privacy preserving systems for dynamic resource …...services. resource allocation matters in...
TRANSCRIPT
Privacy preserving systems for
dynamic resource reallocation
Yuehan Zhao
u6417810
COMP8755
Supervised by
Dr. Sid Chi-Kin Chau
May 31, 2019
A thesis submitted in part fulfillment of the degree of
Master of Computing
College of Engineering and Computer Science
The Australian National University
For Sid Chi-Kin Chau,
who provides the project and supports me for
a full year to finish the project
For my parents,
who support me to come to ANU and study
here
For Weifa Liang,
who gives us applicable advice during the
initial and final presentation
i
Abstract
Resource allocation is the heart of public services and has always been a difficult
issue to solve. It contains the sharing of space and sharing of public services such
as the living space or the transportation arrangement. Privacy-preserving dynamic
resource allocation guarantees that the service and facilities will make the smart
operations to meet the actual demands due to the client and reduce the cost. Also
it guarantees the privacy between users and server.
The approach that I use to solve the privacy-preserving dynamic resources
reallocation problem includes four algorithms. Two algorithms are based on Paillier
cryptosystem, one is based on ELGamal cryptosystem and the other one is based
on the transition algorithm. The results I obtained in this report include the
computation time analysis, the simulation and an Android application to visualize
the experiment. The impacts of the results include the new way of thinking of the
privacy-preserving resource reallocation problem and I hope this can contribute to
the current research.
Keywords: Resource allocation, privacy-preserving, Paillier cryptosystem, EL-
Gamal cryptosystem
Contents
1 Background 1
1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3 Report Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2 Introduction 3
2.1 Homomorphic Encryption . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1.1 Basic concept of homomorphic encryption . . . . . . . . . . . 3
2.2 Public-key cryptography . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2.1 Paillier Cryptosystem . . . . . . . . . . . . . . . . . . . . . . . 6
2.2.2 ELGamal Cryptosystem . . . . . . . . . . . . . . . . . . . . . 9
3 Design and Implementation 13
3.1 Related Privacy Preserving Algorithm . . . . . . . . . . . . . . . . . 13
3.1.1 Paillier cryptosystem . . . . . . . . . . . . . . . . . . . . . . . 13
3.1.2 ELGamal cryptosystem . . . . . . . . . . . . . . . . . . . . . . 13
3.2 Algorithms for dynamic resource allocation . . . . . . . . . . . . . . . 14
3.2.1 Paillier Algorithm 1 . . . . . . . . . . . . . . . . . . . . . . . . 14
3.2.2 ELGamal Algorithm 2 . . . . . . . . . . . . . . . . . . . . . . 15
3.2.3 Transition Algorithm 3 . . . . . . . . . . . . . . . . . . . . . . 17
3.2.4 Paillier Algorithm 4 . . . . . . . . . . . . . . . . . . . . . . . . 19
4 Experiment Result 22
4.1 Experiment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
4.1.1 Paillier algorithm 1 Computation time . . . . . . . . . . . . . 22
4.1.2 ELGamal algorithm 2 Computation time . . . . . . . . . . . . 26
4.1.3 Transition algorithm 3 Computation time . . . . . . . . . . . 27
4.1.4 Paillier algorithm 4 Computation time . . . . . . . . . . . . . 27
4.2 Experiment result . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
4.2.1 Algorithm 1 simulation . . . . . . . . . . . . . . . . . . . . . 30
4.2.2 Algorithm 2 simulation . . . . . . . . . . . . . . . . . . . . . 32
4.2.3 Algorithm 3 simulation . . . . . . . . . . . . . . . . . . . . . . 33
4.2.4 Algorithm 4 simulation . . . . . . . . . . . . . . . . . . . . . . 34
5 Conclusion and Future Work 39
5.1 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
5.2 Future work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
i
.1 Appendix A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
.2 Appendix B . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
.2.1 Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
.2.2 System of application . . . . . . . . . . . . . . . . . . . . . . . 48
.2.3 List of files . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
.3 Appendix C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
List of Figures1 Example of dynamic sharing of space . . . . . . . . . . . . . . . . . . 1
2 Symmetric cryptography . . . . . . . . . . . . . . . . . . . . . . . . . 5
3 Asymmetric cryptography . . . . . . . . . . . . . . . . . . . . . . . . 6
4 Paillier cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
5 Multiplicative ELGamal cryptosystem . . . . . . . . . . . . . . . . . 9
6 Additive ELGamal cryptosystem . . . . . . . . . . . . . . . . . . . . 11
7 Flow of Algorithm 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
8 Paillier algorithm 1 total computation time . . . . . . . . . . . . . . . 23
9 Paillier algorithm 1 encryption time . . . . . . . . . . . . . . . . . . . 23
10 Paillier algorithm 1 decryption time . . . . . . . . . . . . . . . . . . . 23
11 Paillier algorithm 1 server processing time . . . . . . . . . . . . . . . 24
12 ELGamal algorithm 2 total computation time . . . . . . . . . . . . . 24
13 ELGamal algorithm 2 encryption time . . . . . . . . . . . . . . . . . 25
14 ELGamal algorithm 2 decryption time . . . . . . . . . . . . . . . . . 25
15 ELGamal algorithm 2 server processing time . . . . . . . . . . . . . . 25
16 Transition algorithm 3 computation time . . . . . . . . . . . . . . . . 27
17 Paillier algorithm 4 total computation time . . . . . . . . . . . . . . . 28
18 Paillier algorithm 4 encryption time . . . . . . . . . . . . . . . . . . . 28
19 Paillier algorithm 4 decryption time . . . . . . . . . . . . . . . . . . . 28
20 Paillier algorithm 4 server processing time . . . . . . . . . . . . . . . 29
21 Paillier algorithm 1 key generation . . . . . . . . . . . . . . . . . . . 30
22 Paillier algorithm 1 encryption . . . . . . . . . . . . . . . . . . . . . . 31
23 Paillier algorithm 1 server process . . . . . . . . . . . . . . . . . . . . 31
24 ELGamal algorithm 2 key generation . . . . . . . . . . . . . . . . . . 33
25 ELGamal algorithm 2 additive encryption . . . . . . . . . . . . . . . 33
26 ELGamal algorithm 2 multiplicative encryption . . . . . . . . . . . . 34
27 ELGamal algorithm 2 server process . . . . . . . . . . . . . . . . . . 34
28 Transition algorithm 3 aggregate schedule of occupancy . . . . . . . . 36
29 Paillier algorithm 4 key generation . . . . . . . . . . . . . . . . . . . 37
30 Paillier algorithm 4 encryption . . . . . . . . . . . . . . . . . . . . . . 37
31 Paillier algorithm 4 server process . . . . . . . . . . . . . . . . . . . . 37
32 Paillier algorithm 4 aggregate schedule of occupancy . . . . . . . . . . 38
33 User process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
34 Server process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
iii
35 Log in interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
36 Sign up interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
37 Usage interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
38 Number of usages for current user interface . . . . . . . . . . . . . . . 55
39 Aggregate schedule of occupancy schedule interface . . . . . . . . . . 56
List of Tables1 Original usage of users . . . . . . . . . . . . . . . . . . . . . . . . . . 30
2 Input of Paillier Algorithm 1 . . . . . . . . . . . . . . . . . . . . . . . 32
3 Paillier algorithm 1 result: Number of usages in used time slots for
each user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
4 ELGamal algorithm 2 result: The number of usages for current user 35
5 Algorithm 3,4 Number of usages for current user . . . . . . . . . . . . 35
6 Transition algorithm 3 Z vector for each user . . . . . . . . . . . . . . 36
7 Transition algorithm 3 reassigned usage for each time slot . . . . . . . 36
8 Paillier algorithm 4 reassigned usage for each time slot . . . . . . . . 36
v
1. BackgroundThe background chapter includes my motivation and goals of doing this project
and also the structure of the report.
1.1 Motivation
Cities have become the major living place for human beings. Around 54% of
population live in cities right now[1]. However, people are still struggling with
some problems living in the cities due to the lack of resources. There are also
some limitations and competitions for wide range of urban facilities services. For
example, the living spaces, the transportation services and some other public
services. Resource allocation matters in public services and has been a difficult
issue to solve. Here I want to resolve the dynamic resource allocation problem,
which is due to the actual demands of the users. Here I provide two concrete
examples[2].
The first one is the dynamic sharing of public services, which includes the
transportation arrangement, the garbage collection and some other public services.
The operator can reduce the operation cost due to a reasonable dynamic resource
allocation algorithm. For example, if there are only two people want to take a
bus at 11 pm, the operator will not try to arrange 10 buses there because it will
significantly increase the cost.
