Lattice-Based Zero-Knowledge Proofs in Action: Applications to Electronic Voting

Abstract

This paper studies several building blocks needed for electronic voting in order to prepare for the post-quantum era. In particular, we present lattice-based constructions for a generic zero-knowledge (ZK) proof of ballot correctness, a ZK proof of ballot correctness applicable for the homomorphic tallying scenario, and a ZK proof to achieve cast-as-intended verification during the vote casting period. We implement and benchmark our ballot correctness proofs, giving concrete estimations comparing the performance of homomorphic tallying and mix-net based e-voting systems in case of our lattice-based constructions.

1 Introduction

Lattice-based algorithms are currently among the most mature ones to build candidates for quantum-resistant schemes. For example, out of the four finalists in the post-quantum algorithm standardization process chosen by NIST in 2022, three were based on lattices.¹

However, the NIST standardization process has focused only on signature schemes and key encapsulation mechanisms (KEMs). These are definitely two of the most common applications of public key cryptography, but they are not the only ones.

A significant domain where we need more flexible algorithms is remote electronic voting (also referred to as Internet voting). One of the main requirements for such schemes is to protect the secrecy of the votes while in transit – hence we need to encrypt them. In order to keep key management reasonable, the encryption scheme should be asymmetric. In light of quantum computing making steady progress, quantum-resistant asymmetric encryption is required for electronic voting in the near future.

Of course, threats to vote secrecy do not end with the transit channel. If the votes were decrypted one by one in the order in which they arrived to the vote collection server, it would be possible to break voter privacy by utilizing some side channels. For example, the collection server may access the IP addresses of the voters, allowing it to link the encrypted votes with their sources.

In order to fight such side channel leakages, two main strategies are proposed for vote decryption – mixing and homomorphic tallying [39]. Both of these approaches assume certain homomorphic properties of the underlying cryptosystem, which cannot be achieved with IND-CCA2 secure encryption schemes (a property that NIST has explicitly required from the post-quantum KEM candidates).

Several constructions for lattice-based mix-nets have been proposed in the literature [5, 22, 27]. In this paper, however, we will look at the currently less studied homomorphic tallying approach, building a concrete lattice-based scheme for cumulative voting.

Even though homomorphic vote aggregation can be performed on encrypted votes without having access to the private decryption key, the aggregation operation alone is insufficient to guarantee tally integrity. First, it is necessary to ensure that the decrypted tally actually corresponds to the aggregated cryptogram. Note that we can not just publish the decryption key as this would enable decrypting individual votes. Thus, we need to augment the process with an appropriate zero-knowledge proof of correct decryption.

Second, homomorphic tallying is susceptible to a fraudulent vote attack where the voter encodes, say, two votes instead of just one into the representation of her ballot. In order to prevent such attacks, the submitted vote must come with a zero-knowledge proof that the encrypted ballot actually contains a valid vote. We note that proofs of plaintext correctness also help to fight several attacks in mixnet-based electronic voting systems [40, 47].

One of the weakest points in remote electronic voting systems is the voter’s computer environment. In order to make sure that the voting device has not manipulated the vote, a reliable verification mechanism is required. Several approaches to individual vote verification have been proposed in the literature [41]. In this paper, we are going to concentrate on the cast-and-audit verification using a secondary device which has been used, e.g., in the Estonian Internet voting system IVXV since 2013 [28].

In the current (pre-quantum) implementation of the protocol, the secondary verification device gets access to the actual signed and encrypted vote together with the encryption randomness, allowing it to open the vote for auditing. It has been demonstrated² that this approach is in some sense too revealing, allowing the voter to obtain a strong receipt for her vote and hence enabling, e.g., vote selling. An elegant solution to this problem was recently proposed by Müller and Truderung, where they introduced a re-randomization step and zero-knowledge proof of correct re-randomization into the process [41]. Their proposal was limited to classical asymmetric cryptography, but we are going to build a lattice-based counterpart of this protocol in this paper.

2 Prior Works

Most of our work relies on the commitment scheme by Baum et al. [10] called BDLOP, which is additively homomorphic and has an efficient zero-knowledge proof of opening. Before [10], most of the schemes used for proving knowledge of a short solution to a linear relation used protocols derived from [46], which relied on the syndrome decoding problem. However, the soundness error for one round of the protocol was \(\frac{2}{3}\), so the proof sizes were suboptimal. Further works expanded upon [46] and built Stern-like protocols relying on the learning parity with noise [30] and ring-LWE problems [48], but still suffered from having large soundness errors. By using rejection sampling techniques from [32], Benhamouda et al. [12] managed to build a commitment scheme which allowed for small commitments and a negligible soundness error in the accompanying zero-knowledge proof. Finally, in [10], a commitment scheme was built, which allowed for statistically binding and hiding commitments based on the MLWE and MSIS problems with small commitments and a small soundness error. BDLOP remains as the staple lattice-based commitment scheme and is the basis for all the zero-knowledge proofs in our paper.

By using BDLOP commitments, Lyubashevsky et al. constructed a set membership proof in [35], which we use to prove the correctness of ballots. Also, for verifiable decryption, we use a technique by Silde [45], which uses BDLOP to commit to BGV [18] encryption noise. Finally, there is also a line of research, which gives exact proofs of short solutions to linear equations using the Number Theoretic Transform (NTT), starting from [15]. In [26], that work was improved upon and we use it to in our Cast-as-Intended protocol and also for verifiable encryption. In [34], a framework was built, which improves upon some aspects of [26] by combining BDLOP with the Ajtai commitment scheme [1], allowing for more general proofs, but putting some restrictions on the underlying modulus q. We target avoiding those restrictions in order to have more freedom in choosing our parameters. This is important because in the end we aim to combine several different proof systems into one coherent voting framework.

The aforementioned commitment schemes and proof systems have also been used previously in the construction of lattice-based online voting protocols. EVOLVE [24] was the first lattice-based post-quantum voting protocol using BDLOP commitments and zero-knowledge proofs. The scheme uses homomorphic tallying and it supports multiple candidates. Epoque [17] is an extension of EVOLVE which utilizes an identity based encryption (IBE) scheme making it the first end-to-end verifiable post-quantum voting protocol. An older homomorphic tallying scheme based on fully homomorphic encryption [20] avoided zero-knowledge proofs completely, but still achieved ballot privacy. Similarly, the BGV scheme is used for FHE in [44] and [8] with custom zero-knowledge proofs to achieve a practical homomorphic e-voting application. All of these homomorphic tallying frameworks have their own sets of strengths and none of them is clearly better than the others. However, it is clear they have not been designed with the cumulative voting scenario in mind.

There exist a number of e-voting protocols based on mix-nets that utilize lattice-based zero-knowledge proofs as well. Costa et al. developed a verifiable shuffle algorithm [22], which incorporates the commitment scheme introduced by Benhamouda et al. [12]. This method was further enhanced and implemented by Farzaliyev et al. [27], where they changed the commitment scheme to the BDLOP scheme. In parallel, Aranha et al. released a comprehensive online voting protocol featuring a more efficient mix-net [5], which employed the BGV encryption scheme and the BDLOP commitment scheme as the fundamental cryptographic elements. More recently, their methodology has been fine-tuned for the NTRU encryption scheme in [29], resulting in what may be the most efficient mix-net proof to date.

3 Preliminaries

3.1 Notation

Let q be an odd prime number, \({\mathbb {Z}}\) the set of integers and \({\mathbb {Z}}_q = {\mathbb {Z}} / q{\mathbb {Z}}\) the ring of integers modulo q where the elements are considered to be in the interval \( [-\frac{q-1}{2}, \frac{q-1}{2}]\). Vectors and matrices over \({\mathbb {Z}}_q\) are, respectively, denoted as regular lower case (e.g., \(\vec {\textit{v}} \in {\mathbb {Z}}_q^m\)) and regular capital letters (e.g., \(A \in {\mathbb {Z}}_q^{m\times n}\)), unless explicitly stated otherwise. We will be working with the polynomial rings \(\mathcal {R} = {\mathbb {Z}}[X]/(X^d+1) \) and \(\mathcal {R}_q = {\mathbb {Z}}_q[X]/(X^d+1) \) where d is a power of 2. Polynomials in these rings are written in bold lower case letters (e.g. \({\varvec{{p}}}\)), and vectors of polynomials are denoted as \(\vec {{\varvec{{b}}}}\). Similarly, matrices over \(\mathcal {R}\) or \(\mathcal {R}_q\) are denoted by bold upper case letters, e.g. \({\varvec{{B}}}\). By default, all vectors and their concatenations are column vectors. Moreover, every polynomial \( {\varvec{{a}}} = \sum _{i=0}^{d-1} a_i X^i \in \mathcal {R}_q\) can also be represented as a coefficient vector \( \vec {a} = ( a_0, a_1, \dots , a_{d-1} )^T\). Also, in \(\mathcal {R}_q\) the same element can be represented as a negacyclic matrix over \({\mathbb {Z}}_q\) (also known as a Toeplitz matrix) when it is a left multiplicand:

$$\begin{aligned} \begin{array}{lr} \mathcal {T}_{{\varvec{{a}}}} = \begin{vmatrix} a_0 & -a_{d-1} & -a_{d-2} & \cdots & -a_1 \\ a_{1} & a_0 & -a_{d-1} & \cdots & -a_{2} \\ \vdots & \ddots & \ddots & \ddots & \vdots \\ a_{d-1} & a_{d-2} & a_{d-3} & \cdots & a_0 \end{vmatrix}\; & \qquad {\varvec{{c}}} = {\varvec{{a}}} \cdot {\varvec{{b}}} \Leftrightarrow \vec {c} = \mathcal {T}_{{\varvec{{a}}}} \cdot \vec {b}. \\ \end{array} \end{aligned}$$

\(l_p\)- (for positive integer p) and \(l_{\infty }\)-norms are defined as usual:

$$\begin{aligned} \Vert {\varvec{{a}}}\Vert _{\infty } = \max _i{\mid a_i \mid }\;\;\text {and}\;\;\Vert {\varvec{{a}}}\Vert _{p} = \big (\sum _{i=0}^{d-1}\mid a_i\mid ^p\big )^{1/p}. \end{aligned}$$

These norms can naturally be extended to vectors over \(\mathcal {R}_q\). For \(\vec {{\varvec{{w}}}} = ({\varvec{{w}}}_1, \dots , {\varvec{{w}}}_k )\) in \(\mathcal {R}_q^k\), we have

$$\begin{aligned} \Vert \vec {{\varvec{{w}}}}\Vert _{\infty } = \max _i{\Vert {\varvec{{w}}}_i\Vert _{\infty }} \;\;\text {and}\;\; \Vert \vec {{\varvec{{w}}}}\Vert _{p} = \big (\sum _{i=1}^{k} \Vert {\varvec{{w}}}_i\Vert ^p_p \big )^{1/p}. \end{aligned}$$

The automorphism group of \(\mathcal {R}_q\) contains automorphisms of the form \(\sigma _i(X) = X^i\) where \(i\in {\mathbb {Z}}_{2d}^\times \). We will use the notation \(\sigma := \sigma _{2d/k+1}\) for some k, which is also a power of two.

