On e-voting and privacy

Similar documents
Addressing the Challenges of e-voting Through Crypto Design

Secure Electronic Voting

An Introduction to Cryptographic Voting Systems

General Framework of Electronic Voting and Implementation thereof at National Elections in Estonia

On Some Incompatible Properties of Voting Schemes

Ad Hoc Voting on Mobile Devices

A Design of Secure Preferential E-Voting

An Overview on Cryptographic Voting Systems

Estonian National Electoral Committee. E-Voting System. General Overview

SECURE e-voting The Current Landscape

CRYPTOGRAPHIC PROTOCOLS FOR TRANSPARENCY AND AUDITABILITY IN REMOTE ELECTRONIC VOTING SCHEMES

Privacy of E-Voting (Internet Voting) Erman Ayday

Paper-based electronic voting

A homomorphic encryption-based secure electronic voting scheme

A Linked-List Approach to Cryptographically Secure Elections Using Instant Runoff Voting

PRIVACY PRESERVING IN ELECTRONIC VOTING

Int. J. of Security and Networks, Vol. x, No. x, 201X 1, Vol. x, No. x, 201X 1

Voting Protocol. Bekir Arslan November 15, 2008

An untraceable, universally verifiable voting scheme

A Verifiable Voting Protocol based on Farnel

Individual Verifiability in Electronic Voting

Security Analysis on an Elementary E-Voting System

A Receipt-free Multi-Authority E-Voting System

Swiss E-Voting Workshop 2010

Every Vote Counts: Ensuring Integrity in Large-Scale DRE-based Electronic Voting

Secure Electronic Voting: New trends, new threats, new options. Dimitris Gritzalis

A MULTIPLE BALLOTS ELECTION SCHEME USING ANONYMOUS DISTRIBUTION

Human readable paper verification of Prêt à Voter

Prêt à Voter: a Voter-Verifiable Voting System Peter Y. A. Ryan, David Bismark, James Heather, Steve Schneider, and Zhe Xia

TECHNICAL REPORT SERIES. No. CS-TR-1071 February, Human readable paper verification of Pret a Voter. David Lundin and Peter Y. A. Ryan.

Design of Distributed Voting Systems

Internet Voting the Estonian Experience

Receipt-Free Homomorphic Elections and Write-in Voter Verified Ballots

Voter Verifiability in Homomorphic Election Schemes. Joy Marie Forsythe

A matinee of cryptographic topics

福井大学審査 学位論文 博士 ( 工学 )


The USENIX Journal of Election Technology and Systems. Volume 2, Number 3 July 2014

Towards a Practical, Secure, and Very Large Scale Online Election

Receipt-Free Electronic Voting Scheme with a Tamper-Resistant Randomizer

The usage of electronic voting is spreading because of the potential benefits of anonymity,

How to challenge and cast your e-vote

Yes, my name's Priit, head of the Estonian State Election Office. Right. So how secure is Estonia's online voting system?

Blind Signatures in Electronic Voting Systems

Formal Verification of Selene with the Tamarin prover

Electing a University President using Open-Audit Voting: Analysis of real-world use of Helios

THE PROPOSAL OF GIVING TWO RECEIPTS FOR VOTERS TO INCREASE THE SECURITY OF ELECTRONIC VOTING

Receipt-Free Homomorphic Elections and Write-in Ballots

Distributed Protocols at the Rescue for Trustworthy Online Voting

PRIVACY in electronic voting

Punchscan: Introduction and System Definition of a High-Integrity Election System

CHAPTER 2 LITERATURE REVIEW

Union Elections. Online Voting. for Credit. Helping increase voter turnout & provide accessible, efficient and secure election processes.

