
1 Receipt-freedom in voting
Pieter van Ede

2 Important properties of voting
• Authority: only authorized persons can vote
• One vote
• Secrecy: nobody may know who voted for which candidate
• Correctness
• Verifiability
• Coercion-free: unable to bribe or threaten people to vote for a particular candidate
• Show up checks, usability

3 Receipt-freedom
• Focus of this talk is coercion protection
• Imagine a threatened or bribed Alice
• We want to prevent Alice from getting a proof of her vote.
• Called receipt-freedom

4 Rise of electronic voting
• Government wants cheaper voting
• Also less dependence on honesty of a small number of election officials
• Electronic voting works efficiently

5 Fall of electronic voting
• No paper trail, so no recounting (Verifiability)
• No public verifying of voting software
• If verified, is THIS machine correct? (Correctness)
• Is what is printed the same as recorded?
• In the Netherlands, electronic voting is discontinued

6 Change of mind
• Do not rely on correctness of machine
• Rely on cryptographic correctness

7 First idea: paper ballots
Idea:
• Choose candidate on machine
• Machine prints out ballot
• Voter verifies and puts in box
Advantages:
• User can simply check for correctness
• No dependence on programmers or machine integrity

8 First idea: paper ballots (2)
Drawbacks:
• Still counting of paper (could be done automatically)
• Transportation of paper ballots
• Not much use for cryptography
• No coercion freedom: villain demands photograph

9 Ongoing research
Many cryptographic protocols proposed:
• Mixing: scrambles large batches of votes
• Blind signatures: require safe publishing channel
• Homomorphic: sum results and decrypt with secure computing
Many not receipt-free

10 Second idea
• Give user receipt
• Use commitment protocol
Commitment protocol:
1. User has secret A.
2. User commits to A by computing y = C(A). There is no A' ≠ A such that C(A) = C(A'), and y does not reveal A.
3. User opens y to prove it was a commitment to A.

11 Second idea (2)
• Receipt-free universally verifiable voting protocol with everlasting privacy.
• By Tal Moran and Moni Naor (Weizmann Institute of Science, Rehovot, Israel)
• Based on other protocols, in particular Neff's voting scheme

12 Properties of Moran-Naor
• Everlasting privacy, but not in efficient version (Secrecy)
• Universally verifiable: everybody interested can verify result (Verifiability)
• Safe on a voting machine running malicious code.
• Receipt-freedom

13 Assumptions of Moran-Naor
• One-way untappable channel
• Achieved by requiring a booth
• Voter must easily verify machine

14 Voter perspective
• Dharma goes to vote
• Authorizes with election officials
• Enters the booth

15 Voter perspective
• Finds a screen, keyboard and ATM-style printer
• Votes for Betty

16 Voter perspective
• Dharma is asked to type random words next to other candidates

17 Voter perspective
• Printer prints out 2 lines, the commitment to Betty.
• Dharma must verify that 2 lines were printed.
• She does not see what was printed, important for next phase.

18 Voter perspective
• Dharma is asked to input random words next to Betty. This is a challenge, later used in the verifiability; therefore she must not know the commitment statement.

19 Voter perspective
• If all good, press OK.
• Otherwise, cancel and printout is still worthless.
• Prints out voter and candidates with random words.

20 Voter perspective
• Dharma chooses OK, machine prints CERTIFIED RECEIPT.
• Now there is no way back.
• Receipt also posted on bulletin board.
• At home, check if receipt is correct on bulletin board.

21 Receipt-freedom of Moran-Naor
• Coercer Trudy cannot see in what order the challenges were given.
• She might however reverse engineer the commitment.
• Impossible because of commitment scheme

22 Pedersen commitment scheme
• Moran-Naor use Pedersen commitments in the efficient scheme
• Based on the hardness of discrete logarithm

23 Pedersen commitment scheme (2)
Computations in $\mathbb{Z}_q$
1. Machine commits to secret A.
2. Computes $y = P(A, r)$ ($r$ is random)
3. $P(A, r) = h^{H(A)} g^{r}$ ($h$, $g$ of order $q$; $H$ collision-free hash function)
4. Verifies that y is a commitment of A, by sending (A, r). Only done in the context of a zero-knowledge proof for verifiable counting, so this is safe.
Due to the random r, the commitment never shows secret A to Trudy.

24 Pedersen commitment scheme (3)
• No A' and r' so that P(A', r') = y, because that implies (exponents A, A' stand for H(A), H(A')):
• $h^{A'} g^{r'} = h^{A} g^{r}$
• $h^{A' - A} = g^{r - r'}$
• $\frac{r - r'}{A' - A} = \log_g h$
• But we assumed discrete logarithms were hard, so infeasible to do.
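The commitment of slides 23 and 24 as a runnable sketch (an added example, not part of the presentation). The toy group p, q, g, the known trapdoor X and all function names are assumptions made for illustration; X is known here only to show that every candidate can open the same y (hiding) and that any second opening gives away log_g h (the argument of slide 24).

```python
import hashlib
import secrets

# Constructed toy group, far too small for real use: p = 2q + 1, both prime.
P, Q = 2039, 1019
G = 4                  # a square mod p, so it generates the order-q subgroup
X = 123                # log_g h, known here only for the demonstration;
H_GEN = pow(G, X, P)   # in a real setup nobody may know X.


def hash_to_zq(candidate):
    """H of slide 23 (SHA-256 reduced mod the toy q, so NOT collision-free here)."""
    return int.from_bytes(hashlib.sha256(candidate.encode()).digest(), "big") % Q


def commit(candidate, r=None):
    """Slide 23: y = h^H(A) * g^r mod p. Returns (y, r)."""
    r = secrets.randbelow(Q) if r is None else r
    y = pow(H_GEN, hash_to_zq(candidate), P) * pow(G, r, P) % P
    return y, r


def opens(y, candidate, r):
    """Step 4: the opening (A, r) is accepted iff it recomputes y."""
    return commit(candidate, r)[0] == y


def opening_for(committed, r, other):
    """Hiding: for ANY other candidate some r' opens the same y, so y alone
    says nothing about A. Computing r' needs the trapdoor X = log_g h."""
    return (r + X * (hash_to_zq(committed) - hash_to_zq(other))) % Q


def recover_log(committed, r, other, r2):
    """Slide 24: two openings of one y give (r - r')/(A' - A) = log_g h.
    Returns None if both messages hash to the same value (nothing learned)."""
    diff = (hash_to_zq(other) - hash_to_zq(committed)) % Q
    if diff == 0:
        return None
    return (r - r2) * pow(diff, -1, Q) % Q


if __name__ == "__main__":
    y, r = commit("Betty")
    for name in ["Carol", "Dave", "Erin"]:        # constructed candidate names
        r2 = opening_for("Betty", r, name)
        print(name, opens(y, name, r2), recover_log("Betty", r, name, r2))
```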

25 One step further: Cybervote
• Project of European Commission
• Vote via mobile phone or internet
• All cryptography for nothing:
  • Pressure from father
  • Or friends at bar
• Could be fixed by allowing changing of votes, but does that work after a night at the bar?

26 Conclusion
Advantages:
• Receipt-freedom
• Many other nice properties of voting satisfied
• Feasible
Disadvantages:
• Users must trust mathematicians
• Coercion by bluffing about commitment
• Still a lot more work than paper voting
• Difficult for visually disabled
• Difficult for older people to use bulletin

