Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 e-voting (requirements & protocols) 1) Aggelos Kiayias, Moti Yung: Self-tallying Elections and Perfect Ballot Secrecy 2) Jens Groth: Efficient Maximal.

Published byRiley Wiltshire Modified over 9 years ago

Similar presentations

Presentation on theme: "1 e-voting (requirements & protocols) 1) Aggelos Kiayias, Moti Yung: Self-tallying Elections and Perfect Ballot Secrecy 2) Jens Groth: Efficient Maximal."— Presentation transcript:

1 1 e-voting (requirements & protocols) 1) Aggelos Kiayias, Moti Yung: Self-tallying Elections and Perfect Ballot Secrecy 2) Jens Groth: Efficient Maximal Privacy in Boardroom Voting and Anonymous Broadcast

2 2 Types of Adversary 1)Passive Static 2)Active Adaptive(or Dynamic) 3)Fail-Stop

3 3 Requirements Privacy: Ensures the secrecy of the ballots. Universal Verifiability: Anyone, having or not participated in the elections, can be convinced that all valid votes have been included in the final tally. Robustness: The system can tolerate a certain number of faulty participants. Receipt-freeness: The voters cannot provide a “receipt” that shows what they voted. Fairness: No partial tally is revealed before the end of the elections.

4 4 Further requirements  Dispute-freeness: The fact that the participants follow the protocol at any phase can be publicly verified by any casual third party.  Self-tallying: The post-ballot-phase can be performed by any interested third party.  Perfect Ballot Secrecy: The only thing revealed about the voters’ choice is the final result.  Perfect Message Secrecy: Nothing is revealed about who sent which message, no matter how many parties are corrupted.(Groth2004)

5 5 Propositions  A self-tallying scheme cannot be robust and support privacy at the same time.  A voting scheme with robustness based on secret sharing cannot satisfy Perfect Ballot Secrecy.

6 6 New Notion Corrective Fault Tolerance (More relaxed form of robustness)

7 7 Bulletin Board  Public-broadcast channel with memory (no one can erase what is written).  Any party (or simple observer) can read information of it.  All active parties can write on it in designated areas (this means that the communication transcript is secure).  The bulletin board authority (server) is responsible for administrating the election (starting, terminating, and maintaining a registry of voters).

8 8 Voting Scheme (Kiayias-Yung2002) G k : family of groups, such that the DLP is hard G en : a probabilistic polynomial-time algorithm that, given 1 generates the description of a group G G k and three random elements from G: f, g, h, known to all parties (k: number of bits of q,p ; G: of order q).  Every voter V i selects randomly a i q, and publishes h i :=h (voter’s public key). k a i

9 9 Pre-Voting Stage(1) Each V i selects randomly s i,j q, j=1,…,n s.t. s i,j =0. (select n-1 values and set s i,n :=- s i,j ).  Each V i then publishes the pairs s.t R i,j :=g and R’ i,j :=h j along with a proof of knowledge that log R i,j =log R’ i,j.  The bulletin board authority computes the product R’ j = R’ i,j, and publishes it on the board. s i,j s gh j

10 10 Pre-Voting Stage(2) Interactive Proof of Knowledge

11 11 Pre-Voting Stage(3) Theorem: After the completion of the pre-voting phase i)Any third-party can verify that log R i,j =log R’ i,j. ii)Any third-party can verify that s i,j =0. iii)If at least one voter chose the s i,j values randomly, then the values t j = s i.,j are random in q, with the property that t j =0. gh j

12 12 Voting Phase(1) Voter V j reads R’ j on the board and raises it to a j in order to obtain h.  Voter V j selects v j {-1(no),1(yes)} and publishes the ballot B j :=h f, along with a proof of knowledge that j t t j v j

13 13 Voting Phase(2)

14 14 Self-Tallying The tally T:= B j = f, since t j =0. T {f,f }, so a brute force attack can check all possible values with 2n steps worst case. Shanks’ “Baby Step-Giant Step” method gives even better results. v j -n+1n-1

15 15 Corrective Fault Tolerance Two cases:  When some registered voters do not participate in the pre-voting phase.  When some voters do not cast a ballot before the deadline of the election.  In both cases the remaining active voters must react to reveal the shares that were intended for the ones that failed.

