Ben Adida Jimin Park Carleton University COMP 4109 Seminar 15 February 2011 If you think cryptography is the solution to your problem then you dont understand cryptography ID: 434503
Download Presentation The PPT/PDF document "Cryptographic Voting Systems" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Cryptographic Voting Systems(Ben Adida)
Jimin
Park
Carleton University
COMP 4109 Seminar
15 February 2011Slide2
“ If you thinkcryptographyis the solutionto your problem….Slide3
… then youdon’t understandcryptography…
…and you don’t
understand your
problem.” Slide4
Yet, cryptography solvesproblems that initiallyappear to be impossible.Slide5
There is apotential paradigm shift.A means of
election verification
far more powerful
than other methods.Slide6
“But with cryptography, you’re just moving the black box. Few people really understand it or trust it.”Debra Bowen
California Sec. of State, 7/30/2008
(paraphrased)Slide7
Problems with current voting systems
Rigged lever
machine counters
, lost ballot boxes or magically found, dead citizens’ votes.Slide8
Why not fully computerize voting systems?
Bush vs. Gore (California, 2000)
Bush won by just 500 votes!
Known missing ballots, coercion
Computerization was taken seriously
Direct Recording Electronic (DRE) machines
Nothing but touch screen, automatic tallying
Problems with DRE, can we trust it?
Inherited risks of any computer systems (bugs, back door code, etc.)
Non-transparency
Ref: [2]
Avi
Rubin Slide9
Dilemma: Verification vs. SecrecyAnalogy: ATM machinesFully automated computerized system
Why do we trust them?
We can fully verify the transactions
Difference between ATM and Voting Systems
VS: information being verified must stay secret
“Rely on
mathematical proofs
of the results – rather than of the machines.”Slide10
The Goal of Cryptographic Voting SystemsNo: Chain-of-Custody approach (current)
Yes: End-to-End verification approachSlide11
Flow DiagramSlide12
Threshold Decryption
Need Public-key encryption system
Private keys used for decryption need to be distributed among the different parties
Shared-secret scheme
E.g. ) A race of 3 candidates. Each given an equation of a plane (non-coplanar).
Key resides at the point where all planes intersect.
Ref: [3]
Blakley
, G. R.Slide13
What crypto system to use?3 desired properties of our crypto systemPublic-Private key encryption-decryption
Voters encrypt
Candidates decrypt
Easily generated random keys
One vote encrypts to many different cipher-texts
Homomorphic
Cipher-texts (different votes) get aggregated to one cipher-text under certain operation (addition, multiplication, etc.)
Ref: [4] Josh D. Cohen and Michael J. FischerSlide14
Group HomomorphismDef: Given
two groups (
G
, *) and (
H
, ·), group homomorphism
from
(
G
, *) to (
H, ·) is a function h
:
G
→
H
such that for
all
u
and
v
in
G
it holds that
In our case, the function
h
can be the encryption.
h(u v) = h(u)
· h(v)
*
encrypt(u v) = encrypt(u)
· encrypt(v)
*Slide15
El Gamal encryption: original
(1) Bob computes + publishes:
- p : large prime
(p-1 has at least one large prime factor)
- a : primitive element mod p
- y : public key, y = a mod p
x : private key, x = random(1, 2, …, p-1)
(2) Alice encrypts : message m: 0 <= m <= p
(c1, c2) = ( y , m
· SK)
mod p = ( a , m
· (a ) ) mod p
(3) Bob decrypts:
(m
· SK· SK ) mod p = (m · a · a ) mod p = m
Alice Bob
(voters) (candidates)
B
B
x
B
B
B
A
X
A
X
B
X
A
-1
A
X
X
B
-X
X
A B
Ref: [6] T. El
Gamal
Shared Key (SK)
SK = (y )
= (y )
B
x
A
A
B
xSlide16
El Gamal example
(1) Bob computes + publishes:
- p : large prime
(p-1 has at least one large prime factor)
- a : primitive element mod p
- y : public key, y = a mod p
x : private key, x = random(1, 2, …, p-1)
(2) Alice encrypts : message m: 0 <= m <= p-1
(c1, c2) = ( y , m
· SK)
mod p = ( a , m
· (a ) ) mod p
(3) Bob decrypts:
(m
· SK· SK ) mod p = (m · a · a ) mod p = m
Alice Bob
(voters) (candidates)
B
B
x
B
B
B
A
X
A
X
B
X
A
-1
A
X
X
B
-X
X
A B
Ref: [6] T. El
Gamal
p : 13
a : 2
x : 11
y : 7 (2 mod 13)
11
B
B
m : 7
(c1, c2) = (2 , 7
· (2 ) ) mod 13
= (12, 6)
6
11
6
(7
· 2 · 2 ) mod 13 = 7
-66
66Slide17
Comparison: RSA vs. El GamalSecurity
RSA: factoring large integers
El
Gamal
: discrete logarithms
3 ≡ 13 (mod
17) what
is x?
