Professional Documents
Culture Documents
Types of Adversary
1)Passive Static
2)Active
Adaptive(or Dynamic) 3)Fail-Stop
Requirements
Privacy: Ensures the secrecy of the ballots. Universal Verifiability: Anyone, having or not participated in the elections, can be convinced that all valid votes have been included in the final tally. Robustness: The system can tolerate a certain number of faulty participants. Receipt-freeness: The voters cannot provide a receipt that shows what they voted. Fairness: No partial tally is revealed before the end of the elections.
3
Further requirements
Dispute-freeness: The fact that the participants
follow the protocol at any phase can be publicly verified by any casual third party. Self-tallying: The post-ballot-phase can be performed by any interested third party. Perfect Ballot Secrecy: The only thing revealed about the voters choice is the final result. Perfect Message Secrecy: Nothing is revealed about who sent which message, no matter how many parties are corrupted.(Groth2004)
4
Propositions
A self-tallying scheme cannot be robust and
support privacy at the same time.
New Notion
Bulletin Board
Public-broadcast channel with memory (no one can
erase what is written). Any party (or simple observer) can read information of it. All active parties can write on it in designated areas (this means that the communication transcript is secure). The bulletin board authority (server) is responsible for administrating the election (starting, terminating, and maintaining a registry of voters).
7
Pre-Voting Stage(1)
Each Vi selects randomly s i,j q , j=1,,n s.t. n 1 (select n-1 values and set s i,n:=- s i,j ).
j 1
i i,j i,j
s
j 1
i,j
=0.
Pre-Voting Stage(2)
Interactive Proof of Knowledge
10
Pre-Voting Stage(3)
Theorem: After the completion of the pre-voting phase i)Any third-party can verify that log R i,j=log h R i,j. j n g ii)Any third-party can verify that s i,j=0. j 1 iii)If at least one votern chose the s i,j values randomly, then the values t j= s i.,j are random in q, with the n i 1 property that tj=0.
j 1
11
Voting Phase(1)
Voter Vj reads Rj on the board and raises it to a-1 j in order to obtain h t j. Voter Vj selects vj {-1(no),1(yes)} and publishes the tj v j ballot Bj:=h f , along with a proof of knowledge that
12
Voting Phase(2)
13
Self-Tallying
n j 1
Bj = f
j 1
vj
, since
t =0.
j 1
j
T {f ,f }, so a brute force attack can check all possible values with 2n steps worst case. Shanks Baby Step-Giant Step method gives even better results.
14
16
17
No participation in the voting phase: S:=set of voters who didnt cast a vote _ S:=set of remaining voters _ Each Voter Vk,-1 kS publishes ek:= sk,j and jS ' ak k:=( Rj,k) . jS ' The value of ek can be publicly verified by checking gek := Rk,j jS ' k must be accompanied by a PK as before.
18
It is easy to see that }, so the number of the positive votes can be found with a brute force attack as before.
S S
T {f ,,f
19
Multi-Way Elections
In the initialization phase, instead of f, the values f1, f2,,fn G are given to all parties. Whenever Vj wants to cast a vote vj he publishes the tj ballot h fvj, along with a proof of knowledge. In the final stage the product T1T2Tc is revealed, 0 n-1 c-1 where Tk {fk,,fk }. A total of n search steps in the worst case is required, to reveal the votes each candidate received.
20
Conclusion
Assuming the existence of an homomorphic
encryption with an associated discrete logarithm problem which is secure, and a random oracle hash:
Theorem: The described protocol satisfies privacy, fairness(assuming the existence of an honest authority that casts the lest 0-vote), universal verifiability, corrective-fault tolerance, disputefreeness, self-tallying and perfect ballot secrecy.
21
message secrecy (Nothing is revealed about who sent which message, no matter how many parties are corrupted), built on top of a broadcast channel.
22
Remember notions!