The second one is the dynamic sharing of space, which means that a group
of people can share their spaces due to the demands of personal schedule. If the
Figure 1: Example of dynamic sharing of space
1
sharing space is not full, it can be reallocated by the operator for some other
purpose, e.g. storage. Also if only two people want to use a room, the operator
can dynamically allocate a small room for them instead of a big room which can
hold 500 people. Figure 1 is an example of the dynamic sharing of space problem.
A group of users want to use the room and the facility operator wants to make a
reasonable room allocation plan. First the users provide their personal schedules
to the facility operator and then the dynamic resource allocation algorithm will
provide two schedules. The first one is shared schedules, the users can know the
number of usages of the time slots he is going to use. For those time slots he does
not want to use, he cannot know about the number of usages, so it shows as the
question mark. The second one is an aggregated schedule of occupancy. Here the
server will have an aggregate schedule of occupancy, where S means small room,
B means big room and X means no user will use it. In this way, it can reduce the
incurred cost for the facility and service operators.
Also, people in Australia don’t like to share their information with others, hence
I want to use a privacy preserving algorithm to implement the dynamic resource
allocation algorithm[3].
1.2 Goals
I have three goals for my report. The first goal is to implement a method to compute
the number of usages of the time slots when the current user is going to use. The
second goal is to calculate the aggregate schedule of coarse occupancy for all time
slots, thus can generate a better resource reallocation plan due to it. The third goal
is to implement a simple Android application to visualize the algorithm.
1.3 Report Structure
The report contains the following part. The second chapter is the introduction,
which includes the basic knowledge I am using for the dynamic resource allocation
algorithm. The third chapter is the design and implementation. In this part, I will
introduce four algorithms based on the public-key cryptography to implement the
goals. The fourth chapter is the experiment result of the algorithms I provide. The
last chapter is the conclusion and future work.
2. IntroductionThe introduction part introduces the related knowledge for the privacy-preserving
dynamic resource allocation algorithm.
2.1 Homomorphic Encryption
Homomorphic Encryption schemes is an open problem proposed by the Cryptog-
raphy long time ago and is developed with the research of public key encryption
system. Ron Rivest and Leonard Adelman and Michael L. Dertouzos proposed the
concept based on the application in bank background. Ron Rivest and Lenonard
Adleman is the founder of RSA algorithm[4], which is one of the most famous
homomophic encryption algorithm. RSA algorithm is the first one found to
own the property of Homomorphic multiplication and the reliability is based on
the practical difficulty of the factorization of the product of two large prime numbers.
So what is homomorphic encryption? Craig Gentry first denote the fully
homomorphic encryption: ”A way to delegate processing of your data, without
giving away access to it.”[5]
Generally, the encryption scheme is mainly focused on the data storage security.
For example, if we need to send someone else an encrypted message, or we want
to store message on the computer or the server, we need to first encrypt the
message before we send it or store it. Anyone without the keys cannot know
the information of the original message. Only the clients with keys can decrypt
correctly and get the message. Clients should not do anything to the result of
encrypted message, otherwise he or she will get wrong decrypted message. The
most interesting thing of homomorphic encryption is that it mainly focused on
the data processing security. Homomorphic encryption offers a function to process
the cipher, which means that the clients can process the encrypted message,
but it will not reveal any information of the original message. Meanwhile, the
user with the key can process the cipher and get the result after processing exactly[6].
2.1.1 Basic concept of homomorphic encryption
If we have a encryption function E, which can encrypt plian text m1 to ciphertext
m′1 and encrypt plain text m2 to cipher text m′2. Then we have a decryption
function D, which can decrypt the message which has been encrypted before[6].
3
For the general encryption method, if we add m′1 and m′2, or we multiply A′ and
B′, we normally get meaningless message from the decryption method.
Homomorphic encryption
Here we define S,P as two calculations and K as the key, N ∈ N. If
S(Ek(m1), Ek(m2), . . . , Ek(mN)) = Ek(P (m1,m2, . . . ,mN)) (2.1)
Then we say the encryption function E is homomorphic encryption.
Additive homomorphic encryption
For any plain text m1, m2, if we have
Ek(m1 +m2) = Ek(m1) + Ek(m2) (2.2)
D(Ek(m1) + Ek(m2)) = m1 +m2 (2.3)
Then we say the encryption function E has the property of an additive homomor-
phic encryption.
Multiplicative homomorphic encryption
For any plain text m1, m2, if we have
Ek(m1 ·m2) = Ek(m1) · Ek(m2) (2.4)
D(Ek(m1) · Ek(m2)) = m1 ·m2 (2.5)
Then we say the encryption function E has the property of an multiplicative
homomorphic encryption.
Somewhat homomorphic encryption
If a homomorphic encryption scheme has the property of additive and multiplicative
homomorphic encryption but can only perform a limited number of operations, then
we say this homomorphic encryption scheme is a somewhat homomorphic encryption
schema.
Fully homomorphic encryption If a homomorphic encryption scheme has the
property of additive and multiplicative homomorphic encryption and can perform
any number of operations, then we say this homomorphic encryption scheme is a
fully homomorphic encryption schema[7].
2.2 Public-key cryptography
Key cryptosystem consists of symmetric-key cryptography and asymmetric-key
cryptography. Symmetric-key cryptography uses the same key to encrypt and,
Figure 2: Symmetric cryptography
which is shown in figure 2. Although it has the advantage of small amount of
calculation, fast encryption and high efficiency in encryption, the disadvantages
are quite apparent. For example, keys transportation problem. The client and the
server needs to transmit the key and the message privately. However, it is usually
very hard to find such a secure channel. Meanwhile, suppose there are n users in
a transition net, then there should be a shared key in every two users. When n is
large, the number of keys to be managed is large, which is n(n−1)2
.
Therefore, asymmetric-key cryptography, also known as public-key cryptography
is introduced. Public-key crptography can solve the problems of symmetric-key
cryptography. There are many famous public-key cryptography algorithm. For
example, RSA algorithm, ELGamal algorithm, Diffe-Helmman algorithm, etc[8].
There are also some problems using public-key cryptography. The public-key
cryptography algorithms are usually more complicated, hence taking more time to
encrypt and decrypt.
Public-key cryptography is an algorithm in cryptography. Figure 3 shows the
process of asymmetric cyrptography. It needs a pair of keys, one public key and
one private key. One is used to encrypt and the other one is used to decrypt. After
encrypting the plain text using one of the key, one can only use the corresponding
key to decrypt the original plaintext, even if the original key cannot be used to
Figure 3: Asymmetric cryptography
decrypt. This is called as the asymmetric encryption, which is different from
symmetric-key algorithm who using the same key to encrypt and decrypt. Even if
the pair of keys is related to each other mathematically, the key cannot be known
or calculated by the other key. Therefore, one key can be presented as the public
key, which can be shared to anyone. However, the other key cannot be shared,
which can only be known by the client himself. Only in this way can guarantee the
security of public-key cryptography.
2.2.1 Paillier Cryptosystem
Paillier described the paillier homomorphic cryptosystem, which is a probabilistic
asymmetric algorithm for public key cryptography[9]. The hardness of integer
factorization and computing n-th residue classes guarantees the security of paillier
cryptosystem. The scheme is an additive homomorphic cryptosystem. Figure 4
shows the process of Paillier cryptosystem.
Key generation
First select two large primes numbers p and q.
calculate n = p · q, λ = lcm(p− 1, q − 1), where lcm(a, b) means Least Common
Multiple.
Next, select the random integer g, where g ∈ N and the order of g is a
Figure 4: Paillier cryptosystem
multiple of n. Paillier mentioned that g should be small for good performance.
For example, g = 2. However, according to the survey, g = n + 1 will have better
performance.Then the public key is (n,g).Private key is (p,q).
Encryption
For any plain text m ∈ N, select a random integer r ∈ N, then the cipher text
c = E(m) = gm · rn mod n2
Decryption
Use the private key to decrypt, then the plain text is m = L(cλ mod n2)L(gλ mod n2)
mod n.
Define L(u) = u−1n
for u ≤ n2 when u = 1 mod n.
Lemma 1 Paillier cryptosystem can get correct plain text after
decryption
Proof We have m = L(cλ mod n2) · u. By the definition above,
m =L(cλ mod n2)
L(gλ mod n2)mod n (2.6)
Notice that λ is the private key and then apply Carmichael’s theorem we can get
cλ = (gm · rn)λ = gm·λ · rn·λ = gm·λ (2.7)
By the Binomial theorem,
(1 + n)x =∑k=0
x(xk
)nk = 1 + n · x+
(x2
)n2 + nhigherpower (2.8)
we can get
(1 + n)x ≡ 1 + n · x mod n2 (2.9)
Therefore
gmλ = ((1 + n)α · βn)λm = (1 + n)αλm · βnλm ≡ (1 + αλmn) mod n2 (2.10)
By the definition of L(u) function,
L(cλ mod n2)
L(gλ mod n2)mod n =
L(1 + αλmn)
L(1 + αλn)mod n =
αλmn
αλnmod n = m (2.11)
which proves the correctness of Paillier cryptosystem.
