A Practical Electronic Voting Protocol Based upon Oblivious Signature Scheme
Chunlai Song, Xinchun Yin, Yali Liu
2008 International Conference on Computational Intelligence and Security
Speaker: Jun-Ting Lai
Date: 2010/05/12
Outline
Introduction
Preliminary
Requirements of electronic voting system
Protocol
Conclusion
Introduction
With the rapid development of the Internet, it is expected that in
the near future electronic voting will be used more
frequently to collect people's opinions for many kinds of
political and social decisions through cyberspace.
Preliminary
Oblivious signature
Bit commitment
Schnorr Identification
Oblivious signature
Oblivious signature is a class of digital signatures. An
oblivious signature scheme consists of three entities:
a signer S
a recipient R
a verifier V
Bit commitment
In a bit commitment scheme, the person receiving an
encrypted message does not have access to the decryption
key.
He is not able to decrypt the message until the sender
decides to send him the decryption key.
Schnorr Identification (1/2)
Let $p, q$ be primes such that $q \mid p - 1$, $q \ge 2^{140}$, $p \ge 2^{512}$,
 R Z p* with order q .
The signature and verification algorithms of TA are
denoted $\mathrm{Sign}_{TA}$ and $\mathrm{Ver}_{TA}$.
The process of issuing a certificate is as follows:
Schnorr Identification (2/2)
Trusted
Authority
User A
Verifier B
pk : v    a mod p
p, q,  , SignTA ,VerTA
(ID,v)
$s = \mathrm{Sign}_{TA}(v)$
C(A)=(v,s)
(C ( A),  )
   k mod p
r (1  r  2 )
Verify C(A)
t
y  (k  ar ) mod q
y
If   a v mod p
Accept user A
v
r
Requirements of electronic voting system
Eligibility
Non-reusability
Soundness
Completeness
Verifiability
Fairness
Privacy
Protocol
The entities of our scheme consist of the Trusted Center (TC),
the Certification Authority (CA), the Voting Center (VC)
and Voters (V). The role of each entity is as follows:
1. (TC)
2. (CA)
3. (VC)
4. (V)
Phases
Preparation phase
Registration phase
Voting phase
Ballot casting phase
Tally phase
Preparation phase (1/5)
Let $p, q$ be two large primes such that $q \mid p - 1$, $q \ge 2^{140}$, $p \ge 2^{512}$
 R Z p* with order q .
$g, h$ are two elements of $Z_p^*$ of the same order $q$, where the
discrete logarithm $\log_h g$ is unknown to all.
$H: \{0,1\}^* \to Z_q^*$ and $f: \{0,1\}^* \to Z_q^*$ are one-way hash functions.
CA picks a random number $x \in_R Z_q^*$; the resulting public key
of the voting system, $y = g^x \bmod p$, is announced to voters.
CA also publishes the list of $L$ candidates on the bulletin,
which is denoted as $\{CAN_1, CAN_2, \ldots, CAN_L\}$.
Registration phase (2/5)
Voter
$a \in_R Z_p^*$
v    a (mod p )
1.(ID,v)
2.C(V)=(v,s)
TC
signs v
$s = \mathrm{Sign}_{TC}(v)$
Voting phase (3/5)
CA
Voter
$k_i \in_R Z_q^*$ $(1 \le i \le L)$
Choose $CAN_j$
$c = g^r h^j \bmod p$
$(c, C(v))$
$K_i = g^{k_i} \bmod p$
$(\hat{e}_i, \hat{s}_i)$
$\hat{e}_i = H(CAN_i, K_i c/(gh)^i \bmod p)$
sˆi  ki  xeˆi mod q
computes
i  g(ri)h( ji) mod p
Verify
eˆi  (CANi , g sˆi yeˆi i mod p)
e  eˆ j , s  r  j  sˆ j mod p
get   (e, s)
Ballot casting phase (4/5)
Voter
Computes
CAN  f (CANj , )
,
( , CAN )
,
VC
check

(t ,  , CAN , )
Public board
Tally phase (5/5)
Step 1: V checks that his ballot is listed on the list. If his
vote is not listed, then V claims this and sends ( , CAN , ) to
VC again.
Step 2: V sends the key  with number t , i.e. (t ,  ) to VC
through anonymous channel.
Step 3: VC opens the commitment of the ballot CAN , ,
retrieves the vote $CAN_j$, then VC checks the CA's signature
on the ballot $CAN_j$. VC accepts the signature as a valid
signature if and only if $e = H(CAN_j, g^s y^e \bmod p)$. VC
publishes (t, , CAN , , CAN j ,  ) on the BB.
Step 4: VC counts the votes and publishes the voting results.
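Added example in Python, not taken from the slides or the paper: the voting-phase exchange between Voter and CA, followed by the Step 3 check e = H(CAN_j, g^s y^e mod p). Operators that did not survive in the slide text (the sign in the CA's reply, the voter's unblinding factor g^(r-i) h^(j-i), the signs in s) are filled in as assumptions chosen so that the Step 3 check holds, and s is reduced mod q; the parameters, SHA-256 as H, the candidate names and all function names are constructed for illustration.

```python
import hashlib, secrets

# Constructed toy parameters, far too small for real use: p = 2q + 1 is a
# safe prime, and g, h are squares mod p, so both have order q.
p, q, g, h = 1_000_000_007, 500_000_003, 4, 9
CANDIDATES = ["CAN1", "CAN2", "CAN3"]   # constructed candidate list, L = 3

def H(name, value):
    """Hash (candidate, group element) into Z_q^*; SHA-256 is an assumption."""
    d = hashlib.sha256(f"{name}|{value}".encode()).digest()
    return int.from_bytes(d, "big") % (q - 1) + 1

def voter_commit(j):
    """Voter hides the 1-based choice j in c = g^r h^j mod p."""
    r = secrets.randbelow(q - 1) + 1
    return r, pow(g, r, p) * pow(h, j, p) % p

def ca_sign_all(x, c):
    """CA answers for every candidate without learning which j is inside c."""
    replies = []
    for i, name in enumerate(CANDIDATES, start=1):
        k = secrets.randbelow(q - 1) + 1
        K = pow(g, k, p)
        e_hat = H(name, K * c * pow(pow(g * h, i, p), -1, p) % p)
        replies.append((e_hat, (k - x * e_hat) % q))   # sign is an assumption
    return replies

def voter_extract(j, r, replies, y):
    """Voter checks all L replies, then unblinds only the j-th one."""
    for i, (name, (e_hat, s_hat)) in enumerate(zip(CANDIDATES, replies), 1):
        blind = pow(g, (r - i) % q, p) * pow(h, (j - i) % q, p) % p  # assumed
        if e_hat != H(name, pow(g, s_hat, p) * pow(y, e_hat, p) * blind % p):
            raise ValueError(f"CA reply {i} does not verify")
    e_hat, s_hat = replies[j - 1]
    return e_hat, (r - j + s_hat) % q   # exponents live mod q

def vc_verify(name, sig, y):
    """Tally Step 3: accept iff e == H(CAN_j, g^s y^e mod p)."""
    e, s = sig
    return e == H(name, pow(g, s, p) * pow(y, e, p) % p)

def demo(j=2):
    """Run one vote end to end; returns the Step 3 result per candidate."""
    x = secrets.randbelow(q - 1) + 1    # CA private key
    y = pow(g, x, p)                    # published key y = g^x mod p
    r, c = voter_commit(j)
    sig = voter_extract(j, r, ca_sign_all(x, c), y)
    return [vc_verify(name, sig, y) for name in CANDIDATES]
```

The CA produces L replies but the voter can turn only the j-th into a signature that passes Step 3, which is why `demo` reports a valid signature for exactly one candidate.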
Conclusion
In this paper, we present a secure electronic voting protocol
that is suitable for large scale voting over the Internet.
Moreover, our scheme can guarantee that the vote getting
signed is actually one of the L predetermined candidates.