1 / 44

Electronic Voting

Electronic Voting. Presented by Ben Riva Based on presentations and papers of: Schoenmakers, Benaloh, Fiat, Adida, Reynolds, Ryan and Chaum. Agenda. Why now-days paper based elections are not enough? What properties any voting scheme must achieve and why it is so hard?

montana-irwin
Download Presentation

Electronic Voting

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Electronic Voting Presented by Ben Riva Based on presentations and papers of: Schoenmakers, Benaloh, Fiat, Adida, Reynolds, Ryan and Chaum

  2. Agenda • Why now-days paper based elections are not enough? • What properties any voting scheme must achieve and why it is so hard? • Few cryptography primitives in a nutshell. • Schemes that the voter uses a computer in the booth. • Why it is not enough? The concept of voter-verifiability. • Voter Verifiable voting schemes • Scratch and Vote. • Rynolds’ scheme. • What next?

  3. Paper Based Elections • Flexible • Simple to understand • Simple to perform • Transparent But, a famous man once said - "Those who cast the votes decide nothing. Those who count the votes decide everything."

  4. Why Paper Based Elections Are Not Enough? • Votes can be easily altered. • Votes can easily be defected. • Weak privacy. • Re-counts means almost nothing.

  5. What Do We Want? • Unforgeability: No one can falsify the result of the voting. • Eligibility, Unreusability: Respectively requires that only eligible voters vote and no voter can vote twice. • Auditability, Universal auditability: The first describes the ability of any individual voter to determine whether or not his vote has been correctly placed. The second corresponds to the ability of any auditor to determine that the whole protocol was followed correctly, given that votes had been correctly placed. • Robustness: Dishonest participants can not disrupt the voting. In particular cheating players should be detected and it should be possible to prove their malicious behavior and finish the voting process and the counting without their help. • Privacy: No one can link a voter with his vote. • Coercion resistance (also called receipt freeness): A voter can not prove how he voted. This is essential for avoiding vote selling.

  6. Why Is It Hard? • Good privacy and universal verifiability at the same time … • Coercion resistance and unforgability…

  7. Few Cryptography Primitives in a Nutshell

  8. One-Way Functions • A function f: DRis called one-way if: • Computing f(x) is “easy”. • Computing f-1(y) for almost all the images is “hard”. • E.g. (under the DL assumption) • Prime p and a generator g of Zp*. • f(x) = gx (mod p).

  9. RSA Cryptosystem • Famous Public Key cryptosystem • A key generation algorithm • Let N=pq be the product of two primes • Choose e such that gcd(e,(N))=1 • Let d be such that de1 mod (N) • The public key is (N,e) • The private key is d • An encryption algorithm • Encryption of MZN* by C=E(M)=Me mod N • A Decryption algorithm • Decryption of CZN* by M=D(C)=Cd mod N

  10. El Gamal Cryptosystem • Probabilistic, homomorphic public-key encryption scheme over a multiplicative group of prime order. • A key generation algorithm Publicly choose two large primes q` and q such that q | q`-1, i.e., q` = qk+1 for some integer k. We also fix a generator g` of F*q`. The cyclic group G we work with is the one generated by g = (g`)k and has order (q`-1)/k = q. Private keyx  G . Public keyy = gx.

  11. An encryption algorithm To encrypt m  G we choose uniformly at random r  [1.. q - 1] and output E(q`, q, g, m, y; r) = (gr, m· yr). • A Decryption algorithm To decrypt a tuple (a,b) we compute m = ba-x. • We abbreviate E(q`, q, g, m, y; r) to E(m, y; r). • ElGamal Encryption is multiplicative homomorphic, meaning - E(m1, y;r1)*E(m2, y;r2) = E(m1m2, y;r1 + r2). • Re-encryption of E(m,y;r1) is E(m,y;r1)*E(1,y;r2) which results in E(m,y;r1+r2).

  12. Digital Signatures • We focus on electronic signatures that use public-key cryptography. • E.g. (Based on RSA) • A key generation algorithm • Same as in RSA encryption. • A signing algorithm • Same as decryption of MZN* by C=D(M)=Md mod N. • A verification algorithm • Same as encryption of CZN* by M=E(C)=Ce mod N. • Can be calculated and verified by anyone. • Concept of Blind Signatures …

  13. Secret Sharing • Based on the next problem - assuming that there are Nplayers, how can a dealer share a secret in a way that any group of t(< N) or more players could recreate the secret, but any group of less then tplayers will not be able to do so. Such scheme is called (t,N) - threshold secret sharing scheme.

  14. Shamir Secret Sharing Scheme • The dealer selects t-1random integers, which forms a t-1 degree polynomialf(x) such that f(0) = S. • The dealer calculates f(i) for each player i. Those are their private shares. • Any group of t or more players can recreate the polynomial and S (using Lagrange interpolation).

  15. Threshold Encryption • In threshold encryption we have Nauthorities, and we want to encrypt a message in a way that any tor more authorities could decrypt it. Again, any group of less then tauthorities will not be able to do so. • No trusted dealer. • Solutions are similar to Shamir’s scheme [CGS,Pederson].

  16. Zero-knowledge Proofs • Interactive protocols between two players, Prover and Verifier, in which the prover proves to the verifier, with high probability, that some statement is true. • Does not leak any information besides the veracity of this statement. • In the case of honest verifier ZKP, we can modify the protocol to non-interactive.

  17. Zero-knowledge Proof Example • Let g1, g2generators of Zq*. • The Prover claims that logg1v = logg2w (=x) for publicly known v, w, g1, g2. • P chooses randomz  [1..q] and sends a=g1z, b=g2z. • V selects random c  [1..q] and sends it. • P sends r = (z+cx) . • V verifies that g1r=avc and g2r=bwc • Can be turned into non-interactive • C = Hash(a,b,v,w).

  18. Useful ZKP • Equality of discrete logarithms: • The prover knows discrete logarithms of vand w, and claims they are the same, logg1v = logg2w(for known g1, g2). • 1-out-of-L re-encryption: • the prover wants to prove that for a publicly known pair (x, y) there is an ElGamal re-encryption in the Lencrypted pairs (x1, y2)…(xL, yL). • 1-out-of-L message encryption: • Given Lplain-text messages m1… mL, the prover wants to prove that a tuple (x, y) is an encryption of one of the Lplain-texts.

  19. Schemes that the voter uses a computer in the booth

  20. First Fundamental Decision You have essentially two paradigms to choose from… • Anonymized Ballots. • Ballotless Tallying.

  21. The Mix-Net Paradigm • Chaum, Sako & Kilian…

  22. The Mix-Net Paradigm

  23. The Mix-Net Paradigm Vote MIX Vote Vote Vote

  24. The Mix-Net Paradigm Vote MIX Vote Vote Vote

  25. The Mix-Net Paradigm Vote MIX MIX Vote Vote Vote

  26. The Homomorphic Paradigm • Benaloh, Cramer et al…

  27. Tally The Homomorphic Paradigm

  28. Tally The Homomorphic Paradigm

  29. CGS97 (Cramer,Gennaro and Schoenmakers) - Ballotless Tallying • Uses robust threshold ElGamal. • Players: • Authorities a1 … as. • Candidates: –1 and 1. • Voters v1…vn. • Public Board.

  30. CGS97 -The Protocol • Initialization • All authorities publish • Their shares. • A threshold public key S. • Another generator h of the multiplicative group • The legal votes will be h-1, h1. • Voting • A voter encrypts his vote bi using E(hbi,S;r) and publishes it along with a non-interactive proof of validity of the vote on a public board. • Verification • All voter's non interactive proofs are verified (publicly) and invalid votes are deleted.

  31. Tallying • After elections ends, t authorities calculates E(htotal,S;rtotal) = E(hbi ,S;r) and publicly decrypt it to get htotal. Now, anyone can find Total (using linear time exhaustive search) which is the difference between the number of votes for each candidate.Those calculation can also be verified using non-interactive zero knowledge proof of equality of discrete logarithms. • Using Pailler encryption we can eliminate the exhaustive search.

  32. CGS97 Scheme –Properties

  33. So what more do we want? • A voter is not a computer! • We want the voter to vote bare-handed. The voter: • Does not bring any electronic device. • Does not compute cryptographic computations in his head. • Uses only humen abilities. • We want him to be able to verify the booth’s behaivor - Voter Verifiability.

  34. Voter Verifiable Voting Schemes

  35. Scratch and Vote (Adida and Rivest 2006) • Very simple idea. • Uses threshold Paillier encryption. • The voter picks two ballots from a big bin. • The voter scratches off a scratch surface of one ballot, and later he can verify its validity. • The voter marks his selection on the other ballot, shreds the candidates list and surrender it to the poll-workers. • The poll-worker shreds the scratch surface. • The voter feeds the rest into a scanner and takes it home as a receipt.

  36. Scratch and Vote – The Ballot • The ballot consists of • Candidates list in a random order (left part). • A barcode made of encryptions and NIZKP. • A scratch surface which conceals the randomness used for the encryptions.

  37. Scratch and Vote –Verification and Tallying • Every voter can check that his vote is published correctly. • Ballots are checked using their NIZKP. • A threshold decryption of the product of all legal casted ballots is executed …

  38. Scratch and Vote –Properties • Pros. • Very simple to use. • Voter verifiable. • Efficient. • Cons. • If it uses an empty ballots bin • A coercer can steal a valid ballot and coerce someone to use it (chain voting). • If it uses a computer and a printer to create the ballots in front of the voter • The booth can misbehave. • If it uses a scanner to record the ballots • The booth knows what the voter voted. • If it uses another ballots bin to collect the ballots • The voter has no receipt. • Also, signatures are not handled properly • Without signatures, the voter can claim anything later. • With signatures, the voter needs a computer assistance. • Shreding • If we want to print the ballots in front of the voter, we must verify the voter shreds the left part. • Random coercion • A coercer can coerce the voter to vote randomly.

  39. Voter = Ben Riva E(di),E(vote?) d1 157 E(157),E(0),NIZKP yellow d2 green E(536),E(1),NIZKP 732 E(732),E(0),NIZKP d3 blue Reynolds’ Scheme • Voter enters the booth and receives a blank ballot. • The voter fills two random number inside the boxes of the candidates he does not want. • The booth prints few encryptions (later). • The voter fills the last number and casts the ballot. He also take it as a receipt. 222

  40. Reynolds’ Scheme – What are the NIZKP? • If we use threshold ElGamal, then the NIZKPs consist of • A proof that for each line i Di = E(di) OR Vi = E(h1) • A proof that for each line i Vi = E(h0)ORVi = E(h1) • A proof that Vi = E(h1) Where h is another generator of the group…

  41. Voter = Voter = Voter = David B Ben Riva Alon C d1 d1 d1 E(157),E(0),NIZKP E(743),E(0),NIZKP E(112),E(1),NIZKP yellow yellow yellow d2 d2 d2 green green green E(999),E(0),NIZKP E(536),E(1),NIZKP E(111),E(1),NIZKP E(435),E(0),NIZKP E(142),E(0),NIZKP E(732),E(0),NIZKP d3 d3 d3 blue blue blue Reynolds’ Scheme –Verification and Tallying • Every voter can check that his vote is published correctly. • Ballots are checked using their NIZKPs. • A threshold decryption of the product of all legal casted ballots’ lines is executed. Final tally Yellow – 1 Green – 2 Blue - 0 743 635 734 157 999 142 222 453 732

  42. Some Of The Problems • Has almost the same problems as SnV with • Privacy. • Coercion. • Robustness. • Other schemes (Neff, Chaum, Ryan…) have similar problems.

  43. The Main Thing…

  44. The Projects • Scratch and Vote • Encryption – threshold Paillier. • Ref • Base paper - Ben Adida and Ronald L. Rivest. Scratch & Vote: Voter-Verifiable Paper-Based Cryptographic Voting. • Reynolds’ scheme • Encryption – threshold ElGamal. • Ref • Base presentation - D. J. Reynolds. A method for electronic voting with coercion-free receipt. FEE 05. • For NIZKP - Ronald Cramer, Rosario Gennaro, and Berry Schoenmakers. A secure and optimally efficient multi-authority election scheme. In EUROCRYPT. • Also • Public board. • Digital signatures.

More Related