Homomorphic properties For any m1, m2 ∈ N and k as the key, use paillier
homomorphic cryptosystem to encrypt we can get Ek(m1) = gm1 · r1n mod n2,
Ek(m2) = gm2 · rn2 mod n2, then we have
Ek(m1) · Ek(m2) = gm1+m2 · (r1r2)n mod n2 (2.12)
From the paillier decryption we can know
D(Ek(m1) · Ek(m2) mod n2 = m1 +m2 mod n (2.13)
Proof
D(Ek(m1, r1) · Ek(m2, r2) mod n2)
= D(gm1 · rn1 · gm2 · rn2 ) mod n2
= D(gm1+m2 · (r1 · r2)n) mod n2 = m1 +m2 mod n
(2.14)
Thus, paillier cryptosystem is an additive homomorphic cryptosystem. Also we have
D(Ek(m1) · gm2 mod n2 = m1 +m2 mod n (2.15)
Proof
D(Ek(m1, r1) · gm2 mod n2)
= D(gm1 · rn1 · gm2) mod n2
= D(gm1+m2 · rn1 ) mod n2 = m1 +m2 mod n
(2.16)
Pallier cryptosystem also have some multiplicative properties of plain text for
m1,m2 ∈ N, k ∈ N.
D(Ek(m1)R mod n2 = R ·m1 mod n (2.17)
Figure 5: Multiplicative ELGamal cryptosystem
Proof
D(Ek(m1, r1)R mod n2) = D((gm1 · rn1 )R) mod n2
= D(gR·m1 · rn1 ) mod n2
= D(gRm1 · rRn1 ) mod n2 = R ·m1 mod n
(2.18)
D(Ek(m1)m2 mod n2 = m1 ·m2 mod n (2.19)
Proof
D(Ek(m1, r1)m2 mod n2) = D((gm1 · rn1 )m2) mod n2
= D(gm1·m2 · rn1 ) mod n2 = D(gm1m2 · rnm21 ) mod n2 = m1 ·m2 mod n
(2.20)
2.2.2 ELGamal Cryptosystem
ELGamal encryption system is described by Taher Elgamal in 1985, which is a key
encryption algorithm based on Elliptic curve cryptography and public-key cryptosys-
tem. ELGamal cryptosystem can be applied into any cyclic group. There are many
hard computing operations in cyclic group, which are usually related to discrete log-
arithm hence guaranteeing the security of ELGamal cryptosystem. Generally, the
length of cipher text generated by the ELGamal encryption scheme is twice of length
of the plain text, which is one of the disadvantage of ELGamal cryptosystem[10].
Figure 5 shows the process of multiplicative ELGamal cryptosytem and figure 6
shows the process of additive ELGamal cryptosystem.
• Multiplicative ELGamal cryptosystem
Key generation
First choose a prime p and two random integer g and x where g, x ≤ p. Then
compute y = gx mod p. Then we have the public key denoted by (y, g, p)
and the private key is x. g, p can be shared with a group of users.
Encryption
Suppose the message to be encrypted is m. Choose a random integer k from
1, . . . , p− 1, then compute cipher c1 = gk( mod p), c2 = m ∗ yk( mod p).
Then the cipher text will be (c1, c2).
Decryption
Use the private key to decrypt, then the plain text will be m = c2cx1
( mod p)
Lemma 2 ELGamal cryptosystem can get correct plain text after
decryption
Proofc2cx1
=m · yk
(gx)r= m (2.21)
The plain text cannot be got without the private key x, hence ELGamal
cryptosystem is security and the decryption is correct.
homomorphic properties
D[EKp(m1, r1) · EKp(m2, r2)] = D((gr1 ,m1hr1) · (gr2 ,m2h
r2))
= D(gr, (m1 ·m2)hr) = m1 ·m2
(2.22)
proof
E(m1) · E(m2) = (gr1,m1 · hr1) · (gr2 ,m2 · hr2)= (gr1+r2 , (m1 ·m2)h
r1+r2) = E(m1 ·m2)(2.23)
• Additive ELGamal cryptosystem
Figure 6: Additive ELGamal cryptosystem
Key generation
First choose a prime p and two random integer g and x where g, x ≤ p. Then
compute y = gx mod p. Then we have the public key denoted by (y, g, p)
and the private key is x. g, p can be shared with a group of users.
Encryption
Suppose the message to be encrypted is m. Choose a random integer k from
1, . . . , p− 1, then compute cipher c1 = gk( mod p), c2 = gm · yk( mod p).
Then the cipher text will be (c1, c2).
Decryption
Use the private key to decrypt, then the plain text will be gm = c2cx1
( mod p)
Then generate a looking up table of base g, then get the plain text m.
Lemma 2 ELGamal cryptosystem can get correct plain text after
decryption
Proofc2cx1
=gm · yk
(gx)r= gm (2.24)
Then generate the looking up table to find the plain text m. The plain text
cannot be got without the private key x, hence ELGamal cryptosystem is
security and the decryption is correct. homomorphic properties
D[EKp(m1, r1) · EKp(m2, r2)] = D((gr1 ,m1hr1) · (gr2 ,m2h
r2))
= D(gr, (m1 ·m2)hr) = m1 ·m2
(2.25)
proof
E(m1) · E(m2) = (gr1, gm1 · hr1) · (g(r2), gm2 · hr2)
= (gr1+r2 , (gm1+m2)hr1+r2) = E(m1 +m2)(2.26)
3. Design and ImplementationThe design and implementation part contains the algorithms to solve the dynamic
resource allocation problem. The first two algorithms are to calculate the number
of usages for current user in his used time slots. The last two algorithms are to
generate an aggregate schedule of coarse occupancy.
3.1 Related Privacy Preserving Algorithm
3.1.1 Paillier cryptosystem
Paillier cryptosystem is an additive homomorphic cryptosystem. Here we use the
following properties.
D[EKp(m1, r1) · EKp(m2, r2) mod n2] = m1 +m2 mod n (3.1)
D[EKp(m1, r1)m2 mod n2] = m1 ·m2 mod n (3.2)
Here Kp represents the shared public key. n is generate by n = p·q where p and q
are random large primes. m is the message that waiting to be encrypted. r1, r2 ∈ Nare random positive numbers. Suppose there are N users and m time slots, denote
by ui = [b1i , b2i , . . . , b
mi ]. Here i ∈ [1 . . . N ] and m is the number of time slots. [?]
3.1.2 ELGamal cryptosystem
ELGamal cryptosystem is a multiplicative homomorphic cryptosystem. Here we use
the following properties.
D[EKp(m1, r1) · EKp(m2, r2)] = D((gr1 ,m1hr1) · (gr2 ,m2h
r2))
= D(gr, (m1 ·m2)hr) = m1 ·m2
(3.3)
Here Kp represents the shared public key. r1, r2 ∈ N are random positive
numbers,r = r1 + r2. ELGamal cryptosystem can also be made to a addictive
homomorphic cryptosystem based on the exponential properties. Here we use the
following properties to implement the privacy-preserving algorithm.[10]
D[EKp(m1, r1) · EKp(m2, r2)] = D((gr1 , gm1 · hr1) · (gr2 , gm2 · hr2))= D(gr1+r2 , g(m1+m2) · hr1+r2) = m1 +m2
(3.4)
Here Kp represents the shared public key. r1, r2 ∈ N are random positive numbers.
13
3.2 Algorithms for dynamic resource allocation
3.2.1 Paillier Algorithm 1
Given users’ usage, for each user, calculate the number of all the users who is going
to use in user i’s used time slot. Here we use bji = 0 to represent the user i does not
use time slot j and bji = Rj to represent user i uses time slot j.
Algorithm 1 Number of usages for current user calculation.
Require: The set of users’ usages in each time slot, bji ;
1: Each user encrypts own usage.
2: Ei = [Ekp,rij (bji ), EKp,rij (b
2i ), . . . , EKp,rij (b
mi )]. User sends own encrypted usage
to server privately.
3: Server process multiplication for users’ usages in each time slot. EKp,rj(Sj) =
Ekp,rj(∑N
i=1(bji )) = (
∏Ni=1EKp,rj(b
ji ))modn
2, j ∈ [1 . . .m].
4: Server then send EKp,rj(Sj) back to each user.
5: Sj =∑N
i=1(bji ) = x ·Rj
6: return Sj;
Each user set own usage bi. If bji = 1, then bji = Rj, where Rj is a random
integer, j ∈ [1, . . . ,m]. Then each user individually using paillier cryptosystem to
encrypt usage Ei = [Ekp,rij (b1i ), EKp,rij (b
2i ), . . . , EKp,rij (b
mi )].