3.2 Number Theoretic Transformation

The ring \(\mathcal {R}_q\) is partially splitting if \( q \equiv 2\,l+1 \mod 4\,l \). That is, \(X^d+1\) factors into l irreducible binomials of degree d/l in \({\mathbb {Z}}_q\),

$$\begin{aligned} X^d+1 = \prod _{i=1}^{l} (X^{d/l} - \zeta ^{2i-1}) \bmod q, \end{aligned}$$

where \(\zeta \) is a 2l-th primitive root of unity modulo q. When \(d=l\), the ring is fully splitting. Consequently, the ring is isomorphic to the direct product of residue fields:

$$\begin{aligned} \mathcal {R}_q \cong {\mathbb {Z}}_q[X]/(X^{d/l}-\zeta ) \times \cdots \times {\mathbb {Z}}_q[X]/(X^{d/l}-\zeta ^{2l-1}). \end{aligned}$$

The Number Theoretic Transform (NTT) of a polynomial is defined as a map

$$\begin{aligned} {\textbf {NTT}}: \mathcal {R}_q \rightarrow \prod _{i=1}^l {\mathbb {Z}}_q[X]/(X^{d/l}-\zeta ^{2i-1}): {\varvec{{f}}} \mapsto (\hat{f}_i )_{i=1,\dots ,l} \end{aligned}$$

where \(\hat{f}_i = f_i \mod (X^{d/l}-\zeta ^{2i-1})\). By the Chinese remainder theorem, there exists a unique inverse map, \({\textbf {NTT}}^{-1}\), such that, \({\textbf {NTT}}^{-1}({\textbf {NTT}}({\varvec{{f}}})) = {\varvec{{f}}}\) for all \({\varvec{{f}}} \in \mathcal {R}_q\).

Let \(\mathcal {M}_q = \{{\varvec{{p}}} \in {\mathbb {Z}}_q[X]: \deg ({\varvec{{p}}}) < d/l\} \) be a \({\mathbb {Z}}_q\)-module. Sometimes, one can view NTT as a map from \(\mathcal {R}_q\) to \(\mathcal {M}_q^l\), which is a common abuse of definition in the literature. Moreover, NTT has convenient properties with respect to component-wise addition/subtraction ± and multiplication \(\circ \) in \(\mathcal {M}_q^l\):

$$\begin{aligned} {\textbf {NTT}}({\varvec{{a}}}\pm {\varvec{{b}}})&= {\textbf {NTT}}({\varvec{{a}}}) \pm {\textbf {NTT}}({\varvec{{b}}}), \\ {\textbf {NTT}}({\varvec{{a}}}\cdot {\varvec{{b}}})&= {\textbf {NTT}}({\varvec{{a}}}) \circ {\textbf {NTT}}({\varvec{{b}}}). \end{aligned}$$

Later we will need the following property of NTT. Given that \(q\equiv 1\mod 2d\), we have that the sum of the NTT-coefficients of a polynomial \({\varvec{{f}}}\) is equal to its constant term times d. More precisely, given a polynomial \({\varvec{{f}}}=f_{d-1}x^{d-1}+\cdots +f_{0}\), its NTT-representation \(\mathbf {NTT({\varvec{{f}}})}=:\hat{{\varvec{{f}}}}=\hat{f}_{d-1}x^{d-1}+\cdots +\hat{f}_{0}\) and a 2d-th root of unity \(\xi \), we have that \(\hat{f}_{i}={\varvec{{f}}}(\xi ^{2(i+1)-1})\) and

$$\begin{aligned} \sum _{i=0}^{d-1}\hat{f_{i}}=\sum _{i=0}^{d-1}{\varvec{{f}}}(\xi ^{2(i+1)-1})=f_{d-1}\Sigma ^{d-1}+f_{d-2}\Sigma ^{d-2}+\cdots +df_{0}, \end{aligned}$$

where \(\Sigma ^{j}=\sum _{i=0}^{d-1}\xi ^{j(2(i+1)-1)}=\sum _{i=0}^{d-1}\xi ^{j(2i+1)}\). Now as \(\xi ^{2d}=1\), then for all \(j=1,\ldots ,d-1\)

$$\begin{aligned} \Sigma ^{j}=\sum _{i=0}^{d-1}\xi ^{j(2i+1)}=\xi ^{j}\sum _{i=0}^{d-1}({\xi ^{2j}})^{i}=\xi ^{j}\left( \frac{1-(\xi ^{2d})^j}{1-\xi ^{2j}}\right) =0, \end{aligned}$$

and we see that \(\frac{1}{d}\sum _{i=0}^{d-1}\hat{f_{i}}=f_{0}\).

3.3 Challenge Space

The ring \(\mathcal {R}_q\) does not always have inverse elements. This was shown by Lyubashevsky et al. who established a connection between the invertibility probability in this ring and how many residue fields it decomposes into [37, Corollary 1.2]. They argued that, in general, short nonzero polynomials have inverses. In lattice-based zero-knowledge proofs, the verifier often picks from a challenge set such that the difference of any two elements in that set has an inverse. However, building such a set and sampling from it uniformly is not easy.

So, Lyubashevsky et al. suggested another way where they relaxed the invertiblity condition. They set the challenge space as the set of ternary polynomials \(\mathcal {C} = \{-1,0,1\}^d \subset \mathcal {R}\). Coefficients of a challenge \({\varvec{{c}}} \in \mathcal {C}\) are independently and identically distributed so that 0 has probability 1/2 and \(\pm 1\) both have probability 1/4. In [7, Lemma 3.3], it is proven that if \({\varvec{{c}}} \leftarrow \mathcal {C}\), the distribution of coefficients of \( {\varvec{{c}}} \bmod (X-\zeta )\) is nearly uniform and the highest probability of coefficients over \( {\mathbb {Z}}_q \) is limited. We call this limit \(\varepsilon \). For instance, in [7] it is calculated that \(\varepsilon =2^{-31.44}\) for \(d=128\), \(q\approx 2^{32}\). An element \({\varvec{{c}}} \) in the partially splitting ring \(\mathcal {R}_q\) is non-invertible when \({\varvec{{c}}} \bmod (X-\zeta ^{2i-1}) = 0\) for any \(i=1,\dots ,l\). Then the difference of any two challenges \(\bar{{\varvec{{c}}}} = {\varvec{{c}}} - {\varvec{{c}}}^\prime \) is non-invertible with probability at most \(\varepsilon ^{d/l}\).

3.4 Error Distributions

In lattice-based cryptography, the security levels of proposed cryptographic protocols depend on the error distribution. For earlier proposals, the security reductions required the errors to be sampled from a discrete Gaussian distribution [23, 36]. However, for practical purposes, many authors have chosen a centered binomial distribution [4, 25] or an uniform distribution on a small interval [19] instead. We also use these distributions in the construction of our protocol.

The usual continuous normal distribution over \({\mathbb {R}}\) centered at \(a\in {\mathbb {R}}\) with standard deviation \(\sigma \) is given by

$$\begin{aligned} \rho _{a,\sigma }(x)=\frac{1}{\sigma \sqrt{2\pi }}\exp {\left( \frac{-|x-a|^2}{2\sigma ^2}\right) }. \end{aligned}$$

We omit indices, when \(a=0\) or \(\sigma = 1\). By normalizing over \({\mathbb {Z}}\), we get the discrete Gaussian distribution, defined as

$$\begin{aligned} D_{a,\sigma }(x)=\frac{\rho _{a,\sigma }(x)}{\rho _{\sigma }({\mathbb {Z}})}, \end{aligned}$$

where \(\rho _{\sigma }({\mathbb {Z}})=\sum _{x\in {\mathbb {Z}}}\rho _{\sigma }(x)\).

We denote sampling from the discrete Gaussian distribution as \(x\leftarrow D_{a,\sigma }\). When sampling from other distributions, we specify the notation beforehand or use \(\chi \) to represent an arbitrary distribution.

3.5 Rejection Sampling

It is common practice to hide the secret commitment randomness \(\vec {{\varvec{{r}}}} \in \mathcal {R}_q^\kappa \) using another vector \(\vec {{\varvec{{z}}}}\) and to then use rejection sampling in order to not leak any information about \(\vec {{\varvec{{r}}}}\). For this, we recall three different rejection sampling algorithms.

Uniform distribution. For some of the protocols below, we will be using the uniform rejection sampling technique from [25]. In the protocol, the prover samples a "masking" vector \(\vec {{\varvec{{y}}}}\) using uniform distribution in \( [-\delta +1, \delta ]\). Upon receiving the challenge \({\varvec{{c}}} {\mathop {\leftarrow }\limits ^{\$}} \mathcal {C}\) from the verifier, the prover responds with the "masked" vector \(\vec {{\varvec{{z}}}} = \vec {{\varvec{{y}}}} + {\varvec{{c}}}\vec {{\varvec{{r}}}}\). The dependency of \(\vec {{\varvec{{z}}}}\) on \(\vec {{\varvec{{r}}}}\) is removed if \(\Vert \vec {{\varvec{{z}}}}\Vert _\infty < \delta - \beta \) where \(\Vert {\varvec{{c}}}\vec {{\varvec{{r}}}}\Vert _\infty \le \beta \). Otherwise, the prover rejects the masked vector and aborts the protocol to start over again.

The expected number of repetitions M required by rejection sampling can be estimated by

$$\begin{aligned} 1/M = \Big (\frac{2(\delta -\beta )-1}{2\delta -1}\Big )^{\kappa d} \approx e^{-\kappa d \beta /\delta }. \end{aligned}$$

For more details, see [25]. The parameter \(\delta \) is typically chosen such that the expected value of M is small (say, 2 or 3).

Discrete Gaussian distribution. When a masking vector \(\vec {{\varvec{{y}}}}\) is sampled from a discrete Gaussian distribution \(D_\sigma ^{ld}\), the dependency of \(\vec {{\varvec{{z}}}}=\vec {{\varvec{{y}}}}+{\varvec{{c}}}\vec {{\varvec{{r}}}}\) on \({\varvec{{c}}}\vec {{\varvec{{r}}}}\) can be removed by using the following two rejection sampling techniques from [35]. The first technique \(\text {Rej}_0\) samples \(u\leftarrow [0,1)\) uniformly and checks if

$$\begin{aligned} u>\frac{1}{M}\exp \left( \frac{-2\langle \vec {{\varvec{{z}}}},{\varvec{{c}}}\vec {{\varvec{{r}}}}\rangle +\Vert {\varvec{{c}}}\vec {{\varvec{{r}}}}\Vert _2^2}{2\sigma ^2}\right) . \end{aligned}$$

(1)

If yes, then the prover rejects and starts the protocol from the beginning.

The second technique \(\text {Rej}_1\) is similar. The difference is that before checking the inequality (1), the prover checks if \(\langle \vec {{\varvec{{z}}}},{\varvec{{c}}}\vec {{\varvec{{r}}}}\rangle <0\). If yes, the prover rejects. If no, the prover continues as in \(\text {Rej}_0\). If we set \(\sigma =\alpha \Vert {\varvec{{c}}}\vec {{\varvec{{r}}}}\Vert _2\), then in order to get \(M=3\) the \(\text {Rej}_0\) technique requires \(\alpha =11\), whereas for \(\text {Rej}_1\) it is enough to set \(\alpha =0.675\).

3.6 Lattice-Based Cryptography

3.6.1 Hard Problems

In lattice-based cryptography, many cryptographic primitives are built upon different forms of learning with errors and short integer solution problems, particularly the Ring-LWE (RLWE) [36], Module-LWE (MLWE) and Module-SIS (MSIS) problems [23, 42]. We give their definitions in Appendix A.

