Abstract
We show how to extend the Helios voting system to provide eligibility verifiability without revealing who voted, which we call private eligibility verifiability. The main idea is that real votes are hidden in a crowd of null votes that are cast by others but are indistinguishable from those of the eligible voter. This extended Helios scheme also improves Helios towards receipt-freeness.
Notes
1. Usually a hash value of m and/or padding, according to common RSA signature standards.
2. As the complexity of the computations in the tallying stage depends on the number of eligible voters rather than total cast votes, and the complexity of the computations in the voting stage is linear in the number of cast votes, we presume board flooding is less likely to significantly hinder the election than it is in [25].
3. This prevents manipulating someone’s vote by re-posting something they have genuinely contributed.
4. This can be done by checking whether \(b^q = 1\) for a ciphertext (a, b) with a valid proof of plaintext knowledge, and is needed to prevent information leakage about plaintext from \(\mathcal {PET}s\) during tallying.
5. This and other assumptions are further discussed in Sect. 5.
6. She can do this for the ciphertext \((g^r, c\cdot h^r)\) by disclosing the randomness r to the adversary.
7. Note that \(v'\) can be the legitimate vote for another candidate (i.e. the one the voter actually intends to vote for), but also some random value, or even a value unknown to the voter, that results in an invalid vote.
References
Adida, B.: Helios: web-based open-audit voting. USENIX Security Symposium. vol. 17, pp. 335–348 (2008)
Araújo, R., Traoré, J.: A practical coercion resistant voting scheme revisited. In: Heather, J., Schneider, S., Teague, V. (eds.) Vote-ID 2013. LNCS, vol. 7985, pp. 193–209. Springer, Heidelberg (2013)
Bell, S., Benaloh, J., Byrne, M.D., DeBeauvoir, D., Eakin, B., Fisher, G., Kortum, P., McBurnett, N., Montoya, J., Parker, M., Pereira, O., Stark, P.B., Wallach, D.S., Winn, M.: STAR-vote: a secure, transparent, auditable, and reliable voting system. USENIX J. Election Technol. Syst. (JETS) 1(1), 18–37 (2013)
Ben-Nun, J., Fahri, N., Llewellyn, M., Riva, B., Rosen, A., Ta-Shma, A., Wikström, D.: A new implementation of a dual (paper and cryptographic) voting system. In: 5th International Conference on Electronic Voting (EVOTE) (2012). http://www.wombat-voting.com
Benaloh, J.: Simple verifiable elections. In: Proceedings of the USENIX/Accurate Electronic Voting Technology Workshop 2006 on Electronic Voting Technology Workshop, pp. 5–5. USENIX Association (2006)
Bernhard, D., Cortier, V., Pereira, O., Smyth, B., Warinschi, B.: Adapting helios for provable ballot privacy. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 335–354. Springer, Heidelberg (2011)
Bernhard, D., Pereira, O., Warinschi, B.: How not to prove yourself: pitfalls of the Fiat-shamir heuristic and applications to Helios. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 626–643. Springer, Heidelberg (2012)
Carback, R., Chaum, D., Clark, J., Conway, J., Essex, A., Herrnson, P.S., Mayberry, T., Popoveniuc, S., Rivest, R.L., Shen, E., Sherman, A.T., Vora, P.L.: Scantegrity II municipal election at Takoma Park: the first E2E binding governmental election with ballot privacy. In: Proceedings of USENIX Security (2010)
Chaum, D., Pedersen, T.P.: Wallet databases with observers. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 89–105. Springer, Heidelberg (1993)
Clark, J., Hengartner, U.: Selections: internet voting with over-the-shoulder coercion-resistance. In: Danezis, G. (ed.) FC 2011. LNCS, vol. 7035, pp. 47–61. Springer, Heidelberg (2012)
Cortier, V., Galindo, D., Glondu, S., Izabachène, M.: Distributed Elgamal à la Pedersen: application to Helios. In: Proceedings of the 12th ACM Workshop on Workshop on Privacy in the Electronic Society, pp. 131–142. ACM (2013)
Cramer, R., Damgård, I.B., MacKenzie, P.D.: Efficient zero-knowledge proofs of knowledge without intractability assumptions. In: Imai, H., Zheng, Y. (eds.) PKC 2000. LNCS, vol. 1751, pp. 354–373. Springer, Heidelberg (2000)
Cramer, R., Damgård, I.B., Schoenmakers, B.: Proof of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994)
Culnane, C., Schneider, S.: A peered bulletin board for robust use in verifiable voting systems. In: 2014 IEEE 27th Computer Security Foundations Symposium (CSF), pp. 169–183. IEEE (2014)
Essex, A., Clark, J., Hengartner, U.: Cobra: toward concurrent ballot authorization for internet voting. In: Proceedings of the 2012 International Conference on Electronic Voting Technology/Workshop on Trustworthy Elections, EVT/WOTE, p. 3 (2012)
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)
Furukawa, J., Sako, K.: An efficient scheme for proving a shuffle. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, p. 368. Springer, Heidelberg (2001)
Grewal, G.S., Ryan, M.D., Bursuc, S., Ryan, P.Y.: Caveat coercitor: coercion-evidence in electronic voting. In: 2013 IEEE Symposium on Security and Privacy (SP), pp. 367–381. IEEE (2013)
Groth, J.: A verifiable secret shuffle of homomorphic encryptions. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 145–160. Springer, Heidelberg (2002)
Guillou, L.C., Quisquater, J.-J.: A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 123–128. Springer, Heidelberg (1988)
Guillou, L.C., Quisquater, J.-J.: A “paradoxical” identity-based signature scheme resulting from zero-knowledge. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 216–231. Springer, Heidelberg (1990)
Haenni, R., Spycher, O.: Secure internet voting on limited devices with anonymized dsa public keys. In: Proceedings of the 2011 Conference on Electronic Voting Technology/Workshop on Trustworthy Elections, pp. 8–8. EVT/WOTE 2011. USENIX Association (2011)
Heiberg, S., Laud, P., Willemson, J.: The application of i-voting for estonian parliamentary elections of 2011. In: Kiayias, A., Lipmaa, H. (eds.) VoteID 2011. LNCS, vol. 7187, pp. 208–223. Springer, Heidelberg (2012)
Jakobsson, M., Juels, A.: Mix and match: secure function evaluation via ciphertexts. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, p. 162. Springer, Heidelberg (2000)
Juels, A., Catalano, D., Jakobsson, M.: Coercion-resistant electronic elections. In: Proceedings of the 2005 ACM workshop on Privacy in the electronic society, pp. 61–70. ACM (2005)
Koenig, R., Haenni, R., Fischli, S.: Preventing board flooding attacks in coercion-resistant electronic voting schemes. In: Camenisch, J., Fischer-Hübner, S., Murayama, Y., Portmann, A., Rieder, C. (eds.) SEC 2011. IFIP AICT, vol. 354, pp. 116–127. Springer, Heidelberg (2011)
Kutyłowski, M., Zagórski, F.: Verifiable internet voting solving secure platform problem. In: Miyaji, A., Kikuchi, H., Rannenberg, K. (eds.) IWSEC 2007. LNCS, vol. 4752, pp. 199–213. Springer, Heidelberg (2007)
Neff, C.A.: A verifiable secret shuffle and its application to e-voting. In: Proceedings of the 8th ACM conference on Computer and Communications Security, pp. 116–125. ACM (2001)
Neumann, S., Feier, C., Volkamer, M., Koenig, R.: Towards a practical jcj/civitas implementation. In: INF13 - Workshop: Elektronische Wahlen: Ich sehe was, das Du nicht siehst - öffentliche und geheime Wahl, pp. 804–818 (2013)
Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992)
Pfitzmann, B.: Breaking an efficient anonymous channel. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 332–340. Springer, Heidelberg (1995)
Raykova, M., Wagner, D.: Verifiable remote voting with large scale coercion resistance. Technical report CUCS-041-11, Columbia (2011)
Ryan, P.Y., Bismark, D., Heather, J., Schneider, S., Xia, Z.: Prêt à voter: a voter-verifiable voting system. IEEE Trans. Inf. Forensics Secur. 4(4), 662–673 (2009)
Schläpfer, M., Haenni, R., Koenig, R., Spycher, O.: Efficient vote authorization in coercion-resistant internet voting. In: Kiayias, A., Lipmaa, H. (eds.) VoteID 2011. LNCS, vol. 7187, pp. 71–88. Springer, Heidelberg (2012)
Schnorr, C.P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991)
Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)
Springall, D., Finkenauer, T., Durumeric, Z., Kitcat, J., Hursti, H., MacAlpine, M., Halderman, J.A.: Security analysis of the estonian internet voting system. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 703–715. ACM (2014)
Spycher, O., Koenig, R., Haenni, R., Schläpfer, M.: A new approach towards coercion-resistant remote e-voting in linear time. In: Danezis, G. (ed.) FC 2011. LNCS, vol. 7035, pp. 182–189. Springer, Heidelberg (2012)
Spycher, O., Volkamer, M., Koenig, R.: Transparency and technical measures to establish trust in Norwegian internet voting. In: Kiayias, A., Lipmaa, H. (eds.) VoteID 2011. LNCS, vol. 7187, pp. 19–35. Springer, Heidelberg (2012)
Srinivasan, S., Culnane, C., Heather, J., Schneider, S., Xia, Z.: Countering ballot stuffing and incorporating eligibility verifiability in Helios. In: Au, M.H., Carminati, B., Kuo, C.-C.J. (eds.) NSS 2014. LNCS, vol. 8792, pp. 335–348. Springer, Heidelberg (2014)
Terelius, B., Wikström, D.: Proofs of restricted shuffles. In: Bernstein, D.J., Lange, T. (eds.) AFRICACRYPT 2010. LNCS, vol. 6055, pp. 100–113. Springer, Heidelberg (2010)
Acknowledgment
This project (HA project no. 435/14-25) is funded in the framework of Hessen ModellProjekte, financed with funds of LOEWE – Landes-Offensive zur Entwicklung Wissenschaftlich-ökonomischer Exzellenz, Förderlinie 3: KMU-Verbundvorhaben (State Offensive for the Development of Scientific and Economic Excellence).
A Cryptographic Building Blocks
A.1 Proof of an Encryption of 1
In order to prove that a given ciphertext (a, b) encrypts 1, one has to present a zero-knowledge proof:
The proof, presented in [9], is as follows:
1. Prover chooses a random \(w \in _R\mathbb {Z}_q\), computes \(\alpha = g^w\,\text {mod}\,p\), \(\beta = h^w\,\text {mod}\,p\) and sends \(\alpha \), \(\beta \) to the Verifier.
2. Verifier sends the challenge \(c \in _R\mathbb {Z}_q\) to the Prover.
3. Prover computes \(u = w + cr\,\text {mod}\,q\) and sends u to the Verifier.
4. Verifier checks that \(g^u \equiv \alpha a^c\,\text {mod}\,p\) and \(h^u \equiv \beta b^c\,\text {mod}\,p\) hold.

The proof has a soundness error of \(1/q\).
A.2 Proof of Knowledge of Discrete Log
The following proof can be used to prove knowledge of a DSA or ElGamal signing key, or knowledge of an ElGamal ciphertext.
Public Parameters: ElGamal/DSA parameters (g, h, p, q)
Prover knows: \(s : h = g^s\,\text {mod}\,p\).
1. Prover selects a random value \(w \in _R\mathbb {Z}_q\) and publishes \(a = g^w\).
2. Verifier sends the challenge \(c \in _R\mathbb {Z}_q\).
3. Prover calculates and publishes \(u = w + cs\).
4. Verifier checks \(g^u = ah^c\).

The soundness error of the proof is \(1/q\).
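The two proofs of A.1 and A.2, run end to end as an added example (not code from the paper or from Helios). It assumes a constructed toy group, an encryption of 1 of the form \((g^r, h^r)\) following the ciphertext shape in note 6, and applies the subgroup check from note 4 to both ciphertext components; all function names are hypothetical.

```python
import secrets

# Constructed toy group (assumption, far too small for real use):
# p = 2q + 1 with p, q prime; g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4

def keygen():
    s = secrets.randbelow(Q - 1) + 1          # secret s, public h = g^s mod p
    return s, pow(G, s, P)

def in_subgroup(x):
    # Check from note 4: x^q = 1 mod p, i.e. x lies in the order-q subgroup.
    return 0 < x < P and pow(x, Q, P) == 1

def encrypt(h, m, r):
    # ElGamal ciphertext (g^r, m * h^r), the form used in note 6.
    return pow(G, r, P), m * pow(h, r, P) % P

def random_challenge(*_commitment):
    return secrets.randbelow(Q)               # Verifier's c in Z_q

def prove_enc_of_one(h, r, challenge):
    # A.1 steps 1-3; `challenge` is a callable standing in for the Verifier.
    w = secrets.randbelow(Q)
    alpha, beta = pow(G, w, P), pow(h, w, P)
    c = challenge(alpha, beta)
    return alpha, beta, c, (w + c * r) % Q

def verify_enc_of_one(h, a, b, alpha, beta, c, u):
    # A.1 step 4, preceded by the subgroup check on both ciphertext parts.
    return (in_subgroup(a) and in_subgroup(b)
            and pow(G, u, P) == alpha * pow(a, c, P) % P
            and pow(h, u, P) == beta * pow(b, c, P) % P)

def prove_dlog(s, challenge):
    # A.2 steps 1-3: commitment a = g^w, response u = w + c*s (reduced mod q).
    w = secrets.randbelow(Q)
    a = pow(G, w, P)
    c = challenge(a)
    return a, c, (w + c * s) % Q

def verify_dlog(h, a, c, u):
    # A.2 step 4: g^u = a * h^c mod p.
    return pow(G, u, P) == a * pow(h, c, P) % P
```

A prover whose ciphertext encrypts a value other than 1, or who uses the wrong s, passes only for the single challenge \(c = 0\), which is where the stated soundness error of \(1/q\) comes from.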
A.3 Proof of Knowledge of RSA Signature
Public Parameters: Message m, encoding function h(m), RSA public key (N, e) with e prime
Prover knows: \(s: s^e \equiv h(m)\,\text {mod}\,N\), \(d: d = e^{-1}\,\text {mod}\,\phi (N)\).
1. Prover selects a random value \(r \in _R\mathbb {Z}^*_N\) and calculates \(x = r^e\,\text {mod}\,N\).
2. Verifier sends the challenge \(c \in _R\mathbb {Z}_e\).
3. Prover calculates \(z = rs^c\,\text {mod}\,N\) and sends z to the Verifier.
4. Verifier checks \(z^e \equiv x\cdot h(m)^c\,\text {mod}\,N\).

The soundness error of the proof is \(1/e\). Note that small prime values of e are often used as the public key exponent in RSA systems: commonly, \(e = 3\) or \(e = 2^{16} + 1\). This leaves the proof insufficiently sound. For these cases, a modification has been proposed in [12]: in order to prove knowledge of an e-th root s of h(m), one proves knowledge of an \(e^t\)-th root \(s'\) of \(h(m)\,\text {mod}\,N\), which can be calculated as \(s' = h(m)^{d^t}\,\text {mod}\,N\). The modified proof has a soundness error of \(1/e^t\).
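The A.3 proof and its \(e^t\) variant, with the soundness error counted explicitly, as an added example (not code from the paper). The toy modulus built from two Mersenne primes, \(e = 17\), the SHA-256 stand-in for h(m) and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy RSA key (assumption): N is the product of two Mersenne
# primes, so its factorisation is public and it offers no security.
P_, Q_ = 2**31 - 1, 2**61 - 1
N, E = P_ * Q_, 17
PHI = (P_ - 1) * (Q_ - 1)
D = pow(E, -1, PHI)                           # d = e^-1 mod phi(N)

def encode(m: bytes) -> int:
    # Stand-in for the encoding function h(m) (assumption).
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def root(hm: int, t: int = 1) -> int:
    # Prover's secret: e^t-th root h(m)^(d^t) mod N; t = 1 is the signature s.
    return pow(hm, pow(D, t, PHI), N)

def prove(s: int, challenge, t: int = 1):
    r = secrets.randbelow(N - 2) + 2          # a unit with overwhelming probability
    x = pow(r, E**t, N)                       # step 1
    c = challenge(x)                          # step 2, c in Z_{e^t}
    return x, c, r * pow(s, c, N) % N         # step 3

def verify(hm: int, x: int, c: int, z: int, t: int = 1) -> bool:
    return pow(z, E**t, N) == x * pow(hm, c, N) % N   # step 4

def accepted_without_root(hm: int, guess: int, t: int = 1):
    # A prover lacking the root fixes z, guesses the challenge and derives x
    # from the check equation. Returns every challenge that would be accepted.
    z = secrets.randbelow(N - 2) + 2
    x = pow(z, E**t, N) * pow(hm, -guess, N) % N
    return [c for c in range(E**t) if verify(hm, x, c, z, t)]

def soundness_error(t: int = 1):
    # (accepted challenges, size of challenge space) for a constructed message.
    hm = encode(b"constructed sample message")
    return len(accepted_without_root(hm, guess=5, t=t)), E**t
```

With `t = 1` exactly one of the 17 challenges is accepted, and with `t = 2` one of 289, matching the \(1/e\) and \(1/e^t\) figures above.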
Copyright information
© 2015 Springer International Publishing Switzerland
Cite this paper
Kulyk, O., Teague, V., Volkamer, M. (2015). Extending Helios Towards Private Eligibility Verifiability. In: Haenni, R., Koenig, R., Wikström, D. (eds) E-Voting and Identity. Vote-ID 2015. Lecture Notes in Computer Science, vol 9269. Springer, Cham. https://doi.org/10.1007/978-3-319-22270-7_4
DOI: https://doi.org/10.1007/978-3-319-22270-7_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-22269-1
Online ISBN: 978-3-319-22270-7
eBook Packages: Computer Science, Computer Science (R0)