Extending Helios Towards Private Eligibility Verifiability

Oksana Kulyk; Vanessa Teague; Melanie Volkamer

doi:10.1007/978-3-319-22270-7_4

International Conference on E-Voting and Identity

Vote-ID 2015: E-Voting and Identity pp 57-73 | Cite as

Extending Helios Towards Private Eligibility Verifiability

Authors
Authors and affiliations

Oksana Kulyk
Vanessa Teague
Melanie Volkamer

Conference paper

First Online: 13 August 2015

Part of the Lecture Notes in Computer Science book series (LNCS, volume 9269)

Abstract

We show how to extend the Helios voting system to provide eligibility verifiability without revealing who voted which we call private eligibility verifiability. The main idea is that real votes are hidden in a crowd of null votes that are cast by others but are indistinguishable from those of the eligible voter. This extended Helios scheme also improves Helios towards receipt-freeness.

Keywords

Bulletin Board Modular Exponentiation Eligible Voter Cast Vote Participation Privacy

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

This is a preview of subscription content, to check access.

Notes

Acknowledgment

This project (HA project no. 435/14-25) is funded in the framework of Hessen ModellProjekte, financed with funds of LOEWE – Landes-Offensive zur Entwicklung Wissenschaftlich-ökonomischer Exzellenz, Förderlinie 3: KMU-Verbundvorhaben (State Offensive for the Development of Scientific and Economic Excellence).

A Cryptographic Building Blocks

A.1 Proof of an Encryption of 1

In order to prove that a given ciphertext (a, b) encrypts 1, one has to present a zero-knowledge proof:

$$ ZKP\{\exists r: a = g^r\,\text {mod}\,p \wedge b = h^r\,\text {mod}\,p\}$$

The proof, presented in [9], is as follows:

1.

Prover chooses a random $w \in _R\mathbb {Z}_q$, computes $\alpha = g^w\,\text {mod}\,p$, $\beta = h^w\,\text {mod}\,p$ and sends $\alpha $, $\beta $ to the Verifier.
2.

Verifier sends the challenge $c \in _R\mathbb {Z}_q$ to the prover
3.

Prover computes $u = w + cr\,\text {mod}\,q$ and sends u to Verifier
4.

Verifier checks, that $g^u \equiv \alpha a^c\,\text {mod}\,p$ and $h^u \equiv \beta b^c\,\text {mod}\,p$ hold.

The proof has the soundness error of 1 / q.

A.2 Proof of Knowledge of Discrete Log

The following proof can be used to prove knowledge of a DSA or ElGamal signing key, or knowledge of an ElGamal ciphertext.

$$ \mathtt{Proof~of~knowledge } \{s: h = g^s \} $$

Public Parameters: ElGamal/DSA parameters (g, h, p, q)

Prover knows: $s : h = g^s\,\text {mod}\,p$.

1.

Prover selects a random value $w \in _R\mathbb {Z}_q$ and publishes $a = g^w$.
2.

Verifier sends the challenge $c \in _R\mathbb {Z}_q$
3.

Prover calculates and publishes $u = w + cs$
4.

Verifier checks $g^u = ah^c$

The soundness error of the proof is 1 / q.

A.3 Proof of Knowledge of RSA Signature

$$ \mathtt{Proof~of~knowledge } \{s: s^e \equiv h(m)\,\text {mod}\,N\} $$

Public Parameters: Message m, encoding function h(m), RSA public key (N, e) with e prime

Prover knows: $s: s^e \equiv h(m)\,\text {mod}\,N$, $d: d = e^{-1}\,\text {mod}\,\phi (N)$.

1.

Prover selects a random value $r \in _R\mathbb {Z}^*_N$ and calculates $x = r^e\,\text {mod}\,N$
2.

Verifier sends the challenge $c \in _R\mathbb {Z}_e$
3.

Prover calculates $z = rs^c\,\text {mod}\,N$ and sends z to Verifier
4.

Verifier checks $z^e \equiv x\cdot h(m)^c\,\text {mod}\,N$.

The soundness error of the proof is 1 / e. Note, that often the small prime values of e are used as public key in RSA system: commonly, $e = 3$ or $e = 2^{16} + 1$. This leads to the proof being insufficiently sound. For this cases, a modification has been proposed in [12], where in order to prove the knowledge of e-th root s of h(m), one proves the knowledge of $e^t$-th root $s'$ of $h(m)\,\text {mod}\,N$, which can be calculated as $s' = h(m)^{d^t}\,\text {mod}\,N$. The modified proof has the soundness error of $1/e^t$.

