Practical Electronic Voting Schemes - PowerPoint PPT Presentation

About This Presentation
Title:

Practical Electronic Voting Schemes

Description:

Title: PowerPoint Presentation Author: Helle Sandmann Last modified by: Peter Landrock Created Date: 8/8/2002 12:36:24 PM Document presentation format – PowerPoint PPT presentation

Number of Views:240
Avg rating:3.0/5.0
Slides: 30
Provided by: HelleSa8
Category:

less

Transcript and Presenter's Notes

Title: Practical Electronic Voting Schemes


1
Practical Electronic Voting Schemes
  • Peter Landrock
  • ECC, Copenhagen 2005

2
The company
  • Software house
  • Established in 1986
  • Spin-off from
  • University of Aarhus
  • World-Class Cryptographers
  • - Vincent Rijmen, Ivan Damgaard

Cryptomathic provides secure electronic solutions
for web-banking, card issuing and advanced key
management with almost 20 years of experience.
3
Innovation beyond competiton
  • World Economic Forum
  • Nominated as one of the most innovative
  • companies in Europe at Davos 2003

4
Company Ownership
5
Office Locations
Aarhus, DK Head Quarter R D
Cambridge, UK UK USA
Copenhagen, DK Scandinavia
Leuven, BE Benelux
Amaro, IT ECEO - Partner
Munich, DE Central Europe
6
Products and Offerings
  • Products
  • Custom Solutions
  • Professional Services

7
Selected Products
8
The Switch from Manual Elections
  • General idea behind Electronic Voting
  • like manual voting - only much faster and
    cheaper, but
  • is the voter able to verify that what he enters
    is actually what is recorded?
  • can official monitoring verify that one vote is
    recorded correctly for each voter?
  • can we trust the counting process?
  • and
  • is it socially acceptable?
  • Well, lets start with the requirements

9
Requirements for an e-Voting Scheme
  • Privacy
  • only the final result is made public, no
    additional information about votes will leak.
  • Robustness
  • the result reflects all submitted and well-formed
    ballots correctly, even if some voters and/or
    possibly some of the entities running the
    election cheat.
  • Universal verifiability
  • after the election, the result can be verified by
    anyone.

10
How to meet these requirements?
  • we obviously need cryptographic techniques
  • but tamper resistant devices as well
  • and we need to provide
  • appropriate protocols and mechanisms to meet
    these requirements
  • which we will be discussing
  • digital signatures to identify voters

11
Specification
  • This does NOT imply that we need an independent
    X.509 PKI system in place
  • But we will assume we have an existing
    registration scheme in place
  • otherwise there is no democracy in the first
    place!
  • so we can send something out to a voter by mail,
    like a PIN-mailer
  • which he may use for electronic registration
  • at which stage a public key pair is generated for
    his use, and the private key is stored securely
    in a central server
  • all using HSMs
  • the private key never leaves the HSM controlled
    environment

12
Specification
  • This registration could take place
  • at home from the voters own work station
  • or at a polling station
  • where he presents a fairly traditional voting
    card received in the mail for proper
    identification and counting
  • and uses an additional small slip with a PIN or
    similar to vote, as in the vote home scenario
  • using the PIN for identification

13
Counting votes
  • is easy in binary
  • Example
  • 5 candidates, 128 voters
  • 40 bits voting ballot
  • Candidate A 00000000...................00000001
  • Candidate B 00000000.....0000000100000000
  • ...
  • Candidate E 000000010............................
    ..0
  • The sum of the votes reveales how many votes each
    candidate obtained

14
Counting the votes
  • Let alone the issues of anonymity etc.,
  • adding up votes electronic could be virtually
    instant
  • In order to meet some of all our requirements, it
    would be extremely useful with the following
    property
  • Given any two votes, m1 and m2, and their
    encryption, P(m1), P(m2), assume
  • P(m1)P(m2) P(m1m2),
  • even better, if we can randomise to anonymise
    using individual random numbers ri for each vote,
    and we have the property
  • P(m1,r1)P(m2,r2) P(m1m2,R)
  • for some number R, then

15
e-Voting
  • we call P(.,.) a homomophic public key if
  • for any set of votes, there always exist some R
    (which will vary with the votes) with
  • ?P(xi,ri) P(?xi,R)
  • Now we have it (if such a function exist)!
  • the voter
  • cast his electronic vote x
  • the application
  • chooses a random number r and calculate P(x,r)
  • signs and forwards SA(P(x,r))
  • the authenticating server
  • verifies the signature and forwards P(x,r) for
    counting
  • the counting server
  • calculates ?P(xi,ri) P(?xi,R) and descrypts to
    recover ?xi, while R is discharged
  • the result is available less than 1 minute after
    the closing of the polling stations

16
Another cryptographic tool
  • zero-knowledge
  • it is actually possible to verify that a vote is
    the encryption of a correctly filled ballot
  • without revealing anything else about the vote!
  • this means that a votes cannot successfully
    include more than one legal vote in his ballot
  • this involves commitment schemes
  • but it is quite likely that politicians dont buy
    it ?

