LNCS

Composable notions of incoercibility aim to forbid a coercer from using anything beyond the coerced parties’ inputs and outputs to catch them when they try to deceive him. Existing definitions are restricted to weak coercion types, and/or are not universally composable. Furthermore, they often make too strong assumptions on the knowledge of coerced parties—e.g., they assume they known the identities and/or the strategies of other coerced parties, or those of corrupted parties— which makes them unsuitable for applications of incoercibility such as e-voting, where colluding adversarial parties may attempt to coerce honest voters, e.g., by offering them money for a promised vote, and use their own view to check that the voter keeps his end of the bargain. In this work we put forward the first universally composable notion of incoercible multi-party computation, which satisfies the above intuition and does not assume collusions among coerced parties or knowledge of the corrupted set. We define natural notions of UC incoercibility corresponding to standard coercion-types, i.e., receipt-freeness and resistance to full-active coercion. Importantly, our suggested notion has the unique property that it builds on top of the well studied UC framework by Canetti instead of modifying it. This guarantees backwards compatibility, and allows us to inherit results from the rich UC literature. We then present MPC protocols which realize our notions of UC incoercibility given access to an arguably minimal setup—namely honestly generate tamper-proof hardware performing a very simple cryptographic operation—e.g., a smart card. This is, to our knowledge, the first proposed construction of an MPC protocol (for more than two parties) that is incoercibly secure and universally composable, and therefore the first construction of a universally composable receipt-free e-voting protocol

Public Evidence from Secret Ballots

Elections seem simple---aren't they just counting? But they have a unique, challenging combination of security and privacy requirements. The stakes are high; the context is adversarial; the electorate needs to be convinced that the results are correct; and the secrecy of the ballot must be ensured. And they have practical constraints: time is of the essence, and voting systems need to be affordable and maintainable, and usable by voters, election officials, and pollworkers. It is thus not surprising that voting is a rich research area spanning theory, applied cryptography, practical systems analysis, usable security, and statistics. Election integrity involves two key concepts: convincing evidence that outcomes are correct and privacy, which amounts to convincing assurance that there is no evidence about how any given person voted. These are obviously in tension. We examine how current systems walk this tightrope.Comment: To appear in E-Vote-Id '1

Towards Multiparty Computation Withstanding Coercion of All Parties

Incoercible multi-party computation (Canetti-Gennaro ’96) allows parties to engage in secure computation with the additional guarantee that the public transcript of the computation cannot be used by a coercive outsider to verify representations made by the parties regarding their inputs, outputs, and local random choices. That is, it is guaranteed that the only deductions regarding the truthfulness of such representations, made by an outsider who has witnessed the communication among the parties, are the ones that can be drawn just from the represented inputs and outputs alone. To date, all incoercible secure computation protocols withstand coercion of only a fraction of the parties, or else assume that all parties use an execution environment that makes some crucial parts of their local states physically inaccessible even to themselves. We consider, for the first time, the setting where all parties are coerced, and the coercer expects to see the entire history of the computation. We allow both protocol participants and external attackers to access a common reference string which is generated once and for all by an uncorruptable trusted party. In this setting we construct: - A general multi-party function evaluation protocol, for any number of parties, that withstands coercion of all parties, as long as all parties use the prescribed ``faking algorithm\u27\u27 upon coercion. This holds even if the inputs and outputs represented by coerced parties are globally inconsistent with the evaluated function. - A general two-party function evaluation protocol that withstands even the %``mixed\u27\u27 case where some of the coerced parties do follow the prescribed faking algorithm. (For instance, these parties might collude with the coercer and disclose their true local states.) This protocol is limited to functions where the input of at least one of the parties is taken from a small (poly-size) domain. It uses fully deniable encryption with public deniability for one of the parties; when instantiated using the fully deniable encryption of Canetti, Park, and Poburinnaya (Crypto\u2720), it takes 3 rounds of communication. Both protocols operate in the common reference string model, and use fully bideniable encryption (Canetti Park and Poburinnaya, Crypto\u2720) and sub-exponential indistinguishability obfuscation. Finally, we show that protocols with certain communication pattern cannot be incoercible, even in a weaker setting where only some parties are coerced

Efficient Receipt-Free Ballot Casting Resistant to Covert Channels

We present an efficient, covert-channel-resistant, receipt-free ballot casting scheme that can be used by humans without trusted hardware. In comparison to the recent Moran-Naor proposal, our scheme produces a significantly shorter ballot, prevents covert channels in the ballot, and opts for statistical soundness rather than everlasting privacy (achieving both seems impossible). The human interface remains the same, based on Neff\u27s MarkPledge scheme, and requires of the voter only short-string operations

