1 / 64

More Techniques for Elections with Homomorphic Tallying

Learn about homomorphic encryption and its applications in elections. Discover various encoding techniques and cryptosystems to ensure secure and efficient voting.

irodriguez
Télécharger la présentation

More Techniques for Elections with Homomorphic Tallying

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. More Techniques for Elections with Homomorphic Tallying Jens Groth University College London

  2. Homomorphic encryption • Public key PK EPK(v; R) EPK(w; S) = EPK(v+w; RS) • Example: Exponent-ElGamal with public key (G,H) (GR,HRGv) (GS, HSGw) = (GR+S, HR+SGv+w)

  3. Elections based on homomorphic encryption Yes = 1, No = 0 EPK(0;R) EPK(1;S) EPK(1;T) Voters Authorities

  4. Homomorphic tallying Yes = 1, No = 0 PK public, SK shared EPK(0;R) Discard ineligible or double votes EPK(1;S) Compute and decrypt EPK(1;T) C1C2C3 = EPK(2;RST) to get the result Yes: 2, No: 1

  5. Complex elections • Many candidates • 1, 2, ..., K options • Many votes per voter • Limited vote: Can vote for fixed number of candidates • Approval vote: Can vote for any number of candidates • Divisible vote: Can distribute many votes between candidates (e.g. shareholder elections) • Borda vote: K votes to preferred candidate, K-1 votes to second choice, etc.

  6. Several candidates • Could encrypt votes for each candidate separately EPK(0;R1) EPK(1;R2) EPK(0;R3) EPK(0;R4) EPK(0;S1) EPK(0;S2) EPK(0;S3) EPK(1;S4) EPK(0;T1) EPK(1;T2) EPK(0;T3) EPK(0;T4) gives products EPK(0;U1) EPK(2;U2) EPK(0;U3) EPK(1;U4) decrypting to the result K1: 0 K2: 2 K3: 0 K4: 1 • Inefficient when there are many candidates

  7. Many candidates • Strict upper bound B on votes a candidate can get • Encrypted vote on candidate Ki EPK(Bi-1;R) • Example of tallying encrypted votesEPK(B2;R) EPK(B0;S) EPK(B2;T) EPK(B3;U) EPK(B2;V) = EPK(1+0B+2B2+2B3;RSTUV) decrypts to the result K1: 1, K2: 0, K3: 2, K4: 0, K5: 2

  8. Encoding votes when many candidates • Strict upper bound B on votes a candidate can get • Encoded vote on candidate Ki: Bi-1 • Sum of encoded votes Bi1-1 + Bi2-1 + Bi3-1 + Bi4-1 + Bi5-1 + ... + BiV-1 = t1 + t2B + t3B2 + t4B3 + t5B4 + ... + tKBK-1 encodes the result K1: t1 , K2: t2 , K3: t3 , K4: t4 , K5: t5 , ..., KK: tK

  9. Generalized encoding • Voter i encodes vote as vi = vi,1 + vi,2B + vi,3B2 + ... + vi,KBK-1 • Sum of encodes votes (v1,1+...+vV,1) + (v1,2+...+vV,2)B + (v1,3+...+vV,3)B2 + ... + (v1,K+...+vV,K)BK-1 = t1 + t2B + t3B2 + ... + tKBK-1

  10. Encodings for complex elections • Encode vote as v1+ v2B + v3B2 +...+ vKBK-1 • Limited vote v1,v2,...,vK {0,1} and v1+v2+v3+...+vK = N • Approval vote v1,v2,...,vK {0,1} • Divisible vote v1,v2,...,vK {0,...,N} and v1+v2+v3+...+vK = N • Borda vote v1,v2,...,vK is a permutation of 1,2,...,K

  11. Quality of encoding • Encoding a vote as multiple 0/1-votes is inefficient • How about encoding a vote as Bi-1? • Turns out is close to optimal when using homomorphic tallying • With T votes cast freely on K candidates the number of possible results is

  12. Quality of encoding • We have • Taking logarithms (base 2) we get • In comparison the size of our encoded result is at most

  13. Not too far from optimality of our encoding • Example:K = 100, T = 10000, B = 10001 • The optimal encoding of the result uses 0.7 kbits • Our encoding uses 1.3 kbits

