Presentation is loading. Please wait.

Presentation is loading. Please wait.

Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)

Published byJulianna Walsh Modified over 9 years ago

Similar presentations

Presentation on theme: "Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)"— Presentation transcript:

1 research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle) France Télécom Orange Labs R&D Third Franco-Japanese Computer Security Workshop – 13 March 2008 LORIA, Nancy

2 Orange Labs - Research & Development 2 Electronic Voting Methods Remote Electronic Voting (on-line voting) Supervised voting (off-line voting) How to guarantee the "What You see is What You Vote For?

3 Orange Labs - Research & Development 3 Eligibility: only legitimate voters can vote, and only once Universal verifiability: All voters can verify that the final tally is correct The votes they cast are included Only authorized votes are counted No votes are changed during tallying Privacy: no adversary can learn any more about votes than is revealed by the final tally Anonymity: hide map from voter to vote Receipt-freeness: prohibit proof of vote Coercion-freeness: adaptative Some desired properties of e-voting systems Voters cannot prove whether or how they voted, even if they can interact with the adversary while voting. Stronger

4 Orange Labs - Research & Development 4 Previous work [Juels-Catalano-Jakobsson 2005] Basic ingredients: Voter employs anonymous credential obtained during the registration phase We don’t know who voted (at time of voting) or what was voted Valid credentials are required for vote to count Voter can make "fake credentials" and vote multiple times A coercer cannot tell whether a credential is correct or not Attacker cannot tell whether a vote is valid or not Basic idea: To mislead a coercer, the voter sends invalid ballot(s) as long as he is coerced, and a valid ballot as soon as he is not coerced It suffices that the voter finds a window-time during which he is not coerced Drawbacks N the number of voters, V the number of votes (V ≧ N) Quadratic overhead: tallying is in O(V 2 ) Denial of service attack…

5 Orange Labs - Research & Development 5 Building Blocks ElGamal Cryptosystem Designated verifier signature scheme: derived from "Boneh-Boyen-Sacham” or "Camenisch-Lysanskaya" signature schemes (Crypto’04) El Gamal cryptosystem: G a group of prime order p, g a generator of G the secret key is x, the public key is h = g x, Encryption of m is c = (g r, h r m), Decryption of c is (g r ) -x (h r m) Basic Tools

6 Orange Labs - Research & Development 6 El Gamal cryptosystem Decryption (private key) can easily be distributed No need to trust a single entity Encryption is homomorphic Multiplicative, or additive with a variant: E h (m)* E h (m') = E h (m*m') E h (m)* E h (m') = E h (m*m') E h (m) k = E h (m k ) Computing on encrypted data is easy Comparing the plaintexts of two ciphertexts (without decrypting them) is easy: Plaintext Equivalence Test (PET): PET(E h (m1), E h (m2) = 1 if m1 = m2 and 0 otherwise Re-encryption is easy : mix-nets can be efficiently implemented For simulating an "anonymous channel" For simulating "ballot shuffle" C = (g r, h r.m) can be transformed on a new ciphertext C' of m without knowing m and/or the secret key : C' = (g r+r', h r+r'.m)

7 Orange Labs - Research & Development 7 Setup: Generators g 0, g, h of a cyclic group G of order p where DDH is hard Public key of the signer: PK = g 0 y, Secret key of the signer: SK = y Signature of a message x: Choose a random value r Compute A = (g h x ) 1/(y+r) Signature of x = (A, r) Designated Verification: Prove that Log A (A -r gh x ) = Log g 0 (PK ) using a Designated Verifier Proof ( Jakobsson-Sako – Impagliazzo) Only the (designated) verifier can be convinced by this proof Designated verifier signature scheme A y = A -r gh x (1) A y+r g -1 h -x = 1 (2) Deciding whether a pair (A, r) is a valid signature on a message x is equivalent to the DDH problem  Based on "Boneh-Boyen-Sacham's group signature scheme (Crypto 2004)

8 Orange Labs - Research & Development 8 Cast of Characters Receive their credential during the registration phase Issue credentials in a distributed manner during the registration phase. They share a secret key of our DVS. R is the corresponding public key Manage the tallying process. They share an El Gamal secret key. T is the corresponding public key Voters Talliers Registration Authorities Coercer Try to verify whether the coerced voter as voted as prescribed

9 Orange Labs - Research & Development 9 Security model Registration: Attacker cannot interfere with registration process Before voting: Attacker can provide keying or other material to voter (even entire ballot) During vote: Votes may be posted anonymously (for strongest security) or semi-anonymously (for weaker guarantees) Bulletin board is universally accessible At all times: Attacker has access to all public information, i.e., encrypted and decrypted ballots May corrupt all but one of each type of election authority May coerce voters, demanding any secrets or behavior, remotely or physically May control network Assumption. Voters trust their voting client.

