BeleniosRF: A Non-interactive Receipt-Free Electronic ... · BeleniosRF: A Non-interactive...

BeleniosRFA Non-interactive Receipt-Free Electronic Voting Scheme

Pyrros ChaidosUniversity College London

Gower St London WC1E 6BT UKpyrroschaidos10uclacuk

Veacuteronique CortierLORIA CNRS amp INRIA amp Universiteacute de Lorraine

54500 Vandœuvre-legraves-Nancy Franceveroniquecortierloriafr

Georg FuchsbauerInria ENS CNRS PSL Research University

45 rue drsquoUlm 75005 Paris Francegeorgfuchsbauerensfr

David GalindoUniversity of Birmingham

Edgbaston Birmingham B15 2TT UKDGalindocsbhamacuk

ABSTRACTWe propose a new voting scheme BeleniosRF that offers bothreceipt-freeness and end-to-end verifiability It is receipt-freein a strong sense meaning that even dishonest voters cannotprove how they voted We provide a game-based definitionof receipt-freeness for voting protocols with non-interactiveballot casting which we name strong receipt-freeness (sRF)To our knowledge sRF is the first game-based definitionof receipt-freeness in the literature and it has the meritof being particularly concise and simple Built upon theHelios protocol BeleniosRF inherits its simplicity and doesnot require any anti-coercion strategy from the voters Weimplement BeleniosRF and show its feasibility on a numberof platforms including desktop computers and smartphones

1 INTRODUCTIONElectronic voting protocols should achieve two antagonistic

security goals privacy and verifiability Additionally theymust be practical from a usability operational and efficiencypoint of view Privacy can be expressed via several increas-ingly demanding security properties

bull Basic ballot privacy guarantees that no one can learnhow a voter voted

bull Receipt-freeness ensures that a voter cannot prove toanyone how she voted While privacy protects honestvoters receipt-freeness aims at protecting vote privacyeven when voters willingly interact with an attacker

bull Coercion-resistance should allow an honest voter tocast her vote even if she is during some time fullyunder the control of an attacker Coercion-resistancetypically requires revoting

Permission to make digital or hard copies of all or part of this work for personal orclassroom use is granted without fee provided that copies are not made or distributedfor profit or commercial advantage and that copies bear this notice and the full citationon the first page Copyrights for components of this work owned by others than theauthor(s) must be honored Abstracting with credit is permitted To copy otherwise orrepublish to post on servers or to redistribute to lists requires prior specific permissionandor a fee Request permissions from permissionsacmorg

CCSrsquo16 October 24 - 28 2016 Vienna Austriaccopy 2016 Copyright held by the ownerauthor(s) Publication rights licensed to ACM

ISBN 978-1-4503-4139-41610 $1500

DOI httpdxdoiorg10114529767492978337

Conversely verifiability ensures that votersrsquo ballots are in-cluded in the ballot box (individual verifiability) that theresult corresponds to the content of the ballot box (universalverifiability) and that ballots come only from voters entitledto vote (eligibility verifiability)

Helios [3 4] is a scheme that ldquoonlyrdquo achieves privacy andverifiability and is based on a voting system by CramerGennaro and Schoenmakers [25] with modifications proposedby Benaloh [7] It has been used in several elections such asthat of the president of UC Louvain in Belgium and of theBoard of Directors of the IACR since 2011 [1] As emphasizedby its authors Helios should only be used in low-coercionenvironments Indeed a voter may reveal the randomnessused to compute her ballot one can then re-encrypt theclaimed vote and check if the encryption is contained in thepublic bulletin board Helios is thus not receipt-free

To our knowledge Civitas [2137] is the only scheme thatachieves both verifiability and coercion-resistance withoutrequiring a great deal of interaction between the ballot box orthe election authorities and the voter (such as [820]) Whilethe scheme is a foundational work it seems difficult to useit in large-scale elections mainly for two reasons First thetally phase requires O(n2) operations where n is the numberof received ballots which opens the way to denial-of-serviceattacks Second to achieve coercion-resistance a voter shouldbe able to adopt an anti-coercion strategy (in Civitas a voterhas to lie about her true credential) and then later revotefor her true choice once she is freed from the attacker Webelieve that this scenario is unrealistic in many cases as itrequires cryptographic skills and a heavy infrastructure torealize an untappable channel (eg in-person registration)

It is also worth noticing that in most countries revotingis not allowed as for example in Australia France SpainSwitzerland and the United Kingdom The only exceptions weare aware of are Estonia and the Internet voting pilots for theparliamentary elections in 2011 and 2013 in Norway Whilethis way of thinking might be a cultural aspect inheritedfrom traditional paper ballot systems it is foreseeable thatit will take time before countries change their electoral rulesin order to adopt a revote policy

11 Our ContributionsBuilding upon a recent variant of Helios called Belenios

[2230] and a cryptographic primitive called signatures on

randomizable ciphertexts [12] we propose a receipt-free ver-sion of Helios which we call BeleniosRF In our scheme avoter cannot prove how she voted even if she is providedwith all the ballot material by the coercer Interestingly ourscheme does not demand any strategy of the voter in partic-ular it does not require the active participation of a voterto deceive a coercer that is asking for a receipt For examplea voter does not need to lie or produce fake credentials as inCivitas she simply has no way to prove how she voted Thisrepresents a huge improvement in usability from the voterrsquospoint of view all that is required of the voter is to vote

We show that our scheme BeleniosRF is receipt-free ina strong sense meaning that even a dishonest voter usinga voting client that has been tampered with cannot provehow she voted We formalize this property called strongreceipt-freeness (sRF) via a game-based definition buildingon the privacy definition recently proposed by Bernhard etal [9] We view this formal definition of receipt-freeness whichapplies to non-interactive ballot casting protocols as the firstcontribution of this work We call it strong receipt-freenessto emphasize that in non-interactive protocols an attackerhas less room to build a receipt Indeed in the absence ofinteraction the adversary does not obtain information fromthe voting server apart from what is displayed on the bulletinboard hence any receipt must be built by the adversarylocally and before submitting the ballot

We claim sRF is the first game-based receipt-freeness defini-tion in the literature accounting for a voter that is corruptedduring the voting phase Additionally sRF has the merit ofbeing simple and concise potentially allowing for simplerproofs In doing so we give a new formulation for the receipt-freeness definition by Benaloh and Tuinstra [8] and highlightthat receipt-freeness can be achieved without asking the vot-ers to vote several times and cancel previously submittedballots and without requiring an untappable channel All weneed to assume is that the attacker is not permanently eaves-dropping the communication between the voting server andthe voter an assumption made by all previous constructionsof receipt-free or coercion-resistant voting schemes

A key ingredient of BeleniosRF is a randomization service arole that we assume is played by the voting server but whichcould be played by a different server The randomizationservice is in charge of re-randomizing the ballot cast by avoter BeleniosRFrsquos receipt-freeness then relies on the factthat the randomness contained in the ballot displayed inthe bulletin board is not under the control of the voterBoth the voter and the randomization service contributeto the randomness of the voterrsquos ballot as displayed on thebulletin board In fact in light of the impossibility resultof [19] the existence of a randomization agent is assumedin most constructions that claim to be receipt-free Herehowever we do not rely on letting voters vote multiple timesor on the existence of a trusted token for each voter (such aseg [20343543])

The foremost challenge in achieving receipt-freeness non-interactively and via a randomization service is to preventthe latter from changing the voterrsquos intent The only existingnon-interactive proposal [12] claiming receipt-freeness uses apowerful cryptographic primitive called signatures on ran-domizable ciphertexts It consists of a signature scheme and apublic-key encryption scheme that is randomizable (that isgiven a ciphertext anyone can create a fresh ciphertext of thesame plaintextmdashwithout knowing it) The primitive provides

an additional functionality given a signature on a ciphertextanyone can randomize the ciphertext and adapt the signatureto the new ciphertext that is produce a signature that isvalid on the new ciphertextmdashand all that knowing neither thedecryption key nor the signing key nor the plaintext On theother hand unforgeability guarantees that it is infeasible tocompute a signature on a ciphertext that encrypts a messageof which no encryption has been signed

Alas Blazy et al [12] did not provide a receipt-freenessdefinition nor a proof By exhibiting a ballot-copying at-tack adapted from [24] we demonstrate that their schemeis not receipt-free worse it is not even ballot-private Ourscheme fixes the Blazy et al construction by binding the ci-phertexts to voters while still inheriting the randomizabilityfrom Groth-Sahai non-interactive proofs [32]

We start with giving a new instantiation of signatures onrandomizable ciphertexts which we show yields an RCCA-secure public-key encryption scheme [16] from which we builda non-interactive1 receipt-free e-voting scheme as follows

bull As in Belenios each voter is provided with a signaturekey pair in addition to authentication means to theballot box (typically a login and password)

bull Each voter encrypts and signs their ballot and includesa proof of knowledge to prevent ballot malleability

bull Upon receiving a ballot the server re-randomizes theballot and adapts the corresponding signature and proofbefore publishing it

Receipt-freeness comes from the fact that a voter no longerhas control over nor knowledge of the randomness used toform the final ballot stored in the ballot box On the otherhand even after the voting server re-randomizes the ballotcast by the voterrsquos voting device the voter can still verifythat her legitimate ballot is present as the re-randomizedciphertext comes with a signature that is valid under thevoterrsquos verification key By unforgeability of the signatureprimitive the vote cannot have been altered by the ballotbox which we show implies verifiability

Our final contribution consists of assessing the feasibility ofBeleniosRF for this purpose we implemented and measuredthe efficiency of a Javascript voting client (see Section 5)

12 Related WorkOur definition requires that an adversary cannot distin-

guish whether a voter votes for either a or b even if theattacker provides the voter in advance with all the crypto-graphic material (such as randomness to be used to castthe ballot) Interestingly this definition does not require thevoter to follow a ldquostrategyrdquo to fool the coercer

The early definitions of receipt-freeness [8 43] introducedthe idea that an attacker should not be able to distinguish be-tween a real transcript and a fake one but their descriptionsare rather informal A weaker definition of receipt-freenessproposed in [1538] lets the attacker only interact with thevoter after the election (in particular the attacker cannotcontrol the randomness of the voterrsquos device) A simulation-based definition for receipt-freeness (UC-RF) was given in [42]It assumes however that the voters adopt an ldquoanti-coercionstrategyrdquo and is therefore closer to coercion-resistance as de-fined in [37] even if it does not cover for instance abstention

