A (Brief) Comparison of Cryptographic Schemes for Electronic Voting

Tartu, Estonia
May 17, 2004

Berry Schoenmakers
Technical University of Eindhoven
The Netherlands

Personal Experiences
Cryptography, since 1993 (CWI, DigiCash, TUE)
Privacy-protecting electronic payment systems
– e.g., eCash system at DigiCash (Chaum’s blind signatures)
Electronic voting schemes
– since 1994
– homomorphic approach
– ‘shadow election’ May 1998 during Dutch national elections
– technical advisor of VoteHere
– EU project CyberVote (Sept. 2000 – March 2003)
– consultancy for the Dutch government
» KOA-initiative (“Kiezen Op Afstand”)
» upcoming experiment for expatriates (by touch-phone and internet)
(Next “wave:” other practical two/multiparty computations, e.g. millionaires, private matching, secure auctions, …)

Paper-based elections
Advantages:
– Easy to understand.
– Transparent: in principle, observers may monitor the process for correct execution.
Disadvantage:
– Requires physical presence of voters, talliers, observers
Fundamental properties:
– Security: election result must be verifiably correct
– Privacy: individual votes must remain secret

Electronic elections
Solve security and privacy issues:
– By trust?
– By legal measures?
– By technology? Yes, using cryptography!
Cryptographic approaches to electronic elections have been studied since the early 80s.
– Electronic elections form a primary example of a secure multiparty computation.

“Trusted party scenario”
Voting:
– 1. Voter connects to voting server through an SSL connection (as with “secure web servers”)
– 2. Voter authenticates himself/herself
– 3. Voter casts a vote
Tallying:
– Server (trusted party) sums all the votes and announces the election result

Problem: level of trust in insiders
Attackers
– Outsiders, i.e., anyone on the Internet:
» May try to attack the SSL connection or the server.
» Relatively easy to counter
– Insiders, i.e., those who run the election:
» May try to alter the election result
» May try to learn people’s votes
» Much harder to counter

"Those who cast the votes decide nothing. Those who count the votes decide everything."
Josef Stalin

Bulletin board model
[Figure: a bulletin board on which registered voters (Alice, Bob, Carol, Diane, …) each post a signed ballot and registered talliers (Tallier #1, Tallier #2, …, Tallier #10) each post a signed sub-tally; scrutineers/observers (or, just anybody) look on.]

Election Roles
Election Officials
– select a PKI (“one (wo)man, one key pair”) for authentication of voters, talliers and officials
– run the Bulletin Board server(s)
» assumption: access to Bulletin Board is not anonymous
Voters
– large-scale elections
» many voters, “vote&go”
Talliers (possibly incl. MIXers)
– scalable distributed trust
» possibly a large number of talliers, e.g. 100 talliers
Scrutineers (or, observers, auditors)
– can be anyone: universal verifiability

Bulletin Board = server network
Properties (public broadcast channel):
– Anyone can read BB
– Nobody can erase anything from BB
– Voters, talliers, officials write ballots to their own sections, signed with their public keys
– BB produces signed receipts (threshold signature)
Implemented as a kind of Byzantine agreement
– Replicated design prevents denial-of-service by BB
» if < 1/3 of the BB servers is malicious, then BB is reliable
» e.g., Rampart toolkit (Mike Reiter)

Requirements for voting systems
Only registered voters may vote
Each voter may vote only once
Ballot secrecy (privacy)
Public verifiability of election result
Robustness
No interaction between voters
No vote duplication (copying someone’s encrypted vote without knowing the vote)

Authentication vs. encryption
Separate voter authentication from vote encryption:
– makes it easy to exclude double voting
Voter authentication
– Ranging from weak to strong:
» UserID/password
» Challenge/response, possibly using hardware tokens (e.g., as used for Internet banking access control, ChipKnip)
» Digital signatures, PKI
Vote encryption
– Special protocols

Hard nut to crack
Privacy and verifiability at the same time
Ballot Secrecy: even when the system is fully audited, all individual votes should remain private
Public Verifiability: anyone (incl. observers, auditors) is able to verify the integrity of the election result against the encrypted votes cast by legitimate voters

Modern cryptography
Achieving privacy and verifiable security at the same time
– cannot be solved using conventional (public key) encryption and authentication techniques only.
– but requires advanced techniques such as:
» zero-knowledge proofs of knowledge
» verifiable secret sharing
» homomorphic encryption
» threshold decryption

Universally verifiable voting
– Homomorphic schemes:
» Benaloh et al. mid 80s
» Sako-Kilian 1994
» Cramer-Franklin-Schoenmakers-Yung 1996, Cramer-Gennaro-Schoenmakers 1997: first practical homomorphic encryption protocols
» Damgård-Jurik 2001 (using Paillier cryptosystem)
– Verifiable MIXes
» Sako-Kilian 1996
» Neff 2000: first practical publicly verifiable mix protocol
» Furukawa-Sako 2001
» Groth 2003
– Important innovation: efficient zero-knowledge proofs

Verifiable black box
[Figure: ballots E1 = Ballot Alice, E2 = Ballot Bob, E3 = Ballot Carol, …, Em = Ballot Diane enter a black box (counting process using private keys of talliers), which outputs T = Final Tally and Aux = Sub-tallies.]
Verify (E1,…,Em, T, Aux, public keys of talliers) = accept or reject

Some intuition: secret sharing
Single tallier sees everything:

Voter   Vote   Tallier
Alice   Yes    1
Bob     No     0
Carol   Yes    1
Diana   No     0
Total          2

Random split between two talliers:

Voter   Vote   Tallier 1   Tallier 2
Alice   Yes    -1287       +1288
Bob     No     -1999       +1999
Carol   Yes    -769        +770
Diana   No     -1334       +1334
Total          -5389       +5391      +2

ElGamal encryption
Receiver’s private key: $x$
Receiver’s public key: $h = g^x$
Sender encrypts plaintext $m$:
$(a, b) = (g^w, h^w m)$, using a random $w$
Receiver decrypts ciphertext $(a, b)$:
$b / a^x = m$
[Figure: the sender uses h to turn plaintext m into ciphertext (a, b); the receiver uses x to turn the ciphertext back into plaintext m.]

Homomorphic ElGamal encryption
Consider a vote $v \in \{1, 0\}$, i.e. {yes, no}
Ballot is ElGamal encryption of vote $g^v$:
$(a, b) = (g^w, h^w g^v)$
Homomorphic property:
$(a, b) * (a', b') = (g^{w+w'}, h^{w+w'} g^{v+v'})$
Tallying: decrypt product of all ElGamal encryptions to find sum of votes.

Use of zero-knowledge proofs
Question: How to prevent voters from sending in ballots like these?
$(a, b) = (g^w, h^w g^{2})$       double yes
$(a, b) = (g^w, h^w g^{-4})$      -4 times yes
$(a, b) = (g^w, h^w g^{1000})$    1000 times yes
Answer: use zero-knowledge proofs to prove that each ElGamal encryption contains either $g^0$ or $g^1$ without revealing any additional information.
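
An added example (not from the slides) of the kind of proof the answer above calls for: a disjunctive Chaum-Pedersen proof, made non-interactive with a SHA-256 Fiat-Shamir challenge, that a ballot encrypts g^0 or g^1. The slides do not say which proof is used; this construction, the toy group (P, Q, G) = (2039, 1019, 4) and all function names are assumptions.

```python
import hashlib
import secrets

# Toy group, constructed for illustration (far too small for real use):
# P = 2Q + 1 with P, Q prime; G generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def inv(y):
    return pow(y, P - 2, P)          # modular inverse, P is prime

def challenge(*vals):
    """Fiat-Shamir challenge in Z_Q (hash choice is an assumption)."""
    digest = hashlib.sha256(",".join(map(str, vals)).encode()).digest()
    return int.from_bytes(digest, "big") % Q

def encrypt(h, v, w):
    """Ballot (a, b) = (g^w, h^w * g^v)."""
    return pow(G, w, P), pow(h, w, P) * pow(G, v, P) % P

def commitments(h, a, b, i, c, s):
    """Branch i claims b / g^i = h^w. Recompute (A_i, B_i) from (c_i, s_i)."""
    y = b * inv(pow(G, i, P)) % P
    return (pow(G, s, P) * inv(pow(a, c, P)) % P,
            pow(h, s, P) * inv(pow(y, c, P)) % P)

def prove(h, a, b, v, w):
    """Voter knows w and v in {0, 1}; the other branch is simulated."""
    u = 1 - v
    c, s, com = [0, 0], [0, 0], [None, None]
    c[u], s[u] = secrets.randbelow(Q), secrets.randbelow(Q)
    com[u] = commitments(h, a, b, u, c[u], s[u])
    r = secrets.randbelow(Q)
    com[v] = (pow(G, r, P), pow(h, r, P))
    c[v] = (challenge(h, a, b, *com[0], *com[1]) - c[u]) % Q
    s[v] = (r + c[v] * w) % Q
    return c[0], c[1], s[0], s[1]

def verify(h, a, b, proof):
    """Anyone can check the proof using only public values."""
    c0, c1, s0, s1 = proof
    if pow(a, Q, P) != 1 or pow(b, Q, P) != 1:
        return False                 # not in the order-Q subgroup
    com0 = commitments(h, a, b, 0, c0, s0)
    com1 = commitments(h, a, b, 1, c1, s1)
    return (c0 + c1) % Q == challenge(h, a, b, *com0, *com1)
```

With a group this small a mismatched proof is still accepted with probability about 1/Q; a real deployment uses a group where that chance is negligible.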

Homomorphic approach
Each voter $V_i$ posts an ElGamal encryption:
$(a_i, b_i) = (g^{w_i}, h^{w_i} g^{v_i})$ plus a zero-knowledge proof that $v_i = 0$ or $v_i = 1$
Compute $(\prod_i a_i, \prod_i b_i) = (g^W, h^W g^T)$ with $W = \sum_i w_i$ and $T = \sum_i v_i$
Talliers threshold-decrypt $(g^W, h^W g^T)$ to get $g^T$ and finally $T$
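
An added example (not from the slides) that runs the homomorphic tally end to end and ties in the secret-sharing intuition from earlier: the private key is split additively over the talliers, who each publish only a partial decryption of the combined ballot. This n-of-n split is a simplification of threshold decryption, the zero-knowledge ballot proofs are left out, and the toy group and function names are assumptions.

```python
import secrets

# Toy group, constructed for illustration (far too small for real use):
# P = 2Q + 1 with P, Q prime; G generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def tallier_keygen(n):
    """Tallier i holds a private share x_i; the joint public key is
    h = g^(x_1 + ... + x_n). No single tallier knows the full key."""
    shares = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]
    h = 1
    for x_i in shares:
        h = h * pow(G, x_i, P) % P
    return shares, h

def encrypt_vote(h, v):
    """Ballot (a, b) = (g^w, h^w * g^v) with a fresh random w."""
    w = secrets.randbelow(Q - 1) + 1
    return pow(G, w, P), pow(h, w, P) * pow(G, v, P) % P

def combine(ballots):
    """Component-wise product of all ballots = (g^W, h^W * g^T)."""
    A, B = 1, 1
    for a, b in ballots:
        A, B = A * a % P, B * b % P
    return A, B

def partial_decrypt(x_i, A):
    """Tallier i publishes A^(x_i), never x_i itself."""
    return pow(A, x_i, P)

def recover_tally(A, B, partials, max_votes):
    """B / prod(A^(x_i)) = g^T; T is small, so search 0..max_votes."""
    d = 1
    for part in partials:
        d = d * part % P
    g_T = B * pow(d, P - 2, P) % P
    for T in range(max_votes + 1):
        if pow(G, T, P) == g_T:
            return T
    raise ValueError("g^T does not match any tally in 0..max_votes")

def run_election(votes, n_talliers=3):
    """Votes are 0/1; needs len(votes) < Q in this toy group."""
    shares, h = tallier_keygen(n_talliers)
    A, B = combine([encrypt_vote(h, v) for v in votes])
    partials = [partial_decrypt(x_i, A) for x_i in shares]
    return recover_tally(A, B, partials, len(votes))
```

No individual ballot is ever decrypted: the talliers only touch the product of all ballots, so what they learn is T and nothing else.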

Verifiable MIXes
[Figure: voters send vote1, vote2, vote3 over authenticated SSL/WTLS channels to the vote server (aka "bulletin board"), encrypted using the talliers' public key (modified ElGamal encryption); a chain of MIX servers transforms and permutes the encrypted votes; the talliers decrypt the shuffled votes to obtain the result. The diagram also shows an attacker.]

Cryptographic techniques
Blinding of ElGamal encryptions:
– Input: $(a, b) = (g^w, h^w m)$
– Output: $(a', b') = (a, b) * (g^r, h^r) = (g^{w+r}, h^{w+r} m)$ where $r$ is random
» plus a zero-knowledge proof of correctness
Verifiable MIX, e.g. 2 x 2 MIX:
[Figure: inputs E1, E2 enter a 2 x 2 MIX with secret, random π and secret blinding; the outputs are E'π(1), E'π(2), plus a ZK proof.]
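
The blinding step above with one possible "proof of correctness", as an added example that is not from the slides: a Chaum-Pedersen proof (Fiat-Shamir with SHA-256) that a'/a and b'/b are g^r and h^r for the same r. The proof type, the toy group and the function names are assumptions; on its own this proof links each output to its input, so a MIX needs a proof that also hides the permutation π.

```python
import hashlib
import secrets

# Toy group, constructed for illustration (far too small for real use).
P, Q, G = 2039, 1019, 4

def inv(y):
    return pow(y, P - 2, P)          # modular inverse, P is prime

def challenge(*vals):
    digest = hashlib.sha256(",".join(map(str, vals)).encode()).digest()
    return int.from_bytes(digest, "big") % Q

def blind(h, ct):
    """(a', b') = (a, b) * (g^r, h^r). Returns the new ciphertext and r."""
    a, b = ct
    r = secrets.randbelow(Q - 1) + 1
    return (a * pow(G, r, P) % P, b * pow(h, r, P) % P), r

def decrypt(x, ct):
    """m = b / a^x."""
    a, b = ct
    return b * inv(pow(a, x, P)) % P

def prove_blinding(h, ct, ct2, r):
    """Show a'/a = g^r and b'/b = h^r for one r, without revealing r."""
    k = secrets.randbelow(Q)
    c = challenge(h, *ct, *ct2, pow(G, k, P), pow(h, k, P))
    return c, (k + c * r) % Q

def verify_blinding(h, ct, ct2, proof):
    """Uses public values only: no private key and no r."""
    c, s = proof
    u = ct2[0] * inv(ct[0]) % P      # should equal g^r
    v = ct2[1] * inv(ct[1]) % P      # should equal h^r
    k1 = pow(G, s, P) * inv(pow(u, c, P)) % P
    k2 = pow(h, s, P) * inv(pow(v, c, P)) % P
    return c == challenge(h, *ct, *ct2, k1, k2)
```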

Performance: Work per player
Counting modular exponentiations
m voters, n talliers, m >> n
Complexity of zero-knowledge proof: f

             Homomorphic   Verifiable MIX
Voter        O(f)          O(1)
BB           O(mf)         O(mn)
Tallier      O(f)          O(m)
MIXer        n.a.          O(m), sequential
Scrutineer   O(mf)         O(mn)

Solution = Protocol + Infrastructure
Voting protocol: cryptographic core of the system, protects even against insiders (who run the system)
Security infrastructure: required to stop a multitude of attacks, related to e.g.:
– Security of client and server computers
– Security of (voting) application software
– Security of communication between these computers
– …………….
Shortcomings of the cryptographic protocol cannot be remedied by strengthening the security infrastructure

Author’s address
Berry Schoenmakers
Coding and Crypto group
Dept. of Math. and CS
Eindhoven University of Technology
P.O. Box 513
5600 MB Eindhoven
Netherlands
[email protected]
www.win.tue.nl/~berry/