mod n22
n is an RSA modulus (modulus of 2 safe primes)n is an RSA modulus (modulus of 2 safe primes) Safe prime - Safe prime - p = 2q + 1 where q is also prime
g is an integer of order ng is an integer of order nαα mod mod nn22
r is a random number in r is a random number in ZZnn**
M = L(cM = L(cλλ(n)(n) mod mod nn22)/L(g)/L(gλλ(n)(n) mod mod nn22) mod n) mod n L(u) = (u-1)/n, L(u) = (u-1)/n, λλ(n)=lcm((p-1)(q-1))(n)=lcm((p-1)(q-1)) Important PropertiesImportant Properties
Probabilistic (randomness of E(M))Probabilistic (randomness of E(M))HomomorphicHomomorphic
E(ME(M11 + M + M22) = E(M) = E(M11) x E(M) x E(M22), E(k x M) = E(M)), E(k x M) = E(M)kk
Self-blindingSelf-blinding D(E(M) D(E(M) rrn n mod nmod n2 2 )) = m= m
881/11/20071/11/2007 bswilson/eVote-PTCWSbswilson/eVote-PTCWS
Cryptographic Techniques ImplementedCryptographic Techniques Implemented
Threshold EncryptionThreshold Encryption Public key encryption as usualPublic key encryption as usual Distribute secret key “shares” among i participantsDistribute secret key “shares” among i participants Decryption can only be accomplished if a threshold Decryption can only be accomplished if a threshold
number t of the i participants cooperatenumber t of the i participants cooperateNo information about m can be obtained with less than t No information about m can be obtained with less than t participants cooperatingparticipants cooperating
Shamir Secret SharingShamir Secret Sharing Lagrange Interpolation formulaLagrange Interpolation formula f(X) = Σf(X) = Σtt
i=0i=0 a aiiXXii aa00 is secret, is secret, aaii are random, f(X) are “secret shares” are random, f(X) are “secret shares”
X is share index (1 to number of servers)X is share index (1 to number of servers) If enough f(X) available it is possible to recover aIf enough f(X) available it is possible to recover a00
991/11/20071/11/2007 bswilson/eVote-PTCWSbswilson/eVote-PTCWS
Generic PTC UseGeneric PTC Use
AdminPTC Web Service
PTC CSP
2. SOAP/XML Request for PTC Parameters
3. SOAP/XML Response containing encrypted PTC Parameters
Key Share Owner(s)
1. Key Share Owners’ RSA Public Keys
8. Partial Decryption Shares/Proofs of Correct Decryption
4. RSA Encrypted Secret Key Shares
PTC CSP
PTC CSP7. Cipher Text
9. Clear Text
External Users
PTC CSP
5. Paillier Public Key
6. Cipher Text
10101/11/20071/11/2007 bswilson/eVote-PTCWSbswilson/eVote-PTCWS
Voting Application PTC UseVoting Application PTC Use
Election Admin PTC
Web Service
PTC CSP
2. SOAP/XML Request for PTC Parameters
3. SOAP/XML Response containing RSA encrypted PTC Parameters
Election Authorities
1. Election Authorities’ RSA Public Keys
8. Partial Decryption Shares of Vote Tally/Proofs of Correct Decryption
4. RSA Encrypted Secret Key Shares
PTC CSP
PTC CSP7. Paillier Encrypted
Vote Tally
9. Vote Tally
Voter
PTC CSP
5. Paillier Public Key
6. Paillier-Encrypted Vote
Election Setup – Admin create election/ballots and requests election parameters
Voters VoteAdmin computes encrypted vote product (tally)
Authorities Partially Decrypt Vote Tally
Admin combines partial decryptions to recover tally
11111/11/20071/11/2007 bswilson/eVote-PTCWSbswilson/eVote-PTCWS
Paillier Threshold Cryptography Paillier Threshold Cryptography Web Service (PTC Web Service)Web Service (PTC Web Service)Provides for generation of Paillier Threshold Provides for generation of Paillier Threshold Cryptography parametersCryptography parameters Public KeyPublic Key Private Key SharesPrivate Key Shares
Can be encrypted with provided public keysCan be encrypted with provided public keys Verification KeysVerification Keys
Used to verify correct “decryption shares”Used to verify correct “decryption shares”
Removes trusted dealer from system Removes trusted dealer from system participantsparticipants No interaction between authorities required in this No interaction between authorities required in this
schemescheme Other Methods exist for interactive generation of private key Other Methods exist for interactive generation of private key shares that also remove trusted dealershares that also remove trusted dealer
