
Practical Electronic
Voting Schemes
Peter Landrock
ECC, Copenhagen 2005
The company
Software house
Established in 1986
Spin-off from
University of Aarhus
World-Class Cryptographers
- Vincent Rijmen, Ivan Damgaard…
Cryptomathic provides secure electronic solutions for web-banking, card
issuing and advanced key management with almost 20 years of
experience.
Innovation beyond competition
World Economic Forum
Nominated as one of the most innovative
companies in Europe at Davos 2003
Company Ownership
Infineon
#1 in semiconductors
+33,000 employees
Founders
Prof. Peter Landrock, Prof. Ivan Damgaard
Prof. Jørgen Brandt, Dr. Torben Pedersen
University Spin-off
Office Locations
Cambridge, UK
Aarhus, DK
Leuven, BE
Copenhagen, DK
Amaro, IT
Munich, DE
UK & USA
Benelux
ECEO - Partner
Headquarters
R&D
Scandinavia
Central Europe
Products and Offerings
Products
Custom Solutions
Professional Services
Selected Products
Authenticator
Signer
CardInk
EMV / ID
PrimeInk
Toolkits
PKI
Key
Management
System (KMS)
The Switch from Manual Elections
 General idea behind Electronic Voting:
– like manual voting - only much faster and cheaper, but
 is the voter able to verify that what he enters is actually
what is recorded?
 can official monitoring verify that one vote is recorded –
correctly – for each voter?
 can we trust the counting process?
– and
 is it socially acceptable?
 Well, let’s start with the requirements:
Requirements for an e-Voting Scheme
 Privacy:
– only the final result is made public, no additional information
about votes will leak.
 Robustness:
– the result reflects all submitted and well-formed ballots
correctly, even if some voters and/or possibly some of the
entities running the election cheat.
 Universal verifiability:
– after the election, the result can be verified by anyone.
How to meet these requirements?
 we obviously need cryptographic
techniques
 but tamper resistant devices as well
 and we need to provide
– appropriate protocols and mechanisms to meet these
requirements
 which we will be discussing
– digital signatures to identify voters
Specification
 This does NOT imply that we need an
independent X.509 PKI system in place
 But we will assume we have an existing
registration scheme in place
– otherwise there is no democracy in the first place!
 so we can send something out to a voter by
mail, like a PIN-mailer
– which he may use for electronic registration
– at which stage a public key pair is generated for his use, and
the private key is stored securely in a central server
 all using HSMs
 the private key never leaves the HSM controlled environment
Specification
 This registration could take place
– at home from the voter’s own work station
– or at a polling station
 where he presents a fairly traditional voting card
received in the mail for proper identification and
counting
 and uses an additional small slip with a PIN or similar
to vote, as in the vote home scenario
– using the PIN for identification
Counting votes
 is easy in binary:
– Example
 5 candidates, 128 voters
 40-bit voting ballot (8 bits per candidate)
– Candidate A: 00000000...................00000001
– Candidate B: 00000000.....0000000100000000
– ...
– Candidate E: 000000010..............................0
 The sum of the votes reveals how many votes each
candidate obtained
Counting the votes
 Let alone the issues of anonymity etc.,
– adding up votes electronically could be virtually instant
 In order to meet some or all of our requirements, it
would be extremely useful to have the following property
– Given any two votes, m1 and m2, and their encryptions, P(m1), P(m2),
assume
P(m1) + P(m2) = P(m1 + m2),
– even better, if we can “randomise” to anonymise using individual
random numbers ri for each vote, and we have the property
P(m1, r1) + P(m2, r2) = P(m1 + m2, R)
for some number R, then
e-Voting

we call P(.,.) a homomorphic public-key encryption if:
for any set of votes, there always exists some R (which will vary with
the votes) with
∑P(xi,ri) = P(∑xi,R)

Now we have it (if such a function exists)!
– the voter
 casts his electronic vote x
– the application
 chooses a random number r and calculates P(x,r)
 signs and forwards S_A(P(x,r))
– the authenticating server
 verifies the signature and forwards P(x,r) for counting
– the counting server
 calculates ∑P(xi,ri) = P(∑xi,R) and decrypts to recover ∑xi, while R is
discarded
– the result is available less than 1 minute after the closing of the polling
stations
Another cryptographic tool:
 zero-knowledge
– it is actually possible to verify that a vote is the
encryption of a correctly filled ballot
 without revealing anything else about the vote!
– this means that a voter cannot successfully include more
than one legal vote in his ballot
 this involves commitment schemes
– but it is quite likely that politicians don’t buy it
Ingenious!?
 if EVERYBODY votes electronically, yes
– but the choice is political
– it could save some embarrassment, though, here and
there
 Applications in the near future
– closed groups of users who already communicate
together electronically
 e.g. organisations such as the IEEE
 stock holders in large companies (e.g. IBM)
 Anyway, let’s see how it works
homomorphic encryption
– We start with an ElGamal encryption scheme
 Let E be an elliptic curve, P a generator of a large cyclic
group of prime order
 Let Q = xP be a public key, where x is the private key
– Represent a message m by the point M in E and encrypt
as (rP; M + rQ) for a random r
– Decryption of a ciphertext (U; V) takes place by
computing xU and then V − xU = M
 This system is “semantically secure under
the generalized DH assumption” – so far so good
homomorphic encryption
 We now need to combine this idea with the
very basic naïve counting method we
described earlier
– Example
assume there are s candidates and fewer than t voters
Choose a point B such that the order of B is at least t^s
Let candidate j be represented by the point t^(j-1) B
this means that any ballot vote to be encrypted is of the
form t^(j-1) B, j = 1, 2, …, s
 the sum of all the votes will be equal to
M = t_1 B + t_2 t B + … + t_s t^(s-1) B = (Σ t_j t^(j-1)) B, where t_j is the number of
votes for candidate j
homomorphic encryption
 So given M = (t_1 + t_2 t + … + t_s t^(s-1)) B,
– how do we find t_1, t_2, …, t_s?
 By solving the discrete log problem!
– Well!???
 This is easily done by choosing B
wisely for most schemes
– example: suppose t ≈ 32 million < 2^25 and s = 2
– then the order of B is bounded by 2^50.
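The whole counting pipeline of the last four slides, written out as an added example (not code from the talk or from Cryptomathic): EC ElGamal with the ballot encoding candidate j ↦ t^(j-1) B, homomorphic addition of the ciphertexts, decryption of the sum and recovery of the per-candidate counts as base-t digits of the scalar. The "counting in binary" slide earlier is the same encoding with t = 256. The curve is assumed to be secp256k1 (public parameters, prime group order n far above any t^s used here), its generator G plays the role of both P and B, and the discrete log is solved by a linear scan bounded by t^s, which is the cost that "choosing B wisely" keeps small (a deployment would use baby-step giant-step for the 2^50 case).

```python
import secrets

# secp256k1 domain parameters (assumed curve): y^2 = x^3 + 7 over F_p, generator G of prime order n
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
O = None                                                # point at infinity

def add(A, B):                                          # affine point addition (curve coefficient a = 0)
    if A is O: return B
    if B is O: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0: return O        # B == -A
    lam = 3 * x1 * x1 * pow(2 * y1, -1, p) if A == B else (y2 - y1) * pow(x2 - x1, -1, p)
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, A):                                          # double-and-add scalar multiplication k*A
    R = O
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def keygen():                                           # private key x, public key Q = xG
    x = secrets.randbelow(n - 1) + 1
    return x, mul(x, G)

def encrypt(Q, m):
    """P(m, r) = (rG, mG + rQ): the slides' (rP; M + rQ) with M = mB and B = P = G."""
    r = secrets.randbelow(n - 1) + 1
    return mul(r, G), add(mul(m, G), mul(r, Q))

def decrypt(x, C):
    U, V = C
    xU = mul(x, U)                                      # never O here: x and r lie in 1..n-1
    return add(V, (xU[0], (-xU[1]) % p))                # V - xU = M

def tally(Q, x, ballots, s, t):
    """ballots: one candidate index 1..s per voter; fewer than t voters, so each count t_j < t."""
    cts = [encrypt(Q, t ** (j - 1)) for j in ballots]   # candidate j -> t^(j-1) B
    U = V = O
    for u, v in cts:                                    # sum P(x_i, r_i) = P(sum x_i, R)
        U, V = add(U, u), add(V, v)
    M = decrypt(x, (U, V))                              # M = (sum_j t_j t^(j-1)) B; R is discarded
    m, R = 0, O                                         # solve the discrete log by exhaustive
    while R != M:                                       # search: at most t^s steps
        m, R = m + 1, add(R, G)
    return [(m // t ** (j - 1)) % t for j in range(1, s + 1)]   # base-t digits are the counts
```

With t = 256 the same function reproduces the 8-bit-per-candidate counting of the binary example; no server ever sees an individual ballot in the clear, only the decrypted sum.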
Voting using HSMs/SMS
[Diagram: User, e-Vote Web server, Authenticator Server (with HSM), Key Server (with HSM) and Back-end. Labelled steps (1)–(5): the user logs on to vote; the e-Vote web server requests a one-time SMS from the Auth-server, which sends it to the user; the user votes with it; the Auth-server forwards the vote to the Key-Server for signing; the result goes to the Back-end.]
Voting using HSMs/Tokens,…..
[Diagram: the same components (User, e-Vote Web server, Authenticator Server with HSM, Key Server with HSM, Back-end). Labelled steps (1)–(5): the user logs on to the e-Vote web server to initiate voting; a one-time PW is generated for the user; the user votes with the one-time PW, which is verified; a key request goes to the Authenticator server, which verifies the request and signs; the result goes to the Back-end.]
Using tamper resistant HSMs
 is an alternative to e.g. using
– zero-knowledge techniques
– mix-nets
– the HSM will only allow legal votes before it signs on
behalf of the voter
 By using independent servers for
– user authentication
– signing and voting
 we can effectively prevent all fraud
Detecting cheating
 If citizens vote at polling stations
– all this could be combined with a touch screen for voting
 printing a ballot for traditional voting
– for all or a small randomly chosen sample
 and an electronic vote as just described
 Samples could then be matched with
the corresponding electronic votes
– and basic statistics would tell us how many we need to
check for an acceptable confidence level
 Consider an example:
Detecting cheating
 By having ballots printed, voters are provided
with the assurance that
– they can see what they have voted on paper, and they have the
same level of certainty as at a manual election,
– their vote will count, provided that a manual recount actually
takes place.
 Almost no information is gained by checking
a few votes in a district. The only action that
makes sense is to make total recounts in a
selection of districts.
– However, if say a manual recount takes place in 10% of the
districts, this gives a 10% chance of catching the manipulation
of votes in a particular district for a particular election.
Detecting cheating

Consequently quite comprehensive recounting is necessary
in order to ensure that the mechanism works as intended
– not only by revealing attempted frauds, but also by preventing attempts of fraud
from happening by acting as a deterrent.

Our approach here allows the following core properties:
– Electronic votes may contain encrypted information identifying the election district
and the manual vote.
– The electronic votes are detached from the identities of the voters and then
decrypted.
– We can pick a random sample of all the electronic votes of an arbitrary size.

Say that we want to ensure with 99% probability that at
most 1% of the electronic votes are tampered with, i.e.
contain different choices than the ones entered by the
voters.
– Then we pick 459 random electronic votes. For each of those, if at least 1% of the
electronic votes contain different choices than the corresponding manual votes, it
has less than a 99% chance of passing the test of being compared to the
corresponding manual vote.
– Consequently there is a probability of less than 0.99^459 = 0.009921 that all of
them pass the test.
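The audit arithmetic of this slide, as an added example (not from the deck): the sample size needed for a given tampering threshold and confidence, the 0.99^459 pass probability, and the exact without-replacement value for a constructed electorate of 100 million votes with 1 million altered, which confirms that the slide's with-replacement approximation is accurate at this scale.

```python
import math

def pass_probability(n, tampered_fraction):
    """Probability that n independently sampled votes all match their paper ballots when at
    least tampered_fraction of the electronic votes were altered: the slides' 0.99^459."""
    return (1 - tampered_fraction) ** n

def sample_size(tampered_fraction, confidence):
    """Smallest n such that, if at least tampered_fraction of the votes were altered, comparing
    n random electronic votes with their paper ballots finds a mismatch with probability >= confidence."""
    n = max(1, math.ceil(math.log(1 - confidence) / math.log(1 - tampered_fraction)))
    while pass_probability(n, tampered_fraction) > 1 - confidence:          # guards against float rounding
        n += 1
    while n > 1 and pass_probability(n - 1, tampered_fraction) <= 1 - confidence:
        n -= 1
    return n

def exact_pass_probability(total, tampered, n):
    """Same quantity for sampling without replacement from a finite electorate (hypergeometric):
    none of the n votes drawn from `total`, of which `tampered` are altered, is an altered one."""
    prob = 1.0
    for i in range(n):
        prob *= (total - tampered - i) / (total - i)
    return prob

# Constructed electorate for the slides' "ultimate case": 100 million votes, 1% of them altered.
TOTAL_VOTES, ALTERED_VOTES = 100_000_000, 1_000_000
```

The formula is for a single election-wide random sample; the per-district recount rate discussed on the previous slide gives only the stated 10% detection chance per district.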
Detecting cheating
 For the ultimate case,
– a general election in the US say,
 by manipulating 459 votes out of
maybe 100 million votes and causing
the rather simple procedure to happen
in 459 randomly chosen election
districts, you actually get quite
confident that no large scale fraud
takes place with the electronic votes
– had this been implemented in 2000, the world might have
looked different….
Conclusion
 We have described practical voting schemes
– which have been tested in pilots
 They require instant key generation upon
registration
– without requiring PKI in place
– which for millions of voters would be
 practically impossible using RSA
 quite trivial using ECC
 and we can make it as secure as we want
– at low cost