Hardness of Online Voting

Online VotingGiuliana Carullo
Cryptographic Protocols Course
University of Salerno
2012/2013
Hardness of

Talk overview
1
2
3
4
5
Voting protocols:
a big picture
What makes
voting so hard
Cryptographic
primitives
Voting
with Helios
Helios: Security
model and Threats
Complexity
Time

2
3
4
5
What makes
voting so hard
Cryptographic
primitives
Voting
with Helios
Helios: Security
model and Threats
Complexity
Talk overview
1
Voting protocols:
a big picture
Time

Setup
Ballot Preparation
Ballot Recording
Anonymization & Aggregation
Results
1
2
3
4
5
Voting Protocols: A Big Picture
VOTING PROCESS
parameters generated and
published

Setup
Ballot Preparation
Ballot Recording
Results
1
2
3
4
5
VOTING PROCESS
the voter prepares own ballot
the result is an encrypted vote

Setup
Ballot Preparation
Ballot Recording
Results
1
2
3
4
5
VOTING PROCESS
identity and encrypted ballot
are publicly available

Setup
Ballot Preparation
Ballot Recording
Results
1
2
3
4
5
VOTING PROCESS
publicly-verifiable shuffling, with
intermediate results posted on
the bulleting board

Setup
Ballot Preparation
Ballot Recording
Results
1
2
3
4
5
VOTING PROCESS
Election officials cooperate to produce
a plaintext tally for each race (with
publicly-verifiable proofs)

3
4
5
Cryptographic
primitives
Voting
with Helios
Helios: Security
model and Threats
Talk overview
1
Voting protocols:
a big picture
What makes
voting so hard
2
Complexity
Time

voting
process
Alice
A
AHardness of voting
COERCION
B
Bob
Others

voting
process
A
B
AHardness of voting
COERCION
B
Alice
Bob
Others
Carl

voting
process
B
B
AHardness of voting
COERCION
B
Alice
Bob
Others
Carl

Verifiability Secrecy
Verify the entire
process: own vote
properly counted

Verify the entire
process: own vote
properly counted
Vote selling becomes
a threat

Verify the entire
process: own vote
properly counted
a threat
Enough information
to personally verify
own vote

Verify the entire
process: own vote
properly counted
a threat
Enough information
own vote
But not so much to
convince the
coercer

Verify the entire
process: own vote
properly counted
a threat
Enough information
own vote
But not so much to
convince the
coercer
Tell the truth or lie

Verify the entire
process: own vote
properly counted
a threat
Enough information
own vote
But not so much to
convince the
coercer
Tell the truth or lie Cannot tell the
difference

integrityverifiability
accuracy

accuracy
Each vote should be counted correctly (completeness)
and only valid votes should be counted (soundness)

accuracy
NO altered,
duplicated or
deleted votes

accuracy
NO invalid
votes in the
final tally

accuracy
Votes must not be compromised unnoticed

accuracy
Integrity of votes must be verifiable
by voters
by public

Auditing Process
PROPERTIES
Helpers
Bulletin Board
Alice
Bob
Carl
Bulletin Board
Intermediate
Computation
Bulletin Board
Tally
RESULTS
Ballot
Casting
Assurance
Universal
Verifiability
Verification
Ballot
Anyone can verify the
proper processing of the
bulletin board data

Auditing Process
Helpers
Bulletin Board
Alice
Bob
Carl
Bulletin Board
Intermediate
Computation
Bulletin Board
Tally
RESULTS
Ballot
Casting
Assurance
Universal
Verifiability
Verification
Ballot
bulletin board data
PROPERTIES
An authenticated bulletin board is used, where voter’s
identity and the ciphertext of the relative ballot are published.
All observers can check that only eligible voters cast a ballot.
(anonymizing mixnet)

Auditing Process
Helpers
Bulletin Board
Alice
Bob
Carl
Bulletin Board
Intermediate
Computation
Bulletin Board
Tally
RESULTS
Ballot
Casting
Assurance
Universal
Verifiability
Verification
Ballot
bulletin board data
PROPERTIES
Two properties:
End-to-end verification: typical voting security analyses
distinguish the properties cast as intended and recorded as
cast.

