privacy preserving systems for dynamic resource …...services. resource allocation matters in...

Privacy preserving systems for

dynamic resource reallocation

Yuehan Zhao

u6417810

COMP8755

Supervised by

Dr. Sid Chi-Kin Chau

May 31, 2019

A thesis submitted in part fulfillment of the degree of

Master of Computing

College of Engineering and Computer Science

The Australian National University

For Sid Chi-Kin Chau,

who provides the project and supports me for

a full year to finish the project

For my parents,

who support me to come to ANU and study

here

For Weifa Liang,

who gives us applicable advice during the

initial and final presentation

i

Abstract

Resource allocation is the heart of public services and has always been a difficult

issue to solve. It contains the sharing of space and sharing of public services such

as the living space or the transportation arrangement. Privacy-preserving dynamic

resource allocation guarantees that the service and facilities will make the smart

operations to meet the actual demands due to the client and reduce the cost. Also

it guarantees the privacy between users and server.

The approach that I use to solve the privacy-preserving dynamic resources

reallocation problem includes four algorithms. Two algorithms are based on Paillier

cryptosystem, one is based on ELGamal cryptosystem and the other one is based

on the transition algorithm. The results I obtained in this report include the

computation time analysis, the simulation and an Android application to visualize

the experiment. The impacts of the results include the new way of thinking of the

privacy-preserving resource reallocation problem and I hope this can contribute to

the current research.

Keywords: Resource allocation, privacy-preserving, Paillier cryptosystem, EL-

Gamal cryptosystem

Contents

1 Background 1

1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

1.2 Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

1.3 Report Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

2 Introduction 3

2.1 Homomorphic Encryption . . . . . . . . . . . . . . . . . . . . . . . . 3

2.1.1 Basic concept of homomorphic encryption . . . . . . . . . . . 3

2.2 Public-key cryptography . . . . . . . . . . . . . . . . . . . . . . . . . 4

2.2.1 Paillier Cryptosystem . . . . . . . . . . . . . . . . . . . . . . . 6

2.2.2 ELGamal Cryptosystem . . . . . . . . . . . . . . . . . . . . . 9

3 Design and Implementation 13

3.1 Related Privacy Preserving Algorithm . . . . . . . . . . . . . . . . . 13

3.1.1 Paillier cryptosystem . . . . . . . . . . . . . . . . . . . . . . . 13

3.1.2 ELGamal cryptosystem . . . . . . . . . . . . . . . . . . . . . . 13

3.2 Algorithms for dynamic resource allocation . . . . . . . . . . . . . . . 14

3.2.1 Paillier Algorithm 1 . . . . . . . . . . . . . . . . . . . . . . . . 14

3.2.2 ELGamal Algorithm 2 . . . . . . . . . . . . . . . . . . . . . . 15

3.2.3 Transition Algorithm 3 . . . . . . . . . . . . . . . . . . . . . . 17

3.2.4 Paillier Algorithm 4 . . . . . . . . . . . . . . . . . . . . . . . . 19

4 Experiment Result 22

4.1 Experiment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

4.1.1 Paillier algorithm 1 Computation time . . . . . . . . . . . . . 22

4.1.2 ELGamal algorithm 2 Computation time . . . . . . . . . . . . 26

4.1.3 Transition algorithm 3 Computation time . . . . . . . . . . . 27

4.1.4 Paillier algorithm 4 Computation time . . . . . . . . . . . . . 27

4.2 Experiment result . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

4.2.1 Algorithm 1 simulation . . . . . . . . . . . . . . . . . . . . . 30

4.2.2 Algorithm 2 simulation . . . . . . . . . . . . . . . . . . . . . 32

4.2.3 Algorithm 3 simulation . . . . . . . . . . . . . . . . . . . . . . 33

4.2.4 Algorithm 4 simulation . . . . . . . . . . . . . . . . . . . . . . 34

5 Conclusion and Future Work 39

5.1 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

5.2 Future work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

i

.1 Appendix A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

.2 Appendix B . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

.2.1 Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

.2.2 System of application . . . . . . . . . . . . . . . . . . . . . . . 48

.2.3 List of files . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

.3 Appendix C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

List of Figures1 Example of dynamic sharing of space . . . . . . . . . . . . . . . . . . 1

2 Symmetric cryptography . . . . . . . . . . . . . . . . . . . . . . . . . 5

3 Asymmetric cryptography . . . . . . . . . . . . . . . . . . . . . . . . 6

4 Paillier cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

5 Multiplicative ELGamal cryptosystem . . . . . . . . . . . . . . . . . 9

6 Additive ELGamal cryptosystem . . . . . . . . . . . . . . . . . . . . 11

7 Flow of Algorithm 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

8 Paillier algorithm 1 total computation time . . . . . . . . . . . . . . . 23

9 Paillier algorithm 1 encryption time . . . . . . . . . . . . . . . . . . . 23

10 Paillier algorithm 1 decryption time . . . . . . . . . . . . . . . . . . . 23

11 Paillier algorithm 1 server processing time . . . . . . . . . . . . . . . 24

12 ELGamal algorithm 2 total computation time . . . . . . . . . . . . . 24

13 ELGamal algorithm 2 encryption time . . . . . . . . . . . . . . . . . 25

14 ELGamal algorithm 2 decryption time . . . . . . . . . . . . . . . . . 25

15 ELGamal algorithm 2 server processing time . . . . . . . . . . . . . . 25

16 Transition algorithm 3 computation time . . . . . . . . . . . . . . . . 27

17 Paillier algorithm 4 total computation time . . . . . . . . . . . . . . . 28

18 Paillier algorithm 4 encryption time . . . . . . . . . . . . . . . . . . . 28

19 Paillier algorithm 4 decryption time . . . . . . . . . . . . . . . . . . . 28

20 Paillier algorithm 4 server processing time . . . . . . . . . . . . . . . 29

21 Paillier algorithm 1 key generation . . . . . . . . . . . . . . . . . . . 30

22 Paillier algorithm 1 encryption . . . . . . . . . . . . . . . . . . . . . . 31

23 Paillier algorithm 1 server process . . . . . . . . . . . . . . . . . . . . 31

24 ELGamal algorithm 2 key generation . . . . . . . . . . . . . . . . . . 33

25 ELGamal algorithm 2 additive encryption . . . . . . . . . . . . . . . 33

26 ELGamal algorithm 2 multiplicative encryption . . . . . . . . . . . . 34

27 ELGamal algorithm 2 server process . . . . . . . . . . . . . . . . . . 34

28 Transition algorithm 3 aggregate schedule of occupancy . . . . . . . . 36

29 Paillier algorithm 4 key generation . . . . . . . . . . . . . . . . . . . 37

30 Paillier algorithm 4 encryption . . . . . . . . . . . . . . . . . . . . . . 37

31 Paillier algorithm 4 server process . . . . . . . . . . . . . . . . . . . . 37

32 Paillier algorithm 4 aggregate schedule of occupancy . . . . . . . . . . 38

33 User process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

34 Server process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

iii

35 Log in interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

36 Sign up interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

37 Usage interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

38 Number of usages for current user interface . . . . . . . . . . . . . . . 55

39 Aggregate schedule of occupancy schedule interface . . . . . . . . . . 56

List of Tables1 Original usage of users . . . . . . . . . . . . . . . . . . . . . . . . . . 30

2 Input of Paillier Algorithm 1 . . . . . . . . . . . . . . . . . . . . . . . 32

3 Paillier algorithm 1 result: Number of usages in used time slots for

each user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

4 ELGamal algorithm 2 result: The number of usages for current user 35

5 Algorithm 3,4 Number of usages for current user . . . . . . . . . . . . 35

6 Transition algorithm 3 Z vector for each user . . . . . . . . . . . . . . 36

7 Transition algorithm 3 reassigned usage for each time slot . . . . . . . 36

8 Paillier algorithm 4 reassigned usage for each time slot . . . . . . . . 36

v

1. BackgroundThe background chapter includes my motivation and goals of doing this project

and also the structure of the report.

1.1 Motivation

Cities have become the major living place for human beings. Around 54% of

population live in cities right now[1]. However, people are still struggling with

some problems living in the cities due to the lack of resources. There are also

some limitations and competitions for wide range of urban facilities services. For

example, the living spaces, the transportation services and some other public

services. Resource allocation matters in public services and has been a difficult

issue to solve. Here I want to resolve the dynamic resource allocation problem,

which is due to the actual demands of the users. Here I provide two concrete

examples[2].

The first one is the dynamic sharing of public services, which includes the

transportation arrangement, the garbage collection and some other public services.

