Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Security Research Centre MCS Workshop, Melbourne Electronic Voting and Receipt-freeness Byoungcheon Lee 1,2, Colin Boyd 1, Ed Dawson 1 1 Information.

Published byLesly Toney Modified over 10 years ago

Similar presentations

Presentation on theme: "Information Security Research Centre MCS Workshop, Melbourne Electronic Voting and Receipt-freeness Byoungcheon Lee 1,2, Colin Boyd 1, Ed Dawson 1 1 Information."— Presentation transcript:

1 Information Security Research Centre MCS Workshop, Melbourne Electronic Voting and Receipt-freeness Byoungcheon Lee 1,2, Colin Boyd 1, Ed Dawson 1 1 Information Security Research Centre, QUT 2 Joongbu University, Korea ARC Grant No: LX0346868

2 Information Security Research Centre 2 MCS Workshop, Melbourne Contents 1. Introduction to electronic voting Classification Electoral systems Security requirements Approaches to electronic voting 2. Three main approaches Blind signature based schemes Homomorphic encryption based schemes Mixnet based schemes

3 Information Security Research Centre 3 MCS Workshop, Melbourne Contents 3. Receipt-free voting protocols Receipt-freeness Hirt-Sako scheme [HS00] In Homomorphic encryption based voting [LK02] In mixnet based voting [Lee et.al. 03] 4. Real world Votopia – 2002 Worldcup voting project, ICU, Korea VoteHere – Seattle based active voting company 5. Conclusion

4 Information Security Research Centre MCS Workshop, Melbourne 1. Introduction to Electronic Voting

5 Information Security Research Centre 5 MCS Workshop, Melbourne Electronic Voting Implement real world voting (election) by electronic means (using computer and network) Internet Shopping Multimedia MobileNetwork University Banking Library Electronic voting User

6 Information Security Research Centre 6 MCS Workshop, Melbourne Why Electronic Voting? Advantages Convenience for voters Efficiency of management, counting Provide alternative choice for voters rather than traditional paper-based voting Electronic voting can solve the problem of decreasing participation rate in voting Younger generation prefers electronic means

7 Information Security Research Centre 7 MCS Workshop, Melbourne Classification of e-voting Computer voting (kiosk, electronic voting booth) Electronic voting using computer in voting booth Convenient user interface Efficient management and tally But, just half way to electronic voting Internet voting Electronic voting using computers connected to the Internet Can participate in voting in any place over the Internet Proceeding to mobile voting

8 Information Security Research Centre 8 MCS Workshop, Melbourne Electoral Systems 1. Plurality systems (First-Past-The-Post) Winner is who received the most votes regardless of majority requirement UK, Canada, USA Single non-transferable vote : Japan Block vote, Limited vote : Britain Approval voting : USA 2. Majoritorian systems Winner is required to receive more than half Second ballot Preferential voting (Alternative voting) in Australia

9 Information Security Research Centre 9 MCS Workshop, Melbourne Security Requirements Privacy (confidentiality) Prevention of double voting Universal verifiability (correctness) Fairness Robustness Receipt-freeness (prevent vote buying, coercion) Efficiency, Mobility, Convenience, Flexibility

10 Information Security Research Centre 10 MCS Workshop, Melbourne Approaches to Electronic Voting Schemes using blind signature [Cha88], [FOO92], [OMAFO99] Efficient, but requires anonymous channel (frequently implemented using mixnet) Schemes using mixnet [PIK93], [SK95], [Abe98], [HS00], [FS01], [Neff01] Require huge computation for mixing Schemes using homomorphic encryption [Ben87], [SK94], [CGS97], [LK00], [Hirt01], [MBC01], [BFPPS01], [LK02] Huge proof size, restriction on message encoding Many researches on receipt-freeness

11 Information Security Research Centre MCS Workshop, Melbourne 2. Three Main Approaches 2.1 Based on blind signature 2.2 Based on homomorphic encryption 2.3 Based on mixnet

12 Information Security Research Centre 12 MCS Workshop, Melbourne 2.1 Based on Blind Signature Main idea Administrator issues valid ballots using blind signature (User authentication and vote secrecy) Use anonymous channel to hide the voter-vote relationship (mainly implemented with mixnet) Criticism Hard to assume anonymous channel If mixnet is used, blind signature is not necessary User chosen randomness in blinding can work as a receipt

13 Information Security Research Centre 13 MCS Workshop, Melbourne Overview Anonymous channel (3) counting (Threshold decryption) Administrator Voters Talliers BBS (1) Voter registration (encrypted ballot +blind signature) (2) Voting (encrypted ballot + signature) registration Blinding Unblinding

