ReceiptFree UniversallyVerifiable Voting With Everlasting Privacy - PowerPoint PPT Presentation

1 / 56

About This Presentation

Title:

ReceiptFree UniversallyVerifiable Voting With Everlasting Privacy

Description:

Nothing is known about individual votes except final tally. Verifiability ... Mr. Drew cheats successfully with prob. exponentially small in k ... – PowerPoint PPT presentation

Number of Views:73

Avg rating:3.0/5.0

Slides: 57

Provided by: peopleSea

Category:

more less

Transcript and Presenter's Notes

Title: ReceiptFree UniversallyVerifiable Voting With Everlasting Privacy

1
Receipt-FreeUniversally-Verifiable Voting With
Everlasting Privacy

Tal Moran
Joint work with Prof. Moni Naor

2
A Very Brief History of Voting

Ancient Greece (5th century BCE)
Paper Ballots
Rome 2nd century BCE(Papyrus)
USA 17th century
Secret Ballots (19th century)
The Australian Ballot
Lever Machines
Optical Scan (20th century)
Direct Recording Electronic(DRE)

3
Voting the Challenge

Accuracy (Final result should reflect voters
intentions)
Fairness
Cast-as-intended
Counted-as-cast
Authorization
Availability
Privacy
Nothing is known about individual votes except
final tally
Verifiability
Who can check the results of the vote?
Receipt-Freeness
A voter cant prove for whom she votedeven if
she wants to
prevents vote-buying and coercion

4
Cryptographic Voting Schemes

Killer Advantage Universal Verifiability
Communication is sent to a public bulletin board
Anyone can verify the results of the election!
Chaum proposed first scheme based on mixes (1981)
Many different schemes exist today
Most schemes require computers
Voters may not trust the computers
Voting from home allows coercion

5
Human-aware Crytographic Voting

Use traditional framework
physical polling booths rather than internet
voting
Chaum 2004Visual-cryptography based scheme
Additional schemes using similar ideasBryans,
Ryan 2005
Neff 2004 Use cut-and-choose Zero Knowledge
The voting machine runs simulator to generate
receipt
All these schemes send encrypted votes to public
bulletin board
Rely on number-theoretic assumptions
Privacy will be lost if encryption is broken in
the future!

6
Privacy and Coercion

Vote privacy is essential to prevent coercion
Computational privacy holds only as long as its
underlying assumptions
Almost all universally verifiable voting schemes
rely on public-key encryption
Belief in privacy violation isenough for
coercion!

Existing public-key schemes with current key
lengths are likely to be broken in less than 30
years! RSA conference 06
7
Our Contributions
First Universally Verifiable Voting SchemeBased
on General Assumptions

First Universally Verifiable Scheme based
onGeneral Assumption
Previous schemes required special
properties(e.g. a homomorphic encryption scheme)
Our scheme can be based on any non-interactive
commitment
First Receipt-Free Voting Scheme withEverlasting
Privacy
Uses statistically hiding commitment instead of
encryption
Formal definition of Receipt-Freeness
Proof of security (integrity) in UC model
Security against arbitrary coalitions for free

First Receipt-Free Voting Scheme withEverlasting
Privacy
8
Outline of Talk

Voting Scheme based on commitment with
equivalence proof
Generalized Voting Scheme based on any
non-interactive commitment
Well use physical metaphors and a simplified
model

9
Alice and Bob for Class President

Cory the Coercer wants to rig the election
He can intimidate all the students
Only Mr. Drew is not afraid of Cory
Everybody trusts Mr. Drew to keep secrets
Unfortunately, Mr. Drew also wants to rig the
election
Luckily, he doesn't stoop to blackmail
Sadly, all the students suffer severe RSI
They can't use their hands at all
Mr. Drew will have to cast their ballots for them

10
Commitment with Equivalence Proof

We use a 20g weight for Alice...
...and a 10g weight for Bob
Using a scale, we can tell if two votes are
identical
Even if the weights are hidden in a box!
The only actions we allow are
Open a box
Compare two boxes

11
Additional Requirements

An untappable channel
Students can whisper in Mr. Drew's ear
Commitments are secret
Mr. Drew can put weights in the boxes privately
Everything else is public
Entire class can see all of Mr. Drews actions
They can hear anything that isnt whispered
The whole show is recorded on video (external
auditors)

Im whispering
12
Ernie Casts a Ballot

Ernie whispers his choice to Mr. Drew

I like Alice
13
Ernie Casts a Ballot

Mr. Drew puts a box on the scale
Mr. Drew needs to prove to Ernie that the box
contains 20g
If he opens the box, everyone else will see what
Ernie voted for!
Mr. Drew uses a Zero Knowledge Proof

Ernie
14
Ernie Casts a Ballot
Ernie Casts a Ballot

Mr. Drew puts k (3) proof boxes on the table
Each box should contain a 20g weight
Once the boxes are on the table, Mr. Drew is
committed to their contents

Ernie
15
Ernie Casts a Ballot
1 Weigh 2 Open 3 Open

Ernie challenges Mr. Drew For each box, Ernie
flips a coin and either
Asks Mr. Drew to put the box on the scale (prove
equivalence)
It should weigh the same as the Ernie box
Asks Mr. Drew to open the box
It should contain a 20g weight

