on the possibility of non-interactive e-votingfc16.ifca.ai/voting/slides/pbrtalkvoting16.pdf ·...

February 26, 2016

On the Possibility ofNon-Interactive E-Voting

in the Public-Key SettingRosario Giustolisi (SICS Swedish ICT),Vincenzo Iovino (University of Luxembourg),Peter B. Rønne (INRIA & SnT, University of Luxembourg)

Outline

1. Introduction

2. Voting without Trusted Authorities

3. Non-interactive Voting in the Public Key Setting

4. Conclusions & Outlook

Peter B. Rønne - Non-Interactive E-Voting February 26, 2016 2

Introduction

MotivationThe holy grail of e-voting:

An efficient protocol with good verifiability, privacy and usabilityproperties.

• Not possible without trust!Peter B. Rønne - Non-Interactive E-Voting February 26, 2016 3

Introduction

Trusted Authorities

Usability demands like Vote & Go and efficiency issues are often solved byintroducing trusted authorities


Introduction

Whom to trust – and for what?Trust examples• Eligibility [Voter Registration Authority]• Verifiability [Registration Tellers in Civitas (jointly)]• Privacy [Tabulation Teller in Helios]• Receipt-freeness [Vote Server in BeleniosRF]• Coercion-resistance [Tellers in Selene]

Ways to minimize trust assumptions• ZKPs – theoretically very strong possibilities, in practice often

restrained by efficiency requirements• Distribute trust – we do not want to trust someone too much

- ... but in real world applications often single authority – single point offailure

- Not always “the more, the merrier”: Eg. distributed privacy trust mayrisk coercion-resistance [JCJ/Civitas, Selene]


Voting without Trusted Authorities

Decentralised Voting – No trusted authoritiesHow well can we do without any trusted authority? Surprisingly well!

“Anonymous voting by two-round public discussion”,F. Hao, P.Y.A. Ryan & P. Zielinski ’10

– but at cost: Two-round elections.

Earlier schemes by Kiayias & Yung and Groth – but with more roundsPeter B. Rønne - Non-Interactive E-Voting February 26, 2016 6


HRZ ProtocolAdvantages• Decentralised• Does not require channels between voters (like MPC)• Efficient

Security guarantees• Maximum ballot secrecy [ballots are indistuingishable from random]• Self-tallying [Anyone can calculate the result]• Dispute-free [Everybody can check that all voters acted according to

protocol]

Assumptions• Use authenticated channels - e.g. using a public bulletin board (BB)

and digital signatures• Cryptography relies only on DDH



HRZ Protocol – Setup

Participating parties [a very short list!]• n voters Pi , i = 1, . . . , n• BB

Cryptography• DDH secure group G , generator g of order p



HRZ Protocol – The roundsFirst round• xi ←$ Zp

Pi → BB : gxi

• plus NIZKPoKSecond round• Pi calculate (note only multiplications)

gyi =

∏j<i gxj∏j>i gxj

• Cast vote gvi with vi ∈ {0, 1} (simplest case of a YES/NO election)

Pi → BB : Blti = gxi yi gvi

• plus NIZKP of well-formedness



HRZ Protocol – Privacy and NIZKP

Maximal ballot secrecy:In ballot bi = gxi yi gvi

gxi yi

like DH-key, looks random unless all other voters collude – in which casethey can anyway break privacy.

NIZKP of well-formedness of gxi yi gvi :Note that

(gxi , (gyi )xi gvi )

is ElGamal encryption of gvi – then use the Cramer, Damg̊ard andSchoenmakers proof.



HRZ Protocol – TallyingUse trick from Veto protocol by Hao & Zielinski

∏i

gxi yi =∏

i

(∏j<i gxj∏j>i gxj

)xi

=

∏j<i gxi xj∏j>i gxi xj

!= 1

− − − −

+ − − −+ + − −+ + + −+ + + +

Anybody seeing BB can tally∏

iBlti =

∏i

gxi yi gvi = g∑

i vi

Brute force approach to get∑

i vi .Peter B. Rønne - Non-Interactive E-Voting February 26, 2016 11


No Coercion-Resistance

A main problem without trusted authorities is the lack of coercionresistance and vote buyer resistance• Should not be used in environments with coercion• Better suited for small scale elections

We work on improving this situation.



