New approaches for electronic voting paradigms

La democràcia es el sistema de govern més utilitzat al món. No obstant, en un món cada vegada més globalitzat, la idea de mobilitzar la gent per votar en un col·legi electoral gestionat per persones resulta antiquada tot i ser la implementació més comú en l'actualitat. Millorar aquesta situació mitjançant l'ús de les tecnologies de la informació sembla una evolució òbvia i molt demanada però, malgrat l'existència d'algunes implementacions en entorns reals, encara no ha estat utilitzada excepte en comptades ocasions. Obrir la porta d'unes eleccions a les tecnologies de la informació implica l'obertura dels protocols de votació a un nou conjunt d'atacs contra aquests. Tenint en compte els requisits d'una elecció: privacitat del votant i integritat de l'elecció, les solucions actuals passen per implementar l'elecció seguint un dels tres paradigmes de vot segurs: barreja de vots, recompte homomòrfic o signatura cega. En aquesta tesi, es proposen nous protocols per als diferents paradigmes. La primera proposta consisteix en un sistema de vot que, basant-se en una informació redundant enviada pel votant, és capaç de realitzar una barreja de vots amb cost negligible incrementant lleugerament el cost del recompte. Per al paradigma de recompte homomòrfic, es proposa una prova de validesa del vot basada en les proves utilitzades per demostrar la correctesa en sistemes amb barreja de vots. Aquesta solució permet utilitzar les millores realitzades sobre el paradigma de barreja de vots per al seu ús en el paradigma de recompte homomòrfic. Finalment, es plantegen dues solucions per a eleccions del paradigma de signatura cega. La primera utilitza credencials generades amb signatura cega per permetre als votants vàlids enviar el seu vot sense que es conegui la seva identitat. La segona resol el problema del vot doble en aquest paradigma mitjan cant una construcció que utilitza un sistema de moneda electrònica off-line.La democracia es el sistema de gobierno más usado en el mundo. No obstante, en un mundo cada vez más globalizado, la idea de movilizar a la gente para votar en un colegio electoral gestionado por personas resulta anticuada a pesar de ser la implementación más común en la actualidad. Mejorar esta situación mediante el uso de las tecnologías de la información parece una evolución obvia y muy solicitada pero, a pesar de unas pocas adaptaciones, aún no ha sido usada salvo en escasas ocasiones. Abrir la puerta de unas elecciones a las tecnologías de la información lleva implícita la apertura de los protocolos de voto a un nuevo conjunto de ataques contra estos. Teniendo en cuenta los requisitos de una elección: privacidad del votante e integridad de la elección, las soluciones actuales pasan por implementar la elección siguiendo uno de los tres paradigmas de voto seguros: mezcla de votos, recuento homomórfico o firma ciega. En esta tesis, se proponen nuevos protocolos para los distintos paradigmas. La primera propuesta consiste en un sistema de voto bajo el paradigma de mezcla de votos que, basándose en una información redundante enviada por el votante, es capaz de realizar una mezcla de votos con un coste negligible incrementando ligeramente el coste del recuento. Para el paradigma de recuento homomórfico, se propone una prueba para verificar que el voto es válido basada en las pruebas de correctitud en sistemas con mezcla de votos. Esta solución permite usar las mejoras realizadas en el paradigma de mezcla de votos para su uso en el paradigma de recuento homomórfico. Finalmente, se proponen dos nuevos protocolos del paradigma de firma ciega. El primero utiliza credenciales generadas con firma ciega para permitir a votantes válidos enviar su voto sin que se conozca su identidad. El segundo resuelve el problema del voto doble en el paradigma de firma ciega mediante una construcción que utiliza un sistema de moneda electrónica off-line.Democracy is the most established government system in the world. However, in an increasingly globalized world, the idea of requiring people to move in order to cast their vote in the polling station seems outdated, even though it is, nowadays, the most common implementation. An obvious and widely demanded evolution is to improve the election framework by enabling the use of information technologies. Nevertheless, this solution has been implemented few times in real environment elections and the global success of these solutions have been called into question. The use of information technologies in voting protocols improves the quality of the election but, at the same time, it also opens up the voting protocols to new threats. Keeping this attacks in mind and given the election requirements: voter's privacy and election's integrity, the solutions proposed up to date are to implement one of the three secure voting paradigms: mixtype based, homomorphic tally, and blind signature. In this thesis, we present new protocols for the di erent paradigms. Our rst proposal, based on the mix-type paradigm, consists in a voting protocol which is able to perform the ballot mix with negligible cost but slightly increasing the tally cost. The proposed protocol makes use of a proper vote generation based on sending secret redundant information with the ballot when it is cast. For the homomorphic tally paradigm, we propose a zero knowledge proof of correctness of the ballot based on the proofs used to demonstrate the correctness of a shu e in the mix-type paradigm. This protocol makes possible to use the improvements on the shu e correctness proofs in the homomorphic tally paradigm. Finally, two di erent protocols are also proposed for the blind signature paradigm. The rst one uses credentials generated by means of a blind signature which allow eligible voters to cast their vote without leaking information about their identity. The second one is focused on solving the double voting problem in this paradigm. The protocol proposed uses o -line e-coin systems to provide anonymity disclosure in case of double voting

