More Techniques for Elections with Homomorphic Tallying presentation

About This Presentation

Title:

More Techniques for Elections with Homomorphic Tallying

Description:

More Techniques for Elections with Homomorphic Tallying Jens Groth University College London Security in the random oracle model The Fiat-Shamir heuristic yields ... –

Number of Views:69

Avg rating:3.0/5.0

Slides: 65

Provided by: SimonB161

Category:

more less

Transcript and Presenter's Notes

Title: More Techniques for Elections with Homomorphic Tallying

1
More Techniques for Elections with Homomorphic
Tallying

Jens Groth
University College London

2
Homomorphic encryption

Public key PK
EPK(v R) EPK(w S) EPK(vw RS)
Example Exponent-ElGamal with public key (G,H)
(GR,HRGv) (GS, HSGw) (GRS, HRSGvw)

3
Elections based on homomorphic encryption

Yes 1, No 0
EPK(0R)
EPK(1S)
EPK(1T)
Voters Authorities

4
Homomorphic tallying
Yes 1, No 0 PK public, SK shared
EPK(0R) Discard ineligible or double
votes EPK(1S) Compute and
decrypt EPK(1T) C1C2C3
EPK(2RST) to get the result Yes 2,
No 1
5
Complex elections

Many candidates
1, 2, ..., K options
Many votes per voter
Limited vote Can vote for fixed number of
candidates
Approval vote Can vote for any number of
candidates
Divisible vote Can distribute many votes between
candidates (e.g. shareholder elections)
Borda vote K votes to preferred candidate, K-1
votes to second choice, etc.

6
Several candidates

Could encrypt votes for each candidate
separately EPK(0R1) EPK(1R2) EPK(0R3) EPK(0R
4)
EPK(0S1) EPK(0S2) EPK(0S3) EPK(1S4)
EPK(0T1) EPK(1T2) EPK(0T3) EPK(0T4)
gives products
EPK(0U1) EPK(2U2) EPK(0U3) EPK(1U4)
decrypting to the result
K1 0 K2 2 K3 0 K4 1
Inefficient when there are many candidates

7
Many candidates

Strict upper bound B on votes a candidate can get
Encrypted vote on candidate Ki EPK(Bi-1R)
Example of tallying encrypted votesEPK(B2R)
EPK(B0S) EPK(B2T) EPK(B3U) EPK(B2V)
EPK(10B2B22B3RSTUV)
decrypts to the result K1 1, K2 0, K3 2, K4
0, K5 2

8
Encoding votes when many candidates

Strict upper bound B on votes a candidate can get
Encoded vote on candidate Ki Bi-1
Sum of encoded votes Bi1-1 Bi2-1 Bi3-1
Bi4-1 Bi5-1 ... BiV-1
t1 t2B t3B2 t4B3 t5B4 ... tKBK-1
encodes the result
K1 t1 , K2 t2 , K3 t3 , K4 t4 , K5 t5
, ..., KK tK

9
Generalized encoding

Voter i encodes vote as vi vi,1 vi,2B
vi,3B2 ... vi,KBK-1
Sum of encodes votes (v1,1...vV,1)
(v1,2...vV,2)B
(v1,3...vV,3)B2 ... (v1,K...vV,K)BK-1
t1 t2B t3B2 ... tKBK-1

10
Encodings for complex elections

Encode vote as v1 v2B v3B2 ... vKBK-1
Limited vote v1,v2,...,vK ? 0,1 and
v1v2v3...vK N
Approval vote
v1,v2,...,vK ? 0,1
Divisible vote
v1,v2,...,vK ? 0,...,N and v1v2v3...vK
N
Borda vote
v1,v2,...,vK is a permutation of 1,2,...,K

11
Quality of encoding

Encoding a vote as multiple 0/1-votes is
inefficient
How about encoding a vote as Bi-1?
Turns out is close to optimal when using
homomorphic tallying
With T votes cast freely on K candidates the
number of possible results is

12
Quality of encoding

We have
Taking logarithms (base 2) we get
In comparison the size of our encoded result is
at most

