Tal Moran

Joint work with Moni Naor

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy


Flavors of Cryptographic Privacy

  • Computational Privacy

    • Depends on a computational assumption

    • A powerful enough adversary can “break” the privacy guarantee

    • Example: Public Key Encryption

  • Unconditional (“Everlasting”) Privacy

    • Privacy holds even for infinitely powerful adversary

    • Example: Statistically Hiding Commitment


Why Not Everlasting Privacy?

  • Tradeoff between Unconditional Privacy and Unconditional Integrity

  • Gut feeling is that integrity is more important

  • Distributing trust between multiple parties is harder

    • Public communication cannot contain any information about individual votes

    • Standard methods using “threshold decryption” won’t work


Why Everlasting Privacy After All?

  • Integrity depends on privacy too:

    • Coerced elections are not fair!

  • Computational privacy holds only as long as its underlying assumptions

    • Belief in privacy violation may be enough for coercion!

    • Most open-audit voting schemes rely on public-key encryption

Existing public-key schemes with current key lengths are likely to be broken in 30 years! [RSA conference ’06]


Outline of Talk

  • Voting Scheme based on Hidden Temporal Order [Crypto 2006]

    • Uses DRE; DRE learns vote

    • Generalization can be based on any non-interactive commitment

  • “Split Ballot” Voting Scheme [WOTE/CCS 2007]

    • Uses physical ballots

    • No single entity learns vote

  • We’ll use physical metaphors and a simplified model


Alice and Bob for Class President

  • Cory “the Coercer” wants to rig the election

    • He can intimidate all the students

  • Only Mr. Drew is not afraid of Cory

    • Everybody trusts Mr. Drew to keep secrets

    • Unfortunately, Mr. Drew also wants to rig the election

    • Luckily, he doesn't stoop to blackmail

  • Sadly, all the students suffer severe RSI

    • They can't use their hands at all

    • Mr. Drew will have to cast their ballots for them


Commitment with “Equivalence Proof”

  • We use a 20g weight for Alice...

  • ...and a 10g weight for Bob

  • Using a scale, we can tell if two votes are identical

    • Even if the weights are hidden in a box!

  • The only actions we allow are:

    • Open a box

    • Compare two boxes


Additional Requirements

  • An “untappable channel”

    • Students can whisper in Mr. Drew's ear

  • Commitments are secret

    • Mr. Drew can put weights in the boxes privately

  • Everything else is public

    • Entire class can see all of Mr. Drew’s actions

    • They can hear anything that isn’t whispered

    • The whole show is recorded on video (external auditors)

I’m whispering


Ernie Casts a Ballot

  • Ernie whispers his choice to Mr. Drew

I like Alice


Ernie Casts a Ballot

  • Mr. Drew puts a box on the scale

  • Mr. Drew needs to prove to Ernie that the box contains 20g

    • If he opens the box, everyone else will see what Ernie voted for!

  • Mr. Drew uses a “Zero Knowledge Proof”

Ernie Casts a Ballot

  • Mr. Drew puts k (=3) “proof” boxes on the table

    • Each box should contain a 20g weight

    • Once the boxes are on the table, Mr. Drew is committed to their contents

Ernie Casts a Ballot

1 Weigh

2 Open

3 Open

  • Ernie “challenges” Mr. Drew. For each box, Ernie flips a coin and either:

    • Asks Mr. Drew to put the box on the scale (“prove equivalence”)

      • It should weigh the same as the “Ernie” box

    • Asks Mr. Drew to open the box

      • It should contain a 20g weight


Ernie Casts a Ballot

1 Open, 2 Weigh, 3 Open

  • If the “Ernie” box doesn’t contain a 20g weight, every proof box:

    • Either doesn’t contain a 20g weight

    • Or doesn’t weigh the same as the Ernie box

  • Mr. Drew can fool Ernie with probability at most 2^-k

Ernie Casts a Ballot

  • Why is this Zero Knowledge?

  • When Ernie whispers to Mr. Drew, he can tell Mr. Drew what his challenge will be.

  • Mr. Drew can put 20g weights in the boxes he will open, and 10g weights in the boxes he weighs

I like Bob

1 Open, 2 Weigh, 3 Weigh


Ernie Casts a Ballot: Full Protocol

  • Ernie whispers his choice and a dummy challenge to Mr. Drew

  • Mr. Drew puts a box on the scale

    • It should contain a 20g weight

  • Mr. Drew puts k “Alice” proof boxes and k “Bob” proof boxes on the table

    • Bob boxes contain 10g or 20g weights according to the dummy challenge

I like Alice

1 Open, 2 Weigh, 3 Weigh


Ernie Casts a Ballot: Full Protocol

1 Open, 2 Open, 3 Weigh

  • Ernie shouts the “Alice” (real) challenge and the “Bob” (dummy) challenge

  • Drew responds to the challenges

  • No matter who Ernie voted for, the protocol looks exactly the same!

1 Open, 2 Weigh, 3 Weigh
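
The box-and-scale protocol from the “Ernie Casts a Ballot” slides, as an added example that is not code from the talk or its authors. It models boxes with Pedersen commitments, one statistically hiding commitment on which “weigh” becomes revealing the difference of two blinding values; the choice of Pedersen, the toy group parameters and all function names are assumptions made here.

```python
import secrets
from itertools import product

# Toy Pedersen group, constructed and insecurely small: p = 2q + 1; g, h have order q.
P, Q, G, H = 2039, 1019, 4, 9
ALICE, BOB = 20, 10                  # the slides' weights as committed values
CHOICES = ("open", "weigh")

def commit(m, r):
    """A closed box: g^m * h^r mod p hides m even from an unbounded observer."""
    return pow(G, m, P) * pow(H, r, P) % P

def prove(cand, vote, r_ballot, plan):
    """Mr. Drew fills one box per planned challenge: `cand` if he expects to open
    it, the ballot's value if he expects to weigh it (the same for a real vote)."""
    boxes, answers = [], []
    for step in plan:
        m, r = (cand if step == "open" else vote), secrets.randbelow(Q)
        boxes.append(commit(m, r))
        answers.append({"open": (m, r), "weigh": (r_ballot - r) % Q})
    return boxes, answers

def verify(cand, ballot, boxes, answers, challenge):
    """Public check, identical for the real and the dummy candidate."""
    for box, ans, step in zip(boxes, answers, challenge):
        if step == "open":
            if ans["open"][0] != cand or commit(*ans["open"]) != box:
                return False
        elif ballot != box * pow(H, ans["weigh"], P) % P:   # scale comparison
            return False
    return True

def cast(vote, real_challenge, dummy_challenge):
    """Honest run. Drew knows only the dummy challenge before committing."""
    r_ballot = secrets.randbelow(Q)
    ballot, result = commit(vote, r_ballot), {}
    for cand in (ALICE, BOB):
        chal = real_challenge if cand == vote else dummy_challenge
        plan = chal if cand != vote else ["open"] * len(chal)
        boxes, answers = prove(cand, vote, r_ballot, plan)
        result[cand] = verify(cand, ballot, boxes, answers, chal)
    return result

def cheat_passes(k=3):
    """Ballot secretly holds BOB; count the challenges a guessed ALICE proof survives."""
    r_ballot = secrets.randbelow(Q)
    guess = [secrets.choice(CHOICES) for _ in range(k)]
    boxes, answers = prove(ALICE, BOB, r_ballot, guess)
    return sum(verify(ALICE, commit(BOB, r_ballot), boxes, answers, c)
               for c in product(CHOICES, repeat=k))
```

`answers` holds both possible responses per box for convenience; in the protocol Mr. Drew reveals only the one that is challenged. `cheat_passes` returning 1 out of 2^k challenges is the slides' 2^-k bound.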


A “Real” System

Hello Ernie, Welcome to VoteMaster

Please choose your candidate:

Alice

Bob


A “Real” System

Hello Ernie, You are voting for Alice

Please enter a dummy challenge for Bob

Alice:

Bob: l4st phone et spla

Continue


A “Real” System

Hello Ernie, You are voting for Alice

Make sure the printer has output two lines (the second line will be covered). Now enter the real challenge for Alice

Alice: Sn0w 619- ziggy p3

Bob: l4st phone et spla

Continue


A “Real” System

Hello Ernie, You are voting for Alice

Please verify that the printed challenges match those you entered.

Alice: Sn0w 619- ziggy p3

Bob: l4st phone et spla

Finalize Vote


A “Real” System

Hello Ernie, Thank you for voting

Please take your receipt

1 Receipt for Ernie
2 o63ZJVxC91rN0uRv/DtgXxhl+UY=
3 - Challenges -
4 Alice:
5 Sn0w 619- ziggy p3
6 Bob:
7 l4st phone et spla
8 - Response -
9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ=
0 === Certified ===


Counting the Votes

[Figure: boxes labelled Ernie, Fay, Guy, Heidi]

  • Mr. Drew announces the final tally

  • Mr. Drew must prove the tally correct

    • Without revealing who voted for what!

  • Recall: Mr. Drew is committed to everyone’s votes

Alice: 3, Bob: 1


Counting the Votes

1 Weigh, 2 Weigh, 3 Open

  • Mr. Drew puts k rows of new boxes on the table

    • Each row should contain the same votes in a random order

  • A “random beacon” gives k challenges

    • Everyone trusts that Mr. Drew cannot anticipate the challenges

Counting the Votes

  • For each challenge:

    • Mr. Drew proves that the row contains a permutation of the real votes

Counting the Votes

  • For each challenge:

    • Mr. Drew proves that the row contains a permutation of the real votes

      Or

    • Mr. Drew opens the boxes and shows they match the tally

Counting the Votes

  • If Mr. Drew’s tally is bad

    • The new boxes don’t match the tally

      Or

    • They are not a permutation of the committed votes

  • Drew succeeds with prob. at most 2^-k

Counting the Votes

  • This protocol does not reveal information about specific votes:

    • No box is both opened and weighed

    • The opened boxes are in a random order
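
The tally proof from the “Counting the Votes” slides, as an added example that is not code from the talk or its authors. Boxes are modelled as Pedersen commitments over a toy group; that choice, the `fake` and `guesses` parameters that model a cheating Mr. Drew, and all function names are assumptions made here.

```python
import secrets
from collections import Counter
from itertools import product

# Toy Pedersen group, constructed and insecurely small: p = 2q + 1; g, h have order q.
P, Q, G, H = 2039, 1019, 4, 9
ALICE, BOB = 20, 10                  # the slides' weights as committed values

def commit(m, r):
    return pow(G, m, P) * pow(H, r, P) % P

def make_row(votes, contents):
    """Mr. Drew: one new box per ballot, in a secret random order. contents[i] is
    what he puts in the box derived from ballot i (honestly, that ballot's vote)."""
    order = list(range(len(votes)))
    secrets.SystemRandom().shuffle(order)
    secret = [(i, contents[i], secrets.randbelow(Q)) for i in order]
    return [commit(m, s) for _, m, s in secret], secret

def respond(votes, secret, step):
    if step == "weigh":   # reveal the permutation, never the contents
        return [(i, (votes[i][1] - s) % Q) for i, _, s in secret]
    return [(m, s) for _, m, s in secret]   # reveal contents, never the permutation

def check_row(ballots, tally, row, step, resp):
    if step == "weigh":
        perm_ok = sorted(i for i, _ in resp) == list(range(len(ballots)))
        return perm_ok and all(ballots[i] == box * pow(H, d, P) % P
                               for box, (i, d) in zip(row, resp))
    return (all(commit(m, s) == box for box, (m, s) in zip(row, resp))
            and Counter(m for m, _ in resp) == Counter(tally))

def audit(votes, tally, beacon, fake=None, guesses=()):
    """k rounds against the beacon. A cheating Drew (fake given) fills a row with
    `fake` contents whenever he guesses that row will be opened."""
    ballots = [commit(m, r) for m, r in votes]
    for n, step in enumerate(beacon):
        cheat = fake is not None and guesses[n] == "open"
        row, secret = make_row(votes, fake if cheat else [m for m, _ in votes])
        if not check_row(ballots, tally, row, step, respond(votes, secret, step)):
            return False
    return True

def surviving_beacons(votes, false_tally, fake, guesses):
    """How many of the 2^k beacon outputs let a false tally through."""
    return sum(audit(votes, false_tally, b, fake, guesses)
               for b in product(("open", "weigh"), repeat=len(guesses)))
```

`votes` is Mr. Drew's private list of (value, blinding) pairs; only the commitments, the rows and the responses are public. A row is either weighed or opened, never both, so the revealed permutation and the revealed contents never meet.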

Summary

  • A Universally-Verifiable Receipt-Free voting scheme

    • Based on commitment with equivalence testing

    • Based on generic non-interactive commitment

  • What’s Missing?

    • DRE knows voter’s choice

    • Can use subliminal channels to reveal it

  • We want to split trust between multiple authorities


Thank You!