October 2017 - E-Vote-ID


October 2017

Núria Costa

nuria.costa@scytl.com

Mix-nets for long-term privacy

Index

1. Introduction: Previous work

2. Mix-nets

3. Lattice-based cryptography

4. Proof of a shuffle for lattice-based cryptography

5. Future work


Introduction: Previous work

Objective: build an efficient online voting system with long-term privacy


The European Network of Excellence of Cryptology (ECRYPT), 2015

“…systems currently being deployed may need to be resistant against the future development of a quantum computer…”

“…If the development of quantum computers became imminent, then all this document's guidelines would need to be seriously reassessed…”

National Security Agency (NSA), 2015

“…a transition to quantum resistant algorithms in the not too distant future…”

“…Our ultimate goal is to provide cost effective security against a potential quantum computer…”

National Institute of Standards and Technology (NIST), 2016

“…Cryptosystems offering 112 bits [...] may be breakable […] in 30 to 40 years using classical computers…”

“…a quantum computer capable of breaking 2000-bit RSA in a matter of hours could be built by 2030 for a budget of about a billion dollars…”

Post-quantum cryptography: What can we do?

• Make the security of the published information independent of any computational assumption: publish a commitment of the vote.

• Publish only information that is not related to a voter identity: anonymous authentication.

• Use stronger computational assumptions that remain secure under quantum attacks: lattices.

Commitment Consistent Encryption (CCE) [Cuvelier, Pereira and Peters 13]

Publish a commitment of the vote: the vote is perfectly hidden.

Mix-nets


The first mix-net was introduced by Chaum in 1981 in order to provide anonymous communications. Applications:

• Electronic Voting
• Electronic Auctions
• Electronic Exam Systems
• Anonymous e-mail
• Anonymous Telecommunications
• Anonymous Internet Communications

Mix-nets

Definition

A mix-net is a multi-party protocol that, given a number of encrypted messages at the input, performs a permutation over them followed by a cryptographic transformation using a re-encryption and/or a decryption algorithm.


Mix-nets

Proof of a shuffle

A proof of a shuffle allows to prove that the contents at the output are the same as the contents at the input, but permuted and re-encrypted/decrypted.

[Diagram: ciphertexts passing through Mixing Node 1 … Mixing Node N, each node publishing a proof of a shuffle]

Mix-nets

Bulletin Board

[Diagram: the voter casts a ballot and receives a vote receipt; the bulletin board publishes the encrypted votes, the mathematical proofs and the election results]

Mix-nets

Bulletin Board

Security based on:

FACTORIZATION: given $n$, find $p_i$ such that $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$ where $e_i \geq 1$

DISCRETE LOGARITHM: given $\beta = \alpha^x$, find $x = \log_\alpha \beta$

Efficient quantum algorithms exist for all these problems [Shor 97].

Mix-nets

Bulletin Board

“I will store this information until quantum computers are available”

20 years later…

Voter A voted for Party 1
Voter B voted for Party 2
Voter C voted for Party 3

Mix-nets

Post-quantum cryptography

The goal of post-quantum cryptography is to develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks. [1]

• Lattice-based cryptography
• Code-based cryptography
• Multivariate polynomial cryptography
• Hash-based signatures

[1] Report on Post-Quantum Cryptography, NIST 2016: http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8105.pdf


Mix-nets

Lattice-based cryptosystems

• Collision-resistant hash functions [Goldreich, Goldwasser and Halevi 96]
• Identification schemes [Kawachi, Tanaka and Xagawa 08] [Lyubashevsky 08] [Micciancio and Voulgaris 03]
• Digital signatures [Boyen 10] [Peikert, et al 10] [Lyubashevsky 12] [Gentry, et al 08] [Micciancio and Peikert 12]
• Public key encryption [Regev 05] [Lindner and Peikert 11] [Peikert, Vaikuntanathan and Waters 08]
• Universal re-encryption [Singh, Pandu Rangan and Banerjee 14]
• Identity-based encryption [Gentry, et al 08] [Cash, Hofheinz, Kiltz and Peikert 10] [Agrawal, Boneh and Boyen 10]
• Fully homomorphic encryption [Brakerski and Vaikuntanathan 11] [Brakerski, Gentry and Vaikuntanathan 12]
• Zero-knowledge proofs [Benhamouda, Krenn, Lyubashevsky and Pietrzak 14]
• Electronic Voting protocol [Chillotti, Gama, Georgieva and Izabachène 16]

Lattice-based cryptography

Definition

A lattice is a set of points in an n-dimensional space with a periodic structure:

$$L(\mathbf{B}) = L(b_1, \ldots, b_n) = \left\{ \sum_{i=1}^{n} x_i b_i : x_i \in \mathbb{Z} \right\}$$

where $b_i = (b_{1i}, \ldots, b_{mi})$.

[Figure: the lattice generated by the basis vectors $b_1$, $b_2$, and an alternative basis $b_1'$, $b_2'$ of the same point set]
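As an added example (not from the slides), the following Python code applies the definition above: it builds lattice points as integer combinations of the basis vectors $b_i$, tests whether a vector belongs to $L(\mathbf{B})$ by solving for its coordinates exactly over the rationals, and checks whether two bases (such as $b_1, b_2$ and $b_1', b_2'$ in the figure) generate the same lattice. Bases are represented as lists of column vectors, and the basis values used in the demo are constructed for the example.

```python
"""Lattice membership and basis equivalence for L(B) = { sum_i x_i b_i : x_i in Z }.
Added illustration (not from the slides); a basis is a list of column vectors b_i."""
from fractions import Fraction


def lattice_point(basis, coeffs):
    # sum_i x_i * b_i: the slides' definition of a point of L(B)
    m = len(basis[0])
    return [sum(x * b[row] for x, b in zip(coeffs, basis)) for row in range(m)]


def _coordinates(basis, v):
    # Solve B x = v exactly over the rationals by Gauss-Jordan elimination
    # (square, full-rank basis); returns None if the basis is singular.
    n = len(basis)
    aug = [[Fraction(basis[c][r]) for c in range(n)] + [Fraction(v[r])] for r in range(n)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col] != 0), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [x / p for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0:
                f = aug[r][col]
                aug[r] = [x - f * y for x, y in zip(aug[r], aug[col])]
    return [aug[r][n] for r in range(n)]


def in_lattice(basis, v):
    # v lies in L(B) iff its coordinates with respect to B are all integers
    x = _coordinates(basis, v)
    return x is not None and all(c.denominator == 1 for c in x)


def same_lattice(basis1, basis2):
    # L(B1) = L(B2) iff every vector of each basis lies in the lattice of the other
    return (all(in_lattice(basis1, b) for b in basis2)
            and all(in_lattice(basis2, b) for b in basis1))


if __name__ == "__main__":
    # Constructed 2-dimensional example: b1 = (2, 1), b2 = (1, 3)
    B = [[2, 1], [1, 3]]
    print(lattice_point(B, [1, 1]))            # b1 + b2
    print(in_lattice(B, [3, 4]), in_lattice(B, [1, 0]))
    print(same_lattice(B, [[3, 4], [1, 3]]))   # b1 + b2, b2: same lattice
    print(same_lattice(B, [[2, 1], [2, 6]]))   # b1, 2*b2: a proper sublattice
```

The second basis in the demo, $(b_1 + b_2, b_2)$, is obtained from the first by an integer change of basis with determinant 1, which is exactly why it generates the same point set; doubling $b_2$ instead yields a sublattice, and the membership test reports the difference.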

Lattice-based cryptography

Lattice-based cryptography                                                   | Standard cryptography
Security based on a worst-case problem                                       | Security based on an average-case problem
Based on hardness of lattice problems                                        | Based on hardness of factoring, discrete logarithm, etc.
(Still) not broken by quantum algorithms                                     | Broken by quantum algorithms
Simple computations (vector additions, component-wise vector product, etc.)  | Require modular exponentiations

Lattice-based cryptography

Lattice-based problems

• Shortest Vector Problem (SVP)
• Closest Vector Problem (CVP)
• Shortest Independent Vector Problem (SIVP)
• Bounded Distance Decoding Problem (BDD)
• Short Integer Solution (SIS)
• Learning With Errors Problem (LWE)

Lattice-based cryptography

Learning With Errors

Learning With Errors (LWE) [Regev 05]: distinguish random linear equations, which have been perturbed by a small amount of noise, from truly uniform ones.

Ring Learning With Errors (RLWE) [Lyubashevsky, Peikert and Regev 13]: the same problem, with the linear equations taken over a polynomial ring.

Lattice-based cryptography

Ideal lattices

[Figure: a general lattice beside an ideal lattice]

Ideal lattices introduce algebraic structure into lattices.

Lattice-based cryptography

R-LWE public key encryption scheme

Ring: $R_q = \mathbb{Z}_q[x]/(x^n + 1)$ (an ideal lattice)

• Parameters: choose $a \in R_q$ and $s, e \in_D R$
• Private key: $s$
• Public key: $(a, b = a \cdot s + e) \in R_q^2$
• Encryption: choose $r, e_1, e_2 \in_D R$ and a message $\vec{z} \in \{0,1\}^n$, and compute
  $u = a \cdot r + e_1$
  $v = b \cdot r + e_2 + \frac{q}{2} \cdot \vec{z}$
• Decryption: $v - u \cdot s = r \cdot e - s \cdot e_1 + e_2 + \frac{q}{2} \cdot \vec{z}$

Proof of a shuffle for lattice-based cryptography

• Proof of a shuffle for a mix-net that shuffles ciphertexts encrypted using an RLWE encryption scheme. [NordSec 2017] (https://eprint.iacr.org/2017/900)
• Follows Wikström's proposal:
  • Permutation matrix
  • Offline and online phase

Permutation matrix example:

$$\begin{pmatrix} 0 & 1 & 0 \\ 0 & 0 & 1 \\ 1 & 0 & 0 \end{pmatrix} \cdot \begin{pmatrix} V_1 \\ V_2 \\ V_3 \end{pmatrix} = \begin{pmatrix} V_2 \\ V_3 \\ V_1 \end{pmatrix}$$

• Security
  • The RLWE encryption scheme is semantically secure given the pseudo-randomness of the RLWE samples.
  • The zero-knowledge proofs satisfy special soundness and special honest verifier zero-knowledge.
  • The commitments are perfectly hiding and computationally binding under the discrete logarithm assumption.

Zero-knowledge proof: a two-party protocol between a prover and a verifier, which allows the former to convince the latter that it knows some secret piece of information without revealing anything about the secret apart from what the claim itself already reveals.

Commitment: a two-party protocol that allows one party (A) to commit to another party (B) to a value. At a later stage A reveals the value (kept hidden until this moment) and B can verify that this is indeed the value to which A has committed.

OFFLINE PHASE

1. Commit to the permutation matrix.
2. Prove that the committed matrix corresponds to a permutation.
3. Commit to the re-encryption parameters.
4. Prove that the re-encryption parameters are ‘small’.

ONLINE PHASE

1. Shuffle the encrypted votes.
2. Prove that the committed permutation has been used to perform the shuffle.
3. Prove that the committed re-encryption parameters have been used to perform the shuffle.
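The R-LWE scheme from the earlier slide and the shuffle step of the online phase, worked as one added Python example (this is not the NordSec 2017 paper's code nor Scytl's implementation): it implements key generation, encryption and decryption over $R_q = \mathbb{Z}_q[x]/(x^n+1)$ following the slide's equations, re-encrypts a ciphertext by adding a fresh encryption of zero, checks that a matrix is a permutation matrix, and applies the slide's 3×3 matrix to three encrypted votes. The parameters n = 16 and q = 3329 are toy values chosen only so that the accumulated noise stays below q/4; the {-1, 0, 1} coefficient sampler stands in for the distribution D; the vote encoding is constructed for the demo; and the commitments and zero-knowledge proofs of the offline and online phases are not implemented.

```python
"""Toy RLWE public-key encryption over R_q = Z_q[x]/(x^n + 1), plus the
re-encryption and permutation-matrix shuffle a mixing node performs.
Added illustration with toy parameters; not the paper's implementation."""
import secrets

N = 16     # ring degree n (toy value; deployed schemes use n >= 256)
Q = 3329   # modulus q (toy value); q/4 must exceed the worst-case decryption noise
_rng = secrets.SystemRandom()


def _small_poly():
    # Stand-in for the slides' distribution D over R: coefficients in {-1, 0, 1}
    # (assumption: a discrete Gaussian would be used in practice).
    return [_rng.randrange(-1, 2) for _ in range(N)]


def _uniform_poly():
    return [_rng.randrange(Q) for _ in range(N)]


def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def poly_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]


def poly_mul(a, b):
    # Schoolbook product reduced modulo x^n + 1 (so x^n = -1) and modulo q.
    prod = [0] * (2 * N)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] += ai * bj
    return [(prod[i] - prod[i + N]) % Q for i in range(N)]


def keygen():
    a = _uniform_poly()
    s, e = _small_poly(), _small_poly()
    b = poly_add(poly_mul(a, s), e)          # b = a*s + e
    return s, (a, b)                          # (private key, public key)


def encrypt(pk, bits):
    a, b = pk
    r, e1, e2 = _small_poly(), _small_poly(), _small_poly()
    u = poly_add(poly_mul(a, r), e1)                    # u = a*r + e1
    scaled = [(Q // 2) * z for z in bits]               # (q/2)*z, rounded down
    v = poly_add(poly_add(poly_mul(b, r), e2), scaled)  # v = b*r + e2 + (q/2)*z
    return u, v


def decrypt(sk, ct):
    u, v = ct
    d = poly_sub(v, poly_mul(u, sk))   # = r*e - s*e1 + e2 + (q/2)*z, with small noise
    bits = []
    for c in d:
        centered = c - Q if c > Q // 2 else c          # representative in (-q/2, q/2]
        bits.append(1 if abs(centered) > Q // 4 else 0)  # closer to q/2 than to 0?
    return bits


def reencrypt(pk, ct):
    # Add a fresh encryption of 0: the ciphertext changes, the plaintext does not.
    u0, v0 = encrypt(pk, [0] * N)
    return poly_add(ct[0], u0), poly_add(ct[1], v0)


def is_permutation_matrix(m):
    # Exactly one 1 in every row and every column, all other entries 0.
    n = len(m)
    rows_ok = all(len(r) == n and all(x in (0, 1) for x in r) and sum(r) == 1 for r in m)
    cols_ok = all(sum(m[i][j] for i in range(n)) == 1 for j in range(n))
    return rows_ok and cols_ok


def shuffle(pk, m, cts):
    # Output i is the single input selected by row i of m, then re-encrypted.
    if not is_permutation_matrix(m) or len(m) != len(cts):
        raise ValueError("not a permutation matrix for this many ciphertexts")
    return [reencrypt(pk, cts[row.index(1)]) for row in m]


def encode_vote(choice):
    # Constructed encoding for the demo: candidate k becomes the unit bit-vector e_k.
    bits = [0] * N
    bits[choice] = 1
    return bits


def demo():
    sk, pk = keygen()
    cts = [encrypt(pk, encode_vote(k)) for k in (0, 1, 2)]  # V1, V2, V3
    m = [[0, 1, 0], [0, 0, 1], [1, 0, 0]]                   # slide matrix: (V1,V2,V3) -> (V2,V3,V1)
    return [decrypt(sk, c).index(1) for c in shuffle(pk, m, cts)]


if __name__ == "__main__":
    print(demo())
```

Decryption works because every noise term in $v - u \cdot s$ has coefficients in {-1, 0, 1} multiplied together at most n times, so even after one re-encryption the noise is bounded by 4n + 2 = 66, far below q/4 = 832; shrinking q or enlarging the sampler's range without re-checking that bound is how such toy schemes start returning wrong bits. The mixing node's output ciphertexts are fresh-looking values that decrypt to the input votes in permuted order, which is exactly the relation the offline and online phase proofs are there to establish without revealing the permutation.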

Future work

• Build proof of a shuffle with post-quantum commitments.
• Write full security proof.
• Implement proof of a shuffle.
• Compare efficiency of proof of a shuffle for lattice-based cryptography with Wikström's proof of a shuffle.