3.6.2 Commitment Scheme

In this work, we will be using a variant of the BDLOP commitment scheme [10]. Let \({\varvec{{B}}}_{0} \in \mathcal {R}^{\mu \times (\mu + \lambda + \ell )}_q\), \(\vec {{\varvec{{b}}}}_{1},\dots ,\vec {{\varvec{{b}}}}_{\ell } \in \mathcal {R}^{\mu + \lambda + \ell }_q\) and \( \vec {{\varvec{{r}}}} \leftarrow \chi ^{(\mu + \lambda + \ell )d}\). The commitment of a polynomial vector \({\varvec{{m}}} \in \mathcal {R}_q^\ell \) is a tuple \((\vec {{\varvec{{t}}}}_{0}, {\varvec{{t}}}_{1}, \dots , {\varvec{{t}}}_\ell )\), where \(\vec {{\varvec{{t}}}}_{0} = {\varvec{{B}}}_{0} \vec {{\varvec{{r}}}}\) and \({\varvec{{t}}}_{i} = \langle \vec {{\varvec{{b}}}}_{i}, \vec {{\varvec{{r}}}} \rangle + {\varvec{{m}}}_i\) for \(i=1,\dots ,\ell \).

It is easy to see that the commitment scheme is computationally binding and hiding due to the \(\textsf {MSIS}_\mu \) and \(\textsf {MLWE}_\lambda \) assumptions, respectively.

3.6.3 Encryption Scheme

The underlying encryption scheme, which we use to build up cryptosystems in the following sections, is based on the BGV encryption scheme presented in [18]. Let p be another prime number less than q. We define a noise distribution \(\chi \) over \(\{-1,0,1\}\). The plaintext space is the ring \(\mathcal {R}_{p}=\mathcal {R}/p\mathcal {R}\). Let \({\varvec{{s}}}\overset{\$}{\leftarrow }\chi ^{d}\) and the secret key is \(\vec {{\varvec{{sk}}}}=(-{\varvec{{s}}}, 1)\).

For the public key, choose \({\varvec{{a}}}\overset{\$}{\leftarrow } \mathcal {R}_{q}\) uniformly and define \({\varvec{{b}}}\leftarrow {\varvec{{a}}}\cdot {\varvec{{s}}}+p\cdot {\varvec{{e}}}\), where \({\varvec{{e}}}\overset{\$}{\leftarrow }\chi ^{d}\). Then the public key is defined as

$$\begin{aligned} {\varvec{{pk}}}:= {\textbf {A}}:= \begin{pmatrix} {\varvec{{a}}} & \; p & \;\; 0& \\ {\varvec{{b}}} & \; 0 & \;\; p& \end{pmatrix}. \end{aligned}$$

To encrypt a message \({\varvec{{m}}}\in \mathcal {R}_{p}\), we first form the vector \(\vec {{\varvec{{m}}}}\leftarrow (0, {\varvec{{m}}})\). Then to encrypt, we just generate a vector \(\vec {{\varvec{{r}}}}=({\varvec{{r}}}_{1},{\varvec{{r}}}_{2},{\varvec{{r}}}_{3})\overset{\$}{\leftarrow }\chi ^{3d}\) and the ciphertext \(\vec {{\varvec{{c}}}}\) is

$$\begin{aligned} \vec {{\varvec{{c}}}} = \vec {{\varvec{{m}}}}+{\textbf {A}}\vec {{\varvec{{r}}}}=\begin{pmatrix} {\varvec{{a}}}{\varvec{{r}}}_{1}+p{\varvec{{r}}}_{2}\\ {\varvec{{b}}}{\varvec{{r}}}_{1}+p{\varvec{{r}}}_{3}+{\varvec{{m}}} \end{pmatrix}. \end{aligned}$$

To decrypt, we just take the dot product of the ciphertext and the secret key and then reduce it first by q and then by p. Therefore

$$\begin{aligned} [[\langle \vec {{\varvec{{c}}}},\vec {{\varvec{{sk}}}}\rangle ]_{q}]_{p}&={\varvec{{m}}}+{\varvec{{b}}}{\varvec{{r}}}_{1}+p{\varvec{{r}}}_{3}-{\varvec{{s}}}{\varvec{{a}}}{\varvec{{r}}}_{1}-p{\varvec{{s}}}{\varvec{{r}}}_{2}\mod p={\varvec{{m}}}+{\varvec{{r}}}_{1}({\varvec{{b}}}-{\varvec{{s}}}{\varvec{{a}}})\\&+p{\varvec{{r}}}_{3} - p{\varvec{{s}}}{\varvec{{r}}}_2\mod p= {\varvec{{m}}}+p({\varvec{{r}}}_{1}{\varvec{{e}}} + {\varvec{{r}}}_3 - {\varvec{{s}}}{\varvec{{r}}}_2)\mod p={\varvec{{m}}} \end{aligned}$$

The correctness of the given encryption scheme depends on the encryption noise, i.e, if \(\Vert [\langle \vec {{\varvec{{c}}}},\vec {{\varvec{{sk}}}}\rangle ]_{q}\Vert _\infty < \lfloor q/2\rfloor \), then the decryption algorithm will recover the plaintext successfully. The scheme is CPA-secure if RLWE\(_\chi \) is hard.

The BGV encryption scheme is naturally additively homomorphic. Adding two ciphertexts produces a new valid ciphertext, but with slightly increased noise. If the final noise of the aggregated ciphertexts is still less than the allowed threshold, then the decryption of the sum of ciphertexts will result in the actual sum of the plaintexts. More generally, the BGV scheme is said to be \(\tau \)-correct if the sum of \(\tau \) honestly generated ciphertexts successfully decrypts to the sum of the corresponding plaintexts with overwhelming probability.

3.7 Zero-Knowledge Proofs of Multiplicative and Linear Relations

Let \({\varvec{{m}}}_1, {\varvec{{m}}}_2\) and \({\varvec{{m}}}_3\) be messages such that \({\varvec{{m}}}_3 = {\varvec{{m}}}_1\cdot {\varvec{{m}}}_2\). Attema \(et al. \) constructed a zero-knowledge proof of knowledge protocol in [7, Algorithm 4] using the commitment scheme from Sect. 3.6.2. The protocol requires only one committed garbage term. By employing the Fiat-Shamir transformation, it can be turned into a non-interactive zero-knowledge protocol and the resulting proof size is \(d\lceil \log {q}\rceil + k(\lambda + \mu + 4)d\lceil \log {q}\rceil + 256\) bits,³ where \(\mu \) and \(\lambda \) are module ranks for \(\textsf {MSIS}\) and \(\textsf {MLWE}\) respectively. The parameter k is used to boost knowledge soundness. Furthermore, the protocol works the same way and the proof size scales linearly for many triplets of messages, without needing extra garbage terms.

Following the similar proof design and coming up with a strategy on how to turn inner products in \({\mathbb {Z}}_q\) to polynomial expressions in \(\mathcal {R}_q\), Esgin \(et al. \) [26] proposed a zero-knowledge proof of knowledge protocol for proving equations of the type \(A\vec {s}=\vec {u}\) in \({\mathbb {Z}}_q\), where \(\vec {s}\) is a secret ternary vector of dimension n and the remaining terms are publicly known. To prove that \(\vec {s}\) is ternary, properties of NTT are used. First by mapping \(\vec {s}\) to n/d vectors \(\vec {s_{i}}\), it is natural to apply inverse NTT to them and prove that for every polynomial \({\widehat{{\varvec{{s}}}_{i}}}=\textbf{NTT}^{-1}(\vec {s_{i}})\), the following equality holds:

$$\begin{aligned} \textbf{NTT}({\widehat{{\varvec{{s}}}_{i}}}(\widehat{{\varvec{{s}}}_{i}}-\textbf{1})(\widehat{{\varvec{{s}}}_{i}}+\textbf{1}))= \vec {{s}_{i}}\circ (\vec {{s}_{i}}-\vec {1})\circ (\vec {{s}_{i}}+\vec {1})=\vec {0}, \end{aligned}$$

where \(\circ \) is the component-wise product.

The authors also use the property that the scaled sum of the NTT-coefficients of a polynomial \({\varvec{{f}}}\) is equal to its constant term. Let \(\vec {s}={\textbf {NTT}}(\textbf{s})\) for some polynomial \(\textbf{s}\). To prove the linear relation \(A\vec {s}=\vec {u}\), the verifier sends a challenge \(\vec {\gamma }\in {\mathbb {Z}}_{q}^{m}\) and then the prover shows that

$$\begin{aligned} \langle A\vec {s}-\vec {u},\vec {\gamma }\rangle&=\langle A\vec {s},\vec {\gamma }\rangle -\langle \vec {u},\vec {\gamma }\rangle =\langle \vec {s},A^{T}\vec {\gamma }\rangle -\langle \vec {u},\vec {\gamma }\rangle \\ &=\sum _{i=1}^{d}\left( {\varvec{{s}}}(\xi ^{2i-1})\left( {\textbf {NTT}}^{-1}(A^{T}\vec {\gamma })\right) (\xi ^{2i-1})-\langle \vec {u},\vec {\gamma }\rangle \right) \\ &=\frac{1}{d}\sum _{i=1}^{d}{\varvec{{f}}}(\xi ^{2i-1})=f_{0}=0, \end{aligned}$$

where \({\varvec{{f}}}:={\textbf {NTT}}^{-1}(dA^{T}\vec {\gamma }){\varvec{{s}}}-\langle \vec {u},\vec {\gamma }\rangle \) and \(f_{0}\) is the constant term of \({\varvec{{f}}}\).

Without additional optimizations, the size of the non-interactive proof after applying the Fiat-Shamir transformation is \((\mu + n/d + 4) d\lceil \log {q}\rceil + k (\lambda + \mu + n/d + 3) d\lceil \log {q}\rceil \), excluding the commitments.

4 Verifiable e-Voting

4.1 Generic Ballot Correctness Proof

We are now going to describe a protocol which gives a zero-knowledge proof that the encrypted message indeed encrypts a valid candidate identifier from the given (public) candidate list. Our approach is based on Lyubashevsky et al. [35].

The protocol is as follows. Assume that \(\mathcal R_q\) is partially splitting. We denote \(\mathcal M_q=\{{\varvec{{p}}}\in \mathbb Z _q[X]:\deg ({\varvec{{p}}})<d/l\}\). Let us have \(n=l^m\) users (where \(m\geqslant 2\)) and a public matrix \({\varvec{{A}}}\in \mathcal R_q^{k\times \ell }\). Every user has a secret key \(\vec {{\varvec{{s}}}}\in [-\kappa ,\kappa ]^{\ell d}\) and a corresponding public key \(\vec {{\varvec{{pk}}}}:={\varvec{{A}}}\vec {{\varvec{{s}}}}\). Let \(\vec {{\varvec{{s}}}}_\iota \) and \(\vec {{\varvec{{pk}}}}_\iota \) be the secret key and the public key of the \(\iota \)-th user, accordingly. The protocol proves that the \(\iota \)-th user knows the secret \(\vec {{\varvec{{s}}}}_\iota \) such that \({\varvec{{A}}}\vec {{\varvec{{s}}}}_\iota \in \{\vec {{\varvec{{pk}}}}_1,\ldots ,\vec {{\varvec{{pk}}}}_n\}\), without revealing the index \(\iota \).

