
Title: A Noninteractive Zero Knowledge Proof Protocol in an Internet Voting Scheme


1
A Non-interactive Zero Knowledge Proof Protocol
in an Internet Voting Scheme
  • Md. Abdul Based
  • Department of Telematics, NTNU
  • October 22, 2009

2
Outline
  • An Internet Voting Scheme
  • Voter Authentication
  • Confidentiality and Integrity of Ballot
  • Ballot Verification using a NZKP Protocol
  • Smartcard
  • Computations at Voter's side
  • Computations at Servers' side
  • Completeness, Soundness, and Zero-knowledgeness
  • Summary and Future plan

3
An Internet Voting Scheme
Figure 1: An Internet Voting Scheme.

4
Voter Authentication
  • Using Smartcard Technology with Fingerprint
  • Voter inserts smartcard into smartcard reader
  • Voter supplies fingerprint by fingerprint scanner
  • The smartcard verifies the fingerprint, and if it
    is ok the voter gets access to the voting web page

5
Confidentiality and Integrity of Ballot
  • Voter signs ballot B using the private key for
    group signature
  • Voter encrypts the ballot using the public key of
    the counting server (CS)
  • Voter again signs the ballot using the voter's own
    private key, and encrypts the ballot again using
    the public key of the authentication server (AS)
  • Voter sends this signed and encrypted ballot to
    AS. The AS verifies the outer signature and
    forwards the encrypted ballot to CSs (after
    removing the outer signature)

6
Zero Knowledge Protocol
  • Completeness
  • Soundness
  • Zero-knowledgeness
  • Types (Based on Interaction)
  • Interactive
  • Non-interactive (NZKP)

7
Ballot Verification using a NZKP
  • Smartcard contains ((e, g1, n1), (e, g2, n2),
    …, (e, gj, nj))
  • j: number of counting servers (CS) or candidates
  • e: a prime agreed by all CSs
  • gj: an element in such that e divides the
    order of gj, and nj = pj·qj (pj and qj values are
    chosen by server j such that e divides (pj-1),
    but does not divide (qj-1). pj and qj are private
    to the servers)
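
The parameter conditions on slide 7, as an added example (not code from the presentation): a server-side check that a triple (e, g, n = p·q) satisfies them. The group is assumed to be the multiplicative group modulo n, since the slide's group symbol is missing from this transcript; the function names and toy values are constructed for illustration.

```python
import math

def is_prime(n: int) -> bool:
    """Trial division; adequate only for the toy sizes used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, math.isqrt(n) + 1))

def check_server_params(e: int, g: int, p: int, q: int) -> list[str]:
    """Return the slide-7 conditions violated by (e, g, n = p*q); empty means OK."""
    if not is_prime(e):
        return ["e is not prime"]
    problems = []
    if not (is_prime(p) and is_prime(q) and p != q):
        problems.append("p and q must be distinct primes")
    if (p - 1) % e != 0:
        problems.append("e does not divide p-1")
    if (q - 1) % e == 0:
        problems.append("e divides q-1")
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(g, n) != 1:
        problems.append("g is not invertible mod n")
    # Sufficient test for "e divides the order of g" (assumed group: Z*_n).
    # If e did not divide ord(g), ord(g) would divide phi/e and the power
    # below would equal 1. The test is conservative when e*e divides phi.
    elif phi % e != 0 or pow(g, phi // e, n) == 1:
        problems.append("e is not shown to divide the order of g")
    return problems

def pick_g(e: int, p: int, q: int) -> int:
    """Smallest g >= 2 passing every check (server side; p and q stay private)."""
    for g in range(2, p * q):
        if not check_server_params(e, g, p, q):
            return g
    raise ValueError("no suitable g for these parameters")

if __name__ == "__main__":
    e, p, q = 5, 11, 7                      # constructed toy values
    g = pick_g(e, p, q)
    print("public triple on the smartcard:", (e, g, p * q))
    print("g = 10 rejected:", check_server_params(e, 10, p, q))
    print("q = 31 rejected:", check_server_params(e, g, p, 31))
```
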

8
Computations at Voter's Side
  • Voter randomly picks the values of the string R =
    (r1, r2, …, rj), where
  • Here, (r1, r2, …, rj) are elements of

9
Computations at Voter's Side (contd.)
  • Voter computes the ballot B = (b1, b2, …, bj),
    where b1, b2, …, bj are ballot shares such that

10
Computations at Voter's Side (contd.)
  • A vote V = (v1, v2, …, vj), where

11
Computations at Voter's Side (contd.)
  • A ballot B is valid if each of b1, b2, …, bj is
    valid, and if
  • Vote for candidate 1 is v1, for candidate 2 is
    v2, and so on

12
Computations at Voter's Side (contd.)
  • Voter chooses (α1, α2, …, αj) and (β1, β2, …, βj),
    where

13
Computations at Voter's Side (contd.)
  • And
  • Here, k is a security parameter. Each of α1,
    α2, …, αj is 0 (mod e), and each of β1, β2, …, βj
    is 1 (mod e).

14
Computations at Voter's Side (contd.)
  • Now the voter picks a random bit; if biti =
    0 then the voter computes pairi = (xi, yi), else
    pairi = (yi, xi). Here,
  • And i = 1 to k.

15
Computations at Voter's Side (contd.)
  • The voter sends B and k-pairs to the counting
    servers.
  • For each ballot the voter follows the following
    procedure
  • For ballot share b1, the voter checks the bit ci
    of the random challenge string provided by a
    trusted third party and answers with di.

16
Computations at Voter's Side (contd.)
  • If ci = 0 then
  • di
  • If ci = 1 then
  • di (if v1 = 1)
  • else
  • di (if v1 = 0)

17
Computations at Voter's Side (contd.)
  • The voter sends di to the counting servers and
    follows the same procedure for each ballot share.
  • Finally the voter sends the random string R to
    the counting servers.

18
Computations at Servers' Side
  • The servers also check the ci value.
  • If ci = 0 then the servers first check that
  • And

19
Computations at Servers' Side (contd.)
  • Then the servers check that
  • pairi
  • Or
  • pairi

20
Computations at Servers' Side (contd.)
  • If ci = 1 the servers first check that
  • Then the servers check that
  • Here, m = 1 to j, and i = 1 to k.

21
Computations at Servers' Side (contd.)
  • And

22
Computations at Servers' Side (contd.)
  • If these calculations are correct this implies
    that each of b1, b2, …, bj is valid.
  • Finally, the servers check that (from R)
  • And
  • This implies that the ballot B is valid.

23
Ballot Counting
  • CSs receive ballots (B1, B2, …, Bp) from p voters
    where
  • B1 = (b11, b12, …, b1j) sent by voter 1
  • B2 = (b21, b22, …, b2j) sent by voter 2
  • And so on.
  • Net ballot Bp ( ) (mod e)

24
Ballot Counting (contd.)
  • Total vote for
  • Candidate 1
  • Candidate 2
  • And so on.

25
Ballot Counting (contd.)
  • To compute the final tally, the servers should
    publish the sub-tallies.
  • Sub-tallies published by
  • Server 1
  • Server 2
  • And so on.

26
Completeness
  • If both the voter and server follow the protocol,
    the ballot cast by the voter will be accepted
    with probability one.

27
Soundness
  • If at least one of the counting servers is honest,
    then with overwhelming probability, a dishonest
    voter will not succeed with an invalid ballot.

28
Zero-knowledgeness
  • The voter sends only the necessary information
    needed to prove the validity of the ballot. The
    counting servers can only confirm the validity of
    the ballot, but cannot reveal the value of a
    particular ballot.

29
Summary
  • Authentication of Voter
  • Confidentiality and Integrity of ballot
  • Anonymity of the Voter
  • Validity of ballot without interaction

30
Future Plan
  • Implementation
  • Evaluation

31
  • Questions?