Random Block Verification: Improving the Norwegian Electoral Mix Net


Denise Demirel (1,2), Hugo Jonker (3), Melanie Volkamer (1,2)
(1) CASED, Darmstadt
(2) SeCuSo group, TU Darmstadt
(3) SaToSS group, University of Luxembourg

Abstract. The VALG project is introducing evoting for municipal and county elections to Norway. Part of the evoting system is a mix net along the lines of Puiggalí et al., a mix net which can be efficiently verified by combining the benefits of optimistic mixing and randomized partial checking. This paper investigates their mix net and proposes a verification method which improves both efficiency and privacy compared to Puiggalí et al.

1 Introduction

To ensure anonymity, evoting systems need to incorporate a mechanism to break the link between voter and cast vote. One popular method is the use of mix nets [2], which shuffle the list of encrypted votes while changing the appearance of the ciphertexts and keeping the used permutation secret. To reduce the trust assumption, universally verifiable mix nets have been developed [15, 4, 19, 13, 10].

In voting, efficiency is a prime concern. To be usable in practice, a mix net should be able to mix all votes and prove correctness within a few hours after the polling stations closed. Attempts at efficiency improvement did not raise the bar sufficiently for such a demanding task. Two separate directions in verification sought to address this: Optimistic Mixing (OM, [9]) and Randomized Partial Checking (RPC, [12]).

Intuitively, OM achieves its speed-up of verification by proving correct mixing for the whole group of inputs: the mix proves that the product of the input ciphertexts is equal to the product of the output ciphertexts (see Figure 1a). While more efficient (only one proof is needed, instead of one per input), some fraud is not detected (intuitively, 4 · 6 = 3 · 8). The proposal by Golle et al. [9] uses double encryption and a cryptographic checksum to prevent this attack, however, Wikström identified [18] multiple fatal flaws in their particular design.
Another optimistic approach by Boneh and Golle, Proof of Subproduct (PoS, [1]), is slightly faster as it does not use a cryptographic checksum or double encryption. A drawback of this approach is that the verification only guarantees almost entirely correct mixing. Boneh et al. recommend the use of a slower verification protocol in parallel to guarantee correctness.

RPC lets each mix node first produce an intermediate shuffle, and then shuffle again to produce the final result. For each element of the intermediate result, a coin is flipped to reveal the link to either its corresponding input (heads) or output (tails) element (see Figure 1b). This approach doesn't require any proof (just revealing half the rerandomization values used), but there's a 50% chance per element for the mix to cheat undetected.

Fig. 1. Two approaches to trading verification for efficiency in mix nets: a) Optimistic mixing, b) Randomized partial checking.

Puiggalí et al. combined the advantages of OM and RPC to arrive at a mix net design that improves upon privacy and verifiability while retaining efficiency. Their work was incorporated into the Norwegian Evote Project (footnote 4) and used for a limited number of municipality elections in Norway. In the recent past, advances have been made in efficient provably secure mixing (e.g., [19, 10, 17]). However, these approaches do not align with the current Norwegian implementation. Our goal is to propose an improved verification approach that remains close to that design, such that the current implementation may be easily updated.

Contribution. The contribution of this paper is twofold. Firstly, this paper identifies several areas for improvement (including a privacy weakness) in the scheme proposed by Puiggalí et al. These improvements are incorporated into Random Block Verification (RBV), a scheme which is more efficient, more secure, and more precisely detailed. The architecture of RBV remains sufficiently close to the scheme by Puiggalí et al. to allow for easy adoption into the Norwegian system. Secondly, we analyze verifiability, privacy and efficiency of RBV, and compare these properties to properties of other mix nets that offer a trade off between verifiability and efficiency.

Structure of the paper. The rest of this paper is structured as follows: we first discuss some ElGamal mix nets (Section 2). As this work improves the contributions of Puiggalí et al., their research is discussed in more detail (Section 3).

Footnote 4: about-the-e-vote-project.html

Possible improvements to the verification process are discussed in Section 3.1, all of which are implemented by the new verification process detailed in Section 4. Correctness, privacy, and efficiency of the newly proposed verification process are determined in Section 5 and compared to other mix nets that trade off privacy for efficiency. This is followed by conclusions and future work in Section 6.

2 Re-encryption mix nets with exponential ElGamal

In this section we briefly describe the underlying cryptographic system (ElGamal) and the mixing processes in the context of an electronic voting scheme. We assume that votes are encrypted using exponential ElGamal and stored on a Web Bulletin Board (BB) where some connection between each encrypted vote and the corresponding voter exists.

ElGamal is a randomized public key encryption scheme with homomorphic properties introduced in [5]. Consider two large primes p and q, where $q \mid p - 1$. $Z_q$ is a q-order subgroup of $Z_p$ and g is a generator of $G_q$. The secret key $x \in Z_q$ is generated and the corresponding public key is (g, y) with $y = g^x$. A plain text s (or here a vote) is encrypted in the following way:

$\mathrm{Enc}_y(s, r_1) = (g^{r_1}, g^s y^{r_1}) = (\alpha, \beta)$

with random value $r_1 \in Z_q$.

To ensure anonymity, the votes are processed by a re-encryption mix net. The output of this mix net is a set of anonymized re-encrypted votes that can then be decrypted and counted. A re-encryption mix net with m mix nodes works as follows: The first mix node loads all encrypted votes (while removing any possible link to the voter, like signatures) published on the BB as input. Every input ciphertext is re-encrypted by exponentiating $(\alpha, \beta)$ with a generated random value $r_2 \in Z_q$:

$\mathrm{ReEnc}_y((\alpha, \beta), r_2) = (\alpha g^{r_2}, \beta y^{r_2}) = (g^{r_1} g^{r_2}, g^s y^{r_1} y^{r_2}) = (g^{r_1+r_2}, g^s y^{r_1+r_2}) = (\alpha', \beta')$

(Note that while the plaintext remains unchanged, the ciphertext is completely altered.) Next, the re-encrypted ciphertexts are shuffled with a random permutation π and the resulting output ciphertexts are published on the BB. Afterwards, the second mix node loads the output ciphertexts from the first one published on the BB and re-encrypts and shuffles them, as well. This process is repeated until the last one publishes its output ciphertexts on the BB. These are the ciphertexts which are decrypted and counted.

Privacy is ensured if at least one mix node is honest and keeps the permutation secret. In order to also ensure that mix nodes cannot cheat by replacing encrypted votes with new ones, verifiability needs to be implemented, ideally without decreasing the level of privacy.

3 Norwegian mix net by Puiggalí et al.

In [14], Puiggalí et al. describe an approach to verify a re-encryption mix net (with exponential ElGamal) which combines the idea of optimistic mixing and RPC. This verification is executed after the last mix node has published its output on the Bulletin Board. The analysis of the Norwegian Election system [8] treated this mix net as a solid building block. Nevertheless, there is room for improvement; in particular, verification efficiency of the mix net can be improved.

Below their verification process is described and several points for improvement are highlighted. The Puiggalí et al. verification process operates as follows:

1. An independent verifier provides a random permutation (the challenge) of all input votes of the first mix node.
2. To verify, the list of votes is divided into l = m equally-sized blocks, for m mix nodes and input ciphertexts (i.e., votes). Since l is well defined, this can be executed by either the independent verifier, the BB, or the mix node.
3. For every input block, the first mix node identifies the corresponding output block. Moreover, for every block, the mix node publishes the product of the ciphertexts in that block. Finally, the mix node publishes a zero knowledge proof (e.g. using the Chaum-Pedersen protocol [3] or Schnorr's signature scheme [16]) to prove that the ciphertext product of the input block is equal to that of the corresponding output block.
4. The verifier checks the proofs of the first mix node.
5. This process continues for each mix node, where the assignment of nodes to blocks depends on the previous node's assignment, thus ensuring an equal distribution of input ciphertexts over all blocks.

Regarding privacy, Puiggalí et al. state that every output block of the last mix node is composed of at least one ciphertext of every input block of the first mix node. Regarding correctness, the authors determine that the probability of detecting two modified votes is p = 1 l 1 1 for block size l and a total number of ciphertexts. Note that such a manipulation will remain undetected if a malicious mix node changes two votes without changing the product of the two (1 1 = 1 2 2), and these two votes are assigned to the same block.

3.1 Remarks

There are some remarks to this approach, discussed below. Corresponding improvements are sketched in this section and worked out in Section 4.

Inefficient zero-knowledge proofs. In [14], the correct processing of each block is proven with computationally costly zero knowledge proofs. A more efficient solution is to publish the sum of the random values used for the re-encryption per block. As this does not reveal anything but random noise, this value can serve as a zero knowledge proof. This is very efficient (as it does not require any zero knowledge proof). However, proving that this does indeed not reveal any usable information whatsoever in a mathematically rigid fashion is an open question. Therefore, an alternative while work on this proof continues is to use efficient zero knowledge proofs such as those from [11]. With this improvement, proof generation and verification requires either 2 exponentiations per block (re-encrypting the ciphertext of the block's sum with the claimed randomness), or 3 exponentiations (1 for proof generation, 2 to verify the zero knowledge proof). Therefore, to verify all blocks of one mix node, this would require either exponentiations or 3 m exponentiations for all blocks of a mix node (where m is the total number of mix nodes). Both improve upon the 6 m exponentiations needed by Puiggalí et al. to generate the proofs (2 exponentiations) and verify (4 exponentiations) each of these for ciphertexts and m mix nodes.

Introducing parallelisation. During the mixing process every mix node of the mix net re-encrypts and shuffles the input ciphertexts. The original idea of Puiggalí et al. was to process the encrypted votes by one mix node after the other. It is possible to speed up this process by parallelizing in the following way: the set of input ciphertexts is divided into m subsets (where m is the number of mix nodes). Then all mix nodes start with one of the subsets and forward that to their neighbor after shuffling. This improvement (footnote 5) increases the efficiency by factor m.

Reducing trust assumptions. Optimal privacy in [14] is only ensured if all mix nodes are honest. However, this is not the idea of a mix net where privacy should be ensured if one single mix node is honest. Therefore, we propose to build single mix nodes similar to RPC where each mix node shuffles twice. Furthermore, correctness in [14] depends on the assumption that the verifier and the first mix node do not maliciously collaborate. (Otherwise, the first mix knows what the block selection will be and therefore knows how to cheat undetectably.) As such, it is essential for correctness that the challenge is unpredictable and generated after the mixing process. We sketch a method for ensuring this.

Clarifying block sizes. The approach by Puiggalí et al. assumes that the total number of ciphertexts can be grouped in equally sized blocks with block size l = m, for m mix nodes and votes. In general, there will be a remainder when computing l. We make this explicit (footnote 6) and incorporate its handling into our design.
Footnote 5: This improvement was implemented for the Norwegian voting trials.
Footnote 6: The Norwegian implementation of [14] addresses this as well.

4 RBV: Verifying Integrity of Random Blocks

In this section we describe Random Block Verification, a mix net with a detailed verification process, based on the proposal of Puiggalí et al., which includes all improvements proposed above.

Notation. In the remainder of this section, we consider ciphertexts posted on the bulletin board (BB) and a mix net consisting of m mix nodes. We use the following notation: the set of input ciphertexts of mix node j is $C_j$, the set of output ciphertexts after the first re-encryption/shuffling step is $C'_j$, and the set of ciphertexts after the second re-encryption/shuffling step is $C''_j$. During verification, $C_j$ will be divided into l blocks $a^j_1, a^j_2, \ldots, a^j_l$. The corresponding output blocks (containing the same plaintexts) in $C'_j$ are $a'^j_1, a'^j_2, \ldots, a'^j_l$, the input blocks for the second verification step are $b^j_1, b^j_2, \ldots, b^j_l$, and the corresponding output blocks in $C''_j$ are $b'^j_1, b'^j_2, \ldots, b'^j_l$.

Fig. 2. Verification of one mix node for 5 ciphertexts, 2 blocks.

Mixing. For m mix nodes the set of input ciphertexts is divided into m subsets. To ensure the privacy of the ciphertexts, even though they are grouped, the subsets should be selected for example by district or municipality. The j th subset becomes the input of the j th mix node, which re-encrypts and shuffles the ciphertexts two times and publishes intermediate result $C'_j$ and final result $C''_j$ on the BB. After mix node j − 1 publishes its results, this becomes the input of mix node j and the final result of the last mix node m becomes the input of mix node one. This is repeated until every subset has been mixed by all m mix nodes.

Verification setup. The verification parameters are set as follows: the number of blocks l is determined by l = ; there are r = l l blocks with l + 1 elements, and l − r blocks with l elements. Verification begins by generating a random distribution of ciphertexts over verification blocks.

Distributing ciphertexts over blocks. Each mix node is verified in an optimistic fashion: both input and output ciphertexts are grouped into blocks, and equivalence of the blocks is proven. As remarked above, if the assignment of ciphertexts to blocks is known to the mix node prior to mixing, the mix knows how to cheat without being detected. Hence, this initial distribution must be generated randomly. Puiggalí et al. rely on an independent party to provide an initial random distribution. In contrast, we leverage the Fiat-Shamir technique [6] to determine how ciphertexts are grouped into blocks. Simply put, the first verifier computes the hash of its own output, and uses that as the seed for a publicly known random number generator. The resulting random stream is then used to assign ciphertexts randomly to blocks for the first mix (see Appendix A for details). As Fiat and Shamir point out [7], there is no way to tweak the input to the hash function to get a predictable output. Therefore, the resulting output is sufficiently unpredictable for the first mix and may be used as described. For all other mix nodes j, the input blocks are determined by the output blocks of the previous mix node j − 1, meaning $a^j_1 = b'^{j-1}_1$, $a^j_2 = b'^{j-1}_2$, .... After dividing the input ciphertexts into blocks, the mix node proves the correspondence between input block $a^j_1$ and output block $a'^j_1$, between input block $a^j_2$ and output block $a'^j_2$, etc.

In the next step, the verifier distributes the ciphertexts of the output blocks $a'^j_1, a'^j_2, \ldots, a'^j_l$ over input blocks $b^j_1, b^j_2, \ldots, b^j_l$. As each block contains roughly as many ciphertexts as there are blocks, this is done to maximize privacy: the blocks of the input are chosen such that each input block $b^j_y$ contains one ciphertext from every output block $a'^j_x$. Of course, there are two block sizes: l and l + 1. So, to be specific: the first r input blocks contain l + 1 ciphertexts, one ciphertext of every block and one additional ciphertext of block r (input block one contains two votes of output block one, input block two contains two votes of output block two, ...). All other l − r blocks contain l ciphertexts, one from each block. The mix node j proves the correspondence between output blocks $b'^j_1, b'^j_2, \ldots, b'^j_l$ and input blocks $b^j_1, b^j_2, \ldots, b^j_l$.

Verifying blocks. To verify that a block of input ciphertexts was correctly processed by a mix node, there are two options. Either the node reveals the sum of the used re-encryption random numbers (believed to be secure, but not proven so), or the node uses the zero knowledge proofs of [11].
In either case, the node proves that the sum of the plaintexts of the block was not changed by the mixing step (Figure 2).

5 Analysis

In this section we analyse Random Block Verification regarding fraud detection, privacy, and efficiency. In addition, the results are compared with those of Randomized Partial Checking, the Proof of Subproduct mix by Golle et al., and the Norwegian mix by Puiggalí et al.

5.1 Detecting malicious mixes

The optimistic verification approach is not perfect: an error (e.g., changing a 1 to a 3) can be counterbalanced (e.g., = 3 + 2) and pass undetected. To achieve undetected corruption of the mix result, a malicious mix has to change (drops, alters, inserts) at least two ciphertexts to ensure balancing the introduced error. This will remain undetected if and only if the introduced errors are properly balanced within the same block. Since the division of ciphertexts into blocks is not known to the mix during mixing, the malicious mix cannot ensure this. Below, we investigate the probability of this happening by chance.

As an aside, note that in any optimistic approach, a change must be counterbalanced. Therefore, to affect a change of k votes, at least one ciphertext extra has to be tweaked, leading to at least k + 1 changed ciphertexts. This is in contrast to RPC, where changes to ciphertexts cannot be balanced by other changes. Hence, below we compare the chance of changing k ciphertexts in RPC to k + 1 ciphertexts in optimistic approaches.

Randomized Partial Checking. To cheat, a mix would drop/alter a ciphertext either in the first or in the second mixing stage. Since the mix has to reveal either the first or the second mixing stage, the chance of getting away with this is 1/2. Since this is independent, the chance of remaining undetected for k changes is

$P_{rpc}$(k undetected changes) = $2^{-k}$.

Proof of Subproduct. During the verification α random blocks (for α ≤ 5) are generated with an average size of 2 and compared with the corresponding output blocks. In case a malicious mix node adapted k ciphertexts, the prover has to find another set of output ciphertexts which has the desired properties. The chance of doing this in polynomial time is at most $(5/8)^{\alpha}$ [1]. Thus a high number of used random blocks increases the probability that the modified ciphertext is checked. For α = 5, for instance, the chance of getting away is $(5/8)^5$. The maximum probability of changing k ciphertexts without detection is reached at α = 1. Thus, in general,

$P_{PoS}$(k + 1 undetected changes) = $(5/8)^{\alpha}$.

Norwegian mix. Puiggalí et al. claim in [14] that the chance of not detecting that two ciphertexts have been altered by one mix is P(undetected) = l 1 1: the first ciphertext can be in any block, as long as the second is in the same.
Given that in their proposal, l = m (with m being the number of mixes), this gives the following chance of changing k + 1 ciphertexts without being detected:

$P_{Norway}$(k + 1 undetected changes) = ( m ) k 1. 1

Random Block Verification. The chance of affecting a change of size k requires changing k + 1 ciphertexts. In the case of two changed ciphertexts, the RBV mix net performs as well as Puiggalí et al. In case of more than two, the Norwegian mix net performs slightly better, as their block size is inversely proportional to the number of mix nodes, whereas ours is constant in this regard. Intuitively, our approach has blocks of (almost) equal size, and therefore the chance of a ciphertext occurring in one block is roughly ( ) 1. The chance of k + 1 ciphertexts occurring in the same block is therefore roughly ( ) k. In reality, it is slightly better as some blocks are smaller than others. To be precise,

$P_{rbv}$(k + 1 undetected changes) = ( ) k 1. 1

In RBV, the values for m and l are fixed at m = l = . As a result the correctness is independent of the number of mix nodes m. In contrast the values for the approach proposed by Puiggalí et al. depend on the number of mix nodes and are given by l = m and m = l.

5.2 Privacy

In mix nets, privacy is the question of how traceable a given ciphertext is through the mix net. In general, there remains some imprecision: some output ciphertexts can be ruled out, but others may or may not be a re-encryption of the sought ciphertext. The size of the group that cannot be ruled out (which we will call Anonymity group or AG) gives a measure for how much privacy is achieved by the mix net. In the following we consider the case that only one mix net is honest and keeps the input-output ciphertext relation secret.

Randomized Partial Checking. Depending on a coin flip, the verification procedure reveals either the link between an intermediate ciphertext and the input, or its link with an output ciphertext. In the worst case, the coin is completely fair, and hence 50% of the links with input ciphertexts are linked, and similarly 50% of the links with output ciphertexts. Hence, 2 output ciphertexts are not linked yet and must belong to the input ciphertexts whose link was revealed. Thus, for each ciphertext whose input link is revealed, the anonymity group has a size of 2. A similar reasoning holds for ciphertexts whose output link is revealed. Thus, the anonymity group of a RPC mix net with one honest mix is $AG_{rpc}$ = 2.

Proof of Subproduct. Using PoS the ciphertexts are grouped in up to α random blocks (with α being the security parameter, 0 < α ≤ 5). The authors show that the average anonymity group size is $AG_{PoS}$ = 2 α. Thus, increasing the security (i.e., the assuredness afforded by the verifiability) has a negative effect on privacy: the larger α, the smaller the anonymity group. Consequently, PoS achieves the best privacy result for α = 1, and the smallest amount of privacy is achieved for α = 5; in this case, $AG_{PoS}$ = 32.

Norwegian mix. The approach proposed by Puiggalí et al. reduces the blocksize dependent on the number of used mix nodes. For m mix nodes a blocksize of m is used. Thus, assuming that just one mix node is honest the anonymity group has a size of $AG_{Norway}$ = m.

Random Block Verification. In RBV, each mix node shuffles twice. For verification, the ciphertexts are grouped into blocks of size. So, after the first shuffle, the size of the anonymity group is. However, for the second process, the blocks for the second shuffle are chosen such that they include at least (footnote 7) one ciphertext of each of the output blocks of the first shuffle. Therefore, to trace the ciphertext through the second shuffle, all input blocks need to be considered, which means in turn that all output blocks need to be considered. Hence, for one mix, $AG_{rbv}$ =.

5.3 Efficiency

In this section the efficiency of our approach is determined. Note, we only consider the number of needed exponentiations because performing any other arithmetic operation requires less computational effort. The total number of needed exponentiations is determined by two components: proof generation by the mix net and verification by the verifier. We compute the computational costs only for one mix node.

For re-encryption our approach, like RPC, needs twice as many exponentiations per mix node as the approach by Puiggalí et al. and PoS. That is because re-encryption and shuffling are performed twice. But the impact of this is reduced as the mix nodes all process a subset of ciphertexts in parallel.

Randomized Partial Checking. During the verification of RPC two times the association between 2 ciphertexts is shown. This can be done by revealing the random value and be verified by recalculating the re-encryption. Therefore two times 2 exponentiations for α of the ciphertext and two times 2 for β of the ciphertext are needed. In total the computational costs per mix node are $E_{rpc}$ = = 2.

Proof of Subproduct. The number of exponentiations during the PoS verification is 2α(2m 1) [1] per mix node (for a total number of m mix nodes) and depends on the security parameter α (for α ≤ 5). Therefore the maximum number of exponentiations per mix node is 10(2m 1) which is achieved for α = 5. Thus, efficiency also depends on the security parameter, and is given by $E_{PoS}$ = 2α (2m 1).

Footnote 7: Since, in general, N, exactly one per block is not possible. However, our approach remains as close to that ideal as possible.

Norwegian mix. The verification process by Puiggalí et al. uses a zero knowledge proof to show the correctness of every block. The computational cost to verify the plaintext equivalence depends on the number of blocks. For ciphertexts m blocks are used. The calculation of the proof for each block requires 2 exponentiations and the verification of the correct mixing takes 4. Therefore the total number of exponentiations done by the mix net and the verifier is $E_{Norway}$ = 6 m.

Random Block Verification. Also the efficiency of our approach depends on the number of blocks. For ciphertexts m = blocks are used. During proof generation it takes one exponentiation per block to calculate the witness. From this follows that for m blocks 2m exponentiations are needed (m for each mixing step). Afterwards it takes the verifier two exponentiations per block to check the integrity of all blocks and thus 4m exponentiations for both verification steps. This leads to a total number of $E_{rbc}$ =

5.4 Conclusion

In Table 1, we summarise our findings. The Fraud row gives the chance of getting away with affecting the result with k votes (i.e., k changes for RPC, k + 1 changes for the others). Privacy is expressed in terms of the anonymity group of one mix, and efficiency is expressed in terms of the number of exponentiations. The bold numbers are the top scores in each row.

                          RPC       PoS           Puiggalí et al.   RBV
Fraud (P(undetected))     2^{-k}    (5/8)^α       ( m )k            ( 1 1 )k
Privacy (AG)              2         2 α           m
Efficiency (# exp.)       2         2α (2m 1)     6 m               6

Table 1. Comparison (for ciphertexts and m mix-nodes) of fraud detection (for one modified ciphertext), privacy and efficiency (for verification of one mix-node).

The table illustrates that RBV significantly improves privacy and efficiency over Puiggalí et al., at the cost of a slightly reduced ability to detect fraud. To get a feeling for how serious this reduction in fraud detection is, consider the following example. Suppose 3 ciphertexts are changed in a set of 1000 votes. The chance of not detecting this is less than ( 1000 ) 2 0.1%.
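The block check from "Verifying blocks" and the balancing limit from "Detecting malicious mixes", as an added Python example that is not code from the paper or from the Norwegian system. It uses the first verification option (the node reveals the sum of a block's re-encryption randomness) on a single shuffle step. The toy group p = 2039, q = 1019, g = 4, the six sample votes, the fixed two-block assignment and all function names are assumptions made for the illustration.

```python
import random

# Toy group, constructed for this example and far too small for real use:
# p = 2q + 1 with p and q prime; g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4


def keygen(rng):
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def encrypt(y, s, r):
    """Exponential ElGamal: Enc_y(s, r) = (g^r, g^s * y^r)."""
    return pow(G, r, P), pow(G, s, P) * pow(y, r, P) % P


def reencrypt(y, c, r):
    """ReEnc_y((a, b), r) = (a * g^r, b * y^r); the plaintext is unchanged."""
    return c[0] * pow(G, r, P) % P, c[1] * pow(y, r, P) % P


def decrypt(x, c, max_s=50):
    """Recover a small plaintext s from g^s by exhaustive search."""
    gs = c[1] * pow(c[0], Q - x, P) % P
    return next(s for s in range(max_s) if pow(G, s, P) == gs)


def product(cts):
    """Component-wise product; it encrypts the sum of the plaintexts."""
    a = b = 1
    for ca, cb in cts:
        a, b = a * ca % P, b * cb % P
    return a, b


def mix(y, inputs, rng):
    """Re-encrypt and shuffle. perm[i] is the output position of input i and
    rs[i] its re-encryption randomness; both stay secret with the mix node."""
    perm = list(range(len(inputs)))
    rng.shuffle(perm)
    rs = [rng.randrange(Q) for _ in inputs]
    outputs = [None] * len(inputs)
    for i, c in enumerate(inputs):
        outputs[perm[i]] = reencrypt(y, c, rs[i])
    return outputs, perm, rs


def prove_block(block, perm, rs):
    """Mix node: name the output block and reveal the block's randomness sum."""
    return sorted(perm[i] for i in block), sum(rs[i] for i in block) % Q


def verify_mix(y, inputs, outputs, blocks, proofs):
    """Verifier: output blocks must partition the outputs, and for every block
    ReEnc(product(input block), R) must equal product(output block)."""
    claimed = sorted(j for pos, _ in proofs for j in pos)
    if claimed != list(range(len(outputs))):
        return [False] * len(blocks)
    results = []
    for block, (pos, r_sum) in zip(blocks, proofs):
        lhs = reencrypt(y, product(inputs[i] for i in block), r_sum)
        results.append(len(pos) == len(block)
                       and lhs == product(outputs[j] for j in pos))
    return results


def shift_vote(c, delta):
    """Add delta to the hidden plaintext by multiplying beta with g^delta."""
    return c[0], c[1] * pow(G, delta % Q, P) % P


def run(changed=None, seed=1):
    """Mix six constructed votes; optionally alter the outputs of inputs
    changed = (i, j) by +1 and -1, then verify. Returns (checks, votes)."""
    rng = random.Random(seed)  # seeded only to make the run reproducible
    x, y = keygen(rng)
    votes = [1, 0, 1, 1, 0, 1]
    inputs = [encrypt(y, s, rng.randrange(Q)) for s in votes]
    blocks = [[0, 1, 2], [3, 4, 5]]  # fixed here; RBV derives it after mixing
    outputs, perm, rs = mix(y, inputs, rng)
    if changed:
        i, j = changed
        outputs[perm[i]] = shift_vote(outputs[perm[i]], +1)
        outputs[perm[j]] = shift_vote(outputs[perm[j]], -1)
    proofs = [prove_block(b, perm, rs) for b in blocks]
    checks = verify_mix(y, inputs, outputs, blocks, proofs)
    return checks, sorted(decrypt(x, c) for c in outputs)


if __name__ == "__main__":
    print("honest mix:           ", run())
    print("balanced, same block: ", run(changed=(0, 2)))
    print("balanced, two blocks: ", run(changed=(0, 3)))
```

Both altered runs decrypt to the same changed set of votes; only the run whose two changes fall into different blocks fails the check, which is why the block assignment has to be fixed after the mix has published its output.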

6 Conclusion and Future Work

We discussed the mix net verification scheme by Puiggalí et al., a mix of Randomized Partial Checking (RPC) and Optimistic Mixing (OM). We highlighted several possibilities to improve efficiency, identified a privacy risk in case just one mix net is honest (keeping the re-encryption and shuffling secret), and noted several unclarities concerning verification block size and allocation of elements to verification blocks. We proposed an improved verification scheme, based on randomized partial checking of blocks, to address these issues. We provided a detailed analysis of the effectiveness (in terms of privacy, efficiency and correctness) of our scheme and compared this with other schemes that enable a trade off between privacy, correctness and efficiency.

We showed that the privacy and correctness of our scheme improve upon that offered by RPC and OM, as well as other approaches that offer a trade off between efficiency, privacy and correctness. In addition, our scheme is less computationally expensive than RPC. Specifically, our scheme provides a high probability of correctness for all elements for low computational cost. This contrasts starkly with RPC, which validates some elements at an elevated computational cost.

There are several directions in which this work can be extended further. In this paper we did not address malicious inputs. These could occur e.g. in the case of a coerced voter. Finally, we're interested in applying this verification approach to improve the efficiency of an actual mix net, such as Verificatum. We also plan to discuss which probabilities satisfy legal requirements with legal scientists.

Acknowledgements. This paper has been developed within the project VerKonWa Verfassungskonforme Umsetzung von elektronischen Wahlen which is funded by the Deutsche Forschungsgemeinschaft (DFG, German Science Foundation) and conducted in cooperation of provet (Project Group Constitutionally Compatible Technology Design at the University of Kassel) and CASED (Center for Advanced Security Research Darmstadt).

References

1. Boneh, D., Golle, P.: Almost entirely correct mixing with applications to voting. In: Proc. CCS 02. ACM (2002)
2. Chaum, D.: Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM 24(2) (1981)
3. Chaum, D., Pedersen, T.: Wallet databases with observers. In: Brickell, E. (ed.) CRYPTO 92, LNCS, vol. 740. Springer Verlag (1993)
4. Desmedt, Kurosawa: How to break a practical mix and design a new one. In: Proceedings of the 19th international conference on Theory and application of cryptographic techniques. LNCS, vol. 1807. Springer-Verlag, Berlin, Heidelberg (2000)

5. El Gamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Proceedings CRYPTO 84. Springer-Verlag New York, Inc., New York, NY, USA (1985)
6. Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: Advances in Cryptology CRYPTO 86. LNCS, vol. 263. Springer (1986)
7. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Proc. CRYPTO 86. Springer-Verlag, London, UK (1987)
8. Gjøsteen, K.: Analysis of an internet voting protocol. Cryptology ePrint Archive, Report 2010/380 (2010)
9. Golle, P., Zhong, S., Boneh, D., Jakobsson, M., Juels, A.: Optimistic mixing for exit-polls. In: Asiacrypt 2002, LNCS. Springer-Verlag (2002)
10. Groth, J.: A verifiable secret shuffle of homomorphic encryptions. vol. 23 (2010)
11. Jakobsson, M., Juels, A.: Millimix: Mixing in small batches. Tech. rep., Center for Discrete Mathematics & Theoretical Computer Science (1999)
12. Jakobsson, M., Juels, A., Rivest, R.L.: Making mix nets robust for electronic voting by randomized partial checking. In: Proceedings of USENIX 02 (2002)
13. Neff, C.A.: A verifiable secret shuffle and its application to e-voting. In: CCS 01. ACM, New York, NY, USA (2001)
14. Puiggalí Allepuz, J., Guasch Castelló, S.: Universally verifiable efficient re-encryption mixnet. In: Proc. EVOTE LNI, vol. P-167. GI (2010)
15. Sako, K., Kilian, J.: Receipt-free mix-type voting scheme. In: Guillou, L., Quisquater, J.J. (eds.) Proc. EUROCRYPT 95. LNCS, vol. 921 (1995)
16. Schnorr, C.P.: Efficient signature generation by smart cards. Journal of Cryptology 4 (1991)
17. Terelius, B., Wikström, D.: Proofs of restricted shuffles. In: AFRICACRYPT. LNCS, vol. 6055 (2010)
18. Wikström, D.: Five practical attacks for optimistic mixing for exit-polls. In: Selected Areas in Cryptography (2003)
19. Wikström, D.: A commitment-consistent proof of a shuffle. In: Proceedings of the 14th Australasian Conference on Information Security and Privacy, LNCS, vol. 5594. Springer-Verlag, Berlin, Heidelberg (2009)

A Random distribution of ciphertexts over blocks using Fiat-Shamir

This section details how to arrive at a random distribution of ciphertexts over blocks. Consider a setting with m mixes and input ciphertexts, and thus with l = blocks, identified as i ∈ {0, ..., l − 1}. Of these, r = l l should have l + 1 elements, and the others are to end up with l elements.

To ensure the initial assignment of ciphertexts to blocks is random, the first mix takes a hash of its input (by concatenating all ciphertexts), and uses the resulting number as seed of a random number generator. The stream of random bits from the generator is chopped into parts of size $s = \log_2 l$. Then, the first ciphertext is assigned to the block with the number given by the first part. Should this be a number > l, this part is dropped. The second ciphertext is assigned the block identified by the second part, and so on. In case a part identifies a number for which there is no corresponding block, the part is dropped.

When a block is full, its index number is dropped. Initially, blocks are considered full when they have l + 1 elements. As soon as r blocks have been filled, blocks are considered full (and their indexes dropped) when they have l elements. To speed up the assignment, the available blocks can be reindexed and s can be updated to limit the number of parts for which there is no corresponding block.
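One way to implement the assignment procedure of this appendix, as an added Python example that is not the authors' code. Assumptions: SHA-256 serves both as the hash and, in counter mode, as the public random number generator; ciphertexts are pairs of integers serialized at a fixed width; a part has ceil(log2 l) bits; and the two block sizes are derived from the ciphertext count and the number of blocks by integer division. All function names are hypothetical, and the reindexing speed-up is left out.

```python
import hashlib


def seed_from(ciphertexts, width=256):
    """Hash the concatenation of all ciphertexts (fixed-width encoding is an
    assumption; it keeps the concatenation unambiguous)."""
    data = b"".join(a.to_bytes(width, "big") + b.to_bytes(width, "big")
                    for a, b in ciphertexts)
    return hashlib.sha256(data).digest()


def bit_stream(seed):
    """Public random bit stream: SHA-256 in counter mode (assumed generator)."""
    counter = 0
    while True:
        for byte in hashlib.sha256(seed + counter.to_bytes(8, "big")).digest():
            for k in range(7, -1, -1):
                yield (byte >> k) & 1
        counter += 1


def assign_blocks(ciphertexts, num_blocks):
    """Assign ciphertext indices to blocks as described in the appendix.
    Returns a list of blocks, each a list of indices into `ciphertexts`."""
    n = len(ciphertexts)
    if num_blocks < 1 or n < num_blocks:
        raise ValueError("need at least one ciphertext per block")
    base, r = divmod(n, num_blocks)            # r blocks get base + 1 elements
    s = max(1, (num_blocks - 1).bit_length())  # bits per part: ceil(log2 l)
    bits = bit_stream(seed_from(ciphertexts))
    blocks = [[] for _ in range(num_blocks)]
    open_ids = set(range(num_blocks))          # indexes of blocks not yet full
    cap = base + 1 if r else base              # current "full" threshold
    large_done = 0
    for idx in range(n):
        while True:
            part = 0
            for _ in range(s):
                part = (part << 1) | next(bits)
            if part in open_ids:               # out of range or full: dropped
                break
        blocks[part].append(idx)
        if len(blocks[part]) == cap:
            open_ids.discard(part)
            if cap == base + 1:
                large_done += 1
                if large_done == r:            # switch to the smaller size
                    cap = base
                    open_ids = {b for b in open_ids if len(blocks[b]) < base}
    return blocks


if __name__ == "__main__":
    # Constructed sample: 23 stand-in ciphertext pairs, 5 blocks.
    sample = [(7 * i + 3, 11 * i + 5) for i in range(23)]
    for number, block in enumerate(assign_blocks(sample, 5)):
        print(number, block)
```

Anyone holding the published ciphertext list can recompute the same assignment, so the verifier does not have to trust whoever ran it.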


More information

Chapter (6) Discrete Probability Distributions Examples

Chapter (6) Discrete Probability Distributions Examples hapter () Discrete robability Distributios Eamples Eample () Two balaced dice are rolled. Let X be the sum of the two dice. Obtai the probability distributio of X. Solutio Whe the two balaced dice are

More information

Efficient Feedback-Based Scheduling Policies for Chunked Network Codes over Networks with Loss and Delay

Efficient Feedback-Based Scheduling Policies for Chunked Network Codes over Networks with Loss and Delay Efficiet Feedback-Based Schedulig Policies for Chuked Network Codes over Networks with Loss ad Delay Aoosheh Heidarzadeh ad Amir H. Baihashemi Departmet of Systems ad Computer Egieerig, Carleto Uiversity,

More information

A study on traffic accident measures in municipal roads by using GIS

A study on traffic accident measures in municipal roads by using GIS icccbe 010 Nottigham Uiversity Press Proceedigs of the Iteratioal Coferece o Computig i Civil ad Buildig Egieerig W Tizai (Editor) A study o traffic accidet measures i muicipal roads by usig GIS Satoshi

More information

Localized Image Segmentation and Enhancement for Meteorite Images

Localized Image Segmentation and Enhancement for Meteorite Images Localized Image Segmetatio ad Ehacemet for Meteorite Images Yufag Bao, PhD Math ad Computer Sciece Departmet Fayetteville State Uiversity, Fayetteville, NC 28301 ybao@ucfsu.edu ABSTRACT This paper proposed

More information

Optimal Geolocation Updating for Location Aware Service Provisioning in Wireless Networks

Optimal Geolocation Updating for Location Aware Service Provisioning in Wireless Networks Optimal Geolocatio Updatig for Locatio Aware Service Provisioig i Wireless Networks Siri Tekiay Amer Catovic tekiay@adm.jit.edu axc4466@jit.edu New Jersey Istitute of Techology Uiversity Heights, Newark,

More information