NetVote: A strict-coercion resistance re-voting based internet voting scheme with linear filtering

This paper is an extended of: Querejeta-Azurmendi, I.; Hernández Encinas, L.; Arroyo Guardeño, D.; Hernandez-Ardieta, J.L. An internet voting proposal towards improving usability and coercion resistance. Proceedings of the International Joint Conference: 12th International Conference on Computational Intelligence in Security for Information Systems (CISIS 2019) and 10th International Conference on EUropean Transnational Education (ICEUTE 2019), Seville, Spain, 13-15 May 2019.This paper proposes NetVote, an internet voting protocol where usability and ease in deployment are a priority. We introduce the notion of strict coercion resistance, to distinguish between vote-buying and coercion resistance. We propose a protocol with ballot secrecy, practical everlasting privacy, verifiability and strict coercion resistance in the re-voting setting. Coercion is mitigated via a random dummy vote padding strategy to hide voting patterns and make re-voting deniable. This allows us to build a filtering phase with linear complexity, based on zero knowledge proofs to ensure correctness while maintaining privacy of the process. Voting tokens are formed by anonymous credentials and pseudorandom identifiers, achieving practical everlasting privacy, where even if dealing with a future computationally unbounded adversary, vote intention is still hidden. It is not assumed for voters to own cryptographic keys prior to the election, nor store cryptographic material during the election. This property allows voters not only to vote multiple times, but also from different devices each time, granting the voter a vote-from-anywhere experience. This paper builds on top of the paper published in CISIS'19. In this version, we modify the filtering. Moreover, we formally define the padding technique, which allows us to perform the linear filtering scheme. Similarly we provide more details on the protocol itself and include a section of the security analysis, where we include the formal definitions of strict coercion resistance and a game based definition of practical everlasting privacy. Finally, we prove that NetVote satisfies them all.This research has been partially supported by Ministerio de Economía, Industria y Competitividad (MINECO), Agencia Estatal de Investigación (AEI), and European Regional Development Fund (ERDF, EU), through project COPCIS, grant number TIN2017-84844-C2-1-R, and by Comunidad de Madrid (Spain) through project CYNAMON, grant number P2018/TCS-4566-CM, co-funded along with ERDF

Private votes on untrusted platforms: models, attacks and provable scheme

International audienceModern e-voting systems deploy cryptographic protocols on a complex infrastructure involving different computing platforms and agents. It is crucial to have appropriate specification and evaluation methods to perform rigorous analysis of such systems, taking into account the corruption and computational capabilities of a potential attacker. In particular, the platform used for voting may be corrupted, e.g. infected by malware, and we need to ensure privacy and integrity of votes even in that case. We propose a new definition of vote privacy, formalized as a computational indistinguishability game, that allows to take into account such refined attacker models; we show that the definition captures both known and novel attacks against several voting schemes; and we propose a scheme that is provably secure in this setting. We moreover formalize and machine-check the proof in the EasyCrypt theorem prover