Auditing Process
Helpers
Bulletin Board
Alice
Bob
Carl
Bulletin Board
Intermediate
Computation
Bulletin Board
Tally
RESULTS
Ballot
Casting
Assurance
Universal
Verifiability
Verification
Ballot
bulletin board data
PROPERTIES
Two properties:
End-to-end verification: typical voting security analyses
distinguish the properties cast as intended and recorded as
cast.
Direct verification: Alice, the voter, should get direct and
immediate verification that her vote was correctly recorded.

What makes
voting so hard
4
5
Voting
with Helios
Helios: Security
model and Threats
Talk overview
1
Voting protocols:
a big picture
Cryptographic
primitives
2
Complexity
Time
3

What makes
voting so hard
4
5
Voting
with Helios
Helios: Security
model and Threats
Talk overview
1
Voting protocols:
a big picture
Cryptographic
primitives
ElGamal
2
Time
Complexity
3
DDH
Assumption
Chaum - Pedersen
Protocol
Zero Knowledge
Proofs
Mixnet

KNOWLEDGE
ZERO
Interactive
Proof

Cryptographic Primitives
INTERACTIVEZERO KNOWLEDGE PROOF
In an interactive zero knowledge
proof, a prover P interacts with a
verifier V to demonstrate the validity of
an assertion without revealing anything
about the assertion to the verifier V.
Ref. 4

COMPLETENESS
1

COMPLETENESS
1
SOUNDNESS
2

COMPLETENESS
1
SOUNDNESS
2
ZERO
KNOWLEDGE
3

INTERACTIVEZERO KNOWLEDGE PROOF – VOTING PROTOCOLS
COMPLETENESS
1
SOUNDNESS
2
ZERO
KNOWLEDGE
3
between authorities authorities and voters

INTERACTIVEZERO KNOWLEDGE PROOF - HONEST VERIFIER
A Honest-Verifier Zero-Knowledge
(HVZK) is a variation of ZK, in which
the verifier V is expected to perform
according to the protocol.

KNOWLEDGE
ZERO
NonInteractive
Proof

NON INTERACTIVEZERO KNOWLEDGE PROOF - A SCENARIO

I have a new
Theorem!

My new
theorem is
true!
Sincerely,
Persiano
Alfredo De Santis

NON INTERACTIVEZERO KNOWLEDGE PROOF - CREDITS
Ref. 7

EL GAMAL ENCRYPTION SCHEME
key generation
encryption
decryption
asymmetric key encryption algorithm for public-key cryptography

EL GAMAL ENCRYPTION SCHEME key generation
Sender Receiver
large prime p ꞊ 2q+1 with q
also prime

Sender Receiver
also prime
generator g of the q order
subgroup of ℤp*

Sender Receiver
also prime
subgroup of ℤp*
Kpriv d in ℤq
Kpub e ꞊ gd mod p

Sender Receiver
also prime
subgroup of ℤp*
Kpriv d in ℤq
Kpub e ꞊ gd mod p
(e, g, p)

Sender Receiver
chooses r in ℤq
encryption

Sender Receiver
chooses r in ℤq
KE ꞊ gr mod p
encryption

Sender Receiver
chooses r in ℤq
KE ꞊ gr mod p
KM ꞊ er mod p
encryption

Sender Receiver
chooses r in ℤq
KE ꞊ gr mod p
KM ꞊ er mod p
chooses m of the q
order subgroup of ℤp*
encryption

Sender Receiver
chooses r in ℤq
KE ꞊ gr mod p
KM ꞊ er mod p
chooses m of the q
order subgroup of ℤp*
c ꞊ (KE , mKM)
encryption

decryption
Sender Receiver
let c be the
received ciphertext

Sender Receiver
let c be the
received ciphertext
KM ꞊ KE
d mod p
꞊ grd mod p
decryption

