A Step by Step Partially Homomorphic Encryption Example with Paillier in Python

In today’s world, data security is a crucial concern for individuals and organizations alike. Encryption is a popular technique used to safeguard sensitive information from unauthorized access. However, traditional encryption methods have limitations when it comes to performing computations on encrypted data. This is where homomorphic encryption comes in. Homomorphic encryption allows computations to be performed on encrypted data without the need for decryption. In this blog post, we will explore Paillier encryption, a partially homomorphic encryption scheme that enables computations on encrypted data with respect to addition and multiplication. We will delve into the math behind the algorithm and its homomorphic features, demonstrating how it can be implemented step-by-step in Python. This post will be an excellent resource for those looking to understand the principles of partially homomorphic encryption with Paillier and its use cases.

Pascal Paillier, Creator of Paillier Cryptosystem

Vlog

You can either continue to read this tutorial or watch the following video. They both cover the implementation of Paillier cryptosystem with its homomorphic features in python programming language.

🙋‍♂️ You may consider to enroll my top-rated cryptography course on Udemy

Cryptography Basiscs From Scratch In Python

🐍 Python Library

In this post, we will mostly focus on the math behind the cryptosystem and implement it from scratch. If you are interested in how to use the algorithm easy and fast instead of its mathematical foundation, then you may consider to use LightPHE.

LightPHE is a lightweight partially homomorphic encryption library for python. It wraps many partially homomorphic algorithms such as RSA, ElGamal, Exponential ElGamal, Elliptic Curve ElGamal, Paillier, Damgard-Jurik, Okamoto–Uchiyama, Benaloh, Naccache–Stern, Goldwasser–Micali. With LightPHE, you can build homomorphic crypto systems with a couple of lines of code, encrypt & decrypt your data and perform homomorphic operations such as homomorphic addition, homomorphic multiplication, homomorphic xor, regenerate cipher texts, multiplying your cipher text with a known plain constant according to the built algorithm.

# pip install lightphe
from lightphe import LightPHE

# build a cryptosystem
cs = LightPHE(algorithm_name = 'Paillier')

# define plaintexts
m1 = 17
m2 = 23

# calculate ciphertexts
c1 = cs.encrypt(m1)
c2 = cs.encrypt(m2)

# performing homomorphic addition on ciphertexts
assert cs.decrypt(c1 + c2) == m1 + m2

# scalar multiplication (increase its value 5%)
k = 1.05
assert cs.decrypt(k * c1) == k * m1

You may consider to watch the LightPHE demo video.

Now, let’s turn back to understand and implement the crypto system from scratch!

Pre-requisites

Similar to RSA, we are firstly expected to pick two different large primes.

p = 13
q = 17
assert p != q

We should perform the primeness tests for p and q.

def is_prime(n):
    for i in range(2, n): # [2, n)
        if n % i == 0:
            return False
    return True
# ---------------------------------
assert is_prime(p)
assert is_prime(q)

We then calculate the totient function of n where n is the multiplication of two primes we just picked.

import math
n = p*q
phi = (p-1)*(q-1)
assert math.gcd(n, phi) == 1

Paillier cryptosystem depends on a L function such that L(x) = (x-1)/n. Notice that result of function L must be integer always. We will use this function in optionally key generation and decryption.

def lx(x):
    y = (x-1)/n
    assert y - int(y) == 0
    return int(y)

Key Generation

We are going to generate generator g, lamdba and mu. According to the original paper,

g should be picked randomly in range of [0, n*n]
Lambda is the least common multiple (lcm) of p-1 and q-1. Lcm function comes with python 3.9.
Mu should be calculated with the formula such that μ = ( L(g^λ mod n²) )^-1

g = random.randint(0, n*n)
lmbda = math.lcm(p-1, q-1)
mu = pow(lx(pow(g, lmbda, n*n)), -1, n)

Instead, we are simply able to generate these values as:

g should be equal to n plus 1
lambda should be equal to the totient function of n or shortly phi
mu is equal to the multiplicative inverse of lambda in mod n

g = n + 1
lmbda = phi * 1
mu = pow(lmbda, -1, n)

This simplified variant is recommended for implementation purposes because of required time.

