Election Verifiability or Ballot Privacy: Do We Need to Choose? (slides)

  1. Election Verifiability or Ballot Privacy: Do We Need to Choose?
     Edouard Cuvelier, Thomas Peters, Olivier Pereira
     Université catholique de Louvain, ICTEAM, Crypto Group (Microelectronics Laboratory)
     SecVote 2012
     UCL Crypto Group, PPAT, Jul. 2012

  2. Privacy and Verifiability

  3. Privacy and Verifiability
     19th century:
     ◮ increasing concerns about bribery and coercion
     ◮ secret ballots become mandatory in most countries
     ◮ and with them come the troubles for correctness

  4. Privacy and Verifiability

  5. Privacy and Verifiability?

  6. Setting and Goals
     ◮ Large-scale elections: a single asynchronous pass by the voters
     ◮ Confidentiality rests on a set of trustees who perform the tally
     ◮ Offer verifiability without impacting privacy
     ◮ Solutions for both homomorphic and mixnet-based tallying
     ◮ Preserve optimal efficiency [CGS97] (workload counted in modexps):
       ◮ workload of the voters independent of the number of trustees
       ◮ workload of the voters logarithmic in the number of choices
       ◮ workload of the trustees linear in the number of ballots
       ◮ ballot size linear in the number of choices
       ◮ workload independent of the security parameter

  7. Voting with Perfectly Private Audit Trail
     Consider:
     1. A private bulletin board
        ◮ Used by the authorities
        ◮ Corresponds to the view in the non-verifiable system
        ◮ Should offer the usual computational privacy [BCPSW11]
     2. A public bulletin board
        ◮ Used for universal verifiability
        ◮ Should offer perfect/statistical privacy ([BCPSW11] privacy against an unbounded adversary)

  8. A New Primitive
     Commitment Consistent (CC) Encryption:
     ◮ Regular (threshold) encryption
       + $\mathrm{Extract}_C$, which extracts a commitment from, and on, the encrypted message (could formally just be the identity)
       + $\mathrm{Extract}_E$, which extracts an encryption of the opening of that commitment
     "Naive" way of building this:
     ◮ Take Enc and Com schemes
     ◮ Gen uses $\mathrm{Gen}_E$ twice and $\mathrm{Gen}_C$ to get keys for these two schemes
     ◮ $\mathrm{Enc}_{CC}(m)$ computes $(c, a) = \mathrm{Com}_{ck}(m)$, $c_1 = \mathrm{Enc}_{pk_1}(m)$ and $c_2 = \mathrm{Enc}_{pk_2}(a)$, and outputs $(c, c_1, c_2)$
     Application: have $c$ perfectly hiding and use it for verifiability

  9. A New Primitive
     CC Encryption with Validity Augmentation (CCVA):
     ◮ For privacy: an augmentation that makes the scheme NM-CPA
     ◮ For accountability: an augmentation that convinces the trustees that the output of $\mathrm{Extract}_E$ really makes it possible to open $\mathrm{Extract}_C$

 10. Summing Up the Process
     CCEnc2Vote($\Pi$) works as follows from a CCVA scheme $\Pi$:
     ◮ Generate the public key of $\Pi$ and publish it
     ◮ Voters submit $e_i = \mathrm{Enc}_\Pi(v_i)$
     ◮ Authorities verify the augmentations and publish $c_i = \mathrm{Extract}_C(e_i)$
     For homomorphic tallying:
     ◮ Authorities publish an opening of $\prod_i c_i$
     ◮ Verifiability follows from the binding property of Com
     For mixnet-based tallying:
     ◮ Authorities publish openings of the verifiably shuffled $c_i$ (using a statistical ZK proof)
     ◮ Verifiability follows from the binding property of Com

 11. Privacy and Verifiability
     Privacy:
     ◮ The BB contains perfectly hiding commitments: this satisfies an information-theoretic version of the ballot privacy definition
     ◮ The BB contains an opening of the election outcome: an unbounded adversary can derive this opening from the outcome anyway
     ◮ The BB may contain extra proofs: these give nothing more as long as they are statistical ZK
     Universal Verifiability:
     ◮ Offered by the computational binding property of the commitments
     ◮ And the soundness of the ZK proofs

 12. How to make this work?
     Based on ElGamal and Pedersen?
     ◮ Commitment $g^v h^r$ and ciphertext $(g^s, h^r y^s)$? But $r$ is full size, so we cannot extract the DL
     ◮ Commitment $g^v h^r$ and ciphertext $(g^s, \text{``}r\text{''}\, y^s)$? But not additively homomorphic, and it seems to require cut-and-choose validity proofs
     Based on Paillier and Pedersen?
     ◮ Commitment $g^v h^r$ and ciphertext $(1+N)^r s^N$? [MN07]
     But:
     ◮ Paillier distributed key generation is extremely challenging (needs $N = pq$ with unknown primes $p$ and $q$)
     ◮ Paillier works mod $N^2$, which can be too expensive
     ◮ Still, we proved that it is secure for our generic construction

 13. CC encryption for Homomorphic Tallying
     Use EC groups with an asymmetric pairing $e : G_1 \times G_2 \to G_T$, with the DDH assumption holding in $G_1$ and $G_2$ (e.g., BN or BLS curves).
     The PPAT1 scheme:
     ◮ Public key: random $g, g_1$ generating $G_1$ and $h, h_1$ generating $G_2$. Private key: $x_1$ with $g_1 = g^{x_1}$
     ◮ $\mathrm{Enc}(v) := (c_0, c_1, c_2) = (g^s,\; g^r g_1^s,\; h^r h_1^v)$
     ◮ $\mathrm{Extract}_C(c_0, c_1, c_2) := c_2$
     ◮ $\mathrm{Dec}(c_0, c_1, c_2) :=$ DL of $e(c_0^{x_1} c_1^{-1}, h) \cdot e(g, c_2)$ in basis $e(g, h_1)$
     ◮ The opening of $c_2$ is $g^r$; verification: $e(g^r, h) \stackrel{?}{=} e(g, c_2 / h_1^v)$
     Observations:
     ◮ This scheme is homomorphic and IND-CPA under DDH
     ◮ VA can be made from the usual sigma protocols
     ◮ Looks like Pedersen, but is actually quite different
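The PPAT1 equations above, together with the homomorphic tally of slide 10, as an added worked example that is not part of the talk or of the authors' code. It assumes a constructed simulation of the bilinear group in which every element is represented by its discrete logarithm modulo a constructed prime, so the pairing becomes a product of exponents; this checks only the algebra (decryption, openings, tally and their verification) and offers no security.

```python
import secrets

# Constructed simulation of the asymmetric bilinear group: each element of G1, G2, GT
# is represented by its discrete log mod Q, so g^a is a, the product g^a * g^b is a + b,
# and e(g^a, h^b) = e(g, h)^(ab) is a * b. This checks the PPAT1 algebra only; it has no
# security, since the discrete logs the real scheme hides are handed out by construction.
Q = 2**127 - 1  # constructed prime modulus, not a real curve order

def pair(a, b):  # e(g^a, h^b) -> e(g, h)^(a*b)
    return a * b % Q

def keygen():
    x1 = secrets.randbelow(Q - 2) + 2        # private key x1, with g1 = g^x1
    t = secrets.randbelow(Q - 2) + 2         # h1 = h^t; in the real scheme t is unknown
    return {"g": 1, "g1": x1, "h": 1, "h1": t}, x1

def enc(pk, v):
    """Enc(v) = (g^s, g^r g1^s, h^r h1^v): an ElGamal encryption of the opening g^r
    plus the perfectly hiding commitment c2 that goes to the public bulletin board."""
    r, s = secrets.randbelow(Q), secrets.randbelow(Q)
    return (s * pk["g"] % Q, (r * pk["g"] + s * pk["g1"]) % Q, (r * pk["h"] + v * pk["h1"]) % Q)

def extract_c(ct):
    return ct[2]                            # Extract_C(c0, c1, c2) := c2

def opening(x1, ct):
    c0, c1, _ = ct                          # trustees decrypt (c0, c1): g^r = c1 / c0^x1
    return (c1 - x1 * c0) % Q

def dec(pk, x1, ct, max_v):
    """DL of e(c0^x1 / c1, h) * e(g, c2) in basis e(g, h1), found by exhaustive search
    over 0..max_v, which is how a small tally is recovered in practice."""
    c0, c1, c2 = ct
    target = (pair((x1 * c0 - c1) % Q, pk["h"]) + pair(pk["g"], c2)) % Q
    base = pair(pk["g"], pk["h1"])
    for v in range(max_v + 1):
        if v * base % Q == target:
            return v
    raise ValueError("value outside the expected range")

def verify_opening(pk, c2, v, g_r):
    """Public check e(g^r, h) == e(g, c2 / h1^v), using only bulletin-board data."""
    return pair(g_r, pk["h"]) == pair(pk["g"], (c2 - v * pk["h1"]) % Q)

def tally(pk, x1, cts):
    """Homomorphic tally: decrypt the product of ciphertexts and publish the product of
    the public commitments with a single opening of it (slide 10)."""
    prod = tuple(sum(ct[i] for ct in cts) % Q for i in range(3))
    result = dec(pk, x1, prod, len(cts))
    return result, extract_c(prod), opening(x1, prod)
```

An auditor only ever sees the commitments, the claimed result and the published opening; the ElGamal parts stay on the private board.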

 14. CC encryption for Mixnet-based Tallying
     The PPAT1 scheme requires a DL extraction in decryption; mixnets only require the possibility of re-encryption.
     The PPAT2 scheme:
     ◮ Public key: random $g, g_1, g_2$ generating $G_1$ and $h, h_1$ generating $G_2$. Private key: $x_1$ with $g_1 = g^{x_1}$ and $x_2$ with $g_2 = g^{x_2}$
     ◮ $\mathrm{Enc}(v) := (a_1, a_2, b, c_1, c_2) = (g^{r_1},\; g^{r_2},\; g_1^{r} g_2^{r_2},\; v\, g_1^{r_1},\; h^{r} h_1^{r_1})$
     ◮ $\mathrm{Extract}_C(a_1, a_2, b, c_1, c_2) := (c_1, c_2)$
     ◮ $\mathrm{Dec}(a_1, a_2, b, c_1, c_2) := c_1 / a_1^{x_1}$
     ◮ The opening of $(c_1, c_2)$ is $g_1^{r}$; verification: $e(g_1, c_2) \stackrel{?}{=} e(g_1^{r}, h) \cdot e(c_1 / v, h_1)$
     Observations:
     ◮ Same remarks for IND-CPA and VA
     ◮ Homomorphic for EC point addition (but we do not care)
     ◮ Looks like Pedersen/PPAT1, but again fairly different

 15. Efficiency Comparisons
     Assuming:
     ◮ a 256-bit multiplication costs 1
     ◮ multiplication has quadratic complexity
     ◮ exponentiation/point multiplication by square-and-multiply
     Cost of 1 encryption (+ 0/1 proof for PPAT1), in exponentiations per group:

     Scheme              Z*_p   Z*_{N^2}   G_1   G_2   Total cost
     Pedersen/Paillier     4       10       0     0    8.650.752
     PPAT1                 0        0       6     6      115.200
     PPAT2                 0        0       9     4       96.000

     Implementation estimates for a JavaScript implementation:
     ◮ Standard techniques provide a PPAT2 ciphertext in < 1 s
     ◮ Ongoing implementation expected to improve this by ≈ 20

 16. Conclusions
     We provide a model and tools for building universally verifiable voting systems with a perfectly private audit trail:
     ◮ Our CCVA schemes make it possible to get a perfectly private audit trail efficiently
     ◮ They can be plugged into most voting systems based on homomorphic encryption, which then inherit the properties of those systems + PPAT
     ◮ Standard "sigma" ZK protocols can be used for validity proofs and mixing
