Towards Everlasting Privacy and Efficient Coercion Resistance in Remote Electronic Voting

Abstract

In this work, we propose a first version of an e-voting scheme that achieves end-to-end verifiability, everlasting privacy and efficient coercion resistance in the JCJ setting. Everlasting privacy is achieved assuming an anonymous channel, without resorting to dedicated channels between the election authorities to exchange private data. In addition, the proposed scheme achieves coercion resistance under standard JCJ assumptions. As a core building block of our scheme, we also propose a new primitive called publicly auditable conditional blind signature (PACBS), where a client receives a token from the signing server after interaction; the token is a valid signature only if a certain condition holds and the validity of the signature can only be checked by a designated verifier. We utilize this primitive to blindly mark votes under coercion in an auditable manner.

This is work in progress; some properties rely on assumptions which should be lifted in order to lead to a fully functional practical solution.

B. Zhang was partially supported by EPSRC grant EP/P034578/1 and Petras PRF.

Appendices

A Analysis of Coercion Resistance

We prove the coercion resistance property of the proposed voting scheme by closely following the JCJ techniques. We slightly modify the games c-resist and c-resist-ideal of JCJ to account for the extra authorization phase. We treat the \(\text {auth}\) functionality as a function that provides a valid or invalid ballot in relation to its private input.

Firstly, we examine the options of a coerced voter. Such a voter, can simply supply the adversary with a fake random element of \(\mathbb {G}\). Having a fake credential, the signature she receives will be invalid, a fact undetectable by \(\mathcal {A}\) due to the design of the PACBS protocol. The voter can authenticate and cast her real vote during her moment of privacy. The coercer cannot decrypt the corresponding entry in the voter roll and find out if he was presented with the real one or not. If he tries to vote, when he receives the signature he will not be able to validate it himself. In the tallying phase the shuffle will make him lose track of the vote.

The Games c-resist and c-resist-ideal. The only change in the c-resist game of JCJ is the extra authorization phase. During this phase voters supply the essential information, based on their secret credential, and they get a ballot which can be either valid or invalid. We assume that all messages are exchanged via the bulletin board and thus are available to the adversary.

In the c-resist-ideal game an extra ideal functionality is needed, which we call idauth and its purpose is to authenticate and cast the ballots to the \(\mathsf {BB}\). This functionality gets the inputs of the players and computes the ballots as follows:

• It gives only one valid ballot for each valid credential.

• For honest voters it extracts the underlying credential and responds with a valid/invalid ballot based on it.

• Adversarial requests with credentials of corrupted players are answered normally. For the credential of the coerced voter the validity of the ballot computed is determined by the coin toss.

• The outputs are written directly to the \(\mathsf {BB}\).

In both games, \(\lambda \) is the security parameter, n is the number of voters and \(n_V\) is the number of voters the adversary can corrupt. Further inputs include the candidate slate \(\mathbf C \) and the distribution D that governs the behaviour of the uncontrolled voters. In c-resist-game, the adversary corrupts a subset V of the voters and obtains their credentials after registration. We denote by U the rest of the voters. They perform the registration process and receive their credential. Subsequently the coercer chooses the voter j to coerce and her uncoerced vote \(\beta \). Of course the voter should not be already corrupted and the vote should be a valid choice. A coin is flipped and if it is 0, the coerced voter fools \(\mathcal {A}\) by invoking the functionality \(fakekey \) and generating a fake credential while voting with her real one. If it is 1 she obeys and gives her real credential \(sk_j\) to \(\mathcal {A}\). Honest voters perform the authorization phase and cast their votes, while \(\mathcal {A}\) invokes the auth functionality with any input of his choice using the information gathered so far.

The tallying phase is then performed and \(\mathcal {A}\) tries to guess the result of the coin, using the data on the \(\mathsf {BB}\), the final tally X and the proofs provided. In c-resist-ideal-game the same things happen with minor differences. The keys obtained by \(\mathcal {A}\) do not assist him with the choice of the voter to coerce. He is always given the real credential and auth is replaced with idauth. Finally, the only data \(\mathcal {A}\) can use to guess the coin flip is the final tally X and the number of invalid votes \(\varGamma \).

We now present the simulation for the proof that our scheme is coercion resistant.

1. 1.

   Input: The simulator \(\mathcal {S}\) takes as input the elements \(g_1,g_2,h_1,h_2\) of a group \(\mathbb {G}\) of order q and a vector w from a distribution D, which mirrors \(\mathcal {A}\)’s uncertainty. Each element of w is a set of valid and invalid votes, taking into account that each voter casts more than one ballot. \(\mathcal {S}\) tries to answer whether \((g_1,g_2,h_1,h_2)\) is a DH quadruple or not.

2. 2.

   Parameter generation: Initially the \(\mathcal {S}\) creates the M-El Gamal encryption key by randomly choosing \(x_1,x_2\in \mathbb {Z}_q\) and computing \(h=g_1^{x_1}g_2^{x_2}\). The public key is \((g_1,g_2,h)\). He then creates a signing key pair for the CBS scheme by choosing \(g_3,g_4,y\leftarrow _R \mathbb {G}\), \(s\in \mathbb {Z}_q\) and \(k=g_3^s\). The secret key is s and the public key is \((g_3,g_4,y,k)\).

3. 3.

