Cryptography meets Voting Warren D. Smith - PowerPoint PPT Presentation

1 / 35
About This Presentation
Title:

Cryptography meets Voting Warren D. Smith

Description:

Cryptography meets Voting Warren D. Smith – PowerPoint PPT presentation

Number of Views:66
Avg rating:3.0/5.0
Slides: 36
Provided by: peopleC4
Category:

less

Transcript and Presenter's Notes

Title: Cryptography meets Voting Warren D. Smith


1
Cryptography meets VotingWarren D. Smith
  • Paper discussed by
  • Isuru Ranaweera

2
  • In the next election
  • Will your vote be properly recorded?
  • Will you be able to rule out election fraud?
  • The answer to both these questions is quite
    possibly No!

3
The problem (a)
  • Our election system isnt very secure to begin
    with. And it stands to become even more insecure
    with time..
  • Many states, including New York, are proposing a
    shift to an increasingly electronic voting
    system. (This is a system where votes are tallied
    and results are calculated electronically.)
  • Unfortunately, many of the electronic voting
    components such as vote-tallying machines, are
    manufactured under non-disclosure agreements.
    (This means that electronic voting machine
    manufacturers arent required to release the
    hardware and software architectures employed by
    their machines.)

4
The problem (b)
  • Herein lies the central problem. Aside from the
    manufacturers guarantee that their systems are
    bulletproof, we only have moderate federal
    assurance of the security of such systems. And
    sometimes, even the federal assurance may not
    exist.
  • For example, after a recall election in 2003
    that employed the popular electronic Diebold
    Election System, Californias secretary of state,
    Kevin Shelley, announced that none of the
    systems software had been federally certified.
    This essentially implied that the validity of the
    election result was highly questionable.

5
(potential solution) (a)
  • The solution to our problem is simple
    Disclosure
  • Essentially, this means that any electronic
    voting system must publicly release the explicit
    methods it uses.
  • Why does it work?
  • Disclosure enables extreme scrutiny of the
    methods involved. This virtually guarantees that
    any fraud will be revealed, that the system being
    used is valid, and that it doesnt have any
    hidden security flaws.
  • In an electronic context, disclosure has proved
    to be extremely useful. For example, open-source
    (disclosed) systems such as Mandrakes Linux are
    much more stable than proprietary (un-disclosed)
    systems such as Microsofts Windows. (This is
    because disclosed systems are quick to find and
    remedy flaws.) Furthermore, in the field of
    information security, all publicly trusted
    systems have been fully disclosed. These in turn
    are believed to be the most secure systems in
    existence.

6
(potential solution) (b)
  • Is the method feasible?
  • Simply put, yes. Many secure election systems
    have been devised over the years. One such method
    devised by Warren D. Smith is outlined in his
    paper Cryptography meets Voting. In this paper
    he provides a provably secure system that costs
    around 1 per voter.
  • (This is well within current election budgets)
  • Today we will discuss this crypto system that has
    the capacity to meet our election security
    requirements

7
What do we desire from an election (A)
  • Cheap economically and computationally
  • Virtually impossible to cheat even for agencies
    such as the CIA or NSA
  • Robustness recounts should be possible

8
What do we desire from an election (B)
  • Only the voter knows how he voted vote cannot
    be effectively modified
  • Voter cannot prove how he voted to a third party
    voter cannot sell vote
  • Others cannot tell if voter voted or not voter
    cannot be coerced
  • Everyone can verify that only authorized voters
    voted and at most once no illegal voting

9
Cryptographic tools well use.. (A)-1
  • ElGamal public key crypto systems
  • Based on the difficulty of calculating discrete
    logs
  • C Number(secret-key) (mod Domain)
  • (its difficult to calculate secret-key from C)
  • Public keys N, A, B where BAa(mod N)
  • Secret key a
  • System details
  • cipher-pair (Ak, mBk) where m is the message
    k is random
  • decoding
  • We get inverse(Aak) by raising Ak to a and
    calculating its inverse
  • inverse(Number) x Number 1
  • mBk mAak,
  • mAak x inverse(Aak) m,

10
Cryptographic tools well use.. (A)-2
  • Homomorphic properties in ElGamal systems
  • A traditional El Gamal system with an encryption
    function E with this property
  • E(M1) x E(M2) E(M1 M2)

11
Cryptographic tools well use.. (B)-1
  • Zero knowledge proofs
  • A system whereby a prover proves to a verifier
    that he knows a secret without revealing any
    direct information about
  • the secret
  • Eg- Graph mapping

12
Cryptographic tools well use.. (B)-2
  • Zero knowledge (ZK) OR ing.
  • Alice provides a zero knowledge proof of
  • (ZK proof of S) OR (sender is Bob) to Bob.
    This way, because Bob knows sender isnt Bob, he
    trusts that hes received a ZK proof of Alices
    S. But if Bob then tries to send the message he
    received from Alice to Carl, Carl wont be
    convinced because he doesnt know that the second
    part of the OR was false in the initial
    transmission.
  • This way, Alice has deniability. (Only Bob knows
    that (sender is Bob) is false because Alice
    requires Bobs secret key to make that statement
    true. But Carl doesnt know if Bob gave his
    secret key to anyone else. So only Bob can be
    convinced in this scenario.

