Download presentation

Presentation is loading. Please wait.

Published byFrida Latchford Modified about 1 year ago

1
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1

2
Aims and objectives Models are useful, desirable Cryptographic proofs are not difficult Have y’all do one cryptographic proof Have y’all develop a zero-knowledge protocol Have y’all prove one property for a zero-knowledge protocol 2

3
Models 3

4
Voting scheme 4 v1v1 vnvn v2v2

5
Wish list Eligibility: only legitimate voters vote; each voter votes once Fairness: voting does not reveal early results Verifiability: individual, universal Privacy: no information about the individual votes is revealed Receipt-freeness: a voter cannot prove s/he voted in a certain way Coercion-resistance: a voter cannot interact with a coercer to prove that s/he voted in a certain way 5

6
Design-then-break paradigm 6 …attack found …no attack found Guarantees: no attack has been found yet

7
Security models 7 Mathematical descriptions: What a system is How a system works What is an attacker What is a break Advantages: clarify security notion; allows for security proofs (guarantees within clearly established boundaries) Shortcomings: abstraction – implicit assumptions, details are missing (e.g. trust in hardware, side- channels)

8
This talk Privacy-relevant cryptographic primitives Asymmetric encryption Noninteractive zero-knowledge proofs Privacy-relevant techniques Homomorphicity Rerandomization Threshold cryptography Security models for encryption Security models for vote secrecy (Helios) 8

9
Cryptographic security models 9

10
Game based models 10 Challenger Query Answer 0/1

11
ASYMMETRIC ENCRYPTION SCHEMES 11

12
Syntax 12 Setup(ν): fixes parameters for the scheme KG(params): randomized algorithm that generates (PK,SK) ENC PK (m): randomized algorithm that generates an encryption of m under PK DEC SK (C): deterministic algorithm that calculates the decryption of C under sk

13
Functional properties 13

14
(exponent) ElGamal 14

15
Functional properties 15

16
IND-CPA 16 Public Key PK win M 0,M I C Guess d Theorem:If the DDH problem is hard in G then the ElGamal encryption scheme is IND- CPA secure. Good definition?

17
SINGLE PASS VOTING SCHEME 17

18
Informal 18 P 1 : v 1 P 2 : v 2 P n : v n C1C1 C2C2 CnCn SK PK

19
Syntax of SPS schemes Setup(ν): generates (x,y,BB) secret information for tallying, public information parameters of the scheme, initial BB Vote(y,v): the algorithm run by each voter to produce a ballot b Ballot(BB,b): run by the bulleting board; outputs new BB and accept/reject Tallying(BB,x): run by the tallying authorities to calculate the final result 19

20
An implementation: Enc2Vote 20

21
PK Attack against privacy 21 SK P 1 : v 1 P 2 : v 2 C1C1 P3P3 Assume that votes are either 0 or 1 If the result is 0 or 1 then v 1 was 0, otherwise v 1 was 1 C1C1 C2C2 C1C1 FIX: weed out equal ciphertexts

22
New attack 22 P 1 : v 1 P 2 : v 2 C P3P3 PK C1C1 C2C2 C FIX: Make sure ciphertexts cannot be mauled and weed out equal ciphertexts SK

23
Non-malleable encryption (NM-CPA) 23 Public Key PK win M 0,M 1 C Guess d C 1, C 2 …,C n M 1, M 2,…,M n Good definition?

24
ElGamal is not non-malleable 24

25
Ballot secrecy for SPS [BCPSW11] 25 C h 0,h 1 C1C1 C Sees BB b d result C0C0 C C PK SK win

26
26 PK SK h 0,h 1 C d result h 0,h 1 C 1, C 2,…, C t d v 1, v 2,…, v t PK C1C1 C

27
27 PK SK h 0,h 1 C’ d result h 0,h 1 C 1, C 2,…, C t d v 1, v 2,…, v t PK C C’ PK

28
ZERO KNOWLEDGE PROOFS 28

29
Interactive proofs 29 w X M1M1 M2M2 M3M3 MnMn Prover Verifier X Wants to convince the Verifier that something is true about X. Formally that: Rel(X,w) for some w. Variant: the prover actually knows such a w Accept/ Reject Examples: Rel g,h ((X,Y),z) iff X=g z and Y=h z Rel g,X ((R,C),r) iff R=g r and C=X r Rel g,X ((R,C),r) iff R=g r and C/g=X r Rel g,X ((R,C),r) iff (R=g r and C=X r ) or (R=g r and C/g=X r ) Examples: Rel g,h ((X,Y),z) iff X=g z and Y=h z Rel g,X ((R,C),r) iff R=g r and C=X r Rel g,X ((R,C),r) iff R=g r and C/g=X r Rel g,X ((R,C),r) iff (R=g r and C=X r ) or (R=g r and C/g=X r )