Sender Receiver
let c be the
received ciphertext
KM ꞊ KE
d mod p
꞊ grd mod p
m ꞊ KE
-d m KM
꞊ g-dr m grd
꞊ grd-dr m
꞊ g0 m
decryption

s in ℤq
c' = ( gsKE , es mKM )
re-encryptionRecall
Kpub e ꞊ gd mod p c ꞊ (KE , mKM)
KE ꞊ gr mod p KM ꞊ er mod p
Re-encryption
c‘ decrypted using
randomness s+r
Decryption

ASSUMPTION
Decisional
Diffie-Hellman

DDH Assumption
WHAT IS IT?
Computational hardness assumption
about a certain problem involving discrete
logarithms in cyclic groups.
Used to prove the security of many
cryptographic protocols (e.g. ElGamal!!!)

DDH Assumption
INFORMALDEFINITION
Consider a (multiplicative) cyclic group G of
order q, and with generator g.
The DDH assumption states that, given ga and
gb for uniformly and independently chosen a, b
in ℤq, the value gab is indistinguishable from a
random element in G.

DDH Assumption
FORMAL DEFINITION
Consider a (multiplicative) cyclic group G of order
q, and with generator g.
The following two probability distributions are
computationally indistinguishable (in the security
parameter q):
(ga , gb , gab) where a, b are randomly and
independently chosen in ℤq.
(ga , gb , gc) where a, b, c are randomly and
independently chosen in ℤq.

DDH Assumption
DISCRETE LOG ASSUMPTION
DDH is stronger than discrete log
detecting DDH tuples is easy, DL is believed to be hard
requiring DDH assumption is a more
restricting requirement.

DDH Assumption
DISCRETE LOG ASSUMPTION
The DDH assumption does not hold for
all groups.
If the it holds for a certain group
G, then the El Gamal encryption
scheme is IND-CPA secure.

CHAUMPEDERSEN
Demonstrate that (g, y, w, u) = (g, gx , gr , grx) is a DDH tuple.
P V
s ∈ ℤq ( α, β ) = (gs , ys )
c ∈ ℤq
t = s + cr accepts iff
gt = α gc and
yt = β uc

MIXNET SCENARIO
S1
Sn
Si
...
...
SHUFFLE
m1
mi
mn
mπ(1)
mπ(i)
mπ(n)
who is the
sender?

MIXNET NOTATION
C0,1
C0,2
C0,n
C1,1
C1,2
C1,n
Ci,1
Ci,2
Ci,n
Cl,1
Cl,2
Cl,n
…
…
…
…
…
…
ciphertext
M1 Mi Ml

MIXNET TOPOLOGY
Cascade topology
i

MIXNET TOPOLOGY
Free routing topology
i

CHAUMIAN MIXNET
Design Principle 1 (Encrypted Onion)
A plaintext is repeatedly wrapped using a
different public key and random padding at
every layer. Each layer is unwrapped by the
corresponding mix server.
Ref. 39-thesis

CHAUMIAN MIXNET
C1,1
C1,2
C1,n
Ci,1
Ci,2
Ci,n
Cl,1
Cl,2
Cl,n
…
…
…
…
…
…
M1 Mi Ml
C0,1
C0,2
C0,n
Encryption

CHAUMIAN MIXNET
C1,1
C1,2
C1,n
Ci,1
Ci,2
Ci,n
Cl,1
Cl,2
Cl,n
…
…
…
…
…
…
M1 Mi Ml
C0,1
C0,2
C0,n
Mi has (pki , ski) and a randomness ri
c0, j = Epk1 ( r1,j , Epk2 ( r2,j , …. Epkn ( rl,j , m) )

