of Modern Cryptography Josh Benaloh Brian LaMacchia Winter 2011 Some Tools Weve Developed Homomorphic Encryption Secret Sharing Verifiable Secret Sharing Threshold Encryption ID: 308023
Download Presentation The PPT/PDF document "Practical Aspects" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Practical Aspects of Modern Cryptography
Josh BenalohBrian LaMacchia
Winter 2011Slide2
Some Tools We’ve DevelopedHomomorphic Encryption
Secret SharingVerifiable Secret SharingThreshold EncryptionInteractive Proofs
March 3, 2011
Practical Aspects of Modern Cryptography
2Slide3
Secret Sharing Homomorphisms
Many secret sharing methods have an additional useful feature:If two secrets are separately shared amongst the same set of people in the same way, then the sum of the individual shares constitute shares of the sum of the secrets.
March 3, 2011
Practical Aspects of Modern Cryptography
3Slide4
Secret Sharing Homomorphisms
ORSecret: – Shares:
,
, …,
Secret:
– Shares:
,
, …,
Secret sum:
Share sums:
,
, …,
March 3, 2011
Practical Aspects of Modern Cryptography
4Slide5
Secret Sharing Homomorphisms
ANDSecret:
– Shares:
,
, …,
Secret:
– Shares:
,
, …,
Secret sum:
Share sums:
,
, …,
March 3, 2011
Practical Aspects of Modern Cryptography
5Slide6
Secret Sharing Homomorphisms
THRESHOLDSecret:
– Shares:
,
, …,
Secret:
– Shares:
,
, …,
Secret sum:
Share sums:
,
,
…,
March 3, 2011
Practical Aspects of Modern Cryptography
6Slide7
Threshold Encryption
I want to encrypt a secret message for a set of
recipients such that
any
of the
recipients can uniquely decrypt the secret message
,
but any set of fewer than
recipients has
no information whatsoever
about the secret message
.
March 3, 2011
Practical Aspects of Modern Cryptography7Slide8
Recall Diffie-HellmanMarch 3, 2011
Practical Aspects of Modern Cryptography
Alice
Randomly select a large integer
and send
.
Compute the key
.
Bob
Randomly select a large integer
and send
.
Compute the key
.
8Slide9
ElGamal Encryption
March 3, 2011
Practical Aspects of Modern Cryptography
9Slide10
ElGamal Encryption
Alice selects a large random private key and computes an associated public key
.
March 3, 2011
Practical Aspects of Modern Cryptography
10Slide11
ElGamal Encryption
Alice selects a large random private key and computes an associated public key
.
To send a message
to Alice, Bob selects a random value
and computes the pair
.
March 3, 2011
Practical Aspects of Modern Cryptography
11Slide12
ElGamal Encryption
Alice selects a large random private key and computes an associated public key
.
To send a message
to Alice, Bob selects a random value
and computes the pair
.
To decrypt, Alice
computes
.
March 3, 2011
Practical Aspects of Modern Cryptography
12Slide13
ElGamal Re-Encryption
If
is a public key and the pair
is an encryption of message
, then for any value
, the pair
is an encryption of the same message
, for any value
.
March 3, 2011
Practical Aspects of Modern Cryptography
13Slide14
Group ElGamal Encryption
March 3, 2011
Practical Aspects of Modern Cryptography
14Slide15
Group ElGamal Encryption
Each recipient selects a large random private key and computes an associated public key
.
March 3, 2011
Practical Aspects of Modern Cryptography
15Slide16
Group ElGamal Encryption
Each recipient selects a large random private key and computes an associated public key
.
The group key is
.
March 3, 2011
Practical Aspects of Modern Cryptography
16Slide17
Group ElGamal Encryption
Each recipient selects a large random private key and computes an associated public key
.
The group key is
.
To send a message
to the group, Bob selects a random value
and computes the pair
.
March 3, 2011
Practical Aspects of Modern Cryptography
17Slide18
Group ElGamal Encryption
Each recipient selects a large random private key and computes an associated public key
.
The group key is
.
To send a message
to the group, Bob selects a random value
and computes the pair
.
To decrypt, each group member computes
. The message
.
March 3, 2011
Practical Aspects of Modern Cryptography
18Slide19
Threshold Encryption (ElGamal)
March 3, 2011Practical Aspects of Modern Cryptography
19Slide20
Threshold Encryption (ElGamal)
Each recipient selects large random secret coefficients
,
, …,
,
and
forms the
polynomial
March 3, 2011
Practical Aspects of Modern Cryptography
20Slide21
Threshold Encryption (ElGamal)
Each recipient selects large random secret coefficients
,
, …,
,
and
forms the
polynomial
Each
polynomial
is then verifiably shared with the other recipients by distributing each
.
March 3, 2011
Practical Aspects of Modern Cryptography
21Slide22
Threshold Encryption (ElGamal)
Each recipient selects large random secret coefficients
,
, …,
,
and
forms the
polynomial
Each
polynomial
is then verifiably shared with the other recipients by distributing each
.
The joint (threshold) public key is
.
March 3, 2011
Practical Aspects of Modern Cryptography
22Slide23
Threshold Encryption (ElGamal)
Each recipient selects large random secret coefficients
,
, …,
,
and
forms the
polynomial
Each
polynomial
is then verifiably shared with the other recipients by distributing each
.
The joint (threshold) public key is
.
Any set of
recipients can form the secret key
to decrypt.
March 3, 2011
Practical Aspects of Modern Cryptography
23Slide24
An Application
Verifiable ElectionsMarch 3, 2011
Practical Aspects of Modern Cryptography
24Slide25
Verifiable Election Technologies
As a voter, you can check thatyour vote is correctly recordedall recorded votes are correctly counted…even in the presence of malicious software, hardware, and election officials.