Then users send the encrypted usage to the server. For each time slot, server process
the multiplication for all users’ encrypted schedule, EKp,rj(Sj) = (∏N
i=1(EKp,rj(bji ))
where j ∈ [1 . . .m]. Server sends this encrypted schedule EKp,rj(Sj) back to the
users. As the formula described, Sj contains the aggregation of the encrypted
usages of users in time slot j. Each user decrypts the schedule Sj from the server.
After decryption, user gets the schedule Sj =∑N
i=1(bji ). If bji = 0, then the user
cannot get the number of usages in time slot j because the user does not know the
value of Rj. Otherwise, if bji = 1, which proves that the user knows the value of
Rj, then he can just simply use Sj = x · Rj to divide by Rj and get the number of
usages x in time slot j.
lemma 1 Algorithm 1 is correct
Proof The ideal output for the number of usages calculation algorithm is that in
time slot j will be some certain of value of number of usages if the current user
usages for time slot j. And when the current user does not use time slot j, he will
receive meaningless message.
From the homomorphic properties of paillier algorithm, we have that
Sj =∑N
i=1(bji ) = x · Rj, Therefore, when bji = 0, the user has no idea of Rj,
hence the user cannot know the value of x. Therefore, when bji = 0, the user will
only get meaningless message. When bji = 1, Sj = R ·∑N
i=1(bji ) = x · Rj, the user
knows about Rj, hence he can get the value of x. Therefore, algorithm 1 is correct.
lemma 2 Algorithm 1 is privacy-preserving
Proof The ideal private-preserving algorithm is that server cannot know any infor-
mation from any user and the users cannot know each other’s usages for any time
slot. We know that firstly each user encrypts his message privately and send it to
the server. Therefore, each user cannot know any other user’s message in encryption
stage. By the homomorphic properties of paillier algorithm and public cryptography,
the server does not have private key and hence cannot know the information about
users. In decryption, the user will use the private key to decrypt their schedule, and
they will only know the number of usages in time slot j when bji = 1. Otherwise
the user will get meaningless message. So the users cannot know any other user’s
schedule. Therefore, algorithm 1 is privacy-preserving.
3.2.2 ELGamal Algorithm 2
Given users’ usages, for each user, calculate the number of usages in user i’s used
time slot. Here I combined the exponential ELGamal algorithm with multiplicative
ELGamal algorithm. I use bji = 0 to represent the user i does not use time slot j
in ELGamal additive(exponentiatl) algorithm, bji = R to represent user i does not
use time slot j in ELGamal multiplication algorithm and bji = 1 to represent user i
uses time slot j, where R ∈ N is a random positive integer which is supposed to be
largely greater than the number of users N .
Each user set own usage bi and then individually using exponential ELGamal
cryptosystem to encrypt own usage Ei = [Ekp,r(b1i ), EKp,r(b
2i ), . . . , EKp,r(b
mi )] and
send it to server privately. For each user i and each time slot j, server process the
multiplication EKp,r(Xj) = Ekp(∏N
i=1(bji )) of the user’s encrypted schedule to get
the aggregation of users’ usages EKp,r(Xj), where j ∈ [1, . . . ,m]. Now each user
encrypts own usage by multiplicative ELGamal algorithm with the same pair of
private key and public key, Emi = [Emkp,r(b1i ),
Emkp,r(b2i ), . . . , Emkp,r(b
mi ) and sends it to server privately. Server process mul-
tiplication with the previous aggregate encrypted schedule and user i’s encrypted
schedule EmKp,r(Vji ) = Emkp,r(b
ji ) ·Ekp,r(Xj). Server then sends the encrypted plan
EmKp,r(Vi) back to user i. In decryption, if V ji = None, then the user has no idea
Algorithm 2 Number of usages for current user calculation.
Require: The set of users’ usages in each time slot, bij1: Each user encrypts own usage using exponential ELGamal algorithm. Ei =
[Ekp,r(b1i ), EKp,r(b
2i ), . . . , EKp,r(b
mi )]. User sends own encrypted usage to server
privately.
2: for each i ∈ [1, N ],j ∈ [1,m] do
3: EKp,r(Xj) = Ekp(∏N
i=1(bji )) = (
∑Ni=1EKp,r(b
ji ))
4: end for
5: Each user encrypts own usage using multiplicative ELGamal algorithm using the
same private key and public key Emi = [Emkp,r(b1i ), Emkp,r(b
2i ), . . . , Emkp,r(b
mi ).
6: for each user i ∈ [1, N ],j ∈ [1,m] do, compute
7: EmKp,r(Vji ) = Emkp,r(b
ji ) · Ekp,r(Xj)
8: end for
9: Server sends EmKp,r(Vi) back to user i.
10: Each user decrypts EKp,r(Vi)
11:
V ji =
{None bji = R
Otherwise bji = 1
12: return Vi
about the number of users that usages for time slot j because user i does not usage
for time slot j. Otherwise, the user i will get the number of usages for time slot j.
lemma 3 Algorithm 2 is correct
Proof The ideal output for the number of usages calculation algorithm is that in
time slot j will be some certain of value of number of usages if the current user is
going to use time slot j. And when the current user does not use time slot j, he
will receive meaningless message. From the multicative and exponential properties
of elgamal algorithm, we have that:
D[EmKp(m1, r1) · EmKp(m2, r2)] = D((gr1 , gm1 · hr1) · (gr2 , gm2 · hr2))= D(gr1 , g(m1+m2) · hr) = m1 +m2
(3.5)
D[EKp(m1, r1) · (EmKp(m2, r2) · EmKp(m3, r3))]
= D((gr1 ,m1 · hr1) · (gr2 , gm2 · hr2) · (gr3 , gm3 · hr3))
= D(gr,m1 · gm2+m3 · hr) =
{m2 +m3 m1 = 1
Otherwise m1 6= 1
(3.6)
Here EmKp(m, r) is the exponential elgamal encryption of message m. EKp(m, r)
is the multicative elgamal encryption of message m. Each user shares the same pair
of private key and public key in both exponential and multicative elgamal encryption
Figure 7: Flow of Algorithm 3
cryptosystem. Here each user uses multiplicative elgamal cryptosystem to encrypt
his usages as m1. All users use the exponential elgamal cryptosystem to encrypt
own usages and send to server to get aggregated schedule plan. From the equation
above, we can see that if m1 = 1, then the result will be the same as the decryption
of aggregated exponential elgamal encryption. However, if m1 6= 1, then there’s
no such decryption method that can find the value of the message. Therefore, the
algorithm 2 is correct.
lemma 4 Algorithm 2 is privacy-preserving
Proof The ideal private-preserving algorithm is that server cannot know any infor-
mation from any user and the users cannot know each other’s usages for any time
slot. We know that firstly each user encryped his message privately and send it to
the server. Therefore, each user cannot know any other user’s message in encryp-
tion stage. By the homomorphic properties of elgamal algorithm, the server does not
have private key and hence cannot know about the information about users. After
decryption, the user will use the private key to decrypt the encrypted schedule. The
user will only get the number of usages in time slots where he is going to use, thus
the algorithm is user-private. Therefore, algorithm 2 is privacy-preserving.
3.2.3 Transition Algorithm 3
After applying algorithm 1 or algorithm 2, each user will get the number of usages in
time slot j when the user wants to use time slot j, denote by Vi = [V 1i , V
2i , . . . , V
ji ],
where i ∈ [1, . . . , N ], j ∈ [1, . . . ,m], here if V ji = None, reassign it to 0. Now we
want to send an approximated number of usages in each time slot j, so that the
server can make an aggregate schedule of occupancy without knowing the exact
number of users usage in each time slot. The example of algorithm 3 is shown in
figure 7.
Algorithm 3 Aggregate schedule of occupancy calculation.
Require: The set of users’ usages in each time slot when user i wants to use time
slot j, denote by Vi, where Vi = [V 1i , V
2i , . . . , V
mi ]; The approximated plan,
denote by I1,I2,. . . , Ik, here k is the number of types of approximated plan.
1: for each i ∈ [1, N ],j ∈ [1,M ] do
2: initialize Zji for each user. Here Zj
i is a random positive number and only
user i knows.
3: each user calculates own approximated usage plan, denote by Ci = [ I1x
V 1i
+
Z1i ,
I2xV 2i
+ Z2i , . . . ,
ImxVmi
+ Zmi ]
4: end for
5: for i = 1; i < N ; i+ + do, compute
6: Si = Si + Ci
7: end for
8: Send the SN =∑N
i=1Ci to the first user. From the first user, compute,
9: for i = 1; i < N ; i+ + do
10: SN = SN − Zi11: end for
12: User sends the approximated plan SN = [I1x, I2x, . . . , I
mx ] to the server.
