This talk was presented for the Cryptographic Protocol course at the University of Salerno. It is about the hardness of online voting protocols. Other than describing the issues that need to be addressed while designing a voting protocol, it focuses on a web-based application: Helios 1.0.
Feedback is welcome! If you get inspired by this presentation, please let me know and add credits to your work ;)
2-3. Talk overview
1. Voting protocols: a big picture
2. What makes voting so hard
3. Cryptographic primitives
4. Voting with Helios
5. Helios: Security model and Threats
[Figure: the five parts placed on a Complexity vs Time chart]
7-8. Voting Protocols: A Big Picture
VOTING PROCESS
1. Setup
2. Ballot Preparation
3. Ballot Recording
4. Anonymization & Aggregation: publicly-verifiable shuffling, with intermediate results posted on the bulletin board
5. Results: election officials cooperate to produce a plaintext tally for each race (with publicly-verifiable proofs)
15-18. Verifiability vs Secrecy
Verifiability:
- Verify the entire process: own vote properly counted
- Enough information to personally verify own vote
Secrecy:
- Vote selling becomes a threat
- But not so much information to convince the coercer
- Tell the truth or lie: the coercer cannot tell the difference
26-28. Auditing Process
[Figure: voters Alice, Bob and Carl post their ballots to the Bulletin Board; helpers perform the Intermediate Computation (anonymizing mixnet) and the Tally on the Bulletin Board, producing the RESULTS. Labels: Ballot Casting Assurance, Universal Verifiability, Ballot Verification]
Anyone can verify the proper processing of the bulletin board data.
PROPERTIES
An authenticated bulletin board is used, where the voter's identity and the ciphertext of the relative ballot are published. All observers can check that only eligible voters cast a ballot.
Two properties:
- End-to-end verification: typical voting security analyses distinguish the properties cast as intended and recorded as cast.
- Direct verification: Alice, the voter, should get direct and immediate verification that her vote was correctly recorded.
29-30. Talk overview
1. Voting protocols: a big picture
2. What makes voting so hard
3. Cryptographic primitives: ElGamal, DDH Assumption, Chaum-Pedersen Protocol, Zero Knowledge Proofs, Mixnet
4. Voting with Helios
5. Helios: Security model and Threats
[Figure: the five parts placed on a Complexity vs Time chart]
32. Cryptographic Primitives
INTERACTIVE ZERO KNOWLEDGE PROOF
In an interactive zero knowledge proof, a prover P interacts with a verifier V to demonstrate the validity of an assertion without revealing anything beyond the validity of the assertion to the verifier V. (Ref. 4)
37. Cryptographic Primitives
INTERACTIVE ZERO KNOWLEDGE PROOF - HONEST VERIFIER
An Honest-Verifier Zero-Knowledge (HVZK) proof is a variation of ZK in which the verifier V is expected to behave according to the protocol.
46-48. Cryptographic Primitives
EL GAMAL ENCRYPTION SCHEME - key generation
Receiver:
- large prime p = 2q+1 with q also prime
- generator g of the q-order subgroup of ℤ_p*
- K_priv: d in ℤ_q
- K_pub: e = g^d mod p
Receiver → Sender: (e, g, p)
52-53. Cryptographic Primitives
EL GAMAL ENCRYPTION SCHEME - encryption
Sender:
- chooses r in ℤ_q
- K_E = g^r mod p
- K_M = e^r mod p
- chooses m in the q-order subgroup of ℤ_p*
- c = (K_E, m·K_M)
55-56. Cryptographic Primitives
EL GAMAL ENCRYPTION SCHEME - decryption
Receiver: let c be the received ciphertext
- K_M = K_E^d mod p = g^{rd} mod p
- m = K_E^{-d} · m K_M = g^{-dr} · m · g^{rd} = g^{rd-dr} · m = g^0 · m
57. Cryptographic Primitives
EL GAMAL ENCRYPTION SCHEME - re-encryption
Recall: K_pub e = g^d mod p, c = (K_E, m K_M), K_E = g^r mod p, K_M = e^r mod p
Re-encryption: choose s in ℤ_q, c' = (g^s · K_E, e^s · m K_M)
Decryption: c' decrypts using randomness s+r
59. DDH Assumption
WHAT IS IT?
Computational hardness assumption
about a certain problem involving discrete
logarithms in cyclic groups.
Used to prove the security of many
cryptographic protocols (e.g. ElGamal!!!)
60. DDH Assumption
INFORMAL DEFINITION
Consider a (multiplicative) cyclic group G of order q, with generator g.
The DDH assumption states that, given g^a and g^b for uniformly and independently chosen a, b in ℤ_q, the value g^{ab} is indistinguishable from a random element in G.
61. DDH Assumption
FORMAL DEFINITION
Consider a (multiplicative) cyclic group G of order q, with generator g.
The following two probability distributions are computationally indistinguishable (in the security parameter q):
- (g^a, g^b, g^{ab}) where a, b are randomly and independently chosen in ℤ_q
- (g^a, g^b, g^c) where a, b, c are randomly and independently chosen in ℤ_q
62-63. DDH Assumption
DISCRETE LOG ASSUMPTION
DDH is stronger than discrete log: detecting DDH tuples can be easy where DL is still believed to be hard, so requiring the DDH assumption is a more restrictive requirement.
The DDH assumption does not hold for all groups. If it holds for a certain group G, then the El Gamal encryption scheme is IND-CPA secure.
71. Cryptographic Primitives
CHAUMIAN MIXNET
Design Principle 1 (Encrypted Onion)
A plaintext is repeatedly wrapped using a
different public key and random padding at
every layer. Each layer is unwrapped by the
corresponding mix server.
Ref. 39-thesis
77-78. Cryptographic Primitives
PARK ET AL. REENCRYPTION MIXNET
[Figure: l mix servers M_1, ..., M_i, ..., M_l in sequence; the input batch C_{0,1}, ..., C_{0,n} enters M_1 and each M_i outputs C_{i,1}, ..., C_{i,n}]
Computation parameters: a prime p and the factorization of p-1; g a generator of ℤ_p*.
M_i generates sk_i = x_i ← ℤ*_{p-1} and pk_i = y_i = g^{x_i} mod p.
Consider the mixnet's joint public key: PK = ∏_{i=1}^{l} pk_i = g^{Σ_{i=1}^{l} x_i}
The input is c_{0,i} = E_PK(m) and each mix server re-encrypts its input with fresh randomness.
The final output is then jointly decrypted by the mix servers (El Gamal shared decryption).
79-84. Cryptographic Primitives
PARK ET AL. REENCRYPTION MIXNET - VARIATION
[Figure: same diagram as above]
Partial Decryption (PD): re-encryption and decryption are performed simultaneously; the mix servers perform PD at each re-encryption stage.
Consider the joint public key starting from M_i: PK_i = ∏_{i'=i}^{l} pk_{i'} = g^{Σ_{i'=i}^{l} x_{i'}}
PK_1 = PK, the joint public key of all mix servers; PK_l = pk_l, since M_l is the last mix server.
M_i transforms C_{i-1,j} = (α_{i-1}, β_{i-1}) under PK_i into c_{i,j} under PK_{i+1} (the joint PK of the remaining mix servers):
PD_{sk_i}(c) = (α, β · α^{-x_i}), so that PD_{sk_i}(E_{PK_i}(m)) = E_{PK_{i+1}}(m)
c_{i,j} = RE_{PK_{i+1}}(PD_{sk_i}(c_{i-1,j}), r_{i,j})
86-87. Cryptographic Primitives
MIXNET SECURITY LEVEL
In its first conception, the ElGamal scheme was not semantically secure.
Pfitzmann solution: p safe prime, g generator of a q-order subgroup of ℤ_p* and m ∈ ⟨g⟩ (the presented ElGamal scheme).
Moreover, non-malleability is a required property.
Solution: inputs are made non-malleable, including, for example, redundancy.
89. Cryptographic Primitives
SAKO KILIAN
What's new in the Sako-Kilian mixnet?
- proof of correct re-encryption and shuffling
- proof of correct partial decryption: PD_{sk_i}(c_{i,j}) is published
91. Cryptographic Primitives
SAKO KILIAN - PROOF OF CORRECT RANDOMIZATION VALUES BY HVZK
Let π and (r_j) be the permutation and randomization values used by a certain mix server.
Secondary shuffle output: generated by re-encrypting and shuffling with a new permutation λ and a list of randomization values (t_j).
The verifier can then challenge the mix server to reveal either (λ, (t_j)) or (λπ^{-1}, (r_j - t_j)).
50% soundness: a cheating mix server survives one challenge with probability 1/2.
93-95. Cryptographic Primitives
SAKO KILIAN - PROOF OF CORRECT PARTIAL DECRYPTION
A decrypted ElGamal ciphertext can be proved correct using the Chaum-Pedersen protocol.
Given a ciphertext c = (α, β) and the claimed m, the prover shows that PD(c) = (α', β') yields β/β' = α^{x_i}, where x_i is the secret key of M_i.
The mix server must then prove that (g, y, α, β/β') forms a DDH tuple.
96. Cryptographic Primitives
CHAUM-PEDERSEN APPLIED TO MIXNET
Demonstrate that (g, y, w, u) = (g, g^x, g^r, g^{rx}) is a DDH tuple.
P: chooses s ∈ ℤ_q and sends (α, β) = (g^s, y^s)
V: sends the challenge c ∈ ℤ_q
P: sends t = s + c·r
V: accepts iff g^t = α · w^c and y^t = β · u^c
97-99. Cryptographic Primitives
CHAUM-PEDERSEN APPLIED TO MIXNET
Let c = (α, β), c' = (α', β'), y the PK, c' obtained from c by partial decryption, x the private key.
Demonstrate that (g, y, w, u) = (g, y, α, β/β') is a DDH tuple, i.e. log_g(y) = log_α(β/β') = x.
P: chooses s ∈ ℤ_q and sends (α'', β'') = (g^s, α^s)
V: sends the challenge c ∈ ℤ_q
P: sends t = s + c·x
V: accepts iff g^t = α'' · y^c and α^t = β'' · (β/β')^c
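The partial-decryption proof of slides 93-99 as an added Python example (not code from the talk or from Helios): a constructed toy group (p = 2039, g = 4, not secure) and a Fiat-Shamir hash challenge in place of the interactive verifier. The commitment is (g^s, α^s) and the checks are g^t = α''·y^c and α^t = β''·(β/β')^c, the form that verifies log_g(y) = log_α(β/β') as stated on slide 151.

```python
import hashlib
import secrets

# Constructed toy group (NOT secure): safe prime p = 2q+1, g = 4 generating
# the q-order subgroup of Z_p^*, as on the ElGamal slides.
Q = 1019
P = 2 * Q + 1
G = 4

def partial_decrypt(x, c):
    """PD_sk_i(c) = (alpha, beta * alpha^{-x_i})."""
    a, b = c
    return (a, b * pow(a, -x, P) % P)

def challenge(y, a, ratio, a2, b2):
    """Fiat-Shamir challenge in [1, q-1] from the statement and the commitment."""
    h = hashlib.sha256(repr((y, a, ratio, a2, b2)).encode()).digest()
    return 1 + int.from_bytes(h, "big") % (Q - 1)

def prove_pd(x, y, c, c_pd, s=None):
    """Prover M_i: show log_g(y) = log_alpha(beta/beta') = x_i.
    Commitment (alpha'', beta'') = (g^s, alpha^s), response t = s + c*x."""
    a, b = c
    ratio = b * pow(c_pd[1], -1, P) % P          # beta/beta' (= alpha^x if honest)
    s = secrets.randbelow(Q) if s is None else s
    a2, b2 = pow(G, s, P), pow(a, s, P)
    ch = challenge(y, a, ratio, a2, b2)
    return (a2, b2, (s + ch * x) % Q)

def verify_pd(y, c, c_pd, proof):
    """Verifier: alpha unchanged, g^t = alpha'' y^c and alpha^t = beta'' (beta/beta')^c."""
    a, b = c
    a_pd, b_pd = c_pd
    if a_pd != a:                                # PD never changes alpha
        return False
    ratio = b * pow(b_pd, -1, P) % P
    a2, b2, t = proof
    ch = challenge(y, a, ratio, a2, b2)
    return (pow(G, t, P) == a2 * pow(y, ch, P) % P
            and pow(a, t, P) == b2 * pow(ratio, ch, P) % P)

def demo(x=55, m=49, r=123):
    """Constructed run: encrypt m under y = g^x, partially decrypt, prove it."""
    y = pow(G, x, P)
    c = (pow(G, r, P), m * pow(y, r, P) % P)
    c_pd = partial_decrypt(x, c)
    return y, c, c_pd, prove_pd(x, y, c, c_pd)
```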
103. Voting with Helios
HELIOS – MAIN GOALS
Open-Audit
Ballot Casting Assurance
Unconditional Integrity
Unconditional Privacy
Universal Verifiability
Usability
Web-Based
Educate about Coercion
Low Coercion Elections
104. Voting with Helios
HELIOS – BULLETIN BOARD OF VOTES
Bulletin Board publicly available
run by a single server
integrity ensured if enough voters
check their votes
106-111. Voting with Helios
HELIOS - THE WHOLE PROCESS
1. Alice prepares and audits as many ballots as she wants, ensuring that all of the audited ballots are consistent.
2. The Helios Bulletin Board posts Alice's name and encrypted ballot.
3. Election closes: Helios shuffles all ballots and produces a Non-Interactive Proof of correct shuffling (with overwhelming probability).
4. After a reasonable complaint period to let auditors check the shuffling, Helios decrypts all shuffled ballots, provides a decryption proof for each and performs the tally.
5. An auditor can download the entire election data and verify shuffle, decryption and tally.
The bulletin board performs its own independent shuffle and decryption (with relative proofs) if an election is made up of more than one race.
112. Voting with Helios
SAKO KILIAN - INCREASING ASSURANCE OF INTEGRITY
Cut and Choose technique: t shadow mixes, challenge with t bits; the mixnet is correct with probability 1 - 2^{-t}.
113. Voting with Helios
SAKO KILIAN - PROOF OF CORRECT SHUFFLING AND DECRYPTION
There are many verifiers, and it is not suitable to have a heavy computation for each of them.
The HVZK proof previously described is transformed into a NIZK Proof using the Fiat-Shamir heuristic.
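The Sako-Kilian cut-and-choose shuffle proof of slides 91 and 112-113 as an added Python example (not the talk's or Helios' code): t shadow shuffles, t challenge bits from a transcript hash (Fiat-Shamir), and one opening per bit, either (λ, (t_j)) or (λπ^{-1}, (r_j - t_j)). The toy group, the election key d = 77 and the hashing of a repr() transcript are constructed simplifications.

```python
import hashlib
import secrets

# Constructed toy parameters (NOT secure): safe prime p = 2q+1, g = 4 generates
# the q-order subgroup of Z_p^*; e = g^d is the election public key.
Q, G = 1019, 4
P = 2 * Q + 1
E = pow(G, 77, P)        # constructed key; the mix server never needs d = 77

def reencrypt(c, s):
    """RE_e(c, s) = (g^s * K_E, e^s * m K_M), as on slide 57."""
    return (pow(G, s, P) * c[0] % P, pow(E, s, P) * c[1] % P)

def shuffle(cs, perm, rs):
    """Re-encrypt cs[j] with rs[j] and move it to position perm[j]."""
    out = [None] * len(cs)
    for j, c in enumerate(cs):
        out[perm[j]] = reencrypt(c, rs[j])
    return out

def fresh_secrets(n):
    """A random permutation and randomization values for one shuffle."""
    perm = list(range(n))
    secrets.SystemRandom().shuffle(perm)
    return perm, [secrets.randbelow(Q) for _ in range(n)]

def compose(pi, rs, lam, ts):
    """Opening (lam pi^-1, (r_j - t_j)): carries the shadow output onto the real one."""
    sigma, us = [0] * len(pi), [0] * len(pi)
    for j in range(len(pi)):
        sigma[lam[j]] = pi[j]                 # shadow slot of input j -> real slot
        us[lam[j]] = (rs[j] - ts[j]) % Q
    return sigma, us

def challenge_bits(inputs, output, shadows):
    """Fiat-Shamir (slide 113): the t challenge bits come from a transcript hash."""
    h = hashlib.sha256(repr((inputs, output, shadows)).encode()).digest()
    return [(h[k // 8] >> (k % 8)) & 1 for k in range(len(shadows))]

def prove_shuffle(inputs, pi, rs, t, output=None):
    """Mix server: publish the output, t shadow shuffles and one opening per bit."""
    output = shuffle(inputs, pi, rs) if output is None else output
    shadows, keys = [], []
    for _ in range(t):
        lam, ts = fresh_secrets(len(inputs))
        shadows.append(shuffle(inputs, lam, ts))
        keys.append((lam, ts))
    bits = challenge_bits(inputs, output, shadows)
    openings = [(lam, ts) if b == 0 else compose(pi, rs, lam, ts)
                for b, (lam, ts) in zip(bits, keys)]
    return output, shadows, openings

def verify_shuffle(inputs, output, shadows, openings):
    """Bit 0: shadow re-shuffles the inputs; bit 1: shadow re-shuffles onto the output."""
    if not shadows or len(shadows) != len(openings):
        return False
    bits = challenge_bits(inputs, output, shadows)
    for b, sh, (perm, rs) in zip(bits, shadows, openings):
        if b == 0 and shuffle(inputs, perm, rs) != sh:
            return False
        if b == 1 and shuffle(sh, perm, rs) != output:   # a wrong output fails here
            return False
    return True

def sample_ballots(n=4):
    """Constructed encrypted ballots: squares mod p lie in the q-order subgroup."""
    return [(pow(G, r, P), pow(E, r, P) * pow(v, 2, P) % P)
            for v, r in zip(range(2, 2 + n), range(11, 11 + n))]
```

A mix that publishes an output it did not produce from the inputs survives only when every one of the t challenge bits is 0, i.e. with probability 2^{-t}.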
114-116. Voting Protocols: A Big Picture
SUMMARIZING HELIOS' VOTING PROCESS
1. Election Creation: registered users can create elections
- Ballot Setup: election name, start and end dates
- Voters Management: add or remove voters
- Freeze Election: ElGamal keypair is generated and the election starts
2. Voting
- Fill in the ballot: Alice chooses a candidate
- Sealing: the vote is encrypted and the ciphertext's hash is shown
- Audit: Helios returns the randomness (verification via own code or Ballot Encryption Verification)
- Cast: Helios discards plaintext and randomness. Alice, after logging in, receives a confirmation of her vote and its SHA1
3. Anonymization: Shuffle, Shuffle Proof, Decrypt Proof, Tally
123. Auditing is crucial!
Helios ensures that if a large majority of voters
verifies their vote, then the outcome is correct
124. Present / Future
Present: first publicly available web-based implementation. It focuses on trustworthy elections without the overhead of coercion-freeness.
Future: support for other types of elections; distributed shuffling and decryption; improving authentication.
125-126. References
1. Ben Adida. Advances in Cryptographic Voting Systems. PhD thesis, August 2006. http://assets.adida.net/research/phd-thesis.pdf
2. Lucie Langer, Axel Schmidt, Johannes Buchmann, and Melanie Volkamer. A Taxonomy Refining the Security Requirements for Electronic Voting: Analyzing Helios as a Proof of Concept. In Fifth International Conference on Availability, Reliability and Security (ARES), pages 475–480. IEEE Computer Society, 2010.
3. Ben Adida. Helios: Web-based Open-Audit Voting. In SS'08: Proceedings of the 17th USENIX Security Symposium, pages 335–348. USENIX Association, 2008.
4. Laure Fouard, Mathilde Duclos, and Pascal Lafourcade. Survey on Electronic Voting Schemes. Supported by the ANR project AVOTÉ, 2007.
5. Choonsik Park, Kazutomo Itoh, and Kaoru Kurosawa. Efficient Anonymous Channel and All/Nothing Election Scheme. In Tor Helleseth, editor, EUROCRYPT, volume 765 of Lecture Notes in Computer Science, pages 248–259. Springer, 1994.
6. K. Sampigethaya and R. Poovendran. A Survey on Mix Networks and Their Secure Applications. Proceedings of the IEEE, vol. 94, no. 12, pages 2142–2181, December 2006. doi:10.1109/JPROC.2006.889687
7. Manuel Blum, Alfredo De Santis, Silvio Micali, and Giuseppe Persiano. Noninteractive Zero-Knowledge. 1991.
8. David Chaum and Torben P. Pedersen. Wallet Databases with Observers. In Ernest F. Brickell, editor, CRYPTO, volume 740 of Lecture Notes in Computer Science, pages 89–105. Springer, 1992.
9. Amos Fiat and Adi Shamir. How to Prove Yourself: Practical Solutions to Identification and Signature Problems. In Andrew M. Odlyzko, editor, CRYPTO, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer, 1986.
10. Kazue Sako and Joe Kilian. Receipt-Free Mix-Type Voting Scheme: A Practical Solution to the Implementation of a Voting Booth. In EUROCRYPT, pages 393–403, 1995.
127. Credits
Thanks to all users that published their pictures under Creative Commons:
1. http://www.flickr.com/photos/71167649@N03/6435866935/
2. http://www.flickr.com/photos/citizen_poeta/1446906402/sizes/z/in/photostream/
3. http://kwicsys.com/wp-content/uploads/2012/10/Free-HD-Twins-Cherry-Wallpapers.jpg
I also want to thank Jon Froehlich: I was inspired by his presentations' design.
148-150. Cryptographic Primitives
EL GAMAL ENCRYPTION SCHEME - decryption proof for a re-encrypted ciphertext
Recall: K_pub e = g^d mod p, c = (K_E, m K_M), K_E = g^r mod p, K_M = e^r mod p
Re-encryption: c' = (g^s · K_E, e^s · m K_M) = (K'_E, m K'_M)
K'_E = g^s · K_E = g^s · g^r = g^{s+r} mod p, hence K'_M = K'_E^d mod p = g^{(s+r)d} mod p
Decryption: m = K'_E^{-d} · m K'_M = g^{(s+r)(-d)} · m · g^{(s+r)d} = g^{(s+r)(-d) + (s+r)d} · m = g^{(d-d)(s+r)} · m
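An added Python check of the ElGamal slides (46-57), of the re-encryption derivation above (148-150) and of the Park et al. partial-decryption mixnet (77-84); this is not code from the talk or from Helios. The parameters are a constructed toy safe prime p = 2039 with g = 4 (not secure), and votes are encoded as squares mod p so that they lie in the q-order subgroup as the slides require.

```python
import secrets

# Constructed toy parameters (NOT secure, illustration only): safe prime
# p = 2q+1 with q prime, and g = 4 = 2^2 generating the q-order subgroup
# of Z_p^* (the quadratic residues), as on the ElGamal slides.
Q = 1019
P = 2 * Q + 1
G = 4

def keygen(d=None):
    """Receiver: Kpriv d in Z_q, Kpub e = g^d mod p."""
    d = secrets.randbelow(Q - 1) + 1 if d is None else d
    return d, pow(G, d, P)

def encrypt(e, m, r=None):
    """c = (K_E, m*K_M) with K_E = g^r, K_M = e^r; m must lie in <g>."""
    r = secrets.randbelow(Q) if r is None else r
    return (pow(G, r, P), m * pow(e, r, P) % P)

def decrypt(d, c):
    """m = K_E^{-d} * m*K_M, since K_E^d = g^{rd} = K_M."""
    ke, mkm = c
    return mkm * pow(ke, -d, P) % P

def reencrypt(e, c, s=None):
    """c' = (g^s*K_E, e^s*m*K_M): same plaintext under randomness s+r."""
    s = secrets.randbelow(Q) if s is None else s
    ke, mkm = c
    return (pow(G, s, P) * ke % P, pow(e, s, P) * mkm % P)

def partial_decrypt(x, c):
    """PD_sk_i(c) = (alpha, beta * alpha^{-x_i}): strips M_i's key share."""
    a, b = c
    return (a, b * pow(a, -x, P) % P)

def joint_key(secret_keys):
    """PK_i = prod pk_i' = g^{sum x_i'} over the listed servers (1 if none)."""
    pk = 1
    for x in secret_keys:
        pk = pk * pow(G, x, P) % P
    return pk

def mixnet_variation(inputs, secret_keys):
    """Park et al. variation: M_i partially decrypts under sk_i, re-encrypts
    under PK_{i+1} (joint key of the remaining servers) and shuffles.
    After M_l, PK_{l+1} = 1, so the beta components are the plaintexts."""
    cs = list(inputs)
    for i, x in enumerate(secret_keys):
        pk_next = joint_key(secret_keys[i + 1:])
        cs = [reencrypt(pk_next, partial_decrypt(x, c)) for c in cs]
        secrets.SystemRandom().shuffle(cs)        # the permutation of M_i
    return sorted(b for _, b in cs)

def encode_vote(v):
    """Constructed encoding: squares mod p lie in the q-order subgroup."""
    return pow(v + 2, 2, P)
```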
151. Cryptographic Primitives
SAKO KILIAN - PROOF OF CORRECT PARTIAL DECRYPTION
A decrypted ElGamal ciphertext can be proved correct using the Chaum-Pedersen protocol.
Given a ciphertext c = (α, β) and the claimed m, the prover shows that PD(c) = (α', β') yields β/β' = α^{x_i}.
The mix server must then prove that (g, y, α, β/β') forms a DDH tuple, meaning that:
log_g(y) = log_α(β/β') mod p.