1 / 29

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Tal Moran Joint work with Moni Naor. Receipt-Free Universally-Verifiable Voting With Everlasting Privacy. Flavors of Cryptographic Privacy. Computational Privacy Depends on a computational assumption A powerful enough adversary can “break” the privacy guarantee

halee-dean
Download Presentation

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Tal Moran Joint work with Moni Naor Receipt-FreeUniversally-Verifiable Voting With Everlasting Privacy

  2. Flavors of Cryptographic Privacy • Computational Privacy • Depends on a computational assumption • A powerful enough adversary can “break” the privacy guarantee • Example: Public Key Encryption • Unconditional (“Everlasting”) Privacy • Privacy holds even for infinitely powerful adversary • Example: Statistically Hiding Commitment

  3. Why Not Everlasting Privacy? • Tradeoff between Unconditional Privacy and Unconditional Integrity • Gut feeling is that integrity is more important • Distributing trust between multiple parties is harder • Public communication cannot contain any information about individual votes • Standard methods using “threshold decryption” won’t work

  4. Why Everlasting Privacy After All? • Integrity depends on privacy too: • Coerced elections are not fair! • Computational privacy holds only as long as its underlying assumptions • Belief in privacy violation may beenough for coercion! • Most open-audit voting schemes relyon public-key encryption Existing public-key schemes with current key lengths are likely to be broken in 30 years! [RSA conference ’06]

  5. Outline of Talk • Voting Scheme based on Hidden Temporal Order[Crypto 2006] • Uses DRE; DRE learns vote • Generalization can be based on any non-interactive commitment • “Split Ballot” Voting Scheme[WOTE/CCS 2007] • Uses physical ballots • No single entity learns vote • We’ll use physical metaphors and a simplified model

  6. Alice and Bob for Class President • Cory “the Coercer” wants to rig the election • He can intimidate all the students • Only Mr. Drew is not afraid of Cory • Everybody trusts Mr. Drew to keep secrets • Unfortunately, Mr. Drew also wants to rig the election • Luckily, he doesn't stoop to blackmail • Sadly, all the students suffer severe RSI • They can't use their hands at all • Mr. Drew will have to cast their ballots for them

  7. Commitment with “Equivalence Proof” • We use a 20g weight for Alice... • ...and a 10g weight for Bob • Using a scale, we can tell if two votes are identical • Even if the weights are hidden in a box! • The only actions we allow are: • Open a box • Compare two boxes

  8. Additional Requirements • An “untappable channel” • Students can whisper in Mr. Drew's ear • Commitments are secret • Mr. Drew can put weights in the boxes privately • Everything else is public • Entire class can see all of Mr. Drew’s actions • They can hear anything that isn’t whispered • The whole show is recorded on video (external auditors) I’m whispering

  9. Ernie Casts a Ballot • Ernie whispers his choice to Mr. Drew I like Alice

  10. Ernie Casts a Ballot • Mr. Drew puts a box on the scale • Mr. Drew needs to prove to Ernie that the box contains 20g • If he opens the box, everyone else will see what Ernie voted for! • Mr. Drew uses a “Zero Knowledge Proof” Ernie

  11. Ernie Casts a Ballot Ernie Casts a Ballot • Mr. Drew puts k (=3) “proof” boxes on the table • Each box should contain a 20g weight • Once the boxes are on the table, Mr. Drew is committed to their contents Ernie

  12. Ernie Ernie Ernie Casts a Ballot 1 Weigh 2 Open 3 Open • Ernie “challenges” Mr. Drew; For each box, Ernie flips a coin and either: • Asks Mr. Drew to put the box on the scale (“prove equivalence”) • It should weigh the same as the “Ernie” box • Asks Mr. Drew to open the box • It should contain a 20g weight

  13. Ernie Casts a Ballot 1 Open2 Weigh3 Open • If the “Ernie” box doesn’tcontain a 20g weight, every proof box: • Either doesn’t contain a 20g weight • Or doesn’t weight the same as theErnie box • Mr. Drew can fool Ernie with probability at most 2-k Ernie

  14. Ernie Casts a Ballot • Why is this Zero Knowledge? • When Ernie whispers to Mr. Drew,he can tell Mr. Drew what hischallenge will be. • Mr. Drew can put 20g weights in the boxes he will open, and 10g weights in the boxes he weighs I like Bob 1 Open2 Weigh3 Weigh

  15. Ernie Ernie Casts a Ballot: Full Protocol • Ernie whispers his choice and a dummy challenge to Mr. Drew • Mr. Drew puts a box on the scale • it should contain a 20g weight • Mr. Drew puts k “Alice” proof boxesand k “Bob” proof boxes on the table • Bob boxes contain 10g or 20g weights according to the dummy challenge I like Alice 1 Open2 Weigh3 Weigh

  16. Ernie Ernie Ernie Casts a Ballot: Full Protocol 1 Open2 Open3 Weigh • Ernie shouts the “Alice” (real) challenge and the “Bob” (dummy) challenge • Drew responds to the challenges • No matter who Ernie voted for,The protocol looks exactly the same! 1 Open2 Weigh3 Weigh

  17. A “Real” System Hello Ernie, Welcome to VoteMaster Please choose your candidate: Alice Bob 1 Receipt for Ernie 2 o63ZJVxC91rN0uRv/DtgXxhl+UY= 3 - Challenges - 4 Alice: 5 Sn0w 619- ziggy p3 6 Bob: 7 l4st phone et spla 8 - Response - 9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ= 0 === Certified ===

  18. A “Real” System Hello Ernie, You are voting for Alice Please enter a dummy challenge for Bob Alice: l4st phone et spla Bob : Continue 1 Receipt for Ernie 2 o63ZJVxC91rN0uRv/DtgXxhl+UY= 3 - Challenges - 4 Alice: 5 Sn0w 619- ziggy p3 6 Bob: 7 l4st phone et spla 8 - Response - 9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ= 0 === Certified ===

  19. A “Real” System Hello Ernie, You are voting for Alice Make sure the printer has output twolines (the second line will be covered)Now enter the real challenge for Alice Alice: Sn0w 619- ziggy p3 l4st phone et spla Bob : Continue 1 Receipt for Ernie 2 o63ZJVxC91rN0uRv/DtgXxhl+UY= 3 - Challenges - 4 Alice: 5 Sn0w 619- ziggy p3 6 Bob: 7 l4st phone et spla 8 - Response - 9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ= 0 === Certified ===

  20. A “Real” System Hello Ernie, You are voting for Alice Please verify that the printed challengesmatch those you entered. Alice: Sn0w 619- ziggy p3 l4st phone et spla Bob : Finalize Vote 1 Receipt for Ernie 2 o63ZJVxC91rN0uRv/DtgXxhl+UY= 3 - Challenges - 4 Alice: 5 Sn0w 619- ziggy p3 6 Bob: 7 l4st phone et spla 8 - Response - 9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ= 0 === Certified ===

  21. A “Real” System Hello Ernie, Thank you for voting Please take your receipt 1 Receipt for Ernie 2 o63ZJVxC91rN0uRv/DtgXxhl+UY= 3 - Challenges - 4 Alice: 5 Sn0w 619- ziggy p3 6 Bob: 7 l4st phone et spla 8 - Response - 9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ= 0 === Certified ===12

  22. Ernie Fay Guy Heidi Counting the Votes • Mr. Drew announces the final tally • Mr. Drew must prove the tally correct • Without revealing who voted for what! • Recall: Mr. Drew is committed toeveryone’s votes Alice: 3Bob: 1

  23. Ernie Fay Guy Heidi Counting the Votes 1 Weigh 2 Weigh3 Open • Mr. Drew puts k rows ofnew boxes on the table • Each row should contain the same votes in a random order • A “random beacon” gives k challenges • Everyone trusts that Mr. Drewcannot anticipate thechallenges Alice: 3Bob: 1

  24. Ernie Fay Guy Heidi Ernie Fay Guy Heidi Counting the Votes 1 Weigh 2 Weigh3 Open • For each challenge: • Mr. Drew proves that the row contains a permutation of the real votes Alice: 3Bob: 1

  25. Ernie Fay Guy Heidi Counting the Votes 1 Weigh 2 Weigh3 Open • For each challenge: • Mr. Drew proves that the row contains a permutation of the real votes Or • Mr. Drew opens the boxes andshows they match the tally Alice: 3Bob: 1 Fay

  26. Ernie Fay Guy Heidi Counting the Votes 1 Weigh 2 Weigh3 Open • If Mr. Drew’s tally is bad • The new boxes don’t matchthe tally Or • They are not a permutationof the committed votes • Drew succeeds with prob.at most 2-k Alice: 3Bob: 1 Fay

  27. Ernie Fay Guy Heidi Counting the Votes 1 Weigh 2 Weigh3 Open • This prototocol does notreveal information aboutspecific votes: • No box is both opened andweighed • The opened boxes are ina random order Alice: 3Bob: 1 Fay

  28. Summary • A Universally-Verifiable Receipt-Free voting scheme • Based on commitment with equivalence testing • Based on generic non-interactive commitment • What’s Missing? • DRE knows voter’s choice • Can use subliminal channels to reveal it • We want to split trust between multiple authorities

  29. ThankYou!

More Related