Index
1. Introduction: Previous work
2. Mix-nets
3. Lattice-based cryptography
4. Proof of a shuffle for lattice-based cryptography
5. Future work
Introduction
Previous work

Objective: build an efficient online voting system with long-term privacy
The European Network of Excellence in Cryptology (ECRYPT) – 2015
“…systems currently being deployed may need to be resistant against the future development of a quantum computer…”
“…If the development of quantum computers became imminent, then all this document's guidelines would need to be seriously reassessed…”
National Security Agency (NSA) – 2015
“…a transition to quantum resistant algorithms in the not too distant future…”
“…Our ultimate goal is to provide cost effective security against a potential quantum computer…”
National Institute of Standards and Technology (NIST) – 2016
“…Cryptosystems offering 112 bits [...] may be breakable […] in 30 to 40 years using classical computers…”
“…a quantum computer capable of breaking 2000-bit RSA in a matter of hours could be built by 2030 for a budget of about a billion dollars…”
Post-quantum cryptography: What can we do?
• Make the security of the published information independent of any computational assumption → commitment of the vote
• Publish no information that can be related to a voter's identity → anonymous authentication
• Use stronger computational assumptions that remain secure under quantum attacks → lattices
Commitment Consistent Encryption (CCE) [Cuvelier, Pereira and Peters 13]: publish a commitment of the vote, so the vote is perfectly hidden (the published data leaks nothing about it even to a computationally unbounded adversary).
Mix-nets

The first mix-net was introduced by Chaum in 1981 in order to provide anonymous communications. Applications:
• Electronic voting
• Electronic auctions
• Electronic exam systems
• Anonymous e-mail
• Anonymous telecommunications
• Anonymous Internet communications
Mix-nets
Definition

A mix-net is a multi-party protocol that, given a number of encrypted messages at the input, performs a permutation over them followed by a cryptographic transformation using a re-encryption and/or a decryption algorithm.
Mix-nets
Proof of a shuffle

A proof of a shuffle allows a mixing node to prove that the contents at the output are the same as the contents at the input, only permuted and re-encrypted/decrypted, without revealing the permutation it used.

[Figure: the encrypted votes pass through Mixing Node 1 … Mixing Node N; each node shuffles, re-encrypts and publishes a proof of a shuffle for its step.]
Mix-nets
Bulletin Board

[Figure: the voter casts a ballot and receives a vote receipt; the bulletin board publishes the encrypted votes, the mathematical proofs (the proofs of a shuffle) and the election results.]
Security of the published ciphertexts is based on:

FACTORIZATION: given $n$, find the primes $p_i$ such that $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$, where $e_i \ge 1$.

DISCRETE LOGARITHM: given $\beta = \alpha^x$, find $x = \log_\alpha \beta$.

Efficient quantum algorithms exist for both problems [Shor 97].
Adversary: “I will store this information until quantum computers are available.”

20 years later…
Voter A voted for Party 1
Voter B voted for Party 2
Voter C voted for Party 3
Mix-nets
Post-quantum cryptography

The goal of post-quantum cryptography is to develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks.[1]
• Lattice-based cryptography
• Code-based cryptography
• Multivariate polynomial cryptography
• Hash-based signatures

[1] Report on Post-Quantum Cryptography – NIST 2016: http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8105.pdf
Mix-nets
Lattice-based cryptosystems

• Collision-resistant hash functions [Goldreich, Goldwasser and Halevi 96]
• Identification schemes [Kawachi, Tanaka and Xagawa 08] [Lyubashevsky 08] [Micciancio and Vadhan 03]
• Digital signatures [Boyen 10] [Peikert, et al 10] [Lyubashevsky 12] [Gentry, et al 08] [Micciancio and Peikert 12]
• Public key encryption [Regev 05] [Lindner and Peikert 11] [Peikert, Vaikuntanathan and Waters 08]
• Universal re-encryption [Singh, Pandu Rangan and Banerjee 14]
• Identity-based encryption [Gentry, et al 08] [Cash, Hofheinz, Kiltz and Peikert 10] [Agrawal, Boneh and Boyen 10]
• Fully homomorphic encryption [Brakerski and Vaikuntanathan 11] [Brakerski, Gentry and Vaikuntanathan 12]
• Zero-knowledge proofs [Benhamouda, Krenn, Lyubashevsky and Pietrzak 14]
• Electronic voting protocol [Chillotti, Gama, Georgieva and Izabachène 16]
Lattice-based cryptography
Lattice-based cryptography
Definition

A lattice is a set of points in an n-dimensional space with a periodic structure: the set of all integer combinations of a basis $\mathbf{B} = (b_1, \dots, b_n)$,

$L(\mathbf{B}) = L(b_1, \dots, b_n) = \left\{ \sum_{i=1}^{n} x_i b_i : x_i \in \mathbb{Z} \right\}$, where $b_i = (b_{1i}, \dots, b_{mi})$.

[Figure: the lattice generated by the basis vectors $b_1, b_2$; the same lattice is also generated by a different basis $b_1', b_2'$, so a lattice has many bases.]
Lattice-based cryptography
Comparison with standard cryptography

Lattice-based cryptography | Standard cryptography
Security based on a worst-case problem (via worst-case to average-case reductions) | Security based on an average-case problem
Based on hardness of lattice problems | Based on hardness of factoring, discrete logarithm, etc.
(Still) not broken by quantum algorithms | Broken by quantum algorithms
Simple computations (vector additions, component-wise vector products, etc.) | Require modular exponentiations
Lattice-based cryptography
Lattice problems

• Shortest Vector Problem (SVP)
• Closest Vector Problem (CVP)
• Shortest Independent Vectors Problem (SIVP)
• Bounded Distance Decoding (BDD)
• Short Integer Solution (SIS)
• Learning With Errors (LWE)
Lattice-based cryptography
Learning With Errors

Learning With Errors (LWE) [Regev 05]: distinguish random linear equations over $\mathbb{Z}_q$ that have been perturbed by a small amount of noise, i.e. samples $(a, \langle a, s \rangle + e)$ with $e$ small, from truly uniform ones.

Ring Learning With Errors (RLWE) [Lyubashevsky, Peikert and Regev 13]: the same distinguishing problem with the linear equations taken over a polynomial ring $R_q$, i.e. samples $(a, a \cdot s + e)$ with $a, s, e \in R_q$ and $s, e$ small; the ring structure gives more compact keys and faster arithmetic.
Lattice-based cryptography
Ideal lattices

Ideal lattices introduce algebraic structure into lattices: they are the lattices corresponding to ideals of a polynomial ring such as $\mathbb{Z}[x]/(x^n + 1)$.

[Figure: a general lattice beside an ideal lattice.]
Lattice-based cryptography
R-LWE public key encryption scheme

Ring: $R_q = \mathbb{Z}_q[x]/(x^n + 1)$ (an ideal lattice); $\in_D$ denotes sampling from the small-error distribution $D$.
• Parameters: choose $a \in R_q$ uniformly at random and $s, e \in_D R$
• Private key: $s$
• Public key: $(a, b = a \cdot s + e) \in R_q^2$
• Encryption: choose $r, e_1, e_2 \in_D R$ and a message $\vec{z} \in \{0,1\}^n$, and output
  $u = a \cdot r + e_1$
  $v = b \cdot r + e_2 + \lfloor q/2 \rfloor \cdot \vec{z}$
• Decryption: compute
  $v - u \cdot s = r \cdot e - s \cdot e_1 + e_2 + \lfloor q/2 \rfloor \cdot \vec{z}$
  and round each coefficient to $0$ or $\lfloor q/2 \rfloor$ to recover $\vec{z}$. This is correct as long as every coefficient of the noise $r \cdot e - s \cdot e_1 + e_2$ has absolute value below $q/4$, which is why the noise added by re-encryption in a mix-net has to stay small.
Proof of a shuffle for lattice-based cryptography

• Proof of a shuffle for a mix-net that shuffles ciphertexts encrypted using an RLWE encryption scheme. [NordSec 2017] (https://eprint.iacr.org/2017/900)
• Follows Wikström’s proposal:
  • Permutation matrix
  • Offline and online phase

Example: the permutation matrix selects which input ciphertext goes to each output position,

$\begin{pmatrix} 0 & 1 & 0 \\ 0 & 0 & 1 \\ 1 & 0 & 0 \end{pmatrix} \cdot \begin{pmatrix} V_1 \\ V_2 \\ V_3 \end{pmatrix} = \begin{pmatrix} V_2 \\ V_3 \\ V_1 \end{pmatrix}$
• Security
  • The RLWE encryption scheme is semantically secure given the pseudorandomness of the RLWE samples.
  • The zero-knowledge proofs satisfy special soundness and special honest-verifier zero-knowledge.
  • The commitments are perfectly hiding and computationally binding under the discrete logarithm assumption. Perfect hiding is what long-term privacy needs: the published commitments leak nothing even to a future quantum adversary, whereas binding (and with it the soundness of the shuffle proof) is only needed while the election is being verified and still rests on a pre-quantum assumption.
Zero-knowledge proof: a two-party protocol between a prover and a verifier which allows the former to convince the latter that it knows some secret piece of information, without revealing anything about the secret apart from what the claim itself already reveals.
Commitment scheme: a two-party protocol that allows one party (A) to commit to a value towards another party (B). At a later stage A reveals the value (kept hidden until that moment) and B can verify that this is indeed the value to which A committed.
Proof of a shuffle for lattice-based cryptography
OFFLINE PHASE (before the ciphertexts to be shuffled are known)
1. Commit to the permutation matrix.
2. Prove that the committed matrix corresponds to a permutation.
3. Commit to the re-encryption parameters.
4. Prove that the re-encryption parameters are ‘small’ (so that re-encryption adds only bounded noise and the ciphertexts still decrypt).
ONLINE PHASE
1. Shuffle the encrypted votes.
2. Prove that the committed permutation has been used to perform the shuffle.
3. Prove that the committed re-encryption parameters have been used to perform the shuffle.
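Added example for this page (written for this edit, not the NordSec 2017 authors' implementation): a toy version of the scheme from the "R-LWE public key encryption scheme" slide, followed by one mix node's online phase, i.e. shuffling the ciphertexts with a permutation matrix and re-encrypting them by adding a fresh encryption of zero. The ring degree N = 64, the modulus Q = 3329 and the ternary stand-in for the error distribution D are assumptions chosen so that decryption stays correct through a few mix nodes, not for security; the zero-knowledge proofs of the offline and online phases are not implemented, the block only evaluates the plaintext predicates those proofs would attest to (the committed matrix is a permutation matrix, the re-encryption parameters are small).

```python
# Added example (not the NordSec 2017 authors' code): toy RLWE encryption as on
# the "R-LWE public key encryption scheme" slide, plus one mix node's online
# phase (permutation-matrix shuffle + re-encryption). N, Q and the ternary
# noise sampler are assumptions picked for correct decryption, not security;
# the zero-knowledge proofs are omitted, only the predicates they attest to.
import random

N = 64      # ring degree: R_q = Z_q[x] / (x^N + 1)
Q = 3329    # modulus; Q/4 must exceed the accumulated noise (see decrypt)

def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def poly_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]

def poly_mul(a, b):
    # Schoolbook product in Z_q[x]/(x^N + 1): x^N wraps around as -1.
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                res[i + j] = (res[i + j] + ai * bj) % Q
            else:
                res[i + j - N] = (res[i + j - N] - ai * bj) % Q
    return res

def sample_small(rng):
    # Stand-in for the error distribution D: coefficients in {-1, 0, 1}.
    return [rng.choice((-1, 0, 1)) for _ in range(N)]

def is_small(p, bound=1):
    # Predicate behind "prove that the re-encryption parameters are small".
    return all(min(c % Q, Q - c % Q) <= bound for c in p)

def keygen(rng):
    a = [rng.randrange(Q) for _ in range(N)]      # uniform a in R_q
    s, e = sample_small(rng), sample_small(rng)
    return (a, poly_add(poly_mul(a, s), e)), s    # pk = (a, a*s + e), sk = s

def encrypt(pk, bits, rng):
    a, b = pk
    r, e1, e2 = sample_small(rng), sample_small(rng), sample_small(rng)
    u = poly_add(poly_mul(a, r), e1)                    # u = a*r + e1
    v = poly_add(poly_add(poly_mul(b, r), e2),
                 [(Q // 2) * z % Q for z in bits])      # v = b*r + e2 + floor(q/2)*z
    return (u, v)

def decrypt(sk, ct):
    u, v = ct
    m = poly_sub(v, poly_mul(u, sk))   # = r*e - s*e1 + e2 + floor(q/2)*z
    # Round each coefficient to 0 or q/2; correct while |noise| < q/4.
    return [1 if Q // 4 < c < 3 * Q // 4 else 0 for c in m]

def reencrypt(pk, ct, rng):
    # Add a fresh encryption of zero: same plaintext, new randomness, so the
    # output ciphertext cannot be linked to the input one.
    u0, v0 = encrypt(pk, [0] * N, rng)
    return (poly_add(ct[0], u0), poly_add(ct[1], v0))

def permutation_matrix(perm):
    # Row i has its single 1 in column perm[i], as in the 3x3 example above.
    n = len(perm)
    return [[1 if perm[i] == j else 0 for j in range(n)] for i in range(n)]

def is_permutation_matrix(M):
    # Predicate behind "prove that the committed matrix is a permutation":
    # 0/1 entries, exactly one 1 in every row and every column.
    n = len(M)
    return (all(x in (0, 1) for row in M for x in row)
            and all(sum(row) == 1 for row in M)
            and all(sum(M[i][j] for i in range(n)) == 1 for j in range(n)))

def apply_matrix(M, cts):
    # Output i is sum_j M[i][j]*ct_j; for a permutation matrix that is ct_{perm[i]}.
    return [cts[row.index(1)] for row in M]

def mix_node(pk, cts, rng):
    # One node's online phase: shuffle with a secret permutation matrix, re-encrypt.
    perm = list(range(len(cts)))
    rng.shuffle(perm)
    M = permutation_matrix(perm)
    assert is_permutation_matrix(M)
    return [reencrypt(pk, ct, rng) for ct in apply_matrix(M, cts)]

def encode(v): return [(v >> i) & 1 for i in range(N)]          # int -> bit vector z
def decode(bits): return sum(b << i for i, b in enumerate(bits))

def run_mixnet(votes, nodes=2, seed=7):
    # Encrypt, pass through `nodes` mix nodes, decrypt. Returns the sorted
    # plaintexts: the multiset of votes survives, the link to each voter does not.
    rng = random.Random(seed)   # deterministic for the example; use a CSPRNG for real
    pk, sk = keygen(rng)
    board = [encrypt(pk, encode(v), rng) for v in votes]
    for _ in range(nodes):
        board = mix_node(pk, board, rng)
    return sorted(decode(decrypt(sk, ct)) for ct in board)

if __name__ == "__main__":
    print(run_mixnet([1, 2, 3, 2, 1]))   # [1, 1, 2, 2, 3]
```

Running the script prints the sorted decrypted votes, which match the input multiset while the output order no longer says which voter cast which vote. Note what the rounding in decrypt depends on: every re-encryption adds another r·e − s·e1 + e2 term, so with these toy parameters the total noise stays below q/4 only for a handful of mixing nodes; a real deployment sizes q against the number of nodes and the error distribution, which is exactly what the offline-phase proof that the re-encryption parameters are small guarantees.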
Future work

• Build a proof of a shuffle with post-quantum commitments.
• Write the full security proof.
• Implement the proof of a shuffle.
• Compare the efficiency of the proof of a shuffle for lattice-based cryptography with Wikström’s proof of a shuffle.