Keys
RSA: expensive computation of finding p and q
El
Gamal: computation of p and q is done once
xSlide18
Homomorphic Tallying
Original El
Gamal
Enc(m1)
·
Enc(m2) = ( y , m
· SK ) · ( y , m · SK ) mod p
= ( y
·
y , (m
· m ) · (SK · SK )) mod p
= Enc( m
· m )
X
X
X
X
1
2
1
2
1
1
2
2
1
2
1
2
1
2
Exponential El
Gamal
Enc(m1) · Enc(m2) = ( y , a · SK ) · ( y , a · SK ) mod p
= ( y · y , a · (SK · SK )) mod p
= Enc(
a )
It would be more useful if we could do
addition
on the cipher texts rather than multiplication!
m
1
m
2
X
1
X
2
1
2
X
1
X
2
(m + m )
1
2
1
2
(m + m )
1
2Slide19
What is the message that we are encrypting?Slide20
Let’s Vote!
Auditing the ballot
- by zero-knowledge proof
Pick any two ballots to vote
“You” pick one of them and scratch to reveal random numbers -> private keys of the ballot
Take to election activist organization to scan 2D bar code and validate the ballot Slide21
Zero-knowledge ProofSlide22
Let’s Vote!
(2) Vote
(3) Remove candidate list
(4) Shred random numbers,
take home the receiptSlide23
Public Bulletin Board
“The votes of the
registered citizens
were casted as
intended
and these votes are
tallied
properly
, so we have
counted as intended
!”Slide24
Mixnets
Ref: [7] David
ChaumSlide25
DeploymentsNumerous university student electionsMIT, Hardvard
, etc.
Unversite
Catholique
de Louvain: 25,000 voters
University of Ottawa:
punchscan
voting system
Takoma
Park election, Maryland (Nov. 3. 2009)
Electing mayor, city councils, etc.
First binding governmental electionSlide26
Ben’s FearComputerization of voting is inevitable, without true verifiability, the situation is grim.
Ben’s Hope
Public auditing proofs will soon be as common as public-key crypto is now.Slide27Slide28
QuizWhat approach is current voting system taking? And what is this seminar’s proposed approach?
What is threshold decryption?
List the 3 desired properties crypto system should have for
homomorphic
tallying method?
What method is used to do ballot auditing?
In the voting process, the un-scratched random numbers are shredded in public view. What is the danger in revealing these numbers? What sort of benefit would a coercer have?Slide29
Reference[1] Ben Adida
. Advances in Cryptographic Voting Systems. MIT. (2006
).
[
2]
Avi
Rubin. An Election Day clouded by doubt, October 2004. http://avirubin.com/vote/op-ed.html
.
[
3]
Blakley
, G. R. Safeguarding cryptographic keys. Proceedings of the National Computer Conference 48: 313-317, (1979).
[
4] Josh D. Cohen and Michael J. Fischer. A robust and verifiable cryptographically secure
election scheme. In FOCS, pages 372–382. IEEE Computer Society, 1985
.
[
5] S.
Poblig
and M. Hellman, An improved algorithm for computing logarithms over GF(p) and its cryptographic significance, IEEE Transaction on Information Theory It-24:106-110, (1978
).
[
6] T. El
Gamal
. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. IEEE Transactions on Information Theory 31, pg. 469-472. (1985
)
[7]
David
Chaum
. Untraceable electronic mail, return addresses, and digital
pseudonyms.
Commun
. ACM,
24(2):84–88,
(1981)
.