e voting requirements protocols
Download
Skip this Video
Download Presentation
e-voting (requirements & protocols)

Loading in 2 Seconds...

play fullscreen
1 / 36

E-voting requirements protocols - PowerPoint PPT Presentation


  • 91 Views
  • Uploaded on

e-voting (requirements & protocols). 1) Aggelos Kiayias, Moti Yung : Self-tallying Elections and Perfect Ballot Secrecy 2) Jens Groth : Efficient Maximal Privacy in Boardroom Voting an d A nonymous Broadcas t. Types of Adversary. 1)Passive

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'E-voting requirements protocols' - vic


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
e voting requirements protocols

e-voting(requirements & protocols)

1) Aggelos Kiayias, Moti Yung:

Self-tallying Elections and Perfect BallotSecrecy

2) Jens Groth:

Efficient Maximal Privacy in Boardroom Voting and

Anonymous Broadcast

types of adversary
Types of Adversary

1)Passive

Static

2)Active

Adaptive(or Dynamic)

3)Fail-Stop

requirements
Requirements
  • Privacy: Ensures the secrecy of the ballots.
  • Universal Verifiability: Anyone, having or not participated in the elections, can be convinced that all valid votes have been included in the final tally.
  • Robustness: The system can tolerate a certain number of faulty participants.
  • Receipt-freeness: The voters cannot provide a “receipt” that shows what they voted.
  • Fairness: No partial tally is revealed before the end of the elections.
further requirements
Further requirements
  • Dispute-freeness: The fact that the participants follow the protocol at any phase can be publicly verified by any casual third party.
  • Self-tallying: The post-ballot-phase can be performed by any interested third party.
  • Perfect Ballot Secrecy: The only thing revealed about the voters’ choice is the final result.
  • Perfect Message Secrecy: Nothing is revealed about who sent which message, no matter how many parties are corrupted.(Groth2004)
propositions
Propositions
  • A self-tallying scheme cannot be robust and support privacy at the same time.
  • A voting scheme with robustness based on secret sharing cannot satisfy Perfect Ballot Secrecy.
new notion
New Notion

Corrective Fault Tolerance

(More relaxed form of robustness)

bulletin board
Bulletin Board
  • Public-broadcast channel with memory (no one can erase what is written).
  • Any party (or simple observer) can read information of it.
  • All active parties can write on it in designated areas (this means that the communication transcript is secure).
  • The bulletin board authority (server) is responsible for administrating the election (starting, terminating, and maintaining a registry of voters).
voting scheme kiayias yung2002
Voting Scheme (Kiayias-Yung2002)
  • Gk: family of groups, such that the DLP is hard
  • Gen: a probabilistic polynomial-time algorithm that, given 1 generates the description of a group G Gk and three random elements from G: f, g, h, known to all parties (k: number of bits of q,p ; G: of order q).
  • Every voter Vi selects randomly aiq, and publishes

hi:=h (voter’s public key).

k

a

i

pre voting stage 1
Pre-Voting Stage(1)
  • Each Vi selects randomly s i,j q , j=1,…,n s.t. s i,j=0.

(select n-1 values and set s i,n:=- s i,j ).

  • Each Vi then publishes the pairs <R i,j,R’i,j> s.t

R i,j:=g and R’i,j:=hj

along with a proof of knowledge that log R i,j=logR’i,j.

  • The bulletin board authority computes the product

R’j = R’i,j, and publishes it on the board.

s

s

i,j

i,j

g

h

j

pre voting stage 2
Pre-Voting Stage(2)

Interactive Proof of Knowledge

pre voting stage 3
Pre-Voting Stage(3)

Theorem: After the completion of the pre-voting phase

i)Any third-party can verify that log R i,j=logR’i,j.

ii)Any third-party can verify that s i,j=0.

iii)If at least one voter chose the s i,j values randomly, then the values t j= s i.,j are random in q, with the

property that tj=0.

g

h

j

voting phase 1
Voting Phase(1)
  • Voter Vj reads R’j on the board and raises it to aj in order to obtain h .
  • Voter Vj selects vj {-1(no),1(yes)} and publishes the ballot Bj:=h f , along with a proof of knowledge that

