Remote electronic voting: studying and improving Helios

Dissertação de mestrado em Engenharia InformáticaA former North American President once said that the ballot is stronger than the bullet. In fact, the most civilized and organized way for a people express their opinion is by voting. However, there are people with bad intentions that affect voting and elections, being normal situations of coercion, collusion, fraud or forgery that disturb and cause alterations in the outcome of a vote. Thus, it becomes necessary to find ways to protect the voters, through vote secrecy and transparency, so that in end of a voting, democracy and justice prevail. Since the secret ballot papers until the electronic voting machines, passing through punched cards, technology in voting systems is evolving to ensure a greater security in elections, as well as greater efficiency, lower costs and other characteristics wanted in this type of systems. Nowadays, remote electronic voting is seen as the ultimate goal to achieve. The difficulty of developing such system is to ensure that it meets all the security requirements without infringing each other and without compromising the usability of the system itself. Thus, cryptography becomes an essential tool for obtaining security and integrity on electronic voting systems. This master thesis focuses on the world of electronic voting, in particular, the remote electronic voting. The objective is to find a system of this kind, with real world applications, to be studied and analyzed in a security point of view. Hence, we made a research on voting and, more deeply, a research on electronic voting schemes, in order to learn how to conceive it, which include the different stages that compose an election, types of voting and the entities involved, and what requirements to fulfill, both the security and functional. Because cryptography is used in most schemes, a detailed study was also performed on the primitives most common in protocols of electronic voting. However, there are not many schemes that pass from theory to practice. Fortunately, we found Helios, a well known scheme that implements various cryptographic techniques for everyone, under certain assumptions, be able to audit polls conducted with this system. A study was performed in order to explain how it was constructed and to identify its strengths and weaknesses. We also present some ongoing work by different people to improve Helios. Finally, we propose improvements on our own, to fight against coercion, to decrease the levels of assumptions and overcome corruption issues. Furthermore, we propose measures to protect the virtual voting booth and a mobile application to cast votes.Um antigo Presidente norte americano disse um dia que o voto é 'mais forte que a bala. De facto, a forma mais civilizada e organizada de um povo exprimir as suas opiniões é através de votações. Infelizmente, também este mundo é afectado por pessoas com más intenções, sendo normais as situações de coação, conluio, fraude ou falsificação que perturbam e causam alterações no resultado de urna votação. Assim, torna-se necessário arranjar formas de proteger os votantes, através de segredo de voto e transparência, de forma que, no final, a democracia e justiça de uma votação prevaleçam. Desde dos boletins de papel secreto até às máquinas de voto electrónico, passando pelas punched cards, a tecnologia em sistemas de votação vem evoluindo de modo a garantir uma maior segurança em eleições, assim como maior eficiência, menor custos e outras características que se querem neste tipo de sistemas. Nos dias de hoje, o voto electrónico remoto é visto como o grande objectivo a cumprir. A grande dificuldade de se desenvolver tal sistema é garantir que o sistema cumpra todos os requisitos de segurança sem que se violem entre si e sem que isso prejudique a usabilidade do sistema em si. Assim, a criptografia torna-se uma ferramenta essencial para se obter segurança e integridade em sistemas de voto electrónico. Esta tese de mestrado foca-se no mundo do voto electrónico, mais especificamente o voto electrónico remoto. O grande objectivo seria arranjar um sistema desse tipo, que tivesse aplicação real, para ser estudado e analisado do ponto de vista de segurança. Fez-se então uma pesquisa necessária sobre votações e, mais aprofundada, uma sobre esquemas de voto electrónico, de modo a aprender como se concebem, tanto as fases que a constituem como as entidades que normalmente fazem parte, e quais os requisitos a cumprir, tanto os funcionais como os de segurança. Como a criptografia entra em grande parte dos esquemas, também um estudo aprofundado foi realizado sobre as primitivas mais comuns em protocolos de voto electrónico. No entanto, não existem muitos esquemas que passem da teoria à prática. Felizmente, encontrou-se o Helios, um sistema que põe em prática diversas técnicas criptográficas para que qualquer pessoa, dentro de certas assumpções, possa auditar votações conduzidas por este sistema, ficando a privacidade nas mãos do Helios. Um estudo foi realizado de modo a explicar como foi construído e identificar os seus pontos fortes e fracos. Também são apresentados alguns trabalhos em curso sobre este sistema. Finalmente, propõem-se outros tipos de melhoramentos que visam: combater coação, diminuir o nível das assumpções e ultrapassar problemas de corrupção. Propõem-se ainda medidas para proteger a cabine virtual de votação e uma aplicação móvel

LUSA: the HPC library for lattice-based cryptanalysis

This paper introduces LUSA - the Lattice Unified Set of Algorithms library - a C++ library that comprises many high performance, parallel implementations of lattice algorithms, with particular focus on lattice-based cryptanalysis. Currently, LUSA offers algorithms for lattice reduction and the SVP. % and the CVP. LUSA was designed to be 1) simple to install and use, 2) have no other dependencies, 3) be designed specifically for lattice-based cryptanalysis, including the majority of the most relevant algorithms in this field and 4) offer efficient, parallel and scalable methods for those algorithms. LUSA explores paralellism mainly at the thread level, being based on OpenMP. However the code is also written to be efficient at the cache and operation level, taking advantage of carefully sorted data structures and data level parallelism. This paper shows that LUSA delivers these promises, by being simple to use while consistently outperforming its counterparts, such as NTL, plll and fplll, and offering scalable, parallel implementations of the most relevant algorithms to date, which are currently not available in other libraries