13: return SN
By algorithm 1 or 2, each user has the number of usages in time slot j if he uses
time slot j, denote by Vi, where Vi = [V 1i , V
2i , . . . , V
mi ]. If V j
i = None, reassign it
to 0. First initialize Zji for each user. Here Zj
i is a random positive number and
only user i knows. Then each user i calculate In order to compute the approximated
plan, suppose there are k number of intervals. Then we have k types of plans,
denote by I1,I2,. . . , Ik, where Ik is the number of approximated usages of type k
and I1 = 0, I2 < I3 < · · · < Ik. Here if the number of usages in time slot j
is 0 or None, then the approximated type is I1, so the approximated number of
usages is 0. Each user reassign their approximated usage plan, denote by Ci =
[ I1x
V 1i
+ Z1i ,
I2xV 2i
+ Z2i , . . . ,
ImxVmi
+ Zmi ], where Imx is the approximated number of usages.
For example, if the approximated plan I2 is 5, which means the true number of
usages is greater than 0 and less than or equal to 5. Then if the true usages for time
slot j is V ji = 2, then the approximated usage plan for user i in time slot j will be
I2V ji
+ Zji = 5
2+ Zj
i . Then for each user, calculate the aggregated of approximated
usage plan, denote by Si = Si + Ci. Then from the first to the last user, each
one subtract own Zi, denote by SN = SN − Zi. Then the last user will have
the aggregated approximated plan, denote by Si = [I1x, I2x, . . . , I
Nx ]. Then the user
sends the aggregated approximated plan to the server. The server can make an
aggregate schedule of occupancy according to the aggregated approximated plan
without knowing the exact number of usages in each time slot.
lemma 5 Algorithm 3 is correct
Proof The ideal output for the approximated number of usages in each time slot
calculation is that the server will get the approximated number for all time slots,
I = [I1, I2, . . . , Im] without knowing the exact number of usages in each time slots.
By algorithm 1 and 2, each user will get a plan which contains the number of usages
of certain time slots when he uses for these time slots. For those time slots that he
does not know the number, reassign it to be 0. After applying algorithm 3, each
user will get the approximated plan in each time slot, Sji =∑N
i=1(IjiV ji
). We know
that if the user does not know the number of usages, we assign it to 0 and otherwise
the approximated number isIjiV ji
and the sum of it will be Iji . Hence algorithm 3 is
correct.
lemma 6 Algorithm 3 is privacy-preserving
Proof The ideal private-preserving algorithm is that server cannot know any infor-
mation from any user and the users cannot know each other’s usages for any time
slot. In algorithm 3, each user has a private Zi which only user i knows. By applying
the summation, all the users will get the sum of approximated number of usages∑Ni=1(
IjiV ji
) with∑N
i=1 Zi. Then from the first user, each user subtract his own Zi and
send it to next user. Then after last user subtract his Z, all the users can receive
the approximated plan Iji for each time slot without knowing other users’ informa-
tion. After users send it to the server, server can know the aggregate schedule of
occupancy for each time slots without knowing the information of users. Therefore,
algorithm 3 is privacy-preserving.
3.2.4 Paillier Algorithm 4
Similar to algorithm 3, by applying algorithm 1 or algorithm 2, each user
will get the number of usages in time slot j when the user uses time slot j,
denote by Vi = [V 1i , V
2i , . . . , V
ji ], where i ∈ [1, . . . , N ], j ∈ [1, . . . ,m]. Here if
V ji = None, reassign it to 0. Now we want to send an approximated number
of usages in each time slot j, so that the server can make an aggregate sched-
ule of occupancy without knowing the exact number of users usage in each time slot.
Algorithm 4 Aggregate schedule of occupancy calculation.
Require: The set of users’ usages in each time slot when user i usages for time slot
j, denote by Vi, where Vi = [V 1i , V
2i , . . . , V
mi ]; The approximated plan, denote
by I1,I2,. . . , Ik, here k is the number of types of approximated plan.
1: Each user first uses the rule to generate the approximated usage individually. If
V ji ∈ (Ix, Ix+1], then Xj
i = bR·IxV jic, where R ∈ N is a random large integer and
x ∈ [1, . . . , k]. If V ji = 0, then Xj
i = 0.
2: Each user encrypts own approximated usage using paillier cryptography.
3: Ei = [Ekp,rij (Xji ), EKp,rij (X
2i ), . . . , EKp,rij (X
mi )]. User sends own encrypted ap-
proximated usage to server privately.
4: Server process multiplication for users’ approximated usages in each time slot.
EKp,rj(Hj) = Ekp,rj(∑N
i=1(Xji )) = (
∏Ni=1EKp,rj(X
ji )) mod n2, j ∈ [1 . . .m].
5: Server then sends EKp,rj(Hj) back to each user.
6: Hj = b∑N
i=1(Xji )e = bR ·Ixe, then user divides R to get the approximated usage
plan Ix
7: return Ix;
By algorithm 1 or 2, each user has the number of usages in time slot j if he
usages for time slot j, denote by Vi, where Vi = [V 1i , V
2i , . . . , V
mi ]. If V j
i = None,
reassign it to 0. We have k types of plans, denote by I1,I2,. . . , Ik, where Ik is the
number of approximated usages of type k and I1 = 0, I2 < I3 < · · · < Ik. Here if
the number of usages in time slot j is 0 or None, then the approximated type is I1,
so the approximated number of usages is 0. First initialize the approximated usage
Xji for each user. Here Xj
i = bR·IxV jic if V j
i 6= 0, otherwise Xji = 0, where R ∈ N is
a random large integer and x ∈ [1, . . . , k]. For example, if the approximated plan
I1 = 1 and I2 = 5, which means the true number of usages of type I1 is greater than
1 and less than or equal to 5. Then if the true usages for time slot j is V ji = 2, then
the approximated usage plan for user i in time slot j will be Xji = bR·1
2c. Next,
the user uses the paillier cryptosystem to encrypt the approximated individual
usage plan and sends it to the server. Then for each time slot, server calculates
the aggregated of approximated individual usage plan, denote by EKp,rj(Hj), where
j = [1, . . . , k]. The server then sends the aggregated encrypted plan back to the
user. Then the user uses the private key to decrypt, thus will get the aggregated
approximated usage plan Hj = bR · Ixe. Then the user can divide R to get
the approximated plan Ix for each time slot. Thus sever can make an aggregate
schedule of occupancy according to the apprixmated plan.
lemma 7 Algorithm 4 is correct
Proof The ideal output for the approximated number of usages in each time slot
calculation is that the server will get the approximated number for all time slots,
I = [I1, I2, . . . , Im] without knowing the exact number of usages in each time slots.
By algorithm 1 or 2, each user will get a plan which contains the number of
usages of certain time slots when he uses these time slots. For those time slots
that he does not know the number, reassign it to be 0. After initializing the
approximated usage Xji for each user, where Xj
i = bR·IxV jic. Here R is a large integer
which guarantees that the new Xji will not influence the calculation and bR·Ix
V jic will
be a big integer which can be used in Paillier cryptosystem. If R is small, then
bR·IxV jic will be largely influenced by Ix
V jiand thus generating a meaningless result for
individual approximated usage plan. By applying algorithm 4, each user will get
the approximated plan in each time slot, Hj = b∑N
i=1(Xji )e = bR · Ixe. We know
that if the user does not know the number of usages, we assign it to 0 and otherwise
the approximated number is bR · Ixe. By dividing the large integer R, each user
can get the final approximated number of usages in each time slot and the server
can get aggregate schedule of occupancy.
lemma 8 Algorithm 4 is privacy-preserving
Proof The ideal private-preserving algorithm is that server cannot know any infor-
mation from any user and the users cannot know each other’s usages for any time
slot. In algorithm 4, we know that firstly each user encryped his message privately
and send it to the server. Therefore, each user cannot know any other user’s message
in encryption stage. By the homomorphic properties of paillier algorithm and public
cryptography, the server does not have private key and hence cannot know about the
information about users. In decryption, the user will use the private key to decrypt
their schedule, and they will know the type of usages for each time slot without the
exact number. So the users cannot know any other user’s schedule and the server
cannot know the information. Therefore, algorithm 4 is privacy-preserving.
4. Experiment ResultThe experiment result part contains the computation time analysis for the four
algorithms and the simulation results of four algorithms.
4.1 Experiment
All the experiments are under such condition. The number of time slots is from
20 to 100 with the increment of 20 and the number of users is from 20 to 200 with
the increment of 20. The computation time is the average of 10 experiments.
4.1.1 Paillier algorithm 1 Computation time
Figure 8 shows the total computation time of using Paillier cryptosystem to get
the number of usages in the used time slots for current user. From the figure, we
can see that with the increasing number of users and time slots, the computation
time is increased. The computation time is largely influenced by the number of
time slots. From the image we can observe that even when the number of users is
200 and the number of time slots is 20, the approximated running time is around
100 seconds. However when the number of time slots goes to 100, the approximated
computation time is around 320 seconds, which is much slower compared to only
have a few time slots. So we can conclude that Paillier cryptosystem algorithm 1
takes a lot of time to compute.
