Non-interactive Zero-Knowledge Arguments for Voting. Jens Groth, UCLA.

Presentation transcript:

Non-interactive Zero-Knowledge Arguments for Voting. Jens Groth, UCLA

Voting process
- Voters send to the authorities: E(vote) + NIZK argument + signature, E(vote) + NIZK argument + signature, ...
- Authorities: check signatures, check NIZK arguments, multi-party computation
- Result

Encryption
- Homomorphic property: $E(m_1 + m_2) = E(m_1) \cdot E(m_2)$
- Threshold property: t authorities can decrypt, t-1 authorities cannot decrypt

Single vote elections
- Candidates: 0, 1, ..., L-1
- M > # voters
- Encoding: $M^0, M^1, \ldots, M^{L-1}$
- Encrypted votes: $E(M^2), E(M^1), E(M^2), \ldots$
- Authorities: $\prod_k E_k = E(M^2)\,E(M^1)\,E(M^2) \cdots = E(M^2 + M^1 + M^2 + \cdots) = E(\sum_i v_i M^i)$
- Threshold decrypt: $\sum_i v_i M^i$
- Result

Contributions
Many types of elections
- Single vote
- Limited vote (each voter N votes)
- Shareholder election (each voter $N_k$ votes)
- Approval voting (each voter up to L votes)
- Borda voting (preferential vote)
Efficient NIZK arguments
- random oracle model

Encoding votes
- Voter k: $\sum_i v_{ik} M^i$
- Single vote: $v_{ik} \in \{0,1\}$ and $\sum_i v_{ik} = 1$
- Limited vote: $v_{ik} \in \{0,1\}$ and $\sum_i v_{ik} = N$
- Approval vote: $v_{ik} \in \{0,1\}$ and $\sum_i v_{ik} \le L$
- Shareholder vote: $v_{ik} \ge 0$ and $\sum_i v_{ik} = N_k$
- Borda vote: $v_{ik} = \pi_k(i+1)$ for permutation $\pi_k$

Tallying
- Encrypted vote: $E(\sum_i v_{ik} M^i)$, with M > # votes receivable
- Product: $\prod_k E_k = \prod_k E(\sum_i v_{ik} M^i) = E(\sum_k \sum_i v_{ik} M^i) = E(\sum_i (\sum_k v_{ik}) M^i) = E(\sum_i v_i M^i)$
- Threshold decryption: $\sum_i v_i M^i$, where $v_i$ = # votes on candidate i
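The encoding and tallying slides above, worked end to end as an added example (not code from the presentation). It assumes Paillier as a stand-in for the additively homomorphic scheme E, with toy constructed primes and a single decryption key instead of threshold decryption; all function names are hypothetical.

```python
import math
import secrets

# Toy Paillier key (assumption: stand-in for the slides' E; constructed
# Mersenne primes, one decryption key rather than t-of-n threshold shares).
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)
MU = pow(LAM, -1, N)                     # valid for generator g = N + 1

def encrypt(m):
    """E(m; r) = (1 + N)^m * r^N mod N^2, so E(m1) * E(m2) = E(m1 + m2)."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            break
    return (1 + m * N) % N2 * pow(r, N, N2) % N2

def decrypt(c):
    return (pow(c, LAM, N2) - 1) // N * MU % N

def encode_vote(counts, M):
    """Encode per-candidate values v_i as sum_i v_i * M^i."""
    return sum(v * M**i for i, v in enumerate(counts))

def tally(ciphertexts, M, L):
    """Multiply all ciphertexts, decrypt once, read the base-M digits v_i."""
    product = 1
    for c in ciphertexts:
        product = product * c % N2
    total = decrypt(product)
    return [(total // M**i) % M for i in range(L)]

def run_election(ballots, M, L):
    return tally([encrypt(encode_vote(b, M)) for b in ballots], M, L)

# Constructed ballots: single-vote election, 3 candidates, 5 voters.
SAMPLE = [[0, 0, 1], [0, 1, 0], [0, 0, 1], [1, 0, 0], [0, 0, 1]]

if __name__ == "__main__":
    print(run_election(SAMPLE, M=6, L=3))  # M > # voters: digits are the counts
    print(run_election(SAMPLE, M=3, L=3))  # M too small: digits carry, tally is wrong
```

The second call shows why the slides require M to exceed the number of votes a candidate can receive: with M = 3 the three votes for candidate 2 overflow its digit and are lost.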

Homomorphic integer commitment
- Homomorphic: $\mathrm{commit}(m_1 + m_2) = \mathrm{commit}(m_1) \cdot \mathrm{commit}(m_2)$
- Message space: $\mathbb{Z}$
- Unique prime factorization

Σ-protocols
- Statement: E = E(v;r) contains a valid vote
- Voter (v,r) and authorities exchange three messages: a, c, z
- Fiat-Shamir heuristic: c = hash(E,a,ID)
- Random oracle model: NIZK argument
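The Fiat-Shamir step on this slide, shown as an added example (not code from the presentation). It assumes a simplified statement, knowledge of r with E = G^r, in place of "E contains a valid vote", and a toy group modulo the Mersenne prime 2^127 - 1; the names and voter IDs are constructed.

```python
import hashlib
import secrets

# Toy group (assumption: integers mod the Mersenne prime 2^127 - 1 with base
# G = 3; constructed for illustration, not a vetted parameter set).
P = 2**127 - 1
ORDER = P - 1
G = 3

def challenge(E, a, voter_id):
    """Fiat-Shamir: c = hash(E, a, ID) replaces the authorities' random challenge."""
    data = f"{E}|{a}|{voter_id}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER

def prove(r, voter_id):
    """Prover knows r with E = G^r; returns E and the non-interactive argument (a, z)."""
    E = pow(G, r, P)
    w = secrets.randbelow(ORDER)
    a = pow(G, w, P)                   # first message of the Sigma-protocol
    c = challenge(E, a, voter_id)      # challenge derived by hashing
    z = (w + c * r) % ORDER            # response
    return E, (a, z)

def verify(E, proof, voter_id):
    """Recompute c from (E, a, ID) and check G^z == a * E^c."""
    a, z = proof
    c = challenge(E, a, voter_id)
    return pow(G, z, P) == a * pow(E, c, P) % P

if __name__ == "__main__":
    E, proof = prove(secrets.randbelow(ORDER), "voter-17")
    print(verify(E, proof, "voter-17"))   # accepted under the ID it was made for
    print(verify(E, proof, "voter-42"))   # same E and proof under another ID
```

Because ID is hashed into the challenge, a ciphertext and argument copied from one voter do not verify when submitted under a different ID.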

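NIZK arguments
- Equivalence: $E = E(a)$, $c = \mathrm{commit}(b)$; proves $a = b$
- Multiplication: $c_a = \mathrm{commit}(a)$, $c_b = \mathrm{commit}(b)$, $c_c = \mathrm{commit}(c)$; proves $c = ab$
- Square: $c_a = \mathrm{commit}(a)$, $c_b = \mathrm{commit}(b)$; proves $b = a^2$
- Divisor: $c_a = \mathrm{commit}(a)$, $c_b = \mathrm{commit}(b)$; proves $a \mid b$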

Single vote
- Encrypted vote: $E = E(M^i)$, with $M = p^2$, p prime
- NIZK argument:
- $c_a = \mathrm{commit}(p^i)$
- Divisor NIZK $(c_a, \mathrm{commit}(p^{L-1};0))$: $a \mid p^{L-1}$
- $c_b = \mathrm{commit}(M^i)$
- Square NIZK $(c_a, c_b)$: $a^2 = p^{2i}$
- Equivalence NIZK $(E, c_b)$: for $0 \le i < L$

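Limited vote
- Encrypted vote: $M = p^2$, $E = E(\sum_j M^{i_j})$ with $0 \le i_1 < \ldots < i_N < L$
- NIZK argument:
- $c_{a_j} = \mathrm{commit}(p^{i_j})$, $c_{a_{N+1}} = \mathrm{commit}(p^L;0)$
- Divisor NIZK $(c_{a_j}^{\,p}, c_{a_{j+1}})$: $p a_1 \mid a_2, \ldots, p a_N \mid p^L$
- $c_{b_j} = \mathrm{commit}(M^{i_j})$
- Square NIZK $(c_{a_j}, c_{b_j})$: $a_j^2 = M^{i_j}$
- Equivalence NIZK $(E, \prod_j c_{b_j})$: $0 \le i_1 < \ldots < i_N < L$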

Approval vote
- Encrypted vote: $E = E(\sum_i a_i M^i)$ with $a_i \in \{0,1\}$
- NIZK argument:
- $c_{a_i} = \mathrm{commit}(a_i)$
- Square NIZK $(c_{a_i}, c_{a_i})$: $a_i^2 = a_i$, so $a_i \in \{0,1\}$
- Equivalence NIZK $(E, \prod_i c_{a_i}^{M^i})$: $\sum_i a_i M^i$

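Non-negativity
- Commitment: $c = \mathrm{commit}(m)$ with $m \ge 0$
- Idea: $4m+1 = x^2 + y^2 + z^2$
- NIZK argument:
- $c_x = \mathrm{commit}(x)$, $c_{x^2} = \mathrm{commit}(x^2)$
- $c_y = \mathrm{commit}(y)$, $c_{y^2} = \mathrm{commit}(y^2)$
- $c_z = \mathrm{commit}(z)$, $c_{z^2} = \mathrm{commit}(z^2)$
- Square NIZKs $(c_x, c_{x^2})$, $(c_y, c_{y^2})$, $(c_z, c_{z^2})$
- Equivalence NIZK $(c^4 \cdot \mathrm{commit}(1;0),\; c_{x^2} c_{y^2} c_{z^2})$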
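The prover's side of the non-negativity argument, as an added example (not code from the presentation): it searches for the witness (x, y, z) and forms the two commitments that the final Equivalence NIZK compares. The commitment commit(m; r) = G^m H^r mod MOD is a toy stand-in with constructed, insecure parameters; function names are hypothetical.

```python
import math

# Toy homomorphic integer commitment (assumption: stand-in for the slides'
# commit; constructed parameters, no hiding or binding claimed).
MOD = (2**31 - 1) * (2**61 - 1)
G, H = 4, 9

def commit(m, r):
    """commit(m; r) = G^m * H^r mod MOD; multiplying commitments adds messages."""
    return pow(G, m, MOD) * pow(H, r, MOD) % MOD

def three_squares(m):
    """Return (x, y, z) with 4m+1 = x^2 + y^2 + z^2, or None when m < 0."""
    target = 4 * m + 1
    if target < 0:
        return None                      # a negative m has no witness
    for x in range(math.isqrt(target), -1, -1):
        rest = target - x * x
        for y in range(math.isqrt(rest), -1, -1):
            z2 = rest - y * y
            z = math.isqrt(z2)
            if z * z == z2:
                return x, y, z
    return None

def statement(m, r, rands):
    """Both sides of the Equivalence NIZK: c^4 * commit(1;0) and c_x2 * c_y2 * c_z2."""
    c = commit(m, r)
    left = pow(c, 4, MOD) * commit(1, 0) % MOD
    right = 1
    for v, rv in zip(three_squares(m), rands):
        right = right * commit(v * v, rv) % MOD
    return left, right

if __name__ == "__main__":
    print(three_squares(5))              # 21 = 16 + 4 + 1
    print(three_squares(-1))             # None
    left, right = statement(5, 11, (3, 4, 5))
    # Same message 4m+1 = 21 on both sides, different randomness (44 vs 12).
    print(left == commit(21, 44), right == commit(21, 12))
```

A witness exists for every m ≥ 0 because 4m+1 is never of the form 4^a(8b+7), the only integers that are not sums of three squares.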

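Shareholder vote
- Encrypted vote: $E = E(\sum_i a_i M^i)$ with $a_i \ge 0$ and $\sum_i a_i = N$
- NIZK argument:
- $c_{a_i} = \mathrm{commit}(a_i)$
- Non-negative NIZK $(c_{a_i})$: $a_i \ge 0$
- Equivalence NIZK $(\mathrm{commit}(N;0), \prod_i c_{a_i})$: $\sum_i a_i = N$
- Equivalence NIZK $(E, \prod_i c_{a_i}^{M^i})$: $\sum_i a_i M^i$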

Borda vote
- Encrypted vote: $E = E(\sum_i a_i M^{i-1})$ with $a_i = \pi(i)$
- NIZK argument:
- $c_{a_i} = \mathrm{commit}(a_i)$
- Known shuffle NIZK $(1, 2, \ldots, L, c_{a_1}, \ldots, c_{a_L})$: commitments contain 1, 2, ..., L permuted
- Equivalence NIZK $(E, \prod_i c_{a_i}^{M^{i-1}})$: $\sum_i a_i M^{i-1}$

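Comparison

| Election | Prover | Verifier | Prior art | Prover (prior art) | Verifier (prior art) |
|---|---|---|---|---|---|
| Limited | E + 6N | E + 3N | DGS03 | E + 8N | E + 7N |
| Approval | E + 2L | E + L | None | | |
| Shareholder | E + 10L | E + 5L | IMO03 | 2.5L logN E | 2L logN E |
| Borda | E + 4L | E + 2L | Flawed | | |

Non-negative NIZK: $4m+1 = x^2 + y^2 + z^2$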