Receipt-Free Universally-Verifiable Voting With Everlasting Privacy - PowerPoint PPT Presentation

1 / 57

About This Presentation

Title:

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Description:

Mr. Drew needs to prove to Ernie. that the box contains 20g. If he opens the box, ... It should weigh the same as the 'Ernie' box. Asks Mr. Drew to open the box ... – PowerPoint PPT presentation

Number of Views:40

Avg rating:3.0/5.0

Slides: 58

Provided by: talm

Learn more at: http://www.cs.princeton.edu

Category:

more less

Transcript and Presenter's Notes

Title: Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

1
Receipt-FreeUniversally-Verifiable Voting With
Everlasting Privacy

Tal Moran
Joint work with Moni Naor

2
Outline of Talk

Motivation for Cryptographic Voting
Flavors of Privacy (and why we care)
Cryptographic Voting Scheme based on commitment
with equivalence proof
Well use physical metaphors and a simplified
model

3
Voting The Challenge

Requirements based on democratic principles
Outcome should reflect the peoples will
Fairness
One person, one vote
Privacy
Not a principle in itselfrequired for fairness
Cast-as-intended
Counted-as-cast

Additional requirements Authorization,
Availability
4
A Very Brief History of Voting

Ancient Greece (5th century BCE)
Paper Ballots
Rome 2nd century BCE(Papyrus)
USA 17th century
Secret Ballots (19th century)
The Australian Ballot
Lever Machines
Optical Scan (20th century)
Direct Recording Electronic(DRE)

5
The Case for Cryptographic Voting

Elections dont just name the winnermust
convince the loser they lost!
Elections need to be verifiable
Counting in public
Completely verifiable
But no vote privacy
Using cryptography , we can get both!

6
Voting with Mix-Nets

Idea due to David Chaum (1981)
Multiple Election Authorities
Assume at least one is honest
Each voter creates Onion Ballot
Authorities decrypt and shuffle
No Authority knows all permutations
Authorities can publish proof of shuffle

No
Yes
No
No
7
How Private is Private?

Intuition No one can tell how you voted
This is not always possible
Best we can hope for
As good as the ideal vote counter

i1
i2
in

v1
v2
vn
Tally
8
Privacy and Coercion

Vote privacy is essential to prevent coercion
Computational privacy holds only as long as its
underlying assumptions
Almost all universally verifiable voting schemes
rely on public-key encryption
Belief in privacy violation isenough for
coercion!

Existing public-key schemes with current key
lengths are likely to be broken in less than 30
years! RSA conference 06
9
Privacy is not Enough!

Voter can sell vote by disclosing randomness
Example Italian Village Elections
System allows listing candidatesin any order
Bosses gave a different permutation ofapproved
candidates to each voter
They could check which permutationsdidnt appear
Need Receipt-FreenessBenalohTuinstra 1994

10
Who can you trust to encrypt?

Public-key encryption requires computers
Voting at home
Coercer can sit next to you
Voting in a polling booth
Can you trust the polling computer?
Verification should be possible for a human!
Receipt-freeness and privacy are also affected.

11
A New Breed of Voting Protocols

Chaum introduced first human-verifiable
protocol in 2004
Traditional Polling-place setting
Next a hidden-order based protocol
Receipt-free
Universally verifiable
Everlasting Privacy

12
Our Contributions
First Universally Verifiable Voting SchemeBased
on General Assumptions

First Universally Verifiable Scheme based
onGeneral Assumption
Previous schemes required special
properties(e.g. a homomorphic encryption scheme)
Our scheme can be based on any non-interactive
commitment
First Receipt-Free Voting Scheme withEverlasting
Privacy
Uses statistically hiding commitment instead of
encryption
Formal definition of Receipt-Freeness
Proof of security (integrity) in UC model
Security against arbitrary coalitions for free

First Receipt-Free Voting Scheme withEverlasting
Privacy
13
Alice and Bob for Class President

Cory the Coercer wants to rig the election
He can intimidate all the students
Only Mr. Drew is not afraid of Cory
Everybody trusts Mr. Drew to keep secrets
Unfortunately, Mr. Drew also wants to rig the
election
Luckily, he doesn't stoop to blackmail
Sadly, all the students suffer severe RSI
They can't use their hands at all
Mr. Drew will have to cast their ballots for them

14
Commitment with Equivalence Proof

We use a 20g weight for Alice...
...and a 10g weight for Bob
Using a scale, we can tell if two votes are
identical
Even if the weights are hidden in a box!
The only actions we allow are
Open a box
Compare two boxes

15
Additional Requirements

An untappable channel
Students can whisper in Mr. Drew's ear
Commitments are secret
Mr. Drew can put weights in the boxes privately
Everything else is public
Entire class can see all of Mr. Drews actions
They can hear anything that isnt whispered
The whole show is recorded on video (external
auditors)

Im whispering
16
Ernie Casts a Ballot

Ernie whispers his choice to Mr. Drew

I like Alice
17
Ernie Casts a Ballot

Mr. Drew puts a box on the scale
Mr. Drew needs to prove to Ernie that the box
contains 20g
If he opens the box, everyone else will see what
Ernie voted for!
Mr. Drew uses a Zero Knowledge Proof