1After successful authentication between the voter and theballot box ballot casting is non-interactive

attacks Since BeleniosRF does not require any anti-coercionstrategy from the voters and game-based security definitionsare known to be easier to work with we opted not to useUC-RF to analyze the receipt-freeness of our new protocolThe coercion-resistance and receipt-freeness definitions in [40]also assume a strategy from the voter Our definition can beseen as a formalization of one of the other possible strategiessketched in the paper

Similarly the symbolic definition of receipt-freeness in [26]also requires the voter to adopt a strategy to fool the ad-versary Other definitions in symbolic models aim at charac-terizing the notion of a receipt [14 33 36] but (as usual insymbolic models) they are much more abstract than standardcomputational models

Previous receipt-free schemes The scheme by Kiayiaset al [38] only achieves receipt-freeness for honest voters asdiscussed above Other well-known and deployed schemesinclude Pret-a-voter [44] and Scantegrity [18] These sys-tems however are designed for elections with physical votingbooths The system used in Estonia [46] and the one de-ployed in Norway [5 29] might possibly satisfy some level ofreceipt-freeness as the corresponding ballot boxes are notpublicly available But because of this they do not achieveuniversal verifiability (in contrast to BeleniosRF) Kulyk etal [39] propose an extension of Helios where voters may latercancel their vote still being indistinguishable from null votessubmitted by the crowd In addition to being difficult todeploy in practice this scheme strongly relies on revotingHirtrsquos scheme [34] heavily depends on the existence of un-tappable channels Selene [45] proposes an enhancement forreceipt-free schemes applicable to BeleniosRF to ease theverification step made by voters through tracking numbers

BeleniosRF can be seen as realizing receipt-freeness underthe assumption that the voting server which is in charge ofrunning the ballot box can be trusted to re-randomize ballotsand not reveal the randomness used for that procedure Incontrast Helios [41] and [38] achieve receipt-freeness underthe assumption that the voting client is not going to revealthe randomness it used for sealing the vote The latter seemsdifficult to ensure in practice unless voters are provided withsecure hardware tokens In contrast BeleniosRF only needsthe voting server to be protected against randomness leakage

BeleniosRF has one disadvantage compared to Helios andBelenios if the registrar and the voting server collude theycan undetectably change a voterrsquos choice This is due to thefeatures that guarantee receipt-freeness namely that signa-tures on different ciphertexts encrypting the same messagecannot be linked and that the registrar generates the votersrsquosigning keys (and thus can vote on their behalf) This can beprevented by defining a less powerful registrar that simplygrants voting rights to signing keys that are generated by thevoters themselves (cf Section 43) This solution differs fromthe Belenios approach where voters receive their signingkeys from the registrar for the sake of usability This is justanother manifestation of the usual tension between usabilityprivacy and verifiability in e-voting systems (and computersecurity systems in general) in the sense that increasing oneof them entails a decrease of at least one of the others

2 RECEIPT-FREENESSWe now formally define receipt-freeness and start by pro-

viding the syntax of a voting system inspired by [922]

21 Syntax of a Voting SystemElection systems typically involve several entities For the

sake of simplicity we consider each entity to consist of only oneindividual but note that all of them could be thresholdized

1 Election administrator denoted by E is responsible forsetting up the election it publishes the identities idof eligible voters the list of candidates and the resultfunction ρ of the election (typically counting the numberof votes received by every candidate)

2 Registrar denoted by R is responsible for distributingsecret credentials to voters and registering the corre-sponding public credentials

3 Trustee denoted by T is in charge of tallying andpublishing a final result

4 Voters the eligible voters are denoted by id1 idτ

5 Ballot-box (voting server) manager denoted by B isresponsible for processing and storing valid ballots inthe ballot box BB and for publishing PBB the publicview of BB also called (public) bulletin board

The following syntax considers single-pass schemes that issystems where voters only have to post a single message to theboard ie ballot casting is non-interactive A voting protocolV = (SetupRegisterVoteValidAppendPublishVerifyVoteTallyVerify) is relative to a family of result functions ρττge1

for τ isin N with ρτ Vτ rarr R where V is the set of admissiblevotes and R is the result space

Setup(1λ) on input a security parameter 1λ outputs anelection publicsecret key pair (pk sk) where pk couldcontain a list of credentials L We let pk be an implicitinput of the remaining algorithms

Register(id) on input an identifier id outputs the secretpart of the credential uskid and its public credentialupkid which is added to the list L = upkid

Vote(idupkusk v) is run by voter id with credentials upkusk to cast her vote v isin V It outputs a ballot b whichis sent to the voting server (possibly through an au-thenticated channel)

Valid(BB b) takes as input the ballot box BB and a ballot band checks the validity of the latter It returns gt forvalid ballots and perp for invalid ones (eg ill-formed con-taining duplicated ciphertext from the ballot box )

Append(BB b) updates BB with the ballot b Typically thisconsists in adding b as a new entry to BB but moreinvolved actions might be possible (as in our scheme)

Publish(BB) outputs the public view PBB of BB Often onesimply has Publish(BB) = BB

VerifyVote(PBB idupk usk b) is run by voters for checkingthat their ballots will be included in the tally On inputsthe public board PBB a ballot b and the voterrsquos identityand credentials id uskupk it returns gt or perp

Tally(BB sk) on inputs the ballot box BB and the secretkey sk outputs the tally r and a proof of correct tabu-lation Π If the election is declared invalid then r = perp

Verify(PBB rΠ) on inputs the public bulletin board PBBand (rΠ) checks whether Π is a valid proof of correcttallying for r If so it returns gt and perp otherwise

The exact implementation of these algorithms dependson the concrete voting protocol In particular the notionof public and private credentials of a voter varies a lot Forexample upkid might be simply the identity of the voter ormay correspond to her signature-verification key

22 Strong Receipt-FreenessIntuitively privacy ensures that an adversary cannot learn

the vote of an honest voter Receipt-freeness furthermoreguarantees that a voter cannot prove how she voted even ifshe willingly provides information to or follows instructionsby the adversary This captures the seminal intuition fromBenaloh and Tuinstra [8] The latter insisted that a reasonablyprivate electronic voting protocol should emulate traditionalvoting in a voting booth it should allow voters to concealtheir individual votes and at the same time prevent themfrom revealing their vote Voters should not be able to giveaway the privacy of their vote granted by the voting protocoleven if they are willing to

Building upon a definition of privacy recently introduced [9]we argue that this requirement can be formalized for single-pass schemes by simply providing the adversary with anadditional oracle OreceiptLR which allows him to submit hisown ballots on behalf of a dishonest voter Apart from im-mediately implying ballot privacy this simple formalizationcaptures several important scenarios

bull A voter who wants to convince a vote buyer of howshe voted may prepare her ballot in an arbitrary waythat allows him to construct a convincing receipt (egconsider a voter that uses biased random coins to buildher ballot and to prove how she voted [28])

bull A voter that might have been corrupted before theballot casting phase may just follow the instructionsgiven to her by the adversary (as in [37])

bull A voter can record but also forge its interaction withthe ballot box (as in [8])

As in previous formal or intuitive definitions of receipt-freeness we assume the adversary is not monitoring theinteraction between the voter and the voting server Howeverthe voter can record this interaction and later on present thisinformation (or any transformation thereof) to the adversary

Formally we consider two games Game 0 and Game 1defined by the oracles in Figure 1 In both games BB0 and BB1

are ballot boxes that start out empty Box BB0 corresponds tothe real election (that will be tallied) and BB1 is a fake ballotbox which the adversaryrsquos task is to distinguish from BB0In Game β the adversary has indirect access to BBβ thatis she can see the public part of that box at any time Thegame Expsrfβ

AV provides an adversary A access to the oraclesdefined in Figure 1 which intuitively proceed as follows

Oinit generates secret and public keys for the election thepublic key is returned to the adversary If β = 1 italso returns auxiliary information aux to be used by asimulator SimProof introduced below

Oreg on input an identifier id initializes idrsquos credentials(upk usk) by running Register(id) It gives upk to theadversary

Ocorrupt is used by the attacker to obtain the credentials(upk usk) of a registered voter

OvoteLR a left-or-right oracle takes two potential votes(v0 v1) for an honest user id produces ballots b0 andb1 for these votes and places them in the ballot boxes(one in BB0 and one in BB1) provided that v0 v1 isin V

Ocast allows the adversary to cast a ballot b on behalf ofany party If the ballot is valid with respect to BBβ itis placed in both ballot boxes

OreceiptLR allows an adversarial voter id to cast a ballot b1in BB1 and a ballot b0 in BB0 If each ballot b0 b1 isvalid with respect to its respective ballot box then theballots are appended by running Append(BB0 b0) andAppend(BB1 b1) This allows the adversary to encodespecial instructions in the ballots that could later serveas the basis for a vote receipt (eg as in [28])

Oboard models the adversaryrsquos ability to see the publishablepart of the board It returns Publish(BBβ)

Otally allows the adversary to see the result of the elec-tion In both games the result is obtained by tallyinga valid BB0 the proof of correct tabulation is howeversimulated in the second world ie for β = 1

We demand that the adversary first calls Oinit then oraclesOregOcorruptUOvoteLROcastOreceiptLROboard in anyorder and any number of times Finally A can call Otallyafter it receives its reply A must return a guess of the bit βThe guess bit is the result returned by the game

Inherited from ballot privacy [9] Definition 1 uses simula-tors SimSetup and SimProof to model the fact that the proofshould not reveal anything as it is ldquozero-knowledgerdquo

Definition 1 (sRF) Let V=(SetupRegisterVoteValidAppendVerifyVotePublishTallyVerify) be a voting pro-tocol for a set ID of voter identities and a result function ρWe say that V has strong receipt-freeness if there exist algo-rithms SimSetup and SimProof such that no efficient adver-sary can distinguish between games Expsrf0

BV(λ) and Expsrf1BV(λ)

defined by the oracles in Figure 1 that is for any efficientalgorithm A the following is negligible in λ∣∣ Pr

[Expsrf0AV(λ) = 1

]minus Pr

[Expsrf1AV(λ) = 1

] ∣∣ In protocols with non-interactive ballot casting an adver-

sary does not receive any output from its interaction withthe ballot box (apart from the public view of the protocolrun) the sRF adversary must therefore build a receipt usinglocal data only and before casting the ballot An adversarymight encode arbitrary instructions in bβ for instance mak-ing those instructions dependent on the vote vβ eg he couldset the least significant bit of bβ equal to vβ isin 0 1 Intu-itively strong receipt-freeness implies that a ballot b0 couldbe replaced by a ballot b1 both submitted via the oracleOreceiptLR without the adversary noticing Thus a receiptie a proof for a certain vote having been cast cannot existas OreceiptLR captures all what a RF adversary can do

