Correct Paillier code. Dissertation
This commit is contained in:
parent
d397cf352a
commit
bffc7a3a66
@ -31,7 +31,7 @@ class PrivKey {
|
|||||||
decrypt(c) {
|
decrypt(c) {
|
||||||
return (
|
return (
|
||||||
(((fastModularExponentiation(c, this.lambda, this.n ** 2n) - 1n) / this.n) *
|
(((fastModularExponentiation(c, this.lambda, this.n ** 2n) - 1n) / this.n) *
|
||||||
(this.mu % this.n)) %
|
this.mu) %
|
||||||
this.n
|
this.n
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
Binary file not shown.
@ -3,7 +3,19 @@
|
|||||||
\usepackage{Bath-CS-Dissertation}
|
\usepackage{Bath-CS-Dissertation}
|
||||||
\usepackage{amsmath}
|
\usepackage{amsmath}
|
||||||
\usepackage{amssymb}
|
\usepackage{amssymb}
|
||||||
|
\usepackage{amsthm}
|
||||||
|
|
||||||
|
\DeclareMathOperator{\lcm}{lcm}
|
||||||
|
|
||||||
|
\newtheorem{theorem}{Theorem}[section]
|
||||||
|
\newtheorem{proposition}[theorem]{Proposition}
|
||||||
|
|
||||||
|
\theoremstyle{definition}
|
||||||
|
\newtheorem{definition}[theorem]{Definition}
|
||||||
|
\newtheorem{lemma}[theorem]{Lemma}
|
||||||
|
\newtheorem{remark}[theorem]{Remark}
|
||||||
|
\newtheorem{corollary}[theorem]{Corollary}
|
||||||
|
\newtheorem{example}[theorem]{Example}
|
||||||
|
|
||||||
\title{Cryptographic protocol for playing Risk in an untrusted setting}
|
\title{Cryptographic protocol for playing Risk in an untrusted setting}
|
||||||
\author{Jude Southworth}
|
\author{Jude Southworth}
|
||||||
@ -246,7 +258,74 @@ Despite this approach being centralised, it does emulate a fully peer-to-peer en
|
|||||||
|
|
||||||
In particular, the final point allows for the use of purely JSON messages, which are readily parsed and processed by the client-side JavaScript.
|
In particular, the final point allows for the use of purely JSON messages, which are readily parsed and processed by the client-side JavaScript.
|
||||||
|
|
||||||
|
\subsection{Paillier}
|
||||||
|
|
||||||
|
Paillier requires the calculation of two large primes for the generation of public and private key pairs. ECMAScript typically stores integers as floating point numbers, giving precision up to $2^{53}$. This is clearly inappropriate for the generation of sufficiently large primes.
|
||||||
|
|
||||||
|
In 2020, %reference
|
||||||
|
ECMAScript introduced \texttt{BigInt}, which are, as described in the spec, "[integers which] may be any size and are not limited to a particular bit-width". Whilst this does not hold true in common ECMAScript implementations (such as V8), these "big integers" still provide sufficient precision for the Paillier cryptosystem, given some optimisations and specialisations are made with regards to the Paillier algorithm and in particular the modular exponentiation operation.
|
||||||
|
|
||||||
|
\subsection{Optimising modular exponentiation}
|
||||||
|
|
||||||
|
% todo
|
||||||
|
|
||||||
|
\subsection{Generating large primes}
|
||||||
|
|
||||||
|
I chose to use primes of length 2048 bits. This is on the upper end of typical prime sizes for cryptography, as this generates $n = pq$ of length 4096 bits.
|
||||||
|
|
||||||
|
Generating these primes is a basic application of the Miller-Rabin primality test. This produces probabilistic primes, however upon completing sufficiently many rounds of verification, the likelihood of these numbers actually not being prime is dwarfed by the likelihood of hardware failure.
|
||||||
|
|
||||||
|
\subsection{Public key}
|
||||||
|
|
||||||
|
In the Paillier cryptosystem, the public key is a pair $(n, g)$ where $n = pq$ for primes $p, q$ satisfying $\gcd(pq, (p - 1)(q - 1)) = 1$ and $g \in \mathbb{Z}^*_{n^2}$. We restrict the range of plaintexts $m$ to $m < n$.
|
||||||
|
|
||||||
|
The Paillier cryptosystem is otherwise generic over the choice of primes $p, q$. However, by choosing $p, q$ of equal length, the required property on $pq, (p - 1)(q - 1)$ coprime is guaranteed.
|
||||||
|
|
||||||
|
\begin{proposition}
|
||||||
|
For $p, q$ prime of equal length, $\gcd(pq, (p - 1)(q - 1)) = 1$.