The prover (the \(\iota \)-th user) decomposes the vector \(\vec {v}\in \{0,1\}^n\), where the \(\iota \)-th component is 1 and others are 0, into a tensor product \(\vec {v}=\vec {v}_1\otimes \ldots \otimes \vec {v}_m\). Note that the vectors \(\vec {v}_i\in \{0,1\}^l\), \(i=1,\ldots ,m\), are uniquely defined and \(\vec {v}_i\circ (\vec {v}_i-\vec {1})=\vec {0}\), \(\langle \vec {1},\vec {v}_i\rangle =1\). The secret key is masked using \(\vec {{\varvec{{y}}}}^\prime {\mathop {\leftarrow }\limits ^{\$}} D_{\sigma ^\prime }^{\ell d}\). Let \({\varvec{{c}}}\) and \({\varvec{{c}}}^\prime \) be challenges sent by the verifier. Now, define P as

$$\begin{aligned} P:=\left( \left. {\textbf {NTT}}(-{\varvec{{c}}}'\cdot \vec {{\varvec{{pk}}}}_1)\right| \ldots \left| {\textbf {NTT}}(-{\varvec{{c}}}'\cdot \vec {{\varvec{{pk}}}}_n)\right. \right) \in \mathcal M_q^{kl\times n} \end{aligned}$$

and

$$\begin{aligned} \vec {x}_1:={\textbf {NTT}}(\vec {{\varvec{{w}}}}^\prime -{\varvec{{A}}}\vec {{\varvec{{z}}}}^\prime ) \end{aligned}$$

where \(\vec {{\varvec{{w}}}}^\prime = A\vec {{\varvec{{y}}}}^\prime \) and \(\vec {{\varvec{{z}}}}^\prime = \vec {{\varvec{{y}}}}^\prime + {\varvec{{c}}}^\prime \vec {{\varvec{{s}}}}\). Notice that, \({\varvec{{A}}}\vec {{\varvec{{s}}}}_\iota \in \{\vec {{\varvec{{pk}}}}_1,\ldots ,\vec {{\varvec{{pk}}}}_n\}\) is now equivalent to showing \(P\vec {v} = \vec {x}_1\). This is achieved by using two algebraic tricks. First, using the linear properties of the tensor product, one can show that

$$\begin{aligned} \langle P\cdot (\vec {v}_1\otimes \vec {v}_2\otimes \dots \otimes \vec {v}_m) - \vec {x}_1, \vec {\gamma } \rangle = \langle \vec {v}_1, P^\prime \cdot (\vec {v}_2\otimes \dots \otimes \vec {v}_m) \rangle - \langle \vec {x}_1,\vec {\gamma }\rangle = 0 \end{aligned}$$

for any random \(\vec {\gamma }\in \mathcal {M}_q^{kl}\) and \(P^\prime \) is defined as

$$\begin{aligned} P^\prime :=\begin{pmatrix} \vec {\gamma }_j^T P_{1}\\ \vdots \\ \vec {\gamma }_j^T P_{l} \end{pmatrix}\in \mathcal {M}_q^{l\times l^{m-1}}. \end{aligned}$$

where we set \(P = [ P_1 \mid P_2 \mid \cdots \mid P_l ]\). Thus, the main linear relation \(P(\vec {v}_1\otimes \vec {v}_2\otimes \dots \otimes \vec {v}_m) = \vec {x}_1\) is reduced to a smaller instance \(P^\prime (\vec {v}_2\otimes \dots \otimes \vec {v}_m) = \vec {x}_2\). This reduction can be recursively applied until we reach the base relation \(P_m\vec {v}_m = \vec {x}_m\). At this point, one could simply use the linear proof from [26] to show the base relation. Instead, the authors follow a slightly different path. In [26], the right hand side of the linear equation is public, whereas in this protocol \(\vec {x}_m\) should be kept private. Then the second trick is used to prove \(P_m\vec {v}_m=\vec {x}_m\) where both \(\vec {v}_m\) and \(\vec {x}_m\) are secret. Roughly speaking, the trick is to prove the augmented relation \([P_m | -I]\begin{pmatrix} \vec {v}_m \\ \vec {x}_m \end{pmatrix}=0\) using the linear proof from [26].

In conclusion, in the SMILE paper [35], the authors construct a set membership proof using a recursive approach and show the correctness of the recursion steps using product proofs and a single linear proof to prove the final step. Interested readers should refer to the original paper for a detailed description of the protocol. Overall, the zero-knowledge protocol is complete with probability approximately \(1/(2M^2)\), has knowledge soundness error at least \(32\varepsilon ^{d/l}\) and is honest-verifier zero-knowledge assuming Extended-MLWE is hard. For a detailed security proof, refer to [35, Appendix B].

In this work, we subtly modify the SMILE protocol to support the \(m=1\) case, where there is no need for recursion. These small changes include redefining the challenge set for \(\vec {\gamma }\) and the garbage terms. The protocol is explicitly given in Fig. 7. Although we omit a technical security proof, these changes do not affect completeness, soundness nor zero-knowledge properties.

Now we describe how to use the protocol in a voting system. Let us have \(n=l^m\) and list of candidates \((\textbf{cand}_1,\ldots ,\textbf{cand}_n)\). For every \(i=1,\ldots ,n\) we take \(\textbf{cand}_i\in R_p\).

For encryption we use the encryption scheme from subsection 3.6.3. If the ciphertext of \(\textbf{cand}_\iota \) is \(\vec {{\varvec{{c}}}}=\begin{pmatrix}{\varvec{{c}}}_1&{\varvec{{c}}}_2\end{pmatrix}^T\) we take

$$\begin{aligned} {\varvec{{A}}}= \begin{pmatrix} {\varvec{{c}}}_1& {\varvec{{a}}} & p & 0\\ {\varvec{{c}}}_2& {\varvec{{b}}} & 0 & p \end{pmatrix}, \vec {{\varvec{{S}}}} = \begin{pmatrix} 1\\ poly r_1\\ poly r_2\\ poly r_3 \end{pmatrix}, \end{aligned}$$

where p is chosen as in subsection 3.6.3, \(k=2\) and \(\ell =4\). Then

$$\begin{aligned} {\varvec{{A}}}\vec {{\varvec{{S}}}}=\begin{pmatrix}0\\ \textbf{cand}_\iota \end{pmatrix} \in \left\{ \begin{pmatrix} 0\\ \textbf{cand}_1\ \end{pmatrix},\ldots ,\begin{pmatrix} 0\\ \textbf{cand}_n\ \end{pmatrix}\right\} \end{aligned}$$

and we can apply the protocol.

Furthermore, we can add as many rows and columns of zeroes to the matrix \({\varvec{{A}}}\) and as many zeroes to the vector \(\vec {{\varvec{{S}}}}\) as we want, if we need to use some certain parameters k and \(\ell \).

4.2 Ballot Correctness Proofs for Homomorphic Tallying

In this subsection, we consider a lattice-based homomorphic tallying scheme for cumulative voting, i.e., a voting system where each voter has multiple votes and can spread them between different candidates, possibly giving several votes to one candidate.

Despite receiving some game-theoretic criticism [11], cumulative voting has its benefits ensuring better proportional representation of minorities [31]. This method of voting been adopted in a number of jurisdictions in U.S., including Port Chester, New York; Worcester County, Maryland; Boerne, Texas; and Peoria, Illinois. It was used for more than a century to elect the lower house of the Illinois state legislature [11]. Besides the U.S., cumulative voting has also been used for political elections in Germany [16], and it is a well-established method used in corporate voting [14, 43].

While post-quantum homomorphic tallying has gained some research interest in recent years [8, 17, 21, 24, 44], none of these works are adaptable to cumulative voting.

Let there be \(N_c\) candidates and let the voter be allowed to give at most \(l_c\) votes for each candidate. Instead of encrypting the votes per candidate, the voter packs all her votes into a single vector \(\vec {v} \in {\mathbb {Z}}^d\) such that \(v_i \in [0, l_c]\) for \(0\le i< N_{c}\), \(v_i=0\) for \(N_c\le i<d\). Moreover, we assume that the voter can distribute \(l_s\) votes altogether, i.e \(\sum _{i=0}^{d-1} v_i = l_s\).

It is straightforward to check that \(\sum _{i=0}^{d-1} v_i = l_s\). Simply, one can rewrite the same equality in terms of an inner product \(\langle \vec {v}, (1, 1, \dots , 1) \rangle = l_s\) or in matrix form:

$$\begin{aligned} B\cdot \vec {v} = \begin{pmatrix} 1 & 1 & \dots & 1 \\ 0 & 0 & \dots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \dots & 0 \\ \end{pmatrix} \cdot \begin{pmatrix} v_0 \\ v_1 \\ \vdots \\ v_{d-1} \end{pmatrix} = \begin{pmatrix} l_s \\ 0 \\ \vdots \\ 0 \end{pmatrix} \end{aligned}$$

(2)

Proof that an integer belongs to a certain range is often implemented by decomposing the secret value into a binary vector and arguing that this binary vector contains only 0 s and 1 s, and that there are at most a certain number of them. This approach has logarithmic overhead in terms of resources for a single integer. To show that all the coefficients of a vector are in the given range (i.e., its \(l_\infty \)-norm is bounded), this process should be repeated for each coefficient individually. The main difficulty here is decomposing a committed polynomial to a vector of binary representations of its coefficients. A simpler, but more costly alternative is to make use of component-wise multiplication in the NTT-domain. Moreover, if the coefficients of the vector \(\vec {v}\) are in the interval \([0, l_c]\), then \(\vec {v} \circ (\vec {v} - \vec {1})\circ (\vec {v} - \vec {2})\circ \dots \circ (\vec {v} -\vec {l_c}) = 0\). As before, if \({\textbf {NTT}}({\varvec{{m}}}) = \vec {v}\), then the previous equality can be transferred into the \(\mathcal {R}_q\)-domain as

$$\begin{aligned} {\varvec{{m}}} \cdot ({\varvec{{m}}}-1) \cdot ({\varvec{{m}}}-2) \cdot \ldots \cdot ({\varvec{{m}}}-l_c) = \textbf{0} \end{aligned}$$

(3)

Unfortunately, this approach requires at least \(l_c\) extra commitments for intermediate partial products, significantly affecting the ballot size.

To ensure vote privacy, we use the BGV encryption scheme:

$$\begin{aligned} \vec {{\varvec{{c}}}} = \vec {{\varvec{{v}}}}+{\varvec{{pk}}}\cdot \vec {{\varvec{{r}}}}, \end{aligned}$$

(4)

where \(\vec {{\varvec{{v}}}} = (0, {\varvec{{v}}})\) and \({\varvec{{v}}}\) is the polynomial obtained by reducing \(\vec {v}\) into \(\mathcal {R}_p\). Finally, the voter proves that the BGV ciphertext and the BDLOP commitment contain the same message. Naïvely, one would combine the proof of plaintext knowledge for a BGV ciphertext and the proof of opening for a BDLOP commitment. Here, a problem arises due to the fact that the ciphertext contains the NTT-representation of the committed message instead of the message itself. Hence, such a relation should also be taken into account in zero-knowledge fashion. For example, the verifiable encryption scheme proposed in [33] appends extra relations under the ciphertext vector and obtains a \({\varvec{{A}}}\vec {{\varvec{{s}}}} = \vec {{\varvec{{u}}}}\) relation. Moreover, in that scheme the prover actually proves knowledge of \(\vec {{\varvec{{s}}}}^\prime \) that contains the relaxed plaintext, randomness and error terms used in encryption and that they also satisfy certain linear relations. While this would also work in our case, we follow another approach that will guarantee knowledge of the exact plaintext and the other parameters show that the given ciphertext is indeed a valid BGV ciphertext. Therefore, there is no need to modify the decryption algorithm. Semantically, we also prove a \(A\vec {s} = \vec {u}\) relation (but in \({\mathbb {Z}}_q\)). However, the main difference in this approach is that we do not have to append extra matrices or vectors to show some properties of the plaintext. Because the protocol commits to \({\varvec{{s}}}_i\) such that \({\textbf {NTT}}({\varvec{{s}}}_i) = s_i\), then the expected properties can be shown by using these commitments.

