Abstract
In this work, we propose a first version of an e-voting scheme that achieves end-to-end verifiability, everlasting privacy and efficient coercion resistance in the JCJ setting. Everlasting privacy is achieved assuming an anonymous channel, without resorting to dedicated channels between the election authorities to exchange private data. In addition, the proposed scheme achieves coercion resistance under standard JCJ assumptions. As a core building block of our scheme, we also propose a new primitive called publicly auditable conditional blind signature (PACBS), where a client receives a token from the signing server after interaction; the token is a valid signature only if a certain condition holds and the validity of the signature can only be checked by a designated verifier. We utilize this primitive to blindly mark votes under coercion in an auditable manner.
This is work in progress; some properties rely on assumptions which should be lifted in order to lead to a fully functional practical solution.
B. Zhang was partially supported by EPSRC grant EP/P034578/1 and Petras PRF.
Notes
1. For compactness we omit the encryption randomness, except when it is absolutely necessary for the operation of our scheme. We also use the plain ElGamal to describe the protocol and refer to M-El Gamal only in the coercion resistance analysis.
References
Chaum, D.: Blind signatures for untraceable payments. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) Advances in Cryptology, pp. 199–203. Springer, Boston (1983). https://doi.org/10.1007/978-1-4757-0602-4_18
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_22
Fujioka, A., Okamoto, T., Ohta, K.: A practical secret voting scheme for large scale elections. In: Seberry, J., Zheng, Y. (eds.) AUSCRYPT 1992. LNCS, vol. 718, pp. 244–251. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-57220-1_66
Okamoto, T.: Provably secure and practical identification schemes and corresponding signature schemes. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 31–53. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_3
Chaum, D., Pedersen, T.P.: Wallet databases with observers. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 89–105. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_7
Cramer, R., Damgård, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_19
Jakobsson, M., Sako, K., Impagliazzo, R.: Designated verifier proofs and their applications. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 143–154. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_13
Juels, A., Luby, M., Ostrovsky, R.: Security of blind digital signatures. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 150–164. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052233
Ohkubo, M., Miura, F., Abe, M., Fujioka, A., Okamoto, T.: An improvement on a practical secret voting scheme. ISW 1999. LNCS, vol. 1729, pp. 225–234. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-47790-X_19
Jakobsson, M., Juels, A.: Mix and match: secure function evaluation via ciphertexts. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 162–177. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_13
Juels, A., Catalano, D., Jakobsson, M.: Coercion-resistant electronic elections. In: Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society, pp. 61–70. ACM (2005)
Smith, W.D.: New cryptographic voting scheme with best-known theoretical properties. In: Frontiers in Electronic Elections (FEE 2005), June 2005
Benaloh, J.: Simple verifiable elections. In: EVT 2006 (2006)
Moran, T., Naor, M.: Receipt-free universally-verifiable voting with everlasting privacy. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 373–392. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_22
Araújo, R., Foulle, S., Traoré, J.: A practical and secure coercion resistant scheme for remote elections. In: Frontiers of Electronic Voting (2007)
Weber, S.G., Araujo, R., Buchmann, J.: On coercion-resistant electronic elections with linear work. In: ARES, pp. 908–916. IEEE (2007)
Adida, B.: Helios: web-based open-audit voting. In: Proceedings of the 17th Conference on Security Symposium, pp. 335–348. USENIX Association (2008)
Clarkson, M.R., Chong, S., Myers, A.C.: Civitas: toward a secure voting system. In: IEEE Security and Privacy Symposium (2008)
Araújo, R., Ben Rajeb, N., Robbana, R., Traoré, J., Youssfi, S.: Towards practical and secure coercion-resistant electronic elections. In: Heng, S.-H., Wright, R.N., Goi, B.-M. (eds.) CANS 2010. LNCS, vol. 6467, pp. 278–297. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17619-7_20
Moran, T., Naor, M.: Split-ballot voting: everlasting privacy with distributed trust. ACM Trans. Inf. Syst. Secur. 13(2), 16 (2010)
Koenig, R., Haenni, R., Fischli, S.: Preventing board flooding attacks in coercion-resistant electronic voting schemes. In: Camenisch, J., Fischer-Hübner, S., Murayama, Y., Portmann, A., Rieder, C. (eds.) SEC 2011. IAICT, vol. 354, pp. 116–127. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21424-0_10
Schläpfer, M., Haenni, R., Koenig, R., Spycher, O.: Efficient vote authorization in coercion-resistant internet voting. In: Kiayias, A., Lipmaa, H. (eds.) Vote-ID 2011. LNCS, vol. 7187, pp. 71–88. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32747-6_5
Schröder, D., Unruh, D.: Security of blind signatures revisited. IACR Cryptology ePrint Archive, p. 316 (2011)
Bayer, S., Groth, J.: Efficient zero-knowledge argument for correctness of a shuffle. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 263–280. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_17
Spycher, O., Koenig, R., Haenni, R., Schläpfer, M.: A new approach towards coercion-resistant remote E-voting in linear time. In: Danezis, G. (ed.) FC 2011. LNCS, vol. 7035, pp. 182–189. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-27576-0_15
Clark, J., Hengartner, U.: Selections: internet voting with over-the-shoulder coercion-resistance. In: Danezis, G. (ed.) FC 2011. LNCS, vol. 7035, pp. 47–61. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-27576-0_4
Arapinis, M., Cortier, V., Kremer, S., Ryan, M.: Practical everlasting privacy. In: Basin, D., Mitchell, J.C. (eds.) POST 2013. LNCS, vol. 7796, pp. 21–40. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36830-1_2
Araújo, R., Traoré, J.: A practical coercion resistant voting scheme revisited. In: Heather, J., Schneider, S., Teague, V. (eds.) Vote-ID 2013. LNCS, vol. 7985, pp. 193–209. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39185-9_12
Buchmann, J., Demirel, D., van de Graaf, J.: Towards a publicly-verifiable mix-net providing everlasting privacy. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 197–204. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39884-1_16
Cuvelier, É., Pereira, O., Peters, T.: Election verifiability or ballot privacy: do we need to choose? In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 481–498. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40203-6_27
Grewal, G.S., Ryan, M.D., Bursuc, S., Ryan, P.Y.A.: Caveat coercitor: coercion-evidence in electronic voting. In: IEEE Security and Privacy Symposium. IEEE (2013)
Kiayias, A., Zacharias, T., Zhang, B.: End-to-end verifiable elections in the standard model. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 468–498. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_16
Araújo, R., Barki, A., Brunet, S., Traoré, J.: Remote electronic voting can be efficient, verifiable and coercion-resistant. In: Clark, J., Meiklejohn, S., Ryan, P.Y.A., Wallach, D., Brenner, M., Rohloff, K. (eds.) FC 2016. LNCS, vol. 9604, pp. 224–232. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53357-4_15
Cortier, V., Galindo, D., Kuesters, R., Mueller, J., Truderung, T.: SoK: verifiability notions for e-voting protocols. In: IEEE Security and Privacy Symposium, pp. 779–798 (2016)
Locher, P., Haenni, R., Koenig, R.E.: Coercion-resistant internet voting with everlasting privacy. In: Clark, J., Meiklejohn, S., Ryan, P.Y.A., Wallach, D., Brenner, M., Rohloff, K. (eds.) FC 2016. LNCS, vol. 9604, pp. 161–175. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53357-4_11
Ryan, P.Y.A., Rønne, P.B., Iovino, V.: Selene: voting with transparent verifiability and coercion-mitigation. In: Clark, J., Meiklejohn, S., Ryan, P.Y.A., Wallach, D., Brenner, M., Rohloff, K. (eds.) FC 2016. LNCS, vol. 9604, pp. 176–192. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53357-4_12
Grontas, P., Pagourtzis, A., Zacharakis, A.: Coercion resistance in a practical secret voting scheme for large scale elections. In: ISPAN-FCST-ISCC 2017, pp. 514–519 (2017)
Iovino, V., Rial, A., Rønne, P.B., Ryan, P.Y.A.: Using selene to verify your vote in JCJ. In: Brenner, M., et al. (eds.) FC 2017. LNCS, vol. 10323, pp. 385–403. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70278-0_24
Yang, N., Clark, J.: Practical governmental voting with unconditional integrity and privacy. In: Brenner, M., et al. (eds.) FC 2017. LNCS, vol. 10323, pp. 434–449. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70278-0_27
Zacharakis, A., Grontas, P., Pagourtzis, A.: Conditional blind signatures. In: 7th International Conference on Algebraic Informatics (Short Version) (2017). http://eprint.iacr.org/2017/682
Acknowledgements
The authors would like to thank Peter Browne Roenne and the anonymous reviewers for their helpful comments and suggestions.
Appendices
A Analysis of Coercion Resistance
We prove the coercion resistance property of the proposed voting scheme by closely following the JCJ techniques. We slightly modify the games c-resist and c-resist-ideal of JCJ to account for the extra authorization phase. We treat the \(\text {auth}\) functionality as a function that provides a valid or invalid ballot in relation to its private input.
Firstly, we examine the options of a coerced voter. Such a voter can simply supply the adversary with a fake random element of \(\mathbb {G}\). Having a fake credential, the signature she receives will be invalid, a fact undetectable by \(\mathcal {A}\) due to the design of the PACBS protocol. The voter can authenticate and cast her real vote during her moment of privacy. The coercer cannot decrypt the corresponding entry in the voter roll and find out if he was presented with the real one or not. If he tries to vote, when he receives the signature he will not be able to validate it himself. In the tallying phase the shuffle will make him lose track of the vote.
The Games c-resist and c-resist-ideal. The only change in the c-resist game of JCJ is the extra authorization phase. During this phase voters supply the essential information, based on their secret credential, and they get a ballot which can be either valid or invalid. We assume that all messages are exchanged via the bulletin board and thus are available to the adversary.
In the c-resist-ideal game an extra ideal functionality is needed, which we call idauth and its purpose is to authenticate and cast the ballots to the \(\mathsf {BB}\). This functionality gets the inputs of the players and computes the ballots as follows:
- It gives only one valid ballot for each valid credential.
- For honest voters it extracts the underlying credential and responds with a valid/invalid ballot based on it.
- Adversarial requests with credentials of corrupted players are answered normally. For the credential of the coerced voter the validity of the ballot computed is determined by the coin toss.
- The outputs are written directly to the \(\mathsf {BB}\).
In both games, \(\lambda \) is the security parameter, n is the number of voters and \(n_V\) is the number of voters the adversary can corrupt. Further inputs include the candidate slate \(\mathbf C \) and the distribution D that governs the behaviour of the uncontrolled voters. In c-resist-game, the adversary corrupts a subset V of the voters and obtains their credentials after registration. We denote by U the rest of the voters. They perform the registration process and receive their credential. Subsequently the coercer chooses the voter j to coerce and her uncoerced vote \(\beta \). Of course the voter should not be already corrupted and the vote should be a valid choice. A coin is flipped and if it is 0, the coerced voter fools \(\mathcal {A}\) by invoking the functionality \(fakekey \) and generating a fake credential while voting with her real one. If it is 1 she obeys and gives her real credential \(sk_j\) to \(\mathcal {A}\). Honest voters perform the authorization phase and cast their votes, while \(\mathcal {A}\) invokes the auth functionality with any input of his choice using the information gathered so far.
The tallying phase is then performed and \(\mathcal {A}\) tries to guess the result of the coin, using the data on the \(\mathsf {BB}\), the final tally X and the proofs provided. In c-resist-ideal-game the same things happen with minor differences. The keys obtained by \(\mathcal {A}\) do not assist him with the choice of the voter to coerce. He is always given the real credential and auth is replaced with idauth. Finally, the only data \(\mathcal {A}\) can use to guess the coin flip is the final tally X and the number of invalid votes \(\varGamma \).
We now present the simulation for the proof that our scheme is coercion resistant.
1. Input: The simulator \(\mathcal {S}\) takes as input the elements \(g_1,g_2,h_1,h_2\) of a group \(\mathbb {G}\) of order q and a vector w from a distribution D, which mirrors \(\mathcal {A}\)’s uncertainty. Each element of w is a set of valid and invalid votes, taking into account that each voter casts more than one ballot. \(\mathcal {S}\) tries to answer whether \((g_1,g_2,h_1,h_2)\) is a DH quadruple or not.
2. Parameter generation: Initially, \(\mathcal {S}\) creates the M-El Gamal encryption key by randomly choosing \(x_1,x_2\in \mathbb {Z}_q\) and computing \(h=g_1^{x_1}g_2^{x_2}\). The public key is \((g_1,g_2,h)\). He then creates a signing key pair for the CBS scheme by choosing \(g_3,g_4,y\leftarrow _R \mathbb {G}\), \(s\in \mathbb {Z}_q\) and \(k=g_3^s\). The secret key is s and the public key is \((g_3,g_4,y,k)\).
3. Registration: Each voter is assigned a random \(\sigma _i \leftarrow _R \mathbb {G}\). Using the public key, \(\mathcal {S}\) publishes the voter roll. Finally, the candidate slate C is published.
4. Corruption: \(\mathcal {A}\) corrupts voters.
5. Coercion: \(\mathcal {A}\) chooses the player to coerce and her honest vote \((j,\beta )\). The appropriate tests are performed on \((j,\beta )\) according to the games’ definitions.
6. Coin Flip: \(\mathcal {S}\) chooses \(b\leftarrow _R\{0,1\}\). If \(b=0\), \(\mathcal {A}\) is given a random group element \(\sigma ^*\leftarrow _R \mathbb {G}\), else she is given the real credential \(\sigma ^*\leftarrow \sigma _j\).
7. Authorization Requests: \(\mathcal {S}\) issues the signature requests for the honest voters according to w. For each element of w she issues \((\texttt {E}_h(\sigma _i),ID_i,PoK _1)\) where \(\texttt {E}_h(\sigma _i) = (h_1^{u_i},h_2^{u_i},h_1^{u_ix_1}h_2^{u_ix_2}\sigma _i)\) for random \(u_i\) and the proof \(PoK _1\) is simulated by the programmability of the random oracle by using standard techniques. \(\mathcal {A}\) issues his authorization requests.
8. Double requests elimination: Using the secret key \(x_1,x_2\), \(\mathcal {S}\) decrypts and eliminates double requests with the same credential.
9. Authorization: \(\mathcal {S}\) simulates this phase using her PACBS signing key. The messages are encrypted votes according to w. Encryptions are done in the same way as before. \(\mathcal {A}\) is given signatures in a straightforward manner.
10. Vote Casting: \(\mathcal {S}\) submits ballots for the honest voters. \(\mathcal {A}\) submits ballots for the corrupt and the coerced voters.
11. Tallying: Using his secret keys and standard techniques for proofs, \(\mathcal {S}\) simulates tallying in a straightforward manner.
12. Guess: \(\mathcal {A}\) decides \(b'\).
13. Output: \(\mathcal {S}\) outputs 1 iff \(b=b'\).
Let’s examine the view of \(\mathcal {A}\). Apart from the data he produces, in the authorization phase he sees the encrypted credentials with the proofs that accompany them, and the signatures given. These include a message x uniformly distributed in \(\mathbb {G}\), an encrypted first part of a signature and the second part of the signature which is a uniformly distributed element in \(\mathbb {Z}_q\). In the tallying phase he sees the encrypted ballots, their proofs and the signatures. The signatures include two random elements \(x^*,sig_2\) and an encrypted first part. Finally he gets the intermediate results and the tally with the proof. Apart from the encrypted messages and the proofs, all other data are random and do not assist him in deciding b.
Suppose that the input of \(\mathcal {S}\) is a Diffie-Hellman (DH) tuple. Then all the encryptions done by \(\mathcal {S}\) are valid and the view of \(\mathcal {A}\) is the same as the c-resist experiment. If the input is not a DH tuple then every encryption \(\mathcal {S}\) did results in uniformly distributed elements in \(\mathbb {G}^3\). \(\mathcal {A}\)’s view is the same as in the c-resist-ideal experiment.
These imply that
which is equal to \(\mathbf Adv _\mathcal {S}^{DDH}\) and so it is negligible if the DDH assumption holds.
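The dichotomy used in the argument above can be checked exhaustively in a small group. The following Python sketch is an added example, not code from the paper: it encrypts a credential the way the simulator does in step 7 and enumerates every secret key \((x_1,x_2)\) consistent with the public key h, counting the plaintexts the ciphertext could decrypt to. The toy group (p = 2039, q = 1019), the known exponent W and all function names are assumptions made for the illustration.

```python
"""Added illustration (not from the paper): DH vs. non-DH simulator inputs."""

# Constructed toy parameters: subgroup of prime order Q in Z_P^*, with P = 2Q + 1.
P, Q = 2039, 1019
G1 = 4                 # a square mod P, so it has order Q
W = 77                 # log_{g1}(g2); known here only because the group is a toy
G2 = pow(G1, W, P)


def keygen(x1, x2):
    """M-ElGamal public key h = g1^x1 * g2^x2 (step 2 of the simulation)."""
    return pow(G1, x1, P) * pow(G2, x2, P) % P


def sim_encrypt(h1, h2, x1, x2, sigma, u):
    """Step 7: (h1^u, h2^u, h1^(u*x1) * h2^(u*x2) * sigma)."""
    mask = pow(h1, u * x1, P) * pow(h2, u * x2, P) % P
    return pow(h1, u, P), pow(h2, u, P), mask * sigma % P


def decrypt(c, x1, x2):
    """Step 8: strip the mask c1^x1 * c2^x2 from the third component."""
    c1, c2, c3 = c
    mask = pow(c1, x1, P) * pow(c2, x2, P) % P
    return c3 * pow(mask, -1, P) % P


def consistent_plaintexts(c, x1, x2):
    """Plaintexts c decrypts to under every secret key that yields the same h.

    The adversary sees only h, so any (y1, y2) with y1 + W*y2 = x1 + W*x2
    (mod Q) is an equally plausible secret key from its point of view.
    """
    t = (x1 + W * x2) % Q          # log_{g1}(h)
    return {decrypt(c, (t - W * y2) % Q, y2) for y2 in range(Q)}


def demo():
    x1, x2 = 321, 654                          # constructed secret key
    sigma = pow(G1, 123, P)                    # constructed credential in G
    h1 = pow(G1, 5, P)
    dh = sim_encrypt(h1, pow(G2, 5, P), x1, x2, sigma, 17)      # DH quadruple
    non_dh = sim_encrypt(h1, pow(G2, 6, P), x1, x2, sigma, 17)  # not DH
    return (len(consistent_plaintexts(dh, x1, x2)),
            len(consistent_plaintexts(non_dh, x1, x2)))


if __name__ == "__main__":
    print(demo())
```

With a DH quadruple the ciphertext pins down a single credential, as in c-resist; with a non-DH input every group element remains a possible plaintext given h, while \(\mathcal {S}\) itself still decrypts correctly in step 8.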
Finally, we must note that the exact level of protection each voter receives depends on the size of the anonymity set, i.e. the number of decoy votes cast with their ID by other honest voters or organizations. We plan to incorporate this analysis in future versions of our work.
B Plain Okamoto-Schnorr CBS Scheme
We briefly present the simple Okamoto-Schnorr CBS Scheme from [41]. The secret signing key consists of the values \(s_1,s_2\in \mathbb {Z}_q\) as in [5] with corresponding public verification key \(v=g_1^{-s_1}g_2^{-s_2}\). During the signing and unblinding phases the public key k of the verifier is used. For the verification algorithm, the verifier checks the verification equation using the hash of the message and the commitment using the secret key \(s \in \mathbb {Z}_q\). If the secret signer bit is 1, then the signature will be valid, otherwise the verification equation will not hold. Thus the verifier will learn the secret bit of the signer. We also assume the existence of a random oracle \(\mathcal {H}\).
C Modified Okamoto-Schnorr CBS Scheme
The protocol in Fig. 5 can be combined with a multiplicatively homomorphic encryption scheme. It can also be made more practical if the parties agree on a common method to randomly generate the commitment message x. Moreover, we can let the signer play the role of the verifier, as a way to send the secret bit to oneself in the future.
We present this modified version in Fig. 6. Note that the unblinding of the first part of the signature still occurs on the exponent, but this time in encrypted form.
© 2019 International Financial Cryptography Association
About this paper
Cite this paper
Grontas, P., Pagourtzis, A., Zacharakis, A., Zhang, B. (2019). Towards Everlasting Privacy and Efficient Coercion Resistance in Remote Electronic Voting. In: Zohar, A., et al. Financial Cryptography and Data Security. FC 2018. Lecture Notes in Computer Science(), vol 10958. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-58820-8_15
DOI: https://doi.org/10.1007/978-3-662-58820-8_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-58819-2
Online ISBN: 978-3-662-58820-8
eBook Packages: Computer Science