Efficient Maximal Privacy in Boardroom Voting and Anonymous Broadcast Jens Groth BRICS, University of Aarhus Cryptomathic A/S

Election Privacy Ballot box V1V1 V2V2 V3V3 Result Vote1 = Result – Vote2 – Vote3

Properties  Perfect ballot secrecy coalition information = own votes and result  Self-tallying result reveals itself  Dispute-freeness dishonest behavior detectable

Assumptions  Bulletin board system  Semi-synchronous adversary: phases and activations  Static corruption  Group order q, decision diffie-hellman  Random oracle model, NIZK arguments BBS V2V2 V3V3 V1V1

Protocol  Public keys: h 1  g x1,..., h n  g xn private keys: x1,..., xn  Votes: V 1 : (u,v)  (g r1,(h 2 ···h n ) r1 g v1 ) V 2 : (u,v)  (ug r2,vu -x2 (h 3 ···h n ) r2 g v2 ) = (g r1+r2,(h 3 ···h n ) r1+r2 g v1+v2 ).. V n : (u,v)  (ug rn,vu -xn g vn ) = (g r1+...+rn,g v1+...+Vn )  Result: v1+...+vn

Complexity  Key generation: O(1) expos verification of proofs: O(n) expos  Voting: O(log c) expos verification of proofs: O(n log c) expos Previous protocols:  Key generation: O(n) expos verification of proofs: O(n 2 ) expos  Voting: O(log c) expos verification of proofs: O(n log c) expos c = number of candidates

Security V2V2 V3V3 V1V1 V2V2 V3V3 V1V1 v1 v2 w2 v3 Partial result: v1+v3 Reveal:last honest vote (u,v) result cont s result cont s

Anonymous Broadcast  Public keys: h 1  g x1,..., h n  g xn private keys: x1,..., xn  Messages: P 1 : (u 1,v 1 )  (g r1,(h 2 ···h n ) r1 m 1 ) P 2 : (u 2,v 2 )  (g r2,(h 2 ···h n ) r2 m 2 ) shuffle (u 1,v 1 ), (u 2,v 2 ) (u 1,v 1 )  (u 1,v 1 u 1 -x2 ) (u 2,v 2 )  (u 2,v 2 u 2 -x2 )...

Anonymous Broadcast  P n : (u n,v n )  (g rn,h n rn m n ) shuffle (u 1,v 1 ),...,(u n,v n ) (u 1,v 1 )  (u 1,v 1 u 1 -xn )... (u n,v n )  (u n,v n u n -xn )  {v 1,...,v n } = {m 1,...,m n } Output: m 1,...,m n

Complexity  Key generation: O(1) expos verification of proofs: O(n) expos  Message submission: O(n) expos verification of proofs: O(n 2 ) expos