This definition does not assume that the voter is capable ofsuccessfully applying some anti-coercion strategy (in contrastto [42]) We believe this to be important in practice for tworeasons First this is of course much easier to use with ourdefinition the system is receipt-free by construction and thereis no need to instruct voters how they should proceed to lieabout their vote Second we need not assume that revotingis allowed (our definition accommodates any revoting policythough including no revote) This is important since mostcountries forbid revoting

Oinit for β = 0

(pk sk)larr Setup(1k)return pk

Oinit for β = 1

(pk sk aux)larr SimSetup(1k)return pk

Oreg(id)

If id was not previously queriedthen run Register(id) and setU = U cup (id upkid uskid)return upkid

OcorruptU(id)

On a registered voter id output (upkiduskid)and set CU = CU cup (id upkid)

Ocast(id b)If Valid(BBβ b) = perp then return perpElse Append(BB0 b) and Append(BB1 b)

OvoteLR(id v0 v1)

If v0 isin V or v1 isin V then return perpb0 = Vote(idupkiduskid v0)b1 = Vote(id upkiduskid v1)Append(BB0 b0) Append(BB1 b1)

OreceiptLR(id b0 b1)

If id isin CU return perpIf Valid(BB0 b0) = perp or Valid(BB1 b1) = perpreturn perpElse Append(BB0 b0) and Append(BB1 b1)

Oboard()

Return Publish(BBβ)

Otally() for β = 0

(rΠ)larr Tally(BB0 sk)return (rΠ)

Otally() for β = 1

(rΠ)larr Tally(BB0 sk)

Πprime larr SimProofaux(BB1 r)return (rΠprime)

Figure 1 Oracles defining experiments ExpsrfβAV (λ) for β = 0 1 The games differ in the way the tallying oracle creates auxiliary

data in the board displayed in response to Oboard queries and the board against which ballots are validated

As expected strong receipt-freeness trivially implies BPRIVprivacy [9] since BPRIV equals sRF except that there is nooracle OreceiptLR

Helios Under the RF definition provided in [38] the He-lios protocol would be receipt-free In contrast under ourdefinition Helios is not receipt-free Indeed if the adver-sary is allowed to cast different ballots b0 b1 to the ballotboxes BB0BB1 respectively then distinguishing Game 0from Game 1 is trivial This is due to the fact that in HeliosPBB contains the encryption of the votes so it suffices foran adversary to produce different encryptions c d and checkwhich one is showing up when calling oracle Oboard

Interestingly we believe that a Helios instantiation in whichvoting devices are built upon trusted hardware tokens thatconceal the randomness used for encryption (as proposed byMagkos et al [41]) satisfies sRF when interpreting trustedtokens as preventingA from accessing theOreceiptLR oraclemdashin which case sRF collapses to ballot privacy This shows theflexibility of our definition Moreover we are confident thatthe same result applies to [38]

3 BUILDING BLOCKSBefore describing our voting scheme we first present the

necessary cryptographic building blocks

31 Assumptions and PrimitivesWe will work in asymmetric bilinear groups and assume

the existence of a bilinear-group generator GrpGen which oninput 1λ outputs (pG1G2 g1 g2GT e) where p is a primeof length λ G1G2 and GT are cyclic groups of order p g1 isa generator of G1 g2 is a generator of G2 and e is a bilinearmap e G1timesG2 rarr GT such that e(g1 g2) generates GT Thefollowing was discussed in [13 p 304] and defined in [12]

Definition 2 (CDH+) The CDH+ assumption forGrpGen holds if for G = (pG1G2 g1 g2GT e)larr$ GrpGen(1λ)and for a blarr$ Zp for every ppt adversary given (G ga1 ga2 gb1)the probability that it outputs gab1 is negligible in λ

The next assumption implies the security of ElGamal encryp-tion in both groups G1 and G2

Definition 3 (SXDH) The Symmetric externalDiffie-Hellman assumption (SXDH) holds for GrpGen if forG = (pG1G2 g1 g2GT e)larr$ GrpGen(1λ) a b clarr$ Zp andfor both i isin 1 2 ppt adversaries only distinguish (G gai gbi gabi ) from (G gai gbi gci ) with advantage negligible in λ

ElGamal Encryption We define encryption for messagesin G1 from an asymmetric bilinear group G = (pG1G2 g1g2GT e) and show that it is randomizable

KeyGen(G i) Choose dlarr$ Zp and define P = gd1 Return(pk = Pdk = d)

Encrypt(PM r) Using randomness r isin Zp output c =(c1 = gr1 c2 = M middot P r)

Decrypt(d c = (c1 c2)) Output M = c2 middot cminusd1

Random(P c = (c1 c2) rprime) Using randomness rprime isin Zp out-

put cprime = (c1 middot grprime

1 c2 middot P rprime)

This scheme is IND-CPA secure assuming hardness of DDH inG1 which follows from SXDH It is perfectly randomizable asRandom(pkEncrypt(pkM r) rprime) = Encrypt(pkM r + rprime)

Groth-Sahai Proofs Groth-Sahai (GS) proofs [32] allowus to prove satisfiability of equations involving group ele-ments from G1 or G2 and scalars We will use them to proveconsistency and knowledge of encryptions On input a bilineargroup G Setupgs outputs a common reference string (CRS)crs isin G4

1timesG42 The CRS is used to commit to group elements

X isin G1 which we denote by C1(X) and elements Y isin G2denoted by C2(Y ) Moreover Cprimei(x) denotes a commitmentto a scalar which can be made in G1 (i = 1) and G2 (i = 2)The GS system lets us prove that committed values satisfycertain equations

Under a CRS computed via Setupgs commitments areperfectly binding and the proofs are perfectly sound That

is the values uniquely determined by the commitments sat-isfy the proved equation Moreover the committed valuescan be extracted using an extraction trapdoor ξ that canbe computed together with the CRS We denote this by

(crs ξ)larr$ Setup(x)gs (G)

There is an alternative CRS-generation algorithm Setup(h)gs

which outputs (crsprime td) Commitments made under crsprime con-tain no information about the committed value and thetrapdoor td allows simulation of proofs As CRSs output by

Setupgs and Setup(h)gs are indistinguishable under SXDH GS

proofs are computationally zero-knowledge Moreover GSproofs are randomizable [27] that is given commitments andproofs one can (without knowing the witness) create a freshset of commitments and proofs

32 Signatures on Randomizable CiphertextsThe primitive introduced by Blazy et al [12] consists of

the following algorithms Setup on input the security param-eter 1λ outputs the parameters (such as the bilinear group)SKeyGen outputs a pair of signing key and verification key(sk vk) EKeyGen outputs a pair of encryption and decryp-tion key (pkdk) SKeyGen together with Sign and Verifyconstitutes a signature scheme and EKeyGen with Encryptand Decrypt a public-key encryption scheme

As the signature and the encryption scheme are used to-gether these algorithms have extensions Sign+ and Verify+which additionally take the encryption key pk as input andEncrypt+ Decrypt+ which also take the verification key vk

Randomizability The main feature of signatures on ran-domizable ciphertexts (SRC) is an algorithm Random+ whichtakes pk vk a ciphertext c under pk and a signature σ onc valid under vk and outputs a re-randomization cprime of ctogether with a signature σprime valid on cprime

An output of Random+ is distributed like a fresh encryp-tion of the plaintext of c and a fresh signature on it for-mally for all messages m (pkdk) isin [EKeyGen(G)] (vk sk) isin[SKeyGen(G)] c isin [Encrypt+(pk vkm)]σ isin [Sign+(sk pk c)]the following two random variables are equally distributed[

(cprime σprime)larr$ Random+(pk vk c σ) (cprime σprime)]

asymp[cprimelarr$ Encrypt+(pk vkm)

σprimelarr$ Sign+(sk pk cprime) (cprime σprime)

]

Unforgeability Unforgeability of signatures on random-izable ciphertext is defined via the following experimentThe challenger computes a signature key pair and an en-cryption key pair (sk vk) (dkpk) and runs the adversary on(vkpkdk) It is also given access to an oracle Sign+(sk pk middot)which it can query adaptively on ciphertexts c1 cq of itschoice Finally the adversary outputs a pair (clowast σlowast) and winsif Verify+(vk pk clowast σlowast) = 1 and m = Decrypt+(dk vk clowast) isdifferent from all mi = Decrypt+(dk vk ci)

33 Our SRC ConstructionAt a high level we need a construction that enforces our

restricted message space and is malleable enough to be re-randomized but no more The first requirement ensures thatvoters can only submit valid ballots while the second givesus privacy via randomization while preventing copying ortampering attacks Specifically we use GS proofs to ensurevalidity and prevent copying or producing ballots related to

those of another user We use signatures to ensure integritymeaning a randomizer cannot change the ballot contents

Asymmetric Waters signature scheme Blazy et al [12]define a variant of Watersrsquo signature scheme [47] for asym-metric groups that is perfectly randomizable and which theyprove secure under the CDH+ assumption

Setup(1λ 1k) To sign messagesm = (m1 mk) isin 0 1kgenerate (pG1G2 g1 g2GT e)larr$ GrpGen(1λ) choosezlarr$ G1 u = (u0 uk) larr$ Gk+1

1 define F(m) =

u0

prodki=1 u

mii Output pp = (pG1G2GT e g1 g2 zu)

SKeyGen(pp) Choose xlarr$ Zp define X1 = gx1 X2 = gx2 Y = zx output the public key vk = (ppX1X2) andthe secret key sk = (pp Y )

Sign(sk = (pp Y )m s) For randomness s isin Zp return thesignature σ defined as(

σ1 = Y middot F(m)s σ2 = gs1 σ3 = gs2)

Verif(vk = (ppX1X2)m σ) Output 1 if both of thefollowing hold and 0 otherwise

e(σ1 g2) = e(zX2) middot e(F(m) σ3) e(σ2 g2) = e(g1 σ3)

Random((pp X1 X2) F σ sprime) For randomness sprime isin Zp out-

put σprime = (σ1 middot F sprime σ2 middot gs

prime1 σ3 middot gs

prime2 )

Note that for Random it suffices to know the hash F = F(m)of the signed message The scheme is perfectly randomiz-able as for any ((pp X1 X2) (pp Y )) isin [SKeyGen(pp)] andm s sprime we have Random((X1 X2)F(m)Sign(Ym s) sprime) =Sign(Ym s+ sprime)