13
Not too far from optimality of our encoding

ExampleK 100, T 10000, B 10001
The optimal encoding of the result uses 0.7 kbits
Our encoding uses 1.3 kbits

14
Problems with exponent-ElGamal

Suppose we have an encrypted result
(GR,HRGResult)
Authorities can jointly decrypt to get GResult
But hard to compute discrete logarithm for
complex elections since there are possible
results and this is hard tobrute force search
when K and T are large

15
Cryptosystems

Will use cryptosystem with message space ZN
Must have N gt TBK-1 to compute correct result
Must have efficient threshold decryption so the
authorities can get the result out
There are various types of such cryptosystems
such as Okamoto-Uchiyama, Paillier,
ElGamal-Paillier and Damgård-Jurik encryption

16
Paillier encryption

Public key NPQ(2p1)(2q1)
Secret key d satisfying d1 mod N, d0 mod 4pq
Encrypt vote v ? ZN using randomness R ? ZN C
(1N)vRN mod N2
Decrypt by computing v (Cd-1 mod N2)/N

17
Correct decryption

Public key NPQ(2p1)(2q1)
Secret key d satisfying d1 mod N, d0 mod 4pq
The multiplicative group ZN2 has size 4Npq
We also have (1N)N 1 NN ... 1 mod N2
Correctness Cd ((1N)vRN)d (1N)vd RNd
(1N)vd R4Npqk (1N)v mod N2
(1N)v 1vN N2... 1vN mod N2
(Cd-1 mod N2)/N v

18
Homomorphic

Public key NPQ(2p1)(2q1)
Encrypt vote v ? ZN using randomness R ? ZN C
(1N)vRN mod N2
Homomorphic (1N)vRN (1N)wSN
(1N)vw(RS)N mod N2

19
Homomorphic cryptosystem

Public key PK
Secret key SK shared between authorities
Message space ZN
Homomorphic EPK(vR) EPK(wS) EPK(vw mod
NRS)
Root extraction
Given (e,w,S) such that Ce EPK(wS)
possible to extract (v,R) such that C EPK(vR)

20
Elections based on homomorphic encryption

EPK(uR)
EPK(vS)
EPK(wT)
Voters Authorities

21
Attacks

The voting scheme described so far is insecure
Attacks on correctness
Submit vote of the form EPK(100B-99B2R)
Corresponds to voting for K2 and additionally
taking 99 votes from K3 and giving them to K2
Attacks on anonymity
If voter i submits C as the encrypted vote
another voter may copy the vote by submitting
CEPK(0R)
If K3 only gets 1 vote, then we learn the voter
did not vote for K3

22
Countering the attacks

Will use non-interactive zero-knowledge arguments
of knowledge for validity of the vote
The voter submits (C,?)
The NIZK argument ? guarantees that the voter
knows the plaintext and that the plaintext is a
valid vote
The NIZK argument does not reveal the vote

23
Zero-knowledge argument
Accept/Reject

Statement C contains a valid vote
Prover Verifier

a
e
z
24
Zero-knowledge argument

Complete
An honest voter who encrypted a valid vote can
convince the verifier
Sound
Infeasible to find an argument convincing the
verifier if the ciphertext does not encrypt a
valid vote
Zero-knowledge
The proof only reveals that the vote is valid, it
does not reveal anything else. In particular, the
actual vote remains secret

25
Non-interactive ZK argument
Accept/Reject

Statement C contains a valid vote
Prover Verifier

?
26
Advantages of non-interactivity

Voters do not need to interact with verifiers and
do not need to keep state during interaction
Election authorities do not need to coordinate
which challenges to send to the voters
Can be publicly verifiable so anybody, including
neutral third parties, can verify validity of all
votes

27
Fiat-Shamir heuristic

An argument is public coin if the verifier just
sends uniformly random challenges to the prover
In the Fiat-Shamir heuristic the prover uses a
cryptographic hash-function to compute the
challenges instead of asking the verifier
ExampleA three round argument as described
before gives an NIZK argument looking like
this ? (a,e,z) where eHash(C,a)