So, public key will be n, g and mu to encrypt messages whereas private key will be lambda to decrypt messages.

Encryption and decryption theory

To encrypt a message, we are going to calculate the message-th power of generator times n-th power of a random integer in modulus n squared.

c = g^m . rⁿ (mod n²)

Then, we are able to restore a message from ciphertext c with the following formula.

m = L(c^λ mod n²) x μ (mod n)

Proof of Paillier decryption

You can skip to the next topic if you are not interested in the math behind the algorithm.

Remember the ciphertext calculation formula first.

c = g^m . rⁿ (mod n²)

We have set generator g to n+1.

c = (1+n)^m . rⁿ (mod n²)

Plaintext restoration requires to find lambda-th power of ciphertext.

c^λ = ( (1+n)^m . rⁿ )^λ mod n²

Move lambda-th power into the parenthesis

c^λ = (1+n)^mλ . r^nλ mod n²

Please focus on the term r^nλ mod n², we have set lambda to totient function ϕ(n) in the simplified key generation.

r^nϕ(n) mod n²

Besides, totient function of n-squared is n times ϕ(n) if n is the multiplication of two prime numbers.

ϕ(n²) = n.ϕ(n)

where n=pq and p and q are prime numbers.

So, the term – r^nϕ(n) mod n² – is exactly same with the Fermat-Euler Theorem. This has to be 1 according to this theorem. In that way, we can simplify the lambda-th power of ciphertext.

c^λ = (1+n)^mλ mod n²

To expand the mλ-th power of (1+n), we are going to use binomial theorem.

(x+y)ⁿ = C(n, 0).xⁿy⁰ + C(n, 1).x^n-1y¹ + C(n, 2).x^n-2y² + …

Apply binomial theorem to the (1+n)^mλ

(1+n)^mλ = C(mλ, 0)1^mλn⁰ + C(mλ, 1)1^mλ-1n¹ + C(mλ, 2)1^mλ-2n² + … mod n²

(1+n)^mλ = 1 + nmλ + C(mλ, 2)1^mλ-2n² + … mod n²

Since the third term, all items are divisible by n². And we are working on mod n². That is why, we can ignore these terms and have much simplified expression.

(1+n)^mλ = 1 + nmλ mod n²

Now, please focus on the decryption.

m = L(c^λ mod n²) x μ (mod n)

Replace lambda-th power of ciphertext in the plaintext restoration formula.

m = L(1 + nmλ mod n²) x μ (mod n)

Formula of function L is such that

L(u) = (u-1)/n

Expand the formula L in the plaintext restoration.

m = ( (1 + nmλ – 1)/n ) x μ (mod n)

Plus 1 and minus 1 terms and also n terms in the dividend and divisor can be simplified.

m = mλ x μ (mod n)

We have set μ to multiplicative inverse of totient function in modulus n. We also set λ to totient function itself. So, multiplication of λ and μ must be 1.

m = m (mod n)

As you can see, Paillier decryption is proven because m is equal to m always!

Encryption and decryption implementation

So, we are going to use following function to encrypt and decrypt messages. Notice that modulus is n squared is required in encryption whereas n itself is required in decryption.

def encrypt(m, r):
    assert math.gcd(r, n) == 1
    c = ( pow(g, m, n*n) * pow(r, n, n*n) ) % (n*n)
    return c

def decrypt(c):
    p = ( lx(pow(c, lmbda, n*n)) * mu ) % n
    return p

Encryption and decryption

Suppose that we want to encrypt a message 123. We will also need to generate a random integer for each encryption.

m = 123
r = random.randint(0, n)

c = encrypt(m, r)
p = decrypt(c)

assert p == m

Additive homomorphic feature

To encrypt a message, we are using a formula such that

E(m, r) = g^m . rⁿ (mod n²)

Let’s encrypt a message pair according to this formula.

