electronic voting
DESCRIPTION
Electronic Voting. Presented by Ben Riva Based on presentations and papers of: Schoenmakers, Benaloh, Fiat, Adida, Reynolds, Ryan and Chaum. Agenda. Why now-days paper based elections are not enough? What properties any voting scheme must achieve and why it is so hard? - PowerPoint PPT PresentationTRANSCRIPT
Electronic Voting
Presented by Ben Riva
Based on presentations and papers of: Schoenmakers, Benaloh, Fiat, Adida, Reynolds, Ryan and Chaum
Agenda Why now-days paper based elections are not
enough? What properties any voting scheme must achieve
and why it is so hard? Few cryptography primitives in a nutshell. Schemes that the voter uses a computer in the booth. Why it is not enough? The concept of voter-
verifiability. Voter Verifiable voting schemes
– Scratch and Vote.– Rynolds’ scheme.
What next?
Paper Based Elections
Flexible Simple to
understand Simple to
perform Transparent
But, a famous man once said - "Those who cast the votes decide nothing.
Those who count the votes decide everything."
Why Paper Based Elections Are Not Enough? Votes can be
easily altered. Votes can easily
be defected. Weak privacy. Re-counts
means almost nothing.
What Do We Want? Unforgeability: No one can falsify the result of the voting. Eligibility, Unreusability: Respectively requires that only
eligible voters vote and no voter can vote twice. Auditability, Universal auditability: The first describes the
ability of any individual voter to determine whether or not his vote has been correctly placed. The second corresponds to the ability of any auditor to determine that the whole protocol was followed correctly, given that votes had been correctly placed.
Robustness: Dishonest participants can not disrupt the voting. In particular cheating players should be detected and it should be possible to prove their malicious behavior and finish the voting process and the counting without their help.
Privacy: No one can link a voter with his vote. Coercion resistance (also called receipt freeness): A voter can
not prove how he voted. This is essential for avoiding vote selling.
Why Is It Hard?
Good privacy and universal verifiability at the same time …
Coercion resistance and unforgability…
Few Cryptography Primitives in a Nutshell
One-Way Functions
A function f: DR is called one-way if:– Computing f(x) is “easy”.– Computing f-1(y) for almost all the images is
“hard”. E.g. (under the DL assumption)
– Prime p and a generator g of Zp*.
– f(x) = gx (mod p).
RSA Cryptosystem
Famous Public Key cryptosystem
– A key generation algorithm• Let N=pq be the product of two primes• Choose e such that gcd(e,(N))=1• Let d be such that de1 mod (N)• The public key is (N,e)• The private key is d
– An encryption algorithm• Encryption of MZN* by C=E(M)=Me mod N
– A Decryption algorithm • Decryption of CZN* by M=D(C)=Cd mod N
El Gamal Cryptosystem Probabilistic, homomorphic public-key
encryption scheme over a multiplicative group of prime order.
A key generation algorithm
Publicly choose two large primes q` and q such that q | q`-1 , i.e., q` = qk+1 for some integer k. We also fix a generator g` of F*
q`. The cyclic group G we work with is the one generated by g = (g`)k and has order (q`-1)/k = q.
Private key x G . Public key y = gx.
An encryption algorithmTo encrypt m G we choose uniformly at random
r [1.. q - 1] and output E(q`, q, g, m, y; r) = (gr, m· yr).
A Decryption algorithm To decrypt a tuple (a,b) we compute m = ba-x.
We abbreviate E(q`, q, g, m, y; r) to E(m, y; r). ElGamal Encryption is multiplicative homomorphic,
meaning - E(m1, y;r1)*E(m2, y;r2) = E(m1m2, y;r1 + r2).
– Re-encryption of E(m,y;r1) is E(m,y;r1)*E(1,y;r2) which results in E(m,y;r1+r2).
Digital Signatures We focus on electronic signatures that use
public-key cryptography. E.g. (Based on RSA)
– A key generation algorithm• Same as in RSA encryption.
– A signing algorithm• Same as decryption of MZN* by C=D(M)=Md mod N.
– A verification algorithm• Same as encryption of CZN* by M=E(C)=Ce mod N.• Can be calculated and verified by anyone.
Concept of Blind Signatures …
Secret Sharing
Based on the next problem - assuming that there are N players, how can a dealer share a secret in a way that any group of t (< N) or more players could recreate the secret, but any group of less then t players will not be able to do so. Such scheme is called (t,N) - threshold secret sharing scheme.
Shamir Secret Sharing Scheme The dealer selects t-1 random integers,
which forms a t-1 degree polynomial f(x) such that f(0) = S.
The dealer calculates f(i) for each player i. Those are their private shares.
Any group of t or more players can recreate the polynomial and S (using Lagrange interpolation).
Threshold Encryption
In threshold encryption we have N authorities, and we want to encrypt a message in a way that any t or more authorities could decrypt it. Again, any group of less then t authorities will not be able to do so.
No trusted dealer. Solutions are similar to Shamir’s scheme
[CGS,Pederson].
Zero-knowledge Proofs
Interactive protocols between two players, Prover and Verifier, in which the prover proves to the verifier, with high probability, that some statement is true.
Does not leak any information besides the veracity of this statement.
In the case of honest verifier ZKP, we can modify the protocol to non-interactive.
Zero-knowledge Proof Example Let g1, g2 generators of Zq*.
The Prover claims that logg1v = logg2w (=x) for publicly known v, w, g1, g2.– P chooses random z [1..q] and sends a=g1
z, b=g2z.
– V selects random c [1..q] and sends it.– P sends r = (z+cx) .
– V verifies that g1r=avc and g2
r=bwc
Can be turned into non-interactive– C = Hash(a,b,v,w).
Useful ZKP Equality of discrete logarithms:
– The prover knows discrete logarithms of v and w, and claims they are the same, logg1v = logg2w (for known g1, g2).
1-out-of-L re-encryption:– the prover wants to prove that for a publicly known
pair (x, y) there is an ElGamal re-encryption in the L encrypted pairs (x1, y2 )… (xL, yL ).
1-out-of-L message encryption:– Given L plain-text messages m1… mL, the prover
wants to prove that a tuple (x, y) is an encryption of one of the L plain-texts.
Schemes that the voter uses a computer in the booth
First Fundamental Decision
You have essentially two paradigms to choose from…– Anonymized Ballots.– Ballotless Tallying.
The Mix-Net Paradigm
Chaum, Sako & Kilian…
The Mix-Net Paradigm
The Mix-Net Paradigm
MIX
Vote
Vote
Vote
Vote
The Mix-Net Paradigm
MIX
Vote
Vote
Vote
Vote
The Mix-Net Paradigm
MIX
Vote
Vote
Vote
Vote
MIX
The Homomorphic Paradigm
Benaloh, Cramer et al…
The Homomorphic Paradigm
Tally
The Homomorphic Paradigm
Tally
CGS97 (Cramer,Gennaro and
Schoenmakers) - Ballotless Tallying
Uses robust threshold ElGamal. Players:
– Authorities a1 … as.
– Candidates: –1 and 1.
– Voters v1…vn.
– Public Board.
CGS97 -The Protocol Initialization
– All authorities publish• Their shares.• A threshold public key S.• Another generator h of the multiplicative group
– The legal votes will be h-1, h1. Voting
– A voter encrypts his vote bi using E(hbi,S;r) and publishes it along with a non-interactive proof of validity of the vote on a public board.
Verification– All voter's non interactive proofs are verified (publicly) and
invalid votes are deleted.
Tallying– After elections ends, t authorities
calculates E(htotal,S;rtotal) = E(hbi ,S;r) and publicly decrypt it to get htotal. Now, anyone can find Total (using linear time exhaustive search) which is the difference between the number of votes for each candidate.Those calculation can also be verified using non-interactive zero knowledge proof of equality of discrete logarithms.
! Using Pailler encryption we can eliminate the exhaustive search.
CGS97 Scheme –Properties
PrivacyAs long as there at most t-1 dishonest authorities
Coersion resistanceEasy to coerce
RobustnessAs long as there are t honest authorities
Unforgability computational
Elgibility, Unreusability
Auditability
So what more do we want?
A voter is not a computer! We want the voter to vote bare-handed. The
voter:– Does not bring any electronic device.– Does not compute cryptographic computations in
his head.– Uses only humen abilities.
We want him to be able to verify the booth’s behaivor - Voter Verifiability.
Voter Verifiable Voting Schemes
Scratch and Vote (Adida and Rivest 2006) Very simple idea. Uses threshold Paillier encryption.
– The voter picks two ballots from a big bin.– The voter scratches off a scratch surface of one ballot, and
later he can verify its validity.– The voter marks his selection on the other ballot, shreds the
candidates list and surrender it to the poll-workers.– The poll-worker shreds the scratch surface.– The voter feeds the rest into a scanner and takes it home as
a receipt.
Scratch and Vote – The Ballot The ballot consists of
– Candidates list in a random order (left part).– A barcode made of encryptions and NIZKP.– A scratch surface which conceals the randomness used for the
encryptions.
Scratch and Vote –Verification and Tallying Every voter can check that his vote is
published correctly. Ballots are checked using their NIZKP. A threshold decryption of the product of
all legal casted ballots is executed …
Scratch and Vote –Properties Pros.
– Very simple to use.– Voter verifiable.– Efficient.
Cons.– If it uses an empty ballots bin
• A coercer can steal a valid ballot and coerce someone to use it (chain voting).– If it uses a computer and a printer to create the ballots in front of the voter
• The booth can misbehave.– If it uses a scanner to record the ballots
• The booth knows what the voter voted.– If it uses another ballots bin to collect the ballots
• The voter has no receipt.– Also, signatures are not handled properly
• Without signatures, the voter can claim anything later.• With signatures, the voter needs a computer assistance.
– Shreding• If we want to print the ballots in front of the voter, we must verify the voter shreds the left part.
– Random coercion• A coercer can coerce the voter to vote randomly.
Reynolds’ Scheme Voter enters the booth
and receives a blank ballot.
The voter fills two random number inside the boxes of the candidates he does not want.
The booth prints few encryptions (later).
The voter fills the last number and casts the ballot. He also take it as a receipt.
Voter =
yellow
green
blue
Ben Riva
d1
d2
d3
157
732
222
E(157),E(0),NIZKP
E(732),E(0),NIZKP
E(536),E(1),NIZKP
E(di),E(vote?)
Reynolds’ Scheme – What are the NIZKP? If we use threshold ElGamal, then the NIZKPs
consist of– A proof that for each line i
Di = E(di) OR Vi = E(h1)
– A proof that for each line i
Vi = E(h0) OR Vi = E(h1)
– A proof that
Vi = E(h1)
Where h is another generator of the group…
Reynolds’ Scheme –Verification and Tallying Every voter can check that his vote is
published correctly. Ballots are checked using their NIZKPs. A threshold decryption of the product of all
legal casted ballots’ lines is executed.
Voter =
yellow
green
blue
Ben Riva
d1
d2
d3
157
732
222
E(157),E(0),NIZKP
E(732),E(0),NIZKP
E(536),E(1),NIZKP
Voter =
yellow
green
blue
Alon C
d1
d2
d3
635
453
999
E(112),E(1),NIZKP
E(435),E(0),NIZKP
E(999),E(0),NIZKP
Voter =
yellow
green
blue
David B
d1
d2
d3
743
142
734
E(743),E(0),NIZKP
E(142),E(0),NIZKP
E(111),E(1),NIZKP
Final tally
Yellow – 1
Green – 2
Blue - 0
Some Of The Problems
Has almost the same problems as SnV with– Privacy.– Coercion.– Robustness.
Other schemes (Neff, Chaum, Ryan…) have similar problems.
The Main Thing …
The Projects Scratch and Vote
– Encryption – threshold Paillier.
– Ref• Base paper - Ben Adida and Ronald L. Rivest. Scratch & Vote: Voter-
Verifiable Paper-Based Cryptographic Voting.
Reynolds’ scheme– Encryption – threshold ElGamal.
– Ref• Base presentation - D. J. Reynolds. A method for electronic voting with
coercion-free receipt. FEE 05.• For NIZKP - Ronald Cramer, Rosario Gennaro, and Berry
Schoenmakers. A secure and optimally efficient multi-authority election scheme. In EUROCRYPT.
Also– Public board.
– Digital signatures.