• Client Encryption time
Figure 9 shows the client encryption time of using Paillier cryptosystem to
get the number of usages in the used slots for current user. We can observe
that the client encryption time has taken a large percentage in the total com-
putation time, which is almost 100 percent. We can see that when the number
of time slots increases, the encryption time will increase significantly. So we
can conclude that the most time consuming part in Paillier cryptosystem is
encryption procedure.
• Client Decryption time
22
Figure 8: Paillier algorithm 1 total computation time
Figure 9: Paillier algorithm 1 encryption time
Figure 10: Paillier algorithm 1 decryption time
Figure 11: Paillier algorithm 1 server processing time
Figure 12: ELGamal algorithm 2 total computation time
As shown in figure 10, the client decryption of using Paillier cryptosystem
to get the number of usages in the used slots for current user barely takes any
time. The performance of decryption procedure is good.
• Server processing time
As it can be seen in figure 11, the server processing time of Paillier algorithm
is increased with the raise of number of time slots and users. However, even
when the number of time slots and users is very big, the server processing
time is still very low. This proves that the server performance is very good
and efficient in Paillier algorithm.
Figure 13: ELGamal algorithm 2 encryption time
Figure 14: ELGamal algorithm 2 decryption time
Figure 15: ELGamal algorithm 2 server processing time
4.1.2 ELGamal algorithm 2 Computation time
Figure 12 shows that the total computation time for ELGamal algorithm to
calculate the number of usages for the current user in his used time slots is less
than paillier algorithm 1. As it can be seen, the computation time of ELGamal will
increase when the number of users or the number of time slots raises up. We can
see that the ELGamal algorithm have better performance when there are only a
few time slots. However when the number of time slots goes up, it will take more
time. However, it is still much more efficient than paillier algorithm. This can show
that the number of time slots will influence the efficiency of the ELGamal algorithm
more than the number of users. We can conclude that the ELGamal algorithm is
very efficient when there are a few time slots.
• Client Encryption time
Figure 13 shows the client encryption time of using ELGamal cryptosystem
to get the number of usages when the user is going to use the time slots. The
client encryption time raises up when the number of time slots or the number
of users is increasing. As it can be seen, the encryption time does not increase
a lot with the raise of users. It takes around 0.2 seconds while there are 200
users and 20 time slots. When there are more time slots, the encryption time
is increased. We can see that the encryption time increases to approximated
1.4 second when there are 100 time slots. We can conclude that the client
encryption time will mainly depends on the number of time slots and the
encryption process is very efficient in ELGamal algorithm.
• Client Decryption time
Figure 14 shows the client decryption time for each user of algorithm 2.
We can see that the decryption time goes up when the number of time slots
increases. From the figure, the decryption time is about 0.8 seconds when there
are 100 time slots. We can conclude that the decryption time will influenced
by the number of time slots and take large percentage of the total computation
time.
• Server processing time
Figure 16: Transition algorithm 3 computation time
As it can be seen in figure 15, the server processing time of ELGamal al-
gorithm is increased with the raise of number of time slots and users. We
can observe that the computation time of server is very low and is under 0.1
seconds even where there are 200 users and 100 time slots. We can conclude
thatthe server performance is efficient and good.
4.1.3 Transition algorithm 3 Computation time
Figure 16 shows the total computation time of using transition algorithm to get the
aggregate schedule of occupancy. The experiment is testing from 20 to 100 time
slots and 20 to 200 users respectively. It is the average computation time of 10
experiments. From the figure, we can see that the performance of algorithm 3 is
very good. It only uses 0.05 seconds when there are 100 time slots and 200 users.
Therefore, the algorithm can be applied in real time.
4.1.4 Paillier algorithm 4 Computation time
Paillier algorithm 4 has very similar performance to the Paillier algorithm 1.
Figure 17 shows the total computation time of using Paillier cryptosystem to get
the aggregate schedule of occupancy. It does not have very good performance
even when the number of time slots is low. The algorithm takes approximated 90
seconds to compute when there are 200 users and 20 time slots. So we can conclude
that Paillier cryptosystem takes a lot of time to compute.
• Client Encryption time
Figure 17: Paillier algorithm 4 total computation time
Figure 18: Paillier algorithm 4 encryption time
Figure 19: Paillier algorithm 4 decryption time
Figure 20: Paillier algorithm 4 server processing time
Figure 18 shows the client encryption time of using Paillier cryptosystem
to get the aggregate schedule of occupancy. We can observe that the client
encryption time has taken a large percentage in the total computation time,
which is almost 100 percent. And the efficiency is largely influenced by the
number of time slots. So we can conclude that the most time consuming part
in Paillier cryptosystem is encryption procedure.
• Client Decryption time
As shown in figure 19, the client decryption of using Paillier cryptosystem
to get the aggregate schedule of occupancy takes little time. So the process of
decryption is very efficient.
• Server processing time
As it can be seen in figure 20, the server processing time of Paillier algorithm
is increased with the raise of number of time slots and users. The server
processing time is under 0.1 seconds even the number of users and time slots
is large. This proves that the server performance is very good and efficient in
Paillier algorithm.
4.2 Experiment result
The experiment settings is 10 users and 5 time slots. The group of user share a same
pair of public key and private key. The original information stored in the Client is
username time slot 1 time slot 2 time slot 3 time slot 4 time slot 5
test user 1 0 0 1 0 0
test user 2 1 0 0 1 0
test user 3 1 0 1 1 0
test user 4 0 0 0 0 0
test user 5 1 1 1 1 1
test user 6 0 0 1 0 1
test user 7 1 1 0 0 0
test user 8 1 0 0 1 0
test user 9 1 0 1 1 1
test user 10 0 0 0 0 1
Table 1: Original usage of users
Figure 21: Paillier algorithm 1 key generation
shown in the table 1.
4.2.1 Algorithm 1 simulation
The Client will first generate the private key and public key, which is shown below.
From the Paillier cryptosystem, we know that there will be two large primes with
128 bits. The key generation process can be shown in figure 21.
According to pallier algorithm 1, each user will get a value Rj if bji = 1. Here
R = [R1, . . . , Rm]. The result is shown in table 2.
Then the user using the encrypt personal schedule and send it to the server.
The result of encryption is shown in figure 22. Then the server will aggregate the
encrypted schedule for each time slot. Figure 23 shows the aggregated encrypted
schedule. Then the server will return the aggregated encrypted schedule back to
each user, then user uses the public key and private key to decrypt. The table 3
shows the result of descryption for each user.
Figure 22: Paillier algorithm 1 encryption
Figure 23: Paillier algorithm 1 server process
username time slot 1 time slot 2 time slot 3 time slot 4 time slot 5
test user 1 0 0 5887306919477435809 0 0
tset user 2 7624858340458734075 0 0 4729471728074494971 0
test user 3 7624858340458734075 0 5887306919477435809 4729471728074494971 0
test user 4 0 0 0 0 0
test user 5 7624858340458734075 2929017782384013705 5887306919477435809 4729471728074494971 7633210599468489860
test user 6 0 0 5887306919477435809 0 7633210599468489860
test user 7 7624858340458734075 2929017782384013705 0 0 0
test user 8 7624858340458734075 0 0 4729471728074494971 0
test user 9 7624858340458734075 0 5887306919477435809 4729471728074494971 7633210599468489860
test user 10 0 0 0 0 7633210599468489860
Table 2: Input of Paillier Algorithm 1
username time slot 1 time slot 2 time slot 3 time slot 4 time slot 5
test user 1 0 0 5 0 0
test user 2 6 0 0 5 0
test user 3 6 0 5 5 0
test user 4 0 0 0 0 0
test user 5 6 2 5 5 4
test user 6 0 0 5 0 4
test user 7 6 2 0 0 0
test user 8 6 0 0 5 0
test user 9 6 0 5 5 4
test user 10 0 0 0 0 4
Table 3: Paillier algorithm 1 result: Number of usages in used time slots for each
user
4.2.2 Algorithm 2 simulation
The Client will first generate the private key and public key, which is shown below.
From the ELGamal cryptosystem, we know that there will be one large primes with
128 bits. Figure 24 shows the key generation for algorithm 2.
There are two kinds of input in algorithm 2. The first input is the original input
for the additive ELGamal encryption and the second one is for the multiplicative
encryption.
In order to get the number of people in each time slots, the user should also
encrypt their usage with multiplicative ELGamal encryption. Here bji = R if the
user does not vote for time slot j, where R is a random integer. The multiplicative
encrypted usage is shown in figure 26. The additive encrypted usages is shown in
figure 25.
Then the server do the multiplication to get the aggregated plan for each time
slots. The result is shown in figure 27.
Last, the user who will use the time slots can use their private key to decrypt
Figure 24: ELGamal algorithm 2 key generation
Figure 25: ELGamal algorithm 2 additive encryption
and get the number of usages in the time slot. The result is shown in figure 27.
