Title: Cryptography meets Voting Warren D. Smith
1Cryptography meets VotingWarren D. Smith
- Paper discussed by
- Isuru Ranaweera
2- In the next election
- Will your vote be properly recorded?
- Will you be able to rule out election fraud?
- The answer to both these questions is quite
possibly No! -
3The problem (a)
- Our election system isnt very secure to begin
with. And it stands to become even more insecure
with time.. - Many states, including New York, are proposing a
shift to an increasingly electronic voting
system. (This is a system where votes are tallied
and results are calculated electronically.) - Unfortunately, many of the electronic voting
components such as vote-tallying machines, are
manufactured under non-disclosure agreements.
(This means that electronic voting machine
manufacturers arent required to release the
hardware and software architectures employed by
their machines.)
4The problem (b)
- Herein lies the central problem. Aside from the
manufacturers guarantee that their systems are
bulletproof, we only have moderate federal
assurance of the security of such systems. And
sometimes, even the federal assurance may not
exist. - For example, after a recall election in 2003
that employed the popular electronic Diebold
Election System, Californias secretary of state,
Kevin Shelley, announced that none of the
systems software had been federally certified.
This essentially implied that the validity of the
election result was highly questionable.
5(potential solution) (a)
- The solution to our problem is simple
Disclosure - Essentially, this means that any electronic
voting system must publicly release the explicit
methods it uses. - Why does it work?
- Disclosure enables extreme scrutiny of the
methods involved. This virtually guarantees that
any fraud will be revealed, that the system being
used is valid, and that it doesnt have any
hidden security flaws. - In an electronic context, disclosure has proved
to be extremely useful. For example, open-source
(disclosed) systems such as Mandrakes Linux are
much more stable than proprietary (un-disclosed)
systems such as Microsofts Windows. (This is
because disclosed systems are quick to find and
remedy flaws.) Furthermore, in the field of
information security, all publicly trusted
systems have been fully disclosed. These in turn
are believed to be the most secure systems in
existence.
6(potential solution) (b)
- Is the method feasible?
- Simply put, yes. Many secure election systems
have been devised over the years. One such method
devised by Warren D. Smith is outlined in his
paper Cryptography meets Voting. In this paper
he provides a provably secure system that costs
around 1 per voter. - (This is well within current election budgets)
- Today we will discuss this crypto system that has
the capacity to meet our election security
requirements
7What do we desire from an election (A)
- Cheap economically and computationally
- Virtually impossible to cheat even for agencies
such as the CIA or NSA - Robustness recounts should be possible
8What do we desire from an election (B)
- Only the voter knows how he voted vote cannot
be effectively modified - Voter cannot prove how he voted to a third party
voter cannot sell vote - Others cannot tell if voter voted or not voter
cannot be coerced - Everyone can verify that only authorized voters
voted and at most once no illegal voting
9Cryptographic tools well use.. (A)-1
- ElGamal public key crypto systems
- Based on the difficulty of calculating discrete
logs - C Number(secret-key) (mod Domain)
- (its difficult to calculate secret-key from C)
- Public keys N, A, B where BAa(mod N)
- Secret key a
- System details
- cipher-pair (Ak, mBk) where m is the message
k is random - decoding
- We get inverse(Aak) by raising Ak to a and
calculating its inverse - inverse(Number) x Number 1
- mBk mAak,
- mAak x inverse(Aak) m,
10Cryptographic tools well use.. (A)-2
- Homomorphic properties in ElGamal systems
- A traditional El Gamal system with an encryption
function E with this property -
- E(M1) x E(M2) E(M1 M2)
11Cryptographic tools well use.. (B)-1
- Zero knowledge proofs
- A system whereby a prover proves to a verifier
that he knows a secret without revealing any
direct information about - the secret
- Eg- Graph mapping
12Cryptographic tools well use.. (B)-2
- Zero knowledge (ZK) OR ing.
- Alice provides a zero knowledge proof of
- (ZK proof of S) OR (sender is Bob) to Bob.
This way, because Bob knows sender isnt Bob, he
trusts that hes received a ZK proof of Alices
S. But if Bob then tries to send the message he
received from Alice to Carl, Carl wont be
convinced because he doesnt know that the second
part of the OR was false in the initial
transmission. - This way, Alice has deniability. (Only Bob knows
that (sender is Bob) is false because Alice
requires Bobs secret key to make that statement
true. But Carl doesnt know if Bob gave his
secret key to anyone else. So only Bob can be
convinced in this scenario.
13Cryptographic tools well use.. (C)
- Secret (Key) sharing
- Multiple parties hold a piece of a universal key
that can only be reconstructed with the mutual
cooperation of all the secret sharers. - (The cooperation is usually sequential and not
concurrent)
14Cryptographic tools well use.. (D)
- Elliptic Curve Cryptosystems (ECC)
- A computational modification that can be applied
to cryptosystems such as ElGamal which in turn
provides faster computation while also
potentially strengthening the encryption. (Useful
for making our voting schemes cost effective)
15The election system were aiming for (a)
- Before the election starts, there is a pre-posted
publicly available and readable list of
legitimately eligible voters. - During the election, voters provide their vote to
the EA (election authority). We assume that the
voting and communication processes are private.
(Not seen heard or recorded by anyone else.) - Afterwards, the EA combines the votes using a
publicly known polynomial time algorithm to
produce the election results which it then
announces.
16The election system were aiming for (b)
- Anyone can verify that only legitimate voters
voted and each voted at most once. And that no
votes were faked, altered or destroyed. - Anyone can verify that the correct election
results were announced. - The entire election and verification process
requires only a polynomial time total
computation. (To be feasible). - No vote-buyer can be convinced of what a voters
vote was. (Because no voter can convince others
of how he voted unless an exponentially large
computation takes place or the discrete logarithm
problem gets solved in less than exponential
time.) - (So, vote-buying and vote-coercion are virtually
impossible)
17Our first attempt.. (A)
- Each voter V encrypts his vote M using PKEA
- He sends the encrypted vote M to EA
- EA re-encrypts M as M by using SKEA and sends
it to V - V uses a zero knowledge log proof to verify
that M was indeed a re-encryption of M
PK public key SK secret key EA Election
Authority
18Our first attempt.. (B)
- V dates and signs M as M and sends it to EA
- EA signs M as M and posts this on a
publicly viewable bulletin board next to Vs name - V also receives a paper with a bar code denoting
M in case a recount is needed - Finally EA converts all bulletin board results to
an election result. (It proves the validity of
the result by providing zero knowledge proofs of
each conversion)
19Why the first attempt.. works
- Because everything is a ZK proof protocol,
everyone is convinced that the EA correctly
transformed the posted votes to the declared
election result. - Because only the EA has the universal secret key,
nobody but the EA knows what the votes are. - A voter wishing to sell his vote is unable to
demonstrate regeneration of his publicly posted
vote because of random padding. (So no two posted
votes will be identical.)
20What are the first attempts weaknesses?
- If the EA agrees to a collusion, the system will
allow vote buying and coercion. (However, the
actual posted vote will still be correctly
counted.) - Therefore, the EA must be trusted to hold a
proper election. (The EA is not fully audited).
21Analysis of first attempt..
- Benefits
- All are convinced of the result
- The votes remain anonymous
- Voter cannot prove what he voted
- Drawback
- EA isnt fully audited by anyone else
- EA knows all this is dangerous
- So, let us modify our first attempt..
22The Secure System (A)
- S key holders randomly generate their secret
- partial decryption keys K1, K2, , KS and use
- them to produce the public encryption keys and
the secret key k k S(i1 to S) Ki (k is the
universal secret key) - Voter makes his vote v based on public
information (v consists of integers) - Voter homomorphic-Elgamal-encrypts his v with K
- and transmits the encrypted vote M to EA
- where K (mod G) ? (i1 to S) Ki
- (K is a universal public key and G is Ks
modulus domain) -
23The Secure System (B)
- EA re-homomorphic-ElGamal-encrypts M to
- M using public key K. Then EA adjoins the
- date to M to get M which is sent back to
voter. Voter signs M and sends M back to EA
which signs M to get M. - ( Both voter and EA use non-interactive zero
knowledge proofs to verify the validity of the
relevant re-encryptions.) - Then, EA posts the twice-signed,
validity-self-proving dated M on a public list
of approved voters next to our voters name. EA
prints 2 hardcopy bar-codes of M and sends one
to the voter while keeping the other.
24The Secure System (C)
- A voter can vote multiple times, but only the
- last dated vote will count.
- Once all votes have been cast, EA provides the
homomorphically added result (which it cant
read) to the body of secret key holders who each
perform a partial ElGamal decryption on the
result to decode the election result. - (All during the EA homomorphic addition process
and secret-key-holder partial decryption process,
independent verifiers can find out if the
information has been contaminated)
25What have we changed? (a)
- We made all encryptions homomorphic-ElGamal.
- The EA does not know its decryption key (The
universal secret key). - (With homomorphism, this doesnt prevent the EA
from correctly tallying the votes or proving to
each voter that his vote has been correctly
converted.) - Anyone else is free to carry out the same
calculation as the EA and verify that its work is
accurate by producing the same result himself.
26What have we changed? (b)
- The EA is prevented from revealing any votes and
thus makes the election fully secure. - (Therefore the vote-selling problem in our first
attempt is no longer a problem.) - Because the EA cannot decrypt each vote, it
doesnt know if each vote is properly formatted.
Therefore, it is now necessary for each voter to
provide a zero-knowledge proof that his vote was
correctly and legally formatted.
27What have we changed? (c)
- The universal secret key is known (partially) by
s mutually distrusting entities. - The s mutually distrusting entities are also
known as the secret sharers. - During the election, the s secret sharers work
together only twice. Once at the beginning to
generate the public keys, and once at the end to
decrypt the result by sequentially applying their
partial secret keys to make up the universal
secret key k. (which gets implicitly used to
decode the election result)
28What have we changed? (d)
- Each secret sharer must provide zero-knowledge
proofs that they are using the same Ki for both
their initial generation of k and for their
subsequent decryption of the final result. - No one knows the ElGamal universal secret key k,
but we can still decode the result. - Unless all the keyholders and the EA collude, all
votes will remain forever private.
29What have we changed? (e)
- The EA does most of the communication and
computation. The secret key holders act once at
the very beginning and once at the end of the
election. (This is a small amount of modular
exponentiation work which is independent of the
number of voters.) - Because the EA only knows encryption keys, it can
publicly make them available and distribute them
far and wide at different voting locations
without fear of exposing an important secret - Therefore voting communication will be between
the voter and the EA owned voting machine next to
him. - If the voting machine performs the encryption
and stores the result immediately, its data
cannot be compromised. -
- (Naturally, when the voter makes his choice at
the machine, that act itself is vulnerable to
eavesdropping.)
30Analysis of the Secure System
- Benefits (similar to first attempt..)
- All are convinced of the result
- The votes remain anonymous
- Voter cannot prove what he voted
- EA knows little
- Only the secret key holders have to be physically
protected - One Drawback Remains (not in the paper)
- Public bulletin reveals if you voted or not
31Other similar voting systems.. (a)
- Mixnet voting system
- Expensive in terms of communication cost.
(because multiple parallel redundant
communications must take place. This will clog
the network) - Cannot be scaled to work with multi-winner voting
systems. (because this would make votes unique
and non-anonymous. There are ways of avoiding
this, but they are computationally very expensive
and limiting.) - All voters may have to have decided before the
voting begins (in order to guarantee perfect
anonymity. Otherwise traffic can be monitored.)
32Other similar voting systems.. (b)
- Heterodox voting system
- Votes can be bought. (Voters are capable of
proving the way they voted and thereby selling
their vote. They can also be coerced through
this.) - Potentially heavy delays during voting. (This is
because a preparatory phase exists along with a
vote casting phase. Furthermore, explicit
identification of voters who drop out during
phases is required.) - Heavy information storage requirements (This
makes the scheme only feasible for small
elections with around 10000 voters.)
33Other similar voting systems.. (c)
- Multiparty computation voting system
- Computationally expensive. (This makes it
necessary to perform 1014 modular exponentiations
for 108 voters. This makes the cost per voter
round to about 270 per voter. Unacceptable in
all but the most select small circles.) - Too many parties to trust. (The distributed
computation model forces us to trust many parties
and hope that they dont collude. When were
dealing with powerful political parties, its
unreasonable to make this assumption.) - It may be possible to overcome the second ( /\ )
drawback by making extensive computation advances
and overcoming the first drawback.
34Conclusion
- Generally, each voting system has benefits over
other systems, and drawbacks compared to other
systems as well. - However, our present day voting systems are
highly antiquated and ineffective at best. - (Think about Florida in 2000)
- Therefore, Mr. Smith argues that important
elections should be conducted with secure systems
such as the one weve discussed today. He
believes that his system is the most secure
option that meets all the requirements outlined
as part of the (election system were aiming
for..) discussion.
35Questions??
- Acknowledgements
- Cryptography Meets Voting by Warren D. Smith
- www.verifiedvoting.org
- Prof. Chris Lynch