Noninteractive ZeroKnowledge Arguments for Voting

About This Presentation

Title:

Noninteractive ZeroKnowledge Arguments for Voting

Description:

Unique prime factorization -protocols. Statement. E = E(v;r) contains a valid vote ... E = E(Mi) M = p2, p prime. NIZK argument. ca = commit(pi) ... – PowerPoint PPT presentation

Number of Views:23

Avg rating:3.0/5.0

Slides: 18

Provided by: JensG3

Category:

more less

Transcript and Presenter's Notes

Title: Noninteractive ZeroKnowledge Arguments for Voting

1
Non-interactive Zero-Knowledge Arguments for
Voting

Jens Groth
UCLA

2
Voting process
Voters Authorities E(vote) NIZK argument
signature ? E(vote) NIZK argument
signature ? ... Check
signatures Check NIZK arguments Multi-par
ty computation ?
Result
3
Encryption
Homomorphic property E(m1m2) E(m1)
E(m2) Threshold property t authorities can
decrypt t-1 authorities cannot decrypt
4
Single vote elections
Candidates 0, 1, ..., L-1 M gt voters Encoding
M0, M1, ..., ML-1 Encrypted votes E(M2), E(M1),
E(M2), ... Authorities ?Ek E(M2) E(M1)
E(M2) ... E(M2M1M2...)
E(?viMi) Threshold decrypt ? ?viMi ? Result
5
Contributions

Many types of elections- Single vote- Limited
vote (each voter N votes)- Shareholder election
(each voter Nk votes)- Approval voting (each
voter up to L votes)- Borda voting (preferential
vote)
Efficient NIZK arguments- random oracle model

6
Encoding votes
Voter k ?ivikMi Single vote vik 0,1 and
?ivik 1 Limited vote vik 0,1 and ?ivik N
Approval vote vik 0,1 and ?ivik L
Shareholder vote vik 0 and ?ivik Nk Borda
vote vik pk(i1) for permutation pk
7
Tallying
Encrypted vote E(?ivikMi) M gt votes
receivable Product ?kEk ?kE(?ivikMi)
E(?k?ivikMi) E(?i(?kvik)Mi)
E(?iviMi) Threshold decryption ?viMi vi
votes on candidate i
8
Homomorphic integer commitment
Homomorphic commit(m1m2) commit(m1)
commit(m2) Message space Z Unique prime
factorization
9
?-protocols
Statement E E(vr) contains a valid vote Voter
(v,r) Authorities a
c z Fiat-Shamir heuristic c
hash(E,a,ID) Random oracle model NIZK argument
10
NIZK arguments
Equivalence E E(a) a b c
commit(b) Multiplication ca commit(a) cb
commit(b) c ab cc commit(c) Square ca
commit(a) b a2 cb commit(b) Divisor ca
commit(a) ab cb commit(b)
11
Single vote
Encrypted vote E E(Mi) M p2, p
prime NIZK argument ca commit(pi) Divisor
NIZK (ca, commit(pL-10)) apL-1 cb
commit(Mi) ? Square NIZK (ca,
cb) a2 p2i Equivalence NIZK (E, cb) for
0iltL
12
Limited vote
Encrypted vote M p2 E E(?Mij) 0 i1
lt...lt iN ltL NIZK argument caj commit(pij),
caN1 commit(pL0) Divisor NIZK (cajp, caj1)
pa1a2,...,paNpL cbj commit(Mij)
? Square NIZK (caj, cbj) aj2
Mij Equivalence NIZK(E, ?cbj) 0i1lt...ltiNltL
13
Approval vote
Encrypted vote E E(?aiMi) ai 0,1 NIZK
argument cai commit(ai) Square NIZK (cai,
cai) ai2 ai ? ai
0,1 Equivalence NIZK (E, ?caiMi) ?aiMi
14
Non-negativity
Commitment c commit(m) m 0 Idea 4m1 x2
y2 z2 NIZK argument cx commit(x) cx2
commit(x2) cy commit(y) cy2 commit(y2) cz
commit(z) cz2 commit(z2) Square NIZKs (cx,
cx2) (cy, cy2) (cz, cz2) Equivalence NIZK (c4
commit(10), cx2 cy2 cz2)
15
Shareholder vote
Encrypted vote E E(?aiMi) ai 0 and ?ai
N NIZK argument cai commit(ai)
Non-negative NIZK (cai) ai 0
Equivalence NIZK (commit(N0), ?cai) ?ai
N Equivalence NIZK (E, ?caiMi) ?aiMi
16
Borda vote
Encrypted vote E E(?aiMi-1) ai p(i) NIZK
argument cai commit(ai) Known shuffle NIZK
(1, 2, ..., L, ca1, ..., caL) commitments
contain 1, 2, ..., L permuted Equivalence NIZK
(E, ?caiMi-1) ?aiMi-1
17
Comparison
Non-negative NIZK 4m1 x2 y2 z2

Write a Comment

User Comments (0)