Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

1
Receipt-Free Universally-Verifiable Voting With
Everlasting Privacy
  • Tal Moran
  • Joint work with Moni Naor

2
Outline of Talk
  • Motivation for Cryptographic Voting
  • Flavors of Privacy (and why we care)
  • Cryptographic Voting Scheme based on commitment
    with equivalence proof
  • We'll use physical metaphors and a simplified
    model

3
Voting: The Challenge
  • Requirements based on democratic principles
  • Outcome should reflect the people's will
  • Fairness
  • One person, one vote
  • Privacy
  • Not a principle in itself; required for fairness
  • Cast-as-intended
  • Counted-as-cast

Additional requirements: Authorization,
Availability
4
A Very Brief History of Voting
  • Ancient Greece (5th century BCE)
  • Paper Ballots
  • Rome, 2nd century BCE (Papyrus)
  • USA 17th century
  • Secret Ballots (19th century)
  • The Australian Ballot
  • Lever Machines
  • Optical Scan (20th century)
  • Direct Recording Electronic (DRE)

5
The Case for Cryptographic Voting
  • Elections don't just name the winner; they must
    convince the loser they lost!
  • Elections need to be verifiable
  • Counting in public
  • Completely verifiable
  • But no vote privacy
  • Using cryptography, we can get both!

6
Voting with Mix-Nets
  • Idea due to David Chaum (1981)
  • Multiple Election Authorities
  • Assume at least one is honest
  • Each voter creates Onion Ballot
  • Authorities decrypt and shuffle
  • No Authority knows all permutations
  • Authorities can publish proof of shuffle

[Figure labels: No, Yes, No, No]
7
How Private is Private?
  • Intuition: No one can tell how you voted
  • This is not always possible
  • Best we can hope for:
  • As good as the ideal vote counter

[Figure: voters i1, i2, ..., in; votes v1, v2, ..., vn; Tally]
8
Privacy and Coercion
  • Vote privacy is essential to prevent coercion
  • Computational privacy holds only as long as its
    underlying assumptions
  • Almost all universally verifiable voting schemes
    rely on public-key encryption
  • Belief in privacy violation is enough for
    coercion!

Existing public-key schemes with current key
lengths are likely to be broken in less than 30
years! [RSA Conference '06]
9
Privacy is not Enough!
  • Voter can sell vote by disclosing randomness
  • Example: Italian Village Elections
  • System allows listing candidates in any order
  • Bosses gave a different permutation of approved
    candidates to each voter
  • They could check which permutations didn't appear
  • Need Receipt-Freeness [Benaloh, Tuinstra 1994]

10
Who can you trust to encrypt?
  • Public-key encryption requires computers
  • Voting at home
  • Coercer can sit next to you
  • Voting in a polling booth
  • Can you trust the polling computer?
  • Verification should be possible for a human!
  • Receipt-freeness and privacy are also affected.

11
A New Breed of Voting Protocols
  • Chaum introduced first human-verifiable
    protocol in 2004
  • Traditional Polling-place setting
  • Next a hidden-order based protocol
  • Receipt-free
  • Universally verifiable
  • Everlasting Privacy

12
Our Contributions
  • First Universally Verifiable Voting Scheme Based
    on General Assumptions
  • Previous schemes required special
    properties (e.g. a homomorphic encryption scheme)
  • Our scheme can be based on any non-interactive
    commitment
  • First Receipt-Free Voting Scheme with Everlasting
    Privacy
  • Uses statistically hiding commitment instead of
    encryption
  • Formal definition of Receipt-Freeness
  • Proof of security (integrity) in UC model
  • Security against arbitrary coalitions for free

13
Alice and Bob for Class President
  • Cory the Coercer wants to rig the election
  • He can intimidate all the students
  • Only Mr. Drew is not afraid of Cory
  • Everybody trusts Mr. Drew to keep secrets
  • Unfortunately, Mr. Drew also wants to rig the
    election
  • Luckily, he doesn't stoop to blackmail
  • Sadly, all the students suffer severe RSI
  • They can't use their hands at all
  • Mr. Drew will have to cast their ballots for them

14
Commitment with Equivalence Proof
  • We use a 20g weight for Alice...
  • ...and a 10g weight for Bob
  • Using a scale, we can tell if two votes are
    identical
  • Even if the weights are hidden in a box!
  • The only actions we allow are
  • Open a box
  • Compare two boxes

15
Additional Requirements
  • An untappable channel
  • Students can whisper in Mr. Drew's ear
  • Commitments are secret
  • Mr. Drew can put weights in the boxes privately
  • Everything else is public
  • Entire class can see all of Mr. Drew's actions
  • They can hear anything that isn't whispered
  • The whole show is recorded on video (external
    auditors)

I'm whispering
16
Ernie Casts a Ballot
  • Ernie whispers his choice to Mr. Drew

I like Alice
17
Ernie Casts a Ballot
  • Mr. Drew puts a box on the scale
  • Mr. Drew needs to prove to Ernie that the box
    contains 20g
  • If he opens the box, everyone else will see what
    Ernie voted for!
  • Mr. Drew uses a Zero Knowledge Proof

Ernie
18
Ernie Casts a Ballot
  • Mr. Drew puts k (3) proof boxes on the table
  • Each box should contain a 20g weight
  • Once the boxes are on the table, Mr. Drew is
    committed to their contents

Ernie
19
Ernie Casts a Ballot
Weigh 1, Open 2, Open 3
  • Ernie challenges Mr. Drew: for each box, Ernie
    flips a coin and either
  • Asks Mr. Drew to put the box on the scale (prove
    equivalence)
  • It should weigh the same as the Ernie box
  • Asks Mr. Drew to open the box
  • It should contain a 20g weight

20
Ernie Casts a Ballot
Open 1, Weigh 2, Open 3
  • If the Ernie box doesn't contain a 20g weight,
    every proof box
  • Either doesn't contain a 20g weight
  • Or doesn't weigh the same as the Ernie box
  • Mr. Drew can fool Ernie with probability at most
    $2^{-k}$

Ernie
21
Ernie Casts a Ballot
  • Why is this Zero Knowledge?
  • When Ernie whispers to Mr. Drew, he can tell Mr.
    Drew what his challenge will be.
  • Mr. Drew can put 20g weights in the boxes he will
    open, and 10g weights in the boxes he weighs

I like Bob
Open 1, Weigh 2, Weigh 3
22
Ernie Casts a Ballot: Full Protocol
  • Ernie whispers his choice and a fake challenge
    to Mr. Drew
  • Mr. Drew puts a box on the scale
  • It should contain a 20g weight
  • Mr. Drew puts k Alice proof boxes and k Bob
    proof boxes on the table
  • Bob boxes contain 10g or 20g weights according to
    the fake challenge

I like Alice
Open 1, Weigh 2, Weigh 3
23
Ernie Casts a Ballot: Full Protocol
Open 1, Open 2, Weigh 3
  • Ernie shouts the Alice (real) challenge and the
    Bob (fake) challenge
  • Drew responds to the challenges
  • No matter who Ernie voted for, the protocol looks
    exactly the same!

Open 1, Weigh 2, Weigh 3
24
Implementing Boxes and Scales
  • We can use Pedersen commitment
  • $G$: a cyclic (abelian) group of prime order $p$
  • $g, h$: generators of $G$
  • No one should know $\log_g h$
  • To commit to $m \in \mathbb{Z}_p$:
  • Choose random $r \in \mathbb{Z}_p$
  • Send $x = g^m h^r$
  • Statistically Hiding
  • For any $m$, $x$ is uniformly distributed in $G$
  • Computationally Binding
  • If we can find $m' \neq m$ and $r'$ such that $g^{m'} h^{r'} = x$,
    then
  • $g^{m-m'} = h^{r'-r} \neq 1$, so we can compute
    $\log_g h = (m-m')/(r'-r)$

25
Implementing Boxes and Scales
  • To prove equivalence of $x = g^m h^r$ and $y = g^m h^s$:
  • Prover sends $t = r - s$
  • Verifier checks that $y h^t = x$

[Figure: commitments over g, h and g, h, with t = r - s]
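
The ballot-casting proof from the earlier slides (k proof boxes, each either opened or weighed), run over the Pedersen boxes and scale defined above. This is an added example, not code from the talk or its authors; the toy group, the function names and the coin encoding are assumptions, and the slide's group order p is `Q` here while `P` is the modulus.

```python
import secrets

# Toy group, constructed for this example and far too small for real use:
# P = 2*Q + 1 is a safe prime; G and H are squares mod P, so each has order Q.
P, Q = 2039, 1019
G, H = 4, 9            # a real setup must ensure nobody knows log_g h
ALICE, BOB = 20, 10    # the "weights" from the talk

def commit(m, r):
    """Closed box: x = g^m * h^r mod P."""
    return pow(G, m, P) * pow(H, r, P) % P

def equiv_check(x, y, t):
    """The scale: x and y hold the same m iff y * h^t == x, where t = r - s."""
    return y * pow(H, t, P) % P == x

def run_proof(ballot_vote, proof_votes, claimed, coins):
    """Drew commits to ballot_vote and fills proof box i with proof_votes[i];
    Ernie expects `claimed`. coins[i] True = open box i, False = weigh it
    against the ballot box. Returns True iff Ernie accepts every response."""
    r = secrets.randbelow(Q)
    ballot = commit(ballot_vote, r)
    boxes = []
    for m in proof_votes:                     # Drew is committed from here on
        s = secrets.randbelow(Q)
        boxes.append((commit(m, s), m, s))
    for (box, m, s), open_it in zip(boxes, coins):
        if open_it:                           # Drew reveals (m, s)
            if commit(m, s) != box or m != claimed:
                return False
        elif not equiv_check(ballot, box, (r - s) % Q):   # Drew sends t = r - s
            return False
    return True

def simulate(real_vote, claimed, coins):
    """Zero-knowledge simulation: knowing the coins in advance, Drew 'proves'
    any claim by putting `claimed` in boxes that will be opened and real_vote
    in boxes that will be weighed (the fake proof for the other candidate)."""
    fills = [claimed if c else real_vote for c in coins]
    return run_proof(real_vote, fills, claimed, coins)

if __name__ == "__main__":
    k = 3
    coins = [secrets.randbelow(2) == 1 for _ in range(k)]
    print("honest proof accepted  :", run_proof(ALICE, [ALICE] * k, ALICE, coins))
    print("cheat, one box weighed :", run_proof(BOB, [ALICE] * k, ALICE, [True, False, True]))
    print("fake proof, coins known:", simulate(ALICE, BOB, coins))
```

A cheating Drew who fills every proof box with 20g survives only when all k coins come up "open", which is the $2^{-k}$ bound from the slides.
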
26
A Real System
Hello Ernie, Welcome to VoteMaster
Please choose your candidate
Alice
Bob
1 Receipt for Ernie
2 o63ZJVxC91rN0uRv/DtgXxhlUY
3 - Challenges -
4 Alice
5 Sn0w 619- ziggy p3
6 Bob
7 l4st phone et spla
8 - Response -
9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ
0 Certified

27
A Real System
Hello Ernie, You are voting for Alice
Please enter a fake challenge for Bob
Alice
l4st phone et spla
Bob
Continue

28
A Real System
Hello Ernie, You are voting for Alice
Make sure the printer has output two lines (the
second line will be covered). Now enter the real
challenge for Alice
Alice
Sn0w 619- ziggy p3
l4st phone et spla
Bob
Continue

29
A Real System
Hello Ernie, You are voting for Alice
Please verify that the printed challenges match
those you entered.
Alice
Sn0w 619- ziggy p3
l4st phone et spla
Bob
Finalize Vote

30
A Real System
Hello Ernie, Thank you for voting
Please take your receipt
31
Counting the Votes
  • Mr. Drew announces the final tally
  • Mr. Drew must prove the tally correct
  • Without revealing who voted for what!
  • Recall: Mr. Drew is committed to everyone's votes

Alice: 3, Bob: 1
32
Counting the Votes
Weigh, Weigh, Open
  • Mr. Drew puts k rows of new boxes on the table
  • Each row should contain the same votes in a
    random order
  • A random beacon gives k challenges
  • Everyone trusts that Mr. Drew cannot anticipate
    the challenges

Alice: 3, Bob: 1
33
Counting the Votes
Weigh, Weigh, Open
  • For each challenge
  • Mr. Drew proves that the row contains a
    permutation of the real votes

Alice: 3, Bob: 1
34
Counting the Votes
Weigh, Weigh, Open
  • For each challenge
  • Mr. Drew proves that the row contains a
    permutation of the real votes
  • Or
  • Mr. Drew opens the boxes and shows they match the
    tally

Alice: 3, Bob: 1
Fay
35
Counting the Votes
Weigh, Weigh, Open
  • If Mr. Drew's tally is bad
  • The new boxes don't match the tally
  • Or
  • They are not a permutation of the committed votes
  • Drew succeeds with prob. at most $2^{-k}$

Alice: 3, Bob: 1
Fay
36
Counting the Votes
Weigh, Weigh, Open
  • This protocol does not reveal information
    about specific votes
  • No box is both opened and weighed
  • The opened boxes are in a random order

Alice: 3, Bob: 1
Fay
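
The tally proof from the "Counting the Votes" slides, built on the Pedersen boxes from earlier in the talk, as an added example (not code from the talk or its authors). The toy group, the function names and the "weigh"/"open" challenge strings are assumptions; each row is either weighed against the cast votes or opened against the tally, never both.

```python
import secrets
from collections import Counter

# Toy group, constructed for this example and far too small for real use.
P, Q, G, H = 2039, 1019, 4, 9
ALICE, BOB = 20, 10
shuffle = secrets.SystemRandom().shuffle

def commit(m, r):
    return pow(G, m, P) * pow(H, r, P) % P

def cast_votes(votes):
    """The boxes already on the table after ballot casting, plus Drew's secrets."""
    r = [secrets.randbelow(Q) for _ in votes]
    return [commit(m, ri) for m, ri in zip(votes, r)], r

def make_row(votes):
    """Drew: fresh boxes holding `votes` in a secret random order."""
    perm = list(range(len(votes)))
    shuffle(perm)
    s = [secrets.randbelow(Q) for _ in votes]
    return [commit(votes[i], s[j]) for j, i in enumerate(perm)], perm, s

def respond(challenge, votes, cast_r, perm, s):
    if challenge == "weigh":    # show the permutation and t_j; nothing is opened
        return perm, [(cast_r[i] - s[j]) % Q for j, i in enumerate(perm)]
    return [(votes[i], s[j]) for j, i in enumerate(perm)]   # open the shuffled row

def verify(challenge, cast, row, resp, tally):
    if challenge == "weigh":    # row[j] must weigh the same as cast[perm[j]]
        perm, t = resp
        return sorted(perm) == list(range(len(cast))) and all(
            row[j] * pow(H, t[j], P) % P == cast[i] for j, i in enumerate(perm))
    if len(resp) != len(row) or any(
            commit(m, sj) != box for (m, sj), box in zip(resp, row)):
        return False
    return Counter(m for m, _ in resp) == Counter(tally)

def tally_proof(votes, tally, k):
    """Honest Drew: k rows are committed first, then the beacon picks challenges."""
    cast, r = cast_votes(votes)
    rows = [make_row(votes) for _ in range(k)]
    beacon = [secrets.choice(["weigh", "open"]) for _ in range(k)]
    return all(verify(c, cast, row, respond(c, votes, r, perm, s), tally)
               for c, (row, perm, s) in zip(beacon, rows))

if __name__ == "__main__":
    print(tally_proof([ALICE, ALICE, BOB, ALICE], {ALICE: 3, BOB: 1}, k=8))
```
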
37
Using Standard Commitment
  • Is the equivalence proof necessary?
  • Our new metaphor: Locks and Keys
  • Assumptions:
  • Every key fits a single lock
  • Every lock has only one key
  • No one can tell by just looking whether a key
    fits a lock

38
Commitment with Locks and Keys
  • To commit to a message
  • Privately lock the message using a key
  • Put the key (or lock) on the table
  • The key only fits one lock
  • To open the commitment, show the lock and open it

39
Nested Commitments
  • We have an additional trick
  • Commitment to a commitment
  • We can put a key on the lock instead of a message
  • The locked key is a commitment to the commitment
    to the message

40
Nested Commitments
  • We can open the external commitment without
    giving any information about the internal
  • Or open the internal one without revealing the
    external

41
Ernie Casts a Ballot
  • Ernie whispers his choice to Mr. Drew
  • Mr. Drew creates 2k double commitments to Ernie's
    choice
  • Mr. Drew now proves to Ernie that most of the
    commitments are correct
  • He uses a Zero Knowledge proof

I like Alice
42
Ernie Casts a Ballot
  • Ernie chooses a random permutation
  • Drew rearranges keys and locks by this permutation

Permutation: 2314
43
Ernie Casts a Ballot
  • Drew reveals k of the internal commitments
  • Does not open external commitments!
  • Ernie makes k challenges

Candidate 1, Connection 2
44
Ernie Casts a Ballot
  • Drew responds to challenges
  • Opens internal commitment

Candidate 1, Connection 2
45
Ernie Casts a Ballot
  • Drew responds to challenges
  • Opens internal commitment
  • Or
  • Opens external commitment

Candidate 1, Connection 2
46
Ernie Casts a Ballot: Proof Intuition
  • If a large fraction of Drew's commitments are bad
  • After shuffling, a large fraction of bad
    commitments will be in the first k
  • For each bad commitment
  • Either Drew cannot open internal commitment
  • Or
  • Drew cannot open external commitment
  • Drew cheats successfully with prob. exponentially
    small in k

47
Ernie Casts a Ballot: Zero Knowledge
  • If Drew knows Ernie's challenge in advance
  • He creates fake internal commitments

Candidate 1, Connection 2
Private
48
Ernie Casts a Ballot: Zero Knowledge
  • Drew can prove Ernie voted for Bob

Candidate 1, Connection 2
Private
49
Ernie Casts a Ballot: Receipt Freeness
  • We use the same technique as previously
  • Ernie whispers his choice and a fake challenge
  • Drew proves that Ernie voted for Bob using the
    fake challenge
  • And that Ernie voted for Alice using a real
    challenge
  • The real and fake proofs are indistinguishable
    to everyone else

I like Alice
Candidate 1, Candidate 2
50
Counting the Votes
Alice: 3, Bob: 1
  • Drew reveals the tally
  • Random beacon provides n permutations of 1,...,k
  • Drew permutes the columns

[Figure: column permutations per voter: Ernie 12, Fay 12, Guy 21, Heidi 21]
51
Counting the Votes
  • Drew chooses k random permutations of 1,...,n
  • Drew permutes the rows (of internal commitments)

[Figure: row permutations: Row 1: 2431, Row 2: 1342]
52
Counting the Votes
Commits 1, Tally 2
  • Drew reveals the permuted internal
    commitments (without opening any commitment)
  • The random beacon issues k challenges

[Figure: voters Ernie, Fay, Guy, Heidi; permuted order Guy, Heidi, Ernie, Fay]
53
Counting the Votes
Commits 1, Tally 2
  • Drew responds
  • Open external commitments and show they match
    the originals

[Figure: voters Ernie, Fay, Guy, Heidi; permuted order Guy, Heidi, Ernie, Fay]
54
Counting the Votes
Commits 1, Tally 2
  • Drew responds
  • Open external commitments and show they match
    the originals
  • or
  • Open internal commitments and show the tally
    matches

[Figure: voters Ernie, Fay, Guy, Heidi; permuted order Guy, Heidi, Ernie, Fay]
55
Counting the Votes: Proof Intuition
  • Zero Knowledge
  • Viewers see either random permutation of tally
  • Internal Commitments can't be connected to voters
  • Or opening of external commitments
  • No information about votes

56
Counting the Votes: Proof Intuition
  • Integrity: Drew can cheat in two ways
  • Use bad (new) external commitments
  • Will be caught if asked to open them
  • Use bad double commitments
  • Ballot casting ensures a good majority in each
    column
  • Columns are permuted after commitment: with high
    probability some rows will not match
  • Probability of successful cheating is
    exponentially small in k

[Figure: voters Ernie, Fay, Guy, Heidi]
57
Summary and Open Questions
  • Summary
  • A Universally-Verifiable Receipt-Free voting
    scheme
  • Based on commitment with equivalence testing
  • Based on generic non-interactive commitment
  • Further work
  • Prevent subliminal channels
  • Can we split trust between multiple authorities?
  • Do we really need an untappable channel?
  • Better voting protocols?

58
Thank You!