16 16 Corrective Fault Tolerance(1)  No participation in the pre-voting phase: S:=set of voters who didn’t participate S:=set of remaining voters Each voter V k, k S, publishes R’’ :=h, together with a non-interactive proof of knowledge for Then the bulletin board authority modifies the values _ _ k s k k,j

17 17 Corrective Fault Tolerance(2) The values R’ k are changed to satisfy the properties of Theorem, especially (iii), with t k :=log R’ k. It is easy to see that t k =0 and that the values t k are random in q, if at least one voter chose the s i,j randomly. h k

18 18 Corrective Fault Tolerance(3) No participation in the voting phase: S’:=set of voters who didn’t cast a vote S’:=set of remaining voters Each Voter V k, k S’ publishes e k := s k,j and Φ k :=( R’ j,k ). The value of e k can be publicly verified by checking g := R k,j Φ k must be accompanied by a PK as before. _ _ a k e k

19 19 Corrective Fault Tolerance(4) The tally computation can be performed by any third party: T:= B h (Φ ) It is easy to see that T {f,…,f }, so the number of the positive votes can be found with a brute force attack as before. k e k k -

20 20 Multi-Way Elections In the initialization phase, instead of f, the values f 1, f 2,…,f n G are given to all parties. Whenever V j wants to cast a vote v j he publishes the ballot h f v j, along with a proof of knowledge. In the final stage the product T 1 T 2 …T c is revealed, where T k {f k,…,f k }. A total of n search steps in the worst case is required, to reveal the votes each candidate received. tjtj 0n-1 c-1

21 21 Conclusion  Assuming the existence of an homomorphic encryption with an associated discrete logarithm problem which is secure, and a random oracle hash: Theorem: The described protocol satisfies privacy, fairness(assuming the existence of an honest authority that casts the lest 0-vote), universal verifiability, corrective-fault tolerance, dispute- freeness, self-tallying and perfect ballot secrecy.

22 22 Voting Schemes(Jens Groth2004)  Simple self-tallying voting scheme with perfect ballot secrecy, which is more efficient than [KiayiasYung].  Anonymous broadcast channel with perfect message secrecy (Nothing is revealed about who sent which message, no matter how many parties are corrupted), built on top of a broadcast channel.

23 23 Remember notions!  Dispute-freeness: The fact that the participants follow the protocol at any phase can be publicly verified by any casual third party.  Self-tallying: The post-ballot-phase can be performed by any interested third party.  Perfect Ballot Secrecy: The only thing revealed about the voters’ choice is the final result. Fairness: No partial tally is revealed before the end of the elections.

24 24 Properties Bulletin(message)-board with memory. The adversary A is polynomial-time, active and static. The parties work semi-synchronously; the protocol proceeds in phases and the parties act in random order in each phase. We let A decide when to switch phase. decide when to change

25 25 Simple Protocol(1) Simple protocol in the honest-but-curious case (Passive),and a yes-or-no voting. Initialization:  The voters agree on a group G q, of order q, where the DDH problem is hard and on g: generator of G q.  All voters select randomly a x j q which is kept secret, and they publish h j :=g. x j

26 26 Simple Protocol(2) Casting votes:  v 1,…,v n {0,1}.  Voter 1 chooses random r 1 q, and publishes (g,( h i ) g ).  Voter 2 chooses random r 2 q, and publishes (g, ( h i ) g ). …  Voter n chooses random r n q, and publishes (g,g ). r1r1 r1r1 v1v1 r 1 +r 2 v 1 +v 2 r 1 +r 2 vivi riri

27 27 Simple Protocol(3) Tallying:  Finally from the last voter’s output we can read off g. v i n, so we can compute the 1-votes.  To deal with active adversaries too, all we have to do is add zero-knowledge proofs for correctness. vivi

28 28 Voting Protocol n : number of voters c : number of candidates k : the security parameter W : set of possible votes. We encode the vote for candidate i as (n+1). In this way we can know the exact number of votes each candidate took. i