M-Polling with QR-Code Scanning and Verification

Cobra: Toward Concurrent Ballot Authorization for Internet Voting

Office for Democratic Institutions and Human Rights REPUBLIC OF ESTONIA. PARLIAMENTARY ELECTIONS 4 March 2007

Towards Trustworthy e-voting using Paper Receipts

Exposure-Resilience for Free: The Hierarchical ID-based Encryption Case

Split-Ballot Voting: Everlasting Privacy With Distributed Trust

2 IEICE TRANS. FUNDAMENTALS, VOL., NO. to the counter through an anonymous channel. Any voter may not send his secret key to the counter and then the

Citizen engagement and compliance with the legal, technical and operational measures in ivoting

Electronic Voting: An Electronic Voting Scheme using the Secure Payment card System Voke Augoye. Technical Report RHUL MA May 2013

Internet Voting: Experiences From Five Elections in Estonia

Pretty Good Democracy for more expressive voting schemes

Selene: Voting with Transparent Verifiability and Coercion-Mitigation

Remote Internet voting: developing a secure and efficient frontend

HASHGRAPH CONSENSUS: DETAILED EXAMPLES

Survey on Remote Electronic Voting

Pretty Understandable Democracy 2.0

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

(Straw) Man in the Middle:

Review: Background on Bits. PFTD: What is Computer Science? Scale and Bits: Binary Digits. BIT: Binary Digit. Understanding scale, what does it mean?

This is a repository copy of Verifiable Classroom Voting in Practice.

Netvote: A Blockchain Voting Protocol

RECEIPT-FREE UNIVERSALLY-VERIFIABLE VOTING WITH EVERLASTING PRIVACY

Exact, Efficient and Information-Theoretically Secure Voting with an Arbitrary Number of Cheaters

Elections with Only 2 Alternatives

L9. Electronic Voting

OCSE Vienna 17/ Open Source Remote Electronic Voting in Norway

1 Introduction. A Cryptographic Scheme for Computerized General Elections

Key Considerations for Implementing Bodies and Oversight Actors

A Treasury System for Cryptocurrencies: Enabling Better Collaborative Intelligence

Survey of Fully Verifiable Voting Cryptoschemes

Uncovering the veil on Geneva s internet voting solution

The State of State Legislatures OAS Episode 25 Jan. 10, 2018

Internet voting in Estonia

SoK: Verifiability Notions for E-Voting Protocols

Guide to Electronic Voting Election Runner

E-Voting Solutions for Digital Democracy in Knowledge Society

Arthur M. Keller, Ph.D. David Mertz, Ph.D.

Towards Secure Quadratic Voting

A Robust Electronic Voting Scheme Against Side Channel Attack

Using Prêt à Voter in Victorian State Elections. EVT August 2012

Challenges and Advances in E-voting Systems Technical and Socio-technical Aspects. Peter Y A Ryan Lorenzo Strigini. Outline

Robert's Rules: What You Should Know

Encryption & FBI vs Apple. Sophie Park & Shanelle Roman

Ronald L. Rivest MIT CSAIL Warren D. Smith - CRV

Thoughts On Appropriate Technologies for Voting

Brittle and Resilient Verifiable Voting Systems

A Verifiable E-voting Scheme with Secret Sharing

Transcription:

On e-voting and privacy Jan Willemson UT,Cybernetica On e-voting and privacy p. 1

What is e-voting?? A citizen sits in front of his computer, On e-voting and privacy p. 2

What is e-voting?? A citizen sits in front of his computer, opens a voting application (e.g. a web browser), On e-voting and privacy p. 2

What is e-voting?? A citizen sits in front of his computer, opens a voting application (e.g. a web browser), clicks an appropriate name. On e-voting and privacy p. 2

Simple, isn t it? No, it s not. On e-voting and privacy p. 3

Simple, isn t it? No, it s not. Vote transmission over public media (Internet, phone line) is not secure. On e-voting and privacy p. 3

Simple, isn t it? No, it s not. Vote transmission over public media (Internet, phone line) is not secure. Thus we need to encrypt the votes. On e-voting and privacy p. 3

Is it now OK? No, it s not. On e-voting and privacy p. 4

Is it now OK? No, it s not. Some how we need to find out the sum of all votes. On e-voting and privacy p. 4

