Receipt-Free Universally-Verifiable Voting With Everlasting Privacy


Transcript of Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Page 1: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Tal Moran, joint work with Moni Naor

Page 2: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Outline of Talk

Motivation for Cryptographic Voting

Flavors of Privacy (and why we care)

Cryptographic Voting Scheme based on commitment with equivalence proof

We’ll use physical metaphors and a simplified model

Page 3: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Voting: The Challenge

Requirements based on democratic principles: the outcome should reflect the “people’s will”.
- Fairness: one person, one vote
- Cast-as-intended
- Counted-as-cast
- Privacy: not a principle in itself; required for fairness

Additional requirements: Authorization, Availability

Page 4: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

A [Very] Brief History of Voting

- Ancient Greece (5th century BCE)
- Paper ballots: Rome, 2nd century BCE (papyrus); USA, 17th century
- Secret ballots (19th century): the Australian ballot
- Lever machines
- Optical scan (20th century)
- Direct Recording Electronic (DRE)

Page 5: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

The Case for Cryptographic Voting

Elections don’t just name the winner: they must convince the loser they lost!

Elections need to be verifiable. Counting in public is completely verifiable, but gives no vote privacy.

Using cryptography, we can get both!

Page 6: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Voting with Mix-Nets

Idea due to David Chaum (1981). Multiple “Election Authorities”; assume at least one is honest.

Each voter creates an “Onion Ballot”. Authorities decrypt and shuffle; no authority knows all permutations.

Authorities can publish a “proof of shuffle”.

[Figure: Yes/No ballots passing through the authorities’ shuffles]

Page 7: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

How Private is Private?

Intuition: no one can tell how you voted. This is not always possible.

Best we can hope for: as good as the “ideal” vote counter.

[Figure: ideal vote counter with inputs v1, v2, …, vn, the Tally, and i1, i2, …, in]

Page 8: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Privacy and Coercion

Vote privacy is essential to prevent coercion.

Computational privacy holds only as long as its underlying assumptions do. Almost all universally verifiable voting schemes rely on public-key encryption.

Belief in privacy violation is enough for coercion! Existing public-key schemes with current key lengths are likely to be broken in less than 30 years! [RSA Conference ’06]

Page 9: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Privacy is not Enough!

Voter can sell vote by disclosing randomness.

Example: Italian village elections. The system allows listing candidates in any order. Bosses gave a different permutation of “approved” candidates to each voter; they could check which permutations didn’t appear.

Need “Receipt-Freeness” [Benaloh & Tuinstra 1994]

Page 10: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Who can you trust to encrypt?

Public-key encryption requires computers.

Voting at home: the coercer can sit next to you.

Voting in a polling booth: can you trust the polling computer?

Verification should be possible for a human! Receipt-freeness and privacy are also affected.

Page 11: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Our Contributions

First Universally Verifiable Voting Scheme Based on General Assumptions
- Previous schemes required special properties (e.g. a homomorphic encryption scheme)
- Our scheme can be based on any non-interactive commitment

First Receipt-Free Voting Scheme with Everlasting Privacy
- Uses statistically hiding commitment instead of encryption
- Formal definition of Receipt-Freeness
- Proof of security (integrity) in UC model
- Security against arbitrary coalitions “for free”

Page 12: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Alice and Bob for Class President

Cory “the Coercer” wants to rig the election. He can intimidate all the students.

Only Mr. Drew is not afraid of Cory. Everybody trusts Mr. Drew to keep secrets. Unfortunately, Mr. Drew also wants to rig the election. Luckily, he doesn't stoop to blackmail.

Sadly, all the students suffer severe RSI: they can't use their hands at all. Mr. Drew will have to cast their ballots for them.

Page 13: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Commitment with “Equivalence Proof”

We use a 20g weight for Alice... ...and a 10g weight for Bob.

Using a scale, we can tell if two votes are identical, even if the weights are hidden in a box!

The only actions we allow are: open a box; compare two boxes.

Page 14: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Additional Requirements

An “untappable channel”: students can whisper in Mr. Drew's ear (“I’m whispering”).

Commitments are secret: Mr. Drew can put weights in the boxes privately.

Everything else is public: the entire class can see all of Mr. Drew’s actions; they can hear anything that isn’t whispered; the whole show is recorded on video (external auditors).

Page 15: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Ernie Casts a Ballot

Ernie whispers his choice to Mr. Drew: “I like Alice”.

Page 16: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Ernie Casts a Ballot

Mr. Drew puts a box on the scale. Mr. Drew needs to prove to Ernie that the box contains 20g. If he opens the box, everyone else will see what Ernie voted for! Mr. Drew uses a “Zero Knowledge Proof”.

Page 17: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Ernie Casts a Ballot

Mr. Drew puts k (=3) “proof” boxes on the table. Each box should contain a 20g weight. Once the boxes are on the table, Mr. Drew is committed to their contents.

Page 18: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Ernie Casts a Ballot

Ernie “challenges” Mr. Drew; for each box, Ernie flips a coin and either:
- asks Mr. Drew to put the box on the scale (“prove equivalence”): it should weigh the same as the “Ernie” box; or
- asks Mr. Drew to open the box: it should contain a 20g weight.

(Challenge shown: Weigh 1, Open 2, Open 3)

Page 19: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Ernie Casts a Ballot

(Challenge shown: Open 1, Weigh 2, Open 3)

If the “Ernie” box doesn’t contain a 20g weight, every proof box either doesn’t contain a 20g weight or doesn’t weigh the same as the Ernie box. Mr. Drew can fool Ernie with probability at most 2^-k.

Page 20: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Ernie Casts a Ballot: Why is this Zero Knowledge?

When Ernie whispers to Mr. Drew, he can tell Mr. Drew what his challenge will be (“I like Bob”; challenge: Open 1, Weigh 2, Weigh 3).

Mr. Drew can put 20g weights in the boxes he will open, and 10g weights in the boxes he weighs.

Page 21: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Ernie Casts a Ballot: Full Protocol

Ernie whispers his choice and a fake challenge to Mr. Drew (“I like Alice”; fake challenge: Open 1, Weigh 2, Weigh 3).

Mr. Drew puts a box on the scale; it should contain a 20g weight.

Mr. Drew puts k “Alice” proof boxes and k “Bob” proof boxes on the table. Bob boxes contain 10g or 20g weights according to the fake challenge.

Page 22: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Ernie Casts a Ballot: Full Protocol

Ernie shouts the “Alice” (real) challenge and the “Bob” (fake) challenge (shown: Open 1, Open 2, Weigh 3 and Open 1, Weigh 2, Weigh 3).

Drew responds to the challenges. No matter who Ernie voted for, the protocol looks exactly the same!

Page 23: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Implementing “Boxes and Scales”

We can use Pedersen commitment:
- G: a cyclic (abelian) group of prime order p
- g, h: generators of G; no one should know log_g h
- To commit to m ∈ Z_p: choose random r ∈ Z_p and send x = g^m h^r

Statistically hiding: for any m, x is uniformly distributed in G.

Computationally binding: if we can find m’ ≠ m and r’ such that g^m’ h^r’ = x, then g^(m-m’) = h^(r’-r) ≠ 1, so we can compute log_g h = (m-m’)/(r’-r).

Page 24: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Implementing “Boxes and Scales”

To prove equivalence of x = g^m h^r and y = g^m h^s: the prover sends t = r - s; the verifier checks that y h^t = x.
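The following is an added worked example, not code from the talk or from Moran and Naor. It implements the boxes as Pedersen commitments and the scale as the equivalence proof of the two slides above, then runs Ernie's cut-and-choose ballot proof with a real and a fake challenge (the ballot-casting slides, Pages 16–22). The toy group (p = 2039, q = 1019, g = 4, h hashed into the group), the weights 20 and 10 as committed values, the W/O challenge strings and every function name are assumptions of the example; the slides' prime p is the group order, called q here.

```python
# Added example, not code from the talk: Pedersen "boxes", the equivalence-proof
# "scale", and Ernie's cut-and-choose ballot proof with a real and a fake challenge.
import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    p: int  # modulus; the group is the order-q subgroup of Z_p^*
    q: int  # prime group order (the slides call this p)
    g: int  # generator
    h: int  # second generator; nobody may know log_g h


def toy_group() -> Group:
    """Constructed toy parameters: p = 2q + 1, g = 2^2 generates the quadratic residues.
    h is hashed into the subgroup so that log_g h is known to nobody (real deployments do
    the same at 2048-bit or elliptic-curve size)."""
    p, q, g = 2039, 1019, 4
    for ctr in range(1000):
        seed = int.from_bytes(hashlib.sha256(b"example-h-%d" % ctr).digest(), "big")
        h = pow(seed % p, 2, p)
        if h not in (0, 1, g):
            return Group(p, q, g, h)
    raise RuntimeError("no usable h found")


def commit(G, m, r=None):
    """Put weight m in a box: x = g^m * h^r with fresh randomness r (returned with x)."""
    if r is None:
        r = secrets.randbelow(G.q)
    return pow(G.g, m % G.q, G.p) * pow(G.h, r, G.p) % G.p, r


def open_box(G, x, m, r):
    """Open a box: anyone can recompute g^m * h^r and compare with x."""
    return commit(G, m, r)[0] == x


def equivalence_proof(G, r, s):
    """The scale, prover side: for x = g^m h^r and y = g^m h^s send t = r - s."""
    return (r - s) % G.q


def verify_equivalence(G, x, y, t):
    """The scale, verifier side: y * h^t == x, which holds only if both boxes hide the
    same m (or the prover knows log_g h, hence the public derivation of h)."""
    return y * pow(G.h, t, G.p) % G.p == x


ALICE, BOB = 20, 10  # the 20g and 10g weights are the committed values


def cast_ballot(G, choice, real_challenge, fake_challenge):
    """Drew's side of the full protocol.  A challenge is a string over {'W', 'O'} (weigh /
    open), one letter per proof box.  The real proof is for `choice`; the fake proof is for
    the other candidate and is built knowing its challenge, as the zero-knowledge simulator
    does: boxes to be opened hold the claimed weight, boxes to be weighed hold what the
    vote box holds.  For the honest proof these coincide, so both proofs look alike."""
    other = BOB if choice == ALICE else ALICE
    x, r = commit(G, choice)
    receipt = {"vote_box": x, "proofs": {}}
    for cand, challenge in ((choice, real_challenge), (other, fake_challenge)):
        boxes, responses = [], []
        for c in challenge:
            y, s = commit(G, cand if c == "O" else choice)
            boxes.append(y)
            responses.append(("O", cand, s) if c == "O" else ("W", equivalence_proof(G, r, s)))
        receipt["proofs"][cand] = {"challenge": challenge, "boxes": boxes, "responses": responses}
    return receipt


def verify_receipt(G, receipt):
    """The public check (class, video, auditors).  Both candidates' proofs must pass, so the
    receipt never shows which challenge was Ernie's real one; only Ernie knows that."""
    x = receipt["vote_box"]
    for cand, proof in receipt["proofs"].items():
        for c, y, resp in zip(proof["challenge"], proof["boxes"], proof["responses"]):
            if c == "O":
                if resp[1] != cand or not open_box(G, y, resp[1], resp[2]):
                    return False
            elif not verify_equivalence(G, x, y, resp[1]):
                return False
    return True


def drew_cheats(G, guessed_challenge, actual_challenge):
    """Drew puts 10g in Ernie's box but claims 20g.  He passes only if he guessed the whole
    challenge (10g where weighed, 20g where opened), i.e. with probability 2^-k."""
    x, r = commit(G, BOB)
    passed = True
    for guess, actual in zip(guessed_challenge, actual_challenge):
        y, s = commit(G, BOB if guess == "W" else ALICE)
        if actual == "O":
            passed &= open_box(G, y, ALICE, s)  # fails when the box really holds 10g
        else:
            passed &= verify_equivalence(G, x, y, equivalence_proof(G, r, s))  # fails on 20g
    return passed


if __name__ == "__main__":
    G = toy_group()
    print("receipt verifies:", verify_receipt(G, cast_ballot(G, ALICE, "WOO", "OWW")))
    print("cheating Drew caught:", not drew_cheats(G, "WOO", "OWO"))
```

The receipt verifies for both candidates by construction; the only thing that distinguishes the real proof from the simulated one is Ernie's knowledge of which challenge he chose after the boxes were on the table, which is exactly what a coercer looking at the receipt or the video cannot learn.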

Page 25: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

A “Real” System

Receipt for Ernie (printed line by line):
    1 Receipt for Ernie
    2 o63ZJVxC91rN0uRv/DtgXxhl+UY=
    3 - Challenges -
    4 Alice:
    5 Sn0w 619- ziggy p3
    6 Bob:
    7 l4st phone et spla
    8 - Response -
    9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ=
    0 === Certified ===

Screen: Hello Ernie, Welcome to VoteMaster. Please choose your candidate: [Bob] [Alice]

Page 26: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

A “Real” System

Screen: Hello Ernie, You are voting for Alice. Please enter a fake challenge for Bob.
    Alice:
    Bob: l4st phone et spla
    [Continue]

Page 27: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

A “Real” System

Screen: Hello Ernie, You are voting for Alice. Make sure the printer has output two lines (the second line will be covered). Now enter the real challenge for Alice.
    Alice: Sn0w 619- ziggy p3
    Bob: l4st phone et spla
    [Continue]

Page 28: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

A “Real” System

Screen: Hello Ernie, You are voting for Alice. Please verify that the printed challenges match those you entered.
    Alice: Sn0w 619- ziggy p3
    Bob: l4st phone et spla
    [Finalize Vote]

Page 29: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

A “Real” System

Screen: Hello Ernie, Thank you for voting. Please take your receipt.

Page 30: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Counting the Votes

Mr. Drew announces the final tally (voters: Ernie, Fay, Guy, Heidi): Alice: 3, Bob: 1.

Mr. Drew must prove the tally correct, without revealing who voted for what!

Recall: Mr. Drew is committed to everyone’s votes.

Page 31: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Counting the Votes

Mr. Drew puts k rows of new boxes on the table. Each row should contain the same votes in a random order.

A “random beacon” gives k challenges (shown: Weigh, Weigh, Open). Everyone trusts that Mr. Drew cannot anticipate the challenges.

Page 32: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Counting the Votes

For each challenge: Mr. Drew proves that the row contains a permutation of the real votes (Weigh)...

Page 33: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Counting the Votes

For each challenge: Mr. Drew proves that the row contains a permutation of the real votes (Weigh), or Mr. Drew opens the boxes and shows they match the tally (Open).

Page 34: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Counting the Votes

If Mr. Drew’s tally is bad, the new boxes don’t match the tally, or they are not a permutation of the committed votes. Drew succeeds with probability at most 2^-k.

Page 35: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Counting the Votes

This protocol does not reveal information about specific votes: no box is both opened and weighed; the opened boxes are in a random order.
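The tally proof of the counting slides (Pages 30–35), as an added worked example that is not code from the talk or from Moran and Naor. Drew publishes k rows of freshly randomised Pedersen boxes, each row a shuffled copy of the committed votes; a beacon challenge per row asks him either to weigh (reveal the permutation and one equivalence proof per box) or to open (reveal the contents in the shuffled order). The toy group constants, the vote values 20 and 10, the four constructed voters and the beacon stand-in (challenges read from a hash of the published rows, which the talk does not specify) are assumptions of the example.

```python
# Added example, not code from the talk: the tally proof with k shuffled rows of
# re-randomised Pedersen boxes, beacon challenges, and the weigh/open responses.
import hashlib
import secrets
from collections import Counter

P, Q, G, H = 2039, 1019, 4, 9  # toy: order-Q subgroup of Z_P^*; a real h is derived so log_g h is unknown
ALICE, BOB = 20, 10


def commit(m, r):
    return pow(G, m, P) * pow(H, r, P) % P


def verify_equivalence(x, y, t):  # the scale: y * h^t == x iff both boxes hold the same m
    return y * pow(H, t, P) % P == x


def tally(votes):
    return Counter(votes)


def beacon(rows, k):
    """Stand-in for the random beacon (an assumption of this example): the k challenges are
    read off a hash of the published rows, so Drew cannot choose them before committing.
    'W' = show the row is a permutation of the real votes, 'O' = open the row."""
    digest = hashlib.sha256(repr(rows).encode()).digest()
    return "".join("W" if digest[i] & 1 else "O" for i in range(k))  # k <= 32


def prove_tally(committed, row_votes, k):
    """Drew's side.  `committed` = [(x, m, r)] for the voters' boxes (Drew knows m and r).
    Each of the k rows holds fresh boxes for `row_votes` in a random order; an honest Drew
    passes the real votes, a cheating Drew the votes matching the tally he announces."""
    n = len(committed)
    rng = secrets.SystemRandom()
    rows, hidden = [], []
    for _ in range(k):
        perm = list(range(n))
        rng.shuffle(perm)  # new box i is a re-randomised copy of original box perm[i]
        s = [rng.randrange(Q) for _ in range(n)]
        rows.append([commit(row_votes[perm[i]], s[i]) for i in range(n)])
        hidden.append((perm, s))
    challenges = beacon(rows, k)
    responses = []
    for (perm, s), c in zip(hidden, challenges):
        if c == "W":  # reveal the permutation and one equivalence proof per box; open nothing
            responses.append(("W", perm, [(committed[perm[i]][2] - s[i]) % Q for i in range(n)]))
        else:  # open every box of the row; the permutation stays hidden
            responses.append(("O", [(row_votes[perm[i]], s[i]) for i in range(n)]))
    return rows, challenges, responses


def verify_tally(x_list, announced, rows, challenges, responses):
    """The public check.  No row is both weighed and opened and opened rows are shuffled,
    so nothing links an opened vote to a voter."""
    n = len(x_list)
    if challenges != beacon(rows, len(rows)):
        return False
    for row, c, resp in zip(rows, challenges, responses):
        if c == "W":
            _, perm, ts = resp
            if sorted(perm) != list(range(n)):
                return False
            if not all(verify_equivalence(x_list[perm[i]], row[i], ts[i]) for i in range(n)):
                return False
        else:
            _, opened = resp
            if any(commit(m, s) != y for (m, s), y in zip(opened, row)):
                return False
            if tally(m for m, _ in opened) != announced:
                return False
    return True


if __name__ == "__main__":
    votes = [ALICE, ALICE, BOB, ALICE]  # Ernie, Fay, Guy, Heidi (constructed)
    committed = [(commit(m, r), m, r) for m, r in zip(votes, [11, 22, 33, 44])]
    xs = [x for x, _, _ in committed]
    fake = [ALICE] * 4  # Drew would like to announce Alice 4, Bob 0
    print("honest:", verify_tally(xs, tally(votes), *prove_tally(committed, votes, 8)))
    print("fake tally, real rows:", verify_tally(xs, tally(fake), *prove_tally(committed, votes, 16)))
    print("fake tally, fake rows:", verify_tally(xs, tally(fake), *prove_tally(committed, fake, 16)))
```

A cheating Drew has exactly the two options the slide names: rows that copy the real votes fail every opened row against the false tally, and rows built from the votes he wishes he had fail every weighed row, so he survives only if all k beacon challenges happen to be of the one kind he prepared for.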

Page 36: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Using “Standard” Commitment

Is the equivalence proof necessary? Our new metaphor: Locks and Keys.

Assumptions: every key fits a single lock; every lock has only one key; no one can tell by just looking whether a key fits a lock.

Page 37: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Commitment with Locks and Keys

To commit to a message: privately lock the message using a key; put the key (or lock) on the table. The key only fits one lock.

To open the commitment, show the lock and open it.

Page 38: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Nested Commitments

We have an additional trick: commitment to a commitment. We can put a key on the lock instead of a message.

The locked key is a commitment to the commitment to the message.

Page 39: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Nested Commitments

We can open the “external” commitment without giving any information about the “internal”, or open the “internal” one without revealing the “external”.

Page 40: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Ernie Casts a Ballot

Ernie whispers his choice to Mr. Drew (“I like Alice”). Mr. Drew creates 2k double commitments to Ernie’s choice.

Mr. Drew now proves to Ernie that most of the commitments are correct. He uses a Zero Knowledge proof.

Page 41: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Ernie Casts a Ballot

Ernie chooses a random permutation (shown: 2 3 1 4). Drew rearranges keys and locks by this permutation.

Page 42: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Ernie Casts a Ballot

Drew reveals k of the internal commitments; he does not open the external commitments! Ernie makes k challenges (shown: Candidate 1, Connection 2).

Page 43: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Ernie Casts a Ballot

Drew responds to the challenges: opens the internal commitment (Candidate 1)...

Page 44: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Ernie Casts a Ballot

Drew responds to the challenges: opens the internal commitment (Candidate 1), or opens the external commitment (Connection 2).

Page 45: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Ernie Casts a Ballot: Proof Intuition

If a large fraction of Drew’s commitments are bad, then after shuffling a large fraction of bad commitments will be in the first k.

For each bad commitment: either Drew cannot open the internal commitment, or Drew cannot open the external commitment.

Drew cheats successfully with probability exponentially small in k.

Page 46: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Ernie Casts a Ballot: Zero Knowledge

If Drew knows Ernie’s challenge in advance, he creates “fake” internal commitments (shown: Candidate 1, Connection 2).

Page 47: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Ernie Casts a Ballot: Zero Knowledge

Drew can “prove” Ernie voted for Bob.

Page 48: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Ernie Casts a Ballot: Receipt Freeness

We use the same technique as previously: Ernie whispers his choice and a fake challenge (“I like Alice”). Drew “proves” that Ernie voted for Bob using the fake challenge, and that Ernie voted for Alice using a real challenge. The real and fake proofs are indistinguishable to everyone else.
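The locks-and-keys ballot proof of Pages 40–48, as an added worked example that is not code from the talk or from Moran and Naor. Each double commitment is a hash lock on a hash lock; after Ernie's permutation Drew shows the first k internal locks and, per position, either opens the internal lock to the candidate (Candidate) or opens the external lock to show it really holds that internal lock (Connection); the simulator builds the fake proof for the other candidate from a known challenge. The SHA-256 commitment, the 16-byte keys, the C/K challenge letters, the `bad_positions` parameter modelling a cheating Drew and all names are assumptions of the example. Note that a hash commitment is only computationally hiding; the talk's everlasting privacy needs a statistically hiding scheme, so this block illustrates the protocol flow rather than the privacy guarantee.

```python
# Added example, not code from the talk: the "locks and keys" ballot proof with
# nested hash commitments, Ernie's permutation, Candidate/Connection challenges,
# and the zero-knowledge simulator that makes the fake proof.
import hashlib
import secrets


def lock(message: bytes, key: bytes) -> bytes:
    """A lock only this key opens: anyone holding (message, key) can recompute it."""
    return hashlib.sha256(key + message).digest()


def double_commit(vote: str) -> dict:
    """Internal: lock the vote.  External: lock the internal lock.  Only 'outer' is published."""
    k1, k2 = secrets.token_bytes(16), secrets.token_bytes(16)
    inner = lock(vote.encode(), k1)
    return {"vote": vote, "k1": k1, "inner": inner, "k2": k2, "outer": lock(inner, k2)}


def prepare(vote: str, k: int, bad_positions=()) -> list:
    """Drew creates 2k double commitments to Ernie's vote.  A cheating Drew puts the other
    candidate at `bad_positions` (a constructed parameter for the demonstration)."""
    other = "Bob" if vote == "Alice" else "Alice"
    return [double_commit(other if i in bad_positions else vote) for i in range(2 * k)]


def permute(items: list, perm: list) -> list:
    """Ernie's random permutation, applied to keys and locks together."""
    return [items[i] for i in perm]


def respond(dcs: list, k: int, challenges: str) -> tuple:
    """Drew reveals the first k internal locks of the permuted list and answers each challenge:
    'C' (Candidate) opens the internal lock, 'K' (Connection) opens the external lock.
    The remaining k double commitments stay sealed and form Ernie's ballot."""
    shown = [d["inner"] for d in dcs[:k]]
    answers = [("C", d["vote"], d["k1"]) if c == "C" else ("K", d["k2"])
               for d, c in zip(dcs[:k], challenges)]
    return shown, answers


def simulate(dcs: list, k: int, challenges: str, claimed: str) -> tuple:
    """Zero-knowledge simulator: knowing the challenge in advance, Drew 'proves' a vote for
    `claimed` whatever the real vote is: a fresh fake internal lock wherever the Candidate
    will be checked, the real internal lock wherever the Connection will be."""
    shown, answers = [], []
    for d, c in zip(dcs[:k], challenges):
        if c == "C":
            key = secrets.token_bytes(16)
            shown.append(lock(claimed.encode(), key))
            answers.append(("C", claimed, key))
        else:
            shown.append(d["inner"])
            answers.append(("K", d["k2"]))
    return shown, answers


def verify(outers: list, shown: list, challenges: str, answers: list, claimed: str) -> bool:
    """The public check on the first k positions: a Candidate answer must open the shown
    internal lock to `claimed`; a Connection answer must open the published external lock
    to the shown internal lock.  A bad double commitment fails one of the two."""
    for outer, inner, c, ans in zip(outers, shown, challenges, answers):
        if c == "C":
            if ans[1] != claimed or lock(ans[1].encode(), ans[2]) != inner:
                return False
        elif lock(inner, ans[1]) != outer:
            return False
    return True


if __name__ == "__main__":
    k = 2
    dcs = permute(prepare("Alice", k), [2, 3, 1, 0])  # the slide shows the permutation 2 3 1 4
    outers = [d["outer"] for d in dcs]
    shown, answers = respond(dcs, k, "CK")
    print("real proof for Alice:", verify(outers, shown, "CK", answers, "Alice"))
    fake_shown, fake_answers = simulate(dcs, k, "KC", "Bob")
    print("fake proof for Bob:  ", verify(outers, fake_shown, "KC", fake_answers, "Bob"))
```

The fake proof passes the same `verify` as the real one, which is the receipt-freeness argument of this slide: a bystander holding both transcripts cannot tell which challenge Ernie chose freely. The cheating case is also visible: a position holding the wrong candidate is exposed by a Candidate challenge and survives a Connection challenge, so each bad commitment that lands in the first k is caught with probability one half.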

Page 49: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Counting the Votes

Drew reveals the tally: Alice: 3, Bob: 1 (voters: Ernie, Fay, Guy, Heidi).

Random beacon provides n permutations of 1,…,k (shown: Ernie: 1 2, Fay: 1 2, Guy: 2 1, Heidi: 2 1). Drew permutes the columns.

Page 50: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Counting the Votes

Drew chooses k random permutations of 1,…,n (shown: Row 1: 2 4 3 1; Row 2: 1 3 4 2). Drew permutes the rows (of internal commitments).

Page 51: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Counting the Votes

Drew reveals the permuted internal commitments (without opening any commitment). The random beacon issues k challenges (shown: Commits 1, Tally 2).

Page 52: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Counting the Votes

Drew responds: open the external commitments and show they match the originals (Commits)...

Page 53: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Counting the Votes

Drew responds: open the external commitments and show they match the originals (Commits), or open the internal commitments and show the tally matches (Tally).

Page 54: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Counting the Votes: Proof Intuition

Zero knowledge: viewers see either a random permutation of the tally (internal commitments can’t be connected to voters) or the opening of the external commitments (no information about votes).

Page 55: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Counting the Votes: Proof Intuition

Integrity: Drew can cheat in two ways.
- Use “bad” (new) external commitments: he will be caught if asked to open them.
- Use bad double commitments: ballot casting ensures a good majority in each column; columns are permuted after commitment, so with high probability some rows will not match.

Probability of successful cheating is exponentially small in k.

Page 56: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Summary and Open Questions

Summary: a Universally-Verifiable Receipt-Free voting scheme, based on commitment with equivalence testing, or based on generic non-interactive commitment.

Further work: prevent subliminal channels; can we split trust between multiple authorities? Do we really need an untappable channel? Better voting protocols?

Page 57: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Thank You!