research & development Towards Practical Coercion-Resistant Electronic Elections Jacques Traoré France Télécom / Orange Labs SecVote 2010 Bertinoro - Italy Saturday 4 September 2010

Orange Labs - Research & Development 2 Outline 1.Introduction 2.JCJ scheme – a review 3.Improving JCJ: 4. Client/Server trade-offs in universally verifiable elections 5. Conclusion

Orange Labs - Research & Development 3 1 Introduction

Orange Labs - Research & Development 4 Electronic Voting Methods Remote Electronic Voting (on-line voting) Supervised voting (off-line voting)

Orange Labs - Research & Development 5 Eligibility: only legitimate voters can vote, and only once Universal verifiability: All voters can verify that the final tally is correct The votes they cast are included Only authorized votes are counted No votes are changed during tallying Privacy: no adversary can learn any more about votes than is revealed by the final tally (Perfect) Anonymity: hide map from voter to vote Receipt-freeness: prohibit proof of vote Coercion-resistance: adaptative Some desired properties of e-voting systems Voters cannot prove whether or how they voted, even if they can interact with the adversary while voting. Stronger

Orange Labs - Research & Development 6 Incompatible Properties Under usual assumptions we cannot achieve*: Universal Verifiability and Perfect Anonymity simultaneously, unless all registered voters actually vote Universal Verifiability and Receipt-Freeness unless private channels are available between the voters and/or the voting authorities) * On Some Incompatible Properties of Voting Schemes, Benoît Chevallier-Mames, Pierre-Alain Fouque, David Pointcheval, Julien Stern, Jacques Traoré, Workshop On Trustworthy Elections 2006.

Orange Labs - Research & Development 7 2 JCJ – a brief review

Orange Labs - Research & Development 8 JCJ scheme* – a review Basic ingredients: Voter employs anonymous credential obtained during the registration phase Valid credentials are required for vote to count Voter can make "fake credentials" and vote multiple times We don’t know who voted (at time of voting) or what was voted A coercer cannot tell whether a credential is correct or not Attacker cannot tell whether a vote is valid or not Basic idea: To mislead a coercer, the voter sends invalid ballot(s) as long as he is coerced, and a valid ballot as soon as he is not coerced It suffices that the voter finds a window-time during which he is not coerced * Juels-Catalano-Jakobsson - WPES 2005

Orange Labs - Research & Development 9 Security model Registration: Attacker cannot interfere with registration process Before voting: Attacker can provide keying or other material to voter (even entire ballot) During vote: Votes may be posted anonymously (for strongest security) or semi-anonymously (for weaker guarantees) Bulletin board is universally accessible At all times: Attacker has access to all public information, i.e., encrypted and decrypted ballots Assumption. Voters trust their voting client.

Orange Labs - Research & Development 10 Building Blocks El Gamal cryptosystem (They need in fact a variant of El Gamal for their security proof: Jarecki and Lysyanskaya, Eurocrypt 2000) El Gamal cryptosystem: G a group of prime order p, g a generator of G the secret key is x, the public key is h = g x, Encryption of m is c = (g r, h r m), Decryption of c is (g r ) -x (h r m) Basic Tools

Orange Labs - Research & Development 11 El Gamal cryptosystem Decryption (private key) can easily be distributed No need to trust a single entity Encryption is homomorphic Multiplicative, or additive with a variant: E h (m)* E h (m') = E h (m*m') E h (m)* E h (m') = E h (m*m') E h (m) k = E h (m k ) Computing on encrypted data is easy Comparing the plaintexts of two ciphertexts (without decrypting them) is easy: Threshold Plaintext Equivalence Test (PET): PET(E h (m1), E h (m2) = 1 if m1 = m2 and 0 otherwise Re-encryption is easy : mix-nets can be efficiently implemented For simulating an "anonymous channel" For simulating "ballot shuffle" C = (g r, h r.m) can be transformed on a new ciphertext C' of m without knowing m and/or the secret key : C' = (g r+r', h r+r'.m)

Orange Labs - Research & Development 12 Cast of Characters Receive their credential during the registration phase Issue credentials in a distributed manner during the registration phase. They share an El Gamal secret key. R is the corresponding public key Manage the tallying process. They share an El Gamal secret key. T is the corresponding public key Voters Talliers Registration Authorities Coercer Try to verify whether the coerced voter voted as prescribed

Orange Labs - Research & Development 13 Registration Registration Authorities CSCS  The authorities generate a random value C S  Mr Smith's credential is C S. He can send a fake credential FakeC S to the coercer E R (C S ) Coercer FakeC S Mr Smith Credential List 1 Mr Baker : E R (C B ) Mr Durand : E R (C D ) Mr Traoré : E R (C T ) Mr Smith : E R (C S )

Orange Labs - Research & Development 14 Voting  Anatomy of a ballot: ( E T (vote), E R (Credential), NIZKPs) Bulletin Board 1 E T (Gore), E R (C S ), NIZKPs  Vote under coercion Mr Smith  Revote E T (Bush), E R (FakeC S ), NIZKPs Bulletin Board 1

Orange Labs - Research & Development 15 Tallying Ballot Bulletin Board 1 E T (Bush), E R (FakeC B ), NIZKP E T (Gore), E R (C D ), NIZKP E T (Bush), E R (FakeC S ), NIZKP E T (Gore), E R (C S ), NIZKP E T (Gore), E R (C J ), NIZKP E T (Bush), E R (C K ), NIZKP E T (Bush), E R (C E ), NIZKP. E T (Bush), E R (C J ), NIZKP Ballots with invalid NIZKP are discarded Step 1: Check NIZKPs Tallier 1 Tallier 2

Orange Labs - Research & Development 16 Tallying Ballot Bulletin Board 2 E T (Bush), E R (FakeC B ) E T (Gore), E R (C D ) E T (Bush), E R (FakeC S ) E T (Gore), E R (C S ) E T (Gore), E R (C J ) E T (Bush), E R (C E ). E T (Bush), E R (C J ) Keep the last one for example Step 2: Elimination of duplicates using PET Authority 1 Authority 2

Orange Labs - Research & Development 17 Tallying Ballot Step 3: Mixing the ballots Bulletin Board 4 E T (Bush), E R (C J ) E T (Bush), E R (FakeC B ) E T (Gore), E R (C S ) E T (Gore), E R (C D ) E T (Bush), E R (C E ). E T (Bush), E R (FakeC S ) Mix Net … E‘(©) … Tallier 1 Tallier 2 Bulletin Board 3 E T (Bush), E R (FakeC B ) E T (Gore), E R (C D ) E T (Bush), E R (FakeC S ) E T (Gore), E R (C S ) E T (Bush), E R (C E ). E T (Bush), E R (C J )

Orange Labs - Research & Development 18 Tallying Ballot Step 4: Mixing the list of valid credentials Tallier 1 Tallier 2 … E‘(©) … Mix Net Credential List 1 Mr Baker : E R (C B ) Mr Durand : E R (C D ) Mr Traore : E R (C T ) Mr Smith : E R (C S ) Credential List 2 E R (C D ) E R (C S ) E R (C B ) E R (C T )

Orange Labs - Research & Development 19 Tallying Ballot Step 5: Checking credentials using PET … E‘(©) … Credential List 2 E R (C D ) E R (C S ) E R (C B ) E R (C T ) PET Bulletin Board 4 E T (Bush), E R (C J ) E T (Bush), E R (FakeC B ) E T (Gore), E R (C S ) E T (Gore), E R (C D ) E T (Bush), E R (C E ). E T (Bush), E R (FakeC S ) Authority 1 Authority 2

Orange Labs - Research & Development 20 Tallying Ballot Step 6: Decrypt valid votes … E‘(©) … Results Bush Gore Bush Authority 1 Authority 2 Distributed Decryption Bulletin Board 5 E T (Bush) E T (Gore) E T (Bush)

Orange Labs - Research & Development 21 Drawbacks quadratic overhead N the number of voters, V the number of votes (V ≧ N) O(V 2 ) tests for duplicates O(N 2 ) matching tests Civitas: Towards a secure voting system (IEEE Symposium on Security and Privacy 2008) It took five hours to tabulate (only) 500 votes. Denial of service attack / Flooding Attack Other proposals either have been broken or do not really satisfy the coercion-resistance property Acquisti, 2004 Smith, FEE'05 Schweisgut, E-voting 2006 Meng, ICSNC 2007

Orange Labs - Research & Development 22 3 Improving JCJ « Clarkson, Chong, and Myers [16] have devised and implemented a refined protocol in a system called Civitas, and achieved good scalability by partitioning the population of voters. It is certainly conceivable that there exists a provably secure, coercion-resistant electronic voting scheme with lower complexity— perhaps even linear. Constructing one remains an open problem ». Ari, Juels, Dario Catalano and Markus Jakobsson, Coercion- Resistant Elections, Towards Trustworthy Elections, LNCS 6000, 2010.

Orange Labs - Research & Development 23 Building Blocks Homomorphic Cryptosystem Plaintext Equivalence Test Mix Net Designated Verifier Signature Scheme Basic Tools

Orange Labs - Research & Development 24 Setup: Generators g 0, g, h of a cyclic group G of order p where DDH is hard Public key of the signer: PK = g 0 y, Secret key of the signer: SK = y "Signature" on a random message x: Choose a random value r Compute A = (g h x ) 1/(y+r) "Signature" on x = (A, r) along with a proof that Log A (A -r gh x ) = Log g 0 (PK ) Designated Verification: Prove that Log A (A -r gh x ) = Log g 0 (PK ) using a Designated Verifier Proof ( Jakobsson-Sako – Impagliazzo) Only the (designated) verifier can be convinced by this proof Designated verifier signature scheme A y = A -r gh x (1) A y+r g -1 h -x = 1 (2) Deciding whether a pair (A, r) is a valid signature on a message x is equivalent to the DDH problem  Based on "Boneh-Boyen-Sacham's group signature scheme (Crypto 2004)

Orange Labs - Research & Development 25 Designated Verifier Proof Designated verifier proof Only convinces the designated verifier Does not convince any other party Prove either the equality of the Discrete logarithms or the knowledge of the private key of the designated verifier or private key of the designated verifier Equality of the Discrete Logarithms

Orange Labs - Research & Development 26 Cast of Characters Receive their credential during the registration phase Issue credentials in a distributed manner during the registration phase. They share a secret key of our DVS. R is the corresponding public key Manage the tallying process. They share an El Gamal secret key. T is the corresponding public key Voters Talliers Registration Authorities Coercer Try to verify whether the coerced voter has voted as prescribed

Orange Labs - Research & Development 27 Setup: Generators g 0,g,h,m of a cyclic group G of order p (DDH problem is hard) Registration authority: PK=g 0 y,SK= y Talliers: share y and an ElGamal secret key Registration Credential: (A, r, x) x and r are randomly chosen by R A is computed as follows by R: A = (g h x ) 1/(y+r) A credential is valid iff the voter knows two values x and r such that: A γ+r =g h x (which is equivalent to A y+r g -1 h -x = 1) Fake credential: (A, r, x’) Set-up

Orange Labs - Research & Development 28 Registration Registration Authorities (A, r, x)  The registration authorities generate in a distributed manner* a signature (A, r) on a random value x and prove to Mr Smith using a DVP that the signature is valid  Mr Smith's credential is (A, r, x). He can send a fake credential (A, r, x') to the coercer Coercer Mr Smith (A, r, x') Is it a valid credential? * Wang, Zhang and Feng, Indocrypt 2005

Orange Labs - Research & Development 29 A passive coercer can't check if a credential is valid or not under the DDH assumption : given g, g a, g b, g c decide whether c = ab mod p or not. A coercer can't forge valid credentials under the q-SDH assumption q-SDH: given g, g x, …, g (x q ), find a pair (c, A) such that A x+c = g An active coercer can't check if a credential is valid or not (under the Strong DDH Inversion (SDDHI) assumption) Basic Facts about these credentials * The SDDHI assumption holds in generic groups

Orange Labs - Research & Development 30 Ballot (E T [vote], E T [A], E T [A r ], E T [h x ], F=m x, P) P is a NIZKP of validity, that is : E T (vote) is an encryption of a valid vote Voter knows the plaintext related to E T (A) Voter knows the "discrete logarithm" of E T [A r ] in the base E T [A] Voter knows the plaintext related to E T [h x ] as well as the discrete logarithm x of this plaintext in the base h. Voter knows the discrete logarithm of F in the base m and that this discrete logarithm is equal to x Anatomy of a ballot Credential : A tuple (A, r, x) such that A y+r g -1 h -x = 1

Orange Labs - Research & Development 31 Voting  Anatomy of a ballot: ( E T (vote), E T (A), E T (A r ) E T (h x ), m x, Proof) Bulletin Board 1  Vote under coercion Mr Smith  Revote E T (Gore), E T (A), E T (A r ) E T (h x ), m x, Proof2 E T (Bush), E T (A), E T (A r ) E T (h x' ), m x', Proof1 Bulletin Board 1

Orange Labs - Research & Development 32 Tallying phase Bulletin Board 1 E T (Bush), E T (A), E T (A r ) E T (h x' ), m x', Proof 1 E T (Bush), E T (B), E T (B s ) E T (h y ), m y, Proof 2 E T (Bush), E T (C), E T (C t ) E T (h z ), m z, Proof 3 E T (Gore), E T (B), E T (B s ) E T (h y ), m y, Proof 4 E T (Bush), E T (D), E T (D u ) E T (h v ), m w, Proof 5 E T (Gore), E T (A), E T (A r ) E T (h x ), m x, Proof 6 Step 1: Discard ballots with invalid proofs Tallier 1 Tallier 2

Orange Labs - Research & Development 33 Tallying phase Bulletin Board 2 E T (Bush), E T (A), E T (A r ) E T (h x' ), m x' E T (Bush), E T (B), E T (B s ) E T (h y ), m y E T (Bush), E T (C), E T (C t ) E T (h z ), m z E T (Gore), E T (B), E T (B s ) E T (h y ), m y E T (Gore), E T (A), E T (A r ) E T (h x ), m x Step 2: Elimination of duplicates: the ballots that have the same fifth component Tallier 1 Tallier 2 Keep the last one for example

Orange Labs - Research & Development 34 Tallying phase Step 3: Mixing the ballots Tallier 1 Tallier 2 Bulletin Board 3 E T (Bush), E T (A), E T (A r ) E T (h x' ) E T (Bush), E T (C), E T (C t ) E T (h z ) E T (Gore), E T (B), E T (B s ) E T (h y ) E T (Gore), E T (A), E T (A r ) E T (h x ) Mix Net Bulletin Board 4 E' T (Gore), E' T (A), E' T (A r ), E' T (h x ) E' T (Gore), E' T (B), E' T (B s ), E' T (h y ) E' T (Bush), E' T (C), E' T (C t ), E' T (h z ) E' T (Bush), E' T (A), E' T (A r ), E' T (h x' ) Reencrypt and permute each row

Orange Labs - Research & Development 35 Tallying phase Step 4: Checking credentials … E‘(©) … Authority 1 Authority 2 1.The authorities compute C=E' T [A y+r g -1 h -x ] from E' T [A], E' T [A r ], E' T [h x ] and SK = y 2.Test whether C is an encryption of 1 1.Power C to a fresh random number 'f' and jointly decrypt C f. 2.D[C f ] =1 ? Yes = valid / No = invalid and discard ballots Bulletin Board 4 E' T (Gore), E' T (A), E' T (A r ), E' T (h x ) E' T (Gore), E' T (B), E' T (B s ), E' T (h y ) E' T (Bush), E' T (C), E' T (C t ), E' T (h z ) E' T (Bush), E' T (A), E' T (A r ), E' T (h x' )

Orange Labs - Research & Development 36 Tallying phase Step 5: Decrypt valid votes … E‘(©) … Results Gore Bush Distributed Decryption Bulletin Board 4 E' T (Gore) E' T (Bush) Tallier 1 Tallier 2

Orange Labs - Research & Development 37 Security at a glance Voter cannot sell or prove vote Attacker cannot tell a false credential from a real one No randomization or forced abstention Randomization: Voter can use fake credential to post false ballot… and later vote for real Forced abstention: Voter can vote using an anonymous channel Resistance to shoulder-surfing Voter can vote multiple times Weeding policy provides for re-vote E.g., last vote might count (needs extra phase)

Orange Labs - Research & Development 38 Computational Definition of Coercion-Resistance (1) The credentials are given to the voters A sets coercive target If b = 0 the coerced voter cast a ballot for  and gives a fake credential to A If b = 1 the coerced voter gives her valid credential to A and does not cast a ballot A guesses coin flip

Orange Labs - Research & Development 39 Computational Definition of Coercion-Resistance (2) The credentials are given to the voters A sets coercive target the coerced voter evades coercion A' guesses coin flip but it's only input is the final tally

Orange Labs - Research & Development 40 Computational Definition of Coercion-Resistance (3) Intuitively, this definition means that in a real protocol execution, A learns nothing more than the election tally Our protocol satisfies the coercion-resistant requirement (in the random oracle model) under the q-SDH and SDDHI assumptions

Orange Labs - Research & Development 41 Computational Definition of Verifiability Our protocol satisfies the verifiability requirement (in the random oracle model) under the q-SDH assumption should be negligible

Orange Labs - Research & Development 42 4 Client/Server trade-offs in UV elections

Orange Labs - Research & Development 43 Client/Server trade-offs in universally verifiable elections Setup : Generators g 0,g,h,m of a cyclic group G of order p (DDH problem is hard) Registration authority: PK=g 0 y,SK= y Talliers: share y and an ElGamal secret key Encoding of votes for L candidate s: candidate 1 → 1, candidate 2 → 2,..., candidate L → L.

Orange Labs - Research & Development 44 Generation of the ballots Ballot for the candidate j: ( A, r, x) Where x = j and r is randomly chosen by R A is computed as follows by R: A = (g h x ) 1/(y+r) The ballot is valid iff : A γ+r =g h x (which is equivalent to A y+r g -1 h -x = 1)

Orange Labs - Research & Development 45 A vote for candidate j: (E[A], E[A r ], E[h x ], P) where x = j P is a NIZKP of validity, that is : E(vote) is an encryption of a valid vote Voter knows the plaintext related to E(A) Voter knows the "discrete logarithm" of E[A r ] in the base E[A] Voter knows the plaintext related to E[h x ] as well as the discrete logarithm x of this plaintext in the base h. Voting

Orange Labs - Research & Development 46 Tallying Ballot Bulletin Board 1 E T (A), E T (A r ) E T (h x ), Proof 1 E T (A), E T (A r ) E T (h x ), Proof 2 E T (C), E T (C t ) E T (h z ), Proof 3 E T (D), E T (D u ) E T (h w ), Proof 4 Step 1: Discard ballots with invalid proofs Tallier 1 Tallier 2

Orange Labs - Research & Development 47 Tallying Ballot Step 4: Checking valid ballots … E‘(©) … Authority 1 Authority 2 1.The authorities compute C=E[A y+r g -1 h -x ] from E[A], E[A r ], E[h x ] and SK = y 2.Test whether C is an encryption of 1 1.Power C to a fresh random number 'f' and jointly decrypt C f. 2.D[C f ] =1 ? Yes = valid / No = invalid and discard ballots Bulletin Board 2 E T (A), E T (A r ) E T (h x ) E T (C), E T (C t ) E T (h z ) E T (D), E T (D u ) E T (h w )

Orange Labs - Research & Development 48 Tallying Ballot Step 6: decrypt and compute the result … E‘(©) … Bulletin Board 3 E T (h x ) E T (h w ) Tallier 1 Tallier 2

Orange Labs - Research & Development 49 5 Conclusion

Orange Labs - Research & Development 50 Conclusion JCJ and Civitas are promising, but unfortunately not really practical We design a practical (with linear work factor), publicly verifiable and coercion- resistant voting scheme for remote elections Not just practical, but essential for Internet voting! What about Perfect anonymity? Usability issues: would average people be able to memorize 10 alphanumeric characters? How to remove the assumption related to the voter's computer? Details: Araujo, Foulle, Traoré, Towards Trustworthy Elections 2010 and Araujo, Ben Rajeb, Robbana, Traoré, Youssfi, CANS 2010.