Mark Ryan
University of Birmingham
2 Desired properties
3 Trust assumptions
7 Conclusions
Electronic voting: potential
In UK
May 2007 elections included 5 local authorities that piloted a range
of electronic voting machines.
Electoral Commission report concluded that the implementation and
security risk was significant and unacceptable and recommends that
no further e-voting take place until a sufficiently secure and
transparent system is available.
In USA:
Diebold controversy since 2003 when code leaked on internet.
Kohno/Stubblefield/Rubin/Wallach analysis concluded Diebold
system far below even most minimal security standards. Voters
without insider privileges can cast unlimited votes without being
detected.
Current situation in USA, continued
Desired properties
Verifiability
  Outcome of election is verifiable by voters and observers
  You don't need to trust election software
Incoercibility
  Your vote is private
  even if you try to cooperate with a coercer
  even if the coercer is the election authorities
Usability
  Vote & go
  Verify any time
Examples (figure labels: Verifiable, Incoercible, Usable; website voting)
Voting system: desired properties in more detail
Eligibility: only legitimate voters can vote, and only once
Effectiveness: the number of votes for each candidate is published after the election
Privacy: the fact that a particular voter voted in a particular way is not revealed to anyone (not even the election authorities)
Contradiction?
Receipt-freeness: a voter cannot later prove to a coercer that she voted in a certain way
Individual verifiability: a voter can verify that her vote was really counted
Individual verifiability (stronger): ..., and if her vote wasn't counted, she can prove that.
How could it be secure?
Trust assumption possibilities
Nothing is required-to-be-trusted
it is
e.g. current DRE solutions
Security by trusted client software
trusted by user
not trusted by user
does not need to be
doesn't need to be
trusted by authorities
trusted by anyone
or other voters
First, some cryptography
Blind signatures
Normally, when Alice signs a message $M$, creating $\mathrm{Sign}_{SK_A}(M)$, she knows what the message $M$ is.
In a blind signature, Bob can ask her to sign a blinded version of the message, $\mathrm{blind}_b(M)$. After she signs it, he can unblind it.
$\mathrm{unblind}_b(\mathrm{Sign}_{SK_A}(\mathrm{blind}_b(M))) = \mathrm{Sign}_{SK_A}(M)$
Commitments
Alice can send Bob a commitment $\mathrm{commit}_c(M)$ to a message $M$.
Later, she can reveal $c$ and $M$, and Bob can verify that it is indeed the correct $M$ that she committed to.
Alice cannot lie, e.g., cannot find some other $c'$ and $M'$ that have the same commitment $\mathrm{commit}_{c'}(M')$.
FOO 92 protocol [FujiokaOkamotoOhta92]
II
{commit(v, c)} D 1
publ. (l, commit(v, c))
(l, c)
III
open(...) = v
publ. v
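The two primitives from the cryptography slide, composed in the order the FOO 92 labels above use them (commit to the vote, get the commitment signed blind, later reveal c and open). This is an added example, not code from the slides: Chaum-style RSA blinding and a SHA-256 commitment are assumed instantiations, and the key, function names and sample votes are constructed.

```python
import hashlib, math, secrets

# Constructed toy RSA key for Alice, the signer: two Mersenne primes, NOT secure.
P_, Q_ = 2**61 - 1, 2**89 - 1
N, E = P_ * Q_, 65537
D = pow(E, -1, (P_ - 1) * (Q_ - 1))        # Alice's secret exponent (SK_A)

def commit(msg: bytes, c: bytes) -> bytes:
    # Hash commitment: another (c', M') with the same value is a SHA-256 collision.
    return hashlib.sha256(len(c).to_bytes(2, "big") + c + msg).digest()

def to_int(data: bytes) -> int:
    # Map the commitment into Z_N so textbook RSA can sign it.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def blind(m: int):
    # Bob multiplies M by b^E; Alice cannot recover M without b.
    while True:
        b = secrets.randbelow(N - 2) + 2
        if math.gcd(b, N) == 1:
            return m * pow(b, E, N) % N, b

def sign(m: int) -> int:
    # Alice signs whatever she is handed (textbook RSA, no padding).
    return pow(m, D, N)

def unblind(sig: int, b: int) -> int:
    # (M * b^E)^D = M^D * b, so dividing by b leaves Sign(M).
    return sig * pow(b, -1, N) % N

def verify(m: int, sig: int) -> bool:
    return pow(sig, E, N) == m

def prepare_ballot(vote: bytes) -> dict:
    c = secrets.token_bytes(16)            # commitment key, kept by the voter for now
    com = commit(vote, c)
    blinded, b = blind(to_int(com))
    sig = unblind(sign(blinded), b)        # the signer never sees com or the vote
    return {"com": com, "sig": sig, "c": c, "blinded": blinded}

def open_ballot(com: bytes, c: bytes, vote: bytes) -> bool:
    # After c is revealed, anyone can check the published vote against com.
    return commit(vote, c) == com
```

The signature that comes out of unblind is identical to the one Alice would have produced on the commitment directly, which is the identity stated on the slide.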
FOO 92 properties
Let us consider for each one whether FOO has it or not:
Eligibility
Fairness
Privacy
Receipt-freeness
Coercion-resistance
Individual verifiability
Universal verifiability
Eligibility verifiability
4 out of 8... not too bad, but not good enough!
Election of president at University of Louvain
Zero-knowledge proofs
Problem
I give you an encryption $\mathrm{enc}_k(v)$ of a value $v$.
How do you know that I know $v$ (e.g., that I didn't copy someone else's ballot)?
How do you know that $v$ satisfies certain constraints, e.g., that it is a valid vote?
Solution
I give you a zero-knowledge proof that I know the $v$ inside $\mathrm{enc}_k(v)$.
I give you a zero-knowledge proof that the $v$ inside $\mathrm{enc}_k(v)$ satisfies the relevant constraints.
Elgamal encryption
Encryption of m:
$(c, d) = (g^r, m h^r)$
Variation:
$(c, d) = (g^r, g^m h^r)$
Decryption of (c, d) (assuming variation):
$g^m = d / c^x$
Verifiability and Incoercibility
JCJ Civitas is the only protocol (to my knowledge) that achieves both
verifiability and incoercibility in strong forms. This makes it of great
theoretical interest, although its complexity may make it unusable in
practice.
How does it achieve these properties?
Verifiability
Everything that the servers process is published
Incoercibility
Voters cannot prove that a given value is their credential. Votes under invalid credentials may be cast, but won't be counted. Observers can verify that votes with incorrect credentials weren't counted, but they can't see which ones those were.
Verifiable reencryption mixes
Problem
We want to shuffle a bunch of encryptions $\{v\}^m_{pk}$, like putting them into a big box, closing it, and shaking it for a long time!
But we want to be sure that
  What comes out of the box is what goes in, as a whole
  No-one can link any particular object that comes out with a particular object that went in
Solution: a verifiable reencryption mix
  It takes as input the bunch of encryptions $\{v\}^m_{pk}$.
  It re-randomises them all.
  It outputs the results.
How to verify it did the mix correctly?
  Ask it to do another mix.
  Flip a coin.
  If heads, ask it to prove the correspondence between the input and the result of the second mix.
  If tails, ask it to prove the correspondence between the output and the result of the second mix.
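The Elgamal variation $(g^r, g^m h^r)$ from the earlier slide and the coin-flip check above, as one added example (not code from the slides). The toy group P, Q, G, the function names and the sample votes are constructed; h = g^x is the usual Elgamal public key, and the second mix is taken over the same input as the first.

```python
import secrets

# Constructed toy group (far too small for real use): P = 2Q + 1, G has order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)                       # secret x, public h = g^x

def enc(h, m):
    r = secrets.randbelow(Q)
    return (pow(G, r, P), pow(G, m, P) * pow(h, r, P) % P)   # (g^r, g^m h^r)

def reenc(h, ct, s):
    # Re-randomise: multiply in an encryption of 0; the plaintext is unchanged.
    return (ct[0] * pow(G, s, P) % P, ct[1] * pow(h, s, P) % P)

def dec(x, ct, max_m=16):
    gm = ct[1] * pow(ct[0], -x, P) % P           # g^m = d / c^x
    return next(m for m in range(max_m) if pow(G, m, P) == gm)

def mix(h, cts):
    # Shuffle and re-randomise; the (perm, rs) witness stays with the mixer.
    perm = list(range(len(cts)))
    secrets.SystemRandom().shuffle(perm)
    rs = [secrets.randbelow(Q) for _ in cts]
    return [reenc(h, cts[p], r) for p, r in zip(perm, rs)], (perm, rs)

def respond(coin, main_w, shadow_w):
    # Heads opens input -> second mix; tails opens second mix -> output.
    # Neither answer on its own links an input to an output.
    if coin == "heads":
        return shadow_w
    (perm, rs), (sperm, srs) = main_w, shadow_w
    pos = {src: j for j, src in enumerate(sperm)}
    link = [pos[p] for p in perm]
    return link, [(r - srs[j]) % Q for r, j in zip(rs, link)]

def check(h, src, dst, witness):
    perm, rs = witness
    return (len(src) == len(dst) and sorted(perm) == list(range(len(src)))
            and all(reenc(h, src[p], r) == d for p, r, d in zip(perm, rs, dst)))

def audit(h, inp, out, main_w, coin):
    shadow, shadow_w = mix(h, inp)               # mixer commits to the second mix first
    w = respond(coin, main_w, shadow_w)
    return check(h, inp, shadow, w) if coin == "heads" else check(h, shadow, out, w)
```

A mixer that swapped a ballot can pass a single round only by guessing the coin in advance, so the round is repeated with fresh second mixes until the chance of an undetected substitution is small enough.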
JCJ/Civitas step-by-step
Voter with credential d
remove malformed ballots
remove duplicates
decrypt
results
JCJ-Civitas: verifiability