Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Realistic Secure Anonymous E-voting Protocol Based on ElGamal Scheme

Published byEdith Strickland Modified over 6 years ago

Similar presentations

Presentation on theme: "A Realistic Secure Anonymous E-voting Protocol Based on ElGamal Scheme"— Presentation transcript:

1 A Realistic Secure Anonymous E-voting Protocol Based on ElGamal Scheme
1 A Realistic Secure Anonymous E-voting Protocol Based on ElGamal Scheme 詹進科     國立中興大學 資訊科學系所 ICBN’03 Bangalore, India May 5-7, 2003

2 Introduction 2 System requirements Our E-voting scheme
Initialization Phase Authentication Phase Voting Phase Announcement Phase Analysis Conclusions

3 3 System requirements Accuracy: All valid votes are counted correctly. A voter’s vote can not be altered, duplicated, or removed. Fairness: Only eligible voters are permitted to vote, and they can vote at most once. Verifiability: Voters can make sure that their votes are counted correctly. Privacy: There is no way to derive the link between voter’s identity and the marked ballot, the voter remains anonymous. Mobility: A system is mobile if there are no restrictions on the location from which voters can cast their ballots. Practicability:An e-voting system must be practical in that it must be easy to implement and the security is trusted .

4 Preview of Our Scheme 4 1 Signature on vi
Verify vi and record inf. for announcing Personal certificate Announce m with secret keys Voter’s Id Secret sharing on marked ballot m

5 5 Issues Traditional election Our E-voting protocol
5 Issues Traditional election Our E-voting protocol Role Electoral authority and Voters Voters, Certificate Authority, Authentication Center, Public Proxy Servers, Tally Center and Supervision Center Web sites et al. Location Polling place (fixed location) Home (flexible location, by network) Ballot issuing way On voting day, issue by electoral authority Voter can download blank ballot from network and processing digital signature Authentication Authenticate voter by voter’s identification card Authenticate someone by digital signature Announce phase party Electoral authority TC and SC by secret sharing method Anonymous mechanism Voter should not make any token on ballot With public proxy servers to forward ballot through SSL (extend David Chaum’s mixer concept) and pseudonym mechanism. Table 1 the difference between traditional election and our E-voting protocol

6 Preview of Our Scheme(Notations)
6 Preview of Our Scheme(Notations) : the secret key of X. : the public key of X. : the voter-pseudonym for voter i. : marked ballot. : encrypted ballot. : two large prime numbers , where : blind factors ;  : the ElGamal signature of ,

7 Preview of Our Scheme(Notations)
7 Preview of Our Scheme(Notations) : the random number. : a part of ballot which is hold by TC for revealing a half part of m . : a part of ballot which is hold by SC for revealing the other part of m . : a secret sharing parameter that is held by TC . : another secret sharing parameter which is held by SC .

8 8 Initialization Phase Step 1: Initially, there are a large prime number p, a prime factor q of (p-1), and a primitive number g (mod p) which are known to all users in our scheme. Step 2 : The AC, TC, and SC will choose their secret keys , and from numbers in the range [1, q-1] and compute the corresponding public keys respectively.

9 Initialization Phase(continue)
9 Initialization Phase(continue) step 3: Before the election, each voter should be enrolled in a register of electors and be issued a “personal certificate” from the CA to be embedded in the voter’s browser software. This “personal certificate” can be used for a number of elections.

10 Some Backgrounds Authentication phase 10 ri si
1.Voter use “personal certificate” to login the web site of AC to request for “voter-pseudonym signature” on vi ri si

11 11 Voting phase TC and SC can verify the pseudonym and the pair of signature ( )

12 12 Announcement phase

13 13 Analysis  Fairness Issues :Only a voter whose legal “personal certificate” has been embedded into his web browser can pass the AC website verification and login. Each voter has only one chance to ask the AC for a “voter-pseudonym signature” for the next voting phase.  Privacy Issues: Anonymity in the Authentication phase: The “voter-pseudonym signature” is signed by the AC blindly. (2) Anonymity in the voting phase :We involve “public proxy server”. The network address of the ballot can be replaced by a proxy address. (3) Anonymity in the Announcement phase: Only with the cooperation of the TC and SC, each ballot can be decrypted. It is not necessary to allow voters verify (or show to bribers) their votes

14 14 Analysis  Accuracy Issues:The ballot counting is under the supervision of the SC and TC. A ballot miscount cannot occur in our scheme.  Verifiability Issues: We involve the secret sharing mechanism in our scheme to be sure all of the votes can be counted correctly.  Mobility Issues : Our scheme can easily be implemented by connecting personal computers to those web sites, allowing voters to vote from anywhere.  Practicability Issues : The time complexity for the required processing is acceptable in our scheme. The design is suitable for implementation on the Internet.