When equations (4) and (2) are written in matrix form, we obtain

$$\begin{aligned} \begin{pmatrix}\vec {{\varvec{{c}}}} \\ {\varvec{{l}}}_s \end{pmatrix} = \begin{bmatrix} {\varvec{{pk}}} & \begin{pmatrix} {\varvec{{0}}} \\ {\varvec{{1}}} \end{pmatrix} \\ {\varvec{{0}}}_{1\times 3} & B \end{bmatrix} \cdot \begin{pmatrix}\vec {{\varvec{{r}}}} \\ \vec {{\varvec{{v}}}}\end{pmatrix} \end{aligned}$$

(5)

where \({\varvec{{l}}}_s\) is a constant polynomial with the zeroth coefficient equal to \(l_s\). Moreover, we expand every polynomial in the matrix in the middle to it’s Toeplitz representation and denote the resulting matrix by \(\bar{A}\). We also denote the concatenated coefficient vector of \(( \vec {{\varvec{{r}}}},\vec {{\varvec{{v}}}})\) by \(\vec {s}\). Next, we rewrite (5) as \(\bar{A}\vec {s} = \vec {u}\) where \(\vec {u}\) is the concatenated coefficient vector of \(\vec {{\varvec{{c}}}}\) and \({\varvec{{l}}}_s\). We extend the unstructured linear relations proof by Esgin et al. [26] and include arguments for the ballot properties. A detailed description of the protocol is depicted in Algorithms 1 and 2. The zero-knowledge and soundness analysis is presented in Appendix B.1.

Algorithm 1

The verifiable encryption algorithm

Algorithm 2

The verification algorithm

4.3 Cast-as-Intended Verifiability

Cast-as-intended verification is designed to convince the voter that her vote reached the vote collection service in the way she intended. A number of techniques have been proposed in the literature to achieve this property; see Marky et al. for a good overview [38].

In this paper, we are going to concentrate on the approach using a secondary verification device first proposed by Heiberg and Willemson [28]. In this approach (used for example in the Estonian Internet voting system IVXV), the verification device is provided with the encryption randomness and vote ID (transferred from the voting device via a QR code). The verification device uses the vote ID to fetch the encrypted vote from the vote collector service and the encryption randomness to open the encryption.

In the original version of [28], RSA encryption was used, so opening the encryption was implemented by going through the list of valid candidate identifiers and creating all the corresponding cryptograms. However, since 2017, ElGamal encryption is used in IVXV, allowing to open the encryption of the vote using the encryption randomness much more efficiently. However, in both cases, the encryption randomness serves as a receipt of voting that can, in principle, be used in coercive scenarios like vote selling.

An elegant solution to this problem was proposed by Müller and Truderung in 2023 [41]. They require that the underlying encryption scheme has two properties: re-randomization and special decryption. Re-randomization allows anyone with access to the public key to alter the ciphertext in a way that changes the randomness used during encryption, but doesn’t change the underlying plaintext. Special decryption allows anyone with access to the public key and the randomness used during encryption to decrypt the vote without knowledge of the secret key. For most encryption schemes based on LWE, these functions are easily definable.

The protocol also includes a proof of correct re-randomization that is run between the voting server and the audit device. In our implementation, we use the approach proposed by Esgin et al. [26] to prove knowledge of a ternary solution to a linear equation \(A\vec {s}=\vec {u}\) over \({\mathbb {Z}}_{q}\). In our case, encryption randomness is a vector of ternary polynomials and re-randomization is implemented by adding an encryption of zero to the ciphertext, which is just the public key multiplied with the new randomness. As our encryption scheme works over \(\mathcal {R}_{q}\), but the linear equation in the proof is over \({\mathbb {Z}}_{q}\), we also need a way to convert all matrices and vectors over \(\mathcal {R}_{q}\) to matrices and vectors over \({\mathbb {Z}}_{q}\) while preserving multiplication. This can be done easily by using Toeplitz matrices.

In the following we present a detailed description of the cast-as-intended protocol. Later we shall describe the re-randomization proof separately. The brief security analysis of the whole protocol is described in B.2.

4.3.1 Re-randomization and Special Decryption

In the protocol, we require two properties of our encryption scheme: re-randomization and special decryption. Let us now describe them more closely and show how our encryption scheme satisfies them. Formally, we have a public key encryption scheme (KeyGen, Enc, Dec).

• Re-randomization. For re-randomization we require a probabilistic polynomial-time algorithm ReRand, which takes as input a public key \({\varvec{{pk}}}\) together with a ciphertext \(\vec {{\varvec{{c}}}}=\texttt {Enc}({\varvec{{pk}}},{\varvec{{m}}},\vec {{\varvec{{r}}}})\) and returns a ciphertext \(\vec {{\varvec{{c}}}}^{*}\) such that \(\vec {{\varvec{{c}}}}^{*}=\texttt {Enc}({\varvec{{pk}}},{\varvec{{m}}},\vec {{\varvec{{r}}}}^{*})\) for some randomness \(\vec {{\varvec{{r}}}}^{*}\). We require \(\texttt {ReRand}\) to be homomorphic with regards to randomness, i.e.

  $$\begin{aligned} \texttt {Enc}({\varvec{{pk}}},{\varvec{{m}}},\vec {{\varvec{{x}}}}+\vec {{\varvec{{r}}}})=\texttt {ReRand}({\varvec{{pk}}},\texttt {Enc}({\varvec{{pk}}},{\varvec{{m}}},\vec {{\varvec{{r}}}}),\vec {{\varvec{{x}}}}). \end{aligned}$$

  In the case of our encryption scheme we have

  $$\begin{aligned} \texttt {ReRand}({\varvec{{pk}}}={\textbf {A}},\texttt {Enc}({\varvec{{pk}}},{\varvec{{m}}},\vec {{\varvec{{r}}}}),\vec {{\varvec{{x}}}})={\varvec{{m}}}+{\textbf {A}}\vec {{\varvec{{r}}}}+{\textbf {A}}\vec {{\varvec{{x}}}}={\varvec{{m}}}+{\textbf {A}}(\vec {{\varvec{{x}}}}+\vec {{\varvec{{r}}}}). \end{aligned}$$

  Formally there is an issue that the sum of two ternary polynomials is not exactly ternary, and therefore the error distribution of the randomness of the re-randomized ciphertext is different. However, this issue is bypassed in the zero-knowledge proof (as seen later) and as the ciphertext is decrypted using special decryption, the error distribution of the randomness does not effect decryption during the protocol.

• Special decryption. For special decryption, we require a polynomial-time algorithm \(\texttt {SpecDec}\), which takes as input the public key \({\varvec{{pk}}}\), ciphertext \(\vec {{\varvec{{c}}}}\) and randomness \(\vec {{\varvec{{r}}}}\) and returns the plaintext \({\varvec{{m}}}\) if \(\vec {{\varvec{{c}}}}=\texttt {Enc}({\varvec{{pk}}},{\varvec{{m}}},\vec {{\varvec{{r}}}})\), or fails otherwise. In our case we have

  $$\begin{aligned} \texttt {SpecDec}({\varvec{{pk}}}={\textbf {A}},\vec {{\varvec{{c}}}},\vec {{\varvec{{r}}}})=\vec {{\varvec{{c}}}}-{\textbf {A}}\vec {{\varvec{{r}}}}={\varvec{{m}}}+{\textbf {A}}\vec {{\varvec{{r}}}}-{\textbf {A}}\vec {{\varvec{{r}}}}={\varvec{{m}}}. \end{aligned}$$

4.3.2 Proof of Correct Re-randomization

The zero-knowledge proof used for proving correct re-randomization is based on [26] by Esgin et al. It provides a proof of knowledge of a ternary vector \(\vec {s}\) such that \(A\vec {s}=\vec {u}\), where A and \(\vec {u}\) are defined over \({\mathbb {Z}}_{q}\). In our instantiation, we have the ciphertext \(\vec {{\varvec{{c}}}}\) encrypted using randomness \(\vec {{\varvec{{r}}}}_{vd}\) and the ciphertext \(\vec {{\varvec{{c}}}}^{*}\) encrypted using randomness \(\vec {{\varvec{{r}}}}_{v}=\vec {{\varvec{{r}}}}_{s}+\vec {{\varvec{{r}}}}_{vd}\). The server sends \(\vec {{\varvec{{c}}}}\) and \(\vec {{\varvec{{c}}}}^{*}\) to the audit device and then proves knowledge of \(\vec {{\varvec{{r}}}}_{s}\) using the linear relation

$$\begin{aligned} \vec {{\varvec{{c}}}}^{*}-\vec {{\varvec{{c}}}}={\textbf {A}}(\vec {{\varvec{{r}}}}_{s}+\vec {{\varvec{{r}}}}_{vd})-{\textbf {A}}\vec {{\varvec{{r}}}}_{vd}={\textbf {A}}\vec {{\varvec{{r}}}}_{s}. \end{aligned}$$

4.3.3 Overview of the Protocol

The protocol consists of two separate parts: ballot casting and vote verification. In the first part, there are three participants: the voter, the voting device and the voting server. First, the voter enters his preferred candidate’s number into the voting device. It is then encoded into a binary polynomial, where the coefficient of the term with degree equal to the candidate’s number is one and all other coefficients are zero. Then the voting device encrypts the polynomial using randomness \(\vec {{\varvec{{r}}}}_{vd}\in \chi ^{3d}\) and sends the encrypted vote to the voting server. The voting server stores the ballot and generates a blinding factor \(\vec {{\varvec{{r}}}}_{s}\in \chi ^{3d}\), which it sends back to the voting device. The voting device then sends \(\vec {{\varvec{{r}}}}_{v} = \vec {{\varvec{{r}}}}_{vd}+\vec {{\varvec{{r}}}}_{s}\) to the voter in the form of a QR-code.

Let \((\texttt {KeyGen}, \texttt {Enc}, \texttt {Dec})\) be an IND-CPA encryption scheme, and let \({\varvec{{pk}}}\) be the public key generated by \(\texttt {KeyGen}\). The ballot submission is performed as follows (see also Fig. 1).

1. 1.

   The voter enters the vote \({\varvec{{v}}}\) into the voting device.

2. 2.

   The voting device encrypts the vote using \({\varvec{{pk}}}\) and voting device randomness \(\vec {{\varvec{{r}}}}_{vd}\in \chi ^{3d}\) and sends the ciphertext \(\vec {{\varvec{{c}}}}=\texttt {Enc}({\varvec{{v}}},{\varvec{{pk}}},\vec {{\varvec{{r}}}}_{vd})\) to the voting server.

