1 e-voting (requirements & protocols) 1) Aggelos Kiayias, Moti Yung: Self-tallying Elections and Perfect Ballot Secrecy 2) Jens Groth: Efficient Maximal Privacy in Boardroom Voting and Anonymous Broadcast

2 Types of Adversary 1)Passive Static 2)Active Adaptive(or Dynamic) 3)Fail-Stop

3 Requirements Privacy: Ensures the secrecy of the ballots. Universal Verifiability: Anyone, having or not participated in the elections, can be convinced that all valid votes have been included in the final tally. Robustness: The system can tolerate a certain number of faulty participants. Receipt-freeness: The voters cannot provide a “receipt” that shows what they voted. Fairness: No partial tally is revealed before the end of the elections.

4 Further requirements  Dispute-freeness: The fact that the participants follow the protocol at any phase can be publicly verified by any casual third party.  Self-tallying: The post-ballot-phase can be performed by any interested third party.  Perfect Ballot Secrecy: The only thing revealed about the voters’ choice is the final result.  Perfect Message Secrecy: Nothing is revealed about who sent which message, no matter how many parties are corrupted.(Groth2004)

5 Propositions  A self-tallying scheme cannot be robust and support privacy at the same time.  A voting scheme with robustness based on secret sharing cannot satisfy Perfect Ballot Secrecy.

6 New Notion Corrective Fault Tolerance (More relaxed form of robustness)

7 Bulletin Board  Public-broadcast channel with memory (no one can erase what is written).  Any party (or simple observer) can read information of it.  All active parties can write on it in designated areas (this means that the communication transcript is secure).  The bulletin board authority (server) is responsible for administrating the election (starting, terminating, and maintaining a registry of voters).

8 Voting Scheme (Kiayias-Yung2002) G k : family of groups, such that the DLP is hard G en : a probabilistic polynomial-time algorithm that, given 1 generates the description of a group G G k and three random elements from G: f, g, h, known to all parties (k: number of bits of q,p ; G: of order q).  Every voter V i selects randomly a i q, and publishes h i :=h (voter’s public key). k a i

9 Pre-Voting Stage(1) Each V i selects randomly s i,j q, j=1,…,n s.t. s i,j =0. (select n-1 values and set s i,n :=- s i,j ).  Each V i then publishes the pairs s.t R i,j :=g and R’ i,j :=h j along with a proof of knowledge that log R i,j =log R’ i,j.  The bulletin board authority computes the product R’ j = R’ i,j, and publishes it on the board. s i,j s gh j

10 Pre-Voting Stage(2) Interactive Proof of Knowledge

11 Pre-Voting Stage(3) Theorem: After the completion of the pre-voting phase i)Any third-party can verify that log R i,j =log R’ i,j. ii)Any third-party can verify that s i,j =0. iii)If at least one voter chose the s i,j values randomly, then the values t j = s i.,j are random in q, with the property that t j =0. gh j

12 Voting Phase(1) Voter V j reads R’ j on the board and raises it to a j in order to obtain h.  Voter V j selects v j {-1(no),1(yes)} and publishes the ballot B j :=h f, along with a proof of knowledge that j t t j v j

13 Voting Phase(2)

14 Self-Tallying The tally T:= B j = f, since t j =0. T {f,f }, so a brute force attack can check all possible values with 2n steps worst case. Shanks’ “Baby Step-Giant Step” method gives even better results. v j -n+1n-1

15 Corrective Fault Tolerance Two cases:  When some registered voters do not participate in the pre-voting phase.  When some voters do not cast a ballot before the deadline of the election.  In both cases the remaining active voters must react to reveal the shares that were intended for the ones that failed.

16 Corrective Fault Tolerance(1)  No participation in the pre-voting phase: S:=set of voters who didn’t participate S:=set of remaining voters Each voter V k, k S, publishes R’’ :=h, together with a non-interactive proof of knowledge for Then the bulletin board authority modifies the values _ _ k s k k,j

17 Corrective Fault Tolerance(2) The values R’ k are changed to satisfy the properties of Theorem, especially (iii), with t k :=log R’ k. It is easy to see that t k =0 and that the values t k are random in q, if at least one voter chose the s i,j randomly. h k

18 Corrective Fault Tolerance(3) No participation in the voting phase: S’:=set of voters who didn’t cast a vote S’:=set of remaining voters Each Voter V k, k S’ publishes e k := s k,j and Φ k :=( R’ j,k ). The value of e k can be publicly verified by checking g := R k,j Φ k must be accompanied by a PK as before. _ _ a k e k

19 Corrective Fault Tolerance(4) The tally computation can be performed by any third party: T:= B h (Φ ) It is easy to see that T {f,…,f }, so the number of the positive votes can be found with a brute force attack as before. k e k k -

20 Multi-Way Elections In the initialization phase, instead of f, the values f 1, f 2,…,f n G are given to all parties. Whenever V j wants to cast a vote v j he publishes the ballot h f v j, along with a proof of knowledge. In the final stage the product T 1 T 2 …T c is revealed, where T k {f k,…,f k }. A total of n search steps in the worst case is required, to reveal the votes each candidate received. tjtj 0n-1 c-1

21 Conclusion  Assuming the existence of an homomorphic encryption with an associated discrete logarithm problem which is secure, and a random oracle hash: Theorem: The described protocol satisfies privacy, fairness(assuming the existence of an honest authority that casts the lest 0-vote), universal verifiability, corrective-fault tolerance, dispute- freeness, self-tallying and perfect ballot secrecy.

