
1 Electronic Voting Schemes and Other stuff

2 Requirements
Only eligible voters can vote (once only)
No one can tell how a voter voted
Publish who voted (?)
Voter cannot be coerced/bribed into voting a certain way
Voter cannot prove how she voted
The final tally is the correct sum
Every voter can verify her vote, or assign another to verify
Everyone can verify the total
No disruption
No partial results known

3 Chaum’s Onion Routing
Note: messages are the same length

4 Voting in Mix Nets
Voters create ballots
Every voter encrypts ballot
t mix servers (one after the other)
Decryption network: encryption peeled off and order randomized in server
Reencryption networks: use El-Gamal

5 El Gamal Encryption
$g$ a generator of $Z_p^*$, $p = 2q+1$
$x$ is the secret key
$y = g^x$ is the public key, $g$ is a generator
$E(m) = (g^r, m y^r) = (c_1, c_2)$, $r$ random, is the encryption
$D(c_1, c_2) = c_2 / c_1^x = m$
Reencryption: $ReEnc(c_1, c_2) = (c_1 g^s, c_2 y^s)$, $s$ random, is the reencryption

6 Need to prove correct reencryption
$c_1 = (g^t, m_1 y^t)$
$c_2 = (g^u, m_2 y^u)$
$c_1[1]/c_2[1] = g^{t-u} = g^r = w$ (Define $r = t-u$, $w$)
$c_1[2]/c_2[2] = y^{t-u} = (m_1/m_2) y^r = u$
Prover/Verifier Protocol
Prover -> Verifier: $(g^s, y^s) = (a, b)$
Verifier -> Prover: $c$
Prover -> Verifier: $t = s + cr$; check that $g^t = a w^c$ and that $y^t = b u^c$
Verifier needs to be honest here, why?
What does verifier learn?
$y = g^x$

7 Chaum Pedersen
For G, X, H, Y prove that
– $\log_G X = \log_H Y$
Honest Verifier Zero Knowledge Proof of Knowledge
Example question for exam:
– Define HVZK proof of knowledge
– Prove that Chaum Pedersen protocol is HVZK proof of knowledge

8 Honest Verifier ZK (Sigma-Nets)
x is common input to P, V; w is a witness for x, private to P
P sends a message a
V sends a random t-bit string e
P sends a reply z
V decides to accept or reject based on the data he has seen, i.e. x, a, e, z.

9 Honest Verifier ZK
For any (a, e, z), (a, e’, z’) where $e \neq e'$, one can efficiently compute a witness w for x
There exists a polynomial-time simulator M, which on input x and a random e outputs an accepting conversation of the form (a, e, z), with the same probability distribution as conversations between the honest P, V on input x.
Proofs of Knowledge: resettable P allows simulator to compute witness w.

10 Homomorphic El Gamal
$c_1 = (g^t, m_1 y^t)$
$c_2 = (g^u, m_2 y^u)$
$c_1 c_2 = (g^{t+u}, m_1 m_2 y^{t+u})$
Encode: 1 = no vote, g = yes vote
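A tally built on this homomorphism, as an added example that is not part of the original slides. It assumes the same constructed toy group (p = 2039, q = 1019, g = 4), fewer than q ballots, and a single key holder who decrypts only the product; the function names are illustrative.

```python
import secrets

# Constructed toy group: P = 2Q + 1, G = 4 has prime order Q.
P, Q, G = 2039, 1019, 4

def encrypt_vote(y, yes):
    """Encode no as 1 and yes as g, then El Gamal encrypt under public key y."""
    r = secrets.randbelow(Q)
    m = G if yes else 1
    return pow(G, r, P), m * pow(y, r, P) % P

def combine(ballots):
    """Component-wise product: an encryption of g^(number of yes votes)."""
    c1 = c2 = 1
    for a, b in ballots:
        c1, c2 = c1 * a % P, c2 * b % P
    return c1, c2

def decrypt(x, c):
    return c[1] * pow(c[0], -x, P) % P          # c2 / c1^x

def tally(x, ballots):
    """Decrypt only the product, then find n with g^n equal to the plaintext."""
    target = decrypt(x, combine(ballots))
    acc = 1
    for n in range(len(ballots) + 1):
        if acc == target:
            return n
        acc = acc * G % P
    raise ValueError("product is not g^n for any n up to the number of ballots")
```

No individual ballot is ever decrypted. Nothing in this sketch checks that a ballot encrypts 1 or g rather than some other power of g, so a deployed scheme also needs a validity proof per ballot.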

11 Payments
Untraceable electronic cash
– Online
– Offline
Micropayment protocols
“Real Protocols” – SET, EMC,
– EMC is really used, old
– SET seems to be dead in the water

12 Main idea (Chaum): blind signatures
RSA: $m^{1/e} \bmod n$
Blind RSA:
– Two party protocol:
Alice sends Bob $(r^e m) \bmod n$
Bob computes $(r^e m)^{1/e} = r\, m^{1/e} \bmod n$
Alice computes $m^{1/e} \bmod n$
Problems:
– Alice can get Bob to sign anything,
– Bob does not know what he is signing

13 Online Non-Anonymous Cash
Let’s follow the flow of a $1 bill:
Alice takes the string m = “account number” || “serial number”, chooses a random r, and sends $m r^e \bmod n$ to the bank
The bank signs this message and sends $m^{1/e} r$ to Alice
Alice extracts a signature on “account number” || “serial number” ($m^{1/e}$), and gives it to the merchant
The merchant sends this to the bank, which verifies that the bill has not been used previously

14 Problems
No anonymity
What is Alice getting signed anyway? The bank does not know.
– Imagine that a signature on the string “f(s)” means one dollar
– Alice could prove to the bank that this is the format of what she is asking for
Could be done via general multiparty computation
Could be done via cut and choose (the rabbit problem)

15 Online Anonymous Cash
Alice chooses a random s, r, sends $r^e f(s)$ to the bank
The bank debits Alice’s account by $1 and sends $r\, f(s)^{1/e}$ to Alice
Alice extracts $f(s)^{1/e}$, and gives it and s to the merchant
The merchant sends this to the bank, which verifies that the bill (s) has not been used previously

16 Advantages & Problems:
The bank has given Alice a bill, but does not know what the bill looks like
The bank cannot later identify Alice with the bill
The bank must be online at all times to identify bills
Multiparty computation is entirely inefficient
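The online anonymous cash flow of slides 12 to 16, as an added example that is not part of the original slides. It assumes a constructed toy RSA key (n = 61 * 53), takes f to be SHA-256 reduced mod n, and uses a hypothetical `Bank` class to stand for the online bank.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key (n = 61 * 53). D is the bank's secret exponent.
N, E, D = 3233, 17, 2753

def f(s):
    """Assumed bill format: SHA-256 of the serial s, reduced mod n."""
    return int.from_bytes(hashlib.sha256(s).digest(), "big") % N

def blind(s):
    """Alice: pick r coprime to n and send r^e f(s) mod n."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r, pow(r, E, N) * f(s) % N

def unblind(r, signed):
    """Alice: divide out r to obtain f(s)^(1/e) mod n."""
    return signed * pow(r, -1, N) % N

class Bank:
    def __init__(self):
        self.balance = {"alice": 2}     # constructed account
        self.spent = set()              # serials already deposited

    def withdraw(self, account, blinded):
        """Debit $1 and sign the blinded value without seeing f(s)."""
        if self.balance[account] < 1:
            raise ValueError("insufficient funds")
        self.balance[account] -= 1
        return pow(blinded, D, N)

    def deposit(self, s, sig):
        """Online check: valid signature on f(s) and serial not seen before."""
        if pow(sig, E, N) != f(s) or s in self.spent:
            return False
        self.spent.add(s)
        return True
```

The bank sees only the blinded value at withdrawal and only (s, signature) at deposit, so it cannot link the two; the `spent` set is the reason it must be online for every payment.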

17 How to do cut and choose here
Alice sends the bank many values $z_1, z_2, \ldots, z_k$
The bank asks Alice to reveal ½ of the values $z_i = r_i (f(s_i))$
The bank extracts the root of the multiplication of all the others
The bill is valid if it is the root of a product of $f(s_i)$
Remark: in this case, it’s not clear that we need Alice to prove anything to the bank; any deviation from the protocol by Alice can only harm her

18 How to do Offline Anonymous Cash?
If Alice “double spends” – she will be caught and identified
If Alice does not – her anonymity is guaranteed
The merchant cannot reuse the money (other than send it to the bank)

19 Idea: encode Alice’s identity into the money
Alice generates $f(s_1), f(s_2), \ldots, f(s_k)$, $t_1 || f(t_1), f(t_2), \ldots, f(t_k)$, such that $s_i$ xor $t_i$ = “Alice”
Alice sends blinded versions of all of these to the bank
The bank verifies the correctness and sends Alice the root of the product of the indices not revealed
The merchant asks Alice for the signature and for a random subset of the indices
If Alice double spends, her identity becomes known to the bank.

20 El-Gamal Signature Scheme
Generation
Pick a prime p of length 1024 bits such that DL in $Z_p^*$ is hard.
Let g be a generator of $Z_p^*$.
Pick x in [2, p-2] at random.
Compute $y = g^x \bmod p$.
Public key: p, g, y.
Private key: x.

21 El-Gamal Signature Scheme
Signing M
Hash: Let m = H(M).
Pick k in [1, p-2] relatively prime to p-1 at random.
Compute $r = g^k \bmod p$.
Compute $s = (m - rx) k^{-1} \bmod (p-1)$ (***)
Output r and s.

22 El-Gamal Signature Scheme
Verify M, r, s, PK
Compute m = H(M).
Accept if $0 < r < p$ and $y^r r^s = g^m \bmod p$, else reject.
What’s going on?
By (***) $s = (m - rx) k^{-1} \bmod (p-1)$, so $sk + rx = m$.
Now $r = g^k$ so $r^s = g^{ks}$, and $y = g^x$ so $y^r = g^{rx}$, implying $y^r r^s = g^m$.

23 The Digital Signature Algorithm (DSA)
Let p be an L bit prime such that the discrete log problem mod p is intractable
Let q be a 160 bit prime that divides p-1
Let α be a q’th root of 1 modulo p.
How do we compute α?

24 The Digital Signature Algorithm (DSA)
p – prime, q – prime, $p-1 = 0 \bmod q$, $\alpha = 1^{1/q} \bmod p$
Private key: random $1 \le s \le q-1$.
Public key: $(p, q, \alpha, \beta = \alpha^s \bmod p)$
Signature on message M:
– Choose a random $1 \le k \le p-1$, secret!!
Part I: $(\alpha^k \bmod p) \bmod q$
Part II: $(SHA(M) + s \cdot (PART\ I)) / k \bmod q$

25 The Digital Signature Algorithm (DSA)
p – prime, q – prime, $p-1 = 0 \bmod q$, $\alpha = 1^{1/q} \bmod p$
Private key: random $1 \le s \le q-1$.
Public key: $(p, q, \alpha, \beta = \alpha^s \bmod p)$.
Signature on message M: Choose a random $1 \le k \le p-1$, secret!!
– Part I: $(\alpha^k \bmod p) \bmod q$
– Part II: $(SHA(M) + s \cdot (PART\ I)) / k \bmod q$
Verification:
– $e_1 = SHA(M) / (PART\ II) \bmod q$
– $e_2 = (PART\ I) / (PART\ II) \bmod q$
– OK if

26 The Digital Signature Algorithm

27 Testing Primitive Elements mod p
Let p be a prime number so that the prime factorization of p-1 is known: $p-1 = q_1^{e_1} q_2^{e_2} \cdots q_k^{e_k}$ ($q_1, q_2, \ldots, q_k$ primes).
Theorem: $g \in Z_p$ is a primitive element in $Z_p$ iff $g^{(p-1)/q_1}, g^{(p-1)/q_2}, \ldots, g^{(p-1)/q_k}$ are all $\neq 1 \bmod p$
Algorithm: Efficiently compute all k powers.
Caveat: Requires factorization of p-1.

28 Proof
If g is primitive mod p then $g^i \bmod p \neq 1$ for all $1 \le i \le p-2$
If g is not a primitive element mod p, let d be the order of g. d divides p-1; let q be a prime divisor of (p-1)/d, then $g^d = 1 \bmod p$, d divides (p-1)/q, and so $g^{(p-1)/q} = 1 \bmod p$.
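The test from slide 27 cross-checked against brute-force orders, as an added example that is not part of the original slides. It goes slightly beyond the slide by using the same exponent trick to produce an element of prime order q, as DSA's α on slide 23 requires; the primes 31 and 2039 and all function names are constructed for illustration.

```python
def prime_factors(n):
    """Distinct prime factors by trial division (fine for toy sizes only)."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out

def is_primitive(g, p, factors):
    """Slide 27 theorem: g is primitive iff g^((p-1)/q) != 1 for each prime q | p-1."""
    return g % p != 0 and all(pow(g, (p - 1) // q, p) != 1 for q in factors)

def order(g, p):
    """Brute-force multiplicative order, used only to cross-check the theorem."""
    k, acc = 1, g % p
    while acc != 1:
        acc, k = acc * g % p, k + 1
    return k

def element_of_order(q, p):
    """For prime q dividing p-1: h^((p-1)/q) has order exactly q unless it is 1."""
    for h in range(2, p):
        alpha = pow(h, (p - 1) // q, p)
        if alpha != 1:
            return alpha

def primitive_elements(p):
    """All primitive elements mod p, using k modular powers per candidate."""
    factors = prime_factors(p - 1)
    return [g for g in range(1, p) if is_primitive(g, p, factors)]
```

The test needs only k modular exponentiations per candidate, whereas `order` walks up to p-1 steps; the cost is that the factorization of p-1 must be known, which is the caveat on slide 27.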

