Practical Quantum Electronic Voting: Difference between revisions
(Initial protocol page for Practical Quantum Electonic Voting) |
mNo edit summary |
||
(2 intermediate revisions by the same user not shown) | |||
Line 6: | Line 6: | ||
<!--Tags: related pages or category --> | <!--Tags: related pages or category --> | ||
'''Tags:''' [[:Category: Multi Party Protocols|Multi Party Protocols]], [[:Category: Quantum Enhanced Classical Functionality| Quantum Enhanced Classical Functionality]], [[:Category:Specific Task | Specific Task]] | |||
== | ==Requirements== | ||
<!-- It describes the setting in which the protocol will be successful. --> | <!-- It describes the setting in which the protocol will be successful. --> | ||
* Classical communication between the voting agents | |||
* A multipartite entanglement source connected to each agent by a quantum channel. The source need not be trusted. | |||
* Voting agents must be able to generate random numbers | |||
==Outline== | ==Outline== | ||
Line 44: | Line 48: | ||
''Resources'': Classical communication, random numbers, N-qubit GHZ source, quantum channels | ''Resources'': Classical communication, random numbers, N-qubit GHZ source, quantum channels | ||
* Phase 1 [getting unique secret indices] | * Phase 1 [getting unique secret indices] | ||
** Agents perform | ** Agents perform '''UniqueIndex''' until each agent has a secret unique random index <math>\omega_k</math> | ||
* Phase 2 [casting votes] | * Phase 2 [casting votes] | ||
** For <math>l = 1</math> to <math>N</math> | ** For <math>l = 1</math> to <math>N</math> | ||
*** The voting agent is the agent <math>k</math> with <math>\omega_k = l</math> | *** The voting agent is the agent <math>k</math> with <math>\omega_k = l</math> | ||
*** Repeat until | *** Repeat until '''Voting''' is announced | ||
**** The source distributes to each of the N agents one qubit of the GHZ source | **** The source distributes to each of the N agents one qubit of the GHZ source | ||
**** All agents <math> j \in [N] </math> set rejections<math>_j = </math> trials<math>_j = 0</math> | **** All agents <math> j \in [N] </math> set rejections<math>_j = </math> trials<math>_j = 0</math> | ||
**** The voting agent tosses log<math>_2[\frac{16N\epsilon^2}{(\epsilon^2-4\delta)^2}</math>ln<math>(\frac{1}{\eta})]</math> <!--NEEDS FORMATTING CHANGES--> | **** The voting agent tosses log<math>_2[\frac{16N\epsilon^2}{(\epsilon^2-4\delta)^2}</math>ln<math>(\frac{1}{\eta})]</math> <!--NEEDS FORMATTING CHANGES--> | ||
**** The agents perform | **** The agents perform '''LogicalOR''', where output 1 indicates '''Verification''' and output 0 indicates '''Voting'''. Everyone except the voting agent inputs 0; if the coin toss is 'all heads' the voting agent also inputs 0, otherwise the voting agent inputs 1 | ||
**** If | **** If '''Verification''' is chosen, the agents perform '''RandomAgent''' and the voting agent anonymously picks an agent <math>j \in [N]</math> to be the verifier. Agent <math>j</math> updates trials<math>_j+ = 1</math> and if '''Verification''' outputs reject: rejections<math>_j+ = 1</math> | ||
*** If for any <math>j \in [N], \delta_j = \frac{rejections_j}{trials_j} > \delta </math>, the protocol ''Aborts'' | *** If for any <math>j \in [N], \delta_j = \frac{rejections_j}{trials_j} > \delta </math>, the protocol ''Aborts'' | ||
*** Perform | *** Perform '''Voting'''. The outcome is one row of the Bulletin Board '''B'''. The parity of the row gives one entry in the vote vector '''E'''. | ||
** Given the votes '''E''', the tally '''T''' can be computed. | ** Given the votes '''E''', the tally '''T''' can be computed. | ||
*Phase 3 [Verification of results]: | *Phase 3 [Verification of results]: | ||
** All agents perform | ** All agents perform '''LogicalOR''' with security parameter <math>S</math>, and input 1 if their vote is not the same as the entry in '''E''' for the round in which they voted, and 0 otherwise. | ||
** If | ** If '''LogicalOR''' outputs 1, ''Abort'' the protocol. Else output the candidate with the most votes according to the tally '''T'''. | ||
===Protocol 2 : LogicalOR=== | |||
===Protocol 2 : UniqueIndex=== | |||
''Input'': Security parameter <math>S</math> to be used in '''LogicalOR''',<math>N</math> random boolean variables <math>x_i</math>. | |||
''Output'': Each agent <math>k</math> has a secret unique index <math>\omega_k</math>. | |||
''Resources'': Classical communication and random numbers. | |||
