370 likes | 500 Views
e-voting (requirements & protocols). 1) Aggelos Kiayias, Moti Yung : Self-tallying Elections and Perfect Ballot Secrecy 2) Jens Groth : Efficient Maximal Privacy in Boardroom Voting an d A nonymous Broadcas t. Types of Adversary. 1)Passive
E N D
e-voting(requirements & protocols) 1) Aggelos Kiayias, Moti Yung: Self-tallying Elections and Perfect BallotSecrecy 2) Jens Groth: Efficient Maximal Privacy in Boardroom Voting and Anonymous Broadcast
Types of Adversary 1)Passive Static 2)Active Adaptive(or Dynamic) 3)Fail-Stop
Requirements • Privacy: Ensures the secrecy of the ballots. • Universal Verifiability: Anyone, having or not participated in the elections, can be convinced that all valid votes have been included in the final tally. • Robustness: The system can tolerate a certain number of faulty participants. • Receipt-freeness: The voters cannot provide a “receipt” that shows what they voted. • Fairness: No partial tally is revealed before the end of the elections.
Further requirements • Dispute-freeness: The fact that the participants follow the protocol at any phase can be publicly verified by any casual third party. • Self-tallying: The post-ballot-phase can be performed by any interested third party. • Perfect Ballot Secrecy: The only thing revealed about the voters’ choice is the final result. • Perfect Message Secrecy: Nothing is revealed about who sent which message, no matter how many parties are corrupted.(Groth2004)
Propositions • A self-tallying scheme cannot be robust and support privacy at the same time. • A voting scheme with robustness based on secret sharing cannot satisfy Perfect Ballot Secrecy.
New Notion Corrective Fault Tolerance (More relaxed form of robustness)
Bulletin Board • Public-broadcast channel with memory (no one can erase what is written). • Any party (or simple observer) can read information of it. • All active parties can write on it in designated areas (this means that the communication transcript is secure). • The bulletin board authority (server) is responsible for administrating the election (starting, terminating, and maintaining a registry of voters).
Voting Scheme (Kiayias-Yung2002) • Gk: family of groups, such that the DLP is hard • Gen: a probabilistic polynomial-time algorithm that, given 1 generates the description of a group G Gk and three random elements from G: f, g, h, known to all parties (k: number of bits of q,p ; G: of order q). • Every voter Vi selects randomly aiq, and publishes hi:=h (voter’s public key). k a i
Pre-Voting Stage(1) • Each Vi selects randomly s i,j q , j=1,…,n s.t. s i,j=0. (select n-1 values and set s i,n:=- s i,j ). • Each Vi then publishes the pairs <R i,j,R’i,j> s.t R i,j:=g and R’i,j:=hj along with a proof of knowledge that log R i,j=logR’i,j. • The bulletin board authority computes the product R’j = R’i,j, and publishes it on the board. s s i,j i,j g h j
Pre-Voting Stage(2) Interactive Proof of Knowledge
Pre-Voting Stage(3) Theorem: After the completion of the pre-voting phase i)Any third-party can verify that log R i,j=logR’i,j. ii)Any third-party can verify that s i,j=0. iii)If at least one voter chose the s i,j values randomly, then the values t j= s i.,j are random in q, with the property that tj=0. g h j
Voting Phase(1) • Voter Vj reads R’j on the board and raises it to aj in order to obtain h . • Voter Vj selects vj {-1(no),1(yes)} and publishes the ballot Bj:=h f , along with a proof of knowledge that -1 t j t v j j
Self-Tallying • The tally T:= Bj = f , since tj=0. • T {f ,f }, so a brute force attack can check all possible values with 2n steps worst case. Shanks’ “Baby Step-Giant Step” method gives even better results. v j -n+1 n-1
Corrective Fault Tolerance Two cases: • When some registered voters do not participate in the pre-voting phase. • When some voters do not cast a ballot before the deadline of the election. • In both cases the remaining active voters must react to reveal the shares that were intended for the ones that failed.
Corrective Fault Tolerance(1) • No participation in the pre-voting phase: S:=set of voters who didn’t participate S:=set of remaining voters Each voter Vk, k S, publishes R’’:=h , together with a non-interactive proof of knowledge for Then the bulletin board authority modifies the values _ _ s k,j k k
Corrective Fault Tolerance(2) The values R’k are changed to satisfy the properties of Theorem, especially (iii), with tk:=log R’k . It is easy to see that tk=0 and that the values tk are random in q, if at least one voter chose the si,j randomly. h k
Corrective Fault Tolerance(3) • No participation in the voting phase: S’:=set of voters who didn’t cast a vote S’:=set of remaining voters Each Voter Vk, k S’ publishes ek:= sk,j and Φk:=( R’j,k) . The value of ek can be publicly verified by checking g := Rk,j Φk must be accompanied by a PK as before. _ _ a -1 k e k
Corrective Fault Tolerance(4) The tally computation can be performed by any third party: T:= B h (Φ ) It is easy to see that T {f ,…,f }, so the number of the positive votes can be found with a brute force attack as before. e -1 k k k -
Multi-Way Elections • In the initialization phase, instead of f, the values f1, f2,…,fn G are given to all parties. • Whenever Vj wants to cast a vote vj he publishes the ballot h fvj, along with a proof of knowledge. • In the final stage the product T1T2…Tc is revealed, where Tk {fk,…,fk }. A total of n search steps in the worst case is required, to reveal the votes each candidate received. tj 0 n-1 c-1
Conclusion • Assuming the existence of an homomorphic encryption with an associated discrete logarithm problem which is secure, and a random oracle hash: Theorem: The described protocol satisfies privacy, fairness(assuming the existence of an honest authority that casts the lest 0-vote), universalverifiability, corrective-fault tolerance, dispute-freeness, self-tallying and perfect ballot secrecy.