A Scalable Coercion-resistant Blockchain Decision-making Scheme

Typically, a decentralized collaborative blockchain decision-making mechanism is realized by remote voting. To date, a number of blockchain voting schemes have been proposed; however, to the best of our knowledge, none of these schemes achieve coercion-resistance. In particular, for most blockchain voting schemes, the randomness used by the voting client can be viewed as a witness/proof of the actual vote, which enables improper behaviors such as coercion and vote-buying. Unfortunately, the existing coercion-resistant voting schemes cannot be directly adopted in the blockchain context. In this work, we design the first scalable coercion-resistant blockchain decision-making scheme that supports private differential voting power and 1-layer liquid democracy as introduced by Zhang et al. (NDSS\u2719). Its overall complexity is $O(n)$, where $n$ is the number of voters. Moreover, the ballot size is reduced from Zhang et al.\u27s $\Theta(m)$ to $\Theta(1)$, where $m$ is the number of experts and/or candidates. Its incoercibility is formally proven under the UC incoercibility framework by Alwen et al. (Crypto\u2715). We implement a prototype of the scheme and the evaluation result shows that our scheme\u27s tally execution time is more than 6x faster than VoteAgain (USENIX\u2720) in an election with over 10,000 voters and over 50\% extra ballot rate

New Techniques for Electronic Voting

This paper presents a novel unifying framework for electronic voting in the universal composability model that includes a property which is new to universal composability but well-known to voting systems: universal verifiability. Additionally, we propose three new techniques for secure electronic voting and prove their security and universal verifiability in the universal composability framework. 1. A tally-hiding voting system, in which the tally that is released consists of only the winner without the vote count. Our proposal builds on a novel solution to the millionaire problem which is of independent interest. 2. A self-tallying vote, in which the tally can be calculated by any observer as soon as the last vote has been cast --- but before this happens, no information about the tally is leaked. 3. Authentication of voting credentials, which is a new approach for electronic voting systems based on anonymous credentials. In this approach, the vote authenticates the credential so that it cannot afterwards be used for any other purpose but to cast that vote. We propose a practical voting system that instantiates this high-level concept

Advances in cryptographic voting systems

Thesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2006.Includes bibliographical references (p. 241-254).Democracy depends on the proper administration of popular elections. Voters should receive assurance that their intent was correctly captured and that all eligible votes were correctly tallied. The election system as a whole should ensure that voter coercion is unlikely, even when voters are willing to be influenced. These conflicting requirements present a significant challenge: how can voters receive enough assurance to trust the election result, but not so much that they can prove to a potential coercer how they voted? This dissertation explores cryptographic techniques for implementing verifiable, secret-ballot elections. We present the power of cryptographic voting, in particular its ability to successfully achieve both verifiability and ballot secrecy, a combination that cannot be achieved by other means. We review a large portion of the literature on cryptographic voting. We propose three novel technical ideas: 1. a simple and inexpensive paper-base cryptographic voting system with some interesting advantages over existing techniques, 2. a theoretical model of incoercibility for human voters with their inherent limited computational ability, and a new ballot casting system that fits the new definition, and 3. a new theoretical construct for shuffling encrypted votes in full view of public observers.by Ben Adida.Ph.D