   Registration: Each voter is assigned a random \(\sigma _i \leftarrow _R \mathbb {G}\). Using the public key, \(\mathcal {S}\) publishes the voter roll. Finally, the candidate slate C is published.

4. 4.

   Corruption: \(\mathcal {A}\) corrupts voters.

5. 5.

   Coercion: \(\mathcal {A}\) chooses the player to coerce and her honest vote \((j,\beta )\). The appropriate tests are performed in \((j,\beta )\) according to the games’ definitions.

6. 6.

   Coin Flip: \(\mathcal {S}\) chooses \(b\leftarrow _R\{0,1\}\). If \(b=0\), \(\mathcal {A}\) is given a random group element \(\sigma ^*\leftarrow _R \mathbb {G}\), else she is given the real credential \(\sigma ^*\leftarrow \sigma _j\).

7. 7.

   Authorization Requests: \(\mathcal {S}\) issues the signature requests for the honest voters according to w. For each element of w she issues \((\texttt {E}_h(\sigma _i),ID_i,PoK _1)\) where \(\texttt {E}_h(\sigma _i) = (h_1^{u_i},h_2^{u_i},h_1^{u_ix_1}h_2^{u_ix_2}\sigma _i)\) for random \(u_i\) and the proof \(PoK _1\) is simulated by the programmability of the random oracle by using standard techniques. \(\mathcal {A}\) issues his authorization requests.

8. 8.

   Double requests elimination: Using the secret key \(x_1,x_2\), \(\mathcal {S}\) decrypts and eliminates double requests with the same credential.

9. 9.

   Authorization: \(\mathcal {S}\) simulates this phase using her PACBS signing key. The messages are encrypted votes according to w. Encryptions are done in the same way as before. \(\mathcal {A}\) is given signatures in a straightforward manner.

10. 10.

    Vote Casting: \(\mathcal {S}\) submits ballots for the honest voters. \(\mathcal {A}\) submits ballots for the corrupt and the coerced voters.

11. 11.

    Tallying: Using his secret keys and standard techniques for proofs, \(\mathcal {S}\) simulates tallying in a straightforward manner.

12. 12.

    Guess: \(\mathcal {A}\) decides \(b'\).

13. 13.

    Output: \(\mathcal {S}\) outputs 1 iff \(b=b'\).

Let’s examine the view of \(\mathcal {A}\). Apart from the data he produces, in the authorization phase he sees the encrypted credentials with the proofs that accompany them, and the signatures given. These include a message x uniformly distributed in \(\mathbb {G}\), an encrypted first part of a signature and the second part of the signature which is a uniformly distributed element in \(\mathbb {Z}_q\). In the tallying phase he sees the encrypted ballots, their proofs and the signatures. The signatures include two random elements \(x^*,sig_2\) and an encrypted first part. Finally he gets the intermediate results and the tally with the proof. Apart from the encrypted messages and the proofs, all other data are random and do not assist him in deciding b.

Suppose that the input of \(\mathcal {S}\) is a Diffie-Hellman (DH) tuple. Then all the encryptions done by \(\mathcal {S}\) are valid and the view of \(\mathcal {A}\) is the same as the c-resist experiment. If the input is not a DH tuple then every encryption \(\mathcal {S}\) did results in uniformly distributed elements in \(\mathbb {G}^3\). \(\mathcal {A}\)’s view is the same as in the c-resist-ideal experiment.

These imply that

$$\begin{aligned} \mathbf Adv _{ES,\mathcal {A}}^{\text {c-resist}} = |\Pr [\mathcal {S}=1|DH (g_1,g_2,h_1,h_2)]-\Pr [\mathcal {S}=1|\lnot DH (g_1,g_2,h_1,h_2)]| \end{aligned}$$

which is equal to \(\mathbf Adv _\mathcal {S}^{DDH}\) and so it is negligible if the DDH assumption holds.

Finally, we must note that the exact level of protection each voter receives depends on the size of the anonymity set, i.e. the number of decoy votes cast with their ID by other honest voters or organizations. We plan to incorporate this analysis in future versions of our work.

B Plain Okamoto-Schnorr CBS Scheme

We briefly present the simple Okamoto Shnorr CBS Scheme from [41]. The secret signing key consists of the values \(s_1,s_2\in \mathbb {Z}_q\) as in [5] with corresponding public verification key \(v=g_1^{-s_1}g_2^{-s_2}\). During the signing and unblinding phases the public key k of the verifier is used. For the verification algorithm, the verifier checks the verification equation using the hash of the message and the commitment using the secret key \(s \in \mathbb {Z}_q\). If the secret signer bit is 1, then the signature will be valid, otherwise the verification equation will not hold. Thus the verifier will learn the secret bit of the signer. We also assume the existence of a random oracle \(\mathcal {H}\).

Fig. 5.

The original CBS Scheme based on Okamoto Schnorr signatures

Fig. 6.

Modified conditional blind signatures

C Modified Okamoto-Schnorr CBS Scheme

The protocol in Fig. 5 can be combined with a multiplicatively homomorphic encryption scheme. It can also be made more practical if the parties agree in a common method to randomly generate the commitment message x. Moreover, we can let the signer play the role of the verifier, as a way to send the secret bit to oneself in the future.

We present this modified version in Fig. 6. Note that the unblinding of the first part of the signature, still occurs on the exponent, but this time in encrypted form.