CHAUMIAN MIXNET
C1,1
C1,2
C1,n
Ci,1
Ci,2
Ci,n
Cl,1
Cl,2
Cl,n
…
…
…
…
…
…
M1 Mi Ml
C0,1
C0,2
C0,n
Mixing Stage

CHAUMIAN MIXNET
C1,1
C1,2
C1,n
Ci,1
Ci,2
Ci,n
Cl,1
Cl,2
Cl,n
…
…
…
…
…
…
M1 Mi Ml
C0,1
C0,2
C0,n
At each stage, Mi does:
decrypt
remove random padding
send results lexicographically ordered to Mi+1

CHAUMIAN MIXNET
modifiable messages
refuse to take part in the protocol
cipher size proportional to the number of
mix servers (concatenation of randomness)

PARK ET AL REENCRYPTION MIXNET
C1,1
C1,2
C1,n
Ci,1
Ci,2
Ci,n
Cl,1
Cl,2
Cl,n
…
…
…
…
…
…
M1 Mi Ml
C0,1
C0,2
C0,n
Mi generates ski = xi ← ℤ*p-1 and pki = yi = gxi mod p
Consider the Mixnet’s joint public key:
PK = ∏ pki = g
∑ xi
The input c0,i = EPK (m) and each mixserver reencrypts
its input with a fresh randomness.
Computation parameters
A prime p and factorization of p-1 ~ g generator of ℤp*
R
i = 1
l
i = 1
l

PARK ET AL REENCRYPTION MIXNET
C1,1
C1,2
C1,n
Ci,1
Ci,2
Ci,n
Cl,1
Cl,2
Cl,n
…
…
…
…
…
…
M1 Mi Ml
C0,1
C0,2
C0,n
Mi generates ski = xi ← ℤ*p-1 and pki = yi = gxi mod p
PK = ∏ pki = g
∑ xi
The final output is then joint-decrypted by the mix
servers (El Gamal shared decryption)
Computation parameters
A prime p and factorization of p-1 ~ g generator of ℤp*
R
i = 1
l
i = 1
l

PARK ET AL REENCRYPTION MIXNET - VARIATION
C1,1
C1,2
C1,n
Ci,1
Ci,2
Ci,n
Cl,1
Cl,2
Cl,n
…
…
…
…
…
…
M1 Mi Ml
C0,1
C0,2
C0,n
Partial Decryption (PD)
Reencryption and decryption performed simultaneously:
mix-servers perform PD at each reencryption stage
PKi = ∏ pki' = g
∑ xi'
l
i' = i
l
i‘ = i

C1,1
C1,2
C1,n
Ci,1
Ci,2
Ci,n
Cl,1
Cl,2
Cl,n
…
…
…
…
…
…
M1 Mi Ml
C0,1
C0,2
C0,n
PKi = ∏ pki' = g
∑ xi'
l
i' = i
l
i‘ = i
joint PK starting from Mi

C1,1
C1,2
C1,n
Ci,1
Ci,2
Ci,n
Cl,1
Cl,2
Cl,n
…
…
…
…
…
…
M1 Mi Ml
C0,1
C0,2
C0,n
PKi = ∏ pki' = g
∑ xi‘
PK1 = PK , the joint public key for all mix servers
PKl = pkl , since Ml is the last mix server.
l
i' = i
l
i‘ = i

C1,1
C1,2
C1,n
Ci,1
Ci,2
Ci,n
Cl,1
Cl,2
Cl,n
…
…
…
…
…
…
M1 Mi Ml
C0,1
C0,2
C0,n
Mi transforms Ci-1 , j under PKi into ci , j under PKi+1 (joint PK
of the remaining mix servers)
Ci-1 , j=(αi-1, βi-1)

C1,1
C1,2
C1,n
Ci,1
Ci,2
Ci,n
Cl,1
Cl,2
Cl,n
…
…
…
…
…
…
M1 Mi Ml
C0,1
C0,2
C0,n
PDski (c) = (α, β · α−xi ) PDski (EPKi(m)) = EPKi+1 (m)←
Ci-1 , j=(αi-1, βi-1)