Is it now OK? No, it s not. Some how we need to find out the sum of all votes. How on Earth should that be possible if the votes are encrypted? On e-voting and privacy p. 4

Should a server decrypt? A voting server could possess a decryption key for every voter. But... On e-voting and privacy p. 5

Should a server decrypt? A voting server could possess a decryption key for every voter. But... The Estonian Riigikogu Valimise seadus 1 says: (2) Riigikogu liikmete valimised on vabad, üldised, ühetaolised ja otsesed. Hääletamine on salajane. On e-voting and privacy p. 5

Should a server decrypt? A voting server could possess a decryption key for every voter. But... The Estonian Riigikogu Valimise seadus 1 says: (2) Riigikogu liikmete valimised on vabad, üldised, ühetaolised ja otsesed. Hääletamine on salajane. Can we claim privacy if some server can decode everything? On e-voting and privacy p. 5

Should a server decrypt? A voting server could possess a decryption key for every voter. But... The Estonian Riigikogu Valimise seadus 1 says: (2) Riigikogu liikmete valimised on vabad, üldised, ühetaolised ja otsesed. Hääletamine on salajane. Can we claim privacy if some server can decode everything? Even threshold trust does not solve the essential problem if t + 1 servers are compromized, the votes become public. On e-voting and privacy p. 5

Homomorphic cryptography It is possible first to combine all the cryptograms of the votes to one large cryptogram and decode that one to obtain the sum of all of them. On e-voting and privacy p. 6

Homomorphic cryptography It is possible first to combine all the cryptograms of the votes to one large cryptogram and decode that one to obtain the sum of all of them. We need a special (so-called homomorphic) underlying cryptosystem for that (ElGamal, Paillier, Damgård-Jurik are fine) On e-voting and privacy p. 6

Homomorphic cryptography It is possible first to combine all the cryptograms of the votes to one large cryptogram and decode that one to obtain the sum of all of them. We need a special (so-called homomorphic) underlying cryptosystem for that (ElGamal, Paillier, Damgård-Jurik are fine) Do they help? On e-voting and privacy p. 6

Homomorphic cryptography It is possible first to combine all the cryptograms of the votes to one large cryptogram and decode that one to obtain the sum of all of them. We need a special (so-called homomorphic) underlying cryptosystem for that (ElGamal, Paillier, Damgård-Jurik are fine) Do they help? No, as every single vote can be decoded just like the whole sum. On e-voting and privacy p. 6

Anything else...... doesn t work either. On e-voting and privacy p. 7

Anything else...... doesn t work either. Theorem. If an electronic voting system is capable of decoding the result of voting by any subset of voters, it is possible to decode every single vote. On e-voting and privacy p. 7

Anything else...... doesn t work either. Theorem. If an electronic voting system is capable of decoding the result of voting by any subset of voters, it is possible to decode every single vote. Proof. Say, the set of voters is X. Take any x X and decode X together with X \ {x}. The difference of the results gives x s vote. On e-voting and privacy p. 7

Now what? The only way to try design a privacy-preserving voting system is to design it for a predetermined set of voters (so-called boardroom voting ). On e-voting and privacy p. 8

Now what? The only way to try design a privacy-preserving voting system is to design it for a predetermined set of voters (so-called boardroom voting ). The good side: we do not have to be very concerned about the possibility that some party leaves the boardroom in the middle of the action. On e-voting and privacy p. 8

Now what? The only way to try design a privacy-preserving voting system is to design it for a predetermined set of voters (so-called boardroom voting ). The good side: we do not have to be very concerned about the possibility that some party leaves the boardroom in the middle of the action. The bad side: the resulting scheme is probably not very practical... On e-voting and privacy p. 8

Now what? The only way to try design a privacy-preserving voting system is to design it for a predetermined set of voters (so-called boardroom voting ). The good side: we do not have to be very concerned about the possibility that some party leaves the boardroom in the middle of the action. The bad side: the resulting scheme is probably not very practical...... but still hopefully applicable in some limited setting. On e-voting and privacy p. 8

