Slide 1
Privacy, Democracy and the Secret Ballot
An Informal Introduction to Cryptographic Voting

Slide 2
Talk Outline
- Background on Voting
- Voting with Mix-Nets
- Voting and Privacy
- A Human-Verifiable Voting Scheme
- Splitting trust between multiple authorities

Slide 3
A [Very] Brief History of Voting
- Ancient Greece (5th century BCE)
- Paper Ballots: Rome, 2nd century BCE (Papyrus); USA, 17th century
- Secret Ballots (19th century): The Australian Ballot
- Lever Machines
- Optical Scan (20th century)
- Direct Recording Electronic (DRE)

Slide 4
Voting: The Challenge
Requirements based on democratic principles:
- Outcome should reflect the “people’s will”
- Fairness: One person, one vote
- Privacy: Not a principle in itself; required for fairness
- Cast-as-intended
- Counted-as-cast
Additional requirements:
- Authorization, Availability

Slide 5
The Case for Cryptographic Voting
- Elections don’t just name the winner: they must convince the loser they lost!
- Elections need to be verifiable
- Counting in public: completely verifiable, but no vote privacy
- Using cryptography, we can get both!

Slide 6
Voting with Mix-Nets
- Idea due to David Chaum (1981)
- Multiple “Election Authorities”; assume at least one is honest
- Each voter creates an “Onion Ballot”
- Authorities decrypt and shuffle
- No Authority knows all permutations
- Authorities can publish a “proof of shuffle”
[Figure: a column of Yes/No ballots entering the mix-net and coming out shuffled]
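The decryption mix-net of this slide, written out in Python as an added example (illustrative code, not the talk’s or any project’s implementation): each voter wraps the vote in one ElGamal layer per authority, and each authority in turn peels off its own layer and shuffles. The toy group parameters, the Yes/No encoding as group elements, and every function name are constructed for this example; the “proof of shuffle” the slide mentions is not implemented here.

```python
import secrets

# Toy ElGamal parameters, constructed for this example (a real mix-net uses a ~256-bit
# group): p = 2q + 1 with q prime; plaintexts and ciphertext parts live in the order-q
# subgroup of quadratic residues mod p, so x^(q - k) equals x^(-k) for every element x.
P, Q, G = 2039, 1019, 4
ENCODE = {"Yes": 4, "No": 16}          # votes encoded as group elements (constructed)
DECODE = {v: k for k, v in ENCODE.items()}


def keygen():
    """One election authority's ElGamal key pair (sk, pk = g^sk)."""
    sk = 1 + secrets.randbelow(Q - 1)
    return sk, pow(G, sk, P)


def encrypt_layer(pk, elems):
    """Wrap every element e of the current onion in an ElGamal pair (g^y, e * pk^y)."""
    out = []
    for e in elems:
        y = secrets.randbelow(Q)
        out += [pow(G, y, P), e * pow(pk, y, P) % P]
    return out


def decrypt_layer(sk, elems):
    """Peel one layer: each pair (c1, c2) becomes c2 * c1^(-sk)."""
    return [c2 * pow(c1, (Q - sk) % Q, P) % P
            for c1, c2 in zip(elems[0::2], elems[1::2])]


def onion_ballot(vote, pks):
    """The voter's onion: encrypt for the last authority first, so the outermost
    layer belongs to authority 1, the first to mix."""
    onion = [ENCODE[vote]]
    for pk in reversed(pks):
        onion = encrypt_layer(pk, onion)
    return onion


def mix(onions, sk):
    """One authority: strip its layer from every onion, then shuffle.  Output position j
    holds input onion perm[j]; the permutation stays with this authority."""
    peeled = [decrypt_layer(sk, o) for o in onions]
    perm = list(range(len(peeled)))
    secrets.SystemRandom().shuffle(perm)
    return [peeled[i] for i in perm], perm


def run_election(votes, n_authorities=3):
    """Each authority mixes in turn.  Returns the decoded output order and the per-
    authority permutations (private in a real run; returned here so the caller can
    check that only their composition links ballots to votes)."""
    keys = [keygen() for _ in range(n_authorities)]
    pks = [pk for _, pk in keys]
    batch = [onion_ballot(v, pks) for v in votes]
    perms = []
    for sk, _ in keys:
        batch, perm = mix(batch, sk)
        perms.append(perm)
    return [DECODE[o[0]] for o in batch], perms


def compose(perms):
    """Overall permutation of the cascade: output position j holds input ballot
    overall[j].  Reconstructing it needs every authority's permutation, which is why a
    single honest authority already breaks the link between ballot and vote."""
    overall = list(range(len(perms[0])))
    for perm in perms:
        overall = [overall[i] for i in perm]
    return overall
```

The tally of the output always equals the tally of the input, and an observer who has all but one authority’s permutation learns nothing about the order, since composing with one uniformly random permutation gives a uniformly random permutation.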

Slide 7
How Private is Private?
- Intuition: No one can tell how you voted
- This is not always possible
- Best we can hope for: as good as the “ideal” vote counter
[Figure: ideal vote counter; inputs v_1, v_2, ..., v_n, output “Tally”, participants i_1, i_2, ..., i_n]

Slide 8
Privacy is not Enough!
- Voter can sell vote by disclosing randomness
- Example: Italian Village Elections
  - System allows listing candidates in any order
  - Bosses gave a different permutation of “approved” candidates to each voter
  - They could check which permutations didn’t appear
- Need “Receipt-Freeness” [Benaloh & Tuinstra 1994]

Slide 9
Flavors of Cryptographic Privacy
- Computational: depends on a computational assumption
  - A powerful enough adversary can “break” the privacy guarantee
  - Example: Mix-Nets (public-key encryption)
- Unconditional: privacy holds even for an infinitely powerful adversary
  - Example: Statistically-Hiding Commitment
- Everlasting: after the protocol ends, privacy is “safe” forever
  - Example: Unopened Statistically-Hiding Commitments

Slide 10
Who can you trust to encrypt?
- Public-key encryption requires computers
- Voting at home: coercer can sit next to you
- Voting in a polling booth: can you trust the polling computer?
- Verification should be possible for a human!
- Receipt-freeness and privacy are also affected.

Slide 11
A New Breed of Voting Protocols
- Chaum introduced the first “human-verifiable” protocol in 2004
- Two classes of protocols:
  - Destroy part of the ballot in the booth [Chaum]
  - Hide order of events in the booth [Neff]
- Next: a “hidden-order” based protocol
  - Receipt-free
  - Universally verifiable
  - Everlasting Privacy

Slide 12
Alice and Bob for Class President
- Cory “the Coercer” wants to rig the election
  - He can intimidate all the students
  - Only Mr. Drew is not afraid of Cory
- Everybody trusts Mr. Drew to keep secrets
  - Unfortunately, Mr. Drew also wants to rig the election
  - Luckily, he doesn’t stoop to blackmail
- Sadly, all the students suffer severe RSI
  - They can’t use their hands at all
  - Mr. Drew will have to cast their ballots for them

Slide 13
Commitment with “Equivalence Proof”
- We use a 20g weight for Alice... and a 10g weight for Bob
- Using a scale, we can tell if two votes are identical, even if the weights are hidden in a box!
- The only actions we allow are:
  - Open a box
  - Compare two boxes

Slide 14
Additional Requirements
- An “untappable channel”: students can whisper in Mr. Drew’s ear
- Commitments are secret: Mr. Drew can put weights in the boxes privately
- Everything else is public
  - Entire class can see all of Mr. Drew’s actions
  - They can hear anything that isn’t whispered
  - The whole show is recorded on video (external auditors)
[Figure: a student whispering to Mr. Drew: “I’m whispering”]

Slide 15
Ernie Casts a Ballot
- Ernie whispers his choice to Mr. Drew: “I like Alice”

Slide 16
Ernie Casts a Ballot
- Mr. Drew puts a box on the scale
- Mr. Drew needs to prove to Ernie that the box contains 20g
- If he opens the box, everyone else will see what Ernie voted for!
- Mr. Drew uses a “Zero Knowledge Proof”

Slide 17
Ernie Casts a Ballot
- Mr. Drew puts k (=3) “proof” boxes on the table
- Each box should contain a 20g weight
- Once the boxes are on the table, Mr. Drew is committed to their contents

Slide 18
Ernie Casts a Ballot
- Ernie “challenges” Mr. Drew; for each box, Ernie flips a coin and either:
  - Asks Mr. Drew to put the box on the scale (“prove equivalence”): it should weigh the same as the “Ernie” box
  - Asks Mr. Drew to open the box: it should contain a 20g weight
[Figure: Ernie’s challenge “Weigh 1, Open 2, Open 3”]

Slide 19
Ernie Casts a Ballot
- If the “Ernie” box doesn’t contain a 20g weight, every proof box either doesn’t contain a 20g weight or doesn’t weigh the same as the Ernie box
- Mr. Drew can fool Ernie with probability at most 2^-k
[Figure: Ernie’s challenge “Open 1, Weigh 2, Open 3”]

Slide 20
Ernie Casts a Ballot
Why is this Zero Knowledge?
- When Ernie whispers to Mr. Drew, he can tell Mr. Drew what his challenge will be.
- Mr. Drew can put 20g weights in the boxes he will open, and 10g weights in the boxes he weighs
[Figure: Ernie whispers “I like Alice”; challenge “Open 1, Weigh 2, Weigh 3”]

Slide 21
Ernie Casts a Ballot: Full Protocol
- Ernie whispers his choice and a fake challenge to Mr. Drew: “I like Alice”, “Open 1, Weigh 2, Weigh 3”
- Mr. Drew puts a box on the scale; it should contain a 20g weight
- Mr. Drew puts k “Alice” proof boxes and k “Bob” proof boxes on the table
- Bob boxes contain 10g or 20g weights according to the fake challenge

Slide 22
Ernie Casts a Ballot: Full Protocol
- Ernie shouts the “Alice” (real) challenge and the “Bob” (fake) challenge
- Drew responds to the challenges
- No matter who Ernie voted for, the protocol looks exactly the same!
[Figure: Alice challenge “Open 1, Open 2, Weigh 3”; Bob challenge “Open 1, Weigh 2, Weigh 3”]

Slide 23
Implementing “Boxes and Scales”
- We can use Pedersen commitment
- G: a cyclic (abelian) group of prime order p
- g, h: generators of G
- No one should know log_g h
- To commit to m ∈ Z_p: choose random r ∈ Z_p, send x = g^m h^r
- Statistically Hiding: for any m, x is uniformly distributed in G
- Computationally Binding: if we can find m’ ≠ m and r’ such that g^{m’} h^{r’} = x, then g^{m - m’} = h^{r’ - r} ≠ 1, so we can compute log_g h = (m - m’)/(r’ - r)

Slide 24
Implementing “Boxes and Scales”
- To prove equivalence of x = g^m h^r and y = g^m h^s:
  - Prover sends t = r - s
  - Verifier checks that y h^t = x (since g^m h^s h^{r-s} = g^m h^r)
[Figure: the equivalence check drawn with the scale]
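The boxes-and-scales protocol of slides 17 to 22, run over the Pedersen commitments and equivalence proof of slides 23 and 24, as an added example in Python (illustrative code, not the authors’ implementation). The toy group parameters, the use of the 20g/10g weights as committed exponents, and all function names are assumptions of this example; `known_challenge` models a Mr. Drew who learned the challenge before filling the boxes, which is both the zero-knowledge simulator of slide 20 and the fake-challenge trick of slides 21 and 22.

```python
import secrets

# Toy Pedersen parameters, constructed for this example (a real deployment uses a group
# of ~256-bit order): p = 2q + 1 with q prime, all arithmetic in the order-q subgroup of
# quadratic residues mod p.  Nobody must know log_G(H); here that is simply assumed.
P, Q = 2039, 1019
G, H = 4, 9
WEIGHT = {"Alice": 20, "Bob": 10}      # the 20g and 10g weights of the talk


def commit(m, r=None):
    """Pedersen commitment x = g^m h^r: a closed box.  Returns (x, r)."""
    if r is None:
        r = secrets.randbelow(Q)
    return pow(G, m, P) * pow(H, r, P) % P, r


def open_check(x, m, r):
    """Opening a box: (m, r) is revealed and everyone recomputes the commitment."""
    return commit(m, r)[0] == x


def equivalence_proof(r, s):
    """The scale, prover side: x = g^m h^r and y = g^m h^s share m, so reveal t = r - s."""
    return (r - s) % Q


def verify_equivalence(x, y, t):
    """The scale, verifier side: y * h^t == x iff both boxes hold the same m (given binding)."""
    return y * pow(H, t, P) % P == x


def drew_proof_boxes(true_vote, claimed, k, known_challenge=None):
    """k proof boxes for the candidate Drew claims the ballot holds.

    Not knowing the challenge, Drew puts the claimed weight in every box.  Knowing it, he
    puts the claimed weight only in boxes that will be opened and the ballot's true weight
    in boxes that will be weighed (the simulator, and the fake-challenge trick)."""
    boxes = []
    for i in range(k):
        if known_challenge is not None and known_challenge[i] == "weigh":
            m = WEIGHT[true_vote]
        else:
            m = WEIGHT[claimed]
        y, s = commit(m)
        boxes.append((y, s, m))
    return boxes


def drew_responds(ballot, boxes, challenge):
    """Per box: 'open' reveals (m, s); 'weigh' reveals t so the box balances against the ballot."""
    _, r = ballot
    return [("open", m, s) if c == "open" else ("weigh", equivalence_proof(r, s))
            for (y, s, m), c in zip(boxes, challenge)]


def audience_verifies(ballot_x, box_xs, claimed, challenge, responses):
    """Everyone (and the video) checks: opened boxes hold the claimed weight, weighed boxes balance."""
    for y, c, resp in zip(box_xs, challenge, responses):
        if c == "open":
            _, m, s = resp
            if m != WEIGHT[claimed] or not open_check(y, m, s):
                return False
        else:
            _, t = resp
            if not verify_equivalence(ballot_x, y, t):
                return False
    return True


def ballot_proof_session(true_vote, claimed, k, challenge, known_challenge=None):
    """Slides 17-19.  A Drew whose ballot box does not hold the claimed weight and who does
    not know the challenge fails unless he guessed all k coin flips: probability 2^-k."""
    ballot = commit(WEIGHT[true_vote])
    boxes = drew_proof_boxes(true_vote, claimed, k, known_challenge)
    responses = drew_responds(ballot, boxes, challenge)
    return audience_verifies(ballot[0], [y for y, _, _ in boxes], claimed, challenge, responses)


def cast_ballot(vote, k, real_challenge, fake_challenge):
    """Slides 21-22.  Ernie whispers his vote and a fake challenge for the other candidate;
    Drew gives a genuine proof for the vote and a simulated one for the other candidate.
    Both verify, so the public transcript is the same whichever way Ernie voted."""
    ballot = commit(WEIGHT[vote])
    accepted = {}
    for cand in WEIGHT:
        chal = real_challenge if cand == vote else fake_challenge
        known = None if cand == vote else fake_challenge
        boxes = drew_proof_boxes(vote, cand, k, known)
        responses = drew_responds(ballot, boxes, chal)
        accepted[cand] = audience_verifies(ballot[0], [b[0] for b in boxes], cand, chal, responses)
    return accepted
```

Soundness rests on the binding property: a box that balances against the ballot and would also open to the claimed weight would give two openings of one commitment, hence log_g h. The receipt-freeness of `cast_ballot` rests on the fake challenge being whispered over the untappable channel, so Cory watching the video cannot tell which of the two proofs was simulated.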

Slide 25
A “Real” System
[Screenshot: voting terminal]
  Hello Ernie, Welcome to VoteMaster
  Please choose your candidate:  [Bob]  [Alice]
[Screenshot: receipt printer]
  1  Receipt for Ernie
  2  o63ZJVxC91rN0uRv/DtgXxhl+UY=
  3  - Challenges -
  4  Alice:
  5  Sn0w 619- ziggy p3
  6  Bob:
  7  l4st phone et spla
  8  - Response -
  9  9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ=
  0  === Certified ===

Slide 26
A “Real” System
[Screenshot: voting terminal]
  Hello Ernie, You are voting for Alice
  Please enter a fake challenge for Bob
  Alice:
  Bob: l4st phone et spla
  [Continue]
[Screenshot: receipt printer, receipt as on slide 25]

Slide 27
A “Real” System
[Screenshot: voting terminal]
  Hello Ernie, You are voting for Alice
  Make sure the printer has output two lines (the second line will be covered)
  Now enter the real challenge for Alice
  Alice: Sn0w 619- ziggy p3
  Bob: l4st phone et spla
  [Continue]
[Screenshot: receipt printer, receipt as on slide 25]

Slide 28
A “Real” System
[Screenshot: voting terminal]
  Hello Ernie, You are voting for Alice
  Please verify that the printed challenges match those you entered.
  Alice: Sn0w 619- ziggy p3
  Bob: l4st phone et spla
  [Finalize Vote]
[Screenshot: receipt printer, receipt as on slide 25]

Slide 29
A “Real” System
[Screenshot: voting terminal]
  Hello Ernie, Thank you for voting
  Please take your receipt
[Screenshot: receipt printer, full receipt as on slide 25]

Slide 30
Counting the Votes
- Mr. Drew announces the final tally
- Mr. Drew must prove the tally correct, without revealing who voted for what!
- Recall: Mr. Drew is committed to everyone’s votes
[Figure: committed boxes for Ernie, Fay, Guy, Heidi; announced tally Alice: 3, Bob: 1]

Slide 31
Counting the Votes
- Mr. Drew puts k rows of new boxes on the table
- Each row should contain the same votes in a random order
- A “random beacon” gives k challenges
- Everyone trusts that Mr. Drew cannot anticipate the challenges
[Figure: committed votes of Ernie, Fay, Guy, Heidi; tally Alice: 3, Bob: 1; beacon challenges “Weigh, Weigh, Open”]

Slide 32
Counting the Votes
- For each challenge: Mr. Drew proves that the row contains a permutation of the real votes
[Figure: as above, a “Weigh” row matched box by box against the committed votes]

Slide 33
Counting the Votes
- For each challenge: Mr. Drew proves that the row contains a permutation of the real votes
- Or: Mr. Drew opens the boxes and shows they match the tally
[Figure: as above, the “Open” row opened]

Slide 34
Counting the Votes
- If Mr. Drew’s tally is bad, either the new boxes don’t match the tally, or they are not a permutation of the committed votes
- Drew succeeds with probability at most 2^-k
[Figure: as above]

Slide 35
Counting the Votes
- This protocol does not reveal information about specific votes:
  - No box is both opened and weighed
  - The opened boxes are in a random order
[Figure: as above]
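The counting protocol of slides 31 to 35 as an added Python example (illustrative code, not the authors’ implementation), using the same toy Pedersen group as the ballot-proof example. Mr. Drew publishes k rows of fresh boxes; the beacon’s challenge either has a row opened and checked against the announced tally, or has it weighed box by box against the committed votes under a revealed permutation. The group parameters, the weight encoding, and the function names are assumptions; `claimed_tally` and `row_contents` model a Drew announcing a false tally and filling rows to match it.

```python
import secrets
from collections import Counter

# Same toy Pedersen group as the ballot-proof example (constructed for this example).
P, Q = 2039, 1019
G, H = 4, 9
WEIGHT = {"Alice": 20, "Bob": 10}
NAME = {w: n for n, w in WEIGHT.items()}


def commit(m, r=None):
    """Pedersen box x = g^m h^r.  Returns (x, r)."""
    if r is None:
        r = secrets.randbelow(Q)
    return pow(G, m, P) * pow(H, r, P) % P, r


def verify_equivalence(x, y, t):
    """The scale: y * h^t == x iff x = g^m h^r and y = g^m h^s with t = r - s."""
    return y * pow(H, t, P) % P == x


def bulletin_board(votes):
    """After voting, Drew holds (x, r, m) per voter; the public sees only the x values."""
    out = []
    for v in votes:
        x, r = commit(WEIGHT[v])
        out.append((x, r, WEIGHT[v]))
    return out


def drew_rows(committed, k, row_contents=None):
    """k rows of new boxes.  Honest Drew: the real votes in a fresh random order per row.
    A cheating Drew passes `row_contents`, per-voter weights matching his false tally,
    and fills the rows from those instead."""
    rows = []
    for _ in range(k):
        perm = list(range(len(committed)))
        secrets.SystemRandom().shuffle(perm)        # position j holds voter perm[j]
        row = []
        for i in perm:
            m = committed[i][2] if row_contents is None else row_contents[i]
            y, s = commit(m)
            row.append((y, s, m))
        rows.append((perm, row))
    return rows


def drew_responds(committed, rows, challenge):
    """'open': reveal every box in the row.  'weigh': reveal the permutation and, for each
    position j, t_j = r_perm[j] - s_j so the row box can be weighed against the vote box."""
    out = []
    for (perm, row), c in zip(rows, challenge):
        if c == "open":
            out.append(("open", [(m, s) for _, s, m in row]))
        else:
            ts = [(committed[i][1] - s) % Q for i, (_, s, _) in zip(perm, row)]
            out.append(("weigh", perm, ts))
    return out


def audience_verifies(board, row_xs, tally, challenge, responses):
    """Opened rows must open correctly and add up to the announced tally; weighed rows
    must balance box by box against the committed votes under the revealed permutation.
    No row is both opened and weighed, so an opened row reveals only the multiset of votes."""
    for xs, c, resp in zip(row_xs, challenge, responses):
        if c == "open":
            _, openings = resp
            if any(commit(m, s)[0] != y for y, (m, s) in zip(xs, openings)):
                return False
            if Counter(NAME[m] for m, _ in openings) != tally:
                return False
        else:
            _, perm, ts = resp
            if sorted(perm) != list(range(len(board))):
                return False
            if any(not verify_equivalence(board[i], y, t) for i, y, t in zip(perm, xs, ts)):
                return False
    return True


def counting_session(votes, k, challenge, claimed_tally=None, row_contents=None):
    """Announce a tally (the true one unless `claimed_tally` is given), build k rows,
    answer the beacon's challenges and return the audience's verdict."""
    committed = bulletin_board(votes)
    board = [x for x, _, _ in committed]
    tally = Counter(claimed_tally) if claimed_tally else Counter(votes)
    rows = drew_rows(committed, k, row_contents)
    responses = drew_responds(committed, rows, challenge)
    row_xs = [[y for y, _, _ in row] for _, row in rows]
    return audience_verifies(board, row_xs, tally, challenge, responses)
```

A row filled to match a false tally survives an “open” challenge but fails a “weigh” one, and a row that is a genuine permutation fails an “open” challenge against a false tally, so a cheating Drew needs every one of the k beacon coins to fall his way.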

Slide 36
Interim Summary
- Background on Voting
- Voting with Mix-Nets
- Voting and Privacy
- A Human-Verifiable Voting Scheme
  - Universally-Verifiable
  - Receipt-Free
  - Based on commitment with equivalence testing
- Next: Splitting trust between multiple authorities

Slide 37
Protocol Ingredients
- Two independent voting authorities
- Public bulletin board (“Append Only”)
- Private voting booth
- Private channel between authorities

Slide 38
Protocol Overview
- Voters receive separate parts of the ballot from the authorities
- They combine the parts to vote
- Some of the ballot is destroyed to maintain privacy
- No authority knows all of the destroyed parts
- Both authorities cooperate to tally votes
- Public proof of correctness (with everlasting privacy)
- Even if both authorities cooperate, cheating will be detected
- Private information exchange to produce the proof
- Still maintains computational privacy
[Figure: ballot parts labelled “#1 Left” and “#1 Right”]

Slide 39
Casting a Ballot
- Choose a pair of ballots to audit
[Figure: two sealed ballot pairs, “#1 Left / #1 Right” and “#2 Left / #2 Right”]

Slide 40
Casting a Ballot
- Choose a pair of ballots to audit
- Open and scan audit ballot pair
[Figure: audit pair “#1 Left / #1 Right” opened; voting pair “#2 Left / #2 Right” still sealed]

Slide 41
Casting a Ballot
- Choose a pair of ballots to audit
- Open and scan audit ballot pair
- Enter private voting booth
- Open voting ballot pair
[Figure: Private Booth; “#2 Left / #2 Right” opened]

Slide 42
Casting a Ballot
- Choose a pair of ballots to audit
- Open and scan audit ballot pair
- Enter private voting booth
- Open voting ballot pair
- Stack ballot parts
- Mark ballot
[Figure: Private Booth; stacked ballot showing candidate letter pairs A,F / B,E / C,H / D,G]

Slide 43
Casting a Ballot
- Choose a pair of ballots to audit
- Open and scan audit ballot pair
- Enter private voting booth
- Open voting ballot pair
- Stack ballot parts
- Mark ballot
- Separate pages
[Figure: Private Booth]

Slide 44
Casting a Ballot
- Choose a pair of ballots to audit
- Open and scan audit ballot pair
- Enter private voting booth
- Open voting ballot pair
- Stack ballot parts
- Mark ballot
- Separate pages
- Destroy top (red) pages
- Leave booth. Scan bottom pages
[Figure: Private Booth. Annotations: “Random letter order: different on each ballot”; “Commitment to letter order”]

Slide 45
Forced Destruction Requirement
- Voters must be forced to destroy top sheets
- Marking a revealed ballot as spoiled is not enough!
  - Coercer can force voter to spoil certain ballots
  - Coerced voters vote “correctly” 50% of the time
- Attack works against other cryptographic voting systems too

Slide 46
Checking the Receipt
- Receipt consists of:
  - Filled-out bottom (green) pages of voted ballot
  - All pages of empty audit ballot
- Verify receipt copy on bulletin board is accurate
- Audit checks that commitment matches ballot
[Figure: bulletin board columns “Audited” and “Unvoted Ballots”]

Slide 47
Counting the Ballots
- Bulletin board contains commitments to votes
- Each authority publishes “half” a commitment; it doesn’t know the other half
- We can publicly “add” both halves (“Homomorphic Commitment”)
- Now neither authority can open!
- We need to shuffle commitments before opening
  - Encryption equivalent is a mix-net
  - Won’t work for everlasting privacy: not enough information

Slide 48
Counting the Ballots
- We need an oblivious commitment shuffle
- Idea: use homomorphic commitment and encryption over the same group
  - Publicly “add” commitments
  - Publicly shuffle commitments
  - Privately perform the same operations using encryptions
- Just enough information to open, still have privacy

Slide 49
Oblivious Commitment Shuffle
- Show a semi-honest version of the protocol
- Real protocol works in the malicious model
- We’ll use a clock analogy for homomorphic commitment and encryption

Slide 50
Oblivious Commitment Shuffle
- Modular addition with clocks
[Figure: clock faces; x + y → z]

Slide 51
Oblivious Commitment Shuffle
- Homomorphic Commitment
  - Hour hand is “value”
  - Minute hand is opening key (randomness)
  - Value and key are added separately
- After homomorphic addition, commitment cannot be opened by either party!
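The homomorphic “add both halves” step of slide 47 and the clock picture of slide 51, as an added Python example (illustrative code, not the authors’ implementation). Pedersen commitments in the same toy group as the earlier examples are additively homomorphic: the value exponents add like the hour hand and the key exponents add like the minute hand, both modulo q. The assumption that the two authorities hold random additive shares of the vote value, and all function names, are constructions of this example, not the talk’s ballot-part derivation.

```python
import secrets

# Same toy Pedersen group as the earlier examples (constructed for this example).
P, Q = 2039, 1019
G, H = 4, 9


def commit(value, key):
    """Clock picture: `value` is the hour hand (exponent of g), `key` the minute hand
    (exponent of h); both hands turn modulo q."""
    return pow(G, value % Q, P) * pow(H, key % Q, P) % P


def half_commitment(value_half):
    """One authority's half: commit to its share of the value with a private key share.
    Returns the public half and the authority's private (share, key) opening."""
    key_half = secrets.randbelow(Q)
    return commit(value_half, key_half), (value_half, key_half)


def add_commitments(x_a, x_b):
    """Public homomorphic addition: g^a h^r * g^b h^s = g^(a+b) h^(r+s)."""
    return x_a * x_b % P


def open_check(x, value, key):
    """Opening: recompute the commitment from the claimed value and key."""
    return commit(value, key) == x


def split_commit(vote_value):
    """Assumed sharing: authority A picks a random share a, authority B holds
    b = vote - a (mod q); each publishes its half, and the bulletin board shows only
    the combined commitment."""
    a = secrets.randbelow(Q)
    b = (vote_value - a) % Q
    x_a, open_a = half_commitment(a)
    x_b, open_b = half_commitment(b)
    return add_commitments(x_a, x_b), open_a, open_b


def joint_open(x, open_a, open_b):
    """Only by adding both halves, value and key separately like the two clock hands,
    does the combined commitment open.  Returns (ok, value)."""
    (a, r), (b, s) = open_a, open_b
    value, key = (a + b) % Q, (r + s) % Q
    return open_check(x, value, key), value


def alone_can_open(x, own_opening):
    """An authority knowing only its own half cannot open the combined commitment: its
    share is not the committed value and it does not know the other key share."""
    value, key = own_opening
    return open_check(x, value, key)
```

This is exactly why the counting step needs the oblivious shuffle of the following slides: after the public addition, opening requires both authorities to combine their private openings, and they must do so only after the combined commitments have been shuffled.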

Slide 52
Oblivious Commitment Shuffle
[Figure: clock animation]

Slide 53
Oblivious Commitment Shuffle
[Figure: clock animation]

Slide 54
Oblivious Commitment Shuffle
[Figure: clock animation]

Slide 55
Oblivious Commitment Shuffle
[Figure: clock animation]

Slide 56
Oblivious Commitment Shuffle
[Figure: clock animation]

Slide 57
Summary and Open Questions
- Background on Voting
- Voting with Mix-Nets
- Voting and Privacy
- A Human-Verifiable Voting Scheme
- Splitting trust between multiple authorities
  - Protocol distributes trust between two authorities
  - Everlasting Privacy
- Can we improve the human interface?
  - Required if we want more authorities
- New voting protocols?

Slide 58
Thank You!