58 research outputs found

    Voting Mix-Net Implementing a mix-net for use in electronic voting systems

    Get PDF
    Abstract In this report I present a partial implementation of the mixnet protocol described by Khazaei, Moran and Wikström in "A Mix-Net From Any CCA2 Secure Cryptosystem" for use in electronic voting. The report goes into detail how the different components of the mix-net work and how the voting system works. The implementation is not complete, but is seen as a good start towards what could become a secure electronic voting system. Referat Mix-nĂ€t för röstning I denna rapport presenterar jag en partiellt genomförande av protokollet som beskrivs av Khazaei, Moran och Wikström i rapporten Ä Mix-Net From Any CCA2 Secure Cryptosystemför anvĂ€ndning i elektronisk röstning. Den hĂ€r rapporten gĂ„r in pĂ„ detaljer om hur de olika komponenterna i mix-nĂ€tets implementationen och röstningssystemet fungerar. Implementationen anses inte vara fullstĂ€ndig, men ses som en bra start mot vad som kan bli ett sĂ€kert elektroniskt röstningssystem

    Conscript Your Friends into Larger Anonymity Sets with JavaScript

    Full text link
    We present the design and prototype implementation of ConScript, a framework for using JavaScript to allow casual Web users to participate in an anonymous communication system. When a Web user visits a cooperative Web site, the site serves a JavaScript application that instructs the browser to create and submit "dummy" messages into the anonymity system. Users who want to send non-dummy messages through the anonymity system use a browser plug-in to replace these dummy messages with real messages. Creating such conscripted anonymity sets can increase the anonymity set size available to users of remailer, e-voting, and verifiable shuffle-style anonymity systems. We outline ConScript's architecture, we address a number of potential attacks against ConScript, and we discuss the ethical issues related to deploying such a system. Our implementation results demonstrate the practicality of ConScript: a workstation running our ConScript prototype JavaScript client generates a dummy message for a mix-net in 81 milliseconds and it generates a dummy message for a DoS-resistant DC-net in 156 milliseconds.Comment: An abbreviated version of this paper will appear at the WPES 2013 worksho

    Cast-as-Intended Mechanism with Return Codes Based on PETs

    Full text link
    We propose a method providing cast-as-intended verifiability for remote electronic voting. The method is based on plaintext equivalence tests (PETs), used to match the cast ballots against the pre-generated encrypted code tables. Our solution provides an attractive balance of security and functional properties. It is based on well-known cryptographic building blocks and relies on standard cryptographic assumptions, which allows for relatively simple security analysis. Our scheme is designed with a built-in fine-grained distributed trust mechanism based on threshold decryption. It, finally, imposes only very little additional computational burden on the voting platform, which is especially important when voters use devices of restricted computational power such as mobile phones. At the same time, the computational cost on the server side is very reasonable and scales well with the increasing ballot size

    Receipt Freeness of PrĂȘt Ă  Voter Provably Secure

    Get PDF
    PrĂȘt Ă  Voter is an end-to-end verifiable voting scheme that is also receipt free. Formal method analysis was used to prove that PrĂȘt Ă  Voter is receipt free. In this paper we use one of the latest versions of PrĂȘt Ă  Voter[XCH+10] to prove receipt freeness of the scheme using computational methods. We use provable security game models for the first time to prove a paper based voting scheme receipt free. In this paper we propose a game model that defines receipt freeness. We show that in order to simulate the game we require IND-CCA2 encryption scheme to create the ballots. The usual schemes used in constructing PrĂȘt Ă  Voter are either exponential ElGamal or Paillier because of their homomorphic properties that are needed for tallying, however both are IND-CPA secure. We propose a new verifiable shuffle ``D-shuffle\u27\u27 to be used together with an IND-CPA encryption schemes that guarantees that the outputs of the shuffle are IND-CCA2 secure ciphertexts and they are used for constructing the ballots. The idea is based on Naor-Yung transformation[NY95]. We prove that if there exist an adversary that breaks receipt freeness then there exist an adversary that breaks the IND-CCA2 security of Naor-Yung encryption scheme. We further show that the ``D-Shuffle\u27\u27 provides us with the option of having multiple authorities creating the ballots such that no single authority can break voter\u27s privacy

