Presentation is loading. Please wait.

Presentation is loading. Please wait.

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.

Published byMarvin Page Modified over 9 years ago

Similar presentations

Presentation on theme: "Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor."— Presentation transcript:

1 Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor

2 Flavors of Cryptographic Privacy Computational Privacy  Depends on a computational assumption  A powerful enough adversary can “break” the privacy guarantee  Example: Public Key Encryption Unconditional (“Everlasting”) Privacy  Privacy holds even for infinitely powerful adversary  Example: Statistically Hiding Commitment

3 Why Not Everlasting Privacy? Tradeoff between Unconditional Privacy and Unconditional Integrity Gut feeling is that integrity is more important Distributing trust between multiple parties is harder  Public communication cannot contain any information about individual votes  Standard methods using “threshold decryption” won’t work

4 Why Everlasting Privacy After All? Integrity depends on privacy too:  Coerced elections are not fair! Computational privacy holds only as long as its underlying assumptions  Belief in privacy violation may be enough for coercion!  Most open-audit voting schemes rely on public-key encryption Existing public-key schemes with current key lengths are likely to be broken in 30 years! [RSA conference ’06]

5 Outline of Talk Voting Scheme based on Hidden Temporal Order [Crypto 2006]  Uses DRE; DRE learns vote  Generalization can be based on any non- interactive commitment “Split Ballot” Voting Scheme [WOTE/CCS 2007]  Uses physical ballots  No single entity learns vote We’ll use physical metaphors and a simplified model

6 Alice and Bob for Class President Cory “the Coercer” wants to rig the election  He can intimidate all the students Only Mr. Drew is not afraid of Cory  Everybody trusts Mr. Drew to keep secrets  Unfortunately, Mr. Drew also wants to rig the election  Luckily, he doesn't stoop to blackmail Sadly, all the students suffer severe RSI  They can't use their hands at all  Mr. Drew will have to cast their ballots for them

7 We use a 20g weight for Alice......and a 10g weight for Bob Using a scale, we can tell if two votes are identical  Even if the weights are hidden in a box! The only actions we allow are:  Open a box  Compare two boxes Commitment with “Equivalence Proof”

8 An “untappable channel”  Students can whisper in Mr. Drew's ear Commitments are secret  Mr. Drew can put weights in the boxes privately Everything else is public  Entire class can see all of Mr. Drew’s actions  They can hear anything that isn’t whispered  The whole show is recorded on video (external auditors) I’m whispering Additional Requirements

9 Ernie whispers his choice to Mr. Drew I like Alice Ernie Casts a Ballot

10 Ernie Mr. Drew puts a box on the scale Mr. Drew needs to prove to Ernie that the box contains 20g  If he opens the box, everyone else will see what Ernie voted for! Mr. Drew uses a “Zero Knowledge Proof” Ernie Casts a Ballot

11 Mr. Drew puts k (=3) “proof” boxes on the table  Each box should contain a 20g weight  Once the boxes are on the table, Mr. Drew is committed to their contents Ernie Ernie Casts a Ballot

12 Ernie “challenges” Mr. Drew; For each box, Ernie flips a coin and either:  Asks Mr. Drew to put the box on the scale (“prove equivalence”) It should weigh the same as the “Ernie” box  Asks Mr. Drew to open the box It should contain a 20g weight Ernie 1 Weigh 2 Open 3 Open Ernie Ernie Casts a Ballot

13 Ernie 1 Open 2 Weigh 3 Open If the “Ernie” box doesn’t contain a 20g weight, every proof box:  Either doesn’t contain a 20g weight  Or doesn’t weight the same as the Ernie box Mr. Drew can fool Ernie with probability at most 2 -k Ernie Casts a Ballot

14 Why is this Zero Knowledge? When Ernie whispers to Mr. Drew, he can tell Mr. Drew what his challenge will be. Mr. Drew can put 20g weights in the boxes he will open, and 10g weights in the boxes he weighs I like Bob 1 Open 2 Weigh 3 Weigh

15 Ernie whispers his choice and a dummy challenge to Mr. Drew Mr. Drew puts a box on the scale  it should contain a 20g weight Mr. Drew puts k “Alice” proof boxes and k “Bob” proof boxes on the table  Bob boxes contain 10g or 20g weights according to the dummy challenge Ernie I like Alice 1 Open 2 Weigh 3 Weigh Ernie Casts a Ballot: Full Protocol

16 Ernie shouts the “Alice” (real) challenge and the “Bob” (dummy) challenge Drew responds to the challenges No matter who Ernie voted for, The protocol looks exactly the same! 1 Open 2 Open 3 Weigh 1 Open 2 Weigh 3 Weigh Ernie Ernie Casts a Ballot: Full Protocol

17 A “Real” System 1 Receipt for Ernie 2 o63ZJVxC91rN0uRv/DtgXxhl+UY= 3 - Challenges - 4 Alice: 5 Sn0w 619- ziggy p3 6 Bob: 7 l4st phone et spla 8 - Response - 9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ= 0 === Certified === Hello Ernie, Welcome to VoteMaster Please choose your candidate: Bob Alice

18 1 Receipt for Ernie 2 o63ZJVxC91rN0uRv/DtgXxhl+UY= 3 - Challenges - 4 Alice: 5 Sn0w 619- ziggy p3 6 Bob: 7 l4st phone et spla 8 - Response - 9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ= 0 === Certified === Hello Ernie, You are voting for Alice Please enter a dummy challenge for Bob A “Real” System l4st phone et spla Alice: Bob : Continue

19 1 Receipt for Ernie 2 o63ZJVxC91rN0uRv/DtgXxhl+UY= 3 - Challenges - 4 Alice: 5 Sn0w 619- ziggy p3 6 Bob: 7 l4st phone et spla 8 - Response - 9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ= 0 === Certified === Hello Ernie, You are voting for Alice Make sure the printer has output two lines (the second line will be covered) Now enter the real challenge for Alice A “Real” System l4st phone et spla Alice: Bob : Sn0w 619- ziggy p3 Continue

20 A “Real” System 1 Receipt for Ernie 2 o63ZJVxC91rN0uRv/DtgXxhl+UY= 3 - Challenges - 4 Alice: 5 Sn0w 619- ziggy p3 6 Bob: 7 l4st phone et spla 8 - Response - 9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ= 0 === Certified === Hello Ernie, You are voting for Alice Please verify that the printed challenges match those you entered. l4st phone et spla Alice: Bob : Sn0w 619- ziggy p3 Finalize Vote

21 A “Real” System 1 Receipt for Ernie 2 o63ZJVxC91rN0uRv/DtgXxhl+UY= 3 - Challenges - 4 Alice: 5 Sn0w 619- ziggy p3 6 Bob: 7 l4st phone et spla 8 - Response - 9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ= 0 === Certified === 1 2 Hello Ernie, Thank you for voting Please take your receipt

22 Mr. Drew announces the final tally Mr. Drew must prove the tally correct  Without revealing who voted for what! Recall: Mr. Drew is committed to everyone’s votes Counting the Votes ErnieFayGuyHeidi Alice: 3 Bob: 1

23 Mr. Drew puts k rows of new boxes on the table  Each row should contain the same votes in a random order A “random beacon” gives k challenges  Everyone trusts that Mr. Drew cannot anticipate the challenges Alice: 3 Bob: 1 ErnieFayGuyHeidi Counting the Votes 1 Weigh 2 Weigh 3 Open

24 For each challenge:  Mr. Drew proves that the row contains a permutation of the real votes Alice: 3 Bob: 1 ErnieFayGuyHeidi 1 Weigh 2 Weigh 3 Open Counting the Votes ErnieFayGuyHeidi

25 For each challenge:  Mr. Drew proves that the row contains a permutation of the real votes Or  Mr. Drew opens the boxes and shows they match the tally Alice: 3 Bob: 1 1 Weigh 2 Weigh 3 Open Fay ErnieFayGuyHeidi Counting the Votes

26 If Mr. Drew’s tally is bad  The new boxes don’t match the tally Or  They are not a permutation of the committed votes Drew succeeds with prob. at most 2 -k Alice: 3 Bob: 1 1 Weigh 2 Weigh 3 Open Fay ErnieFayGuyHeidi Counting the Votes

27 This prototocol does not reveal information about specific votes:  No box is both opened and weighed  The opened boxes are in a random order Alice: 3 Bob: 1 1 Weigh 2 Weigh 3 Open Fay ErnieFayGuyHeidi Counting the Votes

28 Summary A Universally-Verifiable Receipt-Free voting scheme  Based on commitment with equivalence testing  Based on generic non-interactive commitment What’s Missing?  DRE knows voter’s choice  Can use subliminal channels to reveal it We want to split trust between multiple authorities

29 Thank You!

Download ppt "Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor."

Similar presentations

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran.

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran.
Secret Ballot Receipts: True Voter Verifiable Elections Author: David Chaum Published: IEEE Security & Privacy Presenter: Adam Anthony.

Secret Ballot Receipts: True Voter Verifiable Elections Author: David Chaum Published: IEEE Security & Privacy Presenter: Adam Anthony.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
David Evans CS588: Cryptography University of Virginia Computer Science Lecture 17: Public-Key Protocols.

David Evans CS588: Cryptography University of Virginia Computer Science Lecture 17: Public-Key Protocols.
Talk by Vanessa Teague, University of Melbourne Joint work with Chris Culnane, James Heather & Steve Schneider at University of.

Talk by Vanessa Teague, University of Melbourne Joint work with Chris Culnane, James Heather & Steve Schneider at University of.
Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.

Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.
Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.

Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.
Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)

Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.

ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.
Cryptographic Voting Protocols: A Systems Perspective Chris Karlof Naveen Sastry David Wagner UC-Berkeley Direct Recording Electronic voting machines (DREs)

Cryptographic Voting Protocols: A Systems Perspective Chris Karlof Naveen Sastry David Wagner UC-Berkeley Direct Recording Electronic voting machines (DREs)
Privacy, Democracy and the Secret Ballot An Informal Introduction to Cryptographic Voting.

Privacy, Democracy and the Secret Ballot An Informal Introduction to Cryptographic Voting.
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.

Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.

1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.
Weizmann Institute of Science Israel Deterministic History-Independent Strategies for Storing Information on Write-Once Memories Tal Moran Moni Naor Gil.

Weizmann Institute of Science Israel Deterministic History-Independent Strategies for Storing Information on Write-Once Memories Tal Moran Moni Naor Gil.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Similar presentations

Ads by Google