
Paillier/ZKP: Ballot encryption, ZKP and weighted tallying in the Paillier cryptosystem



  1. Introduction Theoretical background Implementation
     Paillier/ZKP: Ballot encryption, ZKP and weighted tallying in the Paillier cryptosystem
     Reto Bürki, Adrian-Ken Rüegsegger
     University of Applied Sciences Rapperswil, Switzerland
     6/11/2012
     Master seminar: E-Voting

  2. Outline
     - 1 Introduction: System Architecture, Our Modules
     - 2 Theoretical background: ZKP verification, Weighted tallying
     - 3 Implementation: Overview, Source, Demo

  3. System Architecture

  4. Our Modules (I)
     Module 2
     - Ballot encryption
     - Zero-knowledge proof for ballot of voter v

     Input
     - Public key generated by module 1
     - Vote instruction (Candidate choice)

     Output
     - Encrypted vote (ballot)
     - ZKP for vote (a, e, z)
     - Election & voter id

  5. Our Modules (II)
     Module 3
     - Zero-knowledge proof check of ballot
     - Weighted tallying

     Input
     - Encrypted vote (ballot)
     - ZKP for vote (a, e, z)
     - Election & voter id
     - Voter registry (shares per voter)

     Output
     - Encrypted weighted tally (ct)
     - Election id

  6. ZKP verification (I)
     Prover must show that all $u_k$'s are $n$th powers

     $$c = g^{m_i} \cdot r^n \bmod n^2 \tag{1}$$

     $$u_k = c \cdot (g^{m_k})^{-1} \bmod n^2 \tag{2}$$

     - $k$: number of candidates
     - $i$: selected candidate
     - $m_k$: valid voting messages
     - $u_k$: bulletin board values

     Notes:
     - Only possible for $k = i$
     - Without disclosing random $r$!
     - Use $a_k$, $e_k$ and $z_k$ arrays to prove it

  7. ZKP verification (II)
     Sum of all $e_k$'s must be equal to challenge $e$

     $$e_k = \begin{cases} e_k & k \neq i \\ e - \sum_{k \neq i} e_k \bmod 2^b & k = i \end{cases} \tag{3}$$

     $$\sum_k e_k \equiv e \bmod 2^b \tag{4}$$

     $$b = \frac{\mathrm{size}_2(n)}{2} \tag{5}$$

     - $b$: size of challenge in bits (768)
     - $e$: challenge (hashed voter/election data & commitment)
     - $e_k$: response array e

  8. ZKP verification (III)
     All $z_k$'s must be $n$th powers

     $$a_k = \begin{cases} a_i = z_i^n \bmod n^2 & k = i \\ a_k = z_k^n \cdot \left(u_k^{e_k}\right)^{-1} \bmod n^2 & k \neq i \end{cases} \tag{6}$$

     $$z_k = \begin{cases} z_i = z_i \cdot r^{e_i} \bmod n & k = i \\ z_k & k \neq i \end{cases} \tag{7}$$

     $$z_k^n \equiv a_k \cdot u_k^{e_k} \bmod n^2 \tag{8}$$

     - $a_k$: commitment
     - $e_k$: response array e
     - $z_k$: response array z

  9. Weighted tallying
     Encrypted tally is product of all encrypted votes modulo $n^2$

     $$ct = \prod_{i=1}^{N_v} c^{w}_{i} \bmod n^2 \tag{9}$$

     - $c^w$: weighted encrypted vote
     - $w$: weight (number of shares)
     - $ct$: encrypted tally
     - $N_v$: number of voters

     Additive homomorphic properties

     $$D\left(E(m_1) \cdot E(m_2) \bmod n^2\right) = m_1 + m_2 \bmod n$$

     $$D\left(E(m)^k \bmod n^2\right) = k \cdot m \bmod n$$

  10. Overview
      Project information
      - Programming Language: Ada
      - Methodology: Test driven development (TDD)
      - Coverage:
        - -ftest-coverage -fprofile-arcs -fprofile-generate
        - lcov
        - genhtml
      - Dependencies:
        - Ahven (Unit test library)
        - GMP (Bignum)
        - GNATCOLL (JSON)

  11. Project source
      - Source code is freely available
      - Opensource license: GPLv3+
      - http://git.codelabs.ch/?p=paillier-zkp.git
      - git clone http://git.codelabs.ch/git/paillier-zkp.git

  12. Demo
      "Talk is cheap. Show me the code." - Linus Torvalds

  13. Questions
      Thank you for your attention!
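
The ballot proof from the ZKP verification slides (equations 1 to 8), written out as an added Python example; it is not taken from the project's Ada source. Assumptions made here: a constructed toy modulus built from two Mersenne primes, g = n + 1, the message values in `MSGS`, a SHA-256 challenge over a context string, the ballot and the commitments, and all function names.

```python
import hashlib, secrets

# Constructed toy parameters: two Mersenne primes, far too small for real use.
P, Q = 2**89 - 1, 2**107 - 1
N = P * Q
N2, G = N * N, N + 1             # assumed generator g = n + 1
B = N.bit_length() // 2          # eq. (5): challenge size in bits
MSGS = [1, 2**20, 2**40]         # assumed valid voting messages m_k

def rand_unit():
    """Random element of Z_n^*."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if r % P and r % Q:
            return r

def challenge(ctx, c, a):
    """e: hash of voter/election data, ballot and commitments, cut to b bits."""
    digest = hashlib.sha256(repr((ctx, c, a)).encode()).digest()
    return int.from_bytes(digest, "big") % 2**B

def u_values(c):
    """eq. (2): u_k = c * (g^m_k)^-1 mod n^2 for every valid message."""
    return [c * pow(G, -m, N2) % N2 for m in MSGS]

def encrypt_and_prove(i, ctx):
    """Module 2: encrypt MSGS[i] (eq. 1) and build the arrays (a, e, z)."""
    ks = range(len(MSGS))
    r = rand_unit()
    c = pow(G, MSGS[i], N2) * pow(r, N, N2) % N2
    u = u_values(c)
    e = [secrets.randbelow(2**B) for _ in ks]      # e_k chosen freely for k != i
    z = [rand_unit() for _ in ks]                  # z[i] is a nonce until eq. (7)
    a = [pow(z[k], N, N2) * pow(u[k], -e[k], N2) % N2 for k in ks]  # eq. (6), k != i
    a[i] = pow(z[i], N, N2)                        # eq. (6), k = i
    e[i] = (challenge(ctx, c, a) - sum(e) + e[i]) % 2**B            # eq. (3)
    z[i] = z[i] * pow(r, e[i], N) % N              # eq. (7)
    return c, (a, e, z)

def verify(c, proof, ctx):
    """Module 3: eq. (4) on the e array, then eq. (8) for every k."""
    a, e, z = proof
    if not len(a) == len(e) == len(z) == len(MSGS):
        return False
    if sum(e) % 2**B != challenge(ctx, c, a):
        return False
    u = u_values(c)
    return all(pow(z[k], N, N2) == a[k] * pow(u[k], e[k], N2) % N2
               for k in range(len(MSGS)))
```

Because the challenge covers the context string, a proof copied to another voter or election id fails equation (4), and moving weight between entries of `e` while keeping their sum fails equation (8).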