March 3, 2011
Practical Aspects of Modern Cryptography
25Slide26
March 3, 2011
Practical Aspects of Modern Cryptography
26Slide27
March 3, 2011
Practical Aspects of Modern Cryptography
27Slide28
March 3, 2011
Practical Aspects of Modern Cryptography
28Slide29
March 3, 2011
Practical Aspects of Modern Cryptography
29Slide30
March 3, 2011
Practical Aspects of Modern Cryptography
30Slide31
March 3, 2011
Practical Aspects of Modern Cryptography
31Slide32
March 3, 2011
Practical Aspects of Modern Cryptography
32Slide33
Traditional Voting Methods
March 3, 2011Practical Aspects of Modern Cryptography
33Slide34
Traditional Voting Methods
Hand-Counted Paper
March 3, 2011
Practical Aspects of Modern Cryptography
34Slide35
Traditional Voting MethodsHand-Counted Paper
Punch Cards
March 3, 2011
Practical Aspects of Modern Cryptography
35Slide36
Traditional Voting MethodsHand-Counted Paper
Punch CardsLever Machines
March 3, 2011
Practical Aspects of Modern Cryptography
36Slide37
Traditional Voting MethodsHand-Counted Paper
Punch CardsLever MachinesOptical Scan Ballots
March 3, 2011
Practical Aspects of Modern Cryptography
37Slide38
Traditional Voting MethodsHand-Counted Paper
Punch CardsLever MachinesOptical Scan BallotsElectronic Voting Machines
March 3, 2011
Practical Aspects of Modern Cryptography
38Slide39
Traditional Voting MethodsHand-Counted Paper
Punch CardsLever MachinesOptical Scan BallotsElectronic Voting MachinesTouch-Screen Terminals
March 3, 2011
Practical Aspects of Modern Cryptography
39Slide40
Traditional Voting MethodsHand-Counted Paper
Punch CardsLever MachinesOptical Scan BallotsElectronic Voting MachinesTouch-Screen TerminalsVarious Hybrids
March 3, 2011
Practical Aspects of Modern Cryptography
40Slide41
Vulnerabilities and Trust
All of these systems have substantial vulnerabilities.All of these systems require trust in the honesty and expertise of election officials (and usually the equipment vendors as well).Can we do better?
March 3, 2011
Practical Aspects of Modern Cryptography
41Slide42
The Voter’s Perspective
March 3, 2011Practical Aspects of Modern Cryptography
42Slide43
The Voter’s Perspective
March 3, 2011
Practical Aspects of Modern Cryptography
43Slide44
The Voter’s Perspective
March 3, 2011
Practical Aspects of Modern Cryptography
44Slide45
The Voter’s Perspective
March 3, 2011
Practical Aspects of Modern Cryptography
45Slide46
The Voter’s Perspective
March 3, 2011
Practical Aspects of Modern Cryptography
46Slide47
The Voter’s Perspective
March 3, 2011
Practical Aspects of Modern Cryptography
47Slide48
The Voter’s Perspective
March 3, 2011
Practical Aspects of Modern Cryptography
48Slide49
The Voter’s Perspective
March 3, 2011
Practical Aspects of Modern Cryptography
49Slide50
The Voter’s Perspective
March 3, 2011
Practical Aspects of Modern Cryptography
50Slide51
The Voter’s Perspective
March 3, 2011
Practical Aspects of Modern Cryptography
51Slide52
The Voter’s PerspectiveMarch 3, 2011
Practical Aspects of Modern Cryptography
52Slide53
The Voter’s PerspectiveAs a voter, you don’t really know what happens behind the curtain.
March 3, 2011
Practical Aspects of Modern Cryptography
53Slide54
The Voter’s PerspectiveAs a voter, you don’t really know what happens behind the curtain.
You have no choice but to trust the people working behind the curtain.March 3, 2011
Practical Aspects of Modern Cryptography
54Slide55
The Voter’s PerspectiveAs a voter, you don’t really know what happens behind the curtain.
You have no choice but to trust the people working behind the curtain.You don’t even get to choose the people who you will have to trust.
March 3, 2011
Practical Aspects of Modern Cryptography
55Slide56
Fully-Verifiable Election Technologies(End-to-End Verifiable)
March 3, 2011Practical Aspects of Modern Cryptography
56Slide57
Fully-Verifiable Election Technologies(End-to-End Verifiable)
Allows voters to track their individual (sealed) votes and ensure that they are properly counted…
March 3, 2011
Practical Aspects of Modern Cryptography
57Slide58
Fully-Verifiable Election Technologies(End-to-End Verifiable)
Allows voters to track their individual (sealed) votes and ensure that they are properly counted…… even in the presence of faulty or malicious election equipment …
March 3, 2011
Practical Aspects of Modern Cryptography
58Slide59
Fully-Verifiable Election Technologies(End-to-End Verifiable)
Allows voters to track their individual (sealed) votes and ensure that they are properly counted…… even in the presence of faulty or malicious election equipment …
… and/or careless or dishonest election personnel.
March 3, 2011
Practical Aspects of Modern Cryptography
59Slide60
Voters can check …
March 3, 2011Practical Aspects of Modern Cryptography
60Slide61
Voters can check …
… that their (sealed) votes have been properly recordedMarch 3, 2011
Practical Aspects of Modern Cryptography
61Slide62
Voters can check …
… that their (sealed) votes have been properly recorded… and that all recorded votes have been properly countedMarch 3, 2011
Practical Aspects of Modern Cryptography
62Slide63
Voters can check …
… that their (sealed) votes have been properly recorded… and that all recorded votes have been properly countedThis is not just checking a claim that the right steps have been taken …
March 3, 2011
Practical Aspects of Modern Cryptography
63Slide64
Voters can check …
… that their (sealed) votes have been properly recorded… and that all recorded votes have been properly countedThis is not just checking a claim that the right steps have been taken …
This is actually a check that the counting is correct.
March 3, 2011
Practical Aspects of Modern Cryptography
64Slide65
Where is My Vote?
March 3, 2011Practical Aspects of Modern Cryptography
65Slide66
Where is My Vote?
