Presentation is loading. Please wait.

Presentation is loading. Please wait.

Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.

Published byRodger Carroll Modified over 9 years ago

Similar presentations

Presentation on theme: "Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories."— Presentation transcript:

1 Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories

2 Cast of characters u Voting authority u Attacker u Voter (Alice, and Bob, Charlie...) I Like Ike

3 Basic Internet voting Eve Charlie Bob Alice

4 Basic Internet voting Digitally signed by Eve Digitally signed by Charlie Digitally signed by Bob Digitally signed by Alice A vote for Al B re A vote for G.W. Gush A vote for Al Bore A vote for G.W. Gush Final Tally: Gush 2 Bore 1

5 BORE Alice knows randomization, so ciphertext ballot is a proof or receipt Alice Knees

6 Receipt-freeness u Receipt-freeness property: Alice cannot open ballot or prove contents u Prevents simple blackmail u References: BT94,SK95,HS00

7 What receipt-freeness doesn’t defend against u Vote buying –Sale of authentication key –Vote-buying schemes (e.g., vote-auction.com; http://62.116.31.68/) –Anonymous peer-to-peer networks u Compromise of voting authority servers –Limited defense in HS00

8 What receipt-freeness doesn’t defend against u Shoulder surfing u Randomization attack –Attacker pre-specifies form of Alice’s ciphertext, leading to random result u Forced-abstention attack u Receipt-freeness won’t do for real applications!

9 Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories

10 Coercion-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories

11 First key tool: Mix network Randomly permutes and re-encrypts inputs Mix network

12 What does a mix network do? Key property: We can’t tell which output corresponds to a given input ?

13 Example application: Anonymizing bulletin board or e-mail From Bob From Charlie From Alice

14 From Bob From Charlie From Alice “I love Alice” “Nobody loves Bob” “I love Charlie” Is it Bob, Charlie, self-love, or other? Example application: Anonymizing bulletin board or e-mail

15 Another application: Voting Digitally signed by Eve Digitally signed by Charlie Digitally signed by Bob Digitally signed by Alice A vote for Al B re A vote for G.W. Gush A vote for Al Bore A vote for G.W. Gush Final Tally: Gush 2 Bore 1

16 A quick look under the hood

17 Mix Structure Server 1 Server 2 Server 3 m1 m2 m3 re-encrypt and permute re-encrypt and permute re-encrypt and permute m2 m3 m1 m3 m2 m3 m1

18 Mix Structure m2 m3 m1 Threshold decryption Blinding Re-mixing

19 Properties u Privacy preserved, i.e., permutation hidden if at least one server is honest u Soundness achievable by having servers prove correct permutation Mix network

20 Second key tool Threshold one-way functions –Denoted by B() and B’() –Essentially undeniable signature –B(m) = m x for shared key x

21 Third key tool u Anonymous credential = Voting key –Essentially a group signature key v a la Atienese et al. (Crypto ‘00) v Other approaches possible –Carries hidden, identifying tag, called tag i –Special enhancement: Also includes validator val i = B(tag i ), where B is threshold one-way function tag i val i

22 A little more notation Let E[m] denote El Gamal ciphertext on m: –Private key held distributively –Authorities can jointly decrypt ciphertext –B(E[m]) = E[B(m)] (due to El Gamal homomorphism)

23 Our new scheme Core ideas: –Voter employs anonymous credential –We don’t know who voted (at time of voting) or what was voted –Validator required for vote to count –Adversary cannot tell whether or not validator is correct v Attacker cannot tell whether a vote is valid or not

24 Security model u Registration: –Attacker cannot interfere with registration process or –User is forced by, e.g., hardware, to do erasing u Before voting: –Attacker can provide keying or other material to voter (even entire ballot) u During vote: –Votes may be posted anonymously (for strongest security) or semi-anonymously (for weaker guarantees) –Bulletin board is universally accessible u At all times: –Attacker has access to all public information, i.e., encrypted and decrypted ballots

25 Voting: Anatomy of a ballot tag i val i tag i val i vote i proof i NIZK proof that tag i ciphertext is valid for credential Anonymous credential signature validator = B(tag i )

26 tag 3 val 3 vote 3 proof 3 Tallying Ballots Step 1: Check group signatures and proofs Authority 1Authority 2... ? ? ? ? tag 1 val 1 vote 1 proof 1 tag 2 val 2 vote 2 proof 2 tag n val n vote n proof n

27 Tallying Ballots Step 2: Mixing ballots Authority 1Authority 2... tag 1 val 1 vote 1 tag 2 val 2 vote 2 tag n’ val n’ vote n’ re-encryption tag 1 val 1 vote 1 tag 2 val 2 vote 2 tag n’ val n’ vote n’...