# Beginning of round R = 1 | |||
# Agents perform '''LogicalOR''' with inputs <math>x_k = 0</math> if they already have an index and <math>x_k = 1</math> if they do not. | |||
# If <math>y = 0</math>, repeat from step 2 | |||
# If an agent <math>k</math> has a bit <math>x_k = 1</math> and <math>\omega_k = 0</math> they know they are the only one and has been assigned the secret index corresponding to the round <math>\omega_k = R</math>, otherwise there is a collision. | |||
# [notification] Everybody performs a '''LogicalOR''' with input 0, unless they received the index in this round, in which case they input 1. | |||
# If the output of '''LogicalOR''' is 0, no index was assigned and we repeat from step 2. | |||
# If the output of '''LogicalOR''' is 1, the index was assigned and we repeat from step 2 with R+ = 1. | |||
# Repeat from step 2 until all indices have been assigned. | |||
===Protocol 3 : Verification=== | |||
''Input'': A quantum state distributed and shared by <math>N</math> parties, security parameter <math>S</math> for '''RandomAgent'''. | |||
''Output'': If the state is a GHZ state <math> \rightarrow </math> YES. | |||
''Resources'': Classical communication, random numbers, quantum state source, quantum channels. | |||
# Everyone executes '''RandomAgent''' to choose uniformly at random one of the voters to be the verifier. | |||
# The verifier generates random angles <math>\theta_j \in [0, \pi)</math> for all agents including themselves, such that the sum is a multiple of <math>\pi</math>. The angles are then sent out to all the agents. | |||
# Agent <math>j</math> measures in the basis <math>[|+_\theta\rangle,|-_\theta\rangle] = [\frac{1}{\sqrt{2}}(|0\rangle + e^{i\theta_j}|1\rangle), \frac{1}{\sqrt{2}}(|0\rangle - e^{i\theta_j}|1\rangle)]</math> and publicly announces the result <math>Y_j = \{0,1\}</math> | |||
# The state passes the verification test when the following condition is satisfied: if the sum of the randomly chosen angles is an even multiple of <math>\pi</math>, there must be an even number of 1 outcomes for <math>Y_j</math> , and if the sum is an odd multiple of <math>\pi</math>, there must be an odd number of 1 outcomes for <math>Y_j : \bigoplus_j Y_j = \frac{1}{\pi}\sum_i\theta_i </math> (mod 2) | |||
===Protocol 4 : Voting=== | |||
''Input'': Voting agent preference <math>v_k</math>. | |||
''Output'': All agents get one row of the bulletin board. | |||
''Resources'': Classical communication, GHZ source, quantum channels. | |||
# Each agent measures the state they received in the Hadamard basis and records the outcome. | |||
# The outcomes of the measurement of each voter <math>k</math> is <math>d_k</math>. Then we know that <math>\sum_kd_k = 0</math> mod <math> 2</math> | |||
# The voting agent performs an XOR between the outcome <math>d_k</math> and their vote <math>v_k</math>: <math>d_k \leftarrow d_k \oplus v_k </math>. However, this alone will still appear as a random string. | |||
# Every agent publicly broadcasts <math>d_k</math> which gives one line <math>b_k</math> of the bulletin board '''B''' <math> = \{b_k\}</math> | |||
===Protocol 5 : LogicalOR=== | |||
''Inputs'': <math>N</math> agents, <math>N</math> boolean variables <math>x_i</math>, security parameter <math>S = (1 - 2^{-\Gamma})^\Sigma \in (0,1)</math> | ''Inputs'': <math>N</math> agents, <math>N</math> boolean variables <math>x_i</math>, security parameter <math>S = (1 - 2^{-\Gamma})^\Sigma \in (0,1)</math> | ||
Line 79: | Line 125: | ||
# If at least once in the <math>\Sigma</math> repetitions for the various orderings <math>y = 1</math>, this is the output of the protocol, otherwise it is <math>y = 0</math> | # If at least once in the <math>\Sigma</math> repetitions for the various orderings <math>y = 1</math>, this is the output of the protocol, otherwise it is <math>y = 0</math> | ||
===Protocol 6 : RandomBit=== | |||
===Protocol | ''Input'': Security parameter S to be used in '''LogicalOR''', ''voting agent'': probability distribution D. | ||
''Input'': Security parameter S to be used in | |||
''Output'': The voting agent anonymously announces a random bit according to D. | ''Output'': The voting agent anonymously announces a random bit according to D. | ||
Line 87: | Line 132: | ||
''Resources'': Classical communication and random numbers. | ''Resources'': Classical communication and random numbers. | ||
*Perform | *Perform '''LogicalOR''' with security parameter S where the voting agent inputs a random bit according to D and the other agents input 0. | ||
===Protocol | ===Protocol 7 : RandomAgent=== | ||
''Input'': Security parameter S to be used in | ''Input'': Security parameter S to be used in '''RandomBit''', voting agent: probability distribution D. | ||