30
Properties (informal) Completeness: an honest prover always convinces an honest verifier of the validity of the statement Soundness: a dishonest prover can cheat only with small probability Zero knowledge: no other information is revealed Proof of knowledge: can extract witness from a successful prover 30

31
Equality of discrete logs [CP92] 31

32
Completeness 32

33
(Special) Soundness 33

34
(HV) zero-knowledge 34 R c s Rel(X,w) X,w X There exists a simulator SIM that produces transcripts that are indistinguishable from those of the real execution. R c s X

35
Special zero-knowledge 35 R c s Rel(X,w) X,w X R c s X

36
Special zero-knowledge for CP 36

37
OR-proofs [CDS95,C96] 37 R1 c1 s1 Rel1(X,w) X,w X R2 c2 s2 Rel2(Y,w) Y,w Y Design a protocol for Rel3(X,Y,w) where: Rel3(X,Y,w) iff Rel1(X,w) or Rel2(Y,w)

38
OR-proofs 38 X,Y,w R1R2 c1c2s1s2 X,Y c

39
OR-proofs 39 Rel1(X,w) X,Y,w R1R2 c1=c-c2c2 s1s2 X,Y c

40
OR-proofs 40 Rel1(X,w1) X,Y,w R1R2 c1=c-c2c2 c1,s1c2,s2 X,Y c To verify: check that c1+c2=c and that (R1,c1,s1) and (R2,c2,s2) are accepting transcripts for the respective relations.

41
Non-interactive proofs 41 Prover Verifier X,w X

42
The Fiat-Shamir/Blum transform 42 R c s Rel(X,w) X,w X R s X c=H(X,R) The proof is (R,s). To verify: compute c=H(R,s). Check (R,c,s) as before

43
ElGamal + PoK 43

44
ElGamal + PoK 44 Theorem: ElGamal+PoK as defined is NM-CPA, in the random oracle model. Theorem: Enc2Vote(ElGamal+PoK) has vote secrecy, in the random oracle model.

45
Random oracle [BR93,CGH98] Unsound heuristic There exists schemes that are secure in the random oracle model for which any instantiation is insecure Efficiency vs security 45

46
Exercise: Distributed ElGamal decryption 46 Design a non interactive zero knowledge proof that Pi behaves correctly

47
Ballot secrecy vs. vote privacy 47

48
AN INFORMATION THEORETIC APPROACH TO VOTE PRIVACY [BCPW12?] 48

49
Information theory 49

50
Conditional privacy measure 50

51
Computational variant 51 F(M| Enc PK (M)) = ?

52
Computational variant 52

53
Example 53

54
Variation 54

55
Application to voting 55

56
Measure(s) for vote privacy 56

57
Privacy of idealized protocols 57

58
Recall: vote secrecy for SPS 58 PK C h 0,h 1 C1C1 C Sees BB b d result C0C0 C C SK win

59
Recall: vote secrecy for SPS 59 PK C h 0,0 C1C1 C Sees BB b d result C0C0 C C SK win D

60
Relation with d-privacy Set F to be average min-entropy 60

61
Choice of entropy Average min-entropy: measures the probability that an observer guesses the target function of the votes Min min-entropy: measures the probability that an observer guesses the target function of the votes for the worst possible election outcome Min Hartley entropy: measures the minimum number of values that the target function can take for any assignment of votes 61

62
NOT COVERED 62

63
Threshold decryption 63

64
Simulation-based models [Groth05] 64

65
Games vs. simulation security Games Not always intuitive Difficult to design: challenger/queries should reflect all potential uses of the system and permit access to all the information that can be gleaned Simulation More intuitive (for simple systems) Too demanding (e.g. adaptive security) 65

66
Relation with d-privacy Set F to be average min-entropy 66

67
Dolev-Yao models [DKR09] Protocols specified in a process algebra (applied-pi calculus) Vote secrecy: P[vote1/v1, vote2/v2] ≈ P[vote2/v1, vote1/v2] Abstraction? Relation with the game-based definition? 67

68
Incoercibility/Receipt freeness 68

69
Mix-nets 69

70
Everlasting privacy 70

71
Commitments 71

72
Fully homomorphic encryption 72

73
Conclusions Models (symbolic, computational) are important Models, models, models… Proofs (symbolic, computational) are important Proofs, proofs? A first step towards a privacy measure 73

74
Thanks 74

Similar presentations

© 2016 SlidePlayer.com Inc.

All rights reserved.

Ads by Google