E(m₁, r₁) = g^m₁ . r₁ⁿ (mod n²)

E(m₂, r₂) = g^m₂ . r₂ⁿ (mod n²)

Multiply these two encrypted messages

E(m₁, r₁).E(m₂, r₂) = g^m₁.g^m₂.r₁ⁿ.r₂ⁿ (mod n²)

Here, g bases and n exponents are common. We can simplify this as

E(m₁, r₁).E(m₂, r₂) = g^m₁+m₂.(r₁.r₂)ⁿ (mod n²)

On the other hand, if we encrypt the sum of these message pair with the multiplication of its random keys, we will have same result.

E(m₁+m₂, r₁.r₂) = g^m₁+m₂.(r₁.r₂)ⁿ (mod n²)

So, Paillier is homomorphic with respect to the addition.

Additive homomorphic implementation

Let’s encrypt a message pair with Paillier cryptosystem.

m1 = 123
r1 = random.randint(0, n)

m2 = 37
r2 = random.randint(0, n)

c1 = encrypt(m1, r1)
c2 = encrypt(m2, r2)

The following rule must be satisfied always because we proven Paillier is homomorphic with respect to the addition.

assert (c1*c2) % (n*n) == encrypt(m1 + m2, r1*r2)

Re-encrypting a ciphertext with the neutral element

Neutral element in addition is 0. If we add 0 to something, we must have same value. This rule is valid in Paillier. But Paillier has one to many mapping. In other words, a plaintext should have many ciphertext. If we multiply something to the encrypted neutral element, then we should have different ciphertexts but this should not affect plaintext.

m1 = 123
r1 = random.randint(0, n)
c1 = encrypt(m1, r1)

m2 = 0
r2 = random.randint(0, n)
c2 = encrypt(m2, r2)

c1_reencrypted = (c1*c2) % (n*n)

assert c1 != c1_reencrypted
assert decrypt(c1) == decrypt(c1_reencrypted)

This usage is very common in e-voting applications. Imagine that a political party got same votes in many ballot boxes. We can re-encrypt that number of votes with neutral element and we have many different ciphertexts. However, we will have same plaintext when we decrypt it.

Multiplicative homomorphic feature

Remember that we are using the following rule to encrypt messages

E(m, r) = g^m . rⁿ (mod n²)

Let’s encrypt a message m₁ according to this rule.

E(m₁, r₁) = g^m₁ . r₁ⁿ (mod n²)

Then, let’s find the message m₂-th power of encrypted message m₁. Notice that E(m₁, r₁) is encrypted but m₂ is plain here.

E(m₁, r₁)^m₂ = (g^m₁ . r₁ⁿ)^m₂ (mod n²)

Let’s apply the m₂ power into the parenthesis.

E(m₁, r₁)^m₂ = g^m₁m₂ . r₁^nm₂ (mod n²)

On the other hand, if we encrypt the multiplication of m₁ and m₂ with the random key m₂-th power of r₁, we will have the same result.

E(m₁m₂, r₁^m₂) = g^m₁m₂ . r₁^{^nm₂} (mod n²)

Multiplicative homomorphic implementation

Let’s encrypt a message pair first.

m1 = 123
r1 = random.randint(0, n)
c1 = encrypt(m1, r1)

m2 = 25
r2 = random.randint(0, n)
c2 = encrypt(m2, r2)

The following rules must be satisfied because we proven the multiplicative homomorphic feature of Paillier.

assert pow(c1, m2, n*n) == encrypt(m1*m2, pow(r1, m2, n*n))
assert pow(c2, m1, n*n) == encrypt(m1*m2, pow(r2, m1, n*n))

Why Paillier is not fully homomorphic

Even though Paillier has both additive and multiplicative homomorphic features, this does not make it fully homomorphic. In its multiplicative feature, we have to use a plain message-th power of a encrypted message. In fully homomorphic encryption, we should perform the multiplication of two encrypted values.

Conclusion

So, we have mentioned Paillier cryptosystem with its homomorphic features and implement it in python programming language from scratch. In contrast to RSA and ElGamal, Paillier comes with additive and homomorphic features by default. This made the crypto-system very popular in the past for real world homomorphic encryption applications such as e-voting. Still, the crypto-system is not fully homomorphic.

I pushed the source code of this experiment to GitHub. You can support this study if you star its repo.

Like this blog? Support me on Patreon