Client Puzzles
Receipt-free Voting
Ari Juels
RSA Laboratories
Joint work with Markus Jakobsson, C. Andy Neff
Cast of characters
Voter (Alice, and Bob, Charlie...)
[Image text: “I Like Ike”]
Voting authority
Attacker
Basic Internet voting
[Diagram: ballots labelled “A vote for Al Bore” and “A vote for G.W. Gush”]
Final Tally:
Gush 2
Bore 1
Alice knows randomization, so ciphertext ballot is a proof or receipt
[Image text: “BORE”, “Knees”]
Receipt-freeness
Receipt-freeness property: Alice cannot open ballot or prove contents
Prevents simple blackmail
References: BT94, SK95, HS00
What receipt-freeness doesn’t defend against
Vote buying
– Sale of authentication key
– Vote-buying schemes (e.g., vote-auction.com; http://62.116.31.68/)
– Anonymous peer-to-peer networks
Compromise of voting authority servers
– Limited defense in HS00
What receipt-freeness doesn’t defend against
Shoulder surfing
Randomization attack
– Attacker pre-specifies form of Alice’s ciphertext, leading to random result
Forced-abstention attack
Receipt-freeness won’t do for real applications!
Coercion-free Voting
Ari Juels
RSA Laboratories
Joint work with Markus Jakobsson, C. Andy Neff
First key tool: Mix network
Randomly permutes and re-encrypts inputs
What does a mix network do?
Key property: We can’t tell which output corresponds to a given input
Example application: Anonymizing bulletin board or e-mail
“Nobody loves Bob”
“I love Alice”
“I love Charlie”
Is it Bob, Charlie, self-love, or other?
Another application: Voting
[Diagram: ballots labelled “A vote for Al Bore” and “A vote for G.W. Gush”]
Final Tally:
Gush 2
Bore 1
A quick look under the hood
Mix Structure
[Diagram: ciphertexts m1, m2, m3 pass through Server 1, Server 2 and Server 3; each server re-encrypts and permutes them]
Mix Structure
[Diagram: mix outputs m2, m3, m1]
• Threshold decryption
• Blinding
• Re-mixing
Properties
Privacy preserved, i.e., permutation hidden if at least one server is honest
Soundness achievable by having servers prove correct permutation
Second key tool
Threshold one-way functions
– Denoted by B() and B’()
– Essentially undeniable signature
– B(m) = m^x for shared key x
Third key tool
Anonymous credential = Voting key
– Essentially a group signature key à la Ateniese et al. (Crypto ‘00)
Other approaches possible
– Carries hidden, identifying tag, called tag_i
– Special enhancement: Also includes validator val_i = B(tag_i), where B is threshold one-way function
[Diagram: credential carrying tag_i and val_i]
A little more notation
Let E[m] denote El Gamal ciphertext on m:
– Private key held distributively
– Authorities can jointly decrypt ciphertext
– B(E[m]) = E[B(m)] (due to El Gamal homomorphism)
Our new scheme
Core ideas:
– Voter employs anonymous credential
– We don’t know who voted (at time of voting) or what was voted
– Validator required for vote to count
– Adversary cannot tell whether or not validator is correct
Attacker cannot tell whether a vote is valid or not
Security model
Registration:
– Attacker cannot interfere with registration process or
– User is forced by, e.g., hardware, to do erasing
Before voting:
– Attacker can provide keying or other material to voter (even entire ballot)
During vote:
– Votes may be posted anonymously (for strongest security) or semi-anonymously (for weaker guarantees)
– Bulletin board is universally accessible
At all times:
– Attacker has access to all public information, i.e., encrypted and decrypted ballots
Voting: Anatomy of a ballot
[Diagram: ballot i carries tag_i, val_i, proof_i and vote_i under an anonymous credential signature]
validator = B(tag_i)
proof_i: NIZK proof that tag_i ciphertext is valid for credential
Tallying Ballots
Step 1: Check group signatures and proofs
[Diagram: Authority 1 and Authority 2 check each ballot (tag_i, val_i, proof_i, vote_i), i = 1, ..., n]
Tallying Ballots
Step 2: Mixing ballots
[Diagram: Authority 1 and Authority 2 mix the ballots (tag_1, val_1, vote_1), (tag_2, val_2, vote_2), ..., (tag_n’, val_n’, vote_n’) by re-encryption]
Tallying Ballots
Step 3: Joint blinding and decryption of validators
[Diagram: Authority 1 and Authority 2 turn each ballot (tag_i, val_i, vote_i) into (tag_i, B’(val_i), vote_i), i = 1, ..., n’]
B’ blinding prevents authorities from recognizing validators
Tallying Ballots
Step 4: Elimination of duplicates by validator
[Diagram: Authority 1 and Authority 2 compare the ballots (tag_i, B’(val_i), vote_i); ballots with equal validators are identified]
Tallying Ballots
Step 5: Re-mixing ballots
[Diagram: Authority 1 and Authority 2 re-mix the ballots (tag_i, B’(val_i), vote_i), i = 1, ..., n’, by re-encryption]
Remixing required so that adversary does not recognize weeding based on number of ballots he cast
Tallying Ballots
Step 6: Verification of validators
[Diagram: Authority 1 and Authority 2 hold E[tag_i], B’(val_i) and vote_i for each ballot]
If correct, B’(val_i) = B’(B(tag_i))
• Authorities compute C1 = B’(B(E[tag_i])) = E[B’(B(tag_i))]
• Authorities do distributed comparison of C1 with C2 = E[B’(val_i)]
• If ciphertexts are equal, then validator is correct
• Otherwise ballot is invalid and is thus removed
Tallying Ballots
Step 7: Joint decryption of valid votes
[Diagram: Authority 1 and Authority 2 jointly decrypt the remaining votes]
vote_1 = Gush
vote_2 = Bore
vote_3 = Bore
Winner!
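Added example (not from the slides or their authors): a Python sketch of tallying steps 3, 4, 6 and 7, which also exercises the identity B(E[m]) = E[B(m)] from the notation slide. Assumptions: a constructed toy group, single-party keys in place of the authorities' shared keys, a plaintext equality test standing in for the distributed comparison, a first-ballot-kept weeding policy, and no signatures, proofs or mixing; all function names are hypothetical.

```python
import secrets

# Constructed toy group, far too small for real use: P = 2Q + 1, G has order Q.
P, Q, G = 2039, 1019, 4
GUSH, BORE = pow(G, 1, P), pow(G, 2, P)    # candidates encoded as group elements

def rand_exp():
    return secrets.randbelow(Q - 1) + 1

S = rand_exp()                     # El Gamal private key (shared in the scheme)
H = pow(G, S, P)                   # El Gamal public key
X, X2 = rand_exp(), rand_exp()     # exponents of B and B' (shared in the scheme)

def enc(m):
    r = rand_exp()
    return (pow(G, r, P), m * pow(H, r, P) % P)

def dec(c):
    return c[1] * pow(c[0], P - 1 - S, P) % P    # b / a^S

def B(v, x=X):
    """m -> m^x; applied componentwise to a ciphertext it maps E[m] to E[m^x]."""
    if isinstance(v, tuple):
        return tuple(pow(c, x, P) for c in v)
    return pow(v, x, P)

def same_plaintext(c1, c2):
    """Plaintext equality test: blind the quotient c1/c2, decrypt, expect 1."""
    quotient = tuple(u * pow(w, P - 2, P) % P for u, w in zip(c1, c2))
    return dec(B(quotient, rand_exp())) == 1

def tally(ballots):
    """ballots: (E[tag], E[val], E[vote]) triples, assumed checked and mixed."""
    seen, counts = set(), {}
    for e_tag, e_val, e_vote in ballots:
        blinded = dec(B(e_val, X2))           # step 3: B'(val) in the clear
        if blinded in seen:                   # step 4: weed duplicate validators
            continue                          # (toy policy: first ballot kept)
        seen.add(blinded)
        if same_plaintext(B(B(e_tag), X2), enc(blinded)):   # step 6
            vote = dec(e_vote)                # step 7: decrypt valid votes only
            counts[vote] = counts.get(vote, 0) + 1
    return counts

def demo():
    tag = pow(G, 77, P)                       # constructed credential tag
    real, fake = B(tag), B(tag) * G % P       # correct validator, false one
    cast = lambda val, vote: (enc(tag), enc(val), enc(vote))
    return tally([cast(fake, GUSH), cast(real, BORE), cast(real, GUSH)])
```

In demo() the ballot cast with a false validator fails step 6 and the second ballot carrying the correct validator is weeded in step 4, so a single Bore vote is counted.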
Voter cannot sell or prove vote
Key idea: Attacker cannot tell a false validator from a real one
– If attacker demands voting key, voter can provide false validator
– If attacker demands that voter cast a certain type of vote, and demands pointer(s)
Voter can vote as demanded using false validator
Voter can re-vote using correct validator
Collusion with minority coalition of servers resisted
Correct validators only computable by majority
Mixing is private and robust if majority is honest
No randomization or forced abstention
Randomization: Voter can use false validator to post false ballot… and later vote for real
Forced abstention: Group signature (+ anonymous channel) provides anonymity
Resistance to shoulder-surfing
Voter can vote multiple times
Weeding policy provides for re-vote
– E.g., last vote might count (needs extra phase)
Is it practical?
Overhead is just a few times that of basic, mix-based voting
– Hirt-Sako ‘00 requires untappable channels, linear cost in number of candidates, no write-ins, etc.
Not just practical, but essential for Internet voting!
Questions?
Additions
Votes can be countersigned by polling station, indicating priority
If registrar publishes voting roll with blinded validators, we can verify publicly that all participants are on roll
– Requires an additional mixing step
Careful modeling required and largely unaddressed