Client Puzzles


Receipt-free Voting
Ari Juels
RSA Laboratories
Joint work with Markus Jakobsson, C. Andy Neff
Cast of characters
• Voter (Alice, and Bob, Charlie...)
• Voting authority
• Attacker
Basic Internet voting
[Figure: ballots "A vote for Al Bore" and "A vote for G.W. Gush" are submitted. Final Tally: Gush 2, Bore 1]
Alice knows randomization, so ciphertext ballot is a proof or receipt
Receipt-freeness
• Receipt-freeness property: Alice cannot open ballot or prove contents
• Prevents simple blackmail
• References: BT94, SK95, HS00
What receipt-freeness doesn’t defend against
• Vote buying
– Sale of authentication key
– Vote-buying schemes (e.g., vote-auction.com; http://62.116.31.68/)
– Anonymous peer-to-peer networks
• Compromise of voting authority servers
– Limited defense in HS00
What receipt-freeness doesn’t defend against
• Shoulder surfing
• Randomization attack
– Attacker pre-specifies form of Alice’s ciphertext, leading to random result
• Forced-abstention attack
• Receipt-freeness won’t do for real applications!
Coercion-free Voting
Ari Juels
RSA Laboratories
Joint work with Markus Jakobsson, C. Andy Neff
First key tool: Mix network
Mix network: randomly permutes and re-encrypts inputs
What does a mix network do?
Key property: We can’t tell which output corresponds to a given input
Example application: Anonymizing bulletin board or e-mail
“Nobody loves Bob”
“I love Alice”
“I love Charlie”
Is it Bob, Charlie, self-love, or other?
Another application: Voting
[Figure: ballots "A vote for Al Bore" and "A vote for G.W. Gush" pass through the mix network. Final Tally: Gush 2, Bore 1]
A quick look under the hood
Mix Structure
[Figure: messages m1, m2, m3 pass through Server 1, Server 2 and Server 3, each of which re-encrypts and permutes]
Mix Structure
• Threshold decryption
• Blinding
• Re-mixing
Properties
• Privacy preserved, i.e., permutation hidden if at least one server is honest
• Soundness achievable by having servers prove correct permutation
Second key tool
Threshold one-way functions
– Denoted by B() and B’()
– Essentially undeniable signature
– B(m) = m^x for shared key x
Third key tool
• Anonymous credential = Voting key
– Essentially a group signature key à la Ateniese et al. (Crypto ‘00); other approaches possible
– Carries hidden, identifying tag, called tag_i
– Special enhancement: Also includes validator val_i = B(tag_i), where B is threshold one-way function
A little more notation
Let E[m] denote El Gamal ciphertext on m:
– Private key held distributively
– Authorities can jointly decrypt ciphertext
– B(E[m]) = E[B(m)] (due to El Gamal homomorphism)
Our new scheme
Core ideas:
– Voter employs anonymous credential
– We don’t know who voted (at time of voting) or what was voted
– Validator required for vote to count
– Adversary cannot tell whether or not validator is correct
• Attacker cannot tell whether a vote is valid or not
Security model
• Registration:
– Attacker cannot interfere with registration process or
– User is forced by, e.g., hardware, to do erasing
• Before voting:
– Attacker can provide keying or other material to voter (even entire ballot)
• During vote:
– Votes may be posted anonymously (for strongest security) or semi-anonymously (for weaker guarantees)
– Bulletin board is universally accessible
• At all times:
– Attacker has access to all public information, i.e., encrypted and decrypted ballots
Voting: Anatomy of a ballot
[Figure: ballot made up of tag_i, val_i, proof_i and vote_i, under an anonymous credential signature]
validator = B(tag_i)
proof_i: NIZK proof that tag_i ciphertext is valid for credential
Tallying Ballots
Step 1: Check group signatures and proofs
[Figure: Authority 1 and Authority 2 check each ballot (tag_1, val_1, proof_1, vote_1), (tag_2, val_2, proof_2, vote_2), (tag_3, val_3, proof_3, vote_3), ..., (tag_n, val_n, proof_n, vote_n)]
Tallying Ballots
Step 2: Mixing ballots
[Figure: Authority 1 and Authority 2 mix the ballots (tag_1, val_1, vote_1), (tag_2, val_2, vote_2), ..., (tag_n’, val_n’, vote_n’) with re-encryption]
Tallying Ballots
Step 3: Joint blinding and decryption of validators
[Figure: Authority 1 and Authority 2 turn each ballot (tag_i, val_i, vote_i) into (tag_i, B’(val_i), vote_i), for i = 1, ..., n’]
B’ blinding prevents authorities from recognizing validators
Tallying Ballots
Step 4: Elimination of duplicates by validator
[Figure: Authority 1 and Authority 2 hold the ballots (tag_1, B’(val_1), vote_1), (tag_2, B’(val_2), vote_2), (tag_3, B’(val_3), vote_3), ..., (tag_n’, B’(val_n’), vote_n’); label: equal validators]
Tallying Ballots
Step 5: Re-mixing ballots
[Figure: Authority 1 and Authority 2 re-mix the ballots (tag_1, B’(val_1), vote_1), (tag_2, B’(val_2), vote_2), ..., (tag_n’, B’(val_n’), vote_n’) with re-encryption]
Remixing required so that adversary does not recognize weeding based on number of ballots he cast
Tallying Ballots
Step 6: Verification of validators
[Figure: Authority 1 and Authority 2 hold E[tag_i], B’(val_i) and vote_i for each ballot]
If correct, B’(val_i) = B’(B(tag_i))
• Authorities compute C1 = B’(B(E[tag_i])) = E[B’(B(tag_i))]
• Authorities do distributed comparison of C1 with C2 = E[B’(val_i)]
• If ciphertexts are equal, then validator is correct
• Otherwise ballot is invalid and is thus removed
Tallying Ballots
Step 7: Joint decryption of valid votes
[Figure: Authority 1 and Authority 2 jointly decrypt the valid votes: vote_1 = Gush, vote_2 = Bore, vote_3 = Bore. Winner!]
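The validator check of Steps 3 and 6, as an added example that is not part of the original slides: a toy, single-key stand-in for the threshold operations, showing that a ballot with the real validator B(tag) passes and one with a false validator is weeded out. It assumes each ballot carries E[tag] and E[val]; the group parameters, the function names and the random-exponent plaintext-equality test standing in for the "distributed comparison" are illustrative assumptions.

```python
import secrets

# Toy group, constructed for illustration and far too small for real use:
# P = 2Q + 1 is a safe prime and G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1          # uniform in [1, Q-1]

def encrypt(h, m):
    """El Gamal E[m] under public key h = G^s."""
    r = rand_exp()
    return (pow(G, r, P), m * pow(h, r, P) % P)

def decrypt(s, ct):
    a, b = ct
    return b * pow(a, -s, P) % P                 # negative exponent needs Python 3.8+

def owf(k, m):
    """B(m) = m^k; k is one key here, but shared among authorities in the scheme."""
    return pow(m, k, P)

def owf_ct(k, ct):
    """B applied to a ciphertext: componentwise exponentiation gives E[B(m)]."""
    return (pow(ct[0], k, P), pow(ct[1], k, P))

def same_plaintext(s, c1, c2):
    """Stand-in for the distributed comparison: decrypt (c1/c2)^z for random z."""
    z = rand_exp()
    qa = c1[0] * pow(c2[0], -1, P) % P
    qb = c1[1] * pow(c2[1], -1, P) % P
    return decrypt(s, (pow(qa, z, P), pow(qb, z, P))) == 1

def check_ballot(s, h, x, y, tag, val):
    """Steps 3 and 6 for one ballot carrying E[tag] and E[val]."""
    enc_tag, enc_val = encrypt(h, tag), encrypt(h, val)
    blinded = decrypt(s, owf_ct(y, enc_val))     # step 3: B'(val) in the clear
    c1 = owf_ct(y, owf_ct(x, enc_tag))           # step 6: C1 = E[B'(B(tag))]
    c2 = encrypt(h, blinded)                     # step 6: C2 = E[B'(val)]
    return same_plaintext(s, c1, c2)

def demo():
    s, x, y = rand_exp(), rand_exp(), rand_exp() # decryption key, B key, B' key
    h = pow(G, s, P)
    tag = pow(G, rand_exp(), P)
    real = owf(x, tag)                           # validator issued at registration
    fake = real * G % P                          # any other group element
    homomorphic = decrypt(s, owf_ct(x, encrypt(h, tag))) == real
    return (homomorphic, check_ballot(s, h, x, y, tag, real),
            check_ballot(s, h, x, y, tag, fake))
```

Because El Gamal ciphertexts are randomized, C1 and C2 never match bit for bit; the comparison only reveals whether their plaintexts are equal, which is all the weeding step needs.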
Voter cannot sell or prove vote
Key idea: Attacker cannot tell a false validator from a real one
– If attacker demands voting key, voter can provide false validator
– If attacker demands that voter cast a certain type of vote, and demands pointer(s)
• Voter can vote as demanded using false validator
• Voter can re-vote using correct validator
Collusion with minority coalition of servers resisted
• Correct validators only computable by majority
• Mixing is private and robust if majority is honest
No randomization or forced abstention
• Randomization: Voter can use false validator to post false ballot… and later vote for real
• Forced abstention: Group signature (+ anonymous channel) provides anonymity
Resistance to shoulder-surfing
• Voter can vote multiple times
• Weeding policy provides for re-vote
– E.g., last vote might count (needs extra phase)
Is it practical?
• Overhead is just a few times that of basic, mix-based voting
– Hirt-Sako ‘00 requires untappable channels, linear cost in number of candidates, no write-ins, etc.
• Not just practical, but essential for Internet voting!
Questions?
Additions
• Votes can be countersigned by polling station, indicating priority
• If registrar publishes voting roll with blinded validators, we can verify publicly that all participants are on roll
– Requires an additional mixing step
• Careful modeling required and largely unaddressed