13
Cryptographic tools well use.. (C)
  • Secret (Key) sharing
  • Multiple parties hold a piece of a universal key
    that can only be reconstructed with the mutual
    cooperation of all the secret sharers.
  • (The cooperation is usually sequential and not
    concurrent)

14
Cryptographic tools well use.. (D)
  • Elliptic Curve Cryptosystems (ECC)
  • A computational modification that can be applied
    to cryptosystems such as ElGamal which in turn
    provides faster computation while also
    potentially strengthening the encryption. (Useful
    for making our voting schemes cost effective)

15
The election system were aiming for (a)
  • Before the election starts, there is a pre-posted
    publicly available and readable list of
    legitimately eligible voters.
  • During the election, voters provide their vote to
    the EA (election authority). We assume that the
    voting and communication processes are private.
    (Not seen heard or recorded by anyone else.)
  • Afterwards, the EA combines the votes using a
    publicly known polynomial time algorithm to
    produce the election results which it then
    announces.

16
The election system were aiming for (b)
  • Anyone can verify that only legitimate voters
    voted and each voted at most once. And that no
    votes were faked, altered or destroyed.
  • Anyone can verify that the correct election
    results were announced.
  • The entire election and verification process
    requires only a polynomial time total
    computation. (To be feasible).
  • No vote-buyer can be convinced of what a voters
    vote was. (Because no voter can convince others
    of how he voted unless an exponentially large
    computation takes place or the discrete logarithm
    problem gets solved in less than exponential
    time.)
  • (So, vote-buying and vote-coercion are virtually
    impossible)

17
Our first attempt.. (A)
  • Each voter V encrypts his vote M using PKEA
  • He sends the encrypted vote M to EA
  • EA re-encrypts M as M by using SKEA and sends
    it to V
  • V uses a zero knowledge log proof to verify
    that M was indeed a re-encryption of M

PK public key SK secret key EA Election
Authority
18
Our first attempt.. (B)
  • V dates and signs M as M and sends it to EA
  • EA signs M as M and posts this on a
    publicly viewable bulletin board next to Vs name
  • V also receives a paper with a bar code denoting
    M in case a recount is needed
  • Finally EA converts all bulletin board results to
    an election result. (It proves the validity of
    the result by providing zero knowledge proofs of
    each conversion)

19
Why the first attempt.. works
  • Because everything is a ZK proof protocol,
    everyone is convinced that the EA correctly
    transformed the posted votes to the declared
    election result.
  • Because only the EA has the universal secret key,
    nobody but the EA knows what the votes are.
  • A voter wishing to sell his vote is unable to
    demonstrate regeneration of his publicly posted
    vote because of random padding. (So no two posted
    votes will be identical.)

20
What are the first attempts weaknesses?
  • If the EA agrees to a collusion, the system will
    allow vote buying and coercion. (However, the
    actual posted vote will still be correctly
    counted.)
  • Therefore, the EA must be trusted to hold a
    proper election. (The EA is not fully audited).

21
Analysis of first attempt..
  • Benefits
  • All are convinced of the result
  • The votes remain anonymous
  • Voter cannot prove what he voted
  • Drawback
  • EA isnt fully audited by anyone else
  • EA knows all this is dangerous
  • So, let us modify our first attempt..

22
The Secure System (A)
  • S key holders randomly generate their secret
  • partial decryption keys K1, K2, , KS and use
  • them to produce the public encryption keys and
    the secret key k k S(i1 to S) Ki (k is the
    universal secret key)
  • Voter makes his vote v based on public
    information (v consists of integers)
  • Voter homomorphic-Elgamal-encrypts his v with K
  • and transmits the encrypted vote M to EA
  • where K (mod G) ? (i1 to S) Ki
  • (K is a universal public key and G is Ks
    modulus domain)

23
The Secure System (B)
  • EA re-homomorphic-ElGamal-encrypts M to
  • M using public key K. Then EA adjoins the
  • date to M to get M which is sent back to
    voter. Voter signs M and sends M back to EA
    which signs M to get M.
  • ( Both voter and EA use non-interactive zero
    knowledge proofs to verify the validity of the
    relevant re-encryptions.)
  • Then, EA posts the twice-signed,
    validity-self-proving dated M on a public list
    of approved voters next to our voters name. EA
    prints 2 hardcopy bar-codes of M and sends one
    to the voter while keeping the other.

