A Realistic Secure Anonymous E-voting Protocol Based on ElGamal Scheme 1 A Realistic Secure Anonymous E-voting Protocol Based on ElGamal Scheme 詹進科     國立中興大學 資訊科學系所 ICBN’03 Bangalore, India May 5-7, 2003

Introduction 2 System requirements Our E-voting scheme Initialization Phase Authentication Phase Voting Phase Announcement Phase Analysis Conclusions

3 System requirements Accuracy: All valid votes are counted correctly. A voter’s vote can not be altered, duplicated, or removed. Fairness: Only eligible voters are permitted to vote, and they can vote at most once. Verifiability: Voters can make sure that their votes are counted correctly. Privacy: There is no way to derive the link between voter’s identity and the marked ballot, the voter remains anonymous. Mobility: A system is mobile if there are no restrictions on the location from which voters can cast their ballots. Practicability:An e-voting system must be practical in that it must be easy to implement and the security is trusted .

Preview of Our Scheme 4 1 Signature on vi Verify vi and record inf. for announcing Personal certificate Announce m with secret keys Voter’s Id Secret sharing on marked ballot m

5 Issues Traditional election Our E-voting protocol   5 Issues Traditional election Our E-voting protocol Role Electoral authority and Voters Voters, Certificate Authority, Authentication Center, Public Proxy Servers, Tally Center and Supervision Center Web sites et al. Location Polling place (fixed location) Home (flexible location, by network) Ballot issuing way On voting day, issue by electoral authority Voter can download blank ballot from network and processing digital signature Authentication Authenticate voter by voter’s identification card Authenticate someone by digital signature Announce phase party Electoral authority TC and SC by secret sharing method Anonymous mechanism Voter should not make any token on ballot With public proxy servers to forward ballot through SSL (extend David Chaum’s mixer concept) and pseudonym mechanism.   Table 1 the difference between traditional election and our E-voting protocol  

Preview of Our Scheme(Notations) 6 Preview of Our Scheme(Notations) : the secret key of X. : the public key of X. : the voter-pseudonym for voter i. : marked ballot. : encrypted ballot. : two large prime numbers , where . : blind factors ;  . : the ElGamal signature of . ,

Preview of Our Scheme(Notations) 7 Preview of Our Scheme(Notations) : the random number. : a part of ballot which is hold by TC for revealing a half part of m . : a part of ballot which is hold by SC for revealing the other part of m . : a secret sharing parameter that is held by TC . : another secret sharing parameter which is held by SC .

8 Initialization Phase Step 1: Initially, there are a large prime number p, a prime factor q of (p-1), and a primitive number g (mod p) which are known to all users in our scheme. Step 2 : The AC, TC, and SC will choose their secret keys , and from numbers in the range [1, q-1] and compute the corresponding public keys respectively.

Initialization Phase(continue) 9 Initialization Phase(continue) step 3: Before the election, each voter should be enrolled in a register of electors and be issued a “personal certificate” from the CA to be embedded in the voter’s browser software. This “personal certificate” can be used for a number of elections.

Some Backgrounds Authentication phase 10 ri si 1.Voter use “personal certificate” to login the web site of AC to request for “voter-pseudonym signature” on vi ri si

11 Voting phase TC and SC can verify the pseudonym and the pair of signature ( )

12 Announcement phase

13 Analysis  Fairness Issues :Only a voter whose legal “personal certificate” has been embedded into his web browser can pass the AC website verification and login. Each voter has only one chance to ask the AC for a “voter-pseudonym signature” for the next voting phase.  Privacy Issues: Anonymity in the Authentication phase: The “voter-pseudonym signature” is signed by the AC blindly. (2) Anonymity in the voting phase :We involve “public proxy server”. The network address of the ballot can be replaced by a proxy address. (3) Anonymity in the Announcement phase: Only with the cooperation of the TC and SC, each ballot can be decrypted. It is not necessary to allow voters verify (or show to bribers) their votes

14 Analysis  Accuracy Issues:The ballot counting is under the supervision of the SC and TC. A ballot miscount cannot occur in our scheme.  Verifiability Issues: We involve the secret sharing mechanism in our scheme to be sure all of the votes can be counted correctly.  Mobility Issues : Our scheme can easily be implemented by connecting personal computers to those web sites, allowing voters to vote from anywhere.  Practicability Issues : The time complexity for the required processing is acceptable in our scheme. The design is suitable for implementation on the Internet.

15 Conclusions Integrate reality and cryptology , such as the kinds of “certificate authority” and “public proxy server” are integrated in our scheme to solve the problem of identification and anonymity over the Internet. Solve the fairness, privacy, accuracy, verifiability, mobility and practicability problems, and use secret sharing method to ensure the announcement phase will not occur on the misconduct. With the SSL channel, and the trusted server( to issue a digital certificate), the electoral authority can process a secure election efficiently.

