Recipt-free Voting Through Distributed Blinding Joint work with Markus Jakobsson Ari Juels RSA Laboratories

Coercion-free Voting Through Distributed Blinding Joint work with Markus Jakobsson Ari Juels RSA Laboratories

Why do we want coercion-free voting? Blackmail with a long arm Vote buying Anonymous peer-to-peer networks Vote-buying schemes (e.g., vote-auction.com; http://62.116.31.68/) Receipt-freeness required Coercion-freeness required Home voting Shoulder surfing Proximate coercion

Attack model Attacker cannot interfere with registration process (otherwise can simulate voter) Attacker can provide keying or other material to voter prior to vote (even entire ballot) Two possibilities during vote: Assume no attacker presence at time of vote (countermeasure: receipt-freeness) Assume attacker sometimes present (countermeasure: coercion-freeness) Attacker has access to all public information, i.e., encrypted and decrypted ballots

Cast of characters Voter (Alice) I Like Ike Voting authority Attacker

Some visual notation Ciphertext Mix network (publicly verifiable)

Hirt-Sako approach IDEA: Voter commits publicly to vote, but ballot preparation is secret TOOLS (scheme-specific): Designated verifier proofs DV Proof Untappable channels

P2 P1 Ballot blinding Bore Gush Nadir blinded ballot: P = P1 P2 Authority 1 Authority 2 Bore P2 P1 Gush Nadir

Voting Authority 1 Authority 2 DV Proof of P1 DV Proof of P2 P = P1 P2

Voting Bore Gush Nadir = Alice’s vote Bore  = 1 2

Drawbacks Cost per ballot is linear in number of candidates  Requires untappable channels for vote Not fully coercion resistant, e.g., not resistant to shoulder surfing Not resistant to collusion between adversary and authorities Subject to “randomization” attack 

Randomization attack Gush Random choice Now Alice is unlikely to select her intended choice, Bore

“Proof” that collusion resistance is not possible with public verifiability We must identify voter in order to have public verifiability If attacker controls an authority, he can do “spot checking” In order not to risk “spot checking”, voter must reveal all communication Thus, untappable channels are breached and all transcripts are revealed

Our scheme represents a counterexample to this “proof”... (and more?)

New tool for our scheme Anonymous credential = Voting key Essentially a group signature key Carries hidden, identifying tag, called tagi Special enhancement: Also includes validator vali = B(tagi), where B is threshold blinding function tagi vali

Some notation Let B’() denote another, independent threshold blinding function Let E[m] denote El Gamal ciphertext on m: Private key held distributively Authorities can jointly decrypt ciphertext B(E[m]) = E[B(m)] (due to El Gamal homomorphism

Our new scheme Core ideas: Voter employs anonymous credential We don’t know who voted (at time of voting) or what was voted Validator required for vote to count Adversary cannot tell whether or not validator is correct Attacker cannot tell whether a vote is valid or not

Anatomy of a ballot validator = B(tagi) tagi vali votei proofi Anonymous credential signature NIZK proof that tagi ciphertext is valid for credential tagi vali

Tallying Ballots Step 1: Check group signatures and proofs tag1 val1 vote1 proof1 ? tag2 val2 vote2 proof2 Authority 1 Authority 2 ? tag3 val3 vote3 proof3 ? . . . tagn valn voten proofn ?

Tallying Ballots Step 2: Mixing ballots Authority 1 Authority 2 . tag1 val1 vote1 tag2 val2 vote2 tagn’ valn’ voten’ re-encryption tag1 val1 vote1 tag2 val2 vote2 tagn’ valn’ voten’ .

Tallying Ballots Step 3: Joint blinding and decryption of validators Authority 1 Authority 2 tag1 val1 vote1 . tag1 vote1 tag2 vote2 tagn’ voten’ B’(val1) B’(val2) B’(valn’) tag2 val2 vote2 . tagn’ valn’ voten’

Tallying Ballots Step 4: Elimination of duplicates by validator Authority 1 Authority 2 tag1 vote1 B’(val1) equal validators tag2 vote2 B’(val2) . . . tag3 B’(val3) vote3 tagn’ B’(valn’) voten’

Tallying Ballots Step 5: Verification of validators Authority 2 Authority 1 E[tag2] If correct, B’(vali) = B’(B(tagi)) tagi votei B’(vali) Authorities compute B’(B(E[tagi])) = E[B’(B(tagi))] and jointly decrypt If result is B’(vali), then validator is correct Otherwise ballot is invalid and is thus removed

Tallying Ballots Step 6: Joint decryption of valid votes Authority 2 Authority 1 = vote1 Gush vote2 Bore vote3 Bore

Coersion is eliminated Key idea: Attacker cannot tell a false validator from a real one If attacker demands voting key, voter can provide false validator If attacker demands that voter cast a certain type of vote, and demands pointer(s) Voter can vote as demanded using false validator Voter can re-vote using correct validator This holds even if attacker colludes with a minority of authorities Well, there’s always Florida

Features of scheme Overhead on top of mixing process is minimal, thus the scheme is quite practical Cost is effectively independent of number of candidates No need for untappable channels during vote We need some access to anonymous channels Resistant to “randomization” attacks Resistant to collusion with authorities Potential resistance to shoulder-surfing attack

Additions Votes can be countersigned by polling station, indicating priority If registrar publishes voting roll with blinded validators, we can verify publicly that all participants are on roll Requires an additional mixing step Validator may be constructed in threshold manner, distributed with proofs and re-encrypted by registrar Careful modeling required and largely unaddressed

Questions?

Appendix: Improvement to Hirt-Sako

Idea: Secret sharing of vote Authority 1 Authority 2 V2 V1 Vote = V1V2

Idea: Secret sharing of vote Authority 1 Authority 2 ZK-DV Proof of correct encryption ZK-DV Proof of correct encryption Vote = V1V2

And then… x = Vote V1 V2

Remarks No randomization attack possible Cost is (1) per vote By letting Vi = -1 or 1, we can check validity