March 3, 2011
Practical Aspects of Modern Cryptography
66Slide67
End-to-End Verifiability
March 3, 2011Practical Aspects of Modern Cryptography
67Slide68
End-to-End Verifiability
As a voter, I can be sure thatMarch 3, 2011
Practical Aspects of Modern Cryptography
68Slide69
End-to-End Verifiability
As a voter, I can be sure that My vote isMarch 3, 2011
Practical Aspects of Modern Cryptography
69Slide70
End-to-End Verifiability
As a voter, I can be sure that My vote isCast as intendedMarch 3, 2011
Practical Aspects of Modern Cryptography
70Slide71
End-to-End Verifiability
As a voter, I can be sure that My vote isCast as intendedCounted as cast
March 3, 2011
Practical Aspects of Modern Cryptography
71Slide72
End-to-End Verifiability
As a voter, I can be sure that My vote isCast as intendedCounted as castAll votes are counted as cast
March 3, 2011
Practical Aspects of Modern Cryptography
72Slide73
End-to-End Verifiability
As a voter, I can be sure that My vote isCast as intendedCounted as castAll votes are counted as cast… without having to trust anyone
or
anything.
March 3, 2011
Practical Aspects of Modern Cryptography
73Slide74
One Thing Missing …
March 3, 2011
Practical Aspects of Modern Cryptography
74Slide75
One Thing Missing …
… that pesky little secret-ballot requirement.
March 3, 2011
Practical Aspects of Modern Cryptography
75Slide76
One Thing Missing …
… that pesky little secret-ballot requirement.Elections would be sooooooo… much easier without it.
March 3, 2011
Practical Aspects of Modern Cryptography
76Slide77
Full Voter-Verifiability is Possible
March 3, 2011Practical Aspects of Modern Cryptography
77Slide78
Full Voter-Verifiability is Possible
Even though this “toy” public election is not secret-ballot, it’s enough to show that voter-verifiability is possibleMarch 3, 2011
Practical Aspects of Modern Cryptography
78Slide79
Full Voter-Verifiability is Possible
Even though this “toy” public election is not secret-ballot, it’s enough to show that voter-verifiability is possible … and also to falsify arguments that electronic elections are inherently untrustworthy.
March 3, 2011
Practical Aspects of Modern Cryptography
79Slide80
Privacy
March 3, 2011Practical Aspects of Modern Cryptography
80Slide81
Privacy
The only ingredient missing from this transparent election is privacy – and the things which flow from privacy (e.g. protection from coercion).March 3, 2011
Practical Aspects of Modern Cryptography
81Slide82
Privacy
The only ingredient missing from this transparent election is privacy – and the things which flow from privacy (e.g. protection from coercion).Performing tasks while preserving privacy is the bailiwick of cryptography.
March 3, 2011
Practical Aspects of Modern Cryptography
82Slide83
Privacy
The only ingredient missing from this transparent election is privacy – and the things which flow from privacy (e.g. protection from coercion).Performing tasks while preserving privacy is the bailiwick of cryptography.Cryptographic techniques can enable end-to-end verifiable elections while preserving voter privacy.
March 3, 2011
Practical Aspects of Modern Cryptography
83Slide84
Where is My Vote?
March 3, 2011
Practical Aspects of Modern Cryptography
84Slide85
Where is
My
Vote?
March 3, 2011
Practical Aspects of Modern Cryptography
85Slide86
Where is My Vote?
March 3, 2011
Practical Aspects of Modern Cryptography
86Slide87
Where is My Vote?
March 3, 2011
Practical Aspects of Modern Cryptography
87Slide88
Where is My Vote?
No – 2
Yes – 1
March 3, 2011
Practical Aspects of Modern Cryptography
88Slide89
Where is My Vote?
No – 2
Yes – 1
Mathematical
Proof
March 3, 2011
Practical Aspects of Modern Cryptography
89Slide90
The Voter’s Perspective
March 3, 2011Practical Aspects of Modern Cryptography
90Slide91
The Voter’s Perspective
Verifiable election systems can be built to look exactly like current systems …March 3, 2011
Practical Aspects of Modern Cryptography
91Slide92
The Voter’s Perspective
Verifiable election systems can be built to look exactly like current systems …… with one addition …March 3, 2011
Practical Aspects of Modern Cryptography
92Slide93
A Verifiable Receipt
March 3, 2011
Practical Aspects of Modern Cryptography
93Slide94
A Verifiable Receipt
March 3, 2011
Practical Aspects of Modern Cryptography
94Slide95
A Verifiable Receipt
Precinct 37 – Machine 4
Nov. 6, 2012 1:39PM
Vote receipt tag:
7A34ZR9K4BX
***VOTE COMFIRMED***
March 3, 2011
Practical Aspects of Modern Cryptography
95Slide96
The Voter’s Perspective
March 3, 2011Practical Aspects of Modern Cryptography
96Slide97
The Voter’s PerspectiveVoters can …
March 3, 2011
Practical Aspects of Modern Cryptography
97Slide98
The Voter’s PerspectiveVoters can …
Use receipts to check their results are properly recorded on a public web site.March 3, 2011
Practical Aspects of Modern Cryptography
98Slide99
The Voter’s PerspectiveVoters can …
Use receipts to check their results are properly recorded on a public web site.Throw their receipts in the trash.March 3, 2011
Practical Aspects of Modern Cryptography
99Slide100
The Voter’s Perspective
Voters can …March 3, 2011
Practical Aspects of Modern Cryptography
100Slide101
The Voter’s Perspective
Voters can …Write their own applications to verify the mathematical proof of the tally.March 3, 2011
Practical Aspects of Modern Cryptography
101Slide102
The Voter’s Perspective
Voters can …Write their own applications to verify the mathematical proof of the tally.Download verification apps from sources of their choice.March 3, 2011
Practical Aspects of Modern Cryptography
102Slide103
The Voter’s Perspective
Voters can …Write their own applications to verify the mathematical proof of the tally.Download verification apps from sources of their choice.Believe verifications done by their political parties, LWV, ACLU, etc.
March 3, 2011
Practical Aspects of Modern Cryptography
103Slide104
The Voter’s Perspective
Voters can …Write their own applications to verify the mathematical proof of the tally.Download verification apps from sources of their choice.Believe verifications done by their political parties, LWV, ACLU, etc.Accept the results without question.