''Output'': The voting agent anonymously chooses a random agent according to D. | ''Output'': The voting agent anonymously chooses a random agent according to D. | ||
Line 97: | Line 142: | ||
''Resources'': Classical communication and random numbers. | ''Resources'': Classical communication and random numbers. | ||
* Repeat | * Repeat '''RandomBit''' log2 N times. | ||
== | ==Properties== | ||
<!-- important information on the protocol: parameters (threshold values), security claim, success probability... --> | |||
* <math>(\sigma_H,\sigma_D,\gamma)</math>-''Correctness'': This notion of approximate correctness includes two properties: | |||
** <math>\sigma_H</math>-''Completeness'': If all agents are honest, the election is accepted with probability more than <math>\sigma_H</math> - Pr[election accepted] <math> \geq \sigma_H</math> | |||
'' | ** <math>(\sigma_D,\gamma)</math>-''Soundness'': the probability that the election result is accepted, given that the set of the votes '''E''' computed from the bulletin board '''B''' resulting from the election is more than <math>\gamma</math> away from the real votes '''V''', is smaller than <math>\sigma_D</math> - | ||
:: Pr[election accepted <math>| \frac{1}{N}||</math>'''V''' - '''E'''<math>||_1 \geq \gamma] \leq \sigma_D </math> | |||
'' | : This particular protocol is <math>([1-\epsilon(1-S)]^N, S^{N(1+\lambda)[\epsilon(1-\eta)+\eta]},(1+\lambda)[\epsilon(1-\eta)+\eta])</math>-correct, for a small constant <math>\lambda > 0</math> | ||
'' | * <math>\zeta</math>-''Privacy'': The privacy of the election scheme implies that for any voter <math>k</math>, the probability that any subset of malicious parties <math>D</math> that deviates from the honest protocol can guess the vote <math>v_k</math> of the voter is at most <math>\zeta</math> more than in the case they just have access to the bulletin board and to their own votes - | ||
: <math>\forall k, </math> Pr<math>[v_k|D] -</math> Pr<math>[v_k|B,v_j \in </math> '''V'''<math>_D] \leq \zeta</math> | |||
: This particular protocol is <math>\zeta</math>-private with <math>\zeta = (1-\eta)^N\epsilon + (1 - (1-\eta)^N)</math> | |||
* ''Authentication'': This e-voting protocol does not provide authentication, which should be taken care of by the physical implementation of the protocol. | |||
* ''Double voting'': Each voter can vote at most once. Since the number of voters is known in advance for this protocol, double voting is easily taken care of. | |||
'' | |||
'' | * ''Verifiability'': Each voter can verify that their vote has been counted correctly. In this protocol, the tally is performed by the voters themselves. The bulletin board produced as an output of the protocol is public and can always be checked by everyone, while still appearing random. | ||
'' | * ''Receipt freeness'': In order to prevent vote-selling, voters should not be able to prove how they voted. As the unique indices stay secret, voters cannot produce a receipt of their vote. | ||
* ''Additional candidates'': The protocol described here only allows an election consisting of 2 candidates. This can be extended to more candidates by repeating the protocol multiple times in sequence. In particular, if there are K candidates, we can express each of them using log<math>_2</math>K bits and repeat the election as many times so that each vote set corresponds to one bit. This however does affect the correctness and privacy. | |||
==Further Information== | ==Further Information== | ||
<!-- theoretical and experimental papers including requirements, security proof (important), which protocol does it implement, benchmark values... --> | <!-- theoretical and experimental papers including requirements, security proof (important), which protocol does it implement, benchmark values... --> | ||
* Proofs of the protocol properties can be found in [https://arxiv.org/abs/2107.14719 Centrone et al. (2021)] | |||
* Protocols 5-7 are classical anonymous protocols taken from [https://arxiv.org/abs/0706.2010 Broadbent and Tapp(2007)] and used in [https://arxiv.org/abs/1811.04729 Unnikrishnan et al.(2018)] | |||
* Protocol 3 is the same as that of [https://arxiv.org/abs/1112.5064 Pappa et al.(2011)] | |||
= | <div style='text-align: right;'>''*contributed by Chirag Wadhwa''</div> |
Latest revision as of 01:10, 1 February 2022
This example protocol achieves the functionality of Quantum Electronic Voting. In this protocol, an untrusted multipartite entanglement source can be used to carry out an election without any election authorities.