C1,1
C1,2
C1,n
Ci,1
Ci,2
Ci,n
Cl,1
Cl,2
Cl,n
…
…
…
…
…
…
M1 Mi Ml
C0,1
C0,2
C0,n
Ci-1 , j=(αi-1, βi-1)
ci , j = REPKi+1 (PDski (ci -1, j ), ri , j )

MIXNET SECURITY LEVEL
In the first conception, the ElGamal
scheme was not semantically secure

In the first conception, the ElGamal
scheme was not semantically secure
Pfitzmann Solution
p safe prime g generator of a q-order
subgroup of ℤp* and m ∈ ⟨g⟩
(presented ElGamal scheme)

Moreover, non malleability is a
required property.
Solution
Inputs are made not malleable
including, for example, redundancy

SAKO KILIAN
Sako Kilian: the first
universally verifiable mixnet

SAKO KILIAN
What’s new in Sako Kilian mixnet?
proof of correct reencryption and shuffling
proof of correct partial decryption
PDski (ci, j) is published

SAKO KILIAN – PROOF OF CORRECT SHUFFLING
typical zero-knowledge proof

SAKO KILIAN – PROOF OF CORRECT RANDOMIZATION VALUES BY
HVZK
Let π and (rj) be the permutation and randomization
values used by a certain mix server.
Secondary shuffle output: generated reencryping
and shuffling using a new permutation λ and a list of
randomization values (tj)
The verifier can then challenge the mix server to
reveal either (λ, (tj)) or (λ π-1, (rj -tj) )
50% soundness

SAKO KILIAN – PROOF OF CORRECT SHUFFLING BY SECOND SHUFFLE
Ci,1
Ci,2
Ci,n
Ci-1,1
Ci-1,2
Ci-1,n
Mi
Mi'
C'i,1
C'i,2
C'i,n
challenge = 0
reveal (λ, tj)
c'i, λ(j) = RE(ci-1, j , tj)
challenge = 1
reveal (λ π-1, (ri - ti) )
ci, λ π-1 = RE(c'i, j , (ri - ti))

SAKO KILIAN – PROOF OF CORRECT PARTIAL DECRYPTION
A decrypted ElGamal ciphertext can be proved to be correct
using Chaum-Pedersen protocol.
Given a ciphertext c = ( α, β ) and claimed m the prover shows
that PD(c) = ( α’ , β’ ) yields β/ β’ = αxi

that PD(c) = ( α’ , β’ ) yields β/ β’ = αxi .
secret key of Mi

P must prove that (g, y, α, β/β’) is a DDH tuple.
The mix server must then prove that
(g, y, α, β/β’ ) forms a DDH tuple

CHAUMPEDERSEN APPLIED TO MIXNET
Demonstrate that (g, y, w, u) = (g, gx , gr , grx) is a DDH tuple.
P V
s ∈ ℤq ( α, β ) = (gs , ys )
c ∈ ℤq
t = s + cr accepts iff
gt = α gc and
yt = β uc

Demonstrate that (g, y, w, u) = (g, y, α, β/β’ ) is a DDH tuple.
P V
s ∈ ℤq ( α, β ) = (gs , ys )
c ∈ ℤq
t = s + cx accepts iff
gt = α gc and
yt = β uc
Let c = (α, β ), c’ = (α’, β’), y is the PK, c’ is obtained from c
by partial decryption, x is the private key

P V
s ∈ ℤq ( α’’, β’’ ) = (gs , ys )
c ∈ ℤq
gt = α gc and
yt = β uc

P V
s ∈ ℤq ( α’’, β’’ ) = (gs , ys )
c ∈ ℤq
gt = α’’ yc and
yt = β’’ (β/β’)c

Cryptographic
primitives
What makes
voting so hard
2
5
Voting
with Helios
Helios: Security
model and Threats
Talk overview
1
Voting protocols:
a big picture
Time
3
Complexity
4

