Privacy in evoting (joint work with Erik de Vink and Sjouke Mauw)

Similar documents
PRIVACY in electronic voting

Privacy of E-Voting (Internet Voting) Erman Ayday

Challenges and Advances in E-voting Systems Technical and Socio-technical Aspects. Peter Y A Ryan Lorenzo Strigini. Outline

Int. J. of Security and Networks, Vol. x, No. x, 201X 1, Vol. x, No. x, 201X 1

CHAPTER 2 LITERATURE REVIEW

On Some Incompatible Properties of Voting Schemes

Addressing the Challenges of e-voting Through Crypto Design

Design and Prototype of a Coercion-Resistant, Voter Verifiable Electronic Voting System

An untraceable, universally verifiable voting scheme

Swiss E-Voting Workshop 2010

Electronic Voting: An Electronic Voting Scheme using the Secure Payment card System Voke Augoye. Technical Report RHUL MA May 2013

PRIVACY PRESERVING IN ELECTRONIC VOTING

A homomorphic encryption-based secure electronic voting scheme

Voting Protocol. Bekir Arslan November 15, 2008

General Framework of Electronic Voting and Implementation thereof at National Elections in Estonia

Ronald L. Rivest MIT CSAIL Warren D. Smith - CRV

Receipt-Free Homomorphic Elections and Write-in Voter Verified Ballots

A MULTIPLE BALLOTS ELECTION SCHEME USING ANONYMOUS DISTRIBUTION

Secure Electronic Voting

COMPUTING SCIENCE. University of Newcastle upon Tyne. Verified Encrypted Paper Audit Trails. P. Y. A. Ryan TECHNICAL REPORT SERIES

Formal Verification of Selene with the Tamarin prover

An Application of time stamped proxy blind signature in e-voting

Coercion-Resistant Hybrid Voting Systems 1

Estonian National Electoral Committee. E-Voting System. General Overview

RECEIPT-FREE UNIVERSALLY-VERIFIABLE VOTING WITH EVERLASTING PRIVACY

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy

SECURE REMOTE VOTER REGISTRATION

Receipt-Free Homomorphic Elections and Write-in Ballots

Towards a Practical, Secure, and Very Large Scale Online Election

Validation formelle de protocoles de sécurité: le vote électronique de Scytl pour la Suisse

DESIGN AND ANALYSIS OF SECURED ELECTRONIC VOTING PROTOCOL

SMART VOTING. Bhuvanapriya.R#1, Rozil banu.s#2, Sivapriya.P#3 Kalaiselvi.V.K.G# /17/$31.00 c 2017 IEEE ABSTRACT:

A Robust Electronic Voting Scheme Against Side Channel Attack

Ballot Reconciliation Procedure Guide

Secure Voter Registration and Eligibility Checking for Nigerian Elections

Should We Vote Online? Martyn Thomas CBE FREng Livery Company Professor of Information Technology Gresham College

Secure Electronic Voting: New trends, new threats, new options. Dimitris Gritzalis

A Receipt-free Multi-Authority E-Voting System

Knowledge-based modelling of voting protocols

The Impact of Technology on Election Observation

Union Elections. Online Voting. for Credit. Helping increase voter turnout & provide accessible, efficient and secure election processes.

福井大学審査 学位論文 博士 ( 工学 )

SECURE e-voting The Current Landscape

An Introduction to Cryptographic Voting Systems

SoK: Verifiability Notions for E-Voting Protocols

The Economist Case Study: Blockchain-based Digital Voting System. Team UALR. Connor Young, Yanyan Li, and Hector Fernandez

Trusted Logic Voting Systems with OASIS EML 4.0 (Election Markup Language)

Running head: ROCK THE BLOCKCHAIN 1. Rock the Blockchain: Next Generation Voting. Nikolas Roby, Patrick Gill, Michael Williams

Security Analysis on an Elementary E-Voting System

Receipt-Free Electronic Voting Scheme with a Tamper-Resistant Randomizer

E- Voting System [2016]