Interaction requiredInteraction required
12121/11/20071/11/2007 bswilson/eVote-PTCWSbswilson/eVote-PTCWS
PTC Web Service ArchitecturePTC Web Service ArchitectureOne Web MethodOne Web Method GeneratePaillierThresholdParametersGeneratePaillierThresholdParameters
1 Input Parameter1 Input Parameter ThresholdParameterRequest XML serializationThresholdParameterRequest XML serialization KeysizeKeysize Number of Secret Key SharesNumber of Secret Key Shares System Decryption ThresholdSystem Decryption Threshold List of Key Share OwnersList of Key Share Owners
May include public keys of Key Share OwnersMay include public keys of Key Share Owners Returns PaillierThresholdParameters XMLReturns PaillierThresholdParameters XML
Public KeyPublic Key Secret Key SharesSecret Key Shares Verification Key SharesVerification Key Shares
Used by admin to verify decryption sharesUsed by admin to verify decryption shares
13131/11/20071/11/2007 bswilson/eVote-PTCWSbswilson/eVote-PTCWS
PTC Web Service ImplementationPTC Web Service ImplementationPaillierThresholdCryptoServiceProviderPaillierThresholdCryptoServiceProvider
Implements Microsoft’s .NET interface for asymmetric algorithmsImplements Microsoft’s .NET interface for asymmetric algorithms ICSPAsymmetricAlgorithmICSPAsymmetricAlgorithm
Not fully implemented – threshold systems are differentNot fully implemented – threshold systems are different Provides all basic functionalityProvides all basic functionality
Generation of system parametersGeneration of system parameters Encryption using public keyEncryption using public key Partial decryption using secret key sharePartial decryption using secret key share
Generates proof of correct decryptionGenerates proof of correct decryption Combining of decryption shares into original cleartextCombining of decryption shares into original cleartext
Validates provided proofs of decryptionValidates provided proofs of decryption
PTC UtilitiesPTC Utilities Conversion between byte arrays, NGmp IntMP, and ASCII Conversion between byte arrays, NGmp IntMP, and ASCII
stringsstrings Random number generation (within Random number generation (within ZZnn
**)) Safe prime generationSafe prime generation
Random prime generation – check for “safeness”Random prime generation – check for “safeness”
14141/11/20071/11/2007 bswilson/eVote-PTCWSbswilson/eVote-PTCWS
PTC Web Service Implementation PTC Web Service Implementation (cont’d)(cont’d)
ThresholdCryptographyServiceThresholdCryptographyService Web Service ApplicationWeb Service Application Microsoft Internet Information ServicesMicrosoft Internet Information Services ASP.NET 2.0ASP.NET 2.0
15151/11/20071/11/2007 bswilson/eVote-PTCWSbswilson/eVote-PTCWS
Implementation Problems/SolutionsImplementation Problems/SolutionsLarge Safe Prime GenerationLarge Safe Prime Generation Key Size above 256 bits takes an unacceptable Key Size above 256 bits takes an unacceptable
amount of time (512 bits - 39.85 sec)amount of time (512 bits - 39.85 sec) Fast algorithm does not existFast algorithm does not exist Implemented one option for efficiency increaseImplemented one option for efficiency increase
Long Term SolutionLong Term Solution Generate long list of safe primes off lineGenerate long list of safe primes off line
Extract from list when neededExtract from list when needed Must protect listMust protect list
Shamir Secret SharingShamir Secret Sharing Index of each key share must be persistedIndex of each key share must be persisted
Indexes required to re-assemble the polynomial and thus Indexes required to re-assemble the polynomial and thus the secretthe secret
16161/11/20071/11/2007 bswilson/eVote-PTCWSbswilson/eVote-PTCWS
Performance EvaluationPerformance EvaluationScalability not high priority in current schemeScalability not high priority in current scheme
Web service only accessed once during cryptosystem parameter Web service only accessed once during cryptosystem parameter creationcreation