Ernie
18
Ernie Casts a Ballot
Ernie Casts a Ballot

Mr. Drew puts k (3) proof boxes on the table
Each box should contain a 20g weight
Once the boxes are on the table, Mr. Drew is
committed to their contents

Ernie
19
Ernie Casts a Ballot
Weigh 1Open 2Open 3

Ernie challenges Mr. Drew For each box, Ernie
flips a coin and either
Asks Mr. Drew to put the box on the scale (prove
equivalence)
It should weigh the same as the Ernie box
Asks Mr. Drew to open the box
It should contain a 20g weight

20
Ernie Casts a Ballot
Open 1Weigh 2Open 3

If the Ernie box doesnt contain a 20g weight,
every proof box
Either doesnt contain a 20g weight
Or doesnt weight the same as theErnie box
Mr. Drew can fool Ernie with probability at most
2-k

Ernie
21
Ernie Casts a Ballot

Why is this Zero Knowledge?
When Ernie whispers to Mr. Drew,he can tell Mr.
Drew what hischallenge will be.
Mr. Drew can put 20g weights in the boxes he will
open, and 10g weights in the boxes he weighs

I like Bob
Open 1Weigh 2Weigh 3
22
Ernie Casts a Ballot Full Protocol

Ernie whispers his choice and a fake challenge
to Mr. Drew
Mr. Drew puts a box on the scale
it should contain a 20g weight
Mr. Drew puts k Alice proof boxesand k Bob
proof boxes on the table
Bob boxes contain 10g or 20g weights according to
the fake challenge

I like Alice
Open 1Weigh 2Weigh 3
23
Ernie Casts a Ballot Full Protocol
Open 1Open 2Weigh 3

Ernie shouts the Alice (real) challenge and the
Bob (fake) challenge
Drew responds to the challenges
No matter who Ernie voted for,The protocol looks
exactly the same!

Open 1Weigh 2Weigh 3
24
Implementing Boxes and Scales

We can use Pedersen commitment
G a cyclic (abelian) group of prime order p
g,h generators of G
No one should know loggh
To commit to m2Zp
Choose random r2Zp
Send xgmhr
Statistically Hiding
For any m, x is uniformly distributed in G
Computationally Binding
If we can find m?m and r such that gmhrx
then
gm-mhr-r?1, so we can compute
loggh(r-r)/(m-m)

25
Implementing Boxes and Scales

To prove equivalence of xgmhr and ygmhs
Prover sends tr-s
Verifier checks that yhtx

g
h
g
h
tr-s
26
A Real System
Hello Ernie, Welcome to VoteMaster
Please choose your candidate
Alice
Bob
1 Receipt for Ernie 2 o63ZJVxC91rN0uRv/DtgXxhlUY
3 - Challenges - 4 Alice 5 Sn0w 619- ziggy
p3 6 Bob 7 l4st phone et spla 8 - Response -
9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ 0 Certified

27
A Real System
Hello Ernie, You are voting for Alice
Please enter a fake challenge for Bob
Alice
l4st phone et spla
Bob
Continue
1 Receipt for Ernie 2 o63ZJVxC91rN0uRv/DtgXxhlUY
3 - Challenges - 4 Alice 5 Sn0w 619- ziggy
p3 6 Bob 7 l4st phone et spla 8 - Response -
9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ 0 Certified

28
A Real System
Hello Ernie, You are voting for Alice
Make sure the printer has output twolines (the
second line will be covered)Now enter the real
challenge for Alice
Alice
Sn0w 619- ziggy p3
l4st phone et spla
Bob
Continue
1 Receipt for Ernie 2 o63ZJVxC91rN0uRv/DtgXxhlUY
3 - Challenges - 4 Alice 5 Sn0w 619- ziggy
p3 6 Bob 7 l4st phone et spla 8 - Response -
9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ 0 Certified

29
A Real System
Hello Ernie, You are voting for Alice
Please verify that the printed challengesmatch
those you entered.
Alice
Sn0w 619- ziggy p3
l4st phone et spla
Bob
Finalize Vote
1 Receipt for Ernie 2 o63ZJVxC91rN0uRv/DtgXxhlUY
3 - Challenges - 4 Alice 5 Sn0w 619- ziggy
p3 6 Bob 7 l4st phone et spla 8 - Response -
9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ 0 Certified

30
A Real System
Hello Ernie, Thank you for voting
Please take your receipt
1 Receipt for Ernie 2 o63ZJVxC91rN0uRv/DtgXxhlUY
3 - Challenges - 4 Alice 5 Sn0w 619- ziggy
p3 6 Bob 7 l4st phone et spla 8 - Response -
9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ 0 Certified
12
31
Counting the Votes

Mr. Drew announces the final tally
Mr. Drew must prove the tally correct
Without revealing who voted for what!
Recall Mr. Drew is committed toeveryones votes

