1 / 26

A (Brief) Comparison of Cryptographic Schemes for Electronic Voting

A (Brief) Comparison of Cryptographic Schemes for Electronic Voting. Tartu, Estonia May 17, 2004 Berry Schoenmakers Technical University of Eindhoven The Netherlands. Personal Experiences. Cryptography, since 1993 (CWI, DigiCash, TUE) Privacy-protecting electronic payment systems

coyne
Download Presentation

A (Brief) Comparison of Cryptographic Schemes for Electronic Voting

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A (Brief) Comparison of Cryptographic Schemes for Electronic Voting Tartu, EstoniaMay 17, 2004 Berry Schoenmakers Technical University of Eindhoven The Netherlands

  2. Personal Experiences • Cryptography, since 1993 (CWI, DigiCash, TUE) • Privacy-protecting electronic payment systems • e.g., eCash system at DigiCash (Chaum’s blind signatures) • Electronic voting schemes • since 1994 • homomorphic approach • ‘shadow election’ May 1998 during Dutch national elections • technical advisor of VoteHere • EU project CyberVote (Sept. 2000 – March 2003) • consultancy for the Dutch government • KOA-initiative (“Kiezen Op Afstand”) • upcoming experiment for ex-patriots (by touch-phone and internet) • (Next “wave:” other practical two/multiparty computations, e.g. millionaires, private matching, secure auctions, …)

  3. Paper-based elections • Advantages: • Easy to understand. • Transparent: in principle, observers may monitor the process for correct execution. • Disadvantage: • Requires physical presence of voters, talliers, observers • Fundamental properties: • Security: election result must be verifiablycorrect • Privacy: individual votes must remain secret

  4. Electronic elections • Solve security and privacy issues: • By trust? • By legal measures? • By technology? Yes, using cryptography! • Cryptographic approaches to electronic elections have been studied since the early 80s. • Electronic elections form a primary example of a secure multiparty computation.

  5. “Trusted party scenario” • Voting: • 1. Voter connects to voting server through an SSL connection (as with “secure web servers”) • 2. Voter authenticates himself/herself • 3. Voter casts a vote • Tallying: • Server (trusted party) sums all the votes and announces the election result

  6. Problem: level of trust in insiders • Attackers • Outsiders, i.e., anyone on the Internet: • May try to attack the SSL connection or the server. • Relatively easy to counter • Insiders, i.e., those who run the election: • May try to alter the election result • May try to learn people’s votes • Much harder to counter • "Those who cast the votes decide nothing. Those who count the votes decide everything." Josef Stalin

  7. Alice 56805761456784158 Sub-tally 1 32234555459085752 signed Bob 56459845645454766 Tallier #1 signed signed Carol 49135784578454685 Sub-tally 2 72378867307863836 signed Tallier #2 …………. signed …………. …………. …………. Sub-tally 10 89873538968735603 Diane 59643456456845463 signed Tallier #10 signed Scrutineers/observers (or, just anybody) Bulletin board model Registered voters Registered talliers

  8. Election Roles • Election Officials • select a PKI (“one (wo)man, one key pair”) for authentication of voters, talliers and officials • run the Bulletin Board server(s) • assumption: access to Bulletin Board is not anonymous • Voters • large-scale elections • many voters, “vote&go” • Talliers (possibly incl. MIXers) • scalable distributed trust • possibly a large number of talliers, e.g. 100 talliers • Scrutineers (or, observers, auditors) • can be anyone: universal verifiability

  9. Bulletin Board = server network • Properties (public broadcast channel): • Anyone can read BB • Nobody can erase anything from BB • Voters, talliers, officials write ballots to their own sections, signed with their public keys • BB produces signed receipts (threshold signature) • Implemented as a kind of Byzantine agreement • Replicateddesign prevents denial-of-service by BB • if < 1/3 of the BB servers is malicious, then BB is reliable • e.g., Rampart toolkit (Mike Reiter)

  10. Requirements for voting systems • Only registered voters may vote • Each voter may vote only once • Ballot secrecy (privacy) • Public verifiability of election result • Robustness • No interaction between voters • No vote duplication (copying someone’s encrypted vote without knowing the vote)

  11. Authentication vs. encryption • Separate voter authentication from vote encryption: • makes it easy to exclude double voting • Voter authentication • Ranging from weak to strong: • UserID/password • Challenge/response, possibly using hardware tokens (e.g., as used for Internet banking access control, ChipKnip) • Digital signatures, PKI • Vote encryption • Special protocols