WebPartner Test and Performance CenterWebPartner Test and Performance Center Request for 256 bit key, 5 keyshares, threshold = 3Request for 256 bit key, 5 keyshares, threshold = 3
Up to 100 simultaneous requests successfulUp to 100 simultaneous requests successful Random busy errorsRandom busy errors
Due to random nature of safe prime generationDue to random nature of safe prime generation
17171/11/20071/11/2007 bswilson/eVote-PTCWSbswilson/eVote-PTCWS
Demo: E-Voting ApplicationDemo: E-Voting ApplicationElection AdministratorElection Administrator
Creates election and ballot issuesCreates election and ballot issues Submits request for election PTC parameters to PTC Web ServiceSubmits request for election PTC parameters to PTC Web Service
Includes public keys of key share ownersIncludes public keys of key share owners Receives public key, encrypted private key shares, verifier keysReceives public key, encrypted private key shares, verifier keys
Makes public key available to votersMakes public key available to votersDistributes encrypted key shares to key share ownersDistributes encrypted key shares to key share ownersMakes verifier keys publicly availableMakes verifier keys publicly available
At conclusion of election, multiplies all Paillier-encrypted votes together At conclusion of election, multiplies all Paillier-encrypted votes together and distributes to key share ownersand distributes to key share owners
Receives decryption shares/proofs from key share ownersReceives decryption shares/proofs from key share ownersverifies proofsverifies proofscombines decryption shares to reveal vote tally if enough valid proofscombines decryption shares to reveal vote tally if enough valid proofs
VoterVoter Receives ballot issues/choices from administratorReceives ballot issues/choices from administrator Uses election public key to encrypt voteUses election public key to encrypt vote
Key Share OwnersKey Share Owners Receive encrypted secret key shares from administratorReceive encrypted secret key shares from administrator Receive encrypted vote tally from administratorReceive encrypted vote tally from administrator
Partially decrypt vote tally using secret key sharePartially decrypt vote tally using secret key shareGenerate proof of correct decryptionGenerate proof of correct decryption
18181/11/20071/11/2007 bswilson/eVote-PTCWSbswilson/eVote-PTCWS
Implementation ToolsImplementation ToolsVisual Studio 2005Visual Studio 2005 VB.NETVB.NET
Gnu Multiprecision Library (Gmp)Gnu Multiprecision Library (Gmp) Open source arbitrary precision numeric libraryOpen source arbitrary precision numeric library Compiled under Visual Studio 2005Compiled under Visual Studio 2005
NGmpNGmp Open source VB.NET binding of gmp.dllOpen source VB.NET binding of gmp.dll Enables calling of gmp library functions through Enables calling of gmp library functions through
VB.NETVB.NET Compiled under Visual Studio 2005Compiled under Visual Studio 2005
19191/11/20071/11/2007 bswilson/eVote-PTCWSbswilson/eVote-PTCWS
Future DirectionsFuture DirectionsPTC Web ServicePTC Web Service
Authenticity of PTC Parameters not currently guaranteedAuthenticity of PTC Parameters not currently guaranteed Implement signing of PTC Parameters by Web ServiceImplement signing of PTC Parameters by Web Service
Insert UID field in web service signature to uniquely identify PTC Insert UID field in web service signature to uniquely identify PTC ParametersParameters
Extend Web Service to provide other threshold encryption Extend Web Service to provide other threshold encryption parametersparameters
RSA threshold signaturesRSA threshold signatures
E-Voting Application SupportE-Voting Application Support Implement voter identity verificationImplement voter identity verification Develop non-interactive proof of vote validityDevelop non-interactive proof of vote validity
encrypted vote is one of a set of valid votesencrypted vote is one of a set of valid votes Authenticity of election parameters/ballots not currently Authenticity of election parameters/ballots not currently