Ad Hoc Voting on Mobile Devices

Pretty Good Democracy for more expressive voting schemes

L14. Electronic Voting

Secured Electronic Voting Protocol Using Biometric Authentication

IMPLEMENTATION OF SECURE PLATFORM FOR E- VOTING SYSTEM

Paper-based electronic voting

Colorado s Risk-Limiting Audits (RLA) CO Risk-Limiting Audits -- Feb Neal McBurnett

Scytl Secure Electronic Voting

CRYPTOGRAPHIC PROTOCOLS FOR TRANSPARENCY AND AUDITABILITY IN REMOTE ELECTRONIC VOTING SCHEMES

E-Voting, a technical perspective


Human readable paper verification of Prêt à Voter

An Overview on Cryptographic Voting Systems

Key Considerations for Implementing Bodies and Oversight Actors

Johns Hopkins University Security Privacy Applied Research Lab

Prêt à Voter: a Voter-Verifiable Voting System Peter Y. A. Ryan, David Bismark, James Heather, Steve Schneider, and Zhe Xia

Presidential Decree No. 513 of 10 November 1997

Why Biometrics? Why Biometrics? Biometric Technologies: Security and Privacy 2/25/2014. Dr. Rigoberto Chinchilla School of Technology

Survey of Fully Verifiable Voting Cryptoschemes

Between Law and Technology: Internet Voting, Secret Suffrage and the European Electoral Heritage

Secure Electronic Voting: Capabilities and Limitations. Dimitris Gritzalis

Social Choice Theory. Denis Bouyssou CNRS LAMSADE

L9. Electronic Voting

Towards Trustworthy e-voting using Paper Receipts

Prêt à Voter: a Systems Perspective

COMMISSION CHECKLIST FOR NOVEMBER GENERAL ELECTIONS (Effective May 18, 2004; Revised July 15, 2015)

Protocol to Check Correctness of Colorado s Risk-Limiting Tabulation Audit

Speaker s Commission on Digital Democracy Inquiry into Electronic Voting

Netvote: A Blockchain Voting Protocol

E-Voting Discourses in the UK and the Netherlands

Statement on Security & Auditability

Analysis of an Electronic Boardroom Voting System

Citizen engagement and compliance with the legal, technical and operational measures in ivoting

Secretary of State Chapter STATE OF ALABAMA OFFICE OF THE SECRETARY OF STATE ADMINISTRATIVE CODE

Prêt à Voter with Confirmation Codes

E-voting at Expatriates MPs Elections in France

Electronic voting systems for defending free will and resisting bribery and coercion based on ring anonymous signcryption scheme

Blind Signatures in Electronic Voting Systems

TECHNICAL REPORT SERIES. No. CS-TR-1071 February, Human readable paper verification of Pret a Voter. David Lundin and Peter Y. A. Ryan.

COUNTY OF SACRAMENTO CALIFORNIA

Secure and Reliable Electronic Voting. Dimitris Gritzalis

Electronic Voting in Belgium Past, Today and Future

HOW TO RUN AN ONLINE ELECTION

Internet & Telephone Voting Procedures. Municipality of Grey Highlands. Last Updated:

TERMS OF USE FOR PUBLIC LAW CORPORATION PERSONAL CERTIFICATES FOR AUTHENTICATION

NOTICE OF PRE-ELECTION LOGIC AND ACCURACY TESTING

Additional Case study UK electoral system

vvote: a Verifiable Voting System

Act means the Municipal Elections Act, 1996, S.O. 1996, c.32 as amended. All references to sections in this procedure are references to the Act.