The operator can reduce the operation cost due to a reasonable dynamic resource

allocation algorithm. For example, if there are only two people want to take a

bus at 11 pm, the operator will not try to arrange 10 buses there because it will

significantly increase the cost.

The second one is the dynamic sharing of space, which means that a group

of people can share their spaces due to the demands of personal schedule. If the

Figure 1: Example of dynamic sharing of space

1

sharing space is not full, it can be reallocated by the operator for some other

purpose, e.g. storage. Also if only two people want to use a room, the operator

can dynamically allocate a small room for them instead of a big room which can

hold 500 people. Figure 1 is an example of the dynamic sharing of space problem.

A group of users want to use the room and the facility operator wants to make a

reasonable room allocation plan. First the users provide their personal schedules

to the facility operator and then the dynamic resource allocation algorithm will

provide two schedules. The first one is shared schedules, the users can know the

number of usages of the time slots he is going to use. For those time slots he does

not want to use, he cannot know about the number of usages, so it shows as the

question mark. The second one is an aggregated schedule of occupancy. Here the

server will have an aggregate schedule of occupancy, where S means small room,

B means big room and X means no user will use it. In this way, it can reduce the

incurred cost for the facility and service operators.

Also, people in Australia don’t like to share their information with others, hence

I want to use a privacy preserving algorithm to implement the dynamic resource

allocation algorithm[3].

1.2 Goals

I have three goals for my report. The first goal is to implement a method to compute

the number of usages of the time slots when the current user is going to use. The

second goal is to calculate the aggregate schedule of coarse occupancy for all time

slots, thus can generate a better resource reallocation plan due to it. The third goal

is to implement a simple Android application to visualize the algorithm.

1.3 Report Structure

The report contains the following part. The second chapter is the introduction,

which includes the basic knowledge I am using for the dynamic resource allocation

algorithm. The third chapter is the design and implementation. In this part, I will

introduce four algorithms based on the public-key cryptography to implement the

goals. The fourth chapter is the experiment result of the algorithms I provide. The

last chapter is the conclusion and future work.

2. IntroductionThe introduction part introduces the related knowledge for the privacy-preserving

dynamic resource allocation algorithm.

2.1 Homomorphic Encryption

Homomorphic Encryption schemes is an open problem proposed by the Cryptog-

raphy long time ago and is developed with the research of public key encryption

system. Ron Rivest and Leonard Adelman and Michael L. Dertouzos proposed the

concept based on the application in bank background. Ron Rivest and Lenonard

Adleman is the founder of RSA algorithm[4], which is one of the most famous

homomophic encryption algorithm. RSA algorithm is the first one found to

own the property of Homomorphic multiplication and the reliability is based on

the practical difficulty of the factorization of the product of two large prime numbers.

So what is homomorphic encryption? Craig Gentry first denote the fully

homomorphic encryption: ”A way to delegate processing of your data, without

giving away access to it.”[5]

Generally, the encryption scheme is mainly focused on the data storage security.

For example, if we need to send someone else an encrypted message, or we want

to store message on the computer or the server, we need to first encrypt the

message before we send it or store it. Anyone without the keys cannot know

the information of the original message. Only the clients with keys can decrypt

correctly and get the message. Clients should not do anything to the result of

encrypted message, otherwise he or she will get wrong decrypted message. The

most interesting thing of homomorphic encryption is that it mainly focused on

the data processing security. Homomorphic encryption offers a function to process

the cipher, which means that the clients can process the encrypted message,

but it will not reveal any information of the original message. Meanwhile, the

user with the key can process the cipher and get the result after processing exactly[6].

2.1.1 Basic concept of homomorphic encryption

If we have a encryption function E, which can encrypt plian text m1 to ciphertext

m′1 and encrypt plain text m2 to cipher text m′2. Then we have a decryption

function D, which can decrypt the message which has been encrypted before[6].

3

For the general encryption method, if we add m′1 and m′2, or we multiply A′ and

B′, we normally get meaningless message from the decryption method.

Homomorphic encryption

Here we define S,P as two calculations and K as the key, N ∈ N. If

S(Ek(m1), Ek(m2), . . . , Ek(mN)) = Ek(P (m1,m2, . . . ,mN)) (2.1)

Then we say the encryption function E is homomorphic encryption.

Additive homomorphic encryption

For any plain text m1, m2, if we have

Ek(m1 +m2) = Ek(m1) + Ek(m2) (2.2)

D(Ek(m1) + Ek(m2)) = m1 +m2 (2.3)

Then we say the encryption function E has the property of an additive homomor-

phic encryption.

Multiplicative homomorphic encryption

For any plain text m1, m2, if we have

Ek(m1 ·m2) = Ek(m1) · Ek(m2) (2.4)

D(Ek(m1) · Ek(m2)) = m1 ·m2 (2.5)

Then we say the encryption function E has the property of an multiplicative

homomorphic encryption.

Somewhat homomorphic encryption

If a homomorphic encryption scheme has the property of additive and multiplicative

homomorphic encryption but can only perform a limited number of operations, then

we say this homomorphic encryption scheme is a somewhat homomorphic encryption

schema.

Fully homomorphic encryption If a homomorphic encryption scheme has the

property of additive and multiplicative homomorphic encryption and can perform

any number of operations, then we say this homomorphic encryption scheme is a

fully homomorphic encryption schema[7].

2.2 Public-key cryptography

Key cryptosystem consists of symmetric-key cryptography and asymmetric-key

cryptography. Symmetric-key cryptography uses the same key to encrypt and,

Figure 2: Symmetric cryptography

which is shown in figure 2. Although it has the advantage of small amount of

calculation, fast encryption and high efficiency in encryption, the disadvantages

are quite apparent. For example, keys transportation problem. The client and the

server needs to transmit the key and the message privately. However, it is usually

very hard to find such a secure channel. Meanwhile, suppose there are n users in

a transition net, then there should be a shared key in every two users. When n is

large, the number of keys to be managed is large, which is n(n−1)2

.

Therefore, asymmetric-key cryptography, also known as public-key cryptography

is introduced. Public-key crptography can solve the problems of symmetric-key

cryptography. There are many famous public-key cryptography algorithm. For

example, RSA algorithm, ELGamal algorithm, Diffe-Helmman algorithm, etc[8].

There are also some problems using public-key cryptography. The public-key

cryptography algorithms are usually more complicated, hence taking more time to

encrypt and decrypt.

Public-key cryptography is an algorithm in cryptography. Figure 3 shows the

process of asymmetric cyrptography. It needs a pair of keys, one public key and

one private key. One is used to encrypt and the other one is used to decrypt. After

encrypting the plain text using one of the key, one can only use the corresponding

key to decrypt the original plaintext, even if the original key cannot be used to

Figure 3: Asymmetric cryptography

decrypt. This is called as the asymmetric encryption, which is different from

symmetric-key algorithm who using the same key to encrypt and decrypt. Even if

the pair of keys is related to each other mathematically, the key cannot be known

or calculated by the other key. Therefore, one key can be presented as the public

key, which can be shared to anyone. However, the other key cannot be shared,

which can only be known by the client himself. Only in this way can guarantee the

security of public-key cryptography.

2.2.1 Paillier Cryptosystem

Paillier described the paillier homomorphic cryptosystem, which is a probabilistic

asymmetric algorithm for public key cryptography[9]. The hardness of integer

factorization and computing n-th residue classes guarantees the security of paillier

cryptosystem. The scheme is an additive homomorphic cryptosystem. Figure 4

shows the process of Paillier cryptosystem.

Key generation

First select two large primes numbers p and q.

calculate n = p · q, λ = lcm(p− 1, q − 1), where lcm(a, b) means Least Common

Multiple.

Next, select the random integer g, where g ∈ N and the order of g is a

Figure 4: Paillier cryptosystem

multiple of n. Paillier mentioned that g should be small for good performance.

For example, g = 2. However, according to the survey, g = n + 1 will have better

performance.Then the public key is (n,g).Private key is (p,q).

Encryption

For any plain text m ∈ N, select a random integer r ∈ N, then the cipher text

c = E(m) = gm · rn mod n2

Decryption

Use the private key to decrypt, then the plain text is m = L(cλ mod n2)L(gλ mod n2)

mod n.

Define L(u) = u−1n

for u ≤ n2 when u = 1 mod n.

Lemma 1 Paillier cryptosystem can get correct plain text after

decryption

Proof We have m = L(cλ mod n2) · u. By the definition above,

m =L(cλ mod n2)

L(gλ mod n2)mod n (2.6)

Notice that λ is the private key and then apply Carmichael’s theorem we can get

cλ = (gm · rn)λ = gm·λ · rn·λ = gm·λ (2.7)

By the Binomial theorem,

(1 + n)x =∑k=0

x(xk

)nk = 1 + n · x+

(x2

)n2 + nhigherpower (2.8)

we can get

(1 + n)x ≡ 1 + n · x mod n2 (2.9)

Therefore

gmλ = ((1 + n)α · βn)λm = (1 + n)αλm · βnλm ≡ (1 + αλmn) mod n2 (2.10)

By the definition of L(u) function,

L(cλ mod n2)

L(gλ mod n2)mod n =

L(1 + αλmn)

L(1 + αλn)mod n =

αλmn

αλnmod n = m (2.11)

which proves the correctness of Paillier cryptosystem.

Homomorphic properties For any m1, m2 ∈ N and k as the key, use paillier

homomorphic cryptosystem to encrypt we can get Ek(m1) = gm1 · r1n mod n2,

Ek(m2) = gm2 · rn2 mod n2, then we have

Ek(m1) · Ek(m2) = gm1+m2 · (r1r2)n mod n2 (2.12)

From the paillier decryption we can know

D(Ek(m1) · Ek(m2) mod n2 = m1 +m2 mod n (2.13)

Proof

D(Ek(m1, r1) · Ek(m2, r2) mod n2)

= D(gm1 · rn1 · gm2 · rn2 ) mod n2

= D(gm1+m2 · (r1 · r2)n) mod n2 = m1 +m2 mod n

(2.14)

Thus, paillier cryptosystem is an additive homomorphic cryptosystem. Also we have

D(Ek(m1) · gm2 mod n2 = m1 +m2 mod n (2.15)

Proof

D(Ek(m1, r1) · gm2 mod n2)

= D(gm1 · rn1 · gm2) mod n2

= D(gm1+m2 · rn1 ) mod n2 = m1 +m2 mod n

(2.16)

Pallier cryptosystem also have some multiplicative properties of plain text for

m1,m2 ∈ N, k ∈ N.

D(Ek(m1)R mod n2 = R ·m1 mod n (2.17)

Figure 5: Multiplicative ELGamal cryptosystem

Proof

D(Ek(m1, r1)R mod n2) = D((gm1 · rn1 )R) mod n2

= D(gR·m1 · rn1 ) mod n2

= D(gRm1 · rRn1 ) mod n2 = R ·m1 mod n

(2.18)

D(Ek(m1)m2 mod n2 = m1 ·m2 mod n (2.19)

Proof

D(Ek(m1, r1)m2 mod n2) = D((gm1 · rn1 )m2) mod n2

= D(gm1·m2 · rn1 ) mod n2 = D(gm1m2 · rnm21 ) mod n2 = m1 ·m2 mod n

(2.20)

2.2.2 ELGamal Cryptosystem

ELGamal encryption system is described by Taher Elgamal in 1985, which is a key

encryption algorithm based on Elliptic curve cryptography and public-key cryptosys-

tem. ELGamal cryptosystem can be applied into any cyclic group. There are many

hard computing operations in cyclic group, which are usually related to discrete log-

arithm hence guaranteeing the security of ELGamal cryptosystem. Generally, the

length of cipher text generated by the ELGamal encryption scheme is twice of length

of the plain text, which is one of the disadvantage of ELGamal cryptosystem[10].

Figure 5 shows the process of multiplicative ELGamal cryptosytem and figure 6

shows the process of additive ELGamal cryptosystem.

• Multiplicative ELGamal cryptosystem

Key generation

First choose a prime p and two random integer g and x where g, x ≤ p. Then

compute y = gx mod p. Then we have the public key denoted by (y, g, p)

and the private key is x. g, p can be shared with a group of users.

Encryption

Suppose the message to be encrypted is m. Choose a random integer k from

1, . . . , p− 1, then compute cipher c1 = gk( mod p), c2 = m ∗ yk( mod p).

Then the cipher text will be (c1, c2).

Decryption

Use the private key to decrypt, then the plain text will be m = c2cx1

( mod p)

Lemma 2 ELGamal cryptosystem can get correct plain text after

decryption

Proofc2cx1

=m · yk

(gx)r= m (2.21)

The plain text cannot be got without the private key x, hence ELGamal

cryptosystem is security and the decryption is correct.

homomorphic properties

D[EKp(m1, r1) · EKp(m2, r2)] = D((gr1 ,m1hr1) · (gr2 ,m2h

r2))

= D(gr, (m1 ·m2)hr) = m1 ·m2

(2.22)

proof

E(m1) · E(m2) = (gr1,m1 · hr1) · (gr2 ,m2 · hr2)= (gr1+r2 , (m1 ·m2)h

r1+r2) = E(m1 ·m2)(2.23)

• Additive ELGamal cryptosystem

Figure 6: Additive ELGamal cryptosystem

Key generation

First choose a prime p and two random integer g and x where g, x ≤ p. Then

compute y = gx mod p. Then we have the public key denoted by (y, g, p)

and the private key is x. g, p can be shared with a group of users.

Encryption

Suppose the message to be encrypted is m. Choose a random integer k from

1, . . . , p− 1, then compute cipher c1 = gk( mod p), c2 = gm · yk( mod p).

Then the cipher text will be (c1, c2).

Decryption

Use the private key to decrypt, then the plain text will be gm = c2cx1

( mod p)

Then generate a looking up table of base g, then get the plain text m.

Lemma 2 ELGamal cryptosystem can get correct plain text after

decryption

Proofc2cx1

=gm · yk

(gx)r= gm (2.24)

Then generate the looking up table to find the plain text m. The plain text

cannot be got without the private key x, hence ELGamal cryptosystem is

security and the decryption is correct. homomorphic properties


r2))

= D(gr, (m1 ·m2)hr) = m1 ·m2

(2.25)

proof

E(m1) · E(m2) = (gr1, gm1 · hr1) · (g(r2), gm2 · hr2)

= (gr1+r2 , (gm1+m2)hr1+r2) = E(m1 +m2)(2.26)

3. Design and ImplementationThe design and implementation part contains the algorithms to solve the dynamic

resource allocation problem. The first two algorithms are to calculate the number

of usages for current user in his used time slots. The last two algorithms are to

generate an aggregate schedule of coarse occupancy.

3.1 Related Privacy Preserving Algorithm

3.1.1 Paillier cryptosystem

Paillier cryptosystem is an additive homomorphic cryptosystem. Here we use the

following properties.

D[EKp(m1, r1) · EKp(m2, r2) mod n2] = m1 +m2 mod n (3.1)

D[EKp(m1, r1)m2 mod n2] = m1 ·m2 mod n (3.2)

Here Kp represents the shared public key. n is generate by n = p·q where p and q

are random large primes. m is the message that waiting to be encrypted. r1, r2 ∈ Nare random positive numbers. Suppose there are N users and m time slots, denote

by ui = [b1i , b2i , . . . , b

mi ]. Here i ∈ [1 . . . N ] and m is the number of time slots. [?]

3.1.2 ELGamal cryptosystem

ELGamal cryptosystem is a multiplicative homomorphic cryptosystem. Here we use

the following properties.


r2))

= D(gr, (m1 ·m2)hr) = m1 ·m2

(3.3)

Here Kp represents the shared public key. r1, r2 ∈ N are random positive

numbers,r = r1 + r2. ELGamal cryptosystem can also be made to a addictive

homomorphic cryptosystem based on the exponential properties. Here we use the

following properties to implement the privacy-preserving algorithm.[10]

D[EKp(m1, r1) · EKp(m2, r2)] = D((gr1 , gm1 · hr1) · (gr2 , gm2 · hr2))= D(gr1+r2 , g(m1+m2) · hr1+r2) = m1 +m2

(3.4)

Here Kp represents the shared public key. r1, r2 ∈ N are random positive numbers.

13

3.2 Algorithms for dynamic resource allocation

3.2.1 Paillier Algorithm 1

Given users’ usage, for each user, calculate the number of all the users who is going

to use in user i’s used time slot. Here we use bji = 0 to represent the user i does not

use time slot j and bji = Rj to represent user i uses time slot j.

Algorithm 1 Number of usages for current user calculation.

Require: The set of users’ usages in each time slot, bji ;

1: Each user encrypts own usage.

2: Ei = [Ekp,rij (bji ), EKp,rij (b

2i ), . . . , EKp,rij (b

mi )]. User sends own encrypted usage

to server privately.

3: Server process multiplication for users’ usages in each time slot. EKp,rj(Sj) =

Ekp,rj(∑N

i=1(bji )) = (

∏Ni=1EKp,rj(b

ji ))modn

2, j ∈ [1 . . .m].