3. 3.

   The voting server stores the ciphertext, generates server randomness \(\vec {{\varvec{{r}}}}_{s}\in \chi ^{3d}\) and sends it to the voting device.

4. 4.

   The voting device adds \(\vec {{\varvec{{r}}}}_{s}\) and \(\vec {{\varvec{{r}}}}_{vd}\) to get the cumulative voting randomness \(\vec {{\varvec{{r}}}}_{v}=\vec {{\varvec{{r}}}}_{s}+\vec {{\varvec{{r}}}}_{vd}\) and sends \(\vec {{\varvec{{r}}}}_{v}\) to the voter in the form of a QR-code to be later used for vote verification.

Fig. 1

Scheme of ballot submission

The second part of the protocol is the vote verification itself. Here there are also three participants: the voter, the audit device and the voting server. First, the voter enters \(\vec {{\varvec{{r}}}}_{v}\) into the audit device (say, by scanning a QR code).⁴ Then the audit device contacts the server and requests vote verification. The server re-randomizes the ciphertext using \(\vec {{\varvec{{r}}}}_{s}\), and as re-randomization is homomorphic, the vote is now encrypted under randomness \(\vec {{\varvec{{r}}}}_{v}=\vec {{\varvec{{r}}}}_{vd}+\vec {{\varvec{{r}}}}_{s}\).

The server then starts an interactive zero-knowledge proof of correct re-randomization, confirming that the vote is indeed encrypted under \(\vec {{\varvec{{r}}}}_{v}\). If the proof is accepted by the audit device, it uses special decryption using \(\vec {{\varvec{{r}}}}_{v}\) to decrypt the vote and displays the voter’s choice in plaintext. The voter can then confirm whether she intended to vote for the same candidate that is displayed. If the zero-knowledge proof is rejected, the audit device notifies the voter of failure.

Let \({\varvec{{pk}}}={\textbf {A}}\), where \({\textbf {A}}\in \mathcal {R}_{q}^{2\times 3}\). The verification protocol is as follows (see also Fig. 2).

1. 1.

   The voter sends the voting randomness \(\vec {{\varvec{{r}}}}_{v}\) to the audit device and the audit device requests vote verification from the server.

2. 2.

   The voting server re-randomizes the encrypted vote \(\vec {{\varvec{{c}}}}\) using server randomness \(\vec {{\varvec{{r}}}}_{s}\). Then it sends \(\vec {{\varvec{{c}}}}\) and \(\vec {{\varvec{{c}}}}^{*}=\texttt {ReRand}(\vec {{\varvec{{c}}}},{\varvec{{pk}}},\vec {{\varvec{{r}}}}_{s})\) to the audit device.

3. 3.

   The audit device and the voting server run an interactive proof of re-randomization. Here, the server proves knowledge of \(\vec {{\varvec{{r}}}}_{s}\) as it satisfies the equation \(\vec {{\varvec{{c}}}}^{*}-\vec {{\varvec{{c}}}}={\textbf {A}}\vec {{\varvec{{r}}}}_{s}\).

4. 4.

   If the proof is accepted, the audit device uses special decryption to decrypt the re-randomized ciphertext \(\vec {{\varvec{{c}}}}^{*}\) and sends \({\varvec{{v}}}^{*}=\texttt {SpecDec}(\vec {{\varvec{{c}}}}^{*},{\varvec{{pk}}},\vec {{\varvec{{r}}}}_{v})\) to the voter. If the proof is rejected, it notifies the voter of failure.

5. 5.

   If the proof was successful, the voter checks whether his vote \({\varvec{{v}}}\) matches the sent special decrypted ciphertext \({\varvec{{v}}}^{*}\). This concludes vote verification (Figs. 3 and 4).

Fig. 2

Scheme of vote verification

Fig. 3

Proof of knowledge of ternary solution to a linear equation \(A\vec {s}=\vec {u}\) over \({\mathbb {Z}}_{q}\) [26]

Fig. 4

Verification equations for re-randomization proof [26]

4.4 Verifiable Decryption

Verifiable decryption is a means to prove that a ciphertext was decrypted correctly without revealing information about the secret key. It is necessary for end-to-end verifiability and provides the voter with some evidence that the voting authorities are acting honestly on their part. In our instantiation we use the protocol from [45].

In essence, the prover decrypts the ballot, extracts and commits to the noise used during encryption and proves in zero-knowledge that the noise was used during encryption and that the noise is bounded. For proving that the commited noise was used during encryption, a proof of knowledge of a solution to a linear relation from [5] is used and to prove that the noise is bounded, a simple proof from [9] is used. As before, the BDLOP scheme is used for commitments.

4.4.1 Zero-Knowledge Proof for Linear Relations

The protocol for verifiable decryption requires that we commit to the noise used during encryption and then prove in zero-knowledge that the values under the commitments satisfy a linear relation. For this, we have a simple proof of knowledge relying on the BDLOP scheme from [5].

We have a linear relation of the form \({\varvec{{x}}}'={\varvec{{a}}}{\varvec{{x}}}+{\varvec{{b}}}\) in \(\mathcal {R}_{q}\). Our BDLOP public key is of the form \([\textbf{B}_{0},\vec {{\varvec{{b}}}}_{1}]\), where \(\textbf{B}_{0}\in \mathcal {R}_{q}^{n\times k}\) and \(\vec {{\varvec{{b}}}}_{1}\in \mathcal {R}_{q}^{k}\) and we denote \([\![{\varvec{{x}}}]\!]:=\texttt {Com}\,({\varvec{{x}}},\vec {{\varvec{{r}}}}_{\varvec{{x}}})=[\vec {{\varvec{{c}}}}_{1},{\varvec{{c}}}_{2}]\). Likewise \([\![{\varvec{{x}}}']\!]:=\texttt {Com}\,({\varvec{{x}}}',\vec {{\varvec{{r}}}}_{{\varvec{{x}}}'})=[\vec {{\varvec{{c}}}}_{1}',{\varvec{{c}}}_{2}']\).

The protocol is depicted in Fig. 5.

Fig. 5

Proof of knowledge of linear relation \([\![{\varvec{{x}}}']\!]={\varvec{{a}}}[\![{\varvec{{x}}}]\!]+{\varvec{{b}}}\)

4.4.2 Amortized Proof of Bounded Openings

We also need to prove that the values satisfying the aforementioned linear relation are also from the chosen noise distribution. This means that we need to show boundedness of the commitments and this can be amortized easily by setting the linear relations into matrix form. Note that while the proof of boundedness can be amortized, the proofs of linear relation are run for every ciphertext separately. The following proof is from [9] and it’s based on the hardness of finding pre-images to the Ajtai function.

Let \(\textbf{A}\in \mathcal {R}_{q}^{r\times s}\) be a publicly known matrix and let \(\vec {{\varvec{{s}}}}_{1},\ldots ,\vec {{\varvec{{s}}}}_{\tau }\in \mathcal {R}_{q}^{s}\) be the noise vectors corresponding to the \(\tau \) ciphertexts. Set \(\{s_{i}\}_{i=1}^{s}\) as columns in a matrix \(\textbf{S}\in \mathcal {R}_{q}^{s\times \tau }\) and let \(\textbf{T}=\textbf{AS}\in \mathcal {R}_{q}^{r\times \tau }\). \(\textbf{A}\) and \(\textbf{T}\) are public values and \(\textbf{S}\) is private. The dimension n is chosen large enough to preserve hardness of SIS. The protocol is in Fig. 6.

Fig. 6

Amortized proof for bounded openings

4.4.3 Main Protocol

In the main protocol, the prover decrypts the message, commits to the noise and then proves in zero-knowledge, using the above proofs, that the committed value is indeed the encryption noise. This means that it satisfies a linear relation and that the length of the vector is shorter than the agreed upon bound. Let \({\varvec{{s}}}\) be the polynomial contained in the BGV secret key and \([\![{\varvec{{s}}}]\!]\) is a commitment to that polynomial.

The protocol goes as follows:

1. 1.

   The prover takes as input a set of ciphertexts \(({\varvec{{u}}}_{1},{\varvec{{v}}}_{1}),\ldots ,({\varvec{{u}}}_{\tau },{\varvec{{v}}}_{\tau })\) and the values \(([\![{\varvec{{s}}}]\!],{\varvec{{s}}},{\varvec{{r}}}_{{\varvec{{s}}}})\), where \({\varvec{{r}}}_{{\varvec{{s}}}}\) is the commitment randomness.

2. 2.

   The prover decrypts the ciphertexts using \({\varvec{{s}}}\) and obtains messages \({\varvec{{m}}}_{1},\ldots ,{\varvec{{m}}}_{\tau }\).

3. 3.

   The prover extracts the encryption noise \({\varvec{{d}}}_{i}\) by computing \({\varvec{{d}}}_{i}=({\varvec{{v}}}_{i}-{\varvec{{m}}}_{i}-{\varvec{{u}}}_{i}{\varvec{{s}}})/p\mod q\) for all \(i\in [\tau ]\).

4. 4.

   The prover commits to all \({\varvec{{d}}}_{i}\) as \([\![{\varvec{{d}}}_{i}]\!]\) and proves \(p[\![{\varvec{{d}}}_{i}]\!]={\varvec{{v}}}_{i}-{\varvec{{m}}}_{i}-{\varvec{{u}}}_{i}[\![{\varvec{{s}}}]\!]\) using the linear relation proof for all \(i\in [\tau ]\).

5. 5.

   The prover proves for all \(i\in [\tau ]\) at the same time that \(\Vert {\varvec{{d}}}_{i}\Vert _{2}\) is bounded by \(B_{A}\le \sqrt{2sd}\sigma _{A}\).

6. 6.

   The prover outputs the messages \({\varvec{{m}}}_{i}\), commitments \([\![{\varvec{{d}}}_{i}]\!]\) for all \(i\in [\tau ]\) and the aforementioned proofs to be verified.

Theorem 1

[45] The verifiable decryption protocol is a complete, sound and zero-knowledge proof protocol in the ROM when \(B_A < q/(4p)\).

Proof

Refer to [45] for the proof. \(\square \)

5 Results and Discussion

In the sections above, we have built zero-knowledge proofs for specific problems. Here we will discuss how to bundle them into a single e-voting framework. Online voting consists mainly of the following stages: vote collection (casting), tallying and revealing results. Needless to say, for privacy reasons, ballots are encrypted during the casting phase. Thus, an appropriate decryption algorithm is used in the end. Ideally, one would use distributed decryption in this case. However, current known techniques for lattice-based distributed decryption add extra bits to the ring modulus [6], consequently decreasing the efficiency. Therefore, we assume that the secret key is physically shared and distributed among a number of selected individuals chosen by election authorities. Those individuals should gather and regenerate the secret key ceremonially in order to decrypt and reveal results.

Based on tallying methods, online voting systems can be put into two categories. The first (and conceptually simpler) category consists of systems making use of homomorphic tallying, where the tally function is evaluated over encrypted ballots. For simplicity, we suppose that the tally function is ordinary summation. This requires, at least, an additively homomorphic encryption scheme. The BGV scheme is a natural candidate, as well as many other lattice-based encryption schemes. The second category consists of mix-net based voting systems. Here, a few mixing networks are used in between the vote collection and tallying phases. The main conceptual difference is that in homomorphic tallying there will be a single invocation of the decryption algorithm, while after using mix-nets each encrypted ballot is deciphered separately before being tallied. In addition, voters are allowed to only cast valid votes in systems using homomorphic tallying, whereas invalid plain votes will be discarded before tallying in the second approach.

