Advanced Topics in Security Lecture ID: ET-IDA -044 Section-B: Lecture 6 Secured Voting 22.01.2011 V-2 Prof. Wael Adi Institute for Computer and Network Engineering Technical University of Braunschweig Braunschweig, Germany Technische Universitaet Braunschweig
Outline
- Introduction, Background
- Electronic Voting Objectives
- Cryptography in Electronic Voting
- Research Direction
- Conclusion
Background
- Voting plays an important role in society
- Manual voting has limitations (scalability, efficiency, cost, accuracy)
- Voting technology tends to follow the latest technology trends
- Complicated security requirements (voter – vote relationship)
- Contemporary application of cryptography
Traditional Voting
[Figure labels: voter, ballot, vote, ballot box, teller, registration authority, monitor, news / bulletin board]
Disadvantages of traditional voting
- Scalability
  - Complex for a large number of voters
  - Spans a large geographical region (hard to manage consistently)
- Efficiency - storage and processing time, space
- Administration cost
- Accuracy - verifiability, human errors, abnormal votes
-> Move towards automated (electronic) means
Requirements for Electronic voting
- Voting with the help of machinery
- Electronic voting must be as similar as possible to regular voting, compliant with election legislation and principles, and be at least as secure as traditional voting
Examples of Electronic Voting
- Offline voting
  - machine readable (create, read) ballot
  - vote counting systems
- Online voting
  - telephone voting
  - Direct Recording Electronic (DRE)
  - Internet voting
Security requirements
- Voter authorisation: only authorised voters may vote
- Vote privacy: the individual voter-vote relationship is private
- Voting integrity: the system must at least be able to detect tampering
- Verifiable: anyone can verify the whole process discreetly
Conflicts in security requirements
- Voter authorisation: only authorised voters may vote, and not revealing any individual strategy
- Vote privacy: the individual voter-vote relationship is private, and computing/counting the vote
- Voting integrity: the system must at least be able to detect tampering, and not revealing the owner of the vote
- Verifiable: anyone can verify the whole process discreetly, and still protecting the “voter - vote” relationship (the voter should not be able to prove his vote to others)
“Voter – Vote” relationship
[Figure labels: Authorised voter; Vote secrecy; voter_id, vote; voter_id, Confidential (vote); Confidential (voter_id), vote]
Cryptographic primitives Involved [1]
[Figure labels: Zero knowledge, Homomorphic Encryption, Mix net, Blind Signature, Threshold Cryptography; voter, ballot, vote, ballot box, teller, registration authority, monitor, news / bulletin board]
Cryptographic primitives [2]
- Zero Knowledge: vote verification
- Homomorphic Encryption: hide individual vote
- Threshold Cryptography: distribution of trust
- Blind signatures: voter authorisation, pseudonym
- Mixed Network: physical layer secrecy
Zero Knowledge Proofs
[Figure: Prover A and Verifier. Verifier: "Who are you?" Authentication Request from A: "I am A, and this is the proof"]
A proof is called a Zero Knowledge proof if: the prover reveals no secrets (whatever) to the verifier!
Zero Knowledge [2]
Fiat – Shamir Proof of Identity Protocol (1986)
$m = p_1 p_2$: RSA-type modulus; $p_1, p_2$ are secrets which nobody should know
$y_a = x_a^2$ in $Z_m$ (mod $m$); $x_a$ = secret key of A
Prover A to Verifier: "I am user A", $S$, where $S = r^2$ and $r$ is a unit in $Z_m^*$
Verifier to Prover A: $b$, where $b$ is random, $b = 1$ or $0$
Prover A to Verifier: $t$, where $t = r \cdot x_a^b$
Verifier: if $t^2 = S \cdot y_a^b$ then A is authentic
Probability of a successful attack after k trials = $2^{-k}$
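The rounds on this slide, as an added example (not part of the lecture): an honest prover passes every round, while a party without $x_a$ can only fit $S$ to a guessed challenge, which gives the $2^{-k}$ bound. The primes, the key `X_A` and all function names are constructed for illustration.

```python
import secrets
from math import gcd

# Constructed toy parameters; a real modulus m is thousands of bits long.
P1, P2 = 1009, 1013        # secret primes p1, p2
M = P1 * P2                # public RSA-type modulus m
X_A = 4321                 # secret key x_a of prover A (constructed)
Y_A = pow(X_A, 2, M)       # y_a = x_a^2 mod m

def random_unit(m):
    """Return a random unit of Z*_m."""
    while True:
        r = secrets.randbelow(m - 2) + 2
        if gcd(r, m) == 1:
            return r

def respond(r, x_a, b, m):
    """Prover: answer challenge b with t = r * x_a^b."""
    return (r * pow(x_a, b, m)) % m

def verify(S, t, b, y_a, m):
    """Verifier: the round is accepted iff t^2 = S * y_a^b."""
    return pow(t, 2, m) == (S * pow(y_a, b, m)) % m

def guess_commit(guess, y_a, m):
    """Party without x_a: fix t first, then fit S to a guessed challenge."""
    t = random_unit(m)
    S = (pow(t, 2, m) * pow(pow(y_a, guess, m), -1, m)) % m
    return S, t

def honest_run(k):
    """k rounds with the real key; every round must be accepted."""
    for _ in range(k):
        r = random_unit(M)
        S, b = pow(r, 2, M), secrets.randbelow(2)
        if not verify(S, respond(r, X_A, b, M), b, Y_A, M):
            return False
    return True

def guesser_pass_rate(k, trials=4000):
    """Fraction of k-round runs passed by guessing b; about 2^-k."""
    passed = 0
    for _ in range(trials):
        ok = True
        for _ in range(k):
            S, t = guess_commit(secrets.randbelow(2), Y_A, M)
            ok = ok and verify(S, t, secrets.randbelow(2), Y_A, M)
        passed += ok
    return passed / trials
```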
Zero Knowledge [3]
Omura Proof of Identity Protocol (1986)
$\alpha$ is a primitive element in GF(p); $y_a$ is the public key of A, $\alpha^{X_a} = y_a$
Verifier to Prover A: "Who are you?", $R$, where $k$ is random and $R = \alpha^k$
Prover A to Verifier: "I am A", $R^{X_a}$, where $R^{X_a} = \alpha^{k \cdot X_a}$
Verifier: check $R^{X_a} = y_a^k = \alpha^{k \cdot X_a}$
It is not a Zero Knowledge proof if the verifier cheats
Homomorphic Encryption
An encryption function E(M) is said to be homomorphic if: $E(M_1)\,E(M_2) = E(M_1 + M_2)$
Two candidates example, for v voters: [Figure labels: 1; Sum > v/2; Sum < v/2]
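Homomorphic Encryption [2]
ElGamal Crypto-System (1985)
$\alpha$ primitive element in GF(p); teller secret key $x$, $y = \alpha^x$
Voter: $Z = y^R = \alpha^{x \cdot R}$, $C = M \cdot \alpha^{x \cdot R}$; sends $C$ and $\alpha^R$ to the teller
Teller: $Z^{-1} = (\alpha^R)^{-x}$; multiplying $C$ by $Z^{-1}$ gives $M$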
Homomorphic Encryption: ElGamal Crypto-System Setup (1985)
Teller: $\alpha$ primitive element in GF(p); teller secret key = $x$, public key $y = \alpha^x$
n voters; voter $i$ computes $M_i = \alpha^{v_i}$, $Z_i = y^{R_i} = \alpha^{x \cdot R_i}$, $h_i = \alpha^{R_i}$, $C_i = M_i Z_i$ and sends $(C_i, h_i)$
Product of the ballots $(C_1, h_1), \dots, (C_i, h_i), \dots, (C_n, h_n)$:
$(C_1 C_2 \cdots C_n,\ h_1 h_2 \cdots h_n) = (M_1 \cdots M_n \cdot Z_1 \cdots Z_n,\ h_1 \cdots h_n) = (\alpha^{v_1 + \dots + v_n} \cdot \alpha^{x(R_1 + \dots + R_n)},\ \alpha^{R_1 + \dots + R_n})$
This is an encryption of $\alpha^{V_s} = \alpha^{v_1 + v_2 + \dots + v_n}$
Problem: getting the sum of the votes $V_s$. Solution: search for the discrete log, as $V_s$ is not cryptographically huge!
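The tally on this slide, carried through as an added example (not part of the lecture): ballots are multiplied component-wise without any key, the teller decrypts only the product, and $V_s$ is found by a bounded search. The group (p = 2579, α = 2) and all function names are constructed for illustration.

```python
import secrets

P, ALPHA = 2579, 2     # constructed toy group: 2 is primitive in GF(2579)

def keygen():
    x = secrets.randbelow(P - 2) + 1          # teller secret key x
    return x, pow(ALPHA, x, P)                # (x, y = alpha^x)

def cast(vote, y):
    """Voter i: M_i = alpha^v_i, C_i = M_i * y^R_i, h_i = alpha^R_i."""
    R = secrets.randbelow(P - 2) + 1
    return (pow(ALPHA, vote, P) * pow(y, R, P)) % P, pow(ALPHA, R, P)

def combine(ballots):
    """Anyone: multiply the ballots component-wise; no key is needed."""
    C = h = 1
    for c_i, h_i in ballots:
        C, h = (C * c_i) % P, (h * h_i) % P
    return C, h

def tally(C, h, x, n_voters):
    """Teller: strip Z = h^x, then search the small discrete log V_s."""
    m = (C * pow(pow(h, x, P), -1, P)) % P    # alpha^(v_1 + ... + v_n)
    acc = 1
    for v_s in range(n_voters + 1):
        if acc == m:
            return v_s
        acc = (acc * ALPHA) % P
    raise ValueError("sum is outside 0..n: at least one ballot is invalid")

def run_election(votes):
    """Encrypt 0/1 votes, combine them, decrypt only the aggregate."""
    x, y = keygen()
    ballots = [cast(v, y) for v in votes]
    return tally(*combine(ballots), x, len(votes))
```

The bounded search only notices a sum outside 0..n; checking that each individual ballot encrypts 0 or 1 is the job of the zero-knowledge vote verification listed among the primitives.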
Threshold Cryptography
- Decryption requires a number of parties exceeding a threshold to cooperate in the decryption protocol
- Encryption uses a public key
- The private key is shared among the participating parties
(t,n) Threshold scheme
- Divide private key K into n mapped shares $s_1, s_2, \dots, s_n$
- Any t or more pieces $s_i$ make K easy to compute
- Any t-1 or fewer $s_i$ leave K completely undetermined
Threshold Cryptography [2]
Shamir’s Threshold scheme
A polynomial y = f(x) of degree (t-1) can only be uniquely defined by at least t points $(x_i, y_i)$ with distinct $x_i$.
[Figure: curve $y = ax^2 + bx + c$ with points $(x_i, y_i)$; axes x, y]
2 points or fewer cannot determine the curve
Any three points can determine the curve
Blind Signature
The content of the message is disguised (blinded) before it is signed.
[Figure labels: User A, User B, M, B]
Blind Signature Cryptographic scheme
Authority: public key $e$ (open directory); private key $d$, $d \cdot e = 1 \bmod \varphi(m)$
All arithmetic modulo $m$, $m = p\,q$ (RSA modulus)
User A: blinding factor $r$, raised to $r^e$; $B = M \cdot r^e$
User B (private key $d$): $B^d = M^d \cdot r$
User A: multiplies by $r^{-1}$: $M^d = x$
Signed message: the bank does not know the signed contents!
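The blinding flow on this slide as an added example (not part of the lecture), including a check that any blinded value B is consistent with every other message, which is why the signer learns nothing from it. The key, the sample messages and the function names are constructed; textbook RSA is used to match the slide, whereas a deployed scheme signs a padded hash of the token.

```python
import secrets
from math import gcd

# Constructed toy RSA key for the signing authority (two Mersenne primes).
P, Q = 2**31 - 1, 2**61 - 1
M_MOD = P * Q                            # RSA modulus m = p q
E = 65537                                # public key e (open directory)
D = pow(E, -1, (P - 1) * (Q - 1))        # private key d, d*e = 1 mod phi(m)

def random_unit():
    """Blinding factor r: a random unit modulo m."""
    while True:
        r = secrets.randbelow(M_MOD - 2) + 2
        if gcd(r, M_MOD) == 1:
            return r

def blind(msg, r):
    """User A: B = M * r^e."""
    return (msg * pow(r, E, M_MOD)) % M_MOD

def sign(blinded):
    """Signer: B^d = M^d * r; only B is visible to the signer."""
    return pow(blinded, D, M_MOD)

def unblind(signed_blinded, r):
    """User A: multiply by r^-1 to obtain x = M^d."""
    return (signed_blinded * pow(r, -1, M_MOD)) % M_MOD

def verify(msg, sig):
    """Anyone: check x^e = M with the public key."""
    return pow(sig, E, M_MOD) == msg % M_MOD

def blinding_for(blinded, other_msg):
    """Return the r' under which `blinded` would hide other_msg instead.
    d is used only to exhibit r'; that r' exists is what hides M."""
    return pow(blinded * pow(other_msg, -1, M_MOD) % M_MOD, D, M_MOD)

def issue_token(msg):
    """Full flow: blind, sign, unblind."""
    r = random_unit()
    return unblind(sign(blind(msg, r)), r)
```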
Mix net (David Chaum)
- A multiparty computation and communication protocol
- A large number of input messages get shuffled into a random order
- Every party becomes confident that a shuffling was performed
- No party has any idea what the shuffle-permutation was
Mix net [2]
Decryption & Shuffling
[Figure: Server; encrypted votes C1, C2, C3; plain votes M1, M2, M3, shown in the order M2, M3, M1]
Mix net [3]
Encryption
t servers $S_j(PK_j, SK_j)$
$M_i$ is encrypted with $PK_t$: $E(PK_t, M_i)$
then with $PK_{t-1}$: $E(PK_{t-1}, E(PK_t, M_i))$
and so on up to $PK_1$:
$C_{i,0} = E(PK_1, E(PK_2, (\dots, E(PK_t, M_i) \dots)))$
Mix net [4]
Decryption
[Figure: server $S_j(PK_j, SK_j)$ with $C_{i,j-1}$ and $C_{i,j}$]
Mix net [5]
Permutation
[Figure: server $S_j(PK_j, SK_j)$]
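Mix net [6] full system
[Figure: servers $S_1$, $S_j : (PK_j, SK_j)$, $S_t$; values $C_{0,0}$, $C_{i,0}$, $C_{n,0}$, $C_{\dots,j-1}$, $C_{\dots,j}$, $C_{\dots,t}$]
$C_{i,0} = E(PK_1, E(PK_2, \dots E(PK_t, M_i) \dots))$
$C_{i,t} = M_i$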
Current situation
- Traditional voting
- Direct Recording Electronic (DRE)
- Research into electronic voting schemes
- Early usage of electronic voting
- Internet voting trial
Current research concentration
- Voter registration and pre-voting
- Vote collection
- Vote tabulation
- Post-election auditing
- Threat mitigation
- Usability
- Accessibility
Some current research
- Punch scan system – David Chaum – http://punchscan.org
- Cryptographic paper ballots: Prêt à voter - Peter Ryan of Newcastle University, Scratch&Vote – Ben Adida, Ronald Rivest of MIT
- Voter verification without employing cryptography: Three Ballots System – Ronald Rivest of MIT
- Voting protocol based on Farnel protocol – TU Darmstadt, Trindade University
- Divisible Voting Scheme: each voter casts multivotes - Natsuki Ishida, Shin’ichiro Matsuo and Wakaha Ogata
Evoting reference sites
- Verified Voting Foundation http://www.verifiedvotingfoundation.org
- Accurate http://accurate-voting.org
- Caltech/MIT voting technology project http://www.votingtechnologyproject.org
- International Association for Cryptologic Research http://www.iacr.org
- USENIX – The Advanced Computing Systems Association http://www.usenix.org
Issues
- Complexities in current e-voting schemes
- Security drawbacks on existing schemes
- How secure is secure enough
- Applicability, ease of use, voter education
- Trust
Things to do
- Identify requirements for electronic voting
- Analyse existing schemes
- Improve current protocol designs
- Voting system validation
- Prototype and testing of the design
Conclusion
- Voting plays an important role in society
- Trends move toward electronic voting
- Importance of security
- Applying cryptography to electronic voting
- Need of a secure and trustable voting scheme
Annex
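Homomorphic Encryption [4]
Paillier Crypto-System (1999)
Public key: $(k, \alpha)$; private key: $(\lambda, \mu)$
$k = p \cdot q$, where $p, q$ are primes; $\alpha$ is an element from $Z^*_{k^2}$
$\lambda = \mathrm{lcm}(p-1, q-1)$; $\mu = (L(\alpha^{\lambda} \bmod k^2))^{-1} \pmod{k}$
$L(u) = (u-1)/k$ for $u \equiv 1 \pmod{k}$; $\varphi(k^2) = k\,\varphi(k)$
Voter: $m$ is the vote; choose $x$ from $Z_k^*$; $C = \alpha^m \cdot x^k \pmod{k^2}$
Teller: $m = L(C^{\lambda} \bmod k^2) \cdot \mu \pmod{k}$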
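Homomorphic Encryption [5]
Paillier Crypto-System (1999)
Public key: $(k, \alpha)$; private key: $(\lambda, \mu)$
Each voter $i$ sends $E(m_i) = \alpha^{m_i} \cdot x_i^k$, i.e. $E(m_1) = \alpha^{m_1} x_1^k$, ..., $E(m_n) = \alpha^{m_n} x_n^k$
$E(m_1) \cdots E(m_i) \cdots E(m_n) = \alpha^{m_1} x_1^k \cdots \alpha^{m_i} x_i^k \cdots \alpha^{m_n} x_n^k = \alpha^{m_1 + \dots + m_i + \dots + m_n} (x_1 \cdots x_i \cdots x_n)^k = E(m_1 + \dots + m_i + \dots + m_n)$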