Receipt-Free Universally-Verifiable Voting With Everlasting Privacy
Tal Moran (joint work with Moni Naor)
Outline of Talk
Motivation for cryptographic voting
Flavors of privacy (and why we care)
A cryptographic voting scheme based on commitment with equivalence proof
We’ll use physical metaphors and a simplified model
Voting: The Challenge
Requirements based on democratic principles: the outcome should reflect the “people’s will”
Fairness: one person, one vote
Privacy: not a principle in itself; required for fairness
Cast-as-intended
Counted-as-cast
Additional requirements: authorization, availability
A [Very] Brief History of Voting
Ancient Greece (5th century BCE): paper ballots
Rome (2nd century BCE): papyrus
USA: 17th century
Secret ballots (19th century): the Australian ballot
Lever machines
Optical scan (20th century)
Direct Recording Electronic (DRE)
The Case for Cryptographic Voting
Elections don’t just name the winner; they must convince the loser they lost!
Elections need to be verifiable
Counting in public: completely verifiable, but no vote privacy
Using cryptography, we can get both!
Voting with Mix-Nets
Idea due to David Chaum (1981)
Multiple “Election Authorities”; assume at least one is honest
Each voter creates an “Onion Ballot”
Authorities decrypt and shuffle; no authority knows all permutations
Authorities can publish a “proof of shuffle”
[Figure: Yes/No onion ballots passing through the chain of authorities]
How Private is Private?
Intuition: no one can tell how you voted. This is not always possible
Best we can hope for: as good as the “ideal” vote counter
[Figure: votes v1, v2, …, vn go into an ideal Tally box, which outputs only the result]
Privacy and Coercion
Vote privacy is essential to prevent coercion
Computational privacy holds only as long as its underlying assumptions do
Almost all universally verifiable voting schemes rely on public-key encryption
Belief in a privacy violation is enough for coercion!
Existing public-key schemes with current key lengths are likely to be broken in less than 30 years! [RSA Conference ’06]
Privacy is not Enough!
A voter can sell their vote by disclosing the randomness
Example: Italian village elections. The system allows listing candidates in any order. Bosses gave a different permutation of “approved” candidates to each voter; they could then check which permutations didn’t appear
Need “Receipt-Freeness” [Benaloh & Tuinstra 1994]
Who can you trust to encrypt?
Public-key encryption requires computers
Voting at home: the coercer can sit next to you
Voting in a polling booth: can you trust the polling computer?
Verification should be possible for a human! Receipt-freeness and privacy are also affected.
Our Contributions
First universally verifiable scheme based on a general assumption: previous schemes required special properties (e.g. a homomorphic encryption scheme); our scheme can be based on any non-interactive commitment
First receipt-free voting scheme with everlasting privacy: uses statistically hiding commitment instead of encryption
Formal definition of receipt-freeness
Proof of security (integrity) in the UC model
Security against arbitrary coalitions “for free”
Alice and Bob for Class President
Cory “the Coercer” wants to rig the election. He can intimidate all the students; only Mr. Drew is not afraid of Cory
Everybody trusts Mr. Drew to keep secrets. Unfortunately, Mr. Drew also wants to rig the election. Luckily, he doesn't stoop to blackmail
Sadly, all the students suffer severe RSI: they can't use their hands at all, so Mr. Drew will have to cast their ballots for them
Commitment with “Equivalence Proof”
We use a 20g weight for Alice and a 10g weight for Bob
Using a scale, we can tell if two votes are identical, even if the weights are hidden in a box!
The only actions we allow are: open a box; compare two boxes
Additional Requirements
An “untappable channel”: students can whisper in Mr. Drew's ear (“I’m whispering”)
Commitments are secret: Mr. Drew can put weights in the boxes privately
Everything else is public: the entire class can see all of Mr. Drew’s actions; they can hear anything that isn’t whispered; the whole show is recorded on video (external auditors)
Ernie Casts a Ballot
Ernie whispers his choice to Mr. Drew: “I like Alice”
Mr. Drew puts a box on the scale
Mr. Drew needs to prove to Ernie that the box contains 20g. If he opens the box, everyone else will see what Ernie voted for! So Mr. Drew uses a “Zero Knowledge Proof”
Mr. Drew puts k (=3) “proof” boxes on the table. Each box should contain a 20g weight. Once the boxes are on the table, Mr. Drew is committed to their contents
Ernie “challenges” Mr. Drew: for each box, Ernie flips a coin and either asks Mr. Drew to put the box on the scale (“prove equivalence”; it should weigh the same as the “Ernie” box) or asks Mr. Drew to open the box (it should contain a 20g weight). Example challenges: “Weigh 1, Open 2, Open 3” or “Open 1, Weigh 2, Open 3”
If the “Ernie” box doesn’t contain a 20g weight, every proof box either doesn’t contain a 20g weight or doesn’t weigh the same as the Ernie box. Mr. Drew can fool Ernie with probability at most 2^{-k}
Ernie Casts a Ballot: Why is this Zero Knowledge?
When Ernie whispers to Mr. Drew, he can tell Mr. Drew what his challenge will be. Mr. Drew can then put 20g weights in the boxes he will open, and 10g weights in the boxes he weighs. Example: Ernie whispers “I like Bob” and the challenge “Open 1, Weigh 2, Weigh 3”
Ernie Casts a Ballot: Full Protocol
Ernie whispers his choice and a fake challenge to Mr. Drew
Mr. Drew puts a box on the scale; it should contain a 20g weight
Mr. Drew puts k “Alice” proof boxes and k “Bob” proof boxes on the table. The Bob boxes contain 10g or 20g weights according to the fake challenge
Ernie shouts the “Alice” (real) challenge and the “Bob” (fake) challenge. Example: Alice: “Open 1, Open 2, Weigh 3”; Bob: “Open 1, Weigh 2, Weigh 3”
Drew responds to the challenges. No matter who Ernie voted for, the protocol looks exactly the same!
Implementing “Boxes and Scales”
We can use Pedersen commitment
G: a cyclic (abelian) group of prime order p; g, h: generators of G; no one should know \log_g h
To commit to m ∈ Z_p: choose random r ∈ Z_p and send x = g^m h^r
Statistically hiding: for any m, x is uniformly distributed in G
Computationally binding: if we can find m' ≠ m and r' such that g^{m'} h^{r'} = x, then g^{m-m'} = h^{r'-r} ≠ 1, so we can compute \log_g h = (m-m')/(r'-r)
To prove equivalence of x = g^m h^r and y = g^m h^s: the prover sends t = r - s; the verifier checks that y h^t = x
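The following is an added worked example (not the authors' code) of the “boxes and scales” ballot casting above on Pedersen commitments: the equivalence proof t = r - s, the k proof boxes per candidate, the whispered fake challenge for the other candidate, and the public verification anyone can run. The group (p = 2039, q = 1019, g = 4, h = 9) and the candidate weights are constructed toy values chosen for readability; a real system needs a large prime-order group.

```python
"""Toy 'boxes and scales' ballot casting on Pedersen commitments.

Added example, not the authors' code. The group parameters are tiny and
constructed for readability only; a real system needs a ~256-bit prime-order group.
"""
import random

# Constructed toy group: p = 2q + 1 with q prime, G = quadratic residues mod p (order q).
P, Q = 2039, 1019
G, H = 4, 9                          # two generators of G; nobody may know log_G(H)
WEIGHT = {"Alice": 20, "Bob": 10}    # the talk's 20g / 10g weights


def commit(m, r):
    """Pedersen commitment x = g^m h^r: a closed box holding weight m."""
    return pow(G, m, P) * pow(H, r, P) % P


def equivalence_proof(r, s):
    """Prover's message for x = C(m, r), y = C(m, s): the boxes balance."""
    return (r - s) % Q


def verify_equivalence(x, y, t):
    """Verifier checks y * h^t == x."""
    return y * pow(H, t, P) % P == x


def prepare(vote, fake_challenge, rng):
    """Drew's commitments: the ballot box plus k proof boxes per candidate.

    fake_challenge is the k-bit challenge Ernie whispered for the *other*
    candidate (1 = 'weigh', 0 = 'open'). Returns (public board, Drew's secrets).
    """
    r = rng.randrange(Q)
    public = {"ballot": commit(WEIGHT[vote], r), "boxes": {"Alice": [], "Bob": []}}
    secret = {"r": r, "boxes": {"Alice": [], "Bob": []}}
    for cand in ("Alice", "Bob"):
        for bit in fake_challenge:
            s = rng.randrange(Q)
            # Real candidate: every proof box truly holds that candidate's weight.
            # Other candidate: boxes Ernie will 'open' hold the claimed weight, boxes
            # he will 'weigh' secretly hold the real vote's weight so the scale balances.
            m = WEIGHT[cand] if cand == vote or bit == 0 else WEIGHT[vote]
            secret["boxes"][cand].append((m, s))
            public["boxes"][cand].append(commit(m, s))
    return public, secret


def respond(public, secret, challenges):
    """Drew answers the shouted challenges with whatever the boxes actually hold."""
    responses = {}
    for cand in ("Alice", "Bob"):
        responses[cand] = []
        for (m, s), bit in zip(secret["boxes"][cand], challenges[cand]):
            if bit == 1:
                responses[cand].append(("weigh", equivalence_proof(secret["r"], s)))
            else:
                responses[cand].append(("open", m, s))
    return dict(public, challenges=challenges, responses=responses)


def verify_candidate(transcript, cand):
    """Public check (anyone, including Cory, can run it) of the proof for `cand`."""
    ballot = transcript["ballot"]
    rows = zip(transcript["boxes"][cand], transcript["challenges"][cand],
               transcript["responses"][cand])
    for box, bit, resp in rows:
        if bit == 1 and not (resp[0] == "weigh" and verify_equivalence(ballot, box, resp[1])):
            return False
        if bit == 0 and not (resp[0] == "open" and resp[1] == WEIGHT[cand]
                             and commit(resp[1], resp[2]) == box):
            return False
    return True


def cast_ballot(vote, fake_challenge, seed=0):
    """Full protocol: whisper (vote, fake challenge); boxes go down; Ernie then
    flips fresh coins for the real challenge; both challenges are shouted."""
    rng = random.Random(seed)
    other = "Bob" if vote == "Alice" else "Alice"
    public, secret = prepare(vote, fake_challenge, rng)
    real_challenge = [rng.randrange(2) for _ in fake_challenge]
    return respond(public, secret, {vote: real_challenge, other: fake_challenge})


def cheating_success_rate(k, trials, seed=1):
    """Drew's box holds Bob's 10g weight but he must 'prove' Alice against a
    challenge he can only guess; the only winning guess is the exact challenge."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        guess = [rng.randrange(2) for _ in range(k)]
        public, secret = prepare("Bob", guess, rng)            # boxes built for the guess
        actual = [rng.randrange(2) for _ in range(k)]         # Ernie's real coins
        transcript = respond(public, secret, {"Alice": actual, "Bob": [0] * k})
        wins += verify_candidate(transcript, "Alice")
    return wins / trials
```

Running `cast_ballot("Alice", ...)` and `cast_ballot("Bob", ...)` yields transcripts in which both candidates' proofs verify, which is the receipt-freeness point: the public record has the same shape whichever way Ernie voted. `cheating_success_rate(3, 2000)` comes out near 2^{-3}, matching the soundness bound in the talk.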
A “Real” System
Receipt printed for Ernie:
1 Receipt for Ernie
2 o63ZJVxC91rN0uRv/DtgXxhl+UY=
3 - Challenges -
4 Alice:
5 Sn0w 619- ziggy p3
6 Bob:
7 l4st phone et spla
8 - Response -
9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ=
0 === Certified ===
Screen 1: “Hello Ernie, Welcome to VoteMaster. Please choose your candidate: Bob / Alice”
Screen 2: “Hello Ernie, You are voting for Alice. Please enter a fake challenge for Bob” (Bob: l4st phone et spla) [Continue]
Screen 3: “Hello Ernie, You are voting for Alice. Make sure the printer has output two lines (the second line will be covered). Now enter the real challenge for Alice” (Alice: Sn0w 619- ziggy p3; Bob: l4st phone et spla) [Continue]
Screen 4: “Hello Ernie, You are voting for Alice. Please verify that the printed challenges match those you entered.” (Alice: Sn0w 619- ziggy p3; Bob: l4st phone et spla) [Finalize Vote]
Screen 5: “Hello Ernie, Thank you for voting. Please take your receipt”
Counting the Votes
Mr. Drew announces the final tally (Ernie, Fay, Guy, Heidi: Alice 3, Bob 1)
Mr. Drew must prove the tally correct, without revealing who voted for what!
Recall: Mr. Drew is committed to everyone’s votes
Mr. Drew puts k rows of new boxes on the table. Each row should contain the same votes in a random order
A “random beacon” gives k challenges (e.g. Weigh, Weigh, Open). Everyone trusts that Mr. Drew cannot anticipate the challenges
For each challenge: Mr. Drew proves that the row contains a permutation of the real votes, or Mr. Drew opens the boxes and shows they match the tally
If Mr. Drew’s tally is bad, the new boxes don’t match the tally, or they are not a permutation of the committed votes. Drew succeeds with probability at most 2^{-k}
This protocol does not reveal information about specific votes: no box is both opened and weighed, and the opened boxes are in a random order
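The tally proof above, as an added worked example (not the authors' code), with the same constructed toy Pedersen parameters as before: Drew publishes k shuffled rows of fresh boxes, a beacon challenge per row picks “weigh” (prove the row is a permutation of the committed ballots) or “open” (open the row and check it matches the claimed tally), and a cheating Drew with a false tally can only pass by guessing every beacon bit before the rows are fixed. The votes, the claimed tallies and the cheating strategy are assumptions made for the illustration.

```python
"""Toy tally proof for the 'boxes and scales' scheme (Pedersen commitments).

Added example, not the authors' code; tiny constructed group parameters.
"""
import random

P, Q = 2039, 1019                     # constructed toy group: quadratic residues mod p, order q
G, H = 4, 9
WEIGHT = {"Alice": 20, "Bob": 10}
NAME = {w: c for c, w in WEIGHT.items()}


def commit(m, r):
    return pow(G, m, P) * pow(H, r, P) % P


def verify_equivalence(x, y, t):
    """x = C(m, r), y = C(m, s), t = r - s: the two boxes balance on the scale."""
    return y * pow(H, t, P) % P == x


def commit_ballots(votes, seed=0):
    """The boxes Drew committed to during casting: (public box, vote, randomness)."""
    rng = random.Random(seed)
    out = []
    for v in votes:
        r = rng.randrange(Q)
        out.append((commit(WEIGHT[v], r), v, r))
    return out


def prove_tally(ballots, claimed_tally, k, seed, cheat=False):
    """Drew publishes k shuffled rows of fresh boxes, then a random beacon picks a
    challenge per row: 1 = 'weigh' (row is a permutation of the committed votes),
    0 = 'open' (row opens to the claimed tally). A cheating Drew, whose claimed
    tally is false, must guess each challenge before the rows are published."""
    rng = random.Random(seed)
    n = len(ballots)
    guesses = [rng.randrange(2) for _ in range(k)]         # only a cheater uses these
    rows, secrets = [], []
    for i in range(k):
        perm = list(range(n))
        rng.shuffle(perm)
        if cheat and guesses[i] == 0:
            # Fake 'open' row: boxes hold weights that add up to the claimed tally.
            weights = [WEIGHT[c] for c, cnt in claimed_tally.items() for _ in range(cnt)]
            rng.shuffle(weights)
        else:
            weights = [WEIGHT[ballots[j][1]] for j in perm]   # genuine permutation
        ss = [rng.randrange(Q) for _ in range(n)]
        rows.append([commit(m, s) for m, s in zip(weights, ss)])
        secrets.append((perm, weights, ss))
    challenges = [rng.randrange(2) for _ in range(k)]      # beacon output, after rows are fixed
    responses = []
    for (perm, weights, ss), c in zip(secrets, challenges):
        if c == 1:   # weigh: reveal which original each box mirrors, plus t = r - s
            responses.append([(j, (ballots[j][2] - s) % Q) for j, s in zip(perm, ss)])
        else:        # open: reveal every box's weight and randomness
            responses.append(list(zip(weights, ss)))
    return {"board": [b[0] for b in ballots], "tally": claimed_tally,
            "rows": rows, "challenges": challenges, "responses": responses}


def verify_tally(proof):
    """Public verification; no box is ever both opened and weighed."""
    board = proof["board"]
    for row, c, resp in zip(proof["rows"], proof["challenges"], proof["responses"]):
        if c == 1:
            if sorted(j for j, _ in resp) != list(range(len(board))):
                return False
            if not all(verify_equivalence(board[j], box, t) for box, (j, t) in zip(row, resp)):
                return False
        else:
            counts = dict.fromkeys(WEIGHT, 0)
            for box, (m, s) in zip(row, resp):
                if m not in NAME or commit(m, s) != box:
                    return False
                counts[NAME[m]] += 1
            if counts != proof["tally"]:
                return False
    return True


def cheat_success_rate(k, trials):
    """Drew claims Alice 4 / Bob 0 when the committed votes say Alice 3 / Bob 1."""
    ballots = commit_ballots(["Alice", "Alice", "Bob", "Alice"])
    wins = sum(verify_tally(prove_tally(ballots, {"Alice": 4, "Bob": 0}, k, seed=i + 1, cheat=True))
               for i in range(trials))
    return wins / trials
```

An honest proof of the true tally verifies for every beacon outcome, while `cheat_success_rate(3, 1000)` stays near 2^{-3}: a row built to open to the false tally fails “weigh”, and a genuine permutation fails “open” against the false tally, so only a fully correct guess of the beacon survives.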
Using “Standard” Commitment
Is the equivalence proof necessary?
Our new metaphor: Locks and Keys
Assumptions: every key fits a single lock; every lock has only one key; no one can tell by just looking whether a key fits a lock
Commitment with Locks and Keys
To commit to a message: privately lock the message using a key; put the key (or lock) on the table
The key only fits one lock. To open the commitment, show the lock and open it
Nested Commitments
We have an additional trick: commitment to a commitment
We can put a key on the lock instead of a message
The locked key is a commitment to the commitment to the message
We can open the “external” commitment without giving any information about the “internal”, or open the “internal” one without revealing the “external”
Ernie Casts a Ballot
Ernie whispers his choice to Mr. Drew (“I like Alice”)
Mr. Drew creates 2k double commitments to Ernie’s choice
Mr. Drew now proves to Ernie that most of the commitments are correct. He uses a Zero Knowledge proof
Ernie chooses a random permutation (e.g. 2 3 1 4); Drew rearranges keys and locks by this permutation
Drew reveals k of the internal commitments. Does not open external commitments!
Ernie makes k challenges (each is either 1 “Candidate” or 2 “Connection”)
Drew responds to the challenges: opens the internal commitment, or opens the external commitment
Ernie Casts a Ballot: Proof Intuition
If a large fraction of Drew’s commitments are bad, then after shuffling a large fraction of bad commitments will be in the first k
For each bad commitment: either Drew cannot open the internal commitment, or Drew cannot open the external commitment
Drew cheats successfully with probability exponentially small in k
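The cut-and-choose casting step with nested commitments, as an added worked example (not the authors' code): a standard non-homomorphic commitment is modelled as a SHA-256 lock, an inner lock holds the vote, an outer lock holds the inner lock, Drew makes 2k of them, Ernie permutes and then tests the first k with a “Candidate” (open internal) or “Connection” (open external) challenge, and the remaining k form Ernie's column. The cheating strategy modelled (a bad double commitment whose shown inner lock is not the one under the outer lock) and the candidate names are assumptions made for the illustration.

```python
"""Toy 'locks and keys' ballot casting with nested (double) hash commitments.

Added example, not the authors' code; it models the cut-and-choose step the
talk describes (2k double commitments, Ernie's permutation, k tests).
"""
import hashlib
import random


def commit(msg, key):
    """Standard commitment: the 'lock' is H(key || msg); (msg, key) is the key that opens it."""
    return hashlib.sha256(key + b"|" + msg).digest()


def rand_key(rng):
    return rng.getrandbits(128).to_bytes(16, "big")


def double_commitment(vote, rng, claimed_vote=None):
    """Inner lock holds the vote; outer lock holds the inner lock (a locked key).

    Honest Drew: claimed_vote == vote, and the inner lock he shows Ernie is the one
    under the outer lock. Cheating Drew: locks `vote` but shows a separate inner lock
    on `claimed_vote` that is not the one under the outer lock.
    """
    claimed_vote = claimed_vote or vote
    r_in, r_out = rand_key(rng), rand_key(rng)
    inner = commit(vote.encode(), r_in)
    item = {"outer": commit(inner, r_out), "r_out": r_out, "true_inner": inner}
    if claimed_vote == vote:
        item.update(shown_inner=inner, shown_key=r_in, shown_vote=vote)
    else:
        r_fake = rand_key(rng)
        item.update(shown_inner=commit(claimed_vote.encode(), r_fake),
                    shown_key=r_fake, shown_vote=claimed_vote)
    return item


def verify_response(vote, item, challenge):
    """Ernie's check of one tested double commitment.
    challenge 0 ('Candidate'): open the shown inner lock; it must hold Ernie's vote.
    challenge 1 ('Connection'): open the outer lock; it must hold exactly the shown inner lock."""
    if challenge == 0:
        return (item["shown_vote"] == vote
                and commit(item["shown_vote"].encode(), item["shown_key"]) == item["shown_inner"])
    return (commit(item["true_inner"], item["r_out"]) == item["outer"]
            and item["true_inner"] == item["shown_inner"])


def cast_ballot(vote, k, seed=0, n_bad=0):
    """Drew makes 2k double commitments (n_bad dishonest ones), Ernie applies a
    random permutation, the first k are tested, the last k become the ballot column.
    Returns (accepted, ballot_column)."""
    rng = random.Random(seed)
    other = "Bob" if vote == "Alice" else "Alice"
    items = [double_commitment(other, rng, claimed_vote=vote) for _ in range(n_bad)]
    items += [double_commitment(vote, rng) for _ in range(2 * k - n_bad)]
    perm = list(range(2 * k))
    rng.shuffle(perm)                                   # Ernie's permutation, after Drew committed
    items = [items[i] for i in perm]
    challenges = [rng.randrange(2) for _ in range(k)]   # Ernie's k coin flips
    accepted = all(verify_response(vote, it, c) for it, c in zip(items[:k], challenges))
    column = [it["outer"] for it in items[k:]]          # only outer locks stay on the public board
    return accepted, column


def cheat_success_rate(k, n_bad, trials):
    """Fraction of runs in which Drew's n_bad bad double commitments go undetected."""
    return sum(cast_ballot("Alice", k, seed=i, n_bad=n_bad)[0] for i in range(trials)) / trials
```

Each bad double commitment survives only one of the two challenge types, so with every commitment bad Drew passes only when all k coins say “Candidate” (probability 2^{-k}); with half of them bad the shuffle puts several into the tested half and the acceptance rate drops accordingly. The unchallenged half that becomes the column therefore has a good majority with high probability, which is the property the tally proof later relies on.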
Ernie Casts a Ballot: Zero Knowledge
If Drew knows Ernie’s challenge in advance, he creates “fake” internal commitments
Drew can then “prove” Ernie voted for Bob
Ernie Casts a Ballot: Receipt Freeness
We use the same technique as previously: Ernie whispers his choice (“I like Alice”) and a fake challenge
Drew “proves” that Ernie voted for Bob using the fake challenge, and that Ernie voted for Alice using a real challenge
The real and fake proofs are indistinguishable to everyone else
Counting the Votes
Drew reveals the tally (Alice: 3, Bob: 1)
The random beacon provides n permutations of 1,…,k; Drew permutes the columns (e.g. Ernie: 1 2, Fay: 1 2, Guy: 2 1, Heidi: 2 1)
Drew chooses k random permutations of 1,…,n; Drew permutes the rows (of internal commitments) (e.g. Row 1: 2 4 3 1, Row 2: 1 3 4 2)
Drew reveals the permuted internal commitments (without opening any commitment)
The random beacon issues k challenges (each is either 1 “Commits” or 2 “Tally”)
Drew responds: open the external commitments and show they match the originals, or open the internal commitments and show the tally matches
Counting the Votes: Proof Intuition
Zero Knowledge: viewers see either a random permutation of the tally (internal commitments can’t be connected to voters) or the opening of external commitments; no information about votes
Integrity: Drew can cheat in two ways. Use “bad” (new) external commitments: he will be caught if asked to open them. Use bad double commitments: ballot casting ensures a good majority in each column; columns are permuted after commitment, so with high probability some rows will not match. The probability of successful cheating is exponentially small in k
Summary and Open Questions
Summary: a universally-verifiable receipt-free voting scheme, based on commitment with equivalence testing or on generic non-interactive commitment
Further work: prevent subliminal channels; can we split trust between multiple authorities? Do we really need an untappable channel? Better voting protocols?
Thank You!