We will give a simple recipe for building an e-voting application based on homomorphic tallying and mix-nets using lattice-based cryptography and zero-knowledge proofs. We will not explain the key generation process and other formal procedures such as secret key sharing, distribution of public keys, announcing candidates etc. Thus, we assume they have already been performed correctly.

Due to its simplicity, let us focus on homomorphic tallying first. We consider cumulative voting in this case to allow for more sophisticated election rules. That is, ballot correctness is formalized using parameters \(l_c\) and \(l_s\) which are the number of vote shares for a single candidate and the total number of vote shares a voter can use, respectively. In Sect. 4.2, a verifiable encryption scheme is described for the given conditions. As a result, encrypted ballots are formed correctly if they pass the verification equations (Algorithm 2). The next stage is tallying, i.e, adding ciphertexts together. Finally, the sum is decrypted and the result is revealed. The decrypting oracle also provides a proof of correct decryption, which is explained in Sect. 4.4.

In mix-net based e-voting, some things are different. Despite the fact that the ballots are encrypted using the BGV encryption scheme as before, we propose to use a set membership proof (see Sect. 4.1) to prove that the ballots match the nominated candidates. With this approach, the candidate list can be arbitrarily large, yet the ballot correctness proofs are very efficient to obtain. Another advantage is that the ring dimension does not depend on the number of candidates anymore. After the vote collection period ends, the encrypted ballots are shuffled and re-encrypted within several mixing nodes in the mix-net server. The server also produces a zero-knowledge proof of shuffle which shows that ballots are not modified, removed and/or added during the shuffling procedure. There are lattice-based verifiable mix-nets available [5, 6, 22, 27] in the literature that can be used in this step. Finally, the mix-net server outputs a list of fresh ballot ciphertexts, which are decrypted individually by the decryption authority and then tallied. Here, the decryption authority produces a proof of correct decryption for each ballot.

In Table 1, we instantiate all of the components with 192-bit security in mind, considering \(2^{64}\) random oracle queries to accommodate for the linear security loss after applying Fiat-Shamir transformation, and present their runtime (in seconds) and memory size (in kilobytes). Based on numerical results from the LWE Estimator [3], we set \(d=4096, l=1024, q\approx 2^{62}, \mu =1\) and \(\lambda =1\) in all experiments. BGV encryption is instantiated with \(p=10000009\) and \(p=2\) for homomorphic tallying and mix-net based approaches, respectively. The ternary uniform distribution \(\chi \) is set to have probability distribution \(\Pr [x=0]=\Pr [x=\pm 1]=1/3\). For cumulative voting, we include size and timings for the case \(l_s=l_c=1, N_C=2\), while other possible cases are given in Table 2. For Algorithm 2, the standard deviations \(\sigma \) and \(\sigma ^\prime \) are chosen such that \(2M^2=3\) according to the formula

$$\begin{aligned} M = \exp \left( \frac{T}{2\sigma ^2}\right) =\exp \left( \frac{T^\prime }{2{\sigma ^\prime }^{2}}\right) \end{aligned}$$

where \(\Vert {\varvec{{c}}}\vec {{\varvec{{r}}}}\Vert _2 \le T\) and \(\Vert {\varvec{{c}}}^\prime \vec {{\varvec{{s}}}}\Vert _2 \le T^{\prime }\). Their values are heuristically chosen such that inequalities hold with probability at least 0.99.

Remark 1

Efficient lattice-based zero-knowledge proofs (such as in [13, 34]) obtain such impressive small proof sizes mainly due to the tailored choice of the ring modulus and dimension. In fact, in these works, the ideal \((X^d + 1)\) should split into two prime ideals over \({\mathbb {Z}}_q\) so that 1) one can define automorphisms \(\sigma _1\) and \(\sigma _{-1}\) 2) there exists a large enough challenge set \(C = \{ c: \sigma (c) = c \;\wedge \; \Vert c\Vert _1 < \eta \}\) i.e, they are stable under automorphism transformations, 3) short polynomials are invertible. However, our constructions demand that the polynomial ring be split into many residue fields and fully split, particularly for homomorphic tallying. Thus, these proof systems are not suitable. Of course, one can design the voting protocol with different moduli for encryption schemes and proof systems. Nevertheless, proving non-native ring arithmetic is not trivial nor efficient.

We have chosen the C language to implement the non-interactive version of the SMILE protocol based on the source code of [27]. SHAKE128 is used as hash function for generating challenges and the COSAC [49] sampler is used to sample from a discrete Gaussian with large standard deviations in constant time. We implemented the cumulative voting protocol in C++ using the NFLlib library. Finally, we changed parameters in the original implementation given in [45] to estimate the verifiable decryption results. The source code is available at https://github.com/Valeh2012/voting-from-lattices. All tests are run on an 8th generation Intel i5-8250u CPU with 3.4 GHz maximum clock speed and 16GB RAM.

In Table 1, proof sizes are calculated per voter (1 M voters). Particularly, the size of the decryption proof is amortized over batches with size 4096. Based on the results, the total cost of mix-net based e-voting system per voter is around 3.5MiB.⁵ However, for the homomorphic tallying approach the overall cost is 1120KiB per voter, which is around 3 times smaller than the cost when using the previous technique. Note that in these calculation we do not consider the cost of the cast-as-intended proofs which will be more or less the same in both approaches as encryption parameters are identical (expect for p which does not affect the protocol size). Therefore, we conclude that for our choice of parameters, homomorphic tallying systems outperform mix-net based systems. Of course, one has to bear in mind that our experiments were conducted using a relatively simple ballot structure. For elections requiring more complex ballots, mix-nets are still going to be advantageous.

Table 1 Performance table (per voter)

Table 2 Ballot sizes and total ballot encryption and verification times per vote. \(N_C\) is the number of candidates, \(l_c\) is the number of votes a voter can give to one candidate, and \(l_s\) is the limit on the sum of all votes a voter can give

6 Conclusion

In this work, we showed how to build necessary but currently missing privacy components for both the mix-net-based and homomorphic tallying-based e-voting systems using lattice-based cryptography. We have constructed a proof of ballot correctness for both of these scenarios by using a set membership proof and a cumulative voting proof and we integrated a proof of correctness by [45] to design a post-quantum secure e-voting system. We also provide proof of concept implementations. Our benchmarking results give concrete estimates for the advantage of homomorphic tallying compared to mix-net based e-voting systems in terms of running time and memory cost per voter. All the security proofs are considered in the classical random oracle model and the security reductions in the quantum random oracle model are left for future work.

Appendices

Security Definitions

In this section we formally define the LWE, Ring-LWE, Module-LWE and Module-SIS assumptions.

Definition 1

(\(LWE_{m,n,\chi }\)) In the decisional LWE problem with a discrete error distribution \(\chi \) over \({\mathbb {Z}}\), the probabilistic polynomial time (PPT) adversary \(\mathcal {A}\) is asked to distinguish m tuples \((\vec {a}_i,b_i) {\mathop {\leftarrow }\limits ^{\$}} {\mathbb {Z}}^n_q \times {\mathbb {Z}}_q \) from \((\vec {a}_i, \langle \vec {a}_i, {\varvec{{s}}}\rangle + e_i)\) for \({\varvec{{a}}}_i {\mathop {\leftarrow }\limits ^{\$}} {\mathbb {Z}}^n_q\) and \(\vec {s} \leftarrow \chi ^n, e_i \leftarrow \chi \;\;\forall i=1,\dots ,m\).

Definition 2

(\(RLWE_\chi \)) In the decisional Ring-LWE problem with an error distribution \(\chi \) over \(\mathcal {R}\), the probabilistic polynomial time (PPT) adversary \(\mathcal {A}\) is asked to distinguish \(({\varvec{{a}}},{\varvec{{b}}}) {\mathop {\leftarrow }\limits ^{\$}} \mathcal {R}_q \times \mathcal {R}_q\) from \(({\varvec{{a}}}, {\varvec{{a}}}\cdot {\varvec{{s}}} + {\varvec{{e}}})\) for \({\varvec{{a}}} {\mathop {\leftarrow }\limits ^{\$}} \mathcal {R}_q\) and \({\varvec{{s}}},{\varvec{{e}}} \leftarrow \chi .\)

The corresponding search-RLWE problem asks to find \({\varvec{{s}}}\) from several \(({\varvec{{a}}},{\varvec{{b}}})\) RLWE samples. The RLWE assumption is that the search-RLWE and/or decisional-RLWE problems are hard for any probabilistic polynomial time adversaries. We can define the search-LWE problem analogously. Informally, \(\textsf {RLWE}_\chi \sim \textsf {LWE}_{d,d,\chi }\), where d is dimension of the ring \(\mathcal {R}_q\).

Definition 3

In the Module-LWE problem with parameters \(n,m > 0\) and an error distribution \(\chi \) over \(\mathcal {R}\), the PPT adversary \(\mathcal {A}\) is asked to distinguish \(({\varvec{{A}}}, \vec {{\varvec{{t}}}}) \overset{\$}{\leftarrow }\ \mathcal {R}_q^{m\times n} \times \mathcal {R}_q^m\) from \(({\varvec{{A}}}, {\varvec{{A}}}\vec {{\varvec{{s}}}} + \vec {{\varvec{{e}}}})\) for \({\varvec{{A}}} {\mathop {\leftarrow }\limits ^{\$}} \mathcal {R}_q^{m\times n} \), a secret vector \(\vec {{\varvec{{s}}}}\leftarrow \chi ^n \), and an error vector \(\vec {{\varvec{{e}}}} \leftarrow \chi ^m\).

Definition 4

(\(MSIS_{m,n,\beta }\)) The goal in the Module-SIS problem with parameters \(n,m > 0\) and \( 0< \beta < q\) is to find \(\vec {{\varvec{{x}}}} \in \mathcal {R}_q^m\) for a given matrix \({\varvec{{A}}} {\mathop {\leftarrow }\limits ^{\$}} \mathcal {R}_q^{n\times m}\) such that \({\varvec{{A}}} \vec {{\varvec{{x}}}} = \vec {{\textbf {0}}} \bmod {q}\) and \(0< \Vert \vec {{\varvec{{x}}}}\Vert _\infty < \beta \).

In practical security estimations, the parameter m in Definitions 3 and 4 does not play a crucial role, therefore we simply omit it and use the notations \(\textsf {MLWE}_{n,\chi }\) and \(\textsf {MSIS}_{n,\beta }\). Furthermore, we let the parameters \(\mu \) and \(\lambda \) denote the module ranks for \(\textsf {MSIS}\) and \(\textsf {MLWE}\), respectively.