Remark 1 Blazy et al [12] show that their signaturescheme also satisfies a (stronger) EUF-CMA notion wherethe adversaryrsquos signing queries are of the form (mR T ) andif e(T g2) = e(RX2) then the oracle returns an additionalsignature element σ4 = Rs

We will combine ElGamal encryption Groth-Sahai proofsand Waters signatures to create an SRC scheme Our con-struction extends that of [12] so that it immediately yieldsan RCCA-secure encryption scheme (defined below) andultimately a strongly receipt-free e-voting scheme

Our SRC scheme Our scheme is defined for a polynomial-size message space M = 0 1k that is we assume k tobe logarithmic in the security parameter Messages m areencrypted as ElGamal ciphertexts of F(m) Decryption worksby decrypting a ciphertext to F and then looking for m withF = F(m) We define a function H and add a third ciphertextelement c3 = H(vk)r which will tie the ciphertext to theverification key for which it is produced

We moreover add Cm Groth-Sahai commitments to themessage bits and a commitment CT to Xr

1 which is neededfor the security reduction (it corresponds to T from Re-mark 1) Finally we add GS proofs which show consistencyof these commitments and consistency of the additionalciphertext element c3 In more detail in order to show a com-ponent Cmi of Cm contains a bit we require commitmentsin both groups (C1mi C2mi) and proofs πprimei A commitmentCr to the randomness r is used to prove consistency of thevalues c1 with Cr c2 with Cr and Cmiki=1 c3 with Cr aswell as CT with X1 and Cr

Now given ciphertext elements c1 = gr1 and c2 = F(m)middotP rthe crucial observation is that due to the interoperabilityof ElGamal encryption and Waters signatures a signer canproduce an encryption of a signature on the plaintext withoutknowing the latter setting σ1 = cs1 = grs1 and σ2 = Y middot cs2 =Y middot F(m)s middot P rs yields an encryption under P of the firstWaters signature element Y middot F(m)s This is completed toa full signature by (gs1 g

s2) Finally in order to enable full

randomization of ciphertextsignature pairs we also includeP s in the signature

Let Setup (for Waters signatures) Setupgs (for Groth-Sahaiproofs) and KeyGen (for ElGamal encryption) be defined asabove and H 0 1 rarr G1 be defined as

H(x) = h1 middot hHprime(vk)

2 (1)

for h = (h1 h2) isin G21 and a collision-resistant hash function

H prime 0 1 rarr Zp Our scheme is given in Figure 2 It isbased on the scheme from [12] to which we add the crucialciphertext elements c3 and πV

Correctness follows as Verify+ checks via the pairings thatσ is of the form in (2) for some s From a ciphertextsignaturepair (c σ) with randomness (r s) Random+ creates a freshpair (cprime σprime) with randomness r+ rprime s+ sprime (and with random-ized proofs) We omit the specific structure of the proofs inπ as they will not be relevant to the rest of this work

Theorem 1 The SRC scheme (SetupEKeyGenSKeyGenEncrypt+Decrypt+ Sign+Verify+Random+) defined in Fig-ure 2 is unforgeable under the CDH+ assumption

Remark 2 We will prove a stronger statement namelythat our SRC scheme is unforgeable even when the adversaryonly needs to output a ldquopartialrdquo forgery (c1 c2 C1mi C2miCr πr πm) (σ1 σ2 σ3 σ4) ie it need not contain c3 CT πT πV and σ5

Moreover note that one can also decrypt ciphertexts usingthe extraction trapdoor ξ for GS proofs to recover m from Cmsidestepping the inefficient hash inversion We let EKeyGen(x)

denote key generation that returns ξ instead of dk

Proof The proof is by reduction from unforgeability ofWaters signatures The reduction obtains a verification keyvk including parameters pp It simulates EKeyGen by run-

ning (crs ξ)larr$ Setup(x)gs (G) (P d)larr$ KeyGen(G 1) and choos-

ing hlarr$ G21 and runs the adversary on vkpk = (pp crs h P )

and dk = d If the adversary queries a signature on a validtuple c = (c1 c2 c3Cπ) the reduction uses ξ to extract mand T = Xr

1 from C (note that by soundness of π we havem = Decrypt+(dk vk c)) The reduction makes a specialquery as defined in Remark 1 (m c1 T ) to its signing oracle(note that c1 T satisfy e(T g2) = e(c1X2)) it obtains asignature (τ1 = Y F(m)s τ2 = gs1 τ3 = gs2 τ4 = cs1) it de-fines (letting r be the unknown randomness in (c1 c2 c3))σ1 = τ4 = grs1 σ2 = τ1 middot τd4 = Y F(m)sP rs σ3 = τ2 = gs1σ4 = τ3 = gs2 σ5 = τd2 = P s which is distributed as anSCR signature on c

Let m1 mq be the extracted (equivalently decrypted)messages of the signing queries Assume the adversary out-puts a (partial) valid forgery namely one which only contains(c1 c2 σ1 σ2 σ3 σ4) commitments Cm Cr and proofs πr πmThe reduction extracts m from Cm Then soundness of πr andπm ensures that for some r we have c1 = gr1 and c2 = F(m)P r

(and thus m = Decrypt+(dk vk c))

Moreover let s be such that σ4 = gs2 Since the forgeryis valid from Verify+ we have σ1 = grs1 (from (3a)) σ2 =Y F(m)sP rs (from (3b)) and σ3 = gs1 (from (3c)) The re-duction sets σlowast1 = σ2 middot σminusd1 = Y F(m)s σlowast2 = σ3 = gs1 andσlowast3 = σ4 = gs2 and returns (mσlowast) This is a valid Watersforgery as σlowast is valid for m and m isin m1 mq (otherwisethe adversary would not have won the SRC unforgeabilitygame)

34 RCCA-Secure Encryption from SRCAs a next step towards our voting protocol we show that

our SRC scheme contrary to the one from [12] yields anRCCA-secure [16] encryption scheme as defined next

CCA-security is the standard notion for public-key encryp-tion and implies that ciphertexts are non-malleable It statesthat for an efficient adversary which after choosing m0m1

receives clowast it should be impossible to decide whether clowast en-crypts m0 or m1 even when given an oracle that decryptsany ciphertext c 6= clowast For randomizable schemes this notionis unachievable as the adversary could submit a random-ization of the challenge ciphertext to the decryption oracleThe strongest achievable notion for randomizable schemes isRCCA where whenever the oracle receives an encryption ofm0 or m1 it returns a special symbol gt

Based on our SRC scheme we define the following encryp-tion scheme for a polynomial-size message space 0 1k

KeyGen is defined as EKeyGen

Encrypt(pkm) Run (vk sk)larr$ SKeyGen(pp)clarr$ Encrypt+(pk vkm) σlarr$ Sign+(skpk c)return c = (c σ vk)

Decrypt(dk (c σ vk)) If Verify+(vkpk c σ) = 1 returnm = Decrypt+(dk vk c) else return perp

Random is defined as Random+

Theorem 2 The above encryption scheme for polynomial-size message spaces is RCCA-secure under the SXDH andthe CDH+ assumption

Proof Sketch We will give a proof sketch and re-fer to the full version for a detailed proof Intuitively ci-phertexts hide the message since under SXDH we couldreplace the commitments and proofs in the challenge cipher-text by simulated ones and under DDH we could replacec2 = F(m)P r by a random element so the ciphertext wouldcontain no more information about the message The diffi-culty is that we need to simulate the decryption oracle Forthis we program the hash function H let vklowast be the keycontained in the challenge ciphertext we choose a blarr$ Zpand set h1 = PminusamiddotH

prime(vklowast) middot gb1 and h2 = P a which is dis-

tributed correctly and set H(vk) = P a(Hprime(vk)minusHprime(vklowast)) middot gb1For a well-formed ciphertext containing vki 6= vklowast we then

have c2 middot (c3 middotcminusb1 )minus1(a(Hprime(vk)minusHprime(vklowast))) = c2 middotPminusr = c2 middotcminusd1 =Decrypt(d (c1 c2)) meaning we can use c3 to decrypt with-out knowing d for the challenge ciphertext under vklowast wehave c3 = gbr1 so we can embed a DDH challenge

The reduction can thus answer decryption queries contain-ing some vk 6= vklowast but not if it contains vklowast However ifan adversary submits a valid ciphertext with vklowast which doesnot encrypt the challenge message then it would break SRCunforgeability so security of our SRC scheme implies thatthe adversary cannot make this type of query

EKeyGen(1λ 1k)

pp = (G zu)larr$ Setup(1λ 1k) crslarr$ Setupgs(G) hlarr$ G21

(P dk)larr$ KeyGen(G 1) return pk = (pp crs h P ) dk

Encrypt+((pp crs h P ) vk = (pp X1 X2)m r)Compute with H defined by h as in (1)

c1 = gr1 c2 = F(m) middot P r c3 = H(vk)r

Make commitments C For i = 1 k

C1mi = Cprime1(mi) C2mi = Cprime2(mi)

CT = C1(Xr1 ) Cr = Cprime2(r)

Compute GS proofs π for the following (with r being thevalue committed in Cr mi in C2mi and w in CT )

bull πr proves gr1 = c1

bull πm consists ofπprimei proving mi is a bit for all i

πprimem proving c2 = u0prodki=1 u

mii middot P r

bull πT proves Xr1 = w

bull πV proves H(vk)r = c3

Return c = (c1 c2 c3Cπ)

Sign+(sk = (pp Y ) (pp crs h P ) c s)If π is not valid for C vk P return perp Else return

σ1 = cs1 σ2 = Y middot cs2 (2)

σ3 = gs1 σ4 = gs2 σ5 = P s

Random+(vk (pp crs h P ) c σ (rprime sprime))Let c = (c1 c2 c3Cπ) set

c1prime = c1 middot gr

prime1 c2

prime = c2 middot P rprime

c3prime = c3 middotH(vk)r

prime

σ1prime = σ1 middot cs

prime1 middot σr

prime3 middot gr

primemiddotsprime1


prime2 middot σr

prime5 middot P r

primemiddotsprime

σ3prime = σ3 middot gs

prime1 σ4

prime = σ4 middot gsprime

2

σ5prime = σ5 middot P s

prime

Set Cprimer = Cr middot C2(rprime) adapt πr πT πV accordinglyRandomize all commitments and proofs to Cprime and πprimeReturn (cprime1 c

prime2 cprime3Cprimeπprime) and σprime

Verify+((pp X1 X2) (pp crs h P ) (c1 c2 c3Cπ) σ)Return 1 iff π verifies and the following hold

e(σ1 g2) = e(c1 σ4) (3a)

e(σ2 g2) = e(zX2) e(c2 σ4) (3b)

e(σ3 g2) = e(g1 σ4) e(σ5 g2) = e(P σ4) (3c)