14 Information Security Research Centre 14 MCS Workshop, Melbourne Many Implementation Examples Sensus L.F. Cranor, Washington Univ. http://www.ccrc.wustl.edu/~lorracks/sensus FOO92 Assumption : anonymous channel, key distribution EVOX M.A. Herschberg, R.L. Rivest, MIT, http://theory.lcs.mit.edu/~cis/voting/voting.html FOO92 + Anonymizer Assumption : key distribution

15 Information Security Research Centre 15 MCS Workshop, Melbourne 2.2 Based on Homomorphic Encryption Main idea Tally the summed ballots with a single threshold decryption using the homomorphic property of encryption (keep the privacy of ballots) Each ballot should be valid (voter should provide the proof of validity of ballot) Relatively easy to design receipt-free voting schemes Criticism Message encoding is very restrictive Large amount of ZK proofs, overload in computation and communication

16 Information Security Research Centre 16 MCS Workshop, Melbourne Overview (2) Counting (Threshold decryption) Voters Talliers BBS (1) Voting Encrypted ballot Proof of validity Signature Sum up valid ballots

17 Information Security Research Centre 17 MCS Workshop, Melbourne 2.3 Based on Mixnet Main idea Voters take part in the voting in authentic way Encrypted ballots are shuffled using mixnet (anonymity) Multiple talliers open each ballot in a threshold manner (open only after mixing) Criticism Large amount of computation for mixing

18 Information Security Research Centre 18 MCS Workshop, Melbourne Overview (3) Opening (Threshold decryption) Voters Mixers BBS1 (2) Mixing (1) Voting Talliers BBS2 Encrypted Ballot Proof of correct Mixing

19 Information Security Research Centre MCS Workshop, Melbourne 3. Receipt-free Voting Protocols 3.1 Receipt-freeness 3.2 In Hirt-Sako scheme [HS00] 3.3 In Homomorphic encryption based voting [LK02] 3.4 In mixnet based voting [Lee et.al. 03]

20 Information Security Research Centre 20 MCS Workshop, Melbourne 3.1 Receipt-freeness Receipt-freeness [BT94] A unique security requirement of electronic voting Voter should not be able to construct a receipt Voter must keep his vote private Why is it important? Vote buying is a common experience in real political voting (threat, solicitation) Previous works Studies on receipt-freeness had been done mainly in homomorphic encryption based schemes

21 Information Security Research Centre 21 MCS Workshop, Melbourne How to Achieve Receipt-freeness? Using some kind of randomization service Voter has to lose his knowledge on randomness Designated-verifier re-encryption proofs Channel assumption is used One-way untappable channel from voter to authority [Oka97] One-way untappable channel from authority to voter [SK95, HS00] Two-way untappable channel between voter and authority (using voting booth) [BT94, LK00, Hirt01] Internal channel [MBC01, LK02, Lee03]

22 Information Security Research Centre 22 MCS Workshop, Melbourne Tamper Resistant Hardware Assumptions required for receipt- freeness Third party randomizer (trusted) Untappable channel (voting booth) Tamper resistant randomizer (TRR) can replace the role of “Third party randomizer + Untappable channel” Ultimate place to store user’s secret information

23 Information Security Research Centre 23 MCS Workshop, Melbourne Re-encryption (Randomization) VoterRandomizer (TRR) First ballot Final ballot DVRP (designated verifier re-encryption proof) through an untappable channel (Signed) Check DVRP

24 Information Security Research Centre 24 MCS Workshop, Melbourne Designated-verifier Re-encryption Proof Designated verifier proof Prove the knowledge of either the witness in question or the private key of the designated verifier Using the chameleon commitment scheme Convincing only the designated verifier Completely useless when transferred to other parties, since the verifier can open the proof in any way he likes or private key of the designated verifier witness in question

25 Information Security Research Centre 25 MCS Workshop, Melbourne 3.2 Receipt-freeness in [HS00] Hirt and Sako, “Efficient receipt-free voting based on homomorphic encryption”, Eurocrypt2000 Basic idea: “Mix-then-choose” approach Primitives 1-out-of-L re-encryption proof : authority proves publicly that she shuffles the ballots correctly Designated-verifier re-encryption proof : authority proves privately to voter that which encrypted ballot is which

26 Information Security Research Centre 26 MCS Workshop, Melbourne Receipt-freeness in [HS00] Re-encryption (randomization) Voter Casting 1-out-of-L re-encryption proof Designated-verifier re-encryption proof (personally verifiable how shuffling was performed, but this proofs cannot be transferred) Secure untappable channel

27 Information Security Research Centre 27 MCS Workshop, Melbourne 3.3 In Homomorphic Encryption Based Voting [LK02] Lee and Kim, “Receipt-free electronic voting scheme with a tamper-resistant randomizer”, ICISC2002 Basic Idea: Improved K-out-of-L voting scheme using Designated-verifier re-encryption proof (DVRP) Divertible proof of validity Divertible proof of difference Replace untappable channel and a third party randomizer by a tamper-resistant randomizer (TRR)