March 3, 2011
Practical Aspects of Modern Cryptography
104Slide105
So How Does It Work?
March 3, 2011Practical Aspects of Modern Cryptography
105Slide106
Secure MPC is not Enough
March 3, 2011Practical Aspects of Modern Cryptography
106Slide107
Secure MPC is not Enough
Secure Multi-Party Computation allows any public function to be computed on any number of private inputs without compromising the privacy of the inputs.
March 3, 2011
Practical Aspects of Modern Cryptography
107Slide108
Secure MPC is not Enough
Secure Multi-Party Computation allows any public function to be computed on any number of private inputs without compromising the privacy of the inputs.But secure MPC does not prevent parties from revealing their private inputs if they so choose.
March 3, 2011
Practical Aspects of Modern Cryptography
108Slide109
End-to-End Verifiable Elections
Two principle phases …March 3, 2011
Practical Aspects of Modern Cryptography
109Slide110
End-to-End Verifiable Elections
Two principle phases …Voters publish their names and encrypted votes.
March 3, 2011
Practical Aspects of Modern Cryptography
110Slide111
End-to-End Verifiable Elections
Two principle phases …Voters publish their names and encrypted votes.
At the end of the election, administrators compute and publish the tally together with a cryptographic proof that the tally “matches” the set of encrypted votes.
March 3, 2011
Practical Aspects of Modern Cryptography
111Slide112
End-to-End Verifiable Elections
Two questions must be answered …March 3, 2011
Practical Aspects of Modern Cryptography
112Slide113
End-to-End Verifiable Elections
Two questions must be answered …How do voters turn their preferences into encrypted votes?March 3, 2011
Practical Aspects of Modern Cryptography
113Slide114
End-to-End Verifiable Elections
Two questions must be answered …How do voters turn their preferences into encrypted votes?How are voters convinced that the published set of encrypted votes corresponds the announced tally?
March 3, 2011
Practical Aspects of Modern Cryptography
114Slide115
Is it Really This Easy?
March 3, 2011Practical Aspects of Modern Cryptography
115Slide116
Is it Really This Easy?
Yes …March 3, 2011
Practical Aspects of Modern Cryptography
116Slide117
Is it Really This Easy?
Yes …… but there are lots of details to get right.
March 3, 2011
Practical Aspects of Modern Cryptography
117Slide118
Fundamental Tallying Decision
March 3, 2011Practical Aspects of Modern Cryptography
118Slide119
Fundamental Tallying Decision
There are essentially two paradigms to choose from …March 3, 2011
Practical Aspects of Modern Cryptography
119Slide120
Fundamental Tallying Decision
There are essentially two paradigms to choose from …Anonymized Ballots
March 3, 2011
Practical Aspects of Modern Cryptography
120Slide121
Fundamental Tallying Decision
There are essentially two paradigms to choose from …Anonymized Ballots
(Mix Networks)
March 3, 2011
Practical Aspects of Modern Cryptography
121Slide122
Fundamental Tallying Decision
There are essentially two paradigms to choose from …Anonymized Ballots
(Mix Networks)
Ballotless
Tallying
March 3, 2011
Practical Aspects of Modern Cryptography
122Slide123
Fundamental Tallying Decision
There are essentially two paradigms to choose from …Anonymized Ballots
(Mix Networks)
Ballotless
Tallying
(
Homomorphic
Encryption)
March 3, 2011
Practical Aspects of Modern Cryptography
123Slide124
Anonymized
Ballots
March 3, 2011
Practical Aspects of Modern Cryptography
124Slide125
Ballotless
Tallying
March 3, 2011
Practical Aspects of Modern Cryptography
125Slide126
Homomorphic
Tallying
March 3, 2011
Practical Aspects of Modern Cryptography
126Slide127
Homomorphic Encryption
Some Homomorphic FunctionsRSA:
ElGamal
:
GM:
Benaloh:
Pallier
:
March 3, 2011
Practical Aspects of Modern Cryptography
127Slide128
Alice
0
Bob
0
Carol
1
David
0
Eve
1
Homomorphic
Elections
March 3, 2011
Practical Aspects of Modern Cryptography
128Slide129
Alice
0
Bob
0
Carol
1
David
0
Eve
1
=
Homomorphic
Elections
March 3, 2011
Practical Aspects of Modern Cryptography
129Slide130
Alice
0
Bob
0
Carol
1
David
0
Eve
1
=
2
Homomorphic
Elections
March 3, 2011
Practical Aspects of Modern Cryptography
130Slide131
Alice
0
Bob
0
Carol
1
David
0
Eve
1
Homomorphic
Elections
March 3, 2011
Practical Aspects of Modern Cryptography
131Slide132
Alice
0
Bob
0
Carol
1
David
0
Eve
1
Homomorphic
Elections
March 3, 2011
Practical Aspects of Modern Cryptography
132Slide133
Alice
0
Bob
0
Carol
1
David
0
Eve
1
=
2
Homomorphic
Elections
March 3, 2011
Practical Aspects of Modern Cryptography
133Slide134
Alice
0
Bob
0
Carol
1
David
0
Eve
1
=
2
Homomorphic
Elections
March 3, 2011
Practical Aspects of Modern Cryptography
134Slide135
Alice
0
Bob
0
Carol
1
David
0
Eve
1
=
2
Homomorphic
Elections
March 3, 2011
Practical Aspects of Modern Cryptography
135Slide136
Alice
0
Bob
0
Carol
1
David
0
Eve
1
Multiple Authorities
March 3, 2011
Practical Aspects of Modern Cryptography
136Slide137
The product of the encryptions
of the votes constitutes an encryption of the sum of the votes.
