Presentation is loading. Please wait.

Presentation is loading. Please wait.

Electronic Voting Presented by Ben Riva Based on presentations and papers of: Schoenmakers, Benaloh, Fiat, Adida, Reynolds, Ryan and Chaum.

Published byNickolas Stephens Modified over 9 years ago

Similar presentations

Presentation on theme: "Electronic Voting Presented by Ben Riva Based on presentations and papers of: Schoenmakers, Benaloh, Fiat, Adida, Reynolds, Ryan and Chaum."— Presentation transcript:

1 Electronic Voting Presented by Ben Riva Based on presentations and papers of: Schoenmakers, Benaloh, Fiat, Adida, Reynolds, Ryan and Chaum

2 Agenda Why now-days paper based elections are not enough? What properties any voting scheme must achieve and why it is so hard? Few cryptography primitives in a nutshell. Schemes that the voter uses a computer in the booth. Why it is not enough? The concept of voter- verifiability. Voter Verifiable voting schemes –Scratch and Vote. –Rynolds’ scheme. What next?

3 Paper Based Elections Flexible Simple to understand Simple to perform Transparent But, a famous man once said - "Those who cast the votes decide nothing. Those who count the votes decide everything."

4 Why Paper Based Elections Are Not Enough? Votes can be easily altered. Votes can easily be defected. Weak privacy. Re-counts means almost nothing.

5 What Do We Want? Unforgeability: No one can falsify the result of the voting. Eligibility, Unreusability: Respectively requires that only eligible voters vote and no voter can vote twice. Auditability, Universal auditability: The first describes the ability of any individual voter to determine whether or not his vote has been correctly placed. The second corresponds to the ability of any auditor to determine that the whole protocol was followed correctly, given that votes had been correctly placed. Robustness: Dishonest participants can not disrupt the voting. In particular cheating players should be detected and it should be possible to prove their malicious behavior and finish the voting process and the counting without their help. Privacy: No one can link a voter with his vote. Coercion resistance (also called receipt freeness): A voter can not prove how he voted. This is essential for avoiding vote selling.

6 Why Is It Hard? Good privacy and universal verifiability at the same time … Coercion resistance and unforgability…

7 Few Cryptography Primitives in a Nutshell

8 One-Way Functions A function f: D  R is called one-way if: –Computing f(x) is “easy”. –Computing f -1 (y) for almost all the images is “hard”. E.g. (under the DL assumption) –Prime p and a generator g of Z p *. –f(x) = g x (mod p).

9 RSA Cryptosystem Famous Public Key cryptosystem –A key generation algorithm Let N=pq be the product of two primes Choose e such that gcd(e,  (N))=1 Let d be such that de  1 mod  (N) The public key is (N,e) The private key is d –An encryption algorithm Encryption of M  Z N * by C=E(M)=M e mod N –A Decryption algorithm Decryption of C  Z N * by M=D(C)=C d mod N

10 El Gamal Cryptosystem Probabilistic, homomorphic public-key encryption scheme over a multiplicative group of prime order. A key generation algorithm Publicly choose two large primes q` and q such that q | q`-1, i.e., q` = qk+1 for some integer k. We also fix a generator g` of F * q`. The cyclic group G we work with is the one generated by g = (g`) k and has order (q`- 1)/k = q. Private key x  G. Public key y = g x.

11 An encryption algorithm To encrypt m  G we choose uniformly at random r  [1.. q - 1] and output E(q`, q, g, m, y; r) = (g r, m· y r ). A Decryption algorithm To decrypt a tuple (a,b) we compute m = ba -x. We abbreviate E(q`, q, g, m, y; r) to E(m, y; r). ElGamal Encryption is multiplicative homomorphic, meaning - E(m 1, y;r 1 )*E(m 2, y;r 2 ) = E(m 1 m 2, y;r 1 + r 2 ). –Re-encryption of E(m,y;r 1 ) is E(m,y;r 1 )*E(1,y;r 2 ) which results in E(m,y;r 1 +r 2 ).

12 Digital Signatures We focus on electronic signatures that use public-key cryptography. E.g. (Based on RSA) –A key generation algorithm Same as in RSA encryption. –A signing algorithm Same as decryption of M  Z N * by C=D(M)=M d mod N. –A verification algorithm Same as encryption of C  Z N * by M=E(C)=C e mod N. Can be calculated and verified by anyone. Concept of Blind Signatures …

13 Secret Sharing Based on the next problem - assuming that there are N players, how can a dealer share a secret in a way that any group of t (< N) or more players could recreate the secret, but any group of less then t players will not be able to do so. Such scheme is called (t,N) - threshold secret sharing scheme.