    Rational Modular Encoding in the DCR Setting: Non-Interactive Range Proofs and Paillier-Based Naor-Yung in the Standard Model

    Get PDF
    International audienceRange proofs allow a sender to convince a verifier that committed integers belong to an interval without revealing anything else. So far, all known non-interactive range proofs in the standard model rely on groups endowed with a bilinear map. Moreover, they either require the group order to be larger than the range of any proven statement or they suffer from a wasteful rate. Recently (Eurocrypt'21), Couteau et al. introduced a new approach to efficiently prove range membership by encoding integers as a modular ratio between small integers. We show that their technique can be transposed in the standard model under the Composite Residuosity (DCR) assumption. Interestingly, with this modification, the size of ranges is not a priori restricted by the common reference string. It also gives a constant ratio between the size of ranges and proofs. Moreover, we show that their technique of encoding messages as bounded rationals provides a secure standard model instantiation of the Naor-Yung CCA2 encryption paradigm under the DCR assumption

    Cryptographic Shuffles and Their Applications

    Get PDF
    í•™ìœ„ë…ŒëŹž (ë°•ì‚Ź)-- 서욞대학ꔐ 대학원 : ìˆ˜ëŠŹêłŒí•™ë¶€, 2012. 8. ìČœì •íŹ.For anonymization purposes, one can use a mix-net. A mix-net is a multi-party protocol to shuffle elements so that neither of the parties knows the permutation linking the input and output. One way to construct a mix-net is to let a set of mixers, so called mix-servers, take turns in permuting and re-encrypting or decrypting the inputs. If at least one of the mixers is honest, the input data and the output data can no longer be linked. In this role, shuffling constitutes an important building block in anonymization protocols and voting schemes. The problem is that the standard shuffle requires anyone who shuffles the input messages to keep his random permutation and randomizers secret. The assumption of a party keeping the secret information may be in some ways quite strong. Secondly, for this anonymization guarantee to hold we do need to ensure that all mixers act according to the protocol. In general, zero-knowledge proofs (ZKPs) are used for this purpose. However, ZKPs requires the expensive cost in the light of computation and communication. In TCC 2007, Adida and Wikstr\"{o}m proposed a novel approach to shuffle, called a public shuffle, in which a shuffler can perform shuffle publicly without needing information kept secret. Their scheme uses an encrypted permutation matrix to shuffle ciphertexts publicly. This approach significantly reduces the cost of constructing a mix-net to verifiable joint decryption. Though their method is successful in making shuffle to be a public operation, their scheme still requires that some trusted parties should choose a permutation to be encrypted and construct zero-knowledge proofs on the well-formedness of this permutation. In this dissertation, we study a method to construct a public shuffle without relying on permutations generated privately: Given an nn-tuple of ciphertext (c1,
,cn)(c_1,\dots,c_n), our shuffle algorithm computes fi(c1,
,cn)f_i(c_1,\dots,c_n) for i=1,
,ℓi=1,\dots,\ell where each fi(x1,
,xn)f_i(x_1,\dots,x_n) is a symmetric polynomial in x1,
,xnx_1,\dots,x_n. Depending on the symmetric polynomials we use, we propose two concrete constructions. One is to use ring homomorphic encryption with a constant ciphertext complexity and the other is to use simple ElGamal encryption with a linear ciphertext complexity in the number of users. Both constructions are free of zero-knowledge proofs and publicly verifiable.Abstract i 1 Introduction 1 1.1 ABriefHistoryofShuffles .................... 1 1.2 WhyShufflinginPublicHard?.................. 2 1.3 CryptographicShuffleSchemes.................. 4 1.4 ContributionsofThisWork ................... 6 1.4.1 OurDefinitionalApproach................ 6 1.4.2 OurConstructions .................... 6 1.5 Organization ........................... 8 2 Preliminaries 9 2.1 Basics ............................... 9 2.2 PublicKeyEncryption...................... 10 2.2.1 IND-CPASecurity .................... 11 2.2.2 IND-CCASecurity .................... 14 2.3 HomomorphicPublic-keyEncryption . . . . . . . . . . . . . . 15 2.4 Zero-KnowledgeProofs...................... 18 2.4.1 Zero-KnowledgeVariants................. 19 2.4.2 ProofofKnowledge.................... 20 2.5 Public-KeyObfuscation ..................... 21 3 Verifiable Secret Shuffles: A Review 24 3.1 Introduction............................ 24 3.2 NotationandDefinitions..................... 25 3.3 Security .............................. 27 3.3.1 VerifiabilityforSecretShuffles.............. 27 3.3.2 UnlinkabilityExperiments ................ 28 3.4 SelectedPriorWork ....................... 29 3.4.1 Furukawa-SakoProtocol ................. 30 3.4.2 GrothProtocol ...................... 31 3.5 PublicShuffleswithPrivatePermutation . . . . . . . . . . . . 33 3.5.1 Introduction........................ 33 3.5.2 AdidaandWikstro ̈mProtocol.............. 33 4 Verifiable Public Shuffles 36 4.1 Introduction............................ 36 4.2 GeneralizedShuffle ........................ 38 4.2.1 SyntaxofGeneralizedShuffle .............. 38 4.2.2 SecurityModel ...................... 39 4.2.3 CryptographicAssumption................ 43 4.3 Constructions from Ring Homomorphic Encryption . . . . . . 44 4.3.1 Construction from (n,n−1)-E . . . . . . . . . . 44 4.3.2 Construction from (1,n)-E ................ 45 4.4 Constructions from Group Homomorphic Encryption . . . . . 47 4.4.1 BuildingBlocks...................... 47 4.4.2 A Generalized Public Shuffle Scheme Based on Poly- nomialFactorization ................... 50 4.4.3 A Generalized Public Shuffle Scheme Based on Integer Factorization ....................... 58 5 Conclusion and Further Work 63 Abstract (in Korean) 72 Acknowledgement (in Korean) 74Docto