References

1.
Adida, B.: Helios: web-based open-audit voting. USENIX Security Symposium. vol. 17, pp. 335–348 (2008)Google Scholar
2.
Araújo, R., Traoré, J.: A practical coercion resistant voting scheme revisited. In: Heather, J., Schneider, S., Teague, V. (eds.) Vote-ID 2013. LNCS, vol. 7985, pp. 193–209. Springer, Heidelberg (2013) CrossRefGoogle Scholar
3.
Bell, S., Benaloh, J., Byrne, M.D., DeBeauvoir, D., Eakin, B., Fisher, G., Kortum, P., McBurnett, N., Montoya, J., Parker, M., Pereira, O., Stark, P.B., Wallach, D.S., Winn, M.: STAR-vote: a secure, transparent, auditable, and reliable voting system. USENIX J. Election Technol. Syst. (JETS) 1(1), 18–37 (2013)Google Scholar
4.
Ben-Nun, J., Fahri, N., Llewellyn, M., Riva, B., Rosen, A., Ta-Shma, A., Wikström, D.: A new implementation of a dual (paper and cryptographic) voting system. In: 5th International Conference on Electronic Voting (EVOTE) (2012). http://www.wombat-voting.com
5.
Benaloh, J.: Simple verifiable elections. In: Proceedings of the USENIX/Accurate Electronic Voting Technology Workshop 2006 on Electronic Voting Technology Workshop, pp. 5–5. USENIX Association (2006)Google Scholar
6.
Bernhard, D., Cortier, V., Pereira, O., Smyth, B., Warinschi, B.: Adapting helios for provable ballot privacy. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 335–354. Springer, Heidelberg (2011) CrossRefGoogle Scholar
7.
Bernhard, D., Pereira, O., Warinschi, B.: How not to prove yourself: pitfalls of the Fiat-shamir heuristic and applications to Helios. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 626–643. Springer, Heidelberg (2012) CrossRefGoogle Scholar
8.
Carback, R., Chaum, D., Clark, J., Conway, J., Essex, A., Herrnson, P.S., Mayberry, T., Popoveniuc, S., Rivest, R.L., Shen, E., Sherman, A.T., Vora, P.L.: Scantegrity II municipal election at Takoma Park: the first E2E binding governmental election with ballot privacy. In: Proceedings of USENIX Security (2010)Google Scholar
9.
Chaum, D., Pedersen, T.P.: Wallet databases with observers. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 89–105. Springer, Heidelberg (1993) Google Scholar
10.
Clark, J., Hengartner, U.: Selections: internet voting with over-the-shoulder coercion-resistance. In: Danezis, G. (ed.) FC 2011. LNCS, vol. 7035, pp. 47–61. Springer, Heidelberg (2012) CrossRefGoogle Scholar
11.
Cortier, V., Galindo, D., Glondu, S., Izabachène, M.: Distributed Elgamal à la Pedersen: application to Helios. In: Proceedings of the 12th ACM Workshop on Workshop on Privacy in the Electronic Society, pp. 131–142. ACM (2013)Google Scholar
12.
Cramer, R., Damgård, I.B., MacKenzie, P.D.: Efficient zero-knowledge proofs of knowledge without intractability assumptions. In: Imai, H., Zheng, Y. (eds.) PKC 2000. LNCS, vol. 1751, pp. 354–373. Springer, Heidelberg (2000) CrossRefGoogle Scholar
13.
Cramer, R., Damgård, I.B., Schoenmakers, B.: Proof of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994) Google Scholar
14.
Culnane, C., Schneider, S.: A peered bulletin board for robust use in verifiable voting systems. In: 2014 IEEE 27th Computer Security Foundations Symposium (CSF), pp. 169–183. IEEE (2014)Google Scholar
15.
Essex, A., Clark, J., Hengartner, U.: Cobra: toward concurrent ballot authorization for internet voting. In: Proceedings of the 2012 International Conference on Electronic Voting Technology/Workshop on Trustworthy Elections, EVT/WOTE, p. 3 (2012)Google Scholar
16.
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987) CrossRefGoogle Scholar
17.
Furukawa, J., Sako, K.: An efficient scheme for proving a shuffle. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, p. 368. Springer, Heidelberg (2001) CrossRefGoogle Scholar
18.
Grewal, G.S., Ryan, M.D., Bursuc, S., Ryan, P.Y.: Caveat coercitor: coercion-evidence in electronic voting. In: 2013 IEEE Symposium on Security and Privacy (SP), pp. 367–381. IEEE (2013)Google Scholar
19.
Groth, J.: A verifiable secret shuffe of homomorphic encryptions. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 145–160. Springer, Heidelberg (2002) CrossRefGoogle Scholar
20.
Guillou, L.C., Quisquater, J.-J.: A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 123–128. Springer, Heidelberg (1988) Google Scholar
21.
Guillou, L.C., Quisquater, J.-J.: A “paradoxical” identity-based signature scheme resulting from zero-knowledge. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 216–231. Springer, Heidelberg (1990) Google Scholar
22.
