Voting Mix-Net: Implementing a mix-net for use in electronic voting systems
Abstract
In this report I present a partial implementation of the mix-net protocol described by Khazaei, Moran and Wikström in "A Mix-Net From Any CCA2 Secure Cryptosystem" for use in electronic voting. The report describes in detail how the different components of the mix-net work and how the voting system works. The implementation is not complete, but is seen as a good start towards what could become a secure electronic voting system.
Referat (Swedish abstract, translated): Mix-nets for voting. In this report I present a partial implementation of the protocol described by Khazaei, Moran and Wikström in the paper "A Mix-Net From Any CCA2 Secure Cryptosystem" for use in electronic voting. This report goes into detail about how the different components of the mix-net implementation and the voting system work. The implementation is not considered complete, but is seen as a good start towards what could become a secure electronic voting system.
Conscript Your Friends into Larger Anonymity Sets with JavaScript
We present the design and prototype implementation of ConScript, a framework for using JavaScript to allow casual Web users to participate in an anonymous communication system. When a Web user visits a cooperative Web site, the site serves a JavaScript application that instructs the browser to create and submit "dummy" messages into the anonymity system. Users who want to send non-dummy messages through the anonymity system use a browser plug-in to replace these dummy messages with real messages. Creating such conscripted anonymity sets can increase the anonymity set size available to users of remailer, e-voting, and verifiable shuffle-style anonymity systems. We outline ConScript's architecture, we address a number of potential attacks against ConScript, and we discuss the ethical issues related to deploying such a system. Our implementation results demonstrate the practicality of ConScript: a workstation running our ConScript prototype JavaScript client generates a dummy message for a mix-net in 81 milliseconds and a dummy message for a DoS-resistant DC-net in 156 milliseconds.
Comment: An abbreviated version of this paper will appear at the WPES 2013 workshop.
Cast-as-Intended Mechanism with Return Codes Based on PETs
We propose a method providing cast-as-intended verifiability for remote electronic voting. The method is based on plaintext equivalence tests (PETs), used to match the cast ballots against the pre-generated encrypted code tables. Our solution provides an attractive balance of security and functional properties. It is based on well-known cryptographic building blocks and relies on standard cryptographic assumptions, which allows for a relatively simple security analysis. Our scheme is designed with a built-in fine-grained distributed trust mechanism based on threshold decryption. Finally, it imposes only very little additional computational burden on the voting platform, which is especially important when voters use devices of restricted computational power such as mobile phones. At the same time, the computational cost on the server side is very reasonable and scales well with increasing ballot size.
Receipt Freeness of Prêt à Voter Provably Secure
Prêt à Voter is an end-to-end verifiable voting scheme that is also receipt free. Formal method analysis was used to prove that Prêt à Voter is receipt free. In this paper we use one of the latest versions of Prêt à Voter [XCH+10] to prove receipt freeness of the scheme using computational methods. We use provable security game models for the first time to prove a paper-based voting scheme receipt free. In this paper we propose a game model that defines receipt freeness. We show that in order to simulate the game we require an IND-CCA2 encryption scheme to create the ballots. The usual schemes used in constructing Prêt à Voter are either exponential ElGamal or Paillier because of their homomorphic properties that are needed for tallying; however, both are only IND-CPA secure. We propose a new verifiable shuffle, "D-shuffle", to be used together with an IND-CPA encryption scheme; it guarantees that the outputs of the shuffle are IND-CCA2 secure ciphertexts, and they are used for constructing the ballots. The idea is based on the Naor-Yung transformation [NY95]. We prove that if there exists an adversary that breaks receipt freeness then there exists an adversary that breaks the IND-CCA2 security of the Naor-Yung encryption scheme. We further show that the "D-Shuffle" gives the option of having multiple authorities creating the ballots such that no single authority can break the voter's privacy.
Rational Modular Encoding in the DCR Setting: Non-Interactive Range Proofs and Paillier-Based Naor-Yung in the Standard Model
Range proofs allow a sender to convince a verifier that committed integers belong to an interval without revealing anything else. So far, all known non-interactive range proofs in the standard model rely on groups endowed with a bilinear map. Moreover, they either require the group order to be larger than the range of any proven statement or they suffer from a wasteful rate. Recently (Eurocrypt'21), Couteau et al. introduced a new approach to efficiently prove range membership by encoding integers as a modular ratio between small integers. We show that their technique can be transposed to the standard model under the Decisional Composite Residuosity (DCR) assumption. Interestingly, with this modification, the size of ranges is not a priori restricted by the common reference string. It also gives a constant ratio between the size of ranges and proofs. Moreover, we show that their technique of encoding messages as bounded rationals provides a secure standard-model instantiation of the Naor-Yung CCA2 encryption paradigm under the DCR assumption.
Cryptographic Shuffles and Their Applications
Doctoral dissertation, Seoul National University Graduate School, Department of Mathematical Sciences, August 2012 (advisor: Jung Hee Cheon).
For anonymization purposes, one can use a mix-net. A mix-net is a multi-party protocol to shuffle elements so that none of the parties knows the permutation linking the input and output. One way to construct a mix-net is to let a set of mixers, so-called mix-servers, take turns in permuting and re-encrypting or decrypting the inputs. If at least one of the mixers is honest, the input data and the output data can no longer be linked. In this role, shuffling constitutes an important building block in anonymization protocols and voting schemes.