    Making Code Voting Secure against Insider Threats using Unconditionally Secure MIX Schemes and Human PSMT Protocols

    Full text link
    Code voting was introduced by Chaum as a solution for using a possibly infected-by-malware device to cast a vote in an electronic voting application. Chaum's work on code voting assumed voting codes are physically delivered to voters using the mail system, implicitly requiring to trust the mail system. This is not necessarily a valid assumption to make - especially if the mail system cannot be trusted. When conspiring with the recipient of the cast ballots, privacy is broken. It is clear to the public that when it comes to privacy, computers and "secure" communication over the Internet cannot fully be trusted. This emphasizes the importance of using: (1) Unconditional security for secure network communication. (2) Reduce reliance on untrusted computers. In this paper we explore how to remove the mail system trust assumption in code voting. We use PSMT protocols (SCN 2012) where with the help of visual aids, humans can carry out mod  10\mod 10 addition correctly with a 99\% degree of accuracy. We introduce an unconditionally secure MIX based on the combinatorics of set systems. Given that end users of our proposed voting scheme construction are humans we \emph{cannot use} classical Secure Multi Party Computation protocols. Our solutions are for both single and multi-seat elections achieving: \begin{enumerate}[i)] \item An anonymous and perfectly secure communication network secure against a tt-bounded passive adversary used to deliver voting, \item The end step of the protocol can be handled by a human to evade the threat of malware. \end{enumerate} We do not focus on active adversaries

    Security Analysis of Accountable Anonymity in Dissent

    Get PDF
    Users often wish to communicate anonymously on the Internet, for example in group discussion or instant messaging forums. Existing solutions are vulnerable to misbehaving users, however, who may abuse their anonymity to disrupt communication. Dining Cryptographers Networks (DC-nets) leave groups vulnerable to denial-of-service and Sybil attacks, mix networks are difficult to protect against traffic analysis, and accountable voting schemes are unsuited to general anonymous messaging. DISSENT is the first general protocol offering provable anonymity and accountability for moderate-size groups, while efficiently handling unbalanced communication demands among users. We present an improved and hardened DISSENT protocol, define its precise security properties, and offer rigorous proofs of these properties. The improved protocol systematically addresses the delicate balance between provably hiding the identities of well-behaved users, while provably revealing the identities of disruptive users, a challenging task because many forms of misbehavior are inherently undetectable. The new protocol also addresses several non-trivial attacks on the original DISSENT protocol stemming from subtle design flaws
    • 

    corecore