Practical Electronic
Voting Schemes
Peter Landrock
ECC, Copenhagen 2005
The company
Software house
Established in 1986
Spin-off from
University of Aarhus
World-Class Cryptographers
- Vincent Rijmen, Ivan Damgaard…
Cryptomathic provides secure electronic solutions for web-banking, card
issuing and advanced key management with almost 20 years of
experience.
Innovation beyond competition
World Economic Forum
Nominated as one of the most innovative
companies in Europe at Davos 2003
Company Ownership
Infineon
#1 in semiconductors
+33,000 employees
Founders
Prof. Peter Landrock, Prof. Ivan Damgaard
Prof. Jørgen Brandt, Dr. Torben Pedersen
University Spin-off
Office Locations
Cambridge, UK
Aarhus, DK
Leuven, BE
Copenhagen, DK
Amaro, IT
Munich, DE
UK & USA
Benelux
ECEO - Partner
Headquarters
R&D
Scandinavia
Central Europe
Products and Offerings
Products
Custom Solutions
Professional Services
Selected Products
Authenticator
Signer
CardInk
EMV / ID
PrimeInk
Toolkits
PKI
Key
Management
System (KMS)
The Switch from Manual Elections
General idea behind Electronic Voting:
– like manual voting - only much faster and cheaper, but
is the voter able to verify that what he enters is actually
what is recorded?
can official monitoring verify that one vote is recorded –
correctly – for each voter?
can we trust the counting process?
– and
is it socially acceptable?
Well, let’s start with the requirements:
Requirements for an e-Voting Scheme
Privacy:
– only the final result is made public, no additional information
about votes will leak.
Robustness:
– the result reflects all submitted and well-formed ballots
correctly, even if some voters and/or possibly some of the
entities running the election cheat.
Universal verifiability:
– after the election, the result can be verified by anyone.
How to meet these requirements?
we obviously need cryptographic
techniques
but tamper resistant devices as well
and we need to provide
– appropriate protocols and mechanisms to meet these
requirements
which we will be discussing
– digital signatures to identify voters
Specification
This does NOT imply that we need an
independent X.509 PKI system in place
But we will assume we have an existing
registration scheme in place
– otherwise there is no democracy in the first place!
so we can send something out to a voter by
mail, like a PIN-mailer
– which he may use for electronic registration
– at which stage a public key pair is generated for his use, and
the private key is stored securely in a central server
all using HSMs
the private key never leaves the HSM controlled environment
Specification
This registration could take place
– at home from the voter’s own work station
– or at a polling station
where he presents a fairly traditional voting card
received in the mail for proper identification and
counting
and uses an additional small slip with a PIN or similar
to vote, as in the vote home scenario
– using the PIN for identification
Counting votes
is easy in binary:
– Example
5 candidates, 128 voters
40 bits voting ballot (8 bits per candidate, since 128 < 2^8)
– Candidate A: 00000000 ... 00000000 00000001 (bit 0 set)
– Candidate B: 00000000 ... 00000001 00000000 (bit 8 set)
– ...
– Candidate E: 00000001 00000000 ... 00000000 (bit 32 set)
The sum of the votes reveals how many votes each candidate obtained
Counting the votes
Leaving aside the issues of anonymity etc.,
– adding up votes electronically could be virtually instant
In order to meet some or all of our requirements, the following property would be extremely useful:
– Given any two votes, m1 and m2, and their encryptions, P(m1), P(m2), assume
P(m1) + P(m2) = P(m1 + m2),
– even better, if we can “randomise” to anonymise using individual random numbers ri for each vote, and we have the property
P(m1, r1) + P(m2, r2) = P(m1 + m2, R)
for some number R, then
e-Voting
we call P(.,.) a homomorphic public-key encryption if:
for any set of votes, there always exists some R (which will vary with the votes) with
∑P(xi,ri) = P(∑xi,R)
Now we have it (if such a function exists)!
– the voter
casts his electronic vote x
– the application
chooses a random number r and calculates P(x,r)
signs and forwards SA(P(x,r))
– the authenticating server
verifies the signature and forwards P(x,r) for counting
– the counting server
calculates ∑P(xi,ri) = P(∑xi,R) and decrypts to recover ∑xi, while R is discarded
– the result is available less than 1 minute after the closing of the polling stations
Another cryptographic tool:
zero-knowledge
– it is actually possible to verify that a vote is the
encryption of a correctly filled ballot
without revealing anything else about the vote!
– this means that a voter cannot successfully include more than one legal vote in his ballot
this involves commitment schemes
– but it is quite likely that politicians don’t buy it
Ingenious!?
if EVERYBODY votes electronically, yes
– but the choice is political
– it could save some embarrassment, though, here and
there
Applications in the near future
– closed groups of users who already communicate
together electronically
e.g. organisations such as the IEEE
stock holders in large companies (e.g. IBM)
Anyway, let’s see how it works
homomorphic encryption
– We start with an ElGamal encryption scheme
Let E be an elliptic curve, P a generator of a large cyclic group of prime order
Let Q = xP be a public key, where x is the private key
– Represent a message m by the point M in E and encrypt as (rP; M+rQ)
– Decryption of a ciphertext (U;V) takes place by computing (xU, V−xU)
This system is “semantically secure under the generalized DH assumption”, so far so good
homomorphic encryption
We now need to combine this idea with the very basic naïve counting method we described earlier
– Example
assume there are s candidates and fewer than t voters
Choose a point B such that the order of B is at least t^s
Let candidate j be represented by the point t^(j-1)·B
this means that any ballot vote to be encrypted is of the form t^(j-1)·B, j = 1,2,…,s
the sum of all the votes will be equal to
M = t1·B + t2·t·B + … + ts·t^(s-1)·B = (Σ tj·t^(j-1))·B, where tj is the number of votes for candidate j
homomorphic encryption
So given M = (t1 + t2·t + … + ts·t^(s-1))·B,
– how do we find t1, t2, …, ts?
By solving the discrete log problem!
– Well!? ? ?
This is easily done by choosing B wisely for most schemes
– example: Suppose t ≈ 32 million < 2^25 and s = 2
– then the order of B is bounded by 2^50 (t^s < 2^50), so the discrete log only has to be found in a range of that size.
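The t^(j-1)·B encoding on this slide and the 8-bits-per-candidate layout of the earlier binary-counting slide are the same trick (t = 256 gives the binary layout). The following is an added example, not code from the talk or from Cryptomathic: additive ElGamal on secp256k1 (an assumed standard curve; the slides name none), each ballot encrypted as t^(j-1)·B, ciphertexts added, the sum decrypted, and the per-candidate counts recovered by a baby-step giant-step discrete logarithm over the range [0, t^s). The choice B = G and the toy parameters (10 voters max, 3 candidates) are assumptions.

```python
import math, secrets

# Added example, not from the slides: additive EC-ElGamal tally with the
# t^(j-1)B ballot encoding. Curve secp256k1 has prime group order N, so any
# point B != O has order N >= t**s for every realistic t and s.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
O = None  # point at infinity

def add(A, B):  # affine group law on y^2 = x^3 + 7 (curve parameter a = 0)
    if A is O: return B
    if B is O: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0: return O
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if A == B
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)
def neg(A): return O if A is O else (A[0], -A[1] % P)

def mul(k, A):  # scalar multiplication by double-and-add
    R = O
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def keygen():  # private key x, public key Q = xG (the slides' generator P is G here)
    x = secrets.randbelow(N - 1) + 1; return x, mul(x, G)
def encrypt(Q, M):  # (rG; M + rQ) with a fresh random r per ballot
    r = secrets.randbelow(N - 1) + 1; return (mul(r, G), add(M, mul(r, Q)))
def decrypt(x, C): return add(C[1], neg(mul(x, C[0])))  # V - xU
def ct_add(C1, C2): return (add(C1[0], C2[0]), add(C1[1], C2[1]))

def dlog(B, M, bound):  # baby-step giant-step: the m < bound with m*B == M
    n = math.isqrt(bound) + 1
    baby, R = {}, O
    for i in range(n):
        baby[R], R = i, add(R, B)
    giant, R = neg(mul(n, B)), M
    for j in range(n):
        if R in baby: return j * n + baby[R]
        R = add(R, giant)
    raise ValueError("no logarithm below bound")

def tally(x, Q, B, t, s, votes):  # votes: candidate numbers 1..s, fewer than t of them
    total = encrypt(Q, O)  # encryption of the zero point
    for j in votes:  # sum P(x_i, r_i) = P(sum x_i, R); R itself is never needed
        total = ct_add(total, encrypt(Q, mul(t ** (j - 1), B)))
    m = dlog(B, decrypt(x, total), t ** s)  # m = sum_j t_j * t^(j-1)
    return [(m // t ** (j - 1)) % t for j in range(1, s + 1)]
```

With t = 256 and s = 5 the same code reproduces the 40-bit ballot slide, but the search range t^s = 2^40 then needs about 2^20 baby steps, which is why B (and t) must be chosen with the discrete-log step in mind.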
Some references
R. Cramer, R. Gennaro, B. Schoenmakers:
– A Secure and Optimally Efficient Multi-Authority Election Scheme, Proceedings of EuroCrypt 97
I. Damgård and M. Jurik:
– A Generalisation, a Simplification and some Applications of Paillier's Probabilistic Public-Key System, Proc. of Public Key Cryptography 2001
P. Paillier:
– Public-Key Cryptosystems based on Composite Degree Residuosity Classes, Proceedings of EuroCrypt 99
I. Damgård, J. Groth and G. Salomonsen:
– The Theory and Implementation of an Electronic Voting System, in: Secure Electronic Voting, Advances in Information Security, Vol. 7, D. Gritzalis (Ed.)
Voting using HSMs/SMS
[Diagram: User, e-Vote Web server, Authenticator Server (with HSM), Key Server (with HSM) and Back-end, connected by numbered steps (1)–(5). Labels recoverable from the figure: “User logs on to vote”, “e-Vote web server requests”, “Auth-server and Key-Server initiate vote”, “one-time SMS to user”, “user one-time SMS to vote”, “forwards and sign”.]
Voting using HSMs/Tokens, …
[Diagram: same components as the SMS variant (User, e-Vote Web server, Authenticator Server with HSM, Key Server with HSM, Back-end), numbered steps (1)–(5). Labels recoverable from the figure: “User logs on to e-Vote WS”, “Key request”, “Authenticator server verifies request and signing”, “generating one-time PW”, “verification of one-time PW”, “user one-time PW to vote”, “initiate Voting”.]
Using tamper resistant HSMs
is an alternative to e.g. using
– zero-knowledge techniques
– mix-nets
– the HSM will only allow legal votes before it signs on
behalf of the voter
By using independent servers for
– user authentication
– signing and voting
we can effectively prevent all fraud
Detecting cheating
If citizens vote at polling stations
– all this could be combined with a touch screen for voting
printing a ballot for traditional voting
– for all or a small randomly chosen sample
and an electronic vote as just described
Samples could then be matched with
the corresponding electronic votes
– and basic statistics would tell us how many we need to
check for an acceptable confidence level
Consider an example:
Detecting cheating
By having ballots printed voters are provided
with the service that
– they can see what they have voted on paper, and they have the
same level of certainty as at a manual election,
– their vote will count, provided that a manual recount actually
takes place.
Almost no information is gained by checking
a few votes in a district. The only action that
makes sense is to make total recounts in a
selection of districts.
– However, if say a manual recount takes place in 10% of the
districts, this gives a 10% chance of catching the manipulation
of votes in a particular district for a particular election.
Detecting cheating
Consequently quite comprehensive recounting is necessary in order to ensure that the mechanism works as intended
– not only by revealing attempted frauds, but also by preventing attempts of fraud from happening by acting as a deterrent.
Our approach here allows the following core properties:
– Electronic votes may contain encrypted information identifying the election district and the manual vote.
– The electronic votes are detached from the identities of the voters and then decrypted.
– We can pick a random sample of all the electronic votes of an arbitrary size.
Say that we want to ensure with 99% probability that at most 1% of the electronic votes are tampered with, i.e. contain different choices than the ones entered by the voters.
– Then we pick 459 random electronic votes. For each of those, if at least 1% of the electronic votes contain different choices than the corresponding manual votes, it has less than a 99% chance of passing the test of being compared to the corresponding manual vote.
– Consequently there is a probability of less than 0.99^459 = 0.009921 that all of them pass the test.
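The sampling argument on this slide carried through in code, as an added example that is not part of the talk: the sample size follows from (1 − p)^n ≤ 1 − c, and the comparison step is run over constructed (electronic, paper) pairs; the pair data and the rule "any mismatch triggers a full recount" are assumptions for illustration.

```python
import math
import random

# Added example, not from the slides: audit sample size for the stated
# confidence, the residual miss probability, and the comparison step.

def sample_size(max_bad_fraction, confidence):
    # Smallest n such that, if at least max_bad_fraction of the electronic votes
    # differ from the paper ballots, all n comparisons pass with probability
    # at most 1 - confidence, i.e. (1 - p)**n <= 1 - c.
    return math.ceil(math.log(1 - confidence) / math.log(1 - max_bad_fraction))

def miss_probability(n, bad_fraction):
    # Chance that every one of n sampled votes passes although bad_fraction are wrong.
    return (1 - bad_fraction) ** n

def audit(pairs, n, rng=random):
    # pairs: (electronic_choice, paper_choice) for votes whose encrypted
    # district/ballot reference let the two be matched after decryption.
    # Returns the number of mismatches in a random sample of n pairs; in the
    # scheme above any mismatch would trigger a full recount in that district.
    return sum(1 for e, p in rng.sample(pairs, n) if e != p)

# Constructed data: 1,000 matched votes, and the same set with 12 tampered entries.
CLEAN = [("A", "A")] * 600 + [("B", "B")] * 400
TAMPERED = CLEAN[:988] + [("A", "B")] * 12
```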
Detecting cheating
For the ultimate case,
– a general election in the US say,
by manipulating 459 votes out of
maybe 100 million votes and causing
the rather simple procedure to happen
in 459 randomly chosen election
districts, you actually get quite
confident that no large scale fraud
takes place with the electronic votes
– had this been implemented in 2000, the world might have looked different….
Conclusion
We have described practical voting schemes
– which have been tested in pilots
They require instant key generation upon
registration
– without requiring PKI in place
– which for millions of voters would be practically impossible using RSA
quite trivial using ECC
and we can make it as secure as we want
– at low cost