A Blind Coupon Mechanism Enabling Veto Voting over Unreliable - - PowerPoint PPT Presentation

A Blind Coupon Mechanism Enabling Veto Voting

• ver Unreliable Networks

Colin Boyd, Kristian Gjøsteen, Clémentine Gritti and Thomas Haines

INDOCRYPT 2019 Hyderabad, India December 16, 2019

1

Introduction

What is Blind Coupon Mechanism?

◮ Idea: spreading an alarm quietly and quickly throughout a network

◮ signal coupons (alarm) broadcast among a large quantity of dummy coupons ◮ anything joined with a signal coupon becomes a signal coupon

◮ Cryptographic primitive with the following features:

◮ Generation: creating coupons, either dummy or signal ◮ Verification: checking whether a coupon is valid ◮ Combination: obtaining a new coupon from two valid coupons ◮ Decoding: getting the nature of a coupon

◮ Security properties:

◮ Indistinguishability: the adversary cannot distinguish signal and dummy coupons ◮ Unforgeability: the adversary cannot forge valid signal coupons

Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks

2

Contributions

New Scheme, Security Property and Application

◮ Generalized Blind Coupon Mechanism:

◮ coupons can signal multiple events instead of a single one ◮ minimal additional overhead

◮ Untraceability:

◮ the adversary cannot track and follow coupons, and gain information on individual choices

◮ Veto voting protocol:

◮ signal coupons override dummy coupons ◮ Rewording: signal coupons veto the effect of dummy coupons

Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks

3

Blind Coupon Mechanism

Existing Solutions

◮ Limitations: coupons can only transmit one bit of information ◮ Aspnes et al. (ASIACRYPT’05)

◮ AND-homomorphic authenticated bit commitment scheme ◮ finite set U, cyclic group G ⊆ U and G’s proper subgroup D ◮ dummy coupons in D and signal coupons in G \ D

◮ Blazy and Chevalier (ARES’18)

◮ AND-homomorphic BCM scheme by combining:

◮ OR-homomorphic BCM scheme ◮ one-time linearly homomorphic structure preserving signature scheme (Libert et al., DCC, 2015)

◮ groups of prime order p ◮ asymmetric pairing ◮ relying on standard assumptions

Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks

4

Blind Coupon Mechanism

Our Generalized Solution

◮ Extending Blazy-Chevalier scheme into a multivariate setting:

◮ 2 elements g1, h1 from a cyclic group G1 of prime order p ◮ n − 1 elements h2, · · · , hn from G1 ◮ Signal coupon: tuple of n + 1 random elements from G1 ◮ Dummy coupon: tuple (gr

1, hr 1, hr 2, · · · , hr n) with random exponent r

◮ Keeping the combination of the OR-homomorphic BCM scheme with Libert et al.’s signature scheme ◮ Keeping the asymmetric pairing framework and standard assumptions for security

Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks

5

Blind Coupon Mechanism

Security Properties

◮ Indistinguishability:

◮ the adversary is given oracle access to any coupons ◮ given a valid coupon, she cannot tell whether it is dummy or signal

◮ Unforgeability:

◮ the adversary is given oracle access to dummy and single signal coupons (the latter are each requested once) ◮ she cannot generate a valid signal coupon which is not a combination of coupons already seen

◮ Untraceability:

◮ the adversary is given oracle access to any coupons ◮ given 2 sets of valid coupons embedding identical signals, she cannot tell which set was used to generate the resulting combined coupon

Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks

6

Veto Voting Protocol

Context

◮ Political demonstration ◮ Restrictive communication and unreliable network infrastructures ◮ Demonstrators can broadcast vetoes quietly and quickly ◮ The nature of their votes must be securely hidden

Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks

7

Veto Voting Protocol

Overview

◮ Participants:

◮ election authorities ◮ voters

◮ Phases:

• 1. Setup: election authorities set up the veto election collectively
• 2. Voting: voters express their veto choices by communicating among them
• 3. Closing: election authorities retrieve the election results collectively

Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks

8

Veto Voting Protocol

Setup Phase Election Authorities Voters

Public parameters Initial coupons Secret parameters

Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks

9

Veto Voting Protocol

Setup Phase

◮ Election authorities share a secret key ◮ Election authorities and voters have access to the public election parameters ◮ Election authorities generate the initial (n + 1) coupons and distribute them to each voter:

◮ one coupon c0 representing a blank vote (i.e. no veto) ◮ n coupons where the coupon ci represents a veto on the option opti (e.g. candidate, law)

Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks

10

Veto Voting Protocol

Voting and Closing Phases Election Authorities Voters

Initial coupons Final coupons

V1 V2 V3 V4 V5 V6 V7 V8 V9

Decoding final coupons and retrieving veto results

Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks

11

Veto Voting Protocol

Voting Phase

• 1. Voters transmit their blank coupons c0 to their neighbors continuously
• 2. When voting decisions are reached, voters use their n initial signal

coupons to veto:

◮ voters choose the coupon ci to veto on opti ◮ voters combine the initial coupons ci and cj to veto on both opti and optj ◮ combining c0 with ci with veto on opti results in c′

i with veto on opti

• 3. Voters transmit the coupons to their neighbors continuously:

◮ resulting from the combination of coupons obtained from their voting decisions and from other voters

Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks

12

Veto Voting Protocol

Closing Phase

◮ Election authorities intercept coupons at random time from random voters ◮ Election authorities decode them collectively:

◮ veto election results are obtained ◮ one veto on an option is enough to stop the related action (no vote counting)

Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks

13

Veto Voting Protocol

An Example

◮ Coupons transmitted to V4

◮ c1 with veto on option 5 from V1 ◮ c2 with veto on option 7 from V2 ◮ c3 with veto on options 1 and 2 from V3

◮ Voter V4 creates c4 with veto on option 5 ◮ Coupons transmitted from V4

◮ c, c’ and c” with veto on options 1, 2, 5, 7 to V5, V6 and V7 respectively

Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks

14

Veto Voting Protocol

Properties

◮ Privacy: non-veto and veto votes remain secret ◮ Anonymity and fairness: no one can discover which voter vetoed which

• ptions and obtain early results from voting

◮ Partial verifiability: tallying and counting can be partially verified as performed correctly ◮ Correctness and robustness: no one can submit incorrect votes and prevent the election results from being declared

Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks

15

Conclusion

Observations and Future Work

◮ Enhancing unforgeability

◮ Now: the adversary submits unique coupons with one signal option to the oracle ◮ Next: she requests coupons with multiple signal options

◮ Enhancing untraceability

◮ Now: the adversary receives the public parameters and accesses a coupon generation oracle ◮ Next: she receives either the secret parameters or accesses a coupon decoding oracle

◮ Unauthorized voters

◮ Election authorities forbid some voters to veto by giving them n + 1 dummy coupons

Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks

Thank you for your attention