Robustness

Robustness issue• If even a single voter abandons before second round, the tally cannot

be performed ∏i∈{1,...,n}\L

gxi yi 6= 1

Solution: Extra recovery round

“A Fair and Robust Voting System by Broadcast”,D. Khader, B. Smyth, P. Y. A. Ryan & F. Hao ’12

• Tally can be obtained• Tally is done on already cast ballots – no revoting necessary



It’s Not Fair!... well life is not fair

Protocol is not fair• The last voter to cast a vote can calculate the result before casting

her voteSolution: Extra commitment round• Voters first commit to their ballots


Non-interactive Voting in the Public Key Setting

Non-interactive Voting in the Public Key SettingTwo-round protocol not completely satisfactory. We really wantone-round, i.e. non-interactive, voting• Vote & Go• Minimize waiting times

- Board room election vs. large or geographically spread election• Decrease robustness issue



The idea

• We already assumed authenticated channels• The first round establishes public keys

Why not assume that we are in a public key setting?

• Each voter Pi has public key

Pki = gxi

This can be used to authenticate the channels – simply add signature.



The Problem

We cannot use the same public key in two different elections

• Election 1: Blt(1)i = gxi yi gv (1)i

• Election 2: Blt(2)i = gxi yi gv (2)i

Anonymity broken: We now know the difference of the vote choices

Blt(1)i /Blt(2)i = gv (1)i −v (2)

i



The Solution

The solution: Use bilinear maps• Introduce an identifier for each election, id

- Consecutive number- Election title & date- . . .

Find mapping (id,Pki ) 7→ Pk(id)i such that• Pk(id)i ’s still secure PK system• Everyone can calculate Pk(id)i from Pki• Secret keys are unchanged• Ballot privacy preserved when using Pk(id)i over multiple elections



The Setup• Bilinear instance: I = (p,G, g ,GT , e)

- Bilinear map e : G×G→ GT- e(ax , by ) = e(a, b)xy

• Master Public Keys in G

Pki = gxi , xi ←$ Zp

• Election public keys Pk(id)i ∈ GT using Hash function Hash(I, id) ∈ G

Pk(id)i = e(Pki ,Hash(I, id))

= e(gxi ,Hash(I, id))

= e(g ,Hash(I, id))xi

= gidxi

where gid4= e(g ,Hash(I, id))



The protocol

Vote casting• Pi → BB :

Blti = gidxi yi gid

vi = e(gxi yi ,Hash(I, id)) · e(gvi ,Hash(I, id))

• Plus NIZKP of well-formedness

Tallying ∏i

Blti = gid∑

i vi



Efficiency

To calculateBlti = e(gxi yi ,Hash(I, id)) · e(gvi ,Hash(I, id)) = e(gxi yi gvi ,Hash(I, id))

• 1 hash function• 1 bilinear map• 1 exponentiation (in principle for all elections with the same set of

voters)• 1 exponentiation for NIZKP

Preliminary implementation using pbc library has already been made



Definitional contribution

NIVS – Non-Interactive Voting System in the PK setting

(n,D,Σ,F )-NIVS• General tally function F : Dn → Σ

Set of 5 PPT algorithms• Setup(1λ): Outputs pp• KeyGen(pp): Gives Pk’s and Sk’s• Cast(pp, j , id, Skj , (Pk)i∈[n]−{j}, v): Casts vote for voter j given

remaining Pk’s• VerifyBallot(pp,Pk, id,Blt): Checks the ballots (NIZKPs etc.)• EvalTally(pp,Pk1, . . . ,Pkn, id,Blt1, . . . ,Bltn): Tallies