28 Information Security Research Centre 28 MCS Workshop, Melbourne Overview of Voting Protocol M Voters Admin(1) System set-up BBS Issue TRR (2) Registration TRR (3) Voting Ballot generation Ballot + Proof of validity N Talliers (4) Tallying (t,N) threshold decryption

29 Information Security Research Centre 29 MCS Workshop, Melbourne Voting Stage Encrypted first ballot Re-encrypted final ballot (signed) Designated-verifier re-encryption proof Divertible proof of validity (signed) Divertible proof of difference (signed) Voting (post signed messages) final ballot, proof of validity, proof of difference first signed by TRR and then signed by voter Voter TRRBBS Sign (approve)

30 Information Security Research Centre 30 MCS Workshop, Melbourne 3.4 In Mixnet-based Voting Lee, Boyd, Dawson, et. al., “Providing receipt- freeness in mixnet-based voting protocols”, ICISC2003 Incorporate receipt-freeness in mixnet-based electronic voting Designated-verified re-encryption proof (DVRP) Using a tamper resistant randomizer (TRR) Mixnet voting + Randomization by TRR 1. Voting (Randomization by TRR) 2. Mixing 3. Tally

31 Information Security Research Centre 31 MCS Workshop, Melbourne Mixnet Schemes Mixnet provides anonymity service Classification (based on mixing mechanism) Decryption mixnet Re-encryption mixnet Classification (based on correctness proof) Verifiable mixnet: [Abe99], [FS01], [Nef01], [Gro03] Optimistic mixnet: [Jak98], [Gol02] Mixer Inputs Outputs

32 Information Security Research Centre 32 MCS Workshop, Melbourne In Mixnet-based Voting l Voters (1) System set-up BBS Issue TRR (2) Registration TRR (3) Voting Ballot generation n Talliers (5) Tallying (t,N) threshold decryption BBS (4) Mixing m Mixers Overview

33 Information Security Research Centre 33 MCS Workshop, Melbourne (3) Voting stage Encrypted first ballot Re-encrypted final ballot (signed) DVRP first signed by TRR and then signed by voter Voter TRR BBS Double signed final ballot Check DVRP Internal channel

34 Information Security Research Centre MCS Workshop, Melbourne 4. Real World 4.1 Votopia http://mvp.worldcup2002.or.kr/ 4.2 VoteHere http://www.votehere.com

35 Information Security Research Centre 35 MCS Workshop, Melbourne Activities in the Real World International Projects Internet Voting Technology Alliance, http://www.ivta.org EU CyberVote, http://www.eucybervote.org Votopia, http://mvp.worldcup2002.or.kr/ Companies VoteHere.Net, http://www.votehere.net/ CyberVote.Com, http://www.cybervote.com/ SCYTL, http://www.scytl.com/ Campus-Vote, http://www.campus-vote.com/ Exnet, http://exnet.bizmag.co.kr Hwajinsoft, http://www.hwajinsoft.co.kr

36 Information Security Research Centre 36 MCS Workshop, Melbourne 4.1 Votopia Developed by ICU (Korea) and NTT (Japan) Blind signature based Internet voting system Anonymous channel by using mixnet Using Internet web browser Voting client is implemented by Java applet PKI based voter authentication Served for the selection of MVPs in 2002 FIFA Worldcup Korea/Japan http://mvp.worldcup2002.or.kr/

37 Information Security Research Centre 37 MCS Workshop, Melbourne Participants in the Project Internet Voting System for MVP of 2002 worldcup C&IS Lab. ICU NTT U. Tokyo Insol Soft STI KSIGN KISITI Project management Development of system Running the MVP voting Prototype Crypto library System Verification Hardware Resource PKI service Java crypto library User Interface DB management SECUi.COM Anti-Hacking

38 Information Security Research Centre 38 MCS Workshop, Melbourne Overall Configuration DB server Web servers Voters V3. Request Schnorr blind signature R1. After setting up secure session, download registration form Counter server Admin server V4. Receive Schnorr blind signature V6. Send encrypted ballot & admin’s digital signature R5. Save certificate R2. Send encrypted public key & registration information with session key CA server R3. Request certificate R4. Issue certificate V1. Download voting applet V2. Encrypt the ballot with counter’s public key in ElGamal encryption V5. Verify admin’s blind signature V7. Verify admin’s signature & decrypt ballot using counter’s private key V8/C1. Save all decrypted ballots C3. Receive the final result C2. Send query for tallying

39 Information Security Research Centre 39 MCS Workshop, Melbourne 4.2 VoteHere.net Seattle based active voting company http://www.votehere.net Many voting trials Alaska Republican Party vote in January 2000 e-voting pilots for California, Arizona, Washington, and Alaska Swindon, UK, the first e-voting public sector vote in the world, over 4,000 voters participated, May 2002

40 Information Security Research Centre 40 MCS Workshop, Melbourne Technologies Homomorphic encryption based techniques Voter receives smart key card with unique ballot sequence number Use electronic voting machine (voting booth) Give a digital signature printed receipt to voters Heavily depend on trusted parties and machines (must believe verification code) Shuffling technology, A. Neff [ACM CCS 2001] Verifiable permutation using iterated logarithmic multiplication proof

41 Information Security Research Centre 41 MCS Workshop, Melbourne Voting Stages Smart key card Voting machineVote on the screen Printed receipt Verify via web

42 Information Security Research Centre MCS Workshop, Melbourne 5. Conclusion 5.1 Korean activities 5.2 Australian activities

43 Information Security Research Centre 43 MCS Workshop, Melbourne Korean Activities Korea is a strong IT-based country Broadband Internet connection to more than 70% homes 30 million mobile users among 47 million population More than 10 million Certificate users (Internet banking) e-government provides many services currently http://www.egov.go.kr/ E-voting activities Public forums, seminars E-voting for presidential candidate election in Democratic party, 2002 Some political parties are using Internet voting

44 Information Security Research Centre 44 MCS Workshop, Melbourne Australian Activities Organizations Electoral Council of Australia (ECA) Australian Election Commission (AEC) ACT Electoral Commission Electronic voting trial in October 2001 Australian Capital Territory (ACT) Electoral Commission http://www.elections.act.gov.au

45 Information Security Research Centre 45 MCS Workshop, Melbourne Comparison Computer voting A secure environment, but not convenient Many trials in many countries: USA, UK, Australia, Korea, etc… Using just network security mechanism (?) – IPSec, SSL Suitable for serious political elections Internet voting More easy to participate in Have to use secure electronic voting protocols Authentication, Vote buying, Coercion issues Suitable for non-serious elections

46 Information Security Research Centre 46 MCS Workshop, Melbourne Internet Banking vs. Internet Voting ATM Banking Internet Banking Computer Voting Internet Voting Secure environment Public communication channel Personal purpose Non-serious(?) Public purpose Serious (political) Non-serious (non-political)

47 Information Security Research Centre 47 MCS Workshop, Melbourne Further Works Everlasting goal in research Designing voting schemes with more security, efficiency, and additional features How to provide Australian preferential voting? Probably using mixnet voting approach Using real cryptographic protocols How to make it work in the real world? More public activities – forum, workshop, standardization Supported by the government Good start with non-serious uses

48 Information Security Research Centre MCS Workshop, Melbourne Q & A

Download ppt "Information Security Research Centre MCS Workshop, Melbourne Electronic Voting and Receipt-freeness Byoungcheon Lee 1,2, Colin Boyd 1, Ed Dawson 1 1 Information."

Similar presentations

Research & Development Workshop on e-Voting and e-Government in the UK - February 27, 2006 Votinbox - a voting system based on smart cards Sébastien Canard.

Research & Development Workshop on e-Voting and e-Government in the UK - February 27, 2006 Votinbox - a voting system based on smart cards Sébastien Canard.
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.

Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.
The Italian Academic Community’s Electronic Voting System Pierluigi Bonetti Lisbon, May 2000.

The Italian Academic Community’s Electronic Voting System Pierluigi Bonetti Lisbon, May 2000.
Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.

Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.
Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)

Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)
A Pairing-Based Blind Signature

A Pairing-Based Blind Signature
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.

1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.
Electronic Voting Presented by Ben Riva Based on presentations and papers of: Schoenmakers, Benaloh, Fiat, Adida, Reynolds, Ryan and Chaum.

Electronic Voting Presented by Ben Riva Based on presentations and papers of: Schoenmakers, Benaloh, Fiat, Adida, Reynolds, Ryan and Chaum.
Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.

Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.
Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)

Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)
Pretty Good Voting (PGV) Christian Bell, Jason Duell, Amir Kamil Computer Security CS 261 Fall 2004.

Pretty Good Voting (PGV) Christian Bell, Jason Duell, Amir Kamil Computer Security CS 261 Fall 2004.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Ronald L. Rivest MIT Laboratory for Computer Science

Ronald L. Rivest MIT Laboratory for Computer Science
Applying Cryptography --lottery, anonymous authentication, and voting-- Kazue Sako 2007.9.20.

Applying Cryptography --lottery, anonymous authentication, and voting-- Kazue Sako

Similar presentations

Ads by Google