Mike Graf, Ralf Küsters, and Daniel Rausch, „AUC: Accountable Universal Composability“, Cryptology ePrint Archive, Technical Report 2022/1606, 2022.
Abstract
Accountability is a well-established and widely used security concept that allows for obtaining undeniable cryptographic proof of misbehavior, thereby incentivizing honest behavior. There already exist several general purpose accountability frameworks for formal game-based security analyses. Unfortunately, such game-based frameworks do not support modular security analyses, which is an important tool to handle the complexity of modern protocols.
Universal composability (UC) models provide native support for modular analyses, including re-use and composition of security results. So far, accountability has mainly been modeled and analyzed in UC models for the special case of MPC protocols, with a general purpose accountability framework for UC still missing. That is, a framework that among others supports arbitrary protocols, a wide range of accountability properties, handling and mixing of accountable and non-accountable security properties, and modular analysis of accountable protocols.
To close this gap, we propose AUC, the first general purpose accountability framework for UC models, which supports all of the above, based on several new concepts. We exemplify AUC in three case studies not covered by existing works. In particular, AUC unifies existing UC accountability approaches within a single framework.
Nicolas Huber, Ralf Küsters, Toomas Krips, Julian Liedtke, Johannes Müller, Daniel Rausch, Pascal Reisert, and Andreas Vogt, „Kryvos: Publicly Tally-Hiding Verifiable E-Voting“, in CCS ’22: ACM Conference on Computer and Communications Security, November 7--11, 2022, Los Angeles, USA, 2022.
Abstract
Elections are an important cornerstone of democratic processes. In addition to publishing the final result (e.g., the overall winner), elections typically publish the full tally consisting of all (aggregated) individual votes. This causes several issues, including loss of privacy for both voters and election candidates as well as so-called Italian attacks that allow for easily coercing voters. Several e-voting systems have been proposed to address these issues by hiding (parts of) the tally. This property is called tally-hiding. Existing tally-hiding e-voting systems in the literature aim at hiding (part of) the tally from everyone, including voting authorities, while at the same time offering verifiability, an important and standard feature of modern e-voting systems which allows voters and external observers to check that the published election result indeed corresponds to how voters actually voted. In contrast, real elections often follow a different common practice for hiding the tally: the voting authorities internally compute (and learn) the full tally but publish only the final result (e.g., the winner). This practice, which we coin publicly tally-hiding, indeed solves the aforementioned issues for the public, but currently has to sacrifice verifiability due to a lack of practical systems.
In this paper, we close this gap. We formalize the common notion of publicly tally-hiding and propose the first provably secure verifiable e-voting system, called Kryvos, which directly targets publicly tally-hiding elections. We instantiate our system for a wide range of both simple and complex voting methods and various result functions. We provide an extensive evaluation which shows that Kryvos is practical and able to handle a large number of candidates, complex voting methods and result functions. Altogether, Kryvos shows that the concept of publicly tally-hiding offers a new trade-off between privacy and efficiency that is different from all previous tally-hiding systems and which allows for a radically new protocol design resulting in a practical e-voting system.
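The abstract names Italian attacks and the publicly tally-hiding notion without spelling out what the published full tally gives a coercer. The following added example (not code from the Kryvos paper or its authors, and not a model of the Kryvos protocol) makes the threat concrete: with a constructed set of ranked ballots, it compares what a coercer can check when every ranking pattern's count is published against what remains when only the result function is released. The plurality-winner result function and the ballot counts are assumptions made for the illustration.

```python
from collections import Counter

# Constructed sample election: ranked ballots over four candidates.
# The counts are made up for this illustration; "A" leads on first preferences.
CANDIDATES = ("A", "B", "C", "D")
BALLOTS = (
    [("A", "B", "C", "D")] * 40
    + [("B", "A", "C", "D")] * 35
    + [("C", "B", "A", "D")] * 20
    + [("D", "C", "B", "A")] * 4
)
# A deliberately unusual ranking that a coercer demands so it works as a receipt.
# With n candidates there are n! patterns, so rare ones are easy to find.
COERCED_PATTERN = ("D", "A", "C", "B")


def full_tally(ballots):
    """The full tally as it is commonly published: how often every ranking was cast."""
    return Counter(ballots)


def result_only(ballots):
    """Publicly tally-hiding output (assumed result function: first-preference
    plurality winner). The authorities compute the full tally internally but
    release only this value."""
    firsts = Counter(ballot[0] for ballot in ballots)
    top = max(firsts.values())
    winners = sorted(c for c, n in firsts.items() if n == top)
    return winners[0] if len(winners) == 1 else tuple(winners)


def coercer_can_verify(published_full_tally, demanded_pattern):
    """Italian attack against a published full tally: the coercer looks up the
    demanded pattern. A count >= 1 for a rare pattern shows the voter complied;
    a count of 0 exposes defiance."""
    return published_full_tally[demanded_pattern] > 0


if __name__ == "__main__":
    complied = BALLOTS + [COERCED_PATTERN]
    print("full tally, voter complied:",
          coercer_can_verify(full_tally(complied), COERCED_PATTERN))   # True
    print("full tally, voter defied:  ",
          coercer_can_verify(full_tally(BALLOTS), COERCED_PATTERN))    # False
    # Publicly tally-hiding: the published value is the same whether or not the
    # coerced ballot was cast, so the coercer has nothing to check the pattern against.
    print("result only:", result_only(complied), result_only(BALLOTS))  # A A
```

The example only shows the leak and what hiding the tally from the public removes; it says nothing about verifiability, which is the property the paper adds on top of the publicly tally-hiding practice.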
Nicolas Huber, Ralf Küsters, Toomas Krips, Julian Liedtke, Johannes Müller, Daniel Rausch, Pascal Reisert, and Andreas Vogt, „Kryvos: Publicly Tally-Hiding Verifiable E-Voting“, Cryptology ePrint Archive, Technical Report 2022/1132, 2022.
Daniel Rausch, Ralf Küsters, and Céline Chevalier, „Embedding the UC Model into the IITM Model“, in Advances in Cryptology - EUROCRYPT 2022 - 41st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Trondheim, Norway, May 30 - June 3, 2022, Proceedings, Part II, 2022, pp. 242--272.
Abstract
Universal Composability is a widely used concept for the design and analysis of protocols. Since Canetti's original UC model and the model by Pfitzmann and Waidner several different models for universal composability have been proposed, including, for example, the IITM model, GNUC, CC, but also extensions and restrictions of the UC model, such as JUC, GUC, and SUC. These were motivated by the lack of expressivity of existing models, ease of use, or flaws in previous models. Cryptographers choose between these models based on their needs at hand (e.g., support for joint state and global state) or simply their familiarity with a specific model. While all models follow the same basic idea, there are huge conceptual differences, which raises fundamental and practical questions: (How) do the concepts and results proven in one model relate to those in another model? Do the different models and the security notions formulated therein capture the same classes of attacks? Most importantly, can cryptographers re-use results proven in one model in another model, and if so, how? In this paper, we initiate a line of research with the aim to address this lack of understanding, consolidate the space of models, and enable cryptographers to re-use results proven in other models. As a start, here we focus on Canetti's prominent UC model and the IITM model proposed by Küsters et al. The latter is an interesting candidate for comparison with the UC model since it has been used to analyze a wide variety of protocols, supports a very general protocol class and provides, among others, seamless treatment of protocols with shared state, including joint and global state. Our main technical contribution is an embedding of the UC model into the IITM model showing that all UC protocols, security and composition results carry over to the IITM model. Hence, protocol designers can profit from the features of the IITM model while being able to use all their results proven in the UC model. We also show that, in general, one cannot embed the full IITM model into the UC model.
Daniel Rausch, Ralf Küsters, and Céline Chevalier, „Embedding the UC Model into the IITM Model“, Cryptology ePrint Archive, Technical Report 2022/224, 2022.
Marc Rivinius, Pascal Reisert, Daniel Rausch, and Ralf Küsters, „Publicly Accountable Robust Multi-Party Computation“, in 43rd IEEE Symposium on Security and Privacy (S&P 2022), 2022, pp. 2430--2449.
Abstract
In recent years, lattice-based secure multi-party computation (MPC) has seen a rise in popularity and is used more and more in large scale applications like privacy-preserving cloud computing, electronic voting, or auctions. Many of these applications come with the following high security requirements: a computation result should be publicly verifiable, with everyone being able to identify a malicious party and hold it accountable, and a malicious party should not be able to corrupt the computation, force a protocol restart, or block honest parties or an honest third-party (client) that provided private inputs from receiving a correct result. The protocol should guarantee verifiability and accountability even if all protocol parties are malicious. While some protocols address one or two of these often essential security features, we present the first publicly verifiable and accountable, and (up to a threshold) robust SPDZ-like MPC protocol without restart. We propose protocols for accountable and robust online, offline, and setup computations. We adapt and partly extend the lattice-based commitment scheme by Baum et al. (SCN 2018) as well as other primitives like ZKPs. For the underlying commitment scheme and the underlying BGV encryption scheme we determine ideal parameters. We give a performance evaluation of our protocols and compare them to state-of-the-art protocols both with and without our target security features: public accountability, public verifiability and robustness.
Marc Rivinius, Pascal Reisert, Daniel Rausch, and Ralf Küsters, „Publicly Accountable Robust Multi-Party Computation“, Cryptology ePrint Archive, Technical Report 2022/436, 2022.