UNIVERSAL
VERIFIABILITY
EL
GAMAL
VOTING
SAKO
KILIAN
MIXNET
Put it all together: Helios
NON
INTERACTIVE
PROOF
ANONYMITY

Voting with Helios
HELIOS – MAIN GOALS
Open-Audit
Ballot Casting Assurance
Unconditional Integrity
Unconditional Privacy
Universal Verifiability
Usability
Web-Based
Educate about Coercion
Low Coercion Elections

Voting with Helios
HELIOS – BULLETIN BOARD OF VOTES
Bulletin Board publicly available
run by a single server
integrity ensured if enough voters
check their votes

Voting with Helios
HELIOS – THE WHOLE PROCESS
Inspired by Benaloh’s Protocol
(next talk!)

Voting with Helios
Alice prepares and audits as many ballots she
wants, ensuring that all of the audited
ballots are consistent
Helios Bulletin Board posts Alice’s name and
encrypted ballot
Election closes: Helios shuffles all ballots and
produces Non-Interactive Proof of correct
shuffling (with overwhelming probability)
1
2
3

Voting with Helios
After a reasonable compliant period to let
auditors check the shuffling, Helios
decrypts all shuffled ballots and provides a
decryption proof for each and performs the
tally
An auditor can download the entire election
data and verify shuffle, decryption and tally.
4
5

Voting with Helios
After a reasonable compliant period to let
auditors check the shuffling, Helios
decrypts all shuffled ballots and provides a
decryption proof for each and performs the
tally
An auditor can download the entire election
data and verify shuffle, decryption and tally.
4
5
Bulletin board performs its own independent shuffle
and decryption (with relative proofs) if an election is
made up of more than one race.

Voting with Helios
SAKO KILIAN –INCREASING ASSURANCEOF INTEGRITY
t shadow
mixes
challenge
with t bits
mixnet is correct with
probability 1 – 2-t
Cut and Choose
technique

Voting with Helios
SAKO KILIAN – PROOF OF CORRECT SHUFFLING AND DECRYPTION
There are many verifiers, and it is not suitable to have a
heavy computation for each of them.
The HVZK proof previously described is transformed into
a NIZK Proof using the Fiat-Shamir heuristic.

Election Creation Registered users can create elections
Ballot Setup: election name, start and end dates
Voters Management: add or remove voters
Freeze Election: ElGamal keypair is generated and election starts
Voting
Fill in the ballot: Alice chooses a candidate
Sealing: vote is encrypted and the ciphertext’s hash is showed
Audit: Helios returns the randomness (verification via own code
or Ballot Encryption Verification)
Cast: Helios discards plaintext and randomness. Alice after
logging in, receives a confirmation of her vote and its SHA1
Anonymization
Shuffle, Shuffle Proof, Decrypt Proof, Tally
1
2
3
SUMMARIZING HELIOS’ VOTING PROCESS

Election Creation Registered users can create elections
Ballot Setup: election name, start and end dates
Voters Management: add or remove voters
Freeze Election: ElGamal keypair is generated and election starts
Voting
Fill in the ballot: Alice chooses a candidate
Sealing: vote is encrypted and the ciphertext’s hash is showed
Audit: Helios returns the randomness (verification via own code
or Ballot Encryption Verification)
Cast: Helios discards plaintext and randomness. Alice after
logging in, receives a confirmation of her vote and its SHA1
Anonymization
Shuffle, Shuffle Proof, Decrypt Proof, Tally
1
2
SUMMARIZING HELIOS’ VOTING PROCESS
3

Voting with Helios
HELIOS – WEB COMPONENTS
Ballot loaded:
no network
communication until
the ballot is encrypted
and the plaintext is
discarded

Voting with Helios
HELIOS – SERVER
Python Web App
CherryPie 3.0
Lighttpd web server

What makes
voting so hard
Voting
with Helios
1
Voting protocols:
a big picture
Time
3
Cryptographic
primitives
4
Talk overview
Helios: Security
model and Threats
2
Complexity
5

HELIOS
Incorrect shuffle
or decryption
Occurs with overwhelming
probability thanks the
cryptographic verification.

