Extensions to the Paillier Cryptosystem with Applications to Cryptological Protocols

The main contribution of this thesis is a simplification, a generalization and some modifications of the homomorphic cryptosystem proposed by Paillier in 1999, and several cryptological protocols that follow from these changes. The Paillier cryptosystem is an additive homomorphic cryptosystem, meaning that one can combine ciphertexts into a new ciphertext that is the encryption of the sum of the messages of the original ciphertexts. The cryptosystem uses arithmetic over the group Z_{n^2} and can encrypt messages from the group Z_n. In this thesis the cryptosystem is generalized to work over the group Z_{n^{s+1}} for any integer s > 0, with plaintexts from the group Z_{n^s}. This has the advantage that the ciphertext is only a factor of (s + 1)/s longer than the plaintext, which is an improvement over the factor of 2 in the Paillier cryptosystem. The generalized cryptosystem is also simplified in some ways, which results in a threshold decryption that is conceptually simpler than other proposals.

Another cryptosystem is also proposed that is length-flexible, i.e. given a fixed public key, the sender can choose s when the message is encrypted and use the message space Z_{n^s}. This new system is modified using some El Gamal elements to create a cryptosystem that is both length-flexible and has an efficient threshold decryption. This new system has the added feature that, with a globally set up RSA modulus n, provers can efficiently prove various relations on plaintexts inside ciphertexts made using different public keys.

Using these cryptosystems several multi-party protocols are proposed:

• A mix-net, which is a tool for making an unknown random permutation of a list of ciphertexts. This makes it a useful tool for achieving anonymity.

• Several voting systems:

  – An efficient large scale election system capable of handling large elections with many candidates.

  – Client/server trade-offs: 1) a system where the vote size is within a constant of the minimal size, and 2) a system where a voter is protected even when voting from a hostile environment (i.e. a Trojan-infested computer). Both of these improvements are achieved at the cost of some extra computations at the server side.

  – A small scale election with perfect ballot secrecy (i.e. any group of persons only learns what follows directly from their votes and the final result), usable e.g. for board room elections.
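The generalized scheme sketched above (arithmetic modulo n^{s+1}, plaintexts in Z_{n^s}, the additive homomorphism and the (s+1)/s expansion), worked through as an added Python example that is not code from the thesis. It assumes the simple variant where the private key is λ = lcm(p−1, q−1) and decryption recovers mλ from (1+n)^{mλ} by the iterative L-function procedure; the primes p and q, the message values and the function names are constructed for the illustration.

```python
import math
import secrets

# Added illustration of the generalised Paillier scheme; toy primes p, q are
# constructed for the demo and give no security (not code from the thesis).

def keygen(p, q, s):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # λ = lcm(p-1, q-1)
    assert math.gcd(n, lam) == 1 and min(p, q) > s     # k! must be invertible mod n
    return (n, s), (n, s, lam)

def encrypt(pk, m, r=None):
    n, s = pk
    ns1 = n ** (s + 1)
    while r is None or math.gcd(r, n) != 1:            # r uniform in Z_n^*
        r = secrets.randbelow(n - 1) + 1
    # c = (1+n)^m * r^(n^s) mod n^(s+1), plaintext m taken mod n^s
    return pow(1 + n, m, ns1) * pow(r, n ** s, ns1) % ns1

def dlog_1n(a, n, s):
    """Recover i mod n^s from a = (1+n)^i mod n^(s+1), one n-adic digit per round."""
    i = 0
    for j in range(1, s + 1):
        nj = n ** j
        t1 = (a % (n * nj) - 1) // n                   # L(a mod n^(j+1)), a ≡ 1 mod n
        t2 = i
        for k in range(2, j + 1):                      # strip the C(i,k) n^(k-1) terms
            i -= 1
            t2 = t2 * i % nj
            t1 = (t1 - t2 * n ** (k - 1) * pow(math.factorial(k), -1, nj)) % nj
        i = t1
    return i

def decrypt(sk, c):
    n, s, lam = sk
    ns = n ** s
    # c^λ = (1+n)^(mλ) mod n^(s+1) since r^(n^s λ) = 1; recover mλ, divide by λ mod n^s
    return dlog_1n(pow(c, lam, n ** (s + 1)), n, s) * pow(lam, -1, ns) % ns

def add(pk, c1, c2):
    n, s = pk
    return c1 * c2 % n ** (s + 1)                      # encrypts (m1 + m2) mod n^s

def expansion(pk):
    n, s = pk                                          # ciphertext/plaintext bits ≈ (s+1)/s
    return (n ** (s + 1)).bit_length() / (n ** s).bit_length()
```

With s = 3 the plaintext space is Z_{n^3} and a ciphertext is only about 4/3 the length of the plaintext, while sums that exceed n^3 wrap around modulo n^3.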
