A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks Colin Boyd, Kristian Gjøsteen, Clémentine Gritti and Thomas Haines INDOCRYPT 2019 Hyderabad, India December 16, 2019
Introduction What is Blind Coupon Mechanism? 1 ◮ Idea: spreading an alarm quietly and quickly throughout a network ◮ signal coupons (alarm) broadcast among a large quantity of dummy coupons ◮ anything joined with a signal coupon becomes a signal coupon ◮ Cryptographic primitive with the following features: ◮ Generation: creating coupons, either dummy or signal ◮ Verification: checking whether a coupon is valid ◮ Combination: obtaining a new coupon from two valid coupons ◮ Decoding: getting the nature of a coupon ◮ Security properties: ◮ Indistinguishability: the adversary cannot distinguish signal and dummy coupons ◮ Unforgeability: the adversary cannot forge valid signal coupons Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks
Contributions New Scheme, Security Property and Application 2 ◮ Generalized Blind Coupon Mechanism: ◮ coupons can signal multiple events instead of a single one ◮ minimal additional overhead ◮ Untraceability: ◮ the adversary cannot track and follow coupons, and gain information on individual choices ◮ Veto voting protocol: ◮ signal coupons override dummy coupons ◮ Rewording: signal coupons veto the effect of dummy coupons Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks
Blind Coupon Mechanism Existing Solutions 3 ◮ Limitations: coupons can only transmit one bit of information ◮ Aspnes et al. (ASIACRYPT’05) ◮ AND-homomorphic authenticated bit commitment scheme ◮ finite set U , cyclic group G ⊆ U and G ’s proper subgroup D ◮ dummy coupons in D and signal coupons in G \ D ◮ Blazy and Chevalier (ARES’18) ◮ AND-homomorphic BCM scheme by combining: ◮ OR-homomorphic BCM scheme ◮ one-time linearly homomorphic structure preserving signature scheme (Libert et al., DCC, 2015) ◮ groups of prime order p ◮ asymmetric pairing ◮ relying on standard assumptions Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks
Blind Coupon Mechanism Our Generalized Solution 4 ◮ Extending Blazy-Chevalier scheme into a multivariate setting: ◮ 2 elements g 1 , h 1 from a cyclic group G 1 of prime order p ◮ n − 1 elements h 2 , · · · , h n from G 1 ◮ Signal coupon: tuple of n + 1 random elements from G 1 ◮ Dummy coupon: tuple ( g r 2 , · · · , h r n ) with random exponent r 1 , h r 1 , h r ◮ Keeping the combination of the OR-homomorphic BCM scheme with Libert et al.’s signature scheme ◮ Keeping the asymmetric pairing framework and standard assumptions for security Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks
Blind Coupon Mechanism Security Properties 5 ◮ Indistinguishability: ◮ the adversary is given oracle access to any coupons ◮ given a valid coupon, she cannot tell whether it is dummy or signal ◮ Unforgeability: ◮ the adversary is given oracle access to dummy and single signal coupons (the latter are each requested once) ◮ she cannot generate a valid signal coupon which is not a combination of coupons already seen ◮ Untraceability: ◮ the adversary is given oracle access to any coupons ◮ given 2 sets of valid coupons embedding identical signals, she cannot tell which set was used to generate the resulting combined coupon Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks
Veto Voting Protocol Context 6 ◮ Political demonstration ◮ Restrictive communication and unreliable network infrastructures ◮ Demonstrators can broadcast vetoes quietly and quickly ◮ The nature of their votes must be securely hidden Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks
Veto Voting Protocol Overview 7 ◮ Participants: ◮ election authorities ◮ voters ◮ Phases: 1. Setup: election authorities set up the veto election collectively 2. Voting: voters express their veto choices by communicating among them 3. Closing: election authorities retrieve the election results collectively Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks
Veto Voting Protocol Setup Phase 8 Election Authorities Voters Public parameters Initial coupons Secret parameters Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks
Veto Voting Protocol Setup Phase 9 ◮ Election authorities share a secret key ◮ Election authorities and voters have access to the public election parameters ◮ Election authorities generate the initial ( n + 1 ) coupons and distribute them to each voter: ◮ one coupon c 0 representing a blank vote (i.e. no veto) ◮ n coupons where the coupon c i represents a veto on the option opt i (e.g. candidate, law) Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks
Veto Voting Protocol Voting and Closing Phases 10 Voters Election Authorities Initial coupons V1 Final coupons V2 V3 V4 V9 Decoding final coupons and V5 retrieving veto results V6 V7 V8 Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks
Veto Voting Protocol Voting Phase 11 1. Voters transmit their blank coupons c 0 to their neighbors continuously 2. When voting decisions are reached, voters use their n initial signal coupons to veto: ◮ voters choose the coupon c i to veto on opt i ◮ voters combine the initial coupons c i and c j to veto on both opt i and opt j ◮ combining c 0 with c i with veto on opt i results in c ′ i with veto on opt i 3. Voters transmit the coupons to their neighbors continuously: ◮ resulting from the combination of coupons obtained from their voting decisions and from other voters Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks
Veto Voting Protocol Closing Phase 12 ◮ Election authorities intercept coupons at random time from random voters ◮ Election authorities decode them collectively: ◮ veto election results are obtained ◮ one veto on an option is enough to stop the related action (no vote counting) Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks
Veto Voting Protocol An Example 13 ◮ Coupons transmitted to V4 ◮ c1 with veto on option 5 from V1 ◮ c2 with veto on option 7 from V2 ◮ c3 with veto on options 1 and 2 from V3 ◮ Voter V4 creates c4 with veto on option 5 ◮ Coupons transmitted from V4 ◮ c, c’ and c” with veto on options 1, 2, 5, 7 to V5, V6 and V7 respectively Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks
Veto Voting Protocol Properties 14 ◮ Privacy: non-veto and veto votes remain secret ◮ Anonymity and fairness: no one can discover which voter vetoed which options and obtain early results from voting ◮ Partial verifiability: tallying and counting can be partially verified as performed correctly ◮ Correctness and robustness: no one can submit incorrect votes and prevent the election results from being declared Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks
Conclusion Observations and Future Work 15 ◮ Enhancing unforgeability ◮ Now: the adversary submits unique coupons with one signal option to the oracle ◮ Next: she requests coupons with multiple signal options ◮ Enhancing untraceability ◮ Now: the adversary receives the public parameters and accesses a coupon generation oracle ◮ Next: she receives either the secret parameters or accesses a coupon decoding oracle ◮ Unauthorized voters ◮ Election authorities forbid some voters to veto by giving them n + 1 dummy coupons Clémentine Gritti | A Blind Coupon Mechanism Enabling Veto Voting over Unreliable Networks
Thank you for your attention
Recommend
More recommend
