6. esoteric protocols secure elections and multi-party computation kim hyoung-shick

6. Esoteric Protocols

secure elections and multi-party computation

Kim Hyoung-Shick

Contents

1. Secure elections• Introduction

• Protocols

2. Secure multiparty computation• Introduction

• Examples

3. Conclusion

Contents


• Protocols


• Examples

Voting

What is the requirements ?

Voting

Secure Booth ?

Voting

Fair judge ?

Voting

We need two major requirements.

Privacy ! Fairness !

Traditional Voting Vs Electronic Voting

• Privacy

• Fairness

• Efficiency

Problems with Electronic Voting

• No physical audit trail

• Who provides the system?

• How are they audited?

• High Tech: More dependencies

• More ways to subvert the system

• etc.

Requirements for Electronic Voting

1. Only authorized voters can vote.

2. No one can vote more than once.

3. No one can duplicate anyone else’s vote.

4. No one can change anyone else’s vote without being discovered.

5. Every voter can make sure that his vote has been taken into account in the final tabulation.

6. No one can determine for whom anyone else voted.

7. Everyone knows who voted and who didn’t.

Contents


• Protocols


• Examples

Protocols

1. Simplistic voting protocols #1


3. Voting with blind signatures

4. Voting with two central facilities

5. Voting with ANDOS

6. Improved voting with ANDOS

7. Voting without a central facility

Idea of Simplistic Voting Protocol #1

secure booth

= encryption

Simplistic Voting Protocol #1

Voter ViCentral Tabulating Facility

3. ECTF(V)

1. Choose V

PCTF

SCTF

4. Tabulate V’s

5. Publish the result2. Encrypt V into ECTF(V).

Unsatisfied Requirements




4. No one can change anyone else’s vote without being discovered. (By intercept attack)




Protocols








Idea of Simplistic Voting Protocol #2

secure booth

= encryptionidentification card

= sign

Simplistic Voting Protocol #2


4. ECTF(Si(V))

1. Choose V

PCTF Pi

SCTF

5. Decrypt, verify, tabulate V’s

Si

2. Sign V into Si(V)

3. Encrypt Si(V) into ECTF(Si(V))

6. Publish the result







6. No one can determine for whom anyone else voted. (CTF knows it.)


Protocols








Problem with Signature

Kim

노

Idea of Voting with Blind Signature

accept

노

Idea of Voting with Blind Signature

Be covered !

Voting with Blind Signature


3. B(M)

1. Generate M = (O1, … , On, IDr , i)

PCTF Pi

SCTF

4. Check if B(M) is valid

Si

2. Blind M into B(M)

6. Choose SCTF(Oi)

5. SCTF(B(M))

7. Generate M’ = (SCTF(Oi), SCTF(IDr), SCTF(i))



8. M’

PCTF Pi

SCTF

9. Verify, check ID duplication

Si


B(M)







6. No one can determine for whom anyone else voted. (CTF knows it.) – it need to provide anonymous channel.


Additional Some Problems

1. CTF can generate a large number of signed, valid votes and cheat by submitting those itself.

2. If voter discovers that the CTF changed his or her vote, he or she has no way to prove it.

Protocols








Review of Traditional Voting

1. Check voter’s identification by checker.

checker voter


2. Count votes in the ballot boxes by counter.

counter


There are two positions in the voting.

counterchecker

Idea of Voting with Two Central Facilities

Central Tabulating FacilityCentral Legitimization Agency

Voting with Two Central Facilities

Voter ViCentral Legitimization Agency

1. Ask for VN

PCLA Pi

SCLA

2. Maintain VN list for voters

Si

3. VNr

VN list


Central Legitimization Agency

4. VN list

PCLA PCTF

SCLA

Central Tabulating Facility

SCTF

VN list


8. M

PCTF Pi

SCTF

9. Check if M is valid and maintain VN list

Si



5. Choose IDr

6. Generate M = (V, IDr, VNr)

6. Choose SCTF(Oi)

7. Generate M’ = (SCTF(Oi), SCTF(IDr), SCTF(i))

VNr VN list







6. No one can determine for whom anyone else voted. (But, the collusion is possible.)



1. CLA can generate a large number of signed, valid votes and cheat by submitting those itself. – It solve that CLA publish a list of certified voters.

2. As stated above, the collusion is possible.

Protocols








What is ANDOS (All-Or-Nothing Disclosure of Secrets)

Sender Receiver

- Sender doesn’t know that receiver has gained the one.

- As soon as receiver has gained anyone, he can’t receive other messages.

Voting with ANDOS


1. Ask for VN

PCLA Pi

SCLA

2. Maintain VN list for voters

Si

3. VNr by ANDOS

VN list


1. Only authorized voters can vote. – we solve it by blinded signagture







Protocols








Idea of Improved Voting with ANDOS

Voter is also checker for CTF



1. Join within T

PCTF Pi

SCTF

2. Publish a list of participants

Si

3. IDr by using ANDOS



5. IDr, Ei(IDr, V)

PCTF Pi

SCTF

6. Publish Ei(IDr, V)

Si

IDr

7. IDr Si

8. Decrypt, publish the result.(For each candidate, the list of all Ei(IDr, V) that voted for a

candidate)



9. IDr, Ei(IDr, V), Si

PCTF Pi

SCTFSi

IDr or

9. IDr, Ei(IDr, V’), Si

Within time T, voter can change the vote.

The Reason of the possibility for protest


6. Publish Ei(IDr, V)

CTF should be examined for performing his duty by voter Vi


1. Only authorized voters can vote. – we solve it by blinded signagture







Additional Satisfied Requirements

8. A voter can change his mind within a given period of time.

9. If a voter find out that his vote is miscounted, he can identify and correct the problem without jeopardzing the secrecy of his ballot.

Protocols








Idea of Voting without a Central Facility

The problem of source is CTF.


Idea of Voting without a Central Facility

Everyone is checker.

Voting without a Central Facility

Voter V1 Voter V2 Voter V3 Voter Vn

1. Generate each public/private key pair.

2. Publish order of voters and each public key.


Voter Vi

1. Generate IDr

2. Generate E1(…En(V, IDr)…)

3. Generate En(E1(…En(V, IDr)…), Rn)

4. Generate M = E1(…En(E1(…En(V, IDr)…)…), R1)

and record Rn … R1 and the intermediate results.

IDr

Pi

Si

Voter Vi

5. M

P1 Pi

Si

6. Decrypt, removes all of the random strings at that level.


Voter V1

S1

Voter V1

7. M2

P1 P2

S1

8. Decrypt, check to see that his vote is among the set of votes, removes all of the random strings at that level.


Voter V2

S2

(M2 is the decrypted

message)

Voter Vn

9. M’

Pn P1

Sn

10. Decrypt, check to see that his vote is among the set of votes, removes all of the random strings at that level.


Voter V1

S1

( M’ = E1(…En(V, IDr)…) )

11. Sign all the votes.

12. Broadcast all signed votes to everyone.


Voter V1


Voter Vn

13. Publish the result.


1. An enormous amount of computation

2. Vn learns the results of the election before anyone else d

oes.

3. Message duplication. (Ex: There are three people.)

Contents


• Protocols


• Examples

Introduction

A protocol in which a group can compute any function securely.

f(x1, x2, …, Xm)

Xj ,…, Xk

Pi

Introduction

f(x1, x2, …, Xm) is public !

But, no one learns anything about the

inputs of any other members other tha

n what is obvious from the output of th

e function.

Contents


• Protocols


• Examples

Compute Average Value

n

s)s , ,,(

n

1 ii

n21

ssf

P1

1. Generate M = S1 + r

P2

2. E2(M)

3. Decrypt, M’ = S2 + M

Compute Average Value

Pn

4. Generate M* = Sn + M’’

P1

5. E1(M*)

6. Decrypt.

n

rM * 7. Compute

8. Publish it

Problems

1. Participants can lie Si

2. V1 can misrepresent the result to everyone. – It is solved

by bit commit for r, but V2 knows S1.

Check the equality

),( baf

P1

1. Compute h(a)

P2

2. h(a)

3. Compute h(b)4. Check if h(a) = h(b)

0, if a = b

1, otherwise

a b

Problems

1. B has a chosen plaintext attack if size of domain is small.

Additional Examples

• Electronic elections

• Bidding protocols

• Lotteries

• Distributed games over the

internet

6. esoteric protocols secure elections and multi-party computation kim hyoung-shick

Documents

elses vote

improved voting

simplistic voting protocols

signsimplistic voting

voter vi1

final tabulation

major requirements

central facilities5