Universal Unconditional Verifiability in E-Voting without Trusted Parties

In e-voting protocols, cryptographers must balance usability with strong security guarantees, such as privacy and verifiability. In traditional e-voting protocols, privacy is often provided by a trusted authority that learns the votes and computes the tally. Some protocols replace the trusted authority by a set of authorities, and privacy is guaranteed if fewer than a threshold number of authorities are corrupt. For verifiability, stronger security is demanded. Typically, corrupt authorities that try to fake the tally result must always be detected.

To provide verifiability, many e-voting protocols use Non-Interactive Zero-Knowledge proofs (NIZK). Thanks to their non-interactive nature, NIZK allow anybody, including third parties that do not participate in the protocol, to verify the correctness of the tally. Therefore, NIZK can be used to obtain universal verifiability. Additionally, NIZK also improve usability because they allow voters to cast a vote non-interactively.

The disadvantage of NIZK is that their security is based on setup assumptions such as the common reference string (CRS) or the random oracle model. The former requires a trusted party to generate a CRS. The latter, though a popular model for secure protocol design, has been shown to be unsound.

We address the design of e-voting protocols that provide verifiability without any trust assumptions. We show that Non-Interactive Witness-Indistinguishable proofs can be used for this purpose. Our e-voting protocols are private under the Decision Linear assumption, while perfect individual verifiability, i.e., a fake tally is detected with probability 1, holds unconditionally. Perfect universal verifiability requires a trusted public bulletin board. We remark that our definition of verifiability does not consider eligibility or end-to-end verifiability. First, we present a general construction that supports any tally function. Then, we show how to efficiently instantiate it for specific types of elections through Groth-Sahai proofs.