Voting Schemes(Jens Groth2004) • Simple self-tallying voting scheme with perfect ballot secrecy, which is more efficient than [KiayiasYung]. • Anonymous broadcast channel with perfect message secrecy (Nothing is revealed about who sent which message, no matter how many parties are corrupted), built on top of a broadcast channel.
Remember notions! • Dispute-freeness: The fact that the participants follow the protocol at any phase can be publicly verified by any casual third party. • Self-tallying: The post-ballot-phase can be performed by any interested third party. • Perfect Ballot Secrecy: The only thing revealed about the voters’ choice is the final result. • Fairness: No partial tally is revealed before the end of the elections.
Properties • Bulletin(message)-board with memory. • The adversary A is polynomial-time, active and static. • The parties work semi-synchronously; the protocol proceeds in phases and the parties act in random order in each phase. We let A decide when to switch phase. decide when to change
Simple Protocol(1) Simple protocol in the honest-but-curious case (Passive),and a yes-or-no voting. Initialization: • The voters agree on a group Gq, of order q, where the DDH problem is hard and on g: generator of Gq. • All voters select randomly a xj q which is kept secret, and they publish hj:=g . x j
Simple Protocol(2) Casting votes: • v1,…,vn {0,1}. • Voter 1 chooses random r1q, and publishes (g ,( hi) g ). • Voter 2 chooses random r2q, and publishes (g , ( hi) g ). … • Voter n chooses random rnq, and publishes (g ,g ). r1 v1 r1 r1+r2 r1+r2 v1+v2 ri vi
Simple Protocol(3) Tallying: • Finally from the last voter’s output we can read off g . vin, so we can compute the 1-votes. • To deal with active adversaries too, all we have to do is add zero-knowledge proofs for correctness. vi
Voting Protocol • n : number of voters • c : number of candidates • k : the security parameter • W : set of possible votes. We encode the vote for candidate i as (n+1) . In this way we can know the exact number of votes each candidate took. i
Voting Protocol(1) Initialization: • The voters agree on a group Gq, of order q, where the DDH problem is hard and on g: generator of Gq. • All voters select randomly a xi q which is kept secret, and they publish hi:=g , along with a proof of knowledge for xi. • Set current state of election (1,1). x i
Voting Protocol(2) Voting Phase: • Voter i wants to cast a vote vi W. He downloads the current state of election (u,v) and verifies the correctness of the keys and all votes cast till now. • He selects random ri from q. He sets: u:=ug v:=vu ( hj) g , where T: the set of remaining voters. • He broadcasts (u,v) along with a proof of knowledge. ri ri vi -xi
Voting Protocol(3) Tallying: The state of the election is (u,v) with v=g . If there are not too many voters and candidates, the discrete logarithm can be computed. Fault-correction: The remaining voters have to repeat the voting phase, with the reduced set of voters. They can gain a factor logc by proving that they cast the same vote… vi
KiayiasYung 1. O(n) exponentiations in thekey regi- stration phase 2. O(nk) size of the key 3. O(n ) exponentiations for the verifi- cation of the keys 4. O(logc) exponentiations in the voting phase Groth 1. O(1) exponentiations in the key regi- stration phase 2. O(k) size of the key 3. O(n) exponentiations for the verifi- cation of the keys 4. O(logc) exponentiations in the voting phase Comparison 2 • The size of the votes and the exponentiations necessary to verify the votes(the voters’ proofs resp.) are the same in both protocols. • In KiayiasYung, many voters can vote simultaneously.
Anonymous Broadcast with PMS Requirements: • Perfect message secrecy: A sender is hidden completely among the group of honest senders. • Self-disclosing: Once the last sender has submitted his message, anybody can see the messages broadcasted. • Fairness: There is no access to a partial tally before the end of the election(assuming the existence of an honest authority that casts the lest 0-vote). • Dispute-freeness: Anybody can verify if the senders follow the protocol or not.
Anonymous Broadcast Protocol(1) • The senders agree on a group Gq of order q, where the DHP is hard, and on a generator g for Gq. • Each sender i selects random xiq and publishes hi:=g , with a proof of knowledge for it. • Sender i wants to send a message mi Gq. We denote S: the set of senders who already sent a message, and T: the set of those who didn’t. The state of the election are the ciphertexts {(uj, vj)} . xi j S\{i}
Anonymous Broadcast Protocol(2) Message submission: • Sender i checks all proofs of the previous senders. Then he encrypts mi as (ui, vi):=(g , ( hj) mi). • He picks random permutation πi over S, permutes all ciphertexts {(uj, vj)} and rerandomizes them into {(Uj,Vj’)} . • Finally he removes one layer of encryption, meaning he computes {(Uj,Vj’Uj )} . • He broadcasts the list of ciphertexts with a Proof of knowledge for having done all that correctly. ri ri j S j S -xi j S
Theorem: The described protocol is self-disclosing, dispute-free, anonymous broadcast protocol with perfect message secrecy.Assuming the existence of an honest authority that doesn’t submit a message himself, the protocol is fair.