14 Shamir Secret Sharing Scheme The dealer selects t-1 random integers, which forms a t-1 degree polynomial f(x) such that f(0) = S. The dealer calculates f(i) for each player i. Those are their private shares. Any group of t or more players can recreate the polynomial and S (using Lagrange interpolation).

15 Threshold Encryption In threshold encryption we have N authorities, and we want to encrypt a message in a way that any t or more authorities could decrypt it. Again, any group of less then t authorities will not be able to do so. No trusted dealer. Solutions are similar to Shamir’s scheme [CGS,Pederson].

16 Zero-knowledge Proofs Interactive protocols between two players, Prover and Verifier, in which the prover proves to the verifier, with high probability, that some statement is true. Does not leak any information besides the veracity of this statement. In the case of honest verifier ZKP, we can modify the protocol to non- interactive.

17 Zero-knowledge Proof Example Let g 1, g 2 generators of Z q *. The Prover claims that log g1 v = log g2 w (=x) for publicly known v, w, g 1, g 2. –P chooses random z  [1..q] and sends a=g 1 z, b=g 2 z. –V selects random c  [1..q] and sends it. –P sends r = (z+cx). –V verifies that g 1 r =av c and g 2 r =bw c Can be turned into non-interactive –C = Hash(a,b,v,w).

18 Useful ZKP Equality of discrete logarithms: –The prover knows discrete logarithms of v and w, and claims they are the same, log g1 v = log g2 w (for known g 1, g 2 ). 1-out-of-L re-encryption: –the prover wants to prove that for a publicly known pair (x, y) there is an ElGamal re-encryption in the L encrypted pairs (x 1, y 2 )… (x L, y L ). 1-out-of-L message encryption: –Given L plain-text messages m 1 … m L, the prover wants to prove that a tuple (x, y) is an encryption of one of the L plain-texts.

19 Schemes that the voter uses a computer in the booth

20 First Fundamental Decision You have essentially two paradigms to choose from… –Anonymized Ballots. –Ballotless Tallying.

21 The Mix-Net Paradigm Chaum, Sako & Kilian…

22 The Mix-Net Paradigm

23 MIX Vote

24 The Mix-Net Paradigm MIX Vote

25 The Mix-Net Paradigm MIX Vote MIX

26 The Homomorphic Paradigm Benaloh, Cramer et al…

27 The Homomorphic Paradigm Tally

28 The Homomorphic Paradigm Tally

29 CGS97 (Cramer,Gennaro and Schoenmakers) - Ballotless Tallying Uses robust threshold ElGamal. Players: –Authorities a 1 … a s. –Candidates: –1 and 1. –Voters v 1 …v n. –Public Board.

30 CGS97 - The Protocol Initialization –All authorities publish Their shares. A threshold public key S. Another generator h of the multiplicative group –The legal votes will be h -1, h 1. Voting –A voter encrypts his vote b i using E(h bi,S;r) and publishes it along with a non-interactive proof of validity of the vote on a public board. Verification –All voter's non interactive proofs are verified (publicly) and invalid votes are deleted.

31 Tallying –After elections ends, t authorities calculates E(h total,S;r total ) =  E(h bi,S;r) and publicly decrypt it to get h total. Now, anyone can find Total (using linear time exhaustive search) which is the difference between the number of votes for each candidate. Those calculation can also be verified using non-interactive zero knowledge proof of equality of discrete logarithms. !Using Pailler encryption we can eliminate the exhaustive search.

32 CGS97 Scheme – Properties As long as there at most t-1 dishonest authorities Privacy Easy to coerce Coersion resistance As long as there are t honest authorities Robustness computational Unforgability Elgibility, Unreusability Auditability

33 So what more do we want? A voter is not a computer! We want the voter to vote bare-handed. The voter: –Does not bring any electronic device. –Does not compute cryptographic computations in his head. –Uses only humen abilities. We want him to be able to verify the booth’s behaivor - Voter Verifiability.

34 Voter Verifiable Voting Schemes

35 Scratch and Vote (Adida and Rivest 2006) Very simple idea. Uses threshold Paillier encryption. –The voter picks two ballots from a big bin. –The voter scratches off a scratch surface of one ballot, and later he can verify its validity. –The voter marks his selection on the other ballot, shreds the candidates list and surrender it to the poll-workers. –The poll-worker shreds the scratch surface. –The voter feeds the rest into a scanner and takes it home as a receipt.