Transcription:

Privacy in (joint work with Erik de Vink and Sjouke Mauw) Hugo Jonker h.l.jonker@tue.nl Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 1/20

overview overview voting in the real world privacy in voting voting electronically (digitally / over the internet) (aside) irregularities privacy in evoting formalising privacy characterising receipts receipt-freeness as anonymity current / future work Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 2/20

typical elections typical elections preventing cheating privacy set of candidates set of voters one vote for one candidate per voter result is multiset of cast votes E.g. national elections in the Netherlands. Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 3/20

preventing cheating typical elections preventing cheating privacy Cheating in elections is prevented by law, procedures and regulations, e.g.: At all times during the elections, the chairman and two members of the voting bureau are present Kieswet, Artikel J lid 12 sub 1 This provides (some) protection against incorrect voting, multiple voting, incorrect counting, etc. etc. Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 4/20

privacy per-district: typical elections preventing cheating privacy record kept of who votes paper ballots: mixed, so somewhat ok (note: UK elections) voting machines: unclear district size: average of ±1, 400 voters Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 5/20

pro s & con s advantages: pro s & con s irregularities properties privacy disadvantages: Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 6/20

pro s & con s pro s & con s irregularities properties privacy advantages: more voter convenience ( less overhead quicker counting large scale updates are easy disadvantages:? = greater turnout) Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 6/20

pro s & con s pro s & con s irregularities properties privacy advantages: more voter convenience ( less overhead quicker counting large scale updates are easy disadvantages: costlier? = greater turnout) re-invent the wheel: danger of introducing new flaws risk of forgetting about known flaws large scale updates are easy Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 6/20

irregularities As an aside, some insights / anecdotes on: pro s & con s irregularities properties privacy Sdu voting machine reveals votes through radiation Nedap voting machines not secure elections irregularities in Eindhoven Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 7/20

properties established voting properties include: pro s & con s irregularities properties privacy democracy eligibility accuracy verifiability individual universal fairness Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 8/20

privacy pro s & con s irregularities properties privacy Anonymity vote is private w.r.t. an observer receipt-freeness no proof strong receipt-freeness no elimination of possibilities coercion-resistance no randomisation no abstention no simulation Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 9/20

intuition A receipt proves how a voter voted. intuition requirements Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 10/20

intuition A receipt proves how a voter voted. intuition requirements Examples: - Everyone signs their vote. Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 10/20

intuition A receipt proves how a voter voted. intuition requirements Examples: - Everyone signs their vote. - In Italy, simultaneous elections were held for various posts, using one ballot. The order of posts listed is up to the voter, and is preserved. An attacker (El Mafiosi) can assign each voter a specific order of posts. Benaloh & Tuinstra Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 10/20

requirements More precisely: a receipt r proves that a voter v cast a vote for candidate c. intuition requirements Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 11/20

requirements More precisely: a receipt r proves that a voter v cast a vote for candidate c. intuition requirements R1: r authenticates v Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 11/20

requirements More precisely: a receipt r proves that a voter v cast a vote for candidate c. intuition requirements R1: r authenticates v R2: r proves that v chose candidate c Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 11/20

requirements More precisely: a receipt r proves that a voter v cast a vote for candidate c. intuition requirements R1: r authenticates v R2: r proves that v chose candidate c R3: r proves that v cast her vote Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 11/20

requirements More precisely: a receipt r proves that a voter v cast a vote for candidate c. intuition requirements R1: r authenticates v R2: r proves that v chose candidate c R3: r proves that v cast her vote Note: - Specific for this type of elections - Quite strict Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 11/20

ingredients ingredients decomposing receipts receipts as terms suitable terms voters v V, choices c C ballots B and results (multisets of choices) M(C) a set of received ballots RB, from which the result will be computed a choice function Γ: V C, which specifies how the voters vote Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 12/20

ingredients ingredients decomposing receipts receipts as terms suitable terms voters v V, choices c C ballots B and results (multisets of choices) M(C) a set of received ballots RB, from which the result will be computed a choice function Γ: V C, which specifies how the voters vote the set of receipts R Terms(v), the set of all terms that a voter v V can generate authentication terms AT (v): t AT (v) = w v: t / Terms(w) auth: AT V, the unique voter that created an AT Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 12/20

decomposing receipts The following functions are used to decompose receipts: ingredients decomposing receipts receipts as terms suitable terms α: R AT, extract authentication term from receipt β: R RB, extract ballot from receipt γ : R C, extract candidate from receipt Formalisation of the requirements: Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 13/20

