Secret-chain zero-knowledge proofs and their applications

Thesis (M.S.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 1994.Includes bibliographical references (p. 61-64).by Tony Liang Eng.M.S

Ballot secrecy: Security definition, sufficient conditions, and analysis of Helios

We propose a definition of ballot secrecy as an indistinguishability game in the computational model of cryptography. Our definition improves upon earlier definitions to ensure ballot secrecy is preserved in the presence of an adversary that controls ballot collection. We also propose a definition of ballot independence as an adaptation of an indistinguishability game for asymmetric encryption. We prove relations between our definitions. In particular, we prove ballot independence is sufficient for ballot secrecy in voting systems with zero-knowledge tallying proofs. Moreover, we prove that building systems from non-malleable asymmetric encryption schemes suffices for ballot secrecy, thereby eliminating the expense of ballot-secrecy proofs for a class of encryption-based voting systems. We demonstrate applicability of our results by analysing the Helios voting system and its mixnet variant. Our analysis reveals that Helios does not satisfy ballot secrecy in the presence of an adversary that controls ballot collection. The vulnerability cannot be detected by earlier definitions of ballot secrecy, because they do not consider such adversaries. We adopt non-malleable ballots as a fix and prove that the fixed system satisfies ballot secrecy

Zero Knowledge Protocols and Applications

The historical goal of cryptography is to securely transmit or store a message in an insecure medium. In that era, before public key cryptography, we had two kinds of people: those who had the correct key, and those who did not. Nowadays however, we live in a complex world with equally complex goals and requirements: securely passing a note from Alice to Bob is not enough. We want Alice to use her smartphone to vote for Carol, without Bob the tallier, or anyone else learning her vote; we also want guarantees that Alice’s ballot contains a single, valid vote and we want guarantees that Bob will tally the ballots properly. This is in fact made possible because of zero knowledge protocols. This thesis presents research performed in the area of zero knowledge protocols across the following threads: we relax the assumptions necessary for the Damgard, Fazio and ˚ Nicolosi (DFN) transformation, a technique which enables one to collapse a number of three round protocols into a single message. This approach is motivated by showing how it could be used as part of a voting scheme. Then we move onto a protocol that lets us prove that a given computation (modeled as an arithmetic circuit) was performed correctly. It improves upon the state of the art in the area by significantly reducing the communication cost. A second strand of research concerns multi-user signatures, which enable a signer to sign with respect to a set of users. We give new definitions for important primitives in the area as well as efficient instantiations using zero knowledge protocols. Finally, we present two possible answers to the question posed by voting receipts. One is to maximise privacy by building a voting system that provides receipt-freeness automatically. The other is to use them to enable conventual and privacy preserving vote copying

Extending the Helios Internet Voting Scheme Towards New Election Settings

Internet voting has long been a topic both of public discussion and also of scientific research. While the introduction of Internet voting may bring many advantages, it is further important to ensure an adequate level of security of the systems and underlying schemes that are used for casting and tallying the votes in order to encourage faith and acceptance for this relatively new way of voting. A number of cryptographic schemes have been proposed, that enable secure Internet voting. One of the most established and well-researched solutions is the Helios scheme, which is also implemented as an open-source system. Both its implementation and the scheme behind it has been extensively studied in the literature, and the Helios system has been used for numerous elections in practice, such as the IACR elections. However, there are election settings for which Helios is currently not appropriate, either due to infrastructure demands, required functionality for the voters or assurance of the security requirements. These kinds of election settings could benefit from the advantages that secure Internet voting provides. In this thesis we identify the election settings not currently supported by Helios, propose our extensions for each one of these settings and evaluate their security. Hence, this work describes four Internet voting schemes that are build upon Helios, with each scheme developed towards a specific setting. The first scheme presented here enables elections within the so-called boardroom voting setting. This setting is characterized by its decentralization, whereby all the tasks within the election are distributively performed by the voters themselves, without the support of a centralized infrastructure. The election in the boardroom voting setting are further conducted in an ad-hoc manner, so that limited time is available for preparation beforehand. We propose an extension of Helios that distributes the tasks of the voting system components in Helios among the voters. For this, we use cryptographic primitives such as decentralized key exchange with short authentication strings, distributed secret sharing and distributed decryption and Byzantine agreement. The second scheme extends Helios with proxy voting functionality. Proxy voting, as a newly emerged form of voting, enables the voter to delegate her voting right in the election to a trusted third-party, the so-called proxy, who is authorized to vote on the voter's behalf. This extension facilitates such delegation while assuring the security for delegating voters and for the proxies and preserves the security guarantees provided by Helios for the voters who vote directly (instead of delegating). For ensuring the security of our extension, we introduce the so-called delegation credentials that are assigned to the voters and are used to compute anonymized delegation tokens sent to the proxies to enable delegation. We further use cryptographic primitives such as proofs of knowledge and signatures of knowledge. The third scheme combines the first two settings to extend Helios towards the proxy boardroom voting setting, namely, a setting in which the elections are performed in a decentralized way as in boardroom voting, yet the voters who cannot participate in the election themselves are allowed to delegate their voting right to a trusted proxy before the election. The security of our extension is assured with threshold secret sharing and Pedersen commitments. The fourth scheme extends Helios by improving its security. As such, it introduces participation privacy, meaning that the voting system does not reveal which voters have participated in the election, while supporting verification that only the eligible voters have cast their ballots in the election. The extension furthermore introduces receipt-freeness, ensuring that the voter cannot create a receipt that proves to a third party how she voted, thus preventing vote selling. To ensure the security of the extension, a new kind of entity is introduced, the posting trustee, and a new kind of ballot, the so-called dummy ballot that is indistinguishable from a normal ballot cast by the voter, but does not modify the election result. We furthermore use disjunctive zero-knowledge proofs and proofs of signature knowledge to prove, that a sender of a particular ballot knows the private signature key of an eligible voter, or that the ballot is a dummy ballot. For each one of the extensions, the security model is provided, which describes the security requirements and the assumptions that are necessary for ensuring the security requirements (i.e. vote privacy or vote integrity), is provided. For the first three extensions, the security model is used as a base for the informal security evaluation, in which an informal argument is used to show, that the security requirements hold under the described assumptions. Conducting a formal security evaluation for these extensions is considered an important part of the future work, in which new formal definitions have to be developed. For the fourth extension, we provide a formal security analysis that relies on the formal definitions for the security requirements of vote privacy, vote integrity and eligibility, available in the literature. We furthermore introduce new formal definitions for participation privacy, receipt-freeness and fairness, which we also use for the formal proofs of our extension

Diseños de protocolos criptográficos: nuevas propuestas basadas en grafos

Se destaca el papel que la teoría de grafos puede jugar en el entorno de la criptografía moderna. Se introduce también una nueva metodología de diseño en el campo de los protocolos criptográficos. Entre los protocolos estudiados destacan as de transferencia inconsciente y compromiso de bits por se considerados primitivos esenciales para el diseño de esquemas criptográficos más complejos. También se presta especial atención a las demostraciones de conocimiento nulo aportando nuevos algoritmos orientados a resolver el problema de la identificación

Automated Security Analysis of Web Application Technologies

TheWeb today is a complex universe of pages and applications teeming with interactive content that we use for commercial and social purposes. Accordingly, the security of Web applications has become a concern of utmost importance. Devising automated methods to help developers to spot security flaws and thereby make the Web safer is a challenging but vital area of research. In this thesis, we leverage static analysis methods to automatically discover vulnerabilities in programs written in JavaScript or PHP. While JavaScript is the number one language fueling the client-side logic of virtually every Web application, PHP is the most widespread language on the server side. In the first part, we use a series of program transformations and information flow analysis to examine the JavaScript Helios voting client. Helios is a stateof- the-art voting system that has been exhaustively analyzed by the security community on a conceptual level and whose implementation is claimed to be highly secure. We expose two severe and so far undiscovered vulnerabilities. In the second part, we present a framework allowing developers to analyze PHP code for vulnerabilities that can be freely modeled. To do so, we build socalled code property graphs for PHP and import them into a graph database. Vulnerabilities can then be modeled as appropriate database queries. We show how to model common vulnerabilities and evaluate our framework in a large-scale study, spotting hundreds of vulnerabilities.DasWeb hat sich zu einem komplexen Netz aus hochinteraktiven Seiten und Anwendungen entwickelt, welches wir täglich zu kommerziellen und sozialen Zwecken einsetzen. Dementsprechend ist die Sicherheit von Webanwendungen von höchster Relevanz. Das automatisierte Auffinden von Sicherheitslücken ist ein anspruchsvolles, aber wichtiges Forschungsgebiet mit dem Ziel, Entwickler zu unterstützen und das Web sicherer zu machen. In dieser Arbeit nutzen wir statische Analysemethoden, um automatisiert Lücken in JavaScript- und PHP-Programmen zu entdecken. JavaScript ist clientseitig die wichtigste Sprache des Webs, während PHP auf der Serverseite am weitesten verbreitet ist. Im ersten Teil nutzen wir eine Reihe von Programmtransformationen und Informationsflussanalyse, um den JavaScript HeliosWahl-Client zu untersuchen. Helios ist ein modernesWahlsystem, welches auf konzeptueller Ebene eingehend analysiert wurde und dessen Implementierung als sehr sicher gilt. Wir enthüllen zwei schwere und bis dato unentdeckte Sicherheitslücken. Im zweiten Teil präsentieren wir ein Framework, das es Entwicklern ermöglicht, PHP Code auf frei modellierbare Schwachstellen zu untersuchen. Zu diesem Zweck konstruieren wir sogenannte Code-Property-Graphen und importieren diese anschließend in eine Graphdatenbank. Schwachstellen können nun als geeignete Datenbankanfragen formuliert werden. Wir zeigen, wie wir herkömmliche Schwachstellen modellieren können und evaluieren unser Framework in einer groß angelegten Studie, in der wir hunderte Sicherheitslücken identifizieren.CISP