Presentation on theme: "1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting Authority: only authorized persons can vote One vote Secrecy: nobody."— Presentation transcript:
1 Receipt-freedom in voting Pieter van Ede
2 Important properties of voting Authority: only authorized persons can vote One vote Secrecy: nobody may know who voted for which candidate Correctness Verifiability Coercion-free: unable to bride or threaten people to vote for particular candidate Show up checks, useability
3 Receipt-freedom Focus of this talk is coercion protection Imagine a threatened or bribed Alice We want to prevent Alice getting a proof of her vote. Called receipt-freedom
4 Rise of electronic voting Government wants cheaper voting Also less dependence on honesty of small number of election officials Electronic voting works efficient
5 Fall of electronic voting No paper trail, so no recounting (Verifiability) No public verifying of voting software If verified, is THIS machine correct? (Correctness) Is what is printed the same as recorded? In the Netherlands, electronic voting is discontinued
6 Change of mind Do not rely on correctness of machine Rely on cryptographic correctness
7 First idea: paper ballots Idea: Choose candidate on machine Machine prints out ballot Voter verifies and puts in box Advantages: User can simply check for correctness No dependance on programmers or machine- integrity
8 First idea: paper ballots (2) Drawbacks: Still counting of paper (could be done automatically) Transportation of paper ballots Not much use for cryptography No coercion freedom: villain demands photograph
9 Ongoing research Many cryptographic protocols proposed: Mixing: scrambles large batches of votes Blind signatures: require safe publishing channel Homomorphic: sum results and decrypt with secure computing Many not receipt-free
10 Second idea Give user receipt Use commitment protocol Commitment protocol: 1.User has secret A. 2.User commits to A by computing y=C(A). There is no A' so C(A)=C(A') and y does not reveil a. 3.User opens y to provide it was a commitment to A.
11 Second idea (2) Receipt-free universally verifiable voting protocol with everlasting privacy. By Tal Moran and Moni Naor (Weizmann Institute of Science, Rehovot, Israel) Based on other protocols, in particular Neff's voting Scheme
12 Properties of Moran-Naor Everlasting privacy, but not in efficient version (Secrecy) Universally verifiable: everybody interested can verify result (Verifiability) Safe on voting machine running malicious code. Receipt-freedom
13 Assumptions of Moran-Naor One-way untappable channel Achieved by requireing a booth Voter must easily verify machine
14 Voter perspective Dharma goes to vote Authorizes with election officials Enters the booth
15 Voter perspective Finds a screen, keyboard and ATM- style printer Votes for Betty
16 Voter perspective Dharma is asked to type random words next to other candidates
17 Voter perspective Printer prints out 2 lines, the commitment to Betty. Dharma must verify that 2 lines were printed. She does not see what was printed, important for next phase.
18 Voters perspective Dharma is asked to input random words next to Betty. This a challenge, later used in the verifiability, therefore she must not know the commitment statement.
19 Voters perspective If all good, press OK. Otherwise, cancel and printout is still worthless. Prints out voter and candidates with random words.
20 Voters perspective Dharma chooses OK, machine prints CERTIFIED RECEIPT. Now there is no way back. Receipt also posted on bulletin board. At home, check if receipt is correct on bulletin board.
21 Receipt-freedom of Moran-Naor Coercer Trudy cannot see in what orde the challenges where given. She might however reverse engineer the commitment. Impossible because of commitment scheme
22 Pedersen commitment scheme Moran-Naor use Pedersen commitments in the efficient scheme Based on the hardness of discrete logarithm
23 Pedersen commitment scheme (2) Computations in Z q 1.Machine commits to secret A. 2.Computes y=P(A,r) (r is random) 3.P(A,r) = h H(A) g r (h, g of order q; H collision free hash function) 4.Verifies that y is commitment of A, by sending (A,r). Only done in context of zero knowledge proof for verifiable counting, so this is safe. Due to random r, commitment never shows secret A to Trudy.
24 Pedersen commitment scheme (3) No A' and r' so P(A',r)=y, because that implies: H A' g r' = h a g r h A' – A = g r – r' r-r' / A'-A = Log g h But we assumed discrete logarithms were hard, so infeasible to do.
25 One step further: Cybervote Project of European Commission Vote via mobile phone or internet All cryptography for nothing: Pressure from father Or friends at bar Could be fixed by allowing changing of votes, but does that work after a night at the bar?
26 Conclusion Advantages: Receipt-freedom Many other nice properties of voting satisfied Feasible Disadvantages: Users must trust mathematicians Coercion by bluffing about commitment Still a lot more work then paper voting Difficult for visually disabled Difficult for older people to use bulletin