Haenni, R., Spycher, O.: Secure internet voting on limited devices with anonymized dsa public keys. In: Proceedings of the 2011 Conference on Electronic Voting Technology/Workshop on Trustworthy Elections, pp. 8–8. EVT/WOTE 2011. USENIX Association (2011)Google Scholar
23.
Heiberg, S., Laud, P., Willemson, J.: The application of i-voting for estonian parliamentary elections of 2011. In: Kiayias, A., Lipmaa, H. (eds.) VoteID 2011. LNCS, vol. 7187, pp. 208–223. Springer, Heidelberg (2012) CrossRefGoogle Scholar
24.
Jakobsson, M., Juels, A.: Mix and match: secure function evaluation via ciphertexts. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, p. 162. Springer, Heidelberg (2000) CrossRefGoogle Scholar
25.
Juels, A., Catalano, D., Jakobsson, M.: Coercion-resistant electronic elections. In: Proceedings of the 2005 ACM workshop on Privacy in the electronic society, pp. 61–70. ACM (2005)Google Scholar
26.
Koenig, R., Haenni, R., Fischli, S.: Preventing board flooding attacks in coercion-resistant electronic voting schemes. In: Camenisch, J., Fischer-Hübner, S., Murayama, Y., Portmann, A., Rieder, C. (eds.) SEC 2011. IFIP AICT, vol. 354, pp. 116–127. Springer, Heidelberg (2011) CrossRefGoogle Scholar
27.
Kutyłowski, M., Zagórski, F.: Verifiable internet voting solving secure platform problem. In: Miyaji, A., Kikuchi, H., Rannenberg, K. (eds.) IWSEC 2007. LNCS, vol. 4752, pp. 199–213. Springer, Heidelberg (2007) CrossRefGoogle Scholar
28.
Neff, C.A.: A verifiable secret shuffle and its application to e-voting. In: Proceedings of the 8th ACM conference on Computer and Communications Security, pp. 116–125. ACM (2001)Google Scholar
29.
Neumann, S., Feier, C., Volkamer, M., Koenig, R.: Towards a practical jcj/civitas implementation. In: INF13 - Workshop: Elektronische Wahlen: Ich sehe was, das Du nicht siehst - öffentliche und geheime Wahl, pp. 804–818 (2013)Google Scholar
30.
Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992) Google Scholar
31.
Pfitzmann, B.: Breaking an efficient anonymous channel. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 332–340. Springer, Heidelberg (1995) Google Scholar
32.
Raykova, M., Wagner, D.: Verifable remote voting with large scale coercion resistance. Technical report CUCS-041-11, Columbia (2011)Google Scholar
33.
Ryan, P.Y., Bismark, D., Heather, J., Schneider, S., Xia, Z.: Prêt à voter: a voter-verifiable voting system. IEEE Trans. Inf. Forensics Secur. 4(4), 662–673 (2009)CrossRefGoogle Scholar
34.
Schläpfer, M., Haenni, R., Koenig, R., Spycher, O.: Efficient vote authorization in coercion-resistant internet voting. In: Kiayias, A., Lipmaa, H. (eds.) VoteID 2011. LNCS, vol. 7187, pp. 71–88. Springer, Heidelberg (2012) CrossRefGoogle Scholar
35.
Schnorr, C.P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991)MathSciNetCrossRefGoogle Scholar
36.
Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)MathSciNetCrossRefzbMATHGoogle Scholar
37.
Springall, D., Finkenauer, T., Durumeric, Z., Kitcat, J., Hursti, H., MacAlpine, M., Halderman, J.A.: Security analysis of the estonian internet voting system. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 703–715. ACM (2014)Google Scholar
38.
Spycher, O., Koenig, R., Haenni, R., Schläpfer, M.: A new approach towards coercion-resistant remote e-voting in linear time. In: Danezis, G. (ed.) FC 2011. LNCS, vol. 7035, pp. 182–189. Springer, Heidelberg (2012) CrossRefGoogle Scholar
39.
Spycher, O., Volkamer, M., Koenig, R.: Transparency and technical measures to establish trust in Norwegian internet voting. In: Kiayias, A., Lipmaa, H. (eds.) VoteID 2011. LNCS, vol. 7187, pp. 19–35. Springer, Heidelberg (2012) CrossRefGoogle Scholar
40.
Srinivasan, S., Culnane, C., Heather, J., Schneider, S., Xia, Z.: Countering ballot stuffing and incorporating eligibility verifiability in Helios. In: Au, M.H., Carminati, B., Kuo, C.-C.J. (eds.) NSS 2014. LNCS, vol. 8792, pp. 335–348. Springer, Heidelberg (2014) Google Scholar
41.
Terelius, B., Wikström, D.: Proofs of restricted shuffles. In: Bernstein, D.J., Lange, T. (eds.) AFRICACRYPT 2010. LNCS, vol. 6055, pp. 100–113. Springer, Heidelberg (2010) CrossRefGoogle Scholar

Copyright information

Authors and Affiliations

Oksana Kulyk
- 1
Email author
Vanessa Teague
- 2
Melanie Volkamer
- 1
- 3

1.Technische Universität Darmstadt/CASEDDarmstadtGermany
2.University of MelbourneMelbourneAustralia
3.Karlstad UniversityKarlstadSweden

Extending Helios Towards Private Eligibility Verifiability

Abstract

Keywords

Notes

Acknowledgment

References

Copyright information

Authors and Affiliations

Personalised recommendations

Cite paper