Ari Juels, RSA Laboratories
Joint work with Markus Jakobsson
Receipt-free Voting Through Distributed Blinding

Ari Juels, RSA Laboratories
Joint work with Markus Jakobsson
Coercion-free Voting Through Distributed Blinding
Why do we want coercion-free voting?
• Blackmail with a long arm
• Vote buying
• Anonymous peer-to-peer networks
• Vote-buying schemes (e.g., vote-auction.com; http://62.116.31.68/)
Receipt-freeness required
Coercion-freeness required
• Home voting
• Shoulder surfing
• Proximate coercion
Attack model
• Attacker cannot interfere with registration process (otherwise can simulate voter)
• Attacker can provide keying or other material to voter prior to vote (even entire ballot)
• Two possibilities during vote:
  • Assume no attacker presence at time of vote (countermeasure: receipt-freeness)
  • Assume attacker sometimes present (countermeasure: coercion-freeness)
• Attacker has access to all public information, i.e., encrypted and decrypted ballots
Cast of characters
• Voter (Alice)
• Attacker
• Voting authority
[Figure text: “I Like Ike”]
Some visual notation
• Ciphertext
• Mix network (publicly verifiable)
Hirt-Sako approach
• IDEA: Voter commits publicly to vote, but ballot preparation is secret
• TOOLS (scheme-specific):
  • Designated verifier proofs (DV Proof)
  • Untappable channels
Ballot blinding
[Figure: Authority 1, Authority 2; P1, P2; candidates Bore, Gush, Nadir; blinded ballot: P = P1 P2]
Voting
[Figure: Authority 1, Authority 2; DV Proof of P1, DV Proof of P2; P = P1 P2]
Voting
[Figure: candidates Nadir, Gush, Bore; Alice’s vote: Bore]
Drawbacks
• Cost per ballot is linear in number of candidates
• Requires untappable channels for vote
• Not fully coercion resistant, e.g., not resistant to shoulder surfing
• Not resistant to collusion between adversary and authorities
• Subject to “randomization” attack
Randomization attack
[Figure: random choice; Gush]
Now Alice is unlikely to select her intended choice, Bore
“Proof” that collusion resistance is not possible with public verifiability
• We must identify voter in order to have public verifiability
• If attacker controls an authority, he can do “spot checking”
• In order not to risk “spot checking”, voter must reveal all communication
• Thus, untappable channels are breached and all transcripts are revealed
Our scheme represents a counterexample to this “proof”... (and more?)
New tool for our scheme
• Anonymous credential = Voting key
• Essentially a group signature key
• Carries hidden, identifying tag, called tag_i
• Special enhancement: Also includes validator val_i = B(tag_i), where B is threshold blinding function
[Figure labels: val_i, tag_i]
Some notation
• Let B’() denote another, independent threshold blinding function
• Let E[m] denote El Gamal ciphertext on m:
  • Private key held distributively
  • Authorities can jointly decrypt ciphertext
• B(E[m]) = E[B(m)] (due to El Gamal homomorphism)
Our new scheme
• Core ideas:
  • Voter employs anonymous credential
  • We don’t know who voted (at time of voting) or what was voted
  • Validator required for vote to count
  • Adversary cannot tell whether or not validator is correct
  • Attacker cannot tell whether a vote is valid or not
Anatomy of a ballot
• tag_i
• val_i (validator = B(tag_i))
• vote_i
• proof_i (NIZK proof that tag_i ciphertext is valid for credential)
• Anonymous credential signature
Tallying Ballots, Step 1: Check group signatures and proofs
[Figure: ballots (tag_j, val_j, vote_j, proof_j) for j = 1..n; Authority 1, Authority 2]
Tallying Ballots, Step 2: Mixing ballots
[Figure: ballots (tag_j, val_j, vote_j) for j = 1..n’; re-encryption; Authority 1, Authority 2]
Tallying Ballots, Step 3: Joint blinding and decryption of validators
[Figure: ballots (tag_j, val_j, vote_j) for j = 1..n’; Authority 1, Authority 2; outputs B’(val_1), B’(val_2), ..., B’(val_n’)]
Tallying Ballots, Step 4: Elimination of duplicates by validator
[Figure: ballots (tag_j, vote_j) with B’(val_1), B’(val_2), B’(val_3), ..., B’(val_n’); equal validators; Authority 1, Authority 2]
Tallying Ballots, Step 5: Verification of validators
• Authorities compute B’(B(E[tag_i])) = E[B’(B(tag_i))] and jointly decrypt
• If result is B’(val_i), then validator is correct
• Otherwise ballot is invalid and is thus removed
[Figure: tag_i, vote_i, B’(val_i); Authority 1, Authority 2; if correct, B’(val_i) = B’(B(tag_i))]
Tallying Ballots, Step 6: Joint decryption of valid votes
[Figure: Authority 1, Authority 2; vote_1, vote_2, vote_3; decrypted values Gush, Bore, Bore]
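
The validator check of Steps 3 and 5, as an added example that is not code from the slides or from the authors: a ballot with a false validator decrypts and blinds like any other, but fails the comparison B’(val_i) = B’(B(tag_i)). Assumptions: B and B’ are modelled as exponentiation by a secret exponent split multiplicatively between two authorities, the group parameters and all function names are constructed for illustration, and group signatures, NIZK proofs, mixing, duplicate elimination and vote encryption are left out.

```python
import secrets

# Toy group, constructed for illustration (far too small for real use):
# P = 2Q + 1 is a safe prime and G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1          # uniform in [1, Q-1]

# Assumption: two authorities share the decryption key (x = x1 + x2) and the
# blinding exponents of B and B' (each the product of the two shares).
X = [rand_exp(), rand_exp()]
B_SHARES = [rand_exp(), rand_exp()]
BP_SHARES = [rand_exp(), rand_exp()]
Y = pow(G, sum(X) % Q, P)                        # joint public key

def encrypt(m):
    r = rand_exp()
    return (pow(G, r, P), m * pow(Y, r, P) % P)

def joint_decrypt(ct):
    a, b = ct
    for x in X:                                  # each authority removes its share
        b = b * pow(a, Q - x, P) % P             # a^(Q-x) = a^(-x), a has order Q
    return b

def blind(m, shares):
    for s in shares:                             # one exponentiation per authority
        m = pow(m, s, P)
    return m

def blind_ct(ct, shares):
    return tuple(blind(c, shares) for c in ct)   # B(E[m]) = E[B(m)]

def tally(ballots):
    counted = []
    for tag_ct, val_ct, vote in ballots:
        got = joint_decrypt(blind_ct(val_ct, BP_SHARES))          # B'(val_i)
        want = joint_decrypt(blind_ct(blind_ct(tag_ct, B_SHARES), BP_SHARES))
        if got == want:                          # validator correct: keep ballot
            counted.append(vote)
    return counted

def demo():
    tag = pow(G, 7, P)                           # constructed credential tag
    real_val = blind(tag, B_SHARES)              # val_i = B(tag_i)
    fake_val = real_val * G % P                  # false validator for the coercer
    return tally([(encrypt(tag), encrypt(fake_val), "Gush"),
                  (encrypt(tag), encrypt(real_val), "Bore")])
```

Only the blinded values B’(val_i) and B’(B(tag_i)) are ever decrypted, so neither the tag nor the validator itself is revealed during the check.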
Coercion is eliminated
• Key idea: Attacker cannot tell a false validator from a real one
• If attacker demands voting key, voter can provide false validator
• If attacker demands that voter cast a certain type of vote, and demands pointer(s)
  • Voter can vote as demanded using false validator
  • Voter can re-vote using correct validator
• This holds even if attacker colludes with a minority of authorities
Well, there’s always Florida
Features of scheme
• Overhead on top of mixing process is minimal, thus the scheme is quite practical
• Cost is effectively independent of number of candidates
• No need for untappable channels during vote
• We need some access to anonymous channels
• Resistant to “randomization” attacks
• Resistant to collusion with authorities
• Potential resistance to shoulder-surfing attack
Additions
• Votes can be countersigned by polling station, indicating priority
• If registrar publishes voting roll with blinded validators, we can verify publicly that all participants are on roll
  • Requires an additional mixing step
• Validator may be constructed in threshold manner, distributed with proofs and re-encrypted by registrar
• Careful modeling required and largely unaddressed
Idea: Secret sharing of vote
[Figure: Authority 1, Authority 2; V1, V2; Vote = V1V2]
Idea: Secret sharing of vote
[Figure: Authority 1, Authority 2; V1, V2, each with ZK-DV Proof of correct encryption; Vote = V1V2]
And then…
[Figure: V1 x V2 = Vote]
Remarks
• No randomization attack possible
• Cost is (1) per vote
• By letting V_i = -1 or 1, we can check validity