28
Example C contains 0

Common input PK, C
Prover knows R such that C EPK(0R)
Initial message P ? V A EPK(0S)
Challenge P ? V e ?R 0,...,2k-1
Answer P ? V Z ReS
Verification Accept if CeA EPK(0Z)

29
Completeness

An honest prover uses
C EPK(0R) A EPK(0S) Z ReS
This gives usCeA EPK(0,R)eEPK(0S)
EPK(0ReS) EPK(0Z)
An honest verifier always accepts an argument
made by an honest prover

30
Soundness

We will show the prover has at most 2-k
probability of cheating the verifier into falsely
believing that C contains 0 when it does not
If for instance k 256, then this is a
negligible probability of 2-256 for cheating the
verifier
Suppose for contradiction that there is a prover
that has more than 2-k chance of fooling the
verifier after having produced some C and A
This implies there are at least two challenges e
and e that can be used in a convincing argument

31
Soundness

This means there exists Z and Z such that CeA
EPK(0Z) and CeA EPK(0Z)
Dividing the equalities with each other gives us
Ce-e EPK(0Z/Z)
The root extraction property gives an opening
(w,R) such that C EPK(wR)
The equation above gives us (e-e)w 0 mod N
Assuming gcd(e-e,N)1 we get w0

32
Honest verifier zero-knowledge

The verifier could simulate the argument without
knowing anything about C except that it contains
0
Simulation Pick e and Z at random Compute A
EPK(0Z)C-e
Compare real argument and simulated argument
In both types of arguments e and Z are random
Given PK, C, e, Z the verification equation CeA
EPK(0Z) uniquely determines A
So they have identical distributions
Since the verifier could simulate the argument
itself she gains zero knowledge from the real
argument

33
Non-interactive argument for C containing 0

Fiat-Shamir heuristic conversion ? (A,Z)
where A EPK(0S) and ZRHash(C,a)S
Verifier computes e Hash(C,a) and accepts the
argument if CeA EPK(0Z)

34
Security in the random oracle model

The Fiat-Shamir heuristic yields secure NIZK
arguments in the random oracle model, where the
hash-function is modelled as a random function
In the random oracle model the challenge e
Hash(C,a) is random, which gives us soundness as
in the interactive setting
In the random oracle model, we can pick the
challenge e first and then associate it with
(C,a), which still gives us a random function and
also gives us zero-knowledge

35
The random oracle model

The random oracle model captures the intuition
that cryptographic functions are complex and the
adversary may not gain more than if the function
was truly random
There are artificial counter-examples where the
random oracle model yields insecure protocols
We hope the Fiat-Shamir heuristic yields sound
protocols for natural arguments

36
Argument for C containing 0 or 1

Common input PK, C
Provers input C EPK(vR) where v?0,1
Strategy C0 C or C1 CEPK(-11) contains 0
Initial message
Simulate (A1-v,e1-v,Z1-v) for C1-v containing
0 Give initial message Av EPK(0S)
Challenge e ?R 0,...,2k-1
Answer Split e e0 e1 and set Zv RevS
Verification C0e0A0EPK(0Z0) C1e1A1EPK(0Z1)

37
Soundness

Corresponds to running two 0-arguments in
parallel for respectively C and CEPK(-11)
At least one of them is not 0. By the soundness
of the 0-argument the initial message A1-v has
exactly one challenge e1-v that can be answered
When picking e random the split e e0e1
therefore uniquely defines ev, which is random
The soundness of the 0-argument therefore implies
Cv contains 0

38
Complexity

Consider the case with K candidates
We can prove v1 or vB or vB2 or ... or vBK-1
But the argument has complexity O(K) ciphertexts,
which is expensive when K is large
Goal Efficient argument with O(1) complexity
for encryption of valid vote

39
Homomorphic integer commitments

Commitment key ck
Commitment c comck(mr)
Opening (m,r)
Messages and randomizers in Z
Homomorphic comck(vr)comck(ws)
comck(vwrs)
Root extraction

40
Homomorphic integer commitment

Hiding The committed value is secret
Information-theoretically hidden
Binding Not possible to open a commitment to two
different values
Information-theoretically commitments can be
opened to an infinite number of integers, but
there is negligible probability for a
computationally bounded committer to guess or
compute two openings to different integers

