A Secure and Optimally Efficient MultiAuthority Election Scheme - PowerPoint PPT Presentation

1 / 12
About This Presentation
Title:

A Secure and Optimally Efficient MultiAuthority Election Scheme

Description:

Appears in: Walter Funny (ed.) EUROCRYPT '97, LNCS 1233, pp. 103-118. Springer ... Given a message space M, and cipher ... M is the plain text or the vote ... – PowerPoint PPT presentation

Number of Views:97
Avg rating:3.0/5.0
Slides: 13
Provided by: ADE115
Category:

less

Transcript and Presenter's Notes

Title: A Secure and Optimally Efficient MultiAuthority Election Scheme


1
A Secure and Optimally Efficient Multi-Authority
Election Scheme Ronald Cramer, Rosario Gennaro,
Berry Schoenmakers Appears in Walter Funny
(ed.) EUROCRYPT '97, LNCS 1233, pp. 103-118.
Springer-Verlag Berlin Heidelberg 1997 Presented
by Adeel Hasan, hasa9053_at_cs
2
Criteria for Electronic Voting Mechanisms
  • Voter Privacy
  • Vote Non Duplication
  • Universal Verifiability
  • Protection against fraudulent authorities
  • Incoercible
  • Receipt-free
  • Feasibility of processing complexity

3
Summary
  • A bulletin board model is used for the submission
    of ballots.
  • A ballot consists of an encrypted vote and a
    zero-knowledge proof of its validity.
  • The mathematical properties of the encrypted vote
    allow calculating the tally of the votes without
    compromising privacy.
  • Votes are encrypted with the public key of
    authorities who share a private key under a
    threshold scheme.
  • Universal verifiability is achieved by examining
    the transcripts of the sessions posted
  • The scheme used is very efficient - the ballot
    size is small and the computations are
    straightforward
  • Except for receipt-freeness, meets all other
    criteria

4
The Bulletin Board Model
From digicash.com
  • A bulletin board is like a broadcast channel with
    memory to the extent that any party (including
    passive observers) can see the contents of it,
    and furthermore that each active participant can
    post messages by appending the message to her
    designated area. No party can erase anything from
    the bulletin board.
  • Communication with the bulletin board model can
    utilize a public key system already in place. For
    example, signatures can be used to authenticate
    user postings.
  • The intermediate and final results posted on the
    site implement universal verifiability

5
Homomorphic Encryption
Given a message space M, and cipher space C. M
is a group under operation ? C is a group under
operation ? E is a homomorphic encryption scheme
if given c1 Er1( m1 ) and c2Er2( m2 ), there
exists an r such that c1 ? c2 Er( m1 ? m2
) Therefore given c1...cn single vote
encryptions, the tally can be calculated as c
c1 ? c2 ? c3 ... ? cn The ElGamal encryption
scheme satisfies these conditions.
6
Diffie Hellman Key Exchange
Alice and Bob agree on a large prime n , and g,
such that g is primitive mod n
Alice choose a random large integer x Sends over
X g x mod n Alice computes k Yx mod n
gyx mod n
Bob chooses a random large integer y Sends over
Y g y mod n Bob computes k X y mod n
gxy mod n
Anybody listening in would have to solve a
discrete logarithm to know x or y. Imagine that
Alice is the Voter, and Bob is the
Authority. Alice sends over ( X , hx M mod n )
to Bob, where h gy mod n, and y is the secret
held by Bob, and h is public M is the plain text
or the vote Bob can decrypt by making use of
(gy)x M Xy M ? M (hx M mod n ) / Xy
7
ElGamal Encryption
p is a large prime, and g public The private key is x and is a random
number. The public key y is computed as y gx
mod p To encrypt M, choose a random k such that
k is relatively prime to p - 1. a gk mod p b
yk M mod p The pair ( a, b ) is the cipher
text. To decrypt, compute M b / ax
8
ElGamal Encryption in Voting Scheme
  • p and g and a generator G are public
  • The private key s is a secret shared by the
    authorities
  • h is the public key, h gs mod p
  • a is a value chosen by the voter when encrypting
    the vote
  • Ballot is an encryption of the form
  • ( x, y ) ( ga , haGm ) for m ? 1,-1
  • The product ( x1x2, y1y2 ) is an encryption of (
    Gm1 m2 )

9
Zero Knowledge Proof for Vote Validity
Proof of knowledge for loggx loghya
Verifier c of Zq Verify gr axc ( gwac
gw.gac ) Verify hr byc ( hwac hw.hac )
Prover ( x , y ) ( ga , ha ) w of Zq ( a ,
b ) ( gw, hw ) r w ac
a,b
c
r
  • a,b,c the encryption (x,y) are posted on
    bulletin board. The challenge c is computed to be
    voter specific to prevent vote duplication. So
    for voter Vi , ci H (IDi, a, b, x, y).
  • For Yes-No votes, two pairs of a and b are posted
    to prove that the vote could be either way

10
Threshold Key-Sharing Scheme
  • Use Pedersens scheme a combination of ElGamal
    and the (t,n)-threshold scheme by Shamir.
  • Each Authority has a share sj of a secret s which
    can be reconstructed by the cooperation of t
    number of participants.
  • The public key h gs is made public to all
    participants. Authorities are committed to these
    shares as the values hj gsj are made public
  • To decrypt an encrypted vote of the form ( x, y )
    ( ga, ham ) without explicit re-construction,
    of the secret s,
  • 1. Each Authority broadcasts wj xsj and proves
    in zero knowledge that logghj logxwj
  • 2. Plain text is recovered as m y / ( product
    of shares )

11
Main Steps of the Protocol
  • Voter Vi posts a ballot ( xi, yi ) and a validity
    proof
  • When the deadline is reached, the proofs of
    validity are checked by the authorities and the
    product ( X , Y ) ( ? xi , ? yi) is formed.
  • The authorities jointly decrypt ( X , Y ) to
    obtain W Y / Xs
  • W GT and T logGW, where T is the difference
    between the yes-votes and no-votes, -l and G is the fixed generator used in
    encrypting the votes
  • Since the number of voters is small, T can be
    computed by O(l) by iteratively generating G-l ,
    G-l1,until W is found.
  • Universally verifiable since any party can
    compute T

12
References
Digicash Web Site http//www.digicash.com/news/a
rchive/voting.html Cramer, Ronald, Rosario
Gennaro, Berry Schoenmakers, A Secure and
Optimally Efficient Multi-Authority Election
Scheme, Appears in Walter Funny (ed.) EUROCRYPT
'97, LNCS 1233, pp. 103-118. Springer-Verlag
Berlin Heidelberg 1997 download from
http//www.digicash.com/news/archive/voting.html
Schneir, Bruce, Applied Cryptography, Second
Edition, Wiley 1996 Radwin, Michael J, An
untraceable, universally verifiable voting
scheme. Download from http//www.radwin.org/mic
hael/projects/voting.html Pedersen, T. P.
Distributed Provers and Verifiable Secret
Sharing Based on the Discrete Logarithm Problem.
PhD thesis, Aarhus University, Computer Science
Department, Aarhus, Denmark, March 1992.
Write a Comment
User Comments (0)
About PowerShow.com