Published by Frida Latchford. Modified over 9 years ago.

Vote privacy: models and cryptographic underpinnings
Bogdan Warinschi
University of Bristol

Aims and objectives
- Models are useful, desirable
- Cryptographic proofs are not difficult
- Have y’all do one cryptographic proof
- Have y’all develop a zero-knowledge protocol
- Have y’all prove one property for a zero-knowledge protocol

Models

Voting scheme
[Figure: voting scheme; labels v1, v2, …, vn]

Wish list
- Eligibility: only legitimate voters vote; each voter votes once
- Fairness: voting does not reveal early results
- Verifiability: individual, universal
- Privacy: no information about the individual votes is revealed
- Receipt-freeness: a voter cannot prove s/he voted in a certain way
- Coercion-resistance: a voter cannot interact with a coercer to prove that s/he voted in a certain way

Design-then-break paradigm
[Diagram with branches "…attack found" and "…no attack found"]
Guarantees: no attack has been found yet

Security models
Mathematical descriptions:
- What a system is
- How a system works
- What is an attacker
- What is a break
Advantages: clarify security notions; allow for security proofs (guarantees within clearly established boundaries)
Shortcomings: abstraction – implicit assumptions, details are missing (e.g. trust in hardware, side-channels)

This talk
- Privacy-relevant cryptographic primitives
  - Asymmetric encryption
  - Noninteractive zero-knowledge proofs
- Privacy-relevant techniques
  - Homomorphicity
  - Rerandomization
  - Threshold cryptography
- Security models for encryption
- Security models for vote secrecy (Helios)

Cryptographic security models

Game based models
[Diagram: Challenger; labels Query, Answer, 0/1]

ASYMMETRIC ENCRYPTION SCHEMES

Syntax
- Setup(ν): fixes parameters for the scheme
- KG(params): randomized algorithm that generates (PK,SK)
- ENC_PK(m): randomized algorithm that generates an encryption of m under PK
- DEC_SK(C): deterministic algorithm that calculates the decryption of C under SK

Functional properties

(exponent) ElGamal

Functional properties

IND-CPA
[Diagram: IND-CPA game; labels: Public Key PK; M0, M1; C; Guess d; win]
Theorem: If the DDH problem is hard in G then the ElGamal encryption scheme is IND-CPA secure.
Good definition?

SINGLE PASS VOTING SCHEME

Informal
[Diagram: P1: v1, P2: v2, …, Pn: vn; ciphertexts C1, C2, …, Cn; labels SK, PK]

Syntax of SPS schemes
- Setup(ν): generates (x, y, BB): secret information for tallying x, public parameters of the scheme y, initial bulletin board BB
- Vote(y,v): the algorithm run by each voter to produce a ballot b
- Ballot(BB,b): run by the bulletin board; outputs new BB and accept/reject
- Tallying(BB,x): run by the tallying authorities to calculate the final result

An implementation: Enc2Vote

Attack against privacy
[Diagram: P1: v1, P2: v2, P3; ciphertexts C1, C2, C1; labels PK, SK]
Assume that votes are either 0 or 1
If the result is 0 or 1 then v1 was 0, otherwise v1 was 1
FIX: weed out equal ciphertexts

New attack
[Diagram: P1: v1, P2: v2, P3; ciphertexts C1, C2, C; labels PK, SK]
FIX: Make sure ciphertexts cannot be mauled and weed out equal ciphertexts

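The two slides above, worked through in an added Python example (not code from the presentation). It assumes Enc2Vote is instantiated with exponent ElGamal and tallied by homomorphic sum; the toy group, the function names and the sample votes are constructed for the illustration. It shows that weeding exact duplicates rejects the replayed ballot C1 but still accepts a rerandomized copy of it, which is why the fix also requires ciphertexts that cannot be mauled.

```python
import secrets

# Toy parameters, constructed for this example and far too small for real use:
# G generates the subgroup of prime order Q in Z_P^* (P = 2Q + 1).
P, Q, G = 2039, 1019, 4

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk

def enc(pk, v, r=None):
    """Exponent ElGamal: (g^r, g^v * pk^r). Pass r only to make tests repeatable."""
    r = secrets.randbelow(Q - 1) + 1 if r is None else r
    return pow(G, r, P), pow(G, v, P) * pow(pk, r, P) % P

def mul(c, d):
    """Homomorphic addition of plaintexts: componentwise product of ciphertexts."""
    return c[0] * d[0] % P, c[1] * d[1] % P

def rerandomize(pk, c, r=None):
    """Same plaintext, fresh randomness: multiply by an encryption of 0."""
    return mul(c, enc(pk, 0, r))

def cast(bb, ballot, weed):
    """Ballot(BB, b): append to the board; if weeding, reject exact duplicates."""
    if weed and ballot in bb:
        return False
    bb.append(ballot)
    return True

def tally(sk, bb):
    """Multiply all ballots, decrypt g^sum, recover the small sum by search."""
    a, b = 1, 1
    for c in bb:
        a, b = mul((a, b), c)
    g_sum = b * pow(a, -sk, P) % P
    return next(m for m in range(len(bb) + 1) if pow(G, m, P) == g_sum)

def run_election(sk, ballots, weed):
    bb = []
    accepted = [cast(bb, b, weed) for b in ballots]
    return accepted, tally(sk, bb)

if __name__ == "__main__":
    pk, sk = keygen()
    c1, c2 = enc(pk, 1), enc(pk, 0)                     # P1 votes 1, P2 votes 0
    print(run_election(sk, [c1, c2, c1], weed=False))   # replay counted: result 2
    print(run_election(sk, [c1, c2, c1], weed=True))    # replay rejected: result 1
    print(run_election(sk, [c1, c2, rerandomize(pk, c1)], weed=True))  # result 2
```

With votes in {0, 1} the result 2·v1 + v2 is at least 2 exactly when v1 = 1, which matches the slide's "if the result is 0 or 1 then v1 was 0".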
Non-malleable encryption (NM-CPA)
[Diagram: NM-CPA game; labels: Public Key PK; M0, M1; C; C1, C2, …, Cn; M1, M2, …, Mn; Guess d; win]
Good definition?

ElGamal is not non-malleable

Ballot secrecy for SPS [BCPSW11]
[Diagram: ballot secrecy game; labels: PK; SK; h0, h1; C; C0; C1; Sees BB_b; d; result; win]

[Diagram: labels: PK; SK; h0, h1; C; C1; d; result; C1, C2, …, Ct; v1, v2, …, vt]

[Diagram: labels: PK; SK; h0, h1; C; C'; d; result; C1, C2, …, Ct; v1, v2, …, vt]

ZERO KNOWLEDGE PROOFS

Interactive proofs
[Diagram: Prover (X, w) and Verifier (X) exchange messages M1, M2, M3, …, Mn; the Verifier outputs Accept/Reject]
The Prover wants to convince the Verifier that something is true about X. Formally that: Rel(X,w) for some w.
Variant: the prover actually knows such a w
Examples:
- Rel_{g,h}((X,Y),z) iff X = g^z and Y = h^z
- Rel_{g,X}((R,C),r) iff R = g^r and C = X^r
- Rel_{g,X}((R,C),r) iff R = g^r and C/g = X^r
- Rel_{g,X}((R,C),r) iff (R = g^r and C = X^r) or (R = g^r and C/g = X^r)

Properties (informal)
- Completeness: an honest prover always convinces an honest verifier of the validity of the statement
- Soundness: a dishonest prover can cheat only with small probability
- Zero knowledge: no other information is revealed
- Proof of knowledge: can extract witness from a successful prover

Equality of discrete logs [CP92]

Completeness

(Special) Soundness

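(HV) zero-knowledge
[Diagram: transcript (R, c, s) between a prover holding X, w with Rel(X,w) and a verifier holding X; a second transcript (R, c, s) with only X]
There exists a simulator SIM that produces transcripts that are indistinguishable from those of the real execution.

Special zero-knowledge
[Diagram: transcript (R, c, s) between a prover holding X, w with Rel(X,w) and a verifier holding X; a second transcript (R, c, s) with only X]

Special zero-knowledge for CP
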
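OR-proofs [CDS95,C96]
[Diagram: protocol with transcript (R1, c1, s1) for Rel1(X,w), between X,w and X; protocol with transcript (R2, c2, s2) for Rel2(Y,w), between Y,w and Y]
Design a protocol for Rel3(X,Y,w) where: Rel3(X,Y,w) iff Rel1(X,w) or Rel2(Y,w)

OR-proofs
[Diagram: prover X,Y,w; verifier X,Y; messages R1, R2; c; c1, c2, s1, s2]

OR-proofs
[Diagram: Rel1(X,w); prover X,Y,w; verifier X,Y; messages R1, R2; c; c1=c-c2, c2; s1, s2]

OR-proofs
[Diagram: Rel1(X,w1); prover X,Y,w; verifier X,Y; messages R1, R2; c; c1=c-c2, c2; c1,s1, c2,s2]
To verify: check that c1+c2=c and that (R1,c1,s1) and (R2,c2,s2) are accepting transcripts for the respective relations.
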
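Non-interactive proofs
[Diagram: Prover (X, w) and Verifier (X)]

The Fiat-Shamir/Blum transform
[Diagram: interactive protocol with transcript (R, c, s) for Rel(X,w), between X,w and X; non-interactive version sending (R, s), with c=H(X,R)]
The proof is (R,s).
To verify: compute c=H(R,s). Check (R,c,s) as before
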
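An added example, not taken from the slides: the OR-proof construction (c1 + c2 = c, one branch simulated) made non-interactive with the Fiat-Shamir transform, for the last relation listed under "Interactive proofs", i.e. that (R, C) encrypts 0 or 1 under X. The toy group, the SHA-256 based H and all function names are assumptions; the challenge is the hash of the statement and both commitments, and each branch is a Chaum-Pedersen equality-of-discrete-logs check.

```python
import hashlib, secrets

# Toy group constructed for this example (far too small for real use):
# G has prime order Q in Z_P^*, P = 2Q + 1.
P, Q, G = 2039, 1019, 4

def H(*vals):
    """Random-oracle stand-in: SHA-256 of the inputs, reduced mod Q."""
    digest = hashlib.sha256(",".join(map(str, vals)).encode()).digest()
    return int.from_bytes(digest, "big") % Q

def rand():
    return secrets.randbelow(Q)

def prove(X, R, C, v, r, rnd=rand):
    """Prove (R, C) = (g^r, g^v * X^r) with v in {0, 1}, hiding which v."""
    sim = 1 - v
    A, B, c, s = [0, 0], [0, 0], [0, 0], [0, 0]
    # Branch that is not true: pick challenge and response, solve for commitments.
    c[sim], s[sim] = rnd(), rnd()
    D = C * pow(G, -sim, P) % P                       # C / g^sim
    A[sim] = pow(G, s[sim], P) * pow(R, -c[sim], P) % P
    B[sim] = pow(X, s[sim], P) * pow(D, -c[sim], P) % P
    # True branch: honest commitment, challenge forced by the hash.
    k = rnd()
    A[v], B[v] = pow(G, k, P), pow(X, k, P)
    c[v] = (H(X, R, C, *A, *B) - c[sim]) % Q          # c_v = c - c_sim
    s[v] = (k + c[v] * r) % Q
    return A, B, c, s

def verify(X, R, C, proof):
    A, B, c, s = proof
    if (c[0] + c[1]) % Q != H(X, R, C, *A, *B):       # c0 + c1 = c
        return False
    for i in (0, 1):                                  # both transcripts must accept
        D = C * pow(G, -i, P) % P
        if pow(G, s[i], P) != A[i] * pow(R, c[i], P) % P:
            return False
        if pow(X, s[i], P) != B[i] * pow(D, c[i], P) % P:
            return False
    return True

if __name__ == "__main__":
    X, r = pow(G, 7, P), secrets.randbelow(Q)
    R, C = pow(G, r, P), G * pow(X, r, P) % P         # encryption of 1
    print(verify(X, R, C, prove(X, R, C, 1, r)))
```

The `rnd` parameter exists only so a test can supply fixed randomness; the proof does not reveal which of the two branches was simulated.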
ElGamal + PoK

ElGamal + PoK
Theorem: ElGamal+PoK as defined is NM-CPA, in the random oracle model.
Theorem: Enc2Vote(ElGamal+PoK) has vote secrecy, in the random oracle model.

Random oracle [BR93,CGH98]
- Unsound heuristic
- There exist schemes that are secure in the random oracle model for which any instantiation is insecure
- Efficiency vs security

Exercise: Distributed ElGamal decryption
Design a non-interactive zero-knowledge proof that Pi behaves correctly

Ballot secrecy vs. vote privacy

AN INFORMATION THEORETIC APPROACH TO VOTE PRIVACY [BCPW12?]

Information theory

Conditional privacy measure

Computational variant
F(M | Enc_PK(M)) = ?

Computational variant

Example

Variation

Application to voting

Measure(s) for vote privacy

Privacy of idealized protocols

Recall: vote secrecy for SPS
[Diagram: labels: PK; SK; h0, h1; C; C0; C1; Sees BB_b; d; result; win]

Recall: vote secrecy for SPS
[Diagram: labels: PK; SK; h0,0; C; C0; C1; Sees BB_b; d; result; win; D]

Relation with d-privacy
Set F to be average min-entropy

Choice of entropy
- Average min-entropy: measures the probability that an observer guesses the target function of the votes
- Min min-entropy: measures the probability that an observer guesses the target function of the votes for the worst possible election outcome
- Min Hartley entropy: measures the minimum number of values that the target function can take for any assignment of votes

NOT COVERED

Threshold decryption

Simulation-based models [Groth05]

Games vs. simulation security
Games
- Not always intuitive
- Difficult to design: challenger/queries should reflect all potential uses of the system and permit access to all the information that can be gleaned
Simulation
- More intuitive (for simple systems)
- Too demanding (e.g. adaptive security)

Relation with d-privacy
Set F to be average min-entropy

Dolev-Yao models [DKR09]
- Protocols specified in a process algebra (applied-pi calculus)
- Vote secrecy: P[vote1/v1, vote2/v2] ≈ P[vote2/v1, vote1/v2]
- Abstraction?
- Relation with the game-based definition?

Incoercibility/Receipt freeness

Mix-nets

Everlasting privacy

Commitments

Fully homomorphic encryption

Conclusions
- Models (symbolic, computational) are important
- Models, models, models…
- Proofs (symbolic, computational) are important
- Proofs, proofs?
- A first step towards a privacy measure

Thanks