SANDRA GUASCH CASTELLÓ PHD EVOTING WORKSHOP LUXEMBOURG, 15-16/10/2012 SUPERVISOR: PAZ MORILLO BOSCH Verifiable Mixnets.

Slides:



Advertisements
Similar presentations
Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.
Advertisements

Non-interactive Zero- Knowledge Arguments for Voting Jens Groth UCLA.
A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:
Research & Development Workshop on e-Voting and e-Government in the UK - February 27, 2006 Votinbox - a voting system based on smart cards Sébastien Canard.
Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
Stupid Columnsort Tricks Geeta Chaudhry Tom Cormen Dartmouth College Department of Computer Science.
Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Claudia Diaz, Hannelore Dekeyser, Markulf Kohlweiss, Girma Nigusse K.U.Leuven IDIS Workshop 29/05/2008 [Work done in the context of the ADAPID project]
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle Jens Groth University College London Yuval Ishai Technion and University of California.
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
A method for electronic voting with Coercion-free receipt David J. Reynolds (unaffiliated)
Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.
Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)
Maths for Computer Graphics
Problem 1 3/10/2011Practical Aspects of Modern Cryptography.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.
Applying Cryptography --lottery, anonymous authentication, and voting-- Kazue Sako
10/25/20061 Threshold Paillier Encryption Web Service A Master’s Project Proposal by Brett Wilson.
Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
Electronic Voting (E-Voting) An introduction and review of technology Written By: Larry Brachfeld CS591, December 2010.
CRYPTOGRAPHY WHAT IS IT GOOD FOR? Andrej Bogdanov Chinese University of Hong Kong CMSC 5719 | 6 Feb 2012.
Completely Anonymous, Secure, Verifiable, and Secrecy Preserving Auctions Michael O. Rabin, Harvard University and Google Research Joint work with Yishay.
Linear Algebra with Sub-linear Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual before.
PRESENTED BY CHRIS ANDERSON JULY 29, 2009 Using Zero Knowledge Proofs to Validate Electronic Votes.
Chapter 7 Matrix Mathematics Matrix Operations Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Cryptographic Voting Protocols: A Systems Perspective By Chris Karlof, Naveen Sastry, and David Wagner University of California, Berkely Proceedings of.
Fine-Tuning Groth-Sahai Proofs Alex Escala Scytl Secure Electronic Voting Jens Groth University College London.
Optimistic Mixing for Exit-Polls Philippe Golle, Stanford Sheng Zhong, Yale Dan Boneh, Stanford Markus Jakobsson, RSA Labs Ari Juels, RSA Labs.
Efficient Zero-Knowledge Proofs Jens Groth University College London.
4.4 & 4.5 Notes Remember: Identity Matrices: If the product of two matrices equal the identity matrix then they are inverses.
Topic 22: Digital Schemes (2)
Targil 6 Notes This week: –Linear time Sort – continue: Radix Sort Some Cormen Questions –Sparse Matrix representation & usage. Bucket sort Counting sort.
Presented by: Suparita Parakarn Kinzang Wangdi Research Report Presentation Computer Network Security.
An Analysis of Parallel Mixing with Attacker-Controlled Inputs Nikita Borisov formerly of UC Berkeley.
WISTP’08 ©LAM /05/2008 A Self-Certified and Sybil-Free Framework for Secure Digital Identity Domain Buildup Christer Andersson Markulf Kohlweiss.
The Paillier Cryptosystem
4.4 Identify and Inverse Matrices Algebra 2. Learning Target I can find and use inverse matrix.
Privacy and Anonymity Using Mix Networks* Slides borrowed from Philippe Golle, Markus Jacobson.
4.5 Inverse of a Square Matrix
A Brief Introduction to Mix Networks Ari Juels RSA Laboratories © 2001, RSA Security Inc.
Almost Entirely Correct Mixing With Applications to Voting Philippe Golle Dan Boneh Stanford University.
ICICS2002, Singapore 1 A Group Signature Scheme Committing the Group Toru Nakanishi, Masayuki Tao, and Yuji Sugiyama Dept. of Communication Network Engineering.
Dominique Unruh Quantum Proofs of Knowledge Dominique Unruh University of Tartu Tartu, April 12, 2012.
Authorized But Anonymous: Taking Charge of Your Personal Data Anna Lysyanskaya Brown University.
Usable Security Lab Crypto Lab Efficiency Comparison of Various Approaches in E-Voting Protocols Oksana Kulyk, Melanie Volkamer.
Voting System Properties Most voting systems assume no collusion between more than one party for keys Most voting systems require a consistency check by.
3 3 x =5 When you see a Multiplication problem, you can use the DIVISION Property of Equality to solve it! Remember – a FRACTION means to divide! CHECK.
Cryptographic Shuffles Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAAAAAAAAAA.
Secure, verifiable online voting 29 th June 2016.
Topic 36: Zero-Knowledge Proofs
CSE 4095 Lecture 22 – BlockChain Slides adapted from Claudio Orlandi.
Linear Algebra review (optional)
On the Size of Pairing-based Non-interactive Arguments
MPC and Verifiable Computation on Committed Data
Linear Algebra with Sub-linear Zero-Knowledge Arguments
Helger Lipmaa University of Tartu, Estonia
Re(AC)t Reputation and Anonymous Credentials for Access Control (t=2)
Formal Analysis and Applications of Direct Anonymous Attestation
Parallel build blocks.
Short Pairing-based Non-interactive Zero-Knowledge Arguments
Linear Algebra review (optional)
Presentation transcript:

SANDRA GUASCH CASTELLÓ PHD EVOTING WORKSHOP LUXEMBOURG, 15-16/10/2012 SUPERVISOR: PAZ MORILLO BOSCH Verifiable Mixnets

INDEX Introduction  Counting methods for electronic voting.  Verifiability of the counting process. Verifiable Mixnets  Verificatum:  Properties of a permutation matrix.  Commitment to a permutation matrix.  Other approaches:  Vector Commitments.  Cryptographic Accumulators. 2

INTRODUCTION Counting methods for electronic voting:  In case encrypted votes are linked to voter identities (digitally signed), the counting phase has to implement procedures for preserving vote secrecy. 3

INTRODUCTION Counting methods for providing vote secrecy:  Homomorphic tally:  Poor scalability and flexibility. 4

INTRODUCTION Verifiability of the counting process:  Homomorphic tally: 5

VERIFICATUM 6 Verifiable Mixnets

Verificatum: a verifiable mixnet 7 Based in two papers:  D. Wikström. A Commitment-Consistent Proof of a Shuffle  Generic design of a mixnet verification process divided in two phases.  The heavier computations are moved to a pre-computation phase.  B. Terelius, D. Wikström. Proofs of Restricted Shuffles. AfricaCrypt  Use a matrix commitment to prove the properties of this matrix.  Define the properties of a permutation matrix.

8 D. Wikström. A Commitment- Consistent Proof of a Shuffle How to proof that the mixing has been performed correctly? Operations:  Shuffle or permutation.  Re-encryption.

9 D. Wikström. A Commitment- Consistent Proof of a Shuffle Division in two processes:  Offline or computed before mixing.  Online or computed during mixing.

B. Terelius, D. Wikström. Proofs of restricted shuffles Product of a matrix and a vector: Permutation matrix: Characteristics:  The product of the output elements is equal to the product of the input elements:  No linear combinations are done: That means: the output contains the same elements than the input.

Commitment to a permutation matrix 11 Pedersen commitment:  Commitment to a value m:  Commit to a vector : Commit to a matrix:  Commit to each column j:  Commit all the columns a j together:

Commitment to a permutation matrix 12 Note that: Remember: The result of multiplying vector e by matrix M. Vector e permuted as defined by matrix M.

Commitment to a permutation matrix 13 Remember characteristics of M:  The output contains the same elements than the input vector:  We will use:  No linear combinations are done:  We will use:

Commitment to a permutation matrix 14 Proofs over the commitment of M:  From the commitment of :  Where is the permutation of  Prove that  The verifier checks that has an exponential form.  This is the heaviest part of the computation, but it’s done in the offline phase. The prover has to do step-by-step the product of the values e’ i. …

Verificatum times 15 minutes Offline:87,09 Commitment to a matrix23,17 Check matrix commitment:59,17 Pre-generate re-encryption exponents: 4,76 Online:18,04 Perform mixing:0,02 Prove mixing:3,97 Validate mixing:14,05 Java implementation. Commitment to an initial matrix of votes, mixing of votes. I GB RAM 3VMs (1 core, 2GB RAM) VirtualBox Verificatum

OTHER APPROACHES 16 Verifiable Mixnets

17 D. Catalano and D. Fiore. Vector Commitments and their Applications * Commitment to a vector of q messages. * The commitment can be opened to a specific position. * Position binding: the commitment cannot be opened to two different values for the same position. * Size of commitment and openings is independent of q. * Commitment and openings are updatable.

Proving mixing with Vector Commitments 18 Idea: we want to prove that we have commited to a permutation matrix (like Wikström).  Commit to each row of M with a Vector Commitment.  Make an opening to value ‘0’ that can be used for all positions but one.  Make an opening to value ‘1’ for one position.  Without revealing that position.  Vector Commitments shall allow relating the commited matrix to the operations of the Mixnet. Only one ‘1’per column and row.

Idea: what does it mean to make a shuffle?  Messages before and after are the same, but in different order.  Vector Commitments are position binding: prove both vectors have the same elements in different positions.  Pass a test vector through the permutation matrix (hidden) and give the Vector Commitment of the output.  Prove properties of the commited output. Proving mixing with Vector Commitments 19 Prove them in zero knowledge.

20 J. Camenish and A. Lysyanskaya. Dynamic Accumulators and Application to Efficient Revocation of Anonymous credentials * Compress a list of q elements into a single accumulator value. * For each element, a witness w attests that it is in the accumulator. * Camenish and Lysyanskaya: prove in zero knowledge that an element is in the accumulator. * Can be used to prove in zero knowledge that an element belongs to a set. * The accumulator can be updated to allocate new values. * Universal accumulators (J. Li, N. Li, R. Xue. Universal Accumulators with Efficient Non-membership Proofs ) allow also to issue proofs of non-membership.

Proving mixing with Vector Commitments and Accumulators 21 Idea: we want to prove that two vectors contain the same values but in different order (without learning that order).  Compare the vector commitment of the output does not open to the same values than in the input for all the positions  in zero knowledge!  Use a cryptographic accumulator to represent the set of input values, and demostrate that all the output values in the vector commitment are contained in the accumulator.

Challenges Make Vector Commitments homomorphic in some way:  Vector Commitments shall allow relating the committed values to the operations of the mixnet.  We want to be able to relate a committed vector to values in an accumulator. Achieve Zero-Knowledge properties:  We want to prove a position can be opened to a value without revealing that position. 22

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.