1 / 28

Electronic Voting Schemes and Other stuff

Electronic Voting Schemes and Other stuff. Requirements. Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?) Voter cannot be coerced/bribed to voting some way Voter cannot prove how she voted. The final tally is the correct sum

kiral
Download Presentation

Electronic Voting Schemes and Other stuff

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Electronic Voting Schemes and Other stuff

  2. Requirements • Only eligible voters can vote (once only) • No one can tell how voter voted • Publish who voted (?) • Voter cannot be coerced/bribed to voting some way • Voter cannot prove how she voted. • The final tally is the correct sum • Every voter can verify her vote, or assign other to verify • Everyone can verify total • No disruption • No partial results known

  3. Chaum’s Onion Routing Note: messages are same length

  4. Voting in Mix Nets • Voters create ballots • Every voter encrypts ballot • t mix servers (one after the other) • Decryption network: encryption peeled off and order randomized in server • Reencryption networks: use El-Gamal

  5. El Gamal Encryption • g a generation of Zp*, p=2q+1 • x is the secret key • y = gx is the public key, g is a generator • E(m) = (gr, myr) = (c1,c2), r random, is the encryption • D(c1,c2) = c2 / c1x = m • Reencryption: • ReEnc(c1,c2) = (c1gs, c2ys), s random, is the reencryption

  6. Need to prove correct reencryption y=gx • c1 = (gt, m1yt) • c2 = (gu, m2yu) • c1[1]/c2[1] = gt-u =gr = w (Define r = t-u, w) • c1[2]/c2[2] = yt-u =(m1/m2)yr = u • Prover/Verifier Protocol • (gs,ys) = (a,b) -> Verifier • Prover <- c • t = s+cr -> Verifier, check that gt = a wc and that yt = b uc • Verfier needs to be honest here, why? What does verifier learn?

  7. Chaum Pederson • For G, X, H, Y prove that • logG X = log H Y • Honest Verifier Zero Knowledge Proof of Knowledge • Example question for exam: • Define HVZK proof of knowledge • Prove that Chaum Pederson protocol is HVZK proof of knowledge

  8. Honest Verifier ZK (Sigma-Nets) • x is common input to P, V, w is a witness for x, private to P • P sends a message A • V sends a random t-bit string e. • P sends a reply z • V decides to accept or reject based on the data he has seen, i.e. x, a, e, z.

  9. Honest Verifier ZK • For any (a, e, z), (a, e’, z’) where e <> e’, one can efficiently compute a witness w for x • There exists a polynomial-time simulator M, which on input x and a random e outputs an accepting conversation of the form (a, e, z), with the same probability distribution as conversations between the honest P, V on input x. • Proofs of Knowledge: resetable P allows simulator to compute witness w.

  10. Homomorphic El Gamal • c1 = (gt, m1yt) • c2 = (gu, m2yu) • c1c1 = (gt+u, m1m2yt+u) • Encode 1 = no vote • g = yes vote

  11. Payments • Untraceable electronic cash • Online • Offline • Micropayment protocols • “Real Protocols” – SET, EMC, • EMC is really used, old • SET seems to be dead in the water

  12. Main idea (Chaum): blind signatures • RSA: m1/e mod n • Blind RSA: • Two party protocol: • Alice sends Bob (rem) mod n • Bob computes (rem)1/e= rm1/emod n • Alice computes m1/e mod n • Problems: • Alice can get Bob to sign anything, • Bod does not know what he is signing

  13. Online Non-Anonymous Cash Let’s follow the flow of a $1 bill: • Alice takes the string m = “account number” || “serial number”, chooses a random r, and sends m re mod n to the bank • The bank signs this message and sends m1/er to Alice • Alice extracts a signature on “account number” || “serial number” (m1/e) , and gives it to the merchant • The merchant sends this to the bank, that verifies that the bill has not been used previously

  14. Problems • No anonymity • What is Alice having signed anyway? The bank does not know. • Imagine that a signature on the string “f(s)” means one dollar • Alice could prove to the bank that this is the format of what she is asking for • Could be done via general multiparty computation • Could be done via cut and choose (the rabbit problem)

  15. Online Anonymous Cash • Alice chooses a random s, r, sends re (f(s)) to the bank • The bank debits Alice’s account by $1 and send r (f(s))1/e to Alice • Alice extracts (f(s))1/e, and gives it and s to the merchant • The merchant sends this to the bank, that verifies that the bill (s) has not been used previously

  16. Advantages & Problems: • The bank has given Alice a bill, but does not know what the bill looks like • The bank cannot later identify Alice with the bill • The bank must be online at all times to identify bills • Multiparty computation is entirely inefficient

  17. How to do cut and choose here • Alice sends the bank many values z1, z2, …, zk • The bank asks Alice to reveal ½ of the values zi = ri (f(si)) • The bank extracts the root of the multiplication of all the others • The bill is valid if it is of the root of a product of (f(si)) • Remark: in this case, it’s not clear that we need for Alice to prove anything to the bank, any deviation from protocol for Alice can only harm her

  18. How to do Offline Anonymous Cash? • If Alice “double spends” – she will be caught and identified • If Alice does not – her anonymity is guaranteed • The merchant cannot reuse the money (other than send it to the bank)

  19. Idea: encode Alice’s identity into the money • Alice generates f(s1), f(s2), … f(sk), t1 || f(t1), f(t2), …, f(tk), such that si xor ti = “Alice” • Alice sends blinded versions of all of these to the bank • The bank verifies the correctness and sends Alice the root of the product of the indices not revealed • The merchant asks alice for the signature and for a random subset of the indices • If Alice double spends, her identity becomes known to the bank.

  20. El-Gamal Signature Scheme Generation • Pick a prime p of length 1024 bits such that DL in Zp* is hard. • Let g be a generator of Zp*. • Pickxin[2,p-2]at random. • Compute y=gx mod p. • Public key: p,g,y. • Private key: x.

  21. El-Gamal Signature Scheme Signing M • Hash: Let m=H(M). • Pick k in[1,p-2]relatively prime to p-1 at random. • Compute r=gk mod p. • Compute s=(m-rx)k-1 mod (p-1) (***) • Output r and s.

  22. El-Gamal Signature Scheme Verify M,r,s,PK • Compute m=H(M). • Accept if 0<r<p and yrrs=gmmod p. elsereject. • What’s going on? By (***) s=(m-rx)k-1 mod p-1, so sk+rx=m. Now r=gkso rs=gks, and y=gx so yr=grx,implying yrrs=gm .

  23. The Digital Signature Algorithm (DSA) • Let p be an L bit prime such that the discrete log problem mod p is intractable • Let q be a 160 bit prime that divides p-1 • Let α be a q’th root of 1 modulo p. How do we compute α?

  24. The Digital Signature Algorithm (DSA) • p – prime, q – prime, p-1 = 0 mod q, α = 1(1/q) mod p • Private key: random 1 ≤ s ≤ q-1. • Public key: (p, q, α, β = αs mod p) • Signature on message M: • Choose a random 1 ≤ k ≤ p-1, secret!! • Part II: (SHA(M) + s (PART I)) / k mod q • Part I: ((αk mod p) mod q

  25. The Digital Signature Algorithm (DSA) • p – prime, q – prime, p-1 = 0 mod q, α = 1(1/q) mod p, Private key: random 1 ≤ s ≤ q-1. Public key: (p, q, α, β = αs mod p). Signature on message M: • Choose a random 1 ≤ k ≤ p-1, secret!! • Part I: ((αk mod p) mod q • Part II: (SHA(M) + s (PART I)) /k mod q • Verification: • e1 = SHA(M) / (PART II) mod q • e2 = (PART I) / (PART II) mod q • OK if

  26. The Digital Signature Algorithm

  27. Testing Primitive Elements mod p Let p be a prime number so that the prime factorization of p-1 is known: p-1 = q1e1q2e2…qkek(q1,q2,…,qk primes). Theorem: gZp is a primitive element in Zp iff g(p-1)/q1, g(p-1)/q2,… , g(p-1)/qk are all  1 mod p Algorithm: Efficiently compute allkpowers. Caveat:Requires factorization of p-1.

  28. Proof • If g is a primitive mod p then gi mod p ≠ 1 for all 1 ≤ i ≤ p-2 • If g is not a primitive element mod p, let d be the order of g. d divides p-1, let q be a prime divisor of (p-1)/d, then • gd = 1 mod p, d divides (p-1)/q, and so g(p-1)/q =1 mod p.

More Related