Public-key Cryptosystem RSA Each user B has two keys ( eB ,nB ) 及 ( dB , nB ) M M C A B D(C)=CdB mod nB = M C = E(M) = MeB mod nB Proposed by Rivest, Shamir and Adleman in 1978

Observations constraints 1. To any plaintext M; let gcd(M, n) = 1, here n=p*q; p &q are primes. 2. How to obtain e & d ? select any integer e such that gcd(e, (n))=1, and compute another integer d such that e*d mod (n) = 1 , here (n) =(p-1)*(q-1). 3. Public e & n , and keep d & (n) secret. 4. To find p & q from n = p*q is hard; if n is a 200-digit integer, and with a computer of 1 MIPS, to reveal p and q from n should cost 106 years. 1. nB = p . q {≈ 200 digits} 2. gcd( eB , (p-1)(q-1)) = 1 3. 0 < M < nB 4. eB . dB  1 (mod (p-1)(q-1)) constraints

Digital Signature with RSA 1. For authenticity. 2. In RSA, we may sign any document with sender’s private key. Alice Bob Alice : C = (MdA mod nA)eB mod nB Bob : M = (CdB mod nB)eA mod nA Signarture Encryption

ElGamal's Digital Signature 大質數 P, mod P 之原根g , 簽署者 B 任選之整數(私鑰) x , 1<x<P-1 B 算出之公鑰 y = g x mod P {用原根g 以免被解 離散對數} 系統已知 簽署作業 [ 此法之簽體(即明文 M)不能似 RSA簽章法之可直接還原] 對明文M, 1MP-1, B選一整數 k, gcd(k, P-1) = 1, B 計算簽署文 (r, s)滿足 : r = g k mod P, s = k -1 (M - x r) mod P-1(或 M = x r + k s mod P-1). B 將 (r, s)送給 A. 驗證 驗證者 A verifies 下式是否為真 ? g M = yr r s mod P  gM = gx r g k s = yr r s mod P

Nyberg-Rueppel Signature 系統已知 Let P be a large prime number, Q be a prime factor of P-1, and G be a primitive element to mod P.{ all these three are known to public}, Now, the signer holds SK[1, Q-1] as secret key and PK=GSK mod P as public key , plaintext M [1, P-1] and a random number r [1, Q-1] . 簽署作業 SG1 = M * G r mod P SG2 = SK * SG1 + r mod Q 任何人可用下列方式驗證送方身份並且可 recover message M : M  G -SG2 * PK SG1 * SG1 mod P  G -SK*SG1 -r * G SK * SG1 * M * G r mod P  M * G -SK*SG1 -r + SK * SG1 +r mod P 驗證 ? 1994年 Carmenisch, Piveteau & Stadler(CPS) 利用上述精神提出一盲簽章法

D. Chaum (1982) Blind Signature 系統參數: signer 之 public key (e, n), private key d, p, q (n=p*q). 簽署程序: A 請 B 簽署一份信息M,然 B 不被告知 M 之內容 (1) A 任選一亂數 r(即 blinding factor), 1< r < n, 且計算 t = M * r e mod n , 給B. (2) B 簽署 t, 即  = td = (M* r e) d mod n, 給A. (3) A 計算(unblind)出 M 之簽章為: s =  * r -1 = td * r -1 = M d (mod n).

CPS blind-signature 任何人可以下述驗證 系統參數: signer holds SK[1, Q-1] as secret key and PK=GSK mod P as public key , and a random number r [1, Q-1] . signer requester 1 K = G r mod P, r[1, Q-1] 任選兩亂數(盲因子) ,  [1, Q-1] 算 SG1 = M * G * K mod P C = SG1 *  -1 mod Q 2 SGC = C * SK + r mod Q 3 算 SG2 = SGC *  +  mod Q (4) 任何人可以下述驗證 (5) ? M  G -SG2 * PK SG1 * SG1 mod P = (G -SGC *  - ) * (GSK * SG1) * (M * G * K ) mod P = (G -(C *SK + r)*  - ) * (GSK * SG1) * (M * G * G r *  ) mod P = (G -SG1*SK -r *  - ) * (GSK * SG1) * (M * G * G r *  ) mod P = M * G -SG1*SK -r *  -  +SG1*SK +r *  +  mod P.

Cryptographic primitives The blind signature scheme based on DLP (1994 CPS) System parameters: a prime p, a prime factor q of p-1, and an element of order q, the signer’s private key ,public key is To sign a message , we do as follows: Requestor Signer We can verify **The pair (r, s) is a ElGamal signature of the message m

Cryptographic primitives b. Extension of the ElGamal(secret sharing) System parameters: a prime p, a primitive number g (mod p), A’s and B’s private keys are , public keys are To encrypt a message M, we do as following: Encryption procedure 1. two numbers a and b are randomly chosen by w A 2. A and B compute respectively B Decryption procedure

Thank you for your patience Professor Jinn-Ke Jan Institute of Computer Science, National Chung Hsing University, Taichung, Taiwan, ROC. E-mail: jkjan@cs.nchu.edu.tw