Receipt-free Voting Through Distributed Blinding
Joint work with Markus Jakobsson
Ari Juels, RSA Laboratories
Coercion-free Voting Through Distributed Blinding
Joint work with Markus Jakobsson
Ari Juels, RSA Laboratories
Why do we want coercion-free voting?
Blackmail with a long arm
Vote buying
– Anonymous peer-to-peer networks
– Vote-buying schemes (e.g., vote-auction.com; http://62.116.31.68/)
Home voting
– Shoulder surfing
– Proximate coercion
Receipt-freeness required
Coercion-freeness required
Attack model
Attacker cannot interfere with registration process (otherwise can simulate voter)
Attacker can provide keying or other material to voter prior to vote (even entire ballot)
Two possibilities during vote:
– Assume no attacker presence at time of vote (countermeasure: receipt-freeness)
– Assume attacker sometimes present (countermeasure: coercion-freeness)
Attacker has access to all public information, i.e., encrypted and decrypted ballots
Cast of characters
Voting authority
Attacker
Voter (Alice)
I Like Ike
Some visual notation
Ciphertext
Mix network (publicly verifiable)
Hirt-Sako approach
IDEA: Voter commits publicly to vote, but ballot preparation is secret
TOOLS (scheme-specific):
– Designated verifier proofs DV Proof
– Untappable channels
Ballot blinding
[Figure: Authority 1, Authority 2; candidates Bore, Gush, Nadir; P1, P2; blinded ballot: P = P1 P2]
Voting
[Figure: Authority 1, DV Proof of P1; Authority 2, DV Proof of P2; P = P1 P2]
Voting
[Figure: candidates Bore, Gush, Nadir; Alice’s vote: Bore]
Drawbacks
Cost per ballot is linear in number of candidates
Requires untappable channels for vote
Not fully coercion resistant, e.g., not resistant to shoulder surfing
Not resistant to collusion between adversary and authorities
Subject to “randomization” attack
Randomization attack
[Figure: random choice: Gush]
Now Alice is unlikely to select her intended choice, Bore
“Proof” that collusion resistance is not possible with public verifiability
We must identify voter in order to have public verifiability
If attacker controls an authority, he can do “spot checking”
In order not to risk “spot checking”, voter must reveal all communication
Thus, untappable channels are breached and all transcripts are revealed
Our scheme represents a counterexample to this “proof”...
(and more?)
New tool for our scheme
Anonymous credential = Voting key
– Essentially a group signature key
– Carries hidden, identifying tag, called tag_i
– Special enhancement: Also includes validator val_i = B(tag_i), where B is threshold blinding function
[Figure: tag_i, val_i]
Some notation
Let B’() denote another, independent threshold blinding function
Let E[m] denote El Gamal ciphertext on m:
– Private key held distributively
– Authorities can jointly decrypt ciphertext
– B(E[m]) = E[B(m)] (due to El Gamal homomorphism)
Our new scheme
Core ideas:
– Voter employs anonymous credential
– We don’t know who voted (at time of voting) or what was voted
– Validator required for vote to count
– Adversary cannot tell whether or not validator is correct
Attacker cannot tell whether a vote is valid or not
Anatomy of a ballot
[Figure: anonymous credential (tag_i, val_i); ballot (tag_i, val_i, vote_i, proof_i) with anonymous credential signature; ballot (tag_3, val_3, vote_3, proof_3)]
proof_i: NIZK proof that tag_i ciphertext is valid for credential
validator = B(tag_i)
Tallying Ballots, Step 1: Check group signatures and proofs
[Figure: Authority 1, Authority 2, ...; ballots (tag_1, val_1, vote_1, proof_1), (tag_2, val_2, vote_2, proof_2), ..., (tag_n, val_n, vote_n, proof_n)]
Tallying Ballots, Step 2: Mixing ballots
[Figure: Authority 1, Authority 2, ...; re-encryption of ballots (tag_1, val_1, vote_1), (tag_2, val_2, vote_2), ..., (tag_n’, val_n’, vote_n’)]
Tallying Ballots, Step 3: Joint blinding and decryption of validators
[Figure: Authority 1, Authority 2; ballots (tag_1, val_1, vote_1), ..., (tag_n’, val_n’, vote_n’) become (tag_1, vote_1, B’(val_1)), ..., (tag_n’, vote_n’, B’(val_n’))]
Tallying Ballots, Step 4: Elimination of duplicates by validator
[Figure: Authority 1, Authority 2; ballots (tag_1, vote_1, B’(val_1)), (tag_2, vote_2, B’(val_2)), (tag_3, vote_3, B’(val_3)), ..., (tag_n’, vote_n’, B’(val_n’)); label: equal validators]
Tallying Ballots, Step 5: Verification of validators
[Figure: Authority 1, Authority 2; ballot (tag_i, vote_i, B’(val_i))]
• Authorities compute B’(B(E[tag_i])) = E[B’(B(tag_i))] and jointly decrypt
• If result is B’(val_i), then validator is correct
• Otherwise ballot is invalid and is thus removed
If correct, B’(val_i) = B’(B(tag_i))
Tallying Ballots, Step 6: Joint decryption of valid votes
[Figure: Authority 1, Authority 2; vote_1, vote_2, vote_3; decrypted votes: Gush, Bore, Bore]
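A toy run of tallying steps 3 to 5, added here as an illustration and not code from the talk. It assumes B and B’ are exponentiations by secrets shared multiplicatively between two authorities (one construction that satisfies B(E[m]) = E[B(m)]), uses a constructed 9-bit group, and leaves out the group signatures, NIZK proofs, mixing and vote encryption; the names Authorities, power and tally are hypothetical.

```python
import secrets

# Toy group (constructed, far too small for real use): P = 2Q + 1, G has order Q.
P, Q, G = 467, 233, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1          # uniform in [1, Q-1]

def power(ct, shares):
    """Raise every component to each authority's share in turn (assumed blinding)."""
    for s in shares:
        ct = tuple(pow(c, s, P) for c in ct)
    return ct

class Authorities:
    """Two authorities, each holding one share of every secret (assumed model)."""
    def __init__(self):
        self.x = [rand_exp(), rand_exp()]        # El Gamal key shares, x = x1 + x2
        self.B = [rand_exp(), rand_exp()]        # B(m)  = m^(b1*b2)
        self.B2 = [rand_exp(), rand_exp()]       # B'(m) = m^(b1'*b2')
        self.y = pow(G, sum(self.x), P)          # joint public key

    def encrypt(self, m):                        # E[m]
        r = rand_exp()
        return (pow(G, r, P), m * pow(self.y, r, P) % P)

    def decrypt(self, ct):                       # each authority strips its key share
        a, c = ct
        for xi in self.x:
            c = c * pow(a, Q - xi, P) % P        # a^(Q - xi) = a^(-xi) in the subgroup
        return c

    def validator(self, tag):                    # registration: val = B(tag)
        return power((tag,), self.B)[0]

    def tally(self, ballots):
        """ballots: (E[tag], E[val], vote) in cast order; returns the counted votes."""
        seen = {}
        for e_tag, e_val, vote in ballots:
            # Step 3: jointly blind and decrypt the validator, giving B'(val)
            bval = self.decrypt(power(e_val, self.B2))
            # Step 4: equal B'(val) means duplicate; keeping the last is an assumption
            seen[bval] = (e_tag, vote)
        counted = []
        for bval, (e_tag, vote) in seen.items():
            # Step 5: decrypt B'(B(E[tag])) = E[B'(B(tag))] and compare with B'(val)
            if self.decrypt(power(power(e_tag, self.B), self.B2)) == bval:
                counted.append(vote)
        return counted
```

A ballot cast with a false validator passes steps 3 and 4 like any other and is dropped only at step 5, after the blinded comparison, so the published B’(val) values do not reveal which of a voter's ballots was the real one.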
Coercion is eliminated
Key idea: Attacker cannot tell a false validator from a real one
– If attacker demands voting key, voter can provide false validator
– If attacker demands that voter cast a certain type of vote, and demands pointer(s)
  Voter can vote as demanded using false validator
  Voter can re-vote using correct validator
– This holds even if attacker colludes with a minority of authorities
Well, there’s always Florida
Features of scheme
Overhead on top of mixing process is minimal, thus the scheme is quite practical
– Cost is effectively independent of number of candidates
No need for untappable channels during vote
– We need some access to anonymous channels
Resistant to “randomization” attacks
Resistant to collusion with authorities
Potential resistance to shoulder-surfing attack
Additions
Votes can be countersigned by polling station, indicating priority
If registrar publishes voting roll with blinded validators, we can verify publicly that all participants are on roll
– Requires an additional mixing step
Validator may be constructed in threshold manner, distributed with proofs and re-encrypted by registrar
Careful modeling required and largely unaddressed
Questions?
Appendix: Improvement to Hirt-Sako
Idea: Secret sharing of vote
[Figure: Vote = V1V2; Authority 1: V1, Authority 2: V2; ZK-DV Proof of correct encryption for each share]
And then…
Vote V1 V2= x
Remarks
No randomization attack possible
Cost is (1) per vote
By letting Vi = -1 or 1, we can check validity