Security DefinitionsVerifiability definitions• Correctness [self-tally]: EvalTally gives correct result on ballots

created by Cast• Verifiability: E.g. EvalTally of ballots that have been checked by

VerifyBallot does not give errorBallot privacy definition• Not a definition for ballot independence [future work]• Proof for YES/NO elections (hybrid proof, game hopping)• Follows from Bilinear Decision Diffie-Hellman Assumption: Given

g , ga, gb, gc ∈ G, a PPT adversary cannot distinguish, in anon-negligible way, between (z random)

T0 = e(g , g)abc and T1 = e(g , g)z



Multi-candidate ElectionsWe can do standard multi-candidate election• Every voter has one vote for a candidate 0, 1, . . . , c − 1• Ballot casting scales with c• Tally scales with n only (∼fast as YES/NO election)

Introduce ga = e(g ,Hash(I, id, a)) a ∈ {0, . . . , c − 1}• Cast c ballots

Bltj,a = gaxj yj ga

vj,a

• vj,a is 1 for the chosen candidate and 0 otherwise• NIZKP of

∑c−1a=0 vj,a = 1 (1-out-of-c OR-proof)

Tally• Votes for candidate a:

c−1∏a=0

Bltj,a = ga∑

j vj,a



Non-Standard Tally Functions

We can do unanimity elections• Tally function checks if everybody voted YES

Ballot castingBltj = gid

xj yj gidvj

• vj = 0 to vote YES• vj ←$ Zp to vote NO

Tally ∏i

Blti = gid∑

i vi ?= 1

• Result is YES iff this equals 1



Caveat Anonymity

Note that in the special case where only a single voter cast the vote NOby setting vj = r , she will know this since∏

iBlti = gid

r

However, this is the best we can do in a NIVS• You can always recalculate what the result of the tally would have

been if you voted differently• No difference to standard election schemes for standard sum tally• With non-standard tally functions this is certainly different from

standard electionsThe NIVS privacy definition needs to include this



Privacy DefinitionGame-based privacy definition

• Corruption phase. A corrupts S ⊂ [n]• Key Generation Phase. A gets (Pki , Ski)i∈S and (Pki)i∈[n]−S .• Query phase. The adversary A1 has access to a stateful oracle Vote. Vote takes

input id and a pair of vote vectors ~v04= (v0,1, . . . , v0,n) and ~v1

4= (v1,1, . . . , v1,n)

and outputs the set of ballots(Cast(pp, 1, id, Sk1, (Pki)i∈[n]−{1}, vb,1), . . . ,Cast(pp, n, id, Skn, (Pki)i∈[n]−{n}, vb,n).

• Output. At some point the adversary outputs its guess b′.• Winning condition. The adversary wins the game if the following conditions hold:

1. b′ = b.2. v0,i = v1,i for any i ∈ S.3. for any pair of vectors (~v0, ~v1) for which A asked a query to the oracle

Vote it holds that: for any vector ~v , F (~v ′0) = F (~v ′

1) where for b = 0, 1~v ′

b is the vector equal to ~v in all indices in S and equal to ~vb elsewhere.4. S has cardinality < n, ~v0 and ~v1 are vectors of n values in D and

id ∈ {0, 1}λ.



Caveat: No Trust Needed?

We still need setup for• Group• Hash function• ZKP (hash or CRS)

Could be set up in a distributed way


Conclusions & Outlook

Conclusions & Outlook• Multi-election non-interactive voting is possible – in the public key

setting• Efficient• Provable secure• Supports multiple candidate elections• Supports unanimity tally function• Preliminary implementation

Future directions• More special tally functions• Remove Random Oracle assumption• Refine privacy definition to include e.g. vote copying attacks• Robustness in the non-interactive case• Receipt-freeness?


on the possibility of non-interactive e-votingfc16.ifca.ai/voting/slides/pbrtalkvoting16.pdf ·...

Documents