16
Ernie Casts a Ballot
1 Open2 Weigh3 Open

If the Ernie box doesnt contain a 20g weight,
every proof box
Either doesnt contain a 20g weight
Or doesnt weight the same as theErnie box
Mr. Drew can fool Ernie with probability at most
2-k

Ernie
17
Ernie Casts a Ballot

Why is this Zero Knowledge?
When Ernie whispers to Mr. Drew,he can tell Mr.
Drew what hischallenge will be.
Mr. Drew can put 20g weights in the boxes he will
open, and 10g weights in the boxes he weighs

I like Bob
1 Open2 Weigh3 Weigh
18
Ernie Casts a Ballot Full Protocol

Ernie whispers his choice and a dummy challenge
to Mr. Drew
Mr. Drew puts a box on the scale
it should contain a 20g weight
Mr. Drew puts k Alice proof boxesand k Bob
proof boxes on the table
Bob boxes contain 10g or 20g weights according to
the dummy challenge

I like Alice
1 Open2 Weigh3 Weigh
19
Ernie Casts a Ballot Full Protocol
1 Open2 Open3 Weigh

Ernie shouts the Alice (real) challenge and the
Bob (dummy) challenge
Drew responds to the challenges
No matter who Ernie voted for,The protocol looks
exactly the same!

1 Open2 Weigh3 Weigh
20
Implementing Boxes and Scales

We can use Pedersen commitment
G a cyclic (abelian) group of prime order p
g,h generators of G
No one should know loggh
To commit to m2Zp
Choose random r2Zp
Send xgmhr
Statistically Hiding
For any m, x is uniformly distributed in G
Computationally Binding
If we can find m?m and r such that gmhrx
then
gm-mhr-r?1, so we can compute
loggh(r-r)/(m-m)

21
Implementing Boxes and Scales

To prove equivalence of xgmhr and ygmhs
Prover sends tr-s
Verifier checks that yhtx

g
h
g
h
tr-s
22
A Real System
Hello Ernie, Welcome to VoteMaster
Please choose your candidate
Alice
Bob
1 Receipt for Ernie 2 o63ZJVxC91rN0uRv/DtgXxhlUY
3 - Challenges - 4 Alice 5 Sn0w 619- ziggy
p3 6 Bob 7 l4st phone et spla 8 - Response -
9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ 0 Certified

23
A Real System
Hello Ernie, You are voting for Alice
Please enter a dummy challenge for Bob
Alice
l4st phone et spla
Bob
Continue
1 Receipt for Ernie 2 o63ZJVxC91rN0uRv/DtgXxhlUY
3 - Challenges - 4 Alice 5 Sn0w 619- ziggy
p3 6 Bob 7 l4st phone et spla 8 - Response -
9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ 0 Certified

24
A Real System
Hello Ernie, You are voting for Alice
Make sure the printer has output twolines (the
second line will be covered)Now enter the real
challenge for Alice
Alice
Sn0w 619- ziggy p3
l4st phone et spla
Bob
Continue
1 Receipt for Ernie 2 o63ZJVxC91rN0uRv/DtgXxhlUY
3 - Challenges - 4 Alice 5 Sn0w 619- ziggy
p3 6 Bob 7 l4st phone et spla 8 - Response -
9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ 0 Certified

25
A Real System
Hello Ernie, You are voting for Alice
Please verify that the printed challengesmatch
those you entered.
Alice
Sn0w 619- ziggy p3
l4st phone et spla
Bob
Finalize Vote
1 Receipt for Ernie 2 o63ZJVxC91rN0uRv/DtgXxhlUY
3 - Challenges - 4 Alice 5 Sn0w 619- ziggy
p3 6 Bob 7 l4st phone et spla 8 - Response -
9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ 0 Certified

26
A Real System
Hello Ernie, Thank you for voting
Please take your receipt
1 Receipt for Ernie 2 o63ZJVxC91rN0uRv/DtgXxhlUY
3 - Challenges - 4 Alice 5 Sn0w 619- ziggy
p3 6 Bob 7 l4st phone et spla 8 - Response -
9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ 0 Certified
12
27
Counting the Votes

Mr. Drew announces the final tally
Mr. Drew must prove the tally correct
Without revealing who voted for what!
Recall Mr. Drew is committed toeveryones votes

Alice 3Bob 1
28
Counting the Votes
1 Weigh 2 Weigh3 Open

Mr. Drew puts k rows ofnew boxes on the table
Each row should contain the same votes in a
random order
A random beacon gives k challenges
Everyone trusts that Mr. Drewcannot anticipate
thechallenges

Alice 3Bob 1
29
Counting the Votes
1 Weigh 2 Weigh3 Open

For each challenge
Mr. Drew proves that the row contains a
permutation of the real votes

Alice 3Bob 1
30
Counting the Votes
1 Weigh 2 Weigh3 Open

For each challenge
Mr. Drew proves that the row contains a
permutation of the real votes
Or
Mr. Drew opens the boxes andshows they match the
tally

