Tal Moran, joint work with Moni Naor
Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Presentation Transcript
Flavors of Cryptographic Privacy
  • Computational Privacy
    • Depends on a computational assumption
    • A powerful enough adversary can “break” the privacy guarantee
    • Example: Public Key Encryption
  • Unconditional (“Everlasting”) Privacy
    • Privacy holds even for infinitely powerful adversary
    • Example: Statistically Hiding Commitment
Why Not Everlasting Privacy?
  • Tradeoff between Unconditional Privacy and Unconditional Integrity
  • Gut feeling is that integrity is more important
  • Distributing trust between multiple parties is harder
    • Public communication cannot contain any information about individual votes
    • Standard methods using “threshold decryption” won’t work
Why Everlasting Privacy After All?
  • Integrity depends on privacy too:
    • Coerced elections are not fair!
  • Computational privacy holds only as long as its underlying assumptions
    • Belief in privacy violation may be enough for coercion!
    • Most open-audit voting schemes rely on public-key encryption

Existing public-key schemes with current key lengths are likely to be broken in 30 years! [RSA conference ’06]

Outline of Talk
  • Voting Scheme based on Hidden Temporal Order [Crypto 2006]
    • Uses DRE; DRE learns vote
    • Generalization can be based on any non-interactive commitment
  • “Split Ballot” Voting Scheme [WOTE/CCS 2007]
    • Uses physical ballots
    • No single entity learns vote
  • We’ll use physical metaphors and a simplified model
Alice and Bob for Class President
  • Cory “the Coercer” wants to rig the election
    • He can intimidate all the students
  • Only Mr. Drew is not afraid of Cory
    • Everybody trusts Mr. Drew to keep secrets
    • Unfortunately, Mr. Drew also wants to rig the election
    • Luckily, he doesn’t stoop to blackmail
  • Sadly, all the students suffer severe RSI
    • They can’t use their hands at all
    • Mr. Drew will have to cast their ballots for them
Commitment with “Equivalence Proof”
  • We use a 20g weight for Alice...
  • ...and a 10g weight for Bob
  • Using a scale, we can tell if two votes are identical
    • Even if the weights are hidden in a box!
  • The only actions we allow are:
    • Open a box
    • Compare two boxes
Additional Requirements
  • An “untappable channel”
    • Students can whisper in Mr. Drew’s ear
  • Commitments are secret
    • Mr. Drew can put weights in the boxes privately
  • Everything else is public
    • Entire class can see all of Mr. Drew’s actions
    • They can hear anything that isn’t whispered
    • The whole show is recorded on video (external auditors)

Ernie Casts a Ballot
  • Ernie whispers his choice to Mr. Drew

[Figure: Ernie whispers “I like Alice”]
Ernie Casts a Ballot
  • Mr. Drew puts a box on the scale
  • Mr. Drew needs to prove to Ernie that the box contains 20g
    • If he opens the box, everyone else will see what Ernie voted for!
  • Mr. Drew uses a “Zero Knowledge Proof”

Ernie Casts a Ballot

  • Mr. Drew puts k (=3) “proof” boxes on the table
    • Each box should contain a 20g weight
    • Once the boxes are on the table, Mr. Drew is committed to their contents

Ernie Casts a Ballot

[Figure: challenges 1 Weigh, 2 Open, 3 Open]

  • Ernie “challenges” Mr. Drew: for each box, Ernie flips a coin and either:
    • Asks Mr. Drew to put the box on the scale (“prove equivalence”)
      • It should weigh the same as the “Ernie” box
    • Asks Mr. Drew to open the box
      • It should contain a 20g weight
Ernie Casts a Ballot

[Figure: challenges 1 Open, 2 Weigh, 3 Open]

  • If the “Ernie” box doesn’t contain a 20g weight, every proof box:
    • Either doesn’t contain a 20g weight
    • Or doesn’t weigh the same as the Ernie box
  • Mr. Drew can fool Ernie with probability at most $2^{-k}$

Ernie Casts a Ballot
  • Why is this Zero Knowledge?
  • When Ernie whispers to Mr. Drew, he can tell Mr. Drew what his challenge will be.
  • Mr. Drew can put 20g weights in the boxes he will open, and 10g weights in the boxes he weighs

[Figure: Ernie whispers “I like Bob”; challenges 1 Open, 2 Weigh, 3 Weigh]

Ernie Casts a Ballot: Full Protocol
  • Ernie whispers his choice and a dummy challenge to Mr. Drew
  • Mr. Drew puts a box on the scale
    • it should contain a 20g weight
  • Mr. Drew puts k “Alice” proof boxes and k “Bob” proof boxes on the table
    • Bob boxes contain 10g or 20g weights according to the dummy challenge

[Figure: Ernie whispers “I like Alice”; challenges 1 Open, 2 Weigh, 3 Weigh]
Ernie Casts a Ballot: Full Protocol

[Figure: challenges 1 Open, 2 Open, 3 Weigh]

  • Ernie shouts the “Alice” (real) challenge and the “Bob” (dummy) challenge
  • Drew responds to the challenges
  • No matter who Ernie voted for, the protocol looks exactly the same!

[Figure: challenges 1 Open, 2 Weigh, 3 Weigh]
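
The ballot-casting proof above, as an added example that is not code from the talk: it shows an honest proof, a cheating Mr. Drew who passes on only one of the 2^k challenges, and a proof for the other candidate that verifies because the challenge was whispered in advance. Assumptions: Pedersen commitments stand in for the boxes (the slides name no concrete commitment), and the toy group parameters and all function names are hypothetical.

```python
import secrets

# Toy group, assumed for illustration: P = 2Q + 1 is a safe prime and G, H have
# order Q. Real use needs a large group in which nobody knows log_G(H).
P, Q, G, H = 2039, 1019, 4, 9
ALICE, BOB = 20, 10  # the slides' 20g and 10g weights

def commit(m):
    """Seal weight m in a box; returns (box, secret randomness r)."""
    r = secrets.randbelow(Q)
    return pow(G, m, P) * pow(H, r, P) % P, r

def opens_to(box, m, r):
    """'Open': the revealed r shows the box holds weight m."""
    return box == pow(G, m, P) * pow(H, r, P) % P

def same_weight(box_a, box_b, delta):
    """'Weigh': box_a / box_b == H^delta, true when both hold the same weight."""
    return box_a * pow(box_b, -1, P) % P == pow(H, delta, P)

def drew_proves(ballot_m, claimed_m, challenge, whispered=False):
    """Mr. Drew claims the ballot box holds claimed_m. Proof boxes are filled
    without looking at the challenge, unless it was whispered in advance:
    then boxes to be weighed get the ballot's weight and boxes to be opened
    get the claimed one."""
    ballot, r0 = commit(ballot_m)
    boxes, answers = [], []
    for c in challenge:
        m = ballot_m if (whispered and c == "weigh") else claimed_m
        box, r = commit(m)
        boxes.append(box)
        answers.append(r if c == "open" else (r - r0) % Q)
    return ballot, boxes, answers

def ernie_checks(ballot, claimed_m, boxes, challenge, answers):
    """Opened boxes must hold claimed_m; weighed boxes must match the ballot."""
    return all(
        opens_to(b, claimed_m, a) if c == "open" else same_weight(b, ballot, a)
        for b, c, a in zip(boxes, challenge, answers))

def passes(ballot_m, claimed_m, challenge, whispered=False):
    """Run one proof end to end and return Ernie's verdict."""
    ballot, boxes, answers = drew_proves(ballot_m, claimed_m, challenge, whispered)
    return ernie_checks(ballot, claimed_m, boxes, challenge, answers)
```

Calling `passes(ALICE, BOB, challenge, whispered=True)` gives a verifying “Bob” transcript for a ballot that holds Alice's weight, which is why the printed challenges and responses cannot serve as a receipt.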

A “Real” System

[Figure: VoteMaster screen]
Hello Ernie, Welcome to VoteMaster
Please choose your candidate:
Alice
Bob

[Figure: printed receipt]
1 Receipt for Ernie
2 o63ZJVxC91rN0uRv/DtgXxhl+UY=
3 - Challenges -
4 Alice:
5 Sn0w 619- ziggy p3
6 Bob:
7 l4st phone et spla
8 - Response -
9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ=
0 === Certified ===

A “Real” System

[Figure: VoteMaster screen]
Hello Ernie, You are voting for Alice
Please enter a dummy challenge for Bob
Alice:
Bob: l4st phone et spla
[Continue]

A “Real” System

[Figure: VoteMaster screen]
Hello Ernie, You are voting for Alice
Make sure the printer has output two lines (the second line will be covered)
Now enter the real challenge for Alice
Alice: Sn0w 619- ziggy p3
Bob: l4st phone et spla
[Continue]

A “Real” System

[Figure: VoteMaster screen]
Hello Ernie, You are voting for Alice
Please verify that the printed challenges match those you entered.
Alice: Sn0w 619- ziggy p3
Bob: l4st phone et spla
[Finalize Vote]

A “Real” System

Hello Ernie, Thank you for voting

Please take your receipt


[Figure labels: Ernie, Fay, Guy, Heidi]

Counting the Votes
  • Mr. Drew announces the final tally
  • Mr. Drew must prove the tally correct
    • Without revealing who voted for what!
  • Recall: Mr. Drew is committed to everyone’s votes

[Figure: Alice: 3, Bob: 1]

Counting the Votes

[Figure: challenges 1 Weigh, 2 Weigh, 3 Open]

  • Mr. Drew puts k rows of new boxes on the table
    • Each row should contain the same votes in a random order
  • A “random beacon” gives k challenges
    • Everyone trusts that Mr. Drew cannot anticipate the challenges


Counting the Votes

  • For each challenge:
    • Mr. Drew proves that the row contains a permutation of the real votes


Counting the Votes

  • For each challenge:
    • Mr. Drew proves that the row contains a permutation of the real votes
    • Or Mr. Drew opens the boxes and shows they match the tally


Counting the Votes

  • If Mr. Drew’s tally is bad
    • The new boxes don’t match the tally
    • Or they are not a permutation of the committed votes
  • Drew succeeds with prob. at most $2^{-k}$


Counting the Votes

  • This protocol does not reveal information about specific votes:
    • No box is both opened and weighed
    • The opened boxes are in a random order
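
The tally proof for one row, as an added example that is not code from the talk: Mr. Drew re-commits to the votes in a secret order, then answers a single challenge by either opening every box (contents, no order) or linking every box to a committed ballot (order, no contents). Assumptions: Pedersen commitments again stand in for the boxes, and the toy parameters and function names are hypothetical.

```python
import secrets
from collections import Counter

# Toy Pedersen parameters (assumed, illustration only): P = 2Q + 1, G and H of order Q.
P, Q, G, H = 2039, 1019, 4, 9

def commit(m, r):
    return pow(G, m, P) * pow(H, r, P) % P

def make_row(votes):
    """Drew: commit to every vote again, in a fresh random order."""
    perm = list(range(len(votes)))
    secrets.SystemRandom().shuffle(perm)
    new_r = [secrets.randbelow(Q) for _ in perm]
    row = [commit(votes[i], s) for i, s in zip(perm, new_r)]
    return row, (perm, new_r)

def respond(votes, rands, secret, challenge):
    """Drew answers exactly one challenge per row, never both."""
    perm, new_r = secret
    if challenge == "open":   # contents and randomness, but not which voter
        return [(votes[i], s) for i, s in zip(perm, new_r)]
    # "weigh": which ballot each box matches, plus the randomness difference
    return [(i, (s - rands[i]) % Q) for i, s in zip(perm, new_r)]

def check(ballots, tally, row, challenge, answer):
    """Public check against the committed ballots and the announced tally."""
    if challenge == "open":
        opened = all(commit(m, s) == box for box, (m, s) in zip(row, answer))
        return opened and Counter(m for m, _ in answer) == Counter(tally)
    is_perm = sorted(i for i, _ in answer) == list(range(len(ballots)))
    return is_perm and all(
        box * pow(ballots[i], -1, P) % P == pow(H, d, P)
        for box, (i, d) in zip(row, answer))
```

A row built from the real votes fails “open” against a false tally, and a row built to match a false tally fails “weigh”, so each row catches a bad tally with probability 1/2.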

Summary
  • A Universally-Verifiable Receipt-Free voting scheme
    • Based on commitment with equivalence testing
    • Based on generic non-interactive commitment
  • What’s Missing?
    • DRE knows voter’s choice
    • Can use subliminal channels to reveal it
  • We want to split trust between multiple authorities