Results 1-10 of 16
Attacking and fixing Helios: An analysis of ballot secrecy
, 2010
Cited by 36 (16 self)
Helios 2.0 is an open-source web-based end-to-end verifiable electronic voting system, suitable for use in low-coercion environments. In this paper, we analyse ballot secrecy and discover a vulnerability which allows an adversary to compromise the privacy of voters. This vulnerability has been successfully exploited to break privacy in a mock election using the current Helios implementation. Moreover, the feasibility of an attack is considered in the context of French legislative elections and, based upon our findings, we believe it constitutes a real threat to ballot secrecy in such settings. Finally, we present a fix and show that our solution satisfies a formal definition of ballot secrecy using the applied pi calculus.
Ballot secrecy and ballot independence coincide
Cited by 5 (4 self)
Abstract. We study ballot independence for election schemes:
– We formally define ballot independence as a cryptographic game and prove that ballot secrecy implies ballot independence.
– We introduce a notion of controlled malleability and show that it is sufficient for ballot independence. We also show that non-malleable ballots are sufficient, but not necessary, for ballot independence.
– We prove that ballot independence is sufficient for ballot secrecy under practical assumptions.
Our results show that ballot independence is necessary in election schemes satisfying ballot secrecy. Furthermore, our sufficient conditions will enable simpler proofs of ballot secrecy.
Election Verifiability or Ballot Privacy: Do We Need to Choose?
Cited by 5 (4 self)
Abstract. We propose a new encryption primitive, commitment consistent encryption (CCE), and instances of this primitive that enable building the first universally verifiable voting schemes with a perfectly private audit trail (PPAT) and practical complexity. That is:
– the audit trail that is published for verifying elections guarantees everlasting privacy, and
– the computational load required from the participants is only increased by a small constant factor compared to traditional voting schemes, and is optimal in the sense of Cramer, Gennaro and Schoenmakers [16].
These properties make it possible to introduce election verifiability in large scale elections as a pure benefit, that is, without loss of privacy compared to a non-verifiable scheme and at a similar level of efficiency. We propose different approaches for constructing voting schemes with PPAT from CCE, as well as two efficient CCE constructions: one is tailored for elections with a small number of candidates, while the second is suitable for elections with complex ballots.
S.: Verifiable elections that scale for free
In: Proceedings of PKC 2013
Cited by 4 (2 self)
Abstract. In order to guarantee a fair and transparent voting process, electronic voting schemes must be verifiable. Most of the time, however, it is important that elections also be anonymous. The notion of a verifiable shuffle describes how to satisfy both properties at the same time: ballots are submitted to a public bulletin board in encrypted form, verifiably shuffled by several mix servers (thus guaranteeing anonymity), and then verifiably decrypted by an appropriate threshold decryption mechanism. To guarantee transparency, the intermediate shuffles and decryption results, together with proofs of their correctness, are posted on the bulletin board throughout this process. In this paper, we present a verifiable shuffle and threshold decryption scheme in which, for security parameter k, L voters, M mix servers, and N decryption servers, the proof that the end tally corresponds to the original encrypted ballots is only O(k(L + M + N)) bits long. Previous verifiable shuffle constructions had proofs of size O(kLM + kLN), which, for elections with thousands of voters, mix servers, and decryption servers, meant that verifying an election on an ordinary computer in a reasonable amount of time was out of the question. The linchpin of each construction is a controlled-malleable proof (cm-NIZK), which allows each server, in turn, to take a current set of ciphertexts and a proof that the computation done by other servers has proceeded correctly so far. After shuffling or partially decrypting these ciphertexts, the server can also update the proof of correctness, obtaining as a result a cumulative proof that the computation is correct so far. In order to verify the end result, it is therefore sufficient to verify just the proof produced by the last server.
End-to-end verifiable elections in the standard model
Advances in Cryptology - EUROCRYPT 2015, volume 9057 of Lecture Notes in Computer Science
, 2015
Cited by 4 (1 self)
We present the cryptographic implementation of “DEMOS”, a new e-voting system that is end-to-end verifiable in the standard model, i.e., without any additional “setup” assumption or access to a random oracle (RO). Previously known end-to-end verifiable e-voting systems required such additional assumptions (specifically, either the existence of a “randomness beacon” or were only shown secure in the RO model). In order to analyze our scheme, we also provide a modeling of end-to-end verifiability as well as privacy and receipt-freeness that encompasses previous definitions in the form of two concise attack games. Our scheme satisfies end-to-end verifiability information theoretically in the standard model and privacy/receipt-freeness under a computational assumption (subexponential Decisional Diffie-Hellman). In our construction, we utilize a number of techniques used for the first time in the context of e-voting schemes that include utilizing randomness from bit-fixing sources, zero-knowledge proofs with imperfect verifier randomness and complexity leveraging.
On CCA-secure somewhat homomorphic encryption
 In Selected Areas in Cryptography
, 2011
Cited by 3 (0 self)
Abstract. It is well known that any encryption scheme which supports any form of homomorphic operation cannot be secure against adaptive chosen ciphertext attacks. The question then arises as to what is the most stringent security definition which is achievable by homomorphic encryption schemes. Prior work has shown that various schemes which support a single homomorphic encryption scheme can be shown to be IND-CCA1, i.e. secure against lunchtime attacks. In this paper we extend this analysis to the recent fully homomorphic encryption scheme proposed by Gentry, as refined by Gentry, Halevi, Smart and Vercauteren. We show that the basic Gentry scheme is not IND-CCA1; indeed a trivial lunchtime attack allows one to recover the secret key. We then show that a minor modification to the variant of the somewhat homomorphic encryption scheme of Smart and Vercauteren will allow one to achieve IND-CCA1, indeed PA1, in the standard model assuming a lattice based knowledge assumption. We also examine the security of the scheme against another security notion, namely security in the presence of ciphertext validity checking oracles; and show why CCA-like notions are important in applications in which multiple parties submit encrypted data to the “cloud” for secure processing.
Replay attacks that violate ballot secrecy in Helios
, 2012
Cited by 3 (3 self)
Abstract. Helios 2.0 is a web-based end-to-end verifiable electronic voting system, suitable for use in low-coercion environments. In this paper we identify a vulnerability in Helios which allows an adversary to compromise the privacy of voters who cast abstention votes. The vulnerability can be attributed to the absence of ballot independence and the use of homomorphic ElGamal encryption, in particular, these properties can be exploited by an adversary to construct a ballot related to an abstention vote cast by an honest voter and this ballot can be submitted by a corrupt voter to influence the election outcome, thereby introducing information that can be used to violate privacy. We demonstrate the attack by breaking privacy in a mock election using the current Helios implementation. It is unlikely that the vulnerability will be exploited in a real-world election and therefore our results are largely theoretical. Nonetheless, we cannot expect any computational proofs of ballot secrecy without fixing this vulnerability and, moreover, the attack methodology may be of interest – in particular, it could represent a viable threat to existing protocols in the literature – thus providing motivation to report these results.
Ballot secrecy with malicious bulletin boards
, 2014
Cited by 3 (3 self)
This letter proposes a formal definition of ballot secrecy in the computational model of cryptography. The definition builds upon and strengthens earlier definitions by Bernhard et al. (ASIACRYPT’12, ESORICS’11 & ESORICS’13). The new definition is intended to ensure that ballot secrecy is preserved in the presence of malicious bulletin boards, whereas earlier definitions by Bernhard et al. only consider honest bulletin boards.
Privacy and Verifiability in Voting Systems: Methods, Developments and Trends
, 2013
Cited by 2 (0 self)
One of the most challenging aspects in computer-supported voting is to combine the apparently conflicting requirements of privacy and verifiability. On the one hand, privacy requires that a vote cannot be traced back from the result to a voter, while on the other hand, verifiability states that a voter can trace the effect of her vote on the result. This can be addressed using various privacy-enabling cryptographic primitives which also offer verifiability. As more and more refined voting systems were proposed, understanding of first privacy and later verifiability in voting increased, and notions of privacy as well as notions of verifiability in voting became increasingly more refined. This has culminated in a variety of verifiable systems that use cryptographic primitives to ensure specific kinds of privacy. However, the corresponding privacy and verifiability claims are not often verified independently. When they are investigated, claims have been invalidated sufficiently often to warrant a cautious approach to them. The multitude of notions, primitives and proposed solutions that claim to achieve both privacy and verifiability form an interesting but complex landscape. The purpose of this paper is to survey this landscape by providing an overview of the methods, developments and current trends regarding privacy and verifiability in voting systems.
Chosen Ciphertext Secure Keyed-Homomorphic Public-Key Encryption
, 2013
Cited by 1 (0 self)
In homomorphic encryption schemes, anyone can perform homomorphic operations, and therefore, it is difficult to manage when, where and by whom they are performed. In addition, the property that anyone can “freely” perform the operation inevitably means that ciphertexts are malleable, and it is well-known that adaptive chosen ciphertext (CCA) security and the homomorphic property can never be achieved simultaneously. In this paper, we show that CCA security and the homomorphic property can be simultaneously handled in situations that the user(s) who can perform homomorphic operations on encrypted data should be controlled/limited, and propose a new concept of homomorphic public-key encryption, which we call keyed-homomorphic public-key encryption (KH-PKE). By introducing a secret key for homomorphic operations, we can control who is allowed to perform the homomorphic operation. To construct KH-PKE schemes, we introduce a new concept, a homomorphic transitional universal hash family, and present a number of KH-PKE schemes through hash proof systems. We also present a practical construction of KH-PKE from the DDH assumption. For ℓ-bit security, our DDH-based scheme yields only ℓ-bit longer ciphertext size than that of the Cramer-Shoup PKE scheme.