Planning the protocol The voters should still encrypt their votes. On e-voting and privacy p. 9

Planning the protocol The voters should still encrypt their votes. No-one else should possess the respective decryption keys. On e-voting and privacy p. 9

Planning the protocol The voters should still encrypt their votes. No-one else should possess the respective decryption keys. Thus, the voters should decrypt their own votes. On e-voting and privacy p. 9

Planning the protocol The voters should still encrypt their votes. No-one else should possess the respective decryption keys. Thus, the voters should decrypt their own votes. Consequently, our protocol should contain (at least) two rounds. On e-voting and privacy p. 9

Setting the protocol up Let us have the voters A 1, A 2,..., A n. On e-voting and privacy p. 10

Setting the protocol up Let us have the voters A 1, A 2,..., A n. Choose a group G and an element g of large order so that the respective discrete logarithm problem is hard. On e-voting and privacy p. 10

Setting the protocol up Let us have the voters A 1, A 2,..., A n. Choose a group G and an element g of large order so that the respective discrete logarithm problem is hard. Z p and its generator g for a good choice of prime p will do. On e-voting and privacy p. 10

Setting the protocol up Let us have the voters A 1, A 2,..., A n. Choose a group G and an element g of large order so that the respective discrete logarithm problem is hard. Z p and its generator g for a good choice of prime p will do. Each party A i chooses his vote v i and a random exponent invertible in Z p 1. On e-voting and privacy p. 10

Protocol: encryption A 1 : g a 1 On e-voting and privacy p. 11

Protocol: encryption A 1 : g a 1 A 2 : (g a 1 )a 2 = ga 1a 2 On e-voting and privacy p. 11

Protocol: encryption A 1 : g a 1 A 2 : (g a 1 )a 2 = ga 1a 2... On e-voting and privacy p. 11

Protocol: encryption A 1 : g a 1 A 2 : (g a 1 )a 2 = ga 1a 2... A n : g a 1a 2...a n On e-voting and privacy p. 11

Protocol: decryption A 1 : (g a 1a 2...a n ) a 1 1 v 1 = gv 1a 2...a n On e-voting and privacy p. 12

Protocol: decryption A 1 : (g a 1a 2...a n ) a 1 1 v 1 = gv 1a 2...a n A 2 : (g v 1a 2...a n ) a 1 2 v 2 = gv 1v 2 a 3...a n On e-voting and privacy p. 12

Protocol: decryption A 1 : (g a 1a 2...a n ) a 1 1 v 1 = gv 1a 2...a n A 2 : (g v 1a 2...a n ) a 1 2 v 2 = gv 1v 2 a 3...a n... On e-voting and privacy p. 12

Protocol: decryption A 1 : (g a 1a 2...a n ) a 1 1 v 1 = gv 1a 2...a n A 2 : (g v 1a 2...a n ) a 1 2 v 2 = gv 1v 2 a 3...a n... A n : g v 1v 2...v n On e-voting and privacy p. 12

Protocol: decryption A 1 : (g a 1a 2...a n ) a 1 1 v 1 = gv 1a 2...a n A 2 : (g v 1a 2...a n ) a 1 2 v 2 = gv 1v 2 a 3...a n... A n : g v 1v 2...v n In order to obtain the result of the voting, we must solve limited discrete logarithm problem by raising g to all possible powers v 1 v 2...v n and comparing the results to the output of the protocol. On e-voting and privacy p. 12

All-against-one attack Say, A 2,..., A n choose a 2 =... = a n = 1. On e-voting and privacy p. 13

All-against-one attack Say, A 2,..., A n choose a 2 =... = a n = 1. Then A 1 computes g a 1 in the first round and (g a 1 )a 1 1 v 1 = gv 1 in the second. On e-voting and privacy p. 13