Dispute-freeness: The fact that the participants
follow the protocol at any phase can be publicly verified by any casual third party. Self-tallying: The post-ballot-phase can be performed by any interested third party. Perfect Ballot Secrecy: The only thing revealed about the voters choice is the final result. Fairness: No partial tally is revealed before the end of the elections.
23
Properties
Bulletin(message)-board with memory. The adversary A is polynomial-time, active and static. The parties work semi-synchronously; the protocol proceeds in phases and the parties act in random order in each phase. We let A decide when to switch phase. decide when to change
24
Simple Protocol(1)
Simple protocol in the honest-but-curious case (Passive),and a yes-or-no voting. Initialization: The voters agree on a group Gq, of order q, where the DDH problem is hard and on g: generator of Gq. All voters select randomly a xj q which is kept xj secret, and they publish hj:=g .
25
Simple Protocol(2)
Casting votes: v1,,vn {0,1}. Voter n1 chooses random r1 r1 v1 r1 (g ,( hi) g ). i 2 Voter 2 nchooses random r2 (g r1+r , 2 (hi) r1+r2gv1+v2 ). i 3 Voter n chooses random rn (g ri ,g vi ).
n n i 1 i 1
, and publishes
, and publishes
, and publishes
26
Simple Protocol(3)
Tallying: Finally from the last voters output we can read off g
vi
i 1 n
27
Voting Protocol
n : number of voters c : number of candidates k : the security parameter W : set of possible votes. We encode the vote for i candidate i as (n+1) . In this way we can know the exact number of votes each candidate took.
28
Voting Protocol(1)
Initialization: The voters agree on a group Gq, of order q, where the DDH problem is hard and on g: generator of Gq. All voters select randomly a xi q which is kept xi secret, and they publish hi:=g , along with a proof of knowledge for xi. Set current state of election (1,1).
29
Voting Protocol(2)
Voting Phase: Voter i wants to cast a vote vi W. He downloads the current state of election (u,v) and verifies the correctness of the keys and all votes cast till now. He selects random ri from q. He sets: ri u:=ug ri vi -xi v:=vu (hj) g , jT where T: the set of remaining voters. He broadcasts (u,v) along with a proof of knowledge.
30
Voting Protocol(3)
Tallying: vi The state of the election is (u,v) with v=g . If there are not too many voters and candidates, the discrete logarithm can be computed.
n i 1
Fault-correction: The remaining voters have to repeat the voting phase, with the reduced set of voters. They can gain a factor logc by proving that they cast the same vote
31
Comparison
KiayiasYung
1. O(n) exponentiations in the key registration phase 2. O(nk) size of the key 3. O(n2) exponentiations for the verification of the keys 4. O(logc) exponentiations in the voting phase
Groth
1. O(1) exponentiations in the key registration phase 2. O(k) size of the key 3. O(n) exponentiations for the verification of the keys 4. O(logc) exponentiations in the voting phase
verify the votes(the voters proofs resp.) are the same in both protocols.
Requirements: Perfect message secrecy: A sender is hidden completely among the group of honest senders. Self-disclosing: Once the last sender has submitted his message, anybody can see the messages broadcasted. Fairness: There is no access to a partial tally before the end of the election(assuming the existence of an honest authority that casts the lest 0-vote). Dispute-freeness: Anybody can verify if the senders follow the protocol or not.
33
The senders agree on a group Gq of order q, where the DHP is hard, and on a generator g for Gq. Each sender i selects random xi q and publishes hi:=gxi, with a proof of knowledge for it. Sender i wants to send a message mi Gq. We denote S: the set of senders who already sent a message, and T: the set of those who didnt. The state of the election are the ciphertexts {(uj, vj)} j S\{i}.
34
jT {i}
Theorem: The described protocol is self-disclosing, dispute-free, anonymous broadcast protocol with perfect message secrecy.Assuming the existence of an honest authority that doesnt submit a message himself, the protocol is fair.
36