decomposing receipts The following functions are used to decompose receipts: ingredients decomposing receipts receipts as terms suitable terms α: R AT, extract authentication term from receipt β: R RB, extract ballot from receipt γ : R C, extract candidate from receipt Formalisation of the requirements: R1: α(r) AT (v) Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 13/20

decomposing receipts The following functions are used to decompose receipts: ingredients decomposing receipts receipts as terms suitable terms α: R AT, extract authentication term from receipt β: R RB, extract ballot from receipt γ : R C, extract candidate from receipt Formalisation of the requirements: R1: α(r) AT (v) R2: γ(r) = Γ(v) Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 13/20

decomposing receipts The following functions are used to decompose receipts: ingredients decomposing receipts receipts as terms suitable terms α: R AT, extract authentication term from receipt β: R RB, extract ballot from receipt γ : R C, extract candidate from receipt Formalisation of the requirements: R1: α(r) AT (v) R2: γ(r) = Γ(v) R3: β(r) RB Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 13/20

decomposing receipts The following functions are used to decompose receipts: ingredients decomposing receipts receipts as terms suitable terms α: R AT, extract authentication term from receipt β: R RB, extract ballot from receipt γ : R C, extract candidate from receipt Formalisation of the requirements: R1: α(r) AT (v) R2: γ(r) = Γ(v) R3: β(r) RB So, for valid receipts: auth(α(r)) = v = γ(r) = Γ(v), which is satisfied by γ = Γ auth α. Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 13/20

receipts as terms ingredients decomposing receipts receipts as terms suitable terms Intuitively, a receipt must be derivable from an actual execution of a voting protocol (i.e. receipts generated outside a protocol do not invalidate that protocol). To facilitate detection of receipts, limit the notion of receipts to terms (i.e. R = R Terms). Now: Model the protocol in ACP Test suitability of communicated terms as receipts Pronounce judgment Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 14/20

receipts as terms ingredients decomposing receipts receipts as terms suitable terms Intuitively, a receipt must be derivable from an actual execution of a voting protocol (i.e. receipts generated outside a protocol do not invalidate that protocol). To facilitate detection of receipts, limit the notion of receipts to terms (i.e. R = R Terms). Now: Model the protocol in ACP (+ tweaks) Test suitability of communicated terms as receipts Pronounce judgment Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 14/20

suitable terms Write t t if t is a subterm of t. α, β extract terms from terms, i.e. they deal with subterms. ingredients decomposing receipts receipts as terms suitable terms Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 15/20

suitable terms Write t t if t is a subterm of t. ingredients decomposing receipts receipts as terms suitable terms α, β extract terms from terms, i.e. they deal with subterms. Lemma t R: α(t) t β(t) t Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 15/20

suitable terms Write t t if t is a subterm of t. ingredients decomposing receipts receipts as terms suitable terms α, β extract terms from terms, i.e. they deal with subterms. Lemma t R: α(t) t β(t) t (Note that, by definition: t t t AT (v) = t AT (v). So receipts are themselves authentication terms) Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 15/20

suitable terms Write t t if t is a subterm of t. ingredients decomposing receipts receipts as terms suitable terms α, β extract terms from terms, i.e. they deal with subterms. Lemma t R: α(t) t β(t) t (Note that, by definition: t t t AT (v) = t AT (v). So receipts are themselves authentication terms) Although this does not capture the entire notion of receipts, it turns out to be strong enough in the examined cases. Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 15/20

RF anonymity Anonymity, 3 flavours: sender/voter anonymity? no, voter tries to prove vote RF anonymity unlinkability Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 16/20

RF anonymity Anonymity, 3 flavours: RF anonymity unlinkability sender/voter anonymity? no, voter tries to prove vote plausible deniability? no, sender knows how she voted Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 16/20