All-against-one attack Say, A 2,..., A n choose a 2 =... = a n = 1. Then A 1 computes g a 1 in the first round and (g a 1 )a 1 1 v 1 = gv 1 in the second. Then v 1 can be found by solving the limited discrete logarithm problem. On e-voting and privacy p. 13

All-against-one attack Say, A 2,..., A n choose a 2 =... = a n = 1. Then A 1 computes g a 1 in the first round and (g a 1 )a 1 1 v 1 = gv 1 in the second. Then v 1 can be found by solving the limited discrete logarithm problem. But hey, if A 2,..., A n collaborate, they can find out v i anyway! On e-voting and privacy p. 13

All-against-one attack Say, A 2,..., A n choose a 2 =... = a n = 1. Then A 1 computes g a 1 in the first round and (g a 1 )a 1 1 v 1 = gv 1 in the second. Then v 1 can be found by solving the limited discrete logarithm problem. But hey, if A 2,..., A n collaborate, they can find out v i anyway! We have an interesting situation: in order for my vote to be secure, at least one other voter has to be honest! On e-voting and privacy p. 13

Is one other honest guy enough? No, it s not. On e-voting and privacy p. 14

Is one other honest guy enough? No, it s not. A n can give g a 1 as his first round output as this value is public anyway. On e-voting and privacy p. 14

Is one other honest guy enough? No, it s not. A n can give g a 1 as his first round output as this value is public anyway. In order to do it legally, A n has to compute the true discrete logarithm log g a 1 g a 2...a n. On e-voting and privacy p. 14

Is one other honest guy enough? No, it s not. A n can give g a 1 as his first round output as this value is public anyway. In order to do it legally, A n has to compute the true discrete logarithm log g a 1 g a 2...a n. This can be avoided by requiring the proofs of knowledge of their own exponents from everybody. On e-voting and privacy p. 14

Is one other honest guy enough? No, it s not. A n can give g a 1 as his first round output as this value is public anyway. In order to do it legally, A n has to compute the true discrete logarithm log g a 1 g a 2...a n. This can be avoided by requiring the proofs of knowledge of their own exponents from everybody. Zero-knowledge proofs can do the job. On e-voting and privacy p. 14

Good and bad sides + The protocol is very efficient only 2n modular exponents are needed to compute the result On e-voting and privacy p. 15

Good and bad sides + The protocol is very efficient only 2n modular exponents are needed to compute the result This is good compared to 2n 2 + 2n done in the protocol by Kiayias and Yung... On e-voting and privacy p. 15

Good and bad sides + The protocol is very efficient only 2n modular exponents are needed to compute the result This is good compared to 2n 2 + 2n done in the protocol by Kiayias and Yung...... and in a way as efficient as it can get everybody has to perform at least 2 operations. On e-voting and privacy p. 15

Good and bad sides + The protocol is very efficient only 2n modular exponents are needed to compute the result This is good compared to 2n 2 + 2n done in the protocol by Kiayias and Yung...... and in a way as efficient as it can get everybody has to perform at least 2 operations. The rounds have to be carried out in the predefined order, otherwise it may be possible to decode some votes. On e-voting and privacy p. 15

Anything else wrong? Probably yes, at least points to be improved. On e-voting and privacy p. 16

Anything else wrong? Probably yes, at least points to be improved. We could still try to cope with some parties failing to complete the protocol. On e-voting and privacy p. 16

Anything else wrong? Probably yes, at least points to be improved. We could still try to cope with some parties failing to complete the protocol. A n learns the sum of other votes before the others do. He could change his mind before voting based on that information. On e-voting and privacy p. 16

Anything else wrong? Probably yes, at least points to be improved. We could still try to cope with some parties failing to complete the protocol. A n learns the sum of other votes before the others do. He could change his mind before voting based on that information. Etc. Security proofs/improvements are needed open call for student contributions! On e-voting and privacy p. 16

That s how far we are. Questions? On e-voting and privacy p. 17

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback