[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to main content

How to Challenge and Cast Your e-Vote

  • Conference paper
  • First Online:
Financial Cryptography and Data Security (FC 2016)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9603))

Included in the following conference series:

Abstract

An electronic voting protocol provides cast-as-intended verifiability if the voter can verify that her encrypted vote contains the voting options that she selected. There are some proposals of protocols with cast-as-intended verifiability in the literature, but all of them have drawbacks either in terms of usability or in terms of security. In this paper, we propose a new voting scheme with cast-as-intended verifiability which allows to audit the vote to be cast, while providing measures for avoiding coercion by allowing the voter to create fake proofs of the content of her vote. We provide an efficient implementation and formally analize its security properties.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
£29.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
GBP 19.95
Price includes VAT (United Kingdom)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
GBP 35.99
Price includes VAT (United Kingdom)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
GBP 44.99
Price includes VAT (United Kingdom)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Wombat voting system (2015). http://www.wombat-voting.com/

  2. Adida, B.: Helios: web-based open-audit voting. In: van Oorschot, P.C. (ed.) USENIX Security Symposium, pp. 335–348. USENIX Association (2008)

    Google Scholar 

  3. Bayer, S., Groth, J.: Efficient zero-knowledge argument for correctness of a shuffle. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 263–280. Springer, Heidelberg (2012). doi:10.1007/978-3-642-29011-4_17

    Chapter  Google Scholar 

  4. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of CCS 1993, NY, USA, pp. 62–73 (1993)

    Google Scholar 

  5. Bernhard, D., Cortier, V., Galindo, D., Pereira, O., Warinschi, B.: A comprehensive analysis of game-based ballot privacy definitions. IACR Cryptology ePrint Archive 2015, 255 (2015)

    Google Scholar 

  6. Bernhard, D., Pereira, O., Warinschi, B.: On necessary and sufficient conditions for private ballot submission. IACR Cryptology ePrint Archive 2012, 236 (2012)

    Google Scholar 

  7. Brassard, G., Chaum, D., Crépeau, C.: Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci. 37(2), 156–189 (1988)

    Article  MathSciNet  MATH  Google Scholar 

  8. Chaum, D.: Surevote: Technical report (2001). http://www.iavoss.org/mirror/wote01/pdfs/surevote.pdf

  9. Chaum, D., Pedersen, T.P.: Wallet databases with observers. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 89–105. Springer, Heidelberg (1993). doi:10.1007/3-540-48071-4_7

    Google Scholar 

  10. Chen, X., Wu, Q., Zhang, F., Tian, H., Wei, B., Lee, B., Lee, H., Kim, K.: New receipt-free voting scheme using double-trapdoor commitment. Inf. Sci. 181(8), 1493–1502 (2011)

    Article  MathSciNet  MATH  Google Scholar 

  11. Cortier, V., Galindo, D., Glondu, S., Izabachène, M.: Election verifiability for helios under weaker trust assumptions. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8713, pp. 327–344. Springer, Cham (2014). doi:10.1007/978-3-319-11212-1_19

    Google Scholar 

  12. Cramer, R., Gennaro, R., Schoenmakers, B.: A secure and optimally efficient multi-authority election scheme. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 103–118. Springer, Heidelberg (1997). doi:10.1007/3-540-69053-0_9

    Google Scholar 

  13. Damgård, I.: Commitment schemes and zero-knowledge protocols. In: Damgård, I.B. (ed.) EEF School 1998. LNCS, vol. 1561, pp. 63–86. Springer, Heidelberg (1999). doi:10.1007/3-540-48969-X_3

    Chapter  Google Scholar 

  14. Damgård, I., Mikkelsen, G.L.: Efficient, robust and constant-round distributed RSA key generation. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 183–200. Springer, Heidelberg (2010). doi:10.1007/978-3-642-11799-2_12

    Chapter  Google Scholar 

  15. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985). doi:10.1007/3-540-39568-7_2

    Chapter  Google Scholar 

  16. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). doi:10.1007/3-540-47721-7_12

    Google Scholar 

  17. Gharadaghy, R., Volkamer, M.: Verifiability in electronic voting - explanations for non security experts. In: Proceedings of EVOTE 2010. LNI, vol. 167, pp. 151–162. GI (2010)

    Google Scholar 

  18. Gjøsteen, K.: Analysis of an internet voting protocol. IACR Cryptology ePrint Archive 2010, 380 (2010)

    Google Scholar 

  19. Guasch, S., Morillo, P.: How to challenge and cast your e-vote. IACR Cryptology ePrint Archive (2016). To be published

    Google Scholar 

  20. Jakobsson, M., Sako, K., Impagliazzo, R.: Designated verifier proofs and their applications. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 143–154. Springer, Heidelberg (1996). doi:10.1007/3-540-68339-9_13

    Google Scholar 

  21. Juels, A., Catalano, D., Jakobsson, M.: Coercion-resistant electronic elections. In: Proceedings of WPES 2005, pp. 61–70. ACM (2005)

    Google Scholar 

  22. Krawczyk, H., Rabin, T.: Chameleon hashing and signatures. IACR Cryptology ePrint Archive 1998, 010 (1998)

    Google Scholar 

  23. Moran, T., Naor, M.: Receipt-free universally-verifiable voting with everlasting privacy. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 373–392. Springer, Heidelberg (2006). doi:10.1007/11818175_22

    Chapter  Google Scholar 

  24. Neff, C.A.: Practical high certainty intent verification for encrypted votes (2004)

    Google Scholar 

  25. Pedersen, T.P.: A threshold cryptosystem without a trusted party. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 522–526. Springer, Heidelberg (1991). doi:10.1007/3-540-46416-6_47

    Google Scholar 

  26. Ryan, P.Y.A., Teague, V.: Pretty good democracy. In: Christianson, B., Malcolm, J.A., Matyáš, V., Roe, M. (eds.) Security Protocols 2009. LNCS, vol. 7028, pp. 111–130. Springer, Heidelberg (2013). doi:10.1007/978-3-642-36213-2_15

    Chapter  Google Scholar 

  27. Sako, K., Kilian, J.: Receipt-free mix-type voting scheme. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 393–403. Springer, Heidelberg (1995). doi:10.1007/3-540-49264-X_32

    Google Scholar 

  28. Santis, A.D., Persiano, G.: Zero-knowledge proofs of knowledge without interaction (extended abstract). In: FOCS, pp. 427–436. IEEE Computer Society (1992)

    Google Scholar 

  29. Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). doi:10.1007/0-387-34805-0_22

    Chapter  Google Scholar 

  30. Schnorr, C.P., Jakobsson, M.: Security of signed ElGamal encryption. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 73–89. Springer, Heidelberg (2000). doi:10.1007/3-540-44448-3_7

    Chapter  Google Scholar 

  31. Smyth, B., Frink, S., Clarkson, M.R.: Computational election verifiability: definitions and an analysis of helios and JCJ. IACR Cryptology ePrint Archive 2015, 233 (2015)

    Google Scholar 

  32. Wikström, D.: A commitment-consistent proof of a shuffle. IACR Cryptology ePrint Archive 2011, 168 (2011)

    Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Sandra Guasch .

Editor information

Editors and Affiliations

A Security Definitions and Analysis Results

A Security Definitions and Analysis Results

1.1 A.1 Definitions

In this section we define the notions of ballot privacy, and cast as intended verifiability for an electronic voting scheme such as that described in Sect. 3. We take as basis the definitions from [5] and then adapt them to the particularities of our scheme. Other definitions such as strong consistency or strong correctness are available in the full version [19].

Ballot Privacy. It is defined by means of an experiment where an adversary is presented with two experiments and has to be able to distinguish between them. In each experiment the adversary has indirect access to a ballot box which receives the ballots created by honest voters, as well as ballots cast by the adversary itself on behalf of corrupted voters. In the case of honest voters, we let the adversary choose two possible votes which they will use to create their ballots. Which vote is used to cast a voter’s ballot that goes to a specific ballot box depends on the experiment that is taking place.

At the end of the experiment, the adversary is presented with the result of tallying the ballot box, which is the same regardless of the experiment. As noted in [5], revealing the true tally in each experiment would easily allow the adversary to distinguish between both ballot boxes. Additionally, for the votes cast by honest voters, we provide the resulting encryption proof data to the adversary in order to model a coercer which uses it to learn something about the vote. We will use a simulation functionality to generate fake proofs when required.

\({{\mathbf {\mathsf{{Exp}}}}}_{\mathcal {A}, V}^{{{\mathbf {\mathsf{{priv}}}}}, \beta }\) :

  1. 1.

    Setup phase: The challenger \(\mathcal {C}\) sets up two empty bulletin boards \(\mathsf {BB}_0\) and \(\mathsf {BB}_1\) and runs the \(\mathsf {Setup}(1^\lambda )\) algorithm to obtain the election key pair \((pk, sk)\) and the empty list of credentials \(\mathsf {ID}\). \(\mathcal {A}\) is given access to \(\mathsf {BB}_0\) when \(\beta =0\) and to \(\mathsf {BB}_1\) when \(\beta =1\).

  2. 2.

    Registration phase: The adversary may make the following query:

    • \({\varvec{\mathcal {O}}}\) Register(\(\mathtt {id}\)): \(\mathcal {A}\) provides an identity \(\mathtt {id}\not \in \mathsf {ID}\). \(\mathcal {C}\) runs \(\mathsf {Register}(1^\lambda , \mathtt {id})\), provides the voter key pair \((pk_{\mathtt {id}}, sk_{\mathtt {id}})\) to \(\mathcal {A}\), and adds \((\mathtt {id}, pk_{\mathtt {id}})\) to \(\mathsf {ID}\).

  3. 3.

    Voting phase: The adversary may make the following types of queries:

    • \({\varvec{\mathcal {O}}}\) VoteLR(\(\mathtt {id}, v_0, v_1\)): this query models the votes cast by honest voters. \(\mathcal {A}\) provides an identity \(\mathtt {id}\in \mathsf {ID}\) and two possible votes \(v_0\), \(v_1\) \(\in V\). The challenger \(\mathcal {C}\) does the following:

      • It picks the corresponding \(pk_{\mathtt {id}}\) from \(\mathsf {ID}\) and executes \(\mathsf {CreateVote} (v_0, pk_{\mathtt {id}})\) and \(\mathsf {CreateVote}(v_1, pk_{\mathtt {id}})\) which produce the ballots \(b^0\) and \(b^1\) respectively and their encryption proof data \(\sigma _0\) and \(\sigma _1\).

      • Then it executes \(\mathsf {CastVote}(b^0, sk_{\mathtt {id}}, \mathtt {id})\), \(\mathsf {CastVote}(b^1, sk_{\mathtt {id}}, \mathtt {id})\) to obtain the authenticated ballots \(b^0_a\) and \(b^1_a\), and \(\mathsf {ProcessBallot}(BB_0, b^0_a)\) and \(\mathsf {ProcessBallot}(BB_1, b^1_a)\). If both processes return 1, the ballot boxes \(\mathsf {BB}_0\) and \(\mathsf {BB}_1\) are updated with \(b^0_a\) and \(b^1_a\) respectively. Otherwise, \(\mathcal {C}\) stops and returns \(\perp \).

      • Finally, \(\mathcal {C}\) executes \(\mathsf {FakeProof}(b^\beta , sk_{\mathtt {id}}, pk_{\mathtt {id}}, v_{\overline{\beta }})\) and provides \(\sigma _\beta \) and the simulated encryption proof data \(\sigma _\beta ^*\) to \(\mathcal {A}\).

    • \({\varvec{\mathcal {O}}}\) Cast(\(b_a\)): this query models the votes cast by corrupted voters. \(\mathcal {A}\) provides an authenticated ballot \(b_a\), and then \(\mathcal {C}\) executes \(\mathsf {ProcessBallot}\) with \(b_a\) and each ballot box. If both algorithms return 1, both ballot boxes are updated with \(b_a\). Otherwise, \(\mathcal {C}\) halts and none of the ballot boxes are updated.

  4. 4.

    Counting phase: The challenger runs \(\textsf {Tally}(\mathsf {BB}_0, sk)\) and obtains the result r and the tally proof \(\varPi \), which are provided to \(\mathcal {A}\) in case \(\beta =0\). In case \(\beta =1\), \(\mathcal {C}\) runs \(\mathsf {SimProof}(\mathsf {BB}_1, r)\) to obtain \(\varPi ^*\), and provides \((r, \varPi ^*)\) to \(\mathcal {A}\).

  5. 5.

    Output: The output of the experiment is the guess of the adversary for the bit \(\beta \).

We say that a voting protocol as defined in Sect. 3 has ballot privacy if there exists an algorithm \(\mathsf {SimProof}\) such that for any probabilistic polynomial time (p.p.t.) adversary \(\mathcal {A}\), the following advantage is negligible in the security parameter \(\lambda \):

$$\textsf {Adv}_{\mathcal {A}}^\textsf {priv}= |\,\text {Pr}[\textsf {Exp}_{\mathcal {A}, V}^{\textsf {priv}, 0} = 1] - \text {Pr}[\textsf {Exp}_{\mathcal {A}, V}^{\textsf {priv}, 1} = 1] \,|$$

Cast-as-Intended Verifiability. A voting system is defined to be cast-as-intended verifiable if a corrupt voting device is unable to cast a vote on behalf of a voter, with a voting option different than the one chosen by the voter, without being detected. In our definition, we consider an adversary who posts ballots in the bulletin board on behalf of honest and corrupt voters. In case of honest voters, they follow the protocol and perform some validations before approving the ballot to be cast. Corrupt voters provide their approval without doing any prior verification.

\({{\mathbf {\mathsf{{Exp}}}}}_{\mathcal {A}, V}^{{{\mathbf {\mathsf{{CaI}}}}}}\) :

  1. 1.

    Setup phase: The challenger \(\mathcal {C}\) runs the \(\mathsf {Setup}(1^\lambda )\) algorithm and provides the election key pair \((pk, sk)\) to \(\mathcal {A}\). Then it publishes the empty lists of voter credentials \(\mathsf {ID}_h\) and \(\mathsf {ID}_c\) such that \(\mathsf {ID}= (\mathsf {ID}_h \cup \mathsf {ID}_c)\). Finally \(\mathcal {A}\) is given read access to \(\mathsf {BB}\).

  2. 2.

    Registration phase: The adversary may make the following queries:

    • \({\varvec{\mathcal {O}}}\) RegisterHonest(\(\mathtt {id}\)): \(\mathcal {A}\) provides an identity \(\mathtt {id}\not \in \mathsf {ID}\). The challenger \(\mathcal {C}\) runs \(\mathsf {Register}(1^\lambda , \mathtt {id})\), and adds \((\mathtt {id}, pk_{\mathtt {id}})\) to \(\mathsf {ID}_h\).

    • \({\varvec{\mathcal {O}}}\) RegisterCorrupt(\(\mathtt {id}\)): \(\mathcal {A}\) provides an identity \(\mathtt {id}\not \in \mathsf {ID}\). The challenger \(\mathcal {C}\) runs \(\mathsf {Register}(1^\lambda , \mathtt {id})\), and adds \((\mathtt {id}, pk_{\mathtt {id}})\) to \(\mathsf {ID}_c\).

  3. 3.

    Voting phase: The adversary may make the following types of queries:

    • \({\varvec{\mathcal {O}}}\) VoteHonest(\(\mathtt {id}, v_i, b, \sigma \)): this query models the votes cast by honest voters. \(\mathcal {A}\) provides an identity \(\mathtt {id}\in \mathsf {ID}_h\), a ballot b, an encryption proof data \(\sigma \) and the voting option \(v_i\). The challenger \(\mathcal {C}\) runs \(\mathsf {AuditVote}(v_i, b, \sigma , pk_{\mathtt {id}})\), and only if the result is 1 it provides \(sk_{\mathtt {id}}\) to \(\mathcal {A}\).

    • \({\varvec{\mathcal {O}}}\) VoteCorrupt(\(b, \mathtt {id}\)): this query models the votes cast by corrupted voters. \(\mathcal {A}\) provides a ballot b and an identity \(\mathtt {id}\in \mathsf {ID}_c\). \(\mathcal {C}\) answers with \(sk_{\mathtt {id}}\).

  4. 4.

    Output: The adversary submits an authenticated ballot \(b_a' = (\mathtt {id}', b', \psi ')\). The output of the experiment is 1 if the following conditions hold:

    • \(\mathtt {id}' \in \mathsf {ID}_h\)

    • \(\mathsf {ProcessBallot}(\mathsf {BB},b_a')=1\)

    • \(\mathsf {VerifyVote}(\mathsf {BB}, b',\mathtt {id}')=1\)

    • \(\mathsf {Extract}(b_a'; sk)\ne v_i'\), where \(v_i'\) is the voting option submitted by the adversary in the \(\mathcal {O}\)VoteHonest query.

We say that a voting protocol as defined in Sect. 3 has cast-as-intended verifiability if, given an \(\mathsf {Extract}\) algorithm for which the protocol is consistent with respect to \(\rho \), the following advantage is negligible in the security parameter \(\lambda \) for any probabilistic polynomial time (p.p.t.) adversary \(\mathcal {A}\):

$$\textsf {Adv}_{\mathcal {A}}^\textsf {CaI}= |\,\text {Pr}[\textsf {Exp}_{\mathcal {A}, V}^{\textsf {CaI}, 0} = 1]\,|$$

1.2 A.2 Security Analysis Results

In this section we provide the results of our security analysis, which is available in the full version of this paper [19].

Theorem 1

Let \((\mathsf {Gen_e}, \mathsf {Enc}, \mathsf {Dec})\) be an NM-CPA secure encryption scheme and \((\mathsf {GenCRS}, \mathsf {NIZKProve}, \mathsf {NIZKVerify}, \mathsf {NIZKSimulate})\) a NIZKPK which provides zero-knowledge. Then the protocol presented in Sect. 3 satisfies the ballot privacy property.

Theorem 2

Let \((\mathsf {Gen_e}, \mathsf {Enc}, \mathsf {Dec}, \mathsf {EncVerify})\) be a probabilistic encryption scheme, \((\mathsf {GenCRS}, \mathsf {NIZKProve}, \mathsf {NIZKVerify}, \mathsf {NIZKSimulate})\) a NIZKPK which is sound and \((\mathsf {Gen_s}, \mathsf {Sign}, \mathsf {SignVerify})\) an unforgeable signature scheme. Then the protocol presented in Sect. 3 satisfies the cast-as-intended verifiability property.

Rights and permissions

Reprints and permissions

Copyright information

© 2017 International Financial Cryptography Association

About this paper

Cite this paper

Guasch, S., Morillo, P. (2017). How to Challenge and Cast Your e-Vote. In: Grossklags, J., Preneel, B. (eds) Financial Cryptography and Data Security. FC 2016. Lecture Notes in Computer Science(), vol 9603. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-54970-4_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-662-54970-4_8

  • Published:

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-54969-8

  • Online ISBN: 978-3-662-54970-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics