A (Brief) Comparison of

Cryptographic Schemes for

Electronic VotingTartu, EstoniaMay 17, 2004

Berry SchoenmakersTechnical University of Eindhoven

The Netherlands

Personal Experiences Cryptography, since 1993 (CWI, DigiCash, TUE) Privacy-protecting electronic payment systems

– e.g., eCash system at DigiCash (Chaum’s blind signatures) Electronic voting schemes

– since 1994– homomorphic approach– ‘shadow election’ May 1998 during Dutch national elections– technical advisor of VoteHere– EU project CyberVote (Sept. 2000 – March 2003)– consultancy for the Dutch government

» KOA-initiative (“Kiezen Op Afstand”)» upcoming experiment for ex-patriots (by touch-phone and internet)

(Next “wave:” other practical two/multiparty computations, e.g. millionaires, private matching, secure auctions, …)

Paper-based elections Advantages:

– Easy to understand.

– Transparent: in principle, observers may monitor the process for correct execution.

Disadvantage:– Requires physical presence of voters, talliers, observers

Fundamental properties:– Security: election result must be verifiably correct

– Privacy: individual votes must remain secret

Electronic elections Solve security and privacy issues:

– By trust?– By legal measures?– By technology? Yes, using cryptography!

Cryptographic approaches to electronic elections have been studied since the early 80s.– Electronic elections form a primary example of a

secure multiparty computation.

“Trusted party scenario” Voting:

– 1. Voter connects to voting server through an SSL connection (as with “secure web servers”)

– 2. Voter authenticates himself/herself– 3. Voter casts a vote

Tallying:– Server (trusted party) sums all the votes and

announces the election result

Problem: level of trust in insiders Attackers

– Outsiders, i.e., anyone on the Internet: » May try to attack the SSL connection or the server.

» Relatively easy to counter

– Insiders, i.e., those who run the election:» May try to alter the election result

» May try to learn people’s votes

» Much harder to counter

"Those who cast the votes decide nothing. Those who count the votes decide everything."

Josef Stalin

Bulletin board model

Bob56459845645454766

signedCarol49135784578454685

signed

Tallier #1

Sub-tally 132234555459085752

signed

Tallier #2Sub-tally 272378867307863836

signed

Alice 56805761456784158

signed

Sub-tally 1089873538968735603

signed Tallier #10

………….

Diane59643456456845463

signed

………….

………….

………….

Registered voters Registered

talliers

Scrutineers/observers(or, just anybody)

Election Roles

Election Officials– select a PKI (“one (wo)man, one key pair”) for

authentication of voters, talliers and officials– run the Bulletin Board server(s)

» assumption: access to Bulletin Board is not anonymous Voters

– large-scale elections» many voters, “vote&go”

Talliers (possibly incl. MIXers)– scalable distributed trust

» possibly a large number of talliers, e.g. 100 talliers Scrutineers (or, observers, auditors)

– can be anyone: universal verifiability

Bulletin Board = server network Properties (public broadcast channel):

– Anyone can read BB

– Nobody can erase anything from BB

– Voters, talliers, officials write ballots to their own sections, signed with their public keys

– BB produces signed receipts (threshold signature) Implemented as a kind of Byzantine agreement

– Replicated design prevents denial-of-service by BB» if < 1/3 of the BB servers is malicious, then BB is reliable

» e.g., Rampart toolkit (Mike Reiter)

Requirements for voting systems

Only registered voters may vote Each voter may vote only once Ballot secrecy (privacy) Public verifiability of election result Robustness No interaction between voters No vote duplication (copying someone’s

encrypted vote without knowing the vote)

Authentication vs. encryption Separate voter authentication from vote encryption:

– makes it easy to exclude double voting

Voter authentication– Ranging from weak to strong:

» UserID/password

» Challenge/response, possibly using hardware tokens (e.g., as used for Internet banking access control, ChipKnip)

» Digital signatures, PKI

Vote encryption– Special protocols

Hard nut to crack Privacy and verifiability at the same time

Ballot Secrecy: even when the system is fully audited, all individual votes should remain private

Public Verifiability: anyone (incl. observers, auditors) is able to verify the integrity of the election result against the encrypted votes cast by legitimate voters

Modern cryptography Achieving privacy and verifiable security at

the same time– cannot be solved using conventional (public key)

encryption and authentication techniques only.– but requires advanced techniques such as:

» zero-knowledge proofs of knowledge

» verifiable secret sharing

» homomorphic encryption

» threshold decryption

Universally verifiable voting– Homomorphic schemes:

» Benaloh et al. mid 80s

» Sako-Kilian 1994» Cramer-Franklin-Schoenmakers-Yung 1996, Cramer-Gennaro-

Schoenmakers 1997 First practical homomorphic encryption protocols

» Damgård-Jurik 2001 (using Paillier cryptosystem)

– Verifiable MIXes» Sako-Kilian 1996

» Neff 2000 First practical publicly verifiable mix protocol

» Furukawa-Sako 2001

» Groth 2003

– Important innovation: efficient zero-knowledge proofs

Verifiable black box

Black Box

Counting Process

using private keys

of talliers

E1 = Ballot Alice

E2 = Ballot Bob

E3 = Ballot Carol

Em = Ballot Diane

T = Final Tally

Aux = Sub-tallies

Verify (E1,…,Em, T, Aux, public keys of talliers) = accept or reject

Single tallier sees everything:

Random split between two talliers:

Some intuition: secret sharing

Tallier Alice Yes 1 Bob No 0 Carol Yes 1 Diana No 0 Total 2

Tallier 1 Tallier 2 Alice Yes -1287 +1288 Bob No -1999 +1999 Carol Yes -769 +770 Diana No -1334 +1334 Total -5389 +5391 +2

ElGamal encryption Receiver’s private key: x Receiver’s public key: h = gx

Sender encrypts plaintext m:

(a, b) = (gw, hw m),

using a random w Receiver decrypts ciphertext (a, b):

b / ax = m

Sender Receiver(a, b)

m m

husesuses

x

ciphertextplaintext plaintext

Homomorphic ElGamal encryption

Consider a vote v {1,0} {yes,no}

Ballot is ElGamal encryption of vote gv:

(a, b) = (gwhwgv),

Homomorphic property:

(a, b) * (a', b') = ( gw+w' hw+w' gv+v' )

Tallying: decrypt product of all ElGamal encryptions to find sum of votes.

Use of zeroknowledge proofs Question: How to prevent voters from sending in

ballots like these?

(a, b) = (gwhwg2) double yes(a, b) = (gwhwg-4) -4 times yes(a, b) = (gwhwg1000) 1000 times yes

Answer: use zero-knowledge proofs to prove that each ElGamal encryption contains either g0 or g1

without revealing any additional information.

Homomorphic approach Each voter Vi post an ElGamal encryption:

(ai, bi) = (gwihwigvi) plus a zero-knowledge proof that vi=0 or vi=1

Compute (i ai , i bi) = (gWhWgT)

with W = i wi and T = i vi

Talliers threshold-decrypt (gWhWgT)

to get gT and finally T

Verifiable MIXes

Voter

Voter

Voter

Voter

vote2

vote3

SSL/WTLS channels(authenticated)

encrypt using talliers' public key(Modified El Gamal encryption)

transform and permute

Vote server(aka "bulletin board")

vote1

vote3

vote1

vote2

vote2

vote1

vote3

MIX server MIX server

vote1

vote2

vote3

Talliers

vote2

vote1

vote3

result

decrypt

Attacker

…..

Cryptographic techniques Blinding of ElGamal encryptions:

– Input: (a, b) = (g w, h w m)– Output: (a', b') = (a, b)*(g r, h r) = (g w+r, h w+r m)

where r is random» plus a zero-knowledge proof of correctness

Verifiable MIX, e.g. 2 x 2 MIX:

Secret, random π,

secret blinding

E1

E2

E'π(1)

E'π(2)

plus a ZK proof

Performance: Work per player Counting modular exponentiations m voters, n talliers, m >> n Complexity of zero-knowledge proof: f

Homomorphic Verifiable MIX

Voter O(f) O(1)

BB O(mf) O(mn)

Tallier O(f) O(m)

MIXer n.a. O(m), sequential

Scrutineer O(mf) O(mn)

Solution = Protocol + Infrastructure Voting protocol: cryptographic core of the system,

protects even against insiders (who run the system) Security infrastructure: required to stop a multitude of

attacks, related to e.g.: – Security of client and server computers– Security of (voting) application software– Security of communication between these computers– …………….

Shortcomings of the cryptographic protocol cannot be remedied by strengthening the security infrastructure

Author’s address

Berry Schoenmakers

Coding and Crypto groupDept. of Math. and CS

Eindhoven University of TechnologyP.O. Box 513

5600 MB EindhovenNetherlands

berry@win.tue.nlhttp://www.win.tue.nl/~berry/