Ari Juels RSA Laboratories Joint work with Markus Jakobsson, C. Andy Neff Receipt-free Voting
Cast of characters
• Voter (Alice, and Bob, Charlie...)
• Attacker
• Voting authority
[Figure text: "I Like Ike"]
Basic Internet voting
[Figure: voters Alice, Bob, Charlie and Eve]
Basic Internet voting
[Figure: ballots reading "A vote for Al Bore" and "A vote for G.W. Gush", digitally signed by Alice, Bob, Charlie and Eve. Final Tally: Gush 2, Bore 1]
Alice knows randomization, so ciphertext ballot is a proof or receipt
[Figure: Alice with a ballot for BORE]
Receipt-freeness
• Receipt-freeness property: Alice cannot open ballot or prove contents
• Prevents simple blackmail
• References: BT94, SK95, HS00
What receipt-freeness doesn’t defend against
• Vote buying
• Sale of authentication key
• Vote-buying schemes (e.g., vote-auction.com; http://62.116.31.68/)
• Anonymous peer-to-peer networks
• Compromise of voting authority servers
• Limited defense in HS00
What receipt-freeness doesn’t defend against
• Shoulder surfing
• Randomization attack
• Attacker pre-specifies form of Alice’s ciphertext, leading to random result
• Forced-abstention attack
• Receipt-freeness won’t do for real applications!
Ari Juels RSA Laboratories Joint work with Markus Jakobsson, C. Andy Neff Receipt-free Voting
Ari Juels RSA Laboratories Joint work with Markus Jakobsson, C. Andy Neff Coercion-free Voting
First key tool: Mix network
Randomly permutes and re-encrypts inputs
What does a mix network do?
Key property: We can’t tell which output corresponds to a given input
Example application: Anonymizing bulletin board or e-mail
[Figure: messages from Alice, from Bob and from Charlie enter the mix]
Example application: Anonymizing bulletin board or e-mail
[Figure: messages from Alice, from Bob and from Charlie come out as “Nobody loves Bob”, “I love Charlie”, “I love Alice”. Is it Bob, Charlie, self-love, or other?]
Another application: Voting
[Figure: ballots reading "A vote for Al Bore" and "A vote for G.W. Gush", digitally signed by Alice, Bob, Charlie and Eve. Final Tally: Gush 2, Bore 1]
Mix Structure
[Figure: inputs m1, m2, m3 pass through Server 1, Server 2 and Server 3 in turn; each server re-encrypts and permutes them]
Mix Structure
• Threshold decryption
• Blinding
• Re-mixing
Mix network Properties
• Privacy preserved, i.e., permutation hidden if at least one server is honest
• Soundness achievable by having servers prove correct permutation
Second key tool: Threshold one-way functions
• Denoted by B() and B’()
• Essentially undeniable signature
• B(m) = m^x for shared key x
Third key tool
• Anonymous credential = Voting key
• Essentially a group signature key
• à la Ateniese et al. (Crypto ‘00)
• Other approaches possible
• Carries hidden, identifying tag, called tag_i
• Special enhancement: Also includes validator val_i = B(tag_i), where B is threshold one-way function
A little more notation
Let E[m] denote El Gamal ciphertext on m:
• Private key held distributively
• Authorities can jointly decrypt ciphertext
• B(E[m]) = E[B(m)] (due to El Gamal homomorphism)
Our new scheme
Core ideas:
• Voter employs anonymous credential
• We don’t know who voted (at time of voting) or what was voted
• Validator required for vote to count
• Adversary cannot tell whether or not validator is correct
• Attacker cannot tell whether a vote is valid or not
Security model
• Registration:
   • Attacker cannot interfere with registration process or
   • User is forced by, e.g., hardware, to do erasing
• Before voting:
   • Attacker can provide keying or other material to voter (even entire ballot)
• During vote:
   • Votes may be posted anonymously (for strongest security) or semi-anonymously (for weaker guarantees)
   • Bulletin board is universally accessible
• At all times:
   • Attacker has access to all public information, i.e., encrypted and decrypted ballots
Voting: Anatomy of a ballot
[Figure: ballot i carries tag_i, val_i, vote_i and proof_i under an anonymous credential signature. validator = B(tag_i); proof_i is a NIZK proof that the tag_i ciphertext is valid for the credential]
Tallying Ballots
Step 1: Check group signatures and proofs
[Figure: Authority 1 and Authority 2 check ballots (tag_j, val_j, vote_j, proof_j) for j = 1, ..., n]
Tallying Ballots
Step 2: Mixing ballots
[Figure: Authority 1 and Authority 2 permute the ballots (tag_j, val_j, vote_j), j = 1, ..., n’, with re-encryption]
Tallying Ballots
Step 3: Joint blinding and decryption of validators
[Figure: Authority 1 and Authority 2 turn each val_j into B’(val_j), j = 1, ..., n’]
B’ blinding prevents authorities from recognizing validators
Tallying Ballots
Step 4: Elimination of duplicates by validator
[Figure: Authority 1 and Authority 2 compare B’(val_1), ..., B’(val_n’) and eliminate ballots with equal validators]
Tallying Ballots
Step 5: Re-mixing ballots
[Figure: Authority 1 and Authority 2 permute the remaining ballots (tag_j, vote_j, B’(val_j)) with re-encryption]
Remixing required so that adversary does not recognize weeding based on number of ballots he cast
Tallying Ballots
Step 6: Verification of validators
[Figure: Authority 1 and Authority 2 hold tag_i, vote_i and B’(val_i) for each ballot, with tag_i as the ciphertext E[tag_i]. If correct, B’(val_i) = B’(B(tag_i))]
• Authorities compute C1 = B’(B(E[tag_i])) = E[B’(B(tag_i))]
• Authorities do distributed comparison of C1 with C2 = E[B’(val_i)]
• If ciphertexts are equal, then validator is correct
• Otherwise ballot is invalid and is thus removed
Tallying Ballots
Step 7: Joint decryption of valid votes
[Figure: Authority 1 and Authority 2 jointly decrypt vote1, vote2 and vote3 to Gush, Bore and Bore. "Winner!"]
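The tallying steps above, as an added example (not code from the talk or its authors), which also exercises the mix-network re-encryption and the homomorphism B(E[m]) = E[B(m)] from the earlier slides. Assumptions: a single toy El Gamal key stands in for the distributed authorities, step 5 (re-mixing) is omitted, and the group parameters, key values, candidate encoding and all function names are constructed for illustration.

```python
import random
# Toy group (constructed, far too small for real use): P = 2Q + 1, G has order Q.
P, Q, G = 2039, 1019, 4
rng = random.Random(7)                        # fixed seed: reproducible demo
CAND = {pow(G, 1, P): "Gush", pow(G, 2, P): "Bore"}   # votes encoded as group elements

def enc(m, h):                                # E[m] under public key h
    r = rng.randrange(1, Q)
    return (pow(G, r, P), m * pow(h, r, P) % P)

def dec(c, sk):
    return c[1] * pow(c[0], -sk, P) % P       # modular inverse power, Python 3.8+

def reenc(c, h):                              # multiply by a fresh E[1]: same plaintext
    a, b = enc(1, h)
    return (c[0] * a % P, c[1] * b % P)

def B(c, x):                                  # E[m]^x = E[m^x], i.e. B(E[m]) = E[B(m)]
    return (pow(c[0], x, P), pow(c[1], x, P))

def same_plaintext(c1, c2, sk):               # decrypt (c1/c2)^z; 1 means equal plaintexts
    d = (c1[0] * pow(c2[0], -1, P) % P, c1[1] * pow(c2[1], -1, P) % P)
    return dec(B(d, rng.randrange(1, Q)), sk) == 1

def tally(ballots, sk, h, x, x2):             # x is the key of B, x2 the key of B'
    mixed = [tuple(reenc(c, h) for c in b) for b in ballots]  # step 2: re-encrypt...
    rng.shuffle(mixed)                                        # ...and permute
    seen, counts = set(), {}
    for tag_c, val_c, vote_c in mixed:
        c2 = B(val_c, x2)                     # step 3: C2 = E[B'(val)]
        blinded = dec(c2, sk)                 # only the blinded validator is revealed
        if blinded in seen:                   # step 4: weed duplicate validators
            continue
        seen.add(blinded)
        if not same_plaintext(B(B(tag_c, x), x2), c2, sk):   # step 6: C1 vs C2
            continue                          # false validator: silently dropped
        name = CAND[dec(vote_c, sk)]          # step 7: decrypt valid votes only
        counts[name] = counts.get(name, 0) + 1
    return counts

def demo():
    sk, x, x2 = 123, 357, 901                 # constructed keys: decryption, B, B'
    h = pow(G, sk, P)
    gush, bore = list(CAND)
    ballot = lambda t, val, vote: (enc(pow(G, t, P), h), enc(val, h), enc(vote, h))
    bob = ballot(11, pow(G, 11 * x, P), gush)
    return tally([ballot(5, pow(G, 77, P), gush),       # Alice coerced: false validator
                  ballot(5, pow(G, 5 * x, P), bore),    # Alice re-votes: val = B(tag)
                  bob, bob], sk, h, x, x2)              # Bob posts one ballot twice
```

Calling `demo()` counts Alice's re-vote and one of Bob's two identical ballots; the coerced ballot looks the same on the bulletin board but fails the step 6 comparison.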
Voter cannot sell or prove vote
Key idea: Attacker cannot tell a false validator from a real one
• If attacker demands voting key, voter can provide false validator
• If attacker demands that voter cast a certain type of vote, and demands pointer(s)
   • Voter can vote as demanded using false validator
   • Voter can re-vote using correct validator
Collusion with minority coalition of servers resisted
• Correct validators only computable by majority
• Mixing is private and robust if majority is honest
No randomization or forced abstention
• Randomization: Voter can use false validator to post false ballot… and later vote for real
• Forced abstention: Group signature (+ anonymous channel) provides anonymity
Resistance to shoulder-surfing
• Voter can vote multiple times
• Weeding policy provides for re-vote
• E.g., last vote might count (needs extra phase)
Is it practical?
• Overhead is just a few times that of basic, mix-based voting
• Hirt-Sako ‘00 requires untappable channels, linear cost in number of candidates, no write-ins, etc.
• Not just practical, but essential for Internet voting!
Additions
• Votes can be countersigned by polling station, indicating priority
• If registrar publishes voting roll with blinded validators, we can verify publicly that all participants are on roll
• Requires an additional mixing step
• Careful modeling required and largely unaddressed