Alice 3Bob 1
Fay
31
Counting the Votes
1 Weigh 2 Weigh3 Open

If Mr. Drews tally is bad
The new boxes dont matchthe tally
Or
They are not a permutationof the committed votes
Drew succeeds with prob.at most 2-k

Alice 3Bob 1
Fay
32
Counting the Votes
1 Weigh 2 Weigh3 Open

This prototocol does notreveal information
aboutspecific votes
No box is both opened andweighed
The opened boxes are ina random order

Alice 3Bob 1
Fay
33
Using Standard Commitment

Is the equivalence proof necessary?
Our new metaphor Locks and Keys
Assumptions
Every key fits a single lock
Every lock has only one key
No one can tell by just looking whether a key
fits a lock

34
Commitment with Locks and Keys

To commit to a message
Privately lock the message using a key
Create another, dummy message and lock
Put the key, lock and dummy lock on the table
The key only fits one lock
To open the commitment, open the real lock

Private
35
Nested Commitments

We have an additional trick
Commitment to a commitment
We can put a key on the lock instead of a message
The second key is a commitment to the commitment
to the message

36
Nested Commitments

We can open the external commitment without
giving any information about the internal

37
Nested Commitments

We can open the external commitment without
giving any information about the internal
Or open the internal one without revealing the
external

38
Ernie Casts a Ballot

Ernie whispers his choice to Mr. Drew
Mr. Drew creates 2k doublecommitments to Ernies
choice
Mr. Drew now proves to Ernie thatmost of the
commitments are correct
He uses a Zero Knowledge proof

I like Alice
Private
39
Ernie Casts a Ballot

Ernie chooses a random permutation
Mr. Drew rearranges keysand locks by this
permutation

2314
40
Ernie Casts a Ballot

Mr. Drew reveals k of the internalcommitments
Does not open external commitments!
Ernie makes k challenges

1 Candidate2 Connection
41
Ernie Casts a Ballot

Mr. Drew responds to challenges
Opens internal commitment

1 Candidate2 Connection
42
Ernie Casts a Ballot

Mr. Drew responds to challenges
Opens internal commitment
Or
Opens external commitment

1 Candidate2 Connection
43
Ernie Casts a Ballot Proof Intuition

If a large fraction of Mr. Drews commitments are
bad
After shuffling, a large fraction of bad
commitments will be in the first k
For each bad commitment
Either Mr. Drew cannot open internal commitment
Or
Drew cannot open external commitment
Mr. Drew cheats successfully with prob.
exponentially small in k

44
Ernie Casts a Ballot Zero Knowledge

If Mr. Drew knows Ernies challengein advance
He can use the dummyinternal commitments

1 Candidate2 Connection
Private
45
Ernie Casts a Ballot Zero Knowledge

Mr. Drew can prove Ernievoted for Bob

1 Candidate2 Connection
Private
46
Ernie Casts a Ballot Receipt Freeness

We use the same technique as previously
Ernie whispers his choiceand a dummy challenge
Mr. Drew proves that Ernievoted for Bob using
the dummychallenge
And that Ernie voted for Alice usinga real
challenge
The real and dummy proofs are indistinguishable
to everyone else

I like Alice
1 Candidate2 Candidate
47
Counting the Votes
Alice 3Bob 1

Mr. Drew reveals the tally
Random beacon providesn permutations of 1,,k
Mr. Drew permutes the columns

Ernie 12 Fay 12Guy 21Heidi 21
Ernie
Fay
Guy
Heidi
Ernie
Fay
Guy
Heidi
48
Counting the Votes

Drew chooses k randompermutations of 1,,n
Drew permutes the rows(of internal commitments)

Row1 2431Row2 1342
49
Counting the Votes
1 Commits2 Tally

Mr. Drew reveals the permuted internal
commitments(without opening any commitment)
The random beacon issues k challenges

Ernie
Guy
Heidi
Fay
Ernie
Fay
Guy
Heidi
50
Counting the Votes
1 Commits2 Tally

Mr. Drew responds
Open external commitments and show they match
the originals

Guy
Heidi
Ernie
Fay
Ernie
Fay
Guy
Heidi
51
Counting the Votes
1 Commits2 Tally

Mr. Drew responds
Open external commitments and show they match
the originals
or
Open internal commitmentsand show the tally
matches

Guy
Heidi
Ernie
Fay
Ernie
Fay
Guy
Heidi
52
Counting the Votes Proof Intuition

Zero Knowledge
Viewers see either random permutation of tally
Internal commitments cant be connected to voters
Or opening of external commitments
No information about votes

53
Counting the Votes Proof Intuition

Integrity Mr. Drew can cheat in two ways
Use bad (dummy) external commitments
Will be caught if asked to open them

?
Ernie
Fay
Guy
Heidi
Ernie
Fay
Guy
Heidi
54
Counting the Votes Proof Intuition

Integrity Mr. Drew can cheat in two ways
Use bad (dummy) external commitments
Will be caught if asked to open them
Use bad double commitments
Ballot casting ensures a good majority in each
column
Columns are permuted after commitment with high
probability some rows will not match
Probability of successful cheating is
exponentially small in k