Recipt-free Voting Through Distributed Blinding

Recipt-free Voting Through Distributed Blinding

Joint work with Markus Jakobsson

Ari JuelsRSA Laboratories

Coercion-free Voting Through Distributed Blinding

Joint work with Markus Jakobsson

Ari JuelsRSA Laboratories

Why do we want coercion-free voting?

Blackmail with a long arm Vote buying

– Anonymous peer-to-peer networks

– Vote-buying schemes (e.g., vote-auction.com; http://62.116.31.68/)

Home voting– Shoulder surfing– Proximate coercion

Receipt-freeness

required

Coercion-freeness

required

Attack model Attacker cannot interfere with registration process (otherwise can simulate

voter) Attacker can provide keying or other material to voter prior to vote (even entire

ballot) Two possibilities during vote:

– Assume no attacker presence at time of vote (countermeasure: receipt-freeness)

– Assume attacker sometimes present (countermeasure: coercion-freeness) Attacker has access to all public information, i.e., encrypted and decrypted

ballots

Cast of characters

Voting authority

Attacker

Voter (Alice)

I LikeIke

Some visual notation

Ciphertext

Mix network (publicly verifiable)

Hirt-Sako approach

IDEA: Voter commits publicly to vote, but ballot preparation is secret

TOOLS (scheme-specific):

– Designated verifier proofs DV Proof

– Untappable channels

Ballot blinding

Authority 1 Authority 2

Bore

Gush

Nadir

P1 P2

blinded

ballot:

P = P1 P2

Voting

Authority 1 Authority 2

DV Proof

of P1

DV Proof

of P2

P = P1 P2

Voting

= 1 2

Bore

Gush

Nadir

=

Alice’s

vote

Bore

Drawbacks

Cost per ballot is linear in number of candidates

Requires untappable channels for vote Not fully coercion resistant, e.g., not

resistant to shoulder surfing Not resistant to collusion between

adversary and authorities Subject to “randomization” attack

Randomization attack

Random

choice

Gush

Now Alice is unlikely to select her intended choice, Bore

“Proof” that collusion resistance is not possible with public verifiability

We must identify voter in order to have public verifiability

If attacker controls an authority, he can do “spot checking”

In order not to risk “spot checking”, voter must reveal all communication

Thus, untappable channels are breached and all transcripts are revealed

Our scheme represents a counterexample to this “proof”...

(and more?)

New tool for our scheme

Anonymous credential = Voting key– Essentially a group signature key

– Carries hidden, identifying tag, called tagi

– Special enhancement: Also includes validator vali = B(tagi), where B is threshold blinding function

tagi vali

Some notation

Let B’() denote another, independent threshold blinding function Let E[m] denote El Gamal ciphertext on m:

– Private key held distributively– Authorities can jointly decrypt ciphertext– B(E[m]) = E[B(m)] (due to El Gamal homomorphism

Our new scheme

Core ideas:– Voter employs anonymous credential– We don’t know who voted (at time of

voting) or what was voted– Validator required for vote to count– Adversary cannot tell whether or not

validator is correct Attacker cannot tell whether a vote is valid or

not

Anatomy of a ballot

tagi vali

tagi vali votei

proofi

NIZK proof that

tagi ciphertext is

valid for credential

Anonymous credential

signature

validator = B(tagi)

tag3 val3 vote3

proof3

Tallying BallotsStep 1: Check group signatures and proofs

Authority 1 Authority 2

...

?

?

?

?

tag1 val1 vote1

proof1

tag2 val2 vote2

proof2

tagn valn voten

proofn

Tallying BallotsStep 2: Mixing ballots

Authority 1 Authority 2

...

tag1 val1 vote1

tag2 val2 vote2

tagn’ valn’ voten’

re-encryption tag1 val1 vote1

tag2 val2 vote2

tagn’ valn’ voten’

...

Tallying BallotsStep 3: Joint blinding and decryption of validators

Authority 1 Authority 2

tag1 val1 vote1

tag2 val2 vote2

tagn’ valn’ voten’

......

tag1 vote1

tag2vote2

tagn’voten’

B’(val1)

B’(val2)

B’(valn’)

...

Tallying BallotsStep 4: Elimination of duplicates by validator

Authority 1 Authority 2

equal validators ...

tag1 vote1

tag2vote2

tagn’voten’

B’(val1)

B’(val2)

B’(valn’)

tag3vote3

B’(val3)

Tallying BallotsStep 5: Verification of validators

Authority 1 Authority 2

•Authorities compute B’(B(E[tagi])) = E[B’(B(tagi))] and jointly decrypt

•If result is B’(vali), then validator is correct

•Otherwise ballot is invalid and is thus removed

tagi voteiB’(vali)

E[tag2] If correct, B’(vali) = B’(B(tagi))

Tallying BallotsStep 6: Joint decryption of valid votes

Authority 1 Authority 2

Gush=

Bore

Bore

vote1

vote2

vote3

Coersion is eliminated Key idea: Attacker cannot tell a false

validator from a real one– If attacker demands voting key, voter can provide

false validator– If attacker demands that voter cast a certain type

of vote, and demands pointer(s) Voter can vote as demanded using false validator Voter can re-vote using correct validator

– This holds even if attacker colludes with a minority of authorities

Well, there’s

always Florida

Features of scheme

Overhead on top of mixing process is minimal, thus the scheme is quite practical– Cost is effectively independent of number of

candidates

No need for untappable channels during vote– We need some access to anonymous channels

Resistant to “randomization” attacks Resistant to collusion with authorities Potential resistance to shoulder-surfing attack

Additions Votes can be countersigned by polling station,

indicating priority If registrar publishes voting roll with blinded

validators, we can verify publicly that all participants are on roll – Requires an additional mixing step

Validator may be constructed in threshold manner, distributed with proofs and re-encrypted by registrar

Careful modeling required and largely unaddressed

Questions?

Appendix: Improvement to Hirt-Sako

Vote = V1V2

V1V2

Idea: Secret sharing of vote

Authority 1 Authority 2

V1 V2

Authority 1 Authority 2

Vote = V1V2

V1 V2

ZK-DV Proof of

correct encryption

ZK-DV Proof of

correct encryption

Idea: Secret sharing of vote

And then…

Vote V1 V2= x

Remarks

No randomization attack possible Cost is (1) per vote By letting Vi = -1 or 1, we can check

validity