|
||||||
|
\end{proposition}
|
||||||
|
|
||||||
|
\begin{proof}
|
||||||
|
WLOG, assume $p > q$. Suppose $\gcd(pq, (p - 1)(q - 1)) \neq 1$. Then, $q - 1 \mid p$. However, the bit-lengths of $p, q$ are identical. So $\lfloor \frac{1}{2}p \rfloor < q$. This is a contradiction to $q - 1 \mid p$, and so $\gcd(pq, (p - 1)(q - 1)) = 1$ as required.
|
||||||
|
\end{proof}
|
||||||
|
|
||||||
|
As the prime generation routine generates primes of equal length, this property is therefore guaranteed. The next optimisation is to select $g = 1 + n$.
|
||||||
|
|
||||||
|
\begin{proposition}
|
||||||
|
$1 + n \in \mathbb{Z}^*_{n^2}$.
|
||||||
|
\end{proposition}
|
||||||
|
|
||||||
|
\begin{proof}
|
||||||
|
We see that $(1 + n)^n \equiv 1 \mod n^2$ from binomial expansion. So $1 + n$ is invertible as required.
|
||||||
|
\end{proof}
|
||||||
|
|
||||||
|
The selection of such $g$ is ideal, as the binomial expansion property helps to optimise exponentiation. Clearly, from the same result, $g^m = 1 + mn$. This operation is far easier to perform, as it can be performed without having to take the modulus to keep the computed value within range (for $m$ of sufficiently small size).
|
||||||
|
|
||||||
|
\subsection{Encryption}
|
||||||
|
|
||||||
|
The cyphertext is, in general, computed as $c = g^m r^n \mod n^2$ for $r < n$ some random blinding factor. This computation is exceptionally irritating to perform however in JavaScript, even with big integer types. We instead compute $c = (r^n \mod n^2) \cdot (g^m \mod n^2) \mod n^2$, and propose that this is equivalent.
|
||||||
|
|
||||||
|
\subsection{Private key}
|
||||||
|
|
||||||
|
The private key is the value of the Carmichael function $\lambda = \lambda(n)$, defined as the exponent of the group $\mathbb{Z}^*_n$. From the Chinese remainder theorem, $\lambda(n) = \lambda(pq)$ can be computed as $\lcm(\lambda(p), \lambda(q))$. From Carmichael's theorem, this is equivalent to $\lcm(\phi(p), \phi(q))$, where $\phi$ is Euler's totient function. Hence, from the definition of Euler's totient function, and as $p, q$ are equal length, $\lambda = (p - 1)(q - 1) = \phi(n)$.
|
||||||
|
|
||||||
|
We are also interested in the ability to compute $\mu = \lambda^{-1} \mod n$ as part of decryption. Fortunately, this is easy, as from Euler's theorem, $\lambda^{\phi(n)} \equiv 1 \mod n$, and so we propose $\mu = \lambda^{\phi(n) - 1} \mod n$. As $\phi(n)$ is well-known to us, we get $\mu = \lambda^{(p - 1)(q - 1)} \mod n$, a relatively straight-forward computation.
|
||||||
|
|
||||||
|
\subsection{Decryption}
|
||||||
|
|
||||||
|
Let $c$ be the cyphertext. The corresponding plaintext is computed as $m = L(c^\lambda \mod n^2) \cdot \mu \mod n$, where $L(x) = \frac{x - 1}{n}$. Fortunately, unlike the encryption case, this is relatively simple to compute in JavaScript. We now show that the "simplified" encryption is compatible with this decryption.
|
||||||
|
|
||||||
|
\begin{proposition}
|
||||||
|
The cyphertexts provided are equivalent up to decryption.
|
||||||
|
\end{proposition}
|
||||||
|
|
||||||
|
\begin{proof}
|
||||||
|
Let $c = g^m r^n \mod n^2$ and $c' = (r^n \mod n^2) \cdot (g^m \mod n^2) \mod n^2$. Then, \begin{align*}
|
||||||
|
L(c^\lambda \mod n^2) \cdot \mu &\equiv L((g^m r^n)^\lambda \mod n^2) \cdot \mu \mod n \\
|
||||||
|
&\equiv L(g^{\lambda m} r^{\lambda n} \mod n^2) \cdot \lambda^{(p - 1)(q - 1)} \mod n
|
||||||
|
\end{align*}
|
||||||
|
%todo
|
||||||
|
\end{proof}
|
||||||
|
|
||||||
\bibliography{Dissertation}
|
\bibliography{Dissertation}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user