4.2.3 Algorithm 3 simulation
In algorithm 3, first the operator will generate a random group of float
Zi = [Z1i , Z
2i , . . . , Z
mi ] to each user. By applying algorithm 1 or algorithm 2,
the user will get the number of votes for each time slots when he votes for the time
slots, the result is shown in table 5. The number of usages for each user is shown
in table 8, and the generated Z for each time slot is shown in table 6.
Then each user should determine the type of usage by the rules. For the
Figure 26: ELGamal algorithm 2 multiplicative encryption
Figure 27: ELGamal algorithm 2 server process
experiment, the number of type is 3. The number of usages from user i in time slot
j is denoted by uji . We say if xk·N ≤ uji ≤ x+1
k·N , then uji belongs to type x. Then
we reassign uji to be x
uji, which is shown in table 7. The final input will be (Zi + ui).
After applying the transition algorithm, the users and server will finally know
the type of usages in each time slot. The type is shown in figure 28.
4.2.4 Algorithm 4 simulation
The Client will first generate the private key and public key. From the Paillier
cryptosystem, we know that there will be two large primes with 128 bits. The key
generation process is shown in figure 29. The original schedule is provided by the
algorithm 1 or algorithm 2, which is shown below in table 5.
Similar to algorithm 3, each user should determine the type of usage by the rules.
For the experiment, the number of type is 3. The number of usages from user i in
time slot j is denoted by uji . We say if xk· N ≤ uji ≤ x+1
k· N , then uji belongs to
username time slot 1 time slot 2 time slot 3 time slot 4 time slot 5
test user 1 0 0 5 0 0
test user 2 6 0 0 5 0
test user 3 6 0 5 5 0
test user 4 0 0 0 0 0
test user 5 6 2 5 5 4
test user 6 0 0 5 0 4
test user 7 6 2 0 0 0
test user 8 6 0 0 5 0
test user 9 6 0 5 5 4
test user 10 0 0 0 0 4
Table 4: ELGamal algorithm 2 result: The number of usages for current user
username time slot 1 time slot 2 time slot 3 time slot 4 time slot 5
test user 1 0 0 5 0 0
test user 2 6 0 0 5 0
test user 3 6 0 5 5 0
test user 4 0 0 0 0 0
test user 5 6 2 5 5 4
test user 6 0 0 5 0 4
test user 7 6 2 0 0 0
test user 8 6 0 0 5 0
test user 9 6 0 5 5 4
test user 10 0 0 0 0 4
Table 5: Algorithm 3,4 Number of usages for current user
type x. Then we reassign uji to be bR·xujic. The final input is shown in table 8.
Then each user encrypt the their own schedule using Paillier cryptosystem. The
result is shown in figure 30.
Then the sever process multiplication for each time slot to calculate the aggre-
gated encrypted schedule of occupancy, the result is shown in figure 31.
Last, each user decrypts the aggregated approximated schedule of occupancy
and divide by R. The result is shown in the figure 32.
username time slot 1 time slot 2 time slot 3 time slot 4 time slot 5
test user 1 6133825661.004535 9520672597.35969 8405837383.193862 4327655796.1112585 7864545369.506094
test user 2 2992151461.5632224 504821273.1439457 9471603388.137575 3237697154.892989 9203262866.357733
test user 3 7305254021.267426 4061490610.7923 2777103028.3574977 2485090983.115836 1110056189.1761496
test user 4 4384517818.087211 8562086562.592957 4248644570.473121 9045502746.488913 7636019224.24958
test user 5 8559192630.512426 1175162581.814306 926687807.4156541 1200908760.6308684 1809427597.4236963
test user 6 1243865485.9794579 7932198509.076439 5674139354.320666 9257491607.207678 8236453205.65442
test user 7 4534214932.944109 8657776386.902678 790630190.3961891 4932376227.505535 447840540.3780162
test user 8 97394024.3230636 7895998972.403568 5191109435.086829 7635357311.097881 4174138361.021781
test user 9 1461048857.3608153 8771973525.172302 2325406356.177332 3318649217.3142753 9926439712.675196
test user 10 1635448096.0305316 6603338572.97395 2803988510.046929 5902442092.86887 2203921091.8938384
Table 6: Transition algorithm 3 Z vector for each user
username time slot 1 time slot 2 time slot 3 time slot 4 time slot 5
test user 1 0 0 0.2 0 0
test user 2 0.33333 0 0 0.2 0
test user 3 0.33333 0 0.2 0.2 0
test user 4 0 0 0 0 0
test user 5 0.33333 2 0.2 0.2 0.25
test user 6 0 0 0.2 0 4
test user 7 0.33333 2 0 0 0
test user 8 0.33333 0 0 0.2 0
test user 9 0.33333 0 0.2 0.2 0.25
test user 10 0 0 0 0 0.25
Table 7: Transition algorithm 3 reassigned usage for each time slot
username time slot 1 time slot 2 time slot 3 time slot 4 time slot 5
test user 1 0 0 2808876771237379584 0 0
test user 2 3511095964046724608 0 0 2808876771237379584 0
test user 3 3511095964046724608 0 2808876771237379584 2808876771237379584 0
test user 4 0 0 0 0 0
test user 5 3511095964046724608 3511095964046724608 2808876771237379584 2808876771237379584 3511095964046724608
test user 6 0 0 2808876771237379584 0 3511095964046724608
test user 7 3511095964046724608 3511095964046724608 0 0 0
test user 8 3511095964046724608 0 0 2808876771237379584 0
test user 9 3511095964046724608 0 2808876771237379584 2808876771237379584 3511095964046724608
test user 10 0 0 0 0 3511095964046724608
Table 8: Paillier algorithm 4 reassigned usage for each time slot
Figure 28: Transition algorithm 3 aggregate schedule of occupancy
Figure 29: Paillier algorithm 4 key generation
Figure 30: Paillier algorithm 4 encryption
Figure 31: Paillier algorithm 4 server process
Figure 32: Paillier algorithm 4 aggregate schedule of occupancy
5. Conclusion and Future WorkThis chapter is my conclusion about what I have done and the result of experi-
ments. Also it contains the future work I need to focus on.
5.1 Conclusion
Resource allocation has been a problem for service and facility operators. In
order to reduce the cost operations and generate reasonable resource allocation
schedule, there should be a dynamic resource allocation algorithm to solve such
problems due to the actual demands of the users. Also, I want to protect the
privacy of the users. Therefore, I designed four algorithms to solve the dynamic
resource allocation problem.
For the algorithm, each user should first submit their own schedules to the
facility operator. There will be two results for the algorithm. The first one is the
privacy-preserving aggregation, which contains the number of usages for the current
users in his used time slots. The second one is an aggregated schedule of coarse
occupancy. The operator cannot know the exact number of usages in each time
slots, but it can generate the type of usages in each time slot.
I developed four algorithms to solve the problem. The first two are to calculate
the number of usages in the current user’s used time slots. The last two algorithms
are to generate the aggregated schedule of coarse occupancy.
The first algorithm is based on Paillier cryptosystem, which is a public cryp-
tosystem and has the additive homomorphic property. After the user modify their
schedule by the requirement of algorithm 1, the user can get the correct number of
usages in each time slot when he is going to use.
The second algorithm is based on ELGamal cryptosystem, which is a public
cryptosystem and has the additive homomorphic property also the multiplicative
homomorphic property due to different encryption. After the user modify their
schedule by the requirement of algorithm 2, the user can get the correct number of
39
usages in each time slot when he is going to use.
The third algorithm is based on transition algorithm. After the user modify
their schedule by the requirement of algorithm 3, the user and server can get the
aggregate schedule of occupancy.
The last algorithm is based on Paillier cryptosystem. The structure of algorithm
4 is very similar to algorithm 1. The only difference is the process of input and
output. After user modify their schedules due to the requirement of algorithm 4,
each user can finally get the aggregate schedule of occupancy.
Based on the experiment results, I can see that algorithm 1 and algorithm 4 has
to take a lot of time to compute, which cannot satisfy the ”real-time” requirement
of my experiment. However, algorithm 2 has good performance when the num-
ber of time slots is not a lot. Algorithm 3 has good performance under any condition.
I have also implemented a simple Android application to show the output of the
project, which is based on algorithm 2 and algorithm 3. Because the algorithm 1 and
4, which are both based on Paillier cryptosystem, takes too long time to compute.
This may reduce the user experience while using it.
5.2 Future work
Due to the experiment results and the algorithms I make, I want to improve the
project from two aspects.
One aspect is on improving the speed of algorithm 1 and algorithm 4, which
is based on the Paillier cryptosystem. From the expermient results we can see,
the encryption time of paillier cryptosystem almost takes 100 percent of the total
computation time. Therefore, find a method to reduce the time to encrypt is the
way to lower the total computation time.
