Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)

Slides:



Advertisements
Similar presentations
Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
Advertisements

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
1 e-voting (requirements & protocols) 1) Aggelos Kiayias, Moti Yung: Self-tallying Elections and Perfect Ballot Secrecy 2) Jens Groth: Efficient Maximal.
Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.
Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.
Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)
A Pairing-Based Blind Signature
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.
1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Electronic Voting Presented by Ben Riva Based on presentations and papers of: Schoenmakers, Benaloh, Fiat, Adida, Reynolds, Ryan and Chaum.
Civitas Verifiability and Coercion Resistance for Remote Voting Virginia Tech NCR September 14, 2012 Michael Clarkson George Washington University with.
Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.
7. Asymmetric encryption-
Reusable Anonymous Return Channels
Jens Groth BRICS, University of Aarhus Cryptomathic
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
10/25/20061 Threshold Paillier Encryption Web Service A Master’s Project Proposal by Brett Wilson.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Paillier Threshold Encryption WebService by Brett Wilson.
Receipt-freeness and coercion-resistance: formal definitions and fault attacks Stéphanie Delaune / Steve Kremer / Mark D. Ryan.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.
0x1A Great Papers in Computer Security
Introduction to Public Key Cryptography
1 CIS 5371 Cryptography 8. Asymmetric encryption-.
Civitas Toward a Secure Voting System AFRL Information Management Workshop October 22, 2010 Michael Clarkson Cornell University.
Cryptographic Voting Protocols: A Systems Perspective By Chris Karlof, Naveen Sastry, and David Wagner University of California, Berkely Proceedings of.
KYUSHUUNIVERSITYKYUSHUUNIVERSITY SAKURAILABORATORYSAKURAILABORATORY Sakurai Lab. Kyushu University Dr-course HER, Yong-Sork E-voting VS. E-auction.
Lecture 3.2: Public Key Cryptography II CS 436/636/736 Spring 2014 Nitesh Saxena.
Cryptography Lecture 8 Stefan Dziembowski
Optimistic Mixing for Exit-Polls Philippe Golle, Stanford Sheng Zhong, Yale Dan Boneh, Stanford Markus Jakobsson, RSA Labs Ari Juels, RSA Labs.
Cryptographic Voting Systems (Ben Adida) Jimin Park Carleton University COMP 4109 Seminar 15 February 2011.
Masked Ballot Voting for Receipt-Free Online Elections Sam Heinith, David Humphrey, and Maggie Watkins.
6. Esoteric Protocols secure elections and multi-party computation Kim Hyoung-Shick.
Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena.
Cryptography Lecture 9 Stefan Dziembowski
Research & development Towards Practical Coercion-Resistant Electronic Elections Jacques Traoré France Télécom / Orange Labs SecVote 2010 Bertinoro - Italy.
Coercion-Resistant Remote Voting Michael Clarkson Cornell University Coin (ca. 63 B.C.) commemorating introduction of secret ballot in 137 B.C. SecVote.
SANDRA GUASCH CASTELLÓ PHD EVOTING WORKSHOP LUXEMBOURG, 15-16/10/2012 SUPERVISOR: PAZ MORILLO BOSCH Verifiable Mixnets.
A remote voting system based on Prêt à Voter coded by David Lundin Johannes Clos.
The Paillier Cryptosystem
Privacy and Anonymity Using Mix Networks* Slides borrowed from Philippe Golle, Markus Jacobson.
多媒體網路安全實驗室 Anonymous ID Signature Scheme with Provable Identity Date: Reporter :Chien-Wen Huang 出處: 2008 Second International Conference on Future.
A Brief Introduction to Mix Networks Ari Juels RSA Laboratories © 2001, RSA Security Inc.
Almost Entirely Correct Mixing With Applications to Voting Philippe Golle Dan Boneh Stanford University.
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
ICICS2002, Singapore 1 A Group Signature Scheme Committing the Group Toru Nakanishi, Masayuki Tao, and Yuji Sugiyama Dept. of Communication Network Engineering.
Usable Security Lab Crypto Lab Efficiency Comparison of Various Approaches in E-Voting Protocols Oksana Kulyk, Melanie Volkamer.
Cryptography and Network Security Chapter 13
Recipt-free Voting Through Distributed Blinding
ThreeBallot, VAV, and Twin
Some slides borrowed from Philippe Golle, Markus Jacobson
Presentation transcript:

research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle) France Télécom Orange Labs R&D Third Franco-Japanese Computer Security Workshop – 13 March 2008 LORIA, Nancy

Orange Labs - Research & Development 2 Electronic Voting Methods Remote Electronic Voting (on-line voting) Supervised voting (off-line voting) How to guarantee the "What You see is What You Vote For?

