1 / 57

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

Tal Moran Joint work with Moni Naor. Receipt-Free Universally-Verifiable Voting With Everlasting Privacy. Outline of Talk. Motivation for Cryptographic Voting Flavors of Privacy (and why we care) Cryptographic Voting Scheme based on commitment with equivalence proof

olga-mathews
Download Presentation

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Tal Moran Joint work with Moni Naor Receipt-FreeUniversally-Verifiable Voting With Everlasting Privacy

  2. Outline of Talk • Motivation for Cryptographic Voting • Flavors of Privacy (and why we care) • Cryptographic Voting Scheme based on commitment with equivalence proof • We’ll use physical metaphors and a simplified model

  3. Voting: The Challenge • Requirements based on democratic principles: • Outcome should reflect the “people’s will” • Fairness • One person, one vote • Privacy • Not a principle in itself;required for fairness • Cast-as-intended • Counted-as-cast Additional requirements: Authorization, Availability

  4. A [Very] Brief History of Voting • Ancient Greece (5th century BCE) • Paper Ballots • Rome: 2nd century BCE(Papyrus) • USA: 17th century • Secret Ballots (19th century) • The Australian Ballot • Lever Machines • Optical Scan (20th century) • Direct Recording Electronic(DRE)

  5. The Case for Cryptographic Voting • Elections don’t just name the winnermust convince the loser they lost! • Elections need to be verifiable • Counting in public: • Completely verifiable • But no vote privacy • Using cryptography , we can get both!

  6. Voting with Mix-Nets • Idea due to David Chaum (1981) • Multiple “Election Authorities” • Assume at least one is honest • Each voter creates “Onion Ballot” • Authorities decrypt and shuffle • No Authority knows all permutations • Authorities can publish “proof of shuffle” No No Yes No Yes Yes No No Yes No No No No

  7. How Private is Private? • Intuition: No one can tell how you voted • This is not always possible • Best we can hope for: • As good as the “ideal” vote counter i1 i2 in … v1 v2 vn Tally

  8. Privacy and Coercion • Vote privacy is essential to prevent coercion • Computational privacy holds only as long as its underlying assumptions • Almost all universally verifiable voting schemes rely on public-key encryption • Belief in privacy violation isenough for coercion! Existing public-key schemes with current key lengths are likely to be broken in less than 30 years! [RSA conference ’06]

  9. Privacy is not Enough! • Voter can sell vote by disclosing randomness • Example: Italian Village Elections • System allows listing candidatesin any order • Bosses gave a different permutation of“approved” candidates to each voter • They could check which permutationsdidn’t appear • Need “Receipt-Freeness”[Benaloh&Tuinstra 1994]

  10. Who can you trust to encrypt? • Public-key encryption requires computers • Voting at home • Coercer can sit next to you • Voting in a polling booth • Can you trust the polling computer? • Verification should be possible for a human! • Receipt-freeness and privacy are also affected.

  11. Our Contributions First Universally Verifiable Voting SchemeBased on General Assumptions • First Universally Verifiable Scheme based onGeneral Assumption • Previous schemes required special properties(e.g. a homomorphic encryption scheme) • Our scheme can be based on any non-interactive commitment • First Receipt-Free Voting Scheme withEverlasting Privacy • Uses statistically hiding commitment instead of encryption • Formal definition of Receipt-Freeness • Proof of security (integrity) in UC model • Security against arbitrary coalitions “for free” First Receipt-Free Voting Scheme withEverlasting Privacy

  12. Alice and Bob for Class President • Cory “the Coercer” wants to rig the election • He can intimidate all the students • Only Mr. Drew is not afraid of Cory • Everybody trusts Mr. Drew to keep secrets • Unfortunately, Mr. Drew also wants to rig the election • Luckily, he doesn't stoop to blackmail • Sadly, all the students suffer severe RSI • They can't use their hands at all • Mr. Drew will have to cast their ballots for them

  13. Commitment with “Equivalence Proof” • We use a 20g weight for Alice... • ...and a 10g weight for Bob • Using a scale, we can tell if two votes are identical • Even if the weights are hidden in a box! • The only actions we allow are: • Open a box • Compare two boxes

  14. Additional Requirements • An “untappable channel” • Students can whisper in Mr. Drew's ear • Commitments are secret • Mr. Drew can put weights in the boxes privately • Everything else is public • Entire class can see all of Mr. Drew’s actions • They can hear anything that isn’t whispered • The whole show is recorded on video (external auditors) I’m whispering

  15. Ernie Casts a Ballot • Ernie whispers his choice to Mr. Drew I like Alice

  16. Ernie Casts a Ballot • Mr. Drew puts a box on the scale • Mr. Drew needs to prove to Ernie that the box contains 20g • If he opens the box, everyone else will see what Ernie voted for! • Mr. Drew uses a “Zero Knowledge Proof” Ernie