The second aspect is to improve algorithm 2, which is based on the ELGamal
cryptosystem. As described in the implementation part, algorithm 2 only supports
binary input. Although it meet the requirements for my current goals, but if I want
to use the input other than the binary one, this algorithm will not work properly.
Therefore, find a method to improve the input limit of algorithm 2 is also necessary.
This are the two aspects I will mainly focus on in the future. In this way, the
method to solve the dynamic resource allocation problem will be better.
Bibliography[1] G. Marois and A. Belanger. Analyzing the impact of urban planning on pop-
ulation distribution in the montreal metropolitan area using a small-area mi-
crosimulation projection model. Population and Environment, 37(2):131–156,
2015.
[2] C.M. Fisher. THE PROBLEMATICS OF PUBLIC SECTOR RESOURCE
ALLOCATION. Routledge, 1998.
[3]
[4] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. Cryptographic com-
munications system and method, 20 1983. US Patent 4,405,829A.
[5] Craig Gentry. Computing arbitrary functions of encrypted data. Commun.
ACM, 53(3):97–105, March 2010.
[6] Shai Halevi. Homomorphic Encryption. Springer, 2017.
[7] Craig Gentry. A Fully Homomorphic Encryption Scheme. PhD thesis, Stanford,
CA, USA, 2009. AAI3382729.
[8] Techopedia explains public key cryptography (pkc). https://www.
techopedia.com/definition/9021/public-key-cryptography-pkc. Ac-
cessed April 20, 2019.
[9] Pascal Paillier. Public-key cryptosystems based on composite degree residu-
osity classes. In Advances in Cryptology — EUROCRYPT ’99: International
Conference on the Theory and Application of Cryptographic Techniques Prague,
Czech Republic, pages 223–228. Springer, 1999.
[10] Taher ElGamal. A public-key cryptosystem and a signature scheme based on
discrete logarithms. IEEE Transactions on Information Theory, 31(4):469–472,
1985.
.1 Appendix A
42
Figure 33: User process
.2 Appendix B
.2.1 Application
I design a user-server application for the dynamic resource allocation algorithm.
First, I introduce the basic information about the software developed for the algo-
rithm. Next, I introduce the functions and details of the application.
Figure 34: Server process
Figure 35: Log in interface
.2.2 System of application
Here the algorithm is implemented on python, the application is implemented and
experimented using kivy, which is a multi platform of python, Android and so on.
It can also be built into an android apk requires API 27.0. The database is built on
MySQL 5.6 using Amazon Web Service.
.2.2.1 User-Server Application
• Main function
The main function of the application includes: (a) Store the users’ accounts
and personal usage schedule in the user database. (b) User can set their usage
individually and privately. (c) Using ELGamal cryptosystem to encrypt the
personal votes and send to server. (d) Server conducts the ELGamal algorithm
2 and transition algorithm 3 to return the number of usages for the current user
and aggregated schedule of coarse occupancy. (e) Users will get the number
Figure 36: Sign up interface
of usages in the time slots that he or she votes for. (f) Users use own private
key to decrypt the plans and getting the approximated plan in each time slots
and send it to the server.
• User
The user first need to sign up or log in to the application. Then the user
should set the usages for the time slots. After the user saves or updates
their personal usage schedule, he or she can click ”save” button to start the
calculation of the approximated aggregate plan and the number of usages in
the used time slots. The user will first encrypt own schedule using the shared
public key and their private key, then send the encrypted usage plan to the
server. The process is shown in figure 33.
• Server-user After receiving a user’s encrypted usage plan, the server begins
to process the privacy preserving algorithms and get the encrypted shared
Figure 37: Usage interface
usages plan A and the encrypted personal usage plan B for the users. Then
the server sends the two encrypted usage plan back to the users. The users
can use their own private key and shared common key to decrypt plan A and
plan B. The first personal usage plan is different from users to users, which
includes the number of usages when the user is going to use the time slot. The
second plan is the approximated usage schedule calculated by the server. The
flow of process is shown in figure 34.
• GUI
The GUI of the application is shown in figure 35, figure 36, figure 37, figure 38
and figure 39. First, a user should log in or sign up into the system. Next, the
user can set usages for different time slots based on the use of the application.
The the user can click the ”Save” button to send their encrypted usage plan
to the server. Then the server will start to calculate the approximated plan
for the users. Figure 35 shows the process of log in and figure 36 shows the
sign up process.
In the experiment, figure 37 shows the time slots to be used is from Monday
to Friday and from Morning to the evening. In this example, the user votes
for Monday morning, Tuesday noon and Wednesday afternoon.
Figure 38 shows the number of usages in the time slots that the user is going
to use. The user can see the number of usages in Monday morning, Tuesday
noon and Wednesday afternoon. From the figure we can see, there are 7 people
in total using on Monday morning, 3 people on Tuesday noon and 4 people on
Wednesday afternoon. All the number of usages for other time slots is invisible
and is represented by the question mark.
Figure 39 shows the aggregate schedule of occupancy for all the users. Here
each user can clearly see the final result of the algorithm. The user and server
will know the type of usages in each time slots from the result without knowing
the exact number of votes in each time slot. In this case, we set there should be
four plans(”most”, ”medium”, ”little” and ”no one”). The result can clearly
show the type of the aggregate schedule.
.2.3 List of files
main.py: The GUI of android application based on kivy. This needs kivy and
pymysql library to run it. Also needs access to the internet.
calculation.py: If the user does not want to run with GUI, then use terminal to
run calculation.py to get the result of algorithm 1, 2, 3 and 4.
paillier.py: The paillier cryptosystem.
elgamal.py: The elgamal cryptosystem.
transition.py: The transition algorithm.
primes.py: Used to generate large primes for paillier and elgamal cryptosystem.
testalg1.py: Used to simulate algorithm 1 in experiment part. The function is
also used in calculation.py
testalg2.py: Used to simulate algorithm 2 in experiment part. The function is
also used in calculation.py
testalg3.py: Used to simulate algorithm 3 in experiment part. The function is
also used in calculation.py
testalg4.py: Used to simulate algorithm 4 in experiment part. The function is
also used in calculation.py
.3 Appendix C
Privacy-preserving systems for dynamic resource
reallocation ==========================================================
====================
About
This is a Python implementation privacy-preserving systems for dynamic resource
reallocation. This includes an implementation of paillier crytosystem, ELGamal
cryptosystem, transition algorithm, an Android application and the kivy-based GUI.
Usage
The main.py includes the kivy-based GUI. If you want to run this .py file you need to have
the kivy library and pymysql library. Also you need to have the access to the internet.
Notice that in the application I use the 20 time slots and the number of type for aggregate
schedule is 4.
I have provided an installation script (install.sh) to install the libraries.
"""
1) chmod +x
2) ./install.sh
"""
Also you can run the Android application with Android device with at least API 27.0(This
doesn't work on the Android emulator).
To run without GUI, you can run the calculation.py. You need to type in the parameters
using the terminal.
There are 5 parameters for you to test.
You could run "python calculation.py -h" for help.
usage: calculation.py [-h] [-a Int] [-b Int] [-N Int] [-m Int] [-k Int]
optional arguments:
-h, --help show this help message and exit
-a Int, --usage_algorithm Int
Choose algorithm 1 or algorithm 2
-b Int, --schedule_algorithm Int
Choose algorithm 3 or algorithm 4
-N Int, --Users Int Number of users
-m Int, --Time_slots Int
Number of time slots
-k Int, --Type_usages Int
Number of type
For example, if you want to run algorithm 1 and algorithm 3 and the number of users are 5,
the number of time slots are 5, the number of types are 3, then you should run the
following command:
python calculation.py -a 1 -b 3 -N 5 -m 5 -k 3
If you want to run algorithm 2 and algorithm 4 with the same settings,run
python use.py -a 2 -b 4 -N 5 -m 5 -k 3
>>Using algorithm 2 to calculate the number of usages
>>The original usage for each user is: [[1, 1, 0, 1, 0], [1, 1, 1, 0, 1], [1, 1, 1, 1, 0], [0, 1, 1, 1, 0],
[0, 0, 1, 1, 0]]
>>The number of usages for user 0 is [3, 4, 0, 4, 0]
>>The number of usages for user 1 is [3, 4, 4, 0, 1]
>>The number of usages for user 2 is [3, 4, 4, 4, 0]
>>The number of usages for user 3 is [0, 4, 4, 4, 0]
>>The number of usages for user 4 is [0, 0, 4, 4, 0]
>>Using algorithm 4 to calculate the aggregate schedule of occupancy
>>The final type for the time slot 0 is: 1
>>The final type for the time slot 1 is: 2
>>The final type for the time slot 2 is: 2
>>The final type for the time slot 3 is: 2
>>The final type for the time slot 4 is: 0
Figure 38: Number of usages for current user interface
Figure 39: Aggregate schedule of occupancy schedule interface