The problem is that the standard shuffle requires anyone who shuffles the input messages to keep his random permutation and randomizers secret. The assumption of a party keeping the secret information may be in some ways quite strong. Secondly, for this anonymization guarantee to hold we need to ensure that all mixers act according to the protocol. In general, zero-knowledge proofs (ZKPs) are used for this purpose. However, ZKPs are expensive in terms of computation and communication.
In TCC 2007, Adida and Wikström proposed a novel approach to shuffling, called a public shuffle, in which a shuffler can perform the shuffle publicly without needing information kept secret. Their scheme uses an encrypted permutation matrix to shuffle ciphertexts publicly. This approach significantly reduces the cost of constructing a mix-net to verifiable joint decryption. Though their method succeeds in making shuffling a public operation, their scheme still requires that some trusted parties choose a permutation to be encrypted and construct zero-knowledge proofs of the well-formedness of this permutation.
In this dissertation, we study a method to construct a public shuffle without relying on permutations generated privately: given an -tuple of ciphertexts , our shuffle algorithm computes for where each is a symmetric polynomial in . Depending on the symmetric polynomials we use, we propose two concrete constructions. One uses ring homomorphic encryption with a constant ciphertext complexity and the other uses simple ElGamal encryption with a ciphertext complexity linear in the number of users. Both constructions are free of zero-knowledge proofs and publicly verifiable.
Contents:
Abstract
1 Introduction
1.1 A Brief History of Shuffles
1.2 Why Shuffling in Public Hard?
1.3 Cryptographic Shuffle Schemes
1.4 Contributions of This Work
1.4.1 Our Definitional Approach
1.4.2 Our Constructions
1.5 Organization
2 Preliminaries
2.1 Basics
2.2 Public Key Encryption
2.2.1 IND-CPA Security
2.2.2 IND-CCA Security
2.3 Homomorphic Public-key Encryption
2.4 Zero-Knowledge Proofs
2.4.1 Zero-Knowledge Variants
2.4.2 Proof of Knowledge
2.5 Public-Key Obfuscation
3 Verifiable Secret Shuffles: A Review
3.1 Introduction
3.2 Notation and Definitions
3.3 Security
3.3.1 Verifiability for Secret Shuffles
3.3.2 Unlinkability Experiments
3.4 Selected Prior Work
3.4.1 Furukawa-Sako Protocol
3.4.2 Groth Protocol
3.5 Public Shuffles with Private Permutation
3.5.1 Introduction
3.5.2 Adida and Wikström Protocol
4 Verifiable Public Shuffles
4.1 Introduction
4.2 Generalized Shuffle
4.2.1 Syntax of Generalized Shuffle
4.2.2 Security Model
4.2.3 Cryptographic Assumption
4.3 Constructions from Ring Homomorphic Encryption
4.3.1 Construction from (n,n−1)-E
4.3.2 Construction from (1,n)-E
4.4 Constructions from Group Homomorphic Encryption
4.4.1 Building Blocks
4.4.2 A Generalized Public Shuffle Scheme Based on Polynomial Factorization
4.4.3 A Generalized Public Shuffle Scheme Based on Integer Factorization
5 Conclusion and Further Work
Abstract (in Korean)
Acknowledgement (in Korean)
Making Code Voting Secure against Insider Threats using Unconditionally Secure MIX Schemes and Human PSMT Protocols
Code voting was introduced by Chaum as a solution for using a possibly malware-infected device to cast a vote in an electronic voting application. Chaum's work on code voting assumed voting codes are physically delivered to voters using the mail system, implicitly requiring trust in the mail system. This is not necessarily a valid assumption to make, especially if the mail system cannot be trusted: when it conspires with the recipient of the cast ballots, privacy is broken.
It is clear to the public that when it comes to privacy, computers and "secure" communication over the Internet cannot fully be trusted. This emphasizes the importance of (1) using unconditional security for secure network communication and (2) reducing reliance on untrusted computers.
In this paper we explore how to remove the mail system trust assumption in code voting. We use PSMT protocols (SCN 2012) where, with the help of visual aids, humans can carry out addition correctly with a 99% degree of accuracy. We introduce an unconditionally secure MIX based on the combinatorics of set systems.
Given that end users of our proposed voting scheme construction are humans, we cannot use classical Secure Multi-Party Computation protocols. Our solutions are for both single and multi-seat elections, achieving:
i) An anonymous and perfectly secure communication network, secure against a -bounded passive adversary, used to deliver voting,
ii) The end step of the protocol can be handled by a human to evade the threat of malware.
We do not focus on active adversaries.
Security Analysis of Accountable Anonymity in Dissent
Users often wish to communicate anonymously on the Internet, for example in group discussion or instant messaging forums. Existing solutions are vulnerable to misbehaving users, however, who may abuse their anonymity to disrupt communication. Dining Cryptographers Networks (DC-nets) leave groups vulnerable to denial-of-service and Sybil attacks, mix networks are difficult to protect against traffic analysis, and accountable voting schemes are unsuited to general anonymous messaging. DISSENT is the first general protocol offering provable anonymity and accountability for moderate-size groups, while efficiently handling unbalanced communication demands among users. We present an improved and hardened DISSENT protocol, define its precise security properties, and offer rigorous proofs of these properties. The improved protocol systematically addresses the delicate balance between provably hiding the identities of well-behaved users while provably revealing the identities of disruptive users, a challenging task because many forms of misbehavior are inherently undetectable. The new protocol also addresses several non-trivial attacks on the original DISSENT protocol stemming from subtle design flaws.