28 Tallying Ballots Step 3: Joint blinding and decryption of validators Authority 1Authority 2 tag 1 val 1 vote 1 tag 2 val 2 vote 2 tag n’ val n’ vote n’...... tag 1 vote 1 tag 2 vote 2 tag n’ vote n’ B’(val 1 ) B’(val 2 ) B’(val n’ )... B’ blinding prevents authorities from recognizing validators

29 Tallying Ballots Step 4: Elimination of duplicates by validator Authority 1Authority 2 equal validators... tag 1 vote 1 tag 2 vote 2 tag n’ vote n’ B’(val 1 ) B’(val 2 ) B’(val n’ ) tag 3 vote 3 B’(val 3 )

30 Tallying Ballots Step 5: Re-mixing ballots Authority 1Authority 2 re-encryption tag 1 B’(val 1 ) vote 1 tag 2 B’(val 2 ) vote 2 tag n’ B’(val n ) ’ vote n’...... tag 1 vote 1 tag 2 vote 2 B’(val 1 ) B’(val 2 ) tag n’ vote n’ B’(val n’ ) Remixing required so that adversary does not recognize weeding based on number of ballots he cast

31 Tallying Ballots Step 6: Verification of validators Authority 1Authority 2 Authorities compute C 1 = B’(B(E[tag i ])) = E[B’(B(tag i ))] Authorities do distributed comparison of C 1 with C 2 = E[B’(val i )] If ciphertexts are equal, then validator is correct Otherwise ballot is invalid and is thus removed tag i vote i E[tag i ] If correct, B’(val i ) = B’(B(tag i )) B’(val i )

32 Tallying Ballots Step 7: Joint decryption of valid votes Authority 1Authority 2 Gush = Bore vote 1 vote 2 vote 3 Winner!

33 Voter cannot sell or prove vote Key idea: Attacker cannot tell a false validator from a real one –If attacker demands voting key, voter can provide false validator –If attacker demands that voter cast a certain type of vote, and demands pointer(s) v Voter can vote as demanded using false validator v Voter can re-vote using correct validator

34 Collusion with minority coalition of servers resisted u Correct validators only computable by majority u Mixing is private and robust if majority is honest

35 No randomization or forced abstention u Randomization: Voter can use false validator to post false ballot… and later vote for real u Forced abstention: Group signature (+ anonymous channel) provides anonymity

36 Resistance to shoulder-surfing u Voter can vote multiple times u Weeding policy provides for re-vote –E.g., last vote might count (needs extra phase)

37 Is it practical? u Overhead is just a few times that of basic, mixed-based voting –Hirt-Sako ‘00 requires untappable channels, linear cost in number of candidates, no write-ins, etc. u Not just practical, but essential for Internet voting!

38 Questions?

39 Additions u Votes can be countersigned by polling station, indicating priority u If registrar publishes voting roll with blinded validators, we can verify publicly that all participants are on roll –Requires an additional mixing step u Careful modeling required and largely unaddressed

Download ppt "Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories."

Similar presentations

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.
Research & Development Workshop on e-Voting and e-Government in the UK - February 27, 2006 Votinbox - a voting system based on smart cards Sébastien Canard.

Research & Development Workshop on e-Voting and e-Government in the UK - February 27, 2006 Votinbox - a voting system based on smart cards Sébastien Canard.
Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran.

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran.
Analysis of an Internet Voting Protocol Dale Neal Garrett Smith.

Analysis of an Internet Voting Protocol Dale Neal Garrett Smith.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
Talk by Vanessa Teague, University of Melbourne Joint work with Chris Culnane, James Heather & Steve Schneider at University of.

Talk by Vanessa Teague, University of Melbourne Joint work with Chris Culnane, James Heather & Steve Schneider at University of.
1 e-voting (requirements & protocols) 1) Aggelos Kiayias, Moti Yung: Self-tallying Elections and Perfect Ballot Secrecy 2) Jens Groth: Efficient Maximal.

1 e-voting (requirements & protocols) 1) Aggelos Kiayias, Moti Yung: Self-tallying Elections and Perfect Ballot Secrecy 2) Jens Groth: Efficient Maximal.
Electronic Voting Ronald L. Rivest MIT CSAIL Norway June 14, 2004.

Electronic Voting Ronald L. Rivest MIT CSAIL Norway June 14, 2004.
Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.

Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.
Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.

Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.
Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)

Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)
A Pairing-Based Blind Signature

A Pairing-Based Blind Signature
ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.

ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.
1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.

1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.

Similar presentations

Ads by Google