17
Ingenious!?
  • if EVERYBODY votes electronically, yes
  • but the choice is political
  • it could save some embarrassment, though, here
    and there ?
  • Applications in the near future
  • closed groups of users who already communicate
    together electronically
  • e.g. organisations as IEEE
  • stock holders in large companies (e.g. IBM)
  • Anyway, lets see how it works

18
homomorphic encryption
  • We start with an ElGamal encryption scheme
  • Let E be an elliptic curve, P a generator of a
    large cyclic group of prime order
  • Let Q xP be a public key, where x is the
    private key
  • Represent a message m by the point M in E and
    encrypt as (rPMrQ)
  • Decryption of a ciphertext (UV) takes place by
    computing (xU,V-xU)
  • This system is semantically secure under the
    generalized DH assumptiono far so good

19
homomorphic encryption
  • We now need to combine this idea with the vary
    basic naïve counting method we described earlier
  • Example
  • assume there are s candidates and less than t
    voters
  • Choose a point B such that the order of B is at
    least ts
  • Let candidate j be represented by the point tj-1B
  • this means that any ballot vote to be encrypted
    is of the form tj-1B, j 1,2,,s
  • the sum of all the votes will be equal to
  • M t1Bt2tB..tsts-1B (S tjtj-1)B, where tj is
    the number of votes for candidate j

20
homomorphic encryption
  • So given M (t1t2t..tsts-1)B,
  • how do we find t1, t2,..,ts?
  • By solving the discrete log problem!
  • Well!? ? ?
  • This is easily done by choosing B wisely for most
    schemes
  • example Suppose t 32 mill lt225 and s2
  • then the order of B is bounded by 250.

21
Some references
  • R.Cramer, R.Gennaro, B.Schoenmakers
  • A Secure and Optimally Efficient Multi-Authority
    Election Scheme,
  • Proceedings of EuroCrypt 97,
  • I. DamgÃ¥rd and M. Jurik
  • A Generalisation, a Simplification and some
    Applications of Paillier's Probabilistic
    Public-Key System
  • Proc. of Public Key Cryptography 2001
  • P.Pallier
  • Public-Key Cryptosystems based on Composite
    Degree Residue Classes,
  • Proceedings of EuroCrypt 99,
  • I. DamgÃ¥rd, J. Groth and G. Salomonsen
  • The Theory and Implementation of an Electronic
    Voting System
  • Secure Electronic Voting, Advances in Information
    Security, Vol. 7 Gritzalis, Dimitris (Ed.)

22
Voting using HSMs/SMS
(1) User logs on to vote
(2) e-Vote web server requests user to vote
(3) Key-server request one-time SMS
(5) Initiate vote and sign
(4) Auth-server forwards one-time SMS to
User and Key-Server
Back-end
Key Server
User
HSM
e-Vote Web server
Authenticator Server
HSM
23
Voting using HSMs/Tokens,..
(5) User initiate Voting and signing
  • User logs on to e-Vote WS
  • generating one-time PW

(3) Key Server request verification of
one-time PW
(2) e-Vote web server request user to vote
(4) Authenticator verifies one-time PW
Back-end
Key Server
User
HSM
e-Vote Web server
Authenticator Server
HSM
24
Using tamper resistant HSMs
  • is an alternative to e.g. using
  • zero-knowledge techniques
  • mix-nets
  • the HSM will only allow legal votes before it
    signs on behalf of the voter
  • By using independent servers for
  • user authentication
  • signing and voting
  • we can effectively prevent all fraud

25
Detecting cheating
  • If citizens vote at polling stations
  • all this could be combined with a touch screen
    for voting
  • printing a ballot for traditional voting
  • for all or a small randomly chosen sample
  • and an electronic vote as just described
  • Samples could then be matched with the
    corresponding electronic votes
  • and basic statistics would tell us how many we
    need to check for an acceptable confidence level
  • Consider an example

26
Detecting cheating
  • By having ballots printed voters are provided
    with the service that
  • they can see what they have voted on paper, and
    they have the same level of certainty as at a
    manual election,
  • their vote will count, provided that a manual
    recount actually takes place.
  • Almost no information is gained by checking a few
    votes in a district. The only action that makes
    sense is to make total recounts in a selection of
    districts.
  • However, if say a manual recount takes place in
    10 of the districts, this gives a 10 chance of
    catching the manipulation of votes in a
    particular district for a particular election.

27
Detecting cheating
  • Consequently quite comprehensive recounting is
    necessary in order to ensure that the mechanism
    works as intended
  • not only by revealing attempted frauds, but also
    by preventing attempts of fraud from happening by
    acting as a deterrent.
  • Our approach here allows the following core
    properties
  • Electronic votes may contain encrypted
    information identifying the election district and
    the manual vote.
  • The electronic votes are detached from the
    identities of the voters and then decrypted.
  • We can pick a random sample of all the electronic
    votes of an arbitrary size.
  • Say that we want to ensure with 99 probability
    that at most 1 of the electronic votes are
    tampered with, i.e. contain different choices
    than the ones entered by the voters.
  • Then we pick 459 random electronic votes. For
    each of those, if at least 1 of the electronic
    votes contain different choices than the
    corresponding manual votes, it has less than a
    99 chance of passing the test of being compared
    to the corresponding manual vote.
  • Consequently there is a probability of less than
    0.99459 0.009921 that all of them pass the test.

28
Detecting cheating
  • For the ultimate case,
  • a general election in the US say,
  • by manipulating 459 votes out of maybe 100
    million votes and causing the rather simple
    procedure to happen in 459 randomly chosen
    election districts, you actually get quite
    confident that no large scale fraud takes place
    with the electronic votes
  • had this been implemented in 2000, the world
    migth have looked different.

29
Conclusion
  • We have described practical voting schemes
  • which have been tested in pilots
  • They require instant key generation upon
    registration
  • without requiring PKI in place
  • which for million of voters would be
  • practically impossible using RSA
  • quite trivial using ECC
  • and we can make it as secure as we want
  • at low cost
Write a Comment
User Comments (0)
About PowerShow.com