Outline Efficient Receipt-Freeness for e-Voting David Pointcheval - PowerPoint PPT Presentation

Introduction Cryptographic Tools State-of-the-Art Signatures on Ciphertexts Introduction Cryptographic Tools State-of-the-Art Signatures on Ciphertexts Outline Efficient Receipt-Freeness for e-Voting David Pointcheval 1 Introduction Joint work with Olivier Blazy, Georg Fuchsbauer and Damien Vergnaud 2 Cryptographic Tools Ecole normale sup´ erieure, CNRS & INRIA 3 Electronic Voting: State-of-the-Art 4 Signatures on Randomizable Ciphertexts Chinacrypt – Beijing – China October 17th, 2010 David Pointcheval – 1/43 David Pointcheval – 2/43 Introduction Cryptographic Tools State-of-the-Art Signatures on Ciphertexts Introduction Cryptographic Tools State-of-the-Art Signatures on Ciphertexts Electronic Voting Outline Dessert Choice If one wants to get preferences for the desserts, one asks people to vote for Introduction 1 � Chocolate Cake Electronic Voting � Cheese Cake Homomorphic Encryption � Ice Cream Apple � 2 Cryptographic Tools with e.g. , possibly 2 choices 3 Electronic Voting: State-of-the-Art After collection of the ballots, one counts the number of choices: Chocolate Cake 243 1 Chocolate Cake 4 Signatures on Randomizable Ciphertexts Cheese Cake 111 2 Ice Cream → Ice Cream 167 3 Cheese Cake Apple 52 4 Apple David Pointcheval – 3/43 David Pointcheval – 4/43

Introduction Cryptographic Tools State-of-the-Art Signatures on Ciphertexts Introduction Cryptographic Tools State-of-the-Art Signatures on Ciphertexts Electronic Voting Homomorphic Encryption Electronic Voting: Basic Properties General Approach: Homomorphic Encryption Authentication Homomorphic Encryption & Signature Only people authorized to vote should be able to vote The voter generates his vote v ∈ { 0 , 1 } (for each � ) Voters should vote only once The voter encrypts v to the server → c = E pk ( v ; r ) The voter signs his vote → σ = S usk ( c ; s ) Anonymity Such a pair ( c , σ ) is a ballot Votes and voters should be unlinkable unique per voter, because it is signed by the voter anonymous, because the vote is encrypted Main Approaches Counting: granted homomorphic encryption, anybody can compute Blind Signatures Homomorphic Encryption ← the most promising � � � � C = c = E pk ( v i ; r i ) = E pk ( v i ; r i ) = E pk ( V ; R ) The server decrypts the tally V = D sk ( C ) , and proves it David Pointcheval – 5/43 David Pointcheval – 6/43 Introduction Cryptographic Tools State-of-the-Art Signatures on Ciphertexts Introduction Cryptographic Tools State-of-the-Art Signatures on Ciphertexts Homomorphic Encryption Homomorphic Encryption General Approach: Homomorphic Encryption General Approach: Homomorphic Encryption Weaknesses Security Anonymity: the server can decrypt any individual vote uniqueness per voter: the voter signs his vote → use of distributed decryption (threshold decryption) anonymity: the voter encrypts his vote Receipt: if a voter wants to sell his vote, r i is a proof (a coercer can also provide a modified voting client system Universal Verifiability in order to generate a receipt or even receive it directly) Soundness: every step can be proven and publicly checked → re-randomization of the ciphertext identity of voter: proof of identity = signature Distributed decryption is easy (ElGamal, Linear, etc), validity of the vote: proof of bit encryption + more while re-randomization of the ciphertext requires more work! decryption: proof of decryption Receipt-Freeness All the steps (voting + counting) can be checked afterwards Our goal is to prevent receipts Helios is from this family: the IACR e-voting process → receipt-free electronic system David Pointcheval – 7/43 David Pointcheval – 8/43

Introduction Cryptographic Tools State-of-the-Art Signatures on Ciphertexts Introduction Cryptographic Tools State-of-the-Art Signatures on Ciphertexts Computational Assumptions Outline Assumptions: Diffie-Hellman Definition (The Computational Diffie-Hellman problem ( CDH )) Introduction 1 G a cyclic group of prime order p . The CDH assumption in G states: Cryptographic Tools for any generator g $ ← G , and any scalars a , b $ 2 ← Z ∗ p , Computational Assumptions given ( g , g a , g b ) , it is hard to compute g ab . Signature & Encryption Security Definition (The Decisional Diffie-Hellman problem ( DDH )) Groth-Sahai Methodology G a cyclic group of prime order p . The DDH assumption in G states: Electronic Voting: State-of-the-Art 3 for any generator g $ ← G , and any scalars a , b , c $ ← Z ∗ p , given ( g , g a , g b , g c ) , it is hard to decide whether c = ab or not. Signatures on Randomizable Ciphertexts 4 In some pairing-friendly groups, the latter assumption is wrong. David Pointcheval – 9/43 David Pointcheval – 10/43 Introduction Cryptographic Tools State-of-the-Art Signatures on Ciphertexts Introduction Cryptographic Tools State-of-the-Art Signatures on Ciphertexts Computational Assumptions Signature & Encryption Assumptions: Linear Problem General Tools: Signature Definition (Decision Linear Assumption ( DLin )) Definition (Signature Scheme) G a cyclic group of prime order p . S = ( Setup , SKeyGen , Sign , Verif ) : The DLin assumption states: Setup ( 1 k ) → global parameters param ; for any generator g $ ← G , and any scalars a , b , x , y , c $ ← Z ∗ p , SKeyGen ( param ) → pair of keys ( sk , vk ) ; given ( g , g x , g y , g xa , g yb , g c ) , Sign ( sk , m ; s ) → signature σ , using the random coins s ; it is hard to decide whether c = a + b or not. Verif ( vk , m , σ ) → validity of σ Equivalently, given a reference triple ( u = g x , v = g y , g ) and a new triple ( U = u a = g xa , V = v b = g yb , T = g c ) , If one signs F = F ( M ) , for any function F , one extends the above decide whether T = g a + b or not (that is c = a + b ). definitions: Sign ( sk , ( F , F , Π M ); s ) and Verif ( vk , ( F , F , Π M ) , σ ) where F details the function that is applied to the message M yielding F , and Π M is a proof of knowledge of a preimage of F under F . David Pointcheval – 11/43 David Pointcheval – 12/43

Introduction Cryptographic Tools State-of-the-Art Signatures on Ciphertexts Introduction Cryptographic Tools State-of-the-Art Signatures on Ciphertexts Signature & Encryption Signature & Encryption Signature: Example General Tools: Encryption In a group G of order p , with a generator g , Definition (Encryption Scheme) and a bilinear map e : G × G → G T E = ( Setup , EKeyGen , Encrypt , Decrypt ) : Waters Signature [Waters, 2005] Setup ( 1 k ) → global parameters param ; For a message M = ( M 1 , . . . , M k ) ∈ { 0 , 1 } k , EKeyGen ( param ) → pair of keys ( pk , dk ) ; u = ( u 0 , . . . , u k ) $ � k i = 1 u M i we define F ( M ) = u 0 i , where � ← G k + 1 . Encrypt ( pk , m ; r ) → ciphertext c , using the random coins r ; For an additional generator h $ ← G . Decrypt ( dk , c ) → plaintext, or ⊥ if the ciphertext is invalid. SKeyGen : vk = X = g x , sk = Y = h x , for x $ ← Z p ; Sign ( sk = Y , M ; s ) , for M ∈ { 0 , 1 } k and s $ ← Z p Homomorphic Encryption � σ 1 = Y · F ( M ) s , σ 2 = g − s � → σ = ; For some group laws: ⊕ on the plaintext, ⊗ on the ciphertext, Verif ( vk = X , M , σ = ( σ 1 , σ 2 )) checks whether and ⊙ on the randomness e ( g , σ 1 ) · e ( F ( M ) , σ 2 ) = e ( X , h ) . Encrypt ( pk , m 1 ; r 1 ) ⊗ Encrypt ( pk , m 2 ; r 2 ) = Encrypt ( pk , m 1 ⊕ m 2 ; r 1 ⊙ r 2 ) Decrypt ( sk , Encrypt ( pk , m 1 ; r 1 ) ⊗ Encrypt ( pk , m 2 ; r 2 )) = m 1 ⊕ m 2 David Pointcheval – 13/43 David Pointcheval – 14/43 Introduction Cryptographic Tools State-of-the-Art Signatures on Ciphertexts Introduction Cryptographic Tools State-of-the-Art Signatures on Ciphertexts Signature & Encryption Security Encryption: Example Security Notions: Signature In a group G of order p , with a generator g : Signature: EF-CMA Linear Encryption [Boneh, Boyen, Shacham, 2004] Existential Unforgeability EKeyGen : dk = ( x 1 , x 2 ) $ under Chosen-Message ← Z 2 p , pk = ( X 1 = g x 1 , X 2 = g x 2 ) ; Attacks Encrypt ( pk = ( X 1 , X 2 ) , m ; ( r 1 , r 2 )) , for m ∈ G and ( r 1 , r 2 ) $ ← Z 2 p An adversary should not be c 1 = X r 1 1 , c 2 = X r 2 2 , c 3 = g r 1 + r 2 · m � � → c = ; able to generate a new valid m = c 3 / c 1 / x 1 c 1 / x 2 message-signature pair Decrypt ( dk = ( x 1 , x 2 ) , c = ( c 1 , c 2 , c 3 )) → . 1 2 even if it is allowed to ask signatures on any message Homomorphism of its choice ( ⊕ M = × , ⊗ C = × , ⊙ R = +) -homomorphism With m = g M → ( ⊕ M = + , ⊗ C = × , ⊙ R = +) -homomorphism Impossibility to forge signatures Waters signature reaches EF-CMA under the CDH assumption David Pointcheval – 15/43 David Pointcheval – 16/43