Orange Labs - Research & Development 3 Eligibility: only legitimate voters can vote, and only once Universal verifiability: All voters can verify that the final tally is correct The votes they cast are included Only authorized votes are counted No votes are changed during tallying Privacy: no adversary can learn any more about votes than is revealed by the final tally Anonymity: hide map from voter to vote Receipt-freeness: prohibit proof of vote Coercion-freeness: adaptative Some desired properties of e-voting systems Voters cannot prove whether or how they voted, even if they can interact with the adversary while voting. Stronger

Orange Labs - Research & Development 4 Previous work [Juels-Catalano-Jakobsson 2005] Basic ingredients: Voter employs anonymous credential obtained during the registration phase We don’t know who voted (at time of voting) or what was voted Valid credentials are required for vote to count Voter can make "fake credentials" and vote multiple times A coercer cannot tell whether a credential is correct or not Attacker cannot tell whether a vote is valid or not Basic idea: To mislead a coercer, the voter sends invalid ballot(s) as long as he is coerced, and a valid ballot as soon as he is not coerced It suffices that the voter finds a window-time during which he is not coerced Drawbacks N the number of voters, V the number of votes (V ≧ N) Quadratic overhead: tallying is in O(V 2 ) Denial of service attack…

Orange Labs - Research & Development 5 Building Blocks ElGamal Cryptosystem Designated verifier signature scheme: derived from "Boneh-Boyen-Sacham” or "Camenisch-Lysanskaya" signature schemes (Crypto’04) El Gamal cryptosystem: G a group of prime order p, g a generator of G the secret key is x, the public key is h = g x, Encryption of m is c = (g r, h r m), Decryption of c is (g r ) -x (h r m) Basic Tools

Orange Labs - Research & Development 6 El Gamal cryptosystem Decryption (private key) can easily be distributed No need to trust a single entity Encryption is homomorphic Multiplicative, or additive with a variant: E h (m)* E h (m') = E h (m*m') E h (m)* E h (m') = E h (m*m') E h (m) k = E h (m k ) Computing on encrypted data is easy Comparing the plaintexts of two ciphertexts (without decrypting them) is easy: Plaintext Equivalence Test (PET): PET(E h (m1), E h (m2) = 1 if m1 = m2 and 0 otherwise Re-encryption is easy : mix-nets can be efficiently implemented For simulating an "anonymous channel" For simulating "ballot shuffle" C = (g r, h r.m) can be transformed on a new ciphertext C' of m without knowing m and/or the secret key : C' = (g r+r', h r+r'.m)

Orange Labs - Research & Development 7 Setup: Generators g 0, g, h of a cyclic group G of order p where DDH is hard Public key of the signer: PK = g 0 y, Secret key of the signer: SK = y Signature of a message x: Choose a random value r Compute A = (g h x ) 1/(y+r) Signature of x = (A, r) Designated Verification: Prove that Log A (A -r gh x ) = Log g 0 (PK ) using a Designated Verifier Proof ( Jakobsson-Sako – Impagliazzo) Only the (designated) verifier can be convinced by this proof Designated verifier signature scheme A y = A -r gh x (1) A y+r g -1 h -x = 1 (2) Deciding whether a pair (A, r) is a valid signature on a message x is equivalent to the DDH problem  Based on "Boneh-Boyen-Sacham's group signature scheme (Crypto 2004)

Orange Labs - Research & Development 8 Cast of Characters Receive their credential during the registration phase Issue credentials in a distributed manner during the registration phase. They share a secret key of our DVS. R is the corresponding public key Manage the tallying process. They share an El Gamal secret key. T is the corresponding public key Voters Talliers Registration Authorities Coercer Try to verify whether the coerced voter as voted as prescribed

Orange Labs - Research & Development 9 Security model Registration: Attacker cannot interfere with registration process Before voting: Attacker can provide keying or other material to voter (even entire ballot) During vote: Votes may be posted anonymously (for strongest security) or semi-anonymously (for weaker guarantees) Bulletin board is universally accessible At all times: Attacker has access to all public information, i.e., encrypted and decrypted ballots May corrupt all but one of each type of election authority May coerce voters, demanding any secrets or behavior, remotely or physically May control network Assumption. Voters trust their voting client.

Orange Labs - Research & Development 10 Setup: Generators g 0,g,h,m of a cyclic group G of order p (DDH problem is hard) Registration authority: PK=g 0 y,SK= y Talliers: share y and an ElGamal secret key Registration Credential: (A, r, x) x and r are randomly chosen by R A is computed as follows by R: A = (g h x ) 1/(y+r) A credential is valid iff the voter knows two values x and r such that: A γ+r =g h x (which is equivalent to A y+r g -1 h -x = 1) Fake credential: (A, r, x’) Set-up

Orange Labs - Research & Development 11 Registration Registration Authorities (A, r, x)  The registration authorities generate in a distributed manner a DVS signature (A, r) of a random value x and prove using a DVP to Mr Smith that the signature is valid  Mr Smith's credential is (A, r, x). He can send a fake credential (A, r, x') to the coercer Coercer Mr Smith (A, r, x') Is it a valid credential?

Orange Labs - Research & Development 12 A passive coercer can't check if a credential is valid or not under the DDH assumption A coercer can't forge valid credentials under the q-SDH assumption q-SDH: given g, g x, …, g (x q ), find a pair (c, s) such that s x+c = g An active coercer can't check if a credential is valid or not (under the SDDHI assumption) Basic Facts about these credentials

Orange Labs - Research & Development 13 Ballot (E T [vote], E T [A], E T [A r ], E T [h x ], F=m x, P) P is a NIZKP of validity, that is : E T (vote) is an encryption of a valid vote Voter knows the plaintext related to E T (A) Voter knows the "discrete logarithm" of E T [A r ] in the base E T [A] Voter knows the plaintext related to E T [h x ] as well as the discrete logarithm x of this plaintext in the base h. Voter knows the discrete logarithm of F in the base m and that this discrete logarithm is equal to x Anatomy of a ballot Credential : A tuple (A, r, x) such that A y+r g -1 h -x = 1

Orange Labs - Research & Development 14 Voting  Anatomy of a ballot: ( E T (vote), E T (A), E T (A r ) E T (h x ), m x, Proof) Bulletin Board 1  Vote under coercion Mr Smith  Revote E T (Gore), E T (A), E T (A r ) E T (h x ), m x, Proof2 E T (Bush), E T (A), E T (A r ) E T (h x' ), m x', Proof1 Bulletin Board 1

Orange Labs - Research & Development 15 Tallying phase Bulletin Board 1 E T (Bush), E T (A), E T (A r ) E T (h x' ), m x', Proof 1 E T (Bush), E T (B), E T (B s ) E T (h y ), m y, Proof 2 E T (Bush), E T (C), E T (C t ) E T (h z ), m z, Proof 3 E T (Gore), E T (B), E T (B s ) E T (h y ), m y, Proof 4 E T (Bush), E T (D), E T (D u ) E T (h v ), m w, Proof 5 E T (Gore), E T (A), E T (A r ) E T (h x ), m x, Proof 6 Step 1: Discard ballots with invalid proofs Tallier 1 Tallier 2

Orange Labs - Research & Development 16 Tallying phase Bulletin Board 2 E T (Bush), E T (A), E T (A r ) E T (h x' ), m x' E T (Bush), E T (B), E T (B s ) E T (h y ), m y E T (Bush), E T (C), E T (C t ) E T (h z ), m z E T (Gore), E T (B), E T (B s ) E T (h y ), m y E T (Gore), E T (A), E T (A r ) E T (h x ), m x Step 2: Elimination of duplicates: the ballots that have the same fourth component Tallier 1 Tallier 2 Keep the last one for example

Orange Labs - Research & Development 17 Tallying phase Step 3: Mixing the ballots Tallier 1 Tallier 2 Bulletin Board 3 E T (Bush), E T (A), E T (A r ) E T (h x' ) E T (Bush), E T (C), E T (C t ) E T (h z ) E T (Gore), E T (B), E T (B s ) E T (h y ) E T (Gore), E T (A), E T (A r ) E T (h x ) Mix Net Bulletin Board 4 E' T (Gore), E' T (A), E' T (A r ), E' T (h x ) E' T (Gore), E' T (B), E' T (B s ), E' T (h y ) E' T (Bush), E' T (C), E' T (C t ), E' T (h z ) E' T (Bush), E' T (A), E' T (A r ), E' T (h x' ) Reencrypt and permute each row

Orange Labs - Research & Development 18 Tallying phase Step 4: Checking credentials … E‘(©) … Authority 1 Authority 2 1.The authorities compute C=E' T [A y+r g -1 h -x ] from E' T [A], E' T [A r ], E' T [h x ] and SK = y 2.Test whether C is an encryption of 1 1.Power C to a fresh random number 'f' and jointly decrypt C f. 2.D[C f ] =1 ? Yes = valid / No = invalid and discard ballots Bulletin Board 4 E' T (Gore), E' T (A), E' T (A r ), E' T (h x ) E' T (Gore), E' T (B), E' T (B s ), E' T (h y ) E' T (Bush), E' T (C), E' T (C t ), E' T (h z ) E' T (Bush), E' T (A), E' T (A r ), E' T (h x' )

Orange Labs - Research & Development 19 Tallying phase Step 5: Decrypt valid votes … E‘(©) … Results Gore Bush Distributed Decryption Bulletin Board 4 E' T (Gore) E' T (Bush) Tallier 1 Tallier 2

Orange Labs - Research & Development 20 Security Voter cannot sell or prove vote Attacker cannot tell a false credential from a real one No randomization or forced abstention Randomization: Voter can use fake credential to post false ballot… and later vote for real Forced abstention: Voter can vote using an anonymous channel Resistance to shoulder-surfing Voter can vote multiple times Weeding policy provides for re-vote E.g., last vote might count (needs extra phase) Our scheme satisfies the coercion-freeness property under the q-SDH and SDDHI assumptions

Orange Labs - Research & Development 21 Conclusion The JCJ scheme is promising, but not efficient We design a practical (with linear work factor), publicly verifiable and coercion- resistant voting scheme for remote elections Not just practical, but essential for Internet voting! Open problem: how to remove the assumption related to the voter's computer?