The art of post-truth in quantum cryptography

L’établissement de clé quantique (abrégé QKD en anglais) permet à deux participants distants, Alice et Bob, d’établir une clé secrète commune (mais aléatoire) qui est connue uniquement de ces deux personnes (c’est-à-dire inconnue d’Ève et de tout autre tiers parti). La clé secrète partagée est inconditionnellement privée et peut être plus tard utilisée, par Alice et Bob, pour transmettre des messages en toute confidentialité, par exemple sous la forme d’un masque jetable. Le protocole d’établissement de clé quantique garantit la confidentialité inconditionnelle du message en présence d’un adversaire (Ève) limité uniquement par les lois de la mécanique quantique, et qui ne peut agir sur l’information que se partagent Alice et Bob que lors de son transit à travers des canaux classiques et quantiques. Mais que se passe-t-il lorsque Ève a le pouvoir supplémentaire de contraindre Alice et/ou Bob à révéler toute information, jusqu’alors gardée secrète, générée lors de l’exécution (réussie) du protocole d’établissement de clé quantique (éventuellement suite à la transmission entre Alice et Bob d’un ou plusieurs messages chiffrés classique à l’aide de cette clé), de manière à ce qu’Ève puisse reproduire l’entièreté du protocole et retrouver la clé (et donc aussi le message qu’elle a chiffré) ? Alice et Bob peuvent-ils nier la création de la clé de manière plausible en révélant des informations mensongères pour qu’Ève aboutisse sur une fausse clé ? Les protocoles d’établissement de clé quantiques peuvent-ils tels quels garantir la possibilité du doute raisonnable ? Dans cette thèse, c’est sur cette énigme que nous nous penchons. Dans le reste de ce document, nous empruntons le point de vue de la théorie de l’information pour analyser la possibilité du doute raisonnable lors de l’application de protocoles d’établissement de clé quantiques. Nous formalisons rigoureusement différents types et degrés de doute raisonnable en fonction de quel participant est contraint de révéler la clé, de ce que l’adversaire peut demander, de la taille de l’ensemble de fausses clés qu’Alice et Bob peuvent prétendre établir, de quand les parties doivent décider de la ou des clés fictives, de quelle est la tolérance d’Ève aux événements moins probables, et du recours ou non à des hypothèses de calcul. Nous définissons ensuite rigoureusement une classe générale de protocoles d’établissement de clé quantiques, basée sur un canal quantique presque parfait, et prouvons que tout protocole d’établissement de clé quantique appartenant à cette classe satisfait la définition la plus générale de doute raisonnable : à savoir, le doute raisonnable universel. Nous en fournissons quelques exemples. Ensuite, nous proposons un protocole hybride selon lequel tout protocole QKD peut être au plus existentiellement déniable. De plus, nous définissons une vaste classe de protocoles d’établissement de clé quantiques, que nous appelons préparation et mesure, et prouvons l’impossibilité d’instiller lors de ceux-ci tout degré de doute raisonnable. Ensuite, nous proposons une variante du protocole, que nous appelons préparation et mesure floues qui offre un certain niveau de doute raisonnable lorsque Ève est juste. Par la suite, nous proposons un protocole hybride en vertu duquel tout protocole d’établissement de clé quantique ne peut offrir au mieux que l’option de doute raisonnable existentiel. Finalement, nous proposons une variante du protocole, que nous appelons mono-déniable qui est seulement Alice déniable ou Bob déniable (mais pas les deux).Quantum Key Establishment (QKD) enables two distant parties Alice and Bob to establish a common random secret key known only to the two of them (i.e., unknown to Eve and anyone else). The common secret key is information-theoretically secure. Later, Alice and Bob may use this key to transmit messages securely, for example as a one-time pad. The QKD protocol guarantees the confidentiality of the key from an information-theoretic perspective against an adversary Eve who is only limited by the laws of quantum theory and can act only on the signals as they pass through the classical and quantum channels. But what if Eve has the extra power to coerce Alice and/or Bob after the successful execution of the QKD protocol forcing either both or only one of them to reveal all their private information (possibly also after one or several (classical) ciphertexts encrypted with that key have been transmitted between Alice and Bob) then Eve could go through the protocol and obtain the key (hence also the message)? Can Alice and Bob deny establishment of the key plausibly by revealing fake private information and hence also a fake key? Do QKD protocols guarantee deniability for free in this case? In this Thesis, we investigate this conundrum. In the rest of this document, we take an information-theoretic perspective on deniability in quantum key establishment protocols. We rigorously formalize different levels and flavours of deniability depending on which party is coerced, what the adversary may ask, what is the size of the fake set that surreptitious parties can pretend to be established, when the parties should decide on the fake key(s), and what is the coercer’s tolerance to less likely events and possibly also computational assumptions. We then rigorously define a general class of QKD protocols, based on an almost-perfect quantum channel, and prove that any QKD protocol that belongs to this class satisfies the most general flavour of deniability, i.e.,universal deniability. Moreover, we define a broad class of QKD protocols, which we call prepare-and-measure, and prove that these protocols are not deniable in any level or flavour. Moreover, we define a class of QKD protocols, which we refer to as fuzzy prepare-andmeasure, that provides a certain level of deniability conditioned on Eve being fair. Furthermore, we propose a hybrid protocol under which any QKD protocol can be at most existentially deniable. Finally, we define a class of QKD protocols, which we refer to as mono-deniable, which is either Alice or Bob (but not both) deniable

On the Incoercibility of Digital Signatures

We introduce incoercible digital signature schemes, a variant of a standard digital signature. Incoercible signatures enable signers, when coerced to produce a signature for a message chosen by an attacker, to generate fake signatures that are indistinguishable from real signatures, even if the signer is compelled to reveal their full history (including their secret signing keys and any randomness used to produce keys/signatures) to the attacker. Additionally, we introduce an authenticator that can detect fake signatures, which ensures that coercion is identified. We present a formal security model for incoercible signature schemes that comprises an established definition of unforgeability and captures new notions of weak receipt-freeness, strong receipt-freeness and coercion-resistance. We demonstrate that an incoercible signature scheme can be viewed as a transformation of any generic signature scheme. Indeed, we present two incoercible signature scheme constructions that are built from a standard signature scheme and a sender-deniable encryption scheme. We prove that our first construction satisfies coercion-resistance, and our second satisfies strong receipt-freeness. We conclude by presenting an extension to our security model: we show that our security model can be extended to the designated verifier signature scheme setting in an intuitive way as the designated verifier can assume the role of the authenticator and detect coercion during the verification process