4: Server then send EKp,rj(Sj) back to each user.

5: Sj =∑N

i=1(bji ) = x ·Rj

6: return Sj;

Each user set own usage bi. If bji = 1, then bji = Rj, where Rj is a random

integer, j ∈ [1, . . . ,m]. Then each user individually using paillier cryptosystem to

encrypt usage Ei = [Ekp,rij (b1i ), EKp,rij (b

2i ), . . . , EKp,rij (b

mi )].

Then users send the encrypted usage to the server. For each time slot, server process

the multiplication for all users’ encrypted schedule, EKp,rj(Sj) = (∏N

i=1(EKp,rj(bji ))

where j ∈ [1 . . .m]. Server sends this encrypted schedule EKp,rj(Sj) back to the

users. As the formula described, Sj contains the aggregation of the encrypted

usages of users in time slot j. Each user decrypts the schedule Sj from the server.

After decryption, user gets the schedule Sj =∑N

i=1(bji ). If bji = 0, then the user

cannot get the number of usages in time slot j because the user does not know the

value of Rj. Otherwise, if bji = 1, which proves that the user knows the value of

Rj, then he can just simply use Sj = x · Rj to divide by Rj and get the number of

usages x in time slot j.

lemma 1 Algorithm 1 is correct

Proof The ideal output for the number of usages calculation algorithm is that in

time slot j will be some certain of value of number of usages if the current user

usages for time slot j. And when the current user does not use time slot j, he will

receive meaningless message.

From the homomorphic properties of paillier algorithm, we have that

Sj =∑N

i=1(bji ) = x · Rj, Therefore, when bji = 0, the user has no idea of Rj,

hence the user cannot know the value of x. Therefore, when bji = 0, the user will

only get meaningless message. When bji = 1, Sj = R ·∑N

i=1(bji ) = x · Rj, the user

knows about Rj, hence he can get the value of x. Therefore, algorithm 1 is correct.

lemma 2 Algorithm 1 is privacy-preserving

Proof The ideal private-preserving algorithm is that server cannot know any infor-

mation from any user and the users cannot know each other’s usages for any time

slot. We know that firstly each user encrypts his message privately and send it to

the server. Therefore, each user cannot know any other user’s message in encryption

stage. By the homomorphic properties of paillier algorithm and public cryptography,

the server does not have private key and hence cannot know the information about

users. In decryption, the user will use the private key to decrypt their schedule, and

they will only know the number of usages in time slot j when bji = 1. Otherwise

the user will get meaningless message. So the users cannot know any other user’s

schedule. Therefore, algorithm 1 is privacy-preserving.

3.2.2 ELGamal Algorithm 2

Given users’ usages, for each user, calculate the number of usages in user i’s used

time slot. Here I combined the exponential ELGamal algorithm with multiplicative

ELGamal algorithm. I use bji = 0 to represent the user i does not use time slot j

in ELGamal additive(exponentiatl) algorithm, bji = R to represent user i does not

use time slot j in ELGamal multiplication algorithm and bji = 1 to represent user i

uses time slot j, where R ∈ N is a random positive integer which is supposed to be

largely greater than the number of users N .

Each user set own usage bi and then individually using exponential ELGamal

cryptosystem to encrypt own usage Ei = [Ekp,r(b1i ), EKp,r(b

2i ), . . . , EKp,r(b

mi )] and

send it to server privately. For each user i and each time slot j, server process the

multiplication EKp,r(Xj) = Ekp(∏N

i=1(bji )) of the user’s encrypted schedule to get

the aggregation of users’ usages EKp,r(Xj), where j ∈ [1, . . . ,m]. Now each user

encrypts own usage by multiplicative ELGamal algorithm with the same pair of

private key and public key, Emi = [Emkp,r(b1i ),

Emkp,r(b2i ), . . . , Emkp,r(b

mi ) and sends it to server privately. Server process mul-

tiplication with the previous aggregate encrypted schedule and user i’s encrypted

schedule EmKp,r(Vji ) = Emkp,r(b

ji ) ·Ekp,r(Xj). Server then sends the encrypted plan

EmKp,r(Vi) back to user i. In decryption, if V ji = None, then the user has no idea

Algorithm 2 Number of usages for current user calculation.

Require: The set of users’ usages in each time slot, bij1: Each user encrypts own usage using exponential ELGamal algorithm. Ei =

[Ekp,r(b1i ), EKp,r(b

2i ), . . . , EKp,r(b

mi )]. User sends own encrypted usage to server

privately.

2: for each i ∈ [1, N ],j ∈ [1,m] do

3: EKp,r(Xj) = Ekp(∏N

i=1(bji )) = (

∑Ni=1EKp,r(b

ji ))

4: end for

5: Each user encrypts own usage using multiplicative ELGamal algorithm using the

same private key and public key Emi = [Emkp,r(b1i ), Emkp,r(b

2i ), . . . , Emkp,r(b

mi ).

6: for each user i ∈ [1, N ],j ∈ [1,m] do, compute

7: EmKp,r(Vji ) = Emkp,r(b

ji ) · Ekp,r(Xj)

8: end for

9: Server sends EmKp,r(Vi) back to user i.

10: Each user decrypts EKp,r(Vi)

11:

V ji =

{None bji = R

Otherwise bji = 1

12: return Vi

about the number of users that usages for time slot j because user i does not usage

for time slot j. Otherwise, the user i will get the number of usages for time slot j.


Proof The ideal output for the number of usages calculation algorithm is that in

time slot j will be some certain of value of number of usages if the current user is

going to use time slot j. And when the current user does not use time slot j, he

will receive meaningless message. From the multicative and exponential properties

of elgamal algorithm, we have that:

D[EmKp(m1, r1) · EmKp(m2, r2)] = D((gr1 , gm1 · hr1) · (gr2 , gm2 · hr2))= D(gr1 , g(m1+m2) · hr) = m1 +m2

(3.5)

D[EKp(m1, r1) · (EmKp(m2, r2) · EmKp(m3, r3))]

= D((gr1 ,m1 · hr1) · (gr2 , gm2 · hr2) · (gr3 , gm3 · hr3))

= D(gr,m1 · gm2+m3 · hr) =

{m2 +m3 m1 = 1

Otherwise m1 6= 1

(3.6)

Here EmKp(m, r) is the exponential elgamal encryption of message m. EKp(m, r)

is the multicative elgamal encryption of message m. Each user shares the same pair

of private key and public key in both exponential and multicative elgamal encryption

Figure 7: Flow of Algorithm 3

cryptosystem. Here each user uses multiplicative elgamal cryptosystem to encrypt

his usages as m1. All users use the exponential elgamal cryptosystem to encrypt

own usages and send to server to get aggregated schedule plan. From the equation

above, we can see that if m1 = 1, then the result will be the same as the decryption

of aggregated exponential elgamal encryption. However, if m1 6= 1, then there’s

no such decryption method that can find the value of the message. Therefore, the

algorithm 2 is correct.




slot. We know that firstly each user encryped his message privately and send it to

the server. Therefore, each user cannot know any other user’s message in encryp-

tion stage. By the homomorphic properties of elgamal algorithm, the server does not

have private key and hence cannot know about the information about users. After

decryption, the user will use the private key to decrypt the encrypted schedule. The

user will only get the number of usages in time slots where he is going to use, thus

the algorithm is user-private. Therefore, algorithm 2 is privacy-preserving.

3.2.3 Transition Algorithm 3

After applying algorithm 1 or algorithm 2, each user will get the number of usages in

time slot j when the user wants to use time slot j, denote by Vi = [V 1i , V

2i , . . . , V

ji ],

where i ∈ [1, . . . , N ], j ∈ [1, . . . ,m], here if V ji = None, reassign it to 0. Now we

want to send an approximated number of usages in each time slot j, so that the

server can make an aggregate schedule of occupancy without knowing the exact

number of users usage in each time slot. The example of algorithm 3 is shown in

figure 7.

Algorithm 3 Aggregate schedule of occupancy calculation.

Require: The set of users’ usages in each time slot when user i wants to use time

slot j, denote by Vi, where Vi = [V 1i , V

2i , . . . , V

mi ]; The approximated plan,

denote by I1,I2,. . . , Ik, here k is the number of types of approximated plan.

1: for each i ∈ [1, N ],j ∈ [1,M ] do

2: initialize Zji for each user. Here Zj

i is a random positive number and only

user i knows.