Attribute-based encryption implies identity-based encryption

In this study, the author formally proves that designing attribute-based encryption schemes cannot be easier than designing identity-based encryption schemes. In more detail, they show how an attribute-based encryption scheme which admits, at least, and policies can be combined with a collision-resistant hash function to obtain an identity-based encryption scheme. Even if this result may seem natural, not surprising at all, it has not been explicitly written anywhere, as far as they know. Furthermore, it may be an unknown result for some people: Odelu et al. in 2016 and 2017 have proposed both an attribute-based encryption scheme in the discrete logarithm setting, without bilinear pairings, and an attribute-based encryption scheme in the RSA setting, both admitting and policies. If these schemes were secure, then by using the implication proved in this study, one would obtain secure identity-based encryption schemes in both the RSA and the discrete logarithm settings, without bilinear pairings, which would be a breakthrough in the area. Unfortunately, the author presents here complete attacks of the two schemes proposed by Odelu et al.Postprint (updated version

Proofs of Knowledge on Monotone Predicates and its Application to Attribute-Based Identifications and Signatures

We propose a concrete procedure of the $\Sigma$-protocol introduced by Cramer, Damgård and Schoenmakers at CRYPTO \u2794, which is for proving knowledge that a set of witnesses satisfies a monotone predicate in witness-indistinguishable way; that is, hiding the assignment of truth in the predicate. We provide a detailed procedure by extending the so-called OR-proof

Efficient Batch Zero-Knowledge Arguments for Low Degree Polynomials

Bootle et al. (EUROCRYPT 2016) construct an extremely efficient zero-knowledge argument for arithmetic circuit satisfiability in the discrete logarithm setting. However, the argument does not treat relations involving commitments, and furthermore, for simple polynomial relations, the complex machinery employed is unnecessary. In this work, we give a framework for expressing simple relations between commitments and field elements, and present a zero-knowledge argument which, by contrast with Bootle et al., is constant-round and uses fewer group operations, in the case where the polynomials in the relation have low degree. Our method also directly yields a batch protocol, which allows many copies of the same relation to be proved and verified in a single argument more efficiently with only a square-root communication overhead in the number of copies. We instantiate our protocol with concrete polynomial relations to construct zero-knowledge arguments for membership proofs, polynomial evaluation proofs, and range proofs. Our work can be seen as a unified explanation of the underlying ideas of these protocols. In the instantiations of membership proofs and polynomial evaluation proofs, we also achieve better efficiency than the state of the art

Multi-Protocol UC and its Use for Building Modular and Efficient Protocols

We want to design and analyze protocols in a modular way by combining idealized components that we realize individually. While this is in principle possible using security frameworks that provide generic composition theorems, we notice that actually applying this methodology in practical protocols is far from trivial and, worse, is sometimes not even possible. As an example, we use a natural combination of zero-knowledge proofs with signature and commitment schemes, where the goal to have a party prove in zero-knowledge that it knows a signature on a committed message, i.e., prove knowledge of a witness to a statement involving algorithms of the signature and commitment scheme. We notice that, unfortunately, the composition theorem of the widely used UC framework does allow one to modularly prove the security of this example protocol. We then describe a new variant of the UC framework, multi-protocol UC, and show a composition theorem that generalizes the one from the standard framework. We use this new framework to provide a modular analysis of a practical protocol that follows the above structure and is based on discrete-logarithm-based primitives. Besides the individual security proofs of the protocol components, we also describe a new methodology for idealizing them as components that can then be composed

The Signal Private Group System and Anonymous Credentials Supporting Efficient Verifiable Encryption

In this paper we present a system for maintaining a membership list of users in a group, designed for use in the Signal Messenger secure messaging app. The goal is to support $\mathit{private}$ $\mathit{groups}$ where membership information is readily available to all group members but hidden from the service provider or anyone outside the group. In the proposed solution, a central server stores the group membership in the form of encrypted entries. Members of the group authenticate to the server in a way that reveals only that they correspond to some encrypted entry, then read and write the encrypted entries. Authentication in our design uses a primitive called a keyed-verification anonymous credential (KVAC), and we construct a new KVAC scheme based on an algebraic MAC, instantiated in a group $\mathbb{G}$ of prime order. The benefit of the new KVAC is that attributes may be elements in $\mathbb{G}$, whereas previous schemes could only support attributes that were integers modulo the order of $\mathbb{G}$. This enables us to encrypt group data using an efficient Elgamal-like encryption scheme, and to prove in zero-knowledge that the encrypted data is certified by a credential. Because encryption, authentication, and the associated proofs of knowledge are all instantiated in $\mathbb{G}$ the system is efficient, even for large groups

A framework for World Wide Web client-authentication protocols

Existing client-authentication protocols deployed on the World Wide Web today are based on conventional distributed systems and fail to address the problems specific to the application domain. Some of the protocols restrict the mobility of the client by equating user identity to a machine or network address, others depend on sound password management strategies, and yet others compromise the privacy of the user by transmitting personal information for authentication. We introduce a new framework for client-authentication by separating two goals that current protocols achieve simultaneously: 1. Maintain persistent sense of identity across different sessions. 2. Prove facts about the user to the site. These problems are independent, in the sense that any protocol for solving the first problem can be combined with any protocol for solving the second. Separation of the two purposes opens up the possibility of designing systems which balance two conflicting goals, authentication and anonymity. We propose a solution to the first problem, based on the Digital Signature Standard. The implications of this framework from the point of view of user privacy are examined. The paper is concluded with suggestions for integrating the proposed scheme into the existing WWW architecture