Vote Validatability in Mix-Net-Based eVoting

E-Voting and Identity (Vote-ID 2015)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9269)

Abstract

One way to build secure electronic voting systems is to use Mix-Nets, which break any correlation between voters and their votes. One of the characteristics of Mix-Net-based eVoting is that ballots are usually decrypted individually and, as a consequence, invalid votes can be detected during the tallying of the election. In particular, this means that the ballot does not need to contain a proof of the vote being valid.

However, allowing invalid votes to be detected only during the tallying of the election can have bad consequences for the reputation of the election. First, casting a ballot for an invalid vote might be considered an attack against the eVoting system by non-technical people, who might expect that the system does not accept such ballots. Besides, it would be impossible to track the attacker due to the anonymity provided by the Mix-Net. Second, if a ballot for an invalid vote is produced by a software bug, it might only be detected after the election period has finished. In particular, voters would not be able to cast a valid vote again.

In this work we formalize the concept of having a system that detects invalid votes during the election period. In addition, we give a general construction of an eVoting system satisfying such property and an efficient concrete instantiation based on well-studied assumptions.

P. Bibiloni was partially supported by the Spanish project TIN 2013-42795-P and the fellowship FPI/1645/2014, which was cofinanced by the European Social Fund.

Notes

  1. There could be bugs in the software which verifies vote validatability. However, this verification can be done in parallel by different implementations done by different entities, mitigating this risk.

  2. As in [4], the result function can be used to model revote policies. In this work we just consider the scenario where each voter can only cast one vote.

  3. Technically, it is a Pseudo-Random Function [12] from \({\mathcal {V}}\) to \({\mathbb {G}}_1\) where \(F_{(\cdot )}\) is injective for any \(k\in {\mathbb {Z}}_p^*\). Therefore, an adversary restricted to only evaluate the function in points from \({\mathcal {V}}\) cannot distinguish those evaluations from randomly sampled elements, which is sufficient for the security reduction to work.

  4. In [10] the authors define equivocable values as the generators of the group. However, it can be seen that values for which the simulator knows the discrete logarithm w.r.t. the generator of the group are also equivocable.

References

  1. Abe, M., Groth, J., Ohkubo, M., Tibouchi, M.: Unified, minimal and selectively randomizable structure-preserving signatures. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 688–712. Springer, Heidelberg (2014)

  2. Adida, B.: Encrypting your vote in javascript. Electronic Voting Technology Workshop - EVT/WOTE, August 2011. http://assets.adida.net/presentations/2011-08-08-helios-evt-rump.pdf

  3. Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: Compact E-Cash and simulatable VRFs revisited. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 114–131. Springer, Heidelberg (2009)

  4. Bernhard, D., Cortier, V., Galindo, D., Pereira, O., Warinschi, B.: A comprehensive analysis of game-based ballot privacy definitions. IACR Cryptology ePrint Archive 2015, 255 (2015). http://eprint.iacr.org/2015/255

  5. Bernhard, D., Pereira, O., Warinschi, B.: On necessary and sufficient conditions for private ballot submission. IACR Cryptology ePrint Archive 2012, 236 (2012). http://dblp.uni-trier.de/db/journals/iacr/iacr2012.html#BernhardPW12. Informal Publication

  6. Camenisch, J.L., Chaabouni, R., shelat, a: Efficient protocols for set membership and range proofs. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 234–252. Springer, Heidelberg (2008)

  7. Chaum, D.: Untraceable electronic mail, return addresses and digital pseudonyms. In: Gritzalis, D. (ed.) Secure Electronic Voting, Advances in Information Security, vol. 7, pp. 211–219. Springer, New York (2003). http://dx.doi.org/10.1007/978-1-4615-0239-5_14

  8. Cramer, R., Gennaro, R., Schoenmakers, B.: A secure and optimally efficient multi-authority election scheme. Eur. Trans. Telecommun. 8(5), 481–490 (1997). http://dx.doi.org/10.1002/ett.4460080506

  9. Damgård, I., Jurik, M., Nielsen, J.B.: A generalization of Paillier’s public-key system with applications to electronic voting. Int. J. Inf. Secur. 9(6), 371–385 (2010)

  10. Escala, A., Groth, J.: Fine-tuning Groth-Sahai proofs. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 630–649. Springer, Heidelberg (2014)

  11. Gjøsteen, K.: Analysis of an internet voting protocol. Cryptology ePrint Archive, Report 2010/380 (2010). http://eprint.iacr.org/

  12. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986). http://doi.acm.org/10.1145/6490.6503

  13. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988). http://dx.doi.org/10.1137/0217017

  14. Groth, J., Sahai, A.: Efficient noninteractive proof systems for bilinear groups. SIAM J. Comput. 41(5), 1193–1232 (2012)

  15. Luby, M., Rackoff, C.: How to construct pseudo-random permutations from Pseudo-random functions. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 447–447. Springer, Heidelberg (1986)

  16. Santis, A.D., Persiano, G.: Zero-knowledge proofs of knowledge without interaction (extended abstract). In: FOCS, pp. 427–436. IEEE Computer Society (1992)

  17. Schnorr, C.-P., Jakobsson, M.: Security of signed ElGamal encryption. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, p. 73. Springer, Heidelberg (2000)

  18. Tsiounis, Y., Yung, M.: On the security of ElGamal based encryption. In: Imai, H., Zheng, Y. (eds.) PKC 1998. LNCS, vol. 1431, p. 117. Springer, Heidelberg (1998)

Correspondence to Pedro Bibiloni.

A Proofs of Security Theorems

We prove the security for the construction given in Sect. 4.2.

Theorem 1

Let \(({\mathsf {KeyGenEnc}},{\mathsf {Enc}},{\mathsf {Dec}})\) be an NM-CPA secure encryption scheme, let \(F_{(\cdot )}\) be a PRP family and let \(({\mathsf {GenCRS}},{\mathsf {Prove}},{\mathsf {VerifyProof}})\) be a NIZK proof system. Then, the protocol defined in Sect. 4.2 has ballot privacy.

Proof. Recall that privacy is defined as the indistinguishability of two experiments which depend on a bit \(\beta \). We will refer to them as \({\mathsf {Exp}}_\beta \) for \(\beta \in \{0,1\}\).

Let \({\mathsf {SimVote}}_1(pk,v)\) be the \({\mathsf {Vote}}\) algorithm of the protocol given in Sect. 4.2 but, instead of using the \({\mathsf {Prove}}\) algorithm to generate \(\pi \), it uses the \({\mathsf {SimProve}}\) algorithm. Moreover, let \({\mathsf {SimVote}}_2(pk,v)\) be the \({\mathsf {SimVote}}_1\) algorithm but, instead of using a PRP, it uses a truly random permutation.

Consider experiments \({\mathsf {Exp}}_{\beta ,0}={\mathsf {Exp}}_\beta \), and let \({\mathsf {Exp}}_{\beta ,1}\) be the experiments which are the same as \({\mathsf {Exp}}_{\beta ,0}\) but in which the challenger runs \({\mathsf {SimGenCRS}}\) instead of \({\mathsf {GenCRS}}\) and \({\mathsf {SimProve}}\) instead of \({\mathsf {Prove}}\). Finally, let \({\mathsf {Exp}}_{\beta ,2}\) be the experiments which are identical to \({\mathsf {Exp}}_{\beta ,1}\) but in which the challenger uses a truly random function instead of a PRP in order to cast ballots.

Due to the zero-knowledge property of the NIZK proof system, \({\mathsf {Exp}}_{\beta ,0}\) and \({\mathsf {Exp}}_{\beta ,1}\) are indistinguishable for \(\beta \in \{0,1\}\). Besides, \({\mathsf {Exp}}_{\beta ,1}\) and \({\mathsf {Exp}}_{\beta ,2}\) are indistinguishable for \(\beta \in \{0,1\}\) due to the pseudo-randomness of the PRP. Now the only thing left is to prove that \({\mathsf {Exp}}_{0,2}\) and \({\mathsf {Exp}}_{1,2}\) are indistinguishable.

Consider the \(\mathsf {Enc2Vote}\) scheme [5], where the result function \(\rho \) is the multiset function. The scheme is defined as follows: the \({\mathsf {Setup}}\) algorithm runs \({\mathsf {KeyGenEnc}}\) to produce a public key \(pk_e\) and a secret key \(sk_e\). Then, pk is set to be \(pk_e\) and sk is set to be \((pk_e,sk_e)\). The \({\mathsf {Vote}}\) algorithm takes as input a vote v and a public key \(pk_e\) and outputs b defined by \(b={\mathsf {Enc}}(pk_e,v,r)\) for some fresh randomness r. \(\mathsf{ValidateBallot }\) checks whether the ballot b already appears on the bulletin board BB: it returns 1 if it does already appear and 0 otherwise. \({\mathsf {Tally}}\) decrypts all ballots \(\varvec{b}\) on the bulletin board, obtaining votes \(\varvec{v}\), and evaluates \(r=\rho (\varvec{v})\), outputting an empty proof of correct tabulation. Observe that \(\mathsf {Enc2Vote}\) implicitly assumes that \({\mathbb {V}}=M_e\), the message space of the encryption scheme. As shown in [5], the following is satisfied:

Theorem 2

Let \(({\mathsf {KeyGenEnc}},{\mathsf {Enc}},{\mathsf {Dec}})\) be an NM-CPA secure encryption scheme. Then, \(\mathsf {Enc2Vote}\) has ballot privacy.

Finally, we reduce the privacy of our scheme to the privacy of \(\mathsf {Enc2Vote}\).

Lemma 1

Let \({\mathcal {A}}^1\) be a p.p.t. adversary that interacts with challenger \(\mathcal {C}\) and outputs a bit \(\alpha ^{{\mathcal {A}}^1}\) such that \(|\Pr [\alpha ^{{\mathcal {A}}^1}=1|{\mathsf {Exp}}_{0,2}]-\Pr [\alpha ^{{\mathcal {A}}^1}=1|{\mathsf {Exp}}_{1,2}]|\) is non-negligible. Then, there exists an adversary \({\mathcal {A}}^2\) that breaks the ballot privacy property of the \(\mathsf {Enc2Vote}\) scheme.

In our reduction, \({\mathcal {A}}^1\) will interact with \({\mathcal {A}}^2\), which will act as the challenger for \({\mathcal {A}}^1\). At the same time, \({\mathcal {A}}^2\) will interact with the privacy challenger \(\mathcal {C}\). The reduction is as follows:

In the Setup phase, \(\mathcal {C}\) will run \({\mathsf {ComSetupGen}}\), outputting \({\mathsf {cs}}\) and posting it to the bulletin board. It will also run \({\mathsf {KeyGenEnc}}\), keeping the private key for itself and publishing the public key \(pk_e\) to the bulletin board. Then, \({\mathcal {A}}^2\) will run the \({\mathsf {GenCRS}}\) and the \({\mathsf {KeyGenSign}}\) algorithms and will produce signatures on each voting option, posting all the information to the bulletin board.

In the Voting phase, when \({\mathcal {A}}^1\) submits a Vote query, \({\mathcal {A}}^2\) will submit n Vote queries to \(\mathcal {C}\), one for each pair of candidates. The challenger \(\mathcal {C}\) will answer with n pairs of ciphertexts \((C_{0,1},\dots ,C_{0,n})\) and \((C_{1,1},\dots ,C_{1,n})\). \({\mathcal {A}}^2\) will then sample two pairs of random values \((p_{0,1},\dots ,p_{0,n})\) and \((p_{1,1},\dots ,p_{1,n})\) of the target space of the PRP. Finally, it will create ballots \(b_0=(C_{0,1},\dots ,C_{0,n},p_{0,1},\dots ,p_{0,n},\pi _0)\) and \(b_1=(C_{1,1},\dots ,C_{1,n},p_{1,1},\dots ,p_{1,n},\pi _1)\) where \(\pi _0\) and \(\pi _1\) will be simulated. \({\mathcal {A}}^2\) will post these ballots to the respective bulletin boards. Finally, when \({\mathcal {A}}^1\) submits a Ballot(b) query, \({\mathcal {A}}^2\) will run the \(\mathsf{ValidateBallot }\) algorithm and will create a Ballot\((b')\) query for \(\mathcal {C}\) with \(b'=(C_1,\dots ,C_n)\) from b.

It is straightforward to see that the output of \({\mathcal {A}}^2\) in its interaction with \({\mathcal {A}}^1\) is correctly distributed, which implies that the reduction is sound.

Theorem 3

Let \(\rho \) be the counting function which outputs its inputs randomly permuted. Let \(({\mathsf {GenCRS}},{\mathsf {Prove}},{\mathsf {VerifyProof}})\) be a NIZKPK proof system and let \(({\mathsf {KeyGenSign}},{\mathsf {Sign}},{\mathsf {VerifySign}})\) be an EUF-CMA signature scheme. Let \({\mathsf {Extract}}\) be the decryption procedure of the \({\mathsf {Tally}}\) algorithm of the protocol defined in Sect. 4.2. Then, the protocol defined in Sect. 4.2 has vote validatability for any \({\mathbb {V}}\), with respect to \(\rho ,{\mathsf {Extract}}\).

Proof

Strong consistency of the protocol follows by construction. Therefore we only need to show that, on correctly generated \((pk,sk)\), no adversary can construct a ballot b such that \(\mathsf{ValidateBallot }\) returns 1 but \({\mathsf {Extract}}\) returns \(\perp \).

Let \({\mathsf {Exp}}_0\) be the vote validatability experiment and let \({\mathsf {Exp}}_1\) be identical to \({\mathsf {Exp}}_0\) but instead of using \({\mathsf {GenCRS}}\) the challenger uses \({\mathsf {ExtGenCRS}}\). These two experiments are indistinguishable by the properties of the NIZKPK. Now assume that an adversary \({\mathcal {A}}^1\) is able to output a ballot b in the experiment \({\mathsf {Exp}}_1\) such that \(\mathsf{ValidateBallot }=1\) and \({\mathsf {Extract}}(sk,b)=\perp \). Then, we build an adversary \({\mathcal {A}}^2\) which breaks the EUF-CMA of the signature scheme.

The reduction is straightforward: \({\mathcal {A}}^2\), interacting with an EUF-CMA challenger, asks for signatures on \(\{\nu \}_{\nu \in {\mathcal {V}}}\). Then, it interacts with \({\mathcal {A}}^1\), posing as a vote validatability challenger. It runs all the algorithms as in the protocol but uses \({\mathsf {ExtGenCRS}}\), keeping the trapdoor key tk for itself, and using the answers from the EUF-CMA challenger as the signatures on the voting options. When \({\mathcal {A}}^1\) outputs a ballot b, \({\mathcal {A}}^2\) uses \({\mathsf {Extract}}\) on \(\pi \) to obtain a witness \(w=(\tilde{\nu }_1,\dots ,\tilde{\nu }_n,r_1,\dots ,r_n,\sigma _{\tilde{\nu }_1},\dots ,\sigma _{\tilde{\nu }_n},k)\) such that \((x,w)\in R\). This means that \({\mathsf {VerifySign}}(pk_s,\sigma _{\tilde{\nu }_i},\tilde{\nu }_i)=1\) for \(i\in \{1,\dots ,n\}\). \({\mathsf {Extract}}(sk,b)\) might return \(\perp \) either because (i) some \({\mathsf {Dec}}(sk_e,C_i)=\perp \), (ii) some \(\tilde{\nu }_i=\tilde{\nu }_j\) for \(i\ne j\) or (iii) some \(\tilde{\nu }_i\not \in {\mathcal {V}}\). However, (i) and (ii) are ruled out due to w being a valid witness, so the only possibility is (iii). Then, \({\mathcal {A}}^2\) can submit \((\tilde{\nu }_i,\sigma _{\tilde{\nu }_i})\) as its EUF-CMA forgery.
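The following added example (not code from the paper) runs an Enc2Vote-style scheme as described in the proof of Theorem 1 and shows the gap that vote validatability closes: a ballot for an option outside the valid set passes a duplicate-only ValidateBallot, and Extract returns ⊥ only at tally time, which is failure case (iii) above. Assumptions: textbook ElGamal over a constructed toy group stands in for the NM-CPA scheme, each ballot holds one ciphertext, `True` from `validate_ballot` means the ballot is accepted, and all names are hypothetical.

```python
import secrets
from collections import Counter

# Constructed toy parameters: P = 2^127 - 1 is prime; not suitable for real use.
P, G = 2**127 - 1, 3
OPTIONS = (1, 2, 3)                              # the valid vote set V
DECODE = {pow(G, v, P): v for v in OPTIONS}      # encoded group element -> option

def keygen():
    sk = secrets.randbelow(P - 2) + 1            # sk in [1, P-2]
    return pow(G, sk, P), sk

def vote(pk, v):
    """Enc2Vote-style Vote: the ballot is only Enc(pk, v, r), with no validity proof."""
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), (pow(G, v, P) * pow(pk, r, P)) % P

def validate_ballot(bb, b):
    """Duplicate check only (assumed convention: True means accepted)."""
    return b not in bb

def extract(sk, b):
    """Decrypt one ballot; None plays the role of ⊥ when the plaintext is not in V."""
    c1, c2 = b
    m = (c2 * pow(c1, P - 1 - sk, P)) % P        # c2 / c1^sk, by Fermat's little theorem
    return DECODE.get(m)

def tally(sk, bb):
    """Result function rho as a multiset; invalid votes surface only here."""
    return Counter(extract(sk, b) for b in bb)

def run_election(votes):
    """Cast each vote, recording the ValidateBallot decision, then tally."""
    pk, sk = keygen()
    bb, accepted = [], []
    for v in votes:
        b = vote(pk, v)
        ok = validate_ballot(bb, b)
        accepted.append(ok)
        if ok:
            bb.append(b)
    return accepted, tally(sk, bb)

if __name__ == "__main__":
    accepted, result = run_election([2, 2, 1, 7])    # 7 is not a valid option
    print("accepted at cast time:", accepted)
    print("tally (None = invalid):", dict(result))
```
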

© 2015 Springer International Publishing Switzerland

Cite this paper

Bibiloni, P., Escala, A., Morillo, P. (2015). Vote Validatability in Mix-Net-Based eVoting. In: Haenni, R., Koenig, R., Wikström, D. (eds) E-Voting and Identity. Vote-ID 2015. Lecture Notes in Computer Science, vol 9269. Springer, Cham. https://doi.org/10.1007/978-3-319-22270-7_6

  • DOI: https://doi.org/10.1007/978-3-319-22270-7_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-22269-1

  • Online ISBN: 978-3-319-22270-7

  • eBook Packages: Computer Science (R0)