
Cryptography meets Voting Warren D. Smith

Paper discussed by Isuru Ranaweera. In the next election: Will your vote be properly recorded? Will you be able to rule out election fraud? The answer to both these questions is quite possibly: “No!”


Presentation Transcript


  1. Cryptography meets Voting, Warren D. Smith. Paper discussed by Isuru Ranaweera

  2. In the next election: Will your vote be properly recorded? Will you be able to rule out election fraud? The answer to both these questions is quite possibly: “No!”

  3. The problem (a) Our election system isn’t very secure to begin with. And it stands to become even more insecure with time. Many states, including New York, are proposing a shift to an increasingly electronic voting system. (This is a system where votes are tallied and results are calculated electronically.) Unfortunately, many of the electronic voting components, such as vote-tallying machines, are manufactured under non-disclosure agreements. (This means that electronic voting machine manufacturers aren’t required to release the hardware and software architectures employed by their machines.)

  4. The problem (b) Herein lies the central problem. Aside from the manufacturers’ guarantee that their systems are bulletproof, we only have moderate federal assurance of the security of such systems. And sometimes, even the federal assurance may not exist. For example, after a recall election in 2003 that employed the popular electronic Diebold Election System, California’s secretary of state, Kevin Shelley, announced that none of the systems’ software had been federally certified. This essentially implied that the validity of the election result was highly questionable.

  5. (potential solution) (a) The solution to our problem is simple: disclosure. Essentially, this means that any electronic voting system must publicly release the explicit methods it uses. Why does it work? Disclosure enables extreme scrutiny of the methods involved. This virtually guarantees that any fraud will be revealed, that the system being used is valid, and that it doesn’t have any hidden security flaws. In an electronic context, disclosure has proved to be extremely useful. For example, open-source (disclosed) systems such as Mandrake’s Linux are much more stable than proprietary (un-disclosed) systems such as Microsoft’s Windows. (This is because disclosed systems are quick to find and remedy flaws.) Furthermore, in the field of information security, all publicly trusted systems have been fully disclosed. These in turn are believed to be the most secure systems in existence.

  6. (potential solution) (b) Is the method feasible? Simply put, yes. Many secure election systems have been devised over the years. One such method devised by Warren D. Smith is outlined in his paper “Cryptography meets Voting”. In this paper he provides a provably secure system that costs around 1¢ per voter. (This is well within current election budgets.) • Today we will discuss this cryptosystem that has the capacity to meet our election security requirements

  7. What do we desire from an election (A) • Cheap : economically and computationally • Virtually impossible to cheat : even for agencies such as the CIA or NSA • Robustness : recounts should be possible

  8. What do we desire from an election (B) • Only the voter knows how he voted : vote cannot be effectively modified • Voter cannot prove how he voted to a third party : voter cannot sell vote • Others cannot tell if voter voted or not : voter cannot be coerced • Everyone can verify that only authorized voters voted and at most once : no illegal voting

  9. Cryptographic tools we’ll use.. (A)-1 • ElGamal public key crypto systems • Based on the difficulty of calculating discrete logs: $C = \text{Number}^{\text{secret-key}} \pmod{\text{Domain}}$ (it’s difficult to calculate secret-key from $C$) [ Public keys: $N$, $A$, $B$ ] {where $B = A^a \pmod{N}$} [ Secret key: $a$ ] • System details: cipher-pair = $(A^k, mB^k)$ {where $m$ is the message & $k$ is random} • Decoding: we get inverse($A^{ak}$) by raising $A^k$ to $a$ and calculating its inverse { inverse(Number) × Number = 1 } • $mB^k = mA^{ak}$ • $mA^{ak} \times \text{inverse}(A^{ak}) = m$ • Because of the random element $k$, equal $m$’s will provide different cipher-texts

  10. Cryptographic tools we’ll use.. (A)-2 • Homomorphic properties in ElGamal systems: A traditional ElGamal system with an encryption function $E$ with this property: $E(M_1) \times E(M_2) = E(M_1 + M_2)$

  11. Cryptographic tools we’ll use.. (B)-1 • Zero knowledge proofs: A system whereby a prover proves to a verifier that he knows a secret without revealing any direct information about the secret. E.g. graph mapping

  12. Cryptographic tools we’ll use.. (B)-2 • Zero knowledge (ZK) ‘OR’ing. Alice provides a zero knowledge proof of { (ZK proof of S) OR (sender is Bob) } to Bob. This way, because Bob knows the sender isn’t Bob, he trusts that he’s received a ZK proof of Alice’s S. But if Bob then tries to send the message he received from Alice to Carl, Carl won’t be convinced because he doesn’t know that the second part of the OR was false in the initial transmission. This way, Alice has deniability. (Only Bob knows that (sender is Bob) is false because Alice requires Bob’s secret key to make that statement true. But Carl doesn’t know if Bob gave his secret key to anyone else. So only Bob can be convinced in this scenario.)

  13. Cryptographic tools we’ll use.. (C) • Secret (Key) sharing Multiple parties hold a piece of a universal key that can only be reconstructed with the mutual cooperation of all the secret sharers. (The cooperation is usually sequential and not concurrent)

  14. Cryptographic tools we’ll use.. (D) • Elliptic Curve Cryptosystems (ECC) A computational modification that can be applied to cryptosystems such as ElGamal which in turn provides faster computation while also potentially strengthening the encryption. (Useful for making our voting schemes cost effective)

  15. The election system we’re aiming for (a) • Before the election starts, there is a pre-posted, publicly available and readable list of legitimately eligible voters. • During the election, voters provide their vote to the EA (election authority). We assume that the voting and communication processes are private. (Not seen, heard or recorded by anyone else.) • Afterwards, the EA combines the votes using a publicly known polynomial time algorithm to produce the election results, which it then announces.

  16. The election system we’re aiming for (b) • Anyone can verify that only legitimate voters voted and each voted at most once, and that no votes were faked, altered or destroyed. • Anyone can verify that the correct election results were announced. • The entire election and verification process requires only a polynomial time total computation. (To be feasible.) • No vote-buyer can be convinced of what a voter’s vote was. (Because no voter can convince others of how he voted unless an exponentially large computation takes place or the discrete logarithm problem gets solved in less than exponential time.) (So, vote-buying and vote-coercion are virtually impossible.)

  17. Our first attempt.. (A) • Each voter V encrypts his vote M using $PK_{EA}$ • He sends the encrypted vote M* to EA • EA re-encrypts M* as M** by using $SK_{EA}$ and sends it to V • V uses a “zero knowledge log proof” to verify that M** was indeed a re-encryption of M* (PK: public key; SK: secret key; EA: Election Authority)

  18. Our first attempt.. (B) • V dates and signs M** as M*** and sends it to EA • EA signs M*** as M**** and posts this on a publicly viewable bulletin board next to V’s name • V also receives a paper with a bar code denoting M**** in case a recount is needed • Finally EA converts all bulletin board results to an election result. (It proves the validity of the result by providing zero knowledge proofs of each conversion)

  19. Why the first attempt.. works • Because everything is a ZK proof protocol, everyone is convinced that the EA correctly transformed the posted votes to the declared election result. • Because only the EA has the universal secret key, nobody but the EA knows what the votes are. • A voter wishing to sell his vote is unable to demonstrate regeneration of his publicly posted vote because of random padding. (So no two posted votes will be identical.)

  20. What are the first attempt’s weaknesses? • If the EA agrees to a collusion, the system will allow vote buying and coercion. (However, the actual posted vote will still be correctly counted.) • Therefore, the EA must be trusted to hold a proper election. (The EA is not fully audited).

  21. Analysis of first attempt.. Benefits : • All are convinced of the result • The votes remain anonymous • Voter cannot prove what he voted Drawback : • EA isn’t fully audited by anyone else • EA knows all : this is dangerous So, let us modify our first attempt..

  22. The Secure System (A) • S key holders randomly generate their secret partial decryption keys $\{K_1, K_2, \ldots, K_S\}$ and use them to produce the public encryption keys and the secret key $k$ {$k = \sum_{i=1}^{S} K_i$} ($k$ is the universal secret key) • Voter makes his vote $v$ based on public information ($v$ consists of integers) • Voter homomorphic-ElGamal-encrypts his $v$ with $K$ and transmits the encrypted vote $M$ to EA, where $K \equiv \prod_{i=1}^{S} K_i \pmod{G}$ ($K$ is a universal public key and $G$ is $K$’s modulus domain)

  23. The Secure System (B) • EA re-homomorphic-ElGamal-encrypts M to M^ using public key K. Then EA adjoins the date to M^ to get M*, which is sent back to the voter. Voter signs M* and sends M** back to EA, which signs M** to get M***. (Both voter and EA use non-interactive zero knowledge proofs to verify the validity of the relevant re-encryptions.) • Then, EA posts the twice-signed, validity-self-proving dated M*** on a public list of approved voters next to our voter’s name. EA prints 2 hardcopy bar-codes of M*** and sends one to the voter while keeping the other.

  24. The Secure System (C) • A voter can vote multiple times, but only the last dated vote will count. • Once all votes have been cast, EA provides the homomorphically added result (which it can’t read) to the body of secret key holders who each perform a partial ElGamal decryption on the result to decode the election result. (All during the EA homomorphic addition process and secret-key-holder partial decryption process, independent verifiers can find out if the information has been contaminated)
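
The homomorphic tally from slides 10 and 22 to 24, as an added example (not code from the paper or the presentation). It assumes the exponential ElGamal variant, where the vote is placed in the exponent so that multiplying ciphertexts adds votes, and a constructed toy group; all function names are hypothetical, and the re-encryption, signing and proof steps are left out.

```python
import secrets

# Toy group (constructed, far too small for real use): P = 2Q + 1, G has prime order Q.
P, Q, G = 2879, 1439, 4

def keygen_share():
    """One key holder: secret share K_i and its public counterpart G^K_i."""
    k_i = secrets.randbelow(Q - 1) + 1
    return k_i, pow(G, k_i, P)

def combine_public(pub_shares):
    """Universal public key: product of the public shares = G^(sum of K_i)."""
    pk = 1
    for h in pub_shares:
        pk = pk * h % P
    return pk

def encrypt(pk, vote):
    """Exponential ElGamal (assumed variant): pair (G^r, G^vote * pk^r)."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, vote, P) * pow(pk, r, P) % P

def add(c1, c2):
    """Homomorphic addition: componentwise product of two ciphertexts."""
    return c1[0] * c2[0] % P, c1[1] * c2[1] % P

def partial_decrypt(ct, k_i):
    """One holder removes its share by dividing b by a^K_i (Python 3.8+ pow)."""
    a, b = ct
    return a, b * pow(a, -k_i, P) % P

def recover_tally(ct, max_total):
    """Once every holder has acted, b = G^total; search the small exponent."""
    for total in range(max_total + 1):
        if pow(G, total, P) == ct[1]:
            return total
    raise ValueError("tally out of range")

def run_election(votes, holders=3):
    shares = [keygen_share() for _ in range(holders)]
    pk = combine_public([h for _, h in shares])
    tally = (1, 1)                       # trivial encryption of 0
    for v in votes:                      # anyone can redo this public product
        tally = add(tally, encrypt(pk, v))
    for k_i, _ in shares:                # sequential partial decryptions
        tally = partial_decrypt(tally, k_i)
    return recover_tally(tally, len(votes))
```

No single party ever holds the sum of the shares; the universal secret key is only applied implicitly, one share at a time.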

  25. What have we changed? (a) • We made all encryptions homomorphic-ElGamal. • The EA does not know its decryption key (The universal secret key). (With homomorphism, this doesn’t prevent the EA from correctly tallying the votes or proving to each voter that his vote has been correctly converted.) • Anyone else is free to carry out the same calculation as the EA and verify that its work is accurate by producing the same result himself.

  26. What have we changed? (b) • The EA is prevented from revealing any votes and thus makes the election fully secure. (Therefore the vote-selling problem in our first attempt is no longer a problem.) • Because the EA cannot decrypt each vote, it doesn’t know if each vote is properly formatted. Therefore, it is now necessary for each voter to provide a zero-knowledge proof that his vote was correctly and legally formatted.

  27. What have we changed? (c) • The universal secret key is known (partially) by s mutually distrusting entities. • The s mutually distrusting entities are also known as the secret sharers. • During the election, the s secret sharers work together only twice. Once at the beginning to generate the public keys, and once at the end to decrypt the result by sequentially applying their partial secret keys to make up the universal secret key k. (which gets implicitly used to decode the election result)

  28. What have we changed? (d) • Each secret sharer must provide zero-knowledge proofs that they are using the same Ki for both their initial generation of k and for their subsequent decryption of the final result. • No one knows the ElGamal universal secret key k, but we can still decode the result. • Unless all the keyholders and the EA collude, all votes will remain forever private.

  29. What have we changed? (e) • The EA does most of the communication and computation. The secret key holders act once at the very beginning and once at the end of the election. (This is a small amount of modular exponentiation work which is independent of the number of voters.) • Because the EA only knows encryption keys, it can publicly make them available and distribute them far and wide at different voting locations without fear of exposing an important secret • Therefore voting communication will be between the voter and the EA owned voting machine next to him. If the voting machine performs the encryption and stores the result immediately, its data cannot be compromised. (Naturally, when the voter makes his choice at the machine, that act itself is vulnerable to eavesdropping.)
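
One way a key holder can give the proof described on slide 28, shown as an added example (not from the paper or the presentation): a Chaum-Pedersen equality-of-discrete-logs proof made non-interactive with a Fiat-Shamir hash. The toy group, the choice of this particular proof and the function names are assumptions.

```python
import hashlib
import secrets

# Toy group (constructed, far too small for real use): P = 2Q + 1, G has prime order Q.
P, Q, G = 2879, 1439, 4

def challenge(*vals):
    """Fiat-Shamir: hash the statement and the commitments to a challenge mod Q."""
    data = ",".join(str(v) for v in vals).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove_same_key(k_i, a):
    """Show that h_i = G^k_i (key generation) and d_i = a^k_i (decryption
    share on ciphertext component a) use the same k_i, without revealing it."""
    h_i, d_i = pow(G, k_i, P), pow(a, k_i, P)
    w = secrets.randbelow(Q - 1) + 1            # one-time nonce
    t1, t2 = pow(G, w, P), pow(a, w, P)         # commitments under both bases
    c = challenge(G, h_i, a, d_i, t1, t2)
    s = (w + c * k_i) % Q                       # response
    return h_i, d_i, (t1, t2, s)

def verify_same_key(h_i, a, d_i, proof):
    """Any observer can run this check from public values only."""
    t1, t2, s = proof
    c = challenge(G, h_i, a, d_i, t1, t2)
    return (pow(G, s, P) == t1 * pow(h_i, c, P) % P and
            pow(a, s, P) == t2 * pow(d_i, c, P) % P)
```

A holder who publishes a decryption share computed with a different key cannot produce a proof that passes `verify_same_key`, except with negligible probability in a group of realistic size.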

  30. Analysis of the Secure System Benefits : (similar to first attempt..) • All are convinced of the result • The votes remain anonymous • Voter cannot prove what he voted • EA knows little • Only the secret key holders have to be physically protected One Drawback Remains: (not in the paper) • Public bulletin reveals if you voted or not

  31. Other similar voting systems.. (a) Mixnet voting system : • Expensive in terms of communication cost. (because multiple parallel redundant communications must take place. This will clog the network) • Cannot be scaled to work with multi-winner voting systems. (because this would make votes unique and non-anonymous. There are ways of avoiding this, but they are computationally very expensive and limiting.) • All voters may have to have decided before the voting begins (in order to guarantee perfect anonymity. Otherwise traffic can be monitored.)

  32. Other similar voting systems.. (b) Heterodox voting system : • Votes can be bought. (Voters are capable of proving the way they voted and thereby selling their vote. They can also be coerced through this.) • Potentially heavy delays during voting. (This is because a ‘preparatory phase’ exists along with a ‘vote casting phase’. Furthermore, explicit identification of voters who drop out during phases is required.) • Heavy information storage requirements (This makes the scheme only feasible for small elections with around 10000 voters.)

  33. Other similar voting systems.. (c) Multiparty computation voting system : • Computationally expensive. (This makes it necessary to perform $10^{14}$ modular exponentiations for $10^{8}$ voters. This makes the cost per voter round to about $270 per voter. Unacceptable in all but the most select small circles.) • Too many parties to trust. (The distributed computation model forces us to trust many parties and hope that they don’t collude. When we’re dealing with powerful political parties, it’s unreasonable to make this assumption.) • It may be possible to overcome the second drawback (above) by making extensive computation advances and overcoming the first drawback.

  34. Conclusion Generally, each voting system has benefits over other systems, and drawbacks compared to other systems as well. However, our present day voting systems are highly antiquated and ineffective at best. (Think about Florida in 2000) Therefore, Mr. Smith argues that important elections should be conducted with secure systems such as the one we’ve discussed today. He believes that his system is the most secure option that meets all the requirements outlined as part of the (election system we’re aiming for..) discussion.

  35. Questions?? Acknowledgements: • “Cryptography Meets Voting” by Warren D. Smith • www.verifiedvoting.org • Prof. Chris Lynch