RF anonymity Anonymity, 3 flavours: RF anonymity unlinkability sender/voter anonymity? no, voter tries to prove vote plausible deniability? no, sender knows how she voted unlinkability? no link between vote and voter... Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 16/20

unlinkability Unlinkability of message m to sender v: intruder does not know that v sent m intruder cannot rule out that v sent any message m, where m AS, the Anonymity Set RF anonymity unlinkability Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 17/20

unlinkability Unlinkability of message m to sender v: intruder does not know that v sent m intruder cannot rule out that v sent any message m, where m AS, the Anonymity Set RF anonymity unlinkability... cannot rule out... Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 17/20

unlinkability Unlinkability of message m to sender v: intruder does not know that v sent m intruder cannot rule out that v sent any message m, where m AS, the Anonymity Set RF anonymity unlinkability... cannot rule out... strong rf the intruder cannot rule out any vote from the anonymity set. Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 17/20

different approaches Current situation: different approaches unifying approach todo Delaune, Kremer and Ryan proposed an approach based on bisimilarity ignoring the notion of receipts Jonker and De Vink proposed an approach based on the characteristics of a receipt founded on the notion of receipts Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 18/20

different approaches Current situation: different approaches unifying approach todo Delaune, Kremer and Ryan proposed an approach based on bisimilarity ignoring the notion of receipts Jonker and De Vink proposed an approach based on the characteristics of a receipt founded on the notion of receipts Almost reminiscant of Heisenberg vs. Schrödinger ;-) Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 18/20

unifying approach different approaches unifying approach todo branching bisimilarity as an equivalence seems to strong e.g. order in which voters vote does not affect rf checking terms J&DV-style seems imprecise not a precise notion of receipts so unite the two! construct an appropriate equivalence notion for voting processes based on identifying receipts Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 19/20

todo Combine J&DV and DKR How do the various privacy notions relate to eachother? different approaches unifying approach todo Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 20/20

todo Combine J&DV and DKR How do the various privacy notions relate to eachother? different approaches unifying approach todo Further reading: Formalising Receipt-Freeness, H.L. Jonker and E.P. de Vink. In Information Security Conference 2006, LNCS 4176 Receipt-Freeness as a special case of Anonymity in Epistemic Logic, Hugo Jonker and Wolter Pieters, WOTE 2006 Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 20/20

todo Combine J&DV and DKR How do the various privacy notions relate to eachother? different approaches unifying approach todo Further reading: Formalising Receipt-Freeness, H.L. Jonker and E.P. de Vink. In Information Security Conference 2006, LNCS 4176 Receipt-Freeness as a special case of Anonymity in Epistemic Logic, Hugo Jonker and Wolter Pieters, WOTE 2006 Thanks for your attention Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 20/20

example: BT Original receipt-freeness paper by Benaloh & Tuinstra Attack found... but not on the main scheme Assumes untappable channels and a voting booth Uses randomised encryption and ZKP different approaches unifying approach todo Process for voting authority: Process for a voter: Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 21/20

example: BT Original receipt-freeness paper by Benaloh & Tuinstra Attack found... but not on the main scheme Assumes untappable channels and a voting booth Uses randomised encryption and ZKP different approaches unifying approach todo Process for voting authority: A(v) = x E(0), y E(1) s a v(min(x, y), max(x, y)) p a v(x E(0) y E(1)) ( r v a (x) + r v a (y) ) Process for a voter: Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 21/20

example: BT Original receipt-freeness paper by Benaloh & Tuinstra Attack found... but not on the main scheme Assumes untappable channels and a voting booth Uses randomised encryption and ZKP different approaches unifying approach todo Process for voting authority: A(v) = x E(0), y E(1) s a v(min(x, y), max(x, y)) p a v(x E(0) y E(1)) ( r v a (x) + r v a (y) ) Process for a voter: V = x,y r a v(x, y) i {0,1} p a v(x E(i) y E(1 i)) ( Γ(v) = i sv a (x) + Γ(v) = 1 i s v a (y) ) Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 21/20

BT: receipt-free Let s examine the voter process: different approaches unifying approach todo Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 22/20

BT: receipt-free Let s examine the voter process: V = x,y r a v(x, y) Not an authentication term different approaches unifying approach todo Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 22/20

