receipt-free voting joint work with markus jakobsson, c. andy neff ari juels rsa laboratories
TRANSCRIPT
Basic Internet voting
Digitally signed by
Eve
Digitally signed by
Charlie
Digitally signed by
Bob
Digitally signed by
Alice
A vote forAl B re
A vote forG.W. Gush
A vote forAl Bore
A vote forG.W. Gush
Final Tally:
Gush 2
Bore 1
Receipt-freeness
Receipt-freeness property: Alice cannot open ballot or prove contents
Prevents simple blackmail References: BT94,SK95,HS00
What receipt-freeness doesn’t defend against
Vote buying– Sale of authentication key– Vote-buying schemes (e.g., vote-auction.com;
http://62.116.31.68/)
– Anonymous peer-to-peer networks Compromise of voting authority servers
– Limited defense in HS00
What receipt-freeness doesn’t defend against
Shoulder surfing Randomization attack
– Attacker pre-specifies form of Alice’s ciphertext, leading to random result
Forced-abstention attack Receipt-freeness won’t do for real
applications!
From Bob
From CharlieFrom Alice
“I love
Alice”
“Nobody loves Bob”
“Ilove
Charlie”
Is it Bob, Charlie,
self-love, or other?
Example application: Anonymizing bulletin board or e-mail
Another application: Voting
Digitally signed by
Eve
Digitally signed by
Charlie
Digitally signed by
Bob
Digitally signed by
Alice
A vote forAl B re
A vote forG.W. Gush
A vote forAl Bore
A vote forG.W. Gush
Final Tally:
Gush 2
Bore 1
Mix Structure
Server 1 Server 2 Server 3
m1
m2
m3
re-encrypt
and
permute
re-encrypt
and
permute
re-encrypt
and
permute
m2
m3
m1
m1
m3
m2m2
m3
m1
Properties
Privacy preserved, i.e., permutation hidden if at least one server is honest
Soundness achievable by having servers prove correct permutation
Mix network
Second key tool
Threshold one-way functions– Denoted by B() and B’()– Essentially undeniable signature– B(m) = mx for shared key x
Third key tool Anonymous credential = Voting key
– Essentially a group signature key a la Atienese et al. (Crypto ‘00) Other approaches possible
– Carries hidden, identifying tag, called tagi
– Special enhancement: Also includes validator vali = B(tagi), where B is threshold one-way function
tagi vali
A little more notation
Let E[m] denote El Gamal ciphertext on m:– Private key held distributively– Authorities can jointly decrypt ciphertext– B(E[m]) = E[B(m)] (due to El Gamal homomorphism)
Our new scheme
Core ideas:– Voter employs anonymous credential– We don’t know who voted (at time of
voting) or what was voted– Validator required for vote to count– Adversary cannot tell whether or not
validator is correct Attacker cannot tell whether a vote is valid or
not
Security model Registration:
– Attacker cannot interfere with registration process or– User is forced by, e.g., hardware, to do erasing
Before voting:– Attacker can provide keying or other material to voter (even entire ballot)
During vote:– Votes may be posted anonymously (for strongest security) or semi-anonymously (for weaker
guarantees)– Bulletin board is universally accessible
At all times:– Attacker has access to all public information, i.e., encrypted and decrypted ballots
Voting: Anatomy of a ballot
tagi vali
tagi vali votei
proofi
NIZK proof that
tagi ciphertext is
valid for credential
Anonymous credential
signature
validator = B(tagi)
tag3 val3 vote3
proof3
Tallying BallotsStep 1: Check group signatures and proofs
Authority 1 Authority 2
...
?
?
?
?
tag1 val1 vote1
proof1
tag2 val2 vote2
proof2
tagn valn voten
proofn
Tallying BallotsStep 2: Mixing ballots
Authority 1 Authority 2
...
tag1 val1 vote1
tag2 val2 vote2
tagn’ valn’ voten’
re-encryption tag1 val1 vote1
tag2 val2 vote2
tagn’ valn’ voten’
...
Tallying BallotsStep 3: Joint blinding and decryption of validators
Authority 1 Authority 2
tag1 val1 vote1
tag2 val2 vote2
tagn’ valn’ voten’
......
tag1 vote1
tag2 vote2
tagn’ voten’
B’(val1)
B’(val2)
B’(valn’)
...
B’ blinding prevents authorities from recognizing validators
Tallying BallotsStep 4: Elimination of duplicates by validator
Authority 1 Authority 2
equal validators ...
tag1 vote1
tag2 vote2
tagn’ voten’
B’(val1)
B’(val2)
B’(valn’)
tag3 vote3B’(val3)
Tallying BallotsStep 5: Re-mixing ballots
Authority 1 Authority 2
re-encryption tag1 B’(val1) vote1
tag2 B’(val2) vote2
tagn’B’(valn)’ voten’
.
.
.
...
tag1 vote1
tag2 vote2
B’(val1)
B’(val2)
tagn’ voten’B’(valn’)
Remixing required so that adversary does not recognize weeding based on number of ballots he cast
Tallying BallotsStep 6: Verification of validators
Authority 1 Authority 2
•Authorities compute C1= B’(B(E[tagi])) = E[B’(B(tagi))]
•Authorities do distributed comparison of C1 with C2 = E[B’(vali)]
•If ciphertexts are equal, then validator is correct•Otherwise ballot is invalid and is thus removed
tagi votei
E[tagi] If correct, B’(vali) = B’(B(tagi))
B’(vali)
Tallying BallotsStep 7: Joint decryption of valid votes
Authority 1 Authority 2
Gush=
Bore
Bore
vote1
vote2
vote3
Winner!
Voter cannot sell or prove vote
Key idea: Attacker cannot tell a false validator from a real one– If attacker demands voting key, voter can provide
false validator– If attacker demands that voter cast a certain type
of vote, and demands pointer(s) Voter can vote as demanded using false validator Voter can re-vote using correct validator
Collusion with minority coalition of servers resisted
Correct validators only computable by majority
Mixing is private and robust if majority is honest
No randomization or forced abstention
Randomization: Voter can use false validator to post false ballot… and later vote for real
Forced abstention: Group signature (+ anonymous channel) provides anonymity
Resistance to shoulder-surfing
Voter can vote multiple times Weeding policy provides for re-vote
– E.g., last vote might count (needs extra phase)
Is it practical?
Overhead is just a few times that of basic, mixed-based voting– Hirt-Sako ‘00 requires untappable channels, linear
cost in number of candidates, no write-ins, etc.
Not just practical, but essential for Internet voting!