
e-voting (requirements & protocols) PowerPoint PPT Presentation




e-voting (requirements & protocols)

1) Aggelos Kiayias, Moti Yung: Self-tallying Elections and Perfect Ballot Secrecy

2) Jens Groth: Efficient Maximal Privacy in Boardroom Voting and Anonymous Broadcast


Types of Adversary

1) Passive

Static

2) Active

Adaptive (or Dynamic)

3) Fail-Stop


Requirements

  • Privacy: Ensures the secrecy of the ballots.

  • Universal Verifiability: Anyone, whether or not they participated in the election, can be convinced that all valid votes have been included in the final tally.

  • Robustness: The system can tolerate a certain number of faulty participants.

  • Receipt-freeness: The voters cannot provide a “receipt” that shows what they voted.

  • Fairness: No partial tally is revealed before the end of the elections.


Further requirements

  • Dispute-freeness: The fact that the participants follow the protocol at any phase can be publicly verified by any casual third party.

  • Self-tallying: The post-ballot-phase can be performed by any interested third party.

  • Perfect Ballot Secrecy: The only thing revealed about the voters’ choice is the final result.

  • Perfect Message Secrecy: Nothing is revealed about who sent which message, no matter how many parties are corrupted. (Groth 2004)


Propositions

  • A self-tallying scheme cannot be robust and support privacy at the same time.

  • A voting scheme with robustness based on secret sharing cannot satisfy Perfect Ballot Secrecy.


New Notion

Corrective Fault Tolerance

(More relaxed form of robustness)


Bulletin Board

  • Public-broadcast channel with memory (no one can erase what is written).

  • Any party (or simple observer) can read information from it.

  • All active parties can write on it in designated areas (this means that the communication transcript is secure).

  • The bulletin board authority (server) is responsible for administrating the election (starting, terminating, and maintaining a registry of voters).


Voting Scheme (Kiayias-Yung 2002)

  • $G_k$: family of groups, such that the DLP is hard.

  • Gen: a probabilistic polynomial-time algorithm that, given $1^k$, generates the description of a group $G \in G_k$ and three random elements from $G$: $f, g, h$, known to all parties ($k$: number of bits of $q$, $p$; $G$: of order $q$).

  • Every voter $V_i$ selects randomly $a_i \in \mathbb{Z}_q$ and publishes

    $h_i := h^{a_i}$ (voter's public key).

Pre-Voting Stage(1)

  • Each $V_i$ selects randomly $s_{i,j} \in \mathbb{Z}_q$, $j = 1, \ldots, n$, s.t. $\sum_{j=1}^{n} s_{i,j} = 0$

    (select $n-1$ values and set $s_{i,n} := -\sum_{j=1}^{n-1} s_{i,j}$).

  • Each $V_i$ then publishes the pairs $\langle R_{i,j}, R'_{i,j} \rangle$ s.t.

    $R_{i,j} := g^{s_{i,j}}$ and $R'_{i,j} := h_j^{s_{i,j}}$

    along with a proof of knowledge that $\log_g R_{i,j} = \log_{h_j} R'_{i,j}$.

  • The bulletin board authority computes the product

    $R'_j = \prod_{i=1}^{n} R'_{i,j}$, and publishes it on the board.


Pre-Voting Stage(2)

Interactive Proof of Knowledge


Pre-Voting Stage(3)

Theorem: After the completion of the pre-voting phase:

i) Any third party can verify that $\log_g R_{i,j} = \log_{h_j} R'_{i,j}$.

ii) Any third party can verify that $\sum_{j=1}^{n} s_{i,j} = 0$.

iii) If at least one voter chose the $s_{i,j}$ values randomly, then the values $t_j = \sum_{i=1}^{n} s_{i,j}$ are random in $\mathbb{Z}_q$, with the property that $\sum_{j=1}^{n} t_j = 0$.


Voting Phase(1)

  • Voter $V_j$ reads $R'_j$ on the board and raises it to $a_j^{-1}$ in order to obtain $h^{t_j}$.

  • Voter $V_j$ selects $v_j \in \{-1\ (\text{no}),\ 1\ (\text{yes})\}$ and publishes the ballot $B_j := h^{t_j} f^{v_j}$, along with a proof of knowledge that


Voting Phase(2)


Self-Tallying

  • The tally $T := \prod_{j=1}^{n} B_j = f^{\sum_{j=1}^{n} v_j}$, since $\sum_{j=1}^{n} t_j = 0$.

  • $T \in \{f^{-n+1}, \ldots, f^{n-1}\}$, so a brute force attack can check all possible values with $2n$ steps worst case. Shanks’ “Baby Step-Giant Step” method gives even better results.
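The pre-voting, voting and self-tallying steps above, end to end, as an added example that is not code from the slides or from the Kiayias-Yung paper. The group parameters are toy values constructed for illustration, the function names are hypothetical, and all proofs of knowledge are omitted, so it shows only the algebra for honest voters.

```python
import math
import secrets

# Toy parameters, constructed for illustration (far too small for real use):
# p = 2q + 1 with q prime; the squares mod p form the group G of prime order q.
P, Q = 2039, 1019
F, G, H = 4, 9, 25                    # three elements of G in the roles of f, g, h

def keygen():
    a = secrets.randbelow(Q - 1) + 1  # a_i in Z_q, nonzero so a_i^{-1} exists
    return a, pow(H, a, P)            # (a_i, h_i = h^{a_i})

def pre_vote(pubs):
    """Voter i's shares s_{i,1..n} (sum 0 mod q) as R_{i,j} and R'_{i,j}."""
    s = [secrets.randbelow(Q) for _ in pubs[:-1]]
    s.append(-sum(s) % Q)             # s_{i,n} := -(s_{i,1} + ... + s_{i,n-1})
    R = [pow(G, x, P) for x in s]
    R_prime = [pow(h_j, x, P) for h_j, x in zip(pubs, s)]
    return R, R_prime

def ballot(a_j, R_prime_j, v_j):
    """B_j = h^{t_j} f^{v_j}, with h^{t_j} = (R'_j)^{1/a_j} and v_j in {-1, 1}."""
    h_t = pow(R_prime_j, pow(a_j, -1, Q), P)
    return h_t * pow(F, v_j % Q, P) % P

def self_tally(ballots):
    """Needs no secret: T = prod B_j = f^{sum v_j}; search the small range."""
    T, n = math.prod(ballots) % P, len(ballots)
    for total in range(-n, n + 1):
        if pow(F, total % Q, P) == T:
            return total
    raise ValueError("tally out of range: shares or ballots are inconsistent")

def run_election(votes):
    n = len(votes)
    keys = [keygen() for _ in range(n)]
    pubs = [h for _, h in keys]
    rows = [pre_vote(pubs) for _ in range(n)]
    # Public check (ii) of the theorem: prod_j R_{i,j} = g^0 = 1 for every voter i.
    if any(math.prod(R) % P != 1 for R, _ in rows):
        raise ValueError("a voter's shares do not sum to zero")
    # Bulletin board: R'_j = prod_i R'_{i,j}.
    board = [math.prod(Rp[j] for _, Rp in rows) % P for j in range(n)]
    ballots = [ballot(keys[j][0], board[j], votes[j]) for j in range(n)]
    return self_tally(ballots)
```

The tally is the number of yes-votes minus the number of no-votes; a single ballot on its own is blinded by $h^{t_j}$ and only the product of all ballots cancels the blinding.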


Corrective Fault Tolerance

Two cases:

  • When some registered voters do not participate in the pre-voting phase.

  • When some voters do not cast a ballot before the deadline of the election.

  • In both cases the remaining active voters must react to reveal the shares that were intended for the ones that failed.


Corrective Fault Tolerance(1)

  • No participation in the pre-voting phase:

    $S$ := set of voters who didn’t participate

    $\bar{S}$ := set of remaining voters

    Each voter $V_k$, $k \in \bar{S}$, publishes $R''_k := h_k^{\sum_{j \in S} s_{k,j}}$, together with a non-interactive proof of knowledge for

    Then the bulletin board authority modifies the values

Corrective Fault Tolerance(2)

The values $R'_k$ are changed to satisfy the properties of Theorem, especially (iii), with $t_k := \log_{h_k} R'_k$. It is easy to see that $\sum_{k \in \bar{S}} t_k = 0$ and that the values $t_k$ are random in $\mathbb{Z}_q$, if at least one voter chose the $s_{i,j}$ randomly.


Corrective Fault Tolerance(3)

  • No participation in the voting phase:

    $S'$ := set of voters who didn’t cast a vote

    $\bar{S'}$ := set of remaining voters

    Each voter $V_k$, $k \in \bar{S'}$, publishes $e_k := \sum_{j \in S'} s_{k,j}$ and

    $\Phi_k := \left(\prod_{j \in S'} R'_{j,k}\right)^{a_k^{-1}}$.

    The value of $e_k$ can be publicly verified by checking

    $g^{e_k} = \prod_{j \in S'} R_{k,j}$

    $\Phi_k$ must be accompanied by a PK as before.


Corrective Fault Tolerance(4)

The tally computation can be performed by any third party:

$T := \prod_{k \in \bar{S'}} B_k \, h^{e_k} \, (\Phi_k)^{-1}$

It is easy to see that T {f ,…,f }, so the number of the positive votes can be found with a brute force attack as before.


Multi-Way Elections

  • In the initialization phase, instead of $f$, the values $f_1, f_2, \ldots, f_n \in G$ are given to all parties.

  • Whenever $V_j$ wants to cast a vote $v_j$ he publishes the ballot $h^{t_j} f_{v_j}$, along with a proof of knowledge.

  • In the final stage the product $T_1 T_2 \cdots T_c$ is revealed, where $T_k \in \{f_k^{0}, \ldots, f_k^{n-1}\}$. A total of $n^{c-1}$ search steps in the worst case is required to reveal the votes each candidate received.


Conclusion

  • Assuming the existence of a homomorphic encryption with an associated discrete logarithm problem which is secure, and a random oracle hash:

    Theorem: The described protocol satisfies privacy, fairness (assuming the existence of an honest authority that casts the last 0-vote), universal verifiability, corrective fault tolerance, dispute-freeness, self-tallying and perfect ballot secrecy.


Voting Schemes (Jens Groth 2004)

  • Simple self-tallying voting scheme with perfect ballot secrecy, which is more efficient than [KiayiasYung].

  • Anonymous broadcast channel with perfect message secrecy (Nothing is revealed about who sent which message, no matter how many parties are corrupted), built on top of a broadcast channel.


Remember notions!

  • Dispute-freeness: The fact that the participants follow the protocol at any phase can be publicly verified by any casual third party.

  • Self-tallying: The post-ballot-phase can be performed by any interested third party.

  • Perfect Ballot Secrecy: The only thing revealed about the voters’ choice is the final result.

  • Fairness: No partial tally is revealed before the end of the elections.


Properties

  • Bulletin(message)-board with memory.

  • The adversary A is polynomial-time, active and static.

  • The parties work semi-synchronously; the protocol proceeds in phases and the parties act in random order in each phase. We let A decide when to switch phase.


Simple Protocol(1)

Simple protocol in the honest-but-curious case (passive), and a yes-or-no voting.

Initialization:

  • The voters agree on a group $G_q$, of order $q$, where the DDH problem is hard and on $g$: generator of $G_q$.

  • All voters select randomly a $x_j \in \mathbb{Z}_q$ which is kept secret, and they publish $h_j := g^{x_j}$.


Simple Protocol(2)

Casting votes:

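  • $v_1, \ldots, v_n \in \{0, 1\}$.

  • Voter 1 chooses random $r_1 \in \mathbb{Z}_q$, and publishes

    $\left(g^{r_1},\ \left(\prod_{i=2}^{n} h_i\right)^{r_1} g^{v_1}\right)$.

  • Voter 2 chooses random $r_2 \in \mathbb{Z}_q$, and publishes

    $\left(g^{r_1+r_2},\ \left(\prod_{i=3}^{n} h_i\right)^{r_1+r_2} g^{v_1+v_2}\right)$.

  • Voter $n$ chooses random $r_n \in \mathbb{Z}_q$, and publishes

    $\left(g^{\sum_{i=1}^{n} r_i},\ g^{\sum_{i=1}^{n} v_i}\right)$.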


Simple Protocol(3)

Tallying:

  • Finally from the last voter’s output we can read off

    $g^{\sum v_i}$. $\sum v_i \le n$, so we can compute the 1-votes.

  • To deal with active adversaries too, all we have to do is add zero-knowledge proofs for correctness.


Voting Protocol

  • n : number of voters

  • c : number of candidates

  • k : the security parameter

  • W : set of possible votes. We encode the vote for candidate $i$ as $(n+1)^i$. In this way we can know the exact number of votes each candidate took.


Voting Protocol(1)

Initialization:

  • The voters agree on a group $G_q$, of order $q$, where the DDH problem is hard and on $g$: generator of $G_q$.

  • All voters select randomly a $x_i \in \mathbb{Z}_q$ which is kept secret, and they publish $h_i := g^{x_i}$, along with a proof of knowledge for $x_i$.

  • Set current state of election $(1,1)$.


Voting Protocol(2)

Voting Phase:

  • Voter $i$ wants to cast a vote $v_i \in W$. He downloads the current state of election $(u,v)$ and verifies the correctness of the keys and all votes cast till now.

  • He selects random $r_i$ from $\mathbb{Z}_q$. He sets:

    $u := u\, g^{r_i}$

    $v := v\, u^{-x_i} \left(\prod_{j \in T} h_j\right)^{r_i} g^{v_i}$,

    where $T$: the set of remaining voters.

  • He broadcasts $(u,v)$ along with a proof of knowledge.


Voting Protocol(3)

Tallying:

The state of the election is $(u,v)$ with $v = g^{\sum v_i}$. If there are not too many voters and candidates, the discrete logarithm can be computed.

Fault-correction:

The remaining voters have to repeat the voting phase, with the reduced set of voters. They can gain a factor $\log c$ by proving that they cast the same vote…
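The state update and tallying of Groth's voting protocol above, as an added example that is not code from the slides or from Groth's paper. It assumes a toy group constructed for illustration, hypothetical function names, honest voters acting in index order, and no proofs of knowledge. The $u$ used in $u^{-x_i}$ is the downloaded one, which is what makes each voter's own key drop out of the blinding.

```python
import math
import secrets

# Toy group, constructed for illustration (far too small for real use):
# g = 4 generates the subgroup of prime order q in Z_p^*, p = 2q + 1.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1      # secret x_i
    return x, pow(G, x, P)                # (x_i, h_i = g^{x_i})

def cast(state, x_i, remaining_pubs, encoded_vote):
    """Voter i's update of (u, v); remaining_pubs are the keys h_j, j in T."""
    u, v = state                          # the downloaded state
    r = secrets.randbelow(Q)
    peel = pow(u, Q - x_i, P)             # u^{-x_i}: strips h_i from the blinding
    blind = pow(math.prod(remaining_pubs) % P, r, P)
    new_u = u * pow(G, r, P) % P
    new_v = v * peel * blind * pow(G, encoded_vote, P) % P
    return new_u, new_v

def tally(v, n, c):
    """Brute-force log_g v, then read per-candidate counts as base-(n+1) digits."""
    acc = 1
    for total in range((n + 1) ** c):
        if acc == v:
            return [total // (n + 1) ** i % (n + 1) for i in range(c)]
        acc = acc * G % P
    raise ValueError("final state is not g^(valid tally)")

def run_election(choices, c):
    """choices[i] is voter i's candidate index in 0..c-1; returns all states."""
    n = len(choices)
    if (n + 1) ** c > Q:
        raise ValueError("encoded tally would wrap modulo q")
    keys = [keygen() for _ in range(n)]
    pubs = [h for _, h in keys]
    states = [(1, 1)]                     # initial state of the election
    for i, cand in enumerate(choices):
        vote = (n + 1) ** cand            # candidate i encoded as (n+1)^i
        states.append(cast(states[-1], keys[i][0], pubs[i + 1:], vote))
    return states, tally(states[-1][1], n, c)
```

Only the last state has an empty set $T$, so only there does $v$ collapse to $g^{\sum v_i}$; every earlier state is still blinded by the keys of the voters who have not yet voted.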


Comparison

KiayiasYung

1. $O(n)$ exponentiations in the key registration phase

2. $O(nk)$ size of the key

3. $O(n^2)$ exponentiations for the verification of the keys

4. $O(\log c)$ exponentiations in the voting phase

Groth

1. $O(1)$ exponentiations in the key registration phase

2. $O(k)$ size of the key

3. $O(n)$ exponentiations for the verification of the keys

4. $O(\log c)$ exponentiations in the voting phase

  • The size of the votes and the exponentiations necessary to verify the votes (the voters’ proofs resp.) are the same in both protocols.

  • In KiayiasYung, many voters can vote simultaneously.


Anonymous Broadcast with PMS

Requirements:

  • Perfect message secrecy: A sender is hidden completely among the group of honest senders.

  • Self-disclosing: Once the last sender has submitted his message, anybody can see the messages broadcasted.

  • Fairness: There is no access to a partial tally before the end of the election (assuming the existence of an honest authority that casts the last 0-vote).

  • Dispute-freeness: Anybody can verify if the senders follow the protocol or not.


Anonymous Broadcast Protocol(1)

  • The senders agree on a group $G_q$ of order $q$, where the DHP is hard, and on a generator $g$ for $G_q$.

  • Each sender $i$ selects random $x_i \in \mathbb{Z}_q$ and publishes $h_i := g^{x_i}$, with a proof of knowledge for it.

  • Sender $i$ wants to send a message $m_i \in G_q$. We denote $S$: the set of senders who already sent a message, and $T$: the set of those who didn’t. The state of the election is the ciphertexts $\{(u_j, v_j)\}_{j \in S \setminus \{i\}}$.

Anonymous Broadcast Protocol(2)

Message submission:

  • Sender $i$ checks all proofs of the previous senders. Then he encrypts $m_i$ as $(u_i, v_i) := \left(g^{r_i},\ \left(\prod_{j \in T} h_j\right)^{r_i} m_i\right)$.

  • He picks random permutation $\pi_i$ over $S$, permutes all ciphertexts $\{(u_j, v_j)\}_{j \in S}$ and rerandomizes them into $\{(U_j, V_j')\}_{j \in S}$.

  • Finally he removes one layer of encryption, meaning he computes $\{(U_j, V_j' U_j^{-x_i})\}_{j \in S}$.

  • He broadcasts the list of ciphertexts with a proof of knowledge for having done all that correctly.

Theorem: The described protocol is a self-disclosing, dispute-free, anonymous broadcast protocol with perfect message secrecy. Assuming the existence of an honest authority that doesn’t submit a message himself, the protocol is fair.