Decrypt+(dk (pp crs h P ) vk c)Let c = (c1 c2 c3Cπ) If π is not valid return perpelse let F = Decrypt(dk c = (c1 c2))browse M and return the first m with F(m) = F

Figure 2 Our SRC scheme

4 BELENIOSRFIn this section we define Belenios Receipt-Free (BeleniosRF)

a strongly receipt-free voting protocol that builds on [12 22]

41 OverviewThe election publicsecret key pair (pk sk) is an encryp-

tionextraction key pair generated via EKeyGen(x) (cf Re-mark 2) and user key pairs (upkusk) are signature keysgenerated by SKeyGen A user casts a vote by encrypting itvia Encrypt+ under pk wrt his upk and uses usk to thensign the ciphertext via Sign+ (together this corresponds toa ciphertext of our RCCA encryption scheme)

When the ballot box receives a valid ballot it randomizes itvia Random+ and publishes the resulting ciphertextsignaturepair on the public bulletin board PBB Users can verify thattheir vote is present since they can verify the adaptation oftheir signature on their now-randomized ciphertexts

Tallying follows standard techniques of e-voting our con-struction allows for homomorphic tallying as well as shufflingIn the first case we take advantage of the special structure ofGS commitments which allow us to calculate a partial tallyfor each option by adding the corresponding commitmentacross voters and then decrypting the resulting commitment(with proof of correctness)

Using shuffling the encrypted votes are re-randomized andshuffled (and a proof of correct execution of this is generated)via an algorithm Shuffle Then the ballots are decrypted(again accompanied with a proof that this was done correctly)and the result is published These proofs make the tallyingprocess publicly verifiable

We now describe the homomorphic tallying version where

V = 0 1k and the result function is simple vector additionThe scheme VBeleniosRF is based on the SCR scheme from

Section 33 and consists of the following algorithms

Setup(1λ 1k) Compute (pk sk)larr$ EKeyGen(x)(1λ 1k) pro-duce a Fiat-Shamir random oracle proof Πσ that crs con-tained in pk is binding Return (pklowast = (pkΠσ) sk)

Register(id) On (implicit) input pk = (pp crs h P ) return(upkid uskid)larr$ SKeyGen(pp)

Vote (idupk usk v) is used by a voter to create a ballot bfor vote v isin V It computes c larr Encrypt+(pkupk v) andσ larr Sign+(uskpk c) and returns b = (id upk c σ)

Valid(BB b) first checks that the ballot b is valid ie thatit is well-formed and the signature is correct Formally itparses b as (id upk c σ) and checks if

ndash id corresponds to an eligible voter from ID and upkcorresponds to the registration of user id

ndash Verify+(upkpk c σ) = 1

If any step fails it returns perp otherwise it returns gt

Append(BB b=(idupk c σ)) randomizes (c σ) as (cprime σprime)larrRandom+(upkpk c σ) and appends to BB a randomizedversion bprime = (id upk cprime σprime) of b

Publish(BB) takes every entry b= (idupk c σ) in BB and

removes elements id c3 CT πT πV and σ5 constructing b =(upk (c1 c2 Cm Cr πr πm) (σ1 σ2 σ3 σ4)

) It then adds b

to PBB2 and returns PBB2As noted in Remark 2 these are precisely the elementsthat guarantee unforgeability which assures a voter that theplaintext of his encrypted vote was not altered

VerifyVote(PBB idupkusk b) browses PBB for an entry b

containing upk If none exists it returns perp For entry b =(upk=(ppX1X2) (c1 c2 Cm Cr πr πm) (σ1 σ2 σ3 σ4)

)if πr and πm are valid and

e(σ1 g2) = e(c1 σ4) e(σ2 g2) = e(zX2) middot e(c2 σ4)

e(σ3 g2) = e(g1 σ4)

then return gt else return perp

Tally(BB sk) consists of the following steps Let N be thenumber of ballots

ndash Parse each ballot b isin BB as b = (id(b) upk(b) c(b) σ(b))

ndash If there is any ballot b that does not pass Valid(BB b)output (r = perpPBBΠd = empty)

ndash Let C(b)1mi

ki=1 be the commitments in C

(b)m contained

in c(b) Compute Ti =sumbisinBB C

(b)1mi The tally ti for

candidate i is produced by decrypting Ti with the GSextraction key ξ = sk

ndash Produce the result r = (t1 tk) and Πd a Fiat-Shamir proof of correct extraction

ndash Output (rPBBΠd)

Verify(PBB rΠσΠd) verifies Πσ wrt crs and Πd wrtPBB and the result r

42 Receipt-FreenessWe now show that BeleniosRF satisfies strong receipt-

freeness as defined in Definition 1 Note that this in particularimplies vote privacy of BeleniosRF

Theorem 3 VBeleniosRF is strongly receipt-free under theSXDH assumption in the random-oracle model

Proof The proof uses the ideas of that of Theorem 2The main one is again to use hash-function programmabilityand to decrypt a ciphertext (c1 c2 c3) using componentsc2 and c3 instead of the GS commitments This will allowus to switch to a hiding CRS for which the commitmentswould not be extractable By randomizability of our SCRscheme and of Groth-Sahai proofs instead of re-randomizingthe ballots in PBB we can simply recompute them Finallyhaving switched to a hiding CRS and a simulated ROMproof thereof we are able to replace the adversaryrsquos viewwith uniformly distributed values irrespective of β

We proceed by a sequence of hybrid games which we showare indistinguishable

Hybrid (β0) is the sRF game ExpsrfβAV (Definition 1 and

Figure 1)

Hybrid (β1) is the same game as Hybrid (β0) for β = 1for β = 0 the difference is that the Fiat-Shamir proofs forthe CRS and the tally are simulated

Hybrid (β0) rarr Hybrid (β1) Since ROM proofs can beperfectly simulated by using random-oracle programmabilitythe two hybrid games are distributed equivalently

Hybrid (β2) is defined as Hybrid (β1) except for how his chosen For a blarr$ Zp we define h1 = gb1 and h2 = P a (asin Theorem 2 but setting H prime(vklowast) = 0)

Hybrid (β1) rarr Hybrid (β2) It is immediate that bothgames are distributed equivalently

Hybrid (β3) is defined as Hybrid (β2) but the result iscomputed differently each ballot bi = (idi upki ci σi) is

decrypted as Fi = ci2 middot (ci3 middot cminusbi1)minus1(amiddotupki) and vote vi is

defined as the smallest vi isin 0 1k satisfying F(vi) = FiThe result is r = (t1 tk) with tj =

sumi vij

Hybrid (β2) rarr Hybrid (β3) Perfect soundness of the GSproofs contained in ci guarantees that this alternative wayof decryption leads to the same result as extracting the bitsof vi from the commitments (we ignore collisions in F whichonly occur with negligible probability)

Hybrid (β4) is defined as Hybrid (β3) except that PBB iscomputed differently for ballot bi after extracting vi insteadof re-randomizing bi we freshly compute bi for user i withuski = (pp Yi) as follows we pick ri silarr$ Zp to set

ci1 = gri1 ci2 = F(vi) middot P ri σi1 = csi1

σi2 = Yi middot csi2 σi3 = gsi1 σi4 = gsi2

and using witnesses ri and vi we compute Cim Cir and

πir πim We set bi =(upki (ci1 ci2 Cim Cir πir πim)

(σi1 σi2 σi3 σi4))

Hybrid (β3) rarr Hybrid (β4) By re-randomizability of ourSCR scheme and GS proofs re-randomized ciphertexts signa-tures and proofs are distributed exactly as freshly computedones The two hybrids are thus equally distributed

Hybrid (β5) is defined as Hybrid (β4) except that theCRS contained in pk is set up in hiding mode ie computed

via Setup(h)gs

Hybrid (β4) rarr Hybrid (β5) By the properties of GS proofsthe two hybrids are indistinguishable under the SXDH as-sumption

Hybrid (β6) is defined as Hybrid (β5) except that thecommitments and proofs published in PBB are simulated

Hybrid (β5) rarr Hybrid (β6) By the properties of GS proofsunder a hiding CRS regularly computed proofs and simulatedproofs are distributed equivalently the two hybrids are thusequally distributed

Hybrid (β7) is defined as Hybrid (β6) except that for

every i when computing PBB entry bi ci2 is computed asci2 = F(vi) middot gwi

1 for wilarr$ Zp

Hybrid (β6) rarr Hybrid (β7) The two hybrids are indistin-guishable under the DDH assumption in G1 which is provedas follows we first note that in Hybrid (β6) d (the decryp-tion key with P = gd1) is not used anywhere and ri is onlyused to compute ci1 and ci2 (since the GS commitmentsand proofs are simulated)

We give a reduction from DDH to distinguishing Hybrids 6and 7 Let (P = gd1 R = gr1 W ) be a DDH instance where ei-ther W is random or W = gdmiddotr1 By random self-reducibility ofDDH [6] we can create arbitrarily many instances (PRiWi)where Ri = gri1 for some uniformly random ri and Wi is

independently random if W was or Wi = gdmiddotri1 if W = gdmiddotr1 The simulator now sets pk = (pp crs P ) with P from the

instance and ci1 = Ri and ci2 = F(vi) middotWi If Wi = P ri

then this is distributed as in Hybrid (β6) whereas if Wi israndom this is distributed as in Hybrid (β7)

Observe that Hybrid (07) and Hybrid (17) are equally dis-tributed since in both games every ciphertext (ci1 ci2) is a

uniformly random pair We have thus constructed a sequenceof hybrid games Hybrid (00) Hybrid (07) Hybrid (17) Hybrid (10) which are indistinguishable under SXDHand of which the first one corresponds to the sRF gamewith β = 0 and the last is the sRF game with β = 1 Thisconcludes the proof of strong receipt-freeness

Remark 3 We note that our scheme can be easily mod-ified and proven secure in the standard model if we assume atrusted CRS drop Πσ in Setup and use GS proofs fro Πd

43 VerifiabilityWe consider strong verifiability from [22] which intuitively

ensures that the result of the election reflects the votes of

bull All voters who properly checked that their ballot ap-pears in the bulletin board at the end of the electionIn BeleniosRF a voter should check that one ballot inPBB is signed with her credential

bull A subset of the voters who did not perform that finalcheck A voters may stop after casting her vote thusthere is no guarantee that her ballot made it into theballot box However if the ballot is present it shouldnot be possible to modify the corresponding vote

bull At most all corrupted voters In particular an adversaryshould not be able to add more votes than the numberof voters he controls