22 Voting Schemes(Jens Groth2004)  Simple self-tallying voting scheme with perfect ballot secrecy, which is more efficient than [KiayiasYung].  Anonymous broadcast channel with perfect message secrecy (Nothing is revealed about who sent which message, no matter how many parties are corrupted), built on top of a broadcast channel.

23 Remember notions!  Dispute-freeness: The fact that the participants follow the protocol at any phase can be publicly verified by any casual third party.  Self-tallying: The post-ballot-phase can be performed by any interested third party.  Perfect Ballot Secrecy: The only thing revealed about the voters’ choice is the final result. Fairness: No partial tally is revealed before the end of the elections.

24 Properties Bulletin(message)-board with memory. The adversary A is polynomial-time, active and static. The parties work semi-synchronously; the protocol proceeds in phases and the parties act in random order in each phase. We let A decide when to switch phase. decide when to change

25 Simple Protocol(1) Simple protocol in the honest-but-curious case (Passive),and a yes-or-no voting. Initialization:  The voters agree on a group G q, of order q, where the DDH problem is hard and on g: generator of G q.  All voters select randomly a x j q which is kept secret, and they publish h j :=g. x j

26 Simple Protocol(2) Casting votes:  v 1,…,v n {0,1}.  Voter 1 chooses random r 1 q, and publishes (g,( h i ) g ).  Voter 2 chooses random r 2 q, and publishes (g, ( h i ) g ). …  Voter n chooses random r n q, and publishes (g,g ). r1r1 r1r1 v1v1 r 1 +r 2 v 1 +v 2 r 1 +r 2 vivi riri

27 Simple Protocol(3) Tallying:  Finally from the last voter’s output we can read off g. v i n, so we can compute the 1-votes.  To deal with active adversaries too, all we have to do is add zero-knowledge proofs for correctness. vivi

28 Voting Protocol n : number of voters c : number of candidates k : the security parameter W : set of possible votes. We encode the vote for candidate i as (n+1). In this way we can know the exact number of votes each candidate took. i

29 Voting Protocol(1) Initialization:  The voters agree on a group G q, of order q, where the DDH problem is hard and on g: generator of G q.  All voters select randomly a x i q which is kept secret, and they publish h i :=g, along with a proof of knowledge for x i.  Set current state of election (1,1). i x

30 Voting Protocol(2) Voting Phase:  Voter i wants to cast a vote v i W. He downloads the current state of election (u,v) and verifies the correctness of the keys and all votes cast till now.  He selects random r i from q. He sets: u:=ug v:=vu ( h j ) g, where T: the set of remaining voters.  He broadcasts (u,v) along with a proof of knowledge. riri -x i riri vivi

31 Voting Protocol(3) Tallying: The state of the election is (u,v) with v=g. If there are not too many voters and candidates, the discrete logarithm can be computed. Fault-correction: The remaining voters have to repeat the voting phase, with the reduced set of voters. They can gain a factor logc by proving that they cast the same vote… vivi

32 Comparison KiayiasYung 1. O(n) exponentiations in the key regi- stration phase 2. O(nk) size of the key 3. O(n ) exponentiations for the verifi- cation of the keys 4. O(logc) exponentiations in the voting phase Groth 1. O(1) exponentiations in the key regi- stration phase 2. O(k) size of the key 3. O(n) exponentiations for the verifi- cation of the keys 4. O(logc) exponentiations in the voting phase 2  The size of the votes and the exponentiations necessary to verify the votes(the voters’ proofs resp.) are the same in both protocols.  In KiayiasYung, many voters can vote simultaneously.

33 Anonymous Broadcast with PMS Requirements:  Perfect message secrecy: A sender is hidden completely among the group of honest senders.  Self-disclosing: Once the last sender has submitted his message, anybody can see the messages broadcasted.  Fairness: There is no access to a partial tally before the end of the election(assuming the existence of an honest authority that casts the lest 0-vote).  Dispute-freeness: Anybody can verify if the senders follow the protocol or not.

34 Anonymous Broadcast Protocol(1) The senders agree on a group G q of order q, where the DHP is hard, and on a generator g for G q. Each sender i selects random x i q and publishes h i :=g, with a proof of knowledge for it. Sender i wants to send a message m i G q. We denote S: the set of senders who already sent a message, and T: the set of those who didn’t. The state of the election are the ciphertexts {(u j, v j )}. xixi j S\{i}

35 Anonymous Broadcast Protocol(2) Message submission:  Sender i checks all proofs of the previous senders. Then he encrypts m i as (u i, v i ):=(g, ( h j ) m i ).  He picks random permutation π i over S, permutes all ciphertexts {(u j, v j )} and rerandomizes them into {(U j,V j ’)}.  Finally he removes one layer of encryption, meaning he computes {(U j,V j ’U j )}.  He broadcasts the list of ciphertexts with a Proof of knowledge for having done all that correctly. riri riri j S -x i j S

36 Theorem: The described protocol is self-disclosing, dispute-free, anonymous broadcast protocol with perfect message secrecy.Assuming the existence of an honest authority that doesn’t submit a message himself, the protocol is fair.