Homomorphic Encryption
March 3, 2011
Practical Aspects of Modern Cryptography
137Slide138
X
1
X
2
X
3
Alice
0
=
3
-5
2
Bob
0
=
-4
5
-1
Carol
1
=
2
-3
2
David
0
=
-2
-1
3
Eve
1
=
4
-1
-2
Multiple Authorities
March 3, 2011
Practical Aspects of Modern Cryptography
138Slide139
X
1
X
2
X
3
Alice
0
=
3
-5
2
Bob
0
=
-4
5
-1
Carol
1
=
2
-3
2
David
0
=
-2
-1
3
Eve
1
=
4
-1
-2
=
=
=
Multiple Authorities
March 3, 2011
Practical Aspects of Modern Cryptography
139Slide140
X
1
X
2
X
3
Alice
0
=
3
-5
2
Bob
0
=
-4
5
-1
Carol
1
=
2
-3
2
David
0
=
-2
-1
3
Eve
1
=
4
-1
-2
=
=
=
3
-5
4
Multiple Authorities
March 3, 2011
Practical Aspects of Modern Cryptography
140Slide141
X
1
X
2
X
3
Alice
0
=
3
-5
2
Bob
0
=
-4
5
-1
Carol
1
=
2
-3
2
David
0
=
-2
-1
3
Eve
1
=
4
-1
-2
=
=
=
=
3
-5
4
Multiple Authorities
March 3, 2011
Practical Aspects of Modern Cryptography
141Slide142
X
1
X
2
X
3
Alice
0
=
3
-5
2
Bob
0
=
-4
5
-1
Carol
1
=
2
-3
2
David
0
=
-2
-1
3
Eve
1
=
4
-1
-2
=
=
=
2
=
3
-5
4
Multiple Authorities
March 3, 2011
Practical Aspects of Modern Cryptography
142Slide143
X
1
X
2
X
3
Alice
0
=
3
-5
2
Bob
0
=
-4
5
-1
Carol
1
=
2
-3
2
David
0
=
-2
-1
3
Eve
1
=
4
-1
-2
=
=
=
=
2
=
3
-5
4
Multiple Authorities
March 3, 2011
Practical Aspects of Modern Cryptography
143Slide144
The sum of the shares
of the votes constitute shares of the sum of the votes.
Multiple Authorities
March 3, 2011
Practical Aspects of Modern Cryptography
144Slide145
X
1
X
2
X
3
Alice
0
=
3
-5
2
Bob
0
=
-4
5
-1
Carol
1
=
2
-3
2
David
0
=
-2
-1
3
Eve
1
=
4
-1
-2
=
=
=
=
2
=
3
-5
4
Multiple Authorities
March 3, 2011
Practical Aspects of Modern Cryptography
145Slide146
X
1
X
2
X
3
Alice
0
3
-5
2
Bob
0
-4
5
-1
Carol
1
2
-3
2
David
0
-2
-1
3
Eve
1
4
-1
-2
Multiple Authorities
March 3, 2011
Practical Aspects of Modern Cryptography
146Slide147
X
1
X
2
X
3
Alice
0
3
-5
2
Bob
0
-4
5
-1
Carol
1
2
-3
2
David
0
-2
-1
3
Eve
1
4
-1
-2
=
=
=
Multiple Authorities
March 3, 2011
Practical Aspects of Modern Cryptography
147Slide148
X
1
X
2
X
3
Alice
0
3
-5
2
Bob
0
-4
5
-1
Carol
1
2
-3
2
David
0
-2
-1
3
Eve
1
4
-1
-2
=
=
=
3
-5
4
Multiple Authorities
March 3, 2011
Practical Aspects of Modern Cryptography
148Slide149
X
1
X
2
X
3
Alice
0
3
-5
2
Bob
0
-4
5
-1
Carol
1
2
-3
2
David
0
-2
-1
3
Eve
1
4
-1
-2
=
=
=
3
-5
4
Multiple Authorities
March 3, 2011
Practical Aspects of Modern Cryptography
149Slide150
X
1
X
2
X
3
Alice
0
3
-5
2
Bob
0
-4
5
-1
Carol
1
2
-3
2
David
0
-2
-1
3
Eve
1
4
-1
-2
=
=
=
=
3
-5
4
Multiple Authorities
March 3, 2011
Practical Aspects of Modern Cryptography
150Slide151
X
1
X
2
X
3
Alice
0
3
-5
2
Bob
0
-4
5
-1
Carol
1
2
-3
2
David
0
-2
-1
3
Eve
1
4
-1
-2
=
=
=
2
=
3
-5
4
Multiple Authorities
March 3, 2011
Practical Aspects of Modern Cryptography
151Slide152
The product of the encryptions
of the shares of the votes constitute an encryption of a share the sum of the votes.
Double
Commutivity
March 3, 2011
Practical Aspects of Modern Cryptography
152Slide153
Robust Sharing
March 3, 2011Practical Aspects of Modern Cryptography
153Slide154
Robust Sharing
Note that votes can be “shared” with a polynomial threshold scheme instead of a simple sum.March 3, 2011
Practical Aspects of Modern Cryptography
154Slide155
Robust Sharing
Note that votes can be “shared” with a polynomial threshold scheme instead of a simple sum.This provides robustness in case one or more trustees fails to properly decrypt their shares.March 3, 2011
Practical Aspects of Modern Cryptography
155Slide156
Mix-Based Elections
March 3, 2011
Practical Aspects of Modern Cryptography
156Slide157
The Mix-Net Paradigm
MIXMarch 3, 2011
Practical Aspects of Modern Cryptography
157Slide158
The Mix-Net Paradigm
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
158Slide159
The Mix-Net Paradigm
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
159Slide160
The Mix-Net Paradigm
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
160Slide161
The Mix-Net Paradigm
MIX
Vote
Vote
Vote
Vote
March 3, 2011
Practical Aspects of Modern Cryptography
161Slide162
The Mix-Net Paradigm
MIX
Vote
Vote
Vote
Vote
March 3, 2011
Practical Aspects of Modern Cryptography
162Slide163
Multiple MixesMarch 3, 2011
Practical Aspects of Modern Cryptography
163Slide164
Multiple Mixes
March 3, 2011
Practical Aspects of Modern Cryptography
164Slide165
Multiple Mixes
March 3, 2011
Practical Aspects of Modern Cryptography
165Slide166
Multiple Mixes
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
166Slide167
Multiple Mixes
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
167Slide168
Multiple Mixes
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
168Slide169
Multiple Mixes
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
169Slide170
Multiple Mixes
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
170Slide171
Multiple Mixes
MIX
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
171Slide172
Multiple Mixes
MIX
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
172Slide173
Multiple Mixes
MIX
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
173Slide174
Multiple Mixes
MIX
Vote
Vote
Vote
Vote
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
174Slide175
Multiple Mixes
MIX
Vote
Vote
Vote
Vote
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
175Slide176
Decryption Mix-net
March 3, 2011Practical Aspects of Modern Cryptography
176Slide177
Decryption Mix-net
Each object is encrypted with a pre-determined set of encryption layers.March 3, 2011
Practical Aspects of Modern Cryptography
177Slide178
Decryption Mix-net
Each object is encrypted with a pre-determined set of encryption layers.Each mix, in pre-determined order performs a decryption to remove its associated layer.
March 3, 2011
Practical Aspects of Modern Cryptography
178Slide179
Re-encryption Mix-net
March 3, 2011Practical Aspects of Modern Cryptography
179Slide180
Re-encryption Mix-net
The decryption and shuffling functions are decoupled.March 3, 2011
Practical Aspects of Modern Cryptography
180Slide181
Re-encryption Mix-net
The decryption and shuffling functions are decoupled.Mixes can be added or removed dynamically with robustness.
March 3, 2011
Practical Aspects of Modern Cryptography
181Slide182
Re-encryption Mix-net
The decryption and shuffling functions are decoupled.Mixes can be added or removed dynamically with robustness.Proofs of correct mixing can be published and independently verified.
March 3, 2011
Practical Aspects of Modern Cryptography
182Slide183
More Homomorphic Encryption
We can construct a public-key encryption function
such that if
is
an
encryption of
and
is
an
encryption of
then
is an encryption of
.
March 3, 2011
Practical Aspects of Modern Cryptography
183Slide184
Re-encryption (additive)
is
an
encryption of
and
is
an
encryption of
then
is
another encryption of .
March 3, 2011
Practical Aspects of Modern Cryptography
184Slide185
Re-encryption (multiplicative)
is
an
encryption of
and
is
an
encryption of
then
is
another encryption of .
March 3, 2011
Practical Aspects of Modern Cryptography
185Slide186
A Re-encryption Mix
MIXMarch 3, 2011
Practical Aspects of Modern Cryptography
186Slide187
A Re-encryption Mix
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
187Slide188
A Re-encryption Mix
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
188Slide189
A Re-encryption Mix
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
189Slide190
A Re-encryption Mix
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
190Slide191
A Re-encryption Mix
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
191Slide192
Re-encryption Mix-nets
MIX
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
192Slide193
Re-encryption Mix-nets
MIX
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
193Slide194
Re-encryption Mix-nets
MIX
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
194Slide195
Re-encryption Mix-nets
MIX
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
195Slide196
Re-encryption Mix-nets
MIX
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
196Slide197
Re-encryption Mix-nets
MIX
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
197Slide198
Re-encryption Mix-nets
MIX
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
198Slide199
Re-encryption Mix-nets
MIX
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
199Slide200
Re-encryption Mix-nets
MIX
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
200Slide201
Re-encryption Mix-nets
MIX
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
201Slide202
Re-encryption Mix-nets
MIX
Vote
Vote
Vote
Vote
MIX
March 3, 2011
Practical Aspects of Modern Cryptography
202Slide203
Verifiability
March 3, 2011Practical Aspects of Modern Cryptography
203Slide204
Verifiability
Each re-encryption mix provides a mathematical proof that its output is a permutation of re-encryptions of its input.March 3, 2011
Practical Aspects of Modern Cryptography
204Slide205
Verifiability
Each re-encryption mix provides a mathematical proof that its output is a permutation of re-encryptions of its input.Any observer can verify this proof.March 3, 2011
Practical Aspects of Modern Cryptography
205Slide206
Verifiability
Each re-encryption mix provides a mathematical proof that its output is a permutation of re-encryptions of its input.Any observer can verify this proof.The decryptions are also proven to be correct.
March 3, 2011
Practical Aspects of Modern Cryptography
206Slide207
Verifiability
Each re-encryption mix provides a mathematical proof that its output is a permutation of re-encryptions of its input.Any observer can verify this proof.The decryptions are also proven to be correct.If a mix’s proof is invalid, its mixing will be bypassed.
March 3, 2011
Practical Aspects of Modern Cryptography
207Slide208
Recent Mix Work1993 Park,
Itoh, and Kurosawa1995 Sako and Kilian2001 Furukawa and Sako2001 Neff2002
Jakobsson
,
Juels
, and
Rivest2003 Groth
March 3, 2011
Practical Aspects of Modern Cryptography
208Slide209
MIX
Re-encryption Mix OperationMarch 3, 2011
Practical Aspects of Modern Cryptography
209Slide210
Input Ballot Set
MIX
Re-encryption Mix Operation
March 3, 2011
Practical Aspects of Modern Cryptography
210Slide211
Input Ballot Set
Output Ballot Set
MIX
Re-encryption Mix Operation
March 3, 2011
Practical Aspects of Modern Cryptography
211Slide212
Input Ballot Set
Output Ballot Set
Re-encryption Mix Operation
March 3, 2011
Practical Aspects of Modern Cryptography
212
Re-encryptionsSlide213
Re-encryption
March 3, 2011Practical Aspects of Modern Cryptography
213Slide214
Re-encryption
Each value is re-encrypted homomorphically.
March 3, 2011
Practical Aspects of Modern Cryptography
214Slide215
Re-encryption
Each value is re-encrypted homomorphically.
This can be done
without
knowing the decryptions.
March 3, 2011
Practical Aspects of Modern Cryptography
215Slide216
Verifying a Re-encryptionMarch 3, 2011
Practical Aspects of Modern Cryptography
216Slide217
Verifying a Re-encryptionA
prover could simply reveal the specifics of the “blinding factors” used for re-encryption, but this would also reveal the permutation.March 3, 2011
Practical Aspects of Modern Cryptography
217Slide218
Verifying a Re-encryptionA
prover could simply reveal the specifics of the “blinding factors” used for re-encryption, but this would also reveal the permutation.Instead, an interactive proof can be performed to demonstrate the equivalence of the input and output ballot sets.