3: each user calculates own approximated usage plan, denote by Ci = [ I1x

V 1i

+

Z1i ,

I2xV 2i

+ Z2i , . . . ,

ImxVmi

+ Zmi ]

4: end for

5: for i = 1; i < N ; i+ + do, compute

6: Si = Si + Ci

7: end for

8: Send the SN =∑N

i=1Ci to the first user. From the first user, compute,

9: for i = 1; i < N ; i+ + do

10: SN = SN − Zi11: end for

12: User sends the approximated plan SN = [I1x, I2x, . . . , I

mx ] to the server.

13: return SN

By algorithm 1 or 2, each user has the number of usages in time slot j if he uses

time slot j, denote by Vi, where Vi = [V 1i , V

2i , . . . , V

mi ]. If V j

i = None, reassign it

to 0. First initialize Zji for each user. Here Zj

i is a random positive number and

only user i knows. Then each user i calculate In order to compute the approximated

plan, suppose there are k number of intervals. Then we have k types of plans,

denote by I1,I2,. . . , Ik, where Ik is the number of approximated usages of type k

and I1 = 0, I2 < I3 < · · · < Ik. Here if the number of usages in time slot j

is 0 or None, then the approximated type is I1, so the approximated number of

usages is 0. Each user reassign their approximated usage plan, denote by Ci =

[ I1x

V 1i

+ Z1i ,

I2xV 2i

+ Z2i , . . . ,

ImxVmi

+ Zmi ], where Imx is the approximated number of usages.

For example, if the approximated plan I2 is 5, which means the true number of

usages is greater than 0 and less than or equal to 5. Then if the true usages for time

slot j is V ji = 2, then the approximated usage plan for user i in time slot j will be

I2V ji

+ Zji = 5

2+ Zj

i . Then for each user, calculate the aggregated of approximated

usage plan, denote by Si = Si + Ci. Then from the first to the last user, each

one subtract own Zi, denote by SN = SN − Zi. Then the last user will have

the aggregated approximated plan, denote by Si = [I1x, I2x, . . . , I

Nx ]. Then the user

sends the aggregated approximated plan to the server. The server can make an

aggregate schedule of occupancy according to the aggregated approximated plan

without knowing the exact number of usages in each time slot.


Proof The ideal output for the approximated number of usages in each time slot

calculation is that the server will get the approximated number for all time slots,

I = [I1, I2, . . . , Im] without knowing the exact number of usages in each time slots.

By algorithm 1 and 2, each user will get a plan which contains the number of usages

of certain time slots when he uses for these time slots. For those time slots that he

does not know the number, reassign it to be 0. After applying algorithm 3, each

user will get the approximated plan in each time slot, Sji =∑N

i=1(IjiV ji

). We know

that if the user does not know the number of usages, we assign it to 0 and otherwise

the approximated number isIjiV ji

and the sum of it will be Iji . Hence algorithm 3 is

correct.




slot. In algorithm 3, each user has a private Zi which only user i knows. By applying

the summation, all the users will get the sum of approximated number of usages∑Ni=1(

IjiV ji

) with∑N

i=1 Zi. Then from the first user, each user subtract his own Zi and

send it to next user. Then after last user subtract his Z, all the users can receive

the approximated plan Iji for each time slot without knowing other users’ informa-

tion. After users send it to the server, server can know the aggregate schedule of

occupancy for each time slots without knowing the information of users. Therefore,

algorithm 3 is privacy-preserving.

3.2.4 Paillier Algorithm 4

Similar to algorithm 3, by applying algorithm 1 or algorithm 2, each user

will get the number of usages in time slot j when the user uses time slot j,

denote by Vi = [V 1i , V

2i , . . . , V

ji ], where i ∈ [1, . . . , N ], j ∈ [1, . . . ,m]. Here if

V ji = None, reassign it to 0. Now we want to send an approximated number

of usages in each time slot j, so that the server can make an aggregate sched-

ule of occupancy without knowing the exact number of users usage in each time slot.

Algorithm 4 Aggregate schedule of occupancy calculation.

Require: The set of users’ usages in each time slot when user i usages for time slot

j, denote by Vi, where Vi = [V 1i , V

2i , . . . , V

mi ]; The approximated plan, denote

by I1,I2,. . . , Ik, here k is the number of types of approximated plan.

1: Each user first uses the rule to generate the approximated usage individually. If

V ji ∈ (Ix, Ix+1], then Xj

i = bR·IxV jic, where R ∈ N is a random large integer and

x ∈ [1, . . . , k]. If V ji = 0, then Xj

i = 0.

2: Each user encrypts own approximated usage using paillier cryptography.

3: Ei = [Ekp,rij (Xji ), EKp,rij (X

2i ), . . . , EKp,rij (X

mi )]. User sends own encrypted ap-

proximated usage to server privately.

4: Server process multiplication for users’ approximated usages in each time slot.

EKp,rj(Hj) = Ekp,rj(∑N

i=1(Xji )) = (

∏Ni=1EKp,rj(X

ji )) mod n2, j ∈ [1 . . .m].

5: Server then sends EKp,rj(Hj) back to each user.

6: Hj = b∑N

i=1(Xji )e = bR ·Ixe, then user divides R to get the approximated usage

plan Ix

7: return Ix;

By algorithm 1 or 2, each user has the number of usages in time slot j if he

usages for time slot j, denote by Vi, where Vi = [V 1i , V

2i , . . . , V

mi ]. If V j

i = None,

reassign it to 0. We have k types of plans, denote by I1,I2,. . . , Ik, where Ik is the

number of approximated usages of type k and I1 = 0, I2 < I3 < · · · < Ik. Here if

the number of usages in time slot j is 0 or None, then the approximated type is I1,

so the approximated number of usages is 0. First initialize the approximated usage

Xji for each user. Here Xj

i = bR·IxV jic if V j

i 6= 0, otherwise Xji = 0, where R ∈ N is

a random large integer and x ∈ [1, . . . , k]. For example, if the approximated plan

I1 = 1 and I2 = 5, which means the true number of usages of type I1 is greater than

1 and less than or equal to 5. Then if the true usages for time slot j is V ji = 2, then

the approximated usage plan for user i in time slot j will be Xji = bR·1

2c. Next,

the user uses the paillier cryptosystem to encrypt the approximated individual

usage plan and sends it to the server. Then for each time slot, server calculates

the aggregated of approximated individual usage plan, denote by EKp,rj(Hj), where

j = [1, . . . , k]. The server then sends the aggregated encrypted plan back to the

user. Then the user uses the private key to decrypt, thus will get the aggregated

approximated usage plan Hj = bR · Ixe. Then the user can divide R to get

the approximated plan Ix for each time slot. Thus sever can make an aggregate

schedule of occupancy according to the apprixmated plan.


Proof The ideal output for the approximated number of usages in each time slot

calculation is that the server will get the approximated number for all time slots,

I = [I1, I2, . . . , Im] without knowing the exact number of usages in each time slots.

By algorithm 1 or 2, each user will get a plan which contains the number of

usages of certain time slots when he uses these time slots. For those time slots

that he does not know the number, reassign it to be 0. After initializing the

approximated usage Xji for each user, where Xj

i = bR·IxV jic. Here R is a large integer

which guarantees that the new Xji will not influence the calculation and bR·Ix

V jic will

be a big integer which can be used in Paillier cryptosystem. If R is small, then

bR·IxV jic will be largely influenced by Ix

V jiand thus generating a meaningless result for

individual approximated usage plan. By applying algorithm 4, each user will get

the approximated plan in each time slot, Hj = b∑N

i=1(Xji )e = bR · Ixe. We know

that if the user does not know the number of usages, we assign it to 0 and otherwise

the approximated number is bR · Ixe. By dividing the large integer R, each user

can get the final approximated number of usages in each time slot and the server

can get aggregate schedule of occupancy.




slot. In algorithm 4, we know that firstly each user encryped his message privately

and send it to the server. Therefore, each user cannot know any other user’s message

in encryption stage. By the homomorphic properties of paillier algorithm and public

cryptography, the server does not have private key and hence cannot know about the

information about users. In decryption, the user will use the private key to decrypt

their schedule, and they will know the type of usages for each time slot without the

exact number. So the users cannot know any other user’s schedule and the server

cannot know the information. Therefore, algorithm 4 is privacy-preserving.

4. Experiment ResultThe experiment result part contains the computation time analysis for the four

algorithms and the simulation results of four algorithms.

4.1 Experiment

All the experiments are under such condition. The number of time slots is from

20 to 100 with the increment of 20 and the number of users is from 20 to 200 with

the increment of 20. The computation time is the average of 10 experiments.