  17. Ernie Casts a Ballot Ernie Casts a Ballot • Mr. Drew puts k (=3) “proof” boxes on the table • Each box should contain a 20g weight • Once the boxes are on the table, Mr. Drew is committed to their contents Ernie

  18. Ernie Ernie Ernie Casts a Ballot Weigh 1Open 2Open 3 • Ernie “challenges” Mr. Drew; For each box, Ernie flips a coin and either: • Asks Mr. Drew to put the box on the scale (“prove equivalence”) • It should weigh the same as the “Ernie” box • Asks Mr. Drew to open the box • It should contain a 20g weight

  19. Ernie Casts a Ballot Open 1Weigh 2Open 3 • If the “Ernie” box doesn’tcontain a 20g weight, every proof box: • Either doesn’t contain a 20g weight • Or doesn’t weight the same as theErnie box • Mr. Drew can fool Ernie with probability at most 2-k Ernie

  20. Ernie Casts a Ballot • Why is this Zero Knowledge? • When Ernie whispers to Mr. Drew,he can tell Mr. Drew what hischallenge will be. • Mr. Drew can put 20g weights in the boxes he will open, and 10g weights in the boxes he weighs I like Bob Open 1Weigh 2Weigh 3

  21. Ernie Ernie Casts a Ballot: Full Protocol • Ernie whispers his choice and a fake challenge to Mr. Drew • Mr. Drew puts a box on the scale • it should contain a 20g weight • Mr. Drew puts k “Alice” proof boxesand k “Bob” proof boxes on the table • Bob boxes contain 10g or 20g weights according to the fake challenge I like Alice Open 1Weigh 2Weigh 3

  22. Ernie Ernie Ernie Casts a Ballot: Full Protocol Open 1Open 2Weigh 3 • Ernie shouts the “Alice” (real) challenge and the “Bob” (fake) challenge • Drew responds to the challenges • No matter who Ernie voted for,The protocol looks exactly the same! Open 1Weigh 2Weigh 3

  23. r Implementing “Boxes and Scales” • We can use Pedersen commitment • G: a cyclic (abelian) group of prime order p • g,h: generators of G • No one should know loggh • To commit to m2Zp: • Choose random r2Zp • Send x=gmhr • Statistically Hiding: • For any m, x is uniformly distributed in G • Computationally Binding: • If we can find m’m and r’ such that gm’hr’=x then: • gm-m’=hr-r’1, so we can compute loggh=(r-r’)/(m-m’)

  24. r s Implementing “Boxes and Scales” • To prove equivalence of x=gmhr and y=gmhs • Prover sends t=r-s • Verifier checks that yht=x h g h g t=r-s

  25. A “Real” System Hello Ernie, Welcome to VoteMaster Please choose your candidate: Alice Bob 1 Receipt for Ernie 2 o63ZJVxC91rN0uRv/DtgXxhl+UY= 3 - Challenges - 4 Alice: 5 Sn0w 619- ziggy p3 6 Bob: 7 l4st phone et spla 8 - Response - 9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ= 0 === Certified ===

  26. A “Real” System Hello Ernie, You are voting for Alice Please enter a fake challenge for Bob Alice: l4st phone et spla Bob : Continue 1 Receipt for Ernie 2 o63ZJVxC91rN0uRv/DtgXxhl+UY= 3 - Challenges - 4 Alice: 5 Sn0w 619- ziggy p3 6 Bob: 7 l4st phone et spla 8 - Response - 9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ= 0 === Certified ===

  27. A “Real” System Hello Ernie, You are voting for Alice Make sure the printer has output twolines (the second line will be covered)Now enter the real challenge for Alice Alice: Sn0w 619- ziggy p3 l4st phone et spla Bob : Continue 1 Receipt for Ernie 2 o63ZJVxC91rN0uRv/DtgXxhl+UY= 3 - Challenges - 4 Alice: 5 Sn0w 619- ziggy p3 6 Bob: 7 l4st phone et spla 8 - Response - 9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ= 0 === Certified ===

  28. A “Real” System Hello Ernie, You are voting for Alice Please verify that the printed challengesmatch those you entered. Alice: Sn0w 619- ziggy p3 l4st phone et spla Bob : Finalize Vote 1 Receipt for Ernie 2 o63ZJVxC91rN0uRv/DtgXxhl+UY= 3 - Challenges - 4 Alice: 5 Sn0w 619- ziggy p3 6 Bob: 7 l4st phone et spla 8 - Response - 9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ= 0 === Certified ===

  29. A “Real” System Hello Ernie, Thank you for voting Please take your receipt 1 Receipt for Ernie 2 o63ZJVxC91rN0uRv/DtgXxhl+UY= 3 - Challenges - 4 Alice: 5 Sn0w 619- ziggy p3 6 Bob: 7 l4st phone et spla 8 - Response - 9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ= 0 === Certified ===12

  30. Ernie Fay Guy Heidi Counting the Votes • Mr. Drew announces the final tally • Mr. Drew must prove the tally correct • Without revealing who voted for what! • Recall: Mr. Drew is committed toeveryone’s votes Alice: 3Bob: 1

  31. Ernie Fay Guy Heidi Counting the Votes Weigh WeighOpen • Mr. Drew puts k rows ofnew boxes on the table • Each row should contain the same votes in a random order • A “random beacon” gives k challenges • Everyone trusts that Mr. Drewcannot anticipate thechallenges Alice: 3Bob: 1

  32. Ernie Fay Guy Heidi Ernie Fay Guy Heidi Counting the Votes Weigh WeighOpen • For each challenge: • Mr. Drew proves that the row contains a permutation of the real votes Alice: 3Bob: 1

  33. Ernie Fay Guy Heidi Counting the Votes Weigh WeighOpen • For each challenge: • Mr. Drew proves that the row contains a permutation of the real votes Or • Mr. Drew opens the boxes andshows they match the tally Alice: 3Bob: 1 Fay

  34. Ernie Fay Guy Heidi Counting the Votes Weigh WeighOpen • If Mr. Drew’s tally is bad • The new boxes don’t matchthe tally Or • They are not a permutationof the committed votes • Drew succeeds with prob.at most 2-k Alice: 3Bob: 1 Fay

  35. Ernie Fay Guy Heidi Counting the Votes Weigh WeighOpen • This prototocol does notreveal information aboutspecific votes: • No box is both opened andweighed • The opened boxes are ina random order Alice: 3Bob: 1 Fay

  36. Using “Standard” Commitment • Is the equivalence proof necessary? • Our new metaphor: Locks and Keys • Assumptions: • Every key fits a single lock • Every lock has only one key • No one can tell by just looking whether a key fits a lock

  37. Private Commitment with Locks and Keys • To commit to a message: • Privately lock the message using a key • Put the key (or lock) on the table • The key only fits one lock • To open the commitment, show the lock and open it

  38. Private Nested Commitments • We have an additional trick: • Commitment to a commitment • We can put a key on the lock instead of a message • The locked key is a commitment to the commitment to the message

  39. Private Nested Commitments • We can open the “external” commitment without giving any information about the “internal” • Or open the “internal” one without revealing the “external”

  40. Private Ernie Casts a Ballot • Ernie whispers his choice to Mr. Drew • Mr. Drew creates 2k doublecommitments to Ernie’s choice • Mr. Drew now proves to Ernie thatmost of the commitments are correct • He uses a Zero Knowledge proof I like Alice

  41. Private Ernie Casts a Ballot • Ernie chooses a random permutation • Drew rearranges keysand locks by this permutation 2314

  42. Private Ernie Casts a Ballot • Drew reveals k of the internalcommitments • Does not open external commitments! • Ernie makes k challenges Candidate 1Connection 2

  43. Private Ernie Casts a Ballot • Drew responds to challenges • Opens internal commitment Candidate 1Connection 2

  44. Private Ernie Casts a Ballot • Drew responds to challenges • Opens internal commitment Or • Opens external commitment Candidate 1Connection 2

  45. Ernie Casts a Ballot: Proof Intuition • If a large fraction of Drew’s commitments are bad • After shuffling, a large fraction of bad commitments will be in the first k • For each bad commitment: • Either Drew cannot open internal commitment Or • Drew cannot open external commitment • Drew cheats successfully with prob. exponentially small in k

  46. Ernie Casts a Ballot: Zero Knowledge • If Drew knows Ernie’s challengein advance • He creates “fake”internal commitments Candidate 1Connection 2 Private

  47. Ernie Casts a Ballot: Zero Knowledge • Drew can “prove” Ernievoted for Bob Candidate 1Connection 2 Private

  48. Ernie Casts a Ballot: Receipt Freeness • We use the same technique as previously • Ernie whispers his choiceand a fake challenge • Drew “proves” that Ernievoted for Bob using the fake challenge • And that Ernie voted for Alice usinga real challenge • The real and fake proofs are indistinguishable to everyone else I like Alice Candidate 1Candidate 2

  49. Private Counting the Votes Alice: 3Bob: 1 • Drew reveals the tally • Random beacon providesn permutations of 1,…,k • Drew permutes the columns Ernie: 12 Fay: 12Guy: 21Heidi: 21 Ernie Fay Guy Heidi Ernie Fay Guy Heidi

  50. Private Ernie Ernie Fay Fay Guy Heidi Heidi Ernie Fay Fay Guy Guy Heidi Heidi Counting the Votes • Drew chooses k randompermutations of 1,…,n • Drew permutes the rows(of internal commitments) Row1: 2431Row2: 1342

More Related