29 29 Voting Protocol(1) Initialization:  The voters agree on a group G q, of order q, where the DDH problem is hard and on g: generator of G q.  All voters select randomly a x i q which is kept secret, and they publish h i :=g, along with a proof of knowledge for x i.  Set current state of election (1,1). i x

30 30 Voting Protocol(2) Voting Phase:  Voter i wants to cast a vote v i W. He downloads the current state of election (u,v) and verifies the correctness of the keys and all votes cast till now.  He selects random r i from q. He sets: u:=ug v:=vu ( h j ) g, where T: the set of remaining voters.  He broadcasts (u,v) along with a proof of knowledge. riri -x i riri vivi

31 31 Voting Protocol(3) Tallying: The state of the election is (u,v) with v=g. If there are not too many voters and candidates, the discrete logarithm can be computed. Fault-correction: The remaining voters have to repeat the voting phase, with the reduced set of voters. They can gain a factor logc by proving that they cast the same vote… vivi

32 32 Comparison KiayiasYung 1. O(n) exponentiations in the key regi- stration phase 2. O(nk) size of the key 3. O(n ) exponentiations for the verifi- cation of the keys 4. O(logc) exponentiations in the voting phase Groth 1. O(1) exponentiations in the key regi- stration phase 2. O(k) size of the key 3. O(n) exponentiations for the verifi- cation of the keys 4. O(logc) exponentiations in the voting phase 2  The size of the votes and the exponentiations necessary to verify the votes(the voters’ proofs resp.) are the same in both protocols.  In KiayiasYung, many voters can vote simultaneously.

33 33 Anonymous Broadcast with PMS Requirements:  Perfect message secrecy: A sender is hidden completely among the group of honest senders.  Self-disclosing: Once the last sender has submitted his message, anybody can see the messages broadcasted.  Fairness: There is no access to a partial tally before the end of the election(assuming the existence of an honest authority that casts the lest 0-vote).  Dispute-freeness: Anybody can verify if the senders follow the protocol or not.

34 34 Anonymous Broadcast Protocol(1) The senders agree on a group G q of order q, where the DHP is hard, and on a generator g for G q. Each sender i selects random x i q and publishes h i :=g, with a proof of knowledge for it. Sender i wants to send a message m i G q. We denote S: the set of senders who already sent a message, and T: the set of those who didn’t. The state of the election are the ciphertexts {(u j, v j )}. xixi j S\{i}

35 35 Anonymous Broadcast Protocol(2) Message submission:  Sender i checks all proofs of the previous senders. Then he encrypts m i as (u i, v i ):=(g, ( h j ) m i ).  He picks random permutation π i over S, permutes all ciphertexts {(u j, v j )} and rerandomizes them into {(U j,V j ’)}.  Finally he removes one layer of encryption, meaning he computes {(U j,V j ’U j )}.  He broadcasts the list of ciphertexts with a Proof of knowledge for having done all that correctly. riri riri j S -x i j S

36 36 Theorem: The described protocol is self-disclosing, dispute-free, anonymous broadcast protocol with perfect message secrecy.Assuming the existence of an honest authority that doesn’t submit a message himself, the protocol is fair.

Download ppt "1 e-voting (requirements & protocols) 1) Aggelos Kiayias, Moti Yung: Self-tallying Elections and Perfect Ballot Secrecy 2) Jens Groth: Efficient Maximal."

Similar presentations

Non-interactive Zero- Knowledge Arguments for Voting Jens Groth UCLA.

Non-interactive Zero- Knowledge Arguments for Voting Jens Groth UCLA.
Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.

Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.
Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)

Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)
A Pairing-Based Blind Signature

A Pairing-Based Blind Signature
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.

ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.
On the Security of Ballot Receipts in E2E Voting Systems Jeremy Clark, Aleks Essex, and Carlisle Adams Presented by Jeremy Clark.

On the Security of Ballot Receipts in E2E Voting Systems Jeremy Clark, Aleks Essex, and Carlisle Adams Presented by Jeremy Clark.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.

Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.
Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.

Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.
Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)

Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)

Similar presentations

Ads by Google