DRE-i with enforced privacy (DRE-ip) • Motivation • DRE-i works by pre-computing encrypted ballots • However, pre-computed ballots need to be stored securely • Can we remove this secure storage requirement? • Naturally, that leads us to a different strategy • DRE-ip works by computing encrypted ballots in real time • Still three phases: setup, voting and tallying
Phase 1: setup • Two generators g1 and g2 with unknown log relation • E.g., use a one-way hash to obtain g2 from g1 (in our implementation)
Phase 2: Voting • Encrypted vote • DRE keeps in memory , • At the end, DRE posts t, s on bulletin board
Phase 3: Tallying • DRE publishes t and s and all receipts on bulletin board • The public verify ,
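The three DRE-ip phases above, as an added Python sketch that is not the authors' implementation. The ballot and tally equations are missing from this transcript, so the forms used here (R_i = g2^r, Z_i = g1^(r+v), with t and s the sums of votes and randomness) are filled in from the published DRE-ip scheme as an assumption; the toy group, the hash-to-subgroup method and all names are constructed, and the zero-knowledge proofs of ballot well-formedness are omitted.

```python
import hashlib
import secrets

# Constructed toy Schnorr group, p = 2q + 1 (far too small for real use).
P, Q = 2039, 1019
G1 = 4  # generates the order-q subgroup of squares mod p

def derive_g2(g1=G1):
    """Hash g1 into the subgroup, so log_g1(g2) is unknown to everyone."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"DRE-ip g2|{g1}|{counter}".encode()).digest()
        candidate = pow(int.from_bytes(digest, "big") % P, 2, P)  # squaring lands in the subgroup
        if candidate not in (0, 1, g1):
            return candidate
        counter += 1

class DRE:
    """Holds only the running sums t and s; per-ballot secrets are dropped."""
    def __init__(self):
        self.g2 = derive_g2()
        self.t = 0        # sum of votes cast so far
        self.s = 0        # sum of per-ballot randomness, mod q
        self.board = []   # public receipts (R_i, Z_i)

    def cast(self, vote):
        if vote not in (0, 1):
            raise ValueError("vote must be 0 or 1")
        r = secrets.randbelow(Q - 1) + 1
        receipt = (pow(self.g2, r, P), pow(G1, r + vote, P))  # R_i = g2^r, Z_i = g1^(r+v)
        self.t += vote
        self.s = (self.s + r) % Q
        self.board.append(receipt)
        return receipt    # r and vote go out of scope here

def verify_tally(board, g2, t, s):
    """Anyone can check: prod R_i == g2^s and prod Z_i == g1^(s+t)."""
    prod_r = prod_z = 1
    for r_i, z_i in board:
        prod_r = prod_r * r_i % P
        prod_z = prod_z * z_i % P
    return prod_r == pow(g2, s, P) and prod_z == pow(G1, s + t, P)
```

A changed tally or a dropped receipt makes one of the two products disagree with the published t and s, which is what lets the public detect it from the bulletin board alone.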
DRE-ip in practice • Google Pixel to implement the DRE • DRE connected to a thermal printer • The backend is a web server hosted in the university campus
Gateshead trial using DRE-ip (2 May 2019) • Voters voted as normal using paper ballots • Upon exit, they were invited to trial a new e-polling system • They were then asked which system they preferred * Approved by Gateshead council and Warwick University’s Ethics Committee
Polling station E-polling trial station Gateshead Civic Center, 6:30 am, 2 May 2019
Research team for the e-voting trial
Introductory video
A dummy election
Election results
Survey result (91 responses) Based on your experience of using paper ballots and e-voting, which system do you prefer? [Chart scale: Strongly prefer paper, Prefer paper, Neutral, Prefer e-voting, Strongly prefer e-voting]
Those who prefer e-voting (55 voters)
Those who prefer paper ballots (20 voters)
Those who are neutral (16) ● Don’t see much difference if one has to come to the polling station ● Want to vote from home
Our vision about future e-voting
An overview of existing e-voting systems
Outline of the tutorial 1. Boolean-OR function: Anonymous Veto 2. Boolean-Count function: Boardroom voting 3. Equality function: PAKE 4. Tallying function: E-voting 5. Max function: E-Auction
Acknowledgement ● Joint work with Bag, Shahandashti and Ray. ● Based on the following paper Samiran Bag, Feng Hao, Siamak Shahandashti, and Indranil G. Ray, "SEAL: Sealed-bid Auction without Auctioneers," IEEE Transactions on Information Security and Forensics, 2020, https://eprint.iacr.org/2019/1332.pdf.
Background in auction ● A very common practice: US Treasury sells trillions of securities via auction ● Open cry ○ Ascending: English auction ○ Descending: Dutch auction ● Sealed-bid ○ First-price (equivalent to Dutch auction based on game theory) ○ Second-price (equivalent to English auction when voters evaluate items in private) ● We will focus on sealed-bid auctions
Sealed-bid auction [Figure: sealed bids labelled Bid price 1 to Bid price 4]
Two types of sealed-bid auction ● First price sealed-bid auction ○ The highest bidder wins, and pays the highest bid price ● Second price sealed-bid auction ○ The highest bidder wins, but pays the second-highest bid price ○ Also called “Vickrey auction”, named after William Vickrey who first developed theory for this type of auction (won Nobel Prize in 1996) William Vickrey (1914-1996)
Vickrey auction ● Extremely important in the auction theory ● Based on game theory, this scheme is “strategy-proof”: when values are evaluated in private, the best strategy for bidders is to bid their true evaluation ● Unfortunately, rarely used in practice
Practical concerns in Vickrey auction ● Two main security concerns ○ (Privacy) The true evaluation is a commercial secret but the auctioneer sees my bid ○ (Integrity) How do I know I really pay the 2nd highest price (auctioneer didn’t change)? ● Completely trustworthy auctioneers do not exist ● In this talk, I’ll present a solution that removes the need for auctioneers
Overview of e-auction research ● A very active field since the seminal paper by Franklin-Reiter in 1996 ● A large number of e-auction systems have been proposed ● However, almost all of them assume the role of a trustworthy auctioneer ● They apply threshold crypto or MPC to distribute the trust
Summary of previous work In general two types of solutions 1. Use two or more auctioneers: Franklin-Reiter, 1996; Sako, 2000; Kurosawa-Ogata, 2002; Bogetoft et al., 2006; Cartlidge et al., 2019, … 2. Add other trusted third parties: Naor-Pinkas-Sumner, 1999; Juels-Szydlo, 2002; Lipmaa-Asokan-Niemi, 2002; Abe-Suzuki, 2002, Montenegro-Fischer-Lopez-Peralta, 2013 … However, we want to get rid of “trustworthy auctioneers” completely
Can’t we just use MPC without auctioneers? ● In theory, general MPC allows secure computation on any function ○ n players, each with a secret input x_i, i=1,2,...,n ○ Each player learns nothing more than f(x_1, x_2, ..., x_n) ● So we simply apply it to a max function without involving auctioneers ● Problem trivially solved? ● However, not that simple …
Typical assumptions in MPC ● Pairwise secret channels + a public authenticated channel ○ O(n^2) complexity of setting up pairwise secret channels ○ The existence of secret channels makes the protocol not publicly verifiable ● The honest majority ○ In practice, the vast majority of participants may be corrupted (e.g., 3 players)
A real-world MPC application on auction ● Bogetoft, Damgard, Jakobsen, Nielsen, Pagter, Toft, 2006 ● Used in Denmark for auction sales on sugar beets ● Assume 2 out of 3 auctioneers honest ● Public key pairs for pairwise secure communication [Figure: three auctioneers (DKS, Researchers, Danisco); key pairs labelled pub2/prv2, pub3/prv3, pub1/prv3; bids labelled Bid price 1 to Bid price 4]
Is e-auction without auctioneers possible? ● Yes, but a trivial method will give you an exponential complexity ● For example: each bidder encrypts “Yes”/”No” for all possible bid prices ● Similar ideas proposed by Brandt, 2002; Brandt, 2003; Wu et al, 2004; Brandt 2005; Brandt, 2006 ● They all incur O(2^c) complexity, c being the bit length of the bid ● We will show a solution with O(c) complexity
Communication setting in our solution ● No secret channels ● An authenticated public channel (required in all schemes) ● No trustworthy auctioneers [Figure: public bulletin board (Ethereum blockchain); bids labelled Bid price 1 to Bid price 4]
Security definitions
Overview of the auction protocol ● Called Self-Enforcing Auction Lot (SEAL) ● Based on a single primitive: boolean-OR (modified AV-net, Hao-Zielinski’06) ● Two phases: commitment and bidding
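How a single Boolean-OR primitive gives the highest bid in c runs rather than 2^c yes/no values, as an added Python sketch that is not the SEAL implementation. It uses the original AV-net equations and omits SEAL's commitments and zero-knowledge proofs; the group (integers modulo the prime 2^255 - 19, picked only because it is easy to write down, where a deployment would use a prime-order group) and all function names are assumptions.

```python
import secrets

P = 2**255 - 19   # prime modulus; assumption of this sketch
G = 2
N = P - 1         # exponents are taken modulo the group order

def av_net_or(bits):
    """One AV-net run over public messages (needs >= 2 participants)."""
    n = len(bits)
    x = [secrets.randbelow(N - 1) + 1 for _ in range(n)]
    gx = [pow(G, xi, P) for xi in x]            # round 1: everyone posts g^x_i
    product = 1
    for i in range(n):
        # g^y_i = prod_{j<i} g^x_j / prod_{j>i} g^x_j, built from the board
        gy = 1
        for j in range(n):
            if j < i:
                gy = gy * gx[j] % P
            elif j > i:
                gy = gy * pow(gx[j], -1, P) % P
        # round 2: post g^(x_i*y_i) for bit 0, g^(r*y_i) with fresh r for bit 1
        e = x[i] if bits[i] == 0 else secrets.randbelow(N - 1) + 1
        product = product * pow(gy, e, P) % P
    # the x_i*y_i terms sum to 0, so the product is 1 when every bit is 0
    # (a 1-bit leaves it at 1 only with negligible probability)
    return 0 if product == 1 else 1

def seal_highest_bid(bids, c):
    """Highest bid from c Boolean-OR runs, most significant bit first."""
    active = [True] * len(bids)
    highest = 0
    for pos in range(c - 1, -1, -1):
        own = [(b >> pos) & 1 for b in bids]
        inputs = [bit if live else 0 for bit, live in zip(own, active)]
        t = av_net_or(inputs)
        if t == 1:   # whoever entered 0 here is out-bid and enters 0 from now on
            active = [live and bit == 1 for live, bit in zip(active, own)]
        highest = (highest << 1) | t
    return highest
```

Each run reveals only the OR of the inputs, so the board shows the bits of the highest bid and nothing that singles out a losing bid; the proofs left out here are what stop a bidder from entering bits inconsistent with its committed bid.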
Commitment Phase
Bidding Phase
An example
Efficiency analysis [Table: computational load (number of exponentiations) and communication bandwidth (number of group elements)] Notations: c the bit length of the bid. n the total number of bidders. the number of iterations of stage 1
Proof-of-concept implementation ● Using Java on Linux Platform ● Experiment done on an Asus Core i3 laptop (2.1 GHz with 4 GB RAM)
Commitment phase [Charts: bit length of the bid fixed at 10; 10 bidders]
Bidding Phase [Charts: 10 bidders; bit length of the bid fixed at 10]
Security analysis - integrity of auction outcome
Security analysis - privacy of losing bids
Can we achieve inclusive-privacy? ● Yes, simple to do ○ Just replace AV-net with another anonymous veto protocol that satisfies “inclusive privacy” (e.g., PriVeto by Bag, Zad, Hao, IET Information Security, 2019) ● However, the resultant scheme will be less interesting and less useful ...
Practical concerns [Table comparing Auction (inclusive privacy) and Auction (exclusive privacy) on: Resolving tie, Adaptive, Extension to Vickrey]
Extension to Vickrey auction ● Imagine a (perfect) MPC protocol that limits you to learn nothing more than the output of the max function ● You run the protocol twice to get the second highest bid ● But the highest bid is trivially revealed!