Alice 3Bob 1
32
Counting the Votes
Weigh WeighOpen

Mr. Drew puts k rows ofnew boxes on the table
Each row should contain the same votes in a
random order
A random beacon gives k challenges
Everyone trusts that Mr. Drewcannot anticipate
thechallenges

Alice 3Bob 1
33
Counting the Votes
Weigh WeighOpen

For each challenge
Mr. Drew proves that the row contains a
permutation of the real votes

Alice 3Bob 1
34
Counting the Votes
Weigh WeighOpen

For each challenge
Mr. Drew proves that the row contains a
permutation of the real votes
Or
Mr. Drew opens the boxes andshows they match the
tally

Alice 3Bob 1
Fay
35
Counting the Votes
Weigh WeighOpen

If Mr. Drews tally is bad
The new boxes dont matchthe tally
Or
They are not a permutationof the committed votes
Drew succeeds with prob.at most 2-k

Alice 3Bob 1
Fay
36
Counting the Votes
Weigh WeighOpen

This prototocol does notreveal information
aboutspecific votes
No box is both opened andweighed
The opened boxes are ina random order

Alice 3Bob 1
Fay
37
Using Standard Commitment

Is the equivalence proof necessary?
Our new metaphor Locks and Keys
Assumptions
Every key fits a single lock
Every lock has only one key
No one can tell by just looking whether a key
fits a lock

38
Commitment with Locks and Keys

To commit to a message
Privately lock the message using a key
Put the key (or lock) on the table
The key only fits one lock
To open the commitment, show the lock and open it

39
Nested Commitments

We have an additional trick
Commitment to a commitment
We can put a key on the lock instead of a message
The locked key is a commitment to the commitment
to the message

40
Nested Commitments

We can open the external commitment without
giving any information about the internal
Or open the internal one without revealing the
external

41
Ernie Casts a Ballot

Ernie whispers his choice to Mr. Drew
Mr. Drew creates 2k doublecommitments to Ernies
choice
Mr. Drew now proves to Ernie thatmost of the
commitments are correct
He uses a Zero Knowledge proof

I like Alice
42
Ernie Casts a Ballot

Ernie chooses a random permutation
Drew rearranges keysand locks by this permutation

2314
43
Ernie Casts a Ballot

Drew reveals k of the internalcommitments
Does not open external commitments!
Ernie makes k challenges

Candidate 1Connection 2
44
Ernie Casts a Ballot

Drew responds to challenges
Opens internal commitment

Candidate 1Connection 2
45
Ernie Casts a Ballot

Drew responds to challenges
Opens internal commitment
Or
Opens external commitment

Candidate 1Connection 2
46
Ernie Casts a Ballot Proof Intuition

If a large fraction of Drews commitments are bad
After shuffling, a large fraction of bad
commitments will be in the first k
For each bad commitment
Either Drew cannot open internal commitment
Or
Drew cannot open external commitment
Drew cheats successfully with prob. exponentially
small in k

47
Ernie Casts a Ballot Zero Knowledge

If Drew knows Ernies challengein advance
He creates fakeinternal commitments

Candidate 1Connection 2
Private
48
Ernie Casts a Ballot Zero Knowledge

Drew can prove Ernievoted for Bob

Candidate 1Connection 2
Private
49
Ernie Casts a Ballot Receipt Freeness

We use the same technique as previously
Ernie whispers his choiceand a fake challenge
Drew proves that Ernievoted for Bob using the
fake challenge
And that Ernie voted for Alice usinga real
challenge
The real and fake proofs are indistinguishable
to everyone else

I like Alice
Candidate 1Candidate 2
50
Counting the Votes
Alice 3Bob 1

Drew reveals the tally
Random beacon providesn permutations of 1,,k
Drew permutes the columns

Ernie 12 Fay 12Guy 21Heidi 21
Ernie
Fay
Guy
Heidi
Ernie
Fay
Guy
Heidi
51
Counting the Votes

Drew chooses k randompermutations of 1,,n
Drew permutes the rows(of internal commitments)

Row1 2431Row2 1342
52
Counting the Votes
Commits 1Tally 2

Drew reveals the permuted internal
commitments(without opening any commitment)
The random beacon issues k challenges

Guy
Heidi
Ernie
Fay
Ernie
Fay
Guy
Heidi
53
Counting the Votes
Commits 1Tally 2

Drew responds
Open external commitments and show they match
the originals

Guy
Heidi
Ernie
Fay
Ernie
Fay
Guy
Heidi
54
Counting the Votes
Commits 1Tally 2

Drew responds
Open external commitments and show they match
the originals
or
Open internal commitmentsand show the tally
matches

Guy
Heidi
Ernie
Fay
Ernie
Fay
Guy
Heidi
55
Counting the Votes Proof Intuition

Zero Knowledge
Viewers see either random permutation of tally
Internal Commitments cant be connected to voters
Or opening of external commitments
No information about votes

56
Counting the Votes Proof Intuition

Integrity Drew can cheat in two ways
Use bad (new) external commitments
Will be caught if asked to open them
Use bad double commitments
Ballot casting ensures a good majority in each
column
Columns are permuted after commitment with high
probability some rows will not match
Probability of successful cheating is
exponentially small in k