4.1.1 Paillier algorithm 1 Computation time

Figure 8 shows the total computation time of using Paillier cryptosystem to get

the number of usages in the used time slots for current user. From the figure, we

can see that with the increasing number of users and time slots, the computation

time is increased. The computation time is largely influenced by the number of

time slots. From the image we can observe that even when the number of users is

200 and the number of time slots is 20, the approximated running time is around

100 seconds. However when the number of time slots goes to 100, the approximated

computation time is around 320 seconds, which is much slower compared to only

have a few time slots. So we can conclude that Paillier cryptosystem algorithm 1

takes a lot of time to compute.

• Client Encryption time

Figure 9 shows the client encryption time of using Paillier cryptosystem to

get the number of usages in the used slots for current user. We can observe

that the client encryption time has taken a large percentage in the total com-

putation time, which is almost 100 percent. We can see that when the number

of time slots increases, the encryption time will increase significantly. So we

can conclude that the most time consuming part in Paillier cryptosystem is

encryption procedure.

• Client Decryption time

22

Figure 8: Paillier algorithm 1 total computation time

Figure 9: Paillier algorithm 1 encryption time

Figure 10: Paillier algorithm 1 decryption time

Figure 11: Paillier algorithm 1 server processing time

Figure 12: ELGamal algorithm 2 total computation time

As shown in figure 10, the client decryption of using Paillier cryptosystem

to get the number of usages in the used slots for current user barely takes any

time. The performance of decryption procedure is good.

• Server processing time

As it can be seen in figure 11, the server processing time of Paillier algorithm

is increased with the raise of number of time slots and users. However, even

when the number of time slots and users is very big, the server processing

time is still very low. This proves that the server performance is very good

and efficient in Paillier algorithm.

Figure 13: ELGamal algorithm 2 encryption time

Figure 14: ELGamal algorithm 2 decryption time

Figure 15: ELGamal algorithm 2 server processing time

4.1.2 ELGamal algorithm 2 Computation time

Figure 12 shows that the total computation time for ELGamal algorithm to

calculate the number of usages for the current user in his used time slots is less

than paillier algorithm 1. As it can be seen, the computation time of ELGamal will

increase when the number of users or the number of time slots raises up. We can

see that the ELGamal algorithm have better performance when there are only a

few time slots. However when the number of time slots goes up, it will take more

time. However, it is still much more efficient than paillier algorithm. This can show

that the number of time slots will influence the efficiency of the ELGamal algorithm

more than the number of users. We can conclude that the ELGamal algorithm is

very efficient when there are a few time slots.


Figure 13 shows the client encryption time of using ELGamal cryptosystem

to get the number of usages when the user is going to use the time slots. The

client encryption time raises up when the number of time slots or the number

of users is increasing. As it can be seen, the encryption time does not increase

a lot with the raise of users. It takes around 0.2 seconds while there are 200

users and 20 time slots. When there are more time slots, the encryption time

is increased. We can see that the encryption time increases to approximated

1.4 second when there are 100 time slots. We can conclude that the client

encryption time will mainly depends on the number of time slots and the

encryption process is very efficient in ELGamal algorithm.


Figure 14 shows the client decryption time for each user of algorithm 2.

We can see that the decryption time goes up when the number of time slots

increases. From the figure, the decryption time is about 0.8 seconds when there

are 100 time slots. We can conclude that the decryption time will influenced

by the number of time slots and take large percentage of the total computation

time.


Figure 16: Transition algorithm 3 computation time

As it can be seen in figure 15, the server processing time of ELGamal al-

gorithm is increased with the raise of number of time slots and users. We

can observe that the computation time of server is very low and is under 0.1

seconds even where there are 200 users and 100 time slots. We can conclude

thatthe server performance is efficient and good.

4.1.3 Transition algorithm 3 Computation time

Figure 16 shows the total computation time of using transition algorithm to get the

aggregate schedule of occupancy. The experiment is testing from 20 to 100 time

slots and 20 to 200 users respectively. It is the average computation time of 10

experiments. From the figure, we can see that the performance of algorithm 3 is

very good. It only uses 0.05 seconds when there are 100 time slots and 200 users.

Therefore, the algorithm can be applied in real time.

4.1.4 Paillier algorithm 4 Computation time

Paillier algorithm 4 has very similar performance to the Paillier algorithm 1.

Figure 17 shows the total computation time of using Paillier cryptosystem to get

the aggregate schedule of occupancy. It does not have very good performance

even when the number of time slots is low. The algorithm takes approximated 90

seconds to compute when there are 200 users and 20 time slots. So we can conclude

that Paillier cryptosystem takes a lot of time to compute.


Figure 17: Paillier algorithm 4 total computation time

Figure 18: Paillier algorithm 4 encryption time

Figure 19: Paillier algorithm 4 decryption time

Figure 20: Paillier algorithm 4 server processing time

Figure 18 shows the client encryption time of using Paillier cryptosystem

to get the aggregate schedule of occupancy. We can observe that the client

encryption time has taken a large percentage in the total computation time,

which is almost 100 percent. And the efficiency is largely influenced by the

number of time slots. So we can conclude that the most time consuming part

in Paillier cryptosystem is encryption procedure.


As shown in figure 19, the client decryption of using Paillier cryptosystem

to get the aggregate schedule of occupancy takes little time. So the process of

decryption is very efficient.


As it can be seen in figure 20, the server processing time of Paillier algorithm

is increased with the raise of number of time slots and users. The server

processing time is under 0.1 seconds even the number of users and time slots

is large. This proves that the server performance is very good and efficient in

Paillier algorithm.

4.2 Experiment result

The experiment settings is 10 users and 5 time slots. The group of user share a same

pair of public key and private key. The original information stored in the Client is

username time slot 1 time slot 2 time slot 3 time slot 4 time slot 5

test user 1 0 0 1 0 0

test user 2 1 0 0 1 0

test user 3 1 0 1 1 0

test user 4 0 0 0 0 0

test user 5 1 1 1 1 1

test user 6 0 0 1 0 1

test user 7 1 1 0 0 0

test user 8 1 0 0 1 0

test user 9 1 0 1 1 1

test user 10 0 0 0 0 1

Table 1: Original usage of users

Figure 21: Paillier algorithm 1 key generation

shown in the table 1.

4.2.1 Algorithm 1 simulation

The Client will first generate the private key and public key, which is shown below.

From the Paillier cryptosystem, we know that there will be two large primes with

128 bits. The key generation process can be shown in figure 21.

According to pallier algorithm 1, each user will get a value Rj if bji = 1. Here

R = [R1, . . . , Rm]. The result is shown in table 2.

Then the user using the encrypt personal schedule and send it to the server.

The result of encryption is shown in figure 22. Then the server will aggregate the

encrypted schedule for each time slot. Figure 23 shows the aggregated encrypted

schedule. Then the server will return the aggregated encrypted schedule back to

each user, then user uses the public key and private key to decrypt. The table 3

shows the result of descryption for each user.

Figure 22: Paillier algorithm 1 encryption

Figure 23: Paillier algorithm 1 server process


test user 1 0 0 5887306919477435809 0 0

tset user 2 7624858340458734075 0 0 4729471728074494971 0

test user 3 7624858340458734075 0 5887306919477435809 4729471728074494971 0

test user 4 0 0 0 0 0

test user 5 7624858340458734075 2929017782384013705 5887306919477435809 4729471728074494971 7633210599468489860

test user 6 0 0 5887306919477435809 0 7633210599468489860

test user 7 7624858340458734075 2929017782384013705 0 0 0

test user 8 7624858340458734075 0 0 4729471728074494971 0

test user 9 7624858340458734075 0 5887306919477435809 4729471728074494971 7633210599468489860

test user 10 0 0 0 0 7633210599468489860

Table 2: Input of Paillier Algorithm 1


test user 1 0 0 5 0 0

test user 2 6 0 0 5 0

test user 3 6 0 5 5 0

test user 4 0 0 0 0 0

test user 5 6 2 5 5 4

test user 6 0 0 5 0 4

test user 7 6 2 0 0 0

test user 8 6 0 0 5 0

test user 9 6 0 5 5 4

test user 10 0 0 0 0 4

Table 3: Paillier algorithm 1 result: Number of usages in used time slots for each

user


The Client will first generate the private key and public key, which is shown below.

From the ELGamal cryptosystem, we know that there will be one large primes with

128 bits. Figure 24 shows the key generation for algorithm 2.

There are two kinds of input in algorithm 2. The first input is the original input

for the additive ELGamal encryption and the second one is for the multiplicative

encryption.