BT: receipt-free Let s examine the voter process: different approaches unifying approach todo V = x,y r a v(x, y) Not an authentication term i {0,1} p a v(x E(i) y E(1 i)) No ballot as a subterm Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 22/20

BT: receipt-free Let s examine the voter process: different approaches unifying approach todo V = x,y r a v(x, y) Not an authentication term i {0,1} p a v(x E(i) y E(1 i)) No ballot as a subterm ( Γ(v) = i sv a (x) + Γ(v) = 1 i s v a (y) ) Subterm of first term! Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 22/20

BT: receipt-free Let s examine the voter process: different approaches unifying approach todo V = x,y r a v(x, y) Not an authentication term i {0,1} p a v(x E(i) y E(1 i)) No ballot as a subterm ( Γ(v) = i sv a (x) + Γ(v) = 1 i s v a (y) ) Subterm of first term! None of the terms from the voter can satisfy α(t) t β(t) t = BT is receipt-free! Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 22/20

example: FOO Rough sketch of the FOO protocol for voter v, admin a and counter cnt: different approaches unifying approach todo Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 23/20

example: FOO Rough sketch of the FOO protocol for voter v, admin a and counter cnt: 1. v: create a blinded, encrypted vote different approaches unifying approach todo Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 23/20

example: FOO Rough sketch of the FOO protocol for voter v, admin a and counter cnt: 1. v: create a blinded, encrypted vote 2. v a: blinded, encrypted vote signed by v different approaches unifying approach todo Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 23/20

example: FOO Rough sketch of the FOO protocol for voter v, admin a and counter cnt: 1. v: create a blinded, encrypted vote 2. v a: blinded, encrypted vote signed by v 3. a v: blinded, encrypted vote signed by a different approaches unifying approach todo Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 23/20

example: FOO Rough sketch of the FOO protocol for voter v, admin a and counter cnt: different approaches unifying approach todo 1. v: create a blinded, encrypted vote 2. v a: blinded, encrypted vote signed by v 3. a v: blinded, encrypted vote signed by a 4. v cnt: encrypted vote signed by a Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 23/20

example: FOO Rough sketch of the FOO protocol for voter v, admin a and counter cnt: different approaches unifying approach todo 1. v: create a blinded, encrypted vote 2. v a: blinded, encrypted vote signed by v 3. a v: blinded, encrypted vote signed by a 4. v cnt: encrypted vote signed by a 5. cnt: collect all votes Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 23/20

example: FOO Rough sketch of the FOO protocol for voter v, admin a and counter cnt: different approaches unifying approach todo 1. v: create a blinded, encrypted vote 2. v a: blinded, encrypted vote signed by v 3. a v: blinded, encrypted vote signed by a 4. v cnt: encrypted vote signed by a 5. cnt: collect all votes 6. cnt: publish list of received votes Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 23/20

example: FOO Rough sketch of the FOO protocol for voter v, admin a and counter cnt: different approaches unifying approach todo 1. v: create a blinded, encrypted vote 2. v a: blinded, encrypted vote signed by v 3. a v: blinded, encrypted vote signed by a 4. v cnt: encrypted vote signed by a 5. cnt: collect all votes 6. cnt: publish list of received votes 7. v cnt: decryption key, index of vote in list Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 23/20

example: FOO Rough sketch of the FOO protocol for voter v, admin a and counter cnt: different approaches unifying approach todo 1. v: create a blinded, encrypted vote 2. v a: blinded, encrypted vote signed by v 3. a v: blinded, encrypted vote signed by a 4. v cnt: encrypted vote signed by a 5. cnt: collect all votes 6. cnt: publish list of received votes 7. v cnt: decryption key, index of vote in list 8. cnt: publish list of received keys Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 23/20

