Presentation is loading. Please wait.

Presentation is loading. Please wait.

Recipt-free Voting Through Distributed Blinding

Published byReginald Hawkins Modified over 6 years ago

Similar presentations

Presentation on theme: "Recipt-free Voting Through Distributed Blinding"— Presentation transcript:

1 Recipt-free Voting Through Distributed Blinding
Joint work with Markus Jakobsson Ari Juels RSA Laboratories

2 Coercion-free Voting Through Distributed Blinding
Joint work with Markus Jakobsson Ari Juels RSA Laboratories

3 Why do we want coercion-free voting?
Blackmail with a long arm Vote buying Anonymous peer-to-peer networks Vote-buying schemes (e.g., vote-auction.com; Receipt-freeness required Coercion-freeness required Home voting Shoulder surfing Proximate coercion

4 Attack model Attacker cannot interfere with registration process (otherwise can simulate voter) Attacker can provide keying or other material to voter prior to vote (even entire ballot) Two possibilities during vote: Assume no attacker presence at time of vote (countermeasure: receipt-freeness) Assume attacker sometimes present (countermeasure: coercion-freeness) Attacker has access to all public information, i.e., encrypted and decrypted ballots

5 Cast of characters Voter (Alice) I Like Ike Voting authority Attacker

6 Some visual notation Ciphertext Mix network (publicly verifiable)

7 Hirt-Sako approach IDEA: Voter commits publicly to vote, but ballot preparation is secret TOOLS (scheme-specific): Designated verifier proofs DV Proof Untappable channels

8 P2 P1 Ballot blinding Bore Gush Nadir blinded ballot: P = P1 P2
Authority 1 Authority 2 Bore P2 P1 Gush Nadir

9 Voting Authority 1 Authority 2 DV Proof of P1 DV Proof of P2 P = P1 P2

10 Voting Bore Gush Nadir = Alice’s vote Bore  = 1 2

11 Drawbacks Cost per ballot is linear in number of candidates 
Requires untappable channels for vote Not fully coercion resistant, e.g., not resistant to shoulder surfing Not resistant to collusion between adversary and authorities Subject to “randomization” attack 

12 Randomization attack Gush Random choice
Now Alice is unlikely to select her intended choice, Bore

13 “Proof” that collusion resistance is not possible with public verifiability
We must identify voter in order to have public verifiability If attacker controls an authority, he can do “spot checking” In order not to risk “spot checking”, voter must reveal all communication Thus, untappable channels are breached and all transcripts are revealed

14 Our scheme represents a counterexample to this “proof”... (and more?)

15 New tool for our scheme Anonymous credential = Voting key
Essentially a group signature key Carries hidden, identifying tag, called tagi Special enhancement: Also includes validator vali = B(tagi), where B is threshold blinding function tagi vali

16 Some notation Let B’() denote another, independent threshold blinding function Let E[m] denote El Gamal ciphertext on m: Private key held distributively Authorities can jointly decrypt ciphertext B(E[m]) = E[B(m)] (due to El Gamal homomorphism

17 Our new scheme Core ideas: Voter employs anonymous credential
We don’t know who voted (at time of voting) or what was voted Validator required for vote to count Adversary cannot tell whether or not validator is correct Attacker cannot tell whether a vote is valid or not

18 Anatomy of a ballot validator = B(tagi) tagi vali votei proofi
Anonymous credential signature NIZK proof that tagi ciphertext is valid for credential tagi vali

19 Tallying Ballots Step 1: Check group signatures and proofs
tag1 val1 vote1 proof1 ? tag2 val2 vote2 proof2 Authority 1 Authority 2 ? tag3 val3 vote3 proof3 ? . . . tagn valn voten proofn ?

20 Tallying Ballots Step 2: Mixing ballots
Authority 1 Authority 2 . tag1 val1 vote1 tag2 val2 vote2 tagn’ valn’ voten’ re-encryption tag1 val1 vote1 tag2 val2 vote2 tagn’ valn’ voten’ .

