
Commit

Protocol comparison table (#4)
AaronFeickert authored May 15, 2023
1 parent ed96b3e commit 2f496b5
Showing 2 changed files with 42 additions and 32 deletions.
8 changes: 0 additions & 8 deletions main.bib
@@ -156,11 +156,3 @@ @misc{kryvos
year = {2022},
note = {\url{https://ia.cr/2022/1132}},
}

@misc{replay,
author = {David Mestel and Johannes Mueller and Pascal Reisert},
title = {How Efficient are Replay Attacks against Vote Privacy? {A} Formal Quantitative Analysis},
howpublished = {Cryptology ePrint Archive, Paper 2022/743},
year = {2022},
note = {\url{https://ia.cr/2022/743}},
}
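Review bot: Deleting the `replay` entry is consistent with the `\cite{replay}` sentence being dropped from the Contribution subsection in main.tex, but the commit title mentions only the comparison table. Withdrawing the replay-resistance claim changes the stated security properties of the protocol, so it should be called out in the commit message with a short reason, or moved to its own commit.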
66 changes: 42 additions & 24 deletions main.tex
@@ -4,6 +4,13 @@

\usepackage{amsmath,amssymb,amsfonts}
\usepackage{bookmark}
\usepackage{pifont}
\usepackage{xcolor}

\definecolor{yes}{HTML}{2EC936}
\definecolor{no}{HTML}{C9362E}
\newcommand{\cmark}{\textcolor{yes}{\ding{51}}}
\newcommand{\xmark}{\textcolor{no}{\ding{55}}}

\newcommand{\G}{\mathbb{G}}
\newcommand{\F}{\mathbb{F}}
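Review bot: The color names `yes` and `no` in the two `\definecolor` lines are global and very generic, so they can collide with colors defined elsewhere in the document or by a class file. Prefix them (for example `aurayes` and `aurano`) and use the prefixed names inside `\cmark` and `\xmark`.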
@@ -46,7 +53,7 @@ \subsection{Requirements}
\item \textbf{Public parameters}: Aside from election-specific trust requirements, all cryptographic constructions must use publicly-verifiable parameters.
\item \textbf{Correctness}: A voter authorized for an election can cast a ballot that is included in the election result.
\item \textbf{Universal verifiability}: Any observer can verify that all valid ballots are included in the final result, and that the result correctly represents only those ballots.
\item \textbf{Vote privacy}: It is not possible for an observer to determine the vote associated with a valid ballot.
\item \textbf{Ballot privacy}: It is not possible for an observer to determine the choices associated with a valid ballot.
\item \textbf{Voter anonymity}: It is not possible for an observer to determine the voter associated with a valid ballot, or if a particular voter voted at all.
\item \textbf{Coercion resistance}: It is possible for a voter to privately cast multiple ballots that each invalidate any previous ballots.
\end{itemize}
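Review bot: The renamed "Ballot privacy" item still states the property without conditions ("It is not possible for an observer ..."), while the Remarks section says ballot privacy holds "under the assumption of no malicious threshold cohort of talliers". Since this line is being reworded anyway, state that assumption in the requirement, or say explicitly that a colluding threshold of talliers is outside the observer model.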
@@ -67,7 +74,7 @@ \subsection{Prior work}
However, it does not provide any particular verifiable guarantees on ballot anonymity, relying on election administrators to assert voter eligibility and decouple voter identity from ballot data.
Additionally, although it provides an option for ballot spoiling, this requires individual decryption of such ballots for verification.

More recent investigations introduce complete voter privacy with different trust requirements, primarily using combinations of encrypted ballots and general zero-knowledge proving systems, to dissociate ballots from voter identity.
More recent work supports complete voter privacy with different trust requirements, primarily using encrypted ballots and generic circuit-based proving systems, to dissociate ballots from voter identity.
For example, \cite{dimitriou} uses a zk-SNARK construction to anonymize ballots, and relies on organizer-supplied token randomizers as a form of coercion resistance; however, soundness and voter anonymity are compromised in the case of a malicious organizer producing the proving system common reference string.
In Vote-SAVER \cite{saver}, voter anonymity is similarly provided by a zk-SNARK construction, and coercion resistance is achieved by having untrusted third parties conduct provable re-randomization; however, this crucially relies on proving system malleability, and therefore is currently limited (to our knowledge) to proving systems where soundness depends on a trusted organizer to produce a non-malicious common reference string.
More recent work like Kryvos \cite{kryvos} examines more complex voting methods and adds partial or full hiding of tally details, but soundness depends on trusted organizers and proofs are large.
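Review bot: Style point on the rewritten sentence: it now opens with "More recent work", and so does the Kryvos sentence three lines below, so the paragraph uses the same lead-in twice. Reword one of them (for example, start the later sentence with "Kryvos \cite{kryvos} examines ..."), and drop the comma before "to dissociate ballots", which separates the purpose clause from the verb it belongs to.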
@@ -77,18 +84,35 @@ \subsection{Contribution}

Aura presents a protocol combining several useful properties that improve on earlier work.

First, we minimize the trust on election participants, including tally authorities with the joint capability to decrypt ballot results.
We minimize the trust on election participants, including tally authorities with the joint capability to decrypt ballot results.
In Aura, all cryptographic components may be instantiated with public verifiable parameters.
Keys used by voters can be generated by voters themselves, and the key used for decrypting election results is constructed by tally authorities in a distributed and verifiable manner that does not require a trusted dealer.
Ballots are dissociated from voter identity using voter-produced provable re-randomization and a set membership proof, and ballot validity is asserted by a combination of verifiable ElGamal encryption and a bit vector proving system.
Even in the case of collusion between talliers (and even organizers) to decrypt individual ballots, voter anonymity is perfectly retained; and while multiple vote attempts by a voter can be reliably detected, this process occurs after the close of the election, and allows for safer mitigation of voter coercion by permitting such a voter to invalidate a coerced ballot anonymously and without revealing its contents.
The careful use of proving systems for ballot anonymity and coercion resistance additionally prevents votes cast in replay attacks from succeeding with either identical or malleated ballot data \cite{replay}.
Keys used to authenticate ballots can be generated by voters themselves, and the key used for decrypting election results is constructed by tally authorities in a distributed and verifiable manner that does not require a trusted dealer.

Ballots are dissociated from voter identity using voter-produced proofs, and ballot validity is asserted by a combination of verifiable ElGamal encryption and a bit vector proving system.
Even in the case of collusion between talliers (and organizers) to decrypt individual ballots, voter anonymity is perfectly retained; and while multiple vote attempts by a voter can be reliably detected, this process occurs after the close of the election, and allows for safer mitigation of voter coercion by permitting such a voter to invalidate a coerced ballot anonymously and without revealing its contents.

Aura uses constructions supporting efficient operations.
The one-of-many proving system used to assert voter anonymity supports batch verification that greatly reduces the marginal complexity of verification, and scales extremely well in proof size even with a large number of voters.
Further, a single bit vector commitment proving system is used to assert that a set of vote ciphertexts are valid, both with valid ElGamal vote messages and the overall number of choices selected by a voter; this proving system also supports batch verification and scales more efficiently than previous work, while remaining flexible for single- and multi-choice election rules.
The proving system used to assert voter anonymity supports batch verification that greatly reduces the marginal complexity of verification, and scales extremely well in proof size even with a large number of voters.
Further, a single commitment proving system is used to assert that a set of vote ciphertexts are valid, both with valid ElGamal vote messages and the overall number of choices selected by a voter; this proving system also supports batch verification and scales more efficiently than previous work, while remaining flexible for single- and multi-choice election rules.

We show a comparison between Aura and other designs in Table \ref{table:comparison}.
While no generic circuit-based design appears to be in common use, we reference Vote-SAVER \cite{saver} as it is well specified as an example of such a construction.

\begin{table}
\centering
\caption{Comparison of properties of Aura to other systems; here, a trust-free setup means participant collusion during parameter generation cannot forge ballots or break voter privacy}
\label{table:comparison}
\begin{tabular}{l|c|c|c}
Protocol & Ballot privacy & Voter privacy & Trust-free setup \\
\hline
ElectionGuard \cite{electionguard} & \cmark & \xmark & \cmark \\
Helios \cite{helios2} & \cmark & \xmark & \cmark \\
Vote-SAVER \cite{saver} & \cmark & \cmark & \xmark \\
Aura [this work] & \cmark & \cmark & \cmark
\end{tabular}
\end{table}

While we use well-studied techniques and cryptographic components to build Aura, we stress that the overall protocol analysis is informal, and we defer a formal security model and proofs to future work.
While we use well-studied techniques and provably-secure cryptographic components to build Aura, we stress that the overall protocol analysis is informal, and we defer a formal security model and protocol-level proofs to future work.


\section{Cryptographic primitives}
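Review bot: The new table header and caption use "Voter privacy", but the Requirements list and the Remarks section name this property "Voter anonymity"; use one term so a reader can map the column to the stated requirement. The table also has no column for coercion resistance, which is a listed requirement and is discussed for Vote-SAVER in Prior work; either add the column or say in the caption that only a subset of the requirements is compared. Minor: `\begin{table}` has no placement specifier, and the caption has no closing period.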
@@ -467,7 +491,7 @@ \section{Remarks}
While we do not provide a formal security analysis here, we note that Aura meets our informal requirements.
All cryptographic constructions use only public parameters, and completeness properties map to overall protocol correctness.
We obtain universal verifiability since any observer can run $\func{VerifyBallot}$ on all ballots appearing on the bulletin board, and run $\func{VerifyTally}$ to check that these ballots all appear in the correct tally.
Vote privacy follows from the properties of the cryptographic primitives used in $\func{Vote}$ and $\func{Tally}$ under the assumption of no malicious threshold cohort of talliers.
Ballot privacy follows from the properties of the cryptographic primitives used in $\func{Vote}$ and $\func{Tally}$ under the assumption of no malicious threshold cohort of talliers.
Voter anonymity is asserted unconditionally by the use of a commitment set proof, and coercion resistance follows from the use of encrypted ballot serial numbers that are unique and fixed for each voter identity.


@@ -524,22 +548,16 @@ \section{Bit commitment proving system}
\end{enumerate}


\section{Comparison to ElectionGuard}
\section{Efficiency comparison to ElectionGuard}
\label{app:efficiency}

We compare the efficiency of some Aura components to those of ElectionGuard \cite{electionguard}, since its design is well specified.
However, we note that ElectionGuard offloads voter anonymity to election organizers, which Aura specifically avoids through the use of voter-produced anonymity proofs; as a result, we cannot provide a direct comparison.

However, it is instructive to examine how Aura's other ballot-related proofs compare.
In particular, we note that ballot proofs in both protocols have two overall goals: they must show that each option encrypts to 0 (the voter does not choose it) or 1 (the voter chooses it) against the correct ElGamal key, and must further show that only a specified number of options are chosen.
In Aura, this is done using $\func{EncValVerify}$ on each encrypted option from a ballot, and $\func{BitVerify}$ on the sum of all encrypted options.
Specifically, the former asserts that each option is a valid encryption of \textit{some} message (secretly known by the prover) against the proper key, and the latter asserts both that each such message is in $\{0,1\}$ and that the selection limit is satisfied.
This approach succeeds in part because each choice is assocated to a unique group generator as part of the ElGamal encryptions.

In ElectionGuard, a related but different approach is taken.
One proving system uses a disjunction approach to show that each encrypted option corresponds to a message in $\{0,1\}$ against the proper key.
Another proving system shows that the sum of all such encryptions corresponds to the selection limit.
This approach succeeds in part because each choice uses the same group generators for ElGamal encryption.
However, ElectionGuard offloads voter privacy to organizers, which Aura specifically avoids; as a result, we cannot directly compare this.

We observe that ballot validity proofs in both protocols have two overall goals: they must show that each option is a valid encryption against the correct ElGamal key, and that only a specified number of options are chosen.
In Aura, we use one proof to show that an encrypted selection is a valid encryption of \text{some} message, and another to show the validity of all such messages and the correct selection limit.
In ElectionGuard, one proof shows that an encrypted selection is a valid encryption of a valid message, and another asserts the correct seection limit.
This difference, which arises from proving system designs, impacts efficiency.

As before, suppose an election has $k$ options, and that a voter must select between $k_{\text{min}}$ and $k_{\text{max}}$ of them.
Let $k' = k + k_{\text{max}} - k_{\text{min}}$ for convenience.
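Review bot: In the added Aura sentence, `\text{some}` replaces the `\textit{some}` of the removed paragraph; `\text` is amsmath's text-in-math command and gives no emphasis, so the italics are lost and it should be `\textit{some}`. The next added line has a typo, "seection limit" for "selection limit". The new paragraph also says "voter privacy" where the Requirements list says "voter anonymity", and it drops the removed text's explanation that Aura associates each choice with a unique group generator while ElectionGuard reuses the same generators; if that is what "arises from proving system designs" refers to, a one-clause reminder would keep the efficiency argument self-contained.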