In order to get the number of people in each time slots, the user should also

encrypt their usage with multiplicative ELGamal encryption. Here bji = R if the

user does not vote for time slot j, where R is a random integer. The multiplicative

encrypted usage is shown in figure 26. The additive encrypted usages is shown in

figure 25.

Then the server do the multiplication to get the aggregated plan for each time

slots. The result is shown in figure 27.

Last, the user who will use the time slots can use their private key to decrypt

Figure 24: ELGamal algorithm 2 key generation

Figure 25: ELGamal algorithm 2 additive encryption

and get the number of usages in the time slot. The result is shown in figure 27.


In algorithm 3, first the operator will generate a random group of float

Zi = [Z1i , Z

2i , . . . , Z

mi ] to each user. By applying algorithm 1 or algorithm 2,

the user will get the number of votes for each time slots when he votes for the time

slots, the result is shown in table 5. The number of usages for each user is shown

in table 8, and the generated Z for each time slot is shown in table 6.

Then each user should determine the type of usage by the rules. For the

Figure 26: ELGamal algorithm 2 multiplicative encryption

Figure 27: ELGamal algorithm 2 server process

experiment, the number of type is 3. The number of usages from user i in time slot

j is denoted by uji . We say if xk·N ≤ uji ≤ x+1

k·N , then uji belongs to type x. Then

we reassign uji to be x

uji, which is shown in table 7. The final input will be (Zi + ui).

After applying the transition algorithm, the users and server will finally know

the type of usages in each time slot. The type is shown in figure 28.


The Client will first generate the private key and public key. From the Paillier

cryptosystem, we know that there will be two large primes with 128 bits. The key

generation process is shown in figure 29. The original schedule is provided by the

algorithm 1 or algorithm 2, which is shown below in table 5.

Similar to algorithm 3, each user should determine the type of usage by the rules.

For the experiment, the number of type is 3. The number of usages from user i in

time slot j is denoted by uji . We say if xk· N ≤ uji ≤ x+1

k· N , then uji belongs to


test user 1 0 0 5 0 0

test user 2 6 0 0 5 0

test user 3 6 0 5 5 0

test user 4 0 0 0 0 0

test user 5 6 2 5 5 4

test user 6 0 0 5 0 4

test user 7 6 2 0 0 0

test user 8 6 0 0 5 0

test user 9 6 0 5 5 4

test user 10 0 0 0 0 4

Table 4: ELGamal algorithm 2 result: The number of usages for current user


test user 1 0 0 5 0 0

test user 2 6 0 0 5 0

test user 3 6 0 5 5 0

test user 4 0 0 0 0 0

test user 5 6 2 5 5 4

test user 6 0 0 5 0 4

test user 7 6 2 0 0 0

test user 8 6 0 0 5 0

test user 9 6 0 5 5 4

test user 10 0 0 0 0 4

Table 5: Algorithm 3,4 Number of usages for current user

type x. Then we reassign uji to be bR·xujic. The final input is shown in table 8.

Then each user encrypt the their own schedule using Paillier cryptosystem. The

result is shown in figure 30.

Then the sever process multiplication for each time slot to calculate the aggre-

gated encrypted schedule of occupancy, the result is shown in figure 31.

Last, each user decrypts the aggregated approximated schedule of occupancy

and divide by R. The result is shown in the figure 32.


test user 1 6133825661.004535 9520672597.35969 8405837383.193862 4327655796.1112585 7864545369.506094

test user 2 2992151461.5632224 504821273.1439457 9471603388.137575 3237697154.892989 9203262866.357733

test user 3 7305254021.267426 4061490610.7923 2777103028.3574977 2485090983.115836 1110056189.1761496

test user 4 4384517818.087211 8562086562.592957 4248644570.473121 9045502746.488913 7636019224.24958

test user 5 8559192630.512426 1175162581.814306 926687807.4156541 1200908760.6308684 1809427597.4236963

test user 6 1243865485.9794579 7932198509.076439 5674139354.320666 9257491607.207678 8236453205.65442

test user 7 4534214932.944109 8657776386.902678 790630190.3961891 4932376227.505535 447840540.3780162

test user 8 97394024.3230636 7895998972.403568 5191109435.086829 7635357311.097881 4174138361.021781

test user 9 1461048857.3608153 8771973525.172302 2325406356.177332 3318649217.3142753 9926439712.675196

test user 10 1635448096.0305316 6603338572.97395 2803988510.046929 5902442092.86887 2203921091.8938384

Table 6: Transition algorithm 3 Z vector for each user


test user 1 0 0 0.2 0 0

test user 2 0.33333 0 0 0.2 0

test user 3 0.33333 0 0.2 0.2 0

test user 4 0 0 0 0 0

test user 5 0.33333 2 0.2 0.2 0.25

test user 6 0 0 0.2 0 4

test user 7 0.33333 2 0 0 0

test user 8 0.33333 0 0 0.2 0

test user 9 0.33333 0 0.2 0.2 0.25

test user 10 0 0 0 0 0.25

Table 7: Transition algorithm 3 reassigned usage for each time slot


test user 1 0 0 2808876771237379584 0 0

test user 2 3511095964046724608 0 0 2808876771237379584 0

test user 3 3511095964046724608 0 2808876771237379584 2808876771237379584 0

test user 4 0 0 0 0 0

test user 5 3511095964046724608 3511095964046724608 2808876771237379584 2808876771237379584 3511095964046724608

test user 6 0 0 2808876771237379584 0 3511095964046724608

test user 7 3511095964046724608 3511095964046724608 0 0 0

test user 8 3511095964046724608 0 0 2808876771237379584 0

test user 9 3511095964046724608 0 2808876771237379584 2808876771237379584 3511095964046724608

test user 10 0 0 0 0 3511095964046724608

Table 8: Paillier algorithm 4 reassigned usage for each time slot

Figure 28: Transition algorithm 3 aggregate schedule of occupancy

Figure 29: Paillier algorithm 4 key generation

Figure 30: Paillier algorithm 4 encryption

Figure 31: Paillier algorithm 4 server process

Figure 32: Paillier algorithm 4 aggregate schedule of occupancy

5. Conclusion and Future WorkThis chapter is my conclusion about what I have done and the result of experi-

ments. Also it contains the future work I need to focus on.

5.1 Conclusion

Resource allocation has been a problem for service and facility operators. In

order to reduce the cost operations and generate reasonable resource allocation

schedule, there should be a dynamic resource allocation algorithm to solve such

problems due to the actual demands of the users. Also, I want to protect the

privacy of the users. Therefore, I designed four algorithms to solve the dynamic

resource allocation problem.

For the algorithm, each user should first submit their own schedules to the

facility operator. There will be two results for the algorithm. The first one is the

privacy-preserving aggregation, which contains the number of usages for the current

users in his used time slots. The second one is an aggregated schedule of coarse

occupancy. The operator cannot know the exact number of usages in each time

slots, but it can generate the type of usages in each time slot.

I developed four algorithms to solve the problem. The first two are to calculate

the number of usages in the current user’s used time slots. The last two algorithms

are to generate the aggregated schedule of coarse occupancy.

The first algorithm is based on Paillier cryptosystem, which is a public cryp-

tosystem and has the additive homomorphic property. After the user modify their

schedule by the requirement of algorithm 1, the user can get the correct number of

usages in each time slot when he is going to use.

The second algorithm is based on ELGamal cryptosystem, which is a public

cryptosystem and has the additive homomorphic property also the multiplicative

homomorphic property due to different encryption. After the user modify their

schedule by the requirement of algorithm 2, the user can get the correct number of

39

usages in each time slot when he is going to use.

The third algorithm is based on transition algorithm. After the user modify

their schedule by the requirement of algorithm 3, the user and server can get the

aggregate schedule of occupancy.

The last algorithm is based on Paillier cryptosystem. The structure of algorithm

4 is very similar to algorithm 1. The only difference is the process of input and

output. After user modify their schedules due to the requirement of algorithm 4,

each user can finally get the aggregate schedule of occupancy.

Based on the experiment results, I can see that algorithm 1 and algorithm 4 has

to take a lot of time to compute, which cannot satisfy the ”real-time” requirement

of my experiment. However, algorithm 2 has good performance when the num-

ber of time slots is not a lot. Algorithm 3 has good performance under any condition.

I have also implemented a simple Android application to show the output of the

project, which is based on algorithm 2 and algorithm 3. Because the algorithm 1 and

4, which are both based on Paillier cryptosystem, takes too long time to compute.

This may reduce the user experience while using it.

5.2 Future work

Due to the experiment results and the algorithms I make, I want to improve the

project from two aspects.