guaranteedguaranteedImplement signing of election parameters/ballots by adminImplement signing of election parameters/ballots by admin
20201/11/20071/11/2007 bswilson/eVote-PTCWSbswilson/eVote-PTCWS
ConclusionConclusion
Implemented a web service and Implemented a web service and underlying cryptographic algorithms in underlying cryptographic algorithms in VB.NET that provides Paillier Threshold VB.NET that provides Paillier Threshold Cryptographic services for supporting e-Cryptographic services for supporting e-voting and other applicationsvoting and other applications
A demonstration e-voting application was A demonstration e-voting application was completed using Microsoft Visual Studio completed using Microsoft Visual Studio 20052005
21211/11/20071/11/2007 bswilson/eVote-PTCWSbswilson/eVote-PTCWS
ReferencesReferences[1] P. Paillier, [1] P. Paillier, Public-Key Cryptosystems Based on Composite Public-Key Cryptosystems Based on Composite Degree Residuosity ClassesDegree Residuosity Classes, Eurocrypt ‘99, Eurocrypt ‘99[2] P. Fouque, G. Poupard, J.Stern, [2] P. Fouque, G. Poupard, J.Stern, Sharing Decryption in the Sharing Decryption in the Context of Voting or LotteriesContext of Voting or Lotteries, Financial Cryptography 2000 , Financial Cryptography 2000 ProceedingsProceedings[3] I. Damgard, M. Jurik, J. Nielson, [3] I. Damgard, M. Jurik, J. Nielson, A Generalization of Paillier’s A Generalization of Paillier’s Public-Key System with Applications to Electronic VotingPublic-Key System with Applications to Electronic Voting, Aarhus , Aarhus University, Dept. of Computer ScienceUniversity, Dept. of Computer Science[4] A. Shamir, [4] A. Shamir, How to Share a SecretHow to Share a Secret, Communications of the ACM , Communications of the ACM 19791979[5] A.J. Menezes, P. C. van Oorschot, and S.A. Vanstone, [5] A.J. Menezes, P. C. van Oorschot, and S.A. Vanstone, Handbook of Applied CryptographyHandbook of Applied Cryptography, CRC Press, 1997, CRC Press, 1997[6] D. Naccache, [6] D. Naccache, Double-Speed Safe Prime GenerationDouble-Speed Safe Prime Generation, Gemplus , Gemplus Card InternationalCard International[7] M. Wiener, [7] M. Wiener, Safe Prime Generation with a Combined SieveSafe Prime Generation with a Combined Sieve, , Cryptographic ClarityCryptographic Clarity
23231/11/20071/11/2007 bswilson/eVote-PTCWSbswilson/eVote-PTCWS
Other Project DocumentsOther Project Documents
Paillier Threshold Cryptography Web Service Paillier Threshold Cryptography Web Service and Evote Demonstration Quick Set-upand Evote Demonstration Quick Set-up Information on installation/setup of VS2005 Information on installation/setup of VS2005
solution for developing/testing PTC Web Service solution for developing/testing PTC Web Service and Evote Demonstrationand Evote Demonstration
Paillier Threshold Cryptography Web Service Paillier Threshold Cryptography Web Service User’s GuideUser’s Guide Detailed Information on installing/using the PTC Detailed Information on installing/using the PTC
Web ServiceWeb Service
24241/11/20071/11/2007 bswilson/eVote-PTCWSbswilson/eVote-PTCWS
Use of WebService in Secure Use of WebService in Secure VotingVoting
Ballot format: pick 1 out of c candidatesBallot format: pick 1 out of c candidates Vote = 2c*log2v where c is the desired candidate Vote = 2c*log2v where c is the desired candidate
number (0…c) and v is the next power of 2 greater number (0…c) and v is the next power of 2 greater than the maximum number of votersthan the maximum number of voters
All Paillier-encrypted votes could be publicly All Paillier-encrypted votes could be publicly postedpostedAt end of election, all encrypted votes could be At end of election, all encrypted votes could be multiplied together (publicly verifiable)multiplied together (publicly verifiable)With cooperation of the required threshold With cooperation of the required threshold number of “authorities”, the final product could number of “authorities”, the final product could be decrypted to reveal the vote total (sum of be decrypted to reveal the vote total (sum of individual votes).individual votes).