example: FOO Rough sketch of the FOO protocol for voter v, admin a and counter cnt: different approaches unifying approach todo 1. v: create a blinded, encrypted vote 2. v a: blinded, encrypted vote signed by v 3. a v: blinded, encrypted vote signed by a 4. v cnt: encrypted vote signed by a 5. cnt: collect all votes 6. cnt: publish list of received votes 7. v cnt: decryption key, index of vote in list 8. cnt: publish list of received keys Obvious receipt... but it seems to lose its validity Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 23/20

example: FOO Rough sketch of the FOO protocol for voter v, admin a and counter cnt: different approaches unifying approach todo 1. v: create a blinded, encrypted vote 2. v a: blinded, encrypted vote signed by v 3. a v: blinded, encrypted vote signed by a 4. v cnt: encrypted vote signed by a 5. cnt: collect all votes 6. cnt: publish list of received votes 7. v cnt: decryption key, index of vote in list 8. cnt: publish list of received keys Obvious receipt... but it seems to lose its validity Timestamping = no it doesn t! Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 23/20

example: RIES Used in Dutch water management board elections Handled over 70,000 votes Uses a publicly-known hash-function and voter-specific keys Obvious receipt How it works: different approaches unifying approach todo Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 24/20

example: RIES Used in Dutch water management board elections Handled over 70,000 votes Uses a publicly-known hash-function and voter-specific keys Obvious receipt different approaches unifying approach todo How it works: 1. s a v : key(v) Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 24/20

example: RIES Used in Dutch water management board elections Handled over 70,000 votes Uses a publicly-known hash-function and voter-specific keys Obvious receipt different approaches unifying approach todo How it works: 1. s a v : key(v) 2. a: publish list of all possible encrypted votes, hashed: L = v V { h({c} key(v)), c c C} Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 24/20

example: RIES Used in Dutch water management board elections Handled over 70,000 votes Uses a publicly-known hash-function and voter-specific keys Obvious receipt different approaches unifying approach todo How it works: 1. s a v : key(v) 2. a: publish list of all possible encrypted votes, hashed: L = v V { h({c} key(v)), c c C} 3. p v a : {Γ(v)} key(v) Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 24/20

example: RIES Used in Dutch water management board elections Handled over 70,000 votes Uses a publicly-known hash-function and voter-specific keys Obvious receipt different approaches unifying approach todo How it works: 1. s a v : key(v) 2. a: publish list of all possible encrypted votes, hashed: L = v V { h({c} key(v)), c c C} 3. p v a : {Γ(v)} key(v) 4. a: collect all votes Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 24/20

example: RIES Used in Dutch water management board elections Handled over 70,000 votes Uses a publicly-known hash-function and voter-specific keys Obvious receipt different approaches unifying approach todo How it works: 1. s a v : key(v) 2. a: publish list of all possible encrypted votes, hashed: L = v V { h({c} key(v)), c c C} 3. p v a : {Γ(v)} key(v) 4. a: collect all votes 5. a: publish outcome Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 24/20

example: RIES Used in Dutch water management board elections Handled over 70,000 votes Uses a publicly-known hash-function and voter-specific keys Obvious receipt different approaches unifying approach todo How it works: 1. s a v : key(v) 2. a: publish list of all possible encrypted votes, hashed: L = v V { h({c} key(v)), c c C} 3. p v a : {Γ(v)} key(v) 4. a: collect all votes 5. a: publish outcome Notice a receipt? Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 24/20

receipts in RIES To prove that v cast a vote for candidate c, it suffices to show an k such that h({c} k ), c L. This is precisely the voter s key! different approaches unifying approach todo Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 25/20

receipts in RIES different approaches unifying approach todo To prove that v cast a vote for candidate c, it suffices to show an k such that h({c} k ), c L. This is precisely the voter s key! This means the following in the formalism: α(x) = x β(x) = x Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 25/20

receipts in RIES different approaches unifying approach todo To prove that v cast a vote for candidate c, it suffices to show an k such that h({c} k ), c L. This is precisely the voter s key! This means the following in the formalism: α(x) = x β(x) = x... for suitable RB Hugo Jonker, Process Algebra Meetings, January 31st, 2007 Privacy in - p. 25/20

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback