Scaling Privacy Guarantees in Code Verification Elections
Anthi Orfanou
Columbia University
July 18, 2013
Joint work with Aggelos Kiayias (University of Athens)
Anthi Orfanou (Columbia University) Scaling Privacy Guarantees July 18, 2013 1 / 19
Internet voting / The untrusted platform problem
Voters: Cast votes
Personal Computers: Encode, encrypt and submit votes
Vote Collectors: Receive and store votes
Talliers: Process the votes and compute the result
The untrusted platform problem:
PC is vulnerable: malicious software attempts to modify the vote
[Diagram: Voter, PC, Internet, Vote Collector, Tallier]
Previous work
Code Voting [SureVote: Chaum’01] [PGD: RT’09, HRT’10] ...
Vote secrecy & vote integrity against malicious PC
Code Verification Voting [HLV’10] [Gjøsteen’10,’11] [Lipmaa’11]
Simpler approach
Integrity against malicious PC (the PC sees the vote)
Uses receipts to guarantee correct vote submission
generation, distribution, reconstruction phases
Requires secondary platform that receives the receipts (e.g. mobile phone)
Requires 2 attacker-free channels
Pre/Post-channel: receipt distribution, receipt feedback
Postal service/SMS
Security Guarantees
Previous work [HLV’10] [Gjøsteen’10,’11]
Messenger server (MS): reconstructed the security code to be sent to the voter
Cast as intended: Detection if the PC is malicious. Violated: PC & MS coalitions
Vote Secrecy: Guaranteed against individuals only. Violated: VC & MS coalitions
Our results
Question: How to avoid the latter infrastructure server collusion attack?
Without additional PC-side secrets (key management) [Lipmaa’11]
Maintaining human verifiability
A New Vote-Verification Protocol
Use a set of identical voting servers:
No distinction between vote collectors & messenger
Share the receipt among the servers:
No share leaks information
The receipt can be:
the vote itself
or a voter-dependent security code as before
or a visual representation of the vote (image)
Voter verification: combine the shares to reconstruct the receipt
A New Vote-Verification Protocol
Assumption: an average human can do additions mod 10, 100, . . .
Consider $m$ candidates in $\mathbb{Z}_m$ and $n \ge 2$ voting servers
Pedersen commitments, ElGamal cryptosystem over $\langle g \rangle_q \subset \mathbb{Z}_p$, $(q, p)$ primes, Range proof in exponents [LAN’03]
The receipt is the actual vote
Let $u = \min_{\lambda} 10^{\lambda}$ s.t. $m \le 10^{\lambda} < q$. System parameters $(g, q, p, u)$
Broadcast channel from PC to the voting servers
Untappable (post)channel from servers to the voter
A New Vote-Verification Protocol - n Servers
Voter V:
Votes for $x \in \mathbb{Z}_m$
Picks $x_1, \dots, x_n \in \mathbb{Z}_u$ with $x = x_1 + \dots + x_n \bmod u$
$C_i = \mathrm{Com}(x_i)$, $E_t = \mathrm{Enc}_{tallier}(x)$
ZKP $\pi$
Sent to the servers: $C_1, \dots, C_n$, $E_t$, $\pi$; $\mathrm{Open}(C_1)$ to $S_1$, ..., $\mathrm{Open}(C_n)$ to $S_n$
Server $S_i$ ($i = 1, \dots, n$):
Open $C_i$, $\pi$: $x \in \mathbb{Z}_m$, $x = x_1 + \dots + x_n \bmod u$
Returns $x_i$ to the voter
Voter V checks: $x \stackrel{?}{=} x_1 + \dots + x_n \bmod u$
Tallier: receives $E_t$, obtains $x$
A New Vote-Verification Protocol
A 2-Server example
Vote          7          7          5          5
Server 1      2          9          2          9
Server 2      5          8          3          6
Sum mod 10    7 mod 10   17 mod 10  5 mod 10   15 mod 10
Security & Complexity
Cast as intended: A correct receipt guarantees a successfully submitted original vote
Threshold vote secrecy: with an (n, n)-secret sharing scheme no coalition of less than n servers can extract information about the vote
Complexity (online exponentiations):
PC: $4(\lfloor \log_2(m - 1) + 1 \rfloor + 11n$, 1 signing
Server: $5(\lfloor \log_2(m - 1) + 1 \rfloor + 5n + 4$, 1 signing, 1 signature verification
Adaptation to Code Verification protocol
Code generation:
Pick $b_{V,1}, \dots, b_{V,n} \in \mathbb{Z}_u$
$b_V = \sum_{i=1}^{n} b_{V,i} \bmod u$
$\mathrm{Code}_V[x] = x + b_V \bmod u$
Voter V:
Votes for $x \in \mathbb{Z}_m$, $C = \mathrm{Code}_V[x]$
Picks $x_1, \dots, x_n \in \mathbb{Z}_u$ with $x = x_1 + \dots + x_n \bmod u$
$C_i = \mathrm{Com}(x_i)$, $E_t = \mathrm{Enc}_{tallier}(x)$
ZKP $\pi$
Sent to the servers: $C_1, \dots, C_n$, $E_t$, $\pi$; $\mathrm{Open}(C_1)$ to $S_1$, ..., $\mathrm{Open}(C_n)$ to $S_n$
Server $S_i$ ($i = 1, \dots, n$), holding $b_{V,i} \in \mathbb{Z}_u$:
Open $C_i$, $\pi$: $x \in \mathbb{Z}_m$, $x = x_1 + \dots + x_n \bmod u$
$a_i = x_i + b_{V,i} \bmod u$, returned to the voter
Voter V checks: $C \stackrel{?}{=} a_1 + \dots + a_n \bmod u$
Tallier: receives $E_t$, obtains $x$
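The code-verification adaptation above, as an added Python example that is not part of the slides: it shows the replies a_i summing to Code_V[x] for an honest PC and to a different code when the PC submits another vote. The toy group parameters, the function names and the code-sheet layout are constructed for illustration, and the ZKP π and the tallier ciphertext E_t are left out.

```python
import secrets

# Constructed toy parameters (assumption): p = 2q + 1, g and h of order q.
# A real deployment needs large primes and h with unknown discrete log base g.
P, Q, G, H = 2039, 1019, 4, 9
U = 10  # u = smallest power of 10 with m <= u < q, here for m = 4 candidates

def split(x, n):
    """(n, n) additive sharing of x over Z_u: x = x_1 + ... + x_n mod u."""
    shares = [secrets.randbelow(U) for _ in range(n - 1)]
    return shares + [(x - sum(shares)) % U]

def commit(x_i):
    """Pedersen commitment C_i = g^x_i * h^r mod p; returns (C_i, r)."""
    r = secrets.randbelow(Q)
    return pow(G, x_i, P) * pow(H, r, P) % P, r

def server_reply(c_i, x_i, r_i, b_i):
    """Server S_i checks Open(C_i), then returns a_i = x_i + b_{V,i} mod u."""
    if c_i != pow(G, x_i, P) * pow(H, r_i, P) % P:
        raise ValueError("opening does not match commitment")
    return (x_i + b_i) % U

def cast(x_submitted, code_shares):
    """PC and servers: returns the replies a_1..a_n sent back to the voter."""
    shares = split(x_submitted, len(code_shares))
    opened = [(commit(s), s) for s in shares]
    return [server_reply(c, s, r, b)
            for ((c, r), s), b in zip(opened, code_shares)]

def voter_accepts(x_intended, code_sheet, replies):
    """Voter adds the a_i mod u and compares with Code_V[x] on the sheet."""
    return sum(replies) % U == code_sheet[x_intended]

def demo(n=3, m=4, intended=2, tampered=3):
    b = [secrets.randbelow(U) for _ in range(n)]        # b_{V,1}..b_{V,n}
    sheet = {x: (x + sum(b)) % U for x in range(m)}     # Code_V[x]
    honest = voter_accepts(intended, sheet, cast(intended, b))
    malicious = voter_accepts(intended, sheet, cast(tampered, b))
    return honest, malicious
```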
Adaptation to Visual Vote verification protocol
Visual vote representation
Previous work: Visual Cryptography [NS’94]: secret sharing of an image
supervised (booth) voting [Chaum’04]
Our approach: Associate a message $x \in \mathbb{Z}_m$ with a simple image, with a provable relation
Visual sharing of shape descriptions (VSSD)
Consider two shapes that can be visually interpreted by a human:
A “full” circle
A “half” circle
Visual sharing of shape descriptions (VSSD)
What shape does the overlaying of two half circles create?
+ = full circle
+ = full circle
+ = half circle
+ = half circle
n-VSSD definition
In general $n$ share-holders (servers)
$M$ a set of $m \ge 2$ messages (candidates)
$D_x$ the set of visual descriptions for message $x \in M$, $|D_x| \ge 1$
$\Lambda$ the visual alphabet, commutative semigroup with operation $\vee$
$P : M \to \Lambda^n$ randomized splitting function
Properties:
Solvability: $\forall x \in M\ \forall \langle v_1, \dots, v_n \rangle \in P(x)$: $\bigvee_{i=1}^{n} v_i \in D_x$
$(t, n)$-Resilience: Consider $n$-tuple $w = (a \cup \{\#\})^n$ s.t. $w$ has (at most) $t < n$ known shares $a \in \Lambda$ and $n - t$ unknown shares $\# \in \Lambda$; then $\exists\, 0 < c < 1$ s.t. $\mathrm{Prob}_{v \leftarrow P(x)}[w \in v] = c$
Our approach: A 2-VSSD
Simple 2-VSSD: n=2 servers, m = 2 messages
2 messages: M∗ = {0, 1}
Λ∗ = { , }, ∨: visual overlaying (logical bitwise OR)
0↔: full circle
D∗0 = { }, P∗(0) = {〈 , 〉, 〈 , 〉}
1↔ half circle
D∗1 = { , }, P∗(1) = {〈 , 〉, 〈 , 〉}
General 2-VSSD: $n = 2$ servers, $m \ge 2$ messages
$M = \mathbb{Z}_m$, $k$ = # of bits of $m - 1$
$\Lambda = \Lambda^{*k}$
$P(x)$: Splits each bit $b_i$ of $x$ in $\Lambda^*$
$D_x$: A description of $x$ is a concatenation of its bits’ visual descriptions in $D^*_x$
An example
Message   Shape
00        Two full circles
01        Full circle followed by half circle
10        Half circle followed by full circle
11        Two half circles
[The Dx and P(x) columns of this table contained shape images.]
(1, 2)-Resilience: Prob[( ,#) ∈ P(0)] = Prob[( ,#) ∈ P(1)] = Prob[( ,#) ∈ P(2)] = Prob[( ,#) ∈ P(3)] = 1/4
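The general 2-VSSD and its (1, 2)-resilience, as an added Python example that is not part of the slides: it splits a message bit by bit, overlays the two shares, and enumerates P(x) to get the distribution of one server's share. The slide images are not in the transcript, so the encoding of the two half circles as LEFT and RIGHT bit masks, and all function names, are assumptions.

```python
import secrets
from collections import Counter
from itertools import product

# Assumed encoding: a shape is a 2-bit mask, LEFT and RIGHT are the two
# half circles, FULL is what a human sees when both are overlaid.
LEFT, RIGHT, FULL = 0b10, 0b01, 0b11

def split_bit(bit):
    """P*: bit 0 -> complementary halves (full circle), bit 1 -> equal halves."""
    v1 = secrets.choice((LEFT, RIGHT))
    v2 = v1 if bit else v1 ^ FULL
    return v1, v2

def split(x, k):
    """P(x): split each of the k bits of x, most significant bit first."""
    pairs = [split_bit((x >> i) & 1) for i in reversed(range(k))]
    return tuple(p[0] for p in pairs), tuple(p[1] for p in pairs)

def overlay(v1, v2):
    """The operation on shares: symbol-wise bitwise OR."""
    return tuple(a | b for a, b in zip(v1, v2))

def read(shape):
    """Voter's reading: a full circle is bit 0, a half circle is bit 1."""
    x = 0
    for s in shape:
        x = (x << 1) | (0 if s == FULL else 1)
    return x

def all_splits(x, k):
    """Enumerate P(x): one free choice of half circle per bit."""
    bits = [(x >> i) & 1 for i in reversed(range(k))]
    out = []
    for v1 in product((LEFT, RIGHT), repeat=k):
        v2 = tuple(a if b else a ^ FULL for a, b in zip(v1, bits))
        out.append((v1, v2))
    return out

def share1_distribution(x, k):
    """Probability of each value of server 1's share over P(x)."""
    splits = all_splits(x, k)
    counts = Counter(v1 for v1, _ in splits)
    return {v: c / len(splits) for v, c in counts.items()}
```

For k = 2 every value of server 1's share has probability 1/4 under each of the four messages, matching the (1, 2)-resilience line on the slide.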
A Visual Vote-Verification Protocol - 2 VSSD
Voter V:
Votes for $1 \in \mathbb{Z}_m$
$D_1$ = “full followed by half”
VSSD: $\langle v_1, v_2 \rangle \leftarrow P(1)$, $v = (v_1 \vee v_2) \in D_1$
Commitments to $v, v_1, v_2$; $E_t = \mathrm{Enc}_{tallier}(1)$
ZKP $\pi'$
Sent to the servers: Commitments, $E_t$, $\pi'$; $\{\mathrm{Open}(\mathrm{Com})\}_{v_1}$ to $S_1$, $\{\mathrm{Open}(\mathrm{Com})\}_{v_2}$ to $S_2$
Server $S_1$: $\pi'$: VSSD($v_1$) ↔ $E_t$
Server $S_2$: $\pi'$: VSSD($v_2$) ↔ $E_t$
Voter V checks: ( , ) ∨ ( , ) ?∈ D1
Yes: ( , ) ∈ D1
Tallier: receives $E_t$, obtains 1
Future work
General (t, n)-VSSD?
Perhaps using Colored Visual Secret Sharing [VT’97]?
References
David Chaum. Surevote. International patent WO 01/55940 A1, 2001.
David Chaum. Secret-ballot receipts: True voter-verifiable elections. IEEE Security & Privacy, 2(1):38-47, 2004.
Kristian Gjøsteen. The norwegian internet voting protocol. In VOTE-ID, pages 1-18, 2011.
Kristian Gjøsteen. Analysis of an internet voting protocol. IACR Cryptology ePrint Archive, 2010:380, 2010.
James Heather, Peter Y. A. Ryan, and Vanessa Teague. Pretty good democracy for more expressive voting schemes. In Proceedings of the 15th European conference on Research in computer security, ESORICS10, pages 405-423, Berlin, Heidelberg, 2010. Springer-Verlag.
Sven Heiberg, Helger Lipmaa, and Filip van Laenen. On e-vote integrity in the case of malicious voter computers. In ESORICS, pages 373-388, 2010.
Helger Lipmaa. Two simple code-verification voting protocols. IACR Cryptology ePrint Archive, 2011:317, 2011.
Helger Lipmaa, N. Asokan, and Valtteri Niemi. Secure Vickrey auctions without threshold trust. In Proceedings of the 6th international conference on Financial cryptography, FC02, pages 87-101, Berlin, Heidelberg, 2003. Springer-Verlag.
Moni Naor and Adi Shamir. Visual cryptography. In EUROCRYPT, pages 1-12, 1994.
Peter Y. A. Ryan and Vanessa Teague. Pretty good democracy. In Security Protocols Workshop, pages 111-130, 2009.
Eric R. Verheul and Henk C. A. Van Tilborg. Constructions and properties of k out of n visual secret sharing schemes. Des. Codes Cryptography, 11(2):179-196, May 1997.