10 Orange Labs - Research & Development 10 Setup: Generators g 0,g,h,m of a cyclic group G of order p (DDH problem is hard) Registration authority: PK=g 0 y,SK= y Talliers: share y and an ElGamal secret key Registration Credential: (A, r, x) x and r are randomly chosen by R A is computed as follows by R: A = (g h x ) 1/(y+r) A credential is valid iff the voter knows two values x and r such that: A γ+r =g h x (which is equivalent to A y+r g -1 h -x = 1) Fake credential: (A, r, x’) Set-up

11 Orange Labs - Research & Development 11 Registration Registration Authorities (A, r, x)  The registration authorities generate in a distributed manner a DVS signature (A, r) of a random value x and prove using a DVP to Mr Smith that the signature is valid  Mr Smith's credential is (A, r, x). He can send a fake credential (A, r, x') to the coercer Coercer Mr Smith (A, r, x') Is it a valid credential?

12 Orange Labs - Research & Development 12 A passive coercer can't check if a credential is valid or not under the DDH assumption A coercer can't forge valid credentials under the q-SDH assumption q-SDH: given g, g x, …, g (x q ), find a pair (c, s) such that s x+c = g An active coercer can't check if a credential is valid or not (under the SDDHI assumption) Basic Facts about these credentials

13 Orange Labs - Research & Development 13 Ballot (E T [vote], E T [A], E T [A r ], E T [h x ], F=m x, P) P is a NIZKP of validity, that is : E T (vote) is an encryption of a valid vote Voter knows the plaintext related to E T (A) Voter knows the "discrete logarithm" of E T [A r ] in the base E T [A] Voter knows the plaintext related to E T [h x ] as well as the discrete logarithm x of this plaintext in the base h. Voter knows the discrete logarithm of F in the base m and that this discrete logarithm is equal to x Anatomy of a ballot Credential : A tuple (A, r, x) such that A y+r g -1 h -x = 1

14 Orange Labs - Research & Development 14 Voting  Anatomy of a ballot: ( E T (vote), E T (A), E T (A r ) E T (h x ), m x, Proof) Bulletin Board 1  Vote under coercion Mr Smith  Revote E T (Gore), E T (A), E T (A r ) E T (h x ), m x, Proof2 E T (Bush), E T (A), E T (A r ) E T (h x' ), m x', Proof1 Bulletin Board 1

15 Orange Labs - Research & Development 15 Tallying phase Bulletin Board 1 E T (Bush), E T (A), E T (A r ) E T (h x' ), m x', Proof 1 E T (Bush), E T (B), E T (B s ) E T (h y ), m y, Proof 2 E T (Bush), E T (C), E T (C t ) E T (h z ), m z, Proof 3 E T (Gore), E T (B), E T (B s ) E T (h y ), m y, Proof 4 E T (Bush), E T (D), E T (D u ) E T (h v ), m w, Proof 5 E T (Gore), E T (A), E T (A r ) E T (h x ), m x, Proof 6 Step 1: Discard ballots with invalid proofs Tallier 1 Tallier 2

16 Orange Labs - Research & Development 16 Tallying phase Bulletin Board 2 E T (Bush), E T (A), E T (A r ) E T (h x' ), m x' E T (Bush), E T (B), E T (B s ) E T (h y ), m y E T (Bush), E T (C), E T (C t ) E T (h z ), m z E T (Gore), E T (B), E T (B s ) E T (h y ), m y E T (Gore), E T (A), E T (A r ) E T (h x ), m x Step 2: Elimination of duplicates: the ballots that have the same fourth component Tallier 1 Tallier 2 Keep the last one for example

17 Orange Labs - Research & Development 17 Tallying phase Step 3: Mixing the ballots Tallier 1 Tallier 2 Bulletin Board 3 E T (Bush), E T (A), E T (A r ) E T (h x' ) E T (Bush), E T (C), E T (C t ) E T (h z ) E T (Gore), E T (B), E T (B s ) E T (h y ) E T (Gore), E T (A), E T (A r ) E T (h x ) Mix Net Bulletin Board 4 E' T (Gore), E' T (A), E' T (A r ), E' T (h x ) E' T (Gore), E' T (B), E' T (B s ), E' T (h y ) E' T (Bush), E' T (C), E' T (C t ), E' T (h z ) E' T (Bush), E' T (A), E' T (A r ), E' T (h x' ) Reencrypt and permute each row

18 Orange Labs - Research & Development 18 Tallying phase Step 4: Checking credentials … E‘(©) … Authority 1 Authority 2 1.The authorities compute C=E' T [A y+r g -1 h -x ] from E' T [A], E' T [A r ], E' T [h x ] and SK = y 2.Test whether C is an encryption of 1 1.Power C to a fresh random number 'f' and jointly decrypt C f. 2.D[C f ] =1 ? Yes = valid / No = invalid and discard ballots Bulletin Board 4 E' T (Gore), E' T (A), E' T (A r ), E' T (h x ) E' T (Gore), E' T (B), E' T (B s ), E' T (h y ) E' T (Bush), E' T (C), E' T (C t ), E' T (h z ) E' T (Bush), E' T (A), E' T (A r ), E' T (h x' )

19 Orange Labs - Research & Development 19 Tallying phase Step 5: Decrypt valid votes … E‘(©) … Results Gore Bush Distributed Decryption Bulletin Board 4 E' T (Gore) E' T (Bush) Tallier 1 Tallier 2

20 Orange Labs - Research & Development 20 Security Voter cannot sell or prove vote Attacker cannot tell a false credential from a real one No randomization or forced abstention Randomization: Voter can use fake credential to post false ballot… and later vote for real Forced abstention: Voter can vote using an anonymous channel Resistance to shoulder-surfing Voter can vote multiple times Weeding policy provides for re-vote E.g., last vote might count (needs extra phase) Our scheme satisfies the coercion-freeness property under the q-SDH and SDDHI assumptions

21 Orange Labs - Research & Development 21 Conclusion The JCJ scheme is promising, but not efficient We design a practical (with linear work factor), publicly verifiable and coercion- resistant voting scheme for remote elections Not just practical, but essential for Internet voting! Open problem: how to remove the assumption related to the voter's computer?

Download ppt "Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)"

Similar presentations

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
1 e-voting (requirements & protocols) 1) Aggelos Kiayias, Moti Yung: Self-tallying Elections and Perfect Ballot Secrecy 2) Jens Groth: Efficient Maximal.

1 e-voting (requirements & protocols) 1) Aggelos Kiayias, Moti Yung: Self-tallying Elections and Perfect Ballot Secrecy 2) Jens Groth: Efficient Maximal.
Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.

Requirements for a Secure Voting System  Only authorized voters can vote  No one can vote more than once  No one can determine for whom anyone else.
Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.

Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.
Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)

Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)
A Pairing-Based Blind Signature

A Pairing-Based Blind Signature
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.

ThreeBallot, VAV, and Twin Ronald L. Rivest – MIT CSAIL Warren D. Smith - CRV Talk at EVT’07 (Boston) August 6, 2007 Ballot Box Ballot Mixer Receipt G.
1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.

1 Receipt-freedom in voting Pieter van Ede. 2 Important properties of voting  Authority: only authorized persons can vote  One vote  Secrecy: nobody.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Electronic Voting Presented by Ben Riva Based on presentations and papers of: Schoenmakers, Benaloh, Fiat, Adida, Reynolds, Ryan and Chaum.

Electronic Voting Presented by Ben Riva Based on presentations and papers of: Schoenmakers, Benaloh, Fiat, Adida, Reynolds, Ryan and Chaum.
Civitas Verifiability and Coercion Resistance for Remote Voting Virginia Tech NCR September 14, 2012 Michael Clarkson George Washington University with.

Civitas Verifiability and Coercion Resistance for Remote Voting Virginia Tech NCR September 14, 2012 Michael Clarkson George Washington University with.
Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.

Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.
7. Asymmetric encryption-

7. Asymmetric encryption-

Similar presentations

Ads by Google