21 Tallying Ballots Step 3: Joint blinding and decryption of validators
Authority 1 Authority 2 tag1 val1 vote1 . tag1 vote1 tag2 vote2 tagn’ voten’ B’(val1) B’(val2) B’(valn’) tag2 val2 vote2 . tagn’ valn’ voten’

22 Tallying Ballots Step 4: Elimination of duplicates by validator
Authority 1 Authority 2 tag1 vote1 B’(val1) equal validators tag2 vote2 B’(val2) . . . tag3 B’(val3) vote3 tagn’ B’(valn’) voten’

23 Tallying Ballots Step 5: Verification of validators
Authority 2 Authority 1 E[tag2] If correct, B’(vali) = B’(B(tagi)) tagi votei B’(vali) Authorities compute B’(B(E[tagi])) = E[B’(B(tagi))] and jointly decrypt If result is B’(vali), then validator is correct Otherwise ballot is invalid and is thus removed

24 Tallying Ballots Step 6: Joint decryption of valid votes
Authority 2 Authority 1 = vote1 Gush vote2 Bore vote3 Bore

25 Coersion is eliminated
Key idea: Attacker cannot tell a false validator from a real one If attacker demands voting key, voter can provide false validator If attacker demands that voter cast a certain type of vote, and demands pointer(s) Voter can vote as demanded using false validator Voter can re-vote using correct validator This holds even if attacker colludes with a minority of authorities Well, there’s always Florida

26 Features of scheme Overhead on top of mixing process is minimal, thus the scheme is quite practical Cost is effectively independent of number of candidates No need for untappable channels during vote We need some access to anonymous channels Resistant to “randomization” attacks Resistant to collusion with authorities Potential resistance to shoulder-surfing attack

27 Additions Votes can be countersigned by polling station, indicating priority If registrar publishes voting roll with blinded validators, we can verify publicly that all participants are on roll Requires an additional mixing step Validator may be constructed in threshold manner, distributed with proofs and re-encrypted by registrar Careful modeling required and largely unaddressed

28 Questions?

29 Appendix: Improvement to Hirt-Sako

30 Idea: Secret sharing of vote
Authority 1 Authority 2 V2 V1 Vote = V1V2

31 Idea: Secret sharing of vote
Authority 1 Authority 2 ZK-DV Proof of correct encryption ZK-DV Proof of correct encryption Vote = V1V2

32 And then… x = Vote V1 V2

33 Remarks No randomization attack possible Cost is (1) per vote
By letting Vi = -1 or 1, we can check validity

Download ppt "Recipt-free Voting Through Distributed Blinding"

Similar presentations

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.
Non-interactive Zero- Knowledge Arguments for Voting Jens Groth UCLA.

Non-interactive Zero- Knowledge Arguments for Voting Jens Groth UCLA.
A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:

A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:
Research & Development Workshop on e-Voting and e-Government in the UK - February 27, 2006 Votinbox - a voting system based on smart cards Sébastien Canard.

Research & Development Workshop on e-Voting and e-Government in the UK - February 27, 2006 Votinbox - a voting system based on smart cards Sébastien Canard.
Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran.

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran.
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Talk by Vanessa Teague, University of Melbourne Joint work with Chris Culnane, James Heather & Steve Schneider at University of.

Talk by Vanessa Teague, University of Melbourne Joint work with Chris Culnane, James Heather & Steve Schneider at University of.
Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.

Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.
Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.

Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.
Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)

Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.

ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.
Cryptographic Voting Protocols: A Systems Perspective Chris Karlof Naveen Sastry David Wagner UC-Berkeley Direct Recording Electronic voting machines (DREs)

Cryptographic Voting Protocols: A Systems Perspective Chris Karlof Naveen Sastry David Wagner UC-Berkeley Direct Recording Electronic voting machines (DREs)
1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.

1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.
Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.
Civitas A Secure Remote Voting System Michael Clarkson, Stephen Chong, Andrew Myers Cornell University Dagstuhl Seminar on Frontiers of Electronic Voting.

Civitas A Secure Remote Voting System Michael Clarkson, Stephen Chong, Andrew Myers Cornell University Dagstuhl Seminar on Frontiers of Electronic Voting.
Electronic Voting Presented by Ben Riva Based on presentations and papers of: Schoenmakers, Benaloh, Fiat, Adida, Reynolds, Ryan and Chaum.

Electronic Voting Presented by Ben Riva Based on presentations and papers of: Schoenmakers, Benaloh, Fiat, Adida, Reynolds, Ryan and Chaum.
Civitas Verifiability and Coercion Resistance for Remote Voting Virginia Tech NCR September 14, 2012 Michael Clarkson George Washington University with.

Civitas Verifiability and Coercion Resistance for Remote Voting Virginia Tech NCR September 14, 2012 Michael Clarkson George Washington University with.
Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.

Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.

Similar presentations

Ads by Google