Verifiable Elections That Scale for Free Melissa Chase (MSR Redmond) - - PowerPoint PPT Presentation

Verifiable Elections That Scale for Free

Melissa Chase (MSR Redmond) Markulf Kohlweiss (MSR Cambridge) Anna Lysyanskaya (Brown University) Sarah Meiklejohn (UC San Diego)

1

10,000-foot view of cryptographic voting

2

10,000-foot view of cryptographic voting

2

Phase 1: users encrypt votes to cast ballots

10,000-foot view of cryptographic voting

2

Phase 1: users encrypt votes to cast ballots

v1

10,000-foot view of cryptographic voting

2

Phase 1: users encrypt votes to cast ballots

b1 v1

10,000-foot view of cryptographic voting

2

Phase 1: users encrypt votes to cast ballots

b1 v1 v2

10,000-foot view of cryptographic voting

2

Phase 1: users encrypt votes to cast ballots

b1 v1 b2 v2

10,000-foot view of cryptographic voting

2

Phase 1: users encrypt votes to cast ballots

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

10,000-foot view of cryptographic voting

2

Phase 2: shuffle (permute and re-randomize) the ballots Phase 1: users encrypt votes to cast ballots

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

10,000-foot view of cryptographic voting

2

b1 b2 b3 b4 b5

Phase 2: shuffle (permute and re-randomize) the ballots Phase 1: users encrypt votes to cast ballots

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

10,000-foot view of cryptographic voting

2

b1 b2 b3 b4 b5

Phase 2: shuffle (permute and re-randomize) the ballots Phase 1: users encrypt votes to cast ballots

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

10,000-foot view of cryptographic voting

2

b1 b2 b3 b4 b5

Phase 2: shuffle (permute and re-randomize) the ballots Phase 1: users encrypt votes to cast ballots

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

10,000-foot view of cryptographic voting

2

b1 b2 b3 b4 b5

Phase 2: shuffle (permute and re-randomize) the ballots Phase 1: users encrypt votes to cast ballots

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

10,000-foot view of cryptographic voting

2

b1 b2 b3 b4 b5

Phase 2: shuffle (permute and re-randomize) the ballots Phase 1: users encrypt votes to cast ballots

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

10,000-foot view of cryptographic voting

2

b1 b2 b3 b4 b5

Phase 2: shuffle (permute and re-randomize) the ballots Phase 1: users encrypt votes to cast ballots

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

10,000-foot view of cryptographic voting

2

b1 b2 b3 b4 b5

Phase 2: shuffle (permute and re-randomize) the ballots Phase 1: users encrypt votes to cast ballots

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

10,000-foot view of cryptographic voting

2

b1 b2 b3 b4 b5

Phase 2: shuffle (permute and re-randomize) the ballots Phase 1: users encrypt votes to cast ballots

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

10,000-foot view of cryptographic voting

2

b1 b2 b3 b4 b5

Phase 2: shuffle (permute and re-randomize) the ballots Phase 1: users encrypt votes to cast ballots

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

10,000-foot view of cryptographic voting

2

b1 b2 b3 b4 b5

Phase 2: shuffle (permute and re-randomize) the ballots Phase 1: users encrypt votes to cast ballots

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

10,000-foot view of cryptographic voting

2

. . .

b1 b2 b3 b4 b5

Phase 2: shuffle (permute and re-randomize) the ballots Phase 1: users encrypt votes to cast ballots

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

10,000-foot view of cryptographic voting

2

. . .

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

Phase 2: shuffle (permute and re-randomize) the ballots Phase 1: users encrypt votes to cast ballots

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

10,000-foot view of cryptographic voting

2

. . .

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

Phase 2: shuffle (permute and re-randomize) the ballots Phase 3: threshold decrypt the shuffled ballots Phase 1: users encrypt votes to cast ballots

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

10,000-foot view of cryptographic voting

2

. . .

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

Phase 2: shuffle (permute and re-randomize) the ballots Phase 3: threshold decrypt the shuffled ballots Phase 1: users encrypt votes to cast ballots

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

10,000-foot view of cryptographic voting

2

. . .

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

Phase 2: shuffle (permute and re-randomize) the ballots Phase 3: threshold decrypt the shuffled ballots

sec ret k ey

Phase 1: users encrypt votes to cast ballots

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

10,000-foot view of cryptographic voting

2

. . .

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

Phase 2: shuffle (permute and re-randomize) the ballots Phase 3: threshold decrypt the shuffled ballots

sec ret k ey

Phase 1: users encrypt votes to cast ballots

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

10,000-foot view of cryptographic voting

2

. . .

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

B1 B2 B3 B4 B5

Phase 2: shuffle (permute and re-randomize) the ballots Phase 3: threshold decrypt the shuffled ballots

sec ret k ey

Phase 1: users encrypt votes to cast ballots

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

10,000-foot view of cryptographic voting

2

. . .

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

B1 B2 B3 B4 B5

Phase 2: shuffle (permute and re-randomize) the ballots Phase 3: threshold decrypt the shuffled ballots

v1 v2 v3 v4 v5

sec ret k ey

Phase 1: users encrypt votes to cast ballots

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

Verifiable elections [Ben87,Neff01,...,GL07]

3

. . .

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

If we want to make this verifiable, meaning anyone can check that things went as they should, then one solution is to just add proofs everywhere

Verifiable elections [Ben87,Neff01,...,GL07]

3

. . .

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

If we want to make this verifiable, meaning anyone can check that things went as they should, then one solution is to just add proofs everywhere

Verifiable elections [Ben87,Neff01,...,GL07]

3

π1 π2 πM . . .

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

If we want to make this verifiable, meaning anyone can check that things went as they should, then one solution is to just add proofs everywhere Then to check that election was fair, need to verify each πi separately (for non- interactive solution; for interactive have [Abe98,FI07])

Verifiable elections [Ben87,Neff01,...,GL07]

3

π1 π2 πM . . .

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

If we want to make this verifiable, meaning anyone can check that things went as they should, then one solution is to just add proofs everywhere Then to check that election was fair, need to verify each πi separately (for non- interactive solution; for interactive have [Abe98,FI07]) This means verifier input is of size O(LM + LN) (L = # voters, M = # shufflers, N = # decrypters)

Verifiable elections [Ben87,Neff01,...,GL07]

3

π1 π2 πM . . .

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

If we want to make this verifiable, meaning anyone can check that things went as they should, then one solution is to just add proofs everywhere Then to check that election was fair, need to verify each πi separately (for non- interactive solution; for interactive have [Abe98,FI07]) This means verifier input is of size O(LM + LN) (L = # voters, M = # shufflers, N = # decrypters)

Verifiable elections [Ben87,Neff01,...,GL07]

3

π1 π2 πM . . .

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

M proofs of size O(L) for shuffle

If we want to make this verifiable, meaning anyone can check that things went as they should, then one solution is to just add proofs everywhere Then to check that election was fair, need to verify each πi separately (for non- interactive solution; for interactive have [Abe98,FI07]) This means verifier input is of size O(LM + LN) (L = # voters, M = # shufflers, N = # decrypters)

Verifiable elections [Ben87,Neff01,...,GL07]

3

π1 π2 πM . . .

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

M proofs of size O(L) for shuffle N proofs of size O(L) for threshold decryption

Our contributions

4

Our contributions

4

In this work we present an election with verifier input of size O(L+M+N)

Our contributions

4

In this work we present an election with verifier input of size O(L+M+N)

• Do so by using controlled-malleable zero-knowledge proofs [CKLM12]

Our contributions

4

In this work we present an election with verifier input of size O(L+M+N)

• Do so by using controlled-malleable zero-knowledge proofs [CKLM12]
• Define compact threshold decryption (like compactly verifiable shuffle) and

a notion of vote privacy in an election

Our contributions

4

In this work we present an election with verifier input of size O(L+M+N)

• Do so by using controlled-malleable zero-knowledge proofs [CKLM12]
• Define compact threshold decryption (like compactly verifiable shuffle) and

a notion of vote privacy in an election

• Give efficient instantiations of shuffle and threshold decryption schemes

based on Decision Linear [BBS04] and two static assumptions [GL07]

Outline

5

Outline

5

Definitions

Outline

5

Definitions Shuffling and decrypting

Outline

5

Definitions Shuffling and decrypting A voting scheme

Outline

5

Definitions Shuffling and decrypting A voting scheme Conclusions

Outline

5

Definitions Shuffling and decrypting A voting scheme Conclusions Definitions

Malleable proofs [CKLM12] Compact shuffles [CKLM12] Threshold decryption

Malleability for proofs [CKLM12]

6

Malleability for proofs [CKLM12]

Example: take a proof π1 that b1 is a bit and a proof π2 that b2 is a bit, and “maul” them somehow to get a proof that b1⋅b2 is a bit

6

Malleability for proofs [CKLM12]

Example: take a proof π1 that b1 is a bit and a proof π2 that b2 is a bit, and “maul” them somehow to get a proof that b1⋅b2 is a bit More generally, a proof is malleable with respect to T if there exists an algorithm Eval that on input (T,{xi,πi}), outputs a proof π for T({xi})

6

Malleability for proofs [CKLM12]

Example: take a proof π1 that b1 is a bit and a proof π2 that b2 is a bit, and “maul” them somehow to get a proof that b1⋅b2 is a bit More generally, a proof is malleable with respect to T if there exists an algorithm Eval that on input (T,{xi,πi}), outputs a proof π for T({xi})

• E.g., T = ×, xi = “bi is a bit”

6

Malleability for proofs [CKLM12]

Example: take a proof π1 that b1 is a bit and a proof π2 that b2 is a bit, and “maul” them somehow to get a proof that b1⋅b2 is a bit More generally, a proof is malleable with respect to T if there exists an algorithm Eval that on input (T,{xi,πi}), outputs a proof π for T({xi})

• E.g., T = ×, xi = “bi is a bit”

Can define zero knowledge in the usual way as long as proofs are malleable

• nly with respect to operations under which the language is closed

6

Malleability for proofs [CKLM12]

Example: take a proof π1 that b1 is a bit and a proof π2 that b2 is a bit, and “maul” them somehow to get a proof that b1⋅b2 is a bit More generally, a proof is malleable with respect to T if there exists an algorithm Eval that on input (T,{xi,πi}), outputs a proof π for T({xi})

• E.g., T = ×, xi = “bi is a bit”

Can define zero knowledge in the usual way as long as proofs are malleable

• nly with respect to operations under which the language is closed

But how to define a strong notion of soundness like extractability?

6

Controlled-malleable proofs (cm-NIZKs) [CKLM12]

7

Consider an allowable set of transformations T

Controlled-malleable proofs (cm-NIZKs) [CKLM12]

7

Consider an allowable set of transformations T High-level idea: extractor can pull out either a witness (fresh proof), or a previously queried instance and a transformation in T from that instance to the new one (validly transformed proof)

Controlled-malleable proofs (cm-NIZKs) [CKLM12]

7

Consider an allowable set of transformations T High-level idea: extractor can pull out either a witness (fresh proof), or a previously queried instance and a transformation in T from that instance to the new one (validly transformed proof) A bit more formally: from (x,π) the extractor outputs (w,x′,T) such that either (1) (x,w)∈R or (2) x′ was queried (to simulator) and x = T(x′) for T∈T

Controlled-malleable proofs (cm-NIZKs) [CKLM12]

7

Consider an allowable set of transformations T High-level idea: extractor can pull out either a witness (fresh proof), or a previously queried instance and a transformation in T from that instance to the new one (validly transformed proof) A bit more formally: from (x,π) the extractor outputs (w,x′,T) such that either (1) (x,w)∈R or (2) x′ was queried (to simulator) and x = T(x′) for T∈T We call the proof CM-SSE (controlled malleable simulation sound extractable) if no PPT adversary A can violate these two conditions

Controlled-malleable proofs (cm-NIZKs) [CKLM12]

7

Consider an allowable set of transformations T High-level idea: extractor can pull out either a witness (fresh proof), or a previously queried instance and a transformation in T from that instance to the new one (validly transformed proof) A bit more formally: from (x,π) the extractor outputs (w,x′,T) such that either (1) (x,w)∈R or (2) x′ was queried (to simulator) and x = T(x′) for T∈T We call the proof CM-SSE (controlled malleable simulation sound extractable) if no PPT adversary A can violate these two conditions If a proof is zero knowledge, CM-SSE, and strongly derivation private, then we call it a cm-NIZK

Controlled-malleable proofs (cm-NIZKs) [CKLM12]

7

(like function privacy for homomorphic encryption)

Compactly verifiable shuffles [CKLM12]

8

. . .

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

Compactly verifiable shuffles [CKLM12]

8

. . . π

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

Initial mix server still outputs a fresh proof π, but now subsequent servers “maul” this proof using permutation φi, re-randomization Ri, and secret key ski

Compactly verifiable shuffles [CKLM12]

8

. . . π

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

Initial mix server still outputs a fresh proof π, but now subsequent servers “maul” this proof using permutation φi, re-randomization Ri, and secret key ski

Compactly verifiable shuffles [CKLM12]

8

. . . π

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

π(2)=Eval(T2,π)

T2=(φ2,R2,sk2)

Initial mix server still outputs a fresh proof π, but now subsequent servers “maul” this proof using permutation φi, re-randomization Ri, and secret key ski

Compactly verifiable shuffles [CKLM12]

8

. . . π

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

π(2)=Eval(T2,π)

T2=(φ2,R2,sk2)

Initial mix server still outputs a fresh proof π, but now subsequent servers “maul” this proof using permutation φi, re-randomization Ri, and secret key ski

Compactly verifiable shuffles [CKLM12]

8

. . . π

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

π(2)=Eval(T2,π)

T2=(φ2,R2,sk2) TM=(φM,RM,skM)

Initial mix server still outputs a fresh proof π, but now subsequent servers “maul” this proof using permutation φi, re-randomization Ri, and secret key ski

Compactly verifiable shuffles [CKLM12]

8

. . . π

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

π(2)=Eval(T2,π) π(M)=Eval(Tk,π(M-1))

T2=(φ2,R2,sk2) TM=(φM,RM,skM)

Initial mix server still outputs a fresh proof π, but now subsequent servers “maul” this proof using permutation φi, re-randomization Ri, and secret key ski We call this shuffle compactly verifiable, as the last proof π(M) can now be used to verify the correctness of the whole shuffle (under an appropriate definition)

Compactly verifiable shuffles [CKLM12]

8

. . . π

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

π(2)=Eval(T2,π) π(M)=Eval(Tk,π(M-1))

T2=(φ2,R2,sk2) TM=(φM,RM,skM)

Initial mix server still outputs a fresh proof π, but now subsequent servers “maul” this proof using permutation φi, re-randomization Ri, and secret key ski We call this shuffle compactly verifiable, as the last proof π(M) can now be used to verify the correctness of the whole shuffle (under an appropriate definition) So if there are L ciphertexts and M servers, proof size can be O(L+M)

Compact threshold decryption

9

Compact threshold decryption

9

C=Enc(pk,m)

Compact threshold decryption

9

C=Enc(pk,m) KeyGen Enc

Compact threshold decryption

9

sec

C=Enc(pk,m) KeyGen Enc

Compact threshold decryption

9

sec

C=Enc(pk,m) s1 KeyGen Enc

Compact threshold decryption

9

sec ret

C=Enc(pk,m) s1 KeyGen Enc

Compact threshold decryption

9

sec ret

C=Enc(pk,m) s1 s2 KeyGen Enc

Compact threshold decryption

9

sec ret

C=Enc(pk,m) s1 s2 KeyGen Enc ShareDec (ShareProve)

Formed with ShareDec(C,s1)

Shares contain proof of correctness

Compact threshold decryption

9

sec ret k

C=Enc(pk,m) s1 s2 KeyGen Enc ShareDec (ShareProve) ShareVerify

Formed with ShareDec(C,s1)

Shares contain proof of correctness

Compact threshold decryption

9

sec ret k

C=Enc(pk,m) s1 s2 s3 KeyGen Enc ShareDec (ShareProve) ShareVerify

Formed with ShareDec(C,s1)

Shares contain proof of correctness

Compact threshold decryption

9

sec ret k ey

C=Enc(pk,m) s1 s2 s3 KeyGen Enc ShareDec (ShareProve) ShareVerify

Formed with ShareDec(C,s1)

Shares contain proof of correctness

Compact threshold decryption

9

sec ret k ey

C=Enc(pk,m) s1 s2 s3 KeyGen Enc ShareDec (ShareProve) ShareVerify m

Formed with ShareDec(C,s1)

Shares contain proof of correctness

π(N)

Compact threshold decryption

9

sec ret k ey

C=Enc(pk,m) s1 s2 s3 KeyGen Enc ShareDec (ShareProve) ShareVerify m

Formed with ShareDec(C,s1)

Shares contain proof of correctness Servers can decrypt in any order; not fixed

π(N)

Compact threshold decryption

9

sec ret k ey

C=Enc(pk,m) s1 s2 s3 KeyGen Enc ShareDec (ShareProve) ShareVerify m

Formed with ShareDec(C,s1)

Shares contain proof of correctness Servers can decrypt in any order; not fixed Once again, final proof π(N) suffices for whole decryption, meaning total proof size can again be O(L+N) instead of O(LN) (again, under an appropriate definition)

π(N)

Outline

10

Cryptographic background Shuffling and decrypting A voting scheme Conclusions Definitions Shuffling and decrypting

A compact verifiable shuffle Threshold decryption

Preliminary: BBS encryption [BBS04]

11

Preliminary: BBS encryption [BBS04]

11

Setup: generate a symmetric prime-order bilinear group (p,G,GT,e,g)

Preliminary: BBS encryption [BBS04]

11

Setup: generate a symmetric prime-order bilinear group (p,G,GT,e,g) KeyGen(crs): α,β ← Fp; f = gα, h = gβ; output sk = (α,β) and pk = (f,h)

Preliminary: BBS encryption [BBS04]

11

Setup: generate a symmetric prime-order bilinear group (p,G,GT,e,g) KeyGen(crs): α,β ← Fp; f = gα, h = gβ; output sk = (α,β) and pk = (f,h) Enc(crs,pk,M): r,s ← Fp; u = fr, v = hs, w = gr+sM; return (u,v,w)

Preliminary: BBS encryption [BBS04]

11

Setup: generate a symmetric prime-order bilinear group (p,G,GT,e,g) KeyGen(crs): α,β ← Fp; f = gα, h = gβ; output sk = (α,β) and pk = (f,h) Enc(crs,pk,M): r,s ← Fp; u = fr, v = hs, w = gr+sM; return (u,v,w) Dec(crs,sk,(u,v,w)): return u-1/αv-1/βw

Part 1: Compact verifiable shuffle

12

Part 1: Compact verifiable shuffle

12

Our concrete shuffle is based on the Groth-Lu shuffle [GL07]

Part 1: Compact verifiable shuffle

12

Our concrete shuffle is based on the Groth-Lu shuffle [GL07]

• CRS of size O(M), proofs of size O(L) (but M of them)
• Based on static pairing-based assumptions

Part 1: Compact verifiable shuffle

12

Our concrete shuffle is based on the Groth-Lu shuffle [GL07]

• CRS of size O(M), proofs of size O(L) (but M of them)
• Based on static pairing-based assumptions

Basically, alter their proofs and make them malleable (i.e., show they satisfy CM-friendliness)

Part 1: Compact verifiable shuffle

12

Our concrete shuffle is based on the Groth-Lu shuffle [GL07]

• CRS of size O(M), proofs of size O(L) (but M of them)
• Based on static pairing-based assumptions

Basically, alter their proofs and make them malleable (i.e., show they satisfy CM-friendliness) End up with CRS of size O(M), proofs of size O(L+M) (improvement over [CKLM12], which had constant-sized CRS but proofs of size O(L2+M))

Part 2: Compact threshold decryption (KeyGen)

13

To split BBS decryption key sk = (α,β), just pick α1,β1,...,αN-1,βN-1 ← Fp and set αN = -1/α - ∑ αi and βN = -1/β - ∑ βi; then α1 + ... + αN = -1/α and β1 + ... + βN =

• 1/β

Part 2: Compact threshold decryption (KeyGen)

13

To split BBS decryption key sk = (α,β), just pick α1,β1,...,αN-1,βN-1 ← Fp and set αN = -1/α - ∑ αi and βN = -1/β - ∑ βi; then α1 + ... + αN = -1/α and β1 + ... + βN =

• 1/β

Part 2: Compact threshold decryption (KeyGen)

13

sec ret k ey

To split BBS decryption key sk = (α,β), just pick α1,β1,...,αN-1,βN-1 ← Fp and set αN = -1/α - ∑ αi and βN = -1/β - ∑ βi; then α1 + ... + αN = -1/α and β1 + ... + βN =

• 1/β

Part 2: Compact threshold decryption (KeyGen)

13

sec ret k ey

To split BBS decryption key sk = (α,β), just pick α1,β1,...,αN-1,βN-1 ← Fp and set αN = -1/α - ∑ αi and βN = -1/β - ∑ βi; then α1 + ... + αN = -1/α and β1 + ... + βN =

• 1/β

Part 2: Compact threshold decryption (KeyGen)

13

sec ret k ey

ski = (αi,βi)

To split BBS decryption key sk = (α,β), just pick α1,β1,...,αN-1,βN-1 ← Fp and set αN = -1/α - ∑ αi and βN = -1/β - ∑ βi; then α1 + ... + αN = -1/α and β1 + ... + βN =

• 1/β

Observe that for c = (u,v,w) = Enc(pk,m):

Part 2: Compact threshold decryption (KeyGen)

13

sec ret k ey

ski = (αi,βi)

To split BBS decryption key sk = (α,β), just pick α1,β1,...,αN-1,βN-1 ← Fp and set αN = -1/α - ∑ αi and βN = -1/β - ∑ βi; then α1 + ... + αN = -1/α and β1 + ... + βN =

• 1/β

Observe that for c = (u,v,w) = Enc(pk,m): w ∏ uαj⋅vβj = uα1+...+αk⋅vβ1+...+βk⋅w = u-1/α⋅v-1/βw

Part 2: Compact threshold decryption (KeyGen)

13

sec ret k ey

ski = (αi,βi)

To split BBS decryption key sk = (α,β), just pick α1,β1,...,αN-1,βN-1 ← Fp and set αN = -1/α - ∑ αi and βN = -1/β - ∑ βi; then α1 + ... + αN = -1/α and β1 + ... + βN =

• 1/β

Observe that for c = (u,v,w) = Enc(pk,m): w ∏ uαj⋅vβj = uα1+...+αk⋅vβ1+...+βk⋅w = u-1/α⋅v-1/βw = m

Part 2: Compact threshold decryption (KeyGen)

13

sec ret k ey

ski = (αi,βi)

To split BBS decryption key sk = (α,β), just pick α1,β1,...,αN-1,βN-1 ← Fp and set αN = -1/α - ∑ αi and βN = -1/β - ∑ βi; then α1 + ... + αN = -1/α and β1 + ... + βN =

• 1/β

Observe that for c = (u,v,w) = Enc(pk,m): w ∏ uαj⋅vβj = uα1+...+αk⋅vβ1+...+βk⋅w = u-1/α⋅v-1/βw = m Also want verification key vk = (Com(sk1)=(Com(α1),Com(β1)),...,Com(skN))

Part 2: Compact threshold decryption (KeyGen)

13

sec ret k ey

ski = (αi,βi)

Part 2: Compact threshold decryption (ShareDec)

14

Part 2: Compact threshold decryption (ShareDec)

14

So say decrypter with skj = (αj,βj) gets share (s,I,π)

Part 2: Compact threshold decryption (ShareDec)

14

So say decrypter with skj = (αj,βj) gets share (s,I,π)

partial decryption

Part 2: Compact threshold decryption (ShareDec)

14

So say decrypter with skj = (αj,βj) gets share (s,I,π)

partial decryption participants

Part 2: Compact threshold decryption (ShareDec)

14

So say decrypter with skj = (αj,βj) gets share (s,I,π)

partial decryption participants proof of correct partial decryption

Part 2: Compact threshold decryption (ShareDec)

14

So say decrypter with skj = (αj,βj) gets share (s,I,π)

• First check ShareVerify(s,I,π)

partial decryption participants proof of correct partial decryption

Part 2: Compact threshold decryption (ShareDec)

14

So say decrypter with skj = (αj,βj) gets share (s,I,π)

• First check ShareVerify(s,I,π)
• Then compute sj = uαj⋅vβj (initial decrypter does uαkvβkw)

partial decryption participants proof of correct partial decryption

Part 2: Compact threshold decryption (ShareDec)

14

So say decrypter with skj = (αj,βj) gets share (s,I,π)

• First check ShareVerify(s,I,π)
• Then compute sj = uαj⋅vβj (initial decrypter does uαkvβkw)
• Compute vkc = ∏i∈I vki

partial decryption participants proof of correct partial decryption

Part 2: Compact threshold decryption (ShareDec)

14

So say decrypter with skj = (αj,βj) gets share (s,I,π)

• First check ShareVerify(s,I,π)
• Then compute sj = uαj⋅vβj (initial decrypter does uαkvβkw)
• Compute vkc = ∏i∈I vki
• Compute s′ = s⋅sj and π′ ← Eval(crs,T,(vkc,c,s),π) for T = (sj,gαj,gβj)

partial decryption participants proof of correct partial decryption

Part 2: Compact threshold decryption (ShareDec)

14

So say decrypter with skj = (αj,βj) gets share (s,I,π)

• First check ShareVerify(s,I,π)
• Then compute sj = uαj⋅vβj (initial decrypter does uαkvβkw)
• Compute vkc = ∏i∈I vki
• Compute s′ = s⋅sj and π′ ← Eval(crs,T,(vkc,c,s),π) for T = (sj,gαj,gβj)

partial decryption participants proof of correct partial decryption

}

“the participants represented in vkc have correctly partially decrypted c to produce s”

Part 2: Compact threshold decryption (ShareDec)

14

So say decrypter with skj = (αj,βj) gets share (s,I,π)

• First check ShareVerify(s,I,π)
• Then compute sj = uαj⋅vβj (initial decrypter does uαkvβkw)
• Compute vkc = ∏i∈I vki
• Compute s′ = s⋅sj and π′ ← Eval(crs,T,(vkc,c,s),π) for T = (sj,gαj,gβj)

partial decryption participants proof of correct partial decryption

}

“the participants represented in vkc have correctly partially decrypted c to produce s” (1) folds sj into s (2) folds commitments into vkc

Part 2: Compact threshold decryption (ShareDec)

14

So say decrypter with skj = (αj,βj) gets share (s,I,π)

• First check ShareVerify(s,I,π)
• Then compute sj = uαj⋅vβj (initial decrypter does uαkvβkw)
• Compute vkc = ∏i∈I vki
• Compute s′ = s⋅sj and π′ ← Eval(crs,T,(vkc,c,s),π) for T = (sj,gαj,gβj)
• Output (s′, I∪{j}, π′)

partial decryption participants proof of correct partial decryption

}

“the participants represented in vkc have correctly partially decrypted c to produce s” (1) folds sj into s (2) folds commitments into vkc

Outline

15

Cryptographic background Shuffling and decrypting A voting scheme Conclusions Definitions A voting scheme

Instantiating cryptographic voting

16

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

Phase 1: users encrypt votes to cast ballots

Instantiating cryptographic voting

16

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

Phase 1: users encrypt votes to cast ballots Set up KeyGen for BBS encryption, vk and crs for threshold decryption proofs, crs for shuffle proofs

Instantiating cryptographic voting

16

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

Phase 1: users encrypt votes to cast ballots Set up KeyGen for BBS encryption, vk and crs for threshold decryption proofs, crs for shuffle proofs For voter i, bi = (ci=BBSEnc(pk,vi),πi=PoK(ci,vi))

Instantiating cryptographic voting

16

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

Phase 1: users encrypt votes to cast ballots Set up KeyGen for BBS encryption, vk and crs for threshold decryption proofs, crs for shuffle proofs For voter i, bi = (ci=BBSEnc(pk,vi),πi=PoK(ci,vi)) The vk for threshold decryption is size O(N); for shuffles the crs is size O(M)

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

Phase 1: users encrypt votes to cast ballots

Instantiating cryptographic voting

17

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

Phase 1: users encrypt votes to cast ballots

Instantiating cryptographic voting

17

. . .

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

Phase 2: shuffle (permute and re-randomize) the ballots

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

Phase 1: users encrypt votes to cast ballots

Instantiating cryptographic voting

17

. . .

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

Phase 2: shuffle (permute and re-randomize) the ballots Intermediate mix server j mauls the previous proof using Tj = (φj,Rj,skj)

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

Phase 1: users encrypt votes to cast ballots

Instantiating cryptographic voting

17

. . .

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

Phase 2: shuffle (permute and re-randomize) the ballots Intermediate mix server j mauls the previous proof using Tj = (φj,Rj,skj) Resulting proof at the end is of size O(L+M)

Instantiating cryptographic voting

18

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

Phase 1: users encrypt votes to cast ballots

. . .

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

Phase 2: shuffle (permute and re-randomize) the ballots

Instantiating cryptographic voting

18

Phase 3: threshold decrypt the shuffled ballots

B1 B2 B3 B4 B5 v1 v2 v3 v4 v5 sec ret k ey

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

Phase 1: users encrypt votes to cast ballots

. . .

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

Phase 2: shuffle (permute and re-randomize) the ballots

Instantiating cryptographic voting

18

Phase 3: threshold decrypt the shuffled ballots

B1 B2 B3 B4 B5 v1 v2 v3 v4 v5 sec ret k ey

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

Phase 1: users encrypt votes to cast ballots

. . .

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

Phase 2: shuffle (permute and re-randomize) the ballots Resulting proof from cumulative threshold decryption is O(L+N), so total verifier input size? O(M) + O(N) + O(L+M) + O(L+N) = O(L+M+N)

Instantiating cryptographic voting

18

Phase 3: threshold decrypt the shuffled ballots

B1 B2 B3 B4 B5 v1 v2 v3 v4 v5 sec ret k ey

b1 v1 b2 v2 b3 v3 b4 v4 b5 v5

Phase 1: users encrypt votes to cast ballots

. . .

b1 b2 b3 b4 b5 B1 B2 B3 B4 B5

Phase 2: shuffle (permute and re-randomize) the ballots Resulting proof from cumulative threshold decryption is O(L+N), so total verifier input size? O(M) + O(N) + O(L+M) + O(L+N) = O(L+M+N) Also show this satisfies notion of vote privacy for elections

Outline

19

Cryptographic background Shuffling and decrypting A voting scheme Conclusions Definitions Conclusions

Conclusions and open problems

20

The notion of compact threshold decryption allows for proofs of size O(L+N)

Conclusions and open problems

20

The notion of compact threshold decryption allows for proofs of size O(L+N) This means, theoretically, that election verification size can be O(L+M+N)

Conclusions and open problems

20

The notion of compact threshold decryption allows for proofs of size O(L+N) This means, theoretically, that election verification size can be O(L+M+N) Provided a concrete election meeting this bound

Conclusions and open problems

20

The notion of compact threshold decryption allows for proofs of size O(L+N) This means, theoretically, that election verification size can be O(L+M+N) Provided a concrete election meeting this bound Full version is online at eprint.iacr.org/2012/697

Conclusions and open problems

20

The notion of compact threshold decryption allows for proofs of size O(L+N) This means, theoretically, that election verification size can be O(L+M+N) Provided a concrete election meeting this bound Full version is online at eprint.iacr.org/2012/697

Conclusions and open problems

Thanks! Any questions?

20

Regular verifiable threshold decryption [SG98]

21

Regular verifiable threshold decryption [SG98]

21

C=Enc(pk,m)

Regular verifiable threshold decryption [SG98]

21

sec ret k ey

C=Enc(pk,m)

Regular verifiable threshold decryption [SG98]

21

sec ret k ey

C=Enc(pk,m) KeyGen

Regular verifiable threshold decryption [SG98]

21

sec ret k ey

C=Enc(pk,m) KeyGen

Formed with KeyGen

Regular verifiable threshold decryption [SG98]

21

sec ret k ey

C=Enc(pk,m) KeyGen Enc

Formed with KeyGen

Regular verifiable threshold decryption [SG98]

21

sec ret k ey

C=Enc(pk,m) KeyGen Enc

Formed with KeyGen

Regular verifiable threshold decryption [SG98]

21

sec ret k ey

C=Enc(pk,m) s1 s2 s3 s4 KeyGen Enc

Formed with KeyGen

Regular verifiable threshold decryption [SG98]

21

sec ret k ey

C=Enc(pk,m) s1 s2 s3 s4 KeyGen Enc ShareDec

Formed with KeyGen Formed with ShareDec(C)

Regular verifiable threshold decryption [SG98]

21

sec ret k ey

C=Enc(pk,m) s1 s2 s3 s4 KeyGen Enc ShareDec

Formed with KeyGen Formed with ShareDec(C)

π4 π1 π2 π3

Regular verifiable threshold decryption [SG98]

21

sec ret k ey

C=Enc(pk,m) s1 s2 s3 s4 KeyGen Enc ShareDec ShareProve

Formed with KeyGen Formed with ShareDec(C)

π4

Formed with ShareProve(C,s4)

π1 π2 π3

Regular verifiable threshold decryption [SG98]

21

sec ret k ey

C=Enc(pk,m) s1 s2 s3 s4 KeyGen Enc ShareDec ShareProve ShareVerify

Formed with KeyGen Formed with ShareDec(C)

π4

Formed with ShareProve(C,s4)

π1 π2 π3

Regular verifiable threshold decryption [SG98]

21

sec ret k ey

C=Enc(pk,m) s1 s2 s3 s4 KeyGen Enc ShareDec ShareProve ShareVerify

Formed with KeyGen Formed with ShareDec(C)

π4

Formed with ShareProve(C,s4)

π1 π2 π3

Regular verifiable threshold decryption [SG98]

21

sec ret k ey

C=Enc(pk,m) s1 s2 s3 s4 KeyGen Enc ShareDec ShareProve ShareVerify Combine

Formed with KeyGen Formed with ShareDec(C)

Combine({si}) π4

Formed with ShareProve(C,s4)

π1 π2 π3

Regular verifiable threshold decryption [SG98]

21

sec ret k ey

C=Enc(pk,m) s1 s2 s3 s4 KeyGen Enc ShareDec ShareProve ShareVerify Combine

Formed with KeyGen Formed with ShareDec(C)

Combine({si}) m π4

Formed with ShareProve(C,s4)

π1 π2 π3