  12. Hard nut to crack • Privacy and verifiability at the same time • Ballot Secrecy: even when the system is fully audited, all individual votes should remain private • Public Verifiability: anyone (incl. observers, auditors) is able to verify the integrity of the election result against the encrypted votes cast by legitimate voters

  13. Modern cryptography • Achieving privacy and verifiable security at the same time • cannot be solved using conventional (public key) encryption and authentication techniques only. • but requires advanced techniques such as: • zero-knowledge proofs of knowledge • verifiable secret sharing • homomorphic encryption • threshold decryption

  14. Universally verifiable voting • Homomorphic schemes: • Benaloh et al. mid 80s • Sako-Kilian 1994 • Cramer-Franklin-Schoenmakers-Yung 1996, Cramer-Gennaro-Schoenmakers 1997 • First practical homomorphic encryption protocols • Damgård-Jurik 2001 (using Paillier cryptosystem) • Verifiable MIXes • Sako-Kilian 1996 • Neff 2000 • First practical publicly verifiable mix protocol • Furukawa-Sako 2001 • Groth 2003 • Important innovation: efficient zero-knowledge proofs

  15. Verifiable black box Black Box Counting Process using private keys of talliers E1 = Ballot Alice E2 = Ballot Bob T = Final Tally Aux = Sub-tallies E3 = Ballot Carol Em = Ballot Diane Verify (E1,…,Em, T, Aux, public keys of talliers) = accept or reject

  16. Some intuition: secret sharing • Single tallier sees everything: • Random split between two talliers:

  17. ElGamal encryption • Receiver’s private key: x • Receiver’s public key: h = gx • Sender encrypts plaintext m: (a, b) = (gw, hw m), using a random w • Receiver decrypts ciphertext (a, b): b / ax= m (a, b) m Receiver Sender m ciphertext plaintext plaintext h x uses uses

  18. Homomorphic ElGamal encryption • Consider a vote v Î{1,0} @ {yes,no} • Ballot is ElGamal encryption of vote gv: • (a, b) = (gw, hwgv), • Homomorphic property: • (a, b) * (a', b') = ( gw+w',hw+w' gv+v') • Tallying: decrypt product of all ElGamal encryptions to find sum of votes.

  19. Use of zeroknowledge proofs • Question: How to prevent voters from sending in ballots like these? (a, b) = (gw, hwg2) double yes (a, b) = (gw, hwg-4) -4 times yes (a, b) = (gw, hwg1000) 1000 times yes • Answer: use zero-knowledge proofs to prove that each ElGamal encryption contains either g0 org1 without revealing any additional information.

  20. Homomorphic approach • Each voter Vi post an ElGamal encryption: (ai, bi) = (gwi, hwigvi)plus a zero-knowledge proof that vi=0 or vi=1 • Compute (Pi ai , Pi bi) = (gW, hWgT) with W = Si wiandT = Si vi • Talliers threshold-decrypt (gW, hWgT) to get gT and finally T

  21. Verifiable MIXes SSL/WTLS channels (authenticated) vote1 Voter Attacker vote1 vote2 vote3 vote3 ….. vote2 vote3 vote2 vote2 vote2 Voter Voter vote3 vote1 vote1 vote1 Vote server (aka "bulletin board") MIX server MIX server Talliers result Voter vote3 transform and permute encrypt using talliers' public key (Modified El Gamal encryption) decrypt

  22. Cryptographic techniques • Blinding of ElGamal encryptions: • Input: (a, b) = (g w, h wm) • Output: (a', b') = (a, b)*(g r, h r) = (g w+r, h w+rm) where r is random • plus a zero-knowledge proof of correctness • Verifiable MIX, e.g. 2 x 2 MIX: E1 Secret, random π, secret blinding E'π(1) E2 E'π(2) plus a ZK proof

  23. Performance: Work per player • Counting modular exponentiations • m voters, n talliers, m >> n • Complexity of zero-knowledge proof: f

  24. Solution = Protocol + Infrastructure • Voting protocol: cryptographiccore of the system, protects even againstinsiders (who run the system) • Security infrastructure: required to stop a multitude of attacks, related to e.g.: • Security of client and server computers • Security of (voting) application software • Security of communication between these computers • ……………. • Shortcomings of the cryptographic protocol cannot be remedied by strengthening the security infrastructure

  25. Author’s address Berry Schoenmakers Coding and Crypto group Dept. of Math. and CS Eindhoven University of Technology P.O. Box 513 5600 MB Eindhoven Netherlands berry@win.tue.nl http://www.win.tue.nl/~berry/

More Related