March 3, 2011
Practical Aspects of Modern Cryptography
218Slide219
Verifying a Re-encryptionA
prover could simply reveal the specifics of the “blinding factors” used for re-encryption, but this would also reveal the permutation.Instead, an interactive proof can be performed to demonstrate the equivalence of the input and output ballot sets.The Fiat-Shamir heuristic can be used to “publish” the proof.
March 3, 2011
Practical Aspects of Modern Cryptography
219Slide220
The Encryption
March 3, 2011Practical Aspects of Modern Cryptography
220Slide221
The Encryption
Anyone with the decryption key can read all of the votes – even before mixing.March 3, 2011
Practical Aspects of Modern Cryptography
221Slide222
The Encryption
Anyone with the decryption key can read all of the votes – even before mixing.A threshold encryption scheme is used to distribute the decryption capabilities.March 3, 2011
Practical Aspects of Modern Cryptography
222Slide223
Most Verifiable Election Protocols
March 3, 2011Practical Aspects of Modern Cryptography
223Slide224
Most Verifiable Election Protocols
Step 1March 3, 2011
Practical Aspects of Modern Cryptography
224Slide225
Most Verifiable Election Protocols
Step 1Encrypt your vote and …
March 3, 2011
Practical Aspects of Modern Cryptography
225Slide226
Most Verifiable Election Protocols
Step 1Encrypt your vote and …
How?
March 3, 2011
Practical Aspects of Modern Cryptography
226Slide227
How do Humans Encrypt?
March 3, 2011Practical Aspects of Modern Cryptography
227Slide228
How do Humans Encrypt?If voters encrypt their votes with devices of their own choosing, they are subject to coercion and compromise.
March 3, 2011
Practical Aspects of Modern Cryptography
228Slide229
How do Humans Encrypt?If voters encrypt their votes with devices of their own choosing, they are subject to coercion and compromise.
If voters encrypt their votes on “official” devices, how can they trust that their intentions have been properly captured?March 3, 2011
Practical Aspects of Modern Cryptography
229Slide230
The Human Encryptor
We need to find ways to engage humans in an interactive proof process to ensure that their intentions are accurately reflected in encrypted ballots cast on their behalf.
March 3, 2011
Practical Aspects of Modern Cryptography
230Slide231
MarkPledge Ballot
Alice367
248
792
141
390
863
427
015
Bob
629
523
916
504
129077476947Carol285668049
732859
308156
422David
863
863
863
863863
863863
863
Eve
264
717740317832399441946March 3, 2011Practical Aspects of Modern Cryptography231Slide232
MarkPledge Ballot
Alice367
248
792
141
390
863
427
015
Bob
629
523
916
504
129077476
947
Carol285
668
049
732
859
308
156422
David
863
863
863863863863863863Eve264717740317832399
441946
March 3, 2011
Practical Aspects of Modern Cryptography
232Slide233
MarkPledge Ballot
Alice367
248
792
141
390
863
427
015
Bob
629
523
916
504
129077476
947
Carol285
668
049
732
859
308
156422
David
863
863
863863863863863863Eve264717740317832399
441946
Device commitment to voter: “You’re candidate’s number is 863.”
March 3, 2011
Practical Aspects of Modern Cryptography
233Slide234
MarkPledge Ballot
Alice367
248
792
141
390
863
427
015
Bob
629
523
916
504
129077476
947
Carol285
668
049
732
859
308
156422
David
863
863
863863863863863863Eve264717740317832399
441946
Device commitment to voter: “You’re candidate’s number is 863.”
Voter challenge: “Decrypt column number 5.”
March 3, 2011
Practical Aspects of Modern Cryptography
234Slide235
MarkPledge Ballot
Alice367
248
792
141
390
863
427
015
Bob
629
523
916
504
129077476
947
Carol285
668
049
732
859
308
156422
David
863
863
863863863863863863Eve264717740317832399
441946
Device commitment to voter: “You’re candidate’s number is 863.”
Voter challenge: “Decrypt column number 5.”
March 3, 2011
Practical Aspects of Modern Cryptography
235Slide236
MarkPledge Ballot
Alice367
248
792
141
390
863
427
015
Bob
629
523
916
504
129077476947Carol285668049
732859
308156
422David
863
863
863
863863
863863
863
Eve
264
717740317832399441946March 3, 2011Practical Aspects of Modern Cryptography236Slide237
Prêt à Voter Ballot
Bob
Eve
Carol
Alice
David
17320508
March 3, 2011
Practical Aspects of Modern Cryptography
237Slide238
Prêt à Voter Ballot
Bob
Eve
Carol
Alice
X
David
17320508
March 3, 2011
Practical Aspects of Modern Cryptography
238Slide239
Prêt à Voter Ballot
X
17320508
March 3, 2011
Practical Aspects of Modern Cryptography
239Slide240
PunchScan Ballot
Y – Alice
X – Bob
X
Y
#001
March 3, 2011
Practical Aspects of Modern Cryptography
240Slide241
PunchScan Ballot
Y – Alice
X – Bob
Y
X
#001
March 3, 2011
Practical Aspects of Modern Cryptography
241Slide242
PunchScan Ballot
X – Alice
Y – Bob
Y
X
#001
March 3, 2011
Practical Aspects of Modern Cryptography
242Slide243
PunchScan Ballot
X – Alice
Y – Bob
Y
X
#001
March 3, 2011
Practical Aspects of Modern Cryptography
243Slide244
X – Alice
Y – Bob
PunchScan
Ballot
#001
Y
#001
X
March 3, 2011
Practical Aspects of Modern Cryptography
244Slide245
Scantegrity
March 3, 2011
Practical Aspects of Modern Cryptography
245Slide246
Three-Ballot
March 3, 2011Practical Aspects of Modern Cryptography
246Slide247
Voter-Initiated Auditing
March 3, 2011Practical Aspects of Modern Cryptography
247Slide248
Voter-Initiated Auditing
Voter can use “any” device to make selections (touch-screen DRE, OpScan, etc.)March 3, 2011
Practical Aspects of Modern Cryptography
248Slide249
Voter-Initiated Auditing
Voter can use “any” device to make selections (touch-screen DRE, OpScan, etc.)After selections are made, voter receives an encrypted receipt of the ballot.