15 15 Conclusions Integrate reality and cryptology , such as the kinds of “certificate authority” and “public proxy server” are integrated in our scheme to solve the problem of identification and anonymity over the Internet. Solve the fairness, privacy, accuracy, verifiability, mobility and practicability problems, and use secret sharing method to ensure the announcement phase will not occur on the misconduct. With the SSL channel, and the trusted server( to issue a digital certificate), the electoral authority can process a secure election efficiently.

16 Public-key Cryptosystem
RSA Each user B has two keys ( eB ,nB ) 及 ( dB , nB ) M M C A B D(C)=CdB mod nB = M C = E(M) = MeB mod nB Proposed by Rivest, Shamir and Adleman in 1978

17 Observations constraints
1. To any plaintext M; let gcd(M, n) = 1, here n=p*q; p &q are primes. 2. How to obtain e & d ? select any integer e such that gcd(e, (n))=1, and compute another integer d such that e*d mod (n) = 1 , here (n) =(p-1)*(q-1). 3. Public e & n , and keep d & (n) secret. 4. To find p & q from n = p*q is hard; if n is a 200-digit integer, and with a computer of 1 MIPS, to reveal p and q from n should cost 106 years. 1. nB = p . q {≈ 200 digits} 2. gcd( eB , (p-1)(q-1)) = 1 3. 0 < M < nB 4. eB . dB  1 (mod (p-1)(q-1)) constraints

18 Digital Signature with RSA
1. For authenticity. 2. In RSA, we may sign any document with sender’s private key. Alice Bob Alice : C = (MdA mod nA)eB mod nB Bob : M = (CdB mod nB)eA mod nA Signarture Encryption

19 ElGamal's Digital Signature
大質數 P, mod P 之原根g , 簽署者 B 任選之整數(私鑰) x , 1<x<P-1 B 算出之公鑰 y = g x mod P {用原根g 以免被解 離散對數} 系統已知 簽署作業 [ 此法之簽體(即明文 M)不能似 RSA簽章法之可直接還原] 對明文M, 1MP-1, B選一整數 k, gcd(k, P-1) = 1, B 計算簽署文 (r, s)滿足 : r = g k mod P, s = k -1 (M - x r) mod P-1(或 M = x r + k s mod P-1). B 將 (r, s)送給 A. 驗證 驗證者 A verifies 下式是否為真 ? g M = yr r s mod P  gM = gx r g k s = yr r s mod P

20 Nyberg-Rueppel Signature
系統已知 Let P be a large prime number, Q be a prime factor of P-1, and G be a primitive element to mod P.{ all these three are known to public}, Now, the signer holds SK[1, Q-1] as secret key and PK=GSK mod P as public key , plaintext M [1, P-1] and a random number r [1, Q-1] . 簽署作業 SG1 = M * G r mod P SG2 = SK * SG1 + r mod Q 任何人可用下列方式驗證送方身份並且可 recover message M : M  G -SG2 * PK SG1 * SG1 mod P  G -SK*SG1 -r * G SK * SG1 * M * G r mod P  M * G -SK*SG1 -r + SK * SG1 +r mod P 驗證 ? 1994年 Carmenisch, Piveteau & Stadler(CPS) 利用上述精神提出一盲簽章法

21 D. Chaum (1982) Blind Signature 系統參數: signer 之 public key (e, n), private key d, p, q (n=p*q). 簽署程序: A 請 B 簽署一份信息M,然 B 不被告知 M 之內容 (1) A 任選一亂數 r(即 blinding factor), 1< r < n, 且計算 t = M * r e mod n , 給B. (2) B 簽署 t, 即  = td = (M* r e) d mod n, 給A. (3) A 計算(unblind)出 M 之簽章為: s =  * r -1 = td * r -1 = M d (mod n).

22 CPS blind-signature 任何人可以下述驗證
系統參數: signer holds SK[1, Q-1] as secret key and PK=GSK mod P as public key , and a random number r [1, Q-1] . signer requester 1 K = G r mod P, r[1, Q-1] 任選兩亂數(盲因子) ,  [1, Q-1] 算 SG1 = M * G * K mod P C = SG1 *  -1 mod Q 2 SGC = C * SK + r mod Q 3 算 SG2 = SGC *  +  mod Q (4) 任何人可以下述驗證 (5) ? M  G -SG2 * PK SG1 * SG1 mod P = (G -SGC *  - ) * (GSK * SG1) * (M * G * K ) mod P = (G -(C *SK + r)*  - ) * (GSK * SG1) * (M * G * G r *  ) mod P = (G -SG1*SK -r *  - ) * (GSK * SG1) * (M * G * G r *  ) mod P = M * G -SG1*SK -r *  -  +SG1*SK +r *  +  mod P.

23 Cryptographic primitives
The blind signature scheme based on DLP (1994 CPS) System parameters: a prime p, a prime factor q of p-1, and an element of order q, the signer’s private key ,public key is To sign a message , we do as follows: Requestor Signer We can verify **The pair (r, s) is a ElGamal signature of the message m

24 Cryptographic primitives
b. Extension of the ElGamal(secret sharing) System parameters: a prime p, a primitive number g (mod p), A’s and B’s private keys are , public keys are To encrypt a message M, we do as following: Encryption procedure 1. two numbers a and b are randomly chosen by w A 2. A and B compute respectively B Decryption procedure

25 Thank you for your patience
Professor Jinn-Ke Jan Institute of Computer Science, National Chung Hsing University, Taichung, Taiwan, ROC.

Download ppt "A Realistic Secure Anonymous E-voting Protocol Based on ElGamal Scheme"

Similar presentations

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.

Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.
A Pairing-Based Blind Signature

A Pairing-Based Blind Signature
Asymmetric-Key Cryptography

Asymmetric-Key Cryptography
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Digital Signatures and applications Math 7290CryptographySu07.

Digital Signatures and applications Math 7290CryptographySu07.
Announcements:Questions? This week: Digital signatures, DSA Digital signatures, DSA Secret sharing Secret sharing DTTF/NB479: DszquphsbqizDay 29.

Announcements:Questions? This week: Digital signatures, DSA Digital signatures, DSA Secret sharing Secret sharing DTTF/NB479: DszquphsbqizDay 29.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Introduction to Signcryption November 22, 2004. 22/11/2004 Signcryption Public Key (PK) Cryptography Discovering Public Key (PK) cryptography has made.

Introduction to Signcryption November 22, /11/2004 Signcryption Public Key (PK) Cryptography Discovering Public Key (PK) cryptography has made.
1 CPSC156: The Internet Co-Evolution of Technology and Society Lectures 19,20, and 21: April 5, 10, and 12, 2007 Cryptographic Primitives.

1 CPSC156: The Internet Co-Evolution of Technology and Society Lectures 19,20, and 21: April 5, 10, and 12, 2007 Cryptographic Primitives.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
20-763 ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 6 Epayment Security II.

ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.
Announcements:Questions? This week: Digital signatures, DSA Digital signatures, DSA DTTF/NB479: DszquphsbqizDay 29.

Announcements:Questions? This week: Digital signatures, DSA Digital signatures, DSA DTTF/NB479: DszquphsbqizDay 29.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.5 Public Key Algorithms.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.5 Public Key Algorithms.
Computer Science Public Key Management Lecture 5.

Computer Science Public Key Management Lecture 5.
Introduction to Public Key Cryptography

Introduction to Public Key Cryptography
Public Key Model 8. Cryptography part 2.

Public Key Model 8. Cryptography part 2.
 Introduction  Requirements for RSA  Ingredients for RSA  RSA Algorithm  RSA Example  Problems on RSA.

 Introduction  Requirements for RSA  Ingredients for RSA  RSA Algorithm  RSA Example  Problems on RSA.
Digital Signatures (DSs) The digital signatures cannot be separated from the message and attached to another The signature is not only tied to signer but.

Digital Signatures (DSs) The digital signatures cannot be separated from the message and attached to another The signature is not only tied to signer but.
1 Fluency with Information Technology Lawrence Snyder Chapter 17 Privacy & Digital Security Encryption.

1 Fluency with Information Technology Lawrence Snyder Chapter 17 Privacy & Digital Security Encryption.

Similar presentations

Ads by Google