Non-interactive Zero-Knowledge Arguments for Voting
Jens Groth, UCLA
Voting process
• Voters send to the authorities: E(vote) + NIZK argument + signature, E(vote) + NIZK argument + signature, ...
• Authorities: check signatures, check NIZK arguments, multi-party computation
• Result
Encryption
• Homomorphic property: $E(m_1 + m_2) = E(m_1) \cdot E(m_2)$
• Threshold property: $t$ authorities can decrypt, $t-1$ authorities cannot decrypt
Single vote elections
• Candidates: $0, 1, \ldots, L-1$
• $M$ > # voters
• Encoding: $M^0, M^1, \ldots, M^{L-1}$
• Encrypted votes: $E(M^2), E(M^1), E(M^2), \ldots$
• Authorities: $\prod_k E_k = E(M^2)\,E(M^1)\,E(M^2) \cdots = E(M^2 + M^1 + M^2 + \cdots) = E(\sum_i v_i M^i)$
• Threshold decrypt: $\sum_i v_i M^i$
• Result
Contributions
• Many types of elections
  - Single vote
  - Limited vote (each voter $N$ votes)
  - Shareholder election (each voter $N_k$ votes)
  - Approval voting (each voter up to $L$ votes)
  - Borda voting (preferential vote)
• Efficient NIZK arguments
  - random oracle model
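Encoding votes
• Voter $k$: $\sum_i v_{ik} M^i$
• Single vote: $v_{ik} \in \{0,1\}$ and $\sum_i v_{ik} = 1$
• Limited vote: $v_{ik} \in \{0,1\}$ and $\sum_i v_{ik} = N$
• Approval vote: $v_{ik} \in \{0,1\}$ and $\sum_i v_{ik} \le L$
• Shareholder vote: $v_{ik} \ge 0$ and $\sum_i v_{ik} = N_k$
• Borda vote: $v_{ik} = \pi_k(i+1)$ for permutation $\pi_k$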
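Tallying
• Encrypted vote: $E(\sum_i v_{ik} M^i)$
• $M$ > # votes receivable
• Product: $\prod_k E_k = \prod_k E(\sum_i v_{ik} M^i) = E(\sum_k \sum_i v_{ik} M^i) = E(\sum_i (\sum_k v_{ik}) M^i) = E(\sum_i v_i M^i)$
• Threshold decryption: $\sum_i v_i M^i$
• $v_i$ = # votes on candidate $i$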
Homomorphic integer commitment
• Homomorphic: $\mathrm{commit}(m_1 + m_2) = \mathrm{commit}(m_1) \cdot \mathrm{commit}(m_2)$
• Message space: $\mathbb{Z}$
• Unique prime factorization
Σ-protocols
• Statement: $E = E(v; r)$ contains a valid vote
• Voter $(v, r)$ and authorities exchange: $a$, $c$, $z$
• Fiat-Shamir heuristic: $c = \mathrm{hash}(E, a, ID)$
• Random oracle model: NIZK argument
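NIZK arguments
• Equivalence: $E = E(a)$, $c = \mathrm{commit}(b)$; proves $a = b$
• Multiplication: $c_a = \mathrm{commit}(a)$, $c_b = \mathrm{commit}(b)$, $c_c = \mathrm{commit}(c)$; proves $c = ab$
• Square: $c_a = \mathrm{commit}(a)$, $c_b = \mathrm{commit}(b)$; proves $b = a^2$
• Divisor: $c_a = \mathrm{commit}(a)$, $c_b = \mathrm{commit}(b)$; proves $a \mid b$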
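Single vote
• Encrypted vote: $E = E(M^i)$, with $M = p^2$, $p$ prime
• NIZK argument:
  - $c_a = \mathrm{commit}(p^i)$
  - Divisor NIZK $(c_a, \mathrm{commit}(p^{L-1}; 0))$: $a \mid p^{L-1}$
  - $c_b = \mathrm{commit}(M^i)$
  - Square NIZK $(c_a, c_b)$: $a^2 = p^{2i}$
  - Equivalence NIZK $(E, c_b)$
• Conclusion: $E$ contains $M^i$ for $0 \le i < L$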
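The tallying slide and the single-vote relations above, as an added Python example that is not part of the original slides. Assumptions: single-key textbook Paillier with constructed toy primes stands in for the threshold homomorphic scheme (the slides do not name one), and `valid_single_vote` is a hypothetical helper that checks in the clear the relations the divisor and square NIZKs prove about hidden values.

```python
import math
import secrets

# Toy Paillier key (constructed; two Mersenne primes, far too small for real use).
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
N2 = N * N
PHI = (P - 1) * (Q - 1)
MU = pow(PHI, -1, N)

def encrypt(m):
    """E(m; r) = (1+N)^m * r^N mod N^2, so E(m1) * E(m2) = E(m1 + m2)."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            break
    return pow(1 + N, m, N2) * pow(r, N, N2) % N2

def decrypt(c):
    """Single-key decryption; the slides use threshold decryption instead."""
    return (pow(c, PHI, N2) - 1) // N * MU % N

def cast(candidate, M):
    """A single vote for candidate i is the encryption of M^i."""
    return encrypt(M ** candidate)

def tally(ballots, M, L):
    """Multiply ciphertexts, decrypt once, read the base-M digits v_i."""
    product = 1
    for e in ballots:
        product = product * e % N2
    total = decrypt(product)            # sum_i v_i * M^i
    counts = []
    for _ in range(L):
        total, v = divmod(total, M)     # digit i is v_i only if v_i < M
        counts.append(v)
    return counts

def valid_single_vote(a, b, p, L):
    """Relations behind the single-vote argument: a | p^(L-1) and b = a^2.

    With p prime and M = p^2 they force b = M^i for some 0 <= i < L.
    """
    return a != 0 and p ** (L - 1) % a == 0 and b == a * a
```

With M = 3 and three ballots for candidate 0, `tally` returns `[0, 1]`: the count carries into the next candidate's digit, which is why the slides require M to exceed the number of voters.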
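Limited vote
• Encrypted vote: $M = p^2$, $E = E(\sum_j M^{i_j})$, $0 \le i_1 < \ldots < i_N < L$
• NIZK argument:
  - $c_{a_j} = \mathrm{commit}(p^{i_j})$, $c_{a_{N+1}} = \mathrm{commit}(p^L; 0)$
  - Divisor NIZK $(c_{a_j}^{\,p}, c_{a_{j+1}})$: $p a_1 \mid a_2, \ldots, p a_N \mid p^L$
  - $c_{b_j} = \mathrm{commit}(M^{i_j})$
  - Square NIZK $(c_{a_j}, c_{b_j})$: $a_j^2 = M^{i_j}$
  - Equivalence NIZK $(E, \prod_j c_{b_j})$
• Conclusion: $0 \le i_1 < \ldots < i_N < L$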
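Approval vote
• Encrypted vote: $E = E(\sum_i a_i M^i)$, $a_i \in \{0,1\}$
• NIZK argument:
  - $c_{a_i} = \mathrm{commit}(a_i)$
  - Square NIZK $(c_{a_i}, c_{a_i})$: $a_i^2 = a_i$, so $a_i \in \{0,1\}$
  - Equivalence NIZK $(E, \prod_i c_{a_i}^{M^i})$: $\sum_i a_i M^i$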
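Non-negativity
• Commitment: $c = \mathrm{commit}(m)$, $m \ge 0$
• Idea: $4m + 1 = x^2 + y^2 + z^2$
• NIZK argument:
  - $c_x = \mathrm{commit}(x)$, $c_{x^2} = \mathrm{commit}(x^2)$
  - $c_y = \mathrm{commit}(y)$, $c_{y^2} = \mathrm{commit}(y^2)$
  - $c_z = \mathrm{commit}(z)$, $c_{z^2} = \mathrm{commit}(z^2)$
  - Square NIZKs $(c_x, c_{x^2})$, $(c_y, c_{y^2})$, $(c_z, c_{z^2})$
  - Equivalence NIZK $(c^4 \cdot \mathrm{commit}(1; 0),\; c_{x^2}\, c_{y^2}\, c_{z^2})$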
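Shareholder vote
• Encrypted vote: $E = E(\sum_i a_i M^i)$, $a_i \ge 0$ and $\sum_i a_i = N$
• NIZK argument:
  - $c_{a_i} = \mathrm{commit}(a_i)$
  - Non-negative NIZK $(c_{a_i})$: $a_i \ge 0$
  - Equivalence NIZK $(\mathrm{commit}(N; 0), \prod_i c_{a_i})$: $\sum_i a_i = N$
  - Equivalence NIZK $(E, \prod_i c_{a_i}^{M^i})$: $\sum_i a_i M^i$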
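Borda vote
• Encrypted vote: $E = E(\sum_i a_i M^{i-1})$, $a_i = \pi(i)$
• NIZK argument:
  - $c_{a_i} = \mathrm{commit}(a_i)$
  - Known shuffle NIZK $(1, 2, \ldots, L, c_{a_1}, \ldots, c_{a_L})$: commitments contain $1, 2, \ldots, L$ permuted
  - Equivalence NIZK $(E, \prod_i c_{a_i}^{M^{i-1}})$: $\sum_i a_i M^{i-1}$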
Comparison
• Non-negative NIZK: $4m + 1 = x^2 + y^2 + z^2$