Non-interactive Zero- Knowledge Arguments for Voting Jens Groth UCLA

Voting process VotersAuthorities E(vote) + NIZK argument + signature E(vote) + NIZK argument + signature... Check signatures Check NIZK arguments Multi-party computation Result

Encryption Homomorphic property E(m 1 +m 2 ) = E(m 1 ) * E(m 2 ) Threshold property t authorities can decrypt t-1 authorities cannot decrypt

Single vote elections Candidates 0, 1,..., L-1M > # voters Encoding M 0, M 1,..., M L-1 Encrypted votes E(M 2 ), E(M 1 ), E(M 2 ),... Authorities E k = E(M 2 ) E(M 1 ) E(M 2 )... = E(M 2 +M 1 +M ) = E( v i M i ) Threshold decrypt v i M i Result

Contributions Many types of elections - Single vote - Limited vote (each voter N votes) - Shareholder election (each voter N k votes) - Approval voting (each voter up to L votes) - Borda voting (preferential vote) Many types of elections - Single vote - Limited vote (each voter N votes) - Shareholder election (each voter N k votes) - Approval voting (each voter up to L votes) - Borda voting (preferential vote) Efficient NIZK arguments - random oracle model Efficient NIZK arguments - random oracle model

Encoding votes Voter k i v ik M i Single vote v ik = 0,1 and i v ik = 1 Limited vote v ik = 0,1 and i v ik = N Approval vote v ik = 0,1 and i v ik L Shareholder vote v ik 0 and i v ik = N k Borda vote v ik = π k (i+1) for permutation π k

Tallying Encrypted vote E( i v ik M i ) M > # votes receivable Product k E k = k E( i v ik M i ) = E( k i v ik M i ) = E( i ( k v ik )M i ) = E( i v i M i ) Threshold decryption v i M i v i = # votes on candidate i

Homomorphic integer commitment Homomorphic commit(m 1 +m 2 ) = commit(m 1 ) commit(m 2 ) Message space Z Unique prime factorization

-protocols -protocols Statement E = E(v;r) contains a valid vote Voter (v,r)Authorities a c z Fiat-Shamir heuristic c = hash(E,a,ID) Random oracle model: NIZK argument

NIZK arguments Equivalence E = E(a) a = bc = commit(b) Multiplicationc a = commit(a) c b = commit(b) c = abc c = commit(c) Squarec a = commit(a) b = a 2 c b = commit(b) Divisorc a = commit(a) a|bc b = commit(b)

Single vote Encrypted vote E = E(M i )M = p 2, p prime NIZK argument c a = commit(p i ) Divisor NIZK (c a, commit(p L-1 ;0))a|p L-1 c b = commit(M i ) Square NIZK (c a, c b )a 2 = p 2i Equivalence NIZK (E, c b )for 0i<L

Limited vote Encrypted vote M = p 2 E = E( M i j )0 i 1 <...< i N <L NIZK argument c aj = commit(p i j ), c aN+1 = commit(p L ;0) Divisor NIZK (c aj p, c aj+1 ) pa 1 |a 2,...,pa N |p L c bj = commit(M i j ) Square NIZK (c aj, c bj )a j 2 = M i j Equivalence NIZK(E, c bj )0i 1 <...<i N <L

Approval vote Encrypted vote E = E( a i M i )a i = 0,1 NIZK argument c ai = commit(a i ) Square NIZK (c ai, c ai )a i 2 = a i a i = 0,1 Equivalence NIZK (E, c ai M i ) a i M i

Non-negativity Commitment c = commit(m)m 0 Idea4m+1 = x 2 + y 2 + z 2 NIZK argument c x = commit(x)c x 2 = commit(x 2 ) c y = commit(y)c y 2 = commit(y 2 ) c z = commit(z)c z 2 = commit(z 2 ) Square NIZKs (c x, c x 2 ) (c y, c y 2 ) (c z, c z 2 ) Equivalence NIZK (c 4 commit(1;0), c x 2 c y 2 c z 2 )

Shareholder vote Encrypted vote E = E( a i M i )a i 0 and a i = N NIZK argument c ai = commit(a i ) Non-negative NIZK (c ai ) a i 0 Equivalence NIZK (commit(N;0), c ai ) a i = N Equivalence NIZK (E, c ai M i ) a i M i

Borda vote Encrypted vote E = E( a i M i-1 )a i = π(i) NIZK argument c ai = commit(a i ) Known shuffle NIZK (1, 2,..., L, c a1,..., c aL ) commitments contain 1, 2,..., L permuted Equivalence NIZK (E, c ai M i-1 ) a i M i-1

Comparison ProverVerifier Prior art ProverVerifier Limited E + 6N E + 3N DGS03 E + 8N E + 7N Approval E + 2L E + L None Share- holder E + 10L E + 5L IMO03 2.5L logN E 2L logN E Borda E + 4L E + 2L Flawed Non-negative NIZK4m+1 = x 2 + y 2 + z 2