
Practical Aspects - PowerPoint Presentation

faustina-dinatale
Uploaded On 2016-05-06



Presentation Transcript

Slide1

Practical Aspects of Modern Cryptography

Josh Benaloh

Brian LaMacchia

Winter 2011

Slide2

Some Tools We’ve Developed

Homomorphic Encryption

Secret Sharing

Verifiable Secret Sharing

Threshold Encryption

Interactive Proofs

March 3, 2011

Practical Aspects of Modern Cryptography

2

Slide3

Secret Sharing Homomorphisms

Many secret sharing methods have an additional useful feature: If two secrets are separately shared amongst the same set of people in the same way, then the sums of the individual shares constitute shares of the sum of the secrets.

Slide4

Secret Sharing Homomorphisms

OR

Secret: – Shares: , , …,

Secret: – Shares: , , …,

Secret sum:

Share sums: , , …,

Slide5

Secret Sharing Homomorphisms

AND

Secret: – Shares: , , …,

Secret: – Shares: , , …,

Secret sum:

Share sums: , , …,

Slide6

Secret Sharing Homomorphisms

THRESHOLD

Secret: – Shares: , , …,

Secret: – Shares: , , …,

Secret sum:

Share sums: , , …,

Slide7

Threshold Encryption

I want to encrypt a secret message for a set of

recipients such that

any

of the

recipients can uniquely decrypt the secret message

,

but any set of fewer than

recipients has

no information whatsoever

about the secret message

.

 

Slide8

Recall Diffie-Hellman

Alice

Randomly select a large integer

and send

.

Compute the key

.

 

Bob

Randomly select a large integer

and send

.

Compute the key

.

 

 

Slide9

ElGamal Encryption

Alice selects a large random private key and computes an associated public key

.

To send a message

to Alice, Bob selects a random value

and computes the pair

.

To decrypt, Alice

computes

.

 

Slide13

ElGamal Re-Encryption

If

is a public key and the pair

is an encryption of message

, then for any value

, the pair

is an encryption of the same message

, for any value

.

 

Slide14

Group ElGamal Encryption

Each recipient selects a large random private key and computes an associated public key

.

The group key is

.

To send a message

to the group, Bob selects a random value

and computes the pair

.

To decrypt, each group member computes

. The message

.

 

Slide19

Threshold Encryption (ElGamal)

Each recipient selects large random secret coefficients

,

, …,

,

and

forms the

polynomial

Each

polynomial

is then verifiably shared with the other recipients by distributing each

.

The joint (threshold) public key is

.

Any set of

recipients can form the secret key

to decrypt.

 

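An added example (not code from the slides or their authors) of the threshold ElGamal setup described above: each recipient deals a polynomial, the joint public key is the product of the published constant-term values, and any k recipients interpolate the key to decrypt. The toy group `P, Q, G`, the function names, and the Feldman-style commitment check used for the "verifiably shared" step are assumptions made here.

```python
import secrets
from itertools import combinations

# Toy group constructed for this example (far too small for real use):
# P = 2Q + 1 is a safe prime and G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4


def make_polynomial(k):
    """k random coefficients mod Q, i.e. a secret polynomial of degree k - 1."""
    return [secrets.randbelow(Q) for _ in range(k)]


def evaluate(coeffs, x):
    """Evaluate the polynomial at x (Horner's rule, mod Q)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def commitments(coeffs):
    """Publish G^a for every coefficient a (Feldman-style check, an assumption)."""
    return [pow(G, a, P) for a in coeffs]


def share_is_valid(share, j, commits):
    """Recipient j checks G^share == prod(commits[l] ^ (j^l)) using public data only."""
    expected = 1
    for l, c in enumerate(commits):
        expected = expected * pow(c, pow(j, l, Q), P) % P
    return pow(G, share, P) == expected


def distributed_keygen(n, k):
    """Each of n recipients deals a polynomial; returns (joint public key, key shares)."""
    polys = [make_polynomial(k) for _ in range(n)]
    public = [commitments(p) for p in polys]
    key_shares = {}
    for j in range(1, n + 1):
        received = [evaluate(p, j) for p in polys]
        if not all(share_is_valid(s, j, c) for s, c in zip(received, public)):
            raise ValueError(f"recipient {j} received a bad share")
        # Share homomorphism: the sum of the shares is a share of the summed secret.
        key_shares[j] = sum(received) % Q
    joint_pk = 1
    for c in public:
        joint_pk = joint_pk * c[0] % P  # product of each dealer's G^(constant term)
    return joint_pk, key_shares


def encrypt(pk, m):
    """Plain ElGamal: (G^r, m * pk^r)."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), m * pow(pk, r, P) % P


def reconstruct_key(shares):
    """Lagrange interpolation at x = 0 from k (index -> share) pairs, mod Q."""
    secret = 0
    for j, s_j in shares.items():
        num = den = 1
        for m in shares:
            if m != j:
                num = num * (-m) % Q
                den = den * (j - m) % Q
        secret = (secret + s_j * num * pow(den, -1, Q)) % Q
    return secret


def decrypt(sk, ct):
    a, b = ct
    return b * pow(a, -sk, P) % P


def demo(n=5, k=3, message=1234):
    """Every k-subset of the n recipients must recover the same plaintext."""
    pk, key_shares = distributed_keygen(n, k)
    ct = encrypt(pk, message)
    recovered = set()
    for subset in combinations(sorted(key_shares), k):
        sk = reconstruct_key({j: key_shares[j] for j in subset})
        recovered.add(decrypt(sk, ct))
    return recovered


if __name__ == "__main__":
    print(demo())
```

No single recipient ever holds the joint secret during setup; it exists only as the value the summed polynomial takes at zero.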

Slide24

An Application

Verifiable Elections

Slide25

Verifiable Election Technologies

As a voter, you can check that

your vote is correctly recorded

all recorded votes are correctly counted

… even in the presence of malicious software, hardware, and election officials.

Slide33

Traditional Voting Methods

Hand-Counted Paper

Punch Cards

Lever Machines

Optical Scan Ballots

Electronic Voting Machines

Touch-Screen Terminals

Various Hybrids

Slide41

Vulnerabilities and Trust

All of these systems have substantial vulnerabilities.

All of these systems require trust in the honesty and expertise of election officials (and usually the equipment vendors as well).

Can we do better?

Slide42

The Voter’s Perspective

As a voter, you don’t really know what happens behind the curtain.

You have no choice but to trust the people working behind the curtain.

You don’t even get to choose the people who you will have to trust.

Slide56

Fully-Verifiable Election Technologies (End-to-End Verifiable)

Allows voters to track their individual (sealed) votes and ensure that they are properly counted …

… even in the presence of faulty or malicious election equipment …

… and/or careless or dishonest election personnel.

Slide60

Voters can check …

… that their (sealed) votes have been properly recorded

… and that all recorded votes have been properly counted

This is not just checking a claim that the right steps have been taken …

This is actually a check that the counting is correct.

Slide65

Where is My Vote?

Slide67

End-to-End Verifiability

As a voter, I can be sure that

My vote is

Cast as intended

Counted as cast

All votes are counted as cast

… without having to trust anyone or anything.

Slide74

One Thing Missing …

… that pesky little secret-ballot requirement.

Elections would be sooooooo… much easier without it.

Slide77

Full Voter-Verifiability is Possible

Even though this “toy” public election is not secret-ballot, it’s enough to show that voter-verifiability is possible … and also to falsify arguments that electronic elections are inherently untrustworthy.

Slide80

Privacy

The only ingredient missing from this transparent election is privacy – and the things which flow from privacy (e.g. protection from coercion).

Performing tasks while preserving privacy is the bailiwick of cryptography.

Cryptographic techniques can enable end-to-end verifiable elections while preserving voter privacy.

Slide84

Where is My Vote?

No – 2

Yes – 1

Mathematical Proof

Slide90

The Voter’s Perspective

Verifiable election systems can be built to look exactly like current systems …

… with one addition …

Slide93

A Verifiable Receipt

Precinct 37 – Machine 4

Nov. 6, 2012 1:39PM

Vote receipt tag:

7A34ZR9K4BX

***VOTE CONFIRMED***

Slide96

The Voter’s Perspective

Voters can …

Use receipts to check their results are properly recorded on a public web site.

Throw their receipts in the trash.

Slide100

The Voter’s Perspective

Voters can …

Write their own applications to verify the mathematical proof of the tally.

Download verification apps from sources of their choice.

Believe verifications done by their political parties, LWV, ACLU, etc.

Accept the results without question.

Slide105

So How Does It Work?

Slide106

Secure MPC is not Enough

Secure Multi-Party Computation allows any public function to be computed on any number of private inputs without compromising the privacy of the inputs.

But secure MPC does not prevent parties from revealing their private inputs if they so choose.

Slide109

End-to-End Verifiable Elections

Two principal phases …

Voters publish their names and encrypted votes.

At the end of the election, administrators compute and publish the tally together with a cryptographic proof that the tally “matches” the set of encrypted votes.

Slide112

End-to-End Verifiable Elections

Two questions must be answered …

How do voters turn their preferences into encrypted votes?

How are voters convinced that the published set of encrypted votes corresponds to the announced tally?

Slide115

Is it Really This Easy?

Yes …

… but there are lots of details to get right.

Slide118

Fundamental Tallying Decision

There are essentially two paradigms to choose from …

Anonymized Ballots (Mix Networks)

Ballotless Tallying (Homomorphic Encryption)

Slide124

Anonymized Ballots

Slide125

Ballotless Tallying

Slide126

Homomorphic Tallying

Slide127

Homomorphic Encryption

Some Homomorphic Functions

RSA:

ElGamal:

GM:

Benaloh:

Paillier:

Slide128

Homomorphic Elections

Voter   Vote
Alice   0
Bob     0
Carol   1
David   0
Eve     1
Sum   = 2

Slide136

Multiple Authorities

Voter   Vote
Alice   0
Bob     0
Carol   1
David   0
Eve     1

Slide137

Homomorphic Encryption

The product of the encryptions of the votes constitutes an encryption of the sum of the votes.

Slide138

Multiple Authorities

Voter   Vote       X1    X2    X3
Alice   0     =    3     -5    2
Bob     0     =    -4    5     -1
Carol   1     =    2     -3    2
David   0     =    -2    -1    3
Eve     1     =    4     -1    -2
Sum     2     =    3     -5    4

Slide144

Multiple Authorities

The sums of the shares of the votes constitute shares of the sum of the votes.

Slide152

Double Commutativity

The product of the encryptions of the shares of the votes constitutes an encryption of a share of the sum of the votes.
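An added example (not from the slides) that runs the Multiple Authorities share table end to end and so exercises both the secret sharing homomorphism from the earlier slides and the statement above: each voter encrypts one additive share per trustee, anyone multiplies the ciphertexts column by column, and each trustee decrypts only its own column sum. It uses exponential ElGamal so that ciphertext products add the shares; the toy group, key handling and function names are assumptions, and the cryptographic proofs that accompany a real tally are left out.

```python
import secrets

# Toy group constructed for this example (far too small for real use):
# P = 2Q + 1 is a safe prime and G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

# Share table from the "Multiple Authorities" slides: vote = X1 + X2 + X3.
SHARES = {
    "Alice": (3, -5, 2),
    "Bob": (-4, 5, -1),
    "Carol": (2, -3, 2),
    "David": (-2, -1, 3),
    "Eve": (4, -1, -2),
}


def keygen():
    """One trustee's ElGamal key pair (private x, public G^x)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt_exp(y, value):
    """Exponential ElGamal: encrypt G^value so ciphertext products add the values."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, value % Q, P) * pow(y, r, P) % P


def multiply(c1, c2):
    """Component-wise product of two ciphertexts under the same key."""
    return c1[0] * c2[0] % P, c1[1] * c2[1] % P


def decrypt_exp(x, ct):
    """Strip the mask, then recover the exponent by search (tallies are small)."""
    a, b = ct
    target = b * pow(a, -x, P) % P
    acc = 1
    for v in range(Q):
        if acc == target:
            return v if v <= Q // 2 else v - Q  # signed representative mod Q
        acc = acc * G % P
    raise ValueError("plaintext is not in the subgroup")


def run_election():
    """Returns (per-trustee column sums, tally) computed from ciphertexts only."""
    trustees = [keygen() for _ in range(3)]
    # Public bulletin board: every voter posts one ciphertext per trustee.
    board = {
        name: [encrypt_exp(trustees[t][1], s) for t, s in enumerate(shares)]
        for name, shares in SHARES.items()
    }
    column_sums = []
    for t, (x, _) in enumerate(trustees):
        product = (1, 1)  # encryption of 0 with randomness 0
        for ciphertexts in board.values():
            product = multiply(product, ciphertexts[t])
        # Trustee t decrypts only the product, never an individual share.
        column_sums.append(decrypt_exp(x, product))
    tally = sum(column_sums) % Q
    return column_sums, tally


if __name__ == "__main__":
    print(run_election())
```

An individual vote stays hidden unless all three trustees pool what they hold, because each sees only its own column.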

Slide153

Robust Sharing

Note that votes can be “shared” with a polynomial threshold scheme instead of a simple sum.

This provides robustness in case one or more trustees fails to properly decrypt their shares.

Slide156

Mix-Based Elections

Slide157

The Mix-Net Paradigm

[Figure: one MIX, four items labelled "Vote"]

Slide163

Multiple Mixes

[Figure: two MIX stages, four items labelled "Vote"]

Slide176

Decryption Mix-net

Each object is encrypted with a pre-determined set of encryption layers.

Each mix, in pre-determined order, performs a decryption to remove its associated layer.

Slide179

Re-encryption Mix-net

The decryption and shuffling functions are decoupled.

Mixes can be added or removed dynamically with robustness.

Proofs of correct mixing can be published and independently verified.

Slide183

More Homomorphic Encryption

We can construct a public-key encryption function

such that if

is

an

encryption of

and

is

an

encryption of

then

is an encryption of

.

 

Slide184

Re-encryption (additive)

is

an

encryption of

and

is

an

encryption of

then

is

another encryption of . 

Slide185

Re-encryption (multiplicative)

is

an

encryption of

and

is

an

encryption of

then

is

another encryption of . 

Slide186

A Re-encryption Mix

[Diagram: a single MIX]

Slide192

Re-encryption Mix-nets

[Diagram: two MIX stages and four Vote items]

Slide203

Verifiability

Each re-encryption mix provides a mathematical proof that its output is a permutation of re-encryptions of its input.

Any observer can verify this proof.

The decryptions are also proven to be correct.

If a mix’s proof is invalid, its mixing will be bypassed.

Slide208

Recent Mix Work

1993 Park, Itoh, and Kurosawa
1995 Sako and Kilian
2001 Furukawa and Sako
2001 Neff
2002 Jakobsson, Juels, and Rivest
2003 Groth

Slide209

Re-encryption Mix Operation

[Diagram: Input Ballot Set, MIX (Re-encryptions), Output Ballot Set]

Slide213

Re-encryption

Each value is re-encrypted homomorphically.

This can be done without knowing the decryptions.

Slide216

Verifying a Re-encryption

A prover could simply reveal the specifics of the “blinding factors” used for re-encryption, but this would also reveal the permutation.

Instead, an interactive proof can be performed to demonstrate the equivalence of the input and output ballot sets.

The Fiat-Shamir heuristic can be used to “publish” the proof.
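The re-encryption, shuffling and published proof described on the preceding slides can be sketched as follows. This is an added example, not code from the lecture: it assumes ElGamal as the homomorphic scheme, a cut-and-choose proof over intermediate ballot sets as the interactive proof, and a toy group; all function names and parameters are illustrative.

```python
import hashlib, secrets

# Assumptions of this example: ElGamal in a toy group P = 2Q + 1 (constructed, far too
# small for real use), G of order Q, and a cut-and-choose proof of correct mixing.
P, Q, G = 2039, 1019, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1            # blinding factor in 1 .. Q-1

def encrypt(h, m, r):
    return (pow(G, r, P), m * pow(h, r, P) % P)

def decrypt(x, c):
    return c[1] * pow(c[0], Q - x, P) % P          # c[0]^(-x): c[0] has order Q

def reencrypt(h, c, r):                            # multiply by an encryption of 1:
    return (c[0] * pow(G, r, P) % P, c[1] * pow(h, r, P) % P)   # public key only

def shuffle(h, cts):                               # out[i] = reencrypt(cts[perm[i]], rs[i])
    perm = list(range(len(cts)))
    secrets.SystemRandom().shuffle(perm)
    rs = [rand_exp() for _ in cts]
    return [reencrypt(h, cts[j], r) for j, r in zip(perm, rs)], perm, rs

def challenge_bits(inp, out, mids):                # Fiat-Shamir: hash the commitments
    d = hashlib.sha256(repr((inp, out, mids)).encode()).digest()
    return [(d[t // 8] >> (t % 8)) & 1 for t in range(len(mids))]

def prove(h, inp, out, perm, rs, rounds=32):
    hidden = [shuffle(h, inp) for _ in range(rounds)]   # intermediate ballot sets
    mids = [m for m, _, _ in hidden]
    answers = []
    for b, (_, pt, rt) in zip(challenge_bits(inp, out, mids), hidden):
        if b == 0:                                 # open input -> intermediate
            answers.append((pt, rt))
        else:                                      # open intermediate -> output
            sigma = [pt.index(j) for j in perm]
            answers.append((sigma, [(r - rt[s]) % Q for r, s in zip(rs, sigma)]))
    return mids, answers

def verify(h, inp, out, proof, rounds=32):
    mids, answers = proof
    n, bits = len(inp), challenge_bits(inp, out, mids)
    def round_ok(b, mid, pm, fs):
        src, dst = (inp, mid) if b == 0 else (mid, out)
        return (len(mid) == len(fs) == n and sorted(pm) == list(range(n)) and
                all(reencrypt(h, src[j], f) == d for j, f, d in zip(pm, fs, dst)))
    return (len(mids) == len(answers) == rounds and len(out) == n and
            all(round_ok(b, m, *a) for b, m, a in zip(bits, mids, answers)))

def demo(votes=(1, 2, 2, 3), x=777):               # constructed ballots and toy private key
    h = pow(G, x, P)
    inp = [encrypt(h, pow(G, v, P), rand_exp()) for v in votes]
    out, perm, rs = shuffle(h, inp)
    return h, inp, out, prove(h, inp, out, perm, rs)
```

Each round opens only one half of the path from input to output, so the verifier never learns the mix's permutation. The 32 rounds keep the example fast; because the Fiat-Shamir challenges can be recomputed offline by a dishonest mix, a real deployment needs many more rounds and a full-size group.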

Slide220

The Encryption

Anyone with the decryption key can read all of the votes – even before mixing.

A threshold encryption scheme is used to distribute the decryption capabilities.

Slide223

Most Verifiable Election Protocols

Step 1

Encrypt your vote and …

How?

Slide227

How do Humans Encrypt?

If voters encrypt their votes with devices of their own choosing, they are subject to coercion and compromise.

If voters encrypt their votes on “official” devices, how can they trust that their intentions have been properly captured?

Slide230

The Human Encryptor

We need to find ways to engage humans in an interactive proof process to ensure that their intentions are accurately reflected in encrypted ballots cast on their behalf.

Slide231

MarkPledge Ballot

Alice   367  248  792  141  390  863  427  015
Bob     629  523  916  504  129  077  476  947
Carol   285  668  049  732  859  308  156  422
David   863  863  863  863  863  863  863  863
Eve     264  717  740  317  832  399  441  946

Device commitment to voter: “Your candidate’s number is 863.”

Voter challenge: “Decrypt column number 5.”

Slide237

Prêt à Voter Ballot

[Ballot figure, three views: (1) candidate list Bob, Eve, Carol, Alice, David with code 17320508; (2) the same ballot with an X marked; (3) only the X and the code 17320508.]

Slide240

PunchScan Ballot

[Ballot figures for ballot #001: the key reads “Y – Alice, X – Bob” in the first two views and “X – Alice, Y – Bob” in the later ones, alongside the letters X and Y; in the last view #001 appears twice, once with Y and once with X.]

Slide245

Scantegrity

Slide246

Three-Ballot

Slide247

Voter-Initiated Auditing

Voter can use “any” device to make selections (touch-screen DRE, OpScan, etc.)

After selections are made, voter receives an encrypted receipt of the ballot.

Encrypted Vote: 734922031382

Voter choice: Cast or Challenge

Cast: 734922031382

Challenge: 734922031382

Vote for Alice

Random # is 28637582738
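The cast-or-challenge step above, as an added sketch that is not code from the lecture or from any voting system: it assumes ElGamal encryption in a toy group, a truncated hash of the ciphertext as the receipt code, and hypothetical names (Device, audit, vote).

```python
import hashlib, secrets

# Toy ElGamal parameters and election key, constructed for this example
# (far too small for real use). H is the public key for private key 777.
P, Q, G = 2039, 1019, 4
H = pow(G, 777, P)
CANDIDATES = ["Alice", "Bob", "Carol", "David", "Eve"]

def encrypt(candidate, r):
    m = pow(G, CANDIDATES.index(candidate) + 1, P)    # encode choice in the subgroup
    return (pow(G, r, P), m * pow(H, r, P) % P)

def receipt_code(ct):
    # Short code handed to the voter; it commits the device to this ciphertext.
    return hashlib.sha256(repr(ct).encode()).hexdigest()[:12]

class Device:
    """Voting device. flip_to models a compromised device that encrypts another choice."""
    def __init__(self, flip_to=None):
        self.flip_to = flip_to

    def prepare(self, choice):
        self.choice, self.r = choice, secrets.randbelow(Q - 1) + 1
        self.ct = encrypt(self.flip_to or choice, self.r)
        return receipt_code(self.ct)                  # issued before cast/challenge is known

    def cast(self):
        return self.ct                                # posted for tallying; r is never revealed

    def challenge(self):
        return self.choice, self.r, self.ct           # opening: claimed vote and random number

def audit(receipt, opening, intended):
    """Run by the voter or any helper they trust on a challenged (spoiled) ballot."""
    claimed, r, ct = opening
    return (receipt_code(ct) == receipt               # the ballot the device committed to
            and encrypt(claimed, r) == ct             # it really encrypts the claimed vote
            and claimed == intended)                  # and the claim is what the voter chose

def vote(device, choice, challenges=2):
    """Challenge some ballots, then cast a fresh one. Returns (receipt, ciphertext) or None."""
    for _ in range(challenges):
        receipt = device.prepare(choice)
        if not audit(receipt, device.challenge(), choice):
            return None                               # device caught; do not cast on it
    receipt = device.prepare(choice)
    return receipt, device.cast()
```

A challenged ballot is discarded after the audit, so revealing its random number never exposes a cast vote. The device must issue the receipt before it learns whether the ballot will be cast or challenged, which is what makes cheating on any ballot risky.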

Slide257

Ballot Casting Assurance

The voter front ends shown here differ in both their human factors qualities and the level of assurance that they offer.

All are feasible and provide greater integrity than current methods.

Slide258

True Verifiability

The end-to-end verifiable election technologies described here allow individuals to choose who to trust.

Individuals are not forced to trust officials with special status. They can depend on verifications from entities of their choice.

Sufficiently paranoid individuals can check everything for themselves.

Slide259

Real-World Deployments

Helios (www.heliosvoting.org) – Ben Adida and others
Remote electronic voting system using voter-initiated auditing and homomorphic backend.
Used to elect president of UC Louvain, Belgium.
Used in Princeton University student government.
Used to elect IACR Board of Directors.

Scantegrity II (www.scantegrity.org) – David Chaum, Ron Rivest, many others.
Optical scan system with codes revealed by invisible ink markers and “plugboard-mixnet” backend.
Used for municipal elections in Takoma Park, MD.

Slide262

End-to-End Verifiability

… is a fundamentally different paradigm,

… is not just a security enhancement,

… democratizes the electoral process,

… but it is not a panacea.

Slide267

End-to-End System Properties

Accuracy/Integrity – enormously improved

Privacy/Coercion – not substantially changed

Reliability/Survivability – not substantially changed

Usability/Comprehensibility – not substantially changed

Slide276

Is There any Deployment Hope?

The U.S. Election Assistance Commission is considering new guidelines.

These guidelines explicitly include an “innovation class” which could be satisfied by truly verifiable election systems.

Election supervisors must choose to take this opportunity to change the paradigm.

However, a bill was recently introduced in Congress that explicitly precludes use of crypto.