Practical Aspects of Modern Cryptography

Josh Benaloh

Brian LaMacchia

Winter 2011

Some Tools We’ve Developed
  • Homomorphic Encryption
  • Secret Sharing
  • Verifiable Secret Sharing
  • Threshold Encryption
  • Interactive Proofs

Secret Sharing Homomorphisms

Many secret sharing methods have an additional useful feature:

If two secrets are separately shared amongst the same set of people in the same way, then the sum of the individual shares constitute shares of the sum of the secrets.

Secret Sharing Homomorphisms

OR

Secret: – Shares: , , …,

Secret: – Shares: , , …,

Secret sum:

Share sums: , , …,

Secret Sharing Homomorphisms

AND

Secret: – Shares: , , …,

Secret: – Shares: , , …,

Secret sum:

Share sums: , , …,

Secret Sharing Homomorphisms

THRESHOLD

Secret: – Shares:,, …,

Secret: – Shares:,, …,

Secret sum:

Share sums:, , …,
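
An added example (not from the original slides) of the threshold case: two secrets are shared with a polynomial threshold scheme (Shamir's scheme is assumed here), each holder adds the two shares it holds, and any k of the summed shares reconstruct the sum of the secrets. The field modulus, function names and sample secrets are assumptions of this example.

```python
import secrets

# Prime field modulus (the Mersenne prime 2^127 - 1); an assumption of this example.
P = 2**127 - 1


def share(secret, k, n):
    """Split `secret` into n shares; any k of them reconstruct it."""
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(k - 1)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):      # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]


def reconstruct(shares):
    """Lagrange-interpolate the shared polynomial at x = 0."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def add_shares(a, b):
    """Each holder adds its own two shares locally; no secret is revealed."""
    if [x for x, _ in a] != [x for x, _ in b]:
        raise ValueError("shares must belong to the same holders")
    return [(x, (ya + yb) % P) for (x, ya), (_, yb) in zip(a, b)]


def demo():
    k, n = 3, 5                          # 3-of-5 threshold
    s1, s2 = 1234, 5678                  # constructed sample secrets
    summed = add_shares(share(s1, k, n), share(s2, k, n))
    any_three = [summed[0], summed[2], summed[4]]
    # Three summed shares give s1 + s2; two shares give an unrelated value.
    return reconstruct(any_three), reconstruct(summed[:2])


if __name__ == "__main__":
    print(demo())
```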

Threshold Encryption

I want to encrypt a secret message for a set of recipients such that

  • any of the recipients can uniquely decrypt the secret message ,
  • but any set of fewer than recipients has no information whatsoever about the secret message .

Recall Diffie-Hellman
  • Alice
  • Randomly select a large integer and send .
  • Compute the key .
  • Bob
  • Randomly select a large integer and send .
  • Compute the key .

ElGamal Encryption
  • Alice selects a large random private key and computes an associated public key .
  • To send a message to Alice, Bob selects a random value and computes the pair .
  • To decrypt, Alice computes

.

ElGamal Re-Encryption

If is a public key and the pair

is an encryption of message , then for any value , the pair

is an encryption of the same message , for any value .

Group ElGamal Encryption
  • Each recipient selects a large random private key and computes an associated public key .
  • The group key is .
  • To send a message to the group, Bob selects a random value and computes the pair .
  • To decrypt, each group member computes . The message .
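
An added example (not from the original slides) covering the ElGamal, re-encryption and group ElGamal slides: a ciphertext is re-randomized with only the public key, and a message encrypted under the product of the members' public keys is recovered only when every member contributes a partial decryption. The toy group parameters, function names and sample message are assumptions of this example.

```python
import secrets

# Toy group, an assumption of this example: P = 2Q + 1 with P and Q prime, and
# G = 4 generating the subgroup of prime order Q. Real use needs a large group.
P, Q, G = 2039, 1019, 4
M = pow(G, 321, P)        # constructed sample message, encoded as a group element


def rand_exp():
    return secrets.randbelow(Q - 1) + 1            # uniform in [1, Q-1]


def keygen():
    a = rand_exp()
    return a, pow(G, a, P)                         # (private a, public g^a)


def encrypt(pub, m):
    r = rand_exp()
    return pow(G, r, P), m * pow(pub, r, P) % P    # (g^r, m * pub^r)


def re_encrypt(pub, ct):
    """Fresh-looking ciphertext of the same message; needs only the public key."""
    s = rand_exp()
    return ct[0] * pow(G, s, P) % P, ct[1] * pow(pub, s, P) % P


def partial(priv, ct):
    """One key holder's contribution: x^a for the ciphertext's first part x."""
    return pow(ct[0], priv, P)


def combine(ct, partials):
    """Divide the second part by the product of the partial decryptions."""
    d = 1
    for part in partials:
        d = d * part % P
    return ct[1] * pow(d, -1, P) % P


def demo():
    # Single recipient: encrypt, re-encrypt, and decrypt the re-encryption.
    a, pub = keygen()
    ct = encrypt(pub, M)
    ct2 = re_encrypt(pub, ct)

    # Group of three: the group key is the product of the public keys.
    members = [keygen() for _ in range(3)]
    group_pub = 1
    for _, member_pub in members:
        group_pub = group_pub * member_pub % P
    gct = encrypt(group_pub, M)
    parts = [partial(priv, gct) for priv, _ in members]

    return {
        "single": combine(ct, [partial(a, ct)]),
        "reencrypted": combine(ct2, [partial(a, ct2)]),
        "reencrypted_differs": ct2 != ct,
        "group": combine(gct, parts),
        "group_missing_one": combine(gct, parts[:-1]),   # one member absent
    }


if __name__ == "__main__":
    print(demo())
```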

Threshold Encryption (ElGamal)
  • Each recipient selects large random secret coefficients , , …, , and forms the polynomial
  • Each polynomial is then verifiably shared with the other recipients by distributing each .
  • The joint (threshold) public key is .
  • Any set of recipients can form the secret key to decrypt.

An Application

Verifiable Elections

Verifiable Election Technologies

As a voter, you can check that

  • your vote is correctly recorded
  • all recorded votes are correctly counted

…even in the presence of malicious software, hardware, and election officials.

Traditional Voting Methods
  • Hand-Counted Paper
  • Punch Cards
  • Lever Machines
  • Optical Scan Ballots
  • Electronic Voting Machines
  • Touch-Screen Terminals
  • Various Hybrids

Vulnerabilities and Trust
  • All of these systems have substantial vulnerabilities.
  • All of these systems require trust in the honesty and expertise of election officials (and usually the equipment vendors as well).

Can we do better?

The Voter’s Perspective
  • As a voter, you don’t really know what happens behind the curtain.
  • You have no choice but to trust the people working behind the curtain.
  • You don’t even get to choose the people who you will have to trust.

Fully-Verifiable Election Technologies (End-to-End Verifiable)

Allows voters to track their individual (sealed) votes and ensure that they are properly counted…

… even in the presence of faulty or malicious election equipment …

… and/or careless or dishonest election personnel.

Voters can check …

… that their (sealed) votes have been properly recorded

… and that all recorded votes have been properly counted

This is not just checking a claim that the right steps have been taken …

This is actually a check that the counting is correct.

Where is My Vote?

End-to-End Verifiability

As a voter, I can be sure that

  • My vote is
    • Cast as intended
    • Counted as cast
  • All votes are counted as cast

… without having to trust anyone or anything.

One Thing Missing …

… that pesky little secret-ballot requirement.

Elections would be sooooooo… much easier without it.

Full Voter-Verifiability is Possible

Even though this “toy” public election is not secret-ballot, it’s enough to show that voter-verifiability is possible

… and also to falsify arguments that electronic elections are inherently untrustworthy.

Privacy
  • The only ingredient missing from this transparent election is privacy – and the things which flow from privacy (e.g. protection from coercion).
  • Performing tasks while preserving privacy is the bailiwick of cryptography.
  • Cryptographic techniques can enable end-to-end verifiable elections while preserving voter privacy.

Where is My Vote?

No – 2

Yes – 1

Mathematical Proof

The Voter’s Perspective

Verifiable election systems can be built to look exactly like current systems …

… with one addition …

A Verifiable Receipt

Precinct 37 – Machine 4

Nov. 6, 2012 1:39PM

Vote receipt tag:

7A34ZR9K4BX

***VOTE CONFIRMED***

The Voter’s Perspective

Voters can …

  • Use receipts to check their results are properly recorded on a public web site.
  • Throw their receipts in the trash.

The Voter’s Perspective

Voters can …

  • Write their own applications to verify the mathematical proof of the tally.
  • Download verification apps from sources of their choice.
  • Believe verifications done by their political parties, LWV, ACLU, etc.
  • Accept the results without question.

So How Does It Work?

Secure MPC is not Enough
  • Secure Multi-Party Computation allows any public function to be computed on any number of private inputs without compromising the privacy of the inputs.
  • But secure MPC does not prevent parties from revealing their private inputs if they so choose.

End-to-End Verifiable Elections

Two principal phases …

  • Voters publish their names and encrypted votes.
  • At the end of the election, administrators compute and publish the tally together with a cryptographic proof that the tally “matches” the set of encrypted votes.

End-to-End Verifiable Elections

Two questions must be answered …

  • How do voters turn their preferences into encrypted votes?
  • How are voters convinced that the published set of encrypted votes corresponds to the announced tally?

Is it Really This Easy?

Yes …

… but there are lots of details to get right.

Fundamental Tallying Decision

There are essentially two paradigms to choose from …

  • Anonymized Ballots (Mix Networks)
  • Ballotless Tallying (Homomorphic Encryption)

Anonymized Ballots

Ballotless Tallying

Homomorphic Tallying

Homomorphic Encryption

Some Homomorphic Functions

  • RSA:
  • ElGamal:
  • GM:
  • Benaloh:
  • Paillier:

Homomorphic Elections

Homomorphic Encryption

The product of the encryptions of the votes constitutes an encryption of the sum of the votes.

Multiple Authorities

The sum of the shares of the votes constitute shares of the sum of the votes.

Double Commutativity

The product of the encryptions of the shares of the votes constitutes an encryption of a share of the sum of the votes.

Robust Sharing
  • Note that votes can be “shared” with a polynomial threshold scheme instead of a simple sum.
  • This provides robustness in case one or more trustees fails to properly decrypt their shares.

Mix-Based Elections

The Mix-Net Paradigm

[Diagram labels: Vote, MIX]

Multiple Mixes

[Diagram labels: Vote, MIX, MIX]

Decryption Mix-net

Each object is encrypted with a pre-determined set of encryption layers.

Each mix, in pre-determined order, performs a decryption to remove its associated layer.

Re-encryption Mix-net

The decryption and shuffling functions are decoupled.

Mixes can be added or removed dynamically with robustness.

Proofs of correct mixing can be published and independently verified.

More Homomorphic Encryption

We can construct a public-key encryption function such that if

is an encryption of and

is an encryption of then

is an encryption of .

Re-encryption (additive)

is an encryption of and

is an encryption of then

is another encryption of .

Re-encryption (multiplicative)

is an encryption of and

is an encryption of then

is another encryption of .

A Re-encryption Mix

[Diagram label: MIX]

Re-encryption Mix-nets

[Diagram labels: Vote, MIX, MIX]

Verifiability

Each re-encryption mix provides a mathematical proof that its output is a permutation of re-encryptions of its input.

Any observer can verify this proof.

The decryptions are also proven to be correct.

If a mix’s proof is invalid, its mixing will be bypassed.

Recent Mix Work
  • 1993 Park, Itoh, and Kurosawa
  • 1995 Sako and Kilian
  • 2001 Furukawa and Sako
  • 2001 Neff
  • 2002 Jakobsson, Juels, and Rivest
  • 2003 Groth

Re-encryption Mix Operation

[Diagram: Input Ballot Set → MIX → Output Ballot Set (re-encryptions)]

Re-encryption
  • Each value is re-encrypted homomorphically.
  • This can be done without knowing the decryptions.

Verifying a Re-encryption
  • A prover could simply reveal the specifics of the “blinding factors” used for re-encryption, but this would also reveal the permutation.
  • Instead, an interactive proof can be performed to demonstrate the equivalence of the input and output ballot sets.
  • The Fiat-Shamir heuristic can be used to “publish” the proof.
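
An added example (not from the slides) of the ideas above: homomorphic re-encryption without the decryption key, and a cut-and-choose proof that a mix's output is a permutation of re-encryptions of its input, published with the Fiat-Shamir heuristic. ElGamal, the toy group and every function name are assumptions of this example.

```python
import hashlib, secrets

# Constructed toy group (far too small for real use): P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4
rng = secrets.SystemRandom()

def encrypt(h, m, r):
    return (pow(G, r, P), m * pow(h, r, P) % P)

def decrypt(x, c):
    return c[1] * pow(c[0], P - 1 - x, P) % P

def reenc(h, c, r):
    # Multiply by an encryption of 1: same plaintext, new blinding factor, no secret key.
    return (c[0] * pow(G, r, P) % P, c[1] * pow(h, r, P) % P)

def shuffle(h, cts):
    # out[i] = reenc(cts[perm[i]], rs[i]); perm and rs are the mix's secrets.
    perm = rng.sample(range(len(cts)), len(cts))
    rs = [rng.randrange(Q) for _ in cts]
    return [reenc(h, cts[p], r) for p, r in zip(perm, rs)], perm, rs

def challenge_bits(h, ins, outs, shadows):
    # Fiat-Shamir: the challenge is a hash of everything the prover committed to.
    d = hashlib.sha256(repr((P, Q, G, h, ins, outs, shadows)).encode()).digest()
    return [d[j // 8] >> (j % 8) & 1 for j in range(len(shadows))]

def prove(h, ins, outs, perm, rs, rounds=64):   # rounds <= 256 with SHA-256
    made = [shuffle(h, ins) for _ in range(rounds)]          # shadow mixes of the input
    shadows = [s for s, _, _ in made]
    answers = []
    for bit, (_, sp, sr) in zip(challenge_bits(h, ins, outs, shadows), made):
        if bit == 0:                                         # open input -> shadow
            answers.append((sp, sr))
        else:                                                # open shadow -> output, never both
            inv = {src: j for j, src in enumerate(sp)}
            link = [inv[p] for p in perm]
            answers.append((link, [(rs[i] - sr[j]) % Q for i, j in enumerate(link)]))
    return shadows, answers

def opens(h, src, dst, perm, rs):
    return (sorted(perm) == list(range(len(src))) and len(rs) == len(dst) == len(src) and
            all(dst[i] == reenc(h, src[p], r) for i, (p, r) in enumerate(zip(perm, rs))))

def verify(h, ins, outs, shadows, answers):
    bits = challenge_bits(h, ins, outs, shadows)
    return len(answers) == len(shadows) > 0 and all(
        opens(h, ins, s, *a) if b == 0 else opens(h, s, outs, *a)
        for b, s, a in zip(bits, shadows, answers))
```

Each round opens only one of the two links, so the observer never sees the full input-to-output permutation, while a mix that altered a ballot fails every round whose challenge bit is 1.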

The Encryption
  • Anyone with the decryption key can read all of the votes – even before mixing.
  • A threshold encryption scheme is used to distribute the decryption capabilities.

Most Verifiable Election Protocols

Step 1

Encrypt your vote and …

How?

How do Humans Encrypt?
  • If voters encrypt their votes with devices of their own choosing, they are subject to coercion and compromise.
  • If voters encrypt their votes on “official” devices, how can they trust that their intentions have been properly captured?

The Human Encryptor

We need to find ways to engage humans in an interactive proof process to ensure that their intentions are accurately reflected in encrypted ballots cast on their behalf.

MarkPledge Ballot

Device commitment to voter: “Your candidate’s number is 863.”

Voter challenge: “Decrypt column number 5.”

Prêt à Voter Ballot

PunchScan Ballot

[Diagram sequence: PunchScan ballot #001 shown with differing letter assignments (Y – Alice, X – Bob; then X – Alice, Y – Bob) and differing orders of the X and Y marks]

Scantegrity

Three-Ballot

Voter-Initiated Auditing
  • Voter can use “any” device to make selections (touch-screen DRE, OpScan, etc.)
  • After selections are made, voter receives an encrypted receipt of the ballot.

[Diagram sequence. Encrypted Vote: 734922031382. Voter choice: Cast or Challenge. Cast: 734922031382. Challenge: “Vote for Alice”, “Random # is 28637582738”.]
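
An added example (not from the slides) of the cast-or-challenge exchange: the device commits to a receipt before learning the voter's choice, and a challenge makes it reveal the vote and random number so anyone can recompute the encryption. ElGamal, the toy group, the candidate encoding, the `Device` class and the rule that a challenged ballot is discarded rather than cast are assumptions of this example.

```python
import hashlib, secrets

P, Q, G = 2039, 1019, 4                                    # constructed toy group, not for real use
CANDIDATES = {"Alice": pow(G, 1, P), "Bob": pow(G, 2, P)}  # constructed encoding

def encrypt(h, m, r):
    return (pow(G, r, P), m * pow(h, r, P) % P)

def receipt_of(ct):
    return hashlib.sha256(repr(ct).encode()).hexdigest()[:12]

class Device:
    def __init__(self, h, flip=None):
        self.h, self.flip = h, flip or {}     # flip models a device that swaps votes

    def prepare(self, choice):
        # The receipt is handed over before the voter says "cast" or "challenge".
        actual = self.flip.get(choice, choice)
        self.r = secrets.randbelow(Q - 1) + 1
        self.ct = encrypt(self.h, CANDIDATES[actual], self.r)
        self.choice = choice
        return receipt_of(self.ct)

    def cast(self):
        return self.ct                        # published; the random number stays secret

    def challenge(self):
        # Reveal ciphertext, claimed vote and random number; this ballot is now spoiled.
        opened = (self.ct, self.choice, self.r)
        self.ct = self.r = None
        return opened

def audit(h, receipt, intended, opened):
    # Run on any independent device: recompute the encryption from the revealed values.
    ct, claim, r = opened
    return (claim == intended and receipt_of(ct) == receipt
            and encrypt(h, CANDIDATES[claim], r) == ct)
```

Because the device cannot tell in advance which ballots will be challenged, a device that encrypts a different candidate risks detection on every ballot it alters.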

Ballot Casting Assurance

The voter front ends shown here differ in both their human factors qualities and the level of assurance that they offer.

All are feasible and provide greater integrity than current methods.

True Verifiability
  • The end-to-end verifiable election technologies described here allow individuals to choose who to trust.
  • Individuals are not forced to trust officials with special status. They can depend on verifications from entities of their choice.
  • Sufficiently paranoid individuals can check everything for themselves.

Real-World Deployments
  • Helios (www.heliosvoting.org) – Ben Adida and others
    • Remote electronic voting system using voter-initiated auditing and homomorphic backend.
    • Used to elect president of UC Louvain, Belgium.
    • Used in Princeton University student government.
    • Used to elect IACR Board of Directors.
  • Scantegrity II (www.scantegrity.org) – David Chaum, Ron Rivest, many others.
    • Optical scan system with codes revealed by invisible ink markers and “plugboard-mixnet” backend.
    • Used for municipal elections in Takoma Park, MD.

End-to-End Verifiability
  • … is a fundamentally different paradigm,
  • … is not just a security enhancement,
  • … democratizes the electoral process,
  • … but it is not a panacea.

End-to-End System Properties
  • Accuracy/Integrity – enormously improved
  • Privacy/Coercion – not substantially changed
  • Reliability/Survivability – not substantially changed
  • Usability/Comprehensibility – not substantially changed

Is There any Deployment Hope?
  • The U.S. Election Assistance Commission is considering new guidelines.
  • These guidelines explicitly include an “innovation class” which could be satisfied by truly verifiable election systems.
  • Election supervisors must choose to take this opportunity to change the paradigm.
  • However, a bill was recently introduced in Congress that explicitly precludes use of crypto.
