Public Evidence from Secret Ballots

Elections seem simple---aren't they just counting? But they have a unique, challenging combination of security and privacy requirements. The stakes are high; the context is adversarial; the electorate needs to be convinced that the results are correct; and the secrecy of the ballot must be ensured. And they have practical constraints: time is of the essence, and voting systems need to be affordable and maintainable, and usable by voters, election officials, and pollworkers. It is thus not surprising that voting is a rich research area spanning theory, applied cryptography, practical systems analysis, usable security, and statistics. Election integrity involves two key concepts: convincing evidence that outcomes are correct and privacy, which amounts to convincing assurance that there is no evidence about how any given person voted. These are obviously in tension. We examine how current systems walk this tightrope.Comment: To appear in E-Vote-Id '1

Coercion-resistant Proxy Voting

In general, most elections follow the principle of equality, or as it came to be known, the principle of “one man – one vote”. However, this principle might pose difficulties for voters, who are not well informed regarding the particular matter that is voted on. In order to address this issue, a new form of voting has been proposed, namely proxy voting. In proxy voting, each voter has the possibility to delegate her voting right to another voter, so called proxy, that she considers a trusted expert on the matter. In this paper we propose an end-to-end verifiable Internet voting scheme, which to the best of our knowledge is the first scheme to address voter coercion in the proxy voting setting

Securing Abe\u27s Mix-net Against Malicious Verifiers via Witness Indistinguishability

We show that the simple and appealing unconditionally sound mix-net due to Abe (Asiacrypt\u2799) can be augmented to further guarantee anonymity against malicious verifiers. This additional guarantee implies, in particular, that when applying the Fiat-Shamir transform to the mix-net\u27s underlying sub-protocols, anonymity is provably guaranteed for {\em any} hash function. As our main contribution, we demonstrate how anonymity can be attained, even if most sub-protocols of a mix-net are merely witness indistinguishable (WI). We instantiate our framework with two variants of Abe\u27s mix-net. In the first variant, ElGamal ciphertexts are replaced by an alternative, yet equally efficient, lossy encryption scheme. In the second variant, new dummy vote ciphertexts are injected prior to the mixing process, and then removed. Our techniques center on new methods to introduce additional witnesses to the sub-protocols within the proof of security. This, in turn, enables us to leverage the WI guarantees against malicious verifiers. In our first instantiation, these witnesses follow somewhat naturally from the lossiness of the encryption scheme, whereas in our second instantiation they follow from leveraging combinatorial properties of the Benes-network. These approaches may be of independent interest. Finally, we demonstrate cases in Abe\u27s original mix-net (without modification) where only one witness exists, such that if the WI proof leaks information on the (single) witness in these cases, then the system will not be anonymous against malicious verifiers

A Non-Interactive Shuffle Argument With Low Trust Assumptions

A shuffle argument is a cryptographic primitive for proving correct behaviour of mix-networks without leaking any private information. Several recent constructions of non-interactive shuffle arguments avoid the random oracle model but require the public key to be trusted. We augment the most efficient argument by Fauzi et al. [Asiacrypt 2017] with a distributed key generation protocol that assures soundness of the argument if at least one party in the protocol is honest and additionally provide a key verification algorithm which guarantees zero-knowledge even if all the parties are malicious. Furthermore, we simplify their construction and improve security by using weaker assumptions while retaining roughly the same level of efficiency. We also provide an implementation to the distributed key generation protocol and the shuffle argument

Lattice-based proof of a shuffle

In this paper we present the first fully post-quantum proof of a shuffle for RLWE encryption schemes. Shuffles are commonly used to construct mixing networks (mix-nets), a key element to ensure anonymity in many applications such as electronic voting systems. They should preserve anonymity even against an attack using quantum computers in order to guarantee long-term privacy. The proof presented in this paper is built over RLWE commitments which are perfectly binding and computationally hiding under the RLWE assumption, thus achieving security in a post-quantum scenario. Furthermore we provide a new definition for a secure mixing node (mix-node) and prove that our construction satisfies this definition

An airdrop that preserves recipient privacy

A common approach to bootstrapping a new cryptocurrency is an airdrop, an arrangement in which existing users give away currency to entice new users to join. But current airdrops offer no recipient privacy: they leak which recipients have claimed the funds, and this information is easily linked to off-chain identities. In this work, we address this issue by defining a private airdrop and describing concrete schemes for widely-used user credentials, such as those based on ECDSA and RSA. Our private airdrop for RSA builds upon a new zero-knowledge argument of knowledge of the factorization of a committed secret integer, which may be of independent interest. We also design a private genesis airdrop that efficiently sends private airdrops to millions of users at once. Finally, we implement and evaluate. Our fastest implementation takes 40--180 ms to generate and 3.7--10 ms to verify an RSA private airdrop signature. Signatures are 1.8--3.3 kiB depending on the security parameter

Improving the Performance of Cryptographic Voting Protocols

Cryptographic voting protocols often rely on methods that require a large number of modular exponentiations. Corresponding performance bottlenecks may appear both on the server and the client side. Applying existing optimization techniques is often mentioned and rec- ommended in the literature, but their potential has never been analyzed in depth. In this paper, we investigate existing algorithms for computing fixed-base exponentiations and product exponentiations. Both of them appear frequently in voting protocols. We also explore the potential of applying small-exponent techniques. It turns out that using these techniques in combination, the overall computation time can be reduced by two or more orders of magnitude

E-Demokratie: E-Voting

Der Einsatz von elektronischen Wahlsystemen oder E-Voting-Systemen bei politischen Abstimmungen oder Wahlen wird sowohl unter Fachleuten wie auch Bürgerinnen und Bürger kontrovers diskutiert. Die einen sehen E-Voting-Systeme als eine natürliche Weiterentwicklung verbreiterter Dienste wie E-Shopping oder E-Banking, während bei den anderen die möglichen Gefahren oder gar die Gefährdung der Demokratie im Vordergrund stehen. Aufbauend auf allgemeinen Anforderungen und entsprechenden Herausforderungen bei der Umsetzung werden im Folgenden generelle vertrauensbildende Massnahmen für den Einsatz von E-Voting-Systemen dargestellt. Kryptografische Verfahren und Bausteine für E-Voting-Systeme werden beschrieben. Sie ermöglichen gewisse widersprüchliche Anforderungen aufzulösen, wie zum Beispiel die Wahrung des Stimm- und Wahlgeheimisses in Verbindung mit der individuellen und universellen Verifikation. Zwei Synthesen dieser Bausteine bilden den Schluss dieses Beitrags: Ein E-Voting-System mit postalischer Zustellung des Stimmrechtsausweises sowie ein medienbruchfreien E-Voting-System, welches vollständig übers Internet funktioniert. Das Fazit rundet den Beitrag ab