Security Proofs

1.1 Verifiable Encryption in Sect. 4.2

Zero-knowledge: Let \(\mathcal {S}\) be a simulator following the steps of the algorithm in Algorithm 1. First, \(\mathcal {S}\) samples k vectors \(\vec {{\varvec{{z}}}}_i{\mathop {\leftarrow }\limits ^{\$}} [\delta -\beta , -\delta +\beta ]^{(\lambda +\mu +l_c+8)d}\) from the distribution of \(\vec {{\varvec{{z}}}}_i\) in a non-aborting transcript. As \(\sigma ^i({\varvec{{c}}})\vec {{\varvec{{r}}}}\) is independent of \(\vec {{\varvec{{z}}}}_i\) due to rejection sampling, the simulator can randomly sample \({\varvec{{c}}}\) from the challenge set \(\mathcal {C}\). Similarly, the other challenges \(\varvec{\alpha }_1,\dots ,\varvec{\alpha }_{kn},\varvec{\alpha }_1^\prime ,\dots ,\varvec{\alpha }_{kl_c}^\prime , \vec {\gamma }_0,\dots ,\vec {\gamma }_{k-1}, \gamma _0^\prime ,\dots ,\gamma _{k-1}^\prime \) do not depend on the previous variables, hence they are also sampled randomly from the respective challenge sets. Next, \(\mathcal {S}\) samples \({\varvec{{h}}}\) uniformly so that its first k coefficients are zero. The decisional \(\textsf {MSIS}_\mu \) and \(\textsf {MLWE}_\lambda \) assumptions state that \(\vec {{\varvec{{t}}}}_0\) and \({\varvec{{t}}}_i\) for \(i=1,\dots , l_c+8\) are computationally indistinguishable from uniform elements in \(\mathcal {R}_q^\mu \) and \(\mathcal {R}_q\), respectively; thus they are also chosen randomly by the simulator. Furthermore, the ciphertext \(({\varvec{{c}}}_1, {\varvec{{c}}}_2)\) is also indistinguishable from random polynomials due to the semantic security of the BGV encryption scheme. Finally, \(\vec {{\varvec{{w}}}}_0, \dots , \vec {{\varvec{{w}}}}_{k-1}, {\varvec{{v}}}_1, \dots , {\varvec{{v}}}_{3+k}\) can be uniquely determined from the verification equations because of completeness. To sum up, the simulator’s view is computationally indistinguishable from a non-aborting transcript of an honest prover, i.e the protocol does not leak any information about secret knowledge.

Soundness: Here we explain why the probability of a dishonest prover convincing an honest verifier is at most \(\epsilon \le (3\varepsilon )^k\), unless it can solve \(\textsf {MSIS}_{\mu , 8d\beta }\), where \(\varepsilon \approx 1/q\) is defined as in Sect. 3.3. Observe that the protocol consists of three arguments: the ciphertext is a valid BGV ciphertext, the coefficients of the vote vector are in \([0, l_c]\), and their sum is equal to \(l_s\). As explained in Sect. 4.2, these arguments are formulated as equations (3), (5) and \(\sum _{i=0}^{d-1} v_i = l_s\). These arguments are realized by an amortized proof of product relations and a proof of unstructured linear relations in \({\mathbb {Z}}_q\) with ternary secrets as given in [7] and [26], respectively. Their soundness proofs share the same extractor which extracts weak openings of BDLOP commitments that satisfy the required relations with cheating probability at most \((3\varepsilon )^k\), otherwise we obtain a solution to a \(\textsf {MSIS}_{\mu , 8d\beta }\) problem instance. Although the extracted openings are weak, linear and product relation arguments prove that the extracted message satisfies the necessary ballot requirements, i.e., the ciphertext in a valid proof will decrypt to a valid witness.

1.2 Cast-as-Intended Verifiability in Sect. 4.3

Originally, Müller and Truderung show that assuming the underlying proof of re-randomization is zero-knowledge, the cast-as-intended protocol as a whole is an interactive zero-knowledge protocol as well. For this, they define the voter and the audit device together as the verifier, and the voting device and vote collector server together as the prover, and rewrite the protocol from their unified viewpoints. Correctness and soundness are easily translated from the respective properties of the re-randomization proof. For the zero-knowledge property, their simulator works as follows:

• The simulator chooses \(r^{*}{\mathop {\leftarrow }\limits ^{\$}} R\), computes \(c^{*} = \texttt {Enc}(pk, v, r^{*})\), and returns \((r^{*},c^{*})\)

• The simulator runs the proof of re-randomization simulator without the knowledge of x.

They argue that the protocol has to be zero-knowledge, so that anyone who acquires the transcript of the protocol gathers no information about the given vote. From soundness, we also get that even if the voting device and server collude, they cannot convince the voter that he voted for his chosen candidate, when the actual ballot was cast for someone else. It can also be shown that the voting server does not gather any additional information during vote verification. More details can be found in [41].

Unfortunately, in our case, the underlying proof of re-randomization protocol is only honest verifier zero-knowledge, thus we cannot use their simulator. One possible solution is to make the re-randomization protocol zero-knowledge by asking the verifier to commit to its challenge by using a hiding commitment scheme in the beginning. Instead, we follow a different strategy. Namely, we argue that even if the proof of re-randomization protocol is honest verifier zero-knowledge only, the voter can generate fake transcripts which are indistinguishable from the real execution. This is enough to achieve receipt-freeness and to avoid the re-randomization proof being used for vote-buying. Of course, we implicitly assume that the coercer only validates the proof transcript and does not take part in the vote casting and auditing process.

While the proof of re-randomization satisfies the security requirements of a (honest verifier) zero-knowledge protocol, sharing voting randomness \(\vec {{\varvec{{r}}}}_v\) with the audit device introduces another problem. As discussed in Sect. 4.3, the sum of two ternary polynomials is very likely not ternary. In fact, the audit device can recover certain coefficients of the blinding factor \(\vec {{\varvec{{r}}}}_s\) and the voting device randomness \(\vec {{\varvec{{r}}}}_{vd}\) at the edge cases. However, we argue that even after this extra leakage, the concrete security level of our scheme is still sufficiently high.

Let \(\chi \) be a centered ternary distribution on \(\{-1,0,1\}\) parameterized with probabilities \(\Pr [x=\pm 1] = p\) and \(\Pr [x=0] = 1-2p\) for \(0< p < 1/2\). Let \(X_1\) and \(X_2\) be independent identically distributed random variables with probability distribution \(\chi \). Now, define \(Y = X_1 + X_2\) as the sum of independently sampled outcomes. One can easily verify that Y is a random variable over \(\{-2,-1,0,1,2\}\) with probabilities \(\{p^2, 2p(1-2p), (1-2p)^2+2p^2, 2p(1-2p), p^2\}\), respectively. Observe that the event \(Y=2\) (or \(-2\)) can happen only when \(X_1=X_2=1\) (or \(-1\)). Consequently, in such edge cases, the value of Y exactly determines the values of the addends. Moreover, we introduce another random variable \(Z = (Y=\pm 2)\) which has a Bernoulli distribution with \(p^\prime =2p^2\).

As we have defined \(\vec {{\varvec{{r}}}}_v = \vec {{\varvec{{r}}}}_{vd}+\vec {{\varvec{{r}}}}_s\) to be the sum of two polynomials with each coefficient sampled independently according to the error distribution \(\chi \), the coefficients of \(\vec {{\varvec{{r}}}}_v\) can be represented by Y. We are interested in the expected number of coefficients that will be \(\pm 2\), i.e will leak coefficients of \(\vec {{\varvec{{r}}}}_s\) and \(\vec {{\varvec{{r}}}}_{vd}\). Let \(Z_i = Z\) be random variables denoting whether the leak occurs at position i for \(i=0,\dots ,d-1\). The number of leaked coefficients can be modeled as yet another random variable \(N = \sum _{i=0}^{d-1} Z_i \thicksim Bin(d, p^\prime )\).⁶ Therefore, \({\mathbb {E}}[N] = dp^\prime = 2dp^2\). For example, for the centered binomial distribution (\(p=5/16\)) and the uniform distribution (\(p=1/3\)), approximately one-fifth of the coefficients are exposed on average.

Other values of Y also leak some information about the original values of X. Formally, one can calculate conditional probabilities \(\Pr [X = \pm 1 \mid Y = \pm 1] = \Pr [X = 0 \mid Y = \pm 1] = 1/2\). That is, if the sum \(Y=-1\) (\(Y=1\)), then one can guess \(X=0\) or \(-1\) (\(X=0\) or 1) with probability 1/2 (respectively). Considering \(\Pr [X = \pm 1] = p < 1/2\), it provides a quantifiable advantage for guessing \(X=\pm 1\). The only way to check the correctness of the guessed coefficients is to solve the LWE (or SIS) equations. Let the number of guessed coefficients be x. In this case, the total attack cost will be \(2^x\cdot \text {BKZ-cost}(d-2p^2d-x)\). Generally speaking, although the attack requires guessing and running the BKZ solver multiple times, there may exist such an x that smaller lattice instance will be easier to solve. For instance, Albrecht et al. [2] found such optimal \(x = 0, 1\) or 197 for some parameters and different cost models.

Based on the discussion above, we can quantify the security loss using the LWE Estimator [3]. Originally, the encryption parameters are chosen to provide around 192 bits of security (see Sect. 5 for details). Even if 1/5-th of the coefficients are leaked, we can see that the reduced LWE instance has, at least, 128-bit post-quantum security. Additionally, we have determined that the optimal number of coefficients to guess is zero. Furthermore, we have run a similar analysis for the uniform ternary distribution and the results are presented in Table 3. Overall, the security is reduced by approximately 50 bits on average, which still gives us an acceptable level of concrete security.

Table 3 LWE Security loss in cast-as-intended verifiability protocol

Fig. 7

\(m=1\) case of the protocol

Finally, we can construct our own simulator Sim. Assume that the voter has chosen the candidate \(\vec {{\varvec{{v}}}}\), and received \(\vec {{\varvec{{r}}}}_{v}\) and ciphertext \(\vec {{\varvec{{c}}}}\), but she wants to convince the coercer that she voted for another \(\vec {{\varvec{{v}}}}^\prime \). The voter runs Sim which follows these steps:

• Sim samples \(\vec {{\varvec{{r}}}}_{v}^{*}\) such that it overlaps with \(\vec {{\varvec{{r}}}}_{v}\) at coefficients equal to \(\pm 2\), otherwise the coefficients are randomly generated from \(\{-1,0,1\}^d\). Next, Sim computes \(\vec {{\varvec{{c}}}}^{*} = Enc({\varvec{{A}}}, \vec {{\varvec{{r}}}}_{v}^{*},\vec {{\varvec{{v}}}}^\prime \)) and returns \((\vec {{\varvec{{r}}}}^{*}, \vec {{\varvec{{c}}}}^{*})\)

• Sim runs the simulator of the honest-verifier proof of the re-randomization protocol without the knowledge of \(\vec {{\varvec{{r}}}}_{vs}\) on input \(({\varvec{{A}}}, \vec {{\varvec{{c}}}},\vec {{\varvec{{c}}}}^{*})\), and returns the transcript.

The advantage of a probabilistic polynomial time adversary in distinguishing this simulator’s view from the real non-aborting proof transcript, \(\varepsilon \), is bounded by the advantage \(\epsilon _{ReRand}\) of distinguishing an honest verifier zero-knowledge simulator’s view of the proof of re-randomization protocol or advantage \(\varepsilon _{LWE}\) in solving a reduced LWE instance with \( \chi , m=3d, n=d-2p^2d\). Thus, \(\varepsilon \le \varepsilon _{ReRand} + \varepsilon _{LWE} = \varepsilon _{MLWE} + \varepsilon _{LWE}\)⁷ (Fig. 8).

SMILE \(m=1\) Protocol

Fig. 8

Verification of the \(m=1\) case of the protocol