A Shuffle Argument Secure in the Generic Model

2020 IEEE Symposium on Security and Privacy (SP)

Lewis²,

Pereira

et al. 2020

The Scytl/SwissPost e-voting solution was intended to provide complete verifiability for Swiss government elections. We show failures in both individual verifiability and universal verifiability (as defined in Swiss Federal Ordinance 161.116), based on mistaken implementations of cryptographic components. These failures allow for the construction of "proofs" of an accurate election outcome that pass verification though the votes have been manipulated. Using sophisticated cryptographic protocols without a proper consideration of what properties they offer, and under which conditions, can introduce opportunities for undetectable fraud even though the system appears to allow verification of the outcome.Our findings are immediately relevant to systems in use in Switzerland and Australia, and probably also elsewhere.

Section: Group Methods Securitymentioning

confidence: 99%

How not to prove your election outcome

2020 IEEE Symposium on Security and Privacy (SP)

Lewis²,

Pereira

et al. 2020

“…However, when verifiability in the presence of quantum attackers is required, the trade-offs get more complicated. In general, there are two different approaches for making re-encryption mix nets verifiable, namely, by using randomized partial checking (RPC) [17] or by a proof of correct shuffle [1,2,4,8,9,12,13,15,16,25,26,30,31,34]. On the positive side, RPC could potentially be used for making a lattice-based re-encryption mix net verifiable, for instance using one of three recently proposed lattice-based proofs of correct shuffle [8,9,30], although it is unclear whether or not these are practical.…”

Section: Feasibility Of Post-quantum Secure Mixingmentioning

confidence: 99%

A Verifiable and Practical Lattice-Based Decryption Mix Net with External Auditing

Boyen

Computer Security – ESORICS 2020

Müller

2020

Mix nets are often used to provide privacy in modern security protocols, through shuffling. Some of the most important applications, such as secure electronic voting, require mix nets that are verifiable. In the literature, numerous techniques have been proposed to make mix nets verifiable. Some of them have also been employed for securing real political elections. With the looming possibility of quantum computers and their threat to cryptosystems based on classical hardness assumptions, there is significant pressure to migrate mix nets to post-quantum alternatives. At present, no verifiable and practical post-quantum mix net with external auditing is available as a drop-in replacement of existing constructions. In this paper, we give the first such construction. We propose a verifiable decryption mix net which solely employs practical lattice-based primitives. We formally prove that our mix net provides a high level of verifiability, and even accountability which guarantees that misbehaving mix servers can also be identified. Verification is executed by a (temporarily trusted) public auditor whose role can easily be distributed. We have implemented our completely lattice-based mix net from the bottom up, and provide detailed benchmarks which demonstrate its practicality for real-world post-quantum-secure e-voting.

“…They apply to any public-key encryption scheme which allows for re-encryption and for which a sigma protocol for correct re-encryption is known. There are also more efficient proofs of correct shuffle which have since emerged [16][17][18]. These new proofs are roughly three times faster than [4,44,49] and the cost of the verifiable mixing is close to optional, meaning little further improvement is possible.…”

Section: Propertiesmentioning

confidence: 99%

“…Fortunately, in this case, there are standards such as the one contained in FIPS 186.4 [19] (A.2.3) which allow the verifiable generation of the CRS without any trust assumptions. Some of the newer, and more efficent, proofs of correct shuffle [16][17][18] use more complicated CRSs which it is unclear how to generate without creating trust assumptions.…”

Section: Propertiesmentioning

confidence: 99%

SoK: Techniques for Verifiable Mix Nets

2020 IEEE 33rd Computer Security Foundations Symposium (CSF)

Müller

2020

Since David Chaum introduced the idea of mix nets 40 years ago, they have become widely used building blocks for privacy-preserving protocols. Several important applications, such as secure e-voting, require that the employed mix net be verifiable. In the literature, numerous techniques have been proposed to make mix nets verifiable. Some of them have also been employed in politically binding elections. Verifiable mix nets differ in many aspects, including their precise verifiability levels, possible trust assumptions, and required cryptographic primitives; unfortunately, these differences are often opaque, making comparison painful. To shed light on this intransparent state of affairs, we provide the following contributions. For each verifiability technique proposed to date, we first precisely describe how the underlying basic mix net is to be extended and which (additional) cryptographic primitives are required, and then study its verifiability level, including possible trust assumptions, within one generic and expressive verifiability framework. Based on our uniform treatment, we are able to transparently compare all known verifiability techniques for mix nets, including their advantages and limitations. Altogether, our work offers a detailed and expressive reference point for the design, employment, and comparison of verifiable mix nets.