-1

t

j

t

v

j

j

self tallying
Self-Tallying
  • The tally T:= Bj = f , since tj=0.
  • T {f ,f }, so a brute force attack can check all possible values with 2n steps worst case. Shanks’ “Baby Step-Giant Step” method gives even better results.

v

j

-n+1

n-1

corrective fault tolerance
Corrective Fault Tolerance

Two cases:

  • When some registered voters do not participate in the pre-voting phase.
  • When some voters do not cast a ballot before the deadline of the election.
  • In both cases the remaining active voters must react to reveal the shares that were intended for the ones that failed.
corrective fault tolerance 1
Corrective Fault Tolerance(1)
  • No participation in the pre-voting phase:

S:=set of voters who didn’t participate

S:=set of remaining voters

Each voter Vk, k S, publishes R’’:=h , together with a non-interactive proof of knowledge for

Then the bulletin board authority modifies the values

_

_

s

k,j

k

k

corrective fault tolerance 2
Corrective Fault Tolerance(2)

The values R’k are changed to satisfy the properties

of Theorem, especially (iii), with tk:=log R’k . It is

easy to see that tk=0 and that the values tk are

random in q, if at least one voter chose the si,j

randomly.

h

k

corrective fault tolerance 3
Corrective Fault Tolerance(3)
  • No participation in the voting phase:

S’:=set of voters who didn’t cast a vote

S’:=set of remaining voters

Each Voter Vk, k S’ publishes ek:= sk,j and

Φk:=( R’j,k) .

The value of ek can be publicly verified by checking

g := Rk,j

Φk must be accompanied by a PK as before.

_

_

a

-1

k

e

k

corrective fault tolerance 4
Corrective Fault Tolerance(4)

The tally computation can be performed by any third party:

T:= B h (Φ )

It is easy to see that T {f ,…,f }, so the number of the positive votes can be found with a brute force attack as before.

e

-1

k

k

k

-

multi way elections
Multi-Way Elections
  • In the initialization phase, instead of f, the values f1, f2,…,fn G are given to all parties.
  • Whenever Vj wants to cast a vote vj he publishes the ballot h fvj, along with a proof of knowledge.
  • In the final stage the product T1T2…Tc is revealed, where Tk {fk,…,fk }. A total of n search steps in the worst case is required, to reveal the votes each candidate received.

tj

0

n-1

c-1

conclusion
Conclusion
  • Assuming the existence of an homomorphic encryption with an associated discrete logarithm problem which is secure, and a random oracle hash:

Theorem: The described protocol satisfies privacy, fairness(assuming the existence of an honest authority that casts the lest 0-vote), universalverifiability, corrective-fault tolerance, dispute-freeness, self-tallying and perfect ballot secrecy.

voting schemes jens groth2004
Voting Schemes(Jens Groth2004)
  • Simple self-tallying voting scheme with perfect ballot secrecy, which is more efficient than [KiayiasYung].
  • Anonymous broadcast channel with perfect message secrecy (Nothing is revealed about who sent which message, no matter how many parties are corrupted), built on top of a broadcast channel.
remember notions
Remember notions!
  • Dispute-freeness: The fact that the participants follow the protocol at any phase can be publicly verified by any casual third party.
  • Self-tallying: The post-ballot-phase can be performed by any interested third party.
  • Perfect Ballot Secrecy: The only thing revealed about the voters’ choice is the final result.
  • Fairness: No partial tally is revealed before the end of the elections.
properties
Properties
  • Bulletin(message)-board with memory.
  • The adversary A is polynomial-time, active and static.
  • The parties work semi-synchronously; the protocol proceeds in phases and the parties act in random order in each phase. We let A decide when to switch phase. decide when to change
simple protocol 1
Simple Protocol(1)

Simple protocol in the honest-but-curious case (Passive),and a yes-or-no voting.

Initialization:

  • The voters agree on a group Gq, of order q, where the DDH problem is hard and on g: generator of Gq.
  • All voters select randomly a xj q which is kept secret, and they publish hj:=g .

x

j

simple protocol 2
Simple Protocol(2)

Casting votes:

  • v1,…,vn {0,1}.
  • Voter 1 chooses random r1q, and publishes

(g ,( hi) g ).

  • Voter 2 chooses random r2q, and publishes

(g , ( hi) g ).

  • Voter n chooses random rnq, and publishes

(g ,g ).

r1

v1

r1

r1+r2

r1+r2

v1+v2

ri

vi

simple protocol 3
Simple Protocol(3)

Tallying:

  • Finally from the last voter’s output we can read off

g . vin, so we can compute the 1-votes.

  • To deal with active adversaries too, all we have to do is add zero-knowledge proofs for correctness.

vi

voting protocol
Voting Protocol
  • n : number of voters
  • c : number of candidates
  • k : the security parameter
  • W : set of possible votes. We encode the vote for candidate i as (n+1) . In this way we can know the exact number of votes each candidate took.

i

voting protocol 1
Voting Protocol(1)

Initialization:

  • The voters agree on a group Gq, of order q, where the DDH problem is hard and on g: generator of Gq.
  • All voters select randomly a xi q which is kept secret, and they publish hi:=g , along with a proof of knowledge for xi.
  • Set current state of election (1,1).

x

i

voting protocol 2
Voting Protocol(2)

Voting Phase:

  • Voter i wants to cast a vote vi W. He downloads the current state of election (u,v) and verifies the correctness of the keys and all votes cast till now.
  • He selects random ri from q. He sets:

u:=ug

v:=vu ( hj) g ,

where T: the set of remaining voters.

  • He broadcasts (u,v) along with a proof of knowledge.

ri

ri

vi

-xi

voting protocol 3
Voting Protocol(3)

Tallying:

The state of the election is (u,v) with v=g .

If there are not too many voters and candidates, the

discrete logarithm can be computed.

Fault-correction:

The remaining voters have to repeat the voting phase,

with the reduced set of voters. They can gain a factor

logc by proving that they cast the same vote…

vi

comparison
KiayiasYung

1. O(n) exponentiations in thekey regi-

stration phase

2. O(nk) size of the key

3. O(n ) exponentiations for the verifi-

cation of the keys

4. O(logc) exponentiations in the

voting phase

Groth

1. O(1) exponentiations in the key regi-

stration phase

2. O(k) size of the key

3. O(n) exponentiations for the verifi-

cation of the keys

4. O(logc) exponentiations in the

voting phase

Comparison

2

  • The size of the votes and the exponentiations necessary to verify the votes(the voters’ proofs resp.) are the same in both protocols.
  • In KiayiasYung, many voters can vote simultaneously.
anonymous broadcast with pms
Anonymous Broadcast with PMS

Requirements:

  • Perfect message secrecy: A sender is hidden completely among the group of honest senders.
  • Self-disclosing: Once the last sender has submitted his message, anybody can see the messages broadcasted.
  • Fairness: There is no access to a partial tally before the end of the election(assuming the existence of an honest authority that casts the lest 0-vote).
  • Dispute-freeness: Anybody can verify if the senders follow the protocol or not.
anonymous broadcast protocol 1
Anonymous Broadcast Protocol(1)
  • The senders agree on a group Gq of order q, where the DHP is hard, and on a generator g for Gq.
  • Each sender i selects random xiq and publishes hi:=g , with a proof of knowledge for it.
  • Sender i wants to send a message mi Gq. We denote S: the set of senders who already sent a message, and T: the set of those who didn’t. The state of the election are the ciphertexts {(uj, vj)} .

xi

j S\{i}

anonymous broadcast protocol 2
Anonymous Broadcast Protocol(2)

Message submission:

  • Sender i checks all proofs of the previous senders. Then he encrypts mi as (ui, vi):=(g , ( hj) mi).
  • He picks random permutation πi over S, permutes all ciphertexts {(uj, vj)} and rerandomizes them into {(Uj,Vj’)} .
  • Finally he removes one layer of encryption, meaning he computes {(Uj,Vj’Uj )} .
  • He broadcasts the list of ciphertexts with a Proof of knowledge for having done all that correctly.

ri

ri

j S

j S

-xi

j S

slide36
Theorem: The described protocol is self-disclosing, dispute-free, anonymous broadcast protocol with perfect message secrecy.Assuming the existence of an honest authority that doesn’t submit a message himself, the protocol is fair.
ad