We refer the reader to [22] for the formal definition and pointout that strong verifiability assumes that voting devices arehonest We first note that BeleniosRF cannot be stronglyverifiable if revoting is allowed Indeed if a voter first castsa ballot b1 for a candidate v1 but later changes her mindand votes for v2 casting a new ballot b2 a malicious votingserver may force the voter to keep the initial vote v1 byre-randomizing b1 instead of b2 and the voter would not beable to detect it Therefore in what follows we assume thata no-revote policy is applied We believe that no-revoting isnot a real restriction since as discussed in the introductionthis actually corresponds to the most common setting usedin practice By slightly generalizing the strong-verifiabilitytransformation in [22 Section 4] we are able to show

Theorem 4 BeleniosRF is strongly verifiable if the un-derlying signature on randomizable ciphertexts scheme isunforgeable

The transformation to strong verifiability in [22] consistsin the voter signing with her private signing key usk a bal-lot b obtained via an existing voting protocol that is weaklyverifiable (roughly speaking weak verifiability assumes thatthe voting server is honest eg it does not modify nor eraseballots) Next the voter sends the triple (upk b σ) to thevoting server The latter after validating the ballot b andverifying its signature σ adds the triple (upk b σ) to theballot box At the end of the election the voter checks thather ballot (upk b σ) appears in PBB by a simple search

We generalize this transformation by allowing the votingserver to add a transformed triple (upk bprime σprime) to the ballotbox on input the voterrsquos ballot (upk b σ) such that poten-tially b 6= bprime and σ 6= σprime (in the original construction onesimply sets bprime = b and σprime = σ) In our generalized transfor-mation the voter on input her cast ballot (upk b σ) checkswhether there exists an entry (upk bprime σprime) in PBB such that

(bprime σprime) verifies under her key upk Due to unforgeability ofrandomizable signatures on ciphertexts (cf Section 33) andbecause of the no-revoting policy this check guarantees thatthe new ballot bprime displayed in the bulletin board contains thesame vote as the original ballot b cast by the voter

Strong verifiability assumes that either the ballot box (iethe re-randomization server) or the registrar is honest Aspointed out in Section 12 the security of the generalizedtransformation described in the previous paragraph is jeopar-dized if this trust assumption is violated as the existence ofan entry (upk bprime σprime) in PBB would no longer guarantee thatbprime contains the choice cast by the voter In fact an attackercontrolling both the registrar and the voting server can insertentries (upk bprime σprime) in PBB that pass all tests but modifiedthe voterrsquos choice This is due to the fact that the registrarknows each voterrsquos private signing key An obvious counter-measure is to let each voter generate their own signing keypair and simply ask the registrar to include the correspondingverification key in the list of eligible keys for the election

Alternatively one can thresholdize the role of the registrar(who simply sends a private signing key to each voter) so itbecomes less likely for the attacker to obtain a voterrsquos privatekey

5 EFFICIENCY OF BELENIOSRFThe ballot encryption scheme we introduced is somewhat

involved especially since we use bit-by-bit Groth-Sahai proofsFor this reason we benchmarked ballot creation on a numberof potential client devices We built a JavaScript implementa-tion [2] of the voting process (encrypt sign prove) using theCertiVox IoT Crypto Library [17] We used a BN curve on a254-bit prime field We considered the values k = 1 5 10 and25 For homomorphic tallying as used in Section 4 k repre-sents the number of candidates in an election If we switch toshuffle-based tallying k is the length of the message whichmeans we can support up to 2k candidates

As seen in Table 1 recent devices can complete the requiredcryptographic operations in reasonable time for small valuesof k We see that while the linear cost associated with themessage size is the dominant factor the constant factor is notnegligible for low-end devices While slower than the currentHelios or Belenios implementation (which do not use ellipticcurves) performance is acceptable especially for modern de-vices Moreover our implementation is single-threaded withonly rudimentary optimizations By constructing proofs in-crementally as the ballot is filled we could amortize the linearpart of the cost Alternatively we may increase performanceby coding a native client eg a smartphone app

We expect that server performance for BeleniosRF will beless of a bottleneck Compared to Helios the main additional

Device k = 1 k = 5 k = 10 k = 252013 Laptop ndashi7-4650U 100s 243s 402s 924s

2010 Desktop ndashi3-530 149s 346s 592s 1362s

2014 Tablet ndashExynos 5420 697s 1291s 2192s 4726s

2016 Phone ndashSD 810 275s 626s 1039s 2219s


2012 Phone ndashA6 904s 1865s 2996s 6377s

Table 1 Time to encrypt sign and perform GS proofsfor ballots with a k-bit payload This allows for up to kcandidates with homomorphic tallying or 2k using shuffles

cost is verifying our Groth-Sahai proofs which is dominatedby ca 64(k + 1) pairings reducible to 4(k + 35) using tech-niques from [11] and [31] Given the timings provided byBeuchat et al [10] we expect a throughput of roughly 5ballotssecondcore for k = 10 Additionally checks can beamortized throughout the voting period as ballots come in

6 THE BLAZY ET AL VOTING PROTO-COL IS NOT BALLOT-PRIVATE

Blazy et al [12] who introduced the notion of signatureson randomizable ciphertexts proposed to use this primitivefor a receipt-free e-voting protocol Their ballot-creation and-casting protocol workflow is as follows

bull The voter sends ballot

b =(vk c = vrpk σvks

c πtvisin01pk

)

where r s t isin Zp denote the randomness used for encryptingthe vote v signing the resulting ciphertext c and creatingthe NIZK proof π respectively

bull The server re-randomizes the ballot b to bprime as follows(vk c = vr

primepk σ

vksprimec π

tprimevisin01pk

) where rprime sprime tprimelarr$ Zp

Similarly to BeleniosRF the server can only re-randomizelegitimate signatures meaning that any new ballot bprime thatcontains a valid signature wrt vk must originate from aballot b that has been previously created by the voter andthus b and bprime contain the same vote

An attack on ballot privacy However the above ballotcasting workflow is not ballot private let alone receipt-freeThe following is a ballot replay attack which is known tobreak ballot privacy [23]

bull Honest voter sends b =(vk c = vrpk σvks

c πtvisin01pk

)

bull Server re-randomizes the ballot b as

bprime =(vk c = vr

primepk σ

vksprimec π

tprimevisin01pk

)and displays it on the public bulletin board

bull Dishonest voter with credentials (vk sk) and knowledgeof target ballot bprime

ndash Copies c = vrprime

pk πtprimev isin01pk and re-randomizes it to

c = vrpk πtv isin01pk

ndash Signs c with sk yielding σvksc

ndash Sends ballot b =(vk c = vrpk σvks

c πtv isin01pk

)

These instructions allow any voter with knowledge of aballot b to produce an independent-looking ballot b thatwill be accepted by the voting server and effectively containsa copy of the vote in b Thus the voting protocol [12] isnot ballot-private (Note that due to re-randomizing beingallowed the ballot box cannot discard copied votes as theylook like legitimate ones)

7 CONCLUSIONSWe introduced the notion of strong receipt-freeness where

a malicious voter (ie vote-selling or coerced) cannot producea receipt proving how she voted whether the voter decidedto act maliciously before during or after casting the ballot

Our adversarial model is close to the spirit of the sem-inal work on receipt-freeness by Benaloh and Tuinstra [8]

Moreover our definition builds on the recent work [9] in-heriting a simple concise and game-based definition Suchdefinitions are well-known for easing the job of conceivingand writing security proofs a point we confirm by giving anew e-voting protocol that satisfies our definition in bilineargroups under the SXDH assumption in pairing groups inthe random oracle model The protocol is built using ideasfrom a previous work [12] that claimed to have solved thisproblem We show however that the previous voting schemewas not ballot-private which is weaker than receipt-freeness

To the best of our knowledge this is the first scheme thatis both receipt-free (in a strong sense) and has universalverifiability (in the sense of strong verifiability [22]) withoutrequiring the existence of an untappable channel or the useof secure hardware tokens We only require that the receipt-freeness adversary is not eavesdropping the communicationbetween the voter and the voting server and the existenceof a re-randomization service As a result we overcome theimpossibility result [19] stating no scheme can be receipt-freeand universally verifiable without an untappable channel Weachieve this by relying on a ballot box server that is entrustedto re-randomize ballots without changing its contents in apublicly verifiable way [12] Finally we showed the feasibilityof our approach by implementing a voting client in Javascriptand measuring its performance in a number of platforms

Acknowledgements The authors are grateful to the anony-mous reviewers for their comments and suggestions that havehelped improve this work This work has received fundingfrom the European Research Council (ERC) under the EUrsquosHorizon 2020 research and innovation program (grant agree-ment No 645865-SPOOC) the ERC FP7 programme (grantNo 307937) EPSRC grant EPG0372641 and COST ActionIC1306

8 REFERENCES[1] International Association for Cryptologic Research

elections Page at httpwwwiacrorgelections

[2] BeleniosRF ndash Javascript Implementation of the VotingClient Core httpsdldropboxusercontentcomu16959859bel-100JSindexhtml 2016

[3] B Adida Helios Web-based Open-Audit Voting InUSENIX 2008 2008 httpheliosvotingorg

[4] B Adida O de Marneffe O Pereira and J-JQuisquater Electing a university president usingopen-audit voting Analysis of real-world use of HeliosIn EVTWOTE 2009 2009

[5] J P Allepuz and S G Castello Internet voting systemwith cast as intended verification In VoteID 2011Springer 2011

[6] M Bellare A Boldyreva and S Micali Public-keyencryption in a multi-user setting Security proofs andimprovements In EUROCRYPT 2000 Springer 2000

[7] J Benaloh Ballot casting assurance via voter-initiatedpoll station auditing In EVTWOTE 2007 2007

[8] J C Benaloh and D Tuinstra Receipt-freesecret-ballot elections (extended abstract) In ACMSTOC 94 ACM Press 1994

[9] D Bernhard V Cortier D Galindo O Pereira andB Warinschi A comprehensive analysis of game-basedballot privacy definitions In IEEE Security andPrivacy 2015 IEEE Computer Society 2015

[10] J-L Beuchat J E Gonzalez-Dıaz S MitsunariE Okamoto F Rodrıguez-Henrıquez and T TeruyaHigh-speed software implementation of the optimal atepairing over barretondashnaehrig curves In Pairing-BasedCryptography 2010 Springer 2010

[11] O Blazy G Fuchsbauer M Izabachene A JambertH Sibert and D Vergnaud Batch grothndashsahai InACNS 2010 Springer 2010