One aspect is on improving the speed of algorithm 1 and algorithm 4, which

is based on the Paillier cryptosystem. From the expermient results we can see,

the encryption time of paillier cryptosystem almost takes 100 percent of the total

computation time. Therefore, find a method to reduce the time to encrypt is the

way to lower the total computation time.

The second aspect is to improve algorithm 2, which is based on the ELGamal

cryptosystem. As described in the implementation part, algorithm 2 only supports

binary input. Although it meet the requirements for my current goals, but if I want

to use the input other than the binary one, this algorithm will not work properly.

Therefore, find a method to improve the input limit of algorithm 2 is also necessary.

This are the two aspects I will mainly focus on in the future. In this way, the

method to solve the dynamic resource allocation problem will be better.

Bibliography[1] G. Marois and A. Belanger. Analyzing the impact of urban planning on pop-

ulation distribution in the montreal metropolitan area using a small-area mi-

crosimulation projection model. Population and Environment, 37(2):131–156,

2015.

[2] C.M. Fisher. THE PROBLEMATICS OF PUBLIC SECTOR RESOURCE

ALLOCATION. Routledge, 1998.

[3]

[4] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. Cryptographic com-

munications system and method, 20 1983. US Patent 4,405,829A.

[5] Craig Gentry. Computing arbitrary functions of encrypted data. Commun.

ACM, 53(3):97–105, March 2010.

[6] Shai Halevi. Homomorphic Encryption. Springer, 2017.

[7] Craig Gentry. A Fully Homomorphic Encryption Scheme. PhD thesis, Stanford,

CA, USA, 2009. AAI3382729.

[8] Techopedia explains public key cryptography (pkc). https://www.

techopedia.com/definition/9021/public-key-cryptography-pkc. Ac-

cessed April 20, 2019.

[9] Pascal Paillier. Public-key cryptosystems based on composite degree residu-

osity classes. In Advances in Cryptology — EUROCRYPT ’99: International

Conference on the Theory and Application of Cryptographic Techniques Prague,

Czech Republic, pages 223–228. Springer, 1999.

[10] Taher ElGamal. A public-key cryptosystem and a signature scheme based on

discrete logarithms. IEEE Transactions on Information Theory, 31(4):469–472,

1985.

.1 Appendix A

42

https://www.techopedia.com/definition/9021/public-key-cryptography-pkc

https://www.techopedia.com/definition/9021/public-key-cryptography-pkc

Figure 33: User process

.2 Appendix B

.2.1 Application

I design a user-server application for the dynamic resource allocation algorithm.

First, I introduce the basic information about the software developed for the algo-

rithm. Next, I introduce the functions and details of the application.

Figure 34: Server process

Figure 35: Log in interface

.2.2 System of application

Here the algorithm is implemented on python, the application is implemented and

experimented using kivy, which is a multi platform of python, Android and so on.

It can also be built into an android apk requires API 27.0. The database is built on

MySQL 5.6 using Amazon Web Service.

.2.2.1 User-Server Application

• Main function

The main function of the application includes: (a) Store the users’ accounts

and personal usage schedule in the user database. (b) User can set their usage

individually and privately. (c) Using ELGamal cryptosystem to encrypt the

personal votes and send to server. (d) Server conducts the ELGamal algorithm

2 and transition algorithm 3 to return the number of usages for the current user

and aggregated schedule of coarse occupancy. (e) Users will get the number

Figure 36: Sign up interface

of usages in the time slots that he or she votes for. (f) Users use own private

key to decrypt the plans and getting the approximated plan in each time slots

and send it to the server.

• User

The user first need to sign up or log in to the application. Then the user

should set the usages for the time slots. After the user saves or updates

their personal usage schedule, he or she can click ”save” button to start the

calculation of the approximated aggregate plan and the number of usages in

the used time slots. The user will first encrypt own schedule using the shared

public key and their private key, then send the encrypted usage plan to the

server. The process is shown in figure 33.

• Server-user After receiving a user’s encrypted usage plan, the server begins

to process the privacy preserving algorithms and get the encrypted shared

Figure 37: Usage interface

usages plan A and the encrypted personal usage plan B for the users. Then

the server sends the two encrypted usage plan back to the users. The users

can use their own private key and shared common key to decrypt plan A and

plan B. The first personal usage plan is different from users to users, which

includes the number of usages when the user is going to use the time slot. The

second plan is the approximated usage schedule calculated by the server. The

flow of process is shown in figure 34.

• GUI

The GUI of the application is shown in figure 35, figure 36, figure 37, figure 38

and figure 39. First, a user should log in or sign up into the system. Next, the

user can set usages for different time slots based on the use of the application.

The the user can click the ”Save” button to send their encrypted usage plan

to the server. Then the server will start to calculate the approximated plan

for the users. Figure 35 shows the process of log in and figure 36 shows the

sign up process.

In the experiment, figure 37 shows the time slots to be used is from Monday

to Friday and from Morning to the evening. In this example, the user votes

for Monday morning, Tuesday noon and Wednesday afternoon.

Figure 38 shows the number of usages in the time slots that the user is going

to use. The user can see the number of usages in Monday morning, Tuesday

noon and Wednesday afternoon. From the figure we can see, there are 7 people

in total using on Monday morning, 3 people on Tuesday noon and 4 people on

Wednesday afternoon. All the number of usages for other time slots is invisible

and is represented by the question mark.

Figure 39 shows the aggregate schedule of occupancy for all the users. Here

each user can clearly see the final result of the algorithm. The user and server

will know the type of usages in each time slots from the result without knowing

the exact number of votes in each time slot. In this case, we set there should be

four plans(”most”, ”medium”, ”little” and ”no one”). The result can clearly

show the type of the aggregate schedule.

.2.3 List of files

main.py: The GUI of android application based on kivy. This needs kivy and

pymysql library to run it. Also needs access to the internet.

calculation.py: If the user does not want to run with GUI, then use terminal to

run calculation.py to get the result of algorithm 1, 2, 3 and 4.

paillier.py: The paillier cryptosystem.

elgamal.py: The elgamal cryptosystem.

transition.py: The transition algorithm.

primes.py: Used to generate large primes for paillier and elgamal cryptosystem.

testalg1.py: Used to simulate algorithm 1 in experiment part. The function is

also used in calculation.py







.3 Appendix C

Privacy-preserving systems for dynamic resource

reallocation ==========================================================

====================

About

This is a Python implementation privacy-preserving systems for dynamic resource

reallocation. This includes an implementation of paillier crytosystem, ELGamal

cryptosystem, transition algorithm, an Android application and the kivy-based GUI.

Usage

The main.py includes the kivy-based GUI. If you want to run this .py file you need to have

the kivy library and pymysql library. Also you need to have the access to the internet.

Notice that in the application I use the 20 time slots and the number of type for aggregate

schedule is 4.

I have provided an installation script (install.sh) to install the libraries.

"""

1) chmod +x

2) ./install.sh

"""

Also you can run the Android application with Android device with at least API 27.0(This

doesn't work on the Android emulator).

To run without GUI, you can run the calculation.py. You need to type in the parameters

using the terminal.

There are 5 parameters for you to test.

You could run "python calculation.py -h" for help.

usage: calculation.py [-h] [-a Int] [-b Int] [-N Int] [-m Int] [-k Int]

optional arguments:

-h, --help show this help message and exit

-a Int, --usage_algorithm Int

Choose algorithm 1 or algorithm 2

-b Int, --schedule_algorithm Int

Choose algorithm 3 or algorithm 4

-N Int, --Users Int Number of users

-m Int, --Time_slots Int

Number of time slots

-k Int, --Type_usages Int

Number of type

For example, if you want to run algorithm 1 and algorithm 3 and the number of users are 5,

the number of time slots are 5, the number of types are 3, then you should run the

following command:

python calculation.py -a 1 -b 3 -N 5 -m 5 -k 3

If you want to run algorithm 2 and algorithm 4 with the same settings,run

python use.py -a 2 -b 4 -N 5 -m 5 -k 3

>>Using algorithm 2 to calculate the number of usages

>>The original usage for each user is: [[1, 1, 0, 1, 0], [1, 1, 1, 0, 1], [1, 1, 1, 1, 0], [0, 1, 1, 1, 0],

[0, 0, 1, 1, 0]]

>>The number of usages for user 0 is [3, 4, 0, 4, 0]





>>Using algorithm 4 to calculate the aggregate schedule of occupancy

>>The final type for the time slot 0 is: 1





Figure 38: Number of usages for current user interface

Figure 39: Aggregate schedule of occupancy schedule interface

privacy preserving systems for dynamic resource …...services. resource allocation matters in...

Documents