HELIOS
Changing Ballot
Impersonating
Substitute a new ciphertext or
inject a vote. Succeed since it
occurs before encryption

Auditing is crucial!
Helios ensures that if a large majority of voters
verifies their vote, then the outcome is correct

Present
Future
First publicly available
Implementation web
based.
It focuses on
trustworthy elections
without the overhead
of coercion-freeness.
Support for other
types of elections.
Distributed shuffling
and decryption.
Improving
authentication.

References
1. Ben Adida. Advances in Cryptographic Voting Systems. PhD thesis,
August 2006. http://assets.adida.net/research/phd-thesis.pdf
2. Lucie Langer, Axel Schmidt, Johannes Buchmann, and Melanie
Volkamer. A Taxonomy Refining the Security Requirements for
Electronic Voting: Analyzing: Helios as a Proof of Concept. In Fifth
International Conference on Availability, Reliability and Security (ARES),
pages 475–480. IEEE Computer Society, 2010.
3. Ben Adida. Helios: web-based open-audit voting, in SS’08:
Proceedings of the 17th conference on Security symposium. USENIX
Association, 2008, pp. 335–348.
4. Laure Fouard, Mathilde Duclos, and Pascal Lafourcade. Survey on
Electronic Voting Schemes. supported by the ANR project AVOTÉ,
2007.
5. Choonsik Park, Kazutomo Itoh, and Kaoru Kurosawa. Efficient
anonymous channel and all/nothing election scheme. In Tor
Helleseth, editor, EUROCRYPT, volume 765 of Lecture Notes in
Computer Science, pages 248–259. Springer, 1994.

References
6. Sampigethaya K., Poovendran R., A Survey on Mix Networks and
Their Secure Applications. Proceedings of the IEEE
, vol.94, no.12, pp.2142,2181, Dec. 2006 doi:
10.1109/JPROC.2006.889687
7. Manuel Blum, Alfredo De Santis, Silvio Micali, Giuseppe Persiano.
Noninteractive Zero-Knowledge, 1991
8. David Chaum and Torben P. Pedersen. Wallet databases with
observers. In Ernest F. Brickell, editor, CRYPTO, volume 740 of Lecture
Notes in Computer Science, pages 89–105. Springer, 1992.
9. Amos Fiat and Adi Shamir. How to prove your-self: Practical
solutions to identification and signature problems. In Andrew M.
Odlyzko, editor, CRYPTO, volume 263 of Lecture Notes in Computer
Science, pages 186–194. Springer, 1986.
10. Kazue Sako and Joe Kilian. Receipt-free mix-type voting scheme -
a practical solution to the implementation of a voting booth. In
EUROCRYPT, pages 393–403, 1995.

Credits
Thanks to all users that published their pictures under creative
commons:
1. http://www.flickr.com/photos/71167649@N03/6435866935/
2. http://www.flickr.com/photos/citizen_poeta/1446906402/sizes/z/in/ph
otostream/
3. http://kwicsys.com/wp-content/uploads/2012/10/Free-HD-Twins-
Cherry-Wallpapers.jpg
I also want to thank Jon Froehlich for getting inspired by his
presentations’ design.