[12] O Blazy G Fuchsbauer D Pointcheval andD Vergnaud Signatures on randomizable ciphertextsIn PKC 2011 Springer 2011

[13] D Boneh B Lynn and H Shacham Short signaturesfrom the Weil pairing J of Cryptology 17(4) 2004

[14] K Braunlich and R Grimm Formalization ofreceipt-freeness in the context of electronic voting InAvailability Reliability and Security 2011 IEEEComputer Society 2011

[15] R Canetti and R Gennaro Incoercible multipartycomputation (extended abstract) In FOCS rsquo96 IEEEComputer Society 1996

[16] R Canetti H Krawczyk and J B Nielsen Relaxingchosen-ciphertext security In CRYPTO 2003 Springer2003

[17] CertiVox A Cryptographic Library for the Internet ofThings httpsgithubcomCertiVoxMiotCL 2015

[18] D Chaum A Essex R Carback J ClarkS Popoveniuc A Sherman and P Vora Scantegrityend-to-end voter-verifiable optical-scan voting IEEESecurity and Privacy 6(3) 2008

[19] B Chevallier-Mames P Fouque D PointchevalJ Stern and J Traore On some incompatibleproperties of voting schemes In EVTWOTE 2010

[20] S S M Chow J K Liu and D S Wong Robustreceipt-free election system with ballot secrecy andverifiability In Network and Distributed SystemSecurity Symposium 2008 The Internet Society 2008

[21] M R Clarkson S Chong and A C Myers CivitasToward a secure voting system In IEEE Security andPrivacy 2008 IEEE Computer Society 2008

[22] V Cortier D Galindo S Glondu and M IzabacheneElection verifiability for Helios under weaker trustassumptions In ESORICS 2014 Springer 2014

[23] V Cortier and B Smyth Attacking and fixing HeliosAn analysis of ballot secrecy In CSF 2011 IEEE 2011

[24] V Cortier and B Smyth Attacking and fixing HeliosAn analysis of ballot secrecy Journal of ComputerSecurity 21(1) 2013

[25] R Cramer R Gennaro and B Schoenmakers Asecure and optimally efficient multi-authority electionscheme In EUROCRYPTrsquo97 Springer 1997

[26] S Delaune S Kremer and M RyanCoercion-resistance and receipt-freeness in electronicvoting In CSFW 2006 IEEE Computer Society 2006

[27] G Fuchsbauer and D Pointcheval Proofs on encryptedvalues in bilinear groups and an application toanonymity of signatures In Pairing-BasedCryptographyndashPairing 2009 Springer 2009

[28] R W Gardner S Garera and A D Rubin Coercionresistant end-to-end voting In FC 2009 Springer 2009

[29] K Gjoslashsteen The Norwegian internet voting protocolIACR Cryptology ePrint Archive 2013 2013

[30] S Glondu V Cortier and P Gaudry Belenios ndashVerifiable online voting systemhttpbeleniosgforgeinriafr 2015

[31] A Gonzalez A Hevia and C Rafols Qa-nizkarguments in asymmetric groups new tools and newconstructions In ASIACRYPT 2015 Springer 2015

[32] J Groth and A Sahai Efficient non-interactive proofsystems for bilinear groups In EUROCRYPT 2008Springer 2008

[33] J Heather and S Schneider A formal framework formodelling coercion resistance and receipt freeness InFormal Methods 2012 Springer 2012

[34] M Hirt Receipt-free K -out-of-L voting based onElGamal encryption In EVTWOTE 2010 Springer2010

[35] M Hirt and K Sako Efficient receipt-free voting basedon homomorphic encryption In EUROCRYPT 2000Springer 2000

[36] H L Jonker and E P de Vink Formalisingreceipt-freeness In Information Security 2006 Springer2006

[37] A Juels D Catalano and M JakobssonCoercion-resistant electronic elections In Workshop onPrivacy in the Electronic Society 2005 ACM 2005

[38] A Kiayias T Zacharias and B Zhang End-to-endverifiable elections in the standard model InEUROCRYPT 2015 Springer 2015

[39] O Kulyk V Teague and M Volkamer ExtendingHelios towards private eligibility verifiability InE-Voting and Identity 2015 Springer 2015

[40] R Kusters and T Truderung An epistemic approachto coercion-resistance for electronic voting protocols InSampP 2009 IEEE Computer Society 2009

[41] E Magkos M Burmester and V ChrissikopoulosReceipt-freeness in large-scale elections withoutuntappable channels In E-Commerce E-BusinessE-Government 2001 Kluwer 2001

[42] T Moran and M Naor Receipt-freeuniversally-verifiable voting with everlasting privacy InCRYPTO 2006 Springer 2006

[43] T Okamoto Receipt-free electronic voting schemes forlarge scale elections In Security Protocols 97 Springer1997

[44] P Ryan D Bismark J Heather S Schneider andZ Xia The Pret a Voter verifiable election systemIEEE Transactions on Information Forensics andSecurity 4 2009

[45] P Y A Ryan P B Roenne and V Iovino SeleneVoting with transparent verifiability andcoercion-mitigation Cryptology ePrint Archive Report20151105 2015 httpeprintiacrorg

[46] D Springall T Finkenauer Z Durumeric J KitcatH Hursti M MacAlpine and J A HaldermanSecurity analysis of the estonian internet voting systemIn ACM CCS 2014 ACM Press 2014

[47] B R Waters Efficient identity-based encryptionwithout random oracles In EUROCRYPT 2005Springer 2005

Introduction

Our Contributions

Related Work

Receipt-Freeness

Syntax of a Voting System

Strong Receipt-Freeness

Building Blocks

Assumptions and Primitives

Signatures on Randomizable Ciphertexts

Our SRC Construction

RCCA-Secure Encryption from SRC

BeleniosRF

Overview

Receipt-Freeness

Verifiability

Efficiency of BeleniosRF

The Blazy et al Voting Protocol is not Ballot-Private

Conclusions

References

randomizable ciphertexts [12] we propose a receipt-free ver-sion of Helios which we call BeleniosRF In our scheme avoter cannot prove how she voted even if she is providedwith all the ballot material by the coercer Interestingly ourscheme does not demand any strategy of the voter in partic-ular it does not require the active participation of a voterto deceive a coercer that is asking for a receipt For examplea voter does not need to lie or produce fake credentials as inCivitas she simply has no way to prove how she voted Thisrepresents a huge improvement in usability from the voterrsquospoint of view all that is required of the voter is to vote

We show that our scheme BeleniosRF is receipt-free ina strong sense meaning that even a dishonest voter usinga voting client that has been tampered with cannot provehow she voted We formalize this property called strongreceipt-freeness (sRF) via a game-based definition buildingon the privacy definition recently proposed by Bernhard etal [9] We view this formal definition of receipt-freeness whichapplies to non-interactive ballot casting protocols as the firstcontribution of this work We call it strong receipt-freenessto emphasize that in non-interactive protocols an attackerhas less room to build a receipt Indeed in the absence ofinteraction the adversary does not obtain information fromthe voting server apart from what is displayed on the bulletinboard hence any receipt must be built by the adversarylocally and before submitting the ballot

We claim sRF is the first game-based receipt-freeness defini-tion in the literature accounting for a voter that is corruptedduring the voting phase Additionally sRF has the merit ofbeing simple and concise potentially allowing for simplerproofs In doing so we give a new formulation for the receipt-freeness definition by Benaloh and Tuinstra [8] and highlightthat receipt-freeness can be achieved without asking the vot-ers to vote several times and cancel previously submittedballots and without requiring an untappable channel All weneed to assume is that the attacker is not permanently eaves-dropping the communication between the voting server andthe voter an assumption made by all previous constructionsof receipt-free or coercion-resistant voting schemes

A key ingredient of BeleniosRF is a randomization service arole that we assume is played by the voting server but whichcould be played by a different server The randomizationservice is in charge of re-randomizing the ballot cast by avoter BeleniosRFrsquos receipt-freeness then relies on the factthat the randomness contained in the ballot displayed inthe bulletin board is not under the control of the voterBoth the voter and the randomization service contributeto the randomness of the voterrsquos ballot as displayed on thebulletin board In fact in light of the impossibility resultof [19] the existence of a randomization agent is assumedin most constructions that claim to be receipt-free Herehowever we do not rely on letting voters vote multiple timesor on the existence of a trusted token for each voter (such aseg [20343543])

The foremost challenge in achieving receipt-freeness non-interactively and via a randomization service is to preventthe latter from changing the voterrsquos intent The only existingnon-interactive proposal [12] claiming receipt-freeness uses apowerful cryptographic primitive called signatures on ran-domizable ciphertexts It consists of a signature scheme and apublic-key encryption scheme that is randomizable (that isgiven a ciphertext anyone can create a fresh ciphertext of thesame plaintextmdashwithout knowing it) The primitive provides

an additional functionality given a signature on a ciphertextanyone can randomize the ciphertext and adapt the signatureto the new ciphertext that is produce a signature that isvalid on the new ciphertextmdashand all that knowing neither thedecryption key nor the signing key nor the plaintext On theother hand unforgeability guarantees that it is infeasible tocompute a signature on a ciphertext that encrypts a messageof which no encryption has been signed

Alas Blazy et al [12] did not provide a receipt-freenessdefinition nor a proof By exhibiting a ballot-copying at-tack adapted from [24] we demonstrate that their schemeis not receipt-free worse it is not even ballot-private Ourscheme fixes the Blazy et al construction by binding the ci-phertexts to voters while still inheriting the randomizabilityfrom Groth-Sahai non-interactive proofs [32]

We start with giving a new instantiation of signatures onrandomizable ciphertexts which we show yields an RCCA-secure public-key encryption scheme [16] from which we builda non-interactive1 receipt-free e-voting scheme as follows

bull As in Belenios each voter is provided with a signaturekey pair in addition to authentication means to theballot box (typically a login and password)

bull Each voter encrypts and signs their ballot and includesa proof of knowledge to prevent ballot malleability

bull Upon receiving a ballot the server re-randomizes theballot and adapts the corresponding signature and proofbefore publishing it

Receipt-freeness comes from the fact that a voter no longerhas control over nor knowledge of the randomness used toform the final ballot stored in the ballot box On the otherhand even after the voting server re-randomizes the ballotcast by the voterrsquos voting device the voter can still verifythat her legitimate ballot is present as the re-randomizedciphertext comes with a signature that is valid under thevoterrsquos verification key By unforgeability of the signatureprimitive the vote cannot have been altered by the ballotbox which we show implies verifiability

Our final contribution consists of assessing the feasibility ofBeleniosRF for this purpose we implemented and measuredthe efficiency of a Javascript voting client (see Section 5)