24
The Secure System (C)
  • A voter can vote multiple times, but only the
  • last dated vote will count.
  • Once all votes have been cast, EA provides the
    homomorphically added result (which it cant
    read) to the body of secret key holders who each
    perform a partial ElGamal decryption on the
    result to decode the election result.
  • (All during the EA homomorphic addition process
    and secret-key-holder partial decryption process,
    independent verifiers can find out if the
    information has been contaminated)

25
What have we changed? (a)
  • We made all encryptions homomorphic-ElGamal.
  • The EA does not know its decryption key (The
    universal secret key).
  • (With homomorphism, this doesnt prevent the EA
    from correctly tallying the votes or proving to
    each voter that his vote has been correctly
    converted.)
  • Anyone else is free to carry out the same
    calculation as the EA and verify that its work is
    accurate by producing the same result himself.

26
What have we changed? (b)
  • The EA is prevented from revealing any votes and
    thus makes the election fully secure.
  • (Therefore the vote-selling problem in our first
    attempt is no longer a problem.)
  • Because the EA cannot decrypt each vote, it
    doesnt know if each vote is properly formatted.
    Therefore, it is now necessary for each voter to
    provide a zero-knowledge proof that his vote was
    correctly and legally formatted.

27
What have we changed? (c)
  • The universal secret key is known (partially) by
    s mutually distrusting entities.
  • The s mutually distrusting entities are also
    known as the secret sharers.
  • During the election, the s secret sharers work
    together only twice. Once at the beginning to
    generate the public keys, and once at the end to
    decrypt the result by sequentially applying their
    partial secret keys to make up the universal
    secret key k. (which gets implicitly used to
    decode the election result)

28
What have we changed? (d)
  • Each secret sharer must provide zero-knowledge
    proofs that they are using the same Ki for both
    their initial generation of k and for their
    subsequent decryption of the final result.
  • No one knows the ElGamal universal secret key k,
    but we can still decode the result.
  • Unless all the keyholders and the EA collude, all
    votes will remain forever private.

29
What have we changed? (e)
  • The EA does most of the communication and
    computation. The secret key holders act once at
    the very beginning and once at the end of the
    election. (This is a small amount of modular
    exponentiation work which is independent of the
    number of voters.)
  • Because the EA only knows encryption keys, it can
    publicly make them available and distribute them
    far and wide at different voting locations
    without fear of exposing an important secret
  • Therefore voting communication will be between
    the voter and the EA owned voting machine next to
    him.
  • If the voting machine performs the encryption
    and stores the result immediately, its data
    cannot be compromised.
  • (Naturally, when the voter makes his choice at
    the machine, that act itself is vulnerable to
    eavesdropping.)

30
Analysis of the Secure System
  • Benefits (similar to first attempt..)
  • All are convinced of the result
  • The votes remain anonymous
  • Voter cannot prove what he voted
  • EA knows little
  • Only the secret key holders have to be physically
    protected
  • One Drawback Remains (not in the paper)
  • Public bulletin reveals if you voted or not

31
Other similar voting systems.. (a)
  • Mixnet voting system
  • Expensive in terms of communication cost.
    (because multiple parallel redundant
    communications must take place. This will clog
    the network)
  • Cannot be scaled to work with multi-winner voting
    systems. (because this would make votes unique
    and non-anonymous. There are ways of avoiding
    this, but they are computationally very expensive
    and limiting.)
  • All voters may have to have decided before the
    voting begins (in order to guarantee perfect
    anonymity. Otherwise traffic can be monitored.)

32
Other similar voting systems.. (b)
  • Heterodox voting system
  • Votes can be bought. (Voters are capable of
    proving the way they voted and thereby selling
    their vote. They can also be coerced through
    this.)
  • Potentially heavy delays during voting. (This is
    because a preparatory phase exists along with a
    vote casting phase. Furthermore, explicit
    identification of voters who drop out during
    phases is required.)
  • Heavy information storage requirements (This
    makes the scheme only feasible for small
    elections with around 10000 voters.)

33
Other similar voting systems.. (c)
  • Multiparty computation voting system
  • Computationally expensive. (This makes it
    necessary to perform 1014 modular exponentiations
    for 108 voters. This makes the cost per voter
    round to about 270 per voter. Unacceptable in
    all but the most select small circles.)
  • Too many parties to trust. (The distributed
    computation model forces us to trust many parties
    and hope that they dont collude. When were
    dealing with powerful political parties, its
    unreasonable to make this assumption.)
  • It may be possible to overcome the second ( /\ )
    drawback by making extensive computation advances
    and overcoming the first drawback.

34
Conclusion
  • Generally, each voting system has benefits over
    other systems, and drawbacks compared to other
    systems as well.
  • However, our present day voting systems are
    highly antiquated and ineffective at best.
  • (Think about Florida in 2000)
  • Therefore, Mr. Smith argues that important
    elections should be conducted with secure systems
    such as the one weve discussed today. He
    believes that his system is the most secure
    option that meets all the requirements outlined
    as part of the (election system were aiming
    for..) discussion.

35
Questions??
  • Acknowledgements
  • Cryptography Meets Voting by Warren D. Smith
  • www.verifiedvoting.org
  • Prof. Chris Lynch
Write a Comment
User Comments (0)
About PowerShow.com