Receipt-Free
Universally-Verifiable Voting With Everlasting Privacy
Tal Moran

Outline of Talk
Flavors of privacy (and why we care)
A cryptographic voting scheme with everlasting privacy
Based on the “Neff-ian” paradigm
We’ll use physical metaphors and a simplified model

The Case for Cryptographic Voting
Elections need to be verifiable
Counting in public: completely verifiable, but no vote privacy
Votes should be private
Trusting the vote counter: “perfect” privacy, but no way to verify the result
Using cryptography, we can get both!

Template for Universally Verifiable Voting
Cast ballot
Receive encrypted receipt
Publish encrypted receipt on bulletin board
Compute and publish tally
Publish proof of consistency with receipts
The proof ensures verifiability; the encryption ensures privacy

Why Care About Ballot Privacy?
Only to prevent coercion/vote selling: explicit coercion and implicit coercion
Is encrypting votes enough?
Encryption may be broken (recently: RSA-768)
Would you take the risk?
“Existing public-key schemes with current key lengths are likely to be broken in less than 30 years!” [RSA Conference ’06]

What can we do instead?
Require “everlasting” privacy: published receipts give no information about the vote, even to adversaries with infinite computing power
What does “no information” mean? Any set of votes can result in an identical bulletin board
Impossible to “break”: all decryptions are equally likely

Problem Solved.
…or is it?
If all decryptions are equally likely, any result is consistent with the receipts, so a “proof of consistency” doesn’t mean anything
Replace the “proof” with a computational “argument”: a computationally bounded adversary can only “prove” a result that is consistent with the voters’ intentions

Privacy/Integrity Tradeoff
Can make one unconditional; the other will only hold computationally
Unconditional integrity: even an “infinitely powerful” prover cannot fake election results, but privacy might be broken in the future
Unconditional privacy: a prover that can break the cryptographic assumption before election day can fake results, but privacy is “everlasting”
(Diagram: a slider between Integrity and Privacy)

Cryptographic Commitments
Commitment to a value:
Commit now: “hiding”, Alice doesn’t learn the contents
Reveal later: “binding”, Bob can’t change the contents
Think of this as encryption

Computationally-Hiding Commitments
Public-key encryption is unconditionally binding, computationally hiding

Unconditionally-Hiding Commitments
Alice does not get any information about the committed value
Binding is only computational
To give protocols “everlasting privacy”: replace encryptions with commitments

Perfectly-Hiding Commitments
Example: Pedersen commitments
$G$: a cyclic (abelian) group of prime order $p$; DLog is hard in $G$
$g, h$: generators of $G$; no one should know $\log_g h$
To commit to $m \in \mathbb{Z}_p$: choose random $r \in \mathbb{Z}_p$ and send $x = g^m h^r$
Perfectly hiding: for any $m$, $x$ is uniformly distributed in $G$ (since $h$ generates $G$, $g^m h^r$ ranges over all of $G$ as $r$ ranges over $\mathbb{Z}_p$)
Computationally binding: if we can find $m' \neq m$ and $r'$ such that $g^{m'} h^{r'} = x$, then $g^{m - m'} = h^{r' - r} \neq 1$, so we can compute $\log_g h = (m' - m)/(r - r')$, contradicting the hardness of DLog

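The Pedersen construction just described, as an added Python example; it is not code from the slides or from the MN06 implementation. The group parameters P = 2039, Q = 1019 and G = 4 are toy values chosen for this illustration, and H is derived from a trapdoor that the code knows so that the binding reduction (two openings give log_G H) can be exercised end to end. A real deployment derives H so that nobody knows log_G H, for example by hashing to the group, and uses a group of cryptographic size.

```python
import secrets

# Toy Pedersen parameters, constructed for this example; far too small to be secure.
P = 2039      # safe prime, P = 2*Q + 1
Q = 1019      # prime order of the subgroup of quadratic residues mod P
G = 4         # a square mod P, so it generates the order-Q subgroup
# The slide's binding argument is a reduction: two openings of one commitment
# yield log_G H.  To run that reduction end to end this example deliberately
# knows the logarithm.  A real deployment must derive H so that nobody knows it
# (e.g. by hashing to the group); whoever knows it can equivocate, see below.
TRAPDOOR = 123
H = pow(G, TRAPDOOR, P)


def commit(m: int, r: int) -> int:
    """Pedersen commitment x = g^m h^r; exponents live in Z_Q."""
    return pow(G, m % Q, P) * pow(H, r % Q, P) % P


def verify_opening(x: int, m: int, r: int) -> bool:
    return commit(m, r) == x


def commitment_image(m: int) -> frozenset:
    """Every commitment to m over all r.  Because h generates the subgroup the
    result is the whole subgroup whatever m is: x carries no information about m."""
    return frozenset(commit(m, r) for r in range(Q))


def equivocate(m: int, r: int, m_new: int) -> int:
    """Trapdoor holder finds r_new with commit(m_new, r_new) == commit(m, r):
    m + a*r = m_new + a*r_new (mod Q)  =>  r_new = r + (m - m_new) / a."""
    return (r + (m - m_new) * pow(TRAPDOOR, -1, Q)) % Q


def extract_dlog(m: int, r: int, m2: int, r2: int) -> int:
    """The slide's reduction: g^m h^r == g^m2 h^r2 with m != m2 gives
    g^(m - m2) = h^(r2 - r), hence log_g h = (m2 - m) / (r - r2) (mod Q)."""
    if (m - m2) % Q == 0:
        raise ValueError("openings must differ in the committed value")
    return (m2 - m) * pow((r - r2) % Q, -1, Q) % Q


def demo() -> bool:
    alice, bob = 20, 10                  # the slides' 20g and 10g weights
    r = secrets.randbelow(Q)
    x = commit(alice, r)
    ok = verify_opening(x, alice, r) and not verify_opening(x, bob, r)
    # Hiding: the commitments to Alice and to Bob are the same set.
    ok = ok and commitment_image(alice) == commitment_image(bob)
    # Binding: opening x as Bob needs the trapdoor...
    r2 = equivocate(alice, r, bob)
    ok = ok and verify_opening(x, bob, r2)
    # ...and whoever sees both openings learns it, so no one should know it.
    ok = ok and pow(G, extract_dlog(alice, r, bob, r2), P) == H
    return ok


if __name__ == "__main__":
    print("all checks passed" if demo() else "FAILED")
```

The image check is the concrete meaning of “uniformly distributed in G”: the sets of possible commitments to 20 and to 10 coincide, so a bulletin board of commitments is consistent with any set of votes, whatever computing power the reader has.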
Example Voting System (MN06)
Based on the “Neff-ian” paradigm
Prove to a human that the receipt encodes their vote
Use the zero-knowledge simulator for receipt-freeness
Uses commitments for everlasting privacy
Let’s move to a slightly simpler setting…

Alice and Bob for Class President
Cory “the Coercer” wants to rig the election
He can intimidate all the students; only Mr. Drew is not afraid of Cory
Everybody trusts Mr. Drew to keep secrets
Unfortunately, Mr. Drew also wants to rig the election
Luckily, he doesn't stoop to blackmail
Sadly, all the students suffer severe RSI: they can't use their hands at all
Mr. Drew will have to cast their ballots for them

Commitment with “Equivalence Proof”
We use a 20g weight for Alice... and a 10g weight for Bob
Using a scale, we can tell if two votes are identical, even if the weights are hidden in a box!
The only actions we allow are: open a box; compare two boxes

Additional Requirements
An “untappable channel”: students can whisper in Mr. Drew's ear
Commitments are secret: Mr. Drew can put weights in the boxes privately
Everything else is public: the entire class can see all of Mr. Drew’s actions and hear anything that isn’t whispered
The whole show is recorded on video (external auditors)

Ernie Casts a Ballot
Ernie whispers his choice to Mr. Drew: “I like Alice”

Ernie Casts a Ballot
Mr. Drew puts a box on the scale
Mr. Drew needs to prove to Ernie that the box contains 20g
If he opens the box, everyone else will see what Ernie voted for!
Mr. Drew uses a “zero-knowledge proof”

Ernie Casts a Ballot
Mr. Drew puts k (=3) “proof” boxes on the table
Each box should contain a 20g weight
Once the boxes are on the table, Mr. Drew is committed to their contents

Ernie Casts a Ballot
Ernie “challenges” Mr. Drew: for each box, Ernie flips a coin and either:
asks Mr. Drew to put the box on the scale (“prove equivalence”): it should weigh the same as the “Ernie” box
asks Mr. Drew to open the box: it should contain a 20g weight
(Example challenge: Weigh 1, Open 2, Open 3)

Ernie Casts a Ballot
(Example challenge: Open 1, Weigh 2, Open 3)
If the “Ernie” box doesn’t contain a 20g weight, every proof box either doesn’t contain a 20g weight or doesn’t weigh the same as the Ernie box
Each proof box therefore fails one of its two possible challenges, so Mr. Drew can fool Ernie with probability at most $2^{-k}$

Ernie Casts a Ballot
Why is this zero knowledge?
When Ernie whispers to Mr. Drew, he can tell Mr. Drew what his challenge will be
Mr. Drew can put 20g weights in the boxes he will open, and 10g weights in the boxes he weighs
(Example: Ernie whispers “I like Bob” and the challenge Open 1, Weigh 2, Weigh 3)

Ernie Casts a Ballot: Full Protocol
Ernie whispers his choice and a fake challenge to Mr. Drew (“I like Alice”; Open 1, Weigh 2, Weigh 3)
Mr. Drew puts a box on the scale; it should contain a 20g weight
Mr. Drew puts k “Alice” proof boxes and k “Bob” proof boxes on the table
Bob boxes contain 10g or 20g weights according to the fake challenge

Ernie Casts a Ballot: Full Protocol
Ernie shouts the “Alice” (real) challenge and the “Bob” (fake) challenge (Alice: Open 1, Open 2, Weigh 3; Bob: Open 1, Weigh 2, Weigh 3)
Drew responds to the challenges
No matter who Ernie voted for, the protocol looks exactly the same!

Implementing a “Scale”
Example for Pedersen commitments: to prove equivalence of $x = g^m h^r$ and $y = g^m h^s$, the prover sends $t = r - s$ and the verifier checks that $y h^t = x$

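The equivalence proof above and the box-based ballot-casting protocol of the preceding slides (proof boxes, real and fake challenges, the simulator for the fake candidate, and the $2^{-k}$ cheating bound), as one added Python example; it is not code from the slides or from the MN06 system. It reuses the toy group P = 2039, Q = 1019, G = 4 with H = 9 (insecure sizes, for illustration only), commits to the 20g/10g weights directly as exponents, and the candidate names, the OPEN/WEIGH labels and all function names are this example's own.

```python
import secrets
from itertools import product

# Toy group, constructed for this example; insecure sizes.  H = 3**2 is a square
# mod P, so it lies in the order-Q subgroup; its logarithm base G is never used.
P, Q, G, H = 2039, 1019, 4, 9
WEIGHT = {"Alice": 20, "Bob": 10}      # the slides' 20g and 10g weights, as exponents
OPEN, WEIGH = "open", "weigh"


def commit(m, r):
    return pow(G, m % Q, P) * pow(H, r % Q, P) % P


# The "scale": x = g^m h^r and y = g^m h^s hide the same weight.
def prove_equivalence(r, s):
    return (r - s) % Q


def check_equivalence(x, y, t):
    return y * pow(H, t, P) % P == x


def drew_commits(choice):
    """The voter's box goes on the scale: a commitment to the chosen weight."""
    r = secrets.randbelow(Q)
    return commit(WEIGHT[choice], r), r


def drew_proof_boxes(real_choice, claimed, k, known_challenge=None):
    """k proof boxes for the claim 'the ballot box holds WEIGHT[claimed]'.
    For the real candidate every box is honest.  For the fake candidate Drew was
    whispered the challenge in advance and fills each box so that it will pass:
    the claimed weight where it will be opened, the ballot's true weight where it
    will be weighed.  That is the zero-knowledge simulator of the slides."""
    boxes = []
    for i in range(k):
        honest = known_challenge is None or known_challenge[i] == OPEN
        m = WEIGHT[claimed] if honest else WEIGHT[real_choice]
        boxes.append((m, secrets.randbelow(Q)))
    return boxes


def drew_responds(ballot_r, boxes, challenge):
    """Open a box (reveal its opening) or weigh it (equivalence proof against the ballot)."""
    return [(m, r) if c == OPEN else prove_equivalence(ballot_r, r)
            for (m, r), c in zip(boxes, challenge)]


def verify_proof(ballot_x, claimed, box_xs, challenge, responses):
    """What Ernie, and later any auditor holding the receipt, checks."""
    if not len(box_xs) == len(challenge) == len(responses):
        return False
    for x, c, resp in zip(box_xs, challenge, responses):
        if c == OPEN:
            if not isinstance(resp, tuple):
                return False
            m, r = resp
            if m != WEIGHT[claimed] or commit(m, r) != x:
                return False
        elif not check_equivalence(ballot_x, x, resp):
            return False
    return True


def cast_ballot(choice, real_challenge, fake_challenge):
    """Ernie whispers `choice` and `fake_challenge`; Drew commits to the ballot and
    to both sets of proof boxes; Ernie shouts both challenges; Drew answers.
    Only the public transcript (the receipt) is returned."""
    k = len(real_challenge)
    other = next(c for c in WEIGHT if c != choice)
    ballot_x, ballot_r = drew_commits(choice)
    boxes = {choice: drew_proof_boxes(choice, choice, k),
             other: drew_proof_boxes(choice, other, k, known_challenge=fake_challenge)}
    # Box contents are fixed here, before the real challenge is used below.
    transcript = {"ballot": ballot_x}
    for cand, challenge in ((choice, real_challenge), (other, fake_challenge)):
        box_xs = [commit(m, r) for m, r in boxes[cand]]
        transcript[cand] = (box_xs, challenge, drew_responds(ballot_r, boxes[cand], challenge))
    return transcript


def verify_receipt(transcript):
    """Both proofs verify whoever Ernie voted for, so the receipt cannot show Cory
    which candidate was the real one."""
    return all(verify_proof(transcript["ballot"], cand, *transcript[cand]) for cand in WEIGHT)


def cheating_success_rate(k):
    """Drew's ballot box holds Bob's weight but he claims Alice.  Over every way of
    filling k boxes and every challenge Ernie might shout, the best filling passes
    exactly one challenge in 2**k: the slides' bound."""
    ballot_x, ballot_r = drew_commits("Bob")
    best = 0
    for fill in product(WEIGHT.values(), repeat=k):
        boxes = [(m, secrets.randbelow(Q)) for m in fill]
        box_xs = [commit(m, r) for m, r in boxes]
        passed = sum(verify_proof(ballot_x, "Alice", box_xs, ch, drew_responds(ballot_r, boxes, ch))
                     for ch in product((OPEN, WEIGH), repeat=k))
        best = max(best, passed)
    return best / 2 ** k


if __name__ == "__main__":
    receipt = cast_ballot("Alice", [OPEN, OPEN, WEIGH], [OPEN, WEIGH, WEIGH])
    print("receipt verifies:", verify_receipt(receipt))
    print("cheating Drew passes with probability", cheating_success_rate(3))
```

The receipt-freeness argument is visible in `cast_ballot`: the only secret is which of the two shouted challenges was whispered first, and the transcript for the fake candidate is constructed to be exactly what an honest transcript for that candidate would look like. The order of operations is the security-relevant part: the box commitments must exist before the real challenge is read, which is what the printer step in the next slides enforces.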
A “Real” System
The printed receipt:
1 Receipt for Ernie
2 o63ZJVxC91rN0uRv/DtgXxhl+UY=
3 - Challenges -
4 Alice:
5 Sn0w 619- ziggy p3
6 Bob:
7 l4st phone et spla
8 - Response -
9 9NKWoDpGQMWvUrJ5SKH8Q2CtwAQ=
0 === Certified ===
Screen 1: “Hello Ernie, Welcome to VoteMaster. Please choose your candidate: Bob / Alice”
Screen 2: “Hello Ernie, You are voting for Alice. Please enter a fake challenge for Bob” (Ernie enters “l4st phone et spla”) Continue
Screen 3: “Hello Ernie, You are voting for Alice. Make sure the printer has output two lines (the second line will be covered). Now enter the real challenge for Alice” (Ernie enters “Sn0w 619- ziggy p3”) Continue
Screen 4: “Hello Ernie, You are voting for Alice. Please verify that the printed challenges match those you entered.” Finalize Vote
Screen 5: “Hello Ernie, Thank you for voting. Please take your receipt”

Counting the Votes
Mr. Drew announces the final tally
Mr. Drew must prove the tally correct without revealing who voted for what!
Recall: Mr. Drew is committed to everyone’s votes
(Committed ballot boxes: Ernie, Fay, Guy, Heidi; announced tally: Alice 3, Bob 1)

Counting the Votes
Mr. Drew puts k rows of new boxes on the table; each row should contain the same votes in a random order
A “random beacon” gives k challenges; everyone trusts that Mr. Drew cannot anticipate the challenges
(Example challenges for k = 3 rows: Weigh, Weigh, Open)

Counting the Votes
For each challenge, either Mr. Drew proves that the row contains a permutation of the real votes (each new box is weighed against the committed box it came from, which reveals the permutation but not the weights)...

Counting the Votes
...or Mr. Drew opens the boxes and shows they match the tally

Counting the Votes
If Mr. Drew’s tally is bad, then in every row the new boxes either don’t match the tally or are not a permutation of the committed votes
Each row therefore fails one of its two possible challenges, so Drew succeeds with probability at most $2^{-k}$

Counting the Votes
This protocol does not reveal information about specific votes:
No box is both opened and weighed
The opened boxes are in a random order

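The counting procedure of the preceding slides (k shuffled rows of fresh commitments, a beacon bit per row choosing between opening the row and proving it is a permutation of the committed votes), as an added Python example; it is not code from the slides or from MN06. It uses the same toy group P = 2039, Q = 1019, G = 4, H = 9 as the earlier examples (insecure sizes, for illustration), the beacon is passed in as a list of bits, the four ballots are constructed to match the slides' tally of Alice 3, Bob 1, and all function names are this example's own.

```python
import secrets
from collections import Counter

# Toy group, constructed for this example; insecure sizes.
P, Q, G, H = 2039, 1019, 4, 9
WEIGHT = {"Alice": 20, "Bob": 10}
OPEN, WEIGH = "open", "weigh"
# Constructed ballots matching the slides' tally (Alice 3, Bob 1).
EXAMPLE_VOTES = ["Alice", "Bob", "Alice", "Alice"]
_rng = secrets.SystemRandom()


def commit(m, r):
    return pow(G, m % Q, P) * pow(H, r % Q, P) % P


def prove_equivalence(r, s):
    return (r - s) % Q


def check_equivalence(x, y, t):
    return y * pow(H, t, P) % P == x


def commit_votes(votes):
    """The bulletin board after casting: one commitment per voter; Drew keeps the openings."""
    openings = [(WEIGHT[v], secrets.randbelow(Q)) for v in votes]
    return [commit(m, r) for m, r in openings], openings


def shuffle_rows(openings, k):
    """k rows of new boxes: the same weights in a fresh random order with fresh randomness."""
    rows = []
    for _ in range(k):
        perm = list(range(len(openings)))
        _rng.shuffle(perm)
        rows.append((perm, [(openings[p][0], secrets.randbelow(Q)) for p in perm]))
    return rows


def publish_rows(rows):
    """What goes on the table: only the commitments, never the openings."""
    return [[commit(m, r) for m, r in new] for _, new in rows]


def respond(openings, rows, beacon):
    """One answer per row, selected by a beacon bit Drew could not anticipate:
    OPEN reveals every new box; WEIGH reveals the permutation and, for each new
    box, the equivalence proof linking it to the committed box it came from."""
    answers = []
    for (perm, new), c in zip(rows, beacon):
        if c == OPEN:
            answers.append(list(new))
        else:
            answers.append((perm, [prove_equivalence(openings[p][1], s)
                                   for p, (_, s) in zip(perm, new)]))
    return answers


def verify_tally(board, published, beacon, answers, tally):
    """The auditors' check: an opened row must open correctly and add up to the
    tally; a weighed row must be a permutation of the committed votes."""
    if not len(published) == len(beacon) == len(answers):
        return False
    expected = Counter({WEIGHT[c]: n for c, n in tally.items() if n})
    for row_xs, c, ans in zip(published, beacon, answers):
        if len(row_xs) != len(board):
            return False
        if c == OPEN:
            if any(commit(m, r) != x for (m, r), x in zip(ans, row_xs)):
                return False
            if Counter(m for m, _ in ans) != expected:
                return False
        else:
            if not (isinstance(ans, tuple) and len(ans) == 2):
                return False
            perm, ts = ans
            if sorted(perm) != list(range(len(board))):
                return False
            if any(not check_equivalence(board[p], x, t) for p, x, t in zip(perm, row_xs, ts)):
                return False
    return True


def run_count(votes, tally, beacon, forge_weight=None):
    """A full count.  With forge_weight set, Drew fills every new box with that
    weight instead of re-committing the real votes (the slides' bad tally): such
    rows pass every OPEN challenge and fail every WEIGH challenge."""
    board, openings = commit_votes(votes)
    rows = shuffle_rows(openings, len(beacon))
    if forge_weight is not None:
        rows = [(perm, [(forge_weight, s) for _, s in new]) for perm, new in rows]
    published = publish_rows(rows)
    return verify_tally(board, published, beacon, respond(openings, rows, beacon), tally)


if __name__ == "__main__":
    print("honest count:", run_count(EXAMPLE_VOTES, {"Alice": 3, "Bob": 1}, [WEIGH, WEIGH, OPEN]))
    print("forged rows survive only an all-OPEN beacon:",
          run_count(EXAMPLE_VOTES, {"Alice": 4, "Bob": 0}, [OPEN, OPEN, OPEN], forge_weight=20),
          run_count(EXAMPLE_VOTES, {"Alice": 4, "Bob": 0}, [WEIGH, OPEN, OPEN], forge_weight=20))
```

Note what each answer leaks: an opened row reveals the multiset of weights in an order unrelated to the voters, a weighed row reveals which committed box each new box came from but nothing about its weight, and since no row is ever both opened and weighed the two cannot be joined. Honest rows with a lying tally fail on any OPEN row, and forged rows fail on any WEIGH row, which is where the $2^{-k}$ bound comes from.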
Distributing Mr. Drew?
Mr. Drew knows everyone’s votes, so he must be trusted to maintain privacy
Standard solution: multiple authorities; the authorities must collude to breach privacy
Everlasting privacy creates a problem: messages cannot contain any information
How can distributed authorities compute the tally?

Distributing Mr. Drew?
Idea: hybrid systems
Authorities’ communications are computationally hiding
Published information is unconditionally hiding
What about receipts?
Voters must trust a computer to secret-share their votes, or do it themselves
Still some work left to do…

Questions?