Tags: Multi Party Protocols, Quantum Enhanced Classical Functionality, Specific Task
Requirements[edit]
- Classical communication between the voting agents
- A multipartite entanglement source connected to each agent by a quantum channel. The source need not be trusted.
- Voting agents must be able to generate random numbers
Outline[edit]
- In the first phase of the protocol, each agent is assigned a secret unique random index
- Next, we perform multiple rounds of voting, one for each agent. In each round, the following steps are carried out:
- The agent with the same index as the round number is designated the voter for that round
- The source distributes one qubit of a GHZ state to each agent. The voting agent randomly chooses to either verify the GHZ state or vote with a certain probability. This step, including state distribution, is repeated until the voter chooses to vote. Once voting is chosen, the voter anonymously transmits their vote to all agents.
- Finally, all the votes are tallied. All agents have the votes for each round and can thus verify the final tally.
Notation[edit]
- : Number of agents
- : The votes
- : Security parameter
- : Distance from the perfect GHZ state
- : Threshold for verification
- : Probability of failure of verification
- B: Bulletin board - x binary matrix. Each row corresponds to one round of voting, and each column contains the output of a single voter across all rounds
- E: Vote vector - The list of votes across rounds. Each element is computed as the parity of a row from B
- T: Final tally
Protocol Description[edit]
Protocol 1 : Quantum e-voting[edit]
Inputs: - Set of votes; - Security parameter; - Distance from the perfect GHZ state; - Threshold for verification; Probability of failure of verification
Output: The candidate with majority votes or Abort
Resources: Classical communication, random numbers, N-qubit GHZ source, quantum channels
- Phase 1 [getting unique secret indices]
- Agents perform UniqueIndex until each agent has a secret unique random index
- Phase 2 [casting votes]
- For to
- The voting agent is the agent with
- Repeat until Voting is announced
- The source distributes to each of the N agents one qubit of the GHZ source
- All agents set rejections trials
- The voting agent tosses logln
- The agents perform LogicalOR, where output 1 indicates Verification and output 0 indicates Voting. Everyone except the voting agent inputs 0; if the coin toss is 'all heads' the voting agent also inputs 0, otherwise the voting agent inputs 1
- If Verification is chosen, the agents perform RandomAgent and the voting agent anonymously picks an agent to be the verifier. Agent updates trials and if Verification outputs reject: rejections
- If for any , the protocol Aborts
- Perform Voting. The outcome is one row of the Bulletin Board B. The parity of the row gives one entry in the vote vector E.
- Given the votes E, the tally T can be computed.
- For to
- Phase 3 [Verification of results]:
- All agents perform LogicalOR with security parameter , and input 1 if their vote is not the same as the entry in E for the round in which they voted, and 0 otherwise.
- If LogicalOR outputs 1, Abort the protocol. Else output the candidate with the most votes according to the tally T.
Protocol 2 : UniqueIndex[edit]
Input: Security parameter to be used in LogicalOR, random boolean variables .
Output: Each agent has a secret unique index .
Resources: Classical communication and random numbers.
- Beginning of round R = 1
- Agents perform LogicalOR with inputs if they already have an index and if they do not.
- If , repeat from step 2
- If an agent has a bit and they know they are the only one and has been assigned the secret index corresponding to the round , otherwise there is a collision.
- [notification] Everybody performs a LogicalOR with input 0, unless they received the index in this round, in which case they input 1.
- If the output of LogicalOR is 0, no index was assigned and we repeat from step 2.
- If the output of LogicalOR is 1, the index was assigned and we repeat from step 2 with R+ = 1.
- Repeat from step 2 until all indices have been assigned.
Protocol 3 : Verification[edit]
Input: A quantum state distributed and shared by parties, security parameter for RandomAgent.
Output: If the state is a GHZ state YES.
Resources: Classical communication, random numbers, quantum state source, quantum channels.
- Everyone executes RandomAgent to choose uniformly at random one of the voters to be the verifier.
- The verifier generates random angles for all agents including themselves, such that the sum is a multiple of . The angles are then sent out to all the agents.
- Agent measures in the basis and publicly announces the result
- The state passes the verification test when the following condition is satisfied: if the sum of the randomly chosen angles is an even multiple of , there must be an even number of 1 outcomes for , and if the sum is an odd multiple of , there must be an odd number of 1 outcomes for (mod 2)
Protocol 4 : Voting[edit]
Input: Voting agent preference .
Output: All agents get one row of the bulletin board.
Resources: Classical communication, GHZ source, quantum channels.
- Each agent measures the state they received in the Hadamard basis and records the outcome.
- The outcomes of the measurement of each voter is . Then we know that mod
- The voting agent performs an XOR between the outcome and their vote : . However, this alone will still appear as a random string.
- Every agent publicly broadcasts which gives one line of the bulletin board B
Protocol 5 : LogicalOR[edit]
Inputs: agents, boolean variables , security parameter
Output:
Resources: Classical communication and random numbers
- Decide random orderings, such that each voter is the last once. For each ordering repeat \Sigma times the following.
- Each voter gives an input
- If , set , otherwise toss coins and set to if the result is ‘all heads’ and to otherwise
- Then each voter generates uniformly at random an -bit string , such that
- Voter sends to voter for all , keeping
- Each voter sums the received bits and broadcasts the parity according to the ordering.
- Compute the parity of the original bits
- From this everyone can also compute the parity of all other inputs except their own
- Repeat times from step 4: each time repeat with as new inputs
- If at least once in the repetitions for the various orderings , this is the output of the protocol, otherwise it is
Protocol 6 : RandomBit[edit]
Input: Security parameter S to be used in LogicalOR, voting agent: probability distribution D.
Output: The voting agent anonymously announces a random bit according to D.
Resources: Classical communication and random numbers.
- Perform LogicalOR with security parameter S where the voting agent inputs a random bit according to D and the other agents input 0.
Protocol 7 : RandomAgent[edit]
Input: Security parameter S to be used in RandomBit, voting agent: probability distribution D.
Output: The voting agent anonymously chooses a random agent according to D.
Resources: Classical communication and random numbers.
- Repeat RandomBit log2 N times.
Properties[edit]
- -Correctness: This notion of approximate correctness includes two properties:
- -Completeness: If all agents are honest, the election is accepted with probability more than - Pr[election accepted]
- -Soundness: the probability that the election result is accepted, given that the set of the votes E computed from the bulletin board B resulting from the election is more than away from the real votes V, is smaller than -
- Pr[election accepted V - E
- This particular protocol is -correct, for a small constant
- -Privacy: The privacy of the election scheme implies that for any voter , the probability that any subset of malicious parties that deviates from the honest protocol can guess the vote of the voter is at most more than in the case they just have access to the bulletin board and to their own votes -
- Pr Pr V
- This particular protocol is -private with
- Authentication: This e-voting protocol does not provide authentication, which should be taken care of by the physical implementation of the protocol.
- Double voting: Each voter can vote at most once. Since the number of voters is known in advance for this protocol, double voting is easily taken care of.
- Verifiability: Each voter can verify that their vote has been counted correctly. In this protocol, the tally is performed by the voters themselves. The bulletin board produced as an output of the protocol is public and can always be checked by everyone, while still appearing random.
- Receipt freeness: In order to prevent vote-selling, voters should not be able to prove how they voted. As the unique indices stay secret, voters cannot produce a receipt of their vote.
- Additional candidates: The protocol described here only allows an election consisting of 2 candidates. This can be extended to more candidates by repeating the protocol multiple times in sequence. In particular, if there are K candidates, we can express each of them using logK bits and repeat the election as many times so that each vote set corresponds to one bit. This however does affect the correctness and privacy.
Further Information[edit]
- Proofs of the protocol properties can be found in Centrone et al. (2021)
- Protocols 5-7 are classical anonymous protocols taken from Broadbent and Tapp(2007) and used in Unnikrishnan et al.(2018)
- Protocol 3 is the same as that of Pappa et al.(2011)