12 Related WorkOur definition requires that an adversary cannot distin-

guish whether a voter votes for either a or b even if theattacker provides the voter in advance with all the crypto-graphic material (such as randomness to be used to castthe ballot) Interestingly this definition does not require thevoter to follow a ldquostrategyrdquo to fool the coercer

The early definitions of receipt-freeness [8 43] introducedthe idea that an attacker should not be able to distinguish be-tween a real transcript and a fake one but their descriptionsare rather informal A weaker definition of receipt-freenessproposed in [1538] lets the attacker only interact with thevoter after the election (in particular the attacker cannotcontrol the randomness of the voterrsquos device) A simulation-based definition for receipt-freeness (UC-RF) was given in [42]It assumes however that the voters adopt an ldquoanti-coercionstrategyrdquo and is therefore closer to coercion-resistance as de-fined in [37] even if it does not cover for instance abstention

1After successful authentication between the voter and theballot box ballot casting is non-interactive


















































[Expsrf0AV(λ) = 1

]minus Pr

[Expsrf1AV(λ) = 1




Oinit for β = 0


Oinit for β = 1


Oreg(id)


OcorruptU(id)



OvoteLR(id v0 v1)




Oboard()


Otally() for β = 0


Otally() for β = 1









































]







1 define F(m) =

u0

prodki=1 u










prime2 )












2 (1)































EKeyGen(1λ 1k)












mii middot P r






σ3 = gs1 σ4 = gs2 σ5 = P s



prime1 c2



prime


prime1 middot σr

prime3 middot gr

primemiddotsprime1


prime2 middot σr

prime5 middot P r

primemiddotsprime


prime1 σ4


2


prime




e(σ1 g2) = e(c1 σ4) (3a)

e(σ2 g2) = e(zX2) e(c2 σ4) (3b)

e(σ3 g2) = e(g1 σ4) e(σ5 g2) = e(P σ4) (3c)























) It then adds b






e(σ3 g2) = e(g1 σ4)





ndash Let C(b)1mi


(b)m contained













Figure 1)








sumi vij










via Setup(h)gs






1 for wilarr$ Zp





































c πtvisin01pk

)



primepk σ

vksprimec π

tprimevisin01pk





c πtvisin01pk

)


bprime =(vk c = vr

primepk σ

vksprimec π

tprimevisin01pk








c πtv isin01pk

)
























































Introduction

Our Contributions

Related Work

Receipt-Freeness



Building Blocks





BeleniosRF

Overview

Receipt-Freeness

Verifiability



Conclusions

References


















































[Expsrf0AV(λ) = 1

]minus Pr

[Expsrf1AV(λ) = 1




Oinit for β = 0


Oinit for β = 1


Oreg(id)


OcorruptU(id)



OvoteLR(id v0 v1)




Oboard()


Otally() for β = 0


Otally() for β = 1









































]







1 define F(m) =

u0

prodki=1 u










prime2 )












2 (1)































EKeyGen(1λ 1k)












mii middot P r






σ3 = gs1 σ4 = gs2 σ5 = P s



prime1 c2



prime


prime1 middot σr

prime3 middot gr

primemiddotsprime1


prime2 middot σr

prime5 middot P r

primemiddotsprime


prime1 σ4


2


prime




e(σ1 g2) = e(c1 σ4) (3a)

e(σ2 g2) = e(zX2) e(c2 σ4) (3b)

e(σ3 g2) = e(g1 σ4) e(σ5 g2) = e(P σ4) (3c)























) It then adds b






e(σ3 g2) = e(g1 σ4)





ndash Let C(b)1mi


(b)m contained













Figure 1)








sumi vij










via Setup(h)gs






1 for wilarr$ Zp





































c πtvisin01pk

)



primepk σ

vksprimec π

tprimevisin01pk





c πtvisin01pk

)


bprime =(vk c = vr

primepk σ

vksprimec π

tprimevisin01pk








c πtv isin01pk

)
























































Introduction

Our Contributions

Related Work

Receipt-Freeness



Building Blocks





BeleniosRF

Overview

Receipt-Freeness

Verifiability



Conclusions

References

Oinit for β = 0


Oinit for β = 1


Oreg(id)


OcorruptU(id)



OvoteLR(id v0 v1)




Oboard()


Otally() for β = 0


Otally() for β = 1









































]







1 define F(m) =

u0

prodki=1 u










prime2 )












2 (1)































EKeyGen(1λ 1k)












mii middot P r






σ3 = gs1 σ4 = gs2 σ5 = P s



prime1 c2



prime


prime1 middot σr

prime3 middot gr

primemiddotsprime1


prime2 middot σr

prime5 middot P r

primemiddotsprime


prime1 σ4


2


prime




e(σ1 g2) = e(c1 σ4) (3a)

e(σ2 g2) = e(zX2) e(c2 σ4) (3b)

e(σ3 g2) = e(g1 σ4) e(σ5 g2) = e(P σ4) (3c)























) It then adds b






e(σ3 g2) = e(g1 σ4)





ndash Let C(b)1mi


(b)m contained













Figure 1)








sumi vij










via Setup(h)gs






1 for wilarr$ Zp





































c πtvisin01pk

)



primepk σ

vksprimec π

tprimevisin01pk





c πtvisin01pk

)


bprime =(vk c = vr

primepk σ

vksprimec π

tprimevisin01pk








c πtv isin01pk

)
























































Introduction

Our Contributions

Related Work

Receipt-Freeness



Building Blocks





BeleniosRF

Overview

Receipt-Freeness

Verifiability



Conclusions

References















]







1 define F(m) =

u0

prodki=1 u










prime2 )












2 (1)































EKeyGen(1λ 1k)












mii middot P r






σ3 = gs1 σ4 = gs2 σ5 = P s



prime1 c2



prime


prime1 middot σr

prime3 middot gr

primemiddotsprime1


prime2 middot σr

prime5 middot P r

primemiddotsprime


prime1 σ4


2


prime




e(σ1 g2) = e(c1 σ4) (3a)

e(σ2 g2) = e(zX2) e(c2 σ4) (3b)

e(σ3 g2) = e(g1 σ4) e(σ5 g2) = e(P σ4) (3c)























) It then adds b






e(σ3 g2) = e(g1 σ4)





ndash Let C(b)1mi


(b)m contained













Figure 1)








sumi vij










via Setup(h)gs






1 for wilarr$ Zp





































c πtvisin01pk

)



primepk σ

vksprimec π

tprimevisin01pk





c πtvisin01pk

)


bprime =(vk c = vr

primepk σ

vksprimec π

tprimevisin01pk








c πtv isin01pk

)
























































Introduction

Our Contributions

Related Work

Receipt-Freeness



Building Blocks





BeleniosRF

Overview

Receipt-Freeness

Verifiability



Conclusions

References






2 (1)































EKeyGen(1λ 1k)












mii middot P r






σ3 = gs1 σ4 = gs2 σ5 = P s



prime1 c2



prime


prime1 middot σr

prime3 middot gr

primemiddotsprime1


prime2 middot σr

prime5 middot P r

primemiddotsprime


prime1 σ4


2


prime




e(σ1 g2) = e(c1 σ4) (3a)

e(σ2 g2) = e(zX2) e(c2 σ4) (3b)

e(σ3 g2) = e(g1 σ4) e(σ5 g2) = e(P σ4) (3c)























) It then adds b






e(σ3 g2) = e(g1 σ4)





ndash Let C(b)1mi


(b)m contained













Figure 1)








sumi vij










via Setup(h)gs






1 for wilarr$ Zp





































c πtvisin01pk

)



primepk σ

vksprimec π

tprimevisin01pk





c πtvisin01pk

)


bprime =(vk c = vr

primepk σ

vksprimec π

tprimevisin01pk








c πtv isin01pk

)
























































Introduction

Our Contributions

Related Work

Receipt-Freeness



Building Blocks





BeleniosRF

Overview

Receipt-Freeness

Verifiability



Conclusions

References

EKeyGen(1λ 1k)












mii middot P r






σ3 = gs1 σ4 = gs2 σ5 = P s



prime1 c2



prime


prime1 middot σr

prime3 middot gr

primemiddotsprime1


prime2 middot σr

prime5 middot P r

primemiddotsprime


prime1 σ4


2


prime




e(σ1 g2) = e(c1 σ4) (3a)

e(σ2 g2) = e(zX2) e(c2 σ4) (3b)

e(σ3 g2) = e(g1 σ4) e(σ5 g2) = e(P σ4) (3c)























) It then adds b






e(σ3 g2) = e(g1 σ4)





ndash Let C(b)1mi


(b)m contained













Figure 1)








sumi vij










via Setup(h)gs






1 for wilarr$ Zp





































c πtvisin01pk

)



primepk σ

vksprimec π

tprimevisin01pk





c πtvisin01pk

)


bprime =(vk c = vr

primepk σ

vksprimec π

tprimevisin01pk








c πtv isin01pk

)
























































Introduction

Our Contributions

Related Work

Receipt-Freeness



Building Blocks





BeleniosRF

Overview

Receipt-Freeness

Verifiability



Conclusions

References





e(σ3 g2) = e(g1 σ4)





ndash Let C(b)1mi


(b)m contained













Figure 1)








sumi vij










via Setup(h)gs






1 for wilarr$ Zp





































c πtvisin01pk

)



primepk σ

vksprimec π

tprimevisin01pk





c πtvisin01pk

)


bprime =(vk c = vr

primepk σ

vksprimec π

tprimevisin01pk








c πtv isin01pk

)
























































Introduction

Our Contributions

Related Work

Receipt-Freeness



Building Blocks





BeleniosRF

Overview

Receipt-Freeness

Verifiability



Conclusions

References































c πtvisin01pk

)



primepk σ

vksprimec π

tprimevisin01pk





c πtvisin01pk

)


bprime =(vk c = vr

primepk σ

vksprimec π

tprimevisin01pk








c πtv isin01pk

)
























































Introduction

Our Contributions

Related Work

Receipt-Freeness



Building Blocks





BeleniosRF

Overview

Receipt-Freeness

Verifiability



Conclusions

References







































Introduction

Our Contributions

Related Work

Receipt-Freeness



Building Blocks





BeleniosRF

Overview

Receipt-Freeness

Verifiability



Conclusions

References

BeleniosRF: A Non-interactive Receipt-Free Electronic ... · BeleniosRF: A Non-interactive...

Documents

Transcript of BeleniosRF: A Non-interactive Receipt-Free Electronic ... · BeleniosRF: A Non-interactive...