March 3, 2011
Practical Aspects of Modern Cryptography
249Slide250
Voter-Initiated Auditing
734922031382
Encrypted Vote
March 3, 2011
Practical Aspects of Modern Cryptography
250Slide251
Voter-Initiated Auditing
Voter choice: Cast or Challenge
734922031382
Encrypted Vote
March 3, 2011
Practical Aspects of Modern Cryptography
251Slide252
CastVoter-Initiated Auditing
734922031382
March 3, 2011
Practical Aspects of Modern Cryptography
252Slide253
Voter-Initiated AuditingChallenge
734922031382
March 3, 2011
Practical Aspects of Modern Cryptography
253Slide254
Voter-Initiated Auditing
Challenge
March 3, 2011
Practical Aspects of Modern Cryptography
254Slide255
Voter-Initiated Auditing
Challenge
March 3, 2011
Practical Aspects of Modern Cryptography
255Slide256
Voter-Initiated Auditing
Challenge
Vote for
Alice
Random # is
28637582738
March 3, 2011
Practical Aspects of Modern Cryptography
256Slide257
Ballot Casting Assurance
The voter front ends shown here differ in both their human factors qualities and the level of assurance that they offer.All are feasible and provide greater integrity than current methods.
March 3, 2011
Practical Aspects of Modern Cryptography
257Slide258
True VerifiabilityThe end-to-end verifiable election technologies described here allow individuals to
choose who to trust.Individuals are not forced to trust officials with special status. They can depend on verifications from entities of their choice.Sufficiently paranoid individuals can check everything for themselves.
March 3, 2011
Practical Aspects of Modern Cryptography
258Slide259
Real-World Deployments
March 3, 2011Practical Aspects of Modern Cryptography
259Slide260
Real-World DeploymentsHelios (
www.heliosvoting.org) – Ben Adida and othersRemote electronic voting system using voter-initiated auditing and homomorphic backend.Used to elect president of UC Louvain, Belgium.Used in Princeton University student government.Used to elect IACR Board of Directors.
March 3, 2011
Practical Aspects of Modern Cryptography
260Slide261
Real-World DeploymentsHelios (
www.heliosvoting.org) – Ben Adida and othersRemote electronic voting system using voter-initiated auditing and homomorphic backend.Used to elect president of UC Louvain, Belgium.Used in Princeton University student government.Used to elect IACR Board of Directors.Scantegrity
II (
www.scantegrity.org
) – David Chaum, Ron Rivest, many others.
Optical scan system with codes revealed by invisible ink markers and “
plugboard-mixnet” backend.Used for municipal elections in Takoma Park, MD.
March 3, 2011
Practical Aspects of Modern Cryptography
261Slide262
End-to-End Verifiability
March 3, 2011Practical Aspects of Modern Cryptography
262Slide263
End-to-End Verifiability… is a fundamentally different paradigm,
March 3, 2011
Practical Aspects of Modern Cryptography
263Slide264
End-to-End Verifiability… is a fundamentally different paradigm,
… is not just a security enhancement,March 3, 2011
Practical Aspects of Modern Cryptography
264Slide265
End-to-End Verifiability… is a fundamentally different paradigm,
… is not just a security enhancement,… democratizes the electoral process,March 3, 2011
Practical Aspects of Modern Cryptography
265Slide266
End-to-End Verifiability… is a fundamentally different paradigm,
… is not just a security enhancement,… democratizes the electoral process,… but it is not a panacea.
March 3, 2011
Practical Aspects of Modern Cryptography
266Slide267
End-to-End System Properties
March 3, 2011Practical Aspects of Modern Cryptography
267Slide268
End-to-End System PropertiesAccuracy/Integrity
March 3, 2011
Practical Aspects of Modern Cryptography
268Slide269
End-to-End System PropertiesAccuracy/Integrity
– enormously improvedMarch 3, 2011
Practical Aspects of Modern Cryptography
269Slide270
End-to-End System PropertiesAccuracy/Integrity
– enormously improvedPrivacy/CoercionMarch 3, 2011
Practical Aspects of Modern Cryptography
270Slide271
End-to-End System PropertiesAccuracy/Integrity
– enormously improvedPrivacy/Coercion – not substantially changed
March 3, 2011
Practical Aspects of Modern Cryptography
271Slide272
End-to-End System PropertiesAccuracy/Integrity
– enormously improvedPrivacy/Coercion – not substantially changedReliability/Survivability
March 3, 2011
Practical Aspects of Modern Cryptography
272Slide273
End-to-End System PropertiesAccuracy/Integrity
– enormously improvedPrivacy/Coercion – not substantially changedReliability/Survivability
– not substantially changed
March 3, 2011
Practical Aspects of Modern Cryptography
273Slide274
End-to-End System PropertiesAccuracy/Integrity
– enormously improvedPrivacy/Coercion – not substantially changedReliability/Survivability
– not substantially changed
Usability/Comprehensibility
March 3, 2011
Practical Aspects of Modern Cryptography
274Slide275
End-to-End System PropertiesAccuracy/Integrity
– enormously improvedPrivacy/Coercion – not substantially changedReliability/Survivability
– not substantially changed
Usability/Comprehensibility
– not substantially changed
March 3, 2011
Practical Aspects of Modern Cryptography
275Slide276
Is There any Deployment Hope?The U.S. Election Assistance Commission is considering new guidelines.
These guidelines explicitly include an “innovation class” which could be satisfied by truly verifiable election systems.Election supervisors must choose to take this opportunity to change the paradigm.However, a bill was recently introduced in Congress that explicitly precludes use of crypto.
March 3, 2011
Practical Aspects of Modern Cryptography
276