36 Scratch and Vote – The Ballot The ballot consists of –Candidates list in a random order (left part). –A barcode made of encryptions and NIZKP. –A scratch surface which conceals the randomness used for the encryptions.

37 Scratch and Vote – Verification and Tallying Every voter can check that his vote is published correctly. Ballots are checked using their NIZKP. A threshold decryption of the product of all legal casted ballots is executed …

38 Scratch and Vote – Properties Pros. –Very simple to use. –Voter verifiable. –Efficient. Cons. –If it uses an empty ballots bin A coercer can steal a valid ballot and coerce someone to use it (chain voting). –If it uses a computer and a printer to create the ballots in front of the voter The booth can misbehave. –If it uses a scanner to record the ballots The booth knows what the voter voted. –If it uses another ballots bin to collect the ballots The voter has no receipt. –Also, signatures are not handled properly Without signatures, the voter can claim anything later. With signatures, the voter needs a computer assistance. –Shreding If we want to print the ballots in front of the voter, we must verify the voter shreds the left part. –Random coercion A coercer can coerce the voter to vote randomly.

39 Reynolds’ Scheme Voter enters the booth and receives a blank ballot. The voter fills two random number inside the boxes of the candidates he does not want. The booth prints few encryptions (later). The voter fills the last number and casts the ballot. He also take it as a receipt. Voter = yellow green blue Ben Riva d1d1 d2d2 d3d3 157 732 222 E(157),E(0),NIZKP E(732),E(0),NIZKP E(536),E(1),NIZKP E(d i ),E(vote?)

40 Reynolds’ Scheme – What are the NIZKP? If we use threshold ElGamal, then the NIZKPs consist of –A proof that for each line i D i = E(d i ) OR V i = E(h 1 ) –A proof that for each line i V i = E(h 0 ) OR V i = E(h 1 ) –A proof that  V i = E(h 1 ) Where h is another generator of the group…

41 Reynolds’ Scheme – Verification and Tallying Every voter can check that his vote is published correctly. Ballots are checked using their NIZKPs. A threshold decryption of the product of all legal casted ballots’ lines is executed. Voter = yellow green blue Ben Riva d1d1 d2d2 d3d3 157 732 222 E(157),E(0),NIZKP E(732),E(0),NIZKP E(536),E(1),NIZKP Voter = yellow green blue Alon C d1d1 d2d2 d3d3 635 453 999 E(112),E(1),NIZKP E(435),E(0),NIZKP E(999),E(0),NIZKP Voter = yellow green blue David B d1d1 d2d2 d3d3 743 142 734 E(743),E(0),NIZKP E(142),E(0),NIZKP E(111),E(1),NIZKP Final tally Yellow – 1 Green – 2 Blue - 0

42 Some Of The Problems Has almost the same problems as SnV with –Privacy. –Coercion. –Robustness. Other schemes (Neff, Chaum, Ryan…) have similar problems.

43 The Main Thing…

44 The Projects Scratch and Vote –Encryption – threshold Paillier. –Ref Base paper - Ben Adida and Ronald L. Rivest. Scratch & Vote: Voter- Verifiable Paper-Based Cryptographic Voting. Reynolds’ scheme –Encryption – threshold ElGamal. –Ref Base presentation - D. J. Reynolds. A method for electronic voting with coercion-free receipt. FEE 05. For NIZKP - Ronald Cramer, Rosario Gennaro, and Berry Schoenmakers. A secure and optimally efficient multi-authority election scheme. In EUROCRYPT. Also –Public board. –Digital signatures.

Download ppt "Electronic Voting Presented by Ben Riva Based on presentations and papers of: Schoenmakers, Benaloh, Fiat, Adida, Reynolds, Ryan and Chaum."

Similar presentations

Secret Ballot Receipts: True Voter Verifiable Elections Author: David Chaum Published: IEEE Security & Privacy Presenter: Adam Anthony.

Secret Ballot Receipts: True Voter Verifiable Elections Author: David Chaum Published: IEEE Security & Privacy Presenter: Adam Anthony.
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.

Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.
Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.

Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.
Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)

Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)
ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.

ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.
1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.

1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Asymmetric-Key Cryptography

Asymmetric-Key Cryptography
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.

Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
A method for electronic voting with Coercion-free receipt David J. Reynolds (unaffiliated)

A method for electronic voting with Coercion-free receipt David J. Reynolds (unaffiliated)
Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.

Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.
7. Asymmetric encryption-

7. Asymmetric encryption-
Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)

Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)
Josh Benaloh Senior Cryptographer Microsoft Research.

Josh Benaloh Senior Cryptographer Microsoft Research.
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

Similar presentations

Ads by Google