Universally Verifiable MPC with Applications to IRV Ballot Counting

We present a very simple universally verifiable MPC protocol. The first component is a threshold somewhat homomorphic cryptosystem that permits an arbitrary number of additions (in the source group), followed by a single multiplication, followed by an arbitrary number of additions in the target group. The second component is a black-box construction of universally verifiable distributed encryption switching between any public key encryption schemes supporting shared setup and key generation phases, as long as the schemes satisfy some natural additive-homomorphic properties. This allows us to switch back from the target group to the source group, and hence perform an arbitrary number of multiplications. The key generation algorithm of our prototypical cryptosystem, which is based upon concurrent verifiable secret sharing, permits robust re-construction of powers of a shared secret. We demonstrate the scalability of distribution switching as a viable approach to secure vote tallying by implementing a private verifiable form of Instant Runoff Voting on real Australian election data comprising 40,000 votes

An Analysis of Chaum's Voter-Verifiable Election Scheme

Chaum's Voter-Verifiable election scheme introduces a new direction for electronic voting. The scheme eliminates the need to trust any machinery or authority, and instead relies on mathematical proof to certify the trustworthiness of an election. Audits at every stage of the election create transparency that should restore voter confidence in the election process. We survey and categorize the field of electronic voting, and place Chaum's scheme within this context. We then define a framework of formal requirements of a voting system. We present Chaum's scheme itself, and give an analysis. Based on our technical analysis, we find the scheme to be secure. However, after considering other implementation concerns, we recognize various minor obstacles limiting its widespread adoption in today's elections. Despite this, we believe that the substance of the scheme is promising and maybe an improved, simpler variant might better suit future elections

A Cost-Effective Approach to Key Management in Online Voting Scenarios

The problem of key management is an information security issue at the core of any cryptographic protocol where identity is involved (e.g. encryption, digital signature). In particular for the case of online voting, it is critical to ensure that no single actor (or small group of colluding actors) can impact the result of the election nor break the secrecy of the ballot. The concept of threshold encryption is present at the core of many Multi-Party Computation (MPC) protocols, even more so in the scenario of online voting protocols. On the other hand, the generic key management problem has led to the design of certifiably secure hardware for cryptographic purposes. There are three families of these kind of designed-for-security devices: Hardware Security Modules (HSMs), Trusted Platform Modules (TPMs) and smart cards. Since smart cards both offer reasonable prices and expose an API for development, this document evaluates different approaches to implement threshold encryption over smart cards to support an electoral process

VeriVoting: A decentralized, verifiable and privacy-preserving scheme for weighted voting

Decentralization, verifiability, and privacy-preserving are three fundamental properties of modern e-voting. In this paper, we conduct extensive investigations into them and present a novel e-voting scheme, VeriVoting, which is the first to satisfy these properties. More specifically, decentralization is realized through blockchain technology and the distribution of decryption power among competing entities, such as candidates. Furthermore, verifiability is satisfied when the public verifies the ballots and decryption keys. And finally, bidirectional unlinkability is achieved to help preserve privacy by decoupling voter identity from ballot content. Following the ideas above, we first leverage linear homomorphic encryption schemes and non-interactive zero-knowledge argument systems to construct a voting primitive, SemiVoting, which meets decentralization, decryption-key verifiability, and ballot privacy. To further achieve ballot ciphertext verifiability and anonymity, we extend this primitive with blockchain and verifiable computation to finally arrive at VeriVoting. Through security analysis and per-formance evaluations, VeriVoting offers a new trade-off between security and efficiency that differs from all previous e-voting schemes and provides a radically novel practical ap-proach to large-scale elections