Vote privacy: models and cryptographic underpinnings
Bogdan Warinschi
University of Bristol

Aims and objectives
- Models are useful, desirable
- Cryptographic proofs are not difficult
- Have y’all do one cryptographic proof
- Have y’all develop a zero-knowledge protocol
- Have y’all prove one property for a zero-knowledge protocol

Models

Voting scheme
[Figure: votes v_1, v_2, ..., v_n]

Wish list
- Eligibility: only legitimate voters vote; each voter votes once
- Fairness: voting does not reveal early results
- Verifiability: individual, universal
- Privacy: no information about the individual votes is revealed
- Receipt-freeness: a voter cannot prove s/he voted in a certain way
- Coercion-resistance: a voter cannot interact with a coercer to prove that s/he voted in a certain way

Design-then-break paradigm
[Figure labels: …attack found; …no attack found]
Guarantees: no attack has been found yet

Security models
Mathematical descriptions:
- What a system is
- How a system works
- What is an attacker
- What is a break
Advantages: clarify security notion; allows for security proofs (guarantees within clearly established boundaries)
Shortcomings: abstraction – implicit assumptions, details are missing (e.g. trust in hardware, side-channels)

This talk
- Privacy-relevant cryptographic primitives
  - Asymmetric encryption
  - Noninteractive zero-knowledge proofs
- Privacy-relevant techniques
  - Homomorphicity
  - Rerandomization
  - Threshold cryptography
- Security models for encryption
- Security models for vote secrecy (Helios)

Cryptographic security models

Game based models
[Figure labels: Challenger; Query; Answer; 0/1]

ASYMMETRIC ENCRYPTION SCHEMES

Syntax
- Setup(ν): fixes parameters for the scheme
- KG(params): randomized algorithm that generates (PK, SK)
- ENC_PK(m): randomized algorithm that generates an encryption of m under PK
- DEC_SK(C): deterministic algorithm that calculates the decryption of C under SK

Functional properties

(exponent) ElGamal

Functional properties

IND-CPA
[Figure labels: Public Key PK; M_0, M_1; C; Guess d; win]
Theorem: If the DDH problem is hard in G then the ElGamal encryption scheme is IND-CPA secure.
Good definition?

SINGLE PASS VOTING SCHEME

Informal
[Figure labels: P_1: v_1, P_2: v_2, ..., P_n: v_n; C_1, C_2, ..., C_n; PK; SK]

Syntax of SPS schemes
- Setup(ν): generates (x, y, BB): x is secret information for tallying, y is public information (parameters of the scheme), BB is the initial bulletin board
- Vote(y,v): the algorithm run by each voter to produce a ballot b
- Ballot(BB,b): run by the bulletin board; outputs new BB and accept/reject
- Tallying(BB,x): run by the tallying authorities to calculate the final result

An implementation: Enc2Vote

Attack against privacy
[Figure labels: P_1: v_1, P_2: v_2, P_3; C_1, C_2, C_1; PK; SK]
Assume that votes are either 0 or 1. If the result is 0 or 1 then v_1 was 0, otherwise v_1 was 1.
FIX: weed out equal ciphertexts

New attack
[Figure labels: P_1: v_1, P_2: v_2, P_3; C_1, C_2, C; PK; SK]
FIX: Make sure ciphertexts cannot be mauled and weed out equal ciphertexts

Non-malleable encryption (NM-CPA)
[Figure labels: Public Key PK; M_0, M_1; C; C_1, C_2, ..., C_n; M_1, M_2, ..., M_n; Guess d; win]
Good definition?

ElGamal is not non-malleable

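The two attacks and the first fix above, as an added example (not from the slides): a toy exponent-ElGamal ballot box in which the third ballot is either an exact copy of C_1 or a rerandomization of it. The group (p = 2039, q = 1019, g = 4), the function names and the fixed randomness are assumptions chosen so the run is repeatable.

```python
# Added example: toy exponent-ElGamal ballot box. Group, names and sizes are
# constructed for illustration and are far too small for real use.
import secrets

P, Q, G = 2039, 1019, 4   # safe prime P = 2Q + 1; G generates the order-Q subgroup

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk

def enc(pk, v, r=None):
    """Exponent ElGamal: (g^r, g^v * pk^r). r is injectable so runs can be repeated."""
    r = r or secrets.randbelow(Q - 1) + 1
    return (pow(G, r, P), pow(G, v, P) * pow(pk, r, P) % P)

def rerandomize(pk, c, s=None):
    """Multiply in an encryption of 0: same vote, different-looking ciphertext."""
    s = s or secrets.randbelow(Q - 1) + 1
    return (c[0] * pow(G, s, P) % P, c[1] * pow(pk, s, P) % P)

def weed_equal(board):
    """First fix from the slides: keep only the first copy of identical ballots."""
    kept = []
    for c in board:
        if c not in kept:
            kept.append(c)
    return kept

def tally(sk, board):
    """Multiply all ballots, decrypt g^sum, then search the (small) exponent."""
    a = b = 1
    for c in board:
        a, b = a * c[0] % P, b * c[1] % P
    g_sum = b * pow(a, Q - sk, P) % P          # b / a^sk, because a^Q = 1
    return next(t for t in range(len(board) + 1) if pow(G, t, P) == g_sum)

def published_result(sk, pk, v1, v2, copy_ballot):
    """Honest ballots C1, C2 plus a third ballot derived from C1 by copy_ballot."""
    c1, c2 = enc(pk, v1, r=5), enc(pk, v2, r=7)   # fixed r: constructed, repeatable
    board = weed_equal([c1, c2, copy_ballot(pk, c1)])
    return len(board), tally(sk, board)
```

Weeding removes the exact copy, so the result stays v_1 + v_2; the rerandomized ballot survives weeding and the result becomes 2*v_1 + v_2, which is at least 2 exactly when v_1 = 1.
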
Ballot secrecy for SPS [BCPSW11]
[Figure labels: PK; SK; h_0, h_1; C_0, C_1; C; Sees BB_b; d; result; win]

[Figure labels: PK; SK; h_0, h_1; C; d; result; C_1, C_2, ..., C_t; v_1, v_2, ..., v_t]

[Figure labels: PK; SK; h_0, h_1; C; C'; d; result; C_1, C_2, ..., C_t; v_1, v_2, ..., v_t]

ZERO KNOWLEDGE PROOFS

Interactive proofs
[Figure labels: Prover (X, w); Verifier (X); messages M_1, M_2, M_3, ..., M_n; Accept/Reject]
The prover wants to convince the Verifier that something is true about X. Formally that: Rel(X,w) for some w.
Variant: the prover actually knows such a w
Examples:
- Rel_{g,h}((X,Y),z) iff X = g^z and Y = h^z
- Rel_{g,X}((R,C),r) iff R = g^r and C = X^r
- Rel_{g,X}((R,C),r) iff R = g^r and C/g = X^r
- Rel_{g,X}((R,C),r) iff (R = g^r and C = X^r) or (R = g^r and C/g = X^r)

Properties (informal)
- Completeness: an honest prover always convinces an honest verifier of the validity of the statement
- Soundness: a dishonest prover can cheat only with small probability
- Zero knowledge: no other information is revealed
- Proof of knowledge: can extract witness from a successful prover

Equality of discrete logs [CP92]

Completeness

(Special) Soundness

(HV) zero-knowledge
[Figure labels: Rel(X,w); X, w; X; R, c, s]
There exists a simulator SIM that produces transcripts that are indistinguishable from those of the real execution.

Special zero-knowledge
[Figure labels: Rel(X,w); X, w; X; R, c, s]

Special zero-knowledge for CP

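An added example (not from the slides) of the three-move Chaum-Pedersen protocol for the relation Rel_{g,h}((X,Y),z) listed earlier, with the verifier's check, the special-soundness extractor and the special zero-knowledge simulator. The toy group, the second generator HGEN = 9 and all function names are assumptions; the equations are the standard form of the protocol.

```python
# Added example: Chaum-Pedersen proof for Rel_{g,h}((X,Y),z): X = g^z and Y = h^z.
# The group and the second generator HGEN are constructed toy values.
import secrets

P, Q, G, HGEN = 2039, 1019, 4, 9   # G and HGEN both have prime order Q mod P

def commit():
    """Prover, move 1: pick a, send R = (g^a, h^a)."""
    a = secrets.randbelow(Q)
    return a, (pow(G, a, P), pow(HGEN, a, P))

def respond(a, c, z):
    """Prover, move 3: s = a + c*z mod Q for the verifier's challenge c."""
    return (a + c * z) % Q

def verify(X, Y, R, c, s):
    """Accept iff g^s = R1 * X^c and h^s = R2 * Y^c."""
    return (pow(G, s, P) == R[0] * pow(X, c, P) % P and
            pow(HGEN, s, P) == R[1] * pow(Y, c, P) % P)

def extract(c1, s1, c2, s2):
    """Special soundness: same R, challenges c1 != c2, both accepted => witness z."""
    return (s1 - s2) * pow((c1 - c2) % Q, Q - 2, Q) % Q

def simulate(X, Y, c):
    """Special zero-knowledge: for a given c, pick s and solve for R, without z."""
    s = secrets.randbelow(Q)
    R = (pow(G, s, P) * pow(X, (-c) % Q, P) % P,
         pow(HGEN, s, P) * pow(Y, (-c) % Q, P) % P)
    return R, c, s
```
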
OR-proofs [CDS95,C96]
[Figure labels: Rel1(X,w); X, w; X; R1, c1, s1. Rel2(Y,w); Y, w; Y; R2, c2, s2]
Design a protocol for Rel3(X,Y,w) where: Rel3(X,Y,w) iff Rel1(X,w) or Rel2(Y,w)

OR-proofs
[Figure labels: X, Y, w; X, Y; R1, R2; c; c1, c2, s1, s2]

OR-proofs
[Figure labels: Rel1(X,w); X, Y, w; X, Y; R1, R2; c; c1 = c - c2, c2; s1, s2]

OR-proofs
[Figure labels: Rel1(X,w1); X, Y, w; X, Y; R1, R2; c; c1 = c - c2, c2; c1, s1, c2, s2]
To verify: check that c1+c2=c and that (R1,c1,s1) and (R2,c2,s2) are accepting transcripts for the respective relations.

Non-interactive proofs
[Figure labels: Prover (X, w); Verifier (X)]

The Fiat-Shamir/Blum transform
[Figure labels: interactive protocol: Rel(X,w); X, w; X; R, c, s. Non-interactive version: R, s; c = H(X,R)]
The proof is (R,s). To verify: compute c=H(X,R). Check (R,c,s) as before.

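The OR-proof composition and the Fiat-Shamir transform above, combined in an added example that is not from the slides: a non-interactive proof that an exponent-ElGamal ciphertext (R, C) under public key pk holds 0 or 1, i.e. the fourth example relation listed under interactive proofs. The toy group, the SHA-256 based challenge and all function names are assumptions; the statement is hashed together with the commitments, as in c = H(X,R).

```python
# Added example: Fiat-Shamir OR-proof that an exponent-ElGamal ballot holds 0 or 1.
# Toy group and all function names are constructed for illustration.
import hashlib, secrets

P, Q, G = 2039, 1019, 4   # safe prime P = 2Q + 1; G generates the order-Q subgroup

def challenge(*ints):
    """c = H(statement, commitments), reduced into Z_Q."""
    digest = hashlib.sha256(",".join(map(str, ints)).encode()).digest()
    return int.from_bytes(digest, "big") % Q

def branches(ct):
    """Branch b states: R = g^r and C / g^b = pk^r."""
    R, C = ct
    return [(R, C * pow(G, (-b) % Q, P) % P) for b in (0, 1)]

def prove_bit(pk, ct, v, r):
    """Prover knows r with ct = (g^r, g^v * pk^r), v in {0, 1}."""
    fake, st = 1 - v, branches(ct)
    c, s, com = [0, 0], [0, 0], [None, None]
    # Branch that is false: simulate it (pick c, s first, solve for the commitment).
    c[fake], s[fake] = secrets.randbelow(Q), secrets.randbelow(Q)
    U, V = st[fake]
    com[fake] = (pow(G, s[fake], P) * pow(U, (-c[fake]) % Q, P) % P,
                 pow(pk, s[fake], P) * pow(V, (-c[fake]) % Q, P) % P)
    # Branch that is true: honest commitment, challenge forced by c = c0 + c1.
    a = secrets.randbelow(Q)
    com[v] = (pow(G, a, P), pow(pk, a, P))
    c[v] = (challenge(pk, *ct, *com[0], *com[1]) - c[fake]) % Q
    s[v] = (a + c[v] * r) % Q
    return com, c, s

def verify_bit(pk, ct, proof):
    com, c, s = proof
    if (c[0] + c[1]) % Q != challenge(pk, *ct, *com[0], *com[1]):
        return False                      # the two challenges must add up to the hash
    return all(pow(G, s[b], P) == com[b][0] * pow(U, c[b], P) % P and
               pow(pk, s[b], P) == com[b][1] * pow(V, c[b], P) % P
               for b, (U, V) in enumerate(branches(ct)))
```

Because the ciphertext is part of the hashed input, a proof copied onto a rerandomized ciphertext is rejected by verify_bit.
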
ElGamal + PoK

ElGamal + PoK
Theorem: ElGamal+PoK as defined is NM-CPA, in the random oracle model.
Theorem: Enc2Vote(ElGamal+PoK) has vote secrecy, in the random oracle model.

Random oracle [BR93,CGH98]
- Unsound heuristic
- There exist schemes that are secure in the random oracle model for which any instantiation is insecure
- Efficiency vs security

Exercise: Distributed ElGamal decryption
Design a non-interactive zero-knowledge proof that P_i behaves correctly

Ballot secrecy vs. vote privacy

AN INFORMATION THEORETIC APPROACH TO VOTE PRIVACY [BCPW12?]

Information theory

Conditional privacy measure

Computational variant
F(M | Enc_PK(M)) = ?

Computational variant

Example

Variation

Application to voting

Measure(s) for vote privacy

Privacy of idealized protocols

Recall: vote secrecy for SPS
[Figure labels: PK; SK; h_0, h_1; C_0, C_1; C; Sees BB_b; d; result; win]

Recall: vote secrecy for SPS
[Figure labels: PK; SK; h 0,0; C_0, C_1; C; Sees BB_b; d; result; win; D]

Relation with d-privacy
Set F to be average min-entropy

Choice of entropy
- Average min-entropy: measures the probability that an observer guesses the target function of the votes
- Min min-entropy: measures the probability that an observer guesses the target function of the votes for the worst possible election outcome
- Min Hartley entropy: measures the minimum number of values that the target function can take for any assignment of votes

NOT COVERED

Threshold decryption

Simulation-based models [Groth05]

Games vs. simulation security
Games:
- Not always intuitive
- Difficult to design: challenger/queries should reflect all potential uses of the system and permit access to all the information that can be gleaned
Simulation:
- More intuitive (for simple systems)
- Too demanding (e.g. adaptive security)

Relation with d-privacy
Set F to be average min-entropy

Dolev-Yao models [DKR09]
- Protocols specified in a process algebra (applied-pi calculus)
- Vote secrecy: P[vote1/v1, vote2/v2] ≈ P[vote2/v1, vote1/v2]
- Abstraction?
- Relation with the game-based definition?

Incoercibility/Receipt freeness

Mix-nets

Everlasting privacy

Commitments

Fully homomorphic encryption

Conclusions
- Models (symbolic, computational) are important
- Models, models, models…
- Proofs (symbolic, computational) are important
- Proofs, proofs?
- A first step towards a privacy measure

Thanks