41
Example

Let N PQ (2p1)(2q1)
Let g,h be two elements in QRN
Commitment key ck (N,g,h)
Commitment comck(vr) gvhr mod N
Homomorphic gvhr gwhs gvwhrs mod N
Hidden order pq, so cannot reduce vw mod pq,
which is what makes it an integer commitment
Secure under the strong RSA assumption

42
NIZK arguments for complex votes

Strategy
Prove ciphertext C and commitment c contain the
same message
Prove c is a commitment to a valid vote
Advantage
Commitments are smaller
Commitments contain integers
Can use unique factorization and other properties
of integers

43
Argument for same message

Common input ck, PK, c, C
Provers input c comck(vr) C EPK(vR)
Initial message a comck(ds) A EPK(dS)
Challenge e ?R 0,...,2k-1
Answer f evd z ers Z ReS
Verification cea comck(fz) CeA EPK(fZ)

44
Soundness

Answers to two challenges e ? e gives us
cea comck(fz) CeA EPK(fZ)
cea comck(fz) CeA EPK(fZ)
Giving us
ce-e comck(f-fz-z) Ce-e EPK(f-fZ/Z)
The second equality shows f-f (e-e)v mod N
The root extraction property of the commitments
shows f-f (e-e)v
We have v v mod N (assuming gcd(e-e,N)1)
With 0 v lt N (shown later) we get v v

45
Multiplication argument

Common input ck, a, b, c
Provers input
acomck(ur) bcomck(vs) ccomck(uvt)
Initial message
Acomck(dR) Bcomck(-dvS)
Challenge e ?R 0,...,2k-1
Answer f eud za erR zbfsS-et
Verification
aeA comck(fza) bfB ce comck(0zb)

46
Soundness

Imagine given A, B we get answers to e ? e
Verification gives us
aeA comck(fza) bfB ce comck(0zb)
aeA comck(fza) bfB ce comck(0zb)
Dividing the equations with each other gives us
ae-e comck(f-fza-za) bf-f ce-e
comck(0zb-zb)
Root extraction shows a contains u so
f-fu(e-e)
This means (buc-1)e-e is commitment to 0
Root extraction shows (buc-1) contains 0
If v is inside b this means c is a commitment to
uv

47
NIZK argument for committed valid vote

We want to prove a commitment c contains a vote
v ? 1,B,B2,...,BK-1
Let B p2 where p is prime then we want to
show v ? 1,p2,p4,...,p2(K-1)
Do this by committing to u, w and making a
trivial commitment with randomness 0 to pk-1 and
using two multiplication arguments to show uw
pK-1 and u2 v

48
Soundness

Suppose we prove that uw pK-1 then u
divides pk-1 so u ? ?1,?p,..., ?pK-1
If u ? ?1,?p,..., ?pK-1 and v u2 then
v ? 1,p2,..., p2(K-1) 1,B,...,BK-1

49
Goal achieved

The combined argument for C and c containing the
same message and c containing a valid vote costs
one ciphertext and a small constant number of
commitments
Since commitments are smaller and cheaper than
encryptions the single ciphertext may actually be
the most expensive part of the NIZK argument
This compares well to the O(K) ciphertexts used
in the straightforward NIZK argument

50
Encodings for complex elections

Encode vote as v1 v2B v3B2 ... vKBK-1
Limited vote (think of N as small) v1,v2,...,vK
? 0,1 and v1v2v3...vK N
Approval vote
v1,v2,...,vK ? 0,1
Divisible vote (think of N as large)
v1,v2,...,vK ? 0,...,N and v1v2v3...vK
N
Borda vote
v1,v2,...,vK is a permutation of 1,2,...,K

51
Approval vote

Want to show v1,v2,...,vK ? 0,1
Commit to v1,v2,...,vK
Show C and c1c2B...cKBK contain same message
Use multiplication arguments to show
v1(v1-1) 0 v2(v2-1) 0 ... vK(vK-1) 0
Some saving by using additive homomorphic
property to instead show
(v12-v1) (v22-v2) ... (vK2-vK) 0
Communication complexity 3K commitments
other stuff
Can reduce further to just K integers

Limited vote (NltK) v1,v2,...,vK ? 0,1 and
v1v2v3...vK N
Commit to w1Bi1-1, ..., wNBiN-1
Show C contains w1...wN
Commit to u1pi1-1, ..., uNpiN-1
Show w1 u12 , ... , wN uN2
Commit to t1pi2-i1-1, ..., tN-1piN-iN-1-1,
tNpK-iN-1
Use multiplication arguments to show
u2u1t1p, u3u2t2p, ..., uNuN-1tN-1p ,
pKuNtNp
Communication complexity 7K commitments
other stuff
Can reduce further to just 2K integers

53
Divisible vote

Divisible vote (N large)
v1,v2,...,vK ? 0,...,N and v1v2v3...vK
N
Commit to v1,v2,...,vK
Show C and c1c2B...cKBK contain same message
Positive vi can be written 4vi1
xi2yi2zi2Demonstrated using multiplication
arguments
Can use homomorphic property of commitment scheme
to show v1v2v3...vK N
Can get complexity down to 4K integers

54
Borda vote

Borda vote v1,v2,...,vK is a permutation of
1,2,...,K
Commit to v1,v2,...,vK
Show C and c1c2B...cKBK contain same message
Show v1,v2,...,vK is permutation of 1,2,...,K
Can be done with complexity O(K) using an NIZK
argument for shuffle of known messages

55
Complex elections

Single vote O(1) commitments
v1,v2,...,vK ? 0,1 and v1v2v3...vK 1
Limited vote (N small) O(N) integers v1,v2,...,vK
? 0,1 and v1v2v3...vK N
Approval vote O(K) integers
v1,v2,...,vK ? 0,1
Divisible vote (N large) O(K) integers
v1,v2,...,vK ? 0,...,N and v1v2v3...vK
N
Borda vote O(K) integers
v1,v2,...,vK is a permutation of 1,2,...,K

56
Elections based on homomorphic encryption

EPK(uR), ?
EPK(vS), ?
EPK(wT), ?
Voters Authorities

57
Correctness of result

Bulletin board guarantees that only registered
voters can vote and only vote once
NIZK arguments guarantee that valid votes are
encrypted and also that voters know their votes
The homomorphic property ensures that the product
of the encrypted votes contains the result
Correctness of the threshold decryption process
guarantees that the result is decrypted correctly

58
Privacy of votes

The NIZK arguments are indistinguishable from
simulated arguments (in the Random Oracle Model)
so they do not compromise the privacy
With simulated arguments for validity, the only
information about the votes is contained in the
ciphertexts. The security of the cryptosystem
guarantees that votes remain secret, except for
what can be deduced from the result

59
Ideal voting functionality
Secure private and authenticated channels
Ideal voting functionality On valid vote vi from
voter Vi store (vi,Vi) and ignore future inputs
from Vi When the election is over output the
result and halt
60
UC security of voting with homomorphic tallying

Running the homomorphic tallying protocol we have
discussed is equivalent to letting the voters use
the ideal voting functionality
Assumptions
Cryptographic assumptions, e.g., strong RSA,
Paillier,...
That a minority of authorities are corrupt
Bulleting board
...

61
Implications of UC security

Privacy
Ideal functionality only reveals the result
Accuracy
Ideal functionality computes result correctly
Impossible to copy votes
Ideally secure channels to ideal functionality
...

62
Limitations of UC security

UC model treats voters as honest or corrupt
Voter with hacked computer is corrupt and has no
security guarantees
Coerced voter using special inputs not specified
by the protocol is also corrupt and has no
security guarantees
UC model only concerns itself with security
Availability not guaranteed
...

63
Summary

Votes in certain types of elections can be
encoded such that they can be tallied
homomorphically
Limited, approval, divisible, Borda, ...
Need additively homomorphic cryptosystem with
large enough message space
Paillier, Okamoto-Uchiyama, ...
Using homomorphic integer commitments possible to
make the NIZK arguments for validity of the
encrypted vote very efficient
Same message argument, multiplication argument
Yields secure protocols
UC secure realization of ideal voting
functionality