TAXONOMY
Verifiability
Secrecy

Taxonomy
INTEGRITY
INTEGRITY
universal
tallying phase

Taxonomy
INTEGRITY
INTEGRITY
individual
voting and
tallying phases

Taxonomy
VERIFICABILITY
VERIFIABILITY
continuous
1
universal

Taxonomy
VERIFICABILITY
VERIFIABILITY
continuous
1
universal
VERIFIABILITY
discrete
2
universal

Taxonomy
VERIFICABILITY
VERIFIABILITY
continuous
1
universal
VERIFIABILITY
discrete
2
universal
VERIFIABILITY
inner
3
individual

Taxonomy
VERIFICABILITY
VERIFIABILITY
continuous
1
universal
VERIFIABILITY
discrete
2
universal
VERIFIABILITY
inner
3
individual
VERIFIABILITY
outer
4
individual

Taxonomy
VERIFICABILITY
VERIFIABILITY
continuous
1
universal
VERIFIABILITY
discrete
2
universal
VERIFIABILITY
inner
3
individual
VERIFIABILITY
outer
4
individual
IVbefore casting
(3-4).1

Taxonomy
VERIFICABILITY
VERIFIABILITY
continuous
1
universal
VERIFIABILITY
discrete
2
universal
VERIFIABILITY
inner
3
individual
VERIFIABILITY
outer
4
individual
IVbefore casting
(3-4).1
IVafter casting
(3-4).2

Taxonomy
VERIFICABILITY
VERIFIABILITY
continuous
1
universal
VERIFIABILITY
discrete
2
universal
VERIFIABILITY
inner
3
individual
VERIFIABILITY
outer
4
individual
IVbefore casting
(3-4).1
IVafter casting
(3-4).2
IVafter tallying
(3-4).3

Taxonomy
VERIFICABILITY
VERIFIABILITY
continuous
1
universal
VERIFIABILITY
discrete
2
universal
VERIFIABILITY
inner
3
individual
VERIFIABILITY
outer
4
individual
OBJECTION
change of
5
IVbefore casting
(3-4).1
IVafter casting
(3-4).2
IVafter tallying
(3-4).3

Taxonomy
VERIFICABILITY
VERIFIABILITY
continuous
1
universal
VERIFIABILITY
discrete
2
universal
VERIFIABILITY
inner
3
individual
VERIFIABILITY
outer
4
individual
OBJECTION
change of
5
OBJECTION
secrecy
5.1
preserving
IVbefore casting
(3-4).1
IVafter casting
(3-4).2
IVafter tallying
(3-4).3

Taxonomy
VERIFICABILITY
VERIFIABILITY
continuous
1
universal
VERIFIABILITY
discrete
2
universal
VERIFIABILITY
inner
3
individual
VERIFIABILITY
outer
4
individual
OBJECTION
change of
5
OBJECTION
secrecy
5.2
compromising
OBJECTION
secrecy
5.1
preserving
IVbefore casting
(3-4).1
IVafter casting
(3-4).2
IVafter tallying
(3-4).3

Taxonomy
SECRECY
UNLINKABILITY
voter
vote/ballot

Taxonomy
SECRECY
UNLINKABILITY
voter
vote

Taxonomy
SECRECY
UNPROVABLE
LINKABILITY
voter
ballot

Taxonomy
SECRECY
UNPROVABLE
LINKABILITY
voter
vote

c' = ( gsKE , es mKM ) = ( K'E , K'M )
re-encryptionRecall
Decryption proof

c' = ( gsKE , es mKM ) = ( K'E , K'M )
K'M ꞊ K'E
d mod p = gsKE mod p = gs gr mod p = gs+r mod p
re-encryptionRecall
Decryption proof

c' = ( gsKE , es mKM ) = ( K'E , K'M )
K'M ꞊ K'E
d mod p = gsKE mod p = gs gr mod p = gs+r mod p
m = K'E
-d m K'M = g(s+r)-d
m g(s+r)d
= g(s+r)-d+ (s+r)d
m
= g(d-d)(s+r) m
re-encryptionRecall
Decryption proof

P must prove that (g, y, α, β/β’) is a DDH tuple.
The mix server must then prove that
(g, y, α, β/β’ ) forms a DDH tuple
meaning that:
logg (y) = logα (β/β’ ) mod p.

Hardness of Online Voting

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (20)

Similaire à Hardness of Online Voting

Similaire à Hardness of Online Voting (20)

Dernier

Dernier (20)

Hardness of Online Voting