Rivest Problem Set 4 Solutions

(a) Groups wrote implementations of Paillier in C, C++, Java, and Python. The shortest implementation was in Python; the second shortest was in C++ using the NTL large number library. (b) Groups were awarded 5 points for a correct decryption and 5 points for a correct encryption. Many students asked how the number to be decrypted was chosen. The number was simply a randomly-generated 10 digit number. We graded the problem by doing quick scan through the log file to verify that the number you reported was given to someone in your group. The PINs were to prevent one group of students from sabotaging another student’s results. Luckily that didn’t happen, so we didn’t need to use them. (c) There are two security flaws with Ben’s idea. The first is that a person could vote more than once. However, on the night before the problem set was due, we sent out email saying that this flaw would be handled by standard voter registration techniques. The second flaw — the one we were looking for — is that a person can stuff the ballot box with a single vote by submitting a ciphertext for an m > 1. In fact, a person could even take away votes by voting with a negative m, which would be an m that is somewhat less than n; that is, if Ben wanted to remove 10 votes, he could vote with m = n− 10. A third flaw is that the scheme does not protect the votes of voters, since the agency is able to decrypt any individual voter’s vote at any time. You need to trust the agency. One group of students suggested an active attack: if you are in favor of the resolution, multiply each ciphertext by g, and if you are opposed multiply each ciphertext by g−1. That’s a lot of work; you could just multiply a single ciphertext by g to add 500 votes to the resolution. It was incorrect to state that there were only two valid ciphertexts, allowing an attacker to create a dictionary of possible ciphertexts. That’s the whole point of a randomized cryptosystem — involving the random value r in the calculation of each ciphertext prevents this kind of attack. Grading policy: 5 points for working code, 5 points for a valid encryption, 5 points for a valid decryption, and 5 points for identifying a valid flaw.