  14. Problems with exponent-ElGamal • Suppose we have an encrypted result (GR,HRGResult) • Authorities can jointly decrypt to get GResult • But hard to compute discrete logarithm for complex elections since there are possible results and this is hard tobrute force search when K and T are large

  15. Cryptosystems • Will use cryptosystem with message space ZN • Must have N > TBK-1 to compute correct result • Must have efficient threshold decryption so the authorities can get the result out • There are various types of such cryptosystems such as Okamoto-Uchiyama, Paillier, ElGamal-Paillier and Damgård-Jurik encryption

  16. Paillier encryption • Public key N=PQ=(2p+1)(2q+1) • Secret key d satisfying d=1 mod N, d=0 mod 4pq • Encrypt vote v  ZNusing randomness R  ZN* C = (1+N)vRN mod N2 • Decrypt by computing v = (Cd-1 mod N2)/N

  17. Correct decryption • Public key N=PQ=(2p+1)(2q+1) • Secret key d satisfying d=1 mod N, d=0 mod 4pq • The multiplicative group ZN2* has size 4Npq • We also have (1+N)N = 1 + N·N + ... ≡ 1 mod N2 • Correctness Cd = ((1+N)vRN)d = (1+N)vd RNd • = (1+N)vd R4Npqk ≡ (1+N)v mod N2 • (1+N)v = 1+vN+ N2+... ≡ 1+vN mod N2 • (Cd-1 mod N2)/N = v

  18. Homomorphic • Public key N=PQ=(2p+1)(2q+1) • Encrypt vote v  ZNusing randomness R  ZN* C = (1+N)vRN mod N2 • Homomorphic (1+N)vRN · (1+N)wSN • ≡ (1+N)v+w(RS)N mod N2

  19. Homomorphic cryptosystem • Public key PK • Secret key SK shared between authorities • Message space ZN • Homomorphic EPK(v;R) EPK(w;S) = EPK(v+w mod N;RS) • Root extraction: Given (e,w,S) such that Ce = EPK(w;S) possible to extract (v,R) such that C = EPK(v;R)

  20. Elections based on homomorphic encryption EPK(u;R) EPK(v;S) EPK(w;T) Voters Authorities

  21. Attacks • The voting scheme described so far is insecure • Attacks on correctness: • Submit vote of the form EPK(100B-99B2;R) • Corresponds to voting for K2 and additionally taking 99 votes from K3 and giving them to K2 • Attacks on anonymity: • If voter i submits C as the encrypted vote another voter may copy the vote by submitting C·EPK(0;R) • If K3 only gets 1 vote, then we learn the voter did not vote for K3

  22. Countering the attacks • Will use non-interactive zero-knowledge arguments of knowledge for validity of the vote • The voter submits (C,) • The NIZK argument  guarantees that the voter knows the plaintext and that the plaintext is a valid vote • The NIZK argument does not reveal the vote

  23. Zero-knowledge argument Accept/Reject Statement: C contains a valid vote Prover Verifier a e z

  24. Zero-knowledge argument • Complete: • An honest voter who encrypted a valid vote can convince the verifier • Sound: • Infeasible to find an argument convincing the verifier if the ciphertext does not encrypt a valid vote • Zero-knowledge: • The proof only reveals that the vote is valid, it does not reveal anything else. In particular, the actual vote remains secret

  25. Non-interactive ZK argument Accept/Reject Statement: C contains a valid vote Prover Verifier 

  26. Advantages of non-interactivity • Voters do not need to interact with verifiers and do not need to keep state during interaction • Election authorities do not need to coordinate which challenges to send to the voters • Can be publicly verifiable so anybody, including neutral third parties, can verify validity of all votes

  27. Fiat-Shamir heuristic • An argument is public coin if the verifier just sends uniformly random challenges to the prover • In the Fiat-Shamir heuristic the prover uses a cryptographic hash-function to compute the challenges instead of asking the verifier • Example:A three round argument as described before gives an NIZK argument looking like this = (a,e,z) where e=Hash(C,a)

  28. Example: C contains 0 • Common input: PK, C • Prover knows R such that C = EPK(0;R) • Initial message: P  V: A = EPK(0;S) • Challenge: P  V: e R {0,...,2k-1} • Answer:P  V: Z = ReS • Verification: Accept if CeA = EPK(0;Z)

  29. Completeness • An honest prover uses C = EPK(0;R) A = EPK(0;S) Z = ReS • This gives usCeA = EPK(0,R)eEPK(0;S) = EPK(0;ReS) = EPK(0;Z) • An honest verifier always accepts an argument made by an honest prover

  30. Soundness • We will show the prover has at most 2-k probability of cheating the verifier into falsely believing that C contains 0 when it does not • If for instance k = 256, then this is a negligible probability of 2-256 for cheating the verifier • Suppose for contradiction that there is a prover that has more than 2-k chance of fooling the verifier after having produced some C and A • This implies there are at least two challenges e and e’ that can be used in a convincing argument

  31. Soundness • This means there exists Z and Z’ such that CeA = EPK(0;Z) and Ce’A = EPK(0;Z’) • Dividing the equalities with each other gives us Ce-e’ = EPK(0;Z/Z’) • The root extraction property gives an opening (w,R) such that C = EPK(w;R) • The equation above gives us (e-e’)w ≡ 0 mod N • Assuming gcd(e-e’,N)=1 we get w=0

  32. Honest verifier zero-knowledge • The verifier could simulate the argument without knowing anything about C except that it contains 0 • Simulation: Pick e and Z at random Compute A = EPK(0;Z)C-e • Compare real argument and simulated argument • In both types of arguments e and Z are random • Given PK, C, e, Z the verification equation CeA = EPK(0;Z) uniquely determines A • So they have identical distributions • Since the verifier could simulate the argument itself she gains zero knowledge from the real argument

  33. Non-interactive argument for C containing 0 • Fiat-Shamir heuristic conversion = (A,Z) where A = EPK(0;S) and Z=RHash(C,a)S • Verifier computes e = Hash(C,a) and accepts the argument if CeA = EPK(0;Z)

  34. Security in the random oracle model • The Fiat-Shamir heuristic yields secure NIZK arguments in the random oracle model, where the hash-function is modelled as a random function • In the random oracle model the challenge e = Hash(C,a) is random, which gives us soundness as in the interactive setting • In the random oracle model, we can pick the challenge e first and then associate it with (C,a), which still gives us a random function and also gives us zero-knowledge

  35. The random oracle model • The random oracle model captures the intuition that cryptographic functions are complex and the adversary may not gain more than if the function was truly random • There are “artificial” counter-examples where the random oracle model yields insecure protocols • We hope the Fiat-Shamir heuristic yields sound protocols for “natural” arguments

  36. Argument for C containing 0 or 1 • Common input: PK, C • Prover’s input: C = EPK(v;R) where v{0,1} • Strategy: C0 = C or C1 = C·EPK(-1;1) contains 0 • Initial message: Simulate (A1-v,e1-v,Z1-v) for C1-v containing 0 Give initial message Av = EPK(0;S) • Challenge: e R {0,...,2k-1} • Answer: Split e = e0 + e1 and set Zv = RevS • Verification: C0e0A0=EPK(0;Z0) C1e1A1=EPK(0;Z1)

  37. Soundness • Corresponds to running two 0-arguments in parallel for respectively C and C·EPK(-1;1) • At least one of them is not 0. By the soundness of the 0-argument the initial message A1-v has exactly one challenge e1-v that can be answered • When picking e random the split e = e0+e1 therefore uniquely defines ev, which is random • The soundness of the 0-argument therefore implies Cv contains 0

  38. Complexity • Consider the case with K candidates • We can prove v=1 or v=B or v=B2 or ... or v=BK-1 • But the argument has complexity O(K) ciphertexts, which is expensive when K is large • Goal: Efficient argument with O(1) complexity for encryption of valid vote

  39. Homomorphic integer commitments • Commitment key: ck • Commitment: c = comck(m;r) • Opening: (m,r) • Messages and randomizers in Z • Homomorphic comck(v;r)·comck(w;s) = comck(v+w;r+s) • Root extraction

  40. Homomorphic integer commitment • Hiding: The committed value is secret • Information-theoretically hidden • Binding: Not possible to open a commitment to two different values • Information-theoretically commitments can be opened to an infinite number of integers, but there is negligible probability for a computationally bounded committer to guess or compute two openings to different integers

  41. Example • Let N = PQ = (2p+1)(2q+1) • Let g,h be two elements in QRN • Commitment key: ck = (N,g,h) • Commitment: comck(v;r) = gvhr mod N • Homomorphic gvhr gwhs ≡ gv+whr+s mod N • Hidden order pq, so cannot reduce v+w mod pq, which is what makes it an integer commitment • Secure under the strong RSA assumption

  42. NIZK arguments for complex votes • Strategy: • Prove ciphertext C and commitment c contain the same message • Prove c is a commitment to a valid vote • Advantage: • Commitments are smaller • Commitments contain integers • Can use unique factorization and other properties of integers

  43. Argument for same message • Common input: ck, PK, c, C • Prover’s input: c = comck(v;r) C = EPK(v;R) • Initial message a = comck(d;s) A = EPK(d;S) • Challenge: e R {0,...,2k-1} • Answer: f = ev+d z = er+s Z = ReS • Verification: cea = comck(f;z) CeA = EPK(f;Z)

  44. Soundness • Answers to two challenges e ≠ e’ gives us cea = comck(f;z) CeA = EPK(f;Z) ce’a = comck(f’;z’) Ce’A = EPK(f’;Z’) • Giving us ce’-e = comck(f’-f;z’-z) Ce’-e = EPK(f’-f;Z’/Z) • The second equality shows f’-f ≡ (e’-e)v mod N • The root extraction property of the commitments shows f’-f = (e-e’)v’ • We have v’ ≡ v mod N (assuming gcd(e-e’,N)=1) • With 0 ≤ v’ < N (shown later) we get v’ = v

  45. Multiplication argument • Common input: ck, a, b, c • Prover’s input: a=comck(u;r) b=comck(v;s) c=comck(uv;t) • Initial message: A=comck(d;R) B=comck(-dv;S) • Challenge: e R {0,...,2k-1} • Answer: f = eu+d za = er+R zb=fs+S-et • Verification: aeA = comck(f;za) bfB = ce · comck(0;zb)

  46. Soundness • Imagine given A, B we get answers to e ≠ e’ • Verification gives us aeA = comck(f;za) bfB = ce · comck(0;zb) ae’A = comck(f’;za’) bf’B = ce’ · comck(0;zb’) • Dividing the equations with each other gives us ae-e’ = comck(f-f’;za-za’) bf-f’ = ce-e’ · comck(0;zb-zb’) • Root extraction shows a contains u so f-f’=u(e-e’) • This means (buc-1)e-e’ is commitment to 0 • Root extraction shows (buc-1) contains 0 • If v is inside b this means c is a commitment to uv

  47. NIZK argument for committed valid vote • We want to prove a commitment c contains a vote v  {1,B,B2,...,BK-1} • Let B = p2 where p is prime then we want to show v {1,p2,p4,...,p2(K-1)} • Do this by committing to u, w and making a trivial commitment with randomness 0 to pk-1 and using two multiplication arguments to show uw = pK-1 and u2 = v

  48. Soundness • Suppose we prove that uw = pK-1then u divides pk-1 so u  {1,p,..., pK-1} • If u  {1,p,..., pK-1} and v = u2then v  {1,p2,..., p2(K-1)} = {1,B,...,BK-1}

  49. Goal achieved • The combined argument for C and c containing the same message and c containing a valid vote costs one ciphertext and a small constant number of commitments • Since commitments are smaller and cheaper than encryptions the single ciphertext may actually be the most expensive part of the NIZK argument • This compares well to the O(K) ciphertexts used in the straightforward NIZK argument

  50. Encodings for complex elections • Encode vote as v1+ v2B + v3B2 +...+ vKBK-1 • Limited vote (think of N as small) v1,v2,...,vK {0,1} and v1+v2+v3+...+vK = N • Approval vote v1,v2,...,vK {0,1} • Divisible vote (think of N as large) v1,v2,...,vK {0,...,